Blog

  • DFS Namespace service could not initialize cross forest trust information

    After you install Active Directory on Windows Server 2008 R2, you may start seeing the following error message after the server boots:

    The DFS Namespace service could not initialize cross forest trust information on this domain controller, but it will periodically retry the operation. The return code is in the record data.

    This occurs because the DFS Namespace service attempts to access Active Directory before it has completely initialized.
    To resolve this issue, we simply have to force the DFS Namespace service to start after the Active Directory service has initialized. We can do this by setting the DFS Namespace service to depend on the Active Directory service as well as setting it to a Delayed Startup mode.

    To do this, start regedit and make the following changes:

    1. Navigate to the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Dfs
    2. Modify the DependOnService value and add NTDS to the list.
    3. Create a new DWORD value named DelayedAutostart and set its value to 1.
  • DNS broken after Windows Update KB3145126

    I noticed the DNS broke on my servers after Windows Update.

    The problem was KB3145126. Read more about it here.

    After a quick removal and reboot, DNS was operational again.

    To remove/uninstall KB3145126, open PowerShell and run the following:

    wusa.exe /uninstall /KB:3145126

    Hope this helps.

  • Check Proxy settings from Powershell

    To check the proxy settings, such as ProxyOverride or whether the proxy is enabled:

    Get-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
    

    To disable proxy from PowerShell:

    Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ProxyEnable -value 0

    To enable proxy from PowerShell:

    Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ProxyEnable -value 1

     

  • IE Enable/Disable Proxy Settings via Registry

    Whatever the reason may be to enable or disable proxy, here is a simple registry hack to turn it on or off.

    Open powershell in admin mode.

    Enable:

    Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ProxyEnable -value 1

    Disable:

    Set-ItemProperty -Path "Registry::HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings" ProxyEnable -value 0

    The above method requires an IE restart. Alternatively, if you don’t want to restart IE, make a similar change under:

    [HKEY_USERS\<your SID>\Software\Microsoft\Windows\CurrentVersion\Internet Settings]

    To find your SID read here.
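
    Because ProxyEnable, ProxyServer and ProxyOverride live in each user's hive, a per-user report is a quick way to spot a proxy that was switched on or redirected without your knowledge. The following is an added example, not code from the original posts; it assumes PowerShell 3.0 or later, covers only hives currently loaded under HKEY_USERS (run elevated to read other users' hives), and `$ExpectedProxy` is a hypothetical baseline value.

```powershell
# Added example (not from the original post). Reports the proxy-related values
# under Internet Settings for every user hive currently loaded in HKEY_USERS.
# $ExpectedProxy is a hypothetical baseline; replace it with your own value.
function Get-UserProxySetting {
    param(
        [string]$ExpectedProxy = 'proxy.example.internal:8080'  # placeholder
    )
    $subKey = 'Software\Microsoft\Windows\CurrentVersion\Internet Settings'

    # Keep account SIDs only; this skips .DEFAULT, service SIDs and *_Classes
    Get-ChildItem -Path 'Registry::HKEY_USERS' |
        Where-Object { $_.PSChildName -match '^S-1-5-21-[\d-]+$' } |
        ForEach-Object {
            $sid = $_.PSChildName
            $s = Get-ItemProperty -Path "Registry::HKEY_USERS\$sid\$subKey" -ErrorAction SilentlyContinue
            if (-not $s) { return }   # hive has no Internet Settings key

            # Resolve the SID to an account name; orphaned profiles will not resolve
            try {
                $account = (New-Object System.Security.Principal.SecurityIdentifier($sid)).Translate(
                    [System.Security.Principal.NTAccount]).Value
            } catch {
                $account = '<unresolved>'
            }

            $enabled = ($s.ProxyEnable -eq 1)
            [pscustomobject]@{
                Account       = $account
                SID           = $sid
                ProxyEnable   = $enabled
                ProxyServer   = $s.ProxyServer
                ProxyOverride = $s.ProxyOverride
                AutoConfigURL = $s.AutoConfigURL
                # Flag an enabled proxy that differs from the baseline, or any PAC URL
                Review        = ($enabled -and $s.ProxyServer -ne $ExpectedProxy) -or
                                [bool]$s.AutoConfigURL
            }
        }
}

Get-UserProxySetting | Format-Table -AutoSize
```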

  • Disable IPv6 on Windows Core Server 2008 R2 – 2012 R2

    GUI Version:

    1. Open Control Panel > Network & Internet > Network & Sharing Center > Change Adapter Settings > Choose the Adapter
    2. Right Click – Select Properties
    3. Networking Tab
    4. Deselect IPv6
    5. Close

    No GUI… No problem (Core):

    After doing the above procedure, you might also have to use the registry editor to completely disable the IPv6 tunnel.

    Here’s what to do to disable IPv6 on Core Windows Server:

    First check the interface that you want to disable.

    WMIC NICCONFIG WHERE IPENABLED=TRUE GET Description,SettingID,IPADDRESS /FORMAT:LIST

    To completely disable IPv6 on a Windows Server 2008/2012-based computer yourself, follow these steps:

      1. Open Registry Editor.
      2. Locate the following registry subkey:
        HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters
      3. In the details pane, click New, and then click DWORD (32-bit) Value.
      4. Type DisabledComponents, and then press ENTER.
      5. Double-click DisabledComponents, and then type 0xffffffff in Hexadecimal or 4294967295 in Decimal. Note: The 0xffffffff value or the 4294967295 value disables all IPv6 components except for the IPv6 loopback interface.
        http://support.microsoft.com/kb/929852

        Alternatively, this command sets DisabledComponents from the command line (note that it writes 255, i.e. 0xff, rather than 0xffffffff):

        reg add hklm\system\currentcontrolset\services\tcpip6\parameters /v DisabledComponents /t REG_DWORD /d 255 /f
      6. Reboot
      7. Re-run the WMIC command above to check whether the interface still shows IPv6 addresses.
  • Change the password age in bulk for Active Directory accounts

    Ran into an interesting situation where pretty much all domain accounts did not follow the default password policy and had the option of ‘password never expires’ checked. I needed to fix this immediately without impacting the users and expiring any accounts that may affect the business.

    I needed to adjust the password age for all domain accounts so that they follow the password aging policy. Typically a password age policy is up to 90 days. PowerShell to the rescue:

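    Import-Module ActiveDirectory

    # Enumerate every user under the search base
    $list = Get-ADUser -SearchBase "DC=yourdomain,DC=local" -Properties samaccountname -Filter *
    foreach ($entry in $list) {
        $sam = $entry.samaccountname

        # Re-read the account, including pwdLastSet, from a specific domain controller
        $todouser = Get-ADUser $sam -Properties pwdLastSet -Server yourdomaincontroller.local

        # pwdLastSet can only be written as 0 or -1: 0 clears the timestamp first...
        $todouser.pwdLastSet = 0
        Set-ADUser -Instance $todouser

        # ...and -1 then stamps it with the current time, restarting the password age
        $todouser.pwdLastSet = -1
        Set-ADUser -Instance $todouser
    }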

    So now all the accounts have a password age of 1 day. Time to uncheck that ‘password never expires’ box. For some service and system accounts I wanted to keep password never expires, so I needed to work with a filtered set.

    I grabbed the accounts I wanted and was able to save them in a .CSV file.

    change.csv contents:

    SamAccountName
    Aespinoza
    ahernandez
    aray

    Now to perform the task on each account:

    import-csv C:\ServerCleanup\change.csv | ForEach-Object {Set-ADUser -Identity $_.SamAccountName -PasswordNeverExpires:$FALSE}
    

    Hope this helps if you run into a similar situation.
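
    The pwdLastSet reset above overwrites the real password age, so it is worth recording the current state and previewing the flag change before touching anything. The following is an added example, not the author's script; it assumes PowerShell 3.0 or later with the ActiveDirectory module, reuses the post's placeholder search base, and the `keep.csv` and `before-change.csv` file names are hypothetical.

```powershell
Import-Module ActiveDirectory

# Placeholders: adjust the search base and file paths for your environment
$searchBase = 'DC=yourdomain,DC=local'
$keepCsv    = 'C:\ServerCleanup\keep.csv'           # hypothetical: accounts to leave alone
$reportCsv  = 'C:\ServerCleanup\before-change.csv'  # hypothetical: pre-change snapshot

# Accounts that must keep 'password never expires' (one SamAccountName column)
$keep = @()
if (Test-Path $keepCsv) {
    $keep = @(Import-Csv $keepCsv | ForEach-Object { $_.SamAccountName })
}

# Enabled accounts that currently bypass the password aging policy
$targets = Get-ADUser -SearchBase $searchBase `
        -Filter 'Enabled -eq $true -and PasswordNeverExpires -eq $true' `
        -Properties PasswordNeverExpires, PasswordLastSet, ServicePrincipalName |
    Where-Object { $keep -notcontains $_.SamAccountName }

# Snapshot the true password age before any reset hides it
$now = Get-Date
$targets | ForEach-Object {
    [pscustomobject]@{
        SamAccountName  = $_.SamAccountName
        PasswordLastSet = $_.PasswordLastSet
        PasswordAgeDays = if ($_.PasswordLastSet) {
                              [int]($now - $_.PasswordLastSet).TotalDays
                          } else { $null }   # never set, or change required at next logon
        # An SPN usually means a service account: review these by hand
        HasSPN          = ($_.ServicePrincipalName.Count -gt 0)
    }
} | Sort-Object PasswordAgeDays -Descending |
    Export-Csv -Path $reportCsv -NoTypeInformation

# Dry run: -WhatIf prints what would change without modifying any account.
# Accounts with an SPN are skipped here so they can be handled separately.
$targets |
    Where-Object { $_.ServicePrincipalName.Count -eq 0 } |
    Set-ADUser -PasswordNeverExpires $false -WhatIf
```

    Remove `-WhatIf` only after the snapshot has been reviewed; the accounts with the oldest passwords in the report are the ones to prioritise for a real password change.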

  • Disable Office group creation

    Every Exchange user has an OWA mailbox policy that governs what they can and can’t do with their mailbox. Updating this mailbox policy removes the ability for users to create Groups. Because OWA policies are per user, you can limit the ability to create Groups for some users and not others. At this time, the only way to update the mailbox policy is through Windows PowerShell.

    These commands disable group creation for OWA and Outlook only. If you want to disable the group creation in your organization, use Azure Active Directory settings. Check out Windows PowerShell for more details.

    To disable Group creation for all users

    1. Start Windows PowerShell.
    2. At the prompt, type:
      Set-OwaMailboxPolicy -Identity yourdomainname.com\OwaMailboxPolicy-Default -GroupCreationEnabled $false

    To disable a policy for a subset of users

    1. Start Windows PowerShell.
    2. Create a new mailbox policy by typing this command, replacing <policy name> with your policy. (If you already have an OWA mailbox policy, skip to the next step.)

      New-OwaMailboxPolicy -Name "<policy name>"

    3. Set the GroupCreationEnabled value to false, replacing <policy name> with the name of your policy.

      Set-OwaMailboxPolicy -Identity "<policy name>" -GroupCreationEnabled $false

    4. Set the policy on the mailboxes of the user who isn’t allowed to create Groups. Replace <user> with the name of the user.

      Set-CASMailbox -Identity <user> -OWAMailboxPolicy "<policy name>"

  • Saving emails in the ‘Sent Folder’ of shared mailboxes

    When composing a message from a shared mailbox, by default when the message is ‘sent’, it is copied to the Sent Items for the user composing the message and not the Sent Items folder on the shared mailbox. Well, conveniently there is a way to enable this option in Exchange 2016 and Office365.

    I don’t understand why this option is not turned on by default, because it accounts for a message sent from a shared mailbox, yet there is no historical record of the message being sent from the mailbox, apart from journaling (if it is enabled) or a third-party software/service.

    #To enable it for emails Sent As the shared mailbox, set the enable flag to true and run the cmdlet:
    Set-Mailbox <mailbox-name> -MessageCopyForSentAsEnabled $True
    #To enable it on all shared mailboxes, use this cmdlet:
    Get-Mailbox -ResultSize unlimited -Filter {(RecipientTypeDetails -eq 'SharedMailbox')} | Set-Mailbox -MessageCopyForSentAsEnabled $True
    #If the email was Sent On Behalf of the shared mailbox, use
    Set-Mailbox <mailbox-name> -MessageCopyForSendOnBehalfEnabled $True
    #To disable it for emails Sent As the shared mailbox, use this cmdlet:
    Set-Mailbox <mailbox-name> -MessageCopyForSentAsEnabled $False
    #To disable if the email was Sent On Behalf of the shared mailbox, use
    Set-Mailbox <mailbox-name> -MessageCopyForSendOnBehalfEnabled $False
  • ESXi 6.0 not detecting BROCADE HBA adapter

    Steps:

    1. Make sure HBA is connected on the PCI slot and visible under esx hardware list:
      esxcli hardware pci list
    2. Check if VMKernel can detect any storage via Fibre Channel
      esxcli storage san fc list

      (The output will be a blank line if the HBA driver is missing, even though the HBA appears in the PCI list from step 1.)

      esxcli storage core adapter rescan
    3. Search for and download the relevant ESXi driver for the HBA. The recommended driver (bfa) version for 82B in ESXi 5.1 is 3.0.0.0.
      You can download it from the following URL.
      https://my.vmware.com/web/vmware/details?downloadGroup=DT-ESXi50-BROCADE-bfa-3000&productId=229
    4. Download the driver and install it using following instructions:

    New Installation

    For new installs, you should perform the following steps:

    1. Copy the VIB to the ESX server.  Technically, you can place the file anywhere that is accessible to the ESX console shell, but for these instructions, we’ll assume the location is in ‘/tmp’. Here’s an example of using the Linux ‘scp’ utility to copy the file from a local system to an ESX server located at 10.10.10.10:
      scp VMware_bootbank_net-driver.1.1.0-1vmw.0.0.372183.vib <user>@10.10.10.10:/tmp
    2. Issue the following command (full path to the VIB must be specified):
      esxcli software vib install -v {VIBFILE}

    In the example above, this would be:

    esxcli software vib install -v /tmp/VMware_bootbank_net-driver.1.1.0-1vmw.0.0.372183.vib

    Note: Depending on the certificate used to sign the VIB, you may need to change the host acceptance level.  To do this, use the following command:

    esxcli software acceptance set --level=<level>

    Also, depending on the type of VIB being installed, you may have to put ESX into maintenance mode.  This can be done through the VI Client, or by adding the ‘--maintenance-mode’ option to the above esxcli command.

    Upgrade Installation

    The upgrade process is similar to a new install, except the command that should be issued is the following:

    esxcli software vib upgrade -v {VIBFILE}

    Reboot host.

    The HBA should now show the datastores.

  • Remove licensing from ESXi host

    WARNING: This is for education/informational testing/development purposes only, and should not be used on a production server.

    WARNING: This trick will only work with an ESX(i) stand alone server.  It will not work if the ESX(i) server is connected to a vCenter Server, as the vCenter Server knows better than to let you do this.  (You can always remove and re-add the ESX(i) server to vCenter.)

    To reset your ESX 4.x, ESXi 4.x and ESXi 5.x 60 day evaluation license:

    1. Login to the TSM through SSH or Shell
    2. Remove the following two files:
      1. /etc/vmware/vmware.lic
      2. /etc/vmware/license.cfg
    3. Reboot server

    If your ESX server is connected to a vCenter server, please remove the ESX server first.  Once the steps above are completed, you can add it back to the vCenter server.

    Command to remove the license and reboot the ESX host:

    rm -f /etc/vmware/vmware.lic /etc/vmware/license.cfg
    reboot

    After reboot, logging on the ESXi server, you should be greeted with this message.

    [Screenshot: 60-day evaluation message]

    For ESXi 5.1 and ESXi 5.5, you may need to continually remove the license files as the server reboots for this to work.  The following should do this quite nicely:

    rm -f /etc/vmware/vmware.lic /etc/vmware/license.cfg
    reboot ; while true ; do
        rm -f /etc/vmware/vmware.lic /etc/vmware/license.cfg
    done

    An alternative is restarting the services, which should work just as well as rebooting the server:

    # For ESXi 5.0
    rm -f /etc/vmware/vmware.lic /etc/vmware/license.cfg
    services.sh restart
    # For ESXi 5.1
    rm -r /etc/vmware/license.cfg
    cp /etc/vmware/.#license.cfg /etc/vmware/license.cfg
    /etc/init.d/vpxa restart

    For vCenter
    1) Create a DSN to your local SQL Express instance that holds your vCenter DB.
    2) Uninstall virtual center
    3) Re-install virtual center and point to your DSN making sure not to overwrite.

    With this method, I have been able to refresh my 4.1 and 5.0 hosts.  Have not confirmed if this works for 5.1.