Monday, March 30, 2015

How to Remove SID History from Active Directory Object

In this blog post I'm going to show you how to remove the SIDHistory from an object in Active Directory after a domain migration.  If you attempt to use standard Microsoft tools such as ADSIEdit to remove the SIDHistory from an object regardless what access rights you have been assigned, the following error will be presented.

Operation failed.  Error code: 0x5
Access is denied


00000005: SecErr: DSID-031A1256, problem 4003
(INSUFF_ACCESS_RIGHTS), data 0




To remove SIDHistory from an object you need to use the following VBScript from Microsoft KB295758.

http://support.microsoft.com/en-us/kb/295758

Simply copy and paste the script into a notepad document then run the script with the following arguments to remove the SIDHistory entries from the object in question.

 

Sunday, March 29, 2015

Windows 8 Unable to Connect through RD Gateway

A customer of mine today logged a support case stating users on Windows 8 or Windows 8.1 were unable to connect to remote computers by using a Remote Desktop Gateway (RD Gateway).

I tested this functionality and was able to reproduce the issue.  The error experienced was:

Remote Desktop can't connect to the remote computer for one of these reasons:
  1. Remote access to the server is not enabled
  2. The remote computer is turned off
  3. The remote computer is not available on the network
Make sure the remote computer is turned on and connected to the network, and that remote access is enabled.


Windows 7 clients did not receive any problems connecting through an RD Gateway.

After reviewing the group policy applied to the domain, I noticed a Group Policy object was setting the LAN Manager Authentication Level to "Send LM & NTLM - use NTLMv2 session security if negotiated".

 
The new RDP 8.0 client (built into Windows 8 and 8.1) requires this policy be set to "Send NLTMv2 response only" as it uses NTLMv2 and does not have the ability to negotiate authentication.  "Send NTLMv2 response only" is the default for Windows 8 and Windows 8.1.
 
As a test, I set a local policy on one of the Windows 8 computers using gpedit.msc and then did a gpupdate /force followed by a reboot.
 
 

After setting the LAN Manager authentication level to "Send NLTMv2 response only" I was able to connect to RD Gateways without issues.

I did not test this, but I assume if a Windows 7 client was updated to RDP v8 by installing Microsoft KB2592687, the same issue would be experienced if the LAN Manager authentication level is changed to anything other then the default.

Friday, March 27, 2015

PowerShell - Find All Files Beginning With

A customer of mine was hit with another one of those Viruses which encrypt all data on shared drives mapping back to the file server.  The entire shared drive was encrypted and users were no longer able to access documents on the volume.

I restored all encrypted files from backup however I still had these HELP_DECRYPT Ransome ware files in every directory on the file server.


As a result I needed an easy way to find and delete each of these files.

PowerShell!

First set the path you want to search, mine was H:\Shared.

Next run the following command to search any files containing HELP_DECRYPT with the following command:

Get-ChildItem $Path -Recurse | Where{$_.Name -Match "HELP_DECRYPT"}


 This went through and listed all of these HELP_DECRYPT files in every directory of the file server recursively.

After you have carefully went through all the results and confirmed that no legitimate files were listed, you can pipe the output from the Get-ChildItem command into Remove-Item cmdlet.


After piping the Output into Remove-Item, run the command to list the items again to ensure they were all deleted correctly.  Getting no output as per above means the files were removed successfully.
 

Saturday, March 21, 2015

Repairing ContentIndexState on DAG Nodes in Exchange 2013

In Exchange Server 2013, sometimes the content index state can go corrupt on databases.  When this occurs, Exchange 2013 FAST search technology is no longer available for the database meaning people cannot search for content from OWA, Active Sync or Outlook in online mode.

In DAG environments, you can simply reseed the Content Index State from a healthy node in the cluster.  I will show you how to perform this in this blog post.

Here we have two databases in a DAG cluster which have the index status in a failed state:


To manually update the ContentIndexState from a healthy node simply run the following command:

Update-MailboxDatabaseCopy "database\server" -CatalogOnly

In my case the database I want to update was "CCEX2-DB-02" on server "CCEX1" so I ran:

Update-MailboxDatabaseCopy "CCEX2-DB-02\CCEX1" -CatalogOnly


After running the command you can see we brought the index for the database back to a healthy state.


Repeat this process for any other databases with a failed content index.

Friday, March 20, 2015

Public Folder Migration Error:Property expression isn't valid

When migrating public folders from legacy Exchange 2007 and Exchange 2010 environments to Exchange 2013, you may receive the following error message:

Error: Property expression "Anglicare RT" isn't valid. Valid values are: Strings formed with characters from A to Z (uppercase or lowercase), digits from 0 to 9, !, #, $, %, &, ', *, +, -, /, =, ?, ^, _, `, {, |, } or ~. One or more periods may be embedded in an alias, but each period should be preceded and followed by at least one of the other characters. Unicode characters from U+00A1 to U+00FF are also valid in an alias, but they will be mapped to a best-fit US-ASCII string in the e-mail address, which is generated from such an alias.


This is caused by an invalid alias format generally created from legacy versions of Exchange such as 2000 or 2003.  Exchange 2010/2013 does not support spaces in the Public Folder Alias.

On the legacy Exchange 2007/2010 server open up Public Folder Management console and navigate to the Public Folder in question.  On the Exchange General tab you will receive an error message saying the object contains invalid data.


Simply remove the space from the Alias, this is no longer supported.

 
Next go back to your Exchange 2013 server and resume your public folder migration request.
 
 
You may need to repeat this process a few times as it is likely multiple public folders have incorrect aliases.