Category Archives: Active Directory

Reset Azure VM Admin password with Domain Controller installed

April 20, 2020 Mohammed Hamada Leave a comment

Active Directory Admin Password

We had a security lab on Azure with 12 machines, It included 2 DCs and 10 other machines of different OS and had RDP closed on all the machines except one machine to use.

The Password was set for something simple however it seems that someone has changed it and no one was able to access the domain controller anymore nor any of the machines.

I had another user created for backup but it seems that user was also changed.

The usual method of resetting Azure VM is going through portal or PowerShell

Resetting Via Azure Portal

When you try to reset the password from Azure Virtual machine itself. If the VM has Domain Controller it will fail to reset the password with the following error:

Failed to reset RDP configuration

VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot

Through PowerShell

To reset a password, we first need to define the VM we’re working with. To do this, we can use the Get-AzureRmVm cmdlet. I’ll go ahead and assign variables to both the VM name and the resource group since we’ll need to reference those later, as well.

$vmName = 'YOURVMNAMEHERE'
$resourceGroupName = 'YOURRGHERE'
$vm = Get-AzureRmVm -Name $vmName -ResourceGroupName $resourceGroupName

Next, we’ll need some way to pass the username and password into the script. A great way to do that is through the Get-Credential cmdlet.

$credential = Get-Credential

Once the credential is saved, we can then execute the command to actually make the password change using the variables we set earlier. Notice we had to use the GetNetworkCredential() method on the pscredential object. This method will not work if the credential is retrieved from another computer or from another user account. This shouldn’t be a problem, though, since you’re likely to execute this in a single script.

$extensionParams = @{
    'VMName' = $vmName
    'Username' = $Credential.UserName
    'Password' = $Credential.GetNetworkCredential().Password
    'ResourceGroupName' = $resourceGroupName
    'Name' = 'AdminPasswordReset'
    'Location' = $vm.Location
}

$result = Set-AzureRmVMAccessExtension @extensionParams

Once this completed (hopefully successfully), the VM will need to be rebooted. We can do that by using the Restart-AzureRmVm cmdlet.

$vm | Restart-AzureRmVM

While this PowerShell script might work with a normal VM, It will not work with a DC and would result in the same error as in the portal.

Solution

The solution is to write a script which would run through the CustomScriptExtension that you can deploy from the Azure Portal on the intended VM that has the Domain Controller Deployed on it.

Once you get the script ready to change the administrator Password you can upload the script and deploy it.

Let’s get the script ready and demonstrate these steps one by one.

– On my Computer I will write a tiny script that will say

Net User domainadmin Adm!nPassw0rd1

– Save the file on your desktop for later use. Go to Azure Portal, Virtual Machines and select your Domain Controller.

– Go to Extensions.

– Click on Add

– Select Custom script Extension

– Click Create

– Browse the PowerShell script on your Desktop.

– Select Storage Account

– Select an existing container or create new one

– Upload the file to the container

Result

Once deployed, it’ll take few mins to reset the password and you don’t have to restart the server.

Through PowerShell

After this I was able to access the machine again using the new password in the script.

ref:

https://docs.microsoft.com/en-us/azure/virtual-machines/extensions/features-windows#troubleshoot-vm-extensions

https://docs.microsoft.com/en-us/azure/virtual-machines/windows/run-command

https://mcpmag.com/articles/2017/12/13/azure-vm-password-with-powershell.aspx

https://docs.microsoft.com/en-us/azure/virtual-machines/troubleshooting/reset-local-password-without-agent

Active Directory, Domain Controller

Upgrade Sysvol Replication to DFS (Distributed File System Replication) Guide through

December 20, 2019 Mohammed Hamada Leave a comment

Upgrade FRS to DFS:

You might be searching on how to do this due to many reasons, Migrating your DCs to Windows 2016 or Windows 2019, The steps to do this type of migration is pretty easy and straightforward.

First Let’s explain a bit about what does FRS and DFS do and what is the difference?

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers.

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD.

All the domain controllers in the network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install the active directory.

How does DFS Works?

