13 years of blogging and 2 000 000 views

26/01/202327/01/2023Ståle Hansen Leave a comment

Today, January 26th 2023, I hit a huge milestone. 2 000 000 views since I started blogging in 2009. msunified.net has been the home for me to share technical nuggets about Exchange, OCS, Lync, Skype for Business, Teams and Microsoft 365 for over 13 years. I have even shared productivity tips which has culminated in to my Digital Wellbeing thinking. I want to reflect and share my 10 all time most visited blogposts, my 5 favorited blogposts, some external articles I have written and share what I am working on these days.

If you have found any of my articles useful at some point, give this article or the social media post you found this through a like 👍 :)

10 all time most viewed blogposts

178 602 views: Installing Exchange 2010 Prerequisites on Server 2008 R2
158 401 views: Set the custom Focusing status in Microsoft Teams from PowerShell using Power Automate
70 810 views: Enabling Lync Server 2010 for Lync Mobile Clients
63 077 views: How to set custom presence states in Skype for Business on your Windows machine
62 637 views: Configure Exchange 2010 InternalUrl PowerShell script
62 082 views: Installing Lync Server 2010 Prerequisites on Windows Server 2008 R2
48 383 views: Lync Server 2010 features and how to configure them
43 957 views: Set the custom Focusing status in Microsoft Teams from To Do using Power Automate
41 229 views: Lync client sign-in and DNS records recommendations
40 545 views: How to set IPv4 as preferred IP on Windows Server using PowerShell

My 5 favorite blogposts which I often use today

External articles I have written for other sites and Tech Community

This Feature in Microsoft Teams is a Lifehack
Notifications is the #1 skill everyone needs to master in the next decade
Goodbye Skype for Business Online, you wont be missed
Plus a couple Microsoft Ignite session reviews on the Teams blog

Office 365 for IT Pros

For four years, between 2018 and 2022, I contributed to the calling and meetings chapter for Office 365 for IT Pros. I strongly believe in that format, because it gets updated monthly😱 Tony Redmond heads up that book and the author team does a fantastic job of keeping you up do date on best practices and technical facts in Office 365. Blogposts are seldom kept up to date and that is why you have seen less blogposts here these years, since they get outdated faster than you can type :) I recommend you go and buy a subscribtion to Office 365 for IT Pros right now👍

msunified.net moving forward and what I am currently working on

Do I think blogposts are still worth it today? yes and no. No for “how to” blogposts because learn.microsoft.com is so much better than Microsoft documentation has ever been. Maybe you would rather suggest a change to the learn article if you find information missing. Yes when you want to share a routine, script, your understanding and design principles. I would say no to opinion pieces on a personal blog, maybe you want to share those on LinkedIn or a third party blogsite

These days I work mainly in two areas

Digital Wellbeing and working smart with Microsoft 365 combined with Microsoft Viva
- I published 8 hours of deep dive training for free on YouTube which are indexed here
- I recently rebranded as a Digital Wellbeing coach delivering inspiration talks, keynotes, leadership training and organizational training based on my Digital Wellbeing thinking :)
- I run workshops, proof of concepts and talk at conferences about Microsoft Viva
- I am part of the #VivaExplorers an enthusiastic gang of over 60 MVPs who bring their own angle in to the broad world of Microsoft Viva thought leadership and understanding.
Complex hybrid deployment for Exchange/Skype for Business/Teams
- I see larger more complex and risk averse companies stretching or migrating to Microsoft 365
- In those more locked down environments we need to be more precise in knowing what works and how
- These past years i have spent a lot of time as advisor and hands-on with hybrid Exchange solving problems like free/busy, Autodiscover, oauth, hybrid modern auth, Outlook Mobile and making sure nothing is more open than it should be, some of it resulted in this blogpost and I might blog more about troubleshooting these scenarios
- Same for hybrid Skype for Business, but that is easier than hybrid Exchange, if you have gone down the route and set up a proper Edge server topology :)
Make sure you check out my YouTube channel to get my latest videos and talks I do that other channels shares

Thanks to everyone who visits my blog on a daily basis and I think I struck a nerve when blogging about Set the custom Focusing status in Microsoft Teams from PowerShell using Power Automate which is daily the most visited blogpost on my site :)

Office 365 Multi-Factor Authentication requirements explained

05/01/201727/04/2017Ståle Hansen 5 Comments

Short version

Multi-Factor Authentication (MFA) in Office 365 is dependent on Modern Authentication which is oAuth 2.0 via ADAL that authenticates the user in Azure AD

