Category: Microsoft

Organizations that subscribe to Microsoft 365 and also have on-premises IT infrastructure, tend to synchronize accounts from their local Active Directory database(s) to the cloud. Hybrid accounts (synchronized) simplify things like user login and password management.

In the Microsoft 365 portal, you can discern which accounts have been synched from the local Active Directory by their icon. Unfortunately, the on-premises Active Directory database does not have an attribute that indicates when an account has been synched with the cloud. This can lead to confusion.

Azure AD Connect, the tool used to perform the synchronization, has numerous options and features. So many that it can become difficult to tell which accounts have been hybridized and which have not. An administrator may be left attempting to compare the accounts in each database manually.

I was assigned this task for an AD database with more than two-hundred accounts. It wasn’t feasible to compare them one by one. Lucky for me, my PowerShell skills were up to the task. Run the script below, from a system that has both the Active Directory and Azure AD PowerShell modules installed. The report it outputs will show you which on-premises accounts are synchronized to the cloud.

Import-Module ActiveDirectory
Connect-AzureAD

Get-ADUser -Filter {Enabled -EQ $True} -Properties *  | 
    Select-Object DisplayName, SamAccountName, UserPrincipalName, LastLogonDate,           
    @{N="AzureADSynced"; E={(Get-AzureADUser -ObjectID $_.UserPrincipalName |
    Select-Object -Property DirSyncEnabled).DirsyncEnabled}} | 
Export-Csv $env:userprofile\documents\On-Prem_CloudSynced_Accounts.csv

When designed and implemented correctly, Windows failover clusters can be one of the most resilient server architectures available for your datacenter. Unfortunately, this does not translate into their never having issues. When they do suffer some type of trouble; diagnostics and recovery can be challenging due to the complexity of clusters resources.

I generally start the troubleshooting process by having Windows test and report the status of all the components. Generating the report is much faster than logging into each component individually and the report frequently points directly to the cause of an outage. To get started, open an elevated PowerShell console on any of the cluster node servers and run the following.

Get-Cluster | Test-Cluster

The one-liner should start a cluster validation report. The default CVR process is not invasive, no systems will be rebooted or otherwise heavily impacted. Invasive disk tests are skipped in the default report (at the time of this writing). If you didn’t redirect the output, the results will be located @ %SystemRoot%\Cluster\Reports. Three files are generated in the folder.

Please check official Microsoft documentation yourself. Microsoft has been known to change a PowerShell cmdlet’s default functions as a result of updates and upgrades, link below.

Open the .htm file in a web browser and look for items that do not report success. Click their links to see more information about the alert. Resolve any issues and reboot the cluster nodes or affected hardware, if you know it is safe to do so.

Rebooting a cluster node or other components can cause, or make a cluster failure worse. Hardware failure, data loss, and/or the interruption of services from multiple IT assets and business IT processes can, and does, occur. If you are not comfortable with, or are not authorized for these types decisions; stop-here and find someone that is.

To make this decision you should be fully confident in all aspects of the underpinning network, data-storage platforms, machine-level hardware, the operating systems of all involved equipment and their configurations and interactions. You should also know how to restore the cluster, and anything hosted on it, from backups.

Any action you take, is of course at your own risk. The idea of this article is to get you pointed in the right direction. Things like deciding what to do, and the results of any action, or inaction, are on you!

Standard cluster events populate the event viewer and you should review them. One of the easiest ways, is to open the failover cluster management console and look for cluster events on the dashboard.

Those that mention any malfunction of the Failover Cluster Database, but do not have a corresponding all clear message further down the log stream, are one indication of a possible cluster failure.

In addition to the Cluster Validation Report and events, Windows clusters also include node-level logging facilities. To generate them we need to switch back over to an elevated PowerShell console.

Get-ClusterLog

Running the cmdlet will export the running log for each of the nodes to a file. These reports can take much longer to compile than the CVR did, the reason for checking them, is that these logs will often compile even when the cluster, or its components, have suffered a major failure. The files created by the cmdlet will also be located @ C:\Windows\Cluster\Reports, assuming you did not specify a destination.

If you run Get-ClusterLog without specifying a time span, the resulting files can be very large. Hundreds of megabytes, or hundreds of gigabytes are not uncommon, depending on the cluster’s number of nodes, number of roles, and logging level configuration. You may actually struggle to open the files depending on your computer and its available software options.

Get-ClusterLog -Timespan 5 would pull logs for the last 5 minutes.

As for what to do with the files. Alas, that too is out of scope for a blog post. A good place to start is by searching them for key words like “error”. If you’ve gotten this far and haven’t found a solution, you might consider contacting a professional with Hyper-V Cluster experience, or opening a support ticket with Microsoft’s Hyper-V support team.

