This blog is going to be dedicated to pages, posts, documentation, links, and information that I find during my troubleshooting processes within the IT world. Some posts will contain code snippets that you can use with your own work if needed. Feel free to comment and get this thing rolling!
I’ve been building this blog along with my consulting business and needed to secure my websites with SSL for BBB accreditation. That accreditation is still pending at this time, but I want to show good faith in business practices to attain that accreditation.
So, I purchased my certificate and preformed the following to assure that all traffic to my websites are SSL secured. There are a number of ways to do it, and even do it for Exchange, (which I will cover in another post), but I found a great article that is simple and will work for most standard web sites. The link will be at the bottom in the references section. 🙂
Note: In this example {HTTPS}, {HTTP_HOST}, and {REQUEST_URI} are all URL parts that can be accessed using the URL Rewrite module. More information on URL parts can be found here.
The URL rewrite rules get written to the web.config file for the site you are working in. For example, the above configuration should result in this addition to the web.config file:
1 2 3 4 5 6 7 8 9 10 11 | <rewrite> <rules> <rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" negate="false" /> <conditions logicalGrouping="MatchAny"> <add input="{HTTPS}" pattern="off" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" /> </rule> </rules> </rewrite> |
That should take of it all for you and now when users connect to your website via http, they will be automatically redirected to https SSL.
References:
Creating Rewrite Rules for the URL Rewrite Module
URL Rewrite for IIS7 http to https redirection
URL Component Reference
Redirect from HTTP to HTTPS using the IIS URL Rewrite module
As many of you are aware, Microsoft provides a default logon page for OWA, the Outlook Web App. Most companies, like myself want to be able to customize that page so that it suites your organization. Here is what my company OWA page looks like:
I have changed the color on the left to match my scheme, replaced the Outlook Logo with my company logo, and added a disclaimer to notify users. Below is the process to do that effectively for your organization.
NOTE: Every time you install an Exchange Cumulative Update (CU) or new version of Exchange Server these modified files will be replaced. Remember to backup your original and changed files to another folder so that you can replace them when you Update or Upgrade or if something goes wrong with the changes.
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources\logon.css
logon.css file, replace the default blue hexidecimal color value #0072c6 with the HTML RGB value that you want to use. You can use the following LINK to choose the color you wish to use.Here are the different graphics that can be changed on the OWA logon page and their associated files:
| Image | File name | Location | Dimensions (width x height in pixels) | Bit depth |
|---|---|---|---|---|
| 1 | favicon.ico | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 16 x 16 | 32 |
| 2 | olk_logo_white.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 128 x 108 | 32 |
| 3 | owa_text_blue.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 300 x 76 | 32 |
| 4 | Sign_in_arrow.png (for left-to-right languages) Sign_in_arrow_rtl.png (for right-to-left languages) | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 22 x 22 | 32 |
Next, we want to add a disclaimer to our logon page. To do that, we need to modify the logon.aspx document in the following directory:
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\logon.aspx
Open the file in Notepad or your favorite HTML editor and search for the text ‘hidden-submit’. When you find the text, you can add your disclaimer text under the div class=”disclaimer” tag as I did in the following example:
1 2 3 4 5 6 7 8 9 | <div class="hidden-submit"><input type="submit" tabindex="-1"/></div> <div class="disclaimer"><p><b>Warning</b>: The website you are about to use is owned by Company Name and is intended to be used for official company business. As such, Company Name reserves the right to monitor all activity on all Company Name provided equipment and services. Use of Company Name provided information systems and networks in violation of company guidelines will result in disciplinary action, up to and including prosecution.</p> <p> <b>Violators</b>: They Will Be Prosecuted! </p> </div> </div> |
Save your logon.aspx file and give your OWA server an IISRESET for good measure. You should be good to logon with the new page from that point on.
References:
Customize the Outlook on the web sign-in, language selection, and error pages in Exchange Server
CUSTOMIZE EXCHANGE 2016 OUTLOOK ON THE WEB SIGN IN PAGE
Customizing Exchange 2016 OWA
In Windows Server 2016/2019 you have been upgraded to the Windows 10 Desktop Experience GUI. So, in the new versions, you are directed to use the 
to get to your settings. What was happening within the Settings is that I would choose a setting that calls on the control.exe file to open a Control Panel app. I would get the following error when attempting to do that function:
I immediately think it is a permissions issue. So I go to try to validate the permissions so that I could change them. Turns out, that due to it being a Windows System directory, I couldn’t modify the permissions without compromising directory security with NTFS permissions:
Now, if I open Control Panel, Network Sharing Center, etc…, I was able to access the applets with no issues. This was just happening in the Settings Gear Box Application. So, I started looking around and found that there is a registry key that needs to be modified so that your Administrator account can open these settings apps through the Settings Application:
1) Launch the Registry Editor (regedit.exe)
2) Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3) Change the value of FilterAdministratorToken (REG_DWORD) from 0 to 1 (If you don’t see that key, you can create it by right-clicking on any empty space from the right panel and select New > DWORD value, type the name and set the value to 1)
4) Reboot the computer and then it will be working fine.
I decided to create a Group Policy in AD to add this registry key so that it would propagate to all my 2016/2019 Servers:
1) Launch the Group Policy Manager
2) Create a new GPO and Link it to your Domain
3) Go to Computer Configuration > Preferences > Windows Settings > Registry > New Registry Key (DWORD)
4) Set the Action to “Replace”
5) Set the path as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
6) Set the Key as FilterAdministratorToken
7) Set the Value as 1 (Decimal Format) and Save
8) Run gpupdate /force on your servers.
9) Schedule a Reboot of those servers for the change to truly take effect.
After the reboot of the server, all the apps launched correctly from the Settings Application within Windows. I am going to research a little more to see why this is like that. If you have a comment, or more information, please feel free to post!
I have realized recently that I am an Exchange Messaging Professional, but yet, I have not posted the methodology of how I install an Exchange Server Mailbox Role. So here it is!
Exchange Server 2019 requires Windows Server 2019 to run. For my environment, I haven’t necessarily need to follow all the enterprise level design aspects of database numbers to mailbox size ratios, number of servers, front/back end configurations, DAG Implementation, etc… If you want or need to delve into that realm, you can go here. I have need for a single server with only a few databases for a small number of mailboxes, so I am approaching it from that standpoint.
