This blog is going to be a dedicated repository linked to pages, posts, documentation, links, and information that I find during my troubleshooting processes within the IT world. Some posts will contain code snippets that you can use with your own work if needed. Feel free to comment and get this thing rolling!
I now have contributors! Please welcome their input as valued colleagues in the IT Industry! Be on the lookout for their blog posts and please comment!
I wanted to pass this announcement along to everyone so that they are aware of the support ending for Exchange 2010. I personally have noticed a large number of Exchange 2010 environments starting to show age as the newer Outlook clients are having performance issues with Exchange 2010. If your team has not planned an upgrade to Exchange 2016 (you cannot upgrade directly from Exchange 2010 to 2019), I would advise that your team do so very soon. Exchange 2010 has been a great product for many years, but it is finally time for it to retire and allow the next generation of Messaging Services take the stage.
Announced today, and in alignment with Office 2010 and SharePoint 2010, and after investigating and analyzing the deployment state of an extensive number of Exchange customers, Microsoft has decided to move Extended Support date for Exchange Server 2010 from January 14th 2020 to October 13th 2020.
After October 13th 2020, Microsoft will no longer provide technical support for problems that may occur with Exchange 2010 including:
– bug fixes for issues that are discovered and that may impact the stability and usability of the server
– security fixes for vulnerabilities that are discovered and that may make the server vulnerable to security breaches
– and time zone updates
Customer installations of Exchange 2010 will, of course, continue to run after this date; however, due to the changes and potential end of support risks, Microsoft strongly recommends customers migrate from Exchange 2010 as soon as possible.
I’ve been currently assisting with onboarding at my new Full Time Contractor position at Microsoft. All of the new FTCs received laptops and needed to have the newest build of Windows 10 installed. The issue was that all of our laptops came with Windows 10 Professional and we needed to upgrade them to Enterprise edition.
After finding a working key for Enterprise Edition, we were still having issues joining the MS Azure domain so that we could get all of the needed software properly to being onboarding with Microsoft.
So, after going through a couple of re-images of my laptop with some failures attached to that, I finally was able to get the process down so that time would not be waisted for the oncoming new hires once they received their laptop. The issue was getting the correct build of Windows 10 and getting the proper apps installed in an efficient manner. Since the onboarding process was quickly moving, I needed to find a way to help streamline the process so the others would not have to go through all the mess I went through to get everything setup.
So, I began looking for a way to create a customized ISO for the build that would already have apps, settings, and customizations installed. I found this great article that details the process. I wanted to re-post this article here showing the steps I took to create the customized image by creating a VM in Hyper-V and then converting that completed image to an ISO that could be downloaded and utilized for the installation.
NOTE: This post will show how to use a virtual machine to create the ISO. All virtual machine references and instructions in this tutorial apply to Hyper-V, available in Windows 10 PRO, Education and Enterprise editions. Oracle VirtualBox and VMware users might need to consult their preferred virtualization platform’s documentation if instructions can’t be used as is.
Everything in this instruction can be made in each edition of Windows 10 (in Home and Single Language editions using a third party virtualization platform) with native Windows tools and programs, apart from Windows Deployment and Imaging Tools, part of Windows 10 Assessment and Deployment Kit (ADK) needed later in the post. The ADK is a free native Microsoft tool, downloadable directly from Microsoft.
If you will do this on a Hyper-V virtual machine (which is the recommended method), make sure to set the new virtual machine to use Standard Checkpoints instead of default Production Checkpoints. You can do this in virtual machine’s settings:
This method will produce an ISO image which can be compared to any original Windows 10 ISO you download from Microsoft, apart from the fact that it already contains pre-installed software according to your choice. It will also contain a customized and personalized default user profile, the base Windows uses whenever a new user profile will be created.
A customized default user profile means that whenever a new user account is created, all customizations (Start tiles, File Explorer & desktop icon and view settings, colors, wallpaper, theme, screensaver and so on will be applied to new user profile instead of Windows defaults.
Installation using this ISO will take somewhat longer than using a standard ISO because it not only contains full Windows setup, but also the pre-installed software. Notice that depending on how much space pre-installed software takes, you might not be able to burn this ISO to a standard 4.7 GB DVD disk but have to use a dual layer disk or a USB flash drive instead. My customized image came out to be about 8.5 GB in size.
The ISO created will include no user profile folders, personal user data and files.
This ISO image can be used on any hardware setup capable of running Windows and can be shared, subject to people you share the ISO with have valid licenses and / or activation keys for both Windows 10 and pre-installed software.
NOTE: The normal Windows Download from the link above will download Windows 10 Professional. You will need a key for the installation to upgrade to Enterprise Edition and you will need to be able to activate the copy of Windows to be able to save the customizations you create for your ISO.
NOTE: If Windows on your reference machine is not activated, you cannot personalize it. In this case you need to modify Windows theme (wallpaper, screensaver, colors, sounds) as you wish on another, activated Windows 10 machine, save the theme as a theme file, copy it to inactivated reference machine and apply (double click).
Also notice that Edge as well as other UWP apps do not work when signed in to built-in admin account. If you need a browser to download software you have to use a third party browser or Internet Explorer. IE can be started from Run dialog by typing iexplore and clicking OK.
1 | %windir%\system32\sysprep\sysprep.exe /audit /reboot |
Windows will now restart in Audit Mode using built-in administrator account. You will see a Sysprep prompt in the middle of display:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 | <?xml version="1.0" encoding="utf-8"?> <unattend xmlns="urn:schemas-microsoft-com:unattend"> <settings pass="specialize"> <component name="Microsoft-Windows-Shell-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <CopyProfile>true</CopyProfile> </component> <component name="Microsoft-Windows-Setup" processorArchitecture="amd64" publicKeyToken="31bf3856ad364e35" language="neutral" versionScope="nonSxS" xmlns:wcm="http://schemas.microsoft.com/WMIConfig/2002/State" xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"> <UserData> <AcceptEula>true</AcceptEula> <FullName>Your Full Name</FullName> <Organization>Your Organization Name</Organization> <ProductKey> <Key>Your 25 Digit Product Key in format XXXXX-XXXXX-XXXXX-XXXXX-XXXXX</Key> <WillShowUI>Never</WillShowUI> </ProductKey> </UserData> </component> </settings> </unattend> |
1 2 | echo Y | del %appdata%\microsoft\windows\recent\automaticdestinations\* del %0 |
Sysprep will now prepare Windows, shutting down machine when done. LEAVE THE VM OFF AND DO NOT RESTART IT! Now, we continue to the Image Creation section.
IMPORTANT: Forgetting to select Read-only will especially when mounting a checkpoint AVHD / AVHDX file make it unusable for Hyper-V! You will NOT be able to boot your VM and could corrupt it should you have write access on the mounted VHDX file.
Windows mounts the virtual hard disk, and all of its partitions, as separate disk. In case of an MBR disk it even mounts the system reserved partition.
NOTE: In the above picture the Windows system partition for the reference VM is drive K:
1 | dism /capture-image /imagefile:D:\install.wim /capturedir:K:\ /name:"AnyName" /compress:maximum /checkintegrity /verify /bootable |
NOTE: D:\install.wim path in this case is the drive and directory where you want to save the image file. K:\ path is the capture path with subfolders of the drive you want to image FROM
NOTE: The name given in /name switch in above command is irrelevant as we will name the ISO later on, but is needed for the command to run. Use any name you want to for the switch parameter.
The image process will take time, go get something to eat as I did. On my high end Hyper-V server this takes over 20 minutes, the first half of it without showing any progress indicator whatsoever. DISM works somewhat faster if you don’t use optional switches /checkintegrity and /verify but it is not recommended that you to create install.wim without checking its integrity and verifying it.
I named the folder ISO_Files and placed it on the D: drive where I had created the image from the previous section. Alternatively, you can copy the contents of a created Windows 10 install USB or DVD to the ISO_Files folder.
IMPORTANT: If the ISO you used when copying the files to the ISO_Files folder has been made with Windows Media Creation Tool, the ISO_Files\Sources folder contains an install.esd file instead of install.wim.
In this case you will naturally not get “File exists” prompt. Simply delete the install.esd file and paste your custom install.wim to replace it. This will help reduce the overall size of the ISO and not confuse the installation process when ran.
