PointBridge Blogs - Erik Enger

Migrating 5000 mailboxes to BPOS over a weekend and still have pilots - an option to consider

By: Erik Enger Posted: August 4, 2010 at 3:10 PM

Background

Let me explain what this means first and set some criteria for a statement like this. In the majority of cases this would involve moving little to no data which is usually the recommended approach for such a large cutover (a.k.a. flash cutover). Coexistence between on-premise mail systems and BPOS can be problematic and confusing for users as well as administrators. Shortening or eliminating this coexistence period is usually a pretty high priority goal for any mail migration project. We try to urge most customers to go with "green field" or minimal data such as calendars and contacts and maybe a few days' worth of email. While this might not seem like a lot of data it can still take several hours or days to move this data over given the number of seats involved and depending on the migration tools you're using.

Normally migrating this many users over a weekend doesn't just involve simple mail migration. There are also related requirements that need to be in place like:

Deploying the SSO and Outlook clients
Possible (re-)training for users and admins
BlackBerry devices need to be re-provisioned in BPOS, Windows Mobile/ActiveSync devices need to be updated to point to BPOS
Application integration testing and re-tooling to work with current workflows including email
Running a pilot or two
Testing all the above and more

There's also that dreaded post-migration support call barrage you just know is coming even though you've communicated How-To and FAQ docs and trained your staff so they're a lean, mean supporting team. Even will all of these challenges it still can be accomplished with a lot of proper planning and testing.

Back to the question at hand: How can you flash cutover 5000 users over a weekend, especially if you want to do a pilot or two ahead of time (without rolling them back)? You might also ask, what is the big problem here? Let's say you have registered your BPOS SMTP domains as external relay. This means that email sent from other activated BPOS users will be attempted to deliver locally to a BPOS mailbox first, then to your on-premise mail system via the MX records. The problem begins once you activate a BPOS user and you don't migrate them, meaning, they aren't treating it as their primary mailbox and mail is not forwarding to their BPOS mailbox. Once this activation occurs, mail flow back to the on-premise mailbox is broken, simply because there is already a valid local mailbox ready to receive messages. You end up with dual mailboxes for some folks with mail sent from other BPOS users ending up in the BPOS mailbox and mail sent from the on-premise system in their local mailbox. Unless the user is set up to connect to both mailboxes, they might never know they are missing mail.

The Strategy

Ok, I understand the problem. How do I fix it and still do pilots and a flash cutover?

Well, you simply set up mail forwarding in BPOS to forward mail back to the on-premise mailbox. Normally for on-premise to on-premise migrations the administrators can take care of all of this usually with whatever migration tool they're using or even a script. With BPOS, at least for now, you need to work with the BPOS support team to accomplish the same task. As of this writing, there are no BPOS PowerShell cmdlets available to set forwarding, although it's quite possible they will be available in the next major release of BPOS (a.k.a. Wave 14). Normally in Exchange we would use the targetAddress field to control where mail gets routed. For BPOS we establish forwarding through use of contacts.

Here's how it works at a high level:

You establish your directory sync between AD and BPOS.
You create a matching contact in AD/Exchange for each user participating in the flash cutover and pilot
You sync these contacts to BPOS
You mass activate the BPOS accounts
You submit a request to BPOS support that you need to establish email forwarding for the list of mailboxes and contacts you'll provide them in CSV format. You only need to include the mailbox's SMTP address and the contact's SMTP address in the file. They will run a script that will establish the forwarding. Be sure to request whether or not the mail sent to the mailbox will be stored and forwarded or just forwarded.
After you receive confirmation that the forwarding is in place, you'll want to hide these contacts in your local AD by setting the msExchHideFromAddressLists attribute to TRUE or you can use a utility like AD Modify to perform a bulk operation and set this value.
Run another dirsync and the contacts will be hidden in BPOS. The key here is you want BPOS users to send mail directly to the mailbox and not the contact.
Test forwarding from BPOS to the on-premise mailbox. If you're satisfied with the results, you're ready to proceed with pre-staging data and piloting.

Here's what the mail flow looks like during this period:

What You Need

For this option you'll need the following:

Local SMTP domain – one that your on-premise mail system can receive mail as (i.e. MX record points to on-premise mail system) and is also NOT registered in BPOS.
BPOS directory sync tool
AD with schema extensions for Exchange 200x

Ok. Now fast forward to the flash cutover weekend. Aside from migrating any last remaining data you'll need to break the forwarding on the BPOS accounts. Gladly, this part is under your control. Simply delete the local contacts in AD and run a directory sync with BPOS which removes the contacts along with the forwarding. Now, if required as part of your migration strategy, set forwarding on the local mailbox to forward mail to the cloud mailboxes. This is usually accomplished through the migration toolset. Yes, we're reversing the flow here. Since you now have a new primary mailbox hosted by BPOS you'll want to make sure new mail that ends up in the old mail system gets forwarded to the BPOS mailbox.

