Email Address Internationalization (EAI) support in Office 365

Today, Microsoft announced that Office 365 will enable Email Address Internationalization (EAI) support in Q1 2018. This may have important implications for hybrid customers and those organizations involved with mergers and acquisitions. Here is the announcement:

"Out of 7.6 billion people in the world, only 360 million are native English speakers.

Although email has been the earliest and most widely-adopted platform for modern electronic communication, email addresses have only supported a limited subset of Latin characters (mostly due to historical reasons). People who don't read or speak English have been forced to use email addresses containing characters not used in their own language.

Many people have been working together to try to fix this situation. In fact, new email standards to support email address internationalization (RFCs: 6530, 6531,6532, 6533) were published in 2012. However, changes in standards are difficult to implement in the world of technology due to the millions of legacy systems that are still out there.

Microsoft is pleased to announce that we're joining the effort to adopt the new standards. Office 365 will enable Email Address Internationalization (EAI) support in Q1 2018. As a first step, Office 365 users will be able to send messages to and receive messages from internationalized email addresses. Admins can also use internationalized email addresses in other Office 365 features (for example, mail flow rules that look for EAI addresses, or outbound connectors to Internationalized Domain Name (IDN) domains). But please note that this new release will not support adding EAI addresses for Office 365 users, or IDN domains for Office 365 organizations.  We will continue to evaluate these features as the standards are more widely adopted. We will also keep you posted on the plan to release this to Exchange Enterprise version."

As the article mentions, a change like this is difficult to implement due to millions of legacy systems out there - including Exchange Server on-premises, although I wouldn't call that "legacy". It's impossible to say how every email system will handle email addresses with "non-ASCII" character sets, but I suspect many will bounce emails as undeliverable.

Examples of EAI email addresses include:

• Latin alphabet (with diacritics): Pelé@example.com
• Greek alphabet: δοκιμή@παράδειγμα.δοκιμή
• Traditional Chinese characters: 我買@屋企.香港
• Japanese characters: 甲斐@黒川.日本
• Cyrillic characters: чебурашка@ящик-с-апельсинами.рф
• Hindi email address: संपर्क@डाटामेल.भारत

EAI support in Office 365 won’t matter for hybrid customers if Exchange Server on-premises doesn’t support it, since AD on-prem is the source of authority for email addresses. Microsoft says plans are being made to release EAI support for Exchange Server on-premises, but there are no release dates for this yet.

Organizations involved with mergers and acquisitions will need to be aware of EAI email addresses, especially in tenant-to-tenant migrations where EAI addresses are used. For example, if Contoso (an Exchange hybrid organization) acquires Fabrikam (an O365 tenant with EAI addresses), careful planning and reconfiguration of Fabrikam email addresses may be required.

It's also important to note that the EAI RFCs also permit the use of non-ASCII characters in email headers. This may have effects on various SMTP gateways used and may happen even if your own organization doesn't use EAI email addresses. You should ensure that your gateways are always updated. As usual, careful planning and testing is required.

Read more ...

Hub Transport fails when NIC is not set to register in DNS

In a previous post I wrote that email delivery fails after installing Exchange 2016 CU8. Fellow MCSM and MVP Brian Ricks reminded me of an old bug in Exchange Server that causes Hub Transport services to fail if a server is not configured to register this connection's addresses in DNS.

This is the default setting for all Windows servers, but in some cases, it's not appropriate. For example, Edge Transport servers are not domain-joined and will log event ID 8015 - "The system failed to register host (A or AAAA) resource records (RRs) for network adapter with settings: <NIC details>":

The problem is that the Hub Transport service relies on the NIC being configured to register this connection's address in DNS for it to use the Windows Server settings for name resolution. If you uncheck that box to prevent the DNS Client Events warning, Hub Transport no longer uses the Windows DNS settings and doesn't have any name resolution.

The solution is either to check the box to register DNS (which will fail and cause the warning) or manually configure the Transport Service to use specific DNS settings. You can do that with the following cmdlet on the server experiencing mail delivery issues:

Set-TransportService <edgetransportserver> -ExternalDNSServers <external DNS server> -InternalDNSServers <internal DNS server>

You can configure multiple DNS servers by entering them in comma delimited format. For example:

Set-TransportService mailgate -ExternalDNSServers 99.99.99.153, 99.99.99.53 -InternalDNSServers 10.0.0.1, 10.0.0.2

Once configured (either by selecting the DNS registration checkbox or through the cmdlet) you'll need to restart the Microsoft Exchange Transport Service.

Restart-Service MSExchangeTransportService

I don't believe that the Exchange Transport Service should rely on this checkbox being set, so I've filed a bug on this to have the dependency removed or at least document it.

Read more ...

Email delivery fails after installing Exchange 2016 CU8

Please see Hub Transport fails when NIC is not set to register in DNS for an update to this article.

