Tuesday, October 27, 2015

New Office 365 Outlook is not compatible with Exchange Server 2003/2007.

We have customers who works with Exchange 2003/2007 and Windows 2003 still. Those customers obviously want Office 365 with Exchange Online instead of 2-hop migration to latest Exchange Server.
With the release of Office 365 2016 it is no longer possible to connect Office 365 Outlook 2016 to Exchange Server 2007 (and obviously to Exchange Server 2003). Why do I need Office 365 Outlook connected to legacy Exchange Server?
It is best practice first to update client versions prior to Exchange Online mailbox migration in order to prepare clients for the new Exchange environment. But you stuck here because new Outlook 2016 won't connect to Exchange Server 2003/2007 and obviously you would upgrade your Office installation right after mailbox switchover to Exchange Online to reduce downtime with your current mail system.
If you did Office 365 package installation prior mailbox synchronization to Exchange Online you will get following message for your on-premise based Outlook profiles (assuming the account was not removed from the profile on first run):
The resource that you are trying to use is located on an unsupported version of Microsoft Exchange.
Luckily you have workaround for Exchange Server 2007 based deployments.

Deploy Outlook Office 365 2013
Outlook Office 365 2013 still supports Exchange Server 2007 connectivity. Just prevent Office 365 2013 automatic upgrade to Office 365 2016 during Exchange Server 2007 to Exchange Online migration. 
If you will try to download Click-To-Run package directly from Office 365 portal you will get Office 365 2016 now. Discovered alternative way is Office Deployment Tool (ODT) usage. There are two different versions of the ODT available – one for Office 2013 and a different one for Office 2016. Each ODT works only with that specific version of Office. You can download Office 2013 Deployment Tool from the Microsoft Download Center by using the following link: Office Deployment Tool (Office 2013 version).Then:
setup.exe /download Myconfigfile.xml
where:

  • Myconfig.xml is the location of the custom Configuration.xml file, Myconfig.xml in this example
  • setup.exe is the Click-to-Run Office Deployment Tool (ODT) executable
  • /download runs the tool in download mode

The following procedure requires a custom Myconfigfile.xml file that must provide the following information:
  • Product(s)
  • OfficeClientEdition (attribute of Add element). Specifies the edition of Click-to-Run for Office 2013 product to use: 32- or 64-bit.
  • Language(s)
Myconfigfile.xml example:

<Configuration>
   <Add SourcePath="\\server\Office15" OfficeClientEdition="32">
    <Product ID="O365ProPlusRetail" >
     <Language ID="en-us" />      
    </Product>
   </Add>
<Updates Enabled=”TRUE” AutoUpgrade=”FALSE”/>
</Configuration>
This Myconfigfile.xml configuration file specifies that Office 365 ProPlus 32-bit edition be downloaded in English to the \\server\Office15 shared folder and prevent automatic upgrade from Office 365 ProPlus 2013Product IDs that are supported by the Office Deployment Tool for Office 365 Click-to-Run can be found in KB2842297
Check my earlier blog post how you can control automatic Office 365 upgrade (disable/enable upgrade) at enterprise level.

Changing DirSync/AAD Sync/AAD Connect Synchronization Interval in Office 365 Hybrid deployment

Microsoft released few synchronization tools during last years: 
  • DirSync (which is being depreciated), 
  • AAD Sync (current in Office 365 portal)
  • AAD Connect (which actually includes AADSync and a future of Office 365 synchronization)
Default Sync period between On-premise Active Directory and Office 365 (Azure Active Directory) is 3 hours. This for many people is too long, especially if you are testing or you are small organization that can allow near "real-time" synchronization.

Before proceed keep in mind following considerations.

AAD Sync and AAD Connect current versions
AD to AAD synchronization process is executed by Azure AD Sync Scheduller task as shown here:


You can change the frequency by going to the Properties of Azure AD Sync Scheduller

When you save the changes the Task Scheduler will ask you for a password for the “AAD_xxxxxxxx” account.

