This blog is going to be dedicated to pages, posts, documentation, links, and information that I find during my troubleshooting processes within the IT world. Some posts will contain code snippets that you can use with your own work if needed. Feel free to comment and get this thing rolling!
In a previous post, I showed how you could update one user’s photo for their Outlook and AD profiles via PowerShell. In this post, we will explore how to do this for your entire organization via PowerShell to Office365.
NOTE: I have not tested the scripts as I do not have enough mailboxes in my O365 tenant along with not using a ‘.’ in my alias. If the scripts are incorrect, please inform me with the correction and I will update accordingly.
Please make sure that your photos are reviewed before posting, and try to keep the file size of the photos to a minimum. In Office 365, there exists a limitation for the user photo not to be more than 10 KB in size, but I will show you how to get around that limitation.
Having a user photo for each of your users is very beneficial as it personalizes each account to a face in the company. The user photos can be viewed in below locations:
Steps to take:
1 2 3 | $UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session |
NOTE: In the PowerShell cmdlet above, we connected using a different proxy method. This was to overwrite the limitation of uploading the images with size more than 10KB. Using the different proxy method (/?proxyMethod=RPS ) to connect to Office 365 in the above cmdlet accomplishes this.
Create a folder named C:/UserPics and make the filename of each photo be the username of that particular user. (i.e. llingerfelt.png)
The below script should be able account for aliases that have a ‘.’ in the id as well. (i.e. lance.lingerfelt)
NOTE: From my research, there is no set photo type that is required for the photo. My suggestion would be to keep the photos .png for size constraints while maintaining picture clarity.
Create the following script and name it Photos-Update.ps1
1 2 3 4 5 6 | $path= 'C:\UserPics\' $Images = Get-ChildItem $path $Images |Foreach-Object{ $Identity = ($_.Name.Tostring() -replace '.png','') $PictureData = $path+$_.name Set-UserPhoto -Identity $Identity -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false } |
Run Photos-Update.ps1 and the script should upload the photos to Office 365 and apply each photo to the corresponding user.
NOTE: If you’re still having some issues with the alias having a ‘.’ in the name, you can also configure the Photos-Update.ps1 script in this manner to get that working properly:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | $path= 'C:\UserPics\' $Images = Get-ChildItem $path $Images |Foreach-Object{ $Identity = ($_.Name.Tostring() -split "\.") $count = $Identity.count If($count -gt 2) { for($i=0; $i -le $count-2; $i++) { $username=$username+$Identity[$i]+"." } $Id=$username.TrimEnd(".") } Else { $Id=$Identity[0] } $PictureData = $path+$_.name Set-UserPhoto -Identity $Id -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false $username=$null } |
REFERENCES:
How to import Office365 User photos over 10KB & without CSV in bulk
I was working on upgrading my ASA firewall and was running into an issue with internet working on my device, but none of my server services were responding to requests:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
I had configured 1-to-1 Object Based NAT translations for my servers for this purpose as had been configured on my prior ASA device. I had just copied the NAT rules to the new device thinking that it should just work. Needless to say, I had to call Cisco TAC and open a case. This seemed to be an issue for them as well. We kept getting the same error as above with another error listed during the NAT translation of the packets:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc inside
We could ping internally to the server successfully from the ASA through the inside port:
LDLNET-FW01(config)# ping LDLNET-LAN 192.168.100.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Packet Capture:
4 packets captured
1: 01:01:21.086894 192.168.100.2 > 192.168.100.x: icmp: echo request
2: 01:01:21.087153 192.168.100.x > 192.168.100.2: icmp: echo reply
3: 01:01:21.087886 192.168.100.2 > 192.168.100.x: icmp: echo request
4: 01:01:21.088069 192.168.100.x > 192.168.100.2: icmp: echo reply
Again, I had created Object based NAT translations that should have worked for all the inside ports and allowed the packet traffic through properly:
object network Exchange_Server
nat (any,any) static ExchOut net-to-net
Not having knowledge what the net-to-net statement within the NAT Rule stood for, we ended up scrapping all of the Object based NAT rules and created a new rule using a static route:
nat (LDLNET-LAN,outside) source static Exchange_Server ExchOut description Exchange NAT Both Directions
Doing this worked for us and allowed traffic that was NOT translating correctly to be translated and flowing correctly through the ASA.
Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12345, packet dispatched to next module
Module information for forward flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: LDLNET-LAN
output-status: up
output-line-status: up
Action: allow
Great! This is working now! The only issue is that I had to create static rules that go through the single interface on the ASA. What if I need to connect other devices to the ASA on different interface ports? Well, I will have to create the static NAT rules for those ports as well. If the current interface fails, I will have to recreate the static NAT Rules for the interface port that I change to. Secure in a way, but not how I think it should be designed.
If anyone has any suggestions for the configuration of this, why I was getting the error, or a way to get the Object Based NAT rules working properly, PLEASE COMMENT!
I took this exam back in February as a beta test. It finally got graded and I passed! I am now Cloud Certified in Messaging.
