Wednesday, December 10, 2014

Recovering Active Directory From Total Loss: Disaster Recovery Basic Steps

In this article I will help you understand how to recover your entire forest from total loss. Many networks these days have multiple domain controllers, and especially on enterprise networks losing all available domain controllers is less likely, but still possible. If you do not have a published SOP for recovering your Active Directory forest, the steps in this article may provide the framework you need.

Scenario: The entire datacenter is gone; you have your backup and your infrastructure ready in the second datacenter.

Note: back up at least two domain controllers from each domain regularly, to preserve better recovery options when needed.

Note: per Microsoft, it is not recommended to restore a FSMO role holder, in the interest of simplicity. (Forest recovery white paper)


Now we have lost DC1, and we must recover the entire forest and its domains from tape backup.



  1. Prepare the VM host in DC2, ready to be deployed.
  2. Make sure each VM is able to talk (TCP/IP) to your backup media servers in DC2.
  3. Recover the first domain controller of the forest root from a good tape backup (System State).
  4. You will need to know the DSRM administrator user name and password.
  5. After the successful restore, reboot into DSRM (Directory Services Restore Mode) by pressing the F8 key.
  6. Install the VM host integration drivers (do not remove any of the existing drivers that came with the image; it could cause a blue screen).
  7. Disable all physical NIC cards, and un-check the option to register this connection in DNS on all the NICs which are no longer being used. Domain controllers in general do not need more than a single NIC.
  8. Make sure all disks for the recovered DC are configured correctly (SYSVOL and .DIT).
  9. Bring all disks online and make sure the correct disk labeling is in place (same as the lost DC).
  10. Verify that SYSVOL and the .DIT exist after the successful recovery.
  11. Configure the TCP/IP IPv4 or IPv6 properties based on your needs; you can use a different IP address scheme, as domain controllers will register their new IP addresses and their DC-related DNS records in DNS on the first reboot.
  12. Reboot the DC into regular mode.
  13. Wait for SYSVOL to become available.
  14. Log in to the DC with Domain Administrator privileges.
  15. Perform an authoritative SYSVOL restore: set BurFlags to D4.
  • Click Start, and then click Run.
  • In the Open box, type cmd and then press ENTER.
  • At the command prompt, type net stop ntfrs.
  • Click Start, and then click Run.
  • In the Open box, type regedit and then press ENTER.
  • Locate the following subkey in the registry:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup

  • In the right pane, double-click BurFlags.
  • In the Edit DWORD Value dialog box, type D4 and then click OK.

From the command prompt type "net share" to verify that SYSVOL is shared.
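The BurFlags procedure above, scripted as an added example (this is not code from the original post): it sets D4 for the authoritative restore on the first root DC, and the same function with D2 covers the non-authoritative restore on the child domain controller later in this article. The .NET registry API is used because the key name contains a forward slash, which the PowerShell registry provider would read as a path separator.

```powershell
# Added example: set NTFRS BurFlags, restart the service, wait for the SYSVOL share.
# D4 = authoritative restore (first DC in the domain), D2 = non-authoritative
# (every other DC, e.g. the restored child domain controller).
# Run in an elevated PowerShell session on the restored DC.
function Set-NtfrsBurFlags {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)]
        [ValidateSet('D2', 'D4')]
        [string]$Mode
    )
    # The key name contains "/" which the HKLM: provider treats as a separator,
    # so use the .NET registry API instead of Set-ItemProperty.
    $subKey = 'System\CurrentControlSet\Services\NtFrs\Parameters\Backup/Restore\Process at Startup'
    $value  = [Convert]::ToInt32($Mode, 16)   # BurFlags is a DWORD: D4 -> 212, D2 -> 210

    if ($PSCmdlet.ShouldProcess('NtFrs BurFlags', "Set to 0x$Mode and restart NTFRS")) {
        Stop-Service -Name NtFrs -Force
        $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey($subKey, $true)
        try {
            $key.SetValue('BurFlags', $value, [Microsoft.Win32.RegistryValueKind]::DWord)
        } finally {
            $key.Close()
        }
        Start-Service -Name NtFrs
    }
}

function Test-SysvolShare {
    # Poll "net share" for SYSVOL; after an authoritative restore this can take a
    # while (FRS event 13516 in the File Replication Service log marks it ready).
    param([int]$TimeoutSeconds = 600)
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        $shares = (net share) -join "`n"
        if ($shares -match '(?m)^SYSVOL\s') { return $true }
        Start-Sleep -Seconds 15
    } while ((Get-Date) -lt $deadline)
    return $false
}

# First restored DC in the forest root: authoritative (D4)
Set-NtfrsBurFlags -Mode D4
# Restored child domain controller: non-authoritative (D2) instead
# Set-NtfrsBurFlags -Mode D2
if (Test-SysvolShare) { 'SYSVOL is shared' } else { 'SYSVOL not shared yet; check the FRS event log' }
```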

Perform metadata cleanup (on Windows 2008 use ADUC, or NTDSUTIL); if you are in a large environment, using ADUC is much faster: simply locate the DC computer object and select Delete. (Related Link)

Tip: if you leave the FSMO role holders for last, deleting the FSMO role DCs will force FSMO seizure to the surviving DC (one last step to worry about: seizing the FSMO roles).

  1. Reset the machine account password twice.
  2. Reset the krbtgt account password twice.
  3. Reset all trust passwords.
  4. Seize the FSMO roles if you have not done it already.
  5. Delete all orphaned KCC replication connections.
  6. Clean up DNS: name servers, forwarders, stale CNAME and glue records; delete them all.
  7. Promote a second DC in the root domain; if you have a single label domain name space, at this point you would DCPROMO the other DCs.
  8. In the child domain, restore the first writable domain controller.
  9. Log into DSRM mode.
  10. Perform all the initial steps done on the previous restore.
  11. Make sure the primary DNS in the TCP/IP properties of the child domain controller is pointing to the root DC.
  12. Reboot the restored child domain controller into regular mode.
  13. Wait for SYSVOL to be available.
  14. Log into the DC.
  15. You need to set BurFlags to D2 on the child domain controller; if you don't do this, the SYSVOL folder will disappear after some time.
  16. Use RepAdmin to make sure replication from child to parent is working.
  17. Perform metadata cleanup.
  18. Perform FSMO role seizure.
  19. Check to make sure DNS comes up.
  20. Clean up all stale CNAME, A, glue and reverse DNS entries.
  21. Make sure the DCs are stable.
  22. Start planning your application servers' recovery and have fun (-:
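The krbtgt reset, the machine account reset and the FSMO seizure from the checklist above, run from PowerShell on the restored forest-root DC, as an added example (not code from the original post). RESTORED-DC01 and CONTOSO are assumed names; replace them with your own.

```powershell
# Added example: post-recovery resets and FSMO seizure on the restored root DC.
# Assumed names: RESTORED-DC01 is this DC, CONTOSO is the forest root domain.
# Run in an elevated PowerShell session on the restored DC.
Import-Module ActiveDirectory

function New-RandomSecurePassword {
    # 32 random bytes, base64-encoded; nobody ever types the krbtgt password
    $bytes = New-Object byte[] 32
    [System.Security.Cryptography.RandomNumberGenerator]::Create().GetBytes($bytes)
    ConvertTo-SecureString -String ([Convert]::ToBase64String($bytes)) -AsPlainText -Force
}

# 1. krbtgt twice: the KDC honours both the current and the previous krbtgt key,
#    so a single reset still leaves tickets issued under the old key valid. Two
#    resets invalidate every Kerberos ticket the lost DCs ever issued. With more
#    than one DC online, let replication converge between the two resets.
1..2 | ForEach-Object {
    Set-ADAccountPassword -Identity krbtgt -Reset -NewPassword (New-RandomSecurePassword)
}

# 2. DC machine account twice. netdom is the tool Microsoft documents for this;
#    /passwordd:* makes it prompt for the administrator password.
1..2 | ForEach-Object {
    netdom resetpwd /server:RESTORED-DC01 /userd:CONTOSO\Administrator /passwordd:*
}

# 3. Seize all five FSMO roles onto the restored DC. -Force seizes rather than
#    transfers, which is what you need when the old role holders no longer exist.
Move-ADDirectoryServerOperationMasterRole -Identity RESTORED-DC01 `
    -OperationMasterRole SchemaMaster, DomainNamingMaster, PDCEmulator, RIDMaster, InfrastructureMaster `
    -Force -Confirm:$false

# 4. Confirm who holds the roles now, then check replication state with RepAdmin.
Get-ADForest | Select-Object SchemaMaster, DomainNamingMaster
Get-ADDomain | Select-Object PDCEmulator, RIDMaster, InfrastructureMaster
repadmin /replsummary
```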


DCDiag and RepAdmin are two of the most powerful command line tools; use them.

dcdiag /V /C /D /E /s:DCname > C:\temp\DcDiag.txt


Oz Casey Dedeal (MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+

Download Forest Recovery White Paper

Tuesday, November 11, 2014

Exchange 2016 & Skype4B


I recently attended the MVP Summit 2014 at Redmond. I must admit this was one of the most significant summits. I had the same feelings when I attended the MVP Summit 2010.

Microsoft's future vision was told to us back then: most of the critical Microsoft products would be running from the "Cloud" in the future. Here we are, almost 2015, and yes, there have been many significant changes Microsoft has made to redirect the business energy to cloud deployments. And more is on the way!

It is very clear to me that in a couple more years the current way of doing traditional IT business will shrink, and more and more "Cloud" deployments will be joining our lives.

Information systems and technology are subject to change and adopt innovations fast. Most of these changes are inevitable and we will be adapting to them.

Let's take a look at some of the major changes and related news which are rumbling around the internet.

Exchange 2016 On prem & Office 365 “Cloud”



It's true that customers are shifting their Exchange deployments from on-premises to the cloud, and it's true that we are investing heavily in Office 365. We're fans of Office 365 because we've seen that when customers run email in our cloud, they save money, they get larger mailboxes, and they get faster access to our latest innovations. IT admins spend less time maintaining servers and more time lighting up features that make users happy. Running Office 365 also brings us real-world experience that helps us build a better on-premises product.


Lync 2013 & Skype4B

In the first half of 2015, the next version of Lync will become Skype for Business with a new Current Lync Server customers will be able to take advantage of these capabilities simply by updating from Lync Server 2013 to the new Skype for Business Server in their datacenters.



More to come, stay tuned...

Oz Casey Dedeal (MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+



Monday, September 29, 2014

Arbitration Mailbox Exchange 2010 and 2013

The Exchange Server system mailboxes are also called "Arbitration" mailboxes. Exchange Server uses these mailboxes for various tasks. These mailboxes are created when you set up the first Exchange server and prepare Active Directory (/PrepareAD) in the root domain of the AD forest.

If you would like to locate these mailboxes, use the Get-Mailbox -Arbitration cmdlet; if you are in a root and child domain environment, you have to adjust the PS search to look at the root of the forest to locate these accounts.


Set-ADServerSettings -ViewEntireForest $true

Get-Mailbox -Arbitration | fl Name,Database,DisplayName,ServerName


  • Name : SystemMailbox{1f05a927-eac1-46e7-9a47-611e1a81bb50}
  • Name : SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
  • Name : SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
  • Name : Migration.8f3e7716-2011-43e4-96b1-aba62d229136

If you go to the root of your Active Directory forest you will be able to locate the user accounts associated with these system mailboxes.


By default they are located in the Users container in the root of the AD forest.


Arbitration system mailboxes keep and store organization-wide data, such as:

  • eDiscovery search metadata (if you are using the Search-Mailbox cmdlet with the -TargetMailbox switch and offloading searched enterprise data, the arbitration system mailbox acting as the repository for the metadata collection could potentially get big before it is cleaned up)
  • Administrator audit logs (the ability to run the Search-AdminAuditLog cmdlet)
  • Unified Messaging data, such as menus, dial plans, and custom greetings

In most cases you won't pay much attention to these accounts, as they are not exposed in the EMC and there is less chance of them getting deleted. To be better prepared you can turn on "Protect object from accidental deletion" on these accounts.



You can do the same work from PS; the most common way is to ask for help if you do not remember the cmdlet.

import-module ActiveDirectory

Get the help you need

Get-Help Get-ADUser -examples

Look for System Mailboxes

Get-ADUser -Filter 'Name -like "SystemMailbox*"' | FT Name


Enable all at once.

Get-ADUser -Filter 'Name -like "SystemMailbox*"' | Set-ADObject -ProtectedFromAccidentalDeletion:$true



Scenario - 1

You have decided to move these mailboxes onto another database.

Specify the target database with New-MoveRequest:

Get-Mailbox -Arbitration -Identity "SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}" | New-MoveRequest -TargetDatabase DB200

Scenario - 2

You have decided to delete the system mailbox while preserving the AD account, so you can create a new arbitration system mailbox.

List the arbitration mailboxes:

Get-Mailbox -Arbitration | fl Name

  • Name : SystemMailbox{1f05a927-eac1-46e7-9a47-611e1a81bb50}
  • Name : SystemMailbox{e0dc1c29-89c3-4034-b678-e6c29d823ed9}
  • Name : SystemMailbox{bb558c35-97f1-4cb9-8ff7-d53741dc928c}
  • Name : Migration.8f3e7716-2011-43e4-96b1-aba62d229136

Get-Mailbox -Arbitration -Identity "SystemMailbox{1f05a927*" | Disable-Mailbox -Arbitration -Confirm:$False

The AD account still exists; we will create a brand new arbitration mailbox for the same account.

Enable-Mailbox -Arbitration -Identity "SystemMailbox{1f05a927*"


Scenario - 3

The arbitration mailboxes' AD accounts have been deleted: simply re-run setup.

If you have Exchange 2013 in the environment you need to run the setup from the E2013 media.

Setup.EXE /IAcceptExchangeServerLicenseTerms /PrepareAD


Simple enough: after setup is complete, they are back.
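A health check for the arbitration accounts that ties the protection step and the three scenarios above together, as an added example (not code from the original post): it looks in the Users container of the forest root, reports which accounts lack "Protect object from accidental deletion" and re-protects them, re-creates the mailbox where only the AD account survived (scenario 2), and warns when no accounts exist at all (scenario 3). It assumes an Exchange Management Shell with the ActiveDirectory module available.

```powershell
# Added example: audit and repair the arbitration mailbox accounts in the forest root.
# Run from the Exchange Management Shell on a server with the AD module installed.
Import-Module ActiveDirectory
Set-ADServerSettings -ViewEntireForest $true

$rootDomain     = (Get-ADForest).RootDomain
$usersContainer = (Get-ADDomain -Identity $rootDomain).UsersContainer

# AD side: the user objects behind the system and migration mailboxes (/PrepareAD
# creates them in the Users container of the forest root domain)
$accounts = Get-ADUser -Server $rootDomain -SearchBase $usersContainer `
    -Filter 'Name -like "SystemMailbox*" -or Name -like "Migration.*"' `
    -Properties ProtectedFromAccidentalDeletion

if (-not $accounts) {
    # Scenario 3: the AD objects are gone, only setup can bring them back
    Write-Warning 'No arbitration accounts in the forest root; re-run Setup.exe /IAcceptExchangeServerLicenseTerms /PrepareAD'
    return
}

# Exchange side: the arbitration mailboxes Exchange still knows about
$mailboxNames = @(Get-Mailbox -Arbitration | Select-Object -ExpandProperty Name)

foreach ($acct in $accounts) {
    $protected  = [bool]$acct.ProtectedFromAccidentalDeletion
    $hasMailbox = $mailboxNames -contains $acct.Name
    '{0,-60} protected={1,-5} mailbox={2}' -f $acct.Name, $protected, $hasMailbox

    if (-not $protected) {
        # Same effect as the "Protect object from accidental deletion" checkbox in ADUC
        $acct | Set-ADObject -ProtectedFromAccidentalDeletion:$true -Server $rootDomain
    }
    if (-not $hasMailbox) {
        # Scenario 2: the account exists but its mailbox was disabled; give it a new one
        Enable-Mailbox -Arbitration -Identity $acct.DistinguishedName
    }
}
```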


Oz Casey Dedeal (MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+

Tuesday, September 16, 2014

Configuring Internal Application Relay with Receive Connector Part#2


Open your newly created internal Receive connector by right-clicking on it and selecting Properties.


In order to allow Anonymous authentication, follow the steps in this order. On the Authentication tab, TLS is selected by default.

  • Click Permission Groups, select "Exchange servers" and click Apply.


  • Now go back to Authentication and select "Externally Secured"; this is where the magic starts.


  • I will explain in detail why we selected this option and what happened in the background.
  • Go back to the Permission Groups tab and this time select "Anonymous".


  • If you don't follow the order you will receive an error: some controls aren't valid.

You must set the value for the PermissionGroups to ExchangeServers when you set the AuthMechanism parameter to a value of ExternalAuthoritative.


  • You got this because you did not follow the order listed above.
  • If you enable "Externally Secured" you will be forced to use a limited offer of TLS with this connector.
  • You can go back and adjust the Permission Groups if you have any requirements.


Step-1 ---------------> Permission Groups, Select Exchange Servers

Step-2 ---------------> Authentication Settings, Select Externally Secured

Step-3 ---------------> Permission Groups, Select Anonymous

The meaning of Externally Secured is: this Receive connector will lift most of the restrictions; you are pretty much trusting the internal servers. The relaying servers are "trusted", therefore you will be adding the IP addresses of the relaying servers here.


Here is the list of permissions that gets assigned to this connector:


MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authoritative-Domain}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Anti-Spam}
MS Exchange\Externally Secured Servers {ms-Exch-Bypass-Message-Size-Limit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Exch50}
MS Exchange\Externally Secured Servers {ms-Exch-Accept-Headers-Routing}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Submit}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Recipient}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Authentication-Flag}
MS Exchange\Externally Secured Servers {ms-Exch-SMTP-Accept-Any-Sender}

See the  Receive connectors



Add AD permissions to this Receive connector:

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"


Now let's see the properties of this connector:

Get-ReceiveConnector -Identity "E1\Internal_Relay-1" | fl


Now if you have applications that will relay off this connector and they are defined with short names, you will need to add your SMTP domain name in this field, otherwise the short name completion may fail with "501 5.1.3 Invalid address" (a short name in the RCPT SMTP address, etc.).

Basically the application server is passing a valid From SMTP address format on the relay submission, and in the CC or BCC it is passing short names such as casey.Dedeal:


To: Casey.Dedeal

Bcc: Jon.Doe


To overcome this issue and allow applications to continue to use short names in the CC or BCC field, use:

$ReceiveConnector = "E1\Internal_Relay-1"

Set-ReceiveConnector "$ReceiveConnector" -DefaultDomain yourdomain.com   # replace yourdomain.com with your SMTP domain


Now this connector will append the specified default SMTP domain to short names when the application performs the relay submission.


One less thing to worry about, especially for applications which are written poorly (not fully SMTP compliant).

If you would like to see the AD permissions on this connector:

$ReceiveConnector = "E1\Internal_Relay-1"

Get-ReceiveConnector "$ReceiveConnector" | Get-ADPermission | where {$_.ExtendedRights -like "*Any-Recipient"}


Lastly, use a network sniffer and the SMTP logging options to further troubleshoot any SMTP submission failures on this connector.
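Because Externally Secured plus Ms-Exch-SMTP-Accept-Any-Recipient lets any host in RemoteIPRanges relay through Exchange, the connector is only as safe as that IP list. As an added example (not code from the original post), this audit lists every Receive connector in the organization that is externally secured or grants anonymous relay, and flags the ones whose remote IP range is wider than a handful of relaying servers. The "too wide" test (a 0.0.0.0 start or a subnet larger than /24) is a heuristic chosen for this example.

```powershell
# Added example: audit Receive connectors for externally secured / anonymous relay
# and over-broad RemoteIPRanges. Run from the Exchange Management Shell.
function Get-RelayConnectorAudit {
    foreach ($rc in Get-ReceiveConnector) {
        # Who holds Ms-Exch-SMTP-Accept-Any-Recipient (the right that permits relaying)?
        $anyRecipient = $rc | Get-ADPermission |
            Where-Object { $_.ExtendedRights -like '*Accept-Any-Recipient' -and -not $_.Deny } |
            Select-Object -ExpandProperty User

        $externallySecured = [bool]("$($rc.AuthMechanism)" -match 'ExternalAuthoritative')
        $anonymousRelay    = [bool]($anyRecipient -match 'ANONYMOUS LOGON')

        # Connectors without either setting cannot be used as a relay; skip them
        if (-not ($externallySecured -or $anonymousRelay)) { continue }

        $ranges  = @($rc.RemoteIPRanges | ForEach-Object { $_.ToString() })
        # Heuristic: a range starting at 0.0.0.0 or a subnet wider than /24 means
        # far more than the listed relaying servers can use this connector.
        $tooWide = @($ranges | Where-Object { $_ -match '^0\.0\.0\.0' -or $_ -match '/(0|[1-9]|1\d|2[0-3])$' })

        [pscustomobject]@{
            Connector         = $rc.Identity.ToString()
            ExternallySecured = $externallySecured
            AnonymousRelay    = $anonymousRelay
            RemoteIPRanges    = $ranges -join ', '
            Finding           = if ($tooWide) { "relay range too wide: $($tooWide -join ', ')" } else { 'ok' }
        }
    }
}

Get-RelayConnectorAudit | Format-Table -AutoSize -Wrap
```

Compare the RemoteIPRanges column against the list of application servers that are supposed to relay; anything else in that range inherits the full Externally Secured Servers permission set shown above.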

Oz Casey Dedeal (MVP North America)
MCSE 2003, M+, S+, MCDST
Security+, Project+, Server+