Skype For Business Online PowerShell Cheat Sheet

There are just some things you can’t do inside the Office 365 portal. Exchange Online has matured to the point where remote PowerShell works perfectly and loads all of the cmdlets over the wire. Skype for Business Online is still building to that point. You need the separate PowerShell module ( ) to get started, and while installing it is the easy part using it takes a little bit of work. Here are a cheat sheet I’ve put together.

How to Connect

If you install the Skype for Business PowerShell module and try to load it in the Skype for Business Administrative Shell, you must use the -AllowClobber switch with running Import-PSSession ( Otherwise the Skype for Business on-premises cmdlets leach thru in place of the Online ones. Here’s the connection script that I usually save in a PowerShell file for quick launching:

Import-Module SkypeOnlineConnector
$cred = Get-Credential
$CSSession = New-CsOnlineSession -Credential $cred
Import-PSSession $CSSession -AllowClobber

Always have a cloud-only account (<tenant> available for emergency situations.

In a Single Sign-On environment ( you’ll have a back door if on-premises is down. Once directory synchronization is setup, administrators grant their domain account (<user>@<yourdomain>.com) Global Administrator rights for daily tasks. Nothing wrong with this, but it can cause Problem #1

Problem #1 – LyncDiscover

When trying to setup Skype for Business Hybrid using your domain account, Skype for Business Online PowerShell doesn’t resolve the Cloud and instead the on-premises lyncdiscover.<yourdomain>.com. This cases a 503 error when trying to login.

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred

Get-CsPowerShellEndpoint : The remote server returned an error: (503) Server Unavailable
At C:\Program Files\Common Files\Skype for Business
Online\Modules\skypeonlineconnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+ … $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCm

This is a scenario where you will want to use that cloud-only account to sign in for an administrative tasks.

Problem #2 – The New Tenant

With a new Skype for Business Online tenant, even if you have users in your Office 365 tenant and have assigned them a Skype for Business Online license, there’s still that last bit of configuration that doesn’t seems to happen behind the scenes until at least 1 user logs in. If you don’t, when you go to connect to Skype for Business Online PowerShell you’ll get a 404 error:

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred

Get-CsPowerShellEndpoint : The remote server returned an error: (404) File Not Found
At C:\Program Files\Common Files\Skype for Business
Online\Modules\skypeonlineconnector\SkypeOnlineConnectorStartup.psm1:94 char:26
+ … $targetUri = Get-CsPowerShellEndpoint -TargetDomain $adminDomain
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Get-CsPowerShellEndpoint], WebException
+ FullyQualifiedErrorId : System.Net.WebException,Microsoft.Rtc.Management.OnlineConnector.GetPowerShellEndpointCmdlet

Once everything is tied together, you’ll achieve a successful sign on to Skype for Business Online PowerShell!

PS C:\Users\user> $CSSession = New-CsOnlineSession -Credential $cred -Verbose
VERBOSE: Determining domain to admin
VERBOSE: AdminDomain = ‘’
VERBOSE: Discovering PowerShell endpoint URI
VERBOSE: TargetUri = ‘’
VERBOSE: Requesting authentication token
VERBOSE: Success
VERBOSE: Initializing remote session
VERBOSE: Success

Exchange Online 2016 Hybrid Guidance & Architecture

After doing quite a few Exchange Online hybrid deployments, I decided that it was time to do what I do best – build a design template so I don’t have to continue to reinvent the wheel for each project. I’ve done this for Exchange, Active Directory and SCCM audit documentation, but those are stories for another day…

In a typical scenario we’re taking an existing, highly available Exchange 2010 environment that is protected behind their own spam filtering devices (so this could change and be a services, no problems) and adding a secondary Exchange hybrid server dedicated for this purpose – be it Exchange 2013 or even Exchange 2016. I’ve deployed a few of these already and they work great, think Exchange 2013 SP2 but with better results. More of that in a moment.

