Exchange 2016 Database Availability Group and Cloud Witness

When implementing a Database Availability Group (in Exchange 2010 and higher) you need a File Share Witness (FSW). This FSW is located on a Witness Server which can be any domain joined server in your internal network, as long as it is running a supported Operating System. It can be another Exchange server, as long as the Witness Server is not a member of the DAG you are deploying.

A long time ago (I don’t recall exactly, but it could well be around Exchange 2013 SP1) Microsoft started to support using Azure for hosting the Witness server. In this scenario you would host a Virtual Machine in Azure. This VM is a domain joined VM, for which you most likely also host a Domain Controller in Azure, and for connectivity you would need a site-2-site VPN connection to Azure. Not only from your primary datacenter, but also from your secondary datacenter, i.e. a multi-site VPN Connection, as shown in the following picture:


While this is possible and fully supported, it is costly adventure, and personally I haven’t seen any of my customers deploy it yet (although my customers are still interested).

Windows 2016 Cloud Witness

In Windows 2016 the concept of ‘Cloud Witness’ was introduced. The Cloud Witness concept is the same as the Witness server, but instead of using a file share it is using Azure Blob Storage for read/write purposes, which is used as an arbitration point in case of a split-brain situation.

The advantages are obvious:

  • No need for a 3rd datacenter hosting your Witness server.
  • No need for an expensive VM in Azure hosting you Witness server.
  • Using standard Azure Blob Storage (thus cheap).
  • Same Azure Storage Account can be used for multiple clusters.
  • Built-in Cloud Witness resource type (in Windows 2016 of course).

Looking at all this it seems like a good idea to use the Cloud Witness when deploying Windows 2016 failover clusters, or when deploying a Database Availability Group when running Exchange 2016 on Windows 2016.

Unfortunately, this is not a supported scenario at this point. All information you find on the Internet is most likely not officially published by the Microsoft Exchange team. If at one point the Cloud Witness becomes a supported solution for Exchange 2016, you can find it on the Exchange blog. When this happens, I’ll update this page as well.

More information

Using a Microsoft Azure VM as a DAG witness server –

Dutch and Belgian Community Event on February 22

On February 22 the Belgian and Dutch messaging and collaboration experts are organizing a community event. Join MVPs like Jaap Wesselius, Dave Stork, Michel de Rooij, Steven Van Houttum and Michael Van Horenbeeck along with well-respected experts such as Thomas Verwer, Kay Sellenrode and more for this first “interland” between the Belgian E-Communications & Collaboration Community and their Dutch counterpart(s). We will start the evening with an introduction by Etan Basserie, a Program Manager from the Azure AD Team at Microsoft in Redmond.

It will be an evening full of technical deep-dives and interesting discussions.
Fujitsu Netherlands has been so kind to allow us to host our collective event in their offices in Maarssen. You can find the Fujitsu offices at ‘Het Kwadrant 1, 3606 AZ, Maarssen’.

The agenda is as follows:

  • 6PM – 6:30PM: Welcome, drinks and food
  • 6:30PM – 7:00PM: Introduction/Keynote by Etan Basseri (Identity Engineering, Microsoft)
  • 7:00PM – 7:50 PM: “Still running Exchange 2010? Now what?” A sessions by Jaap Wesselius and Kay Sellenrode discussing your options, best practices and pitfalls when migrating to Exchange 2016 or Office 365. Or in other words, why or why not using Exchange 2016 in an Exchange 2010 hybrid environment.
  • 8:00PM – 8:30PM: Introduction to “HelloDoor” by HelloDoor.
  • 8:30PM – 9:30PM: “Securing Exchange Online”. This session presented by Dave Stork will cover security options to prevent spoofing of email, tools to prevent data leakage and auditing solutions. Further topics will be EOP, ATP, SPF, DKIM, DMARC, TLS, RMS and DLP to use a few acronyms. Dave’s focus will be on Exchange Online, but a lot of topics can also be used in Exchange on-premises.
  • 9:30PM-10PM: Closing drink(s) and farewell

You can register at the following meetup site:
Hope to see you all there!

Exchange and .NET Framework support

Last week I had to upgrade a few Exchange 2013 CU15 servers to Exchange 2013 CU18. In a typical scenario upgrading to a newer Cumulative Update it’s not a big deal, not even when skipping a few versions, but in this scenario most likely you will hit the following error message:


It fails during the Prerequisite Analysis with the error message

“This computer requires .NET Framework 4.6.2 ( For more information, visit:

The Exchange Server setup operation didn’t complete. More details can be found in ExchangeSetup.log located in the (SystemDrive):\ExchangeSetupLogs folder.”

Exchange Server 2013 CU18 requires the .NET Framework 4.6.2 for installation which was obviously not installed on these servers.

Continue reading Exchange and .NET Framework support

Exchange 2016 Edge Transport Server and IPv6

I’ve never paid too much attention to IPv6, except for turning it off completely in case of strange issues. And admit it, most of you do the same.

Security is getting more and more important, and as a messaging consultant you want your Exchange environment top notch. In the Dutch community NGN I was pointed to where you can check your presence on the Internet. Lots of red crosses when it comes to messaging and IPv6, reason for me to start looking into that.

In this blogpost I will focus on the Exchange 2016 Edge Transport server (I have two for inbound and outbound email) and the Exchange 2016 Mailbox server, which is load balanced behind a Kemp LoadMaster LM3600.

Exchange 2016 Edge Transport server

Although a lot of Exchange admins disable IPv6 on their Exchange servers (through a registry key) in case of strange issues, it is not a recommended solution.

