HCW fails on intra-organization configuration

o365logoFor my lab, I often have to recreate the Exchange Hybrid configuration for a fresh setup of Exchange On-Premises using formerly used namespaces. Normally you would just run the Exchange Hybrid Configuration Wizard (HCW) after configuring certificates and endpoint URLs. If you don’t clean up the previous configuration information from your tenant upfront, you may then run in the following error message when running the HCW:

Updating hybrid configuration failed with error ‎’Subtask Configure execution failed: Configure IntraOrganization Connector Execution of the Get-IntraOrganizationConfiguration cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings. Multiple OnPremises configuration objects were found. Please use the OrganizationGuid parameter to select a specific OnPremises configuration object.

Multiple OnPremises configuration objects indicates there are multiple intra-organization objects defined in your tenant. You can clean up previous intra-organization configuration objects from your tenant as follows:

  1. First, in your Exchange On-Premises environment, run the Get-OrganizationConfig cmdlet from the Exchange Management Shell:
    image
  2. Copy the Guid value, in the example 1a95d446-ff56-4399-a95e-8ab46c30912b.
  3. Connect to Exchange Online (instruction here).
  4. Check the existing On-Premises definitions in your tenant by running Get-OnPremisesOrganization. There should be more than 1 entry.
  5. To remove the orphaned objects, remove all the objects that don’t match the Organization Guid you retrieved from your On-Premises environment earlier, e.g.:Get-OnPremisesOrganization | Where { $_.OrganizationGuid –ne ‘1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OnPremisesOrganization
    image
  6. Now you could try re-running the HCW immediately, but chances are you will run in another error caused by orphaned intra-organization connectors (IOC). In those cases, when the HCW tries to run New-IntraOrganizationConnector, it will fail as the namespace defined by TargetAddressDomains is already in use by an existing connector, and ‘The domain <domain> already exists in another intra-organization connector’ is reported. Those connectors, named ‘HybridIOC – ’, where GUID is the Guid of previously used organizations, exist in your tenant. In your Exchange Online session, run the following cmdlet to remove orphaned connector definitions:Get-IntraOrganizationConnector | Where { $_.Identity –ne ‘HybridIOC – 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-IntraOrganizationConnector
    image
  7. While you’re at it, you also might want to remove previously created connectors. Again, in your Exchange Online session, run the following cmdlets to remove orphaned inbound and outbound connectors (again, using the previously noted Organization GUID):
    Get-OutboundConnector | Where { $_.Identity –ne ‘Outbound to 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-OutboundConnector
    Get-InboundConnector | Where { $_.Identity –ne ‘Inbound from 1a95d446-ff56-4399-a95e-8ab46c30912b’ } | Remove-InboundConnector

After removing these orphaned objects, you should be able to run the HCW succesfully.

The UC Architects Podcast Ep51

iTunes-Podcast-logo[1]Episode 51 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman who is joined by Dave Stork and John Cook.. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Exchange 2013 CU8
  • Exchange 2010 SP3 CU9
  • Exchange ActiveSync onboarding to Office 365
  • Exchange 2013 Hybrid Config Wizard
  • Office 2013 modern auth public preview
  • Staying informed of Office 365 changes
  • Office 2016 preview
  • Updates for Outlook for iOS
  • Azure AD Sync
  • Office 365 MDM
  • Questions from listeners
  • Lync Kerberos Account
  • Lync/Skype for Business Network Planning for Silk Code
  • Controlling Lync/Skype for Business with your arms
  • Get ready for Skype for Business
  • Updates and Skype for Business
  • Microsoft Ignite
  • UCBUG
  • UCDAY
  • UCExpo

