Office 365 Mailbox Migration Status Stuck Syncing

We had a mailbox that wouldn't complete migrating from a hybrid setup with an on-premises Microsoft Exchange 2013 server to Office 365. We cancelled the migration several times and restarted it, but it always got hung up at the end without completing, with status Syncing or InProgress; we left it for days and it still wouldn't complete.

We found that corruption in the calendar ACLs was causing the issue. The Office 365 portal showed no message about corruption or skipped items.

We connected to Office 365 through PowerShell and issued the following commands. The first approves the skipped items (oddly, the portal never prompted us to approve them during the migration) and the second completes the batch:

Set-MigrationBatch -Identity TypeNameOfTheBatchHere -ApproveSkippedItems
Complete-MigrationBatch -Identity TypeNameOfTheBatchHere
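As an added example that is not from the original post, the following PowerShell script lists each user's skipped items (the items that -ApproveSkippedItems gives up on) before running the two commands above, so the data loss is a reviewed decision rather than a side effect. It assumes an existing Connect-ExchangeOnline session; the $BatchName parameter, the -Approve switch and the skipped-item property names are the script's own assumptions.

```powershell
# Added example, not from the original post. Requires an existing Connect-ExchangeOnline session.
# $BatchName is the post's "TypeNameOfTheBatchHere"; -Approve is a switch added here.
param(
    [Parameter(Mandatory = $true)][string]$BatchName,
    [switch]$Approve
)

# Batch-level view: a Syncing/InProgress batch with no failures is the symptom described above.
$batch = Get-MigrationBatch -Identity $BatchName
"Batch {0}: Status={1} Synced={2} Failed={3}" -f $batch.Identity, $batch.Status, $batch.SyncedCount, $batch.FailedCount

# Per-user view: -IncludeSkippedItems populates the SkippedItems list that the portal never showed.
foreach ($user in Get-MigrationUser -BatchId $BatchName) {
    $stats = Get-MigrationUserStatistics -Identity $user.Identity -IncludeSkippedItems
    "{0}: status {1}, {2} skipped item(s)" -f $user.Identity, $stats.Status, $stats.SkippedItemCount
    # Property names on the skipped-item entries are assumed; adjust to what your tenant returns.
    $stats.SkippedItems | Select-Object Kind, FolderName, Subject | Format-Table -AutoSize
}

if ($Approve) {
    # The two commands from the post, run only after the listing above has been reviewed.
    Set-MigrationBatch -Identity $BatchName -ApproveSkippedItems
    Complete-MigrationBatch -Identity $BatchName
} else {
    'Review the skipped items above, then re-run with -Approve to approve them and complete the batch.'
}
```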

Outlook “Need Password” With No Prompt – Office 365 Multifactor Authentication

After migrating mailboxes from on-premises Exchange 2013 to Office 365, some Microsoft Outlook 2016/2019/Office 365 clients kept getting a "Need Password" message in the bottom right-hand corner of Outlook without being prompted to enter it. Clicking the message made it disappear and Outlook resumed receiving email, but after a little while the message came back, and this behaviour persisted throughout the day.

Modern Authentication is enabled and might have contributed to the issue.

1- The following registry keys fixed the issue (close Outlook and other Microsoft Office programs before making changes, and reboot the computer afterwards). Add each value as a DWORD set to 1. You can save the following as a .reg file and double-click it to add the keys automatically:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity]
"Version"=dword:00000001
"EnableADAL"=dword:00000001
"DisableADALatopWAMOverride"=dword:00000001
"DisableAADWAM"=dword:00000001

2- Now browse to the following registry location:

HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Outlook\AutoDiscover

Check whether the following DWORD value exists:

ExcludeExplicitO365Endpoint

and if it does, delete it.

3- Reboot the computer after that.

Modern Authentication / Outlook 2016 Password / OWA / App Password

In Office 365 two-factor authentication (2FA), an App Password is used for older versions of Microsoft Outlook or for non-Microsoft email clients on devices like Macs or smartphones.

If, after enforcing 2FA in Office 365, you are trying to configure Outlook 2016 for email and Outlook keeps rejecting the password you have been using (which works with OWA), while an App Password works in Outlook, then you might want to add a registry key to enable and enforce Modern Authentication.

Make sure Modern Authentication is turned on in the Office 365 portal: log in as admin, expand Settings, click Org Settings, select Modern Authentication and turn it on.

  • Outlook 2010 doesn't support Modern Authentication.
  • Outlook 2013 supports Modern Authentication but you need to add the following two registry values, each a DWORD set to 1:

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\EnableADAL

HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Identity\Version

The following key will enforce it:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover

  • Outlook 2016 supports Modern Authentication and it is on by default, but we have had to enforce it in some instances because Outlook kept prompting for a password and wouldn't accept the password that worked with OWA, while it did work with an App Password. Enforcing Modern Authentication made Outlook 2016 accept the regular Office 365 password (the one that works with OWA). Add the following DWORD and set it to 1:

HKEY_CURRENT_USER\Software\Microsoft\Exchange\AlwaysUseMSOAuthForAutoDiscover
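As an added example, not from the original post, here is a PowerShell version of steps 1 to 3 of the "Need Password" fix for the 16.0 (Outlook 2016/2019/365) paths that also prints the registry state before and after, and with -EnforceMsoAuth sets the AlwaysUseMSOAuthForAutoDiscover value from this Modern Authentication section. The switch and the helper function names are the script's own; the post lists the 15.0 path with only Version and EnableADAL for Outlook 2013, which this script does not cover.

```powershell
# Added example, not from the original post. Run in the affected user's session with Outlook
# closed, then reboot. -EnforceMsoAuth is a switch added here.
param([switch]$EnforceMsoAuth)

$identity = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'
$autodisc = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\AutoDiscover'
$exchange = 'HKCU:\Software\Microsoft\Exchange'
$wanted   = @{ Version = 1; EnableADAL = 1; DisableADALatopWAMOverride = 1; DisableAADWAM = 1 }

# Helper (script's own): read one value, or report it as missing instead of throwing.
function Get-RegValue([string]$Path, [string]$Name) {
    $v = (Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $v) { '<missing>' } else { $v }
}

# Helper (script's own): one line per value the post talks about, so before/after can be compared.
function Show-State {
    foreach ($name in $wanted.Keys) { '  {0,-32} {1}' -f $name, (Get-RegValue $identity $name) }
    '  {0,-32} {1}' -f 'ExcludeExplicitO365Endpoint', (Get-RegValue $autodisc 'ExcludeExplicitO365Endpoint')
    '  {0,-32} {1}' -f 'AlwaysUseMSOAuthForAutoDiscover', (Get-RegValue $exchange 'AlwaysUseMSOAuthForAutoDiscover')
}

'Before:'; Show-State

# Step 1: the four Identity DWORDs, created or overwritten with 1.
if (-not (Test-Path $identity)) { New-Item -Path $identity -Force | Out-Null }
foreach ($name in $wanted.Keys) {
    New-ItemProperty -Path $identity -Name $name -PropertyType DWord -Value $wanted[$name] -Force | Out-Null
}

# Step 2: delete the AutoDiscover override if it exists (a missing value is not an error here).
if (Test-Path $autodisc) {
    Remove-ItemProperty -Path $autodisc -Name 'ExcludeExplicitO365Endpoint' -ErrorAction SilentlyContinue
}

# Optional: force Modern Authentication for Autodiscover, the value given in this section.
if ($EnforceMsoAuth) {
    if (-not (Test-Path $exchange)) { New-Item -Path $exchange -Force | Out-Null }
    New-ItemProperty -Path $exchange -Name 'AlwaysUseMSOAuthForAutoDiscover' -PropertyType DWord -Value 1 -Force | Out-Null
}

'After:'; Show-State
'Step 3: reboot the computer.'
```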

Note: registry changes might result in problems and serious issues with computers and software.  Do it at your own risk.

How to Force Sync Azure AD Connect with Azure Office 365

If you have Azure AD Connect syncing with Azure / Office 365 and want to force a sync with Azure AD right after creating a new user, start PowerShell on the server that has Azure AD Connect installed and type:

Import-Module ADSync

Get-ADSyncScheduler

Start-ADSyncSyncCycle -PolicyType Delta

How to Connect to Office 365 Through PowerShell

1- In Windows, run PowerShell as an administrator.

2- Install the Exchange Online PowerShell V2 module if it is not installed:

Install-Module -Name ExchangeOnlineManagement

3- Import Exchange Online Management module:

Import-Module ExchangeOnlineManagement

On Windows 11 you might have to allow running scripts, because script execution is disabled by default; run this command to allow it:

Set-ExecutionPolicy RemoteSigned

4- Connect to Office 365 with admin user:

Connect-ExchangeOnline -UserPrincipalName Admin@WhateverDomain.com

Replace Admin@WhateverDomain.com above with your Office 365 administrator account. You will be prompted for credentials, and for a code if multi-factor authentication is enabled.

5- After that, if you want, for instance, to grant a user named User1 "Author" permissions on the root of the public folder tree and every folder beneath it:

Get-PublicFolder -Identity "\" -Recurse | Add-PublicFolderClientPermission -User User1 -AccessRights Author

Replace User1 above with the user you want to grant access to.

6- To view permissions on the public folder called My Public Folders:

Get-PublicFolderClientPermission "\My Public Folders"

How to renew the OAuth SSL Certificate in Exchange

Open Exchange PowerShell (the Exchange Management Shell) on the Exchange server.

Run the following command (replace *.domainname below with your domain name):

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "CN=Microsoft Exchange Server Auth Certificate" -DomainName "*.domainname" -FriendlyName "Microsoft Exchange Server Auth Certificate" -Services SMTP

Answer No to the overwrite prompt.

Write down the certificate thumbprint.

Type:

$date = Get-Date

Type:

Set-AuthConfig -NewCertificateThumbprint <certificate_thumbprint> -NewCertificateEffectiveDate $date

Substitute <certificate_thumbprint> above with the certificate thumbprint that you wrote down.

Confirm with Y.

Type:

Set-AuthConfig -PublishCertificate

Type:

Set-AuthConfig -ClearPreviousCertificate

Restart the Microsoft Exchange Service Host service

Restart IIS
IISReset
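The renewal sequence above as a single PowerShell script, added here as an example that is not from the original post: the thumbprint is taken from the cmdlet output instead of being copied by hand, and the auth configuration and certificate expiry are checked before and after. It runs in the Exchange Management Shell; *.contoso.com stands in for the post's *.domainname.

```powershell
# Added example, not from the original post. Run in the Exchange Management Shell.
$domain = '*.contoso.com'   # placeholder for the post's "*.domainname"

# What is in use now, and when does it expire? This is the check worth doing before touching anything.
$auth = Get-AuthConfig
if ($auth.CurrentCertificateThumbprint) {
    $old = Get-ExchangeCertificate -Thumbprint $auth.CurrentCertificateThumbprint
    "Current auth cert {0} expires {1:u}" -f $old.Thumbprint, $old.NotAfter
}

# Create the replacement. If asked to overwrite the default SMTP certificate, answer No as in the post.
$new = New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true `
    -SubjectName 'CN=Microsoft Exchange Server Auth Certificate' -DomainName $domain `
    -FriendlyName 'Microsoft Exchange Server Auth Certificate' -Services SMTP
"New auth cert {0} expires {1:u}" -f $new.Thumbprint, $new.NotAfter

# Point the auth configuration at it, effective now (confirm with Y), then publish and drop the old one.
Set-AuthConfig -NewCertificateThumbprint $new.Thumbprint -NewCertificateEffectiveDate (Get-Date)
Set-AuthConfig -PublishCertificate
Set-AuthConfig -ClearPreviousCertificate

# Same restarts as the post.
Restart-Service MSExchangeServiceHost
iisreset

# Verify: current should be the new thumbprint and nothing should remain as "previous".
$auth = Get-AuthConfig
"Now current: {0}  previous: '{1}'" -f $auth.CurrentCertificateThumbprint, $auth.PreviousCertificateThumbprint
if ($auth.CurrentCertificateThumbprint -ne $new.Thumbprint) {
    Write-Warning 'Auth config does not point at the new certificate; re-check Set-AuthConfig output.'
}
```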

Site link to create or delete Microsoft Office 365 App password

Below is the site used to create or delete the Microsoft Office 365 App Password needed for multi-factor authentication with non-Microsoft apps, such as native mail clients on smartphones, Mac Mail, or even older versions of Microsoft Outlook.

https://aka.ms/mysecurityinfo

Renewing VMware ESXi 6.0 SSL certificate – Certificate Error – Host – vCenter

If the self-signed VMware ESXi 6.0 SSL certificate has expired on a host and vCenter is displaying a warning or an error on that host, you will need to renew that SSL certificate.

The certificate can't be renewed through the VMware vSphere Client, but it can be renewed via the Web Client; unfortunately that requires Adobe Flash, which has been deprecated and is unavailable to download unless you still have an old browser with Flash installed and never removed it.

We had this issue last week. We found another way to renew that certificate: in the vSphere Client, right-click the host and disconnect it, wait a few seconds, then choose to reconnect it. Reconnecting the host automatically renews that SSL certificate.

Do at your own risk.  We take no responsibility for anything that could go wrong.

PowerShell failed to invoke ‘New-FederationTrust’: Unable to access the Federation Metadata document from the federation partner

We were in the process of migrating mailboxes from on-premises Exchange 2013 running on Windows Server 2012 to Office 365, and while running the Hybrid Configuration Wizard we were getting the following error:

PowerShell failed to invoke ‘New-FederationTrust’: Unable to access the Federation Metadata document from the federation partner. Detailed information: “The underlying connection was closed: An unexpected error occurred on a receive

After some troubleshooting and collecting logs, we found that we were getting that error because, a few years earlier and to comply with PCI requirements, we had disabled SSL and the weaker TLS versions and enabled TLS 1.1 and 1.2 on the Exchange server. We had only done the HTTPS part. The Hybrid Configuration Wizard was invoking .NET, which was still trying to use those disabled protocols, and therefore the wizard was failing. In the registry we forced .NET to use the newer TLS protocols rather than the disabled ones.

We added the following registry values:

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]

"SystemDefaultTlsVersions"=dword:00000001

-AND-

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]

"SystemDefaultTlsVersions"=dword:00000001
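An added example (not from the original post) that sets SystemDefaultTlsVersions in both .NET hives from an elevated PowerShell and then reads back the Schannel client protocol switches, so the .NET setting and the protocols disabled for PCI can be compared in one place. The Schannel registry paths are the standard Windows ones and are not taken from the post.

```powershell
# Added example, not from the original post. Run from an elevated PowerShell on the Exchange server.
$netKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',                # 64-bit .NET Framework 4.x
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319'     # 32-bit processes on 64-bit Windows
)

# With SystemDefaultTlsVersions=1, .NET follows the operating system's TLS protocol settings
# instead of its own hard-coded list, which is why the Schannel state below matters.
foreach ($k in $netKeys) {
    if (-not (Test-Path $k)) { New-Item -Path $k -Force | Out-Null }
    New-ItemProperty -Path $k -Name SystemDefaultTlsVersions -PropertyType DWord -Value 1 -Force | Out-Null
    $v = (Get-ItemProperty -Path $k -Name SystemDefaultTlsVersions).SystemDefaultTlsVersions
    "{0}\SystemDefaultTlsVersions = {1}" -f $k, $v
}

# Schannel client-side switches (the "HTTPS part" referred to above). A missing value means OS default.
$protoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'
foreach ($p in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
    $client  = Join-Path $protoRoot "$p\Client"
    $enabled = (Get-ItemProperty -Path $client -Name Enabled -ErrorAction SilentlyContinue).Enabled
    $byDef   = (Get-ItemProperty -Path $client -Name DisabledByDefault -ErrorAction SilentlyContinue).DisabledByDefault
    "{0,-8} Client: Enabled={1} DisabledByDefault={2}" -f $p,
        $(if ($null -eq $enabled) { 'default' } else { $enabled }),
        $(if ($null -eq $byDef)   { 'default' } else { $byDef })
}
```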

Windows Server 2008 crashes at startup – c00002e2

STOP: c00002e2 Directory Services could not start because of the following error: a device attached to the system is not functioning.

Applies to: Windows Server 2008, Windows Server 2008 R2 with Exchange 2007 installed on a single node.

You might face this issue during your daily work. The first reaction is to panic and think there is a huge problem and your domain controller is failing, not to mention the heat you will face if that domain controller is also hosting your Exchange 2007, which is typically the scenario I have seen in small business environments.

Cause: 

This problem occurs because one or more of the following conditions are true:

– The NTFS file system permissions on the root of the drive are too restrictive.

– The NTFS file system permissions on the NTDS folder are too restrictive.

– The drive letter of the volume that contains the Active Directory database has changed.

– The Active Directory database (Ntds.dit) is corrupted.

– The NTDS folder is compressed.

Troubleshooting steps:

  1. Boot into Directory Services Restore Mode (F8). You might need to do it twice if you have an error on your HDD.
  2. Run CHKDSK in read-only mode to verify that there are no errors on your hard drive. If it reports an error on the hard disk, feel free to run CHKDSK /R; it will not ruin the data on your hard disk, so don't believe the myths.
  3. Boot again into Directory Services Restore Mode (F8).
  4. Open a command prompt with administrative privileges and run the following commands:
     NTDSUTIL
     activate instance NTDS
     files info

You will see an error similar to the following:

“Error: Could not initialize the Jet engine: Jet Error -501. Failed to open DIT for AD DS/LDS instance NTDS. Error -2147418113”

Event log: 

  • Error 1003: Active Directory Domain Services could not be initialized. The directory service cannot recover from this error. Restore the local directory service from backup media. Error value: -501 JET_errLogFileCorrupt, Log file is corrupt
  • Error 465: NTDS (2156) Corruption was detected during soft recovery in logfile C:\Windows\NTDS\edb.log. The failing checksum record is located at position END. Data not matching the log-file fill pattern first appeared in sector 6697 (0x00001A29). This logfile has been damaged and is unusable.
  • Error 454: NTDS (2256) Database recovery/restore failed with unexpected error -501.

Solution: 

The solution to this error is very simple and is done in one step:

Go to the C:\Windows\NTDS folder, rename all *.log files to .old and restart the system.

For example, edb.log should be renamed to edb.log.old.

This will solve the issue and your Active Directory Domain Services will start again.

It might be wise at this point to consider replacing your HDD and checking your GPO policies if you see any more file corruption.
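As an added example, not from the original post, this PowerShell script checks the listed causes that can be verified from a shell (compression and NTFS permissions on the drive root and the NTDS folder), shows the three quoted event IDs from the Directory Service log, and performs the log rename only when -RenameLogs is given. The default C:\Windows\NTDS path and the switch are the script's own assumptions; run it from an elevated PowerShell in Directory Services Restore Mode.

```powershell
# Added example, not from the original post. Run elevated in Directory Services Restore Mode.
param(
    [string]$NtdsPath = 'C:\Windows\NTDS',   # assumed default location of Ntds.dit and edb*.log
    [switch]$RenameLogs
)

# Causes from the list above: compressed NTDS folder, or ACLs on the root / NTDS folder too restrictive.
$root = [IO.Path]::GetPathRoot($NtdsPath)    # e.g. C:\
foreach ($p in $root, $NtdsPath) {
    $item = Get-Item -Path $p
    $compressed = [bool]($item.Attributes -band [IO.FileAttributes]::Compressed)
    "{0}  compressed={1}" -f $p, $compressed
    (Get-Acl -Path $p).Access | Format-Table IdentityReference, FileSystemRights, AccessControlType -AutoSize
}

# The three event IDs quoted in the post point at a corrupt transaction log rather than at Ntds.dit itself.
Get-EventLog -LogName 'Directory Service' -Newest 200 |
    Where-Object { @(1003, 465, 454) -contains $_.EventID } |
    Format-Table TimeGenerated, EventID,
        @{ n = 'Message'; e = { $_.Message.Substring(0, [Math]::Min(120, $_.Message.Length)) } } -Wrap

if ($RenameLogs) {
    # edb.log -> edb.log.old, and the same for any other *.log in the folder; the database file is untouched.
    Get-ChildItem -Path $NtdsPath -Filter *.log | ForEach-Object {
        Rename-Item -Path $_.FullName -NewName ($_.Name + '.old')
        "renamed {0} -> {0}.old" -f $_.Name
    }
    'Logs set aside; restart the server so AD DS can start again.'
} else {
    'Review the output above, then re-run with -RenameLogs to rename the *.log files to .old.'
}
```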

If you find this article helpful, please send us a note to WDallal@bostonIT.com so we can keep on adding quality hands-on articles.