1 | oscdimg.exe -m -o -u2 -udfver102 -bootdata:2#p0,e,bd:\iso_files\boot\etfsboot.com#pEF,e,bd:\iso_files\efi\microsoft\boot\efisys.bin d:\iso_files d:\14986PROx64.iso |
Replace three instances of d:\iso_files with the path to the ISO_Files folder where you copied Windows installation files. Notice that this is not a typo: first two of these instances are typed as argument for switch -b without a space in between the switch and argument. This is to tell the oscdimg command where to find boot files to be added to ISO.
Replace d:\14986PROx64.iso with the path where you want to store the ISO image. This is where you also name the ISO file what you want the file name to be.
Although the command seems a bit complicated, everything in it is needed. For more information about the oscdimg command line options, see: Oscdimg Command-Line Options
You now have a completed ISO image ready for distribution to your machines. The overall process took me about 4 hours to complete with all the customizations that I did. Thanks again to Ten Forums for the article. I have provided references below for your convenience as well.
REFERNCES:
Create Windows 10 ISO image from Existing Installation
Open and Use Disk Cleanup in Windows 10
Download Windows 10
Windows 10 sysprep – how to skip entering product key
Windows ADK downloads – Windows Hardware Dev Center
The sheer craziness of it all! I noticed that my clocks were off on my servers by FOUR minutes. I had originally set in group policy for the PDC emulator for my domain, a VM on one of my Hyper-V hosts, to get the time from the Public NTP hosts. I then configured a group policy to have all the other machines get their time from the PDC Emulator.
This was working great for me until I realized that my Hyper-V hosts were actually controlling the time of the VMs. They were also configured to get the time from the PDC Emulator, but essentially, due to how Hyper-V is configured, the PDC Emulator VM was getting the time from the Host. So, once the time got thrown off, everything went wacky on me!
I’d read through a couple of articles and found the configuration flaw of Hyper-V and the need for those servers to get their time from the external NTP hosts as well as be configured as NTP servers themselves. This totally went against my Group Policy configuration which caused the issue!
Luckily, I had a stand alone server that is a tertiary DC in the domain not running Hyper-V. I was able to get my time synced again properly after performing the following configuration.
1 | Move-ADDirectoryServerOperationMasterRole -Identity backupdc01 -OperationMasterRole 0,1,2,3,4 -Confirm:$False |
1 2 3 4 5 6 7 8 9 10 11 | Stop and Start the time service: net stop w32time net start w32time Resync with the NTP servers: w32tm /resync /nowait Query the Source NTP server for the server you are running: w32tm /query /source (Should return your Public NTP server) 2.us.pool.ntp.org,0x1 |
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 | Cmdlets in order: Unregister the Time Service: w32tm /unregister Stop the Time Service: net stop w32time Register the Time Service: w32tm /register Start the service: net start w32time Query the Source NTP server for the server you are running: w32tm /query /source (Should return the default public NTP server) time.windows.com,0x1 Configure the NTP time servers you want to use: w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org" /update /reliable:yes Resync with the NTP servers: w32tm /resync /nowait Verify the Source NTP Server being used: w32tm /query /source (Should return the Public NTP server you set) 1.pool.ntp.org,0x1 Time should be correct on the Hyper-V host now. |
The one problem Hyper-V host that was syncing with the DC VM would not change settings via Group Policy nor through the w32tm cmdlet. I even went into the registry and tried to modify the following keys to make the changes stick:
1 2 3 4 5 6 7 8 | Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\ Keys - Value (Decimal): w32time\Config\AnnounceFlags - 10 w32time\Parameters\NtpServers - 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 w32time\TimeProviders\NtpClient\SpecialPollInterval - 900 (15 minutes) w32time\TimeProviders\NtpServer\Enabled - 1 |
The values would just not change, most likely due to the time not being synchronized. I had to reboot the server and then run through the process again in order for the changes to stick.
I did look at another article that said to do the following on the DC VM in order for time NOT to sync with the Hyper-V Host:
Go into Hyper-V console on the host machine, right-click on the client VM AD server, and select Settings. Once in here, on the left look under:
Management –> Integration Services
Untick Time Synchronization
Click Apply/OK
Things are running smoothly now. Please view the references at the bottom of the post. There are a couple of great articles about the Time Synchronization process with Hyper-V and why it needs to be setup the way I have it now. I wished I had read it before I originally set this up. I will post the article about getting group policy to handle the time sync process. Just remember, if your PDC Emulator is a VM, don’t sync it to a public NTP server. Sync it to your Hyper-V Host and have the Host sync publicly.
In the long run, I think it is a good design solution to have your Hyper-V hosts time synced to the Public NTP servers than having to remember to configure each VM DC you create to NOT time sync with the host. To each is own though, and one thing I learned from working Microsoft, there are multiple ways to get to the same goal that are technically sound methods.
REFERENCES:
Setup of NTP on Hyper-V servers
Time Synchronization in Hyper-V
“It’s Simple!” – Time Configuration in Active Directory
NTP Circular Time Sync – Windows Server 2012 R2 / Hyper-V
WHAT IS THIS ALL ABOUT?
Historically we only had two primary ways to structure sites in SharePoint. You would either create one big site collection and create lots of subsites in it, or you would have lots and lots of site collections in your tenant. Of course, you could have both models run in parallel. Provision lots of department sites each in its own site collection and lots of subsites in each department’s site collection. Multiple Site collections always made sense for large organizations. With the arrival of SharePoint Online and Office 365, we had many small businesses embrace SharePoint now and most small, and even medium-size businesses could get away with just 1 or 2 site collections. What made a single site collection really attractive to many is that you could easily build common navigation between all the subsites. On top of that, you could also create site templates and reuse them.
Things started to swing in favor of flat architecture with the rollout of Office 365 Groups and Communication Sites. Every time you create an Office 365 Group or a Communication site – a new site collection is provisioned. So whether you want it or not, now you are almost forced into a flat architecture.
WHAT ARE HUB SITES?
So now, with all these Office 365 Groups and Communication Sites and old legacy site collections, the challenge is how do we bring them all together via common navigation? I documented several ways to create common navigation for sites previously, but all of the tricks are local to the site collection. Meaning, if you create navigation in one site collection, you can only propagate it to subsites underneath, not to other site collections..
This is where Hub Sites come in. Hub Sites are a way to tie together all the autonomous site collections under one navigation umbrella. There are other characteristics that are shared within a Hub , but primarily – they are for navigation.
HOW TO CREATE HUB SITES
So now that we are clear what the Hub Sites are, let me show you how to create them! There are 2 steps involved.
Step 1: Register Hub Site
Mazel Tov, you just created your first Hub Site!!!
Step 2: Associate a Site to a Hub
The next step is for you to associate (connect) other site collections to the Hub. There are two ways for you to do so:
Option 1: Connect from the SharePoint Admin Center
Option 2: Connect from the site collection itself
NOTE: This second technique only works for site collections that have been modernized. That means that if you have a classical site collection with a classical page, you won’t see the Site Information in the menu under the gear icon. So what you will need to do first is modernize your page first. It is quite easy, and I described how to do it here.
CONFIGURE HUB
Assign a Hub Name and Upload a Hub Logo
There is a bit of configuration you can also do to a Hub once created. If you go back to the main Hub Site, then click Gear Icon > Hub Site Settings…
…you can upload a Hub logo and specify a navigation name for the Hub.
Don’t mind the Site design drop-down – it is way too technical for us, out of the box guys and girls.
Here is what this all means:
Build Common Navigation
This step is primarily the reason why we did all of the above. Associating (connecting) all the site collections to the hub, does not automatically add links to the navigation. You have to do so manually. Let me show you how to do this.
Take advantage of Hub Features
Here I would like to list all the advantages of the Hub functionality. At the moment, the list is not big. However, I am sure as Hub Sites evolve, there will be other features added.
Common Navigation
We already covered it above, so not going to repeat it here.
News roll up
When you combine your site collections into a Hub, you can automatically aggregate News and Announcements from all the sites into 1 site by using News Web Part. Go ahead and add a News Web Part to a page on the main Hub Site. Click the Edit Button. There you will be able to choose an option to aggregate all the news within a Hub into one!