Longer version with links to deep dives

What is MFA?
- Multi-Factor Authentication (MFA) in Office 365 requires Modern Authentication (oAuth2.0 + ADAL) to be enabled for the clients and services that are going to use MFA
- MFA, Two-step verification, is a method of authentication that requires more than one verification method combined with the Azure Authenticator App, SMS or phone call verification
- Read more here
What is Modern Authentication?
- Modern Authentication is oAuth 2.0 used via ADAL to enable newer applications (Outlook, Word, OneNote, Skype for Business and other Office applications) to authenticate to services such as Skype for Business, Exchange and SharePoint
- In Office 2013 march 2015 update and later Modern Authentication is supported and in Office 2016it is enabled by default and will use an in-application browser control to render the Azure AD sign-in experience
- Read more here
What is oAuth?
- Open Authentication 2.0 (oAuth 2.0) is used as a component via ADAL as the web-based authorization flow between servers or clients and servers
- Read more here
What is ADAL?
- Microsoft Azure Active Directory Authentication Library (ADAL) is a tool in the .NET framework that lets client applications authenticate users to Office 365 and Azure AD
- Read more here
Two options are available for SSO with on-premises AD that requires Modern Authentication
- Pass Through Authentication (PTA)
  - Works with Office 365 only
  - Enabled on latest AADC with outbound connection only, no DMZ server
  - Just set up several AADC and it is automatically loadbalanced resulting in low operational cost
  - Does not store password in Azure AD, authenticates user in on-premises AD first and presents MFA after that if enabled
  - In combination with password sync you are not dependent on AADC uptime
  - Read more here and here
- ADFS 3.0
  - Used for hybrid Skype for Business and Exchange environments
    - Skype for Business server Hybrid supports Modern Authentication, but will do NTLM authentication to on-premises AD and give MFA pop-up when authenticating to Exchange Online, read more here
    - I recommend Pointsharp MFA for on-premises and hybrid Skype for Business deployments
    - Exchange Server hybrid requires MFA Server, read more here
    - For best Azure MFA result an Online only deployment is recommended
  - ADFS is best for larger organizations
  - More complex and requires proxy servers in DMZ with public IP and Certificate
  - Requires loadbalancer for high-availability
  - Is required when doing MFA with Smart Card, 3rd party tokens and certificate based authentication
  - Read more here
You can now use Microsoft Intune to control MFA options and turn of MFA for certain subnets and conditions, read more here
Read about conditional access, MFA with Intune Hybrid and SCCM
Use Azure AD Premium with automated password roll-over for business social media profiles protected by a MFA enabled identity with centrally controlled delegation, read more here

mfastalehansen

My TechNet Live Exchange 2010 Screencasts are Now Online at TechNet Edge

02/05/201005/05/2010Ståle Hansen Leave a comment

[tweetmeme source=”stalehansen” only_single=false]This year I got the honour to be the speaker at the Exchange track on TechNet Live in Norway. TechNet Live is hold in the four largest cities in Norway every year and this year it was about 1800 attendees for all the cities. Below are the Screencast from my sessions in Bergen. The presentations are in norwegian.

Session 1: Exchange 2010 Installation and Migration. Talks about:

Some new features in Exchange 2010
How to prepare before an installation
How to Migrate to Exchange 2010
How Client Access coexistence works
Gotchas during the first Exchange 2010 migrations
Download PDF

Session 2: Exchange 2010 Performance and Scalability. Talks about:

Memory and Processor requirements
Virtualization
Planning for Scalability
Some new High Availability features
Walks through some new HA scenarios for Exchange 2010
Download PDF

Install Exchange 2010 with latest update in Unattended Mode

06/03/201006/04/2010Ståle Hansen Leave a comment

[tweetmeme source=”stalehansen” only_single=false]If you are planning to install a new Microsoft Exchange Server 2010, you should probably consider installing the latest update before configuring any of the server roles.

The below guide is not written by me. I found it so useful that I want to repost it here on my blog for later reference. This guide is written by Elie Bou Issa and the original article can be found here: http://blog.elieb.info/2010/03/06/exchange-2010-with-ur2-installation-in-unattended-mode.aspx

In the below scenario, we are installing the Mailbox role, the Client Access role and the Hub Transport role along with Update Rollup 2 in unattended mode. The exchange installation root folder is called exch and the Update Rollup 2 is placed under C:\Exchange2010\Patches. To install the exchange prerequisites, run “Exchange-Typical.xml” from the Scripts folder found in the installation directory. You can also take a look at this post for installing the prerequisites manually: https://msunified.net/2009/10/30/exchange-2010-prerequisites-on-server-2008-r2/

After successfully installing the prerequisites, set the NetTcpPortSharing service startup type to automatic by running the below command

Now, it is time to run the setup in unattended mode.

