You may notice that when you try to run the Sync command DirectorySyncClientCmd it doesn’t do anything and just closes right away.
If you open your Event viewer you may notice that you are getting the following event
Failed while Purging Run History
Invalid namespace
at System.Management.ManagementException.ThrowWithExtendedInfo(ManagementStatus errorCode) at System.Management.ManagementScope.InitializeGuts(Object o)at System.Management.ManagementScope.Initialize()at System.Management.ManagementObjectSearcher.Initialize()at System.Management.ManagementObjectSearcher.Get()at Microsoft.Azure.ActiveDirectory.Synchronization.DirectorySyncClientCmd.Program.PurgeRunHistory(TimeSpan purgeInterval)at Microsoft.Azure.ActiveDirectory.Synchronization.Framework.ActionExecutor.Execute(Action action, String description)at Microsoft.Azure.ActiveDirectory.Synchronization.DirectorySyncClientCmd.Program.Main(String[] args)
Cause:
This happens when the WMI object had unregistered itself which might be caused by another tool installed or uninstalled at the time when the problem started to occur.
Resolution:
To resolve the issue, you ‘ll have to run few command lines… each are explained below
mofcomp “D:\Program Files\Microsoft Azure AD Sync\Bin\mmswmi.mof”
As it shows in the command screenshot below the ‘mofcomp’ parses the MMS (FIM) wmi file and goes through the process of adding the classes to the WMI repository.
regsvr32 /s “D:\Program Files\Microsoft Azure AD Sync\Bin\mmswmi.dll”
Registers the WMI mmswmi.dll file to the server.
net stop winmgmt /y
net start winmgmt net start “IP Helper” net start “User Access Logging Service” net start “Microsoft Azure AD Sync”
D:\Program Files\Microsoft Azure AD Sync\Bin\DirectorySyncClientCmd.exe”
If you ever needed to add multiple ports or range of ports endpoints to a particular Virtual machine on Azure. you might have a difficulty doing this since it’s not allowed by design and that will require time to do this manually for range of ports. that’s where this article comes handy.
To achieve this first you will need to connect to your Azure subscription on Azure powershell. Azure PowerShell.
Run Azure powershell as an administrator and type the following cmdlet to get your subscription info
Get-AzurePublishSettingsFile
This will open a page and ask you to sign in to your Azure user account and download a file called Visual Studio Premium with MSDN-DATE-credentials.publishsettings
In the powershell you will have to navigate to where the file is located. And import the settings that have just been downloaded in that file
Import-azurepublishSettingsFile `.\Visual Studio FileLocation`
You can check for your account and Subscription, using Get-azureaccount script
Now I have setup a ubuntu Machine on Azure that hosts Openfire Chat server which requires 10000-10005 port range for the media service. On Azure Web interface the port range option is not yet supported. The only available option is through powershell which will open the required port range for us.
To do so I’ll use the following cmdlet highlighting the required information to enter
To Acquire your service name, you can simply login to Azure portal and check out All Items and see the cloud service name .. Just like the below screenshot
To Check your VMname simply navigate to Virtual machines tab and on the right side you can see the name.. I have copied it as well in the command.
Once you edited the cmdlet with your information you can enter it in the Powershell and enter
It should return something like this.
Once finished you can check Azure end point portal for the new ports configuration
Upgrade Microsoft Domain Controller 2008 R2 to DC 2012 R2 with Exchange 2010 in the current environment.
Prerequisites:
1- Windows 2012 R2 fully patches
2- New Windows 2012 R2 server should be joined to the Domain controller 2008r2
After you get all the prerequisites ready, start the Server manager and click on Add roles then add the ADDS role and follow the following instructions
Install the role and the n configure it as following
Add it to the existing DC
To migrate the AD Operations Master roles. The simplest way to move these roles is via PowerShell.
