Office 365 Hybrid Configuring Using Windows Azure – Part 2

In the first part of the article series, we created a new Windows Azure lab and installed and configured a new domain controller and Exchange server. We also created additional Windows 2012 Azure servers for ADFS, ADFS Proxy and directory synchronization (DirSync). ADFS (Krisadfs.cloudapp.net) and DirSync (krisdrisync.cloudapp.net) are joined to the Windows domain ‘checkwhatsin.com’. ADFS Proxy (krisadfsproxy.cloudapp.net) is not joined to the domain, since it is designed to be placed in the DMZ.

Office 365 Hybrid Configuring Using Windows Azure – Part 1

Office 365 Hybrid Configuring Using Windows Azure – Part 3

Office 365 Hybrid Configuring Using Windows Azure – Part 4

Office 365 Hybrid Configuring Using Windows Azure – Part 5

Office 365 Hybrid Configuring Using Windows Azure – Part 6

In this part of the article series, we will perform the activities shown below to configure Single Sign-On (SSO). With SSO, users in your organization can use their corporate credentials to access the Office 365 service offerings, which removes the burden of managing multiple logon identities and passwords. Without SSO, an Office 365 user would have to maintain a separate user name and password.

I. Installation and configuration of ADFS server

II. Installation and configuration of ADFS proxy server

Installation and configuration of ADFS server

Active Directory Federation Services (AD FS) is a server role in Windows Server that provides web single sign-on (SSO) technology to authenticate a user to multiple web applications over the life of a single online session. At the outset, we need to create a service account before configuring the federation server.

1. Log in to Krisadc.cloudapp.net with the domain admin credentials

2. Using Active Directory Users and Computers, create a new service account for the ADFS federation server and set its password to never expire

Account name: svr-federation

3. Open DNS Manager and create a new ‘A’ record pointing to the internal IP address of the ADFS server.

4. Log in to the ADFS server krisadfs.cloudapp.net with domain credentials

5. The ADFS server needs a third-party CA certificate. Since we already have a wildcard certificate configured on the Exchange server, we simply export it from the Exchange server and import it into the ADFS server

Export the wildcard certificate with the private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfs.cloudapp.net

6. Start PowerShell on the server krisadfs.cloudapp.net and execute the command given below, typing the password that was used to export the certificate when prompted. The command imports the certificate into the local computer’s Personal certificate store

certutil.exe -f -importpfx c:\checkwhatsin.pfx

7. Installing Active Directory Federation Services is as simple as running a PowerShell command. Execute the cmdlet below to install the ADFS server role

Add-WindowsFeature AD-Federation-Services

8. The ADFS server needs to be configured once it is installed. Start Server Manager, click on the amber symbol and then click ‘Run the AD FS Management snap-in’ to configure it.

9. This opens the AD FS snap-in. Click ‘AD FS Federation Server Configuration Wizard’ to start the configuration wizard.

10. To create a new federation service, select ‘Create a new Federation Service’ on the welcome page and click ‘Next’

11. Select ‘New Federation Server Farm’ on the Deployment Type page and click ‘Next’

12. On the Federation Service Name page, select the SSL certificate ‘Checkwhatsin’, provide the Federation Service name ‘sts.checkwhatsin.com’ and click ‘Next’

13. Enter the ADFS service account ‘checkwhatsin\svr-federation’ and its password on the ‘Specify Service Account’ page and click ‘Next’

14. Verify the details on the summary page and click ‘Next’ to start the installation

15. Wait for the installation to complete, make sure that every component is configured successfully, and click ‘Close’ to finish the installation.

16. To validate the installation, browse to the URL below in Internet Explorer and make sure the federation metadata XML is displayed

https://sts.checkwhatsin.com/FederationMetadata/2007-06/FederationMetadata.xml

With this we have created and configured ADFS server and it is ready to use.
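The wizard and the metadata URL only show that the service answers. The script below, added here as an example and not part of the original article, runs the post-install checks a practitioner would want on the ADFS server: the imported wildcard certificate is in the machine store with its private key, and the metadata endpoint publishes the expected federation identifier. It assumes the names used in this article (sts.checkwhatsin.com, a certificate subject matching checkwhatsin.com) and PowerShell 3.0 as shipped with Windows Server 2012.

```powershell
# Added example (not from the original article): post-install checks for the
# AD FS server. Assumes the federation service name sts.checkwhatsin.com and a
# certificate subject containing checkwhatsin.com, as used in the article.
$FederationName = 'sts.checkwhatsin.com'
$MetadataUrl    = "https://$FederationName/FederationMetadata/2007-06/FederationMetadata.xml"

# 1. The imported PFX must be in LocalMachine\My, carry its private key and not be
#    close to expiry: without the private key AD FS cannot terminate TLS or sign.
$cert = Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Subject -like '*checkwhatsin.com*' } |
    Sort-Object NotAfter -Descending | Select-Object -First 1
if (-not $cert)               { throw "No checkwhatsin.com certificate in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw "Certificate $($cert.Thumbprint) has no private key" }
if ($cert.NotAfter -lt (Get-Date).AddDays(30)) {
    Write-Warning "Certificate $($cert.Thumbprint) expires on $($cert.NotAfter)"
}

# 2. The metadata endpoint must answer over HTTPS with a trusted certificate, and
#    its entityID must match the federation service name; the Office 365 trust
#    is built on this identifier, so a mismatch breaks federation later.
$xml      = [xml](Invoke-WebRequest -Uri $MetadataUrl -UseBasicParsing).Content
$entityId = $xml.EntityDescriptor.entityID
if ($entityId -ne "http://$FederationName/adfs/services/trust") {
    throw "Unexpected entityID '$entityId' in federation metadata"
}

# 3. Count the token-signing certificates published in the metadata; the role
#    generates a self-signed one, and relying parties will trust exactly these.
$publishedSigning = $xml.EntityDescriptor.RoleDescriptor |
    ForEach-Object { $_.KeyDescriptor } |
    Where-Object { $_.use -eq 'signing' } |
    ForEach-Object { $_.KeyInfo.X509Data.X509Certificate } |
    Select-Object -Unique

"Service certificate : $($cert.Thumbprint) (expires $($cert.NotAfter.ToShortDateString()))"
"entityID            : $entityId"
"Signing certs       : $($publishedSigning.Count) published in metadata"
```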

Installation and configuration of ADFS proxy server

The AD FS 2.0 Proxy is a service that brokers a connection between external users and the internal AD FS 2.0 server. It acts as a reverse proxy and typically resides in your organization’s perimeter network (aka DMZ). Since Krisadfsproxy.cloudapp.net is not a domain-joined computer, it cannot resolve hostnames on the internal network, so we need to create a hosts file entry for the internal ADFS server.

1. Log in to Krisadfsproxy.cloudapp.net using the local admin credentials

2. Create a manual hosts file entry pointing to the AD FS server

Open the ‘hosts’ file in Notepad from C:\Windows\System32\drivers\etc\ and add a new entry mapping the name sts.checkwhatsin.com to the ADFS server’s internal IP address.

3. The ADFS Proxy server also needs a third-party CA certificate. Since we already have the wildcard certificate on the Exchange server, we just need to export it and configure it on the ADFS Proxy server

Export the wildcard certificate with the private key from the Exchange 2013 server and copy it to the root (C:\) directory of the server krisadfsproxy.cloudapp.net

4. Start PowerShell on the server krisadfsproxy.cloudapp.net and execute the command below, typing the password that was used to export the certificate when prompted. The command imports the certificate into the local computer’s Personal certificate store

certutil.exe -f -importpfx c:\checkwhatsin.pfx

5. Configure the imported certificate in Internet Information Services (IIS) Manager

a. Start IIS Manager from the Control Panel, select ‘Default Web Site’ and select ‘Bindings’ in the Actions pane

b. Click ‘Add’ to add a new site binding. Make sure to select the type “https” and the SSL certificate “Checkwhatsin”, then click “OK”.

c. Click on “Close” to finish the IIS configuration

6. Install ADFS proxy using the below PowerShell cmdlet

Add-WindowsFeature ADFS-Proxy

7. After installation, the ADFS Proxy needs to be configured. Start ‘Server Manager’, click on the amber symbol and select ‘Run the AD FS Federation Server Proxy Configuration Wizard’

8. On the Welcome page of the ‘AD FS Federation Server Proxy Configuration Wizard’ click ‘Next’

9. Specify sts.checkwhatsin.com as the Federation Service name and click ‘Test Connection’ to confirm that the connection is successful. Click ‘Next’ to continue

10. Enter the ADFS service account credentials in the Windows Security credentials pop-up and click ‘OK’ to continue.

11. Verify the settings on the ‘Ready to Apply Page’ and click on ‘Next’ to start the configuration

12. Verify the ‘configuration results’ page with the successful completion status and click on ‘Close’

13. Since the ADFS Proxy server is the Internet-facing server and the ADFS server is configured with sts.checkwhatsin.com as its federation service name, we need to create a CNAME record in public DNS for sts.checkwhatsin.com pointing to the ADFS Proxy server ‘Krisadfsproxy.cloudapp.net’.

Below is the reference screenshot from the GoDaddy DNS console.
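The name sts.checkwhatsin.com now has to resolve two different ways: on the proxy itself the hosts entry must point at the internal ADFS server, while public DNS must point Internet clients at the proxy. The script below is an added example (not part of the original article) that creates the hosts entry idempotently and verifies both views plus the connection the wizard’s ‘Test Connection’ button exercises; the internal ADFS IP address 10.0.0.5 and the public resolver 8.8.8.8 are placeholders. Run it in an elevated PowerShell session on krisadfsproxy.cloudapp.net.

```powershell
# Added example (not from the original article). Verifies the split resolution
# the proxy depends on. Placeholders: $InternalAdfsIp (internal IP of krisadfs)
# and the public resolver 8.8.8.8. Must run elevated to write the hosts file.
$FederationName  = 'sts.checkwhatsin.com'
$InternalAdfsIp  = '10.0.0.5'                         # placeholder
$ProxyPublicName = 'krisadfsproxy.cloudapp.net'
$HostsFile       = "$env:SystemRoot\System32\drivers\etc\hosts"

# 1. Add the hosts entry only if it is not already there; re-running must not
#    produce duplicate or conflicting lines (comment lines are ignored).
$pattern  = "^\s*[^#\s]+\s+$([regex]::Escape($FederationName))(\s|$)"
$existing = Get-Content $HostsFile | Where-Object { $_ -match $pattern }
if (-not $existing) {
    Add-Content -Path $HostsFile -Value "$InternalAdfsIp`t$FederationName"
} elseif ($existing -notmatch "^\s*$([regex]::Escape($InternalAdfsIp))\s") {
    throw "hosts already maps $FederationName elsewhere: $existing"
}

# 2. What the proxy itself sees: the system resolver honours the hosts file, so
#    this must be the internal AD FS address, never the proxy's own public IP
#    (which would make the proxy forward requests to itself).
$local = [System.Net.Dns]::GetHostAddresses($FederationName) |
    ForEach-Object { $_.IPAddressToString }
if ($local -notcontains $InternalAdfsIp) { throw "Proxy resolves $FederationName to $local" }

# 3. What the Internet sees: the public CNAME must point at the proxy, not at
#    the internal server, which must stay unreachable from outside.
$public = Resolve-DnsName -Name $FederationName -Type CNAME -Server 8.8.8.8 -ErrorAction Stop
if ($public.NameHost -ne $ProxyPublicName) {
    throw "Public CNAME for $FederationName is '$($public.NameHost)', expected $ProxyPublicName"
}

# 4. The federation endpoint must be reachable from the proxy over 443 with a
#    certificate the proxy trusts (the same check the wizard performs).
$url  = "https://$FederationName/FederationMetadata/2007-06/FederationMetadata.xml"
$resp = Invoke-WebRequest -Uri $url -UseBasicParsing

"Internal view : $FederationName -> $local"
"Public view   : $FederationName -> CNAME $($public.NameHost)"
"Metadata      : HTTP $($resp.StatusCode) from $url"
```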

With this we have created and configured the ADFS and ADFS Proxy servers and made all the configuration changes necessary to deploy SSO.

In the next part of the article, we will complete the configuration of SSO and directory synchronization between Office 365 and the on-premises Exchange server.


Exchange 2007/2010 Dynamic Distribution List filter customizing

As the name says, a Dynamic Distribution List is a group that maintains its membership dynamically. A static list is hard to maintain: users have to be added and removed manually. A small list can be managed easily, but the bigger the group, the bigger the problem.

A Dynamic Distribution List can be created using the Exchange Management Console or the Exchange Management Shell, and it selects its members using a filter condition. The default filter conditions offer limited options such as State, Department, Company and custom attributes 1 to 15, as shown in Figure 1.

Figure 1. List of Condition Options for filtering members to group

With these options we can build a Dynamic DL, and sometimes they match our requirement and sometimes they do not.

For example, we may need to build a Dynamic DL containing the users hosted on a specific mailbox server. The required filter will vary with the business; here I am just taking one example to explain the concept.

A Dynamic DL stores its filters in Active Directory, in the attributes msExchQueryFilter and msExchDynamicDLFilter.

msExchQueryFilter:
msExchQueryFilter holds the OPATH filter. OPATH is the basis for the filtering syntax used by PowerShell.

msExchDynamicDLFilter:
msExchDynamicDLFilter holds the LDAP filter equivalent to the OPATH filter stored in msExchQueryFilter

If we want to change the filter to match the requirement, we use ADSI Edit to edit these AD attributes and apply the new filter.

1. Open ADSI Edit and connect to the Default naming context (Figure 2)

Figure 2. Connecting to Active Directory – Default naming context

2. Create the Dynamic DL in advance, browse in ADSI Edit to the Dynamic DL you created, right-click it and select Properties

3. Copy and paste the OPATH filter below into msExchQueryFilter, replacing ‘Servername’ with the mailbox server name (or the CMS name if clustered)

(((RecipientType -eq 'UserMailbox')) -and (-not(Name -like 'SystemMailbox{*')) -and (-not(Name -like 'CAS_{*') -and (ServerName -eq 'Servername')))

4. The filter is now configured. To check that it is applied, use the PowerShell cmdlets below, replacing DynamicDL with the name of the DL we have worked on; the result is the list of users that belong to the specific server.

$DynamicDL = Get-DynamicDistributionGroup -Identity "DynamicDL"

Get-Recipient -RecipientPreviewFilter $DynamicDL.RecipientFilter | Select-Object Name, ServerName

This is useful when you want to send a communication to the users on a specific server, for example during maintenance. As I said earlier, similar filters can be used to add users dynamically to the list based on the requirement; technically you can put any PowerShell filter into a Dynamic DL.
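The post sets the filter by writing msExchQueryFilter directly in ADSI Edit. The function below is an added example, not the post’s own method: it achieves the same server-scoped group from the Exchange Management Shell, where Set-DynamicDistributionGroup -RecipientFilter writes both attributes for you, previews the match first, and reads back the OPATH and LDAP forms the post describes. The group name ‘DynamicDL’ and server ‘MBX01’ are placeholders; the syntax is kept PowerShell 2.0 compatible for the Exchange 2010 shell.

```powershell
# Added example (not from the original post). Scopes an existing dynamic DL to one
# mailbox server through the supported cmdlets instead of ADSI Edit.
# Placeholders: group 'DynamicDL', server 'MBX01' (use the CMS name if clustered).
function Set-ServerScopedDynamicDL {
    param(
        [string] $GroupName,
        [string] $MailboxServer
    )
    if (-not $GroupName -or -not $MailboxServer) { throw "GroupName and MailboxServer are required" }

    # Same exclusions as the post's OPATH filter: real user mailboxes only, without
    # the system and CAS arbitration mailboxes that exist on every server.
    $filter = "(RecipientType -eq 'UserMailbox') -and " +
              "(-not(Name -like 'SystemMailbox{*')) -and " +
              "(-not(Name -like 'CAS_{*')) -and " +
              "(ServerName -eq '$MailboxServer')"

    # Preview first: a typo in the server name silently yields an empty group.
    $preview = @(Get-Recipient -RecipientPreviewFilter $filter -ResultSize Unlimited)
    if ($preview.Count -eq 0) {
        throw "Filter matches no recipients; check the server name '$MailboxServer'"
    }

    # Exchange stores the OPATH text in msExchQueryFilter and derives the LDAP
    # translation into msExchDynamicDLFilter; no direct attribute editing needed.
    Set-DynamicDistributionGroup -Identity $GroupName -RecipientFilter $filter

    $ddl = Get-DynamicDistributionGroup -Identity $GroupName
    New-Object PSObject -Property @{
        Group          = $ddl.Name
        MembersMatched = $preview.Count
        OpathFilter    = $ddl.RecipientFilter        # msExchQueryFilter
        LdapFilter     = $ddl.LdapRecipientFilter    # msExchDynamicDLFilter
    }
}

# Scope the group to one server, show what was stored, then list the recipients.
$result = Set-ServerScopedDynamicDL -GroupName 'DynamicDL' -MailboxServer 'MBX01'
$result | Format-List
Get-Recipient -RecipientPreviewFilter $result.OpathFilter | Select-Object Name, ServerName
```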

Diagnostic Logging to find Deletion of Public folder in Exchange 2007 and Exchange 2010

Many users have access to public folders, and many are owners with full access. Chances are that a user deletes a folder accidentally, or sometimes intentionally. To identify who did it, we have to enable diagnostic logging on the public folder store. Below are the steps to enable it

1. Open the Exchange Management Console
2. Expand and select Server Configuration
3. On the right you will find all the servers
4. Select the Exchange server where the public folder database resides
5. Right-click the server and select Manage Diagnostic Logging
6. Expand MSExchangeIS -> 9001 Public and click on General
7. Select Medium and click Configure to enable this setting

8. When a public folder is deleted, Event ID 9682 is logged in the Application log. You can search for this event ID in the Application log.
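The same logging level can be set from the Exchange Management Shell, and the resulting events can be pulled without clicking through Event Viewer. The snippet below is an added example (not from the original post) that raises the ‘9001 Public\General’ category to Medium and then lists the Event ID 9682 entries from the last seven days; the server name is a placeholder.

```powershell
# Added example (not from the original post). Placeholder: $Server is the Exchange
# server that hosts the public folder database.
$Server = 'PFSERVER01'

# Shell equivalent of Manage Diagnostic Logging -> MSExchangeIS -> 9001 Public ->
# General -> Medium. Confirm the level afterwards; Lowest means nothing is logged.
Set-EventLogLevel -Identity "$Server\MSExchangeIS\9001 Public\General" -Level Medium
Get-EventLogLevel -Identity "$Server\MSExchangeIS\9001 Public\General"

# Who deleted what, and when. 9682 is only written once the level above is Medium
# or higher, so an empty result for deletions before that point proves nothing.
$since = (Get-Date).AddDays(-7)
$deletions = Get-WinEvent -ComputerName $Server -FilterHashtable @{
    LogName   = 'Application'
    Id        = 9682
    StartTime = $since
} -ErrorAction SilentlyContinue

if (-not $deletions) {
    "No public folder deletion events (ID 9682) on $Server since $since"
} else {
    $deletions |
        Select-Object TimeCreated, MachineName, ProviderName, Message |
        Sort-Object TimeCreated -Descending | Format-List
}
```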

Exchange 2007 IMAP and POP Protocol Logging

IMAP and POP protocol logging is easy to enable in Exchange 2007. Below are the step-by-step instructions.

1. Log in to the Exchange 2007 Client Access server
2. Browse to C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap
3. Open Microsoft.Exchange.Imap4.exe.config with Notepad
4. Find the line <add key="ProtocolLog" value="false" /> in the file
5. Change false to true
6. The line <add key="LogPath" value="C:\Program Files\Microsoft\Exchange Server\Logging\Imap4" /> gives the location of the IMAP4 log files
7. Restart the Microsoft Exchange IMAP4 service (MSExchangeIMAP4)
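Editing an .exe.config by hand risks an unparseable file that stops the IMAP4 service from starting. The script below is an added example (not from the original post) that performs the same change through the XML parser with a timestamped backup, then restarts the service. It assumes the default install path and that the keys sit under <appSettings> in the file’s <configuration> root; adjust the XPath if your file differs.

```powershell
# Added example (not from the original post). Enables IMAP4 protocol logging by
# editing the config as XML. Assumes the default path and that ProtocolLog and
# LogPath live under /configuration/appSettings.
$ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\ClientAccess\PopImap\Microsoft.Exchange.Imap4.exe.config'

# Keep a copy so the change can be rolled back if the service misbehaves.
Copy-Item $ConfigPath "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

$cfg = New-Object System.Xml.XmlDocument
$cfg.PreserveWhitespace = $true          # keeps the saved file diff-friendly
$cfg.Load($ConfigPath)

$node = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='ProtocolLog']")
if (-not $node) { throw "ProtocolLog key not found in $ConfigPath" }
$node.SetAttribute('value', 'true')

$logNode = $cfg.SelectSingleNode("/configuration/appSettings/add[@key='LogPath']")
$logPath = if ($logNode) { $logNode.GetAttribute('value') } else { '(LogPath key not present)' }

$cfg.Save($ConfigPath)

# The setting is read at start-up only, so the service must be restarted.
Restart-Service MSExchangeIMAP4
"IMAP4 protocol logging enabled; logs will be written under $logPath"
```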

Powershell to send email with delivery notification enabled

This PowerShell script sends an email with delivery notification enabled: once the mail is delivered to the recipient’s mailbox, a delivery notification is sent back to the sender’s mailbox. The script below helps you achieve that.

# Placeholder values: replace the SMTP server, addresses and attachment path with your own
$smtpServer = "smtp.domainname.com"
$att = New-Object Net.Mail.Attachment("C:\temp\report.txt")

$msg = New-Object Net.Mail.MailMessage
$smtp = New-Object Net.Mail.SmtpClient($smtpServer)
# Disposition-Notification-To asks the recipient's mail client for a read receipt (MDN)
$msg.Headers.Add("Disposition-Notification-To", "from@domainname.com")
# DeliveryNotificationOptions asks the mail server for a delivery status notification (DSN) on success
$msg.DeliveryNotificationOptions = "OnSuccess"
$msg.From = "from@domainname.com"
$msg.To.Add("to@domainname.com")
$msg.Subject = "Make the Delivery Receipt Work Please"
$msg.Body = "In a perfect world this email will generate a delivery receipt"
$msg.Attachments.Add($att)
$smtp.Send($msg)
$att.Dispose()