I wanted to update my picture within my Outlook profile and AD account really quickly without having to go through OWA to do so. I found this cmdlet that will allow for that picture to be changed very quickly via Exchange PowerShell.
NOTE: This can be done with On-Premises Exchange and Exchange Online PowerShell
First, download the picture you want to use to the computer that you want to run the cmdlet from. Also, make sure the picture is cropped and centered prior to running the cmdlet. I saved the pic to C:\temp for my scenario. The best format to use would be jpg. I named the file User1_Profile.jpg
Next, open Exchange PowerShell on the computer you saved the pic to and run the following cmdlet to change the photo:
1 | Set-UserPhoto "User1" -PictureData ([System.IO.File]::ReadAllBytes("C:\temp\User1_Profile.jpg")) -Confirm:$False |
Once completed, the Outlook client should be closed and reopen so that the new picture is visible in the profile.
I will post how to perform this for multiple users for Exchange and Office365 in a later post.
REFERENCES:
Set User Photo with Exchange PowerShell
If you’re a seasoned administrator, you have knowledge that in Exchange, the database settings will allow you to set the deleted mailbox retention. The default is 30 days, but sometimes you need to purge all those deleted mailboxes to do some ‘spring cleaning’ as it were. Note that doing these cmdlets does not change the ‘Whitespace’ of the database or the size. In my case, I had to purge everything of a toxic individual that was tainting my network much to my disappointment and did the following to complete that task.
The following cmdlet will seek all Soft Deleted mailboxes within the database you select and manually purge them from Exchange.
1 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted} |
Now, should you only want to remove one mailbox, you will need to get the GUID of that Soft Deleted mailbox first so that you can enter it for the identity parameter.
1 2 3 4 5 6 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | Sort-Object DisconnectDate -descending | ft -a -wr Get the Mailbox GUID in the list for the deleted mailbox. Then Run: Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState SoftDeleted | ft -a -wr |
You can also preform a similar task for a disabled mailbox:
1 2 3 4 5 6 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | Sort-Object DisconnectDate -descending | ft -a -wr Get the Mailbox GUID in the list for the deleted mailbox. Then Run: Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState Disabled | ft -a -wr |
You can perform the task on all disabled mailboxes for that database as well:
1 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled} |
NOTE: I would be very careful when performing either of these cmdlets as they will completely purge the mailboxes from the schema. If these cmdlets assist you with your ‘spring cleaning’, I will have been happy to assist.
References:
Purging Deleted Mailboxes on Exchange 2013
I’ve been building this blog along with my consulting business and needed to secure my websites with SSL for BBB accreditation. That accreditation is still pending at this time, but I want to show good faith in business practices to attain that accreditation.
So, I purchased my certificate and preformed the following to assure that all traffic to my websites are SSL secured. There are a number of ways to do it, and even do it for Exchange, (which I will cover in another post), but I found a great article that is simple and will work for most standard web sites. The link will be at the bottom in the references section. 🙂
Note: In this example {HTTPS}, {HTTP_HOST}, and {REQUEST_URI} are all URL parts that can be accessed using the URL Rewrite module. More information on URL parts can be found here.
The URL rewrite rules get written to the web.config file for the site you are working in. For example, the above configuration should result in this addition to the web.config file:
1 2 3 4 5 6 7 8 9 10 11 | <rewrite> <rules> <rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" negate="false" /> <conditions logicalGrouping="MatchAny"> <add input="{HTTPS}" pattern="off" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" /> </rule> </rules> </rewrite> |
That should take of it all for you and now when users connect to your website via http, they will be automatically redirected to https SSL.
References:
Creating Rewrite Rules for the URL Rewrite Module
URL Rewrite for IIS7 http to https redirection
URL Component Reference
Redirect from HTTP to HTTPS using the IIS URL Rewrite module
As many of you are aware, Microsoft provides a default logon page for OWA, the Outlook Web App. Most companies, like myself want to be able to customize that page so that it suites your organization. Here is what my company OWA page looks like:
I have changed the color on the left to match my scheme, replaced the Outlook Logo with my company logo, and added a disclaimer to notify users. Below is the process to do that effectively for your organization.
NOTE: Every time you install an Exchange Cumulative Update (CU) or new version of Exchange Server these modified files will be replaced. Remember to backup your original and changed files to another folder so that you can replace them when you Update or Upgrade or if something goes wrong with the changes.