After installing Exchange 2016 CU8 on my Edge Transport server in a hybrid environment, I found that emails from on-prem users could not be delivered to EOP. They would queue with the following error: 

LED=451 4.4.0 DNS query failed. The error was: DNS query failed with error ErrorRetry -> DnsQueryFailed: ErrorRetry

 

For troubleshooting I confirmed that name resolution works from the Edge Transport server using NSLOOKUP. I also was able to connect to the tenant SMTP namespace using Telnet on TCP 25 so I know that name resolution is working fine from the server.

Eventually I found that I had to configure the external DNS server in Set-TransportService and restart the transport service on the Edge Transport server to get emails to deliver.

Set-TransportService <edgetransportserver> -ExternalDNSServers 8.8.8.8 -InternalDNSServers <internal DNS server>

When I revert the change, emails start queuing again. I've reported this as a bug to Microsoft.

Read more ...

Free Exchange Hybrid webinar is now available on-demand!

For those of you who missed my free live webinar, "Exchange Hybrid for the Long Haul - Critical Information to Know" it's now available on-demand, brought to you by Enow Software.

The webinar answered many questions including:

• What is Hybrid Mode and what are its advantages?
• When is it appropriate?
• Is AAD Connect required?
• Which authentication method is preferred?
• How do you optimize your network?

Dozens of additional questions arise when looking at Hybrid environments. If you're currently running a hybrid environment or looking into migrating in the near future, 'Hybrid for the Long Haul' will provide answers, solutions, and countless tips and tricks accumulated over hundreds of deployments. Watch the webinar below:

Read more ...

Secure AAD Connect! New build 1.1.654.0 and AdSyncConfig.psm1 module is available

If you attended my webinar yesterday on "Exchange Hybrid for the Long Haul - Critical Information to Know" you learned how important it is to keep AAD Connect up-to-date.

Yesterday Microsoft released AAD Connect build 1.1.654.0 which addresses a security vulnerability that allows lower level administrators to gain elevated privileges by resetting the password of the on-prem MSOL_xxxxxx account used by AAD Connect for synchronization. To be honest, this is no more risky than allowing junior admins from resetting the password of any highly privileged account or being able to add themselves to a highly privileged group, like Domain or Enterprise Admins. You should always secure and monitor any highly privileged account or group in your organization.

The AAD Connect Version History explains the security issue that build 1.1.654.0 addresses. It also gets the EXPTA award for the most poorly written release notes ever. Spelling errors, grammar errors, syntax errors, oh my. But I digress...

Microsoft also released a PowerShell script (module, really), AdSyncConfig.psm1, which configures the new recommended permissions on the MSOL_xxxxxx account for those organizations who need to secure the account immediately, but can't upgrade to the latest version of AAD Connect at this time. The script is available on the TechNet Gallery.

The AdSyncConfig module is not quite as straight forward as written, though, so I wanted to document here how to use it. The first problem is that the module is not digitally signed. That means that you'll get the warning, "The publisher of AdSyncConfig.psm1 couldn't be verified" when you download it with Internet Explorer. Edge doesn't complain.

It also means that you will probably have to change your execution policy in PowerShell to run it. The recommended execution policy of RemoteSigned will prevent the module from being imported since it's not digitally signed.

If you can't upgrade to the latest build immediately, here are all the correct steps to use the AdSyncConfig.psm1 module to secure the MSOL_xxxxxx account immediately. There is no downtime associated with these steps.

• Download AdSyncConfig.psm1 to your AAD Connect computer and open an elevated PowerShell console.
• Run Get-ExecutionPolicy to view the current policy. Usually it's RemoteSigned or Restricted.
• Run Set-ExecutionPolicy -ExecutionPolicy Unrestricted in order to import the unsigned module.
• Run Import-Module AdSyncConfig.psm1 to import the module.
• Run $Account = Get-ADUser -Filter 'Name -like "msol_*"' to store the account information for the MSOL_xxxxxx account.
• Run Set-ADSyncRestrictedPermissions -ObjectDN $Account.DistinguishedName -Credential (Get-Credential) to reset the permissions on the MSOL account to the new recommended settings. Be sure to use domain\username format. 
• Run Set-ExecutionPolicy -ExecutionPolicy RemoteSigned to reset the execution policy.
• Run Restart-Service adsync to restart the Microsoft Azure AD Sync service.
• Run Start-ADSyncSyncCycle -PolicyType Delta to force a new delta sync and confirm that synchronization is working properly.

Once you install AAD Connect build 1.1.654.0 or run the steps for the module above, you will see that the MSOL_xxxxxx account has updated permissions for SELF.

Read more ...

Join me for an Exchange Hybrid webinar December 12th!

I'll be partnering with my friends at ENow Software for a webinar, "Hybrid for the Long Haul - Critical Information to Know"

Join me and ENow Software on Tuesday, December 12th at 12:00pm PST as we discuss Hybrid deployments, their nuances, and various optimizations during our invite-only Webinar.

