
Even when you fully test, something still bites… #MailEnabled #PublicFolders can NDR after an #Office365 cutover migration

The Office 365 “big bang” cutover migration took place over the weekend.  Testing had proven everything we wanted to see, and – apart from the logistics of transferring GB’s email up a 3Mb down/710Kb up ADSL connection (it’s measured in days if you want to know!) – all went as planned.
And then we noticed incoming emails to some mail enabled public folders were not working.  Some desperate testing (including borrowed external accounts) proved that internally all email to Mail Enabled public folders worked; but that some of these public folders were receiving external email, some not.
At which point the tech support incident was created.  Thankfully, within 90 minutes the problem was solved and the incident closed.  Again, nice one Office 365 support.
The lesson though.  It seems Microsoft have a bit of a bug in the system for newly migrated domains in a cutover migration; in that email addresses may not function for externally sent email and cause the sender to get a 5.4.1 NDR:
But didn’t I test this?  Yes, I did.  However the testing was done on a spare domain that was handed over to Office 365 over a month ago.  So by the time I was testing the Mail Enabled Public Folder function, they all worked.  It seems the sequence that can create the problem is to add and authenticate the domain during the cutover (but that’s how you have to do it).
The explanation.
It seems that in a cutover migration when you add further SMTP domain aliases to Office 365, it is possible for the data not to propagate around the entire O365 world quickly enough.  The net effect is that when an external party emails that public folder, the address goes unrecognised and the message NDR’s.
But, there is a fix: whizz over to the Office 365 portal and take the following steps:

1. Go to the admin page
2. At the bottom, go to Exchange admin
3. Click on Mail Flow down the left hand side and select accepted domains across the top to get to here (domain names hidden to protect the innocent!)

4. Now double click on the domain in question and change it from Authoritative to Internal Relay, and accept the prompt that comes up and save this (see below).

5. The net effect is that when your sender’s email hits the Office 365 setup, it will (instead of NDR’ing as an unknown alias) pass on the email through the environment until it reaches your public folder.  Internal Relay forces the server accepting the incoming email to assume that if it does not know the addressee, another server will, so it works its way through.  In authoritative mode it will just NDR the email immediately.
The advice Microsoft support gave was that this setup could be left on internal relay indefinitely, but if you give it a few days (well, a week), then you could move it back to authoritative, but feel free to leave it on internal relay.
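
The same change can be scripted. The block below is an added example, not the author's or Microsoft support's own code; it assumes a connected Exchange Online PowerShell session, and the function names and `example.com` are placeholders.

```powershell
# Added example: switch an accepted domain between Authoritative and
# InternalRelay, and list the domains still waiting to be switched back.
# Assumes an Exchange Online PowerShell session is already connected.

function Set-DomainRelayMode {
    param(
        [Parameter(Mandatory = $true)]
        [string] $DomainName,

        [ValidateSet('Authoritative', 'InternalRelay')]
        [string] $DomainType = 'InternalRelay'
    )

    # Fail early if the domain is not an accepted domain in this tenant.
    $domain  = Get-AcceptedDomain -Identity $DomainName -ErrorAction Stop
    $current = "$($domain.DomainType)"

    if ($current -eq $DomainType) {
        Write-Host ('{0} is already {1}; nothing to change.' -f $DomainName, $current)
    }
    else {
        Write-Host ('{0}: {1} -> {2}' -f $DomainName, $current, $DomainType)
        Set-AcceptedDomain -Identity $DomainName -DomainType $DomainType -ErrorAction Stop
    }

    # Re-read so the caller sees what the service now reports.
    Get-AcceptedDomain -Identity $DomainName |
        Select-Object DomainName, DomainType, Default
}

function Get-RelayModeDomain {
    # Domains left on InternalRelay: the review list for moving back to Authoritative.
    Get-AcceptedDomain |
        Where-Object { "$($_.DomainType)" -eq 'InternalRelay' } |
        Select-Object DomainName, DomainType
}

# Usage with a placeholder domain (not one from the post):
# Set-DomainRelayMode -DomainName 'example.com'                          # before/during cutover
# Get-RelayModeDomain                                                     # a week or so later
# Set-DomainRelayMode -DomainName 'example.com' -DomainType Authoritative
```

While a domain is set to Internal Relay, Exchange Online accepts mail for addresses it cannot find instead of rejecting it straight away, so `Get-RelayModeDomain` is worth running as a periodic check.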

Although it wasn’t stated, I suspect the propagation issue is one related to mail enabled public folders and not mailbox or shared mailbox aliases, but I have no evidence for that.

In hindsight I might have been able to create all the aliases on the new domains in the Office 365 setup but that would have hampered testing in that during testing we could send and receive email between the live setup and office 365 testing world.  I don’t think I would want to have given that up.

But, my recommendation?  Unless there is a good reason for not doing so, set up your domains as internal relay before, during and for a few weeks after your cutover migration.


Office 365 mail enabling public folders #Office365 #MailEnabled #PublicFolders

I’m about to publish details of a bug we encountered (and bypassed) with mail enabled public folders in Office 365, but thought a quick post on how it’s done might be useful.

You can create the public folder in the Exchange interface and create the folders, but they will not be mail enabled until you do the following:

1. Enable the mail address (either by the GUI or through PowerShell)
2. Set the email address (either by the GUI or through PowerShell)
3. Disable the Address Policy
4. Most importantly (and only via PowerShell as far as I can see), enable Anonymous users to Create Items in the folder (otherwise incoming emails cannot reside in the Public Folder).

The code to do this is straightforward, and turned into a script so that it is repeatable in the event of any changes in your plans (and also why do repetitive tasks in the GUI, when one script will do it all?!)

This line of PowerShell will enable Anonymous Create Item rights:
Get-PublicFolder "<full path to public folder>" | Add-PublicFolderClientPermission -User Anonymous -AccessRights "CreateItems"

This line does the mail enabling, setting the address, and blocking Address Policy Enabling all in one go:
Set-MailPublicFolder "<public folder name>" -EmailAddressPolicyEnabled $false -PrimarySmtpAddress "<email address>"

Note that the full path to the public folder is the folder hierarchy so something like this for a folder 3 levels down a tree called “Fred”
"\Root Folder Name\Second Level Folder Level\Fred"
and the Public Folder Name in this instance is just

So, if the fred PF alias was your two lines of code would be:
Get-PublicFolder "\Root Folder Name\Second Level Folder Level\Fred" | Add-PublicFolderClientPermission -User Anonymous -AccessRights "CreateItems"
Set-MailPublicFolder "Fred" -EmailAddressPolicyEnabled $false -PrimarySmtpAddress ""
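
The four steps above as one repeatable function, as an added example rather than the author's script. It assumes a connected Exchange Online PowerShell session; the function names are hypothetical, and it calls `Enable-MailPublicFolder` first when the folder is not yet mail-enabled.

```powershell
# Added example: mail-enable a public folder for inbound external mail
# and report the resulting state. Assumes a connected Exchange Online session.

function Get-AnonymousEntry {
    param([Parameter(Mandatory = $true)] [string] $FolderPath)
    # Filter the folder's permission entries down to the Anonymous one, if any.
    Get-PublicFolderClientPermission -Identity $FolderPath |
        Where-Object { "$($_.User)" -eq 'Anonymous' }
}

function Test-InboundPublicFolder {
    param([Parameter(Mandatory = $true)] [string] $FolderPath)
    $mail = Get-MailPublicFolder -Identity $FolderPath -ErrorAction Stop
    $anon = Get-AnonymousEntry -FolderPath $FolderPath
    $rights = if ($anon) { @($anon.AccessRights | ForEach-Object { "$_" }) } else { @() }
    [pscustomobject]@{
        Folder          = $FolderPath
        PrimarySmtp     = "$($mail.PrimarySmtpAddress)"
        AddressPolicyOn = $mail.EmailAddressPolicyEnabled
        AnonymousRights = $rights -join ','      # anything beyond CreateItems deserves a look
    }
}

function Enable-InboundPublicFolder {
    param(
        [Parameter(Mandatory = $true)] [string] $FolderPath,   # full path, e.g. '\Root Folder Name\Second Level Folder Level\Fred'
        [Parameter(Mandatory = $true)] [string] $SmtpAddress   # address the folder should receive on
    )

    $folder = Get-PublicFolder -Identity $FolderPath -ErrorAction Stop

    # Step 1: mail-enable the folder if that has not been done yet.
    if (-not $folder.MailEnabled) {
        Enable-MailPublicFolder -Identity $FolderPath -ErrorAction Stop
    }

    # Steps 2 and 3: set the address and stop the address policy overwriting it.
    Set-MailPublicFolder -Identity $FolderPath -EmailAddressPolicyEnabled $false `
        -PrimarySmtpAddress $SmtpAddress -ErrorAction Stop

    # Step 4: Anonymous needs CreateItems. Add the entry when it is missing,
    # replace it when it is 'None', and leave any other existing rights alone.
    $anon = Get-AnonymousEntry -FolderPath $FolderPath
    $rights = if ($anon) { @($anon.AccessRights | ForEach-Object { "$_" }) } else { @() }
    if ($anon -and ($rights -contains 'None')) {
        Remove-PublicFolderClientPermission -Identity $FolderPath -User Anonymous -Confirm:$false
        $anon = $null
    }
    if (-not $anon) {
        Add-PublicFolderClientPermission -Identity $FolderPath -User Anonymous -AccessRights CreateItems
    }

    Test-InboundPublicFolder -FolderPath $FolderPath
}

# Usage (the address is a placeholder, not one from the post):
# Enable-InboundPublicFolder -FolderPath '\Root Folder Name\Second Level Folder Level\Fred' -SmtpAddress 'fred@example.com'
```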

My thanks to the following 2 blog entries for pointing the direction:
Exchangepedia Blog

NB. use the code at your own discretion and please note that this was done in a single Public Folder Mailbox environment.


update on the #Lumia #Denim failure – it now works :-)

In lumia denim upgrade failure I reported a significant problem with the upgrade in that the handset no longer reported back correctly it was honouring the Exchange ActiveSync policy of handset encryption.

Happy to report that having worked with Lumia support staff and even had them connecting their handsets to my infrastructure the problem is fixed.  It turns out there was a corrupt “something” that was cleared by doing what is called a soft reset (but in reality is more of a “clear cache” operation on the handset).  This is done by pressing the power and volume down buttons simultaneously for about 10 seconds until the handset restarts.

Afterwards, the date/time might need to be sorted, but the ActiveSync connection now worked, and the handset remained encrypted.



#Lumia #Denim upgrade failure.

I tweeted last night about a Lumia 620 that seemed bricked by the Denim upgrade.  The jury is now in!

The handset is an unlocked “any network” device; it has taken all the upgrades to date and been used by Mrs B for about 2 years without any issues.  It’s entirely a business device – email, internet, phone and text – no games and only about 4gb in use of the 7.2gb free space.
Yesterday the phone presented a critical upgrade, (the language used did not describe it as either Windows 8.1 update 1 or denim, just critical).  So the upgrade was performed.  All went smoothly (no error messages, the standard reboot) and all seemed well.
However after a few hours, it was clear email was not coming down to the phone and when a sync was forced, an error was presented.  At this point the device became my problem (correctly so, I’m the local IT admin!).
Quick investigation demonstrated that the phone was no longer able to comply with security policies of the exchange server to which it was attached (albeit an Exchange 2010 box, not 2013); but, to be fair, MDM in 2013 and 2010 isn’t much different and the options there are the same. 
A quick trip to the exchange server EAS policies (Exchange Console, Organisation, Client Access) and I inspected the policy, a perfectly normal policy here:
So, some investigation – I found a few references to 86000C2A error code I was getting and discovered this post from a couple of years ago –
It was good advice, and on checking I found that -WSSAccessEnabled  -UNCAccessEnabled were indeed $true instead of $false.  So, correcting that with a quick bit of PowerShell (as guided in that article) I was a tad surprised to find that the policy still failed.
Rather than muck around any further with a policy managing a number of devices  I created a new policy (through the EMC) to mirror the policy in use and more by instinct than anything else set the require encryption on device option to disabled.  Email started to flow.  Whether those two AccessEnabled policies were set to true or false; hmmm.
However, this was not the end of the problems.  The handset was largely unresponsive and spontaneously rebooted a couple of times.
Looking around there was plenty of free space, but a couple of issues:
  1. when I investigated the maps on the phone it reported that the UK maps (which were previously on it) required 1% more to complete downloading at about 340MB. I resumed the download, and it was very slow.
  2. Whenever I tried to use the internet, IE, Search tool, Microsoft Store – the phone would not connect (either on Wi-Fi or 3G data).
I noticed that when using search/IE a “checking location” message appeared at the top of the screen, disappeared and then nothing would happen.  The phone has location settings off for privacy reasons.
So, without any solid reason I deleted the maps (this took several attempts, included a deletion of the HERE Maps app) and although I eventually got them fully off the device, the problem remained.  Nor was I able to get to the store to reinstall the HERE Maps app.  But, via System, Applications, Maps I was able to get the UK maps downloading in full – but (interestingly, and perhaps critically) the download was about 540MB, not the 340MB it was previously reporting.
Upon completion of the download and a reboot, the phone’s IE, Search and Store functions all fired up again and things were back to normal.
I don’t pretend to understand what was going on, but I notice that even now search/ie check for location very briefly during their start up.  However I do wonder if somehow with the corruption in the mapping part of the system the location checks were somehow failing and the system was refusing to play ball with internet connections because it no longer was certain where it was.  I really doubt it’s that, or as simple as that, but…
Oh, for the record, I also connected the phone to an Office 365 Enterprise email account and tried the same policy issues there – and got the same result.


WSUS on Windows 2008 R2

If you are doing a fresh build on this platform, a couple of gotchas (1 well published, the other not so…)

Firstly on this platform you’ll need to use the SP2 version of WSUS 3 (KB 972455 refers).  However, if you install the pre-requisite role of IIS by default and then try the WSUS 3.0 SP2 install, it will still fail reporting that IIS is required and not installed!
This is because the default IIS role services are not the full set for WSUS.  So, go into Server Manager, and select the following role services and switch them on too.
Also, it is worth at this point grabbing and installing the report viewer 2008 redistributable as well.
Then your WSUS SP2 install will proceed and you should see this next!


The joys of Exchange 2010 Service Pack 3 installation

Having just completed this process on a few of several servers.  Some news from the frontline…

  1. If you have Backup Exec in the mix, then stop the service before you start installing SP3 on any of your boxes.
  2. You may want (or need) to do the schema update to Active Directory before you start.  Either way, it’d be a good idea to ensure the upgrade is done and replicated before proceeding too far down the install.
  3. You may get a warning about obtaining a Hotfix from during preparation on servers with a MBX role – grab it now, and have a look.  But it only applies to improved Failover Cluster performance in stretched DAG’s across datacentres.  So you may well not need it.
  4. You may wish to stop your exchange services before running setup.exe, I have seen it fail to wait long enough to stop services properly during the upgrade.  The SP3 install actually disables them before stopping (if you run services.msc you can see it happening).
  5. Lastly, when the setup is close to finishing and attacking the server roles, make sure Microsoft Exchange Active Directory Topology service is running, if not then the AD communication will fail and you will have a big red cross on your screen, that may have an impact on your cardiac health!  This can be monitored for and the services started by hand when the installation moves onto “Restoring services”.  So far I have seen this issue on MBX servers.  I decided to do it for all servers irrespective as the upgrade rolled out.
Web pages that may help you:
So, onto further servers!
PS1: Oh, yes, you really mustn’t ignore a good backup as a really good idea – especially for those cardiac moments!
PS2: version changes in the management console (at the site on which I’m working) moved from 14.2 (Build 247.5) to 14.3 (Build 123.4)


#Microsoft, your .NET patching is really beginning to annoy

You know the score, you install or update something within the .NET framework and that friendly mscorsvw.exe kicks off recompiling assemblies for you (a good thing) and takes up nearly all your CPU.

But when you have an occasionally used machine, it might be nice if it did not do it for each of 10-20 patches for the framework.  And not in turn for each one.  It’s bloody annoying, especially when that machine has been turned on especially for an unplanned piece of work.
Is there a good reason it cannot be run once, after the last patch is applied?  Or is that just too sensible…
(added later)

Yes I know you can park the jobs, or run them later, or drop the priority.  But the whole point of the patching is to be done under the covers, and just done seamlessly and easily.  Not to intrude so much!


Device upgrade – how #Apple was a #Fail and #Microsoft was a #Success

So yesterday was a bad day with apple.  You can read more – see the links below.  But I think the title of the post says most of it.

Apple upgrade woes
Where do itunes backups go on windows
With Apple it doesn’t just work, in fact…
Oh and if you independently download the IPSW
3 hours on tech support phone call
7 hours+ to do upgrade
Upgrade incomplete
Data lost
Result: Misery

Microsoft Upgrade works a treat
Want mango wp7 now but your network connection is not easy to get to?
0 hours on tech support
3 hours to upgrade
Upgrade complete
No data lost
Result: Happiness

Oh, PS I upgraded both of the family Satnav’s last night, Garmin’s upgrade tools worked a treat.

Want #Mango #WP7 now? But your network connection is not immediately adjacent to your desk, or awkward to break. #PowerShell

Mango is now available, and there is a cheat that seems to bypass the “wait until Microsoft/Your Carrier” make it available to you.  Read more here:
However the trick relies on disconnecting your internet connection within a few seconds.  This is fine and dandy if the cable is right by your keyboard, mouse and monitor, but not if it isn’t.
Obviously you can enable/disable the NIC, but Windows 7 (at least here) takes a variable amount of time to perform the disconnect.  Factor in UAC asking you for permission to disconnect then you have a bigger timing problem.
So a quick jump to the internet.  The following lines of code sort it out.
Firstly, start a PowerShell session (ISE or prompt), but with Run as Administrator rights to avoid issues.
Then use the line:
Get-WmiObject -Class Win32_NetworkAdapter | Format-Table Name, NetEnabled, NetConnectionStatus, DeviceId -auto
This lists all your network connections, (extract below)
Name                                       NetEnabled NetConnectionStatus DeviceId
----                                       ---------- ------------------- --------
WAN Miniport (Network Monitor)                                            6      
Intel(R) PRO/1000 MT Server Connection     True       2                   7      
Identify the Device ID for your network connection.  In this case 7.
The following lines of code needs to run once only in your ISE session
$Nic = Get-WmiObject win32_networkadapter -computerName LocalHost -filter "DeviceId = 7"
Note that the number 7 at the end will need to be changed for your environment.
Then finally –
As you wish to switch your NIC on and off. 
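
One way to do the enable/disable step, as an added example that is not the author's original code: it calls the `Enable()` and `Disable()` methods of `Win32_NetworkAdapter` and waits until the state change has actually taken effect, which deals with the variable delay mentioned above. The function name `Set-NicState` and the timeout are assumptions.

```powershell
# Added example. Run in an elevated Windows PowerShell session.
# DeviceId 7 is the value from the listing above; change it for your machine.

function Set-NicState {
    param(
        [Parameter(Mandatory = $true)] [int] $DeviceId,
        [Parameter(Mandatory = $true)] [ValidateSet('Enable', 'Disable')] [string] $Action,
        [int] $TimeoutSeconds = 15
    )

    $filter = "DeviceID = '$DeviceId'"
    $nic = Get-WmiObject -Class Win32_NetworkAdapter -Filter $filter
    if (-not $nic) { throw "No network adapter with DeviceId $DeviceId" }

    # Both methods return an object whose ReturnValue is 0 on success.
    $result = if ($Action -eq 'Disable') { $nic.Disable() } else { $nic.Enable() }
    if ($result.ReturnValue -ne 0) {
        throw "$Action failed with WMI return value $($result.ReturnValue)"
    }

    # $nic is a snapshot, so re-query until NetEnabled shows the new state.
    $want     = ($Action -eq 'Enable')
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Milliseconds 250
        $state = (Get-WmiObject -Class Win32_NetworkAdapter -Filter $filter).NetEnabled
    } until (($state -eq $want) -or ((Get-Date) -gt $deadline))

    return ($state -eq $want)   # $true once the adapter reports the requested state
}

# Set-NicState -DeviceId 7 -Action Disable
# Set-NicState -DeviceId 7 -Action Enable
```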
So, having prepped all that, a quick click on linking on the Zune screen below
Followed by a click on UPDATE, and then immediately run the disable command, and Robert’s your mother’s brother.  When you click on the presented choice to download an update – don’t forget to enable your link again.
Note you may need to update the Zune software, so you’ll get a bit of this:

For a bit.

But then you should see an update offered, something like this.

7403 offered to user
7403 ready to download

Repeat until you have Mango installed



Microsoft, Redundancies and Mojo

Yesterday was the start of Build, Microsoft’s most important conference since… …the last most important conference. But it is and was important.

During the day, Jon Honeyball said this:

I almost immediately RT’d with the comment

But it’s more than the obvious.

It’s not that long ago that Microsoft made some pretty heavy duty redundancies. I can still remember the shock and surprise of names like Steve Riley and Eileen Brown being identified as “at risk” and then receiving their redundancy notice. It felt like a mistake. In some respects it was.

But when you have been made redundant (as Mrs B and I have been about 9 times if I’ve counted them correctly!) then you can look back at the company you have just left with a number of views. It may take some time before the sadness, regret and anger wear off; but when they do you’ll probably end up seeing why the company did it and either consider them complete idiots for choosing you, or understanding why you were the candidate chosen.

If the company is fundamentally a decent one, and has operated through the process reasonably (and legally) then hopefully you will understand and accept. This will mean you probably have residual good feelings towards your former employer and good wishes for your former colleagues.

Many have commented on the flat profile of Microsoft since Ballmer took over the helm. For Microsoft to get its mojo back, it means that the company can once again be on an upward curve. It means that your former colleagues have a better chance of not experiencing your fate.

But it also means that, despite everything, your redundancy was not in vain. Collective good has come from the process – it wasn’t just a crappy decision made to lever you out and exact some pointless revenge for your face not fitting, or a perceived misdemeanour.

Thinking back to the companies that made me redundant, most have gone bust a year or two later. I just felt lucky enough to get out whilst the going was good, but for those companies that made good decisions and recovered and thrived – I’m glad for them. If the Microsoft mojo has recovered from the trauma of restructuring, grows from Build and becomes a colossus again, bestriding the industry with unambiguously leading desktop and tablet systems (the servers speak for themselves already) along with continuing and improving good practices; then I, for one, will be cheering from the sidelines.