Category Archives: Office 365

Everything about Microsoft Office 365 services and new trends.

Exchange Online, Office 365

Setting up signature or disclaimer for all users in Office 365 Exchange online.

Leave a comment

The Story

In order to setup a signature for all office 365 Exchange Online users without manually going after each client and set it up, you can do so by using mail flow rules to append the signature along within each and every out going email.
To do so, you will have to go to Office 365 Exchange admin portal, then navigate to Mail flow –> choose Rules and click on the + sign

image

 Click on “Apply disclaimers…”

image

When the new rules opens up, you will have to give it a name and apply condition for the rule. an empty form looks like this one

image

but here’s what mine looks like,
I choose the sender address includes “Specific domain” then in the append the disclaimer part, I have entered an HTML code which includes all user details

image

after applying the disclaimer I choose to wrap it up. and then in the exception part I added a rule that excludes adding the disclaimer and signature to any reply message by reading the “RE” word in the subject field.

image

Now the disclaimer code is as following and you may want to configure it or customize it according to your needs. 

Code:

HTML CODE</br> 
</br> 
<div style=”font-size:9pt; font-family: ‘Calibri’,sans-serif;”> 
%%DisplayName%%</br> 
%%Department%%</br> 
%%Email%%</br> 
</br> 
<div><img alt=”Logo” src=”http://s11.postimg.org/jjdha41wv/mynigga.jpg“><p><p><p>Tel: %%PhoneNumber%%</br> 
Gsm: %%MobileNumber%%</br> 
Fax: %%FaxNumber%%</br> 
Address:%%Street%%</div> 
</div> 
<span style=”font-size:12pt; font-family: ‘Cambria’,’times new roman’,’garamond’,serif; color:#100101;”>Disclaimer</span></br> 
<p style=”font-size:8pt; line-height:10pt; font-family: ‘Cambria’,’times roman’,serif;”> ________________________________________ 
</br> 
<span style=”padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: ‘Calibri’,Arial,sans-serif; “><a href=”http://www.companywebsite.com”>http://www.companywebsite.com</a></span></br></div></br>
________________________________________</br> 
<span style=”font-size:10pt; font-family: ‘Cambria’,’times new roman’,’garamond’,serif; color:#928E8E;”>This e-mail and any information included within any attached document are private and confidential and intended solely for the addressee. Company name does not accept any legal responsibility for the contents of this message and any attached documents. If you are not the intended addressee, it is forbidden to disclose, use, copy, or forward any information within the message or engage in any activity regarding the contents of this message. In such case please notify the sender and delete the message from your system immediately. Company name also denounces any legal responsibility for any amendments made on the electronic message and the outcome of these amendments, as well as any error and/or defect, virus content and any damage that may be given to your system.</span> 
</p> 
<span style=”padding-top:10px; font-weight:bold; color:#CC0000; font-size:10pt; font-family: ‘Calibri’,Arial,sans-serif; “><a href=http://www.companywebsite.com>Company Name </a></span></br></br> 
</div>

 I have highlighted the customizable part of the code in Yellow and red so you can change it or configure it according to how you want it to fit for you. 
The Display name, Department, Email ….etc are all variables for users attributes and they are being pulled from the Microsoft Azure AD, so if your users don’t have any information filled in there then users will likely won’t show anything 

Note for the red highlighted link you will have to import only “HTTP” link for the uploaded logo of your company. HTTPS won’t be acceptable or read.

If you’re an HTML noob , you can use the following links for testing and changing colors..etc 

http://www.w3schools.com/html/tryit.asp?filename=tryhtml_basic_document
For color changing 
http://html-color-codes.info/

Using the w3schools.com website, you can copy the code on the left pane and click on see results and it’ll show you the result on the right pane

See how it looks like

image

Once you’re done with the code, you will have to copy and paste the link in the disclaimer part on the right pane. next click Save and probably this will take about 10 minutes to be applied or less.

image

To test if this is going to work, I will go on one of the users that I applied the rule for and fill out their details like display name, e-mail, street ..etc and try to send out an email with this user. 

image

Mail is empty as you can see 

image

del.icio.us Tags: Exchange Online,ExchangeOnline,Office365,Office 365,Signature

Reference: 
https://technet.microsoft.com/en-us/library/dn600437(v=exchg.150).aspx

Office 365

Set OWA redirection from On-premises OWA to Office 365

Leave a comment

If you run Hybrid Migration Wizard and you noticed that Migrated users from Exchange On-Premises to O365 are not redirected to O365 Owa page then you will have to go through the following to check if there’s an issue and fix it.

