24 May 2017

Skype for Business 2015 Frontend Service won't start - Don't disable TLS 1.0 Event ID: 32192 & 32179

Finally figured it out.
Our Skype for Business 2015 Server Front-End service wouldn't start; it kept displaying "Starting".
The Event Viewer kept filling up with:
Event ID: 32192

Closing routing group service due to an error.

Calling ReportFault on routing group {3C86EE90-FB81-5FC0-9B41-2C787B4ACC20} with FaultType 2 and ReasonCode 3. Error code: 0x00000000(ERROR_SUCCESS)
Cause: This may indicate a problem with the routing group. Please examine the server event logs and traces to identify the cause.
Resolution:
Run the commandlet Get-CsPoolFabricState -RoutingGroup [ROUTING GROUP] and make sure quorum is achieved. If the Pool is running and the Front-End is just started, this is normal for some time. If the error persists while the Front-End is running, restart the server.

And:
Event ID: 32179

Request to sync data from backup store for routing group {353B9BC5-A12D-578B-BAD5-F7F8BD5E02FC} was throttled due to pending requests.
Cause: This can happen when a Pool is re-started, and should go away automatically.

Turns out TLS 1.0 had been disabled, but this only became effective after the first reboot.
So when we rebooted for the latest WSUS updates, it got activated and killed the RTCSRV.exe service.

You can find the key here:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
REG_DWORD - Enabled
Value: ffffffff (decimal: 4294967295)

The disabled value is:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server
REG_DWORD - Enabled
Value: 0 (decimal: 0)
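
To check the configured state before the next reboot activates it, this added example (not part of the original post) reads the SCHANNEL protocol keys and warns when TLS 1.0 is disabled on a machine that has the Front-End service. The function name is hypothetical, and the service name RTCSRV is assumed from the RTCSRV.exe mentioned above.

```powershell
# Added example: report the configured SCHANNEL state per protocol and role.
$base = 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols'

function Get-SchannelProtocolState {   # hypothetical helper name
    param([string[]]$Protocol = @('TLS 1.0', 'TLS 1.1', 'TLS 1.2'))

    foreach ($p in $Protocol) {
        foreach ($role in 'Server', 'Client') {
            $key   = Join-Path (Join-Path $base $p) $role
            $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue

            # No key or no Enabled value means the OS default applies.
            $state = if ($null -eq $props -or $null -eq $props.Enabled) {
                'OS default (not configured)'
            } elseif ($props.Enabled -eq 0) {
                'Disabled'
            } else {
                'Enabled'          # ffffffff, as shown in the post
            }

            [pscustomobject]@{
                Protocol          = $p
                Role              = $role
                State             = $state
                Enabled           = $props.Enabled
                DisabledByDefault = $props.DisabledByDefault
            }
        }
    }
}

Get-SchannelProtocolState | Format-Table -AutoSize

# Assumption: the Front-End service is registered under the name RTCSRV.
$tls10    = Get-SchannelProtocolState -Protocol 'TLS 1.0'
$frontEnd = Get-Service -Name 'RTCSRV' -ErrorAction SilentlyContinue
if ($frontEnd -and ($tls10 | Where-Object { $_.State -eq 'Disabled' })) {
    Write-Warning ("TLS 1.0 is disabled in SCHANNEL and the Front-End service is " +
        "installed (status: $($frontEnd.Status)). The registry value applies from the next reboot.")
}
```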

23 May 2017

Start Menu locations - Or add a simple Start Menu yourself without 3rd party tools

I keep forgetting the path to the Start Menu:
"C:\ProgramData\Microsoft\Windows\Start Menu\Programs"

This is the same for Windows 7 up to Windows 10, and for Server 2012 to Server 2016.

But wouldn't it be nice to have some sort of start menu without installing some malware/spyware infested tool? Then this quick fix is for you:

  • Display "Hidden items" on your C: Drive.
      • Open File Explorer and browse to your C: Drive.
      • On the View tab, check the "Hidden items" checkbox.
  • Add a New Toolbar on your Taskbar.
      • Right-click on a blank area of your Taskbar and select Toolbars > New Toolbars.
  • Browse to the Start Menu\Programs folder.
      • In the New Toolbar dialog box, browse to the "C:\ProgramData\Microsoft\Windows\Start Menu\Programs" folder.
  • Click the "Select Folder" button.
      • Click the "Select Folder" button to add the new Toolbar to your Taskbar.


19 May 2017

Find all the KBs for WannaCry with PowerShell

I know this stuff is all over the place, but it could still come in handy:

Check to see if the necessary Microsoft KBs are installed on your computer or server to protect you from "WannaCry":

#Current list of all the hotfixes from https://technet.microsoft.com/en-us/library/security/ms17-010.aspx            
$hotfixes = "KB3205409", "KB3210720", "KB3210721", "KB3212646", "KB3213986", "KB4012212", "KB4012213", "KB4012214", "KB4012215", "KB4012216", "KB4012217", "KB4012218", "KB4012220", "KB4012598", "KB4012606", "KB4013198", "KB4013389", "KB4013429", "KB4015217", "KB4015438", "KB4015546", "KB4015547", "KB4015548", "KB4015549", "KB4015550", "KB4015551", "KB4015552", "KB4015553", "KB4015554", "KB4016635", "KB4019213", "KB4019214", "KB4019215", "KB4019216", "KB4019263", "KB4019264", "KB4019472", "KB4015221", "KB4019474", "KB4015219", "KB4019473"            
             
# Check whether any of the listed hotfixes are present on the computer this is run on
$hotfix = Get-HotFix -ComputerName $env:COMPUTERNAME | Where-Object { $hotfixes -contains $_.HotFixID } | Select-Object -Property "HotFixID"

# Report whether a hotfix was found (reuses the result above instead of querying again)
if ($hotfix)
{
    "Found HotFix: " + (($hotfix | ForEach-Object { $_.HotFixID }) -join ", ")
} else {
    "Didn't Find HotFix"
}

If you are running Windows 10 Creators Update (Winver: 1703) you are good to go, as this build is not affected by WannaCry.

17 May 2017

PSGallery module gone - add it back to PowerShell-ISE

Unable to add modules from the PSGallery provider

When your Package provider list is empty:
Get-PackageProvider -ListAvailable

Run CMD.exe as an administrator and run the following command:
@powershell -NoProfile -ExecutionPolicy Bypass -Command "iex ((new-object net.webclient).DownloadString('https://chocolatey.org/install.ps1'))" && SET PATH=%PATH%;%ALLUSERSPROFILE%\chocolatey\bin

Close the CMD window, now you have a PS Repository:
PS C:\windows\system32> Get-PSRepository            
            
Name                      InstallationPolicy   SourceLocation
---------                 ------------------   --------------   
PSGallery                 Trusted              https://www.powershellgallery.com/api/v2/

Set the PSGallery as trusted:
PS C:\windows\system32> Set-PackageSource -Name PSGallery -Trusted               
            
Name                             ProviderName     IsTrusted  Location            
---------                        -------------    ---------  --------                                                                                                                                  
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/
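
The one-liner in the CMD step executes whatever the URL returns. This added example (not part of the original post) downloads the same script to disk and reports its Authenticode status, signer and SHA-256 before running it from an elevated PowerShell session. The function name, the temp path and the publisher pattern are placeholders, and it assumes the script carries an Authenticode signature.

```powershell
# Added example: fetch the installer to disk and inspect it before running it.
function Test-DownloadedInstaller {   # hypothetical helper name
    param(
        [string]$Uri     = 'https://chocolatey.org/install.ps1',   # URL from the post
        [string]$OutFile = (Join-Path $env:TEMP 'install.ps1'),
        [string]$ExpectedSubjectLike   # wildcard for the signer you expect
    )

    # Older Windows PowerShell may not offer TLS 1.2 for web requests by default.
    [Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
    Invoke-WebRequest -Uri $Uri -OutFile $OutFile -UseBasicParsing

    $sig     = Get-AuthenticodeSignature -FilePath $OutFile
    $hash    = Get-FileHash -Path $OutFile -Algorithm SHA256
    $subject = if ($sig.SignerCertificate) { $sig.SignerCertificate.Subject } else { $null }

    [pscustomobject]@{
        Path            = $OutFile
        SHA256          = $hash.Hash
        SignatureStatus = $sig.Status
        Signer          = $subject
        # Trusted only when the signature validates AND the signer matches the pattern.
        Trusted         = ($sig.Status -eq 'Valid') -and $ExpectedSubjectLike -and
                          ($subject -like $ExpectedSubjectLike)
    }
}

# Placeholder pattern: replace with the publisher you have verified out of band.
$check = Test-DownloadedInstaller -ExpectedSubjectLike '*O=EXPECTED-PUBLISHER-PLACEHOLDER*'
$check | Format-List

if ($check.Trusted) {
    # Process scope only: the machine-wide execution policy stays untouched.
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    & $check.Path
} else {
    Write-Warning ("Not running $($check.Path): signature status " +
        "'$($check.SignatureStatus)', signer '$($check.Signer)'.")
}
```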


11 May 2017

BitLocker everything - Store your BitLocker keys in OneDrive

I was fooling around with BitLocker the other day and needed a way to store my BitLocker key other than on an external drive or USB drive, and especially something other than printing it.

Right-click on the physical drive you want to BitLocker and select "Turn on BitLocker".
Then you're asked where the BitLocker recovery key has to be stored.
The first option that is presented turned out to be the most excellent one.

Save to your cloud domain account.
Now you might think that you need an Azure joined machine; this is partially correct.
If your machine is Azure Active Directory domain joined, your BitLocker keys are stored in the "Devices" section in your account; you can find the key under the details of your device.

But if you're not Azure domain joined but do have a OneDrive account set up, then it will save your BitLocker key in your OneDrive.

Eureka, this means there is no more reason not to use BitLocker on your personal computers, knowing that in the case of theft or loss your data will not be compromised.
And the recovery key can be accessed fairly easily through this site:

https://onedrive.live.com/RecoveryKey

Now this site is not accessible from your OneDrive site directly; you won't find a link to it there, you have to know it and type it.



20 April 2017

Forward email to external domain - Exchange 2013 & Exchange 2016

By default, email forwarding to an external domain is disabled on an out-of-the-box Exchange 2013/2016 installation.
There are a lot of blogs/threads/comments on the web that say to create a transport rule or to create a contact. Neither of these will work, because autoforward to external domains is disabled (see below).

If you look in the message tracking logs you will find the following line:

To be able to do this for a specific domain only you can do the following:

Check your current settings:
Get-RemoteDomain
Name                           DomainName                                   AllowedOOFType
----                           ----------                                   --------------
Default                        *                                            External

Check the auto forward settings:
Get-RemoteDomain | fl autofor*
AutoForwardEnabled : False

Add a new remote domain to allow forwarding to:
New-RemoteDomain -Name yourremotedomain -DomainName yourremotedomain.com


Check the auto forward settings for the new domain:
Get-RemoteDomain -Identity yourremotedomain | FL auto*            
AutoReplyEnabled   : True                        
AutoForwardEnabled : True

After doing all this you can create a rule in Outlook or OWA to forward an email to this particular domain only.

31 March 2017

Get-HealthReport - Get your daily dose of builtin Exchange HealthReport checks in your mailbox

Looking for some stuff about Skype for Business, I came across a great post by Joakim Storrank over at https://sysadminblogger.wordpress.com/

He had a few scripts he uses for monitoring; two of the ones he mentions I use as well, but the third caught my eye.

It was a great one-liner (gotta love those) about the builtin HealthReport checks for Exchange.
The thing is that it was for 1 server and I have several, so I made some adjustments, and now it can be used for an array of servers.

Thanks Joakim, and check out his post about Health Checking / Monitoring Exchange Server 2013/2016.

Run it as a scheduled task daily with these arguments:
powershell.exe -NoProfile -File "C:\_Scripts\Get-HealthReport\Get-HealthReport.ps1"

The Script:
##############################################################################
## Get-HealthReport
## Purpose: Sends report on the builtin Exchange HealthReport commandlets
## Author: Edwin van Brenk
## Date: 30 march 2017
## Version: 1.0
## Credits go to Joakim Storrank for his excellent oneliner:
## https://sysadminblogger.wordpress.com/2017/03/13/health-checking-monitoring-exchange-server-20132016/
##############################################################################
# Load Exchange 2013 Module
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.SnapIn

## The Servers to test (defined before the subject line, which uses the list)
$Computers = "server1","server2","server3","server4"

# SMTP options for sending the report email
$smtpServer = "smtp.domain.com"
$smtpFrom = "Get-HealthReport@domain.com"
$smtpTo = "username@domain.com"
$messageSubject = "Get-HealthReport $Computers"

$logPath = "C:\_Scripts\Get-HealthReport"

# Build table style for the html files
$style = "<style>BODY{font-family: Arial; font-size: 10pt;}"
$style = $style + "TABLE{border: 1px solid black; border-collapse: collapse;}"
$style = $style + "TH{border: 1px solid black; background: #dddddd; padding: 5px; }"
$style = $style + "TD{border: 1px solid black; padding: 5px; }"
$style = $style + "</style>"
# End HTML Output file style

$Date = Get-Date -Format dd-MM-yyyy

# Start the Script
Foreach($computer in $Computers)
{
    # Choose what you want to see: all statuses, everything but healthy, or everything but healthy and disabled, by commenting out the lines you don't want
    #$GetStuff = Get-HealthReport -Server $Computer | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
    #$GetStuff = Get-HealthReport -Server $Computer | where {$_.alertvalue -ne "Healthy" -and $_.AlertValue -ne "Disabled"}  | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
    $GetStuff = Get-HealthReport -Server $Computer | where {$_.alertvalue -ne "Healthy"} | Select server,state,healthset,alertvalue,lasttransitiontime,monitorcount #-AutoSize
    $GetStuff | ConvertTo-Html -head $style -body "Get-HealthReport from $Computer" | Out-File "$logPath\$Computer-$Date.html"
}

# Remove previously created combined.html (no error if it does not exist yet)
Remove-Item $logPath\combined.html -ErrorAction SilentlyContinue
# Combine all the html files into one file
Get-Content -path $logPath\*.html | Add-Content -Path $logPath\combined.html

# Send email message
Send-Mailmessage -To $smtpto -From $smtpfrom -SmtpServer $smtpserver -Subject $messagesubject -Body (Get-Content $logpath\combined.html | Out-String) -BodyasHtml
# Remove all html files to prevent filling the disk
Remove-Item $logpath\*.html