Category: PowerShell

How To Disable Azure AD Connect via PowerShell

Recently I came across an environment where Exchange was being migrated to Office 365. As you may know, DirSync is no longer supported for Exchange/O365 migrations and Microsoft recommends you now use Azure AD Connect.

With that said, recently in a PoC environment, using Azure AD Connect, the domain controller that was running the Azure AD Connect utility was never uninstalled, and the VM was shortly deleted. Well, as a result, the O365 admins are now getting reminded daily that their AD Sync has failed to connect.

As of today, there is no way to disable Azure AD Connect via the Azure Resource Manager (ARM) portal, but this can be done with some PowerShell. If you take a look at the ARM portal, there is no option to currently disable the directory synchronization.

First, you will need to install the Azure Active Directory Connection utility, the download for that can be found HERE. This will provide you the PowerShell cmdlet’s needed to run the code below. No, AzureADPreview V2 will not work (yet…).

Once installed, launch the PowerShell console and we will need to connect to Azure AD and trigger the Directory Sync to false. Below are the commands you will need to get this done. Note, you will need an Azure global admin account with the *@*.onmicrosoft.com domain to successfully sign into Azure AD via PowerShell.

#specify credentials for azure ad connect
$Msolcred = Get-credential
#connect to azure ad
Connect-MsolService -Credential $MsolCred
#disable AD Connect / Dir Sync
Set-MsolDirSyncEnabled –EnableDirSync $false 
#confirm AD Connect / Dir Sync disabled
(Get-MSOLCompanyInformation).DirectorySynchronizationEnabled 

If you choose to re-enable the AD Connect, just change the flag to TRUE.

Set-MsolDirSyncEnabled –EnableDirSync $true 

Once complete, we can now verify the Directory Sync has now been disabled in ARM.

For more on Azure AD PowerShell cmdlets, visit the following page, HERE.

Transfer Active Directory FSMO Roles via PowerShell

Sometimes a domain controller (DC) just needs to be decommissioned for whatever reason, let’s say an upgrade, or corrupted VM and the roles are now seized.. nevertheless, moving the FSMO (Flexible single master operation) roles can be done via the UI, however if you want to speed things up and do it with PowerShell, here is how to that.

In my scenario, I am decommissioning my Hyper-V server which at the time was acting as the primary DC. Now that it is being decomm’ed I need to transfer the FSMO roles to another DC. The destination DC is “DC01” in this case.

Move-ADDirectoryServerOperationMasterRole -Identity "DESTINATION DC" -OperationMasterRole 0,1,2,3,4

You have the option here to specify a numerical value or specifying the role itself. See below for the number assoicated to each roles. You could input each role, or as I did, just input the number(s).

PDCEmulator or 0
RIDMaster or 1
InfrastructureMaster or 2
SchemaMaster or 3
DomainNamingMaster or 4

To verify the FSMO roles have been transferred, run the netdom query fsmo command.

netdom query fsmo

Installing SCOM 2016 License Key

Launch the PowerShell console, and Run as Administrator:

Import-Module OperationsManager
Set-SCOMLicense -ProductId "XXXXX-XXXXX-XXXXX-XXXXX-XXXXX"
Start-Sleep -s 10
Restart-Service healthservice, omsdk, cshost

capture

Don’t forget, in order for the Product Key to be applied, you will need to restart all SCOM Services, (or you can run the code above (there is a 10 second delay after the key is applied before the services are restarted)):

  • Microsoft Monitoring Agent (healthservice)
  • System Center Data Access Service (OMSDK)
  • System Center Management Configuration (cshost)

 

Cheers!

How to enable Azure Backup to Canada (Central)

Earlier in 2016, Microsoft increased the number of  Canadian Data Centers to two: Canada East and Canada Central. With most of my customers being within Canada, naturally they want their Azure Backup data stored within the Canada Data Centers/Regions — makes sense for many (legal) reasons. Only problem is, Azure backup is still very limited to specific locations (see chart below).

