Deploy Azure Linux and Windows servers in 10 mins via cli

This is a step by step guide about deploying Linux or Windows servers on Azure via CLI.

Why Cli?

Some people prefer using Linux rather than PowerShell and it seems sometimes easier and faster to learn esp if you’re not GUI type of person.

Installation Options

If you’re working on Windows and would like to use CLI, you’ll have two options to install CLI

Option 1

Run Azure CLI installation directly from your Powershell (PowerShell needs to run from a privileged account)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList ‘/I AzureCLI.msi /quiet’

As soon as you run this command, it’ll take about 5 mins or less depending on the connection you have.

clip_image001

Option 2

Download the MSI file directly from MS’s link and install it on your Computer.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Connect to Azure CLI from PowerShell

Run PowerShell or CMD and type the following command to connect

Az Login then hit enter

As soon as you type this, a web page will be launched asking you for your Azure Account credentials so open the session for your Cli window.

The moment you verified your account, PowerShell will list your azure plans that you have / had before.

clip_image002

If you’re going to use Linux (Ubuntu, Debian) flavor then you’d have to following the following instructions

Manual install instructions

If you don’t want to run a script as superuser or the all-in-one script fails, follow these steps to install the Azure CLI.

  1. Get packages needed for the install process:

    bash

    
    
    sudo apt-get update
    sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg
  2. Download and install the Microsoft signing key:

    bash

    
    
    curl -sL https://packages.microsoft.com/keys/microsoft.asc |
        gpg --dearmor |
        sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg > /dev/null
  3. Add the Azure CLI software repository:

    bash

    
    
    AZ_REPO=$(lsb_release -cs)
    echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" |
        sudo tee /etc/apt/sources.list.d/azure-cli.list
  4. Update repository information and install the

    azure-cli

    package:

    bash

    
    
    sudo apt-get update
    sudo apt-get install azure-cli

Run the Azure CLI with the

az

command. To sign in, use the az login command.

  1. Run the

    login

    command.

    Azure CLI

    Try It

    
    
    az login

    If the CLI can open your default browser, it will do so and load an Azure sign-in page.

    Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.

  2. Sign in with your account credentials in the browser.

To learn more about different authentication methods, see Sign in with Azure CLI.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

We will start first by creating a Resource Group for our Machine, calling it a AzureLinuxServersGroup to easily identify that this group contains our Linux Servers

az group create –name AzureLinuxServersGroup –location westeurope

clip_image001[4]

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

First, How we know which Image to use and if that will be proper for our deployment?

To answer that, we will use the following command which will view the available latest edition Linux OS with different flavors.

I would like to use CentOS since its identical to RedHat and used by majority of Enterprises.

To list the Images, Enter the following command

az vm image list –output table

clip_image002[4]

Notice there are many columns, The one which we are going to use in terminal command line is the UrnAlias. It’s important to remember this.

az vm create \

–resource-group AzureLinuxServersGroup \

–name AzureCentOSWP \

–image CentOS \

–admin-username Moh10lyUser \

–generate-ssh-keys

clip_image003

Since we are using Bash, It’s a case sensitive and it complained about user having capital letters. So we’ll go ahead and use small letters

clip_image004

After running the command with small letters, it’s telling us where we can find the keys in order for us to reach and get them to use later to login to this newly created machine.

SSH key files ‘/home/moh10ly/.ssh/id_rsa’ and ‘/home/moh10ly/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.

The deployment of the machine takes about 3 mins, and it’ll be created with the default minimum resources. Let’s view

clip_image005

Our machine is ready to be accessed now

clip_image006

In order for you to get the SSH Keys, you’ll have to have a bit of knowledge

I am going to go the location mentioned previously after creating a machine and copy the keys from the bash screen into a file. Save the file and Import it into SSH client which I will be using (Bitvise in my case).

From the bash screen goto cd /

Cd /home/user/.ssh/

Cat id_rsa hit enter and copy the key and save it into notepad.

Cat id_rsa.pub and copy/save into a notepad as the public key.

clip_image007

After loading both keys, I was able to successfully login to the Server

clip_image008

clip_image009

clip_image010

Get a list of Azure VMS

az vm image list

clip_image011

Let’s List and deploy a WordPress on CentOS

To view the list of available CentOS images, we’ll use the following cli command

az vm image list -f CentOS –all

The image needs to be grabbed from dockerhub URL

cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type Linux –image cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008 –dns-name-label azmohlinux –ports 22

Create Windows Server core with IIS

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type windows –image mcr.microsoft.com/windoervercore/centos –dns-name-label azmohlinux –ports 22ws/servercore/iis:nanoserver –dns-name-label azmohiis –ports 80

clip_image012

Here we go I got a machine ready (took about 5 mins)

clip_image013

azmohiis.westeurope.azurecontainer.io

To delete the container, you can write the following

az container delete –resource-group mohazbackupgroup –name mohcontainer

clip_image014

clip_image015

Stay tuned for more articles about Azure.

