MVP - Most Valuable Professional
rss

Just can't get enough of IT

This blog is about mostly anything in IT. But the primary focuses are Microsoft technologies like Exchange Server, Microsoft 365, Microsoft Teams, and Cloud Security.

Microsoft 365 Groups are a more modern way to work in teams and to distribute email messages. We still have the option to use classic distribution groups.

Exchange Online provides us with an option to upgrade classic distribution groups to Unified Groups, which is the Exchange Online term for Microsoft 365 Groups.

When you try to upgrade an existing distribution group, you might receive an error.

PS C:\> Upgrade-DistributionGroup -DlIdentities info@varunagroup.de

RunspaceId                      : b7f07a8b-cec0-45e8-a50d-00c278d48d76
dlIdentity                      : info@varunagroup.de
ErrorReason                     : The specified distribution group is not eligible to be upgraded or you are not
                                  allowed to upgrade this distribution group.
ExternalDirectoryObjectId       : 0352193a-XXXX
SuccessfullySubmittedForUpgrade : False
Identity                        :
IsValid                         : False
ObjectState                     : Unchanged

 

When you get this error, verify that the distribution group owner is a licensed user. While there is no such requirement for a classic distribution group, the owner of a Unified Group must be a licensed user. After adjusting the group owner the upgrade is successful.

PS C:\> Upgrade-DistributionGroup -DlIdentities info@Varinagroup.de

RunspaceId                      : b7f07a8b-cec0-45e8-a50d-00c278d48d76
dlIdentity                      : info@varunagroup.de
ErrorReason                     :
ExternalDirectoryObjectId       : 0352193a-1XXXX
SuccessfullySubmittedForUpgrade : True
Identity                        :
IsValid                         : True
ObjectState                     : Changed

 

Links

 

Enjoy Exchange Online.

Read More »

These are the results of the  Exchange Server Questionnaire from August 2021.

First of all, I want to thank all of you who participated in the questionnaire. The results are pretty interesting. Even though, that the results are not 100% representative they provide a high-level view of the Exchange Organizations, the mail flow configurations, and the future plans regarding hybrid and Exchange Online.

With 55 replies the questionnaire is far from being a comprehensive representation of the Exchange organizations. But the answers provide an idea of the Exchange landscape used by organizations globally.

  

1. Exchange Server Versions in use (Production)

Exchange Server 2016 is the dominant version currently in use, followed by Exchange Server 2019. The vast majority of 93% runs modern Exchange Server versions. But there are still older and unsupported Exchange Server versions in use. 7% use Exchange Server 2010 and older. 

 

Diagram Exchange Server Versions in use (Production)

 

2. How many Exchange Server systems do you operate?

76% of the organizations maintain up to ten Exchange servers. 20% prefer to rely on just one Exchange server. It is interesting that only 2 (not percent) plan to go hybrid or to move to Exchange Online.  

 

Diagram How many Exchange Servers do you operate?

 

3. How many mailboxes do your Exchange Servers host?

The majority of on-premises Exchange organizations are in the 1,000 - 10,000 mailboxes range. Nevertheless, the SMBs with 1 to 1,000 mailboxes adds up to 50% of the Exchange organizations that took part in this questionnaire. There are just a few organizations that host more than 50,000 mailboxes.    

 

Diagram How many mailboxes do your Exchange Servers host?

 

4. Do you use an on-premises or cloud-based SMTP gateway solution?

There are Exchange organizations that do not use an SMTP-Gateway solution as part of the mail-flow implementation. Thor organizations that do not use a gateway solution run 1 to 10 Exchange servers on-premises. The majority of those have less than 1,000 mailboxes but there are a few that are responsible for more than 1,000 mailboxes. That leaves the question of why an organization prefers to not secure mal-flow with a gateway.

 

Diagram Do you use an on-premises or cloud-based SMTP gateway solution?

 

5. Which product do you use as a gateway solution?

The use of SMTP gateways is a must, as you do not want to expose your domain member servers to the Internet, not even for the SMTP protocol. A majority of 28 answers for other gateways shows, that there are so many products available and that I did not choose valid answer options upfront. 

 

Diagram Which product do you use as a gateway solution?

