Dirsync Synchronization Service - event ID 6208

"Cannot start Forefront Identity Manager Synchronization Service - event ID 6208 "

My Dirsync stopped working.  I found this link which explains how Microsoft Tech Support handles the situation, and also what "may" be causing the problem.

As of 11/09/2013, I am still looking for a root cause.

Anyway, the Dirsync to Office 365 stopped working, and I discover that the Service will not restart.
In the event log, I see the following error:
"FIMSynchronizationService Event ID 6208.   The Server Encryption Key could not be accessed"

See the following link:
http://community.office365.com/en-us/forums/613/t/24384.aspx

One submission says:
"With the assistance of Office 365 support, I have resolved the issue. The procedure:

• uninstall Microsoft Online Services Directory Sync Tool
• uninstall SQL Server Express
• delete FIMSynchronization database files
• Install dirsync.exe (Microsoft Online Directory Synchronization Service)
• Add enterprise admin domain account to local group MIIS_Admins
• Add permissions for the enterprise admin account for registry key HKLM\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service
• Add permissions for the enterprise admin account for registry key HKLM\Software\Microsoft\MSOLCoexistence\
• Run directory synchronization configuation wizard"

Another says (and this is the interesting one):
"I had dirsync working fine and then on days when windows updates ran the dirsync would stop.  I would then have to uninstall all of dirsync and all of the sql stuff and then re-install it.  If this were a one time thing it wouldn't have been a big deal but it happened a few times and I've deduced that the problem must be with windows updates as dirsync stops working immediately after the server is restarted from the updates."

Links for Microsoft (Hyper-V, Clustering, Server 2012)

Microsoft Tech Ref

• Microsoft Server TechCenter
  http://technet.microsoft.com/en-US/windowsserver
   

Microsoft Blogs

• Virtualization Blog
  http://blogs.technet.com/b/virtualization/
   
• Jose Barreto's Blog
  http://blogs.technet.com/b/josebda/
   
• Ask the Core Team
  http://blogs.technet.com/b/askcore/
   
• Windows Server Blog
  http://blogs.technet.com/b/windowsserver/
   
• Clustering and High-Availability
  http://blogs.msdn.com/b/clustering/
   
• 
  

Hyper-V

• Deploying a Hyper-V Cluster
  http://technet.microsoft.com/en-us/library/jj863389.aspx
   
• Windows Server 2012 R2 Hyper-V Best Practices
  http://blogs.technet.com/b/askpfeplat/archive/2013/11/03/windows-server-2012-r2-hyper-v-best-practices-in-easy-checklist-form.aspx
   
• Teaming and Hyper-V in Windows Server 2012
  http://blogs.technet.com/b/keithmayer/archive/2012/11/20/vlan-tricks-with-nic-teaming-in-windows-server-2012.aspx#.Uoznp8Ln-M9
   
• Everything you want to know about Network Teaming in Windows Server 2012
  http://blogs.msdn.com/b/virtual_pc_guy/archive/2012/12/07/everything-you-want-to-know-about-network-teaming-in-windows-server-2012.aspx
   
• Hyper-V over SMB.  Server 2012 Hyper-V
  http://channel9.msdn.com/Events/TechEd/NorthAmerica/2012/VIR306
   
• How does New-SmbShare know whether the new share should be standalone, clustered or scale-out?
  http://blogs.technet.com/b/josebda/archive/2013/01/18/how-does-new-smbshare-know-whether-the-new-share-should-be-standalone-clustered-or-scale-out.aspx
  Here are the rules:
  
  • If the path is on a local, nonclustered disk, New-SmbShare creates a standalone share
  • If the path is on a classic cluster disk, New-SmbShare creates a classic cluster file share on the group that owns that disk.
  • if the path is on a clustered shared volume (CSV), it creates a scale-out file share.
  
  

Links for Office 365 Info and procedures.