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources\logon.css
logon.css file, replace the default blue hexidecimal color value #0072c6 with the HTML RGB value that you want to use. You can use the following LINK to choose the color you wish to use.Here are the different graphics that can be changed on the OWA logon page and their associated files:
| Image | File name | Location | Dimensions (width x height in pixels) | Bit depth |
|---|---|---|---|---|
| 1 | favicon.ico | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 16 x 16 | 32 |
| 2 | olk_logo_white.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 128 x 108 | 32 |
| 3 | owa_text_blue.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 300 x 76 | 32 |
| 4 | Sign_in_arrow.png (for left-to-right languages) Sign_in_arrow_rtl.png (for right-to-left languages) | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 22 x 22 | 32 |
Next, we want to add a disclaimer to our logon page. To do that, we need to modify the logon.aspx document in the following directory:
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\logon.aspx
Open the file in Notepad or your favorite HTML editor and search for the text ‘hidden-submit’. When you find the text, you can add your disclaimer text under the div class=”disclaimer” tag as I did in the following example:
1 2 3 4 5 6 7 8 9 | <div class="hidden-submit"><input type="submit" tabindex="-1"/></div> <div class="disclaimer"><p><b>Warning</b>: The website you are about to use is owned by Company Name and is intended to be used for official company business. As such, Company Name reserves the right to monitor all activity on all Company Name provided equipment and services. Use of Company Name provided information systems and networks in violation of company guidelines will result in disciplinary action, up to and including prosecution.</p> <p> <b>Violators</b>: They Will Be Prosecuted! </p> </div> </div> |
Save your logon.aspx file and give your OWA server an IISRESET for good measure. You should be good to logon with the new page from that point on.
References:
Customize the Outlook on the web sign-in, language selection, and error pages in Exchange Server
CUSTOMIZE EXCHANGE 2016 OUTLOOK ON THE WEB SIGN IN PAGE
Customizing Exchange 2016 OWA
In Windows Server 2016/2019 you have been upgraded to the Windows 10 Desktop Experience GUI. So, in the new versions, you are directed to use the 
to get to your settings. What was happening within the Settings is that I would choose a setting that calls on the control.exe file to open a Control Panel app. I would get the following error when attempting to do that function:
I immediately think it is a permissions issue. So I go to try to validate the permissions so that I could change them. Turns out, that due to it being a Windows System directory, I couldn’t modify the permissions without compromising directory security with NTFS permissions:
Now, if I open Control Panel, Network Sharing Center, etc…, I was able to access the applets with no issues. This was just happening in the Settings Gear Box Application. So, I started looking around and found that there is a registry key that needs to be modified so that your Administrator account can open these settings apps through the Settings Application:
1) Launch the Registry Editor (regedit.exe)
2) Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3) Change the value of FilterAdministratorToken (REG_DWORD) from 0 to 1 (If you don’t see that key, you can create it by right-clicking on any empty space from the right panel and select New > DWORD value, type the name and set the value to 1)
4) Reboot the computer and then it will be working fine.
I decided to create a Group Policy in AD to add this registry key so that it would propagate to all my 2016/2019 Servers:
1) Launch the Group Policy Manager
2) Create a new GPO and Link it to your Domain
3) Go to Computer Configuration > Preferences > Windows Settings > Registry > New Registry Key (DWORD)
4) Set the Action to “Replace”
5) Set the path as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
6) Set the Key as FilterAdministratorToken
7) Set the Value as 1 (Decimal Format) and Save
8) Run gpupdate /force on your servers.
9) Schedule a Reboot of those servers for the change to truly take effect.
After the reboot of the server, all the apps launched correctly from the Settings Application within Windows. I am going to research a little more to see why this is like that. If you have a comment, or more information, please feel free to post!
I have realized recently that I am an Exchange Messaging Professional, but yet, I have not posted the methodology of how I install an Exchange Server Mailbox Role. So here it is!
Exchange Server 2019 requires Windows Server 2019 to run. For my environment, I haven’t necessarily need to follow all the enterprise level design aspects of database numbers to mailbox size ratios, number of servers, front/back end configurations, DAG Implementation, etc… If you want or need to delve into that realm, you can go here. I have need for a single server with only a few databases for a small number of mailboxes, so I am approaching it from that standpoint.
So first, in Hyper-V, I configured my VM with the following specifications:
Processors: 2 procs with 2 cores each – 4 Virtual Processors Total
RAM: 32GB with dynamic memory enabled optional
Drives: 2 .vhdx drives of 120GB each (OS / Exchange Data)
CD: Windows 2019 ISO
Default Settings for the rest of the VM Settings
Next I installed Windows Server 2019 Datacenter with the GUI! You can install it on Server Core if you wish. That information can be found in this link.
I ran through the setup of Windows and installed the OS on my first vhdx drive. I booted up, set the local admin password, and logged in. Once in Windows, I went to the Local Server Settings in Server Manager and configured the following settings:
Set the Date, Time, and Time Zone. (Once in the Domain, this would sync through Group Policy)
Set IE ESC to allow Administrators to have full IE access.
Set Remote Desktop Settings to gain RDP access. (This would be locked down with Group Policy as well once on the Domain)
Set the IP Settings to Static Settings. (DNS Servers, Gateway, WINS, etc…)
Join the server to the Active Directory Domain.
Reboot the VM Server.
Logon to your Domain.
Configure Windows Update Settings. (I have WSUS through Group Policy, this was configured automatically upon reboot)
Download and install all Windows Updates for the server. Then Reboot.
