Office 365 Hybrid Configuration Wizard for Exchange 2010 free/busy bug

Recently we used the new Office 365 Hybrid Configuration Wizard for Exchange 2010.

The Office 365 Hybrid Configuration wizard has been updated to support Exchange 2010. This new wizard comes with the following advantages:

  • An updated user experience that simplifies the hybrid configuration process
  • The error handling experience allows for simple remediation of issues, meaning you can actually read and understand the error
  • Fixes for HCW can happen quickly and are no longer tied to the on-premises product release cycle
  • Inefficient code that caused the HCW to take hours to run has been completely reworked and now you should be in and out in minutes

The on-premises Exchange 2010 environment was updated to the latest SP and CU and had one multi-role hybrid server. For the new Office 365 HCW please read this article published by the Exchange product team.

The HCW ran smoothly without big issues and completed succesfully. However when testing the created functionality we noticed free/busy didn’t work from on-prem users to cloud users. The free/busy worked like a charm vice-versa.

When troubleshooting further we ran the following two PowerShell cmd-lets to test the created OrganizationFederation on the on-premises Exchange Organization.

Get-FederationInformation -DomainName contoso.mail.onmicrosoft.com

Test-OrganizationRelationship -Identity “On-premises to O365 – 9a4a2b73-ebb9-4925-91ec-3b4dae60
6805” -UserIdentity clouduser@contoso.com 

Both cmd-lets resulted in this generic error message:

WARNING: An unexpected error has occurred and a Watson dump is being generated:

After running the Test-OrganizationRelationship cmd-let with the -Verbose parameter we noticed all steps and iterations done and exactly where the cmd-let failed. The cmd-let failed on the EWS call to our tenant at this step:

Test-OrganizationRelationship : Calling the Microsoft Exchange Autodiscover service for the remote federation information.

Further down the pipeline we noticed this explicit error message which contained valuable troubleshooting information.

Test-OrganizationRelationship : The Microsoft Exchange Autodiscover service failed to be called at ‘https://autodiscover.outlook.com/autodiscover/autodiscover.svc’ because the following error occurred:
Exception:
Microsoft.Exchange.SoapWebClient.GetFederationInformationException: Discovery for domain contoso.mail.onmicrosoft.com failed. —>
System.Net.WebException: Unable to connect to the remote server —> System.Net.Sockets.SocketException: No connection
could be made because the target machine actively refused it 132.245.226.24:443
at System.Net.Sockets.Socket.DoConnect(EndPoint endPointSnapshot, SocketAddress socketAddress)
at System.Net.ServicePoint.ConnectSocketInternal(Boolean connectFailure, Socket s4, Socket s6, Socket& socket,
IPAddress& address, ConnectSocketState state, IAsyncResult asyncResult, Int32 timeout, Exception& exception)
— End of inner exception stack trace —

After comparing the current OrganizationRelationship (see image below)  with other clients hybrid configurations we noticed a difference on the TargetAutodiscoverEpr memberobject of the OrganizationRelationship object.

26-4-2016 10-48-56.png

At the OrganizationRelationship which was created by the new Office 365 Hybrid Configuration Wizard for Exchange 2010 the TargetAutodiscoverEpr was configured at the https://autodiscover.outlook.com/autodiscover/autodiscover.svc/WSSecurity namespace. At the other clients environment we used the built-in HCW from the Exchange 2010 EMC. And the namespace of the TargetAutodiscoverEpr was different. It had https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity configured and worked like a charm.

Now when we found the dissimilarity in both configurations we contacted Microsoft. We told Microsoft Suppoort that we used the brand-new Office 365 Hybrid Configuration Wizard for Exchange 2010 and showed them the other clients environment. Microsoft proposed to change the namespace on the environment to https://autodiscover-s.outlook.com/autodiscover/autodiscover.svc/WSSecurity and test free/busy calls. After changing the value to the correct namespace the free/busy availability information worked!

Microsoft is further investigating this behaviour but to me it looks a lot like a bug in the new Office 365 HCW for Exchange 2010 environments. So please be aware for this behaviour when running the newly published HCW on Exchange 2010 environments…

Cheers!

