About Michel de Rooij

Michel is a Microsoft MVP for Office Server and Services, specializing on Exchange Server, Office 365 and with a PowerShell affection. He is the publisher of EighTwOne, and works as a consultant. Find Michel on Twitter, LinkedIn, Facebook or Google+.

Exchange and .NET Framework 4.7

Posted on June 13, 2017 by Michel de Rooij

A quick heads-up on that .NET Framework 4.7 has recently been released and will be made available through Windows Update channels. The current versions of Exchange Server are not supported with this version of the .NET Framework, and you should not install or update to this version.

Similar to the situation with .NET Framework 4.61 around a year ago, you can prevent (accidental) upgrades of the .NET Framework by creating the following registry key on your Exchange servers:

HKLM:\Software\Microsoft\NET Framework Setup\NDP\WU\BlockNetFramework47 = 1 (REG_DWORD)

To report on the currently installed .NET Framework version on one or more computers, you can use this PowerShell script, Get-DotNetVersion.ps1. It will not only report the .NET Framework version information, but also if those registry entries to block .NET Framework 4.6.1 or .NET Framework 4.7 upgrades are present.

[PS] C:\> .\get-DotNetVersion.ps1 -ComputerName ex1,ex2 | ft -a

Computer Release NetFramework Net461Block Net47Block
-------- ------- ------------ ----------- ----------
ex1      461268  4.7          False       True
ex2      461268  4.7          False       False

The related article by the Exchange Team on this topic contains steps on how to recover the situation, in case you did upgrade. Of course, with all the dependencies on the .NET Framework by Exchange Server, you may prefer migrating contents to a new Exchange servers with a supported .NET Framework, and decommission servers where you had to remove the unsupported .NET Framework from.

More information can be found in KB4024204.

PS: The updated Unattended Exchange 2013 & 2016 Installation script will now also set the .NET Framework 4.7 blockade registry key.

The UC Architects Podcast Ep63

Posted on April 19, 2017 by Michel de Rooij

iTunes-Podcast-logo[1] Episode 63 of The UC Architects podcast is now available. This episode is hosted by Pat Richard, who is joined by Steve Goodman who’s joined by John Cook. Editing was done by Andrew Price.

Topics discussed in this episode are:

Exchange

Exchange 2007 was end of life on April 11th

Office 365

Microsoft Teams is GA
Microsoft Teams Bandwidth Calculator
Microsoft Advanced Threat Protection
Google Suite vs Office 365

Lync/Skype for Business

Skype for Business updates for Mac
Skype for Business Online Trusted Application API
Consult Transfer option
Lync 2013 CUs for March 2017
Skype for Business 2015 CUs
RUCT updated
Convert-SonusSBCConfigToWord

Events

MS Cloud UG
UC and Cloud Day UK
Office 365 Engage

You can download the podcast here or you can subscribe to the podcasts using iTunes, Zune or use the RSS feed.

About
The UC Architects is a community podcast by people with a passion for Unified Communications; our main focus is on Exchange, Skype for Business or related subjects.

Speaking at Office 365 Engage 2017

Posted on April 11, 2017 by Michel de Rooij

I am happy to announce I will be co-hosting a workshop, as well as present a session at the Office 365 Engage conference. The event will be held in the beautiful city of Haarlem, The Netherlands, from June 19 to June 22.

For an independent event in Europe, track chair Tony Redmond managed to come up with a pretty impressive line-up with lots of Microsoft MVPs, consisting of folks such as Michael van Horenbeeck, Jaap Wesselius, Ingo Gegenwarth, Siegfried Jagott, Brian Reid, Vasil Michev, Paul Robichaux, Chris Goosen, Alan Byrne, Brian Desmond, and last but not least Steve Goodman who I am finally going to meet in person after missing each other for several reasons for the last 5 years.

The single day workshop will be hosted together with Jaap, and we will discuss managing Office 365 and its workloads using PowerShell, and its part of the Office 365 Administration track. The day after, I will be giving a session on Managing Exchange Online using PowerShell – Tips & Tricks, part of the Exchange Online track. If you would like to see something specific addressed, leave it in the comments section or pop me an e-mail.

For visitors, the city of Haarlem, a small distance from Amsterdam or The Netherlands – well, everything in The Netherlands is near, is also a nice city to spend some leisure time. You can check out the Office 365 Engage schedule here. I hope to see you there!

PS: The people behind the conference gave me discount code which you can use when registering. Use code SPRMR467 to get 20% off. You can register here.

Exchange Updates – March 2017

Posted on March 21, 2017 by Michel de Rooij

Today, the Exchange Team released the March updates for Exchange Server 2013 and 2016, as well as Exchange Server 2010 and 2007. The latter will receive its last update, as Exchange 2007 will reach end-of-life April 11, 2017.

