Office 365: Outbound conditional (per source domain) mail flow routing

Imagine this scenario: You have an anti-spam appliance in front of your Office 365 tenant, and you want outbound mail flow from your tenant to go via that appliance, but depending on what the email domain of the sender is. For example you have domainA.com and domainB.com as two vanity domains in Office 365, and you want User1@domainA.com outbound email to go via the mail appliance, but user2@domainB.com outbound email to go direct to the Internet.

The scenario above requires conditional routing, meaning the outbound mail flow path will be different depending on what the email domain of the source user (the sender) is. The example above is just one of several that might lead you to apply such configuration.

Now the important part: How do you configure it? Well, you can do it via PowerShell or via the UI, and to do the configuration you will need the following:

  • A Transport Rule
  • An Outbound Connector

Create the Outbound Connector

The first thing you need to create is the Outbound connector.

Via Exchange Online PowerShell

To create the connector via the PowerShell, connect to Exchange Online and run the following:

New-OutboundConnector -Name “To Internet Direct” -ConnectorType Partner -UseMXRecord $true -IsTransportRuleScoped $true

The command above creates a connector that goes directly to the Internet and it’s scoped to the transport rule we will create next. If you want to create a connector that goes via an appliance run the following:

New-OutboundConnector -Name “To Internet via Appliance” -ConnectorType Partner -UseMXRecord $false -SmartHosts <Appliance IP> -IsTransportRuleScoped $true

Via the Exchange Online Admin Center

Navigate to Mail Flow > Connectors and click “+”

1

Select Office 365 as source and Partner Organization as destination

2

Enter a name and description

3

Select “Only when I have a transport rule set up that redirects messages to this”

4

Select “Use MX Record” or “route email through these smart hosts” depending on if you want the email to go direct or via an appliance/smart host

5

Remove the always use TLS selection, unless the appliance or server your sending the email to is configured to use TLS

6

Confirm the settings and click next

7

Validate the connector and save

Create the transport rule

Once you have the outbound connector created, you can now create the transport rule.

Via Exchange Online PowerShell

To create the transport rule via the PowerShell, connect to Exchange Online and run the following:

New-TransportRule -Name “UseAppliance” -SenderDomain <Source Domain> -SentToScope NotInOrganization -RouteMessageOutboundConnector “To Internet Via Appliance”

The command above creates a transport rule, that uses the “To Internet Via appliance outbound connector, and that applies when the source domain is specific and the destination recipient is outside of the organization (very important setting).

Via the Exchange Online Admin Center

Navigate to Mail Flow > Rules and click “+ Create a New rule”

8

Click on more options

Give the rule a name

In the Conditions select “Apply this rule if..” > The recipient is located > Outside of the Organization

Click in Add Condition

Select “Apply this rule if..” > The Sender > Domain is > Enter the domain name of the source user

In the “Do the Following…” section select “Redirect the message to..” > The following connector. Select the outbound connector from the drop down list

Make sure the enforce rule option is selected

9

Now that you have both the transport rule and the outbound connector created, lets test and see if it’s being applied.

Test the routing

The first thing you should do is simple: Send an outbound email from the user that should have conditional routing applied to his domain. Make sure the email is to an external recipient.

Once you sent the email, in the Exchange Admin Center go to Mail flow > Message trace, select the sender you want to trace the message for and click on “search”

10

Note: It might take a few minutes after you sent the message before it shows in the message trace

Once you can see the message there, double click on it to see the details

11

In the details you can see if the transport rule was applied and the transport rule name

13

You will also be able to see if the message was delivered, is pending or has failed. This is key for you to troubleshoot the mail flow and see if the correct rules are applied and the correct outbound connectors are being used.

And that’s it. Job done! As always if you have questions let me know.

Advertisements

The complete journey from Google to Exchange Online with Free/Busy rich coexistence

When questioned by partners, on what is the best approach to plan and execute a move of a customer’s email system, from G-Suite to Exchange Online in Office 365, the first questions that I ask are:

How many users do you have to migrate?

Are you going to do a migration in batches (Staged) or cut over all users at the same time?

Usually when there’s a large number of users, the migration in batches is the preferred option. At that point you should consider two things:

  • How can I automate the mail flow changes
  • How can I have free/busy coexistence between G-Suite and Office 365

The answer to both questions above is simple: You can automate the mail flow and have free/busy coexistence if you use BitTitan MigrationWiz to move the mailboxes, and the BitTitan automation processes to help you with the changes you need to do per migration batch.

In the past I wrote an article on how to configure mail flow coexistence between Google Apps and Office 365, that can help you understand the configurations you need to do.

BitTitan also has a very good article on how you can automate the mail flow changes, on a mail migration from Google to Office 365, as well as the entire migration guide.

But I want to focus this article more on the free/busy rich coexistence, between Google and Office 365, the value that it brings to your migration and your customer, a technical overview on how it works, and of course how you can configure it.

What is the value on having free/busy coexistence between G-Suite mail and Office 365 Exchange online

User experience. It’s all about the user experience!!! If you are moving a 20k users company from Google to Office 365, you often get questioned about what the migration journey will mean for the end users, in terms of end user experience. When you provide your customer and their end users the ability to have not only mail flow coexistence (that one is mandatory of course) but also calendar free/busy lookup capabilities, you’re giving them the best experience they can have.

I have also seen more and more companies using the BitTitan Google coexistence tool for permanent free/busy coexistence between G-Suite and Exchange Online, so don’t think about it just like an add-on to a migration project, it can be much more than that.

How can I achieve that with BitTitan

Currently BitTitan will allow you to use the Google coexistence tool for free during 3 months, if you use BitTitan MigrationWiz to move all of the mailboxes. If you want coexistence for more than 3 months, or if you’re not using MigrationWiz, you will be quoted a price per user per month.

Note: The statement above was true when I wrote this article. There no guarantee that will be true when you read it so please contNact BitTitan for more information.

Why do I need a free/busy coexistence tool between Google and Office 365

The answer to this is short and simple: the Google Calendar Interop, which is the tool that you need to configure on your Google tenant to query free/busy from Exchange mail systems, cannot query free/busy information, from an Exchange Online mailbox, via the Exchange Web Services API and the Availability Service. Instead it will try and query free/busy information from an Exchange Public folder. The problem is that the newer versions of Exchange don’t support that method anymore.

