Active Directory

Using Group Policy to Manage Office 365 updates

Office 365 ProPlus deployments are configured by default to update automatically. This can be a good or bad thing depending on how you look at it. Good, because you are always current on the latest fixes and security updates from Microsoft. But bad for organizations that have an enterprise patching process with testing and validation for patches and updates. These organizations need control over updates in order to establish compatibility and support across many platforms.

There are several ways to manage updates in Office 365. During the deployment of Office 365 ProPlus you can configure the update settings with the Office Deployment Tool, which modifies the XML file that is used by the install process, or you can simply skip that step and manage everything through Group Policy. In this post I will discuss how to use Group Policy to manage updates for your Office 365 deployments.

Getting Started…

Download the Office 2013 Administrative Template files (ADMX/ADML) and Office Customization Tool 

Once you have copied the Group Policy Administrative Template files into AD, the policy settings will be located in the following location in the Group Policy Management Console:

Computer Configuration\Policies\Administrative Templates\Microsoft Office 2013 (Machine)\Updates

Some key settings to look at include:

Enable Automatic Updates – allows you to disable Office 365 from automatically updating. Be careful when using this option as you could miss out on security updates.

Update Path – This setting controls the source from which Office 365 ProPlus installs get their updates. If this setting is not configured or is left blank, it defaults to Microsoft’s CDN. If you have an internal source, such as a network share, then you would include the path here.

Using Group Policy allows some flexibility, like applying different patching sources for different groups of users, such as pilot users and production users. It also doesn’t require manual changes on each system, and it can make a change across multiple devices with 1 policy. Group Policy is useful when there are many deployment methods across your organization but you want to manage the application without adding cumbersome deployment steps. If you decide to make a change later, update the Group Policy setting by using the Group Policy Management Console. The updated policy settings are automatically applied to Office 365 ProPlus through the normal Group Policy update process.
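To confirm what the two settings above resolved to on a given machine, the following added example (not part of the original post) reads the applied policy and flags machines where automatic updates are disabled or the Update Path cannot be reached. The registry location and value names are not given in the post; they are assumed here to be where the Office 2013 (Machine) "Updates" policies are stored, and the function name is hypothetical.

```powershell
# Added example: audit the Office update policy applied to the local machine.
# Assumption (not from the post): the "Updates" policies are stored under this key
# as the values EnableAutomaticUpdates (DWORD) and UpdatePath (string).
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Office\15.0\Common\OfficeUpdate'

function Get-OfficeUpdatePolicy {
    param([string]$Key = $PolicyKey)

    $result = [ordered]@{
        Computer         = $env:COMPUTERNAME
        AutomaticUpdates = 'Not configured (default: enabled)'
        UpdatePath       = 'Not configured (default: Microsoft CDN)'
        PathReachable    = $null
        Findings         = @()
    }

    # No key or no values means no update policy has been applied to this machine.
    $values = Get-ItemProperty -Path $Key -ErrorAction SilentlyContinue
    if ($null -eq $values) { return [pscustomobject]$result }

    $auto = $values.EnableAutomaticUpdates
    if ($null -ne $auto) {
        if ([int]$auto -eq 0) {
            $result.AutomaticUpdates = 'Disabled by policy'
            $result.Findings += 'Automatic updates disabled: security updates will not install on their own'
        } else {
            $result.AutomaticUpdates = 'Enabled by policy'
        }
    }

    $path = $values.UpdatePath
    if (-not [string]::IsNullOrWhiteSpace($path)) {
        $result.UpdatePath = $path
        if ($path -notmatch '^https?://') {
            # Checked as the account running this script, which may differ from
            # the account the Office update task runs as.
            $result.PathReachable = Test-Path -LiteralPath $path
            if (-not $result.PathReachable) {
                $result.Findings += "Update Path '$path' is not reachable from this machine"
            }
        }
        # HTTP(S) sources are reported but not probed here.
    }

    return [pscustomobject]$result
}

Get-OfficeUpdatePolicy | Format-List
```

An empty Findings list with both settings shown as not configured means the machine is still updating from Microsoft's CDN on the default schedule.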


Exchange 2010 and Active Directory Operation Failed on DC errors

An annoying problem that I have seen since we upgraded to Exchange 2010 is that in the Exchange Management Console (EMC) you are not able to perform certain tasks because a DC could not be contacted. The domain controller in the error is usually one that has been demoted from your environment, but sometimes not. The issue can also occur after recent changes to a DC, which cause the EMC to lose contact with the domain controller.

When this particular scenario was first noticed, it puzzled us because the DC in question was still running and Exchange was able to discover it. We did all the typical AD and Exchange troubleshooting steps, checked permissions, AD replication, etc., but none of these steps fixed the issue; the tech was still not able to create accounts. After some more digging around we later found out that some FSMO roles had been removed from that DC. Aha! A major change to the DC.

Common error messages may contain “Active Directory operation failed on Dcxxxx” or “LDAP server was unavailable”. When the problem occurs you are not able to perform certain actions in the EMC, such as creating accounts or mailbox moves; basically any operation that requires contact with the DC.

An example of an error is shown below:

[Image: EMC]

So what’s the problem, you ask?

The problem is a result of the Exchange Management Console caching the domain controller details in the MMC temp files. It caches the data, but it’s not smart enough to update the data or locate another DC. To fix the issue you have to remove the MMC cache file from the user’s profile.

Use the following steps to clear the EMC MMC cache file:

1. Close the EMC if you have it open
2. Go to the user’s profile directory and delete the Exchange Management Console file.
3. The file location can be found here:

      • C:\users\<specific user>\AppData\Roaming\Microsoft\MMC\Exchange Management Console


4. Reopen the EMC

See Microsoft KB article http://support.microsoft.com/kb/2019500