Ondrej Žilinec – IT Blog

Once upon the time there was customer asking if we can help them with integration their Active Directory with Office 365 cloud. The main request was to sync Active Directory users into Office 365 cloud and then test Office 365 applications on their computers.

Registration for free Office 365

First you need to check prices and packages you want to use. I wanted to test it so I registered HERE. In free month you can use licences for 10 users. Don’t forget to register for Office 365 Midsize Business, only this version of Ouffice 365 can sync AD. After registration I have received e-mail with my account to log into Office 365 portal. After firt logon there is really not to many things to configure. I have to notice that I received testing domain @AtosSlovakia.onmicrosoft.com. This is what you need to have.

Preparing playground

So I have my playground setup:

• Domain name: DOMAIN.LOCAL
• Domain controller: MT-SERVER01.DOMAIN.LOCAL
• Server which will synchronize data into cloud Office 365: MT-SERVER02.DOMAIN.LOCAL

Computer which will do synchronizaction needs to accomplished couple conditions:

• Must have Microsoft .NET Framework 3.x
• In cannot be domain controller
• Must be part of the domain
• It can be Windows Server 2008, Server 2008 R2 or Server 2012
• If you have less than 50 000 objects in AD which you want to sync you can use Microsoft SQL Server 2008 Express. Other way you need to use “normal” SQL
• Active Directory forest functional mode has to be Windows Server 2003 and higher

More HERE.

I also need to generate some users in domain which I will upload into cloud. I just have created 50 bulk users using following powershell script:

I have received testing domain suffix from Office 365 @AtosSlovakia.onmicrosoft.com so I have to set it as aditional UPN for new created users:

• Open Active Directory Domain and Trusts
• Right click on Active Directorz Domains and Trusts and click Properties
• Type defined UPN and click OK

Setup Active Directory Synchronizaction

When you log on Office 365 portal you go to “users and groups” and select Active Directory synchronization Set up.

Then you have to complete 6 steps (not really work to do) to make it work:

Activation of AD Sync tool can take about 24 hours:

While we will wait for activation of feature, let’s install Directory Sync Tool on server MT-SERVER02.DOMAIN.LOCAL.

Read more…

I was facing weird problem with computers when I was trying to migrate computer accounts between two active directory domains. When you use ADMT to migrate computer accounts, ADMT installs ADMT Agent on computer and this ADMT Agent makes all changes during computer account migration.

Problem

When there was computer with ESET Smart Security installed I had following problems. First problem was that migration failed and in ADMT log file I received following error:

2013-04-12 16:29:54 The Active Directory Migration Tool Agent will be installed on CENTRALA.DOMAIN.LOCAL
2013-04-12 16:29:59 WRN1:0000 Could not open SCManager on \\CENTRALA.DOMAIN.LOCAL : GetLastError() returned 5
2013-04-12 16:29:59 WRN1:7015 Failed to connect to the service control manager on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.
2013-04-12 16:29:59 ERR2:7006 Failed to install agent on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.

 So error number 5 means I have no rights somewhere. After reading couple pages of ADMT documentation I found out that ADMT installs ADMT Agent using Admin share called ADMIN$. So I tried to access ADMIN$ share on computer CENTRALA.DOMAIN.LOCAL. I received following error:

I have never seen such an error:”An attempt was made to logon, but the network logon service was not started.”. I checked services on computer CENTRALA.DOMAIN.LOCAL and Windows was right. Service NETLOGON was Disabled!

Solution

I had to temporary turn off ESET Smart Security (I would preffer not use this software at all 🙂 ) and also enable and start service NETLOGON.

Conclusion

Every computer I migrated and had installed ESET Smart Security had the same problems. So IMHO ESET Smart Security has changed service NETLOGON to Disabled. I really don’t understand why this is necessary, but I think it’s not right way “smart security product” should protect your computer.

I found one article about disabling NETLOGON service as security practice. It’s maybe good security practice, but there is also pitfall stated on websie:

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

I’m wondering what other functions are not available when NETLOGON disabled (besides not accessible ADMIN$ share) on domain member computer.

I hope this helps someone 🙂

Last night I removed Domain Controller Role from Exchange 2007 server and we had problem in the morning with Exchange Outlook Web Access (OWA). We couldn’t log in at all. Symptomps:

• Form based authentification was enabled, but Basic was proposed to clients instead
• When users logged in they received 440 Login Timeout error

After couple minutes of googling I found this article which solved problem.

IMHO when computer was demoted from domain controller role it created local SAM database and didn’t use domain created accounts IUSR_ComputerName and IWAM_ComputerName.

I always was wondering if there is any way to determine all DNS records NetLogon service registers in DNS server. This record list is located at %systemroot%\\system32\\config\\netlogon.dns.

_ldap._tcp.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.gc._msdcs.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.cb30fef3-1c01-46c1-951a-5dec33f85833.domains._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
bcb148b0-c836-4847-bd55-3d3991821f76._msdcs.domain.local. 600 IN CNAME SERVER-DC1.domain.local.
_ldap._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_gc._tcp.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_gc._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 3268 SERVER-DC1.domain.local.
_ldap._tcp.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.ForestDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.Site1._sites.DomainDnsZones.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
_ldap._tcp.pdc._msdcs.domain.local. 600 IN SRV 0 100 389 SERVER-DC1.domain.local.
domain.local. 600 IN A 10.0.0.22
gc._msdcs.domain.local. 600 IN A 10.0.0.22
ForestDnsZones.domain.local. 600 IN A 10.0.0.22
DomainDnsZones.domain.local. 600 IN A 10.0.0.22
_kerberos._tcp.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.dc._msdcs.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._tcp.Site1._sites.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kerberos._udp.domain.local. 600 IN SRV 0 100 88 SERVER-DC1.domain.local.
_kpasswd._tcp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.
_kpasswd._udp.domain.local. 600 IN SRV 0 100 464 SERVER-DC1.domain.local.

This list can be used to import all required DNS records into DNS servers that don’t support dynamic updates.

More and more are people working with Outlook 2007+, using Lync clients, … all of these applications have ability to show pictures of users in their interface. Let’s look how to implement picture into AD for some users.

Picture in AD is stored in one AD attribute called thumbnailPhoto. We need to put picture into this attribute. Exchange servers and other services use Global Catalog Domain Controllers to resolve attributes for objects in domains. So first of all we need to make sure attribute thumbnailPhoto is propagated into Global Catalog database. We need to modify properties of attribute thumbnailPhoto:

• Register MMC snap-in for Active Directory Schema running command:

Regsvr32 schmmgmt.dll

• Open up Active Directory Schema MMC snap-in
• Under Attributes look for thumbnailPhoto and open its properties
• Check option “Replicate this attribute to the Global Catalog”

Edit thumbnailPhoto properties

Read more…

Today I was preparing new AD test environment for myself. I’ve created new W2008R2 VMs and when I ran dcpromo.exe I’ve got following error:

This was just a funny thing I never saw 🙂

Pred casom som nasiel super prednasku o AD, ktoru prezentoval sam Ondrej Sevecek.

Odporucam si ju pozriet, je to velmi zaujimave a velmi dobre prednesene. Bodaj by sme mali takych ludi viacej.

Today Microsoft released great utility to check health of Active Directory Replication in your environment.

More information about utility is HERE.

I tested it and it’s nice tool to check vitality. You don’t have to use command line utilities.

Just check it and you’ll love it 🙂