On Server 2012 AD PowerShell modules, this can be done from anywhere. Simply run the following command to view you current configuration, and change them:
******* WARNING: KCC could not add this REPLICA LINK due to error.
Naming Context: DC=domain,DC=local
Source: Default-First-Site-Name\DC2
******* WARNING: KCC could not add this REPLICA LINK due to error.
Resolution:
After joining new DC you will see this error until the replication with the PDC and schema master is finished.
Use the repadmin /syncall to hasten the sync process.
After we changed the PDC and Schema master role server to the new DC and shut down the old DC for test. On Exchange 2010 server you might get the following error
Exchange Console
Current deployment
Exchange 2010
New DC 2012 R2 with another Additional DC installed newly.
Two DC 2008R2 but have been shut down for testing.
Problem:
After you shutdown or demote the old PDC or Schema master Demote Domain Controller role, Microsoft Exchange Management Console fails to retrieve any Exchange information with error message “An error caused a change in the current set of Active Directory Server settings. Restart Exchange Management console.”
Cause
Microsoft Exchange management console caches the data in the user’s profile for quick access, So whenever you try to open EMC from an existing Exchange admin profile you will get the same error.
Resolution:
Navigate to the following folder and delete the Exchange Management Console file.
Starting with Windows 2008 R2, Microsoft introduced the Active Directory recycling bin. This is great for recovering objects back into AD if they are accidentally deleted. In order to use the recycle bin feature, your forest must be running with a functional level of Windows 2008 R2. If your forest is running at this level you simply run a PowerShell command to enable it.
Enable
To enable Active Directory Recycle Bin using the Enable-ADOptionalFeature cmdlet
Click Start, click Administrative Tools, right-click Active Directory Module for Windows PowerShell, and then click Run as administrator.
Below is a sample for enabling it for moh10ly.com:
Once you have the Recycling Bin for Active Directory you will have to use LDP.exe to restore. By default the container with the deleted objects is not displayed. The following steps will allow you to see the container with the deleted objects.
Display Deleted Objects
Follow these steps to display the Deleted Objects container:
To open Ldp.exe, click Start, click Run, and then type exe.
On the Optionsmenu, click Controls.
3. In the Controlsdialog box, expand the Load Predefined pull-down menu, click Return deleted objects, and then click OK.
4. To verify that the Deleted Objects container is displayed:
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then Bind. (U must use SSL and port 636)
Click View, click Tree, and in BaseDN, type DC=<mydomain>,DC=<com>, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.
In the console tree, double-click the root distinguished name (also known as DN) and locate the CN=Deleted Objects, DC=<mydomain>,DC=<com>container, where <mydomain>and <com> represent the appropriate forest root domain name of your AD DS environment.
Restore Deleted Objects
Once you have enabled the container to be displayed, you can now restore deleted objects from Active Directory. Below are the steps to recover a single item from the recycle bin using LDP.exe.
Follow these steps to restore a deleted Active Directory object using Ldp.exe:
Open Ldp.exe from an elevated command prompt. Open a command prompt (Cmd.exe) as an administrator. To open a command prompt as an administrator, click Start. In Start Search, type Command Prompt. At the top of the Startmenu, right-click Command Prompt, and then click Run as administrator. If the User Account Control dialog box appears, enter the appropriate credentials (if requested), confirm that the action it displays is what you want, and then click Continue.
To connect and bind to the server that hosts the forest root domain of your AD DS environment, under Connections, click Connect, and then click Bind.
3. On the Options menu, click Controls.
4. In the Controls dialog box, expand the Load Predefined drop-down list, click Return Deleted Objects, and then click OK.
5. In the console tree, navigate to the CN=Deleted Objects
6. Locate and right-click the deleted Active Directory object that you want to restore, and then click Modify.
7. In the Modifydialog box.
8. In Edit Entry Attribute, type isDeleted.
9.Leave the Valuesbox empty.
