The post from Sean Erp says it all, good to have in mind when you try to explain to customers!
Source: https://blogs.technet.microsoft.com/ptsblog/2013/06/20/office-365-mail-flow-troubleshooting/
To make sure that the emails is sent secure, Microsoft recommend to Authenticate the Application or Device which is going to send email.
I always recommend the customers to create one or several specific Office 365 Accounts with a Exchange Online license.This way you can set password never expire and choose a complex password with 16 characters.
Configure the Application or Device with the following settings:
SMTP Server: smtp.office365.com
Encryption/TLS: YES
Port: 587
And of course, make sure to enter the specific account under username and password.
Of course you can test the connection and the credentials before you deploy this solution.
I’ve created a simple Powershell script that can test this:
$smtpcred = Get-Credential
Send-MailMessage –From SMTP@thecloudgeek.net –To Administrator@thecloudgeek.net –Subject “Testing SMTP” –Body “This email is sent from Office365 SMTP server for test purpose” -SmtpServer smtp.office365.com -Credential $smtpcred -UseSsl -Port 587
This script can come in handy when some customer call you to report that the email from the Applications/Devices isn’t working correctly. You can test the connection and the credentials easily.
Make sure that you change the mail-addresses, the Subject and Body after your needs.
For more informations about other solutions and limits, visit Technet
Go to Microsoft Office 365 setup guide for E3 licenses here.
Enter the information as required:
Be sure to select the correct country, so the tenant is provisioned in the correct datacenter for your location and then press next.
(If you want to choose witch license to get started with, you can do this at https://products.office.com/en-us/business/compare-office-365-for-business-plans Select the subscription you would like to try by clicking “Free trail”)
Now its time to enter the information for the first Office 365 account in your tenant.
Normally, you would like to create a account named “Admin” of some sort.
Be sure to double-check the “Company name” that creates the first account.
This name cannot be changed later on. This name will also appear in the tenant, for example thecloudgeek.sharepoint.com.
Also make sure to save the credentials you insert!
Confirm you´re not a robot:
Enter the code, and press “Create my account”
The tenant will now be provisioned, it make take a couple of minutes before all services are functional and working as planed.
The tenant will now be provisioned, it make take a couple of minutes before all services are functional and working as planed.
4. Add your domain by following the guide.
You will need to verify that you own the domain before you can start using it.
This is normally done by adding a TXT record into your dns zone.
It regularly looks something like this:
| TXT name | TXT value | TTL |
|---|---|---|
| @ | MS=ms35523824 | 3600 |
5. When the domain is verified, you can add all those records that actually will make office 365 work:
| CNAME RECORDS | ||||||
| Host name | Points to address or value | TTL | ||||
| autodiscover | autodiscover.outlook.com | 3600 | ||||
| sip | sipdir.online.lync.com | 3600 | ||||
| lyncdiscover | webdir.online.lync.com | 3600 | ||||
| msoid | clientconfig.microsoftonline-p.net | 3600 | ||||
| enterpriseregistration | enterpriseregistration.windows.net | 3600 | ||||
| enterpriseenrollment | enterpriseenrollment.manage.microsoft.com | 3600 | ||||
| TXT RECORDS | ||||||
| TXT Name | TXT value | TTL | ||||
| @ | v=spf1 include:spf.protection.outlook.com -all | 3600 | ||||
| SRV RECORDS | ||||||
| Service | Protocol | Port | Weight | Priority | Name | Target |
| _sip | _tls | 443 | 1 | 100 | @ | sipdir.online.lync.com |
| _sipfederationtls | _tcp | 5061 | 1 | 100 | @ | sipfed.online.lync.com |
| MX RECORDS | |||||
| Priority | Host name | Points to address or value | TTL | ||
| 0 | @ | testcompany-com.mail.protection.outlook.com | 3600 | ||
6. When all above records is tested, your Office 365 services will be online and all functional!
7. Now you need to create some new users and assign some licenses, and you are good to go with a basic office 365 tenant
Remove the users “Full permission” to the “shared mailbox” witch isn’t syncing.
Make sure the “Shared mailbox” disappears from the users outlook client.
(You might speed up the process by restarting outlook.)
Disable the automapping function and add FullAccess to the specific shared mailbox through powershell:
Add-MailboxPermission -Identity “shared mailbox name” -User ‘Users name’ -AccessRight FullAccess -InheritanceType All -Automapping $false
Add the shared mailbox manually through the following steps:
Right-click on your main account and select “Data file properties” -> “Advanced” -> “Advanced” -> Press “Add” and type the emailadress of the “shared mailbox”
The mailbox will now start to sync as it should.
Be aware of “Use cached exchange Mode” This might take up alot of disk space in the user profile disk or on C:\ depending on setup and environment.
Download the Windows Server 2016 TP4 at:
https://www.microsoft.com/en-us/evalcenter/evaluate-windows-server-technical-preview
Be sure to login and registry for the evaluate copy.
Save the .ISO file to C:\TEMP\NanoServer
Now its time to download all powershell scripts needed
Download the script “Create a New Nano Server VHD/VHDx” from Script center
Save the .ps1 script to C:\TEMP\NanoServer
You will also need the Convert-WindowsImage.ps1 from https://raw.githubusercontent.com/PlagueHO/Powershell/master/New-NanoServerVHD/Convert-WindowsImage.ps1
Save the .ps1 script to C:\TEMP\NanoServer
This becuase there is currently a bug in the orgiginal Convert-WindowsImage.ps1 that causes the TP4 not to work as it should.