Using the SimpleDisplayName attribute for Exchange and Exchange Online in Office 365 with PowerShell

So I came across a scenario where a organization doesn’t use the DisplayName field for external mailflow and has this disabled on their Remote Domain. In this scenario messages will use the SMTP address.

This setting is enabled by default and Exchange Server will use the DisplayName field for external mailflow. Now imagine the scenario you want your users to use a different and somewhat more catchy name for external parties and suppliers. A nice additional attribute can be used for this, which is the SimpleDisplayName attribute. By populating this object with for instance “John Doe – Microsoft Corporation” you will use this information for external parties, and keep using the already in-place DisplayName attribute for internal mailfow and these changes wont affect your Global Address List.

Now to enable Exchange Server, or Exchange Online to use start using the SimpleDisplayName object this needs to be enabled on your Remote Domain. This can be done via a simple PowerShell one-liner.

Set-RemoteDomain -Identity Default -UseSimpleDisplayName $true

Now once this is done Exchange will stop using the populated DisplayName field, and it will use the empty SimpleDisplayName field on userobjects. While being empty and not populated Exchange will use the SMTP Address for external mailflow, so next step will be populating all the empty fields  with the new desired values.

To accomplish this I use this handy PowerShell script which uses the FirstName and LastName attribute and adds a catchy company name behind it.

$users = Get-User -ResultSize Unlimited
foreach ($user in $users) {

$name=$user.DisplayName

$SDN=[string]::Concat($user.FirstName.Trim(), ” “, $user.LastName.Trim(), ” – Microsoft Corporation”)

Set-User $user.Identity -SimpleDisplayName $SDN

}

Add Office 365: Exchange Online e-mail address on every mailbox with PowerShell

When carrying out hybrid Exchange deployments to Office 365: Exchange Online one of the challenges I commonly face is the disablement of the e-mail address policy on stacks of mailboxes. To handle mailflow in a hybrid scenario every mailbox needs an e-mail routing address matching the tenant e-mail domainname (contoso.mail.onmicrosoft.com). Now this requirement is covered by running the Hybrid Configuration Wizard in stage 8: configuring mailflow. This phase simply adds the new e-mail routing address to the “Default Policy”.

This new configuration automatically adds the new e-mail address on every mailbox which has the e-mail address policy enabled on it. Now this is where the challenge appears. What to do when a lot of mailboxes within your Exchange organisation do not have the e-mail address policy enabled?

The easiest fix is enabling the e-mail address policy on every mailbox with a simple one-liner of PowerShell right? Well in a lot cases this solution doesn’t suffice because this would mess up naming conventions. A lot of IT departments knowingly disabled the policy on mailboxes over the years to configure the desired e-mail address by hand for their end-users.

To automatically configure or add the new e-mail address on every mailbox without enabling the e-mail address policy I use this great PowerShell script.

<#
.SYNOPSIS
The Add-O365MailAddress script is used to add your Office 365 e-mail address on every mailbox within your Exchange Organisation.

.DESCRIPTION
The Add-O365MailAddress script is used to add a new Office 365 e-mail address on every mailboxes where it is currently not present.

Make sure script execution is set to unrestricted by running “Set-ExecutionPolicy -ExecutionPolicy unrestricted -Force”

Please note that this script is only tested on Windows Server 2008 R2 and higher servers which have the Exchange Management Shell installed.
#>

$mailbox = Get-Mailbox -ResultSize Unlimited -Filter {EmailAddresses -notlike “*@contoso.mail.onmicrosoft.com*”}
foreach ($user in $mailbox) {

$alias=$user.alias

$email=$alias + “@contoso.mail.onmicrosoft.com”

Set-mailbox $user.Identity -EmailAddresses @{add=$email}
}

Export-Csv -Path c:\temp\mailboxes_output.csv

 

DOWNLOAD HERE

The script iterates trough every mailbox in the Exchange Organisation. Every mailbox which does not have a present Office 365 routing address (contoso.mail.onmicrosoft) is put in the pipeline. Next the script will add the new e-mail address on every selected mailbox which is required for for Office 365 hybrid mailflow.

