Microsoft System Center Introduction to Microsoft Automation Solutions

Get advice from experts in the field on how to use Microsoft automation solutions! This free ebook introduces you to two Microsoft Automation solutions: Azure Automation and Service Management Automation. It explores both of these tools and how they can be used to meet the automation needs of your Microsoft Azure cloud solutions or your enterprise datacenter environments.


Authors: Rob Costello, Richard Maunsell; Mitch Tulloch, Series Editor

Published: December 2014
Pages: 112


Get your Free eBook:






April 2, 2015   Posted in: Uncategorized  No Comments

BinScope 2014


BinScope is a Microsoft verification tool that analyzes binaries on a project-wide level to ensure that they have been built in compliance with Microsoft’s Security Development Lifecycle (SDL) requirements and recommendations.


Microsoft BinScope was designed to help detect potential vulnerabilities that can be introduced into binary files. The tests implemented in BinScope examine application binary files to identify coding and building practices that can potentially render the application vulnerable to attack or to being used as an attack vector.



Configurability – BinScope allows users to enable and disable checks. By default, all SDL checks are enabled. BinScope detects the type of assembly that is being scanned and determines whether or not the enabled check is applicable.

Command Line Mode – To run BinScope in Command Line mode, open the command window in the BinScope install directory.

Included Tests

  • Validating compiler and linker flags
  • Ensuring the use of “known good” ATL headers
  • Verifying that current compiler versions are used
  • Identifying specific coding constructs that are deemed “dangerous”
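
What "validating compiler and linker flags" and "verifying that current compiler versions are used" can look like at the binary level, as an added example that is not BinScope's own code or part of the original post: the sketch reads the linker version and the DllCharacteristics bits from a PE header and reports missing mitigation switches. The choice of flags, the `min_linker` threshold, the function names and the constructed header-only samples are assumptions for illustration.

```python
import struct

# DllCharacteristics bits (PE/COFF specification) and the linker switch that sets each.
MITIGATION_FLAGS = {
    "HIGH_ENTROPY_VA (/HIGHENTROPYVA)": 0x0020,  # 64-bit images only
    "DYNAMIC_BASE (/DYNAMICBASE)": 0x0040,       # ASLR
    "NX_COMPAT (/NXCOMPAT)": 0x0100,             # DEP
    "GUARD_CF (/GUARD:CF)": 0x4000,              # Control Flow Guard
}
PE32, PE32_PLUS = 0x10B, 0x20B
OPT_HEADER_MIN = 72  # bytes needed to reach DllCharacteristics at offset 70


class PEFormatError(ValueError):
    """Raised when the input is not a parseable PE header."""


def read_link_info(data: bytes) -> dict:
    """Extract the linker version and DllCharacteristics from raw PE bytes."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        raise PEFormatError("missing MZ header")
    (e_lfanew,) = struct.unpack_from("<I", data, 0x3C)
    opt = e_lfanew + 24  # 4-byte signature + 20-byte COFF header
    if opt + OPT_HEADER_MIN > len(data):
        raise PEFormatError("truncated PE header")
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise PEFormatError("missing PE signature")
    (opt_size,) = struct.unpack_from("<H", data, e_lfanew + 20)
    magic, major, minor = struct.unpack_from("<HBB", data, opt)
    if magic not in (PE32, PE32_PLUS) or opt_size < OPT_HEADER_MIN:
        raise PEFormatError("unsupported optional header")
    (dll_chars,) = struct.unpack_from("<H", data, opt + 70)
    return {
        "is_64bit": magic == PE32_PLUS,
        "linker_version": (major, minor),
        "dll_characteristics": dll_chars,
    }


def audit(data: bytes, min_linker=(12, 0)) -> list:
    """Return findings for one binary; an empty list means every check passed.

    min_linker is a hypothetical policy value, not a BinScope setting.
    """
    info = read_link_info(data)
    findings = []
    for name, bit in MITIGATION_FLAGS.items():
        if bit == 0x0020 and not info["is_64bit"]:
            continue  # high-entropy ASLR does not apply to 32-bit images
        if not info["dll_characteristics"] & bit:
            findings.append(f"missing {name}")
    if info["linker_version"] < min_linker:
        major, minor = info["linker_version"]
        findings.append(
            f"linker {major}.{minor} is older than required "
            f"{min_linker[0]}.{min_linker[1]}"
        )
    return findings


def build_sample(magic: int, linker: tuple, dll_chars: int) -> bytes:
    """Constructed header-only sample (not a loadable image) for offline runs."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)  # e_lfanew: PE header follows directly
    machine = 0x8664 if magic == PE32_PLUS else 0x014C
    coff = struct.pack("<HHIIIHH", machine, 0, 0, 0, 0, OPT_HEADER_MIN, 0x0022)
    opt = bytearray(OPT_HEADER_MIN)
    struct.pack_into("<HBB", opt, 0, magic, *linker)
    struct.pack_into("<H", opt, 70, dll_chars)
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    samples = {
        "hardened-x64 (constructed)": build_sample(PE32_PLUS, (14, 0), 0x4160),
        "legacy-x86 (constructed)": build_sample(PE32, (9, 0), 0x0100),
    }
    for label, blob in samples.items():
        result = audit(blob)
        print(label, "->", result if result else "all checks passed")
```

To audit a real file, pass `open(path, "rb").read()` to `audit`; only the headers are inspected.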

IT Users of BinScope

  • Developers – to verify compliance with coding and building best practices.
  • IT Security Auditors – during reviews, can evaluate the risk presented by a particular piece of software installed on the Windows platform.


Supported Operating System

 Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2012

.NET Framework 4.0 or later



 For support, please visit the following links:



April 2, 2015   Posted in: Security  No Comments

Skype for Business – In Place Upgrade



In our previous blog post, we discussed the different components of the Skype for Business infrastructure. In this post, we’ll focus on a key manageability feature of Skype for Business Server, in-place upgrade, and how it makes upgrading easier. In our next post we will introduce other manageability improvements as well.

In-Place Upgrade

Skype for Business provides a simplified upgrade from Lync Server 2013 by allowing setup to run on top of the existing deployment. In-place upgrade is not supported if you also wish to upgrade the underlying Windows OS; in that scenario you will have to rely on swing migration, discussed in a later section of this post.

Before performing an in-place upgrade, you need to determine whether your existing deployment supports it. In a nutshell, if your deployment is Lync Server 2013 only, you can go for an in-place upgrade. If not, please review the table below.


The upgrade process is as easy as a few clicks (unless you run into an issue OR are upgrading from SQL mirroring to SQL AlwaysOn, to be discussed later), but before we dig into the in-place upgrade steps, we need to discuss the mandatory prerequisites.

  • Latest Windows Server updates are installed on machine.
  • SQL Express 2012 SP1 or higher is installed on all local instances.
  • Lync Server 2013 with latest available cumulative updates. That is CU5 + Latest Hotfix

One recommended but not mandatory prerequisite is to use the Windows Server 2012 R2 operating system for Skype for Business servers. The prime reason is that Windows Fabric v3 is installed with that OS, and the latest Windows Fabric fixes may not be available for older operating systems. Windows Fabric v3 provides the following benefits:

  • Faster replica rebuilds under slow network conditions
  • Ability to enable remote copying of fabric logs.
  • Better resiliency of fabric services.
  • Reduce size of windows fabric performance counter logs.
  • Ability to control the size of windows fabric trace files
  • Better handling of certain error conditions.

Now that we have pre-requisites installed on our Lync Server 2013 boxes, we can go ahead with in-place upgrade process. The overall steps included are:

  1. Install the core components and administrative tools on a management workstation or computer in topology with no Lync 2013 components. This is required because we cannot install binaries for SFB along with Lync 2013 binaries.
  2. Upgrade the pool in topology and simply publish the topology.
  3. You can now upgrade the binaries by simply running the setup.

The order of upgrade is from inside to outside: 1) Front End Pools / Standard Edition Servers, 2) Directors, 3) Mediation, Persistent Chat, 4) Edge

The table below summarizes the steps involved in upgrading different Lync 2013 pools:


Once you’ve installed administrative tools, you can open topology builder for SFB and download topology. Once downloaded, you can right click on pool to be upgraded -> upgrade to SFB. This will update the pool along with associated databases:


Once done, you should see the pool moved under Skype for Business section of topology as shown below:


Once done, you can simply publish your topology and make sure there are no errors or show stopper warnings:


Once you’ve published the topology, you’re ready to install SFB binaries on Lync 2013 pool computers. Before starting installation please ensure:

  • Central management store has been replicated on all servers using Get-CsManagementStoreReplicationStatus cmdlet.
  • You’ve stopped Lync services on all Lync servers within upgraded pool using Stop-CsWindowsService cmdlet. This will start user outage window.

Once done, you can run SFB smart setup, which will allow you to download any missing updates and notify you about missing prerequisites. If you wish to let smart setup download updates, you need to ensure the server being updated has internet access.


After accepting EULA, you can see setup downloading required windows updates:


Once done, setup will start running through update process which consists of multiple steps shown below:


Setup will not install administrative tools (it skips them) if they are not already installed on the Lync server being updated. Setup will check that Lync services are stopped on all Lync servers within the pool. If setup fails for any reason, you can fix the error and re-run setup; it will pick up where it left off.


You should install the SFB update on all Lync servers within the pool simultaneously. Once setup is complete, it will show a final window recommending that you use the new cmdlet Start-CsPool, which starts Lync services on all Lync servers within the given pool.


After the update, you can verify the version using Get-CsServerVersion and start services using Start-CsPool as shown below. Once started, your services are up and users are back in business.


And that’s that, with above steps, you’ve your Lync 2013 pool upgraded to Skype for Business ! :)

Using Skype for Business In-place upgrade you didn’t have to:

  • Get new hardware or build new virtual machines.
  • Perform extensive planning for upgrade
  • Spend lot of money on new deployments.
  • Add or remove server object.
  • Move users from one pool to another.

It’s a good thing to have, but it is still recommended to perform swing migration i.e. build new SFB pool and move users from one pool to another if you do not wish to have outage window for performing this upgrade.

Below are a couple of issues that setup might run into:

  1. SQL 2014 Express is not installed on the SFB server. In this case you need to install the appropriate version of SQL Express and continue setup again:


  2. Error uninstalling a certain Lync 2013 component. In this case you can manually uninstall the component in question and continue the upgrade again:


With this, we conclude our Skype for Business In-place upgrade process post. Hope you find above post helpful to upgrade your existing infrastructure to Skype for Business and you’re ready to enjoy the new features introduced with this version ! :)

In our next post, we’ll be discussing about other manageability improvements like Call Quality Dashboard and SQL AlwaysON functionality.

See you again soon !

March 18, 2015   Posted in: Lync 2013, Lync Server, Lync Server 2010, Skype for Business  No Comments

Skype for Business – Infrastructure Components & Design



In our previous blog post, we introduced Skype for Business as successor of Lync 2013 in communications platform. This post will be focusing on different components associated with Skype for Business server and what are key architecture design considerations to keep in mind while designing your topology/deployment for SFB.

Skype for Business Lifecycle

For any successful deployment, we need to consider product’s lifecycle and plan accordingly. Like any other deployment, SFB lifecycle includes four key components Plan -> Deploy -> Run -> Adopt summarized in below figure:






Skype for Business Deployment Options

Customers looking for a new communications/Lync platform deployment in their organization have the options below to choose from:


  1. Skype for Business Online: This deployment is cloud only, where you’ll be hosting your communications environment in a Microsoft Office 365 tenant. This model should work if there are no legal requirements in your organization to keep communication data on premise and you have no requirements for Enterprise Voice, as Office 365 currently doesn’t support the SFB Enterprise Voice component (this might change 2 to 3 years down the road).
  2. Skype for Business Hybrid: This deployment is where you have some users hosted on premise and some in the cloud on Skype online. This model is best suited for organizations where there are no legal requirements to keep communication data on premise and not all users require the Enterprise Voice feature, OR there are some prohibitive infrastructure requirements for moving all users to the cloud.
  3. Skype for Business On Premise: As name indicates, this is pure on premise deployment where all servers and users are present within your environment. With this deployment, you also need to consider high availability and disaster recovery properly.

How to determine which deployment option to use?

So now that you know what deployment options you have – how do you determine which option best suits your needs? Below is quick flowchart that you can refer to for same:


Skype for Business AD Design Considerations

Now that you have determined which deployment mode you’ll be going with, for each deployment option there are some key Active directory design consideration to keep in mind.

Common to all, there are no AD schema and domain changes when you’re upgrading from Lync Server 2013 to Skype for Business. Currently not confirmed, but same AD pre-requisites that applied for Lync 2013 applies to Skype for Business as well. For more information, refer to TechNet article here.

Skype for Business Online: If all your users will be hosted on Office 365, you need to ensure:

  1. All users are in a single user forest. There is no resource forest and there is only a single user forest.
  2. There is only one Office 365 tenant associated.
  3. Exchange is provided with Office 365 (Exchange online). This ensures proper Outlook & SFB integration for end users.
  4. If on a later date, you decide to introduce SFB Hybrid, that’s feasible as well.

Skype for Business Hybrid: Similar to SFB online, for SFB Hybrid you need to ensure:

  1. All users are in a single user forest. There is no resource forest and there is only a single user forest.
  2. Skype for Business servers are installed in user forest.
  3. Exchange for users on cloud is provided using Exchange online and Exchange for users on premise is provided using an on premise Exchange server.
  4. User sign-in and federation will be provided using SFB Edge server discussed later in this blog post.

Skype for Business On Premise: For an on premise deployment:

  1. Skype for Business servers are installed in user forest.
  2. Exchange is provided via On premise Exchange OR Exchange Online OR Exchange Hybrid.
  3. If on a later date, you decide to introduce SFB Hybrid, that’s feasible as well.

Many of us might be wondering what happened to the three-forest support that was introduced for Lync Server 2013 (reference architecture below). Currently Skype for Business doesn’t support this model; this might, however, change in the near future.


Now that we have covered design considerations for SFB, let’s dive into different components & planning for deployment of same.

Skype for Business infrastructure components

Most of components associated with Skype for Business are same as Lync Server 2013 with couple of new additions which will be discussed in later section of this post.

Front-End Server: Most administrators have been working with this role since the OCS 2007 days. Like previous versions of Lync, it can be deployed in an Enterprise Edition pool or a Standard Edition pool as required. When deployed in an Enterprise Edition pool, you need to ensure:


  1. There are minimum three front end servers in pool. Two servers are supported however not recommended, it makes rebooting pool/servers a complicated procedure.
  2. DNS load balancing is still supported for SIP traffic. Hardware load balancer is required for web traffic as in Lync server.
  3. Never lose two or more front end server at same time unless they’re part of same upgrade domain (discussed later)
  4. Consider server placement failure domain deployment discussed later in this post.

Enterprise Edition Pool Quorum: Pool quorum determines the number of front-end server failures that enterprise edition pool can sustain or run online with. Complete pool will go offline if less than 50% of front-end servers are online OR exactly 50% are online with SQL database offline. Below is quick reference table for same.


Fault Domains: A fault domain is a set of hardware components – computers, switches & more – that shares a single point of failure. Keeping this in mind, you need to deploy front-end servers in appropriate fault domains such that you never lose two front end servers at same time (unless they are part of same upgrade domain). Make sure you plan your deployment keeping n+1 model in mind.

Routing Groups: This logical design was introduced in Lync Server 2013 where when you provision a user, account is immediately put into a particular routing group which holds information about this user like presence, contacts, conferencing, voice etc. Each routing group is assigned to a particular Front end server until that server is rebooted. The routing information can be seen in the AD object attribute msRTCSIP-UserRoutingGroupId.

Each routing group has a primary copy & two secondary copies. If one copy is down or lost, pool will recover. However if two copies are lost, replica will lose quorum.

Upgrade Domains: Introduced with Lync Server 2013 and continues to work in same fashion in SFB pool, each front end server is grouped into an upgrade domain which can be taken offline without impacting service availability. Administrators do not have control on managing membership of upgrade domains. Lync uses routing group distribution pattern across front end servers to determine the membership & prepare upgrade domains accordingly.

Below is quick table on how upgrade domain membership works in given size of enterprise edition pool.


SQL Back-end Database: As in any legacy version of Lync Server, SQL back-end databases hold the Central Management store, Archiving, Monitoring, Response Group and other databases, along with a backup copy of user contacts and conferencing data (which has been primarily stored and managed on the Front End servers themselves since Lync Server 2013). It is recommended to place the SQL servers in the same geographical location/datacenter as the front end servers for optimal performance.

Continued from Lync Server 2013, Skype for Business server still support SQL mirroring for SQL high availability solution, where there is one SQL mirror and one SQL witness box. However this is planned to be discontinued in future. It is recommended to switch to SQL always on for high availability as discussed below.

New with Skype for Business is support for SQL AlwaysOn high availability which is next generation of database mirroring technology and runs on top of windows failover cluster service and provides up-to three replicas of single database. You require SQL enterprise edition for running more than one replica with SQL AlwaysOn.

SQL AlwaysOn provides you with multi-database failover that is useful in application with several databases. Database can be configured into Availability groups which allows different databases part of same group to be failed over between replicas at same time.

File Share: Continuing from the previous version of Lync Server, the file share holds meeting content, address book files, Lync phone updates, etc. It is recommended to place the file servers in the same geographical location/datacenter as the front end servers for optimal performance.


File share server role can be provided high availability by deploying the file share on Distributed File Share (DFS).


Office Web App Server: As in Lync Server 2013, the Office Web App component is used for PowerPoint sharing over Lync sessions (peer to peer or conference). As with the SQL and file servers, it is recommended to place the Office Web App servers in the same geographical location/datacenter as the front end servers for optimal performance.


Office web app servers can be provided high availability by deploying pool of office web app servers load balanced using a Hardware Load balancer

Monitoring Server Database: As in previous versions of Lync Server, the monitoring database is used for collecting quality of experience (QoE) and call detail reporting (CDR) data.

You can have single Monitoring database globally for having all data in one view for your environment. If you’ve a large environment, you can consider maintaining copy of same database and run SQL reporting against copy of database for better performance.

Monitoring database is provided high availability using SQL server it runs on.


Edge Server Role: The Skype for Business Edge server is used for remote access, federation and Office 365 integration. If you’re deploying SFB in hybrid mode, this is a must, as all sign-in happens through the on premise environment.

You can deploy pool of edge servers using DNS load balancing for high availability. You’ll need to use hardware load balancer If you’re federating with an organization that is using OCS 2007/OCS 2007 R2 OR Exchange UM 2007/Exchange UM 2010. In disaster recovery situations, edge server leverages pool failover.

You can upgrade internal Lync servers without upgrading Lync 2013 edge servers to Skype for Business. However you cannot do vice-versa. i.e. if you’re planning to install Skype for Business on Edge server, you have to have front end pool/internal Lync servers upgraded already. With Lync Server 2013 Edge server, you cannot use certain features available with SFB, major one being Skype Search.

Reverse Proxy: As in previous versions of Lync Server, the reverse proxy is used for joining meetings, mobile clients, file downloads, DL expansion, etc. The reverse proxy device should be placed in close proximity to the Edge servers for optimal performance.

Since the demise of ISA 2006/TMG 2010, you need to use a third party reverse proxy solution, a list of which is available on TechNet, OR you can use IIS ARR to achieve the same reverse proxy functionality for smaller environments.


Mediation Server: This server is used for transcoding voice signals between the Lync server and the PSTN gateway, or is required for connecting the Lync infrastructure to a PSTN gateway. The placement of the Mediation server depends on whether you’ll be using the Media bypass feature. If Media bypass is feasible, you can place the server within the datacenter. If Media bypass is not feasible, it is recommended to keep this server close to the PSTN gateway for optimal performance.

You can deploy pool of Mediation servers for high availability. With inter-trunk feature introduced in Lync Server 2013, disaster recovery for Mediation server has become fairly easy compared to its previous versions.

Mediation server can be collocated along with front end server, however its collocation depends majorly on how much performance load we’re putting on this role. Depending on media bypass usage & counting in calls which will never use media bypass, you can make this determination. Additionally if you need dual homed Mediation server, you have to have a dedicated box for same.

SBA / SBS: Survivable branch appliances or servers are used in branch sites with 100 to 500 users connecting over WAN to a central site. In case of WAN failure, these devices come into play to provide voice and registration features. Similar to the Mediation server, these roles can be connected to multiple gateways for high availability. However, they can be associated with only one central front end pool, which provides them with SFB user services.

In case of disaster recovery, SBA/SBS provide limited functionality in case of pool failover.


NEW! Call Quality Dashboard (CQD): This is a new component & dashboard included with Skype for Business


Call quality dashboard consists of an Archive database which stores and replicates QoE data from the environment. This database is aggregated for optimized and fast access (QoE cube), and a reporting web portal is used for querying and visualizing QoE data.


Call quality dashboard requires a separate SQL instance running Enterprise or business intelligence edition. Currently it cannot be collocated with backend servers already used by SFB enterprise edition pool or monitoring database.


NEW! Video Interoperability Server (VIS): New with Skype for Business, this role is used for connecting your Skype for Business infrastructure to existing video teleconference (VTC) systems and video gateways like Tandberg. For optimal performance, you need to place this server close to the video gateways.

You can deploy pool of VIS servers for high availability. Additionally these servers can be connected to multiple trunks by leveraging DNS load balancing. VIS can connect to multiple SFB pools and can connect to failover front end pool in case of Disaster recovery.


Skype for Business Server Sizing: Now that we know about the various components associated with the Skype for Business infrastructure, we need to have a health planning cycle for this new infrastructure. The workflow below gives us good information regarding this.


At present, we’re using same user model as available for Lync Server 2013 for testing. However this can change once the Skype for Business is released in market for production use. Sizing based on user model is only a starting point, you need to have good monitoring in place and leverage key health indicators (KHI) for assessing your infrastructure and ensure its healthy state.

With this, we conclude this blog post. In our next post, we’ll be discussing about improvements in management of Skype for Business server specifically focusing on In-place upgrade & smart setup introduced with SFB.

Hope you find above post informative. Thanks for reading !

March 10, 2015   Posted in: Lync 2013, Lync Server, Lync Server 2010, Skype for Business  3 Comments

Introducing Skype for Business (a.k.a. Lync 2014)



In coming series of blogs, we’ll be evaluating and sharing as much information as we can for Skype for Business, next chapter in Lync platform.

Through course of these blogs, we’ll be referring Skype for Business as SFB.

On 11th November, Microsoft announced that the Lync Server product will be rebranded as Skype for Business. This basically means that the next on-premises server, clients, and Office 365 releases of what would be Lync will now simply be renamed, and the Lync name will apparently be deemphasized. Surely this does not mean that the existing consumer Skype platform would be positioned to businesses, or mean the death of Lync as a platform. For all intents and purposes the two separate products must still exist: the consumer ad-driven solution known as Skype, and the enterprise-grade solution known to all as Lync, which will simply be rebranded as Skype for Business.


Currently we notice many administrators referring to SFB as Lync 2014, however that’s not right. It’s strongly recommended that you accept the change and come on-board with Skype for Business. :)

What are the new features introduced with Skype for Business?

Name for Lync Server platform isn’t changed for just namesake. Skype for Business at its core integrates familiar Skype design with enterprise grade Lync platform solution. So the first change that you’ll notice with Skype for Business is client UI itself.

Universal Communications: SFB allows people to do more by using rich communications for all their relationships. It provides them with consistent experience with its simple, elegant, pervasive looks. The client scales from mobile to meeting room with same user experience. It provides them with interconnection with different platforms (like Tandberg room) and keeps their presence everywhere.

Color and minimum Chrome: The user interface will be using familiar color & minimum chrome layout available with Skype and merge it with Lync client to give users more comfortable and friendly client without too much of changes for end users.













Improved Chat Experience: SFB provides with text in bubbles which is another signature feature of Skype. If the next message is sent within 60 seconds window, the message is combined within single bubble. This helps prevent that spinning circle mostly seen on mobile clients due to slow data network. It also provides with file preview feature during file transfers making it more user friendly.


Common Icons and Placement: Beside improving & re-arranging common icons placement like IM/add a contact, product team has also worked on providing more easier & faster access mid-call control features like call transfer/forwarding based on feedback from many power users that earlier had difficulty finding these buttons in middle of call.


Always visible call monitor: This is a signature Skype feature which will now be available in enterprise applications as well. The call monitor appears in all audio & video calls and provides easier access to mid-call control discussed above. It shows picture or video of active speaker and if closed between call cannot be brought back. Double clicking on call monitor brings back your main SFB window


Video between enterprise and Skype applications: SFB makes it easier to connect to people everywhere. Lync already offers instant messaging and audio calling with Skype users. Skype for Business adds video calling and the Skype user directory making it possible to call any Skype user on any device.

Coaching for First time Users: Many organizations might feel strongly that changing or upgrading client can create nuisance for end users. With an upcoming patch for Lync 2010/2013, you’ll be able to apply SkypeUI using client policy setting from Lync Server 2013 itself. This will allow you certain training time phase where you can introduce users with this new client and train them as needed. We’ll be sharing more details on how to do same with our next blog covering SFB server in details. However, there will be certain features that only work with full SFB client and not just UI, detailed below.


Call via Work: The main expansion in enterprise voice capabilities for SFB is the Call via Work feature, where SFB can call out to the user's desk phone via the PBX/PSTN system and then dial out to the far-end number the user is trying to call using his/her work phone. This provides the user with enhanced presence on the SFB client indicating that the user is on a call, and also provides the mid-call control available with SFB as discussed above. If someone calls the user on his/her desk phone, SFB doesn’t come into the picture; it is just for outgoing calls. Below is a quick snapshot of how the Call via Work setting will look on the end user side/settings:


Above are just major features that we can see with Skype for Business client. There are few other minor features which includes Rate My call, Skype Emoticons, First Run tutorials etc.

In the next blog series, we’ll be seeing what’s new in Skype for Business server for administrators and different features & control options that will be available for you guys.

Stay tuned !


March 2, 2015   Posted in: Lync 2013, Lync Server, Lync Server 2010, Skype for Business  One Comment

Predicted Actions Enabled

Categories & Subject Descriptors: User Interface evaluation, Interaction Styles.

General Terms: Experimentation, Human Factor, Performance.

Keywords: Customization, interaction Techniques, menu design, user study, Adaptable Interface, Adaptive actions, Predict actions.


As administrators we are very much aware of the user-friendly mailbox policies and features which might help the everyday user in our organizations. I would like to touch upon a topic which might not be very important or useful from an admin point of view, but which most Microsoft Office administrators may be familiar with. It’s not a widely used feature, but it is very similar to Adaptive Menus in legacy MS Office applications like Word, Excel, etc.

What is it all about?

Here, we are speaking about an OWA MAILBOX POLICY setting which is disabled by default for all Outlook Web App (OWA) users and which can be enabled by Exchange administrators. PredictedActionsEnabled is an Outlook Web App feature which helps an Outlook Web App user by customizing the commands and icons they see according to what they are doing. This is very similar to the Adaptive Menus feature from earlier Office applications. This is a very complex approach which is appreciated by users who have a regular pattern of use, but can be disliked by users who do not want their menus or available buttons to be constantly changing. This is a feature which is NOT a USER CONTROLLED feature. Even then, we do not know much about the PredictedActionsEnabled feature as it’s not widely in use by users in OWA, so whether it’s beneficial or a pain is yet to be identified. We aren’t even sure if users are aware that they have such a feature available to be explored.

Setting values for this Policy:

As administrators are aware, there are many OWA mailbox policy settings which are only available through the Exchange Management Shell (EMS). PredictedActionsEnabled is one of them.

To check if it’s there in your environment try this cmdlet

Get-OWAMailboxPolicy XXX |fl

This is what you’ll probably see…

RecoverDeletedItemsEnabled                          : True
InstantMessagingEnabled                             : True
TextMessagingEnabled                                : True
ForceSaveAttachmentFilteringEnabled                 : False
SilverlightEnabled                                  : True
InstantMessagingType                                : None
DisplayPhotosEnabled                                : True
SetPhotoEnabled                                     : True
AllowOfflineOn                                      : AllComputers
SetPhotoURL                                         :
PlacesEnabled                                       : False
AllowCopyContactsToDeviceAddressBook                : True
PredictedActionsEnabled                             : False
UserDiagnosticEnabled                               : False
FacebookEnabled                                     : True
LinkedInEnabled                                     : True
WacExternalServicesEnabled                          : True
WacOMEXEnabled                                      : False
ReportJunkEmailEnabled                              : False
WebPartsFrameOptionsType                            : SameOrigin
AdminDisplayName                                    :
ExchangeVersion                                     : 0.10 (
Name                                                : Enterprise
DistinguishedName                                   : CN=Enterprise,CN=OWA Mailbox Policies,CN=ENTERPRISE,CN=Microsoft

Although this feature has a “FALSE” value by default, it can be set to “TRUE” by using a simple PowerShell cmdlet.

Set-OwaMailboxPolicy -Identity Default -PredictedActionsEnabled $true


Now to the icing on the cake:

Thanks for reading the article, but the bad news is that this feature/parameter currently can’t be changed in Exchange 2013. Feedback has been sent to the Exchange product/testing team (confirmed by Microsoft Contingent Staff).


Closing comments:

Hopefully in your environment (apart from Exchange 2013) you can try this feature and come up with questions and suggestions.


December 21, 2014   Posted in: Exchange Server 2013, Exchange Server General, Outlook, Uncategorized  No Comments

Office 365 & Exchange 2013 In-Place Hold & E-Discovery

Data governance and email preservation have always been an important security concern in almost every type of business environment.

Attorneys in particular need access to search emails that are relevant for legal and compliance purposes.

With Office 365, the process of searching, preserving and accessing email records has been available all the time. The technical terms that every Office 365 admin should know when dealing with preserving emails are:

1. Litigation Hold … now, In-Place eDiscovery & Hold.

2. Discovery Management

3. Multi-Mailbox Search

With Exchange 2013 and Office 365, Multi-Mailbox Search is known as In-Place eDiscovery. The one place to visit in the Office 365 portal to manage email preservation is “In-Place eDiscovery & Hold”.

Let’s talk Technical now with Office 365. Consider the below Scenario.

SCENARIO: I’m an Office 365 Admin for my company. My Attorney wants to search and access emails and if required export the emails and he wants full access. The Attorney also wants to know how he can do this?

I login to the Office 365 portal first @

Once I login, I click on Admin at the top side of the portal and select Exchange. This opens up Exchange Admin center.


Now, I need to give the attorney the required permissions to perform Discovery Search and to place the mailboxes or mail items he wants on hold, or to perform query-based search.

All I need to do is add the attorney to an admin role group called ‘Discovery Management’.



Now, I need to train my Attorney so that he can do his legal work.

Attorney said: ‘I want to access emails for all users in the Org which has ‘confidential’ term in the subject.’

Ok, Here you go, Mr. Attorney. You have been given an Admin role which means you are a Discovery Manager now.

Following steps are done on Attorney’s mailbox. His OWA in particular.

Open Exchange Control Panel. The ECP portal is:

Since the attorney has been added as a member of the Discovery Management admin role group, the attorney’s ECP will show a Compliance Management tab where he can create an in-place hold, as shown below:

The attorney created a new In-Place eDiscovery & Hold query with the keyword ‘Confidential’, set it to hold indefinitely, and specified the mailboxes for the search query to be kept on hold.

The attorney can search, export the search results to PST, preview the search results and even copy the results to the Discovery Mailbox. The steps are very user-friendly and easy to do.







The Search results can be previewed and also copied to the DiscoverySearch mailbox.





  • In-Place Hold in Exchange 2013 and Exchange Online includes additional features like Query-based Search, types of items to preserve (email, calendar, notes), maximum of 5000 users per In-place hold object and placing multiple holds on a mailbox.
  • By default, the Discovery Management role group doesn’t contain any members. Administrators with the Organization Management role are also unable to create or manage discovery searches without being added to the Discovery Management role group.
  • Members of the Discovery Management role group have Full Access mailbox permissions for the Discovery mailbox that’s created by Exchange Setup.
  • You can open Discovery Mailbox from OWA by removing the mailbox attribute to hide from GAL.
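
The same workflow from the Exchange Management Shell, as an added example that is not part of the original post: it grants the role, creates the query-based hold from the scenario, then reviews who holds the role and who has created or changed searches. The account `attorney`, the mailboxes `user1` and `user2`, and the search name are placeholders.

```powershell
# Added example. 'attorney', 'user1', 'user2' and the search name are placeholders.
$group      = 'Discovery Management'
$searchName = 'Confidential-Subject-Hold'

# 1. Add the attorney to the role group (it has no members by default).
Add-RoleGroupMember -Identity $group -Member 'attorney'

# 2. Query-based In-Place Hold: "confidential" in the subject, held indefinitely
#    (no -ItemHoldPeriod given), scoped to named mailboxes instead of the whole org.
New-MailboxSearch -Name $searchName `
    -SourceMailboxes 'user1', 'user2' `
    -SearchQuery 'subject:"confidential"' `
    -InPlaceHoldEnabled $true `
    -EstimateOnly

# 3. Run the estimate and check its status before copying anything
#    to a discovery mailbox.
Start-MailboxSearch -Identity $searchName
Get-MailboxSearch -Identity $searchName |
    Format-List Name, Status, InPlaceHoldEnabled, SourceMailboxes, ResultNumberEstimate

# 4. Review: who can run discovery searches, and who created or changed
#    searches or role group membership in the last 30 days.
Get-RoleGroupMember -Identity $group | Select-Object Name, RecipientType
Search-AdminAuditLog -StartDate (Get-Date).AddDays(-30) `
    -Cmdlets New-MailboxSearch, Set-MailboxSearch, Remove-MailboxSearch, Add-RoleGroupMember |
    Select-Object RunDate, Caller, CmdletName, ObjectModified
```

Because members of Discovery Management get Full Access to the Discovery mailbox, step 4 is worth running on a schedule and comparing against the list of people who are supposed to hold the role.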

July 24, 2014   Posted in: Microsoft Office 365 Integration  One Comment

Office 365 – Attachment Enhancements in OWA

Hello All




Earlier in the year at the Microsoft Exchange Conference, the Office 365 team announced an enhanced document collaboration experience in Outlook Web App for Office 365 users. Today the Office 365 team introduced a few of these enhancements, which aim to improve the way people interact with files as attachments in their email.


What’s new in Office 365 OWA? Below are features listed briefly that were introduced today by Office 365 team:

  1. Side-by-side view of document and email: When you open the attachment, you can now see the contents of that document in context (or “side-by-side”) with the email itself; you can see both at the same time. No more flipping back and forth between windows to get all the information you need. You can perform all of the standard messaging actions (reply, forward, and so on) right from within this view.

  2. Easy document editing and reply: When you’re ready to edit the attachment and send your comments back, you no longer need to download the attachment, make your changes, rename the file, reattach it, and send your email reply back. You can now do all of this without leaving this new side-by-side view. To do this, you simply click Edit a Copy right above the attachment and message.

     This new copy of the attachment is live, and any changes you make are automatically saved. Once you’re finished with your changes, you can simply type a response in the email and click Send.

  3. Bigger attachment view: The user experience for attachments in the attachment well has been updated, so now when you attach files, they’re bigger and better looking than they’ve ever been before.

  4. Download all attachments: This feature has been available for quite a while now. You can now download multiple attachments at once in the form of a single zip file.

Note: This feature only supports attachments created with Office 2007 and above. It will support viewing all Microsoft Word, Excel, and PowerPoint files, as well as .PDF files and most types of pictures.

Conclusion: The above enhancements will give end users a richer experience in OWA clients and make email a more efficient platform for them.


July 3, 2014   Posted in: Office 365  No Comments

You Do not have permissions to Schedule Lync Meetings

Hello All



Many times I’ve seen delegates complaining that they’re unable to create a Lync meeting on their manager’s or boss’s Outlook calendar, even though they have the appropriate permission to create normal meetings. Today we’ll cover what permissions a delegate requires to carry out this operation and look at sefautil.exe as our rescue tool in these scenarios.


Issue: Delegates receive error “You do not have permissions to schedule Lync meetings on behalf of the owner of this account. Please contact owner of this account to get delegate permission in Microsoft Lync”


Cause: As the error states, the issue is due to lack of appropriate permissions for delegate on manager’s or owner’s calendar OR Lync account.

Resolution: For delegate to be able to create Lync meetings on their manager’s calendar, they should have:

  1. Editor or above access on user’s Outlook calendar: To achieve this, you can
    1. Add assistant as delegate in Outlook by going to File – Account Settings – Delegate Access.

    2. Alternatively, you can add the calendar permission by going to the user’s Outlook calendar section and selecting Calendar Permission under the Home tab.

    3. If you do not wish to manage permissions from the user’s workstation and would rather manage them from the server (my favorite), you can run the cmdlet below in the Exchange Management Shell to configure calendar permissions:

    Add-MailboxFolderPermission <manageralias>:\calendar -user <delegatealias> -AccessRights Editor

    You can configure AccessRights as Editor/PublishingEditor/Owner as per requirements. If you wish to check permissions before adding:

    Get-MailboxFolderPermission <manageralias>:\calendar -user <delegatealias>

  2. Assistant should be added as Lync delegate on manager’s Lync account: Once you’ve ensured permissions on the Outlook calendar are correct, you need to ensure that the delegate is added as a Lync delegate on the manager’s Lync account. To do so, you can:
    1. Add assistant as delegate using manager’s Lync client. On manager’s Lync client, go to Settings – Tools – Call Forwarding Settings – Edit My Delegate Members as shown below.

    2. Again, if you are not a fan of disturbing high-end users with assistants to configure small settings and would prefer to manage it from the backend, you can use Sefautil.exe for this, which is discussed later in this post.

Once you configure both Outlook and Lync delegate access as described above, assistant should see a prompt stating “<Manager> has added you as delegate” on his/her Lync client and should now be able to create Lync meetings on their manager’s calendar without any issue.

What is Sefautil?

SEFAUtil (secondary extension feature activation) is a command-line tool that enables Microsoft Lync Server communications software administrators and helpdesk agents to configure delegate-ringing and call-forwarding settings on behalf of a Lync Server user. The tool also allows administrators to query the call-routing settings that are published for a particular user.

The SEFAUtil tool allows the administrator to enable/disable/modify call forwarding on behalf of the user. The administrator can specify the target (in the form of a SIP URI) or use a target that has already been published by the user. This tool also allows administrators to add or remove delegates on behalf of the user. The tool supports enabling or disabling simultaneous ringing, delayed ringing, or call forwarding to delegates.

This tool requires administrators to create a trusted application in the central management store for Sefautil using Lync Topology Builder.

The features in this tool allow administrators and helpdesk agents to do the following:

  • View all call routing settings for a user (includes call forwarding, delegation, team ringing, and simultaneous ringing)
  • Enable/disable/modify call-forwarding setting (includes destination and no-answer timer)
  • Enable/disable/modify call-forwarding immediate configurations
  • Enable/disable/modify delegation settings

How to use Sefautil for managing delegates?

The SEFAUtil tool can be run only on a computer that is a part of a Trusted Application Pool. UCMA 3.0 must be installed on that computer. To run the tool, a new Trusted Application with the sefautil application ID must be created on that pool.

  1. To check the user’s or manager’s existing call forwarding settings:

SEFAUtil.exe /


User Aor:

Display Name: Katarina Larsson

UM Enabled: True

Simulring enabled: False

User Ring time: 00:00:20

Call Forward No Answer to: voicemail

Set the Call Forward/No Answer Destination

  2. To add a delegate for the user’s or manager’s Lync account:

SEFAUtil.exe /server: /


User Aor:

Display Name: Katarina Larsson

UM Enabled: True

Simulring enabled: False

Delay Ringing Delegates (delay:10 seconds):

  3. To remove a delegate for the user’s or manager’s Lync account:

SEFAUtil.exe /server: /


User Aor:

Display Name: Katarina Larsson

UM Enabled: True

Simulring enabled: False

User Ring time: 00:00:30

Call Forward No Answer to: voicemail

Conclusion: Troubleshooting a Lync meeting permission issue is mostly straightforward, i.e. if you’ve configured Outlook calendar and Lync delegate access properly, you should not see this issue. You can find more details regarding the above information in our reference section below.



Occasionally it might get more typical in nature. If you have encountered such typical scenarios, please do mention same in comment box below.

Thank you for reading, in the next blog we will be covering automation of Lync server performance monitors and discuss Call Quality management (CQM) and Key Health Indicators (KHI) for Lync server environment.

July 3, 2014   Posted in: Lync 2013, Lync Server 2010, Office 365, Outlook  3 Comments

Lync cannot connect to the Exchange Server

Hello All




I was working with couple users today who had issue with Lync conversation history not saving within their Outlook clients even though the option was enabled to save conversation history within client.




Issue: Conversation history folder appears in Outlook, however the Lync conversation history is not saving in the folder.

We covered a similar thread a few months ago, where we explained the scenario in which the conversation history folder itself doesn’t appear and conversation history doesn’t save in Outlook:

As covered in our previous post, the conversation environment feature leverages both Exchange Web Services (EWS) and MAPI to manage Conversation History items. Unlike previous versions of Lync, EWS is now the primary method used to provide Microsoft Exchange integration features for the Lync client. MAPI will be used if EWS is unavailable, but only in a limited capacity. For more details, we encourage you to read the resource kit chapter Understanding & Troubleshooting Exchange server integration.

Today’s issue was different from above though as conversation history folder was present, just conversations were not saving in the folders.

In an ideal scenario, under Lync configuration information, the MAPI and EWS status should show OK:


And we should see EWS cached data in user’s registry HKCU\Software\Microsoft\Communicator\[User SMTP Address]\Autodiscovery

When we checked the Lync configuration information, two users had two different EWS status which we’ll cover in this post.

Scenario 1 – EWS Status – EWS Unavailable: For first user, under Lync configuration information, EWS status showed as unavailable and below error was shown on Lync client:

EWS Unavailable

User had EWS Internal and External URLs populated in his client i.e. Lync was able to extract EWS URLs using Autodiscover service, however wasn’t able to connect to it. Hence the status.

Troubleshooting Scenario 1: EWS unavailable is generally caused due to:
1. Proxy/PAC file configuration on user’s workstation: In certain environments, all internal and external URLs are configured to go via a proxy server and, depending on infrastructure configuration, the proxy server may or may not be able to communicate directly with the Exchange server on behalf of the Lync client. At this point the communication between Lync and the Exchange server breaks, causing the issue. To resolve this issue, make sure the EWS/OWA namespace is bypassed from the proxy, either using Internet Explorer/group policy or hard coded in the PAC/proxy file itself.
2. Invalid IP address or configuration issue: In this scenario, Lync was able to resolve the Autodiscover DNS values but was unable to contact the site due to invalid IP address or reverse proxy configuration.
3. Invalid Windows Credentials: User is logged in to windows using different credentials than normal user account (like admin account) due to which either Lync is unable to authenticate against EWS service OR Proxy server is unable to authenticate on behalf of user. In either scenario, EWS connection will fail and status will stay unavailable. To resolve the issue, ensure user is logged in using proper account and authentication is working without issue.

Resolution 1 – In my case, it was point 3 above i.e. user was logged in using his admin account into Windows which wasn’t authenticating as expected into EWS. Once user logged in using his normal windows account, the EWS status turned OK and conversation history started to save as expected.

Scenario 2 – EWS Status – EWS is not fully initialized: In this scenario, the user doesn’t have EWS URLs populated in the Lync configuration/client at all and the EWS status stays at “EWS is not fully initialized”.

User gets same error notification on Lync client stating “Lync cannot connect to the Exchange Server”

Lync client’s MAPI status was ok, Lync & Outlook Autodiscovery was working ok as well. However, Lync client wasn’t able to determine internal and external EWS URLs.

Troubleshooting Scenario 2: The issue can be caused due to one of following:
1. Invalid DNS or DNS Lookup failure: If Lync client is unable to find appropriate DNS A or SRV record to reach out Exchange autodiscovery service for looking up EWS URLs, it fails to populate them in Lync client itself. To check if this is issue, you can use nslookup command for troubleshooting and ensure proper DNS records are populated.
2. Invalid certificate or untrusted certificate: If the Exchange certificate authority is not trusted by the local client/workstation, Lync cannot reach out to the Autodiscover URL and hence doesn’t get any response back with the appropriate EWS information. To fix this issue, ensure the certificate authority used to generate the Exchange certificates is also trusted by the workstations in your environment.
3. Untrusted Server name for Sign-in Address: If the client is connecting to a server that is unknown to Lync, Lync must have your permission to verify whether to trust this server.


The above prompt can appear when the Lync client is trying to connect to the Lync server during sign-in OR when Lync is trying to connect to the Exchange server after sign-in. This doesn’t reflect any issue in configuration; it is a security feature. Lync will not connect to any unknown server until you confirm that it is trusted.

Resolution 2 – In my case, it was point 3 above i.e. when Lync was trying to connect to Exchange server, above prompt was displayed, however user ignored the prompt due to which Lync didn’t process the autodiscover response from Exchange server. Hence the EWS information stayed blank on Lync client.

To prevent the dialog box from being displayed, you can edit the following REG_SZ registry value:
• Lync 2010 – HKEY_CURRENT_USER\Software\Microsoft\Communicator\TrustModelData\
• Lync 2013 – HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\15.0\Lync

Add the Fully Qualified Domain Name (FQDN) of the server-based computer that is displayed in the Trust Model Dialog to the existing value data that is listed in the TrustModelData registry value. This will be the Lync Server/Exchange Server/Exchange CAS array for which you’re getting the prompt shown above.

If you have an Active Directory environment, you can push this registry value via Group Policy as well. You can find a sample GPO HTML report attached below for reference.


In above example, we’ve added Exchange CAS arrays name, to existing value of TrustModelData. You can also download this file from Onedrive ->
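
Since the trust prompt is a security feature, the registry edit described above should append only verified server names and leave the existing list intact. One way to do that, as an added example that is not from the original post: the function names, the scratch key and the `contoso.example` names are hypothetical, and the code assumes TrustModelData holds a comma-separated list of FQDNs.

```powershell
# Added example, not from the original post. Assumes TrustModelData is a
# comma-separated list of FQDNs. Defaults to the Lync 2013 key quoted above.
$LyncKey = 'HKCU:\Software\Policies\Microsoft\Office\15.0\Lync'

function Get-TrustModelFqdn {
    param([string]$KeyPath = $LyncKey)
    $prop = Get-ItemProperty -Path $KeyPath -Name TrustModelData -ErrorAction SilentlyContinue
    if (-not $prop -or -not $prop.TrustModelData) { return @() }
    # Split on commas, trim whitespace, drop empty entries
    @($prop.TrustModelData -split ',' | ForEach-Object { $_.Trim() } | Where-Object { $_ })
}

function Add-TrustModelFqdn {
    param(
        [Parameter(Mandatory = $true)][string]$Fqdn,
        [string]$KeyPath = $LyncKey
    )
    # Plain host names only: no wildcards, schemes, ports or paths
    $pattern = '^(?=.{1,253}$)([a-z0-9]([a-z0-9-]{0,61}[a-z0-9])?\.)+[a-z]{2,63}$'
    if ($Fqdn -notmatch $pattern) { throw "Not a valid FQDN: $Fqdn" }

    $current = @(Get-TrustModelFqdn -KeyPath $KeyPath)
    if ($current -contains $Fqdn) { return $current }   # already listed (case-insensitive)

    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    $updated = $current + $Fqdn
    New-ItemProperty -Path $KeyPath -Name TrustModelData -PropertyType String `
        -Value ($updated -join ', ') -Force | Out-Null
    $updated
}

function Find-UnapprovedTrustModelFqdn {
    # Returns entries in TrustModelData that are not on the approved list
    param([string[]]$Approved, [string]$KeyPath = $LyncKey)
    @(Get-TrustModelFqdn -KeyPath $KeyPath | Where-Object { $Approved -notcontains $_ })
}

# Demo against a scratch key (constructed), so the real Lync settings are untouched.
$scratch = 'HKCU:\Software\TrustModelDemo'
Add-TrustModelFqdn -Fqdn 'cas.contoso.example' -KeyPath $scratch | Out-Null
Add-TrustModelFqdn -Fqdn 'CAS.contoso.example' -KeyPath $scratch | Out-Null   # no duplicate added
Find-UnapprovedTrustModelFqdn -Approved 'lync.contoso.example' -KeyPath $scratch
Remove-Item -Path $scratch -Recurse
```

Running `Find-UnapprovedTrustModelFqdn` with your real server list against the default key shows any name that was trusted outside the managed GPO value.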

Conclusion: Lync not saving conversation history to Outlook client OR Lync status not changing based on Outlook calendar information are couple of most common issues encountered with Lync/Outlook integration. Depending on environment configuration and client side configuration, the troubleshooting can be complex. Hopefully above information gives you some starter points to check and reduce the troubleshooting time for you accordingly.

For more information regarding above post, please refer to reference section below.


In our next post, we’ll be discussing about Outlook delegate and Lync meeting issues. Till Next Time !

June 28, 2014   Posted in: Exchange Server, Exchange Server 2010, Exchange Server 2013, Exchange Server General, Lync 2013, Lync Server 2010, Office 365  One Comment