Microsoft exposes a security issue that affects millions of Windows 10 computers, RDP and DHCP on win2008R2

Windows 10 Crypto API Spoofing

Microsoft has released a new security patch for a vulnerability that could affect millions of Windows 10 Users world wide.

A decades old API

The decades old CryptoAPI tool validates and signs packages/software which could be utilized by hackers/developers to sign and execute illegitimate software thus would allow users to run anything without user’s nor Antivirus/Internet Security software’s notice.

Microsoft mentioned that the vulnerability could also allow hackers to change or modify encrypted communications.

It’s important to mention that CryptoAPI is a legacy API that’s being replaced by a new CNG (Cryptography Next Generation API) which also supports CryptoAPI.

CryptoAPI Key Storage Architecture

cryptoapi architecture

Download Patch

Direct Download

https://www.catalog.update.microsoft.com/Search.aspx?q=KB4528760

CVE

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2020-0601

Windows 2008 R2, Windows 7 RDP

A day ago Microsoft released two very important security patches on May 14, 2019.

One of these patches has been detected in the RDP service (CVE-2019-0708) which affects Windows 7 and Windows 2008 R2.

According to MS’s Article a remote code execution vulnerability exists in Remote Desktop Services – formerly known as Terminal Services – when an unauthenticated attacker connects to the target system using RDP and sends specially crafted requests.

No Authentication or Interaction needed

This vulnerability is pre-authentication and requires no user interaction. An attacker who successfully exploited this vulnerability could execute arbitrary code on the target system.

An attacker could then install programs; view, change, or delete data; or create new accounts with full user rights.

When look at CVE-2019-0708, which is related to the RDP service, we see that attackers are able to run code on systems by sending specially produced packages without any user interaction and authentication and manage to install malware like Ransomware or other execution files.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0708

Windows 2008R2, 2012R2, 2016 and 2019 DHCP

The other one is in the DHCP service (CVE-2019-0725), and both vulnerabilities are very critical.

A memory corruption vulnerability exists in the Windows Server DHCP service when processing specially crafted packets. An attacker who successfully exploited the vulnerability could run arbitrary code on the DHCP server.

Download Patch

https://portal.msrc.microsoft.com/en-US/security-guidance/advisory/CVE-2019-0725

Sources:

Microsoft, NSA, Other Security Researchers

Freely Monitoring your Servers with Google Chat App Notifications

Monitoring:

Monitoring is considered one of the most important process in today’s world of Technology. Most Datacenters have their private monitoring systems with automation tools that would trigger failover, or Disaster Recovery in case of downtime being noticed and this is extremely costly operation.

What to Monitor?

CPU Usage, Memory Consumption, I/O, Network, Disk Usage, Process etc. Server Monitoring also helps in capacity planning by understanding the server’s system resource usage.

Other services can be monitored like Web Servers, FTP, Mail Servers or anything else if it’s publicly accessible.

Using UPTimeRobot Monitoring

image

Uptime Robot Monitoring is a free-commercial service that has rich monitoring features where you can monitor your services/servers on 1 minute interval and get alerted by Email, SMS, Phone Apps e.g. (Telegram, Google Chat, or Skype).

The Free version

In the free version Monitoring you can add services based on ports and protocols or Servers. This might look limited to some but since it’s free of charge it can be very useful for small or startup companies with couple of servers.

– Limited up to 50 Monitors.

– No SMS.

– Check interval is 5 mins.

– Logs are not kept

The Commercial Version:

image

In the commercial version you pay a small fee of 4.5$ a month, an you’d get the following:

– Up to 50 Monitors.

– 20 SMS.

– Check interval is 1 mins.

– Logs are kept for 2 years.

Adding a Server to Monitor:

After you create an account on UpTimeRobot.com you can easy add a site or a service to monitor right away and the monitoring will initiate after 5 minutes then it’ll report if the service,server you added is up or down.