Fellow Canadian and MVP — Stéphane Lapointe, was able to get this working with some PowerShell magic — Please visit his blog to get the more details of his workaround. The PowerShell code below is workaround to get Azure Backup services bound to the Canadian Regions/Data Centers, specifically the Canada Central region (note, this is still in Preview state), until Microsoft officially allows all Monitoring/ASR services (along with others) to be generally available. This will allow you to create new Azure Backup services and bound them to Canada Central. For more information on this announcement and code details, please visit Microsoft’s announcement.

Also, worth noting, this will only allow you to use Canada Central region for new setup/configurations. It will not change current setups to Canada Central.

Execute the following code on your machine (Run As Administrator…)

Import-Module AzureRM -Force 

#azure account login stuff
$username = ""
$cred = New-Object -TypeName System.Management.Automation.PSCredential -argumentlist $username, $password
Login-AzureRmAccount -Credential $cred
$SubscriptionName = 'Visual Studio Enterprise'

#update recovery services to Canada Central from whatever region it may be (US East, US Central, etc.)
$ErrorActionPreference = 'Stop'
Get-AzureRmSubscription –SubscriptionName $SubscriptionName | Select-AzureRmSubscription
Register-AzureRmResourceProvider -ProviderNamespace Microsoft.RecoveryServices
Register-AzureRmProviderFeature -FeatureName RecoveryServicesCanada -ProviderNamespace Microsoft.RecoveryServices

powershell-result

After about 5 minutes, I re-ran the query, and the Recovery Services were registered to Canada! Sweet..eh? 🙂

powershell-result-2

Now you can create new Azure Backup services bound to the Canada Central region:

arm

(more…)

Issues with Azure Active Directory and Login-AzureRmAccount

If you’re like me, you have probably banged your head against the wall a few times with the Login-AzureRmAccount cmdlet… I reached out to the Azure Development team and not only is this a known issue, but there is currently no solution at the time…. Hmm.

Here is a bit of the background story, followed with the problem and solution to the issue.

Background:

Using PowerShell to script an auto-login to Azure, and start (and shutdown) Virtual Machines (yes, OMS Automation could help/solve this, but in this scenario my customer is currently not on-board with OMS). At any rate, the script is designed to capture some data on a on-premises server, if the threshold breaks, then begin starting resources in Azure, likewise, if the threshold falls back then shutdown those same resources in Azure.

Problem:

Running the following code, I keep getting the a null entry for SubscriptionId and SubscriptionName. Even though the user I have created is a co-administrator and has access to all the resources necessary. Assuming the login did work and the data isn’t needed…when try to start my Azure VM I get an Azure subscription error. So, let me check the subscription details. Well, there we go, I get the following response, “WARNING: Unable to acquire token for tenant ‘Common’” ….. So what gives?

powershell-reply-1

powershell-reply-2

I check and confirm the test-user is in-fact an administrator in ARM (Azure Resource Manager):

arm-portal-1

Solution:

Turns out, the user account created, not only needs to be created and added to the resources with Azure Resource Manager (ARM), but also needs to be assigned as an Administrator within Azure Classic Portal.

classic-portal-1

classic-portal-2

classic-portal-3

Once the test-user was added within the Classic Portal Administrators and set as Co-administrator, I could then get SubscriptionId and SubscriptionName info populate, and Get-AzureRmSubscription with proper details. Yay! (Still get that tenant ‘Common’ warning however…)

powershell-reply-3

Now I can go ahead with my script!

I hope this helps you as much as it helped me.

System Center Operations Manager (SCOM) 2016 – Web Console IIS Requirements for Windows Server 2016 via PowerShell

The following PowerShell code is to install all the necessary IIS components for System Center Operations Manager (SCOM) 2016 Web Console on Windows Server 2016.

Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-HTTP-Activation45, NET-WCF-TCP-PortSharing45, WAS, WAS-Process-Model, WAS-Config-APIs, web-asp-net -restart

You can also find this in Microsoft’s TechNet Gallery, HERE.

Step-by-Step – Installing System Center Operations Manager (SCOM) 2016 on Windows Server 2016 with SQL 2016

This post I will be installing System Center Operations Manager 2016 (SCOM) RTM, Build Number 7.2.11719.0.

