Thursday, October 8, 2015

Find Name (and IP) of Domain controller in network

You are working at (or discovering) a client site and you want to determine the domain controllers.
There are many sources and methods to skin this cat. Here is a digest of a few of the best methods.

nslookup from command line
nslookup
set type=all
_ldap._tcp.dc._msdcs.DOMAIN_NAME
*probably the most standard, all you need is any Windows machine

from command line
set l                              (Lowercase "L")
*will only show the domain controller that authenticated you - does not show all domain controllers

From command line
gpresult /r
*will only show the domain controller that provided group policy to you at logon - does not show all domain controllers

From PowerShell
Import-Module ActiveDirectory
Get-ADDomainController | select name
*assumes you have RSAT and powershell installed
*only shows a domain controller not all domain controllers

My personal favorite
From command line
nltest /dclist:domain
*shows all domain controllers and their AD site
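Added example (not from the original post): the DNS record the nslookup method above queries, pulled and resolved from PowerShell, then cross-checked against what AD itself reports. Assumes a domain-joined Windows 8 / Server 2012 or later host (Resolve-DnsName) and, for the optional cross-check, the RSAT ActiveDirectory module; Get-ADDomainController without -Filter returns only the DC you are talking to, -Filter * returns all of them.

```powershell
# Added example: enumerate every domain controller a domain advertises through the
# _ldap._tcp.dc._msdcs SRV records and resolve each one to its IP address(es).
function Get-AdvertisedDomainController {
    param(
        # Defaults to the DNS domain of the current machine; override to audit another domain.
        [string]$Domain = $env:USERDNSDOMAIN
    )
    if (-not $Domain) { throw "No domain supplied and this host is not domain-joined." }

    # Every DC registers one of these SRV records (LDAP, port 389).
    $srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
        Where-Object { $_.Type -eq 'SRV' }

    foreach ($rec in $srv) {
        # The SRV target is the DC host name; resolve it to its A record(s).
        $ips = Resolve-DnsName -Name $rec.NameTarget -Type A -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress }
        [pscustomobject]@{
            DomainController = $rec.NameTarget
            Port             = $rec.Port
            Priority         = $rec.Priority
            Weight           = $rec.Weight
            IPAddress        = ($ips -join ', ')
        }
    }
}

# Full list, as nltest /dclist shows it, plus IPs
Get-AdvertisedDomainController | Sort-Object DomainController | Format-Table -AutoSize

# Cross-check DNS against AD (RSAT required). A DC in one list but not the other is
# worth a look: a stale SRV record, or a host registering DC records it should not.
Import-Module ActiveDirectory -ErrorAction SilentlyContinue
if (Get-Command Get-ADDomainController -ErrorAction SilentlyContinue) {
    $fromAd  = (Get-ADDomainController -Filter *).HostName | Sort-Object
    $fromDns = (Get-AdvertisedDomainController).DomainController.TrimEnd('.') | Sort-Object
    Compare-Object -ReferenceObject $fromAd -DifferenceObject $fromDns
}
```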


Thursday, October 1, 2015

Exchange shell script as Scheduled task - mailbox and database statistics to e-mail

If you have a script that you run in Exchange Management Shell, you can schedule the task to run in "Scheduled Tasks".

I had to fumble around with this for some time, so I thought I could share. Maybe this will save you just a few minutes. I saw a few resources on the web on how to perform this task. For some reason or another, most of the guides were incorrect or didn't work on my Exchange server (tried on 2010 and 2013).

This is what DID work:

Create a scheduled task in task scheduler > basic task...
For the program/script:

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

Add this under ARGUMENTS:

(For Exchange 2010)

-version 2.0 -NonInteractive -WindowStyle Hidden -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; <path and name of your existing .ps1 file>"

(For Exchange 2013)

-NonInteractive -WindowStyle Hidden -command ". 'C:\Program Files\Microsoft\Exchange Server\V15\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; <path and name of your existing .ps1 file>"

On the Exchange Server I created a folder called "scripts" on C:\
My argument looks like this:

-version 2.0 -NonInteractive -WindowStyle Hidden -command ". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; C:\scripts\Send_mailbox_stats.ps1"

Continue to configure your scheduled task. Select "Run whether user is logged on or not", then select a date\time\recurrence under triggers.
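Added example (not from the original post): the same task registered from PowerShell instead of the Task Scheduler GUI. Assumes the ScheduledTasks module (Windows Server 2012 or later) and the Exchange 2010 paths from the post; the account name is a placeholder, and using a dedicated account that only holds the read-only Exchange role the report needs keeps a domain admin's password out of the task.

```powershell
# Added example: register the report task with the exact argument string from the post.
$psExe    = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$script   = 'C:\scripts\Send_mailbox_stats.ps1'
# Note: do not name this variable $args; that is a PowerShell automatic variable.
$taskArgs = "-version 2.0 -NonInteractive -WindowStyle Hidden -command `". 'C:\Program Files\Microsoft\Exchange Server\V14\bin\RemoteExchange.ps1'; Connect-ExchangeServer -auto; $script`""

$action   = New-ScheduledTaskAction -Execute $psExe -Argument $taskArgs
$trigger  = New-ScheduledTaskTrigger -Weekly -DaysOfWeek Monday -At '6:00AM'
# Time limit stops a hung Exchange session from sitting around for days.
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Hours 1) -StartWhenAvailable

# Placeholder service account; prompting for the password at registration time keeps
# it out of the script. Supplying -User/-Password is what the GUI calls
# "Run whether user is logged on or not".
$runAs    = 'DOMAIN\svc-exchreports'
$password = Read-Host -Prompt "Password for $runAs"

Register-ScheduledTask -TaskName 'Exchange mailbox statistics report' `
    -Action $action -Trigger $trigger -Settings $settings `
    -User $runAs -Password $password

# Confirm what was registered
Get-ScheduledTask -TaskName 'Exchange mailbox statistics report' | Select-Object TaskName, State
```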



You are all set as far as the scheduled task goes.
Here is an awesome script that will send you an e-mail including all of your mailbox sizes and all of your database sizes. In my case I have the report e-mailed weekly.

Enjoy:



# ******** Send mailbox statistics script

$Logfile = "C:\mailboxreport.txt"
$mailboxservername = "<YOUR MAILBOX SERVER NAME>"
$NumOfMailboxes = 40   # number of mailboxes to return

#******** delete the existing file, if it exists (no error on first run when it does not)

Remove-Item $Logfile -ErrorAction SilentlyContinue


#********* variables for the mail message values

$FromAddress = "reports@yourdomain.com"
$ToAddress = "youremailaddress@yourdomain.com"
##$ToAddress2 = "otheremailaddress@yourdomain.com"
$MessageSubject = "Mailbox Size Report"
$MessageBody = "Attached is the current list of mailbox sizes."
$SendingServer = "YourOutboundmailserver.yourdomain.com"


#********** get and write the current date/time to the file (HH = 24-hour clock)
$LogTime = Get-Date -Format "MM-dd-yyyy_HH:mm:ss"
$LogTime >> $Logfile

$mailboxservername >> $Logfile


#*********** Formatting for mailbox statistics # adjust the widths if desired

$a = @{Expression={$_.DisplayName};Label="Name";width=28}, `
@{Expression={$_.TotalItemSize.Value.ToMB()};Label="Size (MB)";width=9}, `
@{Expression={$_.ItemCount};Label="Items";width=11}

#*********** Now get the stats and send to a text file
# Select the top N before formatting: Select-Object placed after Format-Table counts the
# table header objects as rows and silently drops real mailboxes from the list.

Write-Output "" >> $Logfile
Write-Output "Mailbox Information: Top $NumOfMailboxes" >> $Logfile

Get-MailboxStatistics -Server $mailboxservername | Sort-Object TotalItemSize -Descending | Select-Object -First $NumOfMailboxes | Format-Table $a >> $Logfile

#*********** Formatting for database statistics

$a = @{Expression={$_.Name};Label="Name";width=28}, @{Expression={$_.DatabaseSize.ToGB()};Label="Size (GB)";width=9}, `
@{Expression={$_.AvailableNewMailboxSpace.ToMB()};Label="Avail (MB)";width=11}

#*********** Now get the database stats and send to text file

Write-Output "" >> $Logfile
Write-Output "Database Statistics for server $mailboxservername" >> $Logfile
Get-MailboxDatabase -Status | Sort-Object Name | Format-Table $a >> $Logfile

#********** Create the mail message and add the statistics text file as an attachment

$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object Net.Mail.Attachment($Logfile)
$SMTPMessage.Attachments.Add($Attachment)
#$SMTPMessage.To.Add($ToAddress2)

#*************** Send the message *****************

$SMTPClient = New-Object System.Net.Mail.SmtpClient $SendingServer
$SMTPClient.Send($SMTPMessage)

# release the file handle on the attachment so the next run can delete the report
$Attachment.Dispose()






Monday, September 28, 2015

Exchange 2010 and iPhone, Connect get mail, Connection to the server failed

During an upgrade from Exchange 2007 to Exchange 2010, whilst re-homing the CAS server and re-homing mail flow from 2007 to 2010, all of a sudden some users could not connect to Exchange from their iPhones. Only SOME users were affected and only iPhone users. We have a mix of iPhone and  various Droid phones in use.

iPhone users were receiving:

Cannot get mail the connection to the server failed

tried rebooting phone - no luck

For SOME reason - the issue was fixed for 5 users by turning off SSL and then back on
For SOME reason - the issue was fixed for 3 users by turning on Airplane mode and then off

That still left me with about 25 users that couldn't get e-mail/calendar/contacts on iPhones.

Troubleshooting led me here (solution 3)
http://www.iphonetopics.com/cannot-get-mail-the-connection-to-the-server-failed/

Again, for SOME reason, some users did not have "Include inheritable permissions from this object's parent" enabled (ticked)

Open Active Directory Users and computer
On the top menu choose View > Advanced Features.
Find and right click the user account and choose Properties.
Choose Security tab. Then choose Advanced.
Select the check box "Include inheritable permissions from this object's parent".

Checking this box fixed the issue, but now the bigger issue was how to do this in bulk for all my users.
Here is a PowerShell script that will enable inheritance (tick the box) for all users in AD, recursing down an OU structure:


Import-Module ActiveDirectory
# objectCategory=person excludes computer accounts, which also match objectClass=user
$Users = Get-ADUser -LDAPFilter "(&(objectCategory=person)(objectClass=user))" -SearchBase "OU=accounts_active_users,DC=***,DC=***"
ForEach ($User in $Users)
{
    # Bind to the user object (an ADUser object's string form is its distinguishedName)
    $OU = [ADSI]("LDAP://" + $User)
    $SecGroup = $OU.PSBase.ObjectSecurity

    if ($SecGroup.get_AreAccessRulesProtected())
    {
        $isProtected = $false          ## Allows inheritance
        $preserveInheritance = $true   ## Keeps the currently inherited rules as explicit ones
        $SecGroup.SetAccessRuleProtection($isProtected, $preserveInheritance)
        $OU.PSBase.CommitChanges()
        Write-Host "$User inheritance has been set"
    }
    else
    {
        Write-Host "$User inheritance already set"
    }
}

taken from: http://www.experts-exchange.com/Software/Server_Software/Active_Directory/Q_28553940.html
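Added example (not from the original post or the Experts-Exchange thread): a report-only pass over the same OU before running the bulk fix. Inheritance is blocked on purpose for accounts with adminCount=1 (current or former members of protected groups such as Domain Admins); the SDProp process re-applies the AdminSDHolder ACL to them roughly every hour, so re-enabling inheritance there is both undone automatically and undesirable. Assumes RSAT; the OU path is a placeholder.

```powershell
# Added example: list users whose ACL has inheritance blocked and flag which ones are
# safe to re-enable (never protected by AdminSDHolder).
Import-Module ActiveDirectory

function Get-InheritanceBlockedUser {
    param([Parameter(Mandatory)][string]$SearchBase)

    # objectCategory=person excludes computer accounts, which also match objectClass=user.
    Get-ADUser -LDAPFilter '(&(objectCategory=person)(objectClass=user))' `
               -SearchBase $SearchBase -Properties adminCount, nTSecurityDescriptor |
        Where-Object { $_.nTSecurityDescriptor.AreAccessRulesProtected } |
        ForEach-Object {
            [pscustomobject]@{
                SamAccountName    = $_.SamAccountName
                DistinguishedName = $_.DistinguishedName
                AdminCount        = $_.adminCount
                # adminCount unset or 0 = never protected = safe candidate for the fix
                SafeToReenable    = (-not $_.adminCount)
            }
        }
}

# Placeholder search base; substitute your own OU.
$report = Get-InheritanceBlockedUser -SearchBase 'OU=accounts_active_users,DC=example,DC=local'
$report | Format-Table SamAccountName, AdminCount, SafeToReenable -AutoSize

# Accounts that left a protected group keep adminCount=1 and the blocked ACL;
# review those by hand instead of bulk-fixing them.
$report | Where-Object { -not $_.SafeToReenable } | ForEach-Object {
    Write-Warning "$($_.SamAccountName) has adminCount=$($_.AdminCount); review manually"
}
```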

Thursday, July 23, 2015

Get serial number of server from within Windows

I was remotely connected (via RDP) to a server a thousand miles away for which I needed to get the serial number. The server is an HP 380 Gen9.

Neat trick using WMIC

from command line:
wmic /node:HOSTNAME bios get serialnumber
(I used "localhost" for the hostname)


Monday, July 20, 2015

Domain Controller, new domain, Windows 2012 r2 Core, part 2

See part 1 for the back story.


Here we establish a second domain controller for an existing domain that we set up in part 1.




Use Part1 to repeat steps 1 through 5


Verify your hostname and IP configuration are correct, primary DNS should be address of the first domain controller we installed in part 1.


To create additional domain controller for existing domain:
From PowerShell:


step 6.
#add computer to domain
add-computer -domain lab.local -credential (get-credential)
[enter credentials of domain admin]
restart-computer




step 7.
from PowerShell


Install-ADDSDomainController -DomainName lab.local -InstallDNS:$True -Credential (Get-Credential)
[enter domain admin credentials]
A reboot will occur.





Domain Controller, New Domain, Server 2012 r2 Core, Part 1.

I am setting up a test lab for "Skype for Business 2015". To proceed with testing I wanted a new lab consisting of:


2x Domain Controller (w/ DNS) - Windows 2012 R2 Core
1x SQL server 2012 on Windows 2012 (not r2, W/ GUI)
1x Skype for Business 2015 (Lync) server on Windows 2012
1x RDS server (as client) on server 2008R2


As a guide to configuring the domain controllers, below are the command-line and PowerShell commands that I use.


*THIS IS ONLY FOR A LAB ENVIRONMENT! I would not recommend this for a production environment*


Let me preface this by saying that all of these commands are not mandatory and this is not a secure installation.  I like to disable IP v6 and all related components in my lab environment and disable the firewall.


Part 1. First domain controller, assuming a completely vanilla installation


Step 1.
Use SCONFIG to configure:
IP address, Subnet mask
default gateway address
DNS address
turn on (enable) remote desktop
computer name (reboot after)


step 2. disable ip6 components
From command line:
*test computer name and IP address:
hostname
ipconfig /all


netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh int teredo set state disabled


step 3. disable IP Helper service
From Powershell:
# PowerShell cmdlet to list services that are currently stopped (swap "Stopped" for "Running" to see the rest)
Get-Service * | Where-Object {$_.Status -eq "Stopped"}



#disable "IP Helper" service
set-service iphlpsvc -startuptype disabled
stop-service iphlpsvc


step 4A. disable IPv6 on adapter. on a fresh install the only adapter is called "Ethernet"


Get-NetAdapterBinding -InterfaceAlias Ethernet | Select-Object Name,DisplayName,ComponentID
Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6


step 4B. disable firewall
Get-NetFirewallProfile | Set-NetFirewallProfile -enabled false


step 5. install AD services (does not make a domain controller)
Install-WindowsFeature -Name AD-Domain-Services



step 6. (basic commands, accepts defaults during AD install)
$Password = ConvertTo-SecureString -AsPlainText -String MyRestoreModePassword -Force
Install-ADDSForest -DomainName lab.local -SafeModeAdministratorPassword $Password -InstallDns



(additional command to append to previous command, if required/desired to change)

-DomainNetbiosName lab -DomainMode Win2012R2 -ForestMode Win2012R2 -DatabasePath "$env:SYSTEMROOT\NTDS" `
-LogPath "$env:SYSTEMROOT\NTDS" -SysvolPath "$env:SYSTEMROOT\SYSVOL" -NoRebootOnCompletion -Force



#Step 7
Restart-Computer -Force





This should complete your first DC installation. See part 2 for installation of the second domain controller.

Thursday, May 7, 2015

Lync - Screen Sharing cannot connect to the server now, issue with multiparty application sharing and screen sharing

We use Lync for internal chatting and screen sharing and the "presence" feature. I run a small shop with 100 users spread across 5 buildings. Lync really helps our users collaborate.

Although Lync is a great product, it can be slightly complicated, especially if you are a small/medium business and are NOT setting up 5 separate servers for Lync.

I ran into an issue where two users could share content (screen or application) with each other without error. The moment a third user was added to the mix (i.e. Alice sharing content with Bill and Bob), I received "Screen sharing cannot connect to the server now". Somewhat confusing, because screen sharing was working just fine between two participants.

I do not claim to be a Lync expert. I am passing along information to help any Lync novices.

When two participants are connected, the session is peer-to-peer.

When three or more participants are connected, the Application Sharing feature depends on the Front End Server Multi Point Control Unit (MCU) to provide the sharing stream to all parties.


Error: Screen sharing cannot connect to the server now.
Lync Server 2010

Internal client to internal client(s)
Single server install






This error is commonly reported when the Application Sharing Server (ASMCU) service is not running on the Lync Server Front End pool. If the ASMCU service is not installed on the Lync Front End it is likely because the components have not been enabled within the Lync Topology.

Step 1
Verify Application Sharing service is enabled in topology builder.
If not, enable it and publish the topology. Rerun component setup on FE pool using the Lync Deployment Wizard.

Step 2
Verify "Lync Server Application Sharing" and "Lync Server Web Conferencing Services" are actively running on FE pool. If not, try to start them. Check Lync Application Event logs if start fails.

*In my case the "Lync Server Application Sharing service" was bombed. Starting the service resolved the issue. The service started successfully.

If the service fails to start, check event log and begin Lync debug logging (another topic).



Step 3
Verify whether the user has the appropriate conferencing policy applied and that the policy applied has EnableAppDesktopSharing = TRUE.

Get-CsConferencingPolicy


Good luck w/ Lync. Next steps: Lync migration to 2013 on-prem.

credit to NextHop/LyncMd

http://blogs.technet.com/b/nexthop/archive/2012/11/05/lyncmd-troubleshooting-lync-server-2010-application-sharing-internal-and-remote-scenarios.aspx

Thursday, April 23, 2015

Lync 2010 server stops - Certificate Expired

The Lync server stopped responding for all users. Lo and behold, the certificate had expired. The last certificate was installed/updated 2 years ago. Fairly painless to update the certificate (i.e. install a new certificate) on the server. We use an internal Windows CA. Lync can use (and by default does) a simple SSL cert.

Today, the Lync client bombs for all users. Lync 2010 client reads "there was a problem verifying the certificate from the server...". The login process seems to hang indefinitely.


I open the Lync Control Panel and get a security alert. View certificate yields the following. I should have reminded myself to update the certificate. It is unfortunate that the process isn't automated nor is there a good system of alerting for impending certificate expiration.

Look at the details of the cert. I am noting the SAN entries

The rest is fairly simple. Open the Lync Deployment Wizard. Select "Request, Install or Assign...".
For my installation, I was able to accept all the default of the Certificate generation  since I had previously received (installed) a certificate from the same CA server.

During the cert generation wizard, I am verifying that the auto-generated Subject Alternative Names (SAN) match what I had previously. Notice the SIP.<domainname>.com SAN was not there. No sweat, because it is added on the next screen.

Make sure the SIP domain is correct. Again, for me, all I had to do was accept the default.



Next, next, next and the new cert is generated and installed. From the Wizard I select "start services" for good measure.

I will be upgrading to on-prem Lync 2013 very soon. 
Good Luck.
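Added example (not from the original post): the expiry alerting the post says is missing, as a check that scans the local machine's personal certificate store for certificates expiring within a window and lists their SAN entries. Run it on the Lync Front End (or any server) from a scheduled task and act on the exit code. The 30-day window and the store path are assumptions; adjust to your renewal lead time.

```powershell
# Added example: find certificates in the machine store that expire soon, with SANs.
function Get-ExpiringCertificate {
    param(
        [int]$WithinDays = 30,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $now      = Get-Date
    $deadline = $now.AddDays($WithinDays)

    Get-ChildItem -Path $StorePath | Where-Object { $_.NotAfter -le $deadline } | ForEach-Object {
        $cert = $_
        # OID 2.5.29.17 is the Subject Alternative Name extension; Format($false) renders
        # it on one line, e.g. "DNS Name=sip.example.com, DNS Name=lync.example.com".
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $san    = if ($sanExt) { $sanExt.Format($false) } else { '(none)' }

        # New-Object PSObject keeps this runnable on PowerShell 2.0 hosts.
        New-Object PSObject -Property @{
            Subject    = $cert.Subject
            Issuer     = $cert.Issuer
            NotAfter   = $cert.NotAfter
            DaysLeft   = [math]::Floor(($cert.NotAfter - $now).TotalDays)   # negative = already expired
            Thumbprint = $cert.Thumbprint
            SAN        = $san
        } | Select-Object Subject, Issuer, NotAfter, DaysLeft, Thumbprint, SAN
    }
}

$expiring = Get-ExpiringCertificate -WithinDays 30
if ($expiring) {
    $expiring | Sort-Object NotAfter | Format-List
    # Non-zero exit lets the scheduled task history or a monitoring check flag the condition.
    exit 1
} else {
    "No certificates in Cert:\LocalMachine\My expire in the next 30 days."
    exit 0
}
```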

Monday, April 13, 2015

Outlook not displaying e-mail attachment, attachment not stripped by Exchange

I ask a user to send me an e-mail w/ attachment. I receive the e-mail - no attachment. I call the sender, the sender swears that she sent the attachment. The e-mail with attachment shows in her "sent items".

My first thought is that Exchange stripped the attachment. The problem with this theory is that the attachment type is not banned, i.e. the attachment is a simple PDF not an .exe or a .vbs or anything like that.

Coincidentally, I look down at my smartphone (Droid - Galaxy S5) and sure enough, the e-mail with attachment is looking right at me. Now I am confused.

Additionally, I open OWA and the e-mail with the attachment is there but it looks a little out of the norm.

Take a look:

Outlook - No attachment icon (little paperclip), no attachment in e-mail



OWA - No attachment icon, attachment DOES show in the e-mail when you open it



After thorough scouring of the Interwebs, I found some suggestions. This was difficult to research because most posts improperly referred to Exchange attachment blocking, virus filtering, etc. I saw a bunch of posts regarding MIME types, but the resolution did not apply.

The problem exists w/ Exchange 2007 and 2010. I didn't confirm 2013.
Resolution is:

Exchange 2010:
1. Stop the Exchange Transport service.
2. Locate the EdgeTransport.exe.config file. This file is located in the following path:
<drive>:\Program Files\Microsoft\Exchange Server\Bin\
3. In the EdgeTransport.exe.config file, add the following entry between the <appSettings> element and the </appSettings> element:
<add key="TreatInlineDispositionAsAttachment" value="true" />
4. Restart the Transport service.


Exchange 2007
[shell]
set-OrganizationConfig -ShowInlineAttachments:$true
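Added example (not from the original post): the Exchange 2010 appSettings change from steps 1 to 4 applied idempotently with a timestamped backup, instead of hand-editing the file. Assumes the default install path from the post and the MSExchangeTransport service name; it is written to run on PowerShell 2.0 as well.

```powershell
# Added example: add or update one <add key=... value=...> entry in EdgeTransport.exe.config.
$configPath = 'C:\Program Files\Microsoft\Exchange Server\Bin\EdgeTransport.exe.config'
$keyName    = 'TreatInlineDispositionAsAttachment'

function Set-AppSettingKey {
    param(
        [Parameter(Mandatory=$true)][string]$Path,
        [Parameter(Mandatory=$true)][string]$Key,
        [Parameter(Mandatory=$true)][string]$Value
    )
    if (-not (Test-Path $Path)) { throw "Config file not found: $Path" }

    # Keep a copy so the change can be reverted if transport misbehaves.
    $backup = "$Path.$(Get-Date -Format yyyyMMdd-HHmmss).bak"
    Copy-Item -Path $Path -Destination $backup

    # XmlDocument.Load preserves the file's declaration and encoding on Save.
    $xml = New-Object System.Xml.XmlDocument
    $xml.Load($Path)
    $appSettings = $xml.SelectSingleNode('/configuration/appSettings')
    if (-not $appSettings) { throw "<appSettings> element not found in $Path" }

    # Update in place if the key already exists; otherwise append a new <add/> element.
    $existing = $appSettings.SelectSingleNode("add[@key='$Key']")
    if ($existing) {
        $existing.SetAttribute('value', $Value)
    } else {
        $node = $xml.CreateElement('add')
        $node.SetAttribute('key', $Key)
        $node.SetAttribute('value', $Value)
        [void]$appSettings.AppendChild($node)
    }
    $xml.Save($Path)
    "Set $Key=$Value in $Path (backup: $backup)"
}

# Steps 1 and 4 from the post wrap the edit.
Stop-Service MSExchangeTransport
Set-AppSettingKey -Path $configPath -Key $keyName -Value 'true'
Start-Service MSExchangeTransport

# Verify the entry is present exactly once
$check = New-Object System.Xml.XmlDocument
$check.Load($configPath)
$check.SelectNodes("/configuration/appSettings/add[@key='$keyName']") | Select-Object key, value
```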


Good luck.

Friday, March 27, 2015

Basic configuration of Server Core Domain Controller

Recently I was tasked with configuring a Windows 2012 server Core as a domain controller from scratch. The process is well documented and fairly painless. I figured I would aggregate and post the process.

Assumptions:

  • This process doesn't cover the basic installation of the OS. This assumes you have installed the OS for the first time as CORE and you are logged in for the first time with administrative credentials.
  • We don't use IPv6 (yet). I like to unbind and disable the adapters and protocol needed for IPv6. If you use IPv6, don't follow this guide.
  • You already have an existing domain infrastructure. This process adds an additional domain controller to an existing domain.
  • In my example the domain is called LAB.LOCAL.
  • You will be installing DNS on the domain controller.
  • You don't wish to change the default NTDS and SYSVOL locations.
  • You understand what the directory services restore mode password is.

In this process we will:

  • disable unneeded adapters
  • disable "IP Helper" service (iphlpsvc)
  • rename computer
  • set IP/DNS addresses
  • install AD

disable 6to4, isatap adapter, Teredo tunnel adapter
From the command line:

netsh int ipv6 isatap set state disabled
netsh int ipv6 6to4 set state disabled
netsh interface teredo set state disabled

disable IP Helper service
sc config iphlpsvc start= disabled
(there is a space between = and disabled)




Start Powershell
powershell

unbind IPv6

Get-NetAdapterBinding -InterfaceAlias Ethernet | Select-Object Name,DisplayName,ComponentID

Pay attention to the name displayed for the adapter you intend to modify. Petri insider’s tip: In a fresh Server core installation with one network adapter installed, the name will be Ethernet by default.

Disable-NetAdapterBinding -InterfaceAlias Ethernet -ComponentID ms_tcpip6

Get-NetAdapter

For the next few steps I want to mention that you could alternatively use sconfig to rename the computer and set the IP + DNS address.
To start sconfig just type "sconfig" at the command line.


Set IP Address

New-NetIPAddress -InterfaceAlias Ethernet -IPAddress 10.0.0.10 -DefaultGateway 10.0.0.1 -PrefixLength 24



(if you mess up the IP address)
remove-netipaddress -ipaddress x.x.x.x -defaultgateway x.x.x.x

Set DNS address
Set-DnsClientServerAddress -InterfaceAlias Ethernet -ServerAddress 10.0.0.100

*make sure everything looks right
ipconfig /all

Rename Computer
Rename-Computer -NewName NewComputerNAME

Reboot
(even though this is a command line command, it will work within powershell)
shutdown /r /t 1

Log back in, start PowerShell, Add computer to domain
Add-Computer -DomainName domain.local -DomainCredential (Get-Credential)

Reboot
shutdown /r /t 1

Install AD
*log back in with (administrative) domain credentials, start powershell

Install-WindowsFeature AD-Domain-Services -IncludeManagementTools
(wait a few minutes)

Install-ADDSDomainController -DomainName lab.local -InstallDNS:$True -Credential (Get-Credential)

You will be asked for a SafeModeAdministratorPassword. This is the Directory Services Restore Mode Password.

"the target server will be configured as a domain controller..."
continue with this operation? Y

(a series of warnings)

The first warning lets you know that Windows Server 2012 has defaults for certain security settings that can affect very old OSes on the network such as Windows NT 4.0. The second warns that a DNS Server delegation can’t be created. Since we’re installing DNS on this server as part of the DC promotion process, both of these errors are safe to ignore.

Reboot when complete


set and remove IP address from powershell:

Tuesday, March 10, 2015

Uninstall program from the command line, fails as non-admin, fails as admin with RUNAS

Uninstall program using "Run As" as admin fails when a non-admin is currently logged in and UAC is disabled.

The problem is as follows:
Generally helpdesk has a need to uninstall/reinstall a program on an end-user's PC whilst the end-user is logged in. Another case is admin simply needs to uninstall a program\app\driver from a non-admin end user's computer.

The problem is that if UAC is turned OFF (never notify), you cannot remove (uninstall) a program via the runas command, even though you are logged in as an ADMIN. The process fails.
When I say UAC is disabled, I mean User Account Control is set to "never notify".



For Example:
Joe User (non admin) is currently logged in.
UAC is disabled on the user's PC (see image above).
You, a domain admin, are at the user's PC - either in person or via a screen sharing technology.
You run (from command line) "runas /user:BillyTheAdmin@domain.local cmd"
You are prompted for your password - you enter your password
A new command line opens with your credentials, you type "appwiz.cpl"
   (Alternatively you could have run "runas /user:BillyTheAdmin@domain.local appwiz.cpl")
add\remove programs opens, you select the program you wish to remove, click Uninstall.
You are prompted with "You must be an administrator...". The process fails; the app is not uninstalled/removed.



In the above scenario, IF UAC was ENABLED you would be prompted again for your username/password and the process would succeed.

*Note: To access the User Account Control settings as an admin, run the following:
C:\Windows\System32\UserAccountControlSettings.exe

To work around the issue and AVOID logging out the user you can uninstall\remove apps from the command line. In this example, I want to remove the Live Meeting 2007 client.

1. Open a command prompt as an administrator
    In my example, run "runas /user:BillyTheAdmin@domain.local cmd"

2. Input WMIC and press Return. You will see a prompt that looks like this:
wmic:root\cli>

3. At the new prompt, execute the following command:
product get name

This will generate a list of installed applications. On my computer (very fast PC) this took 30 seconds to return results, be patient.

4. At the prompt, execute the following command:
product where name="exact product name" call uninstall
where "exact product name" is the name of the program you wish to uninstall (use the exact name from the list generated in step 3).

In the image below, the output is from "product get name". I want to uninstall the live meeting client.



5. When prompted, input "y" to confirm that you wish to uninstall the application and press Return. In the image below the line is very long (I tried to capture it, sorry if the image appears small).



The application will be uninstalled. You will get a quasi-useless return code.


Type "Exit" to leave WMIC
Type "Exit" to close the cmmand line

Wednesday, February 25, 2015

Lync 2010, disable "suggested contacts" from Outlook 2010

We use Lync 2010. In my scenario, I ONLY want to see GAL/GAB, Lync Enabled users in Lync. Your situation may differ.

By default Lync 2010 pulls from Outlook's contacts when using "Search" in Lync. I find this feature annoying because we don't use Lync for calls of any kind. We only use Lync for IM and Presence internally. Hence, seeing my Outlook Contacts in Lync is of ZERO use to me. All of my Contacts show up as "Presence Unknown".

Example: Tom Smith is a GAL, internal, Lync-enabled user. Tom Jones is from my Outlook contact list.

Lync - contact search1

Very simple Solution:

On Lync Server (mgt shell)
set-CsClientPolicy -Identity global -ExcludedContactFolders "Contacts"

This will now exclude Outlook Contacts from populating Lync searches....great.

Fast Forward, upgrade Office from '07 to 2010.
Lync is now showing contacts again. This time from Outlook's "Suggested Contacts", a new feature of Outlook 2010. Suggested Contacts is a new contact folder starting in Outlook 2010. I find this feature completely useless but that is another topic.

To Get Lync to stop pulling suggested contacts into Lync searches do this:

set-CsClientPolicy -Identity global -ExcludedContactFolders "Contacts;Suggested Contacts"

To view the policy:
Get-CsClientPolicy -identity global

Check the settings:




Friday, February 20, 2015

Error delegating, Outlook 2010, The Delegates were not saved correctly, cannot activate send-on-behalf-of list, KB2593557

Outlook 2010, error delegating AGAIN.

I had a previous post with problems delegating calendar access in Outlook 2007. Now I am having problems with users delegating Inbox access in Outlook 2010.

Error looks like:

Again, KB2593557 claims to fix the problem but it does NOT! It only suppresses the error.

Add "Write personal information" (and Read personal information) to the "SELF" object in AD on the ACL.

As I looked through my users (randomly), I found some user account already had this set properly and others did not. I do not know how or why this came about but I intend on fixing it.

I figured that I would set the settings at once for all users.
Use this script:

--== Begin Script ==--
# -ResultSize Unlimited: without it Get-Mailbox returns only the first 1000 mailboxes
$mailboxes = Get-Mailbox -ResultSize Unlimited

foreach ($mailbox in $mailboxes)
{
    $user = $mailbox.Alias
    $mailboxname = $mailbox.Name
    Write-Host "Processing... $user,$mailboxname"
    # Grant SELF read/write on the "Personal Information" property set of the user object
    Add-ADPermission -Identity "$mailboxname" -User 'NT AUTHORITY\SELF' `
        -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information'
}

--== End Script ==--

Save as .ps1, run from Exchange Management Shell
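Added example (not from the original post): since some accounts already had the SELF permission and others did not, this checks each mailbox's current ACL first and applies Add-ADPermission only where ReadProperty or WriteProperty on Personal Information is missing, recording the before state. Assumes the Exchange Management Shell (Get-ADPermission / Add-ADPermission) and is written to run on the PowerShell 2.0 that Exchange 2010 ships with.

```powershell
# Added example: audit, then fix only the mailboxes that lack SELF rights on Personal Information.
function Get-SelfPersonalInfoState {
    Get-Mailbox -ResultSize Unlimited | ForEach-Object {
        $mbx = $_
        # Allow ACEs granted to SELF that cover the Personal Information property set
        $aces = Get-ADPermission -Identity $mbx.DistinguishedName | Where-Object {
            ("$($_.User)" -like '*\SELF') -and
            (-not $_.Deny) -and
            (($_.Properties -join ',') -match 'Personal.Information')
        }
        # Flatten the AccessRights of all matching ACEs into one string (PS 2.0 has no member enumeration)
        $rights = ($aces | ForEach-Object { "$($_.AccessRights)" }) -join ','

        New-Object PSObject -Property @{
            Alias             = $mbx.Alias
            Name              = $mbx.Name
            DistinguishedName = $mbx.DistinguishedName
            HasRead           = ($rights -match 'ReadProperty')
            HasWrite          = ($rights -match 'WriteProperty')
        } | Select-Object Alias, Name, DistinguishedName, HasRead, HasWrite
    }
}

$state = Get-SelfPersonalInfoState
$state | Format-Table Alias, Name, HasRead, HasWrite -AutoSize

# Keep a record of what was wrong before changing anything
$state | Where-Object { -not ($_.HasRead -and $_.HasWrite) } |
    Export-Csv -Path "C:\self-personalinfo-before-$(Get-Date -Format yyyyMMdd).csv" -NoTypeInformation

# Apply the fix only where a right is missing; the DN avoids ambiguity between same-named mailboxes
$state | Where-Object { -not ($_.HasRead -and $_.HasWrite) } | ForEach-Object {
    Write-Host "Fixing $($_.Alias)"
    Add-ADPermission -Identity $_.DistinguishedName -User 'NT AUTHORITY\SELF' `
        -AccessRights ReadProperty, WriteProperty -Properties 'Personal Information'
}
```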