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

The UC Architects Podcast Ep50

iTunes-Podcast-logo[1]Episode 50 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by John A Cook and Ståle Hansen. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • Network ports for clients and mail flow in Exchange 2013
  • iOS 8.2 has been released
  • Using the Hybrid Configuration Wizard in Exchange Server 2013 (Part 2)
  • How and when to decommission Exchange Hybrid
  • The Office 2016 Mac Preview is here!
  • The Exchange Server 2013 Management Pack for System Center Operations Manager has been updated
  • A Guide to PowerShell for Lync and Exchange Online
  • Be the first to learn what’s next for Exchange and Office 365 at Microsoft Ignite
  • Free Load Balancer – KEMP Virtual LoadMaster
  • Use Windows PowerShell cmdlets to enable OneDrive sync for domains that are on the safe recipients list
  • Office 365 for Exchange Professionals
  • Office 365 Partner Admin app
  • Making Clutter in Office 365 even better
  • Azure AD Premium (and EMS) available for partner use
  • Getting rate limiting warnings for auto-discovered partners on your #Lync edge (event id 14603)
  • March 2015 update for #Lync for Mac 2011 14.0.11 (KB3037358)
  • How do I control the Lync and Skype UI with the Skype for Business client
  • Managing the Skype Client UI in Skype for Business
  • Set up Two-Armed Kemp VLM as Reverse Proxy/HLB for Lync 2013
  • Latest Visual C++ 2012 update (11.0.61030) won’t let #Lync Resource Kit or Debugging Tools install
  • March 10, 2015 update for #Lync 2013 (KB2956174)
  • Lync Monitoring Reports Decoder
  • Updates Lync Server 2013 Management Pack
  • LS Storage Service event 32054 after you enable Lync 2013 Mobility in an Exchange 2010 environment
  • Measure your conferencing adoption today with SQL
  • QoS Calculator v1.2
  • Update to Lync 2013 mobile app (v5.8, secure app settings, bug fixes)
  • Lync 2012 Database Mirror Manager update
  • Being a UC Superhero with Lync QoE Superpowers
  • LyncPro: Call Monitor Pro for Skype for Business & Lync: Enhancements and Extensibility
  • Book – Lync Server Cookbook
  • Ignite
  • EventZero/The UC Architects party at Ignite
  • LyncDay becomes SkypeDays
  • UCBUG meeting 05/13/2015
  • UCDAY UK meeting 09/28/2015

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

The UC Architects Podcast Ep49

iTunes-Podcast-logo[1]Episode 49 of The UC Architects podcast is now available. This episode is hosted by Steve Goodman, who is joined by Dave Stork, Pat Richard, John A Cook and myself. Editing was done by Andrew Price.

Some of the topics discussed in this episode are:

  • PIN lock and other updates to Outlook for iOS and Android
  • Exchange 2013 and Exchange 2010 Coexistence with Kerberos Authentication
  • Training Course: High Availability for Exchange Server 2013
  • Broken IMAP on Exchange 2013 and how to fix it
  • Windows Mobile does not support your new SSL certificate
  • Introducing New-ExchangeWebsite for Exchange 2013
  • A quick look at the Sunrise Calendar app
  • RBAC Manager R2 for Exchange
  • BitTitan offers Nuix-as-a-service
  • PowerShell for MigrationWiz updated
  • Sign in page branding and cloud user self-service password reset for Office 365
  • A better way to recover a mailbox
  • Automated Hybrid Troubleshooting Experience
  • Shared Mailbox Sent Items Changes Coming to Office 365
  • How Groups could be so much better
  • Using the Hybrid Configuration Wizard in Exchange Server 2013
  • Office 365: Deployment Content Moving
  • Azure AD Sync Service Updated
  • Pausing Music When On A #Lync Call – Using the Client SDK
  • Lync Client 2013 – Disable Customer Experience Improvement Program
  • New update for Lync Environment Report now supports custom Word document templates
  • Lync Server 2013 Control Panel crashes when you access the Route tab under the Voice Routing tab
  • Lync client may connect to a non federated partner, even if you though it should not
  • Persistent Chat – December 2014 CU – 500 Internal Server Error
  • Lync / Skype for Business Photo Editor Version 1.0 available now!
  • Do you need a Lync Server license for every Lync Server role–or is this just a Lync licensing myth?
  • Enabling Group Paging on Polycom VVX Phones for Lync or Skype
  • Issues with Unified Contact Store in combination with Lync on-premises & Exchange Online
  • Deep Dive into Set-CsPinSendCAWelcomeMail
  • Skype for Business and Lync troubleshooting 101
  • Update to Skype for Business / Lync Validator KHI reader. Longer list of counters + graphs
  • Book – Deploying and Managing Exchange 2013 HA
  • Book – Exam Ref 70-342 Advanced Solutions of Microsoft Exchange Server 2013
  • Book – Lync Server Cookbook
  • Ignite
  • Stale Hansen – Speaking at Ignite
  • UCBUG Meeting May 13th
  • UCDAY UK – 28th Sept by by Andrew P, Steve, Jason Wynn, Iain Smith, Adam Gent and Tom A

More information on the podcast including references and a link to download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a bi-weekly community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Lync or related subjects.

Blocking Outlook App for iOS & Android

imageYesterday, Microsoft announced the immediate availability the Outlook for iOS and Outlook for Android preview. These apps are the former app named Acompli, which was acquired by Microsoft in December, last year. It is unlikely that Microsoft will develop and support two similar apps, so one can assume the new Outlook app will replace the current OWA for iOS and OWA for Android (or just OWA for Devices) apps.

The app isn’t without a little controversy:

  • The app stores credentials in a cloud environment from Amazon Web Services for e-mail accounts that don’t support OAuth authorization.
  • The app makes use of a service sitting between the app and your mailbox. This service acts as a sort of proxy (hence it requires those credentials), fetching, (pre)processing and sending e-mail. In some way this is smart, as it makes the app less dependent on back-end peculiarities, using a uniform protocol to communicate with the proxy service.
  • The app does not distinguish between devices (device identities are assigned to your account, which makes sense since the app uses a service to retrieve and process your e-mail).
  • The app does not honor ActiveSync policies, like PIN requirements. While true, this app is not an ordinary Exchange ActiveSync client.

