Friday, 16 December 2011

Export SCOM 2007 R2 SQL reports in PDF Landscape

When using reporting in SCOM 2007 R2, reports sometimes don't come out right.
On pages with graphs, the first part of the graph ends up on the first page and the rest of the report on the second page.
First page:
Second page:

When you save them as PDF it looks really messy, and you need twice as many pages if you print.

It is possible to create two extra choices in the export menu: one for an A4 PDF portrait report and one for A4 PDF landscape.

In my case, I use SQL 2008 R2.
To create the export options, follow these steps:

Log on to the SCOM reporting server.
Locate the rsreportserver.config file ( C:\Program Files\Microsoft SQL Server\{instance}\Reporting Services\ReportServer )
Open rsreportserver.config in Notepad.
Make a backup copy of the file before continuing.
Locate the "Render" section in the file :

Paste the following directly below the existing <Extension Name="PDF" ... /> entry in that section. Both entries use the same PDF renderer as the built-in extension; OverrideNames gives the export menu entry its label and DeviceInfo sets the page size ( A4 in inches: 8.27 x 11.69 ):

<Extension Name="PDF (A4 Landscape)" Type="Microsoft.ReportingServices.Rendering.ImageRenderer.PDFRenderer,Microsoft.ReportingServices.ImageRendering">
    <OverrideNames>
        <Name Language="en-US">PDF in A4 Landscape</Name>
    </OverrideNames>
    <Configuration>
        <DeviceInfo><PageHeight>8.27in</PageHeight><PageWidth>11.69in</PageWidth></DeviceInfo>
    </Configuration>
</Extension>
<Extension Name="PDF (A4 Portrait)" Type="Microsoft.ReportingServices.Rendering.ImageRenderer.PDFRenderer,Microsoft.ReportingServices.ImageRendering">
    <OverrideNames>
        <Name Language="en-US">PDF in A4 Portrait</Name>
    </OverrideNames>
    <Configuration>
        <DeviceInfo><PageHeight>11.69in</PageHeight><PageWidth>8.27in</PageWidth></DeviceInfo>
    </Configuration>
</Extension>

If desired, you can change the PageHeight and PageWidth values to any custom page size for your export.
Now run IISreset from the command line on the SCOM reporting server.
( Note: if reporting is co-hosted with other sites, restart only Reporting Services to prevent downtime of those other sites )

Now open SCOM reporting and notice the two extra options in the export menu, which produce PDF output with the page settings provided in the config file.
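The same edit, scripted. This is an added example and not part of the original post: it backs up rsreportserver.config, inserts the two extensions as XML nodes ( so the file cannot end up malformed by a paste error ) and restarts only the Reporting Services service. The {instance} path segment is the post's placeholder, and the service name 'ReportServer' assumes a default SSRS instance ( a named instance uses 'ReportServer$<instance>' ); both are assumptions to adapt before running.

```powershell
# Added example (not from the original post): script the rsreportserver.config edit.
# Assumptions: {instance} is a placeholder, and 'ReportServer' is the default-instance service name.
$configPath  = 'C:\Program Files\Microsoft SQL Server\{instance}\Reporting Services\ReportServer\rsreportserver.config'
$serviceName = 'ReportServer'

# 1. Back up first, as the post advises.
Copy-Item -LiteralPath $configPath -Destination ($configPath + '.' + (Get-Date -Format 'yyyyMMdd-HHmmss') + '.bak')

# 2. Load the file as XML; PreserveWhitespace keeps the existing layout intact on save.
$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true
$cfg.Load($configPath)

$render = $cfg.SelectSingleNode('/Configuration/Extensions/Render')
$pdf    = $render.SelectSingleNode("Extension[@Name='PDF']")
if (-not $pdf) { throw 'Built-in PDF render extension not found; is this rsreportserver.config?' }

# Builds one <Extension> entry: same renderer type as the built-in PDF extension,
# a display name for the export menu (OverrideNames) and a page size (DeviceInfo).
function New-PdfExtensionNode {
    param([xml]$Doc, [string]$Type, [string]$Name, [string]$Label, [string]$PageHeight, [string]$PageWidth)
    $ext = $Doc.CreateElement('Extension')
    $ext.SetAttribute('Name', $Name)
    $ext.SetAttribute('Type', $Type)
    $override = $ext.AppendChild($Doc.CreateElement('OverrideNames'))
    $nameNode = $override.AppendChild($Doc.CreateElement('Name'))
    $nameNode.SetAttribute('Language', 'en-US')
    $nameNode.InnerText = $Label
    $device = $ext.AppendChild($Doc.CreateElement('Configuration')).AppendChild($Doc.CreateElement('DeviceInfo'))
    $h = $device.AppendChild($Doc.CreateElement('PageHeight')); $h.InnerText = $PageHeight
    $w = $device.AppendChild($Doc.CreateElement('PageWidth'));  $w.InnerText = $PageWidth
    return $ext
}

# 3. Insert both entries directly after the built-in PDF extension; skip any that already exist
#    so the script can be re-run safely. Page sizes are A4 in inches.
$entries = @(
    @{ Name = 'PDF (A4 Landscape)'; Label = 'PDF in A4 Landscape'; PageHeight = '8.27in';  PageWidth = '11.69in' },
    @{ Name = 'PDF (A4 Portrait)';  Label = 'PDF in A4 Portrait';  PageHeight = '11.69in'; PageWidth = '8.27in'  }
)
$anchor = $pdf
foreach ($e in $entries) {
    if ($render.SelectSingleNode("Extension[@Name='$($e.Name)']")) {
        Write-Host "Skipping $($e.Name): already present"
        continue
    }
    $node   = New-PdfExtensionNode -Doc $cfg -Type $pdf.GetAttribute('Type') -Name $e.Name -Label $e.Label -PageHeight $e.PageHeight -PageWidth $e.PageWidth
    $anchor = $render.InsertAfter($node, $anchor)
}
$cfg.Save($configPath)

# 4. Restart only Reporting Services, not the whole web server, as the co-hosting note above recommends.
Restart-Service -Name $serviceName
```

Run it from an elevated PowerShell prompt on the reporting server; the backup file name carries a timestamp so repeated runs never overwrite an earlier backup.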

Now you're done! No more messy reports!

Wednesday, 14 December 2011

Using Lync Mobile with Office 365 @domain.onmicrosoft.com domain

When your company signs up for Microsoft Office 365 for enterprises, you're given an initial domain name that looks like this: domain.onmicrosoft.com.
Some companies use this domain for services like Lync Online.

If you are using the onmicrosoft domain, there is no way to manage its DNS records, because they are managed by Microsoft.
And as you know, to get Lync Mobile to work you need to add some DNS records.
( And they probably haven't been updated yet, as Lync Mobile does not work )
See previous blogpost : http://blog.msgeneral.nl/2011/12/lync-mobile-and-office-365-how-to-get.html

What does not work is autodiscover, but you can enter the discovery URL manually in your Lync Mobile client.

  • Start the Lync mobile client
  • Enter your username as: <name>@<domain>.onmicrosoft.com
  • Enter your password

Thanks to Ben Lee for the explanation ( source ) :

Tuesday, 13 December 2011

Office 365 Troubleshooting Tool , a deeper look at the DIY troubleshooter

The Troubleshooting tool has been around for a while ( since November ) and doesn't really need extra explanation, but I will show some of the tool's features.
At the moment, the tool is available in nine different languages.
English, Chinese (Traditional), French, German, Italian, Japanese, Korean, Russian and Spanish.
These languages will probably be updated according to customer wishes.

The Troubleshooter pinpoints key technical support issues and provides immediate solutions without the need to post questions to the community or submit a support request ticket. The tool's interface conveniently displays hundreds of possible help and support assets (i.e. Help topics, KB articles, videos, wikis, blog posts) from within the Office 365 suite. As you move through a list of troubleshooting options, the tool dynamically displays funneled-down content to lead you towards the answers you need.

The troubleshooting tool is a web-based tool that asks you five questions to find possible solutions to the problem you are experiencing.
  • It first lets you choose if you are an administrator or a user for small business or enterprise.
  • Second, it will let you choose the Service you are experiencing the problem with.
  • Third, it lets you choose the Area of Service you are experiencing the problem with.
  • Fourth, it lets you choose the actual problem you are experiencing ( not all problems are in the list ).
  • And finally, it shows possible solutions ( links to KB articles ) to the problem you are experiencing.
I browsed through a couple of problems from the user and administrator perspective and it actually works pretty well!

It is pretty easy to find a solution to your problem ( if the problem is in the tool, of course ) and the user solutions are written in a non-technical format that users can understand.

Next, I will go through the tool from the user's perspective, just to show you how it works.
Let's say, for example, that I am a user and my phone got stolen.
Now I want to know what I have to do to erase my phone, because I don't want my information to get into the wrong hands.

Let's open the troubleshooter and find out what to do.
At step one I choose the User setting under Office 365 for professionals. The troubleshooter automatically goes to the next step.

The next step is to select the service. The user's phone falls under the Exchange Online service.

It is a mobile phone, so the obvious choice would be Mobile Devices.

My problem is that my phone got stolen and I want to erase my phone.
That problem is actually in the list, so how easy is that!

Cool! A link to a possible solution, let's try that!

Here it is! Step by step, how to erase my phone from Outlook Web App.

As mentioned earlier, it works pretty well! Problems and solutions are updated periodically.
For all the little things it will save you a lot of time on creating service requests.

The DIY Troubleshooting tool can be found here : 

Monday, 12 December 2011

Office 365 Self Service Password Reset for Administrators

Quietly, Microsoft recently updated the Administration portal to include a new feature: unattended password reset for administrators. This feature has been a LONG time coming, and I'm sure the support staff at Microsoft are happy about it. Until now, you had to call Microsoft tech support to get the admin password reset.
Note: This option is only available for Office 365 administrators ( not dirsynced admins )

First, when I logged on with my Office 365 admin account, I got a popup saying "Don't lose access to your account"

It asks you to enter a phone number and a non-Office 365 e-mail address.
Oddly enough, it fills in your Office 365 e-mail address by default.

If you look up your admin user, you will see an extra field when editing the user settings.
There is an "alternate email address" field, currently displaying the email address I entered in the popup.

You can start the process by browsing to the Microsoft Online portal and choosing "forgot password" on the sign-in page.

Previously, this would take you to the support page saying you should contact support to reset your password. This time, it looks different.

First, the wizard asks you if you are an Office 365 administrator.
If you are not, you will be asked to contact your system administrator.
If you are, choose the option and click next.

Enter your admin user logon name, enter the verification characters and click Next.

An email is now sent to the alternate email address you entered previously in the admin user's settings ( or in the popup you got during logon ).

Below is the email I found in my alternate email inbox.

Click the link in the email and you will be forwarded to an Office 365 password reset page.

This immediately sends a text message to your mobile phone ( also entered in the logon popup, or in the user settings ).
Enter this code on the reset password page and click Next.

Once you have entered the mobile verification code, you will be asked to enter a new password.
Enter the new password and click finish.

Your password has now been reset.
How cool is this!! No more calling MS support if you lose your password.

Note: Don't forget to enter an alternate email address and phone number before you lose your password :).

Lync Mobile and Office 365 Lync online, how to get it to work

Today, Microsoft released the Lync Mobile client for Windows Phone, iPhone and iPad. ( iPhone and iPad not downloadable yet )
The deployment guide for on-premises users has been published, but how do you get it to work with Office 365 Lync Online?

Well, it's really simple.
Just add the following two CNAME entries in DNS:
  • sip.domain.com, pointing to sipdir.online.lync.com
  • lyncdiscover.domain.com, pointing to webdir.online.lync.com
Replace "domain.com" with your own domain and it should work.

Make sure you wait until public DNS has propagated; if you test right after the DNS change, chances are that DNS is not updated yet and the connection will fail.
Be patient :)

More information here : http://onlinehelp.microsoft.com/en-us/office365-enterprises/hh416761.aspx
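A quick way to see whether the two CNAME records above have actually propagated before you start testing the client. This is an added example, not code from the original post: it queries a public resolver and compares each answer with the target the post lists. It assumes Resolve-DnsName ( Windows 8 / Server 2012 or later ), uses 8.8.8.8 as an arbitrary public resolver, and takes domain.com as the post's placeholder for your own domain.

```powershell
# Added example (not from the original post): verify the Lync Online CNAME records against a public resolver.
# Assumptions: Resolve-DnsName is available (Windows 8 / Server 2012+), 8.8.8.8 is just one public resolver.
function Test-LyncOnlineDns {
    param(
        [Parameter(Mandatory=$true)][string]$Domain,
        [string]$Resolver = '8.8.8.8'
    )
    # Expected CNAME targets, exactly as the post lists them.
    $expected = @{
        "sip.$Domain"          = 'sipdir.online.lync.com'
        "lyncdiscover.$Domain" = 'webdir.online.lync.com'
    }
    foreach ($name in $expected.Keys) {
        $want = $expected[$name]
        try {
            $cname = Resolve-DnsName -Name $name -Type CNAME -Server $Resolver -ErrorAction Stop |
                     Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            $got = if ($cname) { $cname.NameHost.TrimEnd('.') } else { '<no CNAME record>' }
        } catch {
            # NXDOMAIN or a resolver timeout both mean "not ready yet" from the client's point of view.
            $got = "<lookup failed: $($_.Exception.Message)>"
        }
        [pscustomobject]@{
            Record   = $name
            Expected = $want
            Actual   = $got
            Ready    = ($got -ieq $want)
        }
    }
}

# Both rows must show Ready = True before the Lync Mobile client can find the service.
Test-LyncOnlineDns -Domain 'domain.com' | Format-Table -AutoSize
```

Querying a public resolver rather than your internal DNS matters here: the phone resolves the names from the internet, so an internal zone that already has the records tells you nothing about what the client will see.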

Lync Mobility Service Bits and Documentation

The bits to install on your server are available here:
Microsoft Lync Server 2010 Mobility Service and Microsoft Lync Server 2010 Autodiscover Service

When you deploy the Microsoft Lync Server 2010 Mobility Service, users can use supported iPhone, iPad, Android, Windows Phone, or Nokia mobile devices to perform such activities as sending and receiving instant messages, viewing contacts, and viewing presence. In addition, mobile devices support some Enterprise Voice features, such as click to join a conference, Call via Work, single number reach, voice mail, and missed calls. By using Call via Work, users can maintain their work identity during a call, which means that the call recipient does not see the caller’s mobile number, and the caller avoids incurring outbound calling charges. With single number reach, a user receives calls on a mobile phone that were dialed to their work number.
When you use the Microsoft Lync Server 2010 Autodiscover Service along with the Mobility Service, mobile devices can automatically locate the URLs for Lync Server Web Services and the new Mobility Service regardless of network location. It supports client connections using either HTTP or HTTPS.

Note that it is not just a patch to install in your corporate environment. There are changes that need to be made to your corporate Lync environment, including:
  • Applying Lync Update CU4
  • Ensuring your HLBs support persistence, more information here
  • Changes to your DNS, certificates, firewalls
  • Federation relationship with the cloud-based Lync Server 2010 Push Notification Service, which is located in the Lync Online datacenter
Check the documentation for full details.

The Microsoft Lync Server 2010 Mobility Guide documentation is available for download here:
Microsoft Lync Server 2010 Mobility Guide

This document guides you through the process of deploying the Microsoft Lync Server 2010 Mobility Service and the Microsoft Lync Server 2010 Autodiscover Service. When you deploy the Mobility Service, users can use supported iOS, Android, Windows Phone, or Nokia mobile devices to perform such activities as sending and receiving instant messages, viewing contacts, viewing presence. The Mobility Service also enables mobile devices to use some Enterprise Voice features, such as click to join a conference, Call via Work, single number reach, voice mail, and missed calls.
When you use the Microsoft Lync Server 2010 Autodiscover Service along with the Mobility Service, mobile devices can automatically locate the URLs for Lync Server Web Services and the new Mobility Service regardless of network location.

Today, the WP7 client was released. I haven't seen a press release yet, but I expect one to follow shortly.
Android and iOS clients have been submitted to the stores and should follow shortly.

Lync Mobile Client for WP7 can be downloaded from here :
Lync Mobile Client for WP7

How to set up mobility in your corporate Lync environment: coming soon!

Lync Mobile available for WP7

Looks like the 12 December date in all the online rumors was correct.
The Lync Mobile client is finally available for download, at the moment only for Windows Phone.
I expect the Android, iOS and Symbian versions will follow shortly.
I haven't seen a press release yet, and the site hasn't been updated yet, but when the press release shows up, I will update this post.

Note that before you can run Lync Mobile on your phone, you need to implement changes in your corporate Lync environment.

Lync Mobile for WP7 can be downloaded from here : http://www.windowsphone.com/en-US/apps/9ce93e51-5b35-e011-854c-00237de2db9e?wa=wsignin1.0

Friday, 9 December 2011

Introducing the Hybrid Configuration Wizard with Exchange SP2 and Office365

I came across an interesting article on the Exchange Team blog describing the benefits of the Hybrid Configuration Wizard in Exchange 2010 SP2.
Here's a quote from the blog :

"During the beta of Office 365 for Enterprises, we received great feedback from our customers and wanted to vastly simplify the process for configuring Exchange in a hybrid deployment with Office 365. We are introducing the Hybrid Configuration Wizard in Exchange 2010 Service Pack 2 to refine the deployment process as a result of that feedback.

What is the Hybrid Configuration Wizard?

The Hybrid Configuration Wizard consists of:
  1. A new Exchange Management Console (EMC) wizard that guides you through the end-to-end process for configuring a hybrid deployment.
  2. A set of Exchange Management Shell (EMS) cmdlets that orchestrate the configuration process (as always, the EMC executes these Shell cmdlets).
  3. Improvements to the manageability of some of the underlying hybrid features (no more exchangedelegation.contoso.com or service.contoso.com domains – Yay!)

What does it do?

The hybrid configuration cmdlets take inputs from the wizard, analyze the state of your existing on-premises and cloud organizations, and calculate the required steps to correctly configure both organizations correctly. You can learn more about this process here.
This friendly wizard replaces approximately 50 manual steps with just a few inputs and several clicks of your mouse. Here are some of the top tasks that the Hybrid Configuration Wizard will automatically verify and configure for you:
  1. Verifies that your on-premises and Office 365 organizations meet the prerequisites for a hybrid deployment.
  2. Provisions your on-premises Exchange federation trust.
  3. Creates mutual organization relationships between your on-premises and Exchange Online organizations.
  4. Modifies e-mail address policies to ensure that mailboxes can be moved successfully to Exchange Online in Office 365.
  5. Enables and configures free/busy calendar sharing, message tracking and MailTips for both your on-premises and Exchange Online organizations.
  6. Configures secure mail flow between your on-premises and Exchange Online organizations. You can even choose to have the wizard automatically configure Exchange Online organization to route mail through your on-premises Exchange organization to meet any additional business or compliance requirements.
  7. Enables support for Exchange Online Archiving for on-premises mailboxes for those customers that have chosen to include archiving in their Office 365 service plan.
Once the hybrid deployment configuration process is complete, the following features are available between your on-premises Exchange organization and Exchange Online:
  • Native mailbox move: Online mailbox moves with automatic Outlook reconfiguration
  • Free/busy and calendar sharing: Free/busy and calendar sharing between on-premises and Exchange Online mailboxes
  • Secure mail: TLS-encrypted and authenticated mail flow between your on-premises and Exchange Online organizations
  • Exchange Online Archiving: Provide unlimited cloud-based archive storage for your on-premises mailboxes
  • Message tracking: Integrated message tracking logs across your on-premises and Exchange Online organizations
  • Multi-mailbox search: Create a single search request that automatically queries both on-premises and Exchange Online mailboxes
  • Outlook Web App redirection: Redirect OWA logons for users that have been moved to Exchange Online
  • MailTips: Ensures that MailTips are available for both your on-premises and Exchange Online organizations

If you've used the Exchange Server Deployment Assistant to configure a previous hybrid deployment, please note that we’re busy updating the current scenarios to provide guidance based on the automatic configuration process using the Hybrid Configuration Wizard. Watch this blog for announcements when the Deployment Assistant is updated.

With that in mind, we'll be retiring the manual hybrid deployment configuration guidance provided with SP1 and we strongly encourage you use the wizard wherever possible. Although we'll continue to support manually configured hybrid deployments, we believe that using the new wizard is the easiest, most reliable way of getting deployed and staying correctly configured."

Source : http://blogs.technet.com/b/exchange/archive/2011/12/08/introducing-the-hybrid-configuration-wizard.aspx

Thursday, 8 December 2011

Office 365 Advisor Tools

Office 365 is not a one size fits all approach like Google Apps. Businesses are unique and have many different needs which is why we have designed our product to have a variety of plans and options. Obviously then the question becomes: Which plan is right for me and/or my organization?

Microsoft offers a wide range of affordable subscription plans based on the features you want, the size and makeup of your company, and the level of IT support you need. Some plans are designed for professionals and small businesses, while others are intended for midsize companies and enterprises.

The good news is that our recently released Office 365 Advisor Tool can help you quickly determine which plan is right for you. The Advisor Tool is an extremely dynamic and useful tool that leverages organizational size – and draws from Forrester Research Office 365 data and marquee Office 365 customer evidence – to recommend the best Office 365 subscription plan based on the needs of your organization.

Using the Advisor Tool is extremely fast. Simply click on “Plan Advisor.” The tool asks a series of simple questions about your business, and then provides a recommended plan that we think would work best for your business.

You can print out the details of your recommended plan, email it, or share it with your team via Facebook, Twitter, or LinkedIn. You can compare all the plans and prices in a side-by-side chart. And you can sign up for a 30-day free trial right from the page showing your results.

In addition to the Plan Advisor, there’s a Cost Estimator to help you calculate the cost of the plan you’ve chosen. Just click on “Cost Estimator,” enter the total number of users into your recommended plan, select the standalone services you need, and voilà—you’ve got your total monthly cost.

A quick walk through the tools.

Want to try out for yourself?

Source : http://community.office365.com/en-us/b/microsoft_office_365_blog/archive/2011/12/07/the-office-365-plan-that-s-right-for-you.aspx

Office 365 hybrid routing ( connectors / TLS ) configuration when using Exchange Edge (Pre SP2)

When migrating to Office 365, we used the Microsoft Exchange Deployment Assistant / guide for setting up the coexistence server.
Source : http://technet.microsoft.com/en-us/exdeploy2010/default.aspx
One thing I noticed was that the deployment assistant did not describe configuring transport when using an Exchange Edge server.
In our case, we did use an Exchange Edge server.
Documentation about using Exchange Edge with Office 365 was very minimal, and at the time of migration we did not have the luxury of SP2 for Exchange.
We wanted a scenario where all mail between mailboxes and the internet is first routed to our on-premises organization and sent out via our on-premises Edge server. We also use disclaimer software that we can only use on-premises, so mail had to be routed via on-premises to get our disclaimer. By routing messages through on-premises you can also apply transport rules, anti-virus policies and anti-spam rules.

To save others from searching the whole internet, I will describe the process we went through setting up transport with Office 365 and our on-premises Exchange Edge.
The transport configuration starts at step 21 of the deployment guide.
I will rewrite some of the steps from the deployment guide below.
First of all, we need a certificate for TLS.
Acquire a publicly trusted certificate for the domain name mail.domain.com and install that cert on the Edge server.
For creating a new certificate request :
For importing a certificate:
For assigning a certificate:
Make sure you install the cert on the Exchange 2010 Edge and assign it to the "SMTP" service.
When you run Get-ExchangeCertificate on the Edge server, your cert should look like this:

Then we need to create a Send connector. The deployment guide says the Send connector has to be created on the hybrid server. Ignore this and create the Send connector with the Edge as the source server.

Configure Send connector

Do the following within the EMC console to create a Send connector.
  • In the console tree, click Organization Configuration in the on-premises forest, and then click Hub Transport.
  • In the action pane, click New Send Connector.
  • On the Introduction page, in the Name field, enter the name of the new send connector that will be used to send messages to the cloud-based organization. For example, To Cloud Service Connector.
  • In the Select the intended use for this Send connector drop-down box, select Internet, and then click Next.
  • On the Address space page, click Add.
  • In the SMTP Address Space dialog, enter the service-routing namespace in the Address space field, and then click OK. For example, service.domain.com. Click Next.
  • On the Network settings page, select Use domain name system (DNS) "MX" records to route mail automatically and click Next.
  • On the Source Server page, verify the Exchange 2010 Edge server is included in the server list. If not, click Add, select the Exchange 2010 Edge server, and then click OK. Click Next.
  • On the New Connector page, verify your settings and then click New.
  • In the details pane, right-click the new Send connector and then click Properties.
  • In the Properties dialog, enter the external fully qualified domain name (FQDN) of the Exchange 2010 Edge server in the Specify the FQDN this connector will provide in response to HELO or EHLO field. For example, mail.domain.com. Click OK.
Configure Default receive connector
  • In the console tree, click Server Configuration in the on-premises forest, and then click Hub Transport.
  • Select the Exchange 2010 hybrid server in the details pane, right-click Default EX2010, and then click Properties.
  • In the Receive connector properties window, click the Permission Groups tab.
  • Select Anonymous Users, and then click OK.
Configure on-premises transport settings
For this procedure, you’ll use the Exchange Management Shell to configure the following:
  • Transport Layer Security (TLS) for all messages sent between your on-premises and cloud organizations.
  • Inbound and outbound messages sent between your on-premises and cloud organizations are trusted. Anti-spam rules won't be applied to these messages.
  • All mail sent to your cloud-based organization is routed through a FOPE smart host.
On your on-premises hybrid server, create a remote domain for inbound messages received from the cloud-based organization.
  • New-RemoteDomain "Inbound Remote Domain" -DomainName domain.com
On your on-premises hybrid server, create a remote domain for outbound messages sent to the cloud-based organization.
  • New-RemoteDomain "Outbound Remote Domain" -DomainName service.domain.com
On your on-premises hybrid server, configure the inbound remote domain to trust messages sent from the cloud-based organization.
  • Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
On your on-premises hybrid server, configure the outbound remote domain to enable trusted delivery of messages to the cloud-based organization.
  • Set-RemoteDomain "Outbound Remote Domain" -TrustedMailOutboundEnabled $True -TargetDeliveryDomain $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
On your on-premises hybrid server, modify the “To cloud” Send connector to enable TLS transport and route all mail sent to your cloud-based organization through a FOPE smart host.
  • Set-SendConnector "To cloud" -RequireTLS $True -TlsAuthLevel DomainValidation -TlsDomain mail.messaging.microsoft.com -Fqdn mail.domain.com -ErrorPolicies DowngradeAuthFailures
Configure Receive connector
Now, we create a receive connector for messages from the cloud.
Browse to: FOPE administration center
If this is your first time accessing FOPE, do the following:
  • a. Click Need your password.
  • b. Enter the e-mail address of the account in the cloud-based service in the User name field. This is the e-mail address you specified when you created the account in the cloud-based service. For example, admin@domain.onmicrosoft.com.
  • c. Log on to your cloud-based service admin e-mail account at https://www.outlook.com/domain.com. Open the e-mail message sent by FOPE to that account and retrieve the password provided.
  • d. Browse back to: FOPE administration center
Enter the e-mail address of the account in the cloud-based service in the User name field.
Enter your FOPE password in the Password field.
Click the Information tab, and then click Configuration.
Make a note of the IP addresses listed under IP addresses to configure on your firewall.

On your on-premises Edge server, create a new Receive connector to accept messages from FOPE.
You cannot do this from the hybrid server; you need to log on to the Edge server.
The Receive connector is configured to only accept connections from the FOPE IP addresses obtained in the previous step and to treat messages sent by the cloud-based organization as internal messages. The FQDN configured on the connector must match the common name of the SSL certificate that you want to use for secure mail.
  • New-ReceiveConnector -Name "From Cloud" -Usage Internet -RemoteIPRanges <FOPE Outbound IP Addresses> -Bindings <local IP address:port> -Fqdn mail.domain.com -TlsDomainCapabilities mail.messaging.microsoft.com:AcceptOorgProtocol
The deployment guide shows mail2.domain.com, but you can use the FQDN of your internet facing Exchange Edge.
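Because these settings are spread over two servers and several cmdlets, it is easy to miss one ( and the symptom, mail treated as anonymous, only shows up later in the headers ). The following audit script is an added example, not code from the original post or the deployment guide: it reads the on-premises objects configured above with the Get- counterparts of the cmdlets used and lists every value that differs from what the steps set. Run it in the Exchange Management Shell on the hybrid server, and with $onEdge set to $true on the Edge server. Connector and remote domain names are the ones used in the steps above; domain.com, service.domain.com and mail.domain.com are the post's placeholders and must be replaced with your own values.

```powershell
# Added example (not from the original post): audit the on-premises hybrid transport settings
# against the values used in the steps above. Placeholders: domain.com, service.domain.com, mail.domain.com.
$onEdge = $false   # set to $true when running on the Edge server (checks the "From Cloud" receive connector)

# Compares the named properties of one Exchange object with the expected values and emits one row per setting.
function Compare-Settings {
    param($Object, [hashtable]$Expected, [string]$Label)
    foreach ($key in $Expected.Keys) {
        $want = "$($Expected[$key])"
        $got  = if ($Object) { "$($Object.$key)" } else { '<object not found>' }
        New-Object PSObject -Property @{
            Object   = $Label
            Setting  = $key
            Expected = $want
            Actual   = $got
            Match    = ($got -ieq $want)
        }
    }
}

$report = @()
if (-not $onEdge) {
    # Hybrid server: Send connector and the two remote domains from "Configure on-premises transport settings".
    $report += Compare-Settings (Get-SendConnector 'To cloud') @{
        RequireTLS = $true; TlsAuthLevel = 'DomainValidation'; TlsDomain = 'mail.messaging.microsoft.com'
        Fqdn = 'mail.domain.com'; ErrorPolicies = 'DowngradeAuthFailures'
    } 'Send connector "To cloud"'
    $report += Compare-Settings (Get-RemoteDomain 'Inbound Remote Domain') @{
        DomainName = 'domain.com'; TrustedMailInboundEnabled = $true
    } 'Remote domain (inbound)'
    $report += Compare-Settings (Get-RemoteDomain 'Outbound Remote Domain') @{
        DomainName = 'service.domain.com'; TrustedMailOutboundEnabled = $true; TargetDeliveryDomain = $true
    } 'Remote domain (outbound)'
} else {
    # Edge server: the receive connector for FOPE and the certificate it relies on.
    $report += Compare-Settings (Get-ReceiveConnector 'From Cloud') @{
        Fqdn = 'mail.domain.com'; TlsDomainCapabilities = 'mail.messaging.microsoft.com:AcceptOorgProtocol'
    } 'Receive connector "From Cloud"'
    # The certificate assigned to SMTP must carry the connector FQDN in its subject, otherwise TLS domain validation fails.
    $smtpCert = Get-ExchangeCertificate | Where-Object { "$($_.Services)" -match 'SMTP' -and $_.Subject -match 'mail\.domain\.com' } | Select-Object -First 1
    $report += New-Object PSObject -Property @{
        Object = 'Edge SMTP certificate'; Setting = 'Subject contains mail.domain.com'
        Expected = 'True'; Actual = "$([bool]$smtpCert)"; Match = [bool]$smtpCert
    }
}

# Only the mismatches are interesting; an empty table means the on-premises side matches the steps above.
$report | Where-Object { -not $_.Match } | Select-Object Object, Setting, Expected, Actual | Format-Table -AutoSize
```

The comparison is done on the string form of each property, which is enough for these booleans, enums and FQDN values; it deliberately reports a missing connector or remote domain as a mismatch rather than an error, so one run gives the whole picture.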

Configure Cloud-Based transport settings
For this procedure, you’ll use the Shell to configure the following:
  • Configure the shared SMTP domain as an internal relay domain and set the domain as outbound only.
  • Inbound and outbound messages sent between your on-premises and cloud-organizations are trusted. Anti-spam rules won't be applied to these messages.
First, we need to connect to Exchange Online with remote PowerShell.
To do this, run the following in a "normal" PowerShell window:

$LiveCred = Get-Credential -credential admin@domain.onmicrosoft.com
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

This shows a login box where you enter your credentials; after that, PowerShell connects to Exchange Online.
In the cloud-based organization, create a remote domain for inbound messages received from the on-premises organization. The domain name must contain the name of the certificate published on the Edge server.
  • New-RemoteDomain "Inbound Remote Domain" -DomainName mail.domain.com
In the cloud-based organization, create a remote domain for outbound messages sent to recipients in the on-premises organization. The domain must be the domain portion of the recipient address of on-premises recipients.
  • New-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -DomainName domain.com
In the cloud-based organization, configure the inbound remote domain to trust messages sent from the on-premises organization.
  • Set-RemoteDomain "Inbound Remote Domain" -TrustedMailInboundEnabled $True
In the cloud-based organization, configure the outbound remote domain to on-premises recipients to enable trusted delivery of messages to the on-premises organization and enable rich e-mail client features.
  • Set-RemoteDomain "Outbound Remote Domain to On-Premises Recipients" -TrustedMailOutboundEnabled $True -AllowedOOFType InternalLegacy -AutoReplyEnabled $True -AutoForwardEnabled $True -DeliveryReportEnabled $True -NDREnabled $True -DisplaySenderName $True -TNEFEnabled $True
In the cloud-based organization, configure the outbound remote domain to Internet recipients to enable trusted delivery of messages to the on-premises organization.
  • Set-RemoteDomain Default -TrustedMailOutboundEnabled $True
In the cloud-based organization, set the accepted domain for the shared SMTP domain to be an internal relay domain, and set the domain as outbound only, using the following command.
  • Set-AcceptedDomain "domain.com" -DomainType InternalRelay -OutboundOnly $True
Configure FOPE to route mail to and from on-premises organization
Browse to: FOPE administration center
Enter the e-mail address of the account in the cloud-based service in the User name field.
Enter your FOPE password in the Password field.
Within FOPE, do the following:
Click the Administration tab, and then click the Company tab.
Click Add next to Inbound Connectors under Connectors.
In the Add inbound Connector dialog, configure the following
  • Name Enter a name for the inbound connector.
  • Description Enter a description for the inbound connector.
  • Under Connector Scope, specify *.* in the Sender Domains text box.
  • Under Connector Scope, specify the source IP address that your firewall presents to hosts on the Internet in the Sender IP Addresses text box. Depending on the configuration of your firewall, this might be the external IP address of your Edge server, or it might be the WAN IP address of the firewall. If you want to specify a range of IP addresses, use CIDR notation. You can also specify multiple IP addresses by separating each IP address with a comma.
  • Select Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above.
  • Under Connector Settings, select the Force TLS option in Transport Layer Security (TLS) Settings. ( Or choose opportunistic for testing purposes if you are not sure your TLS configuration is correct)
  • Select the Sender certificate matches check box and, in the associated text field, specify the certificate subject name that you configured on the on-premises Edge server certificate ( first step in this guide ). For example, mail.domain.com.
    Make sure that all the check boxes are cleared in Filtering in Connector Settings.
  • Click Save.
Click Enforce next to the inbound connector you just created. Click OK on the Enforce Inbound Connector dialog box.
Click Add next to Outbound Connectors under Connectors settings.
In the Add outbound Connector dialog, configure the following:
  • Name Enter a name for the outbound connector.
  • Description Enter a description for the outbound connector.
  • Under Connector Scope, specify *.* in the Recipient Domains text box.
  • Under Message Delivery Settings, select the Deliver all messages to the following destination check box.
  • Select the Fully Qualified Domain Name option and specify the external FQDN of the on-premises Edge server. For example, mail.domain.com.
  • Under Transport Layer Security (TLS) Settings, select The recipient certificate matches and, in the associated text field, specify the certificate subject name that you configured on the on-premises Edge server. For example, mail.domain.com. ( Or choose opportunistic for testing purposes if you are not sure your TLS configuration is correct)
  • Click Save.
I chose opportunistic TLS instead of forced TLS.
Forefront Online Protection for Exchange (FOPE) uses opportunistic TLS by default, which means that if your server is correctly configured for TLS, FOPE will communicate via TLS.

If TLS is not set up correctly and forced TLS is set instead of opportunistic TLS, cross-premises e-mail will be bounced because the TLS requirements are not met (wrong certificate or no certificate assigned).

Click Enforce next to the outbound connector you just created. Click OK on the Enforce Outbound Connector dialog box.
Now the transport configuration for communication between the Edge server and Office 365 is ready!

You can test this by sending an e-mail from an on-premises user to a cloud mailbox and vice versa.
Take a look at the Internet headers of both e-mails.
If everything is set up correctly, the X-MS-Exchange-Organization-AuthAs header should be set to Internal. This means that messages from Office 365 to on-premises and vice versa are treated as internal.

If you missed something and TLS is not set up correctly, the header shows Anonymous.
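To make the header check above repeatable, here is an added example (not part of the original post) that parses a saved Internet header block and reports the AuthAs classification and how many Received hops carry Exchange's "(TLS)" marker. The header sample is constructed for illustration; the hostnames and addresses in it are placeholders.

```powershell
# Added example (not part of the original post): parse a saved Internet header
# block and report how Exchange classified the message and whether the hops
# were received over TLS. The header sample at the bottom is constructed.
function Test-HybridMessageHeader {
    param([Parameter(Mandatory = $true)][string]$HeaderText)

    # Unfold continuation lines (a line starting with whitespace belongs to the
    # previous header), then split into individual "Name: value" lines.
    $unfolded = $HeaderText -replace "`r?`n[ \t]+", ' '
    $headers = @{}
    foreach ($line in ($unfolded -split "`r?`n")) {
        if ($line -match '^([^:\s]+):\s*(.*)$') {
            $name = $matches[1]
            if (-not $headers.ContainsKey($name)) { $headers[$name] = @() }
            $headers[$name] += $matches[2]
        }
    }

    # The post's check: AuthAs must be Internal; Anonymous means the hop was not
    # recognised as the trusted, TLS-protected connector.
    $authAs = '(missing)'
    if ($headers.ContainsKey('X-MS-Exchange-Organization-AuthAs')) {
        $authAs = $headers['X-MS-Exchange-Organization-AuthAs'][0]
    }

    # Exchange 2010 stamps "(TLS)" in the Received header of a hop it accepted
    # over TLS; count how many of the hops carry that marker.
    $received = @()
    if ($headers.ContainsKey('Received')) { $received = $headers['Received'] }
    $tlsHops = @($received | Where-Object { $_ -match '\(TLS\)' }).Count

    [pscustomobject]@{
        AuthAs            = $authAs
        TreatedAsInternal = ($authAs -eq 'Internal')
        ReceivedHops      = $received.Count
        TlsHops           = $tlsHops
    }
}

# Constructed sample showing only the headers that matter (a real message has
# more hops). mail.domain.com / EXCH01.domain.local / 203.0.113.10 are placeholders.
$sampleHeader = @'
Received: from mail.domain.com (203.0.113.10) by EXCH01.domain.local (10.0.0.5)
 with Microsoft SMTP Server (TLS) id 14.1.339.1; Thu, 15 Dec 2011 10:00:00 +0000
X-MS-Exchange-Organization-AuthAs: Internal
From: clouduser@domain.com
To: onpremuser@domain.com
Subject: TLS test
'@

Test-HybridMessageHeader -HeaderText $sampleHeader
```

Run it against a header copied from Outlook's message properties; a message that shows Anonymous, or a Received hop without the "(TLS)" marker, points at the certificate subject name or connector scope configured above.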

Hope this helps!
In SP2 the Hybrid Configuration will deal with all these steps, although I haven't seen any settings for Edge servers yet....

Since the beginning of January 2012 there is an Office 365 community wiki about configuring hybrid deployments with an Exchange Edge server.

woensdag 7 december 2011

OWA Mini Exchange 2010 SP2 ( also known as Outlook Mobile Access )

With Exchange 2010 SP2, OMA returns!
It does have a new name though: OWA Mini.
We probably won't use this option very often because today's smartphones use ActiveSync or a fully functional browser that can display OWA.

But still, it is a nice feature for older phones and it saves some MBs of your 3G data.

Once SP2 is installed on your CAS, OWA Mini can be reached by appending /oma to your normal OWA URL. Your URL should look like this: https://mail.domain.com/owa/oma .
Once logged in, you will see your inbox.

I have 1 unread message at the moment.
When you click the message, the content will be shown like this:

When you click the Calendar at the home page, appointments will be shown like this:

When choosing the options menu, the following options are available to edit:

Not many options, but OWA Mini does the trick if you just want to view appointments or emails.
Try it yourself? Install SP2 and don't forget to read the release notes.

Exchange 2010 SP2 can be downloaded here

maandag 5 december 2011

Enabling MRSProxy after installing Exchange 2010 SP2

We recently installed Exchange 2010 SP2.
Afterwards we noticed that the MRSProxy service used for mailbox moves did not work anymore, saying that the Mailbox Replication Proxy is disabled.
The first thing we checked was the web.config on the CAS server, and we re-added the MRSProxyEnabled value. That did not work.
We still got the error below.

Then we started searching for new cmdlets (or we should have read the release notes :) ).
I noticed there were some new parameters when I ran Get-WebServicesVirtualDirectory.
The parameter MRSProxyEnabled was one of them.
So I ran "Set-WebServicesVirtualDirectory -MRSProxyEnabled $True" and voilà, MRSProxy was enabled again.

I confirmed the setting by running "Get-WebServicesVirtualDirectory | fl".
This showed the setting as enabled.

To be certain, I also restarted the Mailbox Replication Service on the CAS, afterwards mailboxes moved to Office 365 without issues.

Also documented in the release notes.

Exchange 2010 SP2 RTM released! ( With Office 365 Hybrid Deployment Wizard !!)

Microsoft declared that Exchange 2010 SP2 had attained a sufficiently high standard of code and features to warrant release to manufacturing (RTM). As you know, it's been a while coming.

SP2 addresses hundreds of customer-reported issues, including the Outlook notification issues in Exchange 2010. It also has key new functionality enabling hybrid deployments, hosting on the Enterprise SKU and the return of OMA (I mean Outlook Web App Mini...).

Here's a quote from Technet.

What's New in Exchange 2010 SP2

This topic provides you with an overview of important new features and functionality in Service Pack 2 (SP2) for Microsoft Exchange Server 2010, which can be useful when you’re planning, deploying, and administering your organization. The following sections include information about changes to features and functionality that has occurred since Service Pack 1 (SP1) for Exchange 2010:
  • Hybrid Configuration Wizard
  • Address Book Policies
  • Cross-Site Silent Redirection for Outlook Web App
  • Mini Version of Outlook Web App
  • Mailbox Replication Service
  • Mailbox Auto-Mapping
  • Multi-Valued Custom Attributes
  • Litigation Hold

In addition to the changes described in this topic, Exchange 2010 SP2 also includes fixes that address issues identified since the release of Exchange 2010 SP1. For a complete list of issues fixed in Exchange 2010 SP2, see: Issues That Are Fixed in Exchange 2010 SP2.

Hybrid Configuration Wizard

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard which provides you with a streamlined process to configure a hybrid deployment between on-premises and Office 365 Exchange organizations. Hybrid deployments provide the seamless look and feel of a single Exchange organization and offer administrators the ability to extend the feature-rich experience and administrative control of an on-premises organization to the cloud. For more information, see Understanding the Hybrid Configuration Wizard.
Address Book Policies

Exchange 2010 SP2 introduces the address book policy object which can be assigned to a mailbox user. The ABP determines the global address list (GAL), offline address book (OAB), room list, and address lists that are visible to the mailbox user that is assigned the policy. Address book policies provide a simpler mechanism to accomplish GAL separation for the on-premises organization that needs to run disparate GALs. For more information, see Understanding Address Book Policies.
Cross-Site Silent Redirection for Outlook Web App

With Exchange 2010 SP2, you can enable a silent redirection when a Client Access server receives a client request that is better serviced by a Client Access server located in another Active Directory site. This silent redirection can also provide a single sign-on experience when forms-based authentication is enabled on each Client Access server. For more information, see Understanding Proxying and Redirection.
Mini Version of Outlook Web App

The mini version of Outlook Web App is a lightweight browser-based client, similar to the Outlook Mobile Access client in Exchange 2003. It’s designed to be used on a mobile operating system. The mini version of Outlook Web App provides users with the following basic functionality:
  • Access to e-mail, calendar, contacts, tasks and the global address list.
  • Access to e-mail subfolders.
  • Compose, reply to, and forward e-mail messages.
  • Create and edit calendar, contact, and task items.
  • Handle meeting requests.
  • Set the time zone and automatic reply messages.

For more information, see Understanding the Mini Version of Outlook Web App.
Mailbox Replication Service

In Exchange 2010 SP1, if you wanted to move mailboxes from on-premises to Outlook.com or to another forest, you had to enable MRSProxy on the remote Client Access server. To do this, you had to manually configure the web.config file on every Client Access server. In Exchange 2010 SP2, two parameters have been added to the New-WebServicesVirtualDirectory and Set-WebServicesVirtualDirectory cmdlets so that you don't have to perform the manual configuration: MRSProxyEnabled and MaxMRSProxyConnections. For more information, see Start the MRSProxy Service on a Remote Client Access Server.
Mailbox Auto-Mapping

In Exchange 2010 SP1, Office Outlook 2007 and Outlook 2010 clients can automatically map to any mailbox to which a user has Full Access permissions. If a user is granted Full Access permissions to another user's mailbox or to a shared mailbox, Outlook, through Autodiscover, automatically loads all mailboxes to which the user has full access. However, if the user has full access to a large number of mailboxes, performance issues may occur when starting Outlook. Therefore, in Exchange 2010 SP2, administrators can turn off the auto-mapping feature by setting the value of the new Automapping parameter to $false on the Add-MailboxPermission cmdlets. For more information, see Disable Outlook Auto-Mapping with Full Access Mailboxes.
Multi-Valued Custom Attributes

Exchange 2010 SP2 introduces five new multi-value custom attributes that you can use to store additional information for mail recipient objects. The ExtensionCustomAttribute1 to ExtensionCustomAttribute5 parameters can each hold up to 1,300 values. You can specify multiple values as a comma-delimited list. The following cmdlets support these new parameters:
  • Set-DistributionGroup
  • Set-DynamicDistributionGroup
  • Set-Mailbox
  • Set-MailContact
  • Set-MailPublicFolder
  • Set-RemoteMailbox

Litigation Hold

In Exchange 2010 SP2, you can’t disable or remove a mailbox that has been placed on litigation hold. To bypass this restriction, you must either remove litigation hold from the mailbox, or use the new IgnoreLegalHold switch parameter when removing or disabling the mailbox. The IgnoreLegalHold parameter has been added to the following cmdlets:
  • Disable-Mailbox
  • Remove-Mailbox
  • Disable-RemoteMailbox
  • Remove-RemoteMailbox
  • Disable-MailUser
  • Remove-MailUser

Exchange 2010 SP2 RTM can be downloaded from here : http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=28190

Source : http://blogs.technet.com/b/exchange/archive/2011/12/05/released-exchange-server-2010-sp2.aspx

dinsdag 29 november 2011

Microsoft releases Lync Cumulative update 4 ( CU4 ) and adds support for upcoming Lync Mobile Services

Lync CU4 was released last week.
As you may know, CU4 is a requirement for deploying Lync Mobile clients (expected next month).
( more information on Lync Mobile : http://lync.microsoft.com/en-us/Product/UserInterfaces/Pages/lync-2010-mobile.aspx )
I recommend using the LyncServerUpdateInstaller.exe to update your Lync deployment.
In our case , the update installed without any issues.

There are a couple of new cmdlets available in the management shell :
  • Get-CsAutodiscoverConfiguration
  • New-CsAutodiscoverConfiguration
  • Remove-CsAutodiscoverConfiguration
  • Set-CsAutodiscoverConfiguration
  • New-CsWebLink
  • Test-CsMcxPushNotification
  • Get-CsMobilityPolicy
  • Grant-CsMobilityPolicy
  • New-CsMobilityPolicy
  • Remove-CsMobilityPolicy
  • Set-CsMobilityPolicy
  • Get-CsMcxConfiguration
  • New-CsMcxConfiguration
  • Remove-CsMcxConfiguration
  • Set-CsMcxConfiguration
  • Get-CsPushNotificationConfiguration
  • New-CsPushNotificationConfiguration
  • Remove-CsPushNotificationConfiguration
  • Set-CsPushNotificationConfiguration

Issues that this update fixes

This update package also fixes the issues that are previously documented in the following Microsoft Knowledge Base (KB) articles:
  • 2629913 (http://support.microsoft.com/kb/2629913/ ) IMs are still archived in Outlook after the behavior is disabled by policies in Lync 2010
  • 2637591 (http://support.microsoft.com/kb/2637591/ ) No IM notification is sent to the notification URI in Lync 2010
  • 2607289 (http://support.microsoft.com/kb/2607289/ ) The language of a Lync 2010 client resets to English
  • 2614343 (http://support.microsoft.com/kb/2614343/ ) An update is available to enable RTAudio narrowband between Lync 2010 clients and Mediation servers in Lync Server 2010
  • 2623817 (http://support.microsoft.com/kb/2623817/ ) A user does not receive roster updates during and after a database failover in Lync 2010
  • 2623814 (http://support.microsoft.com/kb/2623814/ ) The application-sharing feature does not work in a meeting which contains an anonymous user in Lync 2010
  • 2623823 (http://support.microsoft.com/kb/2623823/ ) An update is available to enable the presence information on voice and video capabilities in Lync 2010
  • 2623821 (http://support.microsoft.com/kb/2623821/ ) A blank window might display when Lync 2010 starts
  • 2629910 (http://support.microsoft.com/kb/2629910/ ) Inaccurate warning message during an instant message conversation in Lync 2010
  • 2623818 (http://support.microsoft.com/kb/2623818/ ) The IM history is not stored in the default Exchange mailbox when you use Lync 2010
  • 2639837 (http://support.microsoft.com/kb/2639837/ ) "An error occurred during the online meeting." notification when a user tries to join an online meeting that is created in Outlook by using Lync 2010
  • 2623813 (http://support.microsoft.com/kb/2623813/ ) An update is available to apply certain changes on the "Set Location" feature in Lync 2010
  • 2647471 (http://support.microsoft.com/kb/2647471/ ) The screensaver does not start when you perform media connectivity actions in Lync 2010
Description of the cumulative update for Lync 2010 November 2011 : http://support.microsoft.com/kb/2493736
Direct download for CU4

maandag 28 november 2011

Use Existing AD security groups to manage Office 365 Mailbox Permissions such as Full Control or SendAs

You probably noticed that existing AD security groups do get synced to Office 365, but you cannot select them within the Exchange EMC to manage user permissions.
Also, existing user permissions for mailboxes are reset after the move.

We use many groups to manage mailbox permissions such as Full Control or SendAs, and we would like to keep using the existing, already populated groups for managing permissions.

Existing security groups are not mail-enabled and are probably global in scope.
To set permissions in the Office 365 EMC the group needs to be universal and mail-enabled.
To be able to use the existing groups, I changed the groupType of my existing groups.
We had global security groups named GG_Mailbox_Mailboxname.
The groupType was set to -2147483646 (attribute editor).
Notice that the group does not show up in the "New Distribution Group" wizard when browsing for existing AD groups.

To use the group within the EMC I first changed the groupType to -2147483640.
Only a one-digit difference.
Once changed, you will find the group in the "New Distribution Group" wizard when browsing for existing AD groups.

Double click the group to add it as an existing group and click next in the wizard.

Notice that the group type, name and pre-Windows 2000 name are already pre-populated.
The group type we already changed with the attribute editor in AD.
The only thing left to do is set an alias for the group, because the group needs to be mail-enabled.
Click Next and then New on the following screen.

Click Finish to close the wizard.
The changes do need to be synchronized to Office 365, so it is wise to force a Dirsync synchronization; otherwise wait for the scheduled synchronization.
To force a Dirsync synchronization, refer to the following article: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx#BKMK_SynchronizeDirectories

Once the group is synced, notice that it is possible to choose the group when setting Full Access permissions on a mailbox. One thing I noticed is that once I changed the groupType and Dirsync replicated the changes, the existing permission groups became visible again within the Full Access details of the user. Groups that I used in the on-premises situation got migrated to Office 365.

The one thing you do need to re-configure is SendAs permissions.
These permissions cannot be set within the EMC for Office 365, only with PowerShell.

Set up a remote PowerShell connection to Office 365.
To do this, refer to the following article: http://help.outlook.com/en-us/140/cc952755.aspx
Once connected to Exchange Online for Office 365, use the following cmdlet to add SendAs permissions for the just created / edited security group.

For easy copy-pasting:
Add-RecipientPermission Mailbox@domain.com -trustee groupname@domain.com -AccessRights SendAs

Where mailbox@domain.com is the mailbox you want to set the permissions for and the trustee is the person or group you want to grant the permission to.
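As an added example (not the original post's procedure, which edits groupType by hand in the AD attribute editor), the scope change and mail-enabling can be scripted on-premises with the ActiveDirectory module and the Exchange 2010 Management Shell. The function name, the group name GG_Mailbox_Sales and the alias are placeholders I chose; the groupType values are the ones from the post.

```powershell
# Added example, not the original post's method. Assumes the ActiveDirectory
# module and the on-premises Exchange 2010 Management Shell are available.
Import-Module ActiveDirectory

function Convert-MailboxPermissionGroup {
    param(
        [Parameter(Mandatory = $true)][string]$GroupName,
        [Parameter(Mandatory = $true)][string]$Alias
    )
    $group = Get-ADGroup -Identity $GroupName -Properties groupType, memberOf

    # groupType is a bit mask: 0x2 = global, 0x8 = universal,
    # 0x80000000 = security-enabled. The post's values decode as
    #   -2147483646 = 0x80000002  global security group
    #   -2147483640 = 0x80000008  universal security group
    # (the "one digit difference" is the scope bit; the security bit stays set).
    if (($group.groupType -band 0x80000000) -eq 0) {
        throw "$GroupName is a distribution group; mailbox permissions need a security group."
    }

    # AD refuses to convert a global group to universal while it is still a
    # member of another global group, so report that up front.
    $blocking = @($group.memberOf) | Where-Object { $_ } |
        ForEach-Object { Get-ADGroup -Identity $_ } |
        Where-Object { $_.GroupScope -eq 'Global' }
    if ($blocking) {
        $names = ($blocking | ForEach-Object { $_.Name }) -join ', '
        throw "Remove $GroupName from global group(s) $names first."
    }

    if ($group.GroupScope -ne 'Universal') {
        Set-ADGroup -Identity $group -GroupScope Universal
    }

    # Mail-enable the group; Dirsync then provisions it to Office 365, where the
    # EMC can pick it for Full Access. SendAs still needs Add-RecipientPermission
    # in the Exchange Online remote shell, as shown in the post.
    Enable-DistributionGroup -Identity $group.DistinguishedName -Alias $Alias

    Get-ADGroup -Identity $GroupName -Properties groupType, mail |
        Select-Object Name, GroupScope, groupType, mail
}

# Placeholder names; use one of your own GG_Mailbox_* groups.
Convert-MailboxPermissionGroup -GroupName 'GG_Mailbox_Sales' -Alias 'GG_Mailbox_Sales'
```

Mail-enabling a permission group also makes it addressable and lists it in the GAL; if it should stay invisible to users, follow up with Set-DistributionGroup -HiddenFromAddressListsEnabled $true before forcing the Dirsync run.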

Hope this helps!
It certainly made my life easier :).

donderdag 24 november 2011

Installing and configuring Dirsync 64 Bit for Office 365 ( FIM2010 )

Although the functionality of Dirsync 64-bit is the same as the 32-bit version, the underlying SQL is different. Therefore it is not possible to upgrade, and you have to install Dirsync 64-bit on a new computer.

The steps for installing Dirsync 64 bit:
  • Uninstall Dirsync 32-Bit
  • Prepare a new 64-bit computer ( or VM )
  • Install 64-Bit Dirsync
  • Complete Directory Service Configuration Wizard
Because you first uninstall Dirsync 32-bit, there is a time window during which changes are not synced to the cloud. After the 64-bit Dirsync is installed, on-premises objects are automatically matched to the cloud objects. But... object deletions during the time Dirsync was offline will not be detected.
Therefore, minimize the changes in AD during the time Dirsync is offline.

The first steps are uninstalling Dirsync 32-bit and preparing a new VM; I won't go into detail on that as it is very easy to do and not the same in every deployment.

There is something you should keep in mind: if you edited the connector filter within ILM, take note of the filters you added. You need to configure them again once Dirsync 64-bit is installed. More info on this in my October article: Dirsync filter unwanted users like service accounts

I prepared a new VM with Windows Server 2008 R2 SP1 installed. Ensure that .NET Framework (at least 2.0 SP1) is present and that you use at least Windows Server 2008 x64 or Windows Server 2008 R2 x64.

First, I downloaded Dirsync 64-bit from the download page.
Log on to the admin page and navigate to users, then click the link "Set up" next to Active Directory Synchronization.

Then click Windows 64-bit version and click download.

The installation of Dirsync 64 is the same as the 32-bit version.
It is pretty straightforward (next, next, Finish), so I won't go into detail.
Configuring Dirsync with the Dirsync wizard is exactly the same as the 32-bit version, but I will show some screens anyway.
Click next.

In the next screen, enter the credentials for the Office 365 admin account.
This account will be used to sync the accounts to Office 365.
We created a Dirsync service account without password expiry specifically for sync purposes.
I also created an article on how to do this : Create Dirsync service account

Then enter your AD Domain admin credentials. Click next.

We want to enable Hybrid Deployment, as we did on the 32-bit version. Click next.

In my case, the error below was shown. I came across this error in the 32-bit version also.
I did not log off after installing Dirsync and therefore I wasn't a member of the Dirsync admins.
I worked around this issue by granting my user account full control on the specified registry key.
Click retry.

After configuration completes, click next.

Then, enable the Synchronize now checkbox to start synchronizing.

You're done, Dirsync 64-bit is successfully installed.

Dirsync first imports all the AD users into the metaverse, then imports all of the cloud users into the metaverse and then runs a full synchronization. This should join the AD and cloud user into one object in the metaverse.

You can verify this by opening the Synchronization Service Manager found in
C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Under the operations tab you will find the history of all syncs.
Particularly interesting is the Full Confirming Import for the TargetWebService.

This shows the joins in the metaverse for the AD and cloud object.

All the customizations I have done with Dirsync 32-bit, I could also customize in Dirsync 64-bit.
Below is a recap of the customizations I have done; all are still applicable:
Keep in mind that the location of miisclient.exe has changed for editing MAs directly.
C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Good luck upgrading your Dirsync!

NOTE: Changing the DirSync configuration directly within FIM is unsupported by Microsoft. They would prefer you rerun the previously mentioned Configuration Wizard if you need to make any changes.