Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
devmd01
Mar 7, 2006

Elektronik
Supersonik


Oscar Wilde Bunch posted:

I've taken to using BitTitan or Skykick. No goofing with hybrid, no connectors to clean up. Sure it costs, but being able to do on the fly mailbox type remaps (person to shared, shared to resource, person to resource, etc...) plus having a deployable client that does auto Outlook profile switching was worth it.

Bittitan is great. Used it to migrate the mailbox contents for ~1400 employees from an acquisition a couple of years ago and it was super easy to use. That was a slightly different use case though as all we were doing was copying the mailbox contents off of the separating companyís exchange, no identity migration.

We made another smaller acquisition last year and are in the planning stages of throwing out pretty much all of their IT infrastructure to include their O365 tenant. This one is a bit more complex since we are migrating identities and domain ownership to our tenant. Bittitan licenses just arrived, so itís time to get to work!

Adbot
ADBOT LOVES YOU

Thanks Ants
May 21, 2004

#essereFerrari




I like Migrationwiz but *providing your on-prem Exchange is working well* then doing a hybrid would still be my preferred way to do that migration, even if it's just so everything can be done in phases without anybody noticing.

Submarine Sandpaper
May 27, 2007




If this wasn't a one off I may be more inclined to do that. I think I'm going to go bittitan. No need for trusts or rectifying GUIDs or SMPT matching with the 365 tenant.

nvrgrls
Apr 24, 2004



https://github.com/cisagov/CHIRP

find out how owned yr servers are

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



A ticket came in: Allow Access to Outlook Web Access only from US

Internet Explorer
Jun 1, 2005


Bob Morales posted:

A ticket came in: Allow Access to Outlook Web Access only from US

And to think, it could be as easy as a click of a button.

https://docs.microsoft.com/en-us/azure/active-directory/conditional-access/howto-conditional-access-policy-location

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!




It's easy in the firewall to do apply incoming GeoIP US-only

It's just going to create about 20 tickets to unblock certain things in the future.

nvrgrls
Apr 24, 2004



That's a problem for Future You.

nvrgrls
Apr 24, 2004



A few months ago I was in a meeting that got zoom-bombed and I was like "I know how to avoid this, I'll just make it so my Zooms can be US-only!" and then I got a call saying "hey so-and-so from Vancouver can't join the meeting"
whoopsy-daisy

Old Binsby
Jun 27, 2014



get patching boys/girls/x, 4 more critical exploits this month
https://techcommunity.microsoft.com/t5/exchange-team-blog/released-april-2021-exchange-server-security-updates/ba-p/2254617

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Performing some thread necromancy here...

I have a pretty new (to us) client that has an Exchange 2019 server and needs us to collect a bunch of emails for a legal matter.

I've run eDiscovery with Exchange online before but not on-premise. I'm running into a strange issue where it's not returning all emails.

If you use the eDiscovery preview it will show, say, 20000 emails but if you export to a discovery mailbox or pst it will only export 1400.

Checking the csv that gets exported with the pst shows a really big gap in emails returned.

Anyone have any ideas about what might be happening? Having a hard time even figuring out where I'd find an error log for this

you ate my cat
Jul 1, 2007



Has anyone ever dealt with cancelled meetings from a shared mailbox calendar being recreated on the attendees' calendars? There are a bunch of bits and pieces of suggestions online for it, but I'm trying to understand the underlying functionality of what's going on here. A user with delegate rights is cancelling a meeting, the recipients all receive cancellation notices, and the invite disappears as normal. The next day, the calendar repair assistant helpfully recreates the meeting with the "Exchange server re-created a meeting that was missing from your calendar" text.

I know I can probably do a search and destroy on everyone's calendars and remove the meeting that way, but I was hoping to understand more about what's happening. Is this a sync issue somehow? Or is there something else going on here? Any useful resources on the repair assistant or related topics that I can read?

bitterandtwisted
Sep 4, 2006






We're divesting part of our business and those staff have two email accounts while that is going on (one for us, one for the purchasing company)
The new company have set forwards from staff's new accounts to their old ones

Does that create an open relay if they get an external email that goes from eg gmail - > them -> us automatically via mail flow rule?