In Windows server 2008 and later Active Directory uses Distributed File System (DFS) for the replication. DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

Although FRS has been deprecated Since Windows server 2008 most people still looking to migrate to latest version.

Migration Starts Here

In this guide, I am going to explain how to do this kind of migration step by step.

I am going to run the migration on Windows 2008 R2 Servers. however the process is exactly the same on Windows 2012 R2.

To start, I need to check the service console to see which services are running the replication. From run type services.msc and enter

As you can see there, File Replication Service is running

In the same manner DFS service is also started and functioning, But that doesn’t mean that RFS is not being used.

Health Check

Before starting any migration, I prefer to do a check on Eventviewer just to make sure nothing critical is being reported. In the same way I would like to see if there any warning being reported.
Below you can see errors are being reported from File Replication Service by the Domain Controller SRV01, So the time is convenient to start this kind of migration as this would fix the errors being reported.

Prerequirements:

The first part of the process for migrating SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication is to raise the functional level of the domain to Windows Server 2008 and to set the global migration state to Prepared.

Make sure your Domain Function Level is raised to 2008 at least for this process to work.

Migration:

To start migration, Run Powershell as an administrator from the DC And type the following command to prepare DCs for the migration.

dfsrmig /getglobalstate

Preparing to migrate

dfsrmig /setglobalstate 1

When this is done, you might have to wait sometime (5 mins or less for small environments). When done waiting type dfsrmig /getglobalstate to verify that the global migration state is Prepared. The following output appears if the global migration state is Prepared.

You will be able to see an event ID 8014 showing you the success of this command. Which means you can move to the next stage.

Migrate the domain to the Redirected state

From a command prompt or PowerShell window on a writeable domain controller (not a read-only domain controller) in the domain that you want to migrate, type dfsrmig /setglobalstate 2 to set the global migration state to Redirected.

2. Type dfsrmig /getglobalstate to verify that the global migration state is Redirected. The following output appears if the global migration state is Redirected.

After doing this, Checking event viewer you can see event ID 8017 showing you the current state, in my case it’s showing DFSR has successfully Migrated the DC to “Redirected” state. so it means we are good to go to the next step.

Migrating to the Eliminated State

Log on to a writeable domain controller (if you are not logged on already).

Open a command prompt window and then type dfsrmig /setglobalstate 3 to set the global migration state to Eliminated.

2. At a command prompt, type dfsrmig /getmigrationstate to verify that all the domain controllers are at the Redirected state. The following output appears when all domain controllers are at the Redirected state.

In the event viewer you can see the state of the DCs reporting that DC will now migrate to the “Eliminated” state. with event ID 8018

Once everything is finished, You will be able to confirm by two things, First on the Service console the File Replication Service should be disabled since it’s no longer going to be used.

Second thing is by using Command line or Powershel, Type Net Share an you can see the new Shares being published with new names “Sysvol_DFSR”.

Ref:

https://docs.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr

https://docs.microsoft.com/en-us/windows/win32/win7appqual/file-replication-service–frs–is-deprecated-in-windows-server-2008-r2

Active Directory, Exchange 2016, Exchange 2019, Exchange Online, Microsoft, Office 365, Powershell

How to Sync Cloud User to On-premises AD ?

December 19, 2019 Mohammed Hamada Leave a comment

The Story:

I have got this client who constantly keeps on making the mistake of create user from Cloud and provision them with a license in an Exchange Hybrid environment.

Although this is not difficult to fix but it’s not the recommended approach when creating a new user especially in a Hybrid environment since Exchange on-premises won’t recognize this user and most likely will consider any incoming emails from it as spoof or spam.

How to Create a Cloud user from Exchange On-premises?

From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.

Second option – Using Powershell

It’s not that much different than the Web UI option but it’s just for people who prefer using PowerShell than GUI

Enable-RemoteMailbox –Identity User –RemoteRoutingAddress user@yourTenant.mail.onmicrosoft.com

The reason to follow those two methods is due to the need of Exchange on-premises being aware of each of those users so mail flow between Exchange on-premises and Online would not get affected and route this users mail to the wrong place or flag it as spammed or spoof …etc.