So first, in Hyper-V, I configured my VM with the following specifications:
Processors: 2 procs with 2 cores each – 4 Virtual Processors Total
RAM: 32GB with dynamic memory enabled optional
Drives: 2 .vhdx drives of 120GB each (OS / Exchange Data)
CD: Windows 2019 ISO
Default Settings for the rest of the VM Settings
Next I installed Windows Server 2019 Datacenter with the GUI! You can install it on Server Core if you wish. That information can be found in this link.
I ran through the setup of Windows and installed the OS on my first vhdx drive. I booted up, set the local admin password, and logged in. Once in Windows, I went to the Local Server Settings in Server Manager and configured the following settings:
Set the Date, Time, and Time Zone. (Once in the Domain, this would sync through Group Policy)
Set IE ESC to allow Administrators to have full IE access.
Set Remote Desktop Settings to gain RDP access. (This would be locked down with Group Policy as well once on the Domain)
Set the IP Settings to Static Settings. (DNS Servers, Gateway, WINS, etc…)
Join the server to the Active Directory Domain.
Reboot the VM Server.
Logon to your Domain.
Configure Windows Update Settings. (I have WSUS through Group Policy, this was configured automatically upon reboot)
Download and install all Windows Updates for the server. Then Reboot.
Open Disk Management and configure the secondary vhdx drive to be your Exchange Data Drive.
I configured the drive to be a mounted folder ‘C:\Exchange\Data’ rather than another drive letter as that seems to be the more accepted form of installation for the data drive these days. That is based on the multiple configurations that I have seen for Exchange through experience in Enterprise environments. Again, to each is own and depending on you design specifications, you might want to do that differently.
Next, we need to install the prerequisites for the Exchange Mailbox Server. I have always used practical365.com to get the PowerShell script to install the prerequisites, but couldn’t find the article this time. Great site though! Instead, I got the information and ran the following from an elevated PowerShell Session locally on the server:
1 | Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs |
As part of the prerequisites you will need to install the following packages onto the server as well:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Once completed, you can begin the install of Exchange. If this is your first Exchange 2019 Server in your Organization, then you will need to run the following to update the Forest, Schema, and Domain so that Exchange will install properly:
1 | setup.exe /p /IacceptexchangeServerLicenseTerms |
1 | setup.exe /ps /IacceptexchangeServerLicenseTerms |
1 | setup.exe /pad /IacceptexchangeServerLicenseTerms |
NOTE: If you run into Prerequisite issues with the installation due to a “pending reboot”, check out my blog post for information on remediation of that issue.
Now that the environment is prepared for Exchange, you can actually begin the installation. I wanted to make my default database and logs folder to be on the Exchange Data volume that I created, so I included those settings in the setup command. Please look at the reference to the setup.exe switches for more information on that. Here is the command:
1 | setup.exe /Mode:Install /IacceptexchangeServerLicenseTerms /Role:Mailbox /DBFilePath:"C:\Exchange\Data\MDB\EX2019-DB01.edb" /LogFolderPath:"C:\Exchange\Data\LOGS" /MdbName:"EX2019-DB01" |
Setup should go through the installation via the PowerShell window and complete successfully. Reboot the Exchange Server, then you can then logon to the Exchange Admin Center and begin the process of configuration of how you need to integrate the Mailbox Server into your Server Farm. That configuration is for a later post.
References:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Install Exchange Server 2019 on Windows Server 2019 Core
Exchange Server Design Planning
Use unattended mode in Exchange Setup
Practical365 on Exchange 2019
Wanted to do a quick post as I was working on my Hybrid Exchange Environment. I was unable to get the HCW to download and start from the Exchange Control Panel with the link provided on the page. This has happened to me for a while, so I went online and found a link that would work that could be downloaded and reused to open the HCW:
Hybrid Configuration Wizard Link
References:
HYBRID CONFIGURATION WIZARD WON’T START ON WINDOWS 2016
Like most IT guys. They have a repository of their ISO images saved on a network share so that they can mount the ISO if needed on multiple machines. I recently switched to Hyper-V and have been having an issue with creating VMs and using my ISO from my network share to do so.
Hyper-V Manager available through RSAT doesn’t have an option to mount an ISO or capture a drive from a machine on which is running. Instead it gives you drives of the Hyper-V host, and that would of course require you to have an ISO or the disc itself present on the host. I didn’t want to do that. I would rather have my repository share available for that purpose to allow for all the drive space to be available on the Hyper-V host.
So, I would map a network drive with my ISOs. The mapping would succeed, but mapped drive (letter) will not be visible in Hyper-V manager when trying to mount an ISO. Okay, so next I tried mounting from UNC share directly, but that would also fail, with the message:
“‘VM’ failed to add device ‘Virtual CD/DVD Disk’” & “User account does not have permission required to open attachment”.
It goes back to the constrained delegation requirement for the Hyper-V host accounts to be used to perform functions such as this. This has been a pain to say in the least, as I have also had issues with live migration with my machines not being clustered due to different hardware.
So, in researching, I found this blog post. It has helped me through this issue with mapping the shared folder with the ISOs.
The cause of the problem is that the Hyper-V is intended to run with VMM Library Server and to mount files from it, not any random share. To re-mediate this:
Here is step by step procedure for the constrained delegation:
The resulting setup should look something like this:
I added both the server that contained the ISO images and the server that I run my RSAT tools from just to be safe. I next rebooted the Hyper-V host (that is a requirement).
When the host rebooted, I was able to successfully create the VM.
Hopefully, this will also solve my issue with live migration between my hosts. I will have to test that again and will inform everyone here if that succeeds as well!
References:
Hyper-V Server 2012 won’t mount ISO from a network share
Hyper-V authentication in Windows Server 2016 for managing remote Hyper-V servers through RSAT
Constrained Delegation
I have had this issue with EVERY upgrade that I have ever attempted for Exchange Server from 2013 through 2019 CU1. You go to run the setup program and during the prerequisite checks, setup stops. The error listed is:
A restart from a previous installation is pending. Please restart the system and rerun setup.
During the prerequisite checks, Exchange Setup looks in the registry at the following keys:
Nine times out of ten, a restart does NOT remediate this error. In order for setup to continue properly, you must do the following:
You should now be able to run setup and upgrade your Exchange Server.