To do that, run the following command from the exchange installation directory:

Setup.com /m:Install /r:M,C,H /OrganizationName:Name of the Organization /UpdatesDir: Updates path

If you wish to check the different options for unattended setup, you can refer to Install Exchange 2010 in Unattended Mode

After completing the installation, you can check the product version by clicking Help-> About from the Exchange Management Console as shown below:

Exchange and OCS Google custom search

07/08/200924/10/2010Ståle Hansen 11 Comments

I have created a Custom Search engine using Google custom search. I have set it up to only search the sites, blogs and technical resources that I have specified. I will use this search engine when troubleshooting and finding useful information. The point is to remove all the unnecessary hits you get from using the regular search engine and make sure I get hits from the brightest bloggers out there.

I have tried to collect good blogs and resources for Exchange and OCS and have made a list of the sites that are added. Try it out and please let me know if there are sites that should be in the search engine and I’ll add them.

Update 11.08.09: Added Exchange and OCS blogs from Pointbridge
http://blogs.pointbridge.com/Blogs/mcgillen_matt/pages/
http://blogs.pointbridge.com/Blogs/steele_aaron/Pages/
http://blogs.pointbridge.com/Blogs/nielsen_travis/pages/
http://blogs.pointbridge.com/Blogs/enger_erik/pages/
http://blogs.pointbridge.com/Blogs/greve_david/pages/

Update 07.02.10 added the following blogs
http://www.msexchangeguru.com
http://www.msexchangegeek.com
http://www.nitingupta.in/blogs
http://howtoexchange.wordpress.com/

Update 02.05.10 added the following blogs
http://www.mikepfeiffer.net
http://sysadmin-talk.org/

Update 24.10.10 added the following blog
http://blog.schertz.name/
http://marjuss.wordpress.com/

Allowing application servers to relay off Exchange Server 2007

14/05/200901/07/2009Ståle Hansen Leave a comment

To allow application servers to relay through your Exchange 2007 server do the following

Create a new internal receive connector in EMC
Add the servers that need to relay
When created edit the settings and navigate to Permission Groups
Select only Anonymous users, deselect other options
Navigate to the Authentication tab
Deselect every checkbox so that nothing is selected
Apply changes
Open EMS and run the following commandlet
Get-ReceiveConnector “InternalRelay” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”
Relay should now work for the selected servers

This information was based on this blog, http://msexchangeteam.com/archive/2006/12/28/432013.aspx

Deleted Mailbox not appearing in Disconnected mailbox in Exchange 2007

13/05/200906/04/2010Ståle Hansen 1 Comment

[tweetmeme source=”stalehansen” only_single=false]Deleted mailboxes will appear in disconnected mailbox list, but it will not reflect immediately. You have to wait for online maintenance to run and complete.

If you accidentally delete mailbox and if you wanted to reconnect it back then you may not be able to find it Disconnected Mailbox. You have to run Clean-MailboxDatabase to get the deleted mailbox. Also if you want to disconnect the mailbox to re-add it to an other user or the same user do the following:

Disable the mailbox in EMC
When you disable a mailbox the user object stays in AD and the mailbox is marked for deletion.
The disconnected mailbox should appear in the disconnected mailbox view
If it is not appearing in the disconnected mailbox view run one of the following commands from powershell

Clean-MailboxDatabase \servername\SGName\Store
Cleaning Database of Individual Store

Get-Mailboxdatabase | Clean-MailboxDatabase
Cleans all the database in the Organization

Get-Mailboxdatabase | Where{ $_.Server –eq “<servername>”}| clean-MailboxDatabase
Cleans all the database in the specific store

Get-Mailboxdaatabase | Where{ $_.Name –eq “<DatabaseName>”}| clean-MailboxDatabase
Cleans all the Database which matches the specific name given in Databasename

After the command completes, check the event viewer for the following event ID’s
- Event ID 9531 – the clean mailboxdatabase process has begun
- Event ID 9533 – a user does not exist in the directory or is not enabled for Exchange mail. This mailbox will be removed from mailbox store in after the retention time has passed
- Event ID 9535 – the process completes and lists that the mailbox was retained in the store
Finally you should see it in the disconnected mailbox view and you can connect it to the same AD user or an other AD user.

This blog was based on smtpport25’s blog, http://smtpport25.wordpress.com/2009/04/22/deleted-mailbox-not-appearing-in-disconnected-mailbox-in-exchange-2007/

If you need to restore the mailbox because it is not retained in the mailbox store, see these great sites for restore guide using Recovery Storage Groups
http://www.petri.co.il/using_rsg_in_exchange_2007.html
http://www.msexchange.org/tutorials/Working-Recovery-Storage-Groups-Exchange-2007.html

Request certificate using Exchange Management Shell

11/05/200922/03/2010Ståle Hansen 2 Comments

If you use the self-signed certificate assigned by the Exchange server itself there is a simple process to renew the certificate. You will typically get a note in the event viewer when the certificate is about to expire. Here’s a great blog that explains the process: http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html

To request or renew a 3rd-party (or from internal PKI infrastructure) SAN certificate that resides on your Exchange server using EMS I found this approach being useful. In this example I used an internal PKI infrastructure to assign a certificate to my internal Exchange Servers behind a NLB cluster for the ClientAccess role. I found that if the certificate is requested through an internal PKI infrastructure the certificate is issued for a period of one year and has to be manually renewed.