This may also be a good point to restore the host’s Windows session state backups or the hosts themselves. Either restoration option should let you restore the cluster to a working state. The catch is that restoration itself, is an expert-level decision and action. A decision with whole separate sets of requirements and consequences that you need to fully understand before deciding on.

If you don’t have backups, or the restore didn’t work, you’re going to want to stay tuned for my next post in this series.

Further Reading:

• Test-Cluster – https://learn.microsoft.com/en-us/powershell/module/failoverclusters/test-cluster?view=windowsserver2022-ps
• Get-ClusterLog – https://learn.microsoft.com/en-us/powershell/module/failoverclusters/get-clusterlog?view=windowsserver2022-ps

• Part 2 Rebuild It- Hyper-V Failover Cluster Troubleshooting and Recovery Part 2, How to Rebuild It.

If your organization utilizes conditional access rules (aka Geo-fencing), you may be experiencing issues accessing the platform this morning. If you suspect this outage is impacting your productivity, contact your IT support.

At the time of this post, Microsoft was estimating that the recovery process is 25% completed. You can access status reports by visiting the Health section of your Microsoft 365 admin portal.

I’m not sure that I ever knew the Home/Family version of Microsoft 365 supported custom domain names. I was changing some settings in Outlook and ran into a notification. It was a warning that the ability to add custom domain name to your Priemium Microsoft account would expire on November 30th of 2023. Not one to miss out on features I am paying for, I decided to dig a little deeper. You can review the notification message yourself here. https://support.microsoft.com/en-us/office/changes-to-microsoft-365-email-features-and-storage-e888d746-61e5-49e3-9bd1-94b88e9be988

If you reading about this feature for the first time like I did, here’s what to know. If you have, or are willing to buy, a custom domain name from GoDaddy.com you can use it for email with your Microsoft 365 subscription. According to the official instructions, public DNS records for the domain must be hosted with GoDaddy.

I already had a domain name from GoDaddy and was able to use it without issue. The process was more complicated than it would have been if had I purchased a brand new domain name from GoDaddy through Outlook. I had to manipulate DNS records manually to make my domain work. It is my understanding that part of the process is automated if you purchase the name though Outlook.com.

Whether you already own a domain or are purchasing one, the setup starts with logging into what is commonly called OWA (Outlook Web Access) aka your Outlook.com account https://outlook.live.com will get you there.

Click on the Gear icon (settings) in the upper right hand corner.

In the pane that opens click View all Outlook Settings at the bottom.

Now click Premium, then Personalized email address.

You can read the notification, use the Manage button to sign-in to your GoDaddy account, or set one up if you don’t already have it. Microsoft’s own documentation on the setup, questions, and troubleshooting is where you should turn for the rest of the configuration. They’ve made the process fairly simple, it took me about forty-five minutes to get my custom email addresses fully working on the Internet. If you complete the setup process before the deadline, your custom email address will not stop working.

There are plenty of online guides that explain how to configure Exchange Online to allow external mail forwarding. This isn’t another one, try Microsoft’s own guide if that is what you are looking for. We’re talking about a situation I recently encountered in which mail forwarding was correctly configured (via the linked doc), but still not working.

The problem turned out to be a guest account that contained an email address that matched the forwarding target’s address. I deleted the guest account and replaced it with a mail contact. Everything worked normally afterward.

You may be wondering why I didn’t just configure forwarding to point at the guest account instead of deleting it. That is because there’s no option to do so as far as I can tell. Exchange Online’s people picker does not seem to recognize guest accounts.

The existence of the guest account prevented me from creating a mail contact because another Azure AD object contained the same address. You can’t have multiple objects with the same SMTP address in the same tenant space. Except when you manually enter and SMTP address in the forwarding target of a mailbox?

One of the features promised during the Windows 11 run-up was that it would be able to natively run Android applications. The Windows Subsystem for Android fulfills that promise. The WSA is officially out of preview.

Before you start installing the new feature there are some of those pesky requirements to contemplate. At the bare minimum you’ll need 8 gigs of RAM, an SSD storage device, and i-3 or Ryzen 3000 series CPU. However, like all things PC, the minimum specs will probably leave you unsatisfied with the performance. 16GB and an i-5 or Ryzen 5000 series will let Android apps run like they do on your phone or tablet.

I have an i-7, 16GB, an SSD, and discrete GPU in my laptop. I tested out several apps, they all ran fine. I was able to play War Robots, a 3-D mech warrior clone, without lagging or other issues. Even on-line matches worked well. It should be noted that not all apps are supported, and some will suffer from re-sizing issues depending on how they were coded.

You should also be aware that the Amazon App store is the only supported option for installing apps at the moment. If you are so inclined, there are a few posts on-line that explain how to hack the system into running other famous app stores along with getting direct APK files to install and run.

