Marc Kean

September 18, 2013

Fully automate the installation of Office 365

Filed under: Computers and Internet — marckean @ 2:47 pm

This post continues on from my other blog post, Fully automate the removal of any Office version in preparation for Office 365. Once all Office software versions have been removed from the computer, you then need to automate the installation of Office 365 immediately after the uninstallation of all legacy Office versions. This guide will demonstrate how to automatically install Office 365 using Group Policy.

First, you’ll need to download and install the Office Deployment Tool for Click-to-Run. Install this on a dedicated (file) server which will host the share and hold a local copy of the Office 365 setup files. Beware, the Office 365 source files are around 1GB in size. If you have several sites separated by slow WAN links, you will want to dedicate a server for each site to hold the source files, so repeat these steps on each site server. Once you have installed the Office Deployment Tool for Click-to-Run, it gives you two files, setup.exe and configuration.xml. These are all you need to, first, download the Office 365 source files from the internet to a local repository and, second, install Office 365 silently.

Download the Office 365 source files

To download the source files to your local server, first create a share and grant the everyone group read permission to the share. In my example, the share is called OfficeSource.

Edit the configuration.xml file, change the UNC path to suit your configuration.

<Configuration>

  <Add SourcePath="\\<server>\OfficeSource\" OfficeClientEdition="32" >
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>

  <!--  <Updates Enabled="TRUE" />  -->

  <!--  <Display Level="None" AcceptEULA="TRUE" />  -->

  <!--  <Logging Name="OfficeSetup.txt" Path="%temp%" />  -->

  <!--  <Property Name="AUTOACTIVATE" Value="1" />  -->

</Configuration>

Then run the following command:

setup.exe /download configuration.xml

Install Office 365 silently

To install Office 365 silently, it’s as easy as running a similar command:

setup.exe /configure configuration.xml

Group Policy Integration

  • You will need to create a service account to be used for the automated install process. The account I used was a member of the Domain Admins group in Active Directory so that the account would have local admin access on all domain-joined member machines by default. I called this account svc.admin_install.
  • Create a user-based group policy and link it to the AD Site which contains your users. The reason I say link it to a site is so that you can create different server shares which are local to each site and specify them differently in each site-based GPO. Create a scheduled task; I called this Install Office. Change the account used to run the task to the account you set up before and enter the password when prompted.

    image

  • Set the trigger to run at user logon

    image

  • For the action, add in %windir%\Office_in.bat

    image

  • There is a batch file script that needs to be distributed to the computers. Using the same group policy object, configure Files under Group Policy preferences.

    image 

    The destination for this file would be %windir%\Office_in.bat

    The source of this batch file can be located in any location, however as we are using a GPO, I would recommend using the logon script folder as follows:

    \\domain.local\sysvol\domain.local\Policies\{3C683713-8255-4B11-955F-602B49E03A43}\User\Scripts\Logon

    This batch has the following contents.

    @echo off
    rem Both flag files live under %SystemDrive%\users (dir /s searches its subfolders too).
    cd %SystemDrive%\users

    rem Legacy Office must already be gone: the uninstall script writes O551c3_1n.txt.
    rem dir sets errorlevel 1 when the file is not found, so stop here if it is missing.
    dir /s O551c3_1n.txt
    if errorlevel 1 goto end

    rem Stop if this script has already completed once on this machine.
    dir /s C0mp1et3_0ff1c3.txt
    if not errorlevel 1 goto end

    \\<server>\OfficeSource\Setup.exe /configure \\<server>\OfficeSource\configuration.xml

    echo Office 365 Install Complete > %SystemDrive%\users\C0mp1et3_0ff1c3.txt

    :end
    exit

Flag Files

C0mp1et3_0ff1c3.txt – This file indicates that the Office 365 install process has completed. It is located in %SystemDrive%\users.
O551c3_1n.txt – This file indicates that all legacy versions of Office have been removed; it is created upon completion of the uninstall script in my other post. It is located in %SystemDrive%\users.

As this post continues on from my other post on uninstalling Office, when this install script is executed it first checks for O551c3_1n.txt; only if this file is found does the script continue. The script then looks for C0mp1et3_0ff1c3.txt; only if this file does not exist does the script continue.
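The same flag-file gate as the batch file above, written as an added example rather than the post’s own script: it writes C0mp1et3_0ff1c3.txt only after Setup.exe exits with code 0 and the Click-to-Run registry key is present, so a failed install is retried at the next logon instead of being marked complete. The registry path used for that check and the log file location are assumptions of this example; \\<server> is the post’s placeholder.

```powershell
# Added example, not the post's own batch file: the same flag-file gate in PowerShell, with the
# completion flag written only after setup.exe exits 0 and the Click-to-Run registry key exists.
# Assumptions (not from the post): the log file path and the registry key used for verification.
$Source  = '\\<server>\OfficeSource'                  # placeholder, same as the post
$Users   = Join-Path $env:SystemDrive 'users'
$Removed = 'O551c3_1n.txt'                            # written by the uninstall script in the other post
$Done    = 'C0mp1et3_0ff1c3.txt'                      # written here, on success only
$Log     = Join-Path $env:windir 'Temp\Office_in.log' # assumed log location

function Find-Flag {
    param([string]$Name)
    # Same search as "dir /s" in the batch file: anywhere under the users folder.
    Get-ChildItem -Path $Users -Filter $Name -Recurse -File -ErrorAction SilentlyContinue |
        Select-Object -First 1
}

function Test-OfficeC2RInstalled {
    # Click-to-Run records what it installed under this key (assumed); absence means no completed install.
    $cfg = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
    if ($cfg -and $cfg.VersionToReport) { return "$($cfg.Platform) $($cfg.VersionToReport)" }
    return $null
}

"$(Get-Date -Format s) start" | Add-Content $Log
if (-not (Find-Flag $Removed)) { "legacy Office not yet removed; skipping" | Add-Content $Log; exit 0 }
if (Find-Flag $Done)           { "already installed; skipping"             | Add-Content $Log; exit 0 }

& "$Source\Setup.exe" /configure "$Source\configuration.xml"
$rc  = $LASTEXITCODE
$ver = Test-OfficeC2RInstalled
if ($rc -eq 0 -and $ver) {
    "Office 365 Install Complete ($ver)" | Set-Content (Join-Path $Users $Done)
    "installed $ver" | Add-Content $Log
} else {
    "setup.exe exit code $rc, ClickToRun key present: $([bool]$ver); flag not written" | Add-Content $Log
    exit 1
}
```

If you use this in place of Office_in.bat, point the scheduled task’s action at powershell.exe with -File and the path you distribute the script to; the flag files and their location stay exactly as described above, so the uninstall script from the other post works unchanged.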

September 16, 2013

Desktop Support guide to administering Exchange Online

Filed under: Computers and Internet — marckean @ 10:38 am

This guide is written for the desktop support team of my company. We come from an on-premises infrastructure frame of mind with Exchange/AD etc. Now we have a Hybrid setup with Office 365, with some mailboxes still on-premises and some mailboxes in the cloud. Administering Office 365 Exchange Online mailboxes and users is slightly different from on-premises.

This guide will explain some popular administration scenarios. If not included in this guide, it would be safe to assume that you administer things the same as normal. Remember, with a Hybrid, there is Directory Synchronization turned on, which is a one way sync of all objects from the on-prem Active Directory to the Office 365 Active Directory.

How to connect to Exchange Online using the Exchange Management Console (EMC)

  1. You will need to connect to Exchange Online using the EMC for many purposes, one of which is to check for new mailboxes that you have just setup by enabling remote mailboxes using on-premise Exchange.

    Right click the top level in the tree and choose the option to Add Exchange Forest.

    image

  2. Give a meaningful description for your eyes only, then choose Exchange Online > click OK.

    image

  3. Enter in your credentials to connect to Exchange Online > Click OK

    image 

How to connect to Exchange Online using PowerShell

  1. Setting up the connection to Exchange Online using PowerShell is slightly different. Microsoft .NET Framework 4.5 and Windows Management Framework 3.0 must be installed on the computer used for the PowerShell connection.
  2. Windows PowerShell script execution must be enabled on the computer you use to connect to Exchange Online. To enable script execution for signed scripts, run the following command in an elevated Windows PowerShell window.

    Set-ExecutionPolicy Unrestricted

  3. Connect to Exchange Online
    1. Open Windows PowerShell > Run the following command:

      $UserCredential = Get-Credential

    2. In the Windows PowerShell Credential Request dialog box, type the user name and password of an account in your Exchange Online organization, and then click OK.

      Run the following command:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    3. Run the following command:

      Import-PSSession $Session

  4. Disconnect from Exchange Online
    1. Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you. You’re allowed to have up to three concurrent remote PowerShell sessions. If you use all the sessions available to you, you’ll need to wait for the sessions to expire.

      After you’re finished with your remote Shell session, use the following command to disconnect from Exchange Online.

      Remove-PSSession $Session

How to setup a new cloud mailbox

Setting up a new cloud mailbox involves first setting up a user in Active Directory, then mail enabling the user.

  1. Either setup a new user from scratch using the on-prem Active Directory, or simply copy an existing user account. You do this using the Active Directory Users & Computers management console as normal.
  2. Make sure Advanced Features is turned on

    image

  3. If you created a brand new user without copying, go to step 5.

    If you copied the user account, select the properties of the new copied user, then click on the Attribute Editor tab.

    image

  4. Find the attribute msExchHomeServerName, then clear this value > click OK.

    image

  5. You will need to Mail Enable the new user account. Mail Enabling a user account adds Exchange properties to the AD account, such as an email address. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-MailUser -Identity '<user>' -Alias '<alias>' -ExternalEmailAddress 'SMTP:<alias>@domain.com'

  6. Enable a Remote Mailbox for this new Mail User. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-RemoteMailbox <alias> -RemoteRoutingAddress <alias>@domain.mail.onmicrosoft.com

  7. Make sure that this user has an Office 365 license, contact your IT administrator so that a license can be allocated.
  8. Wait until Directory Synchronization completes, normally this runs every 3 hours by default, unless your IT administrator has sped this up. Once Directory Synchronization has completed, you will see this new mailbox appear in Exchange Online.

    To check to see if the new mailbox has been created online, connect to Exchange Online following the steps above. Using the Exchange Management Console, have a look under Recipient Configuration > Mailbox. Make sure you refresh this view to get the latest listing of remote mailboxes.

     image

  9. You should be able to see the new mailbox.

How to grant full access to a mailbox

  1. You can do this from the Exchange Control Panel of Exchange Online at https://outlook.office365.com/ecp. Log on as your tenant account and select recipients on the left.

    image

  2. Find the mailbox you want to grant access to, and select Edit.

    image

  3. Under mailbox delegation, you can add users that you want to have Full Access.

    image

    Once you do this, the mailbox will automatically map into the Outlook profile of the user you granted access to. There is no need to manually add the additional mailbox to Outlook. Once the mailbox is automatically added to Outlook, it will be cached locally, similar to the user’s primary mailbox.

Granting Send-As and Send on Behalf permissions to cloud mailboxes

This is done using the Exchange Online Control Panel.

  1. Logon to https://outlook.office365.com/ecp with your Exchange Online (Office 365) credentials.
  2. Select Recipients > Mailboxes and find the mailbox that you are granting access to and click Properties

    image

  3. Select Mailbox Delegation

    image

Changing the default User Principal Name (UPN) of cloud mailboxes

  1. Changing the UPN of a cloud based mailbox is normally done using the on-premise EMC > Recipient Configuration > Mail Contact > select the properties of the Remote User Mailbox, you change the UPN (shown below).

    image

    Normally Directory Synchronization will propagate changes to the cloud, by default every 3 hours. Sometimes this does not work and cloud users can’t access cloud resources after synchronization has taken place. What happens is that the UPN is changed on-premises, Directory Synchronization runs as normal with no errors, but the UPN in the cloud doesn’t change. You can check the UPN of the user in the cloud on the portal https://portal.microsoftonline.com/

    The User Name field represents the UPN of the user; sometimes this doesn’t change and still displays the previous UPN.

    image  

  2. To fix this, you need to connect to Exchange Online using PowerShell (see above steps). Run the following two commands, setting the UPN of the user to the default tenant domain, then the same PowerShell command to change the UPN of the user to what it should be.  

    Set-MsolUserPrincipalName -UserPrincipalName user@<old_UPN> -NewUserPrincipalName user@<tenant_domain>.onmicrosoft.com

    Set-MsolUserPrincipalName -UserPrincipalName user@<tenant_domain>.onmicrosoft.com -NewUserPrincipalName user@<new_UPN>

Kicking off a manual Directory Synchronization

Sometimes waiting for the default 3 hour window of Directory Synchronization can’t be done. Kicking off a manual sync is very easy.

  1. Logon to the Directory Synchronization server. Navigate to C:\Program Files\Microsoft Online Directory Sync
  2. Run DirSyncConfigShell.psc1
  3. Type in Start-OnlineCoexistenceSync and hit enter.

    image

  4. You can monitor the progress by opening up the Directory Synchronization program "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"

    You can see the history of Directory Synchronization.

    image

Calendar Permissions

Granting calendar permissions is the same as granting access to any other mailbox folder, as a mailbox calendar is more or less a folder.

  1. You will need to find the PrimarySmtpAddress of the user’s calendar that you want to work with. Connect to Exchange Online PowerShell as above, then run the following command for the user that is in the cloud.

    Get-Mailbox -Identity user* |fl

    Find the PrimarySmtpAddress of the user in the list.

  2. To view current calendar permissions for this user, run:

    Get-MailboxFolderPermission -Identity fred@contoso.com:\Calendar

  3. To add calendar permissions, run the following cmdlet. This will make Ed an owner of Fred’s calendar.

    Add-MailboxFolderPermission -Identity fred@contoso.com:\Calendar -User ed@contoso.com -AccessRights Owner

  4. There are a number of different permissions you can grant to a mailbox folder such as a calendar. See below.

    Taken from http://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx

  5. The AccessRights parameter specifies the permissions for the user with the following access rights:

    • ReadItems   The user has the right to read items within the specified folder.
    • CreateItems   The user has the right to create items within the specified folder.
    • EditOwnedItems   The user has the right to edit the items that the user owns in the specified folder.
    • DeleteOwnedItems   The user has the right to delete items that the user owns in the specified folder.
    • EditAllItems   The user has the right to edit all items in the specified folder.
    • DeleteAllItems   The user has the right to delete all items in the specified folder.
    • CreateSubfolders   The user has the right to create subfolders in the specified folder.
    • FolderOwner   The user is the owner of the specified folder. The user has the right to view and move the folder and create subfolders. The user can’t read items, edit items, delete items, or create items.
    • FolderContact   The user is the contact for the specified public folder.
    • FolderVisible   The user can view the specified folder, but can’t read or edit items within the specified public folder.

    The AccessRights parameter also specifies the permissions for the user with the following roles, which are a combination of the rights listed previously:

    • None   FolderVisible
    • Owner   CreateItems, ReadItems, CreateSubfolders, FolderOwner, FolderContact, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • PublishingEditor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • Editor   CreateItems, ReadItems, FolderVisible, EditOwnedItems, EditAllItems, DeleteOwnedItems, DeleteAllItems
    • PublishingAuthor   CreateItems, ReadItems, CreateSubfolders, FolderVisible, EditOwnedItems, DeleteOwnedItems
    • Author   CreateItems, ReadItems, FolderVisible, EditOwnedItems, DeleteOwnedItems
    • NonEditingAuthor   CreateItems, ReadItems, FolderVisible
    • Reviewer   ReadItems, FolderVisible
    • Contributor   CreateItems, FolderVisible

    The following roles apply specifically to calendar folders:

    • AvailabilityOnly   View only availability data
    • LimitedDetails   View availability data with subject and location
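A practical use of the rights and roles listed above is to review who holds them. The script below is an added example, not part of the original guide: it walks every cloud mailbox, reads the Calendar folder permissions with the same Get-MailboxFolderPermission cmdlet shown in step 2, and separates explicit grants that allow editing or deleting from the implicit Default and Anonymous entries. It assumes an Exchange Online remote PowerShell session is already imported (see the connection steps above); the result-size cap is this example’s choice.

```powershell
# Added example, not from the original guide: audit Calendar folder permissions across cloud mailboxes.
# Assumes an imported Exchange Online remote session. The role/right names are the ones listed above.
$EditRoles = @('Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor', 'Author',
               'EditAllItems', 'DeleteAllItems', 'EditOwnedItems', 'DeleteOwnedItems')

function Get-CalendarGrant {
    param([int]$ResultSize = 1000)   # cap on the mailbox enumeration; raise it for larger tenants
    foreach ($mbx in Get-Mailbox -ResultSize $ResultSize) {
        # Same identity form as step 2: <PrimarySmtpAddress>:\Calendar
        $folder = "$($mbx.PrimarySmtpAddress):\Calendar"
        foreach ($perm in Get-MailboxFolderPermission -Identity $folder -ErrorAction SilentlyContinue) {
            $who    = "$($perm.User)"                      # display name of the grantee
            $rights = @($perm.AccessRights | ForEach-Object { "$_" })
            [pscustomobject]@{
                Mailbox  = "$($mbx.PrimarySmtpAddress)"
                User     = $who
                Rights   = ($rights -join ',')
                # Default and Anonymous exist on every calendar; anything else was granted explicitly.
                Explicit = ($who -notin @('Default', 'Anonymous'))
                CanEdit  = [bool]($rights | Where-Object { $_ -in $EditRoles })
            }
        }
    }
}

$grants = Get-CalendarGrant

# Review list 1: explicit grants that let someone edit or delete items in another user's calendar.
$grants | Where-Object { $_.Explicit -and $_.CanEdit } | Sort-Object Mailbox | Format-Table -AutoSize

# Review list 2: calendars whose Default entry shows the whole organisation more than free/busy.
$grants | Where-Object { $_.User -eq 'Default' -and $_.Rights -notin @('AvailabilityOnly', 'None') } |
    Format-Table -AutoSize
```

Run it after granting a permission with Add-MailboxFolderPermission (step 3) to confirm the grant landed on the intended calendar, and periodically to catch Owner or Editor grants that were meant to be temporary.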

August 30, 2013

Desktop Support guide to administering Exchange Online

Filed under: Computers and Internet — marckean @ 3:06 pm

This guide is written for the desktop support team of my company. We come from an on-premises infrastructure frame of mind with Exchange/AD etc. Now we have a Hybrid setup with Office 365, with some mailboxes still on-premises and some mailboxes in the cloud. Administering Office 365 Exchange Online mailboxes and users is slightly different from on-premises.

This guide will explain some popular administration scenarios. If not included in this guide, it would be safe to assume that you administer things the same as normal. Remember, with a Hybrid, there is Directory Synchronization turned on, which is a one way sync of all objects from the on-prem Active Directory to the Office 365 Active Directory.

How to connect to Exchange Online using the Exchange Management Console (EMC)

  1. You will need to connect to Exchange Online using the EMC for many purposes, one of which is to check for new mailboxes that you have just setup by enabling remote mailboxes using on-premise Exchange.

    Right click the top level in the tree and choose the option to Add Exchange Forest.

    image

  2. Give a meaningful description for your eyes only, then choose Exchange Online > click OK.

    image

  3. Enter in your credentials to connect to Exchange Online > Click OK

    image 

How to connect to Exchange Online using PowerShell

  1. Setting up the connection to Exchange Online using PowerShell is slightly different. Microsoft .NET Framework 4.5 and Windows Management Framework 3.0 must be installed on the computer used for the PowerShell connection.
  2. Windows PowerShell script execution must be enabled on the computer you use to connect to Exchange Online. To enable script execution for signed scripts, run the following command in an elevated Windows PowerShell window.

    Set-ExecutionPolicy Unrestricted

  3. Connect to Exchange Online
    1. Open Windows PowerShell > Run the following command:

      $UserCredential = Get-Credential

    2. In the Windows PowerShell Credential Request dialog box, type the user name and password of an account in your Exchange Online organization, and then click OK.

      Run the following command:

      $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $UserCredential -Authentication Basic -AllowRedirection

    3. Run the following command:

      Import-PSSession $Session

  4. Disconnect from Exchange Online
    1. Be sure to disconnect the remote PowerShell session when you’re finished. If you close the Windows PowerShell window without disconnecting the session, you could use up all the remote PowerShell sessions available to you. You’re allowed to have up to three concurrent remote PowerShell sessions. If you use all the sessions available to you, you’ll need to wait for the sessions to expire.

      After you’re finished with your remote Shell session, use the following command to disconnect from Exchange Online.

      Remove-PSSession $Session
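The connect, import and disconnect steps above (the same steps appear in the September 16 version of this guide), put together as an added example that is not the post’s own code: the work runs inside try/finally so the session is removed even when a cmdlet throws, and any Exchange session left behind by a window that was closed without Remove-PSSession is cleaned up first, which is what keeps you under the three-session limit described in step 4. The ConnectionUri and authentication settings are exactly those shown above; the sample work (listing ten mailboxes) is this example’s choice.

```powershell
# Added example, not the post's own code: connect to Exchange Online, do some work, and always
# disconnect. Uses the same New-PSSession parameters as the guide above. Windows PowerShell 3.0+.

# Sessions left over from an earlier window count against the limit of three; remove them first.
Get-PSSession | Where-Object { $_.ConfigurationName -eq 'Microsoft.Exchange' } | Remove-PSSession

$UserCredential = Get-Credential -Message 'Exchange Online administrator account'
$Session = $null
try {
    $Session = New-PSSession -ConfigurationName Microsoft.Exchange `
                             -ConnectionUri https://ps.outlook.com/powershell/ `
                             -Credential $UserCredential -Authentication Basic -AllowRedirection

    # Bring the Exchange Online cmdlets into this session (quietly).
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # --- work goes here; this sample just lists ten mailboxes ---
    Get-Mailbox -ResultSize 10 | Select-Object DisplayName, PrimarySmtpAddress
}
finally {
    # Runs whether the work succeeded or threw, so the remote session is always released.
    if ($Session) { Remove-PSSession $Session }
}
```

If you keep this as a script, the three commands inside the try block are the only part that changes from task to task; everything else is the housekeeping that step 4 asks you to remember by hand.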

How to setup a new cloud mailbox

Setting up a new cloud mailbox involves first setting up a user in Active Directory, then mail enabling the user.

  1. Either setup a new user from scratch using the on-prem Active Directory, or simply copy an existing user account. You do this using the Active Directory Users & Computers management console as normal.
  2. Make sure Advanced Features is turned on

    image

  3. If you created a brand new user without copying, go to step 5.

    If you copied the user account, select the properties of the new copied user, then click on the Attribute Editor tab.

    image

  4. Find the attribute msExchHomeServerName, then clear this value > click OK.

    image

  5. You will need to Mail Enable the new user account. Mail Enabling a user account adds Exchange properties to the AD account, such as an email address. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-MailUser -Identity '<user>' -Alias '<alias>' -ExternalEmailAddress 'SMTP:<alias>@domain.com'

  6. Enable a Remote Mailbox for this new Mail User. Run the following PowerShell cmdlet with on-premise Exchange:

    Enable-RemoteMailbox <alias> -RemoteRoutingAddress <alias>@domain.mail.onmicrosoft.com

  7. Make sure that this user has an Office 365 license, contact your IT administrator so that a license can be allocated.
  8. Wait until Directory Synchronization completes, normally this runs every 3 hours by default, unless your IT administrator has sped this up. Once Directory Synchronization has completed, you will see this new mailbox appear in Exchange Online.

    To check to see if the new mailbox has been created online, connect to Exchange Online following the steps above. Using the Exchange Management Console, have a look under Recipient Configuration > Mailbox. Make sure you refresh this view to get the latest listing of remote mailboxes.

     image

  9. You should be able to see the new mailbox.

How to grant full access to a mailbox

  1. Granting full access to a mailbox is done using PowerShell. You need to find out the Alias of the mailbox you are granting access to and the SamAccountName of the user who is to have access.

    *** Use PowerShell and connect to Exchange Online (as above)

    To find out the SamAccountName of the user you need to grant access to, run the following PowerShell cmdlet with Exchange Online. This command will find all users with ‘law’ in the name:

    Get-MailUser -identity law* |fl SamAccountName

  2. To find the alias of the mailbox, have a look in the Exchange Management Console under Exchange Online > Recipient Configuration > Mailbox, you will see the Alias column.

    image

  3. The <alias> is the mailbox you are granting access to and <SamAccountName> is the account that is to have access. Run the following PowerShell cmdlet with Exchange Online:

    Add-MailboxPermission -Identity <alias> -User <SamAccountName> -AccessRights FullAccess -InheritanceType All -AutoMapping $false
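Full Access grants made this way (or through the ECP, as in the September 16 version of this guide) accumulate quietly, so the check a support team wants is a list of who currently holds them. The script below is an added example, not the post’s own code: it reads each cloud mailbox with Get-MailboxPermission and keeps only explicit, non-inherited Allow entries that include FullAccess, skipping the mailbox owner’s own SELF entry and orphaned SIDs left by deleted accounts. It assumes an Exchange Online remote session is already imported; the result-size cap and the “more than three mailboxes” threshold are this example’s choices.

```powershell
# Added example, not from the original guide: enumerate explicit Full Access grants on cloud mailboxes.
# Assumes an imported Exchange Online remote session (see the connection steps above).
function Get-FullAccessGrant {
    param([int]$ResultSize = 1000)   # cap on the mailbox enumeration; raise it for larger tenants
    foreach ($mbx in Get-Mailbox -ResultSize $ResultSize) {
        $perms = Get-MailboxPermission -Identity $mbx.Identity
        foreach ($p in $perms) {
            $user = "$($p.User)"
            # Keep explicit Allow entries only: inherited entries come from the database defaults,
            # SELF is the owner's own right, and S-1-5-... users are SIDs of deleted accounts.
            if ($p.IsInherited) { continue }
            if ($p.Deny)        { continue }
            if ($user -match '^(NT AUTHORITY\\SELF|S-1-5-)') { continue }
            if (-not ($p.AccessRights -contains 'FullAccess')) { continue }
            [pscustomobject]@{
                Mailbox = "$($mbx.PrimarySmtpAddress)"
                User    = $user
                Rights  = (($p.AccessRights | ForEach-Object { "$_" }) -join ',')
            }
        }
    }
}

$grants = Get-FullAccessGrant
$grants | Sort-Object Mailbox | Format-Table -AutoSize

# One account holding Full Access on many mailboxes is worth a second look; confirm each is still wanted.
$grants | Group-Object User | Where-Object { $_.Count -gt 3 } | Select-Object Name, Count
```

Running it straight after the Add-MailboxPermission command above is a quick way to confirm the grant went onto the intended <alias> and not a similarly named mailbox.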

Granting Send-As and Send on Behalf permissions to cloud mailboxes

This is done using the Exchange Control Panel.

  1. Logon to https://outlook.office365.com/ecp with your Exchange Online (Office 365) credentials.
  2. Select Recipients > Mailboxes and find the mailbox that you are granting access to and click Properties

    image

  3. Select Mailbox Delegation

    image

Changing the default User Principal Name (UPN) of cloud mailboxes

  1. Changing the UPN of a cloud based mailbox is normally done using the on-premise EMC > Recipient Configuration > Mail Contact > select the properties of the Remote User Mailbox, you change the UPN (shown below).

    image

    Normally Directory Synchronization will propagate changes to the cloud, by default every 3 hours. Sometimes this does not work and cloud users can’t access cloud resources after synchronization has taken place. What happens is that the UPN is changed on-premises, Directory Synchronization runs as normal with no errors, but the UPN in the cloud doesn’t change. You can check the UPN of the user in the cloud on the portal https://portal.microsoftonline.com/

    The User Name field represents the UPN of the user; sometimes this doesn’t change and still displays the previous UPN.

    image  

  2. To fix this, you need to connect to Exchange Online using PowerShell (see above steps). Run the following two commands, setting the UPN of the user to the default tenant domain, then the same PowerShell command to change the UPN of the user to what it should be.  

    Set-MsolUserPrincipalName -UserPrincipalName user@<old_UPN> -NewUserPrincipalName user@<tenant_domain>.onmicrosoft.com

    Set-MsolUserPrincipalName -UserPrincipalName user@<tenant_domain>.onmicrosoft.com -NewUserPrincipalName user@<new_UPN>
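The two-hop change above (the same fix appears in the September 16 version of this guide) as an added example that is not the post’s own code: it reads the cloud UPN with Get-MsolUser before and after, so you can see whether the on-premises change had already synchronised before you touch anything, and returns whether the final value matches. Set-MsolUserPrincipalName and Get-MsolUser come from the MSOnline module, which this example assumes is installed; the sample names are constructed.

```powershell
# Added example, not the post's own code: the two-hop UPN repair with a before/after check.
# Assumes the MSOnline module (Connect-MsolService, Get-MsolUser, Set-MsolUserPrincipalName).
Import-Module MSOnline
Connect-MsolService      # prompts for the tenant administrator credential

function Repair-CloudUpn {
    param(
        [Parameter(Mandatory)][string]$CurrentUpn,    # what the cloud still shows, i.e. user@<old_UPN>
        [Parameter(Mandatory)][string]$NewUpn,        # what it should be, i.e. user@<new_UPN>
        [Parameter(Mandatory)][string]$TenantDomain   # <tenant_domain>.onmicrosoft.com
    )
    $before = Get-MsolUser -UserPrincipalName $CurrentUpn -ErrorAction Stop
    Write-Host "Before: $($before.UserPrincipalName)"

    # Hop 1: park the user on the tenant's default domain ...
    $viaTenant = "$($CurrentUpn.Split('@')[0])@$TenantDomain"
    Set-MsolUserPrincipalName -UserPrincipalName $CurrentUpn -NewUserPrincipalName $viaTenant | Out-Null

    # Hop 2: ... then move it to the intended UPN.
    Set-MsolUserPrincipalName -UserPrincipalName $viaTenant -NewUserPrincipalName $NewUpn | Out-Null

    $after = Get-MsolUser -UserPrincipalName $NewUpn -ErrorAction Stop
    Write-Host "After:  $($after.UserPrincipalName)"
    return ($after.UserPrincipalName -eq $NewUpn)
}

# Constructed sample values; replace them with the real ones.
Repair-CloudUpn -CurrentUpn 'jane@old.example.com' `
                -NewUpn     'jane@new.example.com' `
                -TenantDomain 'contoso.onmicrosoft.com'
```

If the “Before” line already shows the new UPN, directory synchronization has done its job and the two hops are not needed.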

Kicking off a manual Directory Synchronization

Sometimes waiting for the default 3 hour window of Directory Synchronization can’t be done. Kicking off a manual sync is very easy.

  1. Logon to the Directory Synchronization server. Navigate to C:\Program Files\Microsoft Online Directory Sync
  2. Run DirSyncConfigShell.psc1
  3. Type in Start-OnlineCoexistenceSync and hit enter.

    image

  4. You can monitor the progress by opening up the Directory Synchronization program "C:\Program Files\Microsoft Online Directory Sync\SYNCBUS\Synchronization Service\UIShell\miisclient.exe"

    You can see the history of Directory Synchronization.

    image

July 12, 2013

Exchange 2010 AutoDiscover for Multi-Tenant

Filed under: Computers and Internet,Uncategorized — marckean @ 6:26 pm

This blog post explains a solution that avoids the need for a massive SAN (Subject Alternative Name) SSL certificate covering all your tenant domain names. Exchange 2010 can be set up for multi-tenant use easily by using only a much smaller and cheaper SSL certificate for both the Exchange RPC proxy endpoint and the autodiscover DNS name. The RPC proxy endpoint normally stays the same no matter how many domains/tenants you are hosting and is generally mail.domain.com.

A bit of background: in Exchange 2010, all Outlook clients normally use MAPI/RPC or Outlook Anywhere (RPC over HTTPS) to connect to a Client Access Server. The MAPI/RPC clients (normally LAN and internal clients) connect to the non-externally-resolvable CAS Array object FQDN (aka the RPC endpoint) for mailbox access, and the external/remote HTTPS-based clients connect to the Outlook Anywhere hostname (aka the RPC proxy endpoint) for all mailbox and public folder access. Generally the RPC endpoint is an internally resolvable DNS name only, e.g. outlook.internal.com, and the RPC proxy endpoint can be both an internally and externally resolvable DNS name, e.g. mail.domain.com.

As for autodiscover, when you setup mail for the first time, or each time you re-open your mail client, autodiscover is always working automatically in the background without the user knowing. If setting up their mail for the first time, all the user has to do is enter their email address/username and password, upon clicking next, autodiscover will work its magic and grab the exchange server name, connection settings, free/busy and other important URLs needed for the client to have a successful connection experience.

For autodiscover, there is a certain order in which a client runs its checks. For example, take a user with the email address sarah.walters@domain-a.com. Autodiscover takes only the domain name section of this email address (domain-a.com), then runs the following checks in order, stopping at the first one that succeeds:

  1. Attempting to test potential Autodiscover https://domain-a.com/autodiscover/autodiscover.xml
  2. Attempting to test potential Autodiscover https://autodiscover.domain-a.com/autodiscover/autodiscover.xml
  3. Attempting to contact the Autodiscover service using the HTTP redirect method http://autodiscover.domain-a.com/autodiscover/autodiscover.xml
  4. Attempting to contact the Autodiscover service using the DNS SRV redirect method _autodiscover._tcp.domain-a.com

If all methods fail, then autodiscover fails. As you can see above, the first two connections are HTTPS connections and are the only true methods for autodiscover; the 4th method is used primarily for internal use. The 3rd method is an HTTP redirect, which simply redirects autodiscover requests, normally to an HTTPS URL. As HTTPS is used, there needs to be an SSL certificate with a SAN of the autodiscover URL, e.g. https://autodiscover.contoso.com. It’s not possible in a multi-tenant environment to have a single SAN certificate cover all the many different domains which you host.

Let’s say you run a multi-tenant environment and you have the following domains:

domain-a.com
domain-b.net
domain-c.org
domain-d.biz

  1. Choose a master domain in which to host your HTTPS autodiscover DNS name (e.g. contoso.com), and use a DNS name in this domain which will be listed on your SSL certificate and will be the DNS name all your tenants point their autodiscover CNAME record to. For example, use autodiscover-redirect.contoso.com
  2. Dedicate an IIS server to the HTTP redirection method (step 3 above). Set up a DNS A record (hostname) which points autodiscover-redirect.contoso.com to the IP address of this IIS server. Open port 80 inbound only, as we are only using HTTP for the redirection.
  3. Get your tenants (for each one of your hosted Exchange domains) to create a DNS CNAME record. For example, for tenant domain-a.com, they would create a DNS CNAME record which points autodiscover.domain-a.com to autodiscover-redirect.contoso.com
  4. The DNS name autodiscover-redirect.contoso.com would point to a dedicated HTTP redirection IIS server
  5. The HTTP redirect IIS server returns a redirect (HTTP 301/302) response with a redirect URL of https://autodiscover.contoso.com/autodiscover/autodiscover.xml

The diagram below includes the steps in order:

image

HTTP Redirect IIS server setup

  1. Install IIS on a Windows server of your choice, ensure you choose HTTP Redirection

    image

  2. Create a folder C:\inetpub\wwwroot\autodiscover and add a blank file called autodiscover.xml

    image

  3. Create a new virtual directory called ‘autodiscover’. Select this new virtual directory > click on Content View > Right click on autodiscover.xml > Select ‘Switch to Features View’

    image

  4. Double click on HTTP Redirect

     image

  5. Change the HTTP Redirect settings to reflect the screenshot below.

    image 

  6. Right click on Default Web Site > click on Edit Bindings

    image

  7. Add in all your Tenant domains as HTTP bindings.

     image
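The seven IIS steps above, together with the four-step client lookup order described earlier in this post, as one added example that is not the post’s own code: it builds the redirect virtual directory, the HTTP Redirect settings and one port-80 binding per tenant hostname with the WebAdministration module, then walks the lookup order for one tenant domain without following redirects and warns if the HTTP hop sends clients anywhere other than the HTTPS Autodiscover URL. The redirect status (302, “Found”), the exact-destination setting and the probe function are this example’s assumptions; the hostnames and tenant domains are the post’s placeholders. Run it as an administrator on the redirect server under Windows PowerShell 3.0 or later.

```powershell
# Added example, not the post's own code: configure the HTTP-only Autodiscover redirect host,
# then verify the client lookup order for one tenant domain. Windows PowerShell 3.0+, run elevated.
Import-Module WebAdministration

$Site          = 'Default Web Site'
$Physical      = 'C:\inetpub\wwwroot\autodiscover'
$RedirectTo    = 'https://autodiscover.contoso.com/autodiscover/autodiscover.xml'   # post's placeholder
$TenantDomains = @('domain-a.com', 'domain-b.net', 'domain-c.org', 'domain-d.biz')  # post's placeholders

# Step 2: the folder and the blank autodiscover.xml, so the request path has something to match.
New-Item -Path $Physical -ItemType Directory -Force | Out-Null
New-Item -Path (Join-Path $Physical 'autodiscover.xml') -ItemType File -Force | Out-Null

# Step 3: the 'autodiscover' virtual directory.
if (-not (Get-WebVirtualDirectory -Site $Site -Name 'autodiscover')) {
    New-WebVirtualDirectory -Site $Site -Name 'autodiscover' -PhysicalPath $Physical | Out-Null
}

# Steps 4/5: HTTP Redirect on that directory. exactDestination sends every request to the one fixed
# HTTPS URL instead of appending the request path; 'Found' is a 302 ('Permanent' would be a 301).
$vdir     = "IIS:\Sites\$Site\autodiscover"
$settings = @{ enabled = $true; destination = $RedirectTo; exactDestination = $true; httpResponseStatus = 'Found' }
foreach ($kv in $settings.GetEnumerator()) {
    Set-WebConfigurationProperty -PSPath $vdir -Filter 'system.webServer/httpRedirect' -Name $kv.Key -Value $kv.Value
}

# Steps 6/7: one port-80 binding per tenant autodiscover hostname. No HTTPS binding: this host only redirects.
foreach ($d in $TenantDomains) {
    $hostHeader = "autodiscover.$d"
    if (-not (Get-WebBinding -Name $Site -Protocol http -Port 80 -HostHeader $hostHeader)) {
        New-WebBinding -Name $Site -Protocol http -Port 80 -HostHeader $hostHeader | Out-Null
    }
}

# Verification helper: fetch one URL without following redirects; report status and Location.
function Test-AutodiscoverUrl {
    param([string]$Uri)
    try {
        $r = Invoke-WebRequest -Uri $Uri -MaximumRedirection 0 -UseBasicParsing -TimeoutSec 10 -ErrorAction Stop
        return [pscustomobject]@{ Uri = $Uri; Status = [int]$r.StatusCode; Location = "$($r.Headers['Location'])" }
    } catch {
        $resp = $_.Exception.Response   # set for 3xx/4xx/5xx answers; null for DNS or TLS failures
        if ($resp) {
            return [pscustomobject]@{ Uri = $Uri; Status = [int]$resp.StatusCode; Location = "$($resp.Headers['Location'])" }
        }
        return [pscustomobject]@{ Uri = $Uri; Status = 0; Location = $_.Exception.Message }
    }
}

# The client's lookup order from the post. A 401 at an HTTPS endpoint means the service is there
# (it wants credentials); the HTTP step should answer 301/302 with Location = $RedirectTo.
function Get-AutodiscoverChain {
    param([string]$Domain)
    @("https://$Domain/autodiscover/autodiscover.xml",
      "https://autodiscover.$Domain/autodiscover/autodiscover.xml",
      "http://autodiscover.$Domain/autodiscover/autodiscover.xml") | ForEach-Object { Test-AutodiscoverUrl $_ }
    # Step 4: the SRV redirect method.
    $srv = Resolve-DnsName -Name "_autodiscover._tcp.$Domain" -Type SRV -ErrorAction SilentlyContinue |
           Where-Object { $_.Type -eq 'SRV' }
    foreach ($rec in $srv) {
        [pscustomobject]@{ Uri = "_autodiscover._tcp.$Domain"; Status = 'SRV'; Location = "$($rec.NameTarget):$($rec.Port)" }
    }
}

$chain = Get-AutodiscoverChain -Domain $TenantDomains[0]
$chain | Format-Table -AutoSize
$hop = $chain | Where-Object { $_.Uri -like 'http://*' }
if (($hop.Status -in 301, 302) -and ($hop.Location -ne $RedirectTo)) {
    Write-Warning "HTTP redirect step points to '$($hop.Location)', expected '$RedirectTo'"
}
```

Run the verification part from a machine outside the server itself so the tenant CNAME (step 3 of the design) is exercised as well; the Location column on the http:// row is the single value the whole design depends on, so it is the one to check after any IIS change.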

Outlook clients might get a pop-up like this: “Allow this website to configure <alias>@<domain> server settings?” In this message, select the “Don’t ask me about this website again” check box, and then click Allow.

image

July 1, 2013

Fully automate the installation of Office 365

Filed under: Computers and Internet,Uncategorized — marckean @ 3:03 pm

This post continues on from my other blog post, Fully automate the removal of any Office version in preparation for Office 365. Once all Office software versions have been removed from the computer, you then need to automate the installation of Office 365 immediately after the uninstallation of all legacy Office versions. This guide will demonstrate how to automatically install Office 365 using Group Policy.

First, you’ll need to download and install the Office Deployment Tool for Click-to-Run. Install this on a dedicated (file) server which will host the share and hold a local copy of the Office 365 setup files. Beware, the Office 365 source files are around 1GB in size. If you have several sites separated by slow WAN links, you will want to dedicate a server for each site to hold the source files, so repeat these steps on each site server. Once you have installed the Office Deployment Tool for Click-to-Run, it gives you two files, setup.exe and configuration.xml. These are all you need to, first, download the Office 365 source files from the internet to a local repository and, second, install Office 365 silently.

Download the Office 365 source files

To download the source files to your local server, first create a share and grant the everyone group read permission to the share. In my example, the share is called OfficeSource.

Edit the configuration.xml file, change the UNC path to suit your configuration.

<Configuration>

  <Add SourcePath="\\<server>\OfficeSource\" OfficeClientEdition="32" >
    <Product ID="O365ProPlusRetail">
      <Language ID="en-us" />
    </Product>
  </Add>

  <!--  <Updates Enabled="TRUE" UpdatePath="\\Server\Share\Office\" />  -->

  <!--  <Display Level="None" AcceptEULA="TRUE" />  -->

  <!--  <Logging Name="OfficeSetup.txt" Path="%temp%" />  -->

  <!--  <Property Name="AUTOACTIVATE" Value="1" />  -->

</Configuration>

Then run the following command:

setup.exe /download configuration.xml

Install Office 365 silently

To install Office 365 silently, it is almost the same command. Before running it, uncomment the Display element in configuration.xml (Level="None" AcceptEULA="TRUE"); with that line commented out the default Level is Full and setup shows its installation UI, which nobody will ever dismiss when the task runs under a service account at logon. Then run:

setup.exe /configure configuration.xml

Group Policy Integration

  • You will need to create a service account to be used for the automated install process. The account I used was a member of the Domain Admins group in Active Directory so that the account would have local admin access on all domain joined member machines by default. I called this account svc.admin_install. Note that the scheduled task created in the next step stores this account's password inside the GPO (Group Policy Preferences write it to SYSVOL, which every authenticated domain user can read), so prefer an account that is only a local administrator on the workstations (granted via Restricted Groups) over a Domain Admin, and treat the password as exposed to anyone in the domain.
  • Create a user based group policy and link it to the AD Site which contains your users. The reason for linking to a site rather than an OU is that you can create a file share local to each site and point each site's GPO at its own share. Create a scheduled task; I called this Install Office. Change the account used to run the task to the account you set up before and enter the password when prompted.

    image

  • Set the trigger to run at user logon

    image

  • For the action, add in %windir%\Office_in.bat

    image

  • There is a batch file script that needs to be distributed to the computers. Using the same group policy object, configure Files under Group Policy preferences.

    image 

    The destination for this file would be %windir%\Office_in.bat

    The source of this batch file can be located in any location, however as we are using a GPO, I would recommend using the logon script folder as follows:

    \\domain.local\sysvol\domain.local\Policies\{3C683713-8255-4B11-955F-602B49E03A43}\User\Scripts\Logon

    The batch file has the following contents. The dir calls are only there to set the errorlevel (1 when the file is not found), so their output is discarded:

    @echo off
    rem Search every profile under %SystemDrive%\users for the flag files.
    cd /d %SystemDrive%\users

    rem O551c3_1n.txt is written by the uninstall script; no flag, nothing to do.
    dir /s /b O551c3_1n.txt >nul 2>&1
    if errorlevel 1 goto end

    rem C0mp1et3_0ff1c3.txt means this machine has already been done.
    dir /s /b C0mp1et3_0ff1c3.txt >nul 2>&1
    if not errorlevel 1 goto end

    \\<server>\OfficeSource\Setup.exe /configure \\<server>\OfficeSource\configuration.xml

    echo Office 365 Install Complete > %SystemDrive%\users\C0mp1et3_0ff1c3.txt

    :end
    exit

Flag Files

C0mp1et3_0ff1c3.txt – indicates that the Office 365 install has completed. The file is written to %SystemDrive%\users.
O551c3_1n.txt – indicates that all legacy versions of Office have been removed; it is created on completion of the uninstall script in my other post, also under %SystemDrive%\users.

As this post continues on from my post on uninstalling Office, the install script first checks for O551c3_1n.txt and only continues if that file is found. It then looks for C0mp1et3_0ff1c3.txt and only continues if that file does not exist, so each machine is installed once. Both checks search every profile under %SystemDrive%\users, so any user on the machine can create either flag.
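The scheduled task above runs Setup.exe with configuration.xml straight from the share, as the svc.admin_install account, on every machine the GPO reaches; whoever can change those two files on the share gets code execution with that account on all of them. The script below is an added example, not from the original post: it walks the NTFS ACLs under the share and reports any write, delete, permission-change or take-ownership right granted to Everyone, Authenticated Users, Users, INTERACTIVE or Domain Users. The share path is an assumption; run it from a machine that can reach the share, and check the share-level permissions on the file server as well (Get-SmbShareAccess on Server 2012, the share's Properties dialog otherwise).

```powershell
# Added example, not from the original post: audit NTFS ACLs on the Office
# deployment share for write rights granted to broad identities.
# The share path is an assumption; point it at your own OfficeSource share.
param(
    [string]$SharePath = '\\fileserver\OfficeSource'
)

# Identities that must not be able to change Setup.exe or configuration.xml.
$BroadIdentities = @(
    'Everyone',
    'NT AUTHORITY\Authenticated Users',
    'NT AUTHORITY\INTERACTIVE',
    'BUILTIN\Users'
)

# Any of these rights lets a caller alter or replace what the task executes.
$WriteMask = [System.Security.AccessControl.FileSystemRights](
    'WriteData, AppendData, WriteAttributes, WriteExtendedAttributes, ' +
    'Delete, DeleteSubdirectoriesAndFiles, ChangePermissions, TakeOwnership')

function Test-BroadIdentity([string]$Identity) {
    # Domain Users shows up as DOMAIN\Domain Users, so match on the suffix.
    return ($BroadIdentities -contains $Identity) -or ($Identity -like '*\Domain Users')
}

$findings = @()
$items = @(Get-Item -LiteralPath $SharePath) +
         @(Get-ChildItem -LiteralPath $SharePath -Recurse -Force)

foreach ($item in $items) {
    $acl = Get-Acl -LiteralPath $item.FullName
    foreach ($ace in $acl.Access) {
        if ($ace.AccessControlType -ne 'Allow') { continue }
        if (-not (Test-BroadIdentity $ace.IdentityReference.Value)) { continue }
        # Generic rights may appear as negative values; the int cast keeps -band honest.
        if (([int]$ace.FileSystemRights -band [int]$WriteMask) -ne 0) {
            $findings += [pscustomobject]@{
                Path      = $item.FullName
                Identity  = $ace.IdentityReference.Value
                Rights    = $ace.FileSystemRights
                Inherited = $ace.IsInherited
            }
        }
    }
}

if ($findings.Count -eq 0) {
    "OK: no broad identity holds write rights under $SharePath"
} else {
    Write-Warning "Broad identities can modify content under $SharePath"
    $findings | Format-Table -AutoSize
}
```

Run it again after every change to the share; an ACE inherited from the parent folder shows up with Inherited set to True, which usually points at a loosely permissioned root rather than the share itself.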

June 28, 2013

SMTP relay using Exchange Online Protection (EOP)

Filed under: Computers and Internet,Uncategorized — marckean @ 2:19 pm

Exchange Online Protection (EOP) is a service which you can buy from Microsoft. They also offer a 1 month trial. You can use EOP with your on-premise Exchange as a mail gateway in both directions. If you have Office 365 with Exchange Online, it already uses EOP, so you can make use of its features and relay mail through it from an IIS SMTP server. Why relay through EOP rather than send directly? Because EOP applies its outbound spam and malware filtering to everything you relay, so what leaves your organisation is clean and your sending reputation stays intact.

You can also relay mail from Office 365 itself, but with a major limitation: you cannot send from any domain you like, only from domains that have been set up as ‘accepted domains’ in your Office 365 tenant. In other words, you need to prove ownership of the domains you wish to send on behalf of. In contrast, an EOP inbound connector scoped to * will accept and relay mail from any domain. But don't forget the SPF TXT record for each domain you send on behalf of: because the mail leaves from EOP's servers, not from your relay, the record needs to include Microsoft's published SPF (include:spf.protection.outlook.com), otherwise receiving systems will see the sending IP as unauthorised no matter how your relay is set up.
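The SPF point above is easy to get wrong because the receiving side never sees your relay's IP, only EOP's. The script below is an added example, not from the original post: it parses an SPF record, counts the DNS-querying mechanisms (RFC 7208 allows at most 10), and reports whether a given IPv4 address is covered by an ip4 mechanism and whether a required include (spf.protection.outlook.com for mail that leaves via EOP) is present. The sample record and address are constructed using the TEST-NET-3 range; Resolve-DnsName, available on Windows 8 / Server 2012 and later, is only used if you ask for a live record. ip6 mechanisms, redirect modifiers and macros are listed as unevaluated.

```powershell
# Added example, not from the original post: parse an SPF record and report
# whether a sending IP and a required include are authorised by it.
# Evaluates ip4, include, a, mx, ptr, exists and all; anything else is listed
# as unevaluated. Sample data below is constructed (TEST-NET-3), not real DNS.

function Get-SpfRecord {
    # Fetch the live record with Resolve-DnsName (Windows 8 / Server 2012 or later).
    param([Parameter(Mandatory = $true)][string]$Domain)
    Resolve-DnsName -Name $Domain -Type TXT -ErrorAction Stop |
        Where-Object { $_.Type -eq 'TXT' } |
        ForEach-Object { ($_.Strings -join '') } |
        Where-Object { $_ -match '^v=spf1(\s|$)' } |
        Select-Object -First 1
}

function ConvertTo-BitString([string]$IPv4) {
    # 32-character binary string so prefix comparison needs no integer tricks.
    $bytes = [System.Net.IPAddress]::Parse($IPv4).GetAddressBytes()
    return -join ($bytes | ForEach-Object { [Convert]::ToString([int]$_, 2).PadLeft(8, '0') })
}

function Test-IPv4InCidr([string]$IPv4, [string]$Cidr) {
    $network, $length = $Cidr.Split('/')
    $bits = if ($length) { [int]$length } else { 32 }
    if ($bits -le 0) { return $true }
    $a = (ConvertTo-BitString $IPv4).Substring(0, $bits)
    $b = (ConvertTo-BitString $network).Substring(0, $bits)
    return $a -eq $b
}

function Test-SpfAuthorises {
    param(
        [Parameter(Mandatory = $true)][string]$Record,
        [string]$SenderIp,
        [string]$RequiredInclude
    )
    $terms = @($Record.Trim() -split '\s+')
    if ($terms[0] -ne 'v=spf1') { throw "Not an SPF record: $Record" }

    $r = [ordered]@{
        IpAuthorised   = $false   # SenderIp matched a '+ip4:' mechanism
        IncludePresent = $false   # RequiredInclude appears as 'include:'
        DnsLookups     = 0        # RFC 7208 caps DNS-querying mechanisms at 10
        AllQualifier   = $null    # '-', '~', '?' or '+' on the trailing 'all'
        Unevaluated    = @()      # terms this parser does not evaluate
    }
    foreach ($term in ($terms | Select-Object -Skip 1)) {
        $qualifier = '+'
        $mech = $term
        if ($term -match '^[+\-~?]') { $qualifier = $term.Substring(0, 1); $mech = $term.Substring(1) }
        switch -Regex ($mech) {
            '^ip4:(.+)$' {
                if ($SenderIp -and $qualifier -eq '+' -and (Test-IPv4InCidr $SenderIp $Matches[1])) {
                    $r.IpAuthorised = $true
                }
                break
            }
            '^include:(.+)$' {
                $r.DnsLookups++
                if ($RequiredInclude -and $Matches[1] -eq $RequiredInclude) { $r.IncludePresent = $true }
                break
            }
            '^(a|mx|ptr|exists)(:|/|$)' { $r.DnsLookups++; break }
            '^all$' { $r.AllQualifier = $qualifier; break }
            default { $r.Unevaluated += $term }
        }
    }
    return [pscustomobject]$r
}

# Constructed example: a domain that sends directly from one /28 and also
# through Exchange Online Protection.
$sample = 'v=spf1 ip4:203.0.113.0/28 include:spf.protection.outlook.com -all'
Test-SpfAuthorises -Record $sample -SenderIp '203.0.113.10' -RequiredInclude 'spf.protection.outlook.com'

# Live check against DNS:
# Test-SpfAuthorises -Record (Get-SpfRecord 'contoso.com') -RequiredInclude 'spf.protection.outlook.com'
```

For the constructed record the result is IpAuthorised True, IncludePresent True, one DNS lookup and a '-' qualifier on all, which is the shape you want: the relay's own IP only needs an ip4 entry if it ever sends to the internet directly, and everything not listed hard-fails.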

There are several things you will need for an SMTP relay solution using EOP. The following are the steps I took that worked for us:

  1. Dedicate a Windows Server 2012 server virtual machine hosted with Windows Azure
  2. Have a tenant account with Office 365/Exchange Online (comes with EOP), or just buy the EOP service by itself
  3. Setup an inbound connector in EOP
  4. SSL certificate, you need this so you can have a secure TLS connection between your IIS SMTP server and EOP

The steps I took here were based on a recent webcast done by Frank Brown of Microsoft listed here. If you download and look at the PowerPoint presentation, I am focusing on the last solution, solution number 3 in the slides. However I have added some more detail based on my experience.

Dedicate a Windows Server 2012 server to use for SMTP relay

This server will be used as your IIS SMTP server, aka the SMTP relay server. For my example, I used a virtual machine hosted with Windows Azure.

On your Windows Azure hosted SMTP server, you will need to install IIS SMTP. Some of the steps below are taken from the Microsoft article How to set up an SMTP relay in Office 365.

Create the external hostname and firewall rule 

  • In your Windows Azure management portal, you need to allow for Port 25 inbound to your server. With Windows Azure, this is called an Endpoint.

    image

  • You'll need to get the external IP address of your hosted server and create a DNS record, both internally and externally, which points to it (external DNS only if you don't have an internal DNS infrastructure). The external IP address of your VM can be found in the Windows Azure portal on the virtual machine's dashboard. In this example I will use smtp.contoso.com, which will point to my allocated IP address.

    * Whatever you do, don't shut the virtual machine down from the console. If you do, the VM will be de-allocated and, once you power it back up, its public IP address will change, breaking the DNS record above and the IP-based inbound connector in EOP.

    * I had a problem with the external IP address I was allocated from Windows Azure for my IIS SMTP relay server, in that it was listed on some spam databases and as a result EOP wouldn't even let me relay off it. So beware. If this happens, not only will you need to have the IP address removed from the spam databases, but also from Microsoft's own list by sending an email to delist@messaging.microsoft.com

IIS installation

  • Start Server Manager and open the Add Roles and Features wizard (on Server 2008 R2 this is Features > Add Features).
  • On the Select Features page, select the SMTP Server check box. If you're prompted, click Add Required Role Services.

    Note: this step automatically installs all prerequisite roles and features, including IIS (if they're not already installed).

  • On the Select Features page, click Next. Then, on the Web Server (IIS) page, click Next.
  • On the Select Role Services page, make sure that the following role services check boxes are selected, and then click Next:
    • ODBC Logging under Health and Diagnostics
    • IIS Metabase Compatibility under IIS 6 Management Compatibility, under Management Tools
    • IIS 6 Management Console under IIS 6 Management Compatibility, under Management Tools
  • On the Confirm Installation Selections page, click Install.
  • After the SMTP Server installation is completed, click Finish (Close on Server 2012).
  • Open IIS 6.0 Manager, right click Default SMTP Virtual Server, and then click Properties.

    image

  • Click the Access tab, and then click Relay.
  • In the Select which computers may relay through this virtual server area, click Only the list below, and then enter the IP addresses of the on-premises LOB devices and application servers that will relay through the SMTP server.

    image

    Warning: enter only the IP addresses of the devices and servers that you trust. Relay permission lets mail from those sources go to any destination, as any sender domain (the EOP connector below accepts *), so for the listed hosts this server is effectively an open relay. Never add broad ranges, and never select All except the list below.

  • On the Access tab, click Connection, and enter the IP addresses of the devices and servers that should be able to connect to the SMTP server at all. This is similar to the relay list but one level above it: unauthorised hosts are refused at connection time before they can even attempt to relay. Port 25 on the Azure endpoint is reachable from the whole internet, so this list is what actually fences the server off.

    image

  • On the Access tab, click Authentication, make sure that the Anonymous access check box is selected, and then click OK.

    image

  • Click the Delivery tab, click Advanced, and then, under Smart host, enter the SMTP end-point for the tenant domain. This will be the same as your MX record. (i.e contoso-com.mail.protection.outlook.com).

    image

  • On the Delivery tab, click Outbound Connections.
  • In the TCP Port box, type 25, and then click OK.

    image

  • On the Delivery tab, click Outbound Security, then:
    • Click Anonymous Access (EOP identifies the relay by its source IP and its certificate, not by a username).
    • Select the TLS encryption check box, and then click OK.

image 

  • Right click Domains, and then click New > Domain

    image

  • Select Remote and click Next.

    image

  • Enter the name of the remote domain in which you want to send/relay to, click Finish.

    image

  • Right click on the domain you just created, then click Properties. On the General tab, enter the same smart host value as you did previously, then click OK.

    image

Setup an inbound connector in EOP

Logon to your online tenant account http://portal.microsoftonline.com. Under the Admin menu at the top, select Exchange and then click on the Mail Flow link on the left. Click on Connectors, and click Add.

image

In the New Inbound connector window, enter the following information:

Name: Choose a unique name for the Inbound connector.
Connector type: Choose On-premises
Connection security: Choose Force TLS, and specify the subject name of the certificate that you will install on your IIS SMTP relay server (CN=smtp.contoso.com in the certificate request below). EOP will then only accept mail on this connector over TLS from a server presenting that certificate.

image 

Under Domains, click the Add icon. In the Add domain window, enter * to apply the connector to all sending domains. Under IP addresses click the Add icon and, in the Add IP address window, add the external IP address of your IIS SMTP server. The IP and the certificate together are what identify your relay to EOP; with the domain set to *, anything the relay accepts will be sent on as whatever domain it claims, which is why the connection and relay lists on the IIS side matter.

image

SSL certificate

You need the certificate for the TLS session between the relay and EOP; the inbound connector above is configured to require it. The easiest way to get one is to create a file called RequestConfig.inf on the IIS SMTP server's C:\ drive.

Populate the file with the following, changing the CN to suit your own host name, then save and close it.

[NewRequest]
Subject="CN=smtp.contoso.com"
Exportable=TRUE
KeyLength=2048
KeySpec=1
KeyUsage=0xf0
MachineKeySet=TRUE
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1
OID=1.3.6.1.5.5.7.3.2

A few notes on these values: MachineKeySet=TRUE puts the private key in the local computer store, which is where the SMTP service looks for it; KeySpec=1 marks the key as a key-exchange key; KeyUsage=0xf0 sets digitalSignature, nonRepudiation, keyEncipherment and dataEncipherment; the two EKU OIDs are Server Authentication and Client Authentication, and the relay presents its certificate as the TLS client when it connects to EOP, so keep both. Exportable=TRUE lets anyone with administrative access on the box export the private key; set it to FALSE unless you genuinely need to move the key to another server. Public CAs now also require the host name in a Subject Alternative Name extension, so check whether your CA adds it from the CN or whether you need an [Extensions] section (OID 2.5.29.17) in the request.

Run the following command from an elevated command prompt:

certreq -new -f RequestConfig.inf BinaryRequest.req

This creates a certificate request for a single-name SSL certificate, which you submit to your favourite provider. We use Go Daddy.

Once the certificate has been approved and issued, install it with certreq -accept <issued certificate file>: -accept binds the issued certificate to the pending private key generated by the request, so it lands in the local computer Personal store with its private key attached. If you import it another way and it shows in the store without a private key, certutil -repairstore my <serial number> re-pairs it; the SMTP service cannot use a certificate that has no private key for TLS.
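A certificate that is in the store but has no private key attached, is expired, or lacks the right EKU will make the Force TLS connector fail in ways that are hard to see from the EOP side. The function below is an added example, not from the original post: it finds the certificates in the local computer Personal store whose CN or Subject Alternative Name matches the relay's host name and reports the properties that matter for the TLS session. The host name is a placeholder chosen to match the CN in RequestConfig.inf.

```powershell
# Added example, not from the original post: after certreq -accept, confirm the
# certificate in the machine store is usable for the relay's TLS session.
# The host name argument is a placeholder matching the CN in RequestConfig.inf.
function Test-SmtpRelayCertificate {
    param([Parameter(Mandatory = $true)][string]$HostName)

    $serverAuth = '1.3.6.1.5.5.7.3.1'   # the two EKU OIDs from RequestConfig.inf
    $clientAuth = '1.3.6.1.5.5.7.3.2'

    foreach ($cert in Get-ChildItem -Path Cert:\LocalMachine\My) {
        # Collect the names the certificate is valid for: the CN plus any
        # DNS entries in the Subject Alternative Name extension (2.5.29.17).
        $names = @()
        if ($cert.Subject -match '(^|,\s*)CN=([^,]+)') { $names += $Matches[2] }
        $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        if ($san) {
            $names += [regex]::Matches($san.Format($false), 'DNS Name=([^,\s]+)') |
                      ForEach-Object { $_.Groups[1].Value }
        }
        if ($names -notcontains $HostName) { continue }

        $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
        $ekuOids = @()
        if ($eku) { $ekuOids = $eku.EnhancedKeyUsages | ForEach-Object { $_.Value } }

        [pscustomobject]@{
            Thumbprint    = $cert.Thumbprint
            Subject       = $cert.Subject
            Issuer        = $cert.Issuer
            NotAfter      = $cert.NotAfter
            Expired       = ($cert.NotAfter -lt (Get-Date))
            HasPrivateKey = $cert.HasPrivateKey          # False: imported without certreq -accept
            KeyLength     = $cert.PublicKey.Key.KeySize  # expect 2048 from the request
            ServerAuthEku = ($ekuOids -contains $serverAuth)
            ClientAuthEku = ($ekuOids -contains $clientAuth)
            ChainValid    = $cert.Verify()               # chain to a trusted root, revocation included
        }
    }
}

Test-SmtpRelayCertificate -HostName 'smtp.contoso.com' | Format-List
```

Every property should read True (or a future date) for exactly one certificate; if two match, remove the stale one from the store so the SMTP service does not pick the wrong one.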

June 18, 2013

Fully automate the removal of any Office version in preparation for Office 365

Filed under: Computers and Internet,Uncategorized — marckean @ 12:44 pm

Companies moving to Office 365 will come across a hurdle. Historically, Office installations have been different, in that they install fully inside Windows. With Office 365, it's more like a stream than an install. As a result, when Office 365 is streamed to the computer, previous versions of Office are left installed, so you would effectively have two Office installations, which is confusing for the user and very messy.

How has Office changed with Office 365?

Not too long ago Steve Ballmer the CEO announced that Microsoft would now be known as a devices and services company, here’s a link in case you didn’t see it http://news.cnet.com/8301-10805_3-57529238-75/microsoft-is-now-your-devices-and-services-company/

In saying this, the new product is called ‘Office 365’.  This includes all Office components including Lync.

clip_image002

You can't even install Lync or any other individual Office 365 component by itself. See below: when I try to install Lync from the Microsoft Online Portal by itself, it clearly states that "Lync 2013 is included in the latest version of Office".

clip_image004

So to simplify things, it's all one single product called Office 365. As for what it is? Well, essentially at the moment, it's Office 2013 (but it's not called Office 2013).

As an option, I don't have to install Office 365; I can still install Office 2013 only. Read my ‘about’ screenshot below carefully.

clip_image006

In comparison, the ‘about’ screenshot on an Office 365 installation is slightly different; nowhere does it say Office 2013.

clip_image008

Office 365 streams and updates in the background automatically, meaning that updates, including new versions, roll out to people without any action on their part. As I mentioned before, Microsoft is now a devices and services company (read between the lines); my tip is that Office 365 is here to stay and is simply a brand name. Currently it delivers the latest Office 2013 software, but that can change in the future, all automatically, because Office 365 is streamed rather than installed. In contrast, the MSI-based Office 2013 is installed conventionally and only receives updates through the usual patch channels rather than being upgraded in place.

Below: Office 365 can only be installed on 5 computers per user, and the Microsoft Online Portal keeps track of where it's installed.

clip_image010

More information here http://community.office365.com/en-us/blogs/office_365_technical_blog/archive/2013/03/06/office-365-proplus-administrator-series-client-deployment-options.aspx?ss=1283c51b-924e-4dff-bfaf-8a8533a24fb2

Solution to automatically uninstall any version of Office

This solution worked for us to automate the removal of Office 2003, Office 2007 and Office 2010. It removes any of those versions, whether 32-bit or 64-bit, and works for all users whether or not they have admin access to their machines. It has been fully tested on Windows 7 and should work with no issues on other Windows versions.

Admin Experience:

For the administrator/project manager, when it comes time for a user to move to Office 365, you send the user an email with a text file attachment called O551c3_0ut.txt. Ask the user to save the text file to their desktop, then close and save all their work and lock their computer before going to lunch. By this stage there is already a Scheduled Task in place which is triggered by the locking of the computer. When the computer is locked, a batch file runs and checks for the existence of O551c3_0ut.txt anywhere under their user profile. If the file exists, the uninstall process begins.

User Experience:

Quite simply, for the user, prior to the installation of Office 365, they save the O551c3_0ut.txt email attachment to their desktop and then lock their computer. So, before going to lunch, when the computer is locked, the lock kicks off the batch file, which checks for O551c3_0ut.txt anywhere in the user profile (which includes the Desktop). The batch file then calls the relevant VB script to uninstall Office silently in the background and reboots on completion.

image

Service account

You will need to create a service account to be used for the automated uninstall process. The account I used was a member of the Domain Admins group in Active Directory so that the account would have local admin access on all domain member machines by default. I called this account svc.admin_install

Group Policy

Create a user based group policy and map it to the OU which contains your users. Create a scheduled task, I called this Remove Office. Change the account that is used for the running of the task to the account you setup before and enter in the password when it prompts.

image

Change the trigger to "On workstation lock"

image

For the action, add in %windir%\Office_out.bat

image
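Both the Remove Office task here and the Install Office task in the other post are Group Policy Preference Scheduled Task items that run as svc.admin_install with a stored password. GPP writes that password into ScheduledTasks.xml under the GPO's folder in SYSVOL as a cpassword attribute; SYSVOL is readable by every authenticated user, and the AES key that protects cpassword is published by Microsoft, so any domain user can recover the service account's password (Microsoft removed the option to store passwords in these items in May 2014 with MS14-025, but items created before then, and their XML, stay in place until you remove them). The script below is an added example, not part of the original post: it walks SYSVOL and lists every preference item that still carries a cpassword, which is the list to clean up. The domain is taken from the environment; set $SysvolPolicies explicitly if you run it from a non-domain machine.

```powershell
# Added example, not from the original post: list Group Policy Preference
# items in SYSVOL that carry a stored credential (cpassword attribute).
# The default path is derived from the logon domain; override it if needed.
param(
    [string]$SysvolPolicies = "\\$env:USERDNSDOMAIN\SYSVOL\$env:USERDNSDOMAIN\Policies"
)

$findings = foreach ($file in Get-ChildItem -Path $SysvolPolicies -Recurse -Filter '*.xml' -ErrorAction SilentlyContinue) {
    # Skip anything that is not well-formed XML (GPP files always are).
    try { [xml]$doc = Get-Content -LiteralPath $file.FullName -Raw } catch { continue }

    # Any element carrying cpassword, whatever preference type it belongs to
    # (ScheduledTasks, Groups, Services, DataSources, Drives, Printers).
    foreach ($node in $doc.SelectNodes('//*[@cpassword]')) {
        # The GPO GUID is the folder directly under Policies.
        $gpoGuid = (($file.FullName -split '\\Policies\\')[1] -split '\\' | Select-Object -First 1)
        [pscustomobject]@{
            GpoGuid      = $gpoGuid
            File         = $file.FullName
            Item         = $node.ParentNode.Name          # e.g. Task, TaskV2, User, Service
            RunAs        = $node.GetAttribute('runAs')    # scheduled tasks
            UserName     = $node.GetAttribute('userName') # local users / services
            HasCpassword = -not [string]::IsNullOrEmpty($node.GetAttribute('cpassword'))
        }
    }
}

if (-not $findings) {
    "No cpassword attributes found under $SysvolPolicies"
} else {
    Write-Warning 'Stored credentials found in Group Policy Preferences; treat these accounts as compromised.'
    $findings | Format-Table -AutoSize
}
```

Resolve each GpoGuid to a name with Get-GPO -Guid (GroupPolicy module) and, for every hit, delete the item and change the account's password, since the old one has been readable by the whole domain for as long as the file has existed.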

Distribute the files to the computers

There are four files that need to be distributed to the computers. Using the same group policy object, configure Files under Group Policy preferences.

image

image

Enter the source path: create a share somewhere on your network to hold the four files. As with the install share, allow everyone read but restrict write to administrators, since these files are copied to %windir% and run as the service account.

For the destination enter the following:

  • %windir%\Office_out.bat
  • %windir%\OffScrub03.vbs
  • %windir%\OffScrub07.vbs
  • %windir%\OffScrub10.vbs

Files are available here http://sdrv.ms/17hSpmV

The batch file

@echo off
rem Search every profile under %SystemDrive%\users for the flag files.
cd /d %SystemDrive%\users

rem O551c3_0ut.txt is the user's go-ahead; without it, do nothing.
dir /s /b O551c3_0ut.txt >nul 2>&1
if errorlevel 1 goto end

rem O551c3_1n.txt means the uninstall has already run on this machine.
dir /s /b O551c3_1n.txt >nul 2>&1
if not errorlevel 1 goto end

rem Remove Microsoft Office 2003 suites
cscript %windir%\offscrub03.vbs ALL /Quiet /NoCancel

rem Remove Microsoft Office 2007 suites
cscript %windir%\offscrub07.vbs ALL /Quiet /NoCancel

rem Remove Microsoft Office 2010 suites
cscript %windir%\offscrub10.vbs ALL /Quiet /NoCancel

echo Legacy Office Uninstall Finished > %SystemDrive%\users\O551c3_1n.txt

shutdown /r /f

:end
exit

How do you know it’s running?

Open Task Manager and sort by username under Processes. You will see the processes running under the user account svc.admin_install. It will take the normal time to uninstall Office, and will reboot upon completion.

image

Flag Files

O551c3_0ut.txt – indicates that the script should actually run and start the uninstall process. The script looks for it anywhere under %SystemDrive%\users.
O551c3_1n.txt – indicates that all legacy versions of Office have been removed; it is created on completion of the uninstall script in %SystemDrive%\users.

Where did the scripts come from?

The scripts came from Microsoft: http://support.microsoft.com/kb/290301. They are the OffScrub scripts that Microsoft's own Fix it utilities use to completely uninstall Office 2003, Office 2007 and Office 2010, so they can be trusted; take the copies you deploy from the Microsoft download rather than from a mirror.

Automate the installation of Office 365

Now that you have completed removing all Office versions from the computers, you will need to install Office 365 automatically and silently using Group Policy and source files from a local repository. My other blog post discusses a solution that worked for us, to install Office 365 in a corporate environment and fits nicely to the end of this uninstall process.

June 17, 2013

Add Send As permission to all users in Office 365

Filed under: Computers and Internet,Uncategorized — marckean @ 12:27 pm

The following shows how to grant SendAs permission to all recipients in Office 365 Exchange Online, for two recipient types, mail users and user mailboxes, in the situation where you have directory synchronization turned on and an Exchange hybrid setup.

First things first, connect to Office 365 with the MSOnline module (only needed if you also want the Msol cmdlets; the Exchange session below reuses the same credential object):

Import-Module MSOnline
$LiveCred = Get-Credential
Connect-MsolService -Credential $LiveCred

Run the following two commands to connect Windows PowerShell to the Office 365 Exchange service:

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

If Import-PSSession fails with an execution policy error, run Set-ExecutionPolicy RemoteSigned from an elevated prompt; that is enough for the imported module to load and is preferable to Unrestricted.

To grant SendAs permission to a user or mail-enabled security group, e.g. smtp.user, run the following command. It grants smtp.user SendAs over every mail user and user mailbox in the tenant, so that account's credentials become able to send as anyone; protect them accordingly. -ResultSize Unlimited is needed because Get-Recipient returns at most 1000 objects by default.

Get-Recipient -ResultSize Unlimited | Where-Object {($_.RecipientType -eq "MailUser") -or ($_.RecipientType -eq "UserMailbox")} | Add-RecipientPermission -AccessRights SendAs -Trustee "smtp.user"
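The one-liner above applies the grant in one shot and prompts for confirmation on each recipient. The script below is an added example, not code from the original post: it selects the same two recipient types with -ResultSize Unlimited, previews the change with -WhatIf unless -Apply is given, and then lists the grants the trustee holds so they can be reviewed, or removed when the account is retired. It assumes the Exchange Online session from the steps above is already imported; the trustee name is a placeholder.

```powershell
# Added example, not from the original post: scoped, previewable SendAs grant
# with an audit of the result. Assumes an imported Exchange Online session.
param(
    [string]$Trustee = 'smtp.user',   # placeholder; user or mail-enabled security group
    [switch]$Apply
)

# -ResultSize Unlimited: without it Exchange cmdlets return at most 1000
# objects, so a large tenant would be silently half-processed.
$targets = Get-Recipient -ResultSize Unlimited -RecipientType MailUser, UserMailbox

"{0} recipients selected for SendAs grant to {1}" -f @($targets).Count, $Trustee

if ($Apply) {
    # -Confirm:$false suppresses the per-recipient confirmation prompt.
    $targets | Add-RecipientPermission -AccessRights SendAs -Trustee $Trustee -Confirm:$false | Out-Null
} else {
    # Dry run: shows each grant that would be made without touching the tenant.
    $targets | Add-RecipientPermission -AccessRights SendAs -Trustee $Trustee -WhatIf
}

# Audit: every SendAs grant the trustee now holds. This is also the list to
# feed to Remove-RecipientPermission when the relay account is decommissioned.
Get-RecipientPermission -Trustee $Trustee -ResultSize Unlimited |
    Where-Object { $_.AccessRights -contains 'SendAs' } |
    Select-Object Identity, Trustee, AccessControlType, AccessRights
```

Keep the audit output with the change record: a trustee that can send as every mailbox is exactly what an attacker who obtains the relay account's password gets, so the grant should be reviewed whenever that account's purpose changes.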

June 11, 2013

Office 365 email archiving activation error

Filed under: Computers and Internet,Uncategorized — marckean @ 1:59 pm

We have an Exchange 2010 SP3 Hybrid setup with Office 365 and have directory synchronization turned on. We tried to enable email archiving for a migrated user in the cloud using the Exchange Control Panel.

image

However, we received the following error:

image

The following error occurred during validation in agent ‘Windows LiveId Agent': ‘Unable to perform the save operation. ‘User_fecbfd8514′ is not within a valid server write scope.’
Click here for help…

Archiving for a synchronised user has to be enabled from the on-premise side, as shown in the screenshot below: with directory synchronization turned on, the on-premise directory is authoritative for the user object, which is why the cloud-side save fails with the write scope error above.

clip_image002

Once you have enabled the Hosted Archive, you’ll need to sync the changes. From the on-premise directory synchronization server, run a directory sync.

  1. Open “C:\Program Files\Microsoft Online Directory Sync\DirSyncConfigShell.psc1”

    image

  2. Then run Start-OnlineCoexistenceSync

You will see from the results of the directory sync, the msExchArchiveStatus attribute has been modified.

image

May 27, 2013

Export Active Directory (AD) user accounts with specific email address and import as contacts to Office 365

Filed under: Computers and Internet,Uncategorized — marckean @ 6:03 pm

I have two Office 365 tenant accounts and one on-premise Exchange organization. Currently two companies share the same on-premise Exchange organization. As part of moving mailboxes to the cloud, we are separating the companies by moving each to its own Office 365 tenant. This brings numerous problems and changes in functionality, one major limitation being a split GAL. PowerShell can assist us.

  • I need to get a list of all possible properties for the Get-Mailbox cmdlet.

    Get-Mailbox -identity user@domain.com.au | fl

    This will display all the possible fields that we can use to do a custom search.

  • I want to use the PrimarySmtpAddress field and do a custom search for email addresses like *@domain.com

    Get-Mailbox | Where-Object {$_.PrimarySmtpAddress -like "*@domain.com"}

    See Using the Where-Object Cmdlet for more information on the Where-Object Cmdlet.

    This command above will display all users with a PrimarySmtpAddress with @domain.com. However this isn’t enough information, I need contact information, e.g. address and phone numbers. The Get-Mailbox cmdlet is the wrong command to use in this instance.

  • I will need to export the information from the actual user account itself, so I can include the mobile and telephoneNumber properties along with other properties.

    Run the following in company A's on-premise Active Directory, on a domain controller with the Active Directory PowerShell module.

    Import-Module activedirectory

    Get-ADUser -Identity <alias> -Properties *

    This will display all possible properties for my user account so we know what we need to use. However, I only want users with a @domain.com EmailAddress. I also want specific properties exported to a CSV file.

  • I will need to run the following command to export a list of users from Active Directory with an email address that ends with @domain.com

    Get-ADUser -Filter 'EmailAddress -like "*@domain.com"' -Properties * | Select-Object -Property Name,DisplayName,Title,EmailAddress,GivenName,sn,Initials,StreetAddress,Office,City,State,PostalCode,Country,OfficePhone,Company,HomePhone,mobile,Department | Sort-Object -Property Name | Export-Csv .\UserPropertiesCSV.csv

    We are using three cmdlets in this post: Get-ADUser, New-MailContact and Set-Contact. The table below shows how the properties of each cmdlet correspond (a blank cell means that cmdlet does not take the property).

Get-ADUser      New-MailContact        Set-Contact
--------------  ---------------------  -----------------
City                                   City
Company                                Company
Country                                CountryOrRegion
Department                             Department
DisplayName     DisplayName
EmailAddress    ExternalEmailAddress
GivenName       FirstName
HomePhone                              HomePhone
Initials                               Initials
Mobile                                 MobilePhone
Name            Name                   Name
Office                                 Office
OfficePhone                            Phone
PostalCode                             PostalCode
sn              LastName
State                                  StateOrProvince
StreetAddress                          StreetAddress
Title                                  Title

  1. Using company B's tenant account, connect to remote PowerShell on a separate server from the one where you extracted company A's user data.

    Import-Module MSOnline
    $LiveCred = Get-Credential
    Connect-MsolService -Credential $LiveCred

    $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

    Import-PSSession $Session

    (If Import-PSSession fails with an execution policy error, run Set-ExecutionPolicy RemoteSigned from an elevated prompt; Unrestricted is not needed.)

  2. Import contacts using the company A information from the CSV file with the New-MailContact cmdlet:

    Import-Csv .\UserPropertiesCSV.csv | ForEach-Object {New-MailContact -Name $_.Name -DisplayName $_.DisplayName -ExternalEmailAddress $_.EmailAddress -FirstName $_.GivenName -LastName $_.sn}

    Then set the extended properties for each contact in the CSV using the Set-Contact cmdlet:

    $Contacts = Import-Csv .\UserPropertiesCSV.csv

    $Contacts | ForEach-Object {Set-Contact $_.Name -StreetAddress $_.StreetAddress -City $_.City -StateOrProvince $_.State -PostalCode $_.PostalCode -CountryOrRegion $_.Country -Phone $_.OfficePhone -MobilePhone $_.Mobile -HomePhone $_.HomePhone -Company $_.Company -Title $_.Title -Department $_.Department -Initials $_.Initials -Office $_.Office}
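The two commands above assume every row is valid and that the import runs exactly once. The script below is an added example, not from the original post, and goes a little beyond the text: it skips rows whose address is outside the expected domain, creates a contact only if one with that Name does not already exist (so it can be re-run after a partial import), and passes only the populated columns to Set-Contact so an empty cell never wipes a property that was set earlier. It assumes an open Exchange Online session; the CSV name and the domain are placeholders.

```powershell
# Added example, not from the original post: idempotent contact import that
# validates the address domain and splats only populated properties.
# Assumes an imported Exchange Online session; path and domain are placeholders.
param(
    [string]$CsvPath = '.\UserPropertiesCSV.csv',
    [string]$AllowedDomain = 'domain.com',
    [switch]$Apply
)

# CSV column (Get-ADUser property) -> Set-Contact parameter, as in the table above.
$propertyMap = @{
    StreetAddress = 'StreetAddress'; City = 'City';         State = 'StateOrProvince'
    PostalCode    = 'PostalCode';    Country = 'CountryOrRegion'; OfficePhone = 'Phone'
    mobile        = 'MobilePhone';   HomePhone = 'HomePhone'; Company = 'Company'
    Title         = 'Title';         Department = 'Department'; Initials = 'Initials'
    Office        = 'Office'
}
$addressPattern = '^[^@\s]+@' + [regex]::Escape($AllowedDomain) + '$'

foreach ($row in (Import-Csv -LiteralPath $CsvPath)) {
    $address = $row.EmailAddress
    if ($address -notmatch $addressPattern) {
        Write-Warning "Skipping '$($row.Name)': address '$address' is not in $AllowedDomain"
        continue
    }

    # New-MailContact fails on a duplicate Name; look the contact up first so
    # the script can be re-run after a partial import.
    $existing = Get-MailContact -Identity $row.Name -ErrorAction SilentlyContinue
    if (-not $existing) {
        $new = @{
            Name                 = $row.Name
            DisplayName          = $row.DisplayName
            ExternalEmailAddress = $address
            FirstName            = $row.GivenName
            LastName             = $row.sn
        }
        if ($Apply) { New-MailContact @new | Out-Null } else { "Would create '$($row.Name)' <$address>" }
    }

    # Splat only the populated columns: an empty value passed to Set-Contact
    # would clear a property that a previous run had set.
    $set = @{}
    foreach ($column in $propertyMap.Keys) {
        $value = $row.$column
        if (-not [string]::IsNullOrWhiteSpace($value)) { $set[$propertyMap[$column]] = $value }
    }
    if ($set.Count -eq 0) { continue }
    if ($Apply) { Set-Contact -Identity $row.Name @set }
    else { "Would set on '$($row.Name)': $($set.Keys -join ', ')" }
}
```

Run it without -Apply first and read the "Would create" and "Would set" lines; then run with -Apply. If Set-Contact reports that a just-created contact cannot be found, directory replication has not caught up yet: run the script a second time and only the missing properties are applied.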

The Rubric Theme. Blog at WordPress.com.