Search within a Hub
Once you create a Hub and connect other sites to it, you will notice that a Search Box on the Main Hub now searches across other sites within a Hub. This is amazing!
Common theme
You will notice as soon as you add your site collection to a hub, that its color scheme will adopt the colors of the main Hub. That’s pretty nice – great from common branding/user adoption standpoint.
Content roll-up via HCWP
Once you create a Hub, you will be able to roll-up content using Highlighted Content Web Part (HCWP) within a hub.
In my career, I have to be able to be efficient as most of my projects are on a time crunch schedule. Being able to quickly configure Exchange when setting up a server environment is crucial to the success of the project.
While still honing my skills in PowerShell, I was attempting to create my own script to help configure all of the Virtual Directories in one shot rather than go to each setting and configure them manually. It did not go very well, so as I do, I research and find great professionals that do great work in scripting so that I may learn from them.
In doing so, I found Paul Cunningham’s script that performs this. I took the following script and modified it to add the PowerShell Virtual Directory to it as I like to configure that as well.
***YOU CAN REM THE LINES OUT SHOULD YOU NOT WANT TO CONFIGURE THAT DIRECTORY***
Here is my version of the script:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 | <# .SYNOPSIS ConfigureExchangeURLs.ps1 .DESCRIPTION PowerShell script to configure the Client Access server URLs for Microsoft Exchange Server 2013/2016. All Client Access server URLs will be set to the same namespace. If you are using separate namespaces for each CAS service this script will not handle that. The script sets Outlook Anywhere to use NTLM with SSL required by default. If you have different auth requirements for Outlook Anywhere use the optional parameters to set those. .PARAMETER Server The name(s) of the server(s) you are configuring. .PARAMETER InternalURL The internal namespace you are using. .PARAMETER ExternalURL The external namespace you are using. .PARAMETER InternalSSL Specifies the internal SSL requirement for Outlook Anywhere. Defaults to True (SSL required). .PARAMETER ExternalSSL Specifies the external SSL requirement for Outlook Anywhere. Defaults to True (SSL required). .EXAMPLE .\ConfigureExchangeURLs.ps1 -Server sydex1 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net .EXAMPLE .\ConfigureExchangeURLs.ps1 -Server sydex1,sydex2 -InternalURL mail.exchangeserverpro.net -ExternalURL mail.exchangeserverpro.net .LINK http://exchangeserverpro.com/powershell-script-configure-exchange-urls/ .NOTES Written by: Paul Cunningham For more Exchange Server tips, tricks and news check out Exchange Server Pro. * Website: http://exchangeserverpro.com * Twitter: http://twitter.com/exchservpro Find me on: * My Blog: http://paulcunningham.me * Twitter: https://twitter.com/paulcunningham * LinkedIn: http://au.linkedin.com/in/cunninghamp/ * Github: https://github.com/cunninghamp License: The MIT License (MIT) Copyright (c) 2015 Paul Cunningham Permission is hereby granted, free of charge, to any person obtaining a copy of this software and associated documentation files (the "Software"), to deal in the Software without restriction, including without limitation the rights to use, copy, modify, merge, publish, distribute, sublicense, and/or sell copies of the Software, and to permit persons to whom the Software is furnished to do so, subject to the following conditions: The above copyright notice and this permission notice shall be included in all copies or substantial portions of the Software. THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE SOFTWARE. Change Log: V1.00, 13/11/2014 - Initial version V1.01, 26/06/2015 - Added MAPI/HTTP URL configuration V1.02, 27/08/2015 - Improved error handling, can now specify multiple servers to configure at once. V1.03, 09/09/2015 - ExternalURL can now be $null V1.04, 17/11/2016 - Removed Outlook Anywhere auth settings, script now sets URLs only V1.05, 18/11/2016 - Added AutodiscoverSCP option so it can be set to a different URL than other services V1.06, 25/06/2019 - Added PowerShell Virtual Directory Configuration Requiring SSL and using Basic Authentication .ADDENDUM V1.06 Modified by Lance Lingerfelt for similar use. * Website: http://www.ldlnet.net * IT Blog: http://itblog.ldlnet.net #> #requires -version 2 [CmdletBinding()] param( [Parameter( Position=0,Mandatory=$true)] [string[]]$Server, [Parameter( Mandatory=$true)] [string]$InternalURL, [Parameter( Mandatory=$true)] [AllowEmptyString()] [string]$ExternalURL, [Parameter( Mandatory=$false)] [string]$AutodiscoverSCP, [Parameter( Mandatory=$false)] [Boolean]$InternalSSL=$true, [Parameter( Mandatory=$false)] [Boolean]$ExternalSSL=$true ) #................................... # Script #................................... Begin { #Add Exchange snapin if not already loaded in the PowerShell session if (Test-Path $env:ExchangeInstallPath\bin\RemoteExchange.ps1) { . $env:ExchangeInstallPath\bin\RemoteExchange.ps1 Connect-ExchangeServer -auto -AllowClobber } else { Write-Warning "Exchange Server management tools are not installed on this computer." EXIT } } Process { foreach ($i in $server) { if ((Get-ExchangeServer $i -ErrorAction SilentlyContinue).IsClientAccessServer) { Write-Host "----------------------------------------" Write-Host " Configuring $i" Write-Host "----------------------------------------`r`n" Write-Host "Values:" Write-Host " - Internal URL: $InternalURL" Write-Host " - External URL: $ExternalURL" Write-Host " - Outlook Anywhere internal SSL required: $InternalSSL" Write-Host " - Outlook Anywhere external SSL required: $ExternalSSL" Write-Host "`r`n" Write-Host "Configuring Outlook Anywhere URLs" $OutlookAnywhere = Get-OutlookAnywhere -Server $i $OutlookAnywhere | Set-OutlookAnywhere -ExternalHostname $externalurl -InternalHostname $internalurl ` -ExternalClientsRequireSsl $ExternalSSL -InternalClientsRequireSsl $InternalSSL ` -ExternalClientAuthenticationMethod $OutlookAnywhere.ExternalClientAuthenticationMethod if ($externalurl -eq "") { Write-Host "Configuring Outlook Web App URLs" Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/owa Write-Host "Configuring Exchange Control Panel URLs" Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/ecp Write-Host "Configuring ActiveSync URLs" Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync Write-Host "Configuring Exchange Web Services URLs" Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/EWS/Exchange.asmx Write-Host "Configuring Offline Address Book URLs" Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/OAB Write-Host "Configuring MAPI/HTTP URLs" Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/mapi Write-Host "Configuring PowerShell URLs" Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl $null -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False } else { Write-Host "Configuring Outlook Web App URLs" Get-OwaVirtualDirectory -Server $i | Set-OwaVirtualDirectory -ExternalUrl https://$externalurl/owa -InternalUrl https://$internalurl/owa Write-Host "Configuring Exchange Control Panel URLs" Get-EcpVirtualDirectory -Server $i | Set-EcpVirtualDirectory -ExternalUrl https://$externalurl/ecp -InternalUrl https://$internalurl/ecp Write-Host "Configuring ActiveSync URLs" Get-ActiveSyncVirtualDirectory -Server $i | Set-ActiveSyncVirtualDirectory -ExternalUrl https://$externalurl/Microsoft-Server-ActiveSync -InternalUrl https://$internalurl/Microsoft-Server-ActiveSync Write-Host "Configuring Exchange Web Services URLs" Get-WebServicesVirtualDirectory -Server $i | Set-WebServicesVirtualDirectory -ExternalUrl https://$externalurl/EWS/Exchange.asmx -InternalUrl https://$internalurl/EWS/Exchange.asmx Write-Host "Configuring Offline Address Book URLs" Get-OabVirtualDirectory -Server $i | Set-OabVirtualDirectory -ExternalUrl https://$externalurl/OAB -InternalUrl https://$internalurl/OAB Write-Host "Configuring MAPI/HTTP URLs" Get-MapiVirtualDirectory -Server $i | Set-MapiVirtualDirectory -ExternalUrl https://$externalurl/mapi -InternalUrl https://$internalurl/mapi Write-Host "Configuring PowerShell URLs" Get-PowerShellVirtualDirectory -Server $i | Set-PowerShellVirtualDirectory -ExternalUrl https://$externalurl/PowerShell -InternalUrl https://$internalurl/PowerShell -BasicAuthentication $True -RequireSSL $True -Confirm:$False } Write-Host "Configuring Autodiscover" if ($AutodiscoverSCP) { Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$AutodiscoverSCP/Autodiscover/Autodiscover.xml } else { Get-ClientAccessServer $i | Set-ClientAccessServer -AutoDiscoverServiceInternalUri https://$internalurl/Autodiscover/Autodiscover.xml } Write-Host "`r`n" } else { Write-Host -ForegroundColor Yellow "$i is not a Client Access server." } } } End { Write-Host "Finished processing all servers specified. Consider running Get-CASHealthCheck.ps1 to test your Client Access namespace and SSL configuration." -ForegroundColor Yellow Write-Host "Refer to http://exchangeserverpro.com/testing-exchange-server-2013-client-access-server-health-with-powershell/ for more details." Write-Host "Also check out http://itblog.ldlnet.net for Lance's IT Blog of information!" -ForegroundColor Gray } #................................... # Finished #................................... |
1 | .\ConfigureExchangeURLs.ps1 -Server EX01 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net |
1 | .\ConfigureExchangeURLs.ps1 -Server EX01,EX02,EX03 -InternalURL mail.ldlnet.net -ExternalURL mail.ldlnet.net |
REFERENCES:
Exchange Server Client Access URL Configuration Script
PowerShell Script to Configure Exchange Server Client Access URLs
How to Stop and Start All SharePoint 2013 Farm Services using PowerShell?