Installing the Windows Subsystem for Android is a simple matter. Open the Windows App store and install the Amazon App store. Yes, I know that sounds weird but nonetheless it is correct. If you have issues, make sure that the virtualization features of your processor are enabled. These settings are accessed in the UEFI BIOS. Microsoft has published this handy document that has links to most manufacturers’ instructions. Typically, the options are enabled by default in my experience.

I’ve already found the feature useful for testing Android apps and playing a few Android games. Outside of development and techs playing around, I’m not so sure the feature will catch on. The Amazon Appstore is missing some key apps. I had hoped to install the Microsoft Authenticator app for some end user documentation efforts but found that it isn’t available. If Microsoft can secure support for Google Play store the mass appeal will be stronger. It remains to be seen if that’s in the cards.

Microsoft has been engaged in the removal of Basic Authentication from their Exchange On-line systems for almost a year. The final cutoff is currently set for October of 2022. Some business applications and devices like scanners logon to the cloud with their own user account to deliver their messages. Older apps and machines that impersonate a Microsoft 365 user in this way may not support MFA (Multi-Factor Authentication), aka 2FA.

In preparation for decommissioning the basic logon protocol, Microsoft has begun modifying the SmtpClientAuthenticationDisabled attribute for Tenants and mailboxes they’ve deemed to not be using it anyway. According to their documentation, they will post a notification in the Message Center before making the changes to your organization’s subscription. We’ve received multiple reports of this change effecting established systems that are used every day with no message being seen in the Microsoft portal.

If you find that your apps, MFPs, or other non-Outlook email clients have suddenly stopped working, there are some useful PowerShell commands that will help you diagnose the situation. You can also re-enable SMTP authentication for either your entire Org or for individual mailboxes. Most of this information is outlined in another Microsoft Document.

To check the SMTP Authentication status of an Exchange On-line subscription, logon from a PowerShell session in your favorite terminal app. The instructions in this post assume that you have already installed the new EXO V2 PowerShell module.

To check settings for the organizational level, run the command below. An output of True means the authentication is disabled at the top level. This is not the whole story. Each mailbox can also have its own setting. The top-level only applies when a mailbox’s corresponding attribute is blank.

Get-TransportConfig | Format-List SmtpClientAuthenticationDisabled

If the mailbox SmtpClientAuthenticationDisabled attribute is set to a value other than $null (empty in the report you generate below), it overrides to top-level command. Use this one-liner to generate a report showing each account’s setting.

Get-CasMailbox | Select DisplayName, PrimarySmtpAddress, SmtpClientAuthenticationDisabled

To change the Organizational (default) level, execute the following line in your console. Change the value at the end from $true to $false to fit your desired outcome.

Set-TransportConfig -SmtpClientAuthenticationDisabled $true

To modify individual mailboxes, you’ll need the email address. The SmtpClientAuthenticationDisabled value can be set to $true (disable SMTP auth), $false (enable SMTP auth), or $null (use ORG level).

Set-CASMailbox -Identity xxx@xxxx.com -SmtpClientAuthenticationDisabled $true 

Use this simple script to modify all of your mailboxes at once, the same values apply here. Note: if you are at a larger company, you may need to add the ResulteSize Unlimited switch. As written, it will enable SMTP Authentication for all mailbox accounts.

$mailboxes = Get-CasMailbox|Select-Object PrimarySmtpAddress -ExpandProperty PrimarySmtpAddress

Foreach ($mailbox in $mailboxes){
    Set-CasMailbox -identity $mailbox -SmtpClientAuthenticationDisabled $false
    }

Typically, the 700003 error code indicates that the computer’s machine account cannot be found in Azure Active Directory.

Recentley I encountered a situation that had dozens of systems showing the error message. It was difficult to explain how that many system accounts could have been removed from Azure AD.

Eventually I traced the problem to some work another team was doing. They were reorganizing on-prem computer accounts into new organisational units. The Azure AD Connect configuration pointed at specific OUs and nobody had thought to add the new ones.

As the systems were moved to their new OUs they were marked for deletion by Azure AD Connect. The fix was to add the new organization units to ADC and force a sync.

During a recent security exercise, I needed to validate all of the admin created service accounts in use on a customer’s Windows domain. The only problem was the total lack of trust in the documentation. In order to check them, I would first have to find the service accounts across dozens of customer environments.

Surely Microsoft included a method to acquire the data I needed? I mean, it’s their recommendation to review the accounts in the first place. So, I’ll just fire up the domain service account console. Yeah, right, you are on your own.

Some of my co-workers had resorted to logging on to each server one at a time, but I had way too many for a manual search. Of all the skills that I have invested my time into learning, none have paid off like knowing PowerShell. Run the script below from a DC or system with the RSAT AD modules installed. Use a Domain Admin account in an elevated PowerShell console. It will find all of the Windows servers in the domain and list the services that are automatically starting with a named account.

