
Who said HTTPS is safe? Think again.

October 18th, 2014 by Jabez Gan [MVP]

Users of Wi-Fi hotspots have been warned about the “Poodle” attack – the latest bug in Internet browsers that can hijack web sessions and transactions, and even extract data from secure HTTP connections, The Straits Times reported today.

 

Poodle, or Padding Oracle on Downgraded Legacy Encryption, exploits Secure Sockets Layer version 3 (SSLv3), one of the protocols used to secure Internet traffic, the Singapore daily said.

All major browsers, from Google Chrome to Mozilla Firefox, support SSLv3.

 

An attacker can access online banking or email systems “secured” by HTTP connections. The flaw was reported by Google employees – Bodo Möller, Thai Duong and Krzysztof Kotowicz – in a paper published on Thursday.

The Poodle attack relies on the fact that most web servers and browsers are still using an “ancient” SSLv3 to secure their communications.

Source: The Malaysian Insider

Posted in Security | 1 Comment »

Exchange Management Console shows mailbox is migrating/migrated from one DB to another DB

October 9th, 2014 by Jabez Gan [MVP]

Scenario:

In an Exchange Hybrid environment (using Office 365).

Problem:

In Exchange Management Console (EMC), under Move Request, some mailboxes are shown as being moved. This action was not performed by the local IT administrators. The affected mailboxes have already been migrated to Office 365.

Solution/Explanation:

Run Get-MoveRequest. If you see something like the output below, you are actually seeing the mailbox being moved from one Exchange Online DB to another Exchange Online DB. This is part of Exchange Online DB maintenance. There is no impact to users.

ExchangeGuid               : 404b747c-d942-4ecc-ba61-9459c234a8d3

SourceDatabase             : APCPR04DG020-db001

TargetDatabase             : APCPR04DG011-db170

SourceArchiveDatabase      :

TargetArchiveDatabase      :

Flags                      : IntraOrg, Pull, MoveOnlyPrimaryMailbox

Posted in Office365 | No Comments »

Auto Assign Office 365 License based on domain name

October 2nd, 2014 by Jabez Gan [MVP]

Problem: The customer has a few email domain names and is slowly migrating to Office 365. The customer wants to auto-assign licenses for certain domains using PowerShell.

Step 1:

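Store the Office 365 tenant password in a TXT file.

The PowerShell script:

#Modify below YOURPASSWORD to your Office 365 password
$password = "YOURPASSWORD"
#A plain string must be converted to a SecureString before it can be exported.
#Without -Key, the exported text is protected with DPAPI and can only be read back by the same user on the same computer.
$password | ConvertTo-SecureString -AsPlainText -Force | ConvertFrom-SecureString | Set-Content c:\o365\password.txt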

Step 2:

Search based on the valid domains and add license for users that have not been licensed.

The powershell script:

#Valid Domains.
#Modify below domainA.com and domainB.com to your own domain that you want to auto assign license.
$validDomains = "*@domainA.com","*@domainB.com"

$MsolAdmUser = "admin@USERTENANTNAME.onmicrosoft.com"
# Read the password file written in Step 1 ($pwd is a built-in PowerShell variable, so use another name)
$securePassword = Get-Content c:\o365\password.txt | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential $MsolAdmUser, $securePassword

# CONNECT TO 365
Import-Module MSOnline
Connect-MsolService -Credential $cred

# Only fetch users that have not been licensed yet
$temp = Get-MsolUser -All -UnlicensedUsersOnly | Select-Object UserPrincipalName

foreach ($a in $validDomains) {
    foreach ($b in $temp) {
        # Assign the usage location and license when the UPN matches a valid domain
        if ($b.UserPrincipalName -like $a) {
            Set-MsolUser -UserPrincipalName $b.UserPrincipalName -UsageLocation "MY"
            Set-MsolUserLicense -UserPrincipalName $b.UserPrincipalName -AddLicenses "userTenantName:STANDARDWOFFPACK"
        }
    }
}

 

To get the "userTenantName:STANDARDWOFFPACK" value, you will need to run Get-MsolAccountSku.

 

The above is a script that I quickly developed. Apologies if it isn’t neat as of now :)

Posted in Office365 | No Comments »

Office 365 – Unable to remove verified Domain name

June 25th, 2014 by Jabez Gan [MVP]

Problem:

When you are trying to delete a verified domain name in Office 365, an error pops up saying that some users or Office365 services are still attached to the domain.

Root Cause:

Just like what the error said, some of the Office 365 services or users are still attached/assigned to the domain name that you are trying to remove.

Solution:

Things to check:

  1. Ensure that no users are associated with the domain that you are trying to delete. You can verify this by going into Users And Groups and editing a user. Ensure that the domain you are trying to delete, e.g. abc.com, is not listed there.
  2. Ensure that no security groups/distribution groups have accounts attached to abc.com. Security groups/distribution groups can be accessed by logging into Office 365, clicking on Users And Groups, and clicking on Security Groups.
  3. If you have just deleted the users, or changed the domain for each individual user, you will need to wait for a while (1 min?) as the changes need to sync to the different Office365 service settings.
  4. If the accounts are uploaded by Dirsync, you will need to stop the Dirsync synchronization to change the accounts to Cloud Only accounts. Then, you will need to do steps 1-3 above to delete the security groups, and/or manually modify the e-mail address fields in Office 365, Exchange Online.

Posted in Office365 | Comments Off

“Insufficient Permission” shown in DirSync’s MIISClient.exe

June 24th, 2014 by Jabez Gan [MVP]

Lately, I had an issue with Office 365's MIISClient.exe

Problem:

MIISClient.exe shows that a bunch of user accounts failed to sync with the error “Insufficient Permission”.

Solution:

Certain permissions needed by the MSOL service account went missing (for whatever reason!). All we had to do was recheck the permissions.

Step 1: Run the Azure Active Directory Sync tool Configuration Wizard

Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.

Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run by using enterprise credentials or should be run by the enterprise admin.

Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions

If step 1 doesn’t resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:

  • msExchSafeSendersHash
  • msExchBlockedSendersHash
  • msExchSafeRecipientHash
  • msExchArchiveStatus
  • msExchUCVoiceMailSettings
  • ProxyAddresses

To do this, follow these steps:

  1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
  2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
  3. On the Security tab, click Advanced.

    Note
    You must enable advanced features to complete step 3.
  4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it’s not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.

Note Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
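
The Step 2 checks can also be scripted. The following is an added example, not part of the original post or the Microsoft KB article. It assumes the ActiveDirectory (RSAT) module is available, and the function name Test-RichCoexistenceAcl and the account name 'jdoe' are placeholders.

```powershell
# Added example: audit the Step 2 write-back permissions for one user.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices

function Test-RichCoexistenceAcl {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,   # user who fails to sync
        [string]$GroupName = 'MSOL_AD_Sync_RichCoexistence',
        [string]$SyncUser  = 'MSOL_AD_Sync'
    )
    # Write-back attributes listed in Step 2
    $attributes = 'msExchSafeSendersHash', 'msExchBlockedSendersHash', 'msExchSafeRecipientHash',
                  'msExchArchiveStatus', 'msExchUCVoiceMailSettings', 'proxyAddresses'

    # The group must exist (-ErrorAction Stop throws if not) and contain the sync account
    $member = Get-ADGroupMember -Identity $GroupName -ErrorAction Stop |
        Where-Object { $_.SamAccountName -eq $SyncUser }
    if (-not $member) { Write-Warning "$SyncUser is not a member of $GroupName" }

    # Read the ACL of the affected user object through the AD: drive
    $user = Get-ADUser -Identity $SamAccountName
    $acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
    if ($acl.AreAccessRulesProtected) {
        Write-Warning "Inheritance is disabled on $($user.DistinguishedName)"
    }

    # Allow ACEs for the group that include WriteProperty (GenericAll also carries that bit)
    $writeBit = [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty
    $aces = $acl.Access | Where-Object {
        $_.AccessControlType -eq 'Allow' -and
        $_.IdentityReference.Value -like "*\$GroupName" -and
        ($_.ActiveDirectoryRights -band $writeBit)
    }

    # Attribute-level ACEs identify the attribute by its schemaIDGUID
    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    foreach ($attr in $attributes) {
        $schemaObj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
        if (-not $schemaObj) { Write-Warning "$attr was not found in the schema"; continue }
        $guid = [guid]$schemaObj.schemaIDGUID
        # An empty ObjectType GUID means the ACE covers every property
        $match = $aces | Where-Object { $_.ObjectType -eq $guid -or $_.ObjectType -eq [guid]::Empty }
        [pscustomobject]@{
            Attribute    = $attr
            WriteAllowed = [bool]$match
            Inherited    = [bool]($match | Where-Object { $_.IsInherited })
        }
    }
}

Test-RichCoexistenceAcl -SamAccountName 'jdoe' | Format-Table -AutoSize
```

A write permission granted through a property set rather than on the attribute itself is reported here as not allowed, and Deny entries are not evaluated, so confirm any unexpected result on the Security tab.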

 

Source: Microsoft KB 2406830

Hope this helps! :)

Posted in Office365 | 1 Comment »

Enable Legal Hold by using PowerShell

June 23rd, 2014 by Jabez Gan [MVP]

Statement:

You have purchased some Office 365 E3 plans and have assigned the Office 365 E3 licenses to the users.

You would like to activate Legal Hold for these users in bulk, using PowerShell.

Script to Activate:

# First you need to be connected to the Exchange PowerShell.
$pagesize = 100 # The number of mailboxes per loop
$inc = 0 # Start increment value
# Continue until all mailboxes are litigation hold enabled
do {
    Write-Output "Getting mailboxes"
    # Get UserMailboxes that do not have litigation hold enabled
    $mailboxes = Get-Mailbox -Filter {LitigationHoldEnabled -eq $false -and RecipientTypeDetails -eq "UserMailbox"} -ResultSize $pagesize -WarningAction SilentlyContinue
    if($mailboxes) { Write-Output ("Current mailbox count: {0}" -f ($inc += $mailboxes.Count))}
    # Enable litigation hold
    $mailboxes | Set-Mailbox -LitigationHoldEnabled $true -WarningAction SilentlyContinue
} while($mailboxes);

Source: Goodworkaround.com

Posted in Office365 | 1 Comment »

Free/busy not working in Hybrid

June 16th, 2014 by Jabez Gan [MVP]

In a Hybrid deployment, lately I had experienced that:

1. On-premise users can see cloud users’ free/busy

2. Cloud users can't see on-premise users' free/busy

 

Note: the below may not solve your problem, but it should lead you to the right way to brute force your way to solve the problem lol

Resolution:

1. Try out the Hybrid Free/Busy Troubleshooting Tool.

2. Check out: User can’t view free/busy information for a remote user in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365

3. Did an IISRESET as recommended: http://jesperstahle.azurewebsites.net/?p=242

4. Update/Refresh the Federation Metadata. See this blog for more information.

  • Connect to Exchange Online in PowerShell
  • Execute:
  • Get-FederationTrust | Set-FederationTrust -RefreshMetadata

5. Execute the free/busy test from Microsoft Remote Analyzer

6. Ensure that in all Exchange Servers (including the inactive ones located in the DR sites), the Get-WebServicesVirtualDirectory has the correct ExternalURL: https://mail.contoso.com/ews/exchange.asmx (and is routable from the internet)

Get-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)"

 

Leave a comment if it’s still not working. No promise that I can help you fix, but I’ll try :)

Posted in Office365 | Comments Off

Implementing Office 365 with Exchange Hybrid

May 25th, 2014 by Jabez Gan [MVP]

Problem:

You have a customer. They are on Exchange on-premise. You want to implement Office 365 with Exchange hybrid. Which Exchange Server versions are supported in hybrid mode?

Answer:

| On-premises environment | Exchange 2010-based hybrid with tenant version v14 | Exchange 2010-based hybrid with tenant version v15 | Exchange 2013-based hybrid with tenant version v15 |
| --- | --- | --- | --- |
| Exchange 2013 (CU1) | Not supported [1] | Not applicable | Supported |
| Exchange 2010 SP3 | Supported | Supported | Supported [5] |
| Exchange 2010 SP2 | Supported | Not supported [2] | Not supported |
| Exchange 2010 SP1 | Supported | Not supported [2] | Not supported |
| Exchange 2007 SP3 RU10 | Supported [3] | Supported [4] | Supported [5] |
| Exchange 2007 SP3 | Supported [3] | Not supported | Not supported |
| Exchange 2003 SP2 | Supported [3] | Supported [4] | Not supported |

Note:
[1] Blocked in Exchange 2013 setup
[2] Tenant upgrade notification provided in Exchange Management Console
[3] Requires at least one on-premises Exchange 2010 SP2 server
[4] Requires at least one on-premises Exchange 2010 SP3 server
[5] Requires at least one on-premises Exchange 2013 CU1 or greater server

Posted in MS News | Comments Off

Bing with video background?

May 24th, 2014 by Jabez Gan [MVP]

Bing is famous for having a different background picture whenever someone browses to Bing. However today onwards, when browsing to Bing using a HTML5 supported browser, it will show a video in the background.

What do you think? Waste of bandwidth?

Source: Bing Blog at http://www.bing.com/community/site_blogs/b/search/archive/2011/09/23/something-new-on-the-homepage.aspx?form=pgbar1

Posted in Microsoft | Comments Off

Office365 – Dirsync not synchronizing fully

April 19th, 2014 by Jabez Gan [MVP]

Background:

Directory sync is located in the internal network and is behind a TMG proxy. TMG Proxy has been configured to allow Directory Sync to access HTTPS of the internet.

Problem:

With Directory Sync installed, the synchronization fails from time to time after a few hours of sync (we have >10,000 objects to be synced to the cloud).

Root Cause:

Directory sync should have direct connection to the internet. It is known to create issues if it is behind a TMG Proxy.

Posted in Office365 | Comments Off

PowerShell to create Distribution Group in Exchange 2010/Office365

April 14th, 2014 by Jabez Gan [MVP]

When setting up Office365/Exchange 2010, it is very common to assist the customer to create distribution groups.

 

This is my way to script it to speed up the creation of the distribution groups:

1. Create a CSV file for each distribution group. For my case, I have _AllStaff.CSV created. See below link for the sample of the file.

_AllStaff

 

2. Use Powershell and run the following:

$name="AllStaff"

(The above should be the filename of your CSV file).

 

New-DistributionGroup -Name "_All Staff" -Alias $name -PrimarySmtpAddress "$name@abc.com" -MemberDepartRestriction Closed

(Modify the bold items to the right Distribution Group name and domain name)

 

Import-Csv "D:\$name.csv" | foreach {Add-DistributionGroupMember -Identity "$name@abc.com" -Member $_.EmailAddress}

(Point the location to the CSV file, and also specify the correct distribution group name)

 

What’s your way in creating the distribution group?

Posted in Office365 | Comments Off

Creating X500 addresses in Office365/Exchange Online using PowerShell

March 4th, 2014 by Jabez Gan [MVP]

Recently I was doing an email migration from Exchange On-premise to Office365, and the customer’s environment is not suitable to use Dirsync.

This means that I will need to export the X500 address from my local Active Directory and import it into Office365.

Here are the brief steps if you are facing this issue:

Export the LegacyExchangeDN and mail field in your AD:
1. In your DC server, run Command Prompt
2. Run the command:
csvde -f c:\sample.csv -l legacyexchangedn,mail

Now, with that .csv file, make sure that it has a “mail” and “legacyexchangedn” under the heading. See my attached sample file: sample CSV with LegacyExchangeDN

Import the legacyexchangedn/X500 into Office365/Exchange Online using PowerShell:

1. Connect to Exchange Online using PowerShell.
2. Run the command:

 

Import-CSV C:\sample.csv | foreach {
    # Append the old LegacyExchangeDN as an X500 proxy address
    $user = Get-Mailbox $_.mail
    $user.EmailAddresses += "X500:" + $_.legacyExchangeDN
    Set-Mailbox $_.mail -EmailAddresses $user.EmailAddresses
}

 

To check if the address has been added:
Get-Mailbox $user | FL emailaddresses

Posted in MS News | Comments Off

IIS in Workgroup, Clustered File Server in a Domain – Access Denied

February 28th, 2014 by Jabez Gan [MVP]

Environment:

IIS Servers in a DMZ Zone, configured in a Workgroup.

Clustered File Servers in the corporate network, in a Domain environment.

All servers are running Windows Server 2008 R2.

 

Problem:

When IIS web app tries to access the clustered file server hosted in the domain, it shows Access Denied.

 

Path to Solution:

On running Procmon.exe, w3wp.exe shows that it is trying to authenticate using whichever account. So I check my IIS Config and make sure that it is using an account which has rights to access the cluster file server in the domain.

Solution 1 – Ensure that your IIS is configured correctly with a user account that has the access rights to the cluster file server.

Specify the correct user account under Identity in the Advanced Setting


Select the Application Pool that this web application should use.

If the above does not solve the problem, please continue with Solution 2.

 

Solution 2 – Ensure that the username and password are the same between the domain server and the Workgroup IIS Server

If my clustered file server is using the following name:

User: domain\webapp
Password: Pa$$w0rd

Then my Workgroup IIS Server should have a local user created with the following name:

User: IISSERVER\webapp
Password: Pa$$w0rd

(IISSERVER is the name of the IIS Server)

(Make sure that all of your IIS Servers have the same username and password created as well)

 

Solution 3 – Use ICACLS.EXE to provide the rights to the clustered files

Now that you have the same user created on both servers (Domain and Workgroup), we will have to use ICACLS.exe to provide the permission (No, using the GUI does not work):

1. Map the shared cluster to Y: Drive

2. Open Command Prompt and execute the following:

icacls y:\SHAREDFOLDER /grant WEBAPP:(OI)(CI)RXW /T

(Replace SHAREDFOLDER with the folder that your web application needs to access; replace WEBAPP with the username that you created in Solution 2)

 

Hope this helps someone out there!

Posted in MS News | Comments Off

Want to use MS Exchange without burning your company’s pocket? Try Microsoft Online

January 23rd, 2014 by Jabez Gan [MVP]

Microsoft Online Services has been launched in Malaysia for quite a while. This means that Malaysian companies can finally use Exchange Online, Sharepoint Online, Live Meeting and Office Communicator hosted in Microsoft's data center.

Before we talk further, it’s always about the cost which entices the readers/bosses. Let me do a quick $$ breakdown:

(Sorry – the following will be in Ringgit Malaysia.)

SME (50 users)

- Decent System Administrator: RM3000 (monthly), or RM36,000 (yearly)
- Server hardware (with server redundancy, with license for 50 users): RM15,000 (one time)
Total: RM51,000

For Microsoft Online Services (with Exchange, OCS, Live Meeting and Sharepoint)

- RM33/user/month x 50 users x 12 months = Total: RM19,800

As you can see, Microsoft Online is a cheaper alternative to maintain your own IT infrastructure.

This is just a rough estimation.

What do you think?

For more information about Microsoft Online Services, you can click on this link.

Note: This calculation is very subjective and may not reflect everybody’s opinion.

Posted in Microsoft | Comments Off

Windows 8 – To come integrated with Anti Virus

January 18th, 2013 by Jabez Gan [MVP]

Folks! Good news for the consumers of Windows, and bad news for anti virus vendors.

In the next version of Windows 8, anti virus application will be integrated together with Windows Defender, which is used to block spyware and protect from slow performance due to certain applications. However, Windows Defender will be extended to include anti virus in Windows 8.

This potentially means that it is no longer necessary to purchase and install third-party anti virus software like Norton, McAfee or Sophos anti virus.

In the era of Windows XP and older, consumers and businesses would purchase firewall applications for all PCs. Once Windows XP SP2 introduced both incoming and outgoing monitoring, purchasing a firewall application became an optional item for enterprise customers.

With integrated anti virus in Windows 8, would this further decrease the profit and growth of major security vendors out there?

What are your thoughts?

Posted in MS News | Comments Off
