ATA – Microsoft Advanced Threat Analytics – Deployment Guide Part 1

As some of you may be aware, Microsoft Advanced Threat Analytics has just been released, so I took the time to go through the RTM version. Below is a step-by-step guide to getting the platform in place.

Before we start there are some prerequisites that should be observed and understood. There are technically three roles within ATA:

  • ATA Center – The brain behind ATA
  • ATA Console – The admin front end portal
  • ATA Gateway – The collector of information

It should be noted that at this time it is only supported to install this on premises and NOT within Azure, simply because it has not yet been tested there by Microsoft. The servers can be either domain or workgroup joined, depending on the environment.

The main challenge is the networking for port mirroring. Depending on your environment, the following are the supported port mirroring options and the considerations for each:

ATA Gateway | Domain Controller | Considerations
Virtual | Virtual on same host | The virtual switch needs to support port mirroring. Moving one of the virtual machines to another host by itself may break the port mirroring.
Virtual | Virtual on different hosts | Make sure your virtual switch supports this scenario.
Virtual | Physical | Requires a dedicated network adapter, otherwise ATA will see all of the traffic coming in and out of the host, even the traffic it sends to the ATA Center.
Physical | Virtual | Make sure your virtual switch supports this scenario, and configure port mirroring on your physical switches based on the scenario: if the virtual host is on the same physical switch, you will need to configure a switch-level SPAN; if the virtual host is on a different switch, you will need to configure RSPAN or ERSPAN*.
Physical | Physical on the same switch | Physical switch must support SPAN/port mirroring.
Physical | Physical on a different switch | Requires physical switches to support RSPAN or ERSPAN*.

*ERSPAN is only supported when decapsulation is performed before the traffic is analyzed by ATA.

I will come back to the importance of port mirroring shortly.

For ATA Center sizing, below is the guidance provided by Microsoft. Note that the ATA Center includes both the Center and the Console roles, which cannot be split, and the storage is local because the database cannot be placed on another server.

Packets per second* | CPU (cores**) | Memory (GB) | OS storage (GB) | Database storage per day (GB) | Database storage per month (GB)
1,000 | 4 | 48 | 200 | 1.5 | 45
10,000 | 4 | 48 | 200 | 15 | 450
40,000 | 8 | 64 | 200 | 60 | 1,800
100,000 | 12 | 96 | 200 | 150 | 4,500
200,000 | 16 | 128 | 200 | 300 | 9,000

This server should also have a single NIC with two IP addresses. It is possible to configure the service with one IP address, although this is not recommended.

The ATA Gateway has the following hardware requirements. For this server it should be noted that two NICs are required, and the second NIC should be attached to the same switch as the domain controllers it is monitoring, following the port mirroring guidance above.

Packets per second* | CPU (cores**) | Memory (GB) | OS storage (GB)
10,000 | 4 | 12 | 80
20,000 | 8 | 24 | 100
40,000 | 16 | 64 | 200

*Total daily average number of packets per second from all domain controllers being monitored.

**This includes physical cores, not hyper-threaded cores.

Once you have all of this you will also need to create a service account as a standard user, as this will be used by the ATA Center to gather information on AD users.

The final note is that the two ATA servers cannot be out of time sync with each other by more than 5 minutes.
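Before installing, the prerequisites above can be checked from the candidate server itself. The following is an added example and not part of the original post; it assumes Windows Server 2012 R2 or later (NetTCPIP and CIM cmdlets) and WinRM access to the peer ATA server, which is only used to compare clocks. The server name in the usage line is a placeholder.

```powershell
# Added example, not from the original post: check a candidate server against the ATA
# prerequisites listed above before installing the Center or Gateway role on it.
# Assumptions: Windows Server 2012 R2 or later (Get-NetAdapter, Get-NetIPAddress, CIM) and
# WinRM access to the peer ATA server, used only for the clock comparison.
function Test-AtaPrerequisite {
    param(
        [Parameter(Mandatory)][ValidateSet('Center', 'Gateway')][string]$Role,
        [Parameter(Mandatory)][string]$PeerServer,   # the other ATA server (Gateway or Center)
        [int]$MinimumCores = 4                       # smallest row of both sizing tables above
    )
    $results = [System.Collections.Generic.List[object]]::new()
    function Add-Result($Check, $Passed, $Detail) {
        $results.Add([pscustomobject]@{ Check = $Check; Passed = $Passed; Detail = $Detail })
    }

    # The sizing tables count physical cores only, so sum NumberOfCores, not logical processors
    $cores = (Get-CimInstance Win32_Processor | Measure-Object -Property NumberOfCores -Sum).Sum
    Add-Result 'Physical cores' ($cores -ge $MinimumCores) "$cores physical cores (need $MinimumCores)"

    # Adapter layout: Center = one NIC carrying two IPs; Gateway = two NICs (management + capture)
    $nics = @(Get-NetAdapter -Physical | Where-Object Status -eq 'Up')
    if ($Role -eq 'Center') {
        $ips = @($nics | ForEach-Object {
            Get-NetIPAddress -InterfaceIndex $_.ifIndex -AddressFamily IPv4 |
                Where-Object PrefixOrigin -ne 'WellKnown'     # drop APIPA and loopback addresses
        })
        Add-Result 'Single NIC with two IP addresses' ($nics.Count -eq 1 -and $ips.Count -ge 2) `
            "$($nics.Count) NIC(s) up, $($ips.Count) IPv4 address(es)"
    } else {
        Add-Result 'Two NICs (management + port-mirror capture)' ($nics.Count -ge 2) "$($nics.Count) NIC(s) up"
    }

    # Both ATA servers must stay within 5 minutes of each other; compare UTC ticks so zones don't matter
    try {
        $peerTicks = Invoke-Command -ComputerName $PeerServer -ScriptBlock { [DateTime]::UtcNow.Ticks }
        $skewMin = [math]::Abs([DateTime]::UtcNow.Ticks - $peerTicks) / [TimeSpan]::TicksPerMinute
        Add-Result 'Clock skew to peer <= 5 min' ($skewMin -le 5) ('{0:N2} minutes vs {1}' -f $skewMin, $PeerServer)
    } catch {
        Add-Result 'Clock skew to peer <= 5 min' $false "Could not query $PeerServer : $($_.Exception.Message)"
    }

    return $results
}

# Usage: run on the intended Gateway, naming the Center as the peer (placeholder host name)
Test-AtaPrerequisite -Role Gateway -PeerServer 'ata-center.corp.example' | Format-Table -AutoSize
```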

In part 2 I will go through the installation in more detail.

Mailbox fails to move with a 404 error no service listening

So I was moving a batch of mailboxes the other day and two of them in the batch wouldn't move; they showed errors similar to the following:

Error(s): The call to failed because no service was listening on the specified endpoint

Error details:
There was no endpoint listening at that could accept the message this is often cause by an incorrect address of soap action. The remote server returned an error 404 not found.

However, all the other mailboxes would sync, just not these two. After further digging I found that these mailboxes had recently been converted from user mailboxes to shared mailboxes.

What I then did was compare the Exchange GUID on premises with the one in Office 365 to see if they matched, which they didn't!!!

So to fix this I ran the following:

On Premise Exchange Powershell

Get-Mailbox "mailboxname" | fl ExchangeGUID

Office 365 Exchange Online Powershell

Set-MailUser "mailboxname" -ExchangeGUID "Result from above command"

Then as if by magic the move kicked into life and migrated successfully.

My scenario is an Exchange 2013 CU9 hybrid with the legacy server at the same version; however, there are reports of Exchange 2013 CU2 hybrids with the same issue!
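When only a couple of mailboxes in a batch fail like this, it is quicker to compare the GUIDs for the whole batch than one mailbox at a time. The following is an added example, not the post's own commands; it assumes an on-premises Exchange session imported with -Prefix OnPrem and an Exchange Online session imported with -Prefix Cloud (both prefix names are assumptions), and the identities in the usage lines are placeholders.

```powershell
# Added example, not from the original post: compare the on-premises ExchangeGuid with the
# Exchange Online mail user for every mailbox in a move batch and report the mismatches that
# produce the 404 above. -Fix stamps the on-premises GUID onto the cloud mail user, which is
# the Set-MailUser step described in the post.
# Assumptions: an on-premises Exchange session was imported with -Prefix OnPrem and an Exchange
# Online session with -Prefix Cloud (e.g. Import-PSSession $Sess -Prefix Cloud); both prefixes are mine.
function Compare-MoveBatchExchangeGuid {
    param(
        [Parameter(Mandatory)][string[]]$Identity,   # aliases or SMTP addresses in the batch
        [switch]$Fix                                  # report only unless explicitly asked
    )
    foreach ($id in $Identity) {
        $onPrem = Get-OnPremMailbox -Identity $id -ErrorAction SilentlyContinue
        $cloud  = Get-CloudMailUser -Identity $id -ErrorAction SilentlyContinue

        if (-not $onPrem -or -not $cloud) {
            # A missing object on either side is a different problem from a GUID mismatch
            [pscustomobject]@{ Identity = $id; OnPremGuid = $null; CloudGuid = $null; Status = 'NotFound' }
            continue
        }

        # Both sides come back deserialized; compare the GUID text so Guid vs string does not matter
        $onPremGuid = [string]$onPrem.ExchangeGuid
        $cloudGuid  = [string]$cloud.ExchangeGuid
        $status = if ($onPremGuid -eq $cloudGuid) { 'Match' } else { 'Mismatch' }

        if ($status -eq 'Mismatch' -and $Fix) {
            # Stamp the on-premises value onto the cloud MailUser so the move request can bind to it
            Set-CloudMailUser -Identity $id -ExchangeGuid $onPremGuid
            $status = 'Fixed'
        }
        [pscustomobject]@{ Identity = $id; OnPremGuid = $onPremGuid; CloudGuid = $cloudGuid; Status = $status }
    }
}

# Usage: report first, then re-run with -Fix only for the mailboxes that show 'Mismatch'
$batch = 'shared.mailbox1', 'shared.mailbox2'     # placeholder identities
Compare-MoveBatchExchangeGuid -Identity $batch | Format-Table -AutoSize
# Compare-MoveBatchExchangeGuid -Identity $batch -Fix
```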

Office 365 IRM templates in Outlook appear in Vietnamese although the local language setting in the Windows OS is “English – United Kingdom”

Shortly after Wave 15 was deployed I started testing functionality for issues and found the following: the Office 365 IRM templates in Outlook appear in Vietnamese although the locale setting in Windows 8 and above is "English – United Kingdom", as shown below when using Office 2013.

The default “Confidential” and “Confidential – View Only“ templates provided by Office 365 IRM contain numerous languages.

In our case, we set the locale to "English – United Kingdom" in Windows (LCID: 2057) on Windows 8 or 8.1.
There is no translation in the templates for LCID 2057, so Office 2013 simply defaults to the first one listed in the template: LCID 1066 (Vietnamese).
There is a possible solution to this issue:
1) Set the 1033 (English – US) locale to be the first in the list, so that the default language seen in Office is English.

I also have a bug call logged with Microsoft, who state that by the end of December 2013 the template will be updated and fixed. I will keep you updated!

Update as of 24th Jan 2014: this issue should be resolved for EMEA tenants. You will need to re-download the templates by carrying out the following:

  1. Shut down any Office application such as Word and Outlook
  2. In regedit, rename or delete the following key: HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\MSIPC
  3. Then browse to C:\Users\<userprofilename>\appdata\local\microsoft and rename the MSIPC folder to old, or even delete it
  4. Restart the machine; then, when you open Outlook or Word and go into the IRM settings, it will download the templates again.


Relinquishing job because the mailbox is locked



I was getting this error constantly when trying to move a mailbox from Exchange 2013 back to Exchange 2010. For the life of me I could not get to the bottom of it; then I looked through the event logs and noticed the following happening every time the mailbox tried to move, as shown below.

(highlighted sections in red) – which to me looked like a search issue. Upon conferring with a colleague it was suggested that the Outlook profile had a corrupt index and would need resetting. Easy enough:

Fire up a cmd prompt and run: outlook.exe /cleanfinders /cleanviews

Give it 5 minutes, then try the move again; it went through successfully!


Event id 1012

MSExchange Mailbox Replication

The Microsoft Exchange Mailbox Replication service hit an unexpected failure.

Failure type:
Unable to cast object of type 'System.String' to type 'System.String[]'.

Stack trace:
at Microsoft.Mapi.PropValue.GetBytesToMarshal()
at Microsoft.Mapi.Restriction.ContentRestriction.GetBytesToMarshal()
at Microsoft.Mapi.Restriction.AndOrNotRestriction.GetBytesToMarshal()
at Microsoft.Mapi.Restriction.AndOrNotRestriction.GetBytesToMarshal()
at Microsoft.Mapi.Unmanaged.SafeExMapiContainerHandle.InternalSetSearchCriteria(Restriction lpRestriction, Byte[][] lpContainerList, Int32 ulSearchFlags)
at Microsoft.Mapi.MapiContainer.SetSearchCriteria(Restriction restriction, Byte[][] entryIds, SearchCriteriaFlags flags)
at Microsoft.Exchange.MailboxReplicationService.MapiDestinationFolder.Microsoft.Exchange.MailboxReplicationService.IDestinationFolder.SetSearchCriteria(RestrictionData restriction, Byte[][] entryIds, SearchCriteriaFlags flags)
at Microsoft.Exchange.MailboxReplicationService.DestinationFolderWrapper.<>c__DisplayClass28.<Microsoft.Exchange.MailboxReplicationService.IDestinationFolder.SetSearchCriteria>b__27()
at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
at Microsoft.Exchange.MailboxReplicationService.DestinationFolderWrapper.Microsoft.Exchange.MailboxReplicationService.IDestinationFolder.SetSearchCriteria(RestrictionData restriction, Byte[][] entryIds, SearchCriteriaFlags flags)
at Microsoft.Exchange.MailboxReplicationService.CommonUtils.ProcessKnownExceptions(Action actionDelegate, FailureDelegate failureDelegate)
at Microsoft.Exchange.MailboxReplicationService.MailboxCopierBase.CopyFolderProperties(FolderRecWrapper folderRec, ISourceFolder sourceFolder, IDestinationFolder destFolder, FolderRecDataFlags dataToCopy, Boolean& isContentAvailable)
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.<>c__DisplayClass2d.<>c__DisplayClass31.<CreateFolderHierarchy>b__2a()
at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(Action operation)
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.<>c__DisplayClass2d.<CreateFolderHierarchy>b__29(FolderRecWrapper folderRec, EnumFolderContext context)
at Microsoft.Exchange.MailboxReplicationService.FolderMap.EnumSingleFolder(FolderRecWrapper folderRec, EnumFolderContext ctx, EnumFolderCallback callback, EnumHierarchyFlags flags)
at Microsoft.Exchange.MailboxReplicationService.FolderMap.EnumSingleFolder(FolderRecWrapper folderRec, EnumFolderContext ctx, EnumFolderCallback callback, EnumHierarchyFlags flags)
at Microsoft.Exchange.MailboxReplicationService.FolderMap.EnumSingleFolder(FolderRecWrapper folderRec, EnumFolderContext ctx, EnumFolderCallback callback, EnumHierarchyFlags flags)
at Microsoft.Exchange.MailboxReplicationService.FolderMap.EnumerateSubtree(EnumHierarchyFlags flags, FolderRecWrapper root, EnumFolderCallback callback)
at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.CreateFolderHierarchy(Object[] wiParams)
at Microsoft.Exchange.MailboxReplicationService.CommonUtils.ProcessKnownExceptions(Action actionDelegate, FailureDelegate failureDelegate)
at Microsoft.Exchange.MailboxReplicationService.WorkItem.Run()

Failure context:
Operation: IDestinationFolder.SetSearchCriteria
OperationSide: Target
Primary (xxxxxxx)

Restriction: Restriction: AND[count:2, PROPERTY[ptag:0x360003(Sensitivity), NotEqual, val:[Tag:0x360003(Sensitivity), Value:2(int)]]; OR[count:16, CONTENT[ptag:0x8002001f(NamedProp), SubString, IgnoreCase, val:[Tag:0x8137001f(NamedProp), Value:”naick”(string)]]; CONTENT[ptag:0x8013001f(NamedProp), SubString, IgnoreCase, val:[Tag:0x8138001f(NamedProp), Value:”naick”(string)]]; CONTENT[ptag:0xe02001f(DisplayBcc), SubString, IgnoreCase, val:[Tag:0xe02001f(DisplayBcc), Value:”naick”(string)]]; CONTENT[ptag:0xe03001f(DisplayCc), SubString, IgnoreCase, val:[Tag:0xe03001f(DisplayCc), Value:”naick”(string)]]; CONTENT[ptag:0xe04001f(DisplayTo), SubString, IgnoreCase, val:[Tag:0xe04001f(DisplayTo), Value:”naick”(string)]]; CONTENT[ptag:0xc1f001f(SenderEmailAddress), SubString, IgnoreCase, val:[Tag:0xc1f001f(SenderEmailAddress), Value:”naick”(string)]]; CONTENT[ptag:0xc1a001f(SenderName), SubString, IgnoreCase, val:[Tag:0xc1a001f(SenderName), Value:”naick”(string)]]; CONTENT[ptag:0x65001f(SentRepresentingEmailAddress), SubString, IgnoreCase, val:[Tag:0x65001f(SentRepresentingEmailAddress), Value:”naick”(string)]]; CONTENT[ptag:0x42001f(SentRepresentingName), SubString, IgnoreCase, val:[Tag:0x42001f(SentRepresentingName), Value:”naick”(string)]]; CONTENT[ptag:0x8004001f(NamedProp), SubString, IgnoreCase, val:[Tag:0x807d001f(NamedProp), Value:”naick”(string)]]; CONTENT[ptag:0x3703001f(AttachExtension), SubString, IgnoreCase, val:[Tag:0x3703001f(AttachExtension), Value:”naick”(string)]]; CONTENT[ptag:0x3707001f(AttachLongFileName), SubString, IgnoreCase, val:[Tag:0x3707001f(AttachLongFileName), Value:”naick”(string)]]; CONTENT[ptag:0xea5001f, SubString, IgnoreCase, val:[Tag:0xea5001f, Value:”naick”(string)]]; CONTENT[ptag:0x8003101f(NamedProp), SubString, IgnoreCase (mv), val:[Tag:0x8002101f(NamedProp), Value:”naick”(string)]]; CONTENT[ptag:0x1000001f(Body), SubString, IgnoreCase, val:[Tag:0x1000001f(Body), Value:”naick”(string)]]; CONTENT[ptag:0x37001f(Subject), SubString, 
IgnoreCase, val:[Tag:0x37001f(Subject), Value:”naick”(string)]]]]

EntryIDs: [count:1, [len=46, data=00000000BDDED84A13037743AF12A0FBB395C0D9010093A0DC80C8953B4B88DB2726AE921E26004DDB4EC4E80000]]

Flags: Restart, NonContentIndexed, FailOnForeignEID

Skype for Business Online for Office 365 Firewall Requirements

The following are the requirements of Skype for Business Online for Office 365; note this information can change as the service evolves. This is from the client's machine to Office 365.

Firewall Ports

Port | Destination | Protocol | Client Usage | Direction (only the client usage entries and two port ranges survive from this table; the remaining cells were lost):
  • SIP Signalling
  • Audio, Video, Application sharing sessions and Web Conferencing
  • Audio and Video Sessions
  • SfB Mobile push notifications – iOS only
  • 50000 to 59999 inclusive – Audio and Video Sessions
  • 50000 to 59999 inclusive – Application Sharing and File Transfer

The following are the URLs that the SfB Online client will use to get to the SfB Online servers, so if the traffic is going through internet proxies and you are having issues these URLs will be helpful:


Finally, if your firewall guys want to lock down access to specific IP addresses (although this is NOT recommended, as these can change), please refer here:

Converting a User to a Shared Mailbox or Vice Versa in Office 365

I was working with a customer recently who wanted to convert a shared mailbox back to a user and found that I was given the following error message:

Error on proxy command ‘Set-Mailbox -Type:’Regular’ -Identity:’BLAH’ -Confirm:$False -Force:$True’ to server Server version 1941996335, Proxy method PSWS:
Request return error with following error message:
The remote server returned an error: (500) Internal Server Error…

After some digging and a quiet conversation with my contacts within Microsoft, it was discussed that this is a known issue which affects all EMEA customers. However, being the bearer of good news, there is a workaround:

Instead of connecting to Exchange Online PowerShell the normal way, you have to use the following:
New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <connection URI including the targetserver from the error message> -Credential $Cred -Authentication Basic -AllowRedirection

Ensure a targetserver is set; the target server should be the server named in the error message shown above.

MS are aware of this bug and have advised that it will be resolved in the next build release, which should be within the next quarter.

Office 365 Hosted IRM Configuration for Exchange Online

I recently had the opportunity to actually deploy hosted IRM for a customer with Exchange Online. There are some restrictions to this: you only get the templates provided, and you don't have the ability to customize them. If you want this then AADRM should be deployed on premises and then connected to Exchange Online.

Before we start the following needs to be installed locally:

Sign-in Assistant:

Then download the Azure AD Module for PowerShell. Note this is the 64-bit version; if you are running 32-bit go here.

Then download the Azure AD RM Tools. Note this states 2010 but is the current version as of writing.


Then open PowerShell on your machine and run the following commands:

Import-Module AADRM

Connect-AadrmService – you will then be prompted for credentials; enter your admin account on the tenant.

Then run Get-AadrmConfiguration and look for FunctionalState: Enabled; this proves it has been enabled successfully for your tenant.

Then run the following commands to connect to Exchange Online:

Import-Module MSOnline

$Sess = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <Exchange Online PowerShell URI> -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Sess

Once connected, run:

Set-IRMConfiguration -RMSOnlineKeySharingLocation "<EMEA key sharing location URL>"

Note this is for the EMEA region; if you want the other regions, the locations are listed below: for North America; for Asia Pacific.

Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"

Get-IRMConfiguration – you should get back the same as below. You will notice InternalLicensingEnabled is set to False, which blocks OWA; the next step is to turn this on.




Set-IRMConfiguration -InternalLicensingEnabled $true

Test-IRMConfiguration -Sender <dummy user>@<tenant domain> – note this is a dummy account; replace the name and the domain with those of the tenant you are trying it out on.

You should get back the following:



After this I have noticed that it can take up to 24 hours for it to work in OWA, but in Outlook it should be instant. Voila, you are free to play and test.

From here you also have the ability to create rules that apply these templates automatically; otherwise, by default, a user will have to select them for each email.

DirSync installation ERROR on Server 2012 – Timeout has occurred

Issue: During the latest DirSync install released in June 2013 you get the following error when installing DirSync on Windows Server 2012:



  1. First, from Control Panel uninstall all DirSync related components
  2. Open CMD as an Administrator and browse to the DirSync directory
  3. Run dirsync.exe /FULLSQL (this will install the Sync Tool without the SQL bits)
  4. Once installation is complete, go ahead and uninstall "Windows Azure Active Directory Sync tool" from Control Panel
  5. Now re-run DirSync.exe (WITHOUT the /FULLSQL switch) to complete the DirSync installation.


Office 365 Auto Attendant with Lync 2013 On Premise

In my previous post I discussed Unified Messaging for the voicemail feature of Office 365 with Lync 2013 on premises; in this article I will discuss how to configure the auto attendant in the same scenario.

Within The New Office 365 portal (Wave 15)

Select Dial Plan in the O365 tenant > under UM Auto Attendants click + and fill out the information; you can enable this straight away or come back and enable it later on.

auto attendant

Then select the new attendant and set the following as per the currently deployed options, or query them with the customer.



business hours



dialling author auto

Then with Lync 2013 on premises open PowerShell and run the following commands to create the account:

  • New-CsExUmContact -SipAddress -RegistrarPool "" -OU "OU=Blah,DC=yourcompany,dc=com" -DisplayNumber "+14255550101" -AutoAttendant $True
  • Grant-CsHostedVoicemailPolicy -Identity "post the GUID that has been created" -PolicyName CloudUM

Then within Exchange Online Powershell

  • Set-UMMailboxPolicy -Identity "Policy Name in O365" -SourceForestPolicy "CloudUM"

Voila, the auto attendant should be ready to go. Bear in mind the settings shown here are pretty much the defaults and can be changed as you choose.

Office 365 Unified Messaging with Lync 2013 On Premise

Update – 30/04/2018 – Minor changes

UPDATE – 13/01/16 – Further updates and some tasks removed. Also note this does not contain any information for configuring Cloud PBX using UM in O365.

UPDATE – 10/06/15 I have also tested this configuration with Skype for Business and Exchange 2013 SP1 RU5 Hybrid with the current Office 365 wave.


I was recently working with a customer who had Exchange 2010 SP3 on premises but wanted to move all the functionality onto Office 365 whilst keeping Lync 2013/SfB 2015 on premises, as this was the company's telephony system. No sweat, I thought. Well, this blog is a list of my findings and how to actually get it configured. We will start with voicemail and then discuss the auto attendant later on.

Lync 2013/SfB 2015 Enterprise Voice On Premise – Exchange 2010 Sp3/ 2013 CU11 Hybrid with The New Office 365 tenant (Wave 16)

First of all open up a PowerShell shell on your Lync/SfB FE on premises, then run:

  1. Set-CsAccessEdgeConfiguration -AllowFederatedUsers $true
  2. New-CsHostingProvider -Identity "Exchange Online" -Enabled $True -EnabledSharedAddressSpace $True -HostsOCSUsers $False -ProxyFqdn "" -IsLocal $False -VerificationLevel UseSourceVerification
  3. Get-CsManagementStoreReplicationStatus (to ensure replication has occurred between all Lync/SfB servers; make sure they all say True before moving on)
  4. Get-CsHostingProvider -LocalStore to show the following
  5. Cshostingprovider
  6. Set-CsAccessEdgeConfiguration -UseDnsSrvRouting -AllowFederatedUsers $true -EnablePartnerDiscovery $true
  7. New-CsHostedVoicemailPolicy -Identity CloudUM -Destination -Description "Office 365 Voicemail" -Organization "" (ensure you use the tenant name and NOT your on-premises domain, otherwise the traffic will not route and this will not work)

Log onto the O365 Wave 16 tenant

Go to Unified Messaging > UM Dial Plans > New

new um dial

Then Edit the Dial Plan > Configure

For this you should try to match the company's on-premises configuration, but below is an example:


dial codes

outlook voice access

Under the Outlook Voice Access numbers also add the number without the E.164 format and any shorter version such as 3/4/5 digits.


dialling rules

dialling auth


Then on premises in Lync 2013/SfB 2015 you need to create the Exchange UM contact for O365 within Lync/SfB PowerShell:

  • New-CsExUmContact -DisplayNumber +44203XXXXX -SipAddress -RegistrarPool -OU "OU=User,DC=yourcompany,dc=com"
  • Grant-CsHostedVoicemailPolicy -Identity "post the GUID that has been created" -PolicyName CloudUM

Then switch to Exchange Online Powershell

  • Set-UMMailboxPolicy -Identity "Policy Name in O365" -SourceForestPolicy "On Premise UM Policy Name"

Then finally on your on-premises Exchange 2010 SP3 / Exchange 2013/2016 server (note this is only needed if Unified Messaging is already configured on premises, so that migrating a UM mailbox doesn't fail; if you don't run this step the remote move request will fail):

  • Set-UMMailboxPolicy -Identity "On Premise UM Policy" -SourceForestPolicy "Policy Name in O365"

The very last step is to configure the user. If you are setting up UM brand new then carry out the following steps, but if you are migrating a user then ONLY carry this out after the user has migrated to Office 365 or you have suspended the move before completion. Otherwise UM will route to the cloud and, until the mailbox exists there, the voicemail message will never be delivered to the end user, as you cannot have a split with UM in the cloud and the mailbox on premises, or vice versa.

Within Lync 2013/ SfB 2015 PowerShell

  • Grant-CsHostedVoicemailPolicy -Identity "accountname" -PolicyName CloudUM
  • Run Get-CsUser -Identity "accountname" and check that HostedVoiceMail is set to True; if not, run the following command.
  • Set-CsUser -Identity "youraccount" -HostedVoiceMail $true
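Because the same Lync/SfB steps underpin both the voicemail configuration above and the auto attendant post earlier, it helps to read the on-premises side back after the steps are done and confirm each one took. The following is an added example, not part of either post; it runs in the Lync/SfB Management Shell, uses the policy name CloudUM and provider name "Exchange Online" from the steps, and the user identity in the usage line is a placeholder.

```powershell
# Added example, not from the original posts: read back the on-premises Lync/SfB side of the
# UM configuration above and list anything that does not match the numbered steps.
# Run in the Lync/SfB Management Shell. CloudUM and "Exchange Online" are the names used in
# the steps; the user identity passed in is a placeholder.
function Test-CloudUmConfig {
    param(
        [Parameter(Mandatory)][string]$UserIdentity,
        [string]$PolicyName = 'CloudUM',
        [string]$ProviderIdentity = 'Exchange Online'
    )
    $issues = [System.Collections.Generic.List[string]]::new()

    # Steps 1 and 6: federation and partner discovery on the access edge
    $edge = Get-CsAccessEdgeConfiguration
    if (-not $edge.AllowFederatedUsers)    { $issues.Add('AllowFederatedUsers is not $true (steps 1/6)') }
    if (-not $edge.EnablePartnerDiscovery) { $issues.Add('EnablePartnerDiscovery is not $true (step 6)') }

    # Step 2: the Exchange Online hosting provider with shared address space and source verification
    $hp = Get-CsHostingProvider -Identity $ProviderIdentity -ErrorAction SilentlyContinue
    if (-not $hp) {
        $issues.Add("Hosting provider '$ProviderIdentity' not found (step 2)")
    } else {
        if (-not $hp.Enabled)                       { $issues.Add('Hosting provider is disabled') }
        if (-not $hp.EnabledSharedAddressSpace)     { $issues.Add('EnabledSharedAddressSpace is not $true') }
        if ($hp.HostsOCSUsers)                      { $issues.Add('HostsOCSUsers must be $false') }
        if ([string]::IsNullOrEmpty($hp.ProxyFqdn)) { $issues.Add('ProxyFqdn is empty') }
        if ($hp.VerificationLevel -ne 'UseSourceVerification') { $issues.Add("VerificationLevel is $($hp.VerificationLevel)") }
    }

    # Step 3: every replica must report UpToDate before the rest of the change can be trusted
    $stale = Get-CsManagementStoreReplicationStatus | Where-Object { -not $_.UpToDate }
    foreach ($r in $stale) { $issues.Add("Replica $($r.ReplicaFqdn) is not up to date (step 3)") }

    # Step 7: the hosted voicemail policy needs a destination and the tenant name as organization
    $pol = Get-CsHostedVoicemailPolicy -Identity $PolicyName -ErrorAction SilentlyContinue
    if (-not $pol) {
        $issues.Add("Hosted voicemail policy '$PolicyName' not found (step 7)")
    } else {
        if ([string]::IsNullOrEmpty($pol.Destination))  { $issues.Add('Policy Destination is empty') }
        if ([string]::IsNullOrEmpty($pol.Organization)) { $issues.Add('Policy Organization is empty') }
    }
    # Surface the values so the admin can confirm Organization is the tenant, not the on-premises domain
    $polSummary = if ($pol) { "$($pol.Destination) / $($pol.Organization)" } else { $null }

    # Final step: the user is flagged for hosted voicemail and carries the policy
    $user = Get-CsUser -Identity $UserIdentity -ErrorAction SilentlyContinue
    if (-not $user) {
        $issues.Add("User '$UserIdentity' not found")
    } else {
        if (-not $user.HostedVoiceMail) { $issues.Add('HostedVoiceMail is not $true on the user') }
        if ($user.HostedVoicemailPolicy -ne $PolicyName) { $issues.Add("User policy is '$($user.HostedVoicemailPolicy)', expected '$PolicyName'") }
    }

    [pscustomobject]@{
        Ready  = ($issues.Count -eq 0)
        Policy = $polSummary
        Issues = $issues
    }
}

Test-CloudUmConfig -UserIdentity 'sip:user@yourcompany.com'   # placeholder identity
```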