So in essence, because the Google Calendar Interop hasn’t evolved to match the changes that the Microsoft Exchange product group implemented in the way the free/busy is queried, specifically on the transition from Exchange 2010 to Exchange 2013, you need a translation tool between Google and Office 365. That translation tool is the BitTitan Google Coexistence tool.

How do I configure the BitTitan Google coexistence tool

The answer is, you don’t. You configure the Google Calendar Interop and Exchange Online by creating an Organization Relationship, both to point to the BitTitan Coexistence service, and you also create a MigrationWiz project in the BitTitan portal, so that you can obtain your authentication token from the BitTitan Support (support@bittitan.com). See here the coexistence setup guide.

This is how the Google calendar interop should look like:

1

And to configure the calendar interop:

  1. login to https://admin.google.com
  2. Go to Apps > G Suite > Calendar > Calendar Interop Management
  3. Enter all the information as per the coexistence setup guide

This is how the Exchange Online Organization Relationship should look like:

2

And to configure the Organization Relationship:

  1. Download the Coexistence script from the BitTitan setup guide
  2. Add the details to the script as per instructions on the setup guide
  3. Open an Exchange Online PowerShell session
  4. run the script
  5. Verify if the Organization Relationship was properly created by running: Get-OrganizationRelationship |fl

Do I need contacts in each organization for the free/busy to work

No, you don’t need a contact in Google for each user from Exchange Online that you want to query the free/busy, nor you need them in Office 365 for each Google user. You should have contacts in both sides, but to make sure you have a unified Global Address list.

To be clear on this:

  • Peter@domain.com is a Google mailbox
  • John@domain.com is an Office 365 mailbox
  • You don’t need to create peter@domain.com as an Office 365 mail contact
  • You don’t need to create john@domain.com as a Google mail contact

But again.. you should.. having a unified GAL is usually mandatory and for sure highly recommended.

How do users query the free/busy information

As they do for any other internal user. They open their calendar app and enter the email address of the user on the other system or search for his contact created on the GAL if it exists.

To wrap this up, and please stay tuned for more blog post on this subject coming soon, the rich coexistence (mail flow and free busy) experience, when you’re migrating your customer from Google to Office 365, is very important and also very easy to achieve.

If you have any questions please feel free to reach out. I can help you understand it better as well as configure it.

As always I hope this post was helpful.

PS- The BitTitan coexistence tool also works between Google and Exchange 2010 Sp2+ on premises.

 

 

 

 

Understanding the admin authentication options when using the EWS API in your migration project

One of the major concerns of the consultant or the project manager, on a migration project, is how long will it take to migrate the mailboxes, and what timelines can they define as reasonable for the migration (or the migration batch) to be finished.

Having that in mind, the conversation around it needs to focus on two major factors:

  • What authentication method should we use
  • How can we minimize (or avoid) throttling

So let’s start by talking about the authentication method.

What are the available authentication methods?

Bittitan MigrationWiz, which of course leverages the Exchange Web Services (EWS) as the API to migrate to and from Exchange 2010+, allows you to use two type of admin authentication methods:

  • Delegation
  • Impersonation

Note: MigrationWiz also allows non admin authentication methods, which we will not discuss on this blog post.

What is delegation and how do I configure it?

Delegation is the authentication method in which the entire migration will be done from the calling account (admin account), that needs to have full access to all of the mailboxes that are being migrated. The requirements for delegation are:

  • admin account needs to be mailbox enabled
  • full access is required to all of the mailboxes being migrated (explicit permissions)
  • a throttling policy should be created and associated with the admin account

In the Bittitan community website you will be able to find instructions on how to configure delegation on the source and target Exchange systems. You can also find there how to create the throttling policy.

By default the MigrationWiz project will try and use delegation, so there’s no other change needed.

What is impersonation and how do I configure it?

Impersonation is the authentication method in which the migration will be done on behalf of the user account, that is being impersonated by the calling account (admin account). For this to happen the admin account needs to be granted rights to impersonate the user accounts being migrated. the requirements for impersonation are:

  • the admin account does not need a mailbox
  • impersonation rights need to be granted to the admin account, over all of the users being migrated
  • a throttling policy is not required but highly recommended

In the Bittitan community website, you will also find instructions on how to configure impersonation on the source and target Exchange systems. The instructions to create the throttling policy are the same you can find on the section above.

The default behavior from MigrationWiz is not to use impersonation, so please make sure you follow the MigrationWiz steps of the article above, to configure impersonation at the project level.

Should I use Delegation or Impersonation?

Now that I described what is Delegation and what is Impersonation, let’s discuss which one should you use for each scenario.

In my professional opinion, that I will detail below and explain why, this is what you should do:

  • If the Exchange system is Exchange Online (Office 365) use Impersonation
  • If the Exchange system is Hosted Exchange (online but not in Office 365) use Delegation
  • If the Exchange system is on premises use Delegation

So now let’s break it down per system.

Exchange Online (Office 365)

The main reason that you should use Impersonation when authenticating against Exchange Online is simple: You cannot create a throttling policy in Office 365 and impersonation is less subject to throttling than delegation. 

I don’t think I need to explain why you can’t create a throttling policy in Office 365, but why is impersonation less subject to throttling? Well the explanation is logic: The subscriptions will be charged against the throttling budget of the target mailbox and not the calling account (admin account), which in other words means that the admin account is doing the migration impersonating each target account and the throttling is being charged to the target accounts, making the limits much more flexible and the migration faster.

Another good thing about Exchange Online is that when you set the impersonation rights, you are of course setting them within the boundaries of your tenant, which is not necessarily true for hosted Exchange systems, as you’ll see below.

Hosted Exchange (not in Office 365)

Now when we look at a hosted Exchange and what admin authentication methods we can have, the main thing you need to keep in mind is that, we will have what the Hoster is willing to configure. And what might that be? Short answer will be Delegation.

