Remove old Exchange 2010-2013 migration with hybrid office 365

 

You might want reset your Hybrid configuration or start it from scratch because you’re having issues with it or it’s not functioning properly. in Exchange 2010 the removal of Hybrid integration from powershell will almost everytime end up with errors or not work due to an issue.

In order to get around this and get on with the removal of the Hybrid environment .. please follow this guide

Open your Exchange Console and start by removing the Organization Relationships.

clip_image002

clip_image003

clip_image004

clip_image005

Once that’s complete go to Hub transport and remove all the remote domains that have been added from the Hybrid Setup.

clip_image006

 

clip_image007

Remove Microsoft O365 tenant domain which ends with on.microsoft.com

clip_image008

clip_image009

Make sure that you delete the Connectors that have been created by the Hybrid Wizard e.g. Outbound to Office 365.

clip_image010

clip_image011

Removing Receive connectors (Inbound from Office 365)

clip_image012

Since remove-hybridconfiguration cmdlet is not supported to remove the hybrid configuration object from AD then we have no choice but to use ADSIEDIT tool to do so.

I will navigate to Configuration > Services > Microsoft Exchange > First Organization > Delete “CN=Hybrid Configuration”

clip_image013

clip_image014

clip_image015

Restart MSExchangeServicehost after you have deleted the Hybrid object.

clip_image016

Now you can restart the Hybrid setup again from scratch

clip_image017

Unified messaging between Exchange 2016 and Skype for Business

 

In order to setup UM between Exchange and Skype for business server, the most important step is how you configure the Certificates between both servers in order for them to trust each other.

For that you don’t have to use a public Certificate but rather an internal CA certificate that has its root certificate installed on all of the server where you intend to deploy the UM. (Exchange, S4B Servers..etc).

To claim this certificate, the easiest step would be to get the CSR from Skype for Business’s Deployment Wizard

Run Deployment Wizard and click on the “Install or Update skype for business Server system”

clip_image001

Then click on step 3 (request, install or assign Cert)

clip_image002

I already have certificate deployed for S4B service but I’ll request CSR again to get one trusted certificate for both Exchange and S4B.

I will tick only the services that matters as in the below screenshot (Server default and Web services internal) later also will be used for OWA integration with UM.

clip_image003

Click on Request

clip_image004

Click on Advanced

clip_image005

Next

clip_image006

I’ll continue next until I’ve got to the important part which is “Name and Security settings” I’ll need to tick the “Mark the certificate’s private key as exportable” since we’ll export the certificate to Exchange servers

clip_image007

Next I’ll add Exchange servers’s FQDNs.

clip_image008

clip_image009

Click Next

clip_image010

clip_image011

Here is the CMDLET

Request-CSCertificate -New -Type Default,WebServicesInternal -CA “DC2016.moh10ly.com\moh10ly-DC2016-CA” -Country “TR” -FriendlyName “Skype for Business Server 2015 Default certificate 3/18/2016” -KeySize 2048 -PrivateKeyExportable $True -Organization “moh10ly” -OU “moh10ly” -DomainName “sip.moh10ly.com,ex2016.moh10ly.com,ex2016-2.moh10ly.com,ex2010.moh10ly.com” -AllSipDomain -Verbose -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Request-CSCertificate-[2016_03_18][11_16_35].html”

Click Next again and mark the thumbprint for the new Cert as we’ll need to see it later to make sure it’s properly configured for the UM on Exchange.

8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069

clip_image012

Click next to assign the Cert

clip_image013

clip_image014

Successfully, the certificate has been assigned to the Services

clip_image015

Here’s the CMDLET

Set-CSCertificate -Type Default,WebServicesInternal -Thumbprint 8BA9A2C4CD926B01C029F6B9A76D75BBEFDDE069 -Confirm:$false -Report “C:\Users\administrator.MOH10LY\AppData\Local\Temp\2\Set-CSCertificate-[2016_03_18][11_19_06].html”

Now it’s time to export this certificate and import it to Exchange servers

clip_image016

I’ll find the certificate that I have created today by looking at the expiration date which is 2 years from now with the same day.

clip_image017

Now I’ll right click on the certificate and export it with the private key.

clip_image018

I’ll open Exchange EMC and import the certificate

clip_image019

I’ll have to put the exported cert in a shared folder and provide the path and the password for it

clip_image020

I’ll add the two servers below

clip_image021

clip_image022

I’ll double click on the imported certificate and assign the UM services to it on each of the servers

clip_image023

clip_image024

I have got the below error due to not configuring the service to use TLS instead of TCP on both servers.

