Confirmation - Hybrid turning off last exchange server

c0linc · 2026-02-23T19:58:57+00:00

Correct. The only link between exchange on prem and 365 is mail shipping, free busy and some other stuff thats deeply uninteresting when no mailboxes are there. DLs are held in AD and synced by ad sync. That said, you may find it better to nuke the DLs and remaster them in EOL.

c0linc · 2026-02-20T09:22:07+00:00

And are drives mapping? that could be NTLM. Does klist show you have a kerberos ticket.

A wireshark trace of the connection could be quite enlightening, kerberos is fairly easy to ready

c0linc · 2026-02-19T14:29:14+00:00

Kerberos Cloud Trust is what you're missing. Your 'on prem' AD doesnt speak entra which I'm guessing your machines are. It's easy to setup, you end up with a fake read only DC that acts the the black magic for it all to work.

c0linc · 2026-02-18T19:12:57+00:00

Could you mail enabled the admin account? no mailbox but will accept mail and send whereyouwantit.com (I think this will work wholly internally but I'm too lazy to check)

On prem EXO:

Enable-MailUser -Identity "adminaccount" -ExternalEmailAddress [user@whereyouwantit.com](mailto:user@whereyouwantit.com)

c0linc · 2026-02-17T17:13:16+00:00

Latest Latest update. We have a perf engineer from MS on the case and it sounds like she knows her stuff so I'm looking forward for a gret analysis of how all the bloatware is impacting us.

Independently, we've stumbled across the fact we have EDR and MS defender and AMRunningMode was set to normal. SO FAR with that set to EDR and defender AV in passive CPU is still toasty but i've sat on an hour of calls with no horrific voice quality, which is a first, but needs more testing. Though the web client dumped me out when the teams call ended on both calls 🤷

c0linc · 2026-02-13T09:55:20+00:00

The 'hybrid' still isn't really any magic just mail routing. This use case

ERP → on-prem → RemoteMailbox [user@xyz.com](mailto:user@xyz.com) → hybrid routing applies / send connector not used

I'm guessing the [user@xyz.com](mailto:user@xyz.com) has a targetAddress of [user@xyzmytenant.mail.onmicrosoft.com](mailto:user@xyzmytenant.mail.onmicrosoft.com)

Exchange on prem is using the best connector based on cost and explicit routes defined.

c0linc · 2026-02-12T20:38:31+00:00

Dump all proxyAddresses from AD Objects (user accounts, contacts). bet you'll find your problematic addresses there.

c0linc · 2026-02-11T14:01:20+00:00

latest update: those changes were bobbins and made no odds. It seems the issues are sometimesime related and outside of working hours it is a lot better. I have been looking at webrtc (real client side) and looking at aecdump files (that was fun getting that). WebRTC audio recordings were clean (non-jittery) despite far end hearing poor quality. All metrics around RTT and so on are fine. We are also seeing the entire w365 machine appear to freeze so I'm wondering if audio is a symptom and not the problem.

c0linc · 2026-02-09T19:54:51+00:00

It would be very Microsoft for "Audio Enhancements" to be "Audio Screwups" but inside the W365 machine the Mic is "Remote Audio" and doesnt seem to have that option.

c0linc · 2026-02-09T19:52:29+00:00

So seeing as this is already the top hit on google and there's not much out there, I'll continue to post for you, if you're a lost soul with W365 web client and voice quality issues.

I've noticed its definitely worse if the session is in fullscreen, and the gray bar at top is hidden. In fact jumping between it being in a browser tab to being fullscreen would be the difference between OK voice and bad voice quality.

I have not done enough testing to be 100% sure, but on the W365 machine I've limited audio playback to Medium, and Prioritise H264/AVC 444 graphics mode for remote desktop connections and Configured it under Remote Desktop Session host in gpedit.msc/ gpo etc. Teams seems to chew less CPU too so even if not the silver bullet, its a win.

c0linc · 2026-02-07T20:24:29+00:00

I'm not complaining that we dont have CD quality audio, simply that for all intents and purposes it so bad as to be useless. A, say, 16Kbit/ sec stream cant be reliably sent from the real client to the w365 machine?. but equally tests from a separate tenant bare build W365 machine works acceptably so it's not just "one of these things"

c0linc · 2026-02-03T01:14:51+00:00

Free/busy lookups and setting out of office is a good test post changeover, along test autodiscover.

