Thursday, December 5, 2013

How to configure Primary DC to sync time with an external Time Source

This article explains how to configure the Windows Server 2008 R2 domain controller that holds the PDC emulator role to synchronize time with an external time source.
Note: In an Active Directory forest, member computers and the other domain controllers take time from the domain hierarchy, which ends at the PDC emulator of the forest root domain, so only the PDC emulator needs an external source. Keep it accurate: Kerberos rejects tickets when clocks differ by more than the 5-minute MaxClockSkew, and NTP from the internet is unauthenticated, so choose stable peers and set /reliable:yes on the PDC emulator only.
Open an elevated command prompt and type the following:

Net Stop W32Time
W32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"
W32tm /config /reliable:yes
Net Start W32Time
W32tm /config /update
W32tm /resync

You can run W32tm /resync on member computers to make them sync immediately from the domain hierarchy (their authenticating DC, which in turn follows the PDC emulator).

A good, reliable time source is pool.ntp.org. The peer list is a space-separated, quoted list; use several pool names (0.pool.ntp.org, 1.pool.ntp.org, ...) so that one unreachable server does not leave the PDC emulator without a source.

Check out the NTP Pool Project for worldwide time sources.

Also note, from Microsoft:
http://support.microsoft.com/kb/816042
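As an added example (not from the original post), here is a PowerShell check to run after the configuration above: it reads how the local Windows Time service is configured, finds the PDC emulator, measures the offset against it with w32tm /stripchart, and flags anything outside the Kerberos skew window. It assumes the ActiveDirectory module (RSAT) is installed, that w32tm prints its English output, and that MaxClockSkew is the default 5 minutes.

```powershell
# Added example, not code from the original post.
# Verifies the time hierarchy after the PDC emulator has been pointed at an
# external NTP source. Assumptions: ActiveDirectory module present, English
# w32tm output, Kerberos MaxClockSkew at its default of 300 seconds.

function Get-W32TimeConfig {
    # What the local Windows Time service is actually configured to do.
    $p   = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'
    $cfg = Get-ItemProperty -Path $p
    [pscustomobject]@{
        Type      = $cfg.Type        # NTP = manual peer list, NT5DS = domain hierarchy
        NtpServer = $cfg.NtpServer   # only meaningful when Type is NTP
        Source    = (w32tm /query /source) -join ''
    }
}

function Measure-ClockOffset {
    param(
        [Parameter(Mandatory)][string]$Computer,
        [int]$Samples = 3
    )
    # /stripchart /dataonly prints lines such as "12:00:01, +00.0123456s";
    # pull the signed seconds value out of each sample line.
    $lines   = w32tm /stripchart "/computer:$Computer" "/samples:$Samples" /dataonly 2>&1
    $offsets = foreach ($l in $lines) {
        if ("$l" -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { throw "No samples from $Computer : $($lines -join ' ')" }
    ($offsets | Measure-Object -Average).Average
}

function Test-DomainTimeHierarchy {
    param([int]$MaxSkewSeconds = 300)   # Kerberos default MaxClockSkew = 5 minutes
    Import-Module ActiveDirectory -ErrorAction Stop
    $pdc   = (Get-ADDomain).PDCEmulator
    $cfg   = Get-W32TimeConfig
    $isPdc = $env:COMPUTERNAME -ieq ($pdc -split '\.')[0]

    if ($isPdc -and $cfg.Type -ne 'NTP') {
        Write-Warning "This is the PDC emulator but Type is '$($cfg.Type)'; it should be NTP with an external peer list."
    }
    if (-not $isPdc -and $cfg.Type -ne 'NT5DS') {
        Write-Warning "Not using the domain hierarchy (Type=$($cfg.Type)); this host can drift away from the PDC emulator."
    }

    $offset = Measure-ClockOffset -Computer $pdc
    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        PdcEmulator   = $pdc
        TimeType      = $cfg.Type
        NtpServer     = $cfg.NtpServer
        CurrentSource = $cfg.Source
        OffsetToPdc   = [math]::Round($offset, 3)
        WithinSkew    = [math]::Abs($offset) -lt $MaxSkewSeconds
    }
}

Test-DomainTimeHierarchy | Format-List
```

Run it on the PDC emulator first (CurrentSource should name one of the pool servers, not "Local CMOS Clock") and then on a member; WithinSkew false on a member means Kerberos logons to that machine are about to fail.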

Monday, November 25, 2013

Powershell Tricks and Notes

How to expand a ParameterizedProperty

Note: if you issue the following command:

Get-ADComputer -Filter * |Get-Member

You will get the following result:
  TypeName: Microsoft.ActiveDirectory.Management.ADComputer

Name              MemberType            Definition
----              ----------            ----------
Contains          Method                bool Contains(string propertyName)
Equals            Method                bool Equals(System.Object obj)
GetEnumerator     Method                System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode       Method                int GetHashCode()
GetType           Method                type GetType()
ToString          Method                string ToString()
Item              ParameterizedProperty Microsoft.ActiveDirectory.Management.ADPropertyValueCollection Item(string p...
DistinguishedName Property              System.String DistinguishedName {get;set;}
DNSHostName       Property              System.String DNSHostName {get;set;}
Enabled           Property              System.Boolean Enabled {get;set;}
Name              Property              System.String Name {get;}
ObjectClass       Property              System.String ObjectClass {get;set;}
ObjectGUID        Property              System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Culture=neutral, ...
SamAccountName    Property              System.String SamAccountName {get;set;}
SID               Property              System.Security.Principal.SecurityIdentifier SID {get;set;}
UserPrincipalName Property              System.String UserPrincipalName {get;set;}



Notice the "Item" member. It is a ParameterizedProperty: Item(string propertyName) returns the ADPropertyValueCollection for any attribute that was fetched, whether or not it was promoted to a named property, so $computer.Item('operatingSystem') or the shorter $computer['operatingSystem'] reads it. Get-Member above only shows the default property set that Get-ADComputer returns.

So when you type:

Get-ADComputer -Filter * -Properties * | Get-Member

you hope to get something that expands the properties behind "Item".

Now, what if you get an error like this:
PS C:\Data\Scripts> Get-ADComputer -Identity lab17dc1 -property * |gm
Get-ADComputer : One or more properties are invalid.
Parameter name: msDS-AssignedAuthNPolicy
At line:1 char:1
+ Get-ADComputer -Identity lab17dc1 -property * |gm
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (lab17dc1:ADComputer) [Get-ADComputer], ArgumentException
    + FullyQualifiedErrorId : ActiveDirectoryCmdlet:System.ArgumentException,Microsoft.ActiveDirectory.Management.Comm
   ands.GetADComputer


Well, that is a big oops. It is not really a bug in AD: with -Properties * the cmdlet asks for every attribute the client-side ADComputer type knows about, and msDS-AssignedAuthNPolicy (the authentication-policy attribute) only exists in the Windows Server 2012 R2 schema. A Windows Server 2012 R2 / Windows 8.1 RSAT module querying a forest whose schema has not been extended for 2012 R2 therefore gets "One or more properties are invalid". Extending the schema (adprep /forestprep from the 2012 R2 media) or asking only for the specific properties you need both avoid it.
Here is a workaround for THIS error that returns all the properties without touching the schema:

Get-ADComputer -Identity lab17dc1 |Get-ADObject -properties *|gm

Now you get something like:
    TypeName: Microsoft.ActiveDirectory.Management.ADObject
Name                            MemberType            Definition
----                            ----------            ----------
Contains                        Method                bool Contains(string propertyName)
Equals                          Method                bool Equals(System.Object obj)
GetEnumerator                   Method                System.Collections.IDictionaryEnumerator GetEnumerator()
GetHashCode                     Method                int GetHashCode()
GetType                         Method                type GetType()
ToString                        Method                string ToString()
Item                            ParameterizedProperty Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
accountExpires                  Property              System.Int64 accountExpires {get;set;}
badPasswordTime                 Property              System.Int64 badPasswordTime {get;set;}
badPwdCount                     Property              System.Int32 badPwdCount {get;set;}
CanonicalName                   Property              System.String CanonicalName {get;}
CN                              Property              System.String CN {get;}
codePage                        Property              System.Int32 codePage {get;set;}
countryCode                     Property              System.Int32 countryCode {get;set;}
Created                         Property              System.DateTime Created {get;}
createTimeStamp                 Property              System.DateTime createTimeStamp {get;}
Deleted                         Property              System.Boolean Deleted {get;}
Description                     Property              System.String Description {get;set;}
DisplayName                     Property              System.String DisplayName {get;set;}
DistinguishedName               Property              System.String DistinguishedName {get;set;}
dNSHostName                     Property              System.String dNSHostName {get;set;}
dSCorePropagationData           Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
instanceType                    Property              System.Int32 instanceType {get;}
isCriticalSystemObject          Property              System.Boolean isCriticalSystemObject {get;set;}
isDeleted                       Property              System.Boolean isDeleted {get;}
LastKnownParent                 Property              System.String LastKnownParent {get;}
lastLogoff                      Property              System.Int64 lastLogoff {get;set;}
lastLogon                       Property              System.Int64 lastLogon {get;set;}
lastLogonTimestamp              Property              System.Int64 lastLogonTimestamp {get;set;}
localPolicyFlags                Property              System.Int32 localPolicyFlags {get;set;}
logonCount                      Property              System.Int32 logonCount {get;set;}
Modified                        Property              System.DateTime Modified {get;}
modifyTimeStamp                 Property              System.DateTime modifyTimeStamp {get;}
msDFSR-ComputerReferenceBL      Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
msDS-GenerationId               Property              System.Byte[] msDS-GenerationId {get;}
msDS-SupportedEncryptionTypes   Property              System.Int32 msDS-SupportedEncryptionTypes {get;set;}
Name                            Property              System.String Name {get;}
nTSecurityDescriptor            Property              System.DirectoryServices.ActiveDirectorySecurity nTSecurityDes...
ObjectCategory                  Property              System.String ObjectCategory {get;}
ObjectClass                     Property              System.String ObjectClass {get;set;}
ObjectGUID                      Property              System.Nullable`1[[System.Guid, mscorlib, Version=4.0.0.0, Cul...
objectSid                       Property              System.Security.Principal.SecurityIdentifier objectSid {get;}
operatingSystem                 Property              System.String operatingSystem {get;set;}
operatingSystemVersion          Property              System.String operatingSystemVersion {get;set;}
primaryGroupID                  Property              System.Int32 primaryGroupID {get;set;}
ProtectedFromAccidentalDeletion Property              System.Boolean ProtectedFromAccidentalDeletion {get;set;}
pwdLastSet                      Property              System.Int64 pwdLastSet {get;set;}
rIDSetReferences                Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
sAMAccountName                  Property              System.String sAMAccountName {get;set;}
sAMAccountType                  Property              System.Int32 sAMAccountType {get;set;}
sDRightsEffective               Property              System.Int32 sDRightsEffective {get;}
serverReferenceBL               Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
servicePrincipalName            Property              Microsoft.ActiveDirectory.Management.ADPropertyValueCollection...
userAccountControl              Property              System.Int32 userAccountControl {get;set;}
uSNChanged                      Property              System.Int64 uSNChanged {get;}
uSNCreated                      Property              System.Int64 uSNCreated {get;}
whenChanged                     Property              System.DateTime whenChanged {get;}
whenCreated                     Property              System.DateTime whenCreated {get;}
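As an added example (not code from the original post), the Item parameterized property read through the Get-ADObject workaround above, used to decode two attributes that matter for security: userAccountControl and msDS-SupportedEncryptionTypes. It assumes the ActiveDirectory module is loaded and that a computer named lab17dc1 (the post's own example name) exists; the bit tables are the documented flag values.

```powershell
# Added example, not code from the original post.
# Assumptions: ActiveDirectory module available; 'lab17dc1' exists.
Import-Module ActiveDirectory

# userAccountControl bits (ADS_USER_FLAG_ENUM) that matter for a computer object
$UacFlags = @{
    ACCOUNTDISABLE                 = 0x0002
    PASSWD_NOTREQD                 = 0x0020
    WORKSTATION_TRUST_ACCOUNT      = 0x1000
    SERVER_TRUST_ACCOUNT           = 0x2000
    DONT_EXPIRE_PASSWORD           = 0x10000
    TRUSTED_FOR_DELEGATION         = 0x80000      # unconstrained delegation
    NOT_DELEGATED                  = 0x100000
    USE_DES_KEY_ONLY               = 0x200000
    DONT_REQ_PREAUTH               = 0x400000
    TRUSTED_TO_AUTH_FOR_DELEGATION = 0x1000000    # protocol transition
}
# msDS-SupportedEncryptionTypes bits
$EncTypes = @{ DES_CBC_CRC = 0x1; DES_CBC_MD5 = 0x2; RC4_HMAC = 0x4; AES128 = 0x8; AES256 = 0x10 }

function Expand-Flags([int]$Value, [hashtable]$Map) {
    # Names of every bit in $Map that is set in $Value.
    $Map.GetEnumerator() | Where-Object { $Value -band $_.Value } | ForEach-Object Name | Sort-Object
}

function Get-ComputerSecuritySummary {
    param([Parameter(Mandatory)][string]$Identity)

    # Workaround from the post: Get-ADObject -Properties * does not trip over
    # attributes that the forest schema does not contain.
    $obj = Get-ADComputer -Identity $Identity | Get-ADObject -Properties *

    # Item(string) is the parameterized property Get-Member listed. It returns an
    # ADPropertyValueCollection, so read .Value for single-valued attributes.
    $uac = [int]$obj.Item('userAccountControl').Value
    $enc = 0
    if ($obj.Contains('msDS-SupportedEncryptionTypes')) {
        $enc = [int]$obj['msDS-SupportedEncryptionTypes'].Value   # indexer form of Item
    }
    $encText = if ($enc) { (Expand-Flags $enc $EncTypes) -join ',' } else { '(not set: RC4 only)' }
    $lastTs  = [int64]$obj['lastLogonTimestamp'].Value

    [pscustomobject]@{
        Name               = $obj.Name
        UserAccountControl = ('0x{0:X}' -f $uac)
        UACFlags           = (Expand-Flags $uac $UacFlags) -join ','
        Unconstrained      = [bool]($uac -band $UacFlags.TRUSTED_FOR_DELEGATION)
        EncryptionTypes    = $encText
        SPNs               = @($obj['servicePrincipalName']) -join ';'
        LastLogonTimestamp = [datetime]::FromFileTime($lastTs)
    }
}

Get-ComputerSecuritySummary -Identity 'lab17dc1' | Format-List
```

Anything that reports Unconstrained = True, or an encryption-type set that still allows DES, deserves a closer look; this is the same data the Get-Member listing shows as bare Int32 properties, decoded into something you can act on.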

 

Tuesday, November 12, 2013

Use Excel's conditional formatting to highlight weekends

Excellent, simple article on how to highlight weekends in a spreadsheet. It includes a sample spreadsheet for download.

http://www.techrepublic.com/blog/windows-and-office/use-excels-conditional-formatting-to-highlight-weekends/

Monday, November 11, 2013

Server 2012 R2 - Building a Scale-out File Server

The following checklist details how to set up a Scale-out File Server Cluster in Server 2012 R2.

... DRAFT ...



Saturday, November 9, 2013

Dirsync Synchronization Service - event ID 6208

"Cannot start Forefront Identity Manager Synchronization Service - event ID 6208 "

My Dirsync stopped working. I found this link, which explains how Microsoft Tech Support handles the situation and also what "may" be causing the problem.

As of 11/09/2013, I am still looking for a root cause.

Anyway, the Dirsync to Office 365 stopped working, and I discovered that the service would not restart.
In the event log, I see the following error:
"FIMSynchronizationService Event ID 6208.   The Server Encryption Key could not be accessed"

See the following link:
http://community.office365.com/en-us/forums/613/t/24384.aspx

One submission says:
"With the assistance of Office 365 support, I have resolved the issue. The procedure:
  • uninstall Microsoft Online Services Directory Sync Tool
  • uninstall SQL Server Express
  • delete FIMSynchronization database files
  • Install dirsync.exe (Microsoft Online Directory Synchronization Service)
  • Add enterprise admin domain account to local group MIIS_Admins
  • Add permissions for the enterprise admin account for registry key HKLM\SOFTWARE\Microsoft\Forefront Identity Manager\2010\Synchronization Service
  • Add permissions for the enterprise admin account for registry key HKLM\Software\Microsoft\MSOLCoexistence\
  • Run directory synchronization configuration wizard"
Another says (and this is the interesting one):
"I had dirsync working fine and then on days when windows updates ran the dirsync would stop.  I would then have to uninstall all of dirsync and all of the sql stuff and then re-install it.  If this were a one time thing it wouldn't have been a big deal but it happened a few times and I've deduced that the problem must be with windows updates as dirsync stops working immediately after the server is restarted from the updates."

Thursday, November 7, 2013

Links for Microsoft (Hyper-V, Clustering, Server 2012)


Microsoft Tech Ref


Microsoft Blogs

Hyper-V

Thursday, October 31, 2013

Links for Office 365 Info and procedures.

Office 365

Thursday, September 19, 2013

Links for Exchange Info and Procedures

Exchange 2013 Info

Exchange 2013 Procedures:

Tuesday, September 17, 2013

Registry update to add PowerShell as a pluggable protocol handler


With the following registry additions, you can create a new URL protocol handler for PowerShell.

This allows me to do the following:
Start -> Run: ps:3+5
Start -> Run: ps:get-process
Start -> Run: ps:

A new PowerShell window opens, parses and executes the command, and leaves the window open.

Be clear about what this registers: the command line hands the whole URL (%1, minus the "ps:" prefix) to InvokeScript, so anything on this machine that can launch a URL (a browser following a ps: link, a link in an e-mail or an Office document, any program calling ShellExecute) can run arbitrary PowerShell with your rights, subject only to the browser's "open this application?" prompt. Keep it on a machine you control, prefer registering it under HKEY_CURRENT_USER\SOFTWARE\Classes so it is per-user rather than machine-wide, and delete the key when you no longer need it.

Import the following to set it up:


Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS]
@="URL:Powershell Protocol"
"URL Protocol"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\DefaultIcon]
@="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\",1"

[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open]
[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\PS\shell\open\command]
@="\"C:\\WINDOWS\\system32\\WindowsPowerShell\\v1.0\\powershell.exe\" -NoLogo -NoExit -command $ExecutionContext.InvokeCommand.InvokeScript('%1'.Substring(3))"


Special thanks to  for the original post.
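As an added example (not code from the original post), an audit of the same mechanism from the other side: it lists every URL scheme registered for the machine and for the current user, flags handlers that pass the URL (%1) to a script host, which is exactly what the ps: handler above does, and gives you a way to remove one. It assumes an elevated PowerShell for reading HKLM and treats the executable list in the regex as a heuristic, not a complete catalogue.

```powershell
# Added example, not code from the original post.
# Assumptions: elevated session for HKLM; the executable list below is a heuristic.

function Get-UrlProtocolHandler {
    foreach ($root in 'HKLM:\SOFTWARE\Classes', 'HKCU:\SOFTWARE\Classes') {
        foreach ($key in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
            # A class key is a URL scheme when it carries the (empty) "URL Protocol" value.
            $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
            if (-not $props -or -not ($props.PSObject.Properties.Name -contains 'URL Protocol')) { continue }

            $cmdKey = Join-Path $key.PSPath 'shell\open\command'
            $cmd    = (Get-ItemProperty -Path $cmdKey -ErrorAction SilentlyContinue).'(default)'

            [pscustomobject]@{
                Scheme  = $key.PSChildName
                Hive    = $root.Substring(0, 4)
                Command = $cmd
                # Risky: a script/command host receives the raw URL as its argument.
                Risky   = [bool]($cmd -match '\\(powershell|pwsh|cmd|wscript|cscript|mshta|rundll32)(\.exe)?\b' -and $cmd -match '%1')
            }
        }
    }
}

function Remove-UrlProtocolHandler {
    # Deletes a scheme registration; HKLM needs an elevated session.
    param(
        [Parameter(Mandatory)][string]$Scheme,
        [ValidateSet('HKLM', 'HKCU')][string]$Hive = 'HKLM'
    )
    $path = "$($Hive):\SOFTWARE\Classes\$Scheme"
    if (Test-Path -Path $path) {
        Remove-Item -Path $path -Recurse -Force
        "$path removed"
    }
}

# Everything that will run an arbitrary URL as code for the current user:
Get-UrlProtocolHandler | Where-Object Risky | Format-Table Scheme, Hive, Command -AutoSize

# When you are done with the ps: handler from the post:
# Remove-UrlProtocolHandler -Scheme PS -Hive HKLM
```

Expect the PS scheme from the .reg file above to show up as Risky; anything else in that list that you did not register yourself is worth investigating.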

Thursday, September 12, 2013

Exchange SSL certs and DNS configuration(s)

This article discusses how to deal with the fact that you can no longer get a third-party (public CA) SSL certificate for an internal domain name.

The issue is that, under the CA/Browser Forum Baseline Requirements, public CAs stopped issuing certificates that contain internal names (such as server.domain.local or a bare host name) on 1 November 2015, and any such certificate still in circulation had to expire by 1 October 2016. Essentially, that means you should now configure your Exchange environment (2007/2010/2013) so that it does not depend on certificates for internal names.

The solution is quite simple: configure your DNS server to implement "split-horizon DNS".
Note that this also works perfectly for auto-configuring your Outlook clients, regardless of whether they are connected internally or externally.

For this example, lets assume that your internal domain is domain.local, and that your email domain is domain.com

The easiest trick is to configure an entry in your internal DNS servers that points autodiscover.domain.com to the internal IP address of your CAS server.

The best way to do this is to create a new DNS zone named "autodiscover.domain.com", and then create an unnamed entry ("@", the zone apex) pointing to your internal CAS server(s). If clients also use a public host name such as mail.domain.com for OWA, EWS and Outlook Anywhere, create a second small zone for that name in the same way, and set the Exchange virtual directory internal URLs to the public names so that Outlook never connects to an internal name.


This way it does not interfere with any of your existing public DNS records in the "domain.com" zone, such as www.

So now, with this configuration, the third-party SSL certificate needs only public names under "domain.com" (mail.domain.com and autodiscover.domain.com as subject alternative names) and no internal names at all.
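As an added example (not code from the original post), the split-horizon setup above scripted with the DnsServer module (Windows Server 2012 or later), followed by the Exchange commands that move the client access URLs onto the same public names. Assumptions not in the post: the mail domain is domain.com, the CAS internal address is 10.0.0.20, the public host name is mail.domain.com, the DNS part runs on an internal DNS server and the Exchange part in the Exchange Management Shell (Exchange 2013 parameter names; 2007/2010 differ slightly).

```powershell
# Added example, not code from the original post.
# Assumptions: mail domain domain.com, CAS at 10.0.0.20, public host mail.domain.com.

$MailDomain  = 'domain.com'
$CasIp       = '10.0.0.20'
$PublicHost  = "mail.$MailDomain"
$PublicNames = @("autodiscover.$MailDomain", $PublicHost)

# ---- Internal DNS: one tiny zone per public name, apex record -> internal CAS ----
Import-Module DnsServer

foreach ($zoneName in $PublicNames) {
    if (-not (Get-DnsServerZone -Name $zoneName -ErrorAction SilentlyContinue)) {
        # AD-integrated and replicated forest-wide; the rest of domain.com is
        # still resolved on the public internet, so www etc. are untouched.
        Add-DnsServerPrimaryZone -Name $zoneName -ReplicationScope Forest
    }
    $apex = Get-DnsServerResourceRecord -ZoneName $zoneName -RRType A -ErrorAction SilentlyContinue
    if (-not $apex) {
        # '@' is the "unnamed" entry from the post: the zone name itself.
        Add-DnsServerResourceRecordA -ZoneName $zoneName -Name '@' -IPv4Address $CasIp
    }
}

# Verify from an internal client: each public name must answer with the internal address.
foreach ($n in $PublicNames) {
    $answers = @(Resolve-DnsName -Name $n -Type A -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
    if ($answers -contains $CasIp) { "$n -> $CasIp OK" }
    else { Write-Warning "$n resolves to $($answers -join ',') instead of $CasIp" }
}

# ---- Exchange Management Shell: internal and external URLs both use public names ----
$ad  = "https://autodiscover.$MailDomain/Autodiscover/Autodiscover.xml"
Get-ClientAccessServer | Set-ClientAccessServer -AutoDiscoverServiceInternalUri $ad

$ews = "https://$PublicHost/EWS/Exchange.asmx"
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -InternalUrl $ews -ExternalUrl $ews
$owa = "https://$PublicHost/owa"
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -InternalUrl $owa -ExternalUrl $owa
$ecp = "https://$PublicHost/ecp"
Get-EcpVirtualDirectory | Set-EcpVirtualDirectory -InternalUrl $ecp -ExternalUrl $ecp
$oab = "https://$PublicHost/OAB"
Get-OabVirtualDirectory | Set-OabVirtualDirectory -InternalUrl $oab -ExternalUrl $oab
$eas = "https://$PublicHost/Microsoft-Server-ActiveSync"
Get-ActiveSyncVirtualDirectory | Set-ActiveSyncVirtualDirectory -InternalUrl $eas -ExternalUrl $eas
Get-OutlookAnywhere | Set-OutlookAnywhere -InternalHostname $PublicHost -ExternalHostname $PublicHost `
    -InternalClientsRequireSsl $true -ExternalClientsRequireSsl $true
```

After this, Test-OutlookWebServices from an internal client should show every URL on a public name, and the certificate request needs exactly those two subject alternative names.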

Additional Reference:

Tuesday, September 10, 2013

Public Folder Migration Exchange 2003 to 2010



Also, from 2007/2010 to 2013, here are the Microsoft tools:

Wednesday, August 21, 2013

Office 365 - How to connect Powershell to Office 365 Service

How to connect PowerShell to the Office 365 service so that you can administer a hybrid environment.

Issue the following commands:
  • Set-ExecutionPolicy RemoteSigned
    (Unrestricted is not needed: the proxy module that Import-PSSession writes to %TEMP% is a local script, which RemoteSigned already allows. Execution policy is a safety catch rather than a security boundary, so do not loosen it further than necessary.)
  • $cred = Get-Credential
    (Enter your tenant login for Office 365)
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $Cred -Authentication Basic -AllowRedirection
    (Basic authentication sends the password inside the TLS session, so the URI must stay https. Note: you may get a redirection as this command executes:
    WARNING: Your connection has been redirected to the following URI:
    "https://pod51042psh.outlook.com/powershell-liveid?PSVersion=3.0")
  • Import-PSSession $Session
Before issuing this command, the following modules were loaded:
PS>Get-Module
ModuleType Name                                ExportedCommands
---------- ----                                ----------------
Manifest   Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Computer, Clear-Content...}
Manifest   MSOnline                            {Add-MsolForeignGroupToRole, Add-MsolGroupMember, Add-MsolRoleMember,...


After a successful connection to the Office 365 service, you now have the following:
PS C:\Windows\system32> Get-Module
ModuleType Name                                ExportedCommands
---------- ----                                ----------------
Manifest   Microsoft.PowerShell.Management     {Add-Computer, Add-Content, Checkpoint-Co...}
Manifest   Microsoft.PowerShell.Security       {ConvertFrom-SecureString, ConvertTo-Secu...
Manifest   Microsoft.PowerShell.Utility        {Add-Member, Add-Type, Clear-Variable, Compare-Object...}
Manifest   MSOnline                            {Add-MsolForeignGroupToRole, Add-MsolGroupMember, ...
Script     tmp_fhnxmnma.xiw                    {Add-AvailabilityAddressSpace, Add-Distribution...


This module adds 469 new commands.

http://help.outlook.com/en-us/140/cc952755.aspx
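As an added example (not code from the original post), the same connection wrapped so that the session is always removed, and with the cloud cmdlets imported under a prefix so that they do not shadow the on-premises Exchange cmdlets in a hybrid shell. Assumptions not in the post: PowerShell 3.0 or later, an account that can authenticate with Basic auth (no multi-factor prompt), and the prefix name EXO.

```powershell
# Added example, not code from the original post.
# Assumptions: PowerShell 3.0+, Basic-auth capable tenant admin, prefix 'EXO'.

function Connect-ExchangeOnlineSession {
    param(
        [pscredential]$Credential = (Get-Credential -Message 'Office 365 tenant administrator'),
        [string]$Prefix = 'EXO'
    )
    # RemoteSigned is enough for the local proxy module; -Scope Process keeps the
    # change out of the machine-wide policy.
    if ((Get-ExecutionPolicy) -eq 'Restricted') {
        Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force
    }
    # Basic auth puts the password inside the TLS tunnel: the URI must stay https.
    $session = New-PSSession -ConfigurationName Microsoft.Exchange `
        -ConnectionUri 'https://ps.outlook.com/powershell/' `
        -Credential $Credential -Authentication Basic -AllowRedirection

    # With a prefix the cloud Get-Mailbox becomes Get-EXOMailbox locally, and the
    # on-premises Get-Mailbox keeps its name in the same shell.
    $module = Import-PSSession -Session $session -Prefix $Prefix -DisableNameChecking -AllowClobber

    [pscustomobject]@{
        Session      = $session
        CommandCount = $module.ExportedCommands.Count   # the post saw 469
    }
}

function Disconnect-ExchangeOnlineSession {
    param([Parameter(Mandatory)][System.Management.Automation.Runspaces.PSSession]$Session)
    # A tenant admin only gets a few concurrent remote sessions; always free yours.
    Remove-PSSession -Session $Session
}

$conn = Connect-ExchangeOnlineSession
try {
    "Imported $($conn.CommandCount) cloud cmdlets"
    Get-EXOMailbox -ResultSize 5 | Select-Object DisplayName, UserPrincipalName
}
finally {
    Disconnect-ExchangeOnlineSession -Session $conn.Session
}
```

Leaving sessions open until they time out is the usual cause of "the maximum number of concurrent shells for this user has been exceeded" the next morning; the try/finally avoids that even when a command in the middle fails.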

Thursday, August 8, 2013

Outlook: When I send an email message it doesn't leave my outbox


I ran into this problem today and was baffled until I found this link:

http://office.microsoft.com/en-ca/outlook-help/when-i-send-an-e-mail-message-it-doesn-t-leave-my-outbox-HA001187988.aspx
The above link says that it describes Outlook 2003, but the information applies to my Outlook 2010.

The symptoms are that in Outlook 2010, when I send a message, it goes to the Outbox but is not shown in italics and does not get sent.
I can forward that same message and the copy goes just fine. Also, this is a global problem across several Outlook profiles, not just one.

The culprit turns out to be an Outlook add-in from Apple. I had apparently installed the iCloud application on my laptop, and this problem had existed ever since.

I was able to simply disable this add-in, and the problem was resolved.

Friday, August 2, 2013

Enabling feature .Net Framework 3.5 and Framework 2.0 on Windows 2012

Problem: the .NET Framework 3.5 (includes 2.0 and 3.0) feature is not installed on a new Windows Server 2012 server, and its installation status is "Removed":

[ ] .NET Framework 3.5 Features                         NET-Framework-Features         Available
    [ ] .NET Framework 3.5 (includes .NET 2.0 and 3.0)  NET-Framework-Core               Removed
    [ ] HTTP Activation                                 NET-HTTP-Activation            Available
    [ ] Non-HTTP Activation                             NET-Non-HTTP-Activ             Available
[X] .NET Framework 4.5 Features                         NET-Framework-45-Fea...        Installed
    [X] .NET Framework 4.5                              NET-Framework-45-Core          Installed
    [ ] ASP.NET 4.5                                     NET-Framework-45-ASPNET        Available


The reason it shows "Removed" rather than "Available" is that Windows Server 2012 ships .NET 3.5 as a Feature on Demand: its payload is not kept in the local component store, so the installer needs a source (the \sources\sxs folder on the installation media, or Windows Update). There are three ways to install NET-Framework-Core:
 
Method 1: using DISM

Open an elevated command prompt and type:
dism.exe /online /enable-feature /all /featurename:NetFX3 /Source:D:\sources\sxs /LimitAccess

Method 2: using the GUI

1. Insert the Windows Server 2012 DVD or mount the ISO as drive D:.
2. Open the Add Roles and Features Wizard.
3. Select .NET Framework 3.5 Features and then click Next.
4. Click the "Specify an alternate source path" link on the Confirm installation selections screen.
5. Path: D:\Sources\SxS, then click OK.
6. Finally, click Install.

 
 Method 3: using PowerShell

 PS >Install-WindowsFeature NET-Framework-Features,NET-Framework-Core -source d:\Sources\SxS
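As an added example (not code from the original post), the PowerShell method turned into a small function that only supplies a source when the feature state is actually "Removed", checks that the payload is really where you say it is before starting, and verifies the result. It assumes the installation media is mounted on D: as in the post unless a different -Source is given, and that the payload file name in \sources\sxs is the standard microsoft-windows-netfx3-ondemand-package.cab.

```powershell
# Added example, not code from the original post.
# Assumptions: media on D: by default; standard NetFx3 payload file name.

function Install-NetFx35 {
    param([string]$Source = 'D:\Sources\SxS')
    Import-Module ServerManager

    $feature = Get-WindowsFeature -Name NET-Framework-Core
    switch ($feature.InstallState) {
        'Installed' {
            'NET-Framework-Core is already installed'
            return $feature
        }
        'Removed' {
            # Feature on Demand: payload stripped from the image, so a source is required.
            $payload = Join-Path $Source 'microsoft-windows-netfx3-ondemand-package.cab'
            if (-not (Test-Path -Path $payload)) {
                throw "Payload not found at $payload; mount the installation media or pass -Source"
            }
            $result = Install-WindowsFeature -Name NET-Framework-Core -Source $Source
        }
        default {
            # 'Available': the local component store already has what it needs.
            $result = Install-WindowsFeature -Name NET-Framework-Core
        }
    }

    if (-not $result.Success) {
        throw "Install failed with exit code $($result.ExitCode)"
    }
    if ($result.RestartNeeded -eq 'Yes') {
        Write-Warning 'A reboot is required to finish the installation'
    }
    Get-WindowsFeature -Name NET-Framework-Core   # shows Installed when it worked
}

Install-NetFx35
# Install-NetFx35 -Source '\\fileserver\deploy\2012\sources\sxs'
```

Pointing -Source at a network share is the usual way to do this on many servers without mounting media on each one; the payload check fails fast if the share is wrong instead of letting the installer time out against Windows Update.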

Tuesday, July 30, 2013

Setup Onramp Login Requirements

  • You need to add Office365.com as a trusted site in IE in order to install the ActiveX control that runs the tests.
  • You also need to log in to the server and to Office 365 using credentials that have the same UPN.

Note: When launching the Office 365 OnRamp wizard (either from the Admin page or directly through a URL), you must use a login ID whose UPN exists both in Office 365 and in AD.


Example: do not use the original tenant login for Office 365 unless you have carefully created an identical account in AD with the same UPN as the Office 365 account.

Instead, set up DirSync first, and then elevate one of the synced AD accounts to Office 365 Global Administrator. Use this account to log in to your server and to portal.microsoftonline.com. When you then run the setup wizard, you will get meaningful results.

The symptom of an account that cannot log in to AD (do not assume that your current account is the one being used) is an "unknown" status for all of the tests that need to talk to AD.


Also, if you are having trouble running the Office 365 setup wizard, you can use the IE developer tools to see what it is having trouble with: before running the environmental checks, press F12 and select Console, then look for obvious errors in the console output.

Friday, July 26, 2013

Office 365 - Change your default email domain

After you set up your custom domain in Office 365 (like mycompany.ca, for example), you can change the default domain that appears for new email addresses when you Add users.

To change the default domain:
  1. Go to your organization's Office 365 profile: Admin => Office 365.
  2. In the upper right, click your organization's name.
  3. Click Edit.
  4. Choose a new default domain from the list of domains, and then save your changes.
http://office.microsoft.com/en-ca/office365-suite-help/change-your-default-domain-HA102818532.aspx

Friday, July 12, 2013

Office 365 DirSync: how to set a partition to limit the number of objects that are synced from AD

The default install of DirSync will synchronize your entire AD with Office 365.

To my way of thinking, this is excessive and unnecessary.

During the install, at the end of the Configuration Wizard, you will be asked whether you wish to "Synchronize now". Uncheck this box and then, after a reboot, follow the instructions below:

Step 1:
  • Create a shortcut to C:\Program Files\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\UIShell\miiclient.exe (Synchronization Service Manager).
  • In the shortcut's advanced properties, select Run as administrator.
  • Launch this tool.
Step 2:
  • After the install, open Active Directory Users and Computers and search for all users starting with "MSOL_". You will see a new account named something like "MSOL_6b06ffadffb5"; the suffix is different on every server.
  • Change the password on this account to a long, random one that you can enter in the Service Manager. With password sync enabled, the DirSync installer grants this account Replicating Directory Changes rights on the domain, which is what a domain controller uses to pull password hashes, so its password is a domain-compromise credential: never reuse it, and store it only in the management agent configuration.
Step 3: 
  • In Synchronization Service Manager, click the Management Agents button and highlight Active Directory Connector.
  • Click Actions and then Properties.
  • Click "Connect to Active Directory Forest" in the menu on the left.
  • Enter the password that you assigned to the MSOL_ account.


  • Click "Configure Directory Partitions". It will verify the AD credentials and switch to the "Configure Directory Partitions" page.
  • Click the Containers button.

  • Uncheck the selection at the root of the domain, and instead select the OU(s) that you wish to sync.

Step 4:
  • Verify DirSync. Do this by opening PowerShell and adding the snap-in:

    Add-PSSnapin Coexistence-Configuration
  • Type Start-OnlineCoexistenceSync
  • Watch the status screen of the Synchronization Service Manager.
  • Make sure that you see "Success" for each of the 4 tasks.



Office 365 DirSync password sync scenario

This entry demonstrates a successful implementation of DIRSYNC with Password Sync.

Step 1:
First, you need to install the DirSync that was released on June 21, 2013. If you are not sure which version you are currently running, see http://aerobatgeek.blogspot.ca/2013/07/office365-dirsync-versions.html
Note that in order to be successful, you will need to uninstall any previous version, and also be sure to reboot after the uninstall.

Step 2:
Install DirSync, including password sync. I will leave the details to other posts.
Remember to reboot after the install.
Also, my advice is NOT to select "Synchronize Now": you should set the scope first.
 
For instructions on how to limit the scope of which accounts are Synced from AD, see post http://aerobatgeek.blogspot.ca/2013/07/office365-dirsync-how-to-set-partition.html

Step 3:
Once the scope has been selected (in my case a single OU), you can trigger a manual DirSync.
On the DirSync server, launch PowerShell with elevated privileges.
Load the snap-in by typing the following:

PS C:\Windows\system32> Add-PSSnapin Coexistence-Configuration

then type

PS C:\Windows\system32> Start-OnlineCoexistenceSync

If you launch miiclient.exe, you will see the synchronization events.

Step 4: Look in the Event Viewer to see if the passwords were synced.
Look for event IDs 656 and 657, and then 653 and 654, indicating a fully successful sync.

Step 5:
If the above command does NOT trigger a password sync, you can force a full password sync with the following steps:
  • Edit the Registry and set HKLM\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync\FullSyncRequired = 1
  • Restart the service Forefront Identity Manager Synchronization Service 
  • Check the event viewer again.
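As an added example (not code from the original posts), the manual sync from Step 3 of this post and from Step 4 of the partition post above, with the forced full password sync from Step 5 as an option, followed by a read of the password-sync events (656/657, then 653/654) so the result is checked by the script rather than by eye in Event Viewer. Assumptions not in the posts: it runs elevated on the DirSync server, and the events are written to the Application log by a provider named 'Directory Synchronization' (an assumption; adjust the name if your log shows a different one).

```powershell
# Added example, not code from the original posts.
# Assumptions: elevated PowerShell on the DirSync server; event provider name
# 'Directory Synchronization' in the Application log (assumed).

function Invoke-DirSyncCycle {
    param(
        [switch]$ForceFullPasswordSync,
        [int]$WaitSeconds = 180
    )
    $started = Get-Date

    if ($ForceFullPasswordSync) {
        # Step 5 from the post: flag a full password sync and bounce the FIM service.
        $key = 'HKLM:\SOFTWARE\Microsoft\MSOLCoExistence\PasswordSync'
        Set-ItemProperty -Path $key -Name FullSyncRequired -Value 1 -Type DWord
        Restart-Service -Name FIMSynchronizationService -Force
    }

    if (-not (Get-PSSnapin -Name Coexistence-Configuration -ErrorAction SilentlyContinue)) {
        Add-PSSnapin Coexistence-Configuration
    }
    Start-OnlineCoexistenceSync
    Start-Sleep -Seconds $WaitSeconds   # give the run profiles time to finish

    # 656/657 = password change requests picked up, 653/654 = sync results (from the post)
    $wanted = @(656, 657, 653, 654)
    $events = @(Get-WinEvent -FilterHashtable @{
            LogName      = 'Application'
            ProviderName = 'Directory Synchronization'
            StartTime    = $started
        } -ErrorAction SilentlyContinue | Where-Object { $wanted -contains $_.Id })

    $seen = $events | ForEach-Object Id | Sort-Object -Unique
    [pscustomobject]@{
        Started        = $started
        EventsSeen     = ($seen -join ',')
        PasswordSyncOk = ($seen -contains 653 -or $seen -contains 654)
        ErrorEvents    = @($events | Where-Object LevelDisplayName -eq 'Error').Count
    }
}

Invoke-DirSyncCycle | Format-List
# Invoke-DirSyncCycle -ForceFullPasswordSync | Format-List
```

If EventsSeen stays empty after a password change in the scoped OU, check the provider name in Event Viewer first and only then reach for the forced full sync.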

If all of that doesn't work perfectly, see the following post:

Office365 Dirsync Version(s)

Microsoft recently released a new version of DirSync that includes password sync.

This does not replace ADFS for user authentication (especially "single sign-on"), but it does provide "same sign-on".

The big issue I found was determining which version of DirSync I had installed, and whether a new download was required.
It turns out that this is not so easy. To be honest, as much as I admire Microsoft for how thoroughly they have documented Office 365, they are painfully inconsistent on some things.

Normally I would assume that, at the very least, the install of any version would show a version number in "Programs and Features".

I installed what was the current version on June 2 (released January 30, 2013), and this is what is displayed:
Note that the Size and Version are blank. (Sheesh, guys.)

Anyway, now that I have downloaded and installed the version available today (or, more accurately, as of June 21, 2013), you will see that it properly displays a version, 1.0.6411.007.
This information is also in the Details of the install file DIRSYNC.EXE.



Here are the details regarding the 3 versions of DIRSYNC.EXE that I am aware of.



 
This is the latest version, released June 21, which includes password sync.


This is the previous version, released Jan 13, 2013. This version allowed me to configure a scope for synchronization using miiclient.exe.


This is an even older version, with a different icon. I mention it because it shows up in some blogs.