Inbound DANE authentication for Exchange Online

Outbound DANE in Exchange Online has been available for some time now, and I wrote about it before in the following blog post: DNSSEC and DANE support in Exchange server and Exchange Online.

Microsoft recently announced the public preview (!) of inbound SMTP DANE for Exchange Online, and it’s fairly easy to configure.

Implementing DANE consists of two steps:

  • Enabling DNSSEC in Exchange Online.
  • Enabling DANE in Exchange Online.

I will show both in the following sections.

Enable DNSSEC in Exchange Online

An important prerequisite, of course, is that you have DNSSEC up and running for your domain. If you have, open a PowerShell window and connect to Exchange Online.

When connected, execute the following command:

Enable-DnssecForVerifiedDomain -DomainName Exchangelabs.nl

The output of the command shows the (new) MX record for the domain, as shown in the following screenshot:

Add the new MX record to your domain, but give it a lower priority than the existing MX record (which typically should also point to Exchange Online).

Important: If you have configured MTA-STS for your inbound mail in Exchange Online, DO NOT FORGET to change the MTA-STS policy to reflect the new MX record!

Use the Remote Connectivity Analyzer (https://testconnectivity.microsoft.com/tests/O365InboundSmtp/input) to check the MX records and confirm that everything is working correctly.

In the following screenshot you can see both MX records and all is green:

You can now change the priority of the new MX record to 10 and delete the old MX record.
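Because the MTA-STS policy is so easy to forget when the MX record changes, here is an added check (example code, not from the original post): it compares the MX hosts that DNS publishes for a domain with the "mx:" lines of the domain's MTA-STS policy, using the RFC 8461 matching rules (exact host, or a "*." pattern matching exactly one extra label). The domain name, the second MX host name and the sample policy text are constructed placeholders; the live lookup uses Resolve-DnsName and Invoke-WebRequest.

```powershell
# Added example, not from the original post. Sample values below are constructed.

function Test-MtaStsMxPattern {
    # RFC 8461 matching: an "mx:" value either matches the host exactly or, when it
    # starts with "*.", matches hosts that have exactly one extra leading label.
    param([string]$Pattern, [string]$HostName)
    $p = $Pattern.Trim().TrimEnd('.').ToLowerInvariant()
    $h = $HostName.Trim().TrimEnd('.').ToLowerInvariant()
    if ($p.StartsWith('*.')) {
        $suffix = $p.Substring(2)
        $labels = $h.Split('.')
        if ($labels.Count -lt 2) { return $false }
        return (($labels[1..($labels.Count - 1)] -join '.') -eq $suffix)
    }
    return ($p -eq $h)
}

function Compare-MtaStsWithMx {
    # Returns one object per MX host with a Covered flag plus the policy mode,
    # so you can see whether an uncovered host would be rejected (mode: enforce).
    param([string[]]$MxHosts, [string]$PolicyText)
    $patterns = @()
    $mode = 'unknown'
    foreach ($line in ($PolicyText -split "`r?`n")) {
        if ($line -match '^\s*mx\s*:\s*(\S+)')   { $patterns += $Matches[1] }
        if ($line -match '^\s*mode\s*:\s*(\S+)') { $mode = $Matches[1] }
    }
    foreach ($mx in $MxHosts) {
        $covered = $false
        foreach ($pat in $patterns) {
            if (Test-MtaStsMxPattern -Pattern $pat -HostName $mx) { $covered = $true; break }
        }
        [pscustomobject]@{ MxHost = $mx; Covered = $covered; PolicyMode = $mode }
    }
}

function Test-MtaStsCoversMx {
    # Live variant: resolve the MX records and fetch the published policy.
    param([Parameter(Mandatory)][string]$Domain)
    $mxHosts = (Resolve-DnsName -Name $Domain -Type MX -ErrorAction Stop |
        Where-Object { $_.QueryType -eq 'MX' }).NameExchange
    $policy = (Invoke-WebRequest -Uri "https://mta-sts.$Domain/.well-known/mta-sts.txt" -UseBasicParsing).Content
    Compare-MtaStsWithMx -MxHosts $mxHosts -PolicyText $policy
}

# Constructed offline sample: the existing Exchange Online MX host plus a new
# DANE MX host (placeholder name), and a policy that only covers the old one.
$sampleMx = @('contoso-com.mail.protection.outlook.com', 'contoso-com.NEW-DANE-MX-PLACEHOLDER.example')
$samplePolicy = @"
version: STSv1
mode: enforce
mx: *.mail.protection.outlook.com
max_age: 604800
"@
Compare-MtaStsWithMx -MxHosts $sampleMx -PolicyText $samplePolicy
# The second host is reported with Covered = False until an "mx:" line for it is added.
# For a real domain: Test-MtaStsCoversMx -Domain 'exchangelabs.nl'
```

Note that sending MTAs cache the policy for max_age; they only fetch a new version when the id in the _mta-sts TXT record changes, so after editing the policy file also update that id.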

Enabling DANE in Exchange Online

The second step is to actually enable DANE for inbound messages. To do this, execute the following command in Exchange Online PowerShell:

Enable-SmtpDaneInbound -DomainName Exchangelabs.nl

There’s not much output, as can be seen in the following screenshot:

It takes approximately 15 to 30 minutes for the TLSA record to propagate. After that, you can use the Remote Connectivity Analyzer at https://testconnectivity.microsoft.com/tests/O365DaneValidation/input (or another tool such as https://www.huque.com/bin/danecheck-smtp) to check, as shown in the following screenshot:

DNSSEC and DANE are now ready to use.

MMC crashes when managing SMTP service in Windows 2022

Important note before I continue: the SMTP stack in Windows is a legacy of the old IIS6 service that was part of Windows 2003. As such, it is long out of support, but it is still available in Windows 2022. You can use it, but at your own risk and without support.

You can install the Windows SMTP Service on Windows 2022 using the following command:

Install-WindowsFeature -Name SMTP-Server,Telnet-Client -IncludeAllSubFeature -IncludeManagementTools -Restart

But when trying to manage the SMTP service, the MMC snap-in crashes.

There’s an easy way to fix this by editing the MetaBase.xml file. First stop the services with the following commands:

Stop-Service SMTPsvc
Stop-Service IISAdmin

Under the IIsSmtpServer node, add a new line RelayIPList="" as shown in the following screenshot:

Start the services again using the following PowerShell commands:

Start-Service IISAdmin
Start-Service SMTPsvc
Set-Service SMTPsvc -StartupType Automatic

You can use the last command to set the startup mode of the SMTP service to automatic (manual is the default setting).
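The same fix as one idempotent script (added example, not from the original post): it stops the services, keeps a timestamped backup of MetaBase.xml, adds RelayIPList="" to every IIsSmtpServer element that does not already have it, and starts the services again. It assumes the default IIS 6 metabase location under %windir%\System32\inetsrv.

```powershell
# Added example, not from the original post. Assumes the default metabase path.
$MetaBase = Join-Path $env:windir 'System32\inetsrv\MetaBase.xml'
if (-not (Test-Path $MetaBase)) { throw "MetaBase.xml not found at $MetaBase" }

# The metabase must not be edited while IISAdmin holds it, so stop SMTP and IISAdmin first.
Stop-Service SMTPsvc -ErrorAction SilentlyContinue
Stop-Service IISAdmin -Force

# Keep a backup: the metabase is the only copy of the SMTP configuration.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
Copy-Item $MetaBase "$MetaBase.$stamp.bak"

$text = [System.IO.File]::ReadAllText($MetaBase)
$changed = 0
# Insert the attribute directly after the element name; the existing attributes
# (one per line in MetaBase.xml) stay untouched.
$evaluator = [System.Text.RegularExpressions.MatchEvaluator]{
    param($m)
    if ($m.Value -match 'RelayIPList\s*=') { return $m.Value }
    $script:changed++
    return ($m.Value -replace '^<IIsSmtpServer', '<IIsSmtpServer RelayIPList=""')
}
$newText = [regex]::Replace($text, '<IIsSmtpServer\b[^>]*>', $evaluator)

if ($changed -gt 0) {
    [System.IO.File]::WriteAllText($MetaBase, $newText)
    "Added RelayIPList to $changed IIsSmtpServer node(s); backup at $MetaBase.$stamp.bak"
} else {
    'RelayIPList already present; MetaBase.xml unchanged'
}

Start-Service IISAdmin
Start-Service SMTPsvc
Set-Service SMTPsvc -StartupType Automatic
```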

Your SMTP service on Windows 2022 can now be managed using the MMC snap-in.

Remove the last Exchange server

Removing the last Exchange server in a hybrid environment was announced more than 2 years ago with Exchange 2019 CU12 and Exchange 2016 CU23 (Released: 2022 H1 Cumulative Updates for Exchange Server), but finally I’m working with a customer that wants to do this: remove that last Exchange server in a hybrid environment.

This customer is not in the process of decommissioning their datacenters yet, but they do want to decommission their last Exchange 2019 server (all their mailboxes are in Exchange Online). The Domain Controllers are still running on-premises, so the Exchange 2019 server is only used for management purposes (SMTP relay has already been moved elsewhere).

The first thing is to remove the Hybrid Configuration. I wrote about that in 2020, but the article is still valid: https://jaapwesselius.com/2020/12/15/remove-exchange-hybrid-configuration/.

The second step is to install the Exchange 2019 management tools. This can be on a Domain Controller or on a Management Server. To install the Exchange 2019 management tools, the Active Directory management tools, the Visual C++ Redistributable Package for Visual Studio 2012 and the IIS6 management tools must be installed first. Execute the following commands in an elevated PowerShell window:

PS C:\> Install-WindowsFeature rsat-adds,telnet-client
PS C:\> Enable-WindowsOptionalFeature -Online -FeatureName IIS-IIS6ManagementCompatibility, IIS-Metabase -All

Once the Exchange Management Shell is installed, starting it connects to an Exchange 2019 server; when no such server is available, the Exchange Management Shell fails. To work with Exchange PowerShell anyway, open a regular Windows PowerShell window and execute the following command:

PS C:\> Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

This uses the Exchange PowerShell snap-in that’s installed on the management server, but it does not connect anywhere, and it does not use any RBAC configuration. When using this, the following Exchange PowerShell commands are available:

  • *-MailUser
  • *-MailContact
  • *-RemoteMailbox
  • *-DistributionGroup
  • *-DistributionGroupMember
  • *-EmailAddressPolicy
  • Set-User and Get-User

To enable an existing user account for a mailbox in Exchange Online, you can use the Get-User command and pipe it to the Enable-RemoteMailbox command, like this:

PS C:\> Get-User JaapICT | Enable-RemoteMailbox -RemoteRoutingAddress JaapICT@contoso.mail.onmicrosoft.com

The Remote Mailbox will be created and all properties will be set correctly, including the email address conforming to the existing Email Address Policy. This is clearly visible when requesting the properties of the mailbox:

PS C:\> Get-RemoteMailbox -Identity JaapICT | select name -ExpandProperty EmailAddresses

Name               : JaapICT
AddressString      : C=NL;A= ;P=Corporation;O=Contoso;S=JaapICT;
ProxyAddressString : X400:C=NL;A= ;P=Corporation;O=Contoso;S=JaapICT;
Prefix             : X400
IsPrimaryAddress   : True
PrefixString       : X400

Name               : JaapICT
SmtpAddress        : JaapICT@Contoso.com
AddressString      : JaapICT@Contoso.com
ProxyAddressString : SMTP:JaapICT@Contoso.com
Prefix             : SMTP
IsPrimaryAddress   : True
PrefixString       : SMTP

Name               : JaapICT
SmtpAddress        : jaapict@Contoso.mail.onmicrosoft.com
AddressString      : jaapict@Contoso.mail.onmicrosoft.com
ProxyAddressString : smtp:jaapict@Contoso.mail.onmicrosoft.com
Prefix             : SMTP
IsPrimaryAddress   : False
PrefixString       : smtp
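For more than a handful of users, the same steps as a small script (added example, not from the original post): it loads the snap-in, enables a remote mailbox for every identity in a CSV file, and then verifies that the primary SMTP address was stamped by the Email Address Policy and that the routing address is present, so that a user whose attributes were not set correctly stands out. The routing domain, the CSV file name and its Identity column are assumptions.

```powershell
# Added example, not from the original post. Routing domain and CSV layout are assumptions.
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn -ErrorAction Stop

$RoutingDomain = 'contoso.mail.onmicrosoft.com'   # assumption: your tenant's *.mail.onmicrosoft.com domain

function Enable-RemoteMailboxWithCheck {
    param([Parameter(Mandatory)][string]$Identity)

    $user = Get-User -Identity $Identity -ErrorAction Stop
    # A plain AD user has RecipientType 'User'; anything else is already mail-enabled.
    if ($user.RecipientType -ne 'User') {
        return [pscustomobject]@{ Identity = $Identity; PrimarySmtpAddress = $null
                                   RoutingAddressStamped = $null; Result = "skipped ($($user.RecipientType))" }
    }

    $routing = "$($user.SamAccountName)@$RoutingDomain"
    $null = $user | Enable-RemoteMailbox -RemoteRoutingAddress $routing -ErrorAction Stop

    # Verify what was stamped: exactly one upper-case SMTP: (primary) address from the
    # Email Address Policy, and the lower-case smtp: routing address for Exchange Online.
    $rm = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $addresses = $rm.EmailAddresses | ForEach-Object { $_.ProxyAddressString }
    $hasRouting = $addresses -contains "smtp:$routing"           # -contains is case-insensitive
    $primary = @($addresses | Where-Object { $_ -cmatch '^SMTP:' }) -replace '^SMTP:', ''
    $result = if ($hasRouting -and $primary.Count -eq 1) { 'ok' } else { 'check manually' }

    [pscustomobject]@{
        Identity              = $Identity
        PrimarySmtpAddress    = ($primary -join ';')
        RoutingAddressStamped = $hasRouting
        Result                = $result
    }
}

# Constructed input: a CSV with one column named Identity (sAMAccountName or UPN per row).
Import-Csv .\users-to-enable.csv |
    ForEach-Object { Enable-RemoteMailboxWithCheck -Identity $_.Identity } |
    Format-Table -AutoSize
```

Enable-RemoteMailbox only stamps the on-premises object; the mailbox itself is provisioned in Exchange Online after directory synchronization and license assignment, so a Result of ok here means the attributes are right, not that the cloud mailbox already exists.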

Now that everything is working, the last Exchange 2019 server can be removed. What I normally recommend is to disable all Exchange services on the server and leave it running for one or two weeks. If any issues arise, it is easy to start the Exchange services again and fix the problem.

When nothing bad happens, you can remove the last Exchange server. After disabling the last mailboxes and removing the Mailbox Databases and Send Connectors, turn off the Exchange 2019 server. DO NOT UNINSTALL Exchange 2019, but shut down the Exchange 2019 server and remove it. That is, delete the VM or reconfigure the bare metal server with something else, but DO NOT UNINSTALL the Exchange 2019 server. The management tools that are installed still use the configuration settings in Active Directory.

From this moment on you must manage your recipients in Exchange Online using the on-premises management server where the Exchange Management Tools are installed (I say on-premises server, but this can also be a VM in Azure of course; as long as it is a domain-joined server you are good).

Exchange vNext will be Exchange Server Subscription Edition

Today Microsoft silently released an update to their Exchange roadmap, which includes information regarding Exchange 2019 CU15 and Exchange vNext. You can read all the Microsoft marketing stuff on the Exchange Server Roadmap Update article.

What’s new is that vNext is rebranded to Exchange Server Subscription Edition, just like we have SharePoint Subscription Edition.

The most important part about Exchange Server Subscription Edition is that it is ‘code equivalent’ to Exchange 2019 CU15. So, if you have Exchange 2019 CU15 running later this year, updating to vNext is just a matter of an in-place upgrade. There’s one thing we need to look out for: the underlying Operating System. If you install CU15 on Windows Server 2022 (or worse, on Windows Server 2019) and SE only supports Windows Server 2025, we will be very unhappy 🙂

What are new features in Exchange 2019 CU15 and thus Exchange Server SE?

  • Support for TLS 1.3 (which was planned for CU14).
  • Certificate management in the Admin Center.
  • Removal of the UCMA (makes sense, since there won’t be any support for Unified Messaging).
  • Removal of the MSMQ components in the setup application (MSMQ components are not needed in earlier versions of Exchange 2019, please check the Exchange 2019 requirements article).
  • Re-introducing certificate management in the Admin Center.

So, when can we expect Exchange Server Subscription Edition? As Exchange Server SE is identical to Exchange 2019 CU15 (it will include the necessary security updates, of course), the only difference is the licensing of Exchange Server SE. You need a subscription license for the server, old Client Access Licenses are no longer supported, and you can use the regular Office 365 licenses for clients.

Microsoft states it will be available early Q3 2025, which means early July 2025. Since support for Exchange 2016 and Exchange 2019 will end in October 2025 Microsoft cannot afford to slip this date since you need sufficient time to upgrade from earlier versions of Exchange server.

What’s also interesting is that Microsoft is already releasing information about Exchange Server SE CU1, which should be released by the end of 2025 (can slip though).

The most interesting features in Exchange Server SE are Kerberos authentication for server-to-server authentication, the removal of Outlook Anywhere and the deprecation of Remote PowerShell. This brings Exchange Server SE nicely in line with Exchange Online.

There’s one very important announcement Microsoft makes: Exchange server SE CU1 will stop supporting co-existence with ALL PREVIOUS VERSIONS of Exchange server. So, this means that in that timeframe, only Exchange Server SE CU1 (and later) will be supported and all previous versions of Exchange server must be removed from your environment.

Exchange Server SE is still approximately 18 months away from now, but it is time to start thinking about your Exchange environment. Do you want to fully move to Exchange Online, or do you want to keep mailboxes on-premises in Exchange Server? If so, it’s time to start working on moving to Exchange 2019 CU14 and upgrade to CU15 later this year (or skip CU14 and move directly to CU15).

It is not a strange idea; I’m currently working with three large Exchange 2016 on-premises deployments to move them to Exchange 2019 and prepare for Exchange Server SE.

So, lots of work to do the upcoming 18 months 🙂

Hotfix Update for Exchange 2016 and Exchange 2019

Wait, what? On April 23, 2024 Microsoft released a hotfix update for Exchange 2016 and Exchange 2019, and as MVPs we only learned about this last week.

A hotfix update or HU contains fixes for issues that might arise with a security update in Exchange server. For example, the March 2024 SU for Exchange server introduced a number of issues, and these are fixed with this HU. Besides hotfixes, a HU can also contain new features that did not make it into the last security update (SU) or Cumulative Update (CU). In this HU, for example, Hybrid Modern Authentication for OWA and ECP is introduced as a new feature. Another new feature introduced in this HU is support for ECC (Elliptic Curve Cryptography) certificates. ECC certificates, however, are not supported for the federation trust certificate or the Exchange server OAuth certificate, and ECC certificates cannot be used when ADFS claims-based authentication is used.

The following issues are fixed in this HU:

  • “We can’t open this document” error in OWA after installing March 2024 SU
  • Search error in Outlook cached mode after installing March 2024 SU
  • OwaDeepTestProbe and EacBackEndLogonProbe fail after installing March 2024 SU
  • Edit permissions option in the ECP can’t be edited
  • Outlook doesn’t display unread message icon after installing Exchange Server March 2024 SU
  • My Templates add-in doesn’t work after installing Exchange Server March 2024 SU
  • Download domains not working after installing the March 2024 SU

You can download this hotfix update for Exchange server here:

Exchange 2019 CU14 HU2 – https://www.microsoft.com/en-us/download/details.aspx?id=106021
Exchange 2019 CU13 HU6 – https://www.microsoft.com/en-us/download/details.aspx?id=106022
Exchange 2016 CU23 HU13 – https://www.microsoft.com/en-us/download/details.aspx?id=106023

Be aware that the filename for all versions of this HU is the same (Exchange2019-KB5037224-x64-en.exe) so when downloading multiple versions make sure you store them at different locations.

A hotfix update is cumulative and includes all security features and fixes from the previous security updates. If you are running Exchange 2019 CU14 and have not installed the March 2024 security update, there’s no need to install it first; just continue with the immediate installation of this HU.

More information