Setup DC for time sync to external NTP server

The following steps can be taken to force your Domain Controller to sync with an external NTP server.

Run CMD as Administrator

net stop w32time

w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update

net start w32time

Allow BitLocker without a TPM

If you're using a computer which hasn't got a TPM, you can still enable BitLocker on the OS drive.  You will simply need to update the Local Group Policy (or normal Group Policy if you're within a Domain) to reflect the following:

Once done, you will be able to set a password-defined BitLocker on your OS drive.

Monitor SCCM Updates

With recent versions of SCCM, you can now perform in-place updates of SCCM.  This is a great way of updating the application without having to download external ISOs etc.

The only issue is that once you have kicked off the install, you have no way of monitoring the progress within the application itself.  We have to move to the LOG files in order to monitor this.

You can see the update highlighted here:

If you right-click the update, you can see "Install Update Pack".

Once you have done this, the only way to monitor the progress is by opening up the following LOG file within CMTrace:

C:\Program Files\Microsoft Configuration Manager\Logs\CMUpdate.log

This will update automatically as there's new information, and it's an easy way to see where the installation is at and whether there's any problems.

Windows Update Error: 80243004

Recently I was running Windows Update on a client's server, and I encountered the following error message:

Luckily this is a nice and easy fix.

1. Right-click task-bar and click on Properties

2. Click Customize

3. Tick Always show all icons and notifications on the taskbar

Once you've done that, simply click Try Again and it should work for you now.

Error apply Hard Drive changes | Failed to add device 'Synthetic Disk Drive' | Hyper-V

So today I was adding a new disk to a clustered virtual machine running in a Hyper-V environment.
When I clicked 'apply' to save the changes I'd made, I received the following error message:

The device was being saved from one of the Virtual Machine Hosts, to a SAN where all the HDDs were located.

Luckily, this was a nice and easy fix.  When you're going into the drive settings, check on the top-left corner where it shows you the iSCSI Controller / IDE Controller.

Simply change this to one of the other settings, and click 'apply', to see whether it will let you save it.  In my case, it was set to IDE Controller 0, and I needed to change it to SCSI Controller.

Once you've changed this, you should be good to go!

Veeam for Office 365 | Invalid Exchange Server version

Recently I noticed that clients of mine who were using Veeam for Office 365 started having issues with the product backing up their emails.

After looking into this, it looks as if Microsoft have updated their Exchange backend version without telling anyone, which has caused this issue.  Whilst there's no update available through Veeam at the moment, logging a support case with them provided me with a fix to get this up and running.

The error message in question here states "Invalid Exchange Server version".  This starts to fail for most mailboxes, and will eventually fail for all mailboxes.  Obviously this is a P1 issue, as you don't have backups up and running.

The fix is only available if you're running version 1.0.0.912, and is the following:

Download the hostfix file from https://storage.veeam.com/Fix_113114_fbcf2c440c.zip and follow the instruction to apply the hot fix. 

The workflow:

1. Stop all the jobs
2. Stop “Veeam Backup for Microsoft Office 365 Service”
3. Rename and replace Veeam.Ews.dll with the DLL from the archive in C:\Program Files\Veeam\Backup365 (don't forget to back up the original DLL)
4. Start “Veeam Backup for Microsoft Office 365 Service”
5. Retry the job

After performing this fix, it has 100% resolved the issue for my clients.

Hide User from GAL - Office 365 | AD Attribute

The following method will allow you to hide a user from the Global Address List if you're using Office 365 with Azure AD Connect.

From within AD, click on View, then Advanced Features

Find the user you'd like to amend and open up their AD object (note you will need to find the user account within AD, you can't search for it).

Find the following attribute and set it to True

msExchHideFromAddressLists

The next time Azure AD Connect syncs, it will update this attribute and the users will be hidden from the GAL.

Note: the GAL can take up to 24 hours to sync for each Outlook application.

Update Hyper-V Integration Services

I was recently on a Hyper-V host where a few of the VMs were saying the integration services required an update.

To update this, open up the VM through Hyper V manager, then click Action > Insert Integration Services Setup Disk.

Run the setup from within the VM

A message will show up saying that it's detected a previous version of the services and asks whether you'd like to upgrade it

Once you've clicked OK, it will give you a progress bar for the installation

Once finished installing, you will need to restart the VM

The final step is to simply eject the Integration Services from the VM

This process will need to be carried out on each VM you're running in your environment, if you notice it requires an Integration Services update.  Just note that because of the reboot, it will cause down-time. 