As announced in December updates, Exchange 2013 CU16 and Exchange 2016 CU5 require .NET 4.6.2. The recommended upgrade paths:

If you are still on .NET 4.6.1, you can upgrade to .NET 4.6.2 prior of after installing the latest Cumulative Update.
If you are on .NET 4.52, upgrade to Exchange 2016 CU4 or Exchange 2013 CU15 if you are not already on that level, then upgrade to .NET 4.6.2, and finally upgrade to the the latest Cumulative Update.

The Cumulative Updates also include DST changes, which is also contained in the latest Rollups published for Exchange 2010 and 2007.

For a list of fixes in these updates, see below.

Exchange 2016 CU5	15.1.845.34	KB4012106	Download	UMLP
Exchange 2013 CU16	15.0.1293.2	KB4012112	Download	UMLP
Exchange 2010 SP3 Rollup 17	14.3.352.0	KB4011326	Download
Exchange 2007 SP3 Rollup 23	8.3.517.0	KB4011325	Download

Exchange 2016 CU5 fixes:

KB4015665 SyncDelivery logging folders and files are created in wrong location in Exchange Server 2016
KB4015664 A category name that has different case-sensitivity than an existing name is not created in Exchange Server 2016
KB4015663 “The message content has become corrupted” exception when email contains a UUE-encoded attachment in Exchange Server 2016
KB4015662 Deleted inline picture is displayed as attachment after you switch the message to plain text in Exchange Server 2016
KB4015213 Email is still sent to Inbox when the sender is deleted from the Trusted Contacts list in Exchange Server 2016
KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013
KB4012994 PostalAddressIndex element isn’t returning the correct value in Exchange Server 2016

Exchange 2013 CU16 fixes:

KB4013606 Search fails on Exchange Server 2016 or Exchange Server 2013

Exchange 2010 SP3 RU17 fixes:

KB4014076 Migration ends and errors reported when you on-board or off-board a mailbox through Exchange Online in an Exchange Server 2010 hybrid environment
KB4014075 UNC path does not open in OWA when the path contains non-ASCII characters in an Exchange Server 2010 environment
KB4013917 You cannot search in a shared mailbox through OWA in an Exchange Server 2010 Service Pack 3 (Update Rollup 15 or 16) environment
KB4012911 Culture element is added in the wrong order when you use the ResolveNames operation in EWS in Exchange Server 2010

Notes:

Exchange 2016 CU5 doesn’t include schema changes, however, Exchange 2016 CU5 as well as Exchange 2013 CU16 may introduce RBAC changes in your environment. Where applicable, use setup /PrepareSchema to update the schema or /PrepareAD to apply RBAC changes, before deploying or updating Exchange servers. To verify this step has been performed, consult the Exchange schema overview.
When upgrading your Exchange 2013 or 2016 installation, don’t forget to put the server in maintenance mode when required. Do note that upgrading, before installing the Exchange binaries, setup will put the server in server-wide offline-mode.
Using Windows Management Framework (WMF)/PowerShell version 5 on anything earlier than Windows Server 2016 is not supported. Don’t install WMF5 on your Exchange servers running on Windows Server 2012 R2 or earlier.
When using Exchange hybrid deployments or Exchange Online Archiving (EOA), you are allowed to stay at least one version behind (n-1).
If you want to speed up the update process for systems without internet access, you can follow the procedure described here to disable publisher’s certificate revocation checking.
Cumulative Updates can be installed directly, i.e. no need to install RTM prior to installing Cumulative Updates.
Once installed, you can’t uninstall a Cumulative Update nor any of the installed Exchange server roles.
The order of upgrading servers with Cumulative Updates is irrelevant.

Caution: As for any update, I recommend to thoroughly test updates in a test environment prior to implementing them in production. When you lack such facilities, hold out a few days and monitor the comments on the original publication or forums for any issues.

MS17-015: Security Fix for Exchange 2013 SP1+CU14 & 2016 CU3

Posted on March 19, 2017 by Michel de Rooij

Microsoft published security fixes for the issue described in bulletin MS17-105. Fixes have been released for the following product levels:

Exchange 2013 SP1, kb4013242, 15.0.847.53
Exchange 2013 CU14, kb4013242, 15.0.1236.6
Exchange 2016 CU3, kb4013242, 15.1.544.30

You are reading it correctly: the later Cumulative Updates are not affected. Earlier builds will not receive a security fix, as support is provided up to N-2 generation builds. Reason for Exchange 2013 SP1 being in there is that Service Packs are on a different support scheme.

