April 2017

Resolve IP Addresses from List of Host Names

If you have a list of hostnames that you need IP addresses for, pinging each server by hand just to read its address is cumbersome.

PowerShell to the rescue!

To do this we need a file called Servers.txt with one hostname per line. I am storing the file at D:\Data\Servers.txt.

Once we run the script below, it resolves each name via DNS and stores the results in another file, D:\Data\Addresses.txt.

All of the addresses come straight from the DNS records for the names, so a stale or wrong DNS entry is copied into the output unchanged; the script does not check that the host actually answers.
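The resolver script, written here as an added example (it is not the post's original script): it reads D:\Data\Servers.txt, resolves every name, and writes one "hostname,address,status" line per result to D:\Data\Addresses.txt. Names that fail to resolve are recorded with the error instead of being dropped silently. It assumes the DnsClient module (Resolve-DnsName), which ships with Windows 8 / Server 2012 and later; the two file paths are the ones from the post.

```powershell
# Added example, not the post's script. Resolve a list of hostnames from a file
# and write hostname,address,status lines to a second file.
$inputFile  = 'D:\Data\Servers.txt'     # one hostname per line (from the post)
$outputFile = 'D:\Data\Addresses.txt'   # output file (from the post)

$results = Get-Content -Path $inputFile |
    ForEach-Object { $_.Trim() } |
    Where-Object { $_ -and -not $_.StartsWith('#') } |   # skip blank and commented lines
    ForEach-Object {
        $name = $_
        try {
            # -Type A asks for IPv4 records only; -ErrorAction Stop turns NXDOMAIN etc. into
            # a catchable exception. The answer may include CNAMEs, so keep only A records.
            $records = Resolve-DnsName -Name $name -Type A -ErrorAction Stop |
                       Where-Object { $_.Type -eq 'A' }
            foreach ($r in $records) {
                # A name with several A records produces several output lines.
                [pscustomobject]@{ HostName = $name; IPAddress = $r.IPAddress; Status = 'OK' }
            }
        } catch {
            [pscustomobject]@{ HostName = $name; IPAddress = ''; Status = $_.Exception.Message }
        }
    }

# Plain CSV-style text so the file can be read by anything; ASCII avoids a BOM.
$results |
    ForEach-Object { '{0},{1},{2}' -f $_.HostName, $_.IPAddress, $_.Status } |
    Set-Content -Path $outputFile -Encoding ASCII

# Show the same table on screen, failures included.
$results | Format-Table -AutoSize
```

On a host without Resolve-DnsName, [System.Net.Dns]::GetHostAddresses($name) does the lookup instead, but it goes through the local resolver cache and the hosts file as well as DNS, so a poisoned hosts file would show up as a "resolved" address. Plain DNS answers are not authenticated either unless DNSSEC validation is in place, which is why the status column is worth keeping alongside the address.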

Connecting to a remote domain controller using PowerShell

Covering one of the basic day-to-day tasks of a Windows administrator: connecting to a domain controller. I try to minimize logging on to servers as much as possible. Think in terms of connecting to the server remotely and doing the work from your workstation rather than logging on to the DC interactively.

I will be discussing two approaches below to connect to a domain controller:

  1. Connecting from a client machine on the same domain
  2. Connecting from a client machine on a different domain or a workstation/server

Before we get started, and regardless of which approach you take, one thing needs to be installed on the client Windows machine: the Active Directory module for Windows PowerShell.

Installing the Active Directory Module

GUI:

The Active Directory module for Windows PowerShell is already built into Windows Server operating systems (starting from Windows Server 2008 R2), but it is not enabled by default.

On Windows Server 2016, you can install the AD for PowerShell module from the Server Manager (Add Roles and Features -> Features -> Remote Server Administration Tools -> Role Administration Tools -> AD DS and AD LDS Tools -> Active Directory module for Windows PowerShell).

PowerShell:

You can also install the module from the PowerShell console with the Install-WindowsFeature cmdlet (the feature name is RSAT-AD-PowerShell):

RSAT-AD-PowerShell can be installed not only on domain controllers but also on any domain member server, and even on a workstation (as part of RSAT). The PowerShell Active Directory module is installed automatically when you deploy the Active Directory Domain Services (AD DS) role, i.e. when you promote a server to a domain controller.
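As an added example (not from the original post), the install step as a script that does the right thing on a server or a workstation and then verifies the module loads. The feature name RSAT-AD-PowerShell is the one the post gives; the Windows 10 capability name is an assumption based on the RSAT "Features on Demand" naming (Windows 10 1809 and later), and the ProductType codes are those documented for Win32_OperatingSystem. Run it in an elevated console.

```powershell
# Added example, not from the original post. Install the AD module if it is
# missing, then confirm it loads.
if (Get-Module -ListAvailable -Name ActiveDirectory) {
    'ActiveDirectory module is already installed.'
} else {
    # Win32_OperatingSystem.ProductType: 1 = workstation, 2 = domain controller, 3 = member server
    $productType = (Get-CimInstance -ClassName Win32_OperatingSystem).ProductType
    if ($productType -ne 1) {
        # Server: the RSAT feature named in the post (Server 2012 and later).
        Install-WindowsFeature -Name RSAT-AD-PowerShell
    } else {
        # Windows 10 1809+: RSAT is a Feature on Demand. Capability name assumed;
        # confirm it with: Get-WindowsCapability -Online -Name 'Rsat.ActiveDirectory*'
        Add-WindowsCapability -Online -Name 'Rsat.ActiveDirectory.DS-LDS.Tools~~~~0.0.1.0'
    }
}

Import-Module ActiveDirectory
# Sanity check: the module exposes well over a hundred cmdlets.
'{0} AD cmdlets available' -f (Get-Command -Module ActiveDirectory).Count
```

On Windows Server 2008 R2 the cmdlet is Add-WindowsFeature after Import-Module ServerManager, and older Windows client versions need the separate RSAT download from Microsoft rather than Add-WindowsCapability.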

Approach 1: Connecting from a client machine on the same domain

The first step is to find all of your domain controllers and allow remote connections to them.

Log on to one of your domain controllers and open an elevated PowerShell console:

You need to do this once on each domain controller so that you can connect to any of them remotely later.

You can read more about WinRM here.

Alternatively, the following command can be run in an elevated PowerShell console on the DC. It enables the WinRM service, creates a listener and configures the firewall so that the DC accepts incoming commands.

Once that is done you are ready to connect to your domain controller.

Make sure your system is configured to run PowerShell scripts (check with Get-ExecutionPolicy; RemoteSigned is enough for scripts you write locally).

Copy the content below, paste it into your PowerShell editor, and replace “yourdomaincontroller” with the actual name of your DC.

From now on every command you enter runs on the DC rather than on your workstation, until you exit the session.

To check that the connection works, try the command below to list all of your domain controllers.
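The whole same-domain procedure in one place, as an added example (not the post's own script): part 1 is what you run once on each DC, part 2 is what you run on the domain-joined client. "yourdomaincontroller" is the placeholder the post uses. The client-side part uses a session with Invoke-Command rather than the interactive Enter-PSSession the post describes, because that is what you would put in a script; the interactive variant is noted at the end.

```powershell
# Added example, not from the original post.

# ---- Part 1: on each domain controller, in an elevated console ----
# Starts WinRM, creates the HTTP listener (TCP 5985) and adds the firewall rule
# for the Domain and Private profiles.
Enable-PSRemoting -Force
# Confirm the listener answers locally before testing from a client.
Test-WSMan -ComputerName localhost

# ---- Part 2: on the domain-joined client ----
# Allow locally written scripts for this user only; no machine-wide change.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

$dc = 'yourdomaincontroller'   # placeholder from the post

# Same domain + hostname (never an IP) means Kerberos is used automatically:
# mutual authentication, and the DC never has to go into TrustedHosts.
Test-WSMan -ComputerName $dc

# One persistent session instead of re-authenticating on every call.
$session = New-PSSession -ComputerName $dc
Invoke-Command -Session $session -ScriptBlock {
    # Runs on the DC, so the DC's own AD module is used.
    Import-Module ActiveDirectory
    Get-ADDomainController -Filter * |
        Select-Object HostName, IPv4Address, Site, OperatingSystem
}
Remove-PSSession -Session $session

# Interactive equivalent (the post's approach): Enter-PSSession -ComputerName $dc
# ... then Exit-PSSession when finished.
```

One caveat about working inside the session: your Kerberos ticket is not delegated to the DC, so a cmdlet run there that has to talk to a third server (the "second hop") fails with an access-denied error. Run such commands from the client with -Server pointed at the DC instead.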

Approach 2: Connecting from a client machine on a different domain or a workstation

Windows Remoting works perfectly in same-domain situations, and the set-up is relatively straightforward. It is extremely powerful when it works, and offers a flexible way to execute commands remotely with proper (Kerberos) authentication.

Problems arise however when trying to use WinRM in mixed domain environments, or where only one machine is on a domain. This requires some additional configuration steps outlined below.

Log on to one of your domain controllers, open PowerShell and run the following:

The following registry key needs to be added to the target domain controllers:

Make sure the ports are open:

By default, WS-Man and PowerShell remoting use port 5985 and 5986 for connections over HTTP and HTTPS, respectively.

The module is interacting with AD through the Active Directory Web Service that must be installed on your domain controller (communication is performed over the TCP port 9389).

In some environments you may need to check that the server-authentication certificates are valid and not expired. Also, if the client cannot resolve the DC's FQDN, it is usually because the DNS zone does not exist in the source domain. Either add the zone (or a conditional forwarder for it) or add the DC's FQDN to the hosts file.

Trusted Hosts:

Adding the target DC's name or IP address to the client's TrustedHosts list avoids authentication errors when Kerberos cannot be used (no trust between the domains, or an IP address instead of a name).

Depending on your environment and what is allowed or not one of the following should work for your situation.

View the computers of TrustedHosts list

To view the list of TrustedHosts added to the machine, type the following command. By default, its value is blank.

Add all computers to the TrustedHosts list

Using the Set-Item cmdlet and the wildcard you can add all computers to the TrustedHosts list with the following command. Be aware of what this does: with NTLM or Basic authentication the TrustedHosts list is the only check the client makes on who it is sending credentials to, so the wildcard lets any host that can answer for a name collect them. Use it in a lab, not on an admin workstation.

Add all domain computers to the TrustedHosts list

In the following command, replace .yourdomain.com with your own domain name.

Add specific computers to the TrustedHosts list

You can add specific computers you choose based on their hostname by separating them with a comma (,) using the following command.

Where ComputerName can be in the Server01 or Server01.yourdomain.com format

Add a computer to an existing list of TrustedHosts

If you have already added some computers to the TrustedHosts list and want to add another without deleting the previous entries, use the following method. This is necessary because Set-Item replaces the whole TrustedHosts value each time it runs, overwriting the previous entries.

Use the following command to save the current TrustedHosts computer list to a curList variable.

To add a computer to the current list, type the following command by specifying both the variable you created and the computer name you are going to add.

Alternatively, to avoid using a variable, add the -Concatenate switch to the Set-Item command to add both new and previous entries. For example:

Add computers to the TrustedHosts list using the IP address

Similarly to the previous commands, you can use an IPv4 or IPv6 address. An IPv6 address has to be enclosed in square brackets [].

Add computers to the TrustedHosts list using multiple IP addresses (most common)

Another way to add trusted hosts is with the winrm command-line tool from an elevated Command Prompt:
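All of the TrustedHosts operations above in one script, as an added example (not from the original post). It also covers the "connect by IP address" case from the Common Errors list further down, since that error has the same fix. Run it in an elevated console on the client (the machine you connect from); the host names and addresses are placeholders.

```powershell
# Added example, not from the original post. Manage the WinRM client's
# TrustedHosts list. -Force suppresses the confirmation prompt.
$th = 'WSMan:\localhost\Client\TrustedHosts'

# View the current list (blank by default).
(Get-Item -Path $th).Value

# Add all computers (wildcard). Commented out on purpose: it disables the
# client's only check on who receives your credentials under NTLM/Basic.
# Set-Item -Path $th -Value '*' -Force

# Add all computers of one DNS domain (replace .yourdomain.com).
Set-Item -Path $th -Value '*.yourdomain.com' -Force

# Add specific computers, comma separated; short or FQDN form both work.
Set-Item -Path $th -Value 'Server01,Server02.yourdomain.com' -Force

# Set-Item overwrites the previous value. Two ways to append instead:
$curList = (Get-Item -Path $th).Value
Set-Item -Path $th -Value "$curList,Server03" -Force          # via a variable
Set-Item -Path $th -Value 'Server04' -Concatenate -Force      # via -Concatenate

# IPv4 and IPv6 addresses; IPv6 goes in square brackets.
Set-Item -Path $th -Value '10.0.2.33,[fe80::1]' -Concatenate -Force

# Several IP addresses at once (the post's "most common" case). This replaces
# everything added above.
Set-Item -Path $th -Value '10.0.2.33,10.0.2.34,10.0.2.35' -Force

# Equivalent with the winrm tool from an elevated cmd.exe prompt:
#   winrm set winrm/config/client @{TrustedHosts="10.0.2.33,10.0.2.34,10.0.2.35"}

# Show the result one entry per line and flag the wildcard if it is present.
$entries = (Get-Item -Path $th).Value -split ','
$entries
if ($entries -contains '*') {
    Write-Warning 'TrustedHosts contains "*": remove it before using this client for admin work.'
}

# To empty the list again:
# Clear-Item -Path $th -Force
```

TrustedHosts only matters for connections that cannot use Kerberos. If the DC has an HTTPS listener (port 5986), connecting with -UseSSL lets the server's certificate prove its identity and no TrustedHosts entry is needed at all, which is the better option whenever you can get a certificate onto the DC.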

Importing the AD Module:

Before using any cmdlets of the Active Directory module you need to import it into your PowerShell session (on PowerShell 3.0 and later, i.e. Windows Server 2012 / Windows 8 and newer, the module is loaded automatically the first time one of its cmdlets is used).

With this configuration, it’s now possible to authenticate and execute a command remotely with explicit credentials.

Let's check that it is working:

It WORKS! 🙂
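The cross-domain connection end to end, as an added example (not the post's own commands): it checks the three ports the post lists, prompts for a credential, opens a session with explicit credentials, runs the AD cmdlets on the DC, and finally shows the alternative of using the local AD module against the remote DC over port 9389. The DC name and account are placeholders. Test-NetConnection needs Windows 8.1 / Server 2012 R2 or later.

```powershell
# Added example, not from the original post. Connect to a DC in another domain
# (no trust) with explicit credentials and verify it works.
$dc = 'dc01.other.example'   # placeholder: FQDN of the target DC

# 5985/5986 = WinRM over HTTP/HTTPS; 9389 = AD Web Service used by the AD module.
foreach ($port in 5985, 5986, 9389) {
    $ok = (Test-NetConnection -ComputerName $dc -Port $port -WarningAction SilentlyContinue).TcpTestSucceeded
    '{0}:{1} {2}' -f $dc, $port, $(if ($ok) { 'open' } else { 'BLOCKED' })
}

# Prompt instead of embedding a password in the script.
$cred = Get-Credential -Message "Account in the DC's domain (DOMAIN\user)"

# Without a trust Kerberos is unavailable, so WinRM negotiates down to NTLM.
# Over HTTP that requires $dc to be in this client's TrustedHosts. With an
# HTTPS listener on the DC, set $useSsl = $true: the certificate then proves
# the server's identity and TrustedHosts is not consulted.
$useSsl = $false
$params = @{ ComputerName = $dc; Credential = $cred; Authentication = 'Negotiate' }
if ($useSsl) { $params.UseSSL = $true }
$session = New-PSSession @params

# Run the AD cmdlets on the DC itself; nothing has to be installed locally.
Invoke-Command -Session $session -ScriptBlock {
    Import-Module ActiveDirectory
    Get-ADDomain | Select-Object DNSRoot, DomainMode, PDCEmulator
    Get-ADDomainController -Filter * | Select-Object HostName, IPv4Address, Site
}
Remove-PSSession -Session $session

# Alternative: use the local AD module directly against the remote DC. This
# talks to ADWS on TCP 9389 and needs no WinRM at all.
Import-Module ActiveDirectory
Get-ADDomainController -Server $dc -Credential $cred -Filter * |
    Select-Object HostName, IPv4Address, Site
```

The port loop is deliberately first: a blocked 5985 shows up as a generic "cannot connect to host" from New-PSSession, while a blocked 9389 only bites later, when the local AD module is used with -Server, which is why the post lists all three.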

Common Errors & Solutions:

Error: WinRM service started.  Set-WSManQuickConfig : <f:WSManFault…. WinRM firewall exception will not work since one of the network connection types on this machine is set to Public…… Change the network connection type to either Domain or Private and try again.

Solution: 

Explanation:

The above error means that one of the machine's network connections is classified as Public. Enable-PSRemoting refuses to create its firewall exception for a Public network, so the connection type has to be changed to Domain or Private first (or the check skipped, see below). Several ways exist to change the connection type; for some reason that only Microsoft knows, you cannot do it in the Network and Sharing Center.
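The fix as an added example (not from the original post), using the NetConnection cmdlets available on Windows 8 / Server 2012 and later. It lists the profiles, switches every Public one to Private and re-runs Enable-PSRemoting; the commented alternative keeps the profile Public but still enables remoting.

```powershell
# Added example, not from the original post. Fix the "network connection type
# is set to Public" error from Enable-PSRemoting.

# See which adapter is the problem.
Get-NetConnectionProfile | Select-Object Name, InterfaceAlias, NetworkCategory

# Switch every Public profile to Private. Set-NetConnectionProfile accepts the
# profile objects from the pipeline.
Get-NetConnectionProfile |
    Where-Object { $_.NetworkCategory -eq 'Public' } |
    Set-NetConnectionProfile -NetworkCategory Private

# Now the firewall exception can be created.
Enable-PSRemoting -Force

# Alternative when the adapter must stay Public (a lab VM on a shared network):
# skip the check. The WinRM rule is then created for the Public profile but
# limited to the local subnet, which is the safer of the two if the machine
# really is on an untrusted network.
# Enable-PSRemoting -Force -SkipNetworkProfileCheck
```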

 

Error: Enter-PSSession : Connecting to remote server 10.0.2.33 failed with the following error message : The WinRM client cannot process the request….

Solution:

Explanation:

In an Active Directory environment you can simply use the computer name to connect to a remote machine. For a standalone machine you usually have to use the IP address instead. If you connect with the Enter-PSSession cmdlet using the IP address, PowerShell throws the above error: Kerberos needs a hostname to build the service principal name, so with an IP address WinRM has to fall back to NTLM, and for NTLM the client refuses to send credentials to a host that is not in its TrustedHosts list. Add the IP address to TrustedHosts (see above) and pass -Credential explicitly, or connect over HTTPS with -UseSSL, which needs no TrustedHosts entry.

Error: Cannot connect to host…

Solution:

Check with your network/firewall team whether ports 5985, 5986 and 9389 are open.

Explanation: 

Most of the time the ports are overlooked and are the root cause of the connection not working.

A Beginner’s Guide to Checksum

Are you wondering what a checksum is? You may have noticed that when you download files from certain websites, they have a very long string of numbers and letters called a checksum or MD5 checksum or SHA-1, etc. These really long strings basically act as fingerprints for that particular file, whether it be an EXE, ISO, ZIP, etc.

Checksums are used to ensure the integrity of a file after it has been transmitted from one storage device to another. This can be across the Internet or simply between two computers on the same network. Either way, if you want to ensure that the transmitted file is exactly the same as the source file, you can use a checksum.

The checksum is calculated using a hash function and is normally posted along with the download. To verify the integrity of the file, a user calculates the checksum using a checksum calculator program and then compares the two to make sure they match.

Checksums are used not only to ensure a corrupt-free transmission, but also to ensure that the file has not been tampered with. When a good checksum algorithm is used, even a tiny change to the file will result in a completely different checksum value.

The most common checksums are MD5 and SHA-1, but both are broken as collision-resistant hashes: MD5 collisions can be generated in seconds on a laptop, and a practical SHA-1 collision (SHAttered) was published in February 2017. This means an attacker can craft two different files that have the same computed hash. Because of this, SHA-2 (in practice SHA-256) is the family to use; no practical attack on it has been demonstrated.

About 99.9% of the time you really don't need to worry about checksums when downloading files off the Internet. However, if you are downloading something sensitive like anti-virus or privacy software such as Tor, verify the checksum, because attackers have distributed malware-infested builds of exactly this kind of software to gain full access to a system. Keep in mind what a checksum proves: if it is published on the same server as the download, an attacker who controls that server can replace both, so the checksum only protects you against corruption and against tampering on mirrors. A digital signature (for example a GPG signature checked against a key you obtained separately), or a checksum obtained over an independent channel, is what protects against a compromised download site.

Windows has a built-in checksum utility, and it is very easy to use:

It can also calculate MD2, MD4, MD5, SHA1, SHA256, SHA384 and SHA512.

Download Microsoft File Checksum Integrity Verifier

The MD5 & SHA Checksum Utility is my favorite utility for working with checksums because it has all the features I need in the free version.
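Verifying a download without any third-party tool, as an added example (not from the original post): PowerShell's own Get-FileHash cmdlet (PowerShell 4.0 and later) computes the hash, and a small function compares it with the value copied from the download page, ignoring case and stray whitespace. The sample file is constructed inline so the script runs offline; its expected values are the standard "abc" test vectors for MD5, SHA-1 and SHA-256.

```powershell
# Added example, not from the original post. Compare a file's hash with a
# published checksum.
function Test-FileChecksum {
    param(
        [Parameter(Mandatory)] [string] $Path,
        [Parameter(Mandatory)] [string] $Expected,   # as published: any case, spaces tolerated
        [ValidateSet('MD5', 'SHA1', 'SHA256', 'SHA384', 'SHA512')] [string] $Algorithm = 'SHA256'
    )
    if ($Algorithm -in 'MD5', 'SHA1') {
        Write-Warning "$Algorithm collisions are practical; a match only rules out accidental corruption."
    }
    $actual = (Get-FileHash -Path $Path -Algorithm $Algorithm).Hash   # upper-case hex
    $wanted = ($Expected -replace '\s', '').ToUpperInvariant()
    [pscustomobject]@{
        File      = Split-Path -Path $Path -Leaf
        Algorithm = $Algorithm
        Expected  = $wanted
        Actual    = $actual
        Match     = ($actual -eq $wanted)
    }
}

# Constructed sample: a file containing exactly the three bytes "abc".
$sample = Join-Path $env:TEMP 'checksum-demo.bin'
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('abc'))

# Standard test vectors for "abc"; all three should report Match = True.
Test-FileChecksum -Path $sample -Algorithm MD5    -Expected '900150983cd24fb0d6963f7d28e17f72'
Test-FileChecksum -Path $sample -Algorithm SHA1   -Expected 'a9993e364706816aba3e25717850c26c9cd0d89d'
Test-FileChecksum -Path $sample -Algorithm SHA256 -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad'

# Change one byte ("abc" -> "abd"): the SHA-256 value is unrelated and Match is False.
[System.IO.File]::WriteAllBytes($sample, [System.Text.Encoding]::ASCII.GetBytes('abd'))
(Test-FileChecksum -Path $sample -Expected 'ba7816bf8f01cfea414140de5dae2223b00361a396177a9cb410ff61f20015ad').Match

Remove-Item -Path $sample
```

From a plain cmd.exe prompt, certutil.exe -hashfile <file> SHA256 prints the same digest. Whichever tool you use, the comparison is the step that matters: reading two 64-character strings by eye is error-prone, so let the script do it.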

 

Outlook 2016: Remove Duplicate entries in Room Finder

In Outlook 2016 some users may notice duplicate entries in the Room List:

The room list behaviour we see in Outlook is by design. When we use a Room List for a meeting, it is stored in the Most Recently Used (MRU) entries in the registry. When we create a new meeting, this MRU entry is shown at the top of the Room Lists, and the same Room List appears again in the drop-down list that is fetched from Exchange Server / Exchange Online.

To prevent the duplicate entries in the Room List, create the registry values below with blank data; this disables the Most Recently Used Room List in Outlook.

Path: HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences

Value name: RoomFinderRecentRooms
Value name: RoomFinderRecentRoomList

If these values already exist, just empty their data.

After Outlook Restart:

Only a single instance of each room list is shown now! 🙂
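The registry change as a script, added here as an example (not from the original post). It creates the two values under the Preferences key named above, for the current user, or blanks their data if they already exist. It assumes the values are REG_SZ strings when it has to create them (the post only says "blank data"); existing values are emptied in place.

```powershell
# Added example, not from the original post. Blank the Room Finder MRU values.
$path   = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Outlook\Preferences'   # from the post
$values = 'RoomFinderRecentRooms', 'RoomFinderRecentRoomList'          # from the post

# The Preferences key is normally present once Outlook has run; create it if not.
if (-not (Test-Path -Path $path)) {
    New-Item -Path $path -Force | Out-Null
}

foreach ($name in $values) {
    $existing = Get-ItemProperty -Path $path -Name $name -ErrorAction SilentlyContinue
    if ($existing) {
        # Value exists: empty its data, keep the value.
        Set-ItemProperty -Path $path -Name $name -Value ''
    } else {
        # Value missing: create it as an empty string (type assumed, see lead-in).
        New-ItemProperty -Path $path -Name $name -Value '' -PropertyType String | Out-Null
    }
}

# Both names should now show with empty data.
Get-ItemProperty -Path $path -Name $values | Select-Object $values

if (Get-Process -Name OUTLOOK -ErrorAction SilentlyContinue) {
    'Outlook is running: restart it for the change to take effect.'
}
```

Because this lives under HKEY_CURRENT_USER it has to run as the affected user (a logon script, or Invoke-Command with that user's credentials), not as an administrator in their own session.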

Reset Windows Server 2012 R2 RDS 120 Day Grace Period

The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.

The official solution is to activate the RDS/TS CAL license server and point the Session Host at it with user or device CALs, which resolves the problem. If you only want to reset the timer and get another 120 days of grace, the procedure is as follows (a stopgap, not a replacement for licensing):

Delete the REG_BINARY value under:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

To delete the value you must first take ownership of the key and give the Administrators group full control; by default even administrators have no access to it.

After a restart of the server RDS will reset the grace period to 120 days.

No remote Desktop License Server available on RD Session Host server 2012 R2

A fully functional and activated 2012 R2 Remote Desktop Session Host server displayed the following message:

This was a simple single-server setup with the Connection Broker, Session Host and Licensing roles on one machine and 2012 R2 CALs installed.

Even though the licensing seems to be configured correctly, in server manager:

and PowerShell:

Licensing diagnostics:

everywhere you look, everything seems to be OK. But the license manager shows something odd:

No licenses are being used, even though this server has been in use since late 2012. The event logs also show something interesting; the following events appear:

EventID: 1130
Source: TerminalServices-RemoteConnectionManager

The Remote Desktop Session Host server does not have a Remote Desktop license server specified. To specify a license server for the Remote Desktop Session Host server, use the Remote Desktop Session Host Configuration tool.

and:

EventID: 1128
Source: TerminalServices-RemoteConnectionManager

The RD Licensing grace period has expired and the service has not registered with a license server with installed licenses. A RD Licensing server is required for continuous operation. A Remote Desktop Session Host server can operate without a license server for 120 days after initial start up.

The solution was to delete the REG_BINARY value under

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod

leaving only (Default).

Note: you must take ownership of the key and give the Administrators group full control before you can delete this value.

After a reboot the server should be working again, licenses are now being used:

Although everything seemed to be configured correctly with valid licenses, the server was apparently still counting down its 120-day grace period from the original installation, and when that ran out it stopped accepting connections despite the working license server.
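The procedure both of the RDS posts above describe, written out as an added example (not from either post). Run it in an elevated console on the RD Session Host and reboot afterwards. It first shows the licensing configuration the second post says to check, then takes ownership of the GracePeriod key, grants Administrators full control and deletes the REG_BINARY value(s), leaving (Default). The key path is the one from the posts. The P/Invoke helper is the usual AdjustTokenPrivileges call; it is needed because an elevated administrator token holds SeTakeOwnershipPrivilege but has it disabled, and the key's default ACL grants administrators nothing. The LicensingType codes are those documented for Win32_TerminalServiceSetting.

```powershell
# Added example, not from the original posts. Reset the RDS grace period.

# 1. Licensing state first. LicensingType: 2 = per device, 4 = per user, 5 = not configured.
$ts = Get-CimInstance -Namespace 'root/cimv2/TerminalServices' -ClassName Win32_TerminalServiceSetting
'LicensingType: {0}' -f $ts.LicensingType
'License servers: {0}' -f ((Invoke-CimMethod -InputObject $ts -MethodName GetSpecifiedLicenseServerList).SpecifiedLSList -join ', ')

# 2. Enable SeTakeOwnershipPrivilege in this process (standard Win32 API calls).
Add-Type -Namespace Win32 -Name TokenPriv -MemberDefinition @'
[StructLayout(LayoutKind.Sequential, Pack = 1)]
public struct TokPriv1Luid { public int Count; public long Luid; public int Attr; }
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool OpenProcessToken(IntPtr h, int acc, ref IntPtr phtok);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool LookupPrivilegeValue(string host, string name, ref long pluid);
[DllImport("advapi32.dll", SetLastError = true)]
static extern bool AdjustTokenPrivileges(IntPtr htok, bool disall, ref TokPriv1Luid newst, int len, IntPtr prev, IntPtr relen);
public static bool Enable(string privilege) {
    IntPtr htok = IntPtr.Zero;
    // 0x28 = TOKEN_ADJUST_PRIVILEGES | TOKEN_QUERY
    if (!OpenProcessToken(System.Diagnostics.Process.GetCurrentProcess().Handle, 0x28, ref htok)) return false;
    TokPriv1Luid tp; tp.Count = 1; tp.Luid = 0; tp.Attr = 2;   // 2 = SE_PRIVILEGE_ENABLED
    if (!LookupPrivilegeValue(null, privilege, ref tp.Luid)) return false;
    // AdjustTokenPrivileges returns true even when nothing was assigned (error 1300).
    return AdjustTokenPrivileges(htok, false, ref tp, 0, IntPtr.Zero, IntPtr.Zero)
        && Marshal.GetLastWin32Error() == 0;
}
'@
if (-not [Win32.TokenPriv]::Enable('SeTakeOwnershipPrivilege')) {
    throw 'Could not enable SeTakeOwnershipPrivilege; is this console elevated?'
}

$keyPath = 'SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod'   # from the posts
$admins  = [System.Security.Principal.NTAccount]'BUILTIN\Administrators'
$hklm    = [Microsoft.Win32.Registry]::LocalMachine

# 3. Take ownership. GetAccessControl('None') returns an empty descriptor, so no
#    read access to the key is required before the new owner is written.
$key = $hklm.OpenSubKey($keyPath, 'ReadWriteSubTree', 'TakeOwnership')
$acl = $key.GetAccessControl('None')
$acl.SetOwner($admins)
$key.SetAccessControl($acl)
$key.Close()

# 4. As owner (implicit READ_CONTROL and WRITE_DAC), grant Administrators full control.
$key = $hklm.OpenSubKey($keyPath, 'ReadWriteSubTree', 'ChangePermissions,ReadPermissions')
$acl = $key.GetAccessControl()
$rule = New-Object System.Security.AccessControl.RegistryAccessRule($admins, 'FullControl', 'ContainerInherit', 'None', 'Allow')
$acl.SetAccessRule($rule)
$key.SetAccessControl($acl)
$key.Close()

# 5. Delete every REG_BINARY value; (Default) is a string and stays.
$key = $hklm.OpenSubKey($keyPath, $true)
foreach ($name in $key.GetValueNames()) {
    if ($key.GetValueKind($name) -eq 'Binary') {
        "Deleting REG_BINARY value '$name'"
        $key.DeleteValue($name)
    }
}
$key.Close()
'Restart the server to start a new 120-day grace period.'
```

The ownership change is permanent and leaves Administrators with full control of the key afterwards; if you care about restoring the original ACL, note the owner and DACL from regedit before running step 3.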

Office365: List Your Business Can’t Live Without

When you have a lot of conference rooms, equipment or special rooms mailboxes it is hard to list or find available free rooms during a particular time slot. Luckily, Office365 and Outlook 2013/2016 have a special feature called ‘Room Lists’, which enable you to find and schedule  a room quickly based on availability and offer suggestions during room reservation.

In simple terms, a Room List works like a distribution group for conference rooms or other types of rooms.

Use PowerShell to log in to Office 365:

Create a room list:

Add rooms to a list:

Check what Room Lists you have:

Check what conference rooms are part of a particular room list:
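The five steps above as one script, added here as an example (not from the original post). It connects with the ExchangeOnlineManagement module (Connect-ExchangeOnline, modern authentication) rather than the 2017-era Basic-authentication remoting session, which Microsoft has since retired. The tenant, admin account, room addresses and list name are placeholders; the account needs a recipient-management role such as Exchange Administrator, not Global Administrator.

```powershell
# Added example, not from the original post. Create and populate a Room List
# in Exchange Online and then query it.

# One-time: Install-Module ExchangeOnlineManagement -Scope CurrentUser
Import-Module ExchangeOnlineManagement
Connect-ExchangeOnline -UserPrincipalName 'admin@contoso.onmicrosoft.com' -ShowBanner:$false

$listName = 'Building A Conference Rooms'                               # placeholder
$rooms    = 'ConfRoomA1@contoso.com', 'ConfRoomA2@contoso.com', 'ConfRoomA3@contoso.com'

# Create the room list (a distribution group flagged with -RoomList) if missing.
if (-not (Get-DistributionGroup -Identity $listName -ErrorAction SilentlyContinue)) {
    New-DistributionGroup -Name $listName -RoomList | Out-Null
    "Created room list '$listName'"
}

# Add rooms. A room list should contain only room mailboxes, so check the
# recipient type first, and skip rooms that are already members.
$members = Get-DistributionGroupMember -Identity $listName |
           ForEach-Object { $_.PrimarySmtpAddress.ToString() }
foreach ($room in $rooms) {
    if ($members -contains $room) { "$room is already a member"; continue }
    $mbx = Get-Mailbox -Identity $room -ErrorAction SilentlyContinue
    if ($mbx -and $mbx.RecipientTypeDetails -eq 'RoomMailbox') {
        Add-DistributionGroupMember -Identity $listName -Member $room
        "Added $room"
    } else {
        Write-Warning "$room is not a room mailbox; skipped."
    }
}

# Check which room lists exist ...
Get-DistributionGroup -RecipientTypeDetails RoomList | Select-Object Name, PrimarySmtpAddress

# ... and which conference rooms are part of this one.
Get-DistributionGroupMember -Identity $listName | Select-Object Name, PrimarySmtpAddress

Disconnect-ExchangeOnline -Confirm:$false
```

Room lists show up in Outlook's Room Finder only after the directory cache refreshes, so a list created this way can take some time to appear for users.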