Will Styles
Jan 19, 2005


That's not technically an open relay. An open relay would be a third party connects to your server and is able to send an email to any recipient they wish, not just users at your domain. In your scenario the gmail.com sender would need to be sending specifically to recipients at a domain the other company is configured to accept mail for, and then those are sent to your servers.

Depending on how forwarding is done, and the trust relationship established between the two companies, you may run into some DMARC problems though. From your example, when the message arrives at your border it could be from a gmail.com sender, but sent by servers from the other company. This would fail SPF and if the message isn't signed with DKIM or DKIM doesn't align then the message would fail DMARC. Of course if you've safe listed messages coming from the other company then you won't have to worry about that (most likely).

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



Is there a way to view the full message headers in 365 Message trace? Would be useful for troubleshooting.

Only registered members can see post attachments!

Thanks Ants
May 21, 2004

#essereFerrari




At a guess you can take the message ID and shove it into eDiscovery and get the message itself, not sure if there's a way to restrict access to just the headers though.

Old Binsby
Jun 27, 2014



Afaik there is no method to do this on delivered user messages but you can check the headers of quarantined mail. You have to access the quarantine via the gui and click around until you find a 'preview message' button. Or use Get-QuarantineMessageHeader in powershell with the appropriate message ID.

Outside of quarantine, do the Thanks Ants thing. Or, if you don't like the clunkiness of eDiscovery/it's just a small number of messages, you could also ask a user to select it in Outlook and press ctrl+alt+f. A new mail window with the original message attached will appear, they can simply address it to you and send. It retains the headers of the original in attachment. Hard to do large scale, i guess

nvrgrls
Apr 24, 2004



A client has asked for a way to block an Exchange Online user from sending emails during specific time windows. Is this possible?

Boogalo
Jul 8, 2012

Meep Meep






nvrgrls posted:

A client has asked for a way to block an Exchange Online user from sending emails during specific time windows. Is this possible?

I guess you could set up a power app (or power automate? i get them confused) to powerhsell disable sending and then enable it on a schedule.

Thanks Ants
May 21, 2004

#essereFerrari




Countries are writing laws about being contacted outside of work, I'd have assumed companies have sprung up to control access to things on a schedule.

Maneki Neko
Oct 27, 2000



In the olden days I've seen companies using Windows Logon Hours to control that but I haven't seen a cloud version of that.

I suppose you could probably do something crazy with Azure AD Connect and pass through authentication but that kind of makes me shudder and the long auth times for things like activesync would probably get around it.

J
Jun 10, 2001



Happy 2022 to any suckers like myself still responsible for on-prem exchange, your mail flow is probably down! Fortunately there is a workaround that is easy to do even if you're still drunk.

https://borncity.com/win/2022/01/01/exchange-fip-fs-scan-engine-failed-to-load-cant-convert-2201010001-to-long-1-1-2022/

Disable-antimalwarescanning.ps1 as seen here: https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help got our mailflow working again.

Bandire
Jul 12, 2002

Ding!


J posted:

Happy 2022 to any suckers like myself still responsible for on-prem exchange, your mail flow is probably down! Fortunately there is a workaround that is easy to do even if you're still drunk.

https://borncity.com/win/2022/01/01/exchange-fip-fs-scan-engine-failed-to-load-cant-convert-2201010001-to-long-1-1-2022/

Disable-antimalwarescanning.ps1 as seen here: https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help got our mailflow working again.

Seriously wtf. Luckily I discovered the problem early in the evening because of external mail flow monitoring. I'm not even sure if this is something that can be fixed by automated self updating.

Its kind of amazing that the cause is the variable they use for the definitions serial number is too small when the year rolled over to 2022, and the failurestate is oops no mail flow.

underlig
Sep 13, 2007


J posted:

Happy 2022 to any suckers like myself still responsible for on-prem exchange, your mail flow is probably down! Fortunately there is a workaround that is easy to do even if you're still drunk.

https://borncity.com/win/2022/01/01/exchange-fip-fs-scan-engine-failed-to-load-cant-convert-2201010001-to-long-1-1-2022/

Disable-antimalwarescanning.ps1 as seen here: https://docs.microsoft.com/en-us/exchange/disable-or-bypass-anti-malware-scanning-exchange-2013-help got our mailflow working again.
I'm in healthcare-it and we had a problem over the weekend where our Computer-based Patient Record stopped accepting results from an external pathology system.
I'm more in infrastructure so i wasn't involved in the first hour of troubleshooting, but i'm also in charge of making sure our Biztalk-servers do their stuff correctly and they were involved in the flow, so i got involved in the troubleshooting.