References:
A Restart From Another Installation Is Pending
Exchange Setup Fails – A Restart From Another Installation Is Pending
Microsoft Document – A Restart From Another Installation Is Pending
As you may have knowledge of, if you are reading my blog. I am currently migrating off of VMWare to Hyper-V. Now, as I convert my machines to Hyper-V, it uses a totally different driver for the Network Card. I am having to rebuild the NIC settings within windows to setup the NIC for the Hyper-V VM to get the machines on the network properly again. The VMWare NIC disables and hides the NIC from the VMWare driver in Device Manager.
What this does is make Windows think it has two active network cards, even though one is disabled and removed/hidden in device manager. So, to clean things within Windows, I have to perform the following procedure to remove the hidden device:
Open PowerShell as Administrator
Next, type the following cmdlet and press Enter:
1 | set devmgr_show_nonpresent_devices=1 |
Next, open Device Manager from the PowerShell Session:
1 | devmgmt.msc |
When the Device Manager GUI opens, click the View menu
Click Show Hidden Devices
Go to the Device that is hidden, in my case the Network Adapter
Right-Click the Device and select Uninstall
Close the Device Manager GUI and PowerShell session
This cleaned the old hardware drivers off the system and allowed the current Hyper-V NIC to be the only one installed.
A rare weekend post for me! HA! I am currently migrating my server environment from VMWare 6.7 to Server 2019 Hyper-V. I have a separate standalone box that I use for my VM backups and as a tertiary DC. Since I had to shut down my VMs in order to convert them, I needed to quickly move my FSMO roles from the DC Virtual Machine to the Standalone box so things would stay running.
I found this great article on how to do that quickly through PowerShell since it is a pain to go into ADUC, ADDT, and setup an MMC for the Schema snap-in.
When you create a domain, all FSMO roles assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another both the Active Directory graphics snap-ins and the PowerShell command line. Moving FSMO roles using AD PowerShell has the following benefits:
Import the Active Directory Module Into PowerShell:
1 | Import-Module ActiveDirectory |
To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell cmdlet:
1 | Get-ADForest ldlnet.net | ft DomainNamingMaster, SchemaMaster -a -wr |
To view domain-wide FSMO roles (Infrastructure Master, PDC Emulator and Relative Identifier Master roles):
1 | Get-ADDomain ldlnet.net | ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr |
To transfer FSMO roles between Active Directory domain controllers, we use the PowerShell cmdlet:
Move-ADDirectoryServerOperationMasterRole
To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:
NOTE: Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasteRole cmdlet can be performed from any domain computer to migrate the Operations Master roles if you have the appropriate rights (Domain admins and Enterprise Admins).
Import the AD Module:
1 | Import-Module ActiveDirectory |
I needed to move all the roles from one server to the other, so, I ran the following to do so:
1 | Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False |
NOTE: To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:
| PDCEmulator | 0 |
| RIDMaster | 1 |
| InfrastructureMaster | 2 |
| SchemaMaster | 3 |
| DomainNamingMaster | 4 |
So, by having knowledge of these numbers, you can simplify your cmdlet:
1 | Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False |
NOTE: In the event that the current owner of one or all of the FSMO roles fails, the forced transfer of FSMO roles is performed by the same command, but with the -Force option. Also, after the FSMO roles have been seized, the domain controller from which the roles was seized should never be connected to the domain. You will need to preform a metadata cleanup of the Schema before even thinking about putting that failed server back into production.
Once completed, I ran the previous cmdlets of Get-ADForest and Get-ADDomain to verify that the FSMO roles moved to the destination server.
As of now, my conversion to Hyper-V is going smoothly, although it takes quite a bit of time to convert the hard disks. Thanks again!
Recently, I was trying to load this IT Blog and noticed that the page took a very long time to load properly. So, first thing I did was logon to my Web Server to check things and saw that the Performance was very slow, almost to a halt. When I was able to pull up Server Manager, I saw the following:
The Performance Alert was pegged at 99+ alerts. I went into the alerts for the performance and saw the following:
My CPU Usage was pegged at 100% for many hours. As I was having issues with the server and could not dig any deeper to find what was running to cause the error other the the w3wp process, I decided to reboot the server.
Rebooting did resolve the issue at hand, but I needed a better way to alert myself when the processor pegged at 95% or more over at least a steady two minute period. That way I could keep the websites going and restart the server if necessary due to an issue with a process pegging the CPU.
I don’t have SCCM or any robust alerting software like we have a my employer, but not to worry, Windows Server has a built in method to generate a task using Task Scheduler when the Performance Counter is above threshold for the time period that you set.
The first thing that you need to do is write a Powershell script that when run can send an email. While researching this I discovered many ways to accomplish this task, feel free though to experiment and use what is right for your environment.
Here is an example of a Powershell script that when used in conjunction with Task Scheduler and Perfmon can send an email alert automatically when any user defined performance counter threshold condition is met. In my environment I set this to C:\PowerShell\AlertEMail.ps1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | #Alert E-Mail Script to generate an email from PowerShell. #Created and Modified by Lance Lingerfelt - LDLNET LLC - Life In Action!™ #Set your variables $counter = $Args[0] $dtandtime = $Args[1] $ctr_value = $Args[2] $threshold = $Args[3] $value = $Args[4] $FileName="$env:ComputerName" #Setup the E-Mail Content $EmailFrom = "servername@domain.com" $EmailTo = "webadmin@domain.com" $Subject ="CPU Alert From $FileName" $Body = "Data and Time of Alert: $dtandtime`nPerfmon Counter: $ctr_value`nThreshold Value: $threshold `nCurrent Value: $value" #Define your SMTP Server variables. This assumes that you do NOT have to provide credentials to the SMTP Server and that you will send your E-Mail over port 25. Make necessary changes as needed. $SMTPServer = "mailserver.domain.com" $SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25) $SMTPClient.EnableSsl = $false #Send the actual completed E-Mail $SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body) |
If you notice, this Powershell script takes four arguments and assigns them to variables used in the output. It also saves the computer name to a variable which is also used as part of the output. By doing this the script can be used to send an email on any Perfmon Alerting Counter and on any server without additional customization of the script.
In Task Scheduler we are going to Create a new Task as show in the following screen shots.
Give the Task a name, you will need to remember it for the next step. Make sure the task is run with an administrative account and is run whether the user is logged on or not.
There are no Triggers to setup here. This Task will actually be triggered through the Perfmon Counter Alert we will set up in Step 3.
On the Action tab you want to define a new action. The action will be to Start a Program and use the following inputs, please adjust for your specific environment.
Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add Arguments: -File C:\PowerShell\AlertEMail.ps1 $(Arg0)
Next, set your Conditions and Settings Tabs to the following settings as I did for this purpose. If need be, you might need to set them differently, but these settings should work just fine.
Open Performance Monitor and Create a new Data Collector Set under Data Collector Sets > User Defined
I needed to monitor the Total % Processor Time for all processors on the server combined, so I set the counter to monitor from the available counters.
I then set the threshold to Alert when the processor is over 95% with Processor Time. I also let it run as the System account, and then saved the settings:
Once you have created the Data Collector Set go into the Properties of it and make sure the Alerting threshold and Sample Interval is set properly for each Performance Counter. Keep in mind, if you sample every 10 seconds then you should expect to receive an email every 10 seconds as long as the performance counter exceeds the threshold you set. I set my Sample Interval to 2 minutes so that if the percentage stays above 95% over that long of a time interval, I should take a look at the server and see what process is pegging the CPU:
If you select the Log an entry in the application event log don’t expect to see any entries in the normal Application event log. It will be written to the Microsoft-Windows-Diagnosis-PLA/Operational log in the Application and Services log directory.
Finally, we have to set an Alert Task that will trigger the Scheduled Task (AlertEMail) that we created in Step 2. You see that we also pass some of the Task arguments which are used by the PowerShell script to customize the email with the exact error condition associated with the Alert:
Once the Data Collector is configured properly you will want to start it.
If you configured everything correctly you should start receiving emails any time that alert threshold is surpassed. I also manually ran the script once from PowerShell with no Argument Data just to make sure the script would generate the email to my E-Mail Address.
You now have one more step. Whenever you reboot a server the Perfmon Counter Alert will not start automatically. In order to survive a reboot you must run the following at a command prompt.
Note: “Processor Usage Alert” referenced in the script below is the name of my user defined Data Collector Set.
1 | schtasks /create /tn 'Processor Usage Alert' /sc onstart /tr "logman start 'Processor Usage Alert'" /ru system |
I now have a simple way to monitor my Web Server should this event happen again with the processor being pegged over a two minute period.
Reference:
Setup E-Mail Generation from a Performance Counter Alert
I was in the market for renewing my VPN appliance SSL certificate and came across this great deal that I wanted to pass along. It gives you a new SSL Certificate for a single domain with basic validation for only $5.99 for the first year. I usually get a new certificate for my VPN appliance yearly so this works out great!
LINK HERE: https://www.godaddy.com/web-security/ssl-certificate
Just enter that code above when you are at checkout in the Promo Code field and you will get the certificate for $5.99! Great Deal. I am not sure how long this will last, so if you try it and it does not work, let me have knowledge of that and I will take this post down! Just remember to always look for these hidden gems when purchasing web related items like domains and certificates. You can always find deals if you look hard enough.
References:
GoDaddy SSL Certificate Coupons
TechSmart Info on GoDaddy SSL Certificate Promotion
I had an issue last night where a server lost Secure Channel Connection to the PDC Emulator (NETLOGON Event IDs 5719 and 5783). All tests to test the secure channel via PowerShell were failing. (i.e. nltest or Test-ComputerSecureChannel cmdlets) The server essentially needed to be rebooted. I had a dumb dumb in my brain and forgot to check to see if there were any pending Windows Updates, because those need to be installed at the proper time and to a schedule. So, when I ran the following command to reboot:
1 | shutdown.exe /r /t 000 /c "Rebooting DC01 Due To NETLOGON Errors" |
The Windows Updates were installed inadvertently which could have caused even more issues if they were NOT approved or caused another failure on the server. TO NOT DO THIS IN THE FUTURE, remember to run the following command to shut off the Windows Update Service BEFORE initiating the reboot of the server:
1 2 3 4 5 | net stop wuauserv OR Stop-Service wuauserv |
But, the deed was done. NOW, I had to find out quickly what updates WERE installed via PowerShell so that I could alert the proper folks and give them a heads up on possible issues. Luckily, the server did NOT have any issues and the initial problem with NETLOGON was resolved. Here is the command I ran to find out the installed hotfixes filtered by today’s date:
1 | wmic qfe where "InstalledOn = '2/26/2019'" list full |
Here was the Output:
Caption=http://support.microsoft.com/?kbid=4480960
CSName=DC01
Description=Security Update
FixComments=
HotFixID=KB4480960
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=2/26/2019
Name=
ServicePackInEffect=
Status=
Caption=http://support.microsoft.com/?kbid=4480965
CSName=DC01
Description=Security Update
FixComments=
HotFixID=KB4480965
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=2/26/2019
Name=
ServicePackInEffect=
Status=
Since there were no issues, I was able to resolve the incident. I did notify the account team though of the inadvertent installation so that they could revert the changes if necessary.
Remember, troubleshooting to resolution is a methodical process, and when in an enterprise environment, you MUST be aware of all factors of change process, even when the resolution is a simple reboot of the affected server.
References:
Methods of generating installed updates via PowerShell
Check Windows Update History via PowerShell
Disable or Bypass Windows Update Installation During Reboot/Shutdown of a Server
We get alerts from time to time that SharePoint and Skype Websites might not be loading correctly or not at all. The following is a script that will generate a report, with time and date, showing the availability of the websites in question and the time it takes to load them.
First off, you want to create a text file called URLList.txt that will have the list of websites you want to check. I save the file in the C:\PowerShell directory but you can change the path to where you need it. If this happens often, having this list prepared will help you evaluate the environment quickly and allow you to troubleshoot if necessary efficiently.
