hochwald.net About DevOps, PowerShell and more

A reliable time source within an Active Directory environment (or networks in general) is critical.
Some prefer an expensive GPS clock; others don't care. I decided a while ago to sync my DCs with an NTP source.

Please keep in mind that your servers need access to the NTP servers on UDP port 123 (NTP) to sync their clocks, so your firewall needs to allow this.

At a minimum, the server holding the PDC emulator FSMO role should sync. Here is how to find that server:

rem Get the PDC FSMO role (or apply it to all your DCs)
netdom /query fsmo
rem This shows all FSMO roles; the PDC emulator role identifies your main DC server

You can do that on all your DCs (or at least on one in every location/Site).

Now to the real work:

I use the German servers of the NTP Pool Project in the sample above. If you want to use the general pool instead, here you go:

rem This is the general list (the peer list is space-delimited, not comma-delimited)
rem w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org"

If you want to check that everything works:
w32tm /query /configuration

And check your event logs!

There are a few other ways to do this, but the sample above is older and works on Windows Server 2008 R2 or later. I just did it on a few Windows Server 2016 servers, and it worked great!
Here is what I did: I sync my router with NTP Pool Project servers and sync my internal systems with this box. Most modern firewalls and routers support NTP server and client mode.

If you want to play fair, become part of the NTP Pool Project! The traffic is not high and you support a great project. So if you have a spare server and a dedicated IP, think about it.
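The whole procedure from the post (find out whether this host is the PDC emulator, confirm that UDP/123 actually reaches the pool through the firewall, apply the w32tm configuration, then verify via w32tm and the Time-Service event log) as one PowerShell script. This is an added example, not code from the original post. It assumes an elevated PowerShell on a domain controller that has the ActiveDirectory module installed; the function names and the peer list are mine, and the ",0x8" suffix is the documented w32tm flag for client mode.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): configure W32Time on the PDC emulator
# against the NTP Pool Project and verify the result.

# Space-delimited peer list; ",0x8" = client mode (documented w32tm peer flag)
$Peers = '0.pool.ntp.org,0x8 1.pool.ntp.org,0x8 2.pool.ntp.org,0x8'

function Test-IsPdcEmulator {
    # Same information as "netdom /query fsmo", but as a boolean for this host
    $pdc = (Get-ADDomain).PDCEmulator
    $me  = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
    return ($pdc -ieq $me)
}

function Test-NtpPeer {
    param([Parameter(Mandatory)][string]$Peer)
    # /stripchart sends real NTP requests, so a result also proves UDP/123 is open
    $out = & w32tm /stripchart /computer:$Peer /samples:3 /dataonly 2>&1
    $ok  = $out -match '^\d{2}:\d{2}:\d{2},\s*[+-]\d'   # data lines look like "12:00:01, +00.0012345s"
    return [pscustomobject]@{ Peer = $Peer; Reachable = [bool]$ok; Output = ($out -join "`n") }
}

function Set-NtpPeers {
    param([Parameter(Mandatory)][string]$PeerList)
    # The post's command plus /reliable:yes (advertise as a good source to the domain)
    # and /update (apply immediately instead of waiting for a restart)
    & w32tm /config /syncfromflags:manual /manualpeerlist:"$PeerList" /reliable:yes /update | Out-Null
    Restart-Service -Name w32time -Force
    & w32tm /resync /rediscover | Out-Null
}

function Get-NtpStatus {
    # Current source, peer state, status, and the last Time-Service events from the System log
    [pscustomobject]@{
        Source = (& w32tm /query /source)
        Peers  = (& w32tm /query /peers)
        Status = (& w32tm /query /status)
        Events = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Microsoft-Windows-Time-Service' } `
                     -MaxEvents 10 -ErrorAction SilentlyContinue |
                 Select-Object TimeCreated, Id, LevelDisplayName, Message
    }
}

# --- main ---
if (-not (Test-IsPdcEmulator)) {
    Write-Warning 'This host is not the PDC emulator; the other DCs keep syncing from the PDC.'
}
$reach = $Peers -split ' ' | ForEach-Object { Test-NtpPeer -Peer ($_ -split ',')[0] }
$reach | Format-Table Peer, Reachable
if (-not ($reach.Reachable -contains $true)) {
    throw 'No NTP peer reachable: check UDP/123 outbound on the firewall before changing the config.'
}
Set-NtpPeers -PeerList $Peers
Get-NtpStatus
```

The reachability check runs before anything is changed on purpose: if the firewall blocks UDP/123, switching the PDC to an unreachable manual peer list leaves the whole domain without a time source, and Kerberos starts failing once the skew exceeds five minutes.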

A friend called me today with an urgent question: Why does our load balancer show all nodes in our AD FS farm as down?

The answer is a bit complicated: AD FS (Active Directory Federation Services) doesn't answer the load balancer's bind/probe correctly, so the load balancer marks the server(s) as down. The problem is at layer 6/7 and comes from how Microsoft handles SSL with SNI (Server Name Indication) within AD FS. WAP (Web Application Proxy) handles that, but most load balancers have an issue with it.

Here is what you do (in a regular, but elevated, shell):
netsh
http add sslcert ipport=0.0.0.0:443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY
http add sslcert ipport=0.0.0.0:49443 certhash=*** appid={5d89a20c-beab-4389-9447-324788eb944a} certstorename=MY

Replace the *** with your certificate hash (thumbprint) and check the AppID with: netsh http show sslcert

The 443 instance is for regular AD FS business; port 49443 is used for device registration. You can skip that one if you don't use Device Registration in AD FS.

Run this on all nodes of your AD FS farm and you will see that they are marked as available within a few seconds.

I tested this with NGINX as a reverse proxy (but just to see if it works), and I have used it with HAProxy for a while and never had any issue with it. And I use AD FS a lot!
I know a few customers who use this with KEMP and F5 as load balancers in front of AD FS.
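The same fix as a script for all farm nodes, as an added example that is not part of the original post. Instead of pasting the thumbprint by hand it reads it from the binding AD FS already created, checks whether the 0.0.0.0 binding exists before adding it (so the script can be re-run safely), and quotes the AppID, because PowerShell otherwise parses the braces as a script block and netsh reports "The parameter is incorrect". It assumes an elevated PowerShell on an AD FS node with the ADFS module present and that Get-AdfsSslCertificate reports the thumbprint in its CertificateHash property; the function names are mine, the AppID is the one from the post.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): add the non-SNI 0.0.0.0 bindings
# that load balancer probes need, idempotently, on an AD FS node.

function Get-AdfsCertHash {
    # AD FS registered SNI bindings for the federation service name; reuse the 443 thumbprint
    $binding = Get-AdfsSslCertificate | Where-Object PortNumber -eq 443 | Select-Object -First 1
    if (-not $binding) { throw 'No AD FS SSL binding on port 443 found' }
    return $binding.CertificateHash
}

function Test-SslBinding {
    param([Parameter(Mandatory)][string]$IpPort)
    # netsh exits non-zero when no binding exists for this ip:port
    $null = & netsh http show sslcert ipport=$IpPort
    return ($LASTEXITCODE -eq 0)
}

function Add-SslBinding {
    param(
        [Parameter(Mandatory)][string]$IpPort,
        [Parameter(Mandatory)][string]$CertHash,
        [Parameter(Mandatory)][string]$AppId
    )
    if (Test-SslBinding -IpPort $IpPort) {
        Write-Host "binding $IpPort already present, skipping"
        return
    }
    # "appid=..." must be quoted as one string: unquoted {…} is a PowerShell script block
    & netsh http add sslcert ipport=$IpPort certhash=$CertHash "appid=$AppId" certstorename=MY
    if ($LASTEXITCODE -ne 0) { throw "netsh http add sslcert failed for $IpPort" }
}

$appId = '{5d89a20c-beab-4389-9447-324788eb944a}'   # AD FS AppID, as in the post
$hash  = Get-AdfsCertHash

Add-SslBinding -IpPort '0.0.0.0:443'   -CertHash $hash -AppId $appId
Add-SslBinding -IpPort '0.0.0.0:49443' -CertHash $hash -AppId $appId   # only needed with device registration

# Verify: the probe binding should now show the same thumbprint as the SNI binding
& netsh http show sslcert ipport=0.0.0.0:443
```

One caveat worth checking after a certificate renewal: Set-AdfsSslCertificate updates the SNI bindings, but not this manually added 0.0.0.0 binding, so the load balancer will start seeing the old (expired) certificate unless the script is run again with the new thumbprint.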

Today I was asked why I comment so much in my samples, and the Gist that I publish here.

The answer is very easy: The comments should educate everyone a bit (more)!

I know that there are a lot of redundancies and that not every comment makes perfect sense.

A lot of the samples are part of my workshops and showcases. How should I teach others how to write scripts and build their own tools if the code is not documented well?

Two quotes to think about:

"The source code is documentation enough." (Unknown developer)

"It was hard to write the code, so it must be hard to read it!" (Unknown developer)

And to be honest: I think if the comments are too much, just remove them!

There are a lot of other functions and tools that could do the same, but most of them raise the bad password counter by 2 (one for the bind and another for the attempt itself).

I wanted an easy-to-use function that can do the same with just ONE (1) shot.

2017-02-20

Download and Install Office 365 PowerShell requirements

I had a very interesting workshop with administrators and IT guys from a customer (a customer of a partner to be correct). One of the very first questions, like so often, was: Is it possible to install all PowerShell requirements for Office 365 with a single command?

The easy answer is: No, it is not... Sorry!
The true and longer answer is: there are a lot of scripts available on TechNet, GitHub and elsewhere that can do the job for you.

However, we then started to build an individual script that can do exactly that: Download and install all required PowerShell Modules for Office 365.

We defined the following requirements:

  • Do each step in a separate function (agreed, that makes the code more complex)
  • Use an external parameter file (that contains the URLs)
  • Make it robust (e.g. implement some error handling)
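A skeleton that meets the three requirements above, as an added example; it is not the script built in the workshop and not code from the original post. Each step is its own function, the package list comes from an external JSON parameter file, every step is wrapped in error handling, and, since the script downloads and runs installers as an administrator, it refuses to install anything whose SHA256 does not match the value in the parameter file or whose Authenticode signature is not valid. It assumes an elevated PowerShell 5 session with PowerShellGet; the parameter file written at the top is a constructed sample whose URLs and hashes are placeholders, and all function names are mine.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): download and install Office 365
# PowerShell prerequisites from an external parameter file, with integrity checks.

# Constructed sample parameter file, written only so the script runs stand-alone.
# Replace the PLACEHOLDER URLs/hashes with the real installer locations and published SHA256 values.
$ParamFile = Join-Path $PWD 'o365-requirements.json'
if (-not (Test-Path $ParamFile)) {
@'
{
  "Downloads": "C:\\Temp\\O365",
  "Packages": [
    { "Name": "Microsoft Online Services Sign-in Assistant", "Url": "https://PLACEHOLDER/msoidcli_64.msi", "Sha256": "PLACEHOLDER-HASH", "Type": "msi" },
    { "Name": "SharePoint Online Management Shell", "Url": "https://PLACEHOLDER/SharePointOnlineManagementShell.msi", "Sha256": "PLACEHOLDER-HASH", "Type": "msi" }
  ],
  "GalleryModules": [ "MSOnline", "AzureAD" ]
}
'@ | Set-Content -Path $ParamFile -Encoding UTF8
}

function Get-Parameters {
    param([Parameter(Mandatory)][string]$Path)
    try { return (Get-Content -Path $Path -Raw -ErrorAction Stop | ConvertFrom-Json) }
    catch { throw "Cannot read parameter file '$Path': $($_.Exception.Message)" }
}

function Get-Package {
    param([Parameter(Mandatory)]$Package, [Parameter(Mandatory)][string]$Folder)
    $dest = Join-Path $Folder ([System.IO.Path]::GetFileName(([uri]$Package.Url).AbsolutePath))
    try { Invoke-WebRequest -Uri $Package.Url -OutFile $dest -UseBasicParsing -ErrorAction Stop }
    catch { throw "Download of $($Package.Name) failed: $($_.Exception.Message)" }
    return $dest
}

function Test-Package {
    param([Parameter(Mandatory)][string]$Path, [Parameter(Mandatory)][string]$ExpectedSha256)
    # Refuse to run an installer that does not match the expected hash or is not validly signed
    $actual = (Get-FileHash -Path $Path -Algorithm SHA256).Hash
    if ($actual -ne $ExpectedSha256.ToUpperInvariant()) { throw "Hash mismatch for $Path (got $actual)" }
    $sig = Get-AuthenticodeSignature -FilePath $Path
    if ($sig.Status -ne 'Valid') { throw "Authenticode signature on $Path is $($sig.Status)" }
}

function Install-MsiPackage {
    param([Parameter(Mandatory)][string]$Path)
    $p = Start-Process -FilePath msiexec.exe -ArgumentList "/i `"$Path`" /qn /norestart" -Wait -PassThru
    # 3010 = success, reboot required
    if ($p.ExitCode -notin 0, 3010) { throw "msiexec exited with $($p.ExitCode) for $Path" }
}

function Install-GalleryModule {
    param([Parameter(Mandatory)][string]$Name)
    if (Get-Module -ListAvailable -Name $Name) { Write-Host "$Name already installed"; return }
    Install-Module -Name $Name -Scope AllUsers -Force -ErrorAction Stop
}

# --- main: the loop only wires the step functions together ---
$params = Get-Parameters -Path $ParamFile
New-Item -ItemType Directory -Path $params.Downloads -Force | Out-Null
foreach ($pkg in $params.Packages) {
    try {
        $file = Get-Package -Package $pkg -Folder $params.Downloads
        Test-Package -Path $file -ExpectedSha256 $pkg.Sha256
        if ($pkg.Type -eq 'msi') { Install-MsiPackage -Path $file }
        Write-Host "Installed $($pkg.Name)"
    } catch {
        Write-Error $_   # report and continue with the next package instead of aborting the run
    }
}
foreach ($m in $params.GalleryModules) {
    try { Install-GalleryModule -Name $m } catch { Write-Error $_ }
}
```

Keeping the hashes in the parameter file rather than in the script is deliberate: the file is what changes when Microsoft ships a new installer, and a hash mismatch then tells you that the download differs from what was reviewed, instead of silently installing whatever the URL currently serves.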