You can read more about this here and here.

In all fairness, when the app was still named Accompli, nobody cried foul. But the app is now rebranded Outlook and property of Microsoft, so it seems this made the app fair game. I hope Microsoft is working behind the scenes to make the new Outlook app enterprise-ready, and I’m sure it won’t be long before we see the app’s services move from AWS to Azure. The whole outrage in the media also seems a bit misplaced, as Connected Accounts in Exchange Online, which will retrieve e-mail from a POP or IMAP mailbox, will also store credentials ‘in the cloud’.

It is recommended to treat the app as a consumer app for now, and you may want to block the app in your organization. I have written on how to accomplish blocking or quarantining faulty iOS updates before. However, in those articles I used the reported OS version to block or quarantine devices. The Outlook app proxy service reports itself as “Outlook for iOS and Android” as device model when querying your mailbox, allowing us to use the DeviceModel parameter for matching.

The cmdlet to block or quarantine the new Outlook app in Exchange 2010, Exchange 2013 or Office 365,  is:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Block

or, to quarantine:

New-ActiveSyncDeviceAccessRule –QueryString 'Outlook for iOS and Android' –Characteristic DeviceModel –AccessLevel Quarantine

For examples of alternative blocking methods using TMG or F5, check this article. If you need to specify the user agent string, use “Outlook-iOS-Android/1.0″ (or partial matching on “Outlook-iOS-Android” to block future updates of the app as well).

As goes for all mobile devices in enterprise environments, as an organization it may be better to test and aprove devices and OS versions rather than to be confronted with mobile apps with possible faulty behavior after an update or which may violate corporate security policies.

Ignite 2015 Session Catalog is here!

ignite ButtonA short heads-up as the session catalog for Microsoft Ignite has been published. So, if you are still undecided or already want to pick ‘must see’ sessions for your schedule, you can check the session catalog here.

The session catalog contains 275 sessions, covering products like Exchange (49), Office 365 (85) and Skype for Business (26). It will be the first major Microsoft event where details will emerge on the next version of Exchange, Exchange v.Next.

The Exchange team published a blog on the Exchange-related Ignite sessions here. The blog contains a nice video featuring Greg Taylor and Jeff Mealiffe talking about what to expect at Ignite.

Also, on Febuary 3rd, the team behind Ignite as well as several speakers will be available on Twitter to answer any questions you may have on Ignite. Use the hashtag #IgniteJam to participate, or follow @MS_Ignite for any updates.

More information on Ignite, pre-day sessions, the session catalog and the #IgniteJam in the original post on Channel 9 here.

Multi-Factor Authentication in Office 365 (Part 2)

wp_ss_20140521_0001Multifactor Authentication is a must-have for services based in the cloud, especially for accounts with administrative purposes. We have already covered what Office 365 Multifactor Authentication is and how to configure it in Office 365 tenants with the Office 365 admin center, and we briefly showed the end user experience. Now we will look at how we can use the Azure Active Directory Module for Windows PowerShell to configure Office 365 authentication with MFA.

Azure Active Directory Module for Windows PowerShell (AADMPS) enables organizations to not only configure MFA for existing end users who use PowerShell, but also enhance their current provisioning process with MFA options. By pre-configuring MFA, administrators can prevent end users from having to go through the initial MFA setup process and use their currently configured mobile phone or office number for verification.

Read the full article over on SearchExchange

Multi-Factor Authentication in Office 365 (Part 1)

Multi-Factor AuthenticationMulti-Factor Authentication identifies an end user with more than one factor. Authentication is based on something you know, such as your password; something you have, such as a security token or smart card; or something that’s a physical characteristic of who you are, such as biometrics. By creating an additional factor on top of the password, identity is better protected. Multi-Factor Authentication is seen as a must-have for cloud-based services, especially for administrative types of accounts.

In this first tip on SearchExchange, I explain how you can configure Multi-Factor Authentication in Office 365, discuss the so-called contact methods, explain app passwords for non-MFA applications as well as show the MFA end user experience.

Read the full article over on SearchExchange

Script Updates

powershellA small heads-up for those not following me on Twitter of one of the other social media channels. Last week I made updates to the following three scripts:

Install-Exchange2013.ps1, version 1.72

  • Added CU5 support
  • Added KB2971467 (CU5 Disable Shared Cache Service Managed Availability probes)

Remove-DuplicateItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well.
  • Added parameter Credentials.
  • Added item class and size for certain duplication checks.
  • Changed item removal process
  • Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.