In Summary

Benefits/drawbacks of this solution:

Benefit – you can mass activate all your users and still have coexistence and run pilots.
Benefit – you can pre-stage data well in advance of the cutover weekend allowing you more time if more data is needed.
Drawback – pre-staging data can be problematic in that usually data is migrated as a snapshot of what the on-premise mailbox looks like at the time you migrated that particular user. Any subsequent changes might not end up in the same folder or status the user has it in when they get cutover. You might end up with a lot of calls about this so proper and frequent communication with the users is necessary.

Exchange 2010 Play-on-Phone

By: Erik Enger Posted: December 28, 2009 at 11:35 PM

This is just a quick heads up on the Play-on-Phone feature in Exchange 2010. I was testing several of the new UM features in my lab and one that had me scratching my head was Play-on-Phone which allows a UM user to play messages at their internal extension or any number they choose, providing the dialing rules and policies are in place to allow that. This is a useful feature for connections that might not provide audio functions, such as a kiosk or corporate desktop. This is also useful when privacy is needed. Users can simply click on the button and dial their internal or external extension and have the messages played over the phone.

In Exchange 2007 OWA, for example, you would normally see the Play-on-Phone button located at the top of the preview pane and would simply click on this button to initiate dialing a number. Well, in Exchange 2010 things have changed slightly. Aside from the virtual UnifiedMessaging directory being deprecated in 2010 in lieu of the EWS virtual directory, the Play-on-Phone feature only seems to be available when you open the message instead of just previewing it. I confirmed this with another professional who also saw this behavior in their lab. This seems to only affect OWA clients. The fat Outlook client still displays the Play-on-Phone in the preview window.

In the OWA preview pane there is no more Play-on-Phone button available.

Opening the message in OWA reveals the Play-on-Phone button.

I don’t know how many people may be used to this particular feature but I thought it might be useful to know that administrators and support staff may need to update their instructions and notify users of this cosmetic change for OWA users. I’m not quite sure why MS decided to make this change but perhaps this was by popular demand as do some of their feature enhancements that make their way into final release of the product.

There are quite a few great new features in Exchange 2010 UM like call answering rules, rights management for voicemail messages and voicemail message preview. One note about voicemail preview is that if the voice connection isn’t clear or Exchange doesn’t quite understand the words spoken in the message, the preview text can be incorrect and potentially confusing or even embarrassing. My test message in the voicemail sample above was supposed to read, “Hi Ryan, it’s Erik. Give me a call.” Not a major problem considering this was a test but far from the message I left.

Exchange 2010 Federation (well, half-way there for now)

By: Erik Enger Posted: December 17, 2009 at 10:11 AM

2
Comments

Federation is certainly a welcome and interesting feature in Exchange 2010. Being able to share calendar information with other organizations will greatly improve collaboration efforts, especially with shops leveraging both on-premise and Exchange Online services for their information workers. There is a modest amount of information on this feature and how to set it up in the form of TechNet articles, blogs and even a webcast. I read through the available material and webcast set out to try and demo this feature for this blog but ran into a roadblock.

The roadblock I’m referring to has to do with certificates. After reading through the TechNet article you’ll find a link to the CAs you can use for Federation.

CA Certificate Friendly Name	Thumbprint
Comodo	NA
Digicert Global Root CA	083B:E056:9042:46B1:A175:6AC9:5991:C74A
Digicert High Assurance EV Root CA	91 8d a5 e4 99 c1 5f 7c 62 75 b1 24 fe de 53 35 7c 34 bd 36
Entrust.net CA (2048)	801D 62D0 7B44 9D5C 5C03 5C98 EA61 FA44 3C2A 58FE
Entrust Secure Server CA	99A6 9BE6 1AFE 886B 4D2B 8200 7CB8 54FC 317E 1539
Go Daddy Secure Certification Authority	‎7c46 56c3 061f 7f4c 0d67 b319 a855 f60e bc11 fc44

After going through the steps in the articles to get this set up I was hit with this error in the New Federation Trust wizard.

“InvalidManagementCertificate: Certificate not valid for this operation”

I was baffled by this one. Everything checked out with my certificate according to the information below. What was wrong?

