Channel: Directory integration services - Recent Threads
Viewing all 3141 articles

AV exclusions for DirSync


What are the AV exclusions for the DirSync tool installed on a 2008 R2 server?


Sync of proxy addresses


I have a hybrid Exchange environment, and have successfully migrated some mailboxes, however we have one user which is failing with the error "The target mailbox doesn't have an SMTP proxy matching 'domain.mail.onmicrosoft.com'".

I have checked this mailbox, and it does have this address (set by email address policy). I checked the 'Attribute Editor' tab of this user's AD object, and the proxyAddresses attribute is correct. I have forced a sync (Start-OnlineCoexistenceSync), and it has been trying for more than a day, but I still get this error. Has anyone seen this behaviour before?

Dirsync for Exchange ExtensionCustomAttribute1


Based on my testing and some older forum posts it appears that ExtensionCustomAttribute1 for Exchange is synchronized to Windows Azure AD, but it is not picked up by Exchange Online in Office 365.

My intent was to use this attribute for an organization with no on-premises Exchange for dynamic distribution groups. However, I'd like to use Dirsync for the password synchronization.

In my testing the attribute never appears in Exchange Online and I am unable to set the attribute because my on-premises AD is authoritative for the object.

Authentication runs slow, even after Smart Link URL has been enabled


Experts,

Environment:

ADFS 2.0

Domain: Federated to office 365

ADFS proxy

Issue: Authentication used to take time and moreover user experience was not great, as user had to provide credentials first on https://portal.microsoftonline.com & again for our STS server.

Thus enabled smart url, wherein users now provide credentials only at the STS server stage and Smart link takes care of Home realm as well token redirection.

However it takes average 20 seconds to reach the SharePoint post authentication page.
Thus would like to know, what best can be done to optimize the smart link access mechanism, so users are authenticated end to end in shorter span.

Internal authentication to reach ADFS, takes average 4 seconds.
16 seconds are being taken between ADFS, Office 365 federation gateway & SharePoint Online.

Any suggestion, will be deeply appreciated.

Match On-prem AD user with a Cloud Identity


Hi,

One of our customers deployed Office 365 a long time ago only with SharePoint Online subscriptions, without synchronization with their local AD. Now they want integration because of an Exchange and Lync deployment.

Question is: Is there a way to match the Cloud identity with the one that will be synced? The customer has sites in SharePoint with a well defined hierarchy and user permission, so they're afraid of losing it after AD Sync. I went through the documentation and found the SMTP Matching KB that applies for Exchange Online (http://support2.microsoft.com/kb/2641663?wa=wsignin1.0), but I haven't found any regarding an existing SharePoint Online deployment.

Regards,

Nicolás.

 

Connectivity Test Failed for Federation domain.


We set up a federation domain using a saml2 IDP to complete the client user auth. When we log in to https://login.microsoftonline.com/login.srf, we get error: 80047899.

When we test Office 365 using Microsoft Connectivity Analyzer, we get the result: Additional Details: The token could not be found in the response body.

The following is the result of Microsoft Connectivity Analyzer.
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN"  "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd"> <html xmlns="http://www.w3.org/1999/xhtml" xml:lang="en" lang="en"> <head>  <meta http-equiv="content-type" content="text/html; charset=utf-8" />  <title>POST data</title> </head> <body onload="document.getElementsByTagName('input')[0].click();">

 <noscript>  <p><strong>Note:</strong> Since your browser does not support JavaScript, you must press the button below once to proceed.</p>  </noscript>

 <form method="post" action="https://login.microsoftonline.com/login.srf">  <!-- Need to add this element and call click method, because calling submit()  on the form causes failed submission if the form has another element with name or id of submit.  See: https://developer.mozilla.org/en/DOM/form.submit#Specification -->  <input type="submit" style="display:none;" /> <input type="hidden" name="SAMLResponse" value="XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX" /><input type="hidden" name="RelayState" value="4ded2443-7036-4c4b-a1e4-8ccacb79f57a" />  <noscript>  <input type="submit" value="Submit" />  </noscript>  </form>

