Forcing Azure AD Connect Sync

KB ID 0001590

Problem

If you are using Azure AD Connect (AAD Connect) to sync your on-premises Active Directory with Azure AD (i.e. for Office 365), there may be times when you need to manually 'force a replication', because by default it's going to take 30 minutes between each normal 'delta replication'.

Solution

If you are directly on the server that's running Azure AD Connect, then use the following PowerShell. If you don't know which server is running AD Connect, then see the following link;

Locate Your Azure AD Connect Server

Firstly you need to add in the correct module, (you only have to do this once). Though the module should be already installed on the Sync server, let’s not tempt fate and check. (You can also use Get-Module to view installed modules).

[box]

Import-Module ADSync

[/box]

Note: If you get an error you may need to run Import-Module "C:\Program Files\Microsoft Azure AD Sync\Bin\ADSync\ADSync.psd1"

Then to Manually Force a Synchronisation;

[box]

To Perform a FULL Sync
Start-ADSyncSyncCycle -PolicyType Initial
To Perform a (Normal) Delta Sync
Start-ADSyncSyncCycle -PolicyType Delta

[/box]

You can view the Sync settings with;

[box]

Get-ADSyncScheduler

[/box]

But I don't like that, I prefer to watch synchronisations going on in the 'Synchronization Service Manager' console, you can spot and troubleshoot errors in here also 🙂

Note: To Troubleshoot Sync errors, see the procedure I use in the following post;

Azure AD Connect: Correct Or Remove Duplicate Values

Force an Azure AD Connect Synchronisation From Another Server

Use the following syntax;

[box]

Invoke-Command -ComputerName AD-Connect-Server-Name -ScriptBlock { 
Import-Module ADSync 
Start-ADSyncSyncCycle -PolicyType Delta 
}

[/box]
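The two snippets above (local and remote) share one failure mode: Start-ADSyncSyncCycle errors out if a sync cycle is already running, and it is easy to forget that the scheduler may be disabled or the server may be in staging mode (where it imports but never exports to Azure AD). The function below is an added example, not code from the original article or from Microsoft; it wraps the article's commands, waits for an in-progress cycle to finish, and can run locally or against a remote sync server. 'AD-Connect-Server-Name' is a placeholder hostname, and the ADSync module is assumed to be installed on the sync server as the article describes.

```powershell
# Added example (not from the original article): force an AAD Connect sync cycle
# only when the scheduler is idle, either on this server or on a remote one.
# Assumptions: ADSync module present on the sync server; remote use needs WinRM.
function Start-SafeADSyncCycle {
    param(
        [ValidateSet('Delta', 'Initial')][string]$PolicyType = 'Delta',
        [string]$ComputerName,            # omit to run on the local sync server
        [int]$TimeoutSeconds = 600        # how long to wait for a running cycle
    )

    $work = {
        param($PolicyType, $TimeoutSeconds)
        Import-Module ADSync -ErrorAction Stop

        $sched = Get-ADSyncScheduler
        if (-not $sched.SyncCycleEnabled) {
            throw 'Scheduler is disabled (SyncCycleEnabled = False); enable it before forcing a sync.'
        }

        # Start-ADSyncSyncCycle fails if a cycle is already running, so wait for it to end.
        $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
        while ((Get-ADSyncScheduler).SyncCycleInProgress) {
            if ((Get-Date) -gt $deadline) {
                throw "A sync cycle was still in progress after $TimeoutSeconds seconds."
            }
            Start-Sleep -Seconds 10
        }

        $result = Start-ADSyncSyncCycle -PolicyType $PolicyType
        [pscustomobject]@{
            Server       = $env:COMPUTERNAME
            PolicyType   = $PolicyType
            Result       = $result.Result
            StagingMode  = $sched.StagingModeEnabled   # True means nothing is exported to Azure AD
            NextCycleUtc = (Get-ADSyncScheduler).NextSyncCycleStartTimeInUTC
        }
    }

    if ($ComputerName) {
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $PolicyType, $TimeoutSeconds
    } else {
        & $work $PolicyType $TimeoutSeconds
    }
}

# Usage:
#   Start-SafeADSyncCycle                                                    # delta sync, this server
#   Start-SafeADSyncCycle -PolicyType Initial -ComputerName 'AD-Connect-Server-Name'
```

A full (Initial) sync re-evaluates every object and can take a long time on a large directory, so the function defaults to Delta; the returned StagingMode value is worth checking, because a successful cycle on a staging server changes nothing in Azure AD.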

Disable and Enable Azure AD Sync

[box]

Disable
Set-ADSyncScheduler -SyncCycleEnabled $False
Enable
Set-ADSyncScheduler -SyncCycleEnabled $True	

[/box]

Related Articles, References, Credits, or External Links

Azure AD Connect: Correct Or Remove Duplicate Values

AAD Contains Another Object With The Same DN

PowerShell: Add All Members of an OU to a Security Group

KB ID 0001589

Problem

I've written in the past about 'Bulk Adding Users from CSV files, into Groups'. But what if you want to add ALL users in a particular OU into a security group?

Solution

The syntax is;

[box]

Get-ADUser -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -Filter * | ForEach-Object {Add-ADGroupMember -Identity 'SG-Test-Group' -Members $_ }

[/box]

Here I’ve got 20 users that need adding to a group, in this example the group’s in the same OU, but it does not have to be;

You will need to close and reopen the group properties for it to refresh its membership.
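Two things about the one-liner above catch people out: Get-ADUser with -SearchBase searches the whole subtree by default (child OUs included, disabled accounts included), and Add-ADGroupMember throws an error for each account that is already a member. The function below is an added example, not the article's own code; it adds only the users that are missing, in a single Add-ADGroupMember call, supports -WhatIf for a dry run, and lets you restrict the search to the OU itself or to enabled accounts. The OU and group names in the usage lines are the article's placeholders.

```powershell
# Added example (not from the original article): add the users of an OU to a group,
# skipping accounts that are already members. Assumes the ActiveDirectory module
# (RSAT) and that the OU / group names are placeholders you replace.
Import-Module ActiveDirectory -ErrorAction Stop

function Add-OUUsersToGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SearchBase,   # e.g. 'OU=Source-OU,OU=PNL,DC=pnl,DC=com'
        [Parameter(Mandatory)][string]$GroupName,    # e.g. 'SG-Test-Group'
        [switch]$IncludeDisabled,                    # default: enabled accounts only
        [switch]$ThisOUOnly                          # default: Subtree, i.e. child OUs too
    )

    $scope  = if ($ThisOUOnly)     { 'OneLevel' } else { 'Subtree' }
    $filter = if ($IncludeDisabled) { '*' }        else { 'Enabled -eq $true' }
    $users  = @(Get-ADUser -SearchBase $SearchBase -SearchScope $scope -Filter $filter)

    # Index the group's current direct members by DN so we only add what is missing.
    $existing = @{}
    Get-ADGroupMember -Identity $GroupName | ForEach-Object { $existing[$_.distinguishedName] = $true }
    $toAdd = @($users | Where-Object { -not $existing.ContainsKey($_.DistinguishedName) })

    if ($toAdd.Count -gt 0 -and $PSCmdlet.ShouldProcess($GroupName, "Add $($toAdd.Count) user(s)")) {
        # One call for the whole list instead of one LDAP write per user.
        Add-ADGroupMember -Identity $GroupName -Members $toAdd
    }

    [pscustomobject]@{
        Group          = $GroupName
        Found          = $users.Count
        Added          = $toAdd.Count
        AlreadyMembers = $users.Count - $toAdd.Count
    }
}

# Usage: dry run first, then for real.
# Add-OUUsersToGroup -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -GroupName 'SG-Test-Group' -WhatIf
# Add-OUUsersToGroup -SearchBase 'OU=Source-OU,OU=PNL,DC=pnl,DC=com' -GroupName 'SG-Test-Group'
```

Run it with -WhatIf the first time: the returned Found/Added counts tell you whether the search scope picked up more accounts than you expected before anything is written to the group.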

Related Articles, References, Credits, or External Links

NA

Azure AD Connect: Correct Or Remove Duplicate Values

KB ID 0001588

Problem

I was doing some work for a School recently, their staff were already using Office 365 and their tenancy was all setup. Now they wanted to roll Office 365 out to the pupils, and sync to their on premises Active Directory.

Now we could have simply excluded the staff from the Azure AD Connect Sync, but they want to manage their passwords etc. on-premises. Microsoft will tell you if you DON’T have an on-premises Exchange (they didn’t), then you simply need to enter the correct email address on the user object and the correct accounts will match up and sync, however they did not, this happened instead;

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[{"Key":"ObjectId","Value":["6ef8d8d0-2893-4d46-83e3-bf819ea607d2"]},{"Key":"ObjectIdInConflict","Value":["56a72044-de5b-43ce-82b1-edb82c80395e"]},{"Key":"AttributeConflictName","Value":["ProxyAddresses"]},{"Key":"AttributeConflictValues","Value":["SMTP:username@domain-name.com"]}]

OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but not the same AD attribute. But changing that didn’t fix the problem either?

Solution

Well we are syncing on-premises Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)

Within Office 365 Admin > Admin Centers > Azure Active Directory.

Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.

Sync errors.

Duplicate Attribute.

Select the affected user(s) > Troubleshoot.

Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.

Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.

Related Articles, References, Credits, or External Links

AAD Contains Another Object With The Same DN

macOS: Find your DHCP Server Address

KB ID 0001587

Problem

In Windows this is easy to find, 'ipconfig /all' will tell you 🙂 On macOS it's not so simple.

Solution

First you need to know which network card we are talking about! Your wireless network card is nearly always en0 (that’s a zero), if you are on a wired connection simply run ifconfig and find the right network card.

To double check, you can run;

[box]

ipconfig getifaddr en0

[/box]

Then to see your DHCP server address, issue the following command;

[box]

ipconfig getpacket en0

[/box]

Look for the value of server_identifier; this is the DHCP server's address.

Related Articles, References, Credits, or External Links

NA

PowerCLI: vMotion Multiple VMs

KB ID 0001585

Problem

vMotioning one VM is pretty simple to do;

[box]

Get-VM VM1 | Move-VM -Destination (Get-VMHost ESX-02.pnl.com)

[/box]

And moving ALL the VMs on one host, to another is pretty straight forward also;

[box]

Get-VMHost ESX-01.pnl.com | Get-VM | Move-VM -Destination (Get-VMHost ESX-02.pnl.com)

[/box]

But what if you have a list of VMs you want to move, and you are too lazy (sorry, too skilled) to do them manually or one at a time?

Solution

Firstly get your VMs into a CSV file, in this example I'm only going to use two, drop their names into a column headed 'Name'.

Then use the following PowerCLI;

[box]

Import-Csv C:\Temp\VMs.csv | Foreach {Get-VM $_.Name | Move-VM -Destination (Get-VMHost ESX-02.pnl.com)}

[/box]
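The one-liner above stops being convenient the moment a VM name in the CSV is misspelt, or a VM is already on the target host, because Get-VM just errors and the pipeline carries on without telling you what happened to which VM. The function below is an added example and not the article's own PowerCLI; it reads the same CSV layout (a 'Name' column), checks the target host is connected, skips missing or already-placed VMs, and returns one status row per VM. The host name and CSV path are the article's placeholders, and an existing Connect-VIServer session is assumed.

```powershell
# Added example (not from the original article): vMotion every VM named in a CSV
# to one host and report per-VM results. Assumes PowerCLI is loaded and you are
# already connected with Connect-VIServer; names/paths below are placeholders.
function Move-VMsFromCsv {
    param(
        [Parameter(Mandatory)][string]$CsvPath,      # e.g. C:\Temp\VMs.csv, column 'Name'
        [Parameter(Mandatory)][string]$TargetHost    # e.g. ESX-02.pnl.com
    )

    $dest = Get-VMHost -Name $TargetHost -ErrorAction Stop
    if ($dest.ConnectionState -ne 'Connected') {
        throw "Target host $TargetHost is $($dest.ConnectionState); refusing to migrate onto it."
    }

    foreach ($row in Import-Csv -Path $CsvPath) {
        $name = "$($row.Name)".Trim()
        if (-not $name) { continue }                   # blank line in the CSV

        $vm = Get-VM -Name $name -ErrorAction SilentlyContinue
        if (-not $vm) {
            [pscustomobject]@{ VM = $name; Status = 'NotFound'; Host = $null }
            continue
        }
        if ($vm.VMHost.Name -eq $dest.Name) {
            [pscustomobject]@{ VM = $name; Status = 'AlreadyOnTarget'; Host = $dest.Name }
            continue
        }

        try {
            # Synchronous move; add -RunAsync if you would rather queue them all and watch the tasks.
            $moved = Move-VM -VM $vm -Destination $dest -Confirm:$false -ErrorAction Stop
            [pscustomobject]@{ VM = $name; Status = 'Moved'; Host = $moved.VMHost.Name }
        } catch {
            # e.g. incompatible CPU, insufficient resources, or a vMotion network problem
            [pscustomobject]@{ VM = $name; Status = "Failed: $($_.Exception.Message)"; Host = $vm.VMHost.Name }
        }
    }
}

# Usage:
#   Move-VMsFromCsv -CsvPath C:\Temp\VMs.csv -TargetHost ESX-02.pnl.com | Format-Table -AutoSize
```

Piping the output to Export-Csv gives you a record of which VMs actually moved, which is handy when the list came from someone else and you need to report back.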

Then have a coffee, or stare out of the window while your work is done for you 🙂


Related Articles, References, Credits, or External Links

NA

VMware Converter Slow!

KB ID 0001584

Problem

I was P2Ving a server for a client this week. I did a ‘trial run’ just to make sure everything would be OK, and got this;

Yes, that says 13 days and 29 minutes! Suddenly doing this at 1700hrs on a Friday became a moot point! (Note: I was using VMware vCenter Converter Standalone version 6.2)

Solution

At first I assumed this was a network problem, so I moved everything onto the same Gigabit switch, and made sure all the NICs were connected at 1Gbps. Still no improvement. I then shut down as many services on the source machine as I could, still it was terribly slow 🙁

Firstly, make sure Concurrent Tasks, and Connections per Task are set to ‘Maximum’.

Then locate the converter-worker.xml file and edit it;

Usually located at "C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml"

Note: ProgramData is, (by default) a hidden folder!

Locate the section <useSsl>true</useSsl>, change it to <useSsl>false</useSsl>, then save and exit the file. Be aware that this turns off encryption of the data transfer between the source machine and the destination, so only do it across a network you trust, and set it back to true once the conversion has finished.

Then restart the ‘VMware vCenter Converter Standalone Worker‘ service.
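Because this change disables SSL for the worker, it is worth making it in a way that is easy to reverse. The function below is an added example (not VMware's code and not from the original article): it backs up converter-worker.xml, flips the <useSsl> value in either direction, restarts the worker service by the display name given above, and reports the before/after values. It assumes the default file location from the article and that you run it as an administrator on the machine where Converter Standalone is installed.

```powershell
# Added example (not from the original article): toggle <useSsl> in the Converter
# worker config with a backup, then restart the worker service.
# Assumes the default ProgramData path named in the article.
$WorkerXml = 'C:\ProgramData\VMware\VMware vCenter Converter Standalone\converter-worker.xml'

function Set-ConverterWorkerSsl {
    param([Parameter(Mandatory)][bool]$Enabled)

    if (-not (Test-Path -LiteralPath $WorkerXml)) {
        throw "Not found: $WorkerXml (ProgramData is a hidden folder by default)."
    }

    # Keep a timestamped copy so the original file can always be put back.
    $backup = "$WorkerXml.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
    Copy-Item -LiteralPath $WorkerXml -Destination $backup

    $xml  = [xml](Get-Content -LiteralPath $WorkerXml -Raw)
    $node = $xml.SelectSingleNode('//useSsl')     # path-agnostic: find the element wherever it sits
    if (-not $node) {
        throw 'No <useSsl> element found; the file layout differs from what this example assumes.'
    }

    $before = $node.InnerText
    $node.InnerText = $Enabled.ToString().ToLower() # the file uses lower-case 'true' / 'false'
    $xml.Save($WorkerXml)

    # The worker only reads the file at start-up.
    Restart-Service -DisplayName 'VMware vCenter Converter Standalone Worker' -Force

    [pscustomobject]@{ Before = $before; After = $node.InnerText; Backup = $backup }
}

# Usage:
#   Set-ConverterWorkerSsl -Enabled $false   # before the P2V: transfers are now unencrypted
#   Set-ConverterWorkerSsl -Enabled $true    # after the P2V has completed
```

Calling it a second time with -Enabled $true at the end of the job leaves the worker back in its default, encrypted state without having to remember which file you edited.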

Boom! That’s better.

Related Articles, References, Credits, or External Links

NA

VMware Converter ‘Unable to Connect to the Network Share’

KB ID 0001583

Problem

I don't think I've ever run the VMware Standalone Converter without at least one error message or popup complaining about something! Today I was trying to convert a client's old Windows Server 2003 document management server, and when trying to deploy the agent this happened;

Unable to connect to the network share '{Server-name-or-IP}\ADMIN$'.

Solution

It’s a pretty descriptive error, can you map a drive to this machine and open a network share manually? Is the ‘server service’ running? In my case the problem was easily diagnosed;

As I wasn't about to start enabling SMBv1 on the client's Windows 2019 server! So I simply installed the VMware Standalone Converter on one of their existing 2008 member servers instead, and ran it from there.

Related Articles, References, Credits, or External Links

SMB1 Is Dead? (Unfortunately Not Yet)

VMware Converter – Unable to Deploy Agent

Cisco ASA: NAT 2 Public IPs to 1 Private IP

KB ID 0001582

Problem

I got asked today if this could be done. My first response was 'why?' I can't really think of a use case for this. But a client had this on their previous firewall and were migrating to a virtual ASA, and wanted the config replicating.

So I built something like this;

Solution

To be fair, my first thought was 'why not simply add an additional internal IP to the web server, and NAT the second public IP to that?'. That was my reserve answer, if it didn't work!

Turns out it was pretty easy, I had the following working quite quickly;

[box]

!
object network OBJ-Web-Host-Public
 range 198.51.100.2 198.51.100.3
!
object network OBJ-Web-Host-Private
 host 192.168.100.10
 nat (inside,outside) static OBJ-Web-Host-Public
!
access-list inbound line 1 extended permit tcp any object OBJ-Web-Host-Private eq www
!

[/box]

Note: Change the ACL name inbound to match your incoming access-list.

Feeling pleased with myself I went over, to help get it deployed. But there was a problem, the public IP addresses in the clients case were not sequential (contiguous). So I thought I’d simply create an object group and put two hosts in it and use that instead, but that did not work 🙁

I didn’t think creating two NAT statements would work, as the second one would complain it overlaps with the first one, surely? Well no it didn’t, and it worked fine.

[box]

!
object network OBJ-Web-Host-1
 host 192.168.110.14
 nat (inside,outside) static 198.51.100.11
!
object network OBJ-Web-Host-2
 host 192.168.110.14
 nat (inside,outside) static 198.51.100.33
!
access-list inbound line 1 extended permit tcp any object OBJ-Web-Host-1 eq www
access-list inbound line 2 extended permit tcp any object OBJ-Web-Host-2 eq www
!

[/box]

Every day's a school day! Sometimes the simplest answer is staring you in the face.

Related Articles, References, Credits, or External Links

NA

Mailbox Move ‘StalledDueToMailboxLock’

KB ID 0001581

Problem

I was doing a migration from Exchange 2007 (on prem) to Exchange 2013 (on prem), this week. I had a number of mailboxes that were ‘StalledDueToMailboxLock‘.

Solution

Nice easy fix, on the Source and Destination Exchange servers, restart the 'Microsoft Exchange Mailbox Replication Service'.

Won't this break my mailboxes? No, it will interrupt the migration process, (which is already stalled). But the actual 'Live' mailbox remains on the 'Source Server' until the process is successfully completed anyway.

It can take a few minutes, (time for a coffee) but check and the process should now have resumed ‘CopyingMessages‘.
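To save restarting the service on servers that don't need it, and to save refreshing the console by hand, the function below is an added example (not the article's own steps in code form, and not a Microsoft script): run from the Exchange Management Shell on the 2013 side, it finds the move requests whose StatusDetail is StalledDueToMailboxLock, restarts the Mailbox Replication service (service name MSExchangeMailboxReplication) only on the source and target servers those moves name, and then polls until they report CopyingMessages or a timeout passes. It assumes the statistics expose the SourceServer and TargetServer properties and that WinRM is available to the servers involved.

```powershell
# Added example (not from the original article): restart the Mailbox Replication
# service on the servers of stalled moves and wait for them to resume.
# Assumes the Exchange Management Shell (Get-MoveRequest etc.) and WinRM access.
function Repair-StalledMoveRequests {
    param([int]$WaitMinutes = 10)

    $stalled = @(Get-MoveRequest -MoveStatus InProgress | Get-MoveRequestStatistics |
                 Where-Object { $_.StatusDetail -eq 'StalledDueToMailboxLock' })
    if ($stalled.Count -eq 0) {
        Write-Host 'No move requests are stalled on a mailbox lock.'
        return
    }

    # Source and target server of every stalled move, deduplicated.
    $servers = $stalled | ForEach-Object { $_.SourceServer; $_.TargetServer } |
               Where-Object { $_ } | Sort-Object -Unique
    foreach ($srv in $servers) {
        Write-Host "Restarting MSExchangeMailboxReplication on $srv"
        Invoke-Command -ComputerName $srv -ScriptBlock {
            Restart-Service -Name MSExchangeMailboxReplication -Force
        }
    }

    # Poll the same mailboxes until they are copying again (or we give up).
    $deadline = (Get-Date).AddMinutes($WaitMinutes)
    do {
        Start-Sleep -Seconds 30
        $now = $stalled | ForEach-Object { Get-MoveRequestStatistics -Identity $_.MailboxIdentity }
        $stillStalled = @($now | Where-Object { $_.StatusDetail -eq 'StalledDueToMailboxLock' })
        Write-Host ("{0} of {1} still stalled" -f $stillStalled.Count, $stalled.Count)
    } while ($stillStalled.Count -gt 0 -and (Get-Date) -lt $deadline)

    $now | Select-Object DisplayName, StatusDetail, PercentComplete, SourceServer, TargetServer
}

# Usage: Repair-StalledMoveRequests | Format-Table -AutoSize
```

If anything is still stalled when the function returns, the same mailbox is probably locked by something other than the move (an open Outlook session or a backup agent are the usual suspects), and the per-mailbox output tells you which one to look at.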

Related Articles, References, Credits, or External Links

NA

Virtualising Hyper-V ‘Validation Fails’

KB ID 0001580

Problem

Normally if you saw this error, it would mean that you didn't have the advanced virtualisation extensions turned on in the physical machine's BIOS. But here I'm installing Hyper-V inside a VM running in a vSphere/ESX environment;

Validation Results
The validation process found problems on the server which you want to install features. The selected features are not compatible with the current configuration of your selected server. Click OK to select different features.

Hyper-V cannot be installed: The processor does not have required virtualisation capabilities.

Solution

The VM in question needs to be ‘Powered Off’. Then edit its settings > VM Options > Expand CPU > Hardware virtualisation > Tick “Expose hardware assisted virtualisation to the guest” > OK.

Power on the VM, and then install the Hyper-V role.

Virtualising Hyper-V on Hyper-V

You need to expose the underlying virtualisation extensions on Hyper-V as well, with the following command;

[box]

Set-VMProcessor -VMName "server-name" -ExposeVirtualizationExtensions $true

[/box]

You also need to enable ‘MAC Spoofing’ on the advanced settings of the network card of the VM.
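Both settings above only apply while the VM is powered off, and the MAC spoofing step is the one that gets forgotten (the nested VMs then have no network). The function below is an added example, not the article's own command or Microsoft's: run on the Hyper-V host, it refuses to continue unless the VM is off, exposes the virtualisation extensions with the article's Set-VMProcessor command, turns MAC address spoofing on for every network adapter of the VM with Set-VMNetworkAdapter, and reads both settings back. 'server-name' is the article's placeholder VM name.

```powershell
# Added example (not from the original article): prepare a Hyper-V VM to run Hyper-V
# itself. Assumes the Hyper-V PowerShell module on the host and an elevated shell;
# 'server-name' is a placeholder.
function Enable-NestedHyperV {
    param([Parameter(Mandatory)][string]$VMName)

    $vm = Get-VM -Name $VMName -ErrorAction Stop
    if ($vm.State -ne 'Off') {
        # Set-VMProcessor refuses to change a running VM, so fail early with a clear message.
        throw "$VMName is $($vm.State); shut it down first (Stop-VM -Name '$VMName')."
    }

    # Same setting the article applies by hand.
    Set-VMProcessor -VMName $VMName -ExposeVirtualizationExtensions $true

    # Nested guests send frames with their own MAC addresses through the outer VM's NIC,
    # which the host drops unless spoofing is allowed on that adapter.
    Get-VMNetworkAdapter -VMName $VMName | Set-VMNetworkAdapter -MacAddressSpoofing On

    # Read both settings back rather than assuming they took.
    [pscustomobject]@{
        VM                             = $VMName
        ExposeVirtualizationExtensions = (Get-VMProcessor -VMName $VMName).ExposeVirtualizationExtensions
        MacAddressSpoofing             = @(Get-VMNetworkAdapter -VMName $VMName | ForEach-Object { $_.MacAddressSpoofing })
    }
}

# Usage:
#   Enable-NestedHyperV -VMName 'server-name'
#   Start-VM -Name 'server-name'      # then install the Hyper-V role inside the VM
```

Allowing MAC spoofing is a per-adapter relaxation of the host's port security, so apply it only to the nested-virtualisation VM rather than to every VM on the host.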

Related Articles, References, Credits, or External Links

NA