
macOS: Find your DHCP Server Address


KB ID 0001587

Problem

In Windows this is easy to find, ‘ipconfig /all’ will tell you 🙂 On macOS it’s not so simple.

Solution

First you need to know which network card we are talking about! Your wireless network card is nearly always en0 (that’s a zero); if you are on a wired connection simply run ifconfig and find the right network card.

To double check you can run (note this is ipconfig, not ifconfig);

ipconfig getifaddr en0

Then to see your DHCP server address, issue the following command;

ipconfig getpacket en0

Look for the value of server_identifier; this is the DHCP server’s address.

macOS Get DHCP Server Address

Related Articles, References, Credits, or External Links

NA


Azure AD Connect: Correct Or Remove Duplicate Values


KB ID 0001588

Problem

I was doing some work for a School recently, their staff were already using Office 365 and their tenancy was all set up. Now they wanted to roll Office 365 out to the pupils, and sync to their on-premise Active Directory.

Now we could have simply excluded the staff from the Azure AD Connect Sync, but they want to manage their passwords etc. on-premise. Microsoft will tell you that if you DON’T have an on-premise Exchange (they didn’t), then you simply need to enter the correct email address on the user object and the correct accounts will match up and sync. However, they did not; this happened instead;

ADSync duplicate attribute value

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["6ef8d8d0-2893-4d46-83e3-bf819ea607d2"]},{"Key":"ObjectIdInConflict","Value":["56a72044-de5b-43ce-82b1-edb82c80395e"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:username@domain-name.com"]}]

OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but not the same AD attribute. But changing that didn’t fix the problem either?

Solution

Well we are syncing on-premise Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)

Within Office 365 Admin > Admin Centers > Azure Active Directory.

Admin Center Azure Active Directory

Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.

ADConnect Health

Sync errors.

Sync Errors

Duplicate Attribute.

AD Connect Duplicate attribute

Select the affected user(s) > Troubleshoot.

AD Connect Fix Duplicate attribute

Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.

ADConnect Fix SMTP Proxy Error

Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.
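The error above points at KB 2647098 for identifying objects with duplicate attribute values. As an added example (not from the original post), this PowerShell enumerates on-premise AD users, groups and contacts and reports any proxyAddresses, mail or userPrincipalName value that is attached to more than one object; it only reads, the SearchBase is an assumption you can narrow to one OU.

```powershell
# Added example (not the post's own code): find the on-prem duplicates that make
# Azure AD Connect report "attributes ... may already be associated with another object".
Import-Module ActiveDirectory

function Find-DuplicateSyncAttributes {
    param(
        # Assumed search root; pass a narrower OU DN to limit the scope.
        [string]$SearchBase = (Get-ADDomain).DistinguishedName
    )
    $props = 'proxyAddresses', 'mail', 'userPrincipalName'
    $objects = Get-ADObject -SearchBase $SearchBase -Properties $props `
        -LDAPFilter '(|(objectClass=user)(objectClass=group)(objectClass=contact))'

    # Map: "attribute=value" (lower-cased) -> list of DNs that carry it.
    $index = @{}
    foreach ($obj in $objects) {
        $values = @()
        foreach ($addr in $obj.proxyAddresses) {
            # Compare only the address part: the SMTP:/smtp: prefix and case are
            # ignored, which is how the cloud directory treats them.
            $values += ('proxyAddresses=' + ($addr -replace '^[^:]+:', '')).ToLowerInvariant()
        }
        if ($obj.mail) { $values += ('mail=' + $obj.mail).ToLowerInvariant() }
        if ($obj.userPrincipalName) { $values += ('userPrincipalName=' + $obj.userPrincipalName).ToLowerInvariant() }
        foreach ($v in ($values | Select-Object -Unique)) {
            if (-not $index.ContainsKey($v)) { $index[$v] = New-Object System.Collections.Generic.List[string] }
            $index[$v].Add($obj.DistinguishedName)
        }
    }
    # Anything held by two or more objects is what the sync engine will reject.
    foreach ($entry in $index.GetEnumerator()) {
        if ($entry.Value.Count -gt 1) {
            [pscustomobject]@{
                Value   = $entry.Key
                Count   = $entry.Value.Count
                Objects = ($entry.Value -join '; ')
            }
        }
    }
}

Find-DuplicateSyncAttributes | Sort-Object Value | Format-Table -AutoSize -Wrap
```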

Related Articles, References, Credits, or External Links

NA

PowerShell: Add All Members of an OU to a Security Group


KB ID 0001589

Problem

I’ve written in the past about ‘Bulk Adding Users from CSV files, into Groups‘. But what if you want to add ALL users in a particular OU into a security group?

Solution

The syntax is;

Get-ADUser -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SG-Test-Group' -Members $_ }

Here I’ve got 20 users that need adding to a group, in this example the group’s in the same OU, but it does not have to be;

Add OU Members to a Security Group

You will need to close and reopen the group properties for it to refresh its membership.

PowerShell Add OU Members to a Security Group
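The one-liner above adds every user once; run it twice and Add-ADGroupMember complains about existing members. As an added example (not the post's own code), this version skips users who are already in the group, optionally includes child OUs, ignores disabled accounts by default, and supports -WhatIf. The OU and group names are the post's sample values.

```powershell
# Added example (not the post's code): idempotent "add OU members to a group".
Import-Module ActiveDirectory

function Add-OUMembersToGroup {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [Parameter(Mandatory)] [string]$SearchBase,   # e.g. 'OU=Source-OU,OU=PNL,DC=pnl,DC=com'
        [Parameter(Mandatory)] [string]$GroupName,    # e.g. 'SG-Test-Group'
        [switch]$IncludeChildOUs,                     # default: the OU itself only
        [switch]$IncludeDisabled                      # default: enabled accounts only
    )
    $scope  = if ($IncludeChildOUs) { 'Subtree' } else { 'OneLevel' }
    $filter = if ($IncludeDisabled) { '*' } else { 'Enabled -eq $true' }
    $users  = Get-ADUser -SearchBase $SearchBase -SearchScope $scope -Filter $filter

    # Current membership keyed by DN, so each user is checked without another DC round trip.
    $existing = @{}
    Get-ADGroupMember -Identity $GroupName | ForEach-Object { $existing[$_.distinguishedName] = $true }

    $toAdd = @($users | Where-Object { -not $existing.ContainsKey($_.DistinguishedName) })
    if ($toAdd.Count -eq 0) {
        Write-Verbose "Nothing to do: all $($users.Count) user(s) are already members of $GroupName"
        return
    }
    if ($PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) user(s)")) {
        # One call for the whole batch instead of one Add-ADGroupMember per user.
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }
    # Return what was (or would be) added so the run can be logged.
    $toAdd | Select-Object SamAccountName, DistinguishedName
}

# Dry run first; drop -WhatIf to make the change.
Add-OUMembersToGroup -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -GroupName 'SG-Test-Group' -WhatIf
```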

Related Articles, References, Credits, or External Links

NA

Forcing Azure AD Connect Sync


KB ID 0001590

Problem

If you are using Azure AD Connect, (AAD Connect) to sync your on-premise Active Directory with Azure AD (i.e. for Office 365), then there may be times when you need to manually ‘force a replication’, because by default it’s going to take 30 minutes between each normal ‘delta replication’.

Solution

If you are directly on the server that’s running Azure AD Connect, then use the following PowerShell. If you don’t know which server is running AD Connect, then see the following link;

Locate Your Azure AD Connect Server

Firstly you need to add in the correct module, (you only have to do this once). Though the module should be already installed on the Sync server, let’s not tempt fate and check. (You can also use Get-Module to view installed modules).

Import-Module ADSync

Note: If you get an error you may need to run Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

Then to Manually Force a Synchronisation;

To Perform a FULL Sync
Start-ADSyncSyncCycle -PolicyType Initial
To Perform a (Normal) Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

You can view the Sync settings with;

Get-ADSyncScheduler

Force Azure AD Sync

But I don’t like that, I prefer to watch synchronisations going on in the ‘Synchronization Service Manager’ console; you can spot and troubleshoot errors in here also 🙂

Troubleshoot Azure AD Sync

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock { 
Import-Module ADSync 
Start-ADSyncSyncCycle -PolicyType Delta 
}

Disable and Enable Azure AD Sync

Disable
Set-ADSyncScheduler -SyncCycleEnabled $False
Enable
Set-ADSyncScheduler -SyncCycleEnabled $True	
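Start-ADSyncSyncCycle errors out if a cycle is already running or the scheduler is disabled, which is the usual reason a ‘forced’ sync appears to do nothing. As an added example (not from the original post), this function checks Get-ADSyncScheduler first, starts the cycle locally or on a remote AAD Connect server via Invoke-Command, then waits for it to finish; the ComputerName and timeout are assumptions.

```powershell
# Added example (not the post's code): force a sync only when the scheduler is idle,
# and wait for it to complete.
function Start-AadSyncAndWait {
    param(
        [ValidateSet('Delta', 'Initial')] [string]$PolicyType = 'Delta',
        [string]$ComputerName,      # omit when running on the AAD Connect server itself
        [int]$TimeoutMinutes = 30
    )
    $block = {
        param($PolicyType, $TimeoutMinutes)
        Import-Module ADSync -ErrorAction Stop
        $sched = Get-ADSyncScheduler
        if (-not $sched.SyncCycleEnabled) {
            throw 'Sync cycle is disabled (Set-ADSyncScheduler -SyncCycleEnabled $True to re-enable).'
        }
        if ($sched.SyncCycleInProgress) {
            throw 'A sync cycle is already in progress; wait for it to finish before forcing another.'
        }
        Start-ADSyncSyncCycle -PolicyType $PolicyType | Out-Null
        # Poll the scheduler until the cycle finishes or we give up.
        $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
        do {
            Start-Sleep -Seconds 10
            $inProgress = (Get-ADSyncScheduler).SyncCycleInProgress
        } while ($inProgress -and (Get-Date) -lt $deadline)
        if ($inProgress) { throw "Sync still running after $TimeoutMinutes minutes." }
        # Return scheduler state so the caller can see when the next automatic cycle is due.
        Get-ADSyncScheduler | Select-Object SyncCycleEnabled, NextSyncCycleStartTimeInUTC, CurrentlyEffectiveSyncCycleInterval
    }
    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $block -ArgumentList $PolicyType, $TimeoutMinutes
    } else {
        & $block $PolicyType $TimeoutMinutes
    }
}

Start-AadSyncAndWait -PolicyType Delta
```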

Related Articles, References, Credits, or External Links

NA

Exchange ContentIndexState ‘Failed’


KB ID 0001591

Problem

A client from a recent Exchange migration I had done, emailed me to say that his clients were having trouble searching their mailboxes, I jumped on remotely and saw that the mailbox Database content index status was showing ‘Failed’.

ContentIndexState: Failed

Solution

I’ve had problems before with indexing here, so I replicated the fix: remove the index and generate a new one. The process is, you need to stop the Fast Search and Host Controller services, then find out where the Mailbox Database is located;

Stop-Service MSExchangeFastSearch
Stop-Service HostControllerService
Get-MailboxDatabase Mailbox-Database-Name | Select EdbFilePath

Exchange DB Indexing Failed

Go to that location; as well as the .edb file you will see the ‘index folder’, its name will just be a long GUID. DELETE that folder.

Exchange DB Delete Index

Then start those services again.

Start-Service MSExchangeFastSearch
Start-Service HostControllerService

Exchange DB Search Index

In a few minutes another index folder will ‘appear’, you will now have to wait for the index to rebuild, if you check the status now it will say ‘ContentIndexState Crawling’. It will say this for quite some time, (hours) while the new index is rebuilt.

Exchange DB Search Crawling

How To Monitor ‘Exchange Indexing’ Crawling Progress

Launch ‘Perfmon’ and remove all the counters, then add in a new one for ‘Local Computer’ > ‘MSExchange Search Index’ > ‘Crawler: Mailboxes Remaining’ > Select your database > Add > OK.

Exchange Monitor Crawling Progress

Here you can watch the number of mailboxes remaining decreasing.

Exchange Monitor Indexing Progress

When complete, the ContentIndexState should say Healthy.

Exchange Index Healthy
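The steps above as one script, added here as an example and not the post's own code: it refuses to delete anything unless the copy's ContentIndexState really is Failed, locates the GUID-named index folder beside the .edb, and restarts the services even if the delete fails. Run it in the Exchange Management Shell on the server holding the database; the database name is the post's placeholder.

```powershell
# Added example (not the post's code): reset a failed content index safely.
function Reset-MailboxDatabaseIndex {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory)] [string]$Database)

    $copy = Get-MailboxDatabaseCopyStatus -Identity "$Database\$env:COMPUTERNAME"
    if ($copy.ContentIndexState -ne 'Failed') {
        Write-Warning "$Database index state is $($copy.ContentIndexState); nothing reset."
        return $copy | Select-Object Name, ContentIndexState
    }
    $edb      = (Get-MailboxDatabase -Identity $Database).EdbFilePath.PathName
    $dbFolder = Split-Path -Path $edb -Parent
    # The index folder sits beside the .edb and its name starts with a GUID.
    $indexFolders = Get-ChildItem -Path $dbFolder -Directory |
        Where-Object { $_.Name -match '^[0-9A-Fa-f]{8}(-[0-9A-Fa-f]{4}){3}-[0-9A-Fa-f]{12}' }
    if (-not $indexFolders) { throw "No GUID-named index folder found under $dbFolder" }

    if ($PSCmdlet.ShouldProcess($dbFolder, "Delete index folder(s) $($indexFolders.Name -join ', ')")) {
        Stop-Service MSExchangeFastSearch
        Stop-Service HostControllerService
        try {
            $indexFolders | Remove-Item -Recurse -Force
        } finally {
            # Services come back up even if the delete failed part-way.
            Start-Service HostControllerService
            Start-Service MSExchangeFastSearch
        }
    }
    # Give the search service a moment to create the new folder, then report the state
    # (expect Crawling for a while, then Healthy).
    Start-Sleep -Seconds 60
    Get-MailboxDatabaseCopyStatus -Identity "$Database\$env:COMPUTERNAME" | Select-Object Name, ContentIndexState
}

Reset-MailboxDatabaseIndex -Database 'Mailbox-Database-Name'
```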

Related Articles, References, Credits, or External Links

NA

VMware Horizon: ‘VM With Unsupported Guest OS’


KB ID 0001592

Problem

Seen when attempting to deploy Windows Server 2016 as an ‘Image’ (Parent VM) with VMware Horizon View.

‘VM With Unsupported Guest OS’

I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?

Solution

In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).

By Default: VMware Horizon View does not allow server operating systems, (even though they are supported.) You just need to enable the feature! Launch Horizon Administrator, View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops‘ > OK.

Doh! That cost me two hours, (hope it saved you some time).

Related Articles, References, Credits, or External Links

NA

Adding New Networks to Cisco AnyConnect VPNs


KB ID 0001593

Problem

Note: To add new subnets to a traditional Site to Site VPN, see the following article instead;

Cisco ASA – Adding New Networks to Existing VPNs

I see this get asked in online forums A LOT. If you have an existing AnyConnect VPN setup, and then need to add another network how do you do it?

Well that depends on where the new network is, and how it’s entering the firewall, these diagrams can be either way round, but the new network will either be coming into the ASA on the same interface (i.e you’ve spun up a new network for phones, or a new department etc),  or the traffic will be coming into the ASA through a different interface, (like a DMZ, or partner network).

Option A: New Network is on another interface;

AnyConnect Remote VPN Add DMZ

Option B: New Network is on existing (inside) interface;

Note: The process for adding the new network is the same for both, BUT depending on which interface the new traffic is coming in on, this will change your NAT command. 

Warning: For this process to work you must already have a setup and working AnyConnect deployment!

Solution

Option A: New Network is on a Different Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and add a new one for the NEW interface.
  • If using Split Tunneling add the new network to the Split Tunnel ACL

Locate the NAT Exemption (or NO NAT on older Cisco firewalls) that prevents the AnyConnect traffic from getting NATed.

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

From the output above we can see the NAT exemption for the existing traffic (the first line); we simply need to add another one for the new interface (which we will call dmz).

Note: I’m using any, yours might be using a specific object or object-group, if so, you will need to create new objects or object groups for the new network(s), for the next step, I’m sticking with any!

ASA-1# configure terminal
ASA-1(config)# nat (dmz,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup

Now let’s see if we are using split tunnelling;

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

Now simply add the new subnet;

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

Option B: New Network is on the Same Interface

Tasks on ASA

  • Locate the NAT Exemption for the AnyConnect traffic, and (unless it already uses any) add a new one on the SAME interface for the new network.
  • If using Split Tunneling add the new network to the Split Tunnel ACL

Locate the NAT Exemption (or NO NAT on older Cisco firewalls) that prevents the AnyConnect traffic from getting NATed.

ASA-1(config)# show run nat 
nat (inside,outside) source static any any destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup 
nat (inside,outside) source static Obj-Local-LAN Obj-Local-LAN destination static Obj-Remote-LAN Obj-Remote-LAN no-proxy-arp route-lookup 
!

From the output above we can see the NAT exemption for the existing traffic (the first line). IMPORTANT: Because I’m using any, (yours might be using a specific object or object-group), I DON’T NEED TO ADD ANYTHING, as any already covers the newly added subnet. If you didn’t use any, then you will need to create new objects or object groups for the new network(s), and add a matching NAT exemption, like so;

ASA-1# configure terminal
ASA-1(config)# object network Obj-New-LAN
ASA-1(config-network-object)# subnet 192.168.100.0 255.255.255.0
ASA-1(config-network-object)# exit
ASA-1(config)# nat (inside,outside) source static Obj-New-LAN Obj-New-LAN destination static Obj-ANYCONNECT-SUBNET Obj-ANYCONNECT-SUBNET no-proxy-arp route-lookup

Now let’s see if we are using split tunnelling;

ASA-1# show run group-policy
group-policy DfltGrpPolicy attributes
 webvpn
  customization value Portal
group-policy GroupPolicy_AnyConnectVPN internal
group-policy GroupPolicy_AnyConnectVPN attributes
 wins-server none
 dns-server value 192.168.1.10 192.168.1.11
 vpn-tunnel-protocol ssl-client ssl-clientless
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SplitTunneling
 default-domain value petenetlive.com
 webvpn
  anyconnect profiles value AnyConnect type user
  customization value Portal
group-policy GroupPolicy3 internal
group-policy GroupPolicy3 attributes
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy2 internal
group-policy GroupPolicy2 attributes
 vpn-filter value ACL_Filter
 vpn-tunnel-protocol ikev1
group-policy GroupPolicy1 internal
group-policy GroupPolicy1 attributes
 vpn-tunnel-protocol ikev1
 webvpn
  customization value PulsantPortal

So we are using split tunnelling, and our split tunnel ACL is called SplitTunneling.

ASA-1# show run access-list SplitTunneling
access-list SplitTunneling standard permit 192.168.1.0 255.255.255.0

Now simply add the new subnet;

ASA-1(config)# access-list SplitTunneling standard permit 192.168.100.0 255.255.255.0

Related Articles, References, Credits, or External Links

NA

Horizon Client ‘Install Failed’


KB ID 0001594

Problem

When attempting to install the VMware Horizon client you see;

Horizon Client Install Failed

Well that’s very descriptive and helpful?

Solution

Firstly make sure you are NOT trying to install the client software on a Horizon Connection Server, or a Horizon Security Server! If you are not, then the easiest way to get it to install is to ‘extract’ the .msi installation files, and manually run them.

In PowerShell navigate to the folder that you downloaded the client .exe file to, and extract its contents with the following command;

.\VMware-Horizon-Client-{version-and-build-number}.exe /x

Horizon Client Install Extract MSI

It looks like nothing has happened, but the files get put in the ‘Temp’ folder in YOUR user profile. Navigate to C:\Users\{Your-Username}\AppData\Local\Temp

In this location you will find a folder containing the individual install files you require.

Horizon Client InstallInstall from msi

From here you can launch the one you want, in my case (VMware Horizon View Client (x64).msi).

Related Articles, References, Credits, or External Links

NA


VMware Horizon Machines Stuck ‘Customizing’


KB ID 0001595

Problem

In all honesty there’s lots of reasons for this.

I’ll cover the ones that have tripped me up, if you find some new ones feel free to post them below.

Solutions

Before continuing, the image needs to have the Horizon Agent installed within it, and it has to be the SAME version that your Composer and Connection servers are running, (or newer). Also your Horizon servers are connecting to VMware vCenter using an account, (in a lot of cases that will be the domain administrator account, or an account you set up for this reason); make sure that account has global administrator permissions in vSphere.

Global Permissions VMware

Also in your image install the LATEST version of VMware Tools. Note: that might be NEWER than the one that you have on your ESX servers; download it and install it manually (to do this uninstall the old VMware Tools, then uninstall the Horizon Agent, then install the NEW VMware Tools, then finally reinstall the Horizon Agent again). Note: If using Horizon Composer, make sure you install the Composer option!

Check VMware Tools Version

Horizon: Inability to get a licence from your KMS Server.

Check this first;

slmgr /dli

Horizon Status Customizing

It goes without saying you need a network connection (to the right VLAN) before KMS will work. I’ve run through KMS setup and troubleshooting here.

Horizon Sysprep Problems

For sysprep obviously you need to be deploying images with sysprep and NOT quick prep, if you are using sysprep check the error log, (if the error log is empty, then sysprep is not your problem).

Navigate to: C:\Windows\System32\Sysprep\Panther\setuperr.log

Sysprep Client Log

Sysprep Problem 1

Problem 0x0f0043 Failed DeleteInstance AntiSpywareProduct

Error      [0x0f0043] SYSPRP WinMain:The sysprep dialog box returned FALSE
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0
Error                 SYSPRP MRTGeneralize:107 - ERROR: Failed DeleteInstance AntiSpywareProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904
Error                 SYSPRP MRTGeneralize:116 - ERROR: Failed DeleteInstance AntiVirusProduct.instanceGuid="{D68DDC3A-831F-4FAE-9E44-DA132C1ACF46}" hr=2147749904

Seen On Window Server 2016 and Windows 10: In your Source Image you need to remove Windows Defender, like so;

Uninstall-WindowsFeature Windows-Defender-Features

Remove Windows Defender

Sysprep Problem 2

Problem 0x0f0073

Error      [0x0f0073] SYSPRP RunExternalDlls:Not running DLLs; either the machine is in an invalid state or we couldn't update the recorded state, dwRet = 0x1f
Error                 SYSPRP WinMain:Hit failure while processing sysprep re-specialize internal providers; hr = 0x8007001f
Error                 SYSPRP Error 0x-2147417850: Failed to re-enable Compat-Gentel custom trigger.[gle=0x0000047e]
Error                 SYSPRP setupdigetclassdevs failed with error 0

This is happening because the machine you are using as your image has been sysprepped too many times; you need to make some changes on the reference image to reset/rearm it, so it can be sysprepped.

On your image machine run regedit and navigate to;

HKLM > SYSTEM > Setup > Status > Sysprep Status

Ensure the following;

  • CleanupState is set to 2
  • GeneralizationState is set to 7

Windows Reset VL Rearm

Open an administrative command window and execute the following commands;

msdtc -uninstall
msdtc -install

Windows Reset Activation Limit

Back in registry editor navigate to

HKLM > SOFTWARE > Microsoft > Windows NT > CurrentVersion > SoftwareProtectionPlatform

Set SkipRearm to 1

Windows Skip Rearm

Try again.
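Before touching the image, it helps to know which of the two sysprep problems above you actually have. As an added example (not from the original post), this function reads setuperr.log for the 0x0f0043 and 0x0f0073 signatures and reports the registry values (CleanupState, GeneralizationState, SkipRearm), the Windows Defender feature state and the remaining rearm count; it changes nothing. The registry key names are the real ones the post points at.

```powershell
# Added example (not the post's code): diagnose which sysprep failure an image has.
function Test-SysprepImageState {
    param([string]$LogPath = "$env:SystemRoot\System32\Sysprep\Panther\setuperr.log")

    $findings = @()
    if (Test-Path $LogPath) {
        $log = Get-Content -Path $LogPath -Raw
        if ($log -match '0x0f0043|Failed DeleteInstance Anti(Spyware|Virus)Product') {
            $findings += 'Problem 1 (0x0f0043): Windows Defender still present in the image; remove Windows-Defender-Features.'
        }
        if ($log -match '0x0f0073|hr = 0x8007001f') {
            $findings += 'Problem 2 (0x0f0073): image sysprepped too many times; reset Sysprep Status, reinstall msdtc, set SkipRearm.'
        }
        if ($findings.Count -eq 0) { $findings += 'setuperr.log has no known signature; inspect it manually.' }
    } else {
        $findings += 'setuperr.log not found (or empty); sysprep is probably not the problem.'
    }

    # Registry values the Problem 2 fix expects (HKLM\SYSTEM\Setup\Status\SysprepStatus and
    # HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform).
    $status = Get-ItemProperty -Path 'HKLM:\SYSTEM\Setup\Status\SysprepStatus' -ErrorAction SilentlyContinue
    $spp    = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform' -ErrorAction SilentlyContinue

    # Get-WindowsFeature only exists on Server; on a client OS report it as not applicable.
    $defender = 'n/a (client OS)'
    if (Get-Command Get-WindowsFeature -ErrorAction SilentlyContinue) {
        $feature = Get-WindowsFeature -Name Windows-Defender-Features -ErrorAction SilentlyContinue
        if ($feature) { $defender = $feature.Installed }
    }

    [pscustomobject]@{
        Findings            = $findings
        CleanupState        = $status.CleanupState          # expected 2
        GeneralizationState = $status.GeneralizationState   # expected 7
        SkipRearm           = $spp.SkipRearm                # expected 1 for the Problem 2 fix
        DefenderInstalled   = $defender
        RemainingRearms     = (Get-CimInstance SoftwareLicensingService).RemainingWindowsReArmCount
    }
}

Test-SysprepImageState | Format-List
```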

Related Articles, References, Credits, or External Links

NA

Windows: Joining Azure AD (AAD)


KB ID 0001596

Problem

With more people looking at Microsoft 365 (as opposed to Office 365), then the amount of people who want to join their Windows machines to Azure Active Directory is only going to go up. This is how to join your Windows client devices to Azure Active Directory.

Solution

Microsoft have done a good job of hiding where you need to be: Start > Settings > Accounts.

Account Setting Windows 10

Access Work or School > Connect.

Join Azure AD domain

STOP! If you put your credentials in here you will NOT join the machine to Azure AD, you will perform an Azure Workplace Join (or be Azure Registered); that’s NOT WHAT WE WANT > Select ‘Join This Device to Azure Active Directory’.

Join Windows 10 to Azure AD domain

Enter your Azure AD/Office 365 Credentials > Next.

Sign Into Azure AD

Join.

Join Azure Active Directory

Done.

Join Win 10 to Azure Active Directory

The machine will now show that it’s connected to Azure AD.

Azure AAD Join Status

Note: The login screen now changes to ‘Sign in to: Your Work or School account‘.

Log into Windows with Azure Credentials

How To Leave / Disconnect From Azure AD

Same place as above, select the connection and simply click ‘Disconnect‘.

Disconnect from Azure AD

Related Articles, References, Credits, or External Links

NA

Moving Certificate Services To Another Server


KB ID 0001473

Problem

If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straightforward.

BE AWARE: We are moving the CA Server, NOT the server name/FQDN; the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that’s what we are going to move.

So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I can’t see the point of?

In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OCSP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Solution

On the ‘Source‘ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.

Transfer CA to Another Server

The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.

Backup CA Settings Wizard

Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;

HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {CA-NAME}

Export a copy of this key, (save it in the same folder that you backed up to earlier).

Export CA Settings Windows 2016

Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.

Remove Roles Server 2016

REMOVE all the CA role services first! > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.

Remove CA Roles Windows 2016

Next > Next > Next > Close.

Transfer Certificate Services to Server 2016

Setup Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next.

Install Role or Feature 2016

Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.

Install CA Role 2016

For now let’s just stick with the Certification Authority > Add the other role services later* > Next.

*Note: I’ve written about all these role services before; just use the search function (above) if you are unsure what they all do.

Install Certificate Services Role 2016

Next > Close.

Setup Certificate Services

Warning > Configure Active Directory Certificate Services > Next.

Restore Certificate Services

Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.

Configure 2016 Certificate Services

Select ‘Use existing private key’ > Select ‘Select a Certificate and use its associated private key’ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.

Restore Certificate Services Different Server

Next > Next > Configure > Close.

Migrate Certificate Services Different Server

Stop Certificate Services;

net stop certsvc

Stop Certificate Services

If your new server has a different hostname/FQDN, open the registry file you exported above with Notepad, then locate and change the CAServerName entry to the name of the NEW server.

Change CA Server Name

Right click the registry backup > Merge > Yes > OK.

Import CA Settings to Registry

Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.

Restore Windows CA

The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.

2016 Restore Windows CA Wizard

You will be prompted to start the Certificate Services service > Yes.

Restart Restored Windows CA
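The source-server half of this procedure (back up the CA, export its registry key, edit CAServerName) can be scripted. As an added example (not from the original post), this PowerShell uses Backup-CARoleService from the ADCSAdministration module plus reg.exe export, and writes a second copy of the .reg file with CAServerName already changed so the original export stays untouched. The backup folder and new server name are assumptions; run it elevated on the SOURCE CA.

```powershell
# Added example (not the post's code): source-side CA backup for a migration.
function Backup-CAForMigration {
    param(
        [Parameter(Mandatory)] [string]$BackupPath,      # e.g. 'C:\CA-Backup'
        [Parameter(Mandatory)] [string]$NewServerName,   # hostname of the target CA server
        [Parameter(Mandatory)] [securestring]$Password   # protects the exported private key
    )
    Import-Module ADCSAdministration -ErrorAction Stop
    New-Item -ItemType Directory -Path $BackupPath -Force | Out-Null

    # Same as the "Back up CA" wizard with both boxes ticked: key/cert plus the database.
    Backup-CARoleService -Path $BackupPath -Password $Password -Force

    # The CA's own name is held in the Configuration key's "Active" value.
    $cfgKey = 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
    $caName = (Get-ItemProperty -Path "HKLM:\$($cfgKey.Substring(5))").Active
    $regFile = Join-Path $BackupPath "$caName.reg"
    & reg.exe export "$cfgKey\$caName" $regFile /y | Out-Null

    # .reg exports are UTF-16; rewrite the CAServerName line into a second copy
    # that is merged on the NEW server (the original export is kept as-is).
    $content = Get-Content -Path $regFile -Encoding Unicode
    $patched = $content -replace '^("CAServerName"=)".*"$', ('$1"' + $NewServerName + '"')
    $patchedFile = Join-Path $BackupPath "$caName-$NewServerName.reg"
    $patched | Set-Content -Path $patchedFile -Encoding Unicode

    [pscustomobject]@{
        CAName         = $caName
        BackupFolder   = $BackupPath
        RegistryExport = $regFile
        PatchedExport  = $patchedFile   # merge this one on the new server after net stop certsvc
    }
}

Backup-CAForMigration -BackupPath 'C:\CA-Backup' -NewServerName 'NEW-CA-SERVER' `
    -Password (Read-Host -AsSecureString 'Backup password')
```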

Related Articles, References, Credits, or External Links

NA

Find The Azure AD Join Type


KB ID 0001597

Problem

I recently did a post about Joining Azure AD. While working on that I found out there were two different Azure AD ‘States’.

  • Azure AD Joined: Aimed at Corporate owned machines joined to Azure AD, (or CYOD devices).
  • Azure AD Registered (Was called Workplace Joined, and still is if you work in PowerShell). Aimed at BYOD devices.

Of course your Windows clients can also still be Domain Joined, or simply Workgroup Joined. But you can’t be Domain Joined and Azure AD Joined. Though, to be even more confusing, you can be Domain Joined and Azure AD Registered.

How To Find out if a Machine is Azure AD Joined, Azure AD Registered, or Domain Joined

Azure AD Joined

The command you need to use is;

dsregcmd /status

Look for AzureADJoined : YES. Also take a note of the DeviceId.

Check Azure AD Domain Join

To check with PowerShell, first you need to connect with Connect-MsolService and log into Azure AD. Then you can query a DeviceId’s status with the following command.

Get-MsolDevice -DeviceId {Device-ID-From-Above}

Look for DeviceTrustType: Azure AD Joined.

Check Azure AD Domain Join

From within Azure > Azure Active Directory > Devices > Locate the Device in question > Join Type: Azure AD Joined.

Azure AD Join Status Portal

Azure AD Registered (Workplace Joined)

When a device is Azure AD Registered it has been connected from a logged on account, via the Access Work or School wizard. You can see this only if you’re logged on as that user! Settings > Accounts > Access work or School > Look for an entry under ‘Connect’.

Workplace Joined

If you are not logged on as the user then run the same command we ran above;

dsregcmd /status

And look for a WorkplaceDeviceId.

Windows School or Work

Then use the same PowerShell commands as above.

First you need to connect with Connect-MsolService and log into Azure AD. Then you can query a DeviceId’s status with the following command.

Get-MsolDevice -DeviceId {Device-ID-From-Above}

Look for DeviceTrustType: Workplace Joined. (Yeah very consistent, thanks Microsoft ‘half a job’ developers!)

Powershell Azure AD WORKPLACE JOINED

Domain Joined

You can use the same command to view Local (On-Prem) Domain Joined status.

dsregcmd /status

And look for DomainJoined : Yes, and DomainName : {Your-Domain-Name}.

Local Domain Joined

Of course as always you can see the information on your computer’s ‘Properties’, like so;

Show Windows Domain Info

Note: An Azure AD Joined Machine does not show details here, in fact it says it’s workgroup joined! (Again thanks Microsoft, we’ve only looked here since Windows NT4, would it have been that much more work to update this as well?)
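Since dsregcmd /status is the one command that answers all three questions above, here is an added example (not from the original post) that parses its ‘Key : Value’ lines into a hashtable and classifies the join state, returning the DeviceId or WorkplaceDeviceId you would then feed to Get-MsolDevice. The sample output is constructed to look like the real thing; call the function with no argument to run it against the live command.

```powershell
# Added example (not the post's code): classify a machine from dsregcmd /status output.
function Get-JoinState {
    param([string[]]$StatusLines)
    if (-not $StatusLines) { $StatusLines = dsregcmd /status }   # live query when no sample given

    $kv = @{}
    foreach ($line in $StatusLines) {
        # Data lines look like "   AzureAdJoined : YES"; section banners have no colon.
        if ($line -match '^\s*(\S+)\s*:\s*(.*?)\s*$') { $kv[$matches[1]] = $matches[2] }
    }
    $azure  = $kv['AzureAdJoined']   -eq 'YES'   # Device State section
    $domain = $kv['DomainJoined']    -eq 'YES'   # Device State section
    $wpj    = $kv['WorkplaceJoined'] -eq 'YES'   # User State section (logged-on user only)

    $type = if ($azure -and $domain)   { 'Azure AD Joined and Domain Joined (hybrid)' }
            elseif ($azure)            { 'Azure AD Joined' }
            elseif ($domain -and $wpj) { 'Domain Joined and Azure AD Registered' }
            elseif ($wpj)              { 'Azure AD Registered (Workplace Joined)' }
            elseif ($domain)           { 'Domain Joined' }
            else                       { 'Workgroup' }

    [pscustomobject]@{
        JoinType          = $type
        DomainName        = $kv['DomainName']
        DeviceId          = $kv['DeviceId']            # for Get-MsolDevice -DeviceId
        WorkplaceDeviceId = $kv['WorkplaceDeviceId']   # for a registered (BYOD) device
    }
}

# Constructed sample, shaped like dsregcmd output, for an Azure AD Joined machine.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Device Details                                                       |
+----------------------------------------------------------------------+
                  DeviceId : 00000000-0000-0000-0000-000000000001
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-JoinState -StatusLines $sample   # JoinType: Azure AD Joined
```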

Related Articles, References, Credits, or External Links

NA

Adding a Windows Server 2019/2016 Domain Controller


KB ID 0001262

Problem

Once upon a time, adding a domain controller that was running a newer version of the Windows Server family involved opening command line and schema prepping, and GP prepping etc. Now all this happens in the background while the wizard is doing the heavy lifting for you.

Solution

2008 to 2019

2008 to 2016

Obviously the server needs to be a domain member first!

  • For Server 2019 Forest and Domain Functional levels need to be at ‘Windows Server 2008‘. (The documentation says 2008 R2, but Server 2008 also works flawlessly).
  • For Server 2016 Forest and Domain Functional levels need to be at ‘Windows Server 2003‘.

Before You Start!

Remember if your ‘retiring’ domain controller is also a DNS/DHCP server you will also need to address that, and make sure you don’t have a service or device that queries the old domain controller directly (Radius Devices, Firewalls, RSA Appliances, Proxy Filters, Security door software, etc).

Procedure

With a vanilla install Server Manager will open every time you boot, (unless you’ve disabled it!) To open it manually, run ‘servermanager.exe’ > Manage > Add Roles and Features.

I usually tick the ‘Skip this page by default’ option > Next.

2016 Server Adding Roles

Role Based… > Next.

Windows Server 2016 Roles

Ensure the local server is selected, (if you are managing another server, you can of course do the role install from here as well, but let’s keep things simple) > Next.

2016 Server Add Local Role

Select Active Directory Domain Services > Next.

2016 Active Directory Role

Next.

2016 Domain Controller Adding

Next.

Active Directory Services 2016

Ensure ‘Restart’ is selected > Next.


Next.


Promote Windows Server To Domain Controller

Back in Server Manager > In the ‘Notifications’ section, click the warning triangle > ‘Promote This Server To Domain Controller’.


Assuming you already have a domain, and this is not a greenfield Install > Add a domain controller to an existing domain > Next.


Type and confirm a Directory Services Restore Mode (DSRM) password; make it something you will remember in a crisis, or store it securely somewhere > Next.


This is fine. You see this error because it’s trying to create a delegation for this DNS zone, and there isn’t a Windows server above you in the DNS hierarchy. For example if your domain name is petenetlive.co.uk, then I do not have access to create a delegation in the .co domain space. (So you can safely ignore it) > Next


If you have a backup of AD you can ‘Install From Media’. This used to be handy on remote sites that had awful bandwidth, as it saved you having to replicate a large Active Directory over a ‘pants’ connection > I’ve not had to do that in a long time > Next.

2016 Active Directory Install From Media

Unless you want to change the default AD install locations > Next.

2016 AD install Location

Next.

Review 2016 Domain Install

Read any warnings > Install.

2016 Domain Pre-Requisites

Go have a coffee, we ticked ‘reboot’ earlier so it will complete, then reboot the server, which will come back up as a domain controller.

Reboot Domain Controller

You will notice, (if you’re interested,) that your schema version is now 88 (Server 2019), or 87 (Server 2016).

Schema Version 88 2019

 

2016 Schema Version
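The same ‘add a domain controller to an existing domain’ procedure as the wizard above, done from PowerShell, as an added example that is not part of the original article. The domain name, site name and credential are placeholders; it assumes you run it elevated on the server being promoted.

```powershell
# Added example (not from the original article): promote a server to a DC in an existing
# domain from PowerShell, with the prerequisite check and the schema-version check included.
Install-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools

$DomainName = 'petenetlive.com'          # placeholder: your AD DNS domain name
$SiteName   = 'Default-First-Site-Name'  # placeholder: the AD site this DC belongs in
$Cred       = Get-Credential -Message 'Domain Admin account used for the promotion'
# DSRM password: prompt for it rather than embedding it in a script.
$Dsrm       = Read-Host -AsSecureString 'Directory Services Restore Mode password'

# Equivalent of the wizard's prerequisites page: nothing is changed if this fails.
$check = Test-ADDSDomainControllerInstallation -DomainName $DomainName -Credential $Cred `
             -InstallDns -SafeModeAdministratorPassword $Dsrm
if ($check | Where-Object { $_.Status -ne 'Success' }) {
    $check | Format-List Message, Status
    throw 'Prerequisite check failed, fix the messages above before promoting.'
}

# -CreateDnsDelegation:$false matches the DNS delegation warning you can safely ignore;
# -NoRebootOnCompletion:$false lets it reboot, as 'Restart' was ticked in the wizard.
Install-ADDSDomainController -DomainName $DomainName -Credential $Cred -SiteName $SiteName `
    -InstallDns -CreateDnsDelegation:$false -SafeModeAdministratorPassword $Dsrm `
    -NoRebootOnCompletion:$false -Force

# After the reboot, confirm the schema version: 88 = Server 2019, 87 = Server 2016.
(Get-ADObject (Get-ADRootDSE).schemaNamingContext -Properties objectVersion).objectVersion
```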

Find out your Domain Schema Version

Related Articles, References, Credits, or External Links

NA

Adding Rights to Public Folders (Recursively)


KB ID 0001598

Problem

After a recent Exchange migration (2007 > 2013 > 2016), I had problems with users not being able to see public folders. One user could see them all, (so I knew they were present and correct, content wise,) but other users could not even see them.

Normally in this situation I’d test them in Outlook Web App first, and if they work there, look at Outlook, but public folders just didn’t work in Outlook Web App 2016 at all.

My first task was to check/set the permissions of the public folders. The one user who could see them was set as ‘Owner’ on the root of the public folders, so my first step was working out how to grant myself those rights, and apply them to all the child public folders below.

Note: Granting a user ‘Owner‘ rights at the root has obvious security implications, in your scenario you might want to choose ‘Reviewer’, or some other level of access.

View Existing Public Folder ‘Root’ Permissions

Simply use the following PowerShell in the Exchange Management Shell;

Get-PublicFolderClientPermission "\"

If you just wanted to check for one user, then do this instead;

Get-PublicFolder -Identity "\" -Recurse | Get-PublicFolderClientPermission | Where-Object { $PSItem.User -like "SURNAME*" }

Note: If you are working on a particular ‘child’ Public Folder then the syntax is “\FOLDER NAME”.

Granting Public Folder Rights Recursively

Use the following PowerShell in the Exchange Management Shell;

Get-PublicFolder -Identity "\" -Recurse | Add-PublicFolderClientPermission -User pete.long -AccessRights Owner

Add Public folder Owner Permissions Recursively

If it complains that this user already has rights, recursively remove all of their rights (see below) and then re-execute the command above.

Removing Public Folder Rights Recursively

Use the following PowerShell in the Exchange Management Shell;

Get-PublicFolder -Identity "\" -Recurse | Remove-PublicFolderClientPermission -User pete.long
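An added example (not from the original article) that covers the three steps above in one script: audit who holds ‘Owner’ anywhere in the tree, then grant one user a chosen level on every folder, updating an existing entry in place so the ‘user already has rights’ failure never forces you to strip all rights first. It assumes the Exchange Management Shell; the user name and access level are placeholders.

```powershell
# Added example (not from the original article). Run in the Exchange Management Shell.
$User   = 'pete.long'   # placeholder
$Rights = 'Reviewer'    # least privilege: grant Owner only where someone genuinely needs it

$folders = Get-PublicFolder -Identity '\' -Recurse

# 1. Audit: every folder where a real user (not the built-in Default/Anonymous) is an Owner.
$folders | Get-PublicFolderClientPermission |
    Where-Object { $_.AccessRights -contains 'Owner' -and
                   "$($_.User)" -notin 'Default', 'Anonymous' } |
    Select-Object Identity, User, AccessRights

# 2. Grant or update, folder by folder.
foreach ($folder in $folders) {
    $existing = Get-PublicFolderClientPermission -Identity $folder.Identity -User $User `
                    -ErrorAction SilentlyContinue
    if ($null -eq $existing) {
        Add-PublicFolderClientPermission -Identity $folder.Identity -User $User -AccessRights $Rights
    }
    elseif (@($existing.AccessRights) -notcontains $Rights) {
        # Entry exists with different rights: replace it rather than removing and re-adding.
        Set-PublicFolderClientPermission -Identity $folder.Identity -User $User `
            -AccessRights $Rights -Confirm:$false
    }
}
```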

Related Articles, References, Credits, or External Links

NA

Management Framework 5.1 Update Not Applicable


KB ID 0001599

Problem

Seen while attempting to install Microsoft Management Framework 5.1 on Server 2012 R2, (to upgrade PowerShell).


The update is not applicable to your computer

Windows Update Standalone Installer
The update is not applicable to your computer

Solution

Well, in the end it turns out I was being a doofus! I was installing W2K12-KB3191565-x64.msu, which is for Server 2012 (not Server 2012 R2!) Look a bit lower, you need Win8.1AndW2K12R2-KB3191564-x64.msu.

5 1 framework for server 2012 R2

The solution was in front of me the whole time!

Related Articles, References, Credits, or External Links

NA


Windows Server: Stop Programs Auto Starting / Auto Running


KB ID 0001600

Problem

I like to learn the keyboard shortcuts for these sorts of things, (because developers will change the way things are done in the GUI). So in the good old days I simply ran msconfig, located the offending software on the startup list and disabled it. Then that got removed and put in ‘Task Manager’, then that got removed. So I’m pulling a frowny face at Microsoft Developers for their lack of continuity 🙁 (It’s not just them, Cisco and VMware are just as bad!)

I’ve got an administration server I use, (Server 2016,) and it’s got a load of software on there that usually would not be on a server, Skype Client, Citrix Client etc. So how do I stop them autoloading?

Solution

Well I could start digging around in the registry manually, but a much simpler option is to download and run AutoRuns;

Server Stop Programs Auto Start

Either untick the offender or right click and go to the source and manually disable it yourself.
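If you do want to see the registry and folder locations Autoruns is reading before you untick anything, here is an added example (not from the original article) that lists the standard Run/RunOnce keys and Startup folders on the local server. It changes nothing; the value name in the closing comment is a placeholder.

```powershell
# Added example (not from the original article): list the common autostart locations.
function Get-AutostartEntry {
    $keys = @(
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run',
        'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce',
        'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
        'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    )
    foreach ($key in $keys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            if ($p.Name -like 'PS*') { continue }   # skip PSPath, PSProvider etc.
            [pscustomobject]@{ Location = $key; Name = $p.Name; Command = $p.Value }
        }
    }
    # Per-user and all-users Startup folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        Get-ChildItem -Path $path -File -ErrorAction SilentlyContinue | ForEach-Object {
            [pscustomobject]@{ Location = $path; Name = $_.Name; Command = $_.FullName }
        }
    }
}

Get-AutostartEntry | Format-Table -AutoSize
# Once you are sure of an entry, remove only that value, e.g. (placeholder value name):
# Remove-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'SomeClient'
```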

Related Articles, References, Credits, or External Links

Massive thanks to Sysinternals and Mark Russinovich, who has been bailing me out of the mire for many years!

EVE-NG on VMware ESX Strange ARP Problems?


KB ID 0001601

Problem

I use EVE-NG a lot, it’s an awesome tool. Also I’m lucky enough to have my own ESX servers, so that’s where it lives. I’ve noticed this problem before, but I’ve either given up and done something else, or it’s manifested itself in an ‘odd’ way that I could work around.

If you’re new to connecting EVE-NG to a live network you might want to read the following post first;

EVE-NG (VMware) Connecting to the Internet

When setting up a new lab, I connected a Cisco IOL router to my cloud object, and it successfully got an IP from DHCP, but could not communicate with the outside world. So I replaced it with a Cisco (Dynamips) router, same thing! So I replaced that with a Cisco ASAv, same thing!

EVE-NG Not connecting to Network

I moved the EVE-NG machine onto its own standard vSwitch, (no difference).


EVE-NG Not connecting vSwitch

I hadn’t committed the ‘schoolboy error‘ of forgetting to allow promiscuous mode on the port group.

EVE-NG Promiscuous Mode

I could also see from my physical network that there was layer 2 connectivity happening, as it was in the ARP cache of my core switch.

EVE-NG ESX ARP Issue

I did notice that if I waited for a long time, it would start working, so (on the Core Switch) I flushed the ARP cache and pinged the EVE-NG device, got a response, and then it worked fine from EVE-NG, (for a while, in a manner of speaking!) If I tried to NAT any other traffic, or do anything else, then the problem returned. I could keep flushing the ARP cache on the switch, but that’s a bit annoying?

Solution

Well, (in my case) the problem turned out to be that I have ‘teamed’ physical NICs on the vSwitch, which you can see above (vmnic0 and vmnic7). AS SOON as I removed one, and only had one physical uplink, it worked faultlessly?

EVE-NG on ESXi ARP Problem

Everything works now.

EVE-NG To Internet Problem

Note: I tried changing the load balancing algorithms to ‘Route based on IP hash’, ‘Route based on source MAC hash’, and even ‘Use Explicit failover order’, none of these worked.

I did see other people in forums saying, ‘I only have one physical uplink’. I’m suspecting that in their case promiscuous mode was missing, but feel free to comment below if anyone manages a better work-around / fix / explanation.

Related Articles, References, Credits, or External Links

NA

Cisco ASA Site to Site IKEv2 VPN Static to Dynamic


KB ID 0001602

Problem

Site to Site VPNs are easy enough: define some interesting traffic, tie that to a crypto map (which decides where to send the traffic), create some phase 1 and phase 2 policies, wrap the whole lot up in a tunnel-group, and you’re done! But there needs to be a ‘peer address’ in the crypto map, and if one end of the VPN is on DHCP that address is likely to change, so you can’t supply that?

The solution is quite simple. Cisco had to address this years ago when they had remote IPSec VPN clients: you use a dynamic crypto map, and because you can’t have a tunnel-group named after the peer address either, you use the DefaultL2LGroup, (this gets used when a specific IP address is not defined).

ASA-Static-To-Dynamic-VPN

Note: If you have many remote sites using DHCP why not consider configuring EZVPN instead?

Static IP ASA Config

Use the following, change the values in red, to suit your own requirements;

!
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
!
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit IP object OBJ-MAIN-SITE-LAN object OBJ-REMOTE-SITE-LAN
nat (inside,outside) source static OBJ-MAIN-SITE-LAN OBJ-MAIN-SITE-LAN destination static OBJ-REMOTE-SITE-LAN OBJ-REMOTE-SITE-LAN
!
crypto ipsec IKEv2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto dynamic-map DMAP-VPN 10 set IKEv2 ipsec-proposal IPSEC-PROP-1
crypto dynamic-map DMAP-VPN 10 set reverse-route
!
crypto map outside_map 999 ipsec-isakmp dynamic DMAP-VPN
crypto map outside_map interface outside
!
crypto IKEv2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
!
crypto IKEv2 enable outside
!
group-policy GP-SITE-2-SITE internal
group-policy GP-SITE-2-SITE attributes
 vpn-idle-timeout none
 vpn-session-timeout none
 vpn-filter none
 vpn-tunnel-protocol IKEv2 
tunnel-group DefaultL2LGroup general-attributes
 default-group-policy GP-SITE-2-SITE
tunnel-group DefaultL2LGroup ipsec-attributes
 IKEv2 remote-authentication pre-shared-key Password123
 IKEv2 local-authentication pre-shared-key Password123
!

Dynamic IP ASA Config

As above, change the values in red, to suit your own requirements, (this is essentially just a normal site to site IKEv2 config!)

!
object network OBJ-REMOTE-SITE-LAN
 subnet 192.168.2.0 255.255.255.0
!
object network OBJ-MAIN-SITE-LAN
 subnet 192.168.1.0 255.255.255.0
!
access-list VPN-INTERESTING-TRAFFIC extended permit IP object OBJ-REMOTE-SITE-LAN object OBJ-MAIN-SITE-LAN
nat (inside,outside) source static OBJ-REMOTE-SITE-LAN OBJ-REMOTE-SITE-LAN destination static OBJ-MAIN-SITE-LAN OBJ-MAIN-SITE-LAN
!
crypto ipsec IKEv2 ipsec-proposal IPSEC-PROP-1
 protocol esp encryption aes-256
 protocol esp integrity sha-1
!
crypto map outside_map 1 match address VPN-INTERESTING-TRAFFIC
crypto map outside_map 1 set pfs group5
crypto map outside_map 1 set peer 1.1.1.1
crypto map outside_map 1 set IKEv2 ipsec-proposal IPSEC-PROP-1
crypto map outside_map interface outside
!
crypto IKEv2 policy 2
 encryption aes-256
 integrity sha512
 group 24
 prf sha512
 lifetime seconds 86400
!
crypto IKEv2 enable outside
!
group-policy GroupPolicy_1.1.1.1 internal
group-policy GroupPolicy_1.1.1.1 attributes
 vpn-tunnel-protocol IKEv2
tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 general-attributes
 default-group-policy GroupPolicy_1.1.1.1
tunnel-group 1.1.1.1 ipsec-attributes
 IKEv2 remote-authentication pre-shared-key Password123
 IKEv2 local-authentication pre-shared-key Password123
!

Related Articles, References, Credits, or External Links

NA

PowerCLI: Connect-VIServer Certificate Errors


KB ID 0001603

Problem

When attempting to connect to a vCenter or ESXi host, you see the following error;

Connect-VIServer certificate error 

Connect-VIServer : {Date} {Time}  Connect-VIServer Error: Invalid server certificate. Use Set-PowerCLIConfiguration 
to set the value for the InvalidCertificateAction option to Prompt if you'd like to connect once or to add a 
permanent exception for this server.
Additional Information: Could not establish trust relationship for the SSL/TLS secure channel with authority
'{Server-Name}'.
At line:1 char:1
+ Connect-VIServer
+ ~~~~~~~~~~~~~~~~
    + CategoryInfo          : SecurityError: (:) [Connect-VIServer], ViSecurityNegotiationException
    + FullyQualifiedErrorId : Client20_ConnectivityServiceImpl_Reconnect_CertificateError,VMware.VimAutomation.ViCore.
   Cmdlets.Commands.ConnectVIServer

Solution

Well you can either ‘Sort out your certificates properly’, or ‘Drag down the self signed certificate and install it’, or simply execute the following command;

Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false

PowerCLI Certificate Errors

Try again.
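The ‘Ignore’ setting above turns certificate checking off for every PowerCLI connection, so here is an added example (not from the original article) of the ‘install the self signed certificate’ route instead: it fetches the host’s certificate, shows the thumbprint for you to verify out of band, adds it to the machine Root store, and leaves PowerCLI strict. The server name is a placeholder, and it assumes an elevated Windows PowerShell session with PowerCLI loaded.

```powershell
# Added example (not from the original article): trust one self-signed vCenter/ESXi
# certificate explicitly rather than ignoring all invalid certificates.
$Server = 'vcenter.example.com'   # placeholder

function Get-RemoteCertificate {
    param([string]$HostName, [int]$Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # The callback accepts anything only so the certificate can be read; nothing
        # else is sent over this connection.
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($HostName)
        return New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally { $tcp.Close() }
}

$cert = Get-RemoteCertificate -HostName $Server
"Subject:    {0}`nIssuer:     {1}`nThumbprint: {2}" -f $cert.Subject, $cert.Issuer, $cert.Thumbprint
# Check the thumbprint against the one shown on the host (vSphere client / DCUI) first.

# Only a genuinely self-signed certificate (subject equals issuer) belongs in Root;
# a VMCA-issued one means you should install the issuing CA certificate instead.
if ($cert.Subject -ne $cert.Issuer) { throw 'Not self-signed: install the issuing CA certificate.' }

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('Root', 'LocalMachine')
$store.Open('ReadWrite')
$store.Add($cert)
$store.Close()

# Keep PowerCLI failing on bad certificates, then connect as normal.
Set-PowerCLIConfiguration -InvalidCertificateAction Fail -Scope User -Confirm:$false
Connect-VIServer -Server $Server
```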

Related Articles, References, Credits, or External Links

NA

Bring up a VPN Tunnel From the ASA


KB ID 0001604

Problem

A colleague was doing a firewall migration yesterday and I offered to sit in, in case he had any problems. One of the tasks was a VPN tunnel getting migrated, this is usually painless, (if you have control of both ends!) But in this case we didn’t, and it’s usually the case, when there are VPN problems, that the people at the {ahem} ‘less experienced’ end of the tunnel tend to blame the other end.

ASA-Bring-Up-VPN-Tunnel-VPN

I asked if we could get on the client’s servers to set up a constant ping, (to force the tunnel up as soon as the far side had changed peer ip addresses). But we couldn’t, I was asked ‘Can we not bring the tunnel up from the ASA?’

Solution

Note: To save people emailing me to ask, the above is virtualised using EVE-NG in VMware ESX.

Well, yes you can do this, BUT there are some caveats;

  • The inside IP of the ASA needs to be part of the ACL that declares ‘interesting traffic’, i.e. the one matched in the crypto map.
  • The inside IP of the ASA needs to also be in the NAT exemption for the VPN traffic.
  • ‘management-access inside’ needs to be enabled in the config, (so traffic can be sourced from it).

Then, (assuming 192.168.1.10 is an IP address at the far-end of the VPN tunnel), use the following syntax;

ping inside 192.168.1.10

Note: This assumes your inside interface is called ‘inside‘, yours may be called LAN, or Inside, or something else.

Well, my IP is on a different range to the inside interface, or I can’t enable management-access inside, and/or my IPs are not in the NAT exemption! Jeez, there’s always one! Well, in your case you can simulate VPN traffic to bring the tunnel up with packet-tracer, like so;

packet-tracer input inside tcp 172.16.1.1 80 192.168.1.10 80

Note: This assumes 172.16.1.1 is at YOUR site and 192.168.1.10 is at the OTHER site, and your interesting traffic ACL permits TCP port 80, (most of them permit all ports, but you may be in a more secure environment, so check).

Related Articles, References, Credits, or External Links

NA
