Resetting Usernames and Passwords from text file

I had a project to migrate users from a Linux Postfix mail system to Exchange 2013, but had to do it in stages, as recommended by Microsoft. The customer had Red Hat Linux servers running Postfix, integrated with Active Directory for authentication.

To migrate the users I installed Exchange 2007 so I could use the Microsoft tool called Microsoft Transporter Suite, and I had to reset all users’ passwords (850 users) to values kept in a Notepad file, which was then imported into the tool, so that all users could be migrated in less than a week.

I searched for PowerShell scripts that would reset user passwords in Active Directory, but could not find one that suited my scenario and the customer’s security policies, until I came across a tool called “Quest One ActiveRoles”, which integrates many useful commands into its own PowerShell shell and has to be installed on the Active Directory server to reset all users’ passwords.

You can find the tool at the following link:

http://www.quest.com/powershell/activeroles-server.aspx

To do this I prepared a Notepad file with two columns, “Username, password”, pasted all users and their passwords below the two header columns, saved the file with a .csv extension, and then used the following script:

$data = Import-Csv "C:\users_pass.csv"
foreach ($line in $data) { Set-QADUser $line.username -UserPassword $line.password }

You will have to install the application on your DC first, then run the application shell “ActiveRoles Management Shell for AD” as administrator and run the commands below:

$data = Import-Csv "C:\users_pass.csv"
foreach ($line in $data) { Set-QADUser $line.username -UserPassword $line.password }

Note:

Usernames in the CSV file must follow the format shown in the snapshot above, or the command won’t recognize them.
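The same bulk reset can be done without the Quest shell, using the ActiveDirectory module that ships with RSAT. This is an added example, not the post’s script; it assumes the post’s two-column CSV (username, password) and that the username column holds the sAMAccountName. It reports per-user results instead of stopping at the first failure and can optionally force a change at next logon, so the plaintext values in the file are only ever temporary.

```powershell
# Added example (not the post's Quest-based script): bulk password reset with the
# built-in ActiveDirectory module. Assumed CSV layout, as in the post: username,password
Import-Module ActiveDirectory

function Reset-PasswordsFromCsv {
    param(
        [Parameter(Mandatory)] [string] $CsvPath,
        # Assumption: mark the account so the user must pick a new password at next logon
        [switch] $ChangeAtNextLogon
    )
    $rows = Import-Csv -Path $CsvPath
    foreach ($row in $rows) {
        if ([string]::IsNullOrWhiteSpace($row.username) -or [string]::IsNullOrWhiteSpace($row.password)) {
            Write-Warning "Skipping a row with an empty username or password"
            continue
        }
        $secure = ConvertTo-SecureString -String $row.password -AsPlainText -Force
        try {
            # -Reset performs an administrative reset (the old password is not required)
            Set-ADAccountPassword -Identity $row.username -NewPassword $secure -Reset -ErrorAction Stop
            if ($ChangeAtNextLogon) {
                Set-ADUser -Identity $row.username -ChangePasswordAtLogon $true -ErrorAction Stop
            }
            [pscustomobject]@{ User = $row.username; Result = 'OK' }
        } catch {
            # Typical causes: user not found, or the value violates the domain password policy
            [pscustomobject]@{ User = $row.username; Result = $_.Exception.Message }
        }
    }
}

# Usage: write the per-user outcome to a log, then delete the CSV once the run is verified
Reset-PasswordsFromCsv -CsvPath 'C:\users_pass.csv' | Tee-Object -FilePath 'C:\reset_results.csv' | Format-Table
```

A value that fails the domain’s complexity or length rules shows up as an error row rather than silently leaving that user on the old password, which is the check you want before handing the file to the Transporter Suite.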

Replication after tombstone life expired

While preparing for an Exchange migration from 2010 to 2013 I had two DCs. One of them had been off for about 8 months and had already passed the default tombstone lifetime, so it was no longer allowed to replicate in the forest.

Whenever I tried to replicate the server I got the following error:

Active Directory Sites and Services Error

“The following error occurred during the attempt to synchronize naming context CN=Configuration,DC=Domain,DC=Local from Domain Controller AD to Domain Controller AD2: The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue.”

My FSMO role holder and PDC is in the demotesas.local domain, so on this DC I will run the following command:

W32tm /config /manualpeerlist:time.windows.com,0x1 /syncfromflags:manual /reliable:yes /update

And then this:

net stop w32time & net start w32time & W32tm /resync /rediscover

On the additional DC:

w32tm /config /syncfromflags:domhier /update

net stop w32time & net start w32time & W32tm /resync /rediscover

Force Replication

If the above doesn’t work, I will go ahead and force replication with the tombstoned DC using the following command:

repadmin /regkey * +allowDivergent
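Before allowing divergent replication it helps to know exactly which partner and partition crossed the limit, and what the forest’s actual tombstone lifetime is (it is an attribute on the Directory Service object, not always the 180 days people assume). The script below is an added example, not from the post: it reads tombstoneLifetime from the configuration partition and parses the CSV output of repadmin /showrepl to list partners whose last successful replication is older than that. It assumes RSAT and the ActiveDirectory module on the machine it runs on.

```powershell
# Added example, not from the post: find replication partners that have exceeded
# the forest tombstone lifetime. Runs on a DC or a machine with RSAT installed.
Import-Module ActiveDirectory

function Get-TombstoneLifetimeDays {
    $configNc = (Get-ADRootDSE).configurationNamingContext
    $dsObject = Get-ADObject -Identity "CN=Directory Service,CN=Windows NT,CN=Services,$configNc" `
                             -Properties tombstoneLifetime
    if ($dsObject.tombstoneLifetime) { return [int]$dsObject.tombstoneLifetime }
    # Attribute unset: the effective default depends on the version the forest was
    # created with (60 or 180 days); assume the conservative 60 here.
    return 60
}

function Get-StaleReplicationPartners {
    param([int] $TombstoneDays = (Get-TombstoneLifetimeDays))
    # '/csv' gives one header row plus one row per (destination, source, partition)
    $rows = repadmin /showrepl * /csv | ConvertFrom-Csv
    foreach ($r in $rows) {
        $last = [datetime]::MinValue
        $parsed = [datetime]::TryParse($r.'Last Success Time', [ref]$last)
        $age = if ($parsed) { ((Get-Date) - $last).TotalDays } else { $null }
        # Flag partners over the limit and partners that never replicated successfully
        if (-not $parsed -or $age -gt $TombstoneDays) {
            [pscustomobject]@{
                Destination      = $r.'Destination DSA'
                Source           = $r.'Source DSA'
                NamingContext    = $r.'Naming Context'
                DaysSinceSuccess = if ($parsed) { [math]::Round($age) } else { 'never/unknown' }
                Failures         = $r.'Number of Failures'
                LastFailure      = $r.'Last Failure Status'
            }
        }
    }
}

"Tombstone lifetime: $(Get-TombstoneLifetimeDays) days"
Get-StaleReplicationPartners | Format-Table -AutoSize
```

If a DC shows up here for every partition, forcing it back in with allowDivergent will also bring back any objects deleted in the meantime as lingering objects; demoting and re-promoting it is the cleaner fix when it holds nothing you cannot recreate.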

Now we’ll replicate and see what happens.

Problem solved.

REF:

https://social.technet.microsoft.com/Forums/windowsserver/en-US/893b09d8-636e-4f87-8260-11613a2a4e43/unable-to-replicate-between-2-dcs-error-message-exceeded-the-tombstone-lifetime?forum=winserverDS

Prepare Active Directory with powershell

If you’re planning to install Active Directory on multiple DCs for backup, you can speed up the process with the following script, which is provided by Microsoft. You’ll have to copy and paste it into Notepad and save it with a .ps1 extension after editing the domain name and domain NetBIOS name.

You may also want to change the forest mode to match your environment if you already have an older DC.

# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "moh10ly.com" `
    -DomainNetbiosName "Moh10ly" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true
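Install-ADDSForest only creates the first DC of a new forest. For the “multiple DCs” case in the paragraph above, every further server joins the existing domain with Install-ADDSDomainController instead. The script below is an added example, not the Microsoft-provided one from the post; it reuses the same paths and domain name as placeholders, prompts for the credentials and DSRM password instead of embedding them, and runs the matching Test- cmdlet first so DNS or credential problems surface before anything is changed.

```powershell
# Added example, not part of the post: promote an additional (replica) domain
# controller into an existing domain, with a pre-check first. Domain name and paths
# are placeholders taken from the post's script; edit them for your environment.
Import-Module ADDSDeployment

$domain = "moh10ly.com"
$cred   = Get-Credential -Message "Domain Admins account for $domain"
$dsrm   = Read-Host -AsSecureString -Prompt "Directory Services Restore Mode password"

# Splatted so the same parameter set feeds both the check and the real promotion
$params = @{
    DomainName                    = $domain
    Credential                    = $cred
    SafeModeAdministratorPassword = $dsrm
    InstallDns                    = $true
    CreateDnsDelegation           = $false
    DatabasePath                  = "C:\Windows\NTDS"
    LogPath                       = "C:\Windows\NTDS"
    SysvolPath                    = "C:\Windows\SYSVOL"
    NoRebootOnCompletion          = $false
    Force                         = $true
}

# Dry run: validates prerequisites (name resolution, credentials, paths) without changing anything
$check = Test-ADDSDomainControllerInstallation @params
$check | Format-List

if ($check.Status -eq 'Success') {
    Install-ADDSDomainController @params
} else {
    Write-Warning "Pre-check failed; fix the reported problems before promoting this server."
}
```

Test-ADDSForestInstallation exists for the forest script in the same way, and is worth running against it before the real promotion, since the original script forces a reboot on completion.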

Note: If you want a different computer name, you will need to change it manually before starting the process below, and restart after changing it.

You will need to install the AD Domain Services management tools before you can run the PowerShell script:

Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

When the management tools are installed you can drag and drop the PowerShell file into the PowerShell window and press Enter; as soon as you do, it will ask you for the SafeModeAdministratorPassword.

After you press Enter it will start the installation process.

When finished, it will tell you that the server is going to restart automatically.

After the server restarts, this is what the full computer name looks like.

Configure Outlook Autodiscover in GPO

To configure Outlook Autodiscover in Active Directory we’ll have to do the following.

First open Group Policy Management from Administrative Tools. Once it is open, create a new GPO for this purpose, then follow the steps below to continue the configuration:

1- Create a new GPO under whichever OU (organizational unit) you want to apply the GPO to. Then right-click it and click Edit…

2- Under User Configuration -> Policies -> Administrative Templates: Policy, right-click and click “Add/Remove Templates…”.

3- Click Add… and browse to the Office 2010 template (I’m attaching these files below, or you can just google them).

4- Under Administrative Templates: Policy Definitions -> Classic Administrative Templates (ADM), click MS Outlook 2010 -> Exchange and, in the right pane, enable “Automatically configure profile based on AD Primary” and enable “Configure Outlook Anywhere user interface options”.

These steps are optional, but they’ll force Outlook to open for configuration after the client’s PC restarts.

5- When done, go to User Configuration -> Windows Settings -> Scripts and double-click Logon in the right pane. Click Add, then Browse, then copy the batch file below to this location and attach it: \\domain.com\SysVol\domain.com\Policies\{34E9C6C2-FCCF-45DA-908D-65A452D049F3}\User\Scripts\Logon

When PCs restart they’ll pick up the new configuration.

Note: The Outlook.txt file is the script that launches the Outlook configuration panel; you will need to rename it from Outlook.txt to outlook.bat before uploading it to the location given in the article.

CHANGING PROXY ADDRESS FOR LOCAL AD USERS

If your Exchange users have problems with ActiveSync’s Autodiscover configuration, you intend to set up a hybrid configuration with Microsoft Office 365 Exchange Online, or your Lync/Skype for Business users have trouble signing in right after you enable them from the Lync/SfB panel, then this article is for you.

Note: For Lync you’d want to change the account (UPN) instead of the proxy address attribute for users. Each scenario may be a different case.

Assuming I have the following domain list, and I want to add them to my AD users’ proxyAddresses attribute so they can be used as SMTP addresses:

%'sAMAccountName'%@Domain1.com
%'sAMAccountName'%@Domain2.com
%'sAMAccountName'%@Domain3.com
%'sAMAccountName'%@Domain4.com
%'sAMAccountName'%@Domain5.com
%'sAMAccountName'%@cardtekcloud.onmicrosoft.com

First, to add the main SMTP address we’ll use the expression %'sAMAccountName'%@Domain.com

Next, to add alternative proxy addresses we’ll use

%'sAMAccountName'%@domain.com

I’ll open the ADModify.net app and select the organization that I would like to apply the changes to.

I’ll select the domain from the domain list, then choose the domain controller and choose to show only users.

Click the green Next button, then click Add to List, then click Next under the user to continue.

I’ll navigate to the Email Addresses tab to make the changes and enter the domain that I would like to use.

I’ll enter the domain and use sAMAccountName, since it matches the user’s email address.

IMPORTANT NOTE:

If you’d like to change the domain in the proxy address, you’ll need to choose an attribute that matches the username part of the user’s existing proxy address.

To add the other domains, e.g. domain2, domain3, etc., I’ll follow exactly the same steps and just change the ending to @domain2.com.
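The same result can be scripted with the ActiveDirectory module, which also makes the important note above enforceable: proxyAddresses may contain exactly one upper-case SMTP: entry (the primary), and aliases are lower-case smtp:. The function below is an added example, not the post’s ADModify.net procedure; the OU and domain names are placeholders. It builds every address from sAMAccountName, never adds a second primary, skips aliases that already exist, and only replaces an existing primary when asked to.

```powershell
# Added example, not the post's ADModify.net steps: build proxyAddresses from
# sAMAccountName with the ActiveDirectory module. OU and domain names are placeholders.
Import-Module ActiveDirectory

function Add-ProxyAddressesFromSam {
    param(
        [Parameter(Mandatory)] [string]   $SearchBase,     # e.g. "OU=Users,DC=domain,DC=com"
        [Parameter(Mandatory)] [string]   $PrimaryDomain,  # becomes SMTP:<sam>@<PrimaryDomain>
        [string[]] $AliasDomains = @(),                    # each becomes smtp:<sam>@<domain>
        [switch]   $ReplacePrimary                         # demote an existing, different primary
    )
    $users = Get-ADUser -Filter 'Enabled -eq $true' -SearchBase $SearchBase -Properties proxyAddresses
    foreach ($u in $users) {
        $sam        = $u.SamAccountName
        $existing   = @($u.proxyAddresses)
        $newPrimary = "SMTP:$sam@$PrimaryDomain"
        # Exchange treats the upper-case "SMTP:" entry as the primary; there must be exactly one
        $oldPrimary = $existing | Where-Object { $_ -clike 'SMTP:*' } | Select-Object -First 1
        $add    = New-Object System.Collections.Generic.List[string]
        $remove = New-Object System.Collections.Generic.List[string]

        if (-not $oldPrimary) {
            $add.Add($newPrimary)
        } elseif ($oldPrimary -cne $newPrimary) {
            if ($ReplacePrimary) {
                $remove.Add($oldPrimary)
                $add.Add($oldPrimary.ToLower())   # keep the old address as an alias
                $add.Add($newPrimary)
            } else {
                Write-Warning "$sam already has primary $oldPrimary; use -ReplacePrimary to change it"
            }
        }
        foreach ($d in $AliasDomains) {
            $alias = "smtp:$sam@$d"
            # -contains/-ne are case-insensitive, so this also skips the primary's own domain
            if ($existing -notcontains $alias -and $alias -ne $newPrimary -and $add -notcontains $alias) {
                $add.Add($alias)
            }
        }
        if ($remove.Count) { Set-ADUser -Identity $u -Remove @{ proxyAddresses = [string[]]$remove } }
        if ($add.Count)    { Set-ADUser -Identity $u -Add    @{ proxyAddresses = [string[]]$add } }
        [pscustomobject]@{ User = $sam; Added = ($add -join ' '); Removed = ($remove -join ' ') }
    }
}

# Usage (placeholders): the post's primary domain plus its alias domains
Add-ProxyAddressesFromSam -SearchBase "OU=Users,DC=domain,DC=com" -PrimaryDomain "domain.com" `
    -AliasDomains "domain2.com", "domain3.com", "cardtekcloud.onmicrosoft.com" | Format-Table
```

Run it once without -ReplacePrimary first: the warnings list exactly the users whose existing primary address does not match the sAMAccountName pattern, which is the mismatch the note above is about.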

That should be all. If you have any questions please don’t hesitate to contact me or comment.

Change Password Policy for AD and domain users

To change the password policy we’ll first have to open Group Policy Management, which is located in “Administrative Tools” on your DC.

Right-click “Default Domain Policy” to change the password policy for all users within the domain.

This opens the Group Policy Management Editor, as you can see below, where you navigate to “Computer Configuration -> Security Settings -> Password Policy”; there you can disable password complexity, adjust it, or change any other setting.

Next, when the Group Policy editor opens the configuration, I will go to “Account Policies” and disable “Password must meet complexity requirements”, since that is all I want to do in my case.

After changing the policy you will need to force a policy update on all domain-joined clients with the command line gpupdate /force.

When this is finished, all clients must be restarted in order for the group policy change to take effect.
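The Default Domain Policy settings above are readable and writable from PowerShell too, and the same module offers a narrower alternative: a fine-grained password policy (PSO) that applies the relaxed rules to one group while the domain-wide default stays as it is. The following is an added example, not part of the post; the group and PSO names are placeholders, and the PSO route needs the domain at 2008 functional level or higher.

```powershell
# Added example, not the post's GPMC steps: read and change the default domain
# password policy with the ActiveDirectory module, and the scoped PSO alternative.
# Group, PSO and user names are placeholders.
Import-Module ActiveDirectory

function Show-DomainPasswordPolicy {
    Get-ADDefaultDomainPasswordPolicy |
        Select-Object ComplexityEnabled, MinPasswordLength, PasswordHistoryCount,
                      MaxPasswordAge, LockoutThreshold, LockoutDuration
}

# Option 1: the post's change, domain-wide (same effect as editing Default Domain Policy)
function Disable-DomainPasswordComplexity {
    Set-ADDefaultDomainPasswordPolicy -Identity (Get-ADDomain).DNSRoot -ComplexityEnabled $false
    Show-DomainPasswordPolicy
}

# Option 2: relax complexity only for the members of one group. A PSO overrides the
# domain default for its subjects; when several apply, the lowest Precedence wins.
function New-RelaxedComplexityPso {
    param(
        [string] $Name  = 'MigratedMailUsers-PSO',
        [string] $Group = 'Migrated Mail Users'
    )
    if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$Name'")) {
        New-ADFineGrainedPasswordPolicy -Name $Name -Precedence 100 `
            -ComplexityEnabled $false -MinPasswordLength 12 -PasswordHistoryCount 24 `
            -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
            -LockoutThreshold 10 -LockoutObservationWindow (New-TimeSpan -Minutes 30) `
            -LockoutDuration (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
    }
    Add-ADFineGrainedPasswordPolicySubject -Identity $Name -Subjects $Group
    Get-ADFineGrainedPasswordPolicy -Identity $Name
}

# Verify what one account really gets (the PSO, if it applies, otherwise the domain default)
function Test-UserEffectivePolicy {
    param([Parameter(Mandatory)] [string] $User)
    Get-ADUserResultantPasswordPolicy -Identity $User |
        Select-Object Name, ComplexityEnabled, MinPasswordLength, MaxPasswordAge
}

Show-DomainPasswordPolicy
# Disable-DomainPasswordComplexity          # option 1
# New-RelaxedComplexityPso                  # option 2
# Test-UserEffectivePolicy -User 'someuser'
```

Whichever option is used, Test-UserEffectivePolicy is the quick way to confirm which policy a given account ends up with after gpupdate, instead of waiting for the next password change to find out.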

Active Directory Useful Script

WINDOWS POWERSHELL SCRIPT FOR AD DS DEPLOYMENT

# Windows PowerShell script for AD DS Deployment
#
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
Import-Module ADDSDeployment
Install-ADDSForest `
    -CreateDnsDelegation:$false `
    -DatabasePath "C:\Windows\NTDS" `
    -DomainMode "Win2012" `
    -DomainName "moh10ly.com" `
    -DomainNetbiosName "Moh10ly" `
    -ForestMode "Win2012" `
    -InstallDns:$true `
    -LogPath "C:\Windows\NTDS" `
    -NoRebootOnCompletion:$false `
    -SysvolPath "C:\Windows\SYSVOL" `
    -Force:$true

Find out which user is logged in to which computer

While doing a cross-forest migration in a customer’s environment I had to find out which users were logged in to some computers before starting the migration, because of the customer’s policy on how computer hostnames are used.

There were about 500 computers, and most of them are not named after their users but after the company name followed by a number, e.g. (PC5123).

Luckily Mark Russinovich has provided the great PsTools for administrators to work remotely and find out everything about users’ computers in the domain without having to go there physically or interact with the users.

So I downloaded the tools from this link and used the following command to get the logged-in user:

wmic /node:"smart0498" ComputerSystem GET UserName
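For 500 machines the single wmic call above is better run as a loop that keeps going when a host is off or unreachable and records the result per computer. The function below is an added example, not from the post: it asks the same Win32_ComputerSystem class over CIM (WinRM), takes hostnames from the pipeline or a text file, and writes one row per machine. Note that UserName only reports the user at the interactive console; a machine with only RDP sessions shows an empty value.

```powershell
# Added example, not the post's command: the same Win32_ComputerSystem.UserName query
# over CIM, for a list of hosts, tolerant of machines that are off or unreachable.
function Get-LoggedOnUser {
    param([Parameter(Mandatory, ValueFromPipeline)] [string[]] $ComputerName)
    process {
        foreach ($c in $ComputerName) {
            try {
                $cs = Get-CimInstance -ClassName Win32_ComputerSystem -ComputerName $c -ErrorAction Stop
                [pscustomobject]@{
                    Computer = $c
                    # Null when nobody is logged on at the console (RDP sessions are not reported here)
                    UserName = $cs.UserName
                    Status   = 'OK'
                }
            } catch {
                # Host down, name not resolving, WinRM disabled or access denied all land here
                [pscustomobject]@{ Computer = $c; UserName = $null; Status = $_.Exception.Message }
            }
        }
    }
}

# Usage: the post's single host, or a constructed list file with one hostname per line
Get-LoggedOnUser -ComputerName 'smart0498' | Format-Table
# Get-Content 'C:\computers.txt' | Get-LoggedOnUser | Export-Csv 'C:\loggedon.csv' -NoTypeInformation
```

Get-CimInstance uses WinRM, so it works wherever PowerShell remoting is already enabled; on older clients that only have DCOM enabled, Get-WmiObject -Class Win32_ComputerSystem -ComputerName takes the same arguments.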

Hope you find this useful.

Domain Controller Cross Forest migration Part 3 (ADMT Installation)

ADMT 3.2 installation

Requirements

  1. SQL express/full 2008 sp2
  2. Windows 2012/R2 / Windows 2008 R2 for ADMT
  3. Install PES on Source DC for Migrating Passwords

http://blogs.technet.com/b/askds/archive/2010/07/09/admt-3-2-common-installation-issues.aspx

  • The server where you install ADMT can run any supported version of Windows Server, including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domain controllers must be writeable, but they can run any supported version of Windows Server with a user interface (not Server Core), including Windows Server 2012 R2 and Windows Server 2012.
  • The source and destination domains must be at Windows Server 2003 domain functional level or higher.
  • The computers that can be migrated can run any supported version of Windows, including Windows 8.1.
  • You can use any version of SQL Server for the ADMT database.

From <https://technet.microsoft.com/en-us/library/active-directory-migration-tool-versions-and-supported-environments(v=ws.10).aspx>

ADMT user permissions:

From <https://social.technet.microsoft.com/Forums/windowsserver/en-US/fe44cdd4-ef11-4d73-801d-f37939d756bd/minimum-permissions-needed-for-admt-32-when-doing-an-interforest-migration-with-sid-history?forum=winserverMigration>

ADMT Migration Account

The account you run ADMT under will need to have administrative rights in both the source and destination domain. You may decide to create a user specifically for the ADMT Migration, or you may use an existing user e.g. the default administrator account. I will create a user called ADMT and assign this user the correct permissions. This is the account we will use for the entire migration.

It is recommended that you make the user account in the destination domain and make it a member of the domain administrators group.

Destination Domain:

In the source domain, add the same user to the built-in Administrators group (you will be unable to add it to the domain administrators group).

Source Domain:

Installing ADMT

You should install ADMT and SQL on a member server in the destination forest. Use the ADMT service account described in the previous post to install SQL and ADMT.

ADMT requires a preconfigured instance of SQL Server for its underlying data store, so we’ll go ahead and install SQL 2008 SP1 Express on ADMT.contoso.com.

Installing SQL Express 2008 SP2

SQL Express download here: https://www.microsoft.com/en-us/download/details.aspx?id=30438

Cause

This error is purely within SQL Express 2008 and has nothing to do with ADMT 3.2 itself. The issue is fixed in “Cumulative update package 4 for SQL Server 2008”.

Unhelpfully, KB975055 identifies this error as affecting only Windows 7 and as fixed by SP1; both statements are incorrect. The issue does affect Windows 2008 R2 and is only fixed by the cumulative update.

Resolution

Before installing SQL Server Express 2008 with SP1 (which will fail), first install:

Cumulative update package 4 for SQL Server 2008 

http://support.microsoft.com/kb/963036

Set an account for the SQL service to run under (use your ADMT Service Account).

Set a SQL administrator: choose the user account you plan to run ADMT under. Be aware that this user account will need local administrative rights in the source domain (this will be discussed further in the series).

Download ADMT 3.2

https://onedrive.live.com/redir?resid=82488EABA4ACDB15!33497&authkey=!AF3kLtU8fl2_B0I&ithint=file%2cexe

Installing ADMT

For this series I will be using ADMT 3.2, which is the supported version for Server 2008 R2. Use ADMT 3.1 for installation on a Server 2008 (non-R2) server, or ADMT 3.0 for Server 2003. If you need to migrate a Windows 2000 domain, you will need ADMT version 3.1 or earlier.

Update June 2014: ADMT 3.2 now supports Windows Server 2012 / 2012 R2.

Next, you can leave the default value for the SQL installation.

Since this is a new installation I won’t need to import any data from a previous database, and will continue with the normal options.

The installation of the ADMT tool is finished. In the next part of the series we’ll prepare permissions and start migrating users, groups and computers, and I’ll talk about the issues I had during the migration.

Domain Controller Cross Forest migration Part 2

Mohammed Hamada 4:35 AM Active Directory , Windows Migration , Windows Server

Current environment on the LAB.com DC

  1. Additional DC2
  2. SCVMM
  3. SCVMM SQL
  4. Exchange
  5. SCMM
  6. SCMM SQL

Computers

Migration plan

AD 2012 R2 (LAB.com) to (Contoso.com) 2012 R2.

Users

In the second part of this series (DC cross-forest migration) I will demonstrate the major required steps for the migration from the old DC (lab.com) to the new DC (Contoso.com).

NOTE:

SQL servers and their applications can’t be migrated, due to SQL permissions and schema mismatches.

Requirements are:

The destination DC’s forest functional level and domain functional level must be set to at least 2008 R2 for ADMT 3.2 to work.

A health check must also be performed on the FSMO roles to make sure everything is functioning properly on the source DC (PDC, Schema Master, etc.).

The checks I will perform are:

  1. Check replication (In case there’s more than one DC In the source forest).
  2. DC health (DCDiag tool)
  3. Check the reachability of the PDC.

netdom query fsmo (this command shows exactly which DC in the source forest holds which role)

1- To check replication you can use the repadmin command line, which checks replication between sites and DCs and reports any errors in between. If you have only one server in place, the following output should be printed.

Repadmin.exe helps administrators diagnose Active Directory replication problems between domain controllers running Microsoft Windows operating systems.

https://technet.microsoft.com/en-us/library/cc770963.aspx
2- Check DC health using DCDIAG tool

It analyzes the state of domain controllers in a forest or enterprise and reports any problems to help with troubleshooting.

https://technet.microsoft.com/en-us/library/cc731968.aspx

There are multiple types of tests that can be run with dcdiag depending on the parameter used. I will start with DNS.

If DNS is healthy it should show as follows, and we can continue to the next test.

For an extensive test, you can use the /v parameter and redirect the output with > c:\dcdiag.txt to export the test results to a file and go through them line by line.

If everything looks good and healthy we’ll move on to the next step, which is DNS configuration.

DNS Configuration

Preparation:

  1. DNS replication between both domains
  2. Installing Windows 2008 R2 for ADMT 3.2
  3. Setting up domain trust between forests.
  4. DNS replication between the source and target domain

For the trust to be created between both forests, you either have to create conditional forwarders that will copy the source zones to the destination DNS server and vice versa, or you can create a secondary zone on the destination DC for the source domain and vice versa.

In my case I will create a secondary zone, and to do this I will go to each DNS server and allow the zone to be transferred.

Note:

You can restrict the zone transfer to only the IPs of the source and destination servers, plus any additional DNS servers.
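The two DNS-side steps above (allow the transfer, but only to named servers, then pull the zone on the other side) map onto the DnsServer module on Windows 2012 and later. The script below is an added example, not the post’s screenshots; the zone names follow the post (lab.com and contoso.com) and the IP addresses are placeholders. The transfer restriction is the part worth keeping even in a lab, since a zone that transfers to any server hands out the full host list of the domain to whoever asks.

```powershell
# Added example, not from the post: DNS preparation for the forest trust with the
# DnsServer module. Zone names follow the post; IP addresses are placeholders.
Import-Module DnsServer

$sourceZone = "lab.com";     $sourceDns = "10.0.1.10"   # placeholder: source DC / DNS server
$targetZone = "contoso.com"; $targetDns = "10.0.2.10"   # placeholder: destination DC / DNS server

# --- run on the SOURCE DNS server ---
# Allow transfers of lab.com only to the destination DNS server (the post's note),
# instead of "to any server", and notify it on changes.
Set-DnsServerPrimaryZone -Name $sourceZone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $targetDns -Notify Notify -NotifyServers $targetDns

# --- run on the DESTINATION DNS server ---
# Pull lab.com as a secondary zone from the source; an immediate transfer follows the creation.
Add-DnsServerSecondaryZone -Name $sourceZone -ZoneFile "$sourceZone.dns" -MasterServers $sourceDns

# Alternative the post mentions: a conditional forwarder. This forwards queries for
# lab.com to the source server rather than copying the zone, so nothing is transferred.
# Add-DnsServerConditionalForwarderZone -Name $sourceZone -MasterServers $sourceDns

# Repeat the two blocks with the roles swapped (contoso.com transferred only to $sourceDns,
# secondary zone on the source side), then verify resolution from both sides.
function Test-CrossDomainResolution {
    param([string] $Name, [string] $Server)
    $answer = Resolve-DnsName -Name $Name -Server $Server -Type A -ErrorAction SilentlyContinue
    [pscustomobject]@{ Query = $Name; Via = $Server; Resolved = [bool]$answer; Address = ($answer.IPAddress -join ',') }
}
Test-CrossDomainResolution -Name "dc1.$sourceZone" -Server $targetDns
Test-CrossDomainResolution -Name "dc1.$targetZone" -Server $sourceDns
```

Get-DnsServerZone -Name lab.com on the destination afterwards shows ZoneType Secondary and the configured master, which is the PowerShell equivalent of the nslookup check further down.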

Now I have created a secondary DNS zone and am trying to resolve FQDNs from the source server, as in the snapshot below.

Same will be done on the destination server.

Checking Name Resolution for both domains:

Once nslookup works as expected from both servers, we’ll go ahead and create a forest trust between both DCs.

Creating Forest trust between Source and Destination Domain.

NOTE:

In order for the trust to be created between both source and destination domains the PDC on the Destination Domain must be available.

1. Open the Active Directory Domains and Trusts, right click on the domain and click properties.

We will have to validate the trust after creating it, to make sure it is validated in both directions.

Now that the trust is created and validated both ways, we’ll have to add a GPO to update all clients with the new domain name in the DNS suffix search list, so they can resolve NetBIOS names.

Updating DNS Suffix Search list:

DNS suffix search list:

To add the source and destination domain suffixes to the DNS suffix search list we will have to open GPO on the destination domain (Contoso.com).

On the target domain (contoso.com), open Group Policy Management.

Right-click Default Domain Policy / Edit.

Go to Computer Configuration \ Policies \ Administrative Templates \ Network \ DNS Client.

Double-click DNS Suffix Search List to open it and enable it.

Click OK, apply the policy, and check how it shows in the report.

Once this is done and the policy has been applied to all clients you should have no problems, and it should show first on the DC where you applied the policy.
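Both GPO settings on this page, the DNS suffix search list here and the Outlook 2010 Autodiscover setting in the earlier post, are registry-backed policies, so they can be created, set and linked with the GroupPolicy module instead of clicking through the GPMC. The script below is an added example, not from either post: one function that creates the GPO if missing, writes the value, links it once, and reads it back; the DNs and GPO names are placeholders. The DNS Client policy writes the SearchList value under the Windows NT\DNSClient policy key; for Outlook the value name ZeroConfigExchange is assumed to be what the Office 2010 ADM’s “Automatically configure profile based on AD Primary” setting writes.

```powershell
# Added example, not from the posts: registry-backed GPO settings via the GroupPolicy
# module. GPO names and distinguished names are placeholders; ZeroConfigExchange is the
# assumed registry value behind the Outlook 2010 ADM setting.
Import-Module GroupPolicy

function Set-RegistryPolicyGpo {
    param(
        [Parameter(Mandatory)] [string] $GpoName,
        [Parameter(Mandatory)] [string] $LinkTarget,   # domain or OU distinguished name
        [Parameter(Mandatory)] [string] $Key,          # HKLM\... (computer side) or HKCU\... (user side)
        [Parameter(Mandatory)] [string] $ValueName,
        [Parameter(Mandatory)] [ValidateSet('String', 'DWord')] [string] $Type,
        [Parameter(Mandatory)] $Value
    )
    if (-not (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue)) {
        New-GPO -Name $GpoName | Out-Null
    }
    Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName -Type $Type -Value $Value | Out-Null
    # Link only once: a second New-GPLink to the same target errors out
    $alreadyLinked = (Get-GPInheritance -Target $LinkTarget).GpoLinks |
        Where-Object { $_.DisplayName -eq $GpoName }
    if (-not $alreadyLinked) { New-GPLink -Name $GpoName -Target $LinkTarget | Out-Null }
    # Read back what was written so the caller can confirm it
    Get-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName
}

$domainDn = "DC=contoso,DC=com"   # placeholder

# Part 2: DNS suffix search list (Computer Configuration > ... > DNS Client), both domains
Set-RegistryPolicyGpo -GpoName 'DNS Suffix Search List' -LinkTarget $domainDn `
    -Key 'HKLM\Software\Policies\Microsoft\Windows NT\DNSClient' `
    -ValueName 'SearchList' -Type String -Value 'contoso.com,lab.com'

# Outlook post: auto-configure the profile from the AD primary SMTP address (user side, so HKCU)
Set-RegistryPolicyGpo -GpoName 'Outlook 2010 Autodiscover' -LinkTarget "OU=Users,$domainDn" `
    -Key 'HKCU\Software\Policies\Microsoft\Office\14.0\Outlook\AutoDiscover' `
    -ValueName 'ZeroConfigExchange' -Type DWord -Value 1
```

After gpupdate /force on a client, Get-GPResultantSetOfPolicy -ReportType Html -Path C:\rsop.html produces the same report the screenshot above refers to, and Get-DnsClientGlobalSetting shows the SuffixSearchList the client actually ended up with.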
