Migrating Mailboxes From On-Premises to Office 365

KB ID 0001419

Problem

This post continues from Part-One where we connected both our domain, and on-premises Exchange server to Office 365. Now we will add our public domain, and migrate our mailboxes.

Step 3 Adding Domains to Office 365

Before proceeding you will need administrative access to your public DNS records so you can create new records.

Log into Office 365 > Admin Console.

Add a domain.

Enter your public domain name > Next.

Now you need to create a ‘Text Record’ in your public domain. The TTL does not really matter, but the TXT value must match exactly.

As below, once created click (Verify).

I’ll manage my own DNS records > Next.

We are only concerned with Exchange > Next.

STOP: These are the DNS records you need to create if you want everything to point to Office 365. DO NOT CREATE THEM if you want your mail to still get routed to your on-premises server, and you want your Autodiscover to point there. I leave everything pointing to my on-premises server!

So I DON’T create the records (below) unless I’m about to decommission an on-premises Exchange server.

If you DID want all mail and Autodiscover to route to Office 365 that’s fine, BUT change the SPF record that Microsoft gives you to include the public IP of your on-premises server, or you may start getting mail blocked.

i.e.

Microsoft Suggests: “v=spf1 mx include:servers.mcsv.net ?all”

Use: “v=spf1 ip4:123.123.123.123 mx include:servers.mcsv.net ?all”
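The SPF change above, checked in code. This is an added example, not part of the original article: it evaluates only the `ip4`/`ip6` and `all` terms and reports `mx` and `include:` as unresolved instead of looking them up. 123.123.123.123 is the article's placeholder address and 198.51.100.7 is a constructed one.

```python
import ipaddress


def spf_ip_result(record, sender_ip):
    """Evaluate the ip4/ip6 and 'all' terms of an SPF record for sender_ip.

    Returns (result, unresolved). result is 'pass', 'fail', 'softfail' or
    'neutral' from the first matching term, or None if nothing matched.
    unresolved lists the terms seen before that match which need DNS lookups
    (mx, a, include, ...); the result only holds if none of them matches.
    """
    qualifiers = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
    terms = record.strip().strip('"“”').split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    ip = ipaddress.ip_address(sender_ip)
    unresolved = []
    for term in terms[1:]:
        qualifier = "+"  # a term without a qualifier means 'pass'
        if term[0] in qualifiers:
            qualifier, term = term[0], term[1:]
        name, _, value = term.partition(":")
        name = name.lower()
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(value, strict=False)
            if ip.version == net.version and ip in net:
                return qualifiers[qualifier], unresolved
        elif name == "all":
            return qualifiers[qualifier], unresolved
        else:
            unresolved.append(term)
    return None, unresolved


# The two records quoted in the article, and its placeholder on-premises IP.
SUGGESTED = "v=spf1 mx include:servers.mcsv.net ?all"
WITH_ONPREM = "v=spf1 ip4:123.123.123.123 mx include:servers.mcsv.net ?all"
ONPREM_IP = "123.123.123.123"

if __name__ == "__main__":
    for record in (SUGGESTED, WITH_ONPREM):
        print(record, "->", spf_ip_result(record, ONPREM_IP))
```

With the suggested record the on-premises address only reaches `?all` (neutral) unless `mx` or the include happens to cover it; with the amended record it passes on the first term.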

Finish.

Test Mail Flow

If you have made any public DNS changes, then before you do anything else, make sure mail continues to flow in and out of your on-premises Exchange organisation as it did before!

Step 4 Mailbox Migration

Log into Office 365 and locate a user to perform a test migration on, then allocate them an Office 365 licence.

Then from the Office365 Admin Center > Recipients > Migration > Add > Migrate to Exchange Online > Remote move migration > Next.

Add in your ‘Test user’ > Next.

Supply your Exchange administrative credentials > Next.

Put in your MRS proxy FQDN > Next

Note: You may see the following error

MRS Proxy Error ‘The connection to the server could not be completed’

Give the batch a name > Next.

Select an email address to be sent a migration report. Note: For the test migration I’m leaving it on ‘Manual Complete’; once I’m happy I would select ‘Automatically Complete’ > New.

You can view a ‘high level’ progress, or click the download link;

To view a more detailed report.

Note: You can connect to O365 PowerShell online, and view the migrations from the command line like we normally do with an on-premises mailbox migration. See the following link;

Connect to Office 365 Exchange PowerShell

When finished complete the migration.

Migration completed.

Viewing the same thing from PowerShell;

Now test mail flow in/out from on-premises and from Office 365, then make sure mail also flows between on-premises and Office 365 (both ways).

Make sure calendar sharing and scheduling also works between on-premises and Office 365 mailboxes.

Once you are happy, you can migrate the rest of the mailboxes.

 


Exchange AutoDiscover Errors – Creating an AutoDiscover SRV Record

KB ID 0001184

Problem

Ages ago I wrote the following article;

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”

You used to see this error a lot if your internal, and external domain names were different, and the ‘public’ domain name was on the certificate, in those cases I’d also setup split DNS like so;

Windows – Setting Up Split DNS

But you can simply create a DNS SRV record that your clients will use for Autodiscover.

Solution

Note: Before proceeding MAKE SURE you DON’T have an A record in your domain for “autodiscover.{your-domain}”, or a CNAME record for autodiscover that points back to your Exchange. We want an SRV record ONLY.

Within your domain DNS, create a new ‘Other’ record.

Choose service location (SRV) > Create Record.

Your domain name will be entered automatically, set the following;

  • Service: _autodiscover
  • Protocol: _tcp
  • Port number: 443
  • Host offering this service: {The FQDN of your CAS/Exchange server}.

You will need to expand the _tcp folder to see the record.

I Use Split DNS?

No problem. In your internal DNS, in the forward lookup zone that matches your public address space, create an SRV record as well. When you are finished (if you have set it up properly), you will see a _tcp sub folder appear below the forward lookup zone.

What About My Public DNS Settings?

Exactly the same! Remove any A or CNAME records, and create an SRV record. How you do this varies from DNS host to DNS host. Some oddities I’ve found;

  • Some public DNS vendors won’t let you set a priority of ‘0’ (zero) on an SRV record, just use 1 (unless you have multiple ones!)
  • Some public DNS vendors’ SRV records don’t work unless you put a ‘full stop’ at the end of the domain name. (In fact all domain names have a full stop at the end of them, it’s just you can’t normally see them!)

As an example, here’s me creating an SRV record on my DNS hosting provider (Vidahost)

So when it’s created it will look like this;

I’ve got Multiple Public E-Mail Domain names running from the same Server?

Again not a problem, for each domain, delete the A and CNAME records for autodiscover. Then point your SRV record to the DNS name that is actually presented by the Exchange server (even if that’s with another DNS vendor).

Why Does This work?

Well I’m glad you asked! When Outlook looks for Autodiscover, the first thing it does is look for the Autodiscover SCP point in your Active Directory. You can see this in your ‘AD sites and services’ (you need to add in the Service node from the view options before you can see it).

If it can’t get a response from there, it takes your domain name and tries the following locations;

[box]

https://{domain-name}/autodiscover/autodiscover.{fileExtension}
AND
https://autodiscover.{domain-name}/autodiscover/autodiscover.{fileExtension}

[/box]

Note: The file extension is usually .xml but it can be .svc

If it STILL can’t get a response it tries the following;

[box]

http://autodiscover.{domain-name}/autodiscover/autodiscover.xml

[/box]

Note: If you are wondering what the difference is, that’s on port 80 not port 443.

If it STILL can’t get an answer then it looks for the SRV record in DNS you created above.

How To Test the AutoDiscover SRV Record

It’s a DNS record so we can query it with nslookup to make sure it’s OK.

[box]

nslookup -q=srv _autodiscover._tcp.{domain-name}
OR

nslookup
set q=srv (or you can use SET TYPE=SRV)
_autodiscover._tcp.{domain-name}

[/box]

Like this;

Or if you use macOS or Linux;

Why Do I have to remove my A and CNAME Records for Autodiscover

If they exist they will get used before the SRV record, you may think that’s fine but it may lead to all sorts of horrible Outlook Setups and errors about certificate names. 

Outlook Error “The name of the security certificate is invalid or does not match the name of the site.”
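One way to check a zone export for the problems described above: an A or CNAME record for autodiscover that is used before the SRV record, and an SRV record with the wrong port or target. This is an added example, not part of the original article; the zone lines, example.com and mail.example.com are constructed placeholders, and the 'name TTL IN TYPE rdata' line format is an assumption about how your DNS host exports records.

```python
def parse_zone(text):
    """Parse 'name TTL IN TYPE rdata' lines into (name, type, rdata) tuples."""
    records = []
    for line in text.splitlines():
        line = line.split(";", 1)[0].strip()  # drop zone-file comments
        if line:
            name, _ttl, _cls, rtype, *rdata = line.split()
            records.append((name.rstrip(".").lower(), rtype.upper(), rdata))
    return records


def audit_autodiscover(domain, exchange_fqdn, zone_text):
    """Return (code, detail) findings; exchange_fqdn is the name Exchange presents."""
    domain = domain.rstrip(".").lower()
    host = "autodiscover." + domain
    srv_name = "_autodiscover._tcp." + domain
    findings, srv_seen = [], False
    for name, rtype, rdata in parse_zone(zone_text):
        # AAAA is included as the IPv6 counterpart of the A record.
        if name == host and rtype in ("A", "AAAA", "CNAME"):
            # Answers the autodiscover.{domain} lookups before SRV is tried.
            findings.append(("shadows-srv", f"{rtype} {name}"))
        elif name == srv_name and rtype == "SRV":
            srv_seen = True
            _priority, _weight, port, target = rdata
            if port != "443":
                findings.append(("srv-port", port))
            if not target.endswith("."):
                # Without the full stop a zone file treats the name as relative.
                findings.append(("srv-target-relative", target))
            if target.rstrip(".").lower() != exchange_fqdn.rstrip(".").lower():
                findings.append(("srv-target-mismatch", target))
    if not srv_seen:
        findings.append(("srv-missing", srv_name))
    return findings


# Constructed sample zones; example.com and mail.example.com are placeholders.
ZONE_BEFORE = """
autodiscover.example.com.        3600 IN CNAME mail.example.com.
_autodiscover._tcp.example.com.  3600 IN SRV 0 0 443 mail.example.com.
"""
ZONE_AFTER = """
_autodiscover._tcp.example.com.  3600 IN SRV 0 0 443 mail.example.com.
"""

if __name__ == "__main__":
    for label, zone in (("before", ZONE_BEFORE), ("after", ZONE_AFTER)):
        print(label, audit_autodiscover("example.com", "mail.example.com", zone))
```

For several e-mail domains on one server, run the audit once per domain with the same `exchange_fqdn`.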

Related Articles, References, Credits, or External Links

Outlook – Constantly Prompts for a Password

Original article written: 12/05/16

Error When Trying to Set Out of Office ‘Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later’

KB ID 0000897 

Problem

When attempting to set my Out of Office automatic replies within Outlook, I was greeted with this.

Your automatic reply settings cannot be displayed because the server is currently unavailable. Try again later.

If I logged into Outlook Web Access, (Options > Set Automatic Replies) I could set it up and it worked fine.

It’s never really bothered me, but my colleagues were complaining about it, and when they used Outlook on our Terminal Server they also got this.

MailTips could not be retrieved.

Solution

Before proceeding you need to make sure of TWO things.

1. You are logged in, or authenticated against your domain.

2. If you are accessing web pages via a proxy server, the name of the Exchange server should be added to the Proxy Exceptions list. (Note: If you have multiple entries, you separate them with a semicolon).

Assuming you have met the two requirements above, then do the following.

1. Open Outlook > In the task bar (in the system tray) > Hold down CTRL and Right Click the Outlook Icon > Select Test E-mail AutoConfiguration.

2. Enter your details > Use AutoDiscover > Test.

Note: Here I got the following error message;

Autoconfiguration was unable to determine your settings

This was because the client I was on, could not resolve autodiscover.my-domain-name.co.uk, once that was rectified I could get further.

3. In the first section, locate the URL that is being used for OOF, and make a note of it.

4. Open your web browser and make sure you can open that URL. (Note: It will redirect to Services.wsdl that is normal).

Note: If you are asked for logon credentials, you are NOT authenticated against the domain.

5. Repeat the same with the URL that is listed in the HTTP section of the test.

6. At this point mine started working. My problem was the lack of DNS resolution. If you find another fix, drop me a line and I’ll update this article (link at the bottom of the page).

Incorrect Permissions on the EWS Virtual Folder.

Just after I wrote this, site follower Peter Dorner emailed me to say,

Another common problem, is that the EWS virtual directory has misconfigured permissions in IIS.

So I checked permissions on some working systems, to see what they should be.

EWS Permissions Exchange 2007 on IIS 5

EWS Permissions Exchange 2007 on IIS 6 onwards

EWS Permissions Exchange 2010 on IIS 6 onwards

Note: As shown anonymous is enabled for the IUSR account.

EWS Permissions Exchange 2007 on IIS 6 onwards

EWS Permissions Exchange 2013 on IIS 7 onwards

Note: As shown anonymous is enabled for the IUSR account.

 


 

Exchange 2010 – Working with Certificates

KB ID 0000453

Problem

Exchange 2010 installs with its own (self signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.

The following process uses the Exchange Management Console to create a CSR (Certificate Signing Request), then covers what to do with the certificate when it has been sent back to you.

Solution
