Thomas Stensitzki is a leading technology consultant focusing on the Microsoft messaging and collaboration technologies and the owner of Granikos GmbH & Co. KG.
He is an MVP for Office Apps & Services since 2018.
Thomas is an MCT Regional Lead for Germany and delivers Microsoft Learning training courses for Office 365, Microsoft Teams, and Exchange Server.
He holds Master certifications as Microsoft Certified Solutions Master Messaging and as Microsoft Certified Master for Exchange Server 2010. These certifications make him a subject matter expert for any messaging topic related to Microsoft Exchange, Exchange Online, Microsoft 365, and hybrid configurations.
Follow Thomas: LinkedIn, Twitter
His sessions: https://sessionize.com/thomas-stensitzki
MVP Blog: https://blogs.msmvps.com/thomastechtalk Personal blog: http://justcantgetenough.granikos.eu Personal website: http://www.stensitzki.de Thomas' Tech Talk: youtube.com/ThomasStensitzki
Contact Thomas at thomas@mcsmemail.de
Microsoft 365 Groups are the backbone of various Microsoft 365 workloads. As you might know, each group utilizes a SharePoint site collection, and an Exchange shared mailbox.
When you create a new Microsoft 365 group, SharePoint Online must store the associated site collection somewhere. SharePoint Online uses predefined paths to determine the storage location. These paths are called: Managed Paths.
SharePoint Online uses two different pre-configured managed paths:
With /sites as the default setting for the Microsoft 365 tenant.
Whenever you create, e.g., a new team in Microsoft Teams, the associated site collection is stored in https://TENANTNAME.sharepoint.com/sites/TEAMNAME. As a SharePoint administrator, you see the site collection paths in the list of active sites in the SharePoint Admin Center.
But what can you do, if you want to store the associated site collections in the /teams managed path?
The SharePoint Admin Center provides you with an option to change the managed path for sites, created by users.
Open the SharePoint Admin Center, navigate to Settings -> Site Creation.
Change the setting for Create team sites under to /teams/.
The description of this setting is misleading. This setting affects not only SharePoint team site creation initiated by users on the SharePoint start page or OneDrive, but site collections created by Microsoft 365 Groups as well.
You do not need to enable the checkbox to let users create sites from the SharePoint start page and OneDrive. This setting is only required, when you want to enable self-service site creation of modern SharePoint sites for users. The modern SharePoint sites are based on Microsoft 365 Groups.
After changing the path, SharePoint Online creates new associated site collections for Microsoft 365 Groups in /teams/.
Enjoy SharePoint Online.
The Microsoft 365 Virtual Marathon is happening on May 27-28 2020.
This is a free online event, providing you with 36 hours of non-stop sessions from speakers around the globe. You can join every time.
The virtual conference is a joint effort with SPC.
I speak at Microsoft 365 Virtual Marathon about:
The marathon session plan is available here.
Register now.
Enjoy!
When you plan to implement an Exchange Hybrid Configuration between your on-premises Exchange Organization and Exchange online you have to choose between two variants and five operating modes. It is not as complicated as it sounds.
I have written a blog post about the different options available.
The post is published in ENow's ESE blog.
Enjoy.
Exchange Server 2016 introduced the PowerShell cmdlet Get-MailboxServerRedundancy. This cmdlet helps you plan and prepare for Exchange Server maintenance by querying the current maintenance readiness of the database availability group (DAG).
Interestingly, there is no PowerShell help available for this vital cmdlet. Microsoft Docs or Exchange Management Shell's Get-Help provide any valuable information.
When querying a DAG about the server redundancy status, the cmdlet's default output provides you with the essential information.
The default output contains information about:
This example shows the Get-MailboxServerRedundancy output of a six server DAG, before activating maintenance mode for server LOCEXS06.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 09:10:11 LOCEXS02 True False Normal True 17.02.2020 09:10:11 LOCEXS03 True False Normal True 17.02.2020 09:10:11 LOCEXS06 True False Normal True 17.02.2020 09:10:11 LOCEXS05 True False Normal True 17.02.2020 09:10:11 LOCEXS04 True False Prohibited False 17.02.2020 09:10:11
As Exchange Administrator, you are most interested in the information displayed in columns RepairUrgency and SafeForMaintenance.
