ADPREP Error When Promoting New Domain Controller

When attempting to promote a new domain controller into an existing active directory environment, an error was encountered that wasn’t previously seen.

Error: The DN is CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=. 
The error logs were located: C:\Windows\debug\adprep\logs\

Looking into these folders, find the file ending in .87 and open in Notepad

Note the Attribute 0 appliesTo value

On a functional domain controller, launch ADSI Edit and connect to Configuration

Inside of CN=Extended-Rights, edit the “appliesTo” attribute for the below list of entries to remove the value data mentioned in the log file

List of items to edit:

CN=Send-As,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=Receive-As,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=Personal-Information,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=Public-Information,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=Allowed-To-Authenticate,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=MS-TS-GatewayAccess,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld 
CN=Validated-SPN,CN=Extended-Rights,CN=Configuration,DC=domain,DC=tld

Once these have been done, attempt to run ADPREP again.

Perform AD Health Check & Clean UP – Before Adding New DC

This guide is intended to demonstrate the key tasks to perform before adding a new Domain Controller to Active Directory, or, when performing extended maintenance on older AD environments where domain controllers have been added & removed in its lifetime.

Get a list of all Domain Controllers using an administrative level PowerShell session:

Get-ADDomainController -Filter * | ft Name,Hostname,OperatingSystem,IPv4Address

Confirm in Active Directory Users and Computers (ADUC) that this list corresponds with the Domain Controllers OU (typical in simple environments that they all live in the same OU)

Note there are three domain controllers and they’re all Global Catalog located in the same site

Next, launch ADSI Edit

Right-click ADSI Edit in the top of the left tree, click Connect to…

Under the drop down list labelled “Select a well known Naming Context:” select Configuration

Click OK

Expand out:

Configuration > CN=Configuration > CN=Sites > CN=(site name) > CN=Servers

Confirm that this list matches that of what you got out of PowerShell earlier

Check each of the CN=Sites for all other CN=Servers – you’re confirming all sites for the presence of their DC (if they have them) or for any remnants of previous domain controllers still present in ADSI Configuration…

Example: This AD environment has multiple sites, and the site named DRFS54 no longer has any domain controllers, so after demoting them, a clean up was performed to ensure there are no remnants of them…

Next, launch the DNS Manager

You’ll need to expand out EVERY folder for both forward and reverse lookup zones on the left – you’re going to comb through EVERY one of these – checking for previous, no longer existent domain controllers listed, and ensuring that each zone has only current domain controllers listed…

So in the various AD-specific zones & meta data, check that no old DC’s remain – remove any old ones

For each zone, right click and select Properties, then click the Name Servers tab

Check & confirm that only current servers are listed – remove any old ones

Repeat the same for all Reverse Lookup Zones. If there are none, it would be good to create any required reverse lookup zones – but do this after the full health check has been completed & errors fixed… A reverse lookup zone will be required for any LAN & VPN subnet that might contain other PCs & servers that will communicate with AD, so in the case where there are multiple sites and remote access, each site and the VPN subnets will be created here.

Next we’ll move onto DCDIAG

Using an elevated command prompt from one of the domain controllers, issue the command:

DCDIAG

Check the output for any errors

Repeat this on every domain controller

If the domain controller has a VSS-level backup job or has been rebooted in the last 24 hours, you may receive the following error:

Starting test: DFSREvent
There are warning or error events within the last 24 hours after the SYSVOL has been shared. Failing SYSVOL replication problems may cause Group Policy problems.

This is normal and expected, as during either of the above mentioned scenarios, the DFSR service is stopped or paused, a VSS (volume snap shot) is taken, then the service is started again.

Check for other errors and fix up as best as you can – if you’ve had to perform a clean up, then you may need to wait up to 48 hours before some of the errors clear up and no longer show up in DCDIAG results. Google and ChatGPT are your friends here when it comes to errors.

Next, in an elevated command prompt, issue the command:

netdom query fsmo

This will output what AD believes is the primary role holding domain controller. If the AD is relatively old, has had servers added & removed in its lifetime, then. perform this check on every domain controller to ensure congruency.

On every domain controller – edit the NIC DNS settings to ensure that every DC has each domain controller’s IP Address as a DNS server, ideally with the PDC/FSMO as the primary IP Address, then all other DCs, followed by its own IP address, fianlly followed up with 127.0.0.1 as the last DNS lookup IP address.

Ensure the AD domain name is in the DNS suffix with registration enabled.

After ensuring this is completed on every domain controller, wait up to 24 hours and perform a final DCDIAG on each domain controller. What you’re looking to achieve is a clean bill of health in DCDIAG as pictured in the above examples!

