

Office 365 Lessons Learnt


Exchange Online

Recoverable Items folder quota

Issue: The Recoverable Items folder has a quota of 30 gigabytes (GB); this quota isn’t charged against the quota for the user's primary mailbox. But when a mailbox is on litigation hold, none of the items in the Recoverable Items folder are permanently deleted. This makes it possible to reach or exceed the 30 GB quota for the Recoverable Items folder.

Lesson learnt: If this happens, you can contact Office 365 support to request an increase of the Recoverable Items quota for a mailbox on litigation hold. We don’t directly call this out in the Exchange Online service description; however, we do state limits for the number of messages per folder in the Recoverable Items folder.

Reference: Recoverable Items folder quota

 

Move mailbox fails

Issue: Move mailbox in a hybrid environment with Exchange 2013 fails in EAC with the error message "the connection to the server could not be completed". However, the same move works fine when executed in PowerShell.

Lesson learnt: The password for the account that was configured in the migration endpoint had expired or was reset. Either create a new migration endpoint or update the password in the existing one.

 

Cannot off-board remote mailbox

Issue: If you create a remote mailbox, you cannot off-board it unless you take the GUID of the tenant mailbox (msExchMailboxGUID) and write it in to the on-premises user object. Mailboxes that have been migrated from on-premises won't have the problem, as DirSync syncs this attribute from on-premises.

Lesson learnt: This is by design. You need to run the commands below and ensure this step is added to the customer's off-boarding process.

On Office 365: Get-Mailbox | Select Name,ExchangeGUID
On-prem: Set-MailUser <identity> -ExchangeGuid <ExchangeGUID value from Office 365>
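The same two-step fix applied in bulk, as an added example rather than part of the original page: export the GUIDs from Exchange Online, then stamp them on on-premises objects that lack one. It assumes the on-premises objects are remote mailboxes and therefore uses Get-RemoteMailbox/Set-RemoteMailbox, whose -ExchangeGuid parameter does the same job as the Set-MailUser call above; the CSV path and function names are also assumptions.

```powershell
# Added example. Assumed: CSV path, function names, and that the
# on-premises objects are remote mailboxes.
$Csv = 'C:\Temp\exo-exchangeguids.csv'

function Export-CloudGuids {
    # Run in an Exchange Online PowerShell session.
    Get-Mailbox -ResultSize Unlimited |
        Select-Object Name, PrimarySmtpAddress, ExchangeGuid |
        Export-Csv -Path $Csv -NoTypeInformation
}

function Set-MissingOnPremGuids {
    # Run in the on-premises Exchange Management Shell.
    foreach ($row in Import-Csv -Path $Csv) {
        $rm = Get-RemoteMailbox -Identity $row.PrimarySmtpAddress -ErrorAction SilentlyContinue
        if (-not $rm) { continue }   # no matching remote mailbox on-premises

        if ($rm.ExchangeGuid -ne [guid]::Empty) {
            # A GUID is already present; never overwrite it, only report a mismatch.
            if ([string]$rm.ExchangeGuid -ne $row.ExchangeGuid) {
                Write-Warning "$($row.PrimarySmtpAddress): on-premises GUID differs from cloud GUID"
            }
            continue
        }

        # -WhatIf only reports what would change; remove it to write the GUID.
        Set-RemoteMailbox -Identity $rm.Identity -ExchangeGuid $row.ExchangeGuid -WhatIf
    }
}
```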

 

Synchronize Public Folders to Distribution Groups in Office 365

Issue: Synchronize Public Folders to Distribution Groups in Office 365

Lesson learnt: See this article

 

Cannot send mail after changing certificate

Issue: Customer has configured an Exchange 2010 SP3 based hybrid. They had to replace the certificate used for mail flow and a few other hybrid configuration related things. After doing so, EXO users could no longer send mail to on-premises Exchange users. After some troubleshooting (which included looking in the receive connector protocol logs), I found out that EOP tried to establish SMTP sessions to the default receive connector and not the Inbound Office 365 connector created by the HCW. Via the protocol logs, I also noticed that the source IP address wasn't from the EOP IP range, but appeared to be one from the on-premises environment. It turned out the customer routes all inbound messages through a hardware load balancer, and after adding the VIP address associated with the SMTP virtual service on the load balancer to the Inbound from Office 365 receive connector, mail flow from EXO to on-prem worked again.

Lesson learnt: When updating the HCW, the list of source IP addresses on the Inbound from Office 365 receive connector is reset to only include the EOP IP ranges.
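One way to guard against this reset, as an added example that is not from the original page: snapshot the connector's source ranges before running the HCW, then report and restore whatever disappeared afterwards. The connector identity, the snapshot path and the function names are assumptions; run it in the on-premises Exchange Management Shell.

```powershell
# Added example. Assumed values: connector identity and snapshot file path.
$Connector = 'EXCH01\Inbound from Office 365'
$Snapshot  = 'C:\Temp\inbound-o365-remoteipranges.txt'

function Get-ConnectorRanges {
    param([string]$Identity)
    # RemoteIPRanges is multivalued; normalise every entry to a string.
    (Get-ReceiveConnector -Identity $Identity).RemoteIPRanges |
        ForEach-Object { $_.ToString() } | Sort-Object -Unique
}

function Save-ConnectorRanges {
    # Run BEFORE the Hybrid Configuration Wizard.
    Get-ConnectorRanges -Identity $Connector | Set-Content -Path $Snapshot
}

function Restore-ConnectorRanges {
    # Run AFTER the Hybrid Configuration Wizard.
    $before  = @(Get-Content -Path $Snapshot)
    $after   = @(Get-ConnectorRanges -Identity $Connector)
    $missing = @($before | Where-Object { $after -notcontains $_ })

    if ($missing.Count -eq 0) {
        Write-Host 'No source ranges were removed.'
        return
    }

    Write-Host 'Source ranges removed since the snapshot:'
    $missing | ForEach-Object { Write-Host "  $_" }

    # Every address on this list is accepted by the connector as an Office 365
    # source, so re-add only entries you recognise (such as the load balancer VIP).
    # -Confirm prompts before the change is written.
    Set-ReceiveConnector -Identity $Connector -RemoteIPRanges @{Add = $missing} -Confirm
}
```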

 

Tenant has not been upgraded to 50GB mailboxes

Issue: My customer's tenant hasn't been upgraded to 50GB mailboxes.

Lesson learnt: See this article

 

Offboarding mailboxes fails

Issue: Onboarding mailboxes to Exchange Online went well, but we hit an issue when trying to off-board mailboxes.

Lesson learnt: To off-board back to Exchange 2007, remember the following:

  1.  The name of the Exchange 2007 mailbox database must be unique
  2.  Only enter the unique Exchange 2007 mailbox database name as the Target Database

 

SOME move requests fail

Issue: SOME move requests from Exchange Online to on-premises fail with continuous TransientFailure errors in the log.

Lesson learnt: Through a support case we found that there was a problem with the search folders in those mailboxes, so the solution was to ask the affected user to run "outlook.exe /cleanfinders", which left the mailbox in a state where it could be migrated back to on-premises.

 

Exchange Online will not migrate permissions

Issue: Exchange Online will not migrate permissions over for shared mailboxes if these permissions were granted to security groups in AD

Lesson learnt: You must either mail-enable groups before migrating mailboxes or add the required attributes to these groups so DirSync makes them available online. If you don't do this beforehand, you will have to reassign permissions for the migrated objects once you fix the group.

 

Issues communicating with MS Federation proxy

Issue: When configuring a new Exchange 2013 SP1 Hybrid for a customer with a heavily locked down proxy server we hit issues communicating with the Microsoft Federation Gateway

Lesson learnt: For Exchange 2013 SP1, the URL used for the MFG has changed from domains.live.com to delegation.configure.office.com. Our online documentation does not yet reflect this.

 

The maximum limit of 10K public folders has increased to 100K

Issue: The maximum limit of 10,000 public folders when migrating on-premises public folders to modern public folders has been increased to 100,000.

Lesson learnt: See this article

 


Networking

Change recommendation on network info of datacenter/region

Issue: In the past it was only required to configure your firewall solution to allow access to the URLs or IP address ranges associated with the region/datacenter in which your tenant was created. However, this recommendation has changed…

Lesson learnt: The URLs used to access Office 365 now use Geo-DNS, which means that if you have an organization with users travelling between regions, each user will use the closest servers available. See this article

 

TCP Idle session settings cause performance issue

Issue: TCP Idle session settings on perimeter devices causing performance and connectivity issues with Office 365.

Lesson learnt: See this article

 


Tenant Administration

PS module for AAD in Windows 8.1 documentation not currently up to date

Issue: PowerShell module for Azure AD in Windows 8.1 documentation not currently up to date.

Lesson learnt: In order to install the PowerShell module for Azure AD in Windows 8.1, it is necessary to install a newer version of the Sign-in Assistant (MOS SIA). The page title still says "Beta", but older versions won't allow you to install the PowerShell module.

 

Tenant to tenant moves

Issue: Tenant to tenant moves

Lesson learnt: See this article


Client

Slow performance on IE8

Issue: If the customer experiences slow performance with IE 8, it's recommended they move to IE9 or newer.

Lesson learnt: See here

 

Windows XP does not shut down

Issue: Your Windows XP-based computer does not shut down after you install Office Professional Plus.

Lesson learnt: See here

 


Identity

PING 6.10 is not currently supporting multiple top level domains

Issue: PING 6.10 is not currently supporting multiple top level domains. It will be released as an update in Q2/CY2014

Lesson learnt: This functionality is only being released for v7.0 so customers would need to upgrade

 

DirectoryOperationException: The server does not support the control

Issue: Customer running IdFix 1.06 was seeing the following error during the query run: "DirectoryOperationException: The server does not support the control. The control is critical."

Lesson learnt: Disabling the antivirus solution rectified this issue.

 

AAD Impact on AD permissions

Issue: Windows Azure Active Directory Synchronization tool (dirsync) Impact on AD Permissions

Lesson learnt: See here

 

SAML-Artifact Resolution and Token replay detection are not used

Issue: SAML-Artifact Resolution and Token replay detection are not used by Office 365 scenarios

Lesson learnt: See here

 

DirSync is unable to authenticate to proxy server

Issue: DirSync is unable to authenticate to the proxy server when connecting to Windows Azure Active Directory.

Lesson learnt: There must be an exception configured on the proxy and firewall for the DirSync server, or the proxy must not require authentication. The requirement to allow non-authenticated proxy connections is documented here in the deployment guide under "Top network considerations".