• What is Hybrid Mode and what are its advantages?
• When is it appropriate?
• Is AAD Connect required?
• Which authentication method is preferred?
• How do you optimize your network?

Dozens of questions arise when looking at Hybrid environments. If you're currently running a hybrid environment or looking into migrating in the near future, 'Hybrid for the Long Haul' will provide answers, solutions, and countless tips and tricks accumulated over hundreds of deployments.

Register Here

Read more ...

I'll be speaking at IT/Dev Connections!

I'll be presenting at IT/Dev Connections next week in San Francisco. It'll be nice to have a conference near my home town in the Bay Area.

My session is Take Control Authentication in Office 365.

Microsoft offers several ways for users and admins to authenticate easily and securely to Office 365. In this session you will learn about new advances in claims based and pass through authentication, multi-factor auth, and the controls available for each. With that knowledge, you'll be able to decide which authentication method works best for your organization. We'll also discuss architectures for high availability and disaster recovery. Live demos will bring it all together.

I'm excited to do this presentation, as I've been doing more Identity work than Exchange lately. I hope you can attend this session and others at IT/Dev Connections. Connections is a boutique IT conference with lots of face time and conversations with MVPs and other experts in their fields. I hope you can join me there!

Other MVP experts include Tony Redmond, Chris Goosen, Jaap Wesselous, J. Peter Bruzzese, and others.

Read more ...

Azure AD Connect 1.1.647.0 released

Microsoft has released Azure Active Directory Connect build 1.1.647.0. This version includes a number of setup bug fixes around password synchronization and Seamless Single Sign-on. It also fixes an issue with the AD Connector account permissions related to Public Folder sync and help screen rendering on Windows Server 2016.

New features include added logic to simplify the steps required to set up Azure AD Connect with Microsoft Germany Cloud, improved domain-specific information on the Troubleshooting page, improved permissions checking for password hash sync, and fixes an issue related to the use of msDS-ConsistencyGuid as Source Anchor feature for AD FS customers.

In my own testing I found that the setup experience was less than ideal if you currently use or have switched from AD FS. I recently switched from AD FS to using password hash sync. When I manually upgrade from build 1.1.614.0 setup prompts to close the AzureADConnect processes (in my case, there are four of them).

Even though I select to "Close the applications and attempt to restart them" setup is unable to stop them and prompts to restart the computer after installation, but before it runs the AAD Connect upgrade wizard.

I chose "No" to restart later and continued with the upgrade wizard. Something else new is that during the upgrade it asks for by tenant admin credentials. I've reached out to the AAD Connect team about both of these issues, as I think they will both prevent the auto-upgrade process from running properly. They are able to repro the issue when using AD FS or having switched from it.

UPDATE: The AAD Connect team found the root cause for the leaked threads and will fix it in a future update. So for now, you can either chose to close the applications or not and continue the upgrade. Personally, I recommend restarting the AAD Connect server after installation, but I didn't see any problems with AADC after installation. They also say that the prompt for tenant admin creds is an added layer of defense in case somebody unauthorized tries to upgrade the server. In the case of auto-upgrade, we assume we already have the permission from the admin to upgrade whenever a new build is required.

Read the AAD Connect release notes here.

Download Azure AD Connect 1.1.647.0 here.

Read more ...

Important notice for Azure AD Connect customers running on SQL Server

Microsoft updated the AAD Connect release notes with an important warning for customers who use a full SQL Server deployment for Azure AD Connect.

Important
Starting with build 1.1.484, Azure AD Connect introduced a regression bug which requires sysadmin permissions to upgrade the SQL database. This bug is still present in the latest build 1.1.614. If you are upgrading to this build, you will need sysadmin permissions. Dbo permissions are not sufficient. If you attempt to upgrade Azure AD Connect without having sysadmin permissions, the upgrade will fail and Azure AD Connect will no longer function correctly afterwards. Microsoft is aware of this and is working to correct this.

This does not affect customers running localDB instances of SQL. The current version of AAD Connect is 1.1.614.0. 

Customers running SQL Server back ends are currently excluded from automatic upgrades, so it always requires a manual upgrade to a newer version of AAD Connect. That means (for now) you don't need to be worried about an auto-upgrade automatically breaking AAD Connect functionality.

Read more ...

Public service announcement for iOS 11 and Exchange/Windows 2016

Apple is scheduled to release iOS 11 on September 19th for iPhones and iPads. And there was much rejoicing.

But not so fast...

First up, iOS 11 introduces an Exchange ActiveSync error when connecting to an Exchange 2016 running on Windows 2016. iOS 11 improperly negotiates HTTP/2 TLS connections for EAS. See Michael B. Smith's article on this issue and another issue about Intune for more details.

