DFS-R: AD DS – How to troubleshoot missing SYSVOL and Netlogon shares
Powershell: how to get all AD contacts ?
Powershell to the rescue!
With AD cmdlets (2008+):
Get-ADObject -LDAPFilter "(objectClass=contact)"
For more details about Get-ADObject: http://technet.microsoft.com/en-us/library/ee617198.aspx
The Get-ADObject cmdlet with -LDAPFilter "(objectCategory=person)" retrieves all user and contact objects.
The -SearchBase parameter can be used to specify an OU.
With Quest cmdlets for AD:
Get-QADObject -Type 'Contact' -IncludedProperties 'mail'
Get-QADObject -Type 'Contact' | Select Name, PrimarySMTPAddress | Export-Csv contacts.csv
For more details about Get-QADObject: http://en.community.dell.com/techcenter/powergui/f/4833/t/19573655
With Exchange cmdlets:
Use the Get-Contact cmdlet:
Get-Contact -ResultSize Unlimited | Select-Object Name,Phone,Company | Export-Csv contacts.csv
or: Get-Contact | Select Name,WindowsEmailAddress
For a full list of attributes: Get-Contact 'contact name' | fl
For more details about Get-Recipient: http://technet.microsoft.com/en-us/library/aa996921(v=exchg.80).aspx

Exchange Powershell: how to get Distribution groups ?
Azure AD sync, DirSync, FIM, MIM or AD connect ?
Azure AD Sync Services is notable for being Microsoft’s intended replacement tool for the Directory Synchronization (DirSync) tool.
Both tools are used to synchronize (or copy) user identities managed through Active Directory in organizations.
In addition, Microsoft has another way of synchronizing AD identities via its Forefront Identity Manager 2010 R2 Service Pack 1 product.
The next version of this product, to be called “Microsoft Identity Manager,” will be designed specifically to support hybrid cloud
and premises-based deployments with support for Azure AD and multifactor authentication, Microsoft indicated back in April.
At TechEd 2014 in May, Adam Hall, product manager for hybrid identity solutions, suggested in a presentation that this next product release
would simply drop the Forefront brand. Ease of deployment will be another big focus of this next Identity Manager product.
Microsoft plans to release Identity Manager sometime in 2015. It will coexist with Azure AD Sync, according to an explanation from a Microsoft spokesperson:
Microsoft Identity Manager is targeted to complex organizations which have significant requirements for synchronization and provisioning between on-premises applications.
Azure AD Sync is optimized for all organizations to easily on-board to Azure and take advantage of both Microsoft online services such as O365 and a world of connected SaaS applications.
Azure AD Sync Services
Microsoft has made it clear that the newly released Azure AD Sync Services tool will be replacing DirSync in the near future, perhaps by the end of this year.
Azure AD Sync Services is slated to get a number of new capabilities that DirSync and Forefront Identity Manager 2010 R2 won’t get.
It’s not clear when those new capabilities will arrive, but Microsoft has published a table comparing the current and future capabilities of DirSync,
Azure AD Sync and Forefront Identity Manager 2010 R2 at this page.
Azure AD Sync Services can do some things that DirSync can’t. It can synchronize multiforest AD environments. It can sync a small set of user attributes.
It can also map multiple Exchange deployments to a single Azure AD tenant. However, Azure AD Sync Services currently lacks a few of DirSync’s capabilities.
For instance, password hash synchronization is currently not supported in Azure AD Sync Services, although Microsoft plans to add support for it in a future release, according to a Microsoft FAQ.
Microsoft’s proliferation of various AD tool options has been confusing to Microsoft’s customers, as well as internally, according to a blog post by Ryan Sizemore of Microsoft.
He explained that DirSync is based on the Forefront Identity Manager product but DirSync was designed to streamline the setup process for organizations.
It apparently has been difficult to use Forefront Identity Manager to synchronize a premises-based AD with the cloud-based Azure AD.
Azure AD Sync Services, which will succeed DirSync as the next-generation sync tool, also features “a simplified deployment experience,” according to Sizemore.
It’s also considered by Microsoft to be a “next generation synchronization server (to supersede FIM [Forefront Identity Manager]),” he explained.
However, moving from DirSync or Forefront Identity Manager to Azure AD Sync Services apparently is a manual process.
That process is described in this Microsoft Azure library article.
Azure AD Connect
Microsoft also has an Azure AD Connect (AADConnect) solution that acts as a sort of wizard for all of Microsoft's Active Directory products, connecting
premises-based AD with cloud-based Azure AD. The Azure AD Connect solution seems to have evolved from a connector tool designed to facilitate Forefront Identity Manager 2010 R2 synchronization.
Sizemore described Azure AD Connect as a more general-purpose deployment tool that works across all AD technologies.
“AADConnect isn’t a synchronization engine like FIM or AADSync — simply installing AADConnect won’t cause identities to magically begin synchronizing
with AAD,” Sizemore explained. “What [it] does do however is provide an easy-to-understand experience for deploying whatever technologies are required, based on your needed [sic].”
Azure AD Connect was at the preview stage back in August 2014. It downloads all of the software needed to connect premises-based AD to Azure AD.
It installs DirSync and Azure AD Sync Services and sets up password syncing for organizations using Azure AD Federation Services.
Microsoft claims that Azure AD Connect can “configure directory integration in just 3 clicks.”

ADFS performance monitoring
Things to check before troubleshooting ADFS: https://technet.microsoft.com/en-us/library/adfs2-troubleshooting-things-to-check(v=ws.10).aspx
Performance monitoring with perfmon and counters:
- Launch Perfmon.exe from RUN or SEARCH
- Data Collector Sets > User Defined > Right Click > New > Data Collector Set
- Type Friendly Name & Select ‘Create Manually’, Click Next
- Select Performance Counter
- Add the respective counters as per the below list
- Select Directory to Store Performance Files
- Run As Default
- Click Finish
https://technet.microsoft.com/en-us/library/ff627833(v=ws.10).aspx
http://www.edutech.me.uk/ad-fs/adfs-performance-statistics-nlb-requirements/ (Perfmon templates for ADFS can be downloaded from this page)

Configuring ADFS and Cisco MeetingCenter
The best article I found, I confirm the settings (put in place by myself too): https://digitalglue.wordpress.com/2014/02/11/configuring-cisco-webex-meeting-server-to-work-with-adfs-2-0/
Troubleshooting tools/techniques:
Web article: http://msinnovations.wordpress.com/2011/05/24/using-fiddler-to-trace-a-saml-idp-request-from-adfs-2-0/
Web sites to decode a base64 SAMLResponse:
URL decoder tool: http://meyerweb.com/eric/tools/dencoder/
BASE 64 decoder tool: http://www.opinionatedgeek.com/dotnet/tools/base64decode/
Understanding SAML: http://en.wikipedia.org/wiki/Security_Assertion_Markup_Language
Cisco Webex, SSO troubleshooting: http://www.cisco.com/c/en/us/td/docs/collaboration/CWMS/1_1/b_troubleshootingGuide/b_troubleshootingGuide_chapter_01001.html
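Added example (not from the original post or the linked articles): a PowerShell function that performs the URL-decode and base64-decode steps the web tools above do, then prints the assertion fields worth checking against the WebEx settings (issuer, NameID, audience, validity window, whether a signature is present). The SAMLResponse it decodes is a constructed, unsigned sample, and the example.local names are assumptions.

```powershell
# Decode a SAMLResponse captured with Fiddler (URL-encoded, then base64) and show the
# fields that matter when troubleshooting ADFS -> WebEx SSO. Sample data is constructed.
Add-Type -AssemblyName System.Web

function ConvertFrom-SamlResponse {
    param([Parameter(Mandatory)][string]$Encoded)

    # Step 1: undo the form/URL encoding applied by the HTTP POST binding.
    $b64 = [System.Web.HttpUtility]::UrlDecode($Encoded)
    # Step 2: undo base64 to get the raw XML.
    $xml = [System.Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($b64))

    $doc = New-Object System.Xml.XmlDocument
    $doc.LoadXml($xml)
    $ns = New-Object System.Xml.XmlNamespaceManager($doc.NameTable)
    $ns.AddNamespace('samlp', 'urn:oasis:names:tc:SAML:2.0:protocol')
    $ns.AddNamespace('saml',  'urn:oasis:names:tc:SAML:2.0:assertion')
    $ns.AddNamespace('ds',    'http://www.w3.org/2000/09/xmldsig#')

    $cond = $doc.SelectSingleNode('//saml:Assertion/saml:Conditions', $ns)
    [pscustomobject]@{
        Issuer       = $doc.SelectSingleNode('//saml:Issuer', $ns).InnerText
        Status       = $doc.SelectSingleNode('//samlp:Status/samlp:StatusCode', $ns).GetAttribute('Value')
        NameID       = $doc.SelectSingleNode('//saml:Subject/saml:NameID', $ns).InnerText
        Audience     = $doc.SelectSingleNode('//saml:Conditions//saml:Audience', $ns).InnerText
        NotBefore    = [datetime]$cond.GetAttribute('NotBefore')
        NotOnOrAfter = [datetime]$cond.GetAttribute('NotOnOrAfter')
        # A real ADFS response carries a ds:Signature; the relying party rejects it otherwise.
        Signed       = $null -ne $doc.SelectSingleNode('//ds:Signature', $ns)
        Attributes   = @($doc.SelectNodes('//saml:Attribute', $ns) | ForEach-Object {
                           '{0}={1}' -f $_.GetAttribute('Name'), $_.InnerText })
    }
}

# Constructed sample response (not a real capture), encoded the way a browser POST would send it.
$sampleXml = @'
<samlp:Response xmlns:samlp="urn:oasis:names:tc:SAML:2.0:protocol" xmlns:saml="urn:oasis:names:tc:SAML:2.0:assertion" ID="_r1" Version="2.0" IssueInstant="2014-02-11T10:00:00Z">
  <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
  <samlp:Status><samlp:StatusCode Value="urn:oasis:names:tc:SAML:2.0:status:Success"/></samlp:Status>
  <saml:Assertion ID="_a1" Version="2.0" IssueInstant="2014-02-11T10:00:00Z">
    <saml:Issuer>http://adfs.example.local/adfs/services/trust</saml:Issuer>
    <saml:Subject><saml:NameID>jdoe@example.local</saml:NameID></saml:Subject>
    <saml:Conditions NotBefore="2014-02-11T09:59:00Z" NotOnOrAfter="2014-02-11T11:00:00Z">
      <saml:AudienceRestriction><saml:Audience>https://webex.example.local</saml:Audience></saml:AudienceRestriction>
    </saml:Conditions>
    <saml:AttributeStatement>
      <saml:Attribute Name="uid"><saml:AttributeValue>jdoe</saml:AttributeValue></saml:Attribute>
    </saml:AttributeStatement>
  </saml:Assertion>
</samlp:Response>
'@
$encoded = [System.Web.HttpUtility]::UrlEncode([Convert]::ToBase64String([System.Text.Encoding]::UTF8.GetBytes($sampleXml)))

ConvertFrom-SamlResponse -Encoded $encoded | Format-List
```

Paste the SAMLResponse value from the Fiddler trace in place of `$encoded` to inspect a real exchange; a NotOnOrAfter in the past or an Audience that does not match the WebEx site URL is the usual cause of a rejected login.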

Monitoring ADFS using Azure AD connect health
Monitoring ADFS using AAD connect health a new Azure service:
http://www.alexgiraud.net/blog/Lists/Billets/Post.aspx?ID=322

How to uninstall AAD Connect preview?
The AAD Connect preview has a bug and cannot be entirely removed from your computer:
Follow the instructions here (FR) – I experienced this problem today and I confirm the procedure below works well:
http://www.maximerastello.com/desinstaller-correctement-azure-ad-connect-preview

AADSync resources
AADSync, or the Azure AD Synchronization tool, is used as a standalone product or, more recently, packaged with AADConnect (Azure AD Connect).
Behind the scenes, AADSync is based on the synchronization engine of FIM (Forefront Identity Manager, from MS).
Here is a list of tips and tricks for using the AADSync tool:
AADSync technet ref: https://msdn.microsoft.com/en-us/library/azure/dn790204.aspx
AADSync blog: http://blogs.technet.com/b/aadsyncsupport/
The command-line client is DirectorySyncClientCmd.exe; it can be found in the C:\Program Files\Microsoft Azure AD Sync\Bin folder if you are using the default installation path.
To force a full synchronization (after modifying connectors and filtering): DirectorySyncClientCmd.exe initial
This will run through the steps to execute the initial synchronization to the cloud.
Executes the following:
- Full Import (Stage Only) on all connectors
- Delta Import (Stage Only) on all connectors
- Delta Synchronization on all AD connectors
- Export, Delta Import and Delta Synchronization on WAAD Connector
- Export on all AD Connectors
To force a delta synchronization: DirectorySyncClientCmd.exe delta
This will run through the steps to execute a delta synchronization to the cloud.
Executes the following:
- Delta Import (Stage Only) on all connectors
- Delta Synchronization on all AD connectors
- Export, Delta Import and Delta Synchronization on WAAD Connector
- Export on all AD Connectors
How to backup the backend SQL DB on LocalDB: http://blogs.technet.com/b/aadsyncsupport/archive/2014/07/28/reference-how-to-backup-the-backend-sql-db-on-localdb.aspx
Multi-Forest AD Synchronization and Attribute Filtering: http://jesperstahle.azurewebsites.net/?p=1542

Penetration testing resources
Hi,
Here is a list of web resources about penetration testing (pentest) and forensics techniques:
Definitions: http://en.wikipedia.org/wiki/Penetration_test ; http://en.wikipedia.org/wiki/Computer_forensics
Tools and techniques:
– Penetration toolkit for Windows: http://pentestlab.wordpress.com/2013/01/07/windows-tools-for-penetration-testing/
– Penetration toolkit from Erdal Ozkaya: http://www.erdalozkaya.com/index.php/security/83-penetration-testing-framework-0-58
– http://pentestlab.wordpress.com/
– http://www.backtrack-linux.org/ ; http://fr.wikipedia.org/wiki/BackTrack ; http://backtrack-fr.net/
– http://www.ampliasecurity.com (with the famous wce) , http://oss.coresecurity.com/projects/pshtoolkit.html
– guides:
http://www.bleepingcomputer.com/tutorials/have-i-been-hacked/
http://csrc.nist.gov/publications/nistpubs/800-115/SP800-115.pdf
http://www.us-cert.gov/reading_room/forensics.pdf
– library: http://ed-diamond.com/

AADConnect preview and password synchronization
Hi,
Let me share my experience of the AADConnect synchronization tool (preview) … this product will replace DirSync/AADSync soon.
When you install and use the AADConnect tool, don't be surprised if no user passwords are synchronized to Azure AD !!!!
First,
the source connector must use a valid on-premises AD technical account with rights to read users' passwords (a member of the default administrators group)
Secondly,
add this technical account as a member of the local ADSyncPassword group (empty by default!)
then
restart the Azure AD Connect synchronization service!
How to check if users' passwords have been synchronized?
=> Check if EVENT ID 657 exists in the Application event log
=> Test a login with a standard synchronized account using IE on the portal: http://manage.windowsazure.com.

AD CS (PKI) Migration to 2012 R2
Here are resources and comments about ADCS migration to 2012 R2:
Export/Import certificate templates using Powershell:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=105
Export/Import certificate templates using ldifde:
ldifde -m -v -d cn=%mytemplate%,%LDAP% -f %mytemplate%.ldf
The most important part of this command is the -m switch, which results in a "forest free" ldf output.
For import you should use the similar command:
ldifde -i -k -f %mytemplate%.ldf
And this should work from the beginning, starting with the Windows 2000 version.
Is it possible for an old PKI hierarchy and a new PKI to coexist in the same forest?
"Yes, you can have multiple root CAs and even multiple PKIs in a single Active Directory forest. Because of the way the objects representing those CAs are named and stored, you couldn't possibly experience a conflict unless you tried to give more than one CA the same CA name."
Why? USE CASE: the old 2008 R2 AD CS SHA1 hierarchy and the new SHA256 hierarchy running AD CS 2012 R2, side by side.
Multiple PKI Hierarchies in the Same Environment:
http://www.postseek.com/meta/fe2eee95f5a00bd80ab13f9627e2813b

DFS dirty-shutdown stopping DFS replication
DFS dirty-shutdown stopping DFS replication: DFSR event ID 2213 in Windows Server 2008 R2 or Windows Server 2012:
https://support.microsoft.com/fr-fr/kb/2846759
How to disable the Stop Replication functionality in AutoRecovery
To have DFSR perform AutoRecovery when a dirty database shutdown is detected, edit the following registry value after hotfix 2780453
is installed in Windows Server 2008 R2. You can deploy this change on all versions of Windows Server 2012. If the value does not exist, you must create it.
Value: StopReplicationOnAutoRecovery
Type: Dword
Data: 0
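Added example, not from the original post: a script that reports whether a dirty-shutdown event 2213 has been logged on this server, shows the current StopReplicationOnAutoRecovery setting, and only with an explicit switch sets it to 0 as described above. It assumes the key path HKLM\SYSTEM\CurrentControlSet\Services\DFSR\Parameters, which the page does not give (it is the key the linked KB article refers to).

```powershell
# Detect DFSR dirty-shutdown events (2213) and report or fix the AutoRecovery registry value.
# Assumption: the value lives under the DFSR service Parameters key (path not stated on the page).
param([switch]$EnableAutoRecovery)   # without the switch the script only reports

$key  = 'HKLM:\SYSTEM\CurrentControlSet\Services\DFSR\Parameters'
$name = 'StopReplicationOnAutoRecovery'

# 1. Detection: a 2213 event means a volume's DFSR database was shut down dirty and, with the
#    default setting, replication on that volume stays stopped until an admin resumes it.
$events = Get-WinEvent -FilterHashtable @{ LogName = 'DFS Replication'; Id = 2213 } -ErrorAction SilentlyContinue
if ($events) {
    Write-Warning ('{0} dirty-shutdown event(s) found, latest at {1}' -f @($events).Count, @($events)[0].TimeCreated)
} else {
    Write-Host 'No DFSR event 2213 recorded on this server.'
}

# 2. Current setting: missing or 1 = replication stops after a dirty shutdown; 0 = AutoRecovery runs.
$current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
if ($null -eq $current) {
    Write-Host "$name does not exist (default: replication stops after a dirty shutdown)."
} else {
    Write-Host "$name = $current"
}

# 3. Mitigation (opt-in): create or set the DWORD to 0 so DFSR performs AutoRecovery itself.
if ($EnableAutoRecovery -and $current -ne 0) {
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 0 -Force | Out-Null
    Write-Host "$name set to 0."
}
```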

AD CS (PKI) Export/Import certificate templates
Export/Import certificate templates using Powershell:
http://en-us.sysadmins.lv/Lists/Posts/Post.aspx?List=332991f0-bfed-4143-9eea-f521167d287c&ID=105
Export/Import certificate templates using ldifde:
ldifde -m -v -d cn=%mytemplate%,%LDAP% -f %mytemplate%.ldf
The most important part of this command is the -m switch, which results in a "forest free" ldf output.
For import you should use the similar command:
ldifde -i -k -f %mytemplate%.ldf
And this should work from the beginning, starting with the Windows 2000 version.

AD CS (PKI) upgrading issuing CA to SHA256
As of November 11, 2013, Microsoft issued the Windows Root Certificate Program – Technical Requirements version 2.0, which contains the SHA1 Deprecation Policy. It says that (ref: https://www.comodo.com/e-commerce/SHA-2-transition.php):
- CAs must stop issuing new SHA1 SSL and Code Signing certificates by 1 January 2016.
- For SSL certificates, Windows will stop accepting SHA1 certificates by 1 January 2017. This means any SHA1 SSL certificates issued before or after this announcement must be replaced with a SHA2 equivalent by 1 January 2017.
- For code signing certificates, Windows will stop accepting SHA1 signed code and SHA1 certificates that are time stamped after 1 January 2016. SHA1 signed code time stamped by an RFC 3161 Time Stamp Authority before 1 January 2016 will be accepted until such time when Microsoft decides SHA1 is vulnerable to pre-image attack.
- The Program will no longer accept for distribution new root certificates with code signing use supporting SHA1 or RSA 2048. New code signing root certificates must support SHA2 and RSA 4096.
To upgrade the issuing CA, execute the following commands from an elevated command shell:
certutil -setreg ca\csp\CNGHashAlgorithm SHA256
net stop certsvc && net start certsvc
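Added example, not from the original post: a check to run on the issuing CA after the two commands above, which reads back the CNGHashAlgorithm value, shows the signature algorithm of the CA's own certificate (it stays SHA1 until that certificate is renewed, which is separate work) and lists certificates in the local machine store issued by this CA with their signature algorithm. The scratch file path under $env:TEMP is an assumption.

```powershell
# Verify the hash algorithm an AD CS issuing CA uses after the certutil change.
# Run in an elevated PowerShell session on the CA server.

function Get-CaSigningHash {
    # certutil -getreg prints the value as a line such as "  CNGHashAlgorithm REG_SZ = SHA256"
    $out = (certutil -getreg ca\csp\CNGHashAlgorithm 2>&1) -join "`n"
    if ($out -match 'CNGHashAlgorithm\s+REG_SZ\s*=\s*(\S+)') { return $Matches[1] }
    throw "Could not read CNGHashAlgorithm from certutil output:`n$out"
}

function Get-CertSignatureAlgorithm([string]$Path) {
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $Path
    return $cert.SignatureAlgorithm.FriendlyName     # e.g. sha256RSA or sha1RSA
}

# 1. What the CA signs new certificates with from now on.
$hash = Get-CaSigningHash
if ($hash -eq 'SHA256') { Write-Host "CA signing hash: $hash" }
else { Write-Warning "CA still signs with $hash; re-run certutil -setreg and restart certsvc" }

# 2. The CA certificate itself keeps the signature it was issued with: right after the change
#    it still shows sha1RSA, and only renewing the CA certificate changes that.
$caCer = Join-Path $env:TEMP 'ca.cer'     # assumed scratch path
certutil -ca.cert $caCer | Out-Null
Write-Host "CA certificate signature: $(Get-CertSignatureAlgorithm $caCer)"

# 3. Certificates in the local machine store issued by this CA; anything with a NotBefore
#    after the change should show sha256RSA.
$caSubject = (New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $caCer).Subject
Get-ChildItem Cert:\LocalMachine\My |
    Where-Object { $_.Issuer -eq $caSubject } |
    Select-Object Subject, NotBefore, @{ n = 'Signature'; e = { $_.SignatureAlgorithm.FriendlyName } } |
    Sort-Object NotBefore -Descending | Format-Table -AutoSize
```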

How to install Windows feature using Powershell?
How to list and install Windows features from Powershell?
Import-Module servermanager
Get-WindowsFeature | Where-Object {$_.installed} | Format-Table -AutoSize
Get-WindowsFeature | Where-Object {$_.Installed -match "True"} | Select-Object -Property Name
Get-WindowsFeature | Where-Object {$_.Installed -match "True"} | Select-Object -Property Name | Out-File d:\Temp\Features.txt
To install the features:
Add-WindowsFeature NetFx2-ServerCore
Add-WindowsFeature NetFx2-ServerCore-WOW64
Add-WindowsFeature NetFx3-ServerCore
Add-WindowsFeature NetFx3-ServerCore-WOW64
…
To automate a little bit more:
On the source server (master):
Get-WindowsFeature | Where-Object { $_.Installed } | Where-Object { $_.SubFeatures.Count -eq 0 } | Export-Clixml d:\temp\features.xml
Copy-Item d:\temp\features.xml \\remoteserver\d$\temp
On the remote server (target):
$file = Import-Clixml d:\temp\features.xml
$file | Add-WindowsFeature
Restart-Computer

How to update group membership without logoff / logon /restart
To purge tickets of the local system account: Start a cmd or PoSH session with elevated privileges: klist -li 0:0x3e7 purge
klist is a tool that has been included by default since Vista/Server 2008.
If you have a Windows 2003 Server / XP then you’re required to download klist here:
http://www.microsoft.com/downloads/details.aspx?familyid=9d467a69-57ff-4ae7-96ee-b18c4790cffd&displaylang=en

Several methods to retrieve group membership for users and groups
Several methods to retrieve group membership for user and group:
Using Powershell:
============
Using powershell – for a user samaccountname:
Import-Module ActiveDirectory
(Get-ADUser <samaccountname> -Properties MemberOf | Select-Object MemberOf).MemberOf          # list of groups the user belongs to
(Get-ADUser <samaccountname> -Properties MemberOf | Select-Object MemberOf).MemberOf.Count    # number of groups the user belongs to
Other useful powershell cmdlet:
Get-ADPrincipalGroupMembership <samaccountname>
(Get-ADPrincipalGroupMembership <samaccountname>).Count
Using powershell – for a Group samaccountname:
Import-Module ActiveDirectory
(Get-ADGroup "domain users" -Properties MemberOf | Select-Object MemberOf).MemberOf           # list of groups the "domain users" group belongs to
(Get-ADGroup "domain users" -Properties MemberOf | Select-Object MemberOf).MemberOf.Count     # number of groups the "domain users" group belongs to
Using powershell with Quest cmdlets for AD – for a user samaccountname:
Add-PSSnapin Quest.ActiveRoles.ADManagement
(Get-QADGroup -ContainsMember <samaccountname>)                 # list of groups the user belongs to
(Get-QADGroup -ContainsMember <samaccountname>).Count           # number of groups the user belongs to
(Get-QADGroup -ContainsIndirectMember <samaccountname>)         # list of all groups the user belongs to, nested groups included
(Get-QADGroup -ContainsIndirectMember <samaccountname>).Count   # number of groups the user belongs to, nested groups included
Using powershell with Quest cmdlets for AD – for a group samaccountname:
Add-PSSnapin Quest.ActiveRoles.ADManagement
(Get-QADGroupMember 'administrators')                  # list the members of the administrators group
(Get-QADGroupMember 'administrators').Count            # count the members
(Get-QADGroupMember 'administrators' -Indirect)        # list the members, including members of nested groups!
(Get-QADGroupMember 'administrators' -Indirect).Count  # count the full membership, nested groups included!
Using dsquery/dsget:
===============
To display only the MemberOf of a group (list of groups the "domain users" group belongs to):
dsquery group -name "domain users" -d AMAIISDOM | dsget group -memberof
To display only the MemberOf of a user (list of groups the user belongs to):
dsquery user -samid <samaccountname> | dsget user -memberof | dsget group -samid
WARNING: this command does not list recursive groups! Add -expand to include them:
dsquery user -samid <samaccountname> | dsget user -memberof -expand | dsget group -samid
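Added example, not from the original post: an AD-module function that returns every group a user (or group) belongs to, marking each as direct or nested, in one LDAP query using the LDAP_MATCHING_RULE_IN_CHAIN rule, so it covers the recursive case the dsget warning above points at. It also returns the primary group, which the memberOf-based methods above never show. The jdoe account name and the AMAIISDOM server value in the comments are assumptions.

```powershell
# Nested group membership with the AD module, equivalent to dsget -expand / Quest -ContainsIndirectMember.
Import-Module ActiveDirectory

function ConvertTo-LdapFilterValue([string]$Value) {
    # RFC 4515 escaping so a DN containing \ ( ) or * cannot break (or widen) the filter
    $Value -replace '\\', '\5c' -replace '\(', '\28' -replace '\)', '\29' -replace '\*', '\2a'
}

function Get-NestedGroupMembership {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # a user or a group
        [string]$Server                                   # optional DC or domain, e.g. AMAIISDOM
    )
    $common = @{}
    if ($Server) { $common.Server = $Server }

    $p = Get-ADObject -LDAPFilter "(sAMAccountName=$(ConvertTo-LdapFilterValue $SamAccountName))" `
                      -Properties primaryGroupID, objectSid @common
    if (-not $p) { throw "No object with sAMAccountName '$SamAccountName'" }
    $dn = ConvertTo-LdapFilterValue $p.DistinguishedName

    # Direct membership: what memberOf / dsget -memberof shows.
    $direct = @(Get-ADGroup -LDAPFilter "(member=$dn)" @common)
    # Direct + nested in a single query: the DC walks the member chain (OID 1.2.840.113556.1.4.1941).
    $all    = @(Get-ADGroup -LDAPFilter "(member:1.2.840.113556.1.4.1941:=$dn)" @common)

    foreach ($g in $all) {
        $kind = 'Nested'
        if ($direct.DistinguishedName -contains $g.DistinguishedName) { $kind = 'Direct' }
        [pscustomobject]@{ Group = $g.SamAccountName; Scope = $g.GroupScope; Membership = $kind }
    }

    # The primary group (normally Domain Users) is linked through primaryGroupID, not the member
    # attribute, so neither query above returns it; resolve it from the domain SID plus the RID.
    if ($p.primaryGroupID) {
        $sid = '{0}-{1}' -f $p.objectSid.AccountDomainSid.Value, $p.primaryGroupID
        $pg  = Get-ADGroup -Identity $sid @common
        [pscustomobject]@{ Group = $pg.SamAccountName; Scope = $pg.GroupScope; Membership = 'Primary' }
    }
}

# Usage (jdoe is an assumed account name)
Get-NestedGroupMembership -SamAccountName jdoe | Format-Table -AutoSize
```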

List new AD user/group created one month ago or today
For user objects:
# Let's see all the new user accounts created in the last 30 days
$When = ((Get-Date).AddDays(-30)).Date
Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated
Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated | select samaccountname,whencreated | ft -autosize
# Let's see all the new user accounts created today (since midnight)
$When = ((Get-Date)).Date
Get-ADUser -Filter {whenCreated -ge $When} -Properties whenCreated | select samaccountname,whencreated | ft -autosize
For computer objects:
# Let's see all the new computers created in the last 30 days
$When = ((Get-Date).AddDays(-30)).Date
Get-ADComputer -Filter {whenCreated -ge $When} -Properties whenCreated
With Quest cmdlets for AD:
# Let's see all the new user accounts created today
$When = ((Get-Date)).Date
Get-QADUser -CreatedOn $When | select samaccountname,whencreated | ft -autosize
# Let's see all the new user accounts created since the 1st of the month
Get-QADUser -CreatedAfter "April 1, 2009"
# Can narrow it down to a specific OU to exclude service accounts
Get-QADUser -CreatedAfter "April 1, 2009" -SearchRoot mydomain.local/employees
# Same thing for groups, computers, OUs, or any AD objects
Get-QADComputer -CreatedAfter "April 1, 2009"
Get-QADGroup -CreatedAfter "April 1, 2009"
# Did we hire anyone today?
Get-QADUser -CreatedOn "April 17, 2009"
# Let's see if we have anyone who has been with the company for more than 10 years ;)
Get-QADUser -CreatedBefore (Get-Date).AddYears(-10) -SearchRoot d.local/emp -Enabled
# Let's count how many employees we were hiring monthly
for ($d = Get-Date "January 1, 2008"; $d -le (Get-Date); $d = $d.AddMonths(1)) { "$($d.ToShortDateString()) to $($d.AddMonths(1).ToShortDateString()):"; (Get-QADUser -CreatedAfter $d -CreatedBefore $d.AddMonths(1)).Count }
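Added example, not from the original post: the one-liners above generalised into two AD-module functions, one that reports users, computers and groups created since a date (optionally under one OU) and one that reproduces the monthly count loop without the Quest snap-in. The OU distinguished name in the comments is a placeholder.

```powershell
# Newly created AD objects by class and date, with the ActiveDirectory module.
Import-Module ActiveDirectory

function Get-NewAdObjects {
    param(
        [datetime]$Since = (Get-Date).AddDays(-30).Date,
        [string]$SearchBase,                                   # e.g. 'OU=Employees,DC=mydomain,DC=local' (placeholder)
        [ValidateSet('user','computer','group')][string[]]$Class = @('user','computer','group')
    )
    # whenCreated/whenChanged are generalized-time attributes; the -Filter script block compares
    # them directly, exactly as the $When examples above do.
    $p = @{ Filter = { whenCreated -ge $Since }; Properties = 'whenCreated', 'whenChanged' }
    if ($SearchBase) { $p.SearchBase = $SearchBase }

    foreach ($c in $Class) {
        $objects = switch ($c) {
            'user'     { Get-ADUser @p }
            'computer' { Get-ADComputer @p }
            'group'    { Get-ADGroup @p }
        }
        foreach ($o in $objects) {
            [pscustomobject]@{
                Class          = $c
                SamAccountName = $o.SamAccountName
                Created        = $o.whenCreated
                LastChanged    = $o.whenChanged
                DN             = $o.DistinguishedName
            }
        }
    }
}

function Get-MonthlyUserCreationCount {
    # Same idea as the Quest for-loop above: one row per calendar month from $Start until now.
    param([Parameter(Mandatory)][datetime]$Start, [string]$SearchBase)
    $p = @{ Properties = 'whenCreated' }
    if ($SearchBase) { $p.SearchBase = $SearchBase }
    for ($d = $Start.Date; $d -le (Get-Date); $d = $d.AddMonths(1)) {
        $end = $d.AddMonths(1)
        $n = @(Get-ADUser -Filter { whenCreated -ge $d -and whenCreated -lt $end } @p).Count
        [pscustomobject]@{ From = $d.ToShortDateString(); To = $end.ToShortDateString(); Created = $n }
    }
}

# Usage
Get-NewAdObjects -Since (Get-Date).AddDays(-7) | Sort-Object Created -Descending | Format-Table -AutoSize
Get-MonthlyUserCreationCount -Start (Get-Date 'January 1, 2008') | Format-Table -AutoSize
```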

How to Backup and Restore Windows DNS
To backup the DNS server properties:
Open the registry, and go to HKLM\System\CurrentControlSet\Services\DNS\Parameters
Save the content in a .reg file called .\dnssettings.reg
To restore, clean up the .reg file using notepad and restore it using regedit /s .\dnssettings.reg
Now, to back up and restore the DNS zones:
If you do not use Active Directory-integrated DNS, you must explicitly back up the zone files.
See here about backing up DNS:
http://support.microsoft.com/kb/304489
http://technet.microsoft.com/en-us/library/cc738755(WS.10).aspx
Additionally, a PowerShell module for DNS: http://dnsshell.codeplex.com
Using dnscmd:
===========================
Backup an AD integrated DNS zone:
dnscmd /zoneexport "zone name" "zone file name"
For example: dnscmd /zoneexport test.local test.local.bak
The file is automatically created and stored in the %windir%\System32\DNS folder. It can be copied to a more secure location if needed by the administrator.
Restore an AD integrated DNS zone:
The administrator can restore an earlier version of the DNS zone from backup at any time. The following steps outline the process to restore an AD integrated DNS zone from backup in Windows Server 2008.
Rename the backup file extension to .dns.
For example: test.local.bak to test.local.dns
Now, type the below command in the command prompt.
dnscmd /zoneadd "zone name" /primary /file "zone name file" /load
For example: dnscmd /zoneadd test.local /primary /file test.local.dns /load. This will add the zone to DNS.
Next, type the below command in the command prompt.
dnscmd /zoneresettype “zone name” /dsprimary
For example: dnscmd /zoneresettype test.local /dsprimary. This will reset the zone to an Active Directory integrated primary DNS zone.
In case of zone corruption, perform the below step to delete the current zone before restoring the zone from backup as indicated above.
Open an elevated command prompt (right click on command prompt and select "run as administrator"), type the following command and press enter.
dnscmd /zonedelete “zone name” /dsdel /f
For example: dnscmd /zonedelete test.local /dsdel /f
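Added example, not from the original post: a script that automates the two backup steps above (export of the DNS\Parameters registry key plus dnscmd /zoneexport for every AD-integrated primary zone) into a dated folder. The D:\DnsBackup target and the dnscmd /enumzones output layout parsed in step 2 are assumptions.

```powershell
# Back up DNS server settings and all AD-integrated primary zones with reg export and dnscmd.
param([string]$Destination = 'D:\DnsBackup')   # assumed target folder

$target = Join-Path $Destination (Get-Date -Format 'yyyyMMdd-HHmm')
New-Item -ItemType Directory -Path $target -Force | Out-Null

# 1. Server properties: the registry key named above, exported instead of saved by hand.
reg export HKLM\System\CurrentControlSet\Services\DNS\Parameters (Join-Path $target 'dnssettings.reg') /y | Out-Null

# 2. Zone list. Assumed layout: dnscmd /enumzones prints a header, then one row per zone such as
#      " contoso.com    Primary    AD-Domain    Secure"
#    Keep primary zones stored in AD; the cache zone "." is not Primary and TrustAnchors is skipped.
$zones = dnscmd /enumzones | ForEach-Object {
    if ($_ -match '^\s*(\S+)\s+Primary\s+AD-' -and $Matches[1] -ne 'TrustAnchors') { $Matches[1] }
}

# 3. Export each zone. dnscmd writes the file under %windir%\System32\dns and refuses to overwrite
#    an existing file, so clear any leftover first, then move the export next to the .reg file.
$dnsDir = Join-Path $env:windir 'System32\dns'
foreach ($z in $zones) {
    $file = "$z.bak"
    $src  = Join-Path $dnsDir $file
    if (Test-Path $src) { Remove-Item $src -Force }
    dnscmd /zoneexport $z $file | Out-Null
    if (Test-Path $src) {
        Move-Item $src (Join-Path $target $file) -Force
        Write-Host "Exported $z"
    } else {
        Write-Warning "No export produced for $z (run 'dnscmd /zoneexport $z $file' by hand to see the error)"
    }
}
Write-Host "Backup written to $target; restore a zone with the dnscmd /zoneadd ... /load steps above."
```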
