End of DirSync and AAD Sync Support

Last week marks the end of support for the legacy synchronization tools which are used to connect on-premises Active Directory to Office 365 and Azure AD.  Specifically Windows Azure Active Directory Sync (DirSync) and Azure AD Sync are the tools which are transitioning out of support at this time.  Note also that version 1.0  of Azure Active Directory (AAD Connect) is also transitioning of support.  The tools were previously marked as depreciated in April 2016.

The replacement for the older synchronization tools is Azure Active Directory Connect 1.1.  Customers must have this version of AAD Connect deployed. This is the tool which is being actively maintained, and receives updates and fixes.

Azure AD will no longer accept communications from the unsupported tools as of December 31st 2017.

If you do need to upgrade, the relevant documentation is below:

Upgrade from DirSync

Upgrade from Azure AD Sync

WMI Filters for OS version

DESKTOPS

ANY WINDOWS DESKTOP OS

  • Any Windows Desktop OS – 32-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND NOT OSArchitecture = “64-bit”
  • Any Windows Desktop OS – 64-bit
    select * from Win32_OperatingSystem WHERE ProductType = “1” AND OSArchitecture = “64-bit”

WINDOWS 7

  • Windows 7
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″
  • Windows 7 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 7 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 8.1

  • Windows 8.1
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″
  • Windows 8.1 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND NOT OSArchitecture = “64-bit”
  • Windows 8.1 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

WINDOWS 10

  • Windows 10
    select * from Win32_OperatingSystem WHERE ‘Version like ‘10.0.%’ AND ProductType=”1″
  • Windows 10 – 32-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.% AND ProductType=”1” AND NOT OSArchitecture = “64-bit”
  • Windows 10 – 64-bit
    select * from Win32_OperatingSystem WHERE Version like “10.0.%””6.3%” AND ProductType=”1″ AND OSArchitecture = “64-bit”

SERVERS

ANY WINDOWS SERVER OS

  • Any Windows Server OS
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”)
  • Any Windows Server OS – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server OS – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) OR (ProductType = “3”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “2”)
  • Any Windows Server – Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “2”) AND OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller
    select * from Win32_OperatingSystem where (ProductType = “3”)
  • Any Windows Server – Non- Domain Controller – 32-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND NOT OSArchitecture = “64-bit”
  • Any Windows Server – Non-Domain Controller – 64-bit
    select * from Win32_OperatingSystem where (ProductType = “3”) AND OSArchitecture = “64-bit”

WINDOWS SERVER 2008 R2

  • Windows Server 2008 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”2″
  • Windows Server 2008 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.1%” AND ProductType=”3″

WINDOWS SERVER 2012 R2

  • Windows Server 2012 R2 – 64-bit – DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”2″
  • Windows Server 2012 R2 – 64-bit – non-DC
    select * from Win32_OperatingSystem WHERE Version like “6.3%” AND ProductType=”3″

WINDOWS SERVER 2016

Very Important: Security update KB3159398 will break Group Policy

There is a known issue with the MS16-072/KB3163622 patch. This update will break GPO’s with faulty rights. Examples: Drives appear on domain systems that should be hidden, mapping drives don’t work, and other typical GPO settings aren’t getting applied.

To resolve this issue, use the Group Policy Management Console (GPMC.MSC) and follow one of the following steps:

1. Add the Authenticated Users group with Read Permissions on the Group Policy Object (GPO).

2. If you are using security filtering (WMI), add the Domain Computers group with read permission.

Z-Hire Active Directory User Creation Tool

I want you to inform about a great tool.