But you ask “why not just run Hybrid on the existing Exchange servers? The biggest one is that the Hybrid wizard on Exchange 2010 hasn’t gotten any better since SP3. Sure the Cumulative Updates have fixed some bugs but with Exchange Online running on the Exchange 2016 build, the gap is getting wider in regards to the success rate of being able to run thru the Hybrid Wizard the first 5-6 times without having to go back and fix issues (or create new ones).

Or, let’s say that eventually you’ll be migrated to Exchange Online, you’ll have your MX records flipped, most likely using Exchange Online Protection (and the rest of the stack), but may still have that need to run some mailboxes on-premises, or you want a nice GUI to provision your users / groups (yes, you CAN run without a Hybrid server but we’re talking a LOT of Powershell), or you have a LOT of SMTP endpoints and switching them all to the Cloud for relay just doesn’t make sense. Having a newer version of Exchange in the environment that’s NOT on extended support.makes the most sense.

There are some “gotchas” however: as of Exchange 2013 CU8 Microsoft has introduced their new hybrid wizard – and let me tell you this thing it’s amazing. Of course now with Exchange 2016 its built in.


Once of the previous “gotchas” with Exchange 2013 hybrid was the requirement to flip all of the CAS traffic over on day one to make things work/ Now, with Exchange 2016, this is no longer a requirement. More on that over at the Technet blog. The only thing you have to remember is that if you keep your existing Exchange 2010 environment, and still have Autodiscover pointed there, you’re going to run into a few issues: free/busy will be broken, migration batches will be broken, however mail flow will still work, and the only way to move a mailbox is thru New-MoveRequest.

This is because when you create the organization relationship, even in Exchange 2016, it does NOT use the organization FQDN you’ve specified but instead populates with the typical autodiscover URL.


To fix this, you need to run:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetAutodiscoverEpr ""

There are a few instances that have been documented as well where you also need to run:

Get-OrganizationRelationship | Set-OrganizationRelationship -TargetSharingEpr ""

There’s also a great blog post that goes into troubleshooting Authentication on the Exchange 2010 side as well, where Negotiate authentication (which is there by default but against best practice) can cause Cloud -> On-Premises authentication issues.

So you’ve seen some pretty compelling reasons to deploy Exchange 2016 for your hybrid environment. Whether it be in a Federated or Synchronized identity model, and with in conjunction with AD Connect for directory synchronization, you can get setup with hybrid easer than ever.

Also Microsoft has recently updated the Exchange Hybrid Product Key Distribution wizards so you can finally deploy Exchange 2016 in an Exchange 2010 environment as your Hybrid server and be covered under Microdot proper licensing and support. You can grab your key at:


So without further adieu, here is version 2 of my EO Hybrid architecture.


Deep Dive in On-Premises Public Folder Hybrid with Exchange Online

Public Folders have been on the way out ever since Exchange 2007 but there are still organizations that are slow to migration to “better” options (IE, Shared Mailboxes or Sharepoint sites).

Previous processes required migration before moving mailboxes however the Hybrid process will allow the migration of end user mailboxes up to Exchange Online while at the same time providing additional time for moving the data to other options.

The biggest “gotcha” of this scenario requires the configuration of the CAS role to be added to the server hosting the public folder database

The key comment in the Technet blog spelling this out starts with:

The addition of the CAS role will ensure public folder replica referrals happen appropriately if a folder a user is accessing does not have a local replica in the PFDB.

Exchange Online uses RemotePublicFolderMailboxes on the on-premises server with the public folder database in conjunction with the Client Access Server role.
We also need a dedicated mailbox database and mailbox because of how RPC client traffic is relayed thru this role.
In an Exchange 2010 CAS array environment, mailbox databases are stamped with the array name. This won’t work in routing RPC client access traffic properly, thus the separate database.

I had the priviledge of setting this up in an Exchange 2010 hybrid environment and wanted to share a few “gotchas” I encountered.
Let’s take our Mailbox server with the Public folder database, OCEX04


Continue reading “Deep Dive in On-Premises Public Folder Hybrid with Exchange Online” »

New Job, New Updates

Monday July 6th I started a new position here in Minneapolis with Concurrency, a rapidly growing consulting firm here in the Midwest and recently announced Microsoft National Solution Provider (NSP) – a very elite designation in the Microsoft consulting space that only a few dozen partners in the US land on in recognition for their deeply rooted partnership. I’m excited to be onboard!