Now go back and add in the missing Reverse Lookup Zones in DNS manager – check this has replicated across to each DC.

Note: The example AD environment above is for illustration purposes only, may not be reflective of the environment you’re attempting to follow this guide in, and is a testing lab only.

DCDIAG Result – Warning: Attribute userAccountControl of DC is: 0x82020

Issue:

When performing a DCDIAG, you get a warning with output:

Warning: Attribute userAccountControl of DC is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

Cause:

The computer account was pre-created in Active Directory Users and Computers (ADUC) before being added to the domain and promoted as a domain controller.

Fix 1:

  • Launch ADSI Edit and connect to the Default Naming Context
  • Drill down into the Domain Controllers OU
  • Double-click the domain controller and in the Attribute Editor tab, scroll down to userAccountControl
  • You will likely see the value set to something like:
0x82020 = (PASSWD_NOTREQD...
  • Highlight the value and click Edit
  • Change the value in the edit box from 532512 to 532480
  • Click OK and OK again to save the changes

Now running DCDIAG should show this error to have been cleared.

Fix 2:

You can use an elevated PowerShell session to automate the process of the above steps in Fix 1 to all domain controllers in the Domain Controllers OU.

Change the -searchbase criteria in the below and execute:

get-adobject -filter "objectcategory -eq 'computer'" -searchbase "ou=Domain Controllers,dc=domain,dc=tld" -searchscope subtree -properties distinguishedname,useraccountcontrol | select distinguishedname, name, useraccountcontrol | where {$_.useraccountcontrol -ne 532480} | %{set-adobject -identity $_.distinguishedname -replace @{useraccountcontrol=532480} -whatif}

Even if the above command fails to fix the values, it will at least list servers with the incorrect values – handy where there are numerous domain controllers present.

Extra Information:

Some typical values:

  • Standard user: 0x200 (512)
  • Domain controller: 0x82000 (532480)
  • Workstation / member server (non-DC): 0x1000 (4096)

 

Change the default OU’s in AD for new Users and Computers

By default, when new users & computers are created in active directory where the OU hasn’t been specified at creation, AD defaults to the following OU’s:

  • Users go into: DC=domain,DC=tld\Users
  • Computers go into: DC=domain,DC=tld\Computers

These can be changed to go into OU’s that you choose by issuing the following commands in an elevated PowerShell session / command prompt and change directory to:

cd C:\Windows\System32\

Users:

redirusr “OU=<newuserou>,DC=<domainname>,DC=com”

Computers:

redircmp “OU=<newcomputerou>,DC=<domainname>,DC=com”

Hint: Obtain the OU distinguish name from the advanced properties of the OU itself.

Configure Windows NTP Servers in Active Directory Environment Using Group Policy

Scope:

Setup a fully functional & authorities time service across Active Directory to ensure all AD joined Windows systems are properly time-synced to the domain controller(s) and also to external sources when abroad.

The Primary Domain Controller:

In Active Directory, the PDC Emulator should get the time from an external time source and then all member computers of this domain will get the correct time from the PDC. Since the PDC Emulator can move around, we make sure the GPO is applied only to the current PDC Emulator using a WMI filter.

Go to the WMI Filters section in GPMC and create a new filter like the following:

Here’s the query for you to copy’n’paste:

Select * from Win32_ComputerSystem where DomainRole = 5

Create a GPO called NTP Policy – PDC and apply it to the Domain Controllers OU

Apply the WMI filter you created earlier

Drill down into:

Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers

Edit all three policy items in this folder:

Next, we need to allow the NTP requests to hit the domain controller, so drill down into:

Computer Configuration\Policies\Windows Settings\Security Policies\Windows Defender Firewall with Advanced Security\Windows Defender Firewall with Advanced Security\Inbound Rules

Right-click on the Inbound Rules tree item and select New Rule…

Choose Port and click Next

Select UDP and specify port 23. Click Next

Select Allow the connection and click Next

Ensure all network profiles are selected and click Next

Give the rule a name, such as NTP-in and click Finish

The final result will look something like this:

Additional Domain Controllers:

Now we need to create another WMI Filter called BDC Emulator and use the following query:

Select * from Win32_ComputerSystem where DomainRole = 4

Create a new GPO in the Domain Controllers OU called NTP Policy – BDC

Link the WMI Filter for BDC Emulator

Now edit this GPO and drill down to:

Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers

Double-click Enable Windows NTP Client

Set to Enabled and click OK

Double-click on Configure Windows NTP Client

Set Type to NTP

Set NtpServer to hold the PDC and also a couple of external time providers that match what you specified in the PDC GPO

Click OK and close that policy

Congratulations! You have configured the NTP GPOs for the domain controllers.

