If you have ever used the Prepare-MoveRequest script to migrate a user and forgot to use ADMT to rewrite the user's properties with the old attributes, you might have run ADMT again afterwards to rewrite the properties.
If you use ADMT, you need to exclude all Exchange attributes from the source, since they were already copied by the Prepare-MoveRequest script. In practice, though, people make mistakes, and you may have run into the same one my colleague made during one of these extremely complicated cross-forest migrations, where CSV files are prepared through PowerShell and the names do not match the SAM account names.
Don’t Panic
If you forgot to exclude the Exchange attributes while using ADMT, you most likely will not see the user in the target forest, which causes panic because it looks as if the user is gone. The user is not gone, so don't panic.
When you look for the user's mailbox in the target forest after the move request has completed, you get an error reporting that the user cannot be found.
Solution
To fix the problem you need to change the attributes only for this migrated user (in the target forest, after the user's mailbox move has completed).
We had a security lab on Azure with 12 machines. It included 2 DCs and 10 other machines with different operating systems, and RDP was closed on all the machines except one that we used to get in.
The password was set to something simple, but it seems that someone changed it and nobody was able to access the domain controller or any of the machines anymore.
I had another user created as a backup, but it seems that user's password was also changed.
The usual methods for resetting a password on an Azure VM are the portal or PowerShell.
Resetting Via Azure Portal
When you try to reset the password from the Azure virtual machine blade itself and the VM is a domain controller, the reset fails with the following error:
VM has reported a failure when processing extension ‘enablevmaccess’. Error message: “VMAccess Extension does not support Domain Controller.” More information on troubleshooting is available at https://aka.ms/vmextensionwindowstroubleshoot
Through PowerShell
To reset a password, we first need to define the VM we're working with, using the Get-AzureRmVM cmdlet. I'll assign variables to both the VM name and the resource group, since we'll need to reference them later as well.
Next, we need a way to pass the username and password into the script. A good way to do that is the Get-Credential cmdlet.
$credential = Get-Credential
Once the credential is saved, we can execute the command that actually makes the password change (Set-AzureRmVMAccessExtension, the same VMAccess extension the portal uses), using the variables we set earlier. Notice that we had to use the GetNetworkCredential() method on the PSCredential object to obtain the plaintext password. This method will not work if the credential was created on another computer or under another user account, but that shouldn't be a problem, since you will most likely execute all of this in a single script.
Once this completes (hopefully successfully), the VM needs to be rebooted, which we can do with the Restart-AzureRmVM cmdlet.
$vm | Restart-AzureRmVM
While this PowerShell approach works with a normal VM, it does not work with a DC and results in the same error as in the portal, because both go through the VMAccess extension.
Solution
The solution is to write a script that runs through the Custom Script Extension, which you can deploy from the Azure portal onto the VM that hosts the domain controller.
Once the script that changes the administrator password is ready, upload it and deploy it.
Let's get the script ready and go through the steps one by one.
– On my computer I write a tiny script containing a single line:
Net User domainadmin Adm!nPassw0rd1
– Save the file on your desktop for later use. Go to the Azure portal, Virtual Machines, and select your domain controller.
– Go to Extensions.
– Click Add.
– Select Custom Script Extension.
– Click Create.
– Browse to the PowerShell script on your desktop.
– Select a storage account.
– Select an existing container or create a new one.
– Upload the file to the container.
Result
Once deployed, it takes a few minutes to reset the password, and you don't have to restart the server. Keep in mind that the Custom Script Extension runs the script as SYSTEM on the DC, and that the uploaded script (with the plaintext password) stays in the storage container and in the extension's download folder on the VM until you delete it, so clean both up once access is restored.
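The same reset done from PowerShell instead of the portal, as an added example (not the original post's script): it writes the one-line reset script, uploads it, deploys the Custom Script Extension, and then removes the plaintext copies. The resource group, VM, storage account, container and account names are placeholders, and it assumes the AzureRM and Azure.Storage modules the post uses (the Az module has the same cmdlets with an Az prefix).

```powershell
# Added example (not the original post's script): reset a domain account's password on an
# Azure-hosted DC through the CustomScriptExtension from PowerShell. All names are placeholders.
$ResourceGroup  = 'rg-seclab'
$VmName         = 'DC01'
$StorageAccount = 'seclabscripts'
$Container      = 'scripts'
$AccountName    = 'domainadmin'
$BlobName       = 'Reset-DomainAdmin.ps1'

# Read the new password interactively so it never lands in shell history.
$Secure = Read-Host -Prompt "New password for $AccountName" -AsSecureString
$Plain  = (New-Object pscredential $AccountName, $Secure).GetNetworkCredential().Password

# The script the extension will run as SYSTEM on the DC. On a DC, 'net user' operates on the
# domain database, so this resets the domain account. Avoid double quotes in the password.
$ScriptPath = Join-Path $env:TEMP $BlobName
@"
net user $AccountName "$Plain"
if (`$LASTEXITCODE -ne 0) { throw "net user failed with exit code `$LASTEXITCODE" }
"@ | Set-Content -Path $ScriptPath -Encoding ASCII

# Upload it to the container the extension will pull from.
$Storage = Get-AzureRmStorageAccount -ResourceGroupName $ResourceGroup -Name $StorageAccount
$Key     = (Get-AzureRmStorageAccountKey -ResourceGroupName $ResourceGroup -Name $StorageAccount)[0].Value
Set-AzureStorageBlobContent -File $ScriptPath -Container $Container -Blob $BlobName `
    -Context $Storage.Context -Force | Out-Null

# Deploy the extension: it downloads the blob and runs it with SYSTEM privileges, no reboot needed.
$Vm = Get-AzureRmVM -ResourceGroupName $ResourceGroup -Name $VmName
Set-AzureRmVMCustomScriptExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name 'ResetDomainAdmin' -Location $Vm.Location `
    -StorageAccountName $StorageAccount -StorageAccountKey $Key `
    -ContainerName $Container -FileName $BlobName -Run $BlobName `
    -TypeHandlerVersion '1.9' | Out-Null

# Check what the extension reported, then remove every plaintext copy we control.
(Get-AzureRmVMExtension -ResourceGroupName $ResourceGroup -VMName $VmName `
    -Name 'ResetDomainAdmin' -Status).Statuses | Select-Object Code, DisplayStatus, Message
Remove-AzureStorageBlob -Container $Container -Blob $BlobName -Context $Storage.Context -Force
Remove-Item $ScriptPath -Force
Remove-Variable Plain, Secure
```

Note the security implication: anyone who can deploy an extension on the DC (for example the Virtual Machine Contributor role on that VM or resource group) can reset Domain Admin passwords this way, so those Azure roles are effectively Domain Admin and should be guarded accordingly.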
After this I was able to access the machine again using the new password from the script.
You might be looking for how to do this for many reasons, for example migrating your DCs to Windows Server 2016 or 2019. Windows Server 2019 domain controllers no longer support FRS at all, so the migration is mandatory before promoting one. The steps for this type of migration are fairly easy and straightforward.
First, let's explain what FRS and DFSR do and what the difference is.
Windows Server 2000, 2003 and 2003 R2 domain controllers use the File Replication Service (FRS) to replicate SYSVOL folder content to the other domain controllers.
SYSVOL is a folder shared by every domain controller that holds logon scripts, Group Policy templates and other items related to AD.
All the domain controllers in the domain replicate the content of the SYSVOL folder. The default path for the SYSVOL folder is %SystemRoot%\SYSVOL; this path can be chosen when you install Active Directory.
How does DFSR work?
From Windows Server 2008 on, a domain at the Windows Server 2008 functional level can use DFS Replication (DFSR) for SYSVOL. DFSR uses a compression algorithm known as remote differential compression (RDC), which detects changes to the data in a file and lets DFSR replicate only the changed blocks instead of the entire file.
Although FRS has been deprecated since Windows Server 2008, domains that were upgraded from older versions still use it for SYSVOL, so many people still need to migrate to the newer mechanism.
Migration Starts Here
In this guide, I am going to explain how to do this kind of migration step by step.
I am going to run the migration on Windows Server 2008 R2 servers; the process is exactly the same on Windows Server 2012 R2.
To start, I check the Services console to see which service is replicating SYSVOL. From Run, type services.msc and press Enter.
As you can see there, File Replication Service is running.
The DFS Replication service is also started and functioning, but that does not mean FRS is not still the one replicating SYSVOL.
Health Check
Before starting any migration, I prefer to check Event Viewer to make sure nothing critical is being reported, and to see whether any warnings are being reported.
Below you can see errors being reported by the File Replication Service on domain controller SRV01, so this is a convenient time to start the migration, as it will make these errors go away.
Prerequisites:
The first part of the process for migrating SYSVOL replication from File Replication Service (FRS) to Distributed File System (DFS) Replication is to raise the domain functional level to Windows Server 2008 and to set the global migration state to Prepared.
Make sure your domain functional level is at least Windows Server 2008 for this process to work.
Migration:
To start the migration, run PowerShell as an administrator on a writable DC (the PDC emulator is the usual choice) and type the following command to check the current global migration state:
dfsrmig /getglobalstate
Preparing to migrate
dfsrmig /setglobalstate 1
When this is done, you might have to wait some time (5 minutes or less in a small environment). Then type dfsrmig /getglobalstate to verify that the global migration state is Prepared; the following output appears when it is.
Event ID 8014 in the DFS Replication log shows the success of this stage, which means you can move on to the next one.
Migrate the domain to the Redirected state
1. From a command prompt or PowerShell window on a writable domain controller (not a read-only domain controller) in the domain that you want to migrate, type dfsrmig /setglobalstate 2 to set the global migration state to Redirected.
2. Type dfsrmig /getglobalstate to verify that the global migration state is Redirected. The following output appears if the global migration state is Redirected.
After doing this, check Event Viewer: event ID 8017 shows the current state. In my case it reports that DFSR has successfully migrated the DC to the Redirected state, so we are good to go to the next step.
Migrating to the Eliminated State
1. Log on to a writable domain controller (if you are not logged on already).
2. Open a command prompt window and type dfsrmig /setglobalstate 3 to set the global migration state to Eliminated. This step cannot be rolled back, so make sure every DC reached Redirected cleanly first.
3. At a command prompt, type dfsrmig /getmigrationstate to verify that all the domain controllers have reached the Eliminated state. The following output appears when all domain controllers are at the Eliminated state.
In Event Viewer you can see the state of the DCs reporting that the DC will now migrate to the Eliminated state, with event ID 8018.
Once everything is finished, you can confirm it in two ways. First, in the Services console the File Replication Service should be stopped and disabled, since it is no longer used.
Second, from a command prompt or PowerShell type net share: the SYSVOL and NETLOGON shares now point at paths under the new SYSVOL_DFSR folder instead of the old SYSVOL folder.
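The whole procedure above driven from PowerShell, as an added example that is not part of the original guide: it checks the functional level, walks through the three dfsrmig states while waiting for every DC to reach each one, and runs the same verification the guide describes. It assumes PowerShell 3 or later with the ActiveDirectory module, run elevated on a writable DC; the `-match 'migrated successfully'` check relies on the wording of the dfsrmig /getmigrationstate output.

```powershell
# Added example (not part of the original guide): drive the FRS -> DFSR SYSVOL migration stages
# from PowerShell and wait for all DCs to reach each state before moving on.
Import-Module ActiveDirectory

# Prerequisite: dfsrmig needs the domain functional level at Windows Server 2008 or higher.
$Domain = Get-ADDomain
if ($Domain.DomainMode -lt [Microsoft.ActiveDirectory.Management.ADDomainMode]::Windows2008Domain) {
    throw "Domain functional level is $($Domain.DomainMode); raise it to Windows2008Domain or higher first."
}

function Wait-DfsrMigrationState {
    param([int]$State, [int]$TimeoutMinutes = 30)
    $Names = @{ 0 = 'Start'; 1 = 'Prepared'; 2 = 'Redirected'; 3 = 'Eliminated' }
    $Deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        # /getmigrationstate reports whether every DC has reached the global state yet.
        $Output = (& dfsrmig /getmigrationstate) -join "`n"
        if ($Output -match 'migrated successfully') { return $Output }
        Write-Host "Waiting for all DCs to reach '$($Names[$State])'..."
        Start-Sleep -Seconds 30
    } while ((Get-Date) -lt $Deadline)
    throw "Timed out waiting for state '$($Names[$State])'. Last output:`n$Output"
}

function Set-DfsrGlobalState {
    param([int]$State)
    & dfsrmig /setglobalstate $State | Out-Null
    # Push the change to every DC instead of waiting for the scheduled replication interval.
    & repadmin /syncall /AdeP | Out-Null
    Wait-DfsrMigrationState -State $State
}

dfsrmig /getglobalstate
Set-DfsrGlobalState -State 1   # Prepared: SYSVOL_DFSR is created and seeded while FRS keeps running
Set-DfsrGlobalState -State 2   # Redirected: the SYSVOL share now points at SYSVOL_DFSR
Set-DfsrGlobalState -State 3   # Eliminated: FRS stops replicating SYSVOL; this cannot be rolled back

# Verification: FRS stopped and disabled, shares under SYSVOL_DFSR, and the stage events present.
Get-Service NtFrs | Select-Object Name, Status, StartType
Get-SmbShare | Where-Object { $_.Name -in 'SYSVOL', 'NETLOGON' } | Select-Object Name, Path
Get-WinEvent -LogName 'DFS Replication' -MaxEvents 200 |
    Where-Object { $_.Id -in 8014, 8017, 8018 } | Select-Object TimeCreated, Id, Message
```

On Windows Server 2008 R2, where Get-SmbShare is not available, use net share for the last check as the guide does; the important thing is that the SYSVOL share path ends in SYSVOL_DFSR\sysvol.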
I have a client who constantly makes the mistake of creating users in the cloud and provisioning them with a license in an Exchange hybrid environment.
Although this is not difficult to fix, it is not the recommended way to create a new user, especially in a hybrid environment, since Exchange on-premises will not recognise this user and will most likely treat incoming email from it as spoofed or spam.
How to create a cloud user from Exchange on-premises?
From the Exchange on-premises ECP admin panel you have the option to create an Office 365 mailbox directly, which also creates the user object in on-premises AD.
Second option: using PowerShell (New-RemoteMailbox in the Exchange Management Shell)
It is not much different from the web UI option; it is just for people who prefer PowerShell to the GUI.
The reason to use one of those two methods is that Exchange on-premises needs to be aware of each of those users, so that mail flow between Exchange on-premises and Exchange Online is not affected by routing a user's mail to the wrong place or flagging it as spam or spoofed.
The real question now is: how do you sync a cloud user to on-premises AD?
If by mistake we created a user in the cloud (Office 365) and forgot to create an AD user for this account, that user might already have started using the account in Office 365 (SharePoint, Exchange, Teams and so on).
There might also be an intention to move users from the cloud back to on-premises Exchange, for example when the company wants to reduce spending on cloud licences. In that case, when migrating a cloud user to on-premises you get the following error:
Error: MigrationPermanentException: Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'. --> Cannot find a recipient that has mailbox GUID '03c9764e-8b8e-4f33-94d1-ef098c4de656'.
So how do we overcome this, given that syncing a user might seem to require deleting the cloud user and recreating it in AD?
Solution:
To sync the user from the cloud to on-premises you need to follow these steps:
1- Create an on-premises remote mailbox (mail-enabled AD user) whose following attributes match the cloud user:
UserPrincipalname
ProxyAddresses
SamAccountName
Alias
2- The OU where the on-premises user is created must be one of the OUs provisioned by Azure AD Connect.
You can see which OUs are synced by opening the Azure AD Connect Synchronization Service Manager (or by re-running the Azure AD Connect wizard's domain and OU filtering page).
After verifying that the user you created in AD is in the right OU, you can start a sync cycle from PowerShell on the Azure AD Connect server to speed up the process (Start-ADSyncSyncCycle -PolicyType Delta).
Below, You can see the user has been successfully synchronized to the cloud without any issue.
Now we’ll see it from the portal to confirm the user is synced with AD
Depending on the source anchor used in Azure AD Connect there may or may not be a GUID conflict. If there is one, you get an error similar to the migration error above; you can solve it by replacing the cloud user's ImmutableID with the value derived from the on-premises user, which forces the cloud user to merge with (hard match) the on-premises user.
Let’s confirm in our case if the user on-cloud has a matching GUID with the one on-premises.
From AD, run CMD or PowerShell and use the following command to get the user's ImmutableID (the base64-encoded objectGUID):
Opening the exported file in Notepad, you can see that the ImmutableID in AD for the user test3 is IkTni9mw7Ee4YefeGpz7IA==
To see the user on the Office 365 side, we need to connect to the MSOnline (Azure AD) PowerShell service, which can be done from the Exchange Online PowerShell module.
Connect to Exchange Online PowerShell from your Exchange Online ECP.
Clicking Configure downloads an executable that launches the Exchange Online PowerShell module, which supports modern authentication (MFA) so you can use PowerShell safely.
Connect-MsolService connects you to Office 365, after which you can get the user's properties and see whether the ImmutableID matches the on-premises user's GUID.
Once you're connected, you can use the following cmdlet to get the user's properties.
You can see they match each other. If there is a conflict, simply set the online user's ImmutableID to match the on-premises user's ImmutableID.
Once done, force Azure AD Connect to sync the user and check whether the problem has been resolved. The command for changing the ImmutableID is as follows:
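The two halves of this post, creating the on-premises object the Exchange-aware way and then matching the cloud user to it, as one added example (not the post's own commands): it creates the remote mailbox in a synced OU if the AD object does not exist yet, derives the ImmutableID from the source anchor, hard-matches the cloud user when the values differ, and forces a delta sync. The user, domain, OU and Azure AD Connect server names are placeholders; it assumes the Exchange Management Shell for New-RemoteMailbox, the MSOnline module, and that the cloud user is still cloud-only (Set-MsolUser cannot change the ImmutableId of an object that is already synced).

```powershell
# Added example (not the post's commands): create the on-prem object via New-RemoteMailbox,
# derive the ImmutableID, hard-match the cloud-only user, and run a delta sync. Names are placeholders.
$Upn      = 'test3@moh10ly.com'
$Sam      = 'test3'
$SyncedOu = 'OU=Synced Users,DC=moh10ly,DC=com'   # must be an OU selected in Azure AD Connect
$AadcHost = 'AADC01'                               # the Azure AD Connect server

# 1) Create the AD user with its Exchange attributes (alias, proxyAddresses, targetAddress) so that
#    on-prem Exchange knows the recipient. Skipped if the object already exists.
if (-not (Get-ADUser -Filter "UserPrincipalName -eq '$Upn'")) {
    New-RemoteMailbox -Name $Sam -UserPrincipalName $Upn -SamAccountName $Sam -Alias $Sam `
        -OnPremisesOrganizationalUnit $SyncedOu `
        -Password (Read-Host 'Initial password' -AsSecureString) | Out-Null
}

# 2) ImmutableID = base64 of the source anchor. Azure AD Connect uses ms-DS-ConsistencyGuid when it
#    is populated and objectGUID otherwise; both are GUID bytes.
$AdUser = Get-ADUser -Identity $Sam -Properties 'mS-DS-ConsistencyGuid', ProxyAddresses
$Bytes  = if ($AdUser.'mS-DS-ConsistencyGuid') { [byte[]]$AdUser.'mS-DS-ConsistencyGuid' }
          else { $AdUser.ObjectGUID.ToByteArray() }
$ImmutableId = [Convert]::ToBase64String($Bytes)

# 3) Compare with the cloud object and hard-match only when the values differ.
Connect-MsolService
$CloudUser = Get-MsolUser -UserPrincipalName $Upn
if ($CloudUser.ImmutableId -ne $ImmutableId) {
    Write-Host "Cloud ImmutableId '$($CloudUser.ImmutableId)' differs from AD '$ImmutableId'; hard-matching."
    Set-MsolUser -UserPrincipalName $Upn -ImmutableId $ImmutableId
}

# 4) Delta sync on the Azure AD Connect server, then confirm the object now reports a sync time.
Invoke-Command -ComputerName $AadcHost -ScriptBlock {
    Import-Module ADSync
    Start-ADSyncSyncCycle -PolicyType Delta
}
Start-Sleep -Seconds 120
Get-MsolUser -UserPrincipalName $Upn | Select-Object UserPrincipalName, ImmutableId, LastDirSyncTime
```

Two caveats: the proxyAddresses on the AD object must cover every address the cloud user already has (add any extra ones with Set-RemoteMailbox before syncing), and if the UPN suffix is a federated domain the cloud user's UPN has to be switched to the tenant's onmicrosoft.com domain before Set-MsolUser will accept a new ImmutableId.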
I got a request from a client asking to find out which server(s) use a domain admin or other highly privileged account to run a service.
To find this I had already written a PowerShell script that searches for non-standard (domain-only) service accounts and shows the services and the names of the servers where those accounts are configured, using remote PowerShell and a domain admin account.
You can refer to that article by clicking here.
Creating the script:
The same client also wanted to know which of those accounts had authenticated, from which server or computer the request originated and to which DC it went.
I started by again using remote PowerShell to check certain security events on the DCs to find which members of Domain Admins had authenticated.
After some time, and with the help of some forums, I got a script ready that looks through all domain controllers for logon events (event ID 4624) for users that are members of Domain Admins, and shows from which computer each request came.
The Script :
# Get the members of the group to watch (-Recursive also expands nested groups)
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins' -Recursive
# Get all domain controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# Event ID 4624 = An account was successfully logged on
$EventID = 4624
# Look back 3 days
$Date = (Get-Date).AddDays(-3)
# Limit the number of events read per DC while testing, as a full search takes a LONG time on most domains.
# For normal running, set this to 0 (no limit).
$MaxEvent = 100
$Filter = @{ LogName = 'Security'; ID = $EventID; StartTime = $Date }
# Loop through the DCs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    # Get-WinEvent raises an error when no event matches; that is not a failure here
    $Params = @{ ComputerName = $CurDC; FilterHashtable = $Filter; ErrorAction = 'SilentlyContinue' }
    if ($MaxEvent -gt 0) { $Params.MaxEvents = $MaxEvent }
    Get-WinEvent @Params |
        # 4624 EventData layout: [5] TargetUserName, [8] LogonType, [11] WorkstationName, [18] IpAddress
        Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |
        ForEach-Object {
            [pscustomobject]@{
                Time               = $_.TimeCreated
                SamAccountName     = $_.Properties[5].Value
                LogonType          = $_.Properties[8].Value
                Workstation        = $_.Properties[11].Value
                SourceIP           = $_.Properties[18].Value
                LogonEventLocation = $CurDC
            }
        }
}
$DALogEvents
How to run:
The script must be run on a DC (or on a machine with the AD PowerShell module) with a privileged account in order to get the right results. The default time window is 3 days, but you can increase it. Keep in mind that event 4624 on a DC only records logons to that DC itself, including network logons to it; to see every domain authentication by these accounts, also collect the Kerberos ticket events (4768/4769) and the NTLM event 4776 from the DCs.
You can also change the group whose members are searched for by replacing Domain Admins with another group.
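A companion to the script above, as an added example that is not the post's code: it reads 4624 events by the EventData field names instead of positional Properties[] indices (positions are not guaranteed across Windows versions, names are) and ranks the logon types that matter for a privileged account. The two events in $SampleXml are constructed for the demo; for real data feed the function the ToXml() output of the events Get-WinEvent returns from each DC.

```powershell
# Added example (not the post's script): parse 4624 events by EventData field name and rank them.
function ConvertFrom-LogonEventXml {
    param(
        [Parameter(ValueFromPipeline)][string]$EventXml,
        [string[]]$WatchedAccounts
    )
    process {
        $x = [xml]$EventXml
        # Build a name -> value table from <Data Name="...">.
        $d = @{}
        foreach ($item in $x.Event.EventData.Data) { $d[$item.GetAttribute('Name')] = $item.'#text' }
        if ($d['TargetUserName'] -notin $WatchedAccounts) { return }
        $logonType = [int]$d['LogonType']
        [pscustomobject]@{
            Time           = [datetime]$x.Event.System.TimeCreated.SystemTime
            DC             = $x.Event.System.Computer
            SamAccountName = $d['TargetUserName']
            LogonType      = $logonType
            # 2 interactive, 10 RDP, 11 cached interactive: a privileged password was typed somewhere.
            # 3 network (SMB, WinRM, LDAP against the DC) is routine; batch/service (4/5) is worth a look.
            Severity       = $(switch ($logonType) { { $_ -in 2, 10, 11 } { 'High' } 3 { 'Info' } default { 'Medium' } })
            SourceIP       = $d['IpAddress']
            Workstation    = $d['WorkstationName']
        }
    }
}

# Constructed sample events (not real log data).
$SampleXml = @(
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-03-04T08:15:22.000Z"/><Computer>DC01.moh10ly.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">adm-jdoe</Data><Data Name="TargetDomainName">MOH10LY</Data>
    <Data Name="LogonType">10</Data><Data Name="WorkstationName">WS-FINANCE-07</Data>
    <Data Name="IpAddress">10.0.20.45</Data><Data Name="IpPort">51234</Data>
  </EventData>
</Event>
'@,
@'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Security-Auditing"/><EventID>4624</EventID>
    <TimeCreated SystemTime="2019-03-04T08:16:01.000Z"/><Computer>DC01.moh10ly.com</Computer></System>
  <EventData>
    <Data Name="TargetUserName">svc-backup</Data><Data Name="TargetDomainName">MOH10LY</Data>
    <Data Name="LogonType">3</Data><Data Name="WorkstationName">BKP01</Data>
    <Data Name="IpAddress">10.0.10.9</Data><Data Name="IpPort">445</Data>
  </EventData>
</Event>
'@
)

# In production: $Watched = (Get-ADGroupMember 'Domain Admins' -Recursive).SamAccountName
$SampleXml | ConvertFrom-LogonEventXml -WatchedAccounts 'adm-jdoe', 'svc-backup' |
    Sort-Object Severity, Time | Format-Table -AutoSize
```

The RDP logon by adm-jdoe from a finance workstation comes out as High, which is exactly the case (a Domain Admin credential used on a regular workstation) this kind of audit is meant to surface.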
The Story (Finding Domain Joined Servers Services users)
If you're wondering which of your servers run services under a domain account rather than a built-in account such as Network Service or Local System, you would normally have to go through every server's Services console one by one; thanks to PowerShell this job is a piece of cake.
Requirement
The requirement for this script is a domain admin account (strictly, any account with local administrator rights on every target server will do), since the script accesses the other servers through remote PowerShell with Invoke-Command and runs Get-WMIObject there to collect the details. In short, it needs:
1- To run from a domain-joined machine with the AD PowerShell module (in order to find the computers).
2- A domain admin account (to run remote PowerShell on the other servers and read the service details).
3- The firewall on the domain-joined computers open for remote PowerShell (WinRM), or remote PowerShell enabled via GPO.
The script also shows the offline (inaccessible) servers and marks them as down, as you can see in the screenshot below.
The script also prompts you for a path to save the output; enter something like C:\Services.csv. As soon as you provide the file path and extension, the result is opened in Notepad.
#Check servers down and get services from the responsive servers
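The article's own script is linked above rather than reproduced on this page; the following is an added example of the same technique (my code, not the author's): it pings every enabled server object from AD, collects the services that run under an account other than the built-in identities over PowerShell remoting, marks unreachable servers as down, and writes the report to a CSV path the operator supplies. It uses Get-CimInstance inside the remote session (same data as Get-WMIObject, works on newer PowerShell too).

```powershell
# Added example (not the article's script): report services running under domain accounts.
Import-Module ActiveDirectory

# Identities that are not worth reporting: the built-in accounts and per-service virtual accounts.
$BuiltIn = @('LocalSystem', 'NT AUTHORITY\LocalService', 'NT AUTHORITY\NetworkService',
             'NT AUTHORITY\LOCAL SERVICE', 'NT AUTHORITY\NETWORK SERVICE')

function Get-DomainServiceAccounts {
    param([string[]]$ComputerName)
    $Results = foreach ($Computer in $ComputerName) {
        if (-not (Test-Connection -ComputerName $Computer -Count 1 -Quiet)) {
            [pscustomobject]@{ Server = $Computer; Status = 'Down'; Service = $null; StartName = $null; StartMode = $null }
            continue
        }
        try {
            Invoke-Command -ComputerName $Computer -ErrorAction Stop -ArgumentList (, $BuiltIn) -ScriptBlock {
                param($BuiltIn)
                Get-CimInstance Win32_Service |
                    Where-Object { $_.StartName -and $_.StartName -notin $BuiltIn -and $_.StartName -notlike 'NT SERVICE\*' } |
                    ForEach-Object {
                        [pscustomobject]@{ Server = $env:COMPUTERNAME; Status = 'Up'; Service = $_.Name
                                           StartName = $_.StartName; StartMode = $_.StartMode }
                    }
            }
        } catch {
            [pscustomobject]@{ Server = $Computer; Status = "Error: $($_.Exception.Message)"; Service = $null; StartName = $null; StartMode = $null }
        }
    }
    # Invoke-Command adds PSComputerName/RunspaceId; keep only our columns so the CSV stays tidy.
    $Results | Select-Object Server, Status, Service, StartName, StartMode
}

$Servers = Get-ADComputer -Filter 'OperatingSystem -like "*Server*" -and Enabled -eq $true' |
           Select-Object -ExpandProperty DNSHostName
$Report  = Get-DomainServiceAccounts -ComputerName $Servers
$Path    = Read-Host 'CSV output path (e.g. C:\Services.csv)'
$Report | Export-Csv -Path $Path -NoTypeInformation
Start-Process notepad.exe $Path
```

Any StartName in the report that is also a member of Domain Admins (or another privileged group) is the finding the client was after: that server holds a reusable copy of a high-privilege credential in LSA secrets.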
A few months ago I got a request from one of my clients about migrating DFS from Windows Server 2012 R2 to 2016.
The 2012 R2 server had itself been migrated from 2008 R2, and the namespaces were still in Windows 2000 Server mode. The migration can be done, but there is a list of requirements, and certain features are not supported if you keep using 2000 mode for DFS on a Windows Server 2016 server.
How to Start
In this tutorial I will explain how to do this migration with a step-by-step demo, guiding you through the migration with screenshots and the required commands.
I have also added a small comparison to make it clear why we are going to use this particular method of migrating the DFS mode and server.
To migrate a domain-based namespace to Windows Server 2008 mode
Open a Command Prompt window and type the following command to export the namespace to a file, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the export file:
Write down the path (\\server\share) of each namespace server. You must manually add the namespace servers to the recreated namespace, because Dfsutil cannot import namespace servers.
In DFS Management, right-click the namespace and then click Delete, or type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace:
Dfsutil root remove \\domain\namespace
Let's refresh the console and see whether it has been deleted there.
Next removal:
I will remove the rest of the namespaces.
All have been removed. Now let's remove the namespaces from the display and observe what happens to the replication groups.
NOTE:
The replication groups were not affected.
In DFS Management, recreate the namespace with the same name, but use the Windows Server 2008 mode, or type the following command at a command prompt, where \\server\namespace is the name of the appropriate server and share for the namespace root:
Dfsutil root adddom \\server\namespace v2
I will use the UI instead of the command.
Although we raised the forest and domain functional levels, the Windows Server 2008 mode is still greyed out. Let's try restarting the DFS services on the FSMO server.
After restarting:
Next, I will copy all the XML files to the new server and import them there.
My new server is Windows Server 2016.
To import the namespace from the export file, type the following command at a command prompt, where \\domain\namespace is the name of the appropriate domain and namespace and path\filename is the path and file name of the file to import:
Dfsutil root import merge path\filename.xml \\domain\namespace
After the import:
I will continue importing the rest of the namespaces.
First we need to create them with their matching namespace names from the GUI.
Now I will import and merge the XML file.
After adding the NEW folder, which already had a replication group from the previous mode, the group did not show up at first,
but after navigating to NewFolder, clicking the Replication tab and then navigating to the replication group, it showed up under Replication.
What has changed?
The only noticeable thing that changed is the namespace servers; everything else (folder targets, replication) is identical to the previous settings.
See this screenshot
Let’s check the access to the new namespace
Finally, Let’s import the latest namespace and its configuration (PublicFolder)
Let’s check the result on GUI
Notice that the replication group for the PF did not come across, so let's do as explained before to show the replication group.
Here we go.
Right after the process finishes, the command produces a report with the time, the import status and other related settings such as site costing, timeout and so on.
Note
To minimize the time that is required to import a large namespace, run the Dfsutil root import command locally on a namespace server.
Add any remaining namespace servers to the recreated namespace by right-clicking the namespace in DFS Management and then clicking Add Namespace Server , or by typing the following command at a command prompt, where \\ server \ share is the name of the appropriate server and share for the namespace root:
Dfsutil target add \\server\share
Note
You can add namespace servers before importing the namespace, but doing so causes the namespace servers to incrementally download the namespace metadata as it is imported, instead of downloading the entire namespace at once after being added as a namespace server.
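The check I would run around this procedure, as an added example that is not part of the tutorial: export each namespace with dfsutil before deleting it and again after the Windows Server 2008 mode re-import, then compare the link targets so nothing was silently dropped. The two XML documents are constructed samples in the layout dfsutil root export writes (Root, Target and Link elements); namespace, server and share names are placeholders.

```powershell
# Added example (not part of the tutorial): compare dfsutil namespace exports before and after migration.
function Get-DfsTargets {
    # Returns a hashtable: link name -> sorted target UNC paths; '<root>' holds the namespace servers.
    param([Parameter(Mandatory)][xml]$Export)
    $text = { if ($_ -is [string]) { $_ } else { $_.'#text' } }   # <Target> may or may not carry attributes
    $map = @{ '<root>' = @($Export.Root.Target | ForEach-Object $text | Sort-Object) }
    foreach ($link in @($Export.Root.Link)) {
        if ($link) { $map[$link.GetAttribute('Name')] = @($link.Target | ForEach-Object $text | Sort-Object) }
    }
    $map
}

function Compare-DfsExport {
    # Emits one line per link-level difference. Root targets are only displayed, because the
    # namespace servers are the one thing this migration is expected to change.
    param([Parameter(Mandatory)][xml]$Before, [Parameter(Mandatory)][xml]$After)
    $b = Get-DfsTargets $Before
    $a = Get-DfsTargets $After
    Write-Host ("Namespace servers before: {0}`nNamespace servers after:  {1}" -f ($b['<root>'] -join ', '), ($a['<root>'] -join ', '))
    $names = @($b.Keys) + @($a.Keys) | Where-Object { $_ -ne '<root>' } | Sort-Object -Unique
    foreach ($name in $names) {
        if (-not $a.ContainsKey($name)) { "link '$name' missing after import"; continue }
        if (-not $b.ContainsKey($name)) { "link '$name' did not exist before import"; continue }
        foreach ($d in Compare-Object $b[$name] $a[$name]) {
            $side = if ($d.SideIndicator -eq '<=') { 'only before' } else { 'only after' }
            "link '$name': target '$($d.InputObject)' $side"
        }
    }
}

# Constructed samples. For a real run load the files you exported with:
#   dfsutil root export \\moh10ly.com\Public C:\DFS\Public-before.xml   (before "dfsutil root remove")
#   dfsutil root export \\moh10ly.com\Public C:\DFS\Public-after.xml    (after "dfsutil root import merge")
$BeforeXml = @'
<Root Name="\\moh10ly.com\Public" State="1" Timeout="300" Comment="">
  <Target State="2">\\DC01\Public</Target>
  <Link Name="HR" State="1" Timeout="1800" Comment="">
    <Target State="2">\\FS01\HR</Target>
    <Target State="2">\\FS02\HR</Target>
  </Link>
  <Link Name="Finance" State="1" Timeout="1800" Comment="">
    <Target State="2">\\FS01\Finance</Target>
  </Link>
</Root>
'@
$AfterXml = @'
<Root Name="\\moh10ly.com\Public" State="1" Timeout="300" Comment="">
  <Target State="2">\\SRV2016\Public</Target>
  <Link Name="HR" State="1" Timeout="1800" Comment="">
    <Target State="2">\\FS01\HR</Target>
  </Link>
  <Link Name="Finance" State="1" Timeout="1800" Comment="">
    <Target State="2">\\FS01\Finance</Target>
  </Link>
</Root>
'@

$issues = @(Compare-DfsExport -Before ([xml]$BeforeXml) -After ([xml]$AfterXml))
if ($issues) { $issues | ForEach-Object { Write-Warning $_ } }   # here: link 'HR': target '\\FS02\HR' only before
else { Write-Host 'All link targets preserved.' }
```

Run it against the real export pairs with `[xml](Get-Content $path -Raw)`; an empty result means every folder target survived the delete and re-import, and the namespace-server lines show the old and new root targets side by side.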
In this tutorial I will integrate my Active Directory with pfSense in order to authenticate users from Active Directory instead of using pfSense's built-in User Manager.
This gives you more options and makes managing users much easier. To do that, follow these steps.
First open the pfSense web UI and click System -> User Manager.
Next go to Servers Tab
Click the + in the right corner.
After you click the + icon you will get the following page.
Fill in these details accordingly; for help on how to fill them in, check the snapshot below.
Note: The bind account's password is stored in pfSense's config.xml, so use a dedicated read-only account with no privileges beyond reading the directory rather than an administrator. If the bind test fails, trying a password made of letters only (e.g. Pfsense) rules out character-escaping problems, but keep such a password for testing only.
When done, click Select; you should then be able to view the following OUs/CNs.
Now create a group in AD, e.g. "PF", and create a group with the identical name in pfSense. In AD, add a user to this group.
Then go back to pfSense -> System -> User Manager -> Settings tab; under Authentication Server select your AD server and save.
Now click Diagnostics -> Authentication and select your AD server.
Type in the username and password of the user you added to the PF group in AD and click Test; you will see the result at the top: "User: Pfsense authenticated successfully. This user is a member of these groups: pf".
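The AD side of this setup and the same test pfSense runs, as an added example that is not part of the tutorial: it provisions a dedicated read-only bind account and the PF group, then reproduces what pfSense does at login (LDAPS simple bind with the service account, lookup of the user, bind as the user to check the password, and a memberOf check). The server, base DN, OU and account names are placeholders; it assumes the ActiveDirectory module and a DC with a valid LDAPS certificate on port 636.

```powershell
# Added example (not from the tutorial): provision the bind account and group, then test the
# LDAPS bind + group lookup exactly as pfSense performs it. Names are placeholders.
Import-Module ActiveDirectory
Add-Type -AssemblyName System.DirectoryServices.Protocols

$Server  = 'dc01.moh10ly.com'
$BaseDn  = 'DC=moh10ly,DC=com'
$GroupDn = 'CN=PF,OU=Groups,DC=moh10ly,DC=com'

# One-time provisioning. The bind account only reads the directory, so it gets no extra group
# memberships; it is never used interactively, so the password can be long and random.
$BindPassword = Read-Host 'Bind account password' -AsSecureString
New-ADUser -Name 'svc-pfsense-ldap' -SamAccountName 'svc-pfsense-ldap' `
    -UserPrincipalName 'svc-pfsense-ldap@moh10ly.com' -Path 'OU=Service Accounts,DC=moh10ly,DC=com' `
    -AccountPassword $BindPassword -PasswordNeverExpires $true -Enabled $true
New-ADGroup -Name 'PF' -GroupScope Global -Path 'OU=Groups,DC=moh10ly,DC=com'
Add-ADGroupMember -Identity 'PF' -Members 'jdoe'

function Test-PfSenseLdapLogin {
    param([string]$Server, [string]$BaseDn, [string]$GroupDn,
          [pscredential]$BindCredential, [pscredential]$UserCredential)
    # Step 1, as pfSense: LDAPS on 636, simple (Basic) bind with the service account.
    $conn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:636")
    $conn.SessionOptions.SecureSocketLayer = $true
    $conn.SessionOptions.ProtocolVersion   = 3
    $conn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $conn.Credential = $BindCredential.GetNetworkCredential()
    $conn.Bind()

    # Step 2: look the user up under the configured search base and read its groups.
    $user = $UserCredential.GetNetworkCredential().UserName
    $req  = New-Object System.DirectoryServices.Protocols.SearchRequest(
                $BaseDn, "(&(objectClass=user)(sAMAccountName=$user))", 'Subtree', @('memberOf'))
    $resp = $conn.SendRequest($req)
    if ($resp.Entries.Count -ne 1) { return "User '$user' not found under $BaseDn" }
    $entry = $resp.Entries[0]

    # Step 3: bind as the user's DN to validate the password.
    $userConn = New-Object System.DirectoryServices.Protocols.LdapConnection("${Server}:636")
    $userConn.SessionOptions.SecureSocketLayer = $true
    $userConn.AuthType   = [System.DirectoryServices.Protocols.AuthType]::Basic
    $userConn.Credential = New-Object System.Net.NetworkCredential(
                               $entry.DistinguishedName, $UserCredential.GetNetworkCredential().Password)
    try { $userConn.Bind() } catch { return "Password check failed for $($entry.DistinguishedName): $($_.Exception.Message)" }

    # Step 4: group check, the equivalent of the "member of these groups" line in the pfSense test.
    $groups = if ($entry.Attributes.Contains('memberOf')) { @($entry.Attributes['memberOf'].GetValues([string])) } else { @() }
    if ($groups -contains $GroupDn) { "User $user authenticated successfully; member of $GroupDn" }
    else { "User $user authenticated but is not a member of $GroupDn" }
}

Test-PfSenseLdapLogin -Server $Server -BaseDn $BaseDn -GroupDn $GroupDn `
    -BindCredential (Get-Credential 'svc-pfsense-ldap@moh10ly.com') -UserCredential (Get-Credential 'jdoe')
```

If the bind in step 1 fails while the same credentials work in the pfSense test, check the certificate chain and port first; if step 1 works and step 3 fails, the problem is in the user lookup (search base or the attribute pfSense is configured to match on), not in the bind account.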
Hope this will help you find your way through Pfsense. 🙂
Upgrade a Microsoft Domain Controller from 2008 R2 to 2012 R2 with Exchange 2010 in the environment.
Prerequisites:
1- Windows Server 2012 R2, fully patched
2- The new Windows Server 2012 R2 server should be joined to the domain served by the 2008 R2 domain controller
After you have all the prerequisites ready, start Server Manager, click Add Roles and Features, add the AD DS role and follow the instructions below.
Install the role and then configure it as follows.
Add it as a domain controller to the existing domain.
To migrate the AD operations master (FSMO) roles, the simplest way is PowerShell.
With the Server 2012 AD PowerShell module this can be done from anywhere. Simply run the following command to view your current configuration, then change it:
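The role transfer spelled out, as an added example that is not the post's own command: it lists the current holders of the five operations master roles, transfers them to the new 2012 R2 DC, forces replication, and verifies. 'DC2012' is a placeholder for the new DC name; it assumes the ActiveDirectory module and an account that is both Domain Admin and Enterprise Admin (Schema Admin is also needed for the schema master).

```powershell
# Added example (not from the post): view, transfer and verify the five FSMO roles.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

$NewDc = 'DC2012'
Get-FsmoHolders | Format-List   # current holders

# Graceful transfer; the current holders must be online. Add -Force only to seize roles from a DC
# that is permanently gone, and never bring that DC back online afterwards.
Move-ADDirectoryServerOperationMasterRole -Identity $NewDc -Confirm:$false `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster

# Push the change to every DC instead of waiting for the replication schedule, then verify.
repadmin /syncall /AdeP | Out-Null
$after = Get-FsmoHolders
$wrong = $after.PSObject.Properties | Where-Object { $_.Value -notlike "$NewDc.*" }
if ($wrong) { $wrong | ForEach-Object { Write-Warning "$($_.Name) is still held by $($_.Value)" } }
else { Write-Host "All five roles are now held by $NewDc" }
```

Only shut down the old DCs once this verification passes; the Exchange error described further down is what you see when the PDC or schema master moves while the console still points at the old server.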
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=domain,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Resolution:
After joining the new DC you will see this error until replication with the PDC and schema master has finished.
Use repadmin /syncall to speed up the sync.
After we moved the PDC and schema master roles to the new DC and shut down the old DC for a test, the Exchange 2010 server showed the following error.
Exchange Console
Current deployment:
Exchange 2010
New 2012 R2 DC with another newly installed additional DC.
Two 2008 R2 DCs, shut down for testing.
Problem:
After you shut down or demote the old PDC or schema master domain controller, the Exchange Management Console fails to retrieve any Exchange information with the error message "An error caused a change in the current set of Active Directory Server settings. Restart Exchange Management console."
Cause
The Exchange Management Console caches its Active Directory server settings in the user's profile for quick access, so whenever you open EMC from an existing Exchange admin profile you get the same error.
Resolution:
Navigate to the following folder and delete the Exchange Management Console settings file.
Starting with Windows Server 2008 R2, Microsoft introduced the Active Directory Recycle Bin. This is great for recovering objects back into AD if they are accidentally deleted. To use the Recycle Bin, your forest must be at the Windows Server 2008 R2 functional level. If it is, you simply run a PowerShell command to enable it; note that enabling it cannot be undone.
Enable
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
Below is a sample for enabling it for moh10ly.com:
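An added example of the enabling step, not the post's own command: it checks the forest functional level, enables the Recycle Bin for moh10ly.com only if it is not already on, and then shows how long deleted objects will be kept. It assumes the ActiveDirectory module and an Enterprise Admin account.

```powershell
# Added example (not the post's command): check prerequisites, enable the AD Recycle Bin, verify.
Import-Module ActiveDirectory

$Forest = Get-ADForest
if ($Forest.ForestMode -lt [Microsoft.ActiveDirectory.Management.ADForestMode]::Windows2008R2Forest) {
    throw "Forest functional level is $($Forest.ForestMode); it must be Windows2008R2Forest or higher."
}

$Feature = Get-ADOptionalFeature -Identity 'Recycle Bin Feature'
if ($Feature.EnabledScopes) {
    Write-Host 'Recycle Bin is already enabled.'
} else {
    # Irreversible: there is no Disable-ADOptionalFeature path for the Recycle Bin.
    Enable-ADOptionalFeature -Identity $Feature -Scope ForestOrConfigurationSet -Target $Forest.Name -Confirm:$false
}

# Deleted objects stay restorable for msDS-DeletedObjectLifetime days; when unset it falls back to
# tombstoneLifetime (180 days on forests created with Windows Server 2003 SP1 or later).
$ConfigNc = (Get-ADRootDSE).configurationNamingContext
Get-ADObject "CN=Directory Service,CN=Windows NT,CN=Services,$ConfigNc" `
    -Properties msDS-DeletedObjectLifetime, tombstoneLifetime |
    Select-Object msDS-DeletedObjectLifetime, tombstoneLifetime
```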
Once the Recycle Bin is enabled, one way to restore objects is with LDP.exe (Windows Server 2012 and later also offer a GUI in the Active Directory Administrative Center, and Restore-ADObject does it from PowerShell). By default the container with the deleted objects is not displayed; the following steps make it visible.
Display Deleted Objects
Follow these steps to display the Deleted Objects container:
1. To open Ldp.exe, click Start, click Run, and then type ldp.exe.
2. On the Options menu, click Controls.
3. In the Controls dialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.
4. To verify that the Deleted Objects container is displayed:
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind. (You must use SSL and port 636.)
Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.
In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects,DC=<mydomain>,DC=<com> container, where <mydomain> and <com> represent the appropriate forest root domain name of your AD DS environment.
Restore Deleted Objects
Once the container is displayed, you can restore deleted objects from Active Directory. Below are the steps to recover a single item from the Recycle Bin using LDP.exe.
Follow these steps to restore a deleted Active Directory object using Ldp.exe:
1. Open Ldp.exe from an elevated command prompt: click Start, type Command Prompt in Start Search, right-click Command Prompt, click Run as administrator, and confirm the User Account Control prompt (entering credentials if requested).
2. To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
3. On the Options menu, click Controls.
4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
5. In the console tree, navigate to the CN=Deleted Objects container.
6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
7. In the Modify dialog box:
8. In Edit Entry Attribute, type isDeleted.
9. Leave the Values box empty.
10. Under Operation, click Delete, and then click Enter.
11. In Edit Entry Attribute, type distinguishedName.
12. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
13. Under Operation, click Replace.
14. Make sure that the Extended check box is selected, click Enter, and then click Run.
A key point to understand and remember with AD Recycle Bin is that you must restore hierarchically; a parent object must be restored before a child object. If you were to delete an entire OU and all its contents, you must first restore the OU before you can restore its contents.
Modify
Clicking Run gives an error:
"Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted."
Resolution:
Disconnect and reconnect with SSL on port 636.
Enter the full distinguished name in the Values box.
Click Run again and it should work.
Before
After
After restoring the object, I will try to log in to the user's mailbox.
I'll need to reset the user's password after it is restored.
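The same restore done with the AD PowerShell module, as an added example that is not the post's LDP walk-through: it finds the deleted object by its original name, restores it, and, because the Recycle Bin requires a parent to exist before its children, walks any deleted container top-down using each child's lastKnownParent. It then resets the restored user's password as the post does. 'jdoe' and 'Sales' are placeholder names; it assumes the ActiveDirectory module and the Recycle Bin already enabled.

```powershell
# Added example (not the post's code): hierarchical restore from the AD Recycle Bin with Restore-ADObject.
Import-Module ActiveDirectory

function Restore-DeletedTree {
    param([Parameter(Mandatory)][string]$TopLevelName)
    # Deleted objects are only returned with -IncludeDeletedObjects. Their own name is mangled with a
    # GUID; msDS-LastKnownRDN keeps the original name and lastKnownParent the original container.
    $candidates = @(Get-ADObject -Filter 'isDeleted -eq $true -and name -ne "Deleted Objects"' `
                      -IncludeDeletedObjects -Properties lastKnownParent, msDS-LastKnownRDN |
                    Where-Object { $_.'msDS-LastKnownRDN' -eq $TopLevelName })
    if ($candidates.Count -ne 1) {
        throw "Expected exactly one deleted object named '$TopLevelName', found $($candidates.Count); restore by ObjectGUID instead."
    }
    # Parents first: Restore-ADObject puts the object back under lastKnownParent, so restore the top
    # object, then everything whose lastKnownParent is that DN, and so on down the tree.
    $restored = @(Restore-ADObject -Identity $candidates[0].ObjectGUID -PassThru)
    $queue = New-Object System.Collections.Queue
    $queue.Enqueue($restored[0].DistinguishedName)
    while ($queue.Count -gt 0) {
        $parentDn = $queue.Dequeue()
        $children = Get-ADObject -Filter "lastKnownParent -eq '$parentDn'" -IncludeDeletedObjects
        foreach ($child in @($children)) {
            if (-not $child) { continue }
            $r = Restore-ADObject -Identity $child.ObjectGUID -PassThru
            $restored += $r
            $queue.Enqueue($r.DistinguishedName)
        }
    }
    $restored
}

# A single user, as in the post (no children, so only the top object is restored):
$user = Restore-DeletedTree -TopLevelName 'jdoe'
$user | Select-Object Name, ObjectClass, DistinguishedName
# A whole deleted OU and everything that was in it:
# Restore-DeletedTree -TopLevelName 'Sales' | Select-Object ObjectClass, DistinguishedName

# As the post does, reset the restored user's password before handing the account back.
Set-ADAccountPassword -Identity $user[0].ObjectGUID -Reset -NewPassword (Read-Host 'New password' -AsSecureString)
```

Restoring by ObjectGUID rather than by name is the safe choice when several deleted objects share a name; Get-ADObject -IncludeDeletedObjects shows the GUID of each candidate so you can pick the right one.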