Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



I think I am just going to make another connector specifically for the spam appliance. Not sure who set this up.


devmd01
Mar 7, 2006

Elektronik
Supersonik


I have a really, really weird one going on. We have a communications@contoso.com shared mailbox that is used for employee communications. Sometimes, a calendar invite for an event is created out of this mailbox and it is then either attached to the email or thrown on to SharePoint for someone to import into Outlook.

Here is where things get weird. If someone then forwards the event from their calendar, randomly the meeting forward notification gets sent to a DL for the office executive assistants as well as two people that haven't even been with the company for over five years if you look at message tracing. Those two people don't even exist in AD/Azure AD/365 anymore.

One of our ops people worked with Microsoft a couple of years ago and got nowhere, but the complaints have risen up again. Any ideas?

devmd01
Mar 7, 2006

Elektronik
Supersonik


Q!=E

Thanks Ants
May 21, 2004

#essereFerrari


Is the shared mailbox so important that you can't rename it and just make a new one?

Internet Explorer
Jun 1, 2005


Oven Wrangler

Alright, bit of a hail mary as I am out of my depth here.

Troubleshooting an issue that I don't have much info on. We're hybrid Exchange and apparently 3 old users are coming back and when they got re-provisioned, something went wrong to the point where on-prem Exchange thinks it's an O365 mailbox and there's no mailbox in O365. Confirmed the account was synced to O365 and is properly licensed. It's not a matter of it having been provisioned in O365 first, as when I try to get the ExchangeGUID there it doesn't see a mailbox. I noticed that there are some extra X500/x500 addresses, but I don't think that would cause a mailbox not to create in O365. I can't attempt to migrate the mailbox either direction because of the confusion.

I don't need to save anything in anyone's mailboxes. I have a feeling they were migrated from O365 to on-prem when they were retired back in the day, then that database was offlined at some point. Is there any good way to just tell on-prem Exchange "this is an on-prem mailbox now" and then migrate it to O365 again? Or somehow force O365 to try creating the mailbox again?

Thanks Ants
May 21, 2004

#essereFerrari


At last



No more creating a DL and then granting send-as for one person to send out as their alias

George H.W. Cunt
Oct 6, 2010



Internet Explorer posted:

Alright, bit of a hail mary as I am out of my depth here.

Troubleshooting an issue that I don't have much info on. We're hybrid Exchange and apparently 3 old users are coming back and when they got re-provisioned, something went wrong to the point where on-prem Exchange thinks it's an O365 mailbox and there's no mailbox in O365. Confirmed the account was synced to O365 and is properly licensed. It's not a matter of it having been provisioned in O365 first, as when I try to get the ExchangeGUID there it doesn't see a mailbox. I noticed that there are some extra X500/x500 addresses, but I don't think that would cause a mailbox not to create in O365. I can't attempt to migrate the mailbox either direction because of the confusion.

I don't need to save anything in anyone's mailboxes. I have a feeling they were migrated from O365 to on-prem when they were retired back in the day, then that database was offlined at some point. Is there any good way to just tell on-prem Exchange "this is an on-prem mailbox now" and then migrate it to O365 again? Or somehow force O365 to try creating the mailbox again?

Delete the Exchange GUID stuff in AD if it's there and rerun whatever script you have that provisions a mailbox and makes it a remote mailbox.

https://jaapwesselius.com/2018/06/14/cannot-find-a-recipient-that-has-mailbox-guid-when-moving-from-exchange-online-to-exchange-2016/

This seems similar though?

Internet Explorer
Jun 1, 2005


Oven Wrangler

George H.W. oval office posted:

Delete the Exchange GUID stuff in AD if it's there and rerun whatever script you have that provisions a mailbox and makes it a remote mailbox.

https://jaapwesselius.com/2018/06/14/cannot-find-a-recipient-that-has-mailbox-guid-when-moving-from-exchange-online-to-exchange-2016/

This seems similar though?

The link you shared has an Exchange GUID in O365, which is something we were missing.

As to your comment, is deleting the Exchange GUID in AD enough to have Exchange no longer think the user has a mailbox?

We ended up deleting these accounts and recreating them. That fixed the problem, but at the time I was trying to figure out exactly what caused it. Oh well, next time!
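
An added example, not from any poster in this thread: read-only PowerShell that classifies the mismatch discussed above, where the on-prem attributes mark a user as a remote (O365) mailbox but Exchange Online has no mailbox. The attribute names are the standard Exchange AD schema attributes; the state labels, the `CloudMailbox` field and the sample records are assumptions constructed for illustration.

```powershell
# Constructed sample records. In a live environment the on-prem fields come from
#   Get-ADUser -Properties msExchMailboxGuid,msExchRecipientTypeDetails,homeMDB,targetAddress
# and CloudMailbox records whether Exchange Online returned a mailbox for the UPN.
$sample = @(
    [pscustomobject]@{
        UPN = 'returning1@contoso.com'; msExchMailboxGuid = '00000000-0000-4000-8000-000000000001'
        msExchRecipientTypeDetails = 2147483648; homeMDB = $null
        targetAddress = 'SMTP:returning1@contoso.mail.onmicrosoft.com'; CloudMailbox = $false
    }
    [pscustomobject]@{
        UPN = 'healthy@contoso.com'; msExchMailboxGuid = '00000000-0000-4000-8000-000000000002'
        msExchRecipientTypeDetails = 2147483648; homeMDB = $null
        targetAddress = 'SMTP:healthy@contoso.mail.onmicrosoft.com'; CloudMailbox = $true
    }
    [pscustomobject]@{
        UPN = 'onprem@contoso.com'; msExchMailboxGuid = '00000000-0000-4000-8000-000000000003'
        msExchRecipientTypeDetails = 1; homeMDB = 'CN=DB01,CN=Databases,DC=contoso,DC=com'
        targetAddress = $null; CloudMailbox = $false
    }
)

function Get-HybridMailboxState {
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)] [psobject] $User)
    process {
        # msExchRecipientTypeDetails: 2147483648 = RemoteUserMailbox, 1 = UserMailbox
        $remote = $User.msExchRecipientTypeDetails -eq 2147483648
        $local  = ($User.msExchRecipientTypeDetails -eq 1) -and [bool]$User.homeMDB

        # State labels are hypothetical names chosen for this example.
        $state = if ($remote -and $User.CloudMailbox) { 'RemoteMailboxOk' }
        elseif ($remote -and -not $User.CloudMailbox) { 'RemoteStampedNoCloudMailbox' }
        elseif ($local -and $User.CloudMailbox)       { 'MailboxInBothPlaces' }
        elseif ($local)                               { 'OnPremMailbox' }
        elseif ($User.msExchMailboxGuid)              { 'OrphanedMailboxGuid' }
        else                                          { 'NotMailEnabled' }

        [pscustomobject]@{
            UPN            = $User.UPN
            State          = $state
            HasMailboxGuid = [bool]$User.msExchMailboxGuid
            TargetAddress  = $User.targetAddress
        }
    }
}

# Nothing is modified; the output only shows which accounts need a closer look.
$sample | Get-HybridMailboxState | Format-Table -AutoSize
```

`returning1@contoso.com` comes back as `RemoteStampedNoCloudMailbox`, the state described in the question: on-prem Exchange stamped as remote, with nothing provisioned in Exchange Online.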

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



I'm doing my first ever Exchange 2016 to 2019 migration. I've never done an Exchange migration before, but have done plenty of Office 365 hybrid migrations.

I've done my initial configuration and database move testing. So far so good.

The cutover appears to be that you update records/external rules to point to the new server, uninstall Exchange 2016, and be good to go.

With an O365 hybrid migration the Outlook auto reconfigures itself. Does something similar have to happen with this Exchange migration, or is the change invisible to the user (when done correctly)?

Thanks Ants
May 21, 2004

#essereFerrari


2016 and 2019 are new enough that this is just a member server joining an Exchange cluster, picking up roles, running alongside the old server for a bit and then the old server having roles removed before being shut down. As long as your autodiscover points to a server running the mailbox role then you should be golden.

Old Binsby
Jun 27, 2014



It should be a smooth transition if you do it the way Thanks Ants suggested so long as your autodiscover records are pointing towards that cluster and not any individual servers. In a domain environment, this might not be a problem because clients can autodiscover through AD with an SCP, but it's something to keep in mind. You can check which server the client uses with the Outlook built-in diagnostics; they might already be using your new one.

Same for external records, but it depends on your company firewall and policies whether your clients get through. It can be a bit of pain to figure out but you can use the remote connectivity analyzer tool to check that scenario.

No. 1 Juicy Boi
Jun 1, 2003

#1 JUICY BOY



Buglord

Weird question, but I'm not sure where else to look for this. Google's been unhelpful.

One of our C-levels is sharing his calendar with editor rights with an assistant, who helps him book meetings. He also has a bunch of "private"-flagged out of office meetings on his calendar. However, when the assistant tries to use the scheduling assistant to see when he's available, the private stuff on his calendar doesn't show up at all. Not just the details, it's empty space. The guy gave me the same permissions to test it out and I'm able to see everything just fine so I'm kind of stumped.

How the calendar looks (even for the assistant):


How scheduling assistant looks for the assistant:

Thanks Ants
May 21, 2004

#essereFerrari


Doesn't the dotted outline represent a tentative event, e.g. your C-level hasn't accepted it yet?

bobua
Mar 23, 2003
I'd trade it all for just a little more.



If I'm running a hybrid environment, can a cloud Exchange account have an on-premise archive box? Can a cloud Exchange account still 'open other user's folder' when the other user is on-premise?

Maybe a better question, is there any feature or access a user will lose if they are transitioned to off-premise?

Old Binsby
Jun 27, 2014



You can have an on-prem mailbox with a cloud-based archive but not the other way around.

Cross premises calendar sharing works. Individual mailbox folder access lists are not supported cross prem afaik, but full access permissions are and so are mailbox delegations set by the user.

Off the top of my head you lose support on the Send As permission. This does not mean Send As permissions don't work, they do usually and you can get them to work in most cases if not. But it's not a service MS will guarantee to work or support.
Full Access permissions and delegations set manually will not be applied on the cloud mailbox after migration in most cases. There's more but these are the big ones. Here are the details

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



This seems like something that should be easy to google, but I am failing miserably.

Got two Exchange servers setup with a DAG, and the goal is to make things highly available.

The concern now is with things like scan to email. Currently they're pointing to a single exchange server's IP address. If that server goes down and the other server takes over, I imagine that means these scans and such won't go through anymore.

Is there a way to have some kind of virtual IP address that both servers respond to? Is that going to be the DAG IP?

Sorry if this is a stupid question. I mostly work in Office 365 so this sort of thing doesn't come up much.

Thanks Ants
May 21, 2004

#essereFerrari


Here are your options

https://docs.microsoft.com/en-us/exchange/architecture/client-access/load-balancing?view=exchserver-2019

Just setting the DNS record with the CNAMEs of all the mailbox servers should get you 99% of the way there, it's probably not worth deploying (redundant) load balancers to add a small amount more availability.

snackcakes
May 7, 2005

A joint venture of Matsumura Fishworks and Tamaribuchi Heavy Manufacturing Concern



Thanks Ants posted:

Here are your options

https://docs.microsoft.com/en-us/exchange/architecture/client-access/load-balancing?view=exchserver-2019

Just setting the DNS record with the CNAMEs of all the mailbox servers should get you 99% of the way there, it's probably not worth deploying (redundant) load balancers to add a small amount more availability.

DNS is what I was thinking originally, but my concern was that if you happened to resolve to the server that was currently down you'd be out of luck. Unless that's not how it works?

Edit: after reading that article I see that I have underestimated DNS and I won't have this issue

snackcakes fucked around with this message at 17:14 on Feb 28, 2021

Thanks Ants
May 21, 2004

#essereFerrari


Outlook is getting a new feature if you use Exchange Online, where you can tag external messages in the application rather than having to use a transport rule to banner the messages

I can't see a blog post so you can have these screenshots from the admin portal




The cmdlet is https://docs.microsoft.com/en-gb/powershell/module/exchange/set-externalinoutlook?view=exchange-ps

Internet Explorer
Jun 1, 2005


Oven Wrangler

That's a way better solution than embedding it into the message. We don't use such a banner currently, but I would be way more accepting of this than the current way it's done. Thanks for sharing.

[Edit: Just noticed it's not available in Outlook for Windows yet. Kind of odd. I am sure that is coming soon, will hold off until then.]

Internet Explorer fucked around with this message at 15:55 on Mar 5, 2021

NevergirlsOFFICIAL
Apr 24, 2004



haaaaaaaaay

https://us-cert.cisa.gov/ncas/alerts/aa21-062a

Did everyone talk about this already

Boogalo
Jul 8, 2012

Meep Meep






Been too busy patching exchange from 15.6 to .19

Internet Explorer
Jun 1, 2005


Oven Wrangler

https://www.theverge.com/2021/3/5/22316189/microsoft-exchange-server-security-exploit-china-attack-30000-organizations

quote:

“if you’re running Exchange and you haven’t patched this yet, there’s a very high chance that your organization is already compromised.”

devmd01
Mar 7, 2006

Elektronik
Supersonik


Bumped to 2019 CU8 yesterday, then dropped the mitigation patch when I woke up early this morning. I am protected

E: I also wasn't really at risk since our poo poo isn't exposed externally

devmd01 fucked around with this message at 21:01 on Mar 6, 2021

underlig
Sep 13, 2007


Someone on Reddit posted that as Microsoft Security Response Center says, at the bottom of the post, the Microsoft Safety Scanner can now scan Exchange for vulnerabilities.
Might be worth a try?

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


This probably has to be the nastiest Exchange exploit in quite a while.

NevergirlsOFFICIAL
Apr 24, 2004



incoherent posted:

This probably has to be the nastiest Exchange exploit in quite a while.

Yeah and this is just the beginning.

Maneki Neko
Oct 27, 2000



Hopefully this is the push required to get rid of the on-Prem server requirement for hybrid.

Bob Morales
Aug 18, 2006


Just wear the fucking mask, Bob

I don't care how many people I probably infected with COVID-19 while refusing to wear a mask, my comfort is far more important than the health and safety of everyone around me!



quote:

xxx xxxx (Cygilant)
Mar 9, 2021, 4:57 AM UTC
Team,


We've received an alert of detection of a potential Exchange 0-Day Indicator of Compromise. We're reaching out to alert you to the fact that we are currently investigating your environment further. In the meantime, we'd like you to consider the following guidance:
...
hide ya servers
hide ya wife
...


"Proactively eliminate threats"

"Comprehensive, up-to-the-minute threat intelligence, visibility into security events, real-time incident notification and guidance to quickly address security issues."

NevergirlsOFFICIAL
Apr 24, 2004



Maneki Neko posted:

Hopefully this is the push required to get rid of the on-Prem server requirement for hybrid.

God willing

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010


They're dropping patches for specific 2016 and 2019 CU builds so yeah, I guess the "keep Exchange active for O365 object management" and forget about those deployments it really bit them in the rear end this time.

Then again, how many CU required schema updates was a bit tiring and difficult to wrangle if your exchange admin wasn't also your domain admin.

Internet Explorer
Jun 1, 2005


Oven Wrangler

The whole thing has put me into "HTTP/S and SMTP gets blocked inbound for our Exchange server now. All it does is management and internal mail relay."

devmd01
Mar 7, 2006

Elektronik
Supersonik


Internet Explorer posted:

The whole thing has put me into "HTTP/S and SMTP gets blocked inbound for our Exchange server now. All it does is management and internal mail relay."

We've been in that state for 3 years, it's great. On prem relays to Proofpoint, which then sends it to our tenant or out to the internet as appropriate.

Submarine Sandpaper
May 27, 2007



Has anyone done a 365 migration from an environment that has 2010 and 2016 servers? This breach has resulted in more work at my feet. The former are the front end with the latter DBs and I'm not sure if Hybrid will play nice or if I'll have to throw in an upgrade to all 2016 first.

Old Binsby
Jun 27, 2014



Submarine Sandpaper posted:

Has anyone done a 365 migration from an environment that has 2010 and 2016 servers? This breach has resulted in more work at my feet. The former are the front end with the latter DBs and I'm not sure if Hybrid will play nice or if I'll have to throw in an upgrade to all 2016 first.

I did this for a client using a fresh 2016 server as the migration endpoint. The 2010 servers were decommissioned shortly after, but we managed to make the hybrid period work. However, at the time 2010 was still supported. Right now according to the docs the recommended path is to upgrade your 2010 servers first (link). My gut feeling is you'll be able to migrate as is using a 2016 server as migration endpoint, but idk

Submarine Sandpaper
May 27, 2007



Thanks. I'll try that. New wrench with this client is the mail domain will not be the directory authority domain so I'll have to install exchange on that domain to sync back anyway. Doubt I'll get the hours to do a 2016 proper upgrade first.

NevergirlsOFFICIAL
Apr 24, 2004



Internet Explorer posted:

The whole thing has put me into "HTTP/S and SMTP gets blocked inbound for our Exchange server now. All it does is management and internal mail relay."

This is the way to go.

Thanks Ants
May 21, 2004

#essereFerrari


I'm absolutely paranoid about having things exposed to the internet even if they are designed to be exposed and their network is segmented properly. Always looking for ways to get things working behind reverse proxies or whatever.

Oscar Wilde Bunch
Jun 12, 2012



Grimey Drawer

Submarine Sandpaper posted:

Thanks. I'll try that. New wrench with this client is the mail domain will not be the directory authority domain so I'll have to install exchange on that domain to sync back anyway. Doubt I'll get the hours to do a 2016 proper upgrade first.

I've taken to using BitTitan or Skykick. No goofing with hybrid, no connectors to clean up. Sure it costs, but being able to do on the fly mailbox type remaps (person to shared, shared to resource, person to resource, etc...) plus having a deployable client that does auto Outlook profile switching was worth it.


eonwe
Aug 11, 2008



Lipstick Apathy

Submarine Sandpaper posted:

Has anyone done a 365 migration from an environment that has 2010 and 2016 servers? This breach has resulted in more work at my feet. The former are the front end with the latter DBs and I'm not sure if Hybrid will play nice or if I'll have to throw in an upgrade to all 2016 first.

It's more of a pain but is it feasible to upgrade your 2010 and then migrate?
