Showing posts with label Exchange 2019. Show all posts

25 May 2023

Simply list all Shared Mailboxes from On-premises and in Exchange Online with PowerShell

Hey there, fellow tech enthusiasts!
Today, I have some lines to drop about how to simply list all your shared mailboxes.
In this case I wanted to get all email addresses.

Step 1: Connect to your environment

Connect to your on-premises Exchange environment (an Exchange Management Shell session, since Get-RemoteMailbox is an on-premises cmdlet).

Step 2: Retrieve On-Premises Shared Mailboxes

Let's start by fetching all the remaining shared mailboxes from your on-premises environment. Open up your PowerShell console and execute the following:

$OnPremSharedMailboxes = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize unlimited | Select-Object PrimarySmtpAddress

Step 3: Retrieve the remote shared mailboxes

Run the following commands:

Get all remote mailboxes
  $RemoteMailboxes = Get-RemoteMailbox -ResultSize unlimited

Keep only the remote shared mailboxes and select their SMTP address
  $ExchangeOnlineSharedMailboxes = $RemoteMailboxes | Where-Object { $_.RecipientTypeDetails -eq "RemoteSharedMailbox" } | Select-Object PrimarySmtpAddress

Step 4: Consolidate the Results

It's time to bring everything together and create a unified list of shared mailboxes. Run the following command to consolidate the on-premises and Exchange Online results (the @() wrappers keep the addition working when either side returned zero or one object):

  $AllSharedMailboxes = @($OnPremSharedMailboxes) + @($ExchangeOnlineSharedMailboxes)

With this command, you'll combine the arrays of on-premises and Exchange Online shared mailbox addresses into a single array called '$AllSharedMailboxes'. You can make other choices in your filter to generate a different list.

Step 5: Display the Results

  $AllSharedMailboxes

And just like that, your PowerShell console will present you with a complete list of shared mailbox addresses, combining the best of both on-premises and Exchange Online.
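As an added example (not code from the original post), here are the steps above folded into one function that also tags each address with where the mailbox lives, warns when the same address shows up on both sides, and can write the result to a CSV. It assumes an on-premises Exchange Management Shell session; the CSV path is a placeholder.

```powershell
# Added example, not part of the original post. Run in the on-premises
# Exchange Management Shell (Get-Mailbox and Get-RemoteMailbox are on-premises cmdlets).
function Get-HybridSharedMailboxInventory {
    [CmdletBinding()]
    param(
        # Optional CSV path (placeholder); when omitted the objects are only returned.
        [string]$CsvPath
    )

    # Shared mailboxes still hosted on-premises.
    $onPrem = Get-Mailbox -RecipientTypeDetails SharedMailbox -ResultSize Unlimited |
        ForEach-Object {
            [pscustomobject]@{
                Alias              = $_.Alias
                PrimarySmtpAddress = $_.PrimarySmtpAddress.ToString()
                Location           = 'OnPremises'
            }
        }

    # Shared mailboxes already in Exchange Online; on-premises they are
    # represented by a remote mailbox object of type RemoteSharedMailbox.
    $remote = Get-RemoteMailbox -ResultSize Unlimited |
        Where-Object { $_.RecipientTypeDetails -eq 'RemoteSharedMailbox' } |
        ForEach-Object {
            [pscustomobject]@{
                Alias              = $_.Alias
                PrimarySmtpAddress = $_.PrimarySmtpAddress.ToString()
                Location           = 'ExchangeOnline'
            }
        }

    # @() keeps the concatenation valid when either side yields 0 or 1 objects.
    $all = @($onPrem) + @($remote) | Sort-Object PrimarySmtpAddress

    # The same address on both sides should not happen in a healthy hybrid
    # (it usually means a migration left a stale object behind); report it.
    $all | Group-Object PrimarySmtpAddress | Where-Object Count -gt 1 | ForEach-Object {
        Write-Warning "Address $($_.Name) exists both on-premises and as a remote mailbox"
    }

    if ($CsvPath) {
        $all | Export-Csv -Path $CsvPath -NoTypeInformation -Encoding UTF8
    }
    return $all
}

# Usage: Get-HybridSharedMailboxInventory -CsvPath C:\Temp\SharedMailboxes.csv | Format-Table -AutoSize
```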

26 April 2023

Set-FederationTrust - "Unable to connect to the remote server"

Below are all the steps required to renew the "Exchange Delegation Federation" certificate.

By following the steps in the "Learn" document at https://learn.microsoft.com/en-us/exchange/renew-the-federation-certificate-exchange-2013-help everything should work fine. But if you still use a proxy you could see this:

This is the part where I was trying to get the certificate activated but wasn't allowed through the proxy:

Welcome to the Exchange Management Shell!

Full list of cmdlets: Get-Command
Only Exchange cmdlets: Get-ExCommand
Cmdlets that match a specific string: Help *<string>*
Get general help: Help
Get help for a cmdlet: Help <cmdlet name> or <cmdlet name> -?
Exchange team blog: Get-ExBlog
Show full output for a command: <command> | Format-List

Show quick reference guide: QuickRef
VERBOSE: Connecting to sr-xxxxx.domain.lan.
VERBOSE: Connected to sr-xxxxx.domain.lan.
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint CE7AB8B6603427556C825A1122E270E74F7B177A -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a22a6478-3923-408c-88f2-a54aa5db0f70,TimeStamp=25-4-2023 13:44:24] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>
[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
Unable to access the Federation Metadata document from the federation partner. Detailed information: "Unable to connect to the remote server".
    + CategoryInfo          : MetadataError: (:) [Set-FederationTrust], FederationMetadataException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c55ed676-399a-46ca-adca-13c851055ff4,TimeStamp=25-4-2023 15:13:47] [FailureCategory=Cmdlet-FederationMetadataException] 67AB8D6B,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -Thumbprint xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx -RefreshMetaData
WARNING: The federation trust has changed to prepare for the usage of a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the
domains configured for Federation before publishing the new certificate.
The new hash-value should be replaced with the OrgNextCertificate proof value output generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederatedDomainProof -DomainName domain.nl


RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgNextPrivCertificate
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Proof      : XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXnUXZ5I2/1r4OtQd+Ajif1kUWjbE/ZV/CIQfijGJlvcXXXXXXxsATxs82lE5l56iO+37XXXXXXXX

RunspaceId : 010137a2-e51c-41f7-88f6-f4e982724bb7
DomainName : domain.nl
Name       : OrgPrivCertificate
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Proof      : XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX
DnsRecord  : domain.nl TXT IN XXXXXXXXxqi4Dw2u377XXXXXXwpQUDo6TZrCyc+XgvWERobhE4b7WRnc2/lE89Sqta6FyFmOx++toIrBXXXXXXXX



[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------



[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>netsh winhttp clear proxy
The following command was not found: winhttp clear proxy.
[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>$Servers = Get-ExchangeServer; $Servers | foreach {Get-ExchangeCertificate -Server $_ | Where {$_.Services -match 'Federation'}} | Format-List Identity,Thumbprint,Services,Subject


Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Thumbprint : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
Services   : SMTP, Federation
Subject    : CN=Federation

Identity   : sr-xxxxx.domain.lan\XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Thumbprint : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX
Services   : SMTP, Federation
Subject    : CN=Federation

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=80e9b8ef-a09d-4128-a7c9-533951782758,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 12503763,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan

The Exchange Certificate operation has failed with an exception on server sr-xxxx1.  The error message is: Access is denied
    + CategoryInfo          : InvalidOperation: (:) [Get-ExchangeCertificate], LocalizedException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=a311f800-dc09-4efa-8ceb-ecd97b6f5965,TimeStamp=25-4-2023 15:41:21] [FailureCategory=Cmdlet-LocalizedException] 9671FFC8,Microsoft.Exchange.Manageme
   nt.SystemConfigurationTasks.GetExchangeCertificate
    + PSComputerName        : sr-xxxxx.domain.lan



[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
Creating a new session for implicit remoting of "Set-FederationTrust" command...
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:34:59] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>$webclient=New-Object System.Net.WebClient
[PS] C:\windows\system32>$webclient.Proxy.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:35:22] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp show proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [System.Net.SecurityProtocolType]::Tls12;
[PS] C:\windows\system32>[Net.ServicePointManager]::SecurityProtocol = [Net.ServicePointManager]::SecurityProtocol -bor [Net.SecurityProtocolType]::Tls12
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:35:57] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080
[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:36:47] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp import proxy source=ie

Current WinHTTP proxy settings:

    Proxy Server(s) :  http://proxy.domain.lan:8080
    Bypass List     :  10.*;*.domain.lan;<local>

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:40:27] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=42e63050-a895-4073-a082-6d835d11e3eb,TimeStamp=26-4-2023 07:40:53] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp reset proxy

Current WinHTTP proxy settings:

    Direct access (no proxy server).

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  (none)

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=4a2f2b24-cb84-4f2a-95c5-a87a4d36bc8f,TimeStamp=26-4-2023 07:43:46] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>netsh winhttp set proxy proxy.domain.lan:8080 bypass-list="*.microsoftonline-p.com"

Current WinHTTP proxy settings:

    Proxy Server(s) :  proxy.domain.lan:8080
    Bypass List     :  *.microsoftonline-p.com

[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=2f6f2f77-9d84-4029-b860-3274731a42b7,TimeStamp=26-4-2023 07:45:04] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Stop-Service -Name WinHttpAutoProxySvc -Force
Stop-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be stopped due to the following error: Cannot open WinHttpAutoProxySvc service on computer '.'.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : CloseError: (System.ServiceProcess.ServiceController:ServiceController) [Stop-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotStopService,Microsoft.PowerShell.Commands.StopServiceCommand

Stop-Service : Collection was modified; enumeration operation may not execute.
At line:1 char:1
+ Stop-Service -Name WinHttpAutoProxySvc -Force
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Stop-Service], InvalidOperationException
    + FullyQualifiedErrorId : System.InvalidOperationException,Microsoft.PowerShell.Commands.StopServiceCommand

[PS] C:\windows\system32>Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
Set-Service : Service 'WinHTTP Web Proxy Auto-Discovery Service (WinHttpAutoProxySvc)' cannot be configured due to the following error: Access is denied
At line:1 char:1
+ Set-Service -Name WinHttpAutoProxySvc -StartupType disabled
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : PermissionDenied: (System.ServiceProcess.ServiceController:ServiceController) [Set-Service], ServiceCommandException
    + FullyQualifiedErrorId : CouldNotSetService,Microsoft.PowerShell.Commands.SetServiceCommand

[PS] C:\windows\system32>whoami
domain\Username
[PS] C:\windows\system32>
[PS] C:\windows\system32>
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList "10.*;*.domain.lan"
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.*;*.domain.lan" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Microsoft.Exchange.Data.Fqd
n]". Error: "Failed to convert 10.*;*.domain.lan from System.String to Microsoft.Exchange.Data.Fqdn. Error: Error while converting string '10.*;*.domain.lan' to result type Microsoft.Exchange.Data.Fqdn: "1
0.*;*.domain.lan" isn't a valid SMTP domain."
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/


[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @{"10.*","*.domain.lan","*.microsoftonline-p.com"}
>> ^C
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("10.*","*.domain.lan","*.microsoftonline-p.com")
Cannot process argument transformation on parameter 'InternetWebProxyBypassList'. Cannot convert value "10.* *.domain.lan *.microsoftonline-p.com" to type "Microsoft.Exchange.Data.MultiValuedProperty`1[Mic
rosoft.Exchange.Data.Fqdn]". Error: "Cannot convert value "10.*" to type "Microsoft.Exchange.Data.Fqdn". Error: ""10.*" isn't a valid SMTP domain.""
    + CategoryInfo          : InvalidData: (:) [Set-ExchangeServer], ParameterBindin...mationException
    + FullyQualifiedErrorId : ParameterArgumentTransformationError,Set-ExchangeServer
    + PSComputerName        : sr-xxxxx.domain.lan

[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy http://1.1.1.1:8080 -InternetWebProxyBypassList @("domain.lan","microsoftonline-p.com")
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy           InternetWebProxyBypassList
----------------           --------------------------
http://1.1.1.1:8080/ {domain.lan, microsoftonline-p.com}


[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
An error occurred accessing Windows Live. Detailed information: "The remote server returned an error: (407) Proxy Authentication Required.".
    + CategoryInfo          : InvalidResult: (:) [Set-FederationTrust], LiveDomainServicesException
    + FullyQualifiedErrorId : [Server=sr-xxxxx,RequestId=c3dd4e8e-34bc-402a-9cdb-3cf6ca994637,TimeStamp=26-4-2023 07:56:54] [FailureCategory=Cmdlet-LiveDomainServicesException] 5A701C9F,Microsoft.Exchange
   .Management.SystemConfigurationTasks.SetFederationTrust
    + PSComputerName        : sr-xxxxx.domain.lan
	
And here I added the following domains, "domains.live.com" and "www.msftconnecttest.com", to the bypass list on the proxy:




[PS] C:\windows\system32>Set-FederationTrust -Identity "Microsoft Federation Gateway" -PublishFederationCertificate
WARNING: The federation trust has changed to use a new certificate for Federation. You should update all TXT proof-of-ownership records that were previously set in DNS for all the domains configured for
Federation. The new hash-value should be replaced with the OrgNextCertificate proof value output of the OrgNextCertificate generated with "Get-FederatedDomainProof -DomainName example.com".
[PS] C:\windows\system32>Get-FederationTrust | Format-List *priv*


OrgPrivCertificate     : xxxxxxB6603427556Cxxxx1122E270E74Fxxxxxx
OrgNextPrivCertificate :
OrgPrevPrivCertificate : XXXXXXXX1770CAA82C2XXXXXX385DD36XXXXXXXX



[PS] C:\windows\system32>Test-FederationTrust -UserIdentity user@domain.nl


Begin process.

STEP 1 of 6: Getting ADUser information for user@domain.nl...
RESULT: Success.

STEP 2 of 6: Getting FederationTrust object for user@domain.nl...
RESULT: Success.

STEP 3 of 6: Validating that the FederationTrust has the same STS certificates as the actual certificates published by the STS in the federation metadata.
RESULT: Success.

STEP 4 of 6: Getting STS and Organization certificates from the federation trust object...
RESULT: Success.


Validating current configuration for FYDIBOHF25SPDLT.domain.nl...


Validation successful.

STEP 5 of 6: Requesting delegation token...
RESULT: Success. Token retrieved.

STEP 6 of 6: Validating delegation token...
RESULT: Success.

Closing Test-FederationTrust...


RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationTrustConfiguration
Type       : Success
Message    : FederationTrust object in ActiveDirectory is valid.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : FederationMetadata
Type       : Error
Message    : Unable to retrieve federation metadata from the security token service.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : StsPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property TokenIssuerPrevCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : OrganizationPreviousCertificate
Type       : Success
Message    : Valid certificate referenced by property OrgPrevPrivCertificate in the FederationTrust object.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenRequest
Type       : Success
Message    : Request for delegation token succeeded.

RunspaceId : 043079c7-9ca2-4188-ac0e-681276d2b6e5
Id         : TokenValidation
Type       : Success
Message    : Requested delegation token is valid.



[PS] C:\windows\system32>
[PS] C:\windows\system32>Set-ExchangeServer -Identity sr-xxxxx -InternetWebProxy $null -InternetWebProxyBypassList $null
[PS] C:\windows\system32>Get-ExchangeServer -Identity sr-xxxxx | select *proxy*

InternetWebProxy InternetWebProxyBypassList
---------------- --------------------------

27 May 2020

How to create a shared mailbox from hybrid Exchange directly in Exchange Online but also visible in on-premises Active directory

Now that's a mouthful, but a question that's asked often.
And that's not strange at all, because after moving most of your mailboxes to Exchange Online, the inevitable new shared mailbox request will pop up.

Only to find out that if it is created the old way, you need to manually move it to Exchange Online.

And if you create a shared mailbox in the ECP you will soon find that you probably made the wrong choice: the new mailbox is not visible in your on-premises Active Directory.

That's where this script comes to the rescue.
It creates a remote shared mailbox and a security-enabled distribution group for Full Access and Send-As rights, adds that group to the mailbox, and hides the distribution group because it is only used for access rights.
It then logs in to Exchange Online, disables POP, IMAP, ActiveSync and OWA, and resets the proxy settings if necessary.

This can also be used to create user mailboxes; just tweak it to your needs.
It's also on my Github: https://github.com/brenkster/New-RemoteSharedMailbox

param ($Alias,$DisplayName)

# Show countdown timer (defined here but not called below; the inline Do/Until loop is used instead)

Function Start-Countdown
{
    Param(
        [Int32]$Seconds = 600,
        [string]$Message = "Waiting for 10 minutes"
    )
    ForEach ($Count in (1..$Seconds))
    {
        Write-Progress -Id 1 -Activity $Message -Status "Waiting for $Seconds seconds, $($Seconds - $Count) left" -PercentComplete (($Count / $Seconds) * 100)
        Start-Sleep -Seconds 1
    }
    Write-Progress -Id 1 -Activity $Message -Status "Completed" -PercentComplete 100 -Completed
}



#	Load Exchange Powershell module
#add-pssnapin Microsoft.Exchange.Management.PowerShell.E2010
add-pssnapin Microsoft.Exchange.Management.PowerShell.SnapIn
#	Load Active Directory Powershell module
import-module activedirectory
            
# Setup variables
$DomainController="servername.domain.lan"
$OU='domain.lan/Groups/Mail/Shared Mailboxes'
$OU2='domain.lan/Groups/Mail/Shared Mailbox Groups'
$UPNdomain = "@domain.nl"
$UPNRemoteDomain = "@domain.onmicrosoft.com"



if ($Alias)
{
    if ($Alias.Contains('@')) { $Alias = $Alias.Substring(0,$Alias.IndexOf('@')) }
    $AliasMailbox = Get-Mailbox $Alias -ErrorAction SilentlyContinue
    $AliasMailUser = Get-MailUser $Alias -ErrorAction SilentlyContinue
    if ($AliasMailbox -or $AliasMailUser)
    {
        Write-Host "The Alias specified already exists" -ForegroundColor red
        $Alias = $null
    }
}
while (!$Alias)
{
    $Alias = Read-Host -Prompt "Alias (max 20 characters)"
    if ($Alias)
    {
        if ($Alias.Contains('@')) { $Alias = $Alias.Substring(0,$Alias.IndexOf('@')) }
        $AliasMailbox = Get-Mailbox $Alias -ErrorAction SilentlyContinue
        $AliasMailUser = Get-MailUser $Alias -ErrorAction SilentlyContinue
        if ($AliasMailbox -or $AliasMailUser)
        {
            Write-Host "The Alias specified already exists" -ForegroundColor red
            $Alias = $null
        }
    }
}

if ($DisplayName)
{
    $DisplayNameMailbox = Get-Mailbox $DisplayName -ErrorAction SilentlyContinue
    $DisplayNameMailUser = Get-MailUser $DisplayName -ErrorAction SilentlyContinue
    if ($DisplayNameMailbox -or $DisplayNameMailUser)
    {
        Write-Host "The Display Name specified already exists" -ForegroundColor red
        $DisplayName = $null
    }
}
while (!$DisplayName)
{
    $DisplayName = Read-Host -Prompt "Display Name (as many characters as you like)"
    if ($DisplayName)
    {
        $DisplayNameMailbox = Get-Mailbox $DisplayName -ErrorAction SilentlyContinue
        $DisplayNameMailUser = Get-MailUser $DisplayName -ErrorAction SilentlyContinue
        if ($DisplayNameMailbox -or $DisplayNameMailUser)
        {
            Write-Host "The Display Name specified already exists" -ForegroundColor red
            $DisplayName = $null
        }
    }
}

# Setup more variables
$Alias=$Alias.ToLower()
$UPN=$Alias + $UPNDomain
$UPNRemoteRoutingAddress = $Alias + $UPNRemoteDomain

Start-Sleep -Seconds 10
# Create the SharedMailbox
Write-Host "Creating Shared Mailbox" -ForegroundColor green
New-RemoteMailbox -RemoteRoutingAddress "$UPNRemoteRoutingAddress" -Shared -UserPrincipalName "$UPN" `
-OnPremisesOrganizationalUnit $OU -Alias $alias -Name $alias -DisplayName $displayname `
-PrimarySmtpAddress $UPN -SamAccountName $alias -DomainController $domaincontroller
Write-Host "Created Shared Mailbox" -ForegroundColor green

Start-Sleep -Seconds 10
# Set the description for the SharedMailbox
Write-Host "Set Description" -ForegroundColor green
Set-ADUser $Alias -Description "Shared Mailbox t.b.v. $Displayname"
Write-Host "Description set" -ForegroundColor green

Start-Sleep -Seconds 10
# Create the distribution group (security type) that will carry the access rights
Write-Host "Creating Office365 Distributiongroup" -ForegroundColor green
New-DistributionGroup -DisplayName "SM.$alias" -Type Security -Alias "SM.$alias" -Name "SM.$alias" -OrganizationalUnit $OU2
Write-Host "Office365 Distributiongroup created" -ForegroundColor green

Start-Sleep -Seconds 10
# Hide the distribution group from the address lists; it exists only for access rights
Write-Host "Set Office365 distributiongroup hidden" -ForegroundColor green
Set-DistributionGroup -Identity "SM.$alias" -HiddenFromAddressListsEnabled:$true
Write-Host "Office365 distributiongroup set to hidden" -ForegroundColor green

Start-Sleep -Seconds 30
# Sync AADConnect and wait for the account to show up online
Write-Host "Starting Adsynccycle now" -ForegroundColor red
Invoke-Command -ComputerName servername.domain.lan -Port 5986 -UseSSL -ScriptBlock { Start-ADSyncSyncCycle -PolicyType Delta }
Write-Host "Adsynccycle has run" -ForegroundColor green

Write-Host "Waiting for AzureAD sync" -ForegroundColor green
#Start-Countdown -Seconds 600 -Message "Waiting for 10 minutes"

$Time = 600
$i = 0
Do {
    $i++
    Write-Progress -Activity 'Waiting for 10 minutes' -Status 'Status' -PercentComplete (($i/$Time)*100) -SecondsRemaining ($Time-$i)
    Start-Sleep 1
} Until ($i -eq $Time)

# Set WinHTTP to use the proxy so the Exchange Online connection can get out
netsh winhttp set proxy proxy.domain.lan:8080
Write-Host "Proxy Set" -ForegroundColor green

# Connect to ExchangeOnline PowerShell
Connect-ExchangeOnline -ShowProgress $true
Write-Host "Connected to ExchangeOnline" -ForegroundColor green

# Disable Mailbox features
Write-Host "Disabling OWA, POP, IMAP, ActiveSync" -ForegroundColor green
Set-CASMailbox -Identity $Alias -ImapEnabled $false -OWAEnabled $false `
-OWAforDevicesEnabled $false -PopEnabled $false -ActiveSyncEnabled $false -PopUseProtocolDefaults $false -ImapUseProtocolDefaults $false
Write-Host "OWA, POP, IMAP, ActiveSync disabled" -ForegroundColor green

Start-Sleep -Seconds 10
# Add the distribution group to the shared mailbox with Full Access
# (the mailbox now lives in Exchange Online, so the Exchange Online cmdlet imported above is used)
Write-Host "Setting Mailbox Full Access Permissions" -ForegroundColor green
Add-MailboxPermission -Identity $Alias -AccessRights FullAccess -User "SM.$Alias"
Write-Host "Full Access Permissions set" -ForegroundColor green

Start-Sleep -Seconds 10

# Add the distribution group to the shared mailbox with Send-As (on-premises AD permission)
Write-Host "Setting Mailbox Send-as Permissions" -ForegroundColor green
Add-ADPermission -Identity "$Alias" -User "SM.$Alias" -ExtendedRights 'Send-As' -DomainController $DomainController
Write-Host "Send-as Permissions set" -ForegroundColor green

Start-Sleep -Seconds 10

# Reset proxy to direct access
netsh winhttp reset proxy
Write-Host "Proxy Set to default" -ForegroundColor green
Write-Host "Script Finished" -ForegroundColor green
Write-Host "Close this window " -ForegroundColor Red
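An added example, not part of the original script or the GitHub repository: a poll that replaces the fixed 10-minute Do/Until wait, returning as soon as the new remote mailbox is visible in Exchange Online and failing after a timeout instead of running Set-CASMailbox and Add-MailboxPermission against a mailbox that has not synced yet. It assumes Connect-ExchangeOnline has already run in the session and that Get-EXOMailbox from the ExchangeOnlineManagement module is available; the identity value is a placeholder.

```powershell
# Added example, not from the original script. Call after Connect-ExchangeOnline.
function Wait-ExoMailbox {
    [CmdletBinding()]
    param(
        # Alias or UPN of the mailbox created with New-RemoteMailbox (placeholder).
        [Parameter(Mandatory)][string]$Identity,
        [int]$TimeoutSeconds = 900,
        [int]$PollSeconds = 30
    )

    $activity = "Waiting for $Identity in Exchange Online"
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    while ((Get-Date) -lt $deadline) {
        # Get-EXOMailbox is unambiguous even with the on-premises snap-in loaded,
        # whereas Get-Mailbox would resolve to whichever module was imported last.
        $mbx = Get-EXOMailbox -Identity $Identity -Properties RecipientTypeDetails -ErrorAction SilentlyContinue
        if ($mbx) {
            Write-Progress -Activity $activity -Status 'Found' -Completed
            # New-RemoteMailbox -Shared should arrive as a SharedMailbox; anything else means
            # the object was provisioned differently and the permission steps need a second look.
            if ($mbx.RecipientTypeDetails -ne 'SharedMailbox') {
                Write-Warning "$Identity synced as $($mbx.RecipientTypeDetails), not SharedMailbox"
            }
            return $mbx
        }
        $remaining = [int]($deadline - (Get-Date)).TotalSeconds
        $percent = [int](100 - (100 * $remaining / $TimeoutSeconds))
        Write-Progress -Activity $activity -Status "$remaining seconds left before giving up" -PercentComplete $percent
        Start-Sleep -Seconds $PollSeconds
    }
    throw "Timed out after $TimeoutSeconds seconds waiting for $Identity to appear in Exchange Online"
}

# Usage in the script, after Connect-ExchangeOnline and in place of the Do/Until loop:
# $null = Wait-ExoMailbox -Identity $Alias
```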