
Random Tech/IT Thread


Gamebreaker


Anybody here done a cutover migration from Exchange 2016 to Office 365? I did the migration fine and have our email going through O365 now, but am having a little bit of difficulty figuring out what to do with our existing Exchange server at this point. It's on a VM that is turned off for now. I keep seeing some conflicting documentation, with perhaps the need to change users' mailboxes to 'mail-enabled users'. I think there's a possibility of certain user AD attributes being unavailable if this process is done incorrectly. I keep getting pushed from support team to support team. Started with O365 support, who pushed me to Azure support, and they've pushed me on to 'Fasttrack' support, which looks more like a sales team. I haven't heard back from them yet. What I'm trying to do is to make sure there's no need for an on-site Exchange server, and get our AD working with Azure AD Connect (I haven't touched that yet).

 

I'm not looking for a step-by-step. Maybe just a nudge in the right direction. I've got probably 20 different tabs open talking about it, with lots of different opinions/advice. I might just take a break from it and the Google overload, and come back to it after the holiday.

Edited by SoulSkin

@SoulSkin

I'm tired and on my phone. I'll pm you tomorrow. No worries. I've done like 15 different migrations to o365 in the last 2 years including an Exchange 2003 migration which isn't even supported.

 

You're on the right track. It's not difficult.

 

https://threatpost.com/centcom-says-massive-data-cache-found-on-leaky-server-is-benign/128944/

 

In case you're still holding out hope our gov't isn't archiving every publicly accessible thing on the internet.

 

  • Thanks 1

29 minutes ago, tshile said:

@SoulSkin

I'm tired and on my phone. I'll pm you tomorrow. No worries. I've done like 15 different migrations to o365 in the last 2 years including an Exchange 2003 migration which isn't even supported.

 

You're on the right track. It's not difficult.

 

 

That's extremely kind of you. Please don't go out of your way, at all. I did make a little progress after I posted. We're coming from a .local domain, so I added UPN suffixes for .com, and set that on all AD user accounts. I ran a tool called IDFix and, sure enough, that identified a couple of mysterious system mailboxes with the .local UPN. I'm thinking that uninstalling Exchange on the server will do the trick, but that seems like it's not as easy as an Add/Remove Programs thing, and might require some PowerShell for the Exchange DB and system mailboxes. I'm thinking the uninstall will fail, but it'll throw up errors that show why, and lead to the solutions. That's about where I stopped today. If you have some tips and possible gotchas, I am so all ears. Thanks a lot!

Edited by SoulSkin

Don't screw with it anymore until I send you some stuff.

 

It's not hard but there are some gotchas. Like when you remove Exchange all the Exchange attributes from your AD accounts go with it, so you better know who had what aliases and which were their primaries 'cause it's gone after you remove Exchange.

 

And as for AD sync you may need to edit addresses using the advanced attributes tab in AD for Mail and smtpproxy. You can pick what attributes sync with AD sync but I've never excluded the email addresses and managed them solely in o365. I always managed them in AD.

 

So I realize you did a Cutover so all your stuff is in o365, but what I'm not sure is what will happen if you just set up ad sync without carefully thinking it through. You can match objects using a variety of ways. I always match using the mail address. But once you remove exchange those are gone. And if you sync with another attribute, and forget to either populate smtp proxy and mail correctly, you could lose all that info in O365...

 

It's not a big deal, just need to think it through.

 

But yes, you just remove exchange from control panel. It will fail until you remove those mysterious mailboxes.

 

They're called arbitration mailboxes :)

 

You do it via powershell, something like

Get-Mailbox -Arbitration | Remove-Mailbox -Arbitration -RemoveLastArbitrationMailboxAllowed

 

I think. Google removing arbitration boxes in 2016. There may also be system mailboxes in addition to arbitration mailboxes.

 

I've set up and run 2016 a few times but I've yet to decommission it... seems weird, it's the latest tech. Unless you have a "to the cloud" initiative...

 

 

 

Edited by tshile
  • Thanks 1
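
An added example, not part of the post above and not tshile's own script: one way to record who had which primary address and aliases before Exchange is uninstalled, so the values are still on hand when AD sync is set up. It assumes the ActiveDirectory PowerShell module, that the "smtpproxy" attribute mentioned above is `proxyAddresses`, and a placeholder output path.

```powershell
# Added example: snapshot mail-related AD attributes before Exchange is uninstalled.
# Needs the ActiveDirectory module (RSAT). $OutFile is a placeholder path.
Import-Module ActiveDirectory

$OutFile = 'C:\Temp\ad-mail-attributes.csv'   # assumed location, change as needed
$props   = 'mail', 'proxyAddresses', 'mailNickname', 'targetAddress', 'legacyExchangeDN'

$report = Get-ADUser -Filter * -Properties $props | ForEach-Object {
    $proxies = @($_.proxyAddresses)

    # In proxyAddresses, uppercase "SMTP:" is the primary address and
    # lowercase "smtp:" entries are the aliases.
    $primary     = $proxies | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
    $aliases     = @($proxies | Where-Object { $_ -clike 'smtp:*' })
    $primaryAddr = if ($primary) { $primary.Substring(5) } else { '' }

    [pscustomobject]@{
        SamAccountName    = $_.SamAccountName
        UserPrincipalName = $_.UserPrincipalName
        Mail              = $_.mail
        PrimarySmtp       = $primaryAddr
        Aliases           = ($aliases | ForEach-Object { $_.Substring(5) }) -join ';'
        AllProxyAddresses = $proxies -join ';'     # raw values, for restoring later
        MailNickname      = $_.mailNickname
        TargetAddress     = $_.targetAddress
        LegacyExchangeDN  = $_.legacyExchangeDN
        # Flags worth reviewing before Azure AD Connect is configured:
        UpnIsLocal        = $_.UserPrincipalName -like '*.local'
        MailMismatch      = [bool]($primaryAddr -and ($_.mail -ne $primaryAddr))
    }
}

$report | Export-Csv -Path $OutFile -NoTypeInformation -Encoding UTF8

# Accounts that still carry a .local UPN, or whose mail attribute
# differs from the primary SMTP address
$report | Where-Object { $_.UpnIsLocal -or $_.MailMismatch } |
    Format-Table SamAccountName, UserPrincipalName, Mail, PrimarySmtp -AutoSize
```

The script only reads from AD and writes the CSV; keep the file somewhere access-controlled, since it lists every account and address in the domain.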

10 hours ago, SoulSkin said:

Anybody here done a cutover migration from Exchange 2016 to Office 365? I did the migration fine and have our email going through O365 now, but am having a little bit of difficulty figuring out what to do with our existing Exchange server at this point. It's on a VM that is turned off for now. I keep seeing some conflicting documentation, with perhaps the need to change users' mailboxes to 'mail-enabled users'. I think there's a possibility of certain user AD attributes being unavailable if this process is done incorrectly. I keep getting pushed from support team to support team. Started with O365 support, who pushed me to Azure support, and they've pushed me on to 'Fasttrack' support, which looks more like a sales team. I haven't heard back from them yet. What I'm trying to do is to make sure there's no need for an on-site Exchange server, and get our AD working with Azure AD Connect (I haven't touched that yet).

 

I'm not looking for a step-by-step. Maybe just a nudge in the right direction. I've got probably 20 different tabs open talking about it, with lots of different opinions/advice. I might just take a break from it and the Google overload, and come back to it after the holiday.

 

1. DISABLE and then the user(s) will be purged after the retention policy days have expired

 > Disable-Mailbox danj

 - Don't use delete user as it will also delete the user from AD. You can also disable using EAC.

 

 - You can purge the mailbox sooner if you like by doing this:

 >Get-MailboxStatistics -Database MBD01 | where {$_.disconnectdate -ne $null} | select displayname,MailboxGUID

 >Remove-Mailbox -Database MBD01 -StoreMailboxIdentity YourIDHere

 

To remove all 

>Get-MailboxStatistics -Database MBD01 | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted}

 

Note: Replace SoftDeleted with Disconnected depending on the state of the mailbox. 

 

2. Remove mailbox db and public folder db (if you have one) - if you get any errors and you can't resolve it normally then my last ditch effort is always using AdsiEdit.msc to remove the mail databases. 

3. Delete any hidden or arbitration mailbox. 

4. Add/Remove exchange from server. 

 

Not sure why you are getting a runaround from MS on this.

 

Hopefully this will point you in the right direction you were looking for.

  • Thanks 1

@tshile @zskins I managed to fight my way through getting Exchange 2016 uninstalled properly today, in no small part due to both of your helpfulness. Thanks a lot to both of you. I used your guidance and this technet post, mostly.

https://social.technet.microsoft.com/Forums/ie/en-US/09d2e0ca-7553-48ab-a9ed-4d0ff4e2e543/correctly-uninstall-exchange-2013?forum=exchangesvrdeploy

 

I hit a lot of snags along the way, but got there eventually. The last couple of steps that ultimately set me free were to remove the Offline Address Book and disabling the auditlog mailbox (new in Exchange 2016). I found that info tucked away in another technet forum post. None of the shell commands I was running ever showed it was there until I found that post. Maybe that tidbit will save one of you the headache in the future. If you dm me a paypal, I'll shoot you a ten spot for a six pack, or whatever. Not to be a cheapskate, but I'm poor as dirt right now. Appreciate the help fellas.

Edited by SoulSkin
  • Like 1
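
An added example, not from any poster in this thread: a read-only inventory for the Exchange Management Shell that lists what zskins's steps and the snags described above (arbitration mailboxes, the Offline Address Book, the audit log mailbox) say has to be gone before the uninstall will succeed. The check names and the output layout are my own; the cmdlets and switches are the standard Exchange 2016 ones.

```powershell
# Added example: run in the Exchange Management Shell on the server being removed.
# Read-only: it reports what is still present and deletes nothing.
$checks = [ordered]@{
    'User mailboxes'          = { Get-Mailbox -ResultSize Unlimited }
    'Archive mailboxes'       = { Get-Mailbox -Archive -ResultSize Unlimited }
    'Arbitration mailboxes'   = { Get-Mailbox -Arbitration }
    'Audit log mailboxes'     = { Get-Mailbox -AuditLog }        # new in Exchange 2016
    'Monitoring mailboxes'    = { Get-Mailbox -Monitoring }
    'Public folder mailboxes' = { Get-Mailbox -PublicFolder }
    'Disconnected mailboxes'  = {
        Get-MailboxDatabase | ForEach-Object {
            Get-MailboxStatistics -Database $_.Name
        } | Where-Object { $_.DisconnectDate -ne $null }
    }
    'Offline address books'   = { Get-OfflineAddressBook }
    'Mailbox databases'       = { Get-MailboxDatabase }
}

$summary = foreach ($name in $checks.Keys) {
    try {
        $items = @(& $checks[$name])
    }
    catch {
        # A check that errors is reported rather than silently counted as empty
        Write-Warning "$name : $($_.Exception.Message)"
        $items = @()
    }

    [pscustomobject]@{
        Check     = $name
        Remaining = $items.Count
        # Mailbox statistics objects expose DisplayName rather than Name
        Names     = ($items | ForEach-Object {
                        if ($_.Name) { $_.Name } else { $_.DisplayName }
                    }) -join '; '
    }
}

$summary | Format-Table Check, Remaining, Names -AutoSize -Wrap
```

A plain `Get-Mailbox` does not return arbitration, audit log, monitoring or public folder mailboxes, which is why each type has its own switch here.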

1 hour ago, SoulSkin said:

@tshile @zskins I managed to fight my way through getting Exchange 2016 uninstalled properly today, in no small part due to both of your helpfulness. Thanks a lot to both of you. I used your guidance and this technet post, mostly.

https://social.technet.microsoft.com/Forums/ie/en-US/09d2e0ca-7553-48ab-a9ed-4d0ff4e2e543/correctly-uninstall-exchange-2013?forum=exchangesvrdeploy

 

I hit a lot of snags along the way, but got there eventually. The last couple of steps that ultimately set me free were to remove the Offline Address Book and disabling the auditlog mailbox (new in Exchange 2016). I found that info tucked away in another technet forum post. None of the shell commands I was running ever showed it was there until I found that post. Maybe that tidbit will save one of you the headache in the future. If you dm me a paypal, I'll shoot you a ten spot for a six pack, or whatever. Not to be a cheapskate, but I'm poor as dirt right now. Appreciate the help fellas.

 

You are most welcome. No need to pay me I am just glad you got it all sorted out. :cheers:

 

Do you still need help on the AD sync with o365?

  • Like 2

Just now, zskins said:

 

You are most welcome. No need to pay me I am just glad you got it all sorted out. :cheers:

 

Do you still need help on the AD sync with o365?

 

That seems pretty straightforward, so I think I'll be able to get that done fairly easily...famous last words. I didn't want to start on that after fighting Exchange all day. I really did work from about 9am to 4pm on getting that done, with a short break in there. Lots of eyestrain, googling, and :linksucks: by the time all was said and done. Cheers to you.

  • Like 1

6 hours ago, tshile said:

https://docs.microsoft.com/en-us/windows-server/manage/honolulu/honolulu

 

hmmmmmmmmmmm

 

i just want to say honolulu in our meetings

 

Did you read some of the comments below that article? There is a security risk in how the servers are accessed by a non-admin user. I will still try it just to see what in Hawaii all this is about. :)

  • Like 1
  • Haha 1

  • 2 weeks later...

Question for the community: what solution do you use for "internet printing" from your guest networks? I have been handed a 2018 goal of architecting a solution that would allow computers on the guest wifi vlan to print to existing printers on the internal LAN.

 

Before you go there, I know the security risks, but this request came from the IT security guys themselves since they manage the printers. We don't have a budget for guest printers.


4 hours ago, Zguy28 said:

Question for the community: what solution do you use for "internet printing" from your guest networks? I have been handed a 2018 goal of architecting a solution that would allow computers on the guest wifi vlan to print to existing printers on the internal LAN.

 

Before you go there, I know the security risks, but this request came from the IT security guys themselves since they manage the printers. We don't have a budget for guest printers.

 

In your guest network look for allowed IP address section. Add the IP address of the network printer. That should do it. 


51 minutes ago, zskins said:

 

In your guest network look for allowed IP address section. Add the IP address of the network printer. That should do it. 

If only that simple. The powers that be want true "internet printing" similar to what Windows 2003 used to do: https://technet.microsoft.com/en-us/library/bb457170.aspx

 

They want something with like a web front end.


6 hours ago, Zguy28 said:

If only that simple. The powers that be want true "internet printing" similar to what Windows 2003 used to do: https://technet.microsoft.com/en-us/library/bb457170.aspx

 

They want something with like a web front end.

 

What version of server are you guys using? The same procedure still works today. See this: 

 

https://technet.microsoft.com/en-us/library/cc731368(v=ws.10).aspx?f=255&MSPPError=-2147217396

 

Also see this:

 

https://www.technig.com/install-and-configure-print-server/

 

 

Edited by zskins

10 hours ago, zskins said:

 

What version of server are you guys using? The same procedure still works today. See this: 

 

https://technet.microsoft.com/en-us/library/cc731368(v=ws.10).aspx?f=255&MSPPError=-2147217396

 

Also see this:

 

https://www.technig.com/install-and-configure-print-server/

 

 

Windows Server 2016. Are you really posting links on how to install the Print Server role in Windows? Come on man.

 

For clarity, the guest VLAN has no access otherwise to the internal LAN. The guest computers may be mobile BYOD, military laptops, subcontractors etc. that most likely do not have admin rights and can't install printer drivers.

 

I'm looking at something like Papercut.

 

https://www.papercut.com/tour/guest-printing/

 

 


1 hour ago, Zguy28 said:

Windows Server 2016. Are you really posting links on how to install the Print Server role in Windows? Come on man.

 

For clarity, the guest VLAN has no access otherwise to the internal LAN. The guest computers may be mobile BYOD, military laptops, subcontractors etc. that most likely do not have admin rights and can't install printer drivers.

 

I'm looking at something like Papercut.

 

https://www.papercut.com/tour/guest-printing/

 

 

 

Just out of curiosity, I did a quick google yesterday, and Papercut was what I kept coming back to also. I was trying to find a way with Sharepoint anonymous access to a site with shared printers, but still they'd have to install drivers. Glad this is not something I have to deal with. Good luck!

  • Like 1

6 hours ago, Zguy28 said:

Windows Server 2016. Are you really posting links on how to install the Print Server role in Windows? Come on man.

 

 

 

At this point I am going to stop helping you. If you want help then you have to be nice to others. I was trying to understand your network and then help you beyond the links or point you in the right direction. Goodbye.


Can I ask a low level/consumer question? Anybody have a suggestion for a good home router? Willing to spend around $200 range. None of our stuff is mu-mimo capable, but I guess our next cycle of stuff might be? Got a few ac, but mostly n. We run fios gigabit with network drive, but not NAS (side question, is a NAS worth it over just a network mapped drive?). I rent a cable card so will likely hook up the ONT directly to the router and remove fios router from the picture.


17 hours ago, zskins said:

 

At this point I am going to stop helping you. If you want help then you have to be nice to others. I was trying to understand your network and then help you beyond the links or point you in the right direction. Goodbye.

Sorry man, wasn't trying to be rude, but it seemed insulting. A little background on me: I'm an enterprise architect for a $5 billion global company. Been doing Windows Server in the enterprise level since NT4 days. What's your background?


1 hour ago, Zguy28 said:

Sorry man, wasn't trying to be rude, but it seemed insulting. A little background on me: I'm an enterprise architect for a $5 billion global company. Been doing Windows Server in the enterprise level since NT4 days. What's your background?

 

You did say you were handed this project. One has to assume you are a junior IT. :)

 

I have been working on computers/programming since the Commodore 64 days. I have my own IT company. I have set up quite a few networks from scratch which also includes pulling cables and terminating them. I do it all. :)

 

By the way, it really doesn't matter to me what size the company is or how much they are making.

 

So, why not just get Papercut, or does your IT dept. really want you to build one?


26 minutes ago, zskins said:

 

You did say you were handed this project. One has to assume you are a junior IT. :)

 

I have been working on computers/programming since the Commodore 64 days. I have my own IT company. I have set up quite a few networks from scratch which also includes pulling cables and terminating them. I do it all. :)

 

By the way, it really doesn't matter to me what size the company is or how much they are making.

 

So, why not just get Papercut, or does your IT dept. really want you to build one?

Probably will go with Papercut, since it's only for the main HQ complex (where executives are). I was just looking for ideas for solutions. My normal area is messaging (Lync/Skype, mail, Jabber), but since it got ELT visibility, I got handed it as a goal for 2018.


10 hours ago, Zguy28 said:

Probably will go with Papercut, since it's only for the main HQ complex (where executives are). I was just looking for ideas for solutions. My normal area is messaging (Lync/Skype, mail, Jabber), but since it got ELT visibility, I got handed it as a goal for 2018.

 

Ah. Have you looked into Google cloud print services? Would that type of setup work for your environment?

Edited by zskins
