Exchange 2013 CU5 – Organization preparation failure – An Active Directory error 0x51 occurred when trying to check the suitability of server DC1.domainexample.com

When you run setup to upgrade Exchange Server 2013, it first checks prerequisites, and one of those checks contacts Active Directory to read the schema version and decide whether the schema needs an update. In my case that check failed with error 0x51 (LDAP_SERVER_DOWN: the domain controller setup picked could not be used for the LDAP query). I started by running netdom query fsmo to see which FSMO roles were held by the failing DC1. Because the failure happened during the schema version check, I was mostly interested in whether the Schema Master role was there... and it was. So I was wondering what the problem was. I went to OU=Domain Controllers in ADUC, checked the DCs, and realised that the Schema Master role was running on a domain controller that is not a Global Catalog.

Solution: Move the Schema Master FSMO role to a domain controller that is a Global Catalog in the same AD site as the Exchange server, then rerun setup. Transfer the role while the current holder is online; seize it only if the holder is gone for good, because seizing leaves a stale role owner in the directory.
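As an added example (this is not code from the original post), the following PowerShell, run on the server where Exchange setup will execute, locates the Schema Master, reports whether it is a Global Catalog in the local AD site, and transfers the role to a GC in that site if it is not. It assumes the RSAT ActiveDirectory module is installed, that the account running it is a member of Schema Admins, and that the first Global Catalog found in the site is an acceptable target.

```powershell
# Added example, not code from the original post.
# Check that the Schema Master is a Global Catalog in this AD site; transfer it if not.
Import-Module ActiveDirectory

# Site of the machine running Exchange setup (assumption: this script runs on that machine)
$localSite = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name

# Current Schema Master and its GC/site status
$schemaMaster = (Get-ADForest).SchemaMaster
$holder = Get-ADDomainController -Identity $schemaMaster
[pscustomobject]@{
    SchemaMaster    = $holder.HostName
    IsGlobalCatalog = $holder.IsGlobalCatalog
    Site            = $holder.Site
    LocalSite       = $localSite
} | Format-List

if (-not $holder.IsGlobalCatalog -or $holder.Site -ne $localSite) {
    # Pick a GC in the local site (assumption: the first one returned is acceptable)
    $target = Get-ADDomainController -Filter "IsGlobalCatalog -eq `$true -and Site -eq '$localSite'" |
        Select-Object -First 1
    if (-not $target) { throw "No Global Catalog found in site $localSite" }

    # Transfer, not seize: the current holder is online. Add -Force only to seize the role
    # from a holder that will never return; seizing while it is alive duplicates the role owner.
    Move-ADDirectoryServerOperationMasterRole -Identity $target.HostName `
        -OperationMasterRole SchemaMaster -Confirm:$false

    # Re-read the forest and confirm the role moved
    (Get-ADForest).SchemaMaster
}
```

Run it before setup rather than after a failed attempt, and keep the output: the "before" and "after" SchemaMaster values are what you want in the change record.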

Windows Server 2012+ and net-framework-core package installation error (unable to locate source files)

I have faced a problem with the NET-Framework-Core (.NET Framework 3.5) feature installation. As you probably know, this feature is no longer kept in the local component store of Windows Server 2012, but it is still available when you specify the source path. It can be installed with the command below (Add-WindowsFeature is an alias of Install-WindowsFeature; the parameter is -Source, singular):

Add-WindowsFeature NET-Framework-Core -Source <path to Windows Server 2012 installation media>\Sources\SxS

If that doesn't work, check several things:

  • Is the installation media from the same build as the running OS? It should be; the SxS payload of a different build is not accepted.
  • Isn't it corrupted? Verify the ISO hash against the published value before looking elsewhere.
  • Sometimes it helps to mount the installation media on another server and use a UNC path instead of a local one.
  • In my case the problem was the Windows Server Update Services setting. The registry values below said that no automatic update is possible and that a WSUS server is used for updates, and in that state the feature installation failed even with -Source specified.

Solution: Locate the registry key below, change the values to "0", restart the Windows Update service (wuauserv) and install the NET-Framework-Core feature. When done, change the values back to "1". If it still fails, set the values to 0 and reboot the server before installing. Because the key lives under the Policies hive, a Group Policy refresh in between will set it back to 1, so do the whole sequence in one go.

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]

“UseWUServer”=dword:00000001

“NoAutoUpdate”=dword:00000001
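The same procedure as one script, added here as an example (not the original post's code): it remembers the current UseWUServer value, clears it, restarts the Windows Update client, installs the feature from the media and restores the value even if the installation throws. It assumes the media is mounted as D: and that the registry key exists; adjust both to your environment.

```powershell
# Added example, not code from the original post.
# Temporarily stop pointing the server at WSUS, install .NET 3.5 from media, restore the policy value.
$auKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU'
$source = 'D:\sources\sxs'   # assumption: installation media of the same build mounted as D:

# Remember the current setting so it can be put back afterwards ($null if the value is absent)
$before  = Get-ItemProperty -Path $auKey -Name UseWUServer -ErrorAction SilentlyContinue
$useWsus = if ($before) { $before.UseWUServer } else { $null }

try {
    if ($useWsus -eq 1) {
        Set-ItemProperty -Path $auKey -Name UseWUServer -Value 0 -Type DWord
        Restart-Service -Name wuauserv          # the Windows Update client reads the value on start
    }

    $result = Install-WindowsFeature -Name NET-Framework-Core -Source $source
    $result | Format-List Success, RestartNeeded, ExitCode, FeatureResult

    if (-not $result.Success) {
        # Typical follow-ups: media of another build, a damaged ISO, or try a UNC path to the SxS folder
        Write-Warning "Installation failed with exit code $($result.ExitCode); check the media build and path."
    }
}
finally {
    # Restore the WSUS setting even if the installation threw an exception
    if ($useWsus -eq 1) {
        Set-ItemProperty -Path $auKey -Name UseWUServer -Value 1 -Type DWord
        Restart-Service -Name wuauserv
    }
}

# Verify the end state
Get-WindowsFeature -Name NET-Framework-Core | Select-Object Name, InstallState
```

While UseWUServer is 0 the server will contact Windows Update directly if the -Source path cannot be used, so on a host without Internet egress the media path has to be right; the try/finally keeps the window in which the WSUS policy is bypassed as short as possible.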


DirSync errors and solutions: Event ID 0: Invalid namespace during automatic sync or Start-OnlineCoexistenceSync; Object not found on the server

I have been facing errors at one of my customers lately. It is a hybrid deployment with Exchange on-premises and Office 365 with ADFS.

Symptoms:

  • DirSync stopped working, because the automatic synchronization started to throw "invalid namespace" errors (Event ID 0)
  • DirSync cannot be run via Start-OnlineCoexistenceSync
  • DirSync can still be run manually from the GUI

Cause:

When DirSync is installed and configured, the installer creates a service which by default runs a synchronization every 3 hours to push changes of local AD objects to the cloud; if the hybrid deployment checkbox is ticked during configuration, it also writes a few attributes back in the opposite direction (cloud -> on-premises).

Behind the scenes the installer also registers the product's WMI classes and performance counters, and that is where the problem was. In my case an old version of the CCM agent (installed by SCCM) had been uninstalled, and the uninstallation corrupted the WMI repository. The registrations were lost and the FIM Synchronization Service failed to run.

Solution:

The solution is not easy. Here are the steps; run them in the following order to make it work, and to keep it working:

  • Fix the MOF file. MOF files register a product's WMI classes and performance counters. A MOF can be compiled once at installation, or recompiled automatically every time the WMI repository is rebuilt, and that is the problem: DirSync's MOF file is by default compiled only once, so after the CCM agent uninstallation damaged the repository nothing re-registered it. To prevent this from happening again, add the following pragma as the first line of the DirSync MOF file (WMI then records the file under HKLM\SOFTWARE\Microsoft\Wbem\CIMOM\Autorecover MOFs and recompiles it after a repository rebuild):

MOF file location:
%ProgramFiles%\Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin

MOF file name:
mmswmi.mof

mmswmi-x.mof is used for product uninstallation. Do not change it.

#PRAGMA AUTORECOVER
//********************************************************
//*                                                      *
//*   Copyright (C) Microsoft. All rights reserved.      *
//*                                                      *
//********************************************************
//
// mmswmi.MOF
//
//===================================================================

  • Repair the WMI repository permanently

To repair WMI, run the following command from the same location as in the previous step and then restart the FIM Synchronization Service. The result should be "Done!".

mofcomp mmswmi.mof

  • Re-register the FIM Sync Service DLL and restart the Windows Management service

From the same location, with elevated permissions, run:

regsvr32 /s mmswmi.dll
net stop winmgmt
net start winmgmt

  • Re-run the DirSync configuration

From %ProgramFiles%\Windows Azure Active Directory Sync run ConfigWizard.exe

If the wizard fails with "No object on server", move the DirSync service accounts (MSOL_*) to the Users container of the root domain of your on-premises AD and run it again.
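The repair steps above as one elevated PowerShell script, added here as an example (it is not the original post's code, nor Microsoft's). It assumes the default DirSync install path, that mmswmi.mof is plain ASCII text, that the sync service is registered under the name FIMSynchronizationService, and that the WMI namespace the sync cmdlets query is root\MicrosoftIdentityIntegrationServer; the last step checks that namespace before you re-run ConfigWizard.exe.

```powershell
# Added example, not code from the original post. Run elevated on the DirSync server.
# Re-registers the DirSync WMI provider so that it also survives future WMI repository rebuilds.
$bin = Join-Path $env:ProgramFiles 'Windows Azure Active Directory Sync\SYNCBUS\Synchronization Service\Bin'
$mof = Join-Path $bin 'mmswmi.mof'
$dll = Join-Path $bin 'mmswmi.dll'

# 1. Is the repository itself consistent? (prints "WMI repository is consistent" when healthy)
& winmgmt.exe /verifyrepository

# 2. Make the MOF autorecoverable: the pragma has to be the very first line of the file
$content = [System.IO.File]::ReadAllText($mof)
if ($content -notmatch '^\s*#PRAGMA\s+AUTORECOVER') {
    Copy-Item -Path $mof -Destination "$mof.bak" -Force
    # Assumption: the shipped file is plain ASCII (its header is), so it is written back as ASCII
    [System.IO.File]::WriteAllText($mof, "#PRAGMA AUTORECOVER`r`n" + $content, [System.Text.Encoding]::ASCII)
}

# 3. Compile the MOF into the repository and register the provider DLL
& mofcomp.exe $mof          # expect "Done!" on the last line
& regsvr32.exe /s $dll

# 4. Restart WMI (-Force also restarts the services that depend on it) and the sync service
Restart-Service -Name winmgmt -Force
Restart-Service -Name FIMSynchronizationService   # assumption: service name of the FIM Synchronization Service

# 5. Verify: the MOF is now on the autorecover list ...
$auto = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Wbem\CIMOM' -Name 'Autorecover MOFs').'Autorecover MOFs'
$registered = @($auto | Where-Object { $_ -like '*mmswmi.mof' }).Count -gt 0
"mmswmi.mof registered for autorecovery: $registered"

# ... and the namespace the sync cmdlets use answers again ("Invalid namespace" is what you get when it is missing).
# Assumption: root\MicrosoftIdentityIntegrationServer, the FIM/MIIS provider namespace.
Get-WmiObject -Namespace 'root\MicrosoftIdentityIntegrationServer' -Class MIIS_Server | Select-Object Name
```

If step 5 still reports an invalid namespace, the repository rather than the registration is the problem; fix it (winmgmt /salvagerepository) and run the script again, since the pragma only helps on the next rebuild.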

KPCS is a finalist in the Microsoft Awards 2014 worldwide!

I am proud to announce that the company I work for, KPCS.CZ, is second worldwide in the Server Platform implementation projects category. Besides this nice placement we won 3 categories in the Czech Republic and were a finalist in one more.

So 5 awards in total within 1 year! What a great success!

More here:

http://www.digitalwpc.com/Awards/Pages/Home.aspx#fbid=jO4-P7IA4sY

http://www.kpcs.cz


Log Search script

This is just a small, easy script that searches the content of logs in a defined location and time range for a string value. If you know what to look for in many log files, it can help you narrow the search.

#logsearch
#Author: Zbynek Salon
#Path to search
$path = "D:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog\SmtpReceive"
#What to search for (the best would be for example an e-mail address for an SMTP log); treated literally, not as a wildcard
$str = "PRX5"
#Range (Start must be earlier than End); cast to [datetime] so the comparison is not done on strings.
#LastWriteTime is the time the log was last appended to, so a file still being written after $end is skipped; widen the window if needed.
$start = [datetime]"5/25/2014 8:00AM"
$end   = [datetime]"5/28/2014 9:00AM"
Get-ChildItem -Path $path |
    Where-Object { (-not $_.PSIsContainer) -and ($_.LastWriteTime -gt $start) -and ($_.LastWriteTime -lt $end) } |
    ForEach-Object {
        $_.Name
        #Select-String reads the file line by line instead of loading it whole; -SimpleMatch searches for the literal text
        $hits = Select-String -Path $_.FullName -Pattern $str -SimpleMatch
        if ($hits) { Write-Host "$($_.Name) contains $str ($(@($hits).Count) lines)" -ForegroundColor Green }
    }

Script to gather FullAccess and SendAs permissions

I wrote this script to gather Full Access and Send-As permissions in order to divide mailboxes into logical batches. Maybe somebody finds it helpful. Note that it lists only explicit, non-inherited allow entries, so delegations granted at the database or OU level do not show up in the output.

#Purpose of this script is to gather Full Access and Send-As permissions of all mailboxes in the organization
#Author: Zbynek Salon
#Run it from the Exchange Management Shell; Get-ADObject comes from the ActiveDirectory module (Servermanager is not needed)
Import-Module ActiveDirectory
$out = @()
$path = "c:\temp\FASA.txt"
$out += "Identity-email;Full Access;Send AS"
Set-ADServerSettings -ViewEntireForest $true

#Translate the SID of a permission holder to "DisplayName*UPN" (an AD object lookup works for users and groups alike).
#Returns "NoExist*<SID>" when the SID no longer resolves, e.g. a deleted account whose ACE is still on the mailbox.
function Resolve-Holder ($sid) {
    $o2 = $null
    try {
        #query the object from AD via LDAP (translate SID to DN)
        $o  = [adsi]"LDAP://<SID=$sid>"
        $dn = [string]$o.distinguishedName
        if ($dn) { $o2 = Get-ADObject -Identity $dn -Properties displayName,userPrincipalName }
    } catch { $o2 = $null }
    if ($o2) { "|$($o2.displayName)*$($o2.userPrincipalName)" } else { "|NoExist*$sid" }
}

#gathering info
$list = Get-Mailbox -ResultSize Unlimited | Select-Object Alias,DisplayName,PrimarySmtpAddress,UserPrincipalName,DistinguishedName
foreach ($line in $list) {
    Write-Host "°°°°°°°°°°°°°°$($line.Alias)"
    #Explicit (non-inherited) Full Access allow entries, without the owner's own SELF entry.
    #Deny entries are skipped so that a deny is not reported as a grant.
    $fa = Get-MailboxPermission -Identity $line.DistinguishedName |
        Where-Object { (-not $_.IsInherited) -and ($_.AccessRights -like "*Full*") -and (-not $_.Deny) -and ($_.User -notlike "*SELF*") }
    #Explicit Send-As allow entries (extended right "Send-As"; "*Send*" alone would also match Send-To)
    $sa = Get-ADPermission -Identity $line.DistinguishedName |
        Where-Object { ($_.ExtendedRights -like "*Send-As*") -and (-not $_.IsInherited) -and (-not $_.Deny) -and ($_.User -notlike "*SELF*") }
    $fapo = $null
    $sapo = $null
    #Full Access section
    Write-Host "Full Access $($line.DisplayName)"
    if ($fa) {
        $fapo = "FA:"
        foreach ($fap in $fa) { $fapo += Resolve-Holder $fap.User.SecurityIdentifier }
    }
    #Send As section
    Write-Host "Send - AS $($line.DisplayName)"
    if ($sa) {
        $sapo = "SA:"
        foreach ($sap in $sa) { $sapo += Resolve-Holder $sap.User.SecurityIdentifier }
    }
    $out += "$($line.DisplayName)*$($line.UserPrincipalName);$fapo;$sapo"
}

$out | Out-File $path

DirSync to Office 365 synchronization failed – Event ID:6126, Event ID:109, Event ID:6801, Event ID:6803, Event ID:6110

I have faced problems with DirSync synchronization that logged the following Event IDs: 6126, 0, 109, 6801, 6803 and 6110.

Solution:

Reset the password of the DirSync cloud (synchronization) account and enter the new password in the Windows Azure Active Directory connector in the MIIS client.

Description:

Here is what I found in the event log.

1. Event ID 6126

Synchronization completed, but the event reports changes to the rules.

2. Event ID 109

The error states that synchronization did not run and that changing the password might help.

3. Event IDs 6801, 6803

They state the same as Event ID 109: an authentication failure, and finally that an error has occurred.

4. Event ID 6110

The watermark of the delta synchronization was not saved.

5. Password needs to be changed in the cloud

Just log on to the cloud and change the password via the web interface.

6. Password never expires

As an additional step I set the password to never expire, to prevent these problems from recurring. This is acceptable for a dedicated synchronization account with a long random password that nobody uses interactively; whenever the password is rotated later, step 7 has to be repeated, otherwise synchronization fails again with the same events.

7. Set the new password in DirSync

In the Windows Azure Active Directory connector, enter the new password.

8. OK

Office 365 – Adding SMTP addresses while DirSync without ADFS/Hybrid

Background

There are limitations when you deploy Office 365 with DirSync but without ADFS/Hybrid. In this article I would like to write about SMTP addresses.

  • The proxyAddresses attribute is synchronized to Office 365 and mastered on-premises.
  • You therefore cannot add SMTP addresses on the cloud side; use the attribute editor or PowerShell on-premises instead.
  • To use PowerShell you need the ActiveDirectory module (Import-Module ActiveDirectory; Servermanager is not the module that provides Set-ADUser). One way to add, remove or replace SMTP addresses is the Set-ADUser cmdlet, adding string values to the multi-valued attribute proxyAddresses. Exactly one entry may start with upper-case SMTP: (the primary address); secondary addresses use lower-case smtp:.
  • More than one proxy address can be added at a time. -Add fails if the value already exists, and addresses in domains that are not verified in the tenant cause synchronization errors for that object.
get-aduser -identity "stokurev" | set-aduser -add @{'ProxyAddresses'=@("SMTP:anatolij.stokurev@domain.com","smtp:stokurev@domain.com")}

Example

As an example, here is a script that duplicates the existing aliases with another domain suffix.

#Purpose of this script is to double aliases of domain.suffix to domain.suffix2 as secondary SMTP addresses
#Author: Zbynek Salon
#Get-ADUser/Set-ADUser come from the ActiveDirectory module (not Servermanager)
Import-Module ActiveDirectory
$ou = "OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2"
#gathering and adding aliases
$x = Get-ADUser -SearchBase $ou -Filter * -Properties proxyAddresses | Select-Object SamAccountName,UserPrincipalName,proxyAddresses
foreach ($line in $x) {
    foreach ($addr in $line.proxyAddresses) {
        #-like is case-insensitive, so both the primary (SMTP:) and the secondary (smtp:) addresses get doubled
        if ($addr -like "smtp:*") {
            #String.Replace() is case-sensitive and would also turn an existing DOMAIN.SUFFIX2 into DOMAIN.SUFFIX22;
            #-ireplace with an anchored pattern only rewrites the domain part of DOMAIN.SUFFIX addresses
            $new = $addr.Substring(5) -ireplace '@DOMAIN\.SUFFIX$', '@DOMAIN.SUFFIX2'
            if ($new -ieq $addr.Substring(5)) { continue }          #not a DOMAIN.SUFFIX address, nothing to double
            if ($line.proxyAddresses -contains "smtp:$new") { continue }   #already there (-contains is case-insensitive); -Add would fail
            $new
            Set-ADUser -Identity $line.SamAccountName -Add @{'ProxyAddresses'=@("smtp:$new")}
        }
    }
}
#check results
$y = Get-ADUser -SearchBase $ou -Filter * -Properties proxyAddresses | Select-Object SamAccountName,UserPrincipalName,proxyAddresses
foreach ($line in $y) {
    $line.SamAccountName
    foreach ($addr in $line.proxyAddresses) {
        if ($addr -like "smtp:*") {
            $addr
        }
    }
}
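The script above trusts that the new address is free to take. Added here as an example (not the original post's code) is a stricter version of the same operation that refuses an address whose domain is not on the admin's list of verified domains, warns when the user does not have exactly one primary SMTP: entry, and checks that no other object in the directory already carries the address, since AD itself does not enforce proxyAddresses uniqueness and a duplicate hands another user's mail to the wrong mailbox once it syncs. The OU, domain names and the verified-domain list are assumptions to replace with your own.

```powershell
# Added example, not code from the original post.
# Adds a secondary SMTP address only after checking the domain is allowed, that the user has
# exactly one primary (SMTP:) address and that no other directory object already owns the address.
Import-Module ActiveDirectory

# Escape the characters that are special in an LDAP filter (RFC 4515)
function ConvertTo-LdapFilterValue ([string]$Value) {
    $Value -replace '\\', '\5c' -replace '\*', '\2a' -replace '\(', '\28' -replace '\)', '\29'
}

function Add-SecondarySmtpAddress {
    param(
        [Parameter(Mandatory = $true)][string]$SamAccountName,
        [Parameter(Mandatory = $true)][string]$Address,
        # Domains verified in the tenant (assumption: the admin keeps this list current)
        [Parameter(Mandatory = $true)][string[]]$VerifiedDomains
    )
    $domain = ($Address -split '@')[-1]
    if ($VerifiedDomains -notcontains $domain) {
        throw "$domain is not a verified domain; refusing to add $Address"
    }

    $user     = Get-ADUser -Identity $SamAccountName -Properties proxyAddresses
    $existing = @($user.proxyAddresses)

    # Exactly one upper-case SMTP: entry may exist; -cmatch keeps the comparison case-sensitive
    $primary = @($existing | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        Write-Warning "$SamAccountName has $($primary.Count) primary SMTP addresses; fix that first"
    }

    # -contains is case-insensitive, which is what we want for e-mail addresses
    if ($existing -contains "smtp:$Address") { return "AlreadyPresent" }

    # Any other object owning the address? proxyAddresses matches case-insensitively in LDAP,
    # so SMTP:/smtp: are both found. Get-ADObject searches the current domain; in a multi-domain
    # forest add -Server <gc>:3268 to search the Global Catalog.
    $filter = "(proxyAddresses=smtp:$(ConvertTo-LdapFilterValue $Address))"
    $others = @(Get-ADObject -LDAPFilter $filter -Properties proxyAddresses |
        Where-Object { $_.DistinguishedName -ne $user.DistinguishedName })
    if ($others.Count -gt 0) {
        throw "$Address is already assigned to $($others[0].DistinguishedName); not adding it to $SamAccountName"
    }

    Set-ADUser -Identity $user -Add @{ proxyAddresses = "smtp:$Address" }
    return "Added"
}

# Usage (assumed names): give every user in the OU a second alias in DOMAIN.SUFFIX2
$ou       = 'OU=SUFFIX2,OU=Office365,OU=People,DC=DOMAIN,DC=SUFFIX2'
$verified = @('DOMAIN.SUFFIX', 'DOMAIN.SUFFIX2')
foreach ($u in Get-ADUser -SearchBase $ou -Filter * -Properties proxyAddresses) {
    foreach ($addr in @($u.proxyAddresses)) {
        if ($addr -notlike 'smtp:*') { continue }                     # skip X500:, SIP:, ...
        $new = $addr.Substring(5) -ireplace '@DOMAIN\.SUFFIX$', '@DOMAIN.SUFFIX2'
        if ($new -ieq $addr.Substring(5)) { continue }                # not a DOMAIN.SUFFIX address
        $status = Add-SecondarySmtpAddress -SamAccountName $u.SamAccountName -Address $new -VerifiedDomains $verified
        "$($u.SamAccountName): $new -> $status"
    }
}
```

The uniqueness check is the security-relevant part: an address that is already present on a mailbox, a group or a contact would either be rejected by the sync or, worse, silently redirect mail, so the function throws instead of letting Set-ADUser succeed.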

Cisco Labs – Network Security (14) – ASA as transparent firewall

Introduction

During my university studies I wrote a diploma thesis in the field of redundant and reliable networking. Its purpose was to create lab examples for students, so they can test basic settings for VPN, IPS and others. These tasks were created for Virtlab (a virtual lab built on physical Cisco routers); however, the configuration is valid and was tested on physical Cisco routers as well.

Each task in the series has its own post with a brief description of the task and the schema. The complete task can be downloaded from my OneDrive.

NS2 – Module 2, 8.3.3 ASA task definition

ASA as transparent firewall

Goal

  • Configure the ASA as a transparent firewall.
  • Generate test traffic over HTTP, FTP and ICMP.
  • Apply an access list and recheck the configuration.
  • Do not forget to clear the configuration before you start.

Required time

2 hours

Theoretical background

Here will be a short theoretical background for solving this task.

Topology

NS2-8.3.3_ASA_topology1_VIRTLAB

Configuration

PC1

ifconfig int3 10.0.0.2 netmask 255.255.255.0							;set IP address
route add default gw 10.0.0.1 dev int3								;set default gw

SERVER

R19@ostrava(config)#hostname SERVER
SERVER(config)#interface INT4
SERVER(config-if)#ip address 10.0.0.254 255.255.255.0
SERVER(config-if)#no shutdown
SERVER(config-if)#exit
SERVER(config)#aaa new-model									;enable AAA (all lines now authenticate against the configured method lists)
SERVER(config)#aaa authentication login telnet local  						;named list "telnet": authenticate against the local user database
SERVER(config)#username cisco password cisco							;local user for the lab (plain-text password, lab use only)
SERVER(config)#enable password cisco								;enable password for privileged mode (lab use only; use enable secret in production)
SERVER(config)#ip http server									;enable HTTP server
SERVER(config)#ftp-server enable								;enable FTP server
SERVER(config)#ftp-server topdir FLASH:/							;set top directory for FTP server
SERVER(config)#line vty 0 4									;telnet lines
SERVER(config-line)#login authentication telnet							;apply the "telnet" list to the vty lines (otherwise the list is never used)

ASA

1) Firewall settings

ciscoasa(config)# hostname ASA1
ASA1(config)# firewall transparent							;set up the firewall in transparent (layer 2) mode
ASA1(config)# interface INT1
ASA1(config-if)# nameif outside								;security level 0 is assigned automatically
ASA1(config-if)# no shutdown
ASA1(config)# interface INT2
ASA1(config-if)# nameif inside								;the name "inside" gets security level 100 automatically
ASA1(config-if)# no shutdown
ASA1(config)# ip address 10.0.0.253 255.255.255.0					;management IP address of the firewall (in transparent mode one address for the whole device)
ASA1(config)# debug icmp trace								;turn on debugging for ICMP traffic through the firewall

Check connectivity as shown in the Function test before applying the access lists.

2) Apply access lists

ASA1(config)# access-list FWRULEIN permit icmp any any					;echo requests in; also lets the replies to the inside->outside pings back (no ICMP inspection is used here)
ASA1(config)# access-list FWRULEIN permit tcp any any eq www				;HTTP
ASA1(config)# access-list FWRULEIN permit tcp any any eq ftp				;FTP control channel, TCP/21

ASA1(config)# access-group FWRULEIN in interface outside				;apply the list inbound on the outside interface

FTP runs over TCP only, so there is no point in permitting UDP ports 20 and 21: the control channel is TCP/21 (eq ftp) and the data channel is opened dynamically by the ftp inspection in the ASA's default global policy. The list is applied inbound on outside only; traffic from inside (security level 100) to outside (0) is still governed by the security levels, not by this list.

Function test

The pictures are taken from the text web browser lynx. You get similar results from a graphical web browser on Linux or Windows.

F1) Before access lists

outside -> inside

ASA1(config)# debug icmp trace									;turn on debugging for icmp
PC1#ping 10.0.0.253										;ping firewall MGMT address
PC1#ping 10.0.0.254										;ping server
PC1#lynx http://10.0.0.254									;initiate an HTTP connection to the server
PC1#lynx ftp://10.0.0.254									;initiate an FTP connection to the server

With no access-group applied, the ASA's default policy decides: connections from the higher security level (inside, 100) to the lower one (outside, 0) are allowed and their replies pass back statefully, while connections initiated from outside towards inside are dropped.

The pictures show the result of these commands.

NS2-8.3.3_ASA_DIA1-1

NS2-8.3.3_ASA_DIA1-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from the server (PC1 was given 10.0.0.2 above; use the address you configured)

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA1-3

F2) After access lists application

outside -> inside

PC1#ping 10.0.0.253										;ping firewall MGMT address
PC1#ping 10.0.0.254										;ping server
PC1#lynx http://10.0.0.254									;initiate an HTTP connection to the server
PC1#lynx ftp://10.0.0.254									;initiate an FTP connection to the server

The pictures show the result of these commands.

NS2-8.3.3_ASA_DIA2-1

NS2-8.3.3_ASA_DIA2-2

inside -> outside

SERVER#ping 10.0.0.100										;ping PC1 from the server (PC1 was given 10.0.0.2 above; use the address you configured)

The picture shows the result of this command.

NS2-8.3.3_ASA_DIA2-3

Optional tasks

  • Try to configure different types of access lists denying and permitting different types of traffic.