Click on + Add New Monitor

image

Next add the website, In my case i’ll add my own website and see how it works and then choose Google Chat (Since I already have the integration on).

image

Once ready, click on create monitor

That should add the website directly into the List of monitored services:

image

If you click on the Monitor, you’ll get the stat figure of how long has your website been on/off

image

After waiting roughly 35 mins, I can see now that my website is up and running without any problem. The monitoring probe counts by milliseconds so you’ll be able to see if there’s any interruption in the connection to your website/server.

image

Integration with Google Chat

Requirements:

  • Google Suit.
  • Google Admin Account
  • Create a Google Chat Room
  • Configure WebHooks

The integration between Google chat and UpTimeRobot requires Google G Suits account

I will login to my G account with admin user

image

image

Next go to Chat admin console

Login with your admin account to google admin Console and then go to this link

https://chat.google.com/u/1/

image

Create a room, Call it UpTimeRobot

image

image

Once Created, Click on the … dots next to Now

image

Now Configure WebHooks

image

Call this UpTimeRobotContact and save

image

This should create a URL for you, Something that looks like this! This

https://chat.googleapis.com/v1/spaces/AAAAcUvSsqs/messages?key=AIzaSyDdI0hCZtE6vySjMm-WEfRq3CPzqKqqsHI&token=qSlBYydgUj2mqqC8o_DIDY_RqcMaiI%3D

image

Adding Members (To get notifications)

On the right side Add People and Bots

image

Add a user to receive notifications once any server or service is down.

image

Once you add a user, you’ll notice that the admin user’s notification below saying he/she added a user to the Room.

image

Uptime Robot Configuration:

In order for this to work we’ll have to finish the work on the UpTimeRobot portal

Inside Uptime Robot, create a new alert contact in My Settings>Alert Contacts>Add new>Google Hangouts Chat using the previously created Hangouts Chat web-hook URL.

image

image

image

When we choose the Google Hangouts Chat, We will have to give the following:

  • Friendly name for the monitor.
  • Provide the webhook URL which was created previously.
  • You can add a custom message to identify something related to the monitoring.
  • Enable notifications for, You can choose to get notifications only when the site/service is up or down or both.

image

image

After adding this, You need to download one or two apps to get alerts to your Cell Phone:

  • Google Chat
  • UPtime Robot

image

What do Alerts Look like?

As soon as your system goes down, Google Chat will sends you a push notification to your phone, if you’re using UpTime Robot and you’re logged in to the account then you’ll get another identical notification at the same time indicating your system’s status if it goes down or back up.

image

Like this you can add up to 50 monitors including all kinds of services, ports, protocols.

The notification also comes with an interesting tone so you could easily tell if the sound is for “System Down” or “System is up” kind of state.

This has personally helped me keep my system up 24/7 and interfere whenever there’s any downtime noticed.

I hope this article helps and in case you have any question please leave a comment or get in touch with me info@moh10ly.com

References:

https://blog.uptimerobot.com/new-feature-google-hangouts-chat-notifications/

https://chat.google.com/u/1/

Error After Migrating ADFS from 2012R2 to 2016

The Story:

You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.

This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.

I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.

Symptoms

On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

At line:1 char:1

clip_image001

Trying to update the database from 1 to 2,3 will also fail with the following error:

Invoke-AdfsFarmBehaviorLevelRaise

image

Error:

Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.

Troubleshooting:

If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String

On ADFS Server

Open Windows PowerShell

  1. Enter the following:
    $adfs = gwmi -Namespace root/ADFS -Class SecurityTokenService

    and hit Enter

  2. Enter the following:
    $adfs.ConfigurationDatabaseConnectionString

    and hit enter.

  3. You should see the connect string information.

image

Go to Service Console and stop ADFS Service or from Powershell type Net stop adfssrv

Run SQL Server 2017 Database Engine Tuning Advisor as an administrator

clip_image001[4]

Use the Server name as this

\\.\pipe\MICROSOFT##WID\tsql\query

As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.

image

After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.

clip_image001[6]

After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?

Solution

Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).

So the steps to fix this issue is

  • Taking a VM Snapshot/Checkpoint/Backup.
  • Download Microsoft SQL Server Management Studio from this link https://go.microsoft.com/fwlink/?linkid=864329
  • Install Microsoft SQL Server Management Studio on ADFS Server
  • Run MS SQL Server Management Studio as Administrator
  • In the Server Name type :

\\.\pipe\MICROSOFT##WID\tsql\query

Leave the Authentication as it is and logon.

image

  • From the SQL Object Explorer right click and Delete the AdfsConfigurationV3 and leave AdfsConfiguration Database only.

image

  • After deleting the Database, Start ADFS Service to make sure that it can load the old database without an issue.
  • Then run the cmdlet Invoke-AdfsFarmBehaviorLevelRaise and Accept by typing Y and Enter.

image

This might take about 5 minutes to finish.

image

When this process is done, You should see the following message indicating the success of the Database Upgrade.

image

To double check, We will run the cmdlet Get-AdfsFarmInformation

image

Updating Certificate

After this success, I am going to run the cmdlet below to replace the current certificate with the new one

Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff

And here we go. It works perfectly fine

image

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

SoftEther – Fixing connecting to localhost 5555

SoftEther VPN Server Manager Connection Issue:

I have used SoftEther VPN for a long time to connect securely to my cloud server for almost 2 years without any single issue and I am using my Laptop, iPad, Phone and everything without an issue.

