• The msExchInternalTLSCert attribute

    Have you ever wondered where Exchange looks to find the certificate for inbound and outbound TLS for the SMTP service?

    Well, it’s actually documented in detail here and here. The TechNet articles explain that running Enable-ExchangeCertificate for the SMTP service stamps the msExchServerInternalTLSCert attribute on the transport server object in AD with the certificate whose thumbprint you specify in the command.

    But what happens if you run Enable-ExchangeCertificate and choose not to overwrite the existing certificate for SMTP?

    If you check the certificate list now, you’ll notice two certificates; both are valid, and apparently both are assigned to SMTP (which isn't really the case, but the output seems to confuse a lot of people). So which one will Exchange use, given that I didn’t overwrite the current certificate?

    Luckily we know from the TechNet articles that Exchange queries AD and matches the thumbprint stored in the msExchServerInternalTLSCert attribute during the certificate selection process. So, how can I quickly check which one of the certificates is actually being used?

    Import-Module ActiveDirectory
    # All transport servers in the organization
    $transportServers = Get-TransportServer | Select-Object -ExpandProperty Name
    # The Exchange server objects live in the forest-wide configuration partition
    $forest = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.ToString()
    $searchbase = "CN=Configuration,DC=" + ($forest).Replace('.', ',DC=')
    $results = @()
    foreach ($transportServer in $transportServers)
    {
        # msExchServerInternalTLSCert holds the DER-encoded certificate; cast it to X509Certificate2 and read the thumbprint
        $CertThumbPrint = Get-ADObject -Filter "ObjectClass -eq 'msExchExchangeServer' -and name -eq '$transportServer'" -Properties msExchServerInternalTLSCert -SearchBase $searchbase -Server $forest |
            ForEach-Object { [Security.Cryptography.X509Certificates.X509Certificate2]$_.msExchServerInternalTLSCert } |
            Select-Object -ExpandProperty Thumbprint
        $obj = New-Object PSObject -Property @{ "TransportServer" = $transportServer; "SMTPCertificate" = $CertThumbPrint }
        $results += $obj
    }
    $results | Select-Object TransportServer, SMTPCertificate
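    To go one step further than the listing above, here is an added example (my own code, not the script from the original post) that takes the thumbprint from msExchServerInternalTLSCert on each transport server object and cross-checks it against Get-ExchangeCertificate on that server. That way you can see whether the certificate Exchange will actually pick for SMTP is present on the server, is enabled for the SMTP service there, and is not expired or about to expire. The function name, the 30-day warning window and the Problems column are my own choices; like the original it assumes the Exchange Management Shell and the ActiveDirectory module are loaded.

```powershell
# Added example: report which certificate each transport server will use for SMTP TLS
# (the thumbprint stamped in msExchServerInternalTLSCert) and whether that certificate
# is present, SMTP-enabled and still valid on the server itself. Not the post's own script.
Import-Module ActiveDirectory

function Get-SmtpTlsCertificateReport {
    param(
        # Transport servers to check; defaults to every transport server in the org
        [string[]]$Server = (Get-TransportServer | Select-Object -ExpandProperty Name),
        # Flag certificates expiring within this many days (30 is an assumed default)
        [int]$WarnDays = 30
    )

    # The Exchange server objects live in the forest-wide configuration partition
    $forest     = [System.DirectoryServices.ActiveDirectory.Domain]::GetComputerDomain().Forest.ToString()
    $searchBase = 'CN=Configuration,DC=' + $forest.Replace('.', ',DC=')

    foreach ($name in $Server) {
        $adObject = Get-ADObject -Filter "ObjectClass -eq 'msExchExchangeServer' -and name -eq '$name'" `
                                 -SearchBase $searchBase -Server $forest `
                                 -Properties msExchServerInternalTLSCert

        $adCert    = $null
        $localCert = $null
        $problems  = @()

        if ($adObject -and $adObject.msExchServerInternalTLSCert) {
            # The attribute holds the DER-encoded certificate, so the cast gives us the full object
            $adCert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$adObject.msExchServerInternalTLSCert

            # Does the server itself still have that certificate, and is SMTP enabled on it?
            $localCert = Get-ExchangeCertificate -Server $name -Thumbprint $adCert.Thumbprint -ErrorAction SilentlyContinue
            if (-not $localCert) {
                $problems += 'thumbprint in AD not found in the server certificate store'
            }
            elseif ("$($localCert.Services)" -notmatch 'SMTP') {
                $problems += 'certificate is not enabled for the SMTP service locally'
            }

            if ($adCert.NotAfter -lt (Get-Date)) {
                $problems += "expired on $($adCert.NotAfter.ToString('yyyy-MM-dd'))"
            }
            elseif ($adCert.NotAfter -lt (Get-Date).AddDays($WarnDays)) {
                $problems += "expires on $($adCert.NotAfter.ToString('yyyy-MM-dd'))"
            }
        }
        else {
            $problems += 'msExchServerInternalTLSCert is empty or the server object was not found'
        }

        [pscustomobject]@{
            TransportServer = $name
            SMTPCertificate = if ($adCert) { $adCert.Thumbprint } else { $null }
            Subject         = if ($adCert) { $adCert.Subject } else { $null }
            NotAfter        = if ($adCert) { $adCert.NotAfter } else { $null }
            Problems        = if ($problems) { $problems -join '; ' } else { 'none' }
        }
    }
}

# Example usage: one row per transport server, with anything that needs attention in Problems
Get-SmtpTlsCertificateReport | Format-Table -AutoSize
```

    A row whose Problems column says the AD thumbprint is not in the local store is exactly the situation the post describes from the other side: the certificate list on the server and the attribute in AD have drifted apart, and the attribute is the one Exchange trusts.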

    Michael Hall
    Service Engineer
    Office 365

  • EHLO PelNet

    If you've been following the Exchange Team blog you'd know that I released version 2.0 of PelNet recently.

    I thought I’d share some info on my blog to cover some of the benefits in using this tool for any Exchange environment. 

    PelNet v2.0 has been updated to optimize execution time in large environments and the new code will allow an administrator to test SMTP against a large list of transport servers to multiple smarthosts in a matter of minutes. 

    In the Exchange Online Dedicated environment I’m able to validate transport on 1000s of transport servers in a matter of minutes. This increases the efficiency of the change team and the incident response teams tremendously when dealing with send connector changes, smarthost changes and mail flow issues. This is amazing considering that most SMTP validation and troubleshooting in the community still happens using Telnet.

    The other new feature is the welcome addition of TLS validation. The administrator has the ability to test TLS from all the transport servers to a specific smarthost (this can actually be any remote organization's server, such as Exchange Online Protection in a hybrid scenario). PelNet will essentially try to find the TLS certificate assigned for SMTP and use that certificate for the encrypted stream. The other cool thing about this is that an administrator can override the certificate logic by providing the thumbprint of a certificate to test before assigning it to the SMTP service.

    With the new performance enhancements, PelNet could also be used to check SMTP mail flow daily if an administrator sets up some daily task. This way the administrator is being proactive in mitigating any mail flow issues.

    PelNet can also be used in change management processes, such as pre- and post-change validation. If a transport change occurs, such as a new send connector, a smarthost change or an MX change, PelNet can be used to test all these scenarios to ensure the change succeeds prior to production switchover.
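    For readers who want to see what such a TLS check involves, here is an added example (it is not PelNet's code and not from the original post) that opens an SMTP session to a smarthost, issues STARTTLS, negotiates TLS with an optional client certificate selected by thumbprint from the local machine store, and reports the negotiated protocol, the remote certificate and any certificate validation errors. The function name, its parameters and the hostname in the usage line are my own assumptions; it needs outbound TCP/25 from wherever it runs.

```powershell
# Added example: a minimal STARTTLS check against a smarthost, in the spirit of PelNet's TLS
# validation. Not PelNet's code. Assumes outbound TCP/25 is allowed from where it runs.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory = $true)][string]$SmartHost,
        [int]$Port = 25,
        [string]$HeloName = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName,
        # Optional: thumbprint of a certificate in Cert:\LocalMachine\My to present as the client
        # certificate, mirroring the "test a certificate before assigning it to SMTP" idea
        [string]$ClientCertThumbprint
    )

    # Filled in by the validation callback so we can report problems without aborting the handshake
    $script:SmtpTlsPolicyErrors = [System.Net.Security.SslPolicyErrors]::None

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($SmartHost, $Port)
        $stream = $client.GetStream()
        $reader = New-Object System.IO.StreamReader($stream)
        $writer = New-Object System.IO.StreamWriter($stream)
        $writer.NewLine   = "`r`n"
        $writer.AutoFlush = $true

        $banner = $reader.ReadLine()
        if ($banner -notmatch '^220') { throw "Unexpected banner: $banner" }

        # EHLO and collect the multi-line capability list ("250-" continues, "250 " ends it)
        $writer.WriteLine("EHLO $HeloName")
        $caps = @()
        do { $line = $reader.ReadLine(); $caps += $line } while ($line -match '^250-')

        if (-not ($caps -match 'STARTTLS')) {
            return [pscustomobject]@{ SmartHost = $SmartHost; Banner = $banner; StartTlsOffered = $false }
        }

        $writer.WriteLine('STARTTLS')
        $ready = $reader.ReadLine()
        if ($ready -notmatch '^220') { throw "STARTTLS refused: $ready" }

        # Optional client certificate, selected by thumbprint from the machine store
        $clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
        if ($ClientCertThumbprint) {
            $cc = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $ClientCertThumbprint }
            if (-not $cc) { throw "No certificate with thumbprint $ClientCertThumbprint in LocalMachine\My" }
            [void]$clientCerts.Add($cc)
        }

        # Record validation errors but let the handshake finish, so the report shows the real certificate
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{
            param($sender, $certificate, $chain, $errors)
            $script:SmtpTlsPolicyErrors = $errors
            return $true
        }
        $ssl = New-Object System.Net.Security.SslStream($stream, $false, $callback)
        $ssl.AuthenticateAsClient($SmartHost, $clientCerts,
                                  [System.Security.Authentication.SslProtocols]'Tls, Tls11, Tls12', $false)
        $remote = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)

        # Say goodbye inside the encrypted channel
        $tlsWriter = New-Object System.IO.StreamWriter($ssl)
        $tlsWriter.NewLine   = "`r`n"
        $tlsWriter.AutoFlush = $true
        $tlsWriter.WriteLine('QUIT')

        [pscustomobject]@{
            SmartHost          = $SmartHost
            Banner             = $banner
            StartTlsOffered    = $true
            Protocol           = $ssl.SslProtocol
            Cipher             = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            RemoteSubject      = $remote.Subject
            RemoteNotAfter     = $remote.NotAfter
            ValidationErrors   = $script:SmtpTlsPolicyErrors
            ClientCertAccepted = $ssl.IsMutuallyAuthenticated
        }
    }
    finally {
        $client.Close()
    }
}

# Example usage (hostname is a placeholder):
Test-SmtpStartTls -SmartHost 'smarthost.example.com' | Format-List
```

    ValidationErrors other than None (for example RemoteCertificateNameMismatch or RemoteCertificateChainErrors) is the kind of finding you want before a send connector is switched to require TLS, and ClientCertAccepted tells you whether the remote side actually consumed the certificate you selected.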

    If you are starting to get excited about this, head over to the Exchange Team blog, read about and download the tool, and then go do some PelNetting!

    Until next time,

    Michael Hall
    Service Engineer
    Office 365: Exchange Online

  • Exchange Server 2013 Maintenance

    It’s been a while since my last article; things have been quite hectic on the work front and I recently moved half way around the world to pursue some new and exciting challenges.

    Seeing that cobwebs have been building in my little space on the Interwebs I decided that it’s time to throw something cool into the wild. 

    Now that Exchange 2013 SP1 has been out for a while, I know from experience that customers are planning hard to get onto Exchange 2013; SP1 in any product is “believed” to be the “stable, what RTM should’ve been” version. I'm not sure I always agree with that, but everyone has their opinions, and that’s what makes life so interesting.

    Let’s jump right into it: Exchange 2013 maintenance.

    You need to do some maintenance on your Exchange 2013 environment by setting a server into maintenance mode safely and efficiently.

    First, you need to understand the supported process, there’s great content on TechNet covering maintenance here: http://technet.microsoft.com/en-us/library/dd298065(v=exchg.150).aspx#Pm

    Now that you’ve gone through the process it might become obvious that you could automate a whole lot of the commands you need to run. And of course you could add some checks, tests, bells and whistles to make the process easier, more efficient and less error prone.

    Sounds cool, right? Well, I’ve been working on something like this and I think it’s ready for some worldly love, attention and testing. Now many of you would say, well, there are some scripts out there that do this, and I would say we have a lot of cars on the road; they all get you from point A to point B, but we all like to drive in style from point A to point B, right?

    So, let’s talk about this script and most importantly the parameters it accepts.

    The script is a one stop shop to add/remove your Exchange 2013 server to/from production rotation. The script will follow the procedures as outlined in the maintenance article in TechNet with a few additional checks and validations.

    The process at a high level:

    The script accepts the following parameters, depending on what you want to do, and it can execute everything from a central location.

    • [string]$Server: FQDN of the server you want to put into maintenance.
    • [string]$LogFolderPath: Self-explanatory (default is "C:\Temp\MaintenanceLogs").
    • [switch]$StartMaintenance: Start maintenance, remove server from production rotation.
    • [switch]$StopMaintenance: Stop maintenance, add server back into production rotation.
    • [switch]$balanceMailboxDatabases: Balance DAG databases after adding server back into production.

    The only requirement for the script is the Exchange Management Tools.

    Remove a server from production rotation:

    .\E2013-Maintenance.ps1 -Server ex15-02.uclabz.com -StartMaintenance -LogFolderPath c:\temp\logs

    Add a server back into production rotation:

    .\E2013-Maintenance.ps1 -Server ex15-02.uclabz.com -StopMaintenance -LogFolderPath c:\temp\logs

    Add a server back into production rotation and balance databases:

    .\E2013-Maintenance.ps1 -Server ex15-02.uclabz.com -StopMaintenance -balanceMailboxDatabases -LogFolderPath c:\temp\logs

    Let’s take a look at some output examples.

    If you follow the high level process depicted above you’ll see in the screenshot below that the script output is very verbose, so the operator knows exactly what’s going on at any given moment. The output shows the steps the script follows when removing a server from production rotation and the line of code being executed at each point.

    If any database move fails the script will bail out, catching the Active Manager exception and requesting operator intervention. It will also test MAPI connectivity after the databases have been moved to ensure they are mounted. If any databases are not mounted, operator intervention is required at this stage, unless Active Manager fixes the issue automatically.

    The below shows what the script will do when adding the server back into production and the operator forgot to check if all services are started on the target machine. The test health function will essentially try to start these services. If any service is still unable to start the server will not be added back into rotation.

    In the below example the script was able to start the services not running and then continued to add the server into production rotation.

    The below shows an example where the logic was unable to find enough healthy copies during database pre-validation prior to moving the databases to a new target server, thus alerting the operator and then exiting.

    In the final example below, the server was added back into production rotation and the balanceMailboxDatabases switch was specified which resulted in the script balancing the databases in the DAG using the built in database balancing script.
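    To make the checks described above concrete, here is an added example (my own code, not the E2013-Maintenance.ps1 script from the post) of the "remove from production rotation" half: it first pre-validates that every database active on the server has a healthy copy elsewhere, then runs the maintenance steps from the TechNet article, waits for the queues to drain and for Active Manager to move the active copies away, bails out if anything is still mounted on the server, tests MAPI connectivity on the moved databases, and finally takes the server offline and shows the resulting component states. The function names, the one-healthy-copy threshold, the queue length limit and the timeouts are my assumptions; it needs the Exchange Management Shell and the FailoverClusters module, and you would wrap it in your own logging.

```powershell
# Added example: the "remove from production rotation" sequence with pre-validation.
# Not the post's E2013-Maintenance.ps1. Assumes Exchange Management Shell + FailoverClusters module.

function Test-DatabaseCopyRedundancy {
    # Pre-validation: every database currently active on $Server must have at least
    # $MinHealthyCopies healthy, index-healthy copies elsewhere, or we refuse to move anything.
    param(
        [Parameter(Mandatory = $true)][string]$Server,
        [int]$MinHealthyCopies = 1,     # assumed threshold
        [int]$MaxQueueLength   = 10     # assumed copy/replay queue limit for a "healthy" copy
    )
    $shortName  = $Server.Split('.')[0]
    $ok         = $true
    $activeHere = Get-MailboxDatabaseCopyStatus -Server $shortName | Where-Object { $_.Status -eq 'Mounted' }
    foreach ($copy in $activeHere) {
        $others = Get-MailboxDatabaseCopyStatus -Identity "$($copy.DatabaseName)\*" |
            Where-Object {
                $_.MailboxServer -ne $shortName -and
                $_.Status -eq 'Healthy' -and
                $_.ContentIndexState -eq 'Healthy' -and
                $_.CopyQueueLength -le $MaxQueueLength -and
                $_.ReplayQueueLength -le $MaxQueueLength
            }
        if (@($others).Count -lt $MinHealthyCopies) {
            Write-Warning "$($copy.DatabaseName): only $(@($others).Count) healthy passive copies, need $MinHealthyCopies"
            $ok = $false
        }
    }
    return $ok
}

function Start-E2013MaintenanceDrain {
    param(
        [Parameter(Mandatory = $true)][string]$Server,          # FQDN of the server going into maintenance
        [Parameter(Mandatory = $true)][string]$RedirectTarget,  # FQDN of another transport server
        [int]$DrainTimeoutMinutes = 10,
        [int]$MoveTimeoutMinutes  = 5
    )
    $shortName = $Server.Split('.')[0]

    if (-not (Test-DatabaseCopyRedundancy -Server $Server)) {
        throw "Pre-validation failed on $Server; operator intervention required, nothing was changed."
    }

    # 1. Stop accepting new mail and hand off what is already queued
    Set-ServerComponentState $Server -Component HubTransport -State Draining -Requester Maintenance
    Redirect-Message -Server $Server -Target $RedirectTarget -Confirm:$false

    # 2. Wait (bounded) for the queues to empty; poison and shadow queues are not expected to drain
    $deadline = (Get-Date).AddMinutes($DrainTimeoutMinutes)
    do {
        $pending = (Get-Queue -Server $Server |
            Where-Object { $_.Identity -notmatch 'Poison|Shadow' } |
            Measure-Object -Property MessageCount -Sum).Sum
        if ($pending -gt 0) { Start-Sleep -Seconds 30 }
    } while ($pending -gt 0 -and (Get-Date) -lt $deadline)
    if ($pending -gt 0) { Write-Warning "$pending messages still queued on $Server after $DrainTimeoutMinutes minutes" }

    # 3. Take the node out of the DAG cluster and ask Active Manager to move the active copies away
    Suspend-ClusterNode -Name $shortName | Out-Null
    Set-MailboxServer $Server -DatabaseCopyActivationDisabledAndMoveNow $true
    Set-MailboxServer $Server -DatabaseCopyAutoActivationPolicy Blocked

    # 4. The moves are asynchronous: wait (bounded), then bail out if anything is still mounted here
    $deadline = (Get-Date).AddMinutes($MoveTimeoutMinutes)
    do {
        $stillActive = Get-MailboxDatabaseCopyStatus -Server $shortName | Where-Object { $_.Status -eq 'Mounted' }
        if ($stillActive) { Start-Sleep -Seconds 15 }
    } while ($stillActive -and (Get-Date) -lt $deadline)
    if ($stillActive) {
        throw "Databases still active on $Server : $(($stillActive | ForEach-Object DatabaseName) -join ', ')"
    }

    # 5. Confirm the moved databases are mounted and answering MAPI on their new server
    Get-MailboxDatabaseCopyStatus -Server $shortName | ForEach-Object {
        Test-MapiConnectivity -Database $_.DatabaseName | Select-Object MailboxServer, Database, Result
    }

    # 6. Finally take the whole server offline and show the resulting component states
    Set-ServerComponentState $Server -Component ServerWideOffline -State Inactive -Requester Maintenance
    Get-ServerComponentState $Server |
        Where-Object { $_.Component -in 'HubTransport', 'ServerWideOffline' } |
        Select-Object Component, State
}

# Example usage (hostnames are placeholders):
Start-E2013MaintenanceDrain -Server 'ex15-02.uclabz.com' -RedirectTarget 'ex15-01.uclabz.com'
```

    The point of the pre-validation is the failure mode shown in the third screenshot above: if a database would be left with no healthy copy to activate, the function refuses before any component state is changed, rather than discovering the problem halfway through.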

    It’s important to note that if you haven’t set up your Client Access Server load balancing to be in sync with Managed Availability, i.e. you’re not probing healthcheck.htm, then CAFE roles will not be removed from the load balancing pool and client connections will still be directed to the server. Read more here: http://blogs.technet.com/b/exchange/archive/2014/03/05/load-balancing-in-exchange-2013.aspx

    Now, with any script that moves databases, changes component states and restarts services, I wouldn't advise anyone to run it straight in production without making 100% sure it fits your needs, that you understand what the output is saying, that you are comfortable running it and that you've tested it in your QA/LAB/DEV or whatever environment first.

    I've only had a chance to test this in my lab environment with 3 servers and 3 database copies. So if you have some larger test beds out there, please give it a bash and let me know how it goes.

    Grab the script here.

    Like always, I appreciate any feedback/improvements/ideas/fixes! #smileyface

    Michael Hall
    Service Engineer

  • Office 365 Insight into the Hybrid Configuration Wizard Part 2

    I decided to extend the Insight into the Hybrid Configuration Wizard article into another 2 parts. I've been getting numerous requests on troubleshooting the dreaded Get-FederationInformation Exception.

    Let’s recap on what the high level steps for the HCW are:

    1. Global Prerequisites task – prerequisite check (covered here).
    2. Legacy Exchange Support Task – Legacy Exchange requirements (covered here).
    3. Recipient Configuration Task – Accepted domains and email address policy changes.
    4. Organization Relationship Task – Federation configuration.
    5. On Off Settings Task – Organization Relationship config like Availability Address Space, Free Busy Access, TargetOWAURL etc.
    6. Hybrid mail flow task – Creates send and receive connectors for Hybrid mail flow.

    I’m going to skip the Recipient Configuration Task here and cover that in my next article. I want to focus on step 4, the Organization Relationship Task for this article.

    So let’s get right into it.

    As the task name suggests, this step will:

    1. Create the Federation Trust with the Microsoft Federation Gateway,
    2. Add federated domains and
    3. Create the organizational relationships between the two environments.

    Now, from what I’ve seen and heard in the field, most of the issues occur at step 3.

    Step 3 uses a process called ProvisionOrganizationRelationship. The very first thing this function does is try to get the federation information for the domain used in the organization relationship settings; let’s use uclabz.com.

    • First, it will initiate the following from the on-premises session:
    Get-FederationInformation -DomainName uclabz.onmicrosoft.com -BypassAdditionalDomainValidation $True
    • Then it creates the Organization Relationship to Exchange Online using the results from the above:
    New-OrganizationRelationship -Name -TargetApplicationUri *.outlook.com -TargetAutodiscoverEpr <the Exchange Online Autodiscover URL> -Enabled:$True -DomainNames uclabz.mail.onmicrosoft.com
    • The next step is to initiate Get-FederationInformation from the tenant session. This is where everything breaks for most people:
    Get-FederationInformation -DomainName uclabz.com -BypassAdditionalDomainValidation $True

    Let’s pause here for a moment.

    So why is the code doing this. Well, it’s simple. By using Get-FederationInformation, it’s very easy to get the correct values for TargetApplicationURI, TargetAutodiscoverEPR and DomainNames which is required for the New-OrganizationRelationship task.

    The issues occur, because many customers have different ways of doing things, like Autodiscover, Certificates and Reverse Proxy etc.

    Let’s take an example – Autodiscover:

    • You implement Autodiscover on the Public DNS by using a SRV record and you don’t specify an A record for autodiscover.company.com.
    • You run remote connectivity analyzer and everything seems to be working fine.
    • Then, you run the Hybrid Configuration Wizard and it bombs out at Get-FederationInformation with the following error:
    Execution of the Get-FederationInformation cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

    Federation information could not be received from the external organization.
    at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

    The way the Get-FederationInformation cmdlet works is that its discovery process only uses the following endpoints to determine the correct settings (in this order):

    1. https://autodiscover.uclabz.com/autodiscover/autodiscover.svc
    2. https://uclabz.com/autodiscover/autodiscover.svc
    3. https://autodiscover.uclabz.com/autodiscover/autodiscover.xml
    4. http://autodiscover.uclabz.com/autodiscover/autodiscover.xml

    So as you can see from the above, you need to have the correct records in public DNS for this step to work.

    Here are some more tips on what to check for when you run into this problem:

    • Ensure Autodiscover is working as described above. Autodiscover DNS needs to point to the Hybrid Servers. Use remote connectivity analyzer to confirm that the steps are as per above.
    • Confirm that the svc-Integrated handler mapping is not missing in IIS on the Hybrid CAS - http://support.microsoft.com/kb/2626696 
    • Confirm WSSecurity is enabled on the Hybrid Server Autodiscover virtual directories:
    Get-AutodiscoverVirtualDirectory -Server <hybridcas> | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true
    • Confirm that federation information for the tenant target delivery domain can be retrieved from the on-premises Hybrid server:
    Get-FederationInformation -DomainName domain.onmicrosoft.com -BypassAdditionalDomainValidation $True
    • Disable pre-authentication on TMG if you are using it; by default TMG will also block traffic to Autodiscover.svc. This can be solved by creating separate rules (higher in the rule order) in TMG for the following sites:

    /EWS/Exchange.asmx/wssecurity
    /Autodiscover/Autodiscover.svc
    /Autodiscover/Autodiscover.svc/wssecurity

    Allow All users and No Authentication, users can authenticate directly.
    TMG will need to passthrough the traffic directly to the Hybrid CAS instead of authenticating as specified above.
    Confirm that traffic is not being blocked to Autodiscover.svc by checking the TMG logs.
    See this article on TMG - http://support.microsoft.com/kb/2821214

    • Open Exchange Online PowerShell session and confirm federation information results can be retrieved from the tenant shell – this is the remote check that Hybrid Config also does.
    Get-FederationInformation -domainname uclabz.com -BypassAdditionalDomainValidation $True 
    • Re-run Hybrid wizard, if you still get the same problem double check everything as above and wait a few hours to rerun.
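    As an added example (not from the original post), here is a small PowerShell check that mirrors the discovery order above from the outside: it resolves the DNS records involved, then tries the four URLs in the same order and reports what each returns. It is only a reachability and certificate-trust probe: any HTTP status, even 401 or 403, means DNS, TCP and TLS all worked, whereas a DNS failure, a timeout or a TLS trust error is what breaks Get-FederationInformation. It does not perform the WS-Security exchange the cmdlet itself does. The function name is mine, the example domain is the one used throughout the post, and Resolve-DnsName needs Windows 8 / Server 2012 or later.

```powershell
# Added example: check the DNS records and endpoints Get-FederationInformation relies on, in the
# order the post lists them. Reachability/trust probe only, not the cmdlet's WS-Security exchange.
function Test-FederationDiscovery {
    param([Parameter(Mandatory = $true)][string]$Domain)

    $results = @()

    # DNS: the A record for autodiscover.<domain> is what the discovery order needs; the SRV record
    # is reported so you can spot the "SRV only, no A record" scenario described above.
    $dnsChecks = @(
        @{ Name = "autodiscover.$Domain";       Type = 'A'   },
        @{ Name = "_autodiscover._tcp.$Domain"; Type = 'SRV' }
    )
    foreach ($check in $dnsChecks) {
        $answer = Resolve-DnsName -Name $check.Name -Type $check.Type -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq $check.Type }
        if ($answer) {
            $value = ($answer | ForEach-Object {
                if ($_.Type -eq 'SRV') { "$($_.NameTarget):$($_.Port)" } else { $_.IPAddress }
            }) -join ', '
        } else {
            $value = 'no record'
        }
        $results += [pscustomobject]@{ Check = "DNS $($check.Type) $($check.Name)"; Result = $value }
    }

    # Endpoints, in the same order the cmdlet tries them
    $urls = @(
        "https://autodiscover.$Domain/autodiscover/autodiscover.svc",
        "https://$Domain/autodiscover/autodiscover.svc",
        "https://autodiscover.$Domain/autodiscover/autodiscover.xml",
        "http://autodiscover.$Domain/autodiscover/autodiscover.xml"
    )
    foreach ($url in $urls) {
        try {
            $response = Invoke-WebRequest -Uri $url -UseBasicParsing -TimeoutSec 15 -ErrorAction Stop
            $outcome  = "HTTP $([int]$response.StatusCode) (reachable)"
        }
        catch {
            if ($_.Exception.Response) {
                # A 401/403/405 etc. still proves DNS, TCP and TLS all worked
                $outcome = "HTTP $([int]$_.Exception.Response.StatusCode) (reachable)"
            } else {
                # No HTTP response at all: DNS, connection, timeout or certificate trust failure
                $outcome = "FAILED: $($_.Exception.Message)"
            }
        }
        $results += [pscustomobject]@{ Check = $url; Result = $outcome }
    }

    $results
}

# Example usage with the domain used throughout the post:
Test-FederationDiscovery -Domain 'uclabz.com' | Format-Table -AutoSize -Wrap
```

    Run it from a machine outside the corporate network, because the tenant-side Get-FederationInformation call comes from Exchange Online and sees your public DNS and your reverse proxy, not your internal records; a TLS trust failure on the first URL is the reverse proxy or certificate problem the tips above are about.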

    Phew, I think that’s that for this article. Good luck with your hybrid configurations, I hope the above helps.

    Until next time,

    Michael Hall

  • Office 365 License Reporting

    UPDATE 2014/14/09: New version 0.6 has been released to support Power BI for Office 365 licenses.

    I’ve been looking for some way of reporting on Office 365 licenses assigned to users and creating a simple Pivot Chart to get an overview of the licenses.

    There are a lot of PowerShell scripts out there, but the ones I found didn't really fit my requirements.

    I decided to throw something together to help me with my requirements; nothing fancy, but I came up with the following.

    Basically, I’m using Excel to call PowerShell to export the raw license data to CSV. Once the export process has finished you just use the import button to import the CSV into the Excel sheet. The Pivot Chart will then update with the relevant data.

    The Chart will look like this:


    You can manipulate the Chart by filtering on AccountSKU, ServiceName and ProvisioningStatus.

    I re-used some code in the PowerShell from Alan Byrne's script, but I needed the licensing data in each row to create a report on different SKUs. So my script basically loops through each user and exports the SKUs and service names against every user.
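    As an added example (my own code, not the author's script and not Alan Byrne's), here is the core of that per-user, per-SKU, per-service flattening written against the Windows Azure AD (MSOnline) module: one row per user, AccountSKU, ServiceName and ProvisioningStatus, exported to CSV so it can feed a pivot chart like the one above, followed by a count per SKU/service combination so you can sanity-check the export. The function name and the output path are my assumptions, and it expects that you have already run Connect-MsolService.

```powershell
# Added example: flatten Office 365 license assignments into one row per user/SKU/service plan.
# Requires the MSOnline (Windows Azure AD) module and a prior Connect-MsolService.
function Export-O365LicenseDetail {
    param(
        [string]$Path = '.\O365-LicenseDetail.csv'   # assumed default output location
    )

    $rows = foreach ($user in Get-MsolUser -All) {
        if (-not $user.IsLicensed) {
            # Keep unlicensed users in the export so the pivot can show them too
            [pscustomobject]@{
                UserPrincipalName  = $user.UserPrincipalName
                DisplayName        = $user.DisplayName
                AccountSKU         = '(none)'
                ServiceName        = '(none)'
                ProvisioningStatus = 'Unlicensed'
            }
            continue
        }
        foreach ($license in $user.Licenses) {
            # ServiceStatus lists every service plan in the SKU with its provisioning state
            foreach ($status in $license.ServiceStatus) {
                [pscustomobject]@{
                    UserPrincipalName  = $user.UserPrincipalName
                    DisplayName        = $user.DisplayName
                    AccountSKU         = $license.AccountSkuId
                    ServiceName        = $status.ServicePlan.ServiceName
                    ProvisioningStatus = $status.ProvisioningStatus
                }
            }
        }
    }

    $rows | Export-Csv -Path $Path -NoTypeInformation -Encoding UTF8

    # Quick sanity check of what was written: users per SKU/service combination
    $rows | Where-Object { $_.AccountSKU -ne '(none)' } |
        Group-Object AccountSKU, ServiceName |
        Sort-Object Count -Descending |
        Select-Object Count, Name
}

Export-O365LicenseDetail | Format-Table -AutoSize
```

    The CSV columns match the three filters mentioned above (AccountSKU, ServiceName, ProvisioningStatus), so the same pivot chart can be refreshed from it; ProvisioningStatus values such as PendingInput or Disabled are the ones worth filtering on when a user has a license but a service is not actually usable.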

    I hope this helps you to get an overview on your licenses assigned on your tenant.

    You can download the tool here.

    This requires the Windows Azure PowerShell module to work.

    I also included this feature in my Migration Management tool to help keep track of licenses during a migration.

    If you have any feedback, don’t hesitate to ping me at technicalramblings@outlook.com

    Until next time,

    Michael Hall (MCS)