SharePoint 2010 Search: The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Last night we stumbled intoo an issue at one of our clients.The clients supplier had recently performed a lot maintenance activities in a maintenancewindow on their SharePoint 2010 environment. One of them was replacing the existing SSL certificates with a new wildcard certificate. The SharePoint farm exists of two WFE’s, one APP and a SQL server. The regular three-tier-farm you see alot.

Usually this change activity should not be a problem however, the supplier was somewhat to enthasiastic with replacing the SSL certificates. They unconsciously replaced the self-signed SharePoint Services SSL certificate on the SharePoint Web Services site in IIS with the new wildcard SSL certificate. Without knowing this history we started troubleshooting SharePoint Search which was causing issues. When browsing to the Search Service Application Administration component it showed this error message on the Administration Page:

The underlying connection was closed: Could not establish trust relationship for the SSL/TLS secure channel.

Users were not getting back any search hits and when browsing to the Content Sources in Central Administration, SharePoint threw a Correlation ID.

After going through the logging and finding the error related to the correlation ID we noticed this error in the ULS logging:

An operation failed because the following certificate has validation errors:\n\nSubject Name: CN=*contoso.com, OU=IT, O=”Contoso”, L=Paris, S=Paris, C=FR\nIssuer Name: CN=Thawte SSL CA – G2, O=”Thawte, Inc.”, C=US\nThumbprint: AB12CD34XX123456ABCDEFG123XXX\n\nErrors:\n\n SSL policy errors have been encountered.  Error code ‘0x2’

This error pointed us to SharePoint Search trying to communicate over HTTPS to it’s back-end web-services with the use of the clients wildcard SSL certificate and failing. After troubleshooting further we noticed the wilcard certificate was indeed binded on the HTTPS listener on port 32844. Now you would think, that’s an easy fix to do. Just remove the certificate on the binding and there you go. Well, when configuring a SSL certificate on a binding in IIS you are required to select a SSL Certificate located in the servers Personal Certificate store. And that’s not the correct store for SharePoint web-services.

The rootcause:

SharePoint uses it’s own “SharePoint Services” self-signed certificate to securely communicate over HTTPS with it’s web-services and other farm memberservers. You can find this specific certificate looking in the Local Computer Certificate Store using the MMC snapin. I discovered a folder called SharePoint which had three certificates in it, all issued by the Sharepoint Root Authority:

  • SharePoint Security Token Service
  • SharePoint Security Token Service Encryption
  • SharePoint Services

The solution:  

Now to undo the faulty configuration and reconfigure the correct “SharePoint Services” SSL certificate on the SharePoint Web Services IIS site – which can’t be done with the IIS Manager Console –  you can either use good old netsh command-line or use PowerShell. Now the last method is the method I personally prefer so that’s what you’re getting.. =)

$iisBinding = “SharePoint Web Services”
$webservice = Get-WebBinding -name $iisBinding -protocol “https” -port 32844
if ($webservice)
{
$pfx = get-childitem cert:\\localmachine\sharepoint | where { $_.subject -contains “^CN=SharePoint Services” }
if (!$pfx)
{
throw “No certificate found with the name “SharePoint Services” in the SharePoint certificate store in MMC. The script has stopped”
}

[void]$webservice.AddSslCertificate($pfx.ThumbPrint, “SharePoint”)
}
else
{
throw “The certificate cannot be assigned to the designated IIS Binding. Check servers eventviewer for further information.”
}

if (!(Get-WebBinding -name $iisBinding -protocol “http” -port 32843))
{
New-WebBinding -name $iisBinding -ip “*” -port 32843 -protocol “http”
}

This script looks for an existing IIS site or binding with the port 32844 (which SharePoint uses OOTB). Once found it checks whether it can find an existing valid SSL certificated in the computer which contains the name “SharePoint Services”. If both are found it adds the correct certificate to the designated SharePoint Web Services binding. An action which can’t be done via the ISS Management Console.

This recovers the Search Service Application to it’s original healthy state. In our specific scenario we had to run a “Full Crawl” to on all the Content Sources since the index became inconsistent too. I always use this small PowerShell script to initiate the Full Crawls:

$searchapp = Get-SPEnterpriseSearchServiceApplication “Search Service Application” 
Get-SPEnterpriseSearchCrawlContentSource -SearchApplication $searchapp | where-object { $_.Type -contains “Sharepoint”} | foreach-object { $_.StartFullCrawl() }

If this still doesn’t fix your issue you’re being really unlucky. You will still be getting this error message prompted when initiating searchresults:

“Property doesn’t exist or is used in a manner inconsistent with schema settings” and not receiving any People results.

