About Michel de Rooij

I'm a Microsoft Exchange Server MVP and publisher of EighTwOne. I was originally a developer so hence my PowerShell affection. Connect with me on Twitter, LinkedIn or Google+ or just use the Contact Form.

The UC Architects Podcast Ep48

iTunes-Podcast-logo[1]Episode 48 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by John A Cook, Johan Veldhuis, Justin Morris and Tom Arbuthnot. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Exam ref 70-342 – Advanced Solutions of Exchange 2013 MCSE is available
  • Download An End-to-end Experience with Groups
  • Considering updating your Domain functional level from Windows 2003?
  • Single-Click Mailbox Conversion
  • Access Exchange 2013 public folders in a hybrid setup
  • Some things to do after leaving Windows Server 2003 (from an Exchange perspective)
  • Multiple OWA Virtual Directories in Exchange 2013
  • Office 365 – Two Azure AD Premium Features Coming To All Subscribers
  • What’s new in Office 365: January 2015
  • February 10, 2015 update for #Lync 2013 (KB2920744)
  • Leveraging SEFAUtil for #Lync Shared Line Appearance (Boss-Admin) Delegate Configuration
  • What to do when you can only hear yourself think while using Jabra Evolve 80
  • What’s New in LyncValidator
  • Introducing #Lync #Skype4B User Manager
  • Automatic Fortune Cookie Utility/ Local & Site-tosite dial plan GUI script
  • Lync Server Cookbook | PACKT Books
  • Skype for Business Notes from Microsoft Office365 Summit | The Lync Dude
  • Connecting IFTTT to Lync – getting IMs when stuff happens
  • Lync Server 2010 CU15 Link 1 Link 2
  • Lync Regions and assigning Dial-In Conference Number
  • Ignite and Enterprise Connect Events

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

Role-based Access Control

security officer RBACIt has been over 5 years (wait, what?) since I wrote an article on Role-based Access Control, or RBAC, in Exchange 2010. At that time, RBAC was a big architectural change in Exchange 2010 over Exchange 2007.

Present day, RBAC is still a much neglected topic in many Exchange organizations. It must be said that most organization can happily live with the default RBAC configuration. They have no need to dive in this versatile model to set up granular permissions in their organization. In bigger organizations, this configuration can also easily become quite complex.

For TechTarget I started writing few articles on the topic of RBAC, starting with the base components. There you can find Part 1, Part 2, and Part 3.

The UC Architects Podcast Ep47

iTunes-Podcast-logo[1]Episode 47 of The UC Architects podcast is now available,which was recorded at the Norwegian Lync Day. This episode is hosted by Steve Goodman, who is joined by John A Cook and Ståle Hansen. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Outlook for iOS and Android
  • Microsoft Ignite Session Catalog
  • Blocking Outlook App for iOS & Android
  • Planning and Migrating a Small Organization from Exchange 2003 to Exchange 2013
  • AWS Quick Start Reference Deployment – Exchange Server 2013
  • Considering an Exchange 2013 DAG without AAP?
  • Using a Microsoft Azure VM as a DAG witness server: Exchange 2013 Help
  • Securing Exchange and Lync 2013 with Multi-Factor Authentication
  • Exchange Server 2010 Reaches the End of Mainstream Support
  • Office for Android
  • Azure AD Improvements
  • Amazon Workmail
  • Setting up a multi-forest Azure AD Sync deployment
  • Office 365 Exchange Online Message Size Onboarding Limit Increased to 150mb
  • Drive Shipping and Network Based Data Import for Office 365
  • Skype for Business Video Interoperability Server (VIS)
  • Cumulative Update 10 for Lync Server 2013 released December 31, 2014
  • Fix for Google Chrome, stability
  • Lync 2013 Standard Automatic APP CU 10 December 2014
  • Lync SDN For Dummies – Part 2.1
  • Lync Admin Tools (free): make configuration, administrative and troubleshooting of Lync easier
  • Video calling between Skype and Lync is temporarily disabled
  • What’s New in Skype4B: SILK is default codec for P2P sessions Synchronize Lync Presence with Skype – Lync Exchange – UC Blog
  • Lync Dude: Simple Understanding of Lync Windows Fabric  Failover
  • Lync and Skype video calling is coming to your Android and iOS Devices
  • Passive Auth for Lync 2013 Android mobile client
  • Events

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

Blocking Outlook App for iOS & Android

imageYesterday, Microsoft announced the immediate availability the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December, last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Accompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which will retrieve e-mail from a POP or IMAP mailbox, will also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365,  is:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0″ (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).

