SSD PC upgrade

This content is 9 years old. I don't routinely update old blog posts as they are only intended to represent a view at a particular point in time. Please be warned that the information here may be out of date.

Some time ago, I noticed that our family PC was running really slowly. It only has 4GB of RAM and sometimes the boys leave their flash-based websites open when they switch users (which can be a resource hog), but it was more than that (4GB should have been enough really).  I dug a little deeper and found that the disk was running at a constant 100% – clearly that was the bottleneck!

I adjusted the virtual disk settings (away from the Windows defaults, which were pitifully small, to something I found recommended on the ‘net) and, whilst it helped with the system responsiveness, the disk queue was still sitting a little higher than I expected (in Resource Monitor) and Task Manager still said the disk was running at 100%.

Fast forward a few weeks and I’d been busy, the machine had been upgraded to Windows 10 and it seemed to be behaving itself. That was until, one Saturday morning, when I was just rushing out of the door to take the kids to football, I spotted the PC sitting on the kitchen counter with a boot error, followed by a failed attempt to boot from the network. “That’s great!”, I thought (actually it was some rather more grumpy words than that), “another job to fit into an already-packed weekend…”.

As it happened, I’d already been considering a solid state disk (SSD) upgrade after a customer had told me about the unit he had bought, the performance difference it had made, and how low the prices were. Our hard disk drive (HDD) failure just forced the point and I bought a 120GB Samsung EVO 850 SSD for only marginally more than the cost of a replacement 500GB Seagate Momentus Thin HDD (we don’t really need that much space anyway).

Why the EVO 850? Well, my customer had already done his homework, but the 256GB version was recently rated as a best budget SSD buy on Tom’s Hardware – and that was enough for me to buy its baby cousin.

I didn’t have time to fit the drive this week, but I set to work this afternoon, following the advice in the video below to take our laptop apart and swap the drive:

I’ll come back to the activation issue in a future post, but the SSD is awesome. Incredibly fast! And disk queues are a thing of the past (as is OEM-supplied crapware as I now have a clean PC build).

As for the old HDD, it still works… sort of. At least, I may be able to get some data off it if the spinning rust stays spinning for long enough. I bought an Anker USB 3.0 2.5″ HDD/SSD external enclosure and am very impressed. It’s so easy to use that my son fitted the old disk in seconds (no screws, just the SATA connection and slide the cover on) – perfect if you are going to clone from one disk to another (I didn’t, because I didn’t have a bootable system).

Further reading

How to upgrade your laptop hard disk to an SSD.

Samsung 850 EVO SSD review.

Manually removing servers from an Exchange organization


I’m starting this blog post with a caveat: the process I’m going to describe here is not a good idea, goes against the advice of my colleagues (who have battle scars from when it’s been attempted in a live environment and not gone so well) and is certainly not recommended. In addition, I can’t be held responsible for any unintended consequences of following these steps.

Notwithstanding the above, I found myself trying to configure the Exchange Hybrid Configuration Wizard (HCW) in a customer environment, where the wizard failed because it was looking for servers that don’t exist any more.

I had two choices:

  1. Recover the missing Exchange servers with setup.exe /m:RecoverServer, then uninstall Exchange gracefully (for 12 servers!).
  2. Manually remove the servers using ADSI Edit.

I explained the situation to my customer, who discussed it with his Exchange expert, and they directed me to go for option 2 – this was a test environment, not production, and they were prepared to accept the risk.

Fearing the worst, I made a backup of Active Directory, just in case. This involved:

  1. Installing the Windows Server Backup Command Line Tools feature on the domain controller.
  2. Running wbadmin start systemstatebackup -backuptarget:driveletter:
  3. Sitting back and waiting for the process to complete.

With a backup completed, I could then:

  1. Run ADSI Edit.
  2. Open the configuration naming context.
  3. Navigate to CN=Servers,CN=Exchange Administrative Group (FYDIBOHF23SPDLT),CN=Administrative Groups,CN=organizationname,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domainname,DC=tld
  4. Delete the records for the servers that no longer exist.
  5. Restart each of the remaining Exchange servers in the organisation in turn.
  6. Check the server list in ECP.

(Incidentally, FYDIBOHF23SPDLT is “Caesar’s Cipher” for EXCHANGE12ROCKS).

Murat Yildirimoglu’s Windows IT Pro article entitled “How to Uninstall a Stubborn Exchange Server” goes into more detail, including completely removing an Exchange organisation from Active Directory, should that be required (Christopher Dargel covers that too).

The process seemed to work but the danger of manually removing servers from an Exchange organization like this is the potential side effects of “unknown unknowns” (which you can be sure won’t surface immediately). It did let me progress to the next stage of the HCW though. More on that in a future blog post…

“Delivery has failed to these recipients or groups” when running Exchange in an Azure VM


Exchange didn’t used to be supported in Azure. It is now, subject to specific requirements; however there’s a big difference between “supported” and “works” and it was always theoretically possible.

My current customer has a test environment running on a number of Azure VMs. All was working well, until I started to test mail flow out of the organisation. My mailboxes (work and personal) are both on Office 365 and the reply came back as:

Delivery has failed to these recipients or groups:

Mark Wilson
Your message wasn’t delivered due to a permission or security issue. It may have been rejected by a moderator, the address may only accept email from certain senders, or another restriction may be preventing delivery.

The following organization rejected your message: DB3FFO11FD037.mail.protection.outlook.com.

Basically, Exchange Online Protection was bouncing the mail. The error continued with diagnostic information for administrators and I could see that the message was leaving the organisation, then returning to the Exchange Edge server.

I could also see in one of the messages that it said:

“Remote Server returned ‘<DB3FFO11FD037.mail.protection.outlook.com #5.7.1 smtp;550 5.7.1 Service unavailable; Client host [123.123.123.123] blocked using FBLW15; To request removal from this list please forward this message to delist@messaging.microsoft.com>'”

So I emailed and asked to be removed, quickly receiving a very polite but understandably automated and non-committal response:

“Hello ,
Thank you for your delisting request SRX1234567890ID. Your ticket was received on (Aug 28 2015 12:26 AM UTC) and will be responded to within 24 hours.

Our team will investigate the address that you have requested to be removed from our blocklist. If for any reason we are not able to remove your address, one of our technical support representatives will respond to you with additional information.

Regards,
Technical Support”

Within 24 hours, Microsoft had responded to say that we had been delisted from their blocklists (presumably they checked that the IP address was one of theirs – which was also one reason why we couldn’t add a reverse DNS record, as one might expect with an SMTP server) and the mail had started to flow:

“Hello ,
Thank you for contacting Microsoft Online Services Technical Support. This email is in reference to ticket number 1234567890, which was opened in regards to your delisting request for 123.123.123.123.

The IP address you submitted has been reviewed and removed from our block lists. Please note that there may be a 1-2 hour delay before this change propagates through our entire system.

We apologize for any inconvenience this may have caused you. As long as our spam filtering systems do not mark a majority of email from the IP address as spam-like, your messages will be allowed to flow as normal through our network. However, should we detect an increase in spam-like activity, the IP address may be re-added to our block list.

Should you have any further questions or concerns, please feel free to respond to this email.

Thank you again for contacting Microsoft Online Services technical support and giving us the opportunity to serve you.”

I’m glad the experience was with a customer’s test environment, and not live email flow, but worth remembering for the future…

[Ticket numbers and IP addresses in this scenario have been changed]

Control OneDrive for Business syncing to prevent data copies on non-domain-joined PCs


One of the recently announced changes to Office 365 is the ability to better control OneDrive for Business. Specifically, it’s now possible to control OneDrive for Business syncing to prevent data from being copied to non-domain-joined PCs, based on a list of approved domains, as well as to change the storage limit for users (perhaps 1TB is just too much data and something more restrained might reduce the impact on your network). There are also some changes around the “Shared with Everyone” folder, which used to be created by default but isn’t anymore.

The full details are in an Office Mechanics video, linked from a Microsoft blog post but I recently had the chance to try them out for real.

Step 1 was to determine the ObjectGuid for each of the domains in my customer’s Active Directory Forest, using Active Directory PowerShell:

$domains = (Get-ADForest).Domains; foreach($d in $domains) {Get-ADDomain -identity $d | Select ObjectGuid}

Step 2 is to connect to Office 365 using PowerShell:

$cred=Get-Credential
Connect-SPOService -Url https://tenantname-admin.sharepoint.com/ -Credential $cred

Step 3 is to take the ObjectGuid from step 1 and use the Set-SPOTenantSyncClientRestriction cmdlet to restrict synchronisation:

Set-SPOTenantSyncClientRestriction -enable -DomainGuids "a0083dbb-e136-4f48-a048-2ec3a4c40cab"
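The three steps above as one script, added here as an example (it is not code from the original post): it collects the ObjectGuid of every domain in the forest rather than a single one, connects, applies the restriction for all of them and then reads the setting back with Get-SPOTenantSyncClientRestriction to confirm. It assumes the ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules are installed and that $TenantName is your tenant’s short name; the assumption that several GUIDs are passed as one semicolon-separated string follows the cmdlet’s documentation at the time.

```powershell
# Added example (not from the original post): gather every domain GUID in the
# forest, connect to SharePoint Online, apply the sync restriction for all of
# them at once and verify the result.
# Assumptions: ActiveDirectory and Microsoft.Online.SharePoint.PowerShell modules
# installed; $TenantName is the tenant short name; -DomainGuids takes one string
# with GUIDs separated by semicolons (per the cmdlet documentation at the time).
Import-Module ActiveDirectory
Import-Module Microsoft.Online.SharePoint.PowerShell -DisableNameChecking

function Set-OneDriveSyncDomainRestriction {
    param([Parameter(Mandatory)][string]$TenantName)

    # Step 1: one ObjectGuid per domain in the forest
    $guids = foreach ($d in (Get-ADForest).Domains) {
        (Get-ADDomain -Identity $d).ObjectGuid.ToString()
    }

    # Step 2: connect to the tenant admin site
    $cred = Get-Credential -Message 'SharePoint Online administrator'
    Connect-SPOService -Url "https://$TenantName-admin.sharepoint.com/" -Credential $cred

    # Step 3: apply the restriction, then read it back
    Set-SPOTenantSyncClientRestriction -Enable -DomainGuids ($guids -join ';')
    $state   = Get-SPOTenantSyncClientRestriction
    $allowed = @($state.AllowedDomainList | ForEach-Object { "$_" })

    # Fail loudly if the tenant did not record what we asked for; a silently
    # incomplete list means PCs in a missing domain cannot sync at all.
    $missing = $guids | Where-Object { $allowed -notcontains $_ }
    if (-not $state.TenantRestrictionEnabled -or $missing) {
        throw "Restriction not applied as expected; missing GUIDs: $($missing -join ', ')"
    }
    $state
}

# Set-OneDriveSyncDomainRestriction -TenantName 'tenantname'
```

Because the restriction blocks every PC that is not joined to a listed domain, leaving one domain out of a multi-domain forest locks those users out of the sync client, which is why the script verifies the stored list instead of trusting the cmdlet’s return.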

It’s worth noting that, initially, this failed for me – Set-SPOTenantSyncClientRestriction wasn’t a valid command in the version of the SharePoint Online Management Shell I had installed. I checked the version with Get-Module -ListAvailable | Format-List version, name and found I had version 15.0.4569.0 of Microsoft.Online.SharePoint.PowerShell. After updating to the latest version, I was at version 16.0.4316.0, which worked a treat:

TenantRestrictionEnabled AllowedDomainList
------------------------ -----------------
                    True {a0083dbb-e136-4f48-a048-2ec3a4c40cab}

It’s important to understand how the restrictions are enforced though:

  • Not only will OneDrive for Business sync client requests originating from a domain that is not on the safe recipients list be blocked, but all OneDrive for Business Mac sync client requests will be blocked. This also means that a sync relationship will not be established unless the PC is joined to an allowed domain.
  • However:
    • Mobile clients are not blocked (there are separate MDM controls for this) and any files that have previously been synced to the computer will not be deleted.
    • New or existing files added to the client will still be uploaded to the server and will not be blocked.
    • OneDrive for Business sync clients prior to version 15.0.4693.1000 will stop syncing existing libraries.

Controlling the storage quota was a little more tricky. I found that I could use Get-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com to view the properties of a user’s OneDrive for Business site, but attempting to set the quota on the same site presented an error:

Set-SPOSite -Identity https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com -StorageQuota 2048

Set-SPOSite : Cannot get site https://tenantname-my.sharepoint.com/personal/firstname_lastname_tenantname_onmicrosoft_com.
At line:1 char:1
+ Set-SPOSite -Identity
https://tenantname-my.sharepoint.com/personal/firstname_lastname …
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : NotSpecified: (:) [Set-SPOSite], ServerException
+ FullyQualifiedErrorId : Microsoft.SharePoint.Client.ServerException,Microsoft.Online.SharePoint.PowerShell.SetSite

I haven’t fixed that yet, so I’ll be returning to the topic again soon, no doubt…

Post Script

There is a known issue with domain joined PCs failing to sync OneDrive for Business, even when added to a safe list, which is fixed by the 12 May 2015 update for OneDrive for Business (see Microsoft knowledge base article 2986244).

Office 365 command line administration (redux)


Every now and again, I find myself looking up the same things for Office 365 command line administration (i.e. using PowerShell), so it’s probably worth me writing them down in one post…

Of course, a connection to Office 365 from PowerShell is a pre-requisite – although that’s a lot simpler now than it used to be as there’s no longer any need for the Microsoft Online Services Sign In Assistant (MOS SIA), just:

Import-Module MSOnline
$Credential = Get-Credential
Connect-MsolService -credential $Credential

If you’re doing this in a script, you might want to save the password as a secure string (as described in more detail by Kris Powell):

(Get-Credential).Password | ConvertFrom-SecureString | Out-File Password.txt

To use the secure string:

$User = "alias@domainname.tld"
$Pass = Get-Content "Password.txt" | ConvertTo-SecureString
$Credential = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $user,$pass

Then Connect-MsolService -credential $Credential as above.

Setting a user password (and making sure you don’t need to force a change – one reason to do it from PowerShell rather than the web portal) involves:

Set-MsolUserPassword -UserPrincipalName alias@domainname.tld -forcechangepassword $false -newpassword password

And, if it’s a service account, turn off password expiry?

Set-MsolUser -UserPrincipalName alias@domainname.tld -PasswordNeverExpires $true
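Two things are worth knowing when the snippets above are put into a script. First, ConvertFrom-SecureString without a -Key encrypts with the Windows Data Protection API, so Password.txt can only be decrypted by the same user on the same computer that wrote it; copy it to another server or run the script under a different service account and ConvertTo-SecureString fails. Second, every account given -PasswordNeverExpires $true should be reviewed from time to time. The script below is an added example (not code from the original post) that connects from the saved password file and lists the accounts with expiry disabled; it assumes the MSOnline module is installed and that $User is the administrator’s UPN.

```powershell
# Added example (not from the original post): connect to Office 365 from a
# DPAPI-protected password file, then list accounts whose password never expires.
# Assumptions: MSOnline module installed; Password.txt was written with
# ConvertFrom-SecureString by the same user on this machine; $User is the admin UPN.
Import-Module MSOnline

function Connect-MsolFromFile {
    param(
        [Parameter(Mandatory)][string]$User,
        [string]$PasswordFile = 'Password.txt'
    )
    try {
        # Without -Key this only decrypts for the user and machine that created it.
        $pass = Get-Content -Path $PasswordFile | ConvertTo-SecureString
    } catch {
        throw "Could not decrypt $PasswordFile; it must be read by the same user on the same computer that created it."
    }
    $cred = New-Object System.Management.Automation.PSCredential ($User, $pass)
    Connect-MsolService -Credential $cred
}

function Get-NonExpiringPasswordUser {
    # Service accounts set with -PasswordNeverExpires $true end up here. Sorting
    # by last change shows which exemptions have gone longest without a rotation.
    Get-MsolUser -All |
        Where-Object { $_.PasswordNeverExpires -eq $true } |
        Select-Object UserPrincipalName, DisplayName, LastPasswordChangeTimestamp |
        Sort-Object LastPasswordChangeTimestamp
}

# Connect-MsolFromFile -User 'alias@domainname.tld'
# Get-NonExpiringPasswordUser | Format-Table -AutoSize
```

The DPAPI binding is a feature rather than a limitation: a Password.txt lifted from the server is useless elsewhere, which is not true of a password typed into a script as plain text.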


Resource naming restrictions in Azure


Whilst creating a virtual machine in Azure IaaS last week, I came across an interesting issue…

I was creating a temporary server and didn’t fully understand the customer’s naming scheme, so I replaced the numerical part of the server name with xxxxxx. Then, when provisioning, I saw that deployment to the resource group had failed, with the following message:

statusCode:BadRequest

statusMessage:{“error”:{“code”:”DomainNameOperationFailed”,”message”:”Unable to create domain name ‘DIRSYNCxxxxxx’: ‘You used a word that may be considered offensive, or the word is embedded in another word.’.”}}

xxxxxx (or probably xxx) appears to be on a Microsoft banned words list! When I changed xxxxxx to 000000 and repeated the operation, everything was fine, although I can’t find a list anywhere of reserved words/resource naming restrictions in Azure (understandably, I guess).

Short takes: search for new lines in Word; fix HTML <code> text wrapping in CSS; hidden elements in a WordPress theme


Another mini-blog post under the “short takes” banner…

Search for new lines when reformatting text in Word

Unix admins will probably scoff at me as they can probably cat, awk and sed this (or something like that) but I needed to take a list of values from a web page and convert them to a list in a single command earlier this week. The basic steps I used were:

  1. Copy text from table on HTML page
  2. Paste into Excel
  3. Delete unrequired columns
  4. Save as text

That gave me a file with a list of values (in this case a list of audio or video file formats) but it was one column and I wanted a row to include within some very long PowerShell commands.

  1. Open in Word
  2. Find ^p and replace with ,

The way that this works is that ^p will search for new lines in Word (actually, it’s looking for new paragraphs, and ^l will find a new line). This worked for me in Word, but not in WordPad.

Wrapping text in HTML code snippets

For years (ever since Garry Martin wrote one of his guest posts on this blog), I’ve been using a WordPress plug-in called DirtyCode to format code snippets that wrap to multiple lines.

The plug-in is no longer maintained though, and WordPress’s visual editor strips out the <dirtycode> tags so I’ve been wanting to fall back to the standard HTML <code> tag. Unfortunately that doesn’t text wrap in my theme, so I had to find a way to stop long lines of code running out of the frame.

The fix (or maybe it’s a fudge – if I could work out how to make custom CSS stick on theme changes, I would) was to edit my WordPress theme’s stylesheet (style.css) to include the following inside the existing code { } line:

word-break: break-all; white-space: pre-wrap;

Hidden elements in a WordPress theme

On a related note, I had some issues with elements not displaying properly in my new theme either. The WordPress forums came to my rescue though – it seems the tag line that I couldn’t see was there but hidden, until I added the following code to the custom CSS:

.site-description { color: #CCCCCC; display: block; }

Reconfiguring Azure AD Sync – rip and replace!


I had an interesting learning experience recently, whilst working with a customer to implement some Microsoft Online services.

They have an existing AAD Sync installation, although from time to time that stops working when Microsoft changes the IP addresses of the servers that are needed for synchronisation. This is not a recommended configuration – but the reasons why are well-described in David Ross’ post on using a proxy with Azure AD Sync Services. To limit the number of IP addresses in their firewall and router configurations, this customer places hosts file entries on the Azure AD Sync server, meaning that Azure AD Sync only uses two IP addresses to find the hosts:

134.170.172.140        adminwebservice.microsoftonline.com
191.235.135.139        login.microsoftonline.com

Microsoft publishes a full list of Office 365 URLs and IP addresses, together with an RSS feed for changes.
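The failure mode described above (Microsoft changes an address, the hosts file still points at the old one, synchronisation stops) can at least be detected rather than discovered. The script below is an added example, not part of the original post: it parses the hosts file, resolves each pinned name against an external resolver that bypasses the hosts file, and flags entries whose static address no longer appears in the DNS answer. It assumes the Windows hosts file is at its default path, that Resolve-DnsName (the DnsClient module) is available, and that $DnsServer is any resolver you trust that is not itself reading the same hosts file.

```powershell
# Added example (not from the original post): flag hosts-file entries whose
# address no longer matches what DNS returns, so a changed Office 365 IP is
# noticed before AAD Sync stops working.
# Assumptions: default Windows hosts path; DnsClient module present;
# $DnsServer is a resolver that does not consult this hosts file.
function Test-HostsFileEntry {
    param(
        [string]$HostsPath = "$env:SystemRoot\System32\drivers\etc\hosts",
        [string]$DnsServer = '8.8.8.8'
    )
    $pattern = '^\s*(\d{1,3}(\.\d{1,3}){3})\s+(\S+)'

    # Comment lines begin with '#', so they never match the leading-digits pattern.
    $entries = Get-Content -Path $HostsPath |
        Where-Object { $_ -match $pattern } |
        ForEach-Object {
            $null = $_ -match $pattern
            [pscustomobject]@{ IP = $Matches[1]; Host = $Matches[3] }
        }

    foreach ($e in $entries) {
        # -DnsOnly skips the hosts file and local cache, so we see the live answer.
        $answers = Resolve-DnsName -Name $e.Host -Type A -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
            Where-Object { $_.Type -eq 'A' } |
            Select-Object -ExpandProperty IPAddress

        [pscustomobject]@{
            Host        = $e.Host
            HostsFileIP = $e.IP
            CurrentDNS  = ($answers -join ', ')
            Stale       = [bool]($answers -and ($answers -notcontains $e.IP))
        }
    }
}

# Test-HostsFileEntry | Format-Table -AutoSize
```

Names such as login.microsoftonline.com return several addresses and rotate them, so a Stale result means the pinned address has dropped out of the answer set, which is exactly the condition that breaks the sync. Scheduling this check is a cheap stand-in for the RSS feed of changes until the hosts-file approach is retired altogether.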

Anyway, to cut a long story short, my customer created a test environment by cloning existing servers into Azure IaaS. I ran IdFix against test directory objects, changed the UPN on the user accounts to match the domain we had associated with Office 365 (test.companyname.com) and ran the Microsoft Azure Active Directory Sync Services tool (directorysynctool.exe) to set Azure AD Sync up with the new, test Office 365 tenant. Then I sat back and waited for the changes to sync.

To my horror, I found that the changes didn’t sync to the test Office 365 tenant, but to production! Running miisclient.exe confirmed that the original connectors were in place and had not been changed by re-running the Directory Sync Services tool.

Unfortunately, because the production AAD Sync server was unable to connect to Azure (due to IP address changes…), we couldn’t force a sync from that server to overwrite the stale directory information, which meant late night working was needed to get emergency changes in place and restore service.

Once the production AAD Sync was up and running again, the live directory data was re-synced to Azure AD and services that relied on this (Intune-managed mobile devices were the obvious ones) started working again.

As expected, the sync with the correct directory over-wrote the changes from the stale directory and the login names for those users that had changed to @tenantname.onmicrosoft.com (because their UPN from the test domain was not valid in the production tenant) reverted to the correct UPNs (which have verified domains in the tenant).

In the cold light of day, I realised that the issue was not caused by me – the only reason synchronisation from the test environment hadn’t over-written the live directory sooner was that the test AAD sync server didn’t have Internet access and then I’d disabled the scheduled task whilst running the Directory Sync Services tool. Once it was enabled it simply did its job – but the key learning point for me is that reconfiguring Azure AD Sync is not as simple as re-running the Directory Sync Services tool and supplying the necessary details – it really needs to be ripped out and run from scratch because directly editing the connectors is unsupported:

Microsoft does not support modification or operation of the Directory Sync tool outside of those actions formally documented.  […]  Unsupported actions include:

  • Opening the underlying FIM Sync Engine to modify Connector configuration
  • Manually controlling the frequency and/or ordering of Synchronization Run Profiles or changing the attributes that are synchronized to the cloud.

Any of these actions may result in an inconsistent or unsupported state of the Directory Sync tool and as a result, Microsoft cannot provide technical support for such deployments / usage of the tool. Filtering configurations applied to your directory synchronization instance aren’t saved when you install or upgrade to a newer version. If you are upgrading to a newer version of directory synchronization, you must re-apply filtering configurations after you upgrade, but before you run the first synchronization cycle.

Bulk changing Active Directory UPNs from PowerShell


As part of my current Office 365 project, I needed to prepare an on-premises Active Directory for synchronisation with Azure AD. This was a test environment that had been created by taking a copy of the production directory, so I had thousands of users – but all with incorrect user principal names (UPNs) that needed to be changed to a new value @test.domainname.tld.

I added the new UPN to the forest in Active Directory Domains and Trusts, then ran the following PowerShell for each OU that contained users I was going to synchronise with Azure AD (discovered via David O’Brien):

Get-ADUser -Filter * -SearchBase 'OU=Employees,OU=Users,OU=CompanyName,DC=DomainName,DC=tld' -Properties userPrincipalName | foreach { Set-ADUser $_ -UserPrincipalName "$($_.samaccountname)@test.domainname.tld"}

The command failed when I ran it on the domain controller (as did the script I originally tried) but when I used PowerShell on another server that was a member of the domain (my Azure AD sync server), it worked. This forum post suggests that it can run locally if you use the -Server parameter but I haven’t tried that. Just be sure to run Import-Module ActiveDirectory first, or else the *-ADUser commands won’t be available.
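A bulk UPN change across thousands of accounts is hard to undo, so it pays to preview it and to check the suffix up front. The function below is an added example, not code from the original post: it confirms the new suffix is actually registered on the forest (the Domains and Trusts step above), lists every Old → New pair it would write, and only changes anything when -Apply is passed. It pins every call to one domain controller with -Server, which is the parameter the forum post mentions; whether that also cures the failure seen when running on the domain controller itself is untested here. It assumes the ActiveDirectory module is installed and that $SearchBase and $Suffix are your own values.

```powershell
# Added example (not from the original post): preview and apply a UPN suffix
# change, validating the suffix against the forest first.
# Assumptions: ActiveDirectory module; $SearchBase and $Suffix are yours;
# -Server pins all reads and writes to one DC (the forum post's suggestion).
Import-Module ActiveDirectory

function Update-UserUpnSuffix {
    param(
        [Parameter(Mandatory)][string]$SearchBase,
        [Parameter(Mandatory)][string]$Suffix,          # e.g. test.domainname.tld
        [string]$Server = (Get-ADDomainController).HostName,
        [switch]$Apply
    )

    # Azure AD only accepts UPNs whose suffix is a verified domain, and AD only
    # lets you set suffixes registered in Domains and Trusts; fail early otherwise.
    $forest = Get-ADForest
    $known  = @($forest.UPNSuffixes) + @($forest.Domains)
    if ($known -notcontains $Suffix) {
        throw "Suffix '$Suffix' is not a domain or registered UPN suffix in this forest."
    }

    $users = Get-ADUser -Server $Server -Filter * -SearchBase $SearchBase -Properties userPrincipalName
    foreach ($u in $users) {
        $new = "$($u.SamAccountName)@$Suffix"
        if ($u.UserPrincipalName -eq $new) { continue }   # already correct, skip

        # Emit the planned change so the preview can be reviewed or exported.
        [pscustomobject]@{ SamAccountName = $u.SamAccountName; Old = $u.UserPrincipalName; New = $new }

        if ($Apply) {
            Set-ADUser -Server $Server -Identity $u -UserPrincipalName $new
        }
    }
}

# Preview (no changes written):
# Update-UserUpnSuffix -SearchBase 'OU=Employees,OU=Users,OU=CompanyName,DC=DomainName,DC=tld' -Suffix 'test.domainname.tld'
# Apply after reviewing the preview:
# Update-UserUpnSuffix -SearchBase '...' -Suffix 'test.domainname.tld' -Apply
```

Piping the preview to Export-Csv gives you a record of the original UPNs, which is the simplest way back if the wrong OU ends up synchronised, as happened in the Azure AD Sync post above.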

Export transport rules from Exchange or Exchange Online


After all my work last week creating Exchange transport rules for profanity, audio/video attachments, message encryption and more, I wanted to export the rules just in case they needed to be re-established.  Thanks to TechNet, I found the required PowerShell to export transport rules from Exchange or Exchange Online, which is:

$file = Export-TransportRuleCollection
Set-Content -Path "ExchangeOnlineRules.xml" -Value $file.FileData -Encoding Byte

The resulting XML includes the New-TransportRule commands to re-create the rules if required (or the Import-TransportRuleCollection cmdlet can be used instead).
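An export is only a backup if you can trust it when you come to import it again. The pair of functions below is an added example (not code from the original post): the export records a SHA256 hash and the rule count next to the file, and the import refuses to run unless the hash still matches. It assumes a connected Exchange or Exchange Online PowerShell session and Windows PowerShell 5.1, where -Encoding Byte is valid.

```powershell
# Added example (not from the original post): export the transport rule
# collection with a hash and rule count, and import it back only after the
# hash checks out. Assumptions: connected Exchange / Exchange Online session;
# Windows PowerShell 5.1 syntax (-Encoding Byte).
function Export-TransportRuleBackup {
    param([string]$Path = "ExchangeOnlineRules-$(Get-Date -Format yyyyMMdd).xml")

    $file = Export-TransportRuleCollection
    Set-Content -Path $Path -Value $file.FileData -Encoding Byte

    # Record what was exported so the file can be verified before re-import.
    $hash  = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    $count = @(Get-TransportRule).Count
    "$hash  $Path  rules=$count" | Set-Content -Path "$Path.sha256"

    [pscustomobject]@{ Path = $Path; Sha256 = $hash; RuleCount = $count }
}

function Import-TransportRuleBackup {
    param([Parameter(Mandatory)][string]$Path)

    # A modified rule collection could quietly add redirect or disclaimer rules,
    # so compare the stored hash with the file on disk first.
    $expected = (Get-Content -Path "$Path.sha256" | Select-Object -First 1).Split(' ')[0]
    $actual   = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($expected -ne $actual) { throw "Hash mismatch for $Path; not importing." }

    # Importing overwrites the current collection (cmdlet behaviour at the time),
    # so take a fresh export first if the live rules matter.
    $bytes = [byte[]](Get-Content -Path $Path -Encoding Byte -ReadCount 0)
    Import-TransportRuleCollection -FileData $bytes
}

# Export-TransportRuleBackup
# Import-TransportRuleBackup -Path 'ExchangeOnlineRules-20150901.xml'
```

Keeping the .sha256 file somewhere other than the same share as the XML is what makes the check meaningful; otherwise anyone who can alter the export can regenerate its hash too.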