If you’ve arrived here, you are trying to run a script, and you can’t:
[box]PS C:\Users\{User-name}> .\{script-name}.ps1
.\{script-name} : File C:\Users\{User-name}\{script-name} cannot be loaded because running scripts is disabled on this system. For more information, see about_Execution_Policies at
http://go.microsoft.com/fwlink/?LinkID=135170.
At line:1 char:1
+ .\{script-name}
+ ~~~~~~~~~~~~~~~~~~
+ CategoryInfo : SecurityError: (:) [], PSSecurityException
+ FullyQualifiedErrorId : UnauthorizedAccess
PS C:\Users\{User-name}>[/box]
Solution
Execute the following command:
[box]Set-ExecutionPolicy -Scope Process -ExecutionPolicy Bypass[/box]
Then run your script.
THIS WILL ONLY WORK while that PowerShell window is open, so don’t close it if you are running a lot of scripts.
I Want to Always be Able to Run Scripts?
OK, you can either change the ‘Scope’ of that last command from ‘Process’ to ‘CurrentUser’ or ‘LocalMachine’:
Process: The execution policy affects only the current Windows PowerShell process.
CurrentUser: The execution policy affects only the current user.
LocalMachine: The execution policy affects all users of the computer.
Or you can simply change the policy ‘Globally’:
[box]Set-ExecutionPolicy {Value}[/box]
Possible values are:
Restricted: Does not load configuration files or run scripts. Restricted is the default execution policy.
AllSigned: Requires that all scripts and configuration files be signed by a trusted publisher, including scripts that you write on the local computer.
RemoteSigned: Requires that all scripts and configuration files downloaded from the Internet be signed by a trusted publisher.
Unrestricted: Loads all configuration files and runs all scripts. If you run an unsigned script that was downloaded from the Internet, you are prompted for permission before it runs.
Bypass: Nothing is blocked and there are no warnings or prompts.
Undefined: Removes the currently assigned execution policy from the current scope. This parameter will not remove an execution policy that is set in a Group Policy scope.
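As an added example (not from the original post), the following does the same thing as the fix above but stops short of Bypass: it loosens the policy for this process only, and clears the ‘downloaded from the Internet’ mark on one specific script instead of turning checks off for everything. The script path is a placeholder.

```powershell
# Added example (not from the original post): show the effective execution policy,
# then allow one downloaded script to run without setting Bypass anywhere persistent.
function Enable-ScriptForThisSession {
    param(
        [Parameter(Mandatory)][string]$ScriptPath   # path to the .ps1 you want to run
    )

    # Every scope, most specific first; the first one that is not Undefined wins.
    Get-ExecutionPolicy -List | Format-Table -AutoSize

    # Loosen only the current process: nothing is written to the registry,
    # so the change disappears when this PowerShell window closes.
    Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope Process -Force

    # A script saved by a browser carries a Zone.Identifier stream that marks it
    # as 'from the Internet'; RemoteSigned blocks such a file unless it is signed.
    $zone = Get-Item -Path $ScriptPath -Stream Zone.Identifier -ErrorAction SilentlyContinue
    if ($zone) {
        $sig = Get-AuthenticodeSignature -FilePath $ScriptPath
        if ($sig.Status -ne 'Valid') {
            # Unsigned download: remove the mark only after you have read the script.
            Unblock-File -Path $ScriptPath
        }
    }

    "Effective policy is now: $(Get-ExecutionPolicy)"
}

Enable-ScriptForThisSession -ScriptPath '.\my-script.ps1'   # 'my-script.ps1' is a placeholder
```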
Related Articles, References, Credits, or External Links
The day after I had deployed some RDP Web Access servers, I got the call that all the Linux clients (Intel NUC thin clients) could not connect to the RDP farm, while all the Windows machines were fine.
Error
[box][08:19:16:178] [21254:21255] [ERROR][com.freerdp.core.transport] - BIO_read returned a system error 14094438:SSL routines:ssl3_read_bytes:tlsv1 alert internal error
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.core] - freerdp_set_last_error ERRCONNECT_CONNECT_TRANSPORT_FAILED [0x2000D]
[08:19:16:178] [21254:21255] [ERROR][com.freerdp.client.x11] - Freerdp connect error exit status 1[/box]
Solution
I was confused, because I’d not done any work on the Connection Broker (all the thin clients are ‘in-house’). While support started building a new broker, I researched the error online.
The reason this had started was a Windows update, KB4088776. After removing this update from the ‘Session Hosts’ and the ‘Connection Broker’, the Linux (FreeRDP) clients could reconnect.
I was doing some RDS work for a client today, and it would seem that at some time in the past their RDS Licensing server had died; it had been replaced, and everything was working OK. But when I was adding roles to the new servers, this kept popping up:
The following server in this deployment are not part of the server pool
1. Server-Name
The servers must be added to the server pool.
I could have ignored the error and finished the job, but things like this remaining ‘unfinished’ really wind me up. So I thought I’d sort it out.
Solution
At first I thought I could just dive into either ADSIEdit or ‘AD Sites And Services’, make a quick change and everything would be fixed. That revealed that the site licence server was set to a server that also didn’t exist! (So I fixed that, but the problem remained.)
So if all else fails, use PowerShell, right?
[box]Remove-RDServer {Server-FQDN} {ROLE}[/box]
Error: Object Reference not set to an instance of an object
After some research I discovered that the RDS servers are stored in a database (the Windows Internal Database) on the connection broker(s). So you need to download the ‘SQL Management Studio’ software onto your connection broker(s), then ‘Run As’ administrator.
Connect to "\\.\pipe\MICROSOFT##WID\tsql\query".
Under Databases you will find a database called RDCms > Expand that, and drill down to the tables. Locate rds.server. Press the ‘Query’ button > Right click the rds.server table > List top 1000 rows.
Locate your ‘dead’ server; here you can see mine has an ‘Id’ of 3. Look in the following tables and make sure there are no references to Id 3. (I didn’t have any; my only reference was in the rds.server table.)
rds.RoleRdcb (Connection Broker)
rds.RoleRdls (License Server)
rds.RoleRdsh (Session Host)
rds.RoleRdvh (Virtualisation Host)
rds.RoleRdwa (Web Access Host)
In the bottom of the Query section enter the following (as applicable, i.e. your column might be ServerId, and your server might be number 123):
[box]use RDCms
delete from rds.server where Id=3[/box]
Press ‘Execute’, close SQL Management Studio, and repeat on any remaining ‘Session Brokers’. Have a coffee, then try again; the problem should be resolved.
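As an added example (not from the original post), this PowerShell does the ‘look in the role tables first’ check above against the same WID named pipe, without needing Management Studio. It assumes rds.Server has a Name column and that the role tables reference it through a ServerId column (the post notes your column name may differ); the server name is a placeholder.

```powershell
# Added example (not from the original post). Connects to the Windows Internal
# Database on the connection broker over its named pipe and counts every row that
# still refers to the dead server, so nothing is deleted while a role table points at it.
function Find-RdsServerReferences {
    param([Parameter(Mandatory)][string]$ServerName)

    $cs = 'Server=\\.\pipe\MICROSOFT##WID\tsql\query;Database=RDCms;Integrated Security=True;'
    $conn = New-Object System.Data.SqlClient.SqlConnection $cs
    $conn.Open()
    try {
        # Parameterised query: the server name never becomes part of the SQL text.
        $cmd = $conn.CreateCommand()
        $cmd.CommandText = 'SELECT Id FROM rds.Server WHERE Name = @name'   # 'Name' column assumed
        [void]$cmd.Parameters.AddWithValue('@name', $ServerName)
        $id = $cmd.ExecuteScalar()
        if ($null -eq $id) { throw "No row in rds.Server for '$ServerName'" }

        # Role tables from the post; the Id must be gone from all of them before rds.Server is touched.
        foreach ($table in 'rds.RoleRdcb','rds.RoleRdls','rds.RoleRdsh','rds.RoleRdvh','rds.RoleRdwa') {
            $cmd.CommandText = "SELECT COUNT(*) FROM $table WHERE ServerId = @id"   # 'ServerId' assumed
            $cmd.Parameters.Clear()
            [void]$cmd.Parameters.AddWithValue('@id', $id)
            [pscustomobject]@{ Table = $table; ServerId = $id; References = $cmd.ExecuteScalar() }
        }
    }
    finally { $conn.Close() }
}

Find-RdsServerReferences -ServerName 'deadserver.corp.example'   # placeholder FQDN
```

Only when every row shows References = 0 is the `delete from rds.server` above safe to run.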
Background: I had just introduced Exchange 2016 into an Exchange 2013 environment. Mailboxes on Exchange 2016 can send external mail and internal (to Exchange 2013) mail. No mail flows from Exchange 2013 to Exchange 2016. External mail to Exchange 2016 (which flows through the 2013 server) also fails.
Event ID 5006
Cannot find information about owning Mailbox Server {server-path} for database {database-path} in routing tables with timestamp {time-stamp}. Recipients will not be routed to this database.
Event ID 5015
Microsoft Exchange cannot find a route to the source transport server or home MTA server {server-path} for connector {connector-path} in routing tables with timestamp {time-stamp}. Microsoft Exchange is ignoring the source transport server.
Solution
Oh, I struggled with this for hours! I removed and recreated the receive connectors on the Exchange 2016 server. I went through ADSIEdit and checked that all the databases, servers and connectors had inheritable permissions, and that the Exchange Server group had the right permissions. I restarted the transport services, and rebooted the Exchange 2016 server.
I was about 7 pages deep in Google, translating Spanish and Russian tech posts, and starting to think I might have to ring Microsoft, when I stumbled on a TechNet post that had the same Event IDs I posted above.
ANNOYINGLY: the fix is to reboot the Exchange 2013 server! (So I had to plan in some downtime.) I was a bit sceptical this would work, but it did; it took a few minutes, and I watched the ‘Undeliverable Queue’ change and the mail get delivered.
Thank you EngineerBoy wherever you are!
You see this a lot with 3rd party (purchased) certificates, especially if you have imported them from something else, e.g. a web site, appliance, NetScaler, etc.
The correct certificate is there; it just has no name.
Solution
Open an MMC console (Start > Run > mmc {enter}) File > Add Remove Snap-in > Certificates > Select ‘Local Computer’ > Open Personal > Certificates > Locate your cert > Properties.
Enter a ‘Friendly Name’ > Apply > OK > Close the MMC.
Back in Exchange Admin Center, simply click refresh.
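The same fix from PowerShell, as an added example that is not part of the original post. It also checks the two things an imported third-party certificate most often lacks when it came from a web server or appliance: the private key and a valid expiry. The thumbprint and friendly name are placeholders.

```powershell
# Added example (not from the original post): give a nameless certificate in the
# computer's Personal store a friendly name, and sanity-check it on the way.
function Set-CertFriendlyName {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,     # copy from the certificate's Details tab
        [Parameter(Mandatory)][string]$FriendlyName
    )
    $wanted = $Thumbprint.Replace(' ', '').ToUpper()
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate with thumbprint $wanted in LocalMachine\My" }

    # Exchange can only bind a certificate it holds the private key for; an import
    # from a web server or appliance sometimes brings the public half alone.
    if (-not $cert.HasPrivateKey) { Write-Warning "$($cert.Subject) has no private key" }
    if ($cert.NotAfter -lt (Get-Date)) { Write-Warning "$($cert.Subject) expired on $($cert.NotAfter)" }

    # Setting the property on an object from the Cert: drive writes straight to the store.
    $cert.FriendlyName = $FriendlyName
    $cert | Select-Object FriendlyName, Subject, NotAfter, HasPrivateKey
}

Set-CertFriendlyName -Thumbprint 'PLACEHOLDER_THUMBPRINT' -FriendlyName 'mail.example.com (3rd party)'
```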
After an Exchange 2007 to 2013 migration, the client emailed to say that noderunner.exe was maxing out the server’s memory and CPU.
The server was working fine otherwise. (I’d previously disabled the search index on the datastore to speed up the migration, and had only re-enabled it that day, so I assumed that was the problem; I disabled it once more and jumped on after hours for a look.)
You may also see Event ID 1009 logged:
Solution
First thing is to cap the memory that noderunner.exe uses; to do that, edit {Drive-Letter}:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe.config.
Locate the memoryLimitMegabytes="0" value.
Change it from ZERO (use everything) to 250 and save the file.
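As an added example (not from the original post), this makes the same edit as XML rather than in a text editor, and keeps a backup so the cap can be lifted again once the index has rebuilt. The path is the one from the post with drive C: assumed; the element carrying memoryLimitMegabytes is found by attribute, so the code does not depend on its name.

```powershell
# Added example (not from the original post): cap noderunner.exe's memory by
# editing its config as XML, keeping a timestamped copy of the original file.
function Set-NodeRunnerMemoryLimit {
    param(
        [string]$ConfigPath = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\Search\Ceres\Runtime\1.0\noderunner.exe.config',
        [int]$LimitMegabytes = 250   # 0 means 'use everything', which is the shipped default
    )
    if (-not (Test-Path $ConfigPath)) { throw "Config not found: $ConfigPath" }

    # Keep a copy so the change can be reverted after the index rebuild finishes.
    Copy-Item $ConfigPath "$ConfigPath.$(Get-Date -Format yyyyMMddHHmmss).bak"

    $xml = New-Object System.Xml.XmlDocument
    $xml.PreserveWhitespace = $true          # do not reflow the rest of the file
    $xml.Load($ConfigPath)

    # Locate whichever element carries the attribute, wherever it sits in the document.
    $node = $xml.SelectSingleNode('//*[@memoryLimitMegabytes]')
    if (-not $node) { throw 'memoryLimitMegabytes attribute not found in config' }

    $old = $node.GetAttribute('memoryLimitMegabytes')
    $node.SetAttribute('memoryLimitMegabytes', [string]$LimitMegabytes)
    $xml.Save($ConfigPath)

    "memoryLimitMegabytes: $old -> $LimitMegabytes"
}

Set-NodeRunnerMemoryLimit   # restart the search services afterwards for it to take effect
```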
Before we go any further, let’s check the database index status; execute the following command:
Go to each location; in the same folder will be a folder with a long hexadecimal name (the GUID of the database). Delete the folder, and repeat for each database that has a problem.
Start the services again:
[box]Start-Service MSExchangeFastSearch
Start-Service HostControllerService[/box]
Check the index health again:
Note: If you are running Exchange 2013, make sure you update it to a cumulative update later than version 12.
If there’s one thing that’s grown on me, it’s PowerShell; after the last few versions of Exchange you can’t really escape it. Now we have so many clients with their Exchange in Office 365, the ability to connect to that and use all your usual Exchange commandlets is a bonus!
WARNING: This process may end up with you getting an “Access is denied” error if you are using modern authentication or MFA. If so, use this article instead.
Solution
If you haven’t already done so, you need to ‘slacken’ your signing policy (a little) before proceeding:
[box]Set-ExecutionPolicy RemoteSigned[/box]
Now, to access Exchange Online you need to be able to authenticate to it; the best way to do that is to ‘cache’ your logon credentials. (Unless you have ADFS federation, in which case you can skip this step.) To enter your O365 creds, execute the following command:
I had a nightmare with this (this morning). The client had an Exchange 2007 server in a sub-domain, and I am migrating them to Exchange 2016 (via Exchange 2013). While attempting to deploy the Exchange 2013 server, the ‘Readiness Checks’ failed:
[box]
Error:
The Active Directory Schema isn’t up-to-date, and this user account isn’t a member of the ‘Schema Admins’ and/or ‘Enterprise Admins’ groups.
Error:
Global updates need to be made to Active Directory, and this user account isn’t a member of the ‘Enterprise Admins’ group.
Error:
The local domain needs to be updated. You must be a member of the ‘Domain Admins’ group and ‘Organization Management’ role group, or ‘Enterprise Admins’ group to continue.
Error:
You must be a member of the ‘Organization Management’ role group or a member of the ‘Enterprise Admins’ group to continue.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx
Error:
You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
Error:
You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.
Error:
You must use an account that’s a member of the Organization Management role group to install the first Client Access server role in the topology.
Error:
You must use an account that’s a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
Error:
You must use an account that’s a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.
Error:
You must use an account that’s a member of the Organization Management role group to install the first Mailbox server role in the topology.
Error:
Setup encountered a problem while validating the state of Active Directory: Exchange organization-level objects have not been created, and setup cannot create them because the local computer is not in the same domain and site as the schema master. Run setup with the /prepareAD parameter on a computer in the domain {root-domain} and site {site-name}, and wait for replication to complete. See the Exchange setup log for more information on this error.
Error:
The forest functional level of the current Active Directory forest is not Windows Server 2003 native or later. To install Exchange Server 2013, the forest functional level must be at least Windows Server 2003 native.
Error:
Either Active Directory doesn’t exist, or it can’t be contacted.
[/box]
WOW! That’s some error list!
Solution
OK, I’m assuming from this point forward you ARE in the correct AD groups, those being:
Schema Administrators
Enterprise Administrators
Exchange Organisational Management
Domain Admins
Note: If you’re in a sub-domain you can’t be in the Domain Admins and Schema/Enterprise Admins groups (see below).
At first I thought it was just a ‘bug’ that I’d seen before: you need to go to your user account in Active Directory and change your primary group from ‘Domain Users’ to ‘Enterprise Admins’, like so:
These Exchange servers were in a ‘sub-domain’, so I had to go to the root domain and go a bit ‘old-school’. Locate the Schema Master (it will be in the root domain).
For some reason, every post says go to another DC in the same site as the Schema Master and continue; well, you can do that here, i.e. you can simply run the following commands on the same server!
If you have some NFS storage, and you want to use it as a Datastore in your VMware environment, this is the procedure to follow.
Pre-Requisites
I’m assuming you already have a network connection between your ESX servers and the NAS box (i.e. you have a VMkernel NIC on the same network). I’m also assuming you have the NFS share set up correctly; in this example I’m using a Buffalo NAS box.
But you can also use a Windows NFS share; see the following article:
I’ve got a job coming up to deploy some Duo two-factor authentication into a client’s RDS farm. To make things a bit easier for them I needed to migrate their RD Connection Broker. They had their Connection Broker, Gateway, and Web roles on one server (which is not unusual, or incorrect). It turned out that moving the Connection Broker was going to be a major task, and it would be a lot easier to move the other two roles.
Solution
Note: Before deploying, make sure you have the certificate ready to import (in .PFX format with a known password). If you are confused, export the one from the old server. If you’re still confused, use the search button above; I’ve written that procedure up before.
Moving the Gateway and Web roles is actually pretty simple to do; the process is: add the server to the RDS farm, add the role, migrate the IIS settings. You can then repoint your firewall rules to the new server and remove the roles from the old one.
Build your new server, update it and join it to the domain.
Add the new server into the RDS deployment (on one of the RDS farm members).
You can now (from one of the other servers in the RDS farm) deploy the new role; I’m going to deploy RD Web Access first.
Search for, select, then add the new server > Next.
Add
The new role will be deployed, (time for a coffee?).
Select ‘Configure Certificate’.
Your newly added role will say ‘Error’ > Select it > ‘Select existing certificate’.
Browse to the certificate > Supply the password > Tick ‘Allow the certificate to be added to the Trusted Root……’ option > OK.
When the display changes to ‘Success’ > Apply > OK.
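The same role deployment and certificate binding from PowerShell, as an added example that is not part of the original post. It uses the RemoteDesktop module that comes with the RDS role and is run on an existing farm member; the broker and new server names, the external FQDN and the PFX path are placeholders.

```powershell
# Added example (not from the original post): add the Web Access and Gateway roles
# to a new farm member and bind the exported certificate, then verify it reads 'Trusted'.
Import-Module RemoteDesktop

$broker  = 'rdcb01.corp.example'        # existing connection broker (placeholder)
$newHost = 'rdweb02.corp.example'       # freshly built, patched, domain-joined server (placeholder)
$pfx     = 'C:\certs\rds-wildcard.pfx'  # same cert as the old server, exported with its key (placeholder)

# Add the new server to the deployment with both roles the post is moving.
Add-RDServer -Server $newHost -Role RDS-WEB-ACCESS -ConnectionBroker $broker
Add-RDServer -Server $newHost -Role RDS-GATEWAY -ConnectionBroker $broker `
    -GatewayExternalFqdn 'remote.example.com'   # the name users type into the RDP client (placeholder)

# Bind the certificate; prompting for the password keeps it out of history and transcripts.
$pw = Read-Host -AsSecureString -Prompt 'PFX password'
foreach ($role in 'RDWebAccess', 'RDGateway') {
    Set-RDCertificate -Role $role -ImportPath $pfx -Password $pw -ConnectionBroker $broker -Force
}

# Equivalent of the 'Success' check in the GUI: Level should be Trusted for both roles.
Get-RDCertificate -ConnectionBroker $broker |
    Where-Object Role -in 'RDWebAccess', 'RDGateway' |
    Format-Table Role, Level, ExpiresOn, IssuedTo -AutoSize
```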
Now you can add the other RDS Server(s) into the Server Manager console on the ‘new’ RDS server.
Now to ‘migrate’ any custom IIS settings, download the Web Deploy tool, either directly from Microsoft,
or you can deploy it from the Web Platform Installer.
Then, to migrate all the IIS settings, issue the following commands:
[box]CD “C:\Program Files (x86)\IIS\Microsoft Web Deploy V3”