Don’t get me wrong, if you manage to get a Hoster (or if you are part of a Hoster Exchange management team and you’re also driving the migration) to either create a throttling policy or configure impersonation associated with a management scope, then what I recommend is:

  1. If you can create a throttling policy then use Delegation and associate that throttling policy to the admin account
  2. If you can’t create a throttling policy but you can enable impersonation with a scope (explanation below) than enable and use Impersonation
  3. If none of the above is possible, then use Delegation

Note: when you set impersonation, if you don’t use a management scope, that will allow the admin account to impersonate any account on that hosted Exchange. That might (and should) be considered a security breach by the Hoster and therefore not possible to configure. Although possible, many Hosters might not be willing to configure impersonation with a management scope, or configure impersonation at all.

On Premises Exchange

Finally when the system is on premises Exchange, you will be able to do all necessary tasks, so why use delegation?

To be able to reach maximum speeds you will still have to create a throttling policy (if you can), so between impersonating and using delegation I do think that delegation and a throttling policy is the best way to go.

Remember when I said “Impersonation is the authentication method in which the migration will be done on behalf of the user account, that is being impersonated by the calling account (admin account).”? Well that’s not 100% true in all cases. Depending on your Exchange version, the subscription might be charged to the calling account, which in essence makes impersonation as effective as delegation in terms of throttling. See the table below:

Exchange version EWSMaxSubscriptions throttling budget accounting
Exchange Online Charged against the target mailbox.
Exchange 2013 Charged against the target mailbox.
Exchange 2010 SP3 Charged against the target mailbox.
Exchange 2010 SP2 Charged against the calling account. Starting with Exchange 2010 SP2 RU4, the budget is charged against the target mailbox.
Exchange 2010 SP1 Charged against the calling account.
Exchange 2010 Charged against the calling account.

Source: EWS throttling in Exchange

From the above table you will see that if you have an Exchange system older than Exchange 2010 SP2 RU4, impersonation and delegation will have the same impact from the throttling perspective. We know that Exchange Online does have a version newer than the one just mentioned, but that is not necessarily true for Hosted Exchange or Exchange On Premises, so have that in mind when planning the authentication methods.

So let me outline the reasons that should make you choose delegation when migrating from an on premises Exchange:

  • the speed of the migration will be highly dependent on the throttling policy, that you can and should create, as well as monitor the Exchange performance during the migration
  • Implementing delegation is easier, specially in cases where you want the admin account to just have rights over a subset of the mailboxes. It’s much easier to just give full access to some mailboxes when compared to give impersonation rights to just some users
  • the way throttling reacts when using impersonation and delegation is different. In my opinion when using impersonation you’re more likely face ErrorServerBusy errors (if you go over the limit of concurrent migrations) and that causes normally more migrations to fail. When using delegation the failures are more likely to happen on the accounts that caused the admin account to over the maximum subscriptions allowed

I know that the explanation above might be a little confusing, specially the last bullet point, but I do highly recommend that you read the EWS throttling in Exchange article, and if you have another idea on what method to use feel free to share it.

I do think that impersonation makes sense only on those scenarios where you cannot fully implement proper delegation, with throttling policies and processes defined to monitor the Exchange server resources during the migration window.

Some useful articles around this subject

The importance of EWS impersonation while using an application account: you will can read the author outline how impersonation is better from an application perspective, and delegation is more oriented towards user access. I also mentions that user access can be controlled and revoked by the end user, which can be true. But on a migration project MigrationWiz will use user access to get into the mailbox and move the data to a destination mailbox, which is exactly what delegation provides you. He also outlines how less complex and global the impersonation setting can be, which is true, but on a project when you only need to migrate a subset of the mailboxes, and where you don’t want to give global access, impersonation will be significantly more complex. In essence this article is a good read that outlines the positives of impersonation and why it’s a good option for application level access and not user level access.

Impersonation and EWS in Exchange: This is an excellent article and a must read, that details how application level impersonation works in Exchange.

So what is the bottom line? At the end of the day it’s still your decision of whether to use delegation or impersonation. I’d say that for some scenarios like Office 365, the decision is a no-brainer (impersonation of course), and in some other scenarios it will depend on what can you configure and what is the simpler and more effective configuration.

Like I stated above I am always more inclined to decide for delegation against Exchange on premises and hosted Exchange, and impersonation against Office 365.

As always I hope this article is helpful, and feel free to share your thoughts.

Understand and script the Get-MailboxFolderStatistics cmdlet

This blog post is going to give you some insight on how you can script the Get-MailboxFolderStatistics cmdlet, but also how to understand it’s output, as well as how is it important to plan a mailbox migration project.

Why are the mailbox folder statistics important to plan a migration project?

That is indeed the first thing you need to consider: Why do I need those statistics? To better answer that let me start by showing you an output of the command.

1

What you see above is the output of a mailbox, where I filtered the Folder Path, the number of items in the folder and sub folders, as well as the size of each folder. So let me bullet point why is this important for a migration project planning:

  • It will give you item counts per user and per item type (Mail, calendar, contacts). Those numbers are important, specially if extremely large, to estimate migration timelines when using the Bittitan MigrationWiz mailbox migration.
  • It will show you the size of every folder as well as the entire mailbox size. This is important to identify which folders are larger on a very big mailbox. I’ve seen examples of some of those folder being considered irrelevant for a migration (i.e deleted items, sent items) and with a flexible tool like the Bittitan MigrationWiz you can filter them out.
  • It will show you not only the folders visible to the end user, but also the recoverable deleted items folder. This might be very important in scenarios where you have in place hold active. It will give you the exact estimate of how many items are under in place hold on the recoverable items, that you will eventually need to move to the same folder on the destination mailbox.

So in summary, and giving a quick example, if you’re moving 1000 mailbox from Exchange Online tenantA to tenantB, you should use the Bittitan MigrationWiz tool, that will be not only fast but also flexible on what you can include and exclude in the migration, leveraging the Exchange Web Services API. To do that the insight of what’s in the mailbox is fundamental to plan the entire migration. You can plan the timelines and how long it will take, what type of licensing you will need at the destination tenant and many other important variables for the project.

How can I filter the output per item type?

When running the cmdlet you need to use the “-FolderScope” parameter to filter the output per item type. That parameter allows you to enter many different folder scope types, the most common being:

  • All
  • Calendar
  • Contacts
  • RSSSubscriptions
  • RecoverableItems

See the entire list in the official Technet article of the Get-MailboxFolderStatistics cmdlet.

