Tuesday, 11 December 2012

AD FS Service fails to start when configuring AD FS on Windows 2008 SP2

In a recent deployment of AD FS on a small VM instance on Windows Azure I got the following error when configuring AD FS:

"Windows could not start the AD FS 2.0 Windows Service service on Local Computer - Error 1053"



I am not sure if it was due to the fact that I was using VM role on Azure or it was AD FS. Also I was extending an ADFS farm from on-premises which was based on a SQL database, so that's another thing that may have something to do with it. Although However here is how I fixed it:

1. Navigate to C:\Program Files\Active Directory Federation Services 2.0
2. Find and open Microsoft.IdentityServer.Servicehost.exe.config file
3. Modify it as follows:
under <runtime> tag, add this line:
<generatePublisherEvidence enabled="false"/>

So it would look like this:
I come across some blogs when I was investigating this issue which were suggesting to add a DWORD value "ServicesPipeTimeout" under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control and set the value to 60000. I tried this but it didn't resolve the issue. I suggest you try editing the XML file first, and if it doesn't work for you then modify the registry key.
And no need to thank me, just buy me a beer next time you see me ...

Tuesday, 13 November 2012

Yammer available with Office 365 and SharePoint Online from March 2013

From the 1st of March 2013, Yammer will be available on Office 365 E plans.

Yammer is a leading Enterprise Social Networking platform used by over 200,000 organizations worldwide and it has been described as a "Facebook for business". Yammer was launched in 2008 and is recently acquired by Microsoft.

This is how Yammer will be offered as part of Office 365 in March next year:

  • SharePoint Online (Plan 1) + Yammer Enterprise        $4 per user/per month
  • SharePoint Online (Plan 2) + Yammer Enterprise        $8 per user/per month
  • Office 365 E Plans 1–4 + Yammer Enterprise              $8–$22 per user/per month
Reference: http://sharepoint.microsoft.com/blog/Pages/BlogPost.aspx?pID=1049
Also check Yammer pricing here: https://www.yammer.com/about/pricing/

Monday, 29 October 2012

FOPE Connectors

In Forefront Online Protection for Exchange (FOPE), you can use FOPE connectors to implement advanced email flow scenarios to provide more control over the mail-flow in its various stages.

There are two sets of connectors that you can set up in FOPE; “Inbound Connector” and “Outbound Connector”. Inbound connector is for emails coming in to the organization and Outbound Connector is to deal with the emails sent out from an organization.
To setup an Inbound Connector in FOPE, follow these instructions:
1. Go to https://admin.messaging.microsoft.com/ and login with your admin credentials.
2. Under Administration > Company > Connectors > Inbound Connectors click on +Add
The following settings are available to you when setting up an Inbound Connector:
Connection settings
  • Source IP
  • Source Domain
  • Reject non Source IP
Security settings
  • Opportunistic TLS
  • Forced TLS
Filtering settings
  • Connection
  • SPAM
  • Policy

To setup an Inbound Connector in FOPE, follow these instructions:
1. Go to https://admin.messaging.microsoft.com/ and login with your admin credentials.
2. Under Administration > Company > Connectors > Outbound Connectors click on +Add
The following settings are available to you when setting up an Inbound Connector
Connection settings
  • Destination domain
Security settings
  • Opportunistic TLS
  • Forced TLS
Delivery settings
  • Smarthost
  • MX

Thursday, 11 October 2012

Hybrid Deployment Process in Office 365 using Hybrid Configuration Wizard in Exchange 2010 SP2

Exchange 2010 SP2 introduces the Hybrid Configuration Wizard which provides you with a simple process to configure a hybrid deployment between Exchange 2010 Hybrid server on-premises and Office 365 Exchange organizations. Hybrid Configuration Wizard was introduced in SP2 in an attempt to automate and simplify the Hybrid setup between Exchange 2010 on-premises and Exchange Online which was a very difficult task with more than 50 manual steps in SP1 now reduced to 6 steps which are all GUI based.

Although Hybrid Configuration Wizard is an amazing feature added in SP2 and it is quite easy to run through, there are many factors that can stop the wizard from completing successfully. In order to be able to troubleshoot when things go wrong, you will need to understand how the Hybrid Configuration Wizard functions and how the Organization Relationship creation works in the background when running the wizard.

When you run the Configuration Wizard, it first starts with collecting all the required information from the user and records it using the Set-HybridConfiguration command. This recorded information is referred to as “desired state”. Once the “desired state” is defined, Configuration Wizard starts deploying the Hybrid Configuration by running the Update-HybridConfiguration command. This command tells Hybrid Configuration Engine to start the Hybrid Configuration process. Once the Hybrid Configuration Engine is started, it reads the “desired state” in the HybridConfiguration object in Active Directory.

This Active Directory object stores the hybrid configuration information for the hybrid deployment and is updated using the Manage Hybrid Configuration wizard.

