Quick Start Guide and Prerequisites for Exchange 2016 and Office 365
Below are the prerequisites for installing Add2Exchange. This topic includes information for those running an on-premises Exchange 2016 and for those running Office 365. Please reference the sections that apply to your platform.
If you have any questions after reading through this document and prior to installing, please open a ticket online to request a preflight phone consult.
If you are already a licensed Add2Exchange user, please open a ticket online to request a preflight phone consult before migrating to Exchange 2016 or moving to an Office 365 platform. If any crossgrade licenses, add ons / tools or Premier Support are needed, we'll provide you with your options.
Typical Sync Scenarios
Simple Sync Request – Send a shared Public Contacts folder to a new user’s subfolder “Contacts\Pubfoldername Sync”
Make one unhidden email enabled distribution group called Z_PubfoldernameSync
And add a test user
Make an information template, attach it to the distribution group and the relationships and new folder will get created in the user’s mailbox automatically.
Another Simple Sync Request – Send GAL information to the user’s default folder
Make one unhidden email enabled distribution group called Z_GalSync
And add a test user.
Make an information template, exclude your service accounts from syncing, attach it to the distribution group and the relationships will get created to the user’s mailbox and sync the data.
Quick Start of Prerequisites
What follows is a Quick Start of Prerequisites and what is needed before and during install date to sync to Exchange 2016 or Office 365. Please reference the sections for the platform you’re running; if you have any questions prior to installing, please contact us for a preflight phone consult beforehand.
For all other Exchange versions, see other Quick Start Guides for syncing to Exchange 2003/2007/2010/2013. If you are currently on any of these Exchange versions and doing an imminent migration to Exchange 2016 or Office 365, these instructions will work, but please consult with one of your technicians about the process before migrating.
Qualifiers
If you are trying to install Add2Exchange directly on the 2016 Exchange Server, these instructions will not work. For Exchange 2016 you must use a separate “replication server” or utility server, and for most other versions you should. Add2Exchange cannot be installed directly on an Exchange 2016 server, but can be configured to talk to the Exchange 2016 Server. For earlier versions of Exchange you can install directly on the Exchange server, but this may not be recommended, especially if an imminent migration is to take place.
Hardware Required
The replication machine: Use either one of our hosted environments or one of yours; it can be a real machine or virtual machine of any flavor. Do not run this on a Terminal Server. We prefer a NEWLY FORMATTED and installed Windows box, either Win7, 10, 2008R2, Win12, Win16, 8 GB RAM, 2 processors and 250 GB (or so) of space. We would install the complete Outlook 2013 OR 2016 but only the 32 bit version.
Tip: If a 64-bit version of Office or Outlook was ever installed on the machine, downgrading to the 32-bit version will not work.
At that step we will use a custom installation and ONLY install Outlook, then make a custom ONLINE Outlook profile for the (zadd2Exchange) replication service account. We would not specify cached mode.
The Synchronization still runs as a Service, and if syncing to Exchange 2016 or Office 365, the machine HAS to be logged in as the sync service account, with the Add2Exchange Service running; the session can be locked. Nothing else has to be open. We suggest autologin as the service account to assist with mandatory MS Critical Updates and enable smoother fault tolerance.
We suggest turning off automatic updates (set them to download and notify), setting the machine for full performance, and managing the replication server in AD as a “server” class machine with no automatic updates installed, for consistent replication.
We would turn off UAC in the registry. Make sure UAC is OFF in the registry for the replication server, not through the GUI.
- Open regedit
- Go to Start, Run
- At the command prompt type regedit and press Enter to open the Registry Editor
- Drill down to the System folder found under
- When you click on the System folder, on the right hand side you will see a value named EnableLUA
- Double click to open the Edit DWORD Value window. Under Value data: change from 1 to 0
- Click OK
- Close regedit
- Install .NET 3.5.1 (+ optional .NET 4.x.x)
- Reboot
- Complete all current critical Windows updates on the replication machine (before Outlook is installed). However, if you are running Exchange 2016 or Office 365 with Outlook 2013 or 2016 32 bit, do not update Outlook to the latest patches.
- Reboot the box and log back on with a local administrator account. Do not install anything; we will only install as the new replication service account we create next.
Creating the Service Account: Overview
- Make a sync service account such as Zadd2exchange, and give rights to users or to all users in the database to facilitate any other relationships in the future.
- Make the new account part of local administrators of the replication server machine.
Permissions Needed: Overview
Manually make an unhidden account in Exchange 2016 with Mailbox, such as zadd2exchange@companydomain.com
TIP: We call it “zadd2exchange” because the account will show up at the bottom of the GAL. You can name the account whatever you want, such as SVC_zadd2exchange to match your convention, but it cannot be hidden. Protect the account from Accidental Deletion. We suggest creating this account in Exchange and creating or moving the account to an unmanaged “Service accounts” Container.
If using Add2Exchange Enterprise’s “Relationship Group Manager”, next make Distribution groups in Exchange.
To simplify installation and maintenance, if creating many of the same relationships of the type many to one, one to many or many to many, make one or more distribution lists and name each after what it does. This is done with an Add2Exchange Enterprise feature called the Relationship Group Manager. We make a template and attach it to the distribution group for automatic creating and removing of relationships based on the inclusion or exclusion in the attached distribution list.
For example you would make a distribution list called something like ZSharedContactSync or zGAL or ZFirmCalSync etc., and make it not hidden from the Global Address List (GAL), and add as members those who will get or will give information synced. Close the membership in Exchange Management and set delivery restrictions so only admins can send email to it, effectively shutting it down as being used as a true distribution list.
The members of this distribution list are the mailboxes that information is given to or taken from. In our example it could be ZGalSync or Z-PublicFolderNameSync.
Tip: If it is a one to many, we would NOT include the one (source) mailbox.
Make any and all other distribution groups necessary for any desired Templates following a similar naming convention. Remember, these cannot be hidden, and should not be named DidItBetter or Add2Exchange since that doesn’t explain what the group does. Even with just a few distribution lists used for Add2Exchange synchronization, it will get confusing without a naming convention.
Setting Permissions
Overview: Remove any older permissions and give Full mailbox permissions with no automapping. If granular permissions are to be added, see section Adding Granular permissions below.
Download Add2Exchange from here: http://support.diditbetter.com/downloads.aspx Create an account for your organization. Extract it but do NOT install.
Connect to Exchange Management Shell
In Exchange 2016, log in as Exchange Organizational Administrator or Domain admin
There are two ways to give permissions, by Security Group (Preferred) or directly to the replication account zadd2exchange.
Preferred - In Exchange Management Console (EAC or ECP)
Make an email enabled global security Group called Za2ESecurityGroup, make zadd2exchange a member
Then in Exchange Command Shell we will give Full mailbox access to the Security Group as specified below.
Or, give permissions to the “zadd2exchange” Service account after the account has been created as specified below.
Automatic Permissions utility: Preinstaller for Exchange 2016 Only
This utility gives permissions to the security group or the replication service account and is run from the Add2Exchange self-extracting executable's Setup directory.
You must run this from a local copy on the Exchange Server. Copy the Preinstaller Directory to the Exchange Server.
Running the Preinstaller:
- Log on to the Exchange server as Domain Admin/Exchange Organization Admin, right click the (LOCAL COPY) Preinstaller.exe and run the Preinstaller as Administrator
- When prompted, type in the new security group name (if created) such as Za2ESecurityGroup
- Next, specify that the “service account” (security group) already exists and Continue.
- There is no need to specify anything else on the page such as OU, or password since the account already exists.
TIP: Nothing is to be installed on this Exchange Server, so when prompted, do not install Exchange Mapi on the Exchange Server.
If this is a 2016 server, it will incorrectly state it is a 2013 Exchange Server, and you can continue.
If you are trying to install Add2Exchange directly on the Exchange server, this will not work. For Exchange 2016, you must use a “replication server” or utility server. Add2Exchange cannot be installed directly on an Exchange 2016 server, but can be configured to talk to the Exchange Server.
TIP: If this is Exchange 2007, 2010, 2013, STOP and refer to Exchange 2007, 2010, 2013 Quick Start permissions.
Exchange 2016: If yours is a local Exchange 2016.
If you are in an Office 365 environment, skip to next section "Office 365"
If you RAN the Preinstaller, or have in the past - Next, Remove any full access, AD permissions and/or automapping access to the zadd2exchange service account.
Connect and run Exchange Management Shell as administrator
Set-ExecutionPolicy unrestricted
Set-ADServerSettings -ViewEntireForest $true
Run this if you have had Add2Exchange in the past; otherwise, skip to next SECTION Add Permissions to Security Group or Service Account.
Tip: change 'Zadd2Exchange@domain.com' in these commands to match your replication service account before running.
Remove-ADPermission -Identity "Exchange Administrative Group (FYDIBOHF23SPDLT)" -User 'Zadd2Exchange@domain.com' -AccessRights ExtendedRight -ExtendedRights "View information store status" -InheritanceType Descendents
Get-MailboxDatabase | Remove-ADPermission -User 'zAdd2Exchange' -AccessRights GenericAll
Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User zadd2exchange -AccessRights FullAccess -Verbose
If that fails, run this:
Get-MailboxDatabase | Remove-ADPermission -User 'Zadd2Exchange@domain.com' -AccessRights ExtendedRight -ExtendedRights Send-As, Receive-As, ms-Exch-Store-Admin -Confirm:$false
If that fails, find the database names and run this for each:
Tip: change these commands to match your Mailbox DATABASE name in quotes before running.
Get-MailboxDatabase "Mailbox Database 1363208640" | Remove-ADPermission -User 'Zadd2Exchange@domain.com' -AccessRights GenericAll
Next Add Permissions to Security Group or Service Account.
Add permissions to the Za2ESecurity Group, or skip to next section to Add Permissions to Service Account.
Tip: change these commands to match your Security Group account before running.
Get-Mailbox -Resultsize Unlimited | Add-MailboxPermission -User 'za2esecuritygroup' -AccessRights 'FullAccess' -InheritanceType all -AutoMapping $false -confirm:$false
Add permissions to the Service Account.
Tip: change these commands to match your replication service account before running.
Or you can add the permissions directly to the sync account. NOTE: this method doesn’t give access to new users added to the database stores.
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User 'zAdd2Exchange' -AccessRights 'FullAccess' -InheritanceType All -AutoMapping $false -Confirm:$false
If it fails on any accounts, run this and confirm:
Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User 'Zadd2Exchange@domain.com' -AccessRights 'FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner' -InheritanceType All -Confirm:$true
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User 'Zadd2Exchange@domain.com' -AccessRights 'FullAccess' -InheritanceType All -AutoMapping $false -Confirm:$true
To manually assign PERMISSIONS to Public folder(s)
Open Exchange Command Shell, as Administrator
.\AddUsersToPfRecursive -TopPublicFolder "\" -User 'Zadd2Exchange@domain.com' -Permissions "Owner"
Office 365: If yours is an Office 365 Environment, review the section below.
If you’re not on Office 365, skip to next section: Configuration is Complete
Connect to Office 365 or Exchange - If Exchange; see Connect to Exchange Management Shell below
Connect to Office 365
From the downloaded Full Add2Exchange Self extracting executable, there is a directory entitled: Azure. Run both those setup files.
From the directory or download from here: Connect to Exchange Online Using Remote PowerShell
Install Microsoft Single Sign-On Assistant: https://www.microsoft.com/en-us/download/details.aspx?id=41950
Install Azure AD Powershell: http://go.microsoft.com/fwlink/p/?linkid=236297
Multifactor download: http://connect.microsoft.com/site1164/Downloads/DownloadDetails.aspx?DownloadID=59185
Run Azure AD Powershell in Administrator mode:
Run both these commands
Set-ExecutionPolicy unrestricted
Set-ADServerSettings -ViewEntireForest $true  # if it fails, continue
Powershell commands to connect to Office 365:
Copy this next entire block to the clipboard and paste in the Azure Shell.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Import-Module MSOnline
Connect-MsolService -Credential $Cred
When prompted, Login with your Tenant admin account
If the above fails, you may have multifactor authentication, so copy this entire block to the clipboard and log in:
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Import-Module MSOnline
Connect-MsolService
When prompted, Login with your Tenant admin account
https://docs.microsoft.com/en-us/powershell/module/msonline/get-msoluser?view=azureadps-1.0
https://support.microsoft.com/en-us/help/2212902/unexpected-autodiscover-behavior-when-you-have-registry-settings-under
For either session, run the following commands
Set-ExecutionPolicy Unrestricted
Set-ADServerSettings -ViewEntireForest $true
Next Add Permissions to Security Group or Service Account.
Add permissions to the Za2ESecurity Group, or skip to next section to Add Permissions to Service Account.
Tip: change these commands to match your Security Group account before running.
Get-Mailbox -Resultsize Unlimited | Add-MailboxPermission -User 'za2esecuritygroup' -AccessRights 'FullAccess' -InheritanceType all -AutoMapping $false -confirm:$false
Add permissions to the Service Account.
Tip: change these commands to match your replication service account before running.
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User 'zAdd2Exchange' -AccessRights 'FullAccess' -InheritanceType All -AutoMapping $false -Confirm:$false
If it fails on any accounts, run this and confirm:
Get-Mailbox -ResultSize Unlimited | Remove-MailboxPermission -User 'Zadd2Exchange@domain.com' -AccessRights 'FullAccess, DeleteItem, ReadPermission, ChangePermission, ChangeOwner' -InheritanceType All -Confirm:$true
Get-Mailbox -ResultSize Unlimited | Add-MailboxPermission -User 'Zadd2Exchange@domain.com' -AccessRights 'FullAccess' -InheritanceType All -AutoMapping $false -Confirm:$true
To manually assign PERMISSIONS to Public folder(s)
Open Exchange Command Shell, as Administrator
.\AddUsersToPfRecursive -TopPublicFolder "\" -User 'Zadd2Exchange@domain.com' -Permissions "Owner"
365 Command Shell
Get-PublicFolder -Recurse | Add-PublicFolderClientPermission -User "zadd2exchange365" -AccessRights Owner
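A read-only check for the mailbox grants made above, as an added example that is not part of the original guide or DidItBetter's tooling: it reports mailboxes the sync trustee cannot open (for instance users created after the grant was run) and mailboxes that still carry an inherited grant. Get-SyncGrantCoverage is a hypothetical helper name, the sample rows are constructed, and trustee names are assumed to match once any DOMAIN\ prefix is stripped.

```powershell
# Added example: audit FullAccess coverage for the Add2Exchange sync trustees.
# Rows are shaped like Get-MailboxPermission output (Identity, User, AccessRights,
# IsInherited, Deny). Get-SyncGrantCoverage is a hypothetical helper name.
function Get-SyncGrantCoverage {
    param(
        [Parameter(Mandatory)] [string[]] $Mailboxes,    # every mailbox identity
        [Parameter(Mandatory)] [object[]] $Permissions,  # permission rows to inspect
        [Parameter(Mandatory)] [string[]] $Trustees      # group and/or service account
    )
    # Keep allow entries that include FullAccess and belong to one of the trustees.
    # The DOMAIN\ prefix is stripped so 'CONTOSO\zAdd2Exchange' matches 'zAdd2Exchange'.
    $held = @($Permissions | Where-Object {
        (-not $_.Deny) -and
        ("$($_.AccessRights)" -match '\bFullAccess\b') -and
        ($Trustees -contains ("$($_.User)" -replace '^.*\\'))
    })
    foreach ($mbx in $Mailboxes) {
        $rows      = @($held | Where-Object { "$($_.Identity)" -eq $mbx })
        $explicit  = @($rows | Where-Object { -not $_.IsInherited } | ForEach-Object { "$($_.User)" })
        $inherited = @($rows | Where-Object { $_.IsInherited } | ForEach-Object { "$($_.User)" })
        # Inherited rows come from a grant made above the mailbox, such as the
        # database-level permissions the cleanup commands on this page remove.
        $status = if ($inherited.Count -gt 0) { 'InheritedGrantPresent' }
                  elseif ($explicit.Count -gt 0) { 'Ok' }
                  else { 'NotCovered' }
        [pscustomobject]@{
            Mailbox   = $mbx
            Explicit  = $explicit -join '; '
            Inherited = $inherited -join '; '
            Status    = $status
        }
    }
}

# Constructed sample rows (not real data): Alice was granted through the security
# group, Bob still has an inherited grant to the service account, and Carol was
# created after the grant was run.
$sampleMailboxes = 'contoso.example/Users/Alice',
                   'contoso.example/Users/Bob',
                   'contoso.example/Users/Carol'
$samplePerms = @(
    [pscustomobject]@{ Identity = 'contoso.example/Users/Alice'; User = 'CONTOSO\za2esecuritygroup'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.example/Users/Bob'; User = 'CONTOSO\za2esecuritygroup'
                       AccessRights = @('FullAccess'); IsInherited = $false; Deny = $false }
    [pscustomobject]@{ Identity = 'contoso.example/Users/Bob'; User = 'CONTOSO\zAdd2Exchange'
                       AccessRights = @('FullAccess'); IsInherited = $true; Deny = $false }
)

Get-SyncGrantCoverage -Mailboxes $sampleMailboxes -Permissions $samplePerms `
    -Trustees 'za2esecuritygroup', 'zAdd2Exchange' | Format-Table -AutoSize

# Against a live Exchange session, feed it real rows instead of the sample:
#   $mbx   = Get-Mailbox -ResultSize Unlimited
#   $perms = $mbx | Get-MailboxPermission
#   Get-SyncGrantCoverage -Mailboxes ($mbx | ForEach-Object { "$($_.Identity)" }) `
#       -Permissions $perms -Trustees 'za2esecuritygroup', 'zAdd2Exchange'
```

Mailboxes reported as NotCovered need the Add-MailboxPermission command rerun; InheritedGrantPresent points at a grant made above the mailbox that the removal commands did not clear.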
Permissions Configurations are Complete
- Make the new zadd2exchange Service Account part of the local administrators group of the Replication Server
- Log in as the zadd2exchange Service Account
Add2Exchange Enterprise Edition Installation Instructions
Continue setting up the Replication Server for Exchange 2016 or Office 365
For Exchange 2016 or Office 365
- On the replication server Log in as the service account
- On the replication server make sure UAC is off as specified above and that the machine has been rebooted.
- Install Outlook 2013 32 bit or 2016 32 bit ONLY. Do a customized install and remove all other options. Configure the Outlook custom install not to install any add-ins.
- Once done, Go to Control Panel and make an Outlook online profile for the zadd2exchange Service Account you created. It must be in online mode.
Install Add2Exchange Enterprise.
When prompted, it is most common to specify the defaults during installation. When prompted for SQL, install locally and create a new instance.
When done with installation, open the Add2Exchange Console from the shortcut on the desktop and it will install SQL.
When the Add2Exchange Console appears, you are ready to make information relationships. See the Helpful Resources below for recommended settings or contact us for a guided tour of your first “Information relationship” by Opening a Ticket online to submit an Email Support Request
Clean Up Post Install
Post Installation Steps
Add Antivirus exclusions for our directories.
There is no need to add Data Execution Prevention (DEP) exclusions as specified on that page.
If doing Contact Sync - Disable Outlook Social Connector from the replication server Outlook profile and consider doing it for the domain. See link below.
We have since found the Microsoft Social Connector in Outlook is updating the contacts from the GAL and several other locations, which negatively affects syncing when used, causing longer sync times and reversions of updated items. This process and the other options of the Social Connector can be granularly controlled through Active Directory policy rules. Turning it off for your organization is recommended when doing Contact Sync. The client machine updates the contacts, causing a change for our sync program to consider, and then someone wins, or we overwrite the changes, as per the relationship settings, and it ping pongs back and forth. This lengthens subsequent sync times and can easily be avoided.
If using Contacts sync or GAL Sync, make a group policy to turn off Outlook Social Connector for each version of Outlook supported.
If users have personal Outlook on a machine which is off the domain, and not part of Group Policy, it is best practice to disable the Outlook Social Connector in the Add-ins of Outlook. See here:
Contacts:
For higher security and more consistent synchronization, if your users are using iPhone and iPad for PIMs, it would be best not to sync your corporate Exchange data to iCloud.
Disable just the Syncing of Mail, Contacts, Calendars and reminders on the phone with this link: http://support.diditbetter.com/best-practices-on-syncing-calendar-appointments-and-contacts.aspx
Optional Information
Optional - Adding Granular Permissions
See above for programs to install instead of running the Preinstaller. If you have run the Preinstaller, you would first need to remove full permissions as outlined above.
Run Azure Powershell as administrator
For Single Sign on authentication, Powershell commands to connect to Office 365:
Copy this next entire block to the clipboard and paste in the Azure Shell.
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Import-Module MSOnline
Connect-MsolService -Credential $Cred
When prompted, Login with your Tenant admin account
For multifactor authentication, copy this entire block to the clipboard and log in
$Cred = Get-Credential
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
Import-PSSession $Session
Import-Module MSOnline
Connect-MsolService
When prompted, Login with your Tenant admin account
For either session, run the following commands
Set-ExecutionPolicy Unrestricted
Set-ADServerSettings -ViewEntireForest $true
To grant just default Calendar Access use the scripts below and change the service account name zadd2exchange to whatever service account we use to sync:
$mb=get-mailbox
foreach ($m in $MB){Add-MailboxFolderPermission -Identity $m.identity -User zadd2exchange@Domain.com -AccessRights FolderVisible}
$fl2 = ":\Calendar"
foreach ($m in $MB){Add-MailboxFolderPermission -Identity ([string]::Concat($m.PrimarySmtpaddress,$fl2)) -User zadd2exchange@Domain.com -AccessRights Owner}
Individual scripts
Add-MailboxFolderPermission -Identity user1@Domain.com -User zadd2exchange@Domain.com -AccessRights FolderVisible
Add-MailboxFolderPermission -identity user1@Domain.com:\Calendar -User zadd2exchange@Domain.com -AccessRights Owner
Check for Public folder migration
A non-local public folder, or one locked during migration, will get a catastrophic error when syncing
Get-OrganizationConfig | fl *mapi*
PublicFolderMailboxesMigrationComplete : False
MapiHttpEnabled : False
Helpful Resources
Please review the following topics for additional information.
First Time Trial Users -- need help installing the trial version?
We offer a DidItBetter Software Professional Services Proof of Concept (PoC) Trial Remote Install Session. One of our engineers will remote in to assist with your Add2Exchange 'Proof of Concept' trial installation. We will use our (or your) remote control software to install and configure the relationships while training you on best practices, folder relationship replication settings for your specific sync needs, and also review the norms for your configuration. The PoC trial install is actually us certifying your install for a ready to go live once the license needed is purchased. You will have a general understanding of the product, the Recovery and Migration Tool, and Toolkit and we will give and get all the permissions you need to make it easy to manage. It normally takes about an hour to an hour and a half. The session is $199 Buy online
Have Questions?
- Open a ticket or Schedule Premier Support if you have time remaining, please follow this link: Submit a Support Request
- For a licensing recommendation, email us at info [at] diditbetter.com or initiate Live Chat or leave us a message.