Tag Archives: Active Directory

Upgrade Sysvol Replication to DFS (Distributed File System Replication) Guide through

December 20, 2019 Mohammed Hamada Leave a comment

Upgrade FRS to DFS:

You might be searching on how to do this due to many reasons, Migrating your DCs to Windows 2016 or Windows 2019, The steps to do this type of migration is pretty easy and straightforward.

First Let’s explain a bit about what does FRS and DFS do and what is the difference?

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers.

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD.

All the domain controllers in the network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install the active directory.

How does DFS Works?

In Windows server 2008 and later Active Directory uses Distributed File System (DFS) for the replication. DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

Although FRS has been deprecated Since Windows server 2008 most people still looking to migrate to latest version.

Migration Starts Here

In this guide, I am going to explain how to do this kind of migration step by step.

I am going to run the migration on Windows 2008 R2 Servers. however the process is exactly the same on Windows 2012 R2.

To start, I need to check the service console to see which services are running the replication. From run type services.msc and enter

As you can see there, File Replication Service is running

In the same manner DFS service is also started and functioning, But that doesn’t mean that RFS is not being used.

Health Check

Before starting any migration, I prefer to do a check on Eventviewer just to make sure nothing critical is being reported. In the same way I would like to see if there any warning being reported.
Below you can see errors are being reported from File Replication Service by the Domain Controller SRV01, So the time is convenient to start this kind of migration as this would fix the errors being reported.

Prerequirements:

The first part of the process for migrating SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication is to raise the functional level of the domain to Windows Server 2008 and to set the global migration state to Prepared.

Make sure your Domain Function Level is raised to 2008 at least for this process to work.

Migration:

To start migration, Run Powershell as an administrator from the DC And type the following command to prepare DCs for the migration.

dfsrmig /getglobalstate

Preparing to migrate

dfsrmig /setglobalstate 1

When this is done, you might have to wait sometime (5 mins or less for small environments). When done waiting type dfsrmig /getglobalstate to verify that the global migration state is Prepared. The following output appears if the global migration state is Prepared.

You will be able to see an event ID 8014 showing you the success of this command. Which means you can move to the next stage.

Migrate the domain to the Redirected state

From a command prompt or PowerShell window on a writeable domain controller (not a read-only domain controller) in the domain that you want to migrate, type dfsrmig /setglobalstate 2 to set the global migration state to Redirected.

2. Type dfsrmig /getglobalstate to verify that the global migration state is Redirected. The following output appears if the global migration state is Redirected.

After doing this, Checking event viewer you can see event ID 8017 showing you the current state, in my case it’s showing DFSR has successfully Migrated the DC to “Redirected” state. so it means we are good to go to the next step.

Migrating to the Eliminated State

Log on to a writeable domain controller (if you are not logged on already).

Open a command prompt window and then type dfsrmig /setglobalstate 3 to set the global migration state to Eliminated.

2. At a command prompt, type dfsrmig /getmigrationstate to verify that all the domain controllers are at the Redirected state. The following output appears when all domain controllers are at the Redirected state.

In the event viewer you can see the state of the DCs reporting that DC will now migrate to the “Eliminated” state. with event ID 8018

Once everything is finished, You will be able to confirm by two things, First on the Service console the File Replication Service should be disabled since it’s no longer going to be used.

Second thing is by using Command line or Powershel, Type Net Share an you can see the new Shares being published with new names “Sysvol_DFSR”.

Ref:

https://docs.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr

https://docs.microsoft.com/en-us/windows/win32/win7appqual/file-replication-service–frs–is-deprecated-in-windows-server-2008-r2

Active Directory, Powershell, Security

Powershell script to audit users who authenticated against DC servers

December 10, 2019 Mohammed Hamada Leave a comment

The story:

I have got a request from a client asking to find out which server(s) is using which domain admin or a highly privileged account as a service.

To find this I already wrote a powershell script that does this, Search the non standard/(Domain only users) and show the services and name of the servers where those accounts are configured on utilizing Remote powershell to do so and the use of a Domain Admin user.

You can refer to this link to see this article by clicking here

Creating the script process:

The same client wanted to also know which of those accounts did authenticate and wanted to know from which server/Computer did the request originate from and to which DC did it go.

I have started thinking of the process of doing so by again utilizing remote PowerShell to check against certain security events on AD to check which user among the Domain admin members did authenticate.

