Active Directory

Lance LingerfeltDecember 12, 2019

Exchange System Mailboxes not being configured cause Exchange Setup to fail

My continuation of the “Installation from HELL” proceeded onward today with our team attempting to install Exchange on another server in the test environment and having it fail when getting to the Mailbox Role portion of the installation.

The error kept saying that the installation was failing due to a “Database is mandatory on UserMailbox”. We had been having many issues with the Schema and RBAC roles which were resolved in my other post by adding the Role Assignments to the schema. I did mention that the environment started settling down and the system mailboxes (Arbitration) along with the Health Mailboxes started functioning. This was actually not the case for the Arbitration mailboxes. I glanced at the following article to see how to manually recreate the Arbitration mailboxes again.

I performed a “Get-Mailbox -Arbitration | fl Name” in Exchange Powershell (similar to the screenshot below) to see if the mailboxes were in fact created. They in fact were not and were giving the error “Database is mandatory for the UserMailbox.”

Verification of Arbitration System Mailboxes existing

So, I tried to do what the original article said to do and enable the mailboxes one by one. I kept getting errors when trying to create the mailboxes. So I began to search the internet for another way to possibly remediate this without having to get too deep into the system.

I found the following article explaining the exact error I was getting during the installation of Exchange. In the article, it said to look at the attributes of the account associated with the Arbitration mailbox to see if the homeMDB attribute had no value:

homeMDB attribute NOT set on Arbitration Mailbox Account

Now, since I was NOT having good luck with either the Exchange Setup nor PowerShell, I had to figure out a way to place the attribute value so that the mailbox would be visible. What I did was this:

I opened a User in ADUC with a working mailbox on the needed database.
I went to the Attributes Tab and looked up the homeMDB attribute for that user then chose Edit.
I copied the entire value from the screen and closed it.
I then went to the Arbitration mailbox in question and opened it’s homeMDB attribute.
I pasted the value into the Value box and saved it.

Paste the active database value in the homeMDB attribute for the Arbitration Mailbox account

Once completed with remediating the attribute for all the Arbitration mailbox accounts missing the value, I re-ran the cmdlet to verify that the error was not present for any arbitration maibox:

I then uninstalled and re-installed Exchange using setup on the failing server and the installation completed successfully.

This has been an excellent week in training on the value of the setup process for Exchange and also the value of the system accounts and values in relation to Exchange and it working properly.

A POSITIVE OUTLOOK WILL YIELD POSITIVE RESULTS ULTIMATELY!

REFERENCES:
Exchange Install Error Database is mandatory on UserMailbox
Recreate missing arbitration mailboxes

Lance LingerfeltJuly 3, 2019

The Windows Time Service, Hyper-V Hosts, and DCs that are VMs.

The sheer craziness of it all! I noticed that my clocks were off on my servers by FOUR minutes. I had originally set in group policy for the PDC emulator for my domain, a VM on one of my Hyper-V hosts, to get the time from the Public NTP hosts. I then configured a group policy to have all the other machines get their time from the PDC Emulator.

This was working great for me until I realized that my Hyper-V hosts were actually controlling the time of the VMs. They were also configured to get the time from the PDC Emulator, but essentially, due to how Hyper-V is configured, the PDC Emulator VM was getting the time from the Host. So, once the time got thrown off, everything went wacky on me!

I’d read through a couple of articles and found the configuration flaw of Hyper-V and the need for those servers to get their time from the external NTP hosts as well as be configured as NTP servers themselves. This totally went against my Group Policy configuration which caused the issue!

Luckily, I had a stand alone server that is a tertiary DC in the domain not running Hyper-V. I was able to get my time synced again properly after performing the following configuration.

I had to move the FSMO roles to the tertiary DC with the following cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity backupdc01 -OperationMasterRole 0,1,2,3,4 -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity backupdc01 -OperationMasterRole 0,1,2,3,4 -Confirm:$False

I then made sure the tertiary DC was syncing time correctly by running the following on that server:

Stop and Start the time service:
net stop w32time
net start w32time

Resync with the NTP servers:
w32tm /resync /nowait

Query the Source NTP server for the server you are running:
w32tm /query /source
(Should return your Public NTP server)
2.us.pool.ntp.org,0x1

Stop and Start the time service:

net stop w32time

net start w32time

Resync with the NTP servers:

w32tm /resync /nowait

Query the Source NTP server for the server you are running:

w32tm /query /source

(Should return your Public NTP server)

2.us.pool.ntp.org,0x1

I then removed the Group Policy Object for syncing the time source to the DC that I had linked to my Hyper-V Servers OU in Active Directory
Ran a gpupdate /force on the Hyper-V host to remove the policy there
I then had to reconfigure the Hyper-V hosts to be NTP Servers and clients that got their time from a public NTP server:

Cmdlets in order:

Unregister the Time Service:
w32tm /unregister

Stop the Time Service:
net stop w32time

Register the Time Service:
w32tm /register

Start the service:
net start w32time

Query the Source NTP server for the server you are running:
w32tm /query /source
(Should return the default public NTP server)
time.windows.com,0x1

Configure the NTP time servers you want to use:
w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org" /update /reliable:yes

Resync with the NTP servers:
w32tm /resync /nowait

Verify the Source NTP Server being used:
w32tm /query /source
(Should return the Public NTP server you set)
1.pool.ntp.org,0x1

Time should be correct on the Hyper-V host now.

Cmdlets in order:

Unregister the Time Service:

w32tm /unregister

Stop the Time Service:

net stop w32time

w32tm /register

Start the service:

net start w32time

Query the Source NTP server for the server you are running:

w32tm /query /source

(Should return the default public NTP server)

time.windows.com,0x1

Configure the NTP time servers you want to use:

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org, 1.pool.ntp.org, 2.pool.ntp.org" /update /reliable:yes

Resync with the NTP servers:

w32tm /resync /nowait

Verify the Source NTP Server being used:

w32tm /query /source

(Should return the Public NTP server you set)

1.pool.ntp.org,0x1

Time should be correct on the Hyper-V host now.

The one problem Hyper-V host that was syncing with the DC VM would not change settings via Group Policy nor through the w32tm cmdlet. I even went into the registry and tried to modify the following keys to make the changes stick:

Path:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Keys - Value (Decimal):
w32time\Config\AnnounceFlags - 10 
w32time\Parameters\NtpServers - 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1 
w32time\TimeProviders\NtpClient\SpecialPollInterval - 900 (15 minutes)
w32time\TimeProviders\NtpServer\Enabled - 1

Path:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\

Keys - Value (Decimal):

w32time\Config\AnnounceFlags - 10

w32time\Parameters\NtpServers - 0.us.pool.ntp.org,0x1 1.us.pool.ntp.org,0x1 2.us.pool.ntp.org,0x1

w32time\TimeProviders\NtpClient\SpecialPollInterval - 900 (15 minutes)

w32time\TimeProviders\NtpServer\Enabled - 1

The values would just not change, most likely due to the time not being synchronized. I had to reboot the server and then run through the process again in order for the changes to stick.

I did look at another article that said to do the following on the DC VM in order for time NOT to sync with the Hyper-V Host:

Go into Hyper-V console on the host machine, right-click on the client VM AD server, and select Settings. Once in here, on the left look under:

Management –> Integration Services
Untick Time Synchronization
Click Apply/OK

Things are running smoothly now. Please view the references at the bottom of the post. There are a couple of great articles about the Time Synchronization process with Hyper-V and why it needs to be setup the way I have it now. I wished I had read it before I originally set this up. I will post the article about getting group policy to handle the time sync process. Just remember, if your PDC Emulator is a VM, don’t sync it to a public NTP server. Sync it to your Hyper-V Host and have the Host sync publicly.
In the long run, I think it is a good design solution to have your Hyper-V hosts time synced to the Public NTP servers than having to remember to configure each VM DC you create to NOT time sync with the host. To each is own though, and one thing I learned from working Microsoft, there are multiple ways to get to the same goal that are technically sound methods.

