Enable a Remote Mailbox in Office 365

So I recently ran into an issue where I had a user whose local AD account had been deleted but whose Office 365 mailbox was still showing up. We tried to bring the user account back, but the AD Recycle Bin was not enabled, so we had to create a brand new account for the user and work from there.

We originally planned to create a new mailbox and let the user start from scratch. However, we ran into an issue where the old mailbox would not go away, and it was preventing us from migrating a new mailbox into Exchange Online for the user.

I then found the following Exchange Management Shell command, which allows you to connect the local AD account to the existing Exchange Online mailbox:

Enable-RemoteMailbox USERNAME -RemoteRoutingAddress [email protected]

After running the command, the user was able to log in with the new AD account and had access to the mailbox again.
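Before running Enable-RemoteMailbox it is worth confirming that the AD account really is a plain user and that the cloud mailbox is not already linked to some other on-premises object, otherwise you can attach the wrong mailbox to the wrong person. The script below is an added example, not part of the original post; it assumes the on-premises Exchange Management Shell with an Exchange Online session opened via Connect-ExchangeOnline -Prefix Cloud (so Get-Mailbox is exposed as Get-CloudMailbox), and the routing domain is a placeholder.

```powershell
# Added example (not from the original post): pre-flight checks around
# Enable-RemoteMailbox so the on-premises account is linked to the intended
# cloud mailbox. Assumes an EXO session with -Prefix Cloud is already open.
param(
    [Parameter(Mandatory)][string]$UserName,       # sAMAccountName of the new AD account
    [Parameter(Mandatory)][string]$CloudMailbox,   # primary SMTP address of the existing EXO mailbox
    [string]$RoutingDomain = 'contoso.mail.onmicrosoft.com'   # placeholder tenant routing domain
)

# 1. The AD account must exist and must not already be an Exchange recipient.
$user = Get-User -Identity $UserName -ErrorAction Stop
if ($user.RecipientTypeDetails -ne 'User') {
    throw "$UserName is already recipient type '$($user.RecipientTypeDetails)'; refusing to enable."
}

# 2. The cloud mailbox must exist, must not be owned by another synced object,
#    and its UPN should match the new AD account (Azure AD Connect matches on UPN/proxyAddresses).
$cloud = Get-CloudMailbox -Identity $CloudMailbox -ErrorAction Stop
if ($cloud.IsDirSynced) {
    throw "'$CloudMailbox' is already synced from on-premises; another AD object owns it."
}
if ($cloud.UserPrincipalName -ne $user.UserPrincipalName) {
    throw "UPN mismatch: cloud '$($cloud.UserPrincipalName)' vs AD '$($user.UserPrincipalName)'."
}

# 3. Build the routing address from the alias the cloud mailbox already carries.
$routing = "$($cloud.Alias)@$RoutingDomain"

# 4. Link the on-premises account to the cloud mailbox (the command from the post).
Enable-RemoteMailbox -Identity $UserName -RemoteRoutingAddress $routing -ErrorAction Stop

# 5. Stamp the cloud ExchangeGuid on the on-premises object so later mailbox
#    moves see one consistent identity, then show the result.
Set-RemoteMailbox -Identity $UserName -ExchangeGuid $cloud.ExchangeGuid -ErrorAction Stop
Get-RemoteMailbox -Identity $UserName | Format-List Name, RemoteRoutingAddress, ExchangeGuid
```

The user only regains access after the next directory synchronization cycle, so check that the cloud object shows as synced before declaring it fixed.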

I hope you found this post helpful, and if you did, please share it with your friends.

Office 365 Hybrid – Shared Mailboxes Created in Exchange Online do not appear to users whose mailboxes exist on local Exchange

I have been working on a hybrid Exchange solution using Office 365. The client has several shared mailboxes, and I wanted to see if a shared mailbox created in Office 365 would appear for users who have not been migrated yet.

Long story short, the answer is no, it will not. The reason is actually pretty simple: anything created in Office 365 is never assigned a GUID by Active Directory (because we are only doing a unidirectional sync), so on-premises Exchange has no record of it.

It turns out, however, that if you migrate the mailbox to the on-premises Exchange server, a GUID can be assigned.

I found this article on Microsoft's support site on how to do it:
https://support.microsoft.com/en-us/help/3129334/users-in-a-hybrid-deployment-can-t-access-a-shared-mailbox-that-was-cr

Here is the process you need to follow in order to get it to work.

Please note, the website says that you do not need to do this if you are running Exchange 2016 CU 10 or later. The client was running 13 at the time; however, these steps did work.

  1. Convert the shared mailbox to a regular mailbox by using the Exchange admin center in Exchange Online. To do this, follow these steps:
    1. Open the Exchange admin center in Exchange Online.
    2. Click recipients, and then click shared.
    3. Select the shared mailbox, and then click Convert.
    4. On the Warning page, select Yes to convert the shared mailbox.
  2. Create an on-premises object for the cloud mailbox by using the New-RemoteMailbox cmdlet in the Exchange Management Shell.

    Note: This object must have the same name, alias, and user principal name (UPN) as the cloud mailbox.
  3. Set the ExchangeGuid property on the new on-premises object that you created in step 2 to match the cloud mailbox. To do this, follow these steps:
    1. Connect to Exchange Online by using a remote session of Windows PowerShell.
    2. Use the Get-Mailbox cmdlet to retrieve the value of the ExchangeGuid property of the cloud mailbox. For example, run the following command:

      Get-Mailbox <MailboxName> | FL ExchangeGuid
    3. Open the Exchange Management Shell on the on-premises Exchange server.
    4. Use the Set-RemoteMailbox cmdlet to set the value of the ExchangeGuid property on the on-premises object to the value that you retrieved in step 3b. For example, run the following command:

      Set-RemoteMailbox <MailboxName> -ExchangeGuid <GUID>
  4. Wait for directory synchronization to occur, or force directory synchronization.
  5. Make sure that the Office 365 user object is displayed as "Synced with Active Directory."
  6. Move the mailbox from Exchange Online to the on-premises environment.
  7. Convert the mailbox to a shared mailbox by using the Set-Mailbox cmdlet in the Exchange Management Shell. For example, run the following command:

      Set-Mailbox <MailboxName> -Type Shared
  8. Move the mailbox from the on-premises environment to Exchange Online.
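Steps 2 and 3 are where this procedure goes wrong in practice: a name, alias or UPN that does not match exactly, or a GUID typed by hand, leaves you with two objects that never pair up after sync. The script below is an added example, not from the original post or the Microsoft article; it performs steps 2 and 3 with those matches verified, and assumes the on-premises Exchange Management Shell with an Exchange Online session opened via Connect-ExchangeOnline -Prefix Cloud (so Get-Mailbox is exposed as Get-CloudMailbox). The OU and routing domain are placeholders.

```powershell
# Added example (not from the original post or the Microsoft article): steps 2 and 3
# of the procedure above, with the name/alias/UPN copied from the cloud mailbox and
# the stamped ExchangeGuid read back for verification.
param(
    [Parameter(Mandatory)][string]$MailboxName,   # identity of the (now regular) cloud mailbox
    [Parameter(Mandatory)][string]$OnPremOU,      # placeholder, e.g. 'contoso.local/Shared Mailboxes'
    [string]$RoutingDomain = 'contoso.mail.onmicrosoft.com'   # placeholder tenant routing domain
)

# Step 1 (convert to a regular mailbox) is done in the EAC; confirm it happened.
$cloud = Get-CloudMailbox -Identity $MailboxName -ErrorAction Stop
if ($cloud.RecipientTypeDetails -ne 'UserMailbox') {
    throw "'$MailboxName' is still $($cloud.RecipientTypeDetails); convert it to a regular mailbox first."
}
if ($cloud.IsDirSynced) {
    throw "'$MailboxName' is already synced from on-premises; another AD object owns it."
}

# Step 2: create the on-premises object with the SAME name, alias and UPN as the cloud mailbox.
# New-RemoteMailbox requires a password; a random one is generated and never used.
$tmpPassword = ConvertTo-SecureString -AsPlainText -Force -String ([guid]::NewGuid().Guid + 'Aa1!')
$remote = New-RemoteMailbox -Name $cloud.Name -Alias $cloud.Alias `
    -UserPrincipalName $cloud.UserPrincipalName -OnPremisesOrganizationalUnit $OnPremOU `
    -RemoteRoutingAddress "$($cloud.Alias)@$RoutingDomain" -Password $tmpPassword -ErrorAction Stop

# Step 3: copy the cloud ExchangeGuid onto the new object, then read it back to be sure it took.
Set-RemoteMailbox -Identity $remote.Identity -ExchangeGuid $cloud.ExchangeGuid -ErrorAction Stop
$check = Get-RemoteMailbox -Identity $remote.Identity
if ($check.ExchangeGuid -ne $cloud.ExchangeGuid) {
    throw "ExchangeGuid mismatch: on-prem $($check.ExchangeGuid) vs cloud $($cloud.ExchangeGuid)"
}
if ($check.UserPrincipalName -ne $cloud.UserPrincipalName -or $check.Alias -ne $cloud.Alias) {
    throw "On-premises object does not match the cloud mailbox; fix it before directory sync runs."
}
"{0}: name/alias/UPN match and ExchangeGuid {1} stamped. Continue with step 4 (directory sync)." -f $check.Name, $check.ExchangeGuid
```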
I hope you found this guide helpful, and if you did, please tell your friends.

How to tell if your user's AD account password has expired

As I said in a previous post, we are dealing with the aftermath of a disaster, so most of our administrative tools are still offline until we get around to bringing them back online. One of those tools was a real lifesaver: it would email not only the admin team but also the end users when their AD password was about to expire. Without it we are flying blind, which is not a big deal for the day-to-day management of our network.

Moving along, I got a call the other day from one of my users, who was working remotely, saying that he could not connect to email. So I asked him when the last time he reset his password was, and he said he did not know.

So I opened up my command line and ran the following command:

net user %USERNAME% /domain

Replace %USERNAME% with the username you want to query, and it will return a ton of information about the user account, including the date the password will expire.

Scenario 001 – You have a remote user who says they are not able to connect to the VPN and claims that their password may have expired.

So you come in Monday morning and you get a phone call from your Director of Sales, who says he is unable to log into the VPN. He is on the road all week in Canada and is not able to have you remote in to see what is going on. He has 30 minutes to prep for a very important meeting, and he left his PowerPoint deck on his H: drive. He also tells you that he thinks he has been seeing a message for the last two weeks telling him that he needed to reset his password, but he just forgot to do it.

How can you find out what is going on with his account?
Since we are working with a Microsoft AD environment, there are hundreds (if not thousands) of ways to find your answer. One of my favorite ways to see what is going on with an AD account is by using NET USER "Username" /DOMAIN.
This command will give you every piece of information about the user account that you could want, including:
  • AD group memberships
  • The last time the password was reset
  • When it can next be reset
Next time you have a chance to play with your AD domain, try familiarizing yourself with this command, as it may help you in the future.
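NET USER prints a wall of text, and the one line that answers the scenario above (Password expires) is easy to misread under time pressure. The function below is an added example, not from the original post; it runs the same command, parses the label/value lines, and returns a single object with the expiry decision already made. It assumes a domain-joined Windows host and the default English net.exe output labels.

```powershell
# Added example (not from the original post): wraps "net user <name> /domain" and
# parses the password fields the post relies on into one object. Assumes a
# domain-joined host and English net.exe output.
function Get-DomainPasswordStatus {
    param([Parameter(Mandatory)][string]$UserName)

    $raw = & net.exe user $UserName /domain 2>&1
    if ($LASTEXITCODE -ne 0) { throw "net user failed for '$UserName': $($raw -join ' ')" }

    # net user prints "<label><two or more spaces><value>" per line; collect those pairs.
    # Group-membership continuation lines start with whitespace and are skipped.
    $fields = @{}
    foreach ($line in $raw) {
        if ($line -match '^(?<label>[A-Za-z][^\s].*?)\s{2,}(?<value>\S.*)$') {
            $fields[$matches.label] = $matches.value.Trim()
        }
    }
    foreach ($required in 'Account active', 'Password last set', 'Password expires', 'Password changeable') {
        if (-not $fields.ContainsKey($required)) { throw "Field '$required' not found for '$UserName'." }
    }

    # "Never" means no expiry policy applies; anything else is a date in the current culture.
    $expiryDate = if ($fields['Password expires'] -eq 'Never') { $null } else { [datetime]::Parse($fields['Password expires']) }
    $now = Get-Date
    [pscustomobject]@{
        UserName          = $UserName
        AccountActive     = $fields['Account active'] -eq 'Yes'
        PasswordLastSet   = [datetime]::Parse($fields['Password last set'])
        PasswordChangeable = [datetime]::Parse($fields['Password changeable'])
        PasswordExpires   = $expiryDate
        PasswordExpired   = ($null -ne $expiryDate) -and ($expiryDate -lt $now)
        DaysRemaining     = if ($expiryDate) { [math]::Floor(($expiryDate - $now).TotalDays) } else { $null }
    }
}

# Usage for the scenario above (jdoe is a placeholder account name):
# Get-DomainPasswordStatus -UserName jdoe | Format-List
```

If PasswordExpired is true but AccountActive is also true, a password reset is all that is needed; if AccountActive is false, the account itself is disabled or locked and a reset alone will not get the user back onto the VPN.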

Active Directory Forest Trust – Allowed to Authenticate and why it is so important…

When setting up an Active Directory forest trust for one of my customers, I came across this issue.
Now, this was the first AD trust I had set up since being in school, where Server 2000 was not the best tool to learn on. Needless to say, I was a little rusty.
So, being tasked with this job by our Project Manager, I decided to do what any good engineer would do… GOOGLE IT!!!!
I came across many good articles on TechNet and also from regular bloggers, and I am pretty sure I used this blog as my reference material:
http://blogs.interfacett.com/how-to-configure-forest-level-trust-in-windows-server
Feeling confident, I went to the client site and began working on getting the forest trust set up. Please be mindful that there was a whole list of prerequisites for basic network connectivity that were done before I even got to this point. Some day I may even do an article on them, but not today.
By the time I had finished following the directions above and thought everything was good to go, I attempted to access a file from the remote AD domain in a folder in the local domain. Immediately I was met with Access is Denied, one of those messages that make my eye twitch. Before you ask: yes, I had already assigned security permissions and share permissions.
After some research into the subject and rebuilding the trust several times (which was unnecessary), I found on another blog that although the trust had been created, there were no permissions allowing the remote users to authenticate over SMB to access the files on the network.
So here is what I had to do:
1. Open ADUC (Active Directory Users and Computers).
2. Go to the computer/server object in AD that is hosting the files the remote users need to access.
3. Open the Properties window and go to the Security tab.
4. Add the security group from the remote domain and make sure it has the "Allowed to authenticate" permission applied.
After doing that I tried again, and like magic it just worked.
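The reason this permission was needed at all is that the trust was created with selective authentication: in that mode, users from the trusted forest can only authenticate to computers whose object explicitly grants them Allowed to authenticate, which is the least-privilege way to run a forest trust. The script below is an added example, not from the original post; it checks the trust mode, then grants the same right on the file server's computer object that step 4 above grants through the ADUC Security tab. It assumes the ActiveDirectory PowerShell module, an account that can read group objects in the trusted forest, and placeholder server, domain and group names.

```powershell
# Added example (not from the original post): grant "Allowed to authenticate" on a
# file server's computer object to a group from the trusted forest, with a check of
# whether the trust actually uses selective authentication. Names are placeholders.
param(
    [Parameter(Mandatory)][string]$ServerName,     # e.g. 'FS01'
    [Parameter(Mandatory)][string]$RemoteDomain,   # e.g. 'partner.example'
    [Parameter(Mandatory)][string]$RemoteGroup     # e.g. 'File Share Users'
)
Import-Module ActiveDirectory

# The right only matters on a selective-authentication trust; say so if it is forest-wide.
$trust = Get-ADTrust -Filter "Name -eq '$RemoteDomain'"
if (-not $trust) { throw "No trust to $RemoteDomain found." }
if (-not $trust.SelectiveAuthentication) {
    Write-Warning "Trust to $RemoteDomain is forest-wide; 'Allowed to authenticate' is not enforced there."
}

# Resolve the remote group's SID through a DC of the trusted forest.
$sid = (Get-ADGroup -Identity $RemoteGroup -Server $RemoteDomain -ErrorAction Stop).SID

# Read the GUID of the Allowed-To-Authenticate control access right from the
# configuration partition instead of hard-coding it.
$cfg = (Get-ADRootDSE).ConfigurationNamingContext
$right = Get-ADObject -SearchBase "CN=Extended-Rights,$cfg" `
    -LDAPFilter '(displayName=Allowed to Authenticate)' -Properties rightsGuid
$rightGuid = [guid]$right.rightsGuid

# Add the ACE to the computer object hosting the share, unless it is already there.
$computer = Get-ADComputer -Identity $ServerName -ErrorAction Stop
$path = "AD:\$($computer.DistinguishedName)"
$acl = Get-Acl -Path $path
$existing = $acl.GetAccessRules($true, $false, [System.Security.Principal.SecurityIdentifier]) |
    Where-Object { $_.IdentityReference.Value -eq $sid.Value -and $_.ObjectType -eq $rightGuid -and $_.AccessControlType -eq 'Allow' }
if ($existing) { "$RemoteDomain\$RemoteGroup already has Allowed to authenticate on $ServerName."; return }

$ace = New-Object System.DirectoryServices.ActiveDirectoryAccessRule(
    $sid,
    [System.DirectoryServices.ActiveDirectoryRights]::ExtendedRight,
    [System.Security.AccessControl.AccessControlType]::Allow,
    $rightGuid)
$acl.AddAccessRule($ace)
Set-Acl -Path $path -AclObject $acl
"Granted Allowed to authenticate on $ServerName to $RemoteDomain\$RemoteGroup."
```

Granting the right to a group rather than to individual users keeps the selective-authentication boundary auditable: the computer object's ACL lists exactly which trusted-forest principals may authenticate to that server.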

I hope you find this helpful down the road and good luck.