Next, Hybrid Configuration Engine uses Remote PowerShell to connect to your Exchange 2010 On-premises server and Exchange Online. Once the connection is established successfully, Hybrid Configuration Engine checks the “current configuration” and topology of the On-premises Exchange Server and Exchange Online.

Knowing the “current state” and “desired state”, Hybrid Configuration Engine figures out what the “difference” between the states are, and configures the Hybrid Organization to get to the “desired state”.

As Hybrid Configuration Engine just applies the “difference” then it means if you don’t change any details and rerun the wizard, it checks the ”current state” and “desired state”, and if no change is made then the “difference” would be nothing and basically tool will not apply any changes.

When Hybrid Configuration Wizard is setting up the Organization Relationship, it first checks the Federation Information using connection to Exchange Online CAS using Remote PowerShell running Get-FederationInformation –DomainName adopt-cloud.com. This requests a delegation token from the Microsoft Federation Gateway. Once it receives the delegation token, it then checks the public DNS to figure out where the autodiscover endpoint is.

Once on-premises autodiscover endpoint is located, Exchange Online Client Access Server uses the delegation token that it had previously received from Microsoft Federation Gateway to connect o Exchange 2010 on-premises CAS. In response, Exchange 2010 on-premises CAS sends back the Federation Trust details. This information includes ApplicationUri, DomainNames, TargetAutodiscoverEpr and TokenIssuerUris.

One of the main issues that may cause the wizard to fail as per my experience is that if the autodiscover is not published correctly or the incoming traffic targeted to Exchange 2010 on-premises CAS server is not directed to the Hybrid server correctly. This is more likely to happen in cases that you have recently added an Exchange 2010 Hybrid server to the environment just for the purposes of setting up Hybrid mail with Exchange Online and you never made sure that the server functions correctly as an Exchange server.

So I would say the best practise is to setup Exchange 2010 Hybrid server, apply all the patches etc. and then ensure it is fully functional before setting up the organization relationship, and definitely as part of this, you ensure that autodiscover works correctly internally and externally.

Wednesday, 3 October 2012

DirSync Write Back Attributes in Hybrid Environment

Microsoft Office 365 Directory Synchronization tool (DirSync) in a none-hybrid environment provides a one-way synchronization from your on-premises Active Directory to Office 365 environment. However when you setup a hybrid environment and run DirSync with the Hybrid check-box selected, it enables a few write backs to your environment which are as follows:

  • For "Filtering Coexistence" which provides on-premises filtering cloud safe/blocked sender data, the followings will be written back:
  • SafeSendersHash
  • "Cloud Archive" feature that allows you to archive mail in the Microsoft Online cloud writes back the following attribute:
  • msExchArchiveStatus
  • "Enable Mailbox" feature that offboards cloud mailboxes on premises writes back the following attributes:
  • ProxyAddresses (LegacyExchangeDN (cloud LegDn) as X500)
  • "Enable UM/cloud voice mail" is a new attribute that is used only for Exchange Unified Messaging–Microsoft Lync Server 2010 integration to indicate to on-premises Lync Server 2010 that the user has voice mail in the cloud. following attribute is written back for this feature:
  • cloudmsExchUCVoiceMailSettings

Office 365 Administrator Roles

Billing administrator
Makes purchases, manages subscriptions, manages support tickets, and monitors service health. 

Global administrator
Sign up to purchase Office 365, you become a global administrator 

Password administrator
Resets passwords, manages service requests and monitors service health 

Service administrator
Administers services, such as Microsoft Exchange Online, but does not require access to user management and other administrative functions. 

User Management administrator
Resets passwords, monitors service health, and manages user accounts, user groups, and service requests. Cannot delete a global admin or create other administrators

Monday, 3 September 2012

Manually reconfigure AD FS for Office 365 Single Sign-on implementation

When you initially install Active Directory Federation Services (AD FS) in your environment, AD FS MMC allows you to run the Initial Configuration, however once it is completed you will no longer see that option in the MMC.

If for any reason you decide to reconfigure ADFS in your Office 365 Single Sign-on implementation, you will need to navigate to %programfiles%\"Active Directory Federation Services 2.0"\ , which is the default installation directory for AD FS, and run “FsConfigWizard.exe”, however before running this wizard you need to manually remove traces of AD FS in your environment by following these instructions:
1. Open IIS and remove AD FS application from its application pool
2. Delete relevant AD FS application pool
3. Delete AD FS virtual directory under “Default Web site”
4. Delete AD FS folder from “inetpub”
5. Run the following commands:
C:\Windows\System32\inetsrv\appcmd delete app “Default Web Site/adfs/ls”
C:\Windows\System32\inetsrv\appcmd delete app “Default Web Site/adfs/card”

If above tasks are not done before attempting to reconfigure the AD FS, the configuration wizard will detect that there is an existing web site and will not recreate it in IIS.

Also when running the configuration wizard, as you are trying to reconfigure an existing AD FS server, it will detect the database of previous installation and present you with the option to “Delete Database”, you need to make sure that you check this box.