Create a request using EMS with this command
New-ExchangeCertificate –GenerateRequest –SubjectName “C=net, O=msunified, CN=webmail.msunified.net” –DomainName webmail.msunified.net, webmail.msunified.local, cashub01.msunified.local, cashub02.msunified.local –FriendlyName “CAS SAN Certificate” –KeySize 1024 –Path c:\CAS_SAN_cert.req –PrivateKeyExportable:$true
Open the req file, and copy everything except
—–BEGIN NEW CERTIFICATE REQUEST—–
—–END NEW CERTIFICATE REQUEST—–
Navigate to you CA server using the following url: http://CA-server/certsrv
click “request a certificate” and then select “advanced certificate request”
click “Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file.”
past the content in the “saved request” window
hit submit
- If you have a 2003 CA and it does not support SAN certificates you need to enable it using this command
- CERTUTIL -setreg policy\EditFlags +EDITF_ATTRIBUTESUBJECTALTNAME2
- Restart the certificate service and IIS
click “download certificate chain” and save the file
On the exchange server import the certificate
Import-ExchangeCertificate -Path c:\2009-2.p7b -FriendlyName “webmail.msunifed.net”
Copy the thumbprint and enable the certificate for the selected services
Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
Export the certificate for other exchange servers having the same role with certificate chain using IIS or open the local computer personal store
On the other servers import using IIS
On the other servers rund Enable-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91 -Services pop,imap,smtp,iis
Remove the old certificate with the following command Remove-ExchangeCertificate -Thumbprint 8192F31A99E9C89A41F572CC7AC88864551AFC91

To renew self-signed certificates on the EDGE servers for the SMPT transport service

On the EDGE servers open EMS and do the following
Get-ExchangeCertificate | New-ExchangeCertificate (if its the only certificate on the server)
Remove-ExchangeCertificate -Thumbprint 1025C608027188FFA4DFAE77089D183DABACD077
You then have to re-establish the EDGE syncronizations with the new certificate
New-EdgeSubscription -FileName c:\newsub.xml
Copy the xml file to the internal servers
On the EMC for the HUB role in the organizational view, remove old edge subscription and then do a new one, specify the correct xml file
To synchronize the first time run from EMS the following commandlet: Start-EdgeSynchronization
To test the synch, run the following commandlet: Test-EdgeSynchronization

To be able to deploy SAN certificates from intern CA, you may have to extend the attributes: http://support.microsoft.com/kb/931351

This blog is loosely based on these sites
http://telnetport25.wordpress.com/2008/07/13/windows-2008-exchange-2007-renewing-an-existing-ssl-certificate-on-your-client-access-server/
http://exchangepedia.com/blog/2008/01/exchange-server-2007-renewing-self.html
http://www.exchangeinbox.com/article.aspx?i=114
http://msexchangeteam.com/archive/2007/07/02/445698.aspx

Get-MailboxDatabase oneliner

06/05/200919/05/2009Ståle Hansen Leave a comment

If you run the Get-MailboxDatabase commandlet with no switches it returns all the Exchange 2007 databases in the organization. If you are looking for a list of when each database had a full backup you need to use the -Status switch.

Get-MailboxDatabase -Status | Sort -Property LastFullBackup |ft Identity,LastFullBackup

This will return the Identity and the time for the last full backup of each database in sorted order. This is a useful list when doing maintenance in an Exchange organization.

If you need a quick powershell script that dumps each Storage Group and its backup-related information visit the Exchangepedia Blog at: http://exchangepedia.com/blog/2008/09/script-get-storage-group-backup-status.html

Wrong version number on Exchange 2007 mailbox

24/04/200920/05/2009Ståle Hansen Leave a comment

I had a problem with a migrated user from Exchange 2003 to Exchange 2007 not showing the correct version number. It was not listed as Legacy Mailbox and it resided on a Exchange 2007 store. Running the get-mailbox command I saw that the version number on the mailbox was 0.0 and not 0.1 for Exchange 2007. Because of the mailbox being in this state the user could not connect to OWA. I got the following message:

Inner Exception
Exception type: Microsoft.Exchange.Data.Directory.InvalidADObjectOperationException
Exception message: Property Languages cannot be set on this object because it requires the object to have version 0.1 (8.0.535.0) or later.
Current version of the object is 0.0 (6.5.6500.0).

To resolve this problem you need to correct the properties of the mailbox. Do this by running the following commandlet in Exchange Management Shell:

Set-Mailbox -Identity <user> -ApplyMandatoryProperties

View KB 931747 article over at Microsoft Support, http://support.microsoft.com/kb/931747