Friday, March 22, 2019

Web Management Service (WMSVC) Won't Start, Exchange Update Fails, Event ID 1007

You may notice this when installing an Exchange 2013/2016 CU. You get-

Error:
The following error was generated when "$error.Clear(); 
          $keyPath = "HKLM:\Software\Microsoft\WebManagement\Server";
          if (!(Get-Item $keyPath -ErrorAction SilentlyContinue))
          {
            New-Item $keyPath -Force
          }
          Set-ItemProperty -path $keyPath -name "EnableRemoteManagement" -value 0x1 -Type DWORD -Force;

          if (Get-Service WMSVC* | ?{$_.Name -eq 'WMSVC'})
          {
            Set-Service WMSVC -StartupType Automatic
            Stop-SetupService -ServiceName WMSVC;
            Start-SetupService -ServiceName WMSVC
          }
        " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WMSVC' failed to reach status 'Running' on this server.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)


You may see Event ID 1007 in the Event Log-
The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE

Unable to read the certificate with thumbprint 'a86cfd8dfd664487ae20e3a5fbcc5e762cf6f1ea'.  Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

This may be because you are missing the WMSVC Certificate. 

To resolve, open IIS, click on the server name on the left, click "Server Certificates"-



Click "Create Self-Signed Certificate", Specify the name "WMSVC", Hit OK.


Click on Management Service.



Change the "SSL Certificate" to WMSVC.  Click Apply.  Start the Web Management Service.
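Before recreating the certificate, you can confirm that the thumbprint named in Event ID 1007 really is missing from the store. This is an added example, not part of the original post or of the Exchange setup script: it reads the `SslCertificateHash` value that WMSVC keeps under the registry key shown in the error above and looks that thumbprint up in the local machine store. The function name is hypothetical, and the `netsh` line assumes the default WMSVC port 8172.

```powershell
# Added example: read-only check of the certificate WMSVC is configured to use.
# Assumes a standard install where the binding is stored as a byte array in
# SslCertificateHash; Get-WmsvcCertificateStatus is a hypothetical helper name.
function Get-WmsvcCertificateStatus {
    param([string]$KeyPath = 'HKLM:\Software\Microsoft\WebManagement\Server')

    $hash = (Get-ItemProperty -Path $KeyPath -ErrorAction SilentlyContinue).SslCertificateHash
    if (-not $hash) {
        return [pscustomobject]@{ Thumbprint = $null; Status = 'NoCertificateConfigured' }
    }

    # The registry holds raw bytes; certificate store thumbprints are upper-case hex.
    $thumb = -join ($hash | ForEach-Object { $_.ToString('X2') })
    $cert  = Get-ChildItem Cert:\LocalMachine\My |
             Where-Object { $_.Thumbprint -eq $thumb } |
             Select-Object -First 1

    # 'MissingFromStore' is the condition behind IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE.
    if (-not $cert) {
        $status = 'MissingFromStore'
    } elseif (-not $cert.HasPrivateKey) {
        $status = 'NoPrivateKey'
    } elseif ($cert.NotAfter -lt (Get-Date)) {
        $status = 'Expired'
    } else {
        $status = 'OK'
    }

    [pscustomobject]@{
        Thumbprint = $thumb
        Subject    = $cert.Subject    # $null when the certificate is missing
        NotAfter   = $cert.NotAfter
        Status     = $status
    }
}

Get-WmsvcCertificateStatus | Format-List
Get-Service WMSVC | Select-Object Name, Status

# The http.sys binding should show the same thumbprint (default WMSVC port assumed).
netsh http show sslcert ipport=0.0.0.0:8172
```

Run it again after applying the new certificate in the Management Service page; the status should read `OK` before you retry the CU.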





Wednesday, March 6, 2019

Fixing Journal Wrap (JRNL_WRAP_ERROR) on a second DC (FRS)

1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters"
2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes.
3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs")
4. Start the NTFRS Service (net start ntfrs)
5. Monitor the File Replication Service Event Logs for events:
• 13553 – The DC is performing the recovery process
• 13554 – The DC is ready to pull the replica from another DC.
• 13516 - At this point go to step 6. (the problem is resolved if you receive this event)
6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth.
7. Change value for "Enable Automatic Restore" from 1 to 0.
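A read-only way to follow steps 5 and 6 from PowerShell instead of refreshing Event Viewer, as an added example that is not part of the original post. It assumes PowerShell 3.0 or later on the affected DC; the function name and parameters are hypothetical, and it changes nothing in the registry or the service.

```powershell
# Added example (read-only): follow steps 5 and 6 from PowerShell on the affected DC.
# Wait-FrsRecovery is a hypothetical helper name; assumes PowerShell 3.0 or later.
$FrsEventIds = 13553, 13554, 13516   # event IDs listed in step 5

function Wait-FrsRecovery {
    param(
        [datetime]$Since = (Get-Date).AddMinutes(-10),  # cover the NTFRS restart
        [int]$TimeoutMinutes = 120,
        [int]$PollSeconds = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $seen = @{}                       # RecordId -> event ID, so each event prints once
    do {
        $events = Get-WinEvent -FilterHashtable @{
            LogName   = 'File Replication Service'
            Id        = $FrsEventIds
            StartTime = $Since
        } -ErrorAction SilentlyContinue | Sort-Object TimeCreated

        foreach ($e in $events) {
            if (-not $seen.ContainsKey($e.RecordId)) {
                $seen[$e.RecordId] = $e.Id
                Write-Host ('{0:s}  event {1}' -f $e.TimeCreated, $e.Id)
            }
        }
        $recovered = @($seen.Values) -contains 13516
        if (-not $recovered) { Start-Sleep -Seconds $PollSeconds }
    } until ($recovered -or ((Get-Date) -ge $deadline))

    # Step 6: the fix only counts once both shares are published again.
    $shares = @(Get-WmiObject Win32_Share |
                Where-Object { 'NETLOGON', 'SYSVOL' -contains $_.Name } |
                ForEach-Object { $_.Name })

    [pscustomobject]@{
        Saw13516      = $recovered
        SharesPresent = $shares
        Resolved      = $recovered -and ($shares.Count -eq 2)
    }
}

Wait-FrsRecovery
```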

Tuesday, March 5, 2019

How to bypass 12 second timeout on AnyConnect

1) Open ASDM.
2) Go to Configuration, Remote Access VPN, AnyConnect Client Profile.
3) Click Add, name it, select the group policy that is tied to your AnyConnect VPN.
4) Click on Preferences Part 2, Scroll to the Bottom, change the Authentication Timeout to 60.
5) Click Server List, Click Add, enter the FQDN of the VPN under Display Name and FQDN.
6) Click OK, Save.

Helpful Tools

IAS (Radius / NPS / Network Policy Server) Log Parser-
https://www.deepsoftware.com/iasviewer/

Blue Screen Viewer-
https://www.nirsoft.net/utils/blue_screen_view.html

Monday, March 4, 2019

PowerShell / Exchange Quick Reference

Office-365-
Download- https://www.microsoft.com/en-us/download/details.aspx?id=41950
Run powershell as admin, Install-Module MSOnline
If you can't, install- http://aka.ms/wmf5download
Unable to install the NuGet provider?
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Restart Powershell, then-
Install-Module PowershellGet -F

$UserCredential = Get-Credential
Connect-MsolService -Credential $UserCredential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

Force Azure AD Sync (Skip 30-minute wait)-
import-module adsync
Start-ADSyncSyncCycle -PolicyType Delta

Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose

Purge Exchange Attributes in Office 365-
Set-User nwitte@fourpointenergy.com -PermanentlyClearPreviousMailboxInfo

If an on-site IT admin deletes the Office 365 object in Exchange Admin Center, you need to re-add it on-prem-
Enable-RemoteMailbox "Alison.Bell@exoip.com"

Put DAG in Maintenance Mode-
Set-ServerComponentState -Identity "EXCH002" -Component HubTransport -State Draining -Requester Maintenance
Redirect-Message -Server "EXCH002" -Target "EXCH001.mgmt.local"
Suspend-ClusterNode "EXCH002"
Set-MailboxServer "EXCH002" -DatabaseCopyActivationDisabledAndMoveNow $true
Get-MailboxServer "EXCH002" | Select DatabaseCopyAutoActivationPolicy  # Make sure it's unrestricted
Set-MailboxServer "EXCH002" -DatabaseCopyAutoActivationPolicy Blocked
Move-ActiveMailboxDatabase -Server "EXCH002" -ActivateOnServer "EXCH001"
Get-MailboxDatabaseCopyStatus -Server "EXCH002" | Where {$_.Status -eq "Mounted"}
Get-Queue
Set-ServerComponentState "EXCH002" -Component ServerWideOffline -State Inactive -Requester Maintenance
Get-ServerComponentState "EXCH002" | Select Component, State

Take DAG out of Maintenance Mode-
Set-ServerComponentState "EXCH002" -Component ServerWideOffline -State Active -Requester Maintenance
Resume-ClusterNode "EXCH002"
Set-MailboxServer EXCH002 -DatabaseCopyAutoActivationPolicy Unrestricted
Set-ServerComponentState EXCH002 -Component HubTransport -State Active -Requester Maintenance
Set-MailboxServer "EXCH002" -DatabaseCopyActivationDisabledAndMoveNow $false
Get-ServerComponentState "EXCH002" | Select Component, State

Check Dag Health-
(Get-DatabaseAvailabilityGroup) | ForEach {$_.Servers | ForEach {Get-MailboxDatabaseCopyStatus -Server $_}}

Check Dag Database Active Server-
Get-MailboxDatabaseCopyStatus * -Active | Select Name,Status,MailboxServer,ActivationPreference,ContentIndexState

Resume Mailbox Copy-
Resume-MailboxDatabaseCopy -Identity DB1\MBX1

Mailbox Size
Get-MailboxDatabase | Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft -property DisplayName,TotalItemSize

How to find discovery mailbox name-
Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

How to create discovery mailbox-
New-Mailbox -Name "Discovery Search Mailbox" -Discovery
Add-MailboxPermission "Discovery Search Mailbox" -User Administrator -AccessRights FullAccess -InheritanceType all

How to export discovery mailbox (or any other mailbox) to PST-
New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -FilePath "\\server\share\export.pst"
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

Get all Mailbox Move Statistics-
Get-MoveRequest -resultsize unlimited | Where-Object {$_.status -notlike "null"} | Get-MoveRequestStatistics | select DisplayName, StatusDetail, *Size, *Percent* | ft

Get list of who has full access to a mailbox-
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

Calendar Permissions-
Get-MailboxFolderPermission -identity "username:\Calendar"

To change permissions on a Calendar item, type the following command:
Add-MailboxFolderPermission -identity "Managingdirector:\Calendar" -user "personalassistant" -AccessRights Editor

Give user full access to mailbox-
Add-MailboxPermission -identity Bob@domain.com -user Alan@domain.com -AccessRights FullAccess -AutoMapping:$false

Give user full access to ALL mailboxes-
Get-Mailbox | Add-mailboxpermission -user Alan@domain.com -AccessRights FullAccess

Forward to External Email address *without* making a contact-
Set-Mailbox -Identity user@internaldomain.com -DeliverToMailboxAndForward $true -ForwardingSMTPAddress user@externaldomain.com

See if mail is forwarding-
Get-Mailbox user@domain.com | FL DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

Check all forwarding-
Get-Mailbox -ResultSize Unlimited | Where {($_.ForwardingAddress -ne $Null) -or ($_.ForwardingsmtpAddress -ne $Null)} | Select Name, ForwardingAddress, ForwardingsmtpAddress, DeliverToMailboxAndForward

Change UPN-
Set-MsolUserPrincipalName -UserPrincipalName <OldUPN> -NewUserPrincipalName <NewUPN>

Check Searching-
Get-MailboxDatabaseCopyStatus -Server $env:ComputerName | Format-Table Name,Status,ContentIndex* -Auto
Test-ExchangeSearch -Identity AlanBrewer@contoso.com

Distribution Group Send As
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@Megastarfinance.onmicrosoft.com           
Add-RecipientPermission -Identity accounting@megastarfinancial.com -Trustee dlewis@megastarfinancial.com -AccessRights SendAs

Non-Exchange-
Get list of enabled accounts sorted by password last changed date-
Get-ADUser -filter {Enabled -eq $True} -Properties passwordlastset | sort passwordlastset -descend | ft -property samaccountname,passwordlastset

Get Members of Domain Admin-
Get-ADGroupMember "Domain Admins" | ft -property samaccountname

Get Password Never Expires-
Get-ADUser -filter {Enabled -eq $True} -Properties passwordneverexpires | sort PasswordNeverExpires | ft -property SamAccountName,PasswordNeverExpires

Last Logon-
Get-ADUser -filter {Enabled -eq $True} -Properties LastLogonDate | sort LastLogonDate | ft -property SamAccountName,LastLogonDate

Find Windows 7 Computers that logged in within 30 days-
Get-ADComputer -Properties * -Filter {Enabled -eq $True -and OperatingSystem -like "Windows 7*"} | Where { $_.LastLogonDate -GT (Get-Date).AddDays(-30) } | FT Name, OperatingSystem, LastLogonDate -Autosize

Only enabled accounts
Get-ADUser -filter {Enabled -eq $True} -Properties passwordlastset | select samaccountname,passwordlastset | export-csv test.csv

All accounts-
Get-ADUser -filter * -Properties passwordlastset | select Name,samaccountname,passwordlastset,Enabled | export-csv test.csv

Sample user inventory-
$date = Get-Date -Format ddMMMyyyy_HH_mm
Get-ADUser -Filter * -server dc1 -Properties DistinguishedName, DisplayName, Enabled, whenCreated, whenChanged, lastLogon, LastLogonDate, memberOf | Select Name,DisplayName,DistinguishedName,Enabled,@{n='LastLogon';e={[DateTime]::FromFileTime($_.LastLogon)}},LastLogonDate, whenCreated,whenChanged,@{n="memberof";e={[string]$_.memberof}},  @{N='DOMAIN';E={("XXX ")}} | Export-Csv -Delimiter ~ c:\temp\AD_Users_$date.txt -NoTypeInformation

To sync AD sync-
Import-Module ADSync

# For a Delta Sync (most common, and used for most situations):
Start-ADSyncSyncCycle -PolicyType Delta

# For a Full Sync (only necessary in some situations):
Start-ADSyncSyncCycle -PolicyType Initial

Output - Out-GridView

Set-User callie@providentconstruction.com -PermanentlyClearPreviousMailboxInfo



Open PowerShell, type-

 get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

To Export to CSV-
Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:\temp\user-password-info-20131119.csv


For enabled only-
get-aduser -filter 'enabled -eq $true'  -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

To see an account's creation date-

Get-ADUser <UserName> -Properties whenCreated | Format-List Name,whenCreated