The workaround is to temporarily(!) disable HTTP/2 TLS for Windows 2016 with the following registry keys and then reboot the server:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\HTTP\Parameters

• EnableHTTP2Tls = 0 (REG_DWORD)
• EnableHttp2Cleartext = 0 (REG_DWORD)

Note: This problem only affects Exchange 2016 running on Windows 2016, since HTTP/2 TLS is the default protocol on this OS. Apple has acknowledged the issue with iOS 11 and is working on a fix. There is no estimate of when this will be fixed but it is expected as an iOS 11 update.

-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-

UPDATE: The HEIC file format issue described below may be a non-event. Apple says that iOS will transcode HIEF images and videos to compatible JPEG versions if the receiver cannot indicate it can handle these file types. Transcoding requires a fair amount of compute cycles, which is why HEIF formats are the default on A9+ processor devices. Thanks to @invalidcanary for the heads up.

You should also be aware that the default picture format for iPhone 7/8/X is changing to a new high efficiency image file format (HEIF), called HEIC. With iOS 11, Apple added an option to compress photos and videos with a new, more efficient encoding called HEVC. By default, iOS devices with A9 and newer processors (Apple 7/8/X, iPad Pro and 2017+) will capture images and video using HEVC compression.

The new photo and video formats result in files about 1/2 size of the old JPEG and video formats, while having better quality. The problem is that new files will likely not open properly outside of your iPhone or iPad until everything that you use to work with photos updates to work with new HEIF formats.

To check if your iOS 11 device uses the new format, go to Settings > Camera > Formats. "High Efficiency" is the new format and "Most Compatible" is the old / current format. I do not suggest to just turn this off; Hey - getting files half the size is super cool. Just realize that if you use the photos outside of your phone that there might be temporary issues with viewing.

The file extension used for photos with the new format is ".heic" instead of ".jpg", and videos will use ".hevc" instead of ".mov". Windows and OneDrive do not support the new formats yet. Expect to see that support in future updates. Dropbox does support the new formats and is able to do previews of both.

If you need to convert an HEIC photo, Beamr Imaging offers a free website to convert HEIC photos to JPEGs.

When this sample 1.3MB HEIC photo is converted to JPEG format it becomes 2.3MB.

Special thanks to Nino Bilic at Microsoft (a real gem of a guy) for the heads-up on this and allowing me to share it with you.

Read more ...

Announcing the 10th Annual UC Roundtable at Microsoft Ignite!

I'm pleased to announce the 10th Annual UC Roundtable at Microsoft Ignite 2017 in Orlando!

A one-of-a-kind conference deserves a one-of-a-kind opportunity to network with your peers.

The purpose of the UC Roundtable is to gather Exchange, Office 365, and Skype for Business admins, MCMs, MVPs, Exchange product group members, architects, and experts for a free-flowing discussion about issues, questions, and experiences related to Exchange, Office 365, and Skype for Business. If you work with these technologies you need to be here!

Wednesday, September 27th from 6:00PM to 7:30PM EDT

The UC Roundtable is going old school this year! This will be a no-host event. Order your own beer or a bite to eat before you leave for the evening's parties. Please RSVP to jguillet@expta.com so I can tell them how many people to expect.

We'll be meeting in the outdoor area of Marlow's Tavern at 9101 International Dr, Lower Level -- just a short 10 minute walk from the Ignite convention center.

Download the event to your calendar.

Help spread the word on Twitter and I hope to see you there!

Read more ...

Meet with EXPTA Consulting at Microsoft Ignite

It's less than one week to Microsoft Ignite in Orlando, FL. I hope you’re as excited as I am to attend and hear about all the new hotness that Microsoft plans to deliver. I’ll be speaking Wednesday 12:30-1:45PM at "The Epic Exchange Preferred Architecture Debate" with a panel of experts. I hope to see your there! I’ll also be available throughout the conference for meetings to discuss how I can help you with your current and future IT projects.

Click here to setup a meeting with EXPTA Consulting at Microsoft Ignite

EXPTA Consulting can assist your organization with:

• On-Prem Solutions – Including Exchange and Active Directory health checks, mitigation, and upgrades. We recognize that not all customers can or want to go to the cloud. Let me help you upgrade and make the most of your on-premises solutions, based on my many years’ of experience and best practices. I provide turnkey solutions or I can work with your IT staff and provide training and support.

• Office 365 Solutions – Let EXPTA Consulting help you get the most from Office 365. We can help with data migrations, tenant to tenant migrations, EM+S, interoperability and integration solutions.

• Identity Design and Solutions – Safe, secure, and easy to use Identity management solutions are the key to a successful deployment. I can help design and implement the best identity solutions to meet your organization’s needs. 

Recent EXPTA Consulting customers include an international college Office 365 migration, a large Federal agency identity project, a mid-sized business insurance brokerage Exchange 2016 upgrade, private equity firms, and consulting/hosting providers. Set up a meeting to see how we can help you!

Read more ...

Proud to announce I'll be speaking at Microsoft Ignite!

Come join Ross Smith IV, Lin Chen, Mike Cooper and me at Microsoft Ignite in Orlando for, "The epic Exchange preferred architecture debate" on Wednesday at 12:30pm EDT.