I’ll have the opportunity to dig more into the UC space, which is something that I’ve been longing to do over the past 4 years, and tackling another big goal of mine – MCSE: Communication! It’s all around Lync….err…. Skype for Business (S4B), and will aid me as I work on Enterprise Voice implementations in my new role at Concurrency.

As part of preparation for these Microsoft certifications, I’ll also be updating and refreshing my lab environment. I’ve already put some needed updates to my Integrating Exchange 2013 + Lync 2013 for UCS & OWA integration post to account for updates and configuration changes. I hope to have more out of the door here shortly as well on Office 365 and the upgrade process to S4B!

Exchange Recipient Types and Office 365 – Setting Active Directory attribute values

In doing some digging for a recent post on Online Archives I found that I had to dig around multiple places on the internet (primary Technet blogs) to find exactly what each of the Active Directory attribute values around Exchange recipient types mean.


So instead of multiple places, here they are all in one!

Continue reading “Exchange Recipient Types and Office 365 – Setting Active Directory attribute values” »

Enabling Exchange Online Archive give error “Primary mailbox is located on an on-premises server”

So I’m deep in the throws of an Office 365 project, and after going thru the process of setting up Exchange Hybrid with on-premise ADFS, testing mailflow, and performing a mailbox move, the next step was working on Retention Policies to migrate email older than 1 year from their Primary Mailbox with 50gb storage to their Online Archive with 100GB of storage.

I tried to enable the archive from the Exchange Online portal as well as thru Exchange online Powershell but didn’t have any luck. With Powershell I was getting the message:

"Can't enable the archive for user because their primary mailbox is located on an on-premises server. To enable a cloud-based archive mailbox for this user, you must use your on-premises Exchange admin center or Exchange Management Shell."

I found this particularly odd because, well, the mailbox WASN’T on-premises any more nor was there any kind of archive mailbox enabled for my test acount.

After digging for hours (which is typically the catalyst for most of these posts) I came across a solution through the Office 365 community which detailed out adjusting the source AD user’s object on-premises attributes in order for the Archive to come online. Again, since this was a hybrid identity design, on-premises Active Directory was the source of truth and directory synchronization was in place to populate the objects in Azure AD / Office 365.

First, we need to modify the msExchArchiveName attribute to reflect the archive name (this can be whatever we want), as well as modify the msExchRemoteRecipientType to 3.

We’ll leave the msExchRecipientDisplayType and msExchRecipientTypeDetails as is – you can find what these means in a post I made here.

Once completed, force a Dirsync

Once complete, we run the Exchange Online powershell to see that the Get-Mailbox command to see the archive has been created

And that Outlook shows our online archive (with the name that we provided)


MDM in Office 365 Getting Closer to the Big Stage

After Microsoft announced that they would be rolling out the Mobile Device Management integration within Office 365 back in April, we’re finally starting to see the Mobile link show up into client’s portals.

Once Microsoft is done “setting things up for you” (which in the most recent case for me was a few days before it was done) you’ll see the MDM “dashboard”

There are still a few final steps that are required before you’re ready to start connectivity: setup DNS records & configure an APN (Apple Push Network) certificate

The keys to enabling this functionality rest in the Enterprise Mobility Suite (EMS) license, which essentially gives you:

  • Azure AD Premium
    Full AD management from the cloud. Allows IT to manage on premise password sync / write-back (here now) with self-service, user/group/device creation & attribute change (in preview with AD Connect), and provide multi-factor authentication
  • InTune
    Manage device policies and software, as well as access to corporate resources
  • Azure Rights Management
    Encrypt files, control access, and email encryption (in conjunction with Exchange online)

You’ll see the Mobile Device Management license type in the Office 365 portal

This backends in conjunction with the EMS license you’ll find in the Azure AD portal

Microsoft has been giving customers renewing their EAs a sweetheart deal by providing them the Enterprise Cloud Suite license, which includes the E3/G3 license as well as the EMS licenses bundled together. They’re trying to gain some hot & heavy traction in the MDM space this year, getting their foot in the door with the Gartner quadrant!