THANKS FOR READING!
PLEASE COMMENT!

REFERENCES:
Setup of NTP on Hyper-V servers
Time Synchronization in Hyper-V
“It’s Simple!” – Time Configuration in Active Directory
NTP Circular Time Sync – Windows Server 2012 R2 / Hyper-V

Lance LingerfeltJune 3, 2019June 3, 2019

Error 801c0003 when joining computer to Azure AD

I just received my new laptop for my current project and was setting up Windows 10 to join the company Azure AD domain. When I got to the part where you join, I received the following error:

Turns out that my account is unable to domain join a device to the tenant. This is easily solved though. You have your tenant admin perform the following:

Go to Azure Active Directory -> Devices
Check the device settings, in particular the options:

Users may join devices
Maximal number of devices

Now, in my case, I did not have access as I am NOT a tenant admin:

So, I am currently waiting for my IT department to resolve the access issue and grant me access to join the device to the domain. Just be sure to look at this if you’re having issues setting up your Windows 10 device to join your Azure tenant!

HAPPY TROUBLESHOOTING!
POSITIVE ENERGY!

References:
Issue Joining A Device To An Azure AD Tenant Domain

Lance LingerfeltMarch 9, 2019

How to transfer FSMO Roles using PowerShell

A rare weekend post for me! HA! I am currently migrating my server environment from VMWare 6.7 to Server 2019 Hyper-V. I have a separate standalone box that I use for my VM backups and as a tertiary DC. Since I had to shut down my VMs in order to convert them, I needed to quickly move my FSMO roles from the DC Virtual Machine to the Standalone box so things would stay running.

I found this great article on how to do that quickly through PowerShell since it is a pain to go into ADUC, ADDT, and setup an MMC for the Schema snap-in.

When you create a domain, all FSMO roles assigned to the first domain controller in the forest by default. You can transfer FSMO roles from one DC to another both the Active Directory graphics snap-ins and the PowerShell command line. Moving FSMO roles using AD PowerShell has the following benefits:

You do not need to connect with a MMC snap-ins to the future role owner;
Transferring or seizing FSMO roles does not require a connection to the current or future role owner. You can run AD-PowerShell module cmdlets on a Windows Client or Server running RSAT Tools;
To seize the FSMO role (if the current owner is not available), it suffices to use an additional parameter -force.

Import the Active Directory Module Into PowerShell:

Import-Module ActiveDirectory

1	Import-Module ActiveDirectory

To get the current forest level FSMO role owners (Domain Naming Master and Schema Master roles) you can use the following PowerShell cmdlet:

Get-ADForest ldlnet.net | ft DomainNamingMaster, SchemaMaster -a -wr

1	Get-ADForest ldlnet.net \| ft DomainNamingMaster, SchemaMaster -a -wr

To view domain-wide FSMO roles (Infrastructure Master, PDC Emulator and Relative Identifier Master roles):

Get-ADDomain ldlnet.net | ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr

1	Get-ADDomain ldlnet.net \| ft InfrastructureMaster, PDCEmulator, RIDMaster -a -wr

Transfer FSMO Roles using PowerShell

To transfer FSMO roles between Active Directory domain controllers, we use the PowerShell cmdlet:
Move-ADDirectoryServerOperationMasterRole

To use the Move-ADDirectoryServerOperationMasterRole cmdlet, you must meet the following requirements:

There must be at least one DC with a version of Windows Server 2008 R2 or higher
PowerShell version 3.0 or newer
Active Directory module (2.0 or newer)

NOTE: Unlike the Ntdsutil.exe utility, the Move-ADDirectoryServerOperationMasteRole cmdlet can be performed from any domain computer to migrate the Operations Master roles if you have the appropriate rights (Domain admins and Enterprise Admins).

Import the AD Module:

Import-Module ActiveDirectory

1	Import-Module ActiveDirectory

I needed to move all the roles from one server to the other, so, I ran the following to do so:

Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole DomainNamingMaster,PDCEmulator,RIDMaster,SchemaMaster,InfrastructureMaster -Confirm:$False

NOTE: To simplify the command, you can replace the names of roles with numbers from 0 to 4. The correspondence of names and numbers is given in the table:

PDCEmulator	0
RIDMaster	1
InfrastructureMaster	2
SchemaMaster	3
DomainNamingMaster	4

So, by having knowledge of these numbers, you can simplify your cmdlet:

Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False

1	Move-ADDirectoryServerOperationMasterRole -Identity “servername” –OperationMasterRole 0,1,2,3,4 -Confirm:$False

NOTE: In the event that the current owner of one or all of the FSMO roles fails, the forced transfer of FSMO roles is performed by the same command, but with the -Force option. Also, after the FSMO roles have been seized, the domain controller from which the roles was seized should never be connected to the domain. You will need to preform a metadata cleanup of the Schema before even thinking about putting that failed server back into production.

Once completed, I ran the previous cmdlets of Get-ADForest and Get-ADDomain to verify that the FSMO roles moved to the destination server.

As of now, my conversion to Hyper-V is going smoothly, although it takes quite a bit of time to convert the hard disks. Thanks again!

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!
PLEASE COMMENT!

Reference:
How To Transfer FSMO Roles Using PowerShell

Lance LingerfeltFebruary 12, 2019February 12, 2019

Connect to all PowerShell Modules in O365 with one script

Let’s say you’re an admin that needs to connect to Office365 via PowerShell often. Now, there are many different websites or blogs that will show you how to connect to each session via PowerShell. That can cause a headache since you can end up having five different PowerShell sessions running in five different windows. You end up having to enter a username and password all those times, which can become time consuming.

I want to show you here how to combine all those sessions into one script where, if you’re security is tight enough on your computer, you don’t even have to enter credentials. This way, you can click on one icon and pull up all the O365 PowerShell commands that you’ll need to manage your organization.

First you need to download the following PowerShell Module Installation Files so that your PowerShell Database will have the correct modules installed:

Microsoft Online Service Sign-in Assistant for IT Professionals RTW
Windows Azure Active Directory Module for Windows PowerShell v2
SharePoint Online Management Shell
Skype for Business Online, Windows PowerShell Module

Next, we want to setup the CLI (Command Line Interface) to be too cool for school. I have learned it helps to have knowledge of how to customize the CLI window. You can do all of this in PowerShell ISE or Notepad, which ever you prefer. Here are the commands for the script that I use to setup the CLI:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Comapny Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

Next, you want to set your Execution Policy and put in your credentials so that you won’t be prompted to enter the user credentials when you run the script.

NOTE: MAKE SURE YOU KEEP YOUR SCRIPT SAFE AS THE CREDENTIALS ARE VISIBLE WITHIN THE SCRIPT IN PLAIN TEXT!

You can, alternatively, set your script to prompt for credentials every time by using the following:

$LiveCred = Get-Credential

Here is that part of the script:

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

Now we get into the importing of the modules for each O365 service:

Get the MSOnline Module:

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

Connect to the MSOnline Service:

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

Connect to Azure AD PowerShell:

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

Connect to SharePoint Online PowerShell:
NOTE – MAKE SURE YOU CHANGE TO YOUR COMPANY NAME IN THE URL!!

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

Connect to Exchange Online PowerShell:

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

Connect to Skype For Business Online PowerShell:

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

Connect to the Security & Compliance PowerShell:
NOTE – This one I still get “Access Denied” when trying to connect. I have looked for an answer to that issue, but have not found one. Please comment with a link if you have an answer so that I can update this script!