But don’t worry, there’s still one option to be checked. We found out that after this issue is dependant on the actual webparts used by search (including People Search). For this the solution in the end was to edit the People Core Result Web Part on the search results page and expand the “Display properties” and make sure “Use Location Visualization” is checked.

Remove SMTP aliases and e-mail addresses from all mailboxes on Exchange 2007 with PowerShell

When migrating your on-premises Exchange organization to Office 365: Exchange Online a common challenge is removing old and unused SMTP aliasses or e-mail addresses.

It’s rather easy to create new SMTP addresses to a mailbox or recipient in Exchange via an e-mail address policy. However it can be a real pain in the ass removing specific e-mail addresses and namespaces on mailboxes. Since it is not allowed to have unaccepted domain SMTP addresses on a mailbox prior migrating to Exchange Online this is a core requirement and activity to be carried out.

Another challenge is the incapability of the version of the Exchange 2007 Management Shell to run this special hash table syntax which is only supported for Exchange 2010 SP1 or higher. Most of the PowerShell scripts I looked for use this particular syntax, making them useless for Exchange 2007.

For this example I used the domainname contoso.com to be removed from all User and Shared Mailboxes within the Exchange organization.

$alias = Get-Mailbox -ResultSize Unlimited | Where {$_.EmailAddresses -like ‘*contoso.com’}
$alias | Select-Object -property SamAccountName,UserPrincipalName,EmailAddresses,PrimarySmtpAddress | Export-Csv “mailboxes_with_contoso.com.csv”

foreach($L in $alias)
{
$x = $L
$y = $x.EmailAddresses | where{$_.AddressString -like ‘*@contoso.com’}
$z = $y.SmtpAddress
$T = $x.UserPrincipalName
Write-host $x.EmailAddresses
Write-host “*****”
if($z){
$x.EmailAddresses -= $z
$x | Set-mailbox
Write-Host “$z is removed”
Write-Host “Check”
Write-host $x.EmailAddresses
}else{
Write-Host “$T does not have a contoso.com SMTP Address.”
}
Write-host “####################################################”
#Return
}

This script will iterate through each mailbox, and look for an address containing the @contoso.com namespace. Any matches are removed. To use this code, just replace contoso.com with the e-mail domain you want to remove. The script also contains some logging for you to digg to if you’re up for it.

In my scenario this was required for removing the unvalidated Office 365 domains prior to migrating mailboxes. When you have succesfully executed the script don’t forget to kick off a Full DirSync to make sure the changes are synced to Windows Azure Active Directory.

Best of luck to you all with carrying out succesfull Office 365 deployments. Before I publish the post, I have thank to my colleague and teammate Dev Chaudhari for working on the scripting!

Import distribution groups to Office 365: Exchange Online with PowerShell

Today we faced an issue where a client needed to migrate their GroupWise distribution groups to Office 365. Since there is no easy way doing this we developed a PowerShell script to automate this proces. Well, actually it are two scripts.

The scripts are divided in one, creating the distribution groups and part two is adding the members to the newly created groups. First we have to gather the input for creating the distribution groups in Office 365. For this I only used the required attributes for creating a distribution group.

$import = Import-Csv -Path “C:\temp\Create-DG.csv” -Delimiter “;”
foreach ($item in $import) {
New-DistributionGroup -Name $item.Name -DisplayName $item.DisplayName -PrimarySmtpAddress $item.PrimairyEmailAddress -Type $item.Type
Export-Csv -Path “C:\temp\New-DistributionGroup_LogFile_$(get-date -Format ddMMyyyy).csv”
}

Once the distribution groups are created we can head on adding the members to them using the PowerShell script below.

