Azure AD Connect: Correct Or Remove Duplicate Values

KB ID 0001588

Problem

I was doing some work for a School recently, their staff were already using Office 365 and their tenancy was all setup. Now they wanted to roll Office 365 out to the pupils, and sync to their on premises Active Directory.

Now we could have simply excluded the staff from the Azure AD Connect Sync, but they want to manage their passwords etc. on-premises. Microsoft will tell you if you DON’T have an on-premises Exchange (they didn’t), then you simply need to enter the correct email address on the user object and the correct accounts will match up and sync, however they did not, this happened instead;

Unable to update this object because the following attributes associated with this object have values that may already be associated with another object in your local directory services: [ProxyAddresses SMTP:username@domain-name.com;]. Correct or remove the duplicate values in your local directory. Please refer to http://support.microsoft.com/kb/2647098 for more information on identifying objects with duplicate attribute values.

Tracking Id: 2b68528a-695a-4c5e-9b4f-7ec471e5f38c
ExtraErrorDetails:
[{“Key”:”ObjectId”,”Value”:[“6ef8d8d0-2893-4d46-83e3-bf819ea607d2”]},{“Key”:”ObjectIdInConflict”,”Value”:[“56a72044-de5b-43ce-82b1-edb82c80395e”]},{“Key”:”AttributeConflictName”,”Value”:[“ProxyAddresses”]},{“Key”:”AttributeConflictValues”,”Value”:[“SMTP:username@domain-name.com“]}]

OK, I’ve worked A LOT with Exchange and I know that ProxyAddress and Email address are related, but not the same AD attribute. But changing that didn’t fix the problem either?

Solution

Well we are syncing on-premises Active Directory and Azure Active Directory, and we DON’T want to change anything on site. So logically wherever the ‘fix’ is, it will be in Azure. (If you only ever use the Office 365 portal then buckle up)

Within Office 365 Admin > Admin Centers > Azure Active Directory.

Welcome to Azure! > Azure Active Directory > Azure AD Connect > Connect Health.

Sync errors.

Duplicate Attribute.

Select the affected user(s) > Troubleshoot.

Double check it is the same user! (If you get this wrong all manner of carnage will unfold!) Yes > Apply Fix > Confirm.

Now wait for a directory replication, (or force one manually with PowerShell). The errors should now cease.

Related Articles, References, Credits, or External Links

AAD Contains Another Object With The Same DN

Event ID 1005 and 1015

KB ID 0000117 

Problem

TraceLevel parameter not located in registry; Default trace level used is 32.

SMTP service is installed but not configured.

Solution

To stop these events from occuring, add the TraceFileName and the TraceLevel values to the following registry subkey:

HKEY_LOCAL_MACHINESOFTWAREMicrosoftSNMP_EVENTSEventLogParameters

• TraceFileName Type: REG_SZ Value: null (blank) • TraceLevel Type: REG_DWORD Value: 32 (0x20)

or merge the following

[box]

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINESOFTWAREMicrosoftSNMP_EVENTSEventLogParameters]
"TraceFileName"=""
"TraceLevel"=dword:00000020

[/box]  

Related Articles, References, Credits, or External Links

NA

Draytek Vigor Router Port Forwarding

KB ID 0000425 

Problem

This procedure was carried out on a Draytek Vigor 2800 Router, for this I needed to forward RDP (That’s on TCP Port 3389).

Warning: If you need to forward any of the following ports 23 (Telnet), 80 (HTTP) , 443 HTTPS/SSL), 21 (FTP), or 22 (SSH). The Draytek has these reserved for remote management. You will need to change the port number (system Maintenance > Management > Management Port Setup).

Solution

1. Log into the routers web console (default will be a blank username and password, or admin and admin, or admin and blank password).

2. Expand NAT > Select Port Redirection.

2. Give the service a name (Like RDP) > Enter the protocol type TCP or UDP > Enter the internal IP that you want to forward the port to > Tick active > Click OK.