Now we need to configure NTP for the rest of the domain members

Configure NTP for Domain Member Systems:

Finally, create a new GPO and link it to the OU where member servers, laptops, and workstations reside

Call it something like NTP Policy – Member Systems

Again, drill down to:

Computer Configuration/Policies/Administrative Templates/System/Windows Time Service/Time Providers

Double-click Enable Windows NTP Client

Set to Enabled and click OK

Double-click on Configure Windows NTP Client

Set Type to NTP

Set NtpServer to hold the PDC and also a couple of external time providers that match what you specified in the PDC GPO

Click OK and close that policy

Congratulations! You should now have successfully configured full AD NTP sync across the network.

Perform a gpupdate on systems to ensure policies are applying, use gpresult to ensure the policies are being read & applied.

In some cases, you may need to restart the Windows Time Service or reboot systems.

 

NTP GPO details explained

So what all these settings mean.

Configuring Windows NTP Client: Enabled

NtpServer:

  • Here you specify which NtpServers to use separated by a space but also with a special NTP flag. I decided to use the public ntp.org pools:
0.se.pool.ntp.org,0x1 1.se.pool.ntp.org,0x1 2.se.pool.ntp.org,0x1 3.se.pool.ntp.org,0x1

The NtpFlags are explained in detail here but 0x1 means: “Instead of following the NTP specification, wait for the interval specified in the SpecialPollInterval entry before attempting to recontact this time source. Setting this flag decreases network usage, but it also decreases accuracy.” where SpecialPollInterval is specified in the GPO (in our, case 3600 seconds)

  • The rest of the settings are explained in the GPO Help.

Enable Windows NTP Client: Enabled

  • Is a must, otherwise the computer will not sync with other NTP serves since it’s disabled by default.

Enable Windows NTP Server: Enabled

  • Is a must, otherwise the computer will not allow other computers to sync with it since it’s disabled by default.

Where is the configuration stored?

First, never edit the registry for NTP. If something is not working, clear the configuration and start from scratch and configure NTP using GPO or W32tm.exe. Do this by running the following commands:

Stop-Service w32time

w32tm /unregister

w32tm /register

Start-Service w32time

Still, you might want to check where the configuration is. When using GPO, the configuration is stored here:

HKLM\SOFTWARE\Policies\Microsoft\W32Time\Parameters

Note that this is different if you’re using w32tm.exe, then the configuration is stored here:

HKLM\SYSTEM\CurrentControlSet\Services\W32Time\Parameters

Useful tools when troubleshooting NTP

W32tm is still your friend and here are my favorites:

w32tm.exe /resync /rediscover /nowait

Resynchronize the clock as soon as possible, disregarding all accumulated error statistics. It will not wait for resynchronization and will force redetection of sources.

w32tm /query /peers

Displays all configured peers you have configured

w32tm /query /source

Displays the currently used time source. Note that after a restart of the service, it might show Local CMOS Clock until everything has refreshed properly.

w32tm /query /status

Displays the current status

w32tm /query /configuration

Displays the configuration

w32tm /debug /enable /file:C:\Temp\w32tmdebug.log /size:10485760 /entries:0-300

If you really want to get dirty, enable the debug log

Troubleshooting

Many things can go wrong when configuring NTP. Here are some suggestions:

  • Don’t forget to allow NTP traffic (udp/123) in your firewall(s) – if you have 3rd party firewalls, check them also
  • Enable the debug log and check that the service actually tries to communicate with the NTP serves. You can lower the SpecialPollInterval to 30 seconds to speed up your troubleshooting.
  • Restart the service and maybe even the server, sometimes this has solved it.
  • Also monitor the event log since the service logs there too.
  • If the domain controller is a Hyper-V VM, disable Time Synchronization on the guest

Attachments

This attachment is a client script that can be used to force reconfiguration of the local sync setup of workstations and member servers…

clocksyncupdate.cmd

Tasks to be performed post SSL Certificate renewal on Hybrid Exchange server environments

Forward:

This guide is for environments where Exchange On-Premise 2013/2016/2019 is configured as a hybrid deployment with Microsoft 365 Exchange Online.

Requirements:

It assumes you have an administrator mailbox account that can login to both Exchange On-Premise as an Exchange Administrator and login to Microsoft Exchange 365 Online as a Global Admin.

You will also require an active, functional mailbox sitting in the mailbox database located in the Exchange On-Premise. This mailbox does not need to have any administrative rights, it doesn’t even have to be in use actively by a user, it just needs to exist for testing purposes.

The Exchange On-Premise needs to be externally accessible on ports: 25, 80, and 443.

Prerequisite Checks:

First, we need to check the health of the AD-Sync deployment. In the Microsoft 365 Admin Center, head to Health > Directory sync status

Check that Directory sync is on & healthy, no errors, and make sure password sync is also working.

