Friday, March 28, 2014

Viewing the Administrator Audit Log in Exchange 2013 and Exchange Online

Instead of exporting the administrator audit log, which can take up to 24 hours to receive in an e-mail, in Exchange 2013 CU3 (and above) and Exchange Online you can now view administrator audit log entries in the EAC. To do this, go to Compliance Management -> Auditing and click View the administrator audit log.
 
Up to 1000 entries will be displayed on multiple pages. To narrow the search, you can specify a date range.
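The same entries can also be pulled from the Exchange Management Shell with Search-AdminAuditLog. The following is an added example, not part of the original post; the list of watched cmdlets, the seven-day window and the output file name are assumptions chosen for illustration.

```powershell
# Added example: review access-granting admin actions from the administrator audit log.
# Run in the Exchange Management Shell (or a remote session to Exchange Online).

# Assumption: cmdlets worth reviewing because they grant access or change auditing itself.
$watched = 'Add-MailboxPermission', 'Add-ADPermission', 'Add-RoleGroupMember',
           'New-ManagementRoleAssignment', 'Set-AdminAuditLogConfig'

# Date range, the same narrowing the EAC view offers.
$end   = Get-Date
$start = $end.AddDays(-7)

$entries = Search-AdminAuditLog -StartDate $start -EndDate $end `
                                -Cmdlets $watched -ResultSize 1000

# Flatten each entry so the parameters that were passed are readable on one line.
$report = $entries | Sort-Object RunDate | Select-Object RunDate, Caller, CmdletName,
    ObjectModified, Succeeded,
    @{ Name       = 'Parameters'
       Expression = { ($_.CmdletParameters |
                        ForEach-Object { "$($_.Name)=$($_.Value)" }) -join '; ' } }

# Hypothetical output file name.
$report | Export-Csv -Path .\AdminAuditLog-last7days.csv -NoTypeInformation -Encoding UTF8

# Who ran which of the watched cmdlets, most frequent first.
$entries | Group-Object Caller, CmdletName |
    Sort-Object Count -Descending |
    Select-Object Count, Name
```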

Office 365 with Internet Explorer 8

The bottom line is: Office 365 is not designed to work with Internet Explorer [IE] 8, and the user experience in Outlook Web Access [OWA] may be compromised, especially when used on Windows XP and/or with low memory machines. Office 365 will not offer code fixes to resolve problems encountered when using IE8, and new Office 365 experiences will likely not work at all.

Office 365 is no longer ending all support for IE8 on 8 April 2014, but both the user and support experience will be limited. After 8 April 2014, IE8 users:
  • Will not be deliberately prevented from connecting to the service;
  • Will not receive code fixes for bugs related to IE8. Security fixes will be released as needed;
  • May only use OWA Light (this does not apply to Office 365 Dedicated);
  • Should expect that the quality of other Office 365 user experiences will diminish over time.

While Office 365 Customer Support and Service will attempt to assist customers with IE8-related problems, the only solution to a particular problem may be to upgrade to a modern browser.

The recommended browser is, at this stage, IE9 with at least MS12-037: Cumulative Security Update for Internet Explorer: June 12, 2012 installed. However, IE10 or later is strongly recommended. This is because, similarly to IE8, Office 365 does not offer code fixes to resolve problems encountered when using IE9, the quality of the user experience will likely diminish over time, and some new Office 365 experiences might not work at all.

As such, to reiterate, IE10 or later is strongly recommended.

Thursday, March 20, 2014

Public Folder permissions lost after Public Folder mailboxes are moved

In an Exchange 2013 organization running CU2 build 15.00.0712.022, if you move a Public Folder (PF) mailbox the permissions structure on some PFs might be lost in the following situations:

1. If you move a secondary PF mailbox using New-MoveRequest, the permissions on any PF not stored in the secondary PF mailbox would be lost from the secondary PF mailbox and replaced by the default Access Control List (ACL). The original ACLs can be restored via a full synchronization event by running the following command:
Update-PublicFolderMailbox -Identity <secondary PF mailbox> -InvokeSynchronizer -FullSync

2. If you move the primary PF mailbox using New-MoveRequest, the permissions on any PF not stored in that PF mailbox are lost and replaced by the default ACL which gives Author permissions to Default authenticated users.

To work around this issue, install Exchange 2013 CU2 build 15.00.712.024 or later.

Exchange 2013 in coexistence scenario might trigger all clients to download OAB

Installing the first Exchange 2013 server in an organization that already has Exchange 2007 or 2010 might trigger all clients in the organization to download a new copy of the OAB, which can result in network saturation and server performance issues.

This occurs because Exchange 2013 creates a new default OAB in the organization that supersedes the Exchange 2007/2010 OAB. Mailboxes that do not have a specific OAB assigned to them, or that are located on a mailbox database that does not have a specific OAB assigned, will download the new default OAB.

To prevent this from happening, assign an OAB to every mailbox or database before installing the first Exchange 2013 server.

Tuesday, March 11, 2014

Exchange Admin Center Cmdlet Logging

The Exchange 2010 Management Center included PowerShell cmdlet logging functionality, something that was removed in Exchange 2013. The good news is that this functionality has returned as part of the Exchange Admin Center in Exchange 2013 SP1 and will soon come to Exchange Online as well.

When you sign in with Admin credentials, you will find the entry point for the PowerShell log view in the drop-down list beside the help question mark, under “Show Command Logging” (this feature is not available for non-admins):
 
The cmdlet list will display up to 500 entries and includes features such as search, export, start/stop logging, and more.

Friday, February 21, 2014

Exchange Server 2013 High Availability Book

After a lot of work, I have finally released my first book: Microsoft Exchange Server 2013 High Availability!    :)
I now fully appreciate the work involved in the process of writing/releasing a book!
 
 
This practical hands-on guide will provide you with a number of clear scenarios and examples that will explain the mechanics behind the working of Exchange 2013 High Availability and how maximum availability and resilience can be achieved through it.
 
Throughout this book, you will go through all the roles, components, and features that should be considered when addressing high availability. You will go through how to achieve high availability for the Client Access and Mailbox server roles, what’s new in load balancing, site resilience, the new public folders, and much more.
 
You will learn to successfully design, configure, and maintain a highly available Exchange 2013 environment by going through different examples and real-world scenarios, saving you and your company time and money, and eliminating errors.
 
 
The book is available on Amazon.com, Amazon.co.uk, Packt Publishing, and soon in Google Play store, Apple books, Safari books online, Bookshout!, Kobo books, EBL, Vital Source and O'Reilly.

Any feedback appreciated! :)

Wednesday, February 19, 2014

Exchange 2013 SP1 Feature list

Now that we are getting closer and closer to the release of Exchange 2013 Service Pack 1, here is a list of its main features:

  • Exchange 2013 SP1 will add Windows Server 2012 R2 as a supported operating system for Exchange Server 2013 with SP1;
  • Support for S/MIME in OWA will be brought back in SP1. With SP1 customers will have S/MIME support across Outlook, Exchange ActiveSync clients, and OWA;
  • The Edge Transport server role for Exchange Server 2013 will be available with SP1;
  • Fixes and Improvements. SP1 will include fixes and improvements in several areas. SP1 is the first service pack issued in the new Exchange Server cumulative update release model - thus SP1 is essentially CU4. The installation of SP1 will follow the same process as the prior Exchange 2013 CU releases. SP1 will include all fixes included in previously released cumulative updates for Exchange 2013;
  • MapiHttp is the new communication mechanism added to later builds of Microsoft Exchange Server 2013 and Microsoft Outlook 2013. The plan is to add the functionality to Microsoft Outlook 2010 in a future build. You may also see the new MapiHttp feature referred to internally as the Exchange HTTP Transport or by the internal code name Alchemy. The new MapiHttp transport protocol replaces the older RPC/HTTP (RPC over HTTPS) protocol. This is in an effort to improve the reliability and stability of the Outlook/Exchange connection by removing the dependency on the Microsoft Remote Procedure Call (RPC) communication mechanism;
  • DLP Policy Tip support in OWA.

Wednesday, February 12, 2014

Free/Busy Information Period (Exchange 2013-2007 Error)

Free/busy information requests to an Exchange 2007 organization from an Exchange 2013 organization may fail due to a mismatch in the requested free/busy information period. By default, Exchange 2007 accepts availability requests for 42 days of free/busy information and Exchange 2013 may request 62 days of free/busy information. If the request exceeds the default 42-day limit imposed by Exchange 2007, the request will fail.
 
In order to prevent this failure, follow the steps below to configure your Exchange 2007 CAS servers to accept longer period free/busy information requests:

1. On all your Exchange 2007 CAS servers, open the following file with a text editor such as Notepad (remember to create a backup copy first!):
<Exchange Installation Path>\V14\ClientAccess\ExchWeb\EWS\web.config

2. Locate the appSettings section;

3. Add a new key <add key="maximumQueryIntervalDays" value="62" /> and save the web.config file. The maximumQueryIntervalDays value is not present by default. When this value is not present, Exchange 2007 uses the default interval of 42 days.

4. Restart IIS on all the Exchange 2007 CAS servers.
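
Steps 1 to 3 can be scripted so the backup is never skipped and the key is not added twice. This is an added example, not part of the original post; the function name and the constructed demo file are assumptions, and on a real CAS server you would pass the web.config path from step 1.

```powershell
# Added example: back up web.config and add or update maximumQueryIntervalDays.
function Set-MaximumQueryIntervalDays {
    param(
        [Parameter(Mandatory = $true)][string]$Path,  # the EWS web.config from step 1
        [int]$Days = 62
    )
    $key  = 'maximumQueryIntervalDays'
    $Path = (Resolve-Path -Path $Path).Path           # .NET needs an absolute path

    # Step 1: timestamped backup beside the original.
    Copy-Item -Path $Path -Destination "$Path.$(Get-Date -Format 'yyyyMMdd-HHmmss').bak"

    # Step 2: locate the appSettings section.
    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true
    $xml.Load($Path)
    $appSettings = $xml.DocumentElement['appSettings']
    if ($null -eq $appSettings) { throw "No appSettings section found in $Path" }

    # Step 3: add the key, or only update its value if an earlier edit added it.
    $node = $appSettings.ChildNodes |
        Where-Object { $_.LocalName -eq 'add' -and $_.GetAttribute('key') -eq $key } |
        Select-Object -First 1
    if ($null -eq $node) {
        $node = $xml.CreateElement('add', $appSettings.NamespaceURI)
        $node.SetAttribute('key', $key)
        [void]$appSettings.AppendChild($node)
    }
    $node.SetAttribute('value', [string]$Days)
    $xml.Save($Path)
}

# Demonstration on a constructed file (not a real Exchange web.config).
$demo = Join-Path ([IO.Path]::GetTempPath()) 'ews-web.config'
@'
<configuration>
  <appSettings>
    <add key="constructedExistingKey" value="1" />
  </appSettings>
</configuration>
'@ | Set-Content -Path $demo -Encoding UTF8

Set-MaximumQueryIntervalDays -Path $demo
Set-MaximumQueryIntervalDays -Path $demo   # second run updates in place, no duplicate key
Get-Content -Path $demo

# Step 4, on the CAS server after editing the real file:
#   iisreset /noforce
```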

DLP Policy Tips in OWA

DLP Policy Tips are informative notices that are displayed to senders in Outlook when they try sending sensitive information. In Exchange 2013 SP1, this functionality has been extended to both the desktop version of Outlook Web App and the mobile version (named OWA for Devices), and you will see it in action if you have an existing DLP policy with Policy Tips turned on for Outlook.
 
The experience and functionality are similar to Policy Tips in Outlook, and you do not need to set up anything else.
 

Wednesday, February 5, 2014

Check Status of Federation Certificates

The certificate used to establish a federation trust is automatically propagated to all Mailbox and Client Access servers in the Exchange organization. If you need to report on its status, use the following cmdlet:
Test-FederationTrustCertificate

This cmdlet, which does not require any parameters, will check the status of certificates used for federation on all Mailbox and Client Access servers.

Thursday, January 30, 2014

Exchange 2013 CU3 Invalid Hybrid Product Key

On a newly installed Exchange Server 2013 Cumulative Update 3 (CU3) server (not an upgrade from an earlier 2013 build), when you are setting up a hybrid deployment and you enter the product key to activate it, you will receive the following error message:
Invalid Product Key.

This issue occurs because of a regression in CU3 for Exchange 2013 which causes the product to be mistakenly recognized as invalid.
You can safely ignore this product activation error message. Until this issue is resolved in the near future, there are no adverse effects from leaving the server unlicensed. This is a known issue that is scheduled to be addressed in SP1.

If you already deployed the product key for the Hybrid Edition on a server and later upgraded the server to Exchange 2013 CU3, the server will remain licensed, and the license will be displayed as valid.

Tuesday, January 21, 2014

Staged Exchange Migration with ADFS and DirSync

Some organizations implement ADFS and DirSync in order to take advantage of the Single Sign-On capabilities. However, not all of them opt for a hybrid deployment and perform a Staged Exchange Migration instead to move mailboxes from the on-premises environment to Office 365.
 
In order to perform such a migration, one of the steps involved is the creation of a CSV for the Migration batch. This CSV needs to have three columns: EmailAddress, Password and ForceChangePassword.

The problem arises if the ForceChangePassword field is set to True. This causes the migration to fail, because Office 365 cannot modify that attribute for an Identity Federated user (remember we are using ADFS and DirSync), so you get an error.
 
To overcome this, simply update the CSV file and set the ForceChangePassword field to False. This should allow for the migration to succeed.
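
For a batch with many rows, the check and the fix can be done in one pass. This is an added example, not part of the original post; the function name, the sample rows and the output file name are constructed for illustration.

```powershell
# Added example: verify the three required columns and force ForceChangePassword to False.
function Repair-StagedMigrationRows {
    param([Parameter(Mandatory = $true)][object[]]$Rows)

    $required = 'EmailAddress', 'Password', 'ForceChangePassword'
    $columns  = $Rows[0].PSObject.Properties.Name
    $missing  = $required | Where-Object { $columns -notcontains $_ }
    if ($missing) { throw "Missing column(s): $($missing -join ', ')" }

    $changed = 0
    foreach ($row in $Rows) {
        # Anything other than False (True, empty, typo) would break a federated user.
        if ($row.ForceChangePassword -ne 'False') {
            $row.ForceChangePassword = 'False'
            $changed++
        }
    }
    Write-Host "$changed of $($Rows.Count) row(s) changed"

    # Emit only the three columns the migration batch expects, in order.
    $Rows | Select-Object $required
}

# Constructed sample batch (not real accounts or passwords).
$sample = @'
EmailAddress,Password,ForceChangePassword
alice@contoso.example,Placeholder-Pw-1,True
bob@contoso.example,Placeholder-Pw-2,False
carol@contoso.example,Placeholder-Pw-3,
'@ | ConvertFrom-Csv

$fixed = Repair-StagedMigrationRows -Rows $sample
$fixed | Format-Table -AutoSize

# For a real batch file (hypothetical file names):
#   $rows = @(Import-Csv -Path .\batch.csv)
#   Repair-StagedMigrationRows -Rows $rows |
#       Export-Csv -Path .\batch.fixed.csv -NoTypeInformation -Encoding UTF8
# The CSV holds initial passwords in clear text: restrict access to it and
# delete it once the batch has completed.
```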

Thursday, January 16, 2014

Office 365 Identity Federation Debug Tool

The Microsoft Remote Connectivity Analyzer tool has been updated and it now includes testing for Office 365 federated identity provider. This can be used with an Office 365 tenant configured for federation with either ADFS or another WS-* based Security Token Service. It helps debug possible issues with the federated identity provider through simple tests.
 
The tool is available for download here.
 
Once downloaded and installed, click on “I can’t setup federation with Office 365, Azure, or other services that use Azure Active Directory (Beta)”:
 
 Then enter your Office 365 credentials and begin the login test of your federation configuration:
 
 Tests are done from the PC that you download the testing tool to. It will attempt to log in to Office 365 using the federation configuration. The testing will proceed and then show results which should help debug any possible federation issues.

Tuesday, January 7, 2014

Message Tracking Report

New to Exchange 2013, the Get-MessageTrackingReport cmdlet is used to return data for a specific message tracking report.
 
This cmdlet, used by the delivery reports feature, requires you to specify the ID for the message tracking report you want to view. Therefore, first you need to use the Search-MessageTrackingReport cmdlet to find the message tracking report ID for a specific message. You then pass the report ID to the Get-MessageTrackingReport cmdlet.
 
Note that you need to be assigned permissions before you can run this cmdlet. You will not have access to some of its parameters if the account used is not a member of one of the following groups: Organization Management, Records Management or Recipient Management.
 
 
This first example gets the message tracking report for messages sent from one user to another and returns the summary of the message tracking report for a message that Alice Jones sent to John Richardson:
$Temp = Search-MessageTrackingReport "Alice Jones" -Recipients "johnr@letsexchange.com"
Get-MessageTrackingReport $Temp.MessageTrackingReportID -ReportTemplate Summary
  • The ReportTemplate parameter specifies a predefined format for the output. You can either return a summary for all recipients or a detailed tracking report for one recipient using one of the following values: RecipientPath or Summary.
 
 
The second example gets the message tracking report for the following scenario: a user named Nuno Mota was expecting an e-mail message from joe@domain.com that never arrived. He contacted the Help Desk, which generated a message tracking report on behalf of Nuno returning detailed troubleshooting information for the specific recipient path:
Search-MessageTrackingReport "Nuno Mota" -Sender "joe@letsexchange.com" -BypassDelegateChecking -DoNotResolve | ForEach {Get-MessageTrackingReport $_.MessageTrackingReportID -DetailLevel Verbose -BypassDelegateChecking -DoNotResolve -RecipientPathFilter "nunom@domain.com" -ReportTemplate RecipientPath}
  • The BypassDelegateChecking switch allows Help Desk staff and administrators to retrieve message tracking reports for any user. By default, each user can only see the message tracking reports for messages sent or received by the user. When using this switch, Exchange allows administrators to view message tracking reports for messages exchanged among other users.
  • The DoNotResolve switch prevents the resolution of e-mail addresses to display names. This improves performance, but the end result may not be as easy to interpret because it is missing the display names.
  • The DetailLevel parameter specifies the amount of detail to be displayed for the message tracking report. You can use one of the following values: Basic or Verbose. If you specify Basic, simple delivery report information is displayed, which is more appropriate for information workers. If you specify Verbose, full report information is displayed, including server names and physical topology information.
  • The RecipientPathFilter parameter specifies the recipient for which the command returns the detailed tracking report. This parameter is used when using the RecipientPath report template.

Friday, December 20, 2013

Microsoft’s Top Solutions Content Blog

As part of Microsoft’s efforts to keep communities informed about the most relevant content that addresses the top questions or issues present in the forums and other support channels, Microsoft introduced the new Top Solutions Content blog.

In this blog, you will find valuable information about the Microsoft top support solutions for several of its popular products in the Server and Tools portfolio.

In the Exchange Server section, Top Support Solutions for Microsoft Exchange Server, some of the top Microsoft Support solutions to the most common issues experienced include:
  • How to temporarily deactivate the kernel mode filter driver in Windows
  • How to do performance tuning for NTLM authentication by using the MaxConcurrentApi setting
  • Troubleshooting long running MAPI connections to Exchange Server 2010 through Network Load Balancers
  • Configuring Kerberos Authentication for Load-Balanced Client Access Servers
  • Configure the Availability Service for Cross-Forest Topologies
  • Users in a source forest cannot view the free/busy information of mailboxes in a target forest in an Exchange Server 2010 environment
  • When, if and how do you modify Outlook Providers?

Tuesday, December 10, 2013

Checking DirSync Version

If you need to check what version of DirSync you currently have installed, simply run the following PowerShell cmdlet:
(GP "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync").DisplayVersion

Remember that you can use the Version Release History wiki to keep track of the versions that have been released and the main changes introduced.

Wednesday, December 4, 2013

Public and Private Computer Default Setting in OWA 2013

In a previous tip, How to Configure Public and Private Computer Settings in OWA 2013, I explained how to add the Private Computer option back to the OWA logon page in Exchange 2013.
 
When adding this feature back, the Private Computer checkbox always comes up checked:
 
 
However, some customers might want it unchecked by default. Unfortunately, there is no way to configure this through the Shell or EAC... We need to modify the logon.aspx file located at (...)\V15\FrontEnd\HttpProxy\owa\auth
 
Before you proceed, remember to create a backup copy of this file!
Open the file, scroll down to line 214 and delete the word checked.

This is how line 214 looks originally:
input id="chkPrvt" onclick="clkSec()" name="trusted" value="4" type="checkbox" checked role="checkbox" aria-labelledby="privateLabel"

And how it looks after deleting checked:
input id="chkPrvt" onclick="clkSec()" name="trusted" value="4" type="checkbox" role="checkbox" aria-labelledby="privateLabel"


After making this change, save the file, restart IIS and the Private Computer option will no longer be selected by default:

Tuesday, December 3, 2013

Allow XML files in Office 365 OWA

With Exchange 2003 we had to make changes to the Registry in order to allow or block particular file types in OWA, and in Exchange 2007 we had to configure OWA's virtual directories. Since Exchange 2010, this is done through Outlook Web App Mailbox Policies, and this applies to the latest Exchange 2013 and Exchange Online.

To check which file types are currently being blocked, and to change this if necessary, first connect to your Exchange Online service via PowerShell:
$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $cred -Authentication Basic -AllowRedirection

Import-PSSession $session

After successfully connecting, run the following cmdlet to check what file types are being blocked:
Get-OwaMailboxPolicy "policy name" | Select -ExpandProperty BlockedFileTypes | Sort

If you want to make changes and allow certain file types, such as XML files for example, you remove the .xml from the BlockedFileTypes and BlockedMimeTypes lists and add it to the AllowedFileTypes and AllowedMimeTypes lists:
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -BlockedFileTypes @{Remove = ".xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AllowedFileTypes @{Add = ".xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -BlockedMimeTypes @{Remove = "text/xml", "application/xml"}
Get-OwaMailboxPolicy | Set-OwaMailboxPolicy -AllowedMimeTypes @{Add = "text/xml", "application/xml"}

Remember to ensure that the settings in the ECP at permissions -> Outlook Web App policies -> file access match those in servers -> virtual directories -> owa (Default Web Site) -> file access in terms of Direct File Access, which enables or disables direct access to all file types in OWA. If this parameter is set to $False, users will not be able to click on attachments in e-mails to open or save the files. The attachment is visible, but the link is grayed out.

Tuesday, November 26, 2013

Exchange Hybrid #550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##

In Exchange hybrid deployments where Exchange Online and on-premises users have the same e-mail namespace (such as alias@domain.com), there might be cases where Office 365 users are unable to send e-mails to on-premises users and receive a nondelivery report (NDR) error message similar to:
 
#550 5.1.1 RESOLVER.ADR.ExRecipNotFound; not found ##
 
Amongst other possible reasons, this can be caused if the domain set up in the hybrid deployment is not configured as a shared domain in Office 365. To correct this problem, follow these steps using the Exchange Admin Center in the new Office 365:
1. Sign in to the Office 365 portal as a global admin;
2. In the header, click Admin, and then click Exchange;
3. In the left navigation pane of the Exchange Admin Center, click mail flow and then click accepted domains;
4. Select the domain that is set up for the hybrid deployment, and then click Details;
5. Select Shared, and then click save.
 
The EAC shows the domains that you added to your account through the Microsoft Office 365 portal. It lets you manage how messages are delivered. In a hybrid scenario, Exchange Online must be set up correctly so that when a cloud-based user sends an e-mail to an on-premises user, Exchange Online routes the e-mail to the on-premises messaging environment.

Tuesday, November 19, 2013

Office 365 Service Comparison

The following page can be used to filter and compare features of Office 365 plans, Office 365 services and on-premises products, such as comparing every feature of Exchange Server 2013 on-premises vs. Exchange Online: Office 365 service comparison.

This is extremely useful when exploring Exchange Online (or any Office 365 service for that matter) and trying to decide if Exchange Online meets all the organization’s requirements.