Prior to SharePoint patching, its a best practice to Stop all SharePoint 2013 and its related services and then start once patching is completed. If you don’t do this, your service pack or patch installation will take longer than its expected.
So what are all the services to be stopped?
• SharePoint 2013 Search Service (OSearch15 – OSearch16 in SharePoint 2016)
• SharePoint 2013 Timer Job (SPTimerV4) • SharePoint 2013 Administration (SPAdminV4)
• SharePoint 2013 Tracing (SPTraceV4)
• SharePoint 2013 VSS Writer (SPWriterV4)
• SharePoint 2013 User Code Host (SPUserCodeV4)
• SharePoint Search Host Controller (SPSearchHostController)
• Forefront Sync Service (FIMSynchronizationService)
• Forefront Service (FIMService)
• World Wide Web Publishing Service (W3SVC)
• Internet Information Services (IIS)
Lets use PowerShell to stop and start all SharePoint services:
Stop all SharePoint 2013 Services, Lets use PowerShell to stop and start all SharePoint services:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | 1 Add-PSSnapin Microsoft.sharepoint.powershell -ErrorAction SilentlyContinue 2 3 $SharePointServices = ('SPSearchHostController','OSearch15','SPWriterV4','SPUserCodeV4','SPTraceV4','SPTimerV4','SPAdminV4','FIMSynchronizationService','FIMService','W3SVC') 4 5 #Stop all SharePoint Services 6 foreach ($Service in $SharePointServices) 7 { 8 Write-Host -ForegroundColor red "Stopping $Service..." 9 Stop-Service -Name $Service 10 } 11 12 #Stop IIS 13 iisreset /stop |
Start all SharePoint 2013 Services: After the patching, Use the below script to start all SharePoint services.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 | 1 Add-PSSnapin Microsoft.sharepoint.powershell -ErrorAction SilentlyContinue 2 3 $SharePointServices = ('SPSearchHostController','OSearch15','SPWriterV4','SPUserCodeV4','SPTraceV4','SPTimerV4','SPAdminV4','FIMSynchronizationService','FIMService','W3SVC') 4 5 #Start all SharePoint Services 6 foreach ($Service in $SharePointServices) 7 { 8 Write-Host -ForegroundColor green "Starting $Service..." 9 Start-Service -Name $Service 10 } 11 12 #Start IIS 13 iisreset /start |
Completely Stop or Start SharePoint Farm Services on All Servers: Lets put everything together and make a reusable PowerShell function, which stops or starts all SharePoint related services in all servers of the farm.
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 | 1 Add-PSSnapin Microsoft.SharePoint.PowerShell -ErrorAction SilentlyContinue 2 3 Function StartOrStop-SPFarm() 4 { 5 Param( 6 [parameter(Mandatory=$true)] $StartOrStopOption 7 ) 8 9 #Get All Servers in the Farm 10 $Farm = Get-SPFarm 11 $Servers = $Farm.Servers | Where-Object {$_.Role -ne [Microsoft.SharePoint.Administration.SPServerRole]::Invalid} 12 Write-Host "Total Number of Servers in the Farm: " $Servers.Count 13 14 #List of All SharePoint Services 15 $SharePointServices = ('SPSearchHostController','OSearch15','SPWriterV4','SPUserCodeV4','SPTraceV4','SPTimerV4','SPAdminV4','FIMSynchronizationService','FIMService','W3SVC','DCLoadBalancer15', 'DCLauncher15') 16 17 #Iterate through each server 18 $Servers | ForEach-Object { 19 Write-Host "Performing Operation on Server:" $_.Name 20 21 #Loop through each service 22 foreach($ServiceName in $SharePointServices) 23 { 24 $ServiceInstance = Get-Service -ComputerName $_.Name -Name $ServiceName -ErrorAction SilentlyContinue 25 if($ServiceInstance -ne $null) 26 { 27 If($StartOrStopOption -eq "Stop") 28 { 29 Try 30 { 31 Write-Host "Attempting to stop service" $ServiceName ".." -ForegroundColor Yellow 32 Stop-Service -InputObject $ServiceInstance 33 Write-Host "Stopped Service" $ServiceName -ForegroundColor Green 34 } 35 36 catch 37 { 38 Write-Host "Error Occured on Stopping Service. " $_.Message -ForegroundColor Red 39 } 40 } 41 elseif ($StartOrStopOption -eq "Start") 42 { 43 Try 44 { 45 Write-Host "Attempting to start service" $ServiceName ".." -ForegroundColor Yellow 46 Start-Service -InputObject $ServiceInstance 47 Write-Host "Started Service" $ServiceName -ForegroundColor Green 48 } 49 50 catch 51 { 52 Write-Host "Error Occured on Starting Service. " $_.Message -ForegroundColor Red 53 } 54 } 55 } 56 } 57 #Start of Stop IIS 58 If($StartOrStopOption -eq "Stop") { iisreset /stop} elseif ($StartOrStopOption -eq "Start") {iisreset /start} 59 } 60 } 61 62 #Call the function to Stop or Start Services 63 StartOrStop-SPFarm -StartOrStopOption "Stop" 64 #StartOrStop-SPFarm -StartOrStopOption "Start" |
Yesterday, I posted on how Exchange now uses the Resilient File System (ReFS) to optimize and protect Exchange critical files. Another layer of protection is using a database availability group (DAG) for redundancy and is a necessary factor when designing an Exchange Enterprise Environment.
In this example, I will walk you through the installation of an Exchange Server 2019 DAG as I configured in my environment. This DAG will contain two Exchange Servers in the same site with a third Windows Server 2019 server being the File Share Witness (FSW).
For my configuration, I configured two identical Windows Server 2019 VMs (same procs, RAM, vhdx drives, partitions, etc…). I configured the Exchange Data Volume using ReFS and mounted them to the same folder on the C: Drive on each server. This is very important for replication to take place successfully when the databases are added to the DAG.
1 2 3 4 5 6 7 8 9 10 11 12 13 | Get-MailboxDatabase | fl Name,EDBFilePath,LogFolderPath Name : EX01-DB01 EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-DB01\EX01-DB01.edb LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-DB01 Name : EX01-ARCHIVE-DB EdbFilePath : C:\Exchange\Data-ReFS\DB\EX01-ARCHIVE-DB\EX01-ARCHIVE-DB.edb LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX01-ARCHIVE-DB Name : EX02-DB01 EdbFilePath : C:\Exchange\Data-ReFS\DB\EX02-DB01\EX02-DB01.edb LogFolderPath : C:\Exchange\Data-ReFS\Logs\EX02-DB01 |
I next went to the Admin server where the FSW would be hosted and added the Exchange Trusted Subsystem Account to the local Administrators group on that server:
NOTE: The reason that this is an ‘IP-less’ DAG is that I’m creating a DAG with no cluster administrative access point (CAAP). The DAG has no IP address of its own, and no computer object in Active Directory. The main implication of this is that backup software that relies on the CAAP or backup operations won’t work. This option of an ‘IP-less’ DAG was first introduced in Exchange Server 2013 SP1/CU4, so by now any decent backup products should support this configuration. But you should always verify this with your backup vendor of choice. Also be aware that this is only supported for DAGs that are running on Windows Server 2012 R2 (or later).
