Exchange Online

Recipient missing from Exchange Online

When you configure ADConnect for Exchange Hybrid you expect a UserMailbox on-premises to be represented in Exchange Online as a MailUser. I had an issue where one on-premises mailbox had no recipient in Exchange Online at all. The Admin Center showed the user had been synced from on-premises Active Directory successfully, but clicking on the user showed the error “Exchange: The execution of cmdlet Enable-MailUser failed.”

I moved the user in Active Directory to an OU that wasn’t in sync with ADConnect. Running a delta sync with ADConnect removed the user from Azure Active Directory. I then went to Deleted Users in Azure Active Directory, found the user and clicked on Delete Permanently.

Finally I moved the user back to the original OU in Active Directory and ran another delta sync with ADConnect. This time, when the user was provisioned in Azure Active Directory, it correctly showed as a MailUser and I was able to migrate the mailbox.
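The same recovery as a script, added here as an example rather than the post's own commands. It assumes an admin workstation with the ActiveDirectory, MSOnline and Exchange Online modules loaded, an AD Connect server named AADC01, a user jsmith@contoso.com and a staging OU (OU=NoSync,DC=contoso,DC=com) that is excluded from the sync scope; all of those names are assumptions.

```powershell
# Added example, not from the original post. Re-provision a synced user whose
# Exchange Online recipient never got created ("Enable-MailUser failed").
# Assumed names: AADC01, jsmith / jsmith@contoso.com, OU=NoSync,DC=contoso,DC=com.

$Upn        = 'jsmith@contoso.com'
$SamAccount = 'jsmith'
$NoSyncOu   = 'OU=NoSync,DC=contoso,DC=com'
$AadcServer = 'AADC01'

# 0. Confirm the symptom before doing anything destructive: the Azure AD user exists
#    but Exchange Online has no recipient object for it.
if (Get-Recipient -Identity $Upn -ErrorAction SilentlyContinue) {
    throw "$Upn already has an Exchange Online recipient; this fix does not apply."
}

# 1. Move the AD user out of the sync scope and run a delta sync so the cloud
#    object is soft-deleted (it lands in the Azure AD recycle bin).
$user       = Get-ADUser -Identity $SamAccount
$originalOu = ($user.DistinguishedName -split ',', 2)[1]
Move-ADObject -Identity $user.DistinguishedName -TargetPath $NoSyncOu
Invoke-Command -ComputerName $AadcServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# 2. Wait for the soft delete, then hard-delete the cloud object. Hard delete is
#    irreversible and also discards any cloud-only state (licences, group memberships),
#    which is acceptable here only because the object had no Exchange Online mailbox.
do {
    Start-Sleep -Seconds 30
    $deleted = Get-MsolUser -ReturnDeletedUsers -UserPrincipalName $Upn -ErrorAction SilentlyContinue
} until ($deleted)
Remove-MsolUser -ObjectId $deleted.ObjectId -RemoveFromRecycleBin -Force

# 3. Move the user back and sync again; Exchange Online provisions a fresh MailUser.
Move-ADObject -Identity "CN=$($user.Name),$NoSyncOu" -TargetPath $originalOu
Invoke-Command -ComputerName $AadcServer -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }

# 4. Verify the recipient type before queuing the mailbox move.
do {
    Start-Sleep -Seconds 30
    $recipient = Get-Recipient -Identity $Upn -ErrorAction SilentlyContinue
} until ($recipient)
$recipient | Format-List Name, RecipientTypeDetails, ExchangeGuid, ExternalEmailAddress
```

The check in step 0 is the important one: hard-deleting an Azure AD object that does own cloud data (a mailbox, OneDrive, group ownership) loses it permanently. The MSOnline module has since been retired; the Graph equivalent for step 2 is Remove-MgDirectoryDeletedItem with the deleted object's id.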

Exchange

Redirect messages in queue to another server

I was working with a customer who changed some TLS 1.0/1.1 settings on their Exchange servers, which broke mail flow to Exchange Online. They were in the process of migrating to Exchange Online from a four-server Exchange DAG. I found that two of the servers were unable to send messages to the Edge server and on to Exchange Online:

421 4.4.2 Connection dropped due to SocketError. Attempted failover to alternate host, but that did not succeed. Either there are no alternate hosts, or delivery failed to all alternate hosts.

In this situation I was able to place the server component Hub Transport in maintenance mode by running:

Once the component was draining I was able to redirect the queued messages to a working server and have them delivered:
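The drain-and-redirect sequence as I would run it, added here as an example; these are not the post's own commands, which are not on the page. It assumes the failing server is EX01 (ex01.contoso.com) and the healthy DAG member is ex02.contoso.com.

```powershell
# Added example, not from the original post. Drain transport on a Mailbox
# server that cannot reach the Edge server and hand its queued mail to a
# healthy DAG member. Assumed names: EX01 / ex01.contoso.com (failing),
# ex02.contoso.com (healthy). Run from the Exchange Management Shell on EX01.

$Failing     = 'EX01'
$FailingFqdn = 'ex01.contoso.com'
$TargetFqdn  = 'ex02.contoso.com'   # transport on the target must be Active

# 1. What is actually stuck, and why. LastError carries the 421 4.4.2 text.
Get-Queue -Server $Failing | Where-Object { $_.MessageCount -gt 0 } |
    Format-Table Identity, DeliveryType, Status, MessageCount, LastError -AutoSize

# 2. Stop accepting new connections. The Requester value is recorded with the
#    state; the same value must be used to set the component back to Active.
Set-ServerComponentState -Identity $Failing -Component HubTransport -State Draining -Requester Maintenance
# Microsoft's DAG maintenance procedure restarts transport here so the new state
# is picked up immediately rather than at the next component-state poll.
Restart-Service MSExchangeTransport

# 3. Move the queued messages to the healthy server. Messages in the poison queue
#    and in shadow queues are not redirected; those stay where they are.
Redirect-Message -Server $FailingFqdn -Target $TargetFqdn -Confirm:$false

# 4. Confirm the queues on the failing server have emptied and the target is delivering.
Get-Queue -Server $Failing     | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, MessageCount
Get-Queue -Server $TargetFqdn  | Where-Object { $_.MessageCount -gt 0 } | Format-Table Identity, Status, MessageCount, LastError

# 5. Once the TLS settings are fixed and Test-SmtpConnectivity is clean, bring it back.
# Set-ServerComponentState -Identity $Failing -Component HubTransport -State Active -Requester Maintenance
```

Redirect-Message is a workaround for delivery, not a fix: if the target server has the same TLS change the messages simply queue there instead, so step 4 matters. Keeping the Requester consistent also matters; a component set to Draining by "Maintenance" will not return to Active when someone later runs the command with "Functional".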

Exchange Online

Moderated Groups in Hybrid

Working with a customer who was in the middle of a hybrid migration to Exchange Online, they had an issue where emails sent to All Company were not being approved. The All Company distribution group is a moderated group and the approvers' mailboxes were on-premises. I found the following error in the message trace:

Moderated groups use an arbitration mailbox to send the approval notification emails to the approvers. The approvers were not getting any notifications when the sender's mailbox was in Exchange Online. In the message trace I found an NDR: “550 5.6.0 APPROVAL.InvalidExpiry; Cannot read expiry policy.” It turns out that Exchange Online required a Retention Policy Tag for moderation. I ran the following commands in Exchange Online:

After running these two commands, messages sent to a moderated group from a cloud mailbox had their approval notifications delivered to the approvers. This is documented in Microsoft Docs: https://docs.microsoft.com/en-us/exchange/troubleshoot/email-delivery/550-5-6-0-approval-invalidexpiry-cannot-read-expiry-poilcy-error
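The two commands the post ran are not on the page, so the block below is my own diagnostic-and-repair version, added as an example. It assumes an Exchange Online PowerShell session, that the tag is named "ModeratedRecipients" (the name of the equivalent on-premises system tag) and a two-day expiry; the exact tag definition Microsoft prescribes should be taken from the article linked above.

```powershell
# Added example, not the post's own commands. Find the approval requests that
# bounced, see which moderated groups have on-prem moderators, and create the
# moderation retention tag if it is missing. Exchange Online PowerShell.
# Assumptions: tag name "ModeratedRecipients", two-day expiry (the on-prem
# system tag uses these); verify against the Microsoft article.

# 1. Approval requests that failed with the InvalidExpiry NDR during the last week.
$failed = Get-MessageTrace -StartDate (Get-Date).AddDays(-7) -EndDate (Get-Date) -Status Failed
$failed | Get-MessageTraceDetail |
    Where-Object { $_.Detail -like '*APPROVAL.InvalidExpiry*' } |
    Format-Table Date, MessageId, Detail -AutoSize

# 2. Moderated groups and where their moderators live. MailUser means on-prem,
#    i.e. the arbitration mailbox has to send the notification across the hybrid connector.
Get-DistributionGroup -ResultSize Unlimited | Where-Object ModerationEnabled | ForEach-Object {
    $group = $_
    foreach ($m in $group.ModeratedBy) {
        $mod = Get-Recipient -Identity "$m"
        [pscustomobject]@{ Group = $group.Name; Moderator = $mod.PrimarySmtpAddress; Type = $mod.RecipientTypeDetails }
    }
} | Format-Table -AutoSize

# 3. System tags are hidden unless asked for; create the tag only if none exists.
$tag = Get-RetentionPolicyTag -IncludeSystemTags | Where-Object { $_.Name -eq 'ModeratedRecipients' }
if (-not $tag) {
    # IsDefaultModeratedRecipientsPolicyTag is the marker that ties the tag to
    # moderation; Microsoft's cmdlet reference lists it as reserved.
    $tag = New-RetentionPolicyTag -Name 'ModeratedRecipients' -Type All -RetentionEnabled $true `
        -AgeLimitForRetention 2 -RetentionAction DeleteAndAllowRecovery `
        -SystemTag $true -IsDefaultModeratedRecipientsPolicyTag
}
$tag | Format-List Name, Type, AgeLimitForRetention, RetentionAction, SystemTag, IsDefaultModeratedRecipientsPolicyTag

# 4. Send a test from a cloud mailbox to a moderated group and repeat step 1
#    after a few minutes; the NDR should no longer appear.
```

Step 2 is worth keeping after the fix: the approval request is what authorises the message, so a moderator recorded as a MailUser with a stale ExternalEmailAddress silently turns moderation into a black hole even when the expiry tag is present.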

Hybrid Exchange

Outlook doesn’t connect to mailbox in Exchange Online after hybrid migration.

I have been working on a Hybrid Migration where several users weren't able to get their Outlook client to connect to the mailbox after it was migrated to Exchange Online. The mailbox move completes successfully and the Outlook client pops up a message that an administrator has made a change and Outlook must be closed and re-opened. Unfortunately when the user re-opens Outlook it is stuck trying to connect to the on-premises Exchange server and never updates. The Outlook version is the ProPlus (Click-to-Run) Microsoft 365 build that comes with their Office 365 E3 license.

If the user creates a new Outlook profile it connects to the mailbox in Exchange Online. I then asked them to switch back to the original Outlook profile, and that too now connected successfully to the mailbox in Exchange Online.

Something in the Outlook client was being updated when a new profile was created that then allowed the old profile to work. After testing on a few different machines I found that adding the following registry value let the original Outlook profile connect without creating a new profile.

  1. Open Registry Editor: press Windows Key + R to open the Run dialog box, type “regedit” and press Enter.
  2. In Registry Editor, locate HKEY_CURRENT_USER\Software\Microsoft\Exchange
  3. Create a new DWORD Value “AlwaysUseMSOAuthForAutoDiscover”
  4. Set the value to 1
  5. Exit Registry Editor
  6. Start Outlook
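The same value set from PowerShell so it can be pushed to affected users instead of edited by hand; this is an added example, not part of the original post. The value is per-user (HKCU), so it belongs in a logon script or a user-targeted configuration policy. The Click-to-Run registry path used to report the Outlook build is an assumption about where that information lives on the machine.

```powershell
# Added example, not from the original post. Force Outlook to use Modern
# Authentication (OAuth) for Autodiscover so it stops trying the on-prem
# endpoint with the pre-migration profile. Runs in the affected user's context.

$Path = 'HKCU:\Software\Microsoft\Exchange'
$Name = 'AlwaysUseMSOAuthForAutoDiscover'

# Create the key if this user has never had the Exchange branch, then set the DWORD.
if (-not (Test-Path -Path $Path)) {
    New-Item -Path $Path -Force | Out-Null
}
New-ItemProperty -Path $Path -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null

# Verify the value actually landed; -Force above would also have overwritten a
# value of the wrong type silently, so read it back rather than trusting the write.
$current = (Get-ItemProperty -Path $Path -Name $Name).$Name
if ($current -ne 1) {
    throw "$Name is '$current', expected 1"
}

# Report the Outlook build alongside it. Assumption: Click-to-Run installs record
# their build under this key; a missing key means a non-C2R Office.
$c2r = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Office\ClickToRun\Configuration' -ErrorAction SilentlyContinue
"$Name=$current  Outlook build: $($c2r.VersionToReport)  ($env:USERNAME on $env:COMPUTERNAME)"

# Outlook only reads the value at startup; close it fully before retesting.
```

Apart from fixing the stuck profile, the value is a good default on hybrid tenants: with it set, Outlook does not fall back to sending Basic-authentication credentials to whichever Autodiscover endpoint answers first, which removes one of the ways a user's domain password ends up on the wire during a migration.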

Hybrid Exchange

Mailbox Moves without a Batch

I recently came across an issue when moving mailboxes to Exchange Online where the migration user failed with the following error:

Error: MigrationTransientException: MAPI provider is not supported for mailbox with version ‘[version info]’ on server.

It turns out this is an issue with a recent update to Exchange Online and Microsoft is rolling out a fix. I was able to create the move request without creating a batch by running the following from Exchange Online PowerShell:

There is a similar process if you need to move a mailbox from Exchange Online back on-premises:
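Both directions of a batch-less remote move, added here as an example in place of the post's commands, which are not on the page. It assumes the hybrid endpoint is mail.contoso.com, the tenant routing domain is contoso.mail.onmicrosoft.com, the on-premises target database is DB01, and the two users are jsmith and jdoe.

```powershell
# Added example, not the post's own commands. Onboard one mailbox to Exchange
# Online and offboard another back on-prem, each as a bare move request, then
# poll until both settle. Exchange Online PowerShell (Connect-ExchangeOnline).
# Assumed: mail.contoso.com, contoso.mail.onmicrosoft.com, database DB01.

$RemoteHost  = 'mail.contoso.com'
$RoutingDom  = 'contoso.mail.onmicrosoft.com'
# A dedicated on-prem account with mailbox-move rights (membership of the
# Recipient Management role group is enough). Never store this in the script.
$OnPremCred  = Get-Credential -Message 'On-prem migration account (CONTOSO\migadmin)'

# Onboarding: on-prem UserMailbox -> Exchange Online. TargetDeliveryDomain is the
# address MRS stamps on the on-prem object as targetAddress when the move finishes.
New-MoveRequest -Identity 'jsmith@contoso.com' -Remote `
    -RemoteHostName $RemoteHost -RemoteCredential $OnPremCred `
    -TargetDeliveryDomain $RoutingDom -BadItemLimit 10

# Offboarding: Exchange Online mailbox -> on-prem database. Here TargetDeliveryDomain
# is the on-prem domain, because it becomes the cloud MailUser's external address.
New-MoveRequest -Identity 'jdoe@contoso.com' -Outbound `
    -RemoteHostName $RemoteHost -RemoteCredential $OnPremCred `
    -RemoteTargetDatabase 'DB01' -TargetDeliveryDomain 'contoso.com' -BadItemLimit 10

# Poll both requests. Statuses that mean "still working" keep the loop alive;
# anything else (Completed, Failed, Suspended, AutoSuspended) ends it.
do {
    Start-Sleep -Seconds 60
    $stats = Get-MoveRequest -Identity 'jsmith@contoso.com', 'jdoe@contoso.com' -ErrorAction SilentlyContinue |
             Get-MoveRequestStatistics
    $stats | Format-Table DisplayName, Direction, Status, PercentComplete, BadItemsEncountered -AutoSize
    $active = $stats | Where-Object { $_.Status -in 'Queued', 'InProgress', 'CompletionInProgress' }
} while ($active)

# Surface MRS's own failure reason rather than re-running blind.
$stats | Where-Object { $_.Status -eq 'Failed' } |
    Format-List DisplayName, FailureType, Message, FailureTimestamp
```

Because there is no batch, there is also no batch report and no auto-complete policy: the request completes as soon as the sync finishes unless -SuspendWhenReadyToComplete is passed, so schedule these the way you would the batch's completion window.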

Hybrid Exchange

Unable to remove Public Folder Mailbox after migration

I was recently trying to remove the last Exchange 2013 server, having already migrated to Exchange Online and set up an Exchange 2016 server for recipient management. I was getting an error that the last database couldn't be removed because it still had mailboxes on it. Indeed there was one public folder mailbox on it, even though the public folders had already been migrated successfully to Exchange Online.

When trying to remove the Public Folder mailbox it gives the error “No active public folder mailboxes were found. This happens when no public folder mailboxes are provisioned or they are provisioned in ‘HoldForMigration’ mode. If you’re not currently performing a migration, create a public folder mailbox.”

I was able to resolve this by running this command:

With the mailbox removed, I could remove the mailbox database and uninstall the Exchange 2013 server.
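The checks I would run before deleting that mailbox, followed by the removal, as an added example. The post's own command is not on the page; the Remove-Mailbox call below is the form I use for this error, and the mailbox and database names are assumptions. Run it in the on-premises Exchange Management Shell.

```powershell
# Added example, not the post's own command. Confirm the organisation has
# finished moving public folders to Exchange Online, then remove the leftover
# on-prem public folder mailbox so the database can be deleted.
# Assumed names: public folder mailbox "PFMailbox1", database "DB2013".

$PfMailbox = 'PFMailbox1'
$Database  = 'DB2013'

# 1. The org-level switches are the real safety check. Until PublicFoldersEnabled is
#    Remote and the migration is marked complete, this mailbox may still hold the
#    only writable copy of the hierarchy, and deleting it is data loss.
$org = Get-OrganizationConfig
$org | Format-List PublicFoldersEnabled, PublicFoldersLockedForMigration, PublicFolderMigrationComplete, RemotePublicFolderMailboxes
if ($org.PublicFoldersEnabled -ne 'Remote' -or -not $org.PublicFolderMigrationComplete) {
    throw 'Public folders are not yet served from Exchange Online; finalise the migration first.'
}

# 2. No outstanding public folder move requests on this side.
Get-PublicFolderMoveRequest | Format-Table Name, Status

# 3. What is actually left, and where. HoldForMigration mode is why the normal
#    removal path answers "No active public folder mailboxes were found".
Get-Mailbox -PublicFolder | Format-Table Name, Database, IsExcludedFromServingHierarchy, IsHierarchyReady -AutoSize

# 4. Remove it. -Force bypasses the hierarchy guard that produced the error.
Remove-Mailbox -Identity $PfMailbox -PublicFolder -Force -Confirm:$false

# 5. Prove the database is empty across every mailbox type before Remove-MailboxDatabase.
foreach ($kind in 'Arbitration', 'Archive', 'AuditLog', 'Monitoring', 'PublicFolder') {
    $params = @{ Database = $Database; $kind = $true; ErrorAction = 'SilentlyContinue' }
    Get-Mailbox @params | Format-Table Name, RecipientTypeDetails
}
Get-Mailbox -Database $Database -ErrorAction SilentlyContinue | Format-Table Name, RecipientTypeDetails
```

Step 5 is there because the error message the post quotes is generic; arbitration and audit-log mailboxes also block database removal and are just as easy to overlook as the public folder mailbox was.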

Exchange Online

Data Consistency Score

Microsoft recently announced improvements to mailbox move requests with something called Data Consistency Score. It is meant to stop you from setting the bad item limit to a high number like 5000.

Improving Migrations Using Data Consistency Scoring – Microsoft Tech Community – 1105920

I started by not setting any bad item limits and letting the new feature do its work. After a few batches it all worked and I was impressed. Last night I hit a snag where a move request was stuck and wouldn't complete: the move request statistics were stuck on Synced.

I checked the migration user and found the data consistency score was set to Investigate:

I then had to set the migration user in Exchange Online to approve the skipped items:

After setting this the mailbox completed the move request successfully.
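The inspection and approval steps as a script, added here as an example; the post's commands are not on the page. It assumes an Exchange Online PowerShell session and a migration user jsmith@contoso.com that is a member of an existing batch.

```powershell
# Added example, not the post's own commands. Work out why a move sits on
# Synced, review what MRS wants to leave behind, then approve the skipped
# items. Exchange Online PowerShell. Assumed migration user: jsmith@contoso.com.

$User = 'jsmith@contoso.com'

# 1. The move request itself looks healthy; it just never leaves Synced.
Get-MoveRequestStatistics -Identity $User |
    Format-List Status, StatusDetail, PercentComplete, BadItemsEncountered, LargeItemsEncountered

# 2. The score and the factors behind it live on the migration user, not the move request.
$stats = Get-MigrationUserStatistics -Identity $User -IncludeSkippedItems
$stats | Format-List Status, DataConsistencyScore, DataConsistencyScoringFactors, SkippedItemCount

# 3. Read the skipped items before approving them. This list is the audit trail for
#    the decision to accept data loss, so keep it with the migration record.
$stats.SkippedItems | Format-Table Kind, FolderName, Subject, DateReceived, MessageSize -AutoSize

# 4. Perfect and Good complete on their own; only Investigate and Poor need a human.
if ($stats.DataConsistencyScore -in 'Investigate', 'Poor') {
    Set-MigrationUser -Identity $User -ApproveSkippedItems
}

# 5. If the batch was created with auto-complete the move now finishes by itself;
#    otherwise complete the batch (or this user) when the migration window opens.
# Complete-MigrationBatch -Identity 'Batch01'
Get-MigrationUser -Identity $User | Format-List Status, StatusSummary
```

Approval is scoped to the items enumerated at the time you run it; if the source mailbox keeps changing and MRS encounters new skips during completion, the user drops back to Investigate and the review has to be repeated.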

Hybrid Exchange

Manage Distro Groups from Cloud mailbox

One of the downsides of Hybrid Exchange is that once a mailbox is moved to Exchange Online, its owner can no longer manage their on-premises distribution groups. One solution I have found lets cloud mailbox users log in to the on-prem ECP and manage the distribution groups they own from a web browser.

From the on-prem Exchange Management Shell you need to create a new RBAC role and trim its entries so that it only allows updating distribution group membership and adding distribution group members.

Now you can add a user to the role group:

The user can then log in to the Exchange Admin Center, search for the group they own and modify the members:

If they try to modify a group they are not an owner of, it will not let them save the changes:
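The role build-out as a script, added here as an example; the post's own commands are not on the page. Role, role group and user names are assumptions. Run it in the on-premises Exchange Management Shell.

```powershell
# Added example, not the post's own commands. Clone the built-in
# MyDistributionGroups end-user role, strip it down to membership changes,
# and hand it to cloud-mailbox owners through a role group.
# Assumed names: role "DL Membership Only", role group "Cloud DL Owners", user jsmith.

$RoleName  = 'DL Membership Only'
$GroupName = 'Cloud DL Owners'

# 1. Derive from MyDistributionGroups. The ownership check the post describes is not
#    something you configure: it comes from this role's implicit write scope, which
#    is limited to groups the caller is listed as ManagedBy on.
New-ManagementRole -Name $RoleName -Parent MyDistributionGroups

# 2. Keep only what ECP needs to view a group and change its membership. Everything
#    else (New-/Remove-DistributionGroup, Set-DistributionGroup) is removed so an owner
#    cannot create groups, delete them, or change properties such as RequireSenderAuthenticationEnabled.
$keep = 'Get-DistributionGroup', 'Get-DistributionGroupMember', 'Get-Recipient',
        'Add-DistributionGroupMember', 'Update-DistributionGroupMember'
Get-ManagementRoleEntry -Identity "$RoleName\*" |
    Where-Object { $_.Name -notin $keep } |
    ForEach-Object { Remove-ManagementRoleEntry -Identity "$RoleName\$($_.Name)" -Confirm:$false }

# 3. Assign through a role group so membership is visible in one place.
New-RoleGroup -Name $GroupName -Roles $RoleName `
    -Description 'Group owners with cloud mailboxes who edit on-prem DL membership via ECP'
Add-RoleGroupMember -Identity $GroupName -Member 'jsmith'

# 4. Verify the effective permission set and scope before telling anyone it is live.
Get-ManagementRoleEntry -Identity "$RoleName\*" | Format-Table Name, Parameters -AutoSize
Get-ManagementRoleAssignment -RoleAssignee $GroupName |
    Format-List Role, RecipientReadScope, RecipientWriteScope, ConfigReadScope, ConfigWriteScope
```

Two things to check on the security side. The cloud user is still an on-premises AD account, so ECP authenticates them against AD; that works, but it means the migrated users keep needing a working on-prem password and /ecp has to stay reachable for them. And Update-DistributionGroupMember replaces the whole member list in one call, which is exactly what ECP's membership page sends, so the list in $keep deliberately omits Remove-DistributionGroupMember rather than adding it.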

Hybrid Exchange

Hybrid mail flow with Exchange 2003

I was working with a customer who had Exchange 2010 and Exchange 2003 and wanted to move to Exchange Online. We successfully set up the Hybrid Configuration Wizard with Exchange 2010 and were able to move mailboxes to Exchange Online. There was then an issue where mailboxes on Exchange 2003 were unable to send messages to mailboxes that had migrated to Exchange Online. Senders received an NDR:

Your message did not reach some or all of the intended recipients. A configuration error in the e-mail system caused the message to bounce between two servers or to be forwarded between two recipients. Contact your administrator. #5.4.6

We found the following error in the Exchange 2003 application logs:

Event Source: MSExchangeTransport
Event Category: NDR
Event ID: 3020
Description: A non-delivery report with a status code of 5.4.6 was generated for recipient {recipient} Message-ID {Message-ID}.
Cause: A forward loop was detected by the categorizer. This is a common hosting configuration problem caused when someone uses the provisioning tool to create a contact in one organizational unit and creates a user in a different organizational unit that share the same e-mail address.

The resolution was to change the Accepted Domain for tenant.mail.onmicrosoft.com from Authoritative to Internal Relay:
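The accepted-domain change, with the checks around it, as an added example run from the Exchange 2010 Management Shell; the post's own command is not on the page. The tenant routing domain contoso.mail.onmicrosoft.com and the user jsmith are assumptions.

```powershell
# Added example, not the post's own command. Show why the 5.4.6 loop happens,
# switch the routing domain to Internal Relay, and confirm something will
# actually carry that domain outbound. Exchange 2010 Management Shell.
# Assumed: routing domain contoso.mail.onmicrosoft.com, migrated user jsmith.

$RoutingDomain = 'contoso.mail.onmicrosoft.com'

# 1. Why it loops: the migrated user's on-prem object carries a targetAddress in the
#    routing domain. While that domain is Authoritative, delivery to it is resolved
#    locally, the address maps back to the same object, and the categorizer detects
#    the repeat (Event 3020 / 5.4.6) instead of routing the message out.
Get-RemoteMailbox -Identity 'jsmith' | Format-List Name, RemoteRoutingAddress, EmailAddresses

# 2. Current state of the domain.
Get-AcceptedDomain -Identity $RoutingDomain | Format-List Name, DomainName, DomainType, Default

# 3. Internal Relay: addresses in this domain that do not resolve locally are passed
#    to a send connector rather than rejected, which is what the loop needs broken.
Set-AcceptedDomain -Identity $RoutingDomain -DomainType InternalRelay

# 4. A relay domain with no matching send connector just turns the loop into an
#    "unreachable domain" queue. The HCW-created connector should cover it, with TLS.
Get-SendConnector | Where-Object { "$($_.AddressSpaces)" -match [regex]::Escape($RoutingDomain) } |
    Format-List Name, AddressSpaces, SmartHosts, RequireTLS, TlsAuthLevel, TlsDomain, Enabled

# 5. Watch for the NDR to stop: 3020 events on the 2003 side, or the 2010 queues here.
Get-Queue | Where-Object { $_.NextHopDomain -match [regex]::Escape($RoutingDomain) } |
    Format-Table Identity, Status, MessageCount, LastError -AutoSize
```

Step 4 is the part that deserves attention from a security point of view: Internal Relay means the on-premises organisation forwards anything addressed to that domain that it cannot resolve, so the connector that carries it must be the TLS-required hybrid connector to Exchange Online Protection and not a general-purpose smart host.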

Hybrid Exchange

Remote mailbox moves without Hybrid

I have been working with a customer who recently acquired a company that has 400+ mailboxes running on two Exchange 2010 servers. They need all of the mailboxes moved to Office 365, where the tenant is already set up and has an existing Hybrid configuration to an on-prem Exchange 2016 environment. They don't want the new users set up through Azure ADConnect; the users will be created in-cloud. If possible they want to perform MRS mailbox moves instead of paying for licenses for third-party migration tools.

I did some testing in a lab environment and have been successful in setting up MRS mailbox moves without having ADConnect or running the Hybrid Configuration Wizard. I decided to share the steps involved in case anyone is in a similar position and needs some help.

  • Installed Exchange 2010 SP3, as the customer's on-prem servers were on SP1
  • Enabled MRSProxy on the Web Services virtual directory
  • Created a new Receive Connector on the 2010 server scoped to the Office 365 IP addresses, with an FQDN that matches a valid SSL certificate
  • Added the new domain to the Office 365 portal and verified it
  • Changed the accepted domain in Exchange Online from Authoritative to Internal Relay
  • Added an outbound connector for the domain in Exchange Online
  • Added an inbound connector for the domain in Exchange Online
  • Created a migration endpoint pointing to the on-prem Exchange server
  • Set up federation from on-prem Exchange to Exchange Online (this was easier to do through the EMC)
  • Set up an Organization Relationship from on-prem to Exchange Online
  • Set up organization sharing from Exchange Online to on-prem (Exchange Admin Center)
  • Now create the Mail Users in the Office 365 tenant; this can be scripted and run from a PowerShell session
  • Set each Mail User's ExchangeGUID in Exchange Online to the ExchangeGuid of the matching on-prem 2010 mailbox, and add the on-prem LegacyExchangeDN as an X500 address
  • On-prem Exchange needs the accepted domain <tenant>.mail.onmicrosoft.com added as Authoritative
  • On-prem mailboxes need an alias address at <tenant>.mail.onmicrosoft.com. This can be done using an Email Address Policy
  • Mail User recipients in Exchange Online need both of the following addresses added: <tenant>.mail.onmicrosoft.com and <tenant>.onmicrosoft.com
  • Assign the MsolUser a valid license for Exchange Online

Note that because the MailUser already has a value for ExchangeGUID, the provisioning service in Exchange Online doesn't convert it into an empty mailbox when you assign a license. You can now perform a remote mailbox move; when the move completes the objects convert from MailUser to UserMailbox in Exchange Online and from UserMailbox to MailUser in Exchange on-prem.

I recommend testing this before moving any production mailboxes and making sure mail flow is working. You will also want to validate free/busy and ensure all mailboxes, including resource and shared mailboxes, get provisioned as MailUsers in Exchange Online before moving anything. You will also need to create the Distribution Groups in Exchange Online and add the LegacyExchangeDN as an X500 address to prevent users getting bounce-backs when sending to them.
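The per-object provisioning from the steps above as one script, added here as an example and not the post's own script. Part A runs in the Exchange 2010 Management Shell and parts B and C in Exchange Online PowerShell. The acquired domain fabrikam.com, the tenant name contoso, the export path and the group name are assumptions; the domain is taken to be already verified in the tenant.

```powershell
# Added example, not the post's script. Export the identifiers MRS matches on
# from the acquired Exchange 2010 org, stamp the routing-domain address on the
# source mailboxes, create matching MailUser stubs in Exchange Online, and give
# distribution groups the X500 they need. Assumed: fabrikam.com, tenant contoso.

$Tenant     = 'contoso'
$RoutingDom = "${Tenant}.mail.onmicrosoft.com"
$Csv        = 'C:\Migration\fabrikam.csv'

# ---- Part A (Exchange 2010 Management Shell, acquired org) ----
Get-Mailbox -ResultSize Unlimited |
    Select-Object DisplayName, Alias, PrimarySmtpAddress, ExchangeGuid,
        @{ n = 'X500'; e = { 'X500:' + $_.LegacyExchangeDN } } |
    Export-Csv -Path $Csv -NoTypeInformation

# Every source mailbox needs a <tenant>.mail.onmicrosoft.com proxy, because that is the
# address MRS writes as targetAddress when it converts the mailbox to a MailUser.
# An Email Address Policy covers policy-managed mailboxes; this catches the rest.
Get-Mailbox -ResultSize Unlimited |
    Where-Object { -not ("$($_.EmailAddresses)" -match [regex]::Escape($RoutingDom)) } |
    ForEach-Object { Set-Mailbox -Identity $_.Identity -EmailAddresses @{ Add = "$($_.Alias)@$RoutingDom" } }

# ---- Part B (Exchange Online PowerShell): MailUser stubs ----
Import-Csv -Path $Csv | ForEach-Object {
    $upn = $_.PrimarySmtpAddress
    # Throwaway password: the account is only a routing stub until the move completes,
    # and the user resets it at cutover. It is never written down or reused.
    $pw  = ConvertTo-SecureString -String ([guid]::NewGuid().ToString()) -AsPlainText -Force
    $mu  = New-MailUser -Name $_.Alias -DisplayName $_.DisplayName `
               -MicrosoftOnlineServicesID $upn -ExternalEmailAddress $upn -Password $pw
    # ExchangeGuid ties the stub to the on-prem mailbox for MRS; it is also what stops
    # Exchange Online from provisioning an empty mailbox when the licence is assigned.
    Set-MailUser -Identity $mu.Identity -ExchangeGuid $_.ExchangeGuid `
        -EmailAddresses @{ Add = $_.X500, "$($_.Alias)@$RoutingDom", "$($_.Alias)@${Tenant}.onmicrosoft.com" }
}

# ---- Part C (Exchange Online PowerShell): distribution groups ----
# The X500 stops cached Outlook entries for the group bouncing with IMCEAEX NDRs.
# Export the groups from on-prem the same way as Part A; one group shown inline.
New-DistributionGroup -Name 'Sales' -PrimarySmtpAddress 'sales@fabrikam.com' -Type Distribution
Set-DistributionGroup -Identity 'Sales' `
    -EmailAddresses @{ Add = 'X500:/o=Fabrikam/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=Sales' }

# ---- Checks before licensing or the first New-MoveRequest ----
# Any MailUser without an ExchangeGuid would turn into a fresh cloud mailbox on licensing,
# after which MRS refuses the move; catch those now.
Get-MailUser -ResultSize Unlimited |
    Where-Object { -not $_.ExchangeGuid -or $_.ExchangeGuid -eq [guid]::Empty } |
    Format-Table Name, PrimarySmtpAddress -AutoSize
Get-MailUser -Identity 'user1@fabrikam.com' | Format-List ExchangeGuid, ExternalEmailAddress, EmailAddresses
```

Two parts of the procedure above carry risk beyond the script. The Receive Connector on the 2010 side should be scoped to Microsoft's published Microsoft 365 IP ranges and require TLS, since it accepts mail for the tenant without authentication; and the account behind the migration endpoint should be a dedicated one that is disabled once the last mailbox has moved, because MRSProxy exposes the move path through the externally published EWS endpoint for as long as that account is valid.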