This local server “AAD_xxxxxxxx” account was automatically created during AAD Sync installation process and obviously you don't know password for that account. Some guys recommend local account password reset at this point. I disagree with this approach (you will discover some broken things later that depend on that account/password) and recommend you to create new account like svc-aadsync-sa and add it to ADSyncAdmins local computer group (also created automatically during AADSync installation process). Use strong password during that process and option "Password never expires"

With new .\svc-aadsync-sa account you can safely make changes in Azure AD Sync schedule settings:

Be aware that changing of synchronization interval to less values may lead to AADSync Server "out of space" issues very quickly soon. You may need to check following folder sometimes and clear it or schedule PowerShell script clean up rule:
C:\Users\AAD_xxxxxxxx\AppData\Local\Microsoft\MSOIdentityCRL\Tracing\

Where “AAD_xxxxxxxx” is an account was automatically created during AAD Sync installation process.

Mentioned changes are not supported by MS and provided AS IS.



DirSync and some older versions of AADSync
Some of you guys maybe still use it. If you want to change the default sync period then firstly navigate to the Windows Azure Active Directory Sync directory on the member server where the Directory Sync tool is installed. Older version (i.e. pre Azure) the directory will be called Microsoft Online Directory Sync. In DirSync the amount of time between synchronizations was determined by the Microsoft.Online.DirSync.Scheduler.exe.config file.

Process to change the Time interval for DirSync:

Step 1: Locate the config file Microsoft.Online.DirSync.Scheduler.exe.config in C:\program Files\Windows Azure Active Directory. In the Older version of DirSync C:\Progam Files\Microsoft Online Directory Sync folder.

Step 2: Open the Microsoft.Online.DirSync.Scheduler.exe.config file using notepad.

Step 3: Locate the value <add key=”SyncTimeInterval” value=”3:0:0″ /> which will be in hh:mm:ss format. Change the value from 3:0:0 to 10 minutes like this <add key=”SyncTimeInterval” value=”0:10:0″ />

Step 4: After saving the file restart the Windows Azure Active Directory Sync service and in the old version Microsoft Online Services Directory Synchronization Service.

The above process will change the DirSync Time interval from 3 hours to 10 minutes.

How to downgrade or change Exchange Server Edition

Example scenarios:
Have missed with Exchange Server Edition during initial deployment? 
Want downgrade your Exchange Server Edition from Enterprise to Standard?
Maybe you want to reuse your Exchange Server 2010/2013/2016 as Exchange Server Hybrid with free Hybrid Product key applied?

1. Run ADSI Edit tool: adsi.msc
2. Connect to
3. In connection settings Select a well known Naming Context - Configuration
4. Expand Configuration - Services - Microsoft Exchange - <Name of your Organization> - Administrative Groups - Exchange Administrative Group (FYDIBOHF23SPDLT) - Servers
5. Click Exchange server Properties
6. Clear msExchProductID attribute
7. Restart Microsoft Exchange Information Store service if server holds mailbox role
8. Enter New Product Key using Exchange Management Console or PowerShell

Set-ExchangeServer -Identity Server1 -ProductKey xxxxx-xxxxx-xxxxx-xxxxx-xxxxx
9. Restart Microsoft Exchange Information Store service

Provided AS IS and don't ask for support.

Successfully worked on some 
non-DAG production.
It should also perfectly work after changing to Exchange Server Hybrid Edition product key as require no mailboxes hosted on it.


I'd be glad to hear if someone will report DAG experience with downgrade. Thank you.

