Office 365 share free busy between tenants

Introduction

Recently I have seen scenarios where a customer was looking for a way in Office 365 to share free busy between tenants. Nowadays, it seems to be a common ask by customers whether it's possible for two different organizations, hosted on two different Office 365 tenants owned by two different companies, to share free busy information with each other like they are used to doing with on-premises Exchange.

By default, all Office 365 tenants have a federation trust set up with the Microsoft Federation Gateway.

This allows organizations to set up free busy between tenants by creating an “Organizational Relationship” that allows access and sets sharing permissions.

Configuring Office 365 share free busy between tenants

Let’s start out with the two domains msexperttalk.com and msmvpservices.com, and assume they have both been updated to Office 365 tenants. Now, we want to share free busy information between them. Configuring Office 365 to share free busy between tenants is a two-step approach. Each step sets up the relationship from its own side.

Part 1 – MSExpertTalk to MSMVPServices

We need to pull the federation information from the Microsoft Federation Gateway and use that to establish an organizational trust from msexperttalk.com to msmvpservices.com. Use the following PowerShell cmdlets to connect to Exchange Online using Global Admin credentials.

C:\> $Cred = Get-Credential

C:\> $session = New-PSSession -ConnectionUri https://ps.outlook.com/powershell -ConfigurationName Microsoft.Exchange -Credential $Cred -Authentication Basic -AllowRedirection

C:\> Import-PSSession $session -AllowClobber | Out-Null

You can connect with Office 365 PowerShell by using a PowerShell script available at TechNet Gallery. Once you are connected with the MSExpertTalk Office 365 tenant, run the following cmdlet to retrieve the federation information of msmvpservices.com.

C:\> Get-FederationInformation -DomainName msmvpservices.com

This step verifies everything is good with MSExpertTalk and the Microsoft federation gateway.

Now we need to establish the organizational relationship.

C:\> Get-FederationInformation -DomainName msmvpservices.com | New-OrganizationRelationship -Name FreeBusyMSMVP -Enabled $true -FreeBusyAccessEnabled $true -FreeBusyAccessLevel 'AvailabilityOnly' -FreeBusyAccessScope $null

After this completes, run Get-OrganizationRelationship to verify.

This completes step 1: free busy sharing from your tenant to msmvpservices.com is configured. The next step is to configure msmvpservices.com to share free busy information with your Office 365 tenant.

Part 2 – MSMVPServices to MSExpertTalk

Now we need to pull the federation information from the Microsoft federation gateway and use that to establish an organizational trust from MSMVPServices to MSExpertTalk.

From MSMVPServices.com, we open PowerShell and connect to Office 365.

C:\> $userCredential = Get-Credential

C:\> $session = New-PSSession -ConnectionUri https://ps.outlook.com/powershell -ConfigurationName Microsoft.Exchange -Credential $userCredential -Authentication Basic -AllowRedirection

C:\> Import-PSSession $session -AllowClobber | Out-Null

C:\> Connect-MsolService -Credential $userCredential

Now that we are connected to the MSMVPServices Office 365 tenant, we need to collect the federation information for MSExpertTalk.com.

Now, we establish the organizational relationship.

C:\> Get-FederationInformation -DomainName msexperttalk.com | New-OrganizationRelationship -Name MSExpertFreeBusy -Enabled $true -FreeBusyAccessEnabled $true -FreeBusyAccessLevel 'AvailabilityOnly' -FreeBusyAccessScope $null

After this completes, run Get-OrganizationRelationship to verify.
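
The verification step can go further than listing the relationship. The following is an added example, not part of the original post: it reviews organization relationships for settings broader than the AvailabilityOnly setup above. The sample objects, the partner.example domain, the FreeBusyShared group and the user address are constructed or hypothetical.

```powershell
# Added example (not from the original post).
# Flags organization relationships that share more than availability-only free/busy.
function Get-OrgRelationshipFinding {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Relationship
    )
    process {
        $notes = @()
        if ($Relationship.Enabled -and $Relationship.FreeBusyAccessEnabled) {
            if ("$($Relationship.FreeBusyAccessLevel)" -eq 'LimitedDetails') {
                $notes += 'FreeBusyAccessLevel is LimitedDetails: subject and location are shared too'
            }
            if (-not $Relationship.FreeBusyAccessScope) {
                $notes += 'FreeBusyAccessScope is empty: free/busy of all users is shared with the partner'
            }
        }
        if ($Relationship.MailTipsAccessEnabled) { $notes += 'MailTips sharing is enabled' }
        if ($Relationship.MailboxMoveEnabled)    { $notes += 'Mailbox moves are enabled' }
        [pscustomobject]@{
            Name        = $Relationship.Name
            DomainNames = ($Relationship.DomainNames -join ', ')
            Findings    = $notes
        }
    }
}

# Constructed sample objects so the function can be tried without a tenant.
# The first mirrors the relationship created in Part 1 of this post.
$sample = @(
    [pscustomobject]@{
        Name = 'FreeBusyMSMVP'; DomainNames = @('msmvpservices.com'); Enabled = $true
        FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'AvailabilityOnly'
        FreeBusyAccessScope = $null; MailTipsAccessEnabled = $false; MailboxMoveEnabled = $false
    }
    [pscustomobject]@{
        Name = 'ConstructedPartner'; DomainNames = @('partner.example'); Enabled = $true
        FreeBusyAccessEnabled = $true; FreeBusyAccessLevel = 'LimitedDetails'
        FreeBusyAccessScope = $null; MailTipsAccessEnabled = $true; MailboxMoveEnabled = $false
    }
)
$sample | Get-OrgRelationshipFinding | Format-List

# In a connected Exchange Online session (the connection steps above, or
# Connect-ExchangeOnline from the ExchangeOnlineManagement module):
#   Get-OrganizationRelationship | Get-OrgRelationshipFinding | Format-List
# Limit sharing to a mail-enabled security group (FreeBusyShared is hypothetical):
#   Set-OrganizationRelationship -Identity FreeBusyMSMVP -FreeBusyAccessScope 'FreeBusyShared'
# End-to-end check against the partner (user address is hypothetical):
#   Test-OrganizationRelationship -Identity FreeBusyMSMVP -UserIdentity user@msexperttalk.com
```

With `-FreeBusyAccessScope $null`, as used in both parts of this post, the first sample relationship is reported with the empty-scope finding.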

Conclusion

With both sides set up, we can log into OWA from either side and set up a meeting with a user in the other domain to check for availability. Since you followed this handy guide, you should see the availability and life is good. Please note that this configuration only enables free busy sharing between the two tenants. It does not allow users to see users from the other organization in the address book. For users to show up in the address book, you need to configure GAL Sync between tenants.

I hope you found this helpful in getting your tenants connected, availability working, and keeping it working as you grow with Office 365.

Setup Azure VNET Peering

Introduction to Azure VNet Peering

Azure Virtual Network (VNet) capabilities enable organizations to securely connect Azure resources. A VNet in Azure represents its own isolated network, dedicated to the subscription. Azure VNet peering enables organizations to connect two or more VNets within the same region over the Azure backbone network infrastructure. Once peered, the VNets work as a single network and resources can be accessed from both VNets.

After VNet peering, the VNets are still managed as separate resources, but virtual machines in the peered VNets can communicate with each other directly by using private IP addresses.

Communication between VMs in the peered VNets uses the Azure backbone infrastructure within the region. This provides a low-latency, high-bandwidth connection between resources, access to resources on a private network in different VNets, and the option of using a VPN gateway or network appliance as a transit point in a peered VNet.

Setup Azure VNET Peering

Before we start the implementation of Azure VNet Peering, we need to ensure that we meet the following prerequisites to configure VNet Peering.

  • All VNets are in the same region
  • IP addresses in VNet should not overlap with each other
  • Ensure these are not transitive routes

Once you fulfill the requirements for VNet Peering, follow the steps below to set up Azure VNet Peering.

I have two VNets configured in Azure West US region.

  • Select VNet_01 and click on Peering

  • Click on Add on the right side to add the VNet peering

  • You can see the VNet peering is added and currently in the Initiated state on VNet 1. To complete the VNet peering, add the peering on VNet 2

  • Navigate to VNet 2 > Peering > click on Add to add the peering

  • Once the VNet peering is added on both VNets, the status of the peering is updated to “Connected”

Setup Azure VNet Peering using PowerShell

To set up Azure VNet peering using PowerShell, run the following cmdlets.

  • Connect with ARM using the PS cmdlet

C:\> Login-AzureRMAccount

  • Get the VNet objects for both VNets

C:\> $AzVNet1 = Get-AzureRmVirtualNetwork -ResourceGroupName AZUSWestDC01  -Name VNET_01
C:\> $AzVNet2 = Get-AzureRmVirtualNetwork -ResourceGroupName AZUSWestDC02  -Name VNET_02

  • Configure the VNet Peering by running the following cmdlets

C:\> Add-AzureRmVirtualNetworkPeering -name VNetPeering_01 -VirtualNetwork $AzVNet1 -RemoteVirtualNetworkId $AzVNet2.id
C:\> Add-AzureRmVirtualNetworkPeering -name VNetPeering_02 -VirtualNetwork $AzVNet2 -RemoteVirtualNetworkId $AzVNet1.id
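
The non-overlap prerequisite listed earlier can be checked before the peering cmdlets are run. The following is an added example, not part of the original post: it compares the IPv4 address prefixes of two VNets and returns every overlapping pair. The function names and the sample prefixes are constructed for illustration.

```powershell
# Added example (not from the original post).
# Checks the "IP addresses should not overlap" prerequisite for two VNets.
function ConvertTo-Ipv4Range {
    param([Parameter(Mandatory)][string]$Cidr)
    $parts = $Cidr.Trim() -split '/'
    if ($parts.Count -ne 2) { throw "Not a CIDR prefix: $Cidr" }
    $bytes  = [System.Net.IPAddress]::Parse($parts[0]).GetAddressBytes()
    $length = [int]$parts[1]
    if ($bytes.Length -ne 4 -or $length -lt 0 -or $length -gt 32) {
        throw "Only IPv4 prefixes /0 to /32 are handled: $Cidr"
    }
    # Fold the four octets into one number, then align it to the prefix boundary.
    [long]$ip = 0
    foreach ($octet in $bytes) { $ip = $ip * 256 + $octet }
    [long]$size  = [math]::Pow(2, 32 - $length)
    [long]$start = $ip - ($ip % $size)
    [pscustomobject]@{ Prefix = $Cidr; Start = $start; End = $start + $size - 1 }
}

function Find-VNetPrefixOverlap {
    param(
        [Parameter(Mandatory)][string[]]$LocalPrefixes,
        [Parameter(Mandatory)][string[]]$RemotePrefixes
    )
    foreach ($local in $LocalPrefixes) {
        $a = ConvertTo-Ipv4Range $local
        foreach ($remote in $RemotePrefixes) {
            $b = ConvertTo-Ipv4Range $remote
            # Two ranges overlap when each one starts before the other ends.
            if ($a.Start -le $b.End -and $b.Start -le $a.End) {
                [pscustomobject]@{ Local = $local; Remote = $remote }
            }
        }
    }
}

# Constructed sample prefixes: the first pair is safe to peer, the second is not.
Find-VNetPrefixOverlap -LocalPrefixes '10.0.0.0/16' -RemotePrefixes '10.1.0.0/16', '172.16.0.0/24'
Find-VNetPrefixOverlap -LocalPrefixes '10.0.0.0/16' -RemotePrefixes '10.0.128.0/17'

# With the VNet objects retrieved above, the real prefixes are:
#   Find-VNetPrefixOverlap -LocalPrefixes $AzVNet1.AddressSpace.AddressPrefixes `
#                          -RemotePrefixes $AzVNet2.AddressSpace.AddressPrefixes
# After both peerings are added, the state can be read back with:
#   Get-AzureRmVirtualNetworkPeering -VirtualNetworkName VNET_01 -ResourceGroupName AZUSWestDC01 |
#       Select-Object Name, PeeringState
```

The first call returns nothing; the second returns the pair 10.0.0.0/16 and 10.0.128.0/17.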

Conclusion

Azure VNet Peering is a great functionality that allows us to connect multiple VNets so that they act as a single network from a connectivity standpoint. This can help us connect multiple subscriptions in the same region, or integrate test or different business applications deployed in different VNets from a security standpoint. VNet peering helps us eliminate the need to use the public network for communication between resources in different VNets and helps improve performance and business productivity.

Step by Step Skype for Business Installation Part 1

Introduction

Skype for Business is a communications and collaboration platform of Microsoft that provides enterprise-grade security, compliance, and control. Skype for Business offers features including presence, IM, voice and video calls, and online meetings.

Skype for Business also supports the Lync client experience so that you can choose a phased upgrade approach to the new client experience for your users. For example, you might want to deploy the Lync client experience until users in your organization are fully trained in the new Skype for Business experience, or until all users are upgraded to the new server.

Step by Step Skype for Business Installation

To install the first Skype for Business server in your organization, you need to perform the following steps.

  • Prepare Skype for Business Server
  • Install Skype for Business Admin tools
  • Prepare Active Directory for Skype for Business
  • Add user to Skype for Business administrative group
  • Prepare First Skype for Business Server
  • Define and Deploy Topology
  • Install Skype for Business Server
  • Enable Users

Prepare Skype for Business Server

Before you start the implementation of your first Skype for Business server, make sure you meet the minimum hardware requirements. Microsoft's minimum recommended hardware requirements for a standard Skype for Business server are as below.

As part of the Skype for Business server preparation, perform the following steps.

  • Ensure that you have all Windows updates installed on your server

  • Install the hotfix KB2982006 for Windows Server 2012 R2

To install the KB2982006 hotfix on Windows Server 2012 R2, you first need to install KB2919442 and then KB2919355. Once these prerequisites are installed, you can install the KB2982006 hotfix.

  • Install Skype for Business Prerequisites by running the following PowerShell cmdlet

Add-WindowsFeature NET-Framework-Core, RSAT-ADDS, Windows-Identity-Foundation, Web-Server, Web-Static-Content, Web-Default-Doc, Web-Http-Errors, Web-Dir-Browsing, Web-Asp-Net, Web-Net-Ext, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Http-Tracing, Web-Basic-Auth, Web-Windows-Auth, Web-Client-Auth, Web-Filtering, Web-Stat-Compression, Web-Dyn-Compression, NET-WCF-HTTP-Activation45, Web-Asp-Net45, Web-Mgmt-Tools, Web-Scripting-Tools, Web-Mgmt-Compat, Server-Media-Foundation, BITS

  • After the server is rebooted, install Microsoft Silverlight for the Skype for Business Server Control Panel

Install Skype for Business Admin Tools

Once the Skype for Business prerequisites are installed, the next step is to install the Skype for Business admin tools. To install them, perform the following steps.

  • Launch Setup.exe for Skype for Business

  • Accept the license agreement and click OK

  • In the Skype for Business Deployment Wizard, click on Install Skype for Business Administrative Tools and follow the wizard

  • Click on Next to start the installation of the administrative tools

  • Click on Finish to exit the installation wizard

  • This process has installed the Skype for Business admin tools on your server. The next step is to prepare Active Directory using the Skype for Business admin tools.

Prepare Active Directory for Skype for Business

Now we have the administrative tools installed. The next step is to prepare Active Directory by running the Prepare Active Directory wizard. The wizard has you perform the following steps to prepare AD.

  • Schema Preparation
  • Verify Schema Replication
  • Forest Preparation
  • Prepare Domain
  • Add user to CSAdministrator AD group

Schema Preparation

To prepare AD schema, click on Prepare Schema

Once schema preparation is completed, review the logs and wait for AD replication to complete, or manually initiate a full AD replication by running the following command on a domain controller.

Repadmin /Syncall /Full /Force

Forest Preparation

Once the AD Schema preparation is completed, next step is to start the forest preparation for Skype for Business. Click on Prepare Forest to initiate the process of forest preparation.

Once the forest preparation is completed, click on Close to exit the wizard.

Prepare Domain

The last step of the Active Directory preparation is to prepare the domain. Perform the following steps to prepare the domain for Skype for Business Server.

  • Click on Prepare Domain to start the domain preparation wizard
  • Enter the FQDN of your domain (in my case, MSEXPERTTALK.COM) and click Next
  • Wait for the domain preparation to be completed and click on Close to exit the wizard
  • Once the domain preparation is completed, wait for Active Directory replication to be completed
  • Log in to the Domain Controller and add your user account to the CSAdministrator group
  • Log off from the Skype for Business server and log in again for the permissions to take effect.

Once all steps are completed, you’ll see that the Active Directory preparation is marked as completed in the Skype for Business Deployment Wizard.

Conclusion

In Part 1 of the step-by-step Skype for Business server installation, we have successfully installed the prerequisites for Skype for Business server and prepared the Active Directory infrastructure for Skype. In part 2 of this series we will install the first Skype for Business Standard edition server, create a network share for the Skype topology builder, and build and publish the topology.

Step by Step Active Directory Certificate Service – Part 2

Introduction

In part 1 of this blog series, we successfully installed Active Directory Certificate Services and performed the post-installation tasks. In this part, we will configure a certificate template for client and workstation authentication and configure a group policy for automatic enrollment of the certificate.

To secure the AD CS infrastructure, it’s highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.

Step by Step Configure Certificate Template

So far, we have AD CS installed and configured. To proceed with further configuration of AD CS, we need to configure a certificate template for workstation and client authentication. To configure a certificate template, perform the following steps.

  • Navigate to Server Manager > Tools > Certification Authority

  • Navigate to Certification Authority > Machine Name > Certificate Template. Right click on Certificate Template and click on Manage

  • Duplicate the template for “Workstation Authentication”

  • Set up the template properties as per your requirement. Under General Template, define the name of the duplicate template and set the validity period

  • Under the Security Tab, ensure that domain joined machines have permissions to Read, Enroll and auto-enroll

  • Click on the Extension Tab and edit Application Policies to add Server Authentication to the template

  • Click on Subject Name and ensure the DNS and User Principal Name options are selected

  • Click on Apply and close the certificate properties.
  • Navigate to Certification Authority > Certificate Template > Right Click New > Certificate Template to Issue

  • Select the certificate and click OK

So far we have created the certificate template for workstation authentication. The next step is to create a group policy to configure automatic enrollment of the certificate.

Group Policy for Automatic Certificate Enrollment

As of now, we have our AD CS setup ready for certificate enrollment. With the help of group policy, we will set up our domain joined machines to request a certificate from AD CS. To configure a group policy for AD CS, perform the following steps.

  • Login to domain controller and launch Group Policy Management Console from Control Panel > Administrative Tools > Group Policy Management

  • Navigate to the OU where you have all your domain joined computers. In my case, I’ve a server OU that contains all domain joined computers.

  • Right click on Servers OU and click on “Create a GPO in this domain, and link it here”

  • Define the name of the GPO and Click ok

  • Select the GPO, Right Click and click on Edit to modify the GPO Settings

  • Navigate to Computer Configuration > Windows Settings > Security Settings > Public Key Policies

  • Select the Certificate Services Client – Certificate Enrollment Policy and click on Properties

  • Under Configuration Model, select Enabled

  • Next step is to select “Certificate Services Client – Auto Enrollment” and go to properties and enable configuration model

  • Once done, Right click on GPO and click on Enforce and then Group Policy Update

  • Click ok on Group policy pop up message to finish the process

Your group policy deployment for the certificate authority is now complete. You can now navigate to Issued Certificates to see that the computer accounts have started to receive certificates from your AD CS infrastructure.
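
The result can also be checked from the enrolled machine. The following is an added example, not part of the original post: it tests whether a certificate carries what this series configured, namely the Client Authentication EKU from the Workstation Authentication template, the added Server Authentication EKU, and a SHA256 signature. The function name and the sample objects are constructed; on a real machine the input comes from the Cert:\LocalMachine\My store.

```powershell
# Added example (not from the original post).
# Checks certificates against the template settings configured above.
function Test-EnrolledCertificate {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory, ValueFromPipeline)]
        $Certificate,
        [datetime]$Now = (Get-Date)
    )
    begin {
        # EKU OIDs expected from the duplicated Workstation Authentication template
        $required = @{
            '1.3.6.1.5.5.7.3.2' = 'Client Authentication'
            '1.3.6.1.5.5.7.3.1' = 'Server Authentication'
        }
    }
    process {
        $oids = @($Certificate.EnhancedKeyUsageList | ForEach-Object { $_.ObjectId })
        $problems = @()
        foreach ($oid in $required.Keys) {
            if ($oids -notcontains $oid) { $problems += "missing EKU: $($required[$oid])" }
        }
        if ("$($Certificate.SignatureAlgorithm.FriendlyName)" -notmatch 'sha256') {
            $problems += "signature algorithm is $($Certificate.SignatureAlgorithm.FriendlyName), not SHA256"
        }
        if ($Certificate.NotAfter -le $Now) { $problems += 'certificate has expired' }
        [pscustomobject]@{
            Subject  = $Certificate.Subject
            Ok       = ($problems.Count -eq 0)
            Problems = $problems
        }
    }
}

# Constructed sample objects shaped like the entries of the Cert: drive.
$clientAuth = [pscustomobject]@{ FriendlyName = 'Client Authentication'; ObjectId = '1.3.6.1.5.5.7.3.2' }
$serverAuth = [pscustomobject]@{ FriendlyName = 'Server Authentication'; ObjectId = '1.3.6.1.5.5.7.3.1' }
$sample = @(
    [pscustomobject]@{
        Subject = 'CN=server01.msexperttalk.com'; NotAfter = (Get-Date).AddYears(1)
        SignatureAlgorithm = [pscustomobject]@{ FriendlyName = 'sha256RSA' }
        EnhancedKeyUsageList = @($clientAuth, $serverAuth)
    }
    [pscustomobject]@{
        Subject = 'CN=server02.msexperttalk.com'; NotAfter = (Get-Date).AddYears(1)
        SignatureAlgorithm = [pscustomobject]@{ FriendlyName = 'sha1RSA' }
        EnhancedKeyUsageList = @($clientAuth)
    }
)
$sample | Test-EnrolledCertificate | Format-List

# On a domain joined machine, after "gpupdate /force" and "certutil -pulse":
#   Get-ChildItem Cert:\LocalMachine\My | Test-EnrolledCertificate | Format-List
```

The first sample passes; the second is reported as missing Server Authentication and as not signed with SHA256.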

Conclusion

In this blog article we have configured the Active Directory Certificate Authority template for end user workstations and deployed a group policy on the server OU to request the certificate from the internal CA. Hope this series helps you deploy your PKI infrastructure using AD CS.

Step by Step Active Directory Certificate Service – Part 1

Introduction

Microsoft Active Directory Certificate Service (AD CS) provides an infrastructure for securely issuing and managing your public key infrastructure. Active Directory Certificate Services can also be leveraged to authenticate computers, users or devices on the corporate network based on infrastructure security requirements.

In this blog series, we will set up a single-server AD CS on a domain joined machine and configure an Active Directory group policy to auto-enroll the certificate on one OU. Please note that this is a single-server deployment; enterprise deployments of Active Directory Certificate Service require detailed planning and design of the solution.

To secure the AD CS infrastructure, it’s highly recommended to deploy a subordinate certificate authority and shut down your root certificate authority.

Active Directory Certificate Service design options are discussed on TechNet. AD CS includes programmable interfaces so that developers can create support for additional transports, policies, and certificate properties and formats. Active Directory Certificate Service service architecture is defined here that helps customizing AD CS.

Step by Step Active Directory Certificate Service Role Installation

Below is a step by step active directory certificate service role installation guide to deploy the services.

  • Login to Active Directory Certificate Service server and launch Server Manager
  • On Server Manager, click on Add Roles and Features

  • Click Next on the following screen

  • By default, Role based or feature based installation is selected; click Next

  • Select the server you want to install this role on and click Next

  • Select Active Directory Certificate Service. Click on Add Features in the pop-up window and click on Next

  • Click on Next, as we don’t need to install any additional features for AD CS

  • Click Next on the AD CS page

  • On the Role Services page, select Certificate Authority and click Next

  • Click Install to start the installation process

  • Once the installation is completed, click on Close to exit the wizard.

Configure Active Directory Certificate Service

As of now, we have our Active Directory Certificate Service server role installed. The next step is to perform the post-installation steps and configure Active Directory Certificate Service. To do so, perform the following steps.

  • Click on Configure Active Directory Certificate Services on target computer. This will open a configuration wizard for the certificate authority

  • Provide the credentials of a user account that has Enterprise Admin and Local Admin rights and click Next

  • Select the role service to configure. We’re setting up Certificate Authority

  • As we are using a domain joined machine and setting up for the domain infrastructure, select Enterprise CA and click Next

  • As it’s our first Active Directory Certificate Services server, select Root CA and click Next

  • Select “Create a new private key” and click Next

  • Select your cryptography options and click Next

We are using SHA256, as SHA1 is deprecated by all browsers and Microsoft Server Authentication.

  • The CA name will be populated automatically; click Next

  • Define the validity period and click Next

  • Specify the database location for the certificate and click Next

  • Review the configuration and click Configure

  • Once the configuration is completed, click on Close to exit the configuration wizard.

Conclusion

In this article of the Active Directory Certificate Services series, we have successfully installed Active Directory Certificate Services and completed the post-installation tasks. In part 2 of this series we will configure the certificate template and group policy for certificate authority auto-enrollment.
