Tuesday, April 18, 2017

Script to Synchronize Primary Email Address with UPN

When planning an Office 365 implementation, it is best practice to start by assuming that UPN for signing in to Office 365 should match the user email address. If you don't configure it this way, then users have two separate items (their UPN for signing in and their email address) that look very similar. In many cases users are confused by the similarity.

If you are synchronizing your on-premises Active Directory with Office 365 (in most cases you are), then you need to set the correct UPN on the on-premises user accounts. The UPN from the on-premises user accounts is synchronized to Office 365 to create the ID for signing in.

Most organizations are not using the UPN on user accounts for authentication on-premises. The option has been there since Windows 2000, but most organizations still use the domainname\username format for authentication. However, you need to verify whether any user accounts are using the UPN for authentication before making this change. At minimum, you should communicate with your application and system administrators to see if they are aware of anything that might use UPNs. If your organization has issued certificates to users, they might be using the UPN as the unique identifier in the certificate.

The script below does the following:
  • Obtains a list of all users where the proxyAddresses attribute has a value. This is done so that the result includes only user accounts with Exchange attributes configured.
  • Identifies the primary email address based on the all caps "SMTP:" prefix.
  • Strips the "SMTP:" prefix from the primary SMTP address.
  • If the new UPN and the existing UPN do not match, the user account is updated and the change is logged.
The location and name of the log file are configured in $logfile. You need to manually configure this variable and verify that the necessary folders exist.

 #Log folder must already exist
 $logfile = "C:\Scripts\SyncUPN.txt"
 Import-Module ActiveDirectory #only required for 2008 R2
 #Adds timestamp to log file
 Get-Date | Out-File -FilePath $logfile -Append
 #Obtains only users with valid proxyAddresses attribute
 #@() ensures $users is an array even when a single user is returned
 $users = @(Get-ADUser -Properties proxyAddresses -Filter {proxyAddresses -like "*"})
 #Prepare variables for processing status
 $total = $users.count
 $current = 0
 Foreach ($u in $users) {
   #Find primary SMTP address for user (-clike is case-sensitive, so only "SMTP:" matches)
   $primarySMTP = @($u.proxyAddresses | Where-Object {$_ -clike "SMTP:*"})
   If ($primarySMTP.count -ne 1) {
     #No primary address (or more than one): log it and leave the UPN alone
     $u.DistinguishedName + " Skipped: " + $primarySMTP.count + " primary SMTP addresses found" | Out-File -FilePath $logfile -Append
   } Else {
     #Remove "SMTP:" to create the new UPN value
     $newUPN = $primarySMTP[0].Substring(5)
     #Set the new UPN value only if required
     If ($u.UserPrincipalName -ne $newUPN) {
       $u.DistinguishedName + " Old UPN: " + $u.UserPrincipalName | Out-File -FilePath $logfile -Append
       $u.DistinguishedName + " New UPN: " + $newUPN | Out-File -FilePath $logfile -Append
       Set-ADUser $u -UserPrincipalName $newUPN
     } #end if
   } #end else
   #Processing status
   $current += 1
   Write-Progress -Activity "Processing users to update UPN to primary email address" -Status "Progress: $current" -PercentComplete ($current/$total*100)
 } #end foreach
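Before running the script above, a read-only preflight is worth having. This is an added example, not the author's script; it assumes the same "SMTP:" convention in proxyAddresses and a forest where Get-ADForest is available. It reports which users would change, which have no single primary SMTP address, which new UPNs use a suffix that is not registered in the forest, and which new UPNs would collide (UPNs must be unique in the forest).

```powershell
# Added example (not the author's code): preflight report for the UPN sync script.
# Assumes the primary SMTP address is the proxyAddresses entry prefixed with "SMTP:".
Import-Module ActiveDirectory

$forest = Get-ADForest
# Every domain DNS name in the forest is an implicit UPN suffix; add the explicitly registered ones
$validSuffixes = @($forest.Domains) + @($forest.UPNSuffixes)

$users = @(Get-ADUser -Properties proxyAddresses -Filter {proxyAddresses -like "*"})
$report = foreach ($u in $users) {
    $primary = @($u.proxyAddresses | Where-Object { $_ -clike "SMTP:*" })
    $newUPN  = if ($primary.Count -eq 1) { $primary[0].Substring(5) } else { $null }
    $suffix  = if ($newUPN) { $newUPN.Split("@")[-1] } else { $null }

    $status = if ($primary.Count -ne 1)               { "NoSinglePrimarySMTP" }
              elseif ($suffix -notin $validSuffixes)   { "UnregisteredUPNSuffix" }
              elseif ($u.UserPrincipalName -eq $newUPN) { "AlreadyMatches" }
              else                                      { "WouldChange" }

    [pscustomobject]@{
        SamAccountName = $u.SamAccountName
        CurrentUPN     = $u.UserPrincipalName
        NewUPN         = $newUPN
        Status         = $status
    }
}

# Two users sharing a primary SMTP address would produce the same UPN, which AD does not allow
$duplicates = $report | Where-Object { $_.NewUPN } | Group-Object NewUPN | Where-Object { $_.Count -gt 1 }
foreach ($d in $duplicates) {
    $report | Where-Object { $_.NewUPN -eq $d.Name } | ForEach-Object { $_.Status = "DuplicateNewUPN" }
}

# Summary on screen, details to CSV (path is an assumption; change it to suit)
$report | Group-Object Status | Select-Object Name, Count | Format-Table -AutoSize
$report | Where-Object { $_.Status -ne "AlreadyMatches" } |
    Export-Csv -Path "C:\Scripts\SyncUPN-preflight.csv" -NoTypeInformation
```

Anything other than WouldChange or AlreadyMatches needs a decision before the sync script runs; an unregistered suffix also has to be a verified domain in Office 365 or the synchronized sign-in ID will not keep it.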

Script to Remove Old Domains from User Email Addresses

When managing email addresses and domains in Exchange Server, old email addresses are never removed automatically. This is good because it ensures that email addresses on a mailbox are never accidentally lost. However, you may want to clean up old domains or address formats that are no longer in use.

Some common scenarios where you might want to remove an old domain:
  • An SMB deployment of Exchange Server where a .local domain was added as the first domain for email addresses.
  • Old GroupWise addresses left in place from an older migration.
  • An obsolete domain left over from a company merger many years ago.
I often find that obsolete domains are identified when I run IDFix as part of preparing to migrate to Office 365. To simplify the removal of obsolete domains, I have created the following script.

A few things to note:
  • You need to set $RemovePattern to identify the domain to be removed. Any email addresses matching this pattern will be removed from proxyAddresses attribute in Active Directory objects.
  • The script uses Get-ADObject rather than Get-ADUser to make sure that the domain is removed from distribution groups too.
  • This version of the script is capable of removing multiple instances of a matching email address. So, if a user has several email addresses in the old domain, all of them are removed.
  • At the end of the script, I use Write-Progress to display a status bar. It's not necessary, but if there is a large number of users it's nice to see activity on the screen instead of just waiting and hoping it's doing something.

 #This pattern is used to match the email addresses being removed.
 #Test that this pattern finds the correct users and email addresses
 #before running this script.
 #Example: $RemovePattern = "smtp:*@olddomain.com"
 $RemovePattern = "smtp:*@olddomain.local"
 Import-Module ActiveDirectory #only required for 2008 R2
 #Get the objects that have an email address that matches the pattern
 Write-Host "Querying objects...This may take a moment"
 Write-Host ""
 #@() ensures $objects is an array even when only one object matches
 $objects = @(Get-ADObject -Filter {ProxyAddresses -like $RemovePattern} -Properties ProxyAddresses)
 If ($objects.count -eq 0) {
   Write-Host "No objects have an address matching $RemovePattern"
   return
 } #end if
 #Identify address being removed from first object for warning
 [String]$proxyexample = $objects[0].proxyaddresses -like $RemovePattern
 #Display warning and get confirmation
 Write-Host "You are going to remove email addresses that match the following pattern:"
 Write-Host -ForegroundColor Red "$RemovePattern"
 Write-Host ""
 Write-Host "This is an example from the first object:"
 Write-Host -ForegroundColor Red "$proxyexample"
 Write-Host ""
 Write-Host "This will modify $($objects.count) objects"
 Write-Host ""
 $confirm = Read-Host "Enter Y to continue"
 #return ends this script without affecting a calling script the way Break can
 If ($confirm -ne "Y") {return}
 #Prepare variables for processing status
 $total = $objects.count
 $current = 0
 #Processing objects to remove addresses
 Foreach ($o in $objects) {
   #Build list of addresses to remove for object
   #required because there might be multiple that match
   $proxy = New-Object System.Collections.ArrayList
   Foreach ($a in ($o.ProxyAddresses)) {
     If ($a -like $RemovePattern) {
       $proxy.add($a) | Out-Null
     } #end if
   } #end foreach
   #Remove each bad address
   Foreach ($p in $proxy) {
     Set-ADObject $o -Remove @{'proxyAddresses'=$p}
   } #end foreach
   #Processing status
   $current += 1
   Write-Progress -Activity "Removing email addresses that match pattern" -Status "Progress: $current" -PercentComplete ($current/$total*100)
 } #end foreach
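One check worth making before confirming the removal above: the -like operator is case-insensitive, so a pattern starting with "smtp:" also matches the capitalized "SMTP:" primary address, and removing that leaves the object without a primary address. This added example (not the author's code) uses the same $RemovePattern and lists, per object, how many addresses would go, whether the primary is among them, and whether any SMTP address would remain.

```powershell
# Added example (not the author's code): preflight for the address removal script.
# Same $RemovePattern convention as the script; nothing is modified here.
Import-Module ActiveDirectory
$RemovePattern = "smtp:*@olddomain.local"   # constructed example value

$objects = @(Get-ADObject -Filter {ProxyAddresses -like $RemovePattern} -Properties ProxyAddresses)

$findings = foreach ($o in $objects) {
    # -like is case-insensitive: this matches both "smtp:" aliases and the "SMTP:" primary
    $hits = @($o.ProxyAddresses | Where-Object { $_ -like $RemovePattern })
    # -clike is case-sensitive: only the primary address starts with capital "SMTP:"
    $primaryHit = @($hits | Where-Object { $_ -clike "SMTP:*" })
    # What the object would look like after removal
    $remaining     = @($o.ProxyAddresses | Where-Object { $_ -notlike $RemovePattern })
    $remainingSmtp = @($remaining | Where-Object { $_ -like "smtp:*" })

    [pscustomobject]@{
        Name           = $o.Name
        ObjectClass    = $o.ObjectClass
        ToRemove       = $hits.Count
        PrimaryWouldGo = ($primaryHit.Count -gt 0)
        NoSmtpLeft     = ($remainingSmtp.Count -eq 0)
    }
}

# Objects where the primary address or the last SMTP address would disappear need manual attention
$blockers = $findings | Where-Object { $_.PrimaryWouldGo -or $_.NoSmtpLeft }
Write-Host "$($findings.Count) objects match, $($blockers.Count) would lose their primary or last SMTP address"
$blockers | Format-Table -AutoSize
# Full detail to CSV (path is an assumption; change it to suit)
$findings | Export-Csv -Path "C:\Scripts\RemoveDomain-preflight.csv" -NoTypeInformation
```

If $blockers is not empty, either change the primary address on those objects first or tighten the pattern before running the removal script.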

Thursday, April 13, 2017

Change All UPNs in a Domain

I needed to update all UPNs in a domain today. It was pretty quick to figure out, but here is one line to take care of it for you.

Get-ADUser -Filter * | ForEach-Object { Set-ADUser $_ -UserPrincipalName ($_.UserPrincipalName).Replace("OldDomain","NewDomain")}
Remember to make the OldDomain pattern unique enough that you don't accidentally change things you don't intend to. For example, if you are changing from a .local domain in the UPN to a .com, make sure that you replace ".local" and not "local" on the off chance one of the user IDs includes "local" in the name.

If there are any user accounts without a UPN, then an error is generated for those accounts. My domain had 4 accounts without a UPN:
  • krbtgt - default account used for kerberos
  • IWAM_ServerName - Old IIS account from Windows 2003
  • IUSR_ServerName - Old IIS account from Windows 2003
  • support_XXXXXXX - Used by Help and Support service
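A suffix-anchored version of the one-liner above handles both caveats from this post: it only touches the part after "@" and treats the dot literally, and it skips accounts with no UPN instead of generating an error. This is an added example, not the author's one-liner; the suffix values are constructed, and -WhatIf keeps it a dry run until you remove it.

```powershell
# Added example (not the author's code): anchored UPN suffix replacement with a dry run.
Import-Module ActiveDirectory
$oldSuffix = "olddomain.local"   # constructed example values; set to your own suffixes
$newSuffix = "newdomain.com"

# Escape the suffix so "." is literal and anchor it to the end, so "@olddomain.local" matches
# but a user ID containing "local" before the "@" does not
$pattern = "@" + [regex]::Escape($oldSuffix) + "$"

Get-ADUser -Filter * | ForEach-Object {
    if (-not $_.UserPrincipalName) {
        # Accounts such as krbtgt have no UPN; report and move on instead of erroring
        Write-Warning "$($_.SamAccountName) has no UPN, skipping"
        return   # inside a ForEach-Object script block, return advances to the next object
    }
    if ($_.UserPrincipalName -notmatch $pattern) { return }   # different suffix, leave it alone

    $newUPN = $_.UserPrincipalName -replace $pattern, "@$newSuffix"
    # Drop -WhatIf once the reported changes look right
    Set-ADUser -Identity $_ -UserPrincipalName $newUPN -WhatIf
}
```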

Suppress Results when Adding Items to an ArrayList

I ran into a mildly annoying feature when adding items to an array list when using PowerShell today. An array list is an expandable array of items with better performance than a normal array when working with large data sets.

Each time I added an item to the array list, it echoed back the index number of the list item. When I added the first item in the list, the number 0 was displayed on the screen. Adding a second item would echo back the number 1. For example:

I would prefer my script to be silent when running except when there is data that I want to display. However, there is no option obviously available for that purpose. Instead, you need to redirect the output to $null. There are a few ways to do this and any one will work:
$proxylist.add($a) > $null
$proxylist.add($a) | Out-Null

Sunday, April 2, 2017

Dell Open Manage System Administrator Hangs (or Unavailable)

Just ran into an issue on Dell servers using the Dell Open Manage System Administrator software. This software runs on the server to let you see hardware details such as failed components and RAID configuration.

My first issue was when running the System Administrator icon from the desktop. This icon opens a web page for accessing System Administrator. However, when Internet Explorer was launched, it came up with the error:
This page can't be displayed
So, I did the standard stuff:
  • restart services
  • verify DNS resolution
  • verify port 1311 is not blocked by firewalls and is listening
Everything looked good, but it wasn't working. One person on a discussion group indicated that they found it was because the older versions of System Administrator used older encryption algorithms for TLS and so the browser was blocking connectivity.

I attempted to resolve it first by updating the existing installation of Server Administrator. This changed the problem to hanging while trying to access the app, but didn't fix it.

The final fix was to remove older versions of System Administrator and install the latest version fresh. It seems that upgrading kept some older incorrect settings. The new install wiped out the older settings and all was good.

So, if Server Administrator is reporting "This page can't be displayed" or hanging when you attempt to access it, try an uninstall and reinstall. You don't need to reboot.

Tuesday, March 14, 2017

Making Sense of Office 365 Plans

If you're just starting to look at Office 365 as a solution for your organization, the various plans can be overwhelming and confusing. I'm going to try and boil down all of the Office 365 plan information to just the essentials that allow you to make an informed decision.

This is all based on research done in March 2017 and the prices I include are in Canadian dollars. You should verify that these features and prices are still correct for your scenario before making any decisions. I've included some links at the bottom of this article to Microsoft documentation for you to verify. Microsoft should be keeping that content up to date.

I'm going to focus on Office 365 plans for small business and enterprise. However, whether you are small business, non-profit, enterprise, or education, there are basically three generic Office 365 plans available:
  • Office 365 desktop apps (Word, Excel, Outlook, etc)
  • Cloud services (Exchange, Skype for Business, etc)
  • Office 365 desktop apps and cloud services
Most of the organizations I work with are looking for the cloud services. The initial driver most of them have is replacing an older installation of Exchange Server. At the same time, they can evaluate whether including Office 365 desktop apps is appropriate. I do not have any customers subscribing to only the Office 365 desktop apps.

The Office 365 plans for small business (300 user max) are:
  • Office 365 Business (desktop apps)
  • Office 365 Business Essentials (cloud services)
  • Office 365 Business Premium (Business + Business Essentials)
The Office 365 plans for enterprise (unlimited users) are:
  • Office 365 ProPlus (desktop apps)
  • Office 365 Enterprise E1 (cloud services)
  • Office 365 Enterprise E3 (ProPlus + E1 + a few cloud features)
  • Office 365 Enterprise E5 (E3 + cloud telephony)
It is possible to continue using your existing OEM, retail, or volume licensed edition of Microsoft Office with Office 365 cloud services. So, if you recently purchased 100 volume licenses of Office 2016, that is not a lost investment. You can use those licenses until you are ready to upgrade to a newer edition of Office and then evaluate whether you prefer to purchase new volume licenses for Microsoft Office or change your Office 365 licensing to include the desktop apps.

Office 365 Desktop Apps

The Office 365 desktop apps are similar to the Microsoft Office suite that you can buy retail, OEM, or through volume licensing. The biggest difference you'll notice is that these apps are streamed to desktops from Office 365 rather than installed traditionally (however it looks the same from a user perspective). This means that they are automatically updated outside of the Windows Update process. This should make the apps more secure because they will be updated faster than most organizations typically deploy updates. However, you do lose control over the update process and this may be a concern in organizations with specialized plugins.

The licensing for the Office 365 desktop apps is per named user rather than per computer. Each user can have up to five instances of the Office 365 desktop apps on devices. This allows a single user to put the Office 365 desktop apps on a work computer, a work laptop and a home computer. However, this does not mean that an organization with 20 users and 20 computers should purchase just 4 user licenses and install the Office 365 desktop apps 5 times per license. You need to license the Office 365 desktop apps for each user.

Licensing for Office 365 desktop apps is verified by signing in to Office 365. On each computer with the Office 365 desktop apps, you need to sign in to Office 365 at least every thirty days to verify that the license is still valid. This is a concern only in scenarios where a mobile computer would not have Internet access for more than 30 days.

Office 365 Business and Office 365 ProPlus contain the same apps:
  • Outlook
  • Word
  • Excel
  • PowerPoint
  • OneNote
  • Access
However, there are minor differences in app functionality. The following features are available only in Office 365 ProPlus and are not available in Office 365 Business:
  • Outlook:
    • Information Rights Management (IRM)
    • Data Loss Prevention (DLP)
  • Access:
    • Database Compare
  • Excel:
    • Spreadsheet Compare
    • Spreadsheet Inquire
    • Power Map
    • Power Pivot
    • Power Query
    • Power View
  • Support for Group Policy-based configuration
  • Support for Office add-ins, ActiveX, and browser helper objects (BHO)
  • Roaming settings
For a complete comparison of features, see Office Applications Service Description.

Note that some older documentation may reference that:
  • "Access is not included in Office 365 Business." Update: Access is included with Office 365 Business starting in November 2016.
  • "Outlook in Office 365 Business cannot access Exchange in-place archives." Update: The current version of Outlook in Office 365 Business can access in-place archives (also referred to as archive mailboxes). See Outlook license requirements for Exchange features.

Office 365 Plans with Cloud Services

Most cloud services in the small business and enterprise plans are the same. All of the small business and enterprise plans include the following:
  • Mailbox and calendar
  • Office Online apps - web-based versions of Word, Excel, and PowerPoint
  • OneDrive - personal file storage
  • SharePoint Online - shared file storage
  • Skype for Business - teleconferencing and instant messaging
  • Active Directory integration - synchronizes Active Directory users into Office 365
  • Yammer - Group discussions
The Office Online apps are very useful for performing quick edits to documents stored in OneDrive or viewing email attachments. In most cases, users prefer to continue using standard Microsoft Office desktop apps. However, in a very cost conscious organization, with limited needs, the online Office apps may be sufficient.

The graphic below summarizes some of the similarities and differences between the small business and enterprise plans:

Some differences to highlight are:
  • The small business plans are limited to 300 users. However, you can have a mix of small business and enterprise licenses in a single Office 365 tenant.
  • The small business and E1 plans have 50 GB mailboxes with 50 GB archives. The E3 plan has a 100 GB mailbox with unlimited archives. For small business and E1 plans, you can purchase an Archiving add-on for unlimited archiving.
  • Only the E3 plan supports litigation hold and data loss prevention for email.
  • The small business and E1 plans have 1 TB of OneDrive storage per user. The E3 plan has 5 TB of OneDrive storage per user.
  • SharePoint Online has 1 TB of storage per Office 365 tenant plus 500 MB of additional storage per licensed user. Storage consumed by Office 365 Teams comes out of this pool.
  • All plans include Skype for Business, but only enterprise plans can add unified communications.
  • Only enterprise plans have meeting broadcast, which allows presentations to thousands of users.
  • Only the E3 plan supports Azure Rights Management to encrypt and secure files.

Why Wouldn't I use Office 365?

The main reason you might not be able to use Office 365 is compliance and recovery requirements. For example, you can recover deleted items in Exchange Online for up to 30 days (only 14 days by default). There is no option to recover deleted data older than that.

It's possible for you to work around this issue, but it's not inexpensive. You will need to implement some sort of third-party backup or archiving solution. However, you'll need that type of system if you have Exchange on-premises anyway. It just becomes more complicated to backup data in the cloud. That said, third-party vendors have recognized this need and more backup and compliance products for Office 365 are being made available.

Most smaller organizations do not need the extra features included in the enterprise plans. The differences between Business Essentials and E1 are mostly whether you can add on other features. The core level of functionality is mostly the same. If you have fewer than 300 users, the Business Essentials and Business Premium plans are what you should evaluate first due to the cost savings.

For a very small organization, of 5 or 10 users, it's a pretty easy decision to use Office 365 based only on avoiding the cost of the local Exchange Server and hardware. But, you also avoid other costs like backup software, anti-spam software, and anti-virus software for a local Exchange server.

For slightly larger organizations, you might do a cost comparison and see that the cost of on-premises Exchange is about the same as Office 365 licensing. However, Office 365 is giving you high availability across multiple data centers that you probably can't implement yourself. Then throw in the ability to have large mailboxes (up to 50 GB), which most on-premises instances of Exchange don't allow, and Office 365 is a winner on features.

For even larger organizations, you might find that Office 365 licensing is more expensive than purchasing and managing on-premises Exchange. However, Office 365 is more than just email. There are additional features like Skype for Business, OneDrive, and SharePoint Online. So, while you may start evaluating Office 365 as a replacement for on-premises email, remember about the extra value the additional services provide and identify whether those services are useful for your organization. Maybe having video conferencing with Skype for Business is a big value add in your organization.

If you have more than 300 users, you can mix business and enterprise plans in the same Office 365 tenant. However, you probably want to be consistent and stick with the enterprise plans to avoid user and helpdesk confusion. Imagine that you implement a Group Policy object for managing Office 365 ProPlus but half of your users are using Office 365 Business, so the GPO doesn't apply to them. It would be a mess.

If your organization is academic or non-profit, check out the Office 365 licensing available specifically to your type of organization. There are academic and non-profit licenses equivalent to the business and enterprise plans. At the time of writing, the plans with only cloud services were free. The plans that include Microsoft Office apps are heavily discounted compared to business and enterprise plans. It almost becomes foolish to keep running your own internal Exchange server.

Useful Links

The following are some of the links I found useful:

Thursday, March 9, 2017

Exchange 2010 SP3 Hub Transport Upgrade Error

Ran into a new issue yesterday related to installing Exchange 2010 SP3. I was called in to help when the initial upgrade attempt failed. The error during SP3 installation was:
An unexpected error occurred while modifying the forms authentication settings for path /LM/W3SVC/1. The error returned was 5506.
A screenshot of the error is below:

Doing a search didn't come up with much, but it did give this:
That link seemed to indicate that it could be related to the SSL binding on the default web site in IIS. Taking a look at the SSL binding, it seemed to be missing the certificate assignment. However, when I tried to add the certificate I got a strange error about the session being closed.

Ok then, since you won't let me add the SSL certificate to the binding by using IIS Manager, let's try with Exchange Admin Console. When I assigned the IIS service to the certificate in EAC, it all looked fine. I also took this moment to review the certificate and verify that the SAN names were correct. I also noted that it did indicate that there was a private key for the certificate.

After this the binding worked, because we could access the https://servername/owa URL, but it returned a 503 error. However, rather than attempting to fix that error, we tried the SP3 install again. Since a service pack upgrade rewrites a lot of the content in the IIS virtual directories, we thought we might get lucky and it would fix any configuration errors that we had.

During the next install, the installation of the Hub Transport role completed successfully, but now we got an error on the Client Access role installation. As we were actively troubleshooting I didn't write it down at the time, but it was something like:
Could not grant Network Service access to the certificate with thumbprint BIGLONGHEXTHUMBPRINT because...
Based on this I decided to review the certificate in the Certificates MMC snap-in. Again, all the details looked right. Maybe I can add the necessary permissions myself for Network Service. To access the permissions for a certificate, you right-click it, point to All Tasks, and click Manage Private Keys. This normally brings up a security dialog box. However for me it brought up the following error:
Object not found.
I interpreted this error to mean either that the private key was not really present for the certificate, or that the Domain Admin account we were using to access the certificate and run the install didn't have permission to access the private key. In either case, since our Domain Admin account couldn't set permissions on the certificate, we were dead in the water.
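The two possibilities above (no private key at all, or a key the account cannot open) can be told apart from PowerShell without the MMC. This is an added example, not something from the post; it assumes an RSA key stored by a legacy CSP, which is how Exchange 2010 certificate requests are normally created (CNG keys are stored elsewhere and expose no CspKeyContainerInfo), and $thumbprint is a placeholder for the thumbprint reported by Get-ExchangeCertificate.

```powershell
# Added example (not from the post): locate a certificate's private key file and show its ACL.
# Assumes a CSP-stored RSA key under LocalMachine\My. Read-only; nothing is changed.
$thumbprint = "PLACEHOLDER_THUMBPRINT"   # replace with the thumbprint from Get-ExchangeCertificate

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate has no private key (was the request generated on another server?)" }

# Opening the key is the same operation the MMC performs for Manage Private Keys;
# the access problem described above shows up here as an exception
try {
    $container = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
} catch {
    throw "Private key is flagged present but cannot be opened: $($_.Exception.Message)"
}
if (-not $container) { throw "Key is not a CSP key; check CNG key storage instead" }

# Machine CSP keys are files in MachineKeys named after the unique container name
$keyFile = Join-Path "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys" $container
if (-not (Test-Path $keyFile)) { throw "Key file $keyFile is missing; the private key is effectively lost" }

$acl = Get-Acl -Path $keyFile
$acl.Access | Select-Object IdentityReference, FileSystemRights, AccessControlType | Format-Table -AutoSize

# The SP3 error in the post concerned Network Service, so check that it has read access to the key
$readBit = [System.Security.AccessControl.FileSystemRights]::Read
$nsRead = $acl.Access | Where-Object {
    $_.IdentityReference.Value -eq "NT AUTHORITY\NETWORK SERVICE" -and
    $_.AccessControlType -eq "Allow" -and
    (($_.FileSystemRights -band $readBit) -eq $readBit)
}
if ($nsRead) { "NETWORK SERVICE can read the private key" }
else { Write-Warning "NETWORK SERVICE has no read access to the private key" }
```

A throw at the HasPrivateKey or Test-Path step means the key really is gone and a new certificate is the only fix; a throw at the try block means the key exists but the current account cannot open it.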

Fortunately certificates are much less expensive than they used to be and we quickly obtained a new certificate with all of the necessary names from NameCheap. They might not have the best management tools for certificates, but the price is right. So, if this didn't work it didn't waste a lot of money.

After installing the new certificate and assigning the correct services to it, we ran the Exchange 2010 SP3 upgrade again. And after some nervous waiting, the upgrade completed properly. And the upgrade fixed all of the errors for the web services. Email for phones began to work immediately, as did OWA.