The Real Question now is: How to Sync Cloud User to On-premises AD ?

If by mistake we created a user on Cloud (Office 365) and we forgot to create an AD User for this account, that user might already have started using his account on Office 365 (Sharepoint, Exchange, Teams) etc.

There also might be the intention of moving users from Cloud to On-premises Exchange in case the company wanted to decrease their spending on cloud users and in this case when Migrating a cloud user to on-premises you will get the following errors:

test3@domain.com

Status: Failed

test3@domain.com Skipped item details

User status

Data migrated:

Migration rate:

Last successful sync date:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’. –> Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’.

So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?

Solution:

To sync the user from the Cloud to on-premises you will need to follow these steps :

1- Create an on-premises Mailbox where the following attributes would be matching the cloud user

UserPrincipalname
ProxyAddresses
SamAccountName
Alias

2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)

You can look which of these OU are provisioned by Starting AD Connect Sync Manager

By verifying the user you created in the AD is in the right OU, You can now start AD Sync from PowerShell to speed up the process.

Below, You can see the user has been successfully synchronized to the cloud without any issue.

Now we’ll see it from the portal to confirm the user is synced with AD

Depending on the Source anchor being used in ADConnect there might be a GUID conflict or not, You will get an error similar to when trying to migrate the user in the beginning however you can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user which will force the user to merge with the On-prem user.

Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.

From CMD or Powershell you can use the following command to get the user’s ImmutableID (ObjectGUID) .

ldifde -f c:\Test.txt -d “cn=Test3,DC=Domain,DC=com”

Checking the notepad we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==

To be able to see the user on Office 365, We need to logon to MSOL through Exchange Online powershell

Connect to Exchange Online’s powershell using your Online ECP.

Once you click on Configure this should download an executable file that will launch PowerShell Online which allows you to use the Modern Authentication (MFA) to use PowerShell safely.

Connect-Msoluser will connect you to Office 365 and you’ll be able to get the user’s properties and see if the Immutable ID is matching to the user’s GUID.

Once you’re connect you can use the following cmdlet to get the user’s properties.

Get-MsolUser -UserPrincipalName test3@domain.com |fl DisplayName,ImmutableID

You can see they are matching each other, In case there’s a conflict then you can simply set the online user’s Immutable ID to the on-premises user and that should solve the problem.

Ref:

https://support.microsoft.com/en-us/help/2956029/migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-g

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/create-cloud-based-archive

Active Directory, Powershell, Security

Powershell script to audit users who authenticated against DC servers

December 10, 2019 Mohammed Hamada Leave a comment

The story:

I have got a request from a client asking to find out which server(s) is using which domain admin or a highly privileged account as a service.

To find this I already wrote a powershell script that does this, Search the non standard/(Domain only users) and show the services and name of the servers where those accounts are configured on utilizing Remote powershell to do so and the use of a Domain Admin user.

You can refer to this link to see this article by clicking here

Creating the script process:

The same client wanted to also know which of those accounts did authenticate and wanted to know from which server/Computer did the request originate from and to which DC did it go.

I have started thinking of the process of doing so by again utilizing remote PowerShell to check against certain security events on AD to check which user among the Domain admin members did authenticate.

After sometime and with the help of some forums I managed to get script ready which looks in all Domain Controllers for users that are members of the Domain Admin groups who triggered an event ID 4624 and from which Computer did this request came from.

The Script :

# Get domain admin user list
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID
$EventID = '4624'
#
# Get only last 24hrs
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, this will have to be set to zero
$MaxEvent = 100

# Loop through Dcs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    Get-WinEvent  -ComputerName $CurDC -FilterHashtable @{Logname='Security';ID=$EventID;StartTime = $Date} -MaxEvents $MaxEvent |`
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |`
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value;Time = $_.TimeCreated;LogonEventLocation = $CurDC}
    }
}
$DALogEvents

How to run:

The Script must be run on DC with a privileged account in order to get the write results, The default time interval is set to 3 days but you can choose to increase that.