But one day I tried to connect to the connection settings and I got this error

Softether VPN Connection Error

Connection to the server failed. Check network connection and make sure that address and port number of destination server are correct.

clip_image001

Attempts to solve the issue

I have tried couple of things that came to my mind maybe that would solve the issue.

  1. Uninstall and Reinstall Softether VPN.
  2. Uninstall and Restart
  3. Tried to create a new connection with different ports.
  4. Disabling Microsoft Firewall.

clip_image002

All of these attempts lead to failure and none worked eventually. So I started searching for a different solution and checked the configuration file of the Softether VPN server which is located in

File Location and Configuration

C:\Program Files\SoftEther VPN Server

You can open the file in Notepad and start looking for the default port 5555 which is how you could normally connect to the connection settings.

Solution:

The solution is in the configuration changes, but in order to change/amend the config file you need to take a backup and make sure you stop the service before doing so.

clip_image003

Go to the configuration file location C:\Program Files\SoftEther VPN Server

clip_image004

Right click and open this file with Notepad

clip_image005

Search for uint Port 5555

On top of that, you’ll see bool Enabled false

clip_image006

Change that to Bool Enabled True

Save the file and start the service

clip_image007

Try to connect again

clip_image008

Now it works and will ask you for the old password which you had set previously

clip_image009

If you cannot remember the password, you can also find that in open text (Of course it is a vulnerability) then take it from there.

clip_image010

That’s it. You should be able to access your server settings now

Setting up SoftEther VPN with Most Secure Settings:

Why VPN?

Before reading this article or going through it maybe you want to know why you’re supposed to use VPN wherever you go ?

If you use one of the following on your computer/Phone/Tablet then you must use VPN

  • Online Banking?
  • Paying Bills?
  • Purchasing online Services?
  • Checking Private Emails?
  • Connecting to work Email?

The list goes on and on and won’t probably end with only those, But the most important thing to acknowledge that nowadays there is absolutely nothing safe on the Internet World. Your data could be exposed, hacked at anytime anywhere and esp if you go to public Internet places e.g. (Starbucks, University, Your Friend’s home even).

So what is SoftEther VPN Server/Client?

As introduced by Softether itself, SoftEther VPN (“SoftEther” means “Software Ethernet”) is one of the world’s most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge.

clip_image001

Clients

SoftEther VPN is an optimum alternative to OpenVPN and Microsoft’s VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function.

Use:

SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN’s L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN’s L2TP VPN Server has strong compatible with Windows, Mac, iOS and Android.

Download

Download the Windows Server version of Softether from the following Page:

https://www.softether-download.com/en.aspx?product=softether

Installation Requirements:

  • Windows Server/Windows 10
  • 4GB RAM
  • 100 GB Disk
  • 2 VCPU

These resources are estimated and not calculated, It’s only in case of small amount of users (Max 100 User). If you’re going to use more than that you’ll have to check depending on how many concurrent connections are there going to be.

Installation Steps:

As soon as you start Softether VPN – Create new Connection and set the password for the Administrator

clip_image002

clip_image003

Configure Softether as Remote Access VPN Server

I am going to setup new Remote Access VPN Server:

clip_image004

clip_image005

This will create a new Virtual Hub, Give it whatever name you want.

clip_image006

If you have no Static Public IP address

Set a dynamic DNS function name, This is useful in case the IP you have keeps changing like in the case of ADSL connections at home ..etc

clip_image007

VPN Type:

In the IPSEC/L2TP/EtherIP /L2TPv3 Server settings, you’ll need to choose the most secure VPN connection to allow your users to safely and securely browse the internet. This needs L2TP server function to be enabled along with setting the Ipsec Pre-Shared key to provide the most secure VPN connectivity.

clip_image008

AZURE Settings:

If you don’t have access to Firewall to configure NAT, or configure your firewall access to the Softthere VPN Server you must enable this feature (VPN Azure Cloud VPN Service (Free) by the Japanese University of Subuka.

clip_image009

We have set the Azure hostname previously already so no need to change it unless you wanna use something else.

clip_image010

Creating Users

clip_image011

I will create a user, assign it to my admins group, then Create a Certificate for this user to login to make sure I have the maximum security and authentication methods offered.

