NDR for a Cloud-Only Distribution List from Exchange (Hybrid) On-Premises.

In a hybrid deployment, an on-premises mailbox could not send to a distribution list that exists only in Office 365: the message came back with an NDR. The cause is that on-premises Exchange is authoritative for the shared domain, so it rejects any recipient it cannot find in its own directory instead of relaying the message to the cloud.

We fixed the issue with the following steps:

  1. Changed the accepted domain on the on-premises Exchange server from Authoritative to Internal Relay, so that mail for recipients in that domain that do not exist on-premises is handed to the hybrid send connector instead of being rejected.
  2. Created the group in Office 365 only (no on-premises object), so that internal users on the hybrid server can send mail to it.
  3. Gave the group its primary address GROUPNAME@DOMAIN.COM.
  4. In Office 365, added a secondary email address to the group in the format GROUPNAME@DOMAIN.onmicrosoft.com, so that the relayed message resolves to the group under the tenant domain as well.
  5. Allowed about 10-15 minutes for the change to take effect before internal users could send mail to the group.

Caveat: Internal Relay applies to the whole accepted domain, so mail for any non-existent address in that domain now leaves the organisation towards Office 365 and is rejected there rather than on-premises. Before changing the domain type, check that a send connector actually covers the domain, and make sure the secondary address uses the domain that the hybrid send connector routes to the tenant.
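The five steps above as commands, as an added example that is not part of the original post. Part A runs in the on-premises Exchange Management Shell and part B in an Exchange Online PowerShell session; contoso.com (the shared accepted domain), contoso.onmicrosoft.com (the tenant domain, as in the post) and cloudonlyteam (the group alias) are placeholders.

```powershell
# Added example, not from the original post. Part A: on-premises Exchange
# Management Shell. Part B: Exchange Online PowerShell (Connect-ExchangeOnline).
# Placeholders: contoso.com, contoso.onmicrosoft.com, cloudonlyteam.

$Domain       = 'contoso.com'
$TenantDomain = 'contoso.onmicrosoft.com'
$GroupAlias   = 'cloudonlyteam'

# ---- Part A: on-premises Exchange (step 1) ---------------------------------
# Authoritative: a recipient not found on-prem gets an NDR.
# InternalRelay: unknown recipients are handed to a matching send connector.
Get-AcceptedDomain -Identity $Domain | Format-List Name, DomainType

# Confirm a send connector covers the domain before relying on relay; the
# hybrid connector created by the HCW normally carries '*' or the tenant
# routing domain in its address space.
Get-SendConnector | Format-Table Name, AddressSpaces, SmartHosts, CloudServicesMailEnabled -AutoSize

Set-AcceptedDomain -Identity $Domain -DomainType InternalRelay
Get-AcceptedDomain -Identity $Domain | Format-List Name, DomainType

# The group must NOT exist on-prem: an on-prem contact or group with this
# address would be matched first and the relay would never happen.
Get-Recipient -Identity "$GroupAlias@$Domain" -ErrorAction SilentlyContinue

# ---- Part B: Exchange Online (steps 3 and 4) -------------------------------
New-DistributionGroup -Name 'Cloud-Only Team' -Alias $GroupAlias `
    -PrimarySmtpAddress "$GroupAlias@$Domain"

# Secondary address in the tenant domain, so the group resolves under both
# names once the relayed message reaches the tenant.
Set-DistributionGroup -Identity $GroupAlias `
    -EmailAddresses @{ Add = "smtp:$GroupAlias@$TenantDomain" }

Get-DistributionGroup -Identity $GroupAlias | Format-List PrimarySmtpAddress, EmailAddresses

# ---- Verification (back in the on-prem shell, after a test message) --------
# A SEND event on the hybrid connector shows the message left on-prem as
# intended; a FAIL event with 5.1.10 means the domain is still Authoritative
# or the change has not replicated yet.
Get-MessageTrackingLog -Recipients "$GroupAlias@$Domain" -Start (Get-Date).AddMinutes(-30) |
    Format-Table Timestamp, EventId, Sender, ConnectorId, RecipientStatus -AutoSize
```

The message-tracking query at the end is the quickest way to tell the two failure modes apart: if the on-prem server still rejects the recipient, the 5.1.10 shows up there before any NDR reaches the user.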

DCPROMO: Domain Controller promotion fails (Solved)

Windows Server 2008 R2, DCPROMO error: "The operation failed because: The Active Directory Domain Services Installation Wizard was unable to convert the computer account $ to an Active Directory Domain Controller account. Access is denied".

Solution.

Step 1:-

Check the attributes of the computer object that was supposed to be promoted to a DC. In our case the computer object had "Protect object from accidental deletion" set. Promotion moves the computer object into the Domain Controllers OU, and a move needs Delete rights on the source container, which the protection flag denies; that is where the "Access is denied" comes from. Clear the checkbox on the computer object (Object tab, with Advanced Features enabled in AD Users and Computers). If the server was a DC before, also open its server object and NTDS Settings object in Active Directory Sites and Services and clear the same flag there.

Step 2:-

Verify that the Default Domain Controllers Policy exists in Active Directory and grants the "Enable computer and user accounts to be trusted for delegation" user right (SeEnableDelegationPrivilege) to the Administrators security group, or to whichever alternate accounts are used to promote and demote domain controllers in the target domain. Without that right the wizard cannot mark the new DC's account as trusted for delegation.
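Both checks scripted, as an added example that is not from the original post. It assumes the AD PowerShell module, an account that will run the promotion, and the placeholders SRV01 (the server being promoted) and Default-First-Site-Name (its site).

```powershell
# Added example, not from the original post. Run on a DC or any host with the
# ActiveDirectory module, as the account that will perform the promotion.
# Placeholders: SRV01, Default-First-Site-Name.
Import-Module ActiveDirectory

$Computer = 'SRV01'
$Site     = 'Default-First-Site-Name'

# Step 1a: the computer object itself.
$comp = Get-ADComputer -Identity $Computer -Properties ProtectedFromAccidentalDeletion
"$($comp.DistinguishedName) protected = $($comp.ProtectedFromAccidentalDeletion)"
if ($comp.ProtectedFromAccidentalDeletion) {
    Set-ADObject -Identity $comp.DistinguishedName -ProtectedFromAccidentalDeletion $false
}

# Step 1b: a leftover server / NTDS Settings object from an earlier promotion
# lives in the Configuration partition (Sites and Services), not under the
# computer object, so it has to be checked separately.
$cfg      = (Get-ADRootDSE).configurationNamingContext
$serverDn = "CN=$Computer,CN=Servers,CN=$Site,CN=Sites,$cfg"
Get-ADObject -SearchBase $serverDn -SearchScope Subtree -Filter * `
    -Properties ProtectedFromAccidentalDeletion -ErrorAction SilentlyContinue |
    ForEach-Object {
        "$($_.DistinguishedName) protected = $($_.ProtectedFromAccidentalDeletion)"
        if ($_.ProtectedFromAccidentalDeletion) {
            Set-ADObject -Identity $_ -ProtectedFromAccidentalDeletion $false
        }
    }

# Step 2: who holds SeEnableDelegationPrivilege on this DC according to the
# effective local policy. secedit exports the resolved user-rights assignment;
# *S-1-5-32-544 in the list is BUILTIN\Administrators.
$inf = Join-Path $env:TEMP 'rights.inf'
secedit.exe /export /cfg $inf /areas USER_RIGHTS | Out-Null
Select-String -Path $inf -Pattern '^SeEnableDelegationPrivilege' | ForEach-Object { $_.Line }
Remove-Item -Path $inf

# And whether the account running this script actually holds it right now.
whoami.exe /priv | Select-String -Pattern 'SeEnableDelegationPrivilege'
```

If the secedit line is missing or does not list the group your promoting account belongs to, fix the Default Domain Controllers Policy (or whatever GPO overrides it) and run gpupdate /force on the DC before retrying the promotion.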

How to recreate Outlook profiles after the Tenant migration

Problem:

After performing a migration that includes transferring the domain name to the target server, Outlook cannot connect to the new server. The following error message is shown:

Outlook cannot log on. Verify you are connected to the network and are using the proper server and mailbox name. The Microsoft Exchange information service in your profile is missing required information. Modify your profile to ensure that you are using the correct Microsoft Exchange information service.

Solution:

This happens because the pre-migration settings of the Autodiscover service, which connects Outlook with Exchange, are still cached in the registry for the currently used Outlook profile. To resolve this, create a new Outlook profile and set it as the default one. This can be done manually for each user, or automatically for all users in your domain by using Group Policy. Both procedures are described below.

How to create a new Outlook profile for a single user

  1. Close Outlook.
  2. Go to the Windows Control Panel and click Mail (or, if you're using the Category view, first click User Accounts, and then click Mail).
  3. In the window that opens, click Show Profiles (Fig. 1.).
    Fig. 1. Accessing Outlook profiles.
  4. Click Add, and provide the name for the new Outlook profile (Fig. 2.). Click OK to proceed.
    Fig. 2. Providing a name for the new Outlook profile.
  5. Complete the wizard to add your email account and click Finish.
  6. Make sure the Always use this profile option is selected and choose your newly created profile from the drop-down menu (Fig. 3.).
    Fig. 3. Selecting the default Outlook profile.
  7. Click OK to save changes.

Outlook should now open without any errors and connect to the correct Exchange server.

How to create a new Outlook profile for all users in the domain

A new Outlook profile can be created and set as a default one by using a simple script that adds new values to Windows registry. To bulk create new Outlook profiles for all your users, you can run this script on multiple computers via Group Policy.

Important

In this scenario, the script will be executed as a user logon script. However, a Group Policy object (GPO) can also be configured to run user logoff or computer startup and shutdown scripts.

The procedure has two parts: creating the script file, and creating the GPO that runs it.

Creating a file containing a script to create a new Outlook profile

  1. Open Notepad (or any text editor) and paste the following text (depending on which Outlook version you use). Each block creates an empty profile key, which makes Outlook run its startup wizard, and then sets that profile as the default. The /f switch overwrites an existing value without prompting, which matters for a script that runs unattended at every logon:
    • Outlook 2010
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles\<name>" /f
      reg add "HKCU\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles" /v DefaultProfile /t REG_SZ /d "<name>" /f
      reg add "HKCU\Software\Microsoft\Exchange\Client\Options" /v PickLogonProfile /t REG_DWORD /d "0" /f
    • Outlook 2013
      reg add "HKCU\Software\Microsoft\Office\15.0\Outlook\Profiles\<name>" /f
      reg add "HKCU\Software\Microsoft\Office\15.0\Outlook" /v DefaultProfile /t REG_SZ /d "<name>" /f
    • Outlook 2016
      reg add "HKCU\Software\Microsoft\Office\16.0\Outlook\Profiles\<name>" /f
      reg add "HKCU\Software\Microsoft\Office\16.0\Outlook" /v DefaultProfile /t REG_SZ /d "<name>" /f

      Where instead of <name> provide the name for the new Outlook profile. Outlook 2019 and Microsoft 365 Apps use the same 16.0 key as Outlook 2016.

  2. Save the file as a BAT file.
  3. Copy the file to a network location accessible to all users in the domain, for example the NETLOGON share of your domain controllers (%logonserver%\netlogon), which is replicated to every DC.

    Warning

    Make sure that each user has permission to read and execute the file, and nothing more. The script runs in every user's session at logon, so anyone who can modify it can run code as every user in the domain. Keep write access limited to the administrators who manage the GPO.

Creating a GPO executing the script when a user logs in to a workstation

  1. Log in to your Windows Server domain controller (DC).
  2. Open Server Manager and select Tools > Group Policy Management.

    Tip

    If it’s not there, you need to install this feature first. In Server Manager, select Manage > Add Roles and Features and follow the wizard instructions. Just remember to select the Group Policy Management feature in the Features step (Fig. 4.).

    Fig. 4. Installing the Group Policy Management console.

  3. In the Group Policy Management console, find your domain in the navigation tree on the left, right-click it and select Create a GPO in this domain, and Link it here (Fig. 5.).
    Fig. 5. Creating a new GPO.
  4. Provide the name of the new GPO and click OK.
  5. Navigate to the Group Policy Objects container, find your newly created GPO, right-click it and select Edit. The Group Policy Management Editor will open.
  6. Go to User Configuration > Policies > Windows Settings > Scripts (Logon/Logoff) and double-click Logon (Fig. 6.).
    Fig. 6. Adding a new logon script.
  7. In the Logon Properties window, click Add, then click Browse and select the BAT file created in the section above (Fig. 7.).
    Fig. 7. Selecting the appropriate script file.
  8. Click OK twice to save the change.

You can now close the Group Policy Management console. The script will be executed for each user when they log in to their workstations. When they open Outlook, the Outlook startup wizard will be shown (Fig. 8.). Since a logon script runs at every logon, unlink or disable the GPO once all users have opened Outlook with the new profile; the reg add commands are harmless on repeat runs, but they keep resetting DefaultProfile to the scripted name.

Fig. 8. The Outlook startup wizard.

The Autodiscover feature should no longer have a problem connecting to the appropriate on-prem Exchange server or Office 365.
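The same logon script written in PowerShell, as an added example that is not from the original article. It detects the installed Outlook version instead of needing one BAT file per version, and it is idempotent: once the profile exists for a user it does nothing more, so DefaultProfile is not reset at every logon. It deploys through the same GPO path (User Configuration > Policies > Windows Settings > Scripts > Logon, on the PowerShell Scripts tab); "Post-Migration" is a placeholder profile name.

```powershell
# Added example, not from the original article: PowerShell version of the
# logon script above. Placeholder profile name: Post-Migration.

$ProfileName = 'Post-Migration'

# Locate outlook.exe through its App Paths entry (valid for 32- and 64-bit
# Office) and read the major file version: 14 = 2010, 15 = 2013, 16 = 2016+.
$appPath = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\App Paths\OUTLOOK.EXE'
$exe     = ((Get-ItemProperty -Path $appPath -ErrorAction Stop).'(default)').Trim('"')
$major   = (Get-Item -Path $exe).VersionInfo.FileMajorPart

switch ($major) {
    16 { $profilesKey = 'HKCU:\Software\Microsoft\Office\16.0\Outlook\Profiles'
         $defaultKey  = 'HKCU:\Software\Microsoft\Office\16.0\Outlook' }
    15 { $profilesKey = 'HKCU:\Software\Microsoft\Office\15.0\Outlook\Profiles'
         $defaultKey  = 'HKCU:\Software\Microsoft\Office\15.0\Outlook' }
    14 { $profilesKey = 'HKCU:\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem\Profiles'
         $defaultKey  = $profilesKey }   # Outlook 2010 stores DefaultProfile under Profiles
    default { Write-Warning "Unsupported Outlook version $major"; return }
}

$profileKey = Join-Path -Path $profilesKey -ChildPath $ProfileName
if (Test-Path -Path $profileKey) { return }   # already done for this user: do nothing

# An empty profile key is enough: Outlook sees a profile with no services and
# runs its startup wizard, which performs a fresh Autodiscover lookup.
New-Item -Path $profileKey -Force | Out-Null
if (-not (Test-Path -Path $defaultKey)) { New-Item -Path $defaultKey -Force | Out-Null }
Set-ItemProperty -Path $defaultKey -Name DefaultProfile -Value $ProfileName -Type String

if ($major -eq 14) {
    # Outlook 2010: switch off the "choose profile" prompt so the new default
    # is used without asking.
    $opt = 'HKCU:\Software\Microsoft\Exchange\Client\Options'
    if (-not (Test-Path -Path $opt)) { New-Item -Path $opt -Force | Out-Null }
    Set-ItemProperty -Path $opt -Name PickLogonProfile -Value 0 -Type DWord
}
```

Because the script exits as soon as it finds the profile key, leaving the GPO linked for a few extra weeks costs nothing; a user who later renames or deletes the profile will simply get a fresh one at the next logon.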

Invalid service type: w32time on <ADC server name>, current value WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS (Solved)

While running DCDIAG and our health script against an additional domain controller we got the following error:

"Invalid service type: w32time on <ADC server name>, current value WIN32_OWN_PROCESS, expected value WIN32_SHARE_PROCESS"

And when trying to start the service we got this error:

"The service start failed since one or more services in the same process have an incompatible service SID type setting. A service with restricted service SID type can only coexist in the same process with other services with a restricted SID type. If the service SID type for this service was just configured, the hosting process must be restarted in order to start this service."

DCDIAG expects the Windows Time service on a domain controller to be a shared-process service (hosted in an svchost.exe group); on this server it had been reconfigured to run in its own process. The second error describes the other half of the problem: a service can only share a process with services whose service SID type is compatible with its own, and after the type is changed the hosting process has to be restarted before the service will start. The service type is set with sc config, either sc config w32time type= own or sc config w32time type= share (note the space after type=), and the value DCDIAG expects is share.

Solution:-

sc config w32time type= share

Then restart the Windows Time service so the new setting takes effect, and re-run dcdiag /test:services.
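The check-fix-verify sequence for this error, as an added example that is not from the original post. It assumes an elevated PowerShell session on the affected additional DC.

```powershell
# Added example, not from the original post. Run elevated on the affected DC.
$svc = Get-WmiObject -Class Win32_Service -Filter "Name='w32time'"
"{0}: ServiceType='{1}' State={2} StartMode={3}" -f $svc.Name, $svc.ServiceType, $svc.State, $svc.StartMode

# DCDIAG expects 'Share Process' (w32time hosted in an svchost.exe group);
# 'Own Process' is what produced the "Invalid service type" line.

# The start failure in the post is about service SID types, so show w32time's
# before changing anything.
sc.exe qsidtype w32time

if ($svc.ServiceType -ne 'Share Process') {
    # sc.exe syntax requires the space after 'type='
    sc.exe config w32time type= share
}

# The hosting process must be restarted for the new type to apply; then the
# service can rejoin the domain time hierarchy and resync.
Restart-Service -Name w32time -Force
w32tm.exe /resync
w32tm.exe /query /status

# Re-run the DCDIAG test that raised the error.
dcdiag.exe /test:services
```

If the service still refuses to start after the restart, compare the qsidtype output with the other services in the same svchost group; a mismatched SID type is the only remaining cause the error text points at.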


Outlook disconnected: 2010/2016 coexistence issues with RPC

We installed Exchange 2016 for coexistence with Exchange 2010 and configured the Exchange 2016 virtual directories. While testing Outlook Anywhere we found that internal Exchange 2010 users were unable to connect to Exchange, while newly created Exchange 2016 users could connect fine with their Outlook clients.

Outlook showed "Disconnected", but OWA and ActiveSync were working fine.

  • We checked the Outlook Anywhere configuration, which seemed to be fine.
  • Checked the internal Outlook Anywhere hostname on Exchange 2016:
    Get-OutlookAnywhere -Identity "exch2016-01\Rpc (Default Web site)" | Select InternalHostname
  • Checked the CAS array name on Exchange 2010:
    Get-ClientAccessArray | Select Fqdn
  • Checked the RpcClientAccessServer set on the Exchange 2010 mailbox databases:
    Get-MailboxDatabase | Select Name, RpcClientAccessServer

The RPC Client Access array/server name and the Exchange 2016 internal Outlook Anywhere name were the same. Once we switched the default namespace over to Exchange 2016, that name resolved to Exchange 2016, so a 2010 user's Outlook landed on 2016, which looked up the RpcClientAccessServer of the 2010 database to proxy the request, found the same name, and was sent back to itself: a routing loop.

We fixed the name issue by pointing the 2010 databases at a name that still resolves to Exchange 2010:

Set-MailboxDatabase -Identity "<Database Name>" -RpcClientAccessServer "exch2010-01.contoso.local"

This setting is visible to end users. Changing it results in users getting a pop-up in Outlook stating that an Exchange administrator has changed settings and that Outlook must be closed and re-opened, so plan the change for a quiet time.
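The three checks and the fix in one script, as an added example that is not from the original post. It runs in the Exchange 2010 Management Shell (Set-MailboxDatabase has to run against 2010 databases from a 2010 shell); exch2010-01, exch2016-01 and contoso.local are placeholders, and the -WhatIf on the fix is deliberate.

```powershell
# Added example, not from the original post. Exchange 2010 Management Shell.
# Placeholders: exch2010-01, exch2016-01, contoso.local.
$Ex2010Server = 'exch2010-01'
$Ex2010Fqdn   = 'exch2010-01.contoso.local'

# Internal Outlook Anywhere name published by Exchange 2016 (paste the value
# from the 2016 shell if the 2010 shell cannot read the 2016 virtual directory).
$oaInternal = (Get-OutlookAnywhere -Identity 'exch2016-01\Rpc (Default Web Site)').InternalHostname.ToString()

# Name the 2010 clients use for RPC, and what DNS resolves it to right now.
$casArray = (Get-ClientAccessArray | Select-Object -First 1).Fqdn.ToString()
$resolved = [System.Net.Dns]::GetHostAddresses($casArray) | ForEach-Object { $_.IPAddressToString }

"Exchange 2016 internal Outlook Anywhere host : $oaInternal"
"Exchange 2010 CAS array FQDN                 : $casArray -> $($resolved -join ', ')"

Get-MailboxDatabase -Server $Ex2010Server |
    Format-Table Name, @{ n = 'RpcClientAccessServer'; e = { $_.RpcClientAccessServer.ToString() } } -AutoSize

# Same name on both sides while DNS points it at 2016 is the loop described
# above. Repoint every affected 2010 database at a name that still resolves
# to Exchange 2010. Users get the "administrator has made a change, restart
# Outlook" prompt, so remove -WhatIf only when the list looks right.
if ($oaInternal -eq $casArray) {
    Get-MailboxDatabase -Server $Ex2010Server |
        Where-Object { $_.RpcClientAccessServer.ToString() -eq $casArray } |
        ForEach-Object {
            Set-MailboxDatabase -Identity $_.Identity -RpcClientAccessServer $Ex2010Fqdn -WhatIf
        }
}
```

Using the 2010 server's own FQDN is the simplest target; if the 2010 side is a multi-server CAS array, a new array name that resolves only to the 2010 servers does the same job without tying the databases to one host.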


2010/2013/2016 Coexistence: "421 4.4.2 Connection dropped due to SocketError", emails stuck in queue

One of our engineers hit this issue while setting up coexistence between Exchange 2010 and 2016.

All Exchange 2010 mail flow was working fine, internally and externally.

We moved test mailboxes to Exchange 2016 and sent emails from Exchange 2010 to Exchange 2016.

The Exchange 2016 mailboxes did not receive the mail. The message trace and the queue on Exchange 2010 showed "421 4.4.2 Connection dropped due to SocketError" whenever an Exchange 2010 mailbox tried to send to an Exchange 2016 mailbox. The error means the SMTP session was torn down at the socket level; in this case the two servers had no TLS protocol version in common, because the older versions had been disabled through the Schannel registry settings.

To fix the issue we made the following registry change on the server where those protocols had been disabled:

  • Open Regedit (Start | Run | Regedit)
  • Navigate to the registry key: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols
  • Here you need a key for each cryptographic protocol. Create keys named TLS 1.0 and TLS 1.1
  • Within each protocol key, create two subkeys, one named Client and the other named Server
  • Within each of the Client and Server keys, create a DWORD named Enabled. A value of 1 enables the protocol, a value of 0 disables it.
  • Within each of the Client and Server keys, create another DWORD named DisabledByDefault. A value of 0 enables the protocol (i.e. not disabled by default).

No reboot was required in our case. Schannel reads these values when a process starts, so if the queue does not drain, restart the Microsoft Exchange Transport service on both servers, and reboot if that is still not enough.

Caveat: this fix works by re-enabling TLS 1.0 and 1.1, which are deprecated. Treat it as a bridge while you bring both sides up to TLS 1.2 (Exchange 2010 needs SP3 Update Rollup 19 or later, plus the matching .NET and Schannel settings), and disable the old protocols again afterwards.
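The registry procedure above as a reusable script, as an added example that is not from the original post. It adds a function to read the current Schannel state, so the same script can re-enable TLS 1.0/1.1 temporarily and later switch them off again once both servers speak TLS 1.2. Run it elevated on the server that drops the connection.

```powershell
# Added example, not from the original post. Run elevated on the server
# whose Schannel settings were tightened.
$Base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {
    # One row per protocol/side; missing keys mean the OS default applies.
    foreach ($proto in 'SSL 2.0', 'SSL 3.0', 'TLS 1.0', 'TLS 1.1', 'TLS 1.2') {
        foreach ($side in 'Client', 'Server') {
            $key = Join-Path -Path $Base -ChildPath "$proto\$side"
            $p   = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
            $enabled = '(OS default)'; $dbd = '(OS default)'
            if ($null -ne $p) {
                if ($null -ne $p.Enabled)           { $enabled = $p.Enabled }
                if ($null -ne $p.DisabledByDefault) { $dbd     = $p.DisabledByDefault }
            }
            [pscustomobject]@{ Protocol = $proto; Side = $side; Enabled = $enabled; DisabledByDefault = $dbd }
        }
    }
}

function Set-SchannelProtocol {
    param(
        [Parameter(Mandatory)][string]$Protocol,   # e.g. 'TLS 1.0'
        [Parameter(Mandatory)][bool]$Enabled
    )
    foreach ($side in 'Client', 'Server') {
        $key = Join-Path -Path $Base -ChildPath "$Protocol\$side"
        if (-not (Test-Path -Path $key)) { New-Item -Path $key -Force | Out-Null }
        # Enabled=1 / DisabledByDefault=0 turns the protocol on; 0 / 1 turns it off.
        Set-ItemProperty -Path $key -Name Enabled           -Type DWord -Value ([int]$Enabled)
        Set-ItemProperty -Path $key -Name DisabledByDefault -Type DWord -Value ([int](-not $Enabled))
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# The post's fix: re-enable TLS 1.0 and 1.1 so the 2010 <-> 2016 SMTP session
# can negotiate. Treat this as temporary.
Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $true
Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $true

# Schannel settings are read at process start, so bounce transport.
Restart-Service -Name MSExchangeTransport -Force

Get-SchannelProtocolState | Format-Table -AutoSize

# Target end state once both sides are TLS 1.2 capable:
#   Set-SchannelProtocol -Protocol 'TLS 1.2' -Enabled $true
#   Set-SchannelProtocol -Protocol 'TLS 1.0' -Enabled $false
#   Set-SchannelProtocol -Protocol 'TLS 1.1' -Enabled $false
```

Run the state function on both servers before touching anything: the protocol that is missing on one side is usually obvious from the two tables side by side, and enabling TLS 1.2 on the side that lacks it is the better fix when it is available.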


Microsoft Intune vs AirWatch vs MobileIron (comparison)

One of our customers was looking for an MDM solution. We proposed Intune, but they wanted a comparison with the other available MDM solutions, so here is our comparison of Intune, AirWatch and MobileIron. Prices are approximate list prices at the time of writing, and the feature columns reflect the products as we evaluated them.


#  | Feature                                        | Intune          | AirWatch          | MobileIron
   | Pricing (approx.)                              | $7/user/month   | $10/device/month  | $11/user/month

Mobile Content Management Features
1  | Content Access                                 | N/A             | Available         | Available
2  | Content Push                                   | N/A             | Available         | N/A
3  | Data Loss Prevention                           | Available       | Available         | Available
4  | Email Security                                 | Available       | N/A               | Available

Mobile Device Management Features
5  | Automatic Device Recognition                   | Available       | Available         | Available
6  | BYOD                                           | Available       | Available         | Available
7  | Execute Remote Functions                       | Available       | Available         | Available
8  | Geofencing                                     | Available       | Available         | N/A
9  | Time Fencing                                   | N/A             | Available         | N/A
10 | Location Tracking                              | Available       | Available         | Available
11 | Multi-User Management                          | Available       | Available         | Available
12 | Quarantine Unsecured Devices                   | Available       | N/A               | Available
13 | Self Enrollment                                | Available       | Available         | Available

Reporting Features
14 | Application Inventory                          | Available       | Available         | Available
15 | Content Access Reports                         | N/A             | Available         | N/A
16 | Content Inventory                              | N/A             | Available         | Available
17 | Customizable Dashboard                         | Available       | Available         | N/A
18 | Export Report Data                             | Available       | Available         | Available
19 | Hardware Inventory                             | Available       | N/A               | Available
20 | Report Templates                               | Available       | N/A               | N/A

Support Features
21 | 24x7 Support                                   | Available       | Available         | N/A
22 | Blog                                           | Available       | N/A               | N/A
23 | Brochures                                      | Available       | Available         | Available
24 | Email                                          | Available       | Available         | Available
25 | FAQ                                            | Available       | Available         | Available
26 | Forums                                         | Available       | N/A               | Available
27 | Helpdesk                                       | Available       | N/A               | Available
28 | Knowledge base                                 | Available       | Available         | Available
29 | Remote Training                                | Available       | N/A               | N/A
30 | Request form                                   | Available       | Available         | Available
31 | Webinars                                       | Available       | Available         | Available
32 | White papers                                   | Available       | N/A               | Available
33 | Instructional Videos                           | Available       | Available         | Available
34 | Live chat                                      | N/A             | Available         | N/A
35 | Phone                                          | Available       | Available         | Available

Mobile Application Management Features
36 | App Wrapping                                   | Available       | Available         | Available
37 | Mobile App Configuration & Policy Management   | Available       | Available         | Available
38 | Mobile App Deployment                          | Available       | Available         | Available
39 | Updates                                        | Available       | Available         | Available
40 | Mobile Browsing Management                     | Available       | Available         | Available
41 | Software Development Kit (SDK)                 | Available       | Available         | N/A
42 | Enterprise In-house App Store                  | Available       | N/A               | Available
43 | MDM Vendor Native Apps                         | Available       | N/A               | Available
44 | Whitelist/Blacklist Apps                       | Available       | N/A               | Available

Additional Features
45 | Windows Laptop/Desktop Management              | Available       | N/A               | N/A
46 | Windows Updates                                | Available       | N/A               | N/A
47 | Integration with SCCM                          | Available       | N/A               | N/A
48 | Compliance Policies for Microsoft Applications | Available       | N/A               | N/A


Application Proxy: Incorrect Kerberos constrained delegation

I was publishing a SharePoint 2010 site through Azure AD Application Proxy.

I asked the SharePoint team to make the required changes on the SharePoint side. After the configuration the site was accessible from outside, but when we enabled single sign-on with Windows Integrated Authentication by setting the SPN in the Application Proxy configuration, we got the following error:

"Incorrect Kerberos constrained delegation configuration in your on-premises Active Directory."

This error appears when the SPN, or the delegation to it, is misconfigured.

Solution:

Check the SPN configuration with the following commands:

SetSPN -Q HTTP/portal.domain.com

SetSpn -L "domain\Service account"

The first confirms that the SPN is registered in the forest (and only once; a duplicate SPN breaks Kerberos for both holders). The second lists the SPNs held by the SharePoint application pool service account, which must include exactly the SPN you entered in Application Proxy.

Then check the event log on the Application Proxy connector server (Applications and Services Logs > Microsoft > AadApplicationProxy-Connector > Admin).

We found events about delegation there. We checked the connector server's computer object in AD, opened the Delegation tab, and found that no SPN had been added.

In AD Users and Computers, navigate to the OU that contains the server on which you installed the Application Proxy Connector. Right-click the computer entry, select Properties, and open the Delegation tab.

Select "Trust this computer for delegation to specified services only" and "Use any authentication protocol" (the connector never receives a Kerberos ticket from the user, only the Azure AD token, so it needs protocol transition), then add the SharePoint SPN (HTTP/portal.domain.com, found under the service account that holds it). Only list the SPNs the connector genuinely needs: every entry on this tab lets the connector host impersonate any domain user to that service, which makes the connector server a high-value target that should be hardened and monitored like a domain controller.

This is how I resolved my issue. Please share your thoughts on how you resolved it.
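The SPN and delegation checks as a script, as an added example that is not from the original post. It assumes the AD PowerShell module and a domain admin session; APPPROXY01 (the connector server), svc-sp-app (the SharePoint web application pool account) and HTTP/portal.domain.com (the SPN from the post) are placeholders.

```powershell
# Added example, not from the original post. Run as a domain admin on a host
# with the ActiveDirectory module. Placeholders: APPPROXY01, svc-sp-app,
# HTTP/portal.domain.com.
Import-Module ActiveDirectory

$Connector = 'APPPROXY01'
$SpAccount = 'svc-sp-app'
$Spn       = 'HTTP/portal.domain.com'

# 1. The SPN must exist exactly once and belong to the SharePoint app pool account.
setspn.exe -Q $Spn
setspn.exe -L $SpAccount
setspn.exe -X          # any duplicate SPN in the forest breaks Kerberos for that service

# 2. The connector's computer object must be allowed to delegate to that SPN
#    with protocol transition ("Use any authentication protocol"): the
#    connector has no Kerberos ticket from the user, only the Azure AD token.
$c = Get-ADComputer -Identity $Connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation
$c | Format-List Name, TrustedToAuthForDelegation, msDS-AllowedToDelegateTo

if ($c.'msDS-AllowedToDelegateTo' -notcontains $Spn) {
    Set-ADComputer -Identity $Connector -Add @{ 'msDS-AllowedToDelegateTo' = $Spn }
}
if (-not $c.TrustedToAuthForDelegation) {
    # TRUSTED_TO_AUTH_FOR_DELEGATION = the "Use any authentication protocol" radio button
    Set-ADAccountControl -Identity $c -TrustedToAuthForDelegation $true
}

# 3. Re-read and confirm. Keep this list to the SPNs the connector really
#    needs: each entry lets the connector host impersonate any user to that
#    service, so review it the way you would review Domain Admins membership.
Get-ADComputer -Identity $Connector -Properties msDS-AllowedToDelegateTo, TrustedToAuthForDelegation |
    Select-Object Name, TrustedToAuthForDelegation,
        @{ n = 'AllowedToDelegateTo'; e = { $_.'msDS-AllowedToDelegateTo' -join ', ' } }
```

After the change, restart the Application Proxy connector service so it picks up the new delegation settings, and re-test single sign-on while watching the AadApplicationProxy-Connector Admin log for a fresh delegation event.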


Active Directory Best Practices

We are working on a list of AD best-practice points. We have listed a few below; if you have anything to add, please comment and we will update the write-up.

Physical Security

  1. The physical server should have a redundant power supply.
  2. Access to the physical location should be restricted.
  3. The server OS should be up to date with the latest security patches.
  4. RDP sessions should be limited to administrators, ideally from a dedicated management network or jump host.
  5. Deploy full disk encryption (BitLocker) on domain controllers, so that a stolen disk or VM image does not hand over the NTDS.dit database and every password hash in it.

Document Your Active Directory

In order to keep a clean and secure AD, it is essential that everyone on the team is on the same page. This means documenting things like naming conventions and key security policies. Here is a good checklist to start with:

  • Identify all of your computer, user, domain and OU naming conventions.
  • Describe your OU hierarchy, DNS configuration, network numbering conventions and DHCP configuration.
  • List the main functions of your GPOs and how they are organised.
  • Take note of the locations of the Flexible Single Master Operation (FSMO) roles.
  • Identify the organisation's policy for adding new user accounts and for revoking them.
  • Describe the organisation's policy for user restrictions.
  • Keep the AD design document available for reference.

Control Your Administration

Privileged accounts (local administrators, privileged users, domain admins and so on) are used by sysadmins to manage and deploy IT systems, which makes them the first target in any AD compromise. Make sure only legitimate people have access to AD, and only on the appropriate OUs. Many security teams have real-time alerts set up to report any changes or additions to these groups, since such changes should happen very infrequently.

ADDS Service Considerations.

  1. The server should be protected with an AV and a backup agent. The AV should be configured with the right exclusions (the NTDS database and log files, SYSVOL) and the latest engine.
  2. Use separate administrative accounts (a normal account for daily work, a separate one for AD administration).
  3. Restrict the elevated built-in groups.
  4. Disable Guest and rename Administrator.
  5. Limit access to the Administrator account.
  6. Enforce strong password rules.
  7. Protect the service accounts' passwords (long, rotated, and with no more SPNs or privileges than the service needs).
  8. Minimise unnecessary services and open ports.
  9. Make the DC time source secure (Kerberos tolerates only a small clock skew, so whoever controls time controls authentication).
  10. Audit important events.
  11. Monitor AD for signs of compromise.
  12. Logon restrictions for end users (they should never be able to log on to a domain controller).
  13. FSMO roles should be distributed across different servers.
  14. User and group creation should be documented and approved.
  15. Keep a record of delegated user access.

Group Policies.

  1. The default group policies should be enabled.
  2. The Domain Controllers GPO should be deployed.
  3. Test GPOs before deploying them.
  4. GPOs should be documented.

Daily operation.

  1. Check replication and service health.
  2. Daily backup of the domain controller servers.
  3. Daily backup of services like DHCP, DNS and the CA.
  4. Document any service change on AD.
  5. Use Task Scheduler to run a health-check script.

Additional Tools:

  1. Deploy ATA (Advanced Threat Analytics) for behaviour analysis of Active Directory if you have EMS licences.
  2. Deploy the Azure AD Connect Health agent.
  3. SCOM monitoring.
  4. Third-party monitoring solutions.

AD Test Environment

  1. Create a test bed that mirrors the current AD environment.
  2. Any configuration change should be performed in the test environment first.
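A health-check script of the kind item 5 under "Daily operation" refers to, as an added example that is not from the original post. It covers several of the points above (FSMO placement, built-in accounts, privileged group membership, service-account passwords, replication and service health, the PDC time source) and assumes a domain admin session on a host with the AD PowerShell module and the repadmin/dcdiag tools.

```powershell
# Added example, not from the original post. Run as a domain admin on a host
# with the ActiveDirectory module and the repadmin/dcdiag/w32tm tools.
Import-Module ActiveDirectory

$domain = Get-ADDomain
$forest = Get-ADForest

# Item 13: FSMO roles distributed across different servers.
$fsmo = [ordered]@{
    SchemaMaster         = $forest.SchemaMaster
    DomainNamingMaster   = $forest.DomainNamingMaster
    PDCEmulator          = $domain.PDCEmulator
    RIDMaster            = $domain.RIDMaster
    InfrastructureMaster = $domain.InfrastructureMaster
}
$fsmo.GetEnumerator() | ForEach-Object { '{0,-22} {1}' -f $_.Key, $_.Value }
if (@($fsmo.Values | Select-Object -Unique).Count -eq 1) {
    Write-Warning 'All five FSMO roles are on a single DC'
}

# Item 4: Guest disabled, Administrator renamed. RIDs 500/501 never change,
# so look the accounts up by SID rather than by name.
$builtinAdmin = Get-ADUser -Identity "$($domain.DomainSID)-500" -Properties Enabled, LastLogonDate
$guest        = Get-ADUser -Identity "$($domain.DomainSID)-501" -Properties Enabled
if ($builtinAdmin.SamAccountName -eq 'Administrator') { Write-Warning 'Built-in Administrator has not been renamed' }
if ($builtinAdmin.LastLogonDate -gt (Get-Date).AddDays(-30)) { Write-Warning "Built-in Administrator used on $($builtinAdmin.LastLogonDate)" }
if ($guest.Enabled) { Write-Warning 'Guest account is enabled' }

# Item 3: elevated built-in groups. Membership should be short and every
# entry explainable. Enterprise/Schema Admins exist only in the forest root.
foreach ($g in 'Domain Admins', 'Enterprise Admins', 'Schema Admins', 'Administrators') {
    $members = @(Get-ADGroupMember -Identity $g -Recursive -ErrorAction SilentlyContinue |
                 Select-Object -ExpandProperty SamAccountName)
    '{0,-18} {1,3} member(s): {2}' -f $g, $members.Count, ($members -join ', ')
}

# Item 7: any user account with an SPN can have its ticket cracked offline
# (Kerberoasting), so old passwords on those accounts are the ones to fix first.
Get-ADUser -Filter { ServicePrincipalName -like '*' } -Properties PasswordLastSet, ServicePrincipalName |
    Where-Object { $_.PasswordLastSet -lt (Get-Date).AddDays(-365) } |
    Select-Object SamAccountName, PasswordLastSet, @{ n = 'SPNs'; e = { $_.ServicePrincipalName -join ' ' } } |
    Format-Table -AutoSize

# Daily operation item 1: replication and service health.
repadmin.exe /replsummary
dcdiag.exe /test:replications /test:services /q

# Item 9: the PDC emulator's time source should be an external or hardware
# stratum source, never "Local CMOS Clock".
w32tm.exe /query /computer:$($domain.PDCEmulator) /source
```

Schedule it with Task Scheduler under a dedicated, least-privilege account and ship the output to wherever the team reads alerts; the warnings it emits are exactly the conditions the list above says should never be true.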