Some cmdlet examples

See below some examples on how to obtain specific data:

Get total number of items in the mailbox (does not include recoverable deleted items):

Get-MailboxFolderStatistics user@domain.com | Where-Object {$_.foldertype -eq ‘root’} |ft folderpath, itemsinfolderandsubfolders, folderandsubfoldersize

2

Get total number of contacts in the mailbox:

Get-MailboxFolderStatistics user@domain.com -FolderScope Contacts |ft folderpath, items*, folderandsubfoldersize

3

Note: the above will work for calendar items if you change the folder scope from “Contacts” to “Calendar”

Get total number of items in the Recoverable deleted items folders:

Get-MailboxFolderStatistics user@domain.com| where {$_.FolderType -eq ‘RecoverableItemsRoot’}|ft folderpath, itemsinfolderandsubfolders, folderandsubfoldersize

4

And finally… the script that exports all of this to a csv:

Now that we discussed how important it is to get the statistics, and I gave you same examples on how to run some one line commands to get some insight on the mailbox, I will share with you a script that was done by me and my colleague and friend Alberto Nunes.

Below are the details of what the script does:

  • The script will run the statistics against a list of users that needs to be specified on a file called users.csv (see csv format below). The file needs to be on the same folder as the script.
  • The script runs Exchange PowerShell commands, so make sure you’re connected to the Exchange PowerShell (online or on premises)
  • The script will export the results to a file statistics.csv
  • The script will ask you for a source or destination parameter. The statistics for the recoverable deleted items folders will only be included if you select Destination.
  • This script is provided as is and there’s no guarantee that it will work in your environment.

The Users.csv file:

5

Note: Make sure you name the column A “EmailAddress”

The Script:

Copy the text below (in red) to a notepad. Save it as .ps1 and run it from a PowerShell session connected to Exchange.

#Start Script
Param
(
[Parameter(Position=0,Mandatory = $true)][ValidateSet(‘Source’,’Destination’,’MigrationWiz’)][String]$Location,
[Parameter(Mandatory = $false)][String]$Folder = “.”,
[Parameter(Mandatory = $false)][String]$UsersCSV = “Users.csv”,
[Parameter(Mandatory = $false)][String]$OutputCSV = “Statistics.csv”
)
Get-Date
$ErrorActionPreference = “SilentlyContinue”
$SourceFile = $Folder + “\” + $UsersCSV
$OutputFile = $Folder + “\” + $OutputCSV
$mailboxes = Import-Csv -Path “$SourceFile”
$CSV = @()
Foreach ($mailbox in $mailboxes)
{
Write-Host “Working on $($mailbox.EmailAddress)”

$AllStats = Get-MailboxFolderStatistics $($mailbox.EmailAddress)| Where-Object {$_.foldertype -eq ‘root’}

$ContactStats = Get-MailboxFolderStatistics $($mailbox.EmailAddress) -FolderScope Contacts
$TotalContactsItems = ($ContactStats | select -expand ItemsInFolder |Measure-Object -Sum).Sum

$CalendarStats = Get-MailboxFolderStatistics $($mailbox.EmailAddress) -FolderScope Calendar
$TotalCalendarItems = ($CalendarStats | select -expand ItemsInFolder |Measure-Object -Sum).Sum

$RSSFeeds = Get-MailboxFolderStatistics $($mailbox.EmailAddress) -FolderScope RssSubscriptions -ErrorAction SilentlyContinue
If ($RSSFeeds)
{
$TotalRSSFeeds = ($RSSFeeds | select -expand ItemsInFolder | Measure-Object -Sum).Sum
}
Else
{
$TotalRSSFeeds = 0
}

# In the source, we don’t need to know the Size of the RecovableItems
If ($Location -eq “Destination”)
{
$recoverableItems = Get-MailboxFolderStatistics $($mailbox.EmailAddress)| where {$_.FolderType -eq ‘RecoverableItemsRoot’}
[double]$recoverableSize = $recoverableItems.FolderAndSubfolderSize.TrimEnd(” bytes)”).Split(“(“)[1].replace(‘,’,”) |%{“{0:N2}” -f ($_ /1mb)}
}

$TotalMailItems = $AllStats.ItemsInFolderAndSubfolders – $TotalContactsItems – $TotalCalendarItems – $TotalRSSFeeds

$ISSize = $AllStats.FolderAndSubfolderSize.tostring()
[double]$ISSize =$ISSize.TrimEnd(” bytes)”).Split(“(“)[1].replace(‘,’,”) |%{“{0:N2}” -f ($_ /1mb)}

$Output = New-Object PSObject
$Output | Add-Member -MemberType NoteProperty -Name “User” -Value $mailbox.EmailAddress
$Output | Add-Member -MemberType NoteProperty -Name “Location” -Value $Location
$Output | Add-Member -MemberType NoteProperty -Name “TotalItems” -Value $AllStats.ItemsInFolderAndSubfolders
$Output | Add-Member -MemberType NoteProperty -Name “MailboxSize MB” -Value $ISSize
$Output | Add-Member -MemberType NoteProperty -Name “TotalContactItems” -Value $TotalContactsItems
$Output | Add-Member -MemberType NoteProperty -Name “TotalCalendarItems” -Value $TotalCalendarItems
$Output | Add-Member -MemberType NoteProperty -Name “TotalMailItems” -Value $TotalMailItems
$Output | Add-Member -MemberType NoteProperty -Name “TotalRSSFeeds” -Value $TotalRSSFeeds
If ($Location -eq “Destination”)
{
$Output | Add-Member -MemberType NoteProperty -Name “RecovableSize in MB” -Value $recoverableSize
$Output | Add-Member -MemberType NoteProperty -Name “RecovableItems” -Value $recoverableItems.ItemsInFolderAndSubfolders
$Output | Add-Member -MemberType NoteProperty -Name “Total Mailbox Size including Recovable” -Value $($ISSize + $recoverableSize)
$Output | Add-Member -MemberType NoteProperty -Name “Total Mailbox Count including Recovable” -Value $($AllStats.ItemsInFolderAndSubfolders + $recoverableItems.ItemsInFolderAndSubfolders)
}
$CSV += $Output
Write-Host “Completed $($mailbox.EmailAddress)” -ForegroundColor Green
}

$CSV | export-CSV “$OutputCSV” -NoTypeInformation
#End Script

To run the script you need to specify the location parameter:

.\MailboxFolderStats.ps1 -Location Source

.\MailboxFolderStats.ps1 -Location Destination (includes recoverable deleted items statistics)

As always I hope the above is helpful. Thanks for reading.