Ideally, recent syncs should be less that 40 minutes.

If AD Sync isn’t working properly, address this problem before continuing any further.

Microsoft has recently split off support for Microsoft Windows Server 2012 R2, so this version of Windows is less likely to receive any updates. If you’re in this situation, you may need to download Azure AD Connect version 1.6.16.0. More on the Azure AD Connect version history here. Please note, that as of August 2022, all Azure AD Connect versions 1.x.x.x will be retired as they use Microsoft SQL Server 2012 which will no longer be supported.

If you’re in an environment still operating on Windows Server 2012 R2, now is the time to start planning an upgrade – even if that upgrade means deploying a more modern version of Windows Server (2016/2019/2022) as a domain member or secondary domain controller, and configuring Azure AD Sync on this newer server instead.

Certificate Installation on On-Premise Exchange server:

You will need to already have your new certificate file(s) – ideally, you want the full stack certificate file in pfx format.

Login to your Exchange server’s desktop environment as a domain admin, copy the P12 PFX file to somewhere local on the Exchange Server.

Double-click the certificate file to launch the certificate installation wizard

Select Local Machine and click Next

Confirm by clicking Yes if you are prompted with the UAC elevation prompt

On the next screen, just click next

This next step is pretty crucial especially, if later you need to export the certificate for use elsewhere…

Enter in the password for the PFX file.

Ensure that both options are ticked for:

  • Mark this key as exportable
  • Include all extended properties

Now, if the certificate is properly formatted, the Automatic store selection should just work fine here. If not, select the Personal certificate store.

Now we need to check the certificate in the Certificates snap in for the local machine and ensure we give it a meaningful name

Click start, type in mmc.exe – once its listed, press enter (note: if UAC is on, you will be prompted to click Yes again).

Click File > Add/Remove Snap-in…

In the left box, choose Certificates, click the Add button

It will prompt you to select what certificates to manage – select Computer account and click Next

Select Local computer and click Finish

Click OK

Expand out Certificates > Personal > Certificates

Click on the Certificates folder you revealed under Personal

You will be presented with all the certificates

You will see both the expiring / expired certificate and the newly installed certificate. Note, neither of these have a ‘friedly name’ – we’re going to fix this now.

Right-click on the newly installed certificate and click Properties

In the properties window, give the certificate a friendly name – this is very helpful to identify this certificate when there are several with the same SAN. Ideally, I like to use the FQDN_YYYY at the very least which indicates the fully qualified domain name, and underscore, and the year the certificate was installed. Some techs will use the installation date or the expiry date. If you do this, maybe also add in the words installed or expires so the next time this is revisited, the date is more meaningful.

Once you have the name, click OK.

Update Bindings in IIS:

Now the friendly name filed in the certificates list will have the name you entered against that certificate. Go ahead and close the MMC certificates console.

Next we need to launch the IIS interface and expand out all the sites.

First click on the Default Web Site and expand it – this will likely have all the front end facing sites & services.

Now on the right side under the Actions menu, click Bindings…

Any of the bindings in here that are on https need to have the new certificate applied

Double-click and set the new certificate for each one

Once these are done, move onto the Exchange Back End pool

Again, on the right, click to edit the Bindings in the Actions menu

There’s usually only a single binding on https and uses port 444.

Note: This is almost always meant to use the default “Microsoft Exchange” certificate issued by the Exchange server, so don’t change this unless it for some reason already has the expiring signed SSL certificate or is required to have a 3rd party certificate!

Again, edit this binding to use the new certificate

Once the bindings have all been updated, you may need to restart IIS – note this will disconnect any connected clients.

In the tree on the left, click on the server, then on the right under the Actions menu, click Restart – this may take a minute

Update Connectors in Exchange:

Login to the Exchange ECP Web UI with the administrator account.

While you’re at it, open another tab in the same browser and use this other tab to login to the Microsoft 365 Admin Center – using the same account credentials.

In the On-Premise Exchange ECP, head to Servers > Certificates

Double-click the new certificate

Locate the Thumbprint, copy and paste this into a notepad session (you’ll need this shortly)

You will need to select Services and then tick box:

  • SMTP
  • IMAP (optional, but not available for wildcard certificates)
  • POP (optional, but not available for wildcard certificates)
  • IIS

(Note that IMAP and POP are optional, but recommended to choose them if clients are connecting using these protocols)

Click Save

You may receive a Warning prompt about overwriting the existing default SMTP certificate, Choose Yes.

