29 November 2016

Renew Exchange 2013 Certificates from Internal CA

This comes back once a year, well for me anyway.
So to never forget I thought why not make a post for myself and all of you out there.

But Paul Cunningham from Exchangeserverpro did a far better job even before I got started, so here goes:


PowerShell tips

Get-ExCommand returns all Exchange-specific cmdlets, and Get-Command shows the syntax of a single cmdlet:

Get-ExCommand

Get-Command -Name Get-Service -Syntax

Get-Help is another one which comes handy. Say, while you were playing with Exchange management shell, you saw a new cmdlet and don’t know what that means.

For example, you don’t know what Get-Message means. To know more, type

Get-Help Get-Message

Get-Message is a cmdlet to retrieve messages from the message queue in Exchange 2007 and 2010

An example is,

Get-Message -Filter {FromAddress -like "*@ratishnair.com"}

This cmdlet will retrieve all messages from the domain "ratishnair.com".

The tilde character (~) is a shortcut for the current user's home directory. For example,

Dir ~

Use it as a shortcut:

Cp FileName "~\My Documents"

We see the $_ sign in a lot of cmdlets. This is known as a Special Variable.

The $_ represents the objects being passed from one cmdlet to another cmdlet in the pipeline. The $_ variable is automatically initiated by the shell and is bound to the current pipeline object. You can access the properties of the object assigned to the $_ variable as you would any other object.

The following example shows how you can view the Name property of each mailbox object
that is passed through the pipeline:

Get-Mailbox | ForEach { $_.Name }

If you need another example, this one lists all running services on an Exchange server

Get-Service | where {$_.Status -eq "Running"}

Let's take a look at another one. This one returns the name of the smallest database:

(Get-MailboxDatabase | foreach { get-childitem $_.edbFilePath | select-object name,length} | sort -property length )[0]

The -Filter parameter and the -like operator are often used together: the filter expression goes in double quotes and the value to match in single quotes.

Again, easy when explained with an example:

Get-Mailbox -ResultSize Unlimited -Filter "DisplayName -like 'Nair, Ratish'"

So, this cmdlet gets mailbox information with no limit on the result size and filters it so that only the mailbox with DisplayName 'Nair, Ratish' is returned.

You can access the event log from the Exchange Management Shell. To retrieve the whole event log, run:

Get-EventLog Application | Format-List

To retrieve all Exchange-related events, run:

Get-EventLog Application | Where { $_.Source -ilike "*Exchange*" }

Any cmdlet that accepts a size value lets you specify whether the integer value is in kilobytes (KB), megabytes (MB), gigabytes (GB), or terabytes (TB). For example:

Set-Mailbox “Meera Nair” -ProhibitSendQuota 200MB

You can import CSV files and treat them as objects by using the Import-Csv cmdlet. Each row in a CSV file becomes an element in an array, and each column becomes a property. You can assign the CSV file to a variable or you can pipe its contents directly to another cmdlet. In the following example, there are three columns in the CSV file, Name, Alias and EmailAddress, with several rows that ForEach will cycle through. The data in each row is used to create a new mail contact.

Import-Csv <CSV file> | ForEach { New-MailContact -Name $_.Name -Alias $_.Alias -ExternalEmailAddress $_.EmailAddress -OrganizationalUnit Users }
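As an added example (not from the original post): a bulk import like the one above creates whatever the CSV says, so validate the three columns first. The CSV text is constructed inline, and the final -WhatIf run assumes an Exchange Management Shell session.

```powershell
# Added example, not part of the original post. Replace the inline CSV with
#   $rows = Import-Csv <CSV file>
# in practice; the rows below are constructed test data.
$csvText = @'
Name,Alias,EmailAddress
"Nair, Ratish",ratish,ratish@ratishnair.com
Meera Nair,meera,meera@ratishnair.com
Broken Row,,not-an-address
'@
$rows = $csvText | ConvertFrom-Csv

function Test-ContactRow {
    # Returns the problems found in one row; an empty list means the row is usable.
    param([Parameter(Mandatory)] [psobject] $Row)
    $problems = @()
    foreach ($column in 'Name', 'Alias', 'EmailAddress') {
        if ($null -eq $Row.PSObject.Properties[$column]) { $problems += "column '$column' absent" }
        elseif ([string]::IsNullOrWhiteSpace($Row.$column)) { $problems += "$column is empty" }
    }
    # Alias feeds the e-mail address policy, so keep it to safe characters.
    if ($Row.Alias -and $Row.Alias -notmatch '^[A-Za-z0-9._-]+$') { $problems += 'Alias contains unsafe characters' }
    if ($Row.EmailAddress) {
        try { [void][System.Net.Mail.MailAddress]::new($Row.EmailAddress) }
        catch { $problems += 'EmailAddress does not parse' }
    }
    return ,$problems
}

$good = @(); $bad = @()
foreach ($row in $rows) {
    $problems = Test-ContactRow -Row $row
    if ($problems.Count -eq 0) { $good += $row }
    else { $bad += [pscustomobject]@{ Name = $row.Name; Problems = ($problems -join '; ') } }
}
$bad | Format-Table -AutoSize      # rows to fix in the CSV before importing anything

# Dry run: -WhatIf shows what would be created without touching Active Directory.
$good | ForEach-Object {
    New-MailContact -Name $_.Name -Alias $_.Alias -ExternalEmailAddress $_.EmailAddress `
        -OrganizationalUnit Users -WhatIf
}
```

Drop -WhatIf only after the rejected rows are fixed and the dry run lists exactly the contacts you expect.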

The Exchange Management Shell can log all the Exchange-related commands that modify objects in some way. Exchange-related command activity is logged to the PowerShell event log. To enable Exchange-related command logging, run the following command:

Set-ItemProperty HKLM:\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\Microsoft.Exchange.Management.PowerShell.Admin -Name LogpipelineExecutionDetails -value 1

This one is one of my favourites – Set-Alias

Say you want to have an Alias for Get-StorageGroup, just type

Set-Alias GetSg Get-StorageGroup

From now on, the Get-StorageGroup cmdlet has the alias GetSg.

For all the current aliases, type:

Get-Alias

This one is not exactly a PowerShell cmdlet tip; it works in the command prompt too. CTRL+C hard-breaks the running command in the Exchange Management Shell. If a command is taking too long to run or you want to cancel an operation quickly, press CTRL+C to stop execution.

When some users, or a group of users, complain that they cannot access their mailbox, check the mounted status of all mailbox databases. Type:

Get-MailboxDatabase -Status | Format-Table Name, Server, Mounted

This one checks the permissions an Active Directory user account has on a specific mailbox. Use:

Get-Mailbox <Mailbox to Check> | Get-MailboxPermission -User <Active Directory User>

This one returns the list of all devices synchronized with a user’s mailbox:

Get-ActiveSyncDeviceStatistics

A variety of information is returned including device name, operating system, and last sync time.

This one returns the backup status of all mailbox databases in your organization. Type:

Get-MailboxDatabase -Status | Format-Table Name, Server, *Backup*

How about just the mailboxes on a specific server? Type:

Get-MailboxDatabase -Server <Server Name> -Status | Format-Table Name, *Backup*

This one gets a list of all users who are Unified Messaging-enabled. Use:

Get-UmMailbox | ForEach { If($_.UmEnabled -Eq $True){$_.Name}}

This one helps you control the properties of e-mail messages sent to a specific domain, using the RemoteDomain cmdlets.

Create a new remote domain by using the New-RemoteDomain cmdlet. Type:

New-RemoteDomain -Name "ratishnair.com Configuration" -DomainName ratishnair.com

Then modify the properties that you want for this remote domain by using the Set-RemoteDomain cmdlet:

Set-RemoteDomain "ratishnair.com Configuration" -AutoReplyEnabled $True -AutoForwardEnabled $True

Control which features are available to Outlook Web Access users by using the Set-OwaVirtualDirectory cmdlet. Type:

Set-OwaVirtualDirectory "OWA (Default Web Site)" -ContactsEnabled $True -ChangePasswordEnabled $True

This one disables Outlook Web Access for the user sunder@msexchangeguru.com:

Set-CASMailbox sunder@msexchangeguru.com -OWAEnabled:$False

Move the mailboxes of all users from server EXCH1 to server EXCH2 with Move-Mailbox as follows:

Get-Mailbox -Server EXCH1 | Move-Mailbox -TargetDatabase EXCH2

The .Count property is a good one. It counts the output (here the number of mailboxes) of a cmdlet, as shown below:

(Get-Mailbox -Server EXCH1 -ResultSize Unlimited).Count

#####################

UPDATE from Jeffery Hicks (Windows PowerShell MVP)

Good list, although I might suggest a few revisions to make them even more PowerShell like and take advantage of the pipeline.

This command (point 4):

Get-Mailbox | ForEach { $_.Name }

works and generates a nice list which is great if you wanted to save it to a text file:

Get-Mailbox | ForEach { $_.Name } | out-file Mailboxes.txt

But to get just that property all you need is Select-Object:

Get-MailBox | Select Name

I would also suggest that this (Point 16):

Get-UmMailbox | ForEach { If($_.UmEnabled -Eq $True){$_.Name}}

is more complicated than it needs to be. This is more efficient:

Get-Mailbox | where {$_.UMEnabled} | Select Name

IIS redirect using URL Rewrite

In the following example we will redirect HTTP to HTTPS using URL Rewrite. You will need the following items completed in order for this to work correctly.
– SSL certificate for the site installed in IIS.
– Site properly installed and configured for SSL (site set up and HTTPS binding configured in IIS).
– URL Rewrite 2.0 installed on the server.

GUI Version

– Select the website you wish to configure
– In the “Features View” panel, double click URL Rewrite

You will notice there are currently no rules configured for this site. Click “Add Rules…” in the Actions menu to the right of the “Features View” panel

Use the default “Blank rule” and press “OK”.

When editing a rule there are the “Name” field and 4 configuration pull down boxes.
– Enter “Redirect to HTTPS” in the name field.
– Next we will configure the first configuration pull down box called “Match URL”, on the right side of “Match URL” press the down arrow to expand the box.

Within the “Match URL” configuration box we will set the following settings:
Requested URL: Matches the Pattern
Using: Regular Expressions
Pattern: (.*)

We can now edit the next configuration pull down box which is “Conditions”, Press “Add…” to add a new condition to the configuration.

We will configure the condition with the following settings:
Condition Input: {HTTPS}
Check if input string: Matches the Pattern
Pattern: ^OFF$
Press “OK”

You should see your condition in the list of conditions.

For this setting we do not need to configure the “Server Variables” pull down box. Continue onto the “Action” configuration box and pull down the box by selecting the arrow on the right. We will configure the following settings for the “Action” configuration:
Action Type: Redirect
Redirect URL: https://{HTTP_HOST}/{R:1}
Redirect Type: See Other (303)

Press “Apply” then press “Back to Rules”

You should now see the rule configured on the main screen of the URL Rewrite module.

Test your site; it should now redirect from HTTP to HTTPS.

If we examine the web.config file we can see where the rule was entered. Conversely, if we enter the rule directly into the web.config file it shows up in the GUI.

Web.Config Rule

You can also edit the web.config file of the site directly, and the rule will then appear in the GUI. Enter the following inside the <rewrite><rules> element within <system.webServer> </system.webServer>:
<rule name="Redirect to HTTPS" stopProcessing="true">
    <match url="(.*)" />
    <conditions>
        <add input="{HTTPS}" pattern="^OFF$" />
    </conditions>
    <action type="Redirect" url="https://{HTTP_HOST}/{R:1}" redirectType="SeeOther" />
</rule>
When implementing this solution you need to make sure to use relative paths for all references on your page because there is a possibility you will get a warning asking you if you want to display secure and insecure items. For example, if you have a logo on your page and the URL to this logo is http://domain/images/logo.jpg, do not use the whole path because including the http:// will hard code this image to use http and not https. Instead use /images/logo.jpg.


Optionally, replace the Redirect URL https://{HTTP_HOST}/{R:1} with https://{HTTP_HOST}{REQUEST_URI}, which carries the original path and query string through unchanged.
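As an added example (not part of the original article): a check that the rule above really answers plain-HTTP requests with a redirect to HTTPS and keeps the path and query string intact. The host name www.example.com and the three test paths are constructed values; point it at your own site.

```powershell
# Added example, not from the original article. Fetches each path over plain
# HTTP with automatic redirects disabled so the 3xx itself can be inspected.
function Test-HttpsRedirect {
    param(
        [Parameter(Mandatory)] [string] $HostName,
        [string[]] $Paths = @('/', '/images/logo.jpg', '/search?q=cert&page=2')
    )
    foreach ($path in $Paths) {
        $url = "http://$HostName$path"
        $request = [System.Net.HttpWebRequest]::Create($url)
        $request.AllowAutoRedirect = $false   # return the 3xx instead of following it
        $request.Method = 'GET'
        $request.Timeout = 10000
        try {
            $response = $request.GetResponse()
        }
        catch [System.Net.WebException] {
            # 4xx/5xx arrive as exceptions; no Response object means no connection at all
            $response = $_.Exception.Response
            if ($null -eq $response) {
                [pscustomobject]@{ Url = $url; Status = $null; Location = $null; Ok = $false }
                continue
            }
        }
        $status   = [int]$response.StatusCode
        $location = $response.Headers['Location']
        $response.Close()
        # The rule must land on the same host and path, query string included.
        $expected = "https://$HostName$path"
        $ok = ($status -in 301, 302, 303, 307, 308) -and ($location -eq $expected)
        [pscustomobject]@{ Url = $url; Status = $status; Location = $location; Ok = $ok }
    }
}

Test-HttpsRedirect -HostName 'www.example.com' | Format-Table -AutoSize
```

A row with Ok = False and a Location that drops the query string is the case the {REQUEST_URI} variant above is meant to cover; a row with Status 200 means the request never hit the rule (check the binding and the {HTTPS} condition).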



PSGallery and NuGet on Windows 10 build 1607 (Anniversary Edition) (OneGet)

Since the Windows 10 Anniversary Edition things have changed a little for NuGet (OneGet). The new way to add a repository is shown below. Note that marking a source trusted with Set-PackageSource -Trusted suppresses the per-package confirmation prompt, and that the Chocolatey feed registered here is reached over plain http://.
PS C:\> Get-PackageSource

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    False      https://www.powershellgallery.com/api/v2/

 
 PS C:\> Set-PackageSource -Name PSGallery -Trusted

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/

 
 PS C:\> Get-PackageProvider -Name Chocolatey

 The provider 'chocolatey v2.8.5.130' is not installed.
chocolatey may be manually downloaded from https://oneget.org/ChocolateyPrototype-2.8.5.130.exe and installed.
Would you like PackageManagement to automatically download and install 'chocolatey' now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

 Name                     Version          DynamicOptions
----                     -------          --------------
Chocolatey               2.8.5.130        SkipDependencies, ContinueOnFailure, ExcludeVersion, ForceX86, PackageSaveMode, FilterOnTag, Contains, AllowPrereleaseVersions, ConfigFile, SkipValidate

 
 PS C:\> Set-PackageSource -Name Chocolatey -Trusted

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
chocolatey                       Chocolatey       True       http://chocolatey.org/api/v2/

 
 PS C:\> Get-PackageSource

 Name                             ProviderName     IsTrusted  Location
----                             ------------     ---------  --------
PSGallery                        PowerShellGet    True       https://www.powershellgallery.com/api/v2/
chocolatey                       Chocolatey       True       http://chocolatey.org/api/v2/

 
 PS C:\> Find-Package -Name Firefox

 The provider 'nuget v2.8.5.208' is not installed.
nuget may be manually downloaded from https://oneget.org/Microsoft.PackageManagement.NuGetProvider-2.8.5.208.dll and installed.
Would you like PackageManagement to automatically download and install 'nuget' now?
[Y] Yes  [N] No  [S] Suspend  [?] Help (default is "Y"): Y

 Name                           Version          Source           Summary
----                           -------          ------           -------
Firefox                        50.0.1           chocolatey       Bringing together all kinds of awesomeness to make browsing better for you

 
 PS C:\> Find-Package -Name Adobe

 Name                           Version          Source           Summary
----                           -------          ------           -------
adobereader                    2015.007.20033   chocolatey       Adobe Reader - View and interact with PDF files
AdobeAIR                       23.0.0.257       chocolatey       Adobe AIR runtime is necessary for AIR based applications.
adobeshockwaveplayer           12.2.4.197       chocolatey       Displays Web content that has been created by Adobe Director
adobereader-update             15.017.20053.1   chocolatey       Adobe Reader - View and interact with PDF files
adobe-creative-cloud           1.0              chocolatey       Adobe Creative Cloud Client Installer for installing creative cloud subscription applications
simnetsa-adobereader-fr        11.0.7           chocolatey       Le logiciel Adobe Reader est la norme internationale libre, permettant de visualiser, imprimer et commenter des documents PDF
BR.AdobeReaderFR               11.0.09          chocolatey       BR.AdobeReaderFR

 
 PS C:\>

25 November 2016

How to Configure Windows 2012-R2/2019 ADCS With Static DCOM Port

To configure the Active Directory Certificate Services (AD CS) certification authority (CA) service (CertSvc) to listen on a static DCOM port:

1. Log on with an account that has local administrator permission on the CA.
2. Open the Component Services snap-in (dcomcnfg.exe).
3. In the left pane of the Component Services snap-in, expand Component Services, Computers, My Computer, and then DCOM Config.
4. In the right pane, select CertSrv Request.
5. On the Action menu, click Properties.
6. On the Endpoints tab, click Add.
7. Select Use static endpoint, enter an unused TCP port number (50000 in this example), and then click OK twice.
8. Close the Component Services snap-in.
9. Restart the certification authority service:

net stop certsvc
net start certsvc
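As an added example (not part of the original post): verifying the result of the steps above from PowerShell on the CA. It reads the static endpoint back from the registry, locating the CertSrv Request AppID by its name rather than assuming a GUID, and confirms that the running certsvc process is the one listening on the port (50000 is the value chosen above).

```powershell
# Added example, not from the original post. Run on the CA after the restart.
function Get-CertSrvStaticEndpoint {
    # DCOM endpoints are stored under HKLM\SOFTWARE\Classes\AppID\{guid}\Endpoints
    # as "protseq,flags,endpoint"; a flags value of 0 denotes a static endpoint.
    $appIds = Get-ChildItem 'HKLM:\SOFTWARE\Classes\AppID'
    $certSrv = $appIds | Where-Object {
        (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).'(default)' -eq 'CertSrv Request'
    }
    if (-not $certSrv) { throw 'CertSrv Request AppID not found; is the CA role installed?' }
    $endpoints = (Get-ItemProperty $certSrv.PSPath -ErrorAction SilentlyContinue).Endpoints
    foreach ($entry in @($endpoints | Where-Object { $_ })) {
        $protocol, $flags, $endpoint = $entry -split ','
        [pscustomobject]@{
            AppId    = $certSrv.PSChildName
            Protocol = $protocol
            Static   = ($flags -eq '0')
            Port     = $endpoint
        }
    }
}

function Test-CertSrvListening {
    param([int] $Port = 50000)
    $svc = Get-CimInstance Win32_Service -Filter "Name='CertSvc'"
    if (-not $svc -or $svc.State -ne 'Running') {
        return [pscustomobject]@{ Port = $Port; Listening = $false; Reason = 'certsvc not running' }
    }
    # Only count the socket if it belongs to the certsvc process itself.
    $listener = Get-NetTCPConnection -LocalPort $Port -State Listen -ErrorAction SilentlyContinue |
        Where-Object OwningProcess -eq $svc.ProcessId
    [pscustomobject]@{ Port = $Port; Listening = [bool]$listener; ProcessId = $svc.ProcessId }
}

Get-CertSrvStaticEndpoint | Format-Table -AutoSize
Test-CertSrvListening -Port 50000
```

With the endpoint fixed, a firewall rule between clients and the CA needs TCP 135 (the RPC endpoint mapper) plus this one port; from a client, Test-NetConnection -ComputerName <CA> -Port 50000 confirms reachability.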


ADCS Server 2012 R2 Auto Enrollment with hardening - RPC Server Unavailable



On a Windows 2012 R2 server with the ADCS role installed you get the error "RPC server unavailable" when trying to request a certificate from a published template.

The first thing to look for is access rights.

All the posts on the internet I came across said to check whether the Authenticated Users group had access on several objects. The idea is in the right direction but not quite the solution yet.

In Windows Server 2012 R2 in combination with a hardening policy you need to use the Domain Users group as well.

So check for the Authenticated Users group and add the Domain Users group in the following places:

The local server group Certificate Service DCOM Access.

The properties of the CA server itself: Authenticated Users, Domain Computers, Domain Controllers and Domain Users should be present.

On the CA server itself, the CertSrv directory in C:\Windows\System32\ should have Read and Execute rights for Authenticated Users and Domain Users.

In Active Directory\Builtin locate the "Users" group and check for Authenticated Users and Domain Users.

Check the DCOM access limits of "My Computer" on the DC:
1- On the server, run dcomcnfg.exe.
2- In the Component Services console, navigate to Component Services\Computers\My Computer.
3- Right-click My Computer, select Properties, and verify that Enable Distributed COM on this computer is selected on the Default Properties tab.
4- Click the COM Security tab, click Edit Limits in the Access Permission section and ensure that Everyone and Certificate Service DCOM Access have Local Access and Remote Access permissions.
5- Click Edit Limits in the Launch and Activation Permission section and ensure that the Certificate Service DCOM Access group has Local Activation and Remote Activation permissions.
6- Click OK.

This should be enough to get those certificates rolling again.
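As an added example (not part of the original post): the group membership and folder ACL checks above, done from PowerShell on the CA so they can be re-run after every hardening baseline change. The local group and folder checks use only ADSI and Get-Acl; the Builtin\Users check assumes the ActiveDirectory module (RSAT) on a domain-joined machine.

```powershell
# Added example, not from the original post. Run on the CA; the Builtin\Users
# check needs the ActiveDirectory module (assumption).
$required = @('Authenticated Users', 'Domain Users')

function Get-LocalGroupMemberNames {
    # WinNT provider works on 2012 R2 and on a DC, where the group is a Builtin group.
    param([string] $GroupName)
    $group = [ADSI]"WinNT://$env:COMPUTERNAME/$GroupName,group"
    @($group.Invoke('Members')) | ForEach-Object {
        $_.GetType().InvokeMember('Name', 'GetProperty', $null, $_, $null)
    }
}

function Test-DcomAccessGroup {
    $members = Get-LocalGroupMemberNames 'Certificate Service DCOM Access'
    foreach ($name in $required) {
        [pscustomobject]@{ Check = "Certificate Service DCOM Access has '$name'"; Ok = ($members -contains $name) }
    }
}

function Test-CertSrvFolderAcl {
    $acl = Get-Acl "$env:SystemRoot\System32\CertSrv"
    $readExec = [System.Security.AccessControl.FileSystemRights]::ReadAndExecute
    foreach ($name in $required) {
        # An Allow entry for the principal whose rights include every bit of ReadAndExecute.
        $entry = $acl.Access | Where-Object {
            $_.AccessControlType -eq 'Allow' -and
            $_.IdentityReference.Value -like "*\$name" -and
            (($_.FileSystemRights -band $readExec) -eq $readExec)
        }
        [pscustomobject]@{ Check = "CertSrv folder Read&Execute for '$name'"; Ok = [bool]$entry }
    }
}

function Test-BuiltinUsersMembers {
    # Foreign security principals are listed by SID: S-1-5-11 is Authenticated Users.
    $members = (Get-ADGroup -Identity 'Users' -Properties member).member
    [pscustomobject]@{ Check = 'Builtin\Users has Authenticated Users'; Ok = [bool]($members -match '^CN=S-1-5-11,') }
    [pscustomobject]@{ Check = 'Builtin\Users has Domain Users';        Ok = [bool]($members -match '^CN=Domain Users,') }
}

Test-DcomAccessGroup
Test-CertSrvFolderAcl
Test-BuiltinUsersMembers
```

Any row with Ok = False maps directly to one of the dialogs in the walkthrough above; the DCOM machine-wide limits (steps 4 and 5) are still checked in dcomcnfg.exe.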