Note: Depending on setup you may see this instead (if that’s the case select the correct public IP)

3. That should be all you need to do, unless the firewall is turned on, if that’s the case expand NAT > Open Ports.

4. Again enter a name in the comment box > The local IP of the machine > and the port details > OK.

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

DrayTek Vigor – Reset To Factory Settings

Google Searches Work, But All the Result Links DON’T(BT Broadband)

KB ID 0000740

Problem

I was covering the phone for one of the days over the Christmas period, and a client had rang in with this problem, at first I thought it was simply an EDNS problem like this. However some testing proved DNS was working fine? Then I thought it was an Internet Explorer problem, until Chrome and Firefox did the same. I could go to Google and search for what I wanted,but all the links (and any other URL I tried, with the exception of YouTube strangely), would not work. SMTP/Email worked, as did FTP and everything else I tested? But HTTP and HTTPS would not, with the exception of Google/YouTube.

So I knew the problem was either the router, (a Cisco 1800 with firewall IOS), or the ADSL circuit itself that was causing the problem.

Solution

As BT Business Broadband ADSL circuits don’t usually come with a Cisco Router, I thought if I rang them I’d get the “We didn’t supply or support that router” speech, so I got the client to dig out their supplied (2Wire) router, and asked him to ring BT while I was on-site.

While he was explaining the problem, the Engineer on the other end said, “Unplug the 2Wire and plug the Cisco router back in, I will ring you back…”. This was strange behavior for BT, and I thought we would be the victim of “BT Syndrome“, and sure enough five minutes later is magically fixed itself.

When BT rang back, they explained that this had been imposed on the client, because they were a ‘little late’ paying their bill, (there’s Christmas spirit for you).

Related Articles, References, Credits, or External Links

NA

Exchange – Are you an Open Relay?

KB ID 0000087 

Problem

When Email was a new medium, pretty much all mail servers were open relays, and nobody really cared, after all if someone in Nigeria wanted to relay mail through a college server in Manchester then why shouldn’t they? Sadly with the explosion of Email and internet use this is no longer an option, because all those annoying Emails you get for Viagra or insider stock tips have probably been sent to you through an open relay. That’s to say someone like you with a mail server that’s happily sending out someone else’s mail.

Now you may be the sort of person who does not care, if that’s true then “be warned” Major ISP’s and Email handlers are routinely blocking “Suspect” mail servers, you might not even know you had a problem, and the first thing you know about it is,you cant send mail to a particular domain because you are on a blacklist, or worse your ISP cuts off your internet access, or you get an early knock on the door from some nice men in suits wanting to know why 400Gb of “dodgy photos” was sent from your IP address this morning.

Solution

Test your Mail Server with Telnet

 

1. OK – the first thing we need to do is get on a PC that isn’t logged into the domain (Exchange can be set to relay mail from a client that’s authenticated to the domain regardless) – So take that out of the equation by not being in the domain. Now open a good old fashioned command window . Click Start > Run > CMD {enter}
Alert! – To put “Run” on your start menu > Right click your task bar > Properties > Start Menu Tab > Customise > Tick “Run Command” > OK > OK.

2. You now need to connect to your mail server using a telnet command, to do this you need to know either the name or the IP address of the server. the command is,
telnet <IP Address or Server Name> 25 {enter}

Telnet’ is not recognized as an internal or external command

3. The server should respond with a “Banner” this lets you know you connects successfully NOTE some anti virus programs block this (McAfee for example) you need to go to its access protection settings and untick “Prevent mass mailing worms from sending mail”. Don’t forget to turn it back on again later 🙂

4. You are going to send an Email from command line, the first thing you need to do is say hello to the server, though being an exchange server the command is,
ehlo {enter}
What we want to see are 250 messages in our example we got,
250-server1.petenetlive.com Hello [10.254.254.60]

5. Type the following,
mail from:test@test.com{enter}
again we want to be seeing a 250 message, if you didn’t get one you made a spelling mistake start again 🙁
In our example we got,
250 2.1.0 test@test.com….Sender OK

6. Now we are going to attempt to relay mail for a different domain this will tell us if the server is an open relay or not. Type the following,
rcpt to:badperson@nastyspammer.com{enter}
Note if the Server gives you a message like,
550 5.7.1 Unable to relay for badperson@nastyspammer.com
THIS MEANS YOU ARE NOT AN OPEN RELAY.