10. Under Operation, click Delete, and then click Enter.
11. In Edit Entry Attribute, type distinguishedName.
12. In Values, type the original distinguished name (also known as DN) of this Active Directory object.
13. Under Operation, click Replace.
14. Make sure that the Extended check box is selected, click Enter, and then click Run.
A key point to understand and remember with AD Recycle Bin is that you must restore hierarchically; a parent object must be restored before a child object. If you were to delete an entire OU and all its contents, you must first restore the OU before you can restore its contents.
Modify
Clicking on Run gives an error
“Error 0x2077 Illegal modify operation. Some aspect of the modification is not permitted.”
Resolution:
Disconnect and reconnect with SSL on port 636
Enter the full Distinguished path in the Values
Click on Run again and that should work
Before
After
\
After restoring the object, I will try to login to the user’s mailbox
I’ll need to reset the user’s password after its restored.
I had a project to migrate users from Linux Postfix mail system to Exchange 2013 but had to do it in stages in order to use it as recommended by Microsoft, The customer had Red Hat Linux Servers with Postfix integrated with Active directory for authentication.
In order to migrate the users I installed Exchange 2007 in order to use the Microsoft tool called (Microsoft Transporter Suite) and had to reset all users (850 User) passwords to use notepad file and import it in the tool in order to migrate all users in less than a week.
I searched for any powershells that would reset users passwords on Active directory but could not find anyone that would suit my scenario and customer’s security policies until I came through a tool called “Quest One activeRoles which integrates lots of useful commands into its own powershell that have to be installed on Active Directory server to reset all users passwords.
You can find the tool either from the following link:
In order to do so I have prepared a notepad file with 2 columns “Username, password” and then copied all users and their passwords below the two columns, saved the file in .csv extension then used the following script
$data = Import-csv “C:\users_pass.csv”
foreach($line in $data) {set-QADUser $line.username -UserPassword $line.password }
Click on the snapshot to enlarge it
As shown in the snapshopt above you will have to install the application first on your DC and then run the application shell “ActiveRoles Management shell for AD” as administrator then run the commands below
$data = Import-csv “C:\users_pass.csv”
foreach($line in $data) {set-QADUser $line.username -UserPassword $line.password }
Note:
Usernames in the CSV File must be according to the format in the Snapshot above or else the command won’t be recognized.
As I was preparing for Exchange migration from 2010 to 2013 I had two DCs, one of those two DCs was off for about 8 months and has already passed the default tomb stone life so it was not authorized for replication in the forest.
Whenever I try to replicate the server I get the following error
Active Directory Sites and Services Error
“The following error occurred during the attempt to syncronize naming context CN=Configuration,DC=Domain,DC=Local from Domain Controller AD to Domain Controller AD2; The directory service cannot replicate with this server because the time since the last replication with this server has exceeded the tombstone lifetime. This operation will not continue.”
My FSMO roles holder and PDC is the demotesas.local domain so on this DC I will run the following command
If you’re planning to Install Active directory on multiple DCs for backup, you can speed up this process by using the following script which is provided by Microsoft. but you’ll have to copy and paste it in notepad and save it in .ps1 extension after editing the Domain Name and Domain Netbios name.
You may also wanna change the forest mode to match the one in your environment if you already have an old DC.
# Windows PowerShell script for AD DS Deployment
#
Import-Module ADDSDeployment
Install-ADDSForest `
-CreateDnsDelegation:$false `
-DatabasePath “C:\Windows\NTDS” `
-DomainMode “Win2012” `
-DomainName “moh10ly.com” `
-DomainNetbiosName “Moh10ly” `
-ForestMode “Win2012” `
-InstallDns:$true `
-LogPath “C:\Windows\NTDS” `
-NoRebootOnCompletion:$false `
-SysvolPath “C:\Windows\SYSVOL” `
-Force:$true
Note: If you want to have a different Computer name, you will need to change that manually before you start the process below and restart after changing the computer name.
You will need to install the AD Domain Service management tools before you are able to run the powershell
When the management tools are installed you can drag and drop the powershell file to powershell window and press Enter and as soon as you do that it will ask you for the SafeModeADministratorPassword.