 

Update Default Send and Receive Connectors in Exchange On-Premise PowerShell:

Launch an Exchange PowerShell for the On-Premise Exchange server

Issue the command:

Get-ExchangeCertificate

This will list all of the installed SSL Certificates on the Exchange server

Note, the Thumbprints for each will be listed – confirm your new SSL Certificate’s Thumbprint should be listed there as well.

Let’s place the Thumbprint into the PowerShell session’s environment variables

$cert = Get-ExchangeCertificate -Thumbprint XXXXXX
$tlscertificatename = "<i>$($cert.Issuer)<s>$($cert.Subject)"

(The second line will be used a little further down)

Let’s enable secure SMTP using the new certificate:

Enable-ExchangeCertificate $cert -services SMTP

Note: Due to recent Exchange updates, if you get an error similar to the below running this, change the command to:

 Enable-ExchangeCertificate <thumbprint> -services SMTP

and it should work

Now let’s get the Send Connectors list and update the connector with the new certificate

Get-SendConnector

This will list all the send connectors, locate the connector used to connect with Office 365 – it will look something like:

"Outbound to Office 365"

Let’s set this connector to use the new certificate:

Set-SendConnector "Outbound to Office 365" -TlsCertificateName $tlscertificatename

Repeat for any other send connectors that are in use

Next, we need to do the same for the Receive Connector(s)

Issue the command:

Get-ReceiveConnector

to get the list of all the receive connectors

Identify which connector(s) are using secure protocols for incoming connection (incl. from Office 365). Eg:

<ExchServer>\Default Frontend <ExchServer>
<ExchServer>\Client Frontend <ExchServer>
<ExchServer>\Client Proxy <ExchServer>

Where <ExchServer> is the local host name of the Exchange server.

You may have multiple receive connectors that require updating, so the below will need to apply to these as well.

Set-ReceiveConnector "<ExchServer>\Default Frontend <ExchServer>" -TlsCertificateName $tlscertificatename

Update the Office 365 receove connector as well.

You can now delete the expiring SSL certificate from the Exchange server (via IIS or Certificate manager).

Head back to Exchange ECP > Mail Flow > Send Connectors

Edit the Send Connector used by Office 365 to note down the following settings:

Delivery > mail routing (MX or Smart Host)

Scoping > Address Space

Again, note these settings down as the Hybrid Configuration Wizard will overwrite them and mail break some mail flow.

 

Re-Validate the Hybrid Configuration:

The below process has been completely re-written as the process has changed extensively. Migrations are no longer performed on the on-premise Exchange server.

From the desktop of the Exchange server launch the Microsoft Office 365 Hybrid Configuration Wizard:

Its likely an update will be offered, so please proceed with the update installation

Once all updated and installed, click Next at the Welcome screen

Wait for the wizard to perform its initial detection task – once done, it should show the correct Exchange server and have Office 365 Worldwide selected. Click Next

Ensure a domain admin account has been auto selected for the on-premise Exchange server.

Click Sign in for the 365 tenant admin account and authenticate as usual

Once signed in for on-prem and 365, it should look like the below – click Next

The wizard will spend some time ‘gathering information’

Sometimes issues do crop up here, usually if the configuration is broken of very old, or if certain parts of Exchange aren’t working properly.

You’ll need to spend some time addressing the concerns raised before you get a successful result on both on-prem and 365:

Its likely that Full Hybrid Configuration will be selected, and Minimal Hybrid is greyed out – this is fine

In the event that Minimal is selected, discuss with the lead tech for this client to clarify this is correct as usually we setup Full Hybrid Configuration.

The next screen will present the domain names present and selected.

If unsure, discuss with the lead tech, but in most cases, all domains will be selected

(some clients have way too many domain names)

At this time, where Hybrid Sync is configured with Class Hybrid Technology we’re still using this, but in the future we’ll likely migrate to Modern Hybrid Technology (likely when pushed by Microsoft to do so)

Click Next

This next screen will usually be smart enough to figure out if the on-premise Exchange server is using CAS/MBX or EDGE connector roles – but be sure to double check – especially with larger Exchange deployments

The next two screens just asks you to confirm which Exchange server to use for hosting Receive Connectors and Send Connectors – 99.99% of the time, same on-premise Exchange server, so click Next for each

After this you will be asked to choose and confirm the correct SSL certificate to be used for communication between Exchange on-prem and Office 365 – ideally, this is the same SSL certificate used on the Exchange for the Send & Receive connectors and Web Front Ends as installed earlier in the guide. Ensure the current SSL has been auto selected and no old / expired signed certificates exist – if they do, you need to stop and fix this up before re-running the Hybrid Configuration Wizard!

