Exchange 2019 / 2016 Manage Remotely via PowerShell

KB ID 0001465

Problem

Since Exchange 2013 we have been able to manage Exchange remotely through the Exchange Admin Center, but what if you want to use the Exchange Management Shell remotely?

Install Exchange Management Tools

This is not just the Management Shell; it will also install the Toolbox and the additional help content.

There are a few prerequisites (the IIS management components below). To install them, and then the tools themselves, run the following from an elevated PowerShell prompt in the folder holding the Exchange installation media;

[box]

Enable-WindowsOptionalFeature -Online -FeatureName IIS-ManagementScriptingTools,IIS-IIS6ManagementCompatibility,IIS-LegacySnapIn,IIS-ManagementConsole,IIS-Metabase,IIS-WebServerManagementTools,IIS-WebServerRole

./Setup.exe /Role:ManagementTools /IAcceptExchangeServerLicenseTerms

[/box]

Once installed, you can launch the Exchange Management Shell itself, or you can add the Exchange cmdlets to a normal PowerShell session with the following command;

[box]

Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn;

[/box]

For older versions of Exchange, the snap-in names are slightly different;

  • Exchange 2010: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.E2010;
  • Exchange 2007: Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin;

Connect to Exchange Remotely (via PowerShell)

It’s a Windows server after all, so you can bring up a remote session. First capture the credentials of an account that has been assigned an Exchange management role (e.g. a member of Organization Management);

[box]

$UserCredential = Get-Credential

[/box]

Then connect to the Exchange server. Use the server’s FQDN so Kerberos can find the right SPN. With Kerberos the WinRM traffic is encrypted at the message level even though the URI is http; if you ever use Basic authentication instead, it must only be over https;

[box]

$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://Server-Name/PowerShell/ -Authentication Kerberos -Credential $UserCredential

Import-PSSession $Session -DisableNameChecking

[/box]

Note: Don’t forget to remove the session when you have finished. Each open session holds a runspace on the server, and Exchange throttles the number of concurrent remote shells a user may hold.

[box]

Remove-PSSession $Session

[/box]
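The whole connect / run / disconnect cycle above, wrapped so the session is always torn down even when the command fails. This is an added example, not code from the original article; the server name ex01.corp.example and the credential prompt text are placeholders, and it assumes a domain-joined machine so Kerberos works.

```powershell
# Added example (not from the original article): open a remote Exchange
# Management Shell session, run a command, and always tear the session down.
# Assumptions: the Exchange server is reachable as ex01.corp.example (placeholder),
# the account holds an Exchange management role, and the caller is domain-joined.

function Invoke-ExchangeRemote {
    param(
        [Parameter(Mandatory)] [string]       $Server,      # FQDN, so Kerberos finds the HTTP/<fqdn> SPN
        [Parameter(Mandatory)] [pscredential] $Credential,
        [Parameter(Mandatory)] [scriptblock]  $Command
    )

    $uri     = "http://$Server/PowerShell/"   # Kerberos encrypts the WinRM payload even over http
    $session = $null
    try {
        $session = New-PSSession -ConfigurationName Microsoft.Exchange `
                                 -ConnectionUri $uri `
                                 -Authentication Kerberos `
                                 -Credential $Credential `
                                 -ErrorAction Stop

        # Import-PSSession returns a temporary module; importing it with -Global makes
        # the proxy cmdlets visible to the caller's script block, not just this function.
        # -Prefix keeps them distinct (Get-OnPremMailbox) so they cannot shadow locally
        # installed Exchange or Exchange Online cmdlets.
        Import-Module (Import-PSSession $session -DisableNameChecking -Prefix OnPrem -AllowClobber) -Global

        & $Command
    }
    finally {
        # Always release the session: each one holds a runspace on the server and
        # counts against the user's concurrent-shell throttle.
        if ($session) { Remove-PSSession $session }
    }
}

# Usage (placeholder server name):
$cred = Get-Credential -Message 'Exchange admin account (DOMAIN\user)'
Invoke-ExchangeRemote -Server 'ex01.corp.example' -Credential $cred -Command {
    Get-OnPremExchangeServer | Select-Object Name, ServerRole, AdminDisplayVersion
}
```

The try/finally is the point: if the imported command throws, the session is still removed, so you do not slowly exhaust your remote shell allowance on the server.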

Related Articles, References, Credits, or External Links

NA

PDC Emulator: Cannot Sync Time From External NTP Server

KB ID 0001464

Problem

I was involved in a question on Experts Exchange this week where the asker could not get their PDC to sync time from an external NTP server.

He was seeing an Event ID 12 error from the Time-Service source;

Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.

Also See: Windows – Setting Domain Time

Solution

If you see this error in the event log, then when you try to ‘resync’ you may also see;

The computer did not resync because no time data was available

Then look at the following;

UDP port 123 (NTP) is not open outbound for this host on the corporate firewall.

This is easy to check with NTPTool. If the query gets no reply at all, either the hostname/IP address you are going to is incorrect, or the port is blocked on your firewall.

If the query comes back with a time reply, your hostname/IP is correct and the port IS open.

Is the Server a Virtual Machine?

If so it might be getting its time set at the hypervisor level, which is not good for a PDC emulator that is supposed to be the authoritative source for the domain. Check the VM settings (in VMware the option is the VMware Tools ‘Synchronize guest time with host’ setting, which should be off for this VM);

VMware 6

VMware 5

There is a GPO applied to the PDC emulator that is enforcing incorrect time settings.

Again easy to check: open an administrative command window and run ‘rsop’ (the resultant set of policy console).

Navigate to;

[box]Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers [/box]

Note: Each time server must be entered as its name, a comma, and a hex flag value, with multiple servers separated by a space (e.g. pool.ntp.org,0x1). The value after the comma is a flag word, not a stratum level: 0x1 tells w32time to poll at the SpecialPollInterval, 0x8 forces client mode (send requests, never act as a symmetric peer), and 0x9 combines the two, which is the usual choice for an external source. For troubleshooting just try pool.ntp.org,0x1 (then you can specify ones closer to home as you prove they work OK). If you get the syntax wrong, you will see the “The computer did not resync because no time data was available” error.

If there’s a GPO being applied higher up in the domain, you need to change it so that it does not apply (at least to the PDC emulator). In the next post I’ll discuss how to set the PDC emulator to correctly get its time via GPO.

Check What your Server ‘Thinks’ is the Correct NTP Settings

Firstly use;

[box]w32tm /query /status[/box]

If the source shown is ‘Local CMOS Clock’, the server is using its own internal clock. This is not what we want! You need to go back to square one if you see this!

Assuming it’s not using its own clock as a time source, use the following;

[box]w32tm /query /configuration[/box]

You are looking for;

  • Type NTP (Local) (not NT5DS, which means “follow the domain hierarchy”, the very thing a PDC emulator cannot do)
  • AnnounceFlags 5 (Local)
  • NtpClient (Local)
  • DllName C:\WINDOWS\SYSTEM32\w32time.DLL (Local)
  • (Under NtpClient) NtpServer {your-public-ntp-server},0x1 (Local)
  • (Under NtpClient) Enabled 1 (Local)

Assuming that’s all OK, you can also see the status;

[box]w32tm /query /status /verbose[/box]

You are looking for;

  • Server Role 576 (Reliable Time Service)
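The checks above (the NtpServer syntax, the Type, and whether each configured server actually answers on UDP/123) can be run in one go. This is an added example, not code from the original article; it assumes an elevated prompt on the PDC emulator, and it parses the “Key: Value (Local|Policy)” lines that w32tm prints.

```powershell
# Added example (not from the original article): validate the PDC emulator's
# NTP client configuration and test each configured server for reachability.
# Assumes an elevated prompt on the PDC emulator. Server names come from w32tm,
# nothing here is hard-coded.

function Test-NtpServerEntry {
    # Each NtpServer entry must be "host,0xFLAGS"; the hex value is a flag word,
    # not a stratum: 0x1 = SpecialInterval, 0x8 = Client, 0x9 = both.
    param([Parameter(Mandatory)] [string] $Entry)
    $hostName, $flags = $Entry -split ','
    [pscustomobject]@{
        Host        = $hostName
        Flags       = $flags
        ValidSyntax = ($Entry -match '^[A-Za-z0-9.\-]+,0x[0-9A-Fa-f]+$')
    }
}

function Get-W32TimeClientConfig {
    # w32tm prints "Key: Value (Local|Policy)"; the suffix says whether the value
    # came from the registry or from a GPO, which is exactly what rsop would show.
    $lines = & w32tm /query /configuration
    $cfg = @{}
    foreach ($line in $lines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*\((Local|Policy)\)\s*$') {
            # "Enabled" repeats per provider; the first one is under [NtpClient].
            if (-not $cfg.ContainsKey($Matches[1])) {
                $cfg[$Matches[1]] = @{ Value = $Matches[2]; From = $Matches[3] }
            }
        }
    }
    $cfg
}

function Test-NtpReachable {
    param([Parameter(Mandatory)] [string] $Server, [int] $Samples = 3)
    # stripchart sends real NTP requests over UDP/123, so it exercises name
    # resolution and the firewall path. When nothing answers, w32tm prints an
    # "error:" line per sample instead of a clock offset.
    $out    = & w32tm /stripchart /computer:$Server /samples:$Samples /dataonly 2>&1
    $errors = @($out | Where-Object { "$_" -match 'error' })
    [pscustomobject]@{ Server = $Server; Reachable = ($errors.Count -eq 0); Output = ($out -join "`n") }
}

$cfg = Get-W32TimeClientConfig
if ($cfg.Type.Value -ne 'NTP') {
    Write-Warning "Type is '$($cfg.Type.Value)' (from $($cfg.Type.From)); the PDC emulator should be NTP, not NT5DS"
}
if ($cfg.Enabled.Value -ne '1') {
    Write-Warning "NtpClient provider is not enabled (from $($cfg.Enabled.From))"
}
foreach ($entry in ($cfg.NtpServer.Value -split '\s+')) {
    $parsed = Test-NtpServerEntry -Entry $entry
    if (-not $parsed.ValidSyntax) {
        Write-Warning "Bad NtpServer entry '$entry' (from $($cfg.NtpServer.From)): expected host,0xFLAGS"
        continue
    }
    Test-NtpReachable -Server $parsed.Host | Select-Object Server, Reachable
}
```

If a value is reported as coming from Policy rather than Local, fixing the registry will not help; the GPO will simply put it back, which is the case described above.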
 
 

Related Articles, References, Credits, or External Links

Sync Microsoft Domain Time To A Cisco NTP Device

Windows – Setting Domain Time

Cisco ASA – Configuring for NTP

Windows – Error ‘A Good Time server could not be located’

VMware Cannot Upload Large ISO File?

KB ID 0001463

Problem

I was trying to upload a Windows 10 ISO file to my vSphere environment, and it was continually failing;

I tried multiple datastores on multiple hosts, same result. It wasn’t until I connected directly to one of the hosts to try that I saw a more descriptive error;

Brilliant Thanks Microsoft! Their website says;

You may notice that even IE11 is limited to 4gb uploads, but that’s not a significant problem because websites should never try to upload large files (e.g. >50mb) directly in modern browsers.

Right so who makes Windows 10?

Solution

Use Chrome 🙁

Related Articles, References, Credits, or External Links

NA

Safari: This connection Is Not Private Loop

KB ID 0001462

Problem

This has been bugging me for a while. I use Safari for most things, but recently going to an https (SSL secured) web page that uses a self-signed or expired certificate gives me this;

Now this is to be expected. Normally you click ‘visit this website‘, it asks for your password, and away you go. However now it doesn’t; it loops you back here again, and you can go round many times until you give up and use Firefox.

Solution

This stung me yesterday when I wanted to get on the office MFD. The fix is easy: open a new private browsing window (File > New Private Window), then go to the same URL. What’s more, once you have been to that URL it now works in normal Safari. Remember that clicking through only makes sense for a device you own, such as the office MFD; the warning exists because the certificate cannot prove you are talking to the host you think you are.

Related Articles, References, Credits, or External Links

NA

SMB1 Is Dead? (Unfortunately Not Yet)

KB ID 0001461

Problem

I recently did a migration for an engineering company, about a week later I got an email from them to say, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot, the error was;

You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747

Some Googling told me that Windows 10 no longer installs SMB1 on a clean build (from 1709 onwards; this PC was on 1803), and like most people who see this for the first time, I got the PowerShell to turn it on. Client was happy, end of problem, right?

Well, yes and no. ‘SMB1 is bad‘, very bad in fact. Enabling SMB1 is a bit like removing the windows from your house because you’re too hot: yes, it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!

OK What’s Changed?

With Windows 10 build 1709 and later, a clean install no longer includes SMB1 at all (the client in question was on 1803). If you try to connect to a device/share that only speaks SMB1, you will see the same error my client did.

However, if you have an earlier build of Windows 10 and simply let it update in place (including the 1803 July security update), SMB1 is kept if it was in use, so that machine will continue to work. (Windows then removes the SMB1 client by itself once it has gone 15 days without being used, so don’t expect that to last.)

I tried to replicate this on my test network. Like the client, I had a 2008 R2 file server, and connected to it from a new Windows 10 machine and an old(er) updated Windows 10 machine. Everything worked. In fact, to replicate the client’s error I had to manually disable SMB2 and force SMB1. That’s strange, I thought, so I checked the client’s server;

As you will discover (below), a DWORD named SMB2 set to 0 under the LanmanServer parameters disables SMB2 and forces the server to speak SMB1 only. Now the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well, as an educated guess, the software that runs on this server needs SMB1. (They have some older Linux machines and machinery that logs are collected from.)

Solution

As Microsoft says;

Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.

So the steps I outline below are so you can actually do some troubleshooting, to see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should‘. That being said, I appreciate we operate in the real world. If your line-of-business software needs SMB1, you can’t shut down production while the vendor fixes their ‘poorly written, and relying on a 30-year-old protocol‘ code. Or, what you are connecting to might not be a Windows machine at all! It might be an old appliance with no firmware update that brings it to SMB2/3, and there’s no budget to replace it.

Windows 10 Enable SMB1

Use the following PowerShell;

[box]

Get-WindowsOptionalFeature -Online -FeatureName smb1protocol
Enable-WindowsOptionalFeature -Online -FeatureName smb1protocol

[/box]

Again this is a temporary fix! As soon as possible disable it again.

[box]

Disable-WindowsOptionalFeature -Online -FeatureName smb1protocol

[/box]
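If SMB1 really has to come back on a Windows 10 client, there is a smaller step than enabling the whole feature: on 1709 and later the feature is split into client and server halves, and only the client half is needed to talk to an old file server. This is an added example, not code from the original article; it assumes Windows 10 1709 or later, an elevated prompt, and \\fileserver\N is a placeholder for the share.

```powershell
# Added example (not from the original article): enable only the SMB1 client
# half on a Windows 10 PC, then confirm which dialect each server actually
# negotiates. Assumes Windows 10 1709+ (SMB1Protocol-Client / -Server
# sub-features exist) and an elevated prompt. \\fileserver\N is a placeholder.

function Enable-Smb1ClientOnly {
    # The server sub-feature would make this PC *answer* SMB1 requests itself;
    # the client sub-feature is all that is needed to reach an SMB1-only server.
    $client = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client
    if ($client.State -ne 'Enabled') {
        Enable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Client -NoRestart | Out-Null
    }
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol-Server -NoRestart -ErrorAction SilentlyContinue | Out-Null

    # Show the resulting state of all three (parent, client, server).
    Get-WindowsOptionalFeature -Online |
        Where-Object FeatureName -like 'SMB1Protocol*' |
        Select-Object FeatureName, State
}

function Get-SmbDialectFor {
    param([Parameter(Mandatory)] [string] $SharePath)
    # Touch the share so a connection exists, then read back the negotiated
    # dialect. Anything starting with "1." means the old protocol is really
    # in use for that server; "2.x"/"3.x" means SMB1 was not needed for it.
    Get-ChildItem -Path $SharePath -ErrorAction Stop | Out-Null
    $server = ($SharePath -split '\\')[2]
    Get-SmbConnection |
        Where-Object ServerName -like "$server*" |
        Select-Object ServerName, ShareName, Dialect, Encrypted -Unique
}

Enable-Smb1ClientOnly
Get-SmbDialectFor -SharePath '\\fileserver\N'
```

The dialect check is the useful bit: it tells you, per server, whether the client is actually falling back to SMB1 or whether the problem lies elsewhere, so you only keep the feature on for as long as a 1.x dialect is genuinely in use.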

Windows Server (Enabling/Disabling SMB1 & SMB2)

As with most things, SMB status is set in the registry (the LanmanServer key referred to above).

Enable or disable SMBv1 on the SMB server;

Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Enable or disable SMBv2 on the SMB server;

Registry subkey:HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled (No registry key is created)

Note:  You must restart the computer after you make these changes.

But things are much easier done with PowerShell. To see the settings;

[box]Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters[/box]

Note: In the client’s case this showed SMB1 = 1 and SMB2 = 0, i.e. SMB1 enabled and SMB2 disabled. Remember that a value that is simply absent means the default (enabled).

WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server (if it’s already virtualised). Then you can try out some non-destructive testing to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.

[box]Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB2 -Type DWord -Value 1 -Force
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters" -Name SMB1 -Type DWord -Value 0 -Force[/box]

Remember to reboot!

 

If your application still works great, ‘you didn’t need SMB1 anyway‘, sit back, light your pipe, and admire your handiwork!

If not, try with both protocols enabled. (To be fair, security-wise this is little better than SMB1 only: the server’s SMB1 code path is still reachable by any client that asks for it, and a client that can be talked into SMB1 loses the integrity and signing improvements that came with SMB2, so the SMB1 attack surface is still there.) But at least, from a user perspective, your new Windows machines will connect via SMB2, and you can get on with finding out which clients still need SMB1.

Remember to reboot!
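On a Windows Server 2012 R2 or later file server there is a better way to do all of the above, and to answer the question the registry cannot: who is still using SMB1? This is an added example, not code from the original article; it assumes the SmbShare module (so not the 2008 R2 server in the article, where the registry edits above are still the method) and an elevated prompt. With these cmdlets no reboot is needed.

```powershell
# Added example (not from the original article): report SMB1/SMB2 state on a
# Windows Server 2012 R2+ file server, switch on SMB1 auditing to see which
# clients still use it, and move the server to SMB2-only. Run elevated.

function Get-SmbProtocolState {
    # Get-SmbServerConfiguration shows the live setting; the registry values
    # alongside are what the article edits (absent value = default, enabled).
    $live = Get-SmbServerConfiguration
    $reg  = Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    [pscustomobject]@{
        Smb1Live       = $live.EnableSMB1Protocol
        Smb2Live       = $live.EnableSMB2Protocol
        Smb1Registry   = if ($null -eq $reg.SMB1) { 'default (1)' } else { $reg.SMB1 }
        Smb2Registry   = if ($null -eq $reg.SMB2) { 'default (1)' } else { $reg.SMB2 }
        Smb1AuditingOn = $live.AuditSmb1Access
    }
}

function Get-Smb1Clients {
    # With AuditSmb1Access on, every SMB1 connection writes event 3000 to
    # Microsoft-Windows-SMBServer/Audit with the client's address in it.
    Set-SmbServerConfiguration -AuditSmb1Access $true -Force
    $events = Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-SMBServer/Audit'; Id = 3000 } -ErrorAction SilentlyContinue
    $events |
        ForEach-Object { if ($_.Message -match 'Client Address:\s*(\S+)') { $Matches[1] } } |
        Group-Object | Sort-Object Count -Descending |
        Select-Object @{ n = 'ClientAddress'; e = { $_.Name } }, Count
}

function Get-SmbSessionsByDialect {
    # Live view: which connected clients negotiated which dialect right now.
    Get-SmbSession |
        Select-Object ClientComputerName, ClientUserName, Dialect |
        Sort-Object Dialect, ClientComputerName
}

function Set-SmbTwoOnly {
    # Order matters: be sure SMB2 is on before SMB1 goes off, or you end up
    # with a server nobody can talk to. Unlike the registry edits, these take
    # effect immediately without a reboot.
    Set-SmbServerConfiguration -EnableSMB2Protocol $true  -Force
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Get-SmbProtocolState
}

Get-SmbProtocolState
Get-SmbSessionsByDialect
Get-Smb1Clients        # run this for a while (a full business day at least) before Set-SmbTwoOnly
```

The audit log is what turns “our software might need SMB1” into a list of specific client addresses, which is the evidence you need before taking SMB1 away, and the list of hosts to fix afterwards.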

 

Related Articles, References, Credits, or External Links

NA

FirePOWER: ‘No Authentication Required’ No Usernames

KB ID 0001460

Problem

When attempting to track Users with FirePOWER, the FMC would not show any usernames?

Solution

There’s a lot of reasons this might not work; let’s take a look at a few of them.

Firstly, make sure the server running the ‘User Agent’ is listed under System > Integration > Identity Sources > User Agent.

It probably goes without saying, but over on the server running the User Agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).

Make sure your DCs are set up to audit logon events (success)! The User Agent maps users to IP addresses from the DCs’ security logs, so without those events it has nothing to work with. (I’ve had to do this in local policy directly on the DCs before.)
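To confirm a DC is actually producing those events, and to see the user-to-IP pairs the agent would learn from, the following can be run on the DC. This is an added example, not code from the original article or from Cisco; the event ID (4624) and audit subcategory (Logon) are the standard Windows ones, and it assumes an elevated prompt on the DC.

```powershell
# Added example (not from the original article): confirm a domain controller is
# producing successful-logon events and show the user/IP pairs they contain.
# Assumes an elevated prompt on the DC. Nothing here is Cisco-specific.

function Get-LogonAuditState {
    # auditpol reports the *effective* policy (local + GPO). Success auditing on
    # the Logon subcategory is what produces event 4624.
    $csv = & auditpol /get /subcategory:"Logon" /r | Where-Object { $_ -match '\S' } | ConvertFrom-Csv
    [pscustomobject]@{
        Subcategory      = $csv.Subcategory
        InclusionSetting = $csv.'Inclusion Setting'                 # want "Success" or "Success and Failure"
        SuccessAudited   = [bool]($csv.'Inclusion Setting' -match 'Success')
    }
}

function Get-RecentUserLogons {
    param([int] $Minutes = 60)
    # 4624 = successful logon. Types 2 (interactive), 3 (network) and 10 (RDP)
    # carry a real user and a source address; machine accounts ($) are noise.
    $filter = @{ LogName = 'Security'; Id = 4624; StartTime = (Get-Date).AddMinutes(-$Minutes) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        $xml  = [xml]$_.ToXml()
        $data = @{}
        foreach ($d in $xml.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        [pscustomobject]@{
            Time      = $_.TimeCreated
            User      = "$($data.TargetDomainName)\$($data.TargetUserName)"
            LogonType = [int]$data.LogonType
            SourceIp  = $data.IpAddress
        }
    } | Where-Object {
        $_.LogonType -in @(2, 3, 10) -and
        $_.User -notlike '*$' -and
        $_.SourceIp -notin @('-', '::1', '127.0.0.1')
    }
}

Get-LogonAuditState
Get-RecentUserLogons -Minutes 30 |
    Group-Object User, SourceIp |
    Select-Object Count, Name |
    Sort-Object Count -Descending
```

If SuccessAudited is false, nothing else in this list will help until the audit policy is fixed; if it is true but the second command returns nothing, users are authenticating against a different DC and the agent needs to be pointed at that one too.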

Ensure you have set up a ‘Realm’ for your Active Directory, and that it’s enabled. (System > Integration > Realms).

WARNING: In some versions of the FMC there’s a ‘Bug’ that requires you use the NETBIOS name of your domain rather than its full domain name, (as shown in the example on the right).

After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.

Make sure you have an ‘Identity Policy‘, and that it’s set to discover users by ‘Passive Authentication‘, and it’s set to use the ‘Realm‘ you created. (Policies > Access Control > Identity).

In your main ‘Access Control Policy‘ > In at least one of the rules, under ‘Users‘, ensure that your ‘Realm‘ is selected and added. (Policies > Access Control).

Also, under your ‘Network Discovery‘ policy, make sure ‘Users‘ has been added.

Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.

Once all the boxes are ‘ticked’, users should start appearing.

Related Articles, References, Credits, or External Links

NA

Dell iDRAC: ‘Virtual Media is Detached’

KB ID 0001459

Problem

I needed to present an .iso image to my Dell server and got this;

Either Virtual Media is detached or
Virtual Media redirection for the selected virtual disk is already in use

Solution

System  > Console Media > Configuration > Virtual Console > Enabled (tick)  > Status (Auto Attach) > Save.

Related Articles, References, Credits, or External Links

NA

vSphere: Downgrading Guest ‘Hardware Version’

KB ID 0001458

Problem

I always assumed this was either not possible, (without using VMware converter,) or at least very difficult. I downgraded one of my test ESX boxes from 6.5 to 5.5 this week, and needed to lower the hardware versions on some of my VMs accordingly.

Solution

Power off the VM first. Then connect to the host ESX server via SSH and navigate to the VMFS volumes;

[box]cd /vmfs/volumes[/box]

Change directory so you are in the right ‘datastore’, locate the VM’s folder, and change to that directory. You are looking for the VM’s .vmx file (shown below in green). Take a copy of it before you touch it, so you can put the original back if the VM refuses to register.

Edit the file using ‘vi’ and locate the virtualHW.version value; here it’s version 11 (ESXi 6.0).

Here I’m changing it to version 10 (ESXi 5.5).

Then remove the VM from the inventory, navigate to its .vmx file in the datastore browser and select ‘Register VM‘.

Related Articles, References, Credits, or External Links

NA

Scheduled Task Error 0x1

KB ID 0001457

Problem

While replacing a server, I copied over some scripts, (batch files) the client was using to back up some data. I scheduled them on the new server, but noticed they were finishing with a status of 0x1. (and not actually backing anything up!)

Solution

Edit the properties of the job > General tab. The usual cause of 0x1 from a batch file is that it is being started from the wrong folder, so fix the ‘Start in’ path (below) first, and only tick “Run with the highest privileges” if the script genuinely needs elevation; a backup job should run as an account with just the rights the copy needs.

Note: You can also tick “Do not store password. This task will only have access to local computer resources” if the process only touches this machine.

Actions > Select the Action and edit it > Change the ‘Start in‘ section so that it points to the folder the script is in > OK > Apply > OK.

Rerun the job and it should complete with a 0x0 status (successful).
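The same task, created from PowerShell with the working directory set explicitly and the result code read back, so the fix is reproducible on the next server you replace. This is an added example, not code from the original article; the paths, task name and the CORP\svc-backup account are placeholders.

```powershell
# Added example (not from the original article): register a batch-file backup
# task with an explicit working directory and read back its result code.
# Paths, task name and the service account are placeholders.

$scriptDir  = 'C:\Scripts\Backup'
$scriptFile = Join-Path $scriptDir 'nightly-backup.cmd'
$taskName   = 'Nightly Backup'

# 0x1 from a batch file usually just means "cmd.exe exited 1", which is what
# happens when the script cannot find a file relative to its own folder.
# -WorkingDirectory is the PowerShell name for the GUI's "Start in" box.
$action  = New-ScheduledTaskAction -Execute 'cmd.exe' -Argument "/c `"$scriptFile`"" -WorkingDirectory $scriptDir
$trigger = New-ScheduledTaskTrigger -Daily -At '01:00'

# Run as a dedicated account with only the rights the copy needs, rather than
# ticking "highest privileges" (-RunLevel Highest) on an admin account. S4U stores
# no password (the GUI's "Do not store password"), which also limits the task to
# local resources; use -LogonType Password if the script must reach a share.
$principal = New-ScheduledTaskPrincipal -UserId 'CORP\svc-backup' -LogonType S4U -RunLevel Limited

Register-ScheduledTask -TaskName $taskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null

function Test-LastRun {
    param([Parameter(Mandatory)] [string] $Name)
    Start-ScheduledTask -TaskName $Name
    # Wait for the run to finish, then report the exit code: 0x0 is success,
    # 0x1 is the error in the article.
    do {
        Start-Sleep -Seconds 5
    } while ((Get-ScheduledTask -TaskName $Name).State -eq 'Running')
    $info = Get-ScheduledTaskInfo -TaskName $Name
    [pscustomobject]@{
        Task    = $Name
        LastRun = $info.LastRunTime
        Result  = ('0x{0:X}' -f $info.LastTaskResult)
    }
}

Test-LastRun -Name $taskName
```

Because the working directory is part of the registered action, the task does not depend on whoever imported it remembering to click through the ‘Start in’ box.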

Related Articles, References, Credits, or External Links

NA

Veeam Backup Error: Code 1326

KB ID 0001456

Problem

Processing {Server-Name} Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘

Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}.amf.local]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘
Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}.amf.local]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘

Solution

Firstly, make sure the user you are running the backup job as has the correct rights! Veeam connects to the guest’s administrative share (ADMIN$), so the account needs local Administrator rights on the guest. Also enter it as DOMAIN-NAME\Username. If you have selected application-aware processing, make sure that user has the appropriate rights (or an additional user is added for applications like SQL, Oracle, etc.).

Go to the properties of the job, Guest Processing > Credentials.

Select the server producing the error > Set User > Standard Credentials > Select the appropriate user > OK > OK.

Then use the “Test Now” button, and ensure the authentication works correctly.
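You can reproduce the connection Veeam is attempting from the backup server itself, with the same credentials the job uses, which separates a genuine 1326 (bad user name or password) from a rights problem (access denied) or a name-resolution/firewall problem (path not found). This is an added example, not code from the original article or from Veeam; the host names are placeholders.

```powershell
# Added example (not from the original article): open a guest's ADMIN$ share
# from the Veeam server with the job's credentials and decode the Win32 error.
# Host names are placeholders; run it on the backup server.

function Test-AdminShare {
    param(
        [Parameter(Mandatory)] [string]       $ComputerName,
        [Parameter(Mandatory)] [pscredential] $Credential   # supply as DOMAIN\user, as the article says
    )
    $path = "\\$ComputerName\ADMIN$"
    try {
        # New-PSDrive -Credential is PowerShell's "net use"; the drive is local to
        # this function and is removed in finally either way.
        New-PSDrive -Name VeeamTest -PSProvider FileSystem -Root $path -Credential $Credential -ErrorAction Stop | Out-Null
        $result = [pscustomobject]@{ Host = $ComputerName; Path = $path; Ok = $true; Win32 = 0; Error = $null }
    }
    catch {
        # Win32Exception carries the code directly; otherwise an HRESULT of the
        # form 0x8007xxxx wraps it in the low 16 bits. 1326 = bad user/password,
        # 5 = access denied (account is not a local admin), 53 = path not found.
        $ex    = $_.Exception
        $win32 = if ($ex -is [System.ComponentModel.Win32Exception]) { $ex.NativeErrorCode }
                 elseif (($ex.HResult -band 0xFFFF0000) -eq 0x80070000) { $ex.HResult -band 0xFFFF }
                 else { $null }
        $result = [pscustomobject]@{ Host = $ComputerName; Path = $path; Ok = $false; Win32 = $win32; Error = $ex.Message }
    }
    finally {
        Remove-PSDrive -Name VeeamTest -ErrorAction SilentlyContinue
    }
    $result
}

$cred = Get-Credential -Message 'Guest processing account (DOMAIN\user)'
'srv-app01', 'srv-db01' | ForEach-Object { Test-AdminShare -ComputerName $_ -Credential $cred }
```

A 1326 from this test with a password you have just reset points at the user name format (missing domain, or a local account where a domain one was intended); a 5 means the credentials are right but the account is not an administrator on that guest.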

Related Articles, References, Credits, or External Links

Veeam Backup and Recovery Download

Veeam Availability Suite Download

Veeam Backup For Office 365 Download

Veeam Backup For Azure Download

Veeam Backup for AWS Download