Azure AD Password Sync Error with Event ID 611
Recently we faced an issue with the Password Sync from our On-Prem AD server . The strange issue was when we create/delete an AD object the synchronization completes successfully except for the Password changes. In the event viewer on the AAD connect server we could see event ID 611.
Password synchronization failed for domain: test.com
Details:
System.DirectoryServices.Protocols.LdapException: The operation was aborted because the client side timeout limit was exceeded.
If you are facing the same issue , you need to modify the registy entry on the AAD connect server as below;
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Ldap
Modify the parameter LdapClientIntegrity to 0.
But I am still not sure , is it a Bug or not, If I come across any information about the cause of the error , I will update this post accordingly.
Good Luck.
How to login to Exchange Online Powershell
In most of the cases you may need to login O365 via PowerShell to manage the environments , Then you could use the below cmdlets to initiate the sessions.
+ Set-ExecutionPolicy RemoteSigned
+ $UserCredential = Get-Credential
+ $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://outlook.office365.com/powershell-liveid/ -Credential $UserCredential -Authentication Basic -AllowRedirection
+ Import-PSSession $Session -DisableNameChecking
+ Remove-PSSession $Session ( Need to run this to avoid the waiting time as Microsoft has a limit on the session)
That’s it now , you could start using the Powershell cmd’s. Please refer the below MS KB Article for the explanation of these commands, and prerequisites.
https://docs.microsoft.com/en-us/powershell/exchange/exchange-online/connect-to-exchange-online-powershell/connect-to-exchange-online-powershell?view=exchange-ps
In some cases when you try to run Import-Module MSOnline you will be see an error message no cmdlets found. In order to solve this issue you need to install Windows Management Framework 5.1. Once you install this update need to restart the computer. Thereafter you could use the below commands to Manage your environment.
+ $UserCredential = Get-Credential
+ Import-Module MSOnline
+ Connect-MsolService -Credential $UserCredential
+To Disable the Sync
Set-MsolDirSyncEnabled -EnableDirSync $false
+To view the Current status
(Get-MsolCompanyInformation).DirectorySynchronizationEnabled
+ To force a manual Sync after a Change in On-Prem Object.
Import-Module ADSync
Get-ADSyncScheduler
Start-ADSyncCycle -PolicyType Delta
How to descommission the On-Prem Exchange server after the successful migration to O365.
When you performed a cutover or Hybrid migration to O365 , You need to uninstall the On-Prem Exchange Server. Even though MS recommends to keep at least one Exchange On-Prem Server(Does not require any license and special license available for this use cases), Some environments require them to be uninstall in that case we could follow the below steps.(Please note I have not included any screenshots because if you are reading this article you should have well familiarized with O365 Admin / EAC consoles.
- Change the DNS records internally & externally to point it to O365.
- Open EAC on Office365
- Click on Mailflow -> Open Connectors
- Disable or Delete the 2 Connectors ( Both Inbound & Outbound)
- Click on Organization and remove the O365 to Onpremises …config.
- Stop the AD Sync (Set-MsolDirSyncEnabled –EnableDirSync $false)
- Remove all the unwanted or non migrated mailboxes from the On-Prem Server
- Remove the Public Folders
- Remove / Disable Arbitration Mailbox ( Get-Mailbox –Arbitration )
- Optional(Remove OAB)
- Uninstall Exchange
- Re-enable ADSync (Set-MsolDirSyncEnabled –EnableDirSync $true)
How to expire Veeam Backup Jobs
When using Veeam B&R , if you had to face a situation where you need to expire the old backups to free up some disk space you need to follow slightly a different approach. As mostly in other cases (especially VERITAS) you could simply change the retention period to a lower value and need to restart the services , you could notice the backup files have been disappeared. In Veeam you need to go through the below steps.
- Remove the backup files manually (recommended to clear the files created by the last incremental jobs until you reach to the last full backup).
- Reduce the backup pointer to a lower value in your backup job.
- Then you need to start the jobs manually or wait for the next schedule.
VCSA6.7 and Veeam B&R Issues
Recently we were upgrading our ESXi Infrastructure from ESXi 6.0 to 6.7.During this process we kicked off the migration process with our VCenter Server 6.0 with the intention to move it to a VCSA 6.7 . Everything went well . But on the following day we started receiving Backup job failure alerts from Veeam Server.
After few google searches we came to know that the Veeam B&R need to be upgraded with U3 to be fully be compatible with Photon based VCSA 6.7 .
Good Luck with your VSphere Upgrades.
Nutanix NTP Issues & Troubleshooting.
The below commands helps to troubleshoot and fix NTP issues on Nutanix Cluster. You can run these command by logging to any of the CVM’s.
To check the date on all the nodes
allssh ssh root@192.168.5.1 date
Additional Permissions needed for a Service Account to Reset and Change AD passwords and Unlock AD Accounts.
In some scenarios we had to delegate the permission for a Junior Administrator to do some AD related tasks ,for example change/reset the AD user password , Unlock user account , etc. In this case most of the articles I have googled and referred pointing only to enable the
“Reset user passwords and force password change at next logon “. But what I realized is that this alone will not grant your the required permission.
Thus additionally you need to add a custom level delegation as provided below;
- Create a custom task to delegate and click Next.
- Select Only the following objects in the folder from the Delegate control of option.
- Select the User objects option as the object to which to delegate.
Click Next to proceed.(Ensure Property-specific is selected.) - Scroll down to select the Read lockout Time and Write lockout Time.
- Review the changes and click next to complete the wizard.
Please note that I have not listed any detailed steps on how to create the delegation rules as there are plenty of articles available on the Internet that provides a very descriptive guidelines along with the screenshots.