For for about the toolset available within the Office 365 portal, Microsoft has gone into detail with tasks as well as capabilities of MDM on the MDM TechNet page. Further capabilities are extended once you start integrating InTune with SCCM.

Office 365 Click-to-Run Something went wrong…

I was helping a client start to roll out their Office 365 Pro Plus click-to-run installs and some of their users were getting Error Code 30174-4

After looking around online to find anything about this error, most hits had to do with the Network connections on the machine, namely laptops with multiple network connections. In the case of this client, they had a wired LAN on one subnet and a wireless LAN on another. Plus they have multiple internet connections for redundancy.

On top of that, they also had a Cisco VPN client adapter, and several notorious Microsoft Virtual WiFi Miniport Adapters. Once all of these were disabled besides the wired LAN, the install went without a hitch!


Ultimate Lync / Skype for Business Registry Repository!

After search for days and days for a good “core” source for customizing the Lync / Skype for Business client (since I’m working with a client using Office 365 and we cannot use Client Policies), all I’ve found is sources here and there, a listing of “some” keys smattered on Technet, and the very limited list in the Office 2013 Administrative Templates, I’ve decided to compile my own list as a reference.

Includes the likes of EnableAppearOffline, DisableSavingIM, HidePersonPhoto, DuplicatePrimaryMonitorPresentingSetting, AlertsDisplayName, PublishResolution to name a few popular ones. Plus it includes the settings tab they’re references as well as usage. Something you won’t find anywhere else.

If you happen to come across one that is incorrect, or even a new one, I’d love to hear about it! Just drop me a comment and I’ll gladly add it in plus give you a plug 🙂

Here is the Repository!

When all is broken… It’s not as bad as you think.

It’s a bizarre blog title I know, but I was in the process of trying to spin up Exchange 2013 in a test environment with Exchange 2010 already existing and found that none of the services across any of these 3 servers would start. So the following details my day’s worth of diving into resolving this, and how quick/easy it was in the end. No fun pictures or how to’s this time, just some useful troubleshooting commands and concepts 🙂

First I looked in the Application event log. The MSExchangeADAccess event logs would return Error 2120 (ERROR_TIMEOUT) or Error 2014 (LDAP_SERVER_DOWN).
I tried the standard netdom /resetpwd /s:<dcname> /ud:domain\User /pd:* on the machines in question with no change (Note: full command details at:
Then I used the nltest /SC_QUERY:<domain> command, which came back saying the domain didn’t exist
Another great command that you can use via Powershell, Test-ComputerSecureChannel -server <dcname>, also came back saying the domain didn’t exist.

I checked the lastlogon & lastlogontimestamp attributes of these “problem” servers in AD – all showed 4 months before today – even with a reboot of the server. And of course the netdom /resetpwd registers properly in the pwdLastSet attribute in AD – but does me no good.

Then I became concerned it was the actual domain controller not correctly handing out Kerberos tickets or renewing the computer password accounts. I went as far as to reset the domain controller password against another working one using the netdom /resetpwd commands and other steps in Method 6 at with no luck.

But in stepping back and seeing of the 12 VMs in my environment 8 of them (most of which were recently built) had no problems, so I gave in to the notion that these older VMs must have had some hiccup when I was dealing with tombstoning from when a former counterpart built the environment and didn’t keep an eye on things.

I then stumled across this blog post:

In a production environment who in their right mind would disjoin a computer with an AD-tied role from the domain, reset the computer account, and join it back to resolve the problem? Well, it works for workstations, so why not servers – even if they are running Exchange 🙂

After working thru the apprehension, I had nothing to lose and did just this.

Guess what? Everything started working again. So while I’m still somewhat baffled on what would have caused this issues, nonetheless I had to admin – THIS WORKS!!!!!