How to migrate from FRS to DFS on a domain

Ensure the health of AD and FRS on all domain controllers is known to be healthy. Ensure SYSVOL and NETLOGON are shared on all DCs.

Migrate to Prepared State - You will migrate to the Prepared state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the FRS copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin):
Dfsrmig /setglobalstate 1

Run the following to force AD to sync.

dfsrdiag pollad

repadmin /syncall /AdeP

Dfsrmig /setglobalstate 1

Wait for this AD value on the PDCE to converge on all domain controllers, Use the following command to see progress:
Dfsrmig /getmigrationstate

Migrate to Redirected State - You will migrate to the Redirected state, where both FRS and DFSR are replicating their own individual copies of SYSVOL, but the DFSR copy mounts the SYSVOL and Netlogon shares. On the PDC Emulator domain controller, run (as an elevated domain admin): 

Dfsrmig /setglobalstate 2

Wait for this AD value on the PDCE to converge on all domain controllers. Use the following command to see progress: 

Dfsrmig /getmigrationstate

You will migrate to the Eliminated state, where DFSR is replicating SYSVOL and FRS is removed. Unlike the Prepared and Redirected states, there is no way to go backwards from this step - once executed, FRS is permanently stopped and cannot be configured again. On the PDC Emulator domain controller, run (as an elevated domain admin): 

Dfsrmig /setglobalstate 3

Wait for this AD value on the PDCE to converge on all domain controllers, then for DFSR to switch to Eliminated state on each domain controller and update AD, and finally for that value to replicate back to the PDCE. Use the following command to see progress: 

Dfsrmig /getmigrationstate

WSUS Troubleshooting

gpupdate /force

Check GPO-
gpresult /r
gpresult /h gpreport.html

Check Windows Update Server-
reg query HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate

Reset password or unlock account on VMware appliances

Reboot, press e.

Add- rw init=/bin/bash to the Linux command, press F10
mount -o remount, rw /

To reset pw-
passwd

To unlock-
/sbin/pam_tally2 -r -u root

umount /
reboot -f

Cisco Anyconnect, users intermittently do not have DNS Resolution

Cisco Anyconnect, users intermittently do not have DNS Resolution-

This is the bug, CSCtf20226 and CSCtz86314.  You can work around it by bypassing IPv6.

Under the group policy for the VPN-
client-bypass-protocol enable

Cisco ASA ASDM IDM Launcher Won't Run on Windows 10 "this app can't run on your pc"

Go to Start, Cisco ASDM-IDM Launcher, right click the launcher and go to Open file location.

Right Click on the Shortcut and go to Properties.  In the Target Field, you'll see a long path to  wscript.exe.  Change this to C:\Windows\System32\wscript.exe note - leave everything else alone including the invisible.vbs run.bat on the end as these scripts are used to open up ASDM.).

How to disable TLS 1.0 and TLS 1.1 on ASA

ssl server-version tlsv1.2
ssl cipher tlsv1.2 custom "ECDHE-ECDSA-AES256-GCM-SHA384 ECDHE-RSA-AES256-GCM-SHA384 DHE-RSA-AES256-GCM-SHA384 ECDHE-ECDSA-AES256-SHA384 ECDHE-RSA-AES256-SHA384 DHE-RSA-AES256-SHA256"
ssl cipher dtlsv1 custom "DHE-RSA-AES256-SHA DHE-RSA-AES128-SHA"
ssl dh-group group14

Then go to https://www.ssllabs.com/ssltest to test.

Web Management Service (WMSVC) Won't Start, Exchange Update Fails, Event ID 1007

You may notice this installing and Exchange 2013/2016 CU, you get-

Error:
The following error was generated when "$error.Clear(); 
          $keyPath = "HKLM:\Software\Microsoft\WebManagement\Server";
          if (!(Get-Item $keyPath -ErrorAction SilentlyContinue))
          {
            New-Item $keyPath -Force
          }
          Set-ItemProperty -path $keyPath -name "EnableRemoteManagement" -value 0x1 -Type DWORD -Force;

          if (Get-Service WMSVC* | ?{$_.Name -eq 'WMSVC'})
          {
            Set-Service WMSVC -StartupType Automatic
            Stop-SetupService -ServiceName WMSVC;
            Start-SetupService -ServiceName WMSVC
          }
        " was run: "Microsoft.Exchange.Configuration.Tasks.ServiceDidNotReachStatusException: Service 'WMSVC' failed to reach status 'Running' on this server.
   at Microsoft.Exchange.Configuration.Tasks.Task.ThrowError(Exception exception, ErrorCategory errorCategory, Object target, String helpUrl)

You may see Event ID 1007 in the Event Log-
The description for Event ID 1007 from source Microsoft-Windows-IIS-IISManager cannot be found. Either the component that raises this event is not installed on your local computer or the installation is corrupted. You can install or repair the component on the local computer.