Next, we create the DAG from Exchange PowerShell using the New-DatabaseAvailabilityGroup cmdlet. Now remember that since you are using the ReFS system for your database volumes, you will need to specify the -FileSystem parameter within the cmdlet to assure proper setup and replication of the data files.
1 2 3 4 5 | New-DatabaseAvailabilityGroup -Name LDLNETDAG01 -WitnessServer admin01.ldlnet.org -FileSystem ReFS Name Member Servers Operational Servers ---- -------------- ------------------- LDLNETDAG01 {} |
Next, we add the Exchange Servers that hold the databases that will be replicated within the DAG:
1 | Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX01 |
1 | Add-DatabaseAvailabilityGroupServer -Identity LDLNETDAG01 -MailboxServer EX02 |
The DAG will now show the two servers as Operational Member Servers:
1 2 3 4 5 | Get-DatabaseAvailabilityGroup -Status | ft -a -wr Name Member Servers Operational Servers ---- -------------- ------------------- LDLNETDAG01 {EX01, EX02} {EX01, EX02} |
The FSW Directory was created on the admin01 server when the DAG was created. We can verify that with the following cmdlet:
1 2 3 4 5 6 7 8 9 | Get-DatabaseAvailabilityGroup -Status | fl *Witness* WitnessServer : admin01.ldlnet.org WitnessDirectory : C:\DAGFileShareWitnesses\LDLNETDAG01.ldlnet.org AlternateWitnessServer : AlternateWitnessDirectory : WitnessShareInUse : Primary DxStoreWitnessServers : |
Next, we add the databases that we want replicated to the DAG as replicated databases. I want all my Databases on EX01 to replicate to EX02 and vice versa for the EX02 Databases. I want the activation preference to remain on the server that the databases were originally created on so I will use the -ActivationPreference parameter to accomplish that. I will go into more detail on Activation Preference in another post.
1 | Add-MailboxDatabaseCopy -Identity EX01-DB01 -MailboxServer EX02 -ActivationPreference 2 |
1 | Add-MailboxDatabaseCopy -Identity EX01-ARCHIVE-DB -MailboxServer EX02 -ActivationPreference 2 |
1 | Add-MailboxDatabaseCopy -Identity EX02-DB01 -MailboxServer EX01 -ActivationPreference 2 |
Now we verify that the Database Copies are healthy on each replication member using the Get-MailboxDatabaseCopyStatus cmdlet. You will see a Healthy Status on the replicated copies:
1 2 3 4 5 6 7 | Get-MailboxDatabaseCopyStatus -Server EX01 | ft -a -wr Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState ---- ------ --------------- ----------------- -------------------- ----------------- EX01-DB01\EX01 Mounted 0 0 NotApplicable EX01-ARCHIVE-DB\EX01 Mounted 0 0 NotApplicable EX02-DB01\EX01 Healthy 0 0 6/12/2019 11:03:03 AM NotApplicable |
1 2 3 4 5 6 7 | Get-MailboxDatabaseCopyStatus -Server EX02 | ft -a -wr Name Status CopyQueueLength ReplayQueueLength LastInspectedLogTime ContentIndexState ---- ------ --------------- ----------------- -------------------- ----------------- EX02-DB01\EX02 Mounted 0 0 NotApplicable EX01-ARCHIVE-DB\EX02 Healthy 0 0 6/12/2019 11:06:44 AM NotApplicable EX01-DB01\EX02 Healthy 0 0 6/12/2019 10:46:40 AM NotApplicable |
REFERENCES:
Installing an Exchange Server 2016 Database Availability Group
In my ongoing effort for becoming more knowledgeable on Exchange Server, I found that the preferred new file system for Exchange Databases and Log files is the ReFS.
ReFS is not that new. Microsoft’s Resilient File System (ReFS) was introduced with Windows Server 2012. ReFS is not a direct replacement for NTFS, and is missing some underlying NTFS features, but is designed to be (as the name suggests) a more resilient file system for extremely large amounts of data.
From Exchange Server 2013 and upwards (which includes Exchange Server 2019 today) Microsoft supports the use of ReFS for Exchange servers, and in fact they now recommend it as the preferred file system for Exchange Server 2019, within the following guidelines.
For Exchange Server 2013:
This means that you should continue to use NTFS for your operating system and Exchange Server 2013 installation volume, but you can consider using ReFS for the volumes hosting Exchange databases, log files, and index files.
For Exchange Server 2016:
This means that you should continue to use NTFS for your operating system and Exchange Server 2016 installation volume, and it is recommended ReFS for the volumes hosting Exchange databases, log files, and index files.
For Exchange Server 2019:
This means that you should continue to use NTFS for your operating system and Exchange Server 2019 installation volume, and it is recommended ReFS for the volumes hosting Exchange databases, log files, and index files.
In Windows Server during the New Volume Wizard when you get to the step for configuring File System Settings change the file system from NTFS to ReFS.
NOTE: Using the New Volume Wizard does not give you the option to disable data integrity at the volume level. To set it at the volume level itself use PowerShell when configuring new volumes. I found this out the hard way and am now re-configuring my volumes to disable the Integrity Streams.
I needed to create the mount point to mount the volume to:
1 | New-Item C:\Exchange\Data-ReFS -Type Directory |
I then got a list of my available disks:
1 | get-disk |
In my case, disk 2 was the one I needed to format and change. I had to create a new partition and then format it:
1 | Get-Disk -Number 2 | New-Partition -UseMaximumSize |
1 | Get-Partition -DiskNumber 2 -PartitionNumber 2 | Format-Volume -FileSystem ReFS -NewFileSystemLabel "EXCH2019-EDBDATA" -AllocationUnitSize 65536 -SetIntegrityStreams:$False -Confirm:$False |
Once formatted, I mount the volume to the Directory created earlier:
1 | Add-PartitionAccessPath -DiskNumber 2 -PartitionNumber 2 -AccessPath C:\Exchange\Data-ReFS |
NOTE: Partition 1 on a disk is always reserved for system files on the drive volume. So the active partitions will always start at 2.
Lastly, verify that the partition is online and that the Integrity Streams are turned off:
1 | get-partition -DiskNumber 2 -PartitionNumber 2 | fl |
1 | Get-FileIntegrity C:\Exchange\Data-ReFS |
When you are deploying an Exchange 2016 or 2019 DAG and using Autoreseed, the disk reclaimer needs to know which file system to use when formatting spare disks. So when, creating a DAG in Exchange PowerShell, make sure to set the -FileSystem parameter. For Exchange Server 2013 DAGs, manually format the spare volumes with ReFS.
1 | Set-DatabaseAvailabilityGroup NameOfYourDAG -FileSystem ReFS |
More coming soon. I will post how I setup the “IP-less” DAG for my environment and got replication functional for my Exchange Databases.
REFERENCES:
Exchange 2013 storage configuration options
Exchange 2016 Preferred Architecture
Exchange Storage for Insiders: It’s ESE (Ignite video)
ReFS Exchange Server Volumes
Preparing ReFS Volumes for Exchange
I was working on setting up a VM for my server farm and mis-configured one of the vhdx drives. I ended up having to delete that drive and recreate it in Hyper-V manager. When I did though, I received an error stating that I could not start the virtual machine:
An error occurred while attempting to start the selected virtual machine(s).
