Tuesday 16 December 2014

Exchange 2013 OAB generation and FIPS

Recently, on a new Exchange 2013 platform that is being built, OAB generation, and therefore OAB downloads to the Outlook client, were not working.

Checking Event Viewer, there were a lot of 17004 events stating that the generation of the OAB was failing:

More interestingly, scrolling through the detail, it mentioned FIPS, or 'Federal Information Processing Standard'. You can see in the screenshot below that it states:

"System.InvalidOperationException: This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms".

After ensuring there were no Group Policy templates applied to the server, I opened the Local Security Policy MMC (Local Policies | Security Options):

And I could see FIPS was enabled (the policy is 'System cryptography: Use FIPS compliant algorithms for encryption, hashing, and signing'). Disabling it on every Mailbox server that performs OAB generation resolved the issue, and the Outlook client could then download the OAB. If the servers are in a DAG, disable it on all of them: OAB generation runs on whichever server holds the active copy of the database containing the organization (arbitration) mailbox, and that database can move to any member, at which point generation fails there instead. Bear in mind that this policy is host-wide, not Exchange-specific: it governs Schannel cipher-suite selection and .NET cryptography for every process on the box, so turning it off relaxes the cryptographic posture of everything else on the server until it is re-enabled.

But what was the issue here?

Well, a search on Bing/Google turned up a Microsoft KB article on the subject. The KB attributes the failure to the hash algorithm used for the OAB files not being FIPS compliant; the exception text is the one .NET raises when a managed hash class (SHA1Managed, for example) is instantiated while the FIPS policy is on, because those managed implementations are not part of the validated cryptographic module, even though SHA-1 as an algorithm is FIPS-approved. The platform being built is based on Exchange 2013 CU5, as going to CU6 has not yet been planned, hence the error occurred on every Sysprepped image that has the FIPS policy enabled in the local security policy.

This issue is resolved in Exchange Server 2013 CU6, which changes the hash algorithm used for OABs, so if you require FIPS compliance ensure you are on at least CU6 before enabling the policy.
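To make the upgrade-or-relax decision on data rather than on a single event, the following added script (not from the original post) audits every Mailbox server for the FIPS policy state, the Exchange build and the recent 17004 events carrying the FIPS exception text. It assumes 15.0.995.29 is the published build of Exchange 2013 CU6, matches events on ID 17004 plus the exception text without assuming an event source, and expects the remote registry and event log of each server to be reachable from the Exchange Management Shell it runs in.

```powershell
# Added example, not from the original post: audit each Mailbox server for the combination
# that breaks OAB generation (FIPS policy on, build older than CU6) and count the matching
# 17004 events. Run in the Exchange Management Shell.
# Assumptions: 15.0.995.29 is the published Exchange 2013 CU6 build; events are matched on
# ID 17004 plus the .NET FIPS exception text only; remote registry/event log are reachable.

$Cu6Build = [version]'15.0.995.29'   # first build carrying the OAB hash change

function Get-FipsPolicyState {
    param([string]$ComputerName = $env:COMPUTERNAME)
    # Backing value of 'System cryptography: Use FIPS compliant algorithms for encryption,
    # hashing, and signing' (Local Security Policy | Local Policies | Security Options).
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
    $key  = $base.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa\FipsAlgorithmPolicy')
    if ($null -eq $key) { return $false }
    return ([int]$key.GetValue('Enabled', 0)) -eq 1
}

function Get-ExchangeBuild {
    param([string]$ServerName)
    # AdminDisplayVersion is a ServerVersion object; rebuild it as a comparable [version].
    $v = (Get-ExchangeServer -Identity $ServerName).AdminDisplayVersion
    return [version]('{0}.{1}.{2}.{3}' -f $v.Major, $v.Minor, $v.Build, $v.Revision)
}

function Get-OabFipsFailures {
    param([string]$ComputerName = $env:COMPUTERNAME, [int]$Hours = 24)
    # Event 17004 is the OAB generation failure; keep only those carrying the .NET FIPS text.
    $filter = @{ LogName = 'Application'; Id = 17004; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Where-Object { $_.Message -match 'FIPS validated cryptographic algorithms' }
}

function Get-OabFipsReport {
    foreach ($server in Get-MailboxServer) {
        $name     = $server.Name
        $build    = Get-ExchangeBuild -ServerName $name
        $fips     = Get-FipsPolicyState -ComputerName $name
        $failures = @(Get-OabFipsFailures -ComputerName $name)
        $action   = 'OK'
        if ($fips -and $build -lt $Cu6Build) {
            $action = 'Upgrade to CU6 or later (or, if compliance allows, clear the FIPS policy on every OAB-generating server and restart)'
        } elseif (-not $fips -and $build -lt $Cu6Build) {
            $action = 'FIPS off: do not enable it on this build'
        }
        [pscustomobject]@{
            Server      = $name
            Build       = $build
            HasCu6Fix   = ($build -ge $Cu6Build)
            FipsEnabled = $fips
            Failures24h = $failures.Count
            Action      = $action
        }
    }
}

Get-OabFipsReport | Format-Table -AutoSize
```

A server that shows FipsEnabled true, HasCu6Fix false and a non-zero failure count is the case in this post; a server with the policy off on a pre-CU6 build is one where the policy must not be switched on by a later baseline or GPO until it has been upgraded.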

It appears that as of 3/12/2014 the health set monitors for Exchange 2013 have been updated to include FIPS. See 'Troubleshooting FIPS Health Set' here.

Oliver Moazzezi - MVP Exchange Server

Wednesday 12 November 2014

Lync Room System won't show the Exchange Calendar

Recently I ran into an issue that is specific to certain hosting scenarios (Office 365 or other), or in some circumstances on-prem environments also for Lync Room Systems (LRS).

An LRS system cannot connect to a Lync environment if the domain of the LRS account (referred to in this post as the top level domain, or TLD; for LRS@domain.com that is domain.com) is not present in the SSL certificate on either the Edge, for external connectivity, or the Director or Front End pool for LRS systems deployed internally.

In nearly all scenarios you will ensure your SIP domains are in your certificates, but some companies don't add all of them, accepting the functionality caveats; and for Lync Online and Lync Hosting Pack v2 you simply cannot add every tenant's domains to the certificates, so redirecting tenant domains to a hosting access edge is inevitable.

Taking a look at the SMART LRS setup documentation (as I had a SMART system to setup!) here you can see on page 72 that it is necessary to modify the registry with a TrustModelData key to allow LRS to connect to a Lync deployment where indeed the top level domain (TLD) for the LRS account is not in the cert.

If this key is not added the LRS system sits on a blank screen, whilst the certificate warning is hidden behind the LRS walled garden, never allowing you to go any further. What certificate warning you say? Well one like this:

Adding the key and restarting the LRS system tells LRS that the TLD from the certificate, even though it does not match the TLD for the LRS account, is trusted and this certificate warning does not appear. Therefore the LRS can start successfully and can log into Lync via the LRS console without issue. (If you are wondering how to get the registry up on LRS, check the screenshot from the SMART documentation I have pasted above, this is the same procedure for all LRS systems).

But what I found once LRS was rebooted was that the Exchange Calendar would not load.

I checked that the LRS system could actually contact the autodiscover service by manually authenticating directly on the LRS system against EWS (Exchange Web Services) with the LRS account in question.

I was stumped. A quick PSS call confirmed there's an LRS bug, and that you have to give 'Everyone' 'Full Control' on the HKLM\Software\Microsoft\Office\15.0\Lync registry entry to get the Exchange calendar to show.

Once this was applied and the LRS rebooted the Exchange Calendar still wouldn't show, so I went to verify that I had indeed set the permission correctly. It was during this time that I noticed another TrustModelData key – prepopulated with Lync Online – but more specifically Exchange Online TLDs:

So I added the hosted Exchange TLD (in my instance the Lync Edge TLD and Exchange TLD matched) of the certificate to this key and restarted LRS.

When LRS restarted I again received the dreaded loading symbol for approximately 20 seconds, before the calendar showed in full glory!


This isn't going to affect all customers that deploy LRS systems: if you included all SIP domains in all certificates (Edge and internal) this isn't going to affect you. But it will affect Office 365 LRS deployments and any customer that uses multi-tenant Hosted Lync and Hosted Exchange deployments.

For Office 365 customers it appears all TrustModelData registry entries have been pre-populated through the LRS update program (ensure you are on the latest LRS update; I was), however you will have to perform the permission change to allow Everyone Full Control for it to work.

For other hosted environments you will have to ensure the TLD is added to the TrustModelData key as well as performing the permission change to allow Everyone Full Control. Note that this is a broad grant: TrustModelData is the list of domains whose certificates the client accepts without the mismatch warning, and Full Control for Everyone lets any local account or process on the LRS rewrite that list. Apply it because the calendar will not load without it, but record it as a deviation and revisit it if a later LRS update removes the need.

LRS should then login and also show the associated Exchange calendar just fine.
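The registry changes above, as an added script that is not from the original post or the SMART documentation: it appends the certificate's domain to TrustModelData without duplicating an entry that is already there, lists the ACL on the Lync key so the grant can be seen (including inherited entries), and applies the PSS permission change with the principal as a parameter. It assumes the LRS client reads the machine-wide key the post names (HKLM\Software\Microsoft\Office\15.0\Lync), that TrustModelData is a comma-separated REG_SZ (the documented format for the Lync 2013 client setting), and uses 'hoster.example' as a placeholder for the domain on the Edge/Exchange certificate.

```powershell
# Added example, not from the original post or the SMART documentation.
# Assumptions: machine-wide Lync key as named in the post; TrustModelData is a comma-separated
# REG_SZ; 'hoster.example' is a placeholder for the certificate's domain. Run elevated on the
# LRS console and restart the LRS afterwards, as the post does.

$LyncKey = 'HKLM:\Software\Microsoft\Office\15.0\Lync'

function Add-LyncTrustedDomain {
    param([Parameter(Mandatory = $true)][string]$Domain)
    if (-not (Test-Path -Path $LyncKey)) { New-Item -Path $LyncKey -Force | Out-Null }
    $current = (Get-ItemProperty -Path $LyncKey -Name TrustModelData -ErrorAction SilentlyContinue).TrustModelData
    # Normalise the existing list; @() keeps a single entry from collapsing to a plain string.
    $list = @()
    if ($current) { $list = @($current -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ }) }
    if ($list -contains $Domain) { return ($list -join ',') }   # already trusted, nothing to do
    $updated = ($list + $Domain) -join ','
    Set-ItemProperty -Path $LyncKey -Name TrustModelData -Value $updated -Type String
    return $updated
}

function Get-LyncKeyAcl {
    # Who can change the trust list. Inherited entries are shown too, so a broad grant
    # higher up the hive is just as visible as one set directly on this key.
    (Get-Acl -Path $LyncKey).Access |
        Select-Object IdentityReference, RegistryRights, AccessControlType, IsInherited
}

function Grant-LyncKeyAccess {
    # The PSS workaround in the post is 'Everyone' / FullControl. Principal and rights are
    # parameters so a narrower grant can be tried first and re-checked with Get-LyncKeyAcl.
    param(
        [string]$Principal = 'Everyone',
        [System.Security.AccessControl.RegistryRights]$Rights = 'FullControl'
    )
    $acl  = Get-Acl -Path $LyncKey
    $rule = New-Object System.Security.AccessControl.RegistryAccessRule -ArgumentList `
        $Principal, $Rights, 'ContainerInherit,ObjectInherit', 'None', 'Allow'
    $acl.AddAccessRule($rule)
    Set-Acl -Path $LyncKey -AclObject $acl
}

Add-LyncTrustedDomain -Domain 'hoster.example'
Grant-LyncKeyAccess                 # defaults to the Everyone / Full Control grant PSS specified
Get-LyncKeyAcl | Format-Table -AutoSize
```

Run Get-LyncKeyAcl once more after the LRS has been updated in future; if the Everyone entry is still needed it will still be there, and if the bug has been fixed the grant can be removed with the same Get-Acl/Set-Acl pair and RemoveAccessRule.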

On a side note I'll post the full end to end deployment and configuration steps for Exchange 2013 hosting guidance and Lync Hosting Pack v2 in the coming days. Watch this space!

Take care

Oliver Moazzezi - MVP Exchange Server

Tuesday 14 October 2014

Google Chrome Browser and Outlook Web App and Exchange Admin Center issues

Microsoft have released a KB alluding to all the 'showModalDialog' issues customers have been having when using certain Office 365 web portal, Outlook Web App and Exchange Admin Center settings with Google Chrome as their web browser.

The current fix is classed as a workaround, meaning most likely a permanent fix will be put in place at a later date. As showModalDialog is a deprecated browser feature, it is likely an update to Exchange will fix this issue rather than a change on the Chrome side. We will have to wait and see!

The work around is detailed below:

1. Click Start, type regedit in the Start search box, and then click regedit.exe.
2. Locate and then click the following registry subkey:

3. On the Edit menu, point to New, and then click String Value.
4. Type 1, and then press Enter.
5. Right-click the 1 string value that you created, and then click Modify.
6. In the Value data box, type ShowModalDialog_EffectiveUntil20150430, and then click OK.

If the key is missing entirely under ..\SOFTWARE\Policies we need to create it.

Seeing as my workstation was missing this, I thought I'd take a few screenshots of the process for those small shops that are using Office 365 and don't necessarily have any IT experience.

Right click Policies and select New > Key and enter Google

Create sub keys for Chrome and EnableDeprecatedWebPlatformFeatures as shown

Finally enter the key as mentioned.
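The same workaround as an added script (not from the post or the Microsoft KB), with a check and a removal so it can be pushed to several machines and reverted once Exchange no longer needs it. It assumes the key lives under HKLM (the post gives only "..\SOFTWARE\Policies"; Chrome honours the same path under HKCU for a per-user policy).

```powershell
# Added example, not from the post or the KB. Assumption: HKLM is the hive intended by the post.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Google\Chrome\EnableDeprecatedWebPlatformFeatures'
$Feature   = 'ShowModalDialog_EffectiveUntil20150430'

function Enable-ChromeShowModalDialog {
    # -Force creates the missing Google and Chrome keys on the way down.
    if (-not (Test-Path -Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # Chrome list policies are stored as numbered REG_SZ values under the key; '1' is the first.
    New-ItemProperty -Path $PolicyKey -Name '1' -Value $Feature -PropertyType String -Force | Out-Null
}

function Get-ChromeDeprecatedFeatures {
    # Returns the deprecated features currently re-enabled by policy, or an empty list.
    if (-not (Test-Path -Path $PolicyKey)) { return @() }
    $item = Get-ItemProperty -Path $PolicyKey
    @($item.PSObject.Properties | Where-Object { $_.Name -match '^\d+$' } | ForEach-Object { $_.Value })
}

function Disable-ChromeShowModalDialog {
    # Revert once OWA/EAC no longer needs showModalDialog, rather than leaving it in place.
    if (Test-Path -Path $PolicyKey) {
        Remove-ItemProperty -Path $PolicyKey -Name '1' -ErrorAction SilentlyContinue
    }
}

Enable-ChromeShowModalDialog
Get-ChromeDeprecatedFeatures
```

Restart Chrome and confirm the policy shows as applied under chrome://policy. Two things to note: the policy re-enables the removed API for every site the browser visits, not only for OWA and the EAC, and the value name carries its own expiry (30 April 2015), after which Chrome ignores it regardless of the registry, so the Exchange-side fix is the one to plan for.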

Take care

Oliver Moazzezi - MVP Exchange Server

Wednesday 24 September 2014

Configuring On Premise Lync and Exchange Online for hybrid voice mail

Fellow MVP Elan Shudnow wrote a great Exchange Unified Messaging provisioning script back in 2010 to bulk enable users for Exchange Unified Messaging.

This is great for running in Office365 as the EAC is a real pain for doing anything semi-autonomous, especially if a large amount of users are involved.

So that is one side of the Exchange and Lync voice mail integration puzzle solved.

We still need to enable all or at least a proportion of users for a hosted voice mail policy when the users' mailbox is in Exchange Online and Lync is on-premises or hosted.

I am assuming you have your hosted voice mail policy and hosting provider configuration created and this is working to exap.um.outlook.com just fine and dandy.

What the script does is threefold:
1. It will apply the hosted voice mail policy to your selected users
2. It will set their 'HostedVoiceMail' attribute to $true
3. It will set their UPN as their email address (the AD 'mail' attribute) if it isn't already, as Lync uses this to find the EWS endpoint for the user's mailbox

Here's the script:

#Oliver Moazzezi Exchange2010.com
#Enter OU DN for $OU
#An example of an OU DN is: "OU=oliver,OU=moazzezi,OU=exchange,DC=2010,DC=com" - keep it in quotes
#You can see a list of all Hosted Voice Mail policies by running Get-CsHostedVoiceMailPolicy
#Ensure you keep the "Tag:" prefix (no space after the colon)

$OU = "OU DN"
$Policy = "Tag:PolicyName"

#Import (not necessary in Windows Server 2012+ but won't cause any issues)
Import-Module Lync
Import-Module ActiveDirectory   #needed for Get-ADUser / Set-ADUser below

#Apply hosted voicemail configuration to tenant
$csUsers = @(Get-CsUser -OU $OU)
Write-Host "The total number of users for this OU are: $($csUsers.Count)"
Write-Host "Applying Hosted Voice Mail Policy: $Policy to all discovered users for the tenant" -ForegroundColor Yellow
$csUsers | Grant-CsHostedVoiceMailPolicy -PolicyName $Policy
Write-Host "Applying Hosted Voice Mail attribute to TRUE on all discovered users for the tenant" -ForegroundColor Yellow
$csUsers | Set-CsUser -HostedVoiceMail $true

#Set email address on all users for Lync to find Exchange EWS via autodiscover.
#Only touch accounts that have a UPN and whose mail attribute does not already match it,
#and print the old value so an existing, different address is visible before it is overwritten.
Get-ADUser -Filter * -SearchBase $OU -Properties mail, userPrincipalName | ForEach-Object {
    $upn = $_.UserPrincipalName
    if ([string]::IsNullOrEmpty($upn)) {
        Write-Warning "$($_.SamAccountName) has no UPN - skipped"
    } elseif ($_.mail -ne $upn) {
        Write-Host "Setting mail on $($_.SamAccountName): '$($_.mail)' -> '$upn'"
        Set-ADUser -Identity $_ -Replace @{ mail = $upn }
    }
}

#Configuration complete
Write-Host "Configuration completed" -ForegroundColor Yellow

I can write up the process of creating the hosted voice mail policy, the hosting provider and clarification on what is needed on the Edge Server's SAN certificate if people believe there is value in this. Let me know in the comments.

Take care,

Oliver Moazzezi - MVP Exchange Server

Monday 1 September 2014

My unfortunate experience with Nokia Support

22/09/14 UPDATE: Nokia agreed that my experience was pretty poor and that the damage was actually caused by UPS. Therefore after 4 weeks I received my phone repaired and working perfectly, including my camera working once more! Thanks Nokia!

Greetings all,

It's with a heavy heart I am writing this. But part of my job as an MVP is to provide feedback to Microsoft, this is usually related to Exchange Server, Lync Server and Office365 but today my feedback is being written about my customer support experiences returning my Nokia Lumia 1020 in for a warranty repair.

After the last 3+ weeks I have had with Nokia support in Europe, which Microsoft is taking over, I feel I have to provide this feedback on my blog after being blocked at every avenue by Nokia Support to give this any other way.

The story begins with my trusty Nokia Lumia 1020 device getting an issue with its 41mp rear facing camera. The inbuilt Windows Phone 8.1 camera app would fail to open as well as the other rather good Nokia provided ones. Restarting the phone or resetting the phone didn't fix it either. So I presumed there was a hardware fault.

A quick search on the internet showed I could put a service request in via http://www.nokiatechsupport.co.uk/NokiaIMEIPage and that by putting the IMEI number in my phone would show up as to whether it was under the standard Nokia 24 month warranty or not. Fantastic!

Going through the process was pretty painless. I put in my IMEI number, and my phone is confirmed as in warranty. I put in the details page that my camera has stopped working, and then it's confirmed that UPS would pickup my phone the next day.

Fantastic – or so I thought..

This was the email I got from Nokia after submitting the service request:

This actually made me mildly panic as I thought somehow my service request hadn't made it and I would have to do it again. However sure enough a UPS guy came for my phone the next day.

I packed the phone in an HP shipping box not very much unlike this one. But my one was much larger:

– hey I work in the industry and I am absolutely anal about ensuring adequate packaging. On top of this I put my phone between not 1 layer, but 2 layers of this:

1" inch thick anti static padding foam - and off it went on its merry way with the UPS guy.

I then hear nothing from Nokia for 6 days. I get this message:

So great they received my phone, I must admit I was starting to panic. I sit back and wait for my phone to be sent back to me with a fixed camera – fantastic!

The very next day I get this:

Not great – I guess they couldn't fix my phone. I was perplexed why they hadn't contacted me to see if they would repair it for a fee. But I had already looked on eBay and found a replacement 41mp sensor and a video on YouTube of how to replace it. So I was OK.

When I received it back however I was shocked:

I was pretty livid. I immediately started looking on http://www.nokiatechsupport.co.uk/NokiaIMEIPage and eventually found a contact number.

I got through to a support guy and informed him what had happened. Let me tell you – whoever this guy was – he was great. He was ever so sorry, took my case reference, apologised, put me on hold whilst he found out what to do, at this point he had spoken to the repair centre who informed him of some package damage (now this could have been translation issues as English wasn't his first language, or I misheard) and then eventually said a manager would call me back. I was pretty calm at this point as I felt everything was going to be OK. Hey accidents happen right?

I get a phone call from a lady called 'Belle' who in not so many words tells me the phone was not going to be fixed as it arrived damaged. Great.

I asked "But you picked the phone from me? You chose the courier, it was sent via UPS Standard which according to the UPS website has insurance?"

"There's no insurance sir" "Your phone won't be fixed"

At this point I tried maybe 200 times to make her understand that Nokia had picked up my phone, that the damage had quite obviously happened during transit by UPS and I needed her to help to ensure UPS or indeed Nokia took responsibility for that. After all if the support website had informed me at all times my phone would not be covered, I wouldn't have sent it with the provided UPS pickup – in fact I would have sent it to the repair centre at my cost – ensuring that my cherished phone was actually covered by insurance so in the event that the herd of elephants that had so obviously stampeded over it I could claim.

"There's no insurance sir" is all she kept telling me.

Eventually I thought I had managed to get her to see the light of day and she agreed to email me, and she would ask for a copy of the emails I was sent from Nokia and also a photograph of my phone. 

 'Finally I am getting somewhere!'

However I realised after getting off the phone, and then receiving her email, that all she wanted to do was to get me off the phone. I received the email, there was no request for the emails, or a request for a photo of the phone. In fact here's the email. She used those tactics to get me off the phone.

I couldn't believe I had just been treated like that.

So I went to Twitter to vent my frustration.

Now at this point NokiaCare (@NokiaHelps) replied to my tweet. They followed me and then sent me a direct message. They informed me they didn't think that sounded right about being left out in the dry and asked for my case reference and they would escalate.

So a day later I get a call back from Nokia Europe support. Fantastic I think! 

Again I was wrong!.. This time the person on the phone again told me "we are not going to fix your phone, you can book it in for a repair and we'll charge you". I again tried to make them understand that Nokia used UPS to pick up my phone, my responsibility was ensuring I had packaged the phone extremely well – which I did. I was helpless beyond this point. This time the person stayed on the phone and just kept repeating in not so many words "we're not going to help you, but have a nice day sir". To the point I actually asked if he was just waiting for me to accept this and get off the phone. Which after in not so many words he admitted to. So I told him we might as well end the call.

So again I go to Twitter and tell NokiaCare about my troubles – again they'll say they'll look into it. This time I don't get another call back – just this email:

I received this email on the 28th August. I actually replied back almost immediately stating the same things I have over and over again, and even asked "If I do send my phone in and you repair the screen and charge me for it, are you still going to repair my actual issue, my camera, under warranty?".

As of today, the 1st September no one has yet even replied to my email. That's not great support - in fact it sucks.

So as an MVP I am going to point out these improvements I think need to happen.

1. There may be an issue with the automated email that is sent to a customer when a service request is put in. I received one with blank information
2. You need to state that if a customer sends in a phone and it is damaged by UPS under Nokia's care – the customer is out of luck, and they will not be reimbursed.
3. You should state that the phone is not covered under any insurance whatsoever by the Courier (in my case UPS). 
4. You should provide information on the customer sending the phone to the repair centre via their own postal method, ensuring the customer can then make a claim in the unfortunate circumstances like mine where their phone is damaged by UPS. If this was an option this entire incident could have been handled between myself and the method I chose to ship the phone, under the insurance I selected with the courier.
5. Consider adding an app, Nokia have added some great apps to the Windows Phone eco system, that can monitor Gs (using the accelerometer) and will display the results of the transit to the individual at the Nokia repair centre that inspects the phone. I am pretty sure my phone was mistreated, dropped or thrown to get the damage it received.

And finally for anyone sending their phone in, take a picture of it with proof of the date to show your phone's physical appearance prior to having it picked up. Whilst I am sure this won't help you at all, at least it will provide proof to Nokia support that you aren't in fact a liar and trying to get damage repaired for free that you in fact did.

Something I am sure Nokia Support in Europe think of about me!!

Take care everyone,

Oliver Moazzezi - MVP Exchange Server

Tuesday 17 June 2014

Cross Forest migrate legacy Public Folder data to Exchange 2013 on-premise

Modern Public Folders are a hot topic at the moment. The revised limits for supportability are a talking point for many businesses – especially around the current 10,000 folder limit (which should be raised to 100,000 and beyond in CU6).

It means many admins are having to fully understand their legacy Public Folder estate prior to moving them to Modern Public Folders, or simply leaving them on legacy platforms (with caveats) if their Public Folder estate is simply too large for Exchange 2013 to reliably handle.

Adding to this frustration is the fact that, at this time, Public Folders can only be moved 'cross forest' to Office 365. Native support for cross forest moves of Public Folders between on-premises organizations simply isn't there.

So, providing you fall within the supportability metrics for Modern Public Folders, and you need to migrate cross forest, how do you do this at this time?

One product I have tested with great success is Mail Attender by Sherpa Software.

In my example below I am going to move Public Folder content from Forest A, running Exchange 2007 SP3 to Forest B, with Exchange 2013 CU5.

  • For the actual migration server I am using a Windows 7 x64 virtualised desktop with Office 2013 installed. The desktop is domain joined and in Forest B.
  • I have used PFDAVAdmin/ExFolders to give a mailbox account in Forest A OWNER permissions across the entire Public Folder tree in Forest A.
  • A Modern Public Folder mailbox has been created with a single empty folder, and I have given a mailbox in Forest B OWNER permissions on this folder.
  • A forest trust exists between Forest A and Forest B.

Run setup.exe and select a complete installation

It will ask you for a service account to run under. I selected an Exchange Administrator account in Forest B (the same Forest this desktop is domain joined to).

It will then automatically grant the relevant log on as a service rights.

Ensure you start the service

Once installation is completed, restart the desktop and then open the Mail Attender console and confirm the service has started

Open Outlook 2013 (Office/Outlook 2007/2010 is also supported) and create two new profiles.

One should be to the mailbox in Forest A – connecting to the legacy Public Folders that the account has OWNER permissions over.

The other connect to Forest B and Exchange 2013.

I have called the profiles E12_PF and E15_PF:

In Exchange 2013 – ensure the account has OWNER permissions on the tree

Now we're ready to start setting the Source and Target profiles up in Mail Attender. Within Mail Attender itself go to:

Email Store | Public Folders | Add Public Folders from Global Address List | Select your source profile (in my case E12_PF)

You will now have this listed under 'All Known Public Folders'

We will now do the same for the Target Profile, selecting the E15_PF mailbox.

I now have both my Source and Target profiles in Mail Attender:

We must now ensure that the service account running the Mail Attender service has full mailbox access to the Exchange 2013 mailbox in Forest B as well as the mailbox in Forest A.

As this is 'cross forest' where the service account is in Forest B and the Exchange 2007 Source mailbox is in Forest A we need to add the permission via powershell. I am also assuming you have a Forest Trust in place between both Forests as noted in the pre-requisites.

Using the Exchange 2007 EMS:

Add-MailboxPermission -Identity 'CN of Mailbox' -User 'ForestB\Administrator' -AccessRights 'FullAccess'

We now add the service account to the Exchange 2013 mailbox also. You can do this in the EAC or again via PowerShell. Where you can, use a dedicated service account for Mail Attender rather than the built-in Administrator: FullAccess on the two migration mailboxes plus OWNER on the two folder trees is everything the migration needs, and a dedicated account keeps that reach separate from domain administration and can be disabled when the migration is done.
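The permission steps on both sides, as an added, re-runnable script that is not from the original post. Every name in it is a placeholder: the pfmigrate-src and pfmigrate-tgt mailboxes, the svc-pfmigrate service account (a dedicated Forest B account standing in for the built-in Administrator the post uses) and the folder path. It assumes the forest trust from the prerequisites is in place so that Forest A can resolve the Forest B account.

```powershell
# Added example, not from the original post. All names are placeholders; svc-pfmigrate is a
# dedicated Forest B service account; the forest trust is assumed to exist.

# ---- Part 1: run in the Exchange 2007 Management Shell in Forest A ----
$SourceMailbox = 'pfmigrate-src'            # mailbox behind the E12_PF Outlook profile
$SvcAccount    = 'ForestB\svc-pfmigrate'    # Mail Attender service account, resolved over the trust

# Full mailbox access for the service account (what the post does with Add-MailboxPermission)
Add-MailboxPermission -Identity $SourceMailbox -User $SvcAccount -AccessRights FullAccess -InheritanceType All

# OWNER on every folder of the legacy tree; the post does this with PFDAVAdmin/ExFolders.
# Folders that already carry the entry raise an error that is safe to ignore.
Get-PublicFolder -Identity '\' -Recurse -ResultSize Unlimited | ForEach-Object {
    Add-PublicFolderClientPermission -Identity $_.Identity -User $SourceMailbox -AccessRights Owner -ErrorAction SilentlyContinue
}

# Verify: the service account should show FullAccess with Deny false
Get-MailboxPermission -Identity $SourceMailbox -User $SvcAccount | Select-Object User, AccessRights, Deny

# ---- Part 2: run in the Exchange 2013 Management Shell in Forest B ----
$TargetMailbox = 'pfmigrate-tgt'                         # mailbox behind the E15_PF Outlook profile
$SvcAccount    = 'svc-pfmigrate'
$TargetFolder  = '\E12 Migration Top level folder'       # the single empty modern public folder

# Full access without Outlook auto-mapping, so the profile is built explicitly as in the post
Add-MailboxPermission -Identity $TargetMailbox -User $SvcAccount -AccessRights FullAccess -InheritanceType All -AutoMapping $false

# OWNER on the target folder for the Forest B mailbox
Add-PublicFolderClientPermission -Identity $TargetFolder -User $TargetMailbox -AccessRights Owner

# Verify both grants before collecting statistics in Mail Attender
Get-MailboxPermission -Identity $TargetMailbox -User $SvcAccount | Select-Object User, AccessRights, Deny
Get-PublicFolderClientPermission -Identity $TargetFolder | Select-Object User, AccessRights
```

If the verification on the Forest A side returns nothing, the trust (or name resolution across it) is usually the cause rather than Exchange; check that Forest A can resolve the Forest B account before re-running the grant.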

Once full mailbox access has been granted, we can run statistic collections in Mail Attender. These will tell us we can connect to both the Source and Target Public Folders. Simply right click each known public folder store and select 'Collect Statistics Now'.

Providing there are no issues when collecting the statistics this means the Mail Attender console can log in to both Outlook profiles and see the public folder tree.

We are now ready to start creating some migration rules.

 In Mail Attender under:  Management | Rules | we will create a new standard rule.

The process is fairly straightforward. Give it a name:

Add the Source Exchange 2007 endpoint in the 'Email Store' tab

Now select the 'Folders' tab. For 'this rule applies to' select "ONLY those Folders Listed below", additionally select 'Explicit Folder Path and Name' and put in your folder entry, for example "\All Public Folders\E12 Migration Top level folder". Ensure you include all sub folders.

You can do cool additional things like take data from the Dumpster.

Moving on to the 'Conditions' tab – I haven't selected anything here, but you can add some pretty powerful conditions here. For example maybe you only want to take the last 5 months worth of Public Folder data? Or you want to delete any attachments? Or you just want to migrate certain types of data? Well you can add rules like that here.

Moving on to the 'Actions' tab this is where you select how the data is transferred. I am selecting here 'Copy Message to Public Folder'

Within the action is where we specify the Target Outlook profile – this is pretty confusing at first as it isn't very intuitive!

Note: You have to put "[FOLDER_PATH_FROM(3)]" in, this is how it copies the child folders from the source to the target. Again this isn't intuitive, I received this information from a support call. If you don't do this you'll only copy over the top level folder.

Once you press OK that's the migration rule created.

You will now see this show up as standard rule under the Mail Attender Rule set.

You can add a schedule having the data move multiple times a day if you want. Something that I used to rely on when using the InterOrg Replication tool For Exchange 2003 to Exchange 2003/2007 and 2010 cross forest public folder migrations.

You can additionally configure two way synchronisation, if you are going to be in a long period of co-existence.

Now run the rule and it will copy and migrate your Public Folder data. This may take some time depending on the amount of data and number of Public Folders. I again urge you to be aware of the current revised limits for supportability for Exchange 2013 up to CU5.

For those that need something to perform cross forest public folder migrations to Exchange 2013 on-premises right now, this tool provides that. It is unknown if and when Microsoft will update Exchange 2013 to finally support on-premise cross forest Public Folder moves.

There are simpler, less autonomous ways of moving the data, but these typically include PST digestion and Exchange 2013 doesn't currently support PST imports or exports to modern public folder mailboxes – so the whole affair will be wholly Outlook driven – which isn't ideal.

If you want the solution to be automated, run on schedules, support bi-directional replication, and include some powerful technology to  autonomously clean up your data when migrating to Exchange 2013, Mail Attender is a pretty good product.

Watch out for Part 2 where I'll show you how to script your permissions and configure your mail enabled Public Folders.

Oliver Moazzezi - MVP Exchange Server