If the event originated on another computer, the display information had to be saved with the event.

The following information was included with the event: 

IISWMSVC_STARTUP_UNABLE_TO_READ_CERTIFICATE

Unable to read the certificate with thumbprint 'a86cfd8dfd664487ae20e3a5fbcc5e762cf6f1ea'.  Please make sure the SSL certificate exists and that is correctly configured in the Management Service page.

This may be because you are missing the WMSVC Certificate. 

To resolve, open IIS, click on the server name on the left, click "Server Certificates"-

Click "Create Self-Signed Certificate", Specify the name "WMSVC", Hit OK.


Click on Management Service.

Change the "SSL Certificate" to WMSVC.  Click Apply.  Start the Web Management Service.

Fixing Journal Wrap (JRNL_WRAP_ERROR) on a second DC (FRS)

1. Expand "HKLM\System\CurrentControlSet\Services\NtFrs\Parameters" 2. Change value for "Enable Journal Wrap Automatic Restore" from 0 to 1. If the DWORD Value does not exist, create a new one with the exact spelling as above, including spaces but without the quotes. 3. Stop the NTFRS Service (open a command prompt and type "net stop ntfrs" 4. Start the NTFRS Service (net start ntfrs) 5. Monitor the File Replication Service Event Logs for events: • 13553 – The DC is performing the recovery process
• 13554 – The DC is ready to pull the replica from another DC. • 13516 - At this point go to step 6. (the problem is resolved if you receive this event) 6. Using a command prompt type: "net share" and look for the Netlogon and Sysvol Shares to appear. The error is only fixed after the Domain Controller receives the new SYSVOL replica from a peer Domain Controller. This may take a period of time depending on where your peer DC is located and on bandwidth. 7. Change value for "Enable Automatic Restore" from 1 to 0.

How to bypass 12 second timeout on AnyConnect

1) Open ASDM.
2) Go to Configuration, Remote Access VPN, AnyConnect Client Profile.
3) Click Add, name it, select the group policy that is tied to your anyconnect VPN.
4) Click on Preferences Part 2, Scroll to the Bottom, change the Authentication Timeout to 60.
5) Click Server List, Click Add, enter the FQDN of the VPN under Display Name and FQDN.
6) Click OK, Save.

Helpful Tools

IAS (Radius / NPS / Network Policy Server) Log Parser-
https://www.deepsoftware.com/iasviewer/

Blue Screen Viewer-
https://www.nirsoft.net/utils/blue_screen_view.html

PowerShell / Exchange Quick Reference

Office-365-
Download- https://www.microsoft.com/en-us/download/details.aspx?id=41950
Run powershell as admin, Install-Module MSOnline
If you can't, install- http://aka.ms/wmf5download
Unable to install Nugent Provider?
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
Restart Powershell, then-
Install-Module PowershellGet -F

Connect-MsolService -Credential $credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection

Import-PSSession $Session -DisableNameChecking

Force Azure AD Sync (Skip 30-minute wait)-
import-module adsync
Start-ADSyncSyncCycle -PolicyType Delta

Import-Module -Name "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync" -Verbose

Purge Exchange Attributes in Office 365. Set-User nwitte@fourpointenergy.com -PermanentlyClearPreviousMailboxInfo

Some on-site IT admin deletes the Office 365 object in Exchange Admin Center, you need to re-add it on-prem-

Enable-RemoteMailbox "Alison.Bell@exoip.com"

Put DAG in Maintenance Mode-
Set-ServerComponentState -Identity “EXCH002” -Component HubTransport -State Draining -Requester Maintenance
Redirect-Message -Server “EXCH002” -Target “EXCH001.mgmt.local”
Suspend-ClusterNode “EXCH002”
Set-MailboxServer “EXCH002” -DatabaseCopyActivationDisabledAndMoveNow $true
Get-MailboxServer “EXCH002” | Select DatabaseCopyAutoActivationPolicy (Make sure it's unrestricted)
Set-MailboxServer “EXCH002” -DatabaseCopyAutoActivationPolicy Blocked
Move-ActiveMailboxDatabase -Server "EXCH002" -ActivateOnServer "EXCH001"
Get-MailboxDatabaseCopyStatus -Server “EXCH002” | Where {$_.Status -eq “Mounted”}