Z-Hire automates the IT user account creation process for Exchange mailbox, and Active Directory and Lync accounts. With just a click of the button, your Exchange mailbox, and Active directory user, Lync account and SalesForce User account will be created simultaneousy. Z-Hire serves as the platform for new hire accounts by allowing auto-creation of major IT accounts with the option for custom scripts. Z-hire will decrease your account deployment time by 600%, without the need for complicated and expensive identity management solutions. This tool makes creating Active Directory users a breeze. Some of the features include:

– Environment Auto discovery (AD/Exchange/Lync/SalesForce)
– Support for Active Directory user, Exchange, Lync 2010 and SalesForce user accounts
– Template based deployment (allows consistency for all user accounts)
– Active Directory user creation with major attributes
– Active Directory group selection
– Active Directory user duplicate SamAccountName detection – Lync 2010 / 2013 user account creation supporting all policies
– SalesForce user account creation supporting all attributes
– Faster performance (compared to previous version)

Supported Environments / IT systems
– Active Directory (all versions)
– Exchange 2007 (all versions)
– Exchange 2010 / 2013 (all versions)
– Lync 2010 / 2013 (both Standard and Enterprise versions)
– Office 365 Cloud
– SalesForce Cloud

Screenshot #1 – Active Directory
Screenshot #2 – Active Directory
Screenshot #3 – Active Directory
Screenshot #4 – Exchange
Screenshot #5 – Lync
Screenshot #6 – Supported Systems

SYSTEM REQUIREMENTS
– .NET 3.5 and .NET 4.0
– Domain Joined

COMPATIBLE OS
– Windows 7 X64
– Windows Server 2008 X64
– Windows Server 2008 R2 X64
– Windows Server 2012

Please download administration guide:1
http://www.zohno.com/docs/Z-Hire_V4_Administration_Guide.pdf

Download: Z-Hire

Z-Term Active Directory User Termination Tool

I want you to inform a about a great tool Z-Term Active Directory User Termination Tool

This application allows IT administrators to automate common tasks when an employee leaves the company. Usually, IT administrators use multiple consoles and perform variety of tasks to terminate user accounts. This tool allows IT administrator to automate:

Active Directory Tasks
– Disable Active Directory Account
– Reset Active Directory Password
– Move users to dedicated OU
– Remove Active Directory Group membership
– Clear Manager field in AD
– Set Description field
– Set Notes field
– Remove Active Directory Account

Exchange Tasks
– Change Distribution List ownership to
– Set customAttribute5
– Set out of office reply
– Forward Email
– Grant full access permission
– Hide user from Global Adress List
– Remove Calendar items from resources.(remove calendar items where user is an organizer of)
– Cancel meetings from termined user’s mailobx(cancel meetings where user is an organizer of)
– Disable mailbox
– Export mailbox to PST format
– Remove ActiveSync device partnership
– Remote wipe user’s ActiveSync device

Lync
– Disable Lync Account

Office 365
– MSOL User – Reset Password
– MSOL User – Remove Office 365 License
– MSOL User – Remove User
– MSOL Exchange – Clear Out of Office Reply
– MSOL Exchange – Hide User from GAL
– MSOL Exchange – Change Distribution List Ownership
– MSOL Exchange – Set CustomAttribute
– MSOL Exchange – Set Out of Office Reply
– MSOL Exchange – Set Grant FullAccess Permission
– MSOL Exchange – Set email forwarding
– MSOL Exchange – Remove calendar items from resource mailboxes

File Operations
– Move home folder
– Export user settings to XML (dump all user data to xml as backup)
– Run custom script ( for advanced users only, contact support for more info )

Screenshot #1 – Active Directory
Screenshot #2 – Exchange
Screenshot #3- File Operations

SYSTEM REQUIREMENTS
– .NET 3.5 and .NET 4.0
– Domain Joined

COMPATIBLE OS
– Windows 7 X64
– Windows Server 2008 X64
– Windows Server 2008 R2 X64
– Windows Server 2012

Please download administration guide: http://www.zohno.com/docs/Z-Term_V4_Administration_Guide.pdf

Download: Z-Term

Active Directory Replication Status Tool

The Active Directory Replication Status Tool (ADREPLSTATUS) analyzes the replication status for domain controllers in an Active Directory domain or forest. ADREPLSTATUS displays data in a format that is similar to REPADMIN /SHOWREPL * /CSV imported into Excel but with significant enhancements.
Specific capabilities for this tool include:

    • Expose Active Directory replication errors occurring in a domain or forest
    • Prioritize errors that need to be resolved in order to avoid the creation of lingering objects in Active Directory forests
    • Help administrators and support professionals resolve replication errors by linking to Active Directory replication troubleshooting content on Microsoft TechNet
    • Allow replication data to be exported to source or destination domain administrators or support professionals for offline analysis