In Normal cases, This is done automatically upon running the HCW (Hybrid configuration wizard) but in some cases it might not be found. And therefore when migrated user try to login using the local Exchange OWA page the user is not redirected to O365 OWA and get’s an error.

Resolution:

In order to make sure that redirection is the problem, open Exchange Management PowerShell and run the below command see for ur self if the “TargetOWAURL” is set.

Below in this screen shot, the value for targetowaURL is not set, so we’ll have to set it as in the snapshot after that.

The targetowaURL will point to the OWA of the tenant Url.

http://outlook.com/owa/domain.onmicrosoft.com

The Target URL must be like in the following snapshot

To resolve this case, we’ll have to run the cmdlet

Set-OrganizationRelationship “On Premises to Exchange Online Organization Relationship” -TargetOwaURL:http://outlook.com/owa/domain.onmicrosoft.com

Office 365

Office 365 Mail flow in Hybrid doesn’t work after you white list office365 IPs on your SMTP gateway

Leave a comment

I have deployed Hybrid environment for a customer who have Exchange 2010 SP3 with over 11K users. the customer was using SMTP gateway for spam protection and didn’t want to disable or close the gateway through the hybrid environment deployment or after and wanted to have their gateway constantly.

While Microsoft doesn’t support any SMTP gateways in Hybrid environment I had to find a way to configure this gateway to allow any incoming or outgoing emails from Office 365 tenant to Exchange on-premises using the white list feature in all its services e.g. (Anti-Spam, Virus, spoof…etc

After configuring the hybrid deployment, I had a problem with mail flow from/to Exchange Online.

I have checked all Microsoft’s Office 365/Exchange Online/ Exchange Online protection IPs/CIDs in order to white list them or add them to the ignore list on the SMTP gateway in order for mail flow to not be checked from and to Exchange online if the source is Exchange on-premises but that didn’t work until I find a Microsoft article that which was modified very recently by Microsoft 31-05-2016.

image

Click here for the link

The article mentioned that the IP list have been updated, including the removed IPs list as well.

image

While tracing the logs on Office 365 Message tracer tool I noticed that the connection to the SMTP gateway has been refused due to an IP which the MS article described as “Removed” but it was still used to send emails from Exchange online.

The IP was 213.199.154.78 was greylisted on the SMTP gateway due to it not being added to the white list.

image

If you read the article you’ll notice that the subnet 213.199.154.0 has been mentioned as removed. so adding the IP to the white list has solved the problem for me

image

REF:

https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Hope this helps

For any questions or inquery please mail me info@moh10ly.com

Exchange Online, Office 365

Importing PST to Office 365 Exchange online mailboxes through the new Import Service

Leave a comment

Note:

Microsoft has decided to charge for this service (8$ for each GB) … 

Microsoft has launched a new feature that allows administrators to import PST to Exchange online directly through the portal.

In this article I’ll guide you through the steps of uploading one PST file and import it to a user’s mailbox. Although the steps are identical to Microsoft’s TechNet article but it’s more detailed and with screenshots.

So to achieve this, you’ll have to first sign in to your Office 365 portal. Open Exchange admin center and follow the below steps:

  1. Granting Permission

Grant your self-importing PST permission to users by navigating to Exchange admin center -> Permissions> Double click on Compliance Management

Under Roles: click on + and add Mailbox Import Export role

Click on + Under Members and add your user account

clip_image001[5]

2. `Copy Secure URL and secure storage account key

To get the Azure secure storage account key and URL you will have to go back to the Office 365 portal and then click on Import tab on the left pane

Then click on the Key sign below

clip_image002[4]

When you click on it, you will be able to retrieve the key and the URL by clicking on Copy Key and URL .

clip_image003[4]

The secure storage account key is pretty long and you’ll have to notice that sometimes you might get confused and copy only the appearing portion of it in the field… if you do so and copied that in the Azcopy command or Azure storage explorer you might get an error …

Here’s my Secure Storage account key that I am using on a trial version of Office 365.

KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g==

Next: Copying the URL.

The URL has an important part which you will be using in Azure Storage Explorer tool in order to login and browse your Tenant’s storage which you’ll use to upload PST to.