After sometime and with the help of some forums I managed to get script ready which looks in all Domain Controllers for users that are members of the Domain Admin groups who triggered an event ID 4624 and from which Computer did this request came from.

The Script :

# Get domain admin user list
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID
$EventID = '4624'
#
# Get only last 24hrs
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, this will have to be set to zero
$MaxEvent = 100

# Loop through Dcs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    Get-WinEvent  -ComputerName $CurDC -FilterHashtable @{Logname='Security';ID=$EventID;StartTime = $Date} -MaxEvents $MaxEvent |`
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |`
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value;Time = $_.TimeCreated;LogonEventLocation = $CurDC}
    }
}
$DALogEvents

How to run:

The Script must be run on DC with a privileged account in order to get the write results, The default time interval is set to 3 days but you can choose to increase that.

You can also change the default group where you want to search for members by changing Domain Admin groups to something else.

Screenshot of the result

Active Directory, Exchange 2010, Exchange 2013, Exchange 2016

Corrupted Databases on Exchange 2010/2013/2016 and how to recover with Stellar Phoenix Mailbox Exchange Recovery software review

November 16, 2018 Mohammed Hamada Leave a comment

23 May 2018 By Mohammed Hamada

Exchange administrators go through hard times when servers crash, Reason of these crashes can vary but the result will most likely be a corrupted Database with dirty shutdown status.

In my case as an Exchange Senior Consultant I came through many clients who have had power issues or an update that cause their Servers to go down and crash Exchange servers. Some of them had 20K users with a very busy environment and huge amount of data being written on their databases.

Most organizations will likely have backup solution which backs up the database on daily basis but I have seen that even these kind of organizations will still lose data due to the interval of data backup they have which is around minimum of 12 hours. so if a database gets corrupted in +5 over the past backup then there would be a disaster.

This where recovery solution is a must, Stellar Phoenix Mailbox Exchange Recovery have the capability to recover data in the mailbox which is no longer visible on Exchange but it is still on a backup for example or from a corrupted database since has the mechanism of rescuing a corrupted database which can’t be mounted or read by Exchange server.

Installation:

The installation process is pretty straight forward. You can check the demo version and see for your self how that this software can read the database and mailboxes prior to make any decisions on purchasing.

Use of Stellar Phoenix Mailbox Exchange Recovery

Loading a DB into the application will show you all mailboxes inside the DB, You can see all the content of each user, their calendar, contacts and even mail items‘s content.

Menu Navigation

The use of the app is pretty easy as you can see from the main ribbon menu below:

To load a corrupted EDB you simply click File > Select EDB and load the DB then once it loads you’ll be able to navigate through the mailboxes within the DB

Exporting Data:

Once the list of users loads, you can choose users then right click on the user and save button as whatever file type that’s convenient for you to restore your data. The Save button is also added to the ribbon from which you can save or export the items you require.

Check Data Integrity

Read data from within the application and see for yourself if the items are still readable. If not then you still can fix the database and restore the damaged or lost data.

Exchange Version Support:

Supports MS Exchange Server 2016 / 2013 / 2010 / 2007 / 2003 / 2000 & 5.5

Licensing

You can purchase the license online and will receive a registration key or a dongle to register the product, although in the demo you can see most of the features in action.

Main Features

Recovers Dismounted & Offline Database files which you think are no longer mountable on Exchange server
The ability to repair large databases and several databases at the same time.
You can also exports recovered Mailboxes from corrupted databases directly to Exchange Online/Office 365.
Restores Mailbox items like emails, contacts, calendars, tasks etc.
Allows saving recovered database items in different formats e.g. PST, MSG, EML, HTML, RTF & PDF formats

To learn more, Please visit the vendor’s website

https://www.stellarinfo.com/edb-exchange-server-recovery.htm

Reference:

https://www.linkedin.com/pulse/corrupted-databases-exchange-201020132016-how-recover-mohammed-hamada/

Active Directory, Domain, Domain Controller

Installing child domain in Windows 2012 R2 RTM causes replication failure

September 19, 2016 Mohammed Hamada Leave a comment

After Installing child domain in Windows 2012 R2 RTM causes the replication to fail.

Symptoms : Event ID 1202, 1126 and 1645

Evet ID 1202

Event ID 1126

Event ID 1645

After installing new child domain and join it to the Root domain

To show the child domain’s DNS partition enlisting use

Dnscmd /enumdirectorypartitions

Add child domain’s DNS to the forest

dnscmd /enlistdirectorypartition

First Solution

Make sure windows is full updated, After you apply Windows update the problem should be gone.

