Monday, December 15, 2014

ActiveSync maintenance in O365

I manage a hybrid O365 + On-premises Exchange 2010 environment.  As such, general management is a bit of a pain, as I still have a handful of production users on-prem.  These are mostly contractors, and we kept them on-premises to avoid hitting our O365 license cap.  I like to have a bit of padding there.

Long story short, I need to report on associated ActiveSync devices in our environments. In either case this is fairly simple, but to combine the data I need to correlate info from Exchange 2010 and O365.

Let's start with O365.  The current command is Get-MobileDevice [see also: Get-MobileDeviceStatistics].  This can be piped to Select-Object to pull out the relevant properties.  Once we have the fields we want, we send the result to CSV for consumption.

Get-MobileDevice | Select -Property UserDisplayName,DeviceType,DeviceModel,FriendlyName,DeviceOS,DeviceTelephoneNumber,DeviceAccessState,WhenChanged


  • UserDisplayName - Display name of the user mailbox owning the device.
  • DeviceType - Class of device connection.  iPhones are straightforward, but other manufacturers give any kind of info you could imagine.
  • DeviceModel - Similar to DeviceType; iPhones are clearly enumerated, others not so much.
  • FriendlyName - This is the device name as assigned by its owner.  Typically "so-and-so's iPhone" or similar.
  • DeviceOS - Helpful when running reports to know what device versions are connecting.
  • DeviceTelephoneNumber - Another useful bit of info.
  • DeviceAccessState - Allowed or Blocked; defines whether a given device has been blocked for ActiveSync.
  • WhenChanged - I was hoping for a "last check-in", but this isn't it.  This merely shows when the connection was configured or updated.  A device system update seems to cause the info to change/refresh and changes this value.

This covers the O365/Exchange Online portion.  I piped Export-CSV to the end to deliver a consumable document.

Exchange 2010 is a bit of a different beast.  Since this is the on-premises environment, I'll have fewer entries overall.

Get-ActiveSyncDevice | Select -Property UserDisplayName,DeviceType,DeviceModel,FriendlyName,DeviceOS,DeviceTelephoneNumber,DeviceAccessState,WhenChanged

Note that here, the UserDisplayName returns the full cn from LDAP.  That's not as friendly as it is in 2013/O365.  Otherwise, the dataset matches well.
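To combine the two data sets into one report, here is an added example (not from the post) that runs both cmdlets, normalizes the Exchange 2010 UserDisplayName to the plain display name O365 returns, tags each row with its source, and writes a single CSV. It assumes you are in the Exchange 2010 Management Shell with an Exchange Online remote session imported under the prefix "Cloud" (so Get-MobileDevice surfaces as Get-CloudMobileDevice and does not collide with the on-prem cmdlets); the output path is an assumption.

```powershell
# Added example, not from the post: one CSV of ActiveSync devices from
# Exchange 2010 (on-prem) and Exchange Online, with a Source column.
# Assumes: Exchange 2010 Management Shell (Get-ActiveSyncDevice) plus an
# Exchange Online session imported with -Prefix Cloud. Output path is assumed.
$cred    = Get-Credential
$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri 'https://outlook.office365.com/powershell-liveid/' `
    -Credential $cred -Authentication Basic -AllowRedirection
Import-PSSession $session -Prefix Cloud -DisableNameChecking | Out-Null

$fields = 'UserDisplayName','DeviceType','DeviceModel','FriendlyName',
          'DeviceOS','DeviceTelephoneNumber','DeviceAccessState','WhenChanged'

# Exchange 2010 returns UserDisplayName as the user's directory path
# (e.g. "contoso.com/Users/Jane Doe"), not the plain display name O365 gives.
# Keep only the leaf so both data sets sort and match on the same key.
function Normalize-DisplayName([string]$name) {
    if ($name -match '^CN=([^,]+)') { return $Matches[1] }           # LDAP DN form
    if ($name -match '/')           { return ($name -split '/')[-1] } # canonical-name form
    return $name
}

function Get-DeviceRows($devices, [string]$source) {
    foreach ($d in $devices) {
        $row = $d | Select-Object -Property $fields
        $row.UserDisplayName = Normalize-DisplayName $row.UserDisplayName
        $row | Add-Member -MemberType NoteProperty -Name Source -Value $source -PassThru
    }
}

$onPrem = @(Get-DeviceRows (Get-ActiveSyncDevice -ResultSize Unlimited) 'Exchange2010')
$cloud  = @(Get-DeviceRows (Get-CloudMobileDevice -ResultSize Unlimited) 'O365')
$all    = $onPrem + $cloud

$all | Sort-Object UserDisplayName, DeviceType |
    Export-Csv -Path 'C:\Reports\ActiveSyncDevices.csv' -NoTypeInformation

# Devices blocked in either environment deserve a second look.
$all | Where-Object { $_.DeviceAccessState -eq 'Blocked' } |
    Format-Table UserDisplayName, FriendlyName, DeviceAccessState, Source -AutoSize

Remove-PSSession $session
```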

Tuesday, December 2, 2014

Yammer SSO gotcha - ADFS certificate autorenewal

This is a fast-publish post; it is subject to change. - 12/2/2014

My organization uses Active Directory Federation Services (ADFS) to enable federation with Office365, as well as some other services.  O365 started warning about the signing certificate's upcoming expiration a few weeks ago, and our investigation determined that this is an automated process which O365 should handle gracefully.

Fast forward to last week, Thanksgiving (naturally), and Office365 is seeing our updated ADFS cert just fine.

Fast forward to Monday, and Yammer Single Sign-On is no longer working.  After doing some investigation with Yammer's DSYNC application (not SSO related, but it had some issues as well) and then looking at the Yammer configuration in ADFS, everything seemed happy.  I decided to dig into Yammer's support documentation, since I knew the ADFS certificate used for signing our SAML tokens was updated.

Per the Yammer SSO Implementation Guide, the certificate needs to be updated with Yammer Support manually. In this case, a MS Premier case was needed to get this accomplished.  Provided we have advance knowledge this is coming in the future, we could probably get away with a lower cost change method going forward.

Yammer Support needs the new ADFS Token Signing certificate.  Open up the ADFS console, browse to Service > Certificates, and select the new Token-Signing certificate (highlighted below).

View this certificate, go to the Details tab, and click Copy to File...  This opens the Certificate Export Wizard.  Click Next > to get to the export format selection page of the wizard, and select DER encoded binary X.509 (.CER).

Pick a file path to save the exported certificate, then ZIP it and send it to Yammer Support.  (.CER files commonly get flagged as unsafe attachments in Outlook, hence the need to ZIP it.)

Once Yammer has the cert, have them verify the details.  They need the current ADFS Token-Signing certificate for your ADFS environment.  I mistakenly sent them the Token-Decrypting cert, thus exacerbating a production outage. :(

The moral of the story:  ADFS uses a lot of certificates.  O365 will autorenew (gracefully in our case, your mileage may vary), but Yammer requires intervention and planning if you're using SSO.  I would guess the same goes for any third party federation that uses SAML2 instead of native ADFS.
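The same export can be done from PowerShell, which also makes the Token-Signing vs. Token-Decrypting mix-up harder to repeat because you filter on the certificate type explicitly. This is an added example, not from the post; it assumes the Windows Server 2012 R2 ADFS module (Get-AdfsCertificate / Get-AdfsProperties) and an output path of my choosing.

```powershell
# Added example, not from the post: list the ADFS Token-Signing certificates,
# export the primary one as DER (.CER) for Yammer Support, and show the
# auto-rollover settings so the next renewal can be planned ahead of time.
# Assumes the Windows Server 2012 R2 Adfs module; output path is an assumption.
$outFile = 'C:\Temp\adfs-token-signing.cer'

# Filter on CertificateType: Token-Decrypting and Token-Signing certs are
# generated together and look alike in the console, which is the mix-up above.
$signingCerts = Get-AdfsCertificate -CertificateType Token-Signing
$signingCerts | Format-Table CertificateType, IsPrimary, Thumbprint -AutoSize

$primary = $signingCerts | Where-Object { $_.IsPrimary }
if (-not $primary) { throw 'No primary Token-Signing certificate found.' }

$x509 = $primary.Certificate   # System.Security.Cryptography.X509Certificates.X509Certificate2
"Thumbprint : $($x509.Thumbprint)"
"Subject    : $($x509.Subject)"
"Valid      : $($x509.NotBefore) to $($x509.NotAfter)"

# Public certificate only (no private key), DER encoded: the same bytes the
# Certificate Export Wizard writes for 'DER encoded binary X.509 (.CER)'.
$der = $x509.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
[System.IO.File]::WriteAllBytes($outFile, $der)
"Exported $outFile ($($der.Length) bytes); ZIP it before mailing."

# When ADFS will generate and promote the next Token-Signing cert.
Get-AdfsProperties |
    Select-Object AutoCertificateRollover, CertificateGenerationThreshold,
                  CertificatePromotionThreshold, CertificateRolloverInterval
```

Have Yammer Support read back the thumbprint they loaded and compare it to the one printed here; a mismatch means the wrong cert (or the secondary, not-yet-promoted one) went over.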

Monday, October 6, 2014

Projector tech - my experiences

My organization strives to be on the cutting edge of technologies.  Toward this end, we installed some alternative projectors in the environment, as we were spending a good deal of money on replacement lamps.

In ~2011, we purchased some Casio XJ-M245 projectors.  These do not use a typical lamp (~3,000 hours), but instead a hybrid LED/Laser lamp, which is supposed to offer 10,000 hours.

These models were pretty much the first ones around with this tech, and we saw good performance with some degradation at 9,000 hours.  We were able to get the light engine replaced under warranty for one, and we paid on another (so far).

Projectors ran $1200 or so, lasted around 10,000 hours, and a light engine replacement ran $289 (incl. tax and shipping to the repair facility).

We have 5 or 6 of these projectors in our environment.  We have bought some of the higher-output versions of the same Casio, as well as some nice Panasonic models since.

In all, the Laser/LED hybrid light engine has worked well.  Panasonic and Casio use different methods (one uses a green laser, the other blue, if I recall), but both offer good business graphics performance.  I have not tested either in a "theater" environment; ours were primarily used for digital signage (caution: lasers!).

In all, cost-effective and low maintenance.  The Panasonics look GREAT in large conference rooms.  I'm very happy with their performance.

Tuesday, September 30, 2014

New "Groups" in Office365 walkthrough

Now out in First Release in Office365 - Groups!

I don't see it as an option...

Turn on First Release in Admin -> Office365 -> Service Settings -> Updates.

Okay, what am I looking at?

As someone who has worked with Exchange, SharePoint, Active Directory, etc. calling something Groups is really ambiguous.  What we are really dealing with is an integrated platform with the following functions:

  • Shared Mailbox
  • SharePoint Document Library
  • Shared Calendar
  • Ad-hoc creation by users, as well as ad-hoc user administration (yay?)

Let's get started!

In the People or Outlook views in OWA, GROUPS is now listed in the left hand Navigation.  Click the Plus to launch the wizard in the right margin.

Type in a name for your group.  You can customize the Group ID (I do not yet know what this means.  Presumably it's an ID that spans Exchange and SharePoint services for integration.  Maybe it's something else entirely!).  Also include a description, hopefully something more useful than my example.

Public and Private setting: 

From what I can tell, this setting is permanent.  A private group cannot be opened to the public.  I'm going to assume for now that Anyone/Public means anyone in the organization or federated.  

Subscribe users: 

As shown, you can force group membership to push updates to users' inboxes.  This sounds a lot like Yammer to me.

Add some users, and wait for magic to happen!


In the Groups view, users will see Groups they're a part of.  This functionality is rendered in Outlook Web App.

As a member/admin I can make changes to the group. Notable in my example: changing the picture to Hannibal with a thumbs-up.

After creation, we can choose to let external emails into this newfangled mail-enabled object. (Note: at this point I still haven't figured out if this is a SharePoint thing or an Exchange thing, or something else.) My example group is marked Private, but presumably this option is available in either Privacy mode since I picked the more restrictive option.

It would appear we're now ready to use our Group to synergize backward overflow.

How to interact with a Group:

A Group Conversation is essentially a message to a Shared Mailbox.  If users Subscribe they will get mail items delivered to their inboxes, similar to a distribution list.

Clicking Files takes you to a SharePoint Document Library for the Group.  It doesn't appear you get a Workspace to customize.

Calendar takes you back to OWA.  I'm using MSDN, and I haven't added users to test how Free/Busy works with regard to the Calendar.  I think it acts more like a resource, rather than aggregating Group Members' availability, but I could be wrong here.

Should you enable Groups?

In all, I think the best description of a "Group" is a Shared Calendar + Distribution List + Document Library.  They have the benefit of central administration or ad-hoc usage, and the free ability for members to leave and join as they see fit.  Keep in mind the big time caveat of Public/Private when creating Groups.

Monday, September 22, 2014

Change of PST migration platform

PSTcapture, with all of its ambiguities and issues, is being dropped.  I looked into Quest PST (something, Migrator?), and couldn't even get through the install process; the IIS config kept failing and I didn't have time to mess with it.

MessageOps O365 Exchange Migrator is what I'm picking for the time being.  They have a free trial (account needed), and the trial lets you see how it performs on up to 15 items per folder.  You can register them as your O365 partner in the O365 portal and they'll get their cut from Microsoft, or you can buy the software outright for your organization size.  The whole partner thing was pretty ill-defined, so we bought the site license.

Here we are now, with a 500-seat license for a year, and ~320 users in O365.  MessageOps is pretty clear about the limitations on PST ingestion:  Too many threads/data running on a single import account will get you throttled!  As such, they give the recommendation to do concurrency via multiple admin accounts.

OK easy enough.  Give an admin account a license and a mailbox (gotta have a mailbox).

We get into the app, logging into our tenant with some pretty sweet credentials (tenant admin, gotta have a mailbox.  Did I mention it has to have a mailbox?).  Blam, 323 seats recognized.

The next screen is where the magic happens.  It's not a pretty sight, but the support page describes every function, which seems a heretical idea these days.

Here's their linky in case the instructions change:

CSV import!  After the initial smoke test, we can take the output we got out of PST Capture Central Server, mix up the columns as needed, and ingest it straight into the tool.

For my jobs, I'm selecting the following options:
Left column:
Address Rewriting: Enabled
Thread Settings: 8 Max Threads, 49 Batch size (reference their help for info) [we ended up throttling down the threads to 4/5 to use the same admin account to run two jobs.  This worked well and didn't seem to make import jobs run slower. It also prevented the excessive use of privileged service accounts for migration.]
Deleted items setting: (unchecked)
Folder Filtering: (Nothing specified here)
Duplicate Detection: CustId (Best)

Right Column:
I'll assume you assign the appropriate mailbox in question.
Destination: Archive
Destination Root Name: Root of Mailbox (I would like to combine folders, not set up new folder structure for each PST file)
Destination Auth: Use Administrator Credentials
Auto Grant Full Access: Enabled
Skip Auto Remove Access: Disabled (clean up permissions afterward)
Use Throttle Switching: Enabled
Use EWS Impersonation: Enabled
Error Processing - Ignore Single Property Errors: Enabled.  I want to know if things really go wrong, but not so much for individual items.  I see lots of issues with calendar appointments not getting recognized as the correct item type, but nothing to worry about.

Exclude Folders: Nothing selected
Email Status Notifications: my email address, not yours.  Please don't send me your email notifications.
Use MAPI and EWS for Upload: Enabled (this will be automatically set by the tool when you authenticate to the cloud.  There is a "right" method to use depending on whether you're on a newer or older Exchange Online tenant.)
Use Direct Discover: Unchecked.  See help file if you have questions.

Once your options are set, click Add to Import Queue.  Once your queue (list of PSTs to be imported) is set, click Start Import.

You can see it going.  It takes a minute or two to flesh out permissions and validate some steps, then it will start cooking.

Waiting for good average speed metrics.  The tool reports on average rate MB/min and average rate Items/min.

Data Rate/Metrics:

I'm seeing 15 MB/min and 250 items/min on Julie's 614 MB PST file.  This should wrap up in ~40 min, so I'll check it when I get home.  {This job finished in 53 minutes.}

Amy is running on another server, a 7313 MB PST.  About 5 min in, it's humming along at 21 MB/min and 367 items/min.

Update 9/16/2014 -
Server 1: 22 MB/min
Server 2: 56 MB/min
Server 3: 44 MB/min
Server 4: 35 MB/min

Average: 39 MB/min.  This was a big job, each worker had a list of at least 20 GB of PST files to go through.

A bit on how the tool works:

Check out the MessageOps\ExchangeMigrator\ folder in your logged on user profile.  In the Working folder, under the appropriate date stamp, you'll see items fly through based on GUID.

I'm keeping an eye on this MessageOps folder, as I'm using VMs with very small C: drives, and there was no configuration option to throw these logs and working directories anywhere else.

As far as system resources go, I'm using two-core, 4 GB RAM VMs.  The cores are on recent servers, and right now I'm seeing more memory faults than anything, but 50% RAM utilization overall.  (Update: I've seen no reason to resize these VMs.  They cut through SCANPST when needed at a reasonable rate.)

Issues I've run into, and what they mean:

  1. In an archive's log file (individual PST files are logged separately from the "job"), the last line of the log reads: "Errors Processing PST File: (pathname) Catastrophic failure"

    • This means the PST has errors.  Run ScanPST against it.  You'll find Outlook will bitch about the file as well.  The tool uses Outlook in the background to do the processing.
    • It could also be a password-locked file.  Ask the user in question.
    • Repairs don't work: sometimes a PST has invalid folders, or another issue that SCANPST doesn't fix.  Open it in Outlook and go into Folder view, so you can see everything:

Above, a folder with a "blank" name actually has some escaped characters.  In this case, check the folder for items, move them if appropriate, and rename/delete the folder.  I had to log a support ticket to get into this one.  I figured SCANPST would resolve this type of issue; to its merit, it tried, but in one case just created more problem folders.

Oh, and remember to delete it permanently.  If it's still in the recycle bin (Deleted Items folder), it will still throw errors!