Note that this Rollup or security fix replaces MS16-108 (kb3184736) – you can install MS13-105 over installations containing this security fix (no need to uninstall it first).

Exchange admins & PowerShell

Posted on March 6, 2017 by Michel de Rooij

Many people I encounter in the field of Office 365 or Exchange have an infrastructure background. That is, they know a lot about their product(s), how to make it work (or don’t), how to manage, deploy or troubleshoot, etcetera.

Then there is, the let us call it, the reality check of the cloud era, with a roller coaster of cloud-originating developments. This requires a different management focus for these products, resulting in products architected for scale, and introducing configuration and management instruments primarily designed to be ready for automation and operate on scale as well. PowerShell support in Microsoft products is such an instrument.

The introduction of PowerShell required folks with an infrastructure background to develop a new skill: instead of clicking buttons in an interface, they should also become a PowerShell practitioner. Not necessarily wizard level, but at least they need to know their way around when managing their environment using PowerShell, reading and interpreting scripts provided by Microsoft or other vendors prior to usage, or even make changes to make those scripts fit for their own environment.

Writing scripts is another matter. This requires a tad different mindset, where you make repeatable tasks repeatable (time-saving), less prone to error (job-saving), and reusable by your coworkers or even the community who may need to perform the same task. Of course, everybody also expects your scripts to be generic (no hard-coded elements), robust and resilient, adding 90% more code (a bit exaggerated, but you get the idea).

What most of administrators struggle with, is making the connection between managing the product using PowerShell, and how to start using PowerShell to develop their own set of scripts or tools to automate tasks their environment. Administrators wanting to learn such skills will usually find is great books about the product, and great books on learning (generic) PowerShell. Of course, existing scripts found using their favorite search engine can also be a great starting point, provided somebody already developed it for the task you are trying to accomplish.

With the Exchange Server 2016 administrator in mind, Exchange fellows Dave Stork and Damian Scoles tried to bridge that gap with their book, Practical PowerShell: Exchange Server 2016. It uses some practical Exchange-themed examples, how to approach the problem, and how to go from running a few cmdlets in sequence to developing small scripts which operate against one or multiple servers. Also, while this book aims at the on-premises Exchange administrators, the skills learned are not lost when the organization moves to Exchange Online as these scripting skills are compatible.

Knowing how difficult it can be to transfer knowledge to paper from my own experience, I think Dave & Damian did a respectable job. The timing of the book release is also interesting, as the product which introduced PowerShell to so many of us, Exchange Server 2007, is going End of Life soon, on April 2011, 2017 to be exact. Realizing PowerShell has been around now for so many years, there is no excuse to get your PowerShell skills going, unless you want to share the faith of dinosaurs.

More information on the book, including a sample chapter, is available at https://www.practicalpowershell.com. You can also order the book from Amazon here.

Exchange and VMWare Guest Introspection

Posted on February 10, 2017 by Michel de Rooij

In this long overdue article, I would like to share an experience, where a customer was upgrading from Exchange 2010 to Exchange 2013. Note that this could also apply to customers migrating from Exchange 2007 or migrating to Exchange 2016 as well. The Exchange 2013 servers were hosted on VMWare vSphere 5.5U2; the Exchange 2010 servers on a previous product level.

The customer saw a negative impact on the end user experience of Outlook 2010 users, especially those working in Online Mode. Other web-based services like Exchange Web Services (EWS) were affected as well. The OWA experience was good.

Symptoms
After migrating end user mailboxes from Exchange 2010 to Exchange 2013 (but as indicated, this applies to Exchange 2016 as well), end users reported delays in their Outlook client responses, where sometimes Outlook seemed to ‘hang’ when performing certain actions like accessing a Shared Mailbox. Also, when opening up the meeting planner in order to schedule a room using Scheduling Assistant, it could take a significant amount of time, (i.e. minutes) before the schedule of all the rooms was being displayed.

The end users’ primary mailbox was configured to use Cached Mode, except for VDI users who used their primary mailbox in Online Mode. Shared Mailboxes were used in Online Mode due to the size (Outlook 2010, so no slider).

Analysis
First, the overall health of the Exchange environment was checked to exclude it as a potential cause. Exchange performance metrics were monitored, as well as Managed Availability status and events, logs like the RCA logs, and VMWare CPU Ready % to check for potential vCPU allocation issues (read: oversubscription). None of these metrics caused any reason for concern.