Office 365 Hybrid Deployment - Mail Loop

If you're ever in the middle of an Office 365 Hybrid deployment, you've configured everything correctly but you notice that when you're testing the mail flow from one premise to the other, it's causing a continuous mail flow (you will receive a NDR), the first thing I would suggest you look into is whether there's a gateway in the middle of your on-prem Exchange and your Office 365 environment.

Office 365 Hybrid is only supported if you have nothing between your on prem Exchange, and the O365 environment.  That means no IronPorts etc getting in the way.

I recently encountered an issue where there was a continuous mail flow symptom.  Office 365 was trying to deliver the email to on prem Exchange, it was caught up in the IronPort and then it tried to deliver it back to Office 365.  To get around this I opened Exchange up to the internet by NATting Port 25 on a different WAN IP which would bypass the IronPorts entirely.  I amended the Connectors in Office 365 so they'd connect through that address, rather than through the IronPorts.

Once this was done, the issue resolved itself immediately.

Create new AD User with Remote Mailbox | Office 365 Hybrid

I recently had a client who had a Hybrid Office 365 who required a set of users to be created, and Office 365 mailboxes created at hte same time.  Whilst I could have had a script to create the users, then go through and add mailboxes to them, I decided that it would be better to smash it all in one hit.

Thanks to my colleague Gareth for writing this script

The following process is comprised of two steps.

1. Run a script that references a CSV File
2. A CSV file that has all the relevant information in it

In this case my CSV file had the following:

The BackupEmail was put there at the Client's request.  It was just an area to put the user's personal email address within the AD object.  

The script used is the following, which needs to be saved as CreateUsers.csv.  Note the bold areas which are the variables that have been included.

$Users = Import-Csv -Path "C:\Userlist.csv"

$OU = "OU=Sub-OU,OU=Parent-OU,DC=DOMAIN,DC=com,DC=au"     

foreach ($User in $Users)           

{           

    $Displayname = $User.Firstname + " " + $User.Lastname           

    $UserFirstname = $User.Firstname           

    $UserLastname = $User.Lastname           

    $SAM = $User.Username         

    $UPN = $User.Firstname + "." + $User.Lastname + "@domain"        

    $Password = "<insertpassword>" 

    $Mobile = $User.Mobile

     $remoterouting = "smtp:" + $UPN

     $Notes = $User.BackupEmail

    New-ADUser -Name "$Displayname" -DisplayName "$Displayname" -SamAccountName $SAM -UserPrincipalName $UPN -GivenName "$UserFirstname" -Surname "$UserLastname" -AccountPassword (ConvertTo-SecureString $Password -AsPlainText -Force) -Enabled $true -Path "$OU" -ChangePasswordAtLogon $false –PasswordNeverExpires $true -MobilePhone $Mobile -HomePhone $Notes

    Enable-RemoteMailbox $SAM -RemoteRoutingAddress $remoterouting

}

Save the script as well as the .csv file into the same location, then run the script through Exchange Management Shell.

This will create the user account and will also create the Office 365 Mailbox which can be viewed from either Exchange On Prem, or the O365 Tenant.  Remember that it takes a bit of time for Azure AD Connect to sync all the AD objects as well.  It might help to force an Azure AD Connect sync.

The last step you will need to do is to assign an Office 365 license to that particular user, or users.

Don't worry though, I've got that covered in a previous blog post.

The Group Policy Client service failed the logon - Access is denied

I recently had a client who was receiving this error when he was trying to log into his domain account:

The fix for this is rather simple and straight-forward, however it's rather nasty if you don't know what to do.  The following steps can be followed to resolve this issue:

• Login with another account, preferably a Domain Admin account
• This should work as the issue is with the profile, not the computer
• Create a local account on the machine and ensure it's also a local administrator
• Remove the machine from the domain
• Login as the local account you just created
• Rename the profile name in C:\Users 
• I would usually create a new folder called "Backup" and then move the profiles into there
• Open Start Menu and search for Regedit
• Open the following location
  HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList

• Click on the different SIDs until you find the one that has Profile Path which is related to the user that's having problems

• Right-click the SID and export it just to make sure you have a copy

• Delete the SID

• Join the computer back to the domain
• I had deleted the computer object from AD and I even renamed the computer
• Login as the user who was having problems
• Should be working perfectly now.

Update App Deployment Client Connectivity Restriction | SCCM

I recently had a client who's using SCCM, and was needing to install a particular application on many computers.  These machines happened to be in a workshop and they were testing the deployment by doing the manual install (through Software Centre).  They noticed that whilst they elected to install this particular app on about 30 machines, most of the workstations would say "Waiting to install", whilst only about 5 or so machines would actually be installing the app at one time.