I have two Exchange 2016 Mailbox servers, one Exchange 2013 multi-role server and two Edge Transport servers (one Exchange 2013 and the other Exchange 2016) for inbound and outbound SMTP traffic. There are two MX records which point to these Edge Transport servers. Both have an external IPv4 address.

The first step of course is to add an IPv6 address to the network adapter of the Edge Transport servers, your provider should be able to supply you with a sufficient IP range.


This should not result in too much issues. If you want to ping your server on IPv6 make sure that the File and Printer Sharing (Echo request – ICMPv6-In) inbound rule is enabled in Windows Firewall.

The next step is to enable the Edge Transport server for IPv6 usage. The Mailbox server has everything setup by default, but the Edge Transport server is only configured for IPv4.

Continue reading Exchange 2016 Edge Transport Server and IPv6

Single Sign-On and Azure AD Connect Pass-Through Authentication

In my previous blogpost I discussed Azure AD Connect Pass-Through Authentication (PTA), how it works and how it can be configured. In that blogpost I did not enable Single Sign-On (SSO) and that was also the first comment I got, within one or two days. Enabling SSO and how it works it this blogpost’s topic.

Authentication flow

I already explained the authentication flow when using PTA. When accessing a service in Office 365 you are redirected to Azure AD, you enter your credentials and the credentials are placed in the Azure Service Bus. The Azure AD Connect server retrieves these credentials from the Service Bus and presents them to the on-premises Domain Controller. The result is returned to the service bus and you’re granted access, or denied when something is wrong of course.


So, what happens if you enable SSO in the Azure AD Connect wizard? Enabling SSO is just a matter of checking the Enable single sign-on checkbox in the Azure AD Connect wizard:


Note. I skipped most of the configuration steps since this is identical to the configuration steps in the previous blogpost.

During the Azure AD Connect wizard you also must enter your on-premises administrator credentials, these are needed to configure your on-premises Active Directory to enable SSO with PTA.

To be fair, it’s not true SSO as with federation (through ADFS), but it is seamless Single-Sign On (sSSO). When enabling SSO in the Azure AD Connect wizard, users only need to enter their logon name when accessing services in Office 365, for example with Outlook Web App:


When you are on a domain joined workstation that has access to a Domain Controller, you only have to select the appropriate user account. The password is automatically returned to Azure AD and if all is well you are granted access to Outlook Web App.

If you don’t want to select or enter a logon name you can also use domain hints. In combination with Outlook Web App you would use a URL like If you do so your current credentials (again, on a domain joined workstation that has access to a Domain Controller) are automatically passed through and you are granted access.

Seamless Single-Sign On under the hood

But how does this sSSO actually work under the hood.

When enabling SSO in the Azure AD Connect wizard you have to enter your on-premises domain administrator account. This is used to create an additional computer object in Active Directory called AZUREADSSOACC.


This computer account is used to create a shared Kerberos key between your on-premises Active Directory and Azure Active Directory, needed for creating the sSSO experience.

During logon in this scenario, the following 8 steps occur:


  1. The client accesses a service in the Microsoft cloud, for example OWA via
  2. The request is redirected from Office 365 to Azure Active Directory.
  3. Access is denied, and a 401 error is returned to the client.
  4. The client accesses a local Domain Controller and requests a Kerberos token.
  5. A Kerberos session ticket is returned to the client.
  6. The session ticket is presented to Azure Active Directory. Since Azure Active Directory has a shared ticket with your on-premises Active Directory is can generate a Kerberos token for the client to use.
  7. The Kerberos token is returned to the client
  8. The Kerberos token is presented to Office 365 and access is granted. The user can now start using OWA.

As you can see this only works for domain joined clients that have access to a local Domain Controller. If they don’t have access to a local Domain Controller the regular PTA process as shown in the beginning of this blogpost (and previous blogpost) is followed.

Note. For the client to automatically pass the credentials, the Azure AD endpoints must be in the intranet zone


Tip. Use GPO to change this for all clients in your network.

If you use your browser and navigate to Exchange Online you will still be prompted to enter your username (or select a username when used previously) but you are not required to enter your password:


If you use a domain hint in your URL like, then the account is automatically logged on. One small but strange note, this is supported by Microsoft Internet Explorer, but not by the Microsoft Edge browser (at least not at the moment of writing, early November 2017). This might change in the future though.

To get this working with Outlook 2016 (or fully patched Outlook 2013 that supports Modern Authentication) we need to enable OAuth on a tenant level. To achieve this, logon use Remote PowerShell in Exchange Online using the following commands:

$Cred= Get-Credential ''
$Session= New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession -Session $Session

And when logged in enter the following command:

Set-OrganizationConfig -OAuth2ClientProfileEnabled:$TRUE


Next time you start Outlook you will see that it will automatically logon to Exchange Online (whereas it didn’t when Oauth was not enabled).

Note. As outlined earlier in this post there’s a shared key between the computer account in your on-premises Active Directory and Azure Active Directory. It is strongly recommended to roll-over these keys every 30 days. For more information check the Microsoft FAQ on this:


You can use Pass-through authentication if you have a requirement to keep all user passwords on-premises (and thus not store them in the Microsoft cloud). When using Pass-through authentication you can also enable seamless Single-Sign On or sSSO. This way domain joined clients (that have access to a Domain Controller) can use Kerberos authentication to access services in the Microsoft cloud.

A number of issues to be aware of: not all clients do support PTA or sSSO as outlined in this article. For example, Internet Explorer does support it, but the Edge browser doesn’t. Outlook 2013/2016 do support it (modern authentication) but Outlook 2010 does not. Also, the Lync/Skype for business clients do not support this at all. I expect this to change in the (near) future, and when it does I will update this article.

More information

Azure Active Directory Seamless Single Sign-On: Frequently asked questions –

Microsoft UC Specialist