The next screen just confirms the public FQDN on the on-premise Exchange server as configured on the connectors – click Next if correct (365 will connect using this)

The wizard is now at the final stage and is ready to update the configuration, so tick Yes to upgrade and click Next

The process should only take up to 5 mins on a relatively standard & healthy environment (running Exchange 2016 or 2019)

At the end of the wizard, you should be presented with a Congratulations screen with the welcoming green tick, click Close.

Now return to Exchange ECP > Mail Flow > Send Connectors

Edit the send connector for Office 365

Using the settings you noted down earlier, adjust the connector back to what you have noted down.

Don’t go away, we’re almost done, but not yet… Now we need to test & confirm its working properly…

Test Hybrid Exchange Configuration

To test we need two things – an on-premise Exchange mailbox and to be logged into the admin as the tenant admin

The on-premise mailbox needs to be fully generated – one that has been logged into and has at least one mail item in its mailbox

In the Admin Center, head to Exchange > Migration https://admin.exchange.microsoft.com/#/migrationbatch

In the upper right corner, click on Endpoints and ensure the on-premise Exchange server is present and looks correct. If not, delete it – we can re-add it during the next steps below…

Click to Add Migration Batch and follow the wizard steps:

Name: Hybrid Test

Path: Migration to Exchange Online

Type: Remote move migration

Select or add the on-premise Exchange server as your endpoint

(note: if needing to re-add, please see the appendix at end of this guide on what that looks like, but it should be pretty straight forward)

Select to Manually add users to migrate and select the test on-prem mailbox from the list when you click in the text entry field

Select the target delivery domain (note: the test account must have this same domain as an alias address in its AD proxyAddresses attribute / as a mail alias)

The final screen here will need to be set to:

Auto start the batch

Manually complete the batch (as we don’t actually intend on completing the batch)

Send email to the admin mailbox or a mailbox you have access to if you need to review the alerts

Click Save

Click Done

Now sit pretty and monitor the migration batch

Once the Syncing status has changed to Synced we know its working. A small mailbox should be done within 15 mins. Once its synced, you can simply stop and delete the batch – job done – close ticket!

If there are errors, you’ll need to troubleshoot and fix – we can’t leave it in a broken state as the Hybrid Exchange is used for creating new user accounts.

This is what a synced batch job looks like:

Synced, 100% not finalized and not failed.

Select, stop, wait until stopped, then delete once at this stage.

Appendix:

Creating a new Exchange Endpoint:

Give the endpoint a meaningful, short name, ending in the year – if its old, likely we’ll see that and need to recreate it anyway.

The account name ideally will be a domain admin account that also has an on-premise mailbox, but the mailbox isn’t mandatory.

Remote MRS proxy server is the public FQDN of the Exchange server, eg: mail.domain.com

Don’t skip verification – we need confirmation that 365 can communicate with the on-premise server with the specified account

Once validated, continue on with the batch job creation as per above steps.

Firewall:

If the on-premise Exchange server isn’t being accessed by general users externally, as all mailboxes are in 365, then its best to restrict access to the Exchange on-prem HTTP, HTTPS and SMTP traffic to only IP addresses that require access (such as us, customer website if using SMTP) and to Microsoft 365.

This is the link for the IP addresses / network addresses that Microsoft has published for creating an ACL / whitelist on the customer firewall: https://learn.microsoft.com/en-us/microsoft-365/enterprise/urls-and-ip-address-ranges?view=o365-worldwide

Below is a sample firewall port forward / ACL for SMTP traffic allow list (using IPv4 IP/Networks):

 

Join Mac to Active Directory – the Right way!

This guide will assist you to joining a Mac to AD. There are plenty of guides online, but many of them leave out certain key aspects that lead to issues when not performed properly.

First step, check AD for the next available computer name and create the computer AD entity in the correct OU.

Document the AD computer description field with useful information such as ticket number, model, user, serial number, etc

Identify & note down any users / groups that should have local administrative rights on the Mac

Setting the local workstation host name:

Apple Menu > System Preferences > Sharing > Computer Name

Now let’s get get domain joined:

System Preferences > Users & Groups > Login Options

Click the  to gain admin access using the local administrator account

Change Display login window as: Name and password

Change Show fast user switching menu as: Full Name

Click the Join… button

Click Open Directory Utility…

Click the  and authenticate to unlock

Highlight Active Directory

Click the pencil  button to edit

Populate the Active Directory Domain field with the AD name

Click the  icon to expand the options

Place a tick next to Create mobile account at login – this tells the Mac to create a local user profile for the AD account so a) the user has somewhere to store data, and b) the user can login when away from the AD network.

Click the Administrative Button

Place a tick next to: Allow administration by:

By default, it will have domain admins and enterprise admins pre-populated.