Ultimately every machine received the application, however they wanted to know why it was limited to this small number, and what we could do to increase that.

To update this number to allow more machines simultaneously installing applications, we need to do the following:

Administration > Site Configuration > Sites > Configure Site Components > Software Distribution

The highlighted section is what I had updated.

The next part I updated was the following:

Administration > Site Configuration > Sites > Right-click site name and click Properties > "Sender" tab

I updated the circled settings to be 15 each.

Increase Public Folder Quotas | Office 365

Recently a client of mine received a warning message saying a certain Public Folder was running low on space and they needed to delete some items.

This is the standard message you get from Exchange/Office 365 if your mailbox is running out of space etc, however with this being Office 365, I would have thought this limit would be much larger (or at least the client wouldn't have encountered this message for a period of time).

I logged into Office 365 and checked the Public Folder settings to make sure nothing was explicitly set, and that they were just getting the default quotas.

Whilst you can simply change the storage quotas section to not use the organisation quota defaults, this wasn't really practical as this client had about 15 different Public Folders.  It was much easier to just change the entire organisation's quota defaults and have it affect all the Public Folders.

In order to change this, you will need to do the following:

1. Sign into Office 365 through PowerShell
Note: this links to a previous blog post of mine which goes through how to sign into O365 using PS
2. Type the following command to find out what the current warning and prohibit quotas are set to:

Get-OrganizationConfig -DefaultPublicFolderIssueWarningQuota,DefaultPublicFolderProhibitPostQuota

As you can see here, the warning message is set to 1.7GB, and the prohibit message is set to 2GB. Neither of which is really acceptable. 

I changed this to warn at mailbox size 45GB, and prohibit at mailbox size 49GB.  This will mean that they will not have to worry about this filling up for a long period of time.

In order to do this, I typed two commands:

1. Set-OrganizationConfig -DefaultPublicFolderProhibitPostQuota 49GB
2. Set-OrganizationConfig -DefaultPublicFolderIssueWarningQuota 45GB

You can see in the below screenshot that after doing this, I then ran the Get-OrganizationConfig again to confirm the limits.

Configure Squid Proxy with LDAP Auth | Active Directory

Recently a client of mine asked if we could implement a proxy server which forced each user to authenticate with their AD credentials.  They currently had a rather cut-down Squid server running in their environment and it was logging traffic, but there was no way to work out which users were browsing the most.  There was IP tracking, but when using a hot-desk situation, no user had a specific machine.

The following steps are what I've done to get this up and running where it forces each user to authenticate against AD, and denies all access if they don't authenticate correctly.

Assumptions: there is the assumption that you've already got a working copy of Linux up and running in your virtual environment.  In this case, I was using Ubunut 16.04.
The other assumption is that you have installed the LDAP role within Server Manager within your AD environment.

1. Download/Install Squid
sudo apt-get install squid
This will install Squid onto the Linux machine.  

2. Open ldap.conf which can be found at /etc/ldap/ldap.conf

3. Set BASE to your domain (in my case its test.internal as I've blogged this within a test environment).  I've updated the URI section too, however it's hashed out and not needed.

4. Edit squid.conf which can be found here: /etc/squid/squid.conf

5. Search for the follow section auth_param basic program, then enter the following details:

Note: most of this will already be there, you will just need to un-hash it.  The IP address used is the DC.  The blurred out section is the password I have used for the Administrator account which is mentioned within this section.
Also note that the credentialsttl will be how long a user can be logged in for before they're prompted again.  For testing purposes I set it to 15 minutes, you could set this to 2 hours.

6. Within the same document, search for acl safe_ports and then add the highlighted section below:

7. In the same document, search for http_access allow localhost, then add the highlighted section underneath it

8. Search for cache_dir ufs and then un-hash that section

9. Update the proxy settings within your environment to point to the Squid server on port 3128.  When you try to access a website, you should be greeted with the following message:

Install reporting tool for tracking user's browsing

In order to track the user's browsing, you will need to get Webmin, and also SARG.  These work together to allow you to make nice little reports which will show where users have been going and how much data they're using etc.

The following tasks will be completed within the Terminal

1. sudo nano /etc/apt/sources.list

2. Add the following two lines to the document you've just opened up

deb http://download.webmin.com/download/repository sarge contrib

deb http://webmin.mirror.somersettechsolutions.co.uk/repository sarge contrib

3. Save the document and close out of it

4. sudo wget http://www.webmin.com/jcameron-key.asc

5. sudo apt-key add jcameron-key.asc

6. sudo apt-get update

7. sudo apt-get install webmin -y

8. sudo ufw allow 10000

This will then allow you to access the Webmin web portal on https://localhost:10000

Log in with your administrator (local admin) credentials

Click on un-used modules then find Squid Proxy

You will most likely see a message saying it wasn't able to find squid.  This will be because it's looking for /squid3/ rather than just /squid/.  You will need to edit the config and change squid3 to just squid everywhere you see it.