Remove-MessageClassItems.ps1, version 1.3

  • Changed parameter Mailbox, you can now use an e-mail address as well
  • Added parameter Credentials
  • Added parameter PartialMatching for partial class name matching.
  • Changed item removal process. Remove items after, not while processing folder. Avoids asynchronous deletion issues.
  • Works against Office 365.
  • Deleted Items folder will be processed, unless MoveToDeletedItems is used.
  • Changed EWS DLL loading, can now be in current folder as well.

Be advised I keep am overview of the scripts and their current versions with publish dates here.

 

Clutter in the Gutter?

At the Microsoft Exchange Conference earlier this year, the Office team introduced us to some nice features which were under development at that time. These features are part of Office Graph, a machine learning feature set meant to make the end user experience more personal and contextual as part of the Enterprise Social initiative.

imageIn the keynote, during a “Geek out with Perry”, Perry (Corporate VP for Microsoft Exchange) mentioned that the “Cloud First” approach allowed Microsoft to implement features step by step, with the option of reverting not-so-good changes. In the end, this should also result in a better product for the on-premises customer when releasing new Exchange builds, and ultimately Exchange v.Next (the next version), as they would not receive the not-so-good changes. It was mentioned several times, also in individual sessions on Office Graph features like Clutter and Groups as well, that these features would be “cloud-first” but there was “no ETA yet” for Exchange on-premises. At that time, most of us leaving MEC did that with the impression that all these features, at some point, would make it to Exchange or Exchange v.Next.

Apparently we got hold of the wrong end of the stick. Last week this article appeared on Network World, where in an interview with Julia White (GM Office Marketing) she mentioned that Clutter would not make it to “Office Server”, which seems to be the term for the on-premises deployments of the Exchange, Sharepoint and Lync Server triplet. This was a bit surprising, given the information received at MEC. The reason given in the article for this deviation was that Office Graph is too “compute intensive” to include on a Office Server. I assume to preempt any sounds on being forced to the service, Julia states that, “It’s not capricious favoritism toward Office 365 customers.” This is more or less in line with Microsoft’s earlier statements, on not having plans to stop delivering on-premises releases of Exchange (v.Next). In the discussion that followed on Twitter, Julia confirmed that “Clutter won’t make ExServer v.Next unfortunately.”

File:Classic shot of the ENIAC.jpgThe scale of Office 365 is incomparable to the average business running Exchange, Sharepoint and Lync on-premises and the amount of information that needs to be processed for Office Graph. And I can’t help it, but looking at the ‘compute intensive’ argument brings back memories of computer rooms where big monolithic systems offered computing powered easily surpassed by today’s tablet. With Clutter being expected for later this year and vNext next year, that is a considerable window. Some claim that Moore’s Law is obsolete and we also can’t expect to be running Skynet from home next year but still, computing power increases and I know of some customers who would just get the additional hardware onboard to facilitate those extra features. In addition, Clutter can be enabled on a per-user basis anyway.

In a more or less opposite statement, Julia is quoted saying, “Our philosophy is anything we technically can ship in servers, we will. We want our server customers and our cloud customers to have as much as we can ship to them. If it’s possible technically and it’s feasible then we’ll put it in the servers.” I think the reason for not adding Clutter should be sought in the hints Julia provided in the 2nd part of the article. With on-premises customer not following or even delaying upgrading to current versions of Microsoft’s products, Exchange, Sharepoint, Lync and clients, makes it hard to ship and support product transcending features, especially if this requires the latest (and greatest) version.

Think Site Mailboxes, more or less the predecessor of the announced Groups feature of Office Graph. Implementing Site Mailboxes requires Exchange 2013, Sharepoint 2013 and Outlook 2013 and additional configuration to integrate the Exchange and Sharepoint products. In the field, I see very low adoption of Site Mailboxes. Many customers are running older product levels (blocking implementation) or it’s a more elementary reason like not having deployed Sharepoint. But then, for those that are running Site Mailboxes, it adds value. Isn’t that what this is all about? Note that for the compliance discovery feature to work, proper configuration of Exchange, Sharepoint and Lync is required as well, but compliance is perhaps is a better selling point than clutter or one of the other Office Graph features could ever be.

“Assumption is ..” are the first words of a well-known saying. For the future, don’t expect anything you see announced for Office 365 to be ported to the on-premises Exchange releases, even though that product stems from the same code. Then again, features might get dropped, for reasons provided above or just because they were not ready. That’s nothing new and we got accustomed to a little disappointment now and then. In the case of Clutter, it’s a shame because it looked like a neat feature to work more efficiently through e-mail without configuring tons of rules. In the case of Groups, it is confirmed for v.Next, but you never know for sure until it is released. Meanwhile, Microsoft should maybe try to prevent confusion by demonstrating Clutter a.o. in sessions called “What’s new in Exchange“.

If you got an opinion on these changes in course or feature drops, please share them in the comments.