Use the + button to add in the additional resource users & groups noted earlier that will require local admin rights

Click Bind…

This will first prompt for the local admin password

Then it will prompt for the domain administrator username & password.

If all details are correct and DNS is working, the Mac will be joined to the directory.

If you followed the earlier instructions to pre-create the computer in AD, it will advise you that the computer account exists, and ask you if you want to use the existing computer account – say Yes.

Domain Join over a VPN:

If you need to join over a VPN connection, but the VPN connection is disconnected when switching user accounts, you can cache an AD account from the local admin account when still connected to the VPN post domain join using the below terminal commands:

sudo /System/Library/CoreServices/ManagedClient.app/Contents/Resources/createmobileaccount -n [AD_username]

Once this passes, you will need to cache the login credentials

login

When prompted, login using the user’s username and password.

Note: the password entering will not provide any feedback on-screen.

Ideally, if the Mac is being domain joined over the VPN, you would also cache the domain admin account using this method also.

A Mac already directory bound that isn’t configured to create mobile account at login:

Using terminal, issue the below commands:

sudo dsconfigad -mobile enable

sudo dsconfigad -mobileconfirm disable

The first command forces the system to create mobile (cached) accounts when the user logs in, the second command suppresses the confirmation prompt when creating the account.

A little Terminal bonus:

You can do a quick & dirty AD join from the terminal using the below command:

dsconfigad -prefered yourserver.YOURDOMAIN.SOMETHING -a nameOfYourDevice -domain YOURDOMAIN.SOMETHING -u DomainAdministratorAccount -p 'DomainAdministratorPassword'

Of course doing this, will not set the Mac to create a mobile account at login, won’t configure local admin users…

Active Directory – Missing Attribute Editor in User editor

Issue:

Can’t access the Attribute Editor tab in users and groups

 

Scope:

Active Directory in Windows Server versions: 2008 R2, 2012, 2012 R2, 2016, 2019, and 2022.

 

Solutions:

First and foremost, ensure in AD Users and Computers, you have enabled the Advanced Features in the View menu:

For 99% of the issue occurances, this will fix the issue. You may need to close and re-launch the ADUC console.

If the above has been done and you still don’t see the Attribute Editor tab after enabling Advanced Features, first off, log out of the DC or management system from the account you are logged in with. Log back in and try again.

If after logging out and back in the issue persists, then there are some changes that may need to be made by performing the following steps:

Open ADSIedit.msc

Right-click the upper left most item in the left tree pane and click Connect to

Click the radio button in the Connection point for Select a well known Naming Context, and select Configuration from the drop down list

Now drill down through: CN=Configuration > CN=DisplaySpecifiers > CN=409 (409 is for US English, pick the language appropriate to your profile)

Double-click on CN=user-Display

Double-click on adminPropertyPages

Add in the missing value:

11,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

 

Once done, OK twice out and re-launch ADUC.

Now the Attribute Editor tab should be availble.

 

Extra Notes:

This is a common occurence for AD Domains that have been previously migrated from Windows Server 2003 (or older) into newer Windows server versions, and the functional levels raised. Unfortunately raising the domain functional levels doesn’t seem to add in these missing values.

If this is the case for your environment, you may also need to add in other missing values such as:

In the CN=computer-Display > adminPropertyPages

12,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

In the CN=default-Display > adminPropertyPages

4,{c7436f12-a27f-4cab-aaca-2bd27ed1b773}

 

 

Installing & Configuring IP Networked Printers in Windows

Update History:

  • 2017-Feb-09: Initial publication
  • 2019-Mar-12: Include mentions for coverage of Windows Server 2019 and ARM64 architectures
  • 2022-Feb-09: Include mentions for coverage of Windows Server 2022 and Windows 11

This guide applies to:

  • Windows Desktop / Workstation Editions 7, 8, 81, 10, and 11
  • Windows Server Editions 2008 R2, 2012, 2012 R2, 2016, 2019, and 2022

It is intended for environments where the printer is connected to the network, has either a fixed LAN IP address or a DHCP reservation, and is accessible by the target Windows systems. It is assumed that the printer has been freshly setup on the network but not yet installed or configured on any target workstation or servers.

Download and install drivers:

Identify and download the correct drivers for your make & model of printer. Ideally, you want to download the basic / standard drivers and not the full driver package installers. The ideal drivers may be identified as PCL, PS (PostScript), or WHQL drivers.

Typically, there will be multiple drivers – a listed set of drivers for multiple versions of Windows. Typically, most manufacturers will have the exact same driver files that cover many generations of Windows – eg: a driver written for Windows 7 will almost always work on Windows 10, or Server 2019, and Server 2008 R2.