You can also change the default group where you want to search for members by changing Domain Admin groups to something else.

Screenshot of the result

Active Directory, ADMT, DNS, Microsoft

Migration Computer with ADMT gives an error Logon Failure: The target account name is incorrect

August 27, 2019 Mohammed Hamada Leave a comment

If you’re doing a Cross Forest migration project then you most likely have had a big experience but the more you do those kind of projects the more you’ll see different types of errors and issues rising up.

One of the issues I had in one of the cross forest projects that I have done before was the following error

To start troubleshooting, we’ll start by ruling out the following main causes.

Checked DNS.
Checked relative services (Netbios, RPC, Computer browser ..etc)
Checked firewall (Kaspersky and windows) and closed them both.
Checked connected DC and changed it to a different one.
Checking DCs / Frs (File repliation service) replication and health.

The Kerberos client received a KRB_AP_ERR_MODIFIED error from the server smart0188$. The target name used was RPCSS/Smart0248.smartmoss.local. This indicates that the target server failed to decrypt the ticket provided by the client. This can occur when the target server principal name (SPN) is registered on an account other than the account the target service is using. Ensure that the target SPN is only registered on the account used by the server. This error can also happen if the target service account password is different than what is configured on the Kerberos Key Distribution Center for that target service. Ensure that the service on the server and the KDC are both configured to use the same password. If the server name is not fully qualified, and the target domain (SMARTMOSS.LOCAL) is different from the client domain (SMARTMOSS.LOCAL), check if there are identically named server accounts in these two domains, or use the fully-qualified name to identify the server.

Suppose you have a domain member named DOMAINMEMBER. You can reset the member secure channel by using the following command:

NETDOM MEMBER \\DOMAINMEMBER /JOINDOMAIN

From <https://support.microsoft.com/en-us/kb/175024/>

You can run the command above on the member DOMAINMEMBER or on any other member or domain controller of the domain, provided that you are logged on with an account that has administrator access to DOMAINMEMBER.

The output received from the command should be similar to the following:

Searching PDC for domain DOMAIN …
Found PDC \\DOMAINPDC
Querying domain information on PDC \\DOMAINPDC …
Querying domain information on computer \\DOMAINMEMBER …
Computer \\DOMAINMEMBER is already a member of domain DOMAIN.
Verifying secure channel on \\DOMAINMEMBER …
Verifying the computer account on the PDC \\DOMAINPDC …
Resetting secure channel …
Changing computer account on PDC \\DOMAINPDC …
Stopping service NETLOGON on \\DOMAINMEMBER …. stopped.
Starting service NETLOGON on \\DOMAINMEMBER …. started.
Querying user groups of \\DOMAINMEMBER …
Adding DOMAIN domain groups on \\DOMAINMEMBER …

The computer \\DOMAINMEMBER joined the domain DOMAIN successfully.

Logoff/Logon \\DOMAINMEMBER to take modifications into effect.

From <https://support.microsoft.com/en-us/kb/175024/>

Solution 1-

nltest.exe can be used to check the channel and attempt to reset it.

nltest.exe /sc_verify:smartmoss.local

If that does not do it, you can restart the netlogon service (I mainly use PowerShell, so I’ll give an example of that).

Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

I ran the nltest command after restarting the service to validate that the secure channel was back in operation.

If you’ve made some network changes (IP Addresses, changing hardware, virtualizing, etc..) you might want to flush your dns cache and clear your arp table before running the above commands.

ipconfig /flushdns
arp -d *
Get-Service netlogon | restart-service
nltest.exe /sc_verify:<fully.qualified.domain.name.here>

Let’s try to find out which DC the client is connected to

nltest /dsgetdc: Dc.local

Point the client to a different DC

nltest /Server:client0 /SC_RESET: DC.Local\DC02

Testing tool

Checked the following tool

http://www.lansweeper.com/kb/2/The-RPC-server-is-unavailable.html

Checked the services RPC, computer browser,

Solution 2-

There is a bug in MS after 400 days of uptime that they don’t tear down their time_wait connections so the server runs out of sockets and can’t make connections to the DC – a reboot should fix this issue temporarily.

