Forum Widgets
Latest Discussions
Will server to server migration work cross-domain/cross-active directory?
Back in 2016, I upgraded a client from Exchange 2008R2 to Exchange 2016. The way I did it was "the textbook way" I built the new Exchange 2016 server on the same network as the 2008R2 server, and migrated the mailboxes from the old server to the new server, using the migration tool in the ECP interface, then deinstalled the server. It was a pretty cake migration except for one problem - the internal AD domain name was "wonkulating.com" however the client had failed to maintain public registration for that domain, and had registered "wonkulatinggronkulator.com" for use on the Internet. So I set it up so that all internal and external access was to "email address removed for privacy reasons" User were happy, and the IT dept was able to kick the migration can down the road again. Well fast forward a decade. Now I'm an employee for the former client and worse I manage the IT group there - so my can-kicking bandaid has come back to haunt me now that it's time to update to exchange SE. (it also adds to the fun that there's a couple hundred more users on the network than there were a decade ago) I decided to cut the Gordion knot and kill off "wonkulating.com" since there's not a snowball's chance in hades we could afford to buy it now. So I built a new AD for wonkulatinggronkulator.com, and did the jiggery pokery with the DNS servers and setup trust between the forests and so on and now, servers on both domains are happy happy, I can apply both wonkulating.com and wonkulatinggronkulator.com security objects to server filesystems, users can login to either domain at any workstation regardless of what domain the workstation was joined to, and so on, and we are getting ready to migrate the users and workstations off the old AD and on to the new AD. My question to all of you is this. I'm planning on installing Exchange SE into the new AD forest wonkulatinggronkulator.com and we will move the users over in groups of 10 or 20 or so, so that staff can make sure everyone is happy, can login, get at their files, etc. But what I am wondering is if the exchange servers will cooperate with each other. I'm not using ADMT or any of that to move user objects over to the new server so userIDs will exist in parallel for some time to allow a gradual migration of file and application servers. (we are too big now for the come-in-on-weekend-and-hose-everything-up-in-a-mad-rush-migration-fueled-with-pizza-and-mountain-dew routine) It would be very nice to just kick off a migration job on one of the mailservers and have the inbox copied over, but if I have to I can tear out the mailbox on the old server into a PST file and jam it into the new server via import. Documentation on microsoft.com seems to say at some points the servers will cooperate with each other and at other points it seems to say each mailserver is atomic. Like most orgs we have a bastion host mailserver that touches the actual Internet, the exchange server is only allowed to provide OWA services to the Internet, while the bastion host server (running Linux, by the way) does the actual heavy lifting of spam scanning and filtering out scam mails. Only cleaned mail is passed to the on-prem exchange server. So if the servers -won't- cooperate cross-forest, then I can adjust mail routing on a per-user basis on the bastion host to send incoming mail to the server in wonkulating.com or the server in wonkulatinggronkulator.com depending on which server they are on. Technically, the ACTUAL user ID on the old AD is WONKULATING\exampleuser while on the new AD it will be WONKULATINGGRONKULATOR\exampleuser, so the servers SHOULD be smart enough to know they are different userIDs - except that the server on wonkulating.com was hacked up by me a decade ago to believe it was authoritative for BOTH "email address removed for privacy reasons" and "email address removed for privacy reasons" email addresses and that they were the same userID basically. So, I don't know what's going to happen until I try it and all of the documentation I can find on this matter is pretty fluffy, as it assumes you are moving from a domain name you own to a different domain name you own because you bought a company or something, or you are moving from one mailserver to the other inside of the same forest/domain. Lastly, suggestions to install Exchange SE into wonkulating.com then move it later into wonkulatinggronkulator.com will be /dev/nulled immediately, I'm done kicking the can down the road. There's more than 20 years of garbage in the wonkulating.com AD and the nonsense described here is just the tip of the iceberg. (you should see the GPO's in wonkulating.com, simply horrifying) Thanks!Reporting Recent Distribution List Changes
