Office 365 Can’t connect to the mailbox of user Mailbox database guid

This morning when I came to work, 50% of our conference room displays did not show any information about the room, whether it was booked or available for me to book.
On the display there was an error saying that it could not connect to the mailbox and that it could have been moved. (I do not remember the whole error message.)
The room displays are using Exchange 365 Online and Exchange Web Services (EWS) to connect to the room mailboxes.
(Exchange Web Services will not receive feature updates, and Basic Authentication for EWS will be decommissioned. You can read more about it here: https://blogs.technet.microsoft.com/exchange/2018/07/03/upcoming-changes-to-exchange-web-services-ews-api-for-office-365 )

In the Exchange admin center, under Resource mailboxes, I could find error messages on some mailboxes:

Can’t connect to the mailbox of user Mailbox database guid: 7345gh36a1-d890-41ca-af393345 because the ExchangePrincipal object contains outdated information. The mailbox may have been moved recently.

In my case the problem was solved by moving the mailbox to another mailbox DB.
To do that:

1. Connect to Exchange Online using PowerShell

$credential = Get-Credential
$exchangeSession = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri "https://outlook.office365.com/powershell-liveid/" -Credential $credential -Authentication "Basic" -AllowRedirection
Import-PSSession $exchangeSession

2. Move the mailboxes that are having problems

New-MoveRequest -Identity test@domain.com -PrimaryOnly

3. See the status of the mailbox move

Get-MoveRequest | Get-MoveRequestStatistics

The move of the mailbox will take some time. My mailboxes were around 800 MB and it took a couple of hours.
When running Get-MoveRequestStatistics I got the message StalledDueToTarget_DiskLatency.
But after some hours it was done.

 

Happy moving // Chris

 


Microsoft SharePoint Migration Tool – OneDrive for Business migration

If you are planning to move your users' old home folders to OneDrive for Business, you can use BitTitan or any other third-party migration solution, or you can use the Microsoft SharePoint Migration Tool, which is free.

The SharePoint Migration Tool lets you migrate your files from SharePoint on-premises document libraries or your on-premises file shares and easily move them to either SharePoint or OneDrive in Office 365.

You can read more and download the tool from https://docs.microsoft.com/en-us/SharePoint/migrate-to-sharepoint-online/new-and-improved-features-in-the-sharepoint-migration-tool

Prerequisites:

  • The admin account that is used to connect to Office 365 needs to have a license in Office 365, for example an E3 license.
  • The admin account needs to be a SharePoint Online Tenant Administrator.
  • SharePoint Online Management Shell installed on your computer. https://www.microsoft.com/en-us/download/details.aspx?id=35588
  • The users' OneDrive URLs need to be provisioned before using PowerShell. (A user's OneDrive URL is created when the user logs in to the OneDrive client the first time.)
  • A list of all the users that are going to use OneDrive. The maximum is 200 users per list, so if you have more you need multiple files.
  • The admin account needs to have access to the users' OneDrive.
  • A list of the users' OneDrive URLs.
  • Install SharePoint Migration Tool on a server.
  • Create the CSV used to import to SharePoint migration.
  • Scan the file share for files and characters that are not allowed in SharePoint.

Scripts
The scripts I used can be downloaded from http://www.compit.se/bilder/OneDriveMigration/OneDriveMigration.zip
In each script read the info and modify it so that it connects to your SharePoint Online.
Thanks to http://www.lieben.nu for some of the scripts.

Let’s get started with the migration:

  1. Install SharePoint Online Management Shell on your computer.
  2. Install SharePoint Migration Tool on a server or your computer.
  3. Run "Scan local files and folders and make it ready for moving at SharePoint Server.ps1" on the file server.
  4. Create a txt file with the users that are going to have OneDrive provisioned (email address). The limit for each file is 200 users.
  5. Start PowerShell and import the SharePoint module:
    Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking
  6. Connect to SharePoint Online:
    Connect-SPOService -Url https://tenant-admin.sharepoint.com -Credential admin@tenant.onmicrosoft.com
  7. Provision the users' OneDrive using BulkEnqueueOneDriveSite.ps1. Use the txt file that you created in step 3.
  8. Get a list of the OneDrive URLs using ListOneDriveURL.ps1.
  9. Set the admin rights on the users' OneDrive using ODFB_AdminAccess_v0.1.ps1.
  10. Create a CSV file that matches each user's home folder to the OneDrive URL. The user's OneDrive URL should look something like this:
    https://Your-Domain-my.sharepoint.com/personal/chris_compit_se/
    So you need to modify the output you got from ListOneDriveURL.ps1.

    Read more https://docs.microsoft.com/sv-se/SharePoint/migrate-to-sharepoint-online/how-to-format-your-csv-file-for-data-content-migration
  11. Start the SharePoint Migration Tool and sign in
  12. Where are you migrating from?
  13. In this case we are going to use our CSV file so that we don’t need to manually type all the info.
  14. After we have imported our CSV we can modify some more settings.
  15. Now it’s time to start with a test migration. When you see that your test is successful continue with the rest of the users.

 

Happy Migration

// Chris


Office 365 – Unhealthy Identity synchronization Notification

Today I received an e-mail from a new customer. They had received an e-mail from MSOnlineServicesTeam@MicrosoftOnline.com

On Friday, 02 March 2018 01:28:41 GMT, Azure Active Directory did not register a synchronization attempt from the Identity synchronization tool in the last 24 hours for.

I logged on to the server that had Azure AD Connect installed and looked into the Event Viewer System log.

The first error I saw was Event ID: 36874

Log Name:      System
Source:        Schannel
Date:          2018-03-02 14:03:48
Event ID:      36874
Task Category: None
Level:         Error
Keywords:
User:          SYSTEM
Computer:     azureadd01.compit.se
Description:

An TLS 1.2 connection request was received from a remote client application, but none of the cipher suites supported by the client application are supported by the server. The SSL connection request has failed.

I then started the Synchronization Service Manager and it also showed me errors.

A couple of weeks ago I received an E-mail from Microsoft that they required TLS 1.2 from March 1 2018 to access Office 365 services.

As outlined in the article “Preparing for the mandatory use of TLS 1.2 in Office 365”, this is going to present a problem if your organization is still using Windows 7/Vista clients. Why?

Because on March 1, 2018, Microsoft Office 365 will be disabling support for TLS 1.0 and 1.1. This means that, starting on March 1, 2018, all client-server and browser-server combinations must use TLS 1.2 or later protocol versions to be able to connect without issues to Office 365 services. This may require certain client-server and browser-server combinations to be updated.

Read more here:

https://blogs.technet.microsoft.com/cloudyhappypeople/2017/12/22/the-end-of-support-for-older-tls-versions-in-office-365/

https://support.microsoft.com/en-us/help/4057306/preparing-for-tls-1-2-in-office-365

The problem with the articles is that one says March 1 and the other says October 31 2018. The e-mail I received said 1 March.
Which date is correct?

My solution was to update Azure AD Connect to a new version that supports TLS 1.2:

https://www.microsoft.com/en-us/download/details.aspx?id=47594

There are a couple of things to think about when you update:

  • Check your configuration and document it. My upgrade failed so I had to uninstall and do a new install.
    • Check what OU you are syncing
    • Check if you have any custom settings in the Synchronization Rules Editor
  • During the upgrade the sync service will be stopped, so any newly created accounts or password changes will not be synced during the upgrade.
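
Before and after the upgrade it helps to see how the server itself is set up for TLS 1.2. The following read-only check is an added example, not part of the original post: it reports the standard Schannel and .NET Framework registry switches for TLS 1.2 and counts recent Schannel 36874 events. The function names and the 24-hour window are assumptions.

```powershell
# Added example (not from the original post): read-only TLS 1.2 readiness report
# for the server that runs Azure AD Connect. Nothing is changed.

function Get-RegValue {
    param([string]$Path, [string]$Name)
    # Returns $null when the key or the value does not exist.
    $item = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -ne $item) { return $item.$Name }
    return $null
}

function Get-Tls12Readiness {
    $report = @()

    # Schannel protocol switches (OS level). Absent values mean the OS default is used.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2'
    foreach ($role in 'Client', 'Server') {
        $enabled    = Get-RegValue "$base\$role" 'Enabled'
        $offDefault = Get-RegValue "$base\$role" 'DisabledByDefault'
        if ($enabled -eq 0 -or $offDefault -eq 1) { $state = 'Disabled' }
        elseif ($null -eq $enabled -and $null -eq $offDefault) { $state = 'NotConfigured (OS default)' }
        else { $state = 'Enabled' }
        $report += [pscustomobject]@{ Setting = "Schannel TLS 1.2 $role"; State = $state }
    }

    # .NET Framework 4.x: SchUseStrongCrypto lets .NET applications negotiate TLS 1.2.
    $netKeys = 'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
               'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
    foreach ($key in $netKeys) {
        $strong = Get-RegValue $key 'SchUseStrongCrypto'
        if ($strong -eq 1) { $state = 'Enabled' }
        elseif ($null -eq $strong) { $state = 'NotConfigured' }
        else { $state = 'Disabled' }
        $report += [pscustomobject]@{ Setting = "SchUseStrongCrypto ($key)"; State = $state }
    }

    # Schannel 36874 errors (the event shown above) during the last 24 hours.
    $hits = @(Get-WinEvent -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Schannel'; Id = 36874
        StartTime = (Get-Date).AddHours(-24)
    } -ErrorAction SilentlyContinue)
    $report += [pscustomobject]@{ Setting = 'Schannel event 36874, last 24 h'; State = $hits.Count }

    $report
}

Get-Tls12Readiness | Format-Table -AutoSize
```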

Good luck

Chris


Cisco AnyConnect Certificate Validation Failure.

Had a case at a customer the other day where we are planning to start using machine certificates to make the VPN more secure.
When we were testing we ran into a problem on two of our test computers.

When starting to connect to the VPN, the Cisco AnyConnect client failed with the error Certificate Validation Failure.

We started to look into the logs in ASDM on the firewall but nothing showed up.
So did the client even get so far that it connected to the firewall? No!

So I started to look in the Windows event log and found Event ID: 36870

A fatal error occurred when attempting to access the SSL client credential private key.
The error code returned from the cryptographic module is 0x8009030d. The internal error state is 10003.

When I started the Cisco AnyConnect client as admin it worked.
So it seems that we are having an access error to the certificate.

The files we are having problems accessing are stored in C:\ProgramData\Microsoft\Crypto\RSA
To be able to fix the access we first need to stop Cryptographic Services.

Solution:

Start CMD as admin and run the text below in a cmd file.

——————————————————

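rem Stop Cryptographic Services before changing the permissions
net stop CryptSvc
cd /d C:\ProgramData\Microsoft\Crypto\RSA
rem Grant Everyone read access, inherited by the files in MachineKeys
icacls MachineKeys /grant everyone:(OI)R
net start CryptSvc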

——————————————————

PS!
Do not forget to update the profile.xml file in C:\ProgramData\Cisco\Cisco AnyConnect Secure Mobility Client\Profile with the new one that tells the client to use the certificate before you enable the certificate requirements.
If the XML file is not updated, no client will be able to connect.
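
The icacls grant above applies to the MachineKeys folder as a whole, so it is useful to see which key file actually belongs to the VPN certificate and who can read it. This is an added example, not part of the original post; the thumbprint is a placeholder, and the script assumes an RSA key and an elevated PowerShell session.

```powershell
# Added example (not from the original post): list who can read the private key
# file behind one machine certificate. Run elevated. Read-only.
param(
    # Placeholder: thumbprint of the machine certificate used for the VPN
    [string]$Thumbprint = '<THUMBPRINT-OF-VPN-MACHINE-CERT>'
)

$cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $Thumbprint }
if (-not $cert) { throw "No certificate with thumbprint $Thumbprint in LocalMachine\My" }
if (-not $cert.HasPrivateKey) { throw 'The certificate has no private key on this machine' }

# Resolve the key container file name (CNG key or legacy CSP key).
$rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($cert)
if ($rsa -is [System.Security.Cryptography.RSACng]) {
    $fileName = $rsa.Key.UniqueName
} elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
    $fileName = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
} else {
    throw 'Could not open the private key as RSA (non-RSA key, or access denied)'
}

# Machine keys live in one of these folders depending on the provider type.
$folders = "$env:ProgramData\Microsoft\Crypto\RSA\MachineKeys",
           "$env:ProgramData\Microsoft\Crypto\Keys"
$keyFile = $folders | ForEach-Object { Join-Path $_ $fileName } |
           Where-Object { Test-Path -LiteralPath $_ } | Select-Object -First 1
if (-not $keyFile) { throw "Key file $fileName not found under $($folders -join ', ')" }

# Well-known SIDs that cover practically every account on the machine.
$broad = @{ 'S-1-1-0' = 'Everyone'; 'S-1-5-11' = 'Authenticated Users'; 'S-1-5-32-545' = 'BUILTIN\Users' }

$acl = Get-Acl -LiteralPath $keyFile
$sidType = [System.Security.Principal.SecurityIdentifier]
$acl.GetAccessRules($true, $true, $sidType) | ForEach-Object {
    $sid = $_.IdentityReference.Value
    [pscustomobject]@{
        KeyFile   = Split-Path $keyFile -Leaf
        Sid       = $sid
        Rights    = $_.FileSystemRights
        Type      = $_.AccessControlType
        Inherited = $_.IsInherited
        Broad     = $broad.ContainsKey($sid)
    }
} | Format-Table -AutoSize
```

Comparing the output from a failing test computer with a working one shows which account is missing read access to that single key file.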


Protect your business against Ransomware and Malware.

More and more viruses and malware are released every day on the internet. The antivirus vendors are struggling to keep up, and we IT pros are doing what we can to protect our business from ransomware and malware.

From the Avecto Microsoft Vulnerabilities Report 2015:

  • 86% of Critical vulnerabilities affecting Windows could be mitigated by removing admin rights.
  • 99.5% of all vulnerabilities in Internet Explorer could be mitigated by removing admin rights.
  • 82% of vulnerabilities affecting Microsoft Office could be mitigated by removing admin rights.
  • 85% of Remote Code Execution vulnerabilities could be mitigated by removing admin rights.
  • 82% of Critical vulnerabilities affecting Windows 10 could be mitigated by removing admin rights.
  • 100% of the vulnerabilities in Office 2016, the latest version of Microsoft’s software, could have been mitigated by admin rights removal.

Today there are two different types of antivirus vendors:

  • The ones that still use local signature files that are downloaded every X hours from a server or from the Internet.
  • And the ones that send an MD5 hash of every new file to a cloud-based database to check if the file is OK.

Almost one million new malware threats are released every day. Try to fit a signature file that has knowledge about all those files on your laptop.
The Leaders in Gartner's Magic Quadrant are the ones that are still using local signature files, and they don’t have knowledge about all known threats.
If you look at the Visionaries, they are doing some new thinking and are doing the scanning in the cloud against a large database of known threats.

Whether you are using vendor technique one or two doesn’t matter; your users can still get viruses on their computers.

So what is the best way to protect your computers from viruses?

  • No local admins. (If local admin is needed, create a special admin account for the user that can be used with the Microsoft Run As function.)
  • Use Local Administrator Password Solution (LAPS) from Microsoft for users that need admin rights.
  • Cloud-based antivirus.
  • GPO AppLocker.
  • To protect files from ransomware, make sure your users only have access to the shared files that they need to have access to. That way you reduce the risk that your whole file server is encrypted and no one can work until you have done a restore.
  • Backup and test restore of files and systems.

Getting started with GPO – AppLocker.

  1. Create a new group in ADUC (Active Directory Users and Computers) and name it, for example, GPO-AppLocker.
  2. Put your test computers in the group.
  3. Create a new GPO and link it to your computer OU.
  4. Change the GPO so that it is only applied to your test group.

 

Edit the new GPO.

Navigate to Computer Configuration/Windows Settings/Security Settings/Application Control Policies/AppLocker

Click Configure rule enforcement.

Configure AppLocker to Enforce Rules or Audit Only. With Audit Only, an event will be logged to the event log.

Create the rules.
Start with the Default Rules and then add more paths to folders if necessary.

Have your test users test all of the company programs that you are using.
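
While the GPO is in Audit Only mode, the events it logs show what would be blocked once the rules are enforced. The following summary is an added example, not part of the original post; the function name and the seven-day window are assumptions, and it reads the two standard AppLocker logs for the audit event IDs 8003 and 8006.

```powershell
# Added example (not from the original post): summarise what AppLocker would
# have blocked while the GPO runs in Audit Only mode. Run on a test computer.

function Get-AppLockerAuditSummary {
    param([int]$Days = 7)   # assumed length of the test period

    $logs = 'Microsoft-Windows-AppLocker/EXE and DLL',
            'Microsoft-Windows-AppLocker/MSI and Script'
    # 8003: EXE/DLL was allowed to run but would be blocked when enforced
    # 8006: script/MSI was allowed to run but would be blocked when enforced
    $filter = @{ LogName = $logs; Id = 8003, 8006; StartTime = (Get-Date).AddDays(-$Days) }
    $events = @(Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue)

    $rows = foreach ($e in $events) {
        # File details are in the UserData/RuleAndFileData element of the event XML.
        $data = ([xml]$e.ToXml()).Event.UserData.RuleAndFileData
        [pscustomobject]@{
            FilePath  = $data.FilePath
            Publisher = $data.Fqbn
            UserSid   = $data.TargetUser
        }
    }

    # One line per file, most frequently hit first.
    $rows | Group-Object FilePath | Sort-Object Count -Descending | ForEach-Object {
        [pscustomobject]@{
            Count     = $_.Count
            FilePath  = $_.Name
            Publisher = $_.Group[0].Publisher
            Users     = @($_.Group.UserSid | Sort-Object -Unique).Count
            # Paths under a user profile are writable by the user; review before allowing.
            InProfile = $_.Name -like '*\Users\*'
        }
    }
}

Get-AppLockerAuditSummary | Format-Table -AutoSize
```

Files that show up here and belong to company programs need a rule before enforcement; entries flagged InProfile run from a location the user can write to and deserve a closer look first.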

When you are done testing change the GPO security filtering so that the GPO is applied to Authenticated Users.

You can read more about AppLocker on the link below.

https://technet.microsoft.com/library/mt431725(v=vs.85).aspx

You can read more about LAPS on the link below.
https://www.microsoft.com/en-us/download/details.aspx?id=46899

 

// Chris Steding

 


Azure Backup / Windows Backup Email Notification.

Are you using Azure / Windows backup to back up your servers?
Do you log on to the server every day to check the status?

Use PowerShell and a scheduled task to send an e-mail with the status.

In the script, edit the lines with the path to the files:
Set-Content c:\Source\backup.html
-Attachments "c:\Source\backup.html"

Powershell Script For Azure Backup:

http://compit.se/download/Azure/AzureBackupStatus.zip

Powershell Script for Windows Backup:

http://compit.se/download/Azure/WindowsBackupStatus.zip

Scheduled Task:

Create a scheduled task according to the pictures.

 

// Chris

Thanks Proxima’s IT Admin Corner for the Azure script and most parts of the Windows Backup script.


Disabled network card (NIC) on Azure VM.

What happens if you disable a network card (NIC) on your Virtual Machine (VM) in Azure? Well, you will lose all connections to your VM. No RDP, no PowerShell and no other endpoints.

To restore access to your VM you need to log in to the Azure Portal: https://manage.windowsazure.com

1. Go to VIRTUAL MACHINES.

2. Select the VM that you disabled the NIC on.

3. Go to Configure and change the Virtual Machine Size to a new size.

4. Save. (The VM will now restart. After the restart you will be able to access the VM again.)

5. Change the size back to the original size, if you want to. (The VM will now restart.)

Good Luck!

 


This webpage wants to run the following add-on: Adobe Flash Player

Every time I went to a web page that was using Adobe Flash Player I got the pop-up telling me that "This webpage wants to run the following add-on: Adobe Flash Player".
I pressed the Allow button and it kept coming back again and again.

The solution for me was to enable ActiveX Filtering in IE 11.

  • When you have IE 11 open, press the Alt button to get to the Tools menu.
    Click on ActiveX Filtering.
  • Restart your browser.

I hope it works for you too.

 

 

 


Update AD Attributes using Powershell.

I was at a customer the other day installing their new helpdesk portal. When we came to the step to import the users from Active Directory there was almost no info on the user accounts. Only a first name and last name.

We wanted to be able to group the users by city and we needed their phone numbers. The easiest way to get this information was from the HR department and then build a CSV file that we used with PowerShell to import the information to Active Directory.

To help me edit the csv file that I got from the HR department I used the new feature in Excel 2013 called Flash Fill. You can read more about Flash Fill in this Office Blog http://blogs.office.com/2012/08/09/flash-fill/

 

#------------------------------------------------------------------------------------------
# Script created by Chris Steding
#
# This script will update AD attributes for users imported from a CSV file.
# CSV file format:
# SamAccountName,Title,MobilePhone,OfficePhone,city,EmailAddress,Department,Office
#
# Remember to edit the -SearchBase to the correct domain name.
#-------------------------------------------------------------------------------------------

# Import AD module
Import-Module ActiveDirectory

Write-Host 'Starting to update AD Attributes.......' -NoNewline -ForegroundColor Yellow

# Import CSV into variable $users
$users = Import-Csv -Path C:\temp\users.csv

# Loop through the CSV and update the users if they exist in the CSV file
foreach ($user in $users) {
    # Search in the specified OU and update the existing attributes
    Get-ADUser -Filter "SamAccountName -eq '$($user.SamAccountName)'" -Properties * -SearchBase "DC=Compit,DC=local" |
        Set-ADUser -Title $user.Title -MobilePhone $user.MobilePhone -OfficePhone $user.OfficePhone -City $user.City -EmailAddress $user.EmailAddress -Department $user.Department -Office $user.Office
}

Write-Host 'done!' -ForegroundColor Green

Download the script and a csv:
http://www.compit.se/download/script/Update-ADattributes.zip

Have a nice day // Chris


VLC media player 2.1.5 MSI

A new version of VLC media player has been released from VLC. You can download the new version as an MSI below.

# Created with Adminstudio.
# Updates notifier turned off.
# Tested on Win 7 x64 and Win 7 x86

Download 

x64
http://www.compit.se/download/MSI/VLC Media Player-x64-v2.1.5.msi
http://www.compit.se/download/MSI/VLCMediaPlayer-x64-v2.1.5-en-US.msi

x86
http://www.compit.se/download/MSI/VLC Media Player-x86-v2.1.5.msi
http://www.compit.se/download/MSI/VLCMediaPlayer-x86-v2.1.5-en-US.msi

Download it, test it, deploy it. // Chris
