Certificates for Exchange

I needed to stand up a lab environment to test an Exchange 2010 hybrid. For this I needed certificates, but I didn't really want to purchase a SAN cert for what was going to be a short period of testing.

This came to my rescue:

https://github.com/Lone-Coder/letsencrypt-win-simple/wiki/Create-a-SAN-certificate-for-Microsoft-Exchange-2016,-2013-&-2010

One caveat: Let's Encrypt certificates are only valid for 90 days, so if the lab is going to outlive the first certificate the renewal (and the re-binding of the new certificate to the Exchange services) needs to be scheduled rather than done by hand.

Exchange 2010 – Office 365 Hybrid

Creating an Exchange 2010 to Office 365 hybrid;

Log in to your Office 365 tenancy – Admin – Exchange Admin – Hybrid – Configure

This downloads the Hybrid Configuration Wizard (HCW). Do the above using IE; when I first tried it in Chrome I got an error when executing the exe after the download.

In the first part the wizard detects the optimal Exchange server to use for the hybrid connection. In my case I only have a single Exchange 2010 server.


Enter your on-premises account info to connect to Exchange (you can see I left the tickbox selected to use the credentials I was signed in with), and enter the global admin details for your 365 tenancy.


The wizard collects some info and connects to Exchange on-premises and Exchange Online via PowerShell, then click Next.


I've chosen 'Full Hybrid Configuration' as I need full free/busy, sharing and mail flow.


 

Click 'Enable' to create the federation trust.


You will need to create a TXT record in your DNS zone to prove domain ownership.


After proving domain ownership you are asked for information on the mail flow in the hybrid configuration. The default is good for my needs.


You are then asked to select the hub transport server for the transport configuration. This is the server that will host the send connectors for mail transport to Exchange Online.


You are then asked for the public IP of your hub transport servers. In my case this is a NAT to the internal Ex2010 server.


You then need to choose your transport certificate. This needs to be a certificate issued by a public CA (the wizard will not accept a self-signed one), because Exchange Online validates it when it establishes TLS to your hub transport server.


You then need to enter the FQDN of your on-premises Exchange org, i.e. the public name that resolves to the NAT'd hub transport server above. This tells Office 365 where to send email bound for on-premises users (before those users have been migrated); it becomes the smart host of an outbound connector in Exchange Online.


 

On the next page you simply click Update; in the background a number of PowerShell commands are run which do all the configuration work.
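Because the wizard hides what it ran, it is worth checking the result from the on-premises Exchange Management Shell afterwards. The following is an added example, not part of the original post or of the HCW itself; it matches connectors on their address space rather than on the names the wizard happens to use, and the test user at the end is an assumption.

```powershell
# Added example (not from the original post): verify what the HCW left behind on the
# on-premises Exchange 2010 server. Run from the Exchange Management Shell as an org admin.

# 1. The hybrid configuration object the wizard created (domains, transport servers, features)
Get-HybridConfiguration | Format-List

# 2. The federation trust and the organisation identifier it was bound to
Get-FederationTrust | Format-List Name, ApplicationUri, TokenIssuerUri
Get-FederatedOrganizationIdentifier | Format-List AccountNamespace, Domains, Enabled

# 3. The send connector routing to Exchange Online must require TLS with domain validation.
#    A connector to an outlook.com / onmicrosoft.com address space without RequireTLS is a
#    misconfiguration: mail would fall back to opportunistic TLS or clear text.
Get-SendConnector |
    Where-Object { $_.AddressSpaces -match 'onmicrosoft\.com|mail\.protection\.outlook\.com' } |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, Enabled

# 4. The transport certificate: bound to SMTP, issued by a public CA, not self-signed, not near expiry
Get-ExchangeCertificate |
    Where-Object { $_.Services -match 'SMTP' } |
    ForEach-Object {
        [pscustomobject]@{
            Thumbprint = $_.Thumbprint
            Subject    = $_.Subject
            Issuer     = $_.Issuer
            SelfSigned = $_.IsSelfSigned
            DaysLeft   = [int]($_.NotAfter - (Get-Date)).TotalDays
            Services   = $_.Services
        }
    } | Format-Table -AutoSize

# 5. Prove the federation trust works for a real on-premises mailbox (assumed user)
Test-FederationTrust -UserIdentity 'user@parentdomname.com' -Verbose
```

If step 3 shows RequireTLS as False, or step 4 shows a self-signed certificate on SMTP, stop and fix that before moving any mailboxes; everything else in the hybrid depends on that TLS session being authenticated.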

 

Using Terraform for Azure deployments

Terraform – “Terraform enables you to safely and predictably create, change, and improve production infrastructure”

https://www.terraform.io/

Using Terraform I was able to deploy a virtual machine, virtual networks, a SQL Server instance and a SQL database to Azure. It looks like a very useful tool, not only for creating infrastructure as code in Azure but also for adding, updating and removing pieces of that infrastructure afterwards (or destroying it entirely).

I only deployed a single VM with a single NIC, but it seems simple enough to scale that number up, so with just a few lines of Terraform config we could deploy hundreds of virtual machines.

What Terraform does not do is configure the operating system inside those servers, so you would end up with a hundred vanilla Windows or Linux servers. Another tool is needed to apply configuration to them, something like Puppet, Chef or PowerShell DSC. These would be used to install software such as anti-virus, monitoring agents, Octopus tentacles and so on.

More on Terraform https://blogs.msdn.microsoft.com/eugene/2016/11/03/creating-azure-resources-with-terraform/

 

Free/Busy Exchange Online Hybrid

We have a hybrid Exchange setup with Exchange Online. On-premises is Exchange 2016.

Users who had been migrated to Exchange Online could only see the availability (plain free/busy, with no detail) of other users and resources that were still on-premises. A check of the organization relationship showed the following:

Run the below PowerShell on your on-premises servers and look for the FreeBusyAccessLevel setting:

Get-OrganizationRelationship | fl

FreeBusyAccessLevel   : AvailabilityOnly

 

This was why migrated users could only see the availability of on-premises users and not any more detail. To change it, use

Set-OrganizationRelationship -Identity "<name of the relationship from Get-OrganizationRelationship>" -FreeBusyAccessLevel LimitedDetails

Two things to bear in mind before raising this. LimitedDetails shares meeting subjects and locations with the other organisation, so make sure that is acceptable for every on-premises mailbox, not just the ones you are testing with. And the direction matters: the relationship on the on-premises side controls what Exchange Online users can see of on-premises mailboxes; what on-premises users can see of migrated mailboxes is set by the relationship on the Exchange Online side.
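The following is an added example (not the post's own command) that audits every organization relationship rather than assuming there is only one, raises the level only where it differs, and then verifies the result end to end. The mailbox names are assumptions.

```powershell
# Added example (not from the original post): audit and correct FreeBusyAccessLevel on
# every organization relationship, then prove the change. Run in the on-premises
# Exchange Management Shell. Valid levels are None, AvailabilityOnly, LimitedDetails.

$target = 'LimitedDetails'

Get-OrganizationRelationship | ForEach-Object {
    $rel = $_
    if (-not $rel.FreeBusyAccessEnabled) {
        # The level is irrelevant while access is switched off entirely
        Write-Warning "$($rel.Name): FreeBusyAccessEnabled is False; set that first"
    }
    if ($rel.FreeBusyAccessLevel -ne $target) {
        Write-Host "$($rel.Name): $($rel.FreeBusyAccessLevel) -> $target (domains: $($rel.DomainNames -join ', '))"
        Set-OrganizationRelationship -Identity $rel.Identity -FreeBusyAccessLevel $target
    } else {
        Write-Host "$($rel.Name): already $target"
    }
}

# The relationship is a ceiling, not a grant. A mailbox whose Default calendar permission
# is still AvailabilityOnly shows no detail to anyone, whatever the relationship says.
# (assumed on-premises mailbox)
Get-MailboxFolderPermission -Identity 'onpremuser:\Calendar' -User Default |
    Select-Object Identity, User, AccessRights

# End-to-end check against the remote organisation for one local mailbox
$rel = Get-OrganizationRelationship | Select-Object -First 1
Test-OrganizationRelationship -Identity $rel.Identity -UserIdentity 'onpremuser@example.com' -Verbose
```

Test-OrganizationRelationship exercises the federation token exchange and the Autodiscover lookup the remote side performs, so a failure here points at the trust or at DNS rather than at the access level.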

 

 

Single Active Directory account not syncing to Azure AD

A single user in AD was not being synced to Azure AD via AAD Connect. All other users were syncing just fine. Looking at the account, the attribute msExchRecipientTypeDetails was set to 2, which indicates a linked mailbox.

We used to use linked mailboxes but stopped doing so quite some time ago. Evidently this account got missed when we migrated all users into a single forest.

To fix:

Set-User -Identity "useralias" -LinkedMasterAccount $null

Clearing LinkedMasterAccount converts the linked mailbox back into a normal user mailbox. It is also worth doing for its own sake: the master account SID stored on a linked mailbox is a standing full-access grant to whatever account that SID resolves to, and once the account forest is gone it is just a dangling access entry.
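Rather than finding these one failed sync at a time, the following added example (not from the original post) enumerates every remaining linked mailbox from both the AD and Exchange side, reviews them, and unlinks them with a dry run first. It needs the ActiveDirectory module and the Exchange Management Shell; the value 2 for msExchRecipientTypeDetails is the documented LinkedMailbox value.

```powershell
# Added example (not from the original post): find and unlink every remaining linked mailbox.
# Requires the ActiveDirectory module (RSAT) and the Exchange Management Shell.

# AD's view: msExchRecipientTypeDetails = 2 means LinkedMailbox
$linked = Get-ADUser -LDAPFilter '(msExchRecipientTypeDetails=2)' `
    -Properties msExchRecipientTypeDetails, msExchMasterAccountSid, Enabled |
    Select-Object SamAccountName, UserPrincipalName, Enabled, msExchMasterAccountSid, DistinguishedName

$linked | Format-Table -AutoSize

# Exchange's view; the two lists should agree, a mismatch means a stale attribute
Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails LinkedMailbox |
    Select-Object Alias, LinkedMasterAccount

# Linked mailboxes normally sit on a disabled AD account with the real user in another forest.
# Anything still disabled here needs enabling (and a password) after it is unlinked,
# or the user cannot sign in and AAD Connect will sync a disabled account.
$linked | Where-Object { -not $_.Enabled } |
    ForEach-Object { Write-Warning "$($_.SamAccountName) is disabled; enable it after unlinking" }

# Dry run first, then remove -WhatIf to apply
foreach ($u in $linked) {
    Set-User -Identity $u.SamAccountName -LinkedMasterAccount $null -WhatIf
}

# Once applied, the filter should return nothing
Get-ADUser -LDAPFilter '(msExchRecipientTypeDetails=2)' | Measure-Object | Select-Object -ExpandProperty Count
```

Run the AD query before and after the change; a non-zero count afterwards means an account was skipped or Exchange has not yet written the updated attribute back.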

 

SPN not found AAD Connect ADFS

During an install of AAD Connect I received an error saying that there wasn't an SPN set on the AD FS service account. Upon checking the user account I could see it did have an SPN set of host/sts.example.com.

Clicking Retry on the AD FS install wizard got things going again and the install proceeded without any further problems.
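Retry worked here, but when a wizard reports a missing SPN the two things worth confirming are that the host/ SPN for the federation service name is on the service account (and not on some other account) and that it is not registered twice anywhere in the forest. The following is an added example, not part of the original post; the service account name and federation service name are assumptions.

```powershell
# Added example (not from the original post): SPN checks for an AD FS service account.
# Requires the ActiveDirectory module. Names below are assumptions.
$svc    = 'svc-adfs'           # AD FS service account (sAMAccountName)
$fsName = 'sts.example.com'    # federation service name
$spn    = "host/$fsName"

# 1. What SPNs are actually on the account
Get-ADUser -Identity $svc -Properties servicePrincipalName |
    Select-Object -ExpandProperty servicePrincipalName

# 2. Which object, if any, holds the SPN the wizard is looking for.
#    If a different account holds it, Kerberos to the farm fails with KRB_AP_ERR_MODIFIED
#    because the ticket is encrypted to the wrong key.
$owner = Get-ADObject -LDAPFilter "(servicePrincipalName=$spn)" -Properties sAMAccountName
if (-not $owner) {
    Write-Warning "$spn is not registered on any object"
} elseif ($owner.sAMAccountName -ne $svc) {
    Write-Warning "$spn is registered on $($owner.DistinguishedName), not on $svc"
} else {
    Write-Host "$spn is on $svc as expected"
}

# 3. Forest-wide duplicate check; any SPN registered twice breaks Kerberos for that service
setspn -X -F

# 4. Register it if step 2 found nothing (run as a domain admin; -S refuses to create a duplicate)
# setspn -S $spn $svc
```

Use setspn -S rather than -A when registering, since -S checks for an existing registration first and a duplicate SPN is much harder to diagnose than a missing one.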

Domain Controller promotion stops responding

Whilst promoting a Windows 2012 R2 server to a domain controller, it got as far as 'Replicating the schema directory partition' and then nothing else happened.

This server has NetBIOS over TCP/IP disabled, which was causing the above problem: without NetBIOS the short domain name in the credentials cannot be resolved. The quick answer is to use the long form of the username when entering the credentials for the domain controller promotion, i.e. domainname.com\administrator and not domain\administrator.

 

More info here https://support.microsoft.com/en-us/kb/2948052

New Child Domain – Server Core and PowerShell

All of my domain controllers are now Server Core unless someone can give me a very good reason to install Windows with a GUI; so far no one has.

This means that when deploying a new child domain we can use some PowerShell goodness to create it.

Pre-reqs:

Windows 2012R2 Server Core installed

IP address set on the box, with the preferred DNS server set to the IP address of a domain controller in the parent domain

Install-Windowsfeature AD-Domain-Services

Install-ADDSDomain -DomainType ChildDomain -NewDomainName 'childdomname' -ParentDomainName 'parentdomname.com' -InstallDns -CreateDnsDelegation -NewDomainNetBiosName 'childdomname' -DomainMode Win2012R2 -Credential (Get-Credential)

 

You will be prompted for the admin credentials of the parent domain and then for the safe mode (DSRM) administrator password that you want to set on this DC. Pick a DSRM password that is not the domain admin password: it is a local, offline credential for the DC and anyone who has it can take the directory database.
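The whole build as one script for a Server Core box, with a prerequisite check run before anything is changed, as an added example that is not part of the original post. The interface alias, addresses, domain names and NetBIOS name are assumptions to be replaced.

```powershell
# Added example (not from the original post): child domain build on Server Core.
# All names and addresses are assumptions.
$ifAlias  = 'Ethernet'
$ip       = '10.20.0.10'
$prefix   = 24
$gateway  = '10.20.0.1'
$parentDc = '10.10.0.10'          # a DC in the parent domain, used for name resolution during promotion
$parent   = 'parentdomname.com'
$child    = 'childdomname'

# 1. Static addressing; the preferred DNS server must be a DC in the parent domain
New-NetIPAddress -InterfaceAlias $ifAlias -IPAddress $ip -PrefixLength $prefix -DefaultGateway $gateway
Set-DnsClientServerAddress -InterfaceAlias $ifAlias -ServerAddresses $parentDc

# 2. The role, plus the ADDSDeployment and AD PowerShell modules
Install-WindowsFeature AD-Domain-Services -IncludeManagementTools

# 3. Credentials. Use the FQDN or UPN form for the parent admin; with NetBIOS disabled the
#    short DOMAIN\user form fails during replication. DSRM password is a separate secret.
$parentCred = Get-Credential -Message "Admin in $parent (use $parent\user or user@$parent)"
$dsrmPwd    = Read-Host -AsSecureString -Prompt 'Safe mode (DSRM) administrator password'

$params = @{
    DomainType                    = 'ChildDomain'
    NewDomainName                 = $child
    ParentDomainName              = $parent
    NewDomainNetBiosName          = $child.ToUpper()
    DomainMode                    = 'Win2012R2'
    InstallDns                    = $true
    CreateDnsDelegation           = $true
    SafeModeAdministratorPassword = $dsrmPwd
    Credential                    = $parentCred
}

# 4. Dry run: same parameters, no changes. Fix anything it reports before promoting.
Test-ADDSDomainInstallation @params

# 5. Promote. The server reboots on completion unless -NoRebootOnCompletion is given.
Install-ADDSDomain @params -Force
```

Test-ADDSDomainInstallation takes the same parameters as Install-ADDSDomain, so splatting one hashtable into both guarantees the dry run checks exactly what you are about to apply.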