Office 365 tip: Enable Directory Sync via PowerShell

There’s no easy way to say this. The new Office 365 admin Portal comes with a new way to enable Directory Sync, a wizard that tries to guide you through with a series of questions and suggestions. The end result is bad, to say the least.

 

ADSyncWiz1

The wizard is confusing and the end result is sometimes not the expected. It happened to me several times finishing the wizard just to find out that Directory Sync was still disabled.

In my opinion things like finishing the wizard if you select “1-10” in the number of users of your organization, assuming of course that you don’t want Directory Sync, are not welcome. I understand the “dummy proof” idea behind it, but let’s face it not everything needs to be designed in such way.

ADSyncWiz2

As you can see above once you run the wizard you’ll get a summary report of the results, and links to download  AD Connect and the IdFix tool.

But the purpose of this blog post is to explain you how to get away from the wizard and on a simple command activate Directory Synchronization. Here it goes:

  1. Download and install the Windows Azure Active Directory Module for Windows PowerShell
  2. Connect to Office 365 and run the cmdlets below

ADSyncWiz3

Enable Directory Sync:

Set-MsolDirSyncEnabled -EnableDirSync $true

Verify Directory Sync state:

(Get-MsolCompanyInformation).DirectorySynchronizationEnabled

I hope the above is helpful. As always, any questions please let me know.

 

Office 365: Script to bulk change the UserPrincipalName to match the Email Address

When you are preparing your local Active Directory, to be synced with Office 365, one of the things you should consider is to make the UserPrincipalName of each user you are syncing to match the user’s email address. Why? Because that is going to be his UserPrincipalName and his primary SMTP address on Office 365.

So there are different ways of achieving this, some more manual than others. The procedure I am going to outline today on this blog post is a two step procedure:

Step 1: Export all UserPrincipalNames and Email Addresses from the local AD to a CSV File.

Step 2: Use that CSV file to bulk change the UserPrincipalNames to match those Email Addresses.

Like I said there are different ways of doing this, and I will probably develop a more elaborated script that can do this in a single step. The reason I went for this two step process is because most of the times customers want to check the CSV generated on step 1, and remove all the users that they don’t want to change the UPN, because those users will not be synced to Office 365.

Before we detail the steps above, make sure that you’ve added additional UPN domain suffixes for all the primary SMTP domains that you will have. See the article “How to add UPN suffixes to a forest” for more information.

Also have a detailed read on the article “Prepare to provision users through Directory Synchronization to Office 365”, to fully understand all the tasks you have to do to prepare your local Active Directory.

Making the UPN’s match the email addresses and have a domain that is validated on Office 365 is just one of the several tasks you have to do.

Now back to the two step process to change those UPN’s.

Step 1:

On step one all you have to do is open a PowerShell module on your local AD, and run the cmdlet below.

#Make sure you Import the Active Directory Module into your PowerShell session before you run the cmdlet

Import-Module ActiveDirectory

#Run the cmdlet to export all the users to a CSV. Change the CSV name and path as appropriate

Get-AdUser -Filter * -Properties UserPrincipalName, Name, EmailAddress | Select-Object UserPrincipalName, Name, EmailAddress | Export-CSV -Path C:\MyADUsers.csv -NoTypeInformation

After you run the cmdlet you should get a CSV like the one shown below:

ChangeUPN1

On the example above you can see that the UserPrincipalName does not match the user’s email address, and therefore needs to be changed.

Once you get the CSV check all users that you want to change and remove from that CSV the ones that you don’t.

Step 2:

Now that you have the CSV with all the users you want to change, all you have to do on step 2 is run the script below. The script will change all the UPN’s to match the email address, based on the CSV file you will use.

#Script to Change the UPN on the Active Directory#
#This script should run from an Active Directory Module for Windows PowerShell#
#Version 1.0 – 06/30/2015#
#Author: Antonio Vargas#

$UserCount = 0

Import-Csv -Path C:\MyADUsers.csv | ForEach-Object {

$UPN = $_.UserPrincipalName
Write-Host “Working on user:” $UPN
Get-ADUser -Filter {UserPrincipalName -Eq $UPN} | Set-AdUser -userprincipalname $_.EmailAddress
$usercount = $usercount +1
}
Write-Host “Number of users on your CSV: $UserCount”
Write-Host “UPN’s Changed”

Copy the entire content above into a notepad, and save it as a .ps1 file.

The script above is a very simple script that will read from the CSV. Before you run the script make sure you import the Active Directory module, as described on step 1, into your PowerShell session.

I highly recommend running the script first against a small group of up to 5 users, and then make sure that the changes were applied successfully. Also you need to take into account that you are changing the UserPrincipalName of the user on your local Active Directory, so make sure to test the access to all internal systems that rely on AD for authentication, before you replicate the change to all of your users.

As always, if you have any questions please let me know.

Office 365 AADSync Password Sync failed: Event 611 System.MissingMethodException

Just recently I installed the Microsoft Azure Active Directory Sync, and faced a strange issue: Password Sync was not working. When a password was updated on premises, those changes were not being replicated to Office 365. I was installing AADSync on a Windows 2008 R2 Operating system.

The Microsoft Azure Active Directory Sync tool event ID’s, that you can see on your server event viewer, are actually very good and make the job of troubleshooting the tool much easier. There is a Microsoft support article on how to troubleshoot AADSync that has all the event ID’s and if you’re having problems with the tool you should definitely have a look into it.

