Tag Archives: Office 365

Outlook 2010 disconnected with TLS 1.2

September 23, 2018 jaapwesselius 1 Comment

When my normal laptop died last week I had to use an older laptop, and this laptop had Windows 7 and Outlook 2010 installed, one of my personal favorite Outlook clients.

However, Outlook 2010 did work correctly with Mailboxen in Exchange Online, but Outlook refused to work with Mailboxen on my on-premises Exchange 2016 server. The only thing I saw in the lower right corner was “Disconnected” and every now and then Outlook tried to connect, but no luck.

When checking the Connection Status in Outlook I could see that the directory connection was established, but the Exchange Connections disconnected. The Exchange sever and mailbox were ok since I was able to connect using OWA and my Outlook for iPhone client.

The Test Email AutoConfiguration option in Outlook wasn’t very helpful either, it just showed that it was unable to determine the settings and none of the Autodiscover options worked.

Using the Internet Explorer browser I tried to access my Autodiscover.exchangelabs.nl site, and after a logon prompt I got the famous ErrorCode 600. This is good, so I know my Autodiscover is at least listening properly.

The Exchange Remote Connectivity Analyzer (http://aka.ms/exrca) showed that there was an issue with my SSL certificate:

The SSL certificate however is a valid Digicert UC certificate and there’s nothing wrong with this certificate. IE does use it, and the Digicert help utility doesn’t show anything strange either.

Oh, and my Outlook 2016 running on another computer did work correctly, so there should be a configuration error impacting Outlook 2010 only.

Then I realized that a week before I accidentally ruined the Virtual Service on my Kemp Load Balancer and I quickly created a new Virtual Service using the correct template. As a security measure I only selected TLS 1.2 on the SSL properties of the Virtual Service.

After enabling TLS 1.0 on the Virtual Service, Outlook 2010 started to work correctly again and (to my surprise) so did the Remote Connectivity Analyzer.

So, obviously TLS 1.0 was the culprit here and by enabling TLS 1.0 Outlook 2010 started to work again.

When checking my laptop using the SSLLABS website (https://www.ssllabs.com/ssltest/viewMyClient.html), all looks fine and TLS 1.2 is fully supported by my Windows 7 client:

It must be something with Outlook 2010 and TLS1.2. I found an interesting article on Technet regarding enabling of TLS 1.1 and TLS 1.2. Create a DWORD value DefaultSecureProtocols in the registry under the following keys:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Internet Settings\WinHttp

Its value should be one of the following:

For only TLS 1.1 and 1.2: A00 (hexadecimal)

For TLS 1.0, 1.1, and 1.2: A80 (hexadecimal)

Also, create the following DWORD values DisabledByDefault in the following locations and assign it the value of ‘0’:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client

When needed create the necessary subkeys under the \Protocols key.

Now your Windows 7 and Outlook 2010 will support a TLS 1.2 environment only (this is also true for Windows 8 BTW).

Summary

Outlook 2010 does not support TLS 1.2 out of the box. This can be an issue if you or your network department starts implementing a TLS 1.2 environment only. You have to enable TLS 1.2 on the workstation by setting a registry key. After this it works fine.

Next October Microsoft will stop support for TLS 1.0 and TLS 1.1. This means that if you run into an issue caused by TLS 1.0 or TLS 1.1 it won’t be fixed. Please note that Microsoft will continue to accept TLS 1.0 and TLS 1.1 connection from clients, it just won’t be supported anymore.

Microsoft is working on a plan to disable TLS 1.0 and TLS 1.1 but that won’t happen anytime soon. When this is going to happen, Microsoft will give notification 6 months in advance of disabling TLS 1.0 and TLS 1.1.

More information

https://www.ssllabs.com/ssltest/viewMyClient.html

https://blogs.technet.microsoft.com/schrimsher/2016/07/08/enabling-tls-1-1-and-1-2-in-outlook-on-windows-7/

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

https://technet.microsoft.com/en-us/library/dn786418(v=ws.11).aspx

Last edited on October 26, 2018.

Exchange Hybrid

Cannot find a recipient that has mailbox GUID when moving from Exchange Online to Exchange 2016

June 14, 2018 jaapwesselius 10 Comments

When moving mailboxes from Exchange Online to Exchange 2016 on-premises in a hybrid environment, the move fails with an error “Cannot find a recipient that has mailbox GUID ‘ ‘

The error is listed here for Search Engine purposes:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’add02766-9698-48e6-9234-91c3077137bc’. –> Cannot find a recipient that has mailbox GUID ‎ add02766-9698-48e6-9234-91c3077137bc ‎’.
Report: bramwess@exchangelabs.nl

When checking the user account with ADSI Edit in the on-premises Active Directory it is obvious that this property is empty:

When checking the Mailbox in Exchange Online (using Remote PowerShell) the Exchange GUID is visible when using the command

Get-Mailbox -Identity name@exchangelabs.nl | Select Name,*GUID*

As shown in the following screenshot:

It took me some time to figure out why this property was empty. Normally when moving mailboxes from Exchange on-premises to Exchange Online the Mailbox GUID is retained. Keeping the Mailbox GUID makes sure you don’t have to download the .OST file again after moving to Exchange Online.

