Hybrid Exchange

Mailbox Moves without a Batch

I recently came across an issue when moving mailboxes to Exchange Online where the migration user had failed with the following error:

Error: MigrationTransientException: MAPI provider is not supported for mailbox with version ‘[version info]’ on server.

It turns out this is an issue with a recent update to Exchange Online and Microsoft is rolling out the fix. I was able to create the move request without creating a batch by running the following from Exchange Online PowerShell:

There is also a similar process if you needed to move a mailbox from Exchange Online back to On-Prem:
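The commands the post ran are not reproduced above. The following is an added example of my own, not the post's code, showing a single-mailbox onboarding move and the reverse offboarding move created directly with New-MoveRequest, with no migration batch involved. The on-prem MRS proxy FQDN mail.contoso.com, the routing domain contoso.mail.onmicrosoft.com and the database DB01 are placeholders.

```powershell
# Added example (not the post's own code). Run from an Exchange Online PowerShell session.
# Placeholders: mail.contoso.com (on-prem MRS proxy FQDN), contoso.mail.onmicrosoft.com
# (hybrid routing domain), contoso.com (primary domain), DB01 (on-prem target database).
$OnPremCred = Get-Credential -Message "On-prem account with mailbox move rights"

# Onboarding: move one mailbox to Exchange Online without a migration batch.
New-MoveRequest -Identity "user1@contoso.com" `
    -Remote `
    -RemoteHostName "mail.contoso.com" `
    -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain "contoso.mail.onmicrosoft.com"

# Offboarding: move a cloud mailbox back to an on-prem database.
New-MoveRequest -Identity "user2@contoso.com" `
    -Outbound `
    -RemoteTargetDatabase "DB01" `
    -RemoteHostName "mail.contoso.com" `
    -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain "contoso.com"

# Track progress; a request that has stopped moving shows its Status and StatusDetail here.
Get-MoveRequest | Get-MoveRequestStatistics |
    Select-Object DisplayName, Direction, Status, StatusDetail, PercentComplete, BadItemsEncountered
```

Because no batch exists, nothing will retry or report on these requests for you; keep the last command in a loop or schedule it until every request reaches Completed, then clear them with Remove-MoveRequest so a later batch for the same users is not blocked by a stale request.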

Hybrid Exchange

Unable to remove Public Folder Mailbox after migration

I was recently trying to remove the last Exchange 2013 server, having already migrated to Exchange Online and set up an Exchange 2016 recipient management server. I was getting an error that the last database couldn’t be removed because it still had mailboxes on it. Indeed, there was one Public Folder mailbox left even though the Public Folders had successfully migrated to Exchange Online.

When trying to remove the Public Folder mailbox it gives the error “No active public folder mailboxes were found. This happens when no public folder mailboxes are provisioned or they are provisioned in ‘HoldForMigration’ mode. If you’re not currently performing a migration, create a public folder mailbox.”

I was able to resolve this by running this command:

With the mailbox removed, I could remove the mailbox database and uninstall the Exchange 2013 server.
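The command the post used is not reproduced above. As an added example of my own (not the post's code), this is how I would locate the leftover public folder mailbox, remove it with the -Force switch that bypasses the hierarchy warning quoted above, and confirm the database is empty before removing it. The database name DB2013 is a placeholder.

```powershell
# Added example (not the post's own code). Run from the Exchange 2013 Management Shell.
# Assumes the stranded object is the only public folder mailbox left and lives on database "DB2013" (placeholder).
$PfMailbox = Get-Mailbox -PublicFolder -ResultSize Unlimited
$PfMailbox | Format-List Name, Database, IsRootPublicFolderMailbox, ExchangeGuid

# -Force suppresses the warning/confirmation that otherwise stops removal while the
# hierarchy is in HoldForMigration after a completed migration to Exchange Online.
foreach ($Pf in $PfMailbox) {
    Remove-Mailbox -PublicFolder -Identity $Pf.Identity -Force -Confirm:$false
}

# The database must be empty of every mailbox type before Remove-MailboxDatabase succeeds.
$Db = "DB2013"
Get-Mailbox -Database $Db -ResultSize Unlimited
Get-Mailbox -Database $Db -Arbitration -ResultSize Unlimited
Get-Mailbox -Database $Db -PublicFolder -ResultSize Unlimited
Get-Mailbox -Database $Db -Archive -ResultSize Unlimited
```

Run the three checks first without the removal to see what else setup will complain about; arbitration and archive mailboxes are the other usual reasons the last 2013 database refuses to go.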

Exchange Online

Office 365 ATP External email forwarding

I have been discussing with several customers the upcoming change to block automatic forwarding in Exchange Online. The announcement from Microsoft is for Roadmap ID 63831 and goes into effect September 1st 2020.

There is no impact on external forwarding in this update, however automatic forwarding will be disabled based on the policy in a future update currently planned for September 1, 2020 and we will communicate via Message center. Once the policy takes effect, messages that are being automatically forwarded outside the organization will be blocked and a non-delivery report (NDR) will be sent to the user.

If, like many of my customers, you have a legitimate reason to forward to external addresses, you need to log in to https://protection.office.com/antispam and change the “Outbound spam filter policy (always ON)”.

The setting you are looking for is under Automatic forwarding and you should set this to “On – Forwarding is enabled”

If you want to be more secure, you can create a new outbound policy and scope it to just the mailboxes that need forwarding enabled, leaving forwarding blocked for everyone else.
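The post describes the portal steps; as an added example (my own, not the post's), here is the Exchange Online PowerShell equivalent of both options: the broad change to the default policy, and the scoped policy that allows forwarding only for named mailboxes. The identity "Default" for the built-in policy and the two user addresses are assumptions/placeholders.

```powershell
# Added example (not the post's own code). Exchange Online PowerShell.
# Assumes the built-in policy has the identity "Default"; user addresses are placeholders.

# Current state. Automatic = controlled by Microsoft (blocked once the change lands),
# On = forwarding allowed, Off = forwarding blocked with an NDR to the sender.
Get-HostedOutboundSpamFilterPolicy | Select-Object Name, IsDefault, AutoForwardingMode

# Option A (what the post does in the portal): allow external forwarding for the whole tenant.
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode On

# Option B (the tighter variant the post suggests): keep the default blocked and
# allow forwarding only for the mailboxes that have a business reason for it.
Set-HostedOutboundSpamFilterPolicy -Identity "Default" -AutoForwardingMode Off
New-HostedOutboundSpamFilterPolicy -Name "Allow External Forwarding" -AutoForwardingMode On
New-HostedOutboundSpamFilterRule -Name "Allow External Forwarding" `
    -HostedOutboundSpamFilterPolicy "Allow External Forwarding" `
    -From "finance.share@contoso.com", "ticketing@contoso.com" `
    -Priority 0

# Who ends up where: rules are evaluated by Priority, the default policy catches the rest.
Get-HostedOutboundSpamFilterRule |
    Select-Object Name, Priority, State, From, HostedOutboundSpamFilterPolicy
```

Pair Option B with a periodic review of Get-Mailbox ... | Where-Object { $_.ForwardingSmtpAddress } and of inbox rules that forward externally, so the allow-list stays as short as the business reason that justified it.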

Exchange

Expansion Server

I ran into the following error when uninstalling an Exchange 2010 server:

This computer is responsible for expanding the membership of 15 distribution groups. These must be reassigned to another server before setup can continue.

To find which distribution groups have an Expansion Server set you can run the following from the Exchange Management Shell:

Then run the following to null out the value for the distribution groups:
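The commands from the post are not reproduced above. As an added example of my own (not the post's code), this finds every static and dynamic distribution group whose expansion is pinned to the server being removed and clears the value; the server name EX2010-01 is a placeholder.

```powershell
# Added example (not the post's own code). Run from the Exchange 2010 Management Shell.
# Assumes the server being decommissioned is named EX2010-01 (placeholder).
$OldServer = "EX2010-01"

# ExpansionServer holds the server's legacy DN, so match on the short name anywhere in it.
# Dynamic groups can be pinned too, so check both recipient types.
$Pinned = @(Get-DistributionGroup -ResultSize Unlimited) +
          @(Get-DynamicDistributionGroup -ResultSize Unlimited) |
    Where-Object { $_.ExpansionServer -like "*$OldServer*" }

$Pinned | Select-Object Name, RecipientTypeDetails, ExpansionServer | Format-Table -AutoSize

# Clearing the value lets any Hub Transport server expand the group.
foreach ($Group in $Pinned) {
    if ($Group.RecipientTypeDetails -eq "DynamicDistributionGroup") {
        Set-DynamicDistributionGroup -Identity $Group.Identity -ExpansionServer $null
    } else {
        Set-DistributionGroup -Identity $Group.Identity -ExpansionServer $null
    }
}

# Setup's count for this server should now be zero.
@(Get-DistributionGroup -ResultSize Unlimited |
    Where-Object { $_.ExpansionServer -like "*$OldServer*" }).Count
```

If some groups were pinned deliberately (for example to keep expansion of a very large list on a specific site), set -ExpansionServer to the surviving server's identity instead of $null for those groups only.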

Exchange Online

Data Consistency Score

Microsoft recently announced improvements in mailbox move requests with something called the Data Consistency Score. It is meant to stop you from setting the bad item limit to a high number like 5000.

Improving Migrations Using Data Consistency Scoring – Microsoft Tech Community – 1105920

I started leaving the bad item limit unset and letting the new feature go to work. After a few batches it all worked and I was impressed. Last night I hit a snag where a move request was stuck and wouldn’t complete. The move request statistics were stuck on Synced.

Checking the migration user showed that the Data Consistency Score was set to Investigate:

I then had to set the migration user in Exchange Online to approve the skipped items:

After setting this the mailbox completed the move request successfully.
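The commands the post ran are not reproduced above. As an added example of my own (not the post's code), this checks the score from both the move request and the migration user, lists the items that were skipped so they can be reviewed, and only then approves them; user1@contoso.com is a placeholder.

```powershell
# Added example (not the post's own code). Exchange Online PowerShell; the user is a placeholder.
$User = "user1@contoso.com"

# Move request view: a request parked at Synced with a poor score will not auto-complete.
Get-MoveRequestStatistics -Identity $User |
    Select-Object Status, StatusDetail, PercentComplete, DataConsistencyScore

# Migration user view: the score, what drove it, and the actual items that were skipped.
$Stats = Get-MigrationUserStatistics -Identity $User -IncludeSkippedItems
$Stats | Select-Object Status, DataConsistencyScore, DataConsistencyScoringFactors
$Stats.SkippedItems | Select-Object Kind, FolderName, Subject, DateReceived | Format-Table -AutoSize

# Approving is a conscious acceptance of data loss for the listed items, so gate it on the
# score rather than approving blindly for every user in the batch.
if ($Stats.DataConsistencyScore -eq "Investigate") {
    Set-MigrationUser -Identity $User -ApproveSkippedItems
}

# Re-check; the status should move towards Completed on the next sync.
Get-MigrationUserStatistics -Identity $User | Select-Object Status, DataConsistencyScore
```

Keeping the SkippedItems output (for example piped to Export-Csv) gives you a record of exactly what was left behind for each mailbox, which is the question users ask weeks later.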

ADConnect

ADConnect Filtering Settings

I was working with a customer that asked if there was a way to export from ADConnect the OU filtering settings. From PowerShell on the server where ADConnect is installed I was able to run the following:

You will need to change the name of the AD domain on the 4th line and the exported text files will be saved to the C:\Export folder.
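The post's script is not reproduced above. What follows is an added example of my own, not the post's script, that reads the OU inclusion and exclusion lists from the ADSync connector and writes one text file per partition. The connector name "contoso.com" and the C:\Export path are placeholders; the ADSync module ships with Azure AD Connect.

```powershell
# Added example (not the post's own script). Run on the Azure AD Connect server.
# Assumes the on-prem AD connector is named "contoso.com" and exports go to C:\Export (placeholders).
Import-Module ADSync
$ConnectorName = "contoso.com"
$ExportPath    = "C:\Export"
New-Item -Path $ExportPath -ItemType Directory -Force | Out-Null

$Connector = Get-ADSyncConnector -Name $ConnectorName

# OU filtering is stored per partition as lists of container DNs: what is included and what
# is explicitly excluded underneath an included container.
foreach ($Partition in $Connector.Partitions) {
    $Scope = $Partition.ConnectorPartitionScope
    $Safe  = $Partition.Name -replace '[^\w\.-]', '_'   # "DC=contoso,DC=com" -> "DC_contoso_DC_com"

    Set-Content -Path (Join-Path $ExportPath "$Safe-IncludedOUs.txt") `
        -Value @($Scope.ContainerInclusionList | Sort-Object)
    Set-Content -Path (Join-Path $ExportPath "$Safe-ExcludedOUs.txt") `
        -Value @($Scope.ContainerExclusionList | Sort-Object)
}

# Console summary: how many OUs landed in each file.
Get-ChildItem -Path $ExportPath -Filter *.txt | ForEach-Object {
    "{0}: {1} OU(s)" -f $_.Name, @(Get-Content -Path $_.FullName).Count
}
```

The exported files are worth keeping under change control: an unexpected new entry in the included list is how accounts start syncing (and getting licensed or mail-enabled) without anyone having asked for it.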

Hybrid Exchange

Manage Distro Groups from Cloud mailbox

One of the downsides to Hybrid Exchange is that once a mailbox is moved to Exchange Online, its owner can no longer manage Distribution Groups. One solution I have found allows the cloud mailboxes to log in to the On-Prem ECP and manage the distribution groups they own from a web browser.

From the Exchange Management Shell On-Prem you will need to create a new RBAC role and trim its permissions so that it allows only updating and adding distribution group members.

Now you can add a user to the role group:

The user can then log in to the Exchange Admin Center, search for the group they own and modify the members:

If they try to modify a group they are not an owner of, it will not allow them to save the changes:
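The post's commands are not reproduced above. As an added example of my own (not the post's code), this builds the trimmed role from the built-in MyDistributionGroups role, keeps only the read cmdlets plus the two member-change cmdlets, and puts it in a role group. The role and group names and the user addresses are placeholders.

```powershell
# Added example (not the post's own code). Run from the on-prem Exchange Management Shell.
# Role name, role group name and user addresses are placeholders.
$RoleName  = "DL Member Management"
$GroupName = "DL Member Managers"

# Derive from the built-in end-user role so its implicit "groups I own" scope is inherited;
# that scope is what makes saving fail for groups the user does not own.
New-ManagementRole -Name $RoleName -Parent "MyDistributionGroups"

# Keep the Get-* entries and the two member-change cmdlets; drop create, delete, rename, etc.
$Keep = @("Add-DistributionGroupMember", "Update-DistributionGroupMember")
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $_.Name -notlike "Get-*" -and $Keep -notcontains $_.Name } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false }

# Review what survived before assigning it to anyone.
Get-ManagementRoleEntry -Identity "$RoleName\*" | Select-Object Name | Sort-Object Name

# Role group carrying only the trimmed role; add the cloud-mailbox users who own groups.
New-RoleGroup -Name $GroupName -Roles $RoleName -Members "user1@contoso.com"
Add-RoleGroupMember -Identity $GroupName -Member "user2@contoso.com"

# Audit: who currently holds the role.
Get-RoleGroupMember -Identity $GroupName | Select-Object Name, RecipientType
```

Deliberately leaving Remove-DistributionGroupMember out of $Keep matches the post's "update and add only" intent; Update-DistributionGroupMember replaces the whole membership, so if you do not want owners to be able to empty a group, drop that entry as well and keep only Add-DistributionGroupMember.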

Hybrid Exchange

Hybrid mail flow with Exchange 2003

I was working with a customer who had Exchange 2010 and Exchange 2003 and wanted to move to Exchange Online. We successfully set up the Hybrid Configuration Wizard with Exchange 2010 and were able to move mailboxes to Exchange Online. There was now an issue with mailboxes on Exchange 2003 being unable to send messages to mailboxes that had migrated to Exchange Online. They would receive an NDR:

Your message did not reach some or all of the intended recipients. A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator. #5.4.6

We found the following error in the Exchange 2003 application logs:

Event Source: MSExchangeTransport

Event Category: NDR

Event ID: 3020

Description:

A non-delivery report with a status code of 5.4.6 was generated for recipient {recipient} Message-ID {Message-ID}.

Cause: A forward loop was detected by the categorizer. This is a common hosting configuration problem caused when someone uses the provisioning tool to create a contact in one organization unit and creates a user in a different organization user that share the same e-mail address.

The resolution was to change the Accepted Domain for tenant.mail.onmicrosoft.com from Authoritative to Internal Relay:
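As an added example of my own (not the post's code), the accepted domain change from the Exchange 2010 Management Shell, with a check before and after; tenant.mail.onmicrosoft.com stands for your tenant's hybrid routing domain.

```powershell
# Added example (not the post's own code). Exchange 2010 Management Shell.
# tenant.mail.onmicrosoft.com is the hybrid routing domain (placeholder).
$Domain = "tenant.mail.onmicrosoft.com"

# Before: Authoritative tells transport every recipient in this domain must exist locally,
# so a recipient that resolves only to a forwarding target can end up in a 5.4.6 loop.
Get-AcceptedDomain -Identity $Domain | Select-Object Name, DomainName, DomainType, Default

# Internal Relay: recipients not found locally may exist elsewhere and are relayed
# out through the send connector for the domain (the hybrid connector here).
Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay

# After
Get-AcceptedDomain -Identity $Domain | Select-Object DomainName, DomainType
```

Internal Relay also means mail to a non-existent address in that domain leaves the organization instead of being rejected locally, so keep it scoped to the routing domain and confirm Exchange Online still rejects unknown recipients for it.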

OneDrive

OneDrive Secondary Admin

Working on a tenant-to-tenant migration, the customer was using a 3rd party to migrate their OneDrive data to a new tenant. There was a requirement to add 20 service accounts to each user's OneDrive as a secondary admin. I created the following script to go through all the OneDrive URLs and add the service accounts:

The service accounts will need to be created before running the script. You will need to update the AdminURL on the last line to match your tenant and change the UPN of each of the service accounts.
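The post's script is not reproduced above. As an added example of my own (not the post's script), this enumerates every OneDrive personal site with the SharePoint Online Management Shell, grants each service account site collection admin, and records the outcome per site; the tenant name "contoso", the service account UPN pattern and the log path are placeholders.

```powershell
# Added example (not the post's own script). Requires the SharePoint Online Management Shell module.
# Placeholders: tenant "contoso", service account UPNs migsvc01..migsvc20@contoso.com, log path.
Import-Module Microsoft.Online.SharePoint.PowerShell
$AdminUrl        = "https://contoso-admin.sharepoint.com"
$ServiceAccounts = 1..20 | ForEach-Object { "migsvc{0:D2}@contoso.com" -f $_ }
$LogPath         = "C:\Export\OneDriveSecondaryAdmins.csv"

Connect-SPOService -Url $AdminUrl

# All OneDrive hosts: personal sites live under <tenant>-my.sharepoint.com/personal/.
$Sites = Get-SPOSite -IncludePersonalSite $true -Limit All -Filter "Url -like '-my.sharepoint.com/personal/'"

$Log = foreach ($Site in $Sites) {
    foreach ($Upn in $ServiceAccounts) {
        try {
            Set-SPOUser -Site $Site.Url -LoginName $Upn -IsSiteCollectionAdmin $true | Out-Null
            [pscustomobject]@{ Site = $Site.Url; Account = $Upn; Result = "Added" }
        } catch {
            # Locked or unlicensed sites are the usual failures; keep going and report at the end.
            [pscustomobject]@{ Site = $Site.Url; Account = $Upn; Result = $_.Exception.Message }
        }
    }
}

$Log | Export-Csv -Path $LogPath -NoTypeInformation
$Log | Group-Object Result | Select-Object Name, Count
```

Twenty accounts with full access to every user's files is a large standing grant; run the same loop with -IsSiteCollectionAdmin $false as soon as the migration is signed off, and use the CSV to prove every grant was removed.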

Hybrid Exchange

Remote mailbox moves without Hybrid

I have been working with a customer who recently acquired a new company that has 400+ mailboxes running on two Exchange 2010 servers. They need all mailboxes moved to Office 365, where the tenant is already set up and has an existing Hybrid configuration to an on-prem Exchange 2016 environment. They don’t want the new users set up with Azure AD Connect; the users will be created in-cloud. If possible they want to perform MRS mailbox moves instead of paying for licenses for 3rd party migration tools.

I did some testing in a lab environment and have been successful in setting up MRS mailbox moves without having ADConnect or running the Hybrid Configuration Wizard. I decided to share the steps involved if anyone is in a similar position and needs some help.

  • Installed Exchange 2010 SP3, as the customer’s on-prem server was on SP1
  • Enabled MRSProxy on the Web Services virtual directory
  • Created a new Receive Connector on the 2010 server scoped to the O365 IP addresses, with its FQDN matching a valid SSL certificate
  • Added the new domain to the Office 365 portal and verified it
  • Changed the accepted domain in Exchange Online from Authoritative to Internal Relay
  • Added an outbound connector for the domain in Exchange Online
  • Added an inbound connector for the domain in Exchange Online
  • Created a migration endpoint pointing to the on-prem Exchange server
  • Set up federation from On-Prem Exchange to Exchange Online (this was easier to do in the EMC)
  • Set up an Organization Relationship from On-Prem to Exchange Online
  • Set up Organization Sharing from Exchange Online to On-Prem (Exchange Admin Center)
  • Created new Mail Users in the Office 365 tenant; this can be scripted and run from a PowerShell session
  • Added the LegacyExchangeDN from the On-Prem 2010 mailbox to the Mail User ExchangeGUID in Exchange Online
  • On-Prem Exchange needs the accepted domain <tenant>.mail.onmicrosoft.com added as Authoritative
  • On-Prem mailboxes need an alias address for <tenant>.mail.onmicrosoft.com; this can be done with an Email Address Policy
  • Mail User recipients in Exchange Online need both of the following addresses added: <tenant>.mail.onmicrosoft.com and <tenant>.onmicrosoft.com
  • Assigned the MsolUser a valid license for Exchange Online

Note that because the MailUser has a value for ExchangeGUID the provisioning service within Exchange Online doesn’t convert this into an empty mailbox when you assign a license. Now you can perform a remote mailbox move and when the move completes the objects will convert from a MailUser to a UserMailbox in Exchange Online and from a UserMailbox to a MailUser in Exchange On-Prem.

I recommend testing this out before doing any live production mailboxes and ensure mail flow is working. You will also want to validate free/busy and ensure all mailboxes including resource and shared get provisioned as MailUser in Exchange Online before moving any mailboxes. You will also need to create Distribution Groups in Exchange Online and add the LegacyExchangeDN to prevent users getting bounce back messages when sending to them.
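The post lists the steps but not the commands. As an added example of my own (not the post's code), this covers the recipient-preparation and move portion of the procedure: exporting the on-prem identifiers, creating the in-cloud Mail Users stamped with the on-prem ExchangeGuid and the X500/routing addresses, a pre-flight check, then licensing and the remote move. The acquired domain fabrikam.com, tenant name "contoso", endpoint FQDN mail.fabrikam.com, CSV path and license SKU are all placeholders; the federation, organization relationship and connector steps are left to the wizard/portal as in the post.

```powershell
# Added example (not the post's own code). Placeholders: acquired domain fabrikam.com, tenant "contoso",
# on-prem EWS/MRS proxy FQDN mail.fabrikam.com, CSV path C:\Export\fabrikam-mailboxes.csv, SKU contoso:ENTERPRISEPACK.

### Step A: Exchange 2010 Management Shell on the acquired company's server - export what the cloud objects need.
Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, Alias, FirstName, LastName, PrimarySmtpAddress, LegacyExchangeDN,
                  @{n = "ExchangeGuid"; e = { $_.ExchangeGuid.ToString() }}, RecipientTypeDetails |
    Export-Csv -Path "C:\Export\fabrikam-mailboxes.csv" -NoTypeInformation

### Step B: Exchange Online PowerShell - relay domain, Mail Users, GUID and address stamping.
Set-AcceptedDomain -Identity "fabrikam.com" -DomainType InternalRelay

$Tenant = "contoso"
$Users  = Import-Csv -Path "C:\Export\fabrikam-mailboxes.csv"
foreach ($U in $Users) {
    $Upn   = $U.PrimarySmtpAddress
    $Local = $Upn.Split("@")[0]
    # Random initial password; the user never signs in with it before the move.
    $Pwd   = ConvertTo-SecureString (([guid]::NewGuid().ToString("N")) + "!Aa1") -AsPlainText -Force

    # External address points at the on-prem mailbox so mail relays back until the move completes.
    New-MailUser -Name $U.DisplayName -DisplayName $U.DisplayName -Alias $U.Alias `
        -FirstName $U.FirstName -LastName $U.LastName `
        -MicrosoftOnlineServicesID $Upn -Password $Pwd -ExternalEmailAddress $Upn | Out-Null

    # ExchangeGuid must equal the on-prem value or MRS cannot pair the objects (and licensing would
    # otherwise create an empty mailbox). X500 keeps replies to old mail working; the two
    # onmicrosoft addresses are required for routing and for the move itself.
    Set-MailUser -Identity $Upn -ExchangeGuid $U.ExchangeGuid -EmailAddresses @{
        add = "X500:$($U.LegacyExchangeDN)",
              "smtp:$Local@$Tenant.mail.onmicrosoft.com",
              "smtp:$Local@$Tenant.onmicrosoft.com"
    }
}

# Pre-flight: every Mail User in the acquired domain must carry a GUID and the routing address.
Get-MailUser -ResultSize Unlimited | Where-Object { $_.PrimarySmtpAddress -like "*@fabrikam.com" } |
    Select-Object PrimarySmtpAddress, ExchangeGuid,
        @{n = "HasRoutingAddress"; e = { @($_.EmailAddresses -like "smtp:*@$Tenant.mail.onmicrosoft.com").Count -gt 0 }}

### Step C: licensing (MSOnline module) and the remote move (Exchange Online PowerShell).
$OnPremCred = Get-Credential -Message "On-prem Exchange 2010 account with mailbox move rights"
New-MigrationEndpoint -ExchangeRemoteMove -Name "Fabrikam2010" `
    -RemoteServer "mail.fabrikam.com" -Credentials $OnPremCred

foreach ($U in $Users) {
    Set-MsolUser -UserPrincipalName $U.PrimarySmtpAddress -UsageLocation "US"
    Set-MsolUserLicense -UserPrincipalName $U.PrimarySmtpAddress -AddLicenses "contoso:ENTERPRISEPACK"
    # Suspend before completion so the cutover can be scheduled per user or per wave.
    New-MoveRequest -Identity $U.PrimarySmtpAddress -Remote -RemoteHostName "mail.fabrikam.com" `
        -RemoteCredential $OnPremCred -TargetDeliveryDomain "$Tenant.mail.onmicrosoft.com" `
        -SuspendWhenReadyToComplete
}
Get-MoveRequest | Get-MoveRequestStatistics | Select-Object DisplayName, Status, PercentComplete
```

Run Step B against a single test mailbox first and confirm with Get-MoveRequestStatistics that it pairs and syncs; a GUID mismatch surfaces immediately as a failed move rather than as a second, empty mailbox, which is the outcome the pre-flight check is there to prevent.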