‘VMName’ failed to start. (Virtual machine ID ‘SomeID’)
‘VMName’ Microsoft Emulated IDE Controller (Instance ID ‘SomeID’): Failed to Power on with Error ‘General access denied error’ (0x80070005). (Virtual machine ID ‘SomeID’)
‘VMName’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘C:\Users\Public\Documents\Hyper-V\Virtual hard disks\DiskName.vhdx’. Error: ‘General access denied error’ (0x80070005). (Virtual machine ID ‘SomeID’)
‘VMName’: Account does not have sufficient privilege to open attachment ‘V:\Hyper-V\Virtual hard disks\DiskName.vhdx’. Error: ‘General access denied error’ (0x80070005). (Virtual machine ID ‘SomeID’)
Each virtual machine is started using a virtual machine account. The virtual machine account needs read and write access to the .vhd/.vhdx file, but if the file has just been copied from somewhere then it most likely lacks the necessary file permissions.
That happened in my case because I had just created the vhdx drive and did not create it from the VM itself. I just attached it to the VM. So, when I booted the VM, it gave the error.
There are a few ways that you could remediate the issue. The simplest way, if it is a new VM, is to remove the drive in the VM settings and then re-create it from scratch. That is what fixed it for me.
Another way is to add the VM GUID to the permissions so that it can access the vhdx file properly:
‘PC-Name’ failed to start. (Virtual machine ID B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD) ‘PC-Name’ Microsoft Emulated IDE Controller (Instance ID XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX): Failed to Power on with Error ‘General access denied error’ (0x80070005). (Virtual machine ID B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD)
‘PC-Name’: IDE/ATAPI Account does not have sufficient privilege to open attachment ‘E:\Hyper-V\PC-Name\Virtual Hard Disks\MyVHD.vhdx’.
Error: ‘General access denied error’ (0x80070005). (Virtual machine ID B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD)
‘PC-Name’: Hyper-V Virtual Machine Management service Account does not have sufficient privolege to open attachment ‘E:\Hyper-V\PC-Name\Virtual Hard Disks\MyVHD.vhdx’.
Error: ‘General access denied error’ (0x80070005). (Virtual machine ID B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD)
Where PC-Name will be the name of your virtual PC. The long sequence of letters and numbers (in my case above “B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD”) is the Virtual Machine ID. This number is significant and you need it to fix the problem.
1 | icacls "full-path-to-vhd-or-vhdx-file" /grant "NT VIRTUAL MACHINE\Virtual-Machine-ID":(F) |
You will need to substitute the path to the vhd/vhdx file – you can obtain this from the original error message, and the Virtual-Machine-ID that you obtained from the “See details” part of the error.
So the line for me was:
1 | icacls "V:\LDLNET\Hyper-V\PC-Name\Virtual Hard Disks\MyVHD.vhdx" /grant "NT VIRTUAL MACHINE\B9C4F7D4-0009-4BE2-90FB-9D60B1A06BDD":(F) |
NOTE: If you get the message “Failed processing 1 files” then check the virtual machine ID.
There is also a PowerShell Gallery script that is supposed to remediate this issue:
http://www.ntsystems.it/page/PS-Restore-VMPermissionps1.aspx
I haven’t tried it but it looks as it would work. Please review and leave a comment should you have issues with the script.
REFERENCES:
Resolved: Hyper-V General access denied error when trying to load a Virtual Hard Drive
Restore-VMPermission
Virtual machine fails to start with General access denied error / Account does not have sufficient privilege to open attachment
I was going through my LinkedIn feed as I do daily and found a post with the following document. Great post and document. I wanted to add this here to my blog for reference and to share with all of you!
The document includes the following topics:
Overview
Azure Active Directory Identity Protection
Azure Advanced Threat Protection
Azure Information Protection
Office 365 Advanced Threat Protection
Office 365 Cloud App Security
Microsoft Cloud App Security
Office 365 Advanced Data Governance
Office 365 Advanced eDiscovery
Office 365 Customer Key
Office 365 Customer Lockbox
Privileged Access Management in Office 365
Data Loss Prevention for Exchange Online, SharePoint Online, and OneDrive for Business
Data Loss Prevention for Teams chat and channel conversations
Information barriers
Advanced Message Encryption
Download your copy of this document as reference:
I just received my new laptop for my current project and was setting up Windows 10 to join the company Azure AD domain. When I got to the part where you join, I received the following error:
Turns out that my account is unable to domain join a device to the tenant. This is easily solved though. You have your tenant admin perform the following:
Go to Azure Active Directory -> Devices
Check the device settings, in particular the options:
Users may join devices
Maximal number of devices
Now, in my case, I did not have access as I am NOT a tenant admin:
So, I am currently waiting for my IT department to resolve the access issue and grant me access to join the device to the domain. Just be sure to look at this if you’re having issues setting up your Windows 10 device to join your Azure tenant!
References:
Issue Joining A Device To An Azure AD Tenant Domain
In a previous post, I showed how you could update one user’s photo for their Outlook and AD profiles via PowerShell. In this post, we will explore how to do this for your entire organization via PowerShell to Office365.
NOTE: I have not tested the scripts as I do not have enough mailboxes in my O365 tenant along with not using a ‘.’ in my alias. If the scripts are incorrect, please inform me with the correction and I will update accordingly.
Please make sure that your photos are reviewed before posting, and try to keep the file size of the photos to a minimum. In Office 365, there exists a limitation for the user photo not to be more than 10 KB in size, but I will show you how to get around that limitation.
Having a user photo for each of your users is very beneficial as it personalizes each account to a face in the company. The user photos can be viewed in below locations:
Steps to take:
1 2 3 | $UserCredential = Get-Credential $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/?proxyMethod=RPS -Credential $UserCredential -Authentication Basic -AllowRedirection Import-PSSession $Session |
NOTE: In the PowerShell cmdlet above, we connected using a different proxy method. This was to overwrite the limitation of uploading the images with size more than 10KB. Using the different proxy method (/?proxyMethod=RPS ) to connect to Office 365 in the above cmdlet accomplishes this.
Create a folder named C:/UserPics and make the filename of each photo be the username of that particular user. (i.e. llingerfelt.png)
The below script should be able account for aliases that have a ‘.’ in the id as well. (i.e. lance.lingerfelt)
NOTE: From my research, there is no set photo type that is required for the photo. My suggestion would be to keep the photos .png for size constraints while maintaining picture clarity.
Create the following script and name it Photos-Update.ps1
1 2 3 4 5 6 | $path= 'C:\UserPics\' $Images = Get-ChildItem $path $Images |Foreach-Object{ $Identity = ($_.Name.Tostring() -replace '.png','') $PictureData = $path+$_.name Set-UserPhoto -Identity $Identity -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false } |
Run Photos-Update.ps1 and the script should upload the photos to Office 365 and apply each photo to the corresponding user.
NOTE: If you’re still having some issues with the alias having a ‘.’ in the name, you can also configure the Photos-Update.ps1 script in this manner to get that working properly:
1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 | $path= 'C:\UserPics\' $Images = Get-ChildItem $path $Images |Foreach-Object{ $Identity = ($_.Name.Tostring() -split "\.") $count = $Identity.count If($count -gt 2) { for($i=0; $i -le $count-2; $i++) { $username=$username+$Identity[$i]+"." } $Id=$username.TrimEnd(".") } Else { $Id=$Identity[0] } $PictureData = $path+$_.name Set-UserPhoto -Identity $Id -PictureData ([System.IO.File]::ReadAllBytes($PictureData)) -Confirm:$false $username=$null } |
REFERENCES:
How to import Office365 User photos over 10KB & without CSV in bulk
I was working on upgrading my ASA firewall and was running into an issue with internet working on my device, but none of my server services were responding to requests:
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: inside
output-status: up
output-line-status: up
Action: drop
Drop-reason: (no-adjacency) No valid adjacency
I had configured 1-to-1 Object Based NAT translations for my servers for this purpose as had been configured on my prior ASA device. I had just copied the NAT rules to the new device thinking that it should just work. Needless to say, I had to call Cisco TAC and open a case. This seemed to be an issue for them as well. We kept getting the same error as above with another error listed during the NAT translation of the packets:
ifc selected is not same as preferred ifc
Doing route lookup again on ifc inside
We could ping internally to the server successfully from the ASA through the inside port:
LDLNET-FW01(config)# ping LDLNET-LAN 192.168.100.x
Type escape sequence to abort.
