Active Directory Synchronisation With BPOS

The Microsoft Online Services Directory Synchronisation tool provides one-way synchronisation from your local Active Directory directory service to Microsoft Online Services. Directory synchronization can also provide global address list synchronization between your local Microsoft Exchange Server environment and Microsoft Exchange Online.

Using Directory Synchronisation

If you plan to establish e-mail coexistence between your local Exchange Server environment and Exchange Online, you must establish e-mail coexistence before installing and configuring directory synchronisation.

When you first run the Directory Synchronisation tool, it will write a copy of each user account and mail-enabled contact and group to your organisation’s Microsoft Online Services directory.

When user accounts are first synchronised with your Microsoft Online Services company, they are marked as disabled. They cannot send or receive e-mail, and they do not consume licenses. When you are ready to assign Exchange Online mailboxes to specific users, you must select and activate these users.

While in e-mail coexistence, all edits of user accounts and mail-enabled contacts and groups must be performed in your local Active Directory. Directory synchronisation will update Microsoft Online Services with those changes every three hours, or you can manually force synchronisation at any time. For example, deleting a user account in your local Active Directory will delete that account in Microsoft Online Services.

Important 

Directory synchronisation is one way, from your local Active Directory environment to Microsoft Online Services. When synchronising Active Directory with Microsoft Online Services, it is important that you continue to create and edit all user accounts and e-mail enabled contacts and groups in your local Active Directory. Objects edited in the Microsoft Online Services Administration Center will be overwritten when the next synchronisation takes place.

Note 

Synchronised objects may take up to 24 hours to appear in the Offline Address Book (OAB) and Communicator. Objects that have been synchronized from your on-premises Active Directory directory service will appear immediately in your global address list (GAL), but it may take up to 24 hours before they appear in the OAB and in Microsoft Office Communicator.

Note 

When an account is migrated from your on-premises Active Directory, the account password is not migrated with the account. When the administrator activates the migrated account, a new password is assigned to that account. If the password associated with an on-premises Active Directory account is changed, that new password is not migrated. Users must change their Microsoft Online Services passwords manually.

Active Directory accounts are identified by a globally unique identifier (GUID) that is assigned to each account when it is created. If you delete an account and then create a new account with the same name, the new account will have a different GUID. Because the Directory Synchronization tool identifies the user accounts by their GUID, the Microsoft Online Services account associated with the deleted user account will be deleted during the next synchronization, and a new account will be created. The mailbox or other services associated with the deleted user account will also be deleted. If you accidentally delete a user in your local Active Directory, you should use the Active Directory tools to recover that user account. To prevent replication of the accidental deletion, disable directory synchronization in the Administration Center until you have recovered the deleted user account.


Install the Directory Synchronisation Tool

Before you install the Microsoft Online Services Directory Synchronisation tool, you’ll need:

  • Enterprise administrator credentials: With the Directory Synchronization tool, you will need to use enterprise administrator credentials on the computer on which it will be installed in order to create a local account with synchronization permissions. For more information, see Directory Synchronization Tool Prerequisites.
  • Windows Server 2003 SP2: The Directory Synchronization tool must be installed on a domain-joined computer that is running Windows Server 2003 with Service Pack 2 installed.

After you install the Directory Synchronization tool, you can upgrade the Directory Synchronization tool on the same computer or use a different computer. Using a different computer is recommended for customers who have an on-premises Active Directory with more than 50,000 objects, to avoid missing deletions that occur on-premises while the upgrade is taking place.

There can be only one instance of the Directory Synchronization tool installed on your network. If you install the tool on a second computer that is networked with your first computer, synchronization will stop working on the first computer.

To install the Directory Synchronisation tool

  1. Log on to the Microsoft Online Services Administration Center, click Migration, and then click Directory Synchronisation.

  2. On the Directory Synchronisation page, complete steps 1 and 2.

  3. Under step 3, click Download and follow the instructions to save the installation file on your computer. If necessary, copy the installation file to the computer on which it will be installed.

  4. Run the installation file.

  5. On the last page of the installation program, select Run Configuration Wizard now, and then complete the configuration process.

    Important 

    You must successfully complete the Directory Synchronization tool Configuration Wizard before synchronization will begin.

To upgrade the Directory Synchronisation tool

  1. In the Microsoft Online Services Administration Center, on the Migration tab, click the Directory Synchronisation page. Click Download, and then follow the instructions to save the latest version of the Directory Synchronization tool installation file to the directory synchronization computer.

  2. On the computer on which the Directory Synchronisation tool is installed, open the Control Panel, select Add and Remove Programs, and then uninstall the Directory Synchronisation tool.

    Note 

    If a synchronisation session is in progress, you will receive a warning when you try to remove the Directory Synchronisation tool. If you receive this warning, wait until synchronisation is complete and then repeat this step.

  3. Run the latest version of the Directory Synchronisation tool installation file.

  4. On the last page of the installation program, select Run Configuration Wizard now, and then complete the configuration process.

    Important 

    You must successfully complete the Directory Synchronisation tool Configuration Wizard before synchronisation will begin.

To update the Directory Synchronisation tool using a different computer

  1. Log on to the current directory synchronisation computer, click Start, click Control Panel, open Administrative Tools, and then, in Services, stop the MSOL_AD_Sync service.

  2. On a different computer, download and run the Directory Synchronisation tool installation file as usual, and then run the Configuration Wizard.

  3. On the last page of the Configuration Wizard, select Start directory synchronisation now, and then click Finish.

    This will reset the synchronisation service password, break the synchronization relationship with the old computer, and establish a synchronisation relationship with the new computer.

  4. When the Event Viewer on the new directory synchronisation computer shows that synchronisation is complete, log on to the old directory synchronisation computer, run the Configuration Wizard, and force a synchronisation.

    This will identify and synchronise any objects that were deleted while directory synchronisation was stopped.

  5. On the new directory synchronisation computer, run the Configuration Wizard again, and force another synchronisation.

    This will reset the synchronisation service password and reestablish the synchronization relationship.

  6. Uninstall the Directory Synchronisation tool from the old directory synchronisation computer.

Additional Information

Important 

Installing the Directory Synchronisation tool creates the MSOL_AD_SYNC account in the standard Users organizational unit (OU) of the local Active Directory. This account is used by Directory Synchronisation tool to read the local Active Directory information. Do not move or remove this account. Moving or removing this account will cause synchronisation failures.

Issue: Items deleted on local computer while tool is uninstalled aren’t deleted from Microsoft Online Services

If you uninstall and then reinstall the Directory Synchronisation tool on your local computer (or move the tool from one computer to another), items deleted on your computer during the time that the Directory Synchronisation tool is uninstalled will not be deleted from Microsoft Online Services. This issue occurs when you are using the Directory Synchronisation tool to provide one-way synchronization from your local Active Directory directory service to Microsoft Online Services.

Issue: Can’t uninstall Directory Synchronisation tool

When the Directory Synchronisation tool installation fails before the MIISAdmins group is created, the account that would be used to uninstall the Directory Synchronisation tool does not exist; hence, the Directory Synchronisation tool cannot be uninstalled.

To work around this, you need to do the following:

  1. Create a Local Machine Group called MIISAdmins.
  2. Add yourself to the group.
  3. Attempt to uninstall the Directory Synchronisation tool.

Enable Directory Synchronisation

Enabling directory synchronisation is one simple step in the process of implementing e-mail coexistence and directory synchronisation. It must be done before installing the Microsoft Online Services Directory Synchronisation tool.

Directory synchronisation is one way, from your local Active Directory environment to Microsoft Online Services. When synchronizing Active Directory with Microsoft Online Services, it is important that you continue to create and edit all user accounts and e-mail enabled contacts and groups in your local Active Directory. Objects edited in the Microsoft Online Services Administration Center will be overwritten when the next synchronization takes place. For more information about directory synchronization, see About Directory Synchronisation.

Note 

If you plan to establish e-mail coexistence, you must enable directory synchronization.

To enable directory synchronisation

  1. Log on to the Administration Center, click Migration, and then click Directory Synchronisation.

  2. In the Enable one-way synchronisation from your local Active Directory to Microsoft Online Services step, click Enable.

How to Set Up Custom Domains and Receive Email with Microsoft BPOS

One of the first tasks for many admins switching to the Microsoft Business Productivity Online Services (BPOS) is to configure email messaging.  This can be accomplished a few different ways, depending on your migration strategy.



In this article we’ll walk through the simplest way of getting BPOS up-and-running: configuring BPOS as primary mail server for a domain without any data migration; and no Exchange co-existence.

When would this scenario be used? Most likely for one of these reasons:

  • You are setting up a brand new domain with BPOS.
  • You are running a trial evaluation of BPOS with a test domain before committing and migrating users.
  • You’re switching to BPOS from another hosting provider, and have no (or little) mailbox data to migrate.
  • You want to switch to BPOS, but only have a small number of mailboxes, so creating new mailboxes is low-effort.

High-Level Summary of the Steps

Setting up BPOS as your primary mail server is very easy.  There are only a few tasks involved, and we’ll walk through them step by step.

First, a couple of prerequisites.

If you haven’t already, sign up for a BPOS trial or pay account. I’m going to assume you can handle this one on your own.

Second, log in to the BPOS Admin site with the Administrator ID you just created. The link will be in the welcome email from Microsoft.

Third, you’ll need account login information for your domain registrar.  Setting up email involves creating a DNS record with your domain registrar or DNS hosting service.  So, get their login information handy and find their DNS management tool.  Some registrars require that you contact their support staff to make DNS changes, the good ones let you do it yourself. (Tip: Unsure who your registrar is? Here are some ways to find out.)

We’ll go into great detail below, but here’s a high-level summary of what you’re about to do, and why the steps are required. There are really only five main steps:

  1. Add your custom domain(s) to BPOS. Microsoft creates a generic domain that you could use for messaging, but it’s pretty ugly. Something like “user@bpostutorial.microsoftonline.com”. In this example we’ll add a new domain called bpostutorials.com.
  2. Verify your domain – a procedure to confirm that you own the domain you’re attempting to add to BPOS. This step involves creating a DNS record with your DNS host or domain registrar.
  3. Create user accounts and mailboxes in BPOS.
  4. Enable inbound messaging so that internet hosts send mail to BPOS instead of your old servers. This involves changing your DNS MX (Mail-Exchanger record) to point to Microsoft.
  5. Test it out!

In Detail: How to set up Messaging and DNS

Step 1: Add Custom Domains to BPOS

Open up the BPOS Admin site.  You may have a helpful “Tasks I Need to Do” shortcut in the middle of your screen. If so, click “Add your domain to Microsoft Online Services”. If not, click on the Users tab, then the Domain menu item.


If you’re using the Users/Domains tab, click the “New” link in the upper-right corner.


A screen will pop-up, like the one below. Enter your Domain name in the box provided – in my example I’ve used bpostutorials.com.

The two options in the lower-half of the screen determine if BPOS will be the primary mail server, or if it will co-exist with an external Exchange system.  Since we want BPOS to be your primary mail server, choose the “Authoritative” option.


Click “Create” and a window like the one below will be displayed. Select the box to “Start the Verification Wizard” if you’re ready to go to the next step and Verify the domain now.


Step 2: Verify Your Domain

Verifying a domain is accomplished by creating a DNS entry called a CNAME (an alias) in your DNS records. Your DNS records are generally hosted by your domain registrar, though in some cases your DNS may be hosted elsewhere.

First we need Microsoft to tell us how to configure the CNAME. If you didn’t select the option to start the Verification wizard in the previous step, then go back to the Users tab, and click on the Domains menu item.  The newly added domain will now appear in the domains list. Click the “Verify Now” link.


Select your registrar from the drop-down if available, otherwise select “Other” and click “Next“.


On the next screen you’ll be provided with DNS settings that you’ll need to configure with your domain registrar. Don’t use the ones in the screenshot here, they will all be unique. Make a note of the Host name, and “Points To” information.


Keep this window open. Now, fire up a new browser window and log in to your domain registrar’s admin site.  The example below was created using Go Daddy, but most registrars will have a similar tool. Microsoft has also compiled a detailed list of instructions for popular registrars.

Open up your registrar’s DNS tool and add a CNAME record. For example, with Go Daddy I would click the “Add New CNAME Record” button on the right-hand side of the screen.


Enter the Alias information that BPOS gave you. Note that you usually don’t have to fully qualify an Alias (i.e. the full domain name isn’t required, just the host name).


Success! Keep your registrar’s admin site open, because you’ll need it again in a minute.


Flip back to your BPOS window (you left that open, right?) and click the “Verify” button. If you did it right, then you should see a message like the one below. If it was unsuccessful then go back and confirm that you typed in the alias properly. Some registrars may take a few moments to process the change, so you could also try doing a DNS lookup from another system to confirm that the alias is working. BPOS won’t verify the domain until it can resolve the new alias you created to the server name it provided you in the previous steps.


Step 3: Create Users

Without going into detail, this would be a good time to create some user mailboxes. In a moment you’ll tell the world to start sending mail to the new BPOS server for your domain. If you haven’t configured accounts before making the next changes, then mail delivery could be refused.

Make sure to select the correct domain from the domain drop-down box when creating users!


Tip – make the domain you just created your “Default user account domain” on the domain properties screen. This will add new users to this domain by default.


Step 4: Enable Inbound Messaging

This is it, the big moment when you enable messaging with BPOS. Before you proceed, make sure that you’re ready to make this change. This will make BPOS the primary, and only, mail server for your domain. Make sure you’ve created mailboxes, notified your users how to access the new system, and that you’re sure you want to direct all incoming mail to BPOS.

By now your domain should show as Verified on the Users/Domains menu:


Click on the name of the domain to access the domain properties box, then go to the “Inbound Messaging” tab. Click “Enable”.


Click “Enable” again on the next screen:


And you’ll see a Success window like this one. But you’re not done yet! The dialogue box will provide a new MX record that needs to be set up with your domain registrar. Make a note of the new MX information (e.g. in “Step 2” in the window below).


Now go back to your domain registrar’s Domain management tool. Create a new MX record using the information provided in that last window. Set the Priority to 0 so that this record takes priority over other ones that might exist. Once again, for Go Daddy it would look something like this:


Check to make sure that no other MX records have a higher priority. If they do, change them to a lower priority (e.g. 10 or 20; larger numbers mean lower priority), or delete them if appropriate. The new record needs to be the highest priority or mail delivery will not work.


Done? Great! Switch back to your BPOS admin window, and click Finish on the Enable Inbound Messaging box. That’s it! You’ve just configured BPOS for email.
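Before testing with real mail, the DNS changes from Step 2 (the verification CNAME) and Step 4 (the MX record) can be checked from PowerShell. The script below is an added example and is not code from the original article; the alias, target and MX host values are placeholders to be replaced with what the BPOS wizard displayed, and it assumes the DnsClient module (Resolve-DnsName, Windows 8 / Server 2012 or later).

```powershell
# Added example; not code from the original article. Checks the CNAME from
# Step 2 and the MX record from Step 4 with Resolve-DnsName (DnsClient module).
# The alias, target and MX host values are placeholders: substitute the values
# the BPOS wizard displayed for your domain.
$Domain      = 'bpostutorials.com'               # domain added in Step 1
$AliasHost   = 'ALIAS-HOST-FROM-BPOS'            # "Host name" shown in Step 2 (placeholder)
$AliasTarget = 'alias-target-from-bpos.example'  # "Points To" shown in Step 2 (placeholder)
$MxTarget    = 'mx-host-from-bpos.example'       # MX host shown in Step 4 (placeholder)
$Resolver    = $null   # set to a public resolver, e.g. '8.8.8.8', to look up from "another system"

function Invoke-Lookup {
    param([string]$Name, [string]$Type)
    $params = @{ Name = $Name; Type = $Type; DnsOnly = $true; ErrorAction = 'SilentlyContinue' }
    if ($Resolver) { $params['Server'] = $Resolver }   # bypass the local cache and resolver
    Resolve-DnsName @params
}

# Compare host names ignoring case and a trailing dot.
function Test-Fqdn([string]$a, [string]$b) { $a.TrimEnd('.') -ieq $b.TrimEnd('.') }

# Step 2: BPOS verifies the domain only when the alias resolves to the exact target it gave you.
$cname = Invoke-Lookup -Name "$AliasHost.$Domain" -Type CNAME |
         Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
if (-not $cname) {
    Write-Warning "No CNAME for $AliasHost.$Domain yet (typo, or the registrar has not published it)."
} elseif (-not (Test-Fqdn $cname.NameHost $AliasTarget)) {
    Write-Warning "CNAME points to $($cname.NameHost); expected $AliasTarget."
} else {
    Write-Host "OK: $AliasHost.$Domain -> $($cname.NameHost)"
}

# Step 4: the BPOS MX must have the lowest Preference value, with no other record tying it.
$mx = @(Invoke-Lookup -Name $Domain -Type MX | Where-Object { $_.Type -eq 'MX' } | Sort-Object Preference)
if ($mx.Count -eq 0) {
    Write-Warning "No MX records published for $Domain."
} else {
    $mx | ForEach-Object { Write-Host ("  preference {0,3}  {1}" -f $_.Preference, $_.NameExchange) }
    $best = $mx[0]
    $ties = @($mx | Where-Object { $_.Preference -eq $best.Preference })
    $bpos = @($mx | Where-Object { Test-Fqdn $_.NameExchange $MxTarget })
    if ($bpos.Count -eq 0) {
        Write-Warning "No MX record for $MxTarget; inbound mail still goes to the old server."
    } elseif (-not (Test-Fqdn $best.NameExchange $MxTarget) -or $ties.Count -gt 1) {
        Write-Warning "Another MX record ties or outranks the BPOS one; renumber it higher (e.g. 10 or 20) or delete it."
    } else {
        Write-Host "OK: $MxTarget is the preferred MX for $Domain"
    }
}
```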

Step 5: Test

Use a different mail system to send an email to one of the newly created mailboxes. Then, log in to OWA and you should see something like this:


Allowing application servers to relay off Exchange Server 2007/2010


From time to time, you need to allow an application server to relay off of your Exchange server. You might need to do this if you have a SharePoint, a CRM application like Dynamics, or a web site that sends emails to your employees or customers.

You might need to do this if you are getting the SMTP error message “550 5.7.1 Unable to relay”

The top rule is that you want to keep relay restricted as tightly as possible, even on servers that are not connected to the Internet. Usually this is done with authentication and/or restricting by IP address. Exchange 2003 provides the following relay restrictions on the SMTP virtual server (VS):

Here are the equivalent options for how to configure this in Exchange 2007.

Allow all computers which successfully authenticate to relay, regardless of the list above

Like its predecessor, Exchange 2007 is configured by default to accept and relay email from hosts that authenticate. Both the “Default” and “Client” receive connectors are configured this way out of the box. Authenticating is the simplest method to submit messages, and preferred in many cases.

The Permissions Group that allows authenticated users to submit and relay is the “ExchangeUsers” group. The permissions that are granted with this permissions group are:

NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Submit}
NT AUTHORITY\Authenticated Users {ms-Exch-Accept-Headers-Routing}
NT AUTHORITY\Authenticated Users {ms-Exch-Bypass-Anti-Spam}
NT AUTHORITY\Authenticated Users {ms-Exch-SMTP-Accept-Any-Recipient}

The specific permission (extended right) that controls relay is ms-Exch-SMTP-Accept-Any-Recipient.

Only the list below (specify IP address)

This option is for those who cannot authenticate with Exchange. The most common example of this is an application server that needs to be able to relay messages through Exchange.

First, start with a new custom receive connector. You can think of receive connectors as protocol listeners. The closest equivalent to Exchange 2003 is an SMTP Virtual Server. You must create a new one because you will want to scope the remote IP Address(es) that you will allow.

The next screen you must pay particular attention to is the “Remote Network settings”. This is where you will specify the IP ranges of servers that will be allowed to submit mail. You definitely want to restrict this range down as much as you can. In this case, I want my two web servers, 192.168.2.55 & 192.168.2.56 to be allowed to relay.

The next step is to create the connector, and open the properties. Now you have two options, which I will present. The first option will probably be the most common.

Option 1: Make your new scoped connector an Externally Secured connector

This option is the most common option, and preferred in most situations where the application that is submitting will be submitting email to your internal users as well as relaying to the outside world.

Before you can perform this step, it is required that you enable the Exchange Servers permission group. Once in the properties, go to the Permissions Groups tab and select Exchange servers.

Next, continue to the authentication mechanisms page and add the “Externally secured” mechanism. This means that your organization places complete trust in the IP addresses you designated in the previous step.

Caveat: If you do not perform these two steps in order, the GUI blocks you from continuing.

Do not use this setting lightly. You will be granting several rights including the ability to send on behalf of users in your organization, the ability to ResolveP2 (that is, make it so that the messages appear to be sent from within the organization rather than anonymously), bypass anti-spam, and bypass size limits. The default “Externally Secured” permissions are as follows:

MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

Basically you are telling Exchange to ignore internal security checks because you trust these servers. The nice thing about this option is that it is simple and grants the common rights that most people probably want.

Option 2: Grant the relay permission to Anonymous on your new scoped connector

This option grants the minimum amount of required privileges to the submitting application.

Taking the new scoped connector that you created, you have another option. You can simply grant the ms-Exch-SMTP-Accept-Any-Recipient permission to the anonymous account. Do this by first adding the Anonymous Permissions Group to the connector.

This grants the most common permissions to the anonymous account, but it does not grant the relay permission. This step must be done through the Exchange shell:

Get-ReceiveConnector "CRM Application" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "ms-Exch-SMTP-Accept-Any-Recipient"

In addition to being more difficult to complete, this step does not allow the anonymous account to bypass anti-spam, or ResolveP2.
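The following is an added example, not code from the original post: it builds the Option 2 connector for the two web servers named above in the Exchange Management Shell, and then audits every receive connector on the server for anonymous relay rights or the Externally Secured mechanism, which is the check to run after either option. The server name EXCH01 and the port binding are assumptions.

```powershell
# Added example; not code from the original post. Run in the Exchange Management
# Shell (2007/2010). Server name and binding are assumptions; the IP addresses and
# connector name are the ones used in the post.
$Server  = 'EXCH01'                            # Hub Transport server (assumed name)
$Name    = 'CRM Application'                   # connector name from the post
$Allowed = '192.168.2.55', '192.168.2.56'      # the only two hosts permitted to relay

# Scoped listener: only the two web servers match RemoteIPRanges, so no other host
# ever reaches this connector's permissions. -Usage Custom starts from no permission groups.
New-ReceiveConnector -Server $Server -Name $Name -Usage Custom `
    -Bindings '0.0.0.0:25' -RemoteIPRanges $Allowed `
    -PermissionGroups AnonymousUsers -AuthMechanism None | Out-Null

# Option 2 (least privilege): add only the relay right to ANONYMOUS LOGON.
# The AnonymousUsers group alone does not include ms-Exch-SMTP-Accept-Any-Recipient.
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User 'NT AUTHORITY\ANONYMOUS LOGON' `
        -ExtendedRights 'ms-Exch-SMTP-Accept-Any-Recipient' | Out-Null

# Option 1 instead (the broad rights listed above), applied in this order because
# Externally Secured requires the Exchange Servers permission group to be present:
#   Set-ReceiveConnector "$Server\$Name" -PermissionGroups ExchangeServers
#   Set-ReceiveConnector "$Server\$Name" -AuthMechanism ExternallySecured

# Audit: every connector that lets anonymous senders relay, or that is Externally
# Secured, together with the remote ranges it answers. A relay-capable connector
# whose RemoteIPRanges is 0.0.0.0-255.255.255.255 is an open relay.
function Get-RelayConnector {
    Get-ReceiveConnector | ForEach-Object {
        $rc = $_
        $anonRelay = Get-ADPermission -Identity $rc.Identity -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { -not $_.Deny } |
            Where-Object { @($_.ExtendedRights | Where-Object { "$_" -like '*Accept-Any-Recipient' }).Count -gt 0 }
        $extSecured = "$($rc.AuthMechanism)" -match 'ExternallySecured'
        if ($anonRelay -or $extSecured) {
            # New-Object rather than [pscustomobject] so it runs on the PowerShell 1.0/2.0 shells of Exchange 2007/2010
            New-Object PSObject -Property @{
                Connector         = $rc.Identity
                AnonymousRelay    = [bool]$anonRelay
                ExternallySecured = $extSecured
                RemoteIPRanges    = ($rc.RemoteIPRanges -join ', ')
            }
        }
    }
}

Get-RelayConnector | Format-Table Connector, AnonymousRelay, ExternallySecured, RemoteIPRanges -AutoSize
```

Any row in the audit output whose RemoteIPRanges is wider than the application servers it was created for should be narrowed or removed.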

Although it is completely different from the Exchange 2003 way of doing things, hopefully you find the new SMTP permissions model to be sensible.

Creating a SharePoint Statement of Governance

Courtesy of the Burton Group.

Everything from maintenance to politics is described as “governance”, but what is it really? What is the list of topics that should go into a web statement of governance that doesn’t overlap with what is already in maintenance and administrator’s manuals? Burton Group to the rescue! This poster provides a handy reference on how to create a SharePoint statement of governance (SOG). It is about 2.5 by 3.5 feet when printed and is the perfect companion to our Methodologies and Best Practices document “Website Governance: Guidance for Portals, SharePoint, and Intranets”.
And best of all, the poster is free for download! Just click on the link to register and then download the file. It is suitable for printing on a large format printer or just scanning online. Download Poster

HP Sizer For Microsoft SharePoint 2010

HP Sizer for Microsoft SharePoint is a complimentary planning resource that encapsulates knowledge gained from extensive performance characterization of Office SharePoint Server 2007 and SharePoint 2010 in the HP Alliances Performance and Solutions labs, widespread collaboration between HP and Microsoft, and numerous SharePoint performance whitepapers produced by HP engineering.

A new feature of this sizer is to configure the server requirements for a highly available Hyper-V R2 environment.

Get it from http://h71019.www7.hp.com/activeanswers/Secure/548230-0-0-0-121.html