Here is the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 | ##WebsiteChecker.ps1 built by Lance Lingerfelt - LDLNET LLC - Life In Action! E-Mail: lance.lingerfelt@ldlnet.net - Learn, Do, Live! ## Provide the path to the URL list to test $URLListFile = "c:\PowerShell\URLList.txt" $URLList = Get-Content $URLListFile -ErrorAction SilentlyContinue $Result = @() $booltime = 0 ##Begin the function cmdlet and define the variables Foreach ($Uri in $URLList) { $time = try{ $request = $null ## Request the URL, and measure how long the response took. $result1 = Measure-Command { $request = Invoke-WebRequest -Uri $uri -UseDefaultCredentials } $result1.Totalseconds $ResultsTime = $result1.TotalSeconds if($ResultsTime -gt 0) { write-host $uri, $ResultsTime $booltime++ write-host $booltime } } catch { ## If the request generated an exception (i.e.: 500 server error or 404 not found), we can pull the status code from the Exception.Response property $request = $_.Exception.Response $time = -1 } $result += [PSCustomObject] @{ Time = Get-Date; Uri = $uri; StatusCode = [int] $request.StatusCode; StatusDescription = $request.StatusDescription; ResponseLength = $request.RawContentLength; TimeTaken = $time; } } ##Prepare the output report body in HTML format if($booltime -gt 0 ) { if($result -ne $null) { $Outputreport = "<HTML><TITLE>Website Availability Report</TITLE><BODY background-color:peachpuff><font color =""#99000"" face=""Microsoft Table""><H2> Website Availability Report </H2></font><Table border=1 cellpadding=0 cellspacing=0><TR bgcolor=gray align=center><TD><B>URL</B></TD><TD><B>StatusCode</B></TD><TD><B>StatusDescription</B></TD><TD><B>ResponseLength</B></TD><TD><B>TimeTaken</B></TD</TR>" Foreach($Entry in $Result) { if($Entry.StatusCode -ne "200") { $Outputreport += "<TR bgcolor=red>" } else { $Outputreport += "<TR>" } $Outputreport += "<TD>$($Entry.uri)</TD><TD align=center>$($Entry.StatusCode)</TD><TD align=center>$($Entry.StatusDescription)</TD><TD align=center>$($Entry.ResponseLength)</TD><TD align=center>$($Entry.timetaken)</TD></TR>" } $Outputreport += "</Table></BODY></HTML>" } $Filename = "C:\PowerShell\URLCheck-" + [DateTime]::Now.ToString("yyyyMMdd-HHmmss") + ".htm" $Outputreport | out-file $Filename ## Open the file for viewing Invoke-Item $Filename } |
Here is your output:
I get a lot of these incidents in my queue after a user has been migrated to O365. For whatever reason, most likely due to the mailbox being moved itself, whether it is the user’s mailbox, the shared mailbox, or both, the connections to the shared mailboxes stop working in Outlook and the user cannot connect to the shared mailbox.
Here is a quick and easy solution to use to disconnect and reconnect the shared mailbox(es) that you lose connectivity to when migrated. This is usually performed on Outlook 2016 and above as most users upgrade their client software when moved to O365.
First, we remove the existing shared mailbox connection:
Second, we re-add the shared mailbox connection to Outlook:
Note: The above procedure must be followed in order to properly reconnect the shared mailbox. You cannot remove and re-add the mailbox in the same process as that will not reset the connection properly. You must save the settings when disconnecting.
I hope that this will assist everyone when troubleshooting Outlook connectivity issues to shared mailboxes after a migration.
As many of you have knowledge, I am studying for my MS-202 Exam. And, part of the knowledge needed is to be able to migrate mailboxes between on premises and Exchange Online through PowerShell. Here are the steps for the scenario to move a mailbox from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script
You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1 | $OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds" |
3. Move a single mailbox.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
Now we initiate the move with the cmdlet. Similar to what you would do in the GUI, this simple mailbox move cmdlet initiates the move request. It has most of the same parameters as a local move request including BadItemLimit, LargeItemLimit, AcceptLargeDataLoss, etc…
Use the following LINK for documentation on the New-MoveRequest cmdlet.
1 2 3 4 5 6 7 8 | #Set the identity of the mailbox being moved $user = Read-Host "Enter the alias or E-Mail Address of the user being migrated: " #Next Run the cmdlet for the New Mailbox Move Request New-MoveRequest -Identity $user -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "$user Mailbox Move to O365" #Get the status of the mailbox move to completion Get-MoveRequest | ? {$_.alias -eq "$user"} | Get-MoveRequestStatistics | fl |
Now with all migration projects, we expect to have to move multiple mailboxes in a single batch. The following will show the process for moving mailboxes in bulk from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script
You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1 | $OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds" |
3. Move multiple mailboxes in a single batch.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
This time you want to create a CSV file using the alias or emailaddress as your header and then list the appropriate value for all the users in your batch group. Save the file locally as MigrationBatch01.csv or a name of your choice.
Next you initiate the mailbox moves. When specifying the mailbox identity in the cmdlet, use the respective header in your variable declaration (either $user.EMailAddress OR $user.Alias)
Use the following LINK for documentation on the New-MoveRequest cmdlet.
1 2 3 4 5 6 7 8 | #Import the CSV into the variable state $mailboxes = Import-CSV C:\Migration\MigrationBatch01.csv #Next Run the cmdlet for the New Mailbox Move Request to move each mailbox foreach ($user in $mailboxes) { New-MoveRequest -Identity $user.EMailAddress -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "Migration Batch 01 Moves to O365" } #Get the status of the mailbox moves in the batch to completion Get-MoveRequest | ? {$_.batchname -like "Migration Batch 01 Moves to O365"} | Get-MoveRequestStatistics | ft -a -wr |
References:
Moving Individual Mailboxes to O365
Move Mailboxes in Bulk to O365
PowerShell Mailbox Migration to O365
Connect to all PowerShell Modules in O365 with one script
New-MoveRequest Microsoft Document
I had an issue with a four node DAG where the DR site with two of the DAG members were having replication issues. It was only technically affecting one DAG Member though. The copy queue length was really high and the logs were not committing to the database. A Test-ReplicationHealth cmdlet test told that the copy queue length for the affected database copy was high. No other databases were affected as there were eight databases on this DAG Node. The issue was that the log files were not replicating properly to the one DAG member for that database, causing the log file drives on all the other DAG members to build and become full:
Circular Logging was turned on, but since the db was NOT in sync, the logs could NOT truncate properly which rendered CL useless. What was being done to stave the issue was to suspend the database copy of the affected DAG member (EX04), then resume the copy. The logs would replay and commit to the database copy on the DAG member, but over a short period of time, the same issue would arise again, as shown in this graph:
There were absolutely no errors in the Event Viewer showing this replication issue. After some research, I ran the following cmdlet showing a particular output parameter that gave me the actual problem:
Get-MailboxDatabaseCopyStatus DAG1DB01 | ft -a -wr Name, Status, IncomingLogCopyingNetwork
The operative error here was: {An error occurred while communicating with server ‘EX01’. Error: Unable to read data from the transport connection: An established connection was aborted by the software in your host machine.}
Now even though only EX04 was actually having problems with its log replication, both DR members EX03 & EX04 were having the same problem. Again, there were NO events in event viewer showing this issue. I next did some connectivity tests to EX01 from EX04 even though the error said there was an established connection that was broken.