Sending 5, 100-byte ICMP Echos to 192.168.100.x, timeout is 2 seconds:
!!!!!
Success rate is 100 percent (5/5), round-trip min/avg/max = 1/1/1 ms
Packet Capture:
4 packets captured
1: 01:01:21.086894 192.168.100.2 > 192.168.100.x: icmp: echo request
2: 01:01:21.087153 192.168.100.x > 192.168.100.2: icmp: echo reply
3: 01:01:21.087886 192.168.100.2 > 192.168.100.x: icmp: echo request
4: 01:01:21.088069 192.168.100.x > 192.168.100.2: icmp: echo reply
Again, I had created Object based NAT translations that should have worked for all the inside ports and allowed the packet traffic through properly:
object network Exchange_Server
nat (any,any) static ExchOut net-to-net
Not having knowledge what the net-to-net statement within the NAT Rule stood for, we ended up scrapping all of the Object based NAT rules and created a new rule using a static route:
nat (LDLNET-LAN,outside) source static Exchange_Server ExchOut description Exchange NAT Both Directions
Doing this worked for us and allowed traffic that was NOT translating correctly to be translated and flowing correctly through the ASA.
Phase: 17
Type: FLOW-CREATION
Subtype:
Result: ALLOW
Config:
Additional Information:
New flow created with id 12345, packet dispatched to next module
Module information for forward flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_tcp_normalizer
snp_fp_translate
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Module information for reverse flow …
snp_fp_tracer_drop
snp_fp_inspect_ip_options
snp_fp_translate
snp_fp_tcp_normalizer
snp_fp_adjacency
snp_fp_fragment
snp_ifc_stat
Result:
input-interface: outside
input-status: up
input-line-status: up
output-interface: LDLNET-LAN
output-status: up
output-line-status: up
Action: allow
Great! This is working now! The only issue is that I had to create static rules that go through the single interface on the ASA. What if I need to connect other devices to the ASA on different interface ports? Well, I will have to create the static NAT rules for those ports as well. If the current interface fails, I will have to recreate the static NAT Rules for the interface port that I change to. Secure in a way, but not how I think it should be designed.
If anyone has any suggestions for the configuration of this, why I was getting the error, or a way to get the Object Based NAT rules working properly, PLEASE COMMENT!
I took this exam back in February as a beta test. It finally got graded and I passed! I am now Cloud Certified in Messaging.
I wanted to update my picture within my Outlook profile and AD account really quickly without having to go through OWA to do so. I found this cmdlet that will allow for that picture to be changed very quickly via Exchange PowerShell.
NOTE: This can be done with On-Premises Exchange and Exchange Online PowerShell
First, download the picture you want to use to the computer that you want to run the cmdlet from. Also, make sure the picture is cropped and centered prior to running the cmdlet. I saved the pic to C:\temp for my scenario. The best format to use would be jpg. I named the file User1_Profile.jpg
Next, open Exchange PowerShell on the computer you saved the pic to and run the following cmdlet to change the photo:
1 | Set-UserPhoto "User1" -PictureData ([System.IO.File]::ReadAllBytes("C:\temp\User1_Profile.jpg")) -Confirm:$False |
Once completed, the Outlook client should be closed and reopen so that the new picture is visible in the profile.
I will post how to perform this for multiple users for Exchange and Office365 in a later post.
REFERENCES:
Set User Photo with Exchange PowerShell
If you’re a seasoned administrator, you have knowledge that in Exchange, the database settings will allow you to set the deleted mailbox retention. The default is 30 days, but sometimes you need to purge all those deleted mailboxes to do some ‘spring cleaning’ as it were. Note that doing these cmdlets does not change the ‘Whitespace’ of the database or the size. In my case, I had to purge everything of a toxic individual that was tainting my network much to my disappointment and did the following to complete that task.
The following cmdlet will seek all Soft Deleted mailboxes within the database you select and manually purge them from Exchange.
1 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState SoftDeleted} |
Now, should you only want to remove one mailbox, you will need to get the GUID of that Soft Deleted mailbox first so that you can enter it for the identity parameter.
1 2 3 4 5 6 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "SoftDeleted"} | Sort-Object DisconnectDate -descending | ft -a -wr Get the Mailbox GUID in the list for the deleted mailbox. Then Run: Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState SoftDeleted | ft -a -wr |
You can also preform a similar task for a disabled mailbox:
1 2 3 4 5 6 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | Sort-Object DisconnectDate -descending | ft -a -wr Get the Mailbox GUID in the list for the deleted mailbox. Then Run: Remove-StoreMailbox -Database "DB01" -Identity "mailboxguid" -MailboxState Disabled | ft -a -wr |
You can perform the task on all disabled mailboxes for that database as well:
1 | Get-MailboxStatistics -Database "DB01" | where {$_.DisconnectReason -eq "Disabled"} | foreach {Remove-StoreMailbox -Database $_.database -Identity $_.mailboxguid -MailboxState Disabled} |
NOTE: I would be very careful when performing either of these cmdlets as they will completely purge the mailboxes from the schema. If these cmdlets assist you with your ‘spring cleaning’, I will have been happy to assist.
References:
Purging Deleted Mailboxes on Exchange 2013
I’ve been building this blog along with my consulting business and needed to secure my websites with SSL for BBB accreditation. That accreditation is still pending at this time, but I want to show good faith in business practices to attain that accreditation.
So, I purchased my certificate and preformed the following to assure that all traffic to my websites are SSL secured. There are a number of ways to do it, and even do it for Exchange, (which I will cover in another post), but I found a great article that is simple and will work for most standard web sites. The link will be at the bottom in the references section. 🙂
Note: In this example {HTTPS}, {HTTP_HOST}, and {REQUEST_URI} are all URL parts that can be accessed using the URL Rewrite module. More information on URL parts can be found here.
The URL rewrite rules get written to the web.config file for the site you are working in. For example, the above configuration should result in this addition to the web.config file:
1 2 3 4 5 6 7 8 9 10 11 | <rewrite> <rules> <rule name="Redirect to http" enabled="true" patternSyntax="Wildcard" stopProcessing="true"> <match url="*" negate="false" /> <conditions logicalGrouping="MatchAny"> <add input="{HTTPS}" pattern="off" /> </conditions> <action type="Redirect" url="https://{HTTP_HOST}{REQUEST_URI}" redirectType="Found" /> </rule> </rules> </rewrite> |
That should take of it all for you and now when users connect to your website via http, they will be automatically redirected to https SSL.
References:
Creating Rewrite Rules for the URL Rewrite Module
URL Rewrite for IIS7 http to https redirection
URL Component Reference
Redirect from HTTP to HTTPS using the IIS URL Rewrite module
As many of you are aware, Microsoft provides a default logon page for OWA, the Outlook Web App. Most companies, like myself want to be able to customize that page so that it suites your organization. Here is what my company OWA page looks like:
I have changed the color on the left to match my scheme, replaced the Outlook Logo with my company logo, and added a disclaimer to notify users. Below is the process to do that effectively for your organization.
NOTE: Every time you install an Exchange Cumulative Update (CU) or new version of Exchange Server these modified files will be replaced. Remember to backup your original and changed files to another folder so that you can replace them when you Update or Upgrade or if something goes wrong with the changes.
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources\logon.css
logon.css file, replace the default blue hexidecimal color value #0072c6 with the HTML RGB value that you want to use. You can use the following LINK to choose the color you wish to use.Here are the different graphics that can be changed on the OWA logon page and their associated files:
| Image | File name | Location | Dimensions (width x height in pixels) | Bit depth |
|---|---|---|---|---|
| 1 | favicon.ico | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 16 x 16 | 32 |
| 2 | olk_logo_white.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 128 x 108 | 32 |
| 3 | owa_text_blue.png | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 300 x 76 | 32 |
| 4 | Sign_in_arrow.png (for left-to-right languages) Sign_in_arrow_rtl.png (for right-to-left languages) | %ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\<ExchangeVersion>\themes\resources | 22 x 22 | 32 |
Next, we want to add a disclaimer to our logon page. To do that, we need to modify the logon.aspx document in the following directory:
%ExchangeInstallPath%FrontEnd\HttpProxy\owa\auth\logon.aspx
Open the file in Notepad or your favorite HTML editor and search for the text ‘hidden-submit’. When you find the text, you can add your disclaimer text under the div class=”disclaimer” tag as I did in the following example:
1 2 3 4 5 6 7 8 9 | <div class="hidden-submit"><input type="submit" tabindex="-1"/></div> <div class="disclaimer"><p><b>Warning</b>: The website you are about to use is owned by Company Name and is intended to be used for official company business. As such, Company Name reserves the right to monitor all activity on all Company Name provided equipment and services. Use of Company Name provided information systems and networks in violation of company guidelines will result in disciplinary action, up to and including prosecution.</p> <p> <b>Violators</b>: They Will Be Prosecuted! </p> </div> </div> |
Save your logon.aspx file and give your OWA server an IISRESET for good measure. You should be good to logon with the new page from that point on.