Here, we plan to talk about what is the best, DAS or SAN? Are SSDs on the way in or are slow spindles here to stay? Should you give up and migrate to the cloud? What about virtualization?

Come listen to experts from inside and outside of Microsoft debate the various Exchange architectures that can be deployed on-premises and hybrid.

This is an open panel discussion where you can ask questions and learn about architectures and topologies that defy the preferred architecture, such as some of those listed in the Exchange Solution Reviewed Program (ESRP). We'll discuss the ESRP and it's role in Exchange architecture design.

I'll also be a panelist at the session, "Microsoft Exchange: Through the eyes of MVPs" on Thursday at 4:00pm EDT.

Microsoft says,

"We've assembled an amazing set of Exchange MVP luminaries, representing scores of years of experience, to share their unvarnished truth about all things Exchange. You won't want to miss your chance to ask questions and hear this panel's expert opinions. Hiring this set of experts for 75 minutes would cost you a fortune, but by attending this session, you'll only pay the small fee of having to listen to them occasionally poke fun at Microsoft - and each other."

I hope to see you there!

Read more ...

Be Aware: Your company's AAD Connect may Auto-Upgrade

Azure Active Directory Connect version 1.1.561.0 was just released and it expands the scope by which AAD Connect will automatically upgrade.

AAD Connect automatically checks for new builds ever since version 1.1.105.0, but some previous configurations have been unable to auto-upgrade due to customization. Examples include using a defined service account instead of the default account and AAD Connect staging mode installations, but their are many more new scenarios. Don't be surprised by unexpected upgrades now that this new version has been released.

Read my article, "Understanding Auto-Upgrade Options in Azure AD Connect" to learn the details about how it works and how to control it.

Read more ...

Discontinuation of Session Border Controllers in O365 and Why You Should Care

Microsoft announced today the Discontinuation of support for Session Border Controllers in Exchange Online Unified Messaging. This article is meant to explain what this means and why it's such a big deal.

UPDATES:

• Option 3, using TE-SYSTEMS anynode, is no longer a Microsoft recommended option.

• On April 24th Microsoft extended the date to remove SBCs from Office 365 to April 30, 2019, based on user feedback. This is only an extension. They have no intention of supporting SBCs after that date.

Session Border Controllers (SBCs) are used to route SIP-SIP traffic. They act as two-legged single-purpose firewalls, used only for SIP traffic. SBCs are usually deployed in the DMZ, where one interface faces the internal network (gateway/PBX) and the other faces the Internet (Office 365). They are required for all PBXs except Lync Server and Skype for Business to connect to Office 365 for voicemail or cloud PBX. Two SBCs are required for this communication, one on-prem and another Microsoft-owned SBC in Office 365. ß This is what is being retired.

VOIP gateways are needed when a legacy TDM-based PBX does not speak SIP. They translate TDM (PRI) to SIP. A SIP trunk connects the VOIP gateway to the SBC in DMZ.

Customers have one or more of the following types of telephone systems that link to Office 365 for voicemail:

3rd party TDM-based PBX (analog)
Examples include Avaya, AT&T Merlin, Nortel. Requires a voice gateway and SBS to connect to either Exchange UM or EXO UM.

3rd party IP-based PBX (digital)
Examples include Cisco CallManager. Requires an SBS to connect to either Exchange UM or EXO UM.

Lync Server/Skype for Business
Makes an authenticated federated call to the Lync Online service.

An Office 365 customer must create an IP Gateway in the tenant for SBC connectivity to Office 365. This creates a public DNS entry that looks like [GUID].um.outlook.com that maps to the SBC in Office 365. There will be one for each customer, but all on-prem SBCs connect to the same IP Gateway address, so the actual number of SBCs is really unknown.

UM Gateway in Exchange Server

The number of customers utilizing SBCs to connect to Office 365 may be small according to Microsoft, but these are usually very large customers with many SBCs. Once customers settle on a connectivity solution they continue to invest and expand on it. That's why it's such a big deal, especially for these customers.

According to today's announcement, the Office 365 SBCs are scheduled to be decommissioned in July 2018. If you're one of the customers who rely on SBCs to connect your on-premises PBX to Office 365 for Exchange UM or Azure voicemail, you have till then to make a change. As the article states, you have four options:

• Option 1: Complete migration from 3rd party on-premises PBX to Office 365 Cloud PBX.
• Option 2: Complete migration from 3rd party on-premises PBX to Skype for Business Server Enterprise Voice on-premises.
• Option 3: For customers with a mixed deployment of 3rd party PBX and Skype for Business, connect the PBX to Skype for Business Server using a connector from a Microsoft partner, and continue using Exchange Online UM through that connector. For example, TE-SYSTEMS’ anynode UM connector can be used for that purpose.
• Option 4: For customers with no Skype for Business Server deployment or for whom the solutions above are not appropriate, implement a 3rd party voicemail system.

