Saturday, December 30, 2017

Removing O365 Hybrid Config - Exchange 2010/2016

I'm finishing up our company's migration to O365/Exchange Online (EXO). When migrating your on prem users to EXO, O365 provides a Hybrid Configuration Wizard (HCW) that does the bulk of the work of setting up your servers to talk to O365 and vice versa.

Once the HCW completes, all you should have to do is log on to your O365 global admin account and migrate users. This is great, but...

They have next to no documentation on how to remove the hybrid configuration, especially if you want to keep an exchange server on prem.

Let's take a few minutes and discuss why you would want to keep an Exchange server on prem. It took me a little time to figure out why, as I couldn't follow some of the blog posts on it.

The main reason you would want to keep an on prem Exchange server is if you are using AD Connect (formerly called DirSync) to sync passwords and users from your on prem AD to Azure AD/O365.

If you have AD Connect syncing to Azure AD/O365, then your on prem AD is still the source of authority. Basically this means that even though all your users' mailboxes are in O365/EXO, you can't manipulate their attributes from the cloud. For example, you can't add another SMTP email address to a user using the O365 admin page; it will give you an error telling you that the attributes are managed in your on prem AD. To get around this, you should keep an Exchange server on prem. This server does not need to be anything big, maybe a small VM running the Mailbox role if using Exchange 2016. All you need it for is to manage users.

In my case I had an Exchange 2010 environment and all I wanted to do was remove those 2010 servers and keep the 2016 server, but I couldn't find anything that told me the order to do things in, or how to create mailboxes on prem that would then sync up to O365 so that EXO creates the mailbox for the user.

I finally found THIS site on TechNet. While it was an older post, it worked for me. My only issue was that when I tried to remove the Federation trust with the PowerShell command I got an error, so I just went to the EMC and removed it from there.

At this point my confusion was (and always has been): how do I now get my 2016 server to create a mailbox for a user and send it to O365 now that the hybrid config is gone? I couldn't find any place that tells you what to do, only that it's possible.

Turns out it is easier than I thought. Once you create your user in AD, run this command in EMS:

Enable-MailUser -Identity John -ExternalEmailAddress john@contoso.com

This will create the correct attributes so that when AD Connect syncs the changes to Azure AD/O365, it will create the mailbox for that user, as long as you have given that user the correct license in O365.

The one thing I do notice when I do this is that on my 2016 server, the user is listed under Contacts and not under Mailboxes. All the users that I migrated using the HCW show up in the mailbox section as O365 users. In the O365 admin center, the user shows up in the mailbox section.

I'll update the post if I find a way to make it show up as a mailbox in both. Hopefully there is one, so that I can keep everything consistent.

EDIT 12/31/17 - I found out that if you run this command after creating a user, it will create the mailbox in O365 and it will be listed as an O365 mailbox on the 2016 server:

Enable-RemoteMailbox "wjones" -RemoteRoutingAddress "wjones@mycompany.mail.onmicrosoft.com"
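As an added example (not code from the post), here is the command from the EDIT wrapped in a loop so several new AD accounts can be given remote mailboxes at once, with a check that skips accounts that already have an on prem or remote mailbox. It assumes you are in the Exchange Management Shell on the 2016 server, that a CSV named newusers.csv has a SamAccountName header, and that mycompany.mail.onmicrosoft.com is a placeholder for your own tenant's coexistence domain.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell
# on the on prem Exchange 2016 server after the AD accounts have been created.
# Assumptions: newusers.csv has a header of SamAccountName; the routing domain
# below is a placeholder for your own <tenant>.mail.onmicrosoft.com domain.
$RoutingDomain = "mycompany.mail.onmicrosoft.com"
$NewUsers = Import-Csv .\newusers.csv

foreach ($Entry in $NewUsers) {
    $Sam = $Entry.SamAccountName

    # Skip anyone who already has a remote (O365) mailbox object on this server
    if (Get-RemoteMailbox -Identity $Sam -ErrorAction SilentlyContinue) {
        Write-Host "$Sam already has a remote mailbox, skipping"
        continue
    }
    # Skip anyone who still has an on prem mailbox; those get migrated, not re-created
    if (Get-Mailbox -Identity $Sam -ErrorAction SilentlyContinue) {
        Write-Warning "$Sam has an on prem mailbox, skipping"
        continue
    }

    # Create the remote mailbox object. AD Connect syncs it to Azure AD and EXO
    # provisions the mailbox once the user has a license.
    $Routing = "$Sam@$RoutingDomain"
    Enable-RemoteMailbox -Identity $Sam -RemoteRoutingAddress $Routing | Out-Null

    # Confirm the account now shows as an O365 mailbox (RemoteUserMailbox) rather than a contact
    Get-RemoteMailbox -Identity $Sam |
        Select-Object Name, RecipientTypeDetails, RemoteRoutingAddress
}
```

The two existence checks are there because running Enable-RemoteMailbox against an account that already has a mailbox fails, and because an account that still has an on prem mailbox needs a move request, not a new remote mailbox.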

Thursday, December 7, 2017

Add O365 License to users in bulk

We are moving to O365 and I needed a way to add our O365 licenses in bulk. To do this I used PowerShell.

First you need to install the AzureAD V2 PowerShell module. This is very easy if you have Windows 10. Run this:

Install-Module AzureAD

Once you install the module you will need to connect to your account:

Connect-AzureAD

It will prompt you for your O365 global admin credentials. Once you are connected you can see what your license SKU is by running this:

Get-AzureADSubscribedSku | Select Sku*,*Units

The one we have is called ENTERPRISEPACK. You will need the SkuId. From this point you can run the code below. I used a CSV file with a header of UserPrincipalName (UPN) and the users listed below it. The UPN looks like an email address.

$file = Import-Csv test.csv

foreach ($user in $file) {
    $upn = $user.UserPrincipalName
    # Look the user up by UPN. -ObjectId accepts a UPN and returns exactly that user;
    # -SearchString does prefix matching and can return several users.
    $user2 = Get-AzureADUser -ObjectId $upn
    # A usage location must be set before a license can be assigned
    Set-AzureADUser -ObjectId $user2.ObjectId -UsageLocation US
    # Build the license object; this SkuId is the ENTERPRISEPACK (E3) SKU from Get-AzureADSubscribedSku
    $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $License.SkuId = "6fd2c87f-b296-42f0-b197-1e91e994b900"
    $LicensesToAssign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $LicensesToAssign.AddLicenses = $License
    Set-AzureADUserLicense -ObjectId $user2.ObjectId -AssignedLicenses $LicensesToAssign
}

This went through all my users in the CSV file and assigned the E3 license to their account.
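As an added example (not the post's own script), here is a version of the same bulk assignment that looks the SkuId up by its SkuPartNumber instead of pasting the GUID, checks how many units are left, and skips users who already hold the license. It assumes Connect-AzureAD has already been run, the CSV has the same UserPrincipalName header as above, and ENTERPRISEPACK is the SKU you want; the US usage location is an assumption you should change to match your users.

```powershell
# Added example, not from the original post. Assumes Connect-AzureAD has already
# been run and that test.csv has a header of UserPrincipalName (as in the post).
$SkuPartNumber = "ENTERPRISEPACK"   # the E3 SKU name shown by Get-AzureADSubscribedSku
$UsageLocation = "US"               # assumption; use your users' country code

# Look the SkuId up by name instead of hardcoding the GUID
$Sku = Get-AzureADSubscribedSku | Where-Object { $_.SkuPartNumber -eq $SkuPartNumber }
if (-not $Sku) { throw "SKU $SkuPartNumber not found in this tenant" }

$Available = $Sku.PrepaidUnits.Enabled - $Sku.ConsumedUnits
Write-Host "$SkuPartNumber : $Available licenses available"

$Users = Import-Csv .\test.csv
foreach ($Row in $Users) {
    $Upn = $Row.UserPrincipalName

    # -ObjectId accepts a UPN and returns exactly that user (unlike -SearchString)
    $User = Get-AzureADUser -ObjectId $Upn -ErrorAction SilentlyContinue
    if (-not $User) { Write-Warning "$Upn not found, skipping"; continue }

    # Skip users who already hold this SKU so we don't burn a unit or hit an error
    $Held = Get-AzureADUserLicenseDetail -ObjectId $User.ObjectId
    if ($Held.SkuId -contains $Sku.SkuId) {
        Write-Host "$Upn already has $SkuPartNumber"
        continue
    }
    if ($Available -le 0) { Write-Warning "No $SkuPartNumber units left, stopping"; break }

    # A usage location is required before any license can be assigned
    if (-not $User.UsageLocation) {
        Set-AzureADUser -ObjectId $User.ObjectId -UsageLocation $UsageLocation
    }

    $License = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicense
    $License.SkuId = $Sku.SkuId
    $Assign = New-Object -TypeName Microsoft.Open.AzureAD.Model.AssignedLicenses
    $Assign.AddLicenses = $License

    Set-AzureADUserLicense -ObjectId $User.ObjectId -AssignedLicenses $Assign
    $Available--
    Write-Host "Assigned $SkuPartNumber to $Upn"
}
```

Looking the SKU up by name means the same script works in another tenant, and the unit count check tells you up front when the CSV has more users than you have licenses for rather than failing part way through.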

Tuesday, October 31, 2017

Windows 10 Update kills RDP connection when using Remote Desktop Gateway

We had some users who were having issues logging in from home after updating their Windows 10 desktops. We use a Remote Desktop Gateway, and it was throwing an error saying that they couldn't connect because an error occurred (very helpful).

The big problem we had was that it was random. Someone else who had the same update was able to login without any issues, thus making the issue harder to troubleshoot.

After troubleshooting with one of my users, he found this blog post that had the answer.

In short this is what you need to do:

"open regedit and browse to HKLM\SYSTEM\CurrentControlSet\Control\Lsa and look for a DWORD value called LMCompatibilityLevel. If LMCompatibilityLevel is present, and it is set to anything under a value of 3, the user will fail to authenticate to the RD Gateway server. Instruct the user to either change the value to 3, or delete the DWORD entirely. Then reboot the computer and try again."

Once we did that on his computer and rebooted, he was able to log back in.
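As an added example (not from the post or the quoted blog), here is the check above as a script you can run in an elevated PowerShell prompt on an affected client: it reads the LMCompatibilityLevel value, reports it, and raises it to 3 only if it is present and below 3. Levels 0 to 2 allow the client to send LM or NTLMv1 responses, which is why the gateway refuses them; level 3 sends NTLMv2 only. The registry path and value name come from the post; nothing else is assumed.

```powershell
# Added example, not from the original post: check a Windows 10 client for the
# LMCompatibilityLevel value described above and raise it to 3 if it is too low.
# Run in an elevated PowerShell prompt on the affected machine.
$LsaPath = "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
$Name    = "LMCompatibilityLevel"

# Returns $null when the value does not exist (which is fine for the gateway)
$Current = (Get-ItemProperty -Path $LsaPath -Name $Name -ErrorAction SilentlyContinue).$Name

if ($null -eq $Current) {
    Write-Host "$Name is not set; the OS default applies and RD Gateway logon should work."
}
elseif ($Current -ge 3) {
    Write-Host "$Name = $Current (NTLMv2 only); nothing to change."
}
else {
    # Levels 0-2 let the client send LM or NTLMv1 responses, which the gateway rejects
    Write-Warning "$Name = $Current; raising to 3 so the client sends NTLMv2 only."
    Set-ItemProperty -Path $LsaPath -Name $Name -Value 3 -Type DWord
    Write-Host "Reboot for the change to take effect."
}
```

If the value keeps coming back after you fix it, it is being set by Group Policy (Network security: LAN Manager authentication level) or by an application installer, so fix the source rather than the machine.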


Monday, January 9, 2017

Room Calendars Not Auto Accepting Invites?

If you have a Room calendar that is not auto accepting invites do this:

Check to make sure it's a Room:

Get-Mailbox <Identity> | fl *Type*,*Link*,*Share*

If it's not a Room, make it a Room:

Set-Mailbox <Identity> -Type Room

Make sure it's set to auto accept invites:

Get-CalendarProcessing <Identity> | fl AutomateProcessing

The AutomateProcessing attribute should be set to AutoAccept.

To change it if it's not set to AutoAccept:

Set-CalendarProcessing <Identity> -AutomateProcessing AutoAccept -ConflictPercentageAllowed 0 -MaximumConflictInstances 0

I got this info from KB Article 2005631 on Microsoft's Support site.
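As an added example (not from the post or the KB article), here are the four steps above combined into one script that checks each room in a list and only changes what is actually wrong. It assumes the Exchange Management Shell and that the room names in $Rooms are replaced with your own.

```powershell
# Added example, not from the original post: runs the checks above for each
# room in a list and fixes whatever is wrong. Run in the Exchange Management
# Shell; the room names below are placeholders for your own.
$Rooms = @("Conf Room A", "Conf Room B")

foreach ($Room in $Rooms) {
    $Mbx = Get-Mailbox -Identity $Room -ErrorAction SilentlyContinue
    if (-not $Mbx) { Write-Warning "$Room not found"; continue }

    # Steps 1 and 2: it has to be a room mailbox for the calendar attendant to auto accept
    if ($Mbx.RecipientTypeDetails -ne "RoomMailbox") {
        Write-Host "$Room is $($Mbx.RecipientTypeDetails); converting to Room"
        Set-Mailbox -Identity $Room -Type Room
    }

    # Steps 3 and 4: AutomateProcessing must be AutoAccept, not AutoUpdate or None
    $Cal = Get-CalendarProcessing -Identity $Room
    if ($Cal.AutomateProcessing -ne "AutoAccept") {
        Write-Host "$Room AutomateProcessing is $($Cal.AutomateProcessing); setting AutoAccept"
        Set-CalendarProcessing -Identity $Room -AutomateProcessing AutoAccept `
            -ConflictPercentageAllowed 0 -MaximumConflictInstances 0
    }

    # Report the final state for each room
    Get-CalendarProcessing -Identity $Room |
        Select-Object Identity, AutomateProcessing, ConflictPercentageAllowed, MaximumConflictInstances
}
```

Checking RecipientTypeDetails first matters because Set-CalendarProcessing will happily set AutoAccept on a user mailbox, but the resource booking behaviour only applies to room and equipment mailboxes.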

Error 1312 when adding ssl cert

 If you get an error when using netsh to add a cert thumbprint, make sure you have a private key attached to the cert. Also, make sure the c...