Typically, the only differences in the drivers are:

  • Architecture (as in Windows 32-bit, Windows 64-bit, Windows Itanium, and more recently, ARM64.
  • The drivers communication protocol when communicating with the printer – this is how the computer talks to the printer, so PCL, PS, KX, etc…

You need to be aware of what communication protocol is supported by the printer. By default, FujiXerox DocuCentre machines don’t support PostScript (PS) out of the box, and require installation of additional optional hardware. If you’re looking to set one of these machines up on any Macs, get the PostScript card when ordering (cheaper at time of order than it is after the fact). Most printers will happily work using standard PCL drivers. Note: If you’re deploying Kyocera ECOSYS machines, aim for their KX drivers.

When downloading the drivers for deployment on a Windows server for sharing out to the networked Windows clients, opt to download both the 64bit and 32bit drivers of the same version number or release date, and if available, also the ARM64 drivers. When they are installed and made available to client systems using these different architectures, the user won’t have to go hunting to find drivers, as Windows will supply them to the connecting client during the printer installation.

Note here, we are downloading both the Windows 7 64 bit and Windows 7 (aka 32 bit) drivers for deployment:

Windows 7 (32 bit):

Once the drivers have been downloaded, extract them into their own sub folders. The may come as a ZIP file or as a self-extracting application. If the latter, when prompted to commence installation, cancel these operations – you just want the extracted driver files. Take note of where you have extracted them to. Pro-tip: place them in a ClientApps share so they can be accessed over the network at a later date it required.

Open the Control Panel (not Settings) and change the view mode from Category to Small Icons (or Large Icons if your eyes don’t work).

Click on Devices and Printers

Click on Add Printer in the toolbar

When Windows is scanning for printers, click on “The printer that I want isn’t listed

When prompted, select the option to Add a local or network printer with manual settings:

When choosing a printer port, select Create a new port and change the drop down list to Standard TCP/IP Port, click Next

Enter in the fixed or reserved IP address of the printer, and un-tick the Query the printer for automatic installation

Windows will now check to see if it can communicate with the printer’s network stack and determine the available network protocols (SNMP, HP Discovery, etc).

Now we need to install the actual drivers, click Have Disk

Click Browse and locate the folder where the 64 bit drivers were extracted to

You may need to drill down into a fairly deep folder structure, like in this example to locate the valid driver information (INF) file. Click Open

You will return here, where you can see the file path. Click OK

Typically, manufacturers will bundle drivers & support for multiple models of their printer for ease of production, so you will need to select the correct model & revision from the list to ensure you get all the correct features & settings available to your printer. Once selected, click Next

Give the printer a valid & meaningful name. If prompted to Share the printer to the network, un-tick this option as we’re not yet ready for this

Windows will now install the drivers and add the new printer

From here, click to Print a test page if there’s not many options on the printer, otherwise, click Finish.

 

Returning to the Control Panel > Devices and Printers, you will now see the newly installed printer.

 

Now we want to install support for 32 bit Windows (and ARM64 if applicable / available). This is to ensure Windows 32 bit systems connecting to our server to access the printer will also receive automatic driver installation. Although 32 bit Windows is becoming far less common these days, doing this ensures in the long term, there’s little or no poor user experience or frustration when adding shared printers to their systems. It also helps when deploying printers via Group Policy that 32 bit Windows users don’t get prompted to install drivers on every logon until installed.

Right-click on the newly installed printer

Select Printer Properties from the contextual menu.

Many networked printers offer automatic device configuration in the form of two-way communication between the printer driver and the printer’s network stack. If this is an option, enable it and click the button appropriate to update the printer options.

In our FujiXerox example, this is called Bi-Directional setup – which is off by default, so turn this on, then click Get Information from Printer.

What this does: Tells the driver to communicate with the printer, requesting information such as: how many trays, what paper is in each tray, are their side car options or ‘finishers’, staplers, binders, folders, etc. The printer will respond to the driver and tell it what options are installed & available, and also consumable information such as paper & toner levels, etc. Once done, click Apply to save changes and update the configuration.

You can verify this worked by clicking Advanced, and Printing Defaults

You’ll see tray options, paper sizes, color options, output options, etc.

Now, head to the Sharing tab, click Additional Drivers.

Place a tick next to the additional drivers that you have downloaded (such as 32 bit) and click OK

This will prompt you to install them, like at the beginning, click browse to locate and install the appropriate drivers

Once located and selected, click OK

Finally, now you can Share out the printer. If the Windows PC or server sharing the printer is a member of Active Directory (or is the domain controller), tick the option to List in the directory – this will make is easier later in Group Policy to deploy.

Windows PC’s on the network (either AD authenticated, or pre-authenticated locally) can now browse the network share of this Windows Server and install the shared printer by simply double-clicking on it.