$import = Import-Csv -Path “C:\temp\Add-DGMembers.csv” -Delimiter “;”
foreach ($item in $import) {
Add-DistributionGroupMember -Identity $item.GroupName -Member $item.UPN -Verbose
Out-File -FilePath “C:\temp\Add-DGMembers_LogFile_$(get-date -Format ddMMyyyy).log”
}

As we can see both the scripts import a .csv file containing the content. The .csv files and the PowerShell scripts can be downloaded below.

DOWNLOAD HERE

Please note that the distribution groups can be either created on-premises in Active Directory and then synced to Windows Azure Active Directory (Office 365) or either directly created in Office 365 with the help of remote PowerShell. Based on your infrastructure and migration scenario it can differ which is the best way to go. Functionally there will be no difference for Exchange Online. However in some hybrid scenarios it can be best to create the distribution groups on-premises and sync them to Office 36 with the help of Azure Active Directory Sync (DirSync).

Convert security groups to mail-enabled and universal for Office 365 with PowerShell

When carrying out projects for Enterprise clients I commonly face challenges with companies not meeting the system requirements for Office 365. One of the most commonly seen missing requirements are on the Identity and Access Management part of Office 365.

When migrating legacy Identity and Access Management infrastructures to Office 365 you quickly bump in to Microsoft’s Active Directory Services (ADS). To migrate this service to Windows Azure Active Directory – which is part of every Office 365 license – you can use the Windows Azure Active Directory Sync tool. Or as most IT Professionals know it “DirSync”, this is a special edition of FIM.

Now back to businness. To migrate legacy security groups to Windows Azure Active Directory, for products such as Exchange Online it is a requirement to have a GroupScope of Universal.(see image below)

Get-ADGroup-GroupScope

Since most companies still use Global security groups these need to be converted. Therefore I use a PowerShell script which automates this proces. For this script to work, import the ActiveDirectory module in PowerShell or run the script with Active Directory Module for Windows PowerShell.

Clear-Host

if((Get-Module | where {$_.Name -eq “ActiveDirectory”}) -eq $null){
Import-Module ActiveDirectory
}
$scriptPath = split-path -parent $MyInvocation.MyCommand.Definition
Set-Location $scriptPath
Write-Output “Output will be stored in ” (Get-Location)

$SeaBase = “DC=corp,DC=local”
$SeaVal = “CN=Mailbox_*”
$SeaScope = “Subtree”
$GrpList = “ADSecGrp.csv”
$UniGrpList = “Uni_ADSecGrp.csv”
$strLogFile = “ErrorLog.txt”
$DomainAdmin = Get-Credential

#Search for all Groups that are of type Security and scope is Global and starts with “Mailbox_”
$SecGrps = Get-ADGroup -SearchScope $SeaScope -SearchBase $SeaBase -Filter {GroupCategory -eq “Security” -and GroupScope -eq “Global”}

foreach ($secGrp in $SecGrps) {
try {
$DN = $secGrp | Where-Object {$_.DistinguishedName -like $SeaVal}
$DN | Export-Csv $GrpList -Append
} catch {
throw
Break
}
}

(Get-Content $GrpList | Select-Object -Skip 1) | Set-Content $GrpList

Write-Output “Check $GrpList to verify all exported security Groups are of type Global”
Write-Output “Press Y to continue”
$selection = read-host
if ($selection -eq “y” -or $selection -eq “Y”){
Write-Output “$GrpList CSV File Checked….”
foreach($G in Import-Csv $GrpList){
try {
$D = $G.DistinguishedName
Get-ADGroup -Identity $G.SID
Set-ADGroup -Identity $G.SID -GroupScope Universal -Credential $DomainAdmin
} catch {
$ErrorMessage = $_.Exception.Message
Write-Output “Error converting for $D ..`n Error Message : $ErrorMessage” | Add-Content $strLogFile
Throw
Break
}
$DN = Get-ADGroup -Identity $G.SID
$DN | Export-Csv $UniGrpList -Append
}
(Get-Content $UniGrpList | Select-Object -Skip 1) | Set-Content $UniGrpList
Write-Output “Check $UniGrpList to verify all modified security Groups are of type Universal”
}else{
Write-Output “Script Stopped by User” | Add-Content $strLogFile
Break
}

As you can see the script contains several variables. With these you can define the scope of OU’s or name convention for existing security groups. When running the PowerShell script it builds up a CSV-file called Uni_ADSecGrp.csv. When paused you can open and check the file to see if it contains the groups which you wish to convert. If so, you can insert “Y” to the script and it proceeds running.