Monday, October 26, 2015

View Exchange Dynamic Distribution Group Membership

How to view members of Dynamic Distribution Group in Exchange? No possible way in UI but with PowerShell only. Make sure that you have got the Organization Management and Recipient Management permissions.
$FTE = Get-DynamicDistributionGroup "Dynamic Distribution Group Name"Get-Recipient -RecipientPreviewFilter $FTE.RecipientFilter
or
Get-Recipient -RecipientPreviewFilter (Get-DynamicDistributionGroup "Dynamic Distribution Group Name").RecipientFilter
 https://technet.microsoft.com/en-us/library/bb124762%28v=exchg.160%29.aspx

Wednesday, October 14, 2015

No "Solutions" Gallery or other "Web Designer Galleries" under Sharepoint Online "Site Settings"

Assume following situation:
  • you buy an Enterprise or Business Office 365 Plan;
  • you want to use some custom Sharepoint Site Template (your own or 3-rd party);
  • you have a Web Solution Package file (.wsp) you want to use;
  • you try to use Microsoft Office support manual to Upload the site template to a Solutions Gallery;
  • you discover that you cannot find Solutions under Web Designer Galleries or you may have no Web Designer Galleries under your Site Collection Site Settings at all.
Default Sharepoint Online Site Collection Site Settings located here:
https://<tenant-name>.sharepoint.com/settings.aspx
where <tenant-name> is your <tenant-name>.onmicrosoft.com Office 365 tenant name
You may have something like


Some smart guys may also find Solutions Gallery and even button Upload Solution under URL:
https://<tenant-name>.sharepoint.com/_catalogs/solutions/Forms/AllItems.aspx
 You may even try to Upload Solution Web Solution Package file (.wsp) there but you get permission error (I've already sent request)
Resolution.
Microsoft Sharepoint Online team rolled out a feature to limit the amount of scripting allowed in order to maintain the security and integrity of the sites in tenants. SharePoint Online tenants received the feature. When the scripting is disabled, the theme gallery, certain web parts, and other features that support scripting are no longer available to site collection owners or site owners. For more information, go to Turn scripting capabilities on and off.

The symptom that no Web Designer Galleries options is probably caused by this update. Please follow the steps below to validate this.
  • Sign in to Office 365 with your work or school account.
  • Go to the SharePoint admin center.
  • Select Settings.
  • Under Custom Script, check if custom script is disabled.
If you cannot see the Custom Script option or the settings are already Allow, please let Microsoft Support know. It may reflect a different issue. 
If the settings are Prevent, you may switch the option to Allow so as to bring the custom scripting feature back. However, Microsoft doesn’t recommend you do this as custom scripts and solutions may cause unexpected security risk and load to your sites.
If you prefer to turn scripting on, please be acknowledged of this consequences:
  • If you want to enable scripting on Personal Sites, select Allow users to run custom script on personal sites
  • If you want to enable scripting on other user-created sites, such as Team Sites or Project Sites, select Allow users to run custom script on self-service created sites.
  • Select OK. It takes about 24 hours for the change to take effect.

Here is table you may find very interesting for your just purchased and out of the box secured Sharepoint Online tenant:

Features affected when scripting is disabled

When you disable scripting on personal sites or self-service-creation sites, the theme gallery, certain web parts, and other features that support scripting are no longer available to site collection owners or site owners. Any sites that used these features before scripting was disabled are still able to use them.
The following site settings are no longer be available after scripting has been disabled:

Site feature
Behavior
Notes
Save Site as Template
No longer available in Site Settings.
You can still build sites from templates created before scripting was disabled.
Save document library as template
No longer available in Library Settings.
You can still build document libraries from templates created before scripting was disabled.
Solution Gallery
No longer available in Site Settings.
You can still use solutions created before scripting was disabled.
Theme Gallery
No longer available in Site Settings.
You can still use themes created before scripting was disabled.
Help Settings
No longer available in Site Settings.
You can still access help file collections available before scripting was disabled.
HTML Field Security
No longer available in Library Settings.
You can still use HTML field security that you set up before scripting was disabled.
Sandbox solutions
Solution Gallery will not appear in the Site Settings so you can’t add, manage, or upgrade sandbox solutions.
You can still run sandbox solutions that were deployed before scripting was disabled.
SharePoint Designer
Site Pages: No longer able to update web pages that are not HTML.
Handling List: Create Form and Custom Actionwill no longer work.
Subsites: New Subsite and Delete Site redirect to the Site Settings page in the browser.
Data Sources: Properties button is no longer available.
You can still open data sources.
Uploading an ASPX file to a document library
No longer available in document libraries.
ASPX files that are in the library already are not impacted.
The following web parts and features are unavailable to site collection owners and site owners after scripting has been disabled.

