Featured Post

How the Sumatra Double-Booking cmdlet works

Free trial if you qualify and contact us . First: you can always get help at the PowerShell prompt with: get-help Get-suDoubleBookedMeeti...

Thursday, December 14, 2017

Surviving a botched Windows update: recover your Outlook profiles

I returned from a client meeting and saw a required reboot after a Windows 10 or Office 2016 Update (I'm not sure which).  After the reboot, the Windows startup said the boot drive was inaccessible.  After spending a half day trying to recover, I gave up and "recovered Windows 10."  Of course that meant I lost every installed application on my hard drive.  Recover kept my user files.  Fortunately most are stored on a different drive and on Sumatra's SAN and cloud drives.

The hardest part was recovering my Outlook Profile -- i was not looking forward to re-entering all of the credentials for my various email accounts.  Windows moved the old windows to a new folder "Windows.Old"  found my old registry hive, and was able to extract the Outlook Profile.

Here's the steps.   Thanks to JRich from Mass General for blog post that pointed me in the right direction!!

In Powershell, run as the administrator:
1. Use the REG command to load the "old hive" into your registry under the HK Local Machine

reg load 'HKLM\_OldOutlook' "C:\Windows.old\Users\riuliano\NTUSER.DAT"

2. Open RegEdit navigate to Outlook, i.e.
HKEY_Local_Machine\_OldOutlook\Software\Microsoft\Office\16.0\Outlook\

3. In Regedit, right-click on "Profiles" and Export the file

4. Edit the exported profile file, and replace "Hkey_Local_Machine\_OldOutlook" with "HKey_Current_User\".  Save the file

5. Back in RegEdit, Import the "reg" file you just edited.

6. Back in Powershell, remove the registry key and garbage collect.
reg unload hklm\OldOutlook

[gc]::collect()

That's IT!



BTW, if you want to see what the director looks like in powershell, you can create a virtual directory of the old hive:
New-PSDrive -Name OldOutlook -PSProvider Registry -Root "HKLM\_OldOutlook"

then you can "cd OldOutlook:"
and get-item and value.  I'm sure i could have looped through and copied each profile key from the old hive to the new hive.  Export seemed much simpler, though.

Remember to remove the PSDrive:
Remove-PSDrive OldOutlook


Tuesday, December 12, 2017

Access Runtime in a click-to-run world

A quick FYI:

Some Sumatra products require MS Access Runtime.   Microsoft offers two versions:

Microsoft Access 2016 Runtime Download  and
Microsoft Access 2013 Runtime Download

Both version of the Access Runtime products are installed via an "MSI" or Windows installer.

Here's the rub: C2R and MSI of the same major version cannot be installed side by side. 

If you have Office 365, you are likely to have the Office "click-to-run" (C2R) version.  Since there is no C2R for either Access Runtime, you'll have to install the Access 2013 Runtime.  Microsoft says the two versions are functionally equivalent, and this installation should work smoothly.

If you wonder what will happen if you install the Access 2016 Runtime and Office C2R, this is what you'll see:


Migrating calendar user settings into Exchange / Office 365

Today's topic on migrating into Exchange or Office 365 from a legacy system is USER SETTINGS.

Spoiler alert: I'm going to make the case that this is something you should put in the hands of your end users post-migration.  At best it's a necessary evil for a subset of high value individuals in your organization and at worst an example of sticking your finger in an already hopelessly broken dike hoping to keep it all together before the deluge overwhelms you and you needlessly drown.

In our 80/18/2 rubric, we're in the 2% in terms of user satisfaction, and that's also about as much of this as you can successfully automate server-side.

Let's begin with the end in mind and look at how the settings get put into Exchange.  Then we'll work back from there.

Set-MailboxCalendarConfiguration is your major asset in this endeavor.

Read it.  Study it.  Grok it. 

You can now take server-side control of SETTING user preferences in your organization. 
Notice I did not write MIGRATING user preferences, keep an eye on this.

