Active Directory Synchronization (DirSync) Deprecation 4 April 2017

Status: Active

Action Required by: April 4, 2017

Details: We will be removing the Windows Azure Active Directory Synchronization feature from Office 365, beginning April 4, 2017. You are receiving this message because our reporting indicates your organization is using Windows Azure Active Directory Synchronization. When this change is implemented, administrators will no longer be able to synchronize their Active Directories. Instead of using Windows Azure Active Directory Synchronization, use Azure Active Directory Connect.

Message Center: MC45036 – We are removing Windows Azure Active Directory Synchronization from Office 365

Posted: April 13, 2016

Additional Information: Upgrade Windows Azure Active Directory Sync (“DirSync”) and Azure Active Directory Sync (“Azure AD Sync”)

Azure AD Connect Adds Support for Windows Server 2016 and SQL 2016

If you’re a customer who uses Azure Active Directory Connect, you’ll want to know that Microsoft just released version 1.1.343.0, which adds support for Windows Server 2016 and SQL Server 2016 and fixes some bugs.

Improvements:
– Added support for installing Azure AD Connect on Windows Server 2016 standard or better.
– Added support for using SQL Server 2016 as the remote database for Azure AD Connect.
– Added support for managing AD FS 2016 using Azure AD Connect.

Fixed issues:
– Sometimes, installing Azure AD Connect fails because it is unable to create a local service account whose password meets the level of complexity specified by the organization’s password policy.
– Fixed an issue where join rules are not re-evaluated when an object in the connector space simultaneously becomes out-of-scope for one join rule and in-scope for another. This can happen if you have two or more join rules whose join conditions are mutually exclusive.
– Fixed an issue where inbound synchronization rules (from Azure AD) which do not contain join rules are not processed if they have lower precedence values than those containing join rules.

Setup MDT 2013 (Update 2) to encrypt Windows 10 devices (Laptops) automatically

This post will show you how to configure your environment for BitLocker, the disk volume encryption built into Windows 10 Enterprise and Windows 10 Pro, using MDT. BitLocker in Windows 10 has two requirements in regard to an operating system deployment:

  • A protector, which can either be stored in the Trusted Platform Module (TPM) chip, or stored as a password.

To configure your environment for BitLocker, you will need to do the following:
  1. Configure Active Directory for BitLocker.
  2. Download the various BitLocker scripts and tools.
  3. Configure the rules (CustomSettings.ini) for BitLocker.

Configure Active Directory for BitLocker

To enable BitLocker to store the recovery key and TPM information in Active Directory, you need to create a Group Policy for it in Active Directory. For this section, we are running Windows Server 2012 R2, so you do not need to extend the Schema. You do, however, need to set the appropriate permissions in Active Directory.

Note
Depending on the Active Directory Schema version, you might need to update the Schema before you can store BitLocker information in Active Directory.

In Windows Server 2012 R2 (as well as in Windows Server 2008 R2 and Windows Server 2012), you have access to the BitLocker Drive Encryption Administration Utilities features, which will help you manage BitLocker. When you install the features, the BitLocker Active Directory Recovery Password Viewer is included, and it extends Active Directory Users and Computers with BitLocker Recovery information.

Figure 2. The BitLocker Recovery information on a computer object in the contoso.com domain.

Add the BitLocker Drive Encryption Administration Utilities

The BitLocker Drive Encryption Administration Utilities are added as features via Server Manager (or Windows PowerShell):

  1. On DC01, log on as CONTOSO\Administrator, and, using Server Manager, click Add roles and features.
  2. On the Before you begin page, click Next.
  3. On the Select installation type page, select Role-based or feature-based installation, and click Next.
  4. On the Select destination server page, select DC01.contoso.com and click Next.
  5. On the Select server roles page, click Next.
  6. On the Select features page, expand Remote Server Administration Tools, expand Feature Administration Tools, select the following features, and then click Next:
    1. BitLocker Drive Encryption Administration Utilities
    2. BitLocker Drive Encryption Tools
    3. BitLocker Recovery Password Viewer
  7. On the Confirm installation selections page, click Install and then click Close.

Figure 3. Selecting the BitLocker Drive Encryption Administration Utilities.

Create the BitLocker Group Policy

Following these steps, you enable the backup of BitLocker and TPM recovery information to Active Directory. You also enable the policy for the TPM validation profile.

  1. On DC01, using Group Policy Management, right-click the Contoso organizational unit (OU), and select Create a GPO in this domain, and Link it here.
  2. Assign the name BitLocker Policy to the new Group Policy.
  3. Expand the Contoso OU, right-click the BitLocker Policy, and select Edit. Configure the following policy settings:

    Computer Configuration / Policies / Administrative Templates / Windows Components / BitLocker Drive Encryption / Operating System Drives

    1. Enable the Choose how BitLocker-protected operating system drives can be recovered policy, and configure the following settings:
      1. Allow data recovery agent (default)
      2. Save BitLocker recovery information to Active Directory Domain Services (default)
      3. Do not enable BitLocker until recovery information is stored in AD DS for operating system drives (do not enable this one; it would block encryption during the MDT deployment)
    2. Enable the Configure TPM platform validation profile for BIOS-based firmware configurations policy.
    3. Enable the Configure TPM platform validation profile for native UEFI firmware configurations policy.

      Computer Configuration / Policies / Administrative Templates / System / Trusted Platform Module Services

    4. Enable the Turn on TPM backup to Active Directory Domain Services policy.

(Don’t forget to disable Secure Boot before deployment and enable Secure Boot again after the deployment has completed successfully!)

Set permissions in Active Directory for BitLocker

In addition to the Group Policy created previously, you need to configure permissions in Active Directory to be able to store the TPM recovery information. In these steps, we assume you have downloaded the Add-TPMSelfWriteACE.vbs script from Microsoft to C:\Setup\Scripts on DC01.

  1. On DC01, start an elevated PowerShell prompt (run as Administrator).
  2. Configure the permissions by running the following command:
    cscript C:\Setup\Scripts\Add-TPMSelfWriteACE.vbs
    

Figure 4. Running the Add-TPMSelfWriteACE.vbs script on DC01.
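Once the GPO and the Add-TPMSelfWriteACE.vbs permissions are in place, the check a practitioner wants is whether a deployed laptop actually escrowed its recovery information. The following is an added example, not code from the original post; it assumes the ActiveDirectory module (RSAT) on a domain-joined admin host, and the computer name LAPTOP01 is a constructed sample value.

```powershell
# Added example, not part of the original post: after the GPO and the
# Add-TPMSelfWriteACE.vbs step, confirm that a deployed machine really
# escrowed its BitLocker recovery password and TPM owner info in AD DS.
# Assumes the ActiveDirectory PowerShell module (RSAT) on a domain-joined host.
function Test-BitLockerAdBackup {
    param([Parameter(Mandatory)][string]$ComputerName)

    $computer = Get-ADComputer -Identity $ComputerName `
        -Properties 'msTPM-OwnerInformation', 'msTPM-TpmInformationForComputer'

    # Recovery passwords are stored as msFVE-RecoveryInformation child
    # objects directly under the computer account, one per key protector.
    $keys = Get-ADObject -SearchBase $computer.DistinguishedName `
        -SearchScope OneLevel `
        -LDAPFilter '(objectClass=msFVE-RecoveryInformation)' `
        -Properties 'msFVE-RecoveryGuid', 'whenCreated'

    # Report only the password ID (the GUID shown on the recovery screen),
    # never the 48-digit recovery password itself, so output can be logged.
    $ids = foreach ($k in $keys) {
        [guid]::new([byte[]]$k.'msFVE-RecoveryGuid').ToString()
    }

    # TPM owner info lives on the computer object (2008 R2 style) or as a
    # linked msTPM-InformationObject (2012+ schema); either one counts.
    $tpmPresent = ([bool]$computer.'msTPM-OwnerInformation') -or `
                  ([bool]$computer.'msTPM-TpmInformationForComputer')

    [pscustomobject]@{
        Computer         = $computer.Name
        RecoveryKeyCount = @($keys).Count
        RecoveryKeyIds   = $ids -join ', '
        LatestBackup     = ($keys | Sort-Object whenCreated -Descending |
                            Select-Object -First 1).whenCreated
        TpmInfoInAd      = $tpmPresent
        Ok               = (@($keys).Count -gt 0) -and $tpmPresent
    }
}

# Constructed sample: check one laptop. Run it over the Bitlocker OU to find
# machines that encrypted without escrowing a key; those need attention.
Test-BitLockerAdBackup -ComputerName 'LAPTOP01'
```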

Add BIOS configuration tools from Dell, HP, and Lenovo

If you want to automate enabling the TPM chip as part of the deployment process, you need to download the vendor tools and add them to your task sequences, either directly or in a script wrapper.

Add tools from Dell

The Dell tools are available via the Dell Client Configuration Toolkit (CCTK). The executable file from Dell is named cctk.exe. Here is a sample command to enable TPM and set a BIOS password using the cctk.exe tool:

cctk.exe --tpm=on --valsetuppwd=Password1234

Add tools from HP

The HP tools are part of HP System Software Manager. The executable file from HP is named BiosConfigUtility.exe. This utility uses a configuration file for the BIOS settings. Here is a sample command to enable TPM and set a BIOS password using the BiosConfigUtility.exe tool:

BIOSConfigUtility.EXE /SetConfig:TPMEnable.REPSET /NewAdminPassword:Password1234

And the sample content of the TPMEnable.REPSET file:

English
Activate Embedded Security On Next Boot
*Enable
Embedded Security Activation Policy
*No prompts
F1 to Boot
Allow user to reject
Embedded Security Device Availability
*Available

Add tools from Lenovo

The Lenovo tools are a set of VBScripts available as part of the Lenovo BIOS Setup using Windows Management Instrumentation Deployment Guide. Lenovo also provides a separate download of the scripts. Here is a sample command to enable TPM using the Lenovo tools:

cscript.exe SetConfig.vbs SecurityChip Active

CustomSettings.ini

[Default]
SkipBitLocker=YES

[LAPTOP]
TaskSequenceID=LAPTOP
MachineObjectOU=OU=Bitlocker,OU=LAPTOPS,OU=Clients,DC=wardvissers,DC=local
BDEKeyLocation=\\mdt01.wardvissers.local\Bitlocker$

Cumulative Update 12 for Exchange Server 2013

Exchange team released CU12 for Exchange 2013

Issues that this cumulative update fixes:

KB 3143710 “Failed Search or Export” error occurs when an eDiscovery search in the Exchange Admin Center finishes

Cumulative Update 10 for Exchange Server 2013

Exchange Team has released Cumulative Update 10 for Exchange Server 2013.

From the Microsoft Exchange Team blog:

The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins, including MS15-103.

Cumulative Update 10 does not include updates to Active Directory Schema, but does include additional RBAC definitions requiring PrepareAD to be executed prior to upgrading any servers to CU10. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

The updates released today are important pre-requisites for customers with existing Exchange deployments who will deploy Exchange Server 2016. Cumulative Update 10 is the minimum version of Exchange Server 2013 which will co-exist with Exchange Server 2016.

For the full list of fixes check: KB3078678

Cumulative Update 10 is available for download here.

ExchangeLyncAdminScript.ps1 Script to Manage Exchange & Lync & Active Directory

Exchange & Lync Admin Script created by Ward Vissers
www.wardvissers.nl

Tool to Manage Active Directory & Exchange & Lync

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK
OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER

    Please select the admin area you require

        1. Active Directy Users Tasks
        2. Active Directy Computers Tasks
        3. Active Directy Groups Tasks
        4. Active Directy Protected From Accidental Deletion Tasks
        5. Active Directy FSMO Tasks
        6. User Profile Tasks
        7. Exchange Tasks
        8. Lync Tasks
        9. Quit and exit
    Enter Menu Option Number:

Download: https://gallery.technet.microsoft.com/scriptcenter/Exchange-Lync-Script-c079133e

Public Folder Migratie to Office365

Move Public Folder script from 2007/2010 to Office 365 Script created by Ward Vissers
www.wardvissers.nl

THIS CODE IS MADE AVAILABLE AS IS, WITHOUT WARRANTY OF ANY KIND. THE ENTIRE RISK
OF THE USE OR THE RESULTS FROM THE USE OF THIS CODE REMAINS WITH THE USER

Please Select the Choice You Want

Prepare for Migration (Legacy Exchange Server)
00) Add the Office 365 Domain Name
01) Take a snapshot of the original source folder structure
02) Take a snapshot of public folder statistics such as item count, size, and owner.
03) Take a snapshot of the permissions
04) Locate public folders that have a backslash in the name
05) Rename Public Folder
06) Checks the public folder migration status.
07) Set PublicFolderMigrationComplete to False

Check Office 365
08) Get-PublicFolderMigrationRequest
09) Get-Mailbox -PublicFolder
10) Get-PublicFolder

Generate CSV Files and create Public Folder Mailboxes (Legacy Exchange Server)
11) Export-PublicFolderStatistics PFSizeMap.csv
12) PublicFolderToMailboxMapGenerator PFMailboxMap.csv

Create the public folder mailboxes on Exchange Online
13) Master Public Folder Name
14) Create Public Folder Mailboxen (Check PFMailboxMap.csv)

Migrating the Public Folders
15) Export mail-enabled public folders from Active Directory
16) LegacyExchangeDN Administrator
17) LegacyExchangeDN Public Folder Server
18) External Name Outlook Anywhere
19) Set the XML file
20) Give the CSV file to start the Migration
21) Public Folder Migration Status

Lock down the public folders on the legacy Exchange server for final migration (downtime required)
22) Lock the legacy public folders for finalization

Finalize the public folder migration (downtime required)
23) Finalize the public folder migration (downtime required)

Test and unlock the public folder migration
24) Add Public Folder to Test User
25) Unlock the public folders for all other users
26) Public Folder Migration Complete (Legacy Exchange Server)
27) Public Folders Enabled Local

Final Check
28) Take a snapshot of the original source folder structure.
29) Take a snapshot of the public folder statistics such as item count, size, and owner
30) Take a snapshot of the permissions

99) Exit

Download: https://gallery.technet.microsoft.com/scriptcenter/Public-Folder-Migratie-to-25bd50a0

Exchange 2013 Setup Error: A Receive connector must have a unique combination of a local IP address & port bindings and remote IP address ranges

You may get this error while Exchange setup checks the Receive Connectors for local IP address/port bindings and remote IP address ranges on the server where you are installing a Cumulative Update. The error comes up at the “Mailbox Role: Transport Service” step of the setup/update process. Here is the detailed error message.

Error:
The following error was generated when “$error.Clear();
$connectors = Get-ReceiveConnector -Server $RoleFqdnOrName;
foreach($connector in $connectors) { if($connector.MaxLocalHopCount -gt 1) { Set-ReceiveConnector -Identity $connector.Identity -MaxLocalHopCount 5 } };
” was run: “Microsoft.Exchange.Management.SystemConfigurationTasks.ConnectorMappingConflictException: The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector “EX2013\Incoming from Internet – Dummy”. A Receive connector must have a unique combination of a local IP address & port bindings and remote IP address ranges. Change at least one of these values.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.
 
Error:
The following error was generated when “$error.Clear();
$connectors = Get-ReceiveConnector -Server $RoleFqdnOrName;
foreach($connector in $connectors) { if($connector.MaxLocalHopCount -gt 1) { Set-ReceiveConnector -Identity $connector.Identity -MaxLocalHopCount 5 } };
” was run: “Microsoft.Exchange.Management.SystemConfigurationTasks.ConnectorMappingConflictException: The values that you specified for the Bindings and RemoteIPRanges parameters conflict with the settings on Receive connector “EX2013\Default Frontend EX2013”. A Receive connector must have a unique combination of a local IP address & port bindings and remote IP address ranges. Change at least one of these values.
at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)
at Microsoft.Exchange.Configuration.Tasks.Task.WriteError(Exception exception, ErrorCategory category, Object target)
at Microsoft.Exchange.Management.SystemConfigurationTasks.SetReceiveConnector.InternalValidate()
at Microsoft.Exchange.Configuration.Tasks.Task.<ProcessRecord>b__b()
at Microsoft.Exchange.Configuration.Tasks.Task.InvokeRetryableFunc(String funcName, Action func, Boolean terminatePipelineIfFailed)”.

Explanation:

You cannot have the same combination of Local IP Address:Port bindings and Remote IP Address Ranges on two Receive Connectors, so you have to change one of these values on one of the Receive Connectors.

The problem is that you won’t be able to open the Exchange Admin Center (EAC) or the Exchange Management Shell (EMS) to modify the Local IP Address:Port Bindings or Remote IP Address Ranges on one of these receive connectors while setup is in this state.

Solution:

Exchange saves its configuration information in the Configuration Partition of Active Directory, so you can use any AD editor such as ADSIEdit.msc or ADExplorer.exe to modify this value. (Be careful while using these raw AD editors!)

  • Open ADSIEDIT.MSC.
  • Navigate to the following location: CN=SMTP Receive Connectors,CN=Protocols,CN=<ExServerName>,CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=<ExOrg Name>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<DomainName>,DC=Com
  • Right-click one of the Receive Connectors that shows up in the error and then click Properties. (It is recommended to modify the Receive Connector that was created manually and not the “Default Frontend <ServerName>” connector.)

Now change the value of either msExchSmtpReceiveRemoteIPRanges or msExchSmtpReceiveBindings following the steps below.

  • Locate the msExchSmtpReceiveRemoteIPRanges attribute. This attribute stores the values for the Remote Network Settings that you see in the EAC.
  • Remove the values here and add a unique IP address or IP range back.
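The cheaper route is to catch the conflict before Setup does, while the Exchange Management Shell still works. The following is an added example, not code from the original post or from Microsoft; it assumes the Exchange Management Shell on an Exchange 2013 server, and it treats an identical (binding, remote range) pair on two connectors as the conflict Setup rejects, which is an assumption; overlapping but different ranges are left alone.

```powershell
# Added example (not from the original post): run this BEFORE starting a
# CU install to list Receive connectors on a server that share the same
# local binding and the same remote IP range entry, the combination that
# Set-ReceiveConnector rejected in the error above.
# Assumes the Exchange Management Shell is loaded on an Exchange 2013 server.
# Assumption: an identical (binding, range) pair is the trigger; overlapping
# but non-identical ranges (e.g. 0.0.0.0/0 vs 10.0.0.0/8) are not flagged.
function Find-ReceiveConnectorConflict {
    param([Parameter(Mandatory)][string]$Server)

    $connectors = Get-ReceiveConnector -Server $Server

    # Flatten every connector into (binding, range) string pairs
    $pairs = foreach ($c in $connectors) {
        foreach ($b in $c.Bindings) {
            foreach ($r in $c.RemoteIPRanges) {
                [pscustomobject]@{
                    Connector = $c.Identity.ToString()
                    Binding   = $b.ToString()   # e.g. 0.0.0.0:25
                    Range     = $r.ToString()   # e.g. 0.0.0.0-255.255.255.255
                }
            }
        }
    }

    # Any binding+range key claimed by more than one connector is a conflict
    $pairs | Group-Object Binding, Range |
        Where-Object { @($_.Group.Connector | Select-Object -Unique).Count -gt 1 } |
        ForEach-Object {
            [pscustomobject]@{
                Binding    = $_.Group[0].Binding
                Range      = $_.Group[0].Range
                Connectors = (@($_.Group.Connector | Select-Object -Unique)) -join '; '
            }
        }
}

# Constructed sample: the server name from the error in this post. Fix the
# manually created connector with Set-ReceiveConnector -RemoteIPRanges (or
# -Bindings) before running Setup, rather than editing AD afterwards.
Find-ReceiveConnectorConflict -Server 'EX2013' | Format-Table -AutoSize
```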

Cumulative Update 8 for Exchange Server 2013

The Exchange team is announcing today the availability of Cumulative Update 8 for Exchange Server 2013. The Cumulative Update Package and UM Language Packs are now available on the Microsoft Download Center. Cumulative Update 8 represents the continuation of our Exchange Server 2013 servicing and builds upon Exchange Server 2013 Cumulative Update 7. The release includes fixes for customer reported issues, minor product enhancements and previously released security bulletins. A complete list of customer reported issues resolved can be found in Knowledge Base Article KB3030080. Customers running any previous release of Exchange Server 2013 can move directly to Cumulative Update 8 today. Customers deploying Exchange Server 2013 for the first time may skip previous releases and start their deployment with Cumulative Update 8 directly.

We would like to call your attention to a few items in particular about the Cumulative Update 8 release:

  • Calendar and Contact Modern Public Folders favorites added in Outlook are now accessible in OWA
  • Batch Migration of Public Folders to 2013 improves migration throughput and PF migration experience
  • Smoother migration for EAS clients to O365 with automatic profile redirect upon successful Hybrid migration to O365 (EAS client must support HTTP 451 redirect)

For the latest information and product announcements please read What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Cumulative Update 8 includes Exchange related updates to Active Directory schema and configuration. For information on extending schema and configuring the active directory please review the appropriate TechNet documentation. Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., CU8) or the prior (e.g., CU7) Cumulative Update release.
