Author Archives: Joe Stocker

Lync Online and External Contacts

Update 3/9/2015: I just updated this article to include a previously undocumented dependency: both Lync and Outlook must be on the same version for this to work.

Here is an interesting scenario that reveals a lot about how Lync Online operates. Let’s assume that two companies plan to merge and they want to have Instant Messaging and Presence between the two companies.

One company, ABC Corp has Lync 2010 on-premises and the other company, XYZ Corp has Lync Online. Both companies have enabled federation.

Both companies would like a shared Global Address List (GAL), and they plan to use Microsoft FIM 2010 R2 GALSync, so that user objects in one forest are copied as contact objects in the other forest.

The last requirement is to have the ability to search for the Lync external contacts within the Lync client itself.

Tips:

  1. By default GALSync does not replicate the SIP address attribute “msRTCSIP-PrimaryUserAddress”, so GALSync must be modified to include this attribute. Additionally, mailNickname and targetAddress are required for Azure Active Directory Synchronization to export the object to Office 365 so that it is accessible to Lync Online users. For a list of which attributes are synced by DirSync, click (here).
  2. When populating the msRTCSIP-PrimaryUserAddress attribute, prepend sip: to the address.
  3. When the targetAddress attribute is populated, prepend SMTP: to the email address. For more info, see this article.
  4. mailNickname can be populated with the contents of sAMAccountName.
  5. sAMAccountName, displayName, and CN cannot be blank.
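The five tips above are easy to get subtly wrong (a missing prefix, a wrong case, a blank displayName), and a contact that fails any of them silently never shows up in Lync Online. The following check is an added example, not code from the original post or from GALSync: it encodes the rules as a function that accepts either a hashtable (so it can be exercised offline against the constructed sample objects below) or an ADObject returned by Get-ADObject. The OU distinguished name in the usage comment and the abc.example domain are assumptions.

```powershell
# Added example: validate the attributes GALSync must stamp on a contact before
# DirSync exports it and Lync Online can resolve it (tips 1-5 above).
function Test-LyncGalSyncContact {
    [CmdletBinding()]
    param(
        # Hashtable of attribute values or an ADObject from Get-ADObject -Properties ...
        [Parameter(Mandatory, ValueFromPipeline)] $Contact
    )
    process {
        # Uniform accessor for hashtable keys and object properties (names contain a hyphen)
        $get = { param($name) if ($Contact -is [hashtable]) { $Contact[$name] } else { $Contact.$name } }
        $problems = @()

        foreach ($required in 'sAMAccountName', 'displayName', 'cn') {
            if ([string]::IsNullOrWhiteSpace((& $get $required))) { $problems += "$required is blank" }
        }

        $sip = & $get 'msRTCSIP-PrimaryUserAddress'
        if ([string]::IsNullOrWhiteSpace($sip)) {
            $problems += 'msRTCSIP-PrimaryUserAddress missing (GALSync does not flow it by default)'
        } elseif ($sip -cnotmatch '^sip:[^@\s]+@[^@\s]+$') {
            $problems += "msRTCSIP-PrimaryUserAddress must be sip:user@domain, got '$sip'"
        }

        $target = & $get 'targetAddress'
        if ([string]::IsNullOrWhiteSpace($target)) {
            $problems += 'targetAddress missing (DirSync will not export the contact)'
        } elseif ($target -cnotmatch '^SMTP:[^@\s]+@[^@\s]+$') {
            $problems += "targetAddress must be SMTP:user@domain, got '$target'"
        }

        $nick = & $get 'mailNickname'
        if ([string]::IsNullOrWhiteSpace($nick)) {
            $problems += 'mailNickname missing (DirSync will not export the contact)'
        } elseif ($nick -match '[\s@]') {
            $problems += "mailNickname contains whitespace or '@': '$nick'"
        }

        [pscustomobject]@{
            Name     = & $get 'cn'
            Valid    = ($problems.Count -eq 0)
            Problems = ($problems -join '; ')
        }
    }
}

# Constructed sample objects (not real directory data): one correct contact, one broken one.
$samples = @(
    @{ cn = 'Jed Hill'; sAMAccountName = 'jhill'; displayName = 'Jed Hill'; mailNickname = 'jhill';
       targetAddress = 'SMTP:jhill@abc.example'; 'msRTCSIP-PrimaryUserAddress' = 'sip:jhill@abc.example' },
    @{ cn = 'Bad Contact'; sAMAccountName = 'bad'; displayName = ''; mailNickname = 'bad';
       targetAddress = 'bad@abc.example'; 'msRTCSIP-PrimaryUserAddress' = 'bad@abc.example' }
)
$samples | Test-LyncGalSyncContact | Format-Table -AutoSize

# Against the directory (hypothetical OU), with the ActiveDirectory module loaded:
# Get-ADObject -LDAPFilter '(objectClass=contact)' -SearchBase 'OU=GALSync,DC=abc,DC=example' `
#     -Properties sAMAccountName,displayName,cn,mailNickname,targetAddress,msRTCSIP-PrimaryUserAddress |
#     Test-LyncGalSyncContact | Where-Object { -not $_.Valid }
```

The prefix checks are case-sensitive on purpose, matching the sip: and SMTP: forms given in the tips; the second sample object fails on displayName, targetAddress and the SIP prefix, which is exactly the kind of contact that replicates fine into the forest and then never appears in Lync.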

Brajesh Panda wrote a fantastic walkthrough for modifying GALSync to include the msRTCSIP-PrimaryUserAddress attribute. However, it does not mention Lync Online. I wanted to write this blog article to add clarity on how external contacts can appear in Lync Online, which works only in a very limited scenario:

1. Outlook must be configured for cached Exchange Mode (this is the default configuration for Exchange Online).

[Update 3/9/2015] 2. Outlook and Lync must be on the same version (ex: Lync 2013 and Outlook 2013). Crossing versions is not supported and will not work (ex: Lync 2013 and Outlook 2010).

Additionally, external contact search is not available for Lync Mobile, OWA or Lync for Mac. The rest of this article explains why.

Unified Contact Store (UCS)

Lync Online is a “wave 15” product, and therefore is written to take advantage of the new Unified Contact Store (UCS).  This is significant because, according to my test results, search lookups in Lync Online appear to query only the UCS, and according to this MSFT article the UCS does not include information from the Global Address List (GAL).

image

Therefore, when Lync Online formats its EWS query, it appears to exclude external contacts and return only licensed Lync Online users.  This applies to the Lync Online clients that rely exclusively on EWS for lookups: Lync Mobile, Lync for Mac OS X, and Lync presence integrated into OWA. The only Lync client that can search and find external contacts is the Lync client for Windows, installed on a computer where Outlook is configured for cached mode with a local copy of the Offline Address Book. This is because Lync is designed to supplement the EWS query with an additional MAPI query through Outlook when Outlook is configured for cached Exchange mode.

Note: When troubleshooting, remember that the OAB does not download immediately after a fresh Outlook profile is created, so it can take some time before external contacts will appear (see below for more information on how to check for this).

Goodbye Lync Address Book

Lync Online does not download a Lync address book, which is the opposite of the behavior of Lync Server on-premises. Instead, a Lync Online client that wants to look up a contact performs a web services query in two parts. The first part is an EWS query, which depends on an EWS connection being available and established (note: this requires the Exchange Autodiscover record to be correctly configured to point to Exchange Online). The second part is a MAPI query through the local Outlook profile on the same workstation where Lync is installed; Outlook passes the query to Exchange on behalf of Lync. It is worth noting that when Outlook is configured for Online mode, the query Lync makes through Outlook ends up as the same EWS query against the UCS instead of the GAL, and therefore does not return external contacts. Again, cached mode is required.

Lync Online can only find external contacts in the GAL when the local Outlook client is configured for cached mode. Additionally, the SIP address of the user performing the search should match their email address; otherwise the EWS and MAPI connections fail and the user may receive authentication prompts. Also keep in mind that updates to external contacts in the GAL are not visible in Lync until the next time the Offline Address Book (OAB) is downloaded by the Outlook client (approximately once per day).  This can take as long as 48 hours in the worst case, because of the following by-design behavior:

  1. Exchange Online mailbox server generates a new OAB at 5:00 AM (once every 24 hours)
  2. Exchange distributes the OAB to the CAS servers (Default distribution schedule: 480 minutes)
  3. Outlook downloads the OAB (Default update schedule: 24 hours)

This means that in the worst possible scenario, an update to the Address Book won’t become available to the user until 48 hours after the change.

Example:

Monday at 09:00 – Outlook client downloads the OAB

Monday at 14:00 – A new mailbox is created

Tuesday at 05:00 – Exchange OAB Generation runs

Tuesday at 09:00 – Outlook client checks for new OAB

Tuesday at 11:00 – OABVirtualdirectory is updated

Wednesday at 09:00 – Outlook client downloads the new updates.

 

So yes, all of the stars must align in order for the Lync client to search for external contacts. But it does work!

Here is evidence of an external contact replicating and being searchable with Lync Online:

The local contact “Jed Hill” was created in on-premises Active Directory:

image

Here is the DirSync export showing that this object was copied to Lync Online:

image

Next, download the Offline Address Book. You can check to see if the offline address book was downloaded by checking the timestamps in this directory:
C:\Users\(UserName)\appdata\local\microsoft\Outlook\Offline Address Books\ (long number)
Go into the subfolder and you should see several .OAB files:
image
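Rather than eyeballing timestamps in Explorer, the same check can be scripted and left on a troubleshooting share. The following is an added example, not code from the original post: it walks the OAB folder named above under the current user's profile, reports when each address book was last downloaded, and flags any that are older than the 48-hour worst case described earlier. The only assumption is the folder layout the post describes (one subfolder per OAB, containing .oab files).

```powershell
# Added example: report the age of the Outlook Offline Address Book(s) for this profile.
function Get-OutlookOabStatus {
    param(
        # Same path as in the post: %LOCALAPPDATA%\Microsoft\Outlook\Offline Address Books
        [string]$OabRoot = (Join-Path $env:LOCALAPPDATA 'Microsoft\Outlook\Offline Address Books'),
        # Worst-case end-to-end OAB propagation described in the post
        [int]$MaxAgeHours = 48
    )
    if (-not (Test-Path -LiteralPath $OabRoot)) {
        Write-Warning "No OAB folder at $OabRoot : Outlook has not downloaded an address book for this profile yet."
        return
    }
    # One subfolder per OAB (the "long number" folder from the post)
    Get-ChildItem -LiteralPath $OabRoot -Directory | ForEach-Object {
        $files = @(Get-ChildItem -LiteralPath $_.FullName -Filter '*.oab' -File)
        if ($files.Count -eq 0) { return }   # folder exists but no download has completed
        $newest = ($files | Sort-Object LastWriteTime -Descending | Select-Object -First 1).LastWriteTime
        $age = (Get-Date) - $newest
        [pscustomobject]@{
            OabFolder    = $_.Name
            Files        = $files.Count
            TotalMB      = [math]::Round((($files | Measure-Object -Property Length -Sum).Sum / 1MB), 1)
            LastDownload = $newest
            AgeHours     = [math]::Round($age.TotalHours, 1)
            Stale        = ($age.TotalHours -gt $MaxAgeHours)
        }
    }
}

Get-OutlookOabStatus | Format-Table -AutoSize
```

A missing folder, or a folder with no .oab files, means the first download has not happened yet and no amount of searching in Lync will find the external contacts; a Stale result means the contact you just synced may simply not be in the copy Outlook is serving to Lync.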

And here is a screen shot of me searching for the external contact by first name and it returning Jed Hill. Ignore the fact that it says presence unknown, because I picked a fake SIP address for testing.

image

You can force the Outlook client to update more frequently by the methods described in this blog article here:

http://www.howto-outlook.com/howto/oabupdate.htm

Search Limitations

The limitations have already been mentioned, but to recap: external contacts will not be searchable within Lync Mobile or Lync for Mac. Also keep in mind that when Outlook is in Online mode, the regular Lync client for Windows cannot search for external contacts either. The work-around for all of these scenarios is for each user to type the full SIP address to communicate with an external contact that is not already pinned or saved as a favorite in their Lync contact list.

IM/Presence Limitations

Here is a screen shot showing that the Exchange Online OWA integration with Lync Online does not show presence or an IM button for an external contact, whereas the full Outlook client shows the IM button when replying to an email from an external contact that has a SIP address.

image

  • Lync Online users can pin up to 250 contacts to their Lync Contacts list.

  • Lync Online users each have a total of 200 concurrent presence subscriptions. Once that limit is reached, users can still send and receive instant messages and add users to a Contacts list, but they cannot see any additional presence information and will see a “Maximum Followers Reached” message when attempting to view a user’s presence.

For more information on Lync Online features and limitations, see the Lync Online Services Descriptions here:
http://technet.microsoft.com/en-us/library/lync-online-instant-messaging-presence-and-contacts.aspx

References:

http://www.amintavakoli.com/2013/01/how-does-integration-between-outlook.html

http://tech.rundtomrundt.com/2011/10/forcing-lync-client-to-use-mapi.html

http://www.lync.geek.nz/2014/04/lync-2013-exchange-integration.html

http://msexchangeguru.com/2013/05/10/lync-and-exchange/

OneDrive offers unlimited cloud storage

Today Microsoft announced that OneDrive for Business customers will soon have unlimited storage (previous limit was 1TB).

Many people have pointed out that the 20,000 file limit seems to nullify the “unlimited” storage feature.

http://support.microsoft.com/kb/2933738

Due to the current single item limit of 2GB per file, the effective limitation of OneDrive is now 40TB (20,000 * 2GB = 40TB).

Since local laptop hard drives are moving towards low-capacity SSDs, I am comfortable with a 40 TB cap being the same as “virtually unlimited.”

Microsoft increased the consumer version of OneDrive single item limit from 2GB to 10GB. We hope that the business version will eventually support 10GB files too, but we do not have a date on when or if that will happen yet.  https://blog.onedrive.com/onedrive-now-supports-10-gb-files/

 

Lync Phone edition tls handshake fail with usb tethering out of box

MSFT support engineers have identified a bug with USB tethering on Lync Phone Edition. They compared the packet trace of the successful TLS handshake during PIN authentication with the packet trace of the failed TLS handshake during USB tethering.

They observed that during PIN authentication the phone first connects to the Lync server over port 80 to download the intermediate certificate, whereas during USB authentication the phone skips that step and immediately attempts the TLS handshake on port 443. The handshake fails because the phone does not yet have the intermediate certificate, so it cannot build a chain from the server's certificate to a root it trusts.

Quick conceptual background: a certificate chain is commonly composed of a root certificate, followed by one or more intermediate certificates, and finally the issued (end-entity) certificate. A client that trusts only the root must obtain every intermediate in between, either from the server during the handshake or by fetching it separately, before it can validate the server's certificate.

So in summary, there is a bug in the Lync Phone Edition firmware that is preventing the intermediate cert download from occurring during the USB tethering.

This is why the USB tethering works successfully following the PIN authentication, because during the PIN authentication, it successfully downloads the intermediate certificate.

MSFT is going to document this issue into a Knowledge Base Article and then inform the product engineering team. There is no guarantee that the product group will fix this behavior since there is a reasonable work-around to use PIN authentication.

Another potential fix is to find a certificate authority that skips the intermediate and issues device certificates directly from one of the root authorities pre-loaded on each phone, as described at the bottom of (this) MS TechNet article.

This is not very practical because you would first have to purchase a certificate from Comodo, VeriSign, Entrust, etc. to find out whether they issue certificates directly from the root. It is also highly unlikely that you would find a CA that does not use an intermediate authority, because best practice is to shield the root from direct exposure by issuing certificates from the intermediate rather than the root.
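Before opening a support case it is worth confirming, from a workstation, that the Lync server's certificate really does depend on an intermediate and where that intermediate is supposed to come from. The script below is an added example, not code from the original post or from Microsoft support: it performs a TLS handshake, builds the chain from the leaf certificate the way a client would, reports the chain depth and status (a PartialChain status is the same condition the phone hits when it has not fetched the intermediate), and extracts the plain-HTTP "CA Issuers" URL that the leaf's Authority Information Access extension advertises, which is the kind of port-80 download the support engineers observed. The host name lync.contoso.example is an assumption; no certificate is trusted or stored by this check.

```powershell
# Added example: inspect the certificate chain a TLS server presents and how it would be completed.
function Get-ServerCertificateChain {
    param(
        [Parameter(Mandatory)] [string]$HostName,   # hypothetical, e.g. lync.contoso.example
        [int]$Port = 443
    )
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any certificate here: we only want to inspect it, not trust it.
        $noValidate = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $c, $ch, $e) $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $noValidate)
        $ssl.AuthenticateAsClient($HostName)
        $leaf = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }

    # Build the chain as a client would; revocation is skipped so only chain-building problems show up.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $complete = $chain.Build($leaf)
    $elements = @($chain.ChainElements | ForEach-Object { $_.Certificate })

    # Authority Information Access (OID 1.3.6.1.5.5.7.1.1): the "CA Issuers" access method
    # (1.3.6.1.5.5.7.48.2) points at the HTTP location of the issuing (intermediate) certificate.
    $caIssuerUrls = @()
    $aia = $leaf.Extensions | Where-Object { $_.Oid.Value -eq '1.3.6.1.5.5.7.1.1' }
    if ($aia) {
        foreach ($block in ($aia.Format($true) -split '\[\d+\]Authority Info Access')) {
            if ($block -match '1\.3\.6\.1\.5\.5\.7\.48\.2' -and $block -match 'URL=(\S+)') { $caIssuerUrls += $Matches[1] }
        }
    }

    [pscustomobject]@{
        Subject        = $leaf.Subject
        Issuer         = $leaf.Issuer
        IssuedFromRoot = ($complete -and $elements.Count -eq 2)   # leaf + root only, no intermediate
        ChainDepth     = $elements.Count
        ChainComplete  = $complete
        ChainStatus    = (($chain.ChainStatus | ForEach-Object { $_.Status }) -join ',')
        CaIssuersUrl   = ($caIssuerUrls -join ' ')
        ChainSubjects  = (($elements | ForEach-Object { $_.Subject }) -join ' <- ')
    }
}

# Usage (hypothetical host). On a machine that cannot reach CaIssuersUrl and has no copy of the
# intermediate, ChainComplete is False and ChainStatus reports PartialChain: the phone's situation.
Get-ServerCertificateChain -HostName 'lync.contoso.example' | Format-List
```

IssuedFromRoot is the property to look at if you are weighing the "CA that issues directly from a root" option: with a three-element chain it is False, and the CaIssuersUrl value shows which intermediate a client without that certificate would have to download first.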

Assign lync policies based on ad group

I adapted a script I found online to run within a scheduled task and assign a Conferencing Policy based on the membership of a global group named “CSLyncRecordingUsers.” Originally the script accepted parameters, but I wanted the scheduled task to run with as few parameters as possible, so I commented out the lines requiring arguments.

The service account needs the Log on as a service right, and it needs to be a member of RTCUniversalServerAdmins. That group is highly privileged, so check first whether a narrower Lync RBAC role such as CsUserAdministrator covers Grant-CsConferencingPolicy for your deployment before granting full server admin rights to an unattended account.

The scheduled task just needs to reference powershell.exe and then a single parameter with the location of the script.

image

_________BEGIN Assign-ToGroup.ps1____________________

Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

#Note: The above quotes must be single ticks and not double quotes or the task scheduler will not fire.
#      They must also be plain ASCII quotes; the curly quotes a web page renders break the script.

#Purpose: Assign the Recording Policy to all members of the global group CSLyncRecordingUsers

#Original syntax (parameters now hard-coded): C:\Scripts\Assign-ToGroup.ps1 CSLyncRecordingUsers "RecordingAllowed"

#$strFilter = "(&(objectCategory=Group)(SamAccountName=" + $args[0] + "))"
$strFilter = "(&(objectCategory=Group)(SamAccountName=CSLyncRecordingUsers))"

# Search the current domain for the group and load only its member attribute
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"

$colProplist = "member"
foreach ($i in $colPropList) { [void] $objSearcher.PropertiesToLoad.Add($i) }

$colResults = $objSearcher.FindAll()

# member holds the distinguished names of the group's direct members (nested groups are not expanded)
foreach ($objResult in $colResults) { $objItem = $objResult.Properties; $group = $objItem.member }

foreach ($x in $group)
{
#   Grant-CsConferencingPolicy $x -PolicyName $args[1]
    Grant-CsConferencingPolicy $x -PolicyName "RecordingAllowed"
}

_________END Assign-ToGroup.ps1______________________
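The script above only ever grants: a user removed from the group keeps the recording policy until somebody notices. The following is an added example, not from the original post, of a reconciling version that computes the difference between group membership and the users currently holding the policy, grants the missing ones and resets the stragglers. It assumes the ActiveDirectory module and the Lync module are both installed on the host running the task, that the group and policy names match the post, and that Get-CsUser -Filter on ConferencingPolicy and Grant-CsConferencingPolicy -PolicyName $null (reset to the site or global policy) behave as documented for Lync Server 2013; the -DryRun switch is this example's own.

```powershell
# Added example: keep the RecordingAllowed policy in step with group membership, in both directions.
param(
    [string]$GroupName  = 'CSLyncRecordingUsers',
    [string]$PolicyName = 'RecordingAllowed',
    [switch]$DryRun      # report the changes without applying them
)

Import-Module ActiveDirectory
Import-Module 'C:\Program Files\Common Files\Microsoft Lync Server 2013\Modules\Lync\Lync.psd1'

# Desired state: every user that is a member of the group, nested groups expanded, keyed by DN.
$desired = @{}
Get-ADGroupMember -Identity $GroupName -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    ForEach-Object { $desired[$_.DistinguishedName] = $true }

# Current state: Lync-enabled users that already carry the policy (Identity is the user's DN).
$current = @{}
Get-CsUser -Filter "ConferencingPolicy -eq '$PolicyName'" |
    ForEach-Object { $current[$_.Identity.ToString()] = $true }

$toGrant  = @($desired.Keys | Where-Object { -not $current.ContainsKey($_) })
$toRevoke = @($current.Keys | Where-Object { -not $desired.ContainsKey($_) })

foreach ($dn in $toGrant) {
    Write-Output "GRANT  $PolicyName -> $dn"
    # A member that is not Lync-enabled makes the cmdlet error; keep going and let the log show it.
    if (-not $DryRun) { Grant-CsConferencingPolicy -Identity $dn -PolicyName $PolicyName -ErrorAction Continue }
}
foreach ($dn in $toRevoke) {
    Write-Output "REVOKE $PolicyName <- $dn"
    if (-not $DryRun) { Grant-CsConferencingPolicy -Identity $dn -PolicyName $null -ErrorAction Continue }
}

Write-Output ("Summary: {0} in group, {1} to grant, {2} to revoke{3}" -f `
    $desired.Count, $toGrant.Count, $toRevoke.Count, $(if ($DryRun) { ' (dry run)' } else { '' }))
```

Run it once with -DryRun from the service account to see what it would change; users who received the policy by hand rather than through the group show up in the REVOKE list, which is usually the first thing this reconciliation finds.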

Windows Azure Automation

Windows Azure Automation lets you automate the creation, monitoring, deployment, and maintenance of resources in your Windows Azure environment. For example, by default an Automation account makes the Azure PowerShell module, over 350 cmdlets, available to runbooks that you can schedule. You can also import runbooks that automate non-Azure assets, or write your own.

“Azure Automation provides an orchestration feature set for public cloud resources that is similar to what the Service Management Automation (SMA) engine provides for on-premises private cloud resources via the Windows Azure Pack and System Center 2012 R2 Orchestrator.” – Keith Mayer (from his excellent blog on Automation here).

I looked into this service because I wanted a solution to shut down my demo VM’s running in Azure on a nightly basis.

The first step is to logon to the Azure Account Portal and sign in with your subscription information:

https://account.windowsazure.com

Then click Preview Features and click the “Try it now” button

image

A pop-up will appear informing you that the feature will be added to your subscription soon.

image

Now logon to the Azure Management Portal. If you were previously signed in, you must sign out and back in before you’ll see the Automation option appear in the menu.

https://manage.windowsazure.com

image

Click ‘Create an automation account’

At the time of preview, it is only available in East US.

image

To get started with your first “Hello World” runbook, follow the guidance online (here).

There are currently 20 powershell commands for managing Azure Automation available (here).

There are 30 runbooks in the Technet script gallery that have been written by the community for use in Azure Automation available (here).

I found a runbook on the Technet script gallery (here) written by Peter Selch Dahl for stopping all VMs.

However, after reading the rest of Keith Mayer’s blog, I decided to just follow his article. http://blogs.technet.com/b/keithmayer/archive/2014/04/04/step-by-step-getting-started-with-windows-azure-automation.aspx
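For readers who want the nightly shutdown without following a second article, here is an added example of what such a runbook looks like; it is not code from the original post, nor from Keith Mayer's or Peter Selch Dahl's runbooks. It assumes the preview-era Azure service management cmdlets that Azure Automation shipped with, an Automation credential asset named AzureAutomationAccount holding an organizational account that is co-administrator on the subscription, and a subscription named Demo Subscription (both names hypothetical). The credential is pulled from the asset store at run time so that no password is stored in the runbook text.

```powershell
# Added example: Azure Automation (PowerShell Workflow) runbook that stops every running VM.
workflow Stop-DemoVMs
{
    param(
        [string]$SubscriptionName    = 'Demo Subscription',        # hypothetical
        [string]$CredentialAssetName = 'AzureAutomationAccount'    # hypothetical credential asset
    )

    # Get-AutomationPSCredential is the Automation activity that reads a credential asset.
    $cred = Get-AutomationPSCredential -Name $CredentialAssetName

    # Plain PowerShell runs inside InlineScript; outer variables come in via $Using:.
    InlineScript {
        Add-AzureAccount -Credential $Using:cred
        Select-AzureSubscription -SubscriptionName $Using:SubscriptionName

        $running = @(Get-AzureVM | Where-Object { $_.PowerState -eq 'Started' })
        Write-Output ("{0} VM(s) running at {1:u}" -f $running.Count, (Get-Date))

        foreach ($vm in $running) {
            # -Force deallocates even when this is the last VM in its cloud service; without it the
            # cmdlet prompts, and a scheduled runbook has nobody to answer the prompt.
            Stop-AzureVM -ServiceName $vm.ServiceName -Name $vm.Name -Force
            Write-Output ("Stopped {0}/{1}" -f $vm.ServiceName, $vm.Name)
        }
    }
}
```

Publish the runbook, then attach a daily schedule to it from the Automation account; the job output lists what was stopped, which is the audit trail you want when a demo environment is being powered off unattended.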

Simple Disk Performance Testing

I came across an excellent blog article on disk performance testing:

http://www.brentozar.com/archive/2008/09/finding-your-san-bottlenecks-with-sqlio/

It walked through using SQLIO to test disk performance.

Basically, you just modify the param.txt file like this:

D:\testfile.dat 2 0x0 20480

(Each line is: file path, thread count, CPU affinity mask, file size in MB. Here 20480 MB is a 20 GB file that will be created on the D:\ drive.)

Then you can do a quick 10 second run with this syntax (the timeout just pauses 10 seconds before any following run):

C:\Program Files (x86)\SQLIO>sqlio.exe -kW -s10 -fsequential -t8 -o8 -b8 -LS -Fparam.txt
C:\Program Files (x86)\SQLIO>timeout /T 10

For comparison, my C: drive is a Corsair Force GS and scored 210 MB/s with 27k IOPS, and my D: drive is an OCZ Vertex and scored 135 MB/s and 17k IOPS.

Then you can run a longer 120 second test by creating a batch file containing these entries:

sqlio -kW -t8 -s120 -o8 -frandom -b8 -BH -LS D:\TestFile.dat
sqlio -kR -t8 -s120 -o8 -frandom -b8 -BH -LS D:\TestFile.dat
sqlio -kW -t8 -s120 -o8 -fsequential -b64 -BH -LS D:\TestFile.dat
sqlio -kR -t8 -s120 -o8 -fsequential -b64 -BH -LS D:\TestFile.dat

 

  • -kW and -kR: means we’re testing writes or reads
  • -t8 and -o8: means 8 threads with up to 8 outstanding requests at once.  SQLIO isn’t CPU-bound at all, and you can use more threads than you have processors.  The more load we throw at storage, the faster it goes – to a point.
  • -s120: means the test will last 120 seconds
  • -b8 and -b64: the size of our IO requests in kilobytes.  SQL Server does a lot of random stuff in 8KB chunks, and we’re also testing sequential stuff in 64KB chunks.
  • -frandom and -fsequential: random versus sequential access.  Many queries jump around randomly in the database, whereas things like backups, bulk loads, and table scans generally work sequentially.
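Comparing drives by reading SQLIO's console output gets tedious after the second disk. The following is an added example, not code from the original post or from Brent Ozar's article: a parser that turns SQLIO's text output into objects, plus a wrapper that runs the same four tests as the batch file above and parses each result. It assumes sqlio.exe is in the current directory or on the PATH; the block of output embedded at the end is a constructed sample in SQLIO's format, with invented numbers, so the parser can be tried without running a benchmark.

```powershell
# Added example: parse SQLIO output into objects and run the four-test matrix from the post.
function ConvertFrom-SqlioOutput {
    param(
        [Parameter(Mandatory)] [string[]]$Lines,
        [string]$Label = ''
    )
    $o = [ordered]@{ Label = $Label; Kind = ''; Threads = 0; Seconds = 0; BlockKB = 0; Pattern = '';
                     Outstanding = 0; IOPS = 0.0; MBps = 0.0; AvgLatencyMs = 0; MaxLatencyMs = 0 }
    foreach ($line in $Lines) {
        switch -Regex ($line) {
            '^(\d+) threads? (reading|writing) for (\d+) secs' { $o.Threads = [int]$Matches[1]; $o.Kind = $Matches[2]; $o.Seconds = [int]$Matches[3] }
            'using (\d+)KB (random|sequential) IOs'          { $o.BlockKB = [int]$Matches[1]; $o.Pattern = $Matches[2] }
            'with (\d+) outstanding'                          { $o.Outstanding = [int]$Matches[1] }
            '^IOs/sec:\s+([\d.]+)'                            { $o.IOPS = [double]$Matches[1] }
            '^MBs/sec:\s+([\d.]+)'                            { $o.MBps = [double]$Matches[1] }
            '^Avg_Latency\(ms\):\s+(\d+)'                     { $o.AvgLatencyMs = [int]$Matches[1] }
            '^Max_Latency\(ms\):\s+(\d+)'                     { $o.MaxLatencyMs = [int]$Matches[1] }
        }
    }
    [pscustomobject]$o
}

function Invoke-SqlioMatrix {
    param(
        [Parameter(Mandatory)] [string]$TestFile,
        [int]$Seconds = 120,
        [string]$Sqlio = 'sqlio.exe'
    )
    # Same four runs as the batch file: random 8KB write/read, sequential 64KB write/read.
    $runs = @(
        @{ k = 'W'; f = 'random';     b = 8  },
        @{ k = 'R'; f = 'random';     b = 8  },
        @{ k = 'W'; f = 'sequential'; b = 64 },
        @{ k = 'R'; f = 'sequential'; b = 64 }
    )
    foreach ($r in $runs) {
        $out = & $Sqlio "-k$($r.k)" '-t8' "-s$Seconds" '-o8' "-f$($r.f)" "-b$($r.b)" '-BH' '-LS' $TestFile 2>&1
        ConvertFrom-SqlioOutput -Lines ($out | ForEach-Object { "$_" }) -Label $TestFile
    }
}

# Constructed sample of SQLIO output (numbers invented), to exercise the parser offline.
$sample = @'
sqlio v1.5.SG
8 threads writing for 120 secs to file D:\TestFile.dat
	using 8KB random IOs
	enabling multiple I/Os per thread with 8 outstanding
	buffering set to use hardware disk cache (but not file cache)
CUMULATIVE DATA:
throughput metrics:
IOs/sec:  2784.73
MBs/sec:    21.75
latency metrics:
Min_Latency(ms): 0
Avg_Latency(ms): 22
Max_Latency(ms): 149
'@ -split "`r?`n"

ConvertFrom-SqlioOutput -Lines $sample -Label 'sample' | Format-List

# Real runs, once sqlio.exe and the test file exist:
# Invoke-SqlioMatrix -TestFile 'D:\TestFile.dat' |
#     Format-Table Label, Kind, Pattern, BlockKB, IOPS, MBps, AvgLatencyMs -AutoSize
```

The sample numbers are internally consistent (2784.73 IOPS of 8 KB is 21.75 MB/s), which is a useful sanity check to apply to real output too: if IOPS times block size does not match MB/s, the run was probably cut short or the parameters were not what you thought.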

Downloads

SQLIO from Microsoft http://www.majorgeeks.com/mg/getmirror/sqlio_disk_subsystem_benchmark_tool,1.html

Note: the blog post also recommends an easy GUI tool that is available here:

CrystalDiskMark Portable Edition http://crystalmark.info/download/index-e.html#CrystalDiskMark

CrystalDiskMark generates sequential & random, read & write loads at your storage system in 512KB and 4KB chunks

image

image

More advanced tools:

Iometer http://www.iometer.org/

SQLIOSim http://support.microsoft.com/kb/231619

Microsoft Azure (IaaS) Cost Estimator Tool

Microsoft just released a tool that can connect to your on-premises environment and estimate the cost of running it in Azure Infrastructure as a Service (IaaS).

You can target an individual physical machine, a Hyper-V or vCenter/ESX host, or a System Center Virtual Machine Manager (VMM) environment.

The tool takes seconds to install and is extremely easy to use. I installed it on my Windows 8.1 domain-joined laptop and pointed it at my lab environment running Hyper-V.

1. Download the beta (here). Note: The beta will expire on 9-1-2014.

2. Follow the installation (next –> next –> done!)

3. Launch the tool and click on Hyper-V

image

4. Enter the details of your Hyper-V server

image

Note: I selected ‘Run Once’ to get an immediate cost but I like how the tool allows you to run it over a configurable duration of time so that it can include other factors such as disk and network I/O.

Click Begin Profiling to run the scan.

image

In my experience, the scan averaged about 120 Kbit/s between my workstation and the server.

 

5. Click on the virtual machines that you are interested in getting a quote on

image

6. Click ‘get cost’ in the bottom-right.

image

 


DSN 5.1.1 Office 365 User could not email on-premise user

Had a strange issue where a user mailbox was created in Office 365 before Dirsync was enabled.

After dirsync was enabled and the domain name was validated, the same primary SMTP alias existed in two places: (1) on-premise where the real mailbox resided and (2) in the cloud where the POC/Pilot mailbox temporarily resided.

The problem that happened was cloud users attempting to email the on-premise mailbox would not get delivered on-premise, because the SMTP address matched against the cloud mailbox.

After removing the license from the cloud user, the mailbox was removed, but the cloud users then got a DSN 5.1.1 NDR undeliverable bounce-back message.

The solution was described in this o365 community forum thread:

http://community.office365.com/en-us/f/613/t/238038.aspx

Essentially it was necessary to remove the msol-user entirely and then let dirsync re-create the mail-user object. Problem solved!

To confirm the symptom, running Get-MailUser for the address in the remote PowerShell session returned nothing, whereas it should have returned a cloud mail user even though the mailbox is on-premises. The absence of that object is why the DSN was generated.

One work-around that also seemed to work was to set the domain in the cloud to internal relay instead of the default authoritative, but that did not seem the cleanest way to solve the problem, even though it appears to be the required configuration during a hybrid migration.  http://support.microsoft.com/kb/2730609
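When more than one pilot user was created ahead of DirSync, it helps to check a whole list of addresses at once and to script the clean-up so nothing is half-deleted. The following is an added example, not code from the original post or the forum thread. It runs in a session connected to both Exchange Online and Azure AD (the Connect.ps1 script further down this page does that); it assumes the addresses in addresses.csv (column name email, hypothetical) belong to mailboxes that live on-premises, so in the cloud each should resolve to a MailUser and not to a UserMailbox. The repair function removes the stale cloud user from the recycle bin as well, since a soft-deleted user with the same UPN blocks DirSync from re-creating the object.

```powershell
# Added example: find cloud recipients that will bounce (5.1.1) or shadow an on-premises mailbox.
function Test-CloudRecipientConflict {
    param([Parameter(Mandatory)] [string[]]$SmtpAddress)
    foreach ($addr in $SmtpAddress) {
        # Get-Recipient returns whichever recipient type owns the address; Get-MailUser alone is
        # silent in both broken cases (no object at all, or a lingering cloud mailbox).
        $r = Get-Recipient -Identity $addr -ErrorAction SilentlyContinue
        $state = if (-not $r) {
                     'MISSING: no cloud recipient, cloud senders get DSN 5.1.1'
                 } elseif ($r.RecipientType -eq 'MailUser') {
                     'OK: MailUser pointing on-premises'
                 } elseif ($r.RecipientType -eq 'UserMailbox') {
                     'CONFLICT: cloud mailbox owns the address, on-premises mailbox is shadowed'
                 } else {
                     "OTHER: $($r.RecipientType)"
                 }
        [pscustomobject]@{ Address = $addr; RecipientType = $r.RecipientType; State = $state }
    }
}

# Repair for the MISSING case, as in the post: remove the cloud user completely (including the
# recycle bin), then let DirSync re-create it as a mail user on the next sync.
function Repair-StaleCloudUser {
    param([Parameter(Mandatory)] [string]$UserPrincipalName)
    if (Get-MsolUser -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue) {
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -Force
    }
    if (Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $UserPrincipalName -ErrorAction SilentlyContinue) {
        Remove-MsolUser -UserPrincipalName $UserPrincipalName -RemoveFromRecycleBin -Force
    }
    # Then on the DirSync server: Import-Module DirSync; Start-OnlineCoexistenceSync
}

# Usage: addresses.csv with an 'email' column (hypothetical file)
$addresses = Import-Csv .\addresses.csv | ForEach-Object { $_.email }
Test-CloudRecipientConflict -SmtpAddress $addresses | Format-Table -AutoSize
# Test-CloudRecipientConflict -SmtpAddress $addresses | Where-Object { $_.State -like 'MISSING*' } |
#     ForEach-Object { Repair-StaleCloudUser -UserPrincipalName $_.Address }
```

The CONFLICT row is the state the post describes before the license was removed, and MISSING is the state after; re-running the check once DirSync has completed should show every address as OK.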

Combined Powershell script for managing both Azure AD and Exchange Online

_________________BEGIN Connect.ps1________________________

$LiveCred = Get-Credential
# Exchange Online remote PowerShell. Basic authentication here sends the credential in the HTTP
# Authorization header, which is acceptable only because the endpoint is HTTPS.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session -AllowClobber
# Azure Active Directory (MSOL) PowerShell, reusing the same credential
Connect-MsolService -Credential $LiveCred
#Remove-PSSession $Session   # run this when finished (see Tips and Tricks below)

__________________END Connect.ps1_________________________

 

The above script connects to two services: (1) Azure Active Directory remote PowerShell and (2) Exchange Online remote PowerShell.

This is useful because the former is required to assign and manage licenses for DirSync'd users in Office 365, and the latter is required for managing mailboxes and mailbox moves in Exchange Online.

By combining the two into a single PowerShell session, administration is easier and only one PowerShell window needs to be open.

One of the most common misconceptions about mailbox moves to Exchange Online with PowerShell is that people do not realize the move must be run from a remote PowerShell session connected to Exchange Online (see the move script below for an example).

One of the most common tasks when getting started with Office 365 is to bulk license users based on a CSV file containing email addresses. The maintenance script below was created to perform multiple actions based on a source CSV file.

___________BEGIN Maintenance.ps1 ___________________

Import-Csv c:\users.csv | ForEach-Object {
    $UPN = $_.email

    # Test the CSV against cloud UPNs first: confirms every email address in the file matches a cloud UPN exactly.
    #Get-MsolUser -UserPrincipalName $UPN

    # Find unlicensed users that still need a license applied.
    #Get-MsolUser -UserPrincipalName $UPN | Where-Object { $_.IsLicensed -eq $false }

    # Usage location is required for every user before a license can be assigned.
    #Set-MsolUser -UserPrincipalName $UPN -UsageLocation US

    # Assign the license. To get <tenant name>, run Get-MsolAccountSku (and drop the angle brackets).
    #$MSOLSKU = "<tenant name>:ENTERPRISEPACK"
    #Set-MsolUserLicense -UserPrincipalName $UPN -AddLicenses $MSOLSKU
}

___________END Maintenance.ps1 ___________________

 

Now that you have licensed your users, it is now time to move mailboxes! (Assumes you have already completed the steps in the Exchange Deployment Assistant for configuring a Hybrid environment).

_______________Move Script.ps1_______________

# When prompted, enter your on-premises AD username and password as Domain\User; the account must be a member of the Exchange Organizational Admins group

# Remember: this script is to be called from within a remote PowerShell session against Exchange Online, not from your on-premises Exchange Management Shell!

$cred = Get-Credential

Import-Csv .\user.csv | ForEach-Object {
    $UPN = $_.Email

    # -BadItemLimit above 50 requires -AcceptLargeDataLoss: up to 100 corrupt and 100 oversized items
    # are skipped, so review the move report afterwards (Get-MoveRequestStatistics -IncludeReport).
    New-MoveRequest -Identity $UPN -Remote -RemoteHostname 'myhybridserver.mydomain.com' -RemoteCredential $cred -TargetDeliveryDomain 'mytenantname.mail.onmicrosoft.com' -BadItemLimit 100 -AcceptLargeDataLoss -LargeItemLimit 100 -SuspendWhenReadyToComplete
}

_______________End Move Script.ps1_______________

 

Tips and Tricks

  1. After you’ve completed the tasks you wanted to perform in the Exchange Online organization, you need to disconnect the session between your local computer and the Exchange Online organization.

Use the following command to disconnect remote PowerShell from the Exchange Online organization.

Remove-PSSession $Session

If you close the remote Windows PowerShell window without following this procedure, the session has to time out on its own (approximately 15 minutes), and the quota on concurrent connections (a maximum of 3) may prevent you from reconnecting to the service promptly.

2. If you are setting up a new o365 tenant, and your on-premises AD domain has a default UPN suffix like “myad.local”, you can configure Directory Sync to use an alternate login ID such as the mail attribute, so that the email address is mapped to the UPN field in o365. This is beneficial because it saves the effort of changing UPNs on-premises!

http://social.technet.microsoft.com/wiki/contents/articles/24096.using-alternate-login-ids-with-azure-active-directory.aspx

Recent change to Dirsync

It is also important to note that starting with DirSync version 6862.0000 released on June 5 2014 there is no longer a DirSyncConfigShell Console file in the Program Files folder. Instead you just start a normal PowerShell window and run Import-Module DirSync. After that the Start-OnlineCoexistenceSync cmdlet is available.

Common Dirsync Questions

  • Even though DirSync is configured by default to sync once every three hours, you can manually force it to run at any time.
  • You can also configure the default interval to run in shorter increments
  • The default interval for Dirsync is a completely separate interval than password synchronization. Passwords are synced immediately to Azure AD and the average time before they are effective is usually under 3 minutes.

Minimum Exchange Hybrid Server Requirements for Managing On-Premises Users

Recently I was trying to locate guidance for the minimum requirements that an Exchange Hybrid Server would need if the only purpose for the server was to manage on-premise remote mailboxes. An on-premise Hybrid Exchange Server is still beneficial to manage the proxy alias attribute since Directory Synchronization is mostly one direction and therefore you cannot update the proxy aliases for a mailbox in Office 365’s administrative portal. You can use ADSIEdit to manage proxy aliases on-premise, but that is not practical for large organizations wishing to use RBAC.

So I posted this question on the new Office 365 IT Pro Yammer group and got a quick response from an MVP named Steve Goodman:

“An Exchange 2010 Hub Transport server role or Exchange 2013 multi role – with Hybrid keys – will do the trick.
After install you can then manage users, which will show as remote mailboxes (within contacts) in 2010 and Office 365 mailboxes in 2013.
Add a remote domain and other accepted domains in Exchange and set the remote domain as the Office 365 tenant domain. Set the accepted domains as internal relay. Alter email address policies to suit, as they will take effect as you manage or create users.
If you use a multi-role or CAS server beware the AutoDiscover SCP as it will cause cert warnings. Set it to $null using Set-ClientAccessServer <server> -AutoDiscoverServiceInternalURI:$null
More guidance in [Steve Goodman’s] article here http://searchexchange.techtarget.com/tip/Best-practices-for-managing-Office-365-from-Active-Directory”

So I learned that you do not have to run the Hybrid Configuration wizard.

Steve’s blog post does not include the syntax for creating a new remote domain. I used PowerShell to create it (note that New-RemoteDomain requires -DomainName as well as -Name):

New-RemoteDomain -Name contoso.mail.onmicrosoft.com -DomainName contoso.mail.onmicrosoft.com

Set-RemoteDomain -Identity contoso.mail.onmicrosoft.com -TargetDeliveryDomain $true

Then according to this MSFT Blog, if you want the changes to take effect immediately you have to restart IIS.

Steve points out in his blog that another alternative to ADSIEdit or the Hybrid server for managing the proxy aliases is a PowerShell module written by Andreas Lindhal at 365lab.com.

The only thing I would add to Steve’s guidance is that you may need to convert some of the mailboxes to remote-mailboxes using the enable-remotemailbox command otherwise the local contact object won’t exist in the local AD to manage.
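Pulling the quoted guidance, the remote domain commands and the Enable-RemoteMailbox step together, here is an added example of the whole configuration as one re-runnable script; it is not code from the original post or from Steve Goodman's article. It runs in the Exchange Management Shell on the on-premises hybrid server and assumes contoso.com is the accepted domain and contoso.mail.onmicrosoft.com the tenant routing domain (both hypothetical), that a send connector to Office 365 already exists so internal-relay domains have somewhere to relay to, and that the users passed in already have their mailbox in Office 365 (the routing address is derived from the local part of each UPN, which is this example's own convention).

```powershell
# Added example: minimal hybrid-server configuration for managing Office 365 users from on-premises.
param(
    [string]$AcceptedDomain       = 'contoso.com',                    # hypothetical
    [string]$TargetDeliveryDomain = 'contoso.mail.onmicrosoft.com',   # hypothetical
    [string[]]$UsersToConvert     = @()   # UPNs of on-premises users whose mailbox already lives in Office 365
)

# 1. Remote domain for the tenant routing domain, flagged as the target delivery domain so the
#    email address policy stamps user@<TargetDeliveryDomain> as a secondary address on each user.
if (-not (Get-RemoteDomain -Identity $TargetDeliveryDomain -ErrorAction SilentlyContinue)) {
    New-RemoteDomain -Name $TargetDeliveryDomain -DomainName $TargetDeliveryDomain | Out-Null
}
Set-RemoteDomain -Identity $TargetDeliveryDomain -TargetDeliveryDomain $true

# 2. Accepted domains: the routing domain must be accepted, and per the quoted guidance the
#    accepted domains are InternalRelay so mail for recipients not found locally is relayed onward
#    (this relies on an existing send connector to Office 365).
if (-not (Get-AcceptedDomain -Identity $TargetDeliveryDomain -ErrorAction SilentlyContinue)) {
    New-AcceptedDomain -Name $TargetDeliveryDomain -DomainName $TargetDeliveryDomain -DomainType InternalRelay | Out-Null
}
Set-AcceptedDomain -Identity $AcceptedDomain -DomainType InternalRelay

# 3. Clear the Autodiscover SCP on every Client Access server (the quote does one server by name)
#    so domain-joined Outlook clients stop getting certificate warnings from this box.
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $null

# 4. Turn existing user objects into remote mailboxes so proxy addresses can be managed here
#    with RBAC instead of ADSIEdit.
foreach ($upn in $UsersToConvert) {
    $localPart = ($upn -split '@')[0]
    if (Get-RemoteMailbox -Identity $upn -ErrorAction SilentlyContinue) {
        Write-Output "SKIP   $upn is already a remote mailbox"
        continue
    }
    Enable-RemoteMailbox -Identity $upn -RemoteRoutingAddress "$localPart@$TargetDeliveryDomain" | Out-Null
    Write-Output "ENABLE $upn -> $localPart@$TargetDeliveryDomain"
}

# Per the MSFT blog referenced above, restart IIS afterwards if the changes must take effect immediately.
```

Each step checks before it creates, so the script can be run again after adding users without erroring on the remote domain or accepted domain that already exist; the only step with a lasting side effect on mail flow is the InternalRelay change, which is why the send connector is called out as a prerequisite.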