Monday, January 28, 2019

How to Configure AWS Active Directory Conditional Forwarders for a Trust between Your AWS Managed Microsoft AD and On-Premises Domain

As you get started. Make sure your VPC configurations for Inbound and Outbound traffic are correct.

If you are using a VPN. Make sure the AWS CIDR and your Local CIDR's are there. The local CIDR range is also your local AWS CIDR, not just your on-premise CIDR block range.

1. In order to establish a connection between your on-premises Active Directory and the AWS Cloud AWS Managed Microsoft Active Directory you must setup both the on-premise server (LOCALDOMAIN.COM) and your AWS Domain (AWSDOMAIN.LOCAL).

2. Create an AWS EC2 VM that will be joined to your awsdomain.local domain. After you have created the VM. Login to the VM and add the DNS addresses that are listed for AWSDOMAIN.LOCAL in the AWS Directory Service. Do an ipconfig /all to make sure that the DNS IP addresses are correct or nslookup will fail.

3. FYI. You cannot RDP into the AWS DC's for the AWS Managed Microsoft AD. You have to use the Server Manager Tools on the server that is joined to the the AWSDomain.Local.

4. Join the machine to your AWS Domain. The default username is "admin" and not "administrator". Then reboot the computer.

Right-click on Conditional Forwarder and then select New Conditional Forwarder

5. Configure your domain that will be used for the trust so that it can talk from your domain.

6. Run PowerShell or CMD Prompt as an administrator and run ipconfig /flushdns

7. Now ping the domain (FYI. It takes a few minutes. Relax). ping the domain name (e.g. ping awsisyourfriend.local) and you should get the ip address back that you put as the IP addresses of the master servers (domain IP's). DNS Settings are here with the arrow.

Image sanitized.

8. After you are able to ping the DNS IP addresses. Do an nslookup awsisyourfriend.local. Now you will get a response something like

C:\Windows\system32>nslookup awsisyourfriend.local

Non-authoritative answer:
Name:    awsisyourfriend.local

9. Next. Open your Active Directory Domains and Trusts and start the setup of the trust.

Note: URL if you have time.

Pics below for us that need to Get it Done!

10. Type the domain

11. Click Forest Trust

12. Two-Way

13. This Domain Only

14. Forest-wide authentication

15. Trust Password (NOTE: This is the password that you set up with the creation of the AWS Managed Microsoft AD).

16. Do not confirm the Outgoing or Incoming Trust (select No)

11. Now the on-premises side of the AD Domain Trust (Two-Way) is done.

12. Do the AWS Side now.

13. Note: You cannot create the trust from within the Windows OS on AWS. You must do it through the AWS Console. If you attempt to do it from the OS. You will get an error that says Access Denied!

14. If you have done everything correctly. You will get rewarded with a "Verified" green check mark!

AWS Articles:


Thursday, January 24, 2019

How to Enable Windows Server 2016 Remote Shell

1. Open PowerShell

2. Get-Item WSMan:\localhost\shell\allowremoteshellaccess

3. Open GPEdit and Turn it off. Restart the installation for the File Server and then you can turn it back on.

Computer Configuration > Administrative Templates > Windows Components > Windows Remote Shell > Allow Remote Shell Access

4. gpupdate

5. Now run the app again.

Thank you XIA!!


How to Recover a Deleted Office 365 Mailbox

1. Launch Powershell as an Administrator

2. Connect to Office365 via the CLI (You can't do this from the GUI/Browser)

3. You will need both GUID's to move the old mailbox data that was soft deleted to the new mailbox that was created.

NOTE: Background on how this would be applicable. The reason you would have to do this is if you had a local hybrid Active Directory and you did not migrate one mailbox to Office365 or whatever other reason you had a local mailbox stuck on the local exchange DB. You deleted the mailbox in OWA and Microsoft Active Directory Sync wiped out your Office365 account because the local AD account was wiped/deleted when you were fixing the OWA on-premise. You created a new account and when it was replicated to Azure Active Directory and you enabled the Mail license, you now need to copy the data from the old mailbox to the new Mailbox. Either way, you have a new mailbox and the soft deleted data needs to be migrated/copied to the new mailbox.

4. Informational. Your ExchangeGuid is not the same as the account Guid. Don't mix them up.

5. Get-Mailbox -SoftDeletedMailbox

6. Get the GUID's of the Old and New Mailboxes

Get-Mailbox -SoftDeletedMailbox -Identity cchicken | fl *guid*

Get-Mailbox -Identity curry.chicken | fl *guid*

7. Merge the old data into the new mailbox

New-MailboxRestoreRequest -SourceMailbox aef196y7-9036-4bec-b63b-f34re8rv6705 -TargetMailbox 0a897d6d-67a9-4ff8-a79d-k64rsvb678a3 -AllowLegacyDNMismatch


Wednesday, January 16, 2019

VMware Tools ISO Does Not Exist

1. You attempt to Install VMware Tools and you get the following error:

The required VMware Tools ISO image does not exist or is inaccessible. vix error code = 21001 Unable to install VMware Tools. An error occurred while trayin got access image file "/user'/lib/vmware/isoimages/windows.iso" needed to install VMware Tools: 2 (no such file or directory). Please refer the product documentation or KB article 2129825 for details....blah blah blah you get the point.

First...that KB article is wrong. It's 1036810:

2. Go to the latest VMware Tools of your OS (You don't need to be logged in):

3. Download the ISO and then WinSCP the file or whatever method you want to use to copy the file to /usr/lib/vmware/isoimages/

The quick and easy way is to just mount it and then install the VMware Tools. If you want to get gritty! Follow on!

4. If you don't know how to copy files to Linux. Use Linux Academy. It's way too much to try to type here: 

5. Access the VCSA UI from the browser with port: 5480 (e.g.

6. Enable SSH Login and Bash Shell under Access on the Appliance.

7. VCSA 6.7U1 doesn't not have "isoimages" under the /usr/lib/vmware/ path so you need to create it. 

8. mkdir isoimages && cd isoimages

9. If you have external internet connectivity. Grap the file with wget


mv VMware-tools-windows-10.3.5-10430147.iso (space and then type) windows.iso


Tuesday, January 15, 2019

How to Rename a Windows 2019 Server from the Command Line

1. From VMware (CTRL+ALT+Insert)

2. Check hostname post installation

3. hostname

4. netdom renamecomputer WIN-BLAHBLAH /newname:WS2016-BLAH /reboot 0

6. Y

7. Reboot

8. Login (CTRL+ALT+Insert)

9. Don't be scared little buddy. It's just the command line. =) The Windows Server CLI experience is not for newbies. Use the Desktop Experience if you find it extremely difficult and PowerShell very hard. It's not like Linux.

10. typing the command sconfig will take you into the base configurations of the server. Remember. Windows Server 2016 does not allow you to just turn on Desktop Experience. You have to clean install a new OS.

11. You need to run sconfig in order to enable RDP, etc.