One of the first things i asked, jokingly, was if the CPR handled dates as int32.

Turns out an hour later when the developers checked on their end that it actually did.
So now we have an emergency patch on the way, combined with updates to the database because of course the table stores the date as int32.

I wonder what Stack overflow-post Microsofts Exchange-team and our CPR supplier might have copied the code from

Mierdaan
Sep 14, 2004



Pillbug

We've been migrated to hybrid Exchange Online for years now, but one of my users just had a very strange error. When she accepted meeting invites from her Outlook client, the responses would fail because she didn't have permissions to send on behalf of a user. That user was herself, and looking at her sent items folder showed that her X500 address was trying to send on behalf of... herself?

Accepting a meeting invite via OWA worked fine, and a restart of Outlook fixed the issue, but has anyone ever seen that before?

https://imgur.com/ySJy1Pj

wa27
Jan 14, 2007



This is a longshot but I'm getting desperate to solve this.

For the last couple weeks, Win10 profiles on my domain can't autodiscover 365 accounts in Outlook (2016, 2019, and Outlook365). Looking at the autodiscover log, the redirection from our domain is happening, but they get a 401 error (which prompts for password), and then just fails after that with error 0x80040413.

It's only happening on:
-win10 and server 2016. Win7 is fine.
-Domain accounts only. Local accounts are fine.
-NEW windows profiles only. Everyone who logged into their PC prior to February can autodiscover just fine, to any 365 account.

Which domain profile doesn't matter. 365 account doesn't matter. It also doesn't matter if it's on our own network (Putting a domain PC on a hotspot still fails, but logging into a local account on that same PC succeeds)

Example of a failure:


Example of a success:


(same email account, PC, and domain. Only difference is this is from a windows profile that was established on the PC several months ago)

The 0x80040413 seems important since it's a fairly uncommon error, but the few results that come up are old posts involving hosting their own exchange servers, and it hasn't helped me get closer to a solution.

It's extra frustrating because I don't know a way to work around this, so we have a new person that just started and has to use OWA to access email.

nielsm
Jun 1, 2009




Is it the Windows profile or the Outlook profile that matters?
Not that I have any particular ideas, but it might be worth trying to add a fresh Outlook profile to a working Windows profile to see if that fails too.

Bandire
Jul 12, 2002

Ding!


Do you get any errors running an autodiscover/Outlook connectivity check on https://testconnectivity.microsoft.com/ ?

underlig
Sep 13, 2007


wa27 posted:

For the last couple weeks, Win10 profiles on my domain can't autodiscover 365 accounts in Outlook (2016, 2019, and Outlook365). Looking at the autodiscover log, the redirection from our domain is happening, but they get a 401 error (which prompts for password), and then just fails after that with error 0x80040413.
Apologies if i'm completely off track, but it's no that they've changed authentication methods? https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online

wa27
Jan 14, 2007



nielsm posted:

Is it the Windows profile or the Outlook profile that matters?
Not that I have any particular ideas, but it might be worth trying to add a fresh Outlook profile to a working Windows profile to see if that fails too.

Outlook profile doesn't matter at all. As long as I'm on a "working" windows profile (or off the domain), I can set up any new or old email account I try. As for the windows profiles, it's only fresh logins that are failing. Even if an old domain account logs into a new PC for the first time, it will fail. I assume that means something is cached on all the existing profiles that I'm not realizing, and that's the difference.


