Friday, March 31, 2023

How to determine which server is hosting Azure AD Connect (Sync) - The easy way

In ‘Active Directory Users and Computers’, search for MSOL. This should display the gMSA (Group Managed Service Account) that is used to run the service. In the account properties, on the Description attribute, scroll to the right and you should see the computer/server that the service was installed on.
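
The same lookup scripted, as an added example that is not part of the original post: it lists every MSOL_ account and pulls the server name out of the Description. It assumes the RSAT ActiveDirectory module is installed and that the Description still carries the default Azure AD Connect text containing "running on computer <NAME>" (an assumption about the format).

```powershell
# Added example (not from the original post). Requires RSAT: Import-Module ActiveDirectory
Import-Module ActiveDirectory

function Get-AadConnectServer {
    # Azure AD Connect creates its sync account with the MSOL_ prefix.
    Get-ADUser -Filter 'Name -like "MSOL_*"' -Properties Description, LastLogonDate |
        ForEach-Object {
            # Assumed default Description format: "... running on computer <NAME> configured to ..."
            $server = if ($_.Description -match 'running on computer (\S+)') {
                $Matches[1]
            } else {
                '(server name not found in Description)'
            }
            [pscustomobject]@{
                Account       = $_.SamAccountName
                Enabled       = $_.Enabled
                LastLogonDate = $_.LastLogonDate   # stale date + disabled = likely a decommissioned install
                SyncServer    = $server
                Description   = $_.Description
            }
        }
}

Get-AadConnectServer | Format-List
```

More than one MSOL_ account usually means an old installation was never cleaned up; the one with a recent LastLogonDate is the live sync server.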




Thursday, January 5, 2023

SYSVOL and NETLOGON Shares Missing on New DC

If you need to force SYSVOL and NETLOGON to be shared on a domain controller that is down, you can set this registry value. You should still figure out why your replication is broken, but this will force the shares online.


 - Log on to the domain controller that’s having the issue
 - Open Regedit
 - Browse to: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters
 - Set SysVolReady from 0 to 1
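
The same procedure as a script, added here and not part of the original post: it reports whether the two shares exist and what SysVolReady currently is, and only flips the value when you pass -Force, so you do not mask a replication problem by accident. Run it elevated on the affected DC.

```powershell
# Added example (not from the original post). Run elevated on the affected DC.
$regPath = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'

function Get-SysvolShareState {
    # Get-SmbShare errors per missing name; SilentlyContinue keeps the ones that exist.
    $shares = Get-SmbShare -Name SYSVOL, NETLOGON -ErrorAction SilentlyContinue
    [pscustomobject]@{
        SysvolShared   = [bool]($shares | Where-Object Name -eq 'SYSVOL')
        NetlogonShared = [bool]($shares | Where-Object Name -eq 'NETLOGON')
        SysVolReady    = (Get-ItemProperty -Path $regPath -Name SysVolReady -ErrorAction SilentlyContinue).SysVolReady
    }
}

function Set-SysvolReady {
    param([switch]$Force)
    $state = Get-SysvolShareState
    if ($state.SysvolShared -and $state.NetlogonShared) {
        Write-Host 'SYSVOL and NETLOGON are already shared; nothing to do.'
        return $state
    }
    if (-not $Force) {
        # Diagnose first: repadmin /showrepl and dcdiag /test:sysvolcheck show why replication failed.
        Write-Warning 'Shares missing. Check replication first; re-run with -Force to set SysVolReady=1.'
        return $state
    }
    Set-ItemProperty -Path $regPath -Name SysVolReady -Value 1 -Type DWord
    Start-Sleep -Seconds 5                 # Netlogon picks the value up and publishes the shares
    Get-SysvolShareState                   # if still missing, restart the Netlogon service
}

Set-SysvolReady -Force
```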

Wednesday, September 21, 2022

Exchange 2016 Hybrid Wizard Fails to validate Domains.

You are running the Exchange Hybrid Configuration Wizard (HCW) and it gets stuck at validating domains. You try:

Set-FederatedOrganizationIdentifier -DelegationFederationTrust "Microsoft Federation Gateway" -AccountNamespace "MYDOMAIN" -Enabled $true

and get: An error occurred while attempting to provision Exchange with the partner STS.

Add the following registry values (one .reg file; note the key name is ".NETFramework", with a leading dot) and reboot.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v2.0.50727]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

[HKEY_LOCAL_MACHINE\SOFTWARE\Wow6432Node\Microsoft\.NETFramework\v4.0.30319]
"SystemDefaultTlsVersions"=dword:00000001

Go into the EAC > Organization and remove the federation. Re-add it, add your domains and set your TXT records. Verify they are present with nslookup, click Update, then re-run the hybrid wizard.


Wednesday, September 14, 2022

VMware vReplication replication changes are HUGE even though changes are minimal on server.

This issue is caused by UNMAP commands sent by the guest OS.

To disable UNMAP in the guest OS:
fsutil behavior set DisableDeleteNotify 1

To re-enable the feature, use the following command:
fsutil behavior set DisableDeleteNotify 0

To verify the current setting, use the following command:
fsutil behavior query DisableDeleteNotify

DisableDeleteNotify=0 - indicates the Trim and Unmap feature is on (enabled)
DisableDeleteNotify=1 - indicates the Trim and Unmap feature is off (disabled)


What is unmap/DeleteNotify?
Delete notifications (also known as trim or unmap) are a feature that notifies the underlying storage device of clusters that have been freed due to a file delete operation. In addition:

For systems using ReFS v2, trim is disabled by default.
For systems using ReFS v1, trim is enabled by default.
For systems using NTFS, trim is enabled by default unless an administrator disables it.

If your hard disk drive or SAN reports that it doesn't support trim, then your hard disk drive and SANs don't get trim notifications.

Enabling or disabling doesn't require a restart.

 - Trim is effective when the next unmap command is issued.
 - Existing in-flight IO is not impacted by the registry change.
 - No service restart is required when you enable or disable trim.

Wednesday, August 17, 2022

Create a Self-Signed Cert with PowerShell

# Splat the parameters so each setting is visible on its own line.
$Params = @{
    "DnsName"           = @("quail-vm1.nytis.com")      # subject alternative name(s)
    "CertStoreLocation" = "Cert:\LocalMachine\My"       # machine personal store
    "NotAfter"          = (Get-Date).AddMonths(100)     # validity end date
    "KeyAlgorithm"      = "RSA"
    "KeyLength"         = 2048
}

New-SelfSignedCertificate @Params


https://www.sslshopper.com/ssl-converter.html

Friday, June 17, 2022

Setting up LDAPs on AD Server

1. Install the CA role and configure it as a root CA.

2. On your CA Server launch the Certification Authority Management Console > Certificate Templates > Right Click > Manage.

3. Locate the Kerberos Authentication certificate > Make a Duplicate.

4. General Tab > Name it ‘LDAPoverSSL’ > Set its validity period > Check the option to publish the certificate in Active Directory.

5. Request Handling Tab > Select ‘Allow private key to be exported’ > Apply > OK. Close the Certificate Templates console.

6. Right click Certificate Templates again > NEW > Certificate Template to issue.

7. Locate and select the ‘LDAPoverSSL’ certificate > OK.

8. Now logon to a DOMAIN CONTROLLER > Windows Key+R > mmc {Enter} > File > Add/Remove Snap-in > Add in the Certificates Snap-In > Computer account > Finish > OK > Expand Certificates > Personal > Certificates > Right Click > All Tasks > Request New Certificate > Next > Next.

9. Select the LDAPoverSSL Certificate > Enroll > Close the Certificate Snap-in.

10. In my case I need my device to ‘trust’ the CA, so on the CERTIFICATE SERVER open a command window and run the following command:

certutil -ca.cert ca_name.cer

11. It will display the certificate PEM on the screen and should complete successfully.

12. You will notice my command was run from the root of the C: drive; yours will probably be C:\Users\{your-username}. Go there and retrieve a copy of the ‘Root Certificate’.
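
Once the DC has enrolled, the check a practitioner wants is that port 636 actually presents the new certificate and that a domain member trusts its chain. This is an added example, not part of the original post: it opens a TLS session to the DC with .NET's SslStream, records any chain or name errors instead of failing on them, and prints the certificate details. The DC name is a placeholder; the 'Subject Alternative Name' friendly name is assumed to match what Windows reports.

```powershell
# Added example (not from the original post). Run from a domain-joined client.
function Test-LdapsCertificate {
    param([Parameter(Mandatory)][string]$Dc, [int]$Port = 636)

    $script:policyErrors = $null
    # Accept the certificate so we can inspect it; keep the validation result for the report.
    $callback = { param($sender, $cert, $chain, $errors)
        $script:policyErrors = $errors
        $true }

    $tcp = [System.Net.Sockets.TcpClient]::new($Dc, $Port)
    $ssl = $null
    try {
        $ssl = [System.Net.Security.SslStream]::new($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($Dc)       # hostname check uses the DC FQDN
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($ssl.RemoteCertificate)
        $san = $cert.Extensions | Where-Object { $_.Oid.FriendlyName -eq 'Subject Alternative Name' }
        [pscustomobject]@{
            Server      = $Dc
            Protocol    = $ssl.SslProtocol
            Subject     = $cert.Subject
            Issuer      = $cert.Issuer          # should be your root CA from step 1
            NotAfter    = $cert.NotAfter
            Thumbprint  = $cert.Thumbprint
            SAN         = if ($san) { $san.Format($false) } else { '(none)' }
            ChainErrors = $script:policyErrors  # 'None' means this client trusts the chain
        }
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Dispose()
    }
}

# Placeholder DC name; replace with your domain controller's FQDN.
Test-LdapsCertificate -Dc 'dc01.corp.example' | Format-List
```

ChainErrors other than None (for example RemoteCertificateChainErrors or RemoteCertificateNameMismatch) tell you whether the problem is the missing root in step 10 or a certificate that does not carry the DC's FQDN.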

Monday, April 18, 2022

OneNote won't start, won't sync, not in system tray, not working.

Navigate to the following registry key:
HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows\OneDrive

Check whether any of the "Disable..." values are set to 1. If they are, set them to 0.


https://support.microsoft.com/en-us/office/onedrive-won-t-start-0c158fa6-0cd8-4373-98c8-9179e24f10f2