Channel: TechNet Blogs

Mail not routing to on-premise Exchange 2013 environment from O365 with 450 4.7.320 Certificate validation failed error


Issue:

User is trying to send email from his O365 tenant into the on-premises Exchange 2013 environment. The email fails with the following reason (as seen in the message tracking logs in O365):

Reason: [{LED=450 4.7.320 Certificate validation failed};{MSG=SubjectMismatch};{FQDN=hybrid.domain.com};{IP=###.###.###.###};{LRT=4/14/2017 1:07:17 PM}]. OutboundProxyTargetIP: ###.###.###.###. OutboundProxyTargetHostName: hybrid.domain.com

Cause:

We found that the certificate it was trying to use for TLS in the Exchange OnPrem space was not the certificate that was being presented by the O365 connector. By looking in the SmtpReceive protocol logs in Exchange 2013 onPrem, we saw the following:

2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,20,172.20.102.10:25,155.39.36.248:30648,*,,Sending certificate
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,21,172.20.102.10:25,155.39.36.248:30648,*,CN=SERVER1,Certificate subject
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,22,172.20.102.10:25,155.39.36.248:30648,*,CN=SERVER1,Certificate issuer name
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,23,172.20.102.10:25,155.39.36.248:30648,*,1234567890ABCDEF1234567890ABCDEF,Certificate serial number
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,24,172.20.102.10:25,155.39.36.248:30648,*,9876534210FEDCBA9876534210FEDCBA123456789,Certificate thumbprint
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,25,172.20.102.10:25,155.39.36.248:30648,*,SERVER1;SERVER1.domain.com,Certificate alternate names

The certificate with the thumbprint of 9876534210FEDCBA9876534210FEDCBA123456789 was a self-signed Exchange certificate in the OnPrem environment and did not have the SAN name of Hybrid.domain.com in it. The correct certificate is a third-party SAN certificate which was already installed in Exchange but for whatever reason was not being used by the Default Frontend Receive Connector. For this article's sake, we will say that certificate had a thumbprint of 4C0FA622D0D66E777AA123B1AF123456F001AE23.

We did a Get-ReceiveConnector "SERVER1\Default Frontend SERVER1" | fl TlsCertificateName and saw that it was set to Null.

Resolution:

We resolved this by adding the TlsCertificateName for the Default Frontend Receive connector using the following commands:

# Look up the third-party SAN certificate by its thumbprint
$tlscert = Get-ExchangeCertificate -Thumbprint 4C0FA622D0D66E777AA123B1AF123456F001AE23
# TlsCertificateName takes the form <I>issuer<S>subject
$tlscertname = "<I>$($tlscert.Issuer)<S>$($tlscert.Subject)"
# Bind that certificate to the connector
Get-ReceiveConnector "SERVER1\Default Frontend SERVER1" | Set-ReceiveConnector -TlsCertificateName $tlscertname

We then bounced the transport service and the issue remediated.

NOTE:

This issue can also occur in Exchange 2016. The fix is the same for both.
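
The log review described under Cause can be scripted. The following is an added example, not code from the original post: it reads SmtpReceive protocol-log lines, collects the certificate the server sent in each session, and reports whether it covers the FQDN named in the 450 4.7.320 reason. The function names, the second sample session (placeholder thumbprint, issuer and IP address) and the choice to accept a match on either the subject CN or an alternate name are assumptions made here.

```powershell
# Added example. Field order follows the #Fields header at the top of an Exchange protocol log.
$fields = 'date-time','connector-id','session-id','sequence-number',
          'local-endpoint','remote-endpoint','event','data','context'

# Session ...204D: lines quoted in the post. Session ...204E: constructed for contrast.
$sampleLog = @'
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,20,172.20.102.10:25,155.39.36.248:30648,*,,Sending certificate
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,21,172.20.102.10:25,155.39.36.248:30648,*,CN=SERVER1,Certificate subject
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,22,172.20.102.10:25,155.39.36.248:30648,*,CN=SERVER1,Certificate issuer name
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,24,172.20.102.10:25,155.39.36.248:30648,*,9876534210FEDCBA9876534210FEDCBA123456789,Certificate thumbprint
2017-04-14T17:00:41.125Z,SERVER1\Default Frontend SERVER1,08D479E14521204D,25,172.20.102.10:25,155.39.36.248:30648,*,SERVER1;SERVER1.domain.com,Certificate alternate names
2017-04-14T17:05:02.300Z,SERVER1\Default Frontend SERVER1,08D479E14521204E,20,172.20.102.10:25,203.0.113.5:41000,*,,Sending certificate
2017-04-14T17:05:02.300Z,SERVER1\Default Frontend SERVER1,08D479E14521204E,21,172.20.102.10:25,203.0.113.5:41000,*,CN=mail.domain.com,Certificate subject
2017-04-14T17:05:02.300Z,SERVER1\Default Frontend SERVER1,08D479E14521204E,22,172.20.102.10:25,203.0.113.5:41000,*,CN=Example Issuing CA,Certificate issuer name
2017-04-14T17:05:02.300Z,SERVER1\Default Frontend SERVER1,08D479E14521204E,24,172.20.102.10:25,203.0.113.5:41000,*,0000000000000000000000000000000000000000,Certificate thumbprint
2017-04-14T17:05:02.300Z,SERVER1\Default Frontend SERVER1,08D479E14521204E,25,172.20.102.10:25,203.0.113.5:41000,*,mail.domain.com;hybrid.domain.com,Certificate alternate names
'@ -split "`r?`n"

function Get-SentCertificate {
    # Returns one object per session describing the certificate that followed "Sending certificate".
    param([string[]]$Line)
    $map = @{ 'Certificate subject' = 'Subject'; 'Certificate issuer name' = 'Issuer'
              'Certificate thumbprint' = 'Thumbprint'; 'Certificate alternate names' = 'AlternateNames' }
    $certs = [ordered]@{}   # session-id -> certificate the server sent
    $open  = @{}            # sessions whose certificate block is still being read
    $rows  = $Line | Where-Object { $_ -and $_ -notmatch '^#' } | ConvertFrom-Csv -Header $fields
    foreach ($row in $rows) {
        $id      = $row.'session-id'
        $context = [string]$row.context
        if (-not $id) { continue }
        if ($context -eq 'Sending certificate') {
            $certs[$id] = [ordered]@{ Session = $id; Connector = $row.'connector-id'
                                      Subject = ''; Issuer = ''; Thumbprint = ''; AlternateNames = @() }
            $open[$id] = $true
        } elseif ($open[$id] -and $map.ContainsKey($context)) {
            $value = $row.data
            if ($map[$context] -eq 'AlternateNames') { $value = @($value -split ';' | Where-Object { $_ }) }
            $certs[$id][$map[$context]] = $value
        } elseif ($context -notlike 'Certificate *') {
            # Any non-certificate line closes the block, so a later remote-certificate
            # block in the same session does not overwrite what the server sent.
            $open[$id] = $false
        }
    }
    $certs.Values | ForEach-Object { [pscustomobject]$_ }
}

function Test-CertificateCoversName {
    # True when the FQDN equals the subject CN or an alternate name, or matches a
    # single-label wildcard such as *.domain.com.
    param($Certificate, [string]$Fqdn)
    $names = @($Certificate.AlternateNames)
    if ($Certificate.Subject -match '(?:^|,)\s*CN=([^,]+)') { $names += $Matches[1].Trim() }
    foreach ($n in $names) {
        if ($n -eq $Fqdn) { return $true }
        if ($n.StartsWith('*.') -and $Fqdn -like "?*$($n.Substring(1))" -and
            $Fqdn.Split('.').Count -eq $n.Split('.').Count) { return $true }
    }
    return $false
}

$expectedFqdn = 'hybrid.domain.com'   # the FQDN= value from the 450 4.7.320 reason
$report = Get-SentCertificate -Line $sampleLog | ForEach-Object {
    [pscustomobject]@{
        Session    = $_.Session
        Connector  = $_.Connector
        Thumbprint = $_.Thumbprint
        SelfIssued = ($_.Subject -eq $_.Issuer)
        CoversFqdn = Test-CertificateCoversName -Certificate $_ -Fqdn $expectedFqdn
    }
}
$report | Format-Table -AutoSize
# For real logs, pass Get-Content output from a file under the path reported by
# Get-FrontendTransportService | fl ReceiveProtocolLogPath
```

With the sample input, the session quoted in the post is reported as SelfIssued = True and CoversFqdn = False, which is the combination that produces SubjectMismatch on the O365 side.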


Mailbox migration times out when going from Exchange OnPrem to O365


ISSUE:

When attempting to migrate an onPrem User mailbox from Exchange 2013 to O365, the following error is generated and the migration fails:

The request channel timed out while waiting for a reply after 00:00:00.0012345. Increase the timeout value passed to the call to Request or increase the SendTimeout value on the Binding. The time allotted to this operation may have been a portion of a longer timeout.

CAUSE:

This typically happens when the ExchangeGUID property of the mail-enabled user in O365 does not match the ExchangeGUID property of the corresponding on-premises mailbox that you are trying to migrate. The migration will then timeout because it is trying to look up the wrong ExchangeGUID and will never find it.

RESOLUTION:

Set the ExchangeGUID property of the mail-enabled user in Exchange Online (O365) to match the ExchangeGUID property of the corresponding on-premises mailbox, and then retry the move. To do this, follow these steps:

  1. Retrieve the value of the ExchangeGUID property for the on-premises mailbox that you want to move. To do this, open the Exchange Management Shell on the on-premises server, and then run the following command:

    Get-Mailbox <MailboxName> | Format-List ExchangeGUID

    Make a note of the value. You’ll need it later in step 2B.

     

  2. Connect to Exchange Online by using remote PowerShell. Then, do the following:

    A. Determine the value of the ExchangeGUID property of the mail-enabled user in Exchange Online. To do this, run the following command:

    Get-MailUser -Identity <UserName> | fl displayname,ExchangeGuid

    B. Set the value of the ExchangeGUID property of the mail-enabled user in Exchange Online to match the ExchangeGUID property of the on-premises mailbox. To do this, run the following command:

    Set-MailUser -Identity <UserName> -ExchangeGUID <Value Retrieved From Step 1>

  3. Retry the move.

NOTES:

There are other similar issues but I see this one more than any other when it comes to failed migrations, so I am singling it out for the purpose of this article. If this does not address your issue, please refer to TechNet for other possibilities.

Owaproxy component is in Inactive State and will not successfully activate


ISSUE:

My customer put their Exchange 2016 environment into maintenance mode so they could apply BitLocker to their drives. After applying BitLocker following the guidance outlined in the following article, they were not able to set the ServerComponentState to Active for OWA Proxy:

https://blogs.technet.microsoft.com/exchange/2015/10/20/enabling-bitlocker-on-exchange-servers/

The customer runs the following command to see whether the state is enabled or not:

Get-ServerComponentState ServerName | ?{$_.Component -eq "OwaProxy"}

It returns the following:

Server          Component       State
------          ---------       -----
ServerName      OwaProxy        Inactive

They then tried to set it manually, using the following command, specifying the Maintenance Requester because that is the one that is actually showing Inactive:

Set-ServerComponentState ServerName -Component OwaProxy -Requester Maintenance -State Active

We do not get an error but when we do the Get command again, it still shows inactive.

CAUSE:

We noticed in Active Directory, that the OwaProxy.Maintenance values in msExchComponentStates had two opposing settings that looked as such:

1:OwaProxy:Maintenance :0:636264117313332389

1:OwaProxy:Maintenance :1:636272763659703237

These values will also exist in the registry of the Exchange server. Because it has competing values in there, the server will side with the most restrictive which is to keep it at Inactive.

RESOLUTION:

In Active Directory Users and Computers, go to the computer object of the server that you are having the issue on, and right-click on it and select properties. Then click on the msExchComponentStates attribute. You should see the various component values. From there, delete the OwaProxy values from the attribute.

Then go to the registry on the Exchange server and delete the OwaProxy reg key using the following process:

Backup and delete the reg key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\ExchangeServer\v15\ServerComponentStates\OwaProxy

Allow enough time for Active Directory to replicate and then run the set command again:

Set-ServerComponentState ServerName -Component OwaProxy -Requester Maintenance -State Active

Finally, test again to see if the component is now active:

Get-ServerComponentState DENXCHMBXC1N4P -Component OwaProxy | fl

The component value should then be recreated in AD and in the registry reflecting the proper value for the active state.

How did that 1.5GB message get into my Exchange environment anyway?


ISSUE:

Recently, I had a customer call in an issue where their transport services were failing on all Exchange 2013 servers usually within minutes of each other. Transport would restart on its own and then 15 minutes to an hour later, they would crash yet again. The following errors were showing up in the Event logs:

Log Name:      Application
Source:        MSExchangeTransport
Date:          4/14/2017 7:41:23 AM
Event ID:      17017
Task Category: Storage
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server1.contoso.com
Description:
Transport Mail Database: Quota was exceeded while performing a database operation. The Microsoft Exchange Transport service is shutting down. Exception details: Microsoft.Isam.Esent.Interop.EsentTransactionTooLongException: Too many outstanding generations between JetBeginTransaction and current generation.
   at Microsoft.Isam.Esent.Interop.Api.JetSetColumn(JET_SESID sesid, JET_TABLEID tableid, JET_COLUMNID columnid, Byte[] data, Int32 dataSize, Int32 dataOffset, SetColumnGrbit grbit, JET_SETINFO setinfo)
   at Microsoft.Exchange.Transport.Storage.DataStreamImmediateWriter.Write(Int64 position, Byte[] data)
Log Name:      Application
Source:        MSExchange Common
Date:          4/14/2017 7:41:24 AM
Event ID:      4999
Task Category: General
Level:         Error
Keywords:      Classic
User:          N/A
Computer:      Server1.contoso.com
Description:
Watson report about to be sent for process id: 32864, with parameters: E12N, c-rtl-AMD64, 15.00.1104.005, edgetransport.exe, KERNELBASE.dll, 8b9c, c0020001, 3cb8, 6.3.9600.17031 (winblue_gdr.140221-1952).
ErrorReportingEnabled: True
%14
Log Name:      Application
Source:        MSExchangeTransport
Date:          4/14/2017 7:38:19 AM
Event ID:      15004
Task Category: ResourceManager
Level:         Warning
Keywords:      Classic
User:          N/A
Computer:      Server1.contoso.com
Description:
The resource pressure increased from Medium to High.
The following resources are under pressure:
Version buckets = 2585 [High] [Normal=1750 Medium=2000 High=2500]
The following components are disabled due to back pressure:
Inbound mail submission from Hub Transport servers
Inbound mail submission from the Internet
Mail submission from Pickup directory
Mail submission from Replay directory
Mail submission from Mailbox server
Mail delivery to remote domains
Content aggregation
Mail resubmission from the Message Resubmission component.
Mail resubmission from the Shadow Redundancy Component
The following resources are in normal state:
Queue database and disk space (“D:\TransportDB\data\Queue\mail.que”) = 66% [Normal] [Normal=95% Medium=97% High=99%]
Queue database logging disk space (“D:\TransportDB\data\Queue”) = 66% [Normal] [Normal=95% Medium=97% High=99%]
Private bytes = 4% [Normal] [Normal=71% Medium=73% High=75%]
Physical memory load = 67% [limit is 94% to start dehydrating messages.]
Submission Queue = 0 [Normal] [Normal=2000 Medium=10000 High=15000]
Temporary Storage disk space (“D:\TransportDB\data\Temp”) = 66% [Normal] [Normal=95% Medium=97% High=99%]

In the Protocol logs for SmtpSend, we could see several 452 4.3.1 status codes where the system had insufficient system resources. All of these showed up on Shadow Copy traffic or XProxyFrom traffic.

CAUSE:

One of the first things we noticed was the Back Pressure event (15004) was happening about 3 minutes before the 17017 event every time. So we knew the MSExchange Transport service would crash in about 3 minutes after the 15004 event fired off. We decided we needed to see what was killing the transport service so we ran procdump. We got the pid of the edgetransport.exe process and then waited until the next 15004 event fired. At that point we ran the following command from an elevated command prompt:

procdump -ma -s 60 -n 3 <edgetransport.exe pid>

This captured 3 dumps, 60 seconds apart (since we knew the process would crash in 3 minutes).

We also did a different dump to catch it upon crashing using the following command (You can change the path at the end of the command to something relevant for your system):

procdump.exe -e 1 -ma -f *EsentTransactionTooLongException* edgetransport.exe -accepteula C:\dumps\crashdump.dmp

We sent those dumps to our Escalation Engineer and ultimately he came back saying that a large message, over 1.5GB, was trying to come in, getting through the receive connector and then blowing up the Transport service when trying to proxy to the backend servers. He identified the message telling us the server name and IP that sent the message, the Exchange server name and IP it was trying to proxy to, the Exchange server IP that had received the message from the sender, and the name of the connector that was proxying the message (not the receive connector the message came in under).

The sending server the dump identified was an application server trying to deliver the message through the relay connectors in Exchange. The Escalation Engineer then provided us the messageID and sender of the problematic message:

<2017041410354.AB1234@appserver1.contoso.com>
App1@appserver1.contoso.com

So, we have a really large message that has come in to the Exchange environment and was wreaking havoc on it.

How did that 1.5GB message get into my Exchange environment anyway?

This is the question that hounded the customer the most. How did this message get in? I mean, their relay connectors and their Default Connectors all had 20MB message limits. Why did that not stop the message from even making it into transport?

Well, to answer that, we looked into all of the relay connectors to see which one was being used by the IP of the Application server. We found it on Relay3. We took a closer look at the relay and found that the relay receive connector under the Security tab, had been set up with Externally Secured for the authentication security mechanism, and Exchange servers as the Permission group.

Externally secured requires you to set the Permission group to Exchange servers because that is what it treats those connections like. Anything coming in under this connector will be treated like an internal Exchange Server. It will assume the sender is 100% trusted and will not apply any checks to it, including the checks on message size. So that is how the 1.5GB message got in.

Now, because the message had gotten in, and Transport was crashing before the message could deliver, the sending server, a Unix server using SendMail, never got a response from Exchange that the message had been delivered, nor did it get an error. All it got was a severed connection due to the transport service crashing. So it waited a few minutes and then resubmitted the message. Depending on the configuration of the sendMail server, it could potentially do that indefinitely, which was the case in our scenario. So the cycle of crashing transport could have gone on forever if left unchecked.

RESOLUTION:

We spent a lot of time trying to find the message and remove it from the queues before we realized it was being resubmitted over and over again after every crash. So we finally looked at the receive connectors and realized the issue was with how it was configured. For rules to apply to a receive connector, such as the Maximum receive message size, it simply couldn’t be set up with externally secured. So how do we set it up so the application can still send messages through the relay to both the internal and external customers? It is easier than it sounds.

First, uncheck all of the Authentication and Permission groups in the current relay connector, and then check the Anonymous users permission group. Save that, then from the Exchange Management Shell, run the following to give the relay receive connector the permissions it needs to send internally and externally:

Get-ReceiveConnector "Server1\Relay 3" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

For good measure, I would then restart the MSExchange Transport service.

The next time the sendMail server tries to send that message into Exchange, Exchange will check its message size and reject it immediately, sending a response over the SMTP connection back to the sending server that the message was rejected due to the message being too large. This would show up in the sendMail server's mail logs as a 5.3.4 status saying: “Message too big for system” or a 5.2.3 status stating: “Message too large”. Since the sendMail server received the rejection response, it would discard the message and not try to send it in again.

NOTES:

Information on Anonymous versus Externally Secured permission groups can be found in the following article as well as the steps to set up either of the two types of relays: https://technet.microsoft.com/en-us/library/mt668454(v=exchg.160).aspx

WARNING:

If your distribution groups are set up to only accept mail from “Only senders inside my organization”, then anonymous relays will not work for that. In order for an application to send as an internal sender so that it can successfully send to one of those distribution groups, it has to come in as Externally Secured. The other option is to set the distribution group for “Senders inside and outside my organization”. Then anonymous relays would work fine and still grant you the protection of the size limitations and other rules.

There is another scenario where Externally Secured is needed for a relay. If the application is trying to send from OnPrem to a distribution group that lives in O365 that is set to accept messages only from authenticated users, even though the O365 Tenant has the same name space as the OnPrem environment, the message would need to appear to be internal. When it comes through an anonymous relay, the header is stamped with X-MS-Exchange-Organization-AuthAs: Anonymous and will be rejected as it would not be authorized to send to that distribution group. If the relay is set as Externally Secured, then it comes in as X-MS-Exchange-Organization-AuthAs: Internal and O365 accepts the message.

In a nutshell, only use the Externally Secured option when the application is 100% trusted to abide by the policies you have enforced on the Exchange environment. Make sure the application developers know that you have a size limit and make them code with that in mind. Otherwise, make them use the anonymous connectors and inform them they will not be able to send to any Distribution groups that are locked down to only receive from internal senders.

ACKNOWLEDGEMENTS:

Thanks to Kary Wall our friendly Escalation Engineer, Tom Kern and Stephen Gilbert our Exchange Connector SMEs, and Sainath Vijayaraghavan our local team lead, for their help in coming to these conclusions and being a sounding board for me as I worked this case.
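
To find other relays configured like Relay3 before they cause the same outage, the connector settings can be audited. The following is an added example, not code from the original post: it flags receive connectors whose AuthMechanism includes ExternalAuthoritative (the value behind "Externally Secured") and lists the remote IP ranges that are trusted as a result. The function name and the sample connector objects are constructed here; the property names are those returned by Get-ReceiveConnector.

```powershell
# Added example. Constructed sample objects carrying only the properties the audit reads.
$sampleConnectors = @(
    [pscustomobject]@{ Identity = 'Server1\Relay 3'; AuthMechanism = 'Tls, ExternalAuthoritative'
                       PermissionGroups = 'ExchangeServers'; RemoteIPRanges = @('10.20.30.40')
                       MaxMessageSize = '20 MB (20,971,520 bytes)' }
    [pscustomobject]@{ Identity = 'Server1\Relay 4'; AuthMechanism = 'Tls, ExternalAuthoritative'
                       PermissionGroups = 'ExchangeServers'; RemoteIPRanges = @('10.20.0.0/16', '10.30.1.5')
                       MaxMessageSize = '20 MB (20,971,520 bytes)' }
    [pscustomobject]@{ Identity = 'Server1\Relay 5'; AuthMechanism = 'Tls'
                       PermissionGroups = 'AnonymousUsers'; RemoteIPRanges = @('10.40.1.7')
                       MaxMessageSize = '20 MB (20,971,520 bytes)' }
)

function Get-ConnectorSizeLimitExposure {
    # Classifies each receive connector by whether its configured limits are applied to senders.
    param([Parameter(ValueFromPipeline = $true)]$Connector)
    process {
        # Flags enums print as "Tls, ExternalAuthoritative"; splitting the string form
        # lets live connector objects and the sample objects be handled the same way.
        $auth   = "$($Connector.AuthMechanism)"    -split '\s*,\s*'
        $perms  = "$($Connector.PermissionGroups)" -split '\s*,\s*'
        $ranges = @($Connector.RemoteIPRanges | ForEach-Object { "$_" })

        $external = $auth -contains 'ExternalAuthoritative'
        # Entries written as a CIDR block or a start-end range trust more than one host.
        $multiHost = @($ranges | Where-Object { $_ -match '[-/]' })

        $finding = if ($external) {
            'Externally Secured: senders are treated as internal Exchange servers and the message size check is not applied'
        } elseif ($perms -contains 'AnonymousUsers') {
            'Anonymous: connector limits, including maximum message size, are applied'
        } else {
            'Not externally secured'
        }

        [pscustomobject]@{
            Identity          = "$($Connector.Identity)"
            SizeLimitEnforced = -not $external
            ConfiguredMaxSize = "$($Connector.MaxMessageSize)"
            TrustedRanges     = $ranges -join ', '
            MultiHostRanges   = $multiHost -join ', '
            Finding           = $finding
        }
    }
}

# Connectors that skip the size check sort first.
$sampleConnectors | Get-ConnectorSizeLimitExposure | Sort-Object SizeLimitEnforced | Format-List

# Against a live organization, from the Exchange Management Shell:
#   Get-ReceiveConnector | Get-ConnectorSizeLimitExposure | Where-Object { -not $_.SizeLimitEnforced }
```

Every address listed under TrustedRanges for a flagged connector can submit mail that bypasses the 20MB limit, so entries under MultiHostRanges deserve the closest review.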

Updated Partner Readiness Webcasts on Office 365 Enterprise E5


East Region SMB Techcast

WHAT: Office 365 E5!  Auto-Attendant, Call Queues!  But wait, there’s more!

WHEN: 4/20 @ 11:00 AM EST

Now that the Skype for Business Cloud PBX can deliver the needed Auto-Attendant and Call Queues, it’s time to revisit what voice and collaboration solutions Skype for Business Online can now provide in some detail.  We will also overview the other value added benefits in the always important area of Security (including Advanced Threat Protection and Security Management) and how data insights can be enabled for all via the Analytics tools Power BI Pro and Delve Analytics!  Come hear how this can be a great offering for both new customers and a great upsell opportunity for your current customer base!

Live demos including:

  • Licensing calling plans
  • Transferring and assigning phone numbers
  • Creating Call Queues
  • Defining an Auto Attendant
  • Bringing it all together

Click here to Register: https://aka.ms/smbeasttechcast

 

Office 365 E5: Your complete communications solution

Microsoft is pleased to announce that two new advanced calling features, Auto Attendant and Call Queues, have just launched within Skype for Business Cloud PBX. Auto Attendant provides an automated system to answer and route inbound calls using dial pad inputs and speech recognition. Call Queues enable incoming calls to be routed to the next available live attendant in the order they are received.

These rich Cloud PBX features are available as enterprise add-ons or are included within the Office 365 E5 suite. The E5 suite includes a full telephony solution with Skype for Business, Cloud PBX, PSTN Conferencing and PSTN Calling, not to mention the Security and Analytics features, for only $35 per user per month.

This is a great opportunity for you to find NEW customers in search of one solution for all of their business needs in the Small and Midsize Business space.

With Skype for Business, companies can replace their legacy meeting and phone systems, and enable their employees to join meetings, as well as to make, receive and manage calls right within Office 365—all on any device. People around the globe conduct over one billion meetings per year on the Skype network, and usage of Skype for Business Online has doubled in the last year. Skype for Business is the backbone for enterprise voice and video meetings in Office 365.

Learn more about the power of Skype for Business and Cloud PBX by:

  • Registering for the ‘Auto Attendant and Call Queues’ partner webcast on Tuesday April 18, 2017 at 9 a.m. PST here.
  • Encouraging your customers to attend the ‘Lower costs with Modern Meeting & Voice Solutions’ webcast on April 20, 2017 at 10 a.m. PST here.

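Understanding the Cloud Infrastructure and Management Business Opportunity [Updated 4/15]

(This article is a translation of Understanding the Cloud Infrastructure & Management Opportunity, published on the Microsoft Partner Network blog on February 23, 2017. For the latest information, please refer to the original page.)

The other day we introduced the new playbooks on building a successful cloud practice. This time I would like to explain in detail the business opportunity in cloud infrastructure and management, and how partners can differentiate their cloud business in the current cloud boom.

There is an enormous business opportunity in cloud IaaS (infrastructure as a service) and management. Market growth exceeded 51% in 2015, and according to IDC's forecast (in English), the compound annual growth rate for 2017 is expected to be 41% or more.

Customers are moving to hybrid IT infrastructure. Traditional IT environments are expected to improve agility and cut costs while delivering more with limited resources. Companies need flexible infrastructure that can scale to their needs. With a hybrid cloud, IT resources can be added as needed, so IT departments can keep up with rapidly changing business requirements.

Furthermore, according to IDC's forecast (in English), 2017 is expected to bring optimization and a shift to hybrid cloud across the public cloud IaaS market, and 80% of companies are expected to have adopted hybrid architectures by 2018. To fully understand this opportunity, download the Cloud Infrastructure and Management playbook (in English) and review its research findings and guidance on modernizing infrastructure, hybrid cloud management and security, and deploying hybrid cloud infrastructure.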

 

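Toward higher profitability

In preparing the playbook, we conducted a large-scale survey of more than 1,100 partners that run cloud businesses. According to the survey, more than half of cloud-based businesses are currently less than two years old, and 74% of partners need six months to two years for a new business to become profitable.

We also surveyed the obstacles that hold up many cloud projects and that must be addressed for the business to succeed.

  • 32% of respondents said it is difficult to overcome resistance from customers who are negative about moving to the cloud.
  • 31% of respondents said it is difficult to keep technical staff up to date with the latest technology.
  • 29% of respondents said it is difficult to continuously generate a lead pipeline.

With these key challenges in mind, Microsoft offers numerous solutions. Please incorporate them into your business to help improve profitability.

Acquiring leads

On lead acquisition, the partners surveyed gave the following responses.

  • 83% of leads were acquired through sales activities.
  • 43% of leads were acquired through demand generation and marketing activities.
  • 20% of leads were acquired through the company's own website.

These results make clear the need to update websites. A website lets you showcase your expertise, solutions, and capabilities to prospective customers who are looking for help adopting the cloud, and earn their trust.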

 

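Making use of Microsoft's key services

According to partners, the Microsoft Azure services most used in cloud infrastructure and management projects are Virtual Machines, Virtual Network, Azure Backup, Azure Site Recovery, Automation (templates and scripts), Operations Management Suite (OMS), and ExpressRoute.

The services that companies running cloud infrastructure and management businesses most often deliver to customers are as follows.

  • Project services: backup and storage deployment, cloud migration planning, virtualization migration and deployment, proof of concept, systems integration, deployment services
  • Managed services: virtual machine management and upgrades, configuration management, Microsoft support, domain management
  • Intellectual property services: automated backup and disaster recovery, automated monitoring/alerting/logging, connection to Office, other plug-ins and add-ons

Training and hands-on experience

An analysis of the skills and experience staff need for a successful cloud infrastructure and management business showed that experienced staff play a major role in the success of a partner's business overall. At companies that have succeeded in delivering cloud infrastructure and management services, staff have an average of five years of hands-on experience.

We recommend that you continue to build your technical staff's skills using the Azure training and massive open online courses (MOOCs) that are continually being added.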

 

 

 

 

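Building the business

Microsoft's commitment to supporting partners is reflected in the resources it provides and in the impact on the bottom line. For example, the average partner sells more than 4 dollars of its own services for every dollar of Microsoft cloud solutions it sells or influences, while for cloud-focused partners the figure jumps to nearly 6 dollars.

To further strengthen our support for partners, we have prepared the new Cloud Infrastructure and Management playbook. The playbook shows how to achieve innovation quickly and implement the best management and security capabilities built on new hybrid cloud capabilities. Through market information and guidance, it clearly lays out a roadmap for partners aiming to improve profitability today.

“The playbook covers a broad range of advanced material and far exceeded what I had imagined. The cloud business plan template was extremely helpful in setting our fiscal year 2017 revenue targets and our sales, marketing, and service delivery plans. Although we have kept growing in this business, it made us aware of information and questions we had not known about, and let us see the business from a different angle.”

– Joe Crabtree, Cloud Platform Practice Director, Perficient

We hope this new playbook helps you improve and optimize the profitability and sustainability of your cloud infrastructure and management business.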

 

Protecting customers and evaluating risk


Today, Microsoft triaged a large release of exploits made publicly available by Shadow Brokers. Understandably, customers have expressed concerns around the risk this disclosure potentially creates. Our engineers have investigated the disclosed exploits, and most of the exploits are already patched. Below is our update on the investigation.

When a potential vulnerability is reported to Microsoft, either from an internal or external source, the Microsoft Security Response Center (MSRC) kicks off an immediate and thorough investigation. We work to swiftly validate the claim and make sure legitimate, unresolved vulnerabilities that put customers at risk are fixed. Once validated, engineering teams prioritize fixing the reported issue as soon as possible, taking into consideration the time to fix it across any impacted product or service, as well as versions, the potential threat to customers, and the likelihood of exploitation.

Most of the exploits that were disclosed fall into vulnerabilities that are already patched in our supported products. Below is a list of exploits that are confirmed as already addressed by an update. We encourage customers to ensure their computers are up-to-date.

Code Name          Solution
EternalBlue        Addressed by MS17-010
EmeraldThread      Addressed by MS10-061
EternalChampion    Addressed by CVE-2017-0146 & CVE-2017-0147
“ErraticGopher”    Addressed prior to the release of Windows Vista
EsikmoRoll         Addressed by MS14-068
EternalRomance     Addressed by MS17-010
EducatedScholar    Addressed by MS09-050
EternalSynergy     Addressed by MS17-010
EclipsedWing       Addressed by MS08-067

 

Of the three remaining exploits, “EnglishmanDentist”, “EsteemAudit”, and “ExplodingCan”, none reproduces on supported platforms, which means that customers running Windows 7 and more recent versions of Windows or Exchange 2010 and newer versions of Exchange are not at risk. Customers still running prior versions of these products are encouraged to upgrade to a supported offering.

We have long supported coordinated vulnerability disclosure as the most effective means to ensure customers and the computing ecosystem remain protected. This collaborative approach enables us to fully understand an issue and to deliver protection before customers are at risk due to public disclosure of attack methods. We work closely with security researchers worldwide who privately report concerns to us at secure@microsoft.com. We also offer bug bounties for many reported vulnerabilities to help encourage researchers to disclose responsibly.

Phillip Misner,
Principal Security Group Manager
Microsoft Security Response Center

Friday with International Community Update – Progress in each language (Mar. 2017)


Hello, Wiki Ninjas!

Today is Friday with International Community Update.

The end of March is as follows:

[Image: LanguageRank_201703]

The topic of this month:

The appearance of Punjabi was February. Thank you for telling me this information, Kamlesh!

Thank you!!

Tomoaki Yoshizawa (yottun8)
Blog: blog.yottun8.com
Facebook: Tomoaki Yoshizawa
twitter: @yottun8
TechNet Profile: Tomoaki Yoshizawa


Support-Tip: (PCNS) Passwords stopped synchronizing, Passwords stopped working


PRODUCT FOCUS

  • Password Change Notification Service (PCNS)

PROBLEM SCENARIO DESCRIPTION

  • Recently worked on an issue where after a database restore, passwords were no longer synchronizing from Active Directory to the Target datasource.
NOTE: An issue like this one could occur if the Synchronization Service Database is restored from backup.

CAUSE

  • In reviewing the Application Event Log on the Source Domain Controller, the Event ID 6025 was found. An Event ID of 6025 is an indication that there is something wrong with the Password Change Notification Service (PCNS) service. Event ID 6025 is a very common Event ID with several different messages/stacks, so it will need to be opened and reviewed to understand what is happening.
NOTE Find information on troubleshooting the Event ID 6025 at the Event ID 6025 Troubleshooter Wiki page found here: https://social.technet.microsoft.com/wiki/contents/articles/2762.fim-password-synchronization-pcns-resource-wiki.aspx
  • In the particular issue I was working on, the Event ID 6025 contained a Status of 1753. (Status is 1753 – There are no more endpoints available from the endpoint mapper)
  • The cause was identified in the Options dialog. Password Synchronization was not enabled. (Synchronization Service Manager Console > Tools > Options > Enable Password Synchronization)
    • Enable Password Synchronization check box can become unchecked, disabling Enable Password Synchronization, if a Synchronization Service Database is restored from back up.

RESOLUTION

  • In the Synchronization Service Manager Console, select Tools > Options
  • Check Enable Password Synchronization at the bottom of the dialog
  • Click Ok
  • Test a password reset
NOTE: This may resolve the problem or may expose another issue. It is always important to test and confirm that passwords are not synchronizing properly by testing a password reset.

 

LINKS

Here are some links about the issue and that may assist in future Password Management (PCNS – Password Synchronization) issues.

  1. Status 1753: There are no more endpoints available from the endpoint mapper: https://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx#Status_1753_There_are_no_more_endpoints_available_from_the_endpoint_mapper
  2. Event ID 6025 Troubleshooter: https://social.technet.microsoft.com/wiki/contents/articles/4159.pcns-troubleshooting-event-id-6025.aspx
  3. PCNS Resources Wiki: https://social.technet.microsoft.com/wiki/contents/articles/2762.fim-password-synchronization-pcns-resource-wiki.aspx

Windows Server 2016 – Software Defined Storage S2D – Part 1

S2D, or Software Defined Storage

Anyone who has taken a closer look at Windows Server 2016 will probably have stumbled across S2D. So what is it about? It is about the storage capabilities that Server 2016 brings with it, and there is far more to them than appears at first glance.

As with any technology, with S2D it is important to understand how it works. Because we offer this functionality in Windows Server, some may think it cannot be all that demanding. In truth, S2D is even more demanding than elsewhere. It is enormously important to design the solution properly. With the wrong hardware, things can go wrong quickly.

In the coming posts I will therefore try to introduce you to the technology step by step.

Today's post covers only the basics.

Why?

Many of you will have asked yourselves this question already. Most environments have large, expensive, highly available SAN installations, and at first glance it is not obvious why Microsoft now wants to play in this space.

  • Cost: A SAN is usually an extremely expensive purchase. The Fibre Channel infrastructure in particular costs a great deal.
  • Flexibility: Because of the cost structure in the SAN world, a SAN usually also becomes the central storage system. This inevitably creates dependencies in every direction, which can severely limit IT's flexibility.
  • Integration: For many of our customers, the vast majority of systems run Windows. From a technology standpoint it therefore makes perfect sense to run an end-to-end scenario. A third-party solution will never be 100 percent Windows. So in homogeneous environments it also makes sense to optimize integration.
  • Performance: Many will probably disagree with me here, but many SAN systems simply do not deliver the desired performance. Many factors contribute to this. At the core, however, are cost and the massive virtualization we run today.

With Windows Server Software Defined Storage, or S2D, we want to give you a solution that can address all of these points if you go about it the right way.

How to Design a Compelling Value Proposition [Updated 4/16]

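(This article is a translation of How to Design a Value Prop that Gets Attention, posted on the Microsoft Partner Network blog on March 5, 2017. For the latest information, please refer to the source page.)

When I talk with partners, the basic concepts of marketing often come up, and in particular how to create a value proposition. Every company has a value proposition, but it takes a little effort to get its appeal understood correctly.

Put very simply, a value proposition is the benefit that a product or service is supposed to deliver to the customer; with it, a company shows that it can draw on its unique strengths to solve the customer's problems.

To help partners create more compelling value propositions, I draw on a book: Value Proposition Design: How to Create Products and Services Customers Want by Alex Osterwalder, Yves Pigneur, Greg Bernarda and Alan Smith. The book uses illustrations to explain, in an easy-to-follow way, how to come up with messages that resonate with customers. This post introduces its content.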

 

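Step 1: Observe the customer closely

First, observe the customer carefully to find the customer's pains (such as risks and obstacles). To do so, deepen your understanding of the customer along the following three points.

  1. Customer jobs – what customers want to accomplish in their work and life, expressed in their own words
  2. Customer pains – the bad outcomes, risks and obstacles customers face when trying to get a job done
  3. Customer gains – what customers want to achieve, or the benefits they seek

Step 2: Design a value proposition that matches the customer's needs

When creating a value proposition, analyze your own products and services from the following three points.

  1. Products and services – list all products and services and use the list as the basis of the value proposition.
  2. Pain relievers – think about how your products and services remove the customer's pains.
  3. Gain creators – think about how your products and services bring benefits to the customer.

Ask customers what they find appealing about your company and which of your strengths can resolve their issues, and build the value proposition on that. For example, suppose a customer highly values that you are a local company and that you can solve problems quickly. If this customer is uneasy about storing data and information in the cloud, a value proposition like this would be effective: "Acme Tech Partners is based in the same area as your company, and our staff resolve any problem speedily. With our extensive Azure experience, we keep your important data safe without disrupting your business."

Fit arises where the value proposition and the customer profile overlap.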

 

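Step 3: Refine the value proposition

What matters is creating a clear value proposition. You need to understand clearly how the customer will use that value. Value Proposition Design says that, to arrive at a concrete value proposition, you need to break customer jobs down into the following categories and dig deeper.

  1. Functional jobs – the specific task the customer is trying to perform or the problem they want to solve (e.g., mow the lawn).
  2. Social jobs – activities customers undertake to look good to others or to gain power or status (e.g., look trendy). Actions that affect how customers are perceived by others.
  3. Personal/emotional jobs – things that lift the customer's mood or give peace of mind (e.g., feeling satisfied with a good purchase).
  4. Supporting jobs – jobs related to buying value, co-creating value, and ending the value proposition's life cycle.

Ask customers directly about what troubles them before, during and after the job, and about what actually gets in the way of the job. For example, find out about obstacles, risks and their severity.

To uncover the root causes of pains, check the following items.

  • What makes the customer feel bad
  • The main problems and challenges the customer faces
  • The risks the customer fears
  • The customer's biggest worry
  • Mistakes the customer tends to make
  • What keeps the customer from adopting the value proposition

According to Value Proposition Design, gains can be identified in the same way. Consider what gains the customer requires, expects and desires. Go further and think about gains the customer does not anticipate, and aim to deliver them. The following items are a good starting point.

  • What savings would make the customer happy?
  • What level of quality is expected?
  • How satisfied is the customer with the current value proposition?
  • What would help the customer's work and life?
  • What does the customer dream of?
  • What do success and failure mean to the customer?

In this way, a value proposition is built by listening sincerely to the customer's voice, putting their needs first, and responding to them. The best value propositions deliver results beyond the customer's expectations and make the customer happy. This video (in English) on the Smart Partner Marketing page offers tips to help partners create their own compelling value proposition, so please take a look.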

 

 

Filtering the data returned by OMS search

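Filtering SecurityEvents by EventID

Suppose you start with a very basic search: Type=SecurityEvent. You can view the details of individual events. In this example you can see an Activity 4625, which shows that an account failed to log on.

Next, to dig into events with EventID 4625, use the following search command:

Type=SecurityEvent  EventID=4625

The search returns 423K results for the past day. You can scroll up and down on the left side of the screen to browse the search data:

You can choose any SecurityEvent property you want to look at by adding the Measure command. You can also choose what to measure, including Count, Max, Min, Sum, Avg and Stddev. This example uses Count.

What should be counted? This example counts failed logons per account, using the following command:

Type=SecurityEvent  EventID=4625 | measure count() by Account

When the search runs, the aggregated logon failure counts are shown in a bar chart:

This example shows a customized search result; the result data can likewise be exported and opened in Excel by clicking Export at the top left of the screen. The exported result looks like the figure below: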
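The per-account aggregation from the search above (measure count() by Account) can also be reproduced locally in PowerShell when triaging a single host. This is an added example, not part of the original post: the function names, the threshold and the constructed sample records are assumptions made for illustration.

```powershell
# Added example. The XML strings below are constructed sample data shaped like
# Security events, trimmed to the EventData fields this example reads.
function New-SampleEventXml {
    param([int]$EventId = 4625, [string]$Domain, [string]$User, [string]$Ip)
    ('<Event><System><EventID>{0}</EventID></System><EventData>' +
     '<Data Name="TargetUserName">{1}</Data>' +
     '<Data Name="TargetDomainName">{2}</Data>' +
     '<Data Name="IpAddress">{3}</Data>' +
     '</EventData></Event>') -f $EventId, $User, $Domain, $Ip
}

$sampleEvents = @(
    New-SampleEventXml -Domain 'CONTOSO' -User 'alice' -Ip '10.0.0.5'
    New-SampleEventXml -Domain 'CONTOSO' -User 'alice' -Ip '10.0.0.5'
    New-SampleEventXml -Domain 'CONTOSO' -User 'alice' -Ip '10.0.0.9'
    New-SampleEventXml -Domain 'CONTOSO' -User 'bob'   -Ip '10.0.0.7'
    New-SampleEventXml -Domain ''        -User 'svc-backup' -Ip '-'
    # A successful logon (4624) that the filter must ignore.
    New-SampleEventXml -EventId 4624 -Domain 'CONTOSO' -User 'bob' -Ip '10.0.0.7'
)

function ConvertFrom-LogonFailureXml {
    # Turns one event XML string into an object with Account and IpAddress.
    # Anything that is not EventID 4625 is dropped.
    [CmdletBinding()]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$EventXml)
    process {
        $doc = [xml]$EventXml
        # local-name() keeps the lookups working when the event XML carries
        # its namespace, as the output of EventLogRecord.ToXml() does.
        $idNode = $doc.SelectSingleNode(
            "/*[local-name()='Event']/*[local-name()='System']/*[local-name()='EventID']")
        if ($null -eq $idNode -or $idNode.InnerText -ne '4625') { return }

        $fields = @{}
        $dataNodes = $doc.SelectNodes(
            "//*[local-name()='EventData']/*[local-name()='Data']")
        foreach ($node in $dataNodes) {
            $fields[$node.GetAttribute('Name')] = $node.InnerText
        }

        # Use DOMAIN\user when a domain is present, otherwise the bare user name.
        $account = if ($fields['TargetDomainName']) {
            '{0}\{1}' -f $fields['TargetDomainName'], $fields['TargetUserName']
        } else {
            $fields['TargetUserName']
        }
        [pscustomobject]@{ Account = $account; IpAddress = $fields['IpAddress'] }
    }
}

function Measure-LogonFailureByAccount {
    # Local counterpart of "EventID=4625 | measure count() by Account".
    # $Threshold is an assumed review cut-off, not a value from the post.
    param(
        [Parameter(Mandatory)][string[]]$EventXml,
        [int]$Threshold = 3
    )
    $EventXml | ConvertFrom-LogonFailureXml |
        Group-Object -Property Account |
        Sort-Object -Property @{ Expression = 'Count'; Descending = $true }, Name |
        ForEach-Object {
            [pscustomobject]@{
                Account       = $_.Name
                Count         = $_.Count
                SourceIps     = ($_.Group.IpAddress | Sort-Object -Unique) -join ','
                OverThreshold = $_.Count -ge $Threshold
            }
        }
}

Measure-LogonFailureByAccount -EventXml $sampleEvents | Format-Table -AutoSize

# On a live host, feed real events instead of the constructed samples:
#   $xml = Get-WinEvent -FilterHashtable @{ LogName = 'Security'; Id = 4625 } |
#          ForEach-Object { $_.ToXml() }
#   Measure-LogonFailureByAccount -EventXml $xml
```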

Get Office365 usage reports from the Microsoft Graph using Windows PowerShell


The Microsoft Graph is a single endpoint that provides access to multiple APIs for Office 365 and other Microsoft cloud services. A preview Reporting API was recently released that brings Office 365 usage and analytics reporting into the Microsoft Graph.

Along with this release, the deprecation of several reporting APIs and PowerShell cmdlets in the Reporting Web Service was announced; these will be disabled on 10/1/2017. This post and sample script demonstrate how to consume Office 365 usage information from the Microsoft Graph using Windows PowerShell. A basic understanding of OAuth is helpful but not required.

Understanding the Usage Reports

The Office 365 usage reports provide two main types of reporting:

Activity – The amount of interaction with the service, such as the number of files viewed

Usage – The amount of content created or generated in the service, such as total storage used

A full list of the available reports and details on each report type can be found in Activity Reports in the Office 365 Admin Center.

Details on the corresponding Reporting API can be found in the Microsoft Graph documentation.

Accessing the Office365 Usage and Activity reports using Windows PowerShell

Accessing the Microsoft Graph requires that you register an app in Azure Active Directory and grant that app permission to view the usage reports. In this case we will use this app and the administrator's credentials when authenticating to the Microsoft Graph. You could also use an app with an app secret to provide access without requiring the administrator's credentials. This post walks through the steps to configure the app permissions to use with the script; for more information on authentication and authorization, see App authentication with Microsoft Graph.

Step 1: Register an App in AzureAD to access the Usage Reports

Log in to https://portal.azure.com, navigate to “Azure Active Directory” > “App Registrations” and click “New Application Registration”.

Give your application a friendly name, select application type “native”, enter a redirect URL in the format urn:foo and click Create. Note: This script has no specific requirement for the Redirect URI; the exact value doesn’t matter as long as it’s in the format URN:<Value>.

Click on the app, navigate to Required permissions, click Add and select the Microsoft Graph API.

Choose Select Permissions and grant the app the “Read All Usage Reports” permission.

Copy the Application ID and Redirect URI and save them for use in the script.

Step 2: Use Get-Office365Report.ps1 to access the Graph API and download your report

A sample script for using PowerShell with the Microsoft Graph API is available in the TechNet Gallery. The script returns the chosen report as a System.Array object, which you can then manipulate further in Windows PowerShell using standard cmdlets. In this example we export the output to a CSV file using Export-CSV.

[powershell]#Get the credentials for the user with access to usage reports
$cred = Get-Credential
#Run the report
$report = .\Get-Office365Report.ps1 `
-TenantName "contoso.onmicrosoft.com" `
-ClientID "b5dc219e-58b4-458a-a415-c203b10380f5" `
-Report SharePointSiteUsage `
-Period D180 `
-View Sites `
-Credential $cred `
-RedirectURI "urn:contoso"

#Export report to CSV file
$report | Export-CSV -Path C:\temp\SharePointSiteUsage.csv -NoTypeInformation[/powershell]

Once you have the CSV file you can open it in your BI tool of choice and build your visuals. In a future post I will show how to analyze this data in PowerBI and use this script to automatically refresh the data on demand.

Resources

Get Office365 usage reports from the Microsoft Graph using Windows PowerShell
https://gallery.technet.microsoft.com/Get-Office365-usage-f955ade4

Overview of Microsoft Graph
https://developer.microsoft.com/en-us/graph/docs

App authentication with Microsoft Graph
https://developer.microsoft.com/en-us/graph/docs/authorization/auth_overview

What’s new in Office 365 administration—public preview of Microsoft Graph reporting APIs
https://blogs.office.com/2017/03/31/whats-new-in-office-365-administration-public-preview-of-microsoft-graph-reporting-apis/

Microsoft Graph: Office 365 Usage Reports
https://developer.microsoft.com/en-us/graph/docs/api-reference/beta/resources/report

Windows 10 Creators Update brings Beam broadcasting, Game Mode and many more features

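The Windows 10 Creators Update began rolling out on April 11, 2017 (US time).
With the Windows 10 Creators Update, Beam game broadcasting is built in, Game Mode improves performance, and game-related settings are consolidated in one place. This post introduces these new features.
For details, see also here (English).

Broadcasting games with Beam

The Creators Update includes Beam game broadcasting as a standard feature, making it easy to stream your gameplay and interact with viewers. Press the Windows logo key + G while playing to bring up the Game bar. Clicking the newly added [Broadcast] icon on the Game bar launches Beam. No additional software is required.

Game broadcasting is now built into Windows 10. With the Game bar you can easily stream your gameplay. Press the Windows logo key + G and click the [Broadcast] icon to start broadcasting on Beam. No additional sign-in is needed along the way.
This feature lets anyone become a game broadcaster and share their creativity with the world. In addition, Beam's low-latency technology delivers a viewing experience with less than one second of delay, so you can interact with viewers in near real time while broadcasting. With this low-latency technology, Beam broadcasters can build interactive features into their streams, such as buttons that play animations or sounds.

Game Mode

To achieve our goal of delivering a consistent, smooth gaming experience on Windows 10, we developed "Game Mode", which prioritizes system resources for games. It works with both traditional Win32 games and Windows Store games. To enable Game Mode while playing, bring up the Game bar with the Windows logo key + G, click the [Settings] button, and set the running game to use Game Mode. Starting with the Creators Update, we will continue working on Game Mode and on Windows 10 performance improvements for PC gaming.

Game bar support extended to more games

In the Windows 10 Creators Update, we extended support to more than 80 popular PC games so that the Windows Game bar can be used in full-screen mode as well. This feature can also be managed in the [Gaming] section added to Windows Settings. Go to [Game bar] and check that [Show Game bar when I play full screen games Microsoft has verified] is turned on. The list of supported titles is available here (English) and is updated regularly.

Gaming section added to system settings

A new [Gaming] section bearing the Xbox logo has been added to the main screen of Windows Settings. This section brings together the game-related settings in Windows 10. In the Creators Update it offers four options: "Game bar", "Game DVR", "Broadcasting" and "Game Mode". Game Mode for a specific game can easily be switched on and off from the Game bar (Windows logo key + G).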


Windows Server Essentials 2016 – Update on Remote Web Access


Hello,

Remote Web Access, a feature inside Windows Server Essentials 2016 (also used in the Windows Server Essentials role that is available in Windows Server Standard 2016 and Windows Server Datacenter 2016) may cause users to experience trouble connecting remotely. The issue occurs after Office 365 with AAD Integration is completed and a certain amount of time passes without a reboot, typically 36-48 hours.

The server will be responsive, but the https://servername/remote web site will indicate that it is not accessible and will redirect users to their Administrator with the following message:

“Cannot connect to Remote Web Access. Please contact the person who manages the server.”

There is a temporary workaround discussed on the Windows Server forum here, and it is a safe workaround to use until the fix is available. The issue is caused by WCF connections that are not cleaned up by the Essentials provider framework and are no longer removed by the CLR in Windows Server 2016. To verify this, you can check the number of WCF connections by running the following PowerShell command in an elevated console:

netstat -a | Select-String ':65532' | Measure-Object -Line

There should be 100-300 connections typically.

The fix has been tested and checked in, and it will be available in the May update package for Windows Server 2016. When the KB article is published and the fix is available, I will post about it here.

Thanks,
Scott Johnson
Windows Server Essentials


Understanding the new Security Update Guide – new portal for security updates – SUG

Traditionally, information about vulnerabilities and security updates (also known as patches) was published on the Microsoft Security Bulletins site.

Customers asked for a better way to access security update information, as well as an easier way to customize the view to meet a diverse set of needs.

Now Microsoft has launched a new destination for vulnerability and security information, the Security Update Guide (SUG).

What is the Security Update Guide?

The Security Update Guide is a new destination for information on security vulnerabilities and security updates. In addition to providing much of the data from traditional security bulletins, the new Security Update Guide will add support for new information and new ways of navigating it.

Support for filtering and sorting

On the Security Update Guide dashboard, you can view the notes associated with the monthly security release. You can also filter and sort by product or date range and search for updates by CVE or KB number.

You can also view the details of each vulnerability. There are links to the KB article, packages and CVE detail pages.

A new RESTful API

Clicking the “Developer” tab lets you create an API key and view code samples and API descriptions for scripting the retrieval of Microsoft data in the industry-standard CVRF format.

More information is also available in the Security Update Guide project on GitHub.

Example: Generate an HTML document of the monthly updates

As an example of PowerShell scripting, let me show you how to generate the monthly security update summary using PowerShell.

  1. Go to the Security Update Guide, open the “Developer” tab and sign in with your account (hotmail, live, outlook.com, etc.) to generate an API key.

Copy the key to an easily accessible place for later use.

For example, a quick text file created in Notepad and saved on the desktop.

  2. Go to the GitHub code samples page and copy the sample script.

  3. Edit the script to insert the API key in the following line:

Set-MSRCApiKey -ApiKey "<your API key>" -Verbose

  4. Edit the script to enter the month of interest in the following line. For April 2017, it will be 2017-Apr.

$monthOfInterest = '<year-month>'

  5. Run the script. In this sample script, an HTML document with the monthly updates is generated at c:\temp\MSRCAprilSecurityUpdates.html


Note: Running the script for the first time

You will be prompted to install the GitHub NuGet library as shown below; please press “Y” and then Enter. Note that this prompt appears only the first time you run the script.

Where is the bulletin number (MSxx-xxx)?

With the launch of the Security Update Guide, the way Microsoft documents its vulnerabilities has changed. The old form of security update documentation, including bulletin ID numbers, has been retired and is no longer used. The new model for documenting security updates is the Security Update Guide.

The new Security Update Guide revolves around vulnerability ID numbers and KB article ID numbers. There is no bulletin ID number in the new model.

Is there any change in how security updates are deployed?

This is the new way of delivering vulnerability and security update information.

There is no change to the deployment of security updates or security update packages.

Microsoft patch management tools (WSUS, SCCM) will continue to work as usual.

Questions, comments?

If you have questions or comments, please visit the Security Update Guide – Frequently Asked Questions (FAQ) and the Security Update Guide – User Forum.

For many years, gathering vulnerability, security and update data from the bulletins each month was a costly process that took many professionals. Now, with the new Security Update Guide, I believe it is very easy and uses an industry-standard process.

Yurika Kakiuchi

Security Program Manager, Customer Service and Support

Original: https://blogs.technet.microsoft.com/yurikasensei/2017/04/13/get-started-with-security-update-guide-new-portal-for-security-updates 

Understanding the Security Update Guide – new portal for security updates – SUG

Traditionally, information about vulnerabilities and security updates (also known as security patches) was published on the Microsoft Security Bulletins site.

Customers asked for a better way to access security update information, as well as an easier way to customize their view to meet a diverse set of needs.

Now Microsoft has launched a new destination for vulnerability and security information, the Security Update Guide (SUG).

What is the Security Update Guide?

The Security Update Guide is a new single destination for information on security vulnerabilities and security updates. In addition to offering a wealth of detail from the traditional security bulletins, the new Security Update Guide will add support for new information and new ways of navigating it.

Support for filtering and sorting

On the Security Update Guide dashboard page, you can view the release notes associated with the monthly security release. You can also filter and sort by product or date range and search for updates by CVE or KB number.

You can also view details of each vulnerability. There are links to the KB article, packages and CVE detail pages.

A new RESTful API

Clicking the “Developer” tab lets you create an API key and view code samples and API descriptions for pulling Microsoft data programmatically, in the industry-standard CVRF format.

More information is also available in the Security Update Guide project on GitHub.

Example: Generate an HTML document of the monthly updates

As an example of PowerShell scripting, let me show you how to generate the monthly security update summary using PowerShell.

  1. Go to the Security Update Guide, open the Developer tab and sign in with your Microsoft account (hotmail, live, outlook.com, etc.) to generate an API key.

Copy the key to an easily accessible place for later use.

For example, a quick text file created in Notepad and saved on the desktop.

  2. Go to the GitHub code samples page and copy the sample script.

  3. Edit the script to insert the API key in the following line:

Set-MSRCApiKey -ApiKey "<your API key>" -Verbose

  4. Edit the script to enter the month of interest in the following line. For April 2017, it will be 2017-Apr.

$monthOfInterest = '<year-month>'

  5. Run the script. In this sample script, the HTML document of monthly updates is generated at c:\temp\MSRCAprilSecurityUpdates.html

Note: Running the script for the first time

You will be prompted to install the GitHub NuGet library as shown below; please press “Y” and then Enter. Note that this prompt appears only the first time you run the script.

Where is the bulletin number (MSxx-xxx)?

With the launch of the Security Update Guide, the way Microsoft documents its vulnerabilities has changed. The old form of security update documentation, including bulletin ID numbers, has been decommissioned and will no longer be used. The new model for documenting security updates is the Security Update Guide.

Instead of bulletin IDs, the new Security Update Guide revolves around vulnerability ID numbers and KB article ID numbers. There is no bulletin ID number in the new model.

Is there any change in how security updates are deployed?

This is the new way of delivering vulnerability and security update information.

There is no change to the deployment of security updates or security update packages.

Microsoft patch management tools (WSUS, SCCM) will continue to work as usual.

Questions, comments?

If you have questions or feedback, please visit the Security Update Guide – Frequently Asked Questions (FAQ) and the Security Update Guide – User Forum.

For many years, gathering vulnerability, security and update data from the bulletin site each month was a costly process that required many IT professionals. Now, with the new Security Update Guide, I believe it becomes very easy and uses an industry-standard process.

Yurika Kakiuchi

Original: https://blogs.technet.microsoft.com/yurikasensei/2017/04/13/get-started-with-security-update-guide-new-portal-for-security-updates 

Understanding User Replicator in Lync Server 2013 and Skype for Business Server 2015


Reference: https://blogs.technet.microsoft.com/toml/2005/05/09/lcs-2005-user-replicator-faq/

This post starts off with a reference at the top because it is a very well written blog post from a little over 10 years ago. User Replicator has been with us since LCS 2005, and while a lot has changed, the principles behind it are essentially the same.

User Replicator runs under the Front-End service context rather than as a separate service. It now writes to the SQL Express installation on each server (RTCLocal instance) and runs on every server in the pool, that is, on any server that has the registrar role installed.

What does User Replicator do?

User Replicator is responsible for keeping the Lync Server or Skype for Business Server database and Active Directory synchronized. Any time a user object or contact object is created or modified in Active Directory, it is User Replicator’s responsibility to ensure that the change is propagated to the database. To accomplish this, User Replicator first performs a full sync (or initial sync) and then subscribes to delta syncs (incremental changes) using DirSync.

Which settings in User Replicator are configurable?

With Lync Server 2010 we introduced Set-CsUserReplicatorConfiguration to allow an organization to control User Replicator. The parameters are discussed below.

ReplicationCycleInterval – Since User Replicator only tracks delta changes from Active Directory (AD), using a smaller replication interval such as 5 minutes ensures that Distribution List Expansion (DL Expansion) and Address Book Web Query (ABWQ) provide accurate information. It also allows users created in Active Directory to be provisioned in Lync or Skype for Business within minutes. Note that because only delta changes are subscribed to, the load on a domain controller is negligible.

ADDomainNamingContextList – Specifies the domains that may have user objects and contact objects that need to be synchronized. When this is not set, User Replicator tries to locate all the domains and replicate from each. ADDomainNamingContextList can be used to exclude, say, an empty root domain or a domain that is used only to store computer accounts.

SkipFirstSyncAllowedDowntime – Introduced in Skype for Business Server 2015. It moves the Front-End service (RTCSrv) from pending to started even though the initial sync hasn’t completed.

DomainControllerList – Introduced in Skype for Business Server 2015. It allows you to specify a list of domain controllers; however, we suggest leaving this at the default. I will explain why in a little bit.

Can I control which DCs User Replicator connects to in order to perform synchronization?

In Skype for Business Server 2015 (not in previous versions) this is configurable, but it is not recommended, because User Replicator uses a Windows API called DsGetDcName to connect to a domain controller. The response of the DsGetDcName API depends on how your Active Directory administrator has configured AD Sites and Services in your organization. The response is either (i) an in-site domain controller or (ii) an out-of-site domain controller.

Note that “site” here means an AD site, which is defined by a list of subnets and should typically represent your physical site.

To find out which site your Lync / Skype for Business Server belongs to, run nltest.exe /DSGetSite from a command prompt. If the server is not associated with a site, chances are User Replicator will connect to a less than optimal domain controller for both the initial sync and delta syncs.

If AD sites are configured correctly, either an in-site domain controller (if one exists) is chosen, or the out-of-site domain controller with the lowest cost (based on the cost configured in AD Sites and Services). If the Lync or Skype for Business Server is not a member of any AD site, it will connect to a random domain controller, which may not even be on the same continent.

How long does the initial replication cycle typically take?

A number of variables affect the length of the initial cycle, chief among them the number of objects (user objects and contact objects combined) being synchronized, the domain controller that was chosen, the available bandwidth and the load on the domain controller. Assuming minimum-spec hardware or better and no serious network latency or bandwidth issues, an initial cycle with 100,000 objects will take about 30 minutes. In contrast, an SBA server can be in a remote location with limited bandwidth and potentially no in-site domain controller; in such a case, the initial sync can take considerably longer.

Example #1:
An SBA server didn’t exist in any AD site, which caused the User Replicator initial sync to connect to a domain controller on a different continent with poor network connectivity. The sync eventually took well over 6 hours, leaving the Front-End service in Starting mode for 6+ hours. A simple AD site configuration change allowed the service to start in ~45 minutes once the initial sync was interrupted and the service was restarted. With Skype for Business Server 2015, the SkipFirstSyncAllowedDowntime parameter of Set-CsUserReplicatorConfiguration would have been useful. This is one of the many reasons why we recommend not configuring the DomainControllerList parameter using Set-CsUserReplicatorConfiguration.

Example #2:
In a particular case that I handled several months ago, we found that AD replication between sites was configured to occur only between 06:00 PM and 06:00 AM in 30-minute intervals. As a result, users in one site could communicate with a new hire almost immediately, while it took several hours (up to 12 hours) for users in another site to see the newly created user. Once AD replication was set to run in 30-minute intervals around the clock, a newly created user was accessible in ~30+ minutes from both sites.

MileIQ: Another Office 365 Benefit


Q: (from Jeff)

How do I find out which O365 plans include MileIQ? It would be nice if there was more info…or a link to more info here: https://www.mileiq.com/office365

 

A:

Well, this caught me by surprise. Frankly, we’ve owned the company for almost 18 months and neither I nor my peers even knew about the acquisition. Microsoft has acquired Mobile Data Labs.

Further research and contact with the Outlook program manager revealed that the MileIQ benefit is available to customers subscribing to Office 365 Business Premium, Office 365 Enterprise E3, and Office 365 Enterprise E5.

What a nice surprise benefit,

 

Steve

About moving mailboxes between versions

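Thank you for using Exchange Server. This is Matsuzaki from the Exchange support team.
This post covers moving mailboxes between different versions.

In Exchange 2010 and later, mailbox moves within the same version are online moves: apart from the short time needed to finalize the move, users can connect to their mailbox without noticing the move.
For mailbox moves between different versions (Exchange 2000, Exchange 2003, Exchange 2007, Exchange 2010), as described at the URL below, all moves other than those from Exchange 2007 SP3 to Exchange 2010 are offline moves (users cannot connect to the mailbox during the move).

Title : About move requests
URL : https://technet.microsoft.com/ja-jp/library/dd298174(v=exchg.141)

The information above does not mention Exchange 2013 or Exchange 2016, but in practice the behavior is as follows. Only moves from a newer version to Exchange 2007 are necessarily offline, so take care if you need to move to an older version for some reason.
* As of the writing of this blog post (2017/4/17), the support lifecycle for Exchange 2007 has ended. Even if you need to move back to Exchange 2007 temporarily, please plan to migrate to a supported version as soon as possible.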

Exchange version Exchange 2007 (destination) Exchange 2010 (destination) Exchange 2013 (destination) Exchange 2016 (destination)
Exchange 2007 (source) ×
Exchange 2010 (source) ×
Exchange 2013 (source) ×
Exchange 2016 (source)

Legend

Online move
× Offline move
Coexistence environment cannot be configured

 
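– Supplement
Whether a mailbox move is online or offline can be checked from the "IsOffline" value of the Get-MoveRequest command.
When "IsOffline" is False, as shown below, the move is an online move.

We appreciate your continued support of this blog and the support team.

* The content of this information (including attachments and links) is current as of the date of writing and is subject to change without notice.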
