iOS 15.4 impact on Microsoft Teams Mobile (Apple devices)

Microsoft and Apple always have this mutual way of complementing each other with their security updates. This latest update from Apple has caused a small wrinkle for Microsoft Teams and Outlook on iOS devices. Previously, when a mobile user (in our case an iOS user) tapped the dial-in number in a Teams meeting invite, the app redirected them to the dial pad with the number ready, so they could dial in to the meeting.

Apple has now put an end to this easy dialing option (citing potential security concerns). After upgrading to iOS 15.4, users can no longer use this feature. Microsoft has already published an article on the issue, and Apple has confirmed that this behaviour is by design.

When will this be resolved? Apple may or may not change this; we will have to wait for official confirmation from Apple, and no ETA has been given.

In short, this is behaviour by design and there is no real workaround, other than long-pressing the link, copying the number together with the conference ID, and pasting it into the dial pad to join the meeting.

Android users can still use the feature.

Cheers,

Ganesh G

Automapping on shared mailboxes – Security group added with Full mailbox access

Automapping lets an Outlook user have every mailbox they hold Full Access to populated automatically in their Outlook client. It is driven by a pair of Active Directory attributes:

The mailbox that is permissioned: msExchDelegateListLink
The user who is being granted permissions: msExchDelegateListBL

Scenario 1:

Joe Biden has a mailbox hosted online (O365) and is part of the technical team that responds to end-user queries sent to a shared mailbox, "Tech Support Team". Joe is therefore given Full Access to the shared mailbox:

Add-MailboxPermission -Identity "Tech Support Team" -User "Joe Biden" -AccessRights FullAccess -InheritanceType All

Once the permission is in place, Joe can open the Tech Support Team mailbox in his local Outlook: the shared mailbox's primary mailbox and its archive mailbox (if one exists) are auto-mapped into Joe's profile.

Scenario 2:

Joe Biden has a mailbox hosted online (O365) and is part of the technical team that responds to end-user queries sent to a shared mailbox, "Tech Support Team". Because the team is large and people are added and removed frequently, a security group "Sec Group_Tech support" is created and everyone on the tech support team is made a member. The security group is then given Full Access to the shared mailbox:

Add-MailboxPermission -Identity "Tech Support Team" -User "Sec Group_Tech support" -AccessRights FullAccess -InheritanceType All

By default, Add-MailboxPermission enables automapping (the equivalent of -AutoMapping $true). If you want to turn it off explicitly, add -AutoMapping $false:

https://docs.microsoft.com/en-us/outlook/troubleshoot/profiles-and-accounts/remove-automapping-for-shared-mailbox

Because these users are not explicitly granted Full Access themselves, automapping has some limitations for them; the users can still create a separate Outlook profile for the Tech Support Team mailbox, which has no such limitations. This comes down to msExchDelegateListBL: it is populated only for users granted the permission directly, not for members of a group.

If you are a member of a security group that has been given Full Access to a shared mailbox, expect that you will not be able to open the shared mailbox's archive in Outlook as an additional (auto-mapped) mailbox.

If instead you are explicitly given Full Access to the shared mailbox, you should see the primary shared mailbox together with the shared mailbox's archive.
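The following script is an added example, not code from the original post: it grants Full Access and then confirms from Active Directory whether automapping was recorded, so the two scenarios above can be checked rather than assumed. It assumes an on-premises Exchange Management Shell (where the attributes live in AD) with the ActiveDirectory module loaded; the mailbox and user names are the post's sample names.

```powershell
# Grant Full Access and verify the automapping attribute pair in Active Directory.
# Assumptions: on-premises Exchange shell, ActiveDirectory module available.
param(
    [string]$SharedMailbox = "Tech Support Team",
    [string]$User          = "Joe Biden",
    [bool]  $AutoMapping   = $true
)

# 1. Grant Full Access. -AutoMapping defaults to $true; set it explicitly so the intent is visible.
Add-MailboxPermission -Identity $SharedMailbox -User $User `
    -AccessRights FullAccess -InheritanceType All -AutoMapping $AutoMapping | Out-Null

# 2. Locate both objects in AD by primary SMTP address and read the link attributes.
$sharedSmtp = (Get-Mailbox -Identity $SharedMailbox).PrimarySmtpAddress.ToString()
$userSmtp   = (Get-Mailbox -Identity $User).PrimarySmtpAddress.ToString()
$sharedAd = Get-ADUser -LDAPFilter "(mail=$sharedSmtp)" -Properties msExchDelegateListLink
$userAd   = Get-ADUser -LDAPFilter "(mail=$userSmtp)"   -Properties msExchDelegateListBL

# 3. Automapping is recorded as a pair: the shared mailbox's msExchDelegateListLink holds
#    the delegate's DN and the delegate's msExchDelegateListBL (back-link) holds the shared
#    mailbox's DN. A group grant (Scenario 2) does not add the members' own DNs here,
#    which is why Outlook treats group members differently.
$forwardLink = @($sharedAd.msExchDelegateListLink) -contains $userAd.DistinguishedName
$backLink    = @($userAd.msExchDelegateListBL)     -contains $sharedAd.DistinguishedName

[pscustomobject]@{
    SharedMailbox  = $SharedMailbox
    User           = $User
    AutoMappingSet = $AutoMapping
    ForwardLinkSet = $forwardLink
    BackLinkSet    = $backLink
    AllDelegates   = (@($sharedAd.msExchDelegateListLink) -join "; ")
}
```

Run it once with the defaults (Scenario 1) and once with a group member's name to see ForwardLinkSet stay false for the group case.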

Please keep me posted for any questions/clarifications.

https://docs.microsoft.com/en-us/powershell/module/exchange/add-mailboxpermission?view=exchange-ps

Ganesh G

Safely remove Public folders from Org – Exchange 2013

I am assuming that those reading this post have a good understanding of how public folders are structured and how they work in Exchange 2013. If you are new to this, I suggest you read up on public folders in Exchange 2013 before going further, so that the rest of this post is not above your head.

Scope the organization and gather the information below:

  • Number of public folders (Getpublicfolderstatistics.ps1 script)
  • Number of public folder mailboxes
  • Number of root public folders
  • The content mailbox for each public folder
  • The public folder permissions, exported to a CSV that can be used to reapply them if we ever need to restore the public folders
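The script below is an added example, not the post's own code: it collects the first four items of that inventory from the Exchange 2013 Management Shell and writes them to CSV for the change record (the permission export is handled by the post's own script further down). The output folder is an assumption; the property names are those exposed by the Exchange 2013 cmdlets.

```powershell
# Pre-removal public folder inventory for Exchange 2013 (added example).
$OutDir = "C:\Temp\PFInventory"   # assumed output folder
New-Item -ItemType Directory -Path $OutDir -Force | Out-Null

# Every public folder below the IPM root, with the mailbox that stores its content.
# ContentMailboxName is what a restore needs in order to put the folder back where it lived.
$allFolders = @(Get-PublicFolder "\" -Recurse -ResultSize Unlimited |
    Where-Object { $_.Identity.ToString() -ne "\" })
$allFolders |
    Select-Object Identity, Name, ParentPath, ContentMailboxName, MailEnabled |
    Export-Csv "$OutDir\PublicFolders.csv" -NoTypeInformation

# Root public folders: the direct children of "\".
$rootFolders = @(Get-PublicFolder "\" -GetChildren -ResultSize Unlimited)

# Public folder mailboxes; IsRootPublicFolderMailbox marks the primary (writable) hierarchy.
$pfMailboxes = @(Get-Mailbox -PublicFolder -ResultSize Unlimited)
$pfMailboxes |
    Select-Object Name, ServerName, Database, IsRootPublicFolderMailbox |
    Export-Csv "$OutDir\PublicFolderMailboxes.csv" -NoTypeInformation

# Summary for the change record.
[pscustomobject]@{
    PublicFolders         = $allFolders.Count
    RootPublicFolders     = $rootFolders.Count
    PublicFolderMailboxes = $pfMailboxes.Count
    PrimaryHierarchy      = ($pfMailboxes | Where-Object { $_.IsRootPublicFolderMailbox }).Name
    SecondaryHierarchy    = (($pfMailboxes | Where-Object { -not $_.IsRootPublicFolderMailbox }).Name -join ", ")
}
```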

Here we export the permissions for a root folder together with all of its subfolders:

$PFroot = Read-Host "Enter the public folder root (without the leading backslash)"
Write-Host "You entered $PFroot"
# Walk the root folder and all of its subfolders and export each folder's client permissions to CSV.
# Backslashes in the root name are replaced in the file name so that nested roots (e.g. Sales\EMEA) produce a valid path.
Get-PublicFolder "\$PFroot" -Recurse -ResultSize Unlimited | Get-PublicFolderClientPermission | Select-Object Identity, @{Label="User"; Expression={$_.User}}, @{Label="AccessRights"; Expression={$_.AccessRights -join ","}} | Export-Csv "C:\Temp\PublicFolderClientPermission_$($PFroot -replace '\\','_').csv" -NoTypeInformation

Once the client permissions are exported, we can remove the permissions on the public folders using the script below:

$removepfroot = Read-Host "Enter the root public folder whose permissions are to be removed"
$AllPublicFolders = Get-PublicFolder "\$removepfroot" -Recurse -ResultSize Unlimited

foreach ($Pf in $AllPublicFolders)
{
    # Remove every explicit client permission entry on this folder. The built-in Default and Anonymous
    # entries cannot be removed (only set to None), so they are skipped. -Confirm:$false suppresses the per-entry prompt.
    Get-PublicFolderClientPermission -Identity $Pf.Identity |
        Where-Object { $_.User.ToString() -notin "Default", "Anonymous" } |
        ForEach-Object { Remove-PublicFolderClientPermission -Identity $_.Identity -User $_.User -Confirm:$false }
}

Then we can remove the public folders via the EAC or the EMS.

TechNet has a simple command to remove them.

What is the Back-out plan ?

I will detail the restore procedure in my next post. Just a heads-up on what will be covered:

  1. Export the content mailbox information for each public folders
  2. Ways to restore public folders along with the sub folders
  3. How do we restore permissions back into the restored folders

To make this easier, one must know about the primary and secondary hierarchy:

Primary hierarchy – the public folder mailbox that hosts the writable copy of the public folder hierarchy. The first public folder mailbox created in an Exchange organization is the primary hierarchy mailbox.

Secondary hierarchy – all other public folder mailboxes in the Exchange organization, which store a read-only copy of the public folder hierarchy.

Happy Learning !

Cheers,

GaGa


Hybrid Configuration – Send As

Mailbox permissions granted before a mailbox is migrated to Office 365 keep working, but any new mailbox permission granted after the migration breaks in a hybrid scenario. For example, take three mailboxes Mbx1, Mbx2 and Mbx3. Mbx1 has Send As permission on Mbx2, and Mbx2 is then migrated to O365; that permission continues to work seamlessly. But if I then try to add Send As permission for Mbx3 on Mbx2, it will not work.

Exchange hybrid configurations do support the Send-As, Receive-As and Send on Behalf mailbox permissions, but these permissions are only available when both the mailbox granting the permission and the mailbox receiving it are in the same realm. Any mailbox that receives these permissions from another mailbox needs to be moved at the same time as that mailbox. If a mailbox receives permissions from multiple mailboxes, that mailbox and all of the mailboxes granting permissions to it need to be moved at the same time and exist in the same realm, either on-premises or in the Office 365 Exchange organization.
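As an added example (not from the original post), the function below runs in the on-premises Exchange Management Shell before a move and lists who holds Send-As on the mailbox, which realm each grantee sits in, and therefore who has to go in the same migration batch. The mailbox name is the post's Mbx2; the realm is inferred from RecipientTypeDetails (Remote* types are the on-premises stubs of Office 365 mailboxes).

```powershell
# Pre-move Send-As realm check for a hybrid organisation (added example).
function Get-SendAsRealmReport {
    param([Parameter(Mandatory)][string]$Mailbox)

    $target = Get-Recipient -Identity $Mailbox
    $targetRealm = if ($target.RecipientTypeDetails -like "Remote*") { "Office365" } else { "OnPremises" }

    # Explicit, non-inherited, allow entries that carry the Send-As extended right.
    Get-ADPermission -Identity $target.DistinguishedName |
        Where-Object {
            ($_.ExtendedRights -like "*Send-As*") -and -not $_.IsInherited -and -not $_.Deny -and
            $_.User -notlike "NT AUTHORITY\*" -and $_.User -notlike "S-1-5-*"
        } |
        ForEach-Object {
            $granteeName = $_.User.ToString()
            $grantee = Get-Recipient -Identity $granteeName -ErrorAction SilentlyContinue
            $granteeRealm = if (-not $grantee) { "Unknown" }
                            elseif ($grantee.RecipientTypeDetails -like "Remote*") { "Office365" }
                            else { "OnPremises" }
            # Same realm today: move them together. Different realm: the grant is already cross-premises.
            $action = if ($granteeRealm -eq $targetRealm) { "Move in the same batch" }
                      elseif ($granteeRealm -eq "Unknown") { "Resolve grantee manually" }
                      else { "Already cross-realm: Send-As will not work" }
            [pscustomobject]@{
                Mailbox      = $target.Name
                MailboxRealm = $targetRealm
                Grantee      = $granteeName
                GranteeRealm = $granteeRealm
                Action       = $action
            }
        }
}

# Constructed sample: report for the post's Mbx2 before it is moved.
Get-SendAsRealmReport -Mailbox "Mbx2" | Format-Table -AutoSize
```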

https://blogs.technet.microsoft.com/mconeill/2016/03/20/shared-mailboxes-in-exchange-hybrid-now-work-cross-premises/

Watch this video from 44:00 for more clarity.

https://www.youtube.com/watch?v=pN6lsxKRrJQ

Caution ! Exchange 2013 CU18 Security update (OWA Vulnerability)

Upgrading to Exchange 2013 CU18 had a few challenges when there were too many third-party applications running on the Exchange servers; in my previous post you will have seen the show stopper identified as the McAfee Host Intrusion Prevention service. Likewise, I want to bring to your notice that you should be slightly cautious when installing Security Update For Exchange Server 2013 CU18 (KB4045655).

I am not sure how many read the caution note on the TechNet blog stressing that this security update must be run with elevated permissions (Run as administrator). I experienced this myself: I ran it by simply double-clicking the file, after which we had problems connecting to OWA and ECP. On investigation we found that most of the resources were missing from the OWA directory.

Here are the known issues reported when this Security patch is installed (ref: https://support.microsoft.com/en-ca/help/4045655/description-of-the-security-update-for-microsoft-exchange-december-12)

  1. We are aware of some reports that Exchange services may remain in a disabled state after you install this security update. If this occurs, the update is installed correctly. However, the service control scripts encounter a problem when they try to return Exchange services to its usual state. To resolve this issue, use Services Manager to restore the startup type to Automatic, and then start the affected Exchange services manually.
  2. When you try to manually install this security update in “normal mode” (not running the update as an administrator) and by double-clicking the update file (.msp), some files are not correctly updated. When this issue occurs, you do not receive an error message or any indication that the security update is not correctly installed. Also, Outlook Web Access (OWA) and the Exchange Control Panel (ECP) may stop working. This issue occurs on servers that are using UAC (user account control). The issue occurs because the security update does not correctly stop certain Exchange-related services. To avoid this issue, run the security update in elevated mode as an administrator. To do this, right click the update file, and then click Run as administrator.

If you have already installed it this way, remove the security update from the server completely, reboot, and then install the security update again with elevated permissions.

Cheers,
Ganesh G

Exchange 2013 CU18 Upgrade issues


Environment:

Exchange 2013 CU13
.NET Framework 4.7
Windows 2012 R2
Physical Servers
4 Node DAG

Schema Changes:

Active Directory schema changes in Exchange 2013 cumulative updates CU8 and later:

No changes have been made to the Active Directory schema in Exchange 2013 from CU8 onwards. The last cumulative update to include schema changes is currently Exchange 2013 CU7.
https://technet.microsoft.com/en-us/library/bb738144%28v=exchg.150%29.aspx#CU7

Confirm the schema versions (screenshot of the Exchange schema version check omitted).

So there are no schema changes in CU18 either.

Downloads:

1. Download Exchange 2013 CU18 from the link below:
https://www.microsoft.com/en-us/download/details.aspx?id=55955

2. Get .NET Framework 4.6.2 installation packages (Offline Installer)
Download .NET Framework 4.6.2 offline package from the link below:
https://www.microsoft.com/en-us/download/details.aspx?id=53344

3. Security Update For Exchange Server 2013 CU18 (KB4045655)

https://www.microsoft.com/en-us/download/details.aspx?id=56329

Plan:

1. Get the general rechecks done on the exchange servers
2. Microsoft does not recommend .NET Framework 4.7 for CU18, as published in the TechNet blog below:
https://blogs.technet.microsoft.com/exchange/2017/06/13/net-framework-4-7-and-exchange-server/
Hence remove 4.7 from the server and install 4.6.2.
Note: In our case .NET Framework fell back to 4.6.2 after removing 4.7 (Windows 2012 R2 comes with .NET 4.6.2).

3. Turn off every third-party service that could interrupt the installation. Do not spare any of them: be brutal and stop anything and everything other than Microsoft services.

I stress this because it was a nightmare when we had to delay our installation by 8 hours as McAfee was disrupting the upgrade out of nowhere.

Our installation failed with the error below while configuring the transport services:

Processing component 'Transport Common Configuration' (Configuring common Transport properties.).
Executing:
$dllFile = join-path $RoleInstallPath "bin\ExSMIME.dll";
$regsvr = join-path (join-path $env:SystemRoot system32) regsvr32.exe;
start-SetupProcess -Name:"$regsvr" -Args:"/s `"$dllFile`"" -Timeout:120000;

Active Directory session settings for 'Start-SetupProcess' are: View Entire Forest: 'True', Configuration Domain Controller: "DC", Preferred Global Catalog: 'DC', Preferred Domain Controllers: '{ DC }'
User specified parameters: -Name:'C:\windows\system32\regsvr32.exe' -Args:'/s "E:\Program Files\Microsoft\Exchange Server\V15\bin\ExSMIME.dll"' -Timeout:'120000'
Beginning processing start-SetupProcess
Starting: C:\windows\system32\regsvr32.exe with arguments: /s "E:\Program Files\Microsoft\Exchange Server\V15\bin\ExSMIME.dll"
Timed out waiting for process to complete
Timed out waiting for process to complete
Ending processing start-SetupProcess
The following 1 error(s) occurred during task execution:

How we fixed it
After some investigation we identified McAfee Host Intrusion Prevention as the cause of this timeout: the regsvr32.exe registration step (Microsoft Register Server) was crashing every time the upgrade reached this stage (70%).

PS: McAfee Host Intrusion Prevention can be stopped via the Orchestrator, or with elevated permissions that your server management team has to grant you.

We stopped the McAfee Host Intrusion Prevention service and re-initiated the upgrade after a reboot.
The upgrade completed successfully, and we installed the security update for CU18 as well.

Should you have any further questions, please feel free to drop in your questions.

Regards,
Ganesh G

Simple Script to get the config file values – Exchange 2013

In a large environment it is a tedious job to verify the config files for specific values; it takes a lot of manual effort and is an utter waste of time.

To make it simple, I came up with this very basic script to speed the task up (it can still be enhanced 🙂):

  1. Create a file named Server.txt containing the list of servers on which you want to check the config files.
  2. You can change the path to suit your environment.
  3. In this example we look for maxRequestLength and MaxDocumentDataSize in the web.config files.
  4. Alter the path, file and values based on your requirement.

Please leave your comments or questions below.

Regards,

Ganesh G

# Simple script to get config file values – Exchange 2013
#=========================================================
# Ganesh G

# Server.txt holds one server name per line
$Servers = Get-Content "C:\Troubleshooting\Server.txt"
foreach ($Server in $Servers)
{
    Write-Host "$Server"
    Write-Host "From: Exchsrvr\ClientAccess\Sync\web.config"
    # Files are read over the administrative share (D$ here); change the drive letter to match your installation.
    # Select-String matches case-insensitively, so maxRequestLength also finds MaxRequestLength.
    Select-String -Path "\\$Server\d$\Exchsrvr\ClientAccess\Sync\web.config" -Pattern "maxRequestLength" | Format-List Line
    Select-String -Path "\\$Server\d$\Exchsrvr\ClientAccess\Sync\web.config" -Pattern "MaxDocumentDataSize" | Format-List Line
    Write-Host "From: Exchsrvr\FrontEnd\HttpProxy\sync\web.config"
    Select-String -Path "\\$Server\d$\Exchsrvr\FrontEnd\HttpProxy\sync\web.config" -Pattern "maxRequestLength" | Format-List Line
}

Mailbox moves – Exchange 2013 Troubleshooting

Having issues during mailbox moves in Exchange 2013?

Here are a few quick ways to check your mailbox move performance.

What are the major factors involved/impacted during a mailbox move?

  • Disk IO
  • Network Bandwidth
  • Size of the mailboxes moved
  • No. of active connections on the source and the destination databases
  • MRS throttling

Ideally, anyone troubleshooting mailbox moves will have done this initial probing before proposing a workaround or fix.

If disk I/O is not optimal, mailbox moves suffer badly from read/write latency. Ensure that disk I/O read/write latency is optimal (0.020 ms is considered optimal), and also ensure the disk drivers are up to date.

To get a quick insight into your mailbox move performance, use the mailbox migration performance analysis script. It gives you all the necessary information:

Mailbox migration Performance analysis script

  • It reports the amount of data transferred (in GB)
  • The duration of the migration batch, including idle time
  • Best of all, it also reports latency, which helps us take a proactive call to suspend the moves before they hit overall disk/server performance
  • It is also easy to use for reporting

Chart: % of data moved (GB) (image omitted).

Script used to extract the above statistics and the procedure is explained in the below TechNet Blog,

https://blogs.technet.microsoft.com/exchange/2014/03/24/mailbox-migration-performance-analysis/

Good to know information,

To gauge the load on the Exchange 2013 servers we need the number of active connections (OWA, ActiveSync, RPC). I have not covered EWS connections in this post. Note that -ComputerName takes a list of names, not a single comma-separated string:

Get-Counter "\MSExchange OWA\Current Unique Users" -ComputerName "Servername1", "Servername2"

Get-Counter "\MSExchange RpcClientAccess\User Count" -ComputerName "Servername1", "Servername2"

Get-Counter "\MSExchange ActiveSync\Current Requests" -ComputerName "Servername1", "Servername2"

Stages of mailbox moves:

Source enumeration  > Initial data sync > Incremental Sync > Finalization

I will post a detailed blog on each stage of the mailbox moves in near future 🙂

Other possible fixes:

  • Modify the MRS config file

MSExchangeMailboxReplication.exe.config, in 'C:\Program Files\Microsoft\Exchange Server\V15\Bin'

MaxActiveMovesPerSourceMDB="20"
MaxActiveMovesPerTargetMDB="20"
MaxActiveMovesPerSourceServer="100"
MaxActiveMovesPerTargetServer="100"
MaxTotalRequestsPerMRS="100"
ExportBufferSizeKB="512"

You can also increase MaxConcurrentMigrations and set it to 100 for fair mailbox move performance.

  • Increase the ExportBufferSizeOverrideKB

This moves more data per batch, which works best on high-latency networks (>100 ms).

It reduces the initial data sync duration, which accounts for about 70% of the move process.

Note: the buffer size cannot go beyond 10240, and it is recommended to apply this stage by stage, testing the value gradually; there is also a high chance of choking the network.

  • Disable indexing on the source & Destination databases


Personally I would not recommend this, as it has other adverse effects 🙂
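The script below is an added example, not from the original post: it reads the MRS throttling settings listed above from MSExchangeMailboxReplication.exe.config on each server and compares them with the values the post suggests, so you can see the current state before touching anything. Server names are constructed; adjust the drive letter if Exchange is not installed on C:.

```powershell
# Compare current MRS throttling settings with the suggested values (added example).
$Servers   = @("EXCH01", "EXCH02")   # constructed sample names
$Suggested = [ordered]@{
    MaxActiveMovesPerSourceMDB    = 20
    MaxActiveMovesPerTargetMDB    = 20
    MaxActiveMovesPerSourceServer = 100
    MaxActiveMovesPerTargetServer = 100
    MaxTotalRequestsPerMRS        = 100
    ExportBufferSizeKB            = 512
}

foreach ($server in $Servers) {
    $path = "\\$server\C$\Program Files\Microsoft\Exchange Server\V15\Bin\MSExchangeMailboxReplication.exe.config"
    if (-not (Test-Path -Path $path)) {
        Write-Warning "${server}: config file not found at $path"
        continue
    }

    [xml]$cfg = Get-Content -Path $path -Raw
    # Locate the element that carries the MRS settings by one of its attributes,
    # so the script does not depend on the element's name.
    $node = $cfg.SelectSingleNode("//*[@MaxActiveMovesPerSourceMDB]")
    if (-not $node) {
        Write-Warning "${server}: no element with MRS throttling attributes found"
        continue
    }

    foreach ($key in $Suggested.Keys) {
        $current  = $node.GetAttribute($key)   # "" when the attribute is absent
        $value    = 0
        $isNumber = [int]::TryParse($current, [ref]$value)
        [pscustomobject]@{
            Server    = $server
            Setting   = $key
            Current   = $(if ($isNumber) { $value } else { "<not set>" })
            Suggested = $Suggested[$key]
            Matches   = ($isNumber -and $value -eq $Suggested[$key])
        }
    }
}
```

Back the file up before editing it, and remember the MRS service has to be restarted for a changed value to take effect.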

That is not all; there is a lot more to look at depending on the nature of the issue, so drill down to the root cause to find the best solution.

Same is also available in Technet Wiki,


Ganesh G

RBAC – Custom Management Role – Active Sync Mailbox policy

In this post we build a custom management role that stops users from creating ActiveSync mailbox policies.

Below are the management role entries of the Recipient Policies management role (the role that allows creating a new ActiveSync mailbox policy):

(Screenshot of the role entries omitted.)

I created a new custom RBAC role named "Modified Recipient Policy" and removed the entries that needed to be removed:

(Screenshots of the custom role and the removed entries omitted.)

Then I logged in to the Exchange server as the test user account (RBACTest). This user was no longer able to create a new ActiveSync policy.

Note: the RBAC change takes effect only after you log out and log in again (thank you Andrew for pointing this out 🙂).

(Screenshot of the test omitted.)
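As an added example (not the post's own code), the script below performs the same steps from the Exchange 2013 Management Shell and verifies the result. The role and test-user names are the post's; the role group name, and the assumption that both ActiveSync policy creation cmdlets (New-ActiveSyncMailboxPolicy and New-MobileDeviceMailboxPolicy) sit in the Recipient Policies role, are mine.

```powershell
# Custom RBAC role that cannot create ActiveSync mailbox policies (added example).
$ParentRole = "Recipient Policies"
$CustomRole = "Modified Recipient Policy"
$RoleGroup  = "Recipient Policy Admins (No ActiveSync Policy)"   # assumed name
$TestUser   = "RBACTest"

# 1. Derive the custom role from the built-in parent; a custom role can only lose entries, never gain them.
if (-not (Get-ManagementRole -Identity $CustomRole -ErrorAction SilentlyContinue)) {
    New-ManagementRole -Name $CustomRole -Parent $ParentRole | Out-Null
}

# 2. Drop only the creation entries, so the user can still view and edit existing policies.
$toRemove = @(Get-ManagementRoleEntry "$CustomRole\*" |
    Where-Object { $_.Name -in "New-ActiveSyncMailboxPolicy", "New-MobileDeviceMailboxPolicy" })
foreach ($entry in $toRemove) {
    Remove-ManagementRoleEntry -Identity "$CustomRole\$($entry.Name)" -Confirm:$false
}

# 3. Assign the custom role through a role group that contains the test user.
#    The user must not also be in a group that holds the parent role, or the restriction is moot.
if (-not (Get-RoleGroup -Identity $RoleGroup -ErrorAction SilentlyContinue)) {
    New-RoleGroup -Name $RoleGroup -Roles $CustomRole -Members $TestUser | Out-Null
}

# 4. Verify: the parent still carries the entry, the custom role does not.
#    The test user has to log out and back in before the change takes effect.
function Test-RoleEntry([string]$Role, [string]$Cmdlet) {
    [bool](Get-ManagementRoleEntry "$Role\$Cmdlet" -ErrorAction SilentlyContinue)
}
[pscustomobject]@{
    ParentCanCreate = Test-RoleEntry $ParentRole "New-ActiveSyncMailboxPolicy"
    CustomCanCreate = Test-RoleEntry $CustomRole "New-ActiveSyncMailboxPolicy"
    RemovedEntries  = ($toRemove.Name -join ", ")
}
```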

Regards,

Ganesh G

Video blog available: https://www.youtube.com/embed/Js9tdRfECus (Start Exchange)