Open Disk Management and configure the secondary vhdx drive to be your Exchange Data Drive.
I configured the drive to be a mounted folder ‘C:\Exchange\Data’ rather than another drive letter as that seems to be the more accepted form of installation for the data drive these days. That is based on the multiple configurations that I have seen for Exchange through experience in Enterprise environments. Again, to each is own and depending on you design specifications, you might want to do that differently.
Next, we need to install the prerequisites for the Exchange Mailbox Server. I have always used practical365.com to get the PowerShell script to install the prerequisites, but couldn’t find the article this time. Great site though! Instead, I got the information and ran the following from an elevated PowerShell Session locally on the server:
1 | Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs |
As part of the prerequisites you will need to install the following packages onto the server as well:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Once completed, you can begin the install of Exchange. If this is your first Exchange 2019 Server in your Organization, then you will need to run the following to update the Forest, Schema, and Domain so that Exchange will install properly:
1 | setup.exe /p /IacceptexchangeServerLicenseTerms |
1 | setup.exe /ps /IacceptexchangeServerLicenseTerms |
1 | setup.exe /pad /IacceptexchangeServerLicenseTerms |
NOTE: If you run into Prerequisite issues with the installation due to a “pending reboot”, check out my blog post for information on remediation of that issue.
Now that the environment is prepared for Exchange, you can actually begin the installation. I wanted to make my default database and logs folder to be on the Exchange Data volume that I created, so I included those settings in the setup command. Please look at the reference to the setup.exe switches for more information on that. Here is the command:
1 | setup.exe /Mode:Install /IacceptexchangeServerLicenseTerms /Role:Mailbox /DBFilePath:"C:\Exchange\Data\MDB\EX2019-DB01.edb" /LogFolderPath:"C:\Exchange\Data\LOGS" /MdbName:"EX2019-DB01" |
Setup should go through the installation via the PowerShell window and complete successfully. Reboot the Exchange Server, then you can then logon to the Exchange Admin Center and begin the process of configuration of how you need to integrate the Mailbox Server into your Server Farm. That configuration is for a later post.
References:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Install Exchange Server 2019 on Windows Server 2019 Core
Exchange Server Design Planning
Use unattended mode in Exchange Setup
Practical365 on Exchange 2019
Wanted to do a quick post as I was working on my Hybrid Exchange Environment. I was unable to get the HCW to download and start from the Exchange Control Panel with the link provided on the page. This has happened to me for a while, so I went online and found a link that would work that could be downloaded and reused to open the HCW:
Hybrid Configuration Wizard Link
References:
HYBRID CONFIGURATION WIZARD WON’T START ON WINDOWS 2016
Like most IT guys. They have a repository of their ISO images saved on a network share so that they can mount the ISO if needed on multiple machines. I recently switched to Hyper-V and have been having an issue with creating VMs and using my ISO from my network share to do so.
Hyper-V Manager available through RSAT doesn’t have an option to mount an ISO or capture a drive from a machine on which is running. Instead it gives you drives of the Hyper-V host, and that would of course require you to have an ISO or the disc itself present on the host. I didn’t want to do that. I would rather have my repository share available for that purpose to allow for all the drive space to be available on the Hyper-V host.
So, I would map a network drive with my ISOs. The mapping would succeed, but mapped drive (letter) will not be visible in Hyper-V manager when trying to mount an ISO. Okay, so next I tried mounting from UNC share directly, but that would also fail, with the message:
“‘VM’ failed to add device ‘Virtual CD/DVD Disk’” & “User account does not have permission required to open attachment”.
It goes back to the constrained delegation requirement for the Hyper-V host accounts to be used to perform functions such as this. This has been a pain to say in the least, as I have also had issues with live migration with my machines not being clustered due to different hardware.
So, in researching, I found this blog post. It has helped me through this issue with mapping the shared folder with the ISOs.
The cause of the problem is that the Hyper-V is intended to run with VMM Library Server and to mount files from it, not any random share. To re-mediate this:
Here is step by step procedure for the constrained delegation:
The resulting setup should look something like this:
I added both the server that contained the ISO images and the server that I run my RSAT tools from just to be safe. I next rebooted the Hyper-V host (that is a requirement).
When the host rebooted, I was able to successfully create the VM.
Hopefully, this will also solve my issue with live migration between my hosts. I will have to test that again and will inform everyone here if that succeeds as well!
References:
Hyper-V Server 2012 won’t mount ISO from a network share
Hyper-V authentication in Windows Server 2016 for managing remote Hyper-V servers through RSAT
Constrained Delegation
I have had this issue with EVERY upgrade that I have ever attempted for Exchange Server from 2013 through 2019 CU1. You go to run the setup program and during the prerequisite checks, setup stops. The error listed is:
A restart from a previous installation is pending. Please restart the system and rerun setup.
During the prerequisite checks, Exchange Setup looks in the registry at the following keys:
Nine times out of ten, a restart does NOT remediate this error. In order for setup to continue properly, you must do the following:
You should now be able to run setup and upgrade your Exchange Server.