Certificate Requirements for Federation

To establish a federation trust, you must procure and install an X.509 certificate on the Exchange 2010 server used to create the trust. The certificate is used only to sign and encrypt delegation tokens. The certificate must meet the following requirements:

Trusted certification authority The certificate must be signed by a trusted certification authority (CA). For a list of trusted CAs, see Trusted Root Certification Authorities for Federation Trusts.
Subject key identifier The certificate must have a subject key identifier field. Most X.509 certificates issued by commercial certification authorities have a subject key identifier.
CryptoAPI cryptographic service provider (CSP) The certificate must use a CryptoAPI CSP. Certificates that use Cryptography Next Generation (CNG) providers aren't supported for federation. If you use Exchange to create a certificate request, a CryptoAPI provider is used. For more information, see Cryptography.
RSA signature algorithm The certificate must use RSA as the signature algorithm.
Exportable private key The private key used to generate the certificate must be exportable. You can specify that the private key of a certificate be exportable when you create the certificate request using the New Certificate wizard in the EMC, or the New-ExchangeCertificate cmdlet in the Shell.
Current certificate The certificate must be current. You can't use an expired or revoked certificate to create a federation trust.
Enhanced key usage The certificate must include the enhanced key usage (EKU) type Client Authentication (1.3.6.1.5.5.7.3.2). This usage type is intended for the purpose of proving your identity to a remote computer. If you use Exchange tools to generate the certificate request, this usage type is included by default.

I tried a couple other things thinking it was something wrong with my Exchange setup, firewall, etc. Finally I started searching for similar issues on blogs and forums. There was nothing so I decided to post on the Exchange 2010 forum hoping someone has seen this. I did get a rather quick response and after a couple of exchanges I was presented with this list of CAs that can be used for federation posted on the MSDN site.

CA Certificate Friendly Name	Issued To
Entrust	Entrust.net Secure Server Certification Authority
Go Daddy	Go Daddy Class 2 Certification Authority
Network Solutions	Network Solutions Certification Authority
VeriSign	Class 3 Public Primary Certification Authority
VeriSign	VeriSign Trust Network
VeriSign	VeriSign Class 3 Public Primary Certification Authority - G5

As you can see, quite different. I decided to take a chance and purchased one of the certs from a CA on the MSDN list. This worked! Although I had to go to the time and expense of getting another cert I was at least able to establish federation with the MFG (Microsoft Federation Gateway). This is frustrating to find out this was the problem all along due to some contradictory information posted by Microsoft. My hope, however, is that more CAs will be added to the working list so customers like me don’t have to purchase new ones just to prove a point.

So now, you’ve been warned! :-)

Exchange 2010 Multi-Mailbox Searching

By: Erik Enger Posted: December 15, 2009 at 4:36 PM

4
Comments

One of the improved features in Exchange 2010 is multi-mailbox searching. While you could do this to a degree in Exchange 2007 it usually required too many rights to delegate it to a compliance officer and the searches had to be run from PowerShell so it was often problematic for the user to perform these searches on their own and too burdensome for the administrator to do it on behalf of the user. The normal Exchange search you’re used to doing is still available in case of other requirements like removing an email from everyone’s mailbox (i.e. virus, inappropriate content, etc). This blog focuses on the e-discovery aspect in Exchange 2010.

In 2010 things are much improved when it comes to e-discovery. With Microsoft’s use of RBAC in 2010 you can delegate this control rather easily. Adding someone to the new Discovery Management group is all it takes to get started.

You also want to think about the target mailbox for these searches. Typically you’ll want to dedicate this type of activity to dedicated mailboxes and even databases if you’re a large company. A copy of each message matching your search criteria will end up in this mailbox even if it’s temporary so make sure you have enough resources available to store this data. For this example I’ll be using the default search mailbox that’s created when installing Exchange 2010. You’ll want to delegate control of this mailbox to the compliance officer so they will be able to open the mailbox and view the collected data.

Accessing the multi-mailbox search by the delegated individual is done by opening OWA and clicking on the Options button in the upper right corner.

This brings up the new Exchange Control Panel (ecp) in which you can perform a host of operations previously unavailable in 2007. For now we’ll focus on the e-discovery stuff. Once in the control panel, select the “My Organization” from the “Select what to manage” drop-down box.

This brings up another set up tabs for managing users, groups and reporting. For now, select the Reporting tab and click New… to create a new search.

