Posts

OAuth Certificates with Hybrid Exchange

Older versions of Microsoft Exchange in a hybrid configuration with Exchange Online (EXO) used a federation trust to authenticate connections for free/busy information. Newer hybrid deployments of Exchange 2016/2019 use OAuth authentication instead of federation. OAuth authentication is reliant on the Auth certificate in your on-premises Exchange. This certificate is created automatically with a lifetime of 5 years when you install Exchange Server on-premises. If this certificate has been replaced, then you also need to update Azure AD with the new certificate information. The simplest way to update the information is by running the hybrid wizard again after you update the Auth certificate. I wrote a previous post about renewing/updating the Exchange Server Auth certificate here: http://byronwright.blogspot.com/2018/05/expired-microsoft-exchange-server-auth.html If you update the Exchange Server Auth certificate and forget to update the information in Azure AD, you are likely to see fr...

Laggy Mouse and Jaggy Fonts

I have a 4K TV hooked up as my monitor with an older video card. Unfortunately, this video card can only output 4K at 30Hz, which isn't optimal, but for my purposes is just fine. I'm not playing games that require fine-tuned actions. I recently changed my display to 1080p for an online presentation and then back to 4K. By default, 4K was running at 60Hz; however, this made the text slightly blurry because HDMI was compressing the signal. I set it down to 30Hz to fix that, but then the text was jaggy and not smooth. Also, my mouse was really laggy as I moved it around the screen. When I changed back to 4K 30Hz, Windows 10 and the TV negotiated using HDR (High Dynamic Range) for display. Normally when Windows 10 negotiates a setting, that's preferred, but not in this case. When I disabled HDR in display settings, my fonts were smoothed properly and the mouse lagging stopped.

Convert ImmutableID to Hex for AD

To get the immutableID value from a user (you should be able to do something similar with Get-MSOLUser if preferred):

    $id = (Get-AzureADUser -ObjectId User@domain.com).immutableid

To convert that ID to hex for entry:

    $hex = ([system.convert]::FromBase64String("$id") | ForEach-Object ToString X2) -join ' '

To view the value in $hex:

    $hex

The immutable id will be a value something like:

    fhG+Kox7LkaYwSIf6s6UFA==

The hex for that one is:

    7E 11 BE 2A 8C 7B 2E 46 98 C1 22 1F EA CE 94 14

The hex value can be entered into the ms-DS-ConsistencyGUID attribute of the user object.

And converting from objectGUID to ImmutableID, where $u is the on-premises AD user object (for example, from Get-ADUser):

    $immutableID = [system.convert]::ToBase64String(([GUID]($u.ObjectGUID)).tobytearray())

Install-Module Fails without TLS 1.2

I've run into problems with Windows Server where the Install-Module cmdlet generates errors and won't download from the PowerShell repository on the internet. To fix this you need to enable TLS 1.2 for PowerShell. To do this permanently for .NET 4 and up, set two registry keys, one for the 64-bit and one for the 32-bit (Wow6432Node) .NET Framework:

    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Wow6432Node\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord
    Set-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\.NetFramework\v4.0.30319' -Name 'SchUseStrongCrypto' -Value '1' -Type DWord

If you need a quick temporary fix because you can't update the registry, then use this:

    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12

The temporary fix applies only to the current PowerShell session.

Issues with Exchange 2010 and Exchange 2016 coexistence

This one is primarily notes to myself...

When Exchange 2016 is installed alongside Exchange 2010, MAPI over HTTP is enabled by default for the organization. Exchange 2010 mailboxes continue to be accessed via RPC. Exchange 2016 mailboxes will use MAPI over HTTP. If Exchange 2016 mailboxes have Full Access to an Exchange 2010 mailbox, then Outlook Anywhere is used to connect to that secondary mailbox. If you are using a wildcard certificate, you need to set the certificate name for the EXPR Outlook provider for Outlook Anywhere as msstd:*domain.com.

Authentication prompts

Exchange 2010 on Windows Server 2008 R2 requires a security update for Outlook Anywhere to function properly. This is a security update from 2016 (KB3140410). It "should" already be in place, but if it's not, then Outlook Anywhere will cause tons of authentication popups in Outlook. https://support.microsoft.com/en-us/help/2990117/outlook-anywhere-users-prompted-for-credentials-when-they-try-to-conne I saw this manifest as Exchange...

MIS2000 Links

Using Power BI for data analytics and reporting
https://docs.microsoft.com/en-us/learn/paths/create-use-analytics-reports-power-bi/

City of Winnipeg Software Piracy
https://www.cbc.ca/news/canada/manitoba/city-of-winnipeg-manager-in-charge-of-police-radios-arrested-after-2-year-investigation-1.5027975

What's wrong with this picture?
https://twitter.com/DaveLeeBBC/status/1102359402151985152

Computer system failure grounds transit system in San Francisco
https://www.bart.gov/news/articles/2019/news20190309

Supply Chain Management Simulator
https://www.scmglobe.com/supply-chains-roman-empire/

Career wisdom from IT pros
https://www.reddit.com/r/sysadmin/comments/dzm3xs/once_a_young_sysadmin_and_now_an_old_unicorn_how/

(A few) Ops Lessons We All Learn The Hard Way
https://www.netmeister.org/blog/ops-lessons.html

Michael Geist blog (copyright and net freedom issues)
http://www.michaelgeist.ca/

Government IT failures
Federal Government - Phoenix payroll system #1
http://www.oag-bvg.gc.ca/...

Azure AD Connect Large Object Error

A client is migrating their remaining mailboxes from on-premises Exchange to Office 365. Today they went to migrate a mailbox, but the user account wasn't replicated up to Office 365. After verifying that it was not being filtered by OU in Azure AD Connect, I checked the Synchronization Service Manager for Azure AD Connect and found an error listed for the export to the Azure AD tenant (XXX.onmicrosoft.com). The error was LargeObject and when I drilled down, it had these details:

    The provisioned object is too large. Trim the number of attribute values on this object.

This error is typically caused by:

- Too many user certificates (15 max)
- Too many SMIME certificates (15 max)
- A thumbnail photo that is too large
- Too many proxy addresses

This user object did not have any user certificates, SMIME certificates, or a thumbnail photo. So, let's check out the proxy addresses. The user object had 540 addresses. After a bit more research, I found that user objects in Azure AD have a limit ...