 

NOTE if the server responds with
250 2.1.5 badperson@nastyspammer.com
Then either you ignored me in step 1 and your in the domain – or YOU ARE AN OPEN RELAY.

Officially there are three things, that if set wrong can leave you as an open relay,

1. Your Default SMTP Virtual Server.

2. Your SMTP Connector.

3. You have ISA server installed and set incorrectly.

Step 1 – Check the SMTP Virtual Server

1. On the Exchange Server Click Start > All Programs > Microsoft Exchange > System Manager.

2. Expand Administrative Groups > First Administrative group > Servers > {your server name} > Protocols > SMTP > Right Click “Default SMTP Virtual Server” > Properties.

3. On the properties window select the Access tab > Click the “Relay” Button.

4. On the “Relay Restrictions” window Check that, “Only the list below” is selected > It’s not unusual (in fact its the default) that the window is empty, you may see the Exchange server IP addresses in here – or in some cases other hosts on your network that have been set up to relay mail – (Backup software that emails you, or SQL servers that email events for example) > And ensure the box at the bottom that says “Allow all computers that successfully authenticate to relay, regardless of the list above” IS TICKED.

Step 2 – Check the SMTP Connector

NOTE: You might not have an Exchange connector don’t panic if its not there 🙂

1. On the exchange Server Click Start > All Programs > Microsoft Exchange > System Manager.

 

2. Expand Administrative Groups > First Administrative group > Routing Groups > First Routing Group > Connectors. > {your connector name}
NOTE – you may have many different routing groups and the path in your exchange system manger might be under Servers > {your server name} > Connectors.

3. Right click your connector and select Properties.

4 Select the “Address Space” Tab > You should see the following > Address Type = SMTP > Address = * > Cost = 1 > Connector Scope = “Entire Organisation” > “Allow Messages to be relayed to these domains” IS NOT TICKED.

Step 3 – Check ISA

ISA Server 2000 – had a problem where if you had a mail publishing rule for SMTP it set an open relay -check! Also make sure make sure 127.0.0.1 is NOT in the list of IP addresses that are allowed to relay in the the properties section of the default SMTP Virtual server.

Related Articles, References, Credits, or External Links

NA

Exchange 2010 / 2007 Alternate-port SMTP

KB ID 0000089

Problem

I’ve used the no-ip service for years, and untill recently the Exchange box I ran gave me no problems, well it still does not, but now my wife has her Email on it as well, and because of reverse DNS Lookups, she cannot Email her friends at Hotmail etc.

Instructions at the site (at the time of writing) are for Exchange 2003, which as you aware is a different beast altogether, so to make it work….

Assumptions: You have set up your no-ip account for Alternate SMTP port access and have set up your password

Solution

1. On the Exchange Server, Click Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Console. Expand Organisational Configuration > Hub Transport > Send Connector. Right click your send connector and select properties.

Note: If you do not have a send connector at all, create a new one, set the “Address Space” to * (thats a single asterisk) > Tick “Include all subdomains” > Add your Exchange Server to the source server list.

2. On the Network tab Select “Route mail through the following smart hosts” > Click Add.

3. Enter the name of the no-ip smart host “SMTP-AUTH.NO-IP.COM” > Click OK.

4. Click “Change” to set up smart host authentication.

5. Select Basic Authentication > Enter the username and password that no-ip provided you with (You need to set up the password, its NOT the same as your usuall no-ip password) > Click OK.

6. Now you need to change the port your Exchange Server sends on, the only way to do this (at time of writing) is in Powershell. Take note of what you called the Send connector (mine’s called “Send Connecor”). On the Exchange Server, Click Start > All Programs > Microsoft Exchange Server 2007 > Exchange Management Shell. > the command Syntax is…..

Set-SendConnector -Identity “Send Connector” -port 3325 Where “send connector” is the name of the send connector and 3325 is the port you connect to no-ip with.

7. Click Start > Run > Services.msc {enter} > Locate the “Microsoft Exchange Active Directory Topology Service” Right click it and select “Restart.”