System Requirements

Supported Operating System

Windows 7, Windows 8, Windows Server 2003, Windows Server 2008, Windows Server 2008 R2, Windows Server 2012, Windows Vista, Windows XP

      • ADREPLSTATUS does not install on server core installs of Windows
      • Windows 2000 not supported due to lack of support for .NET Framework 4.0

    Domain membership requirements:

      • Must be joined to the Active Directory domain or forest you intend to monitor

    .NET Framework requirements:

      • .NET Framework 4.0 (you may be prompted to install .NET Framework 3.5.1 first on Windows Server 2008)

    Required User Credentials:

      • Target forest/domain user account

    Supported DC OS versions that can be monitored by ADREPLSTATUS:

      • Windows Server 2003
      • Windows Server 2003 R2
      • Windows Server 2008
      • Windows Server 2008 R2
      • Windows Server 2012

      image

Active Directory Accidental Deletion – Prevention

Accidental deletions in active directory can cause havoc and unfortunately. This may have been avoided and secondly could have been fixed in less than 10 % of the actual time spent if the environment was using one of the latest features that we included in Windows 2008 R2 ( Active Directory Recycle Bin ). Most critical situations arise due to accidental human /tool interference or configuration and it is important to be able to come out of such situations within minimal down time, Accidental Deletion in Active Directory is one such situation.

Powershell Enable Protected From Accidenta lDeletion:
Get-ADobject -Filter * -SearchBase “DC=wardvissers,DC=local” | Set-adobject -ProtectedFromAccidentalDeletion $true

Microsoft Active Directory Topology Diagrammer

The Microsoft Active Directory Topology Diagrammer reads an Active Directory configuration using LDAP, and then automatically generates a Visio diagram of your Active Directory and /or your Exchange Server topology. The diagramms may include domains, sites, servers, organizational units, DFS-R, administrative groups, routing groups and connectors and can be changed manually in Visio if needed.

Some Schreenshots:

image imageimageimage

Download Microsoft Active Directory Topology Diagrammer HERE

BitLocker Active Directory Recovery Password Viewer on Windows Server 2008 R2

You can find BitLocker Password Recovery tool on Windows Server 2008 R2 under Features. You can install the tool by opening Server Manager and under »Add Features« look for »Remote Server Administration Tools« »Feature Administration Tools«. Here select »BitLocker Diver Encryption Administration Utilities« and follow the wizard.

Once install process completes you can open Active Directory Users and Computers and right click on domain level. You should now see »Find BitLocker Recovery Password…«

Active Directory / Domain Naming System Convergentie Check Utility

Domain Naming System Convergentie Check Utility is een “script/tool” om een nieuwe ingerichte domain controller op de juiste wijze functioneert. Het test namelijk de ad replicatie en of dns op de juiste wijze werkt. Downloaden doe je HIER

Uitvoering:
DNSconvergeCheck.cmd “domaincontroller1” “"domaincontroller2” “FQDN” > dnslog.txt

DNSLOG.txt
[‘DNSconvergeCheck’ begins]

– Confirming source name server [DNS] is listening     : SUCCESS!
– Confirming destination name server [DNS] is listening: SUCCESS!

+ Verifying source name server holds supplied DNS domain [zone]
  = server’s addresss: ward-dc01
  = querying domain  : wardvissers.local
  = record [RR] type : SOA
  = DNS query type   : iterative
/ SUCCESS!

– Confirming test record does NOT exist on source      : SUCCESS!
– Confirming test record does NOT exist on destination : SUCCESS!

+ Creating test RR on source name server
   = server’s address : ward-dc01
   = record [RR] type : A
   = record [RR] name : _canary.wardvissers.local.
   = record [RR] value: 127.0.0.1
/ SUCCESS!

+ Querying destination name server for test record
   [review title-bar for progress]
   = server’s address    : ward-dc02
   = query retry interval: 30 seconds
   = RR record’s FQDN    : _canary.wardvissers.local.
     – test record successfully resolved by destination name server
     – 7 queries were submitted
/ SUCCESS!

[‘DNSconvergeCheck’ completed]