Windows DHCP not Updating DNS

Our 2012 R2 DCs run DHCP and DNS for our environment, but I found that our clients’ DNS records were frequently incorrect, even though DHCP is supposed to update DNS with the correct entry. This blog post solved our problem:

http://blogs.msmvps.com/acefekay/2009/08/20/dhcp-dynamic-dns-updates-scavenging-static-entries-amp-timestamps-and-the-dnsproxyupdate-group/

Note: If you are unsure about running the dnscmd command shown in the blog post, here are the commands to check the setting before you change it, and to revert it afterwards:

Show current state:

dnscmd /info /OpenACLOnProxyUpdates

Desired state (records registered by members of the DnsUpdateProxy group are no longer created with an open ACL that any authenticated user can overwrite):

dnscmd /config /OpenAclOnProxyUpdates 0

Revert to default:

dnscmd /config /OpenAclOnProxyUpdates 1

vCenter No Longer Reachable

After a power outage, we powered on our VMware infrastructure, and as we went through the process we quickly realized that vCenter was not coming back online. vCenter was not reachable via ICMP or HTTP/HTTPS. Logging into the ESXi console showed the VCSA booting very slowly, but eventually it booted up. Still no network connectivity. After enabling bash and running “ifconfig”, I noticed the eth0 interface was missing. “ip link show” confirmed that the VM did not recognize any eth0 device, but it did pick up an eth1 device. For some reason the vNIC MAC address had changed, and the VCSA’s persistent udev rules registered the NIC as a new device. To resolve this:

  1. Edit this file on the VCSA: /etc/udev/rules.d/70-persistent-net.rules
  2. Delete (or comment out, if you want to be able to put them back) all lines in that file
  3. Reboot the VCSA

This process clears the static MAC-to-eth0 association left over from the previous NIC and lets the VCSA boot with the new NIC/MAC address as eth0.

Reference: http://www.vmwarebits.com/content/how-fix-vcenter-appliance-no-networking-problem

WebEx and ADFS SSO

Implemented WebEx with ADFS SSO (Windows 2012R2) successfully, and found these articles helpful:

Initial Setup:

https://cisco-support.webex.com/guest/articles/en_US/Usability_FAQs/WBX63102/myr=false

https://digitalglue.wordpress.com/2014/02/11/configuring-cisco-webex-meeting-server-to-work-with-adfs-2-0/

Those guides do not go over configuring sign-out.  This can be accomplished with the WSFederation sign-out URL documented here:

http://social.technet.microsoft.com/wiki/contents/articles/1439.ad-fs-how-to-invoke-a-ws-federation-sign-out.aspx

And configuring your ADFS server with:

1.  Go to AD FS Manager – Trust Relationships – Relying Party Trusts – <your party trust> properties
2.  Under the Endpoints tab, click Add SAML…
3.  Endpoint Type = SAML Logout, Binding = POST, Trusted URL = https://myadfsserver.domainname.com/adfs/ls/?wa=wsignout1.0
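The same logout endpoint can be added from PowerShell on the federation server, which is handy when the trust has to be rebuilt. This is an added example, not from the original post or from the WebEx/ADFS guides linked above; the trust display name ('WebEx') and the ADFS host name are placeholders for your own values, and it assumes the ADFS module is available.

```powershell
# Added example (not from the original post): add the SAML Logout POST endpoint
# to an existing relying party trust from PowerShell instead of the AD FS GUI.
# Assumptions: run on a federation server with the ADFS module; the trust
# display name and the ADFS host name below are placeholders.
Import-Module ADFS

$trustName = 'WebEx'                                        # placeholder display name
$logoutUrl = 'https://myadfsserver.domainname.com/adfs/ls/?wa=wsignout1.0'

$rpt = Get-AdfsRelyingPartyTrust -Name $trustName
if (-not $rpt) { throw "Relying party trust '$trustName' not found" }

# -SamlEndpoint replaces the whole endpoint list, so keep the existing endpoints
# (the assertion consumer URL in particular) and append the logout endpoint.
$existing = @($rpt.SamlEndpoints)
$already = $existing | Where-Object { $_.Protocol -eq 'SAMLLogout' -and "$($_.Location)" -eq $logoutUrl }
if ($already) {
    Write-Host "Logout endpoint already present; nothing to do."
    return
}

$logout = New-AdfsSamlEndpoint -Binding POST -Protocol SAMLLogout -Uri $logoutUrl
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -SamlEndpoint ($existing + $logout)

# Verify what AD FS stored: the original endpoints plus the new SAMLLogout/POST one.
(Get-AdfsRelyingPartyTrust -Name $trustName).SamlEndpoints |
    Select-Object Protocol, Binding, Location, Index
```

The point of collecting `$existing` first is that `-SamlEndpoint` is a full replacement, not an append; passing only the logout endpoint would drop the assertion consumer endpoint and break sign-in.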

Office 365 – Quick Optimizations

I’ll be adding to this as I continue to work with O365, but for now there are two things I usually do for every tenant.

First, connect to O365 via PowerShell. If you don’t know how, see my Office 365 – PowerShell post below.

Disable “Clutter” feature for all mailboxes:

Get-Mailbox -ResultSize Unlimited | Set-Clutter -Enable $false

Raise email message size limits for all existing mailboxes, and for the mailbox plans so that newly created mailboxes get the same limits:

Get-Mailbox -ResultSize Unlimited | Set-Mailbox -MaxReceiveSize 75MB -MaxSendSize 75MB

Get-MailboxPlan | fl Name,MaxSendSize,MaxReceiveSize,IsDefault

Then, using the mailbox plan name from the previous command:

Set-MailboxPlan ExchangeOnlineEnterprise-XXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXX -MaxSendSize 75MB -MaxReceiveSize 75MB

Disable password expiration:

Log into O365 web admin portal (https://portal.office365.com)

Go to “Service Settings” -> “Passwords” and select “Passwords never expire”

Office 365 – Powershell

Connecting to Office 365 via Powershell for the first time? Here are the steps to get started:

  1. Install the Microsoft Online Services Sign-In Assistant for IT Professionals RTW
  2. Install the Azure Active Directory Module for Windows Powershell (64-bit version)
  3. Open Powershell and run this command the first time you connect on your computer:
    1. Set-ExecutionPolicy RemoteSigned
  4. Next, run these three commands (you’ll do this every time you want to connect):
    1. $UserCredential = Get-Credential
    2. $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
    3. Import-PSSession $Session
  5. You should now be connected.  When finished, run:
    1. Remove-PSSession $Session
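Steps 4 and 5 above as one script, so the remote session is removed even when a command in the middle fails. This is an added example, not from the original post; it uses the same cmdlets and connection URI as the steps above and assumes the modules from steps 1 and 2 are installed.

```powershell
# Added example (not from the original post): connect, do the work, and always
# disconnect. Same cmdlets and URI as the numbered steps above.
$UserCredential = Get-Credential

$Session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri https://outlook.office365.com/powershell-liveid/ `
    -Credential $UserCredential -Authentication Basic -AllowRedirection
try {
    # -DisableNameChecking silences the warning about unapproved verbs in the
    # imported proxy cmdlets; Out-Null hides the module object it returns.
    Import-PSSession $Session -DisableNameChecking | Out-Null

    # Sanity check that the imported cmdlets actually work before doing anything else.
    $count = (Get-Mailbox -ResultSize Unlimited | Measure-Object).Count
    Write-Host "Connected; tenant has $count mailboxes."

    # ... your tenant work goes here ...
}
finally {
    # Runs whether the block above succeeded or threw, so no orphaned remote
    # session is left open (the service allows only a limited number per user).
    Remove-PSSession $Session
}
```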

UPDATE: Here is an awesome project on GitHub that is an Office 365 PowerShell GUI: https://github.com/bwya77/O365-Administration-Center

Microsoft References:

https://technet.microsoft.com/en-ca/library/jj151815.aspx#bkmk_installmodule
https://technet.microsoft.com/en-us/library/jj984289(v=exchg.160).aspx

Identifying “onmicrosoft” Email Users

If you use Office 365 and DirSync, a user’s primary email address can end up being username@domain.onmicrosoft.com if the user is not set up correctly. To identify all users set up this way, connect to Office 365 PowerShell and run this command:

Get-Mailbox -ResultSize Unlimited | Where-Object { $_.PrimarySmtpAddress -like "*.onmicrosoft.com" } | Select-Object DisplayName, PrimarySmtpAddress
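A slightly more useful version of that query, added here as an example (not from the original post): besides listing the mailboxes whose primary address is still in the onmicrosoft.com domain, it shows whether each one already carries a custom-domain proxy address, which is the address you would normally promote to primary. It assumes an open Exchange Online session as described in the Office 365 – PowerShell section; the CSV path is a placeholder.

```powershell
# Added example (not from the original post): report mailboxes whose primary SMTP
# address is in the tenant's onmicrosoft.com domain, with any custom-domain alias.
# Assumes an existing Exchange Online remote session; export path is a placeholder.
$report = Get-Mailbox -ResultSize Unlimited |
    Where-Object { $_.PrimarySmtpAddress -like '*.onmicrosoft.com' } |
    ForEach-Object {
        # EmailAddresses holds "SMTP:" (primary) and "smtp:" (secondary) entries;
        # -clike is case-sensitive so only the secondary addresses are picked up.
        $custom = $_.EmailAddresses |
            Where-Object { $_ -clike 'smtp:*' -and $_ -notlike '*.onmicrosoft.com' } |
            ForEach-Object { $_.Substring(5) }   # strip the "smtp:" prefix
        [pscustomobject]@{
            DisplayName        = $_.DisplayName
            UserPrincipalName  = $_.UserPrincipalName
            PrimarySmtpAddress = $_.PrimarySmtpAddress
            CustomDomainAlias  = ($custom -join ';')   # empty means no custom address at all
        }
    }

$report | Format-Table -AutoSize
$report | Export-Csv -Path 'C:\temp\onmicrosoft-mailboxes.csv' -NoTypeInformation
```

Rows with an empty CustomDomainAlias column are the ones that need attention in DirSync (the on-premises proxyAddresses attribute), since there is nothing in the cloud to promote.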

CUCM IM change postgres external database

If you need to change the Postgres external database for CUCM IM, there are a few steps to follow:

  1. Change the database server name
    1. External Server Setup -> External Databases
  2. Unassign servers and disable persistent chat
    1. Messaging -> Group Chat and Persistent Chat
    2. Change “Persistent Chat Database Assignment” to unassigned
    3. Uncheck “Enable Persistent Chat” and Save
  3. Assign servers and enable persistent chat
    1. Messaging -> Group Chat and Persistent Chat
    2. Change “Persistent Chat Database Assignment” to assigned
    3. Check “Enable Persistent Chat” and Save
  4. Restart Cisco XCP Router
  5. Start Cisco XCP Text Conference Manager

This blog post helped figure out the process: http://collabtechnotes.blogspot.com/2015/07/postgre-sql-cisco-xcp-message-archiver.html

ADFS MFA with Office 365

We wanted to implement MFA (multi-factor authentication) on our AD FS servers for authentication to Office 365. If you just want basic “MFA for all users”, the AD FS GUI will let you select your MFA provider and enable it. I needed a more granular policy:

Only enable MFA if the user is a member of a specific security group AND the user is coming from outside the corporate network AND it is a browser-based authentication request

The third part of that policy is there so that users can still use ActiveSync or Skype for Business, since those clients do not support MFA right now.

Granular ADFS policies are set using “claims”, which can be combined together with “and” statements.  Here are the three claims I needed enabled:

Only enables MFA for a particular security group (uses the group SID):
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] &&

Only enables MFA for users outside the corporate network (auth requests that come through the AD FS proxy servers, which set this claim to false):
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&

Only enables MFA for browser-based (and OAuth2) requests, by matching the endpoint path:
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]

To apply these claims, first enable the MFA provider using the GUI. Open AD FS Management, click “Authentication Policies” and then click “Edit Global Multi-Factor Authentication” on the left-hand side. From there you can select your MFA provider and click “Apply”. After this, you must use PowerShell. I also used PowerShell variables to make the process a little cleaner.

$mfarule = 'c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "S-1-2-46-1537777264-XXXXXXXXXXXXX"] && c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] && c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"] => issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");'
$rpt = Get-AdfsRelyingPartyTrust -Name "Microsoft Office 365 Identity Platform"
Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfarule

And now you are done! The following command reverts the trust back to the default (no additional authentication rules):

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules ''

These commands enable MFA just for the Office 365 relying party (so I can have different policies per relying party). If you would like to apply the rule globally, to every relying party, use this:

Set-AdfsAdditionalAuthenticationRule -AdditionalAuthenticationRules $mfarule

And finally, to review the rules now applied to the trust (check the AdditionalAuthenticationRules property in the output):

Get-AdfsRelyingPartyTrust -Name DisplayNameOfTrust
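The whole procedure as one script, added here as an example (not from the original post): it builds the same three-condition rule, but resolves the group SID from the group name instead of pasting it in, and saves the trust’s current rule to a file before overwriting it so the change can be reverted exactly. It assumes it runs on a federation server with the ADFS and ActiveDirectory modules; the group name 'O365-MFA-Users' and the backup path are placeholders.

```powershell
# Added example (not from the original post): per-relying-party MFA rule with the
# group SID resolved from AD and a backup of the existing rule.
# Assumptions: run on a federation server with the ADFS and ActiveDirectory modules;
# 'O365-MFA-Users' and the backup path are placeholders.
Import-Module ADFS
Import-Module ActiveDirectory

$groupName = 'O365-MFA-Users'
$rptName   = 'Microsoft Office 365 Identity Platform'
$backup    = 'C:\temp\adfs-additional-auth-rules.bak'

# Resolve the SID so a typo in a pasted SID cannot silently match nobody.
$sid = (Get-ADGroup -Identity $groupName).SID.Value

# Same three conditions as the rule in the post, joined with &&:
# group membership, request came through the proxy (outside the network),
# and a browser (/adfs/ls) or OAuth2 (/adfs/oauth2) endpoint.
$mfarule = @"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid", Value == "$sid"] &&
c1:[Type == "http://schemas.microsoft.com/ws/2012/01/insidecorporatenetwork", Value == "false"] &&
c2:[Type == "http://schemas.microsoft.com/2012/01/requestcontext/claims/x-ms-endpoint-absolute-path", Value =~ "(/adfs/ls)|(/adfs/oauth2)"]
=> issue(Type = "http://schemas.microsoft.com/ws/2008/06/identity/claims/authenticationmethod", Value = "http://schemas.microsoft.com/claims/multipleauthn");
"@

$rpt = Get-AdfsRelyingPartyTrust -Name $rptName
if (-not $rpt) { throw "Relying party trust '$rptName' not found" }

# Keep whatever rule is there now so the change can be reverted exactly.
$rpt.AdditionalAuthenticationRules | Set-Content -Path $backup

Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules $mfarule

# Verify what AD FS actually stored.
(Get-AdfsRelyingPartyTrust -Name $rptName).AdditionalAuthenticationRules

# To revert to the saved rule:
#   Set-AdfsRelyingPartyTrust -TargetRelyingParty $rpt -AdditionalAuthenticationRules (Get-Content $backup -Raw)
```

Resolving the SID at run time also makes the script reusable across forests where the same group name has a different SID, and the backup file is what you want in hand if the MFA provider misbehaves and you need to drop the rule quickly.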

———————————————————————————————————————

These blogs were extremely helpful throughout this process:

https://doubledit.co.uk/2015/10/21/adfs-multi-factor-authentication-force-mfa-for-browser-based-access-to-office-365/

http://blog.auth360.net/2014/10/23/mfa-conditional-access-policies-in-ad-fs-2012-r2/

http://blogs.msdn.com/b/ramical/archive/2014/01/30/under-the-hood-tour-on-multi-factor-authentication-in-ad-fs-part-1-policy.aspx

https://technet.microsoft.com/en-us/library/dn479343(v=wps.630).aspx