After reconfiguring the HOSTS file, in order to bypass the load balancer and direct traffic to a single Exchange server to simplify troubleshooting, the symptoms remained. Then, we checked:

TCP/IP optimization settings, e.g. RSS, Chimney, etc.
VMWare VMXNet3 offloading, e.g. Large Send Offload, TCP Checksum Offloading
VMWare VMXNet3 buffer settings

All those settings were also found to be on their recommended values.

We started digging in from the client’s perspective, and used WireShark to see what was going on on the wire. After filtering on the Exchange host, we saw the following pattern:

Note that this customer used SSL Offloading, so mailbox access took place on port 80 instead of 443 (RPC/http).

As you might notice, there is a consistent 200ms delay after the client receives its response (e.g. packets 106 and 110). When searching around for ‘200ms’ and ‘delay’, you may end up with articles describing the effect of the Nagle algorithm (Delayed ACK). Nagle is meant to reduce chatter on the wire, but can have a negative effect on near real-time communications, especially with small packets. Also, while 200ms might seem small, looking at the number of packets exchanged between Outlook and Exchange, this can add up quite quickly. Most of these articles will also describe a fix, recommending to configure a registry key TcpAckFrequency, and set it to 1 (default is 2). For testing purposes, we configured this key and after the mandatory reboot, the end user Outlook experience was snappy. However, setting this key would impact all client communications (real as well as VDI clients); not a recommended long-term solution due to side effects on the network.

After removing the registry key, investigating was continued. Since there was no issue with the Exchange 2010, we started to suspect there was perhaps an issue with VMWare, or there was some form of network optimization or packet inspection going on. This, due to the fact there was no problem with the old Exchange environment, and the elements that changed when migrating were VMWare vSphere version, physical vSphere hosts, and last but not least, the protocol switched. This client didn’t use Outlook Anywhere, so RPC/http was not enabled for Exchange 2010 prior to migration, and clients connected using MAPI. After some more investigating, some potentially related articles on the VMWare knowledgebase were found, talking about latency issues in certain VMWare Tools versions, the VMWare guest driver set, and downgrading these to 5.1 would have the same effect as configuring TcpAckFrequency. Unfortunately, this wasn’t an option as the hardware level of the VMWare guests already was on a certain level.

Remediation
When installing VMWare Tools, the package comes with some system-level drivers which handle communications between the guest and the host or other guests. One of these drivers is the VMWare Guest Introspection driver (or VMCI Drivers, and formerly VShield Drivers). This component can be identified in the guest in the presence of the system drivers vnetflt and vsepflt, and accommodates agentless antivirus solutions like McAfee MOVE. However, it seems to also interfere with certain workloads in their driver ecosystem, thus negatively impacting real-time communications. I wasn’t able to test if the change from MAPI to RPC/http (or later MAPIhttp) also contributed to this effect, as the Introspection driver may not scan MAPI RPC packets at all, in which case there is no overhead introduced.

Needless to say disabling the Guest Introspection component might be less desirable for some organizations, and in those cases, when you experience this issue, I suggest contacting your VMWare representative, after verifying your VMWare Tools are part of the list of recommended versions.

In the end, in this situation Guest Introspection was disabled and a file-level scanner was introduced (with the required exclusions, of course). Performance for Online Mode was optimal when accessing Online Mode mailboxes, and using Exchange web services like Scheduling Assistant showed room planning in seconds rather than minutes.

Note that unfortunately, recent versions of VSphere running Exchange virtualized workloads also have this issue. On the plus side, they allow for separate (de)installation of the file system driver (NSX File Introspection Driver) and the network driver (NSX Network Introspection Driver). I am pretty sure removing the network driver would suffice, which might be a viable solution for some folks as well.

If you have any insights to share, please leave them in the comments.

Results Install-Exchange15 survey

Posted on January 13, 2017 by Michel de Rooij

stats chart A short blog on a small survey I’ve been running for some time now on the usage of Install-Exchange15, the PowerShell script for fully automated deployment of Exchange 2013 or Exchange 2016.

I started the survey because I was curious on a few things:

How the script is used; do folks use it for deploying in lab environments, or also actual production environments.
What Exchange versions are deployed; only current ones (n-2 at most, i.e. lagging 2 Cumulative Update generations at most), or also older versions.
What operating systems are used to deploy Exchange using this script.

The second and last items are of most interest, as keeping backward compatibility in the script, for example like deploying Exchange Server 2013 SP1 on Windows Servers 2008, requires keeping a lot of ‘legacy code’ in there.

Fortunately, the survey shows many of you use the script to deploy recent Exchange builds on current operating systems. So, in time, you will see support for older builds and operating systems being removed, making the script more lean and mean as well.

Now, on to the results:

In what environments do you use the script to deploy Exchange?