As you can see in this screenshot, no server is in maintenance mode. Servers S01 and S04 have a RepairUrgency state of Prohibited, and a SafeForMaintenance state of False. The latter tells us that we cannot activate maintenance mode for servers safely without risking mailbox database redundancy.
What is the reason for this? Let's have a look.
You can use the same cmdlet to query detailed information for each member server of the DAG. The default output for a single server does not provide any additional information on the server status.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 -Identity LOCEXS01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 09:11:11
Because we cannot activate maintenance mode for server LOCEXS01 safely, we are interested in identifying which redundancy state is responsible.
You can find this information by displaying the detailed server information.
Use the Format-List, or short FL, cmdlet to display the Get-MailboxServerRedundancy cmdlet output as a formatted list.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup EXDAG01 -Identity LOCEXS01 | FL RunspaceId : 70d82f8d-e6ca-4bfc-863f-11300a9784ff Identity : LOCEXS01 IsServerFoundInAD : True IsInMaintenance : False RepairUrgency : Prohibited SafeForMaintenance : False ServerContactedFqdn : LOCEXS04.VARUNAGROUP.DE HealthInfoCreateTime : 15.06.2018 15:16:19 HealthInfoLastUpdateTime : 17.02.2020 09:11:11 ServerFoundInAD : CurrentState: Active; LastActiveTransition: 15.06.2018 15:22:16; LastInactiveTransition: InMaintenance : CurrentState: Inactive; LastActiveTransition: 17.01.2020 09:07:02; LastInactiveTransition: 17.01.2020 10:42:02 AutoActivationPolicyBlocked : CurrentState: Inactive; LastActiveTransition: 09.01.2020 10:14:50; LastInactiveTransition: 09.01.2020 11:00:51 ActivationDisabledAndMoveNow : CurrentState: Inactive; LastActiveTransition: ; LastInactiveTransition: 15.06.2018 15:22:16 HighAvailabilityComponentStateOffline : CurrentState: Inactive; LastActiveTransition: 17.01.2020 09:07:02; LastInactiveTransition: 17.01.2020 10:42:02 CriticalForMaintainingAvailability : CurrentState: Inactive; LastActiveTransition: 31.01.2020 16:52:49; LastInactiveTransition: 31.01.2020 16:56:49 CriticalForMaintainingRedundancy : CurrentState: Active; LastActiveTransition: 29.01.2020 11:43:06; LastInactiveTransition: 29.01.2020 11:42:06 PotentiallyCriticalForMaintainingRedundancy : CurrentState: Active; LastActiveTransition: 01.02.2020 05:49:37; LastInactiveTransition: CriticalForRestoringAvailability : CurrentState: Inactive; LastActiveTransition: 06.05.2019 09:16:36; LastInactiveTransition: 06.05.2019 09:20:36 CriticalForRestoringRedundancy : CurrentState: Inactive; LastActiveTransition: 29.01.2020 11:42:06; LastInactiveTransition: 29.01.2020 11:43:06 HighForRestoringAvailability : CurrentState: Inactive; LastActiveTransition: 29.01.2020 11:42:06; LastInactiveTransition: 29.01.2020 11:43:06 HighForRestoringRedundancy : CurrentState: Inactive; LastActiveTransition: 10.02.2020 09:05:02; LastInactiveTransition: 10.02.2020 09:06:02 IsSafeForMaintenance : CurrentState: Inactive; LastActiveTransition: 03.11.2019 09:42:35; LastInactiveTransition: 12.11.2019 06:29:58 IsValid : True ObjectState : Unchanged
The lines 24-27 show the information we want to know. Both, the CriticalForMaintainingRedundancy and PotentiallyCriticalForMaintainingRedundancy parameters have a CurrentState value of Active. The Primary Activation Manager (PAM) considers the server availability critical to provide redundant availability of the database copies hosted by this server.
Each of state-parameter shows three pieces of information:
But there is still the bothering question of why are two of the six servers not safe for activating maintenance?
The reason is simple. The mailbox databases mounted by the member servers of the DAG have a different number of database copies. This configuration is due to data storage capacity constraints.
The mailbox databases storing primary user mailboxes use four database copies per database. Those copies are evenly distributed across all six mailbox servers. Mailbox database storing online archive mailboxes use three copies per database. This database copy layout allows for safely activating server maintenance for one server at a time without risk to database redundancy.
