Tuesday, May 30, 2017

Hybrid Exchange Writeback Permissions

I recently ran into an issue after configuring Azure Active Directory Connect with hybrid Exchange: certain attributes couldn't be written back to the on-prem directory. This manifests as errors in the sync tool, specifically "Connected data source error code 8344" and "Insufficient access rights to perform the operation" on the export task. There's plenty of documentation showing which permissions are required to support writeback of exactly 8 attributes. For some reason the AAD Connect setup tool does not seem to add these permissions correctly when Hybrid Exchange mode is selected. There are a number of scripts out there, but two I'll point out are this one from the Technet Gallery, which appears to support a number of different configuration scenarios, and this one from c7solutions, which is quite simple but effective. The c7 post also has a great explanation of why these types of scripts are necessary. The script is so useful that I've also generated an archive of the page here, in case it is ever moved or removed.

After running the script for a couple of minutes, most export errors were resolved. The same error can also be caused by an AD object with blocked inheritance, since the permissions granted at the OU or domain level never reach that object. This script from the Technet Gallery can be used to discover which users have inheritance blocked. Once found, they can either be fixed or manually targeted for permissions with the aforementioned scripts.
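The blocked-inheritance check described above, as an added example that is not the Technet Gallery script the post links to. It assumes the RSAT ActiveDirectory module is loaded (which also provides the AD: drive), and the search base is a placeholder you replace with your own domain or OU distinguished name. It reports the affected users first and only re-enables inheritance when you explicitly pipe the results into the second function:

```powershell
# Added example (not the linked Technet Gallery script). Finds AD user objects whose
# security descriptor has inheritance blocked, one cause of the "Insufficient access
# rights" (8344) export errors, and optionally re-enables inheritance on them.
# Assumes the RSAT ActiveDirectory module; the SearchBase default is a placeholder.
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    param(
        [string]$SearchBase = 'DC=example,DC=com'   # placeholder: your domain or OU DN
    )
    # nTSecurityDescriptor is returned as an ActiveDirectorySecurity object.
    # AreAccessRulesProtected is $true when "Include inheritable permissions from
    # this object's parent" is unchecked on the object.
    Get-ADUser -Filter * -SearchBase $SearchBase -Properties nTSecurityDescriptor, adminCount |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        Select-Object SamAccountName, DistinguishedName,
            @{ Name = 'AdminCount'; Expression = { $_.adminCount } }
}

function Restore-Inheritance {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$DistinguishedName
    )
    process {
        # SetAccessRuleProtection($false, $true): re-enable inheritance and keep the
        # existing explicit ACEs, so nothing already granted on the object is lost.
        $acl = Get-Acl -Path "AD:\$DistinguishedName"
        $acl.SetAccessRuleProtection($false, $true)
        if ($PSCmdlet.ShouldProcess($DistinguishedName, 'Re-enable ACL inheritance')) {
            Set-Acl -Path "AD:\$DistinguishedName" -AclObject $acl
        }
    }
}

# Report first, review the list, then dry-run the fix before applying it.
$blocked = Get-InheritanceBlockedUser
$blocked | Format-Table -AutoSize
# $blocked | Restore-Inheritance -WhatIf
# $blocked | Restore-Inheritance
```

The AdminCount column is there as a caveat: accounts in protected groups (adminCount = 1) have inheritance re-blocked by the AdminSDHolder/SDProp process on its next run, so for those the fix will not stick and the per-object targeting the post mentions is the right approach.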

Thursday, May 25, 2017

Princeton Bitcoin Textbook

In case you hadn't heard, Bitcoin hit an all-time high of over $2,400 USD / BTC today. There's plenty of good cursory information about Bitcoin, but if you're looking for a decent in-depth discussion of Bitcoin, related protocols, and other associated topics, check out this book published by Princeton University Press. The book is particularly suited to readers who already have an understanding of cryptography, computer science, networking, etc. If you're interested in going even deeper, there's also a Coursera course to accompany it, developed by one of the authors of the book.

Friday, May 19, 2017

O365 Migration Endpoint Creation Error

When creating a migration endpoint you may receive the error "No MRSProxy was found running at 'name.domain.com'", with the name of your email server taken from autodiscover. If you check the EWS virtual directory you will see that the MRSProxy is in fact enabled. Further, if you check the application event log on the Exchange server you will see Event ID 1309 from source ASP.NET. This was a very frustrating error, as it prevented the creation of migration endpoints on either the Exchange on-prem or the online side of the equation. Luckily I came across this thread, which explained that it's necessary to recycle the MSExchangeServicesAppPool on the on-prem Exchange server. This was a quick fix with no observable impact to users. After performing this step, migration endpoint creation was quick and painless.
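The checks and the fix above, as an added example that is not code from the post or from the thread it cites. It assumes it is run in the Exchange Management Shell on the on-prem server (for Get-WebServicesVirtualDirectory) with the IIS WebAdministration module available; the server name defaults to the local machine. The first function only gathers the three symptoms the post describes; the recycle is a separate function that supports -WhatIf:

```powershell
# Added example (not from the post or the linked thread). Confirms the symptoms the
# post describes, then recycles the app pool the thread identified as the fix.
# Assumes the Exchange Management Shell plus the WebAdministration module.
Import-Module WebAdministration

$AppPoolName = 'MSExchangeServicesAppPool'

function Test-MrsProxyState {
    param([string]$ServerName = $env:COMPUTERNAME)

    # 1. MRSProxy shows as enabled on the EWS virtual directory even while the
    #    endpoint creation fails, which is what makes the error misleading.
    $ews = Get-WebServicesVirtualDirectory -Server $ServerName |
        Select-Object Server, Name, MRSProxyEnabled

    # 2. Count ASP.NET Event ID 1309 entries from the last 24 hours in the
    #    Application log (provider name varies by .NET version, hence the wildcard).
    $events = Get-WinEvent -FilterHashtable @{
        LogName      = 'Application'
        ProviderName = 'ASP.NET*'
        Id           = 1309
        StartTime    = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue

    # 3. Current state of the app pool that hosts EWS and the MRSProxy.
    [pscustomobject]@{
        EwsVirtualDirectory  = $ews
        AspNetEvent1309Count = @($events).Count
        AppPoolState         = (Get-WebAppPoolState -Name $AppPoolName).Value
    }
}

function Invoke-MrsProxyAppPoolRecycle {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    if ($PSCmdlet.ShouldProcess($AppPoolName, 'Recycle application pool')) {
        # appcmd performs a graceful recycle (new worker process, old one drains).
        # Restart-WebAppPool -Name $AppPoolName is the blunter stop/start alternative.
        & "$env:windir\system32\inetsrv\appcmd.exe" recycle apppool "/apppool.name:$AppPoolName"
        Start-Sleep -Seconds 5
        Get-WebAppPoolState -Name $AppPoolName
    }
}

Test-MrsProxyState
# Invoke-MrsProxyAppPoolRecycle -WhatIf
# Invoke-MrsProxyAppPoolRecycle
```

Run Test-MrsProxyState again after the recycle and retry the endpoint creation; if the 1309 count keeps climbing afterwards, the app pool is not the only thing wrong and the event details are the next place to look.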