Here is some of the background information. As this post will concentrate on the installation of SCOM 2016, I am going to omit the setup and configuration of the Domain Controller, Windows Server 2016 for both SCOM Management Server and SQL Server (Please note, I am using SQL Server 2016, both servers on Windows 2016).

If you need help setting up SQL 2016 for SCOM 2016, please visit HERE.

Environment:  Virtual; ESX 6.0 Hypervisor

SCOM Management Server:

  • Windows Server 2016
  • 4 vCPU (2.00GHz)
  • 12 GB memory
  • 100GB Diskspace
  • 1GB vNIC

SQL Server:

  • Windows Server 2016
  • SQL Server 2016
  • 4 vCPU (2.00GHz)
  • 24 GB memory
  • 300GB Diskspace
  • 1GB vNIC

Service Accounts and Local Administrator:

Domain\Account Description Local Admin on…
domain\SCOM_AA SCOM Action Account SCOM & SQL
domain\SCOM_DA SCOM Data Access/SDK Account SCOM & SQL
domain\SCOM_SQL_READ SCOM SQL Reader SQL
domain\SCOM_SQL_WRITE SCOM SQL Writer SQL
domain\SCOM_Admins SCOM Administrators Group SCOM
domain\SQL_SA SQL Service Account SQL
domain\SQL_SSRS SQL Service Reporting Services Account SCOM

 

Now, if you’re lazy like me, or are tired of doing this setup for environments, I have scripted the automation of these accounts. You can find that link here, Microsoft TechNet Gallery.


Let’s Begin:

2

3

For completeness, let’s install all the features of SCOM 2016. (I am hosting a default SQL 2016 instance on the SCOM Management Server for SSRS)

4

5

Well, that’s not new… Errors. Since this is a clean, vanilla Windows 2016 server, we will need to install all the necessary Web Console components, along with Report Viewer Controls (probably SQL CLR Types too..).

  • For the Report Viewer Prerequisites, go HERE.

Note, oddly I was unable to install with CLR SQL 2016, Reports Viewer still complained and required CLR SQL 2014.

  • Here is the PowerShell command I ran to install the necessary IIS features/roles:
Import-Module ServerManager
Add-WindowsFeature Web-Server, Web-WebServer, Web-Common-Http, Web-Default-Doc, Web-Dir-Browsing, Web-Http-Errors, Web-Static-Content, Web-Health, Web-Http-Logging, Web-Log-Libraries, Web-Request-Monitor, Web-Performance, Web-Stat-Compression, Web-Security, Web-Filtering, Web-Windows-Auth, Web-App-Dev, Web-Net-Ext45, Web-Asp-Net45, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Mgmt-Tools, Web-Mgmt-Console, Web-Mgmt-Compat, Web-Metabase, NET-Framework-45-Features, NET-Framework-45-Core, NET-Framework-45-ASPNET, NET-WCF-Services45, NET-WCF-HTTP-Activation45, NET-WCF-TCP-PortSharing45, WAS, WAS-Process-Model, WAS-Config-APIs -restart

 

Once the server is back online, you will need to register ASP.Net.

6

You will need to apply the following using Command Prompt (as Administrator)).

  1. cd %WINDIR%\Microsoft.NET\Framework64\v4.0.30319\
  2. aspnet_regiis.exe -r
  3. IISRESET
  4. Reboot your server…

Once the server is back online, let’s try that Prerequisites check again….

7

Great! Now all of Prerequisites have been met!

8

Provide a meaningful Management Group Name (there’s no going back after this…)

9

SQL Server will be where your SCOM SQL instance(s) were installed. For me, I have built two instances on my SQL2016 server (SCOM_OPSMGR & SCOM_DW).

10

11

12

13

14

15

16

17

I recommend always keeping this off, and manually updating your SCOM infrastructure.

18

One quick review. Looks good. Hit Install, and get some fresh air!

19

A few minutes later….

20

Sweet! All good. I hope this helps. If you have any questions or issues, please drop me a line.

Please note, it is STRONGLY ADVISED to install the Update Rollup 1 once you have deployed SCOM 2016. For that walk-through, please visit the following post, HERE.

Happy 2016 SCOM’ing!

(more…)