References:
A Restart From Another Installation Is Pending
Exchange Setup Fails – A Restart From Another Installation Is Pending
Microsoft Document – A Restart From Another Installation Is Pending
As you may have knowledge of, if you are reading my blog. I am currently migrating off of VMWare to Hyper-V. Now, as I convert my machines to Hyper-V, it uses a totally different driver for the Network Card. I am having to rebuild the NIC settings within windows to setup the NIC for the Hyper-V VM to get the machines on the network properly again. The VMWare NIC disables and hides the NIC from the VMWare driver in Device Manager.
What this does is make Windows think it has two active network cards, even though one is disabled and removed/hidden in device manager. So, to clean things within Windows, I have to perform the following procedure to remove the hidden device:
Open PowerShell as Administrator
Next, type the following cmdlet and press Enter:
1 | set devmgr_show_nonpresent_devices=1 |
Next, open Device Manager from the PowerShell Session:
1 | devmgmt.msc |
When the Device Manager GUI opens, click the View menu
Click Show Hidden Devices
Go to the Device that is hidden, in my case the Network Adapter
Right-Click the Device and select Uninstall
Close the Device Manager GUI and PowerShell session
This cleaned the old hardware drivers off the system and allowed the current Hyper-V NIC to be the only one installed.
A rare weekend post for me! HA! I am currently migrating my server environment from VMWare 6.7 to Server 2019 Hyper-V. I have a separate standalone box that I use for my VM backups and as a tertiary DC. Since I had to shut down my VMs in order to convert them, I needed to quickly move my FSMO roles from the DC Virtual Machine to the Standalone box so things would stay running.
I found this great article on how to do that quickly through PowerShell since it is a pain to go into ADUC, ADDT, and setup an MMC for the Schema snap-in.
When you create a domain, all FSMO roles assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another both the Active Directory graphics snap-ins and the PowerShell command line. Moving FSMO roles using AD PowerShell has the following benefits:
Import the Active Directory Module Into PowerShell:
1 | Import-Module ActiveDirectory |
To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell cmdlet:
1 | Get-ADForest ldlnet.net | ft DomainNamingMaster, SchemaMaster -a -wr |
To view domain-wide FSMO roles (Infrastructure Master, PDC Emulator and Relative Identifier Master roles):
1 | Get-ADDomain ldlnet.net | ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr |
To transfer FSMO roles between Active Directory domain controllers, we use the PowerShell cmdlet:
Move-ADDirectoryServerOperationMasterRole
To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:
NOTE: Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasteRole cmdlet can be performed from any domain computer to migrate the Operations Master roles if you have the appropriate rights (Domain admins and Enterprise Admins).
Import the AD Module:
1 | Import-Module ActiveDirectory |
I needed to move all the roles from one server to the other, so, I ran the following to do so:
1 | Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False |
NOTE: To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:
| PDCEmulator | 0 |
| RIDMaster | 1 |
| InfrastructureMaster | 2 |
| SchemaMaster | 3 |
| DomainNamingMaster | 4 |
So, by having knowledge of these numbers, you can simplify your cmdlet:
1 | Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False |
NOTE: In the event that the current owner of one or all of the FSMO roles fails, the forced transfer of FSMO roles is performed by the same command, but with the -Force option. Also, after the FSMO roles have been seized, the domain controller from which the roles was seized should never be connected to the domain. You will need to preform a metadata cleanup of the Schema before even thinking about putting that failed server back into production.
Once completed, I ran the previous cmdlets of Get-ADForest and Get-ADDomain to verify that the FSMO roles moved to the destination server.
As of now, my conversion to Hyper-V is going smoothly, although it takes quite a bit of time to convert the hard disks. Thanks again!
Recently, I was trying to load this IT Blog and noticed that the page took a very long time to load properly. So, first thing I did was logon to my Web Server to check things and saw that the Performance was very slow, almost to a halt. When I was able to pull up Server Manager, I saw the following:
The Performance Alert was pegged at 99+ alerts. I went into the alerts for the performance and saw the following:
My CPU Usage was pegged at 100% for many hours. As I was having issues with the server and could not dig any deeper to find what was running to cause the error other the the w3wp process, I decided to reboot the server.
Rebooting did resolve the issue at hand, but I needed a better way to alert myself when the processor pegged at 95% or more over at least a steady two minute period. That way I could keep the websites going and restart the server if necessary due to an issue with a process pegging the CPU.
I don’t have SCCM or any robust alerting software like we have a my employer, but not to worry, Windows Server has a built in method to generate a task using Task Scheduler when the Performance Counter is above threshold for the time period that you set.
The first thing that you need to do is write a Powershell script that when run can send an email. While researching this I discovered many ways to accomplish this task, feel free though to experiment and use what is right for your environment.