This pops up another window allowing you to define your search criteria. At a minimum you’ll need to define your search name, mailbox scope and target mailbox. Actually you are going to want to narrow your search considerably to avoid unnecessarily long searches which might not give you what you want in addition to overburdening the system. For my test I entered some keywords to look for in the emails. I also turned on logging and the option to send you an email for additional information. Once you’re happy with the search, click on Save.

The search immediately begins and you can see the progress in the search window.

When your search has completed, you’ll receive an email similar to this one. Notice that the search partially succeeded. This is due to some of the mailboxes being on an Exchange 2007 database. If you click on the hyperlink in the message it will open the target discovery mailbox in an OWA window. You could also open the target mailbox in Outlook if that is preferred.

From here you’ll be able to view the messages collected. Expand the folders to drill down and view the messages found in your search. You’ll be able to act on these messages to further filter, categorize and narrow down your search to end up with only the ones you want.

When you’re finished with your search and want to remove it from your saved searches, please note that this will also remove the collected messages from the target discovery search mailbox. You will receive this warning if you attempt this.

While the e-discovery search feature in Exchange 2010 may not be as robust as some third party products it is still a nice alternative to having nothing at all and it’s much better than it was in 2007.

Mass password resets in BPOS

By: Erik Enger Posted: November 21, 2009 at 9:26 AM

1
Comment

Following on from mass BPOS account activations you can now perform mass password resets with the latest Microsoft Online Services Migration Tools. The PowerShell script below will read in a list of BPOS accounts and reset the password. The two fields you need in the CSV file are the email address and desired password. See the BPOS password requirements before establishing a new password. In the script below you can choose not to force the user to change the password you assign to them by changing the value of “-ChangePasswordOnNextLogon:$true” to “-ChangePasswordOnNextLogon:$false”.

To run this you must have admin privileges in BPOS and you must have the MSOL Migration Tools installed locally. Save this text with a PowerShell extension (i.e. massPwdChg.ps1) and open a Migration Command Shell and run the command by typing “.\massPwdChg.ps1”. Make sure the paths in the script exist or change them to suit your needs (i.e. “C:\Migration” and “C:\Migration\ScriptLogs”). The input file is assumed to be massPwdChg.csv.

Here’s a sample CSV file format:

name,mail,passwd
”Test Account”,Testaccount@contoso.com,P@ssw0rd

# Microsoft PowerShell Source File -- Created with SAPIEN Technologies PrimalScript 2009

# NAME: massPwdChg.ps1

# AUTHOR: Erik Enger , PointBridge

# DATE  : 11/03/2009

# COMMENT: Use this script to perform a mass password change of BPOS accounts

# Note: This script requires the Microsoft Exchange Transporter snapin

# Modify the default PowerShell profile to add the Quest Snap-In

#        c:\windows\system32\windowspowershell\v1.0\profile.ps1

#        add-pssnapin Microsoft.Exchange.Transporter

# ==============================================================================================

cls

# Get the login ID for the BPOS admin account

write-host 'Enter the username for the MS Exchange Online admin (i.e. admin@contoso.com): '

$bposlogin = Read-Host

# Get the password for the BPOS admin account in a secure fashion (display * for password)

write-host 'Enter the password for the MS Exchange Online admin (i.e. admin@contoso.com): ' -foregroundcolor yellow -BackgroundColor darkmagenta

$bpospwd = read-host -assecurestring

Write-Host

# Form the BPOS encrypted credential information and store it in a variable to be passed to upcoming commands

$bposcred = new-object -typename System.Management.Automation.PSCredential -argumentlist $bposlogin, $bpospwd

Write-Host

write-host "`n`n`n"

"************************************************************************************************"

import-csv c:\migration\massPwdChg.csv | foreach {

## Start a Transcript

$file="C:\Migration\ScriptLogs\"

$file+= $_.name +"-massPwdChg.log"

"************************************************************************************************"

Start-Transcript -Path $file -NoClobber:$false

Write-Host "Resetting BPOS password for:" $_.name

Date

"************************************************************************************************"

# Set the password and prompt for change on next logon

Set-MSOnlineUserPassword -Identity $_.mail -Password $_.passwd -ChangePasswordOnNextLogon:$true -Credential $bposcred -Verbose

## Stop the log

Date

Stop-Transcript

"************************************************************************************************"

Write-Host `n`n`n

Quick Launch
View All Site Content

About Erik Enger

‭(Hidden)‬ Admin Links

Tag Cloud

External Links

Quick Launch View All Site Content

About Erik Enger

‭(Hidden)‬ Admin Links

Tag Cloud

External Links

Quick Launch
View All Site Content