On my scenario, I went to the event viewer and immediately detected the event ID 611, that was stating that the Password Sync was failing for my internal domain, as shown below:

PassSync1

I started trying to understand why, and here’s what I looked at:

  • I had no firewalls between the AADSync Server and the AD Domain controllers
  • Both servers were on the same subnet and with the local firewall disabled
  • AADSync was communicating with the Domain Controllers and all other tasks were working, except the Password Sync feature

So there was no way that this was about networking. So I circled back to the prerequisites of AADSync and found out what the problem was:

I had installed Microsoft .Net Framework 4.5, and it actually was good enough to allow me to install AADSync, and you can actually find a lot of guides out there that state that the 4.5 version is good enough, but when you’re installing on a Windows 2008 R2 it’s not, and I needed to install Microsoft .Net Framework 4.5.1.

Once I upgraded the .Net Framework to 4.5.1 everything started to work.

Enable-MailUser errors: “Exchange GUID is mandatory on User mailbox” & “Database is mandatory on User mailbox”

Not long ago I had to prepare an Active Directory to be synced with an Office 365 tenant. The company wanted to have Azure Active Directory Sync installed on premises, and sync all the users (and passwords) to Office 365. The plan was to use several of the Office 365 services, with of course Exchange Online included (it always is, right? ).

Because the company was using Azure Active Directory Sync, part of the preparation of the on premises Active Directory was to install an on premises Exchange 2013 Management Server (see here why should you keep at least one Exchange Management Server on premises when you are using AADSync), and to convert all users that will have a mailbox on Office 365 into mail users on premises, so that they can be manageable from the Exchange tools, and have all Exchange attributes. If you have a Hybrid deployment an Exchange mailbox user on Office 365 should be a Remote Mailbox object on premises, but if that is not the case (and for me it wasn’t) a mail user is enough.

Not let’s go straight to the problem I had and that is mentioned on this article title.

When I tried to enable all the users as mail users, I got the following error for almost all of them:

“Exchange GUID is mandatory on User mailbox”..

“Database is mandatory on User mailbox”..

1

So that got me thinking, and the first thing that came to mind was: What Mailbox? The users I am trying to enable as mail users are not mailboxes.

So I went and checked the users properties on AD, went to the attribute editor and find out that although all the users that I was trying to change were not mailboxes on Exchange, most of them had the msExchHomeServerName attribute populated with the LegacyExchangeDN of the server that was probably hosting their mailbox before it was disabled. Something clearly went wrong on the process of disabling those mailboxes in the past, and I needed to remove those attributes.

When I identified that attribute as the possible cause, the next thing I did was to remove that attribute from a single user, and tried to run the Enable-MailUser Exchange cmdlet only against that user. It worked, that was the attribute causing the issue. By the way I highly recommend that you follow the same approach and don’t go and remove an attribute for hundreds of users without making sure that it is the attribute that is causing you the issue.

One other thing that I need to stress here is that those users from which I removed the msExchHomeServerName attribute were NOT mailboxes on my Exchange on premises. DO NOT remove that attribute from production mailboxes!

Not let me tell you how I automated the process to remove the attribute from all my faulty users.

First I needed to have a CSV file with all the users that had the issue. In my case no user on premises had a mailbox, except my admin user, so all I had to do was take a full list of the users and exclude the admin before using the CSV to delete the attribute. On the Exchange Management Shell I ran:

Get-ADUser –filter * -Properties msExchHomeServerName | where-object {$_.msExchHomeServerName –ne $null} |ft userprincipalname, msExchHomeServerName

2

And to export the result to CSV:

Get-ADUser –filter * -Properties msExchHomeServerName | where-object {$_.msExchHomeServerName –ne $null} |Select-object Userprincipalname, msExchHomeServerName | Export-CSV C:\Scripts\UsersToChange.csv –NoTypeInformation

3

4

And again I can’t stress this enough, if you do have some mailboxes on premises you might want to either filter the CSV you get as an output or put an “-And” on the where-object statement above to exclude the mailboxes using an attribute that the users with problems don’t have (i.e msExchRecipientType)

Not that I had the CSV I needed a script to read from that CSV and delete that attribute on all the users with problems. I found this excellent script on the TechNet Gallery that removes Exchange Attributes using PowerShell. But the script had two problems:

  • It removed more attributes that I wanted/needed to
  • It prompted you to enter the users one by one, and I had hundreds

So I created king of a version 2.0 of the script, but to my own purpose of course, so that the script could read from the CSV and automatically remove the attributes from all the users in it.

See below the part that manners on the script, that you need to copy into a notepad and save as .ps1:

Write-host

Remove Exchange Attributes

—————————-

Remove Exchange 2013 Attributes for a Corrupted Active Directory Account

This Script will use a CSV as baseline

Caution : Mailbox Will Go Disconnected and Exchange Attributes will be Removed” -ForeGround “Cyan”

$AllAccounts = Import-Csv -Path C:\Scripts\UsersToChange.csv

foreach ($Account in $AllAccounts) {

$ADaccount = Get-User $Account.Userprincipalname

$FullDistinguishName = “LDAP://” + $ADaccount.distinguishedName

$AccountEntry = New-Object DirectoryServices.DirectoryEntry $FullDistinguishName

$AccountEntry.PutEx(1, “msExchHomeServerName”, $null)

$AccountEntry.SetInfo()

write-host “Changes made to account” $Account.userprincipalname

}

Make sure you edit the path and the file name of the CSV, and you are ready to run the script.

5

Once it’s done go to the user’s attribute editor on Active Directory and see if the value of the msExchHomeServer attribute is null.

6

And re run the Enable-MailUser Exchange cmdlet for all your users again.

7

Job done! Any questions let me know.

Raise your Exchange Server EWS limits prior to starting your MigrationWiz project

There’s an excellent Microsoft article on TechNet that explains how to configure client-specific message size limits, in Exchange 2013.

There are a lot of good reasons to raise your client limits, as there are also a lot of reasons not to. As long as you’re aware of what your on premises Exchange Server can handle, and you’re not exposing the server to overload or degradation of the service, by raising those limits, than from my perspective, you’re fine doing it.

UPDATE: Michael de Rooij just brought to my attention an excellent script he has, that automates everything described on this post. You can read his article here and download the script here. If for some reason you still want to change it manually, continue reading the steps described below.