Get-Queue

Set-ServerComponentState “EXCH002” -Component ServerWideOffline -State Inactive -Requester Maintenance
Get-ServerComponentState “EXCH002” | Select Component, State

Take Dag out Maintenance Mode-
Set-ServerComponentState “EXCH002” -Component ServerWideOffline -State Active -Requester Maintenance
Resume-ClusterNode “EXCH002”
Set-MailboxServer EXCH002 –DatabaseCopyAutoActivationPolicy Unrestricted
Set-ServerComponentState EXCH002 –Component HubTransport –State Active –Requester Maintenance
Set-MailboxServer “EXCH002” -DatabaseCopyActivationDisabledAndMoveNow $false

Get-ServerComponentState “EXCH002” | Select Component, State

Check Dag Health-
(Get-DatabaseAvailabilityGroup) | ForEach {$_.Servers | ForEach {Get-MailboxDatabaseCopyStatus -Server $_}}

Check Dag Database Active Server-
Get-MailboxDatabaseCopyStatus * -Active | Select Name,Status,MailboxServer,ActivationPreference,ContentIndexState

Resume Mailbox Copy-
Resume-MailboxDatabaseCopy -Identity DB1\MBX1

Mailbox Size
Get-MailboxDatabase | Get-MailboxStatistics | Sort-Object TotalItemSize  -Descendin | ft -property DisplayName,TotalItemSize

How to find discovery mailbox name-
Get-Mailbox -Resultsize unlimited -Filter {RecipientTypeDetails -eq "DiscoveryMailbox"}

How to create discover mailbox-
New-Mailbox -Name "Discovery Search Mailbox" -Discovery
Add-MailboxPermission "Discovery Search Mailbox" -User Administrator -AccessRights FullAccess -InheritanceType all

How to export discovery mailbox (or any other mailbox) to PST-
New-MailboxExportRequest -Mailbox "Discovery Search Mailbox" -FilePath "\\server\share\export.pst"
Get-MailboxExportRequest | Get-MailboxExportRequestStatistic

Get all Mailbox Move Statistics-
Get-MoveRequest -resultsize unlimited | Where-Object {$_.status -notlike “null”} | Get-MoveRequestStatistics | select DisplayName, StatusDetail, *Size, *Percent* | ft

Get list of who has full access to a mailbox-
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions.csv

Calendar Permissions-
Get-MailboxFolderPermission -identity “username:\Calendar”

To change permissions on a Calendar item, type the following command:
Add-MailboxFolderPermission -identity “Managingdirector:\Calendar” -user “personalassistant” -AccessRights Editor

Give user full access to mailbox-
Add-MailboxPermission -identity Bob@domain.com –user Alan@domain.com –AccessRights FullAccess -AutoMapping:$false 

Give user full access to ALL mailboxes-
Get-Mailbox | Add-mailboxpermission -user Alan@domain.com -AccessRights FullAccess

Forward to External Email address *without* making a contact-
Set-Mailbox -Identity user@internaldomain.com -DeliverToMailboxAndForward $true -ForwardingSMTPAddress user@externaldomain.com

See if mail is forwarding-
Get-Mailbox user@domain.com | FL DeliverToMailboxAndForward,ForwardingAddress,ForwardingSmtpAddress

Check all forwarding-
Get-Mailbox -ResultSize Unlimited | Where {($_.ForwardingAddress -ne $Null) -or ($_.ForwardingsmtpAddress -ne $Null)} | Select Name, ForwardingAddress, ForwardingsmtpAddress, DeliverToMailboxAndForward

Change UPN-
Set-MsolUserPrincipalName -UserPrincipalName <OldUPN> -NewUserPrincipalName <NewUPN>

Check Searching-
Get-MailboxDatabaseCopyStatus -Server $env:ComputerName | Format-Table Name,Status,ContentIndex* -Auto
Test-ExchangeSearch -Identity AlanBrewer@contoso.com