In order to use the Squid Report Generator, you will need to install SARG.  To do this, open Terminal and type the following:

sudo apt-get install sarg

Then you can click on Squid Report Generator within Webmin and be able to run reports on usage etc.

Import Mail Contacts into Office 365 from CSV File | PowerShell

This blog post has been created as I have recently needed to upload hundreds of Mail Contacts into Office 365.

1. Create a CSV file which has the following columns:
ExternalEmailAddress,Name,FirstName,LastName

2. Populate the CSV file with the required contents.  Name will be their Display Name, so there cannot be any spaces etc.  Usually with this I will populate the FirstName & LastName and then have the following for Name:
=C2&D2
This will combine the first name and the last name and remove any spaces etc.  Then just drag this down for all the users and it will populate for everyone.

3. Save this file as ImportContacts.csv
4. Open PowerShell ISE and add the following contents
(change the bold section to reflect where you've saved your ImportContacts CSV file).

#Connect To Exchange Online 
$UserCredential = Get-Credential 
$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection 
Import-PSSession $Session

#Function to pick the CSV File 
Function Get-FileName($initialDirectory) 
{ 
[System.Reflection.Assembly]::LoadWithPartialName(“System.windows.forms”) | 
Out-Null

$OpenFileDialog = New-Object System.Windows.Forms.OpenFileDialog 
$OpenFileDialog.initialDirectory = $initialDirectory 
$OpenFileDialog.filter = “All files (*.*)| *.*” 
$OpenFileDialog.ShowDialog() | Out-Null 
$OpenFileDialog.filename 
} #end function Get-FileName 
#Command To Launch Function and store it in the variable 
$PathToCSV = Get-FileName -initialDirectory "C:\Users\adam.arkwright\Desktop\ImportContacts.csv"

#Commands to import CSV file to contacts then export the contact list for comparison 
Import-Csv $PathToCSV | %{New-MailContact -Name $_.Name -DisplayName $_.Name -ExternalEmailAddress $_.ExternalEmailAddress -FirstName $_.FirstName -LastName $_.LastName} 
Get-MailContact | Select DisplayName,ExternalEmailAddress,FirstName,LastName | Out-GridView 
Get-MailContact | Select DisplayName,ExternalEmailAddress | Export-Csv "C:\Users\adam.arkwright\Desktop\ExportedContacts.csv"

5. Save this as ImportContacts.ps1 somewhere easily accessible. 
6. Open PowerShell as administrator and run ImportContacts.ps1

This will then ask you for your Office 365 Username and Password.  Make sure you use the administrator credentials.  If there's any issues, you may find a File Explorer windows pop up.  If this happens, simply navigate to where you've saved the .csv file and double click on it.  Then it will go through and start importing all the contents into your Office 365 tenant.

Windows 10 | Connect to wireless automatically before logging in

A client of mine had a MS Surface running Windows 10.  They were almost 100% wireless and kept running into issues where they'd login to their profile and then it would connect to the wireless.  That's not usually a problem, however in this case it was a roaming profile and caused some issues with connectivity.

To get around this, I was able to save the credentials prior to logging in, which allowed the Surface to connect to the Wireless before they actually go through the login process, and ensure that it has access to a Domain Controller.

Click on the 'WiFi' option from Network Settings

Click Wireless Properties

Click Advanced Settings

Select User Credentials then click Save Credentials.  It will then ask you to type in a username and password which it will then use to authenticate against the wireless prior to logging in.

Note: this isn't a scalable solution, and merely designed to get one or two users up and running on wireless devices.  This will cause problems if the user's password expires as well.

For a scalable solution, you will need to use Group Policy and define a Service Account username and password.

Set passwords to never expire | Office 365

Whilst the majority of Office 365 users would have DirSync configured so users will be using their Active Directory user accounts & passwords, some businesses will be using the cloud user accounts, which have their passwords expire.

It's very simple to configure all cloud O365 accounts to have their passwords never expire, which will especially stop the inconvenience of having to update admin accounts etc.

To do this, you will need to log into Office 365 through PowerShell.  You will also need to do the second part of the attached blog by connecting to the MSOL service.

Once you've done that, use the following command:

Get-MSOLUser | Set-MSOLUser -PasswordNeverExpires $true