The servers LOCEXS01 and LOCEXS04 hold mailbox databases with just two copies per configured database. Placing one of those two servers into maintenance mode reduces the database availability for these mailbox databases to one. Therefore, PAM informs us that database redundancy is at risk when activating maintenance for those two servers.
This example shows the member server redundancy state while LOCEXS06 is in maintenance. The reason for monthly maintenance for installing Windows updates.
Maintenance was activated using the StartDagServerMaintenance.ps1 PowerShell script.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup indag01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 11:04:12 LOCEXS02 True False Normal True 17.02.2020 11:04:12 LOCEXS03 True False Prohibited False 17.02.2020 11:04:12 LOCEXS06 True True High True 17.02.2020 11:04:12 LOCEXS05 True False Prohibited False 17.02.2020 11:04:12 LOCEXS04 True False Prohibited False 17.02.2020 11:04:12
Having a single server in maintenance has a significant impact on all other servers in the DAG. The servers LOCEXS03 and LOCEXS05 are not safe for maintenance as well. Activating maintenance for those two servers would affect the database redundancy for the databases hosted by those two servers.
After completing all maintenance tasks, e.g., installing Windows Updates or a new Exchange Server Cumulative Update, you end server maintenance using the PowerShell script StopDagServerMaintenance.ps1.
We query the server redundancy state again.
Get-MailboxServerRedundancy -DatabaseAvailabilityGroup indag01 Identity IsServerFound IsInMainten RepairUrgency SafeForMaintenance HealthInfoLastUpdateTime InAD ance -------- ------------- ----------- ------------- ------------------ ------------------------ LOCEXS01 True False Prohibited False 17.02.2020 11:23:12 LOCEXS02 True False Normal True 17.02.2020 11:23:12 LOCEXS03 True False Normal True 17.02.2020 11:23:12 LOCEXS06 True False High True 17.02.2020 11:23:12 LOCEXS05 True False Normal True 17.02.2020 11:23:12 LOCEXS04 True False Prohibited False 17.02.2020 11:23:12
Server LOCEXS06 is not in maintenance, but the RepairUrgency state is High. The local Exchange Server replication engine is still busy replicating and processing log files, and updating the search indices. When CopyQueueLength and ReplayQueueLength are back to 0, and ContentIndexStates are back to Healthy, the RepairUrgency switches to Normal.
You receive an error message when activating maintenance for an Exchange Server not safe for maintenance using StartDagServerMaintenance.ps1 -serverName [SERVER] In this case, you must use:
.\StartDagServerMaintenance.ps1 -serverName SERVERNAME -overrideMinimumTwoCopies:$true
Enjoy Exchange Server!
Azure AD Pass-through authentication (PTA) recommends that you run at least three authentication agents to provide high availability for authentication.
When you download and install the PTA agent, registering the PTA agent to Azure AD might fail. This happens most of the time when the network connectivity to Azure AD requires the use of a proxy server. In such a network setup you normally encounter configuration errors only, if the proxy server is misconfigured or the Internet Explorer zone configuration is missing required entries for trusted sites.
When you encounter an error during installation and registration of the dedicated PTA agent I recommend to separate these two steps. You need the credentials of an Azure AD account that is a member of the Global Administrator management group.
AADConnectAuthAgentSetup.exe REGISTERCONNECTOR="false" /q
# navigate to the default installation location cd "C:\Program Files\Microsoft Azure AD Connect Authentication Agent" # enter the global admin credentials $cred = Get-Credential # register the PTA agent using the RegisterConnector.ps1 script # multiline example .\RegisterConnector.ps1 ` -ModulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" ` -ModuleName "PassthroughAuthPSModule" ` -AuthenticationMode Credentials ` -UserCredentials $cred ` -Feature PassthroughAuthentication # single line example .\RegisterConnector.ps1 -ModulePath "C:\Program Files\Microsoft Azure AD Connect Authentication Agent\Modules\" -ModuleName "PassthroughAuthPSModule" -AuthenticationMode Credentials -UserCredentials $cred -Feature PassthroughAuthentication
The Azure AD Pass-through agent Quickstart documentation has an example for automating the installation of the PTA agent as part of a server provisioning process. The current example references the wrong PowerShell module named AppProxyPSModule. The most recent release of the PTA agent does not contain a PowerShell module by that name. Use the PowerShell module PassthroughAuthPSModule, as shown in the PowerShell example shown above.
Enjoy Azure AD!