When AD -> Azure Sync Fails for a User
article #1417, updated 4 days ago

There are many ways of doing this. Here is one way to bring everything into a single consistent behavior, a landing place from which you can vary slightly at need.

This presumes that you have Azure/AD sync installed and working in general, but that it is yielding errors in the Synchronization Service window for one or more users. First make sure that you don’t have duplicate email addresses in AD; duplicates will cause trouble.

The first steps are in Active Directory Users and Computers.

  1. Set the user’s email correctly in his/her AD object, in “E-mail” under General.
  2. Set proxyAddresses in the Attribute Editor. The primary email address must be the same as the E-mail field, and it appears in proxyAddresses in the format “SMTP:email@domain.com”, with SMTP in uppercase. There can be other entries in proxyAddresses, but their smtp prefix must be lowercase. Also in the Attribute Editor, leave mailNickname blank.
  3. Under Account, the user logon name plus the dropdown domain must either be the same as the address above, or be a valid login according to the O365 console. If the dropdown lists only local domains, you can add the Internet domain(s) in Active Directory Domains and Trusts: right-click the root level in the left pane of that window and add one or more alternative UPN suffixes. Then restart ADUC and the domain(s) you just added will be available in the dropdown.

Now we do some other things.

  1. Run an Azure/AD sync. These lines are for CMD; run it as administrator:
repadmin /syncall /AdeP
@"%SystemRoot%\System32\WindowsPowerShell\v1.0\powershell.exe" -NoProfile -InputFormat None -ExecutionPolicy Bypass -Command ^
"Import-Module ADSync; Start-ADSyncSyncCycle -PolicyType Delta"
  2. If you still see errors in the Synchronization Service window, run what is called a “hard match”, which changes enough to connect the AD user of that email address with the Azure user of that email address. Here’s a PowerShell script for it; you’ll need to log into the O365 tenant. Note that while $AzureUPN is the O365 “primary email address”, $ADUPN is the two-part item from step 3 above: the user logon name plus the domain dropdown.
# Hard match: set the Azure AD ImmutableID to the base64 form of the AD objectGUID.
$AzureUPN = "user_email_on_azure@domain.com"   # O365 primary email address
$ADUPN = "user_login_in_ad@domain.com"         # AD user logon name + domain dropdown

"First connect to AzureAD:"
Connect-AzureAD

"Now get Azure ImmutableID:"
# -SearchString is a prefix match; confirm it returned exactly one user before going on.
$AzureUser = Get-AzureADUser -SearchString $AzureUPN
$AzureUser.ImmutableID
""
""
"Extracting AD GUID..."
# ldifde writes binary attributes base64-encoded as "objectGUID:: <base64>",
# which is exactly the form Azure AD expects for ImmutableID.
ldifde -f export.txt -r "(Userprincipalname=$ADUPN)" -l *
$ADGUID = (-split (type export.txt | select-string "ObjectGUID"))[1]
"Extracted AD GUID:"
$ADGUID
""
""
Set-AzureADUser -ObjectID $AzureUser.ObjectID -ImmutableID $ADGUID

"New Azure ImmutableID re-extracted for confirmation:"
$AzureUser = Get-AzureADUser -SearchString $AzureUPN
$AzureUser.ImmutableID
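Before running the hard match, it helps to verify in one pass that steps 1 to 3 above were actually done and that the ImmutableID really differs. The following is an added example, not the article’s script: it assumes the RSAT ActiveDirectory module is installed on the machine and that Connect-AzureAD has already been run in the session; $ADUPN and $AzureUPN mean the same as in the script above. The function name Test-HardMatchReadiness is my own.

```powershell
# Added example (not the article's script): pre-flight checks for the hard match.
# Assumes the RSAT ActiveDirectory module and an existing Connect-AzureAD session.
Import-Module ActiveDirectory

function Test-HardMatchReadiness {
    param(
        [Parameter(Mandatory)][string]$ADUPN,
        [Parameter(Mandatory)][string]$AzureUPN
    )
    $findings = New-Object System.Collections.Generic.List[string]

    $user = Get-ADUser -Filter "userPrincipalName -eq '$ADUPN'" `
                       -Properties mail, proxyAddresses, mailNickname, objectGUID
    if (-not $user) { throw "No AD user has the UPN $ADUPN" }

    # Step 2: exactly one uppercase 'SMTP:' entry, and it must equal the E-mail field.
    $primary = @($user.proxyAddresses | Where-Object { $_ -clike 'SMTP:*' })
    if ($primary.Count -ne 1) {
        $findings.Add("expected exactly one 'SMTP:' entry in proxyAddresses, found $($primary.Count)")
    } elseif ($primary[0].Substring(5) -ne $user.mail) {
        $findings.Add("primary '$($primary[0])' does not match mail '$($user.mail)'")
    }
    # Every other smtp entry must be all-lowercase 'smtp:'.
    foreach ($addr in $user.proxyAddresses) {
        if ($addr -like 'smtp:*' -and $addr -cnotlike 'smtp:*' -and $addr -cnotlike 'SMTP:*') {
            $findings.Add("mixed-case prefix in proxyAddresses entry '$addr'")
        }
    }
    if ($user.mailNickname) {
        $findings.Add("mailNickname is '$($user.mailNickname)'; the article leaves it blank")
    }

    # Duplicate addresses anywhere in the domain break the sync for this user.
    if ($user.mail) {
        $byMail  = @(Get-ADUser -Filter "mail -eq '$($user.mail)'")
        $byProxy = @(Get-ADObject -LDAPFilter "(proxyAddresses=SMTP:$($user.mail))")
        if ($byMail.Count -gt 1)  { $findings.Add("$($byMail.Count) AD users share mail $($user.mail)") }
        if ($byProxy.Count -gt 1) { $findings.Add("$($byProxy.Count) AD objects share proxyAddress SMTP:$($user.mail)") }
    } else {
        $findings.Add('mail (E-mail under General) is empty')
    }

    # Step 3: the UPN suffix must be a forest domain or a registered alternative UPN suffix.
    $forest = Get-ADForest
    $suffix = $ADUPN.Split('@')[-1]
    if ((@($forest.Domains) + @($forest.UPNSuffixes)) -notcontains $suffix) {
        $findings.Add("UPN suffix '$suffix' is not a domain or alternative UPN suffix in the forest")
    }

    # The ImmutableID Azure AD expects is the base64 of the objectGUID's 16 bytes,
    # the same value ldifde prints on its "objectGUID::" line.
    $expected = [Convert]::ToBase64String($user.ObjectGUID.ToByteArray())
    try { $azUser = Get-AzureADUser -ObjectId $AzureUPN } catch { $azUser = $null }   # -ObjectId accepts a UPN
    if (-not $azUser) {
        $findings.Add("no Azure AD user with UPN $AzureUPN")
    } elseif ($azUser.ImmutableId -ne $expected) {
        $findings.Add("ImmutableId mismatch: Azure has '$($azUser.ImmutableId)', AD objectGUID encodes to '$expected'")
    }

    [pscustomobject]@{
        ADUPN               = $ADUPN
        AzureUPN            = $AzureUPN
        ExpectedImmutableId = $expected
        AzureImmutableId    = if ($azUser) { $azUser.ImmutableId } else { $null }
        Findings            = $findings.ToArray()
    }
}

Test-HardMatchReadiness -ADUPN 'user_login_in_ad@domain.com' -AzureUPN 'user_email_on_azure@domain.com' |
    Format-List
```

If the only finding is the ImmutableId mismatch, the attributes are in order and the Set-AzureADUser line in the script above is the remaining step; any other finding points at the AD object and should be fixed there first, since the sync engine will simply reproduce the same error on the next delta cycle.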


==============

Free Public DNS Servers
article #883, updated 4 days ago

Things have changed. The best recommendation now is Cloudflare’s. General purpose:

1.1.1.1
1.0.0.1

Cloudflare’s, filtered for malware:

1.1.1.2
1.0.0.2

And Cloudflare’s, filtered for malware and “adult content”:

1.1.1.3
1.0.0.3

And one more provider, almost as good in this writer’s experience: Level 3. Unfiltered.

209.244.0.3
209.244.0.4

No other recommendations at this writing.


==============

Eliminate Hesitations in Microsoft Services with Better DNS
article #1067, updated 4 days ago

Microsoft makes heavy use of something called GeoIP to optimize Internet data routing for its services, including Skype, Office 365, and all of the others.

All of the code below is within ‘nslookup’, running in CMD on Windows.

The way this works, basically, is that DNS lookups report different IP sets depending on which upstream DNS server is polled. So if, like many right now, you were using Google’s DNS (8.8.8.8 and 8.8.4.4) on your LAN, and did an nslookup on the recommended test hostname, outlook.office365.com, you would see this:

> outlook.office365.com
Server:  google-public-dns-a.google.com
Address:  8.8.8.8

Non-authoritative answer:
Name:    outlook-namsouth2.office365.com
Addresses:  2603:1036:0:26::2
          2603:1036:102:90::2
          2603:1036:404:a4::2
          2603:1036:102:107::2
          2603:1036:102:b8::2
          2603:1036:404:11b::2
          2603:1036:404:3f::2
          2603:1036:3:12e::2
          2603:1036:102:3e::2
          2603:1036:404:11c::2
          40.97.170.162
          40.97.30.130
          40.97.170.178
          40.97.142.18
          40.97.41.98
          40.97.162.130
          40.97.154.66
          40.97.166.178
          40.97.117.242
          40.97.119.178
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

But on the other hand, if you were using OpenDNS (208.67.220.220 / 208.67.222.222), you would see this:

> outlook.office365.com
Server:  resolver1.opendns.com
Address:  208.67.222.222

Non-authoritative answer:
Name:    outlook-namsouth4.office365.com
Addresses:  2603:1036:d01:2::2
          2603:1036:101:2::2
          2a01:111:f400:31ab::2
          2603:1036:902:a3::2
          2603:1036:906:4d::2
          2603:1036:405:2::2
          2603:1036:405:15::2
          2603:1036:404:67::2
          2603:1036:100::2
          40.97.142.18
          40.97.41.98
          40.97.162.130
          40.97.154.66
          40.97.166.178
          40.97.117.242
          40.97.119.178
          40.97.170.162
          40.97.30.130
          40.97.170.178
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

The most important thing to observe above is that the IP set is different. And if you ping each of the above IPs from your test PC, you will notice major differences. In recent testing, most of Google’s results pinged much slower (higher round-trip, in milliseconds) than OpenDNS’s. But we found OpenDNS’s pings noticeably slower than our current known best of breed, Level 3 (209.244.0.3/4):

> outlook.office365.com
Server:  resolver1.level3.net
Address:  209.244.0.3

Non-authoritative answer:
Name:    outlook-namsouth.office365.com
Addresses:  2603:1036:404:16::2
          2603:1036:404:b6::2
          2603:1036:102:16::2
          2603:1036:405:29::2
          2603:1036:906:4f::2
          2603:1036:d00::2
          2603:1036:102:8f::2
          2603:1036:405:4a::2
          2603:1036:4:4c::2
          40.97.133.130
          40.97.132.194
          40.97.125.114
          40.97.132.226
          40.97.126.50
          40.97.31.50
          40.97.164.146
          40.97.136.194
          40.97.166.34
Aliases:  outlook.office365.com
          outlook.ha.office365.com
          outlook.office365.com.g.office365.com

>

We have also noticed that the lists of IPs do not correspond to names, i.e., outlook-namsouth3 does not return the same IP list each time. So Microsoft is doing a lot of highly complex, geographically centered IP routing via DNS, and Level 3 seems to cooperate best.

The upshot is, if you see any Microsoft cloud-based services being slow, hesitating, freezing up, or losing connection regularly, switch your LAN’s DNS forwarders to Level 3, and you may well knock the problem out with the least effort. Cloudflare’s DNS works as well, if not better.
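The comparison described above (resolve the test hostname through each resolver, then ping what each one returns) can be done from one PC in a single pass. This is an added example, not part of the article: it uses only the resolvers and hostname named above, and the function name Measure-ResolverAnswers is my own.

```powershell
# Added example (not from the article): resolve a hostname through several public
# resolvers and measure ICMP round-trip to the A records each one hands back.
function Measure-ResolverAnswers {
    param(
        [string]$HostName = 'outlook.office365.com',
        [hashtable]$Resolvers = @{
            'Google'     = '8.8.8.8'
            'OpenDNS'    = '208.67.222.222'
            'Level3'     = '209.244.0.3'
            'Cloudflare' = '1.1.1.1'
        },
        [int]$Pings = 3,
        [int]$TimeoutMs = 1000
    )
    $ping = New-Object System.Net.NetworkInformation.Ping

    foreach ($name in ($Resolvers.Keys | Sort-Object)) {
        $server = $Resolvers[$name]
        # -DnsOnly bypasses the local cache and hosts file so the answer is the resolver's.
        $answer  = Resolve-DnsName -Name $HostName -Server $server -Type A -DnsOnly -ErrorAction SilentlyContinue
        $aRecords = @($answer | Where-Object { $_.Type -eq 'A' })
        # The A records carry the final name after the CNAME chain (e.g. outlook-namsouthN...).
        $finalName = if ($aRecords) { $aRecords[0].Name } else { $null }

        foreach ($ip in $aRecords.IPAddress) {
            $times = foreach ($i in 1..$Pings) {
                $reply = $ping.Send($ip, $TimeoutMs)
                if ($reply.Status -eq 'Success') { $reply.RoundtripTime }
            }
            [pscustomobject]@{
                Resolver = $name
                Server   = $server
                Answer   = $finalName
                IP       = $ip
                Replies  = @($times).Count      # 0 means the host drops ICMP or timed out
                AvgMs    = if ($times) { [math]::Round((($times | Measure-Object -Average).Average), 1) } else { $null }
            }
        }
    }
}

Measure-ResolverAnswers | Sort-Object AvgMs | Format-Table -AutoSize
```

A Replies value of 0 means ICMP was dropped somewhere, not that the endpoint is slow, so compare AvgMs only across rows that actually answered. Once you have picked a resolver, the change on a Windows DNS server is made with the DnsServer module’s Set-DnsServerForwarder cmdlet, for example with the two Level 3 addresses given above.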


==============

HP/HPE Model Number, Part Numbers, and Serial Numbers via Powershell
article #1415, updated 38 days ago

Model:

(Get-CimInstance -ClassName Win32_ComputerSystem).Model

Part number (if present; may be in one, the other, or both locations):

(Get-CimInstance -ClassName Win32_ComputerSystem).SystemSKUNumber
(((Get-CimInstance -ClassName Win32_ComputerSystem).OEMStringArray)[1] -split " ",3)[2]

Serial number:

(Get-CimInstance -ClassName Win32_BIOS).SerialNumber

All:

(Get-CimInstance -ClassName Win32_ComputerSystem).Model
(Get-CimInstance -ClassName Win32_ComputerSystem).SystemSKUNumber
(((Get-CimInstance -ClassName Win32_ComputerSystem).OEMStringArray)[1] -split " ",3)[2]
(Get-CimInstance -ClassName Win32_BIOS).SerialNumber
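The four lookups above can be combined into one object, which is handy for inventory scripts. The following is an added example, not from the article; it guards the OEMStringArray index and the split, since that array is absent or shorter on some systems and the bare expression above then throws. The function name Get-HpAssetInfo is my own.

```powershell
# Added example (not from the article): the article's four CIM lookups as one
# object, with null-safe handling of OEMStringArray.
function Get-HpAssetInfo {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS

    # OEMStringArray[1] is "<word> <word> <part number>" on the HP/HPE systems the
    # article describes; guard both the index and the expected three-way split.
    $oemPart = $null
    if ($cs.OEMStringArray -and @($cs.OEMStringArray).Count -gt 1) {
        $parts = $cs.OEMStringArray[1] -split ' ', 3
        if ($parts.Count -eq 3) { $oemPart = $parts[2] }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Manufacturer  = $cs.Manufacturer
        Model         = $cs.Model
        SKUPartNumber = $cs.SystemSKUNumber   # first location for the part number
        OEMPartNumber = $oemPart              # second location; $null when not present
        SerialNumber  = $bios.SerialNumber
    }
}

Get-HpAssetInfo | Format-List
```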


==============

A Windows Print Spooler World-Shaker
article #1414, updated 43 days ago

Well, it rocked my little world. This came from the excellent Terry Powell. He had a Server 2016 machine where Explorer would crash and restart every time Devices and Printers was opened. A very large number of common fixes were tried, including four different DISM methods with SFC and others, with no change; DISM said the image was fixable but nothing would fix it, and the only thing clearly missing according to the DISM and SFC logs was a .lnk file. Terry found a reference stating that if one clears everything here except “(Default)”:

HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices

and then restarts the print spooler, all begins working well. And indeed, it appears that this is a space in which bad gunk can build up! He found about 100 entries there, removed them, and lo and behold, all is well. PowerShell code to do this:

# Removes every value under the given registry key.
function Remove-AllItemProperties
{
    [CmdletBinding()]
    param([string]$Path)

    # @PSBoundParameters splats -Path through to Remove-ItemProperty.
    Remove-ItemProperty -Name * @PSBoundParameters
}

Remove-AllItemProperties "HKCU:\SOFTWARE\microsoft\windows nt\currentversion\devices"

# Restart the print spooler so it rebuilds the list.
Stop-Service Spooler
Start-Service Spooler
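Since this wipes the user’s per-printer entries, I prefer a version that backs the key up first, shows what it is about to delete, explicitly skips “(Default)”, and supports -WhatIf. This is an added example, not Terry’s script or the article’s; the function name Clear-UserPrinterDevices and the backup location under %TEMP% are my own choices.

```powershell
# Added example (not the article's script): same cleanup with a reg.exe backup,
# a dry-run option, and the spooler restarted only if something was removed.
$keyPath = 'HKCU:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices'
$regPath = 'HKCU\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Devices'   # reg.exe form of the same key

function Clear-UserPrinterDevices {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$BackupFile = (Join-Path $env:TEMP ("Devices-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date)))
    )

    if (-not (Test-Path -LiteralPath $keyPath)) { Write-Warning "$keyPath not found"; return 0 }

    # The exported .reg file can be re-imported (reg import) if the cleanup has to be undone.
    & reg.exe export $regPath $BackupFile /y | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "backup to $BackupFile failed (exit code $LASTEXITCODE)" }

    # GetValueNames() returns "" for the (Default) value, which is deliberately left in place.
    $key   = Get-Item -LiteralPath $keyPath
    $names = @($key.GetValueNames() | Where-Object { $_ -ne '' })
    Write-Verbose ("{0} value(s) under {1}; backup written to {2}" -f $names.Count, $keyPath, $BackupFile)

    $removed = 0
    foreach ($name in $names) {
        if ($PSCmdlet.ShouldProcess("$keyPath : $name", 'Remove-ItemProperty')) {
            Remove-ItemProperty -LiteralPath $keyPath -Name $name
            $removed++
        }
    }

    if ($removed -gt 0 -and $PSCmdlet.ShouldProcess('Spooler', 'Restart-Service')) {
        Restart-Service -Name Spooler
    }
    return $removed
}

# Dry run first (lists every value it would remove), then the real thing:
Clear-UserPrinterDevices -WhatIf
# Clear-UserPrinterDevices -Verbose
```

Note that the backup is written even on a -WhatIf run, which is intentional: the dry run is the moment to confirm the .reg file is where you expect it before anything is deleted.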


==============

Report Bad Actor Emails
article #1413, updated 46 days ago

If (when) anyone gets a bad-actor email, i.e., a “phishing” scam trying to produce misdirection of funds and/or identity theft, those emails should be sent here:

reportphishing@apwg.com

and if it was sent from or arrived into a Microsoft mailbox, also here:

phish@office365.microsoft.com


==============

Speed Up Watchguard Firewalls
article #1412, updated 47 days ago

Here are two ways:

  1. If IPS is in use, set it to Fast Scan. This is in Policy Manager —> Subscription Services —> Intrusion Prevention Service.
  2. By default, internal certificates are not updated. If they are out of date, they can cause slowdowns. This is in Policy Manager —> Setup —> Certificates —> Trusted CA Certificates.


==============

Find which servers hold FSMO roles
article #1411, updated 58 days ago

Try this:

netdom query fsmo


==============

Increase those wifi bars as inexpensively as you can!
article #1410, updated 64 days ago

I live in a rather congested wifi neighborhood; there are strong, active wifi signals in every house in front and back and next door, etcetera. Our wireless routers have all sat next to the exterior wall through which the Cox coax comes, and for about ten years, through three different wireless router upgrades, I relied on an aluminum flashing sheet placed between the wall and the wireless router to keep everything as good as possible. Just one room away, line-of-sight through a double doorway without doors, I’d get only 3-4 bars without that sheet. This occurred even though I would check and usually change wifi channels every 3-6 months! The wireless-only Roku is in that room next door, so problems are easy to spot.

Anyway, about a year and a half ago it was wireless-router-buying time again (it has been historically a matter of frustration factor…), and I bought one of these off of eBay:



Initially it was simply a nice, reasonably well-behaved, one-notch improvement over the previous, like all of my previous upgrades. It’s recommendable, but not the purpose of this article. I got four solid bars to the next room over despite the neighborhood, using the flashing, which is what I expected. Still only 2-3 to the bedroom to my sweet wife’s tablet, and worse upstairs. And then I remembered something. Some years before I had bought this pair:



which are standard +9 dBi wifi antennas, for $20. I had bought them and then realized my router of the time did not have removable antennas. They fit this one. I bought one more, a +12 dBi, to make it three. The originals were the usual stubbies about six inches long; these are more like fourteen.

Five bars in line of sight. Four bars steady everywhere else in the house, including upstairs, and just outside. No flashing anymore. And I haven’t had cause to check wifi environment at all since the better antennas went in.

Wifi devices that have removable antennas use a very standard connector for those antennas. There are rare exceptions, but the standard is very widespread, especially for indoor models. I will not be buying wireless routers without removable antennas ever again if I have any say in it, and we’ll see if I ever need to replace these antennas!


==============

Time synchronization (NTP, SNTP) setup
article #37, updated 64 days ago

In Windows Server 2012 R1/2, 2008 R1/2, 7, Vista, and 2003 SP2 and later, whenever time is out of sync, it’s good to run the following two commands in an administrative command prompt (an ordinary command prompt on 2003 SP2+):

w32tm /config "/manualpeerlist:north-america.pool.ntp.org 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org" /syncfromflags:MANUAL /update
w32tm /resync

If the service has not been registered, the whole sequence is:

w32tm /register
net start w32time
w32tm /config "/manualpeerlist:north-america.pool.ntp.org 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org" /syncfromflags:MANUAL /update
w32tm /resync

Under Windows 2000, we need to go a bit more archaic:

net time /setsntp:north-america.pool.ntp.org
net time /querysntp

Two addenda:

  • We used to recommend just pool.ntp.org, but geoblocking has become quite common, so a more geographically appropriate setup is now the rule.
  • Do the above for domain controllers, standalone PCs, and mobile laptops. Add the domain controller’s IP to “Time Server” in DHCP, to reach desktops.
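The same configuration, wrapped so that it registers the service only when needed and then measures the remaining offset against one of the pool hosts, is shown below. This is an added example, not from the article; it assumes an elevated PowerShell on one of the Windows versions listed above, and the function names Set-NtpPeers and Get-NtpOffsetSeconds are my own.

```powershell
# Added example (not from the article): the w32tm sequence above, plus a check of
# the resulting offset. Run from an elevated PowerShell prompt.
$NtpPeers = 'north-america.pool.ntp.org 0.north-america.pool.ntp.org 1.north-america.pool.ntp.org 2.north-america.pool.ntp.org'

function Set-NtpPeers {
    param([string]$PeerList = $NtpPeers)

    # Register and start the service first if it has never been (the "whole sequence" case).
    if (-not (Get-Service -Name w32time -ErrorAction SilentlyContinue)) {
        & w32tm.exe /register | Out-Null
    }
    if ((Get-Service -Name w32time).Status -ne 'Running') { Start-Service -Name w32time }

    # Quoting keeps the space-separated peer list as one argument, as in the CMD form above.
    & w32tm.exe /config "/manualpeerlist:$PeerList" /syncfromflags:MANUAL /update | Out-Null
    & w32tm.exe /resync | Out-Null
    return ($LASTEXITCODE -eq 0)
}

function Get-NtpOffsetSeconds {
    param([string]$Server = '0.north-america.pool.ntp.org', [int]$Samples = 3)

    # /dataonly prints one "hh:mm:ss, +00.0123456s" line per sample; keep the signed offsets.
    $lines = & w32tm.exe /stripchart "/computer:$Server" "/samples:$Samples" /dataonly
    $offsets = foreach ($line in $lines) {
        if ($line -match '([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) { return $null }   # no reply: UDP 123 blocked or host unreachable
    return [math]::Round((($offsets | Measure-Object -Average).Average), 3)
}

if (Set-NtpPeers) {
    & w32tm.exe /query /source                     # should now name one of the pool hosts
    "Offset from pool after resync: $(Get-NtpOffsetSeconds) s"
}
```

An offset that stays large after the resync usually means the service could not reach UDP port 123 on the peers at all (Get-NtpOffsetSeconds returns $null in that case), which is the geoblocking symptom mentioned in the first addendum.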
