Microsoft Online Services: tenants, subscriptions and domain names

This content is 4 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I often come across confusion with clients trying to understand the differences between tenants, subscriptions and domain names when deploying Microsoft services. This post attempts to clear up some misunderstandings and to – hopefully – make things a little clearer.

Each organisation has a Microsoft Online Services tenant which has a unique DNS name in the format organisationname.onmicrosoft.com. This is unique to the tenant and cannot be changed. Of course, a company can establish multiple organisations, each with its own tenant but these will always be independent of one another and need to be managed separately.

It’s important to remember that each tenant has a single Azure Active Directory (Azure AD). There is a 1:1 relationship between the Azure AD and the tenant. The Azure AD directory uses a unique tenant ID, represented in GUID format. Azure AD can be synchronised with an existing on premises Active Directory Domain Services (AD DS) directory using the Azure AD Connect software.

Multiple service offerings (services) can be deployed into the tenant: Office 365; Intune; Dynamics 365; Azure. Some of these services support multiple subscriptions that may be deployed for several reasons, including separation of administrative control. Quoting from the Microsoft documentation:

“An Azure subscription has a trust relationship with Azure Active Directory (Azure AD). A subscription trusts Azure AD to authenticate users, services, and devices.

Multiple subscriptions can trust the same Azure AD directory. Each subscription can only trust a single directory.”

Associate or add an Azure subscription to your Azure Active Directory tenant

Multiple custom (DNS) domain names can be applied to services – so mycompany.com, mycompany.co.uk and myoldcompanyname.com could all be directed to the same services – but there is still a limit of one tenant name per tenant.

Further reading

Subscriptions, licenses, accounts, and tenants for Microsoft’s cloud offerings.

Weeknote 5: Playing with Azure; Black Friday; substandard online deliveries; and the usual tech/cycling/family mix (Week 47, 2017)

This content is 6 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

This weeknote is a bit of a rush-job – mostly because it’s Sunday afternoon and I’m writing this at the side of a public swimming pool whilst supervising a pool party… it will be late tonight when I get to finish it!

The week

There's not a huge amount to say about this week though. It’s been as manic as usual, with a mixture of paid consulting days, pre-sales and time at Microsoft.

The time at Microsoft was excellent though – I spent Tuesday in their London offices, when Daniel Baker (@AzureDan) gave an excellent run through of some of the capabilities in Azure. I like to think I have a reasonable amount of Azure experience and I was really looking to top up my knowledge with recent developments as well as to learn a bit more about using some of the advanced workloads but I learned a lot that day. I think Dan is planning some more videos so watch his Twitter feed but his “Build a Company in a Day” slides are available for download.

On the topic of Azure, I managed to get the sentiment analysis demo I’ve been working on based on a conversation with my colleague Matt Bradley (@MattOnMicrosoft) and Daniel Baker also touched on it in his Build a Company in a Day workshop. It uses an Azure Logic App to:

  1. Monitor Twitter on a given topic;
  2. Detect sentiment with Azure Cognitive Services Text Analytics;
  3. Push data into a Power BI dataset for visualisation;
  4. Send an email if the sentiment is below a certain value.

It’s a bit rough-and-ready (my Power BI skills are best described as “nascent”) but it’s not a bad demo – and it costs me pennies to run. You can also do something similar with Microsoft Flow instead of an Azure Logic App.

Black Friday

I hate Black Friday. Just an excuse to shift some excess stock onto greedy consumers ahead of Christmas…

…but it didn’t stop me buying things:

  • An Amazon Fire TV Stick to make our TV smart again (it has fewer and fewer apps available because it’s more than 3 years old…). Primarily I was after YouTube but my youngest is very excited about the Manchester City app!
  • Another set of Bluetooth speakers (because the kids keep “borrowing” my Bose Soundlink Mini 2).
  • Some Amazon buttons at a knock-down £1.99 (instead of £4.99) for IoT hacking.
  • A limited edition GCN cycle jersey that can come back to me from my family as a Christmas present!

The weekend

My weekend involved: cycling (my son was racing cyclocross again in the Central CX League); an evening out with my wife (disappointing restaurant in the next town followed by great gin in our local pub); a small hangover; some Zwift (to blow away the cobwebs – and although it was sunny outside, the chances of hitting black ice made the idea of a real road bike ride a bit risky); the pool party I mentioned earlier (belated 13th birthday celebrations for my eldest); 7 adolescent kids eating an enormous quantity of food back at ours; and… relax.

Other stuff

My eldest son discovered that the pressure washer can make bicycle bar tape white again! (I wrote a few years back about using baby wipes to clean bar tape but cyclocross mud goes way beyond even their magical properties.)

After posting my 7 days 7 photos efforts last week, I saw this:

I’ll get my coat.

I also learned a new term: “bikeshedding” (nothing to do with cycling… or smoking… or other teenage activities…):

It’s scary to see how much we’re cluttering space – not just our planet:

There’s a new DNS service in town:

I’ve switched the home connection from OpenDNS (now owned by Cisco) to 9.9.9.9 and will report back in a while…

This ad tells a great story:

Curve is now available to ordinary employees and not just business-people!

We recently switched back to Tesco for our online grocery shopping (we left years ago because it seemed someone was taking one or two items from every order, hoping we wouldn’t notice). Well, it seems things have improved in some ways, but not in others…

On the subject of less-than-wonderful online shopping experiences, after I criticised John Lewis for limiting website functionality instead of bursting to the cloud:

It seems they got their own back by shipping my wife’s Christmas present with Hermes, who dumped it on the front doorstep (outside the notified delivery timeframe) and left a card to say it had been delivered to a secure location:

It may be silly but this made me laugh:

Finally, for this week, I borrowed my son’s wireless charger to top up my iPhone. Charging devices without cables – it’s witchcraft, I tell you! Witchcraft!

Next week, I’ll be back with my customer in Rochdale, consulting on what risual calls the “Optimised Service Vision” so it was interesting to see Matt Ballantine’s slides on Bringing Service Design to IT Service. I haven’t seen Matt present these but it looks like our thinking is quite closely aligned…

That’s all folks!

That’s all for this week. I’m off to watch some more Halt and Catch Fire before I get some sleep in preparation for what looks like a busy week…

Short takes: @ in DNS records; are ‘ and & legal in an email address?; changing the search base for IDfix

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few short items that don’t quite warrant their own blog post…

@ in DNS records

Whilst working with a customer on their Office 365 integration recently, we had a requirement to add various DNS records, including the TXT record for domain verification which included an @ symbol. The DNS provider’s systems didn’t allow us to do this, or to use a space instead to denote the origin of the domain. Try googling for @ and you’ll have some challenges too…

One support call later and we had the answer… use a *. It seemed to do the trick: soon afterwards the Microsoft servers were able to recognise our record and we continued with the domain configuration.

Are ‘ and & “legal” in an email address?

Another interesting item that came up was from running the IDfix domain synchronisation error remediation tool to check the on-premises directory before synchronisation.  Some of the objects it flagged as requiring remediation were distribution groups with apostrophes (‘) or ampersands (&) in their SMTP addresses. Fair enough, but that got me wondering how/why those addresses ever worked at all (I once had an argument with someone who alleged that the hyphen in my wife’s domain name was an “illegal” character). Well, it seems that, technically, they are allowable in SMTP (I struggled reading the RFCs, but Wikipedia makes it clearer) but certainly not good practice… and definitely not for synchronisation with Azure AD.

Changing the search base for IDfix

I mentioned the IDfix tool above and, sometimes, running it against a whole domain produces more results than it is easy to cope with. As we planned to filter directory synchronisation on certain organizational units (OUs), it made sense to query the domain for issues on those same OUs. This is possible in the settings for IDfix, where the LDAP query for the search base can be changed.

Website moving to a new server…

This content is 11 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

My hosting provider has told me that they are moving this website to a new server over the weekend.

All being well, the move will be transparent but I will also need to point the domain names at new DNS servers, so, if I disappear offline for a while on Sunday night, please bear with me and I should be back again once the interwebs have updated…

Domain management for Office 365 (Small Business)

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

A few weeks ago, I wrote about configuring DNS for Exchange Online in Office 365. In that post, I mentioned that Microsoft is only supporting small business customers with domains that are delegated to (i.e. hosted on) Microsoft’s name servers – currently ns1.bdm.microsoftonline.com and ns2.bdm.microsoftonline.com.

I wasn’t entirely comfortable with this (for a start, the Office 365 DNS Manager is best described as “basic”), so I decided to see what happens if I went through the process, but never actually switched over the name server records… as it happens it seems to work quite well (albeit in an unsupported manner).

If you want to retain control of settings, all that’s involved is creating the same records with an external DNS provider.

For reference, on the markwilson.co.uk domain, these would be:

markwilson.co.uk. 3600 IN MX 0 markwilson-co-uk.mail.eo.outlook.com.
autodiscover 3600 IN CNAME autodiscover.outlook.com.
markwilson.co.uk. 3600 IN TXT "v=spf1 include:outlook.com ~all"
SRV _sip _tls 443 1 100 sipdir.online.lync.com. markwilson.co.uk 3600
SRV _sipfederationtls _tcp 5061 1 100 sipfed.online.lync.com. markwilson.co.uk 3600

Of course, if Microsoft changes the server names, you won’t be notified and that might affect your service but the settings seem to be the same as the ones provided to Enterprise customers as part of their domain management process.

Then, go through the normal process to add a domain to Office 365, but just click Next on the Edit Name Server Records page:

Ignore the step that advises changing DNS entries

At the time of writing, Office 365 is still in beta, so things could change (for example, the domain verification process has already switched from using CNAME records to using either TXT or MX records) but it might be worth a try…

[Update 20 June 2011: Microsoft has documented a workaround for domains that do not allow delegation (specifically for .NO and .DK but I see no reason why other domains should not be used in this way)]

Configuring DNS for Exchange Online in Office 365

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Readers who follow me on Twitter (@markwilsonit) may have noticed that I was in a mild state of panic last night when I managed to destroy the DNS for markwilson.co.uk.  They might also have seen this website disappear for a few hours until I managed to get things up and running again. So, what was I doing?

I’ve been using Google Apps for a couple of years now but I’ve never really liked it – Docs lacks functionality that I have become used to in Microsoft Office and Mail, though powerful, has a pretty poor user interface (a subjective view of course – I know some people love it).  When Microsoft announced Office 365 I was keen to get on the beta, and I was fortunate enough to be accepted early in the programme.  Unfortunately, at that time, the small business (P1) plan didn’t allow the use of “vanity domains” (what exactly is vain about having your own domain name? I call it professionalism!) so I waited until I was accepted onto the enterprise (E3) beta. Then I realised that moving my mail to another platform was not a trivial exercise and, by the time I got around to it several weeks had gone by and it is now possible to have vanity domains on a small business plan!

Anyway, I digress: migrating to Office 365, how was it? Well, first up, I should highlight that the DNS issues I had were nothing to do with Microsoft – and, without those issues, everything would have been pretty simple actually.

Microsoft provides a portal to administer Office 365 accounts and this also allows access to the Exchange Online, Lync Online and SharePoint Online components.  In that regard, it’s not dissimilar to Google Apps – just a lot more pleasant to use. So far, I’ve concentrated on the Exchange Online and Outlook Web App components – I’ll probably blog about some of the other Office 365 components as I start to use them.

The e-mail address that Microsoft gave me for my initial mailbox is in the form of user@subdomain.onmicrosoft.com. That’s not much use to me, so I needed to add a domain to the account which involves adding the domain, verifying it (by placing a CNAME record in the DNS for the appropriate domain – using a code provided by Microsoft, resolving to ps.microsoftonline.com.) and then, once verified, configuring the appropriate DNS records. In my case that’s:

markwilson.co.uk. 3600 IN MX 0 markwilson-co-uk.mail.eo.outlook.com.
autodiscover 3600 IN CNAME autodiscover.outlook.com.
markwilson.co.uk. 3600 IN TXT "v=spf1 include:outlook.com ~all"

These are for Exchange – there are some additional records for Lync but they show how external domain names are represented inside Office 365.

[Update 17 June 2011: The DNS entries for Lync are shown below]

SRV _sip _tls 443 1 100 sipdir.online.lync.com. markwilson.co.uk 3600
SRV _sipfederationtls _tcp 5061 1 100 sipfed.online.lync.com. markwilson.co.uk 3600

The . on the end of the names and the quotes on the TXT record are important – without the . the name resolution will not work correctly and I think it was a lack of " " that messed up my DNS when I added the record using the cPanel WebHost Manager (WHM), although I haven’t confirmed that.
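To show why the trailing dot and the quotes matter, here is a small record linter. It is an added example, not part of the original post or anything Microsoft or cPanel ship, and it follows standard zone-file parsing rules rather than WHM's behaviour. The SRV column order assumed in srv_from_portal (type, service, protocol, port, weight, priority, target, name, TTL) is an assumption about the portal-style rows above.

```python
import re

ORIGIN = "markwilson.co.uk."  # zone origin used by the records on this page


def absolute(name, origin=ORIGIN):
    """Expand a name as a zone-file parser does: '@' is the origin and a
    name without a trailing dot is relative, so the origin is appended."""
    if name == "@":
        return origin
    return name if name.endswith(".") else f"{name}.{origin}"


def txt_strings(rdata):
    """Split TXT rdata into character-strings: each "quoted" run is one
    string; each unquoted whitespace-separated token is its own string."""
    return [quoted if bare == "" else bare
            for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', rdata)]


def lint(line, origin=ORIGIN):
    """Return a list of warnings for one 'owner ttl IN type rdata' line."""
    parts = line.split(None, 4)
    if len(parts) < 5 or parts[2].upper() != "IN":
        return ["not in 'owner ttl IN type rdata' form"]
    _owner, _ttl, _class, rtype, rdata = parts
    rtype = rtype.upper()
    warnings = []
    if rtype == "TXT":
        if not re.fullmatch(r'"[^"]*"(\s+"[^"]*")*', rdata.strip()):
            # SPF checkers join multiple character-strings with no spaces,
            # so an unquoted policy loses the gaps between its terms.
            joined = "".join(txt_strings(rdata))
            warnings.append("TXT data is not in ASCII double quotes; "
                            f"an SPF checker would read {joined!r}")
    elif rtype in ("MX", "CNAME", "SRV"):
        target = rdata.split()[-1]
        if not target.endswith("."):
            warnings.append(f"{rtype} target {target!r} is relative and "
                            f"resolves as {absolute(target, origin)!r}")
    return warnings


def srv_from_portal(row):
    """Rewrite a portal-style SRV row in zone-file form. Assumed column
    order: type service protocol port weight priority target name ttl."""
    _type, service, proto, port, weight, priority, target, name, ttl = row.split()
    zone = name if name.endswith(".") else name + "."  # portal names are absolute
    return (f"{service}.{proto}.{zone} {ttl} IN SRV "
            f"{priority} {weight} {port} {target}")


if __name__ == "__main__":
    # Constructed input: the page's records with the dot or quotes removed.
    samples = (
        "markwilson.co.uk. 3600 IN MX 0 markwilson-co-uk.mail.eo.outlook.com",
        "markwilson.co.uk. 3600 IN TXT v=spf1 include:outlook.com ~all",
        srv_from_portal("SRV _sip _tls 443 1 100 sipdir.online.lync.com. "
                        "markwilson.co.uk 3600"),
    )
    for record in samples:
        print(record, "->", lint(record) or "ok")
```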

With the domain configured, additional email addresses may be added to user accounts and, once DNS propagation has taken place, mail should start to flow.

Before I sign off, there are a few pieces of advice to highlight:

  • After I got everything working on the Office 365 Enterprise (E3) plan, I realised that I’d be better off using the Small Business (P1) plan. This wasn’t a simple subscription choice (I hope it will be in the final product – at the time of writing Office 365 is still in beta) and it involved me removing my “vanity” domains from all user objects, distribution groups, contacts and aliases, then removing the domain from Office 365, and finally going through the process of adding it using a different Microsoft Online account.
  • Before making DNS changes, it’s worthwhile tuning DNS settings to reduce the time to live (TTL) to speed up the DNS propagation process by reducing the time that records are stored in others’ DNS caches.
  • Microsoft TechNet has some useful advice for checking DNS MX record configurations with nslookup.exe but Simon Bisson pointed me in the direction of the Microsoft Exchange Remote Connectivity Analyzer, which is a great resource for checking Exchange ActiveSync, Exchange Web Services and Office Outlook connectivity as well as inbound and outbound SMTP email.
  • Microsoft seems to have decided that, whilst enterprises can host their DNS externally, small businesses need to host their DNS on Microsoft’s name servers (and use a rather basic web interface to manage it).  I’m hoping that decision will change (and I’m led to believe that it’s still possible to host the DNS elsewhere, as long as the appropriate entries are added, although that is an unsupported scenario) – I’m trying that approach with another domain that I own and I may return to the topic in a future blog post.

Now I have my new mailbox up and running, I just need to work out how to shift 3GB of email from Google Apps to Exchange Online!

Using DHCP reserved client options for certain devices

This content is 13 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I’ve been struggling with poor Internet connectivity for a while now – the speed is fine (any speed tests I conduct indicate a perfectly healthy 3-5Mbps on an “up to 8Mbps” ADSL line) but I frequently suffer from timeouts, only to find that a refresh a few moments later brings the page back quickly.

Suspecting a DNS issue (my core infrastructure server only has an Atom processor and is a little light on memory), I decided to bypass my local DNS server for those devices that don’t really need it because all the services they access are on the Internet (e.g. my iPad).

I wasn’t sure how to do this – all of my devices pick up their TCP/IP settings (and more) via DHCP – but then I realised that the Windows Server 2008 R2 DHCP service (and possibly earlier versions too) allows me to configure reserved client options.

I worked out which IP address my iPad was using, then converted the lease to a reservation. Once I had a reservation set for the device, I could configure the reserved client options (i.e. updating the DNS server addresses to only use my ISP servers, OpenDNS, or Google’s DNS servers).

Unfortunately I’m still experiencing the timeouts and it may just be that my elderly Solwise ADSL modem/router needs replacing… oh well, I guess it’s time to go back to the drawing board!

Managing simultaneous access to resources from both internal and external DNS namespaces

This content is 16 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

When I originally set up my Active Directory, I used an internal DNS namespace, with a .local TLD (as was the advice at the time – no longer recommended). Essentially, my external domains are managed by my hosting providers and I manage the internal namespace. Simple.

Then I set up a few Internet-facing resources at home. I decided to create a secondary forest using a subdomain of my main external DNS namespace so that:

  • domain.local was the AD-integrated DNS for internal (private) resources.
  • domain.tld was managed by my hosting provider for external resources.
  • subdomain.domain.tld was the AD-integrated DNS for Internet-facing resources under my control.

I also added a forwarding rule on the DNS server to send requests for subdomain.domain.tld to the authoritative DNS server for the domain (under my control) but to send requests for domain.tld and all other domains to the ISP’s DNS servers.

That worked well but, because my mail server is known by two different names internally and externally (mailserver.domain.tld for external access and mailserver.subdomain.domain.tld for internal access) and these actually resolve to the same physical server, I get certificate errors when using the internal name. Furthermore, I’m unable to access the server from inside my firewall using the external name, because the mailserver.domain.tld name actually resolves to the IP address of my router, from where IP filtering and NAT forwarding rules allow the packets to be forwarded to the mail server.

I needed mail clients to work with the same server name (mailserver.domain.tld) whether they were accessing the server on the internal or external networks, so I made some changes:

  1. My hosting provider sent me a copy of the DNS zone file for mailserver.domain.tld and I imported this to my internal DNS server.
  2. Next, I deleted the forwarding rule for mailserver.domain.tld (leaving the one for subdomain.domain.tld in place).
  3. Then, I edited the entries for the servers that needed to be accessed with the same name internally and externally so that instead of resolving to the external IP address of my router, they resolved to the actual IP address of the server (which uses an RFC 1918 internal IP address range).
  4. Finally, nslookup helped me to confirm that the addresses were resolving correctly on the internal and external networks – effectively getting one set of results in the Internet from my hosting provider and another set on the internal network from my DNS server.

The new setup looks like this (note that the IP addresses have been changed to protect the innocent):

Managing internal and external DNS lookups to the same resource

Now I can seamlessly access my mail server using the same DNS name (mailserver.domain.tld) from wherever I roam to.

Improvements in Windows Server 2008 DNS

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Windows administrators have been waiting to see the back of WINS for years but many applications still rely on single name labels (and multiple DNS name suffixes can become unwieldy). Windows Server 2008 DNS will provide an alternative through its GlobalNames zone (one of several improvements in Windows Server 2008 DNS).

Although it’s not listed in the article linked above, I understand (from Scotty McLeod) that Windows Server 2008 DNS allows the application of a conditional forward (globally – i.e. to all DNS servers) at the domain level; unfortunately, forwarder information still has to be defined on a server-by-server basis.

Implementing SenderID Framework records for my e-mail server

This content is 17 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

I recently read Craig Spiezle and Alexander Nikolayev’s TechNet Magazine article about the SenderID Framework (SIDF) – one of the available schemes to validate mail servers in the fight to reduce unsolicited commercial e-mail (UCE), more commonly known as spam.

SIDF is similar to the Sender Policy Framework (SPF) in that it uses specially-formatted TXT records in DNS (called SPF records) to detail the mail exchange (MX) servers that SMTP e-mail may originate from for a given domain, and any other domain names that may be used.

I’d decided some time ago to implement an SPF record for my domains but my hosting service provider at the time did not support the use of TXT records. Since I moved to ascomi a few months back that’s not been an issue and last night I finally requested that the changes were made.

There are a variety of tools online to help create SPF records, but the first problem I had was the need to decide whether to use OpenSPF, SenderID, or an alternative (such as Domain Keys). In the end, I decided to go with SenderID – largely because the Microsoft SenderID website helped me create an SPF record which supported both the SenderID Mail From method (identical to the SPF method) and the SenderID Purportedly Responsible Address (PRA) header method. Finally, to validate that my record was correct, I sent an e-mail to check-auth@verifier.port25.com and used the Email Service Provider Coalition verification tools – Microsoft also publishes a short implementation guide for SIDF which is worth a read.

The differences between SPF formats are discussed on the OpenSPF site too (and OpenSPF also has tools to help create the necessary records) but the OpenSPF guys seem to be more interested in saying why SenderID violates the standards and shouldn’t really be called SPF (I call that the “not invented here” syndrome) than in actually helping people work out how to stop spam.

It’s also worth pointing out that my SPF record will not directly affect the volume of spam that I receive; it will, however, help others who perform SPF lookups to determine if mail that appears to come from one of my domains really originated from a server which I authorised. Even then, they may elect to retain the message, or they may drop it – that’s no different to today but as more and more SPF records are published, the volume of spam on the Internet should drop considerably as all messages are effectively authenticated as having passed through an authorised MX for the stated domain name.
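The receiver-side lookup described above can be sketched as a small SPF evaluator. This is an added example, not code from the original post or from any SPF library; it covers only the ip4, ip6, include and all mechanisms and runs against a constructed TXT table instead of live DNS. The markwilson.co.uk policy is the one quoted elsewhere on this page, while the outlook.com policy and its 192.0.2.0/24 range are made up for illustration.

```python
import ipaddress

# Constructed TXT data standing in for DNS so the example runs offline.
# The outlook.com record and its documentation-only address range are
# invented; only the markwilson.co.uk policy string comes from this page.
TXT = {
    "markwilson.co.uk": ["v=spf1 include:outlook.com ~all"],
    "outlook.com": ["v=spf1 ip4:192.0.2.0/24 -all"],
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}
MAX_LOOKUPS = 10  # RFC 7208 limit on DNS-querying terms per evaluation


def check_host(ip, domain, txt=TXT, _budget=None):
    """Evaluate the SPF policy published by `domain` for a connecting `ip`.
    Any term other than ip4, ip6, include or all yields 'permerror' here,
    because this example does not implement it."""
    budget = _budget if _budget is not None else [MAX_LOOKUPS]
    records = [r for r in txt.get(domain, [])
               if r.split(" ")[0].lower() == "v=spf1"]
    if not records:
        return "none"          # the domain publishes no SPF policy
    if len(records) > 1:
        return "permerror"     # more than one policy is an error
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"        # default qualifier when none is written
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"
            matched = addr.version == net.version and addr in net
        elif name == "include":
            budget[0] -= 1
            if budget[0] < 0:
                return "permerror"   # too many lookups, e.g. an include loop
            inner = check_host(ip, arg, txt, budget)
            if inner in ("none", "permerror"):
                return "permerror"
            matched = inner == "pass"  # only an inner pass counts as a match
        else:
            return "permerror"
        if matched:
            return QUALIFIERS[qualifier]
    return "neutral"           # no term matched and there was no 'all'


if __name__ == "__main__":
    for sender in ("192.0.2.10", "203.0.113.7"):
        print(sender, check_host(sender, "markwilson.co.uk"))
```

A softfail from ~all is advisory, which is why the receiving server may still retain the message; publishing -all instead would return fail for unauthorised senders.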