A recent discussion about reporting changes to Microsoft 365 groups provoked the question about how to report distribution list changes. The answer is that the same structure can be taken in a PowerShell script to fetch and report data, including the audit records containing the information about the changes, but the actual code is very different. Distribution lists Exchange Online objects and not Entra ID groups… https://office365itpros.com/2026/06/02/distribution-list-changes/
FIX - Outlook 2013,2016,2019 fails open mailbox Exchange 2019 on-prem in offline LAN
Exchange 2019 on-prem + Outlook 2013/2016/2019 in offline LAN Symptoms: - OWA works - ECP works - Autodiscover works - Test-MAPIConnectivity is successful - Outlook profile can be created - Outlook fails to open the mailbox / “Cannot start Microsoft Outlook” / “The set of folders cannot be opened” / “The attempt to log on to Microsoft Exchange has failed” - Environment has no internet connection Root cause: The Windows client had a default gateway configured, but the gateway IP did not respond to ping. In our case the client received 192.168.1.1 as default gateway, but this IP was unreachable in the offline network. Fix: Set the client default gateway to an existing reachable IP address, for example the Exchange/DC server IP 192.168.1.5. Internet access is not required, but the default gateway must be reachable/responding. After changing: Default gateway: 192.168.1.5 DNS: 192.168.1.5 mail/autodiscover DNS or hosts pointing to Exchange 2019 Result: Outlook 2013, Outlook 2016 and Outlook 2019 connected to Exchange 2019 successfully.Tenant-to-Tenant Migration with Orchestrator – Technical Overview (Microsoft 365 | Preview)
Tenant-to-tenant migration with Orchestrator in Microsoft 365 introduces a native, API-driven, and highly validated approach for cross-tenant migrations. It is designed for enterprise scenarios where sequencing, dependencies, and governance are critical. Note: This capability is currently in preview. Features and behavior may change before GA. Architecture and execution model Migration is executed through batches (jobs) managed via Microsoft Graph (Beta) User-level execution: one user failing validation does not block others in the same batch Mandatory Standalone Validation before migration submission Date-driven cutover using completeAfterDateTime Supported workloads (actual scope) Exchange Online Microsoft Teams ODSP (OneDrive for Business) Important clarification on SharePoint Orchestrator does not migrate shared SharePoint content such as Team sites, Channel sites, or collaboration sites. The ODSP workload covers personal user data (OneDrive) only. SharePoint team/workload sites remain out of scope and require separate tooling or processes. Critical prerequisites Identity Mapping (CTIM) is mandatory and must remain stable during migration Target users must not have Exchange mailboxes or OneDrive sites provisioned before migration Licenses must be assigned only after Identity Mapping (ExchangeGuid stamping) Migration apps and service principals (Teams, Meetings, CTMS) must be correctly provisioned Organization Relationships and Migration Endpoints must be in place Exchange autoforwarding must be enabled for Meetings migration Validation and lifecycle Standalone Validation acts as a full “what-if” check Key states include: Cancellation or user removal is possible only before cutover Post-migration cleanup After completion, tenants must be returned to a non-migration state: Remove Identity Mapping data Remove Organization Relationships Remove Migration Endpoints Revoke migration app permissions and service principals Decide whether to retain or remove MailUsers in the source tenant Skipping cleanup leaves the tenant in an exception state. When this approach fits Mergers and acquisitions Divestitures and tenant splits Regulated environments requiring strict control Scenarios where dependency-aware sequencing matters more than speed Technical conclusion Orchestrator is not a one-click solution. It delivers native orchestration, deep validation, and predictable execution when Identity Mapping, licensing order, and scope boundaries are fully understood. For experienced administrators and architects, it represents a major step forward in tenant-to-tenant migrations within Microsoft 365, even while still in preview.HVE for Microsoft 365: When to Use It, When Not To, and Who Should Be Allowed to Send at Scale