</body> </html>

But on my saml2 IDP side, we got these logs; this is part of the SAMLResponse:
<saml:Subject> <saml:NameID Format="urn:oasis:names:tc:SAML:2.0:attrname-format:basic">c83a356bd6ff9b8456391530b5701fc024b17193</saml:NameID> <saml:SubjectConfirmation Method="urn:oasis:names:tc:SAML:2.0:cm:bearer"> <saml:SubjectConfirmationData NotOnOrAfter="2014-10-20T08:33:30Z" Recipient="https://login.microsoftonline.com/login.srf" InResponseTo="id-f5c11076-4d2b-4df1-89e0-4c89dee62452"/> </saml:SubjectConfirmation> </saml:Subject> <saml:Conditions NotBefore="2014-10-20T08:28:00Z" NotOnOrAfter="2014-10-20T08:33:30Z"> <saml:AudienceRestriction>

<saml:AttributeStatement> <saml:Attribute Name="IDPEmail" NameFormat="urn:oasis:names:tc:SAML:2.0:attrname-format:basic"> <saml:AttributeValue xsi:type="xs:string">xxx@xxxx.com</saml:AttributeValue> </saml:Attribute> </saml:AttributeStatement>

How can I improve those errors?

thanks.

Does ADFS Integration Affect Office User Installs


I apologize in advance for being long winded, but here goes. Our organization is going from Google Apps to Office 365 for compliance reasons. Not only are we having to manage email with our migration, but we are also (naturally) having to plan our office installations accordingly. The email migration seems to be pretty straightforward, but not so much with Office. Management's plan was to go about half and half on the amounts of E1 and E3 licenses that we had and to basically allow the E3 users to distribute their 5 installs to additional users as needed. This sounded like an extremely bad idea, and that giving all but a few of them E3 licenses would have made more sense, but the rest of our IT department eventually agreed to it.

I know that Office 365 lets the users manage their installs. I know that if E3 users quit or move around, we're going to be facing a management nightmare on determining whose PCs are activated where, and the users will not be able to keep up. We are planning to also tie in ADFS. What I haven't been able to find a straight answer on (I tried to ask the vendor helping us with our conversion but for some reason I couldn't get them to understand the question) is if ADFS will also affect this in any way. If we do so, is this going to affect how these installs are authenticated? The behavior that we've currently noticed is that if an E3 user logs in and activates an install on a computer, that computer is usable to any other users regardless of access level. If ADFS is implemented, do these other users still have access or would the E3 user that activated it only have access when they log in?

Manual Removal of dirsync.exe directory sync tool


I stuffed up the installation of the directory sync tool. I'm not sure what caused the FAIL to occur, although I think the hint may be in the error I received when trying to uninstall the tool, stating that the server has lost its trust connection with the domain.


Anyway, I reestablished the trust and tried to remove the tool, but it still would not let me.  So I deleted the files, and then went through the registry deleting what I could find.  I even ran ccleaner on it to try and remove any last vestige - with no luck.


The documentation that I've read through (and I've read each one a dozen times) just seems to always bring up the most helpful statement 'Manually remove the registry keys to complete the installation.'...with no indication as to what to actually remove.


Can anyone please describe to me how to persuade this server that the AD Sync Tool has been uninstalled so I can go about attempting to reinstall it?


Office 365 Username Does Not Match On-Premise Active Directory UPN/SamAccountName


Currently, we are in a Hybrid Configuration with Exchange 2010 SP3 on-premise using DirSync for same sign-on. For all of our other users, the UPN and SamAccountName are the same as the Office365 username created from DirSync. In this instance, it is not.  The UPN and SamAccountName in the on-premise AD are user1a@domain.org.  The username in Office365 is user1b@domain.org. I opened the user in the on-premise EMC and navigated to the user’s properties under the Office365 site.  Under the account tab, his UPN shows up as user1b@domain.org which is incorrect as well.

How do I go about changing this so that the Office 365 username is the same as the UPN/SamAccountName?

Note: I have previously gone through the process of changing a username with a user that is already DirSynced. Do I just go through the same process of running the remote PowerShell below even though the user did not sync in the same fashion as all of the other users from the beginning?

Set-MsolUserPrincipalName -UserPrincipalName oldusername@domain.org -NewUserPrincipalName newusername@domain.org

Can't change UPN...


Greetings,

 

Well, I made the mistake of doing a dirsync before verifying the domain, so my UPNs are all defined as the UPN issued by the O365 product. No problem!

  

I was able to change several of these manually by issuing this command:

Set-MsolUserPrincipalName -UserPrincipalName user@O365UPN.com -NewUserPrincipalName user@mydomain1.com

 

Well, I have several domains.  Now, someone I've set to user@mydomain1.com, I actually want to set to user@mydomain2.com.  Trying to issue the same UPN command results in:

 

Set-MsolUserPrincipalName : Unable to complete this action. Try again later.

 

I went ahead and changed the UPN in AD, but the dirsync fails with:

Unable to update this object in Microsoft Online Services, because the attribute FederatedUser.UserPrincipalName is not valid. Update the value in your local Active Directory.

 

I'm not sure what the process is for this, but nothing I am trying works.  Help would be appreciated!

 

Thanks!




Dirsync user leaves the company


In our environment when a user leaves the company we move the AD account to an OU that we do not sync to O365. The next time Dirsync runs it removes or disables the mailbox and it also soft deletes the user account in O365. What I am noticing is that when the user account is soft deleted, the O365 license for the user account is not removed. Is this by design? After 30 days will the license be removed from the account and available for another user? I also notice that when I run the command "get-msoluser -userprincipalname user@mydomain.com -returndeleteduser" the softdeletedtimestamp shows 10/13/2014 (less than a month). However, if I run get-removedmailbox -identity user@mydomain.com I get back "object user@mydomain.com couldn't be found". From my understanding mailboxes are kept for 30 days? Why wouldn't get-removedmailbox find the disabled mailbox?

 

Can Litigation hold be enabled via DirSync of msExchELCMailboxFlags attribute?


I'm trying to determine if it is possible / supported practice to set a user for litigation hold where:

- Dirsync is in use

- The user's mailbox is on Office365

Considering that DirSync syncs the necessary attributes: msExchELCMailboxFlags, msExchLitigationHoldOwner and msExchLitigationHoldDate,

would it be possible to set Litigation holds by setting these attributes in our on premises AD directory and letting them sync to MSOL?

Weird disclaimer rules issues


We have recently set up two disclaimer rules based on two mailing groups so that:

Rule 1) If the sender is a member of group "ddi only" AND the recipient's domain is "our domain" then add the disclaimer to match group

Rule 2) If the sender is a member of group "mobile" AND the recipient's domain is "our domain" then add the disclaimer to match group

Basically to add a disclaimer that pulls info in from the directory about the user including name, job title, and either DDI phone number, or DDI & Mobile, but only applies it if the mail is sent to someone internal.

Now this seems to work for every user other than mine. If I send to a single internal person, or if someone internal sends just to me, no disclaimer is added. However if I send to two or more people (one can be external too), then the disclaimer is added. The same for people sending to me i.e. if the mail is sent to me and a number of other people, the disclaimer is added to the mail I get.

I've tried adding my user higher privileges, and also removing them - no change.

The only thing that I have managed to do to get any difference is to change my primary SMTP email address to a slightly different one in my local AD structure, and Dirsync it up to O365. In this way, it all works, but I get weird permissions with old calendar appointments and things.

The only advice that our O2 O365 support guys have been able to give is to delete and re-create my local AD user as they are convinced it's an AD issue.

Does anyone else have any advice on what I can try or what might be causing the issue?

Best option of decommission on-premises Exchange 2003 but want DirSync in future.


Hi,

The current server infrastructure has all Windows Server 2003 and no Windows Server 2008, 2012 already.

 We have successfully migrated the on-premises exchange 2003 based mail system to Office 365 by using Cutover process.

We want to use DirSync in future (not now as we want to upgrade the server infrastructure first and don't want on-premises exchange 2003 in the infrastructure).

 Now we are going to decommission the on-premises exchange server.

 We are looking for deploying DirSync AD integration for same password in future after their current server infrastructure is upgraded.

 I tried using process for making the MBE users to MEU users by using PS1 but it is looking for migration.csv (which is not applicable as we didn’t perform staged migration), hence I tested the script for individual Mailbox Enabled User MBE user which converted the user account to mail enabled user account but as I tried to purge the mailbox in exchange 2003, the system didn’t allow me to remove and popped up message “The mailbox is already connected to existing user”, which it is not.

 On research, according to Microsoft, in such situations if we remove exchange attributes of the user account then we can remove the disconnected mailbox but in this case the user account also loses all attributes it fetched from Office 365 and we cannot create an external email account after the exchange server will be removed.

 My question is what is the best option to remove the on-premises exchange 2003 now, should we use PS1 script for individual mbe user first to make it MEU user (as migration.csv is not available).

 Or should we remove the exchange server 2003 by simply disconnecting all mailboxes from user accounts and

  • In future for using dirsync, we simply install exchange 2010 on-premises.
  • Create the dummy mailboxes on the exchange server 2010 for existing users accounts
  • Use PS1 script to populate all MBE user accounts with Office 365 mail attributes for creating MEU users.
  • Install DirSync feature.

 Please suggest the best option accordingly.

regards,

Restore mailbox to a deleted AD user using Dirsync


I may have the need to remove and re-create a user in my AD structure, but as I understand it, as soon as I remove the user and run Dirsync, that user's mailbox will be deleted.

So I've been testing with a staff member who has just left and am getting nowhere.

So if I delete the AD user and run a sync, the mailbox is removed.

I've tried to restore the mailbox but cannot get dirsync to work against it.

If I add a new AD user with the same SMTP address first, dirsync, then restore the mailbox, O365 says it can't restore to an existing user without changing the AD user's details, which it can't do as it's dirsync so one way only.

If I restore the mailbox first so that it is cloud based, and then create an AD user with the same SMTP address, Dirsync errors that there is an existing user with the same SMTP address.

What do I need to do to get the two matched up?


O365 is very slow using outlook


We have recently migrated to O365. We have offices all over the world. Our head office is in Asia and so is the location of our mail server. Access to the mail server is very slow. It's a bit faster if we use Outlook Web Access. Just to give an example: to open an e-mail using Outlook takes 15-20 seconds. If you want to attach a document with your e-mail it can easily take 25-30 seconds. Any suggestion how to improve this situation? Can you install a cache server or something which will store all the e-mails on-premises as well as on the cloud? We are using Outlook 2010.

Duplicate values - UPN


Hi there,

I'm new to using dirsync and have a problem with regards to duplicate values. I may be missing something really obvious...

I have several Office 365 accounts that I have been using for the past few months. We have since implemented a server into our small business with Active Directory with a .local internal domain. I have created the usernames with a UPN of the domain we are using in Office 365, installed dirsync, enabled in Office 365 etc.

I get error messages in Synchronization Service Manager with regards to export errors, saying the attribute value must be unique. When I create a brand new user in AD it syncs to Office 365 where I can assign licences etc but it seems as though there are problems with the syncing of the Office 365 accounts already there.

As I mentioned, am I missing something blindingly obvious? How do I get synchronization to work with 365 accounts already there apart from deleting them?

Hope someone can help,

Thanks, Mark

OneDrive group on Office 365


I have an Office 365 subscription and I have created a group in the OneDrive/Outlook online. I am able to upload files to the group but I am not able to see the files in my OneDrive for Business desktop app. Is it even possible to sync group files to the desktop app?

dirsynched user is in error condition


One of our dirsynched users has switched into an error condition, we have tried removing the user after disabling ad sync but the issue still stands.

Our exact error is as follows:

Exchange: An unknown error has occurred. Refer to correlation ID: 5593ea34-9701-4dc7-ac17-8d3231463468

How can we restore the user into a healthy status?

Best Regards,

Matteo

DirSync reports cd-error-connected data source error code:87


Hi all,

I found an error from the dirsync manager. The error came from one user only.

Please see the error information below:

Running management agent: Active directory connector

Error: cd-error

Retry count: 20

Connected data source error code: 87

Connected data source error: The parameter is incorrect.

I did not change any settings on this user recently, but the initial occurrence was 2 days ago.

Can anyone help with this case?

Thanks

Oscar