The URL will appear as following.. You will need to copy the part in bold

https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/

You have to copy this in to the storage account name

d49d7ae0e38a4d8e9c93565

3. Copying PST files to Azure Folder using Azcopy command or Azure Storage Explorer (You can use Azure Storage Explorer too)

In order to upload PST files to Azure, you have two methods. The first is using Azcopy command which is pretty easy and straightforward (but still CMD dependent) or you can use the GUI Application which is Azure Storage explorer

To download azcopy, you can use the following link

http://az635501.vo.msecnd.net/azcopy-3-2-0/MicrosoftAzureStorageTools.msi

Or download them from the Import page as well under Resources:

clip_image004[4]

Once the tool is installed. Right click on it and open it as administrator

The following command will take all the files inside my local folder path C:\Users\Mohammed\Desktop\upload

It will create a folder in Azure’s default folder ingestiondata called “Server01/PSTshareR1/”

It will use the destkey that I have retrieved from Office 365 Import window. And will leave all the logs in your local drive c:\PSTupload\Uploadlog.log

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

clip_image005[4]

To make sure that files are uploaded. I will open Azure Storage Explorer 6 (Preview) and click Add Account on top

On add storage account window I will use the blob name that I have got from the URL earlier and storage secure key in the storage account key below and click on save.

clip_image006[4]

Once I click that I will get a list of directories, The default directory which is used by Office 365 is the “Ingestiondata” folder, There our files will be uploaded.

clip_image007[4]

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

4. Create CSV File to import PST

Assuming you have 150 PST files that you want to upload and import into users which already have been enabled on Exchange online … In order to do so you will have to prepare a CSV file that looks like the below sample

To provide an explanation of what each column stands for .. Microsoft has written a table that clears the dust but some parts were not even clear for me like the FilePath as in the TechNet article it gets you confused with the “Ship data on Physical hard drives” since it uses your drive to upload data directly to Azure through the Import tool on Office 365 portal.

image

From <https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396>

Note:

The friendly path here is the path of the folder you have created in Azure through the Azcopy command

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/

/Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

CSV Sample

clip_image008[4]

So the CSV File is ready.

In Azure Storage Explorer I doubled check if the PST files has finished uploading and it’s there.

clip_image009[4]

5. Using the Upload Files over the network

Back to Office 365 portal, go to Import and click on the + Sign and select Upload files over the network

clip_image010[4]

Select I have access to the mapping file as well

clip_image011[4]

Click on + and upload the CSV file that you have prepared for the mapping

Next File is imported, Click on “By checking this box, you agree to the terms and conditions of this service.

clip_image012[4]

As soon as you accept and click next the Import is going to check path, email, folder and will start the import process.

clip_image013[4]

clip_image014[4]

Email before importing

clip_image015[4]

Imported started, folder has been created

clip_image016[4]

Importing is done

clip_image017[4]

clip_image018[4]

Importing is done

Reference

https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396#BKMK_CreateAnewMappingtoupload

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

Office 365

Import Microsoft IP address to receive connector

Leave a comment

Sometimes when you launch Office 365 Hybrid integration wizard from Exchange 2010, after successfully implementing the integration the IPs of Microsoft are not all imported in the “Receive Connector” for Microsoft so you might have to consider to add them manually to your on-premises Exchange server.

In order to do so, Open Microsoft Exchange Management shell as Administrator and follow the following cmdlets.

[PS] C:\>$RecvConn = Get-ReceiveConnector “Inbound from Office 365

[PS] C:\>$RecvConn.RemoteIPRanges += “65.52.148.27”, “65.52.184.75”, “65.52.208.73”, “65.52.240.233”, “65.54.80.0/20”, “65.54.165.0/25”, “65.55.86.0/23”, “65.55.233.0/27”, “70.37.128.0/23”, “65.54.54.32/27”, “65.54.55.201”, “65.54.74.0/23”, “70.37.142.0/23”, “70.37.159.0/24”, “94.245.68.0/22”, “65.55.239.168”, “70.37.97.234”, “94.245.86.0/24”, “94.245.117.53”, “94.245.108.85”, “94.245.82.0/23”, “94.245.84.0/24”, “132.245.0.0/16”, “157.56.23.32/27”, “157.56.53.128/25”, “157.55.155.0/25”, “157.56.55.0/25”, “157.56.58.0/25”, “157.55.59.128/25”, “157.55.145.0/25”, “157.55.185.100”, “157.55.194.46”, “157.55.227.192/26”, “157.56.151.0/25”, “157.56.200.0/23”, “157.56.236.0/22”, “207.46.216.54”, “207.46.57.128/25”, “207.46.70.0/24”, “207.46.73.250”, “207.46.150.128/25”, “207.46.198.0/25”, “207.46.206.0/23”, “213.199.148.0/23”, “213.199.182.128/25”

