Exchange federation trust – part 2.

Finally, here is the continuation of the previous article about the Exchange federation trust. We have established the trust between the Microsoft Federation Gateway and our organizations; the next step is to configure the inter-organizational behavior. The result is a mesh-like net in which a 1:1 relationship is established between each pair of organizations.

Prerequisites

  • The Autodiscover service must be accessible from the internet on at least one CAS server
  • EWS must be accessible from the internet on at least one server, and its External URL must match the name reachable from the internet and the subject name (SN) or a SAN name of the 3rd-party certificate

Organization Relationship

Once we have configured our organizations to trust the MS Federation Gateway, we can use it to create an organization relationship. We run Get-FederationInformation against the opposite organization and pipe the result into New-OrganizationRelationship. The access level should be the same on both sides of the relationship.

In our organization:

Get-FederationInformation -DomainName metrosys.cz | New-OrganizationRelationship -Name "Metrosys" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name <foreignorganizationname> -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://email.foreigndomain.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames foreigndomain.cz -TargetApplicationURI http://fydibohf25spdlt.foreigndomain.cz/ -TargetSharingEpr https://email.foreigndomain.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!
Result of testing the created relationship:

Test-OrganizationRelationship -identity <ForeignOrganizationname> -UserIdentity primarysmtpaddress@salonovi.cz -Verbose

OK success rel test

In foreign organization:

Get-FederationInformation -DomainName salonovi.cz | New-OrganizationRelationship -Name "Salonovi" -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails

Or directly:

New-OrganizationRelationship -Name <organizationname> -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails -Enabled $true -PhotosEnabled $true -TargetAutodiscoverEpr https://mail.salonovi.cz/autodiscover/autodiscover.svc/wssecurity -DomainNames salonovi.cz -TargetApplicationURI http://fydibohf25spdlt.salonovi.cz/ -TargetSharingEpr https://mail.salonovi.cz/EWS/Exchange.asmx

Note: Domain names are CASE SENSITIVE!

The result of a proper configuration is that you can see the Free/Busy limited details of users in the foreign organization.

Errors you might face

The index error is caused by a domain name inserted with the wrong case (in my case Metrosys.cz instead of metrosys.cz) or by wrong URLs for EWS or Autodiscover.

test-orgrel_indexerror

The errors in the following picture are caused by wrong or misspelled URLs (self-explanatory):

test_org_rel_err2

Usually the Autodiscover URL has the format https://autodiscover.domainname.cz/autodiscover/autodiscover.xml; the federation trust, however, uses the Autodiscover web service at https://autodiscover.domainname.cz/autodiscover/autodiscover.svc/WSSecurity, where WSSecurity is the authentication method used by the federation trust:

org_rel_res_our
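As an added example (not part of the original article), the following pre-flight check covers the two error causes described above before New-OrganizationRelationship is run: a domain name with the wrong case, and an Autodiscover endpoint that is not reachable or is not the WS-Security service. It assumes an Exchange Management Shell session; the domain, relationship name and user address are placeholders taken from the article.

```powershell
# Added example (not from the original article): pre-flight checks before
# New-OrganizationRelationship. Assumes an Exchange Management Shell session.
function Test-OrgRelationshipInput {
    param(
        [Parameter(Mandatory = $true)][string]$DomainName,
        [string[]]$ExtraUrl = @()      # e.g. a manually supplied TargetSharingEpr
    )
    $problems = @()

    # The Federation Gateway treats domain names as case sensitive: lower-case first.
    $lower = $DomainName.ToLowerInvariant()
    if ($DomainName -cne $lower) {
        Write-Warning "'$DomainName' contains upper-case letters; using '$lower'."
        $DomainName = $lower
    }

    # Fails when the other side's Autodiscover is not published to the internet.
    try { $fed = Get-FederationInformation -DomainName $DomainName -ErrorAction Stop }
    catch { $problems += "Get-FederationInformation failed: $($_.Exception.Message)"; $fed = $null }

    $urls = @($ExtraUrl)
    if ($fed) {
        $urls += $fed.TargetAutodiscoverEpr
        # Federation uses the WS-Security SOAP endpoint, not autodiscover.xml.
        if ($fed.TargetAutodiscoverEpr -notmatch '/autodiscover\.svc/wssecurity$') {
            $problems += "Unexpected Autodiscover EPR: $($fed.TargetAutodiscoverEpr)"
        }
    }
    foreach ($url in $urls) {
        # A 401/405 reply still proves DNS, TCP and the TLS certificate work; only a
        # missing response (name, port or certificate problem) counts as an error.
        try {
            $req = [System.Net.WebRequest]::Create($url); $req.Method = 'HEAD'; $req.Timeout = 10000
            $req.GetResponse().Close()
        } catch {
            $ex = $_.Exception; if ($ex.InnerException) { $ex = $ex.InnerException }
            if (-not ($ex -is [System.Net.WebException] -and $ex.Response)) { $problems += "Cannot reach $url : $($ex.Message)" }
        }
    }
    New-Object PSObject -Property @{ Ready = ($problems.Count -eq 0); Info = $fed; Problems = $problems }
}

$check = Test-OrgRelationshipInput -DomainName 'Metrosys.cz'   # deliberately mixed case
if ($check.Ready) {
    $check.Info | New-OrganizationRelationship -Name 'Metrosys' -FreeBusyAccessEnabled $true -FreeBusyAccessLevel LimitedDetails
    Test-OrganizationRelationship -Identity 'Metrosys' -UserIdentity user@salonovi.cz -Verbose
} else { $check.Problems | ForEach-Object { Write-Warning $_ } }
```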


ADFS / Office 365 / Exchange 2010 – How to force synchronization – Event ID:0, Event ID:1, Event ID:3, Event ID:4, Event ID:6126, Event ID:6127

I created a new admin account to manage an Exchange 2010 SP3 / Office 365 hybrid deployment using ADFS (advanced SSO configuration). By default it takes up to 3 hours for newly created or added accounts to sync to Office 365. To force synchronization:

  1. Log on to the DirSync server
  2. Open the PowerShell module "Microsoft Online Services Module for Windows PowerShell"
  3. Alternatively, if WinRM has been configured, use remote PowerShell:
    Invoke-Command -ScriptBlock {Add-PSSnapin Coexistence-Configuration; Start-OnlineCoexistenceSync} -ComputerName <DIRSYNC server name>
  4. Run the command for immediate AD synchronization:
    Start-OnlineCoexistenceSync

After running the command you can check the event log to confirm that everything is OK.

Open the Application event log and check for the following events:

  • Event ID: 0 – Connecting to MS Online and starting synchronization
  • Event ID: 6127 – The management agent "SourceAD" completed run profile "Delta Import Delta Sync" with a delta import or delta synchronization step type. The rules configuration has changed since the last full synchronization
  • Event ID: 6126 – The management agent "TargetWebService" completed run profile "Delta Confirming Import" with a delta import or delta synchronization step type. The rules configuration has changed since the last full import or full synchronization.
  • Event ID: 1 – Import to DirSync started
  • Event ID: 2 – Import to DirSync completed
  • Event ID: 3 – Export to Office 365 started
  • Event ID: 4 – Export to Office 365 completed

Example:

example
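As an added example (not part of the original article), this function starts the delta sync and then waits for the event sequence listed above instead of reading the Event Viewer by hand. It assumes WinRM is configured as in step 3 and that DirSync writes to the Application log under the provider name "Directory Synchronization"; the server name is a placeholder.

```powershell
# Added example (not from the original article): run a sync and wait for the
# expected Application-log events. Provider name and server are assumptions.
function Wait-DirSyncCycle {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,
        [int]$TimeoutMinutes = 15,
        [string]$Provider = 'Directory Synchronization'
    )
    $started = Get-Date
    # Kick off the cycle; the module name depends on the DirSync version.
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        if (Get-Module -ListAvailable -Name DirSync) { Import-Module DirSync }
        else { Add-PSSnapin Coexistence-Configuration }
        Start-OnlineCoexistenceSync
    }

    # Event IDs from the list above; ID 4 (export completed) closes a healthy cycle.
    $expected = 0, 6127, 6126, 1, 2, 3, 4
    $deadline = $started.AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 20
        $events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Application'; ProviderName = $Provider; Id = $expected; StartTime = $started
        } -ErrorAction SilentlyContinue
        $seen = @($events | Sort-Object TimeCreated | ForEach-Object { $_.Id })
        # Level 2 = Error: stop early if the agent reports a failure.
        $errors = @(Get-WinEvent -ComputerName $ComputerName -FilterHashtable @{
            LogName = 'Application'; ProviderName = $Provider; Level = 2; StartTime = $started
        } -ErrorAction SilentlyContinue)
    } until ($seen -contains 4 -or $errors.Count -gt 0 -or (Get-Date) -gt $deadline)

    New-Object PSObject -Property @{
        Completed  = ($seen -contains 4 -and $errors.Count -eq 0)
        SeenIds    = $seen
        MissingIds = @($expected | Where-Object { $seen -notcontains $_ })
        Errors     = $errors | Select-Object TimeCreated, Id, Message
        Duration   = (Get-Date) - $started
    }
}

Wait-DirSyncCycle -ComputerName 'DIRSYNC01' | Format-List   # placeholder server name
```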

The default sync interval can be changed here:

C:\program files\Microsoft Online Directory Sync\Microsoft.Online.DirSync.Scheduler.exe.Config

To run the online coexistence sync on newer versions of DirSync, run:

Powershell.exe
Import-Module DirSync
Start-OnlineCoexistenceSync

Default path: C:\Program Files\Windows Azure Active Directory Sync\dirsync

Exchange 2013 / 2010 / 2007 – How to configure OAB for offline Thumbnail photo

One of our customers wanted the ThumbnailPhoto attribute configured for offline access.

Process:

  • Extend the AD schema with the ThumbnailPhoto attribute (done by default for Exchange 2010 SP2+)
  • Upload pictures via PowerShell or SharePoint
  • Enable the ThumbnailPhoto attribute in the OAB (done by default in Exchange 2010 SP2, but only as an indicator to fetch the data from AD online)
  • Configure ThumbnailPhoto for true offline access (change the attribute entry ThumbnailPhoto,Indicator to ThumbnailPhoto,Value)

The rough process is simple, but in my case there was a problem, because the customer has a coexistence scenario with Exchange 2007 and Exchange 2010 in a single AD site. The OAB was first created on Exchange 2003; Exchange 2003 was then replaced by Exchange 2007, Exchange 2007 was kept for business reasons (several mailboxes) and the environment was extended with Exchange 2010 (currently SP3). In this scenario the OAB is missing its ConfiguredAttributes (the property is empty), so the process is as follows:

1. Get info about OAB

This command lists the OAB and its empty ConfiguredAttributes property.

Get-OfflineAddressBook "Default Offline Address List" | fl

Default OAB

2. Create new OAB to see configured attributes

To make sure users are not disrupted by the change, I created a new OAB on Exchange 2010.

New-OfflineAddressBook -Name 'Default Offline Address Book + offline photo' -Server 'PF1' -AddressLists '\Default Global Address List' -PublicFolderDistributionEnabled $false -VirtualDirectories 'CH1\OAB (Default Web Site)','CH2\OAB (Default Web Site)'

3. List configured attributes

To display all configured attributes without truncation, use the following cmdlets:

$FormatEnumerationLimit = -1
Get-OfflineAddressBook "Default Offline Address Book*" | select name, Configuredattributes | fl

New OAB with attributes

4. Change attributes

To change the attributes I first read them into a variable and replaced ThumbnailPhoto,Indicator with ThumbnailPhoto,Value. This physically stores the ThumbnailPhoto data in the OAB. Caution: this may increase network load, because the OAB grows with the number of users.

$attr = (Get-OfflineAddressBook "Default Offline Address Book*").configuredattributes
$attr.remove("ThumbnailPhoto,Indicator")
$attr.Add("ThumbnailPhoto,Value")

Result:

$attr

Attribute updated in variable

5. Import to OAB

To import modified set of attributes to OAB use:

Set-OfflineAddressBook "Default Offline Address Book*" -ConfiguredAttributes $attr

OAB with edited attribute

6. Update OAB and Check OAB

To generate the new OAB and distribute it across the web distribution points use:

Get-OfflineAddressBook "Default Offline Address Book*" | Update-OfflineAddressBook

Restart the Microsoft Exchange File Distribution service on each previously configured distribution point.

New OAB folder on DP

7. Set generation time

Set-OfflineAddressBook -Schedule 'Sun.5:00 AM-Sun.6:00 AM, Mon.5:00 AM-Mon.6:00 AM,Tue.5:00 AM-Tue.6:00 AM, Wed.5:00 AM-Wed.6:00 AM, Thu.5:00 AM-Thu.6:00 AM, Fri.5:00 AM-Fri.6:00 AM, Sat.5:00 AM-Sat.6:00 AM' -Identity '\Default Offline Address Book + offline photo'

8. Assign OAB to mailboxes

Before:

Assign OAB

I chose to assign the OAB per mailbox database. Each mailbox in the database that does not have the OfflineAddressBook parameter explicitly defined gets the one from the database. The Exchange Information Store uses a cache, so the change becomes visible up to 2 hours after the database setting is applied. To apply the change immediately, dismount and mount the database where the change must be visible right away. Command:

Get-MailboxDatabase MDB* | Set-MailboxDatabase -OfflineAddressBook "Default Offline Address Book + offline photo"

9. Download new OAB to mailbox via Outlook

Check the Autodiscover response to confirm that the OAB URL has changed from the old one to the new one.

10. Test offline access

After the OAB has been successfully downloaded, switch Outlook to offline mode and test whether the OAB can be opened and the thumbnail photo is visible.

Before change:

OAB before

After change:

OAB after
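As an added example (not part of the original article) covering steps 4 to 6 above, the script below first estimates how much the OAB will grow if ThumbnailPhoto is stored as a value, which is the network-load caution from step 4, and then performs the Indicator-to-Value swap only if it has not already been done. It assumes the ActiveDirectory module is available in the Exchange Management Shell and uses the OAB name from step 2; the 50 MB warning threshold is an arbitrary value chosen for the example.

```powershell
# Added example (not from the original article): size estimate plus idempotent
# attribute swap. Assumes the ActiveDirectory module and the OAB name from step 2.
function Get-ThumbnailPhotoFootprint {
    # Sum the raw photo bytes that Value mode copies into the OAB files.
    $users = @(Get-ADUser -LDAPFilter '(thumbnailPhoto=*)' -Properties thumbnailPhoto)
    $bytes = 0
    foreach ($u in $users) { $bytes += $u.thumbnailPhoto.Length }
    $avgKB = 0
    if ($users.Count -gt 0) { $avgKB = [math]::Round($bytes / $users.Count / 1KB, 1) }
    New-Object PSObject -Property @{
        UsersWithPhoto = $users.Count
        TotalMB        = [math]::Round($bytes / 1MB, 2)
        AverageKB      = $avgKB
    }
}

function Set-OabThumbnailPhotoOffline {
    param([Parameter(Mandatory = $true)][string]$OabName)
    $oab  = Get-OfflineAddressBook $OabName
    $attr = $oab.ConfiguredAttributes
    if ($attr -contains 'ThumbnailPhoto,Value') {
        Write-Host "$OabName already stores ThumbnailPhoto offline; nothing to do."
        return
    }
    # Replace the online indicator with the stored value (steps 4 and 5).
    if ($attr -contains 'ThumbnailPhoto,Indicator') { $null = $attr.Remove('ThumbnailPhoto,Indicator') }
    $attr.Add('ThumbnailPhoto,Value')
    Set-OfflineAddressBook -Identity $OabName -ConfiguredAttributes $attr
    # Regenerate (step 6); the File Distribution service still needs a restart on each DP.
    Update-OfflineAddressBook -Identity $OabName
}

$footprint = Get-ThumbnailPhotoFootprint
$footprint | Format-List UsersWithPhoto, TotalMB, AverageKB
if ($footprint.TotalMB -gt 50) {   # threshold chosen for this example, not an Exchange limit
    Write-Warning "Every client will download about $($footprint.TotalMB) MB more at the next full OAB download."
}
Set-OabThumbnailPhotoOffline -OabName 'Default Offline Address Book + offline photo'
```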

Notes

Exchange blog article

http://blogs.technet.com/b/exchange/archive/2010/03/10/3409495.aspx

Works for Exchange 2013 as well.

Exchange – IIS problems after upgrade (Event IDs: 10010, 3, 1016)

One of our customers has Exchange 2010 (currently SP3). When I was installing the latest build (SP3 from SP4 RU 5v2), I ran into problems: the server was inaccessible, Exchange Web Services could not serve clients, PowerShell was not working and Forefront kept crashing, taking down the MS Exchange Transport service. I spent several hours troubleshooting; here is the overview and the solution.
Description:

Configuration:

Let's say that my server was in a Windows NLB cluster with:

LB IP: 192.168.1.120 /24
Production IP: 192.168.1.100 /24
Production IP2: 192.168.1.99 /24

From the start the server was installed and configured with the following IPs:

LB IP: 192.168.1.120 /24
Production IP:192.168.1.100 /24

and the second production IP address was added later as a requirement for one business application that relies on Exchange Web Services.

From IIS point of view:

In the beginning there was only one application pool with all virtual directories, as shown in the following picture (NOTE the binding settings).

APP_Pools_Before
Site bindings for the Default Web Site application pool:

bindings_default_before

After the business application was added, a new application pool was added too (NOTE the binding settings).

APP_Pools_After

Site bindings for the business application's application pool:

Bindings_application_before

Process of upgrade:

The upgrade process itself was normal and well documented on MS TechNet; however, after rebooting the server I lost connectivity to PowerShell and to EWS on the server. I therefore suspected a problem in IIS, but how to find it?

Errors in IIS:

IIS error

Errors in Event log:

Event ID 3 Event ID 1016 Event ID 10010

Solution:

I checked IIS:

  • Application pools were up and running
  • IIS was up and running
  • The server returned a 404 "page cannot be displayed" error when I tried the https://localhost/OWA URL
  • I checked the virtual directory paths and all needed files were in place
  • I checked the bindings and voilà! The localhost binding had been moved from the Default Web Site to the application web site

The binding on the business application web site now contains localhost:

Bindings_application_after

The bindings on the Default Web Site are missing the localhost record:

bindings_default_after

Move the localhost binding back to the correct place and restart IIS!

Explanation:

There is a logic to how IP addresses are handled in IIS. One basic rule says that a web server can have as many IP addresses as needed, BUT the default one is the one with the lowest number. For example, if I have 3 IP addresses:

192.168.10.10
192.168.10.11
192.168.10.12

the IP address with the highest priority is 192.168.10.10, and in some circumstances the localhost binding can be moved, without notice, under the application pool that listens on the IP address with the highest priority. It is then quite logical that the PowerShell and OWA virtual directories stopped working against the localhost binding, because there was no virtual path for them inside the newly created application pool of the business application.
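As an added example (not part of the original article), the following check lists which IIS site owns each binding and flags bindings that answer for localhost or for all addresses on ports 80/443 outside the Default Web Site, which is exactly the misplaced binding found in the Solution section above. It assumes the WebAdministration module (Windows Server 2008 R2 or later) and that the Exchange virtual directories live on "Default Web Site".

```powershell
# Added example (not from the original article): find bindings that intercept
# localhost traffic outside the Exchange site. Assumes the WebAdministration module.
Import-Module WebAdministration

function Get-SiteBindingReport {
    foreach ($site in Get-Website) {
        foreach ($b in $site.bindings.Collection) {
            # bindingInformation is "IP:Port:HostHeader"; "*" means every unassigned address.
            if ($b.bindingInformation -match '^(.*):(\d+):(.*)$') {
                New-Object PSObject -Property @{
                    Site = $site.name; State = $site.state; Protocol = $b.protocol
                    IPAddress = $matches[1]; Port = $matches[2]; HostHeader = $matches[3]
                }
            }
        }
    }
}

function Find-MisplacedExchangeBindings {
    param([string]$ExchangeSite = 'Default Web Site')
    $catchAll = '*', '127.0.0.1', '[::1]'
    # Any other site answering for localhost / all addresses on 80 or 443 receives
    # the https://localhost/OWA and PowerShell vdir requests and returns 404,
    # which matches the Event ID 3 / 1016 behaviour described above.
    Get-SiteBindingReport | Where-Object {
        $_.Site -ne $ExchangeSite -and
        ('80', '443' -contains $_.Port) -and
        ($_.HostHeader -eq 'localhost' -or $catchAll -contains $_.IPAddress)
    }
}

Get-SiteBindingReport | Format-Table Site, Protocol, IPAddress, Port, HostHeader, State -AutoSize
$bad = @(Find-MisplacedExchangeBindings)
if ($bad.Count -gt 0) {
    Write-Warning "Bindings intercepting localhost/all-address traffic outside Default Web Site:"
    $bad | Format-Table Site, Protocol, IPAddress, Port, HostHeader -AutoSize
} else {
    'No misplaced localhost binding found.'
}
```

Once the offending site is identified, the binding can be moved back with Remove-WebBinding / New-WebBinding from the same module, followed by iisreset.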

Conclusion:

Plan for the possibility of extending the server with more application pools and listeners already in the design phase, and reserve some IP addresses with higher numbers for future needs.

Exchange 2013 – Set Page file size via PS

For Exchange 2013, the page file minimum and maximum size must be set to physical RAM plus 10 MB.

The recommended page file size also accounts for the memory that's needed to collect information if the operating system stops unexpectedly. On 64-bit operating systems, memory can be written as a dump file to the paging file. This file must reside on the boot volume of the server (source: Exchange 2013 System Requirements).

You can use the following cmdlets to set the required size:

# Physical RAM plus 10 MB, expressed in MB (the unit Win32_PageFileSetting expects)
$PageFileSize = [math]::truncate(((Get-WmiObject -Class Win32_ComputerSystem).TotalPhysicalMemory+10MB)/1MB)

# Turn off the system-managed page file so the explicit sizes below are honoured
Set-CimInstance -Query "Select * from win32_computersystem" -Property @{automaticmanagedpagefile="False"}

# Set minimum and maximum to the same value; the change takes effect after a restart
Set-CimInstance -Query "Select * from win32_PageFileSetting" -Property @{InitialSize=$PageFileSize;MaximumSize=$PageFileSize}

Comodo Antispam Gateway

I was looking for a free antispam gateway for my lab and came across Comodo Antispam Gateway. It is free for 1 domain and 10 users.

Sign-up for the free license is here:

Why use this GW?

  • Easy configuration
  • Access via an admin interface
  • Quarantine, blocklist, whitelist – all accessible with the free license
  • AD synchronization (newly added), also available with the free license!

A few screenshots:

Admin interface:

Admin_comodo

Quarantine settings: Quarantine_settings

Incoming spam detection settings: Spam_detection settings