Now you should have the thease files under C:\TEMP\NanoServer
10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso
Convert-WindowsImage.ps1
New-NanoServerVHD.ps1
Now it´s time to start the accual making of the .vhd file:
Start powershell ISE as Administrator
cd to C:\TEMP\NanoServer
Paste the following script and edit it how you would like to have the settings:
.\New-NanoServerVHD.ps1 `
-ServerISO ‘c:\temp\NanoServer\10586.0.151029-1700.TH2_RELEASE_SERVER_OEMRET_X64FRE_EN-US.iso’ `
-DestVHD c:\temp\NanoServer\NanoServerTP4_C.vhd `
-ComputerName NanoServerTP4 `
-AdministratorPassword ‘Secr3Tp@ssw0rd’ `
-Packages ‘OEM-Drivers’,’Guest’ `
-IPAddress ‘192.168.1.55’
The .vhd file is now beeing created with the specifics above.
Now when you have the .vhd file ready, you only need to create a new GEN 1 vm and attach the .vhd disk, and then youre all set to start using Windows Nano Server!
This is how Nano Server looks through the Console in Hyper-V:
# Enable powershell remoting
Enable-PSRemoting -Force
# You might want to change * to the name or IP of the machine you want to connect to
Set-Item “wsman:\localhost\client\trustedhosts” -Value “*” -Force
# Credentials
$creds = Get-Credential servername\Administrator
# Enter PSSession, you must change “ServerAddress” to the name or IP you want to connect to
Enter-PSSession -Computername 192.168.1.55 -Credential $creds
Allowing ICMP trafic in the Nano firewall:
# Enable ICMP on Nano Server
# Start by importing the NetSecurity Module
Import-Module NetSecurity
# Create a new Firewall rule that will allow ICMP
New-NetFirewallRule -DisplayName “Allow ICMP” -Direction Inbound -Action Allow -Protocol icmpv4 -Enabled True
# Controle that the new firewall rule is listed in the rules list
Get-NetFirewallRule -DisplayName “Allow ICMP”
Result:
Allowing SMB browsing to the Nano Server:
# Enable SMB browsing on the Nano Server
# Start by importing the NetSecurity Module
Import-Module NetSecurity
# Create a new Firewall rule that will allow SMB Sharing
Set-NetFirewallRule -DisplayGroup “File And Printer Sharing” -Enabled True
Before:
After:
More about the Nano Server:
https://technet.microsoft.com/en-us/library/mt126167.aspx
I came across this issue when Adobe reader 11.0 was updated to Adobe Reader DC 2015.007 on a Remote desktop server.
Users who tried to open a .pdf file from outlook were prompted with the issue “There was an error opening this document. Access denied.”
However, if the users on the RDS server saved the file there was no issues opening the file.
This because the attachment .pdf file in outlook is classed as an unknown source from internet.
Why?
PDF files have grown from beeing static documents to beeing dynamic and smart documents.
PDF files have functions like running scripts on startup. This make pdf files a vulnerability from a security perspective.
Therefor Adobe have a builtin protection from pdf files from unknown sources called “Protection mode” or “Sandbox Protection”
Open Adobe Reader DC
Click “Edit” and choose “Preferences”
Click on “Security (Enhanced)” and unmark “Enable Protected mode at startup”
This might be a quick solution if you have a handful users, but if you have 250 users in a RDS enivoriment? Not so much.
You can turn of “protected mode” through changing a registry key:
HKEY_CURRENT_USER\SOFTWARE\Adobe\Acrobat Reader\DC\Privileged\
Change the valvue “bProtectedMode”=dword:00000001 to “bProtectedMode”=dword:00000000
This will workout just fine, but there is a better way, Through ADMX files.
When using a ADMX template for the appropriate software, you can make several changes in the software easy. You will have easier to understand the changes and valvues in the GPO instead of having registry keys changed.
Windows 10 have been out for a couple of months, and with the threshold 2 it feels great!
When you have upgraded to windows 10 from win 7 or 8.1 you get a folder under C:\ named “windows.old”.
This folder contains your old operating system, if you would restore back to your old os this is the data that will be used.
If you have decided to stick with windows 10, this folder is unnecessary and will only take up space on your delicious ssd drive 🙂
The folder contains systemfiles, therefore you will not be able to delete all files. The system just won’t let you.
This is how I solved this and saved about 16GB of space:
Press windows key + R and type cleanmgr.exe then press “OK”
Press “Clean up system files”
Scroll down to “Previous Windows Installations and select it, then “OK”
Click “delete files”
Click “Yes” to confirm the delete
Windows will now delete the files, this will take all from 30 seconds to a couple of minutes depending on size and disk preformance.
Hey!
So it´s time to phase out a older DC and demote it?
Here´s a basic description of how to:
There is a total of 5 roles that needs to be transferd before demoting and uninstalling the DC roles on the existing DC:
To confirm where the roles are located:
Start cmd.exe and type:
netdom query fsmo
Now you should get a list of all FSMO roles and witch server that holds the specific role:
Open the Active Directory Users and Computers
Right-click the Active Directory Users and Computers icon again and press Operation Masters.
Select the appropriate tab for the role you wish to transfer and press the Change button.
Open the Active Directory Domains and Trusts
Right-click the Active Directory Domains and Trusts icon again and press Operation Masters.
Press Change.
RUN regsvr32 schmmgmt.dll , success confirmation
Open MMC and add Active Directory Schema
Right-click right-click the Active Directory Schema icon again and press Operation Masters.
Press the Change button.
Be sure to check that the new DC have Global Catalog and that it is synced before demoting the old DC.
You should of course deactivate GC before phasing out the old DC.