[PS] C:\>Set-ReceiveConnector “Inbound from Office 365” -RemoteIPRanges $RecvConn.RemoteIPRanges

Hit Enter after each PS line and you will be able to find all those IPs in your connector.

Exchange Online, Microsoft Azure, Office 365

Export Office 365 users from specific domain and change their passwords

Leave a comment

First of all you will need to connect to your tenant with your global admin account using the following script

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession –ConfigurationName Microsoft.Exchange -ConnectionUrihttps://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService –Credential $O365Cred

After connecting you will need to type the following command line which will export all users in a specific domain that’s added to your portal if you have more than one domain added there.

Get-MsolUser -DomainName Domain.com | Select UserPrincipalName | Export-Csv C:\users.csv –NoTypeInformation

clip_image001

Change passwords for those users by using the following command and pressing enter you’ll be giving a line to enter your new password that you wanna set for all users in the exported file.

$PASS = Read-Host

clip_image002

Run this command to change the passwords

Import-Csv C:\Users.csv | % {Set-MsolUserPassword -userPrincipalName $_.UserPrincipalName -NewPassword $PASS -ForceChangePassword $True}

clip_image003

That’s it. Now users inside the exported csv file have the new password which you have just set.

Note that users will be prompted to reset their passwords upon login, if you don’t want this to happen you can remove the -ForceChangePassword $True parameter.

del.icio.us Tags: Office365,Office 365,Exchange Online,Azure

Exchange Online, Office 365

Exchange: Cannot process command because of one or more missing mandatory parameters

Leave a comment

Symptoms:

After you Synchronize users from Local Active Directory to Office 365 Directory using dirsync and try to enable users licenses on Office 365 portal you get the following error.

Error:

Exchange: Cannot process command because of one or more missing mandatory parameters: ArchiveGuid.Exchange: An unknown error has occurred. Refer to correlation ID: dfd8cc2d-e6a4-4b47-8e1e-2059031893c1

According to the error message, it indicates that parameter ArchiveGuid is missed, please refer to the following steps to narrow down this issue:

1.Please Connect Windows PowerShell to Exchange Online and run the command below to compare this parameter of users have errors with normal users:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-Mailbox <username_with_errors> | fl archive* 

Get-Mailbox <username_no_erros>  | fl archive*

Apparently the commands above didn’t work. And so I had to check something else.!

In order to solve the problem first

  1. I had to assign License to the user synced on O365.
  2. Check User’s Proxy target attribute using ADSI. (Which was correct)
  3. Checking Archiving Attributes since the error is mentioning the Archiving option.
  4. After checking the Archiving attributes it turns that the admin of Exchange has changed the below attributes before he assign user the license on o365 and migrate the user. 

                    5. So deleting the value below msExchArchiveName and setting up msExchRemoteReceipeintType back to 4                             have solved the problem                    6. Of course DirSync needs to be applied in order to sync changes to AD on O365.

Note:

The migration for the User should be “continued” from previous migration batch in the portal otherwise if you start any new batch for the same user the result will be completed but migration won’t take place.

If you used DirSync to sync users from local to online, please try to restart the DirSync to check whether this issue persists or not.

Office 365

Exchange Hybrid Integration with Office 365

Leave a comment

Before Starting the process of implementing the integration, you must consider using some tools to see if your environment has no issues.

First you must use this tool IdFix check the active directory for any possible issues when installing Dirsync and synchronizing users and their objects to the cloud.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.

http://community.office365.com/en-us/w/diagnostic_tools/default.aspx?ss=465d14b0-c5fe-4bbf-84d2-c791113732e2#idfixdirsyncerrorremediationtool

  1. To prepare Exchange for hybrid configuration with Exchange Online you need to prepare the following steps.

http://technet.microsoft.com/en-us/library/jj151800.aspx#BKMK_InstallDirSyncTool

  • Install ADFS (Optional) for SSO (To authenticate users from Local AD)

Note about ADFS:

ADFS can be the reason of so much headache and it’s always better to avoid installing it, instead of using ADFS to use the same password for users on a large scale deployments, the Dirsync can Synchronize local Passwords to Azure AD and same password can be used for both users local and online.