On this blog post we are going to change the Exchange Web Services limits. The reason behind it is simple: MigrationWiz leverages the Exchange Web Services to move data to and from your Exchange based systems (on premises or in the cloud), and the default limits on an Exchange 2013 will make the migration of every item over ~35MB fail. The solution to have those items migrated is to increase the EWS limits on your target Exchange Server.

Now let me show you what to do that.

To get the limits raised you need to edit the web.config file on both your Exchange 2013 Client Access and Mailbox Servers. The values you need to edit are:

Serve role Configuration file Keys and default values Size
Client Access %ExchangeInstallPath%FrontEnd\HttpProxy\ews\web.config maxAllowedContentLength=”67108864″ bytes
Mailbox %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config maxAllowedContentLength=”67108864″ bytes
Mailbox %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config 14 instances of maxReceivedMessageSize=”67108864″ bytes

In my case I will raise the limit to 200MB. Go here to convert the 200MB in bytes.

200MB = 209715200 Bytes

Let’s edit the web.config

1

Above you can see the path on the Client Access Server.

2

Search for the value to change on the CAS server, and edit it to match the 200MB.

Do the exact same change on the mailbox web.config file, on your mailbox server, or if you have both CAS and Mailbox on the same server, go to the path: %ExchangeInstallPath%ClientAccess\exchweb\ews\web.config

Once the maxAllowedContentLenght change is made on both web.config files, you need to change 14 instances of the maxReceivedMessageSize value, on the Mailbox Server web.config

3

Go to the Mailbox server web.config file location (also used on the maxAllowedContentLenght change).

4

Search and replace the 14 instances.

Once the changes are made, save the web.config file and do an IISReset from the command prompt.

Note: In the web.config file on Mailbox servers, there are also two instances of the value maxReceivedMessageSize=”1048576″ forUMLegacyMessageEncoderSoap11Element bindings that you don’t need to modify.

Now your on premises Exchange Server will be able to handle much larger files via EWS.

How to configure mail flow coexistence between GApps and O365 using internal relay domains and mail users

Are you planning to move your e-mail system from Google Apps to Office 365? Do you have a large number of users, and therefore migrate the users in stages, and therefore set up mail flow coexistence between the two systems? Keep reading.

On this blog post I am going to guide you through the process of setting up mail flow coexistence, between Google Apps and Office 365.

There are several ways to achieve the mail flow coexistence, from an Office 365 perspective, such as:

  • The Internal relay domain with mail users method
  • The Criteria Based Routing method

This blog article will guide you through the mail flow coexistence configuration, using the internal relay domain method. This method as some pros and cons when compared to others, such as:

Pros:

  • Easy to configure
  • If the processes are well defined it’s also easy to manage as the migration goes along

Cons:

  • Requires more processes during the migration stage
  • Requires more changes post migration
  • When not using Dirsync or AADsync the users on Office 365 need to be created via the Exchange Admin Centre or the Exchange Online PowerShell, which makes the user creation process more complicated.
  • When you enable a mailbox on Office 365, for a user being migrated, all new e-mails coming from other Office 365 users (and external users if you already changed the MX record to Office 365), will not reach the Google Apps mailbox and stay only on the Office 365 mailbox. This makes that the process of migrating the user data has to be managed in batches of users, and done ideally over the weekend.

In my opinion, if you’re using Dirsync this method is an option you should consider.

Now let’s get what matters: the steps for configuring mail flow coexistence between Google Apps and Office 365.

Step 1 – Validate your domain on Office 365:

Of course if you are moving to Office 365, the first thing you need to make sure is that your domain is validated there, and enabled for Exchange Online.

On my scenario, the domain that I am using is myexchlab.com

1

I am not going to give you a step by step guide on the simple tasks, such as adding and validating the domain on Office 365, to keep this blog post focused on the essential, which is to set up the mail flow coexistence.

As you can see above you need to make sure that your domain is added and validated, and that the domain purpose is set to ExchangeOnline.

2

As you can also see above, on my Google Admin Portal, my domain is also validated and working there, as that is my current production environment.

Step 2 – Create and enable your Office 365 users as mail users

Depending on the way you create the users, they can already be mail users on Office 365, i.e. if you are using Dirsync or AADSync to push your users to Office 365, you should have them as mail users on premises, which will also make them mail users on Office 365.

To sum up, there are two ways to create all your users as mail users on Office 365:

  • If you’re using Dirsync enable them as mail users on premises and push them to Office 365
  • If you’re not using Dirsync you need to create all your users via the Exchange Online PowerShell, or the Exchange Admin Centre, directly as mail users. The reason is simple: In Office 365, it’s not supported to enable a user without Exchange attributes (just a regular MSOL user) as a mail user. The only way to give him Exchange attributes is to enable an Exchange Online license and create him a mailbox.

In my case I am not using Dirsync, so I am going to show you how to create all my users as mail users. To do so you can use a script (let me know if you need one), or do it manually via the Exchange Online management Shell.

Connect to the Exchange Online Powershell, and run the following cmdlet:

New-MailUser -Name “GApps1” -Alias Gapps1 -ExternalEmailAddress Gapps1@myexchlab.com -FirstName GApps1 -LastName 1 -MicrosoftOnlineServicesID GApps1@myexchlab.com -Password (ConvertTo-SecureString -String ‘P@ssw0rd’ -AsPlainText -Force)

3

Repeat the step for each user you want to create.

4

Now I have GApps1 and GApps2 created on Office 365, both users also exist and have their productions mailboxes on Google Apps.

5

The users are also Exchange mail users, which is fundamental to have both an up to date Global Address list on Office 365, and to make the mail flow coexistence work.

I know that this way of creating the users might seem a bit manual, but there are two things you need to consider:

  • Most of you will be using Dirsync, which makes the user creation process much simpler.
  • You can script the user creation via the new-mailuser cmdlet and make your live easier.

Step 3 – Configure the routing domain in Office 365

In order to have mail flow coexistence between Google Apps and Office 365, you need to set up a forwarding address in each Google Apps user you move to Office 365. In order for it to work, the forwarding address needs to be from a sub domain of your main email domain. In my case I will use onprem.myexchlab.com which is a subdomain of myexchlab.com.