#Connect the Security & Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection

Import-PSSession $SccSession -Prefix cc

Lastly, put in a note to show that the PS load is completed:

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

So Here is the final script in its entirety:

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"
set-location c:\PowerShell
$a = (Get-Host).UI.RawUI
$a.BackgroundColor = "black"
$a.ForegroundColor = "yellow"
$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"
$curUser= (Get-ChildItem Env:\USERNAME).Value
function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")&gt;"}
$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell &gt;&gt; User: $curUser &gt;&gt; Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials
Set-ExecutionPolicy Unrestricted
$user = "tenantadmin@companyname.onmicrosoft.com"
$pass = "adminpassword"
$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force
$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365
Write-Host "Getting MSOnline Module" -ForegroundColor Green
Get-Module MSOnline

#Connect the MS Online Service
Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green
Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell
Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green
Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell
Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell
Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module
Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green 
Import-Module SkypeOnlineConnector
$sfboSession = New-CsOnlineSession -Credential $LiveCred
Import-PSSession $sfboSession

#Connect the Security &amp; Compliance Center PowerShell Module
Write-Host "Connecting to O365 Security &amp; Compliance Online through PowerShell"-ForegroundColor Green
$SccSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.compliance.protection.outlook.com/powershell-liveid -Credential $LiveCred -Verbose -Authentication Basic -AllowRedirection
Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green
Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green
Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

#Set the PowerShell CLI. Make sure you have a directory named "C:\PowerShell"

set-location c:\PowerShell

$a = (Get-Host).UI.RawUI

$a.BackgroundColor = "black"

$a.ForegroundColor = "yellow"

$a.WindowTitle = "(Your Company Name) PowerShell for ALL O365 PowerShell Services"

$curUser= (Get-ChildItem Env:\USERNAME).Value

function prompt {"(Your Company Name) O365 PS: $(get-date -f "hh:mm:ss tt")>"}

$host.UI.RawUI.WindowTitle = "(Your Company Name) O365 PowerShell >> User: $curUser >> Current Directory: $((Get-Location).Path)"

#Setup Execution Policy and Credentials using your Tenant Admin Credentials

Set-ExecutionPolicy Unrestricted

$user = "tenantadmin@companyname.onmicrosoft.com"

$pass = "adminpassword"

$secpass = $pass | ConvertTo-SecureString -AsPlainText -Force

$LiveCred = New-Object System.Management.Automation.PSCredential -ArgumentList $user, $secpass

#Set up the powershell cmdlets for Office365

Write-Host "Getting MSOnline Module" -ForegroundColor Green

Get-Module MSOnline

#Connect the MS Online Service

Write-Host "Connecting to the MSOnline Service" -ForegroundColor Green

Connect-MSOLService -Credential $LiveCred

#Connect to Azure Ad PowerShell

Write-Host "Connecting to Azure AD PowerShell" -ForegroundColor Green

Connect-AzureAD -Credential $LiveCred

#Connect to SharePoint Online PowerShell

Write-Host "Connecting to SharePoint Online through PowerShell" -ForegroundColor Green

Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

Connect-SPOService -Url https://companyname-admin.sharepoint.com -credential $LiveCred

#Connect to Exchange Powershell

Write-Host "Connecting to Exchange Online through PowerShell" -ForegroundColor Green

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection

Import-PSSession $Session

#Connect the Skype For Business Online Powershell Module

Write-Host "Connecting to Skype For Business Online through PowerShell" -ForegroundColor Green

Import-Module SkypeOnlineConnector

$sfboSession = New-CsOnlineSession -Credential $LiveCred

Import-PSSession $sfboSession

#Connect the Security & Compliance Center PowerShell Module

Write-Host "Connecting to O365 Security & Compliance Online through PowerShell"-ForegroundColor Green

Import-PSSession $SccSession -Prefix cc

Write-Host "Be sure to check for any connectivity errors!" -ForegroundColor Green

Write-Host "Also, Remember to run 'Get-PSSession | Remove-PSSession' before closing your PowerShell Window!" -ForegroundColor Green

Write-Host "Successfully connected to all O365 PowerShell Services for (CompanyName)!" -ForegroundColor Green

Now you can create your icon for your desktop so that you can easily access the script. I would save the script to your Scripts directory.

That will usually be C:\Users\’username’\Documents\WindowsPowerShell\Scripts or wherever directory you choose.

To start, right click the desktop and choose New > Shortcut
In the Target Field, enter the following for your PowerShell Shortcut, pointing to the path of your script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe -noexit -ExecutionPolicy Unrestricted -File “C:\Users\username\Documents\WindowsPowerShell\Scripts\ConnectO365All.ps1”

Click on the Advanced button and check the box: Run As Administrator
Under the General Tab, name your shortcut: (CompanyName) O365 All PowerShell
Click OK to save the shortcut to your desktop.

LAST BUT NOT LEAST, RUN THE FOLLOWING COMMAND BEFORE EXITING OR CLOSING YOUR POWERSHELL WINDOW. THIS WILL REMOVE ALL THE SESSIONS YOU’VE CONNECTED TO:

Get-PSSession | Remove-PSSession

HAPPY SCRIPTING!
LEARN, DO, LIVE!

References:
Connect to all O365 Services in one PowerShell Window
How to connect to all O365 Services through PowerShell
Connecting to Office 365 “Everything” via PowerShell

Lance LingerfeltJanuary 15, 2019

MaxConcurrentAPI Script for Netlogon Issues

I get incidents from time to time that deal with Netlogon Service Issues. For example: Semaphore Waiters, Semaphore Timeouts, Semaphore Acquires, etc…

Here is a script I got from the Microsoft Gallery
In some enterprise environments the sheer volume of NTLM authentication can produce performance bottlenecks on servers. To help make the problem easier to detect, this PowerShell script was written.

PARAM ([Switch]$CheckMaxConcurrentApi, [switch]$GetNetlogonInstances, [string]$Computer = "Localhost", [string]$Instance = "_Total", [bool]$CalcMCA = $False)
#************************************************
# CheckMaxConcurrentApiScript.ps1
# Version 1.0
# Date: 3/22/2013
# Author: Tim Springston [MSFT]
# Description:Uses .Net methods and WMI to query
#                a remote or local computer for MaxConcurrentApi
#               problems and return details back in a PSObject.
#************************************************
function CheckMaxConcurrentApi ([string]$InstanceName = "_Total", [string]$ComputerName = "localhost", [bool]$Calc = $false)
{   
	#This function takes three optional parameters to select Netlogon Instance (can be obtained by using
	#sister function GetNetlogonInstances, computer to run against and whether to run
	#MaxConcurrentApi calculation-which takes longer.
    #It returns details about the computer, whether the problem is detected, and suggested MaxConcurrentApi value.
	$ProblemDetected = $false
	$Date = Get-Date
 
	#Get role, OSVer, hotfix data.
	$cs =  gwmi -Namespace "root\cimv2" -class win32_computersystem -Impersonation 3 -ComputerName $ComputerName
	$DomainRole = $cs.domainrole
	$OSVersion = gwmi -Namespace "root\cimv2" -Class Win32_OperatingSystem -Impersonation 3 -ComputerName $ComputerName
	$bn = $OSVersion.BuildNumber
	$150Hotfix = $false
 
	#Determine how long the computer has been running since last reboot.
	$wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName
	$LocalDateTime = $wmi.LocalDateTime
	$Uptime = $wmi.ConvertToDateTime($wmi.LocalDateTime) – $wmi.ConvertToDateTime($wmi.LastBootUpTime)
	$Days = $Uptime.Days.ToString()
	$Hours = $Uptime.Hours.ToString()
	$UpTimeStatement = $Days + " days " + $Hours + " hours"
 