Here is an example of a Powershell script that when used in conjunction with Task Scheduler and Perfmon can send an email alert automatically when any user defined performance counter threshold condition is met. In my environment I set this to C:\PowerShell\AlertEMail.ps1
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 | #Alert E-Mail Script to generate an email from PowerShell. #Created and Modified by Lance Lingerfelt - LDLNET LLC - Life In Action!™ #Set your variables $counter = $Args[0] $dtandtime = $Args[1] $ctr_value = $Args[2] $threshold = $Args[3] $value = $Args[4] $FileName="$env:ComputerName" #Setup the E-Mail Content $EmailFrom = "servername@domain.com" $EmailTo = "webadmin@domain.com" $Subject ="CPU Alert From $FileName" $Body = "Data and Time of Alert: $dtandtime`nPerfmon Counter: $ctr_value`nThreshold Value: $threshold `nCurrent Value: $value" #Define your SMTP Server variables. This assumes that you do NOT have to provide credentials to the SMTP Server and that you will send your E-Mail over port 25. Make necessary changes as needed. $SMTPServer = "mailserver.domain.com" $SMTPClient = New-Object Net.Mail.SmtpClient($SmtpServer, 25) $SMTPClient.EnableSsl = $false #Send the actual completed E-Mail $SMTPClient.Send($EmailFrom, $EmailTo, $Subject, $Body) |
If you notice, this Powershell script takes four arguments and assigns them to variables used in the output. It also saves the computer name to a variable which is also used as part of the output. By doing this the script can be used to send an email on any Perfmon Alerting Counter and on any server without additional customization of the script.
In Task Scheduler we are going to Create a new Task as show in the following screen shots.
Give the Task a name, you will need to remember it for the next step. Make sure the task is run with an administrative account and is run whether the user is logged on or not.
There are no Triggers to setup here. This Task will actually be triggered through the Perfmon Counter Alert we will set up in Step 3.
On the Action tab you want to define a new action. The action will be to Start a Program and use the following inputs, please adjust for your specific environment.
Program/Script: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
Add Arguments: -File C:\PowerShell\AlertEMail.ps1 $(Arg0)
Next, set your Conditions and Settings Tabs to the following settings as I did for this purpose. If need be, you might need to set them differently, but these settings should work just fine.
Open Performance Monitor and Create a new Data Collector Set under Data Collector Sets > User Defined
I needed to monitor the Total % Processor Time for all processors on the server combined, so I set the counter to monitor from the available counters.
I then set the threshold to Alert when the processor is over 95% with Processor Time. I also let it run as the System account, and then saved the settings:
Once you have created the Data Collector Set go into the Properties of it and make sure the Alerting threshold and Sample Interval is set properly for each Performance Counter. Keep in mind, if you sample every 10 seconds then you should expect to receive an email every 10 seconds as long as the performance counter exceeds the threshold you set. I set my Sample Interval to 2 minutes so that if the percentage stays above 95% over that long of a time interval, I should take a look at the server and see what process is pegging the CPU:
If you select the Log an entry in the application event log don’t expect to see any entries in the normal Application event log. It will be written to the Microsoft-Windows-Diagnosis-PLA/Operational log in the Application and Services log directory.
Finally, we have to set an Alert Task that will trigger the Scheduled Task (AlertEMail) that we created in Step 2. You see that we also pass some of the Task arguments which are used by the PowerShell script to customize the email with the exact error condition associated with the Alert:
Once the Data Collector is configured properly you will want to start it.
If you configured everything correctly you should start receiving emails any time that alert threshold is surpassed. I also manually ran the script once from PowerShell with no Argument Data just to make sure the script would generate the email to my E-Mail Address.
You now have one more step. Whenever you reboot a server the Perfmon Counter Alert will not start automatically. In order to survive a reboot you must run the following at a command prompt.
Note: “Processor Usage Alert” referenced in the script below is the name of my user defined Data Collector Set.
1 | schtasks /create /tn 'Processor Usage Alert' /sc onstart /tr "logman start 'Processor Usage Alert'" /ru system |
I now have a simple way to monitor my Web Server should this event happen again with the processor being pegged over a two minute period.
Reference:
Setup E-Mail Generation from a Performance Counter Alert
I was in the market for renewing my VPN appliance SSL certificate and came across this great deal that I wanted to pass along. It gives you a new SSL Certificate for a single domain with basic validation for only $5.99 for the first year. I usually get a new certificate for my VPN appliance yearly so this works out great!
LINK HERE: https://www.godaddy.com/web-security/ssl-certificate
Just enter that code above when you are at checkout in the Promo Code field and you will get the certificate for $5.99! Great Deal. I am not sure how long this will last, so if you try it and it does not work, let me have knowledge of that and I will take this post down! Just remember to always look for these hidden gems when purchasing web related items like domains and certificates. You can always find deals if you look hard enough.
