Saturday, April 9, 2016

Azure AD Connect - one or more objects not syncing because of a linked mailbox

I was at a client site configuring Azure AD Connect sync to Office 365 and noticed that a few users were not synced. I checked the filtering options (OU filtering, object filtering, security permissions and so on) and they all seemed fine. There are no duplicate UPN or proxyAddresses values, and the IdFix tool doesn't reveal anything major. The Azure AD Connect documentation, https://azure.microsoft.com/en-gb/documentation/articles/active-directory-aadconnectsync-understanding-users-and-contacts/, explains why:


An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.

Looking in the Synchronization Service Manager ("C:\Program Files\Microsoft Azure AD Sync\UIShell\miisclient.exe"), go to Metaverse Search, find the user and double-click it. Under the "Connectors" tab you'll see there is only one connector, whereas a user that syncs correctly has two connectors.

Issue:
An account with a linked mailbox will never be used for userPrincipalName and sourceAnchor. It is assumed that an active account will be found later.

Workaround:

It is normally safe to convert a linked mailbox to a user mailbox. You must do it from the Exchange Management Shell.

To see the LinkedMasterAccount, run this command:

Get-User -Identity "user" | FL LinkedMasterAccount

To convert to a user mailbox, run the following command:

Set-User -Identity "user" -LinkedMasterAccount $null

Once converted to a user mailbox, you can either wait for the next sync or force a sync from the Synchronization Service Manager by following this link: https://blogs.technet.microsoft.com/rmilne/2014/10/01/how-to-run-manual-dirsync-azure-active-directory-sync-updates/
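The two commands above handle one user at a time. As an added example (not from the original post), the following PowerShell, run from the Exchange Management Shell, first reports every linked mailbox in scope together with its LinkedMasterAccount, and only then clears the link, with -WhatIf/-Confirm so nothing changes until you have reviewed the report. The OU path 'contoso.local/Users' is a constructed placeholder; the cmdlets and the LinkedMasterAccount parameter are the ones the post uses.

```powershell
# Added example, not from the original post. Run from the Exchange Management Shell.
# Step 1: report linked mailboxes (the objects Azure AD Connect will skip).
function Get-LinkedMailboxReport {
    [CmdletBinding()]
    param([string]$OrganizationalUnit)   # optional: narrow to the OU you sync

    $params = @{ RecipientTypeDetails = 'LinkedMailbox'; ResultSize = 'Unlimited' }
    if ($OrganizationalUnit) { $params.OrganizationalUnit = $OrganizationalUnit }

    Get-Mailbox @params | ForEach-Object {
        $user = Get-User -Identity $_.Identity
        [pscustomobject]@{
            Identity            = [string]$_.Identity
            UserPrincipalName   = $_.UserPrincipalName
            LinkedMasterAccount = $user.LinkedMasterAccount   # the value the post tells you to check
        }
    }
}

# Step 2: convert a reviewed mailbox to a user mailbox by clearing the link.
function Convert-LinkedMailboxToUserMailbox {
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param([Parameter(Mandatory, ValueFromPipelineByPropertyName)][string]$Identity)
    process {
        if ($PSCmdlet.ShouldProcess($Identity, 'Clear LinkedMasterAccount (convert to user mailbox)')) {
            Set-User -Identity $Identity -LinkedMasterAccount $null
        }
    }
}

# Review first (the OU below is a placeholder for the OU you sync to Azure AD):
Get-LinkedMailboxReport -OrganizationalUnit 'contoso.local/Users' | Format-Table -AutoSize

# Then convert; -WhatIf only shows what would change. Remove it to apply, and
# answer the confirmation prompt for each mailbox.
Get-LinkedMailboxReport -OrganizationalUnit 'contoso.local/Users' | Convert-LinkedMailboxToUserMailbox -WhatIf
```

After converting, re-run Get-LinkedMailboxReport: it should return nothing for that OU, and the user should show two connectors in the Synchronization Service Manager after the next sync.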

Saturday, March 12, 2016

Retrieve the BIOS-embedded Windows product key

New PCs shipped with an OEM version of Windows no longer come with a Certificate of Authenticity sticker attached; instead, the PC manufacturer embeds the Windows key into the BIOS or EFI firmware.

Please read the following link carefully to understand your downgrade rights: https://www.microsoft.com/OEM/en/licensing/sblicensing/Pages/downgrade_rights.aspx#fbid=OtIyotJ5rw5

So, I just ordered a new PC that comes with Windows 10, but because of an application compatibility issue (the software only supports Windows 8.1), I have to format the PC and downgrade it to Windows 8.1.

I need a product key, but it is embedded in the BIOS. I downloaded this tool to get the key: https://neosmart.net/OemKey/ . This product key can be used to reinstall Windows 10 or downgrade to 8.1 with a clean Windows setup CD.
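Windows itself can read the firmware-embedded key, so a download is not strictly needed. As an added example (not from the original post and not the NeoSmart tool it links to), this PowerShell function reads the OEM key through the built-in SoftwareLicensingService WMI class and handles the case where no key is present (retail install, older OEM machine, or a virtual machine).

```powershell
# Added example, not from the original post. Reads the OEM (OA3) product key
# that the manufacturer embedded in the firmware, via the Software Licensing
# WMI class that Windows 8 and later expose. Run in an elevated PowerShell.
function Get-FirmwareProductKey {
    [CmdletBinding()]
    param()

    $svc = Get-CimInstance -ClassName SoftwareLicensingService -ErrorAction Stop
    $key = $svc.OA3xOriginalProductKey

    if ([string]::IsNullOrWhiteSpace($key)) {
        # No MSDM table / OA3 key: retail media, pre-Windows 8 OEM machine, or a VM.
        Write-Warning 'No OEM product key is embedded in this firmware.'
        return $null
    }

    [pscustomobject]@{
        ProductKey  = $key
        Description = $svc.OA3xOriginalProductKeyDescription   # edition / channel the key belongs to
        Computer    = $env:COMPUTERNAME
    }
}

Get-FirmwareProductKey
```

Record the key somewhere safe before wiping the machine; once the disk is formatted this command is the only way to recover it short of a third-party tool.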

Wednesday, March 9, 2016

AWS Simple AD - change subnet

I was working on an AWS project setting up a WorkSpace (a desktop in the cloud), and one of the prerequisites is an Active Directory. I am using the AWS Sydney region. I set up my directory (Simple AD) and realized that AWS WorkSpaces does not support Availability Zones b and c in the Sydney region; only Availability Zone a is supported. I got the error message below when I tried to register a WorkSpace using my Simple AD directory in Availability Zone b or c:

Unsupported Subnet

The selected directory was created in a subnet that is not supported by the WorkSpaces service, and cannot be registered. Please try with a different directory or contact the AWS Support Team on the community forums and via AWS Premium Support.


Workaround:

I logged a support call with AWS Support, but the answer I got back is that it is not possible to change the directory's subnet. The workaround is to create a new AD Connector. Make sure the AD Connector is on the correct subnet (Availability Zone a).

Make sure that:

- the connected directory DNS name is the same as the Simple AD domain name

- the NetBIOS name is the same as the Simple AD NetBIOS name

- the username and password are those of a user with Domain Admins rights in Simple AD

- the DNS addresses match; you can get the DNS addresses by going into WorkSpaces - Directories and expanding the directory

Once the AD Connector is configured, you can register the WorkSpace with the new AD Connector and start it.

There is an additional monthly charge for the AD Connector, but since my WorkSpaces also require MFA, which is only supported with AD Connector, this is fine for me.

Thursday, December 3, 2015

Linux Services - From Oracle Linux 6 to Oracle Linux 7

Oracle Linux 7 is based on Fedora 19, whereas the previous Oracle Linux 6 and 5 are based on Red Hat Enterprise Linux. The switch from sysvinit to systemd is now part of the Enterprise Linux distributions. Below are some simple commands to start and stop services.

Starting and stopping a service

#systemctl stop httpd

#systemctl start httpd

#systemctl restart httpd

#systemctl status httpd

Autostart a service at boot; chkconfig is replaced with:

# systemctl start dbora.service

# systemctl enable dbora.service

List services currently running

systemctl list-units --type service

I'll update this post when I discover new commands.

Thursday, November 19, 2015

Reset Windows Server Admin Password

Unfortunately, today you've forgotten the Windows Server password, but the good news is that Microsoft makes it easy to reset the admin password. All you need is the Windows Server installation CD.

I tried it on my test VM, which is a domain controller, and it works there too! As this is a test VM, it is the only domain controller.

1. Boot off the Windows disk and select the "Repair your computer" option from the lower left-hand corner.

2. Follow through until you get to the option to open the Command Prompt.

3. Back up and move the Utilman.exe file with the command below.

Note: on some systems the Windows volume is D: rather than C: in the recovery environment; check which drive letter holds the Windows folder.

# MOVE C:\Windows\System32\Utilman.exe C:\Windows\System32\Utilman.exe.bak

4. Now copy cmd.exe and name the copy Utilman.exe:

# COPY C:\Windows\System32\cmd.exe C:\Windows\System32\Utilman.exe

5. Reboot the machine. When it has finished booting and you are at the logon screen, click the Ease of Access icon.

6. At the command prompt, type the following to change the password:

# net user administrator *

7. Once you press Enter you will be asked to set a new password and then confirm it. Don't worry if you can't see the characters as you type; they are invisible but are being saved.

8. Once you're logged in again, go to C:\Windows\System32\, delete the Utilman.exe you created, and rename Utilman.exe.bak back to plain old Utilman.exe.
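The same swap that rescues a locked-out admin is also something to look for on servers you did not do it on, and step 8 is easy to forget. As an added example (not from the original post), this PowerShell check detects a Utilman.exe that is byte-identical to cmd.exe, one whose version resource reports a different original filename, or one that is not validly signed, and flags a leftover Utilman.exe.bak. It assumes the default System32 location and the file names used in the steps above.

```powershell
# Added example, not from the original post: a defender-side integrity check
# for the accessibility-binary swap described above. Run elevated.
function Test-UtilmanIntegrity {
    [CmdletBinding()]
    param([string]$System32 = "$env:SystemRoot\System32")

    $utilman = Join-Path $System32 'Utilman.exe'
    $cmd     = Join-Path $System32 'cmd.exe'
    $backup  = Join-Path $System32 'Utilman.exe.bak'   # left behind until step 8 is done

    $findings = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path $utilman)) {
        $findings.Add('Utilman.exe is missing from System32')
    } else {
        # A genuine Utilman.exe can never hash the same as cmd.exe.
        $utilHash = (Get-FileHash -Path $utilman -Algorithm SHA256).Hash
        $cmdHash  = (Get-FileHash -Path $cmd     -Algorithm SHA256).Hash
        if ($utilHash -eq $cmdHash) {
            $findings.Add('Utilman.exe is byte-identical to cmd.exe (swapped binary)')
        }

        # The version resource survives a rename/copy: cmd.exe reports "Cmd.Exe".
        $orig = (Get-Item $utilman).VersionInfo.OriginalFilename
        if ($orig -and $orig -notlike 'utilman*') {
            $findings.Add("Utilman.exe reports OriginalFilename '$orig'")
        }

        # Catches replacement by something that is not a Microsoft-signed file at all.
        $sig = Get-AuthenticodeSignature -FilePath $utilman
        if ($sig.Status -ne 'Valid') {
            $findings.Add("Utilman.exe signature status is $($sig.Status)")
        }
    }

    if (Test-Path $backup) {
        $findings.Add('Utilman.exe.bak is present; the original has not been restored')
    }

    [pscustomobject]@{
        Computer = $env:COMPUTERNAME
        Tampered = ($findings.Count -gt 0)
        Findings = $findings
    }
}

Test-UtilmanIntegrity
```

Tampered is $true on a machine that is between steps 4 and 8 of the procedure, and $false again once Utilman.exe.bak has been renamed back. Scheduling this across a fleet gives you a cheap way to spot the swap when you were not the one who did it.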

Tuesday, September 8, 2015

Chrome version 45 and weak Diffie-Hellman public key

You upgraded Chrome.

It's important to understand the changes being made to the browser before installing updates.

Chrome 45 blocks HTTPS connections that negotiate a Diffie-Hellman cipher suite when the DH key size is smaller than 1024 bits.
Solutions:

1. Upgrade your web server to use a 2048-bit Diffie-Hellman group.

2. Temporary workaround for Chrome:

   - open a command prompt
   - navigate to the directory where chrome.exe lives and then paste:

chrome.exe --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

or

"C:\Program Files (x86)\Google\Chrome\Application\chrome.exe" --cipher-suite-blacklist=0x0088,0x0087,0x0039,0x0038,0x0044,0x0045,0x0066,0x0032,0x0033,0x0016,0x0013

This flag disables the listed DHE cipher suites in Chrome so that a non-DHE suite is negotiated instead; it does not fix the server, which is why it is only a temporary workaround.
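Solution 1 is the real fix. As an added example (not from the original post, which does not say what web server was involved), the following PowerShell applies it on a Windows/IIS server, where Schannel controls the DHE key length through the ServerMinKeyBitLength registry value under the Diffie-Hellman key-exchange key. The script reports the current setting and raises it to 2048 bits, with -WhatIf so you can see the change before applying it; Schannel reads the value after a reboot.

```powershell
# Added example, not from the original post. Assumes a Windows server using
# Schannel (IIS). Audits and raises the minimum Diffie-Hellman key length the
# server will use so it never offers a group shorter than 2048 bits.
$DhPolicyKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\KeyExchangeAlgorithms\Diffie-Hellman'

function Get-SchannelDhMinKeyLength {
    [CmdletBinding()]
    param()
    $item = Get-ItemProperty -Path $DhPolicyKey -Name ServerMinKeyBitLength -ErrorAction SilentlyContinue
    if ($null -eq $item) { return $null }   # not configured: Schannel's built-in default applies
    return [int]$item.ServerMinKeyBitLength
}

function Set-SchannelDhMinKeyLength {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param([ValidateRange(1024, 4096)][int]$Bits = 2048)

    if (-not (Test-Path $DhPolicyKey)) {
        New-Item -Path $DhPolicyKey -Force | Out-Null
    }
    if ($PSCmdlet.ShouldProcess($DhPolicyKey, "Set ServerMinKeyBitLength = $Bits")) {
        New-ItemProperty -Path $DhPolicyKey -Name ServerMinKeyBitLength `
            -PropertyType DWord -Value $Bits -Force | Out-Null
    }
}

$current = Get-SchannelDhMinKeyLength
$shown   = if ($null -eq $current) { 'not set' } else { "$current bits" }
Write-Host "ServerMinKeyBitLength is currently $shown"

if ($null -eq $current -or $current -lt 2048) {
    # Drop -WhatIf to apply; reboot afterwards so Schannel picks up the new value.
    Set-SchannelDhMinKeyLength -Bits 2048 -WhatIf
}
```

After the reboot, a TLS scan of the site should show DHE suites with a 2048-bit group, and Chrome 45 connects without the blacklist flag.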


More info on weak Diffie-Hellman and the Logjam attack:


Sunday, July 12, 2015

Removing Corrupted Shadow Copies

Sometimes corrupted shadow copies cannot be deleted with the "vssadmin delete shadows /all" command. Instead, you receive the error:

"Error: Snapshots were found, but they were outside of your allowed context. Try removing them with the backup application which created them."

Corrupted VSS stores live in C:\System Volume Information and may take up a large amount of disk space.

Solutions:

Launch an elevated command prompt on the agent machine(s) involved and type the following:

# diskshadow

# list shadows all

# delete shadows set {ID of the shadow set to delete, if selective deletion is to be performed}

OR

# delete shadows all {if all shadows are to be deleted}

This will delete the corrupted shadow copies.
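Before running "delete shadows all" it helps to know what is there and how much space it is holding. As an added example (not from the original post), this PowerShell inventories every shadow copy with its set ID and age, and the shadow storage backing each volume, using the Win32_ShadowCopy and Win32_ShadowStorage WMI classes; the set IDs it prints are the ones you would pass to "delete shadows set".

```powershell
# Added example, not from the original post. Lists shadow copies and the
# shadow storage behind them so you can see what diskshadow is about to remove
# and how much of System Volume Information it occupies. Run elevated.
function Get-ShadowCopyInventory {
    [CmdletBinding()]
    param()

    $now = Get-Date

    $copies = Get-CimInstance -ClassName Win32_ShadowCopy | ForEach-Object {
        [pscustomobject]@{
            Id       = $_.ID
            SetId    = $_.SetID            # value to use with: delete shadows set {SetId}
            Volume   = $_.VolumeName
            Created  = $_.InstallDate
            AgeDays  = [math]::Round(($now - $_.InstallDate).TotalDays, 1)
            Provider = $_.ProviderID
        }
    }

    $storage = Get-CimInstance -ClassName Win32_ShadowStorage | ForEach-Object {
        [pscustomobject]@{
            Volume      = $_.Volume.DeviceID
            DiffVolume  = $_.DiffVolume.DeviceID   # where the diff area (System Volume Information) lives
            UsedGB      = [math]::Round($_.UsedSpace      / 1GB, 2)
            AllocatedGB = [math]::Round($_.AllocatedSpace / 1GB, 2)
            MaxGB       = [math]::Round($_.MaxSpace       / 1GB, 2)
        }
    }

    [pscustomobject]@{
        ShadowCopies = @($copies)
        Storage      = @($storage)
    }
}

$inv = Get-ShadowCopyInventory
"Shadow copies ($($inv.ShadowCopies.Count)):"
$inv.ShadowCopies | Sort-Object Created | Format-Table -AutoSize
'Shadow storage:'
$inv.Storage | Format-Table -AutoSize
```

Copies that show up here but refuse to go away with vssadmin are the ones the diskshadow commands above are for; re-run the inventory afterwards to confirm UsedGB has dropped.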