Microsoft recently announced the General Availability of High Volume Email for Microsoft 365, also known as HVE, in Exchange Online. This is an important and long-awaited capability for organizations that need to send large volumes of internal email from applications, devices, or line-of-business systems without using regular user mailboxes as bulk-sending engines. But HVE should not be misunderstood. It does not mean that every mailbox in Exchange Online should now be used for mass email. It does not mean Exchange Online has become a general-purpose marketing platform. And it does not remove the need for proper outbound email governance. Why HVE Matters For years, many organizations have used regular Exchange Online mailboxes, shared mailboxes, or service accounts to send automated messages from applications, scanners, monitoring platforms, ticketing platforms, and custom business applications. That approach creates several problems. Standard mailboxes are designed for human and business communication, not for sustained high-volume automated traffic. Exchange Online has recipient limits, message rate limits, outbound spam protections, and tenant-level controls to protect the service and reduce abuse. HVE introduces a more appropriate model for specific high-volume scenarios. Instead of using a normal mailbox for automated traffic, organizations can create dedicated HVE accounts and use specific SMTP endpoints, admin controls, reporting, and governance for approved high-volume internal messaging scenarios. What HVE Is Designed For HVE is designed for automated, operational, and transactional messaging at scale, primarily for internal recipients within the tenant. Examples include: Internal application notifications. Line-of-business system messages. Device-generated messages. Operational alerts. Security advisories. Internal workflow communications. Monitoring platform alerts. IT service notifications. Large-scale internal announcements generated by systems. This is especially relevant when the organization needs to send messages at scale but still wants to keep the workload within Microsoft 365 governance and Exchange Online mail flow. In practical terms, HVE is useful when the sender is not a human user, but a controlled business system. What HVE Is Not HVE is not a replacement for marketing platforms. HVE is not a general-purpose internet bulk email engine. HVE is not a way to bypass Exchange Online sending limits for external campaigns. HVE is not the correct platform for newsletters, promotional campaigns, large-scale customer communication, or high-volume external transactional email. For external transactional, marketing, or customer-facing bulk email, organizations should evaluate platforms designed for that purpose, such as Azure Communication Services Email, SendGrid, Amazon SES, Mailchimp, Brevo, or another specialized delivery platform. When to Use HVE Use HVE when the workload matches these characteristics: The sender is an application, device, service, or business system. The recipients are primarily internal users in the Microsoft 365 tenant. The volume is higher than what should be sent from a standard mailbox. The workload is operational, automated, or transactional. The organization needs centralized Microsoft 365 administration and reporting. The organization wants to avoid impacting user mailbox sending limits. The use case is approved, documented, monitored, and governed. Good examples: A security platform sending internal security advisories. A monitoring system sending infrastructure alerts to internal teams. A business workflow system sending high-volume approval or status notifications. An IT service platform sending internal notifications. A service management platform sending ticket updates to internal users. A device management system sending operational messages to internal teams. When Not to Use HVE Do not use HVE when the workload is external bulk email. Avoid HVE for: Marketing campaigns. Newsletters to customers. Promotional email. Mass external invitations. External transactional email at scale. Customer invoices and receipts in high volume. OTP or password reset flows for external users. External portal notifications. Any workload where deliverability, bounce handling, reputation management, unsubscribe handling, analytics, or customer consent management are required. Those workloads require a platform designed for external delivery, reputation management, suppression lists, opt-out, tracking, bounce handling, and compliance. Who Should Be Allowed to Use HVE HVE should not be enabled casually for every team or every application. It should be treated as a controlled platform capability. Recommended eligible senders: Approved line-of-business applications. Corporate systems owned by IT, Security, Operations, Facilities, or Service Management teams. Managed devices or services with a clear business purpose. Internal platforms that send operational messages to employees. Applications with documented ownership, authentication, monitoring, and expected volume. Recommended non-eligible senders: Normal users. Shared mailboxes used by humans. Marketing teams sending to external audiences. Unmanaged scripts. Legacy systems with no owner. Applications with unknown volume. Systems that send to external recipients at scale. Any application using HVE just to avoid standard mailbox limits. The core principle is simple: HVE should be enabled for workloads, not for convenience. Governance Model Before enabling HVE, organizations should define a governance model. At minimum, each HVE account should have: A named business owner. A technical owner. A documented purpose. Expected daily and monthly volume. Recipient