PaulH-9956 asked:

Exchange 2010 move to Kerberos

We are moving an Exchange 2010 cluster to Kerberos in prep for migration to Exchange Online and have run into a problem regarding the script "ConvertOABDir.ps1". According to a few different sites I need to do the following:
1. Create an ASA computer account.
2. Run the script: .\RollAlternateServiceAccountPassword.ps1 -ToArrayMembers {CAS array name} -GenerateNewPasswordFor "{Domain}\{ASA}" -Verbose
(This script appears to be located in the SP3 scripts directory.)
3. Convert the OAB virtual directory to a web application with the script ConvertOABDir.ps1; just download and run.

The problem is I can't find that script. All the links that have been provided to Microsoft don't have this file. Searching Microsoft can't find this file. The closest I can get is a post here which appears to have pasted the contents, but I can't validate whether or not this is the actual script, unchanged for Exchange 2010 SP3.
https://social.technet.microsoft.com/Forums/lync/en-US/ab5409ff-f20c-4d66-a261-c3c73f01a919/cant-enable-kerberos-in-outlook-and-exchange-2013-bug-in-convertoabvdirps1?forum=exchangesvrclients

Can anyone help? Or is there a different way to achieve this same goal?


Why the need to do this if you are migrating to Exchange Online anyway?

0 Votes 0 ·
EricYin-MSFT answered:

Hi,

It's still in the %ExchangeInstallPath%\scripts folder in Exchange 2016:

95082-3.png

In case your folder is not complete, I post it here as a txt file:

95045-1.txt


If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.


I am writing here to confirm with you how things are going now.
If you need further help, please provide more detailed information so that we can give more appropriate suggestions.


0 Votes 0 ·
PaulH-9956 answered:

This is Exchange 2010. THAT script is not on either server. However, I've modified my search and found the file "convertoabvdir.ps1". Is that the same thing?

Edit: this is in the SP3 install directories. I assume it's the same but would like to know for sure.


Sorry, have to ask again. Why the need to do this if you are moving mailboxes to Exchange Online?

0 Votes 0 ·

We're doing a hybrid deployment and need to connect our domain to Azure AD. One of the strongly recommended things to do is to NOT allow NTLM traffic outside of your organization. In order to turn off NTLM I need to migrate the Exchange 2010 cluster to Kerberos, away from NTLM.

0 Votes 0 ·
AndyDavid answered:

Hmm, not sure what you are referring to, but there is no relationship between Kerberos and migrating to Exchange Online. :)

Moving to Kerberos auth only makes sense if you want to reduce the load mail clients place on domain controllers; otherwise there is no reason to introduce this change now, and it doesn't buy you anything if you are moving to Exchange Online.

Another thing to remember is that Kerberos auth only works for domain-joined clients, so enabling this won't make a difference for non-domain-joined clients and won't have any benefit for what you mentioned above: "One of the strongly recommended things to do is to NOT allow NTLM traffic outside of your organization."


Maybe you can enlighten me. In my research regarding migrating to Exchange Online we've decided to do a hybrid deployment, and in the documentation I've found for that it indicates we need Azure AD Connect. This Microsoft doc indicates the need to harden the Azure AD Connect server:
https://docs.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites

And halfway down that document it says: "Deny use of NTLM authentication with the AADConnect server."
Then, in further research, I've not found a way to turn off NTLM for just one server, only for the whole domain.

Is there a better way?

0 Votes 0 ·

You can certainly set that for just the AADConnect server or the domain, but before you do, you would need to audit the domain to ensure you aren't using apps or clients that use only NTLM.

But that's really a separate issue, because once you move the mailboxes to Exchange Online, you will want to ensure the clients are using Modern Authentication. Modern Auth isn't NTLM or Kerberos but rather OAuth/token-based:

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/enable-or-disable-modern-authentication-in-exchange-online

https://docs.microsoft.com/en-us/exchange/clients-and-mobile-in-exchange-online/outlook-for-ios-and-android/setup-with-modern-authentication

So, given that, there is no reason to transition to Kerberos on-prem if you are migrating, since once you do, Kerberos won't be used by any clients anyway.


0 Votes 0 ·

First, thanks for this help. Much appreciated.

Second, let's step back to the NTLM auditing. Because of the need to do hybrid Exchange I have to use the AADConnect.

So how do I audit for NTLM only applications? I am not aware that we have anything that old other than Exchange 2010. I know that I can restrict Exchange from using any domain controller that has NTLM denied. If turning off NTLM on a single server is an option I'd prefer to go that route. Then the question becomes what could be using NTLM only and how do I find out?

0 Votes 0 ·
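The "audit the domain for NTLM-only clients" step discussed above can be started from the Security event log, which already records the authentication package on every successful logon. The following PowerShell is an added example written for this thread, not code from any of the participants or from Microsoft. It assumes it runs with rights to read the Security log on the target host (a domain controller sees logons for the whole domain; the Exchange or AADConnect server sees only its own), and the `-ComputerName` and `-Days` parameters are this script's own, hypothetical ones.

```powershell
# Added example: summarise NTLM logons from the Security log so that NTLM-only
# clients and applications can be identified BEFORE "Restrict NTLM" is enabled
# on a server or the domain. Run on a DC for domain-wide view.
param(
    [string]$ComputerName = $env:COMPUTERNAME,   # hypothetical parameter of this script
    [int]$Days = 7
)

# Event 4624 = successful logon. Its EventData carries AuthenticationPackageName,
# which is "NTLM" for NTLM logons and "Kerberos" for Kerberos logons.
$filter = @{
    LogName   = 'Security'
    Id        = 4624
    StartTime = (Get-Date).AddDays(-$Days)
}
$events = Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction Stop

$ntlmLogons = foreach ($e in $events) {
    # Parse the event XML so each <Data Name="..."> field can be read by name.
    $xml  = [xml]$e.ToXml()
    $data = @{}
    foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }

    if ($data['AuthenticationPackageName'] -eq 'NTLM' -and
        $data['TargetUserName'] -ne 'ANONYMOUS LOGON') {
        [pscustomobject]@{
            Time        = $e.TimeCreated
            Account     = "$($data['TargetDomainName'])\$($data['TargetUserName'])"
            Workstation = $data['WorkstationName']
            SourceIP    = $data['IpAddress']
            LogonType   = $data['LogonType']       # 3 = network (e.g. Outlook/RPC, SMB), 2 = interactive
            LmPackage   = $data['LmPackageName']   # "NTLM V1" or "NTLM V2"; V1 entries deserve first attention
        }
    }
}

# One row per account/workstation pair: these are the candidates to investigate
# (and, for Exchange, to move to Kerberos or to a client that supports it).
$ntlmLogons |
    Group-Object Account, Workstation |
    Sort-Object Count -Descending |
    Select-Object Count,
        @{ n = 'Account';     e = { $_.Group[0].Account } },
        @{ n = 'Workstation'; e = { $_.Group[0].Workstation } },
        @{ n = 'SourceIP';    e = { $_.Group[0].SourceIP } },
        @{ n = 'LmPackage';   e = { $_.Group[0].LmPackage } },
        @{ n = 'LastSeen';    e = { ($_.Group | Sort-Object Time)[-1].Time } } |
    Format-Table -AutoSize
```

Usage: `.\Find-NtlmLogons.ps1 -ComputerName DC01 -Days 14` (script name and host are illustrative). The 4624 approach shows who is actually authenticating with NTLM without changing any policy. Once you are ready for the next step, the Group Policy setting "Network security: Restrict NTLM: Audit NTLM authentication in this domain" makes domain controllers write one event per NTLM authentication to the Microsoft-Windows-NTLM/Operational log, which can be read with the same `Get-WinEvent` pattern and gives you a dry run of the "deny" setting before you enable it for the AADConnect server or the domain.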