As goes for all mobile devices in enterprise environments, as an organization it may be better to test and aprove devices and OS versions rather than to be confronted with mobile apps with possible faulty behavior after an update or which may violate corporate security policies.

Ignite 2015 Session Catalog is here!

ignite ButtonA short heads-up as the session catalog for Microsoft Ignite has been published. So, if you are still undecided or already want to pick ‘must see’ sessions for your schedule, you can check the session catalog here.

The session catalog contains 275 sessions, covering products like Exchange (49), Office 365 (85) and Skype for Business (26). It will be the first major Microsoft event where details will emerge on the next version of Exchange, Exchange v.Next.

The Exchange team published a blog on the Exchange-related Ignite sessions here. The blog contains a nice video featuring Greg Taylor and Jeff Mealiffe talking about what to expect at Ignite.

Also, on Febuary 3rd, the team behind Ignite as well as several speakers will be available on Twitter to answer any questions you may have on Ignite. Use the hashtag #IgniteJam to participate, or follow @MS_Ignite for any updates.

More information on Ignite, pre-day sessions, the session catalog and the #IgniteJam in the original post on Channel 9 here.

End of Exchange 2010 Mainstream Support

Exchange 2010 LogoWith all the media attention for Windows 7 going out of mainstream support, one might forget today also marks the end of mainstream support for Exchange Server 2010.

Exchange 2010, which was released in October, 2009 (which seems centuries ago now), and which still has a very large installed base, is going into the extended support phase.

Depending on your support contract, this means Microsoft will no longer provide free support for this product. Patches for security issues will still be available, and owners of premier support contracts are eligible for non-security updates through extended hotfix support option.

Exchange Server 2010 will reach end-of-life on January 14th, 2020.

EighTwOne 2014 Stats

stats chartOi! A tad late as I was enjoying a trip and celebrating New Year in the beautiful country of Brazil, but happy new year to all dear readers and followers.

The start of a new year gives opportunity to reflect on the past year which has been quite busy, apart from writing blog posts and creating and supporting scripts:

Looking at 2015, it will see the daylight of Ignite, the MOAME (Mother Of All Microsoft Events), and merger of events like MEC, LyncConf, TENA, SPC and MMS which will be held from May 4 – 8 in Chicago.

It promises to be an interesting year for Exchange On-Premises, with Microsoft’s cloud-first, mobile-first strategy, and Exchange Online / Office 365 as well. The next version of Exchange (’16’) it expected to be announced at Ignite, and it will become clear which features, new or currently available via Office 365, will make it to the next version of Exchange ‘on-premises’, and which ones will not. With the next version of Windows Server (’10’) expected end of 2015, it is very likely that Exchange ’16’ will require Windows Server 2012 R2 (or 2012) or Windows Server ’10’, adding support for Windows Management Framework 5 (PowerShell). Note that WMF5 might become available as an individual component, before the release of Windows Server ’10’. If things follow earlier OS/WMF dependencies for Exchange, the combination of Windows Server 2012 R2 with WMF5 is highly unlikely to become a supported combination for hosting Exchange.

There is also lots of development towards Azure, looking at the recent support for hosting your File-Share Witness on an Azure VM. This option, originally announced as a ‘possible feature’ in the works for CU2 back at TechEd North America 2013, introduces an interesting alternative for site fail-over scenarios.

Some stats of 2014:

Apart from the Archives, Versions, Builds and Dates, Schema Versions and Toolkit pages, these were the Top Posts (yes, Exchange 2010 is still a strong lead through search engines):

statscountries2014

Top 5 Visitor Countries:

  • United States (95,660)
  • United Kingdom (28,733)
  • Germany (22,730)
  • Australia (14,986)
  • Netherlands (14,242)

Top 5 Referrers:

  • social.technet.microsoft.com (TechNet forum)
  • blogs.technet.com (Technet blogs)
  • exchangeserverpro.com (Paul Cunningham)
  • experts-exchange (community)
  • community.spiceworks.com (community)

Top 5 Search Terms:

  • exchange target address hybrid query
  • kb2506143
  • powershell ise for exchange
  • msexcheseparamcachesizemax
  • exchange versions

(Re)configuring IM Integration

powershellAnyone who has configured Exchange 2013 IM integration with Lync Server at some point has to modify the web.config file on the Mailbox servers to configure OWA with the proper certificate for enabling IM. Another thing (read: nuisance) is that when you have configured IM integration and you apply a Cumulative Update to Exchange 2013, the web.config will be overwritten, in which case you need to reapply those changes to the web.config file.