	#Get SystemRoot so that we can map the right drive for checking file versions.
	$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)
	$ObjRegKey = $ObjReg.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")
	$SystemRoot = $ObjRegKey.GetValue("SystemRoot")
 
	#Parse the drive letter for the remote systemroot and then map the network drive. First though
	#make sure the drive you will map to doesnt exist already.
	$Drives = gwmi -Namespace "root\cimv2"  -ComputerName $ComputerName -Impersonation Impersonate -Class Win32_LogicalDisk
	$DriveLetters = @()
	ForEach ($Drive in $Drives)
		{
		  $Caption = $Drive.Caption
		  $DriveLetters += $Caption
		  $Caption = $null
		}
 
	if ($ComputerName -ne "localhost")
		{
			$PossibleLetters = [char[]]"DEFGHIJKLMNOPQRTUVWXY" 
			$devices = get-wmiobject win32_logicaldisk | select -expand DeviceID
			$PossibleLetters | where {$DriveLetters -notcontains "$($_):"} | Select -First 1 | % {
			$AvailableDriveLetter = $_
			}
			$DriveToMap = $SystemRoot
			$DriveToMap = $DriveToMap.Replace(":\Windows","")
			$DriveToMap = "\\" + $ComputerName + "\" + $DriveToMap + "$"
			$AvailableDriveLetter = $AvailableDriveLetter  + ":"
			$NETUSEReturn = net use $AvailableDriveLetter $DriveToMap
			$RemoteSystem32Folder = $AvailableDriveLetter + "\Windows\System32"
			$NetlogonDll = $RemoteSystem32Folder + "\Netlogon.dll"
		}
		else
			{
			 $NetlogonDll = $SystemRoot + "\System32\Netlogon.dll"
			}
 
	#Check the file versions for the hotfixes.
	$FileVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($NetlogonDll).FileVersion
	switch -exact ($bn)
		{"6002" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				 $6002HotfixVer = "6.0.6002.22289"
				 if ($6002HotfixVer -eq $FileVer)
				     {$150Hotfix = $true}
				}
		"7600" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				$7600HotfixVer = "6.1.7600.20576"
				if ($7600HotfixVer -eq $FileVer)
					{$150Hotfix = $true}
				}
		"7601" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363
				$150Hotfix = $true
				}
		}
	if ($ComputerName -ne "localhost")
		{
		$NETUSEReturn = net use $AvailableDriveLetter /d
		}
 
	#Determine effective MaxConcurrentApi setting based on OS, hotfix presence, role and registry setting.
	$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)
	$objRegKey= $objReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Netlogon\\Parameters")
	$MCARegVal = $objRegKey.GetValue('MaxConcurrentApi')
	$CurrentMCA = 0
	if  ($DomainRole -gt 1)
			{    
			if ($bn -ge 9200)
				{
				If (($MCARegVal -lt 10) -or ($MCARegVal -eq $null) -or ($MCARegVal -gt 9999))
					{$CurrentMCA = 10}
					elseif (($MCARegVal -gt 10)    -and ($MCARegVal -lt 9999))
						{$CurrentMCA = $MCARegVal}
				}
				else
					{        
					If (($MCARegVal -gt 10) -and ($150Hotfix -eq $true))
						{        
						$CurrentMCA = $MCARegVal}
						elseif (($MCARegVal -gt 10) -and ($150Hotfix -eq $false))    
							{$CurrentMCA = 2}
							elseif (( $MCARegVal -gt 2 ) -and ($MCARegVal -le 10))
								{$CurrentMCA = $MCARegVal}
								elseif ($MCARegVal -lt 2)
									{$CurrentMCA = 2}
									elseif ($MCARegVal -eq $null)
										{$CurrentMCA = 2}
					}
				}
 
	#Get a sample of the counters.
	$Category = "Netlogon"
	$CounterASHT = "Average Semaphore Hold Time"
	$CounterST = "Semaphore Timeouts"
	$CounterSA = "Semaphore Acquires"
	$CounterSH = "Semaphore Holders"
	$CounterSW = "Semaphore Waiters"
	#Query remote computer for counters.
	$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)
	$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)
	$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)
	$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)
	$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)
	#Cook values
	$CookedASHT = $NetlogonRemoteASHT.NextValue()
	$CookedST = $NetlogonRemoteST.NextValue()
	$CookedSA = $NetlogonRemoteSA.NextValue()
	$CookedSW = $NetlogonRemoteSW.NextValue()
	$CookedSH = $NetlogonRemoteSH.NextValue()
	if ((($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB))) -or ($CookedSH -eq $CurrentMCA) -or ((($CookedST -gt 0) -and (-not($CookedST -gt 4GB))) -and (($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB)))))
				{$ProblemDetected = $true}
 
	#Do a second data sample and compare results in order to run the "suggested MCA" math.
	if (($ProblemDetected -eq $true) -and ($Calc -eq $true))
		{
		Start-Sleep -Seconds 60
		$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)
		$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)
		$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)
		$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)
		$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)
		#Cook values
		$SecondCookedASHT = $NetlogonRemoteASHT.NextValue()
		$SecondCookedST = $NetlogonRemoteST.NextValue()
		$SecondCookedSA = $NetlogonRemoteSA.NextValue()
		$SecondCookedSW = $NetlogonRemoteSW.NextValue()
		$SecondCookedSH = $NetlogonRemoteSH.NextValue()
		#Next, calculate the suggested MCA 
	                            #using formula from http://support.microsoft.com/kb/2688798
	                            #(semaphore_acquires + semaphore_timeouts) * average_semaphore_hold_time / time_collection_length =< New_MaxConcurrentApi_setting
							 #subtract Sample1SA from Sample2SA = SampleSADelta
							 $SampleSADelta = ($SecondCookedSA - $CookedSA)
							 $SampleSTDelta = ($SecondCookedST - $CookedST)
							 $ASHT = ($SecondCookedASHT + $CookedASHT)
							 $SampleASHTDelta = ($ASHT / 2 )
							 $SamplesDeltaSAST = ($SampleSADelta + $SampleSTDelta)
							 $AllSampleDeltas = ($SampleASHTDelta * $SamplesDeltaSAST)
						     $AllSampleDeltas /= 90
							 $SuggestedMCA = $AllSampleDeltas
							 $SuggestedMCA = "{0:N0}" -f $SuggestedMCA
							 if ($SuggestedMCA -le 2)
								{$SuggestedMCA = $CurrentMCA}
		}
	#Create PSObject for returned data.
	$ReturnedData = New-Object PSObject
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Detection Time" -value $Date
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Problem Detected" -value $ProblemDetected
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Name" -value $cs.Name
	if ($cs.DomainRole -le 1)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Client"}
	if (($cs.DomainRole -eq 3) -or ($cs.DomainRole -eq 2))
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Member Server"}
	if ($cs.DomainRole -ge 4)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Server Role" -value "Domain Controller"}
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Domain Name" -value $cs.Domain
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Operating System" -value $OSVersion.Caption
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Time Since Last Reboot" -value $UpTimeStatement
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Current Effective MaxConcurrentApi Setting" -value $CurrentMCA
	if ($SuggestedMCA -eq $null)
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $CurrentMCA}
		else
		{add-member -inputobject $ReturnedData  -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $SuggestedMCA}
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Current Threads in Use (Semaphore Holders)" -value $CookedSH
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Clients Currently Waiting (Semaphore Waiters)" -value $CookedSW
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Cumulative Client Timeouts (Semaphore Timeouts) " -value $CookedST
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires)" -value $CookedSA
	add-member -inputobject $ReturnedData  -membertype noteproperty -name "Duration of Calls (Avg Semaphore Hold Time)" -value $CookedASHT
	return $ReturnedData
}
 
function GetNetlogonInstances ([string]$RemoteComputerName = "localhost")
	{
	 #This function takes a computer name as input (default to local computer) and returns
	 #the instances-analagous to secure channels-a computer has. 
	 #Format returned is \\hostname.domainname.com.
	 