Ping EX01 -f -l 1472
Now the -f states do NOT fragment the packet and send it as a whole to the destination.
The -l states the packet/buffer size you want sent. In this case 1472 bits.
By doing this, you are able to assure that a router or switch is NOT segmenting the packets, packet segmentation of replication logs can cause data corruption and replication issues.
That test passed successfully. I also did a trace route to assure there was no packet loss on the route to the replicating server. That test passed successfully.
I next checked the DAG Network to assure that all networks were working for replication. Now, in this scenario, there was only ONE DAG Network, there was NOT a separate Replication Network. I did not design the DAG and limitations most likely came into play during the design. From my experience, you setup a separate replication network for replication only, but if your network has enough bandwidth, and the design calls for simplification, you can use one DAG network in your design.
Get-DatabaseAvailabilityGroupNetwork | fl
RunspaceId : a1600003-8074-4000-9150-c7800000207f
Name : MapiDagNetwork
Description :
Subnets : {{192.168.1.0/24,Up}, {192.168.2.0/24,Up}}
Interfaces : {{EX01,Up,192.168.1.25}, {EX02,Up,192.168.1.26},{EX03,Up,192.168.2.25}, {EX04,Up,192.168.2.26}}
MapiAccessEnabled : True
ReplicationEnabled : True
IgnoreNetwork : False
Identity : DAG1\MapiDagNetwork
IsValid : True
ObjectState : New
All the DAG Network Members were up and not showing errors. I next did a telnet session to EX01 over the default DAG replication port 64327 to see if there would be any connectivity issues to EX01:
telnet EX01 64327
That test was successful and there were no connectivity issues to EX01 from EX04. Again, there was only ONE database out of eight that was having replication problems. After mulling over the problem, it was decided to restart the MSExchangeRepl service on EX03 AND EX04 since the error was present on both DAG members. We would then, suspend the database copy and resume the database copy on the affected servers.
Run on EX03:
Restart-Service MSExchangeRepl
Suspend-MailboxDatabaseCopy DAG1DB01/EX03 -Confirm:$False
Resume-MailboxDatabaseCopy DAG1DB01/EX03 -Confirm:$False
Run on EX04:
Restart-Service MSExchangeRepl
Suspend-MailboxDatabaseCopy DAG1DB01/EX04 -Confirm:$False
Resume-MailboxDatabaseCopy DAG1DB01/EX04 -Confirm:$False
After monitoring the databases and log drives, the issue was resolved and replication started functioning properly.
We all like to have our customization in our Windows Desktop. Custom colors, icons, wallpaper, etc.. Well IT guy/gal, why not have your PowerShell CLI the same way? I’ve looked around at a few blogs and got some ideas to share with you on customizing your PowerShell CLI.
Now, by default, Windows looks in the following directory for your customization file:
C:\Users\(username)\Documents\WindowsPowerShell
It looks for a file called profile.ps1 and will load that script every time you load PowerShell once it is customized.
You can construct the script within PowerShell ISE or your favorite editor. The following is how I programmed the script to customize my PowerShell prompt:
First, we want to clear the slate on the PowerShell CLI.
I like to add my contact information for instance.
1 2 3 4 5 6 7 | #Set the PowerShell CLI for customization. #Written by Lance Lingerfelt / LDLNET LLC - lance.lingerfelt@ldlnet.net - http://www.ldlnet.net #Start Script# #Clear the default PowerShell Window Clear-Host |
Second, I run a script that I came across and added to my customization.
It get’s me the weather for the local area that I am from. Click the link for details.
How To Uniquify Your PowerShell Console (Scroll to Getting the Weather)
1 2 3 | #Run the Script Get-Weather.ps1 to get the weather forcast. . $PSScriptRoot\Get-Weather.ps1 Get-Weather -City 'Charlotte' -Country 'USA' |
Next, I customize the PowerShell Window Settings so that it is the size and shape that I want.
I set the Directory Location, The Colors, and The Window Sizes.
1 2 3 4 5 6 7 8 9 10 11 12 13 | #Customize the PowerShell Window Settings set-location c:\PowerShell $a = (Get-Host).UI.RawUI $a.BackgroundColor = "black" $a.ForegroundColor = "white" $size = $a.WindowSize $size.Width = 200 $size.Height = 50 $a.WindowSize = $size $size = $a.BufferSize $size.Width = 200 $size.Height = 9999 $a.BufferSize = $size |
Next, I wanted to write some text in the window before I get my PowerShell Prompt.
I work at Avanade, so I wanted to put a welcome message, today’s date, and what PS version I was running just because I could.
1 2 3 4 5 6 7 | #Customize the text to be shown before the prompt $time = Get-Date $curUser= (Get-ChildItem Env:\USERNAME).Value $psVersion= $host.Version.Major Write-Host "Welcome to Avanade PowerShell, $curUser!" -foregroundColor Green Write-Host "Today is: $($time.ToLongDateString())" -foregroundColor Yellow Write-Host "You're running PowerShell version: $psVersion" -foregroundColor Red `n |
Lastly, we actually configure the prompt. There is a lot of ways to do this and I will leave references for you at the bottom of this post so that you can get more details on the commands actually run.
I wanted to have a colorful prompt that stated the company motto and put the current time.
