Tuesday, January 31, 2017

Windows 2003 Documentation in PDF

Someone at Microsoft must have decided it was time to clean up the support documentation. You'll now find that if you try to use a link referring to older Windows Server 2003 documentation or support docs, you instead get prompted to download a PDF. At first I didn't think much about this as I didn't really need the documentation.

Today I wanted to confirm some processes in a forest recovery (a low likelihood issue, but I'm doing up some documentation). Ok, I'll download this and find the content I want.

It turns out that this PDF is 150MB and 28000 pages. I'm sure it's complete, but not very convenient.

If anyone else is looking for the forest recovery info, it's on page 3078.

I should also point out that this content is relevant all the way up to Windows Server 2012 R2 (and I assume Windows Server 2016 also). MS has no other official forest recovery info that I've run across.

And just for fun, here's a link to the Windows 2003/2003 R2 retired content:

Saturday, January 28, 2017

PowerShell Script for Math Homework

My daughter needs to practice her multiplication tables. So, I came up with a little script that can help.

You can use the script on any Windows computer. Copy the code below into a text file and then name that file something like multiply.ps1. The file needs to end in .ps1 for Windows to recognize it as PowerShell.

You may also need to allow PowerShell scripts on your computer. Open a PowerShell prompt and run Set-ExecutionPolicy RemoteSigned.

If you have the file saved on your desktop, right-click it and select Run with Windows PowerShell

 $questions = Read-Host "How many questions?"   
  For($i=1;$i -le $questions;$i++) {   
   $first = Get-Random -Minimum 0 -Maximum 10   
   $second = Get-Random -Minimum 0 -Maximum 10   
   $answer = $first * $second   
   Do {  
     Write-Host "$first x $second = ??"   
     $response = Read-Host "Enter your answer"   
     If ($response -eq $answer) {   
          Write-Host "That is correct!"  
     Else {   
          Write-Host "Try Again"  
   Until ($response -eq $answer)  
 Write-Host "Well done! $questions questions completed!"

Friday, January 27, 2017

Full Restore for DC with NetBackup

I was doing some disaster recovery testing for Windows 2008 R2 domain controllers today with Veritas NetBackup. I’m running through and documenting some scenarios in a test environment. Better to document the steps before you need them!

Doing a non-authoritative and an authoritative restore went well by restoring the system state. Next up on my list was a full server restore.

The documentation for a full server restore was (to be kind) a bit fuzzy. The best of their articles I could find was this one:
At a high level, the instructions are:
  • Install and OS with the NetBackup client software.
  • Restore the drives (and don’t reboot yet)
  • Restore the system state
  • Reboot
My problem was that after the reboot I got a blue screen. After stopping the blue screen long enough to see the error, I saw this:
STOP: c00002e2 Directory Services could not start because of the following error:
The specified procedure could not be found
Error status: 0xc000007a
I did some searching and found lots of references to a corrupt AD database and fixing it by removing log files or doing a manual repair on the ntds.dit file. Just for kicks, I did try these because they were fast and easy, but not the answer.

This link from Microsoft gave me the hint I needed:
This link indicates that the error occurs when the Active Directory Domain Services role is removed before a domain controller is demoted. Basically, you have lobotomized DC that doesn’t have all the files anymore but is still trying to run the services. I tried to run ntdsutil and the file wasn’t there. That was a good hint that some files for AD DS were not there.

To fix my process, I installed the AD DS and DNS server roles before I did the restore. By doing those, all was good.

Tuesday, January 17, 2017

O365: Unable to Create Distribution Group

Microsoft is aggressively encouraging Office 365 customers to use Office 365 groups instead of traditional distribution groups. In the Exchange admin center, when you select to create a distribution group, you get a popup to create an Office 365 group instead, as shown below.

There is one difference between this popup and if you actually selected an Office 365 group. This window has an option to create a distribution list. You can see it in the screenshot above by the red arrow. I'm pointing out that option because I didn't see it at first and was only made aware of it by Microsoft.

I should also note that another work around is to create a distribution list in the Office 365 admin center. That option is still available and is the same as creating a distribution group in Exchange admin center.

Sunday, January 15, 2017

Office 365 Tech Support is Good!

As a technology professional, I dread calling tech support sometimes. Most of the time when you contact tech support (for any software), you get a front line person that is not terribly knowledgeable or useful. That first level person has access to a knowledgebase that is similar to what you could find by searching online. When that person can't help, they pass you up to a higher level of support that can likely fix your issue.

The other problem with most tech support is timeliness. You are often kept on hold for an extended period of time or are forced to contact support via email or web form and hope that they get back to you within a few hours. It's almost never quick.

