Monday 30 November 2020

Unable to connect to Microsoft Teams with PowerShell as an MFA-enabled user

Issue:

While trying to connect to Microsoft Teams through PowerShell with an MFA-enabled user, I was getting the following error in PowerShell:


"Connect-MicrosoftTeams : One or more errors occurred.: AADSTS50076: Due to a configuration change made by your administrator, or because you moved to a new location, you must use multi-factor authentication to access '00000002-0000-0000-c000-000000000000'"  

Solution:

There may be several solutions, but one is to run Connect-MicrosoftTeams without the -Credential parameter, as below. Without -Credential the cmdlet opens an interactive sign-in, which can complete the MFA challenge that a plain username/password credential cannot.

Import-Module MicrosoftTeams

Connect-MicrosoftTeams

Tuesday 24 November 2020

Address lists and resource mailboxes in an Exchange 2016 and Exchange Online hybrid environment


Requirement:

In a hybrid environment, create an address list containing resource/room mailboxes that is visible in the address book of both on-premises and cloud users.

Issue:

A single address list (created on premises OR in Exchange Online) is not enough: if it is created in Exchange on premises it is visible only to on-premises users, and if it is created in Exchange Online it is visible only to Exchange Online users.

The same applies to resource/room mailboxes: if created in Exchange on premises they are visible only to on-premises users, and if created in Exchange Online they are visible only to Exchange Online users.

Solution:

I had to create two address lists with the same name, one in Exchange on premises and one in Exchange Online.

The case with room/resource mailboxes was a bit different: the on-premises room mailboxes did not appear in the cloud users' address book, but while scheduling a meeting the cloud users were able to see the free/busy of the on-premises resource/room mailboxes.

The same was the case with room mailboxes migrated to Exchange Online: they did not appear in the on-premises users' address book, but while scheduling a meeting they were visible and their free/busy also appeared to the on-premises users.
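An added example (not the post's own commands) for creating the same address list on both sides of the hybrid; the list name, the recipient filter and $AdminUpn are placeholders for your own environment, and section 1 is run in the on-premises Exchange Management Shell while section 2 is run in a separate Exchange Online session:

```powershell
# Added example: one helper, used once per side, so both address lists carry
# the same name and the same recipient filter.
$ListName   = 'Meeting Rooms'   # placeholder
$RoomFilter = "RecipientTypeDetails -eq 'RoomMailbox' -or RecipientTypeDetails -eq 'RemoteRoomMailbox'"
$AdminUpn   = 'admin@example.com'   # placeholder

function Ensure-AddressList {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $RecipientFilter
    )
    $existing = Get-AddressList -Identity $Name -ErrorAction SilentlyContinue
    if ($existing) {
        # A list with this name already exists on this side; make sure the filter matches.
        Set-AddressList -Identity $Name -RecipientFilter $RecipientFilter
    } else {
        New-AddressList -Name $Name -RecipientFilter $RecipientFilter | Out-Null
    }
    Get-AddressList -Identity $Name | Select-Object Name, RecipientFilter
}

# --- 1. On-premises Exchange 2016 (Exchange Management Shell) ---
Ensure-AddressList -Name $ListName -RecipientFilter $RoomFilter
# On premises, existing recipients are only stamped into the list after an update.
Update-AddressList -Identity $ListName

# --- 2. Exchange Online (ExchangeOnlineManagement module, separate session) ---
Connect-ExchangeOnline -UserPrincipalName $AdminUpn
Ensure-AddressList -Name $ListName -RecipientFilter $RoomFilter
# Update-AddressList is not available in Exchange Online.
Disconnect-ExchangeOnline -Confirm:$false
```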

An email was getting quarantined even the sender was whitelisted through office 365 rule

An email was getting quarantined even though the sender was whitelisted through an Office 365 rule.

After looking into the header of the quarantined email, I found "SFV:BLK", which means the sender was blocked by the recipient, as per (Anti-spam message headers - Office 365 | Microsoft Docs).

So I went to the affected user's Outlook: on the Home tab, under "Junk Email Options", on the "Blocked Senders" tab, the sender of the quarantined email was listed. After removing it from there, the next email was not quarantined and was delivered successfully.
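An added example (not from the original post) that pulls the spam filtering verdict (SFV) out of the X-Forefront-Antispam-Report header so a user-level block (SFV:BLK) can be told apart from a filter or policy verdict; the header text is constructed sample input, not a real message:

```powershell
# Added example: constructed header sample, folded across lines as Outlook shows it.
$SampleHeaders = @'
Received: from EXAMPLE.prod.outlook.com (2603:10a6:1::1) by
 EXAMPLE2.prod.outlook.com with HTTPS; Mon, 30 Nov 2020 08:00:00 +0000
X-Forefront-Antispam-Report: CIP:203.0.113.10;CTRY:XX;LANG:en;SCL:9;SRV:;IPV:NLI;
 SFV:BLK;H:mail.example.net;PTR:mail.example.net;CAT:NONE;SFS:(1234567)(7654321);
 DIR:INB;
X-Microsoft-Antispam: BCL:0;
Subject: Invoice attached
'@

# SFV values as documented in Microsoft's anti-spam message header reference.
$SfvMeaning = @{
    BLK  = 'Blocked: sender is on the recipient''s Blocked Senders list'
    SPM  = 'Marked as spam by spam filtering'
    NSPM = 'Marked as non-spam'
    SKS  = 'Marked as spam by a mail flow rule before filtering'
    SKN  = 'Marked as non-spam by a mail flow rule before filtering'
    SKI  = 'Skipped filtering (e.g. intra-organization message)'
    SKA  = 'Skipped filtering: sender on an anti-spam policy allow list'
    SKB  = 'Blocked by an anti-spam policy block list'
    SKQ  = 'Released from quarantine'
}

function Get-AntispamVerdict {
    param([Parameter(Mandatory)] [string] $RawHeaders)

    # Unfold the header first: continuation lines start with whitespace (RFC 5322).
    $unfolded = $RawHeaders -replace "`r?`n[ \t]+", ''
    $line = $unfolded -split "`r?`n" |
        Where-Object { $_ -like 'X-Forefront-Antispam-Report:*' } |
        Select-Object -First 1
    if (-not $line) { return $null }

    # The header value is a ';'-separated list of KEY:VALUE fields.
    $fields = @{}
    foreach ($pair in ($line -replace '^X-Forefront-Antispam-Report:\s*', '') -split ';') {
        if ($pair -match '^\s*([A-Z]+):(.*)$') { $fields[$matches[1]] = $matches[2].Trim() }
    }
    $sfv = $fields['SFV']

    [pscustomobject]@{
        SFV     = $sfv
        SCL     = $fields['SCL']
        CIP     = $fields['CIP']
        CAT     = $fields['CAT']
        Meaning = if ($sfv) { $SfvMeaning[$sfv] } else { $null }
        # BLK is fixed in the user's Junk Email Options, not in the tenant's anti-spam policy.
        FixInOutlookBlockedSenders = ($sfv -eq 'BLK')
    }
}

Get-AntispamVerdict -RawHeaders $SampleHeaders | Format-List
```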


Tuesday 20 October 2020

Solved: Unable to activate Windows Server 2016 through the GUI, getting error "This Edition Cannot Be Upgraded"

Issue:
1: Windows Server 2016 was rebooting again and again.
2: Unable to activate the Windows Server 2016 "Microsoft Windows Server 2016 Standard Evaluation" edition through the GUI to Standard edition; getting the error "This Edition Cannot Be Upgraded".

Solution:

Dism /online /Set-Edition:ServerStandard /AcceptEula /ProductKey:12345-qwert-asdfg-zxcvb-qazws

Other findings:
  1. The server was running in a VMware environment.
  2. The server was rebooting again and again.
  3. Looking in the Event Viewer for the reboot cause, I found the error "The kernel power manager has initiated a shutdown transition.  Shutdown Reason: Kernel API".
  4. The Dism /online set-edition:serverstand.... command took more than 30 minutes to complete.
  5. The server rebooted more than once after running the DISM command.
  6. The cleanup process took a few hours to complete.



Saturday 17 October 2020

Resolved: [{LED=451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed

Mails were stuck in the queue with the following error:

[{LED=451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed

The solution was:

Enable-ExchangeCertificate -ThumbPrint "thumbprint of the required new certificate" -services SMTP

Detail:

After updating the SSL certificate in an Exchange Server 2016 environment, including mailbox servers and edge servers, mails were getting stuck in the queue with the error "[{LED=451 4.4.395 Target host responded with error. -> 421 4.4.1 Connection timed".

After looking into it further, I found that the new certificate was not enabled for the SMTP service.

So by enabling the new certificate for the SMTP service, the issue was resolved:

Enable-ExchangeCertificate -ThumbPrint "thumbprint of the required new certificate" -services SMTP
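An added example (not from the original post) for checking, after a certificate rollover, which certificate is actually bound to SMTP on each transport server and enabling the new one only where needed; run in the Exchange Management Shell, with the server names as placeholders (on Edge servers, which are not domain-joined, run it locally):

```powershell
# Added example: report every certificate per server with its SMTP binding and expiry.
$Servers = 'MBX01', 'MBX02'   # placeholders for your mailbox servers

function Get-SmtpCertificateReport {
    param([string[]] $ServerNames)
    foreach ($srv in $ServerNames) {
        Get-ExchangeCertificate -Server $srv | ForEach-Object {
            [pscustomobject]@{
                Server      = $srv
                Thumbprint  = $_.Thumbprint
                Subject     = $_.Subject
                NotAfter    = $_.NotAfter
                # Services is a flags enum; its string form lists e.g. "IMAP, POP, IIS, SMTP".
                SmtpEnabled = ($_.Services.ToString() -match '\bSMTP\b')
                Expired     = ($_.NotAfter -lt (Get-Date))
            }
        }
    }
}

function Enable-SmtpCertificateIfNeeded {
    param(
        [Parameter(Mandatory)] [string] $Thumbprint,
        [Parameter(Mandatory)] [string] $Server
    )
    $cert = Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint
    if ($cert.NotAfter -lt (Get-Date)) { throw "Certificate $Thumbprint on $Server is expired" }
    if ($cert.Services.ToString() -match '\bSMTP\b') {
        "$Server : SMTP already enabled on $Thumbprint"
        return
    }
    # The cmdlet prompts before replacing the default SMTP certificate; that prompt is worth reading.
    Enable-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint -Services SMTP
    Get-ExchangeCertificate -Server $Server -Thumbprint $Thumbprint | Select-Object Thumbprint, Services
}

# 1. Look at the current state: expired certificates still bound to SMTP are the ones that queue mail.
Get-SmtpCertificateReport -ServerNames $Servers |
    Sort-Object Server, NotAfter -Descending | Format-Table -AutoSize

# 2. Bind the new certificate on every server (placeholder thumbprint).
$NewThumbprint = 'THUMBPRINT-OF-THE-NEW-CERTIFICATE'
foreach ($srv in $Servers) { Enable-SmtpCertificateIfNeeded -Thumbprint $NewThumbprint -Server $srv }
```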

 


Thursday 30 July 2020

How to import an SSL certificate into the personal store on a Windows machine

You can use the following command to import an SSL certificate into the personal store of the logged-in user account on a Windows machine:

certutil -user -p pfxpassword -importPFX pathofCert\abc.pfx


To import an SSL certificate into the personal store of the computer account on a Windows machine:

certutil -p pfxpassword -importPFX pathofCert\abc.pfx

P.S.: pfxpassword is the password you set when generating/exporting the PFX certificate from the CA server or any other machine on which the certificate already exists. Keep that password noted, as you will need it when importing on any machine with the above command or through the console. If you leave out -p, certutil prompts for the password instead, which keeps it out of the command history.

Saturday 18 July 2020

Resolved: "Remove-ADUser : The directory service can perform the requested operation only on a leaf object"

I was trying to delete a user object from Active Directory which had a mailbox, a Skype for Business user, etc., but was getting the error "Remove-ADUser : The directory service can perform the requested operation only on a leaf object". After searching on the internet I found that I should use the Remove-ADObject command with the user's distinguished name and the -Recursive parameter:

Remove-ADObject (Get-ADUser sAMAccountName).DistinguishedName -Recursive

If you want to avoid any confirmation for deletion of the user object, you can use the -Confirm parameter as below:

Remove-ADObject (Get-ADUser sAMAccountName).DistinguishedName -Recursive -Confirm:$false

Friday 10 July 2020

How to search for and delete email from users' mailboxes in Office 365

Before proceeding with this task: to create and run a Content Search, you have to be a member of the eDiscovery Manager role group or be assigned the Compliance Search management role.

To delete messages, you have to be a member of the Organization Management role group or be assigned the Search And Purge management role.




Open the "Microsoft Exchange Online PowerShell Module" with run-as-administrator permission, and first connect to Security & Compliance via PowerShell:

Connect-IPPSSession -UserPrincipalName Nawaz@mydomain.com



Then run the command below to create the compliance search and save the result in a variable ($Search):



$Search=New-ComplianceSearch -Name "RemovePhishingMessage" -ExchangeLocation All -ContentMatchQuery '(Received:4/13/2020..4/14/2020) AND (Subject:"Subject of the email")'



Now you must start the compliance search with the following command:


Start-ComplianceSearch -Identity $Search.Identity




You can confirm the status of the compliance search with the following command:



PS C:\Users\Nawaz> Get-ComplianceSearch "RemovePhishingMessage"

It will show the status, like NotStarted, InProgress or Completed.

If completed, you can run the following command, which shows the number of items found through the compliance search; in our case it is 32.



PS C:\Users\Nawaz> Get-ComplianceSearch "RemovePhishingMessage" | fl

RunspaceId                            : 4bef9a2a-4a98-46a4-8e57-f593a43b1
Language                              :
StatusMailRecipients                  : {}
LogLevel                              : Suppressed
IncludeUnindexedItems                 : True
ContentMatchQuery                     : (Received:07/09/2020..07/10/2020) AND (Subject:" Notice Password")
SearchType                            : EstimateSearch
HoldNames                             : {}
SearchNames                           : {}
RefinerNames                          : {}
Region                                :
Refiners                              :
Items                                 : 32
Size                                  : 2911505
UnindexedItems                        : 28319
UnindexedSize                         : 79987919058
SuccessResults                        : {Location: abit@mydomain.com, Item count: 7, Total size: 608342,
                                        Location: MUI@mydomain.com, Item count: 4, Total size: 324402,
                                        Location: Mash@mydomain.com, Item count: 3, Total size: 316067,
                                        Location: Irfa@mydomain.com, Item count: 3, Total size: 299224,
                                        Location: Moh@mydomain.com, Item count: 3, Total size: 298679,
                                        Location: athed@mydomain.com, Item count: 3, Total size: 285691,
                                        Location: Nawaz@mydomain.com, Item count: 3, Total size: 280505,
                                        Location: Shahzad.Khurram@mydomain.com, Item count: 6, Total size: 259699,



Run the command below if you want to soft delete the emails:

New-ComplianceSearchAction -SearchName "RemovePhishingMessage" -Purge -PurgeType SoftDelete



Run the command below if you want to hard delete the emails:

New-ComplianceSearchAction -SearchName "RemovePhishingMessage" -Purge -PurgeType HardDelete

To show the status of all search actions:

Get-ComplianceSearchAction

To confirm the status of a specific action:

Get-ComplianceSearchAction -Identity "FromAl_purge" | Format-Table SearchName, JobStartTime, JobProgress, Status
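An added example (not from the original post) that runs the search-then-purge procedure above as one script: it waits for the search to finish, breaks the SuccessResults text down per mailbox so you can review what was hit, and only purges when asked; it assumes Connect-IPPSSession has already been run, and the search name, dates and subject are placeholders:

```powershell
# Added example: report first, purge only on request.
$SearchName = 'RemovePhishingMessage'
$Query      = '(Received:4/13/2020..4/14/2020) AND (Subject:"Subject of the email")'

function Invoke-MailboxSweep {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $ContentMatchQuery,
        [ValidateSet('SoftDelete', 'HardDelete')] [string] $PurgeType,   # omit to only report
        [int] $TimeoutMinutes = 60
    )
    if (-not (Get-ComplianceSearch -Identity $Name -ErrorAction SilentlyContinue)) {
        New-ComplianceSearch -Name $Name -ExchangeLocation All -ContentMatchQuery $ContentMatchQuery | Out-Null
    }
    Start-ComplianceSearch -Identity $Name

    # Poll until the estimate completes (statuses seen: NotStarted, InProgress, Completed).
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds 30
        $search = Get-ComplianceSearch -Identity $Name
    } until ($search.Status -eq 'Completed' -or (Get-Date) -gt $deadline)
    if ($search.Status -ne 'Completed') {
        throw "Search '$Name' is still $($search.Status) after $TimeoutMinutes minutes"
    }

    # SuccessResults is the per-mailbox text shown in the fl output above; turn it into objects.
    $perMailbox = [regex]::Matches($search.SuccessResults, 'Location:\s*(\S+),\s*Item count:\s*(\d+)') |
        ForEach-Object { [pscustomobject]@{ Mailbox = $_.Groups[1].Value; Items = [int]$_.Groups[2].Value } } |
        Where-Object { $_.Items -gt 0 }

    "Search '$Name' found $($search.Items) items in $(@($perMailbox).Count) mailboxes"
    $perMailbox | Sort-Object Items -Descending | Format-Table -AutoSize

    if ($PurgeType) {
        # A purge action removes at most 10 items per mailbox; re-run it for mailboxes with more hits.
        $action = New-ComplianceSearchAction -SearchName $Name -Purge -PurgeType $PurgeType -Confirm:$false
        Get-ComplianceSearchAction -Identity $action.Identity |
            Format-Table SearchName, JobStartTime, JobProgress, Status
    }
}

# Report only:
Invoke-MailboxSweep -Name $SearchName -ContentMatchQuery $Query
# Once the per-mailbox list looks right, soft delete:
# Invoke-MailboxSweep -Name $SearchName -ContentMatchQuery $Query -PurgeType SoftDelete
```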

Thursday 11 June 2020

How to set the database activation preference number for a database in Exchange Server 2016

I was working on a project migrating an Exchange Server 2013 environment to Exchange 2016. The environment consisted of a PR site (4 servers) and a DR site (3 servers), with a total of 30 databases.

At one point I had to play with DAG failover/switchover, and I found that every time I activated any of the DBs on a desired server, after some time (1-2 hours) the DBs automatically moved/activated back on the first server in the PR site.

After looking into it more, I noticed that the "ActivationPreference" value on that server was the lowest, set to "1".
As per the default behaviour of the DAG, whenever there is an issue with the DAG/database copies, the DAG activates the DB on the server that has the most healthy copy. If all servers have healthy copies, then the copy on the server with the lowest "ActivationPreference" number, i.e. "1", is activated.

So now I had to change the "ActivationPreference" number of all 30 DBs, but from the ECP it was a lengthy task, so I followed the steps below in the Exchange Management Shell and performed it easily and in a very short time.

First I checked the current status (ActivationPreference value) of each DB with the following command:

Get-MailboxDatabase service1603 | fl servers, ActivationPreference


Then I used the following command to set the "ActivationPreference" value as per my requirement:

Set-MailboxDatabaseCopy -Identity 'service1603\MBS03' -ActivationPreference 1

To check/verify the changes, use the following command again. It took some time to show the updated value in the shell, while in the ECP the updated value was already appearing:

Get-MailboxDatabase service1603 | fl servers, ActivationPreference

So give it some time, or check the updated values in the ECP.
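An added example (not from the original post) that applies the preference change to every replicated database matching a filter from one ordered server list, instead of editing 30 databases one by one; run in the Exchange Management Shell, with the server and database names as placeholders for the PR/DR layout described above:

```powershell
# Added example: PR servers first, DR servers last; a chosen server can be
# pushed to preference 1 for a subset of databases (e.g. all "*03" DBs on MBS03).
$ServerOrder = 'MBS01', 'MBS02', 'MBS03', 'MBS04', 'DRMBS01', 'DRMBS02', 'DRMBS03'   # placeholders

function Set-DagActivationOrder {
    param(
        [Parameter(Mandatory)] [string[]] $ServerOrder,
        [string] $DatabaseFilter = '*',
        [string] $PreferredServer           # optional: gets preference 1 for the matching DBs
    )
    $order = @($ServerOrder)
    if ($PreferredServer) { $order = @($PreferredServer) + @($ServerOrder -ne $PreferredServer) }

    foreach ($db in Get-MailboxDatabase $DatabaseFilter | Where-Object { $_.ReplicationType -eq 'Remote' }) {
        $pref = 1
        foreach ($srv in $order) {
            $copyId = "$($db.Name)\$srv"
            # Skip servers that hold no copy of this database.
            if (-not (Get-MailboxDatabaseCopyStatus $copyId -ErrorAction SilentlyContinue)) { continue }
            # Setting each copy in turn to 1..n is idempotent; Exchange renumbers the others.
            Set-MailboxDatabaseCopy -Identity $copyId -ActivationPreference $pref
            $pref++
        }
    }

    # Re-read the values; the shell can lag behind the ECP in showing the new numbers.
    Get-MailboxDatabase $DatabaseFilter | Where-Object { $_.ReplicationType -eq 'Remote' } |
        Select-Object Name, @{ n = 'ActivationPreference'; e = {
            ($_.ActivationPreference | Sort-Object Value |
                ForEach-Object { "$($_.Key.Name)=$($_.Value)" }) -join ', ' } }
}

# Databases whose names end in 03 should prefer MBS03, as in the post's example.
Set-DagActivationOrder -ServerOrder $ServerOrder -DatabaseFilter '*03' -PreferredServer 'MBS03'
```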


Tuesday 9 June 2020

How to export the last password reset date of Azure AD/Office 365 users through PowerShell

To get the last password reset date of Azure AD or Office 365 users, I use the following steps in Windows PowerShell.
1)
Log in to Azure AD:
$credential = Get-Credential

(Once prompted for credentials, use your username/password, i.e. nawaz@mycompany.com/password.)

Then you may use one of the following commands to connect to Azure AD.

2)
Connect-AzureAD -Credential $credential
OR
Connect-MsolService -Credential $credential

Now you should be connected to Azure AD. To confirm, type the first few characters of any Azure AD command and press the Tab key; if a suggested command is shown, you are connected.

3)
Get the required details of one user, and then use the same command for all users.
So let's use:

PS C:\Windows\system32> Get-MsolUser -UserPrincipalName nawaz@mycompany.com | select displayname, lastpasswordchangetimestamp

DisplayName                  LastPasswordChangeTimestamp
-----------                  ---------------------------
Nawaz Khan System engineer   2/26/2020 7:59:58 AM

Now that we have the desired details for a single user, we can use the same command, replacing -UserPrincipalName with the -All switch and exporting the output to a CSV. (Redirecting with > writes PowerShell's formatted table, not CSV, so use Export-Csv.)

Get-MsolUser -All | Select-Object DisplayName, LastPasswordChangeTimeStamp | Export-Csv -Path C:\path\LastPasswordChangeDate.csv -NoTypeInformation

Now you may have to wait for the command to complete; it may take time, depending on the number of users in Azure.

Friday 5 June 2020

How to move multiple databases to another mailbox server with a single command in Exchange Server 2016

Sometimes you may have to activate a group of DBs on a server. You have two options to perform this task: one is the ECP, but it takes a long time if you have multiple DBs; the second is the Exchange Management Shell, which saves time and performs the task easily.
So you can run the following command in the Exchange Management Shell.
For example, you have 4 DBs, all ending in the same number, which you want to activate on the MBS01 server:



Get-MailboxDatabase *601 | Move-ActiveMailboxDatabase -ActivateOnServer MBS01

To verify, you can use the following command:
Get-MailboxDatabase *601

[PS] C:\Windows\system32>Get-MailboxDatabase *1601
Name                           Server          Recovery        ReplicationType
----                           ------          --------        ---------------
HR1601                         MBS01           False           Remote
IT1601                         MBS01           False           Remote
M1601                          MBS01           False           Remote
P1601                          MBS01           False           Remote

So we can see here that all the required DBs are activated on MBS01 with a single command.

Thursday 4 June 2020

How to register the Exchange Server 2016 product key with PowerShell

Sometimes you may be unable to enter the Exchange Server 2016 product key from the ECP/EAC.
I faced the same: I migrated an Exchange environment from Exchange Server 2013 to Exchange 2016, and the ECP was still pointing to the Exchange Server 2013 CAS server, so when I tried to enter the product key from the ECP I was getting an error like the one below:

"An error occurred while accessing the registry on the server "Servername". The error that occurred is: "The network path was not found. "."

The reason might be that the virtual directory, i.e. (https://mail.domain.com/ECP), was still pointing to the 2013 CAS servers.

So then I tried to enter the key through PowerShell as below, and I was able to register the server this way.

Set-ExchangeServer -Identity ServerName -ProductKey 8JHUYI-JHUYM-VNMFE-FGHJY-HJYUTV

So, per my experience, if you want to register the key for 2016 through the ECP (https://mail.domain.com/ECP), the virtual directory you use should be pointing to the 2016 environment/server.

Monday 25 May 2020

Database status Passive "Failed and Suspended", content index state "Suspended" in Exchange Server 2016

I have an Exchange Server 2016 DAG consisting of 2 PR and 1 DR servers. The PR DB copies were Healthy, but the DR DB copies had status Passive "Failed and Suspended" and content index state "Suspended".
I tried different solutions to reseed, but no luck.
Solution:
There are two solutions which you may try.
1:
From the ECP, instead of resuming the copy, update the affected copy; this recreated the copy and the issue was resolved.

2:
From the Exchange Management Shell you may use:
Update-MailboxDatabaseCopy -Identity "DBname\ServerName" -SafeDeleteExistingFiles

More Detail:

I looked into the path on the affected server/database, and the database file (venDB2.edb) was not there.
I also tried to update the affected copy with the -CatalogOnly switch as shown below, but no luck, as I was getting the following warning:
[PS] C:\Windows\system32>Get-MailboxDatabaseCopyStatus VenDB2\XMBS2 | Update-MailboxDatabaseCopy -CatalogOnly
Confirm
Are you sure you want to perform this action?
Seeding database copy "VenDB2\XMBS2".
[Y] Yes  [A] Yes to All  [N] No  [L] No to All  [?] Help (default is "Y"): y
WARNING: Seeding of content index catalog for database 'VenDB2' failed. Please verify that the Microsoft Search
(Exchange) and the Host Controller service for Exchange services are running and try the operation again. Error: There
was no endpoint listening at
net.tcp://localhost:3863/Management/SeedingAgent-78CFB425-GE76-4B17-9B48-2E3BE436368812/Single that could accept the
message. This is often caused by an incorrect address or SOAP action. See InnerException, if present, for more
details..

So after running
Update-MailboxDatabaseCopy -Identity "DBname\ServerName" -SafeDeleteExistingFiles
it deleted the already created log files, created the log files again, and created the DB file as well.


P.S.:
It may take a long time, depending on the size of the database, as both the database copy and the content index catalog copy are recreated/copied to the server.
So you should wait until all the files are copied; you can monitor this in the ECP console,
or you can use the following command:
Get-MailboxDatabaseCopyStatus VenDB2\XMBS2
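An added example (not from the original post) that reseeds a failed copy and then polls Get-MailboxDatabaseCopyStatus until both the database copy and its content index are Healthy, so you do not have to keep refreshing the ECP; run in the Exchange Management Shell, using the database/server names quoted above:

```powershell
# Added example: reseed only copies that need it, then wait for Healthy/Healthy.
function Repair-DatabaseCopy {
    param(
        [Parameter(Mandatory)] [string] $Identity,   # "DBname\ServerName"
        [int] $PollSeconds = 60,
        [int] $TimeoutMinutes = 480
    )
    $before = Get-MailboxDatabaseCopyStatus -Identity $Identity
    "Before: Status=$($before.Status) ContentIndex=$($before.ContentIndexState)"

    # A healthy or mounted copy is left alone.
    if ("$($before.Status)" -in 'Healthy', 'Mounted') { return $before }

    # Seeding requires a suspended copy; the failed copies in the post were already suspended.
    if ("$($before.Status)" -ne 'Suspended') {
        Suspend-MailboxDatabaseCopy -Identity $Identity -Confirm:$false -ErrorAction SilentlyContinue
    }
    # Same command as in the post; the copy is resumed automatically once seeding finishes.
    Update-MailboxDatabaseCopy -Identity $Identity -SafeDeleteExistingFiles -Confirm:$false

    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    do {
        Start-Sleep -Seconds $PollSeconds
        $s = Get-MailboxDatabaseCopyStatus -Identity $Identity
        '{0:HH:mm} Status={1} CopyQueue={2} ReplayQueue={3} Index={4}' -f (Get-Date),
            $s.Status, $s.CopyQueueLength, $s.ReplayQueueLength, $s.ContentIndexState
    } until (("$($s.Status)" -eq 'Healthy' -and "$($s.ContentIndexState)" -eq 'Healthy') -or
             "$($s.Status)" -eq 'Failed' -or (Get-Date) -gt $deadline)

    if ("$($s.Status)" -ne 'Healthy') {
        Write-Warning "Copy $Identity ended in state $($s.Status): $($s.ErrorMessage)"
    }
    $s
}

Repair-DatabaseCopy -Identity 'VenDB2\XMBS2'
```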


Note: Posts are provided “AS IS” without warranty of any kind, always based on my experience and findings in my routine tasks in my production environment.



Saturday 23 May 2020

How to export all members of a group in AD with their specific attributes

Use the following commands to export all members of an AD group along with specific attributes:

PS C:\Windows\system32>$group = "ABCGroup"

# ft ... > file writes a formatted table, not CSV; Export-Csv produces a real CSV file.
PS C:\Windows\system32> Get-ADGroup $group -Properties Member | Select-Object -ExpandProperty Member | Get-ADUser -Properties company, whenCreated, lastLogonTimestamp, mobile | Select-Object Name, company, whenCreated, lastLogonTimestamp, mobile | Export-Csv -Path C:\ABCGroup.CSV -NoTypeInformation

Monday 11 May 2020

How to update metadata in a Relying Party Trust in ADFS

First, note the name of the Relying Party Trust with the following command:

PS C:\Windows\system32> Get-AdfsRelyingPartyTrust | ft Name

Once you have the name of the Relying Party Trust you want to update, use the following command:


PS C:\Windows\system32> update-ADFSRelyingPartyTrust -targetName "Planning & Budgeting " -MetadataFile "C:\Users\adc\Desktop\DataCloud.xml"

Saturday 28 March 2020

The specific error code was 0xC00402C7

"The specific error code was 0xC00402C7."

After installing/configuring the SMTP server in IIS on Windows Server 2016, I was unable to send emails through this new SMTP server to any domain. Mails were getting stuck in the "C:\inetpub\mailroot\Badmail" folder.
After opening one of the text files in this path, the error "The specific error code was 0xC00402C7." was mentioned in the failed log (the text file).
Secondly, in the system log of the SMTP server, I was getting event ID 4007 with the following detail as a warning:

"Message delivery to the host '14.47.3.33' failed while delivering to the remote domain 'live.com' for the following reason: An SMTP protocol error occurred.
The SMTP verb which caused the error is 'MAIL'.  The response from the remote server is '550 5.7.1 Service unavailable, Client host [18.176.15.17] blocked using Spamhaus. To request remo'."

So I first had to check the Spamhaus block lists, and yes, my IP was listed there in the PBL.
So I submitted a request there to whitelist my server IP and waited for some time.

After waiting a bit more than an hour, I tested again and was able to send emails to any domain.
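An added example (not from the original post) that checks whether your own outbound SMTP address is listed on Spamhaus ZEN, so you can confirm a PBL listing before sending the removal request and confirm the delisting afterwards; the address is an RFC 5737 documentation address, not a real server, and the query must go through your own resolver because Spamhaus refuses lookups from public resolvers:

```powershell
# Added example: classic DNSBL lookup, reversed octets under zen.spamhaus.org.
$OutboundIp = '198.51.100.25'   # placeholder: your SMTP server's public IP

# Return codes documented by Spamhaus for ZEN; 127.255.255.x answers are query errors, not listings.
$ZenCodes = @{
    '127.0.0.2'  = 'SBL - Spamhaus Block List'
    '127.0.0.3'  = 'SBL - CSS (low-reputation/snowshoe)'
    '127.0.0.4'  = 'XBL - CBL (compromised host)'
    '127.0.0.9'  = 'SBL - DROP/EDROP'
    '127.0.0.10' = 'PBL - ISP maintained end-user/dynamic range'
    '127.0.0.11' = 'PBL - Spamhaus maintained end-user/dynamic range'
}

function Test-SpamhausListing {
    param([Parameter(Mandatory)] [ipaddress] $Address)
    if ($Address.AddressFamily -ne 'InterNetwork') { throw 'This example handles IPv4 only' }

    # 198.51.100.25 -> 25.100.51.198.zen.spamhaus.org
    $octets = $Address.GetAddressBytes()
    [array]::Reverse($octets)
    $query = ($octets -join '.') + '.zen.spamhaus.org'

    # NXDOMAIN means "not listed"; any A record in 127.0.0.0/8 is a listing.
    $answers = Resolve-DnsName -Name $query -Type A -ErrorAction SilentlyContinue
    $codes = @($answers | Where-Object { $_.Type -eq 'A' } | ForEach-Object { $_.IPAddress })
    $queryError = @($codes | Where-Object { $_ -like '127.255.255.*' })

    [pscustomobject]@{
        Address    = $Address.IPAddressToString
        Query      = $query
        QueryError = ($queryError.Count -gt 0)
        Listed     = ($codes.Count -gt 0 -and $queryError.Count -eq 0)
        Listings   = @($codes | ForEach-Object { if ($ZenCodes[$_]) { "$_ ($($ZenCodes[$_]))" } else { $_ } })
        # PBL only: the range is marked as not meant for direct mail delivery; the fix in the post was a PBL removal request.
        PblOnly    = ($codes.Count -gt 0) -and -not @($codes | Where-Object { $_ -notin '127.0.0.10', '127.0.0.11' }).Count
    }
}

Test-SpamhausListing -Address $OutboundIp | Format-List
```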


Thursday 20 February 2020

Unable to install CMS database for skype for business 2015 in SQL server 2016

I recently migrated from Lync Server 2010 to Skype for Business 2015. All users were migrated to Skype for Business 2015, and as a last step I was trying to move the CMS database from Lync Server 2010 to Skype for Business 2015.
As mentioned in ( https://docs.microsoft.com/en-us/lyncserver/move-the-lync-server-2010-central-management-server-to-lync-server-2013 ), for the CMS migration you first install the CMS database on the Skype for Business 2015 FE server, but while trying the command (Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN C01ict-SFBdb.abc.domain.com -SQLInstanceName RTC) I was getting the error below.
If we look into the error, it says (Install-CsDatabase : Failed to connect to the SQL server C01ict-SFBdb.abc.domain.com\RTC), meaning it was unable to connect to the RTC instance. And indeed the RTC instance did not exist on the SQL server, so we either have to create the RTC instance in SQL Server, or use the Install-CsDatabase command without the -SQLInstanceName switch, which is the easy way, so that the required databases are created in the default instance of SQL Server. So we changed the command to (Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN C01ict-SFBdb.abc.domain.com) and the error below was gone; the LIS and XDS databases were created in the SQL default instance, and the issue was resolved.


Error:
Loading Modules for Skype for Business Server 2015...
PS C:\Users\User> Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN C01ict-SFBdb.abc.domain.com -SQLInstance
Name RTC
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.XdsDatabase'****
Trying to connect to Sql Server C01ict-SFBdb.abc.domain.com\RTC. using windows authentication...
Exception Stack:
Type: System.Reflection.TargetInvocationException, Message: Exception has been thrown by the target of an invocation.
Type: Microsoft.Rtc.Common.Data.DbSetupSqlServiceNotInstalledException, Message: Failed to find SQL Service. Make sure t
hat SQL Server service (instance name RTC) is installed in machine C01ict-SFBdb.abc.domain.com
Install-CsDatabase : Failed to connect to the SQL server C01ict-SFBdb.abc.domain.com\RTC.
At line:1 char:1
+ Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN C01ict-S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:SourceCollection) [Install-CsDatabase], DbSetupSqlServiceNotInstalled
   Exception
    + FullyQualifiedErrorId : SqlConnectionFailure,Microsoft.Rtc.Management.Deployment.InstallDatabaseCmdlet
****Creating DbSetupInstance for 'Microsoft.Rtc.Common.Data.LisDatabase'****
Trying to connect to Sql Server C01ict-SFBdb.abc.domain.com\RTC. using windows authentication...
Exception Stack:
Type: System.Reflection.TargetInvocationException, Message: Exception has been thrown by the target of an invocation.
Type: Microsoft.Rtc.Common.Data.DbSetupSqlServiceNotInstalledException, Message: Failed to find SQL Service. Make sure that SQL Server service (instance name RTC) is installed in machine C01ict-SFBdb.abc.domain.com
Install-CsDatabase : Failed to connect to the SQL server C01ict-SFBdb.abc.domain.com\RTC.
At line:1 char:1
+ Install-CsDatabase -CentralManagementDatabase -SQLServerFQDN C01ict-S ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : InvalidArgument: (:SourceCollection) [Install-CsDatabase], DbSetupSqlServiceNotInstalled
   Exception
    + FullyQualifiedErrorId : SqlConnectionFailure,Microsoft.Rtc.Management.Deployment.InstallDatabaseCmdlet
WARNING: Install-CsDatabase failed.
WARNING: Detailed results can be found at
"C:\Users\User\AppData\Local\Temp\Install-CsDatabase-975ca94c-1c88-41bd-80e4-54e4265b8dc8.html".
PS C:\Users\User>

Thursday 13 February 2020

Unable to share files through Skype for Business 2015 between internal and external users

Hi,
On the front end servers of Skype for Business 2015, I was getting errors/information events with event IDs 41024, 41025 and 41026:
Event: 41024
No connectivity with one of the Web Conferencing Edge Servers.
Edge Server Machine FQDN: server1.domain.com, Port:8057
If the problem persists this event will be logged again after 20 minutes
Cause: Service may be unavailable or Network connectivity may have been compromised.



Event ID: 41025
Connection to the Web Conferencing Edge Server has succeeded
Edge Server Machine FQDN: server1.domain.com, Port:8057
Event ID: 41026
No connectivity with any of Web Conferencing Edge Servers. External Skype for Business clients cannot use Web Conferencing modality.
Cause: Service may be unavailable or Network connectivity may have been compromised.
Resolution:
Verify all Web Conferencing Edge Services in the topology are running, and network connectivity is available.

Errors:
No connectivity with one of the Web Conferencing Edge Servers.
Edge Server Machine FQDN: server1.domain.com, Port:8057
If the problem persists this event will be logged again after 20 minutes
Cause: Service may be unavailable or Network connectivity may have been compromised.

Solution:
Add the following registry value to resolve this issue:
reg add HKLM\SOFTWARE\Microsoft\.NETFramework\v4.0.30319\System.Net.ServicePointManager.RequireCertificateEKUs /v "C:\Program Files\Skype for Business Server 2015\Web Conferencing\DataMCUSvc.exe" /t REG_DWORD /d 0 /f


After adding the above registry value on the front end servers and restarting the "Skype for Business Server Web Conferencing" service, the above errors no longer appeared and the issue with file sharing etc. was resolved. Note that this value turns off the certificate EKU check, introduced by the May 2017 .NET Framework update, for the DataMCUSvc.exe process only; see the Microsoft article linked below.

https://support.microsoft.com/en-in/help/4023993/ls-data-mcu-41026-41025-and-41024-after-may-2017-net-framework-update