Exchange 2019 Migration from Exchange 2016

KB ID 0001472

Exchange 2019 Migration

If Exchange 2016 was Exchange 2013 in a pretty dress, then with Exchange 2019 it’s simply added a hat. In the past, every third Exchange release was a major rebuild, but Exchange 2016 is simply Exchange version 15.1 (Exchange 2013 was 15.0 and Exchange 2016 is version 15.1).

So the Exchange 2019 Migration is pretty much the same as it was from 2013 > 2016, or even 2016 > 2016. 

  •  There should be NO Exchange 2010 servers in existence before deploying Exchange 2019. You would need to upgrade to 2013 (CU21 minimum)/2016 (CU 11 minimum) first.
  • There’s no Unified Comms Role with Exchange any more! If you need to upgrade look at Microsoft Teams.
  • Forest Functional Levels should be, (at least) Server 2012 R2.
  • WARNING: Memory recommendations are 128GB (Mailbox server) and 64GB (Edge Transport server). Make sure you have enough compute!
  • Edge Server Role is still supported.
  • Windows Server Core (2019/2022) is supported with Exchange 2019.
  • Windows Server Nano is NOT supported.
  • Windows Server 2019 (Standard or Datacenter) and Windows Server 2022 (Standard or Datacenter; Exchange 2019 CU 12 minimum) are supported host operating systems.
  • Outlook 2013 (and newer), and Outlook for Mac 2016 (and newer) are supported.

Solution

As with all Exchange migrations make sure your Active Directory Domain/DNS/Existing Exchange organisation is healthy before you start. Then upgrade the existing Exchange to the latest cumulative update.

Exchange 2019 Prerequisites

You will need your Server 2012R2 or Server 2016 server fully updated and added to your domain. Then, to add the required roles and services, use the following PowerShell commands for Server 2012, 2016 and 2019;

Server 2016 / 2012 R2

[box]Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS[/box]

Server 2019

[box]Install-WindowsFeature NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation, RSAT-ADDS[/box]

Now Required on Server 2012 R2, 2016, and 2019: You will need to install .Net 4.8 (link).

Server 2022: .Net 4.8 is already included in Server 2022!

You need to install the MS Unified Communications API 4.0 (link).

You will also need to install Microsoft Visual C++ (link)

You will also now have to install the ‘IIS Rewrite Module’ (link)

Either download the Exchange 2019 install media, or insert the Exchange 2019 DVD, and launch setup.exe > Next > Next > Files will be copied over.

Don’t I need to extend the schema, forest or domain? The setup does all this for you, you don’t need to do this manually anymore, (yes you can manually do this before installing, if you want to, but unless your schema master is in a different root domain, or you’re not a schema admin, then I don’t see the point!)

Introduction Page > Next > At the EULA tick “I Accept…” > Next > Tick “Use Recommended settings” > Next.

Select ‘Mailbox role’, and ‘Automatically install Windows Server roles and features…” > Next > Select the install directory, Note: In production you probably DON’T want this on the Windows System drive > Next > Unless you have a reason to disable Malware scanning then select ‘No’ > Next.

Readiness Checks > Fix any Errors and heed any warnings > Install > The product will install, this will take a long time!

Finish > Reboot the server.

And there’s our new Exchange 2019 Server.

Exchange 2019 Enter Product Key

Servers > Servers > Select the 2019 Exchange Server > Enter Product Key  > Save

Note: On the pre-release version of Exchange 2019, the Exchange 2016 keys worked fine.

At the warning click OK.

Note: You can also enter the product key using the Command Shell, if you prefer.

[box]

Set-ExchangeServer {Host-name} -ProductKey 12345-12345-12345-12345-12345

[/box]

As directed Restart the ‘Microsoft Exchange Information Store’ service.

[box]Restart-Service MSExchangeIS[/box]

Transfer Exchange Certificate to Exchange 2019

Note: The ability to Export, Import & Renew certificates and creation/completion of certificate requests has been removed from the Exchange Admin Center. These changes will affect all cumulative update (CU) releases of Microsoft Exchange Server 2019 (CU12 and later) and Microsoft Exchange Server 2016 (CU23 and later).

I will leave the older (GUI) method below for completeness, but all modern Exchange builds will need you to open the Exchange Management Shell and perform the certificate migration via PowerShell.

Transfer Certificates (PowerShell)

On your C: drive create a new folder called CERT > Open an Administrative Exchange Management Shell window on the SOURCE Exchange server.

[box]

Get-ExchangeCertificate -Server {Server-Name}

[/box]

Identify the certificate you require (by Subject) > Copy the Thumbprint text > Replace the thumbprint in this text with your thumbprint, then execute the following two  commands.

[box]

$Cert = Export-ExchangeCertificate -Thumbprint 4896265B267C38D39314121C7C6550C6E4DD23AB -BinaryEncoded -Password (ConvertTo-SecureString -String 'PASSWORD' -AsPlainText -Force)

[System.IO.File]::WriteAllBytes('\\New-Server-Name\C$\CERT\CertEx.pfx', $Cert.FileData)

[/box]

Remember you will need to enable the certificate for the correct services also e.g.

[box]

Get-ExchangeCertificate -Server {New-Server-Name}

# Copy the thumbprint of the certificate from the output above

Enable-ExchangeCertificate -Thumbprint {Thumb-Print} -Services IIS,SMTP

[/box]
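The import on the target server, with checks before the services are assigned, as an added example that is not from the original article. It assumes the PFX was written to C:\CERT\CertEx.pfx by the export above; `$expectedThumbprint` holds the sample thumbprint from the export command and must be replaced with your own.

```powershell
# Added example (not from the original article).
# Run in an elevated Exchange Management Shell on the NEW (target) Exchange server.

$pfxPath            = 'C:\CERT\CertEx.pfx'                          # file written by the export step
$expectedThumbprint = '4896265B267C38D39314121C7C6550C6E4DD23AB'    # sample value from the export command; use yours

# Prompt for the PFX password so it does not end up in shell history or a transcript.
$pfxPassword = Read-Host -Prompt 'PFX password' -AsSecureString

# -FileData takes the PFX content as a byte array read from the local file.
$imported = Import-ExchangeCertificate -FileData ([System.IO.File]::ReadAllBytes($pfxPath)) -Password $pfxPassword

# Confirm the right certificate arrived, with its private key, and is still in date.
if ($imported.Thumbprint -ne $expectedThumbprint) {
    throw "Imported thumbprint $($imported.Thumbprint) does not match the exported certificate."
}
$cert = Get-ExchangeCertificate -Thumbprint $imported.Thumbprint
if (-not $cert.HasPrivateKey) { throw 'Certificate was imported without its private key.' }
if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate expired on $($cert.NotAfter)." }

# Assign the services, then show the result.
Enable-ExchangeCertificate -Thumbprint $cert.Thumbprint -Services IIS,SMTP
Get-ExchangeCertificate -Thumbprint $cert.Thumbprint | Format-List Subject, NotAfter, Services

# The PFX contains the private key; remove the transfer copy once the import is confirmed.
Remove-Item -Path $pfxPath
```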

Transfer Certificates (Exchange Admin Centre {Older build versions only})

I’m using a wildcard certificate so I want to export the cert from my Exchange 2016 server and import it onto my new Exchange 2019 Server. You will want to do the same if you have a certificate with your public domain name on it and this will be your ‘internet facing’ Exchange server. Servers > Certificates > Select the Exchange 2016 Server, in the drop down menu > Select The Certificate > Click the ellipsis (three dots) > Export Exchange Certificate > Supply a UNC path and password > OK.

Change the Dropdown to the Exchange 2019 Server > Click the ellipsis > Import Exchange Certificate > Supply the UNC path and password you used (above) > Next.

Add in the Exchange 2019 Server > Finish.

Exchange 2019 Assign Services to Certificate

Select the newly imported certificate > Edit > Services > Select the services > Save > Note: Here I’m selecting SMTP and IIS. (You can’t use a wildcard cert for IMAP, POP).

Exchange 2019 Changing the Exchange Web Services URLs

Exchange relies heavily on web based services, and it needs the URLs setting accordingly. (Remember, for Outlook Anywhere/OWA etc. you might need to change firewall settings or repoint load balancers, WAP servers etc. to the NEW 2019 server, and let it proxy these connections to the older Exchange servers while they still exist.)

[box]

Get-WebServicesVirtualDirectory -Server EXCH-2019 | Set-WebServicesVirtualDirectory -InternalUrl https://mail.domainx.com/ews/exchange.asmx -ExternalURL https://mail.domainx.com/ews/exchange.asmx

Set-OWAVirtualDirectory -identity "EXCH-2019\owa (Default Web Site)" -InternalURL https://mail.domainx.com/owa -ExternalURL https://mail.domainx.com/owa

Get-OABVirtualDirectory -Server EXCH-2019 | Set-OABVirtualDirectory -InternalURL https://mail.domainx.com/OAB -ExternalURL https://mail.domainx.com/OAB

Get-ECPVirtualDirectory -Server EXCH-2019 | Set-ECPVirtualDirectory -InternalURL https://mail.domainx.com/ECP -ExternalURL https://mail.domainx.com/ECP

Get-MAPIVirtualDirectory -Server EXCH-2019 | Set-MAPIVirtualDirectory -InternalURL https://mail.domainx.com/MAPI -ExternalURL https://mail.domainx.com/MAPI -IISAuthenticationMethods NTLM,Negotiate

Get-ActiveSyncVirtualDirectory -Server EXCH-2019 | Set-ActiveSyncVirtualDirectory -InternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync -ExternalURL https://mail.domainx.com/Microsoft-Server-ActiveSync

Set-OutlookAnywhere -identity "EXCH-2019\RPC (Default Web Site)" -ExternalHostname mail.domainx.com -InternalHostname mail.domainx.com -InternalClientsRequireSSL $true -ExternalClientsRequireSsl $true -ExternalClientAuthenticationMethod:NTLM

Set-ClientAccessService -Identity EXCH-2019 -AutoDiscoverServiceInternalUri https://mail.domainx.com/Autodiscover/Autodiscover.xml

[/box]

Exchange 2019 Rename Mailbox Database

Servers > Databases > Exchange always gives databases annoying names > Select the Database on the 2019 Exchange Server > Edit > Rename it  > Save.

Note: The path to the Database retains the original name (we will fix that in the next step).

Exchange 2019 Migration Move Mailbox Database

I’m pretty old school, I like my Exchange databases on their own drive/partition, and I like the logs on another drive/partition. To move both the Database and the Logs;

[box]Move-DatabasePath -Identity Database-Name -EdbFilePath X:\Folder\Database\Database-Name.edb -LogFolderPath L:\Folder\Log-Folder\[/box]

Add Exchange 2019 to the Send Connector

Mail Flow > Send Connectors > Select your mail SMTP connector(s) > Edit > Scoping > Source Server section > Add > Add in the new server > OK > Save.

Note: The Exchange server will now need to have TCP port 25 (SMTP) open outbound on your corporate firewall.

Hybrid (On-Prem) Exchange Migration Note

If your on-premise Exchange is part of an Office 365 Hybrid deployment you will need to add the new server to the ‘scope’ for that connector also!

Decommission Exchange 2016

From this point forward we are going to start getting rid of our Exchange 2016 server, they can of course coexist, (if you wanted to wait a while).

For that reason I change the ‘mail flow’ on the firewall to point to the new Exchange server at this point, and the HTTP access for OWA, Outlook Anywhere, and Phone/Tablet access.

Exchange 2019 Mailbox Migration

Yes you can do this in the EAC, but I prefer to do this in PowerShell. But If I don’t put this here, I’ll get emails! Recipients > Migration  > Add > Move to a different Database > Add in the mailboxes/users > Next.

Give the ‘Batch’ a name > Select to move Archive mailboxes (if you have them) > Select the destination (Exchange 2019) Database > Again if using archive mailboxes, select the target archive mailbox database > Set the bad Item limit to 99 > Next > Select Automatically Start > Select Automatically Finish > New. 

From this point, this is where I don’t like the EAC, it takes AGES to update with progress! From the Exchange Shell you can get an up to date view of what is going on!

[box]Get-MoveRequest | Get-MoveRequestStatistics[/box]

For a better list of commands for moving user mailboxes, and monitoring the migration, and removing the move requests when you are finished, see the following article;

Exchange: PowerShell Commands

 

Migrating Exchange System Mailboxes

Before you start issue the following command;

[box]Set-AdServerSettings -ViewEntireForest $true[/box]

In addition to the user mailboxes there are a multitude of different ‘System mailboxes’ that might be hanging around, before we can get rid of the Exchange 2016 Database we need to migrate those.

Firstly AuditLog Mailboxes

[box]Get-Mailbox -AuditLog -Database "Mailbox-Database-2016"

# If there are any, move them:

Get-Mailbox -AuditLog -Database "Mailbox-Database-2016" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Then Arbitration Mailboxes

[box]# -Arbitration on its own selects the arbitration (system) mailboxes
Get-Mailbox -Database "Mailbox-Database-2016" -Arbitration

# If there are any, move them:

Get-Mailbox -Database "Mailbox-Database-2016" -Arbitration | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Then Monitoring Mailboxes

[box]Get-Mailbox -Monitoring -Server "Mail-2016"

# If there are any, move them:

Get-Mailbox -Monitoring -Server "Mail-2016" | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Make sure there are no archive mailboxes;

[box]# -Archive lists the mailboxes that have an archive on this database
Get-Mailbox -Database "Database-Name" -Archive[/box]

If there are, move them, (as above.)

Also find any Discovery mailboxes, and move them to 2019;

[box]Get-Mailbox DiscoverySearchMailbox* | New-MoveRequest -TargetDatabase "Mailbox-Database-2019"[/box]

Migrating Public Folder Mailboxes

Remember after Exchange 2013 these are just mailboxes! You can move them like any other mailbox 🙂

Delete Exchange 2016 Database(s)

When you are 100% sure there’s nothing left on the old database(s) remove them;

[box]Get-MailboxDatabase -Identity "Mailbox-Database-2016" | Remove-MailboxDatabase[/box]

Uninstall Exchange 2016

Your install directory may not be on the C: drive so change your path accordingly;

[box]cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"

setup.exe /mode:uninstall[/box]

At this point make sure your backup/replication software is pointed to the new Exchange 2019 Server.

 

Note: If you are running an On-Premise Exchange in Hybrid mode, and post migration if you have any mail flow problems see the following article;

No Mail Flow On-Premise To/From Office 365

Related Articles, References, Credits, or External Links

NA

Duo: Migrate from LDAP to LDAPS

KB ID 0001647

Problem

With the impending ‘turning off’ of cleartext LDAP queries to Windows Server, I wanted to make sure my new Duo deployments were already using LDAPS. I got LDAP deployed very quickly and easily, but making the ‘swap’ to LDAPS proved to be massively problematic.

Normally I find Duo a pleasure to deploy, but their technical documentation just confused me for this and I went running up some blind alleys, and eventually ended up logging a call to Duo to try to get it working. So to save you this pain, read on.

Solution

Firstly your domain controller(s) need to be setup to accept LDAPS queries, SORT THAT OUT FIRST. I’ve covered that in the following post;

Get Ready for LDAPS Channel Binding

In the following section I’ll assume you have LDAP already setup on your Duo ADSync, if this is a new deployment, and you are going straight to LDAPS, then you can ignore this next section.

Duo Existing LDAP AD Sync

It goes without saying, (but I’ll say it anyway,) your ADSync should already be connected, if you’re switching from LDAP!

So your domain controller(s) will be using TCP port 389.

Your transport type will be set to ‘Clear’.

Duo Deploy LDAPS for ADSync

The first thing that held me up was reading the Duo documentation, and wondering what I needed to add to my authproxy.cfg file! The truth is;

YOU DON’T NEED TO ADD ANYTHING TO AUTHPROXY.CFG!!

Here’s a copy of mine for reference, you ONLY need the sections highlighted, the additional section on mine was for my Cisco ASA RADIUS client;

Rights and Permissions for Duo Service Account

Note: By default the Duo service on your Duo Auth Proxy server will be running under the LOCAL SYSTEM ACCOUNT. I had problems using this account, so I used the service account specified in the authproxy.cfg file. But there are some rights you need to assign to the account first. On the Auth Proxy server, run secpol.msc > Security Settings > Local Policies > User Rights Assignment > Log on as a service > Add User or Group > Add in your Duo service account.

 

All domain users should have the following right, but let’s take a ‘belt and braces’ approach! On a domain controller open ‘Active Directory Users and Computers’ > Right click your domain > Properties > Security > Advanced.

Add in the Duo service account, and grant;

  • List contents
  • Read all properties
  • Read properties

Note: They will probably, already be selected.

Finally: Add the Duo service account to the LOCAL ADMINISTRATORS group on the Duo Auth Proxy server, (Server Manager > Tools > Computer Management).

You can now open the services console and change the account the service runs under, to the Duo Service account, (Windows Key + R > services.msc > OK > Locate ‘Duo Authentication Proxy Service’ > Properties > Log On > Change the account to your service account and enter the password.) Then RESTART THE SERVICE.

Change Duo ADSync to LDAPS

To do this you are going to need a copy of your Root CA certificate (in PEM format). If you have Microsoft Certificate services make sure you get a copy of the Root CA cert in Base 64 format, (if you don’t, when you open the Certificate with Notepad, it will look like gobbledegook!)

Open your Cert with a text editor, and it should look a bit like this, copy that, (with no additional spaces on the end!) To the clipboard, you will need to paste it into the Duo Admin Panel in a minute.

In the Duo Admin Portal > Users > Directory Sync > Active Directory > ADSync > Change the port on your Domain controllers to 636 (That’s LDAPS TCP Port 636, so it needs to be open on any firewalls between the Duo Auth Proxy, and the domain controllers!)

Go to Transport Type > Change to LDAPS > Paste in your CA Certs PEM information into the ‘SSL CA Certs’ Section > Save Directory.

Why didn’t you tick ‘SSL Verify Hostname’? Simply because it fails when I do that, I’m assuming the common name on the LDAPS cert on my domain controllers is the hostname of the DC, and not its FQDN, so I needed to leave this unticked.

All being well it should say connected.

Troubleshooting Duo LDAPS

Duo have a tool that will check your domain controller certificates are OK. It’s called acert.exe or you can enable debugging, or use the connectivity tool.
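To see why ‘SSL Verify Hostname’ passes or fails, you can read the names on the certificate a domain controller presents on TCP 636. This is an added example, not part of the original article or a Duo tool; the function name, the sample server name, and the English-locale ‘DNS Name=’ text used to parse the SAN extension are assumptions.

```powershell
# Added example (not from the original article or from Duo).
# Reads the LDAPS certificate a DC presents and reports whether the name you
# configured for that DC appears in it (SAN first, then subject CN).
function Get-LdapsCertificateNames {
    param(
        [Parameter(Mandatory)][string]$Server,   # the name exactly as entered for the DC in Directory Sync
        [int]$Port = 636
    )
    $client = New-Object System.Net.Sockets.TcpClient
    $ssl = $null
    try {
        $client.Connect($Server, $Port)
        # Accept whatever is presented: the goal here is to read the certificate, not to trust it.
        $acceptAny = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream -ArgumentList $client.GetStream(), $false, $acceptAny
        $ssl.AuthenticateAsClient($Server)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $ssl.RemoteCertificate

        $cn = $cert.GetNameInfo('SimpleName', $false)
        # Subject Alternative Name extension (OID 2.5.29.17); text format assumed to be English Windows.
        $sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
        $sanText  = if ($sanExt) { $sanExt.Format($false) } else { '' }
        $dnsNames = @([regex]::Matches($sanText, 'DNS Name=([^,\s]+)') | ForEach-Object { $_.Groups[1].Value })

        # Compare the configured name with every name on the certificate (case-insensitive).
        $match = $false
        foreach ($name in (@($dnsNames) + $cn)) {
            if ($name -eq $Server) { $match = $true }
            elseif ($name.StartsWith('*.') -and
                    $Server -match ('^[^.]+' + [regex]::Escape($name.Substring(1)) + '$')) { $match = $true }
        }

        [pscustomobject]@{
            ConnectedTo     = "${Server}:$Port"
            SubjectCN       = $cn
            SanDnsNames     = $dnsNames -join ', '
            Issuer          = $cert.Issuer
            NotAfter        = $cert.NotAfter
            NameOnCertMatch = $match
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

# 'dc01' is a sample name; use the value you typed into the Duo Admin Panel.
Get-LdapsCertificateNames -Server 'dc01' | Format-List
```

If `NameOnCertMatch` is False for the short name but True for the FQDN (or the other way round), that mismatch is what hostname verification is rejecting.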

Related Articles, References, Credits, or External Links

NA

How Do I Find/Change My IP Address?

KB ID 0000208

What’s an IP address?

An IP address is the address used on a network to find your PC, Server, Laptop, or Printer etc. It’s the networking equivalent of your house number and post code (or Zip Code for visitors from over the pond).

Do you want your PUBLIC or PRIVATE IP address? As we started to run out of addresses, there were a number of solutions that we came up with, one you will see below (DHCP) the other is NAT (Network Address Translation) that lets many IPs on a network share one (or more) public IP addresses on the internet. If you want to know your PUBLIC address (your address on the internet) then simply see below;

Your Public IP Address Is: [user_ip]

Where does my IP address come from?

You get an IP address by two methods,

1. Statically Assigned: Your address never changes and is allocated to you manually.

2. Dynamically Assigned: Your machine gets its IP address automatically via a system called DHCP.

What does an IP address look like?

Most IP addresses in use today are IP version 4 and consist of 4 numbers separated by three full stops (or once again, periods, for overseas visitors).

An IP address 192.168.1.100

Is that all my computer needs?

NO! You need FOUR pieces of information to access the internet and work properly;

1. The IP address itself (i.e. 192.168.1.100) this is unique to every machine on the network.

2. The Subnet Mask (i.e. 255.255.255.0) this tells the machine how big the network it is on, is.

3. The Default Gateway, this is another IP address on the network that you need to go through to get off the local network, i.e. to access the internet.

4. The DNS IP address, this is another IP address of a machine that can translate names into IP addresses (e.g. translate www.bbc.co.uk to 212.58.246.159).

What’s my IP address?

1. Windows Key + R > type ‘cmd’ {Enter}

2. A Command Window will open, click within the box and you can type in commands, the command to show your IP address is ipconfig, but this WON’T show us the DNS settings as well, to do that the command is “ipconfig /all”.

Note: If you have many network connections you will get results for them all, you may need to scroll up and down to find the right one.

IP Problems

Problem 1: My machine has got an IP address that is 169.254.x.y (where x and y can be any number from 1 to 254).

Answer: This machine is set to get its IP address automatically via DHCP but it can’t speak to the DHCP server, because either the DHCP server is down or there is no connection between the DHCP server and you.

Problem 2: My IP address shows as 0.0.0.0

Answer: You have been given a static IP address and someone on the same network is using the same address, this causes an IP conflict, change one of the IP addresses.

Find out if your IP address is statically assigned or dynamically assigned

The more eagle-eyed of you will see on the ipconfig /all results above that this machine is disabled for DHCP so it’s dynamically assigned; however, on your Windows machine do the following.

1. Windows Key + R > Type ‘ncpa.cpl’ {Enter}

2. Your network connections window should open and locate the connection you are connecting with (you might have many, be sure to select the right one, i.e. you might have one for dial up, one for wireless, one for a VPN to the office etc). Right click the connection and select properties.

3. On the window that appears you may have to scroll down the list, we are looking for its TCP/IP (on newer machines it will be called “Internet Protocol Version 4 (TCP/IPv4)”). Select it and click properties.

4. Now you can see if your addresses are set statically or dynamically.

How to change your IP address

To change your IP address you first need to know if you have a static IP address or a Dynamically assigned one. (That’s why this section is below the one above).

1. If you have a static IP address, simply change it on the screen shown (diagram above).

2. If you have a Dynamic IP address, you can either reboot the machine in question or Click Start > run > cmd {enter}

3. A Command Window will open, click within the box and you can type in commands, the command to release your IP address is ipconfig /release

Then to get a new address type in ipconfig /renew

Related Articles, References, Credits, or External Links

NA

Windows – Find your ‘Uptime’

KB ID 0000552 

Problem

There are lots of reasons you might want to know your PC/Servers uptime, to make sure a client has rebooted a server (like you asked them to), or to see if a server has had a BSOD and rebooted overnight, etc.

Check Uptime with Task Manager

You can get your uptime from the Task Manager’s “Performance” tab.

To launch Task Manager

Start > Run > Taskmgr.exe {enter}. or Press CTRL+SHIFT+ESC, or Right click the Task bar > Select Task Manager.  > Options

 

Use PowerShell to find Server Boot time

From Powershell Use the following syntax;

[box]

[Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem).LastBootUpTime)

[/box]

Use PowerShell to find Uptime

From Powershell Use the following syntax;

[box]

(Get-Date) - [Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem).LastBootUpTime)

[/box]

Option 3 – Use Systeminfo to find Uptime

From command line execute the Systeminfo | find /I “boot” command;

 

Option 3 – Use Net Statistics to find Uptime

You can get uptime information by either querying the workstation service, or the server service, issue either, the following command;

[box]

net statistics workstation

[/box]

Or the following command;

[box]

net statistics server

[/box]

Option 4 – Use Uptime.exe to find Uptime

Download uptime and put a copy in your “System32” Directory, you can then use the uptime command.

Option 5 – Use WMI (Windows Management Instrumentation) to find Uptime

Issue the following command;

[box]

wmic os get lastbootuptime

[/box]

As you can see the result is not pretty, it is presented in UTC format.

20120109081112.925800+000 = Year 2012, Month 01, Day 09, Time 08:11:12

Option 6 – Check the Event Log to find Uptime

Launch the Event Viewer (eventvwr.msc) > Windows Logs > System Log > Find > Search for Event ID 6005, (Note: This event gets logged each time the server boots, as the event log service starts). Event ID 6006 will be labeled as “The event log service was stopped.” This is synonymous with system shutdown.

 

Note: Event 6013 is periodically logged this shows the machines uptime at that point.

Note: In the event of an abnormal shutdown, look for Event ID 6009, which indicates the processor information detected during boot time. Event ID 6008 will let you know that the system started after it was not shut down properly.
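The event IDs above can be turned into a boot history that separates clean restarts from unexpected ones. This is an added example, not from the original article; the 30 day look-back, the 5 minute matching window for Event ID 6008, and the output property names are choices made here.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell window.
$since  = (Get-Date).AddDays(-30)     # look-back window chosen for this example
$filter = @{ LogName = 'System'; ProviderName = 'EventLog'; Id = 6005, 6006, 6008; StartTime = $since }
$events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | Sort-Object TimeCreated)

$lastMarker = $null                   # last 6005 (boot) or 6006 (clean stop) seen so far
$history = foreach ($e in $events) {
    switch ($e.Id) {
        6006 { $lastMarker = 6006 }   # event log service stopped = orderly shutdown
        6005 {
            # 6008 is written at start-up after a dirty shutdown, so look for one close to this boot.
            $dirty = @($events | Where-Object {
                $_.Id -eq 6008 -and [math]::Abs(($_.TimeCreated - $e.TimeCreated).TotalMinutes) -le 5
            })
            [pscustomobject]@{
                BootTime                 = $e.TimeCreated
                PrecededBy               = if ($lastMarker -eq 6006) { 'Clean shutdown (6006)' }
                                           elseif ($null -eq $lastMarker) { 'Unknown (before look-back window)' }
                                           else { 'No shutdown event logged' }
                UnexpectedShutdownLogged = ($dirty.Count -gt 0)
            }
            $lastMarker = 6005
        }
    }
}
$history | Format-Table -AutoSize
```

A boot with `UnexpectedShutdownLogged` set to True, or with no 6006 before it, is the overnight BSOD or power-loss case mentioned at the top of the article.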

Option 1 – Use Uptime.exe to get a Remote Machines Uptime

Already mentioned above download uptime and extract it to your system32 directory. Then to get a remote machines uptime, use the following command;

[box]

uptime {Name of Remote PC}

[/box]

Use Powershell to get a Remote Machines Uptime

Use the following syntax;

[box]

[Management.ManagementDateTimeConverter]::ToDateTime((Get-WmiObject Win32_OperatingSystem -ComputerName RemoteMachine).LastBootUpTime)

[/box]

Related Articles, References, Credits, or External Links

NA

Control Panel ‘Mail Icon Missing’

KB ID 0000237

Problem

Problem usually seen on x64 Office versions, to set up some mail profiles;

Solution

Firstly what happens if you try running;

[box]

outlook.exe /manageprofiles

[/box]

The file you are looking for is called mlcfg32.cpl. Find it and double click it. Here’s where I found it;

C:\Program Files (x86)\Microsoft Office\root\Office{Version}

or

C:\Program Files (x86)\Common Files\System\MSMAPI\1033

If you get stuck, or are using x64 bit version of Office, go old school (remember to run it from the root of the drive!)

Related Articles, References, Credits, or External Links

NA

Windows Client(s) not ‘appearing’ in WSUS

KB ID 0000591 

Problem

Before you start troubleshooting clients, how long have you waited? I usually setup and configure WSUS up at the start of a job, then leave it alone for a few DAYS, before I start worrying.

Here are the steps I usually follow to get the machines listed in the WSUS management console.

Solution

Before doing anything further, simply try running the following two PowerShell commands, (on the problem client,) and then waiting for a few hours;

[box]

$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates

wuauclt /reportnow

[/box]

 

 

1. Assuming you are deploying your WSUS settings by GPO, make sure the machine in question is actually trying to apply the policy, you can do this by running rsop.msc like so:

Or by running gpresult /R from command line

Note: If you cannot see Computer Policy / Computer Settings, i.e. you can only see user settings, then you are probably not running the command window as ‘Administrator’ (Locate cmd.exe > right click > Run as Administrator).

2. If you are enforcing by GPO, or directly via registry edit, your next step is to check that the registry entries exist. Start > In the Search/Run box type regedit {Enter}. Navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Policies > Microsoft > Windows > WindowsUpdate[/box]

3. Start > In the Search/Run box type services.msc {enter} Locate the Windows Update service and ensure it is running.

4. Then locate the Background Intelligent Transfer Service and make sure that’s also running.

5. To make sure the client can see the WSUS website, open a browser window, and navigate to http://{name-of-the-wsus-server}/iuident.cab and make sure you can open/download the file.

6. If all the above is OK, you can try forcing a registration with the following command;

[box]wuauclt /detectnow[/box]

7. All update events are being logged, you can find the log at c:\windows\WindowsUpdate; open the file with Notepad.

8. Scroll all the way to the end, then work upwards looking for errors.

9. Sometimes if you image a machine (or clone a VM) it keeps its unique update ID. If this happens then the first machine with this ID to register gets listed, and all the rest do not. To find out if this is your problem, locate and stop the Windows Update service on an affected client.

10. Open the registry Editor and navigate to:

[box]HKEY_LOCAL_MACHINE > SOFTWARE > Microsoft > Windows > CurrentVersion > WindowsUpdate[/box]

Locate and delete the SusClientId entry.

11. Restart the Windows Update service and run the following two commands:

[box]wuauclt /resetauthorization /detectnow

wuauclt /reportnow[/box]
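Steps 2 to 5 and the SusClientId check from step 10 can be gathered in one pass on the problem client. This is an added example, not from the original article; it assumes the WSUS address is delivered in the WUServer policy value, and the output property names are made up here.

```powershell
# Added example (not from the original article). Run in an elevated PowerShell window on the client.
$policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$clientKey = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate'

$policy = Get-ItemProperty -Path $policyKey      -ErrorAction SilentlyContinue
$au     = Get-ItemProperty -Path "$policyKey\AU" -ErrorAction SilentlyContinue
$client = Get-ItemProperty -Path $clientKey      -ErrorAction SilentlyContinue

# Step 5: can the client fetch iuident.cab from the server named in policy?
$cabStatus = 'Not tested (no WUServer value in policy)'
if ($policy.WUServer) {
    try {
        $uri = $policy.WUServer.TrimEnd('/') + '/iuident.cab'
        $response  = Invoke-WebRequest -Uri $uri -UseBasicParsing -TimeoutSec 15
        $cabStatus = "HTTP $($response.StatusCode) from $uri"
    }
    catch {
        $cabStatus = "FAILED: $($_.Exception.Message)"
    }
}

[pscustomobject]@{
    ComputerName         = $env:COMPUTERNAME
    WUServer             = $policy.WUServer          # step 2: policy values present?
    WUStatusServer       = $policy.WUStatusServer
    UseWUServer          = $au.UseWUServer
    WindowsUpdateService = (Get-Service -Name wuauserv).Status   # step 3
    BitsService          = (Get-Service -Name BITS).Status       # step 4
    IuidentCab           = $cabStatus                            # step 5
    SusClientId          = $client.SusClientId                   # step 10: compare between machines
}
```

Run it on two machines built from the same image: if both report the same SusClientId, that is the duplicate ID problem described in step 9.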

Update 16/06/15

Received via Email from Patrick Mauger:

You can add an incorrect binding in IIS to the site WSUS Administration.

You need to add a binding for port 80, because the only ports configured are 8530 and 8531.

Related Articles, References, Credits, or External Links

Windows Server Update Services – Install and Configure (2008 R2)

WSUS Install Error – ‘The update could not be found. There may be a network connection issue.

Message ID 6600: sms wsus configuration manager failed to configure upstream server

WSUS Install Error on Windows Server 2008 R2

Cluster: Not Reachable On UDP Port 3433

KB ID 0001621

Problem

Seen on a Microsoft Hyper-V failover cluster (Server 2019);

Network Interfaces {Node-Name} {Interface-Name} and {Node-Name} {Interface-Name} are on the same cluster network, yet address {IP-Address} is not reachable from {IP-Address} using UDP port 3433

Solution

I’ve seen this error before, and usually you just need to disable the firewall or open UDP port 3433 and then re-validate the cluster (job done). However, in my case the following was true;

  • All IP addresses could ‘ping’ the IP addresses that it was telling me it could not communicate with.
  • All local firewalls were turned off on the domain profile.
  • No AV was running, or third party firewalls were installed.

There seemed to be no reason for this, I disabled and re-enabled the ‘Live migration’ NIC and 50% of the links ‘went green’ but then the Live Migration link said ‘partitioned‘ 🙁

In the end, (even though the cluster was in a failed state) I moved all my VMs onto one Host, then ran Windows update, and bounced the server, then repeated the process on the other host and the problem went away. I don’t know if it was a bug/update/driver problem, but fingers crossed it’s been OK since.

Related Articles, References, Credits, or External Links

NA

Moving Certificate Services To Another Server

KB ID 0001473

Problem

If you are retiring a CA Server, or there’s a problem with the server and you want to move Microsoft Certificate Services to another server, the procedure is pretty straight forward.

BE AWARE: We are moving the CA Server Name, NOT the Server Name (FQDN), the two things are NOT the same, (you might have called them the same thing!) But a Certificate Authority has a name of its own, and that’s what we are going to move.

So the new server doesn’t have to have the same name? No, it can do if you really want, but that’s an added layer of complication I can’t see the point of?

In the video below, I’m migrating from Server 2008 R2 to Server 2019, and I’m also moving CRLs and OCSP responders. In the screenshots below I’m moving from Server 2016 to Server 2016, but the process is pretty much identical all the way back to Server 2003.

Can I migrate from Server 2008 (NON R2) to 2016 (or newer): Yes, but not directly, you need to upgrade to Server 2012 R2 first. If you don’t, the database won’t mount and you will get this error.

Solution

On the ‘Source’ server, open the Certificate Services management console > Right click the CA NAME > All Tasks > Back up CA.

The backup wizard will open, Next > Tick BOTH options > Select a Backup Location > Next > Set a password (you will need this to set the new CA up!) > Next > Finish.

Now we need to take a backup of the Registry key that holds the information for this CA server. Run ‘regedit’ > Navigate to;

[box]HKEY_LOCAL_MACHINE > SYSTEM > CurrentControlSet > Services > CertSvc > Configuration > {CA-NAME}[/box]

Export a copy of this key, (save it in the same folder that you backed up to earlier).

Now we need to uninstall CA Services from this server. Server Manager > Manage > Remove Roles and Services > Next.

REMOVE all the CA role services  > Complete the Wizard, then launch the wizard again and select ‘Active Directory Certificate Services’ > At the pop-up select ‘Remove Features’ > Next.

Next > Next > Next > Close.

Setup Certificate Services on the Target/New Server

Server Manager > Add Roles and Features > Next.

Next > Select ‘Active Directory Certificate Services’ > Add Features > Next.

For now let’s just stick with the Certification Authority > Add the other role services later* > Next.

*Note: I’ve written about all these role services before, just use the search function, (above), if you are unsure what they all do.

Next > Close.

Warning > Configure Active Directory Certificate Services > Next.

Next > Enterprise CA (Unless it’s an offline non domain joined CA) > Root CA (unless it’s a subordinate CA!) > Next.

> Select ‘Use existing private key’ > Select ‘Select a Certificate and use its associated private key’ > Next > Import > Browse > In your backup folder locate the certificate (it will have a .p7b extension.) > Enter the password > OK > Select the Cert > Next.

Next > Next > Configure >  Close.

Stop Certificate Services;

[box]net stop certsvc[/box]

If your new server has a different hostname/FQDN, open the registry file you exported above with Notepad, then locate the CAServerName entry and change it to the name of the NEW server.

Right click the registry backup > Merge > Yes > OK.

Launch the Certificate Services management console > Right Click the CA NAME > All Tasks > Restore CA.

The restore wizard will start > Next > Browse to the folder with your backup in > Next > Enter the password you used (above) > Next > Finish.

You will be prompted to start the Certificate Services service > Yes.
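The same migration can be scripted with the AD CS PowerShell cmdlets. This is an added example, not part of the original article: the -Phase parameter, the C:\CABackup path (assumed identical on both servers), the file names and the hash manifest are all assumptions.

```powershell
# Added example: scripted form of the GUI steps. Run from an elevated powershell.exe console.
# Assumptions: -Phase parameter, C:\CABackup (same path on both servers), file names.
param(
    [Parameter(Mandatory)][ValidateSet('Source','Target')][string]$Phase,
    [string]$BackupDir = 'C:\CABackup'
)
$ErrorActionPreference = 'Stop'
$cfgKey   = 'SYSTEM\CurrentControlSet\Services\CertSvc\Configuration'
$regFile  = Join-Path $BackupDir 'CertSvc-Config.reg'
$manifest = Join-Path $BackupDir 'manifest.csv'
$pw       = Read-Host 'CA backup password' -AsSecureString

if ($Phase -eq 'Source') {
    # "Active" holds the CA name, which is what moves (not the host name).
    $caName = (Get-ItemProperty "HKLM:\$cfgKey").Active
    New-Item -ItemType Directory -Path $BackupDir -Force | Out-Null
    # The folder will hold the CA private key: drop inherited ACEs, allow admins and SYSTEM only.
    icacls.exe $BackupDir /inheritance:r /grant:r 'BUILTIN\Administrators:(OI)(CI)F' 'NT AUTHORITY\SYSTEM:(OI)(CI)F' | Out-Null
    Backup-CARoleService -Path $BackupDir -Password $pw        # private key + database
    reg.exe export "HKLM\$cfgKey\$caName" $regFile /y | Out-Null
    # Hash every backup file so the copy can be verified on the new server.
    $hashes = Get-ChildItem $BackupDir -Recurse -File | Get-FileHash -Algorithm SHA256
    $hashes | Select-Object Path, Hash | Export-Csv $manifest -NoTypeInformation
    # Retire the CA here only after the backup exists.
    Uninstall-AdcsCertificationAuthority -Force
    Uninstall-WindowsFeature ADCS-Cert-Authority | Out-Null
}
else {
    # Refuse to continue if any file changed while being copied across.
    foreach ($row in Import-Csv $manifest) {
        if ((Get-FileHash $row.Path -Algorithm SHA256).Hash -ne $row.Hash) {
            throw "Backup file does not match the source hash: $($row.Path)"
        }
    }
    $p12 = Get-ChildItem $BackupDir -Filter *.p12 | Select-Object -First 1
    Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools | Out-Null
    # Change -CAType for a subordinate or standalone CA.
    Install-AdcsCertificationAuthority -CAType EnterpriseRootCA -CertFile $p12.FullName -CertFilePassword $pw -Force
    Stop-Service certsvc
    # Point CAServerName at this host in a copy of the export, then merge it.
    $fqdn      = [System.Net.Dns]::GetHostEntry('').HostName
    $targetReg = Join-Path $BackupDir 'CertSvc-Config.target.reg'
    (Get-Content $regFile) -replace '^"CAServerName"=.*$', "`"CAServerName`"=`"$fqdn`"" |
        Set-Content $targetReg -Encoding Unicode
    reg.exe import $targetReg
    Restore-CARoleService -Path $BackupDir -Password $pw -Force
    Start-Service certsvc
    certutil.exe -ping      # confirms the CA answers on the new host
}
```

Copy the backup folder to the new server between the two phases, and remove it from both servers once the restored CA is confirmed working, because it contains the CA private key.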

What About Certificate Templates? Do I need to Move Them?

No! Certificate templates are actually stored in Active Directory, NOT in/on the actual Certificate Services server, (that’s why sometimes they take a while to appear after you create them!) You can see them here;

Related Articles, References, Credits, or External Links

Digital Certificates Explained

Certificate Services – Migrate from SHA1 to SHA2 (SHA256)

Convert (VMware) VMDK to (Microsoft) VHD/VHDX

KB ID 0001516

Problem

Recently I’ve looked a lot at converting VMware resources to either Hyper-V, or Azure. But what if you want to take a Microsoft machine (or workload) and run it in VMware? 

Well the easiest way is to use some freeware, “StarWind V2V Image Converter”. These days I’m dubious about any piece of freeware, because it’s either a) Not Free when you actually want to use it in anger, b) Full of adware and nastiness, c) Just a vehicle to get your email address to send you marketing and junk.

Well you do need to supply an email address to get it but, other than suggesting I might want to take a look at their free VSAN software, they have left me alone (ThanQ).

Solution

Launch the software, and browse to the folder containing your .vhd or .vhdx file. (Note: You can connect directly to a Hypervisor if you wish).

Again I’m going to output to a local file, (faster) but as above, you can output to a Hypervisor. (I’ll simply just SCP the image into VMware and create a VM with it, when I’m finished).

Select your output type, basically they are; VMware Workstation (thick or thin), Stream optimised (.OVA), or the one we want, ESXi.

Note: You can also output to a RAW file or QCOW2 (handy if you run EVE-NG and want to upload a server/workstation into it!)

Time for a coffee! Hopefully this is what you will see.

Related Articles, References, Credits, or External Links

NA

Microsoft One Drive: Analysis, Pros & Cons of Using It

KB ID 0001439

There are a lot of cloud storage options available on the market. More and more companies make their own cloud storage service. This is why it can be tricky to pick the right service for you. Also, you need to take into consideration a lot of things before you select a cloud storage service. The level of security, its features, and the price are just some of them.

In this article, we are going to talk about Microsoft One Drive. Here you will find an analysis of this cloud service. However, if you want more information you should read this comparison between OneDrive and Dropbox, made by Cloud Storage Advice. Now, let’s see which are the pros and cons of this cloud storage service.

OneDrive General info

OneDrive, also known as SkyDrive, is Microsoft’s response to the war of cloud storage services. This is one of the best-known cloud services on the market. One of the best things about it is that it provides 5GB of storage for free in its basic plan. OneDrive means integration, because it is found on all Windows 10 and 8 devices and in all Windows apps.

Also, this service is easy to use and it offers a big variety of features. All you have to do is to choose the right plan for you and your needs. Apart from the free basic plan, you can also choose the 50GB plan for  $1.99/month or the Office 365 Personal (1TB) for $69.99/year. If you have a small business, you can select the Office 365 Home and you receive 5TB (1 TB per user) for $99.99/ year.

Pros and Cons of Using OneDrive

Like any other service, OneDrive has its pros and cons. We are going to show you the good and the bad of this cloud storage option.

Pros

When it comes to the main features, OneDrive has a lot of pros. First of all, it offers a lot of features including backup, sharing, and editing all of your files. Also, you can select which files need to be backed up and which need to be stored. This service also comes with a lot of extra features. Some of the best additional features include collaboration tools, Office 365, mobile apps, and 24/7 technical support.

Another great pro of this service is the integration. All Windows 8 and 10 devices come with the app already installed. All you have to do is to create an account and start storing the important data. Also, this service is compatible with some of the biggest platforms including iOS, Chromium, Android, and Mac.

It offers a big free storage space of 5GB, which can attract more users. If they fill the space and enjoy the features, they are more likely to purchase a paid plan. Another important pro you should know is that this service has an AI which can save your videos and pics in the files according to importance. The automatic syncing option is another pro. Their file management and syncing services are being extended even further.

Cons

The level of security is one of the most important things you need to consider before you decide to purchase a cloud storage service. OneDrive has good security because of Sookasa, an all-in-one security tool. Unfortunately, like any other security tool, Sookasa doesn’t always do its job of keeping the data secure.

However, there are also some cons when it comes to their features. OneDrive could add a few more features considering the fact that the company wants to make this an all-in-one cloud storage service. Also, some of the features might not work as well as on other cloud services.

Another con of this service is the fact that it doesn’t offer a lot of options for business owners. Most services have at least 2 options for businesses. However, Microsoft OneDrive is a better option for personal use. If you want a cloud service for business, you should check out another service like Dropbox or MEGA cloud.

These are the most important things you should know about this cloud storage service. OneDrive is one of the best cloud options. However, like any other service, it has a lot of pros and some cons. Its main features and the additional ones make this service stand out from the crowd. Also, it has great integration and good security. Despite all of the pros, the main con is the fact that it is not suited for business owners. This service doesn’t offer many options for business, and this is why it is a great service for individuals.

Post written by;

Cristopher Burge

{cloustatorageadvice.com}

 

Related Articles, References, Credits, or External Links

NA