After we have succesfully changed the GroupScopes to Universal we can carry on and use the second PowerShell script which mail-enables the security groups so they meet the requirements for Exchange Online. Besides the conversion to mail-enabled it also hides the groups from the Global Address List.

Run this script on one of the legacy Exchange servers with the use of the  Exchange Management Shell.

Clear-Host

if((Get-Module | where {$_.Name -eq “ActiveDirectory”}) -eq $null){
 Import-Module ActiveDirectory
}

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010
 $env:ExchangeInstallPath\bin\RemoteExchange.ps1
Connect-ExchangeServer -auto

Write-Output “Output will be stored in ” (Get-Location)

$GrpList = “Final_ADSecGrp.csv”
$strLogFile = “enableErrorLog.txt”
$log = “AfterLog.txt”
$ErrorLog = “ErrorLog.txt”

foreach($G in Import-Csv “Uni_ADSecGrp.csv”){

try {
Get-ADGroup -Identity $G.SID

Enable-DistributionGroup -Identity $G.DistinguishedName -Alias $G.Name
Set-DistributionGroup -Identity $G.DistinguishedName -HiddenFromAddressListsEnabled $true
Get-DistributionGroup -Identity $G.DistinguishedName | Add-Content $Log
$x = Get-DistributionGroup -Identity $G.DistinguishedName
if($x -ne $Null){
Write-Output $G.DistinguishedName
}else{
Write-Output $G.DistinguishedName | Add-Content $ErrorLog
}
} catch {
$ErrorMessage = $_.Exception.Message
Write-Output “Error Enabl-DistributionGroup for $G.DistinguishedName …..`nError Message : $ErrorMessage” | Add-Content $strLogFile
throw
Break
}

}

Once you have succesfully executed the second script you can add these objects to your Windows Azure Directory Sync cycle. Please be aware that when you convert the groups, the groups may not contain unsupported characters such as namespaces or & characters.

Best of luck to you all with carrying out succesfull Office 365 deployments. Before I publish the post, I have thank to my colleague and teammate Dev Chaudhari for working on the scripting!

Change explicit User Principal Names to match Office 365 domain suffix

Most Enterprise Office 365 clients will use Active Directory Federation Services and Windows Azure Active Directory Sync, also known as DirSync for Single Sign-On functionality with Office 365.

Standard AD FS will use the on-premises UPN to access services in Office 365. Therefore Microsoft advises to make sure User Principal Name suffixes and e-mail adress suffixes match to make life simpler. Most ADS domains still use an internal routable domainname for instance contoso.local. However when implementing AD FS with Office 365 it permitted to have an “internet routable” domain suffix for instance contoso.com.

The best solution for this before implementing and running a DirSync is to create a new User Principal Name suffix to match your Office 365 domain suffix. This can be done by adding a new UPN suffix by going to:

  1. Open Active Directory Domains and Trusts
    2. Right click on the top level of the tree in the left pane and select properties
    3. Add the new internet routable UPN suffix e.i. contoso.com

Next step is to change the explicit User Principal Names for all the designated user objects in Active Directory which you plan to synchronize to Office 365. The easiest way to do this is with the help of allmighty PowerShell.

I wrote this easy one-liner which allows you to target a specific OU in Active Directory. Don’t forget to use the Active Directory Module for PowerShell.

Get-ADUser -Filter * -SearchBase ‘OU=Users,DC=fabrikam,DC=local’ -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName “$($_.samaccountname)@contoso.com”}

After succesfully running the cmd-lets you will notice the new UPN suffix is configured for the targeted user objects in ADS.

Set Calendar Reviewer rights to all users in Office365

Most companies have policies which permit all users to share their calendars with everyone. There are several PowerShell scripts available online to configure this. However the tricky thing is most enterprises have different Outlook client languages. Because the Outlook client language determines the mailboxfolder attribute to it’s unique language. In this case it is set to the Dutch version “kalender” and the Engilsh version “calendar”.