From <http://community.spiceworks.com/topic/218426-there-are-currently-no-logon-servers-available-to-service-the-logon-request>

net stats srv

Active Directory, Powershell, Windows Server

How to get all domain Joined Server services that using a unique or domain user

August 6, 2019 Mohammed Hamada Leave a comment

If you’re wondering which of your servers are using domain joined account or a non regular account like network service or system. You will need to go through every server’s service console and check that one by one but thanks to PowerShell this job was made like a piece of cake.

The requirement to run this script is a domain admin account since the PowerShell will require access to other servers using Remote PowerShell using Invoke command and run a Get-WMIObject script to find out those details. So in short I will write the required things for this to work

1- Logged in to Active Directory (In order for AD PowerShell module to run and find computers).

2- Domain admin account (To run the remote PowerShell on other servers and get service details)

3- Firewall for domain joined computers is open (To allow remote PowerShell to work) or have remote PowerShell enabled via GPO.

The Script will also show you the offline (inaccessible servers) and will state those servers as down as you can see in the screenshot below.

The script will also prompt you for a path to save the output. You can enter something like C:\Services.csv as soon as you type the file path and extension it’ll be opened using Notepad.

#Check servers down and get services from the responsive servers

$Computers = Get-ADComputer -Filter { OperatingSystem -Like ‘*Windows Server*’}

$Input = ForEach ($computer in $computers)

{

             $comp = $Computer.DNSHostName

             $dist = $Computer.DistinguishedName

             if (Test-Connection -Computername $comp -count 2 -Quiet )

             {

             Invoke-Command -ComputerName $comp -ScriptBlock {Get-WmiObject win32_service | where {$_.StartName -notlike “*LocalSystem*” -and $_.StartName -notlike “*LocalService*” -and $_.StartName -notlike “*NetworkService*” -and $_.StartName -notlike “*System*”} | select DisplayName,StartName,State }}

else{ Write-host $comp is down -foregroundColor red -BackGroundColor black

             }

}

$Output = Read-Host “Enter File path and Name to save output to”

Out-File -FilePath $Output -InputObject $Input -Encoding ascii

Notepad $Output

Active Directory, DFS, FileServer, Storage

Migrating DFS from 2000 Mode to 2008 made like a piece of cake

December 15, 2018 Mohammed Hamada Leave a comment

Starting:

This article will guide you through the steps for Migrating your DFS mode from 2000 to 2008, in the same time we’ll migrate DFS Namespace servers from 2008 to 2016 but keep the folder targets and replication groups intact without any change

This is a Microsoft summary about the process including my lab migration config step by step, I hope you find this useful and share it with others.

The Windows Server 2008 mode for domain-based namespaces includes support for access-based enumeration and increased scalability.

To migrate a domain-based namespace from Windows 2000 Server mode to Windows Server 2008 mode, you must export the namespace to a file, delete the namespace, recreate it in Windows Server 2008 mode, and then import the namespace settings. To do so, use the following procedure.

NOTE:

After raising domain and forest functional level to 2008, you need to restart DFS services on the FSMO DC

To migrate a domain-based namespace to Windows Server 2008 mode

Open a Command Prompt window and type the following command to export the namespace to a file, where \\ domain \ namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:

On the source DC/DFS Server

Dfsutil root export \\domain\namespace C:\filename.xml

Write down the path (\\ server \ share ) for each namespace server. You must manually add namespace servers to the recreated namespace because Dfsutil cannot import namespace servers.