Web part category
Web part
Blog
Blog Archives
Blog Notifications
Blog Tools
Business Data
Business Data Actions
Business Data Item
Business Data Item Builder
Business Data List
Business Data Related List
Excel Web Access
Indicator Details
Status List
Visio Web Access
Community
About This Community
Join
My Membership
Tools
What’s Happening
Content Rollup
Categories
Project Summary
Relevant Documents
RSS Viewer
Site Aggregator
Sites in Category
Term Property
Timeline
WSRP Viewer
XML Viewer
Document Sets
Document Set Contents
Document Set Properties
Forms
HTML Form Web Part
Media and Content
Content Editor
Script Editor
Silverlight Web Part
Search
Refinement
Search Box
Search Navigation
Search Results
Search-Driven Content
Catalog-Item Reuse
Social Collaboration
Contact Details
Note Board
Organization Browser
Site Feed
Tag Cloud
User Tasks
Master Page Gallery
Can't create or edit master pages
Publishing Sites
Can't create or edit master pages and page layouts

Friday, October 9, 2015

New Office Visio Stencils (October 2015)

      Creating visual representations of your Microsoft Office and Office 365 architectures, including Microsoft Exchange, SharePoint, and Skype for Business is a helpful way to communicate your deployment. These Visio stencils provide more than 300 icons -- many depicting servers, server roles, services and applications -- that you can use in architecture diagrams, charts, and posters. These icons are primarily centered around deployments of Microsoft Exchange Server 2013, Microsoft Skype for Business, and Microsoft SharePoint Server 2013 as well as hybrid Office 365 deployments of aforementioned technologies.
      These stencils contain more than 300 icons to help you create visual representations of Microsoft Office or Microsoft Office 365 deployments including Skype for Business, Microsoft Exchange Server 2013, Microsoft Lync Server 2013, and Microsoft SharePoint Server 2013. The zip file now includes both stencil sets from 2012 and 2014.
    The zip file now includes both stencil sets from 2012 and 2014. If you want only the latest stencils, download the "2014" file. If you also want the older symbols, download the "2012and2014" file which contains both sets.
      Source: Microsoft Download Center.

Sunday, October 4, 2015

How to delete a user's mailbox content in Exchange Server or Exchange Online

Sometimes you have to delete user's mailbox content on Exchange Server or Exchange Online but you need to preserve mailbox object itself with its configuration like forwarding, permissions, assigned policies, etc.
Here is procedure how you can accomplish this task.
Prerequisites:

  • You have to be a member of built-in "Discovery Management" admin role in Exchange.
or
  • You have to be a member of custom Exchange admin role that includes roles: Mailbox Import Export, Mailbox Search

If you have "In-Place Hold" feature activated on mailbox you probably need to deactivate it prior to deletion if your target goal is really to delete content with no recovery.

Step 1.
Log on to the EMS (Exchange Management Shell) or in the case of Exchange Online log on via PowerShell
Step 2.
Run cmdlet on the mailbox you want to clear content:

Search-Mailbox -identity "<mailbox name>" -DeleteContent -force
Wait for the command complete. Depending on number of mailbox items it can take some time to complete. As an optional step you can estimate number of items prior to deletion using cmdlet:
Get-MailboxFolderStatistics <mailbox name> | Select Identity, ItemsInFolder