  1. The fist thing which needs to be done is creating a mail-enabled universal securitygroup on-premises which contains all user objects. Make sure it syncs to Office365 with Windows Azure DirSync.
  2. Once the objects have been succesfully synchronized to the cloud run the script below to determine which language the calendar mailbox folder is:

    $GroupMembers = Get-DistributionGroupMember SG_CalendarReviewer
    $GroupMembers | foreach {
    try
    {
    $isNL = ((Get-MailboxRegionalConfiguration -Identity $_.PrimarySmtpAddress | where {$_.Language -eq “nl-NL”} | Measure).Count -eq 1)
    if ($isNL)
    {
    $identity = $_.PrimarySmtpAddress + “:\Kalender”
    }
    else
    {
    $identity = $_.PrimarySmtpAddress + “:\Calendar”
    }$permission = Get-MailboxFolderPermission -Identity $identity -ErrorAction SilentlyContinue | where {$_.User.toString() -eq “SG_CalendarReviewer”}
    if ($permission)
    {
    write-host “$identity has permission”
    }
    else
    {
    write-warning “$identity doest not have permission”
    } }
    catch
    {

    }
    }

  3. Once you have determined which language the mailboxfolder is for the calendar run this PowerShell script to grant all users in the created securitygroup with the ” Reviewer” on every mailbox belonging to each user object in the securitygroup. The PowerShell script listed below grants the access-right to all English calendars:

    $GroupMembers = Get-DistributionGroupMember SG_CalendarReviewer
    $GroupMembers | foreach {
    $identity = $_.PrimarySmtpAddress + “:\calendar”
    $permissionExists = ((Get-MailboxFolderPermission -Identity john.doe@domain.com:\calendar | where {$_.User.toString() -eq “SG_CalendarReviewer”} | measure).Count -eq 0)
    #Add-MailboxFolderPermission -Identity -User SG_CalendarReviewer -AccessRights Reviewer
    }

  4. Now change the mailboxfolderpermission attribute to the appropiate language and run the last script again.

Nintex Workflow 2010 issue: Error establishing database connection. SQL Error: 515 VALUE NULL

Today I came across an issue at one or our clients where Nintex Workflow 2010 was up/downgraded. After starting a workflow it threw an correlation ID. After looking up this error in ULS Logging I could find the error message described below:

Error establishing database connection. SQL Error: 515.: System.Data.SqlClient.SqlException: Cannot insert the value NULL into column ‘DatabaseID’, table ‘DEV_Nintex_Workflow4.3.3.dbo.Storage’; column does not allow nulls. INSERT fails.  The statement has been terminated.  at System.Data.SqlClient.SqlConnection.OnError(SqlException exception, Boolean breakConnection)   

 at System.Data.SqlClient.TdsParser.ThrowExceptionAndWarning(TdsParserStateObject stateObj)    at System.Data.SqlClient.TdsParser.Run(RunBehavior runBehavior, SqlCommand cmdHandler, SqlDataReader dataStream, BulkCopySimpleResultSet bulkCopyHandler, TdsParserStateObject stateObj)    at System.Data.SqlClient.SqlDataReader.ConsumeMetaData()    at System.Data.SqlClient.SqlDataReader.get_MetaData()    at System.Data.SqlClient.SqlCommand.FinishExecuteReader(SqlDataReader ds, RunBehavior runBehavior, String resetOptionsString)    at System.Data.SqlClient.SqlCommand.RunExecuteReaderTds(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, Boolean async)    at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method, DbAsyncResult result)    at System.Data.SqlClient.SqlCommand.RunExecuteReader(CommandBehavior cmdBehavior, RunBehavior runBehavior, Boolean returnStream, String method)    at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior, String method)    at System.Data.SqlClient.SqlCommand.ExecuteReader(CommandBehavior behavior)    at Nintex.Workflow.Administration.Database.ExecuteReader(SqlCommand command, CommandBehavior behavior) (Build:2330)

The resolution for this issue is related to either a missing Config or Content Database for Nintex. If you look within Central Admin, you actually have to specify the database to use TWICE. This is due to the fact that Nintex has a “Config” and “Content” database – mostly (usually) within the same SQL database.

NintexIssue