Free/busy often fails to work out-of-the-box after configuring Hybrid Exchange with Office 365. Here are my top ten fixes:
-
Set the sharing policy to match on-premises and cloud.
First, Connect to Exchange Online Remote Powershell and run get-sharingpolicy
Then connect to on-premises Exchange Management Shell and run get-sharing policy
Then make the two match on both sides.
Set-SharingPolicy -Identity SharingPolicy01 -Domains ‘contoso.com: CalendarSharingFreeBusySimple’, ‘atlanta.contoso.com: CalendarSharingFreeBusyReviewer’, ‘beijing.contoso.com: CalendarSharingFreeBusyReviewer’
-
Set the organization relationship domains to include all accepted domains on both on-premises and cloud (always requires an IISRESET for it to take effect)
This script helps identify missing domains in an existing relationship:
if ( (Get-OrganizationRelationship).DomainNames -contains (Get-Mailbox user).PrimarySmtpAddress.Domain) { write-host “The domain was found” -ForegroundColor Green } else { write-host (Get-Mailbox user).PrimarySmtpAddress.Domain “was not found” -ForegroundColor Yellow}
$OrgRel = Get-OrganizationRelationship Contoso
$OrgRel.DomainNames += “contoso.com”
Set-OrganizationRelationship $OrgRel.Name -DomainName $OrgRel.DomainNames
-
If the autodiscover DNS name is not published in external DNS, and if the client doesn’t want to do that, then manually configure TargetSharingEpr to use the published EWS path
Get-OrganizationRelationship -Identity “O365 to On-premises – (GUID)” | Set-OrganizationRelationship -TargetSharingEpr https://mail.contoso.com/ews/exchange.asmx
4) For ‘401 errors’ try disabling the IOC connector in Exchange 2013 to have oAuth fall back to dAuth
5) Sometimes it’s necessary to set the on-premises EWS virtual directory “WSSecurityAuthentication” value back to defaults (some clients change this if they do load balanced CAS)
(this is commonly a last resort)
Need to change WSSecurityAuthentication to False for EWS Virtual directory.
a. Set-WebServicesVirtualDirectory “Exch CAS\ews*” –WSSecurityAuthentication $false
b. Need to Stop MSExchangeServicesAppPool.
c. Need to Start MSExchangeServicesAppPool.
Need to change WSSecurityAuthentication to True again for EWS Virtual Directory.
a. Set-WebServicesVirtualDirectory “Exch CAS\ews*” –WSSecurityAuthentication $True
b. Need to Stop MSExchangeServicesAppPool.
c. Need to Start MSExchangeServicesAppPool.
Need to change WSSecurityAuthentication to False for Autodiscover Virtual directory.
a. Set-AutodiscoverVirtualDirectory “Exch CAS\Auto*” –WSSecurityAuthentication $false
b. Stop MSExchangeAutodiscoverAppPool.
c. Start MSExchangeAutodiscoverAppPool.
Change WSSecurityAuthentication to True again for Autodiscover Virtual Directory.
a. Set-AutodiscoverVirtualDirectory “Exch CAS\Auto*” –WSSecurityAuthentication $true
b. Stop MSExchangeAutodiscoverAppPool.
c. Start MSExchangeAutodiscoverAppPool.
6) If the Exchange Server is behind a web proxy then it is usually necessary to configure InternetWebProxy Set-ExchangeServer <Server Name> -InternetWebProxy:http://<Proxy Address>:<Proxy Port>
7) Verify the availability address space and see required SMTP domain with access method.
Get-AvailabilityAddressSpace (Run this on-prem)
8) Try running diagnostic commands:
You can also use the Test-FederationTrust (on prem only) and Test-OrganizationRelationship (run this both on prem and in cloud too)
And you can also use this website to run tests: https://www.testexchangeconnectivity.com/
9) Make sure that the cloud user you are searching for has a valid (tenant).mail.onmicrosoft.com alias on their target mailbox (make sure Azure AD Connect is properly replicating that attribute, and/or, that the Exchange Address Policy is not blocking inheritance on that particular user/object).
10) Run these commands to gather diagnostic information:
Onpremises:
Start-Transcript
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-OrganizationRelationship | fl
Get-WebServicesVirtualDirectory | Export-Clixml C:\temp\WebVdir.xml
Get-AutoDiscoverVirtualDirectory | Export-Clixml C:\temp\AutoDVdir.xml
Get-RemoteMailbox bobc_sync | fl
Get-Mailbox “on-premises John Doe User” | fl
Test-FederationTrust -UserIdentity [email protected] | fl
Test-FederationTrustCertificate | fl
Get-IntraOrganizationConnector | fl
Stop-Transcript
Online:
Start-Transcript
Get-FederationTrust | fl
Get-FederatedOrganizationIdentifier | fl
Get-OrganizationRelationship | fl
Get-MailUser “on-premises John Doe User” | fl
Get-Mailbox “Cloud user” | fl
Get-IntraOrganizationConnector | fl
get-OrganizationRelationship | Test-OrganizationRelationship -UserIdentity “cloud user”
Stop-Transcript
And when all else fails I reference these two blog articles:
and
-