Options 1, 2, and 4 are pretty well understood, but not trivial. Option 3, the anynode UM connector, requires a bit more explaining.

The anynode Skype for Business Voicemail Connector is a software SIP-to-SIP SBC solution that uses the Microsoft Unified Communications Managed API (UCMA) to communicate directly with Skype for Business Enterprise Voice. It's available from a German software company called TE-SYSTEMS (kind of reminds me of Geomant MWI for Exchange 2007 - anyone remember that?) This is great if your PBX already does SIP, but a number of large customers have analog PBXs in one or more locations. Traditional SBCs can convert analog PSTN calls to SIP using a Voice Gateway feature, and then trunk it over to Skype for Business or Skype for Business Online.

I can understand why Microsoft is discontinuing their SBCs in Office 365. It makes them rely on a third-party system that's sometimes difficult to manage. And after all, Microsoft is in business to sell services like Skype for Business and cloud PBX. But forcing customers to plan for and deploy all-new phone systems, SBC solutions, or voicemail systems in one year is asking a lot. Especially for the size of the customers they're affecting.

So what do you think? Will this tactic make you go "all in" for cloud PBX, as Microsoft hopes, or will it drive you toward one of the other solutions? Either way, you better get started now.

Read more ...

Another Azure AD Connect Update - Version 1.1.558.0

This is the third update in a row where Microsoft published the AAD Connect release notes before the upgrade is publicly available. And if history serves, they'll update the release notes again after the version is released.

If auto upgrade is currently enabled for your version of AAD Connect, don't be too surprised if your version auto upgrades to this version before it becomes publicly available. Microsoft sometimes trial updates some customers ahead of the public release.

Azure AD Connect version 1.1.558.0 continues to fix issues with OU filtering and expands the number of configurations where auto upgrade can be enabled. It's important to note that if your configuration falls under the new configuration requirements, upgrading to this version will enable auto upgrade. If you don't want auto upgrade enabled, you should run the following cmdlet to disable it:

Set-ADSyncAutoUpgrade -AutoUpgradeState disabled

You can always download the latest public release of AAD Connect here.

Read more ...

New article: What to Do When the Office 365 Portal Goes Down

I published a new article to the ENow Exchange & Office 365 Solutions Engine Blog (ESE), "What to Do When the Office 365 Portal Goes Down".

This article talks about recent availability failures in the Office 365 portal and provides direct URL links to Office 365 features and admin portals. Bookmark this page for reference the next time the portal becomes unavailable for your tenant!

Read more ...

Azure AD Connect 1.1.557.0 released

Hot on the heals of AAD Connect 1.1.553.0, Microsoft has released version 1.1.557.0 with an important update for Microsoft Azure AD cloud and Microsoft Cloud Germany customers.

It's important to note that for some reason this version will not be available to customers through the Azure AD Connect Auto Upgrade feature. You will need to download and install this build manually.

New features and improvements

• Password writeback is now available for preview with Microsoft Azure Government cloud and Microsoft Cloud Germany. For more information about Azure AD Connect support for the different service instances, refer to article Azure AD Connect: Special considerations for instances.
• The Initialize-ADSyncDomainJoinedComputerSync cmdlet now has a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the service connection point.

Pass-through Authentication

New features and improvements

• The name of the agent required for Pass-through Authentication has been changed from Microsoft Azure AD Application Proxy Connector to Microsoft Azure AD Connect Authentication Agent.
• Enabling Pass-through Authentication no longer enables Password Hash Synchronization by default.

This update also fixes an issue with the Initialize-ADSyncDomainJoinedComputerSync cmdlet that caused the verified domain configured on the existing service connection point object to be changed even if it is still a valid domain. This affects tenants with more than one verified domain that can be used for configuring the service connection point.

To accommodate this, the Initialize-ADSyncDomainJoinedComputerSync cmdlet now accepts a new optional parameter named AzureADDomain. This parameter lets you specify which verified domain to be used for configuring the service connection point.

It's unclear if this update fixes the previously reported issue that AAD Connect 1.1.553 does not carry forward OU filtering settings during upgrade. Always check your AAD Connect configuration after upgrading.

Reader Andrew Pretty noted that auto update became enabled for him in this build.

I checked mine as well, and sure enough auto update is enabled. In previous builds auto update was not enabled unless you installed AAD Connect with Express settings (no customization whatsoever). I really wish changes like this were put into the release notes. If you want to turn auto update off, run the following cmdlet:

Set-ADSyncAutoUpgrade -AutoUpgradeState disabled

You can download the latest version of Azure Active Directory Connect here.

Read more ...

AAD Connect 1.1.553 does not carry forward OU filtering settings during upgrade

I normally update existing posts with updated information, but thought this was important enough to publish as a new one since so many of my customers use OU filtering with AAD Connect.

