Change AD FS 2.0 Primary Server

I was asked today how to decommission the primary AD FS 2.0 server in a farm, minimising any potential interruption. The solution is simple and like all good things uses PowerShell.

The original AD FS 2.0 server was deployed using the WID and Farm options for Office 365.
  • WID (Windows Internal Database) is suitable for the majority of deployments; it supports up to five federation servers in a farm (if that is not enough you will know about it)
  • Choosing WID sets the first server deployed to be the primary
  • Only the primary server can write configuration changes to the database; the secondaries hold a read-only copy which they pull from the primary
  • Opting for a Farm provides scope for HA and scale
The AD FS farm had been extended with new highly available nodes load balanced in geographically dispersed data centres. DNS had been updated and the original primary server was in effect redundant.

Log on to the new primary server (NEUADFS02) and run PowerShell.

Add-PsSnapin Microsoft.Adfs.PowerShell

Set-AdfsSyncProperties -Role PrimaryComputer

On all other AD FS servers in the farm run the following.

Add-PsSnapin Microsoft.Adfs.Powershell

Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName NEUADFS02.EXCHANGEGEEK.COM

On a related note, I also identified that TCP/80 should be open between farm members, despite all resources and configuration identifying only TCP/443 as required: the secondaries poll the primary for WID configuration changes over HTTP on TCP/80 by default (the -PrimaryComputerPort parameter of Set-AdfsSyncProperties). This came up when extending the farm across data centre boundaries.
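The same promotion as a single script, added here as an example rather than taken from the original post: it refuses to run on a box that is not currently a secondary, promotes it, then repoints every other farm member over PowerShell remoting and reports the resulting sync role together with whether TCP/80 to the new primary is actually reachable from each secondary. The secondary server names and the use of remoting are assumptions.

```powershell
# Added example (not from the original post): promote NEUADFS02 and repoint the rest of
# the farm. Secondary names below are assumptions; run on NEUADFS02 with an account that
# can remote to the other members.
Add-PsSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

$NewPrimary  = 'NEUADFS02.EXCHANGEGEEK.COM'
$Secondaries = @('NEUADFS01.EXCHANGEGEEK.COM', 'NEUADFS03.EXCHANGEGEEK.COM')   # assumed

# Refuse to run on the wrong box: this host must currently be a secondary.
if ((Get-AdfsSyncProperties).Role -ne 'SecondaryComputer') {
    throw 'Run this on the server being promoted; it is not currently a SecondaryComputer.'
}
Set-AdfsSyncProperties -Role PrimaryComputer

foreach ($s in $Secondaries) {
    Invoke-Command -ComputerName $s -ArgumentList $NewPrimary -ScriptBlock {
        param($Primary)
        Add-PsSnapin Microsoft.Adfs.PowerShell -ErrorAction SilentlyContinue

        # WID sync from each secondary to the primary uses HTTP on TCP/80 by default,
        # so test that path from here before repointing.
        $tcp = New-Object System.Net.Sockets.TcpClient
        try { $tcp.Connect($Primary, 80); $portOpen = $true } catch { $portOpen = $false } finally { $tcp.Close() }

        Set-AdfsSyncProperties -Role SecondaryComputer -PrimaryComputerName $Primary -PrimaryComputerPort 80
        $p = Get-AdfsSyncProperties
        New-Object PSObject -Property @{
            Server         = $env:COMPUTERNAME
            Role           = $p.Role
            Primary        = $p.PrimaryComputerName
            Tcp80ToPrimary = $portOpen
            LastSyncStatus = $p.LastSyncStatus
        }
    }
}
```

Run the old primary through the same loop (it is just another secondary once demoted) before decommissioning it, and watch LastSyncStatus on the secondaries after the next poll interval to confirm they are pulling from the new primary.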

Do it “ONCE”–Cloud based SSO from IMGROUP

Microsoft Office 365 provides a couple of great options for managing user accounts, the most complete of which uses an existing on-premise Active Directory to authenticate users to Office 365 services. IMGROUP have built a multi-data centre hosted Single Sign-On (SSO) solution for Office 365 and Windows Azure, lowering the barrier to entry for this type of deployment and accelerating it.


If we choose the route of using on-premise Active Directory to authenticate, the organisation first needs to deploy new roles on to servers. Office 365 offers guaranteed high levels of availability, but this is of no comfort should a single AD FS server fail, since federated users cannot sign in without it. With this in mind AD FS and AD FS Proxy should be deployed using N+1, with load balancing configured between the servers for each role.

  • 2x AD FS 2.0 Server (x64)
  • 2x AD FS 2.0 Proxy Server (x64)
  • 1x Directory Synchronisation (DirSync) Server (x64)

These are the server roles required in a single site only, to provide site resilience the server count is doubled and additional network hardware is required to provide Live-Live load balancing between locations.

The specs for an AD FS, AD FS Proxy and DirSync server vary depending on the size of deployment. The Microsoft recommended minimum hardware requirements for the roles are below; add to this licensing and maintenance (support, backup, monitoring) costs for all servers.

  • Processor: Dual Quad Core 2.27GHz CPU (8 cores)*
  • Memory: 4 GB
  • Disk: 70 GB (DirSync)

*DirSync minimum CPU starts at 1.6 GHz

What we have done at IMGROUP is provide these roles as a geographically load balanced Cloud service requiring just a secure Virtual Private Network (VPN) connection to a client site containing existing Active Directory domain controller(s).

Authentication traffic is routed to the data centre closest to the client device, access is brokered in the usual way for Office 365 SSO and access is granted to the service. In the (much simplified) diagram below AD FS is geographically load balanced between DC1 and DC2; if DC1 should fail all traffic is routed to DC2 until service is restored.


Using the economies of scale the Cloud provides we can get this up and running in a short time frame, with a low impact on the existing IT staff workload.

We initially built the solution to support our own dispersed work force in the UK, India and New York. We had SSO in the UK, but if it was unavailable our workers in other time zones could not access services until someone in the UK had resolved the issue. From the start we identified this would fit the needs of other organisations and have built the robust solution to cater for large and small deployments.

You can request more information via our web site.

We have submitted the solution to Microsoft Pinpoint.

Feel free to add comments, ask a question or contact me directly about this.

AD RMS on devices

Active Directory Rights Management Services (AD RMS) enables the protection of emails and documents within the domain for users and computers.

If you have RMS in place with Exchange Server or Exchange Online, how do your mobile workers gain secure access? Some platforms (Windows Phone) support this out of the box, but it does require a bit of configuration. If you have Apple, Android or even the creaking BlackBerry OS in the mix, I have used the following apps to fill the gap.

NitroDesk TouchDown 7.3+ for Android

GigaTrust for Apple iOS and BlackBerry

I will write a follow up post covering RMS/IRM for Exchange Server and Exchange Online and how Windows Phone can leverage this in the coming weeks.


Forefront changes, TMG is no more

Threat Management Gateway and ISA before it provided a pretty simple way to get client connectivity to Exchange mailboxes from the internet. Microsoft have announced changes to the Forefront roadmap, which when you consider the next wave of server products and partner solutions makes sense.

Discontinued, but supported:

  • Forefront Protection 2010 for Exchange Server (FPE)
  • Forefront Protection 2010 for SharePoint (FPSP)
  • Forefront Security for Office Communications Server (FSOCS)
  • Forefront Threat Management Gateway 2010 (TMG)
  • Forefront Threat Management Gateway Web Protection Services (TMG WPS)

This kind of makes sense: Exchange 2013 comes with a basic level of protection built in, and a lot of organisations will already have a third party mail gateway or service deployed on the “perimeter”. The CAS role has also changed so that, as hosters have been doing for years, it can be exposed to the internet (via HLB etc.) with reduced risk.

Direct Access will play a big part in remote access, the UAG cash cow (heavy on licencing compared to TMG) will also continue as a product.

Azure AD Standalone Tenants

Over on the Windows Azure blog there have been some cool announcements.

I’ve been using for a while now and with the announcement of “standalone tenants” this presents huge possibilities. In hosting circles I have often had discussions about providing “multi-tenant” AD available on demand, but have always come to the conclusion it would require Microsoft to make some key changes.

Check it out now.

Windows 8 tip: Browser choice

If you have windows 8 RTM editions you will have recently had to complete the browser choice wizard. This is great until you realise it unpins desktop IE from the taskbar and the Start Screen only provides Windows Store/Modern UI (Metro) IE.

There are 2 simple solutions:

1. Start > type “iexplore.exe” > right click > Pin To Taskbar

2. Open Windows Store style IE > click the spanner/tools option > View on Desktop > right click IE on taskbar > Pin To Task Bar

Anyway, hope that helps some folks out.

Office 365 Outlook Password Notifications

Microsoft have released updates for Outlook 2007 and Outlook 2010 which provide password expiry notifications for non-federated users using a balloon in the system tray. If it is the first logon or the password has expired the user will receive a dialogue prompting them to change the password. In either case the user is directed to the Office 365 portal.

Password expiration notification.

Password has expired notification.

Get the updates for Outlook here:

  • 2687351 Description of the Outlook 2010 hotfix package (Outlook-x-none.msp): August 28, 2012
  • 2687336 Description of the Outlook 2007 hotfix package (Outlook-x-none.msp): August 28, 2012

For some organisations SSO just isn’t important; combining these Outlook updates with Set-MsolPasswordPolicy allows the customisation and enforcement of password policy with reduced user training and helpdesk calls.
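An added example (not from the original post) of the policy side of this: it reads the current tenant policy, sets the expiry and notification window that drives the Outlook balloon, and then lists the users whose accounts are flagged to never expire, since those bypass the policy entirely. The domain name and the 90/14 day values are assumptions; it needs the Microsoft Online Services Module for Windows PowerShell.

```powershell
# Added example (not from the original post). Domain and day values are assumptions.
Import-Module MSOnline
Connect-MsolService -Credential (Get-Credential)

$Domain = 'exchangegeek.com'   # assumed verified, non-federated domain

# What is in force today (ValidityPeriod / NotificationDays).
Get-MsolPasswordPolicy -DomainName $Domain

# Expire after 90 days and start the Outlook notification 14 days beforehand.
Set-MsolPasswordPolicy -DomainName $Domain -ValidityPeriod 90 -NotificationDays 14
Get-MsolPasswordPolicy -DomainName $Domain

# Accounts set to never expire ignore the policy above, so surface them for review.
Get-MsolUser -All |
    Where-Object { $_.PasswordNeverExpires } |
    Select-Object UserPrincipalName, LastPasswordChangeTimestamp |
    Sort-Object LastPasswordChangeTimestamp
```

The policy is per domain, so repeat the Set for each verified domain that has non-federated users; federated domains take their policy from on-premise AD and the Outlook notification does not apply to them.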

As always, the Exchange Team have created a great post with videos.

There is also a TechNet article explaining it all,

Windows 8 Release Preview Upgrade

I wanted to share a few tips I used when upgrading the Windows 8 Release Preview to Windows 8 Enterprise.

BitLocker

The first challenge I had is BitLocker was enabled. Not really a challenge, as the upgrade told me how to suspend it, which takes all of 10 seconds.

Host Version

Next I was informed I could not upgrade the Release Preview version I had. I overcame this by changing the install files to allow upgrade from a much earlier version; do this at your own risk.


Above, the RTM upgrade host version was higher than the currently installed version. I lowered this to 8200.0. Remember, do this at your own risk.


Activation

If Windows 8 won’t activate, run the following from an elevated command prompt, replacing the placeholder with your own product key:

slmgr.vbs -ipk 0123-4567-89AB-CDEF-GHIJ

Other than these 3, everything else just worked. I really like the very simple guide advising users to push the cursor to the corner of the screen. I think though it should cover a little more and highlight keyboard shortcuts.

Securing Exchange Online BlackBerry Devices with BlackBerry Business Cloud Service and Blocking BlackBerry Internet Service

Using the BlackBerry Business Cloud Service (BBCS) hosted by RIM allows Office 365 administrators to provision and manage BlackBerry device access to mailboxes. A savvy end user might realise the BlackBerry Internet Service (BIS) can also connect to mailboxes, historically this was just over IMAP but now also uses Exchange Web Services (EWS). As a business I would be concerned about unknown and unmanaged devices accessing corporate data.

BlackBerry Business Cloud Service

When the BBCS is enabled in the Office 365 portal a Foreign Principal Object (FPO) is created for RIM and authorized rights by Microsoft to access the tenant mailboxes. BBCS connects to Exchange Online using EWS. The administrator has access to the BlackBerry Administration Service Portal to set policy, create BlackBerry users and manage all BlackBerry devices. The end user gets access to the BlackBerry Web Desktop to configure and manage their own device.


BlackBerry Internet Service

With BIS the end user is in control of setup and device administration, and there is no record that the user has connected a device to Exchange (on-premise or Office 365). Accessing the carrier BIS portal, the user enters their email address and mailbox password, and EWS or IMAP is then used to access the mailbox. Only the end user has the ability to manage or wipe the device.


Restrict Blackberry Internet Services

Using Exchange Online (or on-premise) PowerShell we can restrict EWS, either by disabling it completely or by using allow/block lists for known applications. I mentioned an authorised FPO is created for BBCS access to mailboxes, so if we do disable EWS on the mailbox user object BBCS will continue to function. We also need to make sure IMAP and POP are disabled, otherwise BIS simply falls back to those.

Important Note: EWS is used by Outlook and other applications, I would not recommend completely disabling it.

I am going to connect to Exchange Online PowerShell:

$Sess1 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -AllowRedirection -Authentication Basic -Credential (Get-Credential)
Import-PSSession $Sess1

Using the following PowerShell I am going to leave EWS enabled for Outlook and a custom app agent ID (CustomEWSAppAgentID) which also uses EWS, but everything else will be blocked. Bear in mind the allow/block lists match on the User-Agent string the client presents, which the client chooses; this keeps unmanaged services like BIS out, but it is not an authentication control and will not stop someone who deliberately spoofs an allowed agent string:

Set-CASMailbox -Identity <mailbox> -EwsEnabled $True -EwsAllowOutlook $True -EwsAllowMacOutlook $True -EwsAllowEntourage $True -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList "*CustomEWSAppAgentID*" -PopEnabled $False -ImapEnabled $False

Replacing Set-CASMailbox with Set-OrganizationConfig, the EWS settings can be applied to all tenant mailboxes. Note that EWS settings set on an individual mailbox override the organisation setting, so a mailbox you configured earlier keeps its own policy.

Important Note: I would test on a few mailboxes before applying organisation wide.

If the user is federated, BIS will first have to authenticate through the AD FS Proxy, so another option is to block RIM’s IP addresses there. The IP addresses are subject to change and can be found at the following locations.



I hope you find this useful, it took me a week to get confirmation that BIS now uses EWS.

Updated - 20/08/12:

If you want to be 100% sure BBCS will not be affected by the EWS Application Policy, use the following.

Set-OrganizationConfig -EwsEnabled $True -EwsAllowOutlook $True -EwsAllowMacOutlook $True -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList "*BES/*"

I received confirmation from RIM this week that “BES/<version>” is the application user agent used by BES and BBCS.
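Putting the per-mailbox command and the BES/ update together, here is an added example (not from the original post) that pilots the allow list on a couple of mailboxes and then audits the whole tenant for the combinations that would still let BIS in: IMAP or POP enabled, or EWS enabled without an enforced allow list. It resolves the effective value per mailbox because a mailbox-level setting overrides the organisation one. The pilot UPNs and the custom agent ID are assumptions; the session values are the Exchange Online ones.

```powershell
# Added example (not from the original post). Pilot UPNs and CustomEWSAppAgentID are assumptions.
$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://ps.outlook.com/powershell/ -Credential (Get-Credential) `
    -Authentication Basic -AllowRedirection
Import-PSSession $Session -DisableNameChecking | Out-Null

$Pilot         = @('alice@exchangegeek.com', 'bob@exchangegeek.com')   # assumed pilot mailboxes
$AllowedAgents = @('*BES/*', '*CustomEWSAppAgentID*')                  # BBCS/BES plus the custom app

foreach ($upn in $Pilot) {
    Set-CASMailbox -Identity $upn -EwsEnabled $true -EwsAllowOutlook $true `
        -EwsAllowMacOutlook $true -EwsAllowEntourage $true `
        -EwsApplicationAccessPolicy EnforceAllowList -EwsAllowList $AllowedAgents `
        -PopEnabled $false -ImapEnabled $false
}

# Audit. Mailbox-level EWS settings, where present, override Set-OrganizationConfig, so
# work out the effective value per mailbox instead of trusting the org setting alone.
$Org = Get-OrganizationConfig
$Report = Get-CASMailbox -ResultSize Unlimited | ForEach-Object {
    # An unset EwsEnabled means enabled, at both mailbox and org level.
    $ews = if ($_.EwsEnabled -ne $null) { [bool]$_.EwsEnabled }
           elseif ($Org.EwsEnabled -ne $null) { [bool]$Org.EwsEnabled }
           else { $true }
    $policy = if ($_.EwsApplicationAccessPolicy) { $_.EwsApplicationAccessPolicy } else { $Org.EwsApplicationAccessPolicy }
    $allow  = if ($_.EwsAllowList) { $_.EwsAllowList } else { $Org.EwsAllowList }
    New-Object PSObject -Property @{
        Mailbox   = $_.PrimarySmtpAddress
        Ews       = $ews
        Policy    = "$policy"
        AllowList = ($allow -join ';')
        Imap      = $_.ImapEnabled
        Pop       = $_.PopEnabled
    }
}

# Anything listed here is still reachable from BIS.
$Report |
    Where-Object { $_.Imap -or $_.Pop -or ($_.Ews -and $_.Policy -ne 'EnforceAllowList') } |
    Select-Object Mailbox, Ews, Policy, AllowList, Imap, Pop |
    Format-Table -AutoSize
```

Run the audit again after the organisation-wide Set-OrganizationConfig; mailboxes that were touched individually during the pilot will show their own policy rather than the org one, which is the override behaviour mentioned above.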

Basic Office 365 PowerShell Tip

I'm setting up a new PC this week and getting used to a different keyboard, joy. I connect to Office 365 Exchange Online a lot, so the first thing for me is to run the following.

Using an elevated PowerShell window.

Set-ExecutionPolicy -ExecutionPolicy Unrestricted

RemoteSigned is enough to run locally written scripts like the one below and is the safer setting; Unrestricted also lets downloaded scripts run after a prompt.

Next I register my scripts directory in PS. This only lasts for the current session; put the same line in your $PROFILE to make it permanent.

$env:path = $env:path + ";C:\Scripts\PowerShell"

Then to create my most used script, I save it as O365Session.ps1.

$O365PSSess1 = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential (Get-Credential) -Authentication Basic -AllowRedirection
Import-PSSession -Session $O365PSSess1

To run I just open a PowerShell session window and type O365Session.ps1.

This post is really just a reminder for me, I hope that if you didn't know about this you have now tried it.

Public Folders – Exchange 2013 Preview and Office 365 Preview

With the release of Exchange 2013 Preview Microsoft did something awesome, which even going back to Exchange Server 2007 I thought would never happen. Public folders, in my opinion, have been re-elevated in importance. Gone are separate Public Folder databases: the new Public Folder Mailboxes have moved from multi-master to single-master, using continuous replication in the DAG alongside other mailboxes, on-premise or in the cloud.

Public Folder Mailboxes are now created to store public folder content, the first of which also stores the folder hierarchy. Not only does this simplify HA/DAG deployment, but also makes e-discovery easy. Coupled with Site Mailboxes I see a new chapter of sharing and collaboration opening up in Exchange Server, both can be easily managed using the new Exchange Administration Center (EAC) or EMS.

If you plan to migrate existing public folders you need to consider the following:

  • Exchange Server 2010 SP3 is a requirement.
  • You need to use the new *PublicFolderMigrationRequest cmdlets, new *OrganizationConfig parameters and PowerShell scripts:
    • Export-PublicFolderStatistics.ps1   This script will create the folder name to folder size mapping.
    • PublicFolderToMailboxMapGenerator.ps1   This script will create the public folder to mailbox mapping file.
  • Make sure you have validated Public Folder database backups before you start.
  • Use Get-PublicFolder cmdlet to list information about the Public Folder hierarchy for later comparison.

At the time of writing Microsoft have made pre-release information available for Exchange 2013 Preview here.
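The preparation steps above as one script, added here as an example and not taken from the original post or from Microsoft’s documentation: it snapshots the legacy hierarchy and folder statistics for the later comparison, runs the two Microsoft scripts to build the size map and the folder-to-mailbox map, and sanity checks the map before anything is created. The server name, working folder and the 10 GB target mailbox size are assumptions; the migration request itself is left commented so it is not run before the map has been reviewed and the backup verified.

```powershell
# Added example (not from the original post). Server, paths and 10GB are assumptions.
# Run from the Exchange 2010 SP3 Management Shell on the legacy public folder server, with
# Export-PublicFolderStatistics.ps1 and PublicFolderToMailboxMapGenerator.ps1 copied from
# the Exchange 2013 Scripts folder into $Scripts.
$SourceServer = 'EX01.exchangegeek.com'   # assumed 2010 SP3 server hosting the PF database
$Work    = 'C:\PFMigration'
$Scripts = 'C:\PFMigration\Scripts'
New-Item -ItemType Directory -Path $Work -Force | Out-Null

# 1. Snapshot hierarchy and per-folder statistics for the post-migration comparison.
Get-PublicFolder -Recurse -ResultSize Unlimited |
    Select-Object Identity, ParentPath, MailEnabled |
    Export-Csv "$Work\PF-Hierarchy-Before.csv" -NoTypeInformation
Get-PublicFolderStatistics -ResultSize Unlimited |
    Select-Object FolderPath, ItemCount, TotalItemSize |
    Export-Csv "$Work\PF-Stats-Before.csv" -NoTypeInformation

# 2. Folder name -> size map, then folder -> target mailbox map.
Set-Location $Scripts
.\Export-PublicFolderStatistics.ps1 "$Work\PFSizeMap.csv" $SourceServer
.\PublicFolderToMailboxMapGenerator.ps1 10GB "$Work\PFSizeMap.csv" "$Work\PFMailboxMap.csv"

# 3. Sanity check the map: every folder must have a target, and the first target mailbox
#    will also carry the hierarchy, so know how many mailboxes you are about to create.
$map     = Import-Csv "$Work\PFMailboxMap.csv"
$targets = $map | Group-Object TargetMailbox
"Folders mapped: $($map.Count); target public folder mailboxes: $($targets.Count)"
$map | Where-Object { -not $_.TargetMailbox } |
    ForEach-Object { Write-Warning "Unmapped folder: $($_.FolderPath)" }

# 4. On Exchange 2013, once the map is reviewed and the PF database backup is verified:
# $targets | ForEach-Object { New-Mailbox -PublicFolder -Name $_.Name }
# New-PublicFolderMigrationRequest -SourceDatabase (Get-PublicFolderDatabase -Server $SourceServer) `
#     -CSVData (Get-Content "$Work\PFMailboxMap.csv" -Encoding Byte)
```

After the migration, export the same two CSVs from Exchange 2013 (Get-PublicFolder -Recurse and Get-PublicFolderStatistics) and diff them against the “Before” files; a folder missing from the hierarchy or an item count that dropped is the signal to stop before finalising.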

Exchange ActiveSync - Firewall Timeout

Since Exchange Server 2003 SP2 Microsoft has included Direct Push as a feature of ActiveSync. Direct Push simply keeps the device up to date as new content is ready to synchronise. ActiveSync Direct Push has been licenced or is supported on a wide range of platforms from devices to competing mail servers.

It’s pretty straight forward:

  1. The client sends a long-standing HTTPS request to the server, asking to be notified if any items configured to synchronise change within the heartbeat interval (15 minutes in this example).
  2. If after 15 minutes no items change, the server returns an HTTP 200 OK; the client wakes up and sends a new HTTPS request.
  3. If an item changes on the server within the heartbeat interval, a response is sent to the client which triggers a synchronisation for the changed item.

If the firewall/network idle timeout is lower than the heartbeat, the firewall drops the connection while the client is still waiting; the client then shortens its heartbeat and sends HTTPS requests more frequently, increasing wake-ups and battery consumption.

For optimum performance you should look to have firewall idle timeout values set between 15 and 30 minutes; I often opt for the 30 minute mark. You will need to configure this on any firewalls or proxies between your CAS and the internet.

I’m pretty sure any mobile operator will have a decent timeout value so shouldn’t present an issue, but in the early days of Direct Push and WM5.x + MSFP I do remember this causing problems.
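A way to measure the idle timeout from the outside rather than reading every firewall config, added here as an example and not from the original post: open one HTTPS connection to the CAS, send a harmless unauthenticated HEAD to the ActiveSync virtual directory (a 401 is fine, it proves the path answers), go idle for the Direct Push heartbeat, then reuse the same connection. If the second request is reset or times out, something in the path dropped the idle state. The host name and the idle periods are assumptions; run it from outside the firewall you are testing.

```powershell
# Added example (not from the original post). Host name and idle periods are assumptions.
function Test-IdleHttpsHold {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$IdleMinutes = 15,
        [int]$Port = 443
    )
    $client = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
    $ssl.AuthenticateAsClient($HostName)
    $ssl.ReadTimeout = 30000   # a live path answers in well under 30 seconds

    # Unauthenticated HEAD on the EAS virtual directory: a 401 is expected and is fine.
    $request = "HEAD /Microsoft-Server-ActiveSync HTTP/1.1`r`nHost: $HostName`r`nConnection: keep-alive`r`n`r`n"
    $bytes  = [System.Text.Encoding]::ASCII.GetBytes($request)
    $buffer = New-Object byte[] 8192

    $ssl.Write($bytes, 0, $bytes.Length); $ssl.Flush()
    $null = $ssl.Read($buffer, 0, $buffer.Length)     # baseline: the path works before going idle

    Start-Sleep -Seconds ($IdleMinutes * 60)           # idle like a client waiting on its Ping

    $result = New-Object PSObject -Property @{ IdleMinutes = $IdleMinutes; Held = $false; Response = '' }
    try {
        $ssl.Write($bytes, 0, $bytes.Length); $ssl.Flush()
        $read = $ssl.Read($buffer, 0, $buffer.Length)
        $result.Held = ($read -gt 0)
        $result.Response = ([System.Text.Encoding]::ASCII.GetString($buffer, 0, $read) -split "`r`n")[0]
    } catch {
        $result.Response = $_.Exception.Message        # reset or read timeout: idle state was dropped
    } finally {
        $ssl.Dispose(); $client.Close()
    }
    $result
}

# Walk up to find where the connection stops being held (takes a while by design).
# 5, 10, 15, 20, 30 | ForEach-Object { Test-IdleHttpsHold -HostName mail.exchangegeek.com -IdleMinutes $_ }
```

The first idle period that comes back with Held = False is roughly your effective timeout; set the firewall or proxy idle value above the heartbeat you expect devices to negotiate, which in practice means the 15 to 30 minute range above.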


Windows 8 Mail app + Exchange ActiveSync Policy = BYO PC?

It’s been my “dream” for a long time to be able to remote wipe Outlook, this is one of the remaining hurdles I had with allowing BYO PC within Noakesy Hosting.

With the Mail app in Window 8 Release Preview I’m glad to see they are making use of Exchange ActiveSync, which in turn sets out some policies which devices must comply with.

Setting up an Exchange account presents the user with a warning.

Looking in ECP I can now see a device called Windows Mail, great. The coolest part is I can wipe just the Windows Mail app, I think future versions of Exchange will need to reflect the entire device will not be wiped. Maybe a rename to “Apps and Devices”, with an indication of what is possible is needed.


I can also see my EAS policy has been applied in full under Details.


Released: BES SP3 MR7

RIM have released BlackBerry Enterprise Server Service Pack 3 Maintenance Release 7 for Microsoft Exchange Server.

The release includes new fixes for the BlackBerry Administration Service, BlackBerry Mail Store Service, BlackBerry MDS Connection Service, BlackBerry Messaging Agent and BlackBerry Policy Service.

Select and download the update here.

Installation is straightforward as usual and covered in the release notes.

Update Rollup 2 for Exchange Server 2010 Service Pack 2

Microsoft have released Update Rollup 2 for Exchange Server 2010 Service Pack 2. Full information is available here.

Don’t forget (as I almost always do – only in the lab of course) to run fscutility /disable to disable Forefront before you run the update. More on how to do that here, Just remember to enable it afterwards using, fscutility /enable.

Windows 8 + Exchange ActiveSync

The Windows Team Blog has post about the Windows 8 editions which will be available, It’s a much simpler line up consisting of Windows 8 (consumer), Windows 8 Pro (pro-consumer, business) and Windows RT (ARM powered devices). There will also be an Enterprise SKU of Windows 8.

For me there are a couple of interesting items in the feature table. First off, all editions support Exchange ActiveSync, suggesting to me that support for “Exchange” is built in – great. This also potentially plugs a gap for me which is missing from Outlook: the ability to remotely remove (either selectively or by device wipe) corporate mail from a device, be it personal or company issued.

With Exchange ActiveSync we can also enforce policies on devices, which covers off how we can secure Windows RT devices with a policy which cannot be domain joined. Exchange is great at doing this and I know RBAC roles could be created for a Mobile Team, but mobile is such a broad topic I don’t believe Exchange is the best place to manage this. What happens if you want to secure a Windows RT device with policy, but it doesn’t need email? Maybe in time ActiveSync security polices will evolve in to more of a broad MDM (Mobile Device Management) product.

There seems to be 2 types of encryption. Windows 8 and Windows 8 Pro get BitLocker and EFS while Windows RT gets “device encryption”. I’m guessing the latter is similar to that of iDevices and Windows Phone controlled by ActiveSync policy or a local switch.

On a related note, I’m not sure Windows RT is a great name. Windows on Arm (WOA) sounds way better.

Windows 8: Cisco AnyConnect VPN Client

If you have installed the Windows 8 Consumer Preview and use Cisco AnyConnect you may run in to a problem when attempting to connect. I got the error “The VPN client driver has encountered an error”.

AnyConnect VPN Client error after Windows 8 upgrade

First off I spotted a warning in the event log stating that the Cisco AnyConnect VPN Client must be reinstalled after upgrading Windows, which I completed and still found I could not connect.

Event log - ApplicationExperienceWarning

After a bit more digging I noticed the VPN adapter, Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64, was not Enabled (usually disabled when not in use) when the connection was initiated. Looking in the Registry I could see the DisplayName string value did not match the name of the adapter, so updated as below.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\vpnva]
"DisplayName"="Cisco AnyConnect VPN Virtual Miniport Adapter for Windows x64"

Restarting the Cisco AnyConnect VPN Client and clicking Connect now works.

If connecting from Internet Explorer 10 you may need to set the web page to use Compatibility View to launch the client using ActiveX and connect.
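Rather than hand-editing the registry, the mismatch can be checked and corrected by comparing the vpnva service’s DisplayName with the adapter name Windows itself reports for that driver service. This is an added example, not from the original post; it assumes the AnyConnect virtual adapter is still bound to a service called vpnva on the upgraded machine and needs an elevated prompt.

```powershell
# Added example (not from the original post). Assumes the AnyConnect driver service is vpnva.
$Key = 'HKLM:\SYSTEM\CurrentControlSet\Services\vpnva'

# Win32_NetworkAdapter.ServiceName is the driver service, so this finds the AnyConnect adapter
# regardless of the exact name the installer gave it.
$adapter = Get-WmiObject Win32_NetworkAdapter -Filter "ServiceName='vpnva'"
if (-not $adapter) { throw 'No network adapter bound to the vpnva service; reinstall AnyConnect first.' }

$current = (Get-ItemProperty -Path $Key -Name DisplayName).DisplayName
if ($current -ceq $adapter.Name) {
    "DisplayName already matches the adapter: $current"
} else {
    "Registry DisplayName: '$current'"
    "Adapter name:         '$($adapter.Name)'"
    Set-ItemProperty -Path $Key -Name DisplayName -Value $adapter.Name
    "Updated; restart the Cisco AnyConnect VPN Client and connect again."
}
```

The case-sensitive comparison (-ceq) is deliberate: the client matches the string exactly, so a difference only in capitalisation is still a mismatch.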

Old School - Exchange Exports

We can’t always perform mailbox moves, cross forest moves or use a web based mail migration service. From time to time we just have to get our hands dirty and shift PST files around.

If you have ever tried to use Exmerge to export a large (around 2GB) mailbox you will have run in to errors. Luckily Glen Scales and Michael Smith came to the rescue years ago.

I really like Michael’s solution; I just edit the 3 lines below and run it from the command prompt with cscript ExMBspanPst.vbs mailboxname.

servername = "EX01"
bfBaseFilename = mbMailbox
pfFilePath = "c:\PST\"

I thought I had seen the last of PST files, but we became reacquainted this weekend.

vCloud & NIC binding

When adding additional NICs to existing VMs using vCloud Director I have observed the bind order in Windows can end up wrong potentially leading to issues when services start up.

This is simply corrected under Advanced > Advanced Settings in the Network Connections window.


I found a useful PowerShell link to check and set the bind order here.
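For reference, the order shown under Advanced Settings is the TCP/IP Bind list in the registry. The following is an added example, not from the original post or the linked script: it lists that order with the adapter connection names, and a second function moves a named adapter to the top so the change can be scripted into the vCloud build rather than fixed by hand after each NIC is added. The adapter name in the usage line is an assumption; the change takes effect after a reboot.

```powershell
# Added example (not from the original post). Reads/writes HKLM\...\Tcpip\Linkage\Bind.
$BindKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage'

function Get-NicBindOrder {
    $bind     = @((Get-ItemProperty -Path $BindKey).Bind)          # entries look like \Device\{GUID}
    $adapters = Get-WmiObject Win32_NetworkAdapter | Where-Object { $_.GUID }
    $i = 0
    foreach ($entry in $bind) {
        $guid = $entry -replace '^\\Device\\', ''
        $a = $adapters | Where-Object { $_.GUID -eq $guid }
        $i++
        New-Object PSObject -Property @{
            Order      = $i
            Connection = $a.NetConnectionID
            Adapter    = $a.Name
            Entry      = $entry
        }
    }
}

function Set-NicBindFirst {
    param([Parameter(Mandatory=$true)][string]$ConnectionName)
    $bind = @((Get-ItemProperty -Path $BindKey).Bind)
    $a = Get-WmiObject Win32_NetworkAdapter -Filter "NetConnectionID='$ConnectionName'"
    if (-not $a) { throw "No adapter with connection name '$ConnectionName'" }
    $entry = "\Device\$($a.GUID)"
    if ($bind -notcontains $entry) { throw "'$ConnectionName' is not in the TCP/IP bind list" }
    # Keep every other entry in its existing order; only the chosen adapter moves to the top.
    $new = @($entry) + @($bind | Where-Object { $_ -ne $entry })
    Set-ItemProperty -Path $BindKey -Name Bind -Value ([string[]]$new) -Type MultiString
    Get-NicBindOrder
}

Get-NicBindOrder | Sort-Object Order | Format-Table Order, Connection, Adapter -AutoSize
# Set-NicBindFirst -ConnectionName 'Local Area Connection'   # assumed name; reboot to apply
```

Run Get-NicBindOrder after every NIC is added through vCloud Director and compare it with what you expect; a new adapter landing at the top is the symptom described above.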

Exchange 2010 SP2 Update – IIS6 WMI requirement

Having recently completed a round of Exchange 2010 SP2 upgrades I haven’t really found any gotchas, assuming you read the documentation first.

One item I think could catch a few people out is the requirement for “IIS 6 WMI Compatibility” to be installed on CAS role servers. This can easily be installed as part of the upgrade using: Setup.com /m:upgrade /InstallWindowsComponents

If you choose to run the GUI (setup.exe) you will need to install the IIS6 WMI Compatibility component of IIS or run the following PS:

Import-Module ServerManager
Add-WindowsFeature Web-WMI
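As a pre-flight for a round of upgrades, the check above can be run against every CAS in the organisation at once instead of server by server. This is an added example, not from the original post; it assumes PowerShell remoting is enabled to the CAS servers and is run from an Exchange Management Shell.

```powershell
# Added example (not from the original post). Assumes remoting to each CAS is enabled.
$cas = Get-ExchangeServer |
    Where-Object { $_.IsClientAccessServer } |
    Select-Object -ExpandProperty Fqdn

Invoke-Command -ComputerName $cas -ScriptBlock {
    Import-Module ServerManager
    $before = (Get-WindowsFeature Web-WMI).Installed
    if (-not $before) { Add-WindowsFeature Web-WMI | Out-Null }
    New-Object PSObject -Property @{
        Server             = $env:COMPUTERNAME
        WebWMIBefore       = $before
        WebWMIAfter        = (Get-WindowsFeature Web-WMI).Installed
    }
} | Format-Table Server, WebWMIBefore, WebWMIAfter -AutoSize
```

Any server reporting WebWMIAfter = False needs a look before setup is started on it; the GUI setup will otherwise stop at the prerequisite check.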

Microsoft Exchange PST Capture – At Last!

Over on the Exchange Team blog they have posted .PST, Time to Walk the Plank, about a new tool called Microsoft Exchange PST Capture to discover, capture and import PST files distributed on computers within your organisation.

Read about it on TechNet here,

Obviously it works with Exchange Online as well as partner Hosted Exchange or on-premise Exchange Server 2010. You can import to either primary mailbox or Archive Mailbox.

Fig1. Server Connection Settings

If the PST is open/in-use it can’t be imported, so maybe a tool to run overnight or at the weekend in combination with waking PCs up.

Fig2. Configuring Search

I have previously used a tool which also ripped out PST encryption/password protection easing imports for those users attempting to protect PST data. It appears Microsoft Exchange PST Capture does not do this yet.

Fig3. PST Capture Console