Wednesday, July 15, 2015

Creating Shared Mailbox in a Hybrid Deployment

The first thing to be aware of when creating shared mailboxes in a hybrid deployment is security. Sharing mailboxes between on-premises and O365 is not supported. So, if a group of people need to share a mailbox then their mailboxes all need to be on-premises or all in O365.

On-Premises Shared Mailboxes

Creating an on-premises shared mailbox is pretty straightforward. Create the shared mailbox in the on-premises Exchange organization and it all works.

In Exchange 2013, shared mailboxes are explicitly listed as a recipient type in the Exchange admin center (EAC). You can create and manage the shared mailboxes there.

In Exchange 2010, shared mailboxes are not part of the Exchange Management Console (EMC). You need to create the shared mailbox by using the New-Mailbox cmdlet in the Exchange Management Shell (EMS). For example:
New-Mailbox HelpDesk -shared -UserPrincipalName
After creating the shared mailbox in Exchange 2010, you need to give users permission to access it. Assign Full Mailbox permissions to let users manage the contents of the mailbox. You may also want to give SendAs permissions depending on your scenario.

Office 365 Shared Mailboxes

In Office 365, the web-based management interface provides the same option to create shared mailboxes as Exchange 2013 does. However, in a hybrid environment, you can't create the shared mailboxes directly in Office 365.

If you create the shared mailbox directly in Office 365, there is no reference to it in the on-premises Active Directory. This prevents Outlook from properly adding the shared mailbox because autodiscover does not work properly. In a hybrid environment, autodiscover is directed to the on-premises Exchange organization, which can't direct Outlook to the correct location of the shared mailbox because the on-premises AD holds no information about it.

In a hybrid environment, you should perform the following steps instead:
  1. Create a Remote Mailbox in Office 365 from the on-premises Exchange organization.
  2. Run Dirsync (or wait for several hours).
  3. In Office 365, convert the mailbox to a shared mailbox. Available when the recipient is selected as seen in the screenshot to the right.
  4. In Office 365, configure Full Access and SendAs permissions to the shared mailbox as required.
It's a bit more of a hassle to create a shared mailbox in Office 365 for a hybrid environment, but it does work!
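The four steps above in PowerShell, as an added example that is not from the original post. The mailbox name, UPN, routing address and member addresses are constructed placeholders; step 1 runs in the on-premises Exchange Management Shell, and steps 3 and 4 run in an Exchange Online remote PowerShell session.

```powershell
# ---- Step 1: on-premises Exchange Management Shell ----
# Constructed placeholder values; replace with your own.
$Name       = 'HelpDesk'
$Upn        = 'helpdesk@contoso.example'
$RemoteAddr = 'helpdesk@contoso.mail.onmicrosoft.example'
$Password   = Read-Host 'Initial password' -AsSecureString   # prompt, never hard-code

New-RemoteMailbox -Name $Name -UserPrincipalName $Upn `
    -Password $Password -RemoteRoutingAddress $RemoteAddr

# ---- Step 2: run Dirsync (or wait) before continuing ----

# ---- Steps 3-4: Exchange Online remote PowerShell session ----
# Variables do not carry over between sessions, so declare them again.
$Upn     = 'helpdesk@contoso.example'
$Members = 'alice@contoso.example', 'bob@contoso.example'    # constructed users

# Stop early if directory synchronization has not delivered the mailbox yet.
if (-not (Get-Mailbox -Identity $Upn -ErrorAction SilentlyContinue)) {
    throw "Mailbox $Upn not found in Office 365; synchronization is not complete."
}

Set-Mailbox -Identity $Upn -Type Shared

foreach ($User in $Members) {
    # Full Access lets the user open and manage the mailbox contents.
    Add-MailboxPermission -Identity $Upn -User $User `
        -AccessRights FullAccess -InheritanceType All
    # SendAs is separate; grant it only where the scenario requires it.
    Add-RecipientPermission -Identity $Upn -Trustee $User `
        -AccessRights SendAs -Confirm:$false
}

# Review the explicit grants so the access list matches what was intended.
Get-MailboxPermission -Identity $Upn |
    Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\*' } |
    Select-Object User, AccessRights
Get-RecipientPermission -Identity $Upn |
    Where-Object { $_.Trustee -notlike 'NT AUTHORITY\*' } |
    Select-Object Trustee, AccessRights
```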

When you create the shared mailbox directly in Office 365, you'll see the following symptoms:
  • Shared mailboxes are not automatically added to Outlook.
  • If you attempt to add the shared mailbox to Outlook manually in the properties of the Exchange account, then Outlook will continually prompt for credentials and hang.

Tuesday, July 7, 2015

Script for Exchange 2013 Message Tracking

Exchange Server 2010 had a graphical utility for analyzing message tracking logs. Unfortunately, this tool was removed from Exchange Server 2013. Instead, in Exchange Server 2013, you have only the Get-MessageTrackingLog cmdlet.

The Get-MessageTrackingLog cmdlet is a pain in the butt for a few reasons:
  • You need to memorize the syntax. Most of it is pretty straightforward, but you need to remember the correct parameters for searching by sender, recipient, or subject.
  • It only searches the local server by default. Without specifying servers, it only searches the local Exchange server that you're running the tool on. In a lot of cases, you need to see information from all your servers to track it down.
While working on a message delivery problem this week, I wrote up a short script to help with simple message tracking based on time, sender, recipient, or message subject. The script is as follows:
 # Show the current date/time so the expected input format is visible
 Write-Host "Current Date/Time: $(Get-Date)"
 $StartTime = Read-Host "Start time for search"
 $EndTime = Read-Host "End time for search"
 $SearchType = Read-Host "Search for (S)ender, (R)ecipient, (M)essage subject, or display (A)ll"
 # Each branch queries every server that holds tracking logs and shows the results in a grid
 Switch ($SearchType) {
   'S' {
            $Sender = Read-Host "Sender"
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Sender $Sender | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }
   'R' {
            $Recipient = Read-Host "Recipient"
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -Recipient $Recipient | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }
   'M' {
            $MessageSubject = Read-Host "Message subject (performs partial matches)"
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime -MessageSubject $MessageSubject | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }
   'A' {
            Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true} | Get-MessageTrackingLog -Start $StartTime -End $EndTime | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Sender,Recipients,MessageSubject | Out-GridView }
   default {Write-Host "Invalid Option - Run Script Again"}
 }
Here is how the script works:
  1. The current date/time are displayed. This shows you the date/time syntax to use for entering time in the next steps.
  2. You are prompted for the time to start searching the logs.
  3. You are prompted for the time to stop searching the logs.
  4. You are prompted for the type of search you want to do: sender, recipient, message subject, or display all.
  5. The switch command uses the $SearchType variable to run a specific code block. The command varies depending on the option, but in general, it prompts for the required information and then runs the query based on it.
  6. Results are displayed by using Out-GridView. This allows you to sort based on columns.


  • This code is used to identify and generate a list of all Exchange servers with message tracking logs which is then piped to the Get-MessageTrackingLog cmdlet.
    Get-ExchangeServer | where {$_.isHubTransportServer -eq $true -or $_.isMailboxServer -eq $true}  
  • When you search by message subject, it returns all results that include the snippet of text. This can sometimes make it hard to track down the specific message that you're looking for. For example, searching for "text" will include messages with "text" in the subject, but also "context", "textbook", etc.
  • Only 1000 results are returned by the Get-MessageTrackingLog cmdlet. It's possible to override this, but if your query is returning more than 1000 results, you should probably be refining your query.
  • Times from Exchange 2007 servers seem off. I was testing in a Mixed 2013 and 2007 environment and the content coming back from the 2007 environment had timestamps outside the range I queried. I have not yet had time to investigate, but be aware of this when sorting results based on time.
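A non-interactive variant that addresses the partial-match and result-limit notes above, as an added example that is not part of the original post. The function name Search-TrackingLog and its parameters are hypothetical; it uses the same server filter as the script and the ResultSize parameter of Get-MessageTrackingLog.

```powershell
# Added example: hypothetical helper, not the original author's script.
function Search-TrackingLog {
    [CmdletBinding()]
    param(
        # Typing as [datetime] rejects malformed times before any server is queried
        [Parameter(Mandatory = $true)][datetime]$Start,
        [Parameter(Mandatory = $true)][datetime]$End,
        [string]$Sender,
        [string]$Recipient,
        [string]$MessageSubject,
        [switch]$ExactSubject,                          # drop partial subject matches
        [ValidateRange(1, 100000)][int]$ResultSize = 1000
    )
    if ($End -le $Start) { throw 'End must be later than Start.' }

    # Build the parameter set once instead of repeating the pipeline per search type
    $query = @{ Start = $Start; End = $End; ResultSize = $ResultSize }
    if ($Sender)         { $query.Sender         = $Sender }
    if ($Recipient)      { $query.Recipients     = $Recipient }
    if ($MessageSubject) { $query.MessageSubject = $MessageSubject }

    # Same server selection as the script above
    $results = Get-ExchangeServer |
        Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
        Get-MessageTrackingLog @query

    # The cmdlet matches substrings ("text" also returns "context");
    # keep only whole-subject matches when asked (comparison is case-insensitive)
    if ($ExactSubject -and $MessageSubject) {
        $results = $results | Where-Object { $_.MessageSubject -eq $MessageSubject }
    }

    $results | Sort-Object Timestamp |
        Select-Object Timestamp, ServerHostname, ClientHostname, Source,
                      EventId, Sender, Recipients, MessageSubject
}

# Constructed usage: last four hours, exact subject, shown in a sortable grid
# Search-TrackingLog -Start (Get-Date).AddHours(-4) -End (Get-Date) `
#     -MessageSubject 'text' -ExactSubject | Out-GridView
```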

Thursday, June 18, 2015

KB 3062157 Breaks Single Role Exchange 2013 Servers

It appears that there may be problems, in at least some cases, when you apply KB 3062157 to servers running Exchange Server 2013 SP1 or later. It will break web services such as OWA, ActiveSync, EWS, and ECP. The KB is meant to address vulnerabilities described in Microsoft Security bulletin MS15-064.

The good news is that this problem appears to affect only single role servers and not multi-role servers. Since most deployments have multi-role servers, that will limit the impact.

If you deploy this update and experience problems, removing the update should resolve the issue and get the server functional again.

This update is also included as part of CU9 and doesn't appear to have the same issues when installed as part of CU9. A commenter on the blog below had problems with KB3062157, uninstalled that update, and installed CU9 without issue.

Tuesday, June 2, 2015

Automatic Activation for Hyper-V VMs

When you use Windows Server 2012 R2 Datacenter Edition as the host operating system for Hyper-V, you can implement an unlimited number of virtual machines using that same license. This means that you can buy a single Windows Server 2012 R2 Datacenter Edition license for a single physical server and run an unlimited number of guests using Windows Server 2012 R2 as the operating system.

If you have multiple Hyper-V hosts, it can be a pain to keep track of the Windows Server 2012 R2 keys for the guest VMs. Instead of using typical activation methods, you can use Automatic Virtual Machine Activation (AVMA).

AVMA activates a guest VM against the Hyper-V host instead of typical Microsoft activation methods. This means that the VM can be completely isolated without access to the Internet or other network and still be activated.

You can use AVMA with guest VMs running:
  • Windows Server 2012 R2 Essentials
  • Windows Server 2012 R2 Standard
  • Windows Server 2012 R2 Datacenter

For each guest operating system, you enter a generic AVMA license key. The generic license keys are:
  • Datacenter - Y4TGP-NPTV9-HTC2H-7MGQ3-DV4TW
  • Standard - DBGBW-NPF86-BJVTX-K3WKJ-MTB6V
  • Essentials - K2XGM-NMBT3-2R6Q8-WF2FK-P36R2
To enter the generic AVMA key, you can use any method that you typically use to enter a license key. During installation, you can use an unattend.xml file. After installation, you can run the following command:
slmgr /ipk AVMAlicensekey
To monitor AVMA licensing requests on the Hyper-V host, look for Event ID 12310. On the guest VMs look for Event ID 12309.

Wednesday, May 27, 2015

Perc H700 Connector Confusion

Throwing this one out there in case anyone hits a similar issue. This one confused the heck out of me but was simple in the end.

We have a customer with a Dell T310 server with an H200 RAID adapter. The performance on the H200 is pretty poor. In part because the drive cache is disabled by default. But, search around and you'll see no one has much nice to say about the H200.

To improve performance for this server, we ordered an H700i card from Dell. We ordered from Dell rather than aftermarket to avoid issues with compatibility. And so that it would be supported.

There are several sets of instructions out there for doing this upgrade. Here is the one I thought was the best:
We went through the guide, installed the card, installed drivers, and then went to connect the drive backplane to the card. Uh oh, wrong connector type.

You can see above that the new card has a two prong connector that does not match the mini SAS connector (shown below) of the cables that shipped with the card. The cable already in the server also had this type of connector.

While I'm comfortable with server hardware, I'm by no means an expert on all different connection types. So, at this point I assume that there is a connector type that I'm unaware of and we need either a different card or different cables.

My rep confirmed that this is in fact the correct card. Next step is calling support. I sent the pictures to support and he wasn't sure what was up either. While on the phone as the support rep was searching, I tried searching for SAS connector types and nothing matched what I was seeing on the card. It wasn't making sense. This can't possibly be correct.

At this point, I tried gently pulling on the plastic part of the connector and it came out (see below). The plastic was a spacer put in the connector for shipping. After removing the plastic plug the connector fit the cable properly. It seems obvious in retrospect, but it didn't at the time.

One final note about this card. We ordered the model with 1 GB non-volatile RAM. I assumed that this meant no battery was required. In fact the card uses DRAM for operations because it is faster than NVRAM. The battery is still required to move data from DRAM to NVRAM when a power outage occurs.

Wednesday, May 20, 2015

Another Plug: Microsoft Virtualization/VDI Book

A brief plug for the latest book writing project that I've completed.

Brian Svidergol and I have completed Virtualizing Desktops and Apps with Windows Server 2012 R2 Inside Out. Here's a quick synopsis of the book.

First, I want to be clear that this book is about planning and implementing virtualization technologies. It's not just an overview. Much of the content is similar to what's in Microsoft Course 20694 which I was also a co-author on.

This book starts with an overview of Microsoft virtualization technologies. For many of you, this is just review, but if you haven't seen the full range of technologies, then this is useful. It also highlights when you would use each of the virtualization technologies.

The first set of virtualization technologies we explore in detail are for user state virtualization: basically, technologies that support roaming. The newest of these from the Microsoft Desktop Optimization Pack (MDOP) is User Experience Virtualization (UE-V). Older technologies like roaming user profiles and credential roaming are also covered.

We also cover Client Hyper-V in this book because some people will use it to run apps in isolation for either testing or compatibility reasons. It also provides a good base of knowledge to understand the virtual machine-based (VM-based) VDI content later in the book.

There are four chapters on implementing and using App-V. This book covers installation, management, and sequencing applications. If you want to learn about using App-V in your organization this is a great resource.

The last five chapters are about implementing Remote Desktop Services (RDS) for virtual desktops. This includes the components you expect for session-based remote desktops with RD Session Hosts (formerly terminal servers), RemoteApp programs, RD Gateway for remote access, RD Connection Broker, and RD Licensing. We cover high availability for all of these components.

Also included in the RDS content is VM-based virtual desktops that are implemented by using Hyper-V servers. Personal virtual desktops are a VM for which a user has exclusive access and it retains state between sessions. Pooled virtual desktops are a set of VMs which are shared between users and don't retain state between sessions. Management considerations for both are discussed.


Free Windows 10 ebook for IT Pro

Microsoft typically releases some free ebooks when new versions of Windows come out. For the most part, they tend to be a high level overview of the new features. So, they won't help you implement much, but they will let you know what's possible.

True to pattern, they have released a new free ebook for Windows 10. You can get it here.

I've downloaded this book, but haven't had a chance to read it yet. I'll update with a synopsis later on.