Connecting to Lync Online


Issue: when connecting to Lync Online, you may receive one of the following errors:

“The ‘New-CsOnlineSession’ command was found in the module ‘LyncOnlineConnector’, but
the module could not be loaded. For more information, run ‘Import-Module LyncOnlineConnector’.”

and

“Unable to discover PowerShell endpoint URI
At C:\Program Files\Common Files\Microsoft Lync Server
2013\Modules\LyncOnlineConnector\LyncOnlineConnectorStartup.psm1”

 

Let's deal with the first one:

First, ensure you have downloaded and installed the PowerShell Module for Lync Online.

Next, and this is the weird part, set the PowerShell execution policy to “Unrestricted”. It seems there is an issue with the modules loading; we were able to discover this by comparing a PowerShell session on one system that worked with one on another system that did not. (If you are security conscious, you may want to set this back when you are done.)
The specific command is Set-ExecutionPolicy Unrestricted

For the last error, ensure you have configured your Lyncdiscover records in your external DNS. This is needed for PowerShell to detect and connect to your online Lync environment. If you are in a hybrid configuration, you may be pointing this to on-prem Lync and not Lync Online. You can find your specific configuration by clicking on your domain in the Office 365 admin center.

Finally, the syntax to connect to your Lync Online is:

$LiveCred = Get-Credential
$LyncSession = New-CsOnlineSession -Credential $livecred
Import-PSSession $LyncSession
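
The two fixes above can be combined into one pre-flight script. This is an added example, not code from the original post: it limits the execution policy change to the current PowerShell process and checks the Lyncdiscover record before connecting. The domain contoso.com, the helper name Test-LyncDiscoverRecord, the resolver 8.8.8.8 and the expected target webdir.online.lync.com are assumptions to adapt.

```powershell
# Added example, not from the original post. contoso.com is a placeholder domain.
$SipDomain    = 'contoso.com'
# Assumption: Lync Online tenants publish lyncdiscover as a CNAME to this Office 365 host.
$OnlineTarget = 'webdir.online.lync.com'

# Relax the policy for this PowerShell process only; the machine-wide setting is
# untouched and the change ends when the window is closed.
Set-ExecutionPolicy -ExecutionPolicy Unrestricted -Scope Process -Force

function Test-LyncDiscoverRecord {
    # Hypothetical helper: $true only when the records hold a CNAME pointing at Lync Online.
    param([object[]]$Records, [string]$Expected)
    $cname = $Records | Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
    if (-not $cname) {
        Write-Warning 'No lyncdiscover CNAME was returned by external DNS.'
        return $false
    }
    if ($cname.NameHost.TrimEnd('.') -ne $Expected) {
        Write-Warning "lyncdiscover points to $($cname.NameHost), not $Expected (on-prem in a hybrid setup?)."
        return $false
    }
    return $true
}

# Constructed sample: a hybrid tenant whose record still points at the on-prem pool.
$hybrid = [pscustomobject]@{ Type = 'CNAME'; NameHost = 'lyncpool.contoso.com' }
Test-LyncDiscoverRecord -Records $hybrid -Expected $OnlineTarget | Out-Null

# Live check against external DNS (8.8.8.8 is an arbitrary public resolver), then connect.
$live = Resolve-DnsName "lyncdiscover.$SipDomain" -Type CNAME -Server 8.8.8.8 -ErrorAction SilentlyContinue
if (Test-LyncDiscoverRecord -Records $live -Expected $OnlineTarget) {
    $LiveCred    = Get-Credential
    $LyncSession = New-CsOnlineSession -Credential $LiveCred
    Import-PSSession $LyncSession
}
```

A Group Policy execution policy takes precedence over the Process scope, so on managed machines the effective policy should be confirmed with Get-ExecutionPolicy -List.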

Unable to open Local Windows Backup Snap-in.


A fatal error occurred during a Windows Server Backup Snap-in (wbadmin.msc) operation. Error details: the Windows Server Backup service has stopped. Close wbadmin.msc and then restart it.

Background:

  • I had installed the beta version of Microsoft online backup
  • I had backed up locally to a USB drive that has since failed
  • Backups were scheduled locally and to the online backup service.
  • When I removed the online beta backup software (Now Azure) and my failed drive, I was no longer able to manage windows backup from the GUI.

This is the error I received in the event log.

Event ID 1000
Source Application Error

Faulting application name: wbengine.exe, version: 6.2.9200.16384, time stamp: 0x50108cb6
Faulting module name: wbengine.exe, version: 6.2.9200.16384, time stamp: 0x50108cb6
Exception code: 0xc0000005
Fault offset: 0x000000000012623a
Faulting process id: 0x2678
Faulting application start time: 0x01ce64c42da7256f
Faulting application path: C:\Windows\system32\wbengine.exe
Faulting module path: C:\Windows\system32\wbengine.exe
Report Id: 6c2d3105-d0b7-11e2-9415-c86000003091
Faulting package full name:
Faulting package-relative application ID:

Cause:

I had backups placed on a failed drive; this was causing the backup software to crash when it tried to enumerate them. (Not that the error or events point to that at all!)

Resolution:

I ran the following PowerShell cmdlets and re-set up my backups. (Caution: this will remove all record of any backups having taken place!!)

    1. Get-WBPolicy | Remove-WBPolicy
    2. Remove-WBBackupSet
    3. Remove-WBCatalog
    4. get-Service *wb* | Start-Service
    5. Restart Windows Server Backup

Sweet! My backup works again!

Note: I was also able to re-download the Azure Backup agent and that is now working like a charm as well.

Creating Custom DLP Classification Rules and Policy


When I first looked into this, the TechNet documentation was extensive and yet not as specific as I would prefer, so here is the quick and dirty DLP classification!

Creating and importing custom Classifications

  1. First you need to create your custom policy XML (example below)
  2. Save as XML Unicode file type (C:\MyNewPolicy.xml)
  3. Open the XML in Internet Explorer; if it's formatted correctly you will see the XML.
  4. Then import with PowerShell
    New-ClassificationRuleCollection -FileData ([Byte[]]$(Get-Content -Path C:\MyNewPolicy.xml -Encoding Byte -ReadCount 0))
  5. Once it's imported you should be able to create a new DLP policy using the EAC

Creating a custom DLP Rule

  1. Log in to EAC (e.g. https://mail.domain.com/ecp)
  2. Click Compliance Management, data loss prevention
  3. Click the Plus icon, then New custom policy
  4. Name your policy and choose your mode (I like to test with Policy tags), and click Save
  5. Select the policy and click the edit icon to edit your new policy
  6. Select Rules from the left
  7. Click the icon to create a new rule
  8. On the Apply this rule if field, choose The message contains Sensitive information...
  9. Click *Select sensitive information types... (if applicable)
  10. Click the icon to choose from the list
  11. You should now see your new classification (from the example below it would be Secure Product Codes\ DLP by Exchangemasters.info)

Useful Tools

Example of a Rule Classification XML

    <?xml version="1.0" encoding="utf-16"?>
    <RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
      <RulePack id="b4b4c60e-2ff7-47b2-a672-86e36cf608be">
        <Version major="1" minor="0" build="0" revision="0"/>
        <Publisher id="7ea13c35-0e58-472a-b864-5f2e717edec6"/>
        <Details defaultLangCode="en-us">
          <LocalizedDetails langcode="en-us">
            <PublisherName>DLP by Exchangemasters.info</PublisherName>
            <Name>Secure Product Codes</Name>
            <Description>Secure Products</Description>
          </LocalizedDetails>
        </Details>
      </RulePack>
      <Rules>
        <!-- Product Code -->
        <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
          <Pattern confidenceLevel="75">
            <IdMatch idRef="Regex_Product_Code" />
            <Match idRef="Code" />
          </Pattern>
        </Entity>
        <Regex id="Regex_Product_Code">[A-Z]{3}[0-9]{9}</Regex>
        <Keyword id="Code">
          <Group matchStyle="word">
            <Term>Code</Term>
          </Group>
        </Keyword>
        <LocalizedStrings>
          <Resource idRef="acc59528-ff01-433e-aeee-13ca8aaee159">
            <Name default="true" langcode="en-us">Product Code</Name>
            <Description default="true" langcode="en-us">A custom classification for detecting product codes that have 3 uppercase letters and 9 numbers</Description>
          </Resource>
        </LocalizedStrings>
      </Rules>
    </RulePackage>
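
The "open it in Internet Explorer" check from the import steps can also be scripted, and extended to catch dangling idRef values and regexes that do not compile. This is an added example, not code from the original post; Test-RulePackage is a hypothetical helper name and the embedded package is a shortened, constructed copy of the XML above.

```powershell
# Added example, not from the original post: sanity-check a rule package before import.
# Constructed sample; in practice use: $packageText = Get-Content C:\MyNewPolicy.xml -Raw
$packageText = @'
<RulePackage xmlns="http://schemas.microsoft.com/office/2011/mce">
  <Rules>
    <Entity id="acc59528-ff01-433e-aeee-13ca8aaee159" patternsProximity="300" recommendedConfidence="75">
      <Pattern confidenceLevel="75">
        <IdMatch idRef="Regex_Product_Code" />
        <Match idRef="Code" />
      </Pattern>
    </Entity>
    <Regex id="Regex_Product_Code">[A-Z]{3}[0-9]{9}</Regex>
    <Keyword id="Code"><Group matchStyle="word"><Term>Code</Term></Group></Keyword>
  </Rules>
</RulePackage>
'@

function Test-RulePackage {
    # Hypothetical helper: returns a list of problems, empty when none were found.
    param([string]$XmlText)
    $problems = @()
    try { $doc = [xml]$XmlText }   # throws on curly quotes, "&gt;" residue, broken comments
    catch { return ,@("Not well-formed XML: $($_.Exception.Message)") }

    # Every idRef must name an element that declares that id.
    $ids = @($doc.SelectNodes('//*[@id]') | ForEach-Object { $_.GetAttribute('id') })
    foreach ($node in $doc.SelectNodes('//*[@idRef]')) {
        $ref = $node.GetAttribute('idRef')
        if ($ids -notcontains $ref) { $problems += "idRef '$ref' has no matching id" }
    }
    # Every Regex body must compile as a .NET regular expression.
    foreach ($rx in $doc.SelectNodes("//*[local-name()='Regex']")) {
        try { $null = [regex]($rx.InnerText.Trim()) }
        catch { $problems += "Regex '$($rx.GetAttribute('id'))' does not compile" }
    }
    return ,$problems
}

# The package as written, then a copy with a constructed typo in one idRef.
Test-RulePackage -XmlText $packageText
Test-RulePackage -XmlText $packageText.Replace('idRef="Code"', 'idRef="Codes"')
```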

Exchange 2010 Powershell Lab Tools


Recently a good friend of mine pointed out some great tools that Mike Pfeiffer posted and I have to say they are pretty awesome and I would recommend checking them out.

Populating Exchange Labs with Mailboxes using PowerShell

Provision Exchange Mailboxes from CSV using PowerShell Advanced Functions

Generating Test Email Data for Exchange Labs with PowerShell

Microsoft Exchange Conference


9/24 Starts the first day of the Microsoft Exchange Conference (MEC).

For those that don’t yet know, this awesome event has been MIA for 10 years, we are excited to say it’s back!

This is a great time to see what’s new in Exchange, meet product group, MCMs, MVPs and other exchange enthusiasts.

All of our authors will be there, you can find us in whiteboard sessions, the Dell/Quest booth, and of course “in the halls” of MEC.

Stop by the booth and visit, or say hi if you see one of us in the halls!

Can’t run Tracking Log Explorer : Access Denied


 

Issue: The user is a standard user (not a domain admin) and his RBAC permissions allow him to do message tracking, but he is not an Organization Admin.

  • Running with Exchange PowerShell (get-messagetrackinglog): works
  • Running with ECP: works
  • Running with Tracking Log Explorer : Broken

“Failed to connect to the Microsoft Exchange Transport Log Search service on computer “Exchange_Servername”. Verify that a valid computer name was used and the Microsoft Exchange Transport Log Search service is started on the target computer.” The error message is: Access is denied.”


Reason: EXTra.exe is what is used to run Tracking Log Explorer, and it doesn’t use remote PowerShell; therefore your permissions are based on your AD login permissions, not RBAC.

Solutions:

    1. Add the users to the “Exchange View-Only Administrators” (2007) or “Public Folder Management” (2010 Green Field) AD Group to be able to use the GUI.
    2. Use Exchange PowerShell or ECP to pull the tracking logs.

Thanks to Andrew and Ron for figuring this out!

Note: Walkthrough on setting up ECP\ EMS Message tracking access

Getting Lync PowerShell to use RBAC


You may find that some things that work in the Lync GUI will not work in PowerShell (Access Denied). The reason for this is that RBAC only applies to remote PowerShell; local PowerShell uses the AD permissions and not RBAC.

To resolve this you can login to PowerShell using the following script: (Copy the contents to a file and name it Connect-Lync.ps1)

$usercredential = get-credential
$pso = new-pssessionoption -skipcacheck -SkipCNCheck -SkipRevocationCheck
$session= New-PSSession -ConnectionUri https://localhost/ocspowershell -credential $usercredential -sessionoption $pso
import-pssession $session

Note: 1. This script skips the certificate CA, name and revocation checks (so it will work if you're using a self-signed cert), which also means the server's identity is not verified.
          2. You may need to modify the execution policy to run this unsigned script in PowerShell: “Set-ExecutionPolicy RemoteSigned”
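
For servers that have a certificate from a trusted CA, the same RBAC-enforced remote session can be opened with certificate validation left on. This is an added example, not code from the original post; New-LyncRemoteSession, the -AllowUntrustedCertificate switch and lyncpool.example.com are hypothetical names, and the skip options from the script above are kept only as an explicit opt-in.

```powershell
# Added example, not from the original post. lyncpool.example.com is a placeholder FQDN.
function New-LyncRemoteSession {
    param(
        [Parameter(Mandatory = $true)][string]$PoolFqdn,
        [switch]$AllowUntrustedCertificate   # hypothetical opt-in for lab servers with self-signed certs
    )
    $params = @{
        ConnectionUri = "https://$PoolFqdn/OcsPowershell"
        Credential    = Get-Credential
        ErrorAction   = 'Stop'
    }
    if ($AllowUntrustedCertificate) {
        Write-Warning "Certificate validation is disabled for $PoolFqdn; the server identity is not verified."
        $params.SessionOption = New-PSSessionOption -SkipCACheck -SkipCNCheck -SkipRevocationCheck
    }
    New-PSSession @params
}

# Default path: the certificate must chain to a trusted CA and match the name in the URI,
# so connect by the FQDN on the certificate rather than by localhost.
$lync = New-LyncRemoteSession -PoolFqdn 'lyncpool.example.com'
Import-PSSession $lync | Out-Null
try {
    # RBAC is enforced here because the cmdlets run through the remote endpoint.
    Get-CsAdminRole | Select-Object Identity
} finally {
    Remove-PSSession $lync   # close the session so the credentialed connection does not linger
}
```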

References:

http://technet.microsoft.com/en-us/library/gg399050.aspx
“Note that RBAC applies only to remote management. If you are logged on to a computer running Lync Server 2010 and you open Lync Server Management Shell, RBAC roles will not be enforced. Instead, security is enforced primarily through the security groups RTCUniversalServerAdmins; RTCUniversalUserAdmins; and RTCUniversalReadOnlyAdmins.”

The Problem with Hardware VSS Providers and Cluster Technologies like CSV and DAG


In solutions like DAG and CSV, you can have issues with VSS backups completing if you are attached to a SAN and using a hardware provider.
The reason for this is that the processes accessing the LUN need to be paused for the snapshot, but if another server is the one in control of data on that LUN, that cannot be done from a single host.
Here are some details as well as ways to resolve this issue.

Scenarios:

1. CSV Issue

  • Multiple servers with a shared CSV volume and VMs distributed across nodes may fail if you are using hardware VSS providers, because the provider wants to snapshot the entire LUN but the node you are running the snapshot from doesn’t have access to all the VMs in order to pause them before committing the snapshot.
  1. You can resolve this in one of 2 ways.
    1. Move all the VMs to a single node or host until the backup is completed.
    2. Disable or remove your hardware based VSS provider.

2. DAG Issue


This issue may come up not because you are sharing LUNS and have active data  on separate nodes (as above) but because you may use a separate provider for Active and Passive backups. When you try to backup a LUN that has both active and passive databases a hardware provider may try to use two different writers to snapshot the LUN. You can verify this by moving all active databases to one node to backup.

  1. You can resolve this in one of 3 ways.
    1. Do not put multiple databases on a single LUN.
    2. Move all databases to one node before running the backup.
    3. Disable your hardware based VSS provider.

NOTE: Disabling your hardware provider will likely cause your backups to take much longer

References

  • Disable EqualLogic VSS Writer – Run C:\Program Files\EqualLogic\bin>eqlvss /unregserver
  • Disable Hardware VSS in DPM – Add the following key to the registry [Software\Microsoft\Microsoft Data Protection Manager\Agent\UseSystemSoftwareProvider]
  • How VSS Works
  • If you know how to disable other providers please let me know and I will add it to this document!

Moderated Calendar in Exchange 2010 (Using a Resource Mailbox for calendars)


  • Room1 is the room that needs to be moderated
  • MailUser2010 and MailUser2007 are the users that need to have authorization to approve and view the meeting requests

Create a Moderated Resource Calendar mailbox in 3 easy steps

  1. Open Exchange Management Shell
  2. New-Mailbox -Name 'room1' -Alias 'room1' -UserPrincipalName 'room1@MyDomain.Com' -SamAccountName 'room1' -FirstName 'room1' -Room
  3. Set-CalendarProcessing -Identity "Room1" -AutomateProcessing AutoAccept -ResourceDelegates "MailUser2010","MailUser2007" -AllBookInPolicy $false -AllRequestInPolicy $true

You can make further adjustments with Set-CalendarProcessing -Identity "Room1", or use the Exchange Management Console (EMC) and modify the properties of the mailbox you just created (specifically the “Policy” tabs).
You can view the settings with Get-CalendarProcessing -Identity "Room1"

You can now add the calendar to view and approve in OWA and two users are now able to authorize room access.

To View the new Calendar

  1. Open OWA as a user that you have given delegate access
  2. Click on Calendar
  3. Click Share, then Add Calendar
  4. Type in or browse for your new room calendar
  5. You can now see both calendars

To Book a room

  1. Open OWA as a standard user
  2. Click on calendar
  3. Click New (to create a new Calendar entry)
  4. Click the scheduling Assistant tab
  5. Either Type in room name under Select Rooms, or click select Rooms to find the room you want to book
  6. Click the check box on the room to add it
  7. On the Appointment tab, enter the subject, add other attendees and notes
  8. Click Send.

To Accept \ reject a Meeting invite

  1. Open the Calendar as a user that has access to moderate the room
  2. Find the Request in your inbox
  3. Double click the invite and choose Accept\or Accept (it's defaulted to tentative already)