Microsoft updated the release notes for Azure Active Directory Connect 1.1.553.0 to include the following known issue:

Known issue

• There is an issue that affects customers who are using OU-based filtering with Azure AD Connect sync. When you navigate to the Domain and OU Filtering page in the Azure AD Connect wizard, the following behavior is expected:
  • If OU-based filtering is enabled, the Sync selected domains and OUs option is selected.
  • Otherwise, the Sync all domains and OUs option is selected.
+

The issue it is that the Sync all domains and OUs option is selected, even if OU-based filtering is enabled. Before saving any synchronization configuration changes in the wizard, make sure the Sync selected domains and OUs option is selected first. Otherwise, OU-based filtering will be disabled.

This only affects customers who use OU filtering in AAD Connect. Customers performing upgrades of AAD Connect (or any software) should always pay attention during the upgrade process and check their settings afterwards. It's expected that settings will carry over, but as you can see above, that's not always the case. Never assume anything.

Read more ...

Congratulations 2017-2018 Microsoft MVP!

I'm pleased to announce that I have been given the Office Servers and Services Microsoft MVP award again for 2017-2018. I have been awarded every year since 2009, so this will be my ninth consecutive year.



The MVP Award is an important recognition to me and I'm very pleased to receive it. It includes several benefits, but the most important one to me are all the interactions with the great product groups at Microsoft. These relationships allow me to reach out to specific product team members to provide feedback and get clarification on product features and behaviors.

It's a mutually beneficial partnership -- under NDA, Microsoft is able to talk with MVPs about product futures, provide access to technology adoption programs (TAPs) to try out new software, and solicit our feedback. As MVPs, we are able to provide important and honest feedback to the product teams about how new features and behaviors will affect our customers, beta test new software and file bug reports, and be advocates for you, the customer.

This also adds value to my IT consulting business, EXPTA Consulting. It's evidence that Microsoft values my technical leadership and real-world experience, which I bring to each and every engagement, and customers know that I provide the best results as their trusted advisor.

I feel great!

Read more ...

Important update for AAD Connect - Version 1.1.553.0

Microsoft released Azure Active Directory Connect version 1.1.553.0 on June 26, 2017. More importantly, they published an important security advisory one day later.

Microsoft Security Advisory 4033453 - Vulnerability in Azure AD Connect Could Allow Elevation of Privilege explains,

The [ADD Connect version 1.1.553.0] update addresses a vulnerability that could allow elevation of privilege if Azure AD Connect Password writeback is misconfigured during enablement. An attacker who successfully exploited this vulnerability could reset passwords and gain unauthorized access to arbitrary on-premises AD privileged user accounts. The issue is addressed in the latest version (1.1.553.0) of Azure AD Connect by not allowing arbitrary password reset to on-premises AD privileged user accounts.

Microsoft highly recommends all customers update to version 1.1.553.0 or later to mitigate this vulnerability, even if you don't use the optional password writeback feature. If you are unable to update immediately, the article above describes mitigation steps you can consider.

• If the AD DS account is a member of one or more on-premises AD privileged groups, consider removing the AD DS account from the groups.
• If an on-premises AD administrator has previously created Control Access Rights on the adminSDHolder object for the AD DS account which permits Reset Password operation, consider removing it.
• It may not always be possible to remove existing permissions granted to the AD DS account (for example, the AD DS account relies on the group membership for permissions required for other features such as Password synchronization or Exchange hybrid writeback). Consider creating a DENY ACE on the adminSDHolder object which disallows the AD DS account with Reset Password permission using Windows DSACLS tool.

DSACLS DNofAdminSDHolderContainer /D CONTOSO\ADDSAccount:CA;"Reset Password"

Besides this important security update, AAD Connect 1.1.553.0 includes several fixes, new features, and improvements both in AAD Connect and AD FS management. Read the Azure AD Connect: Version release history for a complete list.

With Azure AD Connect being such an important part of your cloud connectivity and authentication solution, it's super important to stay on top of any updates.

Read more ...

Fix for Certificate Error in Chrome - NET::ERR_CERT_COMMON_NAME_INVALID

It amuses me when Google dictates security policy.

Beginning with Chrome 58, the Chrome browser no longer uses the Common Name (CN) field to validate an SSL certificate. Instead, it only uses the Subject Alternative Name field.

This is in violation of RFC 2828 which states,

If a subjectAltName extension of type dNSName is present, that MUST be used as the identity. Otherwise, the (most specific) Common Name field in the Subject field of the certificate MUST be used. Although the use of the Common Name is existing practice, it is deprecated and Certification Authorities are encouraged to use the dNSName instead.

So someone in Google security said, "Hey! If RFC 2828 says the Common Name is deprecated, we should start making Chrome ONLY use the Subject Alternative Name! Existing practice, be damned." Never mind the fact that the RFC was written May 2000, and every other browser and app on the planet uses the Common Name field for single-name certificates.

Therein lies the problem. Most single name certificates and some wildcard certificates only have a Common Name and don't have use Subject Alternative Names. This causes Chrome 58 and later to display the following (incorrect) error. It even goes so far as to blame it on a server misconfiguration.