After you press Enter it will start the installation process
When finished it will let you know that server is going to be restarted automatically.
After restarting the server, this is how the Full computer name became.
To configure Outlook autodiscover in Active directory we’ll have to do the following
First open Group Policy Management from Administrator tools, After you have opened GPO you will want to create a new GPO for this purpose then follow the steps down to continue with the configuration:
1- Create a new GPO under any OU “Organization unit” you want to apply the GPO on. Then right click on it and click on Edit…
Under User configuration -> policies -> Administrative templates: Policy right click and click “add/remove templates…”
Click Add… and browse to the Office 2010 template (I’m attaching these files below) or you can just google them.
4- Under Administrative Templates: Policy Definitions – > Classic Administrative Templates (ADM) click on MS Outlook 2010 -> Exchange and on the right pane.
Enable Automatically configure profile based on AD Primary. And Enable Configure outlook anywhere user interface options.
These steps are optional but they’ll force opening outlook in order to configure it after the Client’s PC restarts.
5- When done go to User Configuration –> Windows Settings –> Scripts -> double click on Logon on the right pane
Click on Add
Browse then
Copy the below batch file to this location and attach it ” \\domain.com\SysVol\domain.com\Policies\{34E9C6C2-FCCF-45DA-908D-65A452D049F3}\User\Scripts\Logon”
When PCs restart they’ll take the new configuration.
Note:
The Outlook.txt file is the script that will be launching the Outlook configuration panel, you will need to rename the extension file from .txt to outlook.bat before uploading it to the location in the article.
If your Exchange users have problem with Active Sync’s Autodiscover configuration or you’re intending to configure a Hybrid configuration with Microsoft office 365 Exchange Online or Your Lync/Skype for business users are having troubles signing in right after you enable users from the Lync/SfB Panel then this article is for you.
Note: For Lync you’d want to change Account (UPN) Instead of the Proxy Address Attribute for users. For each scenario it might be a different case.
Assuming that I have the following domain list, and I want to add them to my AD user’s proxy address attribute so they can use it as SMTP address
%’sAMAccountName’%@Domain1.com
%’sAMAccountName’%@Domain2.com
%’sAMAccountName’%@Domain3.com
%’sAMAccountName’%@Domain4.com
%’sAMAccountName’%@Domain5.com
%’sAMAccountName’%@cardtekcloud.onmicrosoft.com
First to add main SMTP address we’ll use the attribute %’sAMAccountName’%@Domain.com
Next to add alternative Proxy addresses we’ll use
%’sAMAccountName’%@domain.com
I’ll open ADModify.net app and select the organization that I would like to apply the changes for
I’ll select Domain from the domain list. Then choose the Domain controller and choose only to show users
Click on the green Next button then click Add to List then click Next under the user to continue
I’ll navigate to Email addresses tab to do the changes and place the domain that I would like to use.
I’ll enter whatever domain and use sAMAccountName since it matches the user’s Email address .
IMPORTANT NOTE:
It’s very important to notice that if you’d like to change the domain in the Proxy Address . You ‘ll need to choose an attribute that matches the user’s existing Proxy address username ..
To add the other domains e.g. domain2, domain3 ..etc I’ll follow the exam same steps just change the end @domain2.com.
That should be all. If you have any questions please don’t hesitate to contact me or comment.
To change the password policy we’ll have first to open Group policy management which is located in “Administrative Tools” on your DC
Right click on “Default Domain Policy” in order to change the password policy for all users within a domain.
This will open the Group Policy Management editor as you can see below where you will have to navigate to “Computer configuration -> Security Settings -> Password Policy” and there you can disable the password complexity, adjust it or change any other settings.
Next when the Group policy opens up the configuration I will go to “Account Policies” and disable the “Password must meet complexity requirements” since this is what I simply want do in my case.
After changing the policy you will need to force updating the policy on all the domain joined clients by using the command line GPupdate /force
When this is finished, all clients must be restarted in order for the group policy change to take effect.