  1. Create an enterprise admin user account on the domain for DirSync service
  2. Installation of Dirsync with Password synchronization: We prepare a separate server for the DirSync tool that is windows 2008 R2 SP1 or 2012 R2 installed and the server

should be domain joined in order to reach Active Directory.

  1. The account used with Dirsync should be member of the domain admin. Also you need to have the admin credentials for the tenant that you signed up to on O365.

http://technet.microsoft.com/en-us/library/jj151831.aspx

Next again

Click Next after selecting the proper location

While installing I had an error saying that current user was not member of the Synchronization Engine FIMSyncAdmins group.

I tried uninstall DirSync but it it gives the same error message

The FIMSyncAdmins group is a local group on the server. Your user is not a member of that group locally. Try adding your user to the group.. after adding the user to the required group the installation were completed successfully.

First you need to make sure that your customized (personal) domain is active.

Now we need to enable Dirsync from the portal, next to Active Directory ® Synchronization Click on Set up and activate DirSync.

Now click on Activate

Now after we made sure that our domain is active and we activated Dirsync on Office 365 portal let’s Go back to DirSync server to complete the steps and check if we can start syncing your Active Directory.

Type your enterprise admin user which you have prepared for Dirsync, for my case I’m just going to use the domain admin user since it’s a Lab.

Make sure you Enable Hybrid Deployment since Azure active directory will modify objects in your on-premises AD.

In case you would want to have your On-premises AD password for users synchronized with users on Office 365

then you must tick the option as in the below snapshot.

Here, When I click next I get an error as following:

Error:

The new version of Dirsync doesn’t accept the domain admin account.

Solution:

In order to resolve the problem you have to create a new user account with enterprise admin privileges

Use this account to connect to AD during config.

Here I created the new user and added the required groups.

After using the new account there was no issue with the setup and I could complete the configuration successfully.

Once the configuration finished you will be able to find event ID 611 in the logs.

Now checking Office 365 portal, I can see that users have been synced to the Office 365 portal:

Now let’s go to the Exchange On-Premises server, and before starting the HCW on Exchange on-premises you will have to do three main steps:

  1. Make sure Autodiscover is set
  2. Make sure WSSecurity is set to true.
  3. Make sure that’s MSProxy is set to True.

You need to make sure that Autodiscover URL on autodiscover virtual directory is set for internal and External. To do so first check the current configuration by using the following commands.

Get-autodiscovervirtualdirectory | fl

If the Internal and external Autodiscover urls are not set then set them using the following command line.

Set-AutodiscoverVirtualDirectory -Identity ‘autodiscover(default Web Site)’ Internalurl https://internalfqdn.domain.com/autodiscover/autodiscover.xml

Set-AutodiscoverVirtualDirectory -Identity ‘autodiscover(default Web Site)’ Externalurl https://mail.domain.com.com/autodiscover/autodiscover.xml

From <http://technet.microsoft.com/en-us/library/aa998601(v=exchg.150).aspx>

Now we have to enable the wssecurity and mrsproxy since both of them are not enabled by default in the virtual directory:

You can still check if you need to to make sure that it’s enabled or not by using the following cmdlet

Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl

Now to enable the WebServices use the following cmdlet on Exchange Management shell

To enable the WSSecurity use the following CMDlet

Then use the command “Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl” to see if the values have changed

I need to go to my Local exchange server and start the Hybrid process.

From Under MS Exchange on-premises we click on Organization Configuration after we add our trusted tenant domain to the Exchange server.

Click Next, and enter the credentials for your domain admin and tenant admin.

Click Next, Add enter the verified domain.

Click next, here you will need to press ctrl + C to copy the value and create this value as txt in your public DNS.

Click next once you verified that the value has been published and available on

Select the Mailbox, Client Access, Hub transport.

Here click Next again, below you will need to create a new A Name record in your public DNS that directs to your Inbound connector’s IP under ForeFront Online Protection and the FQDN e.g. “Mail.domain.com” under the outbound connector or place the SMTP gateway’s Public IP if you have it and create an A name in your public DNS that has the same IP .