NET::ERR_CERT_COMMON_NAME_INVALID [missing_subjectAltName]

This same website (in this case, OWA) displays properly in all other browsers. If we look at the certificate, we see this is a wildcard cert for *.contoso.com issued by an internal certification authority (CA). The Details tab shows there is no Subject Alternative Name field for this cert.

Wildcard certificate details with only a Common Name (CN) field

To fix the error for your Chrome users, you'll need to regenerate the certificate to include a Subject Alternative Name. Here's how to do that using the Certificates MMC when you have an internal Certification Authority (CA).

From the web server, open MMC and add the Certificates snap-in, managing the Computer account. Then expand Certificates (Local Computer) > Personal > Certificates.

Right-click Certificates > All Tasks > Request New Certificate.

Choose Active Directory Enrollment Policy to use your existing internal CA.

Select the Web Server certificate template and click the link below it to enter more information.

Add the Common Name for the Subject Name, and the DNS name for the Alternative Name. They can be the same value. Chrome 58 and later only uses the DNS alternative name.

Enter a Friendly Name on the General tab.

Optionally, make the private key exportable on the Private Key tab and click OK.

Click Enroll to generate the new cert from the CA and install it on the web server.

The certificate will be installed. Click Details to view the new certificate.

On the Details tab we see the Subject Alternative Name is on the new cert.

Now you'll either need to configure IIS to use the new certificate (Web Site - Bindings) or reconfigure Exchange web services using the Enable-ExchangeCertificate cmdlet.

Read more ...

The Truth About Public Folder Synchronization with Azure Active Directory

AAD Connect version 1.1.524.0 now syncs mail-enabled Public Folders to Azure Active Directory. And there was much rejoicing. "Behold," said hybrid Exchange Server administrators around the world, "I no longer need to manually run the Public Folder synchronization scripts to populate Office 365 with our Public Folders! This great tool does it for me!"

But lo, that is not the case. And there was much gnashing of teeth.

It turns out that AAD Connect 1.1.524.0 only does what the release notes say it does -- it syncs mail-enabled Public Folders with Azure AD. But Exchange Online uses EXODS, Exchange Online Directory Services, which syncs with Azure AD. At this time EXODS still does not sync mail-enabled Public Folders with Azure AD.

What does this all mean? 

Well, it means that if you sync mail-enabled Public Folders to AAD you can finally use Directory Based Edge Blocking (DBEB) in Exchange Online Protection (EOP). That's a big deal. When DBEB is enabled EOP will reject emails addressed to non-valid emails in your tenant, greatly reducing spam and dictionary attacks against your directory. Until now, mail-enabled Public Folders customes couldn't use DBEB because EOP would reject emails to those folders since they weren't synced to AAD. See Office 365 Directory Based Edge Blocking support for on-premises Mail Enabled Public Folders on the Exchange Team Blog for more details.

That's all well and good, but since EXODS doesn't sync mail-enabled Public Folder objects from AAD, you still need to run the Mail-Enabled Public Folders - Directory Sync Script to populate and configure Exchange Online for Public Folders.

Sometimes change comes slowly.

Read more ...

DO NOT Install .NET Framework 4.7 on Exchange Servers

Update 06/15/2017 - The Exchange Team updated their article to say that they are in the process of validating Exchange Server on the .NET Framework 4.7, but the work is not yet complete. They will update the Exchange supportability matrix when .NET Framework 4.7 is supported with certain versions of Exchange Server.

Update 06/13/2017 - The .NET Team published the article, How to temporarily block installation of the .NET Framework 4.7 using a registry key, similar to the one used to block previous versions of .NET. Exchange admins should implement this ASAP.

The Exchange Team also released the article, .NET Framework 4.7 and Exchange Server. It explains that .NET Framework 4.7 is not supported by any version of Exchange Server at this time, and how to remove it if you've already installed it.

Earlier this month the .NET Blog announced that the .NET Framework 4.7 has reached general availability. Do not install this update on your Exchange servers.

Refer to the Exchange Server Supportability Matrix which provides a central source for Microsoft Exchange administrators to easily locate information about the level of support available for any configuration or required component for supported versions of Microsoft Exchange. At this time no versions of Exchange Server support .NET 4.7, although this is subject to change with future cumulative updates. Exchange Server runs on .NET assemblies and changing to an unsupported version may have dire consequences.

According to the Q&A on the blog, .NET 4.7 is expected to be published to Windows Update in less than 3 months. That means without manual intervention you may wake up to find that Exchange is broken. When I asked, the .NET team said that they will provide a way to block .NET 4.7 installation via Windows Update using a registry key.

At this time, the registry key has not been made available. Check back on this blog post for any updates.

If you manually installed .NET 4.7, please refer to my earlier article, "How to Uninstall .NET Framework 4.6.1" for removal instructions. Those same instructions should work.

Read more ...