

How Domain and Forest trusts work:

EMC ISILON SID translation errors:


Actions to do:

Check Trust relationships

Check the firewall logs and use portqry to test the required ports. Also use the nltest and netdom command-line tools.

Check GPO: Network access: Allow anonymous SID/Name translation

and the following groups have the “Access this Computer from the Network” permission on domain controllers by default:

Authenticated Users

Microsoft Ignite 2016 conference – announcements:

  • Office with Tap & Quick Start
  • Yammer integrated with Office 365 Groups
  • SharePoint (SharePoint team site, library sync, Android & Windows app)
  • Skype for Business on Mac
  • Instant transcription in Skype Broadcast
  • PSTN Calling in preview in France

Office at Ignite :

Other announcements regarding Office 365:

Office 365

Connect to expertise and content with new people experiences throughout Office 365

Applying intelligence to security and compliance in Office 365


Skype for Business




SharePoint and OneDrive

  • Major OneDrive updates at Ignite 2016 include SharePoint Online sync preview
  • Announcing Feature Pack 1 for SharePoint Server 2016—cloud-born and future-proof
  • Enhanced conditional access controls, encryption controls and site classification in SharePoint and OneDrive
  • Enriching the mobile and intelligent intranet with team news, apps for Android and Windows and more

Tasks to force removal of Exchange 2013

The tasks to force removal of Exchange 2013 are:

The most common reasons are listed below:

  • The uninstallation didn’t finish properly and left attributes or entries in Active Directory
  • The Exchange server is permanently offline and Exchange should be removed
  • An Exchange installation didn’t finish properly and the attributes and entries should be removed

To remove the server open ADSIEdit and go to configuration


CN=Microsoft Exchange
CN=Microsoft Exchange Autodiscover

CN=Default naming context,DC=MYDOMAIN,DC=LOCAL
CN=Microsoft Exchange Security Groups
CN=Microsoft Exchange Security Objects

IIS: Start inetmgr
DELETE the Exchange Back End and Front End websites with the IIS-Manager:

ecp (-> Exchange Control Panel)
EWS (-> Exchange Web Services)
Microsoft-Server-ActiveSync (-> Exchange Active Sync)
OAB (-> Offline Addressbook)
owa (-> Outlook Web App)
Rpc (-> Remote Procedure Calls)


Also don’t forget to remove the application pools (MSExchange*)


Remove the local computer certificates (MMC, certificates snap-in, computer store)

AD Users and Computers:
DELETE the following users in the “Users” container:

DiscoverySearch Mailbox{GUID}
Exchange Online-ApplicationAccount

DELETE the key “ExchangeServer” under:

DELETE the keys “MSExchange*” under:

Hard Disk directories:
On the server’s hard disk you have to DELETE the Exchange Server installation folder.
Usually it’s C:\Program Files\Microsoft\Exchange Server

and c:\ExchangeSetupLogs

Also remove d:\ mailboxes or other Exchange logs / monitoring directories

Cleanup Recycle bin

Final reboot


When trusted sites are managed by GPO we can’t even view what servers are trusted using IE menu Tools > Internet Options > Security > Servers because the UI is disabled and won’t let you scroll down:

To solve this problem, from a PowerShell prompt in admin mode:

$(Get-Item "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property

$(Get-Item "HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey").Property
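
The two commands above only print the site names. The following added example (not part of the original post) also reads the zone number stored with each name, translates it to the standard zone name, and marks entries worth reviewing; the function name Get-ZoneMapEntry and the review rules are assumptions made for this illustration.

```powershell
# Added example: list GPO-managed site-to-zone mappings with their zone names.
# Standard Internet Explorer security zone numbers.
$zoneNames = @{ '0' = 'My Computer'; '1' = 'Local intranet'; '2' = 'Trusted sites'
                '3' = 'Internet'; '4' = 'Restricted sites' }

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMapKey'
)

# Hypothetical helper name; returns one object per mapped site.
function Get-ZoneMapEntry {
    param([string[]]$Path = $policyKeys)
    foreach ($keyPath in $Path) {
        # The key is absent when no Site to Zone policy applies to that hive
        $key = Get-Item -LiteralPath $keyPath -ErrorAction SilentlyContinue
        if (-not $key) { continue }
        foreach ($site in $key.Property) {
            # Value name = site pattern, value data = zone number
            $zone = [string]$key.GetValue($site)
            # Review rules (assumptions of this example): wildcard patterns, and
            # entries in the low-restriction zones that are not pinned to https
            $review = @()
            if ($site.Contains('*')) { $review += 'wildcard' }
            if (($zone -in '1', '2') -and ($site -notmatch '^https://')) {
                $review += 'not https-only'
            }
            [pscustomobject]@{
                Hive     = $keyPath.Substring(0, 4)
                Site     = $site
                Zone     = $zone
                ZoneName = $zoneNames[$zone]
                Review   = $review -join ', '
            }
        }
    }
}

Get-ZoneMapEntry | Sort-Object Zone, Site | Format-Table -AutoSize
```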

DNS to change a dynamic record to a static record


DNS PowerShell – import-module DNSServer



DNS Powershell – DnsShell

Summary: Learn how to use a free Windows PowerShell module to ease administration of Windows DNS: DnsShell

What is DnsShell?

The majority of the cmdlets in DnsShell are wrappers around the WMI interface. The WMI interface tends to be fairly difficult to work with, or at least more difficult than it needs to be. For the most part this is due to the infamous Generic Error it returns whenever something goes wrong.

In addition to the WMI wrappers, DnsShell contains an interface for working with DNS via LDAP with decoders for the dnsProperty and dnsRecord attributes.

The final cmdlet, Get-Dns, is a DNS resolver, designed to exceed the capabilities of nslookup and to be comparable with Dig.

This post aims to explore some of the capabilities for DnsShell, based on the tasks I use it for on a regular basis.

Basic tasks

Listing zones

Get-DnsZone can be used to return information about zones configured on a server. This cmdlet uses WMI to grab details of the zone. The parameters used with this cmdlet are used to build a WQL filter.

# All zones

Get-DnsZone

# Primary zones

Get-DnsZone -ZoneType Primary | Format-List

Zone information can be returned from Active Directory using Get-ADDnsZone. By default, Get-ADDnsZone targets the DomainDnsZones application partition.

The information returned by this cmdlet differs slightly from Get-DnsRecord, only showing detail stored in the dnsProperty attribute.

# Returning all zones in DomainDnsZones (for the current domain)

Get-ADDnsZone

# Returning all zones from all partitions

Get-ADDnsPartition | Get-ADDnsZone

Listing records

The following examples demonstrate how Get-DnsRecord can be used to pick up records configured on a server.

# Listing all records on the current server

Get-DnsRecord

# List A records in domain.example only

Get-DnsRecord -RecordType A -Zone domain.example

# List all static records on the server

Get-DnsRecord -Filter "TimeStamp=0"

# Name is a regular expression and can be used for simple or complex filters

Get-DnsRecord -Name '_tcp' -RecordType SRV

Get-ADDnsRecord may also be used to retrieve record information. By its nature, Get-ADDnsRecord is limited to querying records stored in Active Directory-integrated zones.

# All records in the DomainDnsZones partition

Get-ADDnsRecord

# All Service (SRV) records in all partitions

Get-ADDnsPartition | Get-ADDnsRecord | Where-Object { $_.RecordType -eq "SRV" }

# Name supports wildcards (used to build an LDAP filter)

Get-ADDnsRecord -Name "_gc*"

# List all records in a specific zone

Get-ADDnsZone domain.example | Get-ADDnsRecord

Unlike Get-DnsRecord, which offers a parameter to filter on RecordType, Get-ADDnsRecord is reliant on Where-Object. This is because there is no way to construct an LDAP filter to limit a search to specific record types, as the record type is encoded as part of the dnsRecord attribute. Wildcards or partial matches are not permissible for dnsRecord as it is a Binary Large Object (BLOB).

The RecordType field used above is defined in an Enumeration. The possible values can be seen with:


Using the following filter for Where-Object returns the same results; it is equivalent to the filter above:

# Get all records from AD (DomainDnsZones). Filter to Service Records

Get-ADDnsRecord | Where-Object { $_.RecordType -eq [DnsShell.RecordType]::SRV }

Returning server configuration

Returning a DNS server's configuration is a simple task. The Get-DnsServer cmdlet returns each of the configuration options available to MS DNS server.

# Ask for DNS Server settings from $ServerName

Get-DnsServer $ServerName

Creating zones

New-DnsZone uses the CreateZone method from WMI, checking for a few potential errors along the way.

# A new standard Primary forward lookup zone. Returns an object representing the new zone

New-DnsZone domain.example -ZoneType Primary -PassThru

Creating records

New-DnsRecord is one of the most complex cmdlets in the module. It provides an abstract interface to the CreateInstanceFromPropertyData method on each of the record classes.
Many of the parameters accept pipeline input to further simplify usage.

# A new Host (A) record

New-DnsRecord -Name mail -RecordType A -Zone domain.example -IPAddress

# A new Mail Exchanger (MX) record

New-DnsRecord -RecordType MX -Zone domain.example `
  -TargetName mail.domain.example -Preference 10

Advanced tasks

Automating secondary zone setup

On occasion it is nice to be able to create secondary zones for every Primary zone on another server.

# Alternate credentials for this operation

$Credential = Get-Credential

# The Primary server name (used to access WMI) and the  IP address $SecondaryServer will use to access the Primary

$PrimaryServer = "ThePrimaryServer"; $PrimaryIP = ""

# A secondary server name (used to access WMI)

$SecondaryServer = "TheSecondaryServer"

# Get all Primary Forward Lookup Zones from $PrimaryServer and create a corresponding Secondary zone on $SecondaryServer

Get-DnsZone -ZoneType Primary -Filter "Reverse=$False" `
  -Server $PrimaryServer -Credential $Credential |
  New-DnsZone -ZoneType Secondary -MasterServer $PrimaryIP -Server $SecondaryServer -PassThru

A ForEach (either ForEach or ForEach-Object) loop is not necessary to accomplish this, however it may be added if greater control over the process is required.

Get-DnsZone -ZoneType Primary -Filter "Reverse=$False" -Server $PrimaryServer -Credential $Credential |
  ForEach-Object {
    # See if the zone exists on $SecondaryServer first
    If (!(Get-DnsZone $_.Name -Server $SecondaryServer)) {
      # If it does not (!), create the zone
      New-DnsZone $_.Name -ZoneType Secondary -MasterServer $PrimaryIP -Server $SecondaryServer -PassThru
    }
  }

Strictly speaking, the ForEach-Object loop is still not an absolute requirement in this example. Where-Object can be used to filter down to only those zones that do not exist on the Primary.

Adding A and PTR records from a CSV file

One common task is the addition of A and corresponding PTR records. To demonstrate this script a simple CSV file can be used.


The tricky part is adding the PTR records without having to manually define the Reverse Lookup Zone name. One possible way to deal with this is to send a DNS query, an approach similar to that used by dynamic update: a query which attempts to find a server willing to accept an update.

In the example below, Get-Dns is used to execute a query for the PTR record. The expected response is NXDOMAIN (doesn’t exist), but that response will contain an Authority section including the server and zone name. That zone name can be used to make the new record.

$ServerName = "TheServer"
$ForwardLookupZone = "domain.example"
Import-Csv Records.csv | ForEach-Object {
    # Create the record in the Forward Lookup Zone
    New-DnsRecord -Name $_.Name -IPAddress $_.IPAddress -Zone $ForwardLookupZone -Type A -Server $ServerName
    # Find the name of the reverse lookup zone (taken from the Authority section of the response)
    $ReverseLookupZone = (Get-Dns $_.IPAddress -RecordType PTR -Server $ServerName).Authority[0].Name
    # Create the record in the Reverse Lookup Zone
    New-DnsRecord -Name $_.IPAddress -Hostname "$($_.Name).$ForwardLookupZone" -Zone $ReverseLookupZone -Type PTR -Server $ServerName
}

Debugging name resolution with Get-Dns

Debugging name resolution under Microsoft Windows is typically limited to either nslookup or the client resolver (normally via ping). Get-Dns is more comprehensive, capable of both simple and complex queries.

Note: The examples below make extensive use of domain.example. This should be replaced with a valid domain name; many of the examples will return nothing if taken literally.

The following command performs a Zone Transfer, used when a Secondary server picks up a copy of the zone from a Primary Server. This operation should not be confused with replication of zone data when Active Directory-integrated zones are in use. This command requires access to TCP Port 53 on the server holding the zone (most DNS traffic uses UDP Port 53).

# Equivalent of nslookup using ls -d domain.example
Get-Dns domain.example -Transfer
# Or
Get-Dns domain.example axfr

Tracing a request from root using an iterative query; used to verify the delegation chain, to test that DNS requests are directed to the correct servers. The initial servers (Root Hints) are taken from the locally configured DNS service.

# Performs a search for the record from the Root DNS servers (display all hops)
# Equivalent of dig domain.example +trace
Get-Dns domain.example -Iterative

NsSearch can be used to check that all DNS servers for a domain name reply with the same (or intended) answer. If the answers are different, clients may experience problems accessing a resource.

# Returns the A record for domain.example from all authoritative name servers
# Equivalent for dig domain.example a +nssearch
Get-Dns domain.example -RecordType A -NsSearch

Get-Dns returns all of the fields from a DNS packet by default; this makes the return value a complex nested object. Specific parts of the return value can be selected as demonstrated in the following examples.

# Expanding the answer
Get-Dns www.domain.example a -NsSearch | Select-Object -ExpandProperty Answer
# If only one response is returned
(Get-Dns www.domain.example a).Answer
# Just the Header
Get-Dns domain.example | Select-Object -ExpandProperty Header
# Question, Answer, Authority and Additional are always arrays. An element number must be used when accessing fields even if only one item exists.
(Get-Dns www.domain.example a).Question[0].Name
(Get-Dns www.domain.example a).Question.Count
(Get-Dns www.domain.example a).Question.GetType()
# Answer and Flags
Get-Dns domain.example | Select-Object Answer, @{n='Flags';e={ $_.Header.Flags }}

# The server, status code (RCode) and time taken (in milliseconds) for an Iterative query
Get-Dns domain.example -Iterative | Select-Object Server, TimeTaken,
@{n='RCode';e={ $_.Header.RCode }}

Troubleshooting HTTP.SYS – How delete old SSL cert?

Symptom: On the internal ADFS server, the SSL certificate has been replaced using the Set-AdfsSslCertificate cmdlet, but Get-AdfsSslCertificate still displays the old thumbprint and

This causes an error in Azure AD Connect Health


There is no special ADFS cmdlet to remove this old thumbprint. The solution is to use NETSH HTTP to manage the HTTP.SYS web server.

Reference: netsh commands for HTTP:

Netsh http show sslcert                               ; to list all SSL bindings

In our case, we want to remove all bindings associated to


In general the command is : Netsh http delete sslcert ipport=w.x.y.z:443

In our case :

Netsh http delete sslcert

Netsh http delete sslcert

Check with get-adfssslcertificate cmdlet
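
To find every binding that still carries the old thumbprint before deleting anything, the netsh listing can be parsed. This is an added example, not part of the original post: the function name, the sample listing and the thumbprint values are constructed placeholders, and English-language netsh output is assumed. It only prints the delete commands for review.

```powershell
# Added example: locate HTTP.SYS bindings that still reference an old thumbprint.
# Hypothetical helper: turns "netsh http show sslcert" text into objects.
function ConvertFrom-NetshSslCert {
    param([string[]]$Line)
    $binding = $null
    foreach ($l in $Line) {
        if ($l -match '^\s*(IP:port|Hostname:port)\s*:\s*(\S+)\s*$') {
            if ($binding) { $binding }          # emit the previous binding
            $binding = [pscustomobject]@{
                Kind = $Matches[1]; Endpoint = $Matches[2]
                Thumbprint = $null; AppId = $null
            }
        } elseif ($binding -and $l -match '^\s*Certificate Hash\s*:\s*([0-9a-fA-F]+)') {
            $binding.Thumbprint = $Matches[1].ToUpper()
        } elseif ($binding -and $l -match '^\s*Application ID\s*:\s*(\{[^}]+\})') {
            $binding.AppId = $Matches[1]
        }
    }
    if ($binding) { $binding }                  # emit the last binding
}

# Constructed sample listing (placeholder hashes, GUIDs and host name)
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : 1111111111111111111111111111111111111111
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY

    Hostname:port                : sts.domain.example:443
    Certificate Hash             : 2222222222222222222222222222222222222222
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
'@ -split '\r?\n'

$oldThumbprint = '1111111111111111111111111111111111111111'   # placeholder value

# On the server itself, replace $sample with: (netsh http show sslcert)
ConvertFrom-NetshSslCert $sample |
    Where-Object Thumbprint -eq $oldThumbprint |
    ForEach-Object {
        # IP bindings are deleted with ipport=, host name bindings with hostnameport=
        $param = if ($_.Kind -eq 'IP:port') { 'ipport' } else { 'hostnameport' }
        "netsh http delete sslcert $param=$($_.Endpoint)"
    }
```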



This article will explain how to repair Windows Update and its components.

Under certain circumstances, Windows Update can freeze on Windows and downloads can be blocked.

I tested this procedure for you, because I experienced this problem just after installing Windows 10 1511 on a computer. To solve my problem, I successfully followed this procedure:

Note: I found this script here to reset Windows Update:


a) Eventvwr: system log, source: windowsupdateclient

b) To get the windows update log: use this powershell cmdlet: get-windowsupdatelog

PS C:\Windows\system32> get-windowsupdatelog

Converting C:\Windows\logs\WindowsUpdate into C:\Users\jdalbera\Desktop\WindowsUpdate.log …
    Directory: C:\Users\jdalbera\AppData\Local\Temp\WindowsUpdateLog


SQL performance counters are missing


How to retrieve the computer name based on the IP?

This mechanism is called “reverse lookup”. In general it works if your DNS server contains “reverse zones” and reverse records.

In that case, the following commands work fine:

ping -a <IP>

nslookup -a <IP>

But if your internal DNS server does not contain a reverse zone, you must request the records from your DNS server directly.

To achieve that, you can use nslookup or PowerShell to get an answer from a DNS server:

a) using nslookup


server <enter remote DNS>

<type the IP>


b) using Powershell

# Get DNS records (computer FQDN) based on list of IPs (input)
# Created    :     10/01/2012
# Updated    :    21/03/2013
# Authors    : jdalbera - gbs-its-wid-nce
# Comments    : This script queries the current DNS to retrieve the list of FQDNs corresponding
# to a list of IPs (reverse records)
# It writes the results to a text file
Write-Host ""
Write-Host "-------------------------------------------------------"
Write-Host " Get DNS records from list of IPs "
Write-Host "-------------------------------------------------------"
Write-Host ""

$date = Get-Date -Format ddMMyyyy
$log = ".\logs\Get-DNSrecordFromIPs-$date.txt"
#$listofIPs = Get-Content .\IPList.txt
$listofIPs = "","",""
# Let's create a blank array for the resolved names
$ResultList = @()

Write-Host ""
Write-Host "------------------------------------------------------------------------------------------------"
Write-Host ""
$startscript = Get-Date

# Let's resolve each of these addresses
foreach ($ip in $listofIPs) {
    $result = $null
    # Suppress lookup errors for this call only, then restore the previous preference
    $currentEAP = $ErrorActionPreference
    $ErrorActionPreference = "SilentlyContinue"

    # Use the static .NET Dns class for the reverse lookup
    # details on this method found here:
    $result = [System.Net.Dns]::GetHostEntry($ip)
    $ErrorActionPreference = $currentEAP
    If ($Result) {
        $Resultlist += [string]$Result.HostName
    }
    Else {
        $Resultlist += "$IP - No HostNameFound"
    }
}
# To output the results to a text file
$resultlist | Out-File $log

Write-Host "-------------------"
Write-Host "-- End of Script --"
Write-Host "-------------------"
Write-Host ""
$stopscript = Get-Date
Write-Host "Has started at" $startscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "Had finished at" $stopscript -BackgroundColor Gray -ForegroundColor Black
Write-Host "TIME SPENT:" (New-TimeSpan -Start $startscript -End $stopscript).hours "Hours" (New-TimeSpan -Start $startscript -End $stopscript).minutes "Minutes" (New-TimeSpan -Start $startscript -End $stopscript).seconds "Seconds" -BackgroundColor Green -ForegroundColor Black
Write-Host ""
Write-Host ""