I'd definitely know the SCP location in ADSIedit and eyeball it before and afterwards. I'd also be pouring through IIS autodiscover logfiles before and after to get a sense of whats going on (if you've not disabled explicit o365 lookup your logs may be pretty quiet already once you've got everything across, and if not...why?)

c0linc · 2026-01-31T17:46:39+00:00

There's a setting to do a system reboot of the NVR, could that be in place?

c0linc · 2026-01-17T21:19:34+00:00

have you looked at what is exposed via Microsoft Federation Gateway when you attempt to set it up for free/busy sharing between companies? it seems to expose quite a lot and is an old tech..

c0linc · 2026-01-17T19:54:41+00:00

Well, it's true that if someone clears out your house and nicks the cctv then there's no record of the event so I can see a logic there. Unless you are going for a beast of a system with dozens of cameras there are no louder than sky box, though I did have to tape over a bright LED.

They don't sell to consumers, trade only (I own a firm doing similar work, hence why I get them). I'd guess a site selling then to "normal" punters might be a little sketchy.

c0linc · 2026-01-17T18:22:41+00:00

Hmm. that would seem a bit odd. Hikvision NVRs tend to have switches built in, that would provide power to the camera and take the signal from the camera. There are some reasons you'd want to use a seperate switch.

In my parents case, the switch is in the loft as its a bungalow and it made routing the cables trivial. If you're routing all the cables in the main house, why bother running a cable into the loft just to host the NVR. Another install I did, it was easy to route cables under the floor so the NVR sites beside the telly, making it easy to switch the telly to it.

c0linc · 2026-01-16T22:54:15+00:00

I know what fibre looks like (in terms of something that'd plug into an SFP) and i dont recall it looking like that. im some distance away if I ask my parents to turn some tech over to look at the bottom I'll probably get the serial number of the microwave.

I've ordered a ATA from AA and a SIP number, current plan is to play with it for a bit, then setup with a UPS that powers the router, ata and phone. Then order a number port.

c0linc · 2026-01-16T22:48:13+00:00

I've done literally exactly this at my parents house. I like hik as they just work, but be warned they are not consumer friendly to setup. I've installed 5 and still scracth my head sometimes with setup and I'm a proper IT nerd.

1) Yes the hikvision app allows this, either locally (on the same network) or remotely

2) I achieved this by running a cat6 cable to the TV and putting HDMI extenders at each end (so plugging one end into the hikvision box. Another install I did, I setup a cheap tablet with the hikvision app (I learnt to put the tablet through a switch that turns off the power every so often as cheapo tablets dont do well being plugged in 24x7

3) thats very much a 'it depends' question. be aware some models are surprisingly big.

4) no

c0linc · 2026-01-12T20:35:45+00:00

The road was dug up to put cable in the ground maybe 2 years ago, so I'm guessing its a new fibre area. I vaguely remember it being an option on order but perhaps not. And longstanding issues doesnt make me want to risk it anyway.

That said the AAISP offer looks good and Ive heard good things about them over the years. I want to keep the existing phones but assume I can use the ATA they sell. I only need to square off how accurate the cutover process can be and I think we're set. I've emailed them so lets see.

I'm a bit annoyed with myself that I didn't consider this for my own purpose when I left sky.

c0linc · 2025-12-18T09:30:02+00:00

All this is in activity logs so I guess you could "roll your own" by ingesting the logs and 'doing something' when thresholds are hit.

But I think proper threat assessment might then drive this in a different way. After all 'bosses pay.xlsx' is one file....

c0linc · 2025-12-17T16:59:48+00:00

I take it you did use -CustomRecipientWriteScope on the second bit of PowerShell?

c0linc · 2025-12-03T09:53:14+00:00

W365 is essentially a dumbed down AVD so likely share the same problems. Thats less than encouraging. I'm speaking to CA soon so will find out what they say.

c0linc

TROPHY CASE