Let's take DefaultReminderTime as a simple starter example.

Set-MailboxCalendarConfiguration ^
    -Identity "Jimi Hendrix" ^ 
    -DefaltReminderTime 00:30:00

Sets the default reminder time for Jimi Hendrix at 30 minutes.

We could also on the Exchange side set:  WorkDays, 
WorkingHoursStartTime, WorkingHoursEndTime, WeekStartDay, all really useful in calendar management.  You can set this via Group Policy “Microsoft Outlook”, “Outlook Options”, ”Preferences”, ”Calendar Options”.  We find it’s much more convenient to set the hours via “Set-MailboxCalendarConfiguration” than Group Policy since it allows the users to change their work hours. The down side of the cmdlet: you’ll have to run this for every new mailbox-enabled account you create.

Let's look at an Oracle Calendar Server legacy system

Now, working backwards, we need to get that default reminder time information out of our legacy system.  

In Oracle Calendar Server you can use uniuser to get your user lists and you can use it to provision users.  But you cannot use uniuser or any other server-side tools  to get individual user preferences.

Let me repeat: you cannot get the info you want on an individual basis from the server.

You CAN get the default user profile in $ORACLE_HOME/ocal/misc/user.ini 

Looking at that:

Notice that the TimeBeforeReminder is FAR MORE CONSTRAINED than Exchange/Office 365/Outlook allow.

Remember in an earlier post when I wrote about disconnects between your legacy and Exchange?  Welcome to the disconnects.

And just because this is more popular lately let's consider Oracle Communications Calendar Server which we access server-side via WCAP.  The user settings are not in general available by any of the options.  get_accountprops.wcap is the most obvious, but is highly limited.  We can get ACLs, but see our earlier comments on delegate migration.

So your users have more discretion than they had before and setting their preferences in the client user interface takes a few minutes as opposed to a few hours.

You COULD use the PowerShell cmdlet to set the same default for all users.  You could probably also apply a Group Policy to accomplish the same business goal.  But re-creating individual user preferences server-to-server is a no-go from the start.

Our conclusion: Don't bother.  But tell them in advance.

We've only looked at Oracle calendars so far.

Let's look at one more legacy system -- Zimbra calendaring.

From the administration console we can see the preferences information for a given user:



Yes, the data is there, but again there is no server-side means of exporting it.  You can get at all the users on the system but their specific calendar preferences require client-side methods (which are SLOOOOOOOWWWWWW and inefficient).  We've actually looked at the mySQL database where all this info is stored and while it is possible to extract, we also found significant reticence among migration sites when we used tools like putty and HeidiSQL to extract data.  And that was mainstream calendar data!  We've since refined our calendar migration methods to avoid those requirements.

Email and calendar migration get you accolades and you can accomplish them successfully.  Leave the user preferences in a new system where they belong -- in the hands of the users.

We recommend you communicate this to your users in advance.  95% of them won’t know or care, and you will force the remaining 5% to find something else to whine about.

Tuesday, December 05, 2017

Calendar Migrations: The 80/18/2 rule

Enterprise migrations are as much a social engineering issue as a data conversion issue.

Keep in mind, we're talking organizations here as opposed to single-users, and we're focused on server-to-server solutions as opposed to client-to client solutions.

Let's get into that social engineering by way of the perceived utility among your user base, shall we?

If you're acquainted with the 80/20 rule, we're going to give you, based on our experience of doing this kind of stuff since 2001, our own 80/18/2 rule when it comes to migrating into Exchange or Office 365.

To wit:
  • 80% of what you need to migrate is email.
  • 18% is calendars (full-state or flat, doesn't matter), contacts, tasks 
  • 2% is user preferences, settings, delegates 
Getting 80% done should cost you NOTHING
Email is manageable with imapsync and your cost is  €100 EUR for product and support no matter your enterprise size.  Why on earth would you pay anybody for email migration when this is available (unless you have a backroom deal with a consultant)?  We've even done a couple of guides one of which you can download here.

