Though this could seem an outdated post, I forgot its core so I will write it down again.
I would like to share some advanced Office 365 troubleshooting techniques I used to investigate problems with sign-in, activation, authentication, installation and update.
Troubleshooting Authentication/Sign-in/Activation Errors
To investigate a random user problem, usually a sign-in prompt, enable Office 365 logging and compare the logs of a “working attempt” with those of a “non-working attempt”.
Launch cmd as administrator and run the following command:
reg add HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Debug /v TCOTrace /t REG_DWORD /d 1 /f
Once the error occurs, collect the following logs from %temp%:
- Office.log
- <appname>.exe.log (where <appname> is the name of the application used for the sign-in attempt, for example, Excel.exe.log or Winword.exe.log)
Remove the regkey added. To do this, launch cmd as administrator and run the following command:
reg delete HKCU\SOFTWARE\Microsoft\Office\15.0\Common\Debug /v TCOTrace /f
Note: if you are, as in my case, in an RDS environment, you should create a GPO to deploy/remove this registry key and cooperate with the users to collect the logs when the error pops up.
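The three steps above as a single script, as an added example that is not part of the original post. The application name, the capture label and the output folder are assumptions; the registry path and log names are the ones given above. Because the key lives under HKCU, the script must run in the affected user's own session, otherwise the value lands in another profile.

```powershell
# Added example (not from the original post): enable TCOTrace, capture one
# sign-in attempt, collect the logs, and always remove the key afterwards.
$debugKey = 'HKCU:\SOFTWARE\Microsoft\Office\15.0\Common\Debug'  # path from the post
$appName  = 'Excel.exe'   # assumption: application used for the sign-in attempt
$label    = 'failing'     # assumption: tag the capture 'working' or 'failing'

$stamp  = Get-Date -Format 'yyyyMMdd-HHmmss'
$outDir = Join-Path ([Environment]::GetFolderPath('Desktop')) "O365Trace-$label-$stamp"

try {
    # Step 1: turn logging on (same effect as the reg add command)
    if (-not (Test-Path $debugKey)) {
        New-Item -Path $debugKey -Force | Out-Null
    }
    New-ItemProperty -Path $debugKey -Name TCOTrace -PropertyType DWord -Value 1 -Force | Out-Null

    Read-Host "Logging is on. Reproduce the sign-in in $appName, close it, then press Enter"

    # Step 2: copy the two logs out of %temp% before they are overwritten
    New-Item -ItemType Directory -Path $outDir -Force | Out-Null
    foreach ($name in 'Office.log', "$appName.log") {
        $src = Join-Path $env:TEMP $name
        if (Test-Path $src) {
            Copy-Item -Path $src -Destination $outDir
        } else {
            Write-Warning "$name was not found in $env:TEMP"
        }
    }
}
finally {
    # Step 3: remove the value even if the capture was interrupted
    Remove-ItemProperty -Path $debugKey -Name TCOTrace -ErrorAction SilentlyContinue
}

Get-ChildItem -Path $outDir -ErrorAction SilentlyContinue
```

Run it once for a working attempt and once for a failing one, changing `$label`, so the two captures end up in separate folders for comparison.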
When you try to access a consumer or old NAS from your brand new Windows 10 Fall Creators Update machine, you will face a network access error.
Due to security issues in the SMB protocol, the new Windows 10 and Windows Server 2016 release 1709 start with some SMB features disabled by default:
- SMBv1 not installed (enable it with Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol)
- SMBv2 Guest Access disabled
As Microsoft states:
In Windows 10 Fall Creators Update and Windows Server version 1709, the SMB2 client no longer allows the following actions:
- Guest account access to a remote server
- Fallback to the Guest account after invalid credentials are provided
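A quick audit of the two defaults listed above, as an added example that is not part of the original post. It assumes an elevated PowerShell session on a Windows 10 1709 or later client; the function name is hypothetical, and the policy registry value it reads is the Group Policy setting for insecure guest logons.

```powershell
# Added audit example (not from the original post). Run elevated.
# Get-SmbLegacyState is a hypothetical helper name.
function Get-SmbLegacyState {
    # SMBv1 client/server optional feature (the one named in the list above)
    $smb1 = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

    # Effective SMB2/3 client setting for guest logons
    $client = Get-SmbClientConfiguration

    # Group Policy override, if one has been deployed
    $polKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\LanmanWorkstation'
    $policy = (Get-ItemProperty -Path $polKey -Name AllowInsecureGuestAuth `
                   -ErrorAction SilentlyContinue).AllowInsecureGuestAuth

    [pscustomobject]@{
        Computer            = $env:COMPUTERNAME
        Smb1FeatureState    = $smb1.State
        InsecureGuestLogons = $client.EnableInsecureGuestLogons
        GuestAuthPolicy     = if ($null -eq $policy) { 'not configured' } else { $policy }
    }
}

$state = Get-SmbLegacyState
$state | Format-List

# Flag machines where the 1709 defaults have been reverted
if ($state.Smb1FeatureState -eq 'Enabled') {
    Write-Warning 'SMBv1 is installed on this machine.'
}
if ($state.InsecureGuestLogons) {
    Write-Warning 'SMB2 guest logons are allowed on this machine.'
}
```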
Windows 10 Fall Creators Update was released and I want to point out some enterprise features we can rely on (most of them are in the Client Hyper-V feature).
Please refer to the Windows 10 Blog to read about all the new features added with this release.
Microsoft are introducing Windows Defender Exploit Guard that helps protect files from unauthorized changes by nefarious applications and your applications from unknown exploits. Additionally, Windows Defender Antivirus now has specific safeguards in place, along with default enhanced coverage that is delivered instantly via the cloud protection service. These and other security technologies protect against persistent ransomware campaigns like Cerber, Locky, and Spora, as well as global outbreaks like WannaCry, and Petya.
Due to the rapid changes in mobile device OSes and Office 365 specifications, Microsoft released a communication telling us to update Apple devices to a newer iOS version for better Outlook for iOS compatibility:
With the release of iOS 11, we want to remind you that Outlook for iOS is supported only in the last two releases of iOS. This means new app updates to Outlook will now only be supported on devices with iOS 10 or iOS 11. How does this affect me? You are receiving this message because our reporting indicates one or more users in your organization are using Outlook for iOS on iOS 9. Devices with iOS 9 are no longer supported. While older versions of Outlook will still work on devices running iOS 9, these devices will not get new app updates after build 2.48. Users can expect a degraded experience of the Outlook for iOS app over time, if they do not stay up-to-date. What do I need to do to prepare for this change? We encourage you to stay up-to-date to maintain the best Office 365 experience.
Certification Authority 2012/2012R2 and XP clients
Some customers still have Windows XP, though it has been out of support since 8 April 2014. I found one of these *#$%§ clients at a site where I have an 802.1x implementation with an Enterprise Certification Authority on Windows Server 2012 R2.
Why did I detail my configuration? Because Windows 2012 and newer raised the RPC security settings even on the PKI CA, and this causes certificate requests from Windows XP/Windows Server 2003 to fail.
When trying to issue a certificate on Windows XP I got the error “The certificate request failed. The permissions on this certification authority do not allow the current user to enroll for certificates.”
At first glance it looks like a permissions issue, but when I verified them on the CA and at the template level they were OK. If we go to the “Failed Request” container on the CA we cannot see any request that has been denied by the CA. This is because the request is never delivered to the server.
So how do we let Windows XP enroll certificates from a Windows 2012/2012R2 Certification Authority?
- Upgrade the Windows clients to a newer OS, as XP is not supported anymore
- Disable Enhanced RPC security for certificate requests
In my case, the first option wasn’t viable.
It often happens that a customer has more than one email domain in their on-premises infrastructure. This should be considered when you plan to deploy AD FS to enable Single Sign-On with Office 365.
With the newest version of Azure AD Connect, the steps to federate on-premises AD DS with Azure AD are fully automated, though the wizard assumes that the domain specified during its steps is the only domain you want to federate (if you need an overview of the Azure AD Connect step-by-step configuration, please refer to Microsoft Docs).
This will disrupt user logins to Office 365 apps. To solve this situation you need to manually change the federation mode configured by the wizard using PowerShell and set it to multi-domain federation.
The scenario: Windows Server 2016 with Hyper-V role enabled.
When I open PowerShell and try to get a list of VMs I run into this error:
get-vm : Hyper-V encountered an error trying to access an object on computer 'S-HV01' because the object was not found. The object might have been deleted. Verify that the Virtual Machine Management service on the computer is running.
At line:1 char:1
+ get-vm
+ ~~~~~~
    + CategoryInfo          : ObjectNotFound: (:) [Get-VM], VirtualizationException
    + FullyQualifiedErrorId : ObjectNotFound,Microsoft.HyperV.PowerShell.Commands.GetVM
The same happens if I try to use Hyper-V Manager and connect to localhost.
Even the Event Viewer didn’t record any error/warning.
Rebuilding WMI solves the problem. Run the command
Sometimes strange things happen. In the past days I faced a really weird issue with a migration from Exchange 2010 to Exchange 2016 for a customer.
I was at the point at which Exchange 2016 should be inserted as the frontend server for all communications: all the Kemp load balancers (LAN and DMZ) were switched and all the checks were OK.
SMTP, ActiveSync, Outlook Anywhere, Autodiscover, ECP and OWA were OK and the authentication between servers worked fine. SMTP mail flow, inbound and outbound, was moved to the brand new servers. I also tested some mailbox migrations and access to OWA and ECP.
That was fine: mailbox migration time! The customer’s person responsible for IT started to migrate some test mailboxes before starting a massive migration, and after a couple of days they had problems accessing Outlook Web Access. It was my turn to check what the problem was.
It sometimes happens that the Exchange Database Content Index switches from Healthy to Fail. The first symptom users experience is Search failing in their Outlook client (even on premises and in Outlook Web Access).
Usually this failure goes unnoticed when everything else is working fine; however, it will eventually begin to cause problems if you have a Database Availability Group (DAG) in place, for example by preventing database switchovers, so it’s good practice to monitor the status.
To achieve monitoring, I’m using a specific PowerShell sensor when customers have active monitoring services (in my case Paessler PRTG); otherwise you can download a useful script provided by Paul Cunningham and adapt it to your needs.