	 if ($RemoteComputerName -eq $null)
	     {
		$LocalNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)
		$LocalInstances = $LocalNetlogon.GetInstanceNames()
	    $AllLocalInstances = @()
		foreach ($LocalInstance in $LocalInstances)
			{    
	          if ($LocalInstance -ne "_total")
	             {
				 $AllLocalInstances += $LocalInstance
				}         
			} 
			if ($AllLocalInstances -eq $null)
				{
				WriteTo-StdOut "The local computer was missing its DC perf instance so getting DC name from WMI." -shortformat
 
				$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"
				$v2 = get-wmiobject -query $Query
				$DCName = $v2.DomainControllerName
				$AllLocalInstances += $DCName
				WriteTo-StdOut "DCName is $AllLocalInstances" -shortformat
				}
		return $AllLocalInstances
		}
		else
		{
		$RemoteNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)
		$RemoteInstances = $RemoteNetlogon.GetInstanceNames()
		$AllRemoteInstances = @()
		foreach ($RemoteInstance in $RemoteInstances)
			{    
	          if ($RemoteInstance -ne "_Total")
	             {
				 $AllRemoteInstances += $RemoteInstance
				}
			}
			if ($AllRemoteInstances -eq $null)
				{
				#If the local computer was missing its DC perf instance so getting DC name from WMI.
				$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"
				$v2 = get-wmiobject -query $Query
				$DCName = $v2.DomainControllerName
				$AllRemoteInstances += $DCName
				}
		return $AllRemoteInstances
		}
	}
 
if (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost") -and ($CalcMCA -eq $true))
	{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer -Calc $CalcMCA  | FL }
elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost"))
	{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer | FL }
elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total"))
	{CheckMaxConcurrentApi -instancename $Instance  | FL}
elseif (($CheckMaxConcurrentApi) -and ($Computer -ne "Localhost"))
	{CheckMaxConcurrentApi -ComputerName $Computer  | FL}
elseif (($CheckMaxConcurrentApi) -and ($CalcMCA -eq $true))
	{CheckMaxConcurrentApi -Calc $calcmca  | FL}
elseif ($CheckMaxConcurrentApi)
	{CheckMaxConcurrentApi | FL}
if (($GetNetlogonInstances) -and ($Computer -ne "Localhost"))
	{GetNetlogonInstances  | FL}
elseif ($GetNetlogonInstances) 
{GetNetlogonInstances -RemoteComputerName $Computer | FL}

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178

179

180

181

182

183

184

185

186

187

188

189

190

191

192

193

194

195

196

197

198

199

200

201

202

203

204

205

206

207

208

209

210

211

212

213

214

215

216

217

218

219

220

221

222

223

224

225

226

227

228

229

230

231

232

233

234

235

236

237

238

239

240

241

242

243

244

245

246

247

248

249

250

251

252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

PARAM ([Switch]$CheckMaxConcurrentApi, [switch]$GetNetlogonInstances, [string]$Computer = "Localhost", [string]$Instance = "_Total", [bool]$CalcMCA = $False)

#************************************************

# CheckMaxConcurrentApiScript.ps1

# Version 1.0

# Date: 3/22/2013

# Author: Tim Springston [MSFT]

# Description:Uses .Net methods and WMI to query

# a remote or local computer for MaxConcurrentApi

# problems and return details back in a PSObject.

#************************************************

function CheckMaxConcurrentApi ([string]$InstanceName = "_Total", [string]$ComputerName = "localhost", [bool]$Calc = $false)

{

#This function takes three optional parameters to select Netlogon Instance (can be obtained by using

#sister function GetNetlogonInstances, computer to run against and whether to run

#MaxConcurrentApi calculation-which takes longer.

#It returns details about the computer, whether the problem is detected, and suggested MaxConcurrentApi value.

$ProblemDetected = $false

$Date = Get-Date

#Get role, OSVer, hotfix data.

$cs = gwmi -Namespace "root\cimv2" -class win32_computersystem -Impersonation 3 -ComputerName $ComputerName

$DomainRole = $cs.domainrole

$OSVersion = gwmi -Namespace "root\cimv2" -Class Win32_OperatingSystem -Impersonation 3 -ComputerName $ComputerName

$bn = $OSVersion.BuildNumber

$150Hotfix = $false

#Determine how long the computer has been running since last reboot.

$wmi = Get-WmiObject -Class Win32_OperatingSystem -ComputerName $ComputerName

$LocalDateTime = $wmi.LocalDateTime

$Uptime = $wmi.ConvertToDateTime($wmi.LocalDateTime) – $wmi.ConvertToDateTime($wmi.LastBootUpTime)

$Days = $Uptime.Days.ToString()

$Hours = $Uptime.Hours.ToString()

$UpTimeStatement = $Days + " days " + $Hours + " hours"

#Get SystemRoot so that we can map the right drive for checking file versions.

$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine',$ComputerName)

$ObjRegKey = $ObjReg.OpenSubKey("SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion")

$SystemRoot = $ObjRegKey.GetValue("SystemRoot")

#Parse the drive letter for the remote systemroot and then map the network drive. First though

#make sure the drive you will map to doesnt exist already.

$Drives = gwmi -Namespace "root\cimv2" -ComputerName $ComputerName -Impersonation Impersonate -Class Win32_LogicalDisk

$DriveLetters = @()

ForEach ($Drive in $Drives)

{

$Caption = $Drive.Caption

$DriveLetters += $Caption

$Caption = $null

}

if ($ComputerName -ne "localhost")

{

$PossibleLetters = [char[]]"DEFGHIJKLMNOPQRTUVWXY"

$devices = get-wmiobject win32_logicaldisk | select -expand DeviceID

$PossibleLetters | where {$DriveLetters -notcontains "$($_):"} | Select -First 1 | % {

$AvailableDriveLetter = $_

}

$DriveToMap = $SystemRoot

$DriveToMap = $DriveToMap.Replace(":\Windows","")

$DriveToMap = "\\" + $ComputerName + "\" + $DriveToMap + "$"

$AvailableDriveLetter = $AvailableDriveLetter + ":"

$NETUSEReturn = net use $AvailableDriveLetter $DriveToMap

$RemoteSystem32Folder = $AvailableDriveLetter + "\Windows\System32"

$NetlogonDll = $RemoteSystem32Folder + "\Netlogon.dll"

}

else

{

$NetlogonDll = $SystemRoot + "\System32\Netlogon.dll"

}

#Check the file versions for the hotfixes.

$FileVer = [System.Diagnostics.FileVersionInfo]::GetVersionInfo($NetlogonDll).FileVersion

switch -exact ($bn)

{"6002" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$6002HotfixVer = "6.0.6002.22289"

if ($6002HotfixVer -eq $FileVer)

{$150Hotfix = $true}

}

"7600" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$7600HotfixVer = "6.1.7600.20576"

if ($7600HotfixVer -eq $FileVer)

{$150Hotfix = $true}

}

"7601" {#Hotfix Check for MCA to 150 KB975363 http://support.microsoft.com/kb/975363

$150Hotfix = $true

}

if ($ComputerName -ne "localhost")

{

$NETUSEReturn = net use $AvailableDriveLetter /d

}

#Determine effective MaxConcurrentApi setting based on OS, hotfix presence, role and registry setting.