In the following step, the snapshot shows the certificate which I have associated with my hub transport server however, this certificate is public certificate that’s brought from 3rd party.

Select the certificate and choose how you want to route your mail.

Click Manage, When clicking manage you might get the following error message

Summary: 2 item(s). 1 succeeded, 1 failed.

Elapsed time: 00:03:37

Set-HybridConfiguration

Completed

Exchange Management Shell command completed:

Set-HybridConfiguration -Features ‘MoveMailbox’,’OnlineArchive’,’FreeBusy’,’Mailtips’,’MessageTracking’,’OwaRedirection’,’SecureMail’,’CentralizedTransport’ -Domains ‘cloudimia.com’ -ClientAccessServers ‘EXCH01’ -TransportServers ‘EXCH01’ -ExternalIPAddresses ‘95.0.52.125’ -OnPremisesSmartHost ‘hybrid.cloudimia.com’ -SecureMailCertificateThumbprint ‘E2539EB2BE3BB5FFB56B5EF3BF4CB2017A645717’

Elapsed Time: 00:00:06

Update-HybridConfiguration

Failed

Error:

Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Configure Mail Flow Execution of the Set-HybridMailflow cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Connector validation failed: RouteAllMessagesViaOnPremises can be set to true only when there is at least one inbound connector of type OnPremises with AssociatedAcceptedDomains set to empty.

at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

‘.

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_11_2014_15_9_37_635277281771541111.log.

Exchange Management Shell command attempted:

Update-HybridConfiguration -OnPremisesCredentials ‘System.Management.Automation.PSCredential’ -TenantCredentials ‘System.Management.Automation.PSCredential’

Elapsed Time: 00:03:31

As Microsoft Employee advises it’s better to use the internet instead. So we will go with this option and see what happens.

The general recommendation and default setting is not do this, but to deliver e-mail from Exchange Online to external recipients directly to the Internet instaed.

If it is no requirement, I advise you to skip that option.

From <http://community.office365.com/en-us/forums/156/t/202214.aspx>

And here we are done.

Looking at the Hub Transport, we can see that at remote domains we have new domains added automatically after the Hybrid Configuration.

Office 365

Error migrating user from office 365 to on-premises

Leave a comment

After migrating a user from on-premises exchange to O365 and try to move it back from O365 to On-premises the user will not move and you will see a message similar to the one below.

Resolution :

To resolve this issue, you will have to disable the ESMTP Inspection rule on your Cisco firewall.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy

pix(config-pmap)#class inspection_default

pix(config-pmap-c)#no inspect esmtp

pix(config-pmap-c)#exit

pix(config-pmap)#exit

Office 365

Emails between O365 and On-premises do not work

Leave a comment

Emails between O365 and On-premises do not work

When sending an e-mail from O365 migrated users to On-premise users the On-premise users  don’t get e-mails.

Failure Message

From: Microsoft Outlook <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@domain.onmicrosoft.com>
Date: 4 Nisan 2014 22:35:30 GMT+3
To: <test@domain.com.tr>
Subject: Undeliverable: deneme

Delivery has failed to these recipients or groups:

User (User@domain.com.tr)
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.
 

User2 ( Company ) (User2@domain.com.tr)
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.
 

Diagnostic information for administrators:

Generating server: DB4PR03MB532.eurprd03.prod.outlook.com
Receiving server: emea01-internal.map.protection.outlook.com (10.47.216.25)
 

User (User@domain.com.tr)
4/4/2014 7:35:30 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘550 4.4.7 QUEUE.Expired; message expired’


4/4/2014 7:27:34 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 210.179.31.5:25

User2 ( Company ) (User2@domain.com.tr)
4/4/2014 7:35:30 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘550 4.4.7 QUEUE.Expired; message expired’

4/4/2014 7:27:34 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 210.179.31.5:25”

Original message headers:

Received: from DB4PR03MB610.eurprd03.prod.outlook.com (10.141.234.156) by DB4PR03MB532.eurprd03.prod.outlook.com (10.141.235.143) with Microsoft SMTP Server (TLS) id 15.0.908.10; Wed, 2 Apr 2014 19:31:29 +0000 Received: 

from DB4PR03MB610.eurprd03.prod.outlook.com (10.141.233.156) by DB4PR03MB610.eurprd03.prod.outlook.com 