scope. Authentication method. Monitoring process. Incident response path. Decommissioning criteria. Review frequency. HVE accounts should not become invisible service accounts that nobody owns. They should be treated as privileged communication identities. Security and Authentication HVE supports OAuth authentication, and Microsoft provides guidance for restricting OAuth authentication to specific Microsoft Entra ID applications. This is important because organizations should avoid broad, uncontrolled access. They should restrict which applications can send through each HVE account, monitor usage, and separate workloads by purpose. For example: One HVE account for security alerts. One HVE account for monitoring systems. One HVE account for IT service notifications. One HVE account for internal operational communications. This separation improves visibility, investigation, accountability, and risk containment. HVE vs Standard Exchange Online Mailboxes A standard Exchange Online mailbox should be used for normal human communication. A shared mailbox should be used for collaborative business processes. An HVE account should be used for approved high-volume internal system email. A dedicated external delivery platform should be used for marketing, bulk external communication, or high-volume transactional email. Scenario Recommended Platform Human business email Exchange Online mailbox Team or department mailbox Shared mailbox Low-volume application notifications Standard Exchange Online, if approved High-volume internal system notifications HVE Internal operational alerts at scale HVE Marketing campaigns Marketing platform External transactional email Transactional email service Customer newsletters Marketing automation platform OTP/password reset for external users Dedicated transactional platform External bulk email Dedicated bulk email provider HVE and the Mailbox External Recipient Rate Limit Cancellation Microsoft also announced that the Mailbox External Recipient Rate Limit in Exchange Online was cancelled indefinitely. However, that cancellation should not be interpreted as permission to use Exchange Online for uncontrolled bulk sending. Microsoft was clear that other limits remain unchanged, including the existing Recipient Rate Limit and the Tenant-level External Recipient Rate Limit. That distinction is important. The cancellation of one mailbox-level external recipient limit does not remove the need for proper architecture. Exchange Online still has service limits. Outbound spam controls still apply. Tenant-level protections still matter. And HVE is still not a marketing engine. Practical Architecture Decision Before enabling HVE, ask these questions: Who is sending? Is the sender a human, shared mailbox, application, or device? Who are the recipients? Are they internal or external? What is the expected volume? Is the workload operational, transactional, promotional, or human communication? Does the business need Microsoft 365 mail flow and governance? Does the use case require bounce handling, unsubscribe, tracking, or reputation management? Is the application properly authenticated and monitored? Who owns the account? Who approves the sending pattern? Who responds if the account is abused? If the workload is internal, automated, high-volume, and business-approved, HVE may be the right answer. If the workload is external, promotional, customer-facing, or marketing-driven, use a dedicated email delivery platform. Recommended Enablement Approach Organizations should enable HVE in phases. First, identify existing systems currently using user mailboxes, shared mailboxes, or SMTP AUTH for automated sending. Second, classify each workload as internal, external, operational, transactional, marketing, or human communication. Third, migrate only approved internal high-volume workloads to HVE. Fourth, move external high-volume workloads to dedicated email delivery platforms. Fifth, monitor usage and review HVE accounts regularly. This avoids turning HVE into another uncontrolled sending layer. Conclusion High Volume Email for Microsoft 365 is an important addition to Exchange Online. It gives organizations a native way to support high-volume internal system messaging without using standard mailboxes for automated high-volume traffic. But HVE is not a free pass for bulk email. It is not a marketing platform. It is not a replacement for transactional email services. And it should not be enabled for every mailbox or every application. The right approach is workload classification. Use Exchange Online for corporate communication. Use HVE for approved high-volume internal system messaging. Use dedicated platforms for external bulk, marketing, and transactional email. The question is not only: “Can this system send email through Microsoft 365?” The better architectural question is: “What type of email is this, who is the audience, and what is the correct platform for this workload?” That is where proper email architecture begins.