Creating Certificate

Since I already have created the root certificate, I Am going to create a client certificate for this particular user from the root certificate.

clip_image012

clip_image013

Finally user is created

clip_image014

Choosing the right connection to set as Local Bridge

I need to make sure to choose the NIC which reflects my internet outbound NIC in order to connect properly (In my case it’s going to be Ethernet 2)

clip_image015

clip_image016

clip_image017

Using the most secure Encryption Algorithm for our connection

By default Softether uses AES128-SHA, while this is considered secured and used by most common VPN service providers it’s always better to use something that’s level or more secure. So we are going to change the default changes to AES256-GCM-SHA384

To change those settings, Navigate to the main menu of Softether VPN Server Manager and click on “Encryption and Network”

clip_image018

Change the “Encryption Algorithm Name:” to AES256-GCM-SHA384

AES256-GCM-SHA384 is based on the cipher suite TLSv 1.3 which is considered the most recent and secure cipher suite that’s being used right now.

Default Setting:

clip_image019

Change to

clip_image020

Client Configuration:

  • In the setting name: we are going to enter a random name.
  • The hostname: will be the name which we created previously for Dynamic IP cases. This will be useful to remember even If you have a static Public IP address.
  • User Authentication Setting: We will be using the certificate which I created before (I copied this cert to my client computer where I am going to connect via the VPN client manager).
  • Virtual Hub Name: Here you’ll need to copy the exact name of the Virtual Hub name which you have created on the server side.

clip_image021

clip_image022

Connectivity Test:

After settings everything, I am going to try and connect with my user using Certificate and the Password I set.

clip_image023

Ref:

https://www.softether.org/

https://wiki.mozilla.org/Security/Server_Side_TLS

https://www.softether.org/4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.3_VPN_Server_Administration#3.3.6_Listener_Ports

https://www.iplocation.net/encryption

kms Server Deployment step by step Guide

So What is KMS ?

KMS stands for the abbreviation (Key Management Service) in which enterprises and big companies manage their Software, End user and Servers licenses keys through a single server (Called KMS) which automates the whole process of activation and eliminates the need for an individual or admin interfering to activate them.

Prerequisites for KMS Host:

In order to use KMS, You will need to install Server version of Microsoft Windows. This server can be installed on a Virtual machine or physical one. But still there are requirements to activate other machines.

  • Server needs to be joined to Domain to activate other machines/products.
  • VLSC (Volume License Service Center) Host Key (Can only be acquired through the VLSC portal.
  • If you’re going to activate any Office products (Office 2016/ Office 2019) then you’ll need to download the Office Volume License Pack for those products from the links attached.
  • Run the License Pack you downloaded and enter the Office Key to activate it.

After deploying Windows 2016/2019 Server you can install the role from Server manager or from PowerShell

KMS Installation

Launch powershell in Admin mode and run the following CMDLET

Install-WindowsFeature -Name VolumeActivation

image

image

Continue to the next window and add the required Features

image

The next window will let give you some information about the automation of the license activation for MS products and how KMS works.

image

There are two options of how activating licenses, One is through using a service or the other through joining server/computer to Active Directory KMS will auto activate products if their relevant KMS licenses are entered in the KMS Host server.

image

Install your Windows 2016/2019 KMS Host Server key to create AD Object for KMS

image

Choose your activation Method in order to activate the KMS server

image

If activation continues successfully you’ll be able to see KMS telling you that continuing will create an AD object . Click Yes to continue

image

We’ll wait until this finishes

image

When this works, The next window will give you a warning that Clicking Next will delete the current activation Object which is the AD object that has been previously created. Click Close since we want to keep that.

image

KMS Host Activation

To view the activation of your KMS Host, You can open CMD on the KMS Server and type

slmg.vbs –dlv

As you can see below, it’ll show summary information about the license you entered and other related info.

image

To make sure your installation has went successfully, you can launch ADSI Editor and see if the AD object has been created or not.

From CMD or Powershell type adsiedit.msc

Navigate to Configuration>Services> Microsoft SPP> You should see the Activation Objects there.

image

Activating Office 2016 / 2019

As we mentioned previously to activate office 2016 or Office 2019 you will need to download the Office License pack from the links attached previously.

– Office 2016 License Package link https://www.microsoft.com/download/details.aspx?id=49164

– Office 2019 License Package Link https://www.microsoft.com/en-us/downloads/details.aspx?id=57342

NOTE:

You should not launch Volume License Manager when activating Office products or when trying to enter a KMS License key for Office products, Instead when executing the Office Package it will launch it for you and all you have to do is Enter the Office license key and restart Microsoft Windows Client to get Office activated.

image

Verifying KMS is Working:

To check if KMS is working on the end user’s side we need to get our hands on one of those clients, restart the user’s PC and then launch one of Office apps and see if it’s activated or not. The condition for the End user is that they need to be domain joined to acquire a license from KMS server.

