Just Announced – Office 365 Video!

Office 365 development continues at a fast pace, and the latest product to be added to the portfolio is Office 365 Video. Video is becoming a more and more prevalent way to share content, ideas and information, and with Office 365 Video you will be able to run your own corporate YouTube-style portal for video content. The portal allows Yammer conversations to take place alongside the video, and allows video to be uploaded and consumed on any device, right in line with Microsoft’s vision of a mobile-first, cloud-first world.

SharePoint Online is required for Office 365 Video to function, and it will become available worldwide in early 2015 on a per-tenant basis. Only Enterprise and Academic plans will get the feature, and I can see it being a hit with the Academic plans in particular! For the government Office 365 customers out there, the feature is planned but no release date has been set yet.

There is no additional cost for video storage, but it counts against your Team Site pooled storage, so keep large file sizes in mind. Like most Office 365 features, you will also be able to enable and disable Office 365 Video at will.

To find out more information, check out http://blogs.office.com/2014/11/18/introducing-office-365-video/

Exchange 2013 CU6 – Hybrid Configurations and Hardware Load Balancing…

Exchange 2013 CU6 was released at the end of August, and it’s fair to say it wasn’t Microsoft’s most elegant CU release ever. If you already have a Hybrid Configuration in place, you will hit the following problems after installing it:

– You cannot use the on-premises Exchange Admin Center to create new Office 365 mailboxes, move mailboxes to Exchange Online, or create In-Place Archive mailboxes.

– You also cannot administer Office 365 through the EAC, because clicking the Office 365 management tab takes you to a marketing page for Office 365 rather than the Office 365 login page.

Microsoft has released a script to fix this behaviour, available here: http://support.microsoft.com/kb/2997355/en-us

It’s lucky that this script is available, because Microsoft made some changes to Exchange Online in the last few weeks. As a result, if you now attempt to create or manage a Hybrid Configuration from Exchange 2013 CU5 or older, the Hybrid Configuration Wizard fails with the following error:

Subtask CheckPrereqs execution failed: Check Tenant Prerequisites

Deserialization fails due to one SerializationException: 

Microsoft.Exchange.Compliance.Serialization.Formatters.BlockedTypeException: The type to be (de)serialized is not allowed: Microsoft.Exchange.Data.Directory.DirectoryBackendType

This is resolved by, you guessed it, upgrading to Exchange 2013 CU6. Just remember to run the script linked above after installation!

Another problem, which a colleague of mine witnessed a few days back, relates to CU6 and CAS load balancing. If you use a hardware load balancer such as a Kemp or a NetScaler and you install CU6, you will need to change your availability monitors. Application-aware load balancers are often configured to monitor Exchange Server 2013 via the Default Web Site in IIS, and a design change in CU6 causes such a monitor to mark the Exchange 2013 server as down.

If you request the root of the Default Web Site on an Exchange 2013 CU6 CAS, it now returns an HTTP 302 redirect to the OWA virtual directory rather than a 200. A monitor that only accepts a 200 sees this and marks the server as down. To resolve this, point your load balancer at https://CASFQDN/protocol/healthcheck.htm instead; for example, to monitor OWA you would use https://CASFQDN/owa/healthcheck.htm. These healthcheck.htm pages return 200 only while Managed Availability considers that protocol healthy on that server, so they are a better health signal than the site root ever was, and they let you monitor each protocol independently. The KB for this issue is here: http://support.microsoft.com/kb/3002351
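To see the difference for yourself before reconfiguring the load balancer, the following PowerShell script probes the site root and the per-protocol health pages on one CAS. This is an added example, not code from the original post or from Microsoft: the CAS name is a parameter, the virtual directory list is an assumption (the standard Exchange 2013 CAS set; trim it to what your VIPs actually publish), and it assumes the certificate on the CAS is trusted by the machine you run it from.

```powershell
# Added example (not from the original post): probe the per-protocol health
# pages a load balancer should monitor after CU6, and show why the Default
# Web Site root is no longer a usable monitor target. The virtual directory
# list is assumed (the standard Exchange 2013 CAS set); trim it to what your
# VIPs actually publish. Assumes the CAS certificate is trusted by this host.
param(
    [Parameter(Mandatory)][string]$CasFqdn,
    [string[]]$Protocols = @('owa', 'ecp', 'ews', 'mapi', 'oab', 'rpc',
                             'Autodiscover', 'Microsoft-Server-ActiveSync', 'PowerShell')
)

function Get-HttpStatus {
    param([Parameter(Mandatory)][string]$Uri)
    try {
        # -MaximumRedirection 0 stops the cmdlet following the 302 silently,
        # which is how a monitor that expects a plain 200 sees the server.
        $r = Invoke-WebRequest -Uri $Uri -UseBasicParsing -MaximumRedirection 0 -ErrorAction Stop
        return [int]$r.StatusCode
    } catch {
        # Non-2xx responses (including the 302) surface as an exception that
        # still carries the HTTP response; anything else is a transport failure.
        if ($_.Exception.Response) { return [int]$_.Exception.Response.StatusCode }
        return -1
    }
}

# The site root: expect 302 on CU6 and later.
$rootStatus  = Get-HttpStatus -Uri "https://$CasFqdn/"
$rootVerdict = if ($rootStatus -eq 200) { 'UP' } else { 'DOWN (do not monitor this)' }
'{0,-60} {1,4}  {2}' -f "https://$CasFqdn/", $rootStatus, $rootVerdict

# The per-protocol pages: 200 only while Managed Availability reports the
# protocol healthy, so each VIP can be monitored independently.
foreach ($protocol in $Protocols) {
    $uri     = "https://$CasFqdn/$protocol/healthcheck.htm"
    $status  = Get-HttpStatus -Uri $uri
    $verdict = if ($status -eq 200) { 'UP' } else { 'DOWN' }
    '{0,-60} {1,4}  {2}' -f $uri, $status, $verdict
}
```

Run it as `.\Test-CasHealth.ps1 -CasFqdn cas01.corp.example` from a host that can reach the CAS directly (not through the VIP), and compare the 302 on the root with the 200s on the healthcheck.htm pages; any protocol that is not 200 is one Managed Availability has taken out of service, which is exactly what you want the load balancer to react to.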

Exchange Server 2013 CU6 has been a bit of a box of tricks so far, but if you are about to modify or create a Hybrid Configuration, then you MUST upgrade in order to be successful. Hopefully this article will help you in your quest for Hybrid greatness!

Convert Server 2012 or R2 evaluation to Standard or Datacenter

Today I had to convert an evaluation copy of Server 2012 to a full retail version. This is documented on TechNet, but here is the lowdown:

1. Open an administrative command prompt.
2. Run DISM /online /Get-CurrentEdition to see which edition you are currently running. If you are running the evaluation copy this reports ServerStandardEval or ServerDatacenterEval.
3. Run DISM /online /Get-TargetEditions to list the editions you can upgrade to. For my purposes, ServerStandard was the one to go for, although ServerDatacenter was also offered, even from the ServerStandardEval copy.
4. To upgrade, run the following command:
DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

You will then need to reboot a couple of times for the changes to take effect. You’re now running a full retail version of the product!

The same method is used to upgrade from Standard to Datacenter. Note that you cannot go from Datacenter to Standard, or from a retail copy back to an evaluation.
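Because the edition change is one-way, it is worth wrapping the steps above in a few checks rather than typing the DISM command straight onto a production server. The script below is an added example (not from the original post or from Microsoft): it confirms the session is elevated, reads the current edition and the editions DISM is willing to offer, refuses anything not on that list, and only then runs the Set-Edition command. The product key is a placeholder you supply as a parameter.

```powershell
# Added example (not from the original post): the DISM steps above wrapped in
# the checks you want before changing the edition of a production box. Run in
# an elevated PowerShell session; the product key is a placeholder you supply.
param(
    [Parameter(Mandatory)]
    [ValidateSet('ServerStandard', 'ServerDatacenter')]
    [string]$TargetEdition,

    [Parameter(Mandatory)]
    [ValidatePattern('^([A-Z0-9]{5}-){4}[A-Z0-9]{5}$')]
    [string]$ProductKey
)

$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw 'DISM /online needs an elevated (Run as administrator) session.'
}

# DISM reports "Current Edition : ServerStandardEval" (or similar); pull that token out.
$currentMatch = dism /online /Get-CurrentEdition | Select-String 'Current Edition\s*:\s*(\S+)'
if (-not $currentMatch) { throw 'Could not read the current edition from DISM output.' }
$current = $currentMatch.Matches[0].Groups[1].Value

# Only accept an edition DISM itself offers from this starting point.
$targets = dism /online /Get-TargetEditions |
           Select-String 'Target Edition\s*:\s*(\S+)' |
           ForEach-Object { $_.Matches[0].Groups[1].Value }
if ($targets -notcontains $TargetEdition) {
    throw "DISM will not upgrade $current to $TargetEdition (offered: $($targets -join ', '))."
}

# This is one-way: Datacenter cannot go back to Standard, and nothing goes back to Eval.
Write-Host "Converting $current -> $TargetEdition"
dism /online "/Set-Edition:$TargetEdition" "/ProductKey:$ProductKey" /AcceptEula
if ($LASTEXITCODE -ne 0) { throw "DISM failed with exit code $LASTEXITCODE." }
Write-Host 'Reboot when DISM asks; expect a second reboot before the new edition is live.'
```

Pass the key as a parameter rather than hard-coding it in the script so it does not end up in a file you later commit or share; it will still appear in the PowerShell history of the session you ran it from.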

Allow login to Azure AD/Office 365 using Primary SMTP address

Microsoft’s new directory synchronisation tool, AAD Sync, reached General Availability a few weeks back. It touts new features such as password write-back, AD attribute filtering and multi-forest synchronisation. All in all it is a great replacement for the DirSync tool it supersedes.

One issue AAD Sync lets you solve is the use of the UPN as the username in Azure Active Directory. A UPN looks like an email address, but AD user accounts often have a UPN that differs from their primary SMTP address. This confuses users who expect to log in with their email address, as they would with any other cloud service. You could change the users’ UPNs to match, but in some situations this is not possible, either because existing applications depend on the UPN or because security policy does not permit internet-routable UPN suffixes.

Before I explain how this works, I must stress that this should only be done on the initial synchronisation; changing this parameter on an existing Azure AD tenant can cause problems. More information on the limitations and risks can be found here: http://social.technet.microsoft.com/wiki/contents/articles/24096.dirsync-using-alternate-login-ids-with-azure-active-directory.aspx

When you configure AAD Sync, you can choose which AD attribute becomes the Azure AD username, for example the primary SMTP address. This lets you give users with non-descriptive AD usernames (such as 17047dd) a usable and memorable Azure AD username that matches their primary SMTP address (David.Dixon). The setting is in the User Matching section of the configuration wizard, where you change the userPrincipalName attribute to use the mail attribute. Because that attribute becomes the sign-in name, mail must be populated and unique for every user you synchronise.

UPN Matching in AAD Sync

If your organisation is planning to use ADFS, this poses a problem, because authentication is performed on-premises and your users cannot authenticate with their SMTP address if their UPN is different! To get around this, configure ADFS to use the mail attribute for authentication (Alternate Login ID), as described in the article below.

http://technet.microsoft.com/en-us/library/dn659436.aspx

There are a couple of issues with this approach to user provisioning and authentication in Office 365, particularly in hybrid deployments. The first is that when users authenticate against ADFS internally using Integrated Windows Authentication (IWA), the UPN is what gets authenticated. For domain-joined machines this is not a problem (as long as the ADFS hostname, e.g. sts.doubledit.co.uk, is added to Trusted Sites in IE). However, if a machine is not domain-joined or is outside the internal LAN, the user receives two authentication prompts: one from Exchange Autodiscover (using the UPN) and another from Office 365 once the Autodiscover redirection has taken place (using the primary SMTP address). The second issue is that ActiveSync devices cannot cope with the double authentication and will need to be manually reconfigured to use outlook.office365.com when the user’s mailbox is moved.

For these reasons it is generally good practice to implement this only for migrations with no Autodiscover redirection in place, such as pure Office 365 deployments or cutover/staged migrations. It can be used with either AAD Sync/DirSync with Password Sync or with ADFS.

Quite often a user’s UPN differs from their primary SMTP address, and this is a way to let your Azure AD users log in with their primary SMTP address without changing the User Principal Name, reducing confusion and giving users a more consistent experience.
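Both the AAD Sync user-matching change and the ADFS Alternate Login ID described above stand or fall on the mail attribute being present and unique for every synchronised account, so it pays to audit that before flipping either switch. The script below is an added example, not code from the original post or from Microsoft: it reads the users you intend to sync, reports blank and duplicate mail values, lists the accounts whose UPN and primary SMTP differ (the population this post is about), and finishes with the ADFS cmdlet from the linked TechNet article as a comment to run on the federation server once the audit is clean. The search base and forest name are placeholders.

```powershell
# Added example (not from the original post): audit the AD attributes that the
# AAD Sync user-matching change and the ADFS Alternate Login ID both depend on.
# Search base and forest name are placeholders; adjust to your environment.
Import-Module ActiveDirectory

$SearchBase   = 'OU=Users,DC=corp,DC=example'   # scope to what AAD Sync actually exports
$LookupForest = 'corp.example'                  # forest ADFS should search for the mail value

$users = @(Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase `
                      -Properties mail, userPrincipalName)

# 1. No mail value means no usable sign-in name at all once mail becomes the username.
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# 2. mail must be unique: ADFS has to resolve the typed name back to exactly one account.
$dupes = @($users | Where-Object { $_.mail } |
           Group-Object { $_.mail.ToLowerInvariant() } |
           Where-Object { $_.Count -gt 1 })

# 3. The accounts the post is about: UPN and primary SMTP address differ.
$mismatch = @($users | Where-Object {
    $_.mail -and $_.UserPrincipalName -and
    $_.mail.ToLowerInvariant() -ne $_.UserPrincipalName.ToLowerInvariant()
})

'{0} users in scope, {1} without mail, {2} duplicate mail values, {3} UPN/mail mismatches' -f `
    $users.Count, $noMail.Count, $dupes.Count, $mismatch.Count
$noMail   | Select-Object SamAccountName, UserPrincipalName | Format-Table -AutoSize
$dupes    | ForEach-Object { '{0} used by: {1}' -f $_.Name, ($_.Group.SamAccountName -join ', ') }
$mismatch | Select-Object SamAccountName, UserPrincipalName, mail | Format-Table -AutoSize

if ($noMail.Count -or $dupes.Count) {
    throw 'Fix blank or duplicate mail attributes before changing the sign-in attribute.'
}

# Only once the audit is clean, on the ADFS server, tell ADFS to look the typed
# name up against mail in the named forest (the cmdlet from the linked article):
# Set-AdfsClaimsProviderTrust -TargetIdentifier 'AD AUTHORITY' -AlternateLoginID mail -LookupForests $LookupForest
```

Run it with an account that can read the whole search base, and keep the mismatch list: those are the users whose sign-in experience changes, and who will be the first to raise tickets if the Autodiscover double-prompt described above bites them.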

Exchange 2013 – File Share Witness on an Azure VM

My last TechEd session of the year was on Exchange 2013 HA and Site Resilience, and it came with an exciting announcement. As of January 1st 2015, Microsoft will support using an Azure IaaS VM as the File Share Witness for an on-premises DAG. This lets deployments with a two-datacenter DAG place the FSW in a third datacenter, providing the ultimate in site resiliency for Exchange Database Availability Groups. It’s worth pointing out that this is not the same as the Cloud Witness in the new Windows Server Technical Preview; the Exchange team have not yet decided whether they will do the work to support the Cloud Witness feature in Exchange 2013.

The high level steps will be as follows:
– create Azure networking and establish a VPN (if not already in place)
– configure the Azure VMs (a directory server and a file server)
– configure Exchange 2013 to use the Azure FSW

This is exciting news and is sure to be a hit with those who have a DAG stretched across two datacenters, as it allows quorum to be maintained when a single datacenter is lost.

TechEd Europe 2014 – The end of an era

After an exciting but exhausting week in Barcelona, my mind is on the epic week that I’ve had. This was my first (and last) TechEd experience, and I’m glad that I can say I’ve been there and done it. It really is a very valuable experience and I’m stoked about the future of Microsoft and have also learned so much about the products which I work with on a daily basis. Not to mention that the parties and swag were awesome 🙂

Next year there will be the Ignite conference, bringing together all the technical Microsoft conferences under one, gigantic roof. For now though I’m going to do my best to soak up what I’ve learned and put it to practice.

My last 2 days covered the following subjects:
– Exchange 2013 Troubleshooting and Performance
– The Dark Web Rises – The Tor Network and Dark Web by Andy Malone
– Office 365 network infrastructure
– Exchange 2013 High Availability and Site Resilience

I also attended a Focus Group about new UX enhancements coming to Azure services. We were shown some awesome new functionality which I, unfortunately, cannot speak more about, and also discussed our ideas around Azure backup services. It was a really interesting session and made me feel like Microsoft were interested in making improvements that customers want, not improvements which they think we want.

There were also lots of vendors to speak to and I’ve found some interesting new products for use with Office 365 in particular. The networking was great and I met lots of people who I am sure to speak to more in the future.

Overall I had a fantastic time and all I can say is that I hope Europe isn’t left out of the loop when it comes to the Ignite conference.