To properly configure the subdomain you need to:

  • Validate it on Office 365 and configure it for Exchange Online
  • Create an MX record for that subdomain, that points to office 365
  • Make sure that the users have a secondary SMTP address for that subdomain, that you will use as forwarding address on google

To validate the routing domain, go to the domains section on your Office 365 portal and click to add a domain.

As the domain is a subdomain of your main e-mail domain, the validation should be instant.

Skip the steps to add users, and make sure that you choose Exchange as domain purpose, as sown below.

6

The Office 365 wizard will give you an option to add the DNS records (depending on your domain name provider), or you can just copy and paste the DNS records and add them yourself. The only relevant record that needs to be created, is the MX record.

7

Make sure you verify that the MX record is created.

8

Step 4 – Configure Exchange Online for mail flow coexistence

On the Exchange Admin Centre of your Office 365 tenant, you need to do two things:

  • Configure your main domain as internal relay
  • Create a send connector to send e-mail to your Google Apps

To configure your domain as internal relay, log in to your Office 365 tenant, and on the bottom left click on “Admin > Exchange”.

On the Exchange Admin Centre go to “Mail Flow” and click on the “Accepted Domains” tab.

9

Select your main e-mail domain, in my case myexchlab.com, and click edit.

10

Select “Internal Relay” and click save.

Now let’s create the send connector. On the Exchange Admin Centre, select “Mail Flow” and click on the “Connectors” tab.

11

Click on the “+” to add a new connector.

12

When creating the new connector, select from Office 365 and to your organization’s email server.

13

Select a name and keep the existing options selected.

14

Select “Only when email messages are sent to these domains” and click on “+” to add your main email domain.

15

Enter one (or several) of the available Google Apps MX record as a smarthost.

16

You can check the Google Apps MX records by doing an nslookup to your domain.

17

Untick the always use TLS option and click next twice.

18

Finally enter a valid e-mail address from your Google Apps environment, and click validate. Make sure the test succeeds.

Migration steps

Now that you have Office 365 configured for mail flow coexistence, let me give you a quick overview on the migration steps:

Define a migration batch

The first thing you need to do is define a group of users to be migrated. Because there’s no sharing of resources cross platforms (i.e calendars), I highly recommend you approach your migration batches on a per department basis. You might want to export all e-mail addresses of the users being migrated, into a CSV file, in order to use that file to script all the forthcoming tasks.

Activate the user licenses in Office 365

Once you have your group of users defined, you need to activate an Exchange Online license for them on Office 365. Like stated previously you can script that, but for the purposes of this blog post I will just activate the license manually, as the main goal here is to explain how to set up the mail flow coexistence.

19

Go to your Office 365 admin portal, click on “Users > Active Users”, select the user you want to license and add an Exchange Online license.

20

Via the Exchange Admin Centre you will be able to see that, the user is no longer a mail user, and it’s now a mailbox.

Note: As stated before, all e-mail coming from other Office 365 users, or external e-mail if you changed the MX record of your main domain to point to Office 365, will now stay on the GApps1 Office 365 mailbox and not on his Google Apps mailbox.

Migrate your user’s data

Now it’s time to push all the data from Google Apps to the newly created Office 365 mailbox. And how can you do that? Well the answer is simple: Use the best tool in the market. MigrationWiz from BitTitan.

https://www.bittitan.com/products/migrationwiz/about

21

MigrationWiz will move all your emails, calendars and contacts, from Google Apps to Office 365. In addition you can also move your Google Drive and your Google Vault data, with other types of migrations supported by the same tool.

Set up the forwarding address on Google Apps

Now at the same time you start to move the data, you need to set up a forwarding address on the Google Apps accounts you’re migrating. I’ll be blogging soon an explanation on how MigrationWiz automatically sets that up for you, but for now I will again do it manually on my GApps1 user.

Log in to https://admin.google.com

Go to Users and click on the user you want to set up the forwarding. Click on “Account”.

22

On the Email routing section add the forwarding address. Untick the “Change SMTP envelope”, the “Google Apps email” (leave a copy on the source) and the “Inherit routes from <your domain>”.

Important note: do not leave a copy on the source mailbox, or else when moving the data to Office 365 via MigrationWiz, you might get duplicates.

23

Another thing that you need to make sure is that all the users being migrated have a @onprem.myexchlab.com secondary SMTP address.

Connect the users to Office 365

Once all the data is migrated all you have to do is set up your users to connect to Office 365 and start working there.

BitTitan also has a tool to help you automate that process: DeploymentPro

https://www.bittitan.com/products/deploymentpro/about

DeploymentPro will configure Outlook for all your users, and bring all attached PST files and signatures from the old profile (if applicable).

Test mail flow

Now that we’ve covered all the migration steps, it’s time to test mail flow between:

  • GApps1 that was migrated to Office 365
  • GApps2 still in Google Apps

Test message from the Internet to GApps1 (Office 365)

With the MX record still pointing to Google Apps, we will send a test message from the Internet to GApps1, that was already moved to Office 365.

24

25

As you can see the message got delivered to Office 365.

Test message from GApps2 (Google Apps) to GApps1 (Office 365)

Now let’s send a message from a Google Apps user to an Office 365 user.

26

27

And again message delivered to GApps1 Office 365 mailbox.

Test message from GApps1 (Office 365) to GApps2 (Goggle Apps)

Now the most relevant test, the one this blog post is all about: mail flow between Office 365 and Google Apps.

Let’s reply to the GApps2 email.

28

29

And there you go. Working!

Internet mail flow considerations

On this coexistence scenario, there is no centralized outbound mail flow, which in essence means that Office 365 users will email directly to the Internet, and the same of course will happen to Goggle Apps users. Having said that, you need to make sure that your SPF record is up to date, and reflects that scenario. For help setting up your SPF record, go to the Microsoft SPF record wizard page.

Summary

Most of the configurations described above only need to be done once, but on the migration steps section you will want to automate everything. I’ve seen a lot of companies concerned with things like setting up the forwarding address on Google Apps, or scripting the way you enable licenses for users. One of my next blog post will be how MigrationWiz automates the forwarding address configuration, and you can ping me if you need more information about that, or if you need scripts for things like enabling the licenses on Office 365.

As stated on the beginning of this post, there are other methods to configure mail flow coexistence between Google Apps and Office 365, and I will soon be blogging about them so stay tuned.