It gets activated right after a restart!

image

Reference

https://docs.microsoft.com/en-us/deployoffice/vlactivation/configure-a-kms-host-computer-for-office

https://docs.microsoft.com/en-us/deployoffice/vlactivation/activate-office-by-using-active-directory

Use Group Based Licensing to Active Office 365 Users

The Story

I got a request to place users into Security Groups for management purposes, The client have already users active but many of those users have left the work place and still have E3 or E1 Licenses which they should not have since this is pricey licenses and backing up users details is the easiest and most cost effective way of handling this.

So, To start (Prerequisites):

The Group based licensing management is a new feature, Was introduced in 2019 and not many people know that it is there however, This feature doesn’t come for free as you know (Since it’s Microsoft) and you must have a license for it or at least have users with E3 licensing model. So the requirements are:

  • – Azure AD Premium P1 or Higher
  • – Office 365 E3 or Higher.
  • – EMS or Higher.

How does it work?

In order for you to get this to work  you need to make sure you have planned from where you want to manage those groups and their licenses, Online? Or On-Premises?

IF Online

If you’re going to do this online, then you need to create a group for each Licensing Model which represents the intended License and its users e.g. Office365-E1 is going to be created as a security group and dedicated to E1 License users.

Office365-E3 will also be created the same way and users of License type E3 will be added to it.

If On-Premises

If you’re going to manage those groups on-premises, Then you must have ADConnect (Azure AD Sync) tool to sync those groups after creating them.

In my case I have created those groups in the following manner:

image

After creating those groups, You will need to sync them to Office 365 using ADConnect. To force this to sync immediately fire up Powershell on Azure Connect Server and type

Start-ADSyncSyncCycle -PolicyType delta

image

image

What If I have users already assigned with License?

If you have users already assigned licenses and want to manage them using Group Based licensing then you’re going to have to get a list of all your users with their Licenses information into a CSV file and Import those users to the groups you created base on the license they have.

I created a PowerShell that would match user’s names and based on the license mentioned in the CSV file would add them to the relevant group but first you need to export Users from Office 365.

Export Users and their license from Office 365

First of all we’ll connect to Office 365 MSOL Service using Online Powershell

image

Get-MsolUser -All |Where {$_.IsLicensed -eq $true } |Select DisplayName,UsageLocation,@{n=”Licenses Type”;e={$_.Licenses.AccountSKUid}},SignInName,UserPrincipalName,@{n=”ProxyAddresses”;e={$_.ProxyAddresses}}| Export-csv -Path C:ExportlicenseUsage.csv -notype

image

So this is how my CSV look right after I exported the users, We need to do some tuning on this CSV file to clean it and get it ready for our PowerShell.

image

There are total of 6 columns in this folder, If for whatever reason you wanted to use the ProxyAddress to distinguish users feel free to keep them in the script but in my case I didn’t need them so I deleted the entire column.

So I will keep the following (Remove Spacing between License Type)

  • DisplayName
  • UsageLocation
  • LicenseType
  • SignInName
  • UserPrincipalName

The Value of the License Type is usually formatted like this “TenantName: License” and in order to make this column useful I am going to remove the Tenant name from all the cells.

Find and Replace can easily remove and clean these values for you.

image

After cleaning the column, this is how it looks

image

This should be useful for us now along with the PowerShell to add the users to their relevant groups.

On Active Directory from an elevated PowerShell

Run PowerShell ISE  from a privileged account and copy + paste this script in ISE,

$ImportedUsers = Import-csv “C:\Users\AD\Desktop\ExportlicenseUsage.csv”

Foreach ($ImportedUser in $ImportedUsers){
$License = $ImportedUser.LicensesType
$E3 = “E3-Office365”
$E1 = “E1-Office365”
$EMS = “EMS-Office365”
$Sam = $ImportedUser.SamAccountName
$ImportedUPN = $ImportedUser.UserPrincipalName

$AllUsers = Get-ADUser -Filter * -Properties *
Foreach ($User in $AllUsers)
{
$UPN = $User.UserPrincipalName

if($user.UserPrincipalName -eq $ImportedUPN -and $License -match “EMS”)
{
Add-ADGroupMember -Identity $EMS -Members $Sam
Write-Host $($UPN) “User has EMS License and has been added to the Group EMS” -ForegroundColor DarkGreen -BackgroundColor White
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains “STANDARDPACK”)
{
Add-ADGroupMember -Identity $E1 -Members $Sam
Write-Host $($UPN) “User has E1 License and has been added to the Group E1” -ForegroundColor black -BackgroundColor green
}
ElseIf ($user.UserPrincipalName -eq $ImportedUPN -and $License -Contains “ENTERPRISEPACK”)
{
Add-ADGroupMember -Identity $E3 -Members $Sam
Write-Host $($UPN) “User has E3 License and has been added to the Group E3” -ForegroundColor Blue -BackgroundColor White
}
}
}

image

Enabling Group Based License from Azure Portal

After this script finishes, I can open Azure Portal

From Azure Active Directory > Licenses > All Products

image   image    image

I will choose the license which I want to assign to a group of which I have created on my on-premises AD

image

Click on the License (Office 365 E1)  and choose Assign from top menu

image

Make sure you select assignment options and customize the license according to the products you want your group members to use then click on Users and Groups and select the relevant Group which you’ve created (In my case it’s E1-Office365)

image

Here, The group has been assigned

image

Click assign and you should be done

image

We will do the same for E3 Users

image

image

NOTE

From now on, Removing any user from this group will revoke their license and any service connected to it, You must be very careful when removing users from this group.