References:
GoDaddy SSL Certificate Coupons
TechSmart Info on GoDaddy SSL Certificate Promotion
I had an issue last night where a server lost Secure Channel Connection to the PDC Emulator (NETLOGON Event IDs 5719 and 5783). All tests to test the secure channel via PowerShell were failing. (i.e. nltest or Test-ComputerSecureChannel cmdlets) The server essentially needed to be rebooted. I had a dumb dumb in my brain and forgot to check to see if there were any pending Windows Updates, because those need to be installed at the proper time and to a schedule. So, when I ran the following command to reboot:
1 | shutdown.exe /r /t 000 /c "Rebooting DC01 Due To NETLOGON Errors" |
The Windows Updates were installed inadvertently which could have caused even more issues if they were NOT approved or caused another failure on the server. TO NOT DO THIS IN THE FUTURE, remember to run the following command to shut off the Windows Update Service BEFORE initiating the reboot of the server:
1 2 3 4 5 | net stop wuauserv OR Stop-Service wuauserv |
But, the deed was done. NOW, I had to find out quickly what updates WERE installed via PowerShell so that I could alert the proper folks and give them a heads up on possible issues. Luckily, the server did NOT have any issues and the initial problem with NETLOGON was resolved. Here is the command I ran to find out the installed hotfixes filtered by today’s date:
1 | wmic qfe where "InstalledOn = '2/26/2019'" list full |
Here was the Output:
Caption=http://support.microsoft.com/?kbid=4480960
CSName=DC01
Description=Security Update
FixComments=
HotFixID=KB4480960
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=2/26/2019
Name=
ServicePackInEffect=
Status=
Caption=http://support.microsoft.com/?kbid=4480965
CSName=DC01
Description=Security Update
FixComments=
HotFixID=KB4480965
InstallDate=
InstalledBy=NT AUTHORITY\SYSTEM
InstalledOn=2/26/2019
Name=
ServicePackInEffect=
Status=
Since there were no issues, I was able to resolve the incident. I did notify the account team though of the inadvertent installation so that they could revert the changes if necessary.
Remember, troubleshooting to resolution is a methodical process, and when in an enterprise environment, you MUST be aware of all factors of change process, even when the resolution is a simple reboot of the affected server.
References:
Methods of generating installed updates via PowerShell
Check Windows Update History via PowerShell
Disable or Bypass Windows Update Installation During Reboot/Shutdown of a Server
We get alerts from time to time that SharePoint and Skype Websites might not be loading correctly or not at all. The following is a script that will generate a report, with time and date, showing the availability of the websites in question and the time it takes to load them.
First off, you want to create a text file called URLList.txt that will have the list of websites you want to check. I save the file in the C:\PowerShell directory but you can change the path to where you need it. If this happens often, having this list prepared will help you evaluate the environment quickly and allow you to troubleshoot if necessary efficiently.
Here is the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 | ##WebsiteChecker.ps1 built by Lance Lingerfelt - LDLNET LLC - Life In Action! E-Mail: lance.lingerfelt@ldlnet.net - Learn, Do, Live! ## Provide the path to the URL list to test $URLListFile = "c:\PowerShell\URLList.txt" $URLList = Get-Content $URLListFile -ErrorAction SilentlyContinue $Result = @() $booltime = 0 ##Begin the function cmdlet and define the variables Foreach ($Uri in $URLList) { $time = try{ $request = $null ## Request the URL, and measure how long the response took. $result1 = Measure-Command { $request = Invoke-WebRequest -Uri $uri -UseDefaultCredentials } $result1.Totalseconds $ResultsTime = $result1.TotalSeconds if($ResultsTime -gt 0) { write-host $uri, $ResultsTime $booltime++ write-host $booltime } } catch { ## If the request generated an exception (i.e.: 500 server error or 404 not found), we can pull the status code from the Exception.Response property $request = $_.Exception.Response $time = -1 } $result += [PSCustomObject] @{ Time = Get-Date; Uri = $uri; StatusCode = [int] $request.StatusCode; StatusDescription = $request.StatusDescription; ResponseLength = $request.RawContentLength; TimeTaken = $time; } } ##Prepare the output report body in HTML format if($booltime -gt 0 ) { if($result -ne $null) { $Outputreport = "<HTML><TITLE>Website Availability Report</TITLE><BODY background-color:peachpuff><font color =""#99000"" face=""Microsoft Table""><H2> Website Availability Report </H2></font><Table border=1 cellpadding=0 cellspacing=0><TR bgcolor=gray align=center><TD><B>URL</B></TD><TD><B>StatusCode</B></TD><TD><B>StatusDescription</B></TD><TD><B>ResponseLength</B></TD><TD><B>TimeTaken</B></TD</TR>" Foreach($Entry in $Result) { if($Entry.StatusCode -ne "200") { $Outputreport += "<TR bgcolor=red>" } else { $Outputreport += "<TR>" } $Outputreport += "<TD>$($Entry.uri)</TD><TD align=center>$($Entry.StatusCode)</TD><TD align=center>$($Entry.StatusDescription)</TD><TD align=center>$($Entry.ResponseLength)</TD><TD align=center>$($Entry.timetaken)</TD></TR>" } $Outputreport += "</Table></BODY></HTML>" } $Filename = "C:\PowerShell\URLCheck-" + [DateTime]::Now.ToString("yyyyMMdd-HHmmss") + ".htm" $Outputreport | out-file $Filename ## Open the file for viewing Invoke-Item $Filename } |
Here is your output:
I get a lot of these incidents in my queue after a user has been migrated to O365. For whatever reason, most likely due to the mailbox being moved itself, whether it is the user’s mailbox, the shared mailbox, or both, the connections to the shared mailboxes stop working in Outlook and the user cannot connect to the shared mailbox.
