I am honored to be a speaker at the Virtual Scottish Summit 2021 conference, taking place on Saturday, 27 February.
The Scottish Summit is a truly European event. You can choose from 365 sessions covering nearly everything about Microsoft 365 workloads in seven languages:
Attend my session if you are interested in the challenges of implementing Exchange Server Hybrid, and the requirements to make it work with Microsoft Teams and on-premises mailboxes.
My session at Scottish Summit 2021:
See you online for the Virtual Scottish Summit.
This year's MCT Summit Middle East took place on 19-20 March, with two full days of content about Microsoft technologies. Four session tracks plus a workshop track offered possibilities to learn and share knowledge, not only with the MCT community.
The session recording will be made available on the event website.
I enjoyed talking about Exchange Hybrid, what it is, why you need it and how you implement it using the Hybrid Configuration Wizard.
My PowerPoint presentation is available on Slideshare.
I look forward to next year's event.
The Microsoft 365 Virtual Marathon is happening on May 27-28 2020.
This is a free online event, providing you with 36 hours of non-stop sessions from speakers around the globe. You can join at any time.
The virtual conference is a joint effort with SPC.
I speak at Microsoft 365 Virtual Marathon about:
The marathon session plan is available here.
The Microsoft 365 Virtual Marathon took place on May 27-28 2020.
The recording of my session "Exchange Hybrid - What, Why, and How" is available on YouTube.
Browse all recordings of the Microsoft 365 Virtual Marathon here: https://www.youtube.com/channel/UCrtmT6Ir1MIs0ZES7sKMmqA
Recently I encountered an interesting PowerShell error after upgrading several servers running Exchange Server 2013 CU9 to Exchange Server 2013 CU11.
After a successful upgrade, the Exchange PowerShell script to redistribute the DAG databases failed with an error.
.\RedistributeActiveDatabases.ps1 -DagName DAG01 -BalanceDbsByActivationPreference -Confirm:$false
Cannot process argument transformation on parameter 'Identity'. Cannot convert value "MAILBOXDB01" to type
"Microsoft.Exchange.Configuration.Tasks.DatabaseCopyIdParameter". Error: "Cannot convert hashtable to an object of the
following type: Microsoft.Exchange.Configuration.Tasks.DatabaseCopyIdParameter. Hashtable-to-Object conversion is not
supported in restricted language mode or a Data section."
+ CategoryInfo : InvalidData: (:) [Get-MailboxDatabaseCopyStatus], ParameterBindin...mationException
+ FullyQualifiedErrorId : ParameterArgumentTransformationError,Get-MailboxDatabaseCopyStatus
+ PSComputerName : SERVER01.mcsmemail.de
The interesting part to note is: "conversion is not supported in restricted language mode".
The supported language mode is configured in the application settings of the PowerShell virtual directory of the Exchange Back End website.
The application settings after Exchange Server 2013 CU11 update:
Running PSLanguageMode with the value RestrictedLanguage is the default setting. You should change this setting only if you encounter PowerShell issues.
Double-click PSLanguageMode and change the value to FullLanguage.
Currently I have no explanation why a clean Exchange 2013 CU11 setup does not show this behaviour. A plain Exchange 2013 CU11 setup executes the script without any issues.
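As an added example (not part of the original post), the following script reports the PSLanguageMode application setting of the PowerShell virtual directory described above and changes it only when explicitly asked. It assumes the IIS path 'IIS:\Sites\Exchange Back End\PowerShell' and the appSettings key name PSLanguageMode, and must run in an elevated shell on each Exchange server.

```powershell
# Added example (not from the original post): read, and optionally change, the PSLanguageMode
# application setting of the PowerShell virtual directory in the Exchange Back End website.
# Assumptions: the IIS path 'IIS:\Sites\Exchange Back End\PowerShell' and the appSettings key
# 'PSLanguageMode' follow the description in the post; run elevated on each Exchange server.
#Requires -Modules WebAdministration
param(
    [ValidateSet('RestrictedLanguage', 'FullLanguage')]
    [string]$Desired,    # omit to only report the current value
    [string]$SitePath = 'IIS:\Sites\Exchange Back End\PowerShell'
)
Import-Module WebAdministration
$filter = "appSettings/add[@key='PSLanguageMode']"

function Get-PSLanguageMode {
    (Get-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name 'value').Value
}

$current = Get-PSLanguageMode
Write-Host "$env:COMPUTERNAME PSLanguageMode = $current"

if ($Desired -and $Desired -ne $current) {
    # RestrictedLanguage is the hardened default. Only widen it when a cmdlet actually fails with
    # the 'Hashtable-to-Object conversion is not supported in restricted language mode' error,
    # and record the deviation so it can be reverted once the cause is understood.
    Set-WebConfigurationProperty -PSPath $SitePath -Filter $filter -Name 'value' -Value $Desired
    Write-Host "$env:COMPUTERNAME PSLanguageMode changed $current -> $(Get-PSLanguageMode)"
}
```

Run it without -Desired across all DAG members first to find servers that deviate from RestrictedLanguage after the CU update.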
You might have the requirement to authenticate mobile devices and authorize user access to on-premises Exchange Server mailboxes using a multi-vendor strategy. This blog post focuses on the configuration of a Kemp LoadMaster located in an internal network segment. The Kemp LoadMaster ESP functionality is used to allow ActiveSync connections for members of a dedicated security group only.
This results in the following authentication and authorization endpoints:
The following diagram shows a simplified overview for mobile devices connecting to an on-premises Exchange Server. The perimeter and internal network segments are omitted for simplification reasons.
The following screenshots illustrate a working setup for a virtual service load balancing mobile device connections from MobileIron Sentry to Exchange Server. It's assumed that you've already configured the following:
The SSL traffic is offloaded and re-encrypted, as we need to authenticate the user with ESP. Ensure that you select a Cipher Set that does not include any weak or insecure cipher suites. In this example I've selected the predefined set BestPractices.
Enable ESP to activate the ESP configuration section. The settings are as follows:
In the Real Servers section you add all member servers of your Exchange Server DAG. Make sure the health checks use the HTTPS protocol and query the /Microsoft-Server-ActiveSync/healthcheck.htm document.
Using this configuration you've added your Kemp LoadMaster as an additional authentication endpoint to secure mobile device access to Exchange Server mailboxes.
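Because ESP only admits members of the dedicated security group, the group and the ActiveSync-enabled state in Exchange can drift apart. The following added example (not part of the original post) reconciles the two; it assumes a placeholder group name, the Exchange Management Shell with the ActiveDirectory module available, and that mailboxes and group members are in the same domain so they can be compared by SamAccountName.

```powershell
# Added example (not from the original post): reconcile Exchange ActiveSync-enabled mailboxes with
# the Active Directory security group that the LoadMaster ESP uses to authorize ActiveSync logons.
# Assumptions: the group name is a placeholder; run in the Exchange Management Shell on a host with
# the ActiveDirectory module; mailboxes and group members are in the same domain (compared by
# SamAccountName). Users ActiveSync-enabled in Exchange but not in the group are rejected at the
# LoadMaster; group members not ActiveSync-enabled cannot sync either, so both gaps are reported.
param([string]$EspGroup = 'SG-ActiveSync-Allowed')  # placeholder group name
Import-Module ActiveDirectory

# Effective ESP allow list: nested groups expanded, user objects only
$allowed = Get-ADGroupMember -Identity $EspGroup -Recursive |
           Where-Object objectClass -eq 'user' |
           Select-Object -ExpandProperty SamAccountName

# Mailboxes that Exchange itself lets use ActiveSync
$enabled = Get-CASMailbox -ResultSize Unlimited -Filter { ActiveSyncEnabled -eq $true } |
           Select-Object -ExpandProperty SamAccountName

$enabledButNotInGroup = $enabled | Where-Object { $allowed -notcontains $_ }
$inGroupButNotEnabled = $allowed | Where-Object { $enabled -notcontains $_ }

[pscustomobject]@{
    EspGroupMembers             = @($allowed).Count
    ActiveSyncEnabledInExchange = @($enabled).Count
    EnabledButNotInGroup        = @($enabledButNotInGroup)
    InGroupButNotEnabled        = @($inGroupButNotEnabled)
} | Format-List
```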
When you run software solutions that make use of TLS-secured communication channels, the applications need access to the certificate's private key. The private key is part of the certificate stored in the local certificate store of the computer. In most cases the software solution creates a new self-signed certificate and configures access rights appropriately.
When establishing TLS communication channels to external partners, the use of a public SSL/TLS certificate is a must-have requirement.
The following step-by-step instructions describe how to assign Read permission for the email security solution NoSpamProxy Gateway. In this case the solution does not utilize a classic service account, but a so-called virtual service account. Virtual service accounts provide much better access security for Windows services.
Open the local computer's certificate store using the MMC snap-in.
Select the certificate to use and open the context menu (right click).
Select Manage Private Keys to manage the private key permissions.
Click Add and add the required service accounts.
In this case the virtual service accounts are part of the local computer entity. Select the local computer and not the Active Directory domain as the source when searching for accounts. Virtual accounts use the prefix NT Service.
Add the following accounts to configure read access for NoSpamProxy on a server having the Gateway and Intranet role installed.
Add the following accounts to configure read access for NoSpamProxy on a server having the Gateway role installed only.
Click Check Names to verify the existence of the entered service accounts.
When correctly resolved, the account names are replaced by their respective display names. Click OK to add the accounts.
Configure read access for all added service accounts and click OK.
The software solution is now capable of accessing the private key of the certificate.
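The same private key permission can be set and audited from PowerShell, which is useful when the step has to be repeated on several servers. The following added example (not part of the original post or of NoSpamProxy) uses a placeholder thumbprint and placeholder NT SERVICE account names, and assumes the certificate sits in the local computer's Personal store with an RSA key held by a legacy CSP or the Microsoft Software Key Storage Provider.

```powershell
# Added example (not from the original post): grant Read access on a certificate's private key
# to virtual service accounts from PowerShell instead of the MMC 'Manage Private Keys' dialog,
# then list every identity that can read the key so the change can be audited.
# Assumptions: thumbprint and 'NT SERVICE\...' account names are placeholders; the certificate is
# in the local computer's Personal store with an RSA key held by a CSP or the Microsoft Software KSP.
param(
    [Parameter(Mandatory)][string]$Thumbprint,
    [string[]]$ServiceAccount = @('NT SERVICE\PlaceholderGatewayService')  # placeholder names
)

function Get-PrivateKeyFile {
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if (-not $rsa) { throw "Certificate $($Cert.Thumbprint) has no accessible RSA private key" }
    $base = Join-Path $env:ProgramData 'Microsoft\Crypto'
    if ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        # Legacy CSP key container
        return Join-Path $base "RSA\MachineKeys\$($rsa.CspKeyContainerInfo.UniqueKeyContainerName)"
    }
    # CNG key stored by the Microsoft Software Key Storage Provider
    return Join-Path $base "Keys\$($rsa.Key.UniqueName)"
}

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object Thumbprint -eq $Thumbprint
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in Cert:\LocalMachine\My" }

$keyFile = Get-PrivateKeyFile -Cert $cert
$acl = Get-Acl -Path $keyFile

foreach ($account in $ServiceAccount) {
    # Read is sufficient for TLS; do not grant FullControl on a private key to a service account
    $rule = New-Object System.Security.AccessControl.FileSystemAccessRule -ArgumentList $account, 'Read', 'Allow'
    $acl.AddAccessRule($rule)
}
Set-Acl -Path $keyFile -AclObject $acl

# Audit: which identities can read this private key now?
(Get-Acl -Path $keyFile).Access |
    Select-Object IdentityReference, FileSystemRights, AccessControlType |
    Format-Table -AutoSize
```

An NT SERVICE\ identity only resolves when the corresponding Windows service is already installed on the server, which matches the Check Names behaviour in the MMC dialog.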