Distribution Group Send As
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName admin@Megastarfinance.onmicrosoft.com           
Add-RecipientPermission -Identity accounting@megastarfinancial.com -Trustee dlewis@megastarfinancial.com -AccessRights SendAs

Non-Exchange-

Get list of enabled accounts sorted by password last changed date-
Get-ADUser -filter {Enabled -eq $True} -Properties passwordlastset | sort passwordlastset -descend | ft -property samaccountname,passwordlastset

Get Members of Domain Admin-
Get-ADGroupMember "Domain Admins" | ft -property samaccountname

Get Password Never Expires-
Get-ADUser -filter {Enabled -eq $True} -Properties passwordneverexpires | sort PasswordNeverExpires | ft -property SamAccountName,PasswordNeverExpires

Last Logon-
Get-ADUser -filter {Enabled -eq $True} -Properties LastLogonDate | sort LastLogonDate | ft -property SamAccountName,LastLogonDate

Find Windows 7 Computers that logged in within 30 days-
Get-ADComputer -Properties * -Filter {Enabled -eq $True -and OperatingSystem -like "Windows 7*"} | Where { $_.LastLogonDate -GT (Get-Date).AddDays(-30) } | FT Name, OperatingSystem, LastLogonDate -Autosize

Only enabled accounts

Get-ADUser -filter {Enabled -eq $True} -Properties passwordlastset | ft -property samaccountname,passwordlastset | export-csv test.csv

All accounts-
Get-ADUser -filter * -Properties passwordlastset | select Name,samaccountname,passwordlastset,Enabled | export-csv test.csv

Sample user inventory-
$date = Get-Date -Format ddMMMyyyy_HH_mm

Get-ADUser -Filter * -server dc1 -Properties DistinguishedName, DisplayName, Enabled, whenCreated, whenChanged, lastLogon, LastLogonDate, memberOf | Select Name,DisplayName,DistinguishedName,Enabled,@{n='LastLogon';e={[DateTime]::FromFileTime($_.LastLogon)}},LastLogonDate, whenCreated,whenChanged,@{n="memberof";e={[string]$_.memberof}},  @{N='DOMAIN';E={("XXX ")}} | Export-Csv -Delimiter ~ c:\temp\AD_Users_$date.txt -NoTypeInformation

To sync AD sync-
Import-Module ADSync

# For a Delta Sync (most common, and used for most situations):
Start-ADSyncSyncCycle -PolicyType Delta

# For a Full Sync (only necessary in some situations):
Start-ADSyncSyncCycle -PolicyType Initial

Output - Out-GridView

Set-User callie@providentconstruction.com -PermanentlyClearPreviousMailboxInfo

Open PowerShell, type-

 get-aduser -filter * -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

To Export to CSV-

Get-ADUser -filter * -properties passwordlastset, passwordneverexpires | sort-object name | select-object Name, passwordlastset, passwordneverexpires | Export-csv -path c:tempuser-password-info-20131119.csv

For enabled only-

get-aduser -filter 'enabled -eq $true'  -properties passwordlastset, passwordneverexpires |ft Name, passwordlastset, Passwordneverexpires

To see an accounts creation date-

Get-ADUser <UserName> -Properties whenCreated | Format-List Name,whenCreated

Cisco ASA Anyconnect, some users can't resolve DNS queries.

group-policy <name> attributes
 client-bypass-protocl enable

This will disable IPv6 if it's not enabled on the vpn.

Windows Server 2019, The product key you entered didn't work. Check the product key and try again, or enter a different one. (0x80070490)

Open a command prompt as administrator.

Run-

c:\windows\system32\slmgr.vbs /ipk <product_key>

OR

DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula

How to get your Dell Service Tag from the command prompt

How to get your Dell Service Tag from the command prompt-

Type-
wmic bios get serialnumber

You try to upgrade a VMware ESXi host and get "conflicting vibs"

You try to upgrade a VMware ESXi host and get "The system encountered the following error(s)." "conflicting vibs"

SSH into the host.

esxcli software vib list | grep Mell

esxcli network nic liste

sxcli software vib remove -n net-mst

How to get an old iDrac7 to work with Java

Note- this is a bad idea from a security standpoint, so bear that in mind.



Open a command prompt as Administrator

Navigate to-  C:\Program Files (x86)\Java\jre1.8.0_131\lib\security

Edit java.security (notepad)

Remove the algorithms jdk.jar.disabledAlgorithms and comment out the line that begins with jdk.tls.disabledAlgorithms=.