I also configured the Window Title at the top to show text, the current user, and the current directory with different colors as that is my expressive part of my brain. 🙂
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 | #Customize the actual PS prompt function prompt { Write-Host -NoNewLine "Avanade... " -foregroundColor Red Write-Host -NoNewLine "Know, Share, Do: " -foregroundColor White Write-Host -NoNewLine "[" -foregroundColor Yellow Write-Host -NoNewLine (Get-Date -f "hh:mm:ss tt") -foregroundColor Cyan Write-Host -NoNewLine "]" -foregroundColor Yellow Write-Host -NoNewLine ">" -foregroundColor Red $host.UI.RawUI.WindowTitle = "Avanade PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)" Return " " } #End Script# |
Here is the script in its entirety:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 | #Set the PowerShell CLI for customization. #Written by Lance Lingerfelt / LDLNET LLC - lance.lingerfelt@ldlnet.net - http://www.ldlnet.net #Start Script# #Clear the default PowerShell Window Clear-Host #Run the Script Get-Weather.ps1 to get the weather forcast. . $PSScriptRoot\Get-Weather.ps1 Get-Weather -City 'Charlotte' -Country 'USA' #Customize the PowerShell Window Settings set-location c:\PowerShell $a = (Get-Host).UI.RawUI $a.BackgroundColor = "black" $a.ForegroundColor = "white" $size = $a.WindowSize $size.Width = 200 $size.Height = 50 $a.WindowSize = $size $size = $a.BufferSize $size.Width = 200 $size.Height = 9999 $a.BufferSize = $size #Customize the text to be shown before the prompt $time = Get-Date $curUser= (Get-ChildItem Env:\USERNAME).Value $psVersion= $host.Version.Major Write-Host "Welcome to Avanade PowerShell, $curUser!" -foregroundColor Green Write-Host "Today is: $($time.ToLongDateString())" -foregroundColor Yellow Write-Host "You're running PowerShell version: $psVersion" -foregroundColor Red `n #Customize the actual PS prompt function prompt { Write-Host -NoNewLine "Avanade... " -foregroundColor Red Write-Host -NoNewLine "Know, Share, Do: " -foregroundColor White Write-Host -NoNewLine "[" -foregroundColor Yellow Write-Host -NoNewLine (Get-Date -f "hh:mm:ss tt") -foregroundColor Cyan Write-Host -NoNewLine "]" -foregroundColor Yellow Write-Host -NoNewLine ">" -foregroundColor Red $host.UI.RawUI.WindowTitle = "Avanade PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)" Return " " } #End Script# |
Here is the final product when opening PowerShell:
References:
Customizing your PowerShell Profile
Get-Weather.ps1
Modify your PowerShell Prompt
PowerShell Basics: Console Configuration
I ran across an issue with my VM backups saying that they were failing validation and not backing up properly, even though each VM showed success when checking the logs. I was getting a specific error in the backup logs:
Backup files health check has been completed
Failed to perform backup file verification Error: Data error (cyclic redundancy check). Failed to read data from the file [B:\Backups\LDLNET Other Backup\LDLNET BackupD2019-01-12T001234.vbk]. Agent failed to process method {Signature.FullRecheckBackup}.
So, I did some research and found a little known tool that is used to manually validate the Veeam backup files, basically because it’s a tool usually executed only by the technical support staff. It is located in the following folder (Version 9.5.0.1922):
C:\Program Files\Veeam\Backup and Replication\Backup\Veeam.Backup.Validator.exe
Its main use case is to verify the consistency of a backup created with Veeam Backup & Replication. It’s NOT SureBackup, that does another kind of control by starting the VM from the backup file, and is for sure more reliable. But if you do not want to start a SureBackup activity, or if you only have a Standard license lacking SureBackup, this tool can be a good alternative, or you can use it to check a backup file after it has been moved or if you had a consistency problem on the storage holding those files.
Now since I had a specific file that was showing an error, I wanted to run the command against that file to validate the backup. Here is the command that I ran:
.\Veeam.Backup.Validator.exe /file:”B:\Backups\LDLNET Other Backup\LDLNET BackupD2019-01-12T001234.vbk”
It started running against the file and it did fail as it did in the log files from the backup process. Here is the error message:
Skipping VM ‘B:\Backups\LDLNET Other Backup\LDLNET BackupD2019-01-12T001234.vbk ‘: File “LDLNET-VM01-flat.vmdk” is corrupted. Data error (cyclic redundancy check).
Failed to read data from the file [B:\Backups\LDLNET Other Backup\LDLNET BackupD2019-01-12T001234.vbk ].
Now, when looking at the backup job, I found that the file listed was the original full backup that I had completed when I originally changed the job for all the new VMs that were now listed in the backup job. Since that was the case and I did not have any VMs that were in a bad state, I deleted all the backup files from my storage and started another full backup of the VMs in the job.
Using the CLI tool to manually validate the backup file was very helpful in this case as it would help me decide to clear out a backup that would not restore properly, even with the incremental backups since the base full file was corrupt.
References:
Veeam Backup Validator: check the consistency of your backup files
Let’s say you’re an admin that needs to connect to Office365 via PowerShell often. Now, there are many different websites or blogs that will show you how to connect to each session via PowerShell. That can cause a headache since you can end up having five different PowerShell sessions running in five different windows. You end up having to enter a username and password all those times, which can become time consuming.
I want to show you here how to combine all those sessions into one script where, if you’re security is tight enough on your computer, you don’t even have to enter credentials. This way, you can click on one icon and pull up all the O365 PowerShell commands that you’ll need to manage your organization.
First you need to download the following PowerShell Module Installation Files so that your PowerShell Database will have the correct modules installed:
Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell v2
SharePoint Online Management Shell
Skype for Business Online, Windows PowerShell Module
Next, we want to setup the CLI (Command Line Interface) to be too cool for school. I have learned it helps to have knowledge of how to customize the CLI window. You can do all of this in PowerShell ISE or Notepad, which ever you prefer. Here are the commands for the script that I use to setup the CLI:
1 2 3 4 5 6 7 8 9 | #Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell" set-location c:\PowerShell $a = (Get-Host).UI.RawUI $a.BackgroundColor = "black" $a.ForegroundColor = "yellow" $a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services" $curUser= (Get-ChildItem Env:\USERNAME).Value function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"} $host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)" |
Next, you want to set your Execution Policy and put in your credentials so that you won’t be prompted to enter the user credentials when you run the script.
NOTE: MAKE SURE YOU KEEP YOUR SCRIPT SAFE AS THE CREDENTIALS ARE VISIBLE WITHIN THE SCRIPT IN PLAIN TEXT!
You can, alternatively, set your script to prompt for credentials every time by using the following:
$LiveCred = Get-Credential
Here is that part of the script:
1 2 3 4 5 6 | #Setup Execution Policy and Credentials using your Tenant Admin Credentials Set-ExecutionPolicy Unrestricted $user = "tenantadmin@companyname.onmicrosoft.com" $pass = "adminpassword" $secpass = $pass | ConvertTo-SecureString -AsPlainText -Force $LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass |
Now we get into the importing of the modules for each O365 service:
Get the MSOnline Module:
1 2 3 | #Set up the powershell cmdlets for Office365 Write-Host "Getting MSOnline Module" -ForegroundColor Green Get-Module MSOnline |
Connect to the MSOnline Service:
1 2 3 | #Connect the MS Online Service Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green Connect-MSOLService -Credential $LiveCred |
Connect to Azure AD PowerShell:
1 2 3 | #Connect to Azure Ad PowerShell Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green Connect-AzureAD -Credential $LiveCred |
Connect to SharePoint Online PowerShell:
NOTE – MAKE SURE YOU CHANGE TO YOUR COMPANY NAME IN THE URL!!
