Configure and Test SMTP for Office 365

After doing 60+ Office 365 migrations, I have noticed that almost all customers have applications, multi-function printers or other devices that send some kind of email to end users, suppliers or customers.
These devices normally use the SMTP protocol.

To make sure that email is sent securely, Microsoft recommends that the application or device which is going to send email authenticates to the service, and that it does so over TLS.

I always recommend that customers create one or several dedicated Office 365 accounts with an Exchange Online license for this purpose. This way you can set the password to never expire and choose a long, randomly generated password (16 characters or more). Give that account no admin roles or group memberships it does not need: a printer's web interface or an application's config file is a common place for credentials to leak, and a leaked sending account should not open up anything beyond its own mailbox.

Configure the application or device with the following settings:
SMTP Server: smtp.office365.com
Encryption/TLS: YES (STARTTLS)
Port: 587
And of course, enter the dedicated account under username and password. Note that the From address must be that account's own address (or an address the account has Send As permission for); otherwise Exchange Online rejects the message.

Can I test the SMTP connection?

Of course you can test the connection and the credentials before you deploy this solution.
I have created a simple PowerShell one-liner that does this:

# Prompt for the dedicated SMTP account's username and password
$smtpcred = Get-Credential

# Send a test message over STARTTLS on port 587, authenticating with the account above.
# The From address must be the authenticated mailbox (or one it has Send As rights for).
Send-MailMessage -From SMTP@thecloudgeek.net -To Administrator@thecloudgeek.net -Subject "Testing SMTP" -Body "This email is sent from Office365 SMTP server for test purpose" -SmtpServer smtp.office365.com -Credential $smtpcred -UseSsl -Port 587

This comes in handy when a customer calls to report that email from the applications/devices is not working correctly: you can test the connection and the credentials in seconds, independently of the device.
Make sure that you change the mail addresses, the Subject and the Body to suit your needs.
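Send-MailMessage tells you whether a message went through, but not what the server actually negotiated. The function below is an added example, not part of the original post: it talks raw SMTP to the submission endpoint without credentials and without sending anything, checks that STARTTLS is offered, upgrades the connection with normal certificate validation, and reports the TLS version, the certificate and the AUTH mechanisms that are only advertised after encryption. The defaults are the server and port from the post; the EHLO name "smtptest.example" is an assumption and can be any name that identifies your client.

```powershell
# Added example (not from the original post): probe an SMTP submission endpoint
# for STARTTLS without credentials and without sending mail.

function Read-SmtpReply {
    # Read one SMTP reply. Multi-line replies use "250-" on every line
    # except the last, which uses "250 " (a space after the code).
    param([System.IO.StreamReader]$Reader)
    $lines = @()
    do {
        $line = $Reader.ReadLine()
        if ($null -eq $line) { throw 'Connection closed by server' }
        $lines += $line
    } while ($line.Length -ge 4 -and $line[3] -eq '-')
    return $lines
}

function Test-SmtpStartTls {
    param(
        [string]$Server = 'smtp.office365.com',
        [int]$Port = 587,
        [string]$EhloName = 'smtptest.example',   # assumed client name
        [int]$TimeoutMs = 10000
    )

    $client = New-Object System.Net.Sockets.TcpClient
    $client.ReceiveTimeout = $TimeoutMs
    $client.SendTimeout = $TimeoutMs
    $client.Connect($Server, $Port)
    $stream = $client.GetStream()
    $reader = New-Object System.IO.StreamReader($stream)
    $writer = New-Object System.IO.StreamWriter($stream)
    $writer.NewLine = "`r`n"
    $writer.AutoFlush = $true

    try {
        $banner = Read-SmtpReply $reader
        if ($banner[-1] -notmatch '^220') { throw "Unexpected banner: $($banner -join ' | ')" }

        $writer.WriteLine("EHLO $EhloName")
        $ehlo = Read-SmtpReply $reader
        if (-not ($ehlo -match 'STARTTLS')) {
            # No STARTTLS: a device using this server would send its password in clear text.
            $writer.WriteLine('QUIT')
            return [pscustomobject]@{ Server = $Server; Port = $Port; StartTls = $false
                                      TlsVersion = $null; CertSubject = $null
                                      CertNotAfter = $null; AuthMechanisms = $null }
        }

        $writer.WriteLine('STARTTLS')
        $reply = Read-SmtpReply $reader
        if ($reply[-1] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' | ')" }

        # Upgrade the socket. No validation callback is supplied, so an untrusted,
        # expired or name-mismatched certificate throws instead of being accepted.
        # TLS 1.2 is requested explicitly; revocation checking is on.
        $ssl = New-Object System.Net.Security.SslStream($stream, $false)
        $ssl.AuthenticateAsClient($Server, $null, [System.Security.Authentication.SslProtocols]::Tls12, $true)
        $tlsReader = New-Object System.IO.StreamReader($ssl)
        $tlsWriter = New-Object System.IO.StreamWriter($ssl)
        $tlsWriter.NewLine = "`r`n"
        $tlsWriter.AutoFlush = $true

        # A second EHLO is required after STARTTLS; AUTH is advertised only here.
        $tlsWriter.WriteLine("EHLO $EhloName")
        $ehloTls = Read-SmtpReply $tlsReader
        $auth = @($ehloTls | Where-Object { $_ -match '^\d{3}[ -]AUTH ' } |
                 ForEach-Object { ($_ -replace '^\d{3}[ -]AUTH ', '').Split(' ') })
        $tlsWriter.WriteLine('QUIT')

        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return [pscustomobject]@{
            Server         = $Server
            Port           = $Port
            StartTls       = $true
            TlsVersion     = $ssl.SslProtocol
            CertSubject    = $cert.Subject
            CertNotAfter   = $cert.NotAfter
            AuthMechanisms = ($auth -join ',')
        }
    }
    finally {
        $client.Close()
    }
}

Test-SmtpStartTls | Format-List
```

Run it from the same network segment as the device: if StartTls comes back $false, or AuthenticateAsClient throws, the problem is between the device and the server (a proxy, a firewall doing TLS inspection, a wrong port), not the credentials, and Send-MailMessage would only have given you a generic failure.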

Remember
Not all applications and devices support TLS and/or authenticating with specific credentials when sending mail through an SMTP server.
To solve this, you might need to install an SMTP relay server in your own server infrastructure that accepts mail from those devices and forwards it to Office 365 with TLS and authentication. Such a relay accepts unauthenticated mail by design, so restrict it to the source IP addresses of the devices that actually need it.

 

For more information about other solutions and limits, visit TechNet.

Getting Started with Office 365

The great benefit of working with SaaS is that you don't really need any infrastructure to get started. For example, you can basically get started with an Office 365 tenant in just a couple of minutes.

With all the new startup companies and young, bright people starting their own businesses, it is critical to have a basic IT structure from the start, at a limited cost.

Therefore, I will simply show how easily you can get started with Office 365 and the basic functions like email, OneDrive for Business, Skype for Business, SharePoint, and so on.

 

Create an Office 365 tenant with E3 trial licenses:

Go to the Microsoft Office 365 setup guide for E3 licenses here.

Enter the information as required:

Be sure to select the correct country, so the tenant is provisioned in the correct datacenter region for your location (this choice cannot be changed afterwards), and then press Next.

Office365_start_tenant

(If you want to choose which license to get started with, you can do this at https://products.office.com/en-us/business/compare-office-365-for-business-plans. Select the subscription you would like to try by clicking "Free trial".)

Now it is time to enter the information for the first Office 365 account in your tenant.
Normally you would create an account named "Admin" or similar.

Be sure to double-check the "Company name" used when creating the first account.
This name becomes the tenant name and cannot be changed later on. It will also appear in tenant URLs, for example thecloudgeek.sharepoint.com.
Also make sure to save the credentials you enter; this first account is a global administrator, so treat its password accordingly.

Office365_first_user

Confirm you're not a robot:

office365_robot

Enter the code and press "Create my account"

office365_create_account

The tenant will now be provisioned; it may take a couple of minutes before all services are functional and working as planned.

 


office365_settingthingsup

 

Get all Office 365 services working with your custom domain!

When the tenant is provisioned, you will only have the *.onmicrosoft.com domain in your tenant. Of course you need to add your own custom domain.

Here is how:

  1. Go to the Office 365 portal site Portal.office365.com and log in with your admin credentials
  2. Go to the admin center and select "Domains"
  3. Click on "Add Domain"

 

domains

4. Add your domain by following the guide.

You will need to verify that you own the domain before you can start using it.
This is normally done by adding a TXT record to your DNS zone. The value is unique to your tenant; it regularly looks something like this:

TXT name   TXT value       TTL
@          MS=ms35523824   3600

5. When the domain is verified, you can add all the records that actually make Office 365 work. Replace the MX host with the one shown in your own portal; it is derived from your domain name with the dots replaced by hyphens (testcompany.com becomes testcompany-com.mail.protection.outlook.com):

CNAME RECORDS
Host name               Points to address or value                   TTL
autodiscover            autodiscover.outlook.com                     3600
sip                     sipdir.online.lync.com                       3600
lyncdiscover            webdir.online.lync.com                       3600
msoid                   clientconfig.microsoftonline-p.net           3600
enterpriseregistration  enterpriseregistration.windows.net           3600
enterpriseenrollment    enterpriseenrollment.manage.microsoft.com    3600

TXT RECORDS
TXT name   TXT value                                        TTL
@          v=spf1 include:spf.protection.outlook.com -all   3600

Keep exactly one v=spf1 record on the domain. "-all" tells receiving servers to reject mail from any other source, so if you also send mail from somewhere else (a website, a third-party mailing service), add that source to the same record rather than creating a second one.

SRV RECORDS
Service            Protocol  Port  Weight  Priority  Name  Target
_sip               _tls      443   1       100       @     sipdir.online.lync.com
_sipfederationtls  _tcp      5061  1       100       @     sipfed.online.lync.com

MX RECORDS
Priority  Host name  Points to address or value                   TTL
0         @          testcompany-com.mail.protection.outlook.com  3600

 

6. When all the records above are in place and verified in the portal, your Office 365 services will be online and fully functional!

7. Now you need to create some new users and assign licenses, and you are good to go with a basic Office 365 tenant.
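The portal's own domain check only tells you pass or fail. The script below is an added example, not part of the original post: it resolves every record from the tables above for a domain and compares the answers with the expected targets, and then checks the SPF record separately (exactly one v=spf1 record, with the Exchange Online Protection include and a "-all" ending). It uses Resolve-DnsName from the DnsClient module (Windows 8 / Server 2012 and later). "example.com" is a placeholder for your own domain, and querying 8.8.8.8 directly is an assumption made so that a stale answer from the internal DNS does not hide a missing record.

```powershell
# Added example (not from the original post): check the Office 365 DNS records
# from the tables above against what public DNS actually returns.

function Test-Office365Dns {
    param(
        [Parameter(Mandatory)][string]$Domain,
        [string]$Resolver = '8.8.8.8'   # assumption: any public resolver works
    )

    # MX host is the domain with dots replaced by hyphens
    $label = $Domain -replace '\.', '-'
    $expected = @(
        @{ Type = 'MX';    Name = $Domain;                           Target = "$label.mail.protection.outlook.com" }
        @{ Type = 'CNAME'; Name = "autodiscover.$Domain";            Target = 'autodiscover.outlook.com' }
        @{ Type = 'CNAME'; Name = "sip.$Domain";                     Target = 'sipdir.online.lync.com' }
        @{ Type = 'CNAME'; Name = "lyncdiscover.$Domain";            Target = 'webdir.online.lync.com' }
        @{ Type = 'CNAME'; Name = "msoid.$Domain";                   Target = 'clientconfig.microsoftonline-p.net' }
        @{ Type = 'CNAME'; Name = "enterpriseregistration.$Domain";  Target = 'enterpriseregistration.windows.net' }
        @{ Type = 'CNAME'; Name = "enterpriseenrollment.$Domain";    Target = 'enterpriseenrollment.manage.microsoft.com' }
        @{ Type = 'SRV';   Name = "_sip._tls.$Domain";               Target = 'sipdir.online.lync.com'; Port = 443 }
        @{ Type = 'SRV';   Name = "_sipfederationtls._tcp.$Domain";  Target = 'sipfed.online.lync.com'; Port = 5061 }
    )

    foreach ($rec in $expected) {
        $actual = $null
        # -DnsOnly skips LLMNR/NetBIOS; filter on Type because CNAME/MX answers also carry the target's A records
        $answer = Resolve-DnsName -Name $rec.Name -Type $rec.Type -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
                  Where-Object { $_.Type -eq $rec.Type }
        switch ($rec.Type) {
            'MX'    { $actual = $answer | Sort-Object Preference | Select-Object -First 1 -ExpandProperty NameExchange }
            'CNAME' { $actual = $answer | Select-Object -First 1 -ExpandProperty NameHost }
            'SRV'   { $actual = ($answer | Where-Object { $_.Port -eq $rec.Port } | Select-Object -First 1).NameTarget }
        }
        [pscustomobject]@{
            Type     = $rec.Type
            Name     = $rec.Name
            Expected = $rec.Target
            Actual   = $actual
            OK       = ($null -ne $actual -and $actual.TrimEnd('.') -ieq $rec.Target)
        }
    }

    # SPF: exactly one v=spf1 record, it must include Exchange Online Protection,
    # and it should end with -all so that forged mail from elsewhere is rejected.
    $spf = @(Resolve-DnsName -Name $Domain -Type TXT -Server $Resolver -DnsOnly -ErrorAction SilentlyContinue |
             Where-Object { $_.Type -eq 'TXT' } |
             ForEach-Object { $_.Strings -join '' } |
             Where-Object { $_ -match '^v=spf1' })
    [pscustomobject]@{
        Type     = 'TXT'
        Name     = $Domain
        Expected = 'v=spf1 include:spf.protection.outlook.com -all'
        Actual   = ($spf -join ' || ')
        OK       = ($spf.Count -eq 1 -and
                    $spf[0] -match 'include:spf\.protection\.outlook\.com' -and
                    $spf[0] -match '\s-all$')
    }
}

Test-Office365Dns -Domain 'example.com' | Format-Table -AutoSize
```

A row with OK = False and Actual empty means the record has not propagated to the resolver you asked yet, or was never created; a row with a different Actual usually means an old record from a previous mail provider is still in the zone and will keep winning until it is removed.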

 

Office 365 – Shared mailbox sync issues

I have been using shared mailboxes for the majority of customers running Office 365 for a long time. It is a great way to create a mail structure for the different types of groups in an organisation.

For example Order@thecloudgeek.net, Info@thecloudgeek.net, Billing@thecloudgeek.net, and so on.
A shared mailbox is free (it needs no license of its own), but to access it you need an Office 365 account with a valid license and Outlook 2010 or later installed.

However, I have seen a couple of issues with shared mailboxes as well.
Several customers have reported that they don't get regular updates in the shared mailbox. In some cases, the mailbox is not updated for several days for some users.

This is a known issue with the automapping function, which is what makes the shared mailbox appear automatically in the Outlook client.

Here is one way to solve the issue:

 

Step 1:

Remove the user's "Full Access" permission on the shared mailbox which isn't syncing.

Step 2:

Make sure the shared mailbox disappears from the user's Outlook client.
(You might speed up the process by restarting Outlook.)

Step 3:

Add Full Access to the specific shared mailbox again through PowerShell, this time with the automapping function disabled:

Add-MailboxPermission -Identity "shared mailbox name" -User "user name" -AccessRights FullAccess -InheritanceType All -AutoMapping $false

Step 4:

Add the shared mailbox manually in Outlook through the following steps:

Right-click your main account and select "Data File Properties" -> "Advanced" -> "Advanced" -> press "Add" and type the email address of the shared mailbox.

 

The mailbox will now start to sync as it should.
Be aware of "Use Cached Exchange Mode": with it enabled, the shared mailbox is also cached locally, which can take up a lot of disk space on the user profile disk or on C:\ depending on setup and environment.
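The server-side part of the four steps (remove the permission, re-add it without automapping, verify) as one function. This is an added example, not code from the original post. It assumes an Exchange Online PowerShell session is already open (Connect-ExchangeOnline from the ExchangeOnlineManagement module, or an imported remote session); the mailbox and user addresses are placeholders. Step 2 (waiting for Outlook to drop the mailbox) and step 4 (the user adding it manually) still happen on the client.

```powershell
# Added example (not from the original post): steps 1 and 3 above as one
# Exchange Online PowerShell function, with a verification at the end.
# Assumes an Exchange Online session is already established.

function Reset-SharedMailboxAccess {
    param(
        [Parameter(Mandatory)][string]$SharedMailbox,   # e.g. info@thecloudgeek.net (placeholder)
        [Parameter(Mandatory)][string]$User             # e.g. anna@thecloudgeek.net (placeholder)
    )

    # Step 1: remove the existing Full Access permission. Removing it is what
    # clears the automapping entry; that is why a plain Add-MailboxPermission
    # on top of the old permission is not enough.
    $existing = Get-MailboxPermission -Identity $SharedMailbox -User $User -ErrorAction SilentlyContinue |
                Where-Object { $_.AccessRights -contains 'FullAccess' -and -not $_.Deny }
    if ($existing) {
        Remove-MailboxPermission -Identity $SharedMailbox -User $User -AccessRights FullAccess -Confirm:$false
    }

    # Step 3: re-add Full Access with automapping disabled, so Outlook will not
    # add the mailbox by itself; the user adds it manually (step 4 in the post).
    Add-MailboxPermission -Identity $SharedMailbox -User $User -AccessRights FullAccess `
        -InheritanceType All -AutoMapping $false | Out-Null

    # Verify and return the effective permission so you can paste it into the ticket
    Get-MailboxPermission -Identity $SharedMailbox -User $User |
        Select-Object Identity, User, AccessRights, IsInherited, Deny
}

Reset-SharedMailboxAccess -SharedMailbox 'info@thecloudgeek.net' -User 'anna@thecloudgeek.net'
```

Give Outlook a few minutes after this (or restart it, as the post says) before the user re-adds the mailbox; the automapping change reaches the client through Autodiscover and is not instant.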

Getting Started with Nano Server

The next generation of Windows Server is soon to be released; the final release date is estimated to Q2/Q3 2016.

Windows Server 2016 is very exciting and will for sure change the way we administer servers.
Microsoft has added a new installation option in Windows Server 2016: Nano Server.

Nano Server is truly a "core server". It does not include the option to install a GUI, and you will not be able to log on to the server locally or through RDP.
This makes it possible to build the Microsoft OS on a completely new, minimal level compared to before.
All management is handled remotely through WMI/PowerShell.

Several Microsoft engineers claim that Nano Server will require up to 80% fewer reboots.
This is thanks to the server not containing any GUI: it has fewer services and processes running and will require fewer critical patches. Fewer components also means a smaller attack surface, which is the part that matters most from a security point of view.

Check out some information from TechEd's great video at:
https://www.youtube.com/watch?v=HLtfDzJngQg

Let's go!

It's time to get familiar with the new Windows Nano Server.
I'm going to run a Nano Server as a VM in my test environment. Here is how to get started:

Step 1:

Download the Windows Server 2016 TP4 from:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview

Be sure to log in and register for the evaluation copy.

Save the .ISO file to C:\TEMP\NanoServer

download_iso

 

Step 2:

Now it's time to download all the PowerShell scripts needed.

Download the script "Create a New Nano Server VHD/VHDx" from Script Center.
Save the .ps1 script to C:\TEMP\NanoServer

download_script

You will also need Convert-WindowsImage.ps1 from https://raw.githubusercontent.com/PlagueHO/Powershell/master/New-NanoServerVHD/Convert-WindowsImage.ps1
Save the .ps1 script to C:\TEMP\NanoServer

This is because there is currently a bug in the original Convert-WindowsImage.ps1 that causes TP4 not to work as it should. As with any script you download and run elevated, read through it before you run it.

Now you should have these files under C:\TEMP\NanoServer

10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso
Convert-WindowsImage.ps1
New-NanoServerVHD.ps1

Step 3:

Now it's time to start the actual creation of the .vhd file:

Start PowerShell ISE as Administrator

cd to C:\TEMP\NanoServer

Paste the following script and edit the settings as you want them:

# Builds a Nano Server TP4 VHD from the ISO. Replace the password before running,
# and do not leave the real administrator password behind in a saved script.
.\New-NanoServerVHD.ps1 `
-ServerISO 'c:\temp\NanoServer\10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso' `
-DestVHD c:\temp\NanoServer\NanoServerTP4_C.vhd `
-ComputerName NanoServerTP4 `
-AdministratorPassword 'Secr3Tp@ssw0rd' `
-Packages 'OEM-Drivers','Guest' `
-IPAddress '192.168.1.55'

The .vhd file is now being created with the settings above.

crate_vhd_file.JPG

Now that you have the .vhd file ready, you only need to create a new Generation 1 VM and attach the .vhd disk, and then you're all set to start using Windows Nano Server!

This is how Nano Server looks through the Console in Hyper-V:

nanoserver_ready

 

Connect to the Nano Server through PowerShell (run this on the management machine, not on the Nano Server):

# Enable PowerShell remoting on the management machine
Enable-PSRemoting -Force

# The Nano Server is not domain-joined, so WinRM falls back to NTLM and the client
# must explicitly trust it. Use the Nano Server's name or IP here; a value of "*"
# would make this client willing to send credentials to any host it connects to.
Set-Item "wsman:\localhost\client\trustedhosts" -Value "192.168.1.55" -Force

# Credentials for the local administrator account set when the VHD was built
$creds = Get-Credential NanoServerTP4\Administrator

# Enter a PSSession; change the IP to the name or IP of your Nano Server
Enter-PSSession -ComputerName 192.168.1.55 -Credential $creds

 

Some (hopefully) useful basic PowerShell scripts:

Allowing ICMP traffic through the Nano Server firewall:

# Enable ICMP on Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Create a new firewall rule that allows inbound ICMPv4 (ping)
New-NetFirewallRule -DisplayName "Allow ICMP" -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True

# Check that the new firewall rule is listed in the rules list
Get-NetFirewallRule -DisplayName "Allow ICMP"

Result:

Nanoserver_ICMP.JPG

Allowing SMB access to the Nano Server:

# Enable SMB access on the Nano Server

# Start by importing the NetSecurity module
Import-Module NetSecurity

# Enable the built-in "File And Printer Sharing" rule group (TCP 445 and friends);
# no new rule needs to be created for this
Set-NetFirewallRule -DisplayGroup "File And Printer Sharing" -Enabled True

Before:

SMB_access

After:

smb_working
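Since everything on Nano is done remotely anyway, the connection and both firewall changes can be run from the management machine in one go and verified from the outside. The script below is an added example, not code from the original post. TrustedHosts is limited to the Nano Server's address rather than "*": a "*" entry makes the client willing to authenticate with NTLM to any host you mistype or get redirected to. The address, computer name and ports are the values from the post; adjust them for your environment.

```powershell
# Added example (not from the original post): apply the ICMP and SMB firewall
# changes over PowerShell remoting and verify them from the management machine.

$nano = '192.168.1.55'   # the IP given to New-NanoServerVHD.ps1 above

# Trust only the Nano Server for WinRM (workgroup machine, no Kerberos available)
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value $nano -Force

$cred = Get-Credential -UserName 'NanoServerTP4\Administrator' -Message 'Nano Server administrator'
$session = New-PSSession -ComputerName $nano -Credential $cred

Invoke-Command -Session $session -ScriptBlock {
    Import-Module NetSecurity

    # ICMPv4 echo: create the rule only if it does not already exist
    if (-not (Get-NetFirewallRule -DisplayName 'Allow ICMP' -ErrorAction SilentlyContinue)) {
        New-NetFirewallRule -DisplayName 'Allow ICMP' -Direction Inbound -Action Allow `
            -Protocol icmpv4 -Enabled True | Out-Null
    }

    # SMB: enable the built-in rule group rather than writing a new rule
    Set-NetFirewallRule -DisplayGroup 'File And Printer Sharing' -Enabled True

    # Report what is now enabled
    Get-NetFirewallRule -DisplayName 'Allow ICMP' |
        Select-Object DisplayName, Enabled, Direction, Action
}

Remove-PSSession $session

# Verify from outside the box: ping and TCP 445 should both succeed now
Test-NetConnection -ComputerName $nano -Port 445 |
    Select-Object ComputerName, PingSucceeded, TcpTestSucceeded
```

If TcpTestSucceeded is still False after the rule group is enabled, the block is somewhere between the two machines (the Hyper-V virtual switch or the management machine's own firewall), not on the Nano Server.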

 

More about the Nano Server:
https://technet.microsoft.com/en-us/library/mt126167.aspx

Adobe Reader DC – There was an error opening this document. Access denied

adobereaderx

I came across this issue when Adobe Reader 11.0 was updated to Adobe Reader DC 2015.007 on a Remote Desktop server.

Users who tried to open a .pdf file from Outlook were prompted with the error "There was an error opening this document. Access denied."

However, if the users on the RDS server saved the file first, there was no issue opening it.
This is because a .pdf attachment opened straight from Outlook is classed as coming from an unknown internet source.

 

Why?

PDF files have grown from being static documents to being dynamic and "smart" documents.
PDF files have functions like running scripts when opened, which makes them a common carrier for malware.
Therefore Adobe has built-in protection for PDF files from unknown sources called "Protected Mode" (also called sandbox protection): Reader renders the document in a low-privilege sandbox, so a malicious PDF that exploits Reader cannot write to the rest of the user's profile or the system.

 

Turn off "Protected Mode" in a client/user's RDS profile:

Open Adobe Reader DC

Click "Edit" and choose "Preferences"

Click on "Security (Enhanced)" and untick "Enable Protected Mode at startup"

adobe_security_pref

This might be a quick solution if you have a handful of users, but if you have 250 users in an RDS environment? Not so much.

Keep in mind what you are trading away: with Protected Mode off, every PDF these users open runs without the sandbox, not only the Outlook attachments that triggered the error. Limit the change to the users who actually need it, and keep Reader patched.

Turn off "Protected Mode" through GPO (the fast way)

You can turn off Protected Mode by changing a registry value, for example with a Group Policy registry preference:

HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\Privileged\
Change the value "bProtectedMode"=dword:00000001 to "bProtectedMode"=dword:00000000

This will work just fine, but there is a better way: through ADMX files.

 

Turn off "Protected Mode" through an ADMX-based GPO:

When you use an ADMX template for the software in question, you can make several changes in the software easily. The changes and values are also much easier to understand in the GPO than a list of raw registry keys.

How to:

  1. Log on to one of your domain controllers
  2. Download the ADMX files from Adobe ( ftp://ftp.adobe.com/pub/adobe/reader/win/AcrobatDC/misc/ReaderADMTemplate.zip )
  3. Unzip the files
  4. Take a copy of C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions (in case something goes wrong when you import the ADMX files)
  5. Copy the ADMX file into C:\Windows\SYSVOL\domain\Policies\PolicyDefinitions and the matching ADML file into its language subfolder (for example en-US)
  6. Start Group Policy Management
  7. Create a new GPO, or use an existing one
  8. Edit the GPO and go to Computer Configuration -> Policies -> Administrative Templates -> Adobe Acrobat 2015 -> Startup -> set "Enable Protected Mode at startup" to Disabled

gpo
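Once the GPO is in place, it is worth knowing which users on the RDS host are actually running without the sandbox. The function below is an added example, not part of the original post: it walks the user hives loaded under HKEY_USERS (so it sees logged-on users), reads the bProtectedMode value at the registry path from the post, and with -Restore sets it back to 1. Run it elevated so that every hive is readable; users whose hive is not loaded are not reported.

```powershell
# Added example (not from the original post): audit (and optionally restore)
# Reader DC Protected Mode per user on an RDS host.

function Get-ReaderProtectedModeState {
    param([switch]$Restore)   # -Restore sets bProtectedMode back to 1 where it is 0

    $subPath = 'SOFTWARE\Adobe\Acrobat Reader\DC\Privileged'

    Get-ChildItem Registry::HKEY_USERS |
        # Only real user SIDs; skip the *_Classes hives and the built-in accounts
        Where-Object { $_.PSChildName -match '^S-1-5-21-' -and $_.PSChildName -notlike '*_Classes' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $key = "Registry::HKEY_USERS\$sid\$subPath"

            # Resolve the SID to DOMAIN\user where possible
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).
                    Translate([System.Security.Principal.NTAccount]).Value
            } catch {
                $account = $sid
            }

            $value = $null
            if (Test-Path $key) {
                $value = (Get-ItemProperty -Path $key -Name bProtectedMode -ErrorAction SilentlyContinue).bProtectedMode
            }
            # A missing value means Reader's default applies, which is Protected Mode on
            $enabled = ($null -eq $value) -or ($value -ne 0)

            if ($Restore -and -not $enabled) {
                Set-ItemProperty -Path $key -Name bProtectedMode -Value 1 -Type DWord
                $enabled = $true
            }

            [pscustomobject]@{
                User          = $account
                Sid           = $sid
                ProtectedMode = $enabled
                RawValue      = $value
            }
        }
}

Get-ReaderProtectedModeState | Format-Table -AutoSize
```

Note that when the setting is delivered through the ADMX policy rather than a preference, the value lives under the policy branch and is locked in Reader's UI; this check reads the per-user preference value from the post, so use it for the registry-preference and manual approaches above.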

 

How to delete windows.old folder in Windows 10

windows.old

Windows 10 has been out for a couple of months, and with Threshold 2 it feels great!

When you have upgraded to Windows 10 from Windows 7 or 8.1, you get a folder under C:\ named "Windows.old".
This folder contains your old operating system; if you roll back to your old OS, this is the data that will be used.

If you have decided to stick with Windows 10, this folder is unnecessary and only takes up space on your precious SSD 🙂

The folder contains system files, so you will not be able to delete all of the files from Explorer. The system just won't let you.

 

This is how I solved this and saved about 16 GB of space:

Press windows key + R and type cleanmgr.exe then press “OK”

cleanmgr

 

Press “Clean up system files”

cleanup system files

 

Scroll down to "Previous Windows installation(s)", select it, then press "OK"

cleanup old_os

 

Click “delete files”

delete

 

Click “Yes” to confirm the delete

delete2

 

Windows will now delete the files; this takes anything from 30 seconds to a couple of minutes depending on size and disk performance.

working
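The same cleanup can be scripted, which is handy for a fleet of upgraded machines. The function below is an added example, not part of the original post: it measures Windows.old, marks only the "Previous Installations" cleanup handler as selected in a cleanmgr state set, runs cleanmgr.exe with that set, and then clears the flag again. It has to run elevated. The StateFlags mechanism (value 2 under a VolumeCaches handler key, then /sagerun with the same set number) is cleanmgr's own; the set number 64 is an arbitrary choice made here.

```powershell
# Added example (not from the original post): remove Windows.old with Disk
# Cleanup from an elevated PowerShell prompt instead of clicking through.

function Remove-PreviousWindowsInstallation {
    param([int]$SetNumber = 64)   # assumption: any unused set number 0-9999 works

    $oldDir = Join-Path $env:SystemDrive 'Windows.old'
    if (-not (Test-Path -LiteralPath $oldDir)) {
        Write-Host 'No Windows.old folder present; nothing to do.'
        return $true
    }

    # Report how much space will be reclaimed
    $bytes = (Get-ChildItem -LiteralPath $oldDir -Recurse -Force -ErrorAction SilentlyContinue |
              Measure-Object -Property Length -Sum).Sum
    Write-Host ('Windows.old currently uses {0:N1} GB' -f ($bytes / 1GB))

    # Select only the "Previous Installations" handler for this set, nothing else
    $handler = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\VolumeCaches\Previous Installations'
    $flag = 'StateFlags{0:D4}' -f $SetNumber
    Set-ItemProperty -Path $handler -Name $flag -Value 2 -Type DWord

    # Run the cleanup with that set and wait for it to finish
    Start-Process -FilePath cleanmgr.exe -ArgumentList "/sagerun:$SetNumber" -Wait

    # Clear the flag so a later /sagerun with the same number does not silently repeat this
    Remove-ItemProperty -Path $handler -Name $flag -ErrorAction SilentlyContinue

    # $true when the folder is gone
    return -not (Test-Path -LiteralPath $oldDir)
}

Remove-PreviousWindowsInstallation
```

Like the GUI route, this is irreversible: after it returns $true the rollback option in Settings is gone, so run it only on machines where you have decided to stay on Windows 10.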

 

Transferring FSMO Roles

Hey!

So it's time to phase out an older DC and demote it?

Here's a basic description of how to do it:

There are a total of 5 roles that need to be transferred before demoting and uninstalling the DC role on the existing DC:

  • RID master
  • PDC Emulator
  • Infrastructure master
  • Domain naming master
  • Schema master

The first three exist once per domain, the last two once per forest.

 

 To confirm where the roles are located:

Start cmd.exe and type:
netdom query fsmo

Now you should get a list of all FSMO roles and which server holds each role:

Capture

 

Stage 1:

Transfer RID Master, PDC Emulator, and Infrastructure Master

Open Active Directory Users and Computers.

First connect the console to the DC that should receive the roles: right-click the Active Directory Users and Computers node, select "Change Domain Controller" and pick the new DC. The "Change" button in the next step always transfers the role to the DC the console is connected to.

Right-click the Active Directory Users and Computers node again and select "Operations Masters".

Select the appropriate tab for the role you wish to transfer and press the "Change" button.

 

Stage 2:

Transfer the Domain Naming Master role

Open Active Directory Domains and Trusts and, as above, connect the console to the new DC first ("Change Active Directory Domain Controller").

Right-click the Active Directory Domains and Trusts node and select "Operations Master".

Press "Change".

 

Stage 3:

 Transfer the Schema Master role

You must be a member of the Schema Admins group for this one.

Run regsvr32 schmmgmt.dll to register the snap-in and wait for the success confirmation.

Open MMC and add the Active Directory Schema snap-in.

Right-click the Active Directory Schema node, select "Change Active Directory Domain Controller" and connect to the new DC, then right-click it again and select "Operations Master".

Press the "Change" button.

 

Be sure to check that the new DC is a Global Catalog and that replication to it has completed without errors (repadmin /showrepl, or simply rerun netdom query fsmo against the new DC) before demoting the old DC.
Remove the Global Catalog from the old DC first, so that clients stop using it for GC lookups before it is phased out.
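The three GUI stages above collapse into a short ActiveDirectory-module script, which also removes the "which DC is the console connected to" trap. This is an added example, not part of the original post: it lists the current role holders, transfers all five roles to the new DC, and then runs the pre-demotion checks from the last paragraph (Global Catalog, all roles moved, no replication failures). "NEWDC01" is a placeholder for your target DC. Run it as a member of Domain Admins, Enterprise Admins and Schema Admins; the schema role needs the last one.

```powershell
# Added example (not from the original post): transfer all five FSMO roles with
# the ActiveDirectory module and check that the old DC is safe to demote.

Import-Module ActiveDirectory

function Get-FsmoRoleHolders {
    # Forest-wide roles come from Get-ADForest, domain roles from Get-ADDomain
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-AllFsmoRoles {
    param([Parameter(Mandatory)][string]$TargetDC)

    Write-Host 'Before:'
    Get-FsmoRoleHolders | Format-List | Out-String | Write-Host

    # -Force is deliberately NOT used: this is a transfer, which the current
    # holder takes part in. -Force seizes the role and must only be used when the
    # old DC is permanently gone, and that DC must never come back online afterwards.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC `
        -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
        -Confirm:$false

    Write-Host 'After:'
    Get-FsmoRoleHolders | Format-List | Out-String | Write-Host
}

function Test-ReadyToDemoteOldDC {
    param([Parameter(Mandatory)][string]$TargetDC)

    $dc = Get-ADDomainController -Identity $TargetDC
    # Inbound replication status for the new DC; 0 means the last attempt succeeded
    $failures = @(Get-ADReplicationPartnerMetadata -Target $TargetDC -Scope Server |
                  Where-Object { $_.LastReplicationResult -ne 0 })
    $holders = Get-FsmoRoleHolders
    $rolesOnTarget = @($holders.PSObject.Properties.Value | Where-Object { $_ -like "$TargetDC*" }).Count

    [pscustomobject]@{
        TargetDC             = $dc.HostName
        IsGlobalCatalog      = $dc.IsGlobalCatalog
        AllFiveRolesOnTarget = ($rolesOnTarget -eq 5)
        ReplicationFailures  = $failures.Count
        ReadyToDemoteOldDC   = ($dc.IsGlobalCatalog -and $rolesOnTarget -eq 5 -and $failures.Count -eq 0)
    }
}

Move-AllFsmoRoles -TargetDC 'NEWDC01'          # placeholder name
Test-ReadyToDemoteOldDC -TargetDC 'NEWDC01'
```

Only demote the old DC when ReadyToDemoteOldDC is True; a False with AllFiveRolesOnTarget = False usually means the transfer was refused because the old holder could not be reached, which is exactly the case where you must not fall back to a seizure without understanding why.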