Monday, 21 September 2015

#SCCM 2012R2 - Determine SCCM 2012 CU version

1. Launch Registry Editor and navigate to HKLM\Software\Microsoft\SMS\Setup.
2. In the right panel, check CULevel.

Or use PowerShell:
  • Get-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\SMS\Setup -Name "CULevel"

A CULevel value of 0 means no CU is installed.

#SCCM 2012R2 - Software Update Point unable to connect WSUS

Error: System.Net.WebException: The request failed with HTTP status 404: Not Found.~~   at Microsoft.UpdateServices.Administration.AdminProxy.CreateUpdateServer(Object[] args)~~   at Microsoft.SystemsManagementServer.WSUS.WSUSServer.ConnectToWSUSServer(String ServerName, Boolean UseSSL, Int32 PortNumber)

Event ID: 6703

1. Verify that the WsusPool is started (under Application Pools).

2. Verify that the WSUS port number is correct.
Default port for WSUS on Windows 2012: 8530
Default port for WSUS on Windows 2008: 80

Tuesday, 15 September 2015

#Exchange 2013 - Exchange server exist in AD schema

Error: The Exchange Server is in an inconsistent state. Only disaster recovery mode is available. Please use Setup /,:RecoveryServer to recover this Exchange server.

1. Log in to AD. Open ADSI Edit and connect to the Configuration naming context.

2. Navigate to Configuration[Domain name] --> CN=Configuration,DC=Domain name,DC=Domain name --> CN=services --> CN=Microsoft Exchange --> CN=Domain name --> CN=Administrative Groups --> CN=Exchange Administrative Group --> CN=Servers.
3. Delete the Exchange server that shows the error above. (Example: CN=DO-EXCH)

Thursday, 10 September 2015

#Web application proxy - ADFS Proxy unable to connect second ADFS Proxy server

Entering credentials for the ADFS proxy fails.

Ensure that remote management is enabled on the selected server, and then enter the name and password of an account that has administrator rights on that server. For example, or domain\user name.  


1. Add the second proxy server to the first proxy server in Server Manager.
Follow here 

Monday, 7 September 2015

#O365 - Mailbox can't be created on portal

Warning - This user's on-premises mailbox hasn't been migrated to Exchange Online. The Exchange Online mailbox will be available after migration is completed. 

Cause: The user has an on-premises Exchange mailbox and/or the mailbox has not been migrated to the cloud.


Hybrid mode migration

1. Migrate the mailbox from on-premises to the cloud.

Direct cut over mode (greenfield)

Delete the user from O365.

1. Move the user out of the sync OU to a non-sync OU in Active Directory Users and Computers.
2. Resync DirSync.
3. Make sure the user shows under Deleted Users.
7. Force clear the deleted users on O365.
    Refer to this link.

8. Make sure the user under Deleted Users was deleted.

Remove the synchronization of the user attribute to Office 365

1. Open Synchronization Service Manager (miisclient.exe).
2. Click on the Management Agents tab, right-click Windows Azure Active Directory Connector, and select Properties.
3. Click on Configure Attribute Flow.
4. Expand Object Type: User and Object Type: Group, then search for and locate msExchMailboxGuid.
5. Select the mapping and delete it.
6. Select Select Attributes, then search for and uncheck msExchMailboxGuid.

7. Click OK to save the changes.
8. Repeat steps 3-7 for the Active Directory Connector Agent. (For step 4, expand Object Type: User, Object Type: Group and Object Type: inetOrgPerson, then search for and locate msExchMailboxGuid.)
9. Move the user back from the non-sync OU to the sync OU.
10. Resync DirSync.

If the mailbox cannot be created for any user, you might need to remove all the users from Deleted Users, and then resync all the users again from the on-premises AD.

#Hyper-V - Windows 7/8/10 unable to remove Hyper-V

Cannot uninstall Hyper-V from Windows 7/8/10
Cannot uninstall Hyper-V services


1. After removing Hyper-V from Programs and Features and restarting the computer, Windows rolls back the change.


1. Reinstall and repair Windows.
2. Select Upgrade Install Windows and keep files, settings and applications.
3. This step won't lose any data, applications or settings.
4. Follow the instructions. The steps differ between Windows versions.
5. Usually the steps will ask you to log in to Windows and run the Windows setup CD.
6. After the reinstall/repair of Windows is complete, remove the Hyper-V services.

#O365 - Change User Primary SMTP Email Address with Dirsync

Error: The operation on mailbox "Username" failed because it's out of the current user's write scope. The action 'Set-Mailbox', 'EmailAddresses', can't be performed on this object "Username" because the object is being synchronized from your on-premises organization. This action should be performed on the object in your on-premises organization.

Solution 1:

1. Run Windows Azure Active Directory Module for Windows PowerShell as administrator.
2. To set the execution policy to RemoteSigned, type

  • Set-ExecutionPolicy RemoteSigned
3. To store the admin credential, type

  • $MSCred = Get-Credential
(Enter the O365 admin user and password when prompted)

4. To open a connection to the O365 server, type

  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <Exchange Online PowerShell connection URI> -Credential $MSCred -Authentication Basic -AllowRedirection
5. To enter the Exchange PowerShell session, type

  • Import-PSSession $Session

6. To change the user's primary SMTP email address, type

  • Set-Mailbox -Identity <user> -WindowsEmailAddress <new primary SMTP address>
7. To exit the Exchange PowerShell session, type

  • Remove-PSSession $Session
Reference: link

Solution 2:
(Edit AD user attribute)

1. Open Active Directory Users and Computers. Search for the user whose primary SMTP email address you want to change.
2. Open the user properties and select Attribute Editor. (If Attribute Editor does not exist, enable Advanced Features under the Active Directory Users and Computers View menu and/or open the user properties from the actual directory location, not from the search box.)
3. Look for ProxyAddresses, and edit it.

4. If no SMTP value exists, enter the value as: (with SMTP in upper case)

For example:

    If an SMTP value exists, remove the existing SMTP value, and enter the value as: (with SMTP in lower case)

For example:

5. Click Add, and then apply the setting.

6. Resync the DirSync server.

Wednesday, 2 September 2015

#GPO - Missing "Internet Explorer Maintenance" Windows Server 2012/2012 R2

Missing GPO IE Maintenance after restart.
Missing GPO IE Maintenance after upgrade IE8
Missing GPO IE Maintenance after upgrade AD
Missing GPO IE Maintenance 2012/ 2012 R2

Solution 1

  1. If AD runs on Windows Server 2008/2008 R2, uninstall IE (9, 10, 11) to go back to IE 8.

Solution 2

Use another Server 2008 R2 machine with IE8, or a Windows 7 machine with IE8, to manage GPO.

Server 2008 R2
  1. Add the server feature Group Policy Management.
  2. Launch Group Policy Management and connect to the domain with domain admin rights.

  3. Enter your domain name.
  4. Now Internet Explorer Maintenance is back.
Windows 7 

Refer to this

Tuesday, 25 August 2015

#Exchange 2010 - Export User Mailbox to PST via Exchange Management Shell

1. Create a shared folder to save the PST file. (In my case, the shared folder is named PST.)
2. Launch Exchange Management Shell as administrator.
3. Assign the Mailbox Import Export role to the user that runs the mailbox export. (In my case, I use administrator.)

  • New-ManagementRoleAssignment -Role "Mailbox Import Export" -User "administrator"

To export a user mailbox
  • New-MailboxExportRequest -Mailbox user -FilePath \\Server1\PST\user.pst

To check the export status
  • Get-MailboxExportRequest

#O365 - Set up Microsoft Azure Rights Management for Office 365 Message Encryption

1. Activate Azure Rights Management

** You can activate via portal or powershell

1.1 Activate via Portal 

a) Login to Office 365 Portal.
b) Go to Admin, expand Service Settings, click on Rights Management.

c) Click on Manage.
d) Click on Activate.


1.2 Activate via Powershell

a) Download the RMS module for PowerShell here.
b) Install the RMS module for PowerShell. (Requires Microsoft Online Services Sign-in Assistant 2.1 or greater.)
c) Run Windows PowerShell as administrator.

Run the commands below:

  • $user = "<your Office 365 administrator email>"
  • $cred = Get-Credential -Credential $user
  • Import-Module AADRM
  • Connect-AadrmService -Credential $cred
  • Enable-Aadrm

2. Setup Azure Rights Management for Office 365 Message Encryption

** You can configure Automatic Protection or/and Manual Protection

Automatic Protection - If a user sends an email that matches a rule/policy pre-set by the admin, the rule/policy is applied automatically, and IRM templates are prevented from being available in OWA and Microsoft Outlook.

Manual Protection - Users can select which rule/policy to apply when they send an email in OWA and Microsoft Outlook.

2.1 Automatic Protection

a) Connect to Exchange Online with Windows PowerShell (Run as Administrator) and import the session.

  • Set-ExecutionPolicy RemoteSigned
  • $cred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <Exchange Online PowerShell connection URI> -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

b) Configure the Rights Management Services (RMS) online key-sharing location in Exchange Online. Use the RMS key sharing URL corresponding to your location, as shown in this table:

Location                                 RMS key sharing location

North America              
European Union            
South America              
Office 365 for Government (Government Community Cloud)

  • Enable-OrganizationCustomization
  • Set-IRMConfiguration -RMSOnlineKeySharingLocation <RMS key sharing location>

c) To import the Trusted Publishing Domain (TPD) from RMS Online
  • Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
d) To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service
  • Test-IRMConfiguration -Sender <sender email address>

e) Run the following commands to disable IRM templates from being available in OWA and Outlook, and then enable IRM for your cloud-based email organization to use IRM for Office 365 Message Encryption.

Disable IRM templates from being available in OWA and Outlook
  • Set-IRMConfiguration -ClientAccessServerEnabled $false

Enable IRM for your cloud-based email organization
  • Set-IRMConfiguration -InternalLicensingEnabled $true

f) To view the IRM configuration
  • Get-IRMConfiguration

g) Define rules to encrypt or decrypt email messages

I) Go to Admin, expand Admin, click on Exchange.

II) Go to Mail Flow, rules, and click + to create a new rule.



2.2 Manual Protection
a) Connect to Exchange Online with Windows PowerShell (Run as Administrator) and import the session.
  • Set-ExecutionPolicy RemoteSigned
  • $cred = Get-Credential
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri <Exchange Online PowerShell connection URI> -Credential $cred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session
  • Enable-OrganizationCustomization
  • Set-IRMConfiguration -RMSOnlineKeySharingLocation <RMS key sharing location>
(Depends on your location)
Location                                 RMS key sharing location

North America
European Union
South America
Office 365 for Government (Government Community Cloud)
  • Import-RMSTrustedPublishingDomain -RMSOnline -Name "RMS Online"
b) To verify that you successfully configured IRM in Exchange Online to use the Azure Rights Management service
  • Test-IRMConfiguration -Sender <sender email address>
c) Enable IRM templates to be available in OWA and Outlook
  • Set-IRMConfiguration -ClientAccessServerEnabled $true
d) Enable IRM for your cloud-based email organization
  • Set-IRMConfiguration -InternalLicensingEnabled $true

Thursday, 13 August 2015

#Hyper-V 2012 R2 - Virtual Machine unknown devices (Windows 2008 R2 / 7 and below)

If you install Windows 2008 R2/2008/7/Vista as a virtual machine in Hyper-V 2012 R2, you may notice unknown devices in Device Manager.
One is Automatic Virtual Machine Activation (AVMA), and the other is Remote Desktop Control Channel/Enhanced Session Mode. These two features are new in Windows Server 2012 R2 and require virtual hardware.

1. You can find the driver on the Hyper-V 2012 R2 integration services setup disc or download the driver from the link below:
2. Update the driver manually in Device Manager.
3. Restart the computer.

Tuesday, 4 August 2015

#O365 - Force delete user with DirSync

Force delete Office 365 active users

1. Run Windows Azure Active Directory Module for Windows PowerShell as administrator.
2. To connect to Office 365, type
  • Connect-MsolService
3. To disable DirSync, type
  • Set-MsolDirSyncEnabled -EnableDirSync $false
(Remember to re-enable DirSync after the user deletion is complete by typing Set-MsolDirSyncEnabled -EnableDirSync $true)

4. To check that DirSync is fully disabled, type
  • (Get-MSOLCompanyInformation).DirectorySynchronizationEnabled
(Enabling and disabling might take a while to complete. Wait until DirSync is fully disabled before continuing to the next step.)

5. To remove an active user, type
  • Remove-MsolUser -UserPrincipalName <user principal name>
6. To remove all the active users, type
  • Get-MsolUser | Remove-MsolUser -Force

Force delete Office 365 user from deleted users

1. Run Windows Azure Active Directory Module for Windows PowerShell as administrator.
2. To connect to Office 365, type
  • Connect-MsolService
3. To remove a deleted user, type
  • Remove-MsolUser -UserPrincipalName <user principal name> -RemoveFromRecycleBin

  • Remove-MsolUser -UserPrincipalName <user principal name> -RemoveFromRecycleBin -Force
4. To remove all deleted users, type
  • Get-MsolUser -ReturnDeletedUsers | Remove-MsolUser -RemoveFromRecycleBin -Force
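
Steps 3 to 5 of the first procedure above as one script, added here as an example (not the original post's code): it polls until DirSync is reported disabled, deletes a single user, and re-enables DirSync even if the deletion fails. The UPN, timeout and polling interval are placeholder assumptions.

```powershell
# Added example, not from the original post. Requires the MSOnline module.
$Upn = 'user@contoso.example'   # placeholder UPN, replace with the real one

Connect-MsolService

function Wait-DirSyncState {
    # Poll the tenant until DirectorySynchronizationEnabled matches $Desired.
    param(
        [Parameter(Mandatory)][bool]$Desired,
        [int]$TimeoutMinutes = 120,   # assumed value, the change can be slow
        [int]$PollSeconds    = 60
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    while ((Get-MsolCompanyInformation).DirectorySynchronizationEnabled -ne $Desired) {
        if ((Get-Date) -gt $deadline) {
            throw "DirSync did not reach state '$Desired' within $TimeoutMinutes minutes."
        }
        Start-Sleep -Seconds $PollSeconds
    }
}

# Fail early, before touching tenant settings, if the user does not exist.
$user = Get-MsolUser -UserPrincipalName $Upn -ErrorAction Stop

Set-MsolDirSyncEnabled -EnableDirSync $false -Force
try {
    Wait-DirSyncState -Desired $false
    # Delete exactly one named user instead of piping Get-MsolUser into Remove-MsolUser.
    Remove-MsolUser -UserPrincipalName $user.UserPrincipalName -Force
    Write-Output "Deleted $($user.UserPrincipalName)"
}
finally {
    # Runs on success and on failure, so the tenant is not left with DirSync off.
    Set-MsolDirSyncEnabled -EnableDirSync $true -Force
    Write-Output 'Requested DirSync re-enable; confirm with Get-MsolCompanyInformation.'
}
```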

#Azure - Create Azure Rights Management template

1. Log on to the O365 portal as admin.
2. Go to Service Settings, Rights Management, select Manage.

3. Select Advanced Features.

4. Go to Active Directory, select Rights Management. (If you haven't activated an Azure account, you can activate it now.)

5. Select your domain. (By default, two templates will be created, and the DO NOT FORWARD rule is included.)
6. Select Create a new rights policy template.

7. Select a language and enter a name.

8. Select groups or users.

9. Select the rights.

10. Publish the template.

Tuesday, 21 July 2015

#Azure AD Directory Sync - change sync time interval

By default, Azure AD directory sync runs every 3 hours.
To change the interval:

Go to the Windows Azure Active Directory Sync installation path and look for Microsoft.Online.DirSync.Scheduler.exe (Config file).

Open the file with Notepad.
Edit the "SyncTimeInterval" value="hh:mm:ss".
Restart the Windows Azure AD Directory Sync service or restart the server.

Thursday, 16 July 2015

#AD FS 3.0 - Customize AD FS 3.0 login page

Customize the login page:



Change Company Name:

Change Logo:

Change illustration:

Change Sign-in description:

For more information Microsoft link 

#Active Directory - Force seize FSMO roles from dead DC, Windows Server 2012 R2

1. From the secondary domain controller, run PowerShell as administrator.
2. Run the following command:

Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole PDCEmulator,RIDMaster,InfrastructureMaster,SchemaMaster,DomainNamingMaster


Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_Name" -OperationMasterRole 0,1,2,3,4 -Force
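
A pre-check and post-check wrapped around the forced command above, added here as an example (not the original post's code): it records the current role holders, refuses to seize from a holder that still answers, then confirms all five roles landed on the target. "Target_DC_Name" is the post's placeholder for the surviving DC; using ping as the liveness test is an assumption.

```powershell
# Added example, not from the original post. Run on the surviving DC.
Import-Module ActiveDirectory
$TargetDc = 'Target_DC_Name'   # the post's placeholder for the DC that receives the roles

function Get-FsmoHolder {
    # Return the five FSMO role holders as seen by the given DC.
    param([Parameter(Mandatory)][string]$Server)
    $domain = Get-ADDomain -Server $Server
    $forest = Get-ADForest -Server $Server
    [ordered]@{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Test-IsTarget {
    # Holders are FQDNs; compare only the host part with the target name.
    param([string]$Holder)
    ($Holder -split '\.')[0] -ieq $TargetDc
}

# 1. Record who holds the roles before any change.
$before = Get-FsmoHolder -Server $TargetDc
$before

# 2. A forced seize is only for a holder that is gone. Stop if one still responds.
$oldHolders = $before.Values | Where-Object { -not (Test-IsTarget $_) } | Sort-Object -Unique
foreach ($holder in $oldHolders) {
    if (Test-Connection -ComputerName $holder -Count 2 -Quiet) {
        throw "$holder still responds; do a normal transfer instead of a forced seize."
    }
}

# 3. The forced command from the post.
Move-ADDirectoryServerOperationMasterRole -Identity $TargetDc -OperationMasterRole 0,1,2,3,4 -Force

# 4. Verify that every role now points at the target DC.
$stale = (Get-FsmoHolder -Server $TargetDc).GetEnumerator() |
    Where-Object { -not (Test-IsTarget $_.Value) }
if ($stale) { throw "Roles not moved: $($stale.Key -join ', ')" }
Write-Output "All five FSMO roles are held by $TargetDc."
```

A DC whose roles were seized should not be brought back onto the network afterwards.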

Wednesday, 15 July 2015

#Office 365 ProPlus - Unable to install

Couldn't install. We're sorry, we had a problem installing your Office program(s).
Error Code: 30088-1021 (0)


1. Make sure all Microsoft Office versions/components are uninstalled from the computer. (Including Visio, Project and others.)
2. Use the Microsoft Office Fix it tool to uninstall other versions of Microsoft Office.
    Fix it script Download
4. Make sure there is no problem with the installer. You can download O365 ProPlus from here: Office365 Proplus Offline Installer

#Microsoft Office - uninstall Microsoft Office by fix it script

Download here

#O365 ProPlus Offline Installer Download

Office 365 ProPlus Office Installer Download

Password: P@ssw0rd!@#$

Download here Office365 ProPlus 32 bit

Download here Office365 ProPlus 64 bit

Tuesday, 14 July 2015

#WAP - Remove Web Application Proxy (WAP) from Cluster - Windows 2012 R2 (ADFS)


A WAP cluster has 2 ADFS proxies. To remove ADFS-Proxy1:


1. On one of the ADFS proxy servers, run PowerShell as administrator.
2. Enter the command below:

swpc -ConnectedServersName ((gwpc).ConnectedServersName -ne 'adfsservername')

3. ADFS-Proxy1 is removed.
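
The same removal with guard checks, added here as an example (not the original post's code). It assumes swpc and gwpc are the aliases of Set-WebApplicationProxyConfiguration and Get-WebApplicationProxyConfiguration, and keeps the post's placeholder 'adfsservername' for the server being removed.

```powershell
# Added example, not from the original post. Run on a remaining WAP server.
$Remove = 'adfsservername'   # the post's placeholder: name of the proxy to remove

# Current cluster membership as stored in the WAP configuration.
$current = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
Write-Output "Before: $($current -join ', ')"

# The name must match an entry exactly as listed (entries may be FQDNs),
# otherwise the -ne filter below would silently change nothing.
if ($current -notcontains $Remove) {
    throw "'$Remove' is not in ConnectedServersName; copy the name from the list above."
}

# Applied to an array, -ne returns every element that differs from $Remove.
$remaining = @($current -ne $Remove)
if ($remaining.Count -eq 0) {
    throw 'Refusing to write an empty ConnectedServersName list.'
}

Set-WebApplicationProxyConfiguration -ConnectedServersName $remaining

# Read the configuration back and confirm the server is gone.
$after = @((Get-WebApplicationProxyConfiguration).ConnectedServersName)
if ($after -contains $Remove) {
    throw "'$Remove' is still listed after the update."
}
Write-Output "After: $($after -join ', ')"
```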