clip_image025

To fix this I’ll go on Exchange Management shell and run the following CMDLET

Get-UMService | Set-UMService -UMStartupMode TLS

clip_image026

clip_image027

Now I’ll try to save again

clip_image028

clip_image029

I’ll proceed with YES and continue to do the same to the other Server and restart the UM service on both servers

clip_image030

Now it’s time to create a UM Dial plan

clip_image031

I’ll configure the UM Dial plan according to my Skype for Business settings for users enabled for EV

clip_image032

To use powershell, you can use the following cmdlet

New-UMDialPlan –Name DialplanName –UriType SIPURI –NumberOfDigitsInExtension 4 –VoIPSecurity Secured –CountryOrRegionCode 90 –AccessTelephoneNumber +9012345678

Next, adding a gateway to the UM (NOTE: If configured incorrect, will cause the service not to start and errors with event ID (1057, 4999,1430, 1038) will appear.

Time to configure Gateway

clip_image033

In the gateway I’ll add my PBX (AsteriskNow) and place my already configured UMDP

clip_image034

clip_image035

When you create the dial plan, Exchange automatically creates a new UM mail policy along with it and it also generates a name that’s related to the Dial plan

In order to see this policy, you will have to double click on the new dial plan to view it and you can also change the policy in it .. Which I’m going to apply for the length of the policy to make it shorter

clip_image036

Double click on the Mailbox policy and navigate to Pin Polices and change it to the length you want to allow

clip_image037

Configure Auto Attendant

clip_image038

Set the AA as how you want it to be configured and make sure you add the full E.164 format as it won’t accept otherwise.

clip_image039

Click Save to continue

Now time to configure OVA (Outlook voice access)

Subscriber Access

If you want to configure Outlook Voice Access (OVA) , sometimes also referred to as Subscriber Access, click on the Configure button. Select Outlook Voice Access in the left hand menu and enter the telephone number you want to use to access OVA. This must be in the E.164 notation.

clip_image040

To do so click on Configure

clip_image041

To assign the new dial plan to the UM services, both on the Client Access Server (UM Call Router) as well as on the Mailbox server. In an Exchange Management Shell windows enter the following commands:

1

2

Set-UMCallRouterSettings -DialPlans “Exchangelabs Dial Plan” –Server 2012E15FE04

Get-UMService | Set-UMService -DialPlans “Exchangelabs Dial Plan”

clip_image042

clip_image043

Now I’ll also change the UM call router to TLS and assign Certificate to the service then restart it

clip_image044

clip_image045

Restart the services of the Call router, then associate the service with the dialplan you created.

Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016

Set-UMCallRouterSettings -DialPlans “UMDP1” –Server EX2016-2

Configure Skype for Business Server

To configure the UM Service to be used with Skype for Business Server. Microsoft has a script that will create and configure all necessary components. This scripts is located in the scripts directory C:\Program Files\Microsoft\Exchange Server\V15\Scripts.

Run the following CMDLET

CD $ExScripts

.\ExchUCUtil.ps1

clip_image046

The first time you setup this script it’ll detect the Dial plan and set it up with Skype for Business Server

clip_image047

It will show that no setting has changed but the fact that the dial plan is showing here Not found means that there something has changed .. You’ll notice that if you run the same script again.

clip_image048

Let’s try it again

Here you can see that the dial plan has been assigned to the S4B Front end server.

clip_image049

This script performs the following:

  • Grants Skype for Business Server permission to read Exchange UM Active Directory components, specifically, the SIP URI dial plan that was created in the first step;
  • Creates a UM IP gateway for each Skype for business Server pool that hosts users who will be enabled for Enterprise Voice;
  • Create an Exchange UM hunt group for each UM IP gateway. The hunt group pilot identifier will be the name of the dial plan associated with the corresponding UM IP gateway. The hunt group must specify the UM SIP dial plan used with the UM IP gateway.

When the script has run you’ll see a new UM IP Gateway appear in the EAC. Since this script not only creates the UM IP Gateway but also sets the necessary permissions the UM IP Gateway was not created manually in the first step.

clip_image050

Next we’ll go to Skype for Business FE server and then run the OcsUmUtil.exe tool which creates the contact objects for Outlook Voice Access and for the auto attendants. This tool can be found in C:\Program Files\Common Files\Skype for Business Server 2015\Support

clip_image051

I’ll right click the file to run it as administrator

clip_image052

Click on Load Data

clip_image053

clip_image054

Select the SIP dial plan and click ADD

clip_image055

Click OK

Right after configuring this your Voice mail should be enabled once you enable your user for it

After I enable user for UM and assign a valid dialplan .. Now I can see the user has got his Voice Mail option available.

clip_image056

Hope this was useful

Office 365 Mail flow in Hybrid doesn’t work after you white list office365 IPs on your SMTP gateway

I have deployed Hybrid environment for a customer who have Exchange 2010 SP3 with over 11K users. the customer was using SMTP gateway for spam protection and didn’t want to disable or close the gateway through the hybrid environment deployment or after and wanted to have their gateway constantly.