In DFS Management, right-click the namespace and then click Delete , or type the following command at a command prompt, where \\ domain \ namespace is the name of the appropriate domain and namespace:

Dfsutil root remove \\domain\namespace

Let’s go refresh the console and see if it’s deleted there

Next remove

I will remove the rest of the name spaces

All have been removed, Now lets remove the name spaces from the display and observe what happens to the replication groups

NOTE:

Replication groups didn’t get affected

In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\ server \ namespace is the name of the appropriate server and share for the namespace root:
Dfsutil root adddom \\server\namespace v2

I will use the UI instead of the command

Although we raised the forest and domain function forest but still the 2008 is still greyed out. Lets try to restart the DFS services on the FSMO server

After restarting the services on FSMO server we are able to see the “Enable Windows Server 2008 Mode”

Next, I will copy all the xml files to the new server and import them there

My new server is 2016

To import the namespace from the export file, type the following command at a command prompt, where \\ domain \ namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:

Dfsutil root import merge path\filename.xml \\domain\namespace

After the Import

I will continue to import the rest of the namespaces

First we need to create them with their matching namespaces from the GUI

Now I will import and merge the xml file

After adding the NEW folder which has replicating group existing already from the previous mode. First it didn’t show up

but after navigating to the NewFolder and clicking on Replication tab then Navigate to the replication group showed the replication group underneath the Replication

What has changed?

The only noticeable thing which has changed is the NameSpace Servers, everything else like ( Folder targets still the same, replication is identical to previous settings)

See this screenshot

Let’s check the access to the new namespace

Finally, Let’s import the latest namespace and its configuration (PublicFolder)

Let’s check the result on GUI

Notice the replication group for the PF didn’t come, so let’s do as we have explained before to show the replication group

Here we go

Right after this process finishes, the command creates some kind of a report with time, importing status and other related settings such as site cost, timeout.. Etc

Note

To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.

Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server , or by typing the following command at a command prompt, where \\ server \ share is the name of the appropriate server and share for the namespace root:

Dfsutil target add \\server\share

Note

You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the metadata for the namespace instead of immediately downloading the entire namespace after being added as a namespace server.

From <https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2008-R2-and-2008/cc753875(v=ws.11)>

If you have any other issues or struggling, check out this link it might be of use

http://landie.tech/migrate-dfs-namespaces-from-2000-to-2008-mode/

Active Directory, Certification Authority, Email, Exchange 2010, Exchange 2013, Exchange 2016

Create 10 years Certificate template for Skype for Business, Exchange Server .etc

December 6, 2018 Mohammed Hamada Leave a comment

Having a certificate template that would last for years is a requirements that’s become more of a need during these days due to the amount of time it takes to renew the servers which are certificate dependent.

Some servers would automatically be renewed their Certificate using GPO’s auto enrollment however when this doesn’t work or if you don’t like dealing with GPO and its headache then the best way to solve this is to create a template that would last for sometime and leave you at peace.

Note that having a long term certificate (10 years for example) is not a good practice since encryption algorithm changes over the time and security related issues rise up every now and then so if you decided to go with this article and create 10 years template for your servers, you will need to keep an eye on latest news related to certificates, encryption and signature algorithm so they are not exploitable.

To begin with this article, I will tell a small story of a company that had suffered production disasters due to this might look tiny kind of problem.

A company called AP have deployed Lync 2013 (Currently Skype for Business) and decided to use the default CA (Webserver) template which lasts for 2 years by default.

This company called me when their Lync servers were all down and PSTN calls were not going through so the first thing that came to my mind is to check Services and as soon as I saw services were not able to run I checked the eventlog’s Lync tab.

The errors were mostly referring to an expired certificate. upon renewing the certificates for all servers everything went back to normal but that took long downtime and delayed the company’s productivity.

Here came the idea of creating a long template which would last for 10 years, achieving this on Exchange is done through the following steps:

On CA Server Find and open the Certification Authority MMC

Right click on Certificate Templates and click Manage

IN certificate templates console right click on Web Server and click Duplicate template

Select Windows Server 2003 Enterprise

Enable “Allow private key to be exported”

Select Enroll for the Authenticated users

Back to the Certificate Authority Console, Right click on Certificate Templates and click New -> Certificate template to issue and add the certificate template you created to the list.

Web Server V2 is on top

Let’s check it on Certserv IIS

Certificate is generated for 5 years. The reason why the certificate is generated for 5 years is because the Certification Authority server’s Certificate is limited to 5 years.

So the CA certificate must be set to longer then the client’s requested Certificate limit.