(10.141.234.156) with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 2 Apr 2014 12:49:18 +0000 Received: from DB4PR03MB610.eurprd03.prod.outlook.com ([10.141.233.156]) by DB4PR03MB620.eurprd03.prod.outlook.com 

([10.141.233.156]) with mapi id 15.00.0913.002; Wed, 2 Apr 2014 12:49:17 +0000 Content-Type: multipart/mixed; boundary=”_000_2c4cf07ee43e4faab98dc52f068a566fDB4PR03MB620eurprd03pro_” 

 From: test <test@domain.com.tr> To: “User ( Company )” <user@domain.com.tr>, “User2 ( Company )” <User2@domain.com.tr> Subject: deneme Thread-Topic: deneme Thread-Index: Ac9Oce26frtuRTMySYWFyAvAom/lyQ== Date: Wed, 2 Apr 2014 12:49:16 +0000 Message-ID: <2c4cf07ee43e4faab98dc52f068a566f@DB4PR03MB620.eurprd03.prod.outlook.com> Accept-Language: en-US Content-Language: en-US X-MS-Has-Attach: X-MS-TNEF-Correlator: <2c4cf07ee43e4faab98dc52f068a566f@DB4PR03MB620.eurprd03.prod.outlook.com> x-originating-ip: [78.186.201.28] X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:DB4PR03MB610;H:DB4PR03MB620.eurprd03.prod.outlook.com;FPR:;LANG:tr;;SKIP:2; MIME-Version: 1.0 X-MS-Exchange-CrossPremises-AuthAs: Internal X-MS-Exchange-CrossPremises-AuthMechanism: 03 X-MS-Exchange-CrossPremises-AuthSource: DB4PR03MB620.eurprd03.prod.outlook.com X-MS-Exchange-CrossPremises-SCL: -1 X-MS-Exchange-CrossPremises-messagesource: StoreDriver X-MS-Exchange-CrossPremises-BCC: X-MS-Exchange-CrossPremises-originalclientipaddress: 78.186.201.28 X-MS-Exchange-CrossPremises-avstamp-service: 1.0 X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating;SFV:SKI;SKIP:0; X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent X-MS-Exchange-CrossPremises-ContentConversionOptions: True;00160000;True;; X-OrganizationHeadersPreserved: DB4PR03MB610.eurprd03.prod.outlook.com Return-Path: test@domain.com.tr X-OriginatorOrg: domain.com

Symptoms

When you try to telnet the Office 365 hub transport from Exchange on-premises server it won’t recognize the telnet commands on the SMTP server.

Resolution:

451 4.4.0 Primary target IP address responded with: “451 5.7.3 Must issue a STARTTLS commnd first” Office 365 Hybrid


If you have an Office 365 hybrid configuration you may experience issues sending emails between on premise and cloud users (in either direction).

The Exchange 2013 (or 2010) on premises queue viewer may show:

‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was xxx.xxx.xxx.xxx’

The Office 365 Message Trace Console shows the delivery status of ‘None’
 


Office 365 Message Trace 

The errors suggest the TLS connection cannot be made but a TLS certificate IS present and during the Hybrid Connection Wizard the required connectors are automatically created so should not require an additional configuration.

When an email is sent between on premise & cloud (Office 365) users of your SSO domain it is sent across one of the automatically created send connectors. These connectors are secured using TLS.

So, assuming you have ruled out all the normal stuff its now time to get baffled. We know the on premise server can send and receive external email. We also know that the Office 365 service can send and receive email. It is just the email between the two services that does not work.

I was banging my head against a wall for ages until I used Telnet to connect from my on premise Exchange server to Microsoft cloud gateway.

What I got is shown below:


This is not correct. As you can see the server has not recognised the “ehlo” statement and the banner does not “look right”…

A bit of digging around the firewall I noticed that packets were being dropped when TLS was attempted.

The firewall is a Cisco PIX 515. I disabled ESMTP inspection but that made no difference so I discounted this as the cause.

After a lot more digging around and raging I remembered that the PIX was behind another Cisco firewall – this time an ASA 5510. So I accessed this device and sure enough this edge firewall was also inspecting and dropping TLS over SMTP.

Once both firewall were configured not to inspect ESMTP the default configuration that was set by the Hybrid Configuration Wizard started working straight away.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp
pix(config-pmap-c)#exit
pix(config-pmap)#exit
Now telnet the cloud server and you should see a correct banner: