Tuesday 29 November 2011

Microsoft releases Lync Cumulative Update 4 (CU4) and adds support for the upcoming Lync Mobile services

Lync CU4 was released last week.
As you may know, CU4 is a requirement for deploying Lync Mobile clients (expected next month).
(More information on Lync Mobile: http://lync.microsoft.com/en-us/Product/UserInterfaces/Pages/lync-2010-mobile.aspx)
I recommend using LyncServerUpdateInstaller.exe to update your Lync deployment.
In our case, the update installed without any issues.

There are a couple of new cmdlets available in the management shell:
  • Get-CsAutodiscoverConfiguration
  • New-CsAutodiscoverConfiguration
  • Remove-CsAutodiscoverConfiguration
  • Set-CsAutodiscoverConfiguration
  • New-CsWebLink
  • Test-CsMcxPushNotification
  • Get-CsMobilityPolicy
  • Grant-CsMobilityPolicy
  • New-CsMobilityPolicy
  • Remove-CsMobilityPolicy
  • Set-CsMobilityPolicy
  • Get-CsMcxConfiguration
  • New-CsMcxConfiguration
  • Remove-CsMcxConfiguration
  • Set-CsMcxConfiguration
  • Get-CsPushNotificationConfiguration
  • New-CsPushNotificationConfiguration
  • Remove-CsPushNotificationConfiguration
  • Set-CsPushNotificationConfiguration

Issues that this update fixes

This update package also fixes the issues previously documented in the following Microsoft Knowledge Base (KB) articles:
  • 2629913 (http://support.microsoft.com/kb/2629913/) IMs are still archived in Outlook after the behavior is disabled by policies in Lync 2010
  • 2637591 (http://support.microsoft.com/kb/2637591/) No IM notification is sent to the notification URI in Lync 2010
  • 2607289 (http://support.microsoft.com/kb/2607289/) The language of a Lync 2010 client resets to English
  • 2614343 (http://support.microsoft.com/kb/2614343/) An update is available to enable RTAudio narrowband between Lync 2010 clients and Mediation servers in Lync Server 2010
  • 2623817 (http://support.microsoft.com/kb/2623817/) A user does not receive roster updates during and after a database failover in Lync 2010
  • 2623814 (http://support.microsoft.com/kb/2623814/) The application-sharing feature does not work in a meeting which contains an anonymous user in Lync 2010
  • 2623823 (http://support.microsoft.com/kb/2623823/) An update is available to enable the presence information on voice and video capabilities in Lync 2010
  • 2623821 (http://support.microsoft.com/kb/2623821/) A blank window might be displayed when Lync 2010 starts
  • 2629910 (http://support.microsoft.com/kb/2629910/) Inaccurate warning message during an instant message conversation in Lync 2010
  • 2623818 (http://support.microsoft.com/kb/2623818/) The IM history is not stored in the default Exchange mailbox when you use Lync 2010
  • 2639837 (http://support.microsoft.com/kb/2639837/) "An error occurred during the online meeting." notification when a user tries to join an online meeting that is created in Outlook by using Lync 2010
  • 2623813 (http://support.microsoft.com/kb/2623813/) An update is available to apply certain changes on the "Set Location" feature in Lync 2010
  • 2647471 (http://support.microsoft.com/kb/2647471/) The screensaver does not start when you perform media connectivity actions in Lync 2010
Description of the cumulative update for Lync 2010, November 2011: http://support.microsoft.com/kb/2493736
Direct download for CU4

Monday 28 November 2011

Use Existing AD security groups to manage Office 365 Mailbox Permissions such as Full Control or SendAs

You have probably noticed that existing AD security groups do get synced to Office 365, but you cannot select them within the Exchange EMC to manage mailbox permissions.
Also, existing user permissions on mailboxes are reset after the move.

We use many groups to manage mailbox permissions such as Full Access or SendAs, and we would like to keep using the existing, already populated groups for this.

Existing security groups are not mail-enabled and their scope is probably Global.
To set permissions in the Office 365 EMC, the group needs to be Universal and mail-enabled.
To be able to use the existing groups, I changed the groupType of those groups.
We had global security groups named GG_Mailbox_Mailboxname.
Their groupType was set to -2147483646 (visible in the attribute editor).
Notice that such a group does not show up in the "New Distribution Group" wizard when browsing for existing AD groups.

To use the group within the EMC, I first changed the groupType to -2147483640.
Only one digit differs.
Once changed, you will find the group in the "New Distribution Group" wizard when browsing for existing AD groups.

Double click the group to add it as an existing group and click next in the wizard.

Notice that the group type, name and pre-Windows 2000 name are already pre-populated.
We already changed the group type with the attribute editor in AD.
The only thing left to do is set an alias for the group, because the group needs to be mail-enabled.
Click Next, and New on the following screen.

Click Finish to complete the wizard.
The changes need to be synchronized to Office 365, so it is wise to force a Dirsync synchronization; otherwise wait for the next scheduled synchronization.
To force a Dirsync synchronization, refer to the following article: http://onlinehelp.microsoft.com/en-us/office365-enterprises/ff652557.aspx#BKMK_SynchronizeDirectories

Once the group is synced, notice that it is possible to choose the group when setting Full Access permissions on a mailbox. One thing I noticed is that once I changed the groupType and Dirsync replicated the change, the existing permission groups became visible again within the Full Access details of the user. Groups that I used in the on-premises situation were migrated to Office 365.

The one thing you do need to re-configure is SendAs permissions.
These permissions cannot be set within the EMC for Office 365, only with PowerShell.

Set up a remote PowerShell connection to Office 365.
For this I refer to the following article: http://help.outlook.com/en-us/140/cc952755.aspx
Once connected to Exchange Online for Office 365, use the following cmdlet to add SendAs permissions for the just created / edited security group.

For easy copy-pasting:
Add-RecipientPermission -Identity mailbox@domain.com -Trustee groupname@domain.com -AccessRights SendAs

Here mailbox@domain.com is the mailbox that you want to set the permissions on, and the trustee is the user or group you want to grant the permission to.
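As an added example (not code from the original post), the following PowerShell decodes the groupType values mentioned above and performs the Global to Universal change through the ActiveDirectory module, so the directory itself rejects an invalid scope change instead of accepting a hand-typed number. It assumes PowerShell 3.0 or later with the RSAT ActiveDirectory module, and the group name GG_Mailbox_Sales is hypothetical.

```powershell
# Added example, not from the original post. Assumes the ActiveDirectory (RSAT) module.
Import-Module ActiveDirectory

# groupType bit flags as defined for the AD attribute. The attribute is a signed 32-bit
# integer, so the security flag (0x80000000) makes the whole value negative:
#   -2147483646 = 0x80000002 = Security + Global
#   -2147483640 = 0x80000008 = Security + Universal
$GroupTypeGlobal      = 0x00000002
$GroupTypeDomainLocal = 0x00000004
$GroupTypeUniversal   = 0x00000008
$GroupTypeSecurity    = [int]::MinValue   # 0x80000000 expressed as a signed Int32

function ConvertFrom-GroupType {
    param([Parameter(Mandatory)][int]$GroupType)
    if     ($GroupType -band $GroupTypeGlobal)      { $scope = 'Global' }
    elseif ($GroupType -band $GroupTypeDomainLocal) { $scope = 'DomainLocal' }
    elseif ($GroupType -band $GroupTypeUniversal)   { $scope = 'Universal' }
    else                                            { $scope = 'Unknown' }
    if ($GroupType -band $GroupTypeSecurity) { $category = 'Security' } else { $category = 'Distribution' }
    [pscustomobject]@{
        Value    = $GroupType
        Hex      = '0x{0:X8}' -f $GroupType      # two's-complement view of the same bits
        Scope    = $scope
        Category = $category
    }
}

function Convert-GlobalGroupToUniversal {
    param([Parameter(Mandatory)][string]$Name)
    $group  = Get-ADGroup -Identity $Name -Properties groupType
    $before = ConvertFrom-GroupType -GroupType $group.groupType
    if ($before.Category -ne 'Security') { throw "$Name is a distribution group; not changing it." }
    if ($before.Scope -eq 'Universal')   { return $before }   # nothing to do
    # A Global group may become Universal unless it is a member of another Global group;
    # Set-ADGroup lets the directory enforce that rule instead of blindly writing the attribute.
    Set-ADGroup -Identity $group -GroupScope Universal
    ConvertFrom-GroupType -GroupType (Get-ADGroup -Identity $group -Properties groupType).groupType
}

# Decode the two values from the post, then convert a hypothetical mailbox group.
ConvertFrom-GroupType -GroupType (-2147483646)   # Scope Global, Category Security
ConvertFrom-GroupType -GroupType (-2147483640)   # Scope Universal, Category Security
Convert-GlobalGroupToUniversal -Name 'GG_Mailbox_Sales'
```

Mail-enabling the group (the alias step in the EMC wizard) is still needed afterwards; this script only changes the scope.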

Hope this helps!
It certainly made my life easier :).

Thursday 24 November 2011

Installing and configuring Dirsync 64-bit for Office 365 (FIM 2010)

Although the functionality of Dirsync 64-bit is the same as the 32-bit version, the underlying SQL is different. Therefore an in-place upgrade is not possible and you have to install Dirsync 64-bit on a new computer.

The steps for installing Dirsync 64 bit:
  • Uninstall Dirsync 32-Bit
  • Prepare a new 64-bit computer ( or VM )
  • Install 64-Bit Dirsync
  • Complete Directory Service Configuration Wizard
Because you first uninstall Dirsync 32-bit, there is a time window in which changes are not synced to the cloud. After the 64-bit Dirsync is installed, on-premises objects are automatically matched to the cloud objects. But object deletions made during the time Dirsync was offline will not be detected.
Therefore, minimize the changes in AD during the time Dirsync is offline.

The first steps are uninstalling Dirsync 32-bit and preparing a new VM. I won't go into detail on that, as it is very easy to do and differs per deployment.

There is something you should keep in mind: if you edited the connector filter within ILM, take note of the filters you added. You need to configure them again once Dirsync 64-bit is installed. More on this in my October article: Dirsync filter unwanted users like service accounts

I prepared a new VM with Windows Server 2008 R2 SP1 installed. Ensure that the .NET Framework (at least 2.0 SP1) is present and that you use at least Windows Server 2008 x64 or Windows Server 2008 R2 x64.

First, I downloaded Dirsync 64-bit from the download page.
Log on to the admin page and navigate to users, then click the link "Set up" next to Active Directory Synchronization.

Then click Windows 64-bit version and click download.

The installation of Dirsync 64-bit is the same as for the 32-bit version.
It is pretty straightforward (Next, Next, Finish), so I won't go into detail.
Configuring Dirsync with the Dirsync wizard is exactly the same as for the 32-bit version, but I will show some screens anyway.
Click Next.

In the next screen, enter the credentials for the Office 365 admin account.
This account will be used to sync the accounts to Office 365.
We created a Dirsync service account without password expiry specifically for sync purposes.
I also wrote an article on how to do this: Create Dirsync service account

Then enter your AD Domain admin credentials. Click next.

We want to enable Hybrid Deployment, as we did on the 32-bit version. Click Next.

In my case, the error below was shown. I came across this error in the 32-bit version as well.
I did not log off after installing Dirsync and therefore I wasn't yet a member of the Dirsync admins group.
I worked around this issue by granting my user account full control on the specified registry key.
Click Retry.

After configuration completes, click Next.

Then enable the "Synchronize now" checkbox to start synchronizing.

You're done; Dirsync 64-bit is successfully installed.

Dirsync first imports all the AD users into the metaverse, then imports all of the cloud users into the metaverse, and then runs a full synchronization. This should join the AD and cloud user into one object in the metaverse.

You can verify this by opening the Synchronization Service Manager found in
C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Under the Operations tab you will find the history of all syncs.
Particularly interesting is the Full Confirming Import for the TargetWebService.

This shows the joins in the metaverse for the AD and cloud object.

All the customizations I made in Dirsync 32-bit could also be made in Dirsync 64-bit.
Below is a recap of the customizations I made; all are still applicable:
Keep in mind that the location of miisclient.exe, used for editing the MAs directly, has changed:
C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe
Good luck upgrading your Dirsync!

NOTE: Changing the DirSync configuration directly within FIM is unsupported by Microsoft. They would prefer you rerun the previously mentioned Configuration Wizard if you need to make any changes.

Wednesday 23 November 2011

Configuring voicemail in the Cloud with Office 365 UM and Lync on-premise

With Office 365 (and Exchange Online) you can enable (hosted) Unified Messaging for your on-premises Lync deployment. This means that Office 365 users who work with Lync on-premises can use a hosted voicemail solution.

To do this, you need to route voicemail calls to your Office 365 deployment.
Below you will find the steps to follow to allow Lync on-premises to use the voicemail services in Office 365.

  • Ensure you have a working Lync environment.
  • Verify or configure on-premise Lync for integration with Office 365
  • Edit global or create new Hosted Voice Mail Policy.
  • Create UM Dial Plan.
  • Configure an E.164 Routing Number within the Dial Plan and Configure a Subscriber Access Number.
  • Create a Lync Exchange UM Contact to represent the previously created Dial Plan in Exchange.
  • Associate the Hosted VoiceMail Policy with the Contact Object.
  • Enable UM for the user.

First of all, you need an existing (and working) Lync environment, including a Standard Edition server (or Enterprise pool) along with a Mediation and an Edge server.
The next step is to verify or configure on-premises Lync for integration with Office 365.
In one of my previous posts, I describe this process. Direct link to post.
You have to configure the integration, otherwise voicemail will not work.

By default Lync creates a global HostedVoicemailPolicy; you can also create a new HostedVoicemailPolicy scoped to a site or user.
I edited the global policy because for us there is no need to create different policies.

Log on to one of your Lync servers and open an elevated Lync Server Management Shell.
To edit the global HostedVoicemailPolicy, use the following command.

It is very important that you always use exap.um.outlook.com for the destination and an authoritative domain within Office 365 for the organization.
The third-level domain that is assigned to the customer when they sign up for Office 365 (domain.onmicrosoft.com) is a good choice.
For more information about which domain to choose for the Organization parameter, refer to the following community article: Community Office 365 Unified Messaging
If you do not set the organization to an authoritative domain, you will get an error message from Exchange Online once everything is set up.
The error is shown below.

Now it is time to create a new UM dial plan for the Lync users who will use Online UM for voicemail.
To do this, log on to the Office 365 admin page and select Manage under Exchange Online, as shown below.

This opens the Exchange Control Panel.
Select Phone & Voice, choose UM Dial Plans and click New.

This opens the New UM Dial Plan wizard.
Enter your preferred settings; we only use 3-digit extensions.
For Dial Plan URI type choose SIP URI, and choose your preferred audio language.

Next we have to configure the dial plan with an E.164 routing number that matches the dial plan we just created.
This tells Exchange UM how to route calls for UM-enabled users. You also need to fill in a Subscriber Access Number in readable format; this is shown in the e-mail users get when they are UM-enabled.
It is also visible in OWA.
Open the details of the dial plan and click Configure UM Dial Plan.

Enter the E.164 Routing Number you have chosen for accessing Voicemail and enter a number in readable format that will be presented to users.

Now we need to create a contact in AD to represent the dial plan. This can be done on the Lync server via the Lync Server Management Shell.
The command is shown below.
  • For DisplayNumber, enter the number you entered in the dial plan.
  • For SipAddress, enter EX-UM-SA@domain.com
  • For RegistrarPool, enter the FQDN of your Lync server pool.
  • For OU, enter the DN of the OU where you want to place the contact.

This creates the contact in the designated OU.
We now have to associate the Hosted Voicemail Policy (the edited global policy) with the contact we just made.

First, run Get-CsExUmContact to get the identity of the contact we just made.
Note down the Identity.
Enter the command below and specify the global policy as the policy name.

Well... now you are good to go!
The next thing is to enable the user for UM and test your voicemail!

The cmdlets used, for easy copy-pasting :) :
Edit the global hosted voicemail policy:
Set-CsHostedVoicemailPolicy -Identity Global -Destination exap.um.outlook.com -Organization domain.onmicrosoft.com

Create the Lync contact for Hosted UM:
New-CsExUmContact -DisplayNumber "+<E.164 number>" -SipAddress sip:EX-UM-SA@domain.com -RegistrarPool <registrar pool FQDN> -OU "<DN of the OU you want to place the contact in>"

Associate the Lync contact with the Hosted Voicemail Policy:
Grant-CsHostedVoicemailPolicy -Identity <contact identity> -PolicyName Global
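The three steps above as one re-runnable script, added here as an example and not code from the original post: it validates the inputs first, creates the contact only if it does not exist yet, and passes the Identity returned by New-CsExUmContact straight to Grant-CsHostedVoicemailPolicy instead of copying it by hand. All values (domains, number, pool, OU) are hypothetical placeholders; the E.164 pattern is an assumption of this example.

```powershell
# Added example, not from the original post. Run in an elevated Lync Server Management Shell.
$Organization  = 'contoso.onmicrosoft.com'          # authoritative Office 365 domain for -Organization
$DisplayNumber = '+31201234567'                     # E.164 routing number configured in the UM dial plan
$SipAddress    = 'sip:EX-UM-SA@contoso.com'
$RegistrarPool = 'lyncpool.contoso.local'
$ContactOu     = 'OU=Lync Contacts,DC=contoso,DC=local'

function Set-HostedVoicemailIntegration {
    param(
        [Parameter(Mandatory)][string]$Organization,
        [Parameter(Mandatory)][string]$DisplayNumber,
        [Parameter(Mandatory)][string]$SipAddress,
        [Parameter(Mandatory)][string]$RegistrarPool,
        [Parameter(Mandatory)][string]$ContactOu
    )
    # Catch input mistakes up front rather than after the objects have been created.
    if ($DisplayNumber -notmatch '^\+[1-9]\d{6,14}$') { throw "DisplayNumber '$DisplayNumber' is not an E.164 number" }
    if ($SipAddress -notmatch '^sip:[^@\s]+@[^@\s]+$') { throw "SipAddress '$SipAddress' must look like sip:user@domain" }
    if ($Organization -notmatch '\.onmicrosoft\.com$') {
        Write-Warning "Organization '$Organization' is not the tenant's onmicrosoft.com domain; make sure it is authoritative in Office 365."
    }

    # Step 1: point the global hosted voicemail policy at Exchange Online UM.
    Set-CsHostedVoicemailPolicy -Identity Global -Destination 'exap.um.outlook.com' -Organization $Organization

    # Step 2: create the Exchange UM contact only if it is not already there (safe to re-run).
    $contact = Get-CsExUmContact -Filter "SipAddress -eq '$SipAddress'"
    if (-not $contact) {
        $contact = New-CsExUmContact -DisplayNumber $DisplayNumber -SipAddress $SipAddress `
                                     -RegistrarPool $RegistrarPool -OU $ContactOu
    }

    # Step 3: associate the global policy with the contact, using the Identity we already hold.
    Grant-CsHostedVoicemailPolicy -Identity $contact.Identity -PolicyName Global

    Get-CsExUmContact -Identity $contact.Identity | Select-Object Identity, SipAddress, DisplayNumber
}

Set-HostedVoicemailIntegration -Organization $Organization -DisplayNumber $DisplayNumber `
    -SipAddress $SipAddress -RegistrarPool $RegistrarPool -ContactOu $ContactOu
```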

Good luck!

Change Dirsync (32-bit) sync interval to less than 3 hours

There may be scenarios where you don't want to wait 3 hours for Dirsync to copy changes to Office 365.
If you have lots of changes per day, you might want to consider changing the sync interval to less than 3 hours.

Keep in mind that Dirsync takes some time to copy all the changes to Office 365.
Monitor the event logs on the Dirsync machine to check how long it takes to sync changes to Office 365.
In our case, this is about 5 minutes.

To change the sync interval we have to make a change to the configuration of the "Microsoft Online Services Directory Synchronization Service".
  • Log on to the Dirsync machine.
  • Browse to "C:\Program Files\Microsoft Online Directory Sync"
  • Open "Microsoft.Online.DirSync.Scheduler.exe.Config" with Notepad.

Once opened, you will find the content shown below.

Notice the "SyncTimeInterval" setting and its value.

The notation for this value is Hours:Minutes:Seconds.
Change the value of SyncTimeInterval to the desired value.
In my case I changed the value to 0:15:0, which represents 0 hours, 15 minutes and 0 seconds.
In other words, a sync every 15 minutes.

Save the config file and restart the "Microsoft Online Services Directory Synchronization Service".
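The same change scripted, as an added example (not from the original post): it validates the Hours:Minutes:Seconds value, refuses an interval shorter than one sync run, keeps a timestamped backup of the config and restarts the service. It assumes the config file is a standard .NET app config holding an appSettings entry with key SyncTimeInterval, and that the service can be found by the display name the post restarts by hand.

```powershell
# Added example, not from the original post. Run as an administrator on the Dirsync machine.
# Assumed file layout: <configuration><appSettings><add key="SyncTimeInterval" value="3:0:0" /></appSettings></configuration>
$ConfigPath  = 'C:\Program Files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config'
$ServiceName = 'Microsoft Online Services Directory Synchronization Service'   # service display name

function Get-DirSyncIntervalNode {
    param([string]$Path = $ConfigPath)
    [xml]$xml = Get-Content -Path $Path
    $node = @($xml.configuration.appSettings.add) | Where-Object { $_.key -ieq 'SyncTimeInterval' }
    if (-not $node) { throw "No SyncTimeInterval setting found in $Path" }
    $node   # the <add> element; its OwnerDocument is the loaded config
}

function Set-DirSyncInterval {
    param(
        [Parameter(Mandatory)][string]$Interval,   # Hours:Minutes:Seconds, e.g. 0:15:0
        [int]$MinimumMinutes = 5,                  # floor: the post measured a sync run of about 5 minutes
        [string]$Path = $ConfigPath
    )
    # Validate the H:M:S notation before touching the file. An interval shorter than one
    # sync run would queue runs back to back, so refuse anything under the floor.
    if ($Interval -notmatch '^\d{1,2}:\d{1,2}:\d{1,2}$') { throw "'$Interval' is not in Hours:Minutes:Seconds form" }
    $span = [TimeSpan]::Parse($Interval)
    if ($span.TotalMinutes -lt $MinimumMinutes) { throw "'$Interval' is below the $MinimumMinutes-minute floor" }

    $node = Get-DirSyncIntervalNode -Path $Path
    $old  = $node.value

    # Keep a timestamped backup, write the new value, then bounce the scheduler service.
    Copy-Item -Path $Path -Destination ('{0}.{1}.bak' -f $Path, (Get-Date -Format 'yyyyMMddHHmmss'))
    $node.value = $Interval
    $node.OwnerDocument.Save($Path)
    Get-Service -DisplayName $ServiceName | Restart-Service

    [pscustomobject]@{ Setting = 'SyncTimeInterval'; Old = $old; New = $Interval; Minutes = $span.TotalMinutes }
}

Get-DirSyncIntervalNode | Select-Object key, value   # show the current value first
Set-DirSyncInterval -Interval '0:15:0'               # the 15-minute interval used in the post
```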

Good luck!

Tuesday 22 November 2011

Configuring IM integration with Lync on-prem and Office 365 OWA

When using Office 365 in a hybrid configuration with Lync on-premises, you will probably notice that IM is not available in Outlook Web App.

To integrate on-premises Lync Server 2010 with Exchange Online, you must configure a shared SIP address space (also called a split domain). We need to follow the steps below in the on-premises Lync environment. These steps are also mandatory for configuring hosted voicemail.

  • Check SRV records
  • Check setting "Enable partner domain discovery" in Access Edge configuration
  • Configure Lync Edge server for Integration with Hosted UM

First, you have to check the presence of the Lync DNS SRV records.
These records are required for a Lync Edge server to route to a hosted Exchange such as Office 365.
To verify the presence of the SRV record, follow these steps:

  • Log on to a client computer in the domain.
  • Click Start, and then click Run.
  • At the command prompt, run the following command:
  • nslookup -type=SRV _sipfederationtls._tcp.domain.com

This should return the name of the DNS server, its IP address and the SRV record with its target.
If it returns a non-existent domain, follow this TechNet article.
Please note that when using split DNS, the SRV records also need to be present in your external DNS zone.

The next step is to check that the setting "Enable partner domain discovery" is enabled in the Access Edge configuration.
Steps to check this can be found in the following article:

The next step is configuring the Lync Edge server for integration with Office 365 OWA.
If you already configured federation on your Edge server, you can skip the Set-CsAccessEdgeConfiguration cmdlet (verify the settings below using Get-CsAccessEdgeConfiguration | fl).
If you haven't set up federation yet, log on to your Lync server and open an elevated Lync Server Management Shell.

Use "Set-CsAccessEdgeConfiguration -AllowFederatedUsers $True" to allow federation.
Use "Get-CsAccessEdgeConfiguration | fl" to verify that this changed "AllowFederatedUsers" to True.

The last thing we have to set up is a hosting provider for Office 365.
Use the same Lync Server Management Shell to do this.
Use the cmdlet below to add the Office 365 hosting provider.

New-CsHostingProvider -Identity "Hosted UM" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "exap.um.outlook.com" -IsLocal $False -VerificationLevel UseSourceVerification

Use "Get-CsHostingProvider" to verify that the hosting provider has been created.
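A read-only check of the three prerequisites above, added as an example (not from the original post), meant to be run in the Lync Server Management Shell on a front end. The SIP domain is a hypothetical placeholder; because Resolve-DnsName is not available on Windows Server 2008 R2, the SRV check drives nslookup and parses its output.

```powershell
# Added example, not from the original post. Reads configuration only; changes nothing.
$SipDomain = 'contoso.com'   # hypothetical SIP domain

function Test-SipFederationSrv {
    param([string]$Domain = $SipDomain)
    # nslookup prints "svr hostname = <target>" for an SRV answer; anything else is a failure.
    $output = (& nslookup.exe -type=SRV "_sipfederationtls._tcp.$Domain" 2>&1) -join "`n"
    $found  = $output -match 'svr hostname\s*=\s*(\S+)'
    if ($found) { $detail = "target $($Matches[1])" } else { $detail = 'no SRV record returned' }
    [pscustomobject]@{ Check = "SRV _sipfederationtls._tcp.$Domain"; Passed = $found; Detail = $detail }
}

function Test-EdgeFederationSettings {
    # Both flags live on the Access Edge configuration: federation itself and partner discovery.
    $edge = Get-CsAccessEdgeConfiguration
    foreach ($name in 'AllowFederatedUsers', 'EnablePartnerDiscovery') {
        [pscustomobject]@{ Check = $name; Passed = [bool]$edge.$name; Detail = "$name = $($edge.$name)" }
    }
}

function Test-HostedUmProvider {
    # Match on the proxy FQDN rather than the display name, since the name is free-form.
    $hp = Get-CsHostingProvider | Where-Object { $_.ProxyFqdn -ieq 'exap.um.outlook.com' }
    $ok = [bool]$hp -and $hp.Enabled -and $hp.EnabledSharedAddressSpace -and
          (-not $hp.HostsOCSUsers) -and ($hp.VerificationLevel -eq 'UseSourceVerification')
    if ($hp) { $detail = "provider '$($hp.Identity)'" } else { $detail = 'no provider with ProxyFqdn exap.um.outlook.com' }
    [pscustomobject]@{ Check = 'HostingProvider exap.um.outlook.com'; Passed = [bool]$ok; Detail = $detail }
}

@(Test-SipFederationSrv) + @(Test-EdgeFederationSettings) + @(Test-HostedUmProvider) | Format-Table -AutoSize
```

The Edge settings are read from the Central Management Store, so a Passed result here does not yet prove the Edge server has received the replicated change; the post's waiting step still applies.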

Source: TechNet article

Now the only thing left to do is wait for replication between the Lync server and the Lync Edge.
After some time, you should see that IM is working within Office 365 OWA.

Good luck!

Friday 18 November 2011

64-bit Directory Synchronization support for Office 365 (based on FIM 2010)

Since the introduction of Office 365 there was only a 32-bit option for Directory Synchronization.
Therefore you needed to install a 32-bit version of your OS.
Very annoying.

But, finally, it has arrived.

Microsoft has created a 64-bit Directory Synchronization tool for Office 365.
FIM 2010 (Forefront Identity Manager 2010) is used as the underlying sync engine.

To download the 64-bit version of the directory synchronization tool from the Office 365 portal:
  • In the header, click Admin.
  • On the Admin page, in the left pane, click Users.
  • At the top of the Users page, click the link next to Active Directory synchronization.
  • Under step 4, select Windows 64-bit version, and then click Download.
I will be upgrading in the near future and will describe the upgrade process here.

Office 365 wiki for the 64-bit sync tool: http://community.office365.com/en-us/w/sso/555.aspx

Friday 11 November 2011

How to stop Dirsync from breaking after 90 days (password expiry)

Last week I noticed that Dirsync did not sync anymore.
When logging on to the Microsoft Online Portal, I noticed that I needed to change my password.
During the initial setup of Office 365, I had used my own Office 365 admin account for setting up Dirsync.
My password had expired and therefore Dirsync did not work either.
To restore Dirsync synchronization you need to run the Directory Sync Configuration wizard again.

To prevent Dirsync from breaking every time your password expires, it is wise to set up a dedicated Dirsync service account with no password expiry.

To do this, log on to the Microsoft Online Portal and create a new user.
  • Login to https://portal.microsoftonline.com as a tenant Administrator
  • Under the Management menu, click on Users
  • Click on New, then select User from the drop down
  • Enter the appropriate details for the new user account and click next
  • Assign the new account “Global Administrator” rights
  • Complete the user creation process (You do not need to assign this user an Office 365 License!)
  • Make a note of the temporary account password
  • Start IE in “InPrivate” mode and browse to https://portal.microsoftonline.com
  • Login with your new DIRSYNC service account
  • On first login Office 365 will prompt you to change the password
  • Verify that you can logon to the Office 365 portal with your new account
Now you need to run the Directory Sync Configuration wizard again.
To do this, you need to have the Dirsync service account details and the AD Enterprise Administrator details.

  • Logon to your DIRSYNC server
  • Open Start > All Programs > Microsoft Online Services > Directory Synchronization > Directory Sync Configuration
  • Click Next at the welcome screen
  • Enter your new DIRSYNC service account details into the Microsoft Online Services Administrator Credentials box
  • Click Next (DIRSYNC will validate your credentials)
  • Enter your existing Enterprise Administrator Credentials into the Active Directory Enterprise Administrator Credentials box
  • Click Next (DIRSYNC will validate your credentials)
  • Enable the "Rich Coexistence” checkbox if you are deploying in “Hybrid” and want AD write-back
  • Click Next
  • DIRSYNC will re-configure itself to use the new account
At this point, I got an error saying that I did not have the appropriate permissions on the Dirsync registry key.

I needed to add permissions on the specified registry hive for my admin account to get the wizard to work. Adding your account to the local Administrators group also works.

  • Ensure that the Synchronize directories now checkbox is checked and click “Finish”
Dirsync is set up and working again, but password expiry is still active for the Dirsync account.
Make sure you understand the security risk of disabling password expiry: the Dirsync account has admin rights in your tenant.

To disable password expiry we need to connect to Office 365 with PowerShell. For this we need the Microsoft Online Services Sign-in Assistant and the Microsoft Online Services Module for Windows PowerShell.
These are already present on the ADFS server, so there is no need to install them on another machine.
  • Log on to your ADFS server and open PowerShell.
I created a short PowerShell script to connect to Office 365 quickly.

Import-Module MSOnline
$Cred = Get-Credential -Credential admin@domain.onmicrosoft.com
Connect-MsolService -Credential $Cred
Get-Command -Module MSOnline

  • Save the script as "365login.ps1" or something similar.
  • Open the Microsoft Online Services Module for Windows PowerShell.
    This is located in the Start menu.
  • Run your newly created PowerShell script.
    This prompts you for your Office 365 admin credentials.
Next, we run Get-MsolUser to show the current settings for the user.

This shows the current settings for the user. Notice the "PasswordNeverExpires" setting; it is set to False.
Now run the following command:

To confirm, re-run the Get-MsolUser command and verify that the setting has changed.

That's it; Dirsync won't break anymore because the password no longer expires.
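The check-and-change described above as a script, added as an example (not from the original post): it reads the account's PasswordNeverExpires flag together with the tenant admin roles it holds, so the risk noted earlier is visible before the flag is flipped, then sets it and reads the state back. It assumes an existing Connect-MsolService session (as established by the script above) and uses a hypothetical UPN for the service account.

```powershell
# Added example, not from the original post. Requires an existing Connect-MsolService session.
Import-Module MSOnline
$DirSyncUpn = 'dirsync@domain.onmicrosoft.com'   # hypothetical service account UPN

function Get-DirSyncAccountState {
    param([string]$Upn = $DirSyncUpn)
    $user = Get-MsolUser -UserPrincipalName $Upn
    # Walk the tenant roles and keep the ones that list this account as a member.
    $roles = foreach ($role in Get-MsolRole) {
        $members = Get-MsolRoleMember -RoleObjectId $role.ObjectId
        if ($members | Where-Object { $_.EmailAddress -ieq $Upn }) { $role.Name }
    }
    [pscustomobject]@{
        UserPrincipalName    = $user.UserPrincipalName
        PasswordNeverExpires = $user.PasswordNeverExpires
        LastPasswordChange   = $user.LastPasswordChangeTimestamp
        BlockCredential      = $user.BlockCredential
        Licensed             = $user.IsLicensed        # the post notes no license is needed
        AdminRoles           = ($roles -join ', ')     # Global Administrator is expected here
    }
}

function Set-DirSyncPasswordNeverExpires {
    param([string]$Upn = $DirSyncUpn)
    $before = Get-DirSyncAccountState -Upn $Upn
    if ($before.PasswordNeverExpires) { return $before }   # already set; nothing to change
    Set-MsolUser -UserPrincipalName $Upn -PasswordNeverExpires $true
    Get-DirSyncAccountState -Upn $Upn                     # read back to confirm the change
}

Get-DirSyncAccountState | Format-List            # shows PasswordNeverExpires = False and the roles held
Set-DirSyncPasswordNeverExpires | Format-List    # shows PasswordNeverExpires = True afterwards
```

Because the flag removes the expiry-driven rotation, keeping the returned AdminRoles list as narrow as the tool requires and watching the account's sign-ins is what compensates for it.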