If not check the second solution:

Second: Make sure that your Child administrator and root administrator’s passwords are not identical.

Third: Make sure trust is set properly using the following command

Active Directory, Attributes

Restoring an Active Directory Object after mistakenly deleting it

June 2, 2016 Mohammed Hamada Leave a comment

Starting with Windows 2008 R2, Microsoft introduced the Active Directory recycling bin. This is great for recovering objects back into AD if they are accidentally deleted. In order to use the recycle bin feature, your forest must be running with a functional level of Windows 2008 R2. If your forest is running at this level you simply run a PowerShell command to enable it.

Enable

To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet

Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.

Below is a sample for enabling it for domain.com:

Enable-ADOptionalFeature –Identity “CN=Recycle Bin Feature,CN=Optional Features,CN=Directory Service,CN=Windows NT,CN=Services,CN=Configuration,DC=moh10ly,DC=com” –Scope ForestOrConfigurationSet –Target moh10ly.com

Restore

Once you have the Recycling Bin for Active Directory you will have to use LDP.exe to restore. By default the container with the deleted objects is not displayed. The following steps will allow you to see the container with the deleted objects.

Display Deleted Objects

Follow these steps to display the Deleted Objects container:

To open Ldp.exe, click Start, click Run, and then type exe.
On the Optionsmenu, click Controls.

3. In the Controlsdialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.

4. To verify that the Deleted Objects container is displayed:

To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind. (U must use SSL and port 636)
Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.
In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects, DC=<mydomain>,DC=<com>container, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.

Restore Deleted Objects

Once you have enabled the container to be displayed, you can now restore deleted objects from Active Directory. Below are the steps to recover a single item from the recycle bin using LDP.exe.

Follow these steps to restore a deleted Active Directory object using Ldp.exe:

Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Startmenu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.

On the Options menu, click Controls.
In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
In the console tree, navigate to the CN=Deleted Objects

Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
In the Modifydialog box:
In Edit Entry Attribute, type isDeleted.
Leave the Valuesbox empty.
Under Operation, click Delete, and then click Enter.

In Edit Entry Attribute, type distinguishedName.
In Values, type the original distinguished name (also known as DN) of this Active Directory object.
Under Operation, click Replace.

Make sure that the Extended check box is selected, click Enter, and then click Run.

A key point to understand and remember with AD Recycle Bin is that you must restore hierarchically; a parent object must be restored before a child object. If you were to delete an entire OU and all its contents, you must first restore the OU before you can restore its contents.

Modify

Clicking on Run gives an error

“Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.”

Resolution:

Disconnect and reconnect with SSL on port 636

Enter the full Distinguished path in the Values

Before

After

Active Directory, Attributes, Exchange 2010, Exchange 2013, Office 365, Office365

Changing Proxy Address for local AD users

April 1, 2016 Mohammed Hamada Leave a comment

If your Exchange users have problem with Active Sync’s Autodiscover configuration or you’re intending to configure a Hybrid configuration with Microsoft office 365 Exchange Online or Your Lync/Skype for business users are having troubles signing in right after you enable users from the Lync/SfB Panel then this article is for you.

Note: For Lync you’d want to change Account (UPN) Instead of the Proxy Address Attribute for users. For each scenario it might be a different case.

Assuming that I have the following domain list, and I want to add them to my AD user’s proxy address attribute so they can use it as SMTP address

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain1.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain2.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain3.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain4.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain5.com

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@cardtekcloud.onmicrosoft.com

First to add main SMTP address we’ll use the attribute {308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@Domain.com

Next to add alternative Proxy addresses we’ll use

{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}’sAMAccountName'{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}@domain.com

I’ll open ADModify.net app and select the organization that I would like to apply the changes for

I’ll select Domain from the domain list. Then choose the Domain controller and choose only to show users

Click on the green Next button then click Add to List then click Next under the user to continue

I’ll navigate to Email addresses tab to do the changes and place the domain that I would like to use.

I’ll enter whatever domain and use sAMAccountName since it matches the user’s Email address .

IMPORTANT NOTE:

It’s very important to notice that if you’d like to change the domain in the Proxy Address . You ‘ll need to choose an attribute that matches the user’s existing Proxy address username ..

To add the other domains e.g. domain2, domain3 ..etc I’ll follow the exam same steps just change the end @domain2.com.

That should be all. If you have any questions please don’t hesitate to contact me or comment.

My Tech Website