While Microsoft doesn’t support any SMTP gateways in Hybrid environment I had to find away to configure this gateway to allow any incoming or outgoing emails from Office365 tenant to Exchange on-premises using the whitelist feature in all its services e.g. (Anti-Spam, Virus, spoof…etc

After configuring the hybrid deployment I had a problem with mail flow from/to Exchange Online.

I have checked all Microsoft’s Office 365/Exchange Online/ Exchange Online protection IPs/CIDs in order to white list them or add them to the ignore list on the SMTP gateway in order for mail flow to not be checked from and to Exchange online if the source is Exchange on-premises but that didn’t work until I find a Microsoft article that which was modified very recently by Microsoft 31-05-2016.

image

Click here for the link

The article mentioned that the IP list have been updated, including the removed IPs list as well.

image

While tracing the logs on Office 365 Message tracer tool I noticed that the connection to the SMTP gateway has been refused due to an IP which the MS article described as “Removed” but it was still used to send emails from Exchange online.

The IP was 213.199.154.78 was greylisted on the SMTP gateway due to it not being added to the white list.

image

If you read the article you’ll notice that the subnet 213.199.154.0 has been mentioned as removed. so adding the IP to the white list has solved the problem for me

image

REF:

https://technet.microsoft.com/en-us/library/dn163581(v=exchg.150).aspx

https://technet.microsoft.com/library/dn163583(v=exchg.150).aspx

Hope this helps

Restoring an Active Directory Object after mistakenly deleting it

Starting with Windows 2008 R2, Microsoft introduced the Active Directory recycling bin. This is great for recovering objects back into AD if they are accidentally deleted. In order to use the recycle bin feature, your forest must be running with a functional level of Windows 2008 R2. If your forest is running at this level you simply run a PowerShell command to enable it.

Enable

To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

Below is a sample for enabling it for domain.com:

Enable-ADOptionalFeature –Identity “CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=moh10ly,DC=com” –Scope ForestOrConfigurationSet –Target moh10ly.com

clip_image001

Restore

Once you have the Recycling Bin for Active Directory you will have to use LDP.exe to restore. By default the container with the deleted objects is not displayed. The following steps will allow you to see the container with the deleted objects.

Display Deleted Objects

Follow these steps to display the Deleted Objects container:

  1. To open Ldp.exe, click Start, click Run, and then type exe.
  2. On the Optionsmenu, click Controls.

clip_image002

3. In the Controlsdialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.

clip_image003

4. To verify that the Deleted Objects container is displayed:

  • To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind. (U must use SSL and port 636)
  • Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.
  • In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects, DC=<mydomain>,DC=<com>container, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.

clip_image004

clip_image005

clip_image006

Restore Deleted Objects

Once you have enabled the container to be displayed, you can now restore deleted objects from Active Directory. Below are the steps to recover a single item from the recycle bin using LDP.exe.

Follow these steps to restore a deleted Active Directory object using Ldp.exe:

  1. Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Startmenu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
  2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.

clip_image007

  1. On the Options menu, click Controls.
  2. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
  3. In the console tree, navigate to the CN=Deleted Objects

clip_image008

  1. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
  2. In the Modifydialog box:
  3. In Edit Entry Attribute, type isDeleted.
  4. Leave the Valuesbox empty.
  5. Under Operation, click Delete, and then click Enter.

clip_image009

clip_image010

  1. In Edit Entry Attribute, type distinguishedName.
  2. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
  3. Under Operation, click Replace.

clip_image011

  1. Make sure that the Extended check box is selected, click Enter, and then click Run.

clip_image012

A key point to understand and remember with AD Recycle Bin is that you must restore hierarchically; a parent object must be restored before a child object. If you were to delete an entire OU and all its contents, you must first restore the OU before you can restore its contents.

Modify

clip_image013

Clicking on Run gives an error

“Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.”

clip_image014

Resolution:

Disconnect and reconnect with SSL on port 636

clip_image015

Enter the full Distinguished path in the Values

clip_image016

clip_image017

Before

clip_image018

After

clip_image019