Thursday, 21 June 2012

Disable POP and IMAP in Office 365

To disable POP and IMAP for all users in Office 365, follow these steps:

 1. Connect to Exchange Online:
$Credential = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://ps.outlook.com/powershell" -Credential $Credential -Authentication Basic -AllowRedirection
$ImportResults = Import-PSSession $Session

2. Read all user mailboxes and disable POP and IMAP:
$Mailboxes = Get-Mailbox -ResultSize Unlimited
ForEach ($Mailbox in $Mailboxes) {$Mailbox | Set-CASMailbox -PopEnabled $False -ImapEnabled $False }

3. close your session to Exchange Online:
Remove-PSSession $Session

Friday, 16 March 2012

Price Drops on Office365 Plans

This week Microsoft announced new price reductions on most Office 365 plans. Price reductions
are effective for new and renewing direct customers since 14/03/2012. This price redution is a reflection of economies of scale and skill achived by Cloud technology.

Amongst these reductions, the most significant price drop is on SharePoint Online Additional Storage which has dropped 92% from £1.63/GB/month to £0.13/GB/month!!

Here is a list new and old prices and how they are compared:

Previous Cost
New Cost
Office 365 E1
Office 365 E2
Office 365 E3
Office 365 E4
Office 365 K2
Exchange Plan 1
Exchange Plan 2
SharePoint Plan 1
SharePoint Plan 2
Lync Plan 2
Web Apps with SharePoint  Plan 1
Web Apps with SharePoint  Plan 2
SharePoint Storage (GB)
Exchange Archiving

Tuesday, 6 March 2012

Filter Directory Synchronization (DirSync) for Office 365

Microsoft Online Services Directory Synchronization tool allows you to keep your local Active Directory continuously synchronized with Office 365. This tool synchronizes user accounts and groups from AD and global address list (GAL) from Exchange Server environment. DirSync is mainly used in scenarios which you want to have rich co-existence and Single Sign-On for identity federation between your AD and Office 365.
The default configuration of DirSync synchronizes almost all types of users from AD to Office 365 environment which meets the requirements of most organizations. However in some scenarios administrators may want to apply filters on DirSync to stop synchronization of some certain objects from AD to Office 365 e.g. filter out disabled user accounts or service accounts etc.
Microsoft Online Services Directory Synchronization uses Microsoft Identity Integration Server (MIIS) for its service. This can be found in C:\Program Files\Microsoft Online Directory Sync\Syncbus\UIShell path on your DirSync server.

If you open miisclient.exe you will notice there are two agents which both were created when you first setup DirSync.
To filter out what is synchronized from AD to Office 365, go to Management Agents, right click SourceAD and click on Properties

On the Properties screen navigate to Configure Connector Filter. If your organization requires more filters on any object types, this is the place to apply them.
Lets have a look at the “user” object type:  Under Data Source Object Type find “user” type.
You will see there are some existing filters already applied to user type.

To create more filters on users, select user object type and click New

To create a new filter you need to define the data source attribute and its condition(s). Below you can find a reference to LDAP attributes.
LDAP attributes reference for filtering:

CN - Common Name
CN=Guy Thomas.  Actually, this LDAP attribute can be made up from givenName joined to SN.
Maps to 'Name' in the LDAP provider. Remember CN is a mandatory property.  See also sAMAccountName.
What you see in Active Directory Users and Computers.  Not to be confused with displayName on the Users property sheet.
displayName = Guy Thomas.  If you script this property, be sure you understand which field you are configuring.  DisplayName can be confused with CN or description.
DN - also distinguishedName
DN is simply the most important LDAP attribute.
CN=Jay Jamieson, OU= Newport,DC=cp,DC=com
Firstname also called Christian name
Home Folder: connect.  Tricky to configure
name = Guy Thomas.  Exactly the same as CN.
Defines the Active Directory Schema category. For example, objectCategory = Person
objectClass = User.  Also used for Computer, organizationalUnit, even container.  Important top level container.
Office! on the user's General property sheet
Roaming profile path: connect.  Trick to set up
This is a mandatory property, sAMAccountName = guyt.  The old NT 4.0 logon name, must be unique in the domain. 
If you are using an LDAP provider 'Name' automatically maps to sAMAcountName and CN. The default value is same as CN, but can be given a different value.
SN = Thomas. This would be referred to as last name or surname.
Used to disable an account.  A value of 514 disables the account, while 512 makes the account ready for logon.
userPrincipalName = guyt@CP.com  Often abbreviated to UPN, and looks like an email address.  Very useful for logging on especially in a large Forest.  Note UPN must be unique in the forest.
Other Useful LDAP Attributes / Propeties
Country or Region
Company or organization name
Useful category to fill in and use for filtering
Home Phone number, (Lots more phone LDAPs)
l  (Lower case L)
L = Location.  City ( Maybe Office
Important, particularly for printers and computers.
Boss, manager
Mobile Phone number
Usually, User, or Computer
Organizational unit.  See also DN
Force users to change their passwords at next logon
Zip or post code
State, Province or County
First line of address
Office Phone
Enable (512) / disable account (514)