$objReg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $ComputerName)

$objRegKey= $objReg.OpenSubKey("SYSTEM\\CurrentControlSet\\services\\Netlogon\\Parameters")

$MCARegVal = $objRegKey.GetValue('MaxConcurrentApi')

$CurrentMCA = 0

if ($DomainRole -gt 1)

{

if ($bn -ge 9200)

{

If (($MCARegVal -lt 10) -or ($MCARegVal -eq $null) -or ($MCARegVal -gt 9999))

{$CurrentMCA = 10}

elseif (($MCARegVal -gt 10) -and ($MCARegVal -lt 9999))

{$CurrentMCA = $MCARegVal}

}

else

{

If (($MCARegVal -gt 10) -and ($150Hotfix -eq $true))

{

$CurrentMCA = $MCARegVal}

elseif (($MCARegVal -gt 10) -and ($150Hotfix -eq $false))

{$CurrentMCA = 2}

elseif (( $MCARegVal -gt 2 ) -and ($MCARegVal -le 10))

{$CurrentMCA = $MCARegVal}

elseif ($MCARegVal -lt 2)

{$CurrentMCA = 2}

elseif ($MCARegVal -eq $null)

{$CurrentMCA = 2}

}

#Get a sample of the counters.

$Category = "Netlogon"

$CounterASHT = "Average Semaphore Hold Time"

$CounterST = "Semaphore Timeouts"

$CounterSA = "Semaphore Acquires"

$CounterSH = "Semaphore Holders"

$CounterSW = "Semaphore Waiters"

#Query remote computer for counters.

$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)

$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)

$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)

$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)

$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)

#Cook values

$CookedASHT = $NetlogonRemoteASHT.NextValue()

$CookedST = $NetlogonRemoteST.NextValue()

$CookedSA = $NetlogonRemoteSA.NextValue()

$CookedSW = $NetlogonRemoteSW.NextValue()

$CookedSH = $NetlogonRemoteSH.NextValue()

if ((($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB))) -or ($CookedSH -eq $CurrentMCA) -or ((($CookedST -gt 0) -and (-not($CookedST -gt 4GB))) -and (($CookedSW -gt 0) -and (-not($CookedSW -gt 4GB)))))

{$ProblemDetected = $true}

#Do a second data sample and compare results in order to run the "suggested MCA" math.

if (($ProblemDetected -eq $true) -and ($Calc -eq $true))

{

Start-Sleep -Seconds 60

$NetlogonRemoteASHT = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterASHT,$InstanceName,$ComputerName)

$NetlogonRemoteST = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterST,$InstanceName,$ComputerName)

$NetlogonRemoteSA = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSA,$InstanceName,$ComputerName)

$NetlogonRemoteSW = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSW,$InstanceName,$ComputerName)

$NetlogonRemoteSH = New-Object System.Diagnostics.PerformanceCounter($Category,$CounterSH,$InstanceName,$ComputerName)

#Cook values

$SecondCookedASHT = $NetlogonRemoteASHT.NextValue()

$SecondCookedST = $NetlogonRemoteST.NextValue()

$SecondCookedSA = $NetlogonRemoteSA.NextValue()

$SecondCookedSW = $NetlogonRemoteSW.NextValue()

$SecondCookedSH = $NetlogonRemoteSH.NextValue()

#Next, calculate the suggested MCA

#using formula from http://support.microsoft.com/kb/2688798

#(semaphore_acquires + semaphore_timeouts) * average_semaphore_hold_time / time_collection_length =< New_MaxConcurrentApi_setting

#subtract Sample1SA from Sample2SA = SampleSADelta

$SampleSADelta = ($SecondCookedSA - $CookedSA)

$SampleSTDelta = ($SecondCookedST - $CookedST)

$ASHT = ($SecondCookedASHT + $CookedASHT)

$SampleASHTDelta = ($ASHT / 2 )

$SamplesDeltaSAST = ($SampleSADelta + $SampleSTDelta)

$AllSampleDeltas = ($SampleASHTDelta * $SamplesDeltaSAST)

$AllSampleDeltas /= 90

$SuggestedMCA = $AllSampleDeltas

$SuggestedMCA = "{0:N0}" -f $SuggestedMCA

if ($SuggestedMCA -le 2)

{$SuggestedMCA = $CurrentMCA}

}

#Create PSObject for returned data.

$ReturnedData = New-Object PSObject

add-member -inputobject $ReturnedData -membertype noteproperty -name "Detection Time" -value $Date

add-member -inputobject $ReturnedData -membertype noteproperty -name "Problem Detected" -value $ProblemDetected

add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Name" -value $cs.Name

if ($cs.DomainRole -le 1)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Client"}

if (($cs.DomainRole -eq 3) -or ($cs.DomainRole -eq 2))

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Member Server"}

if ($cs.DomainRole -ge 4)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Server Role" -value "Domain Controller"}

add-member -inputobject $ReturnedData -membertype noteproperty -name "Domain Name" -value $cs.Domain

add-member -inputobject $ReturnedData -membertype noteproperty -name "Operating System" -value $OSVersion.Caption

add-member -inputobject $ReturnedData -membertype noteproperty -name "Time Since Last Reboot" -value $UpTimeStatement

add-member -inputobject $ReturnedData -membertype noteproperty -name "Current Effective MaxConcurrentApi Setting" -value $CurrentMCA

if ($SuggestedMCA -eq $null)

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $CurrentMCA}

else

{add-member -inputobject $ReturnedData -membertype noteproperty -name "Suggested MaxConcurrentApi Setting (may be same as current)" -value $SuggestedMCA}

add-member -inputobject $ReturnedData -membertype noteproperty -name "Current Threads in Use (Semaphore Holders)" -value $CookedSH

add-member -inputobject $ReturnedData -membertype noteproperty -name "Clients Currently Waiting (Semaphore Waiters)" -value $CookedSW

add-member -inputobject $ReturnedData -membertype noteproperty -name "Cumulative Client Timeouts (Semaphore Timeouts) " -value $CookedST

add-member -inputobject $ReturnedData -membertype noteproperty -name "Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires)" -value $CookedSA

add-member -inputobject $ReturnedData -membertype noteproperty -name "Duration of Calls (Avg Semaphore Hold Time)" -value $CookedASHT

return $ReturnedData

}

function GetNetlogonInstances ([string]$RemoteComputerName = "localhost")

{

#This function takes a computer name as input (default to local computer) and returns

#the instances-analagous to secure channels-a computer has.

#Format returned is \\hostname.domainname.com.

if ($RemoteComputerName -eq $null)

{

$LocalNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)

$LocalInstances = $LocalNetlogon.GetInstanceNames()

$AllLocalInstances = @()

foreach ($LocalInstance in $LocalInstances)

{

if ($LocalInstance -ne "_total")

{

$AllLocalInstances += $LocalInstance

}

if ($AllLocalInstances -eq $null)

{

WriteTo-StdOut "The local computer was missing its DC perf instance so getting DC name from WMI." -shortformat

$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"

$v2 = get-wmiobject -query $Query

$DCName = $v2.DomainControllerName

$AllLocalInstances += $DCName

WriteTo-StdOut "DCName is $AllLocalInstances" -shortformat

}

return $AllLocalInstances

}

else

{

$RemoteNetlogon = New-Object System.Diagnostics.PerformanceCounterCategory("Netlogon",$RemoteComputerName)

$RemoteInstances = $RemoteNetlogon.GetInstanceNames()

$AllRemoteInstances = @()

foreach ($RemoteInstance in $RemoteInstances)

{

if ($RemoteInstance -ne "_Total")

{

$AllRemoteInstances += $RemoteInstance

}

if ($AllRemoteInstances -eq $null)

{

#If the local computer was missing its DC perf instance so getting DC name from WMI.