What happened here is that the user was created in Active Directory on-premises, and a Mailbox was directly created in Exchange Online using the Enable-RemoteMailbox command. In this scenario, there never was a Mailbox on-premises and thus never a Mailbox GUID.

The solution is to copy and paste the Mailbox Guid as found in the previous command into the Remote Mailbox object on-premises using the Set-RemoteMailbox command

Set-RemoteMailbox user@exchangelabs.nl -ExchangeGuid “copied value”

As shown in the following screenshot:

When setting the Mailbox Guid the mailbox can be moved from Exchange Online to Exchange on-premises.

Ps. Don’t forget to repeat this for anchive mailbox (if one exists)

Exchange Hybrid

Exchange Resource Forest and Office 365 – Part I

April 25, 2018 jaapwesselius 8 Comments

A fully supported scenario in Exchange is the so-called Resource Forest model. In this scenario there’s an Active Directory account forest where all user accounts and regular services exist, and there’s an Active Directory resource forest where Exchange is installed. This scenario is supported for Exchange 2010, Exchange 2013 and Exchange 2016 and I’ve seen this several times at several customers, with several Exchange versions.

So, Exchange is installed in the resource forest, and the mailboxes in this Exchange implementation are so-called Linked Mailboxes. The Mailbox here is linked to a user account in the account forest. There’s a user account for the Linked Mailbox in the resource forest, but by design this is a disabled account.

When provisioning a Mailbox, a user account is created in the account forest, an identical (but disabled) user account is created in the resource forest and a linked mailbox is created. Provisioning can be done using a Microsoft tool like Microsoft Identity Manager (MIM), a third party tool like Quest or using plain PowerShell scripts. The process is shown in the following figure:

This can be useful if you have multiple account forests that need to use one Exchange organization, a situation that I’ve seen at multiple customers. You end up with a scenario like this:

I must agree, things can become complicated pretty fast, but it’s a fully supported scenario and in some cases, it can be useful. One of my customers has implemented this scenario because of multiple acquisitions.

In my lab environment I’m working with the first scenario. I’ve installed an account forest (accounts.local) and a resource forest (resources.local). The installed Exchange version is Exchange 2010, there’s one multi-role Exchange 2010 server, and there’s one Exchange 2010 Edge Transport server. Both servers are running Service Pack 3 with Rollup Update 20. Accounts are created in the account forest, and a linked mailbox is created in the resource forest.

Every mailbox has a property called msExchangeRecipientTypeDetails, and this tells what kind of mailbox it is. When this property has a value of “2” it is a linked mailbox, if it has a value of “1” it is regular mailbox. An overview of this property and its values can be found in a blog from John Baily on TechNet.

The second important property of a mailbox is the msExchMasterAccountSID. For a linked Mailbox, the msExchMasterAccountSID attribute is populated with the value of the objectSID of the corresponding user in the account forest. When using ADSI Edit and checking the objectSID of the user account and the msExchMasterAccountSID of both account you’ll see that they have the same value. For a test user called Don Drop in the account forest you can see the following objectSID:

And for the corresponding disabled account in the resource forest we can see the following msExchMasterAccountSID:

Or if you prefer to use PowerShell, execute the following commands in a PowerShell window (in the Exchange forest) to retrieve the msExchMasterAccountSID:

Import-Module ActiveDirectory
$MBXUser = Get-ADUser -Identity Don -Properties *
$MBXUser.msExchMasterAccountSID | fl

To retrieve the user’s objectSID from the account domain execute the following PowerShell commands:

$AccountsCred = Get-Credential "accounts\administrator"
Get-ADUser -Filter {ObjectSID -eq $MBXUser.msExchMasterAccountSid} -Properties * -Server accdc01.accounts.local -Credential $AccountsCred | fl Name,ObjectSID

Note. You will see this objectSID and MSExchMasterAccountSid again in the next blog on Azure AD Connect in this scenario.

To check permissions on the mailbox you can use the Get-ADPermission command against the output of the Get-Mailbox command:

Get-Mailbox -Identity Don | Get-ADPermission -User Accounts\Don | fl *

As you can see Don has the appropriate permissions on his mailbox.

Note. To convert a linked mailbox to a regular mailbox you can remove the value for the msExchMasterAccountSID by using Set-User command:

Set-User -Identity Don -LinkedMasterAccount $NULL

This will reset the msExchMasterAccountSID, but at the same time changes the value of the msExchRecipientTypeDetails from “2” (linked Mailbox) to “1” (normal Mailbox).

