Connecting to Azure via local PowerShell [Windows 10]

So to make life more interesting we will try to manage our Azure resources via PowerShell, running on our local workstation with Windows 10 Pro.

Before going into the details, it is nice to have updated help, which is done by typing:

To connect to Azure, there are some basic steps to go through before typing:

There are some modules that need to be installed, and in order to do so, the appropriate execution policy must be set on your local instance:

After that, the modules must be installed:

Wait some time, after which you can import the modules:

After that, connecting to Azure is as simple as typing:

Then you will be prompted to enter your Azure credentials on a form like this:

And in the end you should get something looking like this displayed on your PowerShell CLI:

You can also test by typing:

This will display all resources available within the current environment.
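The whole sequence in one place, as an added example rather than the post's own commands (which are not reproduced on this page); it assumes the current Az module, while the original post may have used the older AzureRM module.

```powershell
# Added example, not the post's own commands. Assumes the Az module from the PowerShell Gallery.
# Refresh local help so Get-Help works offline for the cmdlets used below.
Update-Help -ErrorAction SilentlyContinue

# Allow locally written scripts while still requiring a signature on downloaded ones.
# -Scope CurrentUser leaves the machine-wide policy alone and needs no admin rights.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope CurrentUser -Force

# Install the Az module for this user only, from the PowerShell Gallery.
Install-Module -Name Az -Repository PSGallery -Scope CurrentUser -Force

# Load the account cmdlets and sign in interactively (a login form is shown).
Import-Module Az.Accounts
Connect-AzAccount

# Confirm which tenant and subscription the session is bound to before touching anything.
Get-AzContext | Format-List Account, Tenant, Subscription

# The equivalent of the post's final test: list every resource visible in the current subscription.
Get-AzResource | Select-Object Name, ResourceType, ResourceGroupName | Format-Table -AutoSize
```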

Enable ping on Windows 7 / Windows Firewall

By default, the built-in Windows Firewall blocks ping requests. Since ping is usually a useful command, it is convenient to enable it when working in a trusted environment.


To enable ping in Windows firewall:

  1. Open Start Menu
  2. Search for Windows Firewall
  3. Select Advanced Settings on the left
  4. Click Inbound Rules
  5. Find the rule named: File and Printer Sharing (Echo Request - ICMPv4)
  6. Right-click on the rule and select “Enable”

Another option is to enable ping via GPO.
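The same change from the command line, as an added example that is not part of the post; it assumes the built-in rule's full display name is "File and Printer Sharing (Echo Request - ICMPv4-In)" and restricts it to the Domain and Private profiles so ping stays blocked on Public networks.

```powershell
# Added example, not from the post. Assumed display name of the built-in inbound ICMPv4 rule:
$ruleName = 'File and Printer Sharing (Echo Request - ICMPv4-In)'

if (Get-Command -Name Get-NetFirewallRule -ErrorAction SilentlyContinue) {
    # Windows 8 / Server 2012 and later: NetSecurity cmdlets are available.
    # Enable the rule, but only for the trusted (Domain, Private) profiles.
    Get-NetFirewallRule -DisplayName $ruleName |
        Set-NetFirewallRule -Profile Domain, Private -Enabled True

    # Verify: Enabled should be True and Profile should not include Public.
    Get-NetFirewallRule -DisplayName $ruleName |
        Select-Object DisplayName, Enabled, Profile, Direction, Action
}
else {
    # Windows 7 / Server 2008 R2: no NetSecurity module, so use netsh advfirewall.
    # "new" sets the properties of the matched rule(s); profile= scopes it to trusted networks.
    netsh advfirewall firewall set rule name="$ruleName" new enable=yes profile=domain,private

    # Verify the resulting rule state.
    netsh advfirewall firewall show rule name="$ruleName"
}

# From another trusted host, confirm the echo reply now arrives (hostname is a placeholder):
# Test-Connection -ComputerName <target-host> -Count 2
```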

Active directory interview questions, part 2 of 2

  • How does group policy resolve setting conflicts?
  1. By following the GPO processing order. More specifically, the GPO containing the conflicting policy setting that applies last is the one that overwrites all other settings.
  • Give three examples of where the PowerShell pipeline should be used rather than setting a variable
  1. This is an intriguing question in the Linux/bash environment as well.
  2. It allows data to be sent from one command to the next without the need to define a variable.
  3. It allows for easier ongoing refining of the function/script results.
  4. Streaming/piping values allows working with “infinite” lengths of continuous data, while it is rather impossible to define such a variable.
  • How do you establish a remote PowerShell session? What are the prerequisites?
  1. [If working within a domain] Enable PowerShell Remoting: Enable-PSRemoting -Force
    1. Starts the WinRM service
    2. Sets it to start automatically with the system
    3. Creates a firewall rule for incoming connections
  2. [If working within a workgroup]
    1. Configure the network as private
    2. Configure TrustedHosts on both machines.
  3. To execute a single remote cmdlet: Invoke-Command
  4. To initiate a remote session: Enter-PSSession
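The workgroup case from the last answer carried through end to end, as an added example (not from the post); the target hostname SRV01 is a placeholder and both sides are run from an elevated prompt.

```powershell
# Added example, not from the post. SRV01 is a placeholder for the workgroup target machine.

# --- On the target machine (elevated) ---
# Enable-PSRemoting refuses to add its firewall rule on a Public profile, so mark the network Private first.
Get-NetConnectionProfile | Set-NetConnectionProfile -NetworkCategory Private
# Starts WinRM, sets it to Automatic start, registers the session endpoint and adds the inbound rule.
Enable-PSRemoting -Force

# --- On the client machine (elevated) ---
# In a workgroup there is no Kerberos, so WinRM must be told explicitly which hosts it may send
# NTLM credentials to. Add the single host (never '*') and keep any entries already present.
Set-Item -Path WSMan:\localhost\Client\TrustedHosts -Value 'SRV01' -Concatenate -Force
Get-Item -Path WSMan:\localhost\Client\TrustedHosts   # review the resulting list

$cred = Get-Credential -Message 'Local administrator on SRV01'

# One-off cmdlet on the remote host: runs in a temporary session and returns deserialized objects.
Invoke-Command -ComputerName SRV01 -Credential $cred -ScriptBlock {
    Get-Service -Name WinRM | Select-Object MachineName, Name, Status, StartType
}

# Interactive session: the prompt changes to [SRV01]: until you run Exit-PSSession.
Enter-PSSession -ComputerName SRV01 -Credential $cred
```

TrustedHosts only tells the client which names it may send credentials to; it does not verify the server's identity, so on anything beyond a lab prefer a domain (Kerberos) or an HTTPS WinRM listener with a valid certificate.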


Active directory interview questions, part 1 of 2

Some questions from a recent interview for Active Directory specialist position:


  • What are some extended Active Directory attributes that are created when you install common enterprise Microsoft offerings?
    1. Depending on the MS product being deployed, there could be various changes to the schema. The good thing is that they are all well documented, with sufficient description, on TechNet.
    2. For example, when installing Exchange 2016, attributes that are created include: ms-Exch-UG-Event-Subscription-Link and ms-Exch-UG-Event-Subscription-BL.
    3. When deploying Skype for Business: msExchUserHoldPolicies, msRTCSIP-UserRoutingGroupId, msRTCSIP-MirrorBackEndServer
    4. etc.


  • Name 3 use cases of AD delegation that would be useful in a company
    1. Delegate Microsoft BitLocker decryption rights to the Help Desk
    2. Delegate new user creation to the Identity and Access Management team [IAM]
    3. Delegate password reset to Global Service Desk users [GSD]


  • Solve for this scenario:
    • User A needs access to:
      • \\company.share\Public
      • \\company.share\Confidential
      • \\company.share\Secret
    • User B needs access to:
      • \\company.share\Public
      • \\company.share\Confidential\Public
      • and cannot have access to \\company.share\Confidential
    • The solution needs to be scalable for the future.

    1. Make two groups: User-a-category and User-b-category.
    2. For User-a-category, assign the appropriate NTFS access to the specified folders in \\company.share\.
    3. For User-b-category, assign NTFS access to the specified folders in \\company.share\.
    4. Set security permissions on the \\company.share\Confidential folder.


  • If a user calls and tells you a newly created distribution group is unable to accept email from clients, what is the problem?
    1. Analyze the error code generated when sending emails [if available]
    2. Check if the group scope is appropriate [Universal/Global/Domain local]
    3. Check if “Sender authentication” is enabled
    4. Check with Get-TransportServer | Get-MessageTrackingLog -Sender "address of sender" -Recipients "address of DL"
    5. Check that an anti-spam filter isn't interfering [although this depends on whether internal or external messages are the ones not being received]
    6. Remove the user from the group and add them again [some classical IT troubleshooting]


  • What is a loopback group policy?
    1. It allows user configuration settings to be applied based on the computer's GPO. Thus computer policies take precedence over user policies/settings. It works in 2 modes:
    2. replace: the user policies defined in the computer's GPO replace the user policies normally applied to the user
    3. merge: the user policies defined in the computer's GPO and the user policies normally applied to the user are merged. If a conflict occurs, the user policies in the computer's GPO overwrite the user's normal policies.

Part 2 will be on soon.


Fix: Windows 10 installs various apps and games without asking

Windows 10 includes a new feature that automatically installs apps from the Windows Store because Microsoft wants to promote some of them. Usually not a problem, but it can be an annoyance. Fortunately, there is a quick solution:

  1. Open Registry Editor
  2. Go to
    1. HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CloudContent
    2. if the key is not present, you will need to create it
  3. Create a 32-bit DWORD value in the key:
    1. name: DisableWindowsConsumerFeatures
    2. value: 1

Restart the computer.
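The same fix applied from an elevated PowerShell, as an added example that is not part of the post; it creates the policy key if it is missing and verifies the value before you reboot.

```powershell
# Added example, not from the post: the registry steps above, scripted and verified.
$key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CloudContent'
$name = 'DisableWindowsConsumerFeatures'

if (-not (Test-Path -Path $key)) {
    # The Policies\...\CloudContent key does not exist on a default install, so create it.
    New-Item -Path $key -Force | Out-Null
}

# -PropertyType DWord creates the 32-bit REG_DWORD the policy expects; -Force overwrites an existing value.
New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null

# Verify before rebooting: the stored value must read back as 1.
$current = (Get-ItemProperty -Path $key -Name $name).$name
if ($current -ne 1) { throw "$name is '$current', expected 1" }
"$name = $current (restart the computer to apply)"
```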

Series: Compact corporate environment

Purpose:

  • troubleshoot common problems found in complex environment
  • gain additional experience
  • test new products and features
  • develop some PowerShell and Desired State configuration scripts
  • go through the design and deployment phases
  • enjoy while building, breaking and fixing


FIX: Windows cannot find the Microsoft Software License Terms

So, I was setting up a nice Windows Server 2012 R2 machine in Hyper-V for some Active Directory testing.

I allocated the minimum required resources for WS 2012 R2, as seen here, and just after selecting the edition that I wanted to install [it doesn't matter if you prefer Standard or Datacenter edition, with or without GUI], a greeting window appeared:

Windows cannot find the Microsoft Software License Terms


Office 365 lab set up [in progress]

A useful guide for setting up an Office 365 lab for testing purposes.

Components:

  • On-premise domain controller
  • On-premise SCCM
  • Public cloud exchange server
  • Windows 10 workstation
  • Windows 8.1 workstation

Original article available here.


Nice readings, conversations or forums related to the post:

  • Moving Domain controller to cloud (AWS or Azure) for a small business @ Spice Works – available here.
  • Protect Active Directory and DNS with Azure Site Recovery @ Microsoft – available here.
  • Install a new Active Directory forest on an Azure virtual network @ Microsoft, available here.

repadmin – CLI tool for AD replication troubleshooting

Some examples:

  • repadmin /bind dc1 will test basic LDAP connectivity to the targeted server
  • repadmin /showrepl DC1 will show the replication status for the DC1 domain controller, and
  • repadmin /showrepl * /csv > repl-status.csv will export the information to a nice CSV file. Help is available at repadmin /?
  • repadmin /showrepl * /csv | ConvertFrom-Csv | Out-GridView will show the result in a nice view, without the need for Excel or Calc.
  • repadmin /replicate dc2 dc1 "dc=root,dc=contoso,dc=com" will attempt to replicate from dc1 to dc2
  • repadmin /showobjmeta dc1 "cn=dc1,ou=domain controllers,dc=root,dc=contoso,dc=com" > dc1objectinfo.txt and repadmin /showobjmeta dc2 "cn=dc1,ou=domain controllers,dc=root,dc=contoso,dc=com" > dc2objectinfo.txt will get you the replication metadata for a specified object stored in AD, as seen by each DC. It is useful for troubleshooting some replication errors like -2146893022, 8614 and 8606. It can show you if there is a difference in the *pwd* attribute versions. If such a difference exists, it will be useful to check Event Viewer -> Windows Logs -> System for Kerberos errors.
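Building on the /showrepl * /csv export above, an added example (not from the post) that parses the CSV in PowerShell and reports only the partnerships that are currently failing; the column names are the ones repadmin writes in its CSV header and are assumed here.

```powershell
# Added example, not from the post: filter repadmin's CSV output down to failing partnerships.
# Column names as emitted by repadmin /showrepl /csv (assumed).
$repl = repadmin /showrepl * /csv | ConvertFrom-Csv

# 'Number of Failures' arrives as a string, so cast before comparing.
$failing = $repl | Where-Object { [int]$_.'Number of Failures' -gt 0 }

if (-not $failing) {
    'All replication partnerships report zero failures.'
}
else {
    $failing |
        Select-Object 'Destination DSA', 'Source DSA', 'Naming Context',
                      'Number of Failures', 'Last Failure Time', 'Last Failure Status' |
        Sort-Object { [int]$_.'Number of Failures' } -Descending |
        Format-Table -AutoSize
}

# The full table in a sortable window, as in the post, without Excel or Calc:
# $repl | Out-GridView -Title 'repadmin /showrepl'
```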

Active Directory/ Windows environment troubleshooting toolbox

A small collection of useful programs, applications and MMCs that can be of use when your Active Directory isn't cooperating and working as designed, or when you are trying to find that small problem in the environment that has been bothering you for quite some time.

Post in progress, regularly updated.
