Benoit's corner

Sep 21
Exchange Online / Office 365 - Exchange: Failed to enable the new cloud archive error for existing cloud mailboxes

Recently I ran into an issue which is well documented for mailboxes moved to Exchange Online, but not in this case.

This issue occurred on existing online mailboxes with an online archive, which had already been moved online a long time ago.

Nothing appeared in the DirSync logs – neither an error nor an update – but on the admin portal I had an error message in the User management section stating there had been some conflict. So, using the … I was able to find the user account in error and see the following error message (as said, well known for mailboxes newly moved to online services):

Exchange: Failed to enable the new cloud archive 00000000-0000-0000-0000-000000000000 of mailbox bdff422d-b76e-4468-9436-4f3c0197808a because a different archive 0e88076e-4ee0-4b1e-a634-f640fb2b2459 exists. To enable the new archive, first disable the archive on-premises. After the next Dirsync sync cycle, enable the archive on-premises again.

Exchange: An unknown error has occurred. Refer to correlation ID: f7de317a-88b6-4c80-a27e-c844fe3ff5b7

This happened although nothing had been done that could affect user accounts on Office 365, and mostly the Exchange service.

The issue surfaced because the Outlook client could no longer connect to the mailbox, while accessing the mailbox using the direct URL for OWA worked – I say direct URL because links to OWA from any other service were greyed out. BUT the user was not able to send email through OWA.

[Screenshots: OWA is working; OWA links greyed from other services]

ActiveSync was working as expected in both directions, receiving and sending emails.

That said, the other strange thing with this issue was that the user mailbox was correctly shown in the Exchange Control Panel as a recipient, and the online archive feature was correctly enabled and showing the storage used by the archive.

The well-known fix for this issue is to disable the online archive, wait for directory synchronization and re-enable the archive feature; BUT this was not possible here, as the mailbox had already been in use for a few years and the online archive had a lot of content, and there is no way to export the content in order to delete the faulty online archive.

On the on-premises Exchange, running the command Get-RemoteMailbox with FL (Format-List) for the mailbox with the issue shows all the details of this mailbox, and indeed the ArchiveGuid was 00000000-0000-0000-0000-000000000000.

So, I ran the following command from the on-premises Exchange server: Set-RemoteMailbox -Identity <email address of the user account> -ArchiveGuid <GUID of the PREVIOUS online archive> and then ran a directory synchronization.

Then you have to wait a little until everything is replicated on the Exchange Online side.
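The check and the fix described above, written as a guarded function for the on-premises Exchange Management Shell. This is an added example, not the author's own script: the function name Restore-RemoteArchiveGuid and its guard logic are assumptions, and the mailbox address and archive GUID are supplied by the caller.

```powershell
# Added example (not from the original post). Run in the on-premises
# Exchange Management Shell. Restore-RemoteArchiveGuid is a hypothetical helper name.
function Restore-RemoteArchiveGuid {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        # Email address of the affected user account
        [Parameter(Mandatory = $true)] [string] $Identity,
        # GUID of the PREVIOUS online archive (the one that holds the content)
        [Parameter(Mandatory = $true)] [guid] $PreviousArchiveGuid
    )

    if ($PreviousArchiveGuid -eq [guid]::Empty) {
        throw 'PreviousArchiveGuid must be the real archive GUID, not the all-zero GUID.'
    }

    # Read the on-premises view of the remote mailbox
    $mbx     = Get-RemoteMailbox -Identity $Identity -ErrorAction Stop
    $current = [guid] $mbx.ArchiveGuid
    Write-Verbose "Current ArchiveGuid for $Identity is $current"

    if ($current -eq $PreviousArchiveGuid) {
        Write-Output "ArchiveGuid is already $PreviousArchiveGuid; nothing to do."
        return
    }
    if ($current -ne [guid]::Empty) {
        # Only repair the state described in the post (all-zero GUID on-premises)
        throw "ArchiveGuid is $current, not all zeros; refusing to overwrite it."
    }

    if ($PSCmdlet.ShouldProcess($Identity, "Set ArchiveGuid to $PreviousArchiveGuid")) {
        Set-RemoteMailbox -Identity $Identity -ArchiveGuid $PreviousArchiveGuid -ErrorAction Stop
        # Read the value back so the change is confirmed before the next sync cycle
        Get-RemoteMailbox -Identity $Identity | Select-Object Name, ArchiveGuid
    }
}

# Dry run first, then repeat without -WhatIf (placeholders as in the post):
# Restore-RemoteArchiveGuid -Identity '<email address of the user account>' `
#     -PreviousArchiveGuid '<GUID of the PREVIOUS online archive>' -WhatIf
```

The directory synchronization still has to run afterwards, as described in the post.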

Sep 21
Office 365 – Multi Factor allows to remember the device (preview)

As you may already know, Microsoft has included in the Office 365 Enterprise plans the ability to implement and use a multi-factor authentication (MFA) process to secure access to Office 365, in addition to the classic logon/password.

It seems this feature will now allow remembering the device for a period of days defined by the administrator, meaning end-users will not have to answer the MFA request each time they connect to Office 365 resources FROM THE SAME DEVICE.

To enable this new feature, currently in PREVIEW, log on to the Office 365 admin portal, go to the User management section and then to the Setup section for MFA.

To enable the Remember feature, go down the setup page, enable Manage user devices and then define the number of days before the user has to answer the MFA request again.

Sep 18
Office 365 / Microsoft Azure – Azure Active Directory Connect tool installation and configuration

Following the availability of the Azure Active Directory Connect tool, allowing multi-forest synchronization, attribute selection and much more (and even more to come), this post details the installation and configuration steps.

IMPORTANT: this synchronization tool is not available from the usual link shown on the Office 365 Admin portal – that one still supports only ONE AD forest.

  • Install the prerequisites on a Windows Server 2008, 2008 R2, 2012 or 2012 R2
    • .NET Framework 4.5
    • PowerShell

 

Azure Active Directory Connect Installation

  • Then start the pretty straightforward installation

  • Enter your Azure AD (or Office 365) global admin credentials; as for the ‘standard’ Office 365 DirSync, I would recommend using a dedicated cloud account with a complex password which never expires. The good point with this tool is you can use it to provision your Azure Active Directory even if you don’t have an Office 365

If you forgot to enable the directory synchronization feature on your Azure/Office 365 tenant you will get the following error; the good news is you can still do it, as it is pretty quick to enable (of course it may depend).

If your account is not a global administrator, you will get the following error – the problem here is that it does not say you are not a global administrator, just that you are not authorized to access the AAD.

An error occurred. Error code: 6. Error Description: Your credentials are not authorized to access Windows Azure Active Directory.

  • Then you can add your on-premises AD forests (of course this tool can work with only ONE AD forest too). Once again, I recommend using a dedicated service account for this – good news, this account does not need any privileges other than those of a “standard” user. Don’t forget to enter the service credential in the form domain\user

  • Then you have to define a way to identify users across your forests in case you have duplicate user accounts across forests (you can even choose your own attribute), as well as which attribute to use as source anchor for AAD

To know more about user matching, go to http://go.microsoft.com/fwlink/?LinkID=395087#UserMatchingHelp

  • Then you enable optional features like Azure AD Premium password write back or Exchange Hybrid. If you are using Azure Access Control to publish applications, you can also define this option.

NOTE: if you enable Password Write Back here BUT do not have it enabled on your AAD, the setup will continue and will not notify you

  • If you don’t enable the Azure AD App and attribute filtering you are almost done

  • If you enable the Azure AD App and attribute filtering you have to define which applications and attributes you want to use

  • You are done. Just validate your configuration and let the tool configure itself

  • As usual, if you want to use OU (or attributes) based filtering, do not start the synchronization now and open the MIIS console (C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe)

NOTES

  1. You cannot manually start the synchronization using the well-known PowerShell command Start-OnlineCoexistenceSync. If you want to start a manual synchronization, you need to run the scheduled task (see below)
  2. There is no longer a web.config to set up the synchronization schedule, which is set to every 3 hours by default (as for Office 365 DirSync). Now there is a scheduled task called Azure AD Sync Scheduler. At this time, Microsoft does not say whether changing the schedule is supported or not (I was told during the beta they will not support this)

 

Azure Active Directory Connect Configuration Change

After setting up AAD Connect, you may need to change some settings, such as enabling/disabling optional features, adding/removing an AD forest…

To do so, first disable the scheduled task (to ensure no operations are {or will be} in progress during your configuration update) and then just launch the Directory Sync tool again (using the shortcut on the desktop – or by going directly to C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe)
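Both the manual synchronization mentioned in the notes and the disable-before-reconfiguring step above can be driven from PowerShell. This is an added example, not from the original post: it assumes the ScheduledTasks module (Windows Server 2012 or later), and the function names are hypothetical helpers; the task name and tool path are the ones given in the post.

```powershell
# Added example (not from the original post). Run elevated on the sync server.
# Uses the ScheduledTasks module (Windows Server 2012 or later).
$TaskName = 'Azure AD Sync Scheduler'   # task name as given in the post
$ToolPath = 'C:\Program Files\Microsoft Azure AD Connection Tool\DirectorySyncTool.exe'

function Wait-SyncTaskIdle {
    # Block until no synchronization run is in progress (or give up after the timeout)
    param([int] $TimeoutSeconds = 3600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-ScheduledTask -TaskName $TaskName -ErrorAction Stop).State -eq 'Running') {
        if ((Get-Date) -gt $deadline) {
            throw "Task '$TaskName' is still running after $TimeoutSeconds seconds."
        }
        Start-Sleep -Seconds 15
    }
}

function Start-ManualSync {
    # Run the scheduled task on demand, since Start-OnlineCoexistenceSync is not available
    Wait-SyncTaskIdle
    Get-ScheduledTask -TaskName $TaskName | Start-ScheduledTask
    Start-Sleep -Seconds 5
    Wait-SyncTaskIdle
    # LastTaskResult 0 means the run completed without error
    Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
        Select-Object LastRunTime, LastTaskResult
}

function Invoke-ConfigurationChange {
    # Let a run in progress finish, block new runs, open the wizard, then re-enable
    Wait-SyncTaskIdle
    Get-ScheduledTask -TaskName $TaskName | Disable-ScheduledTask | Out-Null
    try {
        Start-Process -FilePath $ToolPath -Wait
    }
    finally {
        # Re-enable even if the wizard is closed with an error
        Get-ScheduledTask -TaskName $TaskName | Enable-ScheduledTask | Out-Null
    }
}

# Usage:
# Start-ManualSync
# Invoke-ConfigurationChange
```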

Remove an AD Forest

After starting the tool again, just go to the Connect to AD DS step and click on the cross on the left side of the forest you want to remove

Sep 18
Microsoft Azure – Azure Active Directory Synchronization tool is now live (Office 365 Multi AD Forest sync)

Microsoft has announced the availability of the Azure Active Directory Synchronization tool – not to be confused with Office 365 Directory Synchronization, which supports ONLY one AD forest.

This synchronization tool helps to synchronize your on-premises AD with Azure AD, covering multi AD forest sync, attribute selection…

This is the first release of this tool and more features will come.

To download this tool go to http://go.microsoft.com/fwlink/?LinkId=511690

You can also take a look at my previous post, based on a public beta build: http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=592

Sep 15
Office 365 – Simplified Service Settings page

As Microsoft Office 365 is continuously evolving, a new Service Settings page is going to be deployed and made available.

At the time of writing, this new simplified page is only available for new tenants, but it should come very soon to all existing tenants.

This simplified page no longer requires submenus and displays all Service Settings within one page, as shown below.

 

[Screenshots: Current Service Settings Page; New Service Settings Page]

Sep 11
Office 365 – Advanced configuration and troubleshooting tools

While working with my Exchange 2013 hybrid configuration, especially updating the hybrid configuration after certificate and domain updates, I ran the HCW on Exchange 2013 SP1 CU 6 and discovered a few new things (I already introduced this in my previous post about the automated OAuth configuration http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=622)

As part of this, I paid attention to the URL displayed while running this new wizard (https://configure.office.com/scenario.aspx?sid=2) and so was interested to see what is hosted/offered by https://configure.office.com/

NOTE I had confirmation this site is not completely ready and any configuration options should be performed using the usual steps – such as the HCW for Exchange Hybrid.

So if you open this link https://configure.office.com/ using an Office 365 admin account, you will reach a specific page of the Office 365 admin portal. Please note that this page is neither directly referenced from the “normal” admin portal nor documented anywhere. If you use a “normal” account, you will also reach the same page, but there is NO filtering based on the user permission, so configuration options will be displayed anyway.

As you can see, this page is mainly oriented towards troubleshooting issues with Office 365 usage.

For any of the options, the Cancel button returns to the main/normal admin portal; if you want to go back to the Configure page you have to enter the URL again. I recommend running an option from a server using the service; I mean, if you run a mail option (configuration or troubleshooting), run it from an Exchange server. Even if you can run these tools from any client, some actions may require server configuration updates.

Dashboard

This page is “under construction”, so we may assume it should display the same details as the current dashboard on the “normal” admin portal

Setup

This page assists you with the Office 365 setup. You can install and use an App if you meet the requirements, or continue using a web wizard.

For the purpose of this post, I ran the 2 options – with and without the app

Running the app

The app automatically discovers what you already have set up or can configure according to the current state of your tenant

Not using the app

This page displays the different options/scenarios you can set up with Office 365 (from identity management to service setup).

When you select a first option, it automatically disables the options which are not compatible with your selection; you can choose your first option as you want, meaning you can select a service configuration (Hybrid deployment for your mail, for example)

Cloud Connect

This option is used for Exchange Hybrid configuration; you should not have to run this manually as this is the one which is automatically launched from the HCW to configure OAuth with your on premises system.

 

After these first 3 options related to service configuration, the others are related to troubleshooting.

Lync Diagnostic

This helps troubleshoot Lync connectivity.

It seems there is some bug(s) here in the results as the so called missing entries already exist and are working fine.

Outlook Diagnostic

As for Lync, this option helps troubleshoot the Outlook connection to Exchange Online. This is obvious, but it starts by checking whether you have Outlook installed and its version. Checks are performed against the current Outlook profile (current connected account).

OWA Diagnostic

This helps to diagnose OWA connection and use. The tool checks connectivity as well as Internet Explorer settings to ensure nothing blocks or disturbs OWA access. NOTE: I did not test using another web browser, so I’m not sure if this will check only IE or any compatible browser.

Readiness

This option will help you to ensure your readiness for onboarding to Office 365. You have 2 options here: one quick and basic, and one more advanced. Both options need you to download and install a tool. It may take some time to be completed as it checks all services/features used by your users (like Exchange Online Archive) to ensure current level of usage does not affect performance.

And this generates a report. Please note it seems there is some bug(s) here, as the tool reports some missing DNS entries BUT these entries exist and I can say it is working perfectly. It also reports that I’m not running the most recent version of Office, but (of course) this is not the case as I’m using Office 2013 Pro.

Apart from these false positive errors, it is always interesting to get some health analysis.

Quick and Basic

You have nothing to do with this option. The tool automatically runs the checks, from DNS configuration to Office 365 services configuration and usage level.

Advanced

 

Mail Flow Troubleshooter

This one is self-explanatory.

This will help you to troubleshoot mail flow between your environment and Office 365. It covers multiple scenarios, from delays for incoming emails to messages stuck in the Outbox folder.

Exchange Hybrid Product Key Distribution

This is the page where you can get the Exchange license (if you are eligible) for your Hybrid server. So this option is self-explanatory too

SharePoint Online Diagnostic

This

If you click to run the tool you will be redirected to another page to download and install the tool. NOTE: at the time of writing this post, there is a certificate error, so you must click on Continue. This is due to the certificate used by the Azure services which host this service.

I don’t know if this option is already implemented or not, as I got the error below. So I can’t say more about this option. Maybe this is also because I did not configure “hybrid” mode for SharePoint (http://technet.microsoft.com/en-us/library/jj838715(v=office.15).aspx)

The requested URI does not represent any resource on the server.

Sep 09
Office 365 – Delve is now available in preview

As you may already know – if not, this will now be the case – Microsoft has introduced a new setting to allow you to get future releases of Office 365 features before they are widely deployed and available. This setting is called Updates\First Release and it can be activated from the Office 365 Admin portal (it may take up to 24 hours to get this fully activated).

Why am I talking about this? It is just because the first feature that is part of this pre-activation is now available for those who have already enabled this setting. This new feature is called Delve – previously also called Oslo

Delve is a feature that helps provide relevant information to end-users – in some way this is an improvement to the search service (but not the search service). More about Delve here http://office.microsoft.com/en-us/business/what-is-delve-FX104369201.aspx and here http://blogs.office.com/2014/03/11/introducing-codename-oslo-and-the-office-graph/

Delve is included in all Office 365 Enterprise plans (E1 to E4) and will be fully deployed starting January 2015, when it will also be available for Business Essentials and Business Premium plans.

If you have an Enterprise plan and want to try Delve, just start by enabling the First Preview settings.

Then Delve will be available from any SharePoint site thanks to the shortcut displayed in the top nav bar

You may have to enable Office Graph for the SharePoint Online admin portal (Settings\Office Graph) – for my tenant I did not have to.

Finally, keep in mind that it may take 24 hours to get content updated on Delve after you have uploaded new documents to SharePoint.

Sep 03
Office 365 – Update your federation trust with Office 365 by September 23rd

In case you missed it, Microsoft has published an announcement in the Message Center on the Office 365 Administration portal asking you to update your federation trust by September 23rd. If you don’t do it, your authentication may stop working after this date.

This is because they have updated the certificate associated with the tenant to secure the federation trust.

To update your trust, just log on to your Exchange server (if you run a farm of servers) and run the command Get-FederationTrust | Set-FederationTrust -RefreshMetadata from an Exchange PowerShell command prompt, started as usual using Run as administrator.
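To confirm that the refresh actually picked up the new certificate, the token issuer certificate held by each federation trust can be recorded before and after the command. This is an added example, not from the original post or from Microsoft's announcement; the two function names are hypothetical helpers, and it runs in an elevated Exchange Management Shell.

```powershell
# Added example (not from the original post). Run in an elevated Exchange
# Management Shell. Get-TrustCertSummary and Update-TrustAndCompare are
# hypothetical helper names.

function Get-TrustCertSummary {
    # One row per federation trust: the token issuer certificate Exchange currently holds
    Get-FederationTrust | ForEach-Object {
        $cert = $_.TokenIssuerCertificate
        New-Object PSObject -Property @{
            Name       = $_.Name
            Thumbprint = if ($cert) { $cert.Thumbprint } else { $null }
            NotAfter   = if ($cert) { $cert.NotAfter }   else { $null }
        }
    }
}

function Update-TrustAndCompare {
    $before = @(Get-TrustCertSummary)

    # The command from the announcement
    Get-FederationTrust | Set-FederationTrust -RefreshMetadata

    foreach ($now in @(Get-TrustCertSummary)) {
        $old = $before | Where-Object { $_.Name -eq $now.Name }
        New-Object PSObject -Property @{
            Name          = $now.Name
            OldThumbprint = $old.Thumbprint
            NewThumbprint = $now.Thumbprint
            # "False" is expected if the metadata had already been refreshed earlier
            Changed       = ($old.Thumbprint -ne $now.Thumbprint)
            NotAfter      = $now.NotAfter
            # An expired certificate after the refresh needs investigation
            Expired       = ($now.NotAfter -and ($now.NotAfter -lt (Get-Date)))
        }
    }
}

Update-TrustAndCompare |
    Format-Table Name, Changed, OldThumbprint, NewThumbprint, NotAfter, Expired -AutoSize
```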

 

Here is the message posted

Update your Federation Trust by September 23

On September 23, 2014, you may encounter issues if you haven’t refreshed your federation trust information for your Exchange hybrid deployment. We’ve refreshed your Office 365 Organization ID certificates. Please run the following PowerShell cmdlets to update your federation trust information:
Get-FederationTrust | Set-FederationTrust -RefreshMetadata
Please click Additional Information to learn more.

Additional Information

Sep 01
Office 365 – New settings to set Office 365 landing page

As you may already know, Office 365 services are accessible directly using their own URLs (like https://outlook.office365.com or https://<your tenant>.sharepoint.com), but they are also accessible from the Office 365 portal, which also allows end-users to install software, update their settings…

However, when an end-user types https://portal.office.com, he is usually redirected by default to his OWA mailbox, while admins are directed to the admin portal.

A coming update will allow you to define the landing page.

Setup your Start Page

To do this, just log on to any Office 365 service, and go to the Office 365 settings menu available from the Gear

Then click on the new option called Start Page and select your start page, from the Office 365 portal to Yammer or Outlook; of course, the option to choose the Office 365 admin center is only available to administrators.

The setting will be taken into account the next time the user logs on to Office 365.

Aug 29
Azure Active Directory – Registered Devices are not synched between Active Directory and Azure Active Directory

Following my previous post about this feature in preview on Azure Active Directory allowing you to set up Join Workplace / Register Devices – see http://blog.hametbenoit.info/Lists/Posts/Post.aspx?ID=609, I ran into an issue. Registered devices are not synched between AD and AAD; devices registered on AD do not show up on Azure portal and device registered on AAD are not synched back on AD.


On the directory sync tool, it shows the following error

Stack Trace

Microsoft.MetadirectoryServices.ProvisioningBySyncRuleException: The partition filter criteria for management agent "Active Directory Connector" do not include an object with DN "CN=5111aac0-ceae-48fa-885b-cecf9f21bb17,CN=RegisteredDevices,DC=<removed>,DC=<removed>" and object classes msDS-Device.

Of course, there is no RegisteredDevices OU available for selection in the MA; it would have been too simple

 

So, the solution is anyway relatively simple

On the server where the Azure Active Directory Synchronization tool has been installed, open the FIM console (located in the directory "C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\"; run miisclient.exe)

Then go to the Management Agents tab and open the properties of your Active Directory Connector

Reach the Configure Directory Partitions section, open Select containers for this partition and enter your AD admin credentials

Do not change any OU selection (unless you want to update your OU filtering at the same time); click on the Advanced button

Add the DN (Distinguished Name) of the RegisteredDevices container (it should look like CN=RegisteredDevices,DC=<domain>,DC=<top level>) in Specify additional containers to add and ensure the Include container option is selected

Close all windows and run a full sync, while still within the Management Agents tab

  1. Select Active Directory Connector and click Run\Full Import Full Sync
  2. Select Windows Azure Active Directory Connector and click Run\Full Import Full Sync
  3. Select Windows Azure Active Directory Connector and click Run\Export
  4. Select Active Directory Connector and click Run\Export

Et voila, all registered devices – from AD or AAD – are synched
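To get the exact DN to type into the Advanced dialog, and a list of the device objects AD holds to compare with the Azure portal after the sync, the container can be queried directly. This is an added example, not from the original post: it assumes the ActiveDirectory PowerShell module (RSAT) is installed, and Get-RegisteredDeviceReport is a hypothetical helper name.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory
# module (RSAT) and an account that can read the domain partition.
Import-Module ActiveDirectory

function Get-RegisteredDeviceReport {
    # Build the DN expected by the "Specify additional containers to add" box
    $domainDn    = (Get-ADDomain).DistinguishedName
    $containerDn = "CN=RegisteredDevices,$domainDn"

    # Stops here with an error if the container does not exist in this domain
    Get-ADObject -Identity $containerDn -ErrorAction Stop | Out-Null

    # Device objects are direct children of the container (see the DN in the stack trace)
    $devices = @(Get-ADObject -SearchBase $containerDn -SearchScope OneLevel `
            -LDAPFilter '(objectClass=msDS-Device)' `
            -Properties displayName, whenCreated)

    New-Object PSObject -Property @{
        ContainerDn = $containerDn
        DeviceCount = $devices.Count
        Devices     = $devices | Select-Object Name, displayName, whenCreated
    }
}

$report = Get-RegisteredDeviceReport
"Container DN to add in the connector: $($report.ContainerDn)"
"msDS-Device objects in AD: $($report.DeviceCount)"
$report.Devices | Sort-Object whenCreated | Format-Table -AutoSize
```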



 About

Benoit specializes in Microsoft infrastructure (Active Directory, Azure, ForeFront products, Hyper-V, Identity Management, System Center, Windows) and collaboration (BPOS, Exchange, Office 365, SharePoint) technologies.

He has been awarded Microsoft Most Valuable Professional (MVP) since 2002 - on Windows, then SharePoint and finally Office 365. He has been recognized as a Microsoft Community Contributor for his work in the Office 365 community in 2013 and 2014.

He has been involved in the early stages of the testing phase for many Microsoft products - from Windows to Office 365, including Exchange, SharePoint, the Office client and WindowsUpdate.

He has participated as a speaker or Ask The Expert (ATE) at many Microsoft or Quest events. He also participated in writing several books on SharePoint (2003 to 2010).

He is now working as a Cloud Solution Architect for an Australian-based company, Kloud, in Sydney, after working at Capgemini Australia, Capgemini and Sogeti France, Microsoft France and Avanade France.

With more than 10 years of professional experience, he has a deep knowledge of the Microsoft market and its competitors.