Office 365

• Windows Azure Active Directory Sync tool - Version Release History
   
  You can check your DirSync version by running the following PowerShell command: 
  (GP 'hklm:SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\Microsoft Online Directory Sync').DisplayVersion
  The latest version can be downloaded here: Windows Azure Active Directory Sync tool – 64 bit
  
  http://social.technet.microsoft.com/wiki/contents/articles/18429.windows-azure-active-directory-sync-tool-version-release-history.aspx
   
• Configuring SMTP relay for Office365 / Exchange Online
  http://windows.ittips.eu/2014/04/configuring-smtp-relay-for-office365.html
   
•   

Links for Exchange Info and Procedures

Exchange 2013 Info

•  Exchange 2013 Build Numbers and Release Dates
  http://technet.microsoft.com/en-us/library/hh135098%28v=exchg.150%29.aspx
   
• Display Current Build (including CU)
  Display HKLM\SOFTWARE\Microsoft\CurrentVersion\Uninstall\Microsoft Exchange V15\DisplayName
  Example "Microsoft Exchange Server 2013 Cumulative Update 2"
• Client connectivity in an exchange 2013 coexistence environment
  http://blogs.technet.com/b/exchange/archive/2014/03/12/client-connectivity-in-an-exchange-2013-coexistence-environment.aspx
  
• Some CAS Transistion exxamples
  http://msexchangeguru.com/2012/10/23/e2k7-to-e2010-cas-transition/

Exchange 2013 Procedures:

• Exchange 2010 and below Build Numbers
  http://social.technet.microsoft.com/wiki/contents/articles/240.exchange-server-and-update-rollups-build-numbers.aspx
• Installing Cumulative Updates for Exchange Server 2013
  http://exchangeserverpro.com/exchange-2013-installing-cumulative-updates/
   
• Hybrid configuration wizard fails on parameter AntiSpamFilteringEnabled
  http://community.office365.com/en-us/forums/613/p/151551/434560.aspx
   
• Upgrade from Exchange 2007 to Exchange 2013
  http://technet.microsoft.com/en-us/library/jj898581%28v=exchg.150%29.aspx
   
• Exchange 2010 Vs Exchange 2013
  http://www.itbigbang.com/exchange-2010-vs-exchange-2013/
   
• Step by Step Exchnge 2007 to 2013 migration
  http://blogs.technet.com/b/meamcs/archive/2013/07/25/part-1-step-by-step-exchange-2007-to-2013-migration.aspx

Reg Update to add Powershell to Plugable Protocol Handlers.

With the following registry additions, you can create a new URL protocol handler for PowerShell:

This allows me to do the following:
Start -> Run: ps:3+5
Start -> Run: ps:get-process
Start -> Run: ps:

A new powershell window opens, parses and executes the command and leave the window open.

Import the following to set it up:

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS]
@="URL:Powershell Protocol"
"URL Protocol"=""
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\DefaultIcon]
@="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\",1"
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open\command]
@="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoExit -command $ExecutionContext.InvokeCommand.InvokeScript('%1'.Substring(3))"

Special thanks to Eriq VanBibber for the original post.

Exchange SSL Certs and DNS configurtion(s)

This article discusses how to deal with the fact that you can no longer get a 3rd party SSL Certificate for an internal domain.

The issue is that 3rd party Certs will not allow non-verifiable Certs after Oct 2016.  Essentially, that means that you should now configure your Exchange environment (2007/2010/2013) to not depend on Certs for internal names.

The solution is too simple.  Just configure your DNS server to implement a "Split-DNS-Horizon".
Note that this also works perfectly for auto-configuring your Outlook clients, regardless of whether they are connected internally or externally.

For this example, lets assume that your internal domain is domain.local, and that your email domain is domain.com

The easiest and simplest trick is to configure an entry in your internal DNS servers, to point autodiscover.domain.com to the internal IP address of your CAS server.

The best way to do this is to create a new DNS Zone with the name "autodiscover.domain.com", and then create an unnamed entry ("@") pointing to your internal CAS server(s). 

This way, it does not interfere with all of your existing DNS records for the "domain.com" zone, such as www, etc. 

So now, with this configuration, all that you need for a 3rd party SSL Cert is the "domain.com" name.  

Additional Reference:

• Internal DNS and Exchange Autodiscoverhttp://acbrownit.wordpress.com/2012/12/20/internal-dns-and-exchange-autodiscover/

Public Folder Migration Exchange 2003 to 2010

Public Folder Migration Exchange 2003 to 2010

• Replicate Public Folders to 2010 Server.
  http://www.petenetlive.com/KB/Article/0000426.htm
• FAQ on Migrating Public Folders to 2010
  http://itmel.wordpress.com/2012/12/01/microsoft-exchange-2013-and-public-folders/

 

---

Also, Form 2007/2010 to 2013, here are the Microsoft tools:

• Migrate Public Folders to Exchange 2013 From Previous Versions
  http://technet.microsoft.com/en-us/library/jj150486(v=exchg.150).aspx
• ...