The Other answers include:

  • Cisco ESA
  • Clearswift
  • Eleven
  • Fortigate
  • IronPort
  • Postfix
  • Reddoxx
  • Trustwave

 

6. Is your current Exchange organization using a hybrid configuration with Exchange Online?

65% of the Exchange organizations of this questionnaire already run in a hybrid configuration with Exchange Online. Only 35% are (still) not using a hybrid setup.  

 

Diagram Is your current Exchange organisation using a hybrid configuration with Exchange Online?

 

7. Do you plan to implement a hybrid Exchange configuration or to move to Exchange Online?

Of those who currently do not run a hybrid configuration only 37% plan on implementing Exchange Hybrid or migrate fully to Exchange Online. Staying on-premises is the only option.

 

Diagram Do you plan to implement a hybrid Exchange configuration or to move to Exchange Online?

 

8. Until when do you plan to implement a hybrid configuration or go cloud-only?

The majority of the organizations still running only an on-premises Exchange organization plan on implementing Exchange Hybrid or migrating to Exchange Online by the end of 2021. None of the participating organizations has plans scheduled after 2022.

Diagram Until when do you plan to implement a hybrid configuration or go cloud-only?

 

9. Which hybrid model did you choose?

It is no surprise that Classic Full Hybrid is the most adopted hybrid configuration. And, no surprise either, none of the other classic hybrid options is implemented. The modern hybrid approach is implemented but with lesser.

Diagram Which hybrid model did you choose?

 

10. What are the reasons for staying 100% on-premises?

The reasons for staying with an on-premises Exchange organization vary. the reasons mentioned are:

  • Enclosed environment, external access with BlackBerry UEM, due to public sector data security requirements
  • Mailbox data is classified as too sensitive
  • Too expensive and low internet bandwidth
  • Legal and clients audits 

There are still organizations that choose an on-premises Exchange organization in favor of Exchange Online. I wonder if company policies for reducing the carbon footprint might drive the migration of on-premises data center resources to hosted cloud services.  

 

11. Will you implement Exchange Server vNEXT?

Exchange Server vNEXT is in scope for 47% of the organizations. When comparing it with the used Exchange Server version currently in use (~50% Exchange Server 2016) it is an indicator that some companies just skip Exchange Server 2019. Some organizations prefer not to follow the full life-cycle of Exchange Server. s7% of those who do not want to implement Exchange Server vNEXT and want to stay on-premises are single server implementations of Exchange. 

Diagram Will you implement Exchange Server vNEXT?

 

 

Summary

The product Exchange Server is still widely used in on-premises deployments. The reasons vary from legal and compliance requirements, network bandwidth constraints, and the overall costs for Exchange Online. Exchange Server vNEXT is a must-have for nearly 50% of the organizations participating in this questionnaire. There are still older and unsupported versions in productive use. Why this is the case is unanswered in this questionnaire.

Organizations running a hybrid Exchange configuration primarily use a Classic Full Hybrid configuration. This might be due to an early implementation in those days when nothing else was available, or due to requirements using Microsoft Teams with on-premises mailboxes. The adoption of Modern Hybrid shows that the Hybrid Agent approach helps organizations that cannot implement a Classic Full Hybrid. 

I leave the results of this questionnaire to your interpretation and look forward to your replies, either to this blog post or by social media on Twitter and LinkedIn. Please use the hashtag #ExchangeQuest2021.

There will be a new Exchange Server questionnaire in early 2022, covering various implementation scenarios in more detail. If you want to see a specific Exchange topic covered in the 2022 questionnaire, just let me know.

Again, thank you all for participating in this questionnaire.

 

 

Read More »

IllustrationThe Problem

Mail flow from on-premises devices and applications to Exchange Online is a tricky topic. The documentation allows for different solutions.

Recently a client ran into a situation where an on-premises application was not able to deliver messages to a configured inbound connector in the Exchange Online tenant. The connector was configured for remote IP address selection.

Exchange Online responded to each connection attempt with the following error message:

  • 451 4.4.3 Temporary server error. Please try again later ATTR3.1

There weren't any changes on the on-premises configuration and the setup was in use for multiple months without any issues.

 

The Solution

It took some time to identify the solution, but in the end, the solution was easy.

Disabling and re-enabling solved the issue.  

 

Enjoy Exchange Online.

 

Read More »

Microsoft 365 Collaboration BootCamp 2021The Microsoft 365 Collaboration BootCamp takes place on 21th & 21st  August 2021.

