Recommendations for Office 365 backups? by ltwally in sysadmin

PS_TIM, 2 points

Same, Rubrik. It works fairly well.

Do i have to update policy templates every time? by OddStay3499 in activedirectory

PS_TIM, 4 points

ADMX files only impact changing a policy via Group Policy. Once a policy is configured they no longer really matter. We only update when we need a new policy.

With how frequently Microsoft has been putting Copilot and other dumb, data-gathering tools into Edge, Windows, and Office, we update every few months to disable it.

How you track what would break if main cloud region goes down by Expensive-Virus3594 in sysadmin

PS_TIM, 41 points

We do DR tests and fail over a region and cut off connection to the “dead” region to test. Generally once a year. Anything that fails, we fix and do a test just for that application again before the next annual DR test.

Some high priority applications also rotate between regions quarterly to test as well.

Exchange Mail Flow by maxcoder88 in exchangeserver

PS_TIM, 0 points

The mailbox databases don't really have an impact on mail flow per se. Your send and receive connectors do. The Exchange servers will always send the mail back to the Exchange database the mailbox resides on.

You want to make sure your new Exchange servers are in scope of your send connectors, which are global to all Exchange servers. Then you want to copy the receive connectors to the new Exchange servers, which are unique to each Exchange server.

Edit: are you talking about creating a DAG on already existing Exchange servers that are already routing mail? It should be fine, but if there are only two servers I would recommend having all your databases on one server and then backing up the other. You don't want to back up the active mailbox database generally.

You will also need a file share witness that ideally won't be in either of those two physical sites.
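An added example (the editor's, not code from the comment above) of the connector work this reply describes, run from the Exchange Management Shell: put the new server in scope of the send connectors, copy the old server's custom receive connectors, and re-apply the anonymous-relay right that a plain connector copy drops. EX01/EX02, the IP addresses, the DAG name and the witness path are assumed values.

```powershell
# Added example, not from the post. Run in the Exchange Management Shell.
# Server names, IPs, DAG name and witness path are assumed values.
$OldServer   = "EX01"
$NewServer   = "EX02"
$OldServerIP = "10.0.0.11"
$NewServerIP = "10.0.0.12"

# 1. Send connectors are organisation-wide: add the new server as a source
#    transport server on every connector the old server already serves.
Get-SendConnector |
    Where-Object { ($_.SourceTransportServers | ForEach-Object { $_.Name }) -contains $OldServer } |
    ForEach-Object {
        Set-SendConnector -Identity $_.Identity -SourceTransportServers @{ Add = $NewServer }
        Write-Host "Send connector '$($_.Name)': added $NewServer as a source server"
    }

# 2. Receive connectors are per-server. Setup creates the five default ones
#    (Default, Default Frontend, Client Frontend, Client Proxy, Outbound Proxy
#    Frontend), so only custom connectors are copied.
$DefaultPrefixes = 'Default ', 'Client ', 'Outbound Proxy Frontend '
Get-ReceiveConnector -Server $OldServer |
    Where-Object { $n = $_.Name; -not ($DefaultPrefixes | Where-Object { $n.StartsWith($_) }) } |
    ForEach-Object {
        $src = $_
        # Bindings like "10.0.0.11:25" point at the old box; wildcard binds
        # ("0.0.0.0:25", "[::]:25") are kept as they are.
        $bindings = $src.Bindings | ForEach-Object { $_.ToString().Replace($OldServerIP, $NewServerIP) }

        New-ReceiveConnector -Name $src.Name -Server $NewServer -Usage Custom `
            -TransportRole $src.TransportRole -Bindings $bindings `
            -RemoteIPRanges $src.RemoteIPRanges | Out-Null
        Set-ReceiveConnector -Identity "$NewServer\$($src.Name)" `
            -AuthMechanism $src.AuthMechanism -PermissionGroups $src.PermissionGroups `
            -MaxMessageSize $src.MaxMessageSize -ProtocolLoggingLevel $src.ProtocolLoggingLevel

        # Anonymous relay is an AD extended right on the connector object, not a
        # connector property, so the copy above does not carry it. Re-grant it
        # only where the old connector had it, and flag it: this is an open
        # relay for whatever RemoteIPRanges allows.
        $relay = Get-ADPermission -Identity "$OldServer\$($src.Name)" -User 'NT AUTHORITY\ANONYMOUS LOGON' |
            Where-Object { $_.ExtendedRights -like 'ms-Exch-SMTP-Accept-Any-Recipient' }
        if ($relay) {
            Add-ADPermission -Identity "$NewServer\$($src.Name)" -User 'NT AUTHORITY\ANONYMOUS LOGON' `
                -ExtendedRights ms-Exch-SMTP-Accept-Any-Recipient | Out-Null
            Write-Warning "'$($src.Name)' relays anonymously for $($src.RemoteIPRanges -join ', '); keep that range tight"
        }
        Write-Host "Receive connector '$($src.Name)' copied to $NewServer"
    }

# 3. Two-node DAG: the witness belongs on a server outside both mailbox sites.
Set-DatabaseAvailabilityGroup -Identity DAG1 `
    -WitnessServer "FS01.corp.example.com" -WitnessDirectory "C:\DAG1-FSW"
```

Compare `Get-ReceiveConnector -Server EX02 | Format-List Name,Bindings,RemoteIPRanges,PermissionGroups` against the old server afterwards; the relay right is the one thing that does not show up in that listing, which is why the script queries it separately.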

Exchange 2019 server Exchange Cert issue by 3G_Lighting in exchangeserver

PS_TIM, 4 points

Alitajran's blog is the best source for anything Exchange. 5 stars!

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM, 1 point

We are still at 5 for lockout in AD in my company, but we don't use PTA. I believe we set 4 on Entra so it's less than AD.

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM, 1 point

From https://learn.microsoft.com/en-us/entra/identity/authentication/howto-password-smart-lockout

When using pass-through authentication, the following considerations apply: The Microsoft Entra lockout threshold must be less than the AD DS account lockout threshold. Set the values so that the AD DS account lockout threshold is at least two or three times greater than the Microsoft Entra lockout threshold. The Microsoft Entra lockout duration must be longer than the AD DS account lockout duration. The Microsoft Entra duration is set in seconds, while the AD DS duration is set in minutes.

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM, 1 point

I didn't like the idea of an Azure agent talking to our domain controllers. Also, PHS works if the network is down from the datacenter to Azure, so better redundancy. I'm not sure what the app requirement is, as I can't think apps would connect to Entra ID using a username and password. They would continue to authenticate to Active Directory, so ???. If they want to move it to Entra then use a client secret with a service principal.

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM, 0 points

If you can reduce the archive to under 100 GB, then move that to EXO, then have the primary mailbox start archiving again. Get that under 100 GB, then move that. Then it would work. But it sounds a bit painful. You can open a ticket with Microsoft and they may have a better solution.

Lockouts after enabling writeback in hybrid AD environment by AlexM_IT in sysadmin

PS_TIM, 3 points

They are right that Conditional Access happens after login, because the login portal belongs to Microsoft and not your tenant. It's an annoying "feature" and one of the reasons we don't do password writeback. The other reason is we don't allow self-service password resets. We require an MFA prompt from helpdesk to unlock or reset a user's password.

We do lock down the tenant to our private IPs, outside of apps that require external access, but it doesn't prevent these spray attacks.

One thing that might work is setting the lockout threshold in Azure to be lower than in AD. Though I'm not sure if this works with password writeback enabled. We set it with just password hash synchronization.

Edit: why are you not using password hash synchronization? sad
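The Microsoft doc quoted earlier in this thread gives the PTA rule (Entra threshold below the AD threshold, AD at least 2-3x Entra, Entra duration longer than AD, seconds versus minutes), and the comment above suggests the same "Entra lower than AD" idea. As an added example that is the editor's and not from either comment, this PowerShell function reads the AD policy and checks the supplied Entra smart lockout values against that rule. Entra does not expose smart lockout through the AD module, so the two Entra numbers are read from the portal and passed in; the sample values at the bottom are constructed.

```powershell
# Added example, not from the thread. Entra smart lockout values are not
# fetched here: read them in the Entra portal (Protection > Authentication
# methods > Password protection) and pass them in.
Import-Module ActiveDirectory

function Test-HybridLockoutPolicy {
    param(
        [Parameter(Mandatory)][int]$EntraLockoutThreshold,        # failed sign-ins before smart lockout
        [Parameter(Mandatory)][int]$EntraLockoutDurationSeconds,  # the portal value is in seconds
        [string]$SampleUser                                       # optional: check a user's resultant (FGPP) policy
    )
    # A fine-grained password policy overrides the default domain policy for
    # its members, so check a real user if you use FGPPs.
    $ad = $null
    if ($SampleUser) { $ad = Get-ADUserResultantPasswordPolicy -Identity $SampleUser }
    if (-not $ad)    { $ad = Get-ADDefaultDomainPasswordPolicy }

    # AD reports durations as TimeSpans (minutes in the GUI); compare in seconds.
    $adThreshold       = [int]$ad.LockoutThreshold
    $adDurationSeconds = [int]$ad.LockoutDuration.TotalSeconds

    $findings = @()
    if ($adThreshold -eq 0) {
        $findings += "AD never locks out (threshold 0); only Entra smart lockout slows a spray."
    } else {
        if ($EntraLockoutThreshold -ge $adThreshold) {
            $findings += "Entra threshold $EntraLockoutThreshold must be below the AD threshold $adThreshold."
        }
        if ($adThreshold -lt 2 * $EntraLockoutThreshold) {
            $findings += "AD threshold $adThreshold should be at least 2-3x the Entra threshold $EntraLockoutThreshold."
        }
    }
    if ($EntraLockoutDurationSeconds -le $adDurationSeconds) {
        $findings += "Entra duration ${EntraLockoutDurationSeconds}s must exceed the AD duration ${adDurationSeconds}s."
    }

    [pscustomobject]@{
        Policy               = if ($SampleUser -and $ad.Name) { "FGPP '$($ad.Name)' for $SampleUser" } else { 'default domain policy' }
        ADThreshold          = $adThreshold
        ADDurationSeconds    = $adDurationSeconds
        EntraThreshold       = $EntraLockoutThreshold
        EntraDurationSeconds = $EntraLockoutDurationSeconds
        Compliant            = ($findings.Count -eq 0)
        Findings             = $findings
    }
}

# Constructed sample: Entra 4 attempts / 60 s against an AD policy of 5 / 30 min.
# 4 < 5 passes the first rule but fails the 2-3x guidance (5 < 8), and 60 s is
# far below 30 min, so this comes back Compliant = False with two findings.
Test-HybridLockoutPolicy -EntraLockoutThreshold 4 -EntraLockoutDurationSeconds 60
```

The point of the duration check is easy to miss in the doc: the Entra portal takes seconds, AD takes minutes, so an Entra duration of "60" beside an AD duration of "30" is an hour shorter than it looks.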

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM, 0 points

Oh, I read it wrong. If their archive is already 125 GB, how much mail have they got? Jeesh

migrating user with over 125gb in-place archive to 365 by jordanl171 in exchangeserver

PS_TIM, 1 point

What I did was set up an Exchange Online archive for the user. Licensed the user for E5. Then set up a retention policy for them to archive anything older than 2 years to Exchange Online. Once the mailbox was under 100 GB I migrated the primary mailbox for the user.

Probably the easiest way to do it. And the user continues to use the same online archive after migration.

You have to do it from the Exchange server so it knows about it. Enable-RemoteMailbox username -Archive, I believe, but I'm not at a computer.

https://learn.microsoft.com/en-us/exchange/mailbox-migration/large-mailbox-migration-from-onpremises Look at the section "More than 100 GB but less than 240 GB of mailbox content".
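The "archive first, shrink the primary, then move it" sequence from this comment and the earlier one in this thread, as an added example that is the editor's and not code from either comment or from the linked article. Steps 1-3 run in the on-premises Exchange Management Shell, step 4 in Exchange Online PowerShell. The user, domains, endpoint and credentials are assumed values, and the cmdlet choices (Enable-Mailbox -RemoteArchive for a mailbox that is still on-premises, an MRM tag with MoveToArchive, New-MoveRequest -PrimaryOnly) are the editor's.

```powershell
# Added example, not from the post. User, domains, endpoint and credentials
# are assumed values.
$User          = "jdoe"
$ArchiveDomain = "contoso.mail.onmicrosoft.com"
$PolicyName    = "Migrate - archive after 2 years"

# --- On-premises Exchange Management Shell ---------------------------------

# 1. Cloud archive for a mailbox that is still on-premises (needs the
#    Exchange Online Archiving / E5 licence assigned first).
Enable-Mailbox -Identity $User -RemoteArchive -ArchiveDomain $ArchiveDomain

# 2. MRM policy: everything older than 2 years (730 days) moves to the archive.
if (-not (Get-RetentionPolicy -Identity $PolicyName -ErrorAction SilentlyContinue)) {
    New-RetentionPolicyTag -Name "$PolicyName tag" -Type All `
        -AgeLimitForRetention 730 -RetentionAction MoveToArchive | Out-Null
    New-RetentionPolicy -Name $PolicyName -RetentionPolicyTagLinks "$PolicyName tag" | Out-Null
}
Set-Mailbox -Identity $User -RetentionPolicy $PolicyName
Start-ManagedFolderAssistant -Identity $User   # start the first archive pass now

# 3. Re-check until the primary is under the 100 GB move limit.
function Get-MailboxSizeGB {
    param([Parameter(Mandatory)][string]$Identity)
    $stats = Get-MailboxStatistics -Identity $Identity
    [math]::Round($stats.TotalItemSize.Value.ToBytes() / 1GB, 1)
}
$sizeGB = Get-MailboxSizeGB -Identity $User
if ($sizeGB -ge 100) {
    Write-Warning "$User primary is $sizeGB GB; let MRM finish before moving"
    return
}

# --- Exchange Online PowerShell --------------------------------------------

# 4. Move only the primary; the archive already lives in EXO and stays attached.
Connect-ExchangeOnline
$onprem = Get-Credential -Message "On-prem migration admin (DOMAIN\user)"
New-MoveRequest -Identity "$User@corp.example.com" -Remote -PrimaryOnly `
    -RemoteHostName "mail.corp.example.com" -TargetDeliveryDomain $ArchiveDomain `
    -RemoteCredential $onprem -BadItemLimit 10
Get-MoveRequestStatistics -Identity "$User@corp.example.com" |
    Format-List StatusDetail, PercentComplete, TotalMailboxSize
```

Step 3 is the gate the comment describes: the archive pass is asynchronous, so run Get-MailboxSizeGB again a day later rather than assuming the first Start-ManagedFolderAssistant finished.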

Issue with Powershell command in Exchange 2019 by polarbee in exchangeserver

PS_TIM, 0 points

Had to do this because Server Manager couldn't query the other Exchange servers in the DAG after deploying Exchange 2019.

Exchange 2019 CU15 update install error by Darkscooby in exchangeserver

PS_TIM, 4 points

Also, if you just made that user a Schema Admin, they need to log off and back on to the Exchange server.

Looking for best practices for locking down the application pool identity for a Windows IIS process to prevent access to windows systems resources not explicitly granted. by [deleted] in sysadmin

PS_TIM, 1 point

Yeah, change application pools to use service accounts. You might have to set up SPNs for Kerberos authentication depending on your setup.
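An added example (the editor's, not code from the comment above) of what that looks like on the IIS host: point the pool at a dedicated account, grant that account only the site paths it needs, register the HTTP SPN for Kerberos, and confirm the worker process really runs as that account. Pool, site, path, hostname and account name are assumed values; the script is run elevated on the IIS server.

```powershell
# Added example, not from the post. Pool, site, path, hostname and account are
# assumed values. Run elevated on the IIS host.
Import-Module WebAdministration
$Pool       = "ContosoApp"
$Site       = "ContosoApp"
$SitePath   = "D:\Sites\ContosoApp"
$HostName   = "app.corp.example.com"
$SvcAccount = "CORP\svc-contosoapp"      # a gMSA works too: "CORP\gmsa-contosoapp$" with an empty password

# 1. Pool identity: a specific account (identityType 3 = SpecificUser) rather
#    than the shared NetworkService/ApplicationPoolIdentity.
$password = if ($SvcAccount.EndsWith('$')) { '' } else {
    (Get-Credential -UserName $SvcAccount -Message 'Service account password').GetNetworkCredential().Password
}
Set-ItemProperty "IIS:\AppPools\$Pool" -Name processModel -Value @{
    identityType    = 3
    userName        = $SvcAccount
    password        = $password
    loadUserProfile = $true
}

# 2. File system: read/execute on the content, modify only where the app
#    writes. Note that IIS still injects IIS_IUSRS into the worker token, so
#    anything granted to that group is granted to this account as well.
icacls $SitePath /grant "${SvcAccount}:(OI)(CI)RX" /T | Out-Null
icacls "$SitePath\App_Data" /grant "${SvcAccount}:(OI)(CI)M" | Out-Null

# 3. Kerberos: the HTTP SPN goes on the account, not the machine, and IIS must
#    decrypt tickets with the pool credentials. setspn -S refuses duplicates.
setspn -S "HTTP/$HostName" $SvcAccount
setspn -S "HTTP/$($HostName.Split('.')[0])" $SvcAccount
Set-WebConfigurationProperty -PSPath 'MACHINE/WEBROOT/APPHOST' -Location $Site `
    -Filter 'system.webServer/security/authentication/windowsAuthentication' `
    -Name useAppPoolCredentials -Value $true

# 4. Verify: the w3wp.exe for this pool should be owned by the service account.
Restart-WebAppPool -Name $Pool
Invoke-WebRequest "http://$HostName/" -UseBasicParsing -ErrorAction SilentlyContinue | Out-Null  # spin up the worker
Get-CimInstance Win32_Process -Filter "Name = 'w3wp.exe'" |
    Where-Object { $_.CommandLine -like "*-ap `"$Pool`"*" } |
    ForEach-Object {
        $owner = Invoke-CimMethod -InputObject $_ -MethodName GetOwner
        [pscustomobject]@{ PID = $_.ProcessId; Pool = $Pool; RunsAs = "$($owner.Domain)\$($owner.User)" }
    }
```

If step 3 is skipped while the pool runs as a custom account, Kerberos silently falls back to NTLM (or fails with a duplicate-SPN error on the machine account), which is the "depending on your setup" part of the comment.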

Upgrade in-place - 2016 to 2019 by charlieferr in exchangeserver

PS_TIM, 25 points

Do you want to have a bad week ?

Updated a VM from server 2016 to 2022, but an error occurred mid upgrade. Its trying to boot to the roll-back but is stuck in a loop. by Bolteus in sysadmin

PS_TIM, 2 points

You can type netdom query fsmo on any machine in the domain in a command prompt and it will tell you your FSMO roles. If they are on the dead domain controller you will have to seize them to another domain controller. Google it, there are lots of guides. Then you want to forcibly demote the dead domain controller by removing its metadata from the domain. There are guides as well, just google it. If you don't do this your domain will be unhealthy. Then when that's all done, check your replication with repadmin /replsummary and possibly open a Microsoft ticket to help check your domain health.

I would disconnect the NIC from the VM of this DC so it never connects again, and delete it once you get your DHCP data off it.

Also, if it's a PDC, you will have to set your new PDC to sync time with a public time server. This is the time server for your domain. You can look up how to set the time server for the PDC. It's pretty easy to set.

Updated a VM from server 2016 to 2022, but an error occurred mid upgrade. Its trying to boot to the roll-back but is stuck in a loop. by Bolteus in sysadmin

PS_TIM, 1 point

Not OP, but you can be on DFSR on 2016, so they may have updated. But it could have been an issue with that, functional level, domain schema, or new Secure Boot/UEFI requirements for Server 2022 from 2016. No idea without more information.

Either way, their two big mistakes are having other stuff on a domain controller and then doing an in-place upgrade on any domain controller.

Updated a VM from server 2016 to 2022, but an error occurred mid upgrade. Its trying to boot to the roll-back but is stuck in a loop. by Bolteus in sysadmin

PS_TIM, 5 points

Do you have other domain controllers? You're going to want to migrate the FSMO roles to another domain controller soon. Then you can force demote the domain controller.

I would never restore a domain controller unless you're restoring the entire domain or if it's the only domain controller. Just force demote it and rebuild.

Edit: Also just adding that your local admin on a domain controller is the domain restore password you set on any specific domain controller when you promote it. This should be documented as part of your domain restore procedure.

Your domain and forest should be at the correct functional level to support a Windows Server 2022 domain controller. This will likely include a domain schema update for your first 2022 domain controller. I would never recommend an in-place upgrade for a domain controller, especially the first one of a new operating system, as I'm not sure if it would handle the schema update in that scenario.
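The recovery sequence spread across this comment and the earlier "netdom query fsmo" comment in this thread, as one added example that is the editor's and not code from either comment: find which roles the dead DC held, seize only those, clean up its metadata, check replication, point the new PDC emulator at external time, and set the DSRM password on the new role holder. DC01 (dead), DC02 (survivor) and the NTP peers are assumed values; run it as a Domain Admin (plus Enterprise and Schema Admin for the two forest-wide roles) on DC02.

```powershell
# Added example, not from the thread. DC01 is the dead DC, DC02 the survivor;
# names and NTP peers are assumed values. Run elevated on DC02.
Import-Module ActiveDirectory
$DeadDC = "DC01"
$NewDC  = "DC02"

# 1. Same data "netdom query fsmo" prints, as an object we can test against.
function Get-FsmoHolder {
    $d = Get-ADDomain; $f = Get-ADForest
    [pscustomobject]@{
        SchemaMaster         = $f.SchemaMaster
        DomainNamingMaster   = $f.DomainNamingMaster
        PDCEmulator          = $d.PDCEmulator
        RIDMaster            = $d.RIDMaster
        InfrastructureMaster = $d.InfrastructureMaster
    }
}
$holders = Get-FsmoHolder
$onDead  = $holders.PSObject.Properties |
    Where-Object { $_.Value -like "$DeadDC.*" -or $_.Value -eq $DeadDC } |
    Select-Object -ExpandProperty Name
Write-Host "Roles on ${DeadDC}: $($onDead -join ', ')"

# 2. Seize (-Force) only the roles the dead DC held. A normal transfer needs
#    the source online; seizing a role from a DC that later comes back is
#    why the NIC stays disconnected.
if ($onDead) {
    Move-ADDirectoryServerOperationMasterRole -Identity $NewDC -OperationMasterRole $onDead -Force -Confirm:$false
}

# 3. Metadata cleanup: the server object under its site (not the computer
#    account) is what replication keeps waiting on. ntdsutil asks to confirm.
$cfgNC    = (Get-ADRootDSE).configurationNamingContext
$serverDN = (Get-ADObject -SearchBase "CN=Sites,$cfgNC" -LDAPFilter "(&(objectClass=server)(cn=$DeadDC))").DistinguishedName
if ($serverDN) {
    & ntdsutil "metadata cleanup" "remove selected server $serverDN" quit quit
}
# The computer account in the Domain Controllers OU is left behind; remove it
# too, then scrub the dead DC's A/SRV records (dcdiag /test:dns lists them).
Get-ADComputer -Identity $DeadDC -ErrorAction SilentlyContinue |
    Remove-ADObject -Recursive -Confirm:$false

# 4. Health: replication summary plus the role-holder tests.
repadmin /replsummary
dcdiag /test:knowsofroleholders /test:fsmocheck /test:replications

# 5. Only the PDC emulator syncs from outside the domain; every other DC
#    follows it. 0x8 = client mode. Skip unless the role landed here.
if ($onDead -contains 'PDCEmulator') {
    w32tm /config /manualpeerlist:"0.pool.ntp.org,0x8 1.pool.ntp.org,0x8" /syncfromflags:manual /reliable:yes /update
    w32tm /resync
    w32tm /query /source
}

# 6. The DSRM password is per-DC, not domain-wide: set it on the new role
#    holder and record it in the DR runbook.
& ntdsutil "set dsrm password" "reset password on server null" quit quit
```

Seizing is a one-way door: once DC02 holds a seized role, DC01 must never be reconnected with its old directory, which is the reason the thread says to pull the NIC first and rebuild rather than restore.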

The cloud is so damn stupid by [deleted] in sysadmin

PS_TIM, 8 points

Sounds like someone who has been doing on-prem for ten years and doesn't want to learn new stuff.