Certification Authority Issuing Certificate validity period extending

To change the Validity Period for the Root CA you can configure a CAPolicy.inf. To create a CAPolicy.inf file that changes the lifietime of the certificate to 30 years, you would type the following into a text file, and save it with the name CAPolicy.inf in the

C:\Windows directory,:

[Version]

Signature= “$Windows NT$”

[Certsrv_Server]

RenewalValidityPeriod=Years

RenewalValidityPeriodUnits=30

From <http://blogs.technet.com/b/xdot509/archive/2013/06/06/operating-a-windows-pki-renewing-ca-certificates.aspx>

After this you will need to renew the CA certificate from the CA console : right click on your certification authority and choose All Tasks -> then choose -> Renew CA Certificate

When you click on Renew CA certificate you will get the following prompt asking you to stop the CA to renew its Certificate, Click Yes

Once you click on Yes the service will stop and you will get this window telling you if you would like to generate new public and private key it’s up to you to use a new or not but if you choose Yes the clients using the old Certificate might be provoked and you might need to install the new CA Certificate on all clients using GPO.

Click Ok

After clicking OK you will see that you were able to generate the new CA Certificate and then you can issue clients certificates.

In order to allow the CA to issue certificates that has longer than the default age (2 years) you must run the following command line on the CMD on the CA server.

Run the certutil commands above to change the maximum lifetime of certs issued by the CA

certutil -setreg ca\validityperiodunits 30
certutil -setreg ca\validityperiod years
net stop certsvc net stop certsvc

Now when you try to generate a new certificate for your Exchange or any other app you should choose the new template which is 30 years valid.

Active Directory, Exchange 2010, Exchange 2013, Exchange 2016

Corrupted Databases on Exchange 2010/2013/2016 and how to recover with Stellar Phoenix Mailbox Exchange Recovery software review

November 16, 2018 Mohammed Hamada Leave a comment

23 May 2018 By Mohammed Hamada

Exchange administrators go through hard times when servers crash, Reason of these crashes can vary but the result will most likely be a corrupted Database with dirty shutdown status.

In my case as an Exchange Senior Consultant I came through many clients who have had power issues or an update that cause their Servers to go down and crash Exchange servers. Some of them had 20K users with a very busy environment and huge amount of data being written on their databases.

Most organizations will likely have backup solution which backs up the database on daily basis but I have seen that even these kind of organizations will still lose data due to the interval of data backup they have which is around minimum of 12 hours. so if a database gets corrupted in +5 over the past backup then there would be a disaster.

This where recovery solution is a must, Stellar Phoenix Mailbox Exchange Recovery have the capability to recover data in the mailbox which is no longer visible on Exchange but it is still on a backup for example or from a corrupted database since has the mechanism of rescuing a corrupted database which can’t be mounted or read by Exchange server.

Installation:

The installation process is pretty straight forward. You can check the demo version and see for your self how that this software can read the database and mailboxes prior to make any decisions on purchasing.

Use of Stellar Phoenix Mailbox Exchange Recovery

Loading a DB into the application will show you all mailboxes inside the DB, You can see all the content of each user, their calendar, contacts and even mail items‘s content.

Menu Navigation

The use of the app is pretty easy as you can see from the main ribbon menu below:

To load a corrupted EDB you simply click File > Select EDB and load the DB then once it loads you’ll be able to navigate through the mailboxes within the DB

Exporting Data:

Once the list of users loads, you can choose users then right click on the user and save button as whatever file type that’s convenient for you to restore your data. The Save button is also added to the ribbon from which you can save or export the items you require.

Check Data Integrity

Read data from within the application and see for yourself if the items are still readable. If not then you still can fix the database and restore the damaged or lost data.

Exchange Version Support:

Supports MS Exchange Server 2016 / 2013 / 2010 / 2007 / 2003 / 2000 & 5.5

Licensing

You can purchase the license online and will receive a registration key or a dongle to register the product, although in the demo you can see most of the features in action.