8. Select yes to restart the other services as well.

9. Go and have a coffee then test mail flow in and out.

Related Articles, References, Credits, or External Links

NA

Event ID 12014

KB ID 0000174 

Problem

Event ID 12014

Microsoft Exchange could not find a certificate that contains the domain name {name.domain.com} in the personal store on the local computer. Therefore, it is unable to support the STARTTLS SMTP verb for the connector SendConnector with a FQDN parameter of {name.domain.com}. If the connector’s FQDN is not specified, the computer’s FQDN is used. Verify the connector configuration and the installed certificates to make sure that there is a certificate with a domain name for that FQDN. If this certificate exists, run Enable-ExchangeCertificate -Services SMTP to make sure that the Microsoft Exchange Transport service has access to the certificate key.

In the error massage take note of {name.domain.com} this name is being used on one of your mail connectors, and the certificate on the Exchange server has a different name.

Solution

1. Launch Exchange Management Console > Organization Configuration > Hub Transport > Send Connectors > Right click your Send connector > Properties > Make sure the “Specify the FQDN this connector will provide…” section is the same as the name on your servers certificate.

2. Launch Exchange Management Console > Server Configuration > Hub Transport > Receive Connectors > Right click your Send connector > Properties > Make sure the “Specify the FQDN this connector will provide…” section is the same as the name on your servers certificate.

3. Start > run > services.msc {enter} > Restart the Microsoft Exchange Active Directory Topology Service > Select “Yes” to restart the other services.

Related Articles, References, Credits, or External Links

NA

Exchange 2010 (c/w SP1) Install – Greenfield Site

(Installing on Server 2008 R2)

KB ID 0000416

Problem

Microsoft have not only slipstreamed the service pack into the install media, they have (Finally!) got the install routine to put in all the usual pre-requisites, roles, and features, that you had to do yourself before. (With the exception of the Microsoft 2010 filter pack, but even then you can do that after the install).

The procedure below was done on a single server in a test environment, to demonstrate the simplified procedure, it IS NOT good practice to install Exchange (any version) on a domain controller.

Solution

Before Site Visit

1. Have your install media downloaded and ready to go (Make sure you also have the unlock codes for Exchange – or you will have 119 days to licence it, post install).

2. Does your current anti virus solution support Exchange 2010? Do you need an upgrade?

3. Does your current backup software support Exchange 2010? Do you need to purchase extra remote agents or updates?

Before Deploying Exchange 2010

1. Depending on what documentation you read, some say that the global catalog server(s) in the current site need to be at least Server 2003 SP2. Other documentation says the schema master needs to be at least Server 2003 SP2. Let’s hedge our bets, and make sure that ALL the domain controllers are at least Server 2003 SP2 🙂

2. Your domain and forest functional levels need to be at Windows Server 2003.

3. Don’t forget – your server needs to be x64 bit (the video below was shot on a Server 2008 R2 server).

4. Make sure both the server you are installing on, and the Windows domain, are happy (get into the event viewers of your servers and have a good spring clean before deploying Exchange 2010).

5. Install the Office 2010 Filter Pack, and the Office 2010 Filter Pack Service Pack 1.

6. Install the roles required with the following PowerShell Commands;

[box]

Import-Module ServerManager

For Client Access, Hub Transport, and the Mailbox roles issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

For Client Access and Hub Transport server roles issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy,Web-WMI -Restart

For only the Mailbox role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server -Restart

For only the Unified Messaging role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Desktop-Experience -Restart

For only the Edge Transport role issue the following command;

Add-WindowsFeature NET-Framework,RSAT-ADDS,ADLDS -Restart

[/box]

7. Set the Net.Tcp Port Sharing Service for Automatic startup by running the following command;

[box]Set-Service NetTcpPortSharing -StartupType Automatic[/box]

Exchange 2010 (c/w SP1) Install – Greenfield Site

The single best thing Microsoft has done with the SP1 install media, is to include this tick box.

Related Articles, References, Credits, or External Links

How To Install Exchange 2016 (Greenfield Site)

Exchange 2010 – Working with Certificates

KB ID 0000453

Problem

Exchange 2010 installs with it’s own (self signed) certificate. To stay free of security errors and warnings, the best bet is to purchase a “publicly signed” digital certificate and use that.