Microsoft has done great job covering this thoroughly and in a great detail including Scripts to be able to do many things like grabbing users who have an inherited license from a group or manually assigned. I am writing down the references if you’re more curious into these.

References:

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-groups-assign

https://docs.microsoft.com/en-us/azure/active-directory/users-groups-roles/licensing-ps-examples

Upgrade FRS (File Replication Service) to DFSR (Distributed File System Replication) Guide through

Upgrade FRS to DFSR:

You might be searching on how to do this due to many reasons, Migrating your DCs to Windows 2016 or Windows 2019, The steps to do this type of migration is pretty easy and straightforward.

First Let’s explain a bit about what does FRS and DFSR do and what is the difference?

Windows Server 2003 and 2003 R2 uses File Replication Service (FRS) to replicate SYSVOL folder content to other domain controllers.

SYSVOL is a folder shared by domain controller to hold its logon scripts, group policies and other items related to AD.

All the domain controllers in the network will replicate the content of SYSVOL folder. The default path for SYSVOL folder is %SystemRoot%\SYSVOL. This folder path can be defined when you install the active directory.

How does DFS Works?

In Windows server 2008 and later Active Directory uses Distributed File System (DFS) for the replication.  DFS Replication uses a compression algorithm known as remote differential compression (RDC). RDC detects changes to the data in a file and enables DFS Replication to replicate only the changed file blocks instead of the entire file.

Although FRS has been deprecated Since Windows server 2008 most people still looking to migrate to latest version.

Migration Starts Here

In this guide, I am going to explain how to do this kind of migration step by step.

I am going to run the migration on Windows 2008 R2 Servers. however the process is exactly the same on Windows 2012 R2.

To start, I need to check the service console to see which services are running the replication. From run type services.msc and enter

As you can see there, File Replication Service is running

clip_image001

In the same manner DFS service is also started and functioning, But that doesn’t mean that RFS is not being used.

clip_image002

Health Check

Before starting any migration, I prefer to do a check on Eventviewer just to make sure nothing critical is being reported. In the same way I would like to see if there any warning being reported.
Below you can see errors are being reported from File Replication Service by the Domain Controller SRV01, So the time is convenient to start this kind of migration as this would fix the errors being reported.

clip_image003

Prerequirements:

The first part of the process for migrating SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication is to raise the functional level of the domain to Windows Server 2008 and to set the global migration state to Prepared.

Make sure your Domain Function Level is raised to 2008 at least for this process to work.

Migration:

To start migration, Run Powershell as an administrator from the DC And type the following command to prepare DCs for the migration.

dfsrmig /getglobalstate

clip_image004

Preparing to migrate

dfsrmig /setglobalstate 1

When this is done, you might have to wait sometime (5 mins or less for small environments). When done waiting type dfsrmig /getglobalstate to verify that the global migration state is Prepared. The following output appears if the global migration state is Prepared.

clip_image005

clip_image006

You will be able to see an event ID 8014 showing you the success of this command.  Which means you can move to the next stage.

clip_image007

clip_image008

Migrate the domain to the Redirected state

From a command prompt or PowerShell window on a writeable domain controller (not a read-only domain controller) in the domain that you want to migrate, type dfsrmig /setglobalstate 2 to set the global migration state to Redirected.

clip_image009

2. Type dfsrmig /getglobalstate to verify that the global migration state is Redirected. The following output appears if the global migration state is Redirected.

clip_image010

After doing this, Checking event viewer you can see event ID 8017 showing you the current state, in my case it’s showing DFSR has successfully Migrated the DC to “Redirected” state. so it means we are good to go to the next step.

clip_image011

clip_image012

Migrating to the Eliminated State

Log on to a writeable domain controller (if you are not logged on already).