Here is a quick and easy solution to use to disconnect and reconnect the shared mailbox(es) that you lose connectivity to when migrated. This is usually performed on Outlook 2016 and above as most users upgrade their client software when moved to O365.
First, we remove the existing shared mailbox connection:
Second, we re-add the shared mailbox connection to Outlook:
Note: The above procedure must be followed in order to properly reconnect the shared mailbox. You cannot remove and re-add the mailbox in the same process as that will not reset the connection properly. You must save the settings when disconnecting.
I hope that this will assist everyone when troubleshooting Outlook connectivity issues to shared mailboxes after a migration.
As many of you have knowledge, I am studying for my MS-202 Exam. And, part of the knowledge needed is to be able to migrate mailboxes between on premises and Exchange Online through PowerShell. Here are the steps for the scenario to move a mailbox from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script
You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1 | $OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds" |
3. Move a single mailbox.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
Now we initiate the move with the cmdlet. Similar to what you would do in the GUI, this simple mailbox move cmdlet initiates the move request. It has most of the same parameters as a local move request including BadItemLimit, LargeItemLimit, AcceptLargeDataLoss, etc…
Use the following LINK for documentation on the New-MoveRequest cmdlet.
1 2 3 4 5 6 7 8 | #Set the identity of the mailbox being moved $user = Read-Host "Enter the alias or E-Mail Address of the user being migrated: " #Next Run the cmdlet for the New Mailbox Move Request New-MoveRequest -Identity $user -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "$user Mailbox Move to O365" #Get the status of the mailbox move to completion Get-MoveRequest | ? {$_.alias -eq "$user"} | Get-MoveRequestStatistics | fl |
Now with all migration projects, we expect to have to move multiple mailboxes in a single batch. The following will show the process for moving mailboxes in bulk from on premises to O365:
1. Connect to Exchange Online via PowerShell
If you have read my previous post: Connect to All PowerShell Modules in O365 with one script
You should have all the settings needed to connect your PowerShell to O365. Note in this scenario, that all these cmdlets will be run from O365 PowerShell and will be monitored from O365 by either PowerShell or the Exchange Admin Center. You will not be able to monitor the moves from On-Premises.
2. Provide your on premises Migration Administrator credentials as a variable for your cmdlet.
1 | $OnPremCred = Get-Credential -Message "Enter the On Premises Exchange Migration Admin account creds" |
3. Move multiple mailboxes in a single batch.
In your hybrid configuration you should be doing directory sync with O365/Azure and the accounts should be available in the cloud showing that they are synced with AD. This also assumes that you have your MRS Proxy endpoint enabled, which can be done by the HCW. Also, make sure you have your licensing available for your mailboxes. From my knowledge, you can assign your license to the account in the cloud before moving, especially if you have a particular license that you need to assign the account. Other than that, moving the mailbox will assign an existing license that is available that includes an Exchange Online mailbox feature when the mailbox is moved.
This time you want to create a CSV file using the alias or emailaddress as your header and then list the appropriate value for all the users in your batch group. Save the file locally as MigrationBatch01.csv or a name of your choice.
Next you initiate the mailbox moves. When specifying the mailbox identity in the cmdlet, use the respective header in your variable declaration (either $user.EMailAddress OR $user.Alias)
Use the following LINK for documentation on the New-MoveRequest cmdlet.
1 2 3 4 5 6 7 8 | #Import the CSV into the variable state $mailboxes = Import-CSV C:\Migration\MigrationBatch01.csv #Next Run the cmdlet for the New Mailbox Move Request to move each mailbox foreach ($user in $mailboxes) { New-MoveRequest -Identity $user.EMailAddress -remote -RemoteHostName (hybridURL) -TargetDeliveryDomain companyname.mail.onmicrosoft.com -RemoteCredential $OnPremCred -AcceptLargeDataLoss -BadItemLimit 500 -LargeItemLimit 100 -BatchName "Migration Batch 01 Moves to O365" } #Get the status of the mailbox moves in the batch to completion Get-MoveRequest | ? {$_.batchname -like "Migration Batch 01 Moves to O365"} | Get-MoveRequestStatistics | ft -a -wr |
References:
Moving Individual Mailboxes to O365
Move Mailboxes in Bulk to O365
PowerShell Mailbox Migration to O365
Connect to all PowerShell Modules in O365 with one script
New-MoveRequest Microsoft Document