Main Features

Recovers Dismounted & Offline Database files which you think are no longer mountable on Exchange server
The ability to repair large databases and several databases at the same time.
You can also exports recovered Mailboxes from corrupted databases directly to Exchange Online/Office 365.
Restores Mailbox items like emails, contacts, calendars, tasks etc.
Allows saving recovered database items in different formats e.g. PST, MSG, EML, HTML, RTF & PDF formats

To learn more, Please visit the vendor’s website

https://www.stellarinfo.com/edb-exchange-server-recovery.htm

Reference:

https://www.linkedin.com/pulse/corrupted-databases-exchange-201020132016-how-recover-mohammed-hamada/

Active Directory, Powershell

Bulk Copy Files to Domain Joined Computers

April 19, 2018 Mohammed Hamada Leave a comment

Using Powershell to copy Files between Joined Computers in a domain

While doing projects sometimes you have to work with the GPO to copy certain files, scripts to apply certain commands on clients Computers however, The GPO’s File/Folder creation method takes long time to gets created and until replication through all clients is done you’ll have to wait for “God knows how long” till the shows you placed gets copied to the destination computers.

Hard Part

After having to copy certain folder to about 800 machine immediately in order to apply certain script I had to create a script to copy this folder to all the machines straight ahead.

Script

The script below will read computer hostnames,FQDN from a file that I exported from certain Organizational Unit and check if the Computer is online then copy folder to it if not it’ll report that it’s not online with Red font color and yellow background using Robocopy.

Hope this scripts will help someone out there.

#This Script will copy files to destination computers which you will define in a stored file.

#The Format of the CSV fille will contain only two columns (Name,DNSHostname) you can use the below script to export computer objects from certain OU.

#Get-ADComputer -Filter * -SearchBase “OU=Computers,DC=Domain,DC=com” | select name,dnshostname | Export-Csv C:\Computers.csv -NoTypeInformation

$computers = Import-Csv “C:\computer1.csv”

Start-Transcript

Foreach ($computer in $Computers){

$fullcomp = $computer.dnshostname

If (Test-Connection -ComputerName $computer.name -Quiet) {

.\Robocopy.exe \\SourceServer\c$\nk2edit \\$fullcomp\C$\nk2edit

Write-Host Files has been copied to $fullcomp -ForegroundColor Green -BackgroundColor black}else{

Write-host $computer.name is not online -ForegroundColor Red -BackgroundColor Yellow

}

}

Active Directory Admin Password

Resetting Via Azure Portal

Through PowerShell

Solution

Result

Through PowerShell

Upgrade FRS to DFS:

First Let’s explain a bit about what does FRS and DFS do and what is the difference?

How does DFS Works?

Migration Starts Here

Health Check

Prerequirements:

Migration:

Migrate the domain to the Redirected state

Migrating to the Eliminated State

The Story:

How to Create a Cloud user from Exchange On-premises?

Second option – Using Powershell

The Real Question now is: How to Sync Cloud User to On-premises AD ?

So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?

Solution:

1- Create an on-premises Mailbox where the following attributes would be matching the cloud user

2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)

The story:

Creating the script process:

The Script :

How to run:

Screenshot of the result

Starting:

NOTE:

On the source DC/DFS Server

Using Powershell to copy Files between Joined Computers in a domain

Hard Part

Script

#This Script will copy files to destination computers which you will define in a stored file.

#The Format of the CSV fille will contain only two columns (Name,DNSHostname) you can use the below script to export computer objects from certain OU.

#Get-ADComputer -Filter * -SearchBase “OU=Computers,DC=Domain,DC=com” | select name,dnshostname | Export-Csv C:\Computers.csv -NoTypeInformation

$computers = Import-Csv “C:\computer1.csv”

Start-Transcript

Foreach ($computer in $Computers){

$fullcomp = $computer.dnshostname

If (Test-Connection -ComputerName $computer.name -Quiet) {

.\Robocopy.exe \\SourceServer\c$\nk2edit \\$fullcomp\C$\nk2edit

Write-Host Files has been copied to $fullcomp -ForegroundColor Green -BackgroundColor black}else{

Write-host $computer.name is not online -ForegroundColor Red -BackgroundColor Yellow

}

}

Just another IT Website