Posts Tagged Powershell
Azure Key Vault Access Policies
Azure Key Vault is used to safeguard system critical data, such as keys, secrets and certificates that are part of your infrastructure core operations.
Key Vault access is managed through two interfaces: management plane – this dictates access to the Key Vault itself but not managing its content which is based on RBAC model, data plane – this enables granular control of keys/secrets/certificates, which relies on Access Policy.
This brings us nicely to Access Policies which is meat of this article. I have had to deal with a situation lately while applying access policy for a colleague while a restriction is imposed on my Azure AD account (see example below)
This would have limited access to my account (which is external) to AAD, which means I cant read or search AAD which is required when adding access policy via the GUI – Setting RBAC without access to AAD works (as an exception) if you know the full FQDN of the user you are adding.
The way around is to use PowerShell, but this requires a prerequisite which is the Azure AD object ID for the user you want to add, this can be achieved by adding them temporarily on management plane to access their user properties and copy object ID before deleting that rule.
Now to the command I used to apply that permission:
Set-AzKeyVaultAccessPolicy -ObjectId *** -VaultName **** -PermissionsToKeys **** -PermissionsToSecrets **** -PermissionsToCertificates **** -BypassObjectIdValidation
Key property here is the BypassObjectIdValidation, if the Object ID exists in AAD then it will be linked and the user will have their access policy applied to Azure Key Vault.
Application Gateway bug – Jan 2017
I have been working with Microsoft lately on an issue that I was experiencing with an Azure application gateway (appGW) deployment that require both internal and external interfaces handling traffic over HTTPS.
If you try to attach the same AppGW front end port to internal and external front end configuration, this would cause the appGW to misbehave. In my scenario I had a rule attached to external interface for handling incoming traffic but no rule attached on the internal interface and as a consequence the internal interface started processing traffic while the external interface was rejecting all connections (not even 502 error! would you believe!). Just to note that all my appGW deployments are scripted using PowerShell/JSON.
Microsoft managed to replicate this internally and issued a bug report, they are working on it as we speak but without ETA currently.
I had to drop my second listener (internal) in order to bring the appGW back to it’s expected behaviour!
DB fails to activate on another node in an Exchange 2013 DAG
Posted by Sam in Exchange 2013 on 29 January, 2015
It has been a while since I blogged about Exchange! Last year actually! Time runs by quick ..
Anyways, I wanted to talk about a problem you might face (certainly I have faced recently) in a situation when your DAG members are online but the database fails to activate to a particular node! Back in the days that used to happen if one of your Exchange vital services has stopped, but in this scenario all services were running as normal.
Based on Activation preference on each DB, I wanted to redistribute DB’s between all nodes after a restart. MS has kindly written a beautiful script that could take care of that for you based on a specific DAG. RedistributeActiveDatabases.ps1 which is located under Exchange install directory inside a ‘Script’ folder. This script can take your DAG and assess DB distributions, based on their activation preferences it starts to move the active DB’s to their intended servers.
In my case it failed to move due to some error on the server regarding ‘HighAvailability’ state, Exchange 2013 has introduced a new concept of server component state, which gives a granular control over server components that make up the Exchange server.
Running Get-ServerComponentState -Id ServerName on an Exchange server would show each of the component running and their state, this is very useful in troubleshooting problems with Exchange before even digging deep into configuration.
In order to bring server components online you could run the following PowerShell command:
Set-ServerComponentState -id ServerName -Component ComponentName -State StateName -Requester FunctionName
Note, if components were brought online by multiple requesters then you would need to issue the ‘Active’ command state under both these requesters in order for the component to turn to active.
There is a great article written by the Exchange team which goes in great depth explaining the principle behind it and the advantages gained by the administrator.
Report on Exchange 2010 Server RU level
I found a nice script written to gather your environment Exchange environment RU level.
Couldn’t open backup file handle while performing Exchange DB seed via Powershell
Posted by Sam in DAG, Exchange 2010, Poweshell on 4 November, 2013
The error above is the outcome of running Udate-MailboxDatabaseCopyStatus -Identity DB_NAME -DeleteExistingFiles and the DB status went to Failed and Suspended. The reason is that the backup was kicked off and the handle for the DB was no longer available.
You could check the status of the backup on the DB by running Get-MailboxDatabaseCopyStatus -Identity DB_NAME | fl *backup*
Two ways to get over this, either to wait for the backup to finish or to reboot the server and stop the backup and that should fix the issue, the seeding process needs to start from scratch.
Soft Deleted Mailbox in Exchange 2010 (Continued)
Posted by Sam in Exchange 2010, Poweshell on 12 July, 2013
In my previous post I have talked about what happens behind the scenes when you disconnect a mailbox via EMC. Soft deleted mailboxes stay on the system for the whole retention period (by default 30 days) hence they still utilise space within Exchange DB, if you are running on low disk space then this might become an issue.
Luckily there is a solution to this issue, using Remove-StoreMailbox command in Powershell, follow the solution in this MS article http://technet.microsoft.com/en-us/library/gg181092(v=exchg.141).aspx
Soft Deleted Mailbox in Exchange 2010
Posted by Sam in Exchange 2010, Poweshell on 17 June, 2013
Have you ever wondered why there are so many disconnected mailboxes? That has flagged a big security alert in our firm, especially after finding out how IT staff used to disable user accounts! By disabling a mailbox, you are actually detaching that mailbox form it’s AD object, this orphaned mailbox is prone to deletion according to your Exchange mailbox retention policy (by default 30 days!).
We have also found few other mailboxes for active users but they are sitting in Disconnected Mailbox, by running the command:
Get-MailboxStatistics -Server ServerName | where {$_.DisconnectReason -eq ‘SoftDeleted’}
The result would show user display name for those mailboxes that had moved from one DB to another. Exchange would mark the source mailbox as SoftDeleted rather than the default Disabled – a mailbox gets flagged as Disabled when disabling mailboxes using the Disable command within the MS Exchange GUI or Disable-Mailbox via Powershell.
Dynamic Distribution Group – Excluding Security Group
It has been a while since I have posted anything on my blog, due to change of responsibilities and the new job. Now I am mainly focused on VMware and Exchange.
Most people know that Dynamic Distribution Groups are great in offering flexible and automatic management of user membership in addition to all the features offered by normal distribution groups. By the way, I won’t be detailing how to use Set-DynamicDistributionGroup cmdlet in setting a dynamic group up (please refer to powershell help by typing help Set-DynamicDistributionGroup -Examples to see some examples of how to use -RecipientFilter property).
If you image that you have all your users in one OU (which is possible) , Dynamic Distribution Group look at a specific recipient container. In some cases you want to exclude a single user from the list, now that is easy, make sure (-not(Name -like ‘name‘) is entered into your recipient filter.
Excluding one name is easy, but you don’t want to keep adding a name at a time. You could bind all of your members who you want to exclude from your dynamic group in a security group and add this line to your recipient filter (-not(MemberofGroup -eq ‘Security_Group_FQDN‘)).
Whoever is added to that Security group won’t be a member of the dynamic distribution group.
To get members of a dynamic distribution group
$group = get-DynamicDistributionGroup “Group_Name“
$members = get-recipient -RecipientPreviewFilter $group.RecipientFilter
Practical Powershell
Posted by Sam in Compellent, Poweshell, VMWare on 9 July, 2012
I have been trying to link the information I get from VMware vSphere and the Compellent SAN to be able to trace VM activity within the storage layer end. I found a good post on the above link which gives a good link between the two systems using Powershell.
SysCloud.dev 