Wednesday, October 26, 2016

Missing ComputerName Field in Azure (ARM)

Have you noticed that some of your VMs in Azure ARM are missing a ComputerName field? All you get is a dash "-", like:

It turns out that you probably uploaded a non-generalized VHD (aka - it was not sysprepped). In Microsoft terms, this is also known as a "specialized" VHD.

According to Microsoft, this is because the "OSProfile" field is missing, which is by design because this is a specialized image. One can only specify the OSProfile field when creating VMs using a generalized image.

Resolution: This is unfortunately a known issue and there is no way around it.

With a VM created from a specialized image the OSProfile field is set using the command "Set-AzureRmVMOperatingSystem". For example, to set it to Windows, the following command is run:

Set-AzureRmVMOperatingSystem -VM $vmConfig -Windows

For more information about specialized image and generalized images in Azure:

Friday, September 16, 2016

Microsoft Word: Continuous Heading Numbering

I seem to constantly struggle with keeping the numbering in headings straight. I have read various articles on this but this article is the best way of doing this:

Works with Microsoft Office 2016 too!

Wednesday, August 31, 2016

Azure Site Recovery - Random Field Notes

Just some notes on random knowledge I picked up that I did not see in the official Microsoft documentation.


  • Azure Resource Manager model (ARM)
  • VMware to Azure (and back)
  • vCenter and vSphere 5.5

Field Notes:
  • Make sure all protected VMs have .NET Framework 3.5.1 installed, as it is required by Mobility Service. Mobility Service push install will fail with cryptic errors if this is not met.
  • If you have vSphere (ESXi) 5.0 to 5.5, make sure it is patched to the following levels - for more information (
    • ESXi 5.5, Patch Release ESXi550-201410001
    • ESXi 5.1 Update 2
    • ESXi 5.0 Patch Release ESXi500-201401001

Regarding the VMware patch, it is very important as your entire VMware farm (yes, every host in your farm!) will go into purple screen of death (PSOD) randomly when installing your Configuration Server or when protecting (replicating) VMs into ASR.

Azure Traffic Manager - CNAME Flattening

Scenario: You have moved some VMs into the cloud, where they serve your website. You have several VMs which are load balanced within one Azure region, and another bunch of identical VMs in another Azure region for high availability reasons. You deployed an Azure Traffic Manager to load balance between both Azure regions. Your Azure Traffic Manager URL is  and your website's domain is

Issue: When you try to create the CNAME "" record for "", your DNS provider will reject it, saying that it violates RFC1912 - which states that:

  • A CNAME record is not allowed to coexist with any other data,
  • If a CNAME RR is present at a node, no other data should be present; this ensures that the data for a canonical name and its aliases cannot be different.
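
Why this rule always bites at the apex, as an added example (not from the original post): the zone apex already carries SOA and NS records, so a CNAME there can never stand alone, while a CNAME on "www" can. The zone name example.com, the target myapp.trafficmanager.net and the function Test-CnameCoexistence are placeholders made up for this example.

```powershell
# Added example: apply the "CNAME cannot coexist with other data" rule to a record set.
# DNSSEC record types are not modelled here.
function Test-CnameCoexistence {
    param(
        [Parameter(Mandatory = $true)]
        [object[]]$Record   # objects with Name, Type and Data properties
    )

    $Record |
        # Owner names are case-insensitive and may or may not carry the trailing dot.
        Group-Object { $_.Name.TrimEnd('.').ToLowerInvariant() } |
        ForEach-Object {
            $types  = @($_.Group | ForEach-Object { $_.Type.ToUpperInvariant() })
            $cnames = @($types | Where-Object { $_ -eq 'CNAME' })
            $others = @($types | Where-Object { $_ -ne 'CNAME' } | Sort-Object -Unique)

            if ($cnames.Count -gt 0 -and $others.Count -gt 0) {
                $verdict = 'Rejected: CNAME coexists with ' + ($others -join ', ')
            } elseif ($cnames.Count -gt 1) {
                $verdict = 'Rejected: more than one CNAME at the same node'
            } else {
                $verdict = 'OK'
            }

            [pscustomobject]@{
                Node    = $_.Name
                Types   = ($types -join ', ')
                Verdict = $verdict
            }
        }
}

# Constructed zone data (placeholder names, not the ones from the post).
$zone = @(
    [pscustomobject]@{ Name = 'example.com.';     Type = 'SOA';   Data = 'ns1.example.com. hostmaster.example.com. 1 3600 600 86400 300' }
    [pscustomobject]@{ Name = 'example.com.';     Type = 'NS';    Data = 'ns1.example.com.' }
    [pscustomobject]@{ Name = 'example.com.';     Type = 'CNAME'; Data = 'myapp.trafficmanager.net.' }
    [pscustomobject]@{ Name = 'www.example.com.'; Type = 'CNAME'; Data = 'myapp.trafficmanager.net.' }
)

Test-CnameCoexistence -Record $zone | Format-Table -AutoSize
```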

"" type of record is commonly known as (all terms are interchangeable):

  • Root URL
  • Apex URL
  • Naked URL

The alternative would be to use "" instead, but your company has probably invested a lot of money on SEO to ensure that "" shows up high in search ranking results.

Resolution: At the moment, CloudFlare seems to be your best bet. They introduced "CNAME flattening" back in March 2014 which allows exactly the scenario we need.

Read more about CNAME Flattening here:

I've tested it with Azure Traffic Manager and it works perfectly.

Tuesday, August 09, 2016

Error Creating Cross Subscription VNet-to-VNet Connection on Azure Resource Manager Using PowerShell

So you are trying to create a VNet to VNet connection across subscriptions in Azure Resource Manager. The official documentation states that this cannot be done via the portal, and only PowerShell is supported:

When you run the final piece of code to create the connection:

$vnet1gw = New-Object Microsoft.Azure.Commands.Network.Models.PSVirtualNetworkGateway
$vnet1gw.Name = "VNet1GW"
$vnet1gw.Id   = "/subscriptions/b636ca99-6f88-4df4-a7c3-2f8dc4545509/resourceGroups/TestRG1/providers/Microsoft.Network/virtualNetworkGateways/VNet1GW "
New-AzureRmVirtualNetworkGatewayConnection -Name $Connection51 -ResourceGroupName $RG5 -VirtualNetworkGateway1 $vnet5gw -VirtualNetworkGateway2 $vnet1gw -Location $Location5 -ConnectionType Vnet2Vnet -SharedKey 'AzureA1b2C3'

You get the following error message:

UInt64 -> Nullable`1
System.UInt64 -> System.Nullable`1[[System.Int64, mscorlib .....

I was running Azure PowerShell 1.6.0 at the time.

Fix: Upgrade to Azure PowerShell 2.0.0 (download here).

To check your Azure PowerShell version, run the following script:

(Get-Module -ListAvailable | Where-Object{ $_.Name -eq 'Azure' }) `
| Select Version, Name, Author, PowerShellVersion  | Format-List;

Wednesday, July 13, 2016

Office 2013 Cannot Sign Into Office 365 with Functional ADFS Federated Domain

You deployed ADFS. You converted your Office 365 verified domain into a federated domain. Single Sign On works on Internet Explorer inside the corporate network.

You sit back and relax and pat yourself on the back for a good job.

Then someone rings in saying that they:

  1. Cannot open a document from SharePoint Online using "Open with Word" option
  2. Cannot sign into Office 365 from Microsoft Word (or any other Office programs). The sign in screen sits there, and complains that it does not recognise your username or password, although the user swears on the life of all their children that they have entered the correct credentials
  3. It was working fine before (or maybe not).

The fix is to blow away everything under the following registry key:


You might want to back it up, but it's pretty harmless (for me anyway).

Restart your computer, and try signing into Office 365 in Office programs - it should work now.

Friday, July 08, 2016

Azure Active Directory Connect - OU Filtering not working as intended

I have recently encountered an Azure AD Connect sync engine that refuses to respect the recent changes to exclude an OU that was previously included.

Azure AD Connect version in question is - April 2016

If you are wondering how to exclude OUs, go to Synchronization Service > Connectors > pick your Active Directory connector > Properties > Configure Directory Partitions > Containers button > enter your Azure AD Connect service account password:

You then wait for the next sync cycle or manually force the sync cycle, and yet you notice that the objects are not being disconnected from the metaverse, and continue to sync to Azure AD.

To fix this, simply restart the "Microsoft Azure AD Sync" service and wait for the next sync cycle.

Bonus tip:

A grey box with a tick = objects in that OU (not the sub OU) will be synced:

A grey box (without a tick) = objects in that OU will not be synced, but some sub-OUs are selected for sync.

Friday, June 24, 2016

OWA Redirection Does Not Work for Migrated Mailbox to Exchange Online

So you have migrated a user to Exchange Online (via hybrid configuration). You told the user upfront that they should still be able to use the existing OWA hyperlink and will get a page reminding them that their mailbox has migrated to Exchange Online and bookmark instead.

But the user is presented with this page with a sad face instead:

The error message is:

We could not find a mailbox for this user. Either this recipient has not been configured with a user mailbox or does not have a license assigned. Please contact your helpdesk for further assistance.

X-OWA-Error: Microsoft.Exchange.Clients.Owa2.Server.Core.OwaUserHasNoMailboxAndNotLicenseAssignedException

Of course you have assigned Exchange Online licenses (or E3), and the mailbox has obviously moved to Exchange Online.

The resolution is rather simple but rarely documented.

Clear your browser cache, close the browser and login again.

Boom! The error goes away and the correct page appears, showing the correct URL to be bookmarked.

Tuesday, April 26, 2016

Outlook.exe Lync.exe (and others) & nVidia GPU

So I have been noticing that for some reason, some Microsoft Office apps are starting to use my nVidia dGPU, even though I have set them to use integrated graphics using the nVidia Control Panel app.

I would see the following in my tray:

The only way for me to get rid of them is to disable my nVidia dGPU from device manager.

Until I stumbled onto this link:

So I followed the article and turned off hardware graphics acceleration in Outlook 2016, and even without restarting Outlook, all the Microsoft Office apps stopped using the nVidia GPU:

So hopefully this helps someone :)

Tuesday, April 12, 2016

Exchange Online In-Place Archive not showing up in Outlook Web App

Ever had the problem when you have enabled the user's mailbox with In-Place Archive (a.k.a. Hosted Archive or Archive Mailbox), but yet it doesn't show up in OWA?

And you have tried to enable it for a hybrid mailbox, as well as a cloud only mailbox, and both have the same behaviour?

The fix for me was a simple one - just clear your browser cache - for some reason that solved the problem for me.

Monday, April 11, 2016

Exchange Hybrid Free/Busy - Fails after running HCW to add more domains

So you have decided to run HCW again to include additional domains that you have skipped in the initial setup.

And immediately, you notice that free/busy queries from Exchange Online to On Premises have started to fail again.

If you have already fixed it from my previous post, why is this happening again?

Firstly, run the following command from Exchange Online PowerShell:

Test-OrganizationRelationship -UserIdentity -Identity “O365 to On-premises 6633cadc-0124-4111-2a22-e51f8853d1c5” -Verbose

Note that it will fail at STEP 4:

STEP 4: Getting organization relationship settings from remote partner...

RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.

But if you look back at STEP 3 - you will notice that the target URL is probably showing the new domain that you just added:

STEP 3: Requesting delegation token from the STS...

RESULT: Success.
Retrieved token for target for offer Name=MSExchange

So what's the problem here? Most likely, this is used as a secondary email address and you haven't bothered to configure autodiscover for it.

To confirm this, run the following command from Exchange Online PowerShell:

Get-OrganizationRelationship | FL

Check out the "TargetAutodiscoverEpr" field, it is probably pointing to, instead of

To solve the problem, either configure autodiscover for that domain (add it in public DNS, and update your TMG rules + add the SAN into your certificate), or just repoint it back to the correct autodiscover URL.

This can be done by executing the following command from Exchange Online PowerShell:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetAutodiscoverEpr

Friday, April 08, 2016

Exchange Online - Mailbox Move Back On Premises Error

So you are trying to move a mailbox from Exchange Online back to your on premises Exchange Server and received the following error:

Error: MigrationTransientException: The call to ‎' ‎( caps:05FFFF)‎‎' failed. Error details: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults ‎(either from ServiceBehaviorAttribute or from the configuration behavior)‎ on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.. --> The call to ‎' ‎( caps:05FFFF)‎‎' failed. Error details: The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults ‎(either from ServiceBehaviorAttribute or from the configuration behavior)‎ on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs.. --> The server was unable to process the request due to an internal error. For more information about the error, either turn on IncludeExceptionDetailInFaults ‎(either from ServiceBehaviorAttribute or from the configuration behavior)‎ on the server in order to send the exception information back to the client, or turn on tracing as per the Microsoft .NET Framework 3.0 SDK documentation and inspect the server trace logs. 

Looks horrifying, right? You have probably tried to use different credentials, created another Migration Endpoint object in Exchange Online, all to no avail?

Also, you would be scratching your head because you were able to move mailboxes to Exchange Online using the same MRSProxy without issues.

This is probably due to the fact that you have entered the database name wrong:

You probably have databases in a DAG, and when you copied the database name, it ended up something like "database name\server name".

Because database names are unique in an Exchange organisation, there is no need to specify the server name.

So what you need to do is enter "database name" into the Target Database field and your migration should be fine.

Office 365 - Exchange Online - Free/Busy Query from Exchange Online Mailbox to On Premises Exchange Fails

This topic is quite a common one, but in my case, the resolution is not.

So let's start with the environment:

  • Exchange 2010 SP3 RU12
  • TMG 2010 
  • HCW v3

Here is the problem: Exchange Online users cannot get free/busy information of users still on premise Exchange. The other way works fine, i.e. Exchange 2010 users can see free/busy information of Exchange Online mailbox users.

First and foremost, you should run through the following tool and check that everything is in place:

It is a very comprehensive tool, and make sure you don't skip any steps.

In my case, everything checks out in that tool. Even running Office 365 Free/Busy test from Microsoft RCA also returns free/busy data from on premise user:

And the result would be successful, and returns the free/busy data for the on premise user:

As part of the troubleshooting process, you would run the following PowerShell command from Exchange Online:

Test-OrganizationRelationship -UserIdentity  -Identity “O365 to On-premises - 668sscac-01as-41s1-sd21-e5sslsh3d1c5” -Verbose

And the result would be:

STEP 5: Getting organization relationship setting from remote partner…

RESULT: Unable to retrieve organization relationships from remote organization.
RESULT: Error.

LAST STEP: Writing results...

And that's your first indication that something is broken.

If you dig into your Exchange CAS server's IIS log, and search for "testorg", you will see the following entries:

2016-04-07 07:03:12 POST /autodiscover/autodiscover.svc - 443 - TestOrganizationRelationship/1.1 200 0 0 109

2016-04-07 07:03:12 POST /autodiscover/autodiscover.svc/WSSecurity - 443 - TestOrganizationRelationship/1.1 500 0 0 0

Running the "Test-OrganizationRelationship" PowerShell command generates a test against the on premise Exchange server. Although accessing "/autodiscover/autodiscover.svc" worked (as indicated by the HTTP 200 code), accessing "/autodiscover/autodiscover.svc/WSSecurity" recorded HTTP error code 500 (internal server error).
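
To pull these entries out of a large IIS log rather than searching by hand, the added example below (not part of the original post) reads the W3C #Fields header, keeps only requests whose user agent starts with TestOrganizationRelationship, and counts failures per path. The function name Get-TestOrgRelationshipHits, the IP addresses and the third sample row are constructed; PowerShell 3.0 or later is assumed.

```powershell
# Added example: summarise TestOrganizationRelationship requests found in IIS W3C logs.
function Get-TestOrgRelationshipHits {
    param(
        [Parameter(Mandatory = $true)]
        [AllowEmptyString()]
        [string[]]$LogLine
    )

    $fields = @()
    foreach ($line in $LogLine) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }

        if ($line -like '#Fields:*') {
            # The column layout is configurable per site, so always take it from the log.
            $fields = ($line -replace '^#Fields:\s*', '').Trim() -split '\s+'
            continue
        }
        if ($line.StartsWith('#') -or $fields.Count -eq 0) { continue }

        $values = $line.Trim() -split ' '
        if ($values.Count -ne $fields.Count) { continue }   # truncated or malformed row

        $row = @{}
        for ($i = 0; $i -lt $fields.Count; $i++) { $row[$fields[$i]] = $values[$i] }

        if ($row['cs(User-Agent)'] -notlike 'TestOrganizationRelationship*') { continue }

        [pscustomobject]@{
            Time   = '{0} {1}' -f $row['date'], $row['time']
            Path   = $row['cs-uri-stem']
            Status = [int]$row['sc-status']
            Failed = ([int]$row['sc-status'] -ge 500)
        }
    }
}

# Constructed sample: the two rows from the post with placeholder IPs restored,
# plus one unrelated request that must be filtered out.
$sample = @(
    '#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status time-taken'
    '2016-04-07 07:03:12 192.0.2.10 POST /autodiscover/autodiscover.svc - 443 - 198.51.100.20 TestOrganizationRelationship/1.1 200 0 0 109'
    '2016-04-07 07:03:12 192.0.2.10 POST /autodiscover/autodiscover.svc/WSSecurity - 443 - 198.51.100.20 TestOrganizationRelationship/1.1 500 0 0 0'
    '2016-04-07 07:03:15 192.0.2.10 POST /EWS/Exchange.asmx - 443 - 198.51.100.21 Microsoft+Office/15.0 200 0 0 31'
)

# For a real log, pass the output of Get-Content on a copy of the file instead of $sample.
Get-TestOrgRelationshipHits -LogLine $sample |
    Group-Object Path |
    ForEach-Object {
        [pscustomobject]@{
            Path     = $_.Name
            Requests = $_.Count
            Failures = @($_.Group | Where-Object { $_.Failed }).Count
        }
    } |
    Format-Table -AutoSize
```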

OK, we are getting somewhere here. Why is /WSSecurity not accessible?

Let's check our WSSecurity settings on all CAS servers. Go to Exchange Management Shell, run the following commands:

Get-AutodiscoverVirtualDirectory -server | fl *wss*
Get-WebServicesVirtualDirectory -server |  fl *wss*

Notice that the result shows that WSSecurityAuthentication is already set to $true. So what now?

Well, we fixed our problem by setting the flag to $true again.

I know it sounds counter-productive, but apparently setting the flag does something at the backend and actually fixes the problem. 

So execute the following commands from Exchange Management Shell (on premise Exchange):

Get-AutodiscoverVirtualDirectory -server | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $true

Get-WebServicesVirtualDirectory -server | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $true

Next, either do an IISReset or just recycle the following AppPools from IIS Manager:
  • MSExchangeAutodiscoverAppPool
  • MSExchangeServicesAppPool

Voilà! Problem fixed. Run "Test-OrganizationRelationship" from Exchange Online PowerShell and it would work now. And now if you do the free/busy test, it should work.

This took 2 weeks to troubleshoot with 2 different Microsoft engineers, so hopefully this will help someone.

Wednesday, March 23, 2016

Lync Hybrid, or Exchange Hybrid with hosted UM - CS Static Route is not supported

Learnt this the hard way from two different clients.

Basically, when you need to have Lync Hybrid setup with Skype for Business Online ("SfBO" - same below), or when you are doing Exchange Hybrid with Exchange Online in an environment where there is already Lync setup with Unified Messaging, you have to make sure that no CSStaticRoute exists, or else co-existence will fail.

Symptoms include:

  • Lync Hybrid only: On premise Lync users cannot initiate IM with migrated SfBO user
  • Exchange Hybrid with Unified Messaging: When calling the user's extension number, the call is directed somewhere else and not to the user's voicemail

This all boils down to the fact that when SharedAddressSpace is configured in Lync on premise with SfBO, CSStaticRoutes are no longer supported, and have to be deleted.

To confirm that you have a static route, run the following from Lync Management Shell:

Get-CsStaticRoutingConfiguration -identity global | Select-Object -ExpandProperty Route

The quickest way to fix this is to issue the following command to delete all static routes:

Set-CsStaticRoutingConfiguration -Identity global -Route $null

Wait for a few minutes and the problem will resolve itself.

OK, you might ask what are the effects of deleting all CSStaticRoutes - it could range from breaking your Polycom RMX integration with Lync to breaking a PSTN conferencing solution.

Unfortunately I have no advice on how to get around this, other than paying for a support ticket with Microsoft and getting them to work with the third party vendors.

I was lucky because the customer no longer wants to use the RMX integration, and Polycom RMX integration does not work with Skype for Business Online anyway.

Hope this helps someone.

Tuesday, March 15, 2016

Determine the Azure AD Connect Installation File Version

Sometimes you want to use an older AADConnect installation file for some reason (usually due to a broken update), and you would want to know the version *before* installing it.

The easiest way to find out is to use 7-Zip to open up the MSI file, expand file, and extract the file "Microsoft_Azure_ActiveDirectory_Synchronization_Setup_dll".

Rename it to "Microsoft_Azure_ActiveDirectory_Synchronization_Setup_dll.dll" and right click on the file, Properties and then Details tab:

In my case, it's version 1.0.9131, released in December 2015.

You can get the full version history for Azure AD Connect here:

Bonus tip! To manually force a sync using AADConnect 1.1, run the following PowerShell cmdlets:

Full Sync: 
Start-ADSyncSyncCycle -PolicyType Initial

Delta Sync:
Start-ADSyncSyncCycle -PolicyType Delta

Tuesday, March 01, 2016

Office 365: Maximum Number of Unverified Domains

Apparently there is a limit of how many unverified domains that you can have within an Office 365 subscription, and the magic number (as of 1 March 2016) is:


When you add more than 55 domains using PowerShell, you get the following error message:

Number of unverified domains exceeded.
Your account has too many unverified domains. Verify or delete one of your unverified domains, and then add the new domain.

The following article talks about the error, but does not mention the limit:

This article mentions more errors when adding domains into Office 365:

TMG 2010 - Error when importing configuration

Before we start, please read the large disclaimer:

I do not know what the implications are of performing these steps on a production TMG 2010 server/array, so please make sure you back up everything before doing this!

OK, back to business.

Have you ever tried to restore a TMG backup (right click on Array/Server > Import (Restore)) and received the following error message?

Error: 0xc0040411 - The file cannot be imported because the array is of version 2010SP2 in the exported file and version 2008 in the stored configuration.

You have already done the following to no avail:

  • Checked that the patch level is the same in the XML file and on the destination TMG 2010 server
  • Made sure that you have chosen the "Overwrite (restore)" option
  • Unticked "import server-specific information"

There is one more thing you can try. You can tweak the following lines in the XML file, and lower the version number. For my case, I changed "4" to "2" and the import worked, e.g:

Again, I am not sure what the implications are of lowering the CompatibilityVersion number, and I urge you to test it out before going to production. Hopefully this will help someone in the future.

Wednesday, February 10, 2016

Microsoft Word: Exclude Heading from Table of Content

Have you ever been annoyed that when you create a new TOC in Microsoft Word, the TOC's heading is included in the TOC as well?

Well, this week I learnt how to exclude specific headings from TOC. Move your cursor to the offending header, and go to References > Add Text > Do Not Show in Table of Contents:

Tada, update your TOC and you should see the "unwanted" heading gone from your TOC!

Thursday, January 21, 2016

Deploying an Azure Resource Manager (ARM) JSON Template

For the non-developers among us, it's a lot harder than it looks.

  1. Using Web Platform Install, install the following (
    1. Install Visual Studio Community 2015
      1. Make sure that the "Microsoft SQL Server Data Tools" is installed, if not, then you can add it later in Add/Remove Programs
    2. Install Azure Tools
    3. Install Azure PowerShell 1.0
  2. Run Visual Studio Community 2015 with Administrator rights - make sure it's admin rights or else your deployment (which runs Azure PowerShell in the background) will fail with very odd error messages! (See error below)
  3. Create new project
    1. File > New > Project > Installed > Templates > Visual Basic > Cloud > Azure Resource Group
  4. Pick an Azure Template, I recommend "Blank Template" from Microsoft to start with
  5. Under Solution Explorer (on right), expand Templates > azuredeploy.json
  6. Click "JSON Outline" on bottom left and start creating resources by clicking "Add Resource"
  7. When template is complete, right click on "AzureResourceGroup" under Solution Explorer and select Deploy.

If you forget to run Visual Studio Community 2015 with admin rights, you will get the following cryptic messages:

14:04:09 - Build started.
14:04:09 - Project "AzureResourceGroup2.deployproj" (StageArtifacts target(s)):
14:04:09 - Project "AzureResourceGroup2.deployproj" (ContentFilesProjectOutputGroup target(s)):
14:04:09 - Done building project "AzureResourceGroup2.deployproj".
14:04:09 - Done building project "AzureResourceGroup2.deployproj".
14:04:09 - Build succeeded.
14:04:09 - The following parameter values will be used for this deployment:
14:04:09 - Launching deployment PowerShell script with the following command:
14:04:09 - 'c:\users\username\documents\visual studio 2015\projects\azureresourcegroup2\azureresourcegroup2\Scripts\Deploy-AzureResourceGroup.ps1' -StorageAccountName '' -ResourceGroupName 'RG_Test1' -ResourceGroupLocation 'southeastasia' -TemplateFile 'c:\users\username\documents\visual studio 2015\projects\azureresourcegroup2\azureresourcegroup2\templates\azuredeploy.json' -TemplateParametersFile 'c:\users\username\documents\visual studio 2015\projects\azureresourcegroup2\azureresourcegroup2\templates\azuredeploy.parameters.json' -ArtifactStagingDirectory '..\bin\Debug\staging'
14:04:09 - Get-AzureEnvironment : The term 'Get-AzureEnvironment' is not recognized as the name of a cmdlet, function, script 
14:04:09 - file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct 
14:04:09 - and try again.
14:04:09 - At line:1 char:174
14:04:09 - + ... zure_PS_Data_Collection = 'true' }; if ((Get-AzureEnvironment -Name ' ...
14:04:09 - +                                              ~~~~~~~~~~~~~~~~~~~~
14:04:09 -     + CategoryInfo          : ObjectNotFound: (Get-AzureEnvironment:String) [], CommandNotFoundException
14:04:09 -     + FullyQualifiedErrorId : CommandNotFoundException
14:04:09 -  
14:04:10 - Get-AzureEnvironment : The term 'Get-AzureEnvironment' is not recognized as the name of a cmdlet, function, script 
14:04:10 - file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct 
14:04:10 - and try again.
14:04:10 - At line:1 char:2183
14:04:10 - + ...' -Environment (Get-AzureEnvironment -Name ' ...
14:04:10 - +                                              ~~~~~~~~~~~~~~~~~~~~
14:04:10 -     + CategoryInfo          : ObjectNotFound: (Get-AzureEnvironment:String) [], CommandNotFoundException
14:04:10 -     + FullyQualifiedErrorId : CommandNotFoundException
14:04:10 -  
14:04:10 - & : The script 'Deploy-AzureResourceGroup.ps1' cannot be run because the following modules that are specified by the 
14:04:10 - "#requires" statements of the script are missing: AzureRM.Resources.
14:04:10 - At line:1 char:2227
14:04:10 - + ... eCloud')));&'c:\users\username\documents\visual studio 2015\projects\ ...
14:04:10 - +                 ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
14:04:10 -     + CategoryInfo          : ResourceUnavailable: (Deploy-AzureResourceGroup.ps1:String) [], ScriptRequiresException
14:04:10 -     + FullyQualifiedErrorId : ScriptRequiresMissingModules
14:04:10 -  
14:04:10 - Deploying template using PowerShell script failed.
14:04:10 - Tell us about your experience at

So make sure you "Run as administrator"!