$Query = "select * from win32_ntdomain where description = '" + $env:userdomain + "'"

$v2 = get-wmiobject -query $Query

$DCName = $v2.DomainControllerName

$AllRemoteInstances += $DCName

}

return $AllRemoteInstances

}

if (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost") -and ($CalcMCA -eq $true))

{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer -Calc $CalcMCA | FL }

elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total") -and ($Computer -ne "Localhost"))

{CheckMaxConcurrentApi -instancename $Instance -ComputerName $Computer | FL }

elseif (($CheckMaxConcurrentApi) -and ($Instance -ne "_Total"))

{CheckMaxConcurrentApi -instancename $Instance | FL}

elseif (($CheckMaxConcurrentApi) -and ($Computer -ne "Localhost"))

{CheckMaxConcurrentApi -ComputerName $Computer | FL}

elseif (($CheckMaxConcurrentApi) -and ($CalcMCA -eq $true))

{CheckMaxConcurrentApi -Calc $calcmca | FL}

elseif ($CheckMaxConcurrentApi)

{CheckMaxConcurrentApi | FL}

if (($GetNetlogonInstances) -and ($Computer -ne "Localhost"))

{GetNetlogonInstances | FL}

elseif ($GetNetlogonInstances)

{GetNetlogonInstances -RemoteComputerName $Computer | FL}

Execution:

Now, I modified this script taking out the clear screen parameter so that I could be run against multiple servers. Place the script in your Scripts directory and name it CheckMaxConcurrentApiScript.ps1

First, in PowerShell, gather your list of servers:

$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

1	$DCList = Get-ADDomainController -Filter * \| Sort-Object Name \| Select-Object Name

$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name

1	$EXList = Get-ExchangeServer \| Sort-Object Name \| Select-Object Name

Next, run the command to run the ps1 against those servers:

foreach ($DC in $DCList) { $DC.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $DC.Name -CalcMCA $true} }

1	foreach ($DC in $DCList) { $DC.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $DC.Name -CalcMCA $true} }

foreach ($EX in $EXList) { $EX.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $EX.Name -CalcMCA $true} }

1	foreach ($EX in $EXList) { $EX.Name ; Invoke-Command -Command {C:\Scripts\CheckMaxConcurrentApiScript.ps1 -checkmaxconcurrentapi -Computer $EX.Name -CalcMCA $true} }

Sample Output:

DC03
Detection Time : 12/13/2018 7:56:16 PM
Problem Detected : False
Server Name : DC03
Server Role : Domain Controller
Domain Name : ldlnet.org
Operating System : Microsoft Windows Server 2008 R2 Enterprise
Time Since Last Reboot : 4 days 22 hours
Current Effective MaxConcurrentApi Setting : 10
Suggested MaxConcurrentApi Setting (may be same as current) : 10
Current Threads in Use (Semaphore Holders) : 0
Clients Currently Waiting (Semaphore Waiters) : 0
Cumulative Client Timeouts (Semaphore Timeouts) : 17
Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires) : 3493999
Duration of Calls (Avg Semaphore Hold Time) : 0

EXCH02
Detection Time : 12/13/2018 8:00:53 PM
Problem Detected : False
Server Name : EXCH02
Server Role : Member Server
Domain Name : ldlnet.org
Operating System : Microsoft Windows Server 2008 R2 Standard
Time Since Last Reboot : 4 days 23 hours
Current Effective MaxConcurrentApi Setting : 10
Suggested MaxConcurrentApi Setting (may be same as current) : 10
Current Threads in Use (Semaphore Holders) : 0
Clients Currently Waiting (Semaphore Waiters) : 0
Cumulative Client Timeouts (Semaphore Timeouts) : 570
Cumulative MaxConcurrentApi Thread Uses (Semaphore Acquires) : 1682257
Duration of Calls (Avg Semaphore Hold Time) : 0

Hopefully, this script will assist you with gathering the needed information to help you balance the netlogon load between your servers when needed in your environment.

HAPPY TROUBLESHOOTING!

Lance LingerfeltJanuary 10, 2019January 29, 2019

Protected AD Groups and the problems they can cause accounts

I have run into this issue over the years with accounts being in the Domain Admins group and having issues running PowerShell cmdlets as well as not being able to connect to ActiveSync from a mobile device with the account.

These issues are due to the AdminSDHolder Template in AD and the SDProp Process that is run every 60 Minutes in AD.
This is explained in fantastic detail through the following Microsoft article: Protected Accounts & Groups In Active Directory

Here is an example of an issue that occurred in one of the environments that I was managing. A user was trying to run the following AD cmdlet in PowerShell on DC01:

Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title="Senior Operations Engineer"}

1	Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title="Senior Operations Engineer"}

The user got the following error when the cmdlet was executed:

Set-ADUser : Insufficient access rights to perform the operation
At line:1 char:1
+ Set-ADUser lancel -Server dc01.ldlnet.org -Replace @{title=”Senior O …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo: NotSpecified: (lancel:ADUser) [Set-ADUser], ADException
+ FullyQualifiedErrorId : ActiveDirectoryServer:8344,Microsoft.ActiveDirectory.Management.Commands.SetADUser

The issue was that the admin account used to run the cmdlet was in the Domain Admins group and was not inheriting permissions per the AdminSDHolder template that was applied to the account:

I checked to see that the admin account was in a protected group:

I next went to the Security Tab > Advanced Button and saw that the Enable Inheritance button was visible:

I’ve circled where to look in the window.

This verifies that the account is protected due to being in the Domain Admins group. Now, there are two workarounds for this particular error that we were experiencing.

Click the Enable Inheritance button. This will cause the permissions to be inherited temporarily. When SDProp is cycled again, the account will lose any inherited permissions and will be essentially “broken” again. This is not good if you’re going to be running cmdlets regularly to modify AD Accounts.
The preferred method to work around this issue is to set the -Server parameter to point to a different DC than the one you are on. So, essentially, we tell the cmdlet to execute on DC02 when running the cmdlet from DC01.

Set-ADUser lancel -Server dc02.ldlnet.org -Replace @{title="Senior Operations Engineer"}

1	Set-ADUser lancel -Server dc02.ldlnet.org -Replace @{title="Senior Operations Engineer"}

Either method will allow the cmdlet to execute successfully and modify the object. You would think that Microsoft would have noticed this issue with running an admin cmdlet for Active Directory, but they have not fixed this issue as of yet nor do i think they plan to. I would just go with workaround number two and remain sane.

Another example of this Protected Group issue comes with an account in a Protected Group that has a mailbox not being able to connect to Exchange ActiveSync when setting up their mobile device.

You usually get a 500 error on the device that you cannot connect.
You will also see event 1053 in Event Viewer alluding to not having sufficient access to create the container for the user in AD.

Read this page for more information: Exchange ActiveSync Permissions Issue with Protected Groups

So, in your endeavors admins, keep this in mind when running into these types of problems. Happy Troubleshooting!

Lance LingerfeltJanuary 4, 2019January 28, 2019

PowerShell Script to log NETLOGON Events 5719 and 5783, then test the Secure Channel to verify connectivity

In my support role, we would get nightly alerts showing disconnection to the PDC from other DCs and Exchange Servers, giving the following events:

DC02
10/31/2018 23:20:28 5719
NETLOGON
This computer was not able to set up a secure session with a domain controller in domain LDLNET due to the following:
The remote procedure call was cancelled.
This may lead to authentication problems. Make sure that this computer is connected to the network. If the problem persists, please contact your domain administrator.

ADDITIONAL INFO
If this computer is a domain controller for the specified domain, it sets up the secure session to the primary domain controller emulator in the specified domain. Otherwise, this computer sets up the
secure session to any domain controller in the specified domain.