We've done several posts on how to use imapsync to migrate into Exchange / Office 365.

If all you (need to) care about is email you're done here.

Your likely result in this 80%:  
Your end-user efforts: Minimal
Your Admin efforts: Moderate to high
Your End User Satisfaction: Moderate (if you stop here)

Your next 18%
Contacts and tasks are not other-user-connected information and (worst case) you can move them via CSV/TXT file methods.

Calendars are a more complex discussion.  In fact this entire blog is dedicated to migrating calendars and keeping as much of the useful connections between users intact.

Anybody who's promising you "no data loss" in a migration and takes calendars without re-creating the guest list has been dealing in alternate facts.

If you do not care about attendees, attendee responses, and resource bookings, there are a variety of solutions.  If your enterprise wants "no data loss" when it moves to a new collaboration platform, i.e.,  to keep its meetings as meetings, please search this blog for the legacy system and read the appropriate articles.

We do charge for that capability.

Your likely result in this 18% with Sumatra methods: 
Your end-user efforts: Minimal
Your Admin efforts: Moderate to high (depends on experience level)
Your end-user satisfaction: HIGH

Your likely result in this 18% without Sumatra methods:  
Your end-user efforts: HIGH (Need to re-create meetings, resource bookings)
Your Admin efforts: Low.  (We have seen sites choose based on Admin efforts -- their call)
Your end-user satisfaction: Low to moderate

The final 2% (the last mile to the finish line)
Let's talk about that last part since it's portrayed out of proportion to its time value: 
  • User preferences, 
  • Delegates
  • Junk Mail filtering rules
  • Client-side Outlook re-configuration
User Preferences
Many of these are scriptable.
One of us has in fact has been itching to write about how to script user preference migration so keep an eye on this blog.
The important things to keep in mind here are:
  1. From almost any legacy system there is going to be a disconnect between user preferences offered and Exchange / Office 365.
  2. Even if there is not a disconnect in a specific functionality, the question is can you get at the legacy data via server-side utilities?
  3. Setting user preferences is a great opportunity (a "teachable moment") to enforce encourage your users getting training and actually taking steps in Exchange before or after a migration.
Delegates
You would LIKE to think Delegates are a simple matter.

This is exactly incorrect.

First off, because the model for delegates is usually very different between your legacy system and Microsoft Exchange.  Example: In Oracle Calendars delegate access (called Designate access in OCS) is OBJECT-BASED and in Exchange it's FOLDER-BASED.  

Second because over time the number of delegates in legacy systems has usually out-grown the organization's needs and some re-thinking is most definitely in order.  During a migration is the perfect time to reset those access permissions. Or, worst case, you migrate all legacy delegates (and we mean it’s the worst case.) 

Third because after you set those delegate permissions in Exchange you discover that users can edit conference room bookings, and can see other’s calendar information. What’s the worst case: there is no good way to reverse the permissions.  Exchange has some native peculiarities that you're not going to really understand until you're in the thick of actually production deploying it and then it's either too late to change or a pain in the neck to re-do.  See: Two ways to grant access to a Resource in #MSFTExchange.

While it is possible to devise very clever technical solutions (and we have!) experience in this shows that (in stark contrast to a full-state calendar migration) it always leaves a subset of users grumbling that it did not do what they wanted.  

And grumbling is the enemy of a successful enterprise migration.  We prefer a few whining grumbling users to the entire organization ready to “run you out of town.”

Our conclusions from doing these: The effort is better spent as a training opportunity to get users active in setting up their delegates post-migration. 

Junk Mail / filtering Rules
This is potentially a real pain.  Thunderbird HAD a tool for email filtering migration but it's atrophied.

While Microsoft makes it possible to export rules from Outlook and import them to other Outlook clients, in general the methods for taking rules from legacy systems and migrating them simply to Outlook are lacking. And we've never seen it done server-side.