Exchange Server 2019 to Subscription Edition (SE) Licensing and Migration Guidance
1. Current Infrastructure Setup Component Detail Notes Product Microsoft Exchange Server 2019 Enterprise Edition Servers 3 Virtual Servers (VMware) Configured in a Database Availability Group (DAG) Version Cumulative Update (CU) 15 Licenses Server License and 1100 CALs (Standard/Enterprise) Purchased in 2019 without Software Assurance (SA). 2. Core Licensing and Compliance Queries We require definitive guidance on the following compliance and purchase requirements: Software Assurance (SA) Requirement: Is Software Assurance mandatory for our existing Exchange Server 2019 setup for ongoing compliance and full support? Please advise on the status of our current setup without SA. Standalone SA Purchase: As our Exchange Server licenses/CALs were purchased in 2019 without SA, is it possible for us to purchase standalone Software Assurance for our existing Exchange Server 2019 licenses now, or must we purchase a completely new license with SA? Client Access License (CAL) Migration: Will our existing Exchange Server 2019 Standard/Enterprise CALs be compatible and automatically migrate to the Subscription Edition (SE) requirement, or must we purchase new CALs specifically for Exchange Server SE? Please clarify if the old CALs will become obsolete. 3. Recommended Migration Path (Budgeting Focus) Based on the licensing realities, we need advice on the most financially responsible path to move to Exchange Server SE. Please guide us on which of the following scenarios is recommended: Option A: Purchase Software Assurance for our existing Exchange Server 2019 infrastructure, and then migrate to SE, utilizing the same 2019 CALs (if permissible). Option B: Forego purchasing SA for the 2019 environment and directly purchase new Exchange Server Subscription Edition (SE) licenses and corresponding new CALs (if necessary). We look forward to your detailed guidance to ensure full compliance and a smooth transition to Exchange Server SE. Thank you, Narayan Das Senior System AdministratorExchange Hybrid Configuration Wizard - Error 1603 - Connector registration failed
Did any of you encounter this error while installing hcw on an exchange server? Here is the event viewer error details: Connector registration failed: Make sure you are a Global Administrator of your Active Directory to register the Connector. Error: '"The registration request was denied. "'Offboarding mailboxes fails with “PropTagToPropertyDefinitionConversionException.”
Hybrid M365 setup, just recently upgraded the on-prem server from Exchange 2019 to Exchange SE. After doing so, migrations from Exchange Online back to Exchange On-prem fail at 10% with the error “PropTagToPropertyDefinitionConversionException.” I opened a case with M365 exchange support, and after some time, they came back to tell me that the Exchange Online portion of the process is not at fault, and that I have to engage the on-premise support team (this seems a little nuts to me, as its all connected and all supported, but I've been in this business for 30 years now, and it's not the first time I've seen buck-passing), and/or ask this community for help. Hence, this post. That error appears exactly two places on the internet, as far as I can tell: a blog (in German) from an Exchange expert doing cross-tenant migrations, and a page at https://west.jcteams.info/bhit11/docs/EX1232513.html that seems to describe my exact issue. Neither had useful suggestions - mostly, they say this: Set-MoveRequest -Identity "<UserPrincipalName>" -SkipMoving FolderRestrictions Resume-MoveRequest -Identity "<UserPrincipalName>" That didn't actually work, but when I tried the same parameters with Set-MigrationBatch, they worked as long as I ignored the message "The SkipMoving parameter is deprecated. Use the MoveOptions parameter instead. If you have any scripts that use the SkipMoving parameter, update them to use the MoveOptions parameter." So what was a simple process is now a more cumbersome workaround. Does anyone have an idea on how to troubleshoot "PropTagToPropertyDefinitionConversionException?"
About Command Return Values
When I ran the following command in PowerShell, it used to return an `Object` type, but recently it has started returning a `System.Collections.ArrayList` type. Does anyone know why this is happening? ------------------------------------------------------------------ $dg = Get-DistributionGroup -Identity "Group Name" $dg.AcceptMessagesOnlyFromSendersOrMembers.GetType().FullName
