Azure AD Connect version 1.1.880.0 includes many updates

Friday, July 27, 2018
AAD Connect version 1.1.880.0 is being released and includes many new features and improvements. I've highlighted the ones that I think most customers are interested in with some comments.

This update is also supposed to fix the issue with high CPU caused by the Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe process after installing .NET Framework 4.7.2. (8/1/2018 - They just updated the release notes to reflect this.)

New features and improvements

  • The Ping Federate integration in Azure AD Connect is now available for General Availability. Learn more about how to federate Azure AD with Ping Federate.
  • Azure AD Connect now creates a backup of the Azure AD trust in AD FS every time an update is made and stores it in a separate file for easy restore if required. Learn more about the new functionality and Azure AD trust management in Azure AD Connect.
  • New troubleshooting tooling helps troubleshoot changing primary email address and hiding account from global address list
  • Azure AD Connect was updated to include the latest SQL Server 2012 Native Client
  • When you switch user sign-in to Password Hash Synchronization or Pass-through Authentication in the "Change user sign-in" task, the Seamless Single Sign-On checkbox is enabled by default.
  • Added support for Windows Server Essentials 2019
  • The Azure AD Connect Health agent was updated to the latest version. Hopefully this fixes the high CPU issue with .NET 4.7.2.
  • During an upgrade, if the installer detects changes to the default sync rules, the admin is prompted with a warning before the modified rules are overwritten, so you can take corrective action and resume later. Old behavior: if any out-of-box rule had been modified, a manual upgrade overwrote those rules without warning, and the sync scheduler was disabled without informing the user. New behavior: the user is warned before modified out-of-box sync rules are overwritten and can stop the upgrade, take corrective action, and resume later.
  • Better handling of a FIPS compliance issue: an error message is shown for MD5 hash generation in a FIPS-compliant environment, with a link to documentation that provides a workaround.
  • UI update to improve federation tasks in the wizard, which are now under a separate sub group for federation.
  • All federation additional tasks are now grouped under a single sub-menu for ease of use.
  • A revamped ADSyncConfig PowerShell module (AdSyncConfig.psm1) with new AD permissions functions moved from the old ADSyncPrep.psm1 (which may be deprecated shortly).

Fixed issues

  • Fixed a bug where the AAD Connect server would show high CPU usage after upgrading to .Net 4.7.2. The release notes were updated to add this on 8/1/2018.
  • Fixed a bug that would intermittently produce an error message for an auto-resolved SQL deadlock issue
  • Fixed several accessibility issues for the Sync Rules Editor and the Sync Service Manager
  • Fixed a bug where Azure AD Connect cannot get registry setting information
  • Fixed a bug that created issues when the user goes forward/back in the wizard
  • Fixed a bug to prevent an error caused by incorrect multi-thread handling in the wizard
  • When Group Sync Filtering page encounters an LDAP error when resolving security groups, Azure AD Connect now returns the exception with full fidelity. The root cause for the referral exception is still unknown and will be addressed by a different bug.
  • Fixed a bug where permissions for STK and NGC keys (msDS-KeyCredentialLink attribute on User/Device objects for WHfB) were not correctly set.
  • Fixed a bug where 'Set-ADSyncRestrictedPermissions' was not called correctly
  • Adding support for permission granting on Group Writeback in AADConnect's installation wizard
  • When changing sign in method from Password Hash Sync to AD FS, Password Hash Sync was not disabled. This is interesting, since Microsoft recommends configuring Password Hash Sync with AD FS. I'm checking with the Product Group...
  • Added verification for IPv6 addresses in AD FS configuration
  • Updated the notification message to inform that an existing configuration exists.
  • Device writeback fails to detect container in untrusted forest. This has been updated to provide a better error message and a link to the appropriate documentation
  • Deselecting an OU and then synchronization/writeback corresponding to that OU gives a generic sync error. This has been changed to create a more understandable error message.
AAD Connect version 1.1.880.0 has been released for auto upgrade. Customers with auto upgrade enabled will automatically download and install this new version in the coming days. Those who do not have auto upgrade enabled will need to download and install the update manually. Check the details for the download page to make sure you're downloading version 1.1.880.0.
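Before taking this update it is worth knowing which build you are on, whether auto upgrade will pick it up, and whether any out-of-box sync rules have been changed (the case the new upgrade warning covers). The following PowerShell is an added example, not code from the original post or from Azure AD Connect. It assumes the ADSync module that ships with Azure AD Connect, that the product's Uninstall registry entry is named "Microsoft Azure AD Connect", and that Get-ADSyncRule exposes IsStandardRule and Disabled properties.

```powershell
# Added example (not from the original post or from Azure AD Connect).
# Assumes the ADSync module installed with AAD Connect and the registry names noted below.
Import-Module ADSync -ErrorAction Stop

# 1. Installed version, read from the Uninstall registry entries
#    (DisplayName assumed to be "Microsoft Azure AD Connect").
$uninstallKeys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
$aadc = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -eq 'Microsoft Azure AD Connect' } |
        Select-Object -First 1
$target = [version]'1.1.880.0'
if (-not $aadc) {
    Write-Warning 'Azure AD Connect does not appear to be installed on this server.'
} elseif ([version]$aadc.DisplayVersion -ge $target) {
    "Azure AD Connect $($aadc.DisplayVersion) is installed; already at or above $target."
} else {
    "Azure AD Connect $($aadc.DisplayVersion) is installed; $target is available."
}

# 2. Will auto upgrade pick it up? Returns Enabled, Disabled or Suspended.
"Auto upgrade state: $(Get-ADSyncAutoUpgrade)"

# 3. Sync rules that differ from stock. Custom rules carry IsStandardRule = $false.
#    A disabled standard rule is what the Synchronization Rules Editor leaves behind when
#    you "edit" a default rule (it clones it and disables the original). Both kinds are
#    what the 1.1.880.0 upgrade warning is about, so review them before upgrading.
$rules    = Get-ADSyncRule
$custom   = $rules | Where-Object { -not $_.IsStandardRule }
$disabled = $rules | Where-Object { $_.IsStandardRule -and $_.Disabled }

"Custom (non-standard) rules: $(@($custom).Count)"
$custom   | Sort-Object Precedence | Format-Table Name, Direction, Precedence -AutoSize
"Disabled standard rules: $(@($disabled).Count)"
$disabled | Sort-Object Precedence | Format-Table Name, Direction, Precedence -AutoSize
```

Run it in an elevated PowerShell session on the AAD Connect server. An empty result for both rule lists means the upgrade should not prompt; anything listed is what you will be asked about, and it is easier to export those rules (Export-ADSyncRule is not something this example covers) before the upgrade than to reconstruct them afterwards.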

Say Bye-Bye to Exchange Unified Messaging in Exchange Server 2019

Wednesday, July 25, 2018

Exchange Unified Messaging was first introduced in Exchange Server 2007 and has been in every version of Exchange server since - until now. In the Exchange Server 2019 Public Preview announcement it was revealed that UM is being dropped in Exchange Server 2019.

Exchange UM provides the following features and functionality:
  • Access a full set of voicemail features from Internet-capable mobile phones, Microsoft Office Outlook (2007 and later), and Outlook on the web (OWA).
  • Auto Attendants allow you to create sophisticated calling trees using both speech and keypad controls.
  • Play on Phone lets you play voice messages on a telephone.
  • The Outlook and OWA voicemail form includes the controls for actions such as playing, stopping, or pausing voice messages, playing voice messages on a telephone, and adding and editing notes.
  • Call Answering Rules allow users to decide how incoming calls are answered.
  • Voice Mail Preview provides (sometimes humorous) email transcriptions of voicemails which allow users to get a sense of the urgency of a recorded voicemail.
  • Outlook Voice Access (OVA) allows users to access and manage their voicemails using voice or keypad controls.
  • Protected Voice Mail enables users to send private voicemails protected by Active Directory Rights Management Services (AD RMS).
  • For a full set of Exchange UM features see the article, Introduction to Microsoft Exchange Unified Messaging.
Exchange Server 2019 no longer includes Exchange Unified Messaging. If your organization wants to migrate to Exchange 2019 and uses Exchange UM for company voicemail, you'll need to implement a new voicemail solution. Read on for some options.

The simplest option, of course, is to migrate everyone from on-premises to Office 365. Not only will you get Cloud Voicemail (aka Azure Voicemail), but you'll get all the hotness that only comes from Office 365 -- Exchange Online, Teams, SharePoint Online, etc.

Organizations with no intention of using Office 365 will either need to implement a new voicemail system, or upgrade to or remain on Exchange 2016, the last Exchange Server version to support UM. In case it isn't obvious, this is because Cloud Voicemail runs in Office 365. Of course, upgrading to or staying on Exchange 2016 only buys you time. Mainstream support for Exchange 2016 is expected to end on October 13, 2020.

As announced on the EHLO Blog last year, Microsoft is discontinuing support for Session Border Controllers in Exchange Online in July 2018. Recently, they extended this deadline to April 30, 2019 due to customer feedback. This decision was surely a precursor of things to come (or not come, as it turns out) to Exchange Server 2019. Without SBC support, Cloud Voicemail will require Skype for Business Server as your on-prem PBX. You will not be able to connect any other on-prem PBX, such as Cisco Call Manager or Avaya, to Cloud Voicemail.

Microsoft has received a lot of feedback from enterprise organizations about the removal of UM from Exchange and Exchange Online, as seen in the forum feedback above. It appears they may have misjudged how much this change will cost organizations and its impact on their customers. In an effort to reduce some of the cost, they have created a path to use Cloud Voicemail almost for free.

Customers running Exchange 2019 with Skype for Business Server 2019 with Enterprise Voice will be able to use Cloud Voicemail natively, as long as they have a tenant with at least one license that includes Skype for Business Online. No other licensing, gateways, or SBCs are required, but it will require implementing Azure AD Connect to sync your AD to your Azure AD for your tenant.

Customers running Exchange 2019 with Skype for Business Server 2015 with Enterprise Voice, or customers who cannot/will not have an Office 365 tenant, will have no other option than to use a third-party voicemail system. All voicemail support must come from the third-party provider.

I put together the following table that shows the different voicemail scenarios for Skype for Business and Exchange, both on-prem and in Office 365.

Enterprise Voice                   Mailbox          Exchange UM   EXO UM   Cloud Voicemail
Skype for Business 2015            Exchange 2016    Yes           No       No
Skype for Business 2015            Exchange 2019    No            No       No
Skype for Business 2015            Exchange Online  No            Yes      No
Skype for Business 2019            Exchange 2016    Yes           No       No
Skype for Business 2019            Exchange 2019    No            No       Yes
Skype for Business 2019            Exchange Online  No            No       Yes
Skype for Business Online          Exchange 2016    No            No       Yes
Skype for Business Online          Exchange 2019    No            No       Yes
Skype for Business Online          Exchange Online  No            No       Yes
Skype for Business Online (No EV)  Exchange 2016    No            No       No
Skype for Business Online (No EV)  Exchange 2019    No            No       No
Skype for Business Online (No EV)  Exchange Online  No            No       No

Cloud Voicemail requires that the tenant has at least one license that includes Skype for Business Online to provide Cloud Voicemail capabilities for everyone in the tenant. It should be noted that in the preview Cloud Voicemail won't work if the organization is configured with Exchange hybrid, but this is expected to be fixed before General Availability. As a reminder, this is a preview, folks. Only try this stuff out in a lab.

An important feature for most companies is Auto Attendants. Currently, Auto Attendants in Phone System are rudimentary, but investments are being made to bring them up to feature parity previously available in Exchange UM. The biggest missing feature is the inability to invoke outbound calls from an Auto Attendant.

Cloud Voicemail features include simple voicemail, voicemail transcription with an MP3 attachment sent to the user's Inbox, ability to record personal greetings, message waiting indicator (MWI), and reply with call. It does not include Outlook integration like visual voicemail, Play on Phone, call answering rules, text notifications, or any Outlook Voice Access features. For further information on how to access Cloud Voicemail features, read Check Skype for Business voicemail and options.

So what do you think? Is this a big deal for your organization? Comments or questions? Leave a comment below.

Special thanks to fellow Office Servers & Apps MVP Adam Ball for help with the licensing aspects of this article.

EXPTA Consulting helps small, medium, and enterprise customers with their Exchange on-prem and Office 365 needs. We offer design, planning and migration services, identity and security solutions, and other IT services. Past customers include higher education, SAS providers, ITAR organizations, and insurance brokers. Contact us today to see how we can help you!

How to install Exchange Server 2019 on Windows Server 2019 Core Step-by-Step

Tuesday, July 24, 2018
The following article is a step by step walk-through for installing Exchange Server 2019 on Windows Server 2019 Server Core.
If you're looking for a super-fast and inexpensive lab server, check out my home lab server builds!
As announced, Exchange 2019 can be installed either on Windows Server 2019 with a GUI or Windows Server 2019 Core. Since Server Core lacks most GUI aspects, we need to use PowerShell and Remote Server Administration Tools (RSAT) to manage and administer Server Core. Here's how to install Windows Server 2019 Core and install Exchange Server 2019.

Install Windows Server 2019 Core:

You can download the Windows Server 2019 preview here.
Boot to the Windows Server 2019 Core ISO and run setup:
  • Set Language, Time, and keyboard, Next
  • Click Install Now
  • Select the Operating System you want to install (Windows Server Standard or Windows Server Datacenter), Next
  • Accept the license terms, Next
  • Select Custom Installation
  • Select the drive where you want to install Windows, Next. Windows will install and the server will restart.

The Administrator's password must be changed before signing in:
  • Select OK to change it. 
  • Enter the password twice to confirm and select OK again to sign in.
  • Welcome to Server Core! Exciting, ain't it?

Run sconfig.cmd to configure the server (in this order):
  • 2) Change Computer Name and restart. You must do this first if you're recovering an existing Exchange 2019 server.
  • 8) Configure Network Settings (it's currently using DHCP). Set static IP, netmask, and default gateway. Then configure the DNS Servers.
  • 7) Enable Remote Desktop (optional)
  • 5) Configure Windows Update Settings (Automatic, DownloadOnly, or Manual)
  • 6) Download and Install Updates
  • 10) Configure Telemetry settings (optional)
  • 1) Change Domain/Workgroup to join a domain. Restart.

Press Ctrl-Alt-Del to sign in to the server with the Domain Admin account:

  • Enter the username and password for the Domain Admin account

To enable file sharing so you can copy files to the new server, run the following from the CMD window:
netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=Yes
To enable the High Performance power configuration (recommended for Server Core VMs) run:
powercfg -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c
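If you would rather script the sconfig, netsh and powercfg steps above than walk the menus, the following PowerShell does the same work from the Server Core console. It is an added example, not part of the original post; the computer name, domain, addresses and DNS servers are placeholders for a lab, and it assumes a single connected physical adapter. Add-Computer with -NewName renames and joins in one step, which ends in the same place as sconfig options 2 and 1.

```powershell
# Added example (not from the original post). All names and addresses are placeholders.
$ComputerName = 'EX2019-01'
$Domain       = 'corp.example.com'
$IPAddress    = '192.168.10.25'
$PrefixLength = 24
$Gateway      = '192.168.10.1'
$DnsServers   = '192.168.10.10', '192.168.10.11'

# sconfig option 8: pick the connected physical adapter and replace its DHCP lease
# with a static address, default gateway and DNS servers.
$adapter = Get-NetAdapter -Physical | Where-Object Status -eq 'Up' | Select-Object -First 1
if (-not $adapter) { throw 'No connected physical network adapter found.' }

Set-NetIPInterface -InterfaceIndex $adapter.ifIndex -Dhcp Disabled
Get-NetIPAddress -InterfaceIndex $adapter.ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue |
    Remove-NetIPAddress -Confirm:$false
Remove-NetRoute -InterfaceIndex $adapter.ifIndex -DestinationPrefix '0.0.0.0/0' `
    -Confirm:$false -ErrorAction SilentlyContinue
New-NetIPAddress -InterfaceIndex $adapter.ifIndex -IPAddress $IPAddress `
    -PrefixLength $PrefixLength -DefaultGateway $Gateway | Out-Null
Set-DnsClientServerAddress -InterfaceIndex $adapter.ifIndex -ServerAddresses $DnsServers

# sconfig option 7 (optional): allow Remote Desktop and open its firewall rule group.
Set-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server' `
    -Name fDenyTSConnections -Value 0
Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'

# Same rule group the netsh line above enables, so you can copy the Exchange ISO over.
Enable-NetFirewallRule -DisplayGroup 'File and Printer Sharing'

# High Performance power plan; the GUID is the built-in one used above.
powercfg.exe -setactive 8c5e7fda-e8bf-4a96-9a85-a6e23a8c635c

# sconfig options 2 and 1 in one step: rename, join the domain, restart.
# You are prompted for a domain account that can join computers.
Add-Computer -DomainName $Domain -NewName $ComputerName `
    -Credential (Get-Credential "$Domain\Administrator") -Restart
```

Windows Update settings (sconfig options 5 and 6) are left to sconfig itself; there is no clean built-in cmdlet for them on Server 2019 without the PSWindowsUpdate module. Run the script before the domain join, as above, so DNS is pointing at your domain controllers when Add-Computer runs.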
Now that Server Core on Windows Server 2019 is setup, we can install Exchange Server 2019.

Install Exchange Server 2019 on Windows Server 2019 Core:

You can download the Exchange Server 2019 Public Preview here.
Sign in to Server Core with an account with Domain Admin, Enterprise Admin, and Schema Admin rights. If you're adding another server to an existing Exchange organization, you'll also need to be a member of Organization Management.

Mount the Exchange Server 2019 ISO. You can either mount it in your VM or copy the ISO to the new server and mount it in PowerShell by running the following cmdlet:
Mount-DiskImage -ImagePath "C:\Temp\ExchangeServer2019-x64.iso"
Change to the drive letter that represents the mounted ISO and run Setup to install most of the Exchange 2019 prerequisites:
Setup.EXE /Mode:Install /InstallWindowsComponents /IAcceptExchangeServerLicenseTerms /Roles:MB
Notice I said "most" of the prerequisites. The command above will install all the Windows Server roles and features, but Exchange 2019 still requires the Unified Communications Managed API (UCMA) runtime 4.0. You can't install UCMA until the Windows Server features are installed first. You may ask, "Why does Exchange 2019 still need UCMA even though Unified Messaging has been removed from the product?" The answer is, it's required for Lync and Skype for Business integration.

Setup will tell you to download UCMA 4.0 from a URL, but that setup won't work on Server Core. Instead, install the version included in the Exchange Server 2019 ISO in the UCMARedist folder.

Setup will also tell you to install the Visual C++ 2013 Redistributable Package from here. This one you'll have to download and install. I expect this will be included automatically by the time Exchange 2019 ships.

If you'd rather install the Windows prerequisites yourself from PowerShell instead of letting Setup do it, run the following cmdlet:
Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs
Now install the UCMA runtime and the Visual C++ 2013 Redistributable Package, then run Setup again. This time we don't need to specify installing the prerequisites:
Setup.EXE /Mode:Install /IAcceptExchangeServerLicenseTerms /Roles:MB
If you'd rather run Exchange Setup in the GUI mode, you can do that too and take advantage of the rebootless Windows component installation in Windows Server 2019 server core. Simply run Setup and let it install the prerequisites. Setup will halt because UCMA 4.0 and the Visual C++ 2013 Redistributable Package are not installed - install them. Then click Retry in Exchange Setup and it will continue on with the installation. Awesome!
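The two Setup passes, the UCMA install from the ISO and the VC++ 2013 runtime can be chained in one script so the whole install runs unattended from the Server Core console. This is an added example and not code from the original post or from Exchange Setup. It assumes the ISO is at C:\Temp\ExchangeServer2019-x64.iso, that the ISO's UCMARedist folder contains a Setup.exe that accepts /passive /norestart, and that the VC++ 2013 x64 redistributable (vcredist_x64.exe) has already been copied to C:\Temp. The prerequisite check reads the Uninstall registry keys, so the DisplayName patterns are assumptions as well.

```powershell
# Added example (not from the original post or from Exchange Setup). Paths are assumptions.
$IsoPath  = 'C:\Temp\ExchangeServer2019-x64.iso'
$VcRedist = 'C:\Temp\vcredist_x64.exe'

# True if any installed product's DisplayName matches the wildcard pattern.
function Test-InstalledProduct {
    param([Parameter(Mandatory)][string]$DisplayNamePattern)
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    [bool](Get-ItemProperty $keys -ErrorAction SilentlyContinue |
           Where-Object { $_.DisplayName -like $DisplayNamePattern })
}

# Mount the ISO and find the drive letter it landed on.
$img   = Mount-DiskImage -ImagePath $IsoPath -PassThru
$drive = ($img | Get-Volume).DriveLetter + ':'

# Pass 1: let Setup install the Windows roles and features. It is expected to stop at
# the UCMA / VC++ prerequisite checks, so its exit code is not treated as fatal here.
& "$drive\Setup.EXE" /Mode:Install /InstallWindowsComponents /IAcceptExchangeServerLicenseTerms /Roles:MB

# UCMA 4.0 from the ISO; the web download's installer does not work on Server Core.
if (-not (Test-InstalledProduct '*Unified Communications Managed API 4.0*')) {
    Start-Process -FilePath "$drive\UCMARedist\Setup.exe" -ArgumentList '/passive', '/norestart' -Wait
}

# Visual C++ 2013 x64 runtime, silently.
if (-not (Test-InstalledProduct '*Visual C++ 2013*x64*')) {
    Start-Process -FilePath $VcRedist -ArgumentList '/install', '/quiet', '/norestart' -Wait
}

# Confirm both prerequisites are present before the real install.
$ucmaOk = Test-InstalledProduct '*Unified Communications Managed API 4.0*'
$vcOk   = Test-InstalledProduct '*Visual C++ 2013*x64*'
if (-not ($ucmaOk -and $vcOk)) {
    throw "Prerequisites still missing: UCMA=$ucmaOk VC++2013=$vcOk"
}

# Pass 2: the Exchange install itself, without /InstallWindowsComponents this time.
& "$drive\Setup.EXE" /Mode:Install /IAcceptExchangeServerLicenseTerms /Roles:MB
if ($LASTEXITCODE -ne 0) {
    throw "Exchange Setup returned $LASTEXITCODE; see C:\ExchangeSetupLogs\ExchangeSetup.log"
}

Dismount-DiskImage -ImagePath $IsoPath
Restart-Computer -Confirm
```

Run it from an elevated PowerShell session under an account that holds the rights listed above. If the first pass reports that a reboot is pending, restart before continuing; Exchange Setup refuses to proceed with a pending reboot regardless of how the prerequisites were installed.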

Once setup completes, restart the server and you can continue to configure the server using the Exchange Management Shell or the Exchange Admin Center from another PC.

Post-Setup Tips:

Run LaunchEMS from a CMD prompt to launch the Exchange Management Shell in another window locally on the server.

If you're new to Windows Server Core, read Manage a Server Core Server for basics on server administration.

I highly recommend Windows Admin Center (formerly Project Honolulu) for managing Server Core servers, or any other Windows server for that matter. It allows you to perform almost all server tasks from a single browser window, including updating device drivers. Pretty cool!

Good luck with your Exchange 2019 Server Core implementations! If you need help with your deployments, please reach out to EXPTA Consulting.


Announcing Exchange Server 2019 Public Preview

Tuesday, July 24, 2018

Today Microsoft announced the public preview for Exchange Server 2019. It is likely to reach general availability later this year.

Exchange 2019 continues to deliver the security, performance, and improved administration and management capabilities that customers expect, along with additional enhancements. Exchange Server 2019 can now be installed on Windows Server 2019 Core. This greatly reduces the attack surface of Exchange Server.

Search has been completely rewritten (again) to provide better and faster results. A side effect of this change is that it provides faster DAG failovers.

Performance improvements include reengineering to support bigger and better hardware. Exchange 2019 can now run on servers with up to 48 cores and 256GB RAM. Exchange 2019 will support the use of SSDs for tiered storage when it is released (it currently is not enabled in the preview build). More details on this will be released in September at Microsoft Ignite in Orlando.

A very important thing to know is that Exchange Server 2019 no longer supports Unified Messaging. Customers who currently use UM will need to move to another voicemail solution before they move to Exchange 2019.

Talk with EXPTA Consulting to understand your upgrade options.

Download the public preview here.


"Fixed" .NET Framework Updates Still Cause High CPU on AAD Connect Servers

Friday, July 20, 2018
AKA - "What's that burning smell?" or "Why does my server sound like a Boeing 747?"

Continuing my rant about buggy Windows Updates -- especially .NET Framework -- I've found that even the latest "fixed" .NET Framework updates still cause high CPU on AAD Connect servers.

On Windows Server 2012 R2 the offending update is 2018-07 Security and Quality Rollup for .NET Framework 3.5, 4.5.2, 4.6, 4.6.1, 4.6.2, 4.7, 4.7.1, 4.7.2 for Windows 8.1 and Server 2012 R2 for x64 (KB4340558). This "quality" rollup is actually a package that contains three different .NET Framework updates:
  • KB4338415 - Security and Quality Rollup updates for .NET Framework
  • KB4338419 - Security and Quality Rollup updates for .NET Framework
  • KB4338424 - A rollup update that is not available as a stand-alone package
It turns out that KB4338419 is the real offender that causes a race condition on the Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup.exe process. If your AAD Connect server is experiencing high CPU for this process, uninstall KB4338419 or the entire KB4340558 package.

Be advised:
  • There are different KB packages for different OS's. Find the update that matches your OS in "installed updates"
  • Uninstalling these updates requires a restart (again)
  • .NET will recompile its assemblies when the computer restarts (again)
  • Windows Update will recommend installing these updates again. Do not install them. Better yet, hide them so Windows Update no longer offers them.
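To confirm the agent is really the one burning CPU, remove the rollup, and keep Windows Update from offering it again, the following PowerShell does all three from one elevated session. It is an added example, not from the original post. The KB numbers are the Server 2012 R2 ones above; substitute the package for your OS. Note that Get-HotFix (Win32_QuickFixEngineering) may list only the parent package KB4340558 and not the nested KB4338419, which is why both are searched for, and the hide step uses the Windows Update Agent COM API rather than a third-party module.

```powershell
# Added example (not from the original post). KB numbers are the Server 2012 R2 ones;
# use the package that matches your OS.
$ProcessName = 'Microsoft.Identity.Health.AadSync.MonitoringAgent.Startup'
$SuspectKbs  = '4338419', '4340558'

# 1. Is the monitoring agent the CPU hog? Sample its cumulative CPU time twice,
#    ten seconds apart, and express the difference as a share of all logical cores.
$first = Get-Process -Name $ProcessName -ErrorAction SilentlyContinue
if ($first) {
    $t1 = ($first | Measure-Object -Property CPU -Sum).Sum
    Start-Sleep -Seconds 10
    $t2 = (Get-Process -Name $ProcessName | Measure-Object -Property CPU -Sum).Sum
    $cores = (Get-CimInstance Win32_ComputerSystem).NumberOfLogicalProcessors
    $pct = [math]::Round(($t2 - $t1) / 10 / $cores * 100, 1)
    "$ProcessName used about $pct% of total CPU over 10 seconds."
} else {
    "$ProcessName is not running."
}

# 2. Which of the suspect updates are installed? QFE may show only the parent package.
$installed = Get-HotFix | Where-Object { ($_.HotFixID -replace '^KB') -in $SuspectKbs }
$installed | Select-Object HotFixID, InstalledOn, InstalledBy

# 3. Uninstall them. wusa needs a reboot afterwards; /norestart defers it to step 5.
foreach ($kb in @($installed | ForEach-Object { $_.HotFixID -replace '^KB' })) {
    "Uninstalling KB$kb ..."
    Start-Process -FilePath wusa.exe -ArgumentList "/uninstall /kb:$kb /quiet /norestart" -Wait
}

# 4. Hide the same KBs so Windows Update stops offering them (Windows Update Agent COM API).
$session  = New-Object -ComObject Microsoft.Update.Session
$searcher = $session.CreateUpdateSearcher()
$pending  = $searcher.Search('IsInstalled=0 and IsHidden=0').Updates
foreach ($update in $pending) {
    $ids = @($update.KBArticleIDs)
    if ($ids | Where-Object { $_ -in $SuspectKbs }) {
        $update.IsHidden = $true
        "Hidden from Windows Update: $($update.Title)"
    }
}

# 5. Reboot to finish the uninstall (the .NET assemblies recompile on the way back up).
Restart-Computer -Confirm
```

If step 2 returns nothing but Control Panel's "Installed Updates" shows the rollup, uninstall it from there instead; QFE does not enumerate every package, and wusa only works on KBs it can find.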



Tuesday, July 17, 2018
I'm growing increasingly frustrated with .NET Framework updates. Microsoft released .NET Framework 4.7.2 as an "important" update on July 10, 2018 and problem reports immediately started pouring in.

I reported earlier that .NET Framework 4.7.2 is not supported on any Exchange Servers and many users, including myself, were seeing high CPU usage on AAD Connect servers.

Doesn't anyone test this stuff, or is that our job as customers? What's the point of pushing out an update as "important" that core functionality doesn't support and actually harms the infrastructure that enterprises rely on? It takes a server restart to install this update and another one to remove it. And every time we get a .NET Framework update and reboot, server performance is affected while all the .NET Framework assemblies are recompiled. NO MORE.

From now on, I don't plan to install any .NET Framework updates unless,
  1. It's required for server functionality.
  2. It fixes a security vulnerability that actually affects me.
  3. It's been deployed worldwide for at least two weeks.
Not everyone is a developer who has to have the latest API updates. 

Microsoft, stop pushing buggy updates as "important". It's embarrassing. Get your quality issues sorted out, test, and coordinate with other product teams.


Do you use AD RMS on-prem? You need to read this!

Thursday, July 12, 2018

Microsoft recently announced they will be automatically enabling the protection features in AIP (Azure Rights Management) beginning August 1, 2018. If your organization currently uses AD RMS and has hybrid coexistence with Office 365, it's important that you opt-out of this change immediately.

Please read my latest article on the ENow ESE Blog to learn what it's all about and what you may need to do to prepare for this change.