Best strategy we've seen for those who need to deal with it is to identify the high need individuals and get them or their admins training to help re-create essential rule sets. 

Client-side Outlook re-configuration
If users were using Outlook as a client in your legacy system you need to point them all to your Exchange domain now.

Not too difficult.  See Deploy Outlook mail profile settings via GPO or script


The process as described in that link is solid, but we have found problems with the VB script in it. If you are a Sumatra client please feel free to ask us for our VB script:  deployprf.vbs

Your likely result in this 2%:  Experience tells us user response is almost a complete crap-shoot if you try to automate it.  Best you can hope for is a low complaint level.  No one is ever really grateful for it.
Your end-user efforts: Low to Moderate
Your Admin efforts: Moderate to high
Your end-user satisfaction: it’s dependent upon end-user communication and expectation management

Tuesday, November 28, 2017

Prevent Double-Bookings in Office 365 Calendar

We keep getting Office 365 sites coming the blog with search terms something like "prevent double bookings in 365 calendar."  

Invariably they find our post Double-Booked Meeting Rooms in Office 365 (and how to avoid them)

Let's keep in mind this is usually a problem for conference rooms.  People are double-booked all the time and it's expected.
Lots of technical info there, but as with anything in calendaring you need to also put it into a social context.

The only ways to prevent double-bookings entirely in advance and at meeting creation time are:
  1. Disallow recurring bookings for resources
  2. Set the allowable conflict rate to 0%
  3. Make the resources go through a human gatekeeper
Now the social aspect of this:  Your users are probably going to balk at any of these.  And with good reason: 
  1. Recurring meetings are just so darned useful. 
  2. An allowable conflict rate of 0% is highly unrealistic
  3. Having someone in charge of each resource defeats the purpose of calendaring
This is also a big issue because there is no easy mechanism for individuals to scan ahead and see if there is a possible conflict on the horizon with their meetings.  One of my daughters actually has this problem with a recurring meeting at her organization.

This is what makes double-booking a thorny problem. 


It's configurable and customize-able for a variety of situations.  Since it's a cmdlet it seems to be making more headway with on-prem Exchange sites, but it there's demand for something entirely cloud-based we're happy to discuss the issue.

Documentation is here as a PDF.

Tuesday, November 21, 2017

SuPump when used on disabled accounts

We had an issue crop up in one of our favorite sites using the Sumatra Pump.

Calendar item insertion jobs were hanging and the error logs were showing things like this:

GetUserFromAD-ERROR: Failed while reading AD: (employeeId=F112ZHW); err: Object reference not set to an instance of an object.
GetUserFromAD-ERROR: Failed while reading AD: (employeeId=F112ZHY); err: Object reference not set to an instance of an object.
'ERROR: Failed while reading AD.(employeeId=F112ZHT)
ERROR: Failed while reading AD.(employeeId=33460A)

Simple to diagnose: The accounts causing the problem were DISABLED accounts.

To deal with it exclude the disabled accounts.
      Patient: "Doctor, it hurts when I do this."  
      Doctor: "Don't do that!"

WHAT (NOT) TO DO

An easy fix: add this criteria to exclude disabled accounts to the LDAP string in the _config.xml file:
(!userAccountControl:1.2.840.113556.1.4.803:=2)
Thus,  your LDAP4USER setting should look something like this  
LDAP://DC=YOUR_DC,DC=COMPANY,DC=COM;(&(mailNickName=*)(employeeID=*)(!userAccountControl:1.2.840.113556.1.4.803:=2))

What the heck do those strange numbers mean????

It’s a bitwise AND filter for the UAC.  

For more info on the UAC please see:


Tuesday, November 14, 2017

OWA :-( Something went wrong (owa/auth/errorFE.aspx?httpCode=500)

We were testing the Attachments in Oracle Calendar.  It works without problem in Office 365 as it seems to do on our Exchange 2016 On-Prem servers.  BUT, we can't confirm it, because OWA (o.k, Outlook on the web) puts up a ":-( Something went wrong " page (the URL is owa/auth/errorFE.aspx?httpCode=500) with no helpful information.