Bandire posted:

Do you get any errors running an autodiscover/Outlook connectivity check on https://testconnectivity.microsoft.com/ ?
No errors, which I suppose makes sense since every PC outside our domain is fine. I forgot to mention, DNS health checks in O365 are all green. And I tried the Support/recovery assistant and it seemed to think that everything was working fine and set up an outlook profile. But loading outlook after that didn't actually load the mailbox.


underlig posted:

Apologies if i'm completely off track, but it's no that they've changed authentication methods? https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/deprecation-of-basic-authentication-exchange-online
We're definitely using basic auth still. I actually didn't know MS was forcing it so soon though, so thanks for that. :v:

I do wish I could try modern authentication just to see if that works, but as far as I know you can't just enable it for certain users, and I'm really not ready to turn that on for the whole agency at this time.

devmd01
Mar 7, 2006

Elektronik
Supersonik


Also why are you pointing to on-prem exchange for the auto discover handoff, do you still have resources homed in on-prem mailbox servers?

You need to get on modern auth, and fast. Itís not really that big of a deal or impact.

wa27
Jan 14, 2007



devmd01 posted:

Also why are you pointing to on-prem exchange for the auto discover handoff, do you still have resources homed in on-prem mailbox servers?

You need to get on modern auth, and fast. Itís not really that big of a deal or impact.

I think that's just Outlook 2016's preferred order of operations? We haven't had on-prem exchange since we migrated years ago. At that time I set up our DNS as the migration instructions specified, and the DNS check in the admin console seems happy with how we have it set up. When I try with Outlook 2019, it first tries outlook.office365.com/autodiscover/autodiscover.xml, which normally works and skips all the redirection. But even that is failing in the exact same way.

I hear you on the modern auth bit. It's on my priorities for the near future now. I'm a bit wary about throwing that switch right this moment though. Will it make everyone log in again? I worry that I'll then be stuck with 60 users unable to access their email instead of just 2 (for now).

edit: I'm reading more about enabling modern auth and I didn't realize disabling basic auth was a different process. I am going to read up more on this and may try it out tomorrow and see if that solves the problem in a roundabout way.

wa27 fucked around with this message at 22:12 on Feb 21, 2022

Bandire
Jul 12, 2002

Ding!


Yep, Enabling modern auth and disabling legacy auth are two distinct steps. We are running modern auth preferred, but haven't gotten the go ahead to turn off basic yet.

If this is working for non-domain joined machines, it sounds like it could be something in your provisioning process that changed. Are the affected boxes in the same OUs/SGs/GPOs as the ones that work?

Thanks Ants
May 21, 2004

#essereFerrari




So you don't have any on-prem Exchange servers, did you ever have on-prem Exchange, how did you decommission it? Where does autodiscover.yourdomain.com resolve to when you're on the network? Do you still have the SCPs in AD for any on-prem infrastructure?

I presume you are doing Azure AD sync from your AD to Microsoft 365? Do clients work for SSO if you browse to https://outlook.office.com or do they have to authenticate again?

wa27
Jan 14, 2007



Bandire posted:


If this is working for non-domain joined machines, it sounds like it could be something in your provisioning process that changed. Are the affected boxes in the same OUs/SGs/GPOs as the ones that work?
This is the path I've been going down recently, even though I know nothing has changed in those configs. It just seems like it *has* to be something on the profile that is being messed up by the domain. It appears that every Win10 PC is being affected. I've tried cleaning up old GPOs that aren't relevant anymore, and using admin accounts that have very few GPOs applied.

Thanks Ants posted:

So you don't have any on-prem Exchange servers, did you ever have on-prem Exchange, how did you decommission it? Where does autodiscover.yourdomain.com resolve to when you're on the network? Do you still have the SCPs in AD for any on-prem infrastructure?
It was Exchange 2003 and I wasn't in charge of the decommissioning back then, or much of the migration for that matter. If I recall, outlook accounts used to be manually set up since Exchange 2003 had no autodiscover capability, and I'm not seeing any remnants of the server in the AD now. autodiscover.mydomain.com goes to the OWA login for O365.

Thanks Ants posted:

I presume you are doing Azure AD sync from your AD to Microsoft 365? Do clients work for SSO if you browse to https://outlook.office.com or do they have to authenticate again?
No, our on-prem AD is separate.

Adbot
ADBOT LOVES YOU

Bandire
Jul 12, 2002

Ding!


Maybe get a freshly imaged machine before it is domain joined and test. If that works, then join it to the domain and test both local and domain accounts, and then disjoin it from the domain and test one more time.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply