Once again the OffCAT team has shipped a new version (v2.2) that includes some pretty cool features to those found in earlier versions. Hopefully, you will find these features useful and that you understand why there were added in v2.2.

Let OffCAT fix issues for you

We heard you loud and clear that OffCAT needs to be able to fix issues that it finds. Well, in OffCAT v2.2 we added a ‘Fix it for me’ option for rules that detect problems in the registry.

Depending on the detected issue, you may also see a Fix it for me link at the top of the Solution and Issue Description pane.

When you click the Fix it for me link, OffCAT will make the necessary changes to your registry to fix this problem.

Note: When you click Fix it for me, the changes made by OffCAT are the same changes provided in the article referenced by the Click there to see possible solutions to this issue link and the changes can be undone, as shown in the following figure.

We are adding this functionality to more rules in the near future, so the list of issues that can be fixed by OffCAT will certainly grow over time.

Addition of ROIScan to the tools found under ADVANCED Tools

The Robust Office Inventory Scan (ROIScan) tool is a very popular tool that has lived as a vbs script in TechNet for many versions of Office. It is such a great tool for troubleshooting issues such as Office installation and Office updating that we decided to offer it as an advanced tool in OffCAT.

Just click that link, select your scan type, and then click the ‘Click to scan’ control to start the scan.

When the scan is finished, the results are displayed in a format similar to other types of OffCAT scans.

To view and/or save any of the files generated by the scan, select the (new) Collected Log Files tab of the report.

Easier access to log files

As you can see in the previous figure, there is a new tab called Collected Log Files found under Configuration Details in your reports. The list of files found in Collected Log Files varies by the application scanned or the tool run under Advanced Tools. For example, the following figure shows files available for an Excel scan.

And, the following example shows the files available when you use the Real-Time Logging feature in Advanced Tools.

Just click any file to save it to your local drive. Then, open the file in the your favorite program associated wth the file extension.

Note: The .etl log files are binary files that can’t be read without a conversion process. If you are working with a Microsoft Support engineer, you can upload the log files to a secure location that is provided by Microsoft Customer Support Services. A support engineer from Microsoft can then process and analyze the log file(s) for issues.

More control over the OffCAT icon in the Windows Notification area

OffCAT adds an icon to the Windows Notificaton area that is part of a feature set that manages rule file updates, add-in integration, and real-time crash detection. To give you more control over the display of this icon we added the Disable option to the context menu for the icon.

If you select Disable, the following changes occur:

1. The OffCAT icon is no longer displayed in the Windows Notification area
2. Notifications from OffCAT will not be displayed (for example, real-time crash alerts will not be displayed)

Give OffCAT a 5-star rating

In addition to the ‘Tell us what you liked’ and ‘Tell us what we could do better’ feedback options, you can also rate your OffCAT experience with the new 5-star rating control found on the HELP/FEEDBACK page.

We encourage you to use this new feedback option as it is a quick and easy way to let us know how we are doing.

Additional information

The OffCAT v2.2 ReadMe – full version.docx file contains a great deal more information on features, functionality, and administration of OffCAT. This includes, but is not limited to:

• Installing OffCAT, including system requirements
• Scanning programs with the command-line version of OffCAT (OffCATcmd.exe)
• Managing OffCAT through policy settings

We encourage everyone, especially people that use OffCAT in any Help Desk/Support context, to review the ReadMe file so you can take full advantage of everything found in this latest version of the tool.

OffCAT v2 ReadMe – full version

Note that we also published a ‘basic’ version of the ReadMe file. This version of the file is a much shorter version of the ReadMe and is aimed at first-time users of OffCAT.

Greg Mansius

As customers prepare to deploy Exchange Server 2016, we are receiving inquiries when the System Center Operations Manager (SCOM) Management Pack for Exchange Server 2016 will be released. The short answer to the question is, there are no plans to release an Exchange Server 2016 Management Pack.

Now that we have your attention, let’s delve a bit deeper into why that is the case.

As announced in Lessons from the Datacenter: Managed Availability, Exchange Server 2013 rewrote the rules on how Exchange Server was monitored. With the release of Managed Availability, Exchange became self-healing and the role of a monitoring system was reduced to simply providing “Red/Green” console status on the health of the system. The Exchange code natively monitored the system and took corrective action when things weren’t as expected. The role of the Management Pack (MP) was reduced to listening to the activity of Managed Availability probes, monitors and responders, and forwarding to a management console a health indication of the system or the need for an administrator to intervene when Managed Availability could not remediate an action. Removed from this paradigm was the notion of initiating corrective actions through the use of the Management Pack.

Managed Availability still exists in Exchange Server 2016. It has in fact benefited from three additional years of running inside the Office 365 datacenters. The version installed with Exchange Server 2016 provides additional learnings and improvements from the Exchange team’s experience operating Office 365. What has not changed is the role the MP plays in forwarding events to the management console. The MP version shipped with Exchange Server 2013 continues to function against Exchange Server 2016 without any modification. Customers deploying Exchange Server 2016 receive all of the benefits of improved Managed Availability without a single change to their monitoring infrastructure.

The only downside of not releasing a new version of the MP is that there is not a dedicated grouping in the console for servers running Exchange Server 2016. The console view does, of course, provide the version of all Exchange servers, making it easy to determine what version of Exchange is installed on any given server.

So there you have it. Rather than deploying and maintaining multiple versions of a MP which provides no improvement, we have chosen to stick with the much simpler MP developed for Exchange Server 2013 (and later). For those customers coming from Exchange Server 2010, we believe Managed Availability and a simpler MP dependency represent significant improvements over the experience with the correlation engine and SCOM-heavy approach used in Exchange Server 2010.

The Exchange Team

Every copy of a mailbox database in a DAG is assigned an activation preference number. This number is used by the system as part of the passive database activation process, and by administrators when performing database balancing operations for a DAG. This number is expressed as the ActivationPreference property of a mailbox database copy. The value for the ActivationPreference property is a number equal to or greater than 1, where 1 is at the top of the preference order. When a DAG is first implemented, by default all active database copies have an ActivationPreference of 1. However, due to the inherent nature of DAGs (e.g., databases experience switchovers and failovers), active mailbox database copies will change hosts several times throughout a DAG’s lifetime. As a result of this inherent behavior, a mailbox database may remain active on a database copy which is the not the most preferred copy.

Prior to Exchange 2016 Cumulative Update 2 (CU2), Exchange Server administrators had to either manually activate their preferred database copy, or use the RedistributeActiveDatabases.ps1 script to balance the databases copies across a DAG. Starting with CU2 (which will be releasing soon), the Primary Active Manager in the DAG performs periodic discretionary moves to activate the copy that the administrator has defined as most preferred is now built into the product. A new DAG property called PreferenceMoveFrequency has been added that defines the frequency (measured in time) when the Microsoft Exchange Replication service will rebalance the database copies by performing a lossless switchover that activates the copy with an ActivationPreference of 1 (assuming the target server and database copy are healthy).

Note: In order to take advantage of this feature, ensure all Mailbox servers within the DAG are upgraded to Exchange 2016 CU2.

By default, the Replication service will inspect the database copies and perform a rebalance every one hour. You can modify this behavior using the following command:

Set-DatabaseAvailabilityGroup <Name> -PreferenceMoveFrequency <value in the format of 00:00:00>

To disable this behavior, configure the PreferenceMoveFrequency value to ([TimeSpan]::Zero) and restart the Microsoft Replication Service on all servers in the DAG.

If you are leaving the behavior enabled, and you have created a scheduled task to execute RedistributeActiveDatabases.ps1, you can remove the scheduled task after upgrading the DAG to CU2.

We recommend taking advantage of this behavior to ensure that your DAG remains optimally balanced. This feature continues our work to improve the Preferred Architecture by ensuring that users have the best possible experience on Exchange Server.

As always, we welcome your feedback.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

Today we are announcing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. In addition to normal fixes to customer reported issues, these releases also include updated functionality. Exchange Server 2016 Cumulative Update 2 and Exchange Server 2013 Cumulative Update 13 are available on the Microsoft Download Center.

.Net 4.6.1 Support

Support for .Net 4.6.1 is now available for Exchange Server 2016 and 2013 with these updates. We fully support customers upgrading servers running 4.5.2 to 4.6.1 without removing Exchange. We recommend that customers apply Exchange Server 2016 Cumulative Update 2 or Exchange Server 2013 Cumulative Update 13 before upgrading .Net FrameWork. Servers should be placed in maintenance mode during the upgrade as you would do when applying a Cumulative Update. Support for .Net 4.6.1 requires the following post release fixes for .Net as well.

• Windows Server 2008/2008R2 – KB3146716
• Windows Server 2012 – KB3146714
• Windows Server 2012R2 – KB3146715

Note: .Net 4.6.1 installation replaces the existing 4.5.2 installation. If you attempt to roll back the .Net 4.6.1 update, you will need to install .Net 4.5.2 again.

AutoReseed support for BitLocker

Beginning with Exchange 2013 CU13 and Exchange 2016 CU2, the Disk Reclaimer function within AutoReseed supports BitLocker. By default, this feature is disabled. For more information on how to enable this functionality, please see Enabling BitLocker on Exchange Servers.

SHA-2 support for self-signed certificates

The New-ExchangeCertificate cmdlet has been updated to produce a SHA-2 certificate for all self-signed certificates created by Exchange. Creating a SHA-2 certificate is the default behaviour for the cmdlet. Existing certificates will not automatically be regenerated but newly installed servers will receive SHA-2 certificates by default. Customers may opt to replace existing non-SHA2 certificates generated by previous releases as they see fit.

Migration to Modern Public Folders resolved

The issue reported in KB3161916 has been resolved.

Change to Get-ExchangeServer cmdlet

The Get-ExchangeServer cmdlet has been updated in Exchange Server 2016 Cumulative Update 2 to reflect the Exchange 2016 ServerRole definitions; Mailbox or Edge. Due to the way Remote PowerShell (RPS) works, the ServerRole definition output will be based upon the version hosting the RPS session, e.g. CU2 endpoints will report CU2 ServerRole definitions for all servers in the org. Customers should use the properties assigned to a particular service on the Exchange Server object to determine capabilities of a server, if needed. For instance, customers with scripts relying upon ServerRole Output looking for ClientAccess to be installed will need to look for the IsClientAccessServer property in the cmdlet output instead. An example follows:

[PS] C:\Windows\system32>$MyServer = Get-ExchangeServer EXHV-9895
[PS] C:\Windows\system32>$MyServer.ServerRole
Mailbox
[PS] C:\Windows\system32>$MyServer.IsClientAccessServer
True
[PS] C:\Windows\system32>

Installing from a mounted ISO displays English UI only

We are aware that customers who mount the ISO image and install Exchange from the mapped drive will not receive a local language setup experience. For customers who desire a local language setup experience, the workaround is to copy the files from the mounted ISO to a local OS drive and execute Setup from the local OS drive instead of the mounted ISO. We are working to resolve this in a future cumulative update.

Release details

KB articles which contain greater depth on what each release includes are available as follows:

• Exchange Server 2016 Cumulative Update 2 (KB3135742), Download, UM Lang Packs
• Exchange Server 2013 Cumulative Update 13 (KB3135743), Download, UM Lang Packs

Exchange Server 2016 Cumulative Update 2 does include updates to Active Directory Schema. These updates will apply automatically during setup if the permissions and Active Directory requirements are met during installation. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin should execute SETUP /PrepareSchema before installing Cumulative Update 2 on the first Exchange server. The Exchange Administrator should also execute SETUP /PrepareAD to ensure RBAC roles are updated correctly.

Exchange Server 2013 Cumulative Update 13 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to CU13. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

Additional information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

For the latest information on Exchange Server and product announcements, please see What’s New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post was published.

Exchange Team

Over the past several years, we have received feedback from all sorts of customers on how the Hybrid Configuration Wizard can be improved. One highly requested piece of feedback has been focused around providing an option to allow a customer to configure the bare essentials to support a hybrid configuration with Office 365.

One of the challenges we needed to overcome is that a Staged Exchange Migration is not supported for customers that are deployed on Exchange Server 2010 or later. That left customers with two options, either perform a cutover migration or a hybrid configuration. A cutover migration is designed for small customer deployments because all the users need to be migrated at the same time, and all Outlook profiles have to be recreated. The limitation of the cutover migration led many customers to deploy a Hybrid configuration. The Hybrid configuration has strict prerequisites around certificates and configuration scenarios that for some customers are confusing and unnecessary.

Today, we are pleased to announce that the Minimal Hybrid Configuration feature is available. When you launch the Hybrid Configuration Wizard (for the first time), you will be presented with a new dialog option, entitled Hybrid Features. This dialog allows you to choose between a Minimal Hybrid Configuration or a Full Hybrid Configuration.

What’s the difference? In a nutshell, the Minimal Hybrid Configuration allows you to just to perform migration and administration in a hybrid deployment. The Minimal Hybrid Configuration excludes configurations of secure email and any Exchange Federation related features, such as free/busy. This new configuration allows a customer to have the user experience benefits tied to a Hybrid migration: when a mailbox is moved you will not have to recreate the user’s Outlook profile; online mailbox moves are performed, unlike in a staged or cutover migration (users are for the most part not disconnected from the mailbox during the move); user account credentials are synchronized; and you get to enjoy uninterrupted mail flow.

What customers should use the Minimal Hybrid Configuration?

• Small or medium sized customers that need a seamless migration experience for their users.
• Customers that do not require enhanced features like:
  • Cross-premises Free/Busy
  • TLS secured mail flow between on-premises and Exchange Online
  • Cross-premises eDiscovery
  • Automatic Outlook on the web and ActiveSync redirection for migrated users
  • Automatic Retention for Archive Mailbox
• Customers that plan on moving to the service quickly and, therefore, do not require the enhanced features previously mentioned.
• Merger or acquisition scenarios may benefit from this configuration since you can move the mailboxes to a tenant without having to configure all of the Hybrid features.

What conditions expose the Hybrid Features dialog?

Customers that are setting up hybrid by executing the Hybrid Configuration Wizard for the first time will see the Hybrid Features dialog and will be able to choose the type of hybrid deployment they want.

If you have already run the Office 365 Hybrid Configuration Wizard in the past, this new dialog option will not be exposed. In addition, once a customer chooses to deploy the Full Hybrid Configuration option, this new dialog option will no longer be available. This new feature is not intended to enable customers to remove a hybrid configuration and start over.

However, if a customer was to choose the Minimal Hybrid Configuration option, subsequent executions of the Hybrid Configuration Wizard will continue to expose the Hybrid Features dialog. This allows a customer to change and deploy a Full Hybrid Configuration in the event they find they need certain additional features, like cross-premises Free/Busy.

Will cross-premises mail flow function in a Minimal Hybrid Configuration?

Yes, mail flow will function between your on-premises environment and Office 365 as the routing domain (e.g., contoso.mail.onmicrosoft.com) is a target address for migrated users. However, the mail flow between your on-premises environment and Office 365 will not be TLS protected. If you require TLS protection, you have two options – you can manually create connectors or you could run the HCW and select the Full Hybrid Configuration option if there is a need for an enhanced feature, like TLS protected mail flow.

Will Exchange Online Archive mailbox access function in a Minimal Hybrid Configuration?

Yes, on-premises mailboxes will be able to access Exchange Online archive mailboxes in a Minimal Hybrid Configuration. However, if you want to have retention policies that move items to the Exchange Online archive mailboxes automatically, then you will need to select the Full Hybrid Configuration option.

How do I move mailboxes after I run the wizard?

We are working on a new MRS migration portal interface for MRS based moves, but you can still use the Exchange Administration Center to move your mailboxes. Even when the new portal experience for migrations is ready the EAC options will still be present.

Summary

We are working hard to take the entire on-boarding and hybrid experiences to the next level and this is an important step in that journey. This will allow us to improve the experience for customers that want to move to the service quickly or just want a less painful way to cutover to Exchange Online.

As always, please keep the feedback coming by using the feedback option in the Hybrid Configuration Wizard. We read it all…

Office 365 On-boarding Team

Today, we released an updated version of the Exchange Server Role Requirements Calculator.

This release doesn’t contain many enhancements, but does contain a number of bug fixes, especially in the deployment scripts. You can view what changes have been made, or download the update directly.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

Consider a hypothetical scenario where Contoso merges with World Wide Importers, and the two combine each others resources. World Wide Importers has Exchange 2016 deployed, so it’s decided that users from Contoso will link their accounts to mailboxes in worldwideimporters.com as a resource forest.

Each company’s corporate identity will remain intact, so they will maintain the contoso.com and worldwideimporters.com namespaces. Following Microsoft best practices, Kerberos will be enabled for client authentication when contoso.com forest users access Exchange in worldwideimporters.com.

To set up Kerberos in this topology the resource forest’s namespace will be used as the realm for issuing tickets to users requesting access. So clients requesting tickets from this realm will need a few extra considerations to get this all working:

Preparing DNS

For the scenario to work each forest’s namespaces and domains need to be resolvable by mutual name lookups. That means each namespace will be added to the other forest’s DNS solution. When using Windows Server DNS this can (for example) be achieved with a stub zone called contoso.com added to the worldwideimporters.com DNS servers:

. . . and a stub zone in the contoso.com forest:

Autodiscover name records, or an SCP, must be added to the authentication forest so that queries for mailbox information based on a user’s primary SMTP domain get directed to Exchange with the new namespace. In this example, a CNAME record for autodiscover.contoso.com is added which resolves to autodiscover.worldwideimporters.com.

Preparing Active Directory

For a resource forest deployment we recommend a forest trust between the authentication and resource forests. At a minimum, it should be a one-way outgoing trust, where the Exchange forest trusts the authentication forest.

For information on deploying Exchange in a resource forest topology visit, Deploy Exchange 2013 in an Exchange resource forest topology.

Preparing Exchange

Since Contoso users will keep their @contoso.com SMTP addresses the domain has to be added to Exchange (in worldwideimporters.com) as an accepted domain:

Configuring and Enabling Kerberos

With DNS and Active Directory prepared it is now possible to configure Kerberos according to readily available guidance.

First, an Alternative Service Account (ASA) must be added to Active Directory in the resource forest, using this format:

New-ADComputer -Name <CAName> -AccountPassword (Read-Host ‘Enter password’ -AsSecureString) -Description ‘Alternate Service Account credentials for Exchange’ -Enabled:$True -SamAccountName <CAName>
Set-ADComputer <CAName> -add @{“msDS-SupportedEncryptionTypes”=”28”}

So for our scenario:

New-ADComputer -Name EXCH2016ASA -AccountPassword (Read-Host ‘Enter password’ -AsSecureString) -Description ‘Alternate Service Account credentials for Exchange’ -Enabled:$True -SamAccountName EXCH2016ASA
Set-ADComputer EXCH2016ASA -add @{“msDS-SupportedEncryptionTypes”=”28”}

Next, the new ASA must be configured on each Mailbox server in the organization with RollAlternativeServiceAccountPassword.ps1:

.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer <ExchangeServer> -GenerateNewPasswordFor <Domain\CAName$>

For this scenario:

.\RollAlternateServiceAccountPassword.ps1 -ToSpecificServer wwiex1 -GenerateNewPasswordFor WWI\EXCH2016ASA$

After that we can register the SPNs for Exchange services:

Setspn.exe -S http/<AutodiscoverServiceHostname> <Domain\CAName$>
Setspn.exe -S http/<ExchangeServicesHostname> <Domain\CAName$>

For the scenario:

Setspn.exe -S http/autodiscover.worldwideimporters.com WWI\EXCH2016ASA$
Setspn.exe -S http/mail.worldwideimporters.com WWI\EXCH2016ASA$

Verification

Outlook Anywhere RPC/HTTPS: verify Kerberos is in use by following the section in the Technet article referenced above called “Validate Kerberos from the Client Access server”. As described the HttpProxy\RpcHttp logging will show a user’s connection with the “Negotiate” authentication protocol only. This ensures Kerberos is working for that user:

If for some reason the client is not able to authenticate with Kerberos it should fall back to NTLM authentication. In that case, the log will show either “NTLM” or “Negotiate+NTLM”.

MAPI/HTTPS: The HttpProxy log for MAPI always shows “Negotiate” if it’s configured as an available authentication method, so the method to verify Kerberos authentication described for Outlook Anywhere won’t be reliable. Instead, running KLIST.EXE can reveal whether the logged in user has received a ticket for the Exchange SPN.

Conclusion

Complex organizations with diverse Active Directory deployments may need to consolidate services under a simplified namespace. This necessitates additional steps for enabling Kerberos for authenticating user forest clients to access Exchange in a resource forest. With the concepts and examples presented here it should be straightforward to adapt them to a production deployment for a fully-supported, best-practice-compliant Exchange solution.

Jesse Tedoff
Senior Premier Field Engineer

On-premises Exchange environments support the ability for certain mobile apps to utilize certificate-based authentication (CBA). Today, we are pleased to announce that CBA is available in preview for customers using Office 365 Enterprise, Business, and Education plans. This feature is available in Outlook for Android and Exchange ActiveSync (EAS) protocol. Support for Outlook for iOS is coming soon.

What is certificate-based authentication?

CBA allows users to authenticate using a client certificate. The certificate is used in place of the user entering credentials into the device.

Why would I want certificate-based authentication?

By utilizing certificate-based authentication, administrators can allow their users to access resources without the need to enter credentials.

Prerequisites

The following are required to use CBA:

• Access to a certification authority (CA) to issue client certificates.
• Each CA must have a certificate revocation list (CRL) that can be referenced via an Internet-facing URL.
• Client certificates must be provisioned on mobile devices, typically done using MDM.
• For EAS clients, the RFC822 Name OR Principal Name value in the certificate’s Subject Alternative Name field must have the user’s email address.
   

  
  Figure 1: Client certificate with email address in RFC822 Name and Principal Name values in the SAN field

Using certificate-based authentication

Configuration in Azure Active Directory is required to use certificate-based authentication. All certificate authorities (and their associated CRL URLs) must be uploaded to Azure Active Directory. More information on getting started with CBA can be found in Get started with certificate-based authentication on iOS – Public Preview.

Certificate-based authentication in Outlook for iOS/Android

Currently, certificate-based authentication is only supported in Outlook for Android on Android Lollipop 5.0 and above. Support in Outlook for iOS is coming soon.

A federation server that is configured to perform certificate-based user authentication is also required when using Outlook for Android.

Certificate-based authentication in Exchange ActiveSync applications

Certain EAS applications may support certificate-based authentication. To determine if your application supports CBA, contact the application developer. Preview documentation on how EAS applications can support CBA can be found in Microsoft Exchange protocol documentation.

Tyler Lenig
Program Manager
Office 365

Exchange Server 2013 introduced modern public folders and also shift in the way clients access the public folders. Ever since, the Outlook for Mac client had limited or no support for public folders.

This article provides an update on how Outlook 2016 for Mac clients can access public folders in various topologies.

Current Scenario

The Outlook for Mac clients could not access public folders if:

Co-existence with legacy public folders

• Legacy public folders deployed on Exchange Server 2010 SP3 and user mailbox present on Exchange Server 2013/Exchange server 2016 in same organization.

Modern public folder access in Hybrid topology

• Exchange Server 2013/Exchange Server 2016 in hybrid mode with an Office365 tenant.
  • Scenario1 – Modern PF’s deployed on-premises – on-premises users, with mailbox on Exchange Online, accessing modern public folders deployed in Exchange on-premises.
  • Scenario2 – Modern PF’s deployed in Office 365 – on-premises users, with mailbox on Exchange on-premises as well, accessing modern public folders deployed in Office 365 tenant

Solution

The April 2016 update of Outlook 2016 for Mac clients, along with changes in Cumulative Update for Exchange Server, will make public folders in above scenarios work for Outlook 2016 for Mac.

The following table summarizes access state for Outlook 2016 for Mac (post April 2016 update) access to public folder deployments, as well as the minimum Exchange CU required to enable access:

We’ll take a look at one of the common scenarios and explain the steps required. TechNet has detailed steps on how to configure public folder access in hybrid as well as for co-existence scenarios.

Scenario

EXO users accessing modern public folders hosted in on-premises organization.

Pre-requisites

Make sure all of the following pre-requisites are met before making any changes to your configuration:

Client side:

Make sure the Outlook 2016 for Mac client is installed with the April 2016 update, at the minimum. It’s recommended to install the latest available update.

Server side:

1) Exchange organization is configured in hybrid with Office 365 tenant, and DirSync is working and the mail sync script is performed.

2) The on-premises Exchange Servers, hosting public folder mailbox must be on or above:

1. Exchange Server 2013 CU13
2. Exchange Server 2016 CU2

3) Make sure the user that will be accessing public folders has a user account on-premises and mailbox in EXO.

You should be able to see the user listed in Get-RemoteMailbox:

On-premises:

Note:

Pure EXO user mailboxes cannot access public folders hosted on-premises.

4) Make sure the PF mailbox from on-premises shows as Mail User:

On-premises:

Office 365 tenant:

Configuration

1) Configure public folder access settings at EXO Tenant:

Command:

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes <Mail User representing on-premises PF>

Example:

Set-OrganizationConfig -PublicFoldersEnabled Remote -RemotePublicFolderMailboxes OP1

2) The EXO User mailboxes are automatically assigned with DefaultPublicFolderMailbox:

That’s it! Now Outlook 2016 for Mac can subscribe and access public folders.

Related articles

Detailed configuration steps for each scenario are in following articles:

Co-existence with legacy public folders

User mailboxes are on Exchange 2013/Exchange 2016 servers accessing legacy public folders on Exchange Server 2010

https://technet.microsoft.com/en-us/library/dn690134(v=exchg.150).aspx

Hybrid topology

Scenario1 – modern PF’s deployed on-premises

On-premises users, with mailbox on Exchange Online, accessing modern public folders deployed Exchange on-premises:

https://technet.microsoft.com/en-us/library/dn986544(v=exchg.150).aspx

Scenario2 – modern PF’s deployed in Office 365

On-premises users, with mailbox on Exchange on-premises as well, accessing modern public folders deployed in an Office 365 tenant:

https://technet.microsoft.com/en-us/library/mt729076(v=exchg.150).aspx

Public Folder Team

We are excited to re-announce that the Exchange On-Premises TAP Program is accepting nominations! 

The purpose of this post is to provide you with the opportunity to nominate your company for the Exchange On-Premises Technology Adoption Program (TAP) Program. Joining the Exchange On-Premises TAP Program provides companies with a number of advantages, such as providing input and feedback for future releases, developing a close relationship with the Exchange Product Team; receiving Pre-Release information about Exchange, and more. 

Exchange On-Premises TAP Program Overview

The Exchange On-Premises TAP Program is designed to validate the next version of Exchange Server by having customers test deployments of Pre-Release builds of Exchange in their own production environment. This gives participants the opportunity to provide feedback to the Exchange product development team. Customers in the TAP Program are provided free support from Microsoft Customer Services and Support (CSS) for issues encountered with Exchange. Additional information on the TAP Program is discussed in this blog entry from a number of years ago, which is still quite relevant today.

What’s in it for TAP Program customers?

• A close relationship with the Exchange product team.
• An opportunity to provide feedback on future releases of Exchange directly to the product team.
• Technical conference calls with members of the product team.
• Production grade Pre-Release builds of Exchange Server.
• Access to free CSS Support for Exchange issues for the duration of the Exchange TAP Program (CSS support is 24/7 for any critical issues found in production).
• A head start in the next deployment cycle, taking advantage of new and enhanced features available in the next version of Exchange Server.

What do I have to commit to in order to participate in the Exchange TAP Program?

• Jump through a few legal hoops (signing some legal documents such as an NDA).
• Go through a few steps that will help assure easy communication between you and Microsoft (details will be provided when applicable)
• Deploy Pre-Release versions of Exchange Server in your production environment.
• Commit to timely response of surveys and feedback requests from Microsoft.
• Commit to providing resources for TAP Program activities for the duration of the program – people/time as well as machines needed for testing and production, and associated operating system software licenses.
• Provide us with deployment plans, including details of network topologies and additional reports, as applicable.  (Required before we can give production approval for the Pre-Release code.)

What makes a good TAP Program candidate?

• Willing to dedicate the resources (people/time and machines) to testing Pre-Release builds of Exchange in production. We find that we get some of our best feedback through production deployments, and so we will prioritize nominations from customers willing to be aggressive in their production rollouts higher.
• Responsive to our requests for feedback, including responding to surveys and attending conference calls and participating in a distribution list.
• Gives constructive criticism with context – don’t just stop at “I don’t like feature X,” provide us more information like “Here’s why feature X won’t work for my Exchange environment, and here’s why I think doing it another way would be better.”
• Gives feedback even when not requested. We may not have sent out a survey or had a call about a topic, but if something about the product is problematic for you– or you love it! :-) – we want to know.

Summary

If you feel your Company fits what we are looking for, you can nominate yourself by sending email to:

Davidesp@microsoft.com

Please place “TAP Customer Nomination” in the subject line.

Also please gave the following info;

• Legal company name
• Size in terms of number of mailboxes in your org
• Versions of Exchange you are currently running
• Name of a contact person we can speak to with email address
• Reason for interest in our program 

Note: This is for our business customers to self-nominate for inclusion in future Exchange Pre-Release programs. If you are a Microsoft representative and would like to nominate a customer you are working with, please contact us directly and we will provide appropriate guidance.

All nominations, internal and external, are reviewed and screened prior to acceptance into a program. No customers are allowed access to any Pre-Release downloads or information until all legal paperwork is properly executed. Nomination does not mean acceptance… not all nominees will be chosen for a program.

Thank you!

David Espinoza
Senior Program Manager, Customer Experience Team

Just wanted to let you know that the VSSTester script has now been updated to version 1.2. The main feature in this version is that the script now supports Exchange 2016 servers.

To read more about previous update see this, or for much more comprehensive information about the script, see the original blog post here.

Matthew Huynh

Right on the heels of our recent TAP program announcement, we wanted to see if there are customers who would like to help us validate migration of modern public folders from Exchange 2013/2016 to Exchange Online (EXO). This is a scenario that at this time we do not support, but plan on doing so. Estimated availability of bits for testing those topologies (subject to change):

• Exchange 2013 public folders > EXO: September 2016
• Exchange 2016 public folders > EXO: November 2016

In order to participate, you will need to enroll into the above mentioned TAP program.

If you are interested in trying out the migration, please contact the PF migration team at modernpfmigrationtoexo@service.microsoft.com with the following details:

1. Organization Name
2. Exchange version
3. Total size of Public Folders
4. Number of PF mailboxes
5. Largest Public Folder size
6. Total count of Public Folders
7. Count of Mail enabled Public Folders
8. Which clients are used by users to access PF?
9. Number of users
10. Number of exchange server installations
11. Is Exchange Hybrid setup done?
12. When is the plan to migrate users to EXO?

We will review the details and see if we can on-board the organization into TAP/Beta program. We are looking for customers with <250GB of public folder data.

Let us know!

Public Folder Migration team

Over the past few months, customers are increasing both the number of Office 365 Groups created and average monthly usage. It’s great to see customers getting value out of the service. If you are using Office 365 and haven’t yet moved traditional Distribution Groups (also known as Distribution Lists or DLs) over to Office 365 Groups, here are a few of the advantages of making the move.

1. Every Office 365 Group has a shared mailbox with a searchable history of email conversations within the group, so new members have access to all of the content and context that predates their membership

• With a Distribution Group, new members only see discussions starting from when they joined

2. By default, Office 365 Groups are ‘public,’ i.e., discoverable for users within your Office 365 tenant. That makes it easy for people in your organization to search for a topic name and/or description and join any related groups.

• Distribution Groups are often searchable by name only

3. Office 365 Groups provide a convenient self-service option for an organization’s users to create new groups, as well as join or depart groups

• Creating Distribution Groups, as well as adding and removing members, is usually done by the organization’s Exchange administrators on behalf of the users.

4. Group members also have access to a shared calendar, document library, OneNote notebook, etc. for collaboration needs beyond email

• Distribution Groups are designed for collaborating via email. Separate sets of manual steps are required to set up and use addition collaboration tools such as a shared calendar or a OneNote notebook.

New ways to migrate DLs to Groups

We’ve listened to feedback that customers want an easy way to transform traditional Distribution Groups to Office 365 Groups and have recently added two sets of tools to meet this request.

• The Exchange Admin Center now offers an option to upgrade eligible Distribution Groups to Office 365 Groups with one click (see image); or Office 365 administrators can use PowerShell scripts that we’ve published to accomplish this task.

• We’re also rolling out a change to the Exchange Admin Center to help remind Office 365 administrators about the advantages of Office 365 Groups. When administrators begin to create a new Distribution Group, they’ll be taken to the Office 365 Group creation page and encouraged to create a group there. If administrators want to create a traditional Distribution Group instead, a link gives them quick access the Distribution Group creation page.

For more information

At the current time, traditional Distribution Groups with the following capabilities won’t upgrade to an Office 365 Group, but as we add these capabilities to Groups, migration support will follow:

• Nesting – a Distribution Group which has another Distribution Group as one of its members
• Moderation – messages sent to the Distribution Group must be approved by a moderator before they’re delivered to the members
• Hidden groups in the Global Address List – Distribution Groups can be hidden, so that they don’t appear in the organization’s Global Address List.

We are not able to migrate security groups to Office 365 Groups at this time, but are looking at ways to do so. Also, for customers with a hybrid infrastructure, migration will work for the Distribution Groups that are based in Office 365; but not for those based in the on-premises infrastructure. You’ll need to delete or rename the on-premises Distribution Group and create a new Office 365 Group in Office 365 using the same membership.

Distribution Groups aren’t being deprecated in Office 365, but since Office 365 Groups already support most of the scenarios that Distribution Groups do, and add collaborative capabilities not found in Distribution Groups, we’re encouraging the creation of, and migration to, Office 365 Groups.

Office 365 Groups Team

Note: This post, originally published in March, got accidentally re-published on 8/23/16 when updating step 5 below. We are leaving it published as a reminder to our customers as the time for this change is now closer.

If you’re an Exchange Online or Exchange Online Protection (EOP) subscriber and you have configured connectors, this post contains important information that might impact your organization. To make sure that your mail flow isn’t interrupted, we strongly recommend that you read this post and take any necessary action at your earliest convenience.

The change will impact you if one of the following scenarios apply to your organization:

• Your organization needs to send NDR (non-delivery report) messages to a recipient on the Internet and needs to relay them through Office 365.
• Your organization needs to send messages from your own email server (on-premises environment) from domains that your organization has not entered in Office 365 (see Add Domains in Office 365). For example, your organization Contoso needs to send email as the domain fabrikam.com, which doesn’t belong to your organization.
• There is a forwarding rule configured on your on-premises server, and messages need to relay through Office 365. For example, contoso.com is your organization’s domain, a user in your organization’s on-premises server, kate@contoso.com, has enabled forwarding. All her messages go to kate@tailspintoys.com. If john@fabrikam.com sends a message to kate@contoso.com, the message gets automatically forwarded to kate@tailspintoys.com. From Office 365’s point of view, the message is sent from john@fabrikam.com to kate@tailspintoys.com. Because Kate’s mail is being forwarded, neither the sender domain nor the recipient domain belongs to your organization.

Beginning February 1, 2017, Office 365 will no longer by default support relaying messages for the scenarios described above. If your organization needs those scenarios to continue to work, you need to make sure that the following are all true:

• You have created a connector in Office 365 that instructs the service to use certificate to authenticate emails coming from your organization’s own email server (on-premises environment).
• Your own email server (on-premises environment) is configured to use the certificate to send email to Office 365.
• This certificate is CA signed and its certificate name (CN) or subject alternative name (SAN) contains a domain that you have entered in Office 365.

To do so, use the following instructions.

Create or Edit a certificate-based connector in Office 365

For Office 365 to relay messages to internet that match with the scenarios listed above, you need to follow the below steps.

1. Sign in to Office 365 admin center, and go to Admin > Exchange.

2. Go to mail flow > connectors, and do one of the following:

If there are no connectors, choose ’+’ (Add) to create a connector.

If a connector already exists, select the connector, and choose Edit to modify it.

3. On the Select your mail flow scenario page, choose From: Your organization’s email server and To: Office 365. This creates a connector that indicates that your on-premises server is the sending source for your messages.

4. Enter connector name and other information, and then choose Next.

5. On the New connector or Edit connector page, choose the first option to use a TLS certificate to identify the sender source of your organization’s messages. The domain name in the option should match with the CN name or SAN in the certificate that you’re using and this domain must be a domain that belongs to your organization and you need to have added the domain to Office 365. For example, contoso.com belongs to your organization, and it’s part of CN name or SAN name in the certificate that your organization uses to communicate with Office 365. If the domain in cert contains multiple domains (such as mail1.contoso.com, mail2.contoso.com), It is recommended that domain in the connector UI to be *.contoso.com.

Configure your on-premises environment

Use the following steps to prepare your on-premises servers to relay messages through Office 365:

1. If your organization uses Exchange server for its on-premises server, you need to configure your server to send messages over TLS. To do this, follow Set up your email server to relay mail to the Internet via Office 365, which is part 2.2 of “Set up connectors to route mail between Office 365 and your own email servers.” If you have already used Hybrid Configuration Wizard, then continue to use it, but ensure to use a certificate that matches the criteria outlined in step 5 of the previous section.
2. Install a certificate in your on-premises environment. For details, follow “Step 6: Configure an SSL certificate” of Configure mail flow and client access.

For more details about how to relay messages through Office 365, see the Setting up mail flow where some mailboxes are in Office 365 and some mailboxes are on your organization’s mail servers section of Mail flow best practices for Exchange Online and Office 365.

Carolyn Liu

What are we announcing?

1. On November 1, 2016, Microsoft will stop generating updates for the SmartScreen spam filters in Exchange Server 2016 and earlier (2013, 2010, 2007), Outlook 2016 for Windows and earlier (2013, 2010, 2007) and Outlook 2011 for Mac.
2. The SmartScreen spam filter will be removed from future versions of Exchange Server and Outlook for Windows. (SmartScreen is not available in any other version of Outlook).
3. This announcement does not affect the SmartScreen Filter online protection features built into Windows, Microsoft Edge and Internet Explorer browsers. While branded similarly, those features are technically distinct. These SmartScreen Filters to help people to stay protected from malicious websites and downloads.

What is SmartScreen? What does it provide customers today?

Within Outlook and Exchange, SmartScreen is a spam content filter. It evaluates each message and returns an overall message Spam Confidence Level (SCL). Items that are rated as spam are send to Outlook’s junk folder. Microsoft provides periodic updates to the filters, and administrators and users can download and install the updates to improve their junk email protection.

For more details, see articles describing how this was done for Exchange and Outlook.

In Windows, Microsoft Edge and Internet Explorer browsers, the SmartScreen Filter online protection feature helps consumers to stay protected from malicious websites and downloads. This feature is not affected and it is not subject of the today’s announcement.

Why is Microsoft deprecating support for SmartScreen in Outlook and Exchange?

SmartScreen spam filters in Outlook and Exchange have become obsolete and have been replaced by Exchange Online Protection (EOP), a more effective cloud-based email filtering service. EOP is built into to all Office 365 and Outlook.com accounts and available for purchase to protect Microsoft Exchange Server (on-premises).

This spam filtering technology was first released in 2003, which provided Outlook and Exchange a content filter able to identify spam campaigns and direct them in the junk folder. As spammers have evolved and increased the volume and sophistication of their attacks, this type of spam prevention is no longer a useful way to prevent spam.

For example, spammers now routinely randomize their campaigns and use reputation high jacking from legitimate sending domains to trick content filters. Spam attacks no longer take days and weeks, they often complete or significantly morph within minutes. To be effective, filters should be real-time, always tapping into the intelligence of email campaigns happening within recent minutes or hours.

Further, SmartScreen often conflicts with EOP (or other 3^rd party cloud filtering solutions). This is especially painful when emails declared legitimate by upstream filters or administrator policies (e.g. IPAllowLists, ETRs) are actually junked by SmartScreen, because SmartScreen is unaware of the upstream settings.

Microsoft developed Exchange Online Protection to protect Office 365 and Outlook.com mailboxes and remove the need for SmartScreen. Most customers using Exchange Server (on-premises) have either added EOP or use a 3^rd party filtering service or appliance to sanitize their mail flow.

What is Exchange Online Protection (EOP)?

Microsoft Exchange Online Protection (EOP) is a cloud-based email filtering service that helps protect end users and organizations against spam and malware, and includes features to safeguard organization from messaging-policy violations. EOP is backed by a modern spam filtering stack, where content filters have a lesser role and sending IP and domain reputation, authentication, campaign detection, and spammer hosting infrastructure reputation are now responsible for filtering.

For more details, review the EOP documentation on TechNet and this help article on Office 365 email anti-spam protection.

What will happen on November 1, 2016?

Microsoft will stop producing new spam definition updates to the SmartScreen filters in Exchange and Outlook. The existing SmartScreen filter and definitions will be left in place, and continue to provide some basic level of protection. The current definition will continue to junk some obvious spam emails, with an effectiveness that will degrade over time.

As stated above, most users are protected by superior spam filtering arrangements and should not experience any change in their email experience or see an increase in spam.

Again, this change does not affect the SmartScreen Filter online protection feature built into Windows, Microsoft Edge and Internet Explorer browsers.

Will the deprecation of SmartScreen have any impact on users using Outlook with Office 365 or Outlook.com?

No. Customers using Outlook with Office 365 (for work email) or Outlook.com (for personal email) already have the advanced spam and malware protection found in Exchange Online Protection built into those services. These customers need to take no action.

Note: Some Office 365 customers may have replaced EOP with a 3^rd party filtering solution. Those customers will also continue to be protected by those solutions and do not need to take any action.

Will the deprecation of SmartScreen have any impact on users using Outlook with Exchange Server (on-premises)?

Most likely not. Due to the reasons stated earlier, SmartScreen has stopped being a useful tool for combatting spam. The vast majority of customers using Exchange Server have either added Exchange Online Protection or use a 3^rd party filtering service or appliance to sanitize their mail flow.

Customers using Exchange Server should ensure they have their spam protection solution properly configured before November 1, 2016. Customers not using a separate spam solution today can purchase Exchange Online Protection for $1/user/month.

Will the deprecation of SmartScreen have any impact on users using Outlook with Gmail, Yahoo or other online email solutions?

Customers using Gmail, Yahoo or other online email solutions will be protected by the spam and malware protection found in those services.

How does this deprecation impact Outlook’s Junk Email Options?

Outlook’s Junk Email Options are stay the same. Since the existing SmartScreen filter and definitions will be left in place, the Options tab will continue to control the SmartScreen protection level. As noted above, those definitions will continue to junk some obvious spam emails, with an effectiveness that will degrade over time.

The other tabs are user driven settings and not related to SmartScreen. They will be unaffected by this deprecation (e.g. items in your Safe/Blocked Senders list will still be filtered per your settings).

Check out this help article for more on how the Junk Email options work.

Will I still have a Junk folder in Outlook?

All customers will continue to have a Junk folder.

For customers using Outlook with their mailbox in Office 365 or Outlook.com, emails landing in the Junk folder will be determined by Exchange Online Protection (or a 3^rd party solution) or by Outlook’s Blocked Senders list.

Customers using Outlook with other email servers or services will benefit from upstream email filtering (such as EOP or 3^rd party solutions) in their respective environments. These email providers and filters will send items to Outlook’s junk folder.

Does this deprecation affect the SmartScreen technologies in Windows 8-10, Edge and Internet Explorer?

As stated before, this does not impact the SmartScreen Filter online protection feature built into Windows, Microsoft Edge and Internet Explorer browsers to help people to stay protected from malicious websites and downloads. Those protection tools will remain in place. For more information on how these SmartScreen technologies provide protection, see this link for Windows and this for Edge.

The Exchange Team

There are times when the deletion of a user account or a mailbox needs to be undone. It could be that you accidentally deleted the wrong user or maybe you are not really sure what happened to a mailbox, but want to attempt a recovery. Regardless of the reason, we have created a troubleshooter that will guide you to the best possible recovery option (https://aka.ms/MailboxRecovery).

How it works

We will ask you few questions about the current state of the user and mailbox you want to recover, then we will provide a solution based on the answer provided. For the most part we provide a solution that can be handled by a Tenant Administrator, but there are a couple of instances where we recommend calling support.

Who Should Run this tool

We recommend that only administrators that are very comfortable with PowerShell run this troubleshooter. The mailbox recovery process can be pretty complex and while this tool helps streamline you to a solution, the process of solution discovery and remediation can be challenging.

Is this only for Hybrid customers?

No, this troubleshooter is meant for any customer using Exchange Online that find themselves in a place where they need to recover a mailbox. You can have Directory Synchronization in place or you could be running cloud only with no sync. We will walk you through the appropriate scenario with three simple questions.

Conclusion

The recovery of a user and their associated mailbox can be a hard thing to accomplish, especially considering most of us perform these operations infrequently. If it is done incorrectly the results can lead to account and or mailbox data loss. Following this guide will ensure that you are doing what you can to prevent those issues.

I would like to thank everyone who has contributed to the development and publishing of this tool. Especially: Charlotte Raymundo, Jon Bradley, Murali Natarajan, and Timothy Heeney.

Bio Awojobi

Today we are announcing the latest set of Cumulative Updates for Exchange Server 2016 and Exchange Server 2013. These releases include fixes to customer reported issues and updated functionality. Exchange Server 2016 Cumulative Update 3 and Exchange Server 2013 Cumulative Update 14 are available on the Microsoft Download Center.

Windows Server 2016 Support

Windows Server 2016 support is now available with Exchange Server 2016 Cumulative Update 3. Customers looking to deploy Windows Server 2016 in their Exchange environments require Exchange Server 2016 Cumulative Update 3 or later. Domain Controllers running Windows Server 2016 are supported provided Forest Functional Level is Windows Server 2008R2 or later. Exchange does not currently support any new functionality provided by the updated operating system except for improved restart support in the Windows Installer. Installing Exchange on Windows Server 2016 provides a seamless installation experience including prerequisites. Exchange Server 2013 will not be supported on Windows Server 2016.

Windows Defender is on by default in Windows Server 2016. Attention to malware settings is particularly important with Exchange to avoid long processing times during installation and upgrade, as well as unexpected performance issues. The Exchange team recommends the Exchange installation and setup log folders be excluded from scanning in Windows Defender and other Anti-Virus software. Exchange noderunner processes should also be excluded from Windows Defender.

.Net 4.6.2 Support

.Net 4.6.2 is included with Windows Server 2016. Customers deploying Exchange on Windows Server 2016 must use .Net 4.6.2 and Cumulative Update 3 or later. We plan to add support for .Net 4.6.2 on Windows Server 2012 or Windows Server 2012R2 in our December releases of Exchange Server 2016 and 2013. .Net 4.6.2 will be required for Exchange Server 2016 and 2013 on all supported operating systems in March 2017. We advise customers to start evaluating requirements to move to .Net 4.6.2 now.

High Availability Improvements

One of the challenging areas in some on-premises environment is the amount of data replicated with each database copy. In Exchange Server 2016 Cumulative Update 3, network bandwidth requirements between the active copy and passive HA copies are reduced. The Exchange Server Role Requirements Calculator has been updated to reflect these improvements. The local search instance reads data from a database copy on the local server, also known as “Read from Passive”. As a result of this change, passive HA copy search instances no longer need to coordinate with their active counterparts in order to perform index updates. Lagged database copies still coordinate with their active counterparts to perform index updates. This change also reduces database failover times when compared to Exchange Server 2013.

Installing from a Mounted .ISO using Local Languages

.ISO’s mounted on localized versions of the operating system function correctly with Cumulative Update 3. Support for local language setup experience is limited to the 11 server languages supported by Exchange Server 2016.

Pre-Requisite Installation Behavior Updated

In previous releases of Exchange Server 2016 and 2013, servers were placed into server-wide off-line monitoring states during pre-requisite analysis and pre-requisite installation. This behavior is changed in the September cumulative update releases. Setup will now place a server in off-line monitoring mode when installation of new Exchange binaries begins. This change allows customers who are using the GUI upgrade experience to delay changing the monitoring state until after pre-requisite analysis confirms the server is ready for installation. The monitoring state will be configured when the user selects to proceed to the binary installation step. For customers using command line setup, placing the server into the off-line monitoring state is also delayed until pre-requisite analysis is completed and all pre-requisites are met. Once pre-requisites are confirmed, command line setup will change the monitoring status and proceed without a delay into the actual binary upgrade process.

Latest Time Zone and Security Updates

Exchange Server 2016 Cumulative Update 3 and Exchange Server 2013 Cumulative Update 14 include the security updates released in MS16-108. All of the September Exchange releases include support for Time Zone updates released through the month of August. Update Rollup 21 for Exchange Server 2007 and Update Rollup 15 for Exchange Server 2010, part of our September releases, were released as security bulletin MS16-108.

Refreshed People Experience in Outlook on the web

Exchange Server 2016 Cumulative Update 3 includes an updated view of Contact information and Skype for Business presence information. These changes mirror the current experience of Office365.

Countdown to Exchange Server 2007 End of Life (EOL)

We are now only seven months away from Exchange Server 2007 going out of support (Exchange Server 2007 T-1 year and counting). Customers still running Exchange Server 2007 should be implementing plans to move to Exchange Server 2013 or Office 365 to ensure uninterrupted access to support and product fixes.

Release Details

KB articles which contain greater depth on what each release includes are available as follows:

• Exchange Server 2016 Cumulative Update 3 (KB3152589), Download, UM Lang Packs
• Exchange Server 2013 Cumulative Update 14 (KB3177670), Download, UM Lang Packs

Exchange Server 2016 Cumulative Update 3 does include updates to Active Directory Schema. These updates will apply automatically during setup if the permissions and AD requirements are met during installation. If the Exchange Administrator lacks permissions to update Active Directory Schema, a Schema Admin needs to execute SETUP /PrepareSchema before installing Cumulative Update 3 on the first Exchange server. The Exchange Administrator should also execute SETUP /PrepareAD to ensure RBAC roles are updated correctly.

Exchange Server 2013 Cumulative Update 14 does not include updates to Active Directory, but may add additional RBAC definitions to your existing configuration. PrepareAD should be executed prior to upgrading any servers to Cumulative Update 14. PrepareAD will run automatically during the first server upgrade if Setup detects this is required and the logged on user has sufficient permission.

Additional Information

Microsoft recommends all customers test the deployment of any update in their lab environment to determine the proper installation process for your production environment. For information on extending the schema and configuring Active Directory, please review the appropriate TechNet documentation.

Also, to prevent installation issues you should ensure that the Windows PowerShell Script Execution Policy is set to “Unrestricted” on the server being upgraded or installed. To verify the policy settings, run the Get-ExecutionPolicy cmdlet from PowerShell on the machine being upgraded. If the policies are NOT set to Unrestricted you should use the resolution steps in KB981474 to adjust the settings.

Reminder: Customers in hybrid deployments where Exchange is deployed on-premises and in the cloud, or who are using Exchange Online Archiving (EOA) with their on-premises Exchange deployment are required to deploy the most current (e.g., 2013 CU14, 2016 CU3) or the prior (e.g., 2013 CU13, 2016 CU2) Cumulative Update release.

For the latest information on Exchange Server and product announcements please see What’s New in Exchange Server 2016 and Exchange Server 2016 Release Notes. You can also find updated information on Exchange Server 2013 in What’s New in Exchange Server 2013, Release Notes and product documentation available on TechNet.

Note: Documentation may not be fully available at the time this post was published.

The Exchange Team

Today, we released an updated version of the Exchange Server Role Requirements Calculator.

This release focuses around two specific enhancements.

1. Exchange 2016 designs now take into account the CU3 improvement that reduces the bandwidth required between active and passive HA copies as the local search instance can read data from its local database copy.
2. The calculator now supports the ability to automatically calculate the number of DAGs and the corresponding number of Mailbox servers that should be deployed to support the defined requirements. This process takes into account memory, CPU cores, and disk configuration when determining the optimal configuration, ensuring that recommended thresholds are not exceeded.

As a result of this change, you will find that the Input tab has been rearranged. Specifically, the DAG variables have been moved to the end of the worksheet to ensure that you have completely entered all information before attempting an automatic calculation.

As with everything else in the calculator, you can turn the automatic calculation off and manually select the number of Mailbox servers and DAGs you would like to deploy.

For all the other improvements and bug fixes, please review the Release Notes, or download the update directly.

As always we welcome feedback and please report any issues you may encounter while using the calculator by emailing strgcalc AT microsoft DOT com.

Ross Smith IV
Principal Program Manager
Office 365 Customer Experience

We are on a roll! Following our recent migration program announcement, we wanted to see if there are customers who would like to help us validate migration of larger scale public folders from Exchange on-premises to Exchange Online (EXO). Here are two parameters that define what we are looking for at this time:

1. Public folders are currently homed on Exchange 2010 servers on-premises
2. You have between 100,000 – 500,000 public folders in your legacy PF hierarchy

If you have wanted to migrate to EXO in the past and have been blocked due to the 100K Public Folder limitation, this is your chance!

In case you are interested in trying out the migration from the above setup to Exchange-Online (EXO), please contact the PF migration team at modernpfmigrationtoexo@service.microsoft.com with the following details:

• Organization Name
• Tenant domain name in Exchange Online
• Exchange version
• Total size of Public Folders
• Largest Public Folder size
• Total count of Public Folders
• Count of Mail enabled Public Folders
• Which clients are used by users to access PF?
• Number of users
• Number of exchange server installations
• Is Exchange Hybrid setup done?
• When is the plan to migrate users to EXO?

We will review the details and get back to you at the earliest.

Let us know!

Public Folder Migration team

There are times when the deletion of a user account or a mailbox needs to be undone. It could be that you accidentally deleted the wrong user or maybe you are not really sure what happened to a mailbox, but want to attempt a recovery. Regardless of the reason, we have created a troubleshooter that will guide you to the best possible recovery option (https://aka.ms/MailboxRecovery).

How it works

We will ask you few questions about the current state of the user and mailbox you want to recover, then we will provide a solution based on the answer provided. For the most part we provide a solution that can be handled by a Tenant Administrator, but there are a couple of instances where we recommend calling support.

Who Should Run this tool

We recommend that only administrators that are very comfortable with PowerShell run this troubleshooter. The mailbox recovery process can be pretty complex and while this tool helps streamline you to a solution, the process of solution discovery and remediation can be challenging.

Is this only for Hybrid customers?

No, this troubleshooter is meant for any customer using Exchange Online that find themselves in a place where they need to recover a mailbox. You can have Directory Synchronization in place or you could be running cloud only with no sync. We will walk you through the appropriate scenario with three simple questions.

Conclusion

The recovery of a user and their associated mailbox can be a hard thing to accomplish, especially considering most of us perform these operations infrequently. If it is done incorrectly the results can lead to account and or mailbox data loss. Following this guide will ensure that you are doing what you can to prevent those issues.

I would like to thank everyone who has contributed to the development and publishing of this tool. Especially: Charlotte Raymundo, Jon Bradley, Murali Natarajan, and Timothy Heeney.

Bio Awojobi