Open a command prompt window and then type dfsrmig /setglobalstate 3 to set the global migration state to Eliminated.

clip_image013

2. At a command prompt, type dfsrmig /getmigrationstate to verify that all the domain controllers are at the Redirected state. The following output appears when all domain controllers are at the Redirected state.

clip_image014

In the event viewer you can see the state of the DCs reporting that DC will now migrate to the “Eliminated” state. with event ID 8018

clip_image015

clip_image016

Once everything is finished, You will be able to confirm by two things, First on the Service console the File Replication Service should be disabled since it’s no longer going to be used.

clip_image017

Second thing is by using Command line or Powershel, Type Net Share an you can see the new Shares being published with new names “Sysvol_DFSR”.

clip_image018

Ref:

https://docs.microsoft.com/en-us/windows-server/storage/dfs-replication/migrate-sysvol-to-dfsr

https://docs.microsoft.com/en-us/windows/win32/win7appqual/file-replication-service–frs–is-deprecated-in-windows-server-2008-r2

How to Sync Cloud User to On-premises AD ?

The Story:

I have got this client who constantly keeps on making the mistake of create user from Cloud and provision them with a license in an Exchange Hybrid environment.

Although this is not difficult to fix but it’s not the recommended approach when creating a new user especially in a Hybrid environment since Exchange on-premises won’t recognize this user and most likely will consider any incoming emails from it as spoof or spam.

How to Create a Cloud user from Exchange On-premises?

From Exchange on-premises ECP Admin panel you have the option to directly create user on-cloud which will also create a user object on on-premises AD.

image

Second option – Using Powershell

It’s not that much different than the Web UI option but it’s just for people who prefer using PowerShell than GUI

Enable-RemoteMailbox –Identity User –RemoteRoutingAddress user@yourTenant.mail.onmicrosoft.com

The reason to follow those two methods is due to the need of Exchange on-premises being aware of each of those users so mail flow between Exchange on-premises and Online would not get affected and route this users mail to the wrong place or flag it as spammed or spoof …etc.

The Real Question now is: How to Sync Cloud User to On-premises AD ?

If by mistake we created a user on Cloud (Office 365) and we forgot to create an AD User for this account, that user might already have started using his account on Office 365 (Sharepoint, Exchange, Teams) etc.

There also might be the intention of moving users from Cloud to On-premises Exchange in case the company wanted to decrease their spending on cloud users and in this case when Migrating a cloud user to on-premises you will get the following errors:

image

test3@domain.com

Status: Failed

test3@domain.com Skipped item details

User status

Data migrated:

Migration rate:

Last successful sync date:

Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’. –> Cannot find a recipient that has mailbox GUID ‎’03c9764e-8b8e-4f33-94d1-ef098c4de656‎’.

So how do we overcome this situation since syncing a user might require you to delete the cloud user and recreate it on AD?

Solution:

To sync the user from the Cloud to on-premises you will need to follow these steps :

1- Create an on-premises Mailbox where the following attributes would be matching the cloud user

  • UserPrincipalname
  • ProxyAddresses
  • SamAccountName
  • Alias

2- The Location of the OU where the On-premises user is going to be created must be provisioned by ADConnect (Azure AD Connect)

You can look which of these OU are provisioned by Starting AD Connect Sync Manager

image

By verifying the user you created in the AD is in the right OU, You can now start AD Sync from PowerShell to speed up the process.

image

Below, You can see the user has been successfully synchronized to the cloud without any issue.

image

Now we’ll see it from the portal to confirm the user is synced with AD

image

Depending on the Source anchor being used in ADConnect there might be a GUID conflict or not, You will get an error similar to when trying to migrate the user in the beginning however you can solve this by replacing the cloud user’s GUID (ImmutableID) with the on-premises user which will force the user to merge with the On-prem user.

Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.

From CMD or Powershell you can use the following command to get the user’s ImmutableID (ObjectGUID) .

ldifde -f c:\Test.txt -d “cn=Test3,DC=Domain,DC=com”

image

Checking the notepad we just exported you can see the Immutable ID on AD for the User test3 is IkTni9mw7Ee4YefeGpz7IA==

image

To be able to see the user on Office 365, We need to logon to MSOL through Exchange Online powershell

Connect to Exchange Online’s powershell using your Online ECP.

image

Once you click on Configure this should download an executable file that will launch PowerShell Online which allows you to use the Modern Authentication (MFA) to use PowerShell safely.

image

Connect-Msoluser will connect you to Office 365 and you’ll be able to get the user’s properties and see if the Immutable ID is matching to the user’s GUID.

Once you’re connect you can use the following cmdlet to get the user’s properties.

Get-MsolUser -UserPrincipalName test3@domain.com |fl DisplayName,ImmutableID

image

You can see they are matching each other, In case there’s a conflict then you can simply set the online user’s Immutable ID to the on-premises user and that should solve the problem.

Ref:

https://support.microsoft.com/en-us/help/2956029/migrationpermanentexception-cannot-find-a-recipient-that-has-mailbox-g

https://docs.microsoft.com/en-us/exchange/hybrid-deployment/create-cloud-based-archive