TechShizz | Tech Guides

Disable ADAL for Outlook 2016

Problem

Various authentication issues including:

  • An O365 profile is set up instead of the on-prem mailbox
  • Outlook won't authenticate on Office 365
  • Outlook won't authenticate on Office 365 with SSO

Cause

ADAL is the new authentication method for Azure cloud solutions. It overrides the standard Kerberos, Basic and NTLM protocols.

Solution

ADAL can be disabled by registry key. To disable modern authentication on a device, set the following registry key:

Registry key                                                      Type        Value
HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL    REG_DWORD   0
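Added example (not from the original guide): a small script that applies the EnableADAL setting from the table above, shows the effective value before and after, and provides the revert. It assumes the Office 2016 (16.0) key path given above; other Office versions use a different version folder and are not covered here.

```powershell
# Added example (not from the original guide). Assumption: the 16.0 key path
# from the table above applies (Office 2016); other versions are not covered.
$keyPath = 'HKCU:\SOFTWARE\Microsoft\Office\16.0\Common\Identity'

function Get-OutlookAdalState {
    # Returns a human-readable description of the current EnableADAL value.
    $value = (Get-ItemProperty -Path $keyPath -Name EnableADAL -ErrorAction SilentlyContinue).EnableADAL
    if ($null -eq $value) { 'not set (ADAL follows the Office default)' }
    elseif ($value -eq 0)  { 'disabled (EnableADAL = 0)' }
    else                   { "enabled (EnableADAL = $value)" }
}

function Set-OutlookAdal {
    param([Parameter(Mandatory)][bool]$Enabled)
    # The Identity key may not exist yet on a fresh profile.
    if (-not (Test-Path $keyPath)) { New-Item -Path $keyPath -Force | Out-Null }
    # REG_DWORD as in the table: 0 disables ADAL, 1 re-enables it.
    Set-ItemProperty -Path $keyPath -Name EnableADAL -Type DWord -Value $(if ($Enabled) { 1 } else { 0 })
}

"Before: $(Get-OutlookAdalState)"
Set-OutlookAdal -Enabled $false      # the fix described in this guide
"After:  $(Get-OutlookAdalState)"
# To undo later: Set-OutlookAdal -Enabled $true, then restart Outlook.
```

Run it as the affected user (the key is under HKCU) and restart Outlook afterwards; Outlook reads the value at start-up.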


Reference, Links and Images

https://answers.microsoft.com/en-us/msoffice/forum/msoffice_outlook/modern-authentication-on-outlook-2016-keeps-on/98a263f4-ab9c-4d6f-b5eb-2728a8e77412 

OneDrive character limit | PowerShell to find file path character length | File path character limit

Problem

OneDrive will not sync files with more than 400 characters in the file path.

Cause

Limitation

Solution

Run this script to create a list of all files with the length of their paths, longest first. Address the problem by shortening folder and file names.

$pathToScan = "C:\APP1-Data\SharePointData\MW\MW - Documents" # The path to scan and get the path lengths for (sub-directories will be scanned as well).
$outputFilePath = "C:\temp\PathLengths.txt" # This must be a file in a directory that exists and does not require admin rights to write to.
$writeToConsoleAsWell = $true # Writing to the console will be much slower.

# Open a new file stream (nice and fast) and write all the paths and their lengths to it.
$outputFileDirectory = Split-Path $outputFilePath -Parent
if (!(Test-Path $outputFileDirectory)) { New-Item $outputFileDirectory -ItemType Directory }
$stream = New-Object System.IO.StreamWriter($outputFilePath, $false)
Get-ChildItem -Path $pathToScan -Recurse -Force |
    Select-Object -Property FullName, @{Name="FullNameLength";Expression={($_.FullName.Length)}} |
    Sort-Object -Property FullNameLength -Descending |
    ForEach-Object {
        $filePath = $_.FullName
        $length = $_.FullNameLength
        $string = "$length : $filePath"

        # Write to the console.
        if ($writeToConsoleAsWell) { Write-Host $string }

        # Write to the file.
        $stream.WriteLine($string)
    }
$stream.Close()
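Added example (not from the original guide): the script above lists every local path length, but the 400-character limit applies to the path as OneDrive/SharePoint sees it, not to the local drive path. The function below, added here, measures each item as the server-relative URL (site prefix plus the path relative to the sync root) and returns only the items over the limit. The site prefix value is a placeholder; the assumption that the decoded server-relative URL is what counts against the limit should be checked against the library's actual URL.

```powershell
# Added example (not from the original guide). Assumptions: $SyncRoot is the
# local folder that maps to the library root, $SitePrefix is the decoded
# server-relative path that precedes it in the cloud (placeholder value), and
# the 400-character limit from the guide applies to that combined path.
function Get-OverlongPath {
    param(
        [Parameter(Mandatory)][string]$SyncRoot,
        [string]$SitePrefix = '/sites/MW/Shared Documents',   # placeholder: read it from the library URL
        [int]$Limit = 400
    )
    $root = (Resolve-Path $SyncRoot).ProviderPath.TrimEnd('\')
    Get-ChildItem -Path $root -Recurse -Force | ForEach-Object {
        # Path relative to the sync root, in URL form.
        $relative  = $_.FullName.Substring($root.Length).Replace('\', '/')
        $cloudPath = $SitePrefix + $relative
        if ($cloudPath.Length -gt $Limit) {
            [pscustomobject]@{
                CloudLength = $cloudPath.Length
                Excess      = $cloudPath.Length - $Limit   # characters to shave off
                LocalPath   = $_.FullName
            }
        }
    } | Sort-Object CloudLength -Descending
}

# Usage: list the offenders, longest first, and keep a copy of the report.
Get-OverlongPath -SyncRoot 'C:\APP1-Data\SharePointData\MW\MW - Documents' |
    Tee-Object -FilePath 'C:\temp\OverlongPaths.txt' |
    Format-Table -AutoSize
```

The Excess column tells you how many characters each folder or file name needs to lose. Windows PowerShell 5.1 can itself fail to enumerate local paths longer than 260 characters; if you see PathTooLong errors, run the function from PowerShell 7, which handles long paths.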


Decommission SBS Server

1. Move FSMO Roles to new DC.

https://www.techshizz.com/post/quick-guide-seizing-fsmo-roles 

2. Backup the Certificate Authority role and remove it

Certificate Services is installed by default in SBS 2008/2011, and it is unlikely to be required moving forward. 99% of the time, you can safely remove this role with no ill effects. If there are no active certificates or pending requests, you should be good to go. However, it is good practice to follow the proper procedures to backup the Certificate Authority in case it needs to be resurrected in the future on a new server. To backup the database and certificate key, open a command prompt (as Administrator), and perform the following:

  1. Type Certutil.exe -backupdb C:\CABackup and press ENTER to backup the database.
  2. Type Certutil.exe -backupkey C:\CABackup and press ENTER to backup the certificate keys. Note: You will be asked to enter a password to protect the keys.
  3. Type net stop certsvc and press ENTER to stop the Active Directory Certificate Services service.
  4. Type reg export HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration C:\CABackup\CAregistry.reg and press ENTER to export the registry key to a file.

[screenshot: Backup-CAcmd1]

You may also need to copy the CAPolicy.inf file from %SystemRoot% directory (if using custom policy). Verify your backup files are present at the location you specified, and copy them to a safe location.  Then you can go ahead and remove the role, also. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Certificate Services and complete the wizard. Reboot required.
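Added example (not from the original guide): the four backup steps and the CAPolicy.inf copy above as one script, followed by the verification the guide asks for before the role is removed. It assumes an elevated PowerShell on the CA server and the C:\CABackup path from the guide; the file layout it checks for (a DataBase subfolder and a .p12 key file) is what certutil normally produces and should be confirmed on your server.

```powershell
# Added example (not from the original guide). Assumptions: elevated PowerShell
# on the CA server; certutil writes the database to <BackupDir>\DataBase and the
# key to a .p12 file in <BackupDir> (confirm on your server).
param(
    [string]$BackupDir = 'C:\CABackup'
)

$ErrorActionPreference = 'Stop'
New-Item -Path $BackupDir -ItemType Directory -Force | Out-Null

# 1. Database backup.
certutil.exe -backupdb $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupdb failed with exit code $LASTEXITCODE" }

# 2. CA certificate and private key (certutil prompts for the password that protects the key file).
certutil.exe -backupkey $BackupDir
if ($LASTEXITCODE -ne 0) { throw "certutil -backupkey failed with exit code $LASTEXITCODE" }

# 3. Stop the CA service before exporting its configuration (same as "net stop certsvc").
Stop-Service -Name CertSvc

# 4. Export the CA configuration key (/y overwrites an existing file without prompting).
reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' (Join-Path $BackupDir 'CAregistry.reg') /y
if ($LASTEXITCODE -ne 0) { throw "reg export failed with exit code $LASTEXITCODE" }

# CAPolicy.inf only exists when a custom policy was used.
$caPolicy = Join-Path $env:SystemRoot 'CAPolicy.inf'
if (Test-Path $caPolicy) { Copy-Item -Path $caPolicy -Destination $BackupDir }

# Verify the backup before touching the role.
$checks = @{
    'Database folder' = Test-Path (Join-Path $BackupDir 'DataBase')
    'Key file (.p12)' = [bool](Get-ChildItem -Path $BackupDir -Filter '*.p12' -ErrorAction SilentlyContinue)
    'Registry export' = Test-Path (Join-Path $BackupDir 'CAregistry.reg')
}
$checks.GetEnumerator() | ForEach-Object {
    '{0,-16}: {1}' -f $_.Key, $(if ($_.Value) { 'OK' } else { 'MISSING' })
}
if ($checks.Values -contains $false) {
    throw "CA backup in $BackupDir is incomplete; do not remove the role yet."
}
```

Copy the whole folder (and remember the key password) to a safe location off the server before running the Remove Roles wizard; a restore needs the key file, the database and the registry export together.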

3. Remove Exchange Server

  • Exchange should be removed before AD/DNS: The uninstall procedure needs to be done in advance of removing Active Directory roles from the SBS server;
  • Windows Server editions: Note that this procedure is also valid for removing the last legacy Exchange 2007 / 2010 Server from Windows Standard / Enterprise / Datacenter editions;
  • Hybrid/Remote Move Migrations: if you had performed a Remote Move migration from SBS 2011 or Exchange 2010, then you need to follow a slightly different procedure, to ensure that Directory synchronization and the hybrid relationship is properly retired before uninstall. Therefore, only proceed with the below if you are positive that you do not have a hybrid connection, and/or Directory Synchronization in place. Alternatively, you may consider keeping a free Exchange server on-premises to maintain the hybrid connection.

Prepare Exchange for Uninstall

You will need to run several PowerShell commands to help prepare your server for uninstall. Warning: this assumes all data has been migrated to Office 365, and you have no further need of Exchange data / services on-premises. Proceed at your own risk.

[screenshot: remove-exch-1]

Open the Exchange Management Shell as Administrator, and run the following PoSH snippets in this order for SBS 2008/2011 or Exchange 2007/2010, answering prompts for confirmation in the affirmative for all (A).


Uninstall Exchange

Now you are ready to run the uninstaller. From an elevated command prompt, navigate to the directory “C:\Program Files\Microsoft\Exchange Server\Bin” or “C:\Program Files\Microsoft\Exchange Server\v14\Bin” and run:

[screenshot: remove-exch-2]

That should be it. After Exchange is fully removed, you can proceed with the rest of the decom process, which will be covered in an upcoming post.

4. Remove the Global Catalog

Note: Exchange must already be completely uninstalled from the source server before proceeding.

This operation will prevent other computers on the domain from referring to this server as a logon server. I usually wait at least 1 business day after performing this operation before I proceed with dcpromo, in case there are adverse impacts on the network that need to be resolved before completely removing the AD/DNS roles. Some people even prefer to power off the source server entirely at this time, which is also an acceptable step to take.

From AD Sites & Services, locate the NTDS Settings object for the source server, right-click and select Properties. Then clear the check mark box for Global Catalog, and click OK.

[screenshot: remove-GC-2]

5. Demote the Domain Controller

[screenshot: dcpromo-1]

Step through the wizard to demote the server, however, be sure to leave this box unchecked (do not delete the domain):

[screenshot: dcpromo-2]

After it is completed, you will reboot the server.

Make sure your new server no longer refers to the old server in TCP/IP settings (Control Panel > Network Connections). Remove the reference now if it is still present, and do the same on other statically configured servers/devices. Only the new server(s) should be referenced at this point.

6. Remove the Active Directory roles

Assuming you have taken all steps necessary to decommission these roles, it is time to remove them from the server. From Server Manager, go to Roles > Remove Roles. Make sure to deselect Active Directory Domain Services and DNS Server. Complete the wizard to remove the roles.

At this point it is also good to double-check that no servers or other devices refer to this server’s IP address for DNS. The server should also no longer reference itself as a DNS server in its own NIC settings.

7. Clean up AD metadata

Delete the server object from Active Directory Sites & Services.

8. Clean up DNS

From the DNS Manager console, open the Properties on every one of your lookup zones (including _msdcs), and check the Name Servers tab. If there are still references to the old DNS server(s), remove them all now.

[screenshot: dns-cleanup-1b]

Open the DNS zones and delete any other records that you find in here also that refer to the old server. Work through the entire tree until it is clean.
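Added example (not from the original guide): a read-only audit that finds what the two DNS clean-up steps above look for by hand (NS, A, CNAME, SRV and PTR records in every zone, including _msdcs, that still name the old server) and also re-checks the point made under step 5, that no remaining server still lists the old IP in its NIC DNS settings. It assumes a Windows Server 2012 or later DNS server with the DnsServer module; the server names and IP address are placeholders. Nothing is deleted: the records are returned as objects so removal can be a separate, reviewed step.

```powershell
# Added example (not from the original guide). Assumptions: run on a 2012+ DNS
# server with the DnsServer module; names and IP below are placeholders.
param(
    [string]$OldServerName = 'OLDSBS',            # host name of the retired SBS server (placeholder)
    [string]$OldServerIp   = '192.0.2.10',        # its former IP address (placeholder, TEST-NET-1)
    [string[]]$Servers     = @('NEWDC1', 'APP1')  # remaining servers to check (placeholders)
)

Import-Module DnsServer

function Get-RecordTarget {
    # Pull the name or address a record points at, per record type.
    param($Record)
    switch ($Record.RecordType) {
        'A'     { $Record.RecordData.IPv4Address.IPAddressToString }
        'NS'    { $Record.RecordData.NameServer }
        'CNAME' { $Record.RecordData.HostNameAlias }
        'SRV'   { $Record.RecordData.DomainName }
        'PTR'   { $Record.RecordData.PtrDomainName }
        default { $null }
    }
}

# 1. Zone records (forward and reverse, including _msdcs) that still point at the old server.
$staleRecords = foreach ($zone in Get-DnsServerZone | Where-Object { -not $_.IsAutoCreated }) {
    Get-DnsServerResourceRecord -ZoneName $zone.ZoneName | ForEach-Object {
        $target = Get-RecordTarget $_
        if ($target -and ($target -like "$OldServerName*" -or $target -eq $OldServerIp)) {
            [pscustomobject]@{
                Zone       = $zone.ZoneName
                Name       = $_.HostName
                RecordType = $_.RecordType
                Target     = $target
                Record     = $_          # kept so the object can be passed to Remove-DnsServerResourceRecord
            }
        }
    }
}
$staleRecords | Select-Object Zone, Name, RecordType, Target | Format-Table -AutoSize

# 2. NIC DNS client settings on the remaining servers (step 5 check).
$staleClients = Invoke-Command -ComputerName $Servers -ScriptBlock {
    Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses -contains $using:OldServerIp } |
        Select-Object PSComputerName, InterfaceAlias, ServerAddresses
}
$staleClients | Format-Table -AutoSize

# Removal is deliberately separate. After reviewing the list, drop -WhatIf:
#   $staleRecords | ForEach-Object {
#       Remove-DnsServerResourceRecord -ZoneName $_.Zone -InputObject $_.Record -Force -WhatIf
#   }
```

Run it once before and once after the manual clean-up; an empty result from both parts, together with a clean DCDIAG, is the evidence that the old server is no longer referenced.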

[screenshot: dns-cleanup-1c]

Run DCDIAG and BPA analyzers once more just to ensure that you have a good, clean environment at the end of the day. Make adjustments if necessary. Otherwise, this concludes the process of removing Active Directory & DNS roles in order to retire the source server from your domain.

9. Remove from Domain and Power down the SBS server

Remove from the domain and power off.

Reference, Links and Images

https://www.itpromentor.com/sbs-decom/

https://www.itpromentor.com/sbs-remove-exchange/ 

Enable ports for remote management for Server Manager

Problem

You are unable to remotely manage a server using Server Manager, getting a DCOM and Remote Event Management firewall error.

Cause

The firewall on the remote computer is not configured to allow remote management of the server.

Solution

You can run this PowerShell command to enable the rules on all servers in one command.

Import-Module NetSecurity

Invoke-Command Server1,Server2,Server3 {Get-NetFireWallRule *COM* | Enable-NetFirewallRule}

Invoke-Command Server1,Server2,Server3 {Get-NetFireWallRule *RemoteEvent* | Enable-NetFirewallRule}
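Added example (not from the original guide): the same fix, but selecting the rules by their built-in display groups ("COM+ Network Access" for DCOM and "Remote Event Log Management") and limited to inbound rules, with a before/after report so you can see exactly what was disabled and confirm it is now open. The server names are placeholders.

```powershell
# Added example (not from the original guide). Assumptions: the server names are
# placeholders; the display groups are the built-in Windows firewall groups.
$servers = @('Server1', 'Server2', 'Server3')   # placeholders
$groups  = @('COM+ Network Access', 'Remote Event Log Management')

function Get-ManagementRuleState {
    # Inbound rules in the given groups on each server, with their Enabled state.
    param([string[]]$ComputerName, [string[]]$DisplayGroup)
    Invoke-Command -ComputerName $ComputerName -ScriptBlock {
        Import-Module NetSecurity
        Get-NetFirewallRule -DisplayGroup $using:DisplayGroup -Direction Inbound |
            Select-Object PSComputerName, DisplayGroup, Name, Enabled
    }
}

# Before: which of the required rules are currently disabled?
$before = Get-ManagementRuleState -ComputerName $servers -DisplayGroup $groups
$before | Where-Object { $_.Enabled -eq 'False' } | Format-Table -AutoSize

# Enable only the inbound rules in those groups; nothing else on the host is touched.
Invoke-Command -ComputerName $servers -ScriptBlock {
    Import-Module NetSecurity
    Get-NetFirewallRule -DisplayGroup $using:groups -Direction Inbound | Enable-NetFirewallRule
}

# After: confirm nothing in the required groups is still disabled.
$after = Get-ManagementRuleState -ComputerName $servers -DisplayGroup $groups
$stillDisabled = $after | Where-Object { $_.Enabled -eq 'False' }
if ($stillDisabled) { $stillDisabled | Format-Table -AutoSize }
else { 'All required inbound rules are enabled on ' + ($servers -join ', ') }
```

Selecting by display group rather than by a wildcard on the rule name avoids enabling unrelated rules whose names happen to contain "COM"; the before/after listing is also a useful record of what the change actually opened on each server.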

HTTP Error 503 when Single Sign-On redirects to the ADFS server after re-enabling Single Sign-On

Problem

An Office 365 single sign-on environment has been disabled (because the server was offline for an extended period of time) and, on trying to re-enable it, single sign-on is not working. Specifically, when you are redirected from the Office 365 portal to the federation server sts.domain.com you get an HTTP 503 error. You may also have noticed that the token-signing certificates in ADFS have expired.

Cause

The proxy trust certificate is a rolling certificate valid for 2 weeks and periodically updated. If the servers are offline for more than two weeks, the ADFS server will lose its trust relationship with the ADFS Proxy server.

Solution

The certificates that had expired needed to be renewed. To do this we simply ran the Azure AD Connect tool on the ADFS server. Once this was run, we noticed the expired certificates had been renewed.

Second, we need to install the new ADFS certificate thumbprint on the ADFS Proxy Server (Web Application Proxy). To do this, on the ADFS server we ran:

Get-AdfsSslCertificate

and noted the thumbprint of the new certificate.

On the ADFS Proxy Server (Web Application Proxy) we ran:

Install-WebApplicationProxy -CertificateThumbprint "22121D02DCBF80F440B5E26D52B92BC255D59F95" -FederationServiceName "sts.domain.com"

We then had to enter the DOMAIN credentials. 
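Added example (not from the original guide): the checks behind this fix as a repeatable script, run on the ADFS server before and after Azure AD Connect. It lists the token-signing, token-decrypting and service-communications certificates with their expiry, shows whether automatic rollover is on, and prints the SSL certificate thumbprint that Install-WebApplicationProxy needs. The commented block at the end is for the Web Application Proxy server and assumes the proxy trust certificate there has a subject of the form "ADFS ProxyTrust - <host>". It assumes the ADFS PowerShell module (Windows Server 2012 R2 or later).

```powershell
# Added example (not from the original guide). Assumptions: elevated PowerShell on
# the ADFS server with the ADFS module; the proxy trust certificate subject
# checked in the commented WAP section is assumed to start with "ADFS ProxyTrust".
Import-Module ADFS

$now = Get-Date

# Token-signing / token-decrypting / service-communications certificates and their expiry.
$certs = Get-AdfsCertificate | ForEach-Object {
    [pscustomobject]@{
        Type       = $_.CertificateType
        IsPrimary  = $_.IsPrimary
        Thumbprint = $_.Thumbprint
        NotAfter   = $_.Certificate.NotAfter
        Status     = if ($_.Certificate.NotAfter -lt $now) { 'EXPIRED' } else { 'OK' }
    }
}
$certs | Sort-Object Type | Format-Table -AutoSize

$expired = @($certs | Where-Object { $_.Status -eq 'EXPIRED' })
if ($expired.Count -gt 0) {
    Write-Warning "$($expired.Count) ADFS certificate(s) expired; token issuance will fail until they are renewed."
}

# Rollover settings: with AutoCertificateRollover off, expired token certificates never renew themselves.
Get-AdfsProperties | Select-Object AutoCertificateRollover, CertificateRolloverInterval, CertificateDuration

# SSL certificate bound to the federation service: this CertificateHash is the value to pass to
# Install-WebApplicationProxy -CertificateThumbprint on the proxy, as done in the write-up above.
Get-AdfsSslCertificate | Select-Object HostName, PortNumber, CertificateHash

# On the Web Application Proxy server (run there, not here): age of the rolling proxy trust
# certificate. A NotAfter in the past matches the 503 described above.
# Get-ChildItem Cert:\LocalMachine\My |
#     Where-Object Subject -like 'CN=ADFS ProxyTrust*' |
#     Select-Object Subject, NotBefore, NotAfter
```

Running the first part again after Azure AD Connect has renewed the certificates should show every Status as OK; if the proxy still answers 503 at that point, the proxy trust on the WAP side is what remains to be re-established with Install-WebApplicationProxy.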

Reference, Links and Images

https://blogs.technet.microsoft.com/rmilne/2015/04/20/adfs-2012-r2-web-application-proxy-re-establish-proxy-trust/

https://www.fastvue.co/tmgreporter/blog/how-to-solve-web-application-proxy-and-ad-fs-certificate-issues-general-error-code-0x8007520c

https://support.microsoft.com/en-gb/help/3079872/troubleshoot-ad-fs-issues-in-azure-active-directory-and-office-365