Configure EdgeSync in an Exchange 2010/2013 mixed environment

This Azure lab setup has an Exchange 2010 Edge Transport server and a multi-role Exchange 2013 server. The Edge Transport server is deployed in the perimeter network for anti-spam and extra security: it is the only Exchange role that faces the internet, so the internal servers (Mailbox, Client Access, Hub Transport) are not directly reachable from outside and their attack surface is reduced.

EdgeSync periodically replicates recipient and configuration data from Active Directory to a subscribed Edge Transport server. The first step in configuring EdgeSync is creating an Edge Subscription, which subscribes an Edge Transport server to an Active Directory site.

Note: this article covers the required ports and prerequisites for configuring EdgeSync: https://practical365.com/exchange-server/exchange-2010-edge-transport-server-configuring-edgesync/

On the Exchange 2010 Edge Transport server, launch the Exchange Management Shell and run:

New-EdgeSubscription -FileName C:\EdgeSub.xml

Copy the XML file from C:\ to your Exchange 2013 Mailbox server. On the Exchange 2013 Mailbox server, launch the Exchange Management Shell and run:

New-EdgeSubscription -FileData ([byte[]]$(Get-Content -Path "C:\EdgeSub.xml" -Encoding Byte -ReadCount 0)) -Site "AzureSite"

Here ‘AzureSite’ is the name of my Active Directory site.

As mentioned in the note above, make sure the prerequisites are met in advance. You may have to add a hosts entry for the FQDN of your Edge server on the Exchange 2013 server, and the primary DNS suffix on the Edge server should be set to avoid name-resolution issues.

Once the Edge Subscription is created, the Send connectors needed for mail flow are created automatically on the Edge server.

You can now force an EdgeSync with the command below:

Start-EdgeSynchronization -Server testexc2

Here testexc2 is the Exchange 2013 Mailbox server and testexc1 is the Exchange 2010 Hub Transport server.
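
The whole procedure as one script, added here as an example rather than taken from the original post. It is in three parts because the first and last run on the Edge server and the middle on the Mailbox server; the site name, the Edge server FQDN and the file path are assumptions to replace with your own. It also adds the checks a practitioner wants before importing: that the Mailbox server can resolve the Edge FQDN and reach TCP 50636 (the secure LDAP port EdgeSync uses), and that the subscription file, which carries bootstrap credentials, is deleted after import.

```powershell
# ----- Part 1: Exchange Management Shell on the Exchange 2010 Edge Transport server -----
# The subscription file embeds bootstrap credentials that expire after 1440 minutes (24 h),
# so import it on the Mailbox server the same day and then delete every copy of it.
New-EdgeSubscription -FileName 'C:\EdgeSub.xml'

# ----- Part 2: Exchange Management Shell on the Exchange 2013 Mailbox server -----
$siteName = 'AzureSite'                # assumption: your AD site name
$edgeFqdn = 'testedge.contoso.local'   # assumption: FQDN of the Edge server
$xmlPath  = 'C:\EdgeSub.xml'           # the file copied over from the Edge server

# Prerequisite checks: name resolution (hosts entry or DNS) and the EdgeSync port.
try   { $null = [System.Net.Dns]::GetHostAddresses($edgeFqdn) }
catch { throw "Cannot resolve $edgeFqdn; add a hosts entry or DNS record first." }

$tcp = New-Object System.Net.Sockets.TcpClient
try     { $tcp.Connect($edgeFqdn, 50636) }
catch   { throw "TCP 50636 from this server to $edgeFqdn is blocked; open it before subscribing." }
finally { $tcp.Close() }

# Import the subscription. ReadAllBytes gives the same byte[] as Get-Content -Encoding Byte
# and behaves identically on PowerShell 2 and later.
$fileData = [System.IO.File]::ReadAllBytes($xmlPath)
New-EdgeSubscription -FileData $fileData -Site $siteName
Remove-Item -Path $xmlPath -Force      # the file is a credential; do not leave it on disk

# Force the first synchronization from this server and verify the result.
Start-EdgeSynchronization -Server 'testexc2' -ForceFullSync
Test-EdgeSynchronization | Format-List
Get-EdgeSubscription     | Format-List

# ----- Part 3: back on the Edge server, confirm the connectors EdgeSync created -----
Get-SendConnector    | Format-List Name, AddressSpaces, SourceTransportServers, SmartHosts
Get-ReceiveConnector | Format-List Name, Bindings, RemoteIPRanges
```

Test-EdgeSynchronization is the check to keep in your runbook: it reports the sync status and, in FailureDetails, why a sync did not complete, which Start-EdgeSynchronization alone does not tell you.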

Running the new Office 365 Hybrid Configuration Wizard

As you all know, the latest Hybrid Configuration Wizard is now downloaded from Office 365, unlike previous versions of Exchange where the HCW was embedded in the on-prem product. With this change you get the latest wizard every time you download it, so you no longer have to wait for the next CU to get fixes for the current HCW.

I recently updated my Exchange 2013 SP1 server to CU16 and am about to run the new wizard:

First, I have to enable Exchange Hybrid on the on-prem server.

You will be asked to log in to your O365 tenant.

The wizard will redirect to O365 sign in page.

Once logged in, click Enable again and a new tab opens with the link to download the HCW.

Download and run the HCW tool.

Below is the launch page of the Office 365 HCW. Click Next to proceed.

The HCW detects the optimal on-prem server to act as the hybrid server (in this case, it's the Exchange 2013 server). You can also manually select a server of your choice. Also specify the type of Office 365 organization. Click Next.

Next, provide your on-prem Windows credentials and your Office 365 tenant credentials. Once done, click Next to proceed.

 

In the next stage, the wizard gathers and confirms the configuration information. Once the checks succeed, click Next.

The wizard then asks how mail flow in the hybrid environment should be configured. If your organization uses Edge servers, select the second option, which configures the Edge Transport servers for secure mail transport.

Click the Advanced button to list additional features. You will see a check box labelled 'Enable centralized mail transport'; the description explains what the feature does. If you enable it, mail sent from Exchange Online mailboxes to external recipients is routed back through the on-prem organization instead of leaving Office 365 directly, which keeps your on-prem transport rules and compliance controls in the path at the cost of an extra hop. Once the options are selected, click Next.

Choose the on-prem Exchange server that should host the receive connector for secure mail transport. Click Next.

Now, choose the on-prem Mailbox server that should host the send connector for secure mail transport. Click Next.

Select the transport certificate to be used for secured mail flow trusted by an external CA. Click Next.

Specify your Organization FQDN for mail flow. Click Next.

Make sure your external URLs are configured on all virtual directories prior to running the HCW. Click Next.

Since I already have an Exchange 2010 SP3 hybrid in place, the wizard detects it and asks to update the configuration. Click Update.

The configuration starts as shown below (click Stop to cancel).

The HCW process completes. If any configuration is pending it is shown as below. In this case, my endpoint (the Exchange 2010 hybrid server) was offline, which is why the notification was received.

The server was turned on and the DNS records were confirmed. On re-running the HCW, no issues were reported, indicating that the procedure completed successfully.
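
The prerequisites the wizard depends on (external URLs on every virtual directory, a CA-issued certificate enabled for SMTP, and the existing hybrid configuration it will update) can be verified from the Exchange 2013 shell before you run it. The script below is an added example, not part of the original post; the server name is an assumption, and it assumes Exchange 2013 SP1 or later, where Get-MapiVirtualDirectory exists.

```powershell
$server = 'testexc2'   # assumption: the Exchange 2013 server the HCW will choose as hybrid endpoint

# 1. External URLs. The HCW publishes these to Exchange Online, so an empty ExternalUrl on any
#    of these directories surfaces later as free/busy or mailbox-move failures.
$vdirs = @()
$vdirs += Get-OwaVirtualDirectory         -Server $server
$vdirs += Get-EcpVirtualDirectory         -Server $server
$vdirs += Get-WebServicesVirtualDirectory -Server $server
$vdirs += Get-ActiveSyncVirtualDirectory  -Server $server
$vdirs += Get-OabVirtualDirectory         -Server $server
$vdirs += Get-MapiVirtualDirectory        -Server $server

$vdirs | Select-Object Identity, InternalUrl, ExternalUrl | Format-Table -AutoSize
$missing = @($vdirs | Where-Object { -not $_.ExternalUrl })
if ($missing.Count -gt 0) {
    Write-Warning ("ExternalUrl not set on: " + (($missing | ForEach-Object { $_.Identity }) -join ', '))
}

# 2. Transport certificate. The wizard offers only certificates that are not self-signed,
#    are still valid and are enabled for SMTP; list the candidates so you pick the right one.
Get-ExchangeCertificate -Server $server |
    Where-Object { -not $_.IsSelfSigned -and $_.NotAfter -gt (Get-Date) -and "$($_.Services)" -match 'SMTP' } |
    Format-List Thumbprint, Subject, CertificateDomains, NotAfter, Services

# 3. The hybrid configuration object left by the Exchange 2010 SP3 HCW that this run will update.
Get-HybridConfiguration | Format-List Domains, Features, SendingTransportServers,
    ReceivingTransportServers, EdgeTransportServers, TlsCertificateName

# 4. On-prem side of the secure mail flow: connectors that require TLS with a named domain.
Get-SendConnector    | Where-Object { $_.TlsDomain }             | Format-List Name, AddressSpaces, TlsDomain, SmartHosts
Get-ReceiveConnector | Where-Object { $_.TlsDomainCapabilities } | Format-List Name, Bindings, TlsDomainCapabilities
```

Run it on the server you intend to choose as the hybrid server; if the HCW later selects a different one, run it again there, since virtual directory and certificate settings are per server.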

Updating hybrid configuration failed with error 'Subtask CheckPrereqs execution failed: Check Tenant Prerequisites'

I came across this error when running the Hybrid Configuration Wizard on my Exchange Server 2013 SP1 server. The detailed error was:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites
Deserialization fails due to one SerializationException: Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed:

Towards the end of the error it asks you to view the Hybrid Configuration log for more information. You can find the log in the following location on your Exchange 2013 server: C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration.

Searching on the issue, I came across a Microsoft article which says the error is caused by a recent change in Microsoft's Exchange Online environment that prevents the Exchange 2013 HCW from running correctly. The fix is to install the latest cumulative update; in my environment I had to install Exchange 2013 CU6 to resolve it.
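
To confirm the diagnosis before patching, the script below (an added example, not from the post) pulls the relevant lines from the newest Update-HybridConfiguration log and compares every Exchange 2013 server's build with CU6 (build 15.0.995.29), the release the Microsoft article names as the fix. The log directory is the one given above; nothing else is assumed.

```powershell
$logDir = 'C:\Program Files\Microsoft\Exchange Server\V15\Logging\Update-HybridConfiguration'

# The newest log belongs to the run that just failed. Pull the prerequisite check and the
# serialization error with a few lines of context so the blocked type name is visible.
$latest = Get-ChildItem -Path $logDir -Filter '*.log' |
          Sort-Object LastWriteTime -Descending | Select-Object -First 1
Select-String -Path $latest.FullName -Pattern 'CheckPrereqs|BlockedTypeException' -Context 1, 4 |
    ForEach-Object { $_.Line; $_.Context.PostContext }

# AdminDisplayVersion renders as "Version 15.0 (Build 995.29)"; parse it into a [version]
# so the comparison is numeric rather than a string match.
$cu6 = [version]'15.0.995.29'
Get-ExchangeServer | ForEach-Object {
    $text = "$($_.AdminDisplayVersion)"
    if ($text -match 'Version (\d+)\.(\d+) \(Build (\d+)\.(\d+)\)') {
        $build = [version]('{0}.{1}.{2}.{3}' -f $matches[1], $matches[2], $matches[3], $matches[4])
        New-Object PSObject -Property @{
            Server      = $_.Name
            Build       = $build
            NeedsUpdate = ($build.Major -eq 15 -and $build.Minor -eq 0 -and $build -lt $cu6)
        }
    }
} | Format-Table Server, Build, NeedsUpdate -AutoSize
```

Any server reported with NeedsUpdate = True is below CU6 and will keep producing this error until it is updated.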

Reference : https://support.microsoft.com/en-us/help/2988229/-subtask-checkprereqs-execution-failed-error-in-hybrid-configuration-wizard-for-exchange-server-2013

 

Converting an Office 365 Federated domain to Managed

My existing Azure lab has an Exchange 2010 hybrid setup with AD FS for single sign-on. I am planning to remove AD FS from the environment and use password sync instead.

First I should check whether password sync is already enabled. This matters: once the domain is managed, users authenticate against Azure AD with their synced password hash, so without password sync they would be left with only the temporary passwords the conversion generates. I can check and confirm this from the Azure AD Connect application. Launch the Azure AD Connect tool and check the current configuration:

To check the status of the domain, use the following commands once connected to Azure AD with the MSOnline PowerShell module (Connect-MsolService connects to Azure AD, not to Exchange Online):

$cred = Get-Credential
Connect-MsolService -Credential $cred

Get-MsolDomain

The output lists each domain with its Status and Authentication columns.

In this output the domain 'anishjohnes.ga' shows as 'Federated'.

If you go to AD FS Management -> Relying Party Trusts, you will see a trust already set up with Microsoft Office 365.

Now, to convert the domain to 'Managed', run the command below. It must be run on the AD FS server (or after pointing the MSOnline module at it with Set-MsolADFSContext), because it also removes the relying party trust:

Convert-MsolDomainToStandard -DomainName <String> -PasswordFile <String> -SkipUserConversion <Boolean> [-Confirm] [-WhatIf] [<CommonParameters>]

Once the domain is converted to 'Managed', single sign-on no longer applies; users get same sign-on instead (the same on-prem password, synced by password hash sync, but entered at the Office 365 sign-in page). The trust with Microsoft Office 365 is removed from the Relying Party Trusts as well. Note that the file given to -PasswordFile receives the temporary passwords generated for the users that are converted, so treat it as a secret and delete it when you are done.
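
The conversion as a script with the checks around it, added here as an example and not part of the original post. It assumes the MSOnline module, that it runs on the AD FS server (or after Set-MsolADFSContext), and a path for the password file; the domain name is the one from this post.

```powershell
$domain = 'anishjohnes.ga'                            # the federated domain from the post
$pwFile = 'C:\Temp\anishjohnes-converted-users.txt'    # assumption: file that receives temporary passwords

Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential -Message 'Office 365 global administrator')

$before = Get-MsolDomain -DomainName $domain
if ($before.Authentication -ne 'Federated') {
    throw "$domain is already $($before.Authentication); nothing to convert."
}

# Keep a record of the federation settings in case the domain has to be re-federated later.
Get-MsolDomainFederationSettings -DomainName $domain | Format-List IssuerUri, ActiveLogOnUri, PassiveLogOnUri

# With -SkipUserConversion $false every user in the domain becomes a managed user and gets a
# temporary password written to $pwFile; with password hash sync enabled the next sync cycle
# replaces it with the user's on-prem password hash. The Office 365 relying party trust on
# this AD FS server is removed as part of the same operation.
Convert-MsolDomainToStandard -DomainName $domain -PasswordFile $pwFile -SkipUserConversion $false

$after = Get-MsolDomain -DomainName $domain
'{0}: {1} -> {2}' -f $domain, $before.Authentication, $after.Authentication   # expect Federated -> Managed

# The password file is a list of cleartext credentials: use it only if you need it, then destroy it.
if (Test-Path $pwFile) { Remove-Item -Path $pwFile -Force }
```

If you need to keep the temporary passwords for users who are not synced from on-prem, copy them somewhere access-controlled before the Remove-Item line runs, not afterwards.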

Installing Exchange 2013 in an Exchange 2010 SP3 Hybrid Environment

I have an Exchange 2010 SP3 hybrid setup in my lab and am planning to install an Exchange 2013 server as the hybrid server.

I ran the Exchange 2013 setup directly, without any schema prep, and it failed (screenshot omitted).

So I went to my DC and tried running the schema prep commands, only to get another failure (screenshot omitted).

Because the organization is already hybrid, Exchange requires the prep command to be run with the /TenantOrganizationConfig switch, which needs a configuration XML file generated by connecting to your Exchange Online tenant.

For this, connect to your Exchange Online tenant through PowerShell and run:

Get-OrganizationConfig | Export-Clixml -Path MyTenantOrganizationConfig.XML

The XML file is generated in the current directory. Copy it to C:\ on the server where you are running the prep command, i.e. the DC.

Note that /TenantOrganizationConfig is used together with /PrepareAD rather than /PrepareSchema. /PrepareAD performs the schema update itself when it is still pending, so a separate /PrepareSchema run is not needed:

.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms /TenantOrganizationConfig:C:\MyTenantOrganizationConfig.XML

The Exchange setup now completes successfully. :)
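
The two halves of the procedure as scripts, added here as an example rather than taken from the post. The Exchange Online connection uses remote PowerShell with basic authentication, which was the method available when this was written and is assumed to still be allowed for your tenant (newer tenants use Connect-ExchangeOnline from the ExchangeOnlineManagement module instead); the media path is an assumption. The added step is a round-trip check on the exported file before it goes to the DC.

```powershell
# ----- On a machine with internet access: export the tenant organization config -----
$cred    = Get-Credential -Message 'Exchange Online administrator'
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -DisableNameChecking | Out-Null

$xml = 'C:\MyTenantOrganizationConfig.XML'
Get-OrganizationConfig | Export-Clixml -Path $xml
Remove-PSSession $session

# Sanity check before copying the file: it must deserialize and name the tenant,
# otherwise setup rejects it and you are back to the schema prep error.
$cfg = Import-Clixml -Path $xml
if (-not $cfg.Name) { throw "$xml does not contain an organization configuration" }
"Exported tenant configuration for: $($cfg.Name)"

# ----- On the DC, from the extracted Exchange 2013 CU media -----
# Run as an account in both Schema Admins and Enterprise Admins. /PrepareAD includes the
# schema update when it has not been done yet, so /PrepareSchema is not run separately.
$xml = 'C:\MyTenantOrganizationConfig.XML'   # the file copied over from the export step
Set-Location 'D:\Exchange2013CU16'           # assumption: where the CU media was extracted
.\Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms "/TenantOrganizationConfig:$xml"
if ($LASTEXITCODE -ne 0) { throw "PrepareAD failed; see C:\ExchangeSetupLogs\ExchangeSetup.log" }
```

The exit-code check is worth keeping: Setup.exe writes its errors to ExchangeSetup.log and returns non-zero, and a scripted prep that ignores that will happily let you launch the full installer against an unprepared forest.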

Changing the SID of a cloned machine using Sysprep

I created some VMs in my lab recently, and one of them was cloned. When I tried to add this particular Windows Server 2012 R2 VM to the domain, it failed with an error (screenshot omitted).

I used the Sysinternals tool PsGetSid to confirm that the SIDs on the base VM and the clone were the same.

So, the next thing to do is change the SID of the server I am trying to join to the domain. Sysprep ships with Windows and can do this: generalizing the image regenerates the machine SID (it also resets other machine-specific state such as the hostname, domain membership and activation status).

Go to Run, type Sysprep and press Enter; this opens the C:\Windows\System32\Sysprep folder.

In the Sysprep folder, launch sysprep.exe.

Select the Generalize check box and click OK.

Sysprep starts and, once done, the machine restarts into the initial setup screens (screenshots omitted).

Enter the requested values and you will be logged in to the machine. You will have to set the hostname and other machine-specific settings again before re-running the domain join.
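
A scripted version of the same check and fix, added as an example and not part of the original post. It derives the machine SID from the built-in Administrator account (RID 500) instead of needing PsGetSid, compares it with the base VM's SID (an assumption you replace with the value the same function returns on the base VM), and only then runs Sysprep with the generalize switch.

```powershell
# Machine SID = the SID of the built-in Administrator account without its RID (-500).
# Looking it up by RID rather than by name also works when the account has been renamed.
function Get-MachineSid {
    $admin = Get-WmiObject -Class Win32_UserAccount -Filter "LocalAccount = TRUE" |
             Where-Object { $_.SID -like 'S-1-5-21-*-500' }
    return ($admin.SID -replace '-500$', '')
}

$thisSid = Get-MachineSid
$baseSid = 'S-1-5-21-1111111111-2222222222-3333333333'   # assumption: output of Get-MachineSid on the base VM
"Machine SID on $env:COMPUTERNAME is $thisSid"

if ($thisSid -eq $baseSid) {
    # Same SID as the base VM: generalize. This regenerates the SID but also resets the hostname,
    # domain membership and activation state and shuts the VM down, and Windows only allows an
    # image to be generalized a limited number of times, so run it once, deliberately.
    & "$env:SystemRoot\System32\Sysprep\sysprep.exe" /generalize /oobe /shutdown
} else {
    "SIDs differ; the join failure has another cause (check DNS, time skew and the computer account)."
}
```

Keep the base VM's SID in your build notes: every clone taken from it will report the same value, and this comparison tells you in seconds whether a clone was generalized.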

Error “Passive copy of Mailbox Database is not in a good state. Status: FailedAndSuspended”

Recently a mailbox database failed over, and the passive copy was left in a "Failed and Suspended" status (screenshot omitted).

Analyzing the event viewer showed the following alerts (screenshots omitted).

The first thing you can do is right-click the problematic database copy and select Resume Mailbox Database Copy.

The copy starts re-synchronizing and should become healthy. If the issue persists, right-click the copy and select Update Mailbox Database Copy, which reseeds it from the active copy.

You can also use the Exchange Management Shell to troubleshoot these issues.
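
The same resume-then-reseed sequence from the shell, added here as an example and not code from the post. The copy identity and server name are assumptions. The part worth noting is the order: Update-MailboxDatabaseCopy needs the copy suspended first, and -DeleteExistingFiles is what discards the damaged files when the failure was caused by storage, as it was here.

```powershell
$copy   = 'MDB01\MBX02'   # assumption: DatabaseName\ServerName of the failed passive copy
$server = 'MBX02'         # assumption: the server hosting that copy

# 1. Current state and the reason Exchange recorded for the failure.
Get-MailboxDatabaseCopyStatus -Identity $copy |
    Format-List Status, CopyQueueLength, ReplayQueueLength, ContentIndexState, ErrorMessage, LastInspectedLogTime

# 2. Resume. This is enough when the copy only lost contact with the active copy (network
#    blip, stopped replication service) and its database and log files are intact.
Resume-MailboxDatabaseCopy -Identity $copy
Start-Sleep -Seconds 90
$status = "$((Get-MailboxDatabaseCopyStatus -Identity $copy).Status)"

# 3. Still Failed or FailedAndSuspended means the files themselves are bad, so reseed.
#    The copy must be suspended first; -DeleteExistingFiles removes the damaged database and
#    logs on this server before fresh copies are streamed from the active copy.
if (@('Failed', 'FailedAndSuspended') -contains $status) {
    Suspend-MailboxDatabaseCopy -Identity $copy -Confirm:$false
    Update-MailboxDatabaseCopy  -Identity $copy -DeleteExistingFiles -Confirm:$false
}

# 4. Replication health for the server, and the disk/NTFS events that point at the root cause.
Test-ReplicationHealth -Identity $server |
    Where-Object { "$($_.Result)" -ne 'Passed' } | Format-Table Check, Result, Error -AutoSize
Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Disk', 'Ntfs'; StartTime = (Get-Date).AddDays(-1) } `
    -ErrorAction SilentlyContinue |
    Select-Object -First 20 TimeCreated, Id, Message | Format-Table -AutoSize -Wrap
```

A reseed copies the whole database over the replication network, so on a large database schedule step 3 outside business hours and fix the underlying storage first, or the fresh copy will fail the same way.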

Further analysis showed that the issue was caused by problems with the storage drive, which were later resolved.

Reference: http://exchangeserverpro.com/how-to-reseed-a-failed-mailbox-database-copy-in-exchange-server-2010/

Resolve "420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address" error in Queue Viewer

Recently, when on shift, I noticed SCOM alerts indicating more than 200 messages in the queues of our transport servers. Checking Queue Viewer, I could see messages piling up with the error 420 4.2.0 RESOLVER.ADR.Ambiguous; ambiguous address (screenshot omitted).

As the error says, the messages were piling up because of a duplicate SMTP address. The event viewer log showed the following (screenshots omitted).

The logs clearly say that another AD object has been assigned the same email address, so the next step is to find that object and remove the address from it.

You can search for the email address in the Active Directory Users and Computers console, using Custom Search on the proxyAddresses attribute.

Once you find the AD object, remove the ambiguous address from its proxyAddresses attribute, so that only the intended recipient carries it.

Check and confirm that the queues drain and the issue is resolved.
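
The search and clean-up from PowerShell, added here as an example that is not part of the original post. It assumes the ActiveDirectory module (RSAT) on the admin host, and the address and the intended owner's DN are placeholders. It searches AD directly rather than through Get-Recipient because the conflicting object can be a contact, a disabled account or a group that Exchange no longer lists as a recipient, and it runs the removal with -WhatIf first.

```powershell
Import-Module ActiveDirectory

$addr = 'jdoe@contoso.com'                          # assumption: the address from the 420 4.2.0 error
$keep = 'CN=John Doe,OU=Users,DC=contoso,DC=com'    # assumption: DN of the object that should own it

# Escape LDAP metacharacters so an address containing \ * ( ) cannot break the filter.
$ldap = $addr -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'

# proxyAddresses matching is case-insensitive, so one filter finds both SMTP: (primary) and smtp: entries.
$owners = @(Get-ADObject -LDAPFilter "(proxyAddresses=smtp:$ldap)" -Properties proxyAddresses, mail)
$owners | Select-Object Name, ObjectClass, DistinguishedName,
    @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join '; ' } } | Format-List

# Remove the address from every object other than the intended owner. -WhatIf only reports;
# drop it once the listing above has confirmed which object is the stray one.
foreach ($obj in ($owners | Where-Object { $_.DistinguishedName -ne $keep })) {
    $stray = @($obj.proxyAddresses | Where-Object { $_ -match ('^smtp:' + [regex]::Escape($addr) + '$') })
    if ($stray.Count -gt 0) {
        Set-ADObject -Identity $obj -Remove @{ proxyAddresses = $stray } -WhatIf
    }
}

# After the fix (and AD replication to the transport servers' GC), push the queued mail
# through from the Exchange Management Shell instead of waiting for the next automatic retry.
Retry-Queue -Filter { Status -eq "Retry" }
```

If the stray object is the one users actually mail, the fix is to remove the address from the other one instead; the script only encodes the decision, it does not make it for you.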

Move File Share Witness to another server

A DAG is configured in my client's Exchange environment and the file share witness is hosted on a Hub Transport server. Because of the Office 365 migration, management decided to reduce the number of on-premises servers, so the current FSW server, which is also a CAS/Hub server, was planned for decommission. We therefore had to move the FSW to a different CAS/Hub server.

This can be done either from the GUI or from the shell.

In the GUI, open the DAG properties and replace the existing witness server and witness directory with the new values. Click OK and confirm that the change has been applied.

To make the same change from the Exchange shell, run:

Set-DatabaseAvailabilityGroup -Identity "DAGName" -WitnessServer "ServerName" -WitnessDirectory "Directory"

To confirm, execute the command:

Get-DatabaseAvailabilityGroup -Identity “DAGName” | Select Wi*
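
The move with the checks around it, added here as an example and not code from the post. DAG name, new witness server and directory are assumptions; the cluster-side check assumes the FailoverClusters module on the server you run it from. The warning in the middle is the caveat that bites most often: a witness that is not an Exchange server must have the Exchange Trusted Subsystem group in its local Administrators group, which is why this post moves it to another CAS/Hub server.

```powershell
$dag    = 'DAG01'                 # assumption
$newFsw = 'hub02.contoso.local'   # assumption: the CAS/Hub server taking over the witness
$dir    = 'C:\DAG01_FSW'          # assumption: directory Exchange will create and share on $newFsw

# Record the current witness and quorum state before touching anything.
Get-DatabaseAvailabilityGroup -Identity $dag -Status |
    Format-List WitnessServer, WitnessDirectory, WitnessShareInUse, PrimaryActiveManager, Servers

# A non-Exchange witness needs 'Exchange Trusted Subsystem' in its local Administrators group.
if (-not (Get-ExchangeServer | Where-Object { $_.Fqdn -eq $newFsw })) {
    Write-Warning "$newFsw is not an Exchange server: add 'Exchange Trusted Subsystem' to its local Administrators group first."
}

# Move it. Exchange creates the directory and share on the new server and updates the cluster
# quorum configuration; the old share stays behind on the retiring server and can be removed.
Set-DatabaseAvailabilityGroup -Identity $dag -WitnessServer $newFsw -WitnessDirectory $dir

# Verify on the Exchange side. WitnessShareInUse reports Primary when the DAG has an even number
# of members; with an odd number the cluster uses node majority and the witness is not in use.
Get-DatabaseAvailabilityGroup -Identity $dag -Status |
    Format-List WitnessServer, WitnessDirectory, WitnessShareInUse

# Verify that the share really exists on the new server, and what the cluster thinks its quorum is.
Get-WmiObject -Class Win32_Share -ComputerName $newFsw | Where-Object { $_.Path -eq $dir } |
    Format-Table Name, Path -AutoSize
Import-Module FailoverClusters
Get-ClusterQuorum -Cluster $dag | Format-List
```

Do the move while every DAG member is up: the witness only matters when the cluster loses half its votes, and you do not want its first use to be during the decommission.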

Configure RpcClientAccessServer Attribute on Mailbox Database

Recently my team was notified of an issue affecting Outlook clients: Outlook would not launch for any user in a particular site. The Outlook connection status showed it trying to connect to the F5 load balancer / CAS array, then immediately dropping the connection (screenshot omitted).

We suspected an issue at the load balancer end and planned to bypass it and connect directly to a CAS server instead.

We tried to manually configure Outlook for a test mailbox with the FQDN of the CAS server, but the profile configuration was not successful. A DAG was configured and the mailbox database holding the mailbox had a copy on another Mailbox server; I activated the passive copy and observed the status, but the issue persisted.

It was then noticed that the RpcClientAccessServer attribute of the mailbox database pointed to the FQDN of the CAS array, which is the expected configuration. For Outlook to bypass the CAS array and connect directly to a CAS server, this attribute has to be changed to point to that CAS server.

The following cmdlets were used. First, to view the current configuration:

Get-MailboxDatabase -Identity MailboxDatabase | Select RpcClientAccessServer

Now, to modify the attribute to point to the CAS server:

Set-MailboxDatabase -Identity MailboxDatabase -RpcClientAccessServer 'CASServerFQDN'

Once this change was made, Outlook connected directly to the CAS and the connection was established. Later, network/port issues were identified as the cause of the original failure. The change above was then reverted and RpcClientAccessServer was pointed back to the CAS array.
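
The bypass test as a script that can be reverted, added here as an example and not part of the original post; the database name and CAS FQDN are assumptions. It records the original value before changing it, checks that the CAS RPC and HTTPS ports are actually reachable (the cause that was eventually found here), and also lists every database's RpcClientAccessServer against the CAS array so a stray value elsewhere is not mistaken for a test setting.

```powershell
$db  = 'MailboxDatabase'        # assumption: the affected database
$cas = 'cas01.contoso.local'    # assumption: FQDN of the CAS server to test against directly

# RpcClientAccessServer should equal the CAS array FQDN on every database in the site;
# a mismatch here is a misconfiguration, not a test setting.
$array = (Get-ClientAccessArray | Select-Object -First 1).Fqdn
Get-MailboxDatabase | Select-Object Name, RpcClientAccessServer,
    @{ n = 'MatchesArray'; e = { "$($_.RpcClientAccessServer)" -eq "$array" } } | Format-Table -AutoSize

# Point the one database at a single CAS for the bypass test, keeping the original value.
$orig = (Get-MailboxDatabase -Identity $db).RpcClientAccessServer
Set-MailboxDatabase -Identity $db -RpcClientAccessServer $cas

# Outlook picks up the new endpoint through Autodiscover. While the test profile is being
# created, confirm from the client network that the RPC endpoint mapper and HTTPS are open.
foreach ($port in 135, 443) {
    $tcp = New-Object System.Net.Sockets.TcpClient
    try     { $tcp.Connect($cas, $port); "$cas port $port open" }
    catch   { "$cas port $port blocked" }
    finally { $tcp.Close() }
}

# Revert when the test is done, as the post did, so clients go back through the load balancer.
Set-MailboxDatabase -Identity $db -RpcClientAccessServer $orig
"$((Get-MailboxDatabase -Identity $db).RpcClientAccessServer)" -eq "$orig"   # expect True
```

Leaving a database pointed at one CAS after the test silently removes load balancing and failover for every mailbox on it, which is why the revert is part of the script rather than a separate reminder.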