Importing PST to Office 365 Exchange online mailboxes through the new Import Service

Note:

Microsoft has decided to charge for this service ($8 per GB).

Microsoft has launched a new feature that allows administrators to import PST files into Exchange Online mailboxes directly through the portal.

In this article I'll guide you through the steps of uploading one PST file and importing it into a user's mailbox. The steps are the same as in Microsoft's TechNet article, but this walkthrough is more detailed and includes screenshots.

To achieve this, first sign in to your Office 365 portal, open the Exchange admin center and follow the steps below:

1. Granting permission

Grant yourself permission to import PST files into users' mailboxes: in the Exchange admin center go to Permissions and double-click Compliance Management.

Under Roles, click + and add the Mailbox Import Export role.

Under Members, click + and add your user account.


2. Copying the secure URL and secure storage account key

To get the Azure secure storage account key and URL, go back to the Office 365 portal and click the Import tab in the left pane.

Then click the key icon below.


When you click it, you can retrieve the key and the URL by clicking Copy Key and Copy URL.


The secure storage account key is long, and it is easy to copy only the visible portion of it from the field. If you paste a truncated key into the AzCopy command or Azure Storage Explorer you will get an error.

Here’s my Secure Storage account key that I am using on a trial version of Office 365.

KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g==

Next: copying the URL.

One part of the URL is important: it is what you use in the Azure Storage Explorer tool to log in and browse your tenant's storage, which is where you upload the PST files.

The URL looks like the following. You need to copy the storage account name, which is the first label of the host name:

https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/

Copy this part into the storage account name field:

d49d7ae0e38a4d8e9c93565

3. Copying PST files to the Azure folder using the AzCopy command or Azure Storage Explorer

There are two ways to upload PST files to Azure: the AzCopy command, which is easy and straightforward (but still command-line based), or the GUI application Azure Storage Explorer.

To download AzCopy, use the following link:

http://az635501.vo.msecnd.net/azcopy-3-2-0/MicrosoftAzureStorageTools.msi

Or download it from the Import page under Resources:


Once the tool is installed, right-click it and run it as administrator.

The following command takes all the files inside my local folder C:\Users\Mohammed\Desktop\upload.

It creates a folder called "SERVER01/PSTshareR1/" inside Azure's default ingestiondata container.

It uses the /Destkey that I retrieved from the Office 365 Import window, and writes all the logs to the local file C:\PSTUpload\Uploadlog.log.

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log


To make sure that the files are uploaded, I open Azure Storage Explorer 6 (Preview) and click Add Account at the top.

In the Add Storage Account window I use the account name that I took from the URL earlier, paste the secure key into the Storage account key field and click Save.


Once I click that I get a list of directories. The default directory used by Office 365 is the "ingestiondata" folder, and that is where our files are uploaded.


https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/
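The AzCopy command above puts the storage account key directly on the command line, where it ends up in the shell history and in any transcript. The following PowerShell wrapper is an added example, not part of the original post: it prompts for the key, rejects an obviously truncated paste (the mistake described above), runs AzCopy with the same switches as the command in the post and checks the exit code. The install path of AzCopy.exe and the friendly path are assumptions; adjust them to your environment. Note that AzCopy 3.x still receives the key as a process argument, so it remains visible to anyone who can list processes on the machine while the upload runs.

```powershell
# Added example (not the original post's command). Uploads a folder of PST files to the
# ingestiondata container the Import service expects, without leaving the storage key
# in the shell history.
function Invoke-PstUpload {
    param(
        [Parameter(Mandatory)] [string] $SourceFolder,     # e.g. C:\Users\Mohammed\Desktop\upload
        [Parameter(Mandatory)] [string] $StorageAccount,   # first label of the secure URL, e.g. d49d7ae0e38a4d8e9c93565
        [Parameter(Mandatory)] [string] $FriendlyPath,     # folder created under ingestiondata, e.g. SERVER01/PSTshareR1
        [string] $LogFile   = 'C:\PSTUpload\Uploadlog.log',
        # Assumed default install location of AzCopy 3.x; change if yours differs
        [string] $AzCopyExe = 'C:\Program Files (x86)\Microsoft SDKs\Azure\AzCopy\AzCopy.exe'
    )

    if (-not (Test-Path $AzCopyExe)) { throw "AzCopy not found at $AzCopyExe" }

    $pst = @(Get-ChildItem -Path $SourceFolder -Filter *.pst -File)
    if ($pst.Count -eq 0) { throw "No .pst files found in $SourceFolder" }

    # Prompt for the key instead of pasting it on the command line
    $secure = Read-Host -Prompt 'Secure storage account key' -AsSecureString
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($secure)
    try   { $key = [Runtime.InteropServices.Marshal]::PtrToStringBSTR($bstr) }
    finally { [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr) }

    # A storage account key is a base64 string of roughly 88 characters; a much shorter
    # value almost always means only the visible part of the field was copied
    if ($key -notmatch '^[A-Za-z0-9+/]+={0,2}$' -or $key.Length -lt 80) {
        throw 'The key looks truncated or malformed; copy the complete key from the Import page'
    }

    New-Item -ItemType Directory -Path (Split-Path $LogFile) -Force | Out-Null
    $dest = "https://$StorageAccount.blob.core.windows.net/ingestiondata/$FriendlyPath/"

    # Same switches as the post: /S recurse, /V verbose log; /Y suppresses confirmation prompts
    & $AzCopyExe "/Source:$SourceFolder" "/Dest:$dest" "/DestKey:$key" '/S' '/Y' "/V:$LogFile"
    $exit = $LASTEXITCODE
    $key = $null

    if ($exit -ne 0) { throw "AzCopy exited with code $exit; see $LogFile" }

    [pscustomobject]@{
        Files       = $pst.Count
        TotalMB     = [math]::Round(($pst | Measure-Object Length -Sum).Sum / 1MB, 1)
        Destination = $dest
        Log         = $LogFile
    }
}

# Usage (values from the post; the key is prompted for):
# Invoke-PstUpload -SourceFolder 'C:\Users\Mohammed\Desktop\upload' -StorageAccount 'd49d7ae0e38a4d8e9c93565' -FriendlyPath 'SERVER01/PSTshareR1'
```

After the run, open the log file and the ingestiondata container in Azure Storage Explorer and confirm that the file count matches the Files value returned here before building the mapping CSV.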

4. Creating the CSV file to import the PST files

Assuming you have 150 PST files that you want to upload and import into users that are already enabled on Exchange Online, you have to prepare a CSV file that looks like the sample below.

To explain what each column stands for, Microsoft has written a table that clears things up, but some parts were not clear even to me, such as FilePath: the TechNet article confuses it with the "Ship data on physical hard drives" option, since that uses your drive to upload data directly to Azure through the Import tool on the Office 365 portal.


From <https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396>

Note:

The friendly path here is the path of the folder you created in Azure through the AzCopy command (SERVER01/PSTshareR1 in the command below):

AzCopy /Source:C:\Users\Mohammed\Desktop\upload /Dest:https://d49d7ae0e38a4d8e9c93565.blob.core.windows.net/ingestiondata/SERVER01/PSTshareR1/ /Destkey:KA9Z00rEYa1JlqGE4wO222MnsN5ywT0elOgLeNht/fSMIJPe2134hEChuuDJ5mfdknq8ts0+cez6uUvFzcQd6g== /S /V:C:\PSTUpload\Uploadlog.log

CSV Sample


So the CSV File is ready.
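Typing 150 rows by hand is where mapping mistakes (wrong FilePath, misspelled mailbox) come from. The PowerShell function below is an added example, not the post's own CSV: it builds the mapping file from the PST files actually present in the upload folder, using the column layout of Microsoft's sample mapping file for this version of the service (Workload, FilePath, Name, Mailbox, IsArchive, TargetRootFolder, SPFileContainer, SPManifestContainer, SPSiteUrl; check it against the TechNet article linked above before relying on it). The file-to-mailbox hashtable and the folder names are assumptions for illustration.

```powershell
# Added example (not the original post's CSV). Generates the PST import mapping file from
# the PSTs in the local upload folder so FilePath and Name always match what AzCopy uploaded.
function New-PstMappingCsv {
    param(
        [Parameter(Mandatory)] [string]    $LocalFolder,    # folder you uploaded with AzCopy
        [Parameter(Mandatory)] [string]    $FilePath,       # friendly path used in /Dest, e.g. 'SERVER01/PSTshareR1'
        [Parameter(Mandatory)] [hashtable] $FileToMailbox,  # 'user1.pst' = 'user1@domain.com'
        [Parameter(Mandatory)] [string]    $OutputCsv,
        [string] $TargetRootFolder = '/'                    # '/' merges into the mailbox root; a name creates that folder
    )

    $rows = foreach ($pst in Get-ChildItem -Path $LocalFolder -Filter *.pst -File) {
        $mailbox = $FileToMailbox[$pst.Name]
        if (-not $mailbox) {
            Write-Warning "No mailbox mapped for $($pst.Name); skipping"
            continue
        }
        # Catch typos before the Import service rejects the whole mapping file
        if ($mailbox -notmatch '^[^@\s]+@[^@\s]+\.[^@\s]+$') {
            throw "'$mailbox' (for $($pst.Name)) is not an e-mail address"
        }
        [pscustomobject]@{
            Workload            = 'Exchange'
            FilePath            = $FilePath
            Name                = $pst.Name
            Mailbox             = $mailbox
            IsArchive           = 'FALSE'
            TargetRootFolder    = $TargetRootFolder
            SPFileContainer     = ''
            SPManifestContainer = ''
            SPSiteUrl           = ''
        }
    }

    # Mapped names with no matching file usually mean a typo in the hashtable
    foreach ($name in $FileToMailbox.Keys) {
        if (-not (Test-Path (Join-Path $LocalFolder $name))) {
            Write-Warning "Mapped file $name was not found in $LocalFolder"
        }
    }

    $rows | Export-Csv -Path $OutputCsv -NoTypeInformation -Encoding ASCII
    return @($rows).Count
}

# Usage with constructed sample values:
# $map = @{ 'user1.pst' = 'user1@domain.com'; 'user2.pst' = 'user2@domain.com' }
# New-PstMappingCsv -LocalFolder 'C:\Users\Mohammed\Desktop\upload' -FilePath 'SERVER01/PSTshareR1' -FileToMailbox $map -OutputCsv 'C:\PSTUpload\mapping.csv'
```

The function returns the number of rows written, so you can compare it against the number of PST files you uploaded before submitting the mapping file in the portal.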

In Azure Storage Explorer I double-check that the PST files have finished uploading and are there.


5. Using Upload files over the network

Back in the Office 365 portal, go to Import, click the + sign and select Upload files over the network.


Select "I have access to the mapping file" as well.


Click + and upload the CSV mapping file that you prepared.

Once the file is imported, tick "By checking this box, you agree to the terms and conditions of this service".


As soon as you accept and click Next, the Import service checks the path, e-mail address and folder, and starts the import process.


E-mail before importing


Import started; the folder has been created


Importing is done


Reference

https://technet.microsoft.com/library/ms.o365.cc.IngestionHelp.aspx?v=15.1.166.0&l=1&f=255&MSPPError=-2147217396#BKMK_CreateAnewMappingtoupload

https://azure.microsoft.com/en-us/documentation/articles/storage-use-azcopy/

Import Microsoft IP addresses into the receive connector

Sometimes, after you run the Office 365 Hybrid Configuration Wizard from Exchange 2010 and the integration completes successfully, not all of Microsoft's IP ranges are imported into the "Inbound from Office 365" receive connector, so you may have to add them manually on your on-premises Exchange server.

To do so, open the Exchange Management Shell as administrator and run the following cmdlets.

[PS] C:\>$RecvConn = Get-ReceiveConnector "Inbound from Office 365"

[PS] C:\>$RecvConn.RemoteIPRanges += "65.52.148.27", "65.52.184.75", "65.52.208.73", "65.52.240.233", "65.54.80.0/20", "65.54.165.0/25", "65.55.86.0/23", "65.55.233.0/27", "70.37.128.0/23", "65.54.54.32/27", "65.54.55.201", "65.54.74.0/23", "70.37.142.0/23", "70.37.159.0/24", "94.245.68.0/22", "65.55.239.168", "70.37.97.234", "94.245.86.0/24", "94.245.117.53", "94.245.108.85", "94.245.82.0/23", "94.245.84.0/24", "132.245.0.0/16", "157.56.23.32/27", "157.56.53.128/25", "157.55.155.0/25", "157.56.55.0/25", "157.56.58.0/25", "157.55.59.128/25", "157.55.145.0/25", "157.55.185.100", "157.55.194.46", "157.55.227.192/26", "157.56.151.0/25", "157.56.200.0/23", "157.56.236.0/22", "207.46.216.54", "207.46.57.128/25", "207.46.70.0/24", "207.46.73.250", "207.46.150.128/25", "207.46.198.0/25", "207.46.206.0/23", "213.199.148.0/23", "213.199.182.128/25"

[PS] C:\>Set-ReceiveConnector "Inbound from Office 365" -RemoteIPRanges $RecvConn.RemoteIPRanges

Hit Enter after each PS line and you will be able to find all those IPs in your connector.
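The `+=` above appends blindly: running it twice leaves duplicate entries, and a mistyped range goes straight into the connector. The function below is an added example (not from the original post) that applies the same list idempotently: it validates each entry as an IPv4 address or CIDR range, skips ranges the connector already has, supports -WhatIf, and returns the resulting list so you can review it. The connector identity is an assumption; use the name shown in your own Get-ReceiveConnector output.

```powershell
# Added example (not the original post's commands). Adds remote IP ranges to a receive
# connector without creating duplicates and without accepting malformed entries.
function Add-ReceiveConnectorRemoteIPs {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]   $Identity,   # e.g. 'EXCH01\Inbound from Office 365' (assumed name)
        [Parameter(Mandatory)] [string[]] $IPRanges
    )

    $conn    = Get-ReceiveConnector -Identity $Identity
    $current = @($conn.RemoteIPRanges | ForEach-Object { $_.ToString() })
    $toAdd   = @()

    foreach ($r in $IPRanges) {
        # Only dotted IPv4 addresses or CIDR ranges, which is all the list above contains
        if ($r -notmatch '^(\d{1,3}\.){3}\d{1,3}(/\d{1,2})?$') {
            Write-Warning "Skipping malformed range '$r'"
            continue
        }
        if ($current -contains $r -or $toAdd -contains $r) { continue }  # already present
        $toAdd += $r
    }

    if ($toAdd.Count -eq 0) {
        Write-Verbose 'All ranges are already on the connector; nothing to do'
        return $current
    }

    $new = $current + $toAdd
    if ($PSCmdlet.ShouldProcess($Identity, "add $($toAdd.Count) remote IP range(s)")) {
        Set-ReceiveConnector -Identity $Identity -RemoteIPRanges $new
    }
    return $new
}

# Usage: $ranges is the array from the cmdlet above; a few entries shown here
# $ranges = "65.52.148.27", "65.54.80.0/20", "132.245.0.0/16"
# Add-ReceiveConnectorRemoteIPs -Identity 'EXCH01\Inbound from Office 365' -IPRanges $ranges -WhatIf
# Add-ReceiveConnectorRemoteIPs -Identity 'EXCH01\Inbound from Office 365' -IPRanges $ranges
```

Run it once with -WhatIf to see what would be added, then without. Because a receive connector's RemoteIPRanges decides who may relay through it, keeping the list reviewable matters more than the few seconds saved by the one-liner.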

Export Office 365 users from a specific domain and change their passwords

First, connect to your tenant with your global admin account using the following script:

Import-Module MSOnline

$O365Cred = Get-Credential

$O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $O365Cred -Authentication Basic -AllowRedirection

Import-PSSession $O365Session

Connect-MsolService -Credential $O365Cred

After connecting, run the following command. It exports all users of one specific domain, which is useful if you have more than one domain added to your portal.

Get-MsolUser -DomainName Domain.com | Select UserPrincipalName | Export-Csv C:\users.csv -NoTypeInformation


To change the passwords of those users, run the following command and press Enter; you will get a prompt where you enter the new password that you want to set for all users in the exported file.

$PASS = Read-Host


Run this command to change the passwords:

Import-Csv C:\Users.csv | % { Set-MsolUserPassword -UserPrincipalName $_.UserPrincipalName -NewPassword $PASS -ForceChangePassword $True }


That’s it. Now users inside the exported csv file have the new password which you have just set.

Note that users will be prompted to reset their passwords upon login, if you don’t want this to happen you can remove the -ForceChangePassword $True parameter.
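Setting one shared password on every user in the CSV means that anyone who learns it can sign in as any of them until they all change it. The script below is an added example (not the original post's commands) that does the same export-and-reset, but gives each user an individual random temporary password from a CSPRNG, keeps -ForceChangePassword on, supports -WhatIf, and writes the temporary passwords to a CSV for distribution. It assumes you already ran the connection script above; the domain name and output path are placeholders.

```powershell
# Added example (not the original post's commands). Per-user random temporary passwords
# instead of one shared password for the whole domain.
function New-TemporaryPassword {
    param([int] $Length = 16)
    # Alphabet without look-alike characters (0/O, 1/l/I)
    $alphabet = 'abcdefghjkmnpqrstuvwxyzABCDEFGHJKLMNPQRSTUVWXYZ23456789!@#$%'.ToCharArray()
    $rng   = [System.Security.Cryptography.RandomNumberGenerator]::Create()
    $limit = 256 - (256 % $alphabet.Length)   # reject bytes >= limit to avoid modulo bias
    $chars = New-Object System.Collections.Generic.List[char]
    $buf   = New-Object byte[] 1
    while ($chars.Count -lt $Length) {
        $rng.GetBytes($buf)
        if ($buf[0] -lt $limit) { $chars.Add($alphabet[$buf[0] % $alphabet.Length]) }
    }
    -join $chars
}

function Reset-DomainUserPasswords {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $DomainName,   # e.g. Domain.com
        [Parameter(Mandatory)] [string] $OutputCsv     # receives UPN + temporary password; protect and delete after use
    )

    $results = foreach ($u in Get-MsolUser -DomainName $DomainName -All) {
        $temp = New-TemporaryPassword
        if ($PSCmdlet.ShouldProcess($u.UserPrincipalName, 'reset password')) {
            # Same cmdlet as the post; the user must change the temporary password at first sign-in
            Set-MsolUserPassword -UserPrincipalName $u.UserPrincipalName -NewPassword $temp -ForceChangePassword $true | Out-Null
        }
        [pscustomobject]@{ UserPrincipalName = $u.UserPrincipalName; TemporaryPassword = $temp }
    }

    $results | Export-Csv -Path $OutputCsv -NoTypeInformation
    return @($results).Count
}

# Dry run first, then for real:
# Reset-DomainUserPasswords -DomainName 'Domain.com' -OutputCsv 'C:\users-reset.csv' -WhatIf
# Reset-DomainUserPasswords -DomainName 'Domain.com' -OutputCsv 'C:\users-reset.csv'
```

The output CSV is itself a credential store: hand the temporary passwords out through a channel your organization trusts and remove the file once everyone has signed in.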


Exchange: Cannot process command because of one or more missing mandatory parameters

Symptoms:

After you synchronize users from the local Active Directory to the Office 365 directory using DirSync and try to assign licenses to the users in the Office 365 portal, you get the following error.

Error:

Exchange: Cannot process command because of one or more missing mandatory parameters: ArchiveGuid.Exchange: An unknown error has occurred. Refer to correlation ID: dfd8cc2d-e6a4-4b47-8e1e-2059031893c1

The error message indicates that the ArchiveGuid parameter is missing. Use the following steps to narrow down the issue:

1. Connect Windows PowerShell to Exchange Online and run the commands below to compare this parameter between a user with the error and a normal user:

$LiveCred = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Get-Mailbox <username_with_errors> | fl archive*

Get-Mailbox <username_no_errors> | fl archive*

Apparently the commands above didn't work, so I had to check something else.

In order to solve the problem:

  1. I had to assign a license to the user synced on O365.
  2. Check the user's proxy target attribute using ADSI (which was correct).
  3. Check the archiving attributes, since the error mentions the archiving option.
  4. After checking the archiving attributes it turned out that the Exchange admin had changed the attributes below before he assigned the user the license on O365 and migrated the user.
  5. So deleting the value of msExchArchiveName and setting msExchRemoteRecipientType back to 4 solved the problem.
  6. Of course DirSync needs to run in order to sync the changes from AD to O365.

Note:

The migration for the user should be "continued" from the previous migration batch in the portal; if you start a new batch for the same user, the result will show as completed but the migration won't take place.

If you used DirSync to sync users from local to online, please try to restart the DirSync to check whether this issue persists or not.
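Comparing the on-premises attributes of a failing and a working user is the step that found the cause above. The PowerShell below is an added example (not the original post's commands): the first function pulls the Exchange-related attributes of two AD users and marks which ones differ; the second applies the fix the post describes (clear msExchArchiveName, set msExchRemoteRecipientType back to 4) with -WhatIf support. It assumes the ActiveDirectory module is available on the machine; the user names are placeholders, and DirSync still has to run afterwards to push the change to O365.

```powershell
# Added example (not the original post's commands). Side-by-side comparison of the on-premises
# attributes that drive Exchange Online provisioning, plus the fix described in the post.
function Compare-ExchangeSyncAttributes {
    param(
        [Parameter(Mandatory)] [string] $FailingUser,   # sAMAccountName of the user with the error
        [Parameter(Mandatory)] [string] $WorkingUser    # sAMAccountName of a user that licenses fine
    )
    $props = 'msExchArchiveName', 'msExchArchiveGUID', 'msExchRemoteRecipientType',
             'msExchRecipientTypeDetails', 'targetAddress', 'mailNickname'

    $a = Get-ADUser -Identity $FailingUser -Properties $props
    $b = Get-ADUser -Identity $WorkingUser -Properties $props

    foreach ($p in $props) {
        # Stringify so byte[] (archive GUID) and multi-valued attributes compare sensibly
        $va = "$($a.$p)"; $vb = "$($b.$p)"
        [pscustomobject]@{ Attribute = $p; Failing = $va; Working = $vb; Same = ($va -eq $vb) }
    }
}

function Repair-RemoteMailboxAttributes {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $Identity)

    if ($PSCmdlet.ShouldProcess($Identity, 'clear msExchArchiveName and set msExchRemoteRecipientType = 4')) {
        # -Clear is harmless if the attribute is already empty; -Replace overwrites the current value
        Set-ADUser -Identity $Identity -Clear msExchArchiveName -Replace @{ msExchRemoteRecipientType = 4 }
    }
}

# Usage:
# Compare-ExchangeSyncAttributes -FailingUser 'jdoe' -WorkingUser 'asmith' | Where-Object { -not $_.Same } | Format-Table
# Repair-RemoteMailboxAttributes -Identity 'jdoe' -WhatIf
```

Look at the rows where Same is False first; in the case described above the difference was exactly msExchArchiveName and msExchRemoteRecipientType.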

Exchange Hybrid Integration with Office 365

Before starting the integration, you should run some tools to check that your environment has no issues.

First, use the IdFix tool to check Active Directory for any problems that could surface when installing DirSync and synchronizing users and their objects to the cloud.

IdFix is used to perform discovery and remediation of identity objects and their attributes in an on-premises Active Directory environment in preparation for migration to Office 365. IdFix is intended for the Active Directory administrators responsible for DirSync with the Office 365 service.

http://community.office365.com/en-us/w/diagnostic_tools/default.aspx?ss=465d14b0-c5fe-4bbf-84d2-c791113732e2#idfixdirsyncerrorremediationtool

  1. To prepare Exchange for hybrid configuration with Exchange Online, complete the following steps.

http://technet.microsoft.com/en-us/library/jj151800.aspx#BKMK_InstallDirSyncTool

  • Install ADFS (optional) for SSO (to authenticate users against the local AD)

Note about ADFS:

ADFS can be the cause of a lot of headaches, and it is usually better to avoid installing it. Instead of using ADFS so that users keep the same password in large-scale deployments, DirSync can synchronize local passwords to Azure AD, and the same password can then be used both locally and online.

  1. Create an enterprise admin user account on the domain for the DirSync service.
  2. Install DirSync with password synchronization: prepare a separate server for the DirSync tool running Windows 2008 R2 SP1 or 2012 R2; the server should be domain joined in order to reach Active Directory.
  3. The account used with DirSync should be a member of Domain Admins. You also need the admin credentials for the tenant that you signed up for on O365.

http://technet.microsoft.com/en-us/library/jj151831.aspx

Click Next again, then click Next after selecting the proper location.

While installing I got an error saying that the current user was not a member of the Synchronization Engine FIMSyncAdmins group.

I tried to uninstall DirSync but it gives the same error message.

The FIMSyncAdmins group is a local group on the server. Your user is not a member of that group locally, so try adding your user to the group. After adding the user to the required group, the installation completed successfully.

First you need to make sure that your custom (personal) domain is active.

Now we need to enable DirSync from the portal: next to Active Directory -> Synchronization, click Set up and activate DirSync.

Now click Activate.

Now that we have made sure that our domain is active and we have activated DirSync in the Office 365 portal, let's go back to the DirSync server to complete the steps and check whether we can start syncing your Active Directory.

Type the enterprise admin user that you prepared for DirSync; in my case I'm just going to use the domain admin user since it's a lab.

Make sure you Enable Hybrid Deployment since Azure active directory will modify objects in your on-premises AD.

If you want the on-premises AD passwords of your users synchronized to their Office 365 accounts, you must tick the option shown in the snapshot below.

Here, when I click Next I get the following error:

Error:

The new version of Dirsync doesn’t accept the domain admin account.

Solution:

To resolve the problem you have to create a new user account with enterprise admin privileges and use this account to connect to AD during configuration.

Here I created the new user and added the required groups.

After using the new account there was no issue with the setup and I could complete the configuration successfully.

Once the configuration has finished you will find event ID 611 in the logs.

Checking the Office 365 portal, I can see that the users have been synced:

Now let's go to the on-premises Exchange server. Before starting the HCW on Exchange on-premises you have to complete three main steps:

  1. Make sure Autodiscover is set.
  2. Make sure WSSecurity is set to true.
  3. Make sure MRSProxy is set to true.

You need to make sure that the Autodiscover URL on the Autodiscover virtual directory is set for both internal and external. First check the current configuration with the following command:

Get-AutodiscoverVirtualDirectory | fl

If the internal and external Autodiscover URLs are not set, set them with the following commands:

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (Default Web Site)' -InternalUrl https://internalfqdn.domain.com/autodiscover/autodiscover.xml

Set-AutodiscoverVirtualDirectory -Identity 'autodiscover (Default Web Site)' -ExternalUrl https://mail.domain.com/autodiscover/autodiscover.xml

From <http://technet.microsoft.com/en-us/library/aa998601(v=exchg.150).aspx>

Now we have to enable WSSecurity and MRSProxy, since neither is enabled by default on the Web Services virtual directory.

You can check whether they are enabled with the following cmdlet:

Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl

Then enable MRSProxy and WSSecurity on the Web Services virtual directory from the Exchange Management Shell, and run "Get-WebServicesVirtualDirectory -Server ExchangeHostName | fl" again to see that the values have changed.
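The three checks above (Autodiscover URLs, WSSecurity, MRSProxy) are the ones the HCW silently depends on. The PowerShell below is an added example, not the post's own cmdlets: one function reports the current state of all three for a server and returns a single Ready flag, the other sets them using Set-AutodiscoverVirtualDirectory and Set-WebServicesVirtualDirectory with -WhatIf support. The server name and FQDNs are placeholders; run it in the Exchange Management Shell.

```powershell
# Added example (not the original post's commands). Checks and sets the virtual directory
# settings that Exchange hybrid mailbox moves and free/busy depend on.
function Test-HybridVirtualDirectories {
    param([Parameter(Mandatory)] [string] $Server)   # e.g. EXCH01

    $auto = Get-AutodiscoverVirtualDirectory -Server $Server
    $ews  = Get-WebServicesVirtualDirectory -Server $Server

    [pscustomobject]@{
        Server                   = $Server
        AutodiscoverInternalUrl  = "$($auto.InternalUrl)"
        AutodiscoverExternalUrl  = "$($auto.ExternalUrl)"
        WSSecurityAuthentication = [bool]$ews.WSSecurityAuthentication
        MRSProxyEnabled          = [bool]$ews.MRSProxyEnabled
        # All three prerequisites from the post must hold before running the HCW
        Ready = [bool]($auto.InternalUrl -and $auto.ExternalUrl -and
                       $ews.WSSecurityAuthentication -and $ews.MRSProxyEnabled)
    }
}

function Enable-HybridVirtualDirectories {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string] $Server,         # e.g. EXCH01
        [Parameter(Mandatory)] [string] $InternalFqdn,   # e.g. internalfqdn.domain.com
        [Parameter(Mandatory)] [string] $ExternalFqdn    # e.g. mail.domain.com
    )

    $internal = "https://$InternalFqdn/autodiscover/autodiscover.xml"
    $external = "https://$ExternalFqdn/autodiscover/autodiscover.xml"

    if ($PSCmdlet.ShouldProcess("$Server Autodiscover vdir", "set InternalUrl/ExternalUrl")) {
        Get-AutodiscoverVirtualDirectory -Server $Server |
            Set-AutodiscoverVirtualDirectory -InternalUrl $internal -ExternalUrl $external
    }

    if ($PSCmdlet.ShouldProcess("$Server EWS vdir", "enable WSSecurityAuthentication and MRSProxy")) {
        Get-WebServicesVirtualDirectory -Server $Server |
            Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true -MRSProxyEnabled $true
    }

    Test-HybridVirtualDirectories -Server $Server
}

# Usage:
# Test-HybridVirtualDirectories -Server 'EXCH01'
# Enable-HybridVirtualDirectories -Server 'EXCH01' -InternalFqdn 'internalfqdn.domain.com' -ExternalFqdn 'mail.domain.com' -WhatIf
```

Run the test function before the HCW and keep its output; if the wizard fails later, a Ready value of False on any Client Access server is the first thing to rule out.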

Now I go to my local Exchange server and start the hybrid process.

Under Microsoft Exchange On-Premises, after adding our trusted tenant domain to the Exchange server, we click Organization Configuration.

Click Next and enter the credentials for your domain admin and tenant admin.

Click Next and enter the verified domain.

Click Next; here you need to press Ctrl+C to copy the value and create it as a TXT record in your public DNS.

Click next once you verified that the value has been published and available on

Select the Mailbox, Client Access and Hub Transport servers.

Click Next again. Here you need to create a new A record in your public DNS that points to your inbound connector's IP under Forefront Online Protection, and enter the FQDN (e.g. "Mail.domain.com") under the outbound connector; alternatively, enter the public IP of your SMTP gateway if you have one, and create an A record in your public DNS with the same IP.

In the following step, the snapshot shows the certificate that I have associated with my Hub Transport server; this is a public certificate bought from a third party.

Select the certificate and choose how you want to route your mail.

Click Manage. When clicking Manage you might get the following error message:

Summary: 2 item(s). 1 succeeded, 1 failed.

Elapsed time: 00:03:37

Set-HybridConfiguration

Completed

Exchange Management Shell command completed:

Set-HybridConfiguration -Features 'MoveMailbox','OnlineArchive','FreeBusy','Mailtips','MessageTracking','OwaRedirection','SecureMail','CentralizedTransport' -Domains 'cloudimia.com' -ClientAccessServers 'EXCH01' -TransportServers 'EXCH01' -ExternalIPAddresses '95.0.52.125' -OnPremisesSmartHost 'hybrid.cloudimia.com' -SecureMailCertificateThumbprint 'E2539EB2BE3BB5FFB56B5EF3BF4CB2017A645717'

Elapsed Time: 00:00:06

Update-HybridConfiguration

Failed

Error:

Updating hybrid configuration failed with error ‘Subtask Configure execution failed: Configure Mail Flow Execution of the Set-HybridMailflow cmdlet had thrown an exception. This may indicate invalid parameters in your Hybrid Configuration settings.

Connector validation failed: RouteAllMessagesViaOnPremises can be set to true only when there is at least one inbound connector of type OnPremises with AssociatedAcceptedDomains set to empty.

at Microsoft.Exchange.Management.Hybrid.RemotePowershellSession.RunCommand(String cmdlet, Dictionary`2 parameters, Boolean ignoreNotFoundErrors)

‘.

Additional troubleshooting information is available in the Update-HybridConfiguration log file located at C:\Program Files\Microsoft\Exchange Server\V14\Logging\Update-HybridConfiguration\HybridConfiguration_2_11_2014_15_9_37_635277281771541111.log.

Exchange Management Shell command attempted:

Update-HybridConfiguration -OnPremisesCredentials 'System.Management.Automation.PSCredential' -TenantCredentials 'System.Management.Automation.PSCredential'

Elapsed Time: 00:03:31

As a Microsoft employee advises, it is better to route via the Internet instead. So we go with this option and see what happens:

The general recommendation and default setting is not to do this, but to deliver e-mail from Exchange Online to external recipients directly to the Internet instead.

If it is no requirement, I advise you to skip that option.

From <http://community.office365.com/en-us/forums/156/t/202214.aspx>

And here we are done.

Looking at the Hub Transport, we can see under Remote Domains that new domains were added automatically by the hybrid configuration.

Error migrating a user from Office 365 to on-premises

After migrating a user from on-premises Exchange to O365 and then trying to move it back from O365 to on-premises, the user will not move and you will see a message similar to the one below.

Resolution:

To resolve this issue, you will have to disable the ESMTP Inspection rule on your Cisco firewall.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy

pix(config-pmap)#class inspection_default

pix(config-pmap-c)#no inspect esmtp

pix(config-pmap-c)#exit

pix(config-pmap)#exit

Emails between O365 and On-premises do not work

When sending an e-mail from O365 migrated users to on-premises users, the on-premises users don't get the e-mails.

Failure Message

From: Microsoft Outlook <MicrosoftExchange329e71ec88ae4615bbc36ab6ce41109e@domain.onmicrosoft.com>
Date: 4 Nisan 2014 22:35:30 GMT+3
To: <test@domain.com.tr>
Subject: Undeliverable: deneme

Delivery has failed to these recipients or groups:

User (User@domain.com.tr)
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.
 

User2 ( Company ) (User2@domain.com.tr)
The server has tried to deliver this message, without success, and has stopped trying. 

Please try sending this message again. If the problem continues, contact your helpdesk.
 

Diagnostic information for administrators:

Generating server: DB4PR03MB532.eurprd03.prod.outlook.com
Receiving server: emea01-internal.map.protection.outlook.com (10.47.216.25)
 

User (User@domain.com.tr)
4/4/2014 7:35:30 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘550 4.4.7 QUEUE.Expired; message expired’


4/4/2014 7:27:34 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 210.179.31.5:25

User2 ( Company ) (User2@domain.com.tr)
4/4/2014 7:35:30 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘550 4.4.7 QUEUE.Expired; message expired’

4/4/2014 7:27:34 PM – Remote Server at emea01-internal.map.protection.outlook.com (10.47.216.25) returned ‘450 4.7.0 Proxy session setup failed on Frontend with ‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was 210.179.31.5:25”

Original message headers:

Received: from DB4PR03MB610.eurprd03.prod.outlook.com (10.141.234.156) by DB4PR03MB532.eurprd03.prod.outlook.com (10.141.235.143) with Microsoft SMTP Server (TLS) id 15.0.908.10; Wed, 2 Apr 2014 19:31:29 +0000
Received: from DB4PR03MB610.eurprd03.prod.outlook.com (10.141.233.156) by DB4PR03MB610.eurprd03.prod.outlook.com (10.141.234.156) with Microsoft SMTP Server (TLS) id 15.0.898.11; Wed, 2 Apr 2014 12:49:18 +0000
Received: from DB4PR03MB610.eurprd03.prod.outlook.com ([10.141.233.156]) by DB4PR03MB620.eurprd03.prod.outlook.com ([10.141.233.156]) with mapi id 15.00.0913.002; Wed, 2 Apr 2014 12:49:17 +0000
Content-Type: multipart/mixed; boundary="_000_2c4cf07ee43e4faab98dc52f068a566fDB4PR03MB620eurprd03pro_"
From: test <test@domain.com.tr>
To: "User ( Company )" <user@domain.com.tr>, "User2 ( Company )" <User2@domain.com.tr>
Subject: deneme
Thread-Topic: deneme
Thread-Index: Ac9Oce26frtuRTMySYWFyAvAom/lyQ==
Date: Wed, 2 Apr 2014 12:49:16 +0000
Message-ID: <2c4cf07ee43e4faab98dc52f068a566f@DB4PR03MB620.eurprd03.prod.outlook.com>
Accept-Language: en-US
Content-Language: en-US
X-MS-Has-Attach:
X-MS-TNEF-Correlator: <2c4cf07ee43e4faab98dc52f068a566f@DB4PR03MB620.eurprd03.prod.outlook.com>
x-originating-ip: [78.186.201.28]
X-Forefront-Antispam-Report: SFV:SKI;SFS:;DIR:INB;SFP:;SCL:-1;SRVR:DB4PR03MB610;H:DB4PR03MB620.eurprd03.prod.outlook.com;FPR:;LANG:tr;;SKIP:2;
MIME-Version: 1.0
X-MS-Exchange-CrossPremises-AuthAs: Internal
X-MS-Exchange-CrossPremises-AuthMechanism: 03
X-MS-Exchange-CrossPremises-AuthSource: DB4PR03MB620.eurprd03.prod.outlook.com
X-MS-Exchange-CrossPremises-SCL: -1
X-MS-Exchange-CrossPremises-messagesource: StoreDriver
X-MS-Exchange-CrossPremises-BCC:
X-MS-Exchange-CrossPremises-originalclientipaddress: 78.186.201.28
X-MS-Exchange-CrossPremises-avstamp-service: 1.0
X-MS-Exchange-CrossPremises-antispam-scancontext: DIR:Originating;SFV:SKI;SKIP:0;
X-MS-Exchange-CrossPremises-processed-by-journaling: Journal Agent
X-MS-Exchange-CrossPremises-ContentConversionOptions: True;00160000;True;;
X-OrganizationHeadersPreserved: DB4PR03MB610.eurprd03.prod.outlook.com
Return-Path: test@domain.com.tr
X-OriginatorOrg: domain.com

Symptoms

When you telnet from the on-premises Exchange server to the Office 365 hub transport, the SMTP server does not recognize the telnet commands.

Resolution:

451 4.4.0 Primary target IP address responded with: "451 5.7.3 Must issue a STARTTLS command first" Office 365 Hybrid


If you have an Office 365 hybrid configuration you may experience issues sending emails between on premise and cloud users (in either direction).

The Exchange 2013 (or 2010) on premises queue viewer may show:

‘451 4.4.0 Primary target IP address responded with: “451 5.7.3 STARTTLS is required to send mail.” Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts. The last endpoint attempted was xxx.xxx.xxx.xxx’

The Office 365 Message Trace Console shows the delivery status of ‘None’
 


Office 365 Message Trace 

The errors suggest the TLS connection cannot be made, but a TLS certificate IS present, and during the Hybrid Configuration Wizard the required connectors are created automatically, so no additional configuration should be required.

When an email is sent between on premise & cloud (Office 365) users of your SSO domain it is sent across one of the automatically created send connectors. These connectors are secured using TLS.

So, assuming you have ruled out all the normal stuff, it's now time to get baffled. We know the on premise server can send and receive external email. We also know that the Office 365 service can send and receive email. It is just the email between the two services that does not work.

I was banging my head against a wall for ages until I used Telnet to connect from my on premise Exchange server to Microsoft cloud gateway.

What I got is shown below:


This is not correct. As you can see the server has not recognised the “ehlo” statement and the banner does not “look right”…

A bit of digging around the firewall I noticed that packets were being dropped when TLS was attempted.

The firewall is a Cisco PIX 515. I disabled ESMTP inspection but that made no difference so I discounted this as the cause.

After a lot more digging around and raging I remembered that the PIX was behind another Cisco firewall – this time an ASA 5510. So I accessed this device and sure enough this edge firewall was also inspecting and dropping TLS over SMTP.

Once both firewalls were configured not to inspect ESMTP, the default configuration that was set by the Hybrid Configuration Wizard started working straight away.

The commands to disable ESMTP inspection are:

pix(config)#policy-map global_policy
pix(config-pmap)#class inspection_default
pix(config-pmap-c)#no inspect esmtp
pix(config-pmap-c)#exit
pix(config-pmap)#exit

Now telnet the cloud server and you should see a correct banner:
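Both the "Error migrating user" section and the post above end with the same test: connect to port 25, look at the banner, send EHLO and check that STARTTLS is offered. The PowerShell function below is an added example (not from either post) that automates that test so it can be repeated after each firewall change: it opens a TCP connection, reads the multi-line SMTP replies, sends EHLO and QUIT, and returns whether the banner is a proper 220 line, whether EHLO was accepted and whether STARTTLS is in the advertised extensions. A firewall that still inspects ESMTP typically shows up here as a masked banner, a rejected EHLO or a missing STARTTLS. The host name is a placeholder; point it at the hybrid smart host or the Office 365 endpoint your connector uses.

```powershell
# Added example (not from the original posts). Reproduces the manual telnet check from the
# text and reports whether STARTTLS is advertised on an SMTP endpoint.
function Test-SmtpStartTls {
    param(
        [Parameter(Mandatory)] [string] $Server,   # e.g. 'hybrid.cloudimia.com' or your O365 MX host
        [int] $Port = 25,
        [int] $TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout    = $TimeoutMs
    $client.Connect($Server, $Port)

    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine   = "`r`n"
    $writer.AutoFlush = $true

    # SMTP replies may span several lines: "250-..." continues, "250 ..." (space) ends the reply
    function Read-Reply {
        $lines = @()
        do {
            $line = $reader.ReadLine()
            if ($null -eq $line) { break }
            $lines += $line
        } while ($line -match '^\d{3}-')
        ,$lines
    }

    try {
        $banner = Read-Reply
        $writer.WriteLine("EHLO $([System.Net.Dns]::GetHostName())")
        $ehlo = Read-Reply
        $writer.WriteLine('QUIT')

        [pscustomobject]@{
            Server          = "${Server}:$Port"
            Banner          = ($banner -join ' ')
            BannerOk        = [bool]($banner.Count -gt 0 -and $banner[0] -match '^220 ')
            EhloOk          = [bool]($ehlo.Count -gt 0 -and $ehlo[0] -match '^250')
            StartTlsOffered = [bool]($ehlo -match '^250[- ]STARTTLS')
            Extensions      = @($ehlo | Select-Object -Skip 1 | Where-Object { $_.Length -gt 4 } | ForEach-Object { $_.Substring(4) })
        }
    }
    finally {
        $client.Close()
    }
}

# Usage:
# Test-SmtpStartTls -Server 'hybrid.cloudimia.com'
```

A healthy result has BannerOk, EhloOk and StartTlsOffered all True. If the banner comes back as a row of asterisks or the EHLO reply is a 5xx, an inspection device between you and the endpoint is still rewriting the session, as happened with the PIX and the ASA above.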

DirSync Installation


Creating Custom attributes on On-Prem AD for Exchange Online users on O365

I have come across an interesting scenario where no Exchange server exists on-premises, but some attributes are still required or used in Office 365 for Exchange Online users who are synced with the Azure Active Directory Sync tool.

The attributes may be used for different purposes, but sometimes they are necessary, so I will demonstrate how to create a custom attribute that would normally be created by default when Exchange servers are deployed on-premises.

First I will open the Schema console.

On one of the DC servers that is synced with Office 365, launch CMD as administrator.

Run the following command:

regsvr32 schmMgmt.dll


Run MMC

Click File -> Add/Remove Snap-in

Right Click on Attributes -> Create Attribute…


Click Continue

Click OK

Go to Attributes, find the custom attribute, double-click it, tick the required boxes and click Apply


Now go to Classes

Find and double click on User


Now go to Attributes tab


Click Add and add the custom attribute

Click Apply

Now go back to CMD on the DC server and replicate the changes across all DC servers

Open ADUC and check the user's attributes

Hope this helps  

Copy Immutable ID and Proxy Addresses from Azure to Active Directory

Matching users after migrating to a new Active Directory forest

This covers installing AAD Connect in a new forest for the same users who have been migrated to a new Active Directory forest.

To do so, launch Azure PowerShell in admin mode and connect to the MSOL service as in the following snapshot:

$cred = Get-Credential
Connect-MsolService -Credential $cred

After connecting, type or paste the following:

Get-MsolUser -ReturnDeletedUsers -All | Out-GridView


Once you press Enter, a GUI window shows the list of all deleted users. You should delete any old, unusable account that has attributes similar to the ones you are about to sync from AD to O365.


Once you are sure what you want to delete, run the following command to delete the users.

Note:
Once you run this command you will no longer be able to restore any of the deleted objects.

Get-MsolUser -ReturnDeletedUsers -All | Remove-MsolUser -RemoveFromRecycleBin -Force -Verbose


Now run the following script in the same open PowerShell window to start the copying process.

Import-Module MSOnline
Import-Module ActiveDirectory
$cred = Get-Credential
Connect-MsolService -Credential $cred
$onlineusers = Get-MsolUser -All
$adusers = Get-ADUser -Filter *

Press Enter; when you are prompted to select an option, choose 1 and press Enter.


Note:If you would like to receive the powershell script please don’t hesitate to contact me. 

After the copy finishes you can compare the list of ImmutableIDs against the GUIDs yourself:
ldifde -f dump.txt

Dump.txt
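The author's script is not published above, so the following PowerShell is an added example of the matching step, not the original script. It pairs each synced Azure AD user with the account of the same UPN in the new forest, decodes the ImmutableID (the base64 form of the original objectGUID) and writes it to ms-DS-ConsistencyGuid, and merges the cloud proxyAddresses into the on-premises attribute. It assumes that AAD Connect in the new forest is configured to use ms-DS-ConsistencyGuid as its source anchor (the objectGUID of a migrated account is new and cannot be set), that the MSOnline and ActiveDirectory modules are loaded, and that Connect-MsolService has already been run; the domain name is a placeholder.

```powershell
# Added example (not the original post's script). Copies ImmutableID and proxyAddresses from
# Azure AD to matching accounts in a migrated forest, refusing to overwrite a conflicting anchor.
function Sync-CloudIdentityToAd {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([Parameter(Mandatory)] [string] $DomainName)   # only users of this verified domain are matched

    # Cloud-only users have no ImmutableId and are skipped
    $online = Get-MsolUser -DomainName $DomainName -All | Where-Object { $_.ImmutableId }

    # Index the new forest's users by UPN once instead of querying AD per user
    $adByUpn = @{}
    Get-ADUser -Filter * -Properties proxyAddresses, 'ms-DS-ConsistencyGuid' | ForEach-Object {
        if ($_.UserPrincipalName) { $adByUpn[$_.UserPrincipalName.ToLower()] = $_ }
    }

    $summary = [ordered]@{ Matched = 0; Updated = 0; Skipped = 0 }

    foreach ($u in $online) {
        $ad = $adByUpn[$u.UserPrincipalName.ToLower()]
        if (-not $ad) {
            Write-Warning "No on-premises account for $($u.UserPrincipalName); skipping"
            $summary.Skipped++; continue
        }
        $summary.Matched++

        $anchor = [Convert]::FromBase64String($u.ImmutableId)
        if ($anchor.Length -ne 16) {
            Write-Warning "ImmutableId of $($u.UserPrincipalName) is not a 16-byte GUID; skipping"
            $summary.Skipped++; continue
        }

        # Never silently replace an anchor that already points somewhere else
        $existing = $ad.'ms-DS-ConsistencyGuid'
        if ($existing -and -not [Linq.Enumerable]::SequenceEqual([byte[]]$existing, $anchor)) {
            Write-Warning "$($u.UserPrincipalName) already has a different ms-DS-ConsistencyGuid; review manually"
            $summary.Skipped++; continue
        }

        # Merge cloud proxyAddresses with whatever is already on the account
        $proxies = @(@($ad.proxyAddresses) + @($u.ProxyAddresses) | Where-Object { $_ } | Sort-Object -Unique)
        $replace = @{ 'ms-DS-ConsistencyGuid' = $anchor }
        if ($proxies.Count -gt 0) { $replace['proxyAddresses'] = [string[]]$proxies }

        if ($PSCmdlet.ShouldProcess($ad.DistinguishedName, "set ms-DS-ConsistencyGuid and $($proxies.Count) proxyAddresses")) {
            Set-ADUser -Identity $ad -Replace $replace
            $summary.Updated++
        }
    }

    [pscustomobject]$summary
}

# Dry run first, then for real:
# Sync-CloudIdentityToAd -DomainName 'domain.com' -WhatIf
# Sync-CloudIdentityToAd -DomainName 'domain.com'
```

After the run, the ldifde dump above lets you confirm that each user's ms-DS-ConsistencyGuid matches the GUID behind their ImmutableID before you start the first synchronization cycle; a mismatch at that point creates a duplicate cloud object instead of a match.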