The event addresses collaboration and best practices for using Microsoft Teams, SharePoint, Lists, Groups, and Microsoft Security & Governance.

I am honored to speak about one of my favorite Topics: Microsoft Teams and On-Premises Mailboxes - Troubleshooting 101

Join my session on Saturday 21st August at 12:00 pm (GMT/UTC)

 

 

 

 

 

 

Read More »

Exchange ServerWhen you create or update an Exchange hybrid configuration using the Hybrid Configuration Wizard magic things happen. That's why it is called a Wizard.

One essential step of the Hybrid Configuration Wizard (HCW) is the configuration of the hybrid mail-flow. The hybrid mail-flow is required for both, classic and modern Exchange hybrid. 

The wizard asks you to select one or more Exchange servers that you will utilize for handling inbound mail traffic from Exchange Online to your on-premises organization. You either configure direct mail flow to your Exchange Mailbox Servers in your internal company network, or to your Edge Transport Servers located in the perimeter network.

The following screenshot example shows the selection dialogue.

Screenshot - Hybrid Configuration Wizard Receive Connector Server Selection

 

You can only select a server object, but not a receive connector on that selected server. The HCW chooses the "right" receive connector on the selected servers for you. If you are using the default set of receive connectors, you will not encounter any issues. HCW will use the default frontend connector on a mailbox server. When you use an Edge Transport Server you will run into any trouble as well. There is only one receive connector which you must extend by setting some additional parameters.

But what about an Exchange Organization where each mailbox server hosts multiple receive connectors bound to TCP port 25? 

 

The Problem

When you use multiple receive connectors bound to TCP 25 you will see that HCW will choose a receive connector that you won't expect. You might think that HCW will select always the default frontend connector. That is not the case. 

When you select multiple servers for hybrid mail-flow, and each server has a different receive connector configuration, you might get the impression that HCW selects the receive connector randomly. That is not the case either.

While doing some testing in a large enterprise infrastructure with five different Exchange forests (development, testing, staging, pre-production, production) we saw an interesting behavior.

From all available receive connectors having a TCP 25 binding, HCW selects the receive connector with matching RemoteIPRanges values of:

  • IPv6 all (::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff) and IPv4 all (0.0.0.0-255.255.255.255)
    This is normally the default frontend receive connector when you do not adjust the RemoteIPRanges parameter
  • Just IPv4 all (0.0.0.0-255.255.255.255)
  • Just IPv6 all (::-ffff:ffff:ffff:ffff:ffff:ffff:ffff:ffff)
  • IPv6 any address and IPv4 any address
  • Just an IPv4 address

Adjusting the default receive connector does have a direct impact on how HCW selects a receive connector in your Exchange environment. When you use multiple receive connectors for internal relay purposes, your receive connectors might end up in a messing situation. As mentioned, HCW selects receive connectors with a TCP 25 binding, regardless of the transport location of the connectors, frontend, or hub transport. The enterprise environment mentioned had some deviations between the different environments and we saw TCP 25 receive connectors in frontend transport and hub transport. 

 

The Solution (sort of)

Run the HCW and select only one server for hybrid mail-flow and identify the receive connector configured by HCW. Configure an appropriate receive connector on all other mailbox servers used for hybrid mail flow. Update the hybrid configuration object of your on-premises Exchange Organization accordingly. 

Verify the following two Tls* parameters of the receive connector:

Get-ReceiveConnector 'EXSRV01\Default Frontend EXSRV01' | fl tls*
TlsCertificateName    : <I>CN=Sectigo RSA Domain Validation Secure Server CA, O=Sectigo Limited, L=Salford, S=Greater
                        Manchester, C=GB<S>CN=mail.varunagroup.de, OU=PositiveSSL, OU=Domain Control
                        Validated
TlsDomainCapabilities : {mail.protection.outlook.com:AcceptCloudServicesMail}

 

You must ensure that the hybrid receive connector uses the correct TLS certificate, enabled for SMTP. Additionally, you must set the TlsDomainCapabilitiers to allow cloud mail for connections incoming connections with a TLS certificate for mail.protection.outlook.com.

Keep your receive connectors at frontend transport.   

 

Links

 

Enjoy Exchange Server.

 

Read More »