Summary

So, by now you should know more about the Exchange resource forest model. It is a little more complex than a single forest, single domain model with Exchange installed, but it is a fully supported scenario. And a scenario I see at customers very regularly.

In my next blog I will discuss more about Azure AD Connect in this resource forest model.

Office365

MigrationTransientException: Target database GUID cannot be used (Mailbox database size limits in Exchange Online)

August 21, 2017 jaapwesselius 4 Comments

If you are designing Exchange 2016 (or have been designing Exchange 2013) environment you are aware of the The Exchange 2016 Preferred Architecture (https://blogs.technet.microsoft.com/exchange/2015/10/12/the-exchange-2016-preferred-architecture/) and articles like Ask the Perf Guy: How big is too BIG? (https://blogs.technet.microsoft.com/exchange/2015/06/19/ask-the-perf-guy-how-big-is-too-big/) which explain pretty much how to design an Exchange solid (and large) Exchange environment.

When it comes to Mailbox databases, the recommended size limit for non-replicated databases is 200GB and for replicated databases 2 TB (when running 3 or 4 copies of a Mailbox database).

One can only guess how Microsoft has designed their Exchange servers in Exchange Online, but we can assume that the Preferred Architecture is written with their Exchange Online experiences in mind.

Sometimes error messages that are generated in Exchange Online can reveal more information. While moving mailboxes from Exchange 2010 to Exchange Online in a hybrid configuration the following error message was returned in a migration batch for a number of Mailbox databases:

Error: MigrationTransientException: Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’. –> Target database ‎’07bdf507-ab94-479b-aeb6-1bfef1458c4c‎’ cannot be used: Current database file size: 1502835900416 Current space available inside database: 100237312 Allowed database growth percentage: 90 Maximum database file size limit: 1622722691784 Is database excluded from provisioning: ‎’False‎’.

Obviously it’s telling us the migration cannot proceed since the target Mailbox (in Exchange Online!) has reached its size limit. The following sizes are reported:

Current database file size: 1502835900416 (1,502,835,900,416 bytes, approx. 1.5TB)
Current space available inside database: 100237312 (100.237.312 bytes, approx. 100MB)
Maximum database file size limit: 1622722691784 (1.622.722.691.784 bytes, approx. 1.6 TB)

So, the maximum size limit for Exchange 2016 in Exchange is not really used in Exchange Online, but it’s getting close, which is interesting to see.

What I don’t understand is why this issue occurs in the first place. To me it looks like a failing part in the provisioning service but I have to admit I’ve never seen this before in the last couple of years so I expect it’s only one Exchange server that’s failing here.

Exchange

Moving from Exchange 2010 to Office 365 Part II

May 16, 2017 jaapwesselius 25 Comments

In my previous blogpost, I’ve discussed the prerequisites for moving from Exchange 2010 to Office 365 when using Directory Synchronization (using Azure AD Connect). In this blogpost I’ll discuss how to create an Exchange 2010 hybrid environment.

Exchange 2010 Hybrid

Now that Directory Synchronization is in place using Azure AD Connect we can focus on connecting the on-premises Exchange environment to Exchange Online, this a called an Exchange Hybrid Configuration.

Hybrid configurations can consist of Exchange 2010, Exchange 2013 or Exchange 2016 or a combination of versions, so it is possible to have an Exchange 2010 and Exchange 2013 coexistence scenario on-premises, and connect this to Exchange Online. However, when using multiple versions of Exchange in a Hybrid configuration there’s always add complexity, and when configured incorrectly you can get unexpected results. Therefore, I typically recommend using only one version, so if you’re running Exchange 2010 on-premises, there’s no need to add an Exchange 2013 or Exchange 2016 server to your configuration, just as a ‘hybrid server’. Despite what other people tell you, there’s no need to add a newer version, and Exchange 2010 Hybrid is fully supported by Microsoft. Better is to create an Exchange 2010 hybrid environment, and when the mailboxes (or most the mailboxes) are moved to Office 365 upgrade your existing Exchange 2010 environment to Exchange 2016. But that might be an interesting topic for a future blog post Smile .

Basically, we will create the following configuration (again, there is no Exchange 2016 server installed in the existing organization):

Figure 14. Exchange 2010 hybrid configuration.

Continue reading Moving from Exchange 2010 to Office 365 Part II →

Jaap Wesselius

Tag Archives: Office 365

Outlook 2010 disconnected with TLS 1.2

Summary

More information

Cannot find a recipient that has mailbox GUID when moving from Exchange Online to Exchange 2016

Exchange Resource Forest and Office 365 – Part I

Summary

MigrationTransientException: Target database GUID cannot be used (Mailbox database size limits in Exchange Online)

Moving from Exchange 2010 to Office 365 Part II

Exchange 2010 Hybrid

Messaging Consultant