DC03
10/31/2018 23:18:58 5783
NETLOGON
The session setup to the Windows NT or Windows 2000 Domain Controller \\DC01.LDLNET.ORG for the domain LDLNET is not responsive. The current RPC call from Netlogon on \\DC03 to \\DC01.ldlnet.org has been cancelled.

In order to validate the secure channel, you normally run the nltest command (you can also run the Test-ComputerSecureChannel PowerShell cmdlet) to verify the connectivity to the PDC on the secure channel. The scenario is though that multiple DCs or Exchange servers are having multiple events at a similar time due to a network hiccup that brought the secure channel offline between the two Servers.

Our team at the time was getting a lot of alerts generated and it was taking an inordinate amount of time to validate and test. In an effort to provide an efficient solution for this issue, I compiled a PowerShell ps1 script to first validate the events posted in the past three hours, and then secondly, test all the DCs and Exchange Servers for the Secure Channel Connectivity:

NOTE: This script needs to be run on a server that has the Exchange and Active Directory RSAT tools for PowerShell.

#Start Script
 
#Import Active Directory Module
Write-Host
Write-Host "Importing the Active Directory Module" -ForegroundColor Green
Import-Module ActiveDirectory

#Import Exchange Module
    Write-Host "Loading the Exchange Snap-In"
    Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue
    . $env:ExchangeInstallPath\bin\RemoteExchange.ps1
    Connect-ExchangeServer -auto -AllowClobber
 
#Get the list of DCs in the domain
Write-Host
Write-Host "Getting the list of DCs for LDLNET" -ForegroundColor Magenta
$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

#Get the list of Exchange Servers in the domain
Write-Host
Write-Host "Getting the list of Exchange Servers for LDLNET" -ForegroundColor Magenta
$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name
 
#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the DCs for the past three hours." -ForegroundColor DarkCyan
foreach ($DC in $DCList) {
try{
    echo $DC.name
    $Event = Get-Winevent -ComputerName $DC.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n"  + $_.ProviderName + "`n" + $_.message + "`n"}
    Write-Host "$Event" -ForegroundColor Red 
    }
    Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green
		Write-Host}
}

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.
Write-Host
Write-Host "Getting a list of 5719 and 5783 Events from the Exchange Servers for the past three hours." -ForegroundColor DarkCyan
foreach ($EX in $EXList) {
try{
    echo $EX.Name
    $Event = Get-Winevent -ComputerName $EX.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n"  + $_.message + "`n"}
     Write-Host "$Event" -ForegroundColor Red 
     }
    Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green
    Write-Host}
}
 
#Run the Secure Channel Test for the DCs. Make sure you modify the nltest command for your domain fqdn.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the DCs in LDLNET" -ForegroundColor Cyan
foreach ($DC in $DCList) {
try{
	echo $DC.name
	$Test = Invoke-Command -ComputerName $DC.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
	Write-Host "$Test" -ForegroundColor Yellow 
	}
	Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}
}

#Run the Secure Channel Test for the Exchange Servers. Make sure you modify the nltest command for your domain fqdn.
Start-Sleep -Seconds 2
Write-Host
Write-Host "Testing Secure Channel for the Exchange Servers in LDLNET" -ForegroundColor Cyan
foreach ($EX in $EXList) {
try{
	echo $EX.name
	$Test = Invoke-Command -ComputerName $EX.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream
	Write-Host "$Test" -ForegroundColor Yellow 
	}
	Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}
}

#End of Script

#Start Script

#Import Active Directory Module

Write-Host

Write-Host "Importing the Active Directory Module" -ForegroundColor Green

Import-Module ActiveDirectory

#Import Exchange Module

Write-Host "Loading the Exchange Snap-In"

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010 -ErrorAction SilentlyContinue

. $env:ExchangeInstallPath\bin\RemoteExchange.ps1

Connect-ExchangeServer -auto -AllowClobber

#Get the list of DCs in the domain

Write-Host

Write-Host "Getting the list of DCs for LDLNET" -ForegroundColor Magenta

$DCList = Get-ADDomainController -Filter * | Sort-Object Name | Select-Object Name

#Get the list of Exchange Servers in the domain

Write-Host

Write-Host "Getting the list of Exchange Servers for LDLNET" -ForegroundColor Magenta

$EXList = Get-ExchangeServer | Sort-Object Name | Select-Object Name

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.

Write-Host

Write-Host "Getting a list of 5719 and 5783 Events from the DCs for the past three hours." -ForegroundColor DarkCyan

foreach ($DC in $DCList) {

try{

echo $DC.name

$Event = Get-Winevent -ComputerName $DC.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n" + $_.message + "`n"}

Write-Host "$Event" -ForegroundColor Red

}

Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green

Write-Host}

}

#Run the command against each server to pull the Events from Event Logging. Make sure you have the StartTime;Endtime parameters correct. This gets events for the past three hours.

Write-Host

Write-Host "Getting a list of 5719 and 5783 Events from the Exchange Servers for the past three hours." -ForegroundColor DarkCyan

foreach ($EX in $EXList) {

try{

echo $EX.Name

$Event = Get-Winevent -ComputerName $EX.name -FilterHashTable @{LogName="System";StartTime=((get-date).addhours(-3));id='5719','5783'} -ErrorAction Stop | foreach {[string]$_.timecreated + "`t" + [string] $_.id + "`n" + $_.ProviderName + "`n" + $_.message + "`n"}

Write-Host "$Event" -ForegroundColor Red

}

Catch{Write-Host "No Events Found For This Server" -ForegroundColor Green

Write-Host}

}

#Run the Secure Channel Test for the DCs. Make sure you modify the nltest command for your domain fqdn.

Start-Sleep -Seconds 2

Write-Host

Write-Host "Testing Secure Channel for the DCs in LDLNET" -ForegroundColor Cyan

foreach ($DC in $DCList) {

try{

echo $DC.name

$Test = Invoke-Command -ComputerName $DC.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream

Write-Host "$Test" -ForegroundColor Yellow

}

Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}

}

#Run the Secure Channel Test for the Exchange Servers. Make sure you modify the nltest command for your domain fqdn.

Start-Sleep -Seconds 2

Write-Host

Write-Host "Testing Secure Channel for the Exchange Servers in LDLNET" -ForegroundColor Cyan

foreach ($EX in $EXList) {

try{

echo $EX.name

$Test = Invoke-Command -ComputerName $EX.Name -ScriptBlock {nltest /sc_verify:ldlnet.org} -ErrorAction Stop | Out-String -Stream

Write-Host "$Test" -ForegroundColor Yellow

}

Catch{Write-Host "Secure Channel Test Failed For This Server" -ForegroundColor Red}

}

#End of Script

I can’t really put out the output since it will have customer PII, but you will see where it will list the DC/Exchange Server Name, show the events, then run the test. You can then troubleshoot from there. Also, know that the secure channel test will FAIL when run on the PDC Emulator DC. The PDC Emulator cannot run a secure channel test on itself.

Please, if you have any questions or comments, please leave some feedback! Happy Troubleshooting!

A POSITIVE OUTLOOK WILL YIELD POSITIVE RESULTS ULTIMATELY!

THANKS FOR READING!PLEASE COMMENT!

HAPPY TROUBLESHOOTING!POSITIVE ENERGY!

Transfer FSMO Roles using PowerShell

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!PLEASE COMMENT!

HAPPY SCRIPTING!LEARN, DO, LIVE!

Execution:

Sample Output:

HAPPY TROUBLESHOOTING!

Cookies Notice for itblog.ldlnet.net

THANKS FOR READING!
PLEASE COMMENT!

HAPPY TROUBLESHOOTING!
POSITIVE ENERGY!

HAPPY TROUBLESHOOTING! KEEP SCRIPTING!
PLEASE COMMENT!

HAPPY SCRIPTING!
LEARN, DO, LIVE!