My experience with Office 365 support today was amazing. I had a question on Sunday morning at about 11am and had an answer within 10 minutes. Here is what it looked like....
  1. I'm working on some labs and find that in the Exchange admin center, when I attempt to create a distribution group it actually prompts me to create an Office 365 group instead. I confirm this is the case in my own personal Office 365 tenant and a test tenant I'm working with for lab development.
  2. In the Office 365 admin center, in Support, I selected Let us call you. This option is not available until you at least attempt to search for a resolution to your problem.
  3. The Let us call you option showed an estimated wait time of 10 minutes. So, I entered my phone number and waited.
  4. Within about 5 minutes, I got a call from a very helpful person at Office 365 Support (thank you Bel).
  5. She listened to my concern and did a remote view on my system to confirm the issue and identified it as a bug. She offered a work around of creating the distribution list in the Office 365 admin center (which does work) instead of the Exchange admin center.
  6. She also followed up with an email that stated she confirmed the issue in her own test environment and has reported it as a bug in the Exchange admin center user interface. Nice to know that there is a process in place to take care this rather than just giving me the work around.
Here is what was awesome:
  • Support was fast and I knew about how long it would take to be contacted. Sometimes the ambiguity of dealing tech support is the worst part. And, this was Sunday morning, not business hours.
  • The support person wasn't working from a script. She listened to my issue and then wanted to confirm it by remote viewing. There wasn't a long process of "well, let's try this...." I was not treated like a dummy as most tech support does.
  • This level of support is available to anyone. I don't have any special support contract. In fact the tenant for my email that I used to send the support request costs only about $12 per month. That's awesome support for a low cost product.
Update: Since this post, I've learned from Microsoft that the UI change for creating distribution groups in Exchange admin center is not a bug, but a design change. For details, see my other post here: http://byronwright.blogspot.ca/2017/01/o365-unable-to-create-distribution-group.html

Exchange VM Hangs During Updates

I haven't run into this yet, but it appears that in some cases, Hyper-V virtual machines running Exchange Server will hang when installing updates. Specifically this seems to occur when running updates for Hyper-V integration services.

There are reports of KB3037623 specifically causing this issue.
The fix is to:
  1. Disable the Exchange services
  2. Apply the update
  3. Reenable the Exchange services
This blog posting provides detailed steps:

Tuesday, January 10, 2017

PowerShell Learning Resources

I'm doing some onsite PowerShell training this week and realized that I mention lots of resources but haven't provided a list of them anywhere for easy access. So, this posting is my best summary of Windows PowerShell related learning content from Microsoft. There are also a bunch of my links to my blog articles that I use as examples in class.

General Resources

Microsoft makes a lot of content available online for free. Here is a high level list:

Windows PowerShell Resources

Here are some resources specifically related to PowerShell:

PowerShell Examples

The following are examples of using PowerShell from my blog. They may or may not be useful for your purposes. I use them in class as examples that we review.

Wednesday, January 4, 2017

Finding Stale SIDs on GPOs

One of my clients has a tool from Microsoft that scans the AD infrastructure and generates a report of items that can fixed/improved. One of the items on a recent report was stale SIDs on GPOs that could affect GPO processing. However, the tools didn't give us the stales SIDs. Just said we had them.

First, let's talk about what a stale SID is...

All Windows security is based on a Security Identifier (SID) that is unique for each user or group. In the Access Control List (ACL) for an resource, it is the SID that is assigned permissions, not the name of a user or group. The Windows tools just translate that SID back to a user or group name for use to manage them easier.

A stale SID occurs when a user or group has been assigned permissions to access a resource and the user or group is later deleted. There is no link back from the user or group to where the permissions have been assigned. So, Windows cannot go back and remove the SID from the ACL. The SID that's left behind without a matching user or group object is a stale SID. When you are using graphical tools to view permissions and it shows a SID instead of a user or group name, that's typically a stale SID.

NOTE: Just because a graphical tool is showing a SID does not 100% guaranteed that the SID is stale. It could be a user or group from a trusted domain that the tool is having trouble resolving. If you have trusted forests or domains, you should verify that SID is in your domain.

If there were only a few GPOs, it would be fairly fast to use the Group Policy Management Console to find the stale SIDs. However, this client had about 500 GPOs and manually verifying the permissions would have been quite painful.

To find the stale SIDs on GPOs, I wrote up a small script that scans the GPOs and finds any security permissions that are unknown:

 Import-Module GroupPolicy  
 $gpo = Get-GPO -All  
 Foreach ($g in $gpo) {  
   $permissions = $g.getsecurityinfo()  
   Foreach ($p in $permissions) {  
     If ($p.Trustee.SidType -eq "unknown") {  
       Write-Host "Policy with unknown SID: $($g.DisplayName)"  
       Write-Host "Trustee SID: $($p.Trustee.Sid)"  
     } #end if  
   } #end foreach permissions  
 } #end foreach gpo  

Here is what the script does:
  • Loads the GroupPolicy module (required for Windows Server 2008 R2, Windows Server 2012 will do that automatically.
  • Pulls all GPOs into the variable $gpo.
  • Starts a foreach loop to process each gpo in $gpo.
  • Pulls the permissions for the current GPO into the $permissions variable by suing the getsecurityinfo() function for gpo objects.
  • Starts a foreach loop to process each permission in $permissions.
  • Tests whether the SidType for the trustee in the permissions is unknown. An unknown SidType identifies a SID that couldn't be resolved to a user or group.
  • The name of the gpo and the SID of the trustee are written to screen.
 This script writes output to screen, but you could easily modify it to dump the output to fine instead.