The following process uses the Exchange Management console to create a CSR (Certificate Signing Request). Then what to do with the certificate, when it has been sent back to you.

Solution

Certificate Vendors

Buy Your Exchange Certificates Here!

 

Related Articles, References, Credits, or External Links

NA

Cisco Routers – Port Forwarding

KB ID 0000533 

Problem

If you have a server or host that you want to be publicly addressable and only have one public IP address then port forwarding is what you require.

Solution

Assumptions

1. You have a public IP on the outside of your Router.

2. You are performing NAT from your internal range of IP address to your External IP address.

To Make Sure

1. Run the following command:

[box]PetesRouter#show run | include ip nat inside[/box]

You should see a line like,

[box]ip nat inside source list 101 interface Dialer0 overload[/box]

2. That means NAT all traffic that access-list 101 applies to, to Dialer0 (this is an ADSL router and that’s it’s outside interface). To see what traffic is in access-list 101 is issue the following command:

[box]PetesRouter#show run | include access-list 101[/box]

You should see a line like,

[box]access-list 101 permit ip 10.10.0.0 0.0.255.255 any[/box]

3. This means permit (apply this ACL) to all traffic from 10.10.0.0/16 to anywhere. So its set to NAT all traffic from the inside network to the outside network.

4. Finally to see what IP is on your Dialer0 issue the following command:

[box]PetesRouter#show ip interface brief | exclude unassigned[/box]

You should see something like this

Now we know all traffic from 10.10.0.0/24 (All inside traffic) will be NAT translated to 123.123.123.123

Set up Port Forwarding

In this case Ill port forward TCP Port 443 (HTTPS) and TCP Port 25 (SMTP) to an internal Server (10.10.0.1).

1. First set up the static NAT translations.

[box]

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 123.123.123.123 443 extendable
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 123.123.123.123 extendable
OR If you are running with a Public DHCP address

PetesRouter#ip nat inside source static tcp 10.10.0.1 443 interface Dialer0 443
PetesRouter#ip nat inside source static tcp 10.10.0.1 25 interface Dialer0 25

[/box]

2. Second stop that traffic being NATTED with everything else.

[box]

PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 443 any
PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 25 any

[/box]

3. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Setup port forwarding and restrict it to an IP or network

For things like HTTPS and SMTP you might want them accessible from anywhere but you might want to lock down access for something like RDP, (TCP port 3389) if that’s the case then you need to do the following.

1. Create a new ACL that allows traffic from you but denies it from everyone else (remember to put an allow a permit at the end).

[box]

PetesRouter#access-list 199 permit tcp host 234.234.234.234 host 123.123.123.123 eq 3389
PetesRouter#access-list 199 deny tcp any host 123.123.123.123 eq 3389
PetesRouter#access-list 199 permit ip any any

[/box]

Note: To allow a network substitute the first line for,

[box]PetesRouter#access-list 199 permit tcp 234.234.234.232 0.0.0.7 host 123.123.123.123 eq 3389[/box]

Note: Cisco Routers use inverted masks, so 234.234.234.232 0.0.0.7 is 234.234.234.232 255.255.255.248 (or/29)

2. Then (as in the example above) create the static NAT translation.

[box]PetesRouter#ip nat inside source static tcp 10.10.0.1 3389 123.123.123.123 3389 extendable[/box]

3. Then (as in the example above) exempt this traffic from the default NAT ACL.

[box]PetesRouter#access-list 101 deny tcp host 10.10.0.1 eq 3389 any[/box]

4. Finally apply the ACL you created inbound on the Dialer0 interface.

[box]

PetesRouter#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
PetesRouter(config)#interface Dialer0
PetesRouter(config-if)#ip access-group 199 in
PetesRouter(config-if)#exit
PetesRouter#

[/box]

5. Save the changes with “copy run start”, then press enter to access the default name of startup-config:

[box]

PetesRouter#copy run start
Destination filename [startup-config]?
Building configuration...
[OK]
PetesRouter#

[/box]

Related Articles, References, Credits, or External Links

Cisco PIX / ASA Port Forwarding