Since Exchange 2013 we have been able to manage Exchange remotely through the Exchange Admin Center, but what if you want to use the Exchange Management Shell remotely?
Install Exchange Management Tools
This is not just the Management Shell, this will also install the Toolbox and additional help.
There are few prerequisites, but to install from a normal PowerShell prompt;
Once installed, you can launch the Shell itself, or you can add the Exchange PowerShell cmdlets to a normal PowerShell session, with the following command;
I was involved in a question on Experts Exchange this week where the asker could not get their PDC to sync time from an external NTP server.
He was seeing an Event ID 12 Error;
Time Provider NtpClient: This machine is configured to use the domain hierarchy to determine its time source, but it is the PDC emulator for the domain at the root of the forest, so there is no machine above it in the domain hierarchy to use as a time source. It is recommended that you either configure a reliable time service in the root domain, or manually configure the PDC to synchronize with an external time source. Otherwise, this machine will function as the authoritative time source in the domain hierarchy. If an external time source is not configured or used for this computer, you may choose to disable the NtpClient.
If you see this error in the event log, then when you try and ‘resync’ you may see;
The computer did not resync because no time data was available
Then look at the following
UDP Port 123 (NTP) is not opened, (outbound) for this host on the corporate firewall.
This is easy to check with NTPTool. If it looks like this, either the hostname/IP address you are going to is incorrect, or the port is blocked on your firewall.
If it looks like this then your hostname/IP is correct, and the port IS open.
Is the Server a Virtual Machine?
If so, it might be getting its time set at the hypervisor level (this is not good for Windows machines). Check the VM settings.
VMware 6
VMware 5
There is a GPO enforced on the PDC emulator that is enforcing the incorrect time settings
Again, this is easy to check: open an administrative command window and run ‘rsop’.
Navigate to;
Computer Configuration > Administrative Templates > System > Windows Time Service > Time Providers
Note: The time servers must be in Name(comma) Stratum-level (space) format. For troubleshooting just try pool.ntp.org,0x1 (then you can specify ones closer to home, as you prove they work OK). If you get the stratum level or the syntax wrong then you will see the “The computer did not resync because no time data was available” error.
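The three checks above can also be run from an elevated PowerShell session on the PDC emulator. This is an added example, not part of the original post; it uses the built-in w32tm tool instead of NTPTool, and it assumes the GPO settings land under the standard W32Time policy registry key.

```powershell
# Added example: run in an elevated PowerShell session on the PDC emulator.
$peer = 'pool.ntp.org'   # troubleshooting source suggested in the note above

# 1. Firewall check: do NTP replies come back over UDP 123?
#    A time offset per sample means the port is open and the name resolves;
#    "error: 0x800705B4" on every sample is a timeout (blocked port or wrong host).
w32tm /stripchart "/computer:$peer" /samples:3 /dataonly

# 2. GPO check: policy-delivered settings are written under the Policies key
#    and take precedence over anything configured locally with w32tm /config.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\W32Time\Parameters'
if (Test-Path $policyKey) {
    Get-ItemProperty -Path $policyKey | Select-Object NtpServer, Type
} else {
    'No W32Time policy key found; local configuration applies.'
}

# 3. What the time service is actually using right now.
#    "Local CMOS Clock" or "Free-running System Clock" as the source means
#    no external peer is in use.
w32tm /query /source
w32tm /query /configuration

# 4. Point the PDC emulator at the external source and mark it reliable.
#    If step 2 showed a policy value, fix the GPO instead: it will win.
w32tm /config "/manualpeerlist:$peer,0x1" /syncfromflags:manual /reliable:yes /update
Restart-Service w32time
w32tm /resync /rediscover

# 5. Confirm: Source should now show the external peer, not the local clock.
w32tm /query /status
```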
I was trying to upload a Windows 10 use file to my vSphere environment, and it was continually failing;
I tried multiple datastores on multiple hosts, with the same result. It wasn’t until I connected directly to one of the hosts to try that I saw a more descriptive error;
Brilliant Thanks Microsoft! Their website says;
You may notice that even IE11 is limited to 4gb uploads, but that’s not a significant problem because websites should never try to upload large files (e.g. >50mb) directly in modern browsers.
Right so who makes Windows 10?
Solution
Use Chrome 🙁
This has been bugging me for a while. I use Safari for most things, but recently going to an https (SSL secured) web page that uses a self-signed or expired certificate gives me this;
Now this is to be expected; normally you click ‘visit this website’, it asks for your password, and away you go. However, now it doesn’t. It loops you back here again, and you can go round many times until you give up and use Firefox.
Solution
This stung me yesterday when I wanted to get on the office MFD. The fix is easy: open a new private browsing window (File > New Private Window), then go to the same URL. What’s more, once you have been to that URL, it now works in normal Safari.
I recently did a migration for an engineering company, about a week later I got an email from them to say, “We have a new Windows 10 PC, and it can’t connect to the ‘N’ Drive?” I asked them to send me a screenshot, the error was;
You can’t connect to the file share because it’s not secure. This share requires the obsolete SMB1 protocol, which is unsafe and could expose your system to attack.
Your system requires SMB2 or higher. For more info on resolving this issue, see: https://go.microsoft.com/fwlink/?linkid=852747
Some Googling told me that Windows 10 (build 1803) had removed SMB1, and like most people who see this for the first time, I got the PowerShell to turn it on. Client was happy, end of problem, right?
Well, yes and no. ‘SMB1 is Bad’, very bad in fact. Enabling SMB1 is a bit like removing the windows from your house because you’re too hot: yes, it solves the problem, but now anyone who wants to jump into your house can do so, at any time of the day!
OK What’s Changed?
With Windows 10 (Build 1803) SMB1 has been completely disabled. If you try and connect to a device/share that’s using it you will see the same error my client did.
However if you have an earlier build of Windows 10, and you simply let it update, (Including the 1803 July Security update), that will continue to work.
I tried to replicate this on my test network. Like the client, I had a 2008 R2 file server, and connected to it from a new Windows 10 and an old(er) updated Windows 10 machine. Everything worked? In fact, to replicate the client’s error, I had to manually disable SMB2 and force SMB1. That’s strange, I thought, so I checked the client’s server;
As you will discover (below) the DWORD highlighted disables SMB2 and forces the server to use SMB1. Now the server does not ship like this, and I doubt very much anyone did this manually, so where did it come from? Well as an educated guess, the software that runs on this server needs SMB1. (They have some older Linux machines and machinery that logs are collected from).
Solution
As Microsoft says;
Warning: We do not recommend that you disable SMBv2 or SMBv3. Disable SMBv2 or SMBv3 only as a temporary troubleshooting measure. Do not leave SMBv2 or SMBv3 disabled.
So the steps I outline below are so you can actually do some troubleshooting, to see what’s wrong. The third law of engineering states ‘Just because you can do something, does not necessarily mean you should’. That being said, I appreciate we operate in the real world. If your line of business software needs SMB1, you can’t shut down production while the vendor fixes their ‘poorly written, and relying on 30 year old protocol’ code. Or, what you are connecting to might not be a Windows machine at all! It might be an appliance that’s old, with no firmware to update it to SMB2/3, and there’s no budget to replace it.
WARNING: To test this properly, I’d suggest converting this server to a VM and testing on a copy, or cloning the server, (if it’s already virtualised), then you can try out some non-destructive testing, to make sure your applications still work. Ideally start by enabling SMB2 and disabling SMB1 to test.
If your application still works great, ‘you didn’t need SMB1 anyway‘, sit back, light your pipe, and admire your handiwork!
If not, try with both Protocols enabled. (To be fair, security-wise this is just as bad as having SMB1 only, as all the ‘good bits’ in SMB2 can still be bypassed by using SMB1!) But at least (from a user perspective) your new Windows machines will connect via SMB2.
Remember to reboot!
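The test sequence above, written out for a server that is managed through the registry, as 2008 R2 is. This is an added example, not the commands from the original post: it assumes the DWORD in question is the Microsoft-documented SMB2 value under LanmanServer\Parameters, and the function name Get-SmbServerDialectState is made up for illustration.

```powershell
# Added example: run elevated on the (cloned) file server, not in production first.
# Registry method for servers without the Set-SmbServerConfiguration cmdlet.
$key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerDialectState {
    # Hypothetical helper: reports the SMB1 and SMB2 DWORDs.
    # A missing value means the protocol is at its default (enabled); 0 means disabled.
    # Note the SMB2 value controls SMB2 and SMB3 together.
    $params = Get-ItemProperty -Path $key
    foreach ($name in 'SMB1', 'SMB2') {
        $value = $params.$name
        $shown = if ($null -eq $value) { '(not set)' } else { $value }
        New-Object PSObject -Property @{
            Protocol = $name
            Registry = $shown
            Enabled  = ($null -eq $value) -or ($value -ne 0)
        }
    }
}

# Record the starting state so it can be restored on the clone if needed.
Get-SmbServerDialectState | Format-Table Protocol, Registry, Enabled -AutoSize

# Test 1 (the ideal outcome): SMB2 enabled, SMB1 disabled.
Set-ItemProperty -Path $key -Name SMB2 -Type DWord -Value 1 -Force
Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 0 -Force

# Test 2 (only if the application breaks under Test 1): both protocols enabled.
# Set-ItemProperty -Path $key -Name SMB1 -Type DWord -Value 1 -Force

# Confirm what will take effect, then reboot the server before testing clients.
Get-SmbServerDialectState | Format-Table Protocol, Registry, Enabled -AutoSize
```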
When attempting to track Users with FirePOWER, the FMC would not show any usernames?
Solution
There are a lot of reasons this might not work, so let’s take a look at a few of them.
Firstly, make sure the server running the ‘user agent’ is listed under System > Integration > Identity Sources > User Agent.
It probably goes without saying, but over on the server running the user agent, make sure it can see the Domain Controller(s) and the FMC (everything is green).
Make sure your DCs are set up to audit logon events! (I’ve had to do this in local policy directly on the DCs before).
Ensure you have set up a ‘Realm’ for your Active Directory, and it’s enabled. (System > Integration > Realms).
WARNING: In some versions of the FMC there’s a ‘Bug’ that requires you use the NETBIOS name of your domain rather than its full domain name, (as shown in the example on the right).
After you have made the change, ensure you can still download the users and groups. Don’t forget to ‘Save’ the changes, and redeploy the settings.
Make sure you have an ‘Identity Policy’, and that it’s set to discover users by ‘Passive Authentication’, and it’s set to use the ‘Realm’ you created. (Policies > Access Control > Identity).
In your main ‘Access Control Policy’, in at least one of the rules, under ‘Users’, ensure that your ‘Realm’ is selected and added. (Policies > Access Control).
Also, under your ‘Network Discovery’ policy, make sure ‘Users’ has been added.
Then take a look under Analysis > Users > User Activity. Make sure that logon events are getting logged, and mapped to IP addresses.
Once all the boxes are ‘ticked’, users should start appearing.
I always assumed this was either not possible, (without using VMware converter,) or at least very difficult. I downgraded one of my test ESX boxes from 6.5 to 5.5 this week, and needed to lower the hardware versions on some of my VMs accordingly.
Change directory so you are in the right ‘datastore’, locate the VM’s folder, and change to that directory. You are looking for the VM’s .vmx file (shown below in green).
Edit the file using ‘vi’ and locate the virtualHW.version value, here it’s version 11 (ESX 6.0).
Here I’m changing it to version 10 (ESX 5.5).
Then remove the VM from the inventory, navigate to its .vmx file and select ‘Register VM‘.
While replacing a server, I copied over some scripts, (batch files) the client was using to back up some data. I scheduled them on the new server, but noticed they were finishing with a status of 0x1. (and not actually backing anything up!)
Solution
Edit the properties of the job > General Tab > Tick “Run with the highest privileges”.
Note: You can also tick “Do not store password. This task will only have access to local computer resources” if the process is only running on this machine.
Actions > Select the Action and edit it > Change the ‘Start In’ section, so that it points to the folder the script is in > OK > Apply > OK.
Rerun the job and it should complete with a 0x0 status (successful).
Processing {Server-Name} Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘
Failed to prepare guest for hot backup. Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}.amf.local]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘
Error: Failed to connect to guest agent. Errors: ‘Cannot connect to the host’s administrative share. Host: [{Server-Name}.amf.local]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 Cannot connect to the host’s administrative share. Host: [{IP-Address}]. Account: [{Account-Name}]. Win32 error:The user name or password is incorrect. Code: 1326 ‘
Solution
Firstly, make sure the user that you are running the backup job as has the correct rights! Also set it up as DOMAIN-NAME\Username. If you have selected application aware processing, make sure that user has the appropriate rights (or an additional user is added for applications like SQL, Oracle etc.)
Go to the properties of the job, Guest Processing > Credentials.
Select the server producing the error > Set User > Standard Credentials > Select the appropriate user > OK > OK.
Then use the “Test Now” button, and ensure the authentication works correctly.