The Factor of Corrupted Domain Controller, Windows Server 2016

Having a corrupted domain controller is highly troublesome and irritating. It was my first time experiencing an environment with a corrupted domain controller. Luckily, it was not the master domain controller (the one holding the FSMO roles) that was corrupted.

Before jumping to the conclusion that the domain controller is the cause, let's check the symptoms and the possible causes. Anything that depends on the domain controller will be affected.

What are the symptoms that you will experience?

  1. Delayed replication with the other domain controllers
  2. Replication with the other domain controllers breaking unexpectedly
  3. Inconsistent replication status from one check to the next
  4. Clients unable to locate the master domain controller (the FSMO role holder)
  5. Time synchronization delay
  6. Users unable to log in to Office 365 after a password reset
  7. Newly created Exchange Hybrid users not appearing
  8. Exchange Hybrid failing to connect
  9. Unexpectedly slow performance
  10. Unexpected network detection failures

The factors behind the causes

When you have a corrupted domain controller, you really have to work through the layers to investigate:

  1. Configuration/settings of the domain controller (AD DS, DNS, replication)
  2. System information and configuration of the server
  3. Operating system
  4. Host
  5. Virtual appliance
  6. Network (firewall or infrastructure)
  7. Storage
  8. Hardware

So it is best to analyze the possible cause and how to avoid it in the future. Logs are the friends you need: the Directory Service, DNS Server and System event logs on each domain controller, together with the replication status from repadmin and dcdiag, will usually point at the layer that failed.
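The following is an added example, not code from the original post: a first-pass health check that maps onto the symptoms listed above (FSMO location, replication, time sync, event logs), run from a management host with the RSAT ActiveDirectory module. The domain name corp.example is a placeholder.

```powershell
# Added example: first-pass health check for a suspected bad domain controller.
# Assumption: "corp.example" is a placeholder domain; run as a domain admin from a host with RSAT.
Import-Module ActiveDirectory

$domain = "corp.example"
$dcs    = (Get-ADDomainController -Filter * -Server $domain).HostName

# 1. Who holds the FSMO roles? (symptom 4: clients "losing" the master DC)
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain $domain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster

# Can this host locate a writable DC and the PDC emulator through the DC locator?
nltest /dsgetdc:$domain /writable
nltest /dsgetdc:$domain /pdc

# 2. Replication failures and per-partner status (symptoms 1-3)
Get-ADReplicationFailure -Target $domain -Scope Domain |
    Select-Object Server, Partner, FirstFailureTime, FailureCount, LastError
foreach ($dc in $dcs) {
    Get-ADReplicationPartnerMetadata -Target $dc -PartnerType Both |
        Select-Object Server, Partner, Partition, LastReplicationSuccess,
                      LastReplicationResult, ConsecutiveReplicationFailures
}

# 3. Time sync: every DC should chain back to the PDC emulator (symptom 5)
foreach ($dc in $dcs) { w32tm /query /computer:$dc /status }

# 4. Critical and error events from the Directory Service and DNS Server logs, last 24 hours
foreach ($dc in $dcs) {
    Get-WinEvent -ComputerName $dc -FilterHashtable @{
        LogName   = 'Directory Service', 'DNS Server'
        Level     = 1, 2
        StartTime = (Get-Date).AddDays(-1)
    } -ErrorAction SilentlyContinue |
        Select-Object MachineName, TimeCreated, LogName, Id, Message
}

# 5. The classic one-shot summaries
repadmin /replsummary
dcdiag /s:$($dcs[0]) /q
```

A DC that shows up with a growing ConsecutiveReplicationFailures count, a time source that is not the PDC emulator chain, and a burst of Directory Service errors is the one to take offline and investigate layer by layer before it poisons the other partners.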


Why can’t I use RODC DNS IP address on join to domain for client’s PCs?

What is RODC?

  • RODC stands for Read-Only Domain Controller. The name says most of it: it holds a read-only copy of the directory and cannot accept writes.

What is RODC purpose?

  • An RODC acts as a disaster-recovery option or as the authentication point for branches. It is deployed at a data center or at another site, and it works as a pull only: it pulls information and changes from the writable domain controller(s), and nothing replicates back from it.

Why can't I join client PCs to the domain using the RODC IP address?

  • Joining new PCs to the domain creates the computer account and modifies directory information, and that is the writable domain controller's responsibility, not the RODC's. The RODC cannot create the computer object, so the join has to reach a writable domain controller.
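As an added example (not from the original post), here is how to make the join explicitly target a writable DC, whichever DNS server the client is pointed at. The domain name, OU path and credentials are placeholders.

```powershell
# Added example: join a client while making sure the join goes to a writable DC.
# Assumptions: "corp.example" and the OU path are placeholders; RSAT is installed on the client.
$domain = "corp.example"

# Ask the DC locator for a *writable* DC; a join needs one regardless of which DNS server
# (RODC or writable DC) answered the SRV lookup.
nltest /dsgetdc:$domain /writable

# Same discovery through the ActiveDirectory module
$dc = Get-ADDomainController -Discover -DomainName $domain -Writable
"Using {0} (read-only: {1})" -f $dc.HostName, $dc.IsReadOnly

# Join through that writable DC so the computer object is created there.
# Add-Computer -Server expects DomainName\DCName.
$cred = Get-Credential -Message "Account allowed to join computers to $domain"
Add-Computer -DomainName $domain `
             -Server "$($dc.Domain)\$($dc.Name)" `
             -OUPath "OU=Workstations,DC=corp,DC=example" `
             -Credential $cred -PassThru -Verbose

# Restart-Computer afterwards to complete the join.
```

If nltest cannot return a writable DC from the branch (WAN down, firewall blocking RPC/LDAP to the hub), the join will fail no matter which IP address the client uses for DNS; that is the case the original question is really hitting.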


PowerShell: How to export values into table format .csv file?

Again, I'm no expert in PowerShell; it took me a few hours to figure this out. I searched many articles, but they were difficult for me to understand.

However, the answer was right under my nose. Please refer to the reference I've included below this post. Sorry about the attribute naming; this is only an example. Hope this helps.

*Note:

  • Always run this (or any PowerShell) against a test account before moving to production (bulk).
  • This script requires PowerShell version 3.0 or above ([PSCustomObject] and Export-Csv -Append were introduced there).

Here is an example of what I’m saying;

#Purpose: This PowerShell script reads the office phone from a CSV, copies
#the last 4 digits into a temporary variable, merges them with a fixed
#string value, and exports the user's name, office phone and new phone
#to a new CSV in table format.
#Expected input columns: Name, OfficePhone

#Merge value (the prefix for the new number)
$merge = "123"

#Read the input file
$users = Import-Csv .\file.csv -Delimiter ","

#Build one row per user; collecting the rows and exporting once is faster
#and safer than calling Export-Csv -Append inside the loop
$rows = foreach ($i in $users)
{
    #Attributes
    $name = $i.Name
    $officephone = $i.OfficePhone
    $newvalue = ""

    #Only build a new number when OfficePhone has a value of at least 4
    #characters: Substring throws on shorter strings, and an empty CSV cell
    #can arrive as $null rather than ""
    if (-not [string]::IsNullOrWhiteSpace($officephone) -and $officephone.Length -ge 4)
    {
        #Copy the last 4 digits of the OfficePhone
        $lastfourdigit = $officephone.Substring($officephone.Length - 4)
        #Merge the string value with the 4 digits to create the new phone number
        $newvalue = $merge + $lastfourdigit
    }

    #Table format for csv (users without a usable phone get an empty NewPhone)
    [PSCustomObject]@{Name = $name; OfficePhone = $officephone; NewPhone = $newvalue}
}

#Export the table to a new csv file (-NoTypeInformation drops the "#TYPE" header line)
$rows | Export-Csv newfile.csv -NoTypeInformation

So the end result is newfile.csv with the columns Name, OfficePhone and NewPhone (screenshot: newfile).

I prefer to keep my code simple and understandable.

Reference

  1. https://docs.microsoft.com/en-us/powershell/module/microsoft.powershell.utility/export-csv?view=powershell-6

Office 365: How to handle resign user mailbox with litigation hold enabled?

Litigation hold is a feature that preserves the contents of a mailbox for a specific period or indefinitely. However, that is only the high-level definition of litigation hold. Throughout my many deep searches of Microsoft articles, especially TechNet, they only state the high-level definition and say nothing about the side effect described below.

A few weeks ago one of my users reported an account that is disabled in Active Directory, blocked from signing in and unlicensed, but whose mailbox is still in an active state: it can still send (for example through inbox forwarding rules) and receive mail, and can still be opened by anyone with Full Access. After some research I found a Microsoft support article about how to handle inactive mailboxes (https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7). However, it still doesn't state why this happens or how the mechanism works.

We call this a deprecated account with an active mailbox. The reason, as far as it can be pieced together from that article, is that a hold prevents the mailbox from ever being purged: as long as the synced account still exists in Azure AD the mailbox stays an ordinary mailbox, whatever its license or sign-in state, and only when the account is deleted does Exchange Online turn it into an inactive mailbox that is retained but no longer receives mail. I really hope Microsoft could do something about this, as it is troublesome to take the extra steps to handle it, and I also hope they elaborate more on the pros and cons of litigation hold and how the mechanism works.

*Note:

Please take note: if you have mailboxes with unlimited litigation hold enabled and the user account in Active Directory is disabled but still in a synced Organizational Unit, move the account to an unsynced Organizational Unit IMMEDIATELY, or the mailbox will keep receiving mail and fill up its storage. Moving the account out of sync scope makes Azure AD Connect delete the cloud user on the next sync cycle; because of the hold, Exchange Online then keeps the mailbox as an inactive mailbox instead of purging it (see the first reference below).

To check which Organizational Units are unsynced:

  1. Log on to your Azure AD Connect server
  2. Windows Start button
  3. Open Synchronization Service Manager (miisclient.exe)
  4. On the top bar select "Connectors"
  5. Double-click your on-premises Active Directory connector
  6. Select "Configure Directory Partitions"
  7. Click the "Containers" button at the bottom right
  8. Enter credentials for the on-premises forest when prompted
  9. The unchecked boxes are the unsynced Organizational Units
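The following is an added example, not part of the original post: it lists disabled on-premises accounts that are still inside a synced OU and shows the hold state of their Exchange Online mailbox, so you know which ones will turn into inactive mailboxes once they drop out of sync scope. The synced OU list is a placeholder you read off Synchronization Service Manager; Exchange Online PowerShell (Connect-ExchangeOnline) and the ActiveDirectory module are assumed to be available.

```powershell
# Added example: disabled AD users still in sync scope, with their cloud mailbox hold state.
# Assumptions: the OU list below is a placeholder; an Exchange Online session is available.
Import-Module ActiveDirectory
Connect-ExchangeOnline   # prompts for an Exchange administrator sign-in

# OUs inside Azure AD Connect's sync scope (the checked containers in Synchronization Service Manager)
$syncedOUs = @(
    "OU=Users,DC=corp,DC=example",
    "OU=Contractors,DC=corp,DC=example"
)

$report = foreach ($ou in $syncedOUs) {
    Get-ADUser -Filter 'Enabled -eq $false' -SearchBase $ou -Properties mail, whenChanged |
        ForEach-Object {
            $mbx = $null
            if ($_.mail) {
                $mbx = Get-Mailbox -Identity $_.mail -ErrorAction SilentlyContinue
            }
            [PSCustomObject]@{
                SamAccountName         = $_.SamAccountName
                DistinguishedName      = $_.DistinguishedName
                LastChanged            = $_.whenChanged            # approximation of when it was disabled
                HasCloudMailbox        = [bool]$mbx
                LitigationHoldEnabled  = $mbx.LitigationHoldEnabled
                LitigationHoldDuration = $mbx.LitigationHoldDuration # "Unlimited" = indefinite hold
                CloudAccountDisabled   = $mbx.AccountDisabled
            }
        }
}

# Disabled users on an unlimited hold that are still in sync scope: the ones to move out
$report | Where-Object { $_.LitigationHoldEnabled -and "$($_.LitigationHoldDuration)" -eq "Unlimited" } |
    Format-Table SamAccountName, DistinguishedName, CloudAccountDisabled -AutoSize

# Mailboxes that have already been converted into inactive mailboxes by an account deletion
Get-Mailbox -InactiveMailboxOnly -ResultSize Unlimited |
    Select-Object DisplayName, PrimarySmtpAddress, WhenSoftDeleted, LitigationHoldEnabled

$report | Export-Csv .\disabled-users-on-hold.csv -NoTypeInformation
```

Run it before the offboarding script moves anything: the deleted cloud user sits in the Azure AD recycle bin for 30 days and can be restored, but the mailbox is already inactive from the moment the deletion syncs.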

References:

  1. https://support.office.com/en-us/article/manage-inactive-mailboxes-in-office-365-296a02bd-ebde-4022-900e-547acf38ddd7
  2. https://technet.microsoft.com/en-us/library/ff637980(v=exchg.160).aspx#lithold
  3. https://technet.microsoft.com/library/dn743673(v=exchg.150).aspx
  4. https://technet.microsoft.com/en-us/library/dn790612.aspx

Active Directory: How to export Active Directory User with all attributes?

I know the command below is not the most efficient, but it does the job.

Step-by-Steps

  1. Go to a domain controller (or any machine with the RSAT ActiveDirectory module installed)
  2. Open PowerShell as administrator
  3. Type the following command;

Get-ADUser -Properties * -Filter * | Export-Csv "ADUserattributes.csv" -NoTypeInformation

OR

Get-ADUser -Filter * -Properties * | Export-Csv "ADUserattributes.csv" -NoTypeInformation

The command above exports the list of AD users with all attributes and values in CSV format; all you need to do then is copy out the attributes and paste them into a new Excel file, and optionally transpose them from column view to row view.

*Note: You can modify the command as you wish. -Properties * pulls every attribute of every user, so it is slow on a large domain; narrow it with -SearchBase or a list of properties when you can. Multi-valued attributes such as proxyAddresses and memberOf are written to the CSV as their .NET type name rather than as their values.
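As an added example (not from the original post), here is a variant that exports a chosen set of attributes, joins the multi-valued ones into a single cell so they survive Export-Csv, converts the FILETIME attributes into readable dates, and produces the one-row-per-attribute layout for a single user without Excel. The OU path and the user jdoe are placeholders.

```powershell
# Added example: AD user export with multi-valued and FILETIME attributes made readable.
# Assumptions: OU path and "jdoe" are placeholders; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory

$props = 'displayName', 'mail', 'proxyAddresses', 'memberOf', 'whenCreated', 'lastLogonTimestamp', 'pwdLastSet'

Get-ADUser -Filter * -SearchBase "OU=Users,DC=corp,DC=example" -Properties $props |
    Select-Object SamAccountName, UserPrincipalName, Enabled, displayName, mail,
        # multi-valued attributes: join them, otherwise the CSV cell only holds the type name
        @{ n = 'proxyAddresses'; e = { $_.proxyAddresses -join ';' } },
        @{ n = 'memberOf';       e = { ($_.memberOf | ForEach-Object { ($_ -split ',')[0] -replace '^CN=' }) -join ';' } },
        whenCreated,
        # FILETIME (Int64) attributes: 0 or empty means "never", so guard before converting
        @{ n = 'lastLogon';      e = { if ($_.lastLogonTimestamp) { [DateTime]::FromFileTime($_.lastLogonTimestamp) } } },
        @{ n = 'pwdLastSet';     e = { if ($_.pwdLastSet) { [DateTime]::FromFileTime($_.pwdLastSet) } } } |
    Export-Csv .\ADUserattributes.csv -NoTypeInformation -Encoding UTF8

# "Row view" for one user: one line per attribute, which is what the Excel transpose step produces
(Get-ADUser -Identity jdoe -Properties *).PSObject.Properties |
    Select-Object Name, @{ n = 'Value'; e = { $_.Value -join ';' } } |
    Export-Csv .\jdoe-attributes.csv -NoTypeInformation
```

lastLogonTimestamp is only replicated every 9 to 14 days, so treat the lastLogon column as "last logon, give or take two weeks" when using the export for stale-account cleanup.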

AD & Office 365: Soft-matching Distribution List from AD to Office 365

Want to manage your cloud distribution lists from on-premises? You can soft-match them so that the on-premises group is matched to the existing cloud distribution list and synchronized back to Office 365.

Yes, you can do this either manually or with PowerShell. Manually means configuring the attributes through the AD GUI (Active Directory Users and Computers with the Attribute Editor); PowerShell is for a large number of distribution lists.

The 3 attributes that must be filled in AD for a successful soft-match are;

  1. displayName
  2. mail
  3. proxyAddresses

*Note: All 3 attributes above must have the same values as the distribution list in Office 365. The match itself is made on the primary SMTP address, so mail and the "SMTP:" entry in proxyAddresses must be exactly the cloud list's primary address.

(screenshot: softmatch.PNG)

Next, after filling in the values of these 3 attributes, go to your Azure AD Connect (AADC) server and run the sync.

  1. Open Windows PowerShell on the Azure AD Connect server (the ADSync module is available there)
  2. Type this command
    1. Start-ADSyncSyncCycle -PolicyType Delta

      • *Note: This only syncs changes since the last cycle; use -PolicyType Initial for a full sync
    2. Check the Synchronization Service Manager for sync progress
  3. Once the sync has finished, go to your Office 365 portal
  4. At the admin center > Groups > search for your distribution list; it should now show as synced from on-premises
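The following is an added example, not from the original post or the referenced gallery script: a CSV-driven bulk soft-match that sets the three attributes on each on-premises group, triggers a delta sync, and verifies the result from Exchange Online. The CSV rows are constructed sample data; run the AD part from a host with the ActiveDirectory module, the sync part on the Azure AD Connect server, and the verification part in an Exchange Online PowerShell session.

```powershell
# Added example: bulk soft-match of on-premises groups to existing cloud distribution lists.
# Assumptions: sample CSV below is constructed; group names and addresses are placeholders.
Import-Module ActiveDirectory

# Constructed sample input: one line per on-premises group and the cloud DL it must match
$csv = @"
ADGroup,DisplayName,PrimarySmtp
Sales-DL,Sales Team,sales@corp.example
Finance-DL,Finance Team,finance@corp.example
"@ | ConvertFrom-Csv

foreach ($row in $csv) {
    $group = Get-ADGroup -Identity $row.ADGroup -Properties mail, proxyAddresses, displayName

    # Keep existing secondary ("smtp:") addresses, but ensure exactly one primary "SMTP:" entry
    $secondary = @($group.proxyAddresses | Where-Object { $_ -cnotlike 'SMTP:*' })
    $proxies   = @("SMTP:$($row.PrimarySmtp)") + $secondary

    Set-ADGroup -Identity $group `
        -DisplayName $row.DisplayName `
        -Replace @{ mail = $row.PrimarySmtp; proxyAddresses = [string[]]$proxies }

    "{0}: mail={1} proxyAddresses={2}" -f $row.ADGroup, $row.PrimarySmtp, ($proxies -join ';')
}

# --- On the Azure AD Connect server ---
Import-Module ADSync
Start-ADSyncSyncCycle -PolicyType Delta     # Delta pushes only changes; Initial forces a full sync

# --- In Exchange Online PowerShell, after the sync cycle completes ---
# IsDirSynced becomes True once the cloud DL has been matched to the on-premises group
foreach ($row in $csv) {
    Get-DistributionGroup -Identity $row.PrimarySmtp |
        Select-Object DisplayName, PrimarySmtpAddress, IsDirSynced
}
```

Once IsDirSynced is True the list becomes read-only in the cloud: membership and addresses are managed in on-premises AD from then on, which is the point of the exercise, but it also means a mistyped primary address will create a second, unmatched group instead of taking over the existing one.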

References:

  1. https://gallery.technet.microsoft.com/Soft-Match-Cloud-b2652fee

Active Directory & Read-Only Domain Controller: Unable to login into RODC

Sometimes the environment will have problems such as the network being down, RPC being disconnected, or even worse problems you couldn't imagine, all of which cause logon problems. For now I would like to focus only on the RODC. Inexperienced engineers often do not notice that there is a most important feature that has to be enabled on the RODC.

That is the Password Replication Policy (PRP), or what you could call the password cache. By default the Allowed list is empty, so the RODC caches nobody's credentials and simply forwards every authentication to a writable DC; when that link is down, nobody at the branch can log on.

Yes, there are environments where all the users are pointing to the RODC instead of the DC. Anything that happens to the RODC will lead to huge complaints from the users, and the person supporting the back end will definitely get the blame.

So it is better to avoid the trouble, however good or stable the environment is. Keep the trade-off in mind: every account whose secrets are cached on the RODC is exposed if the RODC is stolen or compromised, which is why administrators and service accounts belong in the Denied list. Here are the articles you could refer to;

  1. https://technet.microsoft.com/en-us/library/cc730883(v=ws.10).aspx
  2. https://technet.microsoft.com/en-us/library/rodc-guidance-for-administering-the-password-replication-policy(v=ws.10).aspx
  3. http://windowsitpro.com/windows-server/configure-credential-caching-rodc-windows-server-2016
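As an added example (not from the original post or the linked articles), this script inspects the PRP on an RODC, finds branch users who have authenticated through it but are not cached, allows the branch group, and pre-populates the cache so the site survives a link outage from day one. The names RODC01, HUBDC01, "Branch Users" and jdoe are placeholders.

```powershell
# Added example: inspect and fix the Password Replication Policy on an RODC.
# Assumptions: RODC01, HUBDC01, "Branch Users" and "jdoe" are placeholders.
Import-Module ActiveDirectory
$rodc = "RODC01"

# 1. What may be cached, and what is explicitly denied (admins should be here)?
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Allowed | Select-Object Name, ObjectClass
Get-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -Denied  | Select-Object Name, ObjectClass

# 2. Who has authenticated through this RODC, and whose secrets does it already hold?
$authenticated = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -AuthenticatedAccounts
$revealed      = Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts

# Accounts that log on via the RODC but are not cached will fail once the WAN to the writable DC is down
$notCached = $authenticated | Where-Object { $_.DistinguishedName -notin $revealed.DistinguishedName }
$notCached | Select-Object SamAccountName, DistinguishedName

# 3. Allow the branch group to be cached. Leave administrators in the Denied list: keeping their
#    secrets off a physically exposed box is exactly what the PRP is for.
Add-ADDomainControllerPasswordReplicationPolicy -Identity $rodc -AllowedList "Branch Users"

# 4. Pre-populate the cache instead of waiting for each user's next successful logon.
#    repadmin needs the account DN and a writable source DC.
$branchUsers = Get-ADGroupMember -Identity "Branch Users" -Recursive | Where-Object objectClass -eq 'user'
foreach ($user in $branchUsers) {
    repadmin /rodcpwdrepl $rodc HUBDC01 $user.DistinguishedName
}

# 5. Resultant check for one account
Get-ADDomainControllerPasswordReplicationPolicyUsage -Identity $rodc -RevealedAccounts |
    Where-Object SamAccountName -eq 'jdoe'
```

Review the RevealedAccounts list periodically: if a domain admin appears in it, someone logged on to a branch machine with a privileged account and the Denied list did not cover it.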

AD & GPO: How to enable or configure Windows Hello?

Creating this GPO is pretty simple: create a new GPO, or reuse an existing one (not the Default Domain Policy).

*Note: Windows Hello for Business needs Windows 10 clients (Surface Pro included); the on-premises key trust deployment also needs Windows Server 2016 domain controllers.

Here are the simple steps;

  1. In Group Policy Management > Group Policy Objects > right-click to create a new policy, or edit the existing policy
  2. The policy that enables Windows Hello for Business is Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Hello for Business > "Use Windows Hello for Business", set to Enabled (screenshot: gpowinhello.JPG)
  3. After this, remember to link the GPO to the OU that should receive it
  4. Remember to also run "gpupdate /force" on both the server and the client side.
    • Open cmd > type the command "gpupdate /force"
  5. There is also a one-click remote gpupdate, but the users' computers have to be online and reachable.
    • In GMPC > select the OU > right-click > Group Policy Update
      • This refreshes policy on all the computer objects inside that OU
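The following is an added example, not from the original post: the same steps done from PowerShell with the GroupPolicy module, plus the TPM requirement a practitioner would normally add. The GPO name and OU path are placeholders; the registry value names are the ones behind the "Use Windows Hello for Business" and "Use a hardware security device" ADMX settings.

```powershell
# Added example: create, configure, link and push the Windows Hello for Business GPO.
# Assumptions: GPO name and OU path are placeholders; requires RSAT (GroupPolicy + ActiveDirectory).
Import-Module GroupPolicy
Import-Module ActiveDirectory

$gpoName = "Windows Hello for Business"
$ouPath  = "OU=Workstations,DC=corp,DC=example"

# Create the GPO if it does not exist yet (never put this in the Default Domain Policy)
$gpo = Get-GPO -Name $gpoName -ErrorAction SilentlyContinue
if (-not $gpo) { $gpo = New-GPO -Name $gpoName -Comment "Enables Windows Hello for Business" }

# "Use Windows Hello for Business" = Enabled; the ADMX setting is backed by this registry value
$key = "HKLM\SOFTWARE\Policies\Microsoft\PassportForWork"
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "Enabled" -Type DWord -Value 1 | Out-Null

# Hardening: "Use a hardware security device" = Enabled, so the Hello key is TPM-bound and
# cannot be exported from a software-only key store
Set-GPRegistryValue -Name $gpoName -Key $key -ValueName "RequireSecurityDevice" -Type DWord -Value 1 | Out-Null

# Link it to the OU holding the Windows 10 clients, unless already linked
$links = (Get-GPInheritance -Target $ouPath).GpoLinks | Where-Object { $_.DisplayName -eq $gpoName }
if (-not $links) { New-GPLink -Name $gpoName -Target $ouPath -LinkEnabled Yes | Out-Null }

# Verify what the GPO now carries
Get-GPRegistryValue -Name $gpoName -Key $key | Select-Object ValueName, Type, Value

# Push the refresh to every computer in the OU (PowerShell equivalent of GPMC's "Group Policy Update");
# the machines must be online and reachable, otherwise they pick the policy up at the next refresh
Get-ADComputer -Filter * -SearchBase $ouPath | ForEach-Object {
    Invoke-GPUpdate -Computer $_.DNSHostName -Force -RandomDelayInMinutes 0 -ErrorAction Continue
}
```

On a client, gpresult /h report.html (or the registry key above) confirms the policy arrived; the Windows Hello for Business provisioning prompt appears at the user's next sign-in once the rest of the deployment (certificate or key trust, MFA) is in place.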

AD & GPO: Why password/account policy is not working?

Those who are new to GPOs (Group Policy Objects) or Group Policy Management have surely been told by a mentor not to configure the Default Domain Policy and to create a new GPO instead.

Here is something you should know: not every policy setting works in a newly created GPO linked to an OU. The password and account lockout settings (Account Policies under Security Settings) for domain accounts are only read from GPOs linked at the domain root; the PDC emulator applies the highest-precedence GPO there, which by default is the Default Domain Policy. The same settings in a GPO linked to an OU only affect the local accounts of the computers in that OU, never domain users. "Enforced" and "Block Inheritance" on the OU don't change this, because the domain-level policy is still what the domain controllers evaluate. So either link the new GPO at the domain root with higher precedence than the Default Domain Policy, or use a Fine-Grained Password Policy for the subset of users that needs different settings. Always research and understand GPO in depth.

The supporting article below is the answer for you.

References:

  1. https://technet.microsoft.com/en-us/library/cc748850(v=ws.10).aspx
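As an added example (not from the original post), here is how to check where the domain password policy really comes from, and how to give one group stricter settings with a Fine-Grained Password Policy instead of an OU-linked GPO. The PSO name, the group and the user jdoe are placeholders.

```powershell
# Added example: where the domain password policy comes from, and a PSO for a subset of users.
# Assumptions: PSO name, "Domain Admins" as the subject, and "jdoe" are placeholders.
Import-Module ActiveDirectory
Import-Module GroupPolicy

$domainDN = (Get-ADDomain).DistinguishedName

# 1. The policy domain accounts actually get, as read from GPOs linked at the domain root
Get-ADDefaultDomainPasswordPolicy |
    Select-Object MinPasswordLength, ComplexityEnabled, MaxPasswordAge, LockoutThreshold, LockoutDuration

# 2. Which GPOs are linked at the domain root, in precedence order (Order 1 wins)?
(Get-GPInheritance -Target $domainDN).GpoLinks |
    Select-Object Order, DisplayName, Enabled, Enforced

# 3. A GPO with Account Policies linked only to an OU changes nothing for domain users.
#    For a subset of users create a Fine-Grained Password Policy (PSO) instead; when several
#    PSOs cover a user, the lowest Precedence value wins.
$psoName = "PSO-Privileged-Users"
if (-not (Get-ADFineGrainedPasswordPolicy -Filter "Name -eq '$psoName'")) {
    New-ADFineGrainedPasswordPolicy -Name $psoName -Precedence 10 `
        -MinPasswordLength 20 -ComplexityEnabled $true -PasswordHistoryCount 24 `
        -MaxPasswordAge (New-TimeSpan -Days 90) -MinPasswordAge (New-TimeSpan -Days 1) `
        -LockoutThreshold 5 -LockoutDuration (New-TimeSpan -Minutes 30) `
        -LockoutObservationWindow (New-TimeSpan -Minutes 30) -ReversibleEncryptionEnabled $false
}
Add-ADFineGrainedPasswordPolicySubject -Identity $psoName -Subjects "Domain Admins"

# 4. Resultant check: the PSO that applies to a user, or nothing if the domain policy applies
Get-ADUserResultantPasswordPolicy -Identity jdoe |
    Select-Object Name, Precedence, MinPasswordLength, MaxPasswordAge
```

PSOs apply to users and global security groups only, not to OUs, which is the other half of why the OU-linked GPO approach never works for this.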

AD & DNS: RODC not appear as Name Server?

Why does ONLY the writable domain controller (RWDC) appear as a "Name Server" in the DNS?

Why does the Read-Only Domain Controller appear only as a "Host (A)" record in the DNS?

*Note: This is normal behaviour. The RODC hosts a read-only copy of the AD-integrated zone: it answers queries, but it cannot accept dynamic updates and refers clients that try to register records to a writable DNS server. It therefore does not add itself to the zone's NS records, while its own A record is registered like any other host's. Clients can still use the RODC for name resolution.

Reference:

https://social.technet.microsoft.com/wiki/contents/articles/4031.how-read-only-domain-controllers-and-dns-works.aspx

https://awinish.wordpress.com/2011/10/04/rodc-read-only-domain-controller/

https://technet.microsoft.com/en-us/library/cc754956(v=ws.10).aspx
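As an added example (not from the original post), the following check confirms the expected picture: every writable DC is in the zone's NS list, every RODC is absent from it but still has an A record. The zone name is a placeholder.

```powershell
# Added example: compare the zone's NS records with the writable/read-only DC list.
# Assumption: "corp.example" is a placeholder zone; requires the RSAT ActiveDirectory module.
Import-Module ActiveDirectory
$zone = "corp.example"

$rodcs = Get-ADDomainController -Filter { IsReadOnly -eq $true }  | Select-Object -ExpandProperty HostName
$rwdcs = Get-ADDomainController -Filter { IsReadOnly -eq $false } | Select-Object -ExpandProperty HostName

# NS records for the zone, as answered by the client's current DNS server
$ns = (Resolve-DnsName -Name $zone -Type NS | Where-Object QueryType -eq 'NS').NameHost
"Name servers for {0}: {1}" -f $zone, ($ns -join ', ')

# RODCs: expected NS record = False, A record = True
foreach ($dc in $rodcs) {
    $a = Resolve-DnsName -Name $dc -Type A -ErrorAction SilentlyContinue
    "{0}: RODC, NS record = {1}, A record = {2}" -f $dc, ($dc -in $ns), ($null -ne $a)
}

# Writable DCs: expected NS record = True; a missing one is a real problem
foreach ($dc in $rwdcs) {
    "{0}: writable, NS record = {1}" -f $dc, ($dc -in $ns)
}

# If a writable DC is missing from the NS list, re-register its records on that DC:
#   ipconfig /registerdns
#   nltest /dsregdns
```

A writable DC missing from the NS list, or an RODC that somehow is in it, is worth chasing; an RODC that appears only as an A record is exactly what the linked articles describe.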