1 2 3 4 | #Connect to SharePoint Online PowerShell Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred |
Connect to Exchange Online PowerShell:
1 2 3 4 | #Connect to Exchange Powershell Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection Import-PSSession $Session |
Connect to Skype For Business Online PowerShell:
1 2 3 4 5 | #Connect the Skype For Business Online Powershell Module Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green Import-Module SkypeOnlineConnector $sfboSession = New-CsOnlineSession -Credential $LiveCred Import-PSSession $sfboSession |
Connect to the Security & Compliance PowerShell:
NOTE – This one I still get “Access Denied” when trying to connect. I have looked for an answer to that issue, but have not found one. Please comment with a link if you have an answer so that I can update this script!
1 2 3 4 | #Connect the Security & Compliance Center PowerShell Module Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green $SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection Import-PSSession $SccSession -Prefix cc |
Lastly, put in a note to show that the PS load is completed:
1 2 3 | Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green |
So Here is the final script in its entirety:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 | #Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell" set-location c:\PowerShell $a = (Get-Host).UI.RawUI $a.BackgroundColor = "black" $a.ForegroundColor = "yellow" $a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services" $curUser= (Get-ChildItem Env:\USERNAME).Value function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"} $host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)" #Setup Execution Policy and Credentials using your Tenant Admin Credentials Set-ExecutionPolicy Unrestricted $user = "tenantadmin@companyname.onmicrosoft.com" $pass = "adminpassword" $secpass = $pass | ConvertTo-SecureString -AsPlainText -Force $LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass #Set up the powershell cmdlets for Office365 Write-Host "Getting MSOnline Module" -ForegroundColor Green Get-Module MSOnline #Connect the MS Online Service Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green Connect-MSOLService -Credential $LiveCred #Connect to Azure Ad PowerShell Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green Connect-AzureAD -Credential $LiveCred #Connect to SharePoint Online PowerShell Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred #Connect to Exchange Powershell Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection Import-PSSession $Session #Connect the Skype For Business Online Powershell Module Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green Import-Module SkypeOnlineConnector $sfboSession = New-CsOnlineSession -Credential $LiveCred Import-PSSession $sfboSession #Connect the Security & Compliance Center PowerShell Module Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green $SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection Import-PSSession $SccSession -Prefix cc Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green |
Now you can create your icon for your desktop so that you can easily access the script. I would save the script to your Scripts directory.
That will usually be C:\Users\’username’\Documents\WindowsPowerShell\Scripts or wherever directory you choose.
To start, right click the desktop and choose New > Shortcut
In the Target Field, enter the following for your PowerShell Shortcut, pointing to the path of your script:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy Unrestricted -File “C:\Users\username\Documents\WindowsPowerShell\Scripts\ConnectO365All.ps1”
Click on the Advanced button and check the box: Run As Administrator
Under the General Tab, name your shortcut: (CompanyName) O365 All PowerShell
Click OK to save the shortcut to your desktop.
LAST BUT NOT LEAST, RUN THE FOLLOWING COMMAND BEFORE EXITING OR CLOSING YOUR POWERSHELL WINDOW. THIS WILL REMOVE ALL THE SESSIONS YOU’VE CONNECTED TO:
Get-PSSession | Remove-PSSession
References:
Connect to all O365 Services in one PowerShell Window
How to connect to all O365 Services through PowerShell
Connecting to Office 365 “Everything” via PowerShell
I had received a weird alert for a DB volume for a DAG member being below threshold. This was odd to me due to the fact that there were four DAG members and we only received an alert for one. I went into Azure Log Analytics and ran the following query to render a graph for the past 14 days showing the percent free space of the volume for all the DAG members.
Thanks Georges Moua for the query script!
1 2 3 4 5 6 7 8 9 | let PerfCutoff = ago(14d); let inst = "C:\\ExchangeDB\\DAG1DB001\\DB"; search * | where TimeGenerated > PerfCutoff | where Name_s == "PercentFreeSpace" | where InstanceName_s contains inst | sort by TimeGenerated desc | project Resource,Company_s,InstanceName_s,PercentFreeSpace=Value_d,TimeGenerated | render timechart |
Now the reason I can run the query this way is due to the fact that the Design of the DAG was correctly done and the DB folders are identical on all DAG members. The query rendered the following chart:
I next went to an Exchange Server in the DAG and got the volume data for all the members in the DAG:
1 2 3 | $Svrs = Get-MailboxDatabaseCopyStatus DAG1DB001 | Select-Object MailboxServer | Sort-Object MailboxServer foreach ($Svr in $Svrs) { $Svr.MailboxServer ; Get-WmiObject -ComputerName $Svr.MailboxServer Win32_Volume | ? {$_.Name -like "*DAG1DB001\DB*"} | select Name,FileSystem,FreeSpace,BlockSize,Capacity | % {$_.BlockSize=(($_.FreeSpace)/($_.Capacity))*100;$_.FreeSpace=($_.FreeSpace/1GB);$_.Capacity=($_.Capacity/1GB);$_} | Sort-Object Name | Format-Table Name,@{n='Free,GB';e={'{0:N2}'-f $_.FreeSpace}},@{n='Free,%';e={'{0:N2}'-f $_.BlockSize}},@{n='Capacity,GB';e={'{0:N3}' -f $_.Capacity}},@{n='FS';e={$_.FileSystem}} -AutoSize } |
I went on EX02 and found that there was a subfolder named “Restore” that was not present on the other servers. I ran the following script to get the size of that folder in GB:
1 | Write-Host ; $Folder = "{0:N2}" -f ( ( Get-ChildItem '\\EX02\DAG1DB001\DB\Restore' -Recurse -Force | Measure-Object -Property Length -Sum ).Sum / 1GB ) ; Write-Host "Folder Size Is: $Folder GB" -ForegroundColor Green |
The folder size was 185 GB. Removing that folder, along with all subfolders/files, would balance the free space to the other DAG members. I ran the following cmdlet to remove the folder and all subfolders/files:
1 | Remove-Item '\\EX02\DAG1DB001\DB\Restore' -recurse -force |
This remediated the alert and balanced the drive space across all DAG members.
POST YOUR COMMENTS OR QUESTIONS!
HAPPY TROUBLESHOOTING!
