Active Directory

How to demote a Windows Server 2012 Domain Controller

In this short write-up I will go over the steps to demote a Server 2012 domain controller.

If you have worked in Active Directory and Windows domain administration over the years you may recall that in previous versions of Windows Server you would use the command line tool DCPROMO to promote or demote a server. Since Server 2012, DCPROMO has been deprecated. In fact, if you attempt to use it you will be informed of this by the Active Directory Domain Services Installation Wizard.

In Server 2012 and later versions, Server Manager or PowerShell is required to promote a server to, or demote it from, a Domain Controller (DC). Below I provide the steps to demote a server, with some illustrations along the way. Also, here is a quick YouTube video of the process: https://youtu.be/sBK2_APaDdg

Log into the domain controller you intend to demote and launch Server Manager. From the Manage drop-down menu, select Remove Roles and Features.

On the server selection page, select the desired server from the pool.

On the Remove Roles and Features Wizard, un-tick the Active Directory Domain Services box.

The Remove Roles and Features dialog box will open. Click Remove Features.

On the Remove Roles and Features Wizard, a Validation Results box will appear stating that the domain controller must be demoted before continuing. Click Demote this domain controller.

On the Active Directory Domain Services Configuration Wizard, enter the credentials required to demote this server and click Next.

You will have several removal options, from forcing the removal of a failed domain controller to removing the last domain controller in your forest. Make the selections appropriate for your removal task and click Next.

Finally you will arrive at the New Administrator Password page. Enter and confirm the new local Administrator account password and click Next.

On the Review Options page, verify the information is correct and click Demote.

After the server has restarted it will no longer be a domain controller.

And that is it.
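The post mentions PowerShell as the other supported route in Server 2012. The following is an added example, not code from the original post, showing that route with two checks a careful admin wants before the demotion: that the DC holds no operations master roles, and the same prerequisite validation the wizard performs. It assumes an elevated session on the DC being demoted, the ADDSDeployment module (installed with the AD DS role), and a Domain Admin account; all names prompted for are placeholders.

```powershell
# Added example (not from the original post): demote a Server 2012 DC from PowerShell.
# Assumptions: run elevated on the DC itself; ADDSDeployment and ActiveDirectory modules present.
Import-Module ADDSDeployment
Import-Module ActiveDirectory

$thisDc = $env:COMPUTERNAME

# Check 1: a DC that still holds FSMO roles must hand them off first
# (Move-ADDirectoryServerOperationMasterRole); demoting it with the roles in place leaves the domain broken.
$domain = Get-ADDomain
$forest = Get-ADForest
$roles  = @($domain.PDCEmulator, $domain.RIDMaster, $domain.InfrastructureMaster,
            $forest.SchemaMaster, $forest.DomainNamingMaster)
$held = $roles | Where-Object { $_ -like "$thisDc.*" }
if ($held) { throw "This DC still holds operations master roles: $($held -join ', ')" }

# Check 2: the prerequisite validation the wizard's Validation Results box shows, with no changes made.
$cred          = Get-Credential -Message 'Domain Admin account used to demote this DC'
$localAdminPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'
Test-ADDSDomainControllerUninstallation -Credential $cred -LocalAdministratorPassword $localAdminPwd |
    Format-List

# Demote with the wizard's default options (not forced, not the last DC in the domain).
# The server reboots when this completes.
Uninstall-ADDSDomainController -Credential $cred -LocalAdministratorPassword $localAdminPwd -Confirm:$false

# After the reboot the role binaries are still installed; removing them is the wizard's final step:
# Uninstall-WindowsFeature AD-Domain-Services -IncludeManagementTools -Restart
```

Review the validation output before running the Uninstall line; if the DC is the last one in its domain, or is unreachable from the rest of the forest, the matching wizard options are the -LastDomainControllerForDomain and -ForceRemoval parameters of the same cmdlet.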

PowerShell: Unlock Active Directory Users Account

Use:

 

  • Listing account lockouts in Active Directory
  • Unlocking locked out accounts

# Open PowerShell or PowerShell ISE with an account that has rights to unlock accounts
# Import the Active Directory module into PowerShell
#
Import-Module ActiveDirectory
#
# Run the Search-ADAccount command to search for accounts that are locked out
# Locked-out accounts will be displayed
#
Search-ADAccount -LockedOut
#
#
# To unlock multiple (or all) locked-out accounts, pipe the results to Unlock-ADAccount
Search-ADAccount -LockedOut | Unlock-ADAccount
#

This could be useful if you wanted to send the results by email to a ticketing system so that account lockouts are logged and IT tickets are created for them. It is a good way for your IT staff to track the time they spend on this type of activity.
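As an added example of the ticketing idea above (not code from the original post), the script below turns Search-ADAccount -LockedOut into a report and mails it to a ticket mailbox. Each row is enriched from Security event 4740 on the PDC emulator, which records every lockout and names the computer the bad passwords came from. It assumes the ActiveDirectory module, read access to the PDC emulator's Security log, and a mail relay; the SMTP host and addresses are placeholders.

```powershell
# Added example (not from the original post): report locked-out accounts to a ticketing mailbox.
# Assumptions: RSAT ActiveDirectory module; rights to read the PDC emulator's Security log;
# SMTP host and mailbox addresses below are placeholders.
Import-Module ActiveDirectory

$SmtpServer    = 'smtp.example.com'              # placeholder
$TicketMailbox = 'helpdesk-tickets@example.com'  # placeholder
$From          = 'ad-lockouts@example.com'       # placeholder

# Lockouts are always processed by the PDC emulator, so its Security log (event 4740) is the
# one place that holds the "Caller Computer Name" for every lockout in the domain.
$pdc = (Get-ADDomain).PDCEmulator
$lockoutEvents = Get-WinEvent -ComputerName $pdc -FilterHashtable @{ LogName = 'Security'; Id = 4740 } -MaxEvents 500 -ErrorAction SilentlyContinue

$report = foreach ($acct in Search-ADAccount -LockedOut -UsersOnly) {
    $u = Get-ADUser -Identity $acct.SamAccountName -Properties AccountLockoutTime, BadLogonCount, LastBadPasswordAttempt
    $name = [regex]::Escape($u.SamAccountName)
    # The locked-out account appears after "Account Name:" in the event text; the trailing \s keeps
    # "jsmith" from matching "jsmith2".
    $evt = $lockoutEvents | Where-Object { $_.Message -match "Account Name:\s+$name\s" } | Select-Object -First 1
    $caller = if ($evt -and $evt.Message -match 'Caller Computer Name:\s+(\S+)') { $Matches[1] } else { 'unknown' }

    [pscustomobject]@{
        User            = $u.SamAccountName
        LockedOutAt     = $u.AccountLockoutTime
        BadLogons       = $u.BadLogonCount
        LastBadPassword = $u.LastBadPasswordAttempt
        CallerComputer  = $caller
    }
}

if ($report) {
    $body = $report | Format-Table -AutoSize | Out-String
    Send-MailMessage -To $TicketMailbox -From $From -SmtpServer $SmtpServer -Subject "AD lockouts: $(@($report).Count) account(s)" -Body $body
    # Keep a local audit trail of what was reported; unlock only once the ticket exists.
    $report | Export-Csv -Path "$env:ProgramData\ad-lockouts.csv" -Append -NoTypeInformation
}
```

Run it from a scheduled task on a management host. The CallerComputer column is what makes the ticket actionable: the same caller locking one account repeatedly is usually a stale saved credential or scheduled task on that machine, while many different accounts locked from one caller in a short window is a sign of password guessing and belongs with the security team rather than the helpdesk queue.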

 

Tech Short: Using PowerShell to join Computer to AD Domain

Working on a server installation I decided to use a simple yet effective PowerShell command to join a Windows Server 2012/R2 system to our domain.

For the sake of brevity, let's just show you.

Requirements:

  • Admin access to the computer/server you are joining to the domain, along with permission in the AD domain to join machines
  • A connection to the network where the domain is accessible
  • A network IP address and DNS settings that can resolve the domain you are joining
  • PowerShell

Steps:

  1. Launch PowerShell as an Administrator
  2. Issue the following command (example): Add-Computer -DomainName <domain name> -Restart

You will be prompted for a username and password at this point. Enter the correct credentials and a restart will occur soon after.

When you resume after the restart you can log in on this workstation/server with domain credentials.
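Two of the requirements listed above (DNS that resolves the domain, and a reachable domain) are the usual reasons a join fails. The following added example, not code from the original post, checks both before running the Add-Computer command the post gives, and adds -Credential and -OUPath so the computer lands in a chosen OU instead of the default Computers container. It assumes Windows 8.1 / Server 2012 R2 or later for Test-NetConnection; the domain name and OU are placeholders.

```powershell
# Added example (not from the original post): verify the join prerequisites, then join.
# Assumptions: Windows 8.1 / Server 2012 R2 or later (Test-NetConnection); placeholders below.
$Domain   = 'corp.example.com'                        # placeholder
$TargetOU = 'OU=Servers,DC=corp,DC=example,DC=com'    # placeholder; drop -OUPath to use the default container

# Clients locate DCs through this SRV record. If DNS cannot return it, the join cannot work,
# which is the "DNS that can resolve the domain" requirement in concrete form.
$srv = Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$Domain" -Type SRV -ErrorAction Stop |
       Where-Object Type -eq 'SRV' | Sort-Object Priority
$dc = $srv[0].NameTarget
"DC locator record resolved; trying $dc"

# LDAP must be reachable from this network segment; a firewall between client and DC is the
# usual cause when the record resolves but the join still fails.
if (-not (Test-NetConnection -ComputerName $dc -Port 389 -InformationLevel Quiet)) {
    throw "Cannot reach $dc on TCP 389; check network placement and firewall rules"
}

# Prompt for the join account rather than embedding a password in the script.
$cred = Get-Credential -Message "Account permitted to join computers to $Domain"
Add-Computer -DomainName $Domain -Credential $cred -OUPath $TargetOU -Restart
```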

Additional info can be found on Technet

I hope you enjoyed this short, thanks for visiting – jermal

Remote Server Administration Tools for Windows 10 | Released

Weeks of waiting and it's here at last.

Q. What is it?

A. RSAT (Remote Server Administration Tools) is a Windows Server component for remote management of other computers and server operating systems running Windows.

Grab the tools here: Remote Server Administration Tools for Windows 10

 

Tech Short Q&A: What is vCenter Single Sign-On For

What is vCenter Single Sign-On?

vCenter Single Sign-On is a feature of VMware vCenter 5, 6 and future vCenter releases. It is an authentication broker that also issues security tokens, providing a secure way of accessing your environments.

This token exchange mechanism is far superior to the former requirement that each component authenticate separately with a directory service such as Active Directory. It is VMware's answer to identity management.

Here are some key capabilities of SSO:

  • Add multiple AD domains, OpenLDAP, and the local operating system where SSO is deployed as identity sources. It also lets you create local users and groups.
  • Allows VMware vSphere to connect to a non-AD identity source, OpenLDAP.
  • Supports the SAML 2.0 standard and WS-Trust, both of which are open industry standards.
  • Lets users delegate tasks to solutions that can run as the identity of the user.
  • Supports identity delegation for long-lived tasks with the ability to renew tokens.

Follow this link for more info: VMware vCenter Single Sign-On

 

I hope you enjoyed this techshort, thanks for visiting – jermal

Tech Short: PowerShell to list users in AD security group

You want to get a list of the users who are members of an AD (Active Directory) security group. Here are some quick steps to accomplish this task.

Let's begin:

  1. Open PowerShell or PowerShell ISE
  2. Type Import-Module ActiveDirectory
  3. Followed by Get-ADGroupMember -Identity "Group Name" | Select-Object Name | Out-GridView

And there you go, fast and simple to do.
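The one-liner above lists direct members only and includes nested groups as rows. As an added example (not code from the original post), the script below expands nested groups, keeps only user objects, pulls the account details that matter when reviewing a privileged group, and exports them alongside the grid view. It assumes the ActiveDirectory module; the group name is a placeholder.

```powershell
# Added example (not from the original post): full membership review of an AD security group.
# Assumptions: RSAT ActiveDirectory module loaded; $Group is a placeholder.
Import-Module ActiveDirectory

$Group   = 'Domain Admins'                                                # placeholder
$OutFile = Join-Path $env:TEMP (($Group -replace '\s', '_') + '-members.csv')

# -Recursive expands nested groups so indirectly privileged users are not missed;
# the objectClass filter drops groups and computers from the result.
$members = Get-ADGroupMember -Identity $Group -Recursive |
    Where-Object { $_.objectClass -eq 'user' } |
    Get-ADUser -Properties DisplayName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Select-Object SamAccountName, DisplayName, Enabled, LastLogonDate, PasswordLastSet, PasswordNeverExpires |
    Sort-Object SamAccountName

$members | Export-Csv -Path $OutFile -NoTypeInformation
$members | Out-GridView -Title "$Group members (recursive)"

# Rows that usually need a follow-up: disabled accounts still in the group, accounts not
# seen in 90 days, and passwords set to never expire.
$members | Where-Object {
    -not $_.Enabled -or $_.PasswordNeverExpires -or $_.LastLogonDate -lt (Get-Date).AddDays(-90)
}
```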

 

Remove Dead Exchange Servers from Active Directory

Working with my Exchange 2012 Hybrid configuration I ran into the following error:

ERROR : Subtask NeedsConfiguration execution failed: Configure MRS Proxy Settings

Execution of the Get-WebServicesVirtualDirectory cmdlet has thrown an exception. This may indicate invalid parameters in your hybrid configuration settings.

The task wasn’t able to connect to IIS on the server ‘exchange’. Make sure that the server exists and can be reached from this computer: The RPC server is unavailable.

This is because I did not properly remove the retired Exchange servers from Active Directory during past migrations to Exchange 2013.

To remove these objects and continue with your Hybrid configuration task, do the following:

  1. Launch the Run dialog (Windows Key + R)
  2. Type in the command "adsiedit.msc" and press OK
  3. In the drop-down menu select "Configuration"
  4. Expand "CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\CN=Servers"
  5. Right-click on the dead server and "Delete"
  6. Navigate to "CN=Configuration [domain]\CN=Services\CN=Microsoft Exchange\CN=[organization]\CN=Administrative Groups\CN=Databases"
  7. Right-click on each dead database and "Delete"

Steps 1-5 will get you past the Hybrid error, but you might as well clean up while you're here.
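Deleting from the configuration partition in ADSI Edit is irreversible, so it is worth listing the server objects and confirming which one is actually dead before touching anything. The following added example (not code from the original post) enumerates the same Servers and Databases containers from the AD module, shows whether each server still answers, lists the databases still owned by the retired server, and runs the removal with -WhatIf so nothing is deleted until you drop that switch. It assumes the ActiveDirectory module and rights on the configuration partition; the retired server name 'exchange' is taken from the error in the post and is a placeholder.

```powershell
# Added example (not from the original post): find and safely remove a retired Exchange server
# from the AD configuration partition. Assumptions: ActiveDirectory module; rights to the
# configuration naming context; 'exchange' is a placeholder server name.
Import-Module ActiveDirectory

$configNC     = (Get-ADRootDSE).configurationNamingContext
$exchangeRoot = "CN=Microsoft Exchange,CN=Services,$configNC"

# Every Exchange server object under every organization/administrative group (the post's step 4 path).
$servers = Get-ADObject -SearchBase $exchangeRoot -LDAPFilter '(objectClass=msExchExchangeServer)' -Properties serialNumber, whenChanged

$inventory = foreach ($s in $servers) {
    [pscustomobject]@{
        Server      = $s.Name
        Version     = $s.serialNumber          # e.g. "Version 15.0 (Build ...)"
        LastChanged = $s.whenChanged           # a server that has not touched its object in months is suspect
        Reachable   = Test-Connection -ComputerName $s.Name -Count 1 -Quiet -ErrorAction SilentlyContinue
        DN          = $s.DistinguishedName
    }
}
$inventory | Format-Table -AutoSize

# Pick the retired server and list the databases (the post's step 6 path) still pointing at it.
$deadName = 'exchange'                                      # placeholder, from the error message in the post
$deadObj  = $servers | Where-Object Name -eq $deadName
if (-not $deadObj) { throw "No server object named $deadName found" }

$deadDbs = Get-ADObject -SearchBase $exchangeRoot -LDAPFilter '(objectClass=msExchPrivateMDB)' -Properties msExchOwningServer |
           Where-Object { $_.msExchOwningServer -eq $deadObj.DistinguishedName }
$deadDbs | Select-Object Name, DistinguishedName

# Dry run. Remove -WhatIf only after confirming the server is decommissioned and unreachable.
Remove-ADObject -Identity $deadObj.DistinguishedName -Recursive -WhatIf
$deadDbs | ForEach-Object { Remove-ADObject -Identity $_.DistinguishedName -WhatIf }
```

Take a system state backup of a DC (or at least export the objects with Get-ADObject -Properties *) before the real delete; the configuration partition replicates forest-wide and there is no recycle bin for mistakes made in it on older forests.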

The Truth – Single Sign On with Outlook and Office 365

After many twists and turns on this bumpy road of setting up a Hybrid Deployment of Exchange Online with AD Sync and ADFS for SSO, I am faced with yet another issue.

Let me tell you what does work with the single sign on:

  • Outlook via Web Access
  • Office 365 Portal
  • Office 365 SharePoint
  • Office 365 Yammer
  • Office 365 Web Apps
  • Office 365 Lync Online

For the most part, any Office 365 web service offered through a web browser works, as long as it's Internet Explorer.

Missing from the above list of working items is Outlook! That’s right; Outlook doesn’t work.

In fact, users of Outlook will be prompted to enter their credentials on first use. Let me break right here and describe first use.

First use is any time you open Outlook: you will be prompted for a password to log in, unless you save it.

In addition to having to save your password locally in the Windows Credential Manager, you will need to update that saved password each and every time you change your password.

This is not my understanding of what the term “Single Sign On” was to be. Good job to Microsoft’s Office 365 Marketing Team.  You had/have so many of us as believers.

At this time I am very disappointed about the Outlook prompts for password credentials. Perhaps they will fix it in the future.

Research

I was able to find the following ADFS White Paper on Office 365 Single Sign-On with AD FS which should provide more details.

I also found info confirming that Outlook wasn't designed to support Single Sign On. It has even been quoted: "The Office 365 experience for logging on to Microsoft Outlook connections is also not expected to be a single sign-on experience." KB2535227 (A federated user is prompted unexpectedly to enter their credentials when they access an Office 365 resource)

I apologize for the somewhat of a rant, but I felt I needed to share this before many of you waste a lot of time and investment trying to get something like this working, only to find out that one of the major reasons to use it doesn't work.

Perhaps Microsoft should read the Internet more before misusing terms such as SSO.

"With SSO, a user logs in once and gains access to different applications, without the need to re-enter log-in credentials at each application."

http://www.techopedia.com/definition/4106/single-sign-on-sso

"Single sign-on (SSO) is a property of access control of multiple related, but independent software systems. With this property a user logs in once and gains access to all systems without being prompted to log in again at each of them."

http://en.wikipedia.org/wiki/Single_sign_on

"Single signon takes away the need for the user to enter further authentications when switching from one application to another."

http://www.webopedia.com/TERM/S/single_signon.html

"Single sign-on (SSO) is a mechanism whereby a single action of user authentication and authorization can permit a user to access all computers and systems where he has access permission, without the need to enter multiple passwords. Single sign-on reduces human error, a major component of systems failure and is therefore highly desirable but difficult to implement."

http://www.opengroup.org/security/sso/

– Jermal

Manually Remove Auto-Mapped Exchange Mailboxes

Beginning with Exchange 2010 and continuing in Exchange 2013, users of the Outlook 2007/2010/2013 clients have a feature called automapping.

Automapping takes advantage of the Exchange Autodiscover service to map mailboxes to which a user has been granted "Full Access" permissions.

This is very helpful to the end user, who is no longer required to know or learn how to add additional mailboxes to Outlook.

The not-so-helpful side is when a user's access is removed and a ghosted mailbox folder remains in Outlook that the user is unable to remove. Attempts to close the mailbox result in a message that reads:

This group of folders is associated with an e-mail account. To remove the account, click the File Tab, and on the info tab, click Account Settings, Select the e-mail account, and then click Remove.

Thanks, but this doesn't work. In fact, even on a clean install of Outlook the user still has the ghost folders associated with their Outlook client.

 

So to tackle this issue, I used ADSIedit.

  1. Open ADSI Edit (WinKey + R to open Run and type adsiedit.msc)
  2. Connect to the Default Naming Context (click OK).
  3. Locate the mailbox to which you were once granted Full Access permissions and …
  4. Right-click on the object and view its properties.
  5. Scroll down to the msExchDelegateListLink attribute.
  6. Click Edit, select your user object and click Remove.

 

Now give the change a little time to replicate across your Active Directory; you will later find these folders to be gone.

To prevent this from occurring when adding mailboxes you could always run the following command to disable automapping:

Add-MailboxPermission -Identity user@jermsmit.com -User admin@jermsmit.com -AccessRights FullAccess -AutoMapping:$false
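The ADSI Edit steps above edit the msExchDelegateListLink attribute on the mailbox owner's AD account. The same change can be made from the AD module, which is easier to repeat and to verify; the following is an added example, not code from the original post. It assumes the ActiveDirectory module and write access to the mailbox owner's user object; both account names are placeholders.

```powershell
# Added example (not from the original post): remove one user from a mailbox's automap list.
# Assumptions: ActiveDirectory module; write rights on the mailbox owner's AD object; placeholders below.
Import-Module ActiveDirectory

$SharedMailbox = 'shared.sales'   # placeholder: sAMAccountName of the mailbox that is automapped
$Delegate      = 'jsmith'         # placeholder: the user who still sees the ghost folders

# msExchDelegateListLink on the mailbox owner holds the DNs of users who get the mailbox
# automapped; msExchDelegateListBL on each delegate is the back-link AD maintains for it.
$mbx = Get-ADUser -Identity $SharedMailbox -Properties msExchDelegateListLink
"Currently automapped to $SharedMailbox:"
$mbx.msExchDelegateListLink

$delegateDN = (Get-ADUser -Identity $Delegate).DistinguishedName
if ($mbx.msExchDelegateListLink -contains $delegateDN) {
    # Equivalent to Edit > select the user > Remove in ADSI Edit.
    Set-ADUser -Identity $SharedMailbox -Remove @{ msExchDelegateListLink = $delegateDN }
    "Removed $Delegate from the automap list of $SharedMailbox"
} else {
    "$Delegate is not in the automap list of $SharedMailbox"
}

# Verify from the delegate's side once replication has caught up; the back-link updates automatically.
(Get-ADUser -Identity $Delegate -Properties msExchDelegateListBL).msExchDelegateListBL
```

This only stops the automatic mapping; it does not remove the Full Access permission itself, which is still managed with Add-MailboxPermission and Remove-MailboxPermission in the Exchange Management Shell.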

 

Update from the comments 6/5/2017:
To find the mailbox, you actually find the AD user account, under the OU=Domain Name, within ADSIEdit.  – Thanks ‘ splunch ‘ for the info.

Windows 8: fixing trust relationship issues

Dear Jermal, here is some info that you may find useful in the future. I hope that you share with your friends, coworkers and the readers of your blog.

From time to time I have found myself having to reset the computer account of a workstation that was left offline. In most cases this workstation was a virtual machine with a computer password that expired. A clear sign of this is the message “The trust relationship between this workstation and the primary domain failed.” 

This can be fixed by the classic steps of removing the computer from the domain and then joining it back. You could also attempt to log into Active Directory Users and Computers and reset the computer object; I haven't had much success with this. Perhaps I'm too impatient to wait for replication.

Another method is to use PowerShell and the Test-ComputerSecureChannel cmdlet.

By loading up PowerShell (as Administrator) you can run the Test-ComputerSecureChannel cmdlet (pronounced "command-let"). Running this command on a working machine will return the value "True".

If the Test-ComputerSecureChannel cmdlet returns False, use the -Repair switch to repair the secure channel. That command will look like this: "Test-ComputerSecureChannel -Repair"

I hope this helps,

Sincerely,

Jermal

 

P.S. You will need to be logged in under a cached Administrator account on the computer. To do this, just disconnect from the network and log in with your credentials.
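The check-then-repair flow described in the post, as an added example that is not part of the original post. It runs on the affected workstation from an elevated session under the cached admin account mentioned in the P.S., prompts for a domain account rather than storing one, and re-checks afterwards; the domain name is a placeholder.

```powershell
# Added example (not from the original post): repair a broken secure channel with
# Test-ComputerSecureChannel. Assumptions: elevated session on the affected workstation,
# logged in with a cached admin account; $Domain is a placeholder.
$Domain = 'corp.example.com'   # placeholder

if (Test-ComputerSecureChannel) {
    'Secure channel to the domain is healthy; nothing to repair.'
    return
}

# -Repair resets the computer account password on a DC and the machine's local copy together,
# which is what the remove-and-rejoin steps achieve the long way round.
$cred = Get-Credential -Message "Domain account allowed to reset this computer account in $Domain"
Test-ComputerSecureChannel -Repair -Credential $cred

# If -Repair reports an error, resetting the machine password against a chosen DC is the alternative:
# Reset-ComputerMachinePassword -Server "dc01.$Domain" -Credential $cred

# Confirm the fix and show which DC the secure channel was re-established with.
Test-ComputerSecureChannel -Verbose
nltest "/sc_query:$Domain"
```

Machines that hit this repeatedly are usually VMs restored from old snapshots, which roll the local machine password back past the 30-day rotation; reverting a DC snapshot has the same effect on every computer in the domain, so the fix is a snapshot policy rather than a faster repair command.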