This is where the script Configure-IMIntegration.ps1 might come in handy.

Requirements
Using the script requires Exchange 2013 and Lync Server. You need to provide the Lync pool and the Mailbox server you want to configure needs to have a valid certificate assigned to UM services. The script will modify the web.config remotely using the system share (e.g. C$), using the location of the Exchange installation, and uses WMI to recycle the OWA Application Pool in IIS. It will create a backup of the web.config before modifying it.

Note that the script does not perform the following steps:

  • It does not perform the Lync Server parts to configure IM integration, e.g. configure Exchange as a trusted application.
  • It does not configure Lync Server as an partner application for Exchange (Configure-EnterprisePartnerApplication.ps1).

Usage
The script Configure-IMIntegration.ps1 uses the following syntax:

.\Configure-IMIntegration.ps1 [-Server <String>] -PoolFQDN <String> [-AllCAS] [-AllMailbox]

A quick walk-through on the parameters and switches:

  • Server specifies the server to configure. When omitted, it will configure the local server. This parameter is mutually exclusive with AllMailbox.
  • AllMailbox switch specifies to configure all Mailbox servers. This switch is mutually exclusive with Server.
  • AllCAS switch specifies to enable IM integration on all Client Access servers.
  • PoolFQDN specifies the FQDN of the Lync Pool to use. This parameter is required.

So, suppose you want to quickly reconfigure IM integration on a Mailbox server after applying a Cumulative Update, you can use:

.\Configure-IMIntegration.ps1 -PoolFQDN lync.contoso.com –Server exchange01.contoso.com

image

Or, you can quickly configure Mailbox servers and CAS servers for IM integration after performing the required steps to configure the trusted application settings and installing and assigning the certificate for UM:

.\ Configure-IMIntegration.ps1 -PoolFQDN lync.contoso.com -AllMailbox –AllCAS

image

Note that the script will skip Mailbox servers for which it cannot find a valid UM certificate assignment. Also, in the example above, the CAS servers had already been enabled for IM.

Download
You can download the script from the TechNet Gallery here.

Feedback
Feedback is welcomed through the comments. If you got scripting suggestions or questions, do not hesitate using the contact form.

Revision History
See TechNet Gallery page.

Book: Pro Exchange 2013 SP1 PowerShell Administration

As some of you may have noticed, it has been a bit more quiet here than it used to be. Well, the reason for that, after several months of collaborative hard work, blood, sweat and tears, is finally here (and in stores just in time for the Holidays): A book titled Pro Exchange 2013 Service Pack 1 PowerShell Administration!

2013pa

Together with fellow Exchange MVP Jaap Wesselius, we will talk you through topics such as:

  • Deployment and co-existence scenarios.
  • The Client Access Server role and topics such as namespaces, certificates, load balancing, and publishing.
  • The Mailbox Server role and topics such as managing mailboxes, distribution lists and recipients, message transport
  • High availability topics like Database Availability Groups and Client Access and Transport availability.
  • Message Hygiene using the Edge Transport server role and anti-spam features.
  • Backup, Restore and Disaster Recovery, including the backup-less’ Native Data Protection scenario.
  • Unified Messaging features and integration with IP telephony solutions such as Microsoft Lync Server.
  • Compliance features like In-Place Archiving and MRM, In-Place Discovery, In-Place Hold, Data Loss Prevention including fingerprinting, and auditing.
  • Role-Based Access Control model and Split Permissions model for organizations that require this.
  • Office 365 and Exchange Online (EXO) scenarios, federating organizations, directory synchronization, ADFS and Multi-Factor Authentication, as well as basic tasks like onboarding and offboarding mailboxes.

Our 600+ page book will take a PowerShell-first approach when talking about Exchange Server 2013. You can order the book from Amazon here.

I have also added it to the book page here, which also contains other useful books when you want to learn about Exchange or related technologies like PowerShell, Active Directory or Lync Server.

Outlook 2010 gets MAPI/http support

Office-2010-Outlook-Icon[1]Update (December 13th, 2014): Hotfix pulled until further notice due to possible issues.

A quick heads-up today as the recently released KB2899591 hotfix adds MAPI/http support for Outlook 2010 clients. This will benefit organizations using Exchange 2013 SP1 or later considering switching from RPC/http to MAPI/http. The KB article includes details on the additional fixes that are included in hotfix KB2899591 as well.

You can request the hotfix for x86 and x64 versions of Outlook 2010 here.

Links to background information on MAPI/http, its impact on client performance, and impact on network traffic in an earlier blog post here.