$ErrorActionPreference = "SilentlyContinue"
 
Import-Module ActiveDirectory 

$domains = (Get-ADForest).domains
$dcs = Foreach ($domain in $domains) {
    Get-ADDomainController -DomainName $domain -Discover -Service PrimaryDC
}
$servers = Foreach ($dc in $dcs) {
    Get-ADComputer -Properties * -Filter {(OperatingSystem -like "*Windows Server*")}| Select-Object DNSHostName -ExpandProperty DNSHostName
}

Foreach ($Server in $Servers) { 
    Get-WmiObject -Class win32_service -ComputerName $Server -Property SystemName, Name, StartMode, StartName, State | 
    Select-Object SystemName, Name, StartMode, StartName, State | 
    Where-Object {($_.startmode -like "auto") -and ($_.startname -NotLike "*NT Auth*") -and ($_.startname -Notlike "*Local*") -and ($_.startname -Notlike $null)} |
    Format-Table -AutoSize
}

In the beginning, there was so much confusion around Microsoft’s new OS requirements that even many professionals had to tune out the noise. Now that 11 has actually landed, the requirements aren’t too difficult to grasp, right? TPM 2.0 and an eighth gen or newer CPU are the big ones.

If you are okay with accepting some risk, then you can bend the rules and load the new version on pretty much anything. Side doors are always an intriguing option for inquisitive people. They almost always come with some grave side effects, and Microsoft doesn’t disappoint.

If you edit the registry of most computers from the Windows 7 era (already running 10), the TPM and CPU checks can be bypassed. This allows the Windows 11 upgrade to be intiatied by mounting the ISO and running setup. You will be accepting an agreement that states you are proceeding at your own peril and that future updates may be withheld. I followed The Verge’s three step guide the first time: read it @ https://www.theverge.com/22715331/how-to-install-windows-11-unsupported-cpu-intel-amd-registry-regedit

The first thing I used the technique on was an older Samsung Galaxy Book 10.6. The Intel m3 CPU doesn’t pass muster according to the Windows PC Health Check. Admittedly, the dual core 1GHz CPU and 4GB of RAM are pretty light by today’s standards. 

I formatted the disk and installed a fresh copy of Windows 10 along with all the drivers and such from Samsung’s recovery feature. Then, I updated everything: BIOS, Windows, App Store, 3rd party software, all of it, to the newest available option.

In subsequent upgrades, I skipped the clean install and had zero issues. I wanted this one to be as pristine as possible. I plan on pressing the Galaxy Book back into service as the portable Windows machine in my travel tool kit. The little Samsung tablet took the upgrade with ease. Once the installation and initial setup were complete, I updated everything again.

The results are impressive. Microsoft’s newest OS runs like a champ on the ultra-portable. The hardware was automatically detected, and proper drivers were loaded. The camera, speakers, mic, Bluetooth, keyboard, touch screen, and pen all work perfectly. The system is responsive, snappy even. The only issue I have detected is a tendancy for the network adapter to crash while resuming from hibernation.

I proceeded to upgrade a Dell G3 laptop, Lenovo gaming laptop, an HP Elite Book, a Dell Venue tablet, a Surface 3,  Surface Go, Surface Go 2, Surface Book 2, and multiple custom built gaming desktop systems of both Intel and AMD architectures. In all of that, the network resume glitch is the only issue I have personally encountered.

Here’s the thing: I have encountered that glitch on three different systems. Both wireless and wired nics have been affected. I’ve tried everything I know but have not been able to resolve the problem without resorting to disabling hibernation. Incidentally, disabling the network adapter in the device manager and then turning it back can sometimes help.

Given how draconian Microsoft has been in the media about the requirements, I was pleasantly surprised. My experience to date has been that any system or software compatible with Windows 10 is also compatible with Windows 11. Or, at least, it can be if you are willing to jump through Microsoft’s hoops.

You can use Outlook 2007 and newer to merge PST files. This process is useful if you have acquired somebody else’s mailbox export, or have numerous archive files that are difficult to deal with. You can not select a source PST that is in use by Outlook so you must close it first. If you are consolidating into a single new PST file, create it before you continue with the steps below. The target PST file needs to be mounted in the Outlook profile or it will not show up as an option in the import dialog.

• Open Outlook, right click on the Source PST file and close it
• Click File -> Open / Export
• Click Import / Export
• Click Import from another program or file -> Next
• Click Outlook Data File (.pst) -> Next
• Browse to and select the source PST file (the one you are moving data from)
• Make sure the “Do not import duplicates” option is selected.
• Click Next
• Be sure the “Include subfolders” check box is selected.
• Select the radio button labeled “Import items into the same folder in:”
• Choose the Target Outlook Data File from the drop down menu.
• Click Finish