References:
Customize the Outlook on the web sign-in, language selection, and error pages in Exchange Server
CUSTOMIZE EXCHANGE 2016 OUTLOOK ON THE WEB SIGN IN PAGE
Customizing Exchange 2016 OWA
In Windows Server 2016/2019 you have been upgraded to the Windows 10 Desktop Experience GUI. So, in the new versions, you are directed to use the 
to get to your settings. What was happening within the Settings is that I would choose a setting that calls on the control.exe file to open a Control Panel app. I would get the following error when attempting to do that function:
I immediately think it is a permissions issue. So I go to try to validate the permissions so that I could change them. Turns out, that due to it being a Windows System directory, I couldn’t modify the permissions without compromising directory security with NTFS permissions:
Now, if I open Control Panel, Network Sharing Center, etc…, I was able to access the applets with no issues. This was just happening in the Settings Gear Box Application. So, I started looking around and found that there is a registry key that needs to be modified so that your Administrator account can open these settings apps through the Settings Application:
1) Launch the Registry Editor (regedit.exe)
2) Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
3) Change the value of FilterAdministratorToken (REG_DWORD) from 0 to 1 (If you don’t see that key, you can create it by right-clicking on any empty space from the right panel and select New > DWORD value, type the name and set the value to 1)
4) Reboot the computer and then it will be working fine.
I decided to create a Group Policy in AD to add this registry key so that it would propagate to all my 2016/2019 Servers:
1) Launch the Group Policy Manager
2) Create a new GPO and Link it to your Domain
3) Go to Computer Configuration > Preferences > Windows Settings > Registry > New Registry Key (DWORD)
4) Set the Action to “Replace”
5) Set the path as:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
6) Set the Key as FilterAdministratorToken
7) Set the Value as 1 (Decimal Format) and Save
8) Run gpupdate /force on your servers.
9) Schedule a Reboot of those servers for the change to truly take effect.
After the reboot of the server, all the apps launched correctly from the Settings Application within Windows. I am going to research a little more to see why this is like that. If you have a comment, or more information, please feel free to post!
I have realized recently that I am an Exchange Messaging Professional, but yet, I have not posted the methodology of how I install an Exchange Server Mailbox Role. So here it is!
Exchange Server 2019 requires Windows Server 2019 to run. For my environment, I haven’t necessarily need to follow all the enterprise level design aspects of database numbers to mailbox size ratios, number of servers, front/back end configurations, DAG Implementation, etc… If you want or need to delve into that realm, you can go here. I have need for a single server with only a few databases for a small number of mailboxes, so I am approaching it from that standpoint.
So first, in Hyper-V, I configured my VM with the following specifications:
Processors: 2 procs with 2 cores each – 4 Virtual Processors Total
RAM: 32GB with dynamic memory enabled optional
Drives: 2 .vhdx drives of 120GB each (OS / Exchange Data)
CD: Windows 2019 ISO
Default Settings for the rest of the VM Settings
Next I installed Windows Server 2019 Datacenter with the GUI! You can install it on Server Core if you wish. That information can be found in this link.
I ran through the setup of Windows and installed the OS on my first vhdx drive. I booted up, set the local admin password, and logged in. Once in Windows, I went to the Local Server Settings in Server Manager and configured the following settings:
Set the Date, Time, and Time Zone. (Once in the Domain, this would sync through Group Policy)
Set IE ESC to allow Administrators to have full IE access.
Set Remote Desktop Settings to gain RDP access. (This would be locked down with Group Policy as well once on the Domain)
Set the IP Settings to Static Settings. (DNS Servers, Gateway, WINS, etc…)
Join the server to the Active Directory Domain.
Reboot the VM Server.
Logon to your Domain.
Configure Windows Update Settings. (I have WSUS through Group Policy, this was configured automatically upon reboot)
Download and install all Windows Updates for the server. Then Reboot.
Open Disk Management and configure the secondary vhdx drive to be your Exchange Data Drive.
I configured the drive to be a mounted folder ‘C:\Exchange\Data’ rather than another drive letter as that seems to be the more accepted form of installation for the data drive these days. That is based on the multiple configurations that I have seen for Exchange through experience in Enterprise environments. Again, to each is own and depending on you design specifications, you might want to do that differently.
Next, we need to install the prerequisites for the Exchange Mailbox Server. I have always used practical365.com to get the PowerShell script to install the prerequisites, but couldn’t find the article this time. Great site though! Instead, I got the information and ran the following from an elevated PowerShell Session locally on the server:
1 | Install-WindowsFeature Web-WebServer,Web-Common-Http,Web-Default-Doc,Web-Dir-Browsing,Web-Http-Errors,Web-Static-Content,Web-Http-Redirect,Web-Health,Web-Http-Logging,Web-Log-Libraries,Web-Request-Monitor,Web-Http-Tracing,Web-Performance,Web-Stat-Compression,Web-Dyn-Compression,Web-Security,Web-Filtering,Web-Basic-Auth,Web-Client-Auth,Web-Digest-Auth,Web-Windows-Auth,Web-App-Dev,Web-Net-Ext45,Web-Asp-Net45,Web-ISAPI-Ext,Web-ISAPI-Filter,Web-Mgmt-Tools,Web-Mgmt-Compat,Web-Metabase,Web-WMI,Web-Mgmt-Service,NET-Framework-45-ASPNET,NET-WCF-HTTP-Activation45,NET-WCF-MSMQ-Activation45,NET-WCF-Pipe-Activation45,NET-WCF-TCP-Activation45,Server-Media-Foundation,MSMQ-Services,MSMQ-Server,RSAT-Feature-Tools,RSAT-Clustering,RSAT-Clustering-PowerShell,RSAT-Clustering-CmdInterface,RPC-over-HTTP-Proxy,WAS-Process-Model,WAS-Config-APIs |
As part of the prerequisites you will need to install the following packages onto the server as well:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Once completed, you can begin the install of Exchange. If this is your first Exchange 2019 Server in your Organization, then you will need to run the following to update the Forest, Schema, and Domain so that Exchange will install properly:
1 | setup.exe /p /IacceptexchangeServerLicenseTerms |
1 | setup.exe /ps /IacceptexchangeServerLicenseTerms |
1 | setup.exe /pad /IacceptexchangeServerLicenseTerms |
NOTE: If you run into Prerequisite issues with the installation due to a “pending reboot”, check out my blog post for information on remediation of that issue.
Now that the environment is prepared for Exchange, you can actually begin the installation. I wanted to make my default database and logs folder to be on the Exchange Data volume that I created, so I included those settings in the setup command. Please look at the reference to the setup.exe switches for more information on that. Here is the command:
1 | setup.exe /Mode:Install /IacceptexchangeServerLicenseTerms /Role:Mailbox /DBFilePath:"C:\Exchange\Data\MDB\EX2019-DB01.edb" /LogFolderPath:"C:\Exchange\Data\LOGS" /MdbName:"EX2019-DB01" |
Setup should go through the installation via the PowerShell window and complete successfully. Reboot the Exchange Server, then you can then logon to the Exchange Admin Center and begin the process of configuration of how you need to integrate the Mailbox Server into your Server Farm. That configuration is for a later post.
References:
UCMA Runtime Install
Visual C++ Redistributable Packages for Visual Studio 2013
Install Exchange Server 2019 on Windows Server 2019 Core
Exchange Server Design Planning
Use unattended mode in Exchange Setup
Practical365 on Exchange 2019
