• The Name on the security certificate is invalid or does not match the name of the site - PART 2

    Once the certificate has been installed it needs to be enabled for the services that will use it. Run the following command to enable it for SMTP and IIS (IIS covers Autodiscover, EWS, OAB, Outlook Anywhere and ActiveSync):

    Enable-ExchangeCertificate -Thumbprint 595EA47CF0C04F64DC3D6D2995F7C4B172CA0F92 -Services "SMTP, IIS"

    Note: The thumbprint must be that of the certificate you have just installed. Get-ExchangeCertificate (the command used in PART 1) prints it as a 40-character hex string with no spaces; the MMC (select the cert, Details tab, Thumbprint field) shows the same value with a space between each byte, and copying from there can pick up an invisible leading character, so paste the value without spaces.

    For each Client Access Server that is installed, a Service Connection Point (SCP) object is created in Active Directory; domain-joined (internal) Outlook clients query these SCP objects to find the Autodiscover URL.

    When I open Outlook I get the following error:-

    image

     

    This is because I'm connecting to services using the NetBIOS name of mbx1, which does not match the name on the certificate. If I run Get-ClientAccessServer -Identity mbx1 | FL I'll see that the AutoDiscoverServiceInternalUri says https://MBX1/Autodiscover/Autodiscover.xml, which does not match the certificate. I can also check the other services and see that I get the same results for OAB, EWS, Outlook Anywhere (OA) and Exchange ActiveSync (EAS). So I need to update all these internal URLs to match the name on the cert.

    • Set-ClientAccessServer -Identity "mbx1" -AutodiscoverServiceInternalURI https://nlb.nwtraders.msft/autodiscover/autodiscover.xml

    • Set-WebServicesVirtualDirectory -Identity "mbx1\EWS (Default Web Site)" -InternalUrl https://nlb.nwtraders.msft/EWS/Exchange.asmx

    • Set-OABVirtualDirectory -Identity "mbx1\OAB (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/OAB

    • Enable-OutlookAnywhere -Server mbx1 -ExternalHostname "nlb.nwtraders.msft" -ClientAuthenticationMethod "NTLM" -SSLOffloading $false
      (the cmdlet asks for -SSLOffloading; it is $false unless the load balancer terminates SSL in front of the CAS)

    • Set-ActiveSyncVirtualDirectory -Identity "mbx1\Microsoft-Server-ActiveSync (Default Web Site)" -InternalURL https://nlb.nwtraders.msft/Microsoft-Server-ActiveSync
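    The script below is an added example written for this page, not code from the original post. It reads the certificate by thumbprint, then compares the host name of every internal client URL on the CAS (plus the Outlook Anywhere external host name) against the names the certificate actually carries, so a mismatch like the MBX1 one above is found before Outlook complains. It assumes the Exchange 2007 SP1 / 2010 Management Shell, the server name mbx1 and the thumbprint from this post; the wildcard handling is an extra for certificates this post does not use.

```powershell
# Added example (not from the original post): check that every internal client URL
# on a CAS uses a host name carried by the enabled certificate. Assumes the Exchange
# 2007 SP1 / 2010 Management Shell and the server and thumbprint from this post.
param(
    [string]$Server     = 'mbx1',
    [string]$Thumbprint = '59 5e a4 7c f0 c0 4f 64 dc 3d 6d 29 95 f7 c4 b1 72 ca 0f 92'
)

# The MMC shows the thumbprint with spaces and copying it often brings along an
# invisible Unicode mark; keep only hex digits so it matches Get-ExchangeCertificate.
function Normalize-Thumbprint([string]$Value) {
    ($Value -replace '[^0-9A-Fa-f]', '').ToUpper()
}

$tp   = Normalize-Thumbprint $Thumbprint
$cert = Get-ExchangeCertificate -Thumbprint $tp -ErrorAction Stop
if ("$($cert.Services)" -notmatch '\bIIS\b') {
    Write-Warning "Certificate $tp is not enabled for IIS; run Enable-ExchangeCertificate -Thumbprint $tp -Services 'SMTP, IIS'"
}

# CertificateDomains is the CN plus any SAN entries, e.g. {nlb.nwtraders.msft}
$names = @($cert.CertificateDomains | ForEach-Object { "$_".ToLower() })

function Test-CertName([string]$Label, [string]$HostName) {
    $h  = $HostName.ToLower()
    $ok = $names -contains $h
    # A wildcard entry covers exactly one extra label (*.example.com matches a.example.com only)
    foreach ($n in $names) {
        if ($n.StartsWith('*.') -and $h -like $n -and $h.Split('.').Count -eq $n.Split('.').Count) { $ok = $true }
    }
    if ($ok) { "OK   {0,-17} {1}" -f $Label, $h }
    else     { "FIX  {0,-17} {1}  (not on certificate; names are: {2})" -f $Label, $h, ($names -join ', ') }
}

function Test-Url([string]$Label, $Url) {
    if (-not $Url) { return ("FIX  {0,-17} <not set>" -f $Label) }
    Test-CertName $Label ([System.Uri]"$Url").Host
}

$cas = Get-ClientAccessServer -Identity $Server
Test-Url 'Autodiscover SCP' $cas.AutoDiscoverServiceInternalUri
Get-WebServicesVirtualDirectory -Server $Server | ForEach-Object { Test-Url 'EWS' $_.InternalUrl }
Get-OABVirtualDirectory        -Server $Server | ForEach-Object { Test-Url 'OAB' $_.InternalUrl }
Get-ActiveSyncVirtualDirectory -Server $Server | ForEach-Object { Test-Url 'EAS' $_.InternalUrl }
$oa = Get-OutlookAnywhere -Server $Server -ErrorAction SilentlyContinue
if ($oa) { Test-CertName 'Outlook Anywhere' "$($oa.ExternalHostname)" }
else     { "INFO Outlook Anywhere  not enabled on $Server" }
```

    Every line marked FIX is a URL that still points at a name (such as the NetBIOS name) that the certificate does not contain, and is the one to correct with the Set-* commands above.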

     

    Note: If your customer does decide to enable Outlook Anywhere externally, the external host name configured for Outlook Anywhere must match the Certificate Principal Name (CPN) on the certificate presented to clients, and it must also match the msstd: value configured in the Outlook profile's proxy settings.

    For a Subject Alternative Name (SAN) certificate to be accepted by clients connecting to Outlook Anywhere where the CPN does not match the msstd: value configured in the Outlook profile (but the host name is listed in the SAN part of the certificate), the following conditions need to be met:-

    • Outlook 2007 or higher
    • Windows Vista SP1

     

    Then when you open Outlook you should no longer get the certificate error!

     

    Written by Daniel Kenyon-Smith

  • Office 365 and Autodiscover

    **This post is based on Exchange 2010 SP1 and does not use the Hybrid Configuration Wizard, which arrived in SP2**

    I've had a few customers in the last few weeks ask me how Autodiscover works for Office 365, so I thought I'd write a post to try and help! (Please see my other post for the namespaces required, as the correct Autodiscover records will need to be created in DNS for on-premise and Office 365.)

    As you probably already know, Exchange 2010 includes the Autodiscover service, which lets an Outlook 2007 or 2010 profile, or a Windows Mobile 6.1 or later device, configure itself automatically. Autodiscover takes the user's e-mail address and password, locates the mailbox and returns the settings the client needs, whether the mailbox is on-premise or in O365 (for more detail on the Autodiscover service please see the white paper published on TechNet).

    On-Premise

    For users whose mailbox resides on-premise to use Autodiscover from the internet, an A (host) record (other options are available, see the white paper) is created in external DNS that points to the externally facing IP address of the published listener, on TMG for example (for more details on publishing Exchange 2010 with UAG and TMG please see the following white paper - http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=8946).

    Office 365

    For users whose mailbox is located in O365, a CNAME record is created for the service namespace office365.company.com that points autodiscover.office365.company.com at autodiscover.outlook.com.

    Example – autodiscover.office365.company.com --> autodiscover.outlook.com

    When an on-premise mailbox is migrated to O365, the on-premise object's TargetAddress attribute is set to an address in the office365.company.com service namespace. When Outlook for that user then attempts Autodiscover, the on-premise Exchange returns a redirect to the TargetAddress; Outlook looks up the Autodiscover service for office365.company.com (which in turn points to O365) and creates the profile. See the diagram below for the process flow.

    Note: when a mailbox is migrated to O365 using rich coexistence there is no Outlook reconfiguration or OST resync required after the move; rich coexistence supports full-fidelity mailbox migrations.
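    As an added example (written for this page, not from the original post), the script below follows the redirect chain described above for one migrated user: it reads the TargetAddress that on-premise Exchange will hand back to Outlook and checks that autodiscover.<that domain> is a CNAME to autodiscover.outlook.com. It assumes the Exchange 2010 Management Shell plus Resolve-DnsName (available on Windows 8 / Server 2012 and later); user@company.com and the host names are placeholders.

```powershell
# Added example (not from the original post): confirm the Autodiscover redirect path
# for a migrated user. Assumes Exchange 2010 shell and Resolve-DnsName (Windows 8 /
# Server 2012 or later). Identity and host names are placeholders.
param(
    [string]$Identity  = 'user@company.com',
    [string]$CloudHost = 'autodiscover.outlook.com'
)

# After a remote move the on-premise object carries the service-namespace
# address as its TargetAddress (shown as ExternalEmailAddress)
$r = Get-Recipient -Identity $Identity -ErrorAction Stop
"Recipient type    : $($r.RecipientTypeDetails)"
if (-not $r.ExternalEmailAddress) {
    Write-Warning "$Identity has no TargetAddress, so on-premise Autodiscover will not redirect it to O365 (not migrated yet?)"
    return
}
$target       = "$($r.ExternalEmailAddress)"          # e.g. SMTP:user@office365.company.com
$targetDomain = ($target -split '@')[-1].ToLower()
"TargetAddress     : $target"

# Outlook reduces the address to its domain and queries autodiscover.<domain>
$autodName = "autodiscover.$targetDomain"
try {
    $cname = Resolve-DnsName -Name $autodName -Type CNAME -ErrorAction Stop |
             Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
} catch {
    Write-Warning "$autodName does not resolve: $($_.Exception.Message)"
    return
}
if (-not $cname) {
    Write-Warning "$autodName exists but is not a CNAME; it should alias $CloudHost"
    return
}
$alias = $cname.NameHost.TrimEnd('.').ToLower()
"Autodiscover CNAME: $autodName -> $alias"
if ($alias -ne $CloudHost) {
    Write-Warning "$autodName should point to $CloudHost; Outlook will not reach the O365 Autodiscover service"
}
```

    Run it against the public resolver your clients use, since an internal split-brain zone can hide a missing external CNAME.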

     

    O365 AutoD

    Written by Daniel Kenyon-Smith

  • Office 365 Migration Issues

    Below is a list of migration issues and resolutions that I captured during my last customer's migration:-

    Flood mitigation on Threat Management Gateway (TMG) causing move-mailbox transient exceptions - http://community.office365.com/en-us/w/exchange/office-365-move-mailbox-fails-with-transient-exception.aspx

     

     

    Issue: The operation couldn't be performed because object couldn't be found on 'xxx.prod.outlook.com'
    Resolution: The object has not been replicated to Office 365. Check the DirSync error logs and the DirSync error e-mails, resolve all of those errors before the user is added to the migration list, and confirm the object has synchronised to O365.

    Issue: A large item was encountered, for example:
        A large item was encountered: Item (IPM.Note) Subject:"4600562666", Size: 42.07 MB (44,113,161 bytes), Folder:"Inbox"
        A large item was encountered: Item (IPM.Note) Subject:"Here's My Card", Size: 42.43 MB (44,493,004 bytes), Folder:"Inbox"
        A large item was encountered: Item (IPM.Note) Subject:"", Size: 48.49 MB (50,848,177 bytes), Folder:"PRIVATE EMAILS"
    Resolution: Find and remove (or export) the large items with one of the tools below, or let the move skip them*:
        PFDAV
        ExMerge - http://support.microsoft.com/kb/328202
        Search-Mailbox (the mailbox needs to be on Exchange 2010) - http://technet.microsoft.com/en-us/library/dd298173.aspx
        To use the -DeleteContent parameter you need the "Mailbox Import Export" role; without it the -DeleteContent parameter is not available on Search-Mailbox.
        Instructions:
        1. Create a new security group (ImportExport in the example below) and add the administrators who need the right.
        2. Enter the following command in the Exchange Management Shell (replace the security group name accordingly):
           New-ManagementRoleAssignment -Name "Import Export Support" -SecurityGroup ImportExport -Role "Mailbox Import Export"
        *See below for the command to skip large items.

    Issue: Domain xxx.co.uk is not an accepted domain for your organization
    Resolution: Remove all SMTP addresses from mailboxes that are not registered in O365 (or register the domain names).

    Issue: Target user already has a primary mailbox. Mailbox already migrated
    Resolution: The user has already been migrated; ensure no users are duplicated in the migration list.

    Issue: The target mail user doesn't have an SMTP address that matches the target delivery domain 'Service.company.com'
    Resolution: Add the target delivery domain SMTP address (Service.company.com) to all mailboxes before migration (and ensure they have synchronised to O365).

    Issue: Warning: Failed to clean up the source mailbox after the move. Error details: MapiExceptionNotFound: Unable to delete mailbox. (hr=0x8004010f, ec=-2147221233)
    Resolution: This occurs when the move cannot clear homeMDB, homeMTA, msExchHomeServerName and msExchMailboxGuid on the source object and set TargetAddress on the source side, which it is supposed to do once the move completes (the attribute flip starts at 95% of the move). Either script the attribute change or apply this hotfix - http://support.microsoft.com/kb/940012

    Issue: Error: This mailbox exceeded the maximum number of large items that were specified for this request. --> MapiExceptionMaxSubmissionExceeded: IExchangeFastTransferEx.TransferBuffer failed (hr=0x80004005, ec=1242)
    Resolution: Pretty much the same issue as the large item count above - http://support.microsoft.com/kb/2584294

    *The command used to skip large and bad items (run from the Exchange Online remote PowerShell session; $cred holds on-premises credentials and the pipeline supplies objects with a UserPrincipalName column, e.g. from Import-Csv):

    $cred = Get-Credential
    Import-Csv .\users.csv | ForEach-Object { New-MoveRequest -Identity $_.UserPrincipalName -Remote -RemoteHostName 'mail.company.com' -RemoteCredential $cred -TargetDeliveryDomain 'service.company.com' -BadItemLimit 50 -LargeItemLimit 40 }

     

    If you receive the following error when trying to migrate to O365, then you will need to check that your EWS endpoint is published correctly:

    The call to 'https://mail.company.com/EWS/mrsproxy.svc' timed out. Error details: The request channel timed out while waiting for a reply after 00:00:00. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout. --> The HTTP request to 'https://mail.company.com/EWS/mrsproxy.svc' has exceeded the allotted timeout of 00:00:00.0010000. The time allotted to this operation may have been a portion of a longer timeout. --> The operation has timed out

    Without stating the obvious, there is a timeout issue! I have seen this before when EWS has not been published correctly to the internet. Ensure that when you connect to https://mail.company.com/EWS/mrsproxy.svc you are prompted for authentication by the Exchange server itself, and that there is no pre-authentication at TMG/UAG, for example. Once EWS is published to the internet correctly you should be able to start migrations to O365!

     

    Written by Daniel Kenyon-Smith

  • Office 365 – Hybrid Configuration Wizard (HCW)

    Whilst working on a few O365 engagements over the last month or so I have seen various issues caused by on-premise infrastructure or setup which have not allowed the HCW (introduced in Exchange 2010 SP2) to complete successfully. These issues range from not correctly publishing Autodiscover to not having the correct patches/updates installed, so I thought I'd share my experiences.

     

    HCW Issues:-

    I have seen the HCW fail on Get-FederationInformation; this can be caused by various things such as:-

    • The customer did not publish the Autodiscover endpoint correctly, so O365 cannot make federated Autodiscover lookups against the on-premise organisation

    • Pre-authentication is enabled on the TMG/ISA or UAG. By connecting to https://autodiscover.company.com/autodiscover/autodiscover.xml, for example, as shown in Figure 1 - Autodiscover pre-auth authenticating - UAG and Figure 2 - Autodiscover pre-auth authenticating - TMG, you can see that UAG/TMG is prompting for pre-auth instead of the authentication prompt coming directly from Exchange, as shown in Figure 3 - No pre-authentication

    clip_image002

    Figure 1 - Autodiscover pre-auth authenticating - UAG

    clip_image004

    Figure 2 - Autodiscover pre-auth authenticating - TMG

    clip_image006

    Figure 3 - No pre-authentication

    • You can also run the command in PowerShell with the -Verbose switch to get more detail, such as Get-FederationInformation …… -Verbose

    • If you are using TMG you can follow this article for configuring TMG with hybrid setups

    • You can also check that Autodiscover and the other O365 endpoints (such as AD FS) have been published and are reachable from the internet using the Exchange Remote Connectivity Analyzer (ExRCA)
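    The probe below is an added example written for this page, not part of the original post. It performs the check described in the pre-authentication bullet above and in the MRSProxy timeout note in the migration post: request the Autodiscover and EWS MRSProxy URLs anonymously from outside and report whether the 401 challenge carries Exchange's Negotiate/NTLM headers or whether TMG/UAG answered with a logon page, redirect or its own Basic challenge. The host names are the placeholders used in these posts; the classification of a Basic-only challenge as proxy-issued is a heuristic, not something the posts state.

```powershell
# Added example (not from the original post): probe published Exchange endpoints and
# report whether authentication is challenged by Exchange or pre-authenticated by a
# reverse proxy (TMG/UAG). Host names are the placeholders used in this post.
param(
    [string[]]$Urls = @(
        'https://autodiscover.company.com/autodiscover/autodiscover.xml',
        'https://mail.company.com/EWS/mrsproxy.svc'
    )
)

function Test-ExchangeEndpoint([string]$Url) {
    $req = [System.Net.HttpWebRequest]::Create($Url)
    $req.Method = 'GET'
    $req.AllowAutoRedirect = $false     # a 302 to a logon page is the symptom; keep it visible
    $req.Timeout = 15000
    try {
        $resp = $req.GetResponse()
    } catch [System.Net.WebException] {
        # 401/403 arrive as exceptions that still carry the response; an untrusted
        # certificate or a closed port gives no response at all
        if (-not $_.Exception.Response) { return "FAIL    $Url  $($_.Exception.Message)" }
        $resp = $_.Exception.Response
    }
    $status = [int]$resp.StatusCode
    $auth   = $resp.Headers['WWW-Authenticate']
    $server = $resp.Headers['Server']
    $resp.Close()

    switch ($status) {
        401 {
            # IIS on the Exchange server offers Negotiate/NTLM (Basic as well on Autodiscover);
            # a Basic-only realm with no Negotiate/NTLM is usually the proxy's own prompt
            if ($auth -match 'Negotiate|NTLM') { "OK      $Url  401 from Exchange ($auth)" }
            else { "CHECK   $Url  401 but challenge looks proxy-issued: '$auth' Server='$server'" }
        }
        { $_ -eq 302 -or $_ -eq 200 } {
            "PREAUTH $Url  $status (logon page or redirect instead of a 401 challenge)"
        }
        default { "CHECK   $Url  unexpected status $status" }
    }
}

$Urls | ForEach-Object { Test-ExchangeEndpoint $_ }
```

    Run it from a machine outside the corporate network (or via the ExRCA) so the request actually traverses the publishing rule; from inside, split DNS will often take you straight to the CAS and hide the problem.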

     

    Another issue I have seen is with certificates. As you run through the HCW, under Manage Hybrid Configuration – Mail Flow Security, you are asked to select the certificate that will be used for TLS mail flow between on-premise and the cloud. If you are using a wildcard cert such as *.company.com then you will need to ensure you are running at least Exchange 2010 SP2 RU1. If you are not running SP2 RU1 then you will most probably see an empty box when you get to the certificate page, as shown in Figure 4 - HCW certificate blank below.

     

    clip_image007

    Figure 4 - HCW certificate blank

    Of course you also need to ensure the certificate has been installed on the Exchange hybrid server(s) via the EMC or PowerShell; you can check using Get-ExchangeCertificate from PowerShell.

     

    Hybrid steps

    Below are the detailed steps that run behind the scenes when you run the hybrid wizard:-

     

    Create Federation Delegation and Organizational Relationships
        Creates a new delegation federation trust to 'Microsoft Federation Gateway'
        Creates new 'On Premises to Exchange Online Organization Relationship'
        Creates new 'Exchange Online to on premises Organization Relationship'
        Enables MRSProxy on the Exchange 2010 hybrid servers
        Configures the 'On Premises to Exchange Online Organization Relationship' to set:-
            MailboxMoveEnabled 'True'
            FreeBusyAccessEnabled 'True'
            FreeBusyAccessLevel 'LimitedDetails'
            ArchiveAccessEnabled 'True'
            MailTipsAccessEnabled 'True'
            MailTipsAccessLevel 'All'
            DeliveryReportEnabled 'True'
            TargetOwaURL 'http://outlook.com/owa/<company.com>'
        Configures the 'Exchange Online to on premises Organization Relationship' to set:-
            FreeBusyAccessEnabled 'True'
            FreeBusyAccessLevel 'LimitedDetails'
            MailTipsAccessEnabled 'True'
            MailTipsAccessLevel 'All'
            DeliveryReportEnabled 'True'

     

    Create Send and Receive Connectors

    The HCW creates a new on-premise Send Connector named 'Outbound to Office 365'; below is the full output for the send connector created by the HCW:-

     

    AddressSpaces                : {smtp:TenantName.mail.onmicrosoft.com;1}
    AuthenticationCredential     :
    Comment                      :
    ConnectedDomains             : {}
    ConnectionInactivityTimeOut  : 00:10:00
    DNSRoutingEnabled            : True
    DomainSecureEnabled          : False
    Enabled                      : True
    ErrorPolicies                : DowngradeAuthFailures
    ForceHELO                    : False
    Fqdn                         : Company.com
    HomeMTA                      : Microsoft MTA
    HomeMtaServerId              : ServerName
    Identity                     : Outbound to Office 365
    IgnoreSTARTTLS               : False
    IsScopedConnector            : False
    IsSmtpConnector              : True
    LinkedReceiveConnector       :
    MaxMessageSize               : 10 MB
    Name                         : Outbound to Office 365
    Port                         : 25
    ProtocolLoggingLevel         : None
    RequireOorg                  : False
    RequireTLS                   : True
    SmartHostAuthMechanism       : None
    SmartHosts                   : {}
    SmartHostsString             :
    SmtpMaxMessagesPerConnection : 20
    SourceIPAddress              : 0.0.0.0
    SourceRoutingGroup           : Exchange Routing Group (DWBGZMFD01QNBJR)
    SourceTransportServers       : {ServerName}
    TlsAuthLevel                 : DomainValidation
    TlsDomain                    : outlook.com
    UseExternalDNSServersEnabled : False

    Note: MaxMessageSize is 10 MB here, the default in Exchange 2007 and 2010; you can increase it up to the 25 MB limit set in the service. RequireTLS 'True' together with TlsAuthLevel 'DomainValidation' and TlsDomain 'outlook.com' means mail to the tenant is only sent over TLS to a server presenting a certificate for outlook.com.

     

     

    The HCW creates a new on-premise Receive Connector 'Inbound from Office 365' on each of the hybrid Hub Transport servers; below is the full output for the receive connector created by the HCW:-

     

    AuthMechanism                           : Tls, Integrated, BasicAuth, BasicAuthRequireTLS
    Banner                                  :
    BinaryMimeEnabled                       : True
    Bindings                                : {LocalIP:25}
    ChunkingEnabled                         : True
    DefaultDomain                           :
    DeliveryStatusNotificationEnabled       : True
    EightBitMimeEnabled                     : True
    BareLinefeedRejectionEnabled            : False
    DomainSecureEnabled                     : False
    EnhancedStatusCodesEnabled              : True
    LongAddressesEnabled                    : False
    OrarEnabled                             : False
    SuppressXAnonymousTls                   : False
    AdvertiseClientSettings                 : False
    Fqdn                                    : Company.com
    Comment                                 :
    Enabled                                 : True
    ConnectionTimeout                       : 00:10:00
    ConnectionInactivityTimeout             : 00:05:00
    MessageRateLimit                        : unlimited
    MessageRateSource                       : IPAddress
    MaxInboundConnection                    : 5000
    MaxInboundConnectionPerSource           : 20
    MaxInboundConnectionPercentagePerSource : 2
    MaxHeaderSize                           : 64 KB (65,536 bytes)
    MaxHopCount                             : 60
    MaxLocalHopCount                        : 12
    MaxLogonFailures                        : 3
    MaxMessageSize                          : 28 MB (29,360,128 bytes)
    MaxProtocolErrors                       : 5
    MaxRecipientsPerMessage                 : 200
    PermissionGroups                        : AnonymousUsers
    PipeliningEnabled                       : True
    ProtocolLoggingLevel                    : None
    RemoteIPRanges                          : {RemoteIP Ranges}
    RequireEHLODomain                       : False
    RequireTLS                              : True
    EnableAuthGSSAPI                        : False
    ExtendedProtectionPolicy                : None
    LiveCredentialEnabled                   : False
    TlsDomainCapabilities                   : {outlook.com:AcceptOorgProtocol}
    Server                                  : LocalServerName
    SizeEnabled                             : Enabled
    TarpitInterval                          : 00:00:05
    MaxAcknowledgementDelay                 : 00:00:30
    AdminDisplayName                        :
    ExchangeVersion                         : 0.1 (8.0.535.0)
    Name                                    : Inbound from Office 365
    DistinguishedName                       : CN=Inbound from Office 365,CN=SMTP Receive Connectors,CN=Protocols,etc…
    Identity                                : LocalServerName\Inbound from Office 365
    Guid                                    : 9feef51e-1bd9-4aa4-9202-0614a1fcc0dd
    ObjectCategory                          : company.com/Configuration/Schema/ms-Exch-Smtp-Receive-Connector
    ObjectClass                             : {top, msExchSmtpReceiveConnector}
    OriginatingServer                       : ServerName
    IsValid                                 : True

    Note: PermissionGroups is AnonymousUsers, so this connector relies on RemoteIPRanges (the service's IP ranges), RequireTLS and the outlook.com TlsDomainCapabilities to accept cross-premises headers only from the tenant; do not widen RemoteIPRanges beyond the published Office 365 ranges.

     

    There are also connectors created in Forefront Online Protection for Exchange (FOPE). The first is called 'Hybrid Mail Flow Inbound Connector' and has the following settings (assuming you are routing mail back on-premise):-

     

    Description: The Hybrid Mail Flow inbound connector was created when hybrid mail flow was configured. This connector cannot be modified.
    Sender Domains: *.*
    Sender IP Addresses
    Transport Layer Security (TLS) Settings: Forced TLS, and certificate matches specified domain

    The recipient certificate matches: mail.company.com

    Filtering Settings: Add these IP addresses to the safelist and only accept mail from these IP addresses for the domains specified above
    IP Reputation Filtering: Disabled
    Spam Filtering: Disabled
    Policy Rules: Disabled

     

    The other connector created in FOPE is called 'Hybrid Mail Flow Outbound Connector' and has the following settings:-

     

    Description: The Hybrid Mail Flow outbound connector was created when hybrid mail flow was configured. This connector cannot be modified.
    Recipient Domains: mail.company.com,*.*
    Message Delivery Settings:

    Fully Qualified Domain Name: mail.company.com

    Transport Layer Security (TLS) Settings: Forced TLS, and certificate matches specified domain

    The recipient certificate matches: mail.company.com

     

    Create Remote Domains
        Creates new Remote Domain 'Hybrid Domain - company.com' set with:-
            TrustedMailInbound 'True'
        Creates new Remote Domain 'Hybrid Domain - TenantName.mail.onmicrosoft.com' set with:-
            TrustedMailOutbound 'True'
            TargetDeliveryDomain 'True'
            AllowedOOFType 'InternalLegacy'
            AutoReplyEnabled 'True'
            AutoForwardEnabled 'True'
            DeliveryReportEnabled 'True'
            DisplaySenderName 'True'
            NDREnabled 'True'
            TNEFEnabled 'True'
        Creates new Remote Domain 'Hybrid Domain - mail.company.com' set with:-
            DomainName 'mail.company.com'
            TrustedMailInbound 'True'

     

    Setup Hybrid Mailflow
        Sets Hybrid Mailflow to:-
            SecureMailEnabled 'True'
            CentralizedTransportEnabled 'True'
            OnPremisesFQDN 'mail.company.com'
            CertificateSubject 'mail.company.com'
            InboundIPs <>
            OutboundDomains <>

     

    Set Address Policies
        Updates the default e-mail address policy ('Default Policy') to add <alias>@TenantName.mail.onmicrosoft.com, the routing address the service delivers to
        Applies the updated policy immediately
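    As an added example (written for this page, not part of the original post), the script below reads back the on-premises objects listed above after the wizard has run and flags any value that differs from what the HCW is meant to set. It assumes the Exchange 2010 SP2 Management Shell on the hybrid server and uses the placeholder names from this post (TenantName, company.com, mail.company.com). The cloud-side objects (the 'Exchange Online to on premises' relationship, the FOPE connectors and the hybrid mail flow settings) live in the tenant and are not read here.

```powershell
# Added example (not from the original post): verify the on-premises objects the HCW
# creates against the values listed above. Run in the Exchange 2010 SP2 shell.
# TenantName, company.com and mail.company.com are the placeholders used in this post.
param(
    [string]$Tenant     = 'TenantName',
    [string]$Domain     = 'company.com',
    [string]$OnPremFqdn = 'mail.company.com'
)
$findings = @()
function Expect([string]$Label, $Actual, $Expected) {
    # Stringify both sides so enums, booleans and multi-valued properties compare alike
    if ("$Actual" -ne "$Expected") {
        $script:findings += ("{0}: is '{1}', expected '{2}'" -f $Label, "$Actual", "$Expected")
    }
}

# Federation trust and the on-premises side of the organization relationship
Expect 'FederationTrust count' @(Get-FederationTrust).Count 1
$rel = Get-OrganizationRelationship | Where-Object { $_.Name -like 'On Premises to Exchange Online*' }
Expect 'OrgRel present'               ([bool]$rel)               $true
Expect 'OrgRel.MailboxMoveEnabled'    $rel.MailboxMoveEnabled    $true
Expect 'OrgRel.FreeBusyAccessLevel'   $rel.FreeBusyAccessLevel   'LimitedDetails'
Expect 'OrgRel.ArchiveAccessEnabled'  $rel.ArchiveAccessEnabled  $true
Expect 'OrgRel.MailTipsAccessLevel'   $rel.MailTipsAccessLevel   'All'
Expect 'OrgRel.DeliveryReportEnabled' $rel.DeliveryReportEnabled $true

# Mail flow: TLS required in both directions and pinned to the outlook.com certificate
$send = Get-SendConnector -Identity 'Outbound to Office 365'
Expect 'Send.AddressSpace' $send.AddressSpaces[0].Address "$Tenant.mail.onmicrosoft.com"
Expect 'Send.RequireTLS'   $send.RequireTLS   $true
Expect 'Send.TlsAuthLevel' $send.TlsAuthLevel 'DomainValidation'
Expect 'Send.TlsDomain'    $send.TlsDomain    'outlook.com'
foreach ($rc in (Get-ReceiveConnector | Where-Object { $_.Name -eq 'Inbound from Office 365' })) {
    Expect "Receive[$($rc.Server)].RequireTLS"            $rc.RequireTLS            $true
    Expect "Receive[$($rc.Server)].TlsDomainCapabilities" $rc.TlsDomainCapabilities 'outlook.com:AcceptOorgProtocol'
    Expect "Receive[$($rc.Server)].PermissionGroups"      $rc.PermissionGroups      'AnonymousUsers'
    if (@($rc.RemoteIPRanges).Count -eq 0) {
        # Anonymous + RequireTLS is only acceptable when scoped to the service's IP ranges
        $findings += "Receive[$($rc.Server)]: RemoteIPRanges is empty"
    }
}

# Remote domains: outbound trust for the tenant routing domain, inbound trust for our own
$tenantRd = Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq "$Tenant.mail.onmicrosoft.com" }
Expect 'RemoteDomain(tenant).TrustedMailOutbound'  $tenantRd.TrustedMailOutbound  $true
Expect 'RemoteDomain(tenant).TargetDeliveryDomain' $tenantRd.TargetDeliveryDomain $true
Expect 'RemoteDomain(tenant).TNEFEnabled'          $tenantRd.TNEFEnabled          $true
foreach ($d in @($Domain, $OnPremFqdn)) {
    $rd = Get-RemoteDomain | Where-Object { "$($_.DomainName)" -eq $d }
    Expect "RemoteDomain($d).TrustedMailInbound" $rd.TrustedMailInbound $true
}

# Address policy: every mailbox needs the routing address the service delivers to
$policy     = Get-EmailAddressPolicy -Identity 'Default Policy'
$hasRouting = $policy.EnabledEmailAddressTemplates | Where-Object { "$_" -like "*@$Tenant.mail.onmicrosoft.com" }
Expect 'Default Policy has onmicrosoft.com template' ([bool]$hasRouting) $true

if ($findings.Count) { $findings } else { 'All checked HCW settings match the expected values' }
```

    Anything reported here after a "successful" wizard run usually means the HCW was re-run against a partially configured environment or someone edited a connector by hand; fix the object rather than re-running the wizard blind.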

     

     

    Written by Daniel Kenyon-Smith

  • The Name on the security certificate is invalid or does not match the name of the site - PART 1

    Whilst building a test environment for a customer I came across the error 'The name on the security certificate is invalid or does not match the name of the site', so thought I'd write up how I resolved it.

    The environment was Exchange 2007 SP1 and I was configuring certificates and Outlook Anywhere. For the purposes of the lab I was using an internal certificate authority, but in live the customer is going to use 3rd-party certs on the Exchange servers, not an internal PKI. The goal here was to try and reduce the number of names in the certificate due to cost.

     

    The first thing to do was to generate the certificate request.

     

    The certificate I created didn't have any names in the SAN field; it carries only the common name (CN). Here's an example of the command I ran:-

    New-ExchangeCertificate -GenerateRequest -Path c:\CompanyA.csr -KeySize 2048 -SubjectName "c=GB, s=London, l=London, o=Nwtraders, cn=nlb.nwtraders.msft" -PrivateKeyExportable $True

    This generated the .csr file, which I then submitted to the internal PKI certificate authority (note that in live the cert would be issued by a 3rd-party certificate authority).

    In order to generate the cert I connected to the PKI server's web enrolment page as shown below

    image

    Then selected request a certificate

    image

    Then selected Advanced certificate request

    image

    Then selected Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.

    I then pasted the certificate request I generated earlier (C:\CompanyA.csr) into the field shown below, selected Web Server under Certificate Template and clicked Submit

    image

    Then selected Download certificate

    image

    Then downloaded the .cer file and imported it into the local certificate store by running the following PowerShell command (a .cer carries no private key, so no password is needed; the import completes the pending request whose private key is already on this server):-

    Import-ExchangeCertificate -Path c:\certnew.cer

    Note: C:\certnew.cer is the cert that we have just downloaded in the previous steps
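    Before importing, it is worth checking that the CA issued what was requested. The script below is an added example written for this page (not from the original post): it loads the downloaded .cer, prints the subject CN, any SAN entries, key size, validity and thumbprint, and warns if the name the clients will use is not on the certificate. It assumes the file path from this post and that nlb.nwtraders.msft is the intended name; the SAN parsing relies on the English wording of the extension's Format() output.

```powershell
# Added example (not from the original post): inspect the certificate returned by the
# CA before importing it, so the name, SAN list and key size match what was requested.
# Assumes the .cer path from this post and the NLB name used throughout it.
param(
    [string]$CerPath    = 'C:\certnew.cer',
    [string]$ExpectedCn = 'nlb.nwtraders.msft'
)
Add-Type -AssemblyName System.Security
$cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

# Subject CN on its own, without the O/L/S/C components
$cn = $cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false)

# SAN entries live in the extension with OID 2.5.29.17; Format($false) renders them as
# "DNS Name=host1, DNS Name=host2" on English Windows, so parse loosely on ',' and '='
$sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$san = @()
if ($sanExt) {
    $san = @($sanExt.Format($false) -split ',\s*' | ForEach-Object { ($_ -split '=')[-1].Trim().ToLower() })
}

$keySize = $cert.PublicKey.Key.KeySize
"Subject CN : $cn"
"SAN names  : " + $(if ($san.Count) { $san -join ', ' } else { '<none - only the CN will match>' })
"Key size   : $keySize bits"
"Valid      : $($cert.NotBefore) to $($cert.NotAfter)"
"Thumbprint : $($cert.Thumbprint)"      # same 40-hex form Get-ExchangeCertificate prints
"Issuer     : $($cert.Issuer)"

# The client-facing name must be the CN or a SAN entry, or Outlook will show the name error
if ($cn.ToLower() -ne $ExpectedCn.ToLower() -and -not ($san -contains $ExpectedCn.ToLower())) {
    Write-Warning "Neither the CN nor a SAN entry is '$ExpectedCn'; clients using that name will get the certificate-name error"
}
if ($keySize -lt 2048) { Write-Warning "Key is only $keySize bits; the request asked for 2048" }
if ($cert.NotAfter -lt (Get-Date)) { Write-Warning 'Certificate has already expired' }
```

    If the CA has rewritten the subject or dropped the requested key size, fix the template on the CA and resubmit the request rather than importing a certificate that will not match the names Exchange is configured with.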

    You can verify the cert has been installed in two ways. First, run the following Exchange PowerShell command to list the certificates installed on that server:-

    Get-ExchangeCertificate | FL

    Output from the command for the cert I just installed:-

    AccessRules        : {System.Security.AccessControl.CryptoKeyAccessRule, System
                         .Security.AccessControl.CryptoKeyAccessRule, System.Securi
                         ty.AccessControl.CryptoKeyAccessRule}
    CertificateDomains : {nlb.nwtraders.msft}
    HasPrivateKey      : True
    IsSelfSigned       : False
    Issuer             : CN=nwtraders-WIN-63IFOLRGUIP-CA, DC=nwtraders, DC=msft
    NotAfter           : 04/05/2012 11:40:33
    NotBefore          : 05/05/2010 11:40:33
    PublicKeySize      : 2048
    RootCAType         : Registry
    SerialNumber       : 6175BFDA000000000007
    Services           : IMAP, POP, IIS, SMTP
    Status             : Valid
    Subject            : CN=nlb.nwtraders.msft, OU=nwtraders, O=nwtraders, L=nwtrad
                         ers, S=UK, C=GB
    Thumbprint         : 595EA47CF0C04F64DC3D6D2995F7C4B172CA0F92

    The second way is to open the Certificates MMC snap-in for the local computer store

    image

    See PART 2 for enabling the cert and configuring Exchange to use the CN from the certificate you have generated

    Written by Daniel Kenyon-Smith