	Lab	Production
Yes	86%	72%
No	14%	28%

Do you use Install-Exchange15.ps1 for previous (N-2 or older) Exchange 2013/2016 builds?

Yes	28%
No	72%

On which Operating Systems do you deploy Exchange 2013/2016? (multiple options possible)

Windows Server 2008	0%
Windows Server 2008 R2	18%
Windows Server 2012	18%
Windows Server 2012 R2	100%
Windows Server 2016	8%

Finally, a summary of the feedback and requests send in by respondents through the open comments section:

Installation on Windows Server 2016. The survey was created before Windows Server 2016 was supported, so we used the feedback given on people deploying on WS2016 in the above results.
In general, positive feedback on having this script for automated deployment, as well as the SCP feature.
Request for having a GUI to create the answer file.
Request to having the option to configure the virtual directories after installation. However, the script allows for inserting custom (Exchange) cmdlets in its post-configure phase.
Request to output cause of failed Exchange setup to the screen. That however, is something I wouldn’t recommend; the Exchange setup log files contain the details.
Request to have some sort of visible clue if the installation was successful or not.

A short 2016 retrospective

Posted on January 9, 2017 by Michel de Rooij

First of all, happy new year to all dear readers and followers. With January well underway, and taking some (largely offline) time off for the holiday period, it’s time to see what 2016 brought.

But first a new year resolution: step up the blogging game. While there isn’t much development happening in the Exchange space, with Microsoft’s cloud-first strategy, there is still a lot to talk about or script for. My list list of ‘scripting ideas’ is substantial, now let’s find some time to realize some of these ideas. Knowing that when you publish scripts, you automatically become its support channel, so that may put some additional stress on my mailbox, but it’s a small price for helping lots of people out.

Some Highlights:

Re-awarded as Office 365 Servers and Services MVP
Awarded 2016 Exchange Oscar for Best Code Contribution
Workshop: Advanced PowerShell Management of Office 365
IT/Dev Connections
Webinar: How to Benefit from MS Office 365 and Maintain Control of Your Data
Session: Exchange 2016 & OOS, Office Online Server

Global Stats of 2016:

Number of views: 309,767 (total: 1,888,669)
Visitors: 220,900 (total 894,316)
Number of posts: 22 (total 547)

Popular Posts of 2016:

Note: Not considering the Archives, Versions, Builds and Dates, Schema Versions and Toolkit pages.

Exchange ActiveSync and Inheritable Permissions issue
TargetAddress, ExternalEmailAddress and Set As External
The Attribute, the Myth, the legacyExchangeDN
Limiting Exchange 2010 Database Cache
Outlook for iOS adds Contacts support

Top 5 Visitor Countries of 2016:

United States (96,286)
United Kingdom (29,606)
Germany (19,968)
India (14,355)
Netherlands (13,056)

Top 5 Referrers of 2016:

exchangeserverpro.com (Paul Cunningham’s)
blogs.technet.com (MSFT blogs)
meridian.ws (blog)
experts-exchange (community)
veritas.com (support forum)

Top 5 Search Terms of 2016:

kb2506143
targetaddress
federation information could not be retrieved from the external organization
exchange 15.1
exchange version numbers

Top 5 Scripts of 2016:

Ignite 2016 Slidedeck and Video downloader (4,941, total 4,941)
Exchange v15 (2013/2016) Unattended Installation Script (2,601, total 8,577)
Removing Duplicate Items from a Mailbox (2,079, total 6,843)
Clearing AutoComplete and other Recipient Caches (1,932, total 3,920)
Removing Messages by Message Class from Mailbox (915, total 2,942)

Exchange Server Role Requirements Calculator 8.4

Posted on January 7, 2017 by Michel de Rooij

Exchange 2010 Mailbox Role Sizing Calculator 16.4 Last week, the Exchange team published an update for the Exchange Server Role Requirements Calculator, the tool to aid you in properly sizing your Exchange Server 2013 or Exchange Server 2016 deployments.

The new version number is 8.4, and it contains the following changes since version 8.3:

New Functionality

Added support for ReplayLagMaxDelay
Added support for SafetyNetHoldTime in CreateDAG.ps1

Bug Fixes

Improved the DAG auto-calculation results display to highlight deployment configuration in both datacenters
Fixed an issue that prevented DAG auto-calculation in single site DAG deployments
Fixed a SPECInt2006 validation issue with DAG auto-calculation
Fixed a bug with the DAG auto-calculation with Active/Passive deployments
Fixed conditional formatting issues with the transaction log table
Removed data validation from certain unused cells on the Input tab
Fixed bug in calcNumActiveDBsSF formula

You can download the calculator here. For more information, please consult the list of changes here or Read Me here.