
Office 365 Dirsync: Batch update of AD users, and password sync not working?

January 23rd, 2015 by Jabez Gan [MVP]

Background:

Office 365 with Dirsync setup.

Problem:

After a batch update of users in AD, and assignment of licenses in Office 365, these users are not able to log in to Office 365.

However, if a single user is created in AD and assigned a license in Office 365, that user is able to log in to Office 365.

Solution:

Force a full password sync.

Note: You must have Directory Sync tool version 6438.0003 or greater installed in order to perform the process below.

To trigger a full password sync, perform the following steps:

  1. Open PowerShell, and then type Import-Module DirSync
  2. Type Set-FullPasswordSync, and then press Enter
  3. Load Services.msc
  4. Restart the Forefront Identity Manager Synchronization Service.


Azure AD Connect: One simple, fast, lightweight tool to connect Active Directory and Azure Active Directory

December 17th, 2014 by Jabez Gan [MVP]

Back in August I posted a blog announcing the beta release of Azure AD Connect. Since then we have received a lot of feedback and made improvements in AAD Connect and AAD Sync, including multi forest support and password write back.

The biggest thing we’ve learned from you, our customers and partners, is that rather than a bunch of different tools (DirSync, AAD Connect, AAD Sync, ADFS, etc.) you want one simple, integrated tool for connecting your existing Windows Server Active Directory with Azure Active Directory. You’ll be happy to know that we’ve acted on your feedback!

Today we’re releasing a public preview of the “new” Azure AD Connect (you can download it here).

Azure AD Connect is “new” because it is now one integrated tool that includes all the advances of AAD Sync and the features from the beta release of Azure AD Connect in a simple, fast & lightweight solution. Azure AD Connect has everything you need to connect your Windows Server AD(s) and Azure AD with only 4 clicks.

Now you can get started using Azure AD in under an hour, no new hardware required!

With this preview you can choose Express Settings or Custom settings just like before, only now you get the latest sync engine and capabilities.

Add one or many Active Directory forests to your connection.

And configure sync options: Exchange Hybrid sync, password write back and alternate ID attribute.

There are a few things I want to let you know about the preview:

  • Because it’s our first combined wizard and it is in Preview status, we are not supporting production deployments for this release. Our next release will be production supported.
  • Our goal is to bring 100% of the previous DirSync functionality into Azure AD Connect. Before we GA Azure AD Connect we will bring all Dirsync functionality in.
  • We’ve received a lot of great feedback from you and have incorporated most of it. But that doesn’t mean we’re done. Please keep the feedback coming!

Our goal is to GA Azure AD Connect with additional sync options, seamless migration from Dirsync, and production support in the next 90 days.

Please note there will no longer be separate releases of Azure AD Sync and Azure AD Connect. And we have no future releases of DirSync planned. Azure AD Connect is now your one stop shop for sync, sign on and all combinations of hybrid connections.

Source: Technet Blog


Exchange Management Console shows mailbox is migrating/migrated from one DB to another DB

October 9th, 2014 by Jabez Gan [MVP]

Scenario:

In an Exchange Hybrid environment (using Office 365).

Problem:

In Exchange Management Console (EMC), under Move Request, some mailboxes are shown as being moved. This action was not done by the local IT administrators. The affected mailboxes are mailboxes already migrated to Office 365.

Solution/Explanation:

Run a Get-MoveRequest and if you see something like below, you are actually seeing the database being moved from Exchange Online DB to another Exchange Online DB. This is part of Exchange Online DB maintenance. There is no impact to users.

ExchangeGuid               : 404b747c-d942-4ecc-ba61-9459c234a8d3
SourceDatabase             : APCPR04DG020-db001
TargetDatabase             : APCPR04DG011-db170
SourceArchiveDatabase      :
TargetArchiveDatabase      :
Flags                      : IntraOrg, Pull, MoveOnlyPrimaryMailbox


Auto Assign Office 365 License based on domain name

October 2nd, 2014 by Jabez Gan [MVP]

Problem: The customer has a few email domain names and is slowly migrating to Office 365. The customer wants to auto assign licenses for certain domains using PowerShell.

Step 1:

Set the Office 365 tenant password in a TXT file.

The PowerShell Script:

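#Modify below YOURPASSWORD to your Office 365 password
$password = "YOURPASSWORD"
#Convert the plain text to a SecureString first, then save its encrypted form to the file that Step 2 reads.
#Without -Key the saved value is protected with Windows DPAPI: only the same user on the same computer can read it back.
ConvertTo-SecureString $password -AsPlainText -Force | ConvertFrom-SecureString | Set-Content c:\o365\credmsol.txt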

Step 2:

Search based on the valid domains and add license for users that have not been licensed.

The PowerShell script:

#Valid Domains.
#Modify below domainA.com and domainB.com to your own domain that you want to auto assign license.
$validDomains = "*@domainA.com","*@domainB.com"

$MsolAdmUser = "admin@USERTENANTNAME.onmicrosoft.com"
#Use a name other than $pwd, which is a PowerShell automatic variable (the current directory)
$securePwd = Get-Content c:\o365\credmsol.txt | ConvertTo-SecureString
$cred = New-Object System.Management.Automation.PSCredential $MsolAdmUser, $securePwd

# CONNECT TO 365
Import-Module MSOnline
Connect-MsolService -Credential $cred

#Only users that have not been licensed yet
$temp = (Get-MsolUser -All -UnlicensedUsersOnly) | select userprincipalname

foreach ($a in $validDomains){
    foreach ($b in $temp){
        #Act only on users whose UPN matches one of the valid domains
        if ($b.userprincipalname -like $a){
            #A usage location must be set before a license can be assigned
            Set-MsolUser -UserPrincipalName $b.userprincipalname -UsageLocation "MY"
            Set-MsolUserLicense -UserPrincipalName $b.userprincipalname -AddLicenses "userTenantName:STANDARDWOFFPACK"
        }
    }
}

To get the "userTenantName:STANDARDWOFFPACK", you will need to run get-msolaccountsku.

The above is a script that I quickly developed. Apologies if it isn’t neat as of now 🙂


Office 365 – Unable to remove verified Domain name

June 25th, 2014 by Jabez Gan [MVP]

Problem:

When you are trying to delete a verified domain name in Office 365, an error pops up saying that some users or Office365 services are still attached to the domain.

Root Cause:

As the error says, some Office 365 services or users are still attached/assigned to the domain name that you are trying to remove.

Solution:

Things to check:

  1. Ensure that no users are associated with the domain that you are trying to delete. You can verify this by going into Users And Groups and editing a user. Ensure that the domain you are trying to delete, e.g. abc.com, is not listed there.
  2. Ensure that no security groups/distribution groups have accounts attached to abc.com. Security groups/distribution groups can be accessed by logging into Office 365, clicking on Users And Groups, and clicking on Security Groups.
  3. If you have just deleted the users, or changed the domain for each individual user, you will need to wait for a while (1 min?) as the changes need to sync to the different Office 365 service settings.
  4. If the accounts are uploaded by Dirsync, you will need to stop the Dirsync synchronization to change the accounts to Cloud Only accounts. Then, you will need to do steps 1-3 above to delete the security groups, and/or manually modify the e-mail address fields in Office 365, Exchange Online.


“Insufficient Permission” shown in DirSync’s MIISClient.exe

June 24th, 2014 by Jabez Gan [MVP]

Lately, I had an issue with Office 365’s MIISClient.exe

Problem:

MIISClient.exe shows that a bunch of user accounts failed to sync with the error “Insufficient Permission”.

Solution:

Certain permissions needed by the MSOL service account went missing (for whatever reason!). All we had to do was recheck the permissions.

Step 1: Run the Azure Active Directory Sync tool Configuration Wizard

Make sure that the latest version of the Directory Sync tool is installed and that you run the Azure Active Directory Sync tool Configuration Wizard. When you run the wizard, one screen prompts you to enable rich coexistence. Complete the wizard, and then start directory synchronization.

Alternatively, you can run the Enable-MSOnlineRichCoexistence cmdlet after the Directory Sync tool is installed to enable the write-back feature. This cmdlet must be run by using enterprise credentials or should be run by the enterprise admin.

Step 2: Confirm MSOL_AD_Sync_RichCoexistence permissions

If step 1 doesn’t resolve the issue, check that the MSOL_AD_Sync user belongs to the MSOL_AD_Sync_RichCoexistence group and that the group has Allow permissions to the user who is experiencing the issue, where write-back is not working for the following attributes:

  • msExchSafeSendersHash
  • msExchBlockedSendersHash
  • msExchSafeRecipientHash
  • msExchArchiveStatus
  • msExchUCVoiceMailSettings
  • ProxyAddresses

To do this, follow these steps:

  1. In Active Directory, make sure that the MSOL_AD_Sync_RichCoexistence group exists and that the MSOL_AD_Sync user is a member of the group.
  2. In the on-premises environment, use Active Directory Users and Computers to open the user properties for the user who is experiencing the issue.
  3. On the Security tab, click Advanced.

    Note
    You must enable advanced features to complete step 3.
  4. Make sure that the MSOL_AD_Sync_RichCoexistence group is listed. If it’s not listed, add the group, and then make sure that the group is granted Allow permissions to write to the attributes that are listed previously.

Note: Step 2 may be required if the object does not inherit permissions from the parent. This issue may be resolved by making sure that the object inherits permissions from the parent object.
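
A scripted version of the step 2 checks, as an added example that is not from the KB article or the Directory Sync tool. It assumes the ActiveDirectory PowerShell module is available, and the account name jdoe is a placeholder for the affected user.

```powershell
# Added example. Requires the ActiveDirectory (RSAT) module and read access to the directory.
Import-Module ActiveDirectory

$groupName  = 'MSOL_AD_Sync_RichCoexistence'   # group name as given in the post
$syncUser   = 'MSOL_AD_Sync'                   # service account name as given in the post
$targetUser = 'jdoe'                           # placeholder: sAMAccountName of the affected user
$attributes = 'msExchSafeSendersHash','msExchBlockedSendersHash','msExchSafeRecipientHash',
              'msExchArchiveStatus','msExchUCVoiceMailSettings','proxyAddresses'

# Step 1: the group exists and the sync account is a member of it
$group = Get-ADGroup -Identity $groupName -ErrorAction Stop
$isMember = @(Get-ADGroupMember -Identity $group -Recursive |
              Where-Object { $_.SamAccountName -eq $syncUser }).Count -gt 0
"{0} is a member of {1}: {2}" -f $syncUser, $groupName, $isMember

# ACEs reference attributes by schemaIDGUID, so map each attribute name to its GUID
$schemaNC   = (Get-ADRootDSE).schemaNamingContext
$guidToName = @{}
foreach ($attr in $attributes) {
    $obj = Get-ADObject -SearchBase $schemaNC -LDAPFilter "(lDAPDisplayName=$attr)" -Properties schemaIDGUID
    if ($obj) { $guidToName[([guid]$obj.schemaIDGUID).ToString()] = $attr }
    else      { Write-Warning "$attr not found in the schema" }
}

# Steps 2-4: read the ACL on the affected user object.
# Only ACEs scoped to a single attribute are matched; broader grants are not evaluated here.
$user = Get-ADUser -Identity $targetUser
$acl  = Get-Acl -Path ("AD:\" + $user.DistinguishedName)
"Inheritance blocked on object: {0}" -f $acl.AreAccessRulesProtected

$granted = $acl.Access | Where-Object {
    $_.AccessControlType -eq 'Allow' -and
    $_.IdentityReference.Value -like "*\$groupName" -and
    ($_.ActiveDirectoryRights -band [System.DirectoryServices.ActiveDirectoryRights]::WriteProperty) -and
    $guidToName.ContainsKey($_.ObjectType.ToString())
} | ForEach-Object { $guidToName[$_.ObjectType.ToString()] }

foreach ($attr in $attributes) {
    "{0,-28} write allowed: {1}" -f $attr, ($granted -contains $attr)
}
```

An object that reports inheritance as blocked together with missing write entries corresponds to the case described in the note above.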

 

Source: Microsoft KB 2406830

Hope this helps! 🙂


Enable Legal Hold by using PowerShell

June 23rd, 2014 by Jabez Gan [MVP]

Statement:

You have purchased some Office 365 E3 plans and have assigned the Office 365 E3 licenses to the users.

You would like to activate Legal Hold for these users in bulk, using PowerShell.

Script to Activate:

# First you need to be connected to the Exchange PowerShell.
$pagesize = 100 # The number of mailboxes per loop
$inc = 0 # Start increment value
# Continue until all mailboxes are litigation hold enabled.
# Note: a mailbox on which Set-Mailbox fails stays in the filter result, so the loop will not end by itself.
do {
    Write-Output "Getting mailboxes"
    # Get UserMailboxes that do not have litigation hold enabled (@() keeps .Count valid for a single result)
    $mailboxes = @(Get-Mailbox -Filter {LitigationHoldEnabled -eq $false -and RecipientTypeDetails -eq "UserMailbox"} -ResultSize $pagesize -WarningAction SilentlyContinue)
    if ($mailboxes) { Write-Output ("Current mailbox count: {0}" -f ($inc += $mailboxes.Count)) }
    # Enable litigation hold
    $mailboxes | Set-Mailbox -LitigationHoldEnabled $true -WarningAction SilentlyContinue
} while ($mailboxes);

Source: Goodworkaround.com


Free/busy not working in Hybrid

June 16th, 2014 by Jabez Gan [MVP]

In a Hybrid deployment, lately I had experienced that:

1. On-premise users can see cloud users’ free/busy

2. Cloud users can’t see on-premise users’ free/busy

 

Note: the below may not solve your problem, but it should lead you to the right way to brute force your way to solve the problem lol

Resolution:

1. Try out the Hybrid Free/Busy Troubleshooting Tool.

2. Check out: User can’t view free/busy information for a remote user in a hybrid deployment of on-premises Exchange Server and Exchange Online in Office 365

3. Did an IISRESET as recommended: http://jesperstahle.azurewebsites.net/?p=242

4. Update/Refresh the Federation Metadata. See this blog for more information.

  • Connect to Exchange Online in PowerShell
  • Execute: Get-FederationTrust | Set-FederationTrust -RefreshMetadata

5. Execute the free/busy test from Microsoft Remote Analyzer

6. Ensure that in all Exchange Servers (including the inactive ones located in the DR sites), the Get-WebServicesVirtualDirectory has the correct ExternalURL: https://mail.contoso.com/ews/exchange.asmx (and is routable from the internet)

Get-WebServicesVirtualDirectory -Identity "ServerName\EWS (Default Web Site)"

 

Leave a comment if it’s still not working. No promise that I can help you fix, but I’ll try 🙂


Office365 – Dirsync not synchronizing fully

April 19th, 2014 by Jabez Gan [MVP]

Background:

Directory sync is located in the internal network and is behind a TMG proxy. TMG Proxy has been configured to allow Directory Sync to access HTTPS of the internet.

Problem:

With Directory Sync installed, the synchronization fails from time to time after a few hours of sync (we have >10,000 objects to be synced to the cloud).

Root Cause:

Directory sync should have direct connection to the internet. It is known to create issues if it is behind a TMG Proxy.


PowerShell to create Distribution Group in Exchange 2010/Office365

April 14th, 2014 by Jabez Gan [MVP]

When setting up Office365/Exchange 2010, it is very common to assist the customer to create distribution groups.

 

This is my way to script it to speed up the creation of the distribution groups:

1. Create a CSV file for each distribution group. For my case, I have _AllStaff.CSV created. See below link for the sample of the file.

_AllStaff

 

2. Use Powershell and run the following:

$name = "AllStaff"

(The above should be the filename of your CSV file).

 

New-DistributionGroup -Name "_All Staff" -alias $name -primarysmtpaddress "$name@abc.com" -memberdepartrestriction closed

(Modify the bold items to the right Distribution Group name and domain name)

 

Import-csv “D:\$name.csv” | foreach {add-distributiongroupmember -identity $name@abc.com -member $_.EmailAddress}

(Point the location to the CSV file, and also specify the correct distribution group name)

 

What’s your way in creating the distribution group?


Additional Microsoft Online Speed Test Links

November 1st, 2012 by Jabez Gan [MVP]

Again, given the importance of fast connectivity to cloud offerings, here are extra links that give you more accurate speed details for your connection to the cloud.

Use the following appropriate links to do your own speed test based on your Office365 service location:

APAC: http://speedtest.apac.microsoftonline.com/

EMEA: http://speedtest.emea.microsoftonline.com/

US: http://speedtest.microsoftonline.com/

 

For Lync:

Let me know if this helps!


Lotus Dominos Migration to Exchange Online/Exchange using Quest Notes Migrator for Exchange

September 8th, 2012 by Jabez Gan [MVP]

Problem: You are using Quest Notes Migrator for Exchange (NME) to migrate from Lotus Dominos to Exchange Online/Exchange On-premise, and on migrating the user accounts, new emails are no longer entering Lotus Dominos.

 

Problem Statement: You want to have a copy of the new email stored in Lotus Dominos and have a copy forwarded to Exchange Online/Exchange On-premise.

Solution: To be exact, there is no solution to this, as the Quest NME tool doesn’t support leaving a copy on Lotus Dominos before forwarding it to Exchange Online/Exchange on-premise. However, it might be possible (correct me if I’m wrong) to configure Lotus Dominos directly to leave a copy before forwarding it, if the NME tool modifies Lotus Dominos parameters directly.