This walks through the testing and debugging I went through.  If you want to skip this and move directly to the answer, it was to recreate the certificates (see the bottom of the blog). Note, Google search results offered solutions that caused me to spin my wheels.  Before you try my solution, I urge you to ensure that your problem is the same as my problem.

What I tried:
Set TimeZone and Language. We provisioned a few test user mailboxes and started the insertion without first logging into those mailboxes.  A quick Google search suggested the problem is due to incompletely configured mailboxes, i.e., no time zone and language. The typical workflow: the user should be redirected to languageselection.aspx, choose the correct setting and then return. But not for us.  The Exchange Shell command, Set-MailboxRegionalConfiguration, without success.  

Get-Mailbox myuser | Set-MailboxRegionalConfiguration -Language 1033 

-TimeZone "Eastern Standard Time"

Cogmotive's blog conveniently provides the enumerated language and timezone values.

"Test-OWAConnectivity" -- It's removed in Exchange 2016!

Check  the event log.  
a) Looking at errors.  Came across. Can't find the  URL officeclient.microsoft.com?  A MSExchangeApplicationLogic Error 3018. It can't get out to the internet? 
Set proxy, -- no change: 
Set-ExchangeServer Server01 -InternetWebProxy http://10.3.3.3:80




b) Many Event 1309 Warnings
I was looking for errors -- but broadened the filter to include warnings.  I found many problems with Asp.Net.4.0.30319.0



This warning pointed me to a MS Support article: Event ID 1309 and you can't access OWA and ECP after you install Exchange Server 2016 or Exchange Server 2013.  It suggests "SharedWebConfig.config" is missing from the FrontEnd and ClientAccess.  The files are present. Recreating them one-at-a-time and restarting IIS made no difference. 




OK, that didn't work. onto the next one

c) Many 2004 Warnings -- Unable to find Certificate with thumbprint....

Checking Get-ExchangeCertificate, and Get-AuthConfig, I see the authCOnfig has the certificate, but not the Exchange Certificate.  This is getting closer!

What finally worked -- Create a new "Microsoft Exchange Server Auth Certificate": 

New-ExchangeCertificate  ...
* Don't replace the SMTP certificate 
* Note the thumbprint of the new certificate
* Put in place
$a=get-date
Set-AuthConfig -NewCertificateThumbprint EZxxxxx –NewCertificateEffectiveDate $a
Set-AuthConfig –PublishCertificate
* Remove reference to the old certificate
Set-AuthConfig -ClearPreviousCertificate.
iisreset

Bingo!

Saturday, August 12, 2017

Special Cases of Attachments in Oracle Calendar Migrations to Microsoft Exchange

Secure signed attachments in Oracle Communication Convergence Calendar, that is anything named “smime.p7m” or with a “.p7m” extension.  These are signed, secured attachments in in Oracle Communication Convergence Calendar so the Sumatra process takes them as the secured, signed (therefore encrypted) attachments they are.
Please make sure your security-tasked admins know this and are prepared to deal with it in a post-migration Microsoft Exchange environment and have their certificates and security arranged appropriately.
Otherwise we are migrating data that cannot be read in your Office 365 / Microsoft Exchange environment.
Inline attachments in Oracle Communication Convergence Calendar
OCC identifies inline attachments by excluding the file name and the format type.  Since Sumatra doesn’t know the file name or file type, we name the attachment “att_” + <>, without extension, and attach as a FILE (not inline.) 

Oftentimes users can leverage their browsers to view each attachment.  In the calendar event select the attachment and Right-Click-Open, selecting the appropriate application if you know what it is or Microsoft Explorer if you do not.  If the attachment does not display correctly please contact the meeting organizer.