Saturday, 5 April 2025

change UPN for M365 migration

A company with nearly 25k identities (over 30k accounts; many persons or identities have a few accounts). Now in the process of the big jump to the cloud: Exchange Online and SharePoint Online.
And Houston, we have a problem.
On-premise users use sAMAccountNames (in 3 domains); as you may remember, users can have more than one account, so only one account should be synchronized to Azure. So we had to use emails as UPN (in ADFS) and during synchronization (email is synced as UPN to Azure by AADC/Entra Connect). To complicate the whole picture, users can be switched between their accounts and between domains and, last but not least, account names (sAMAccountNames) can be changed (an old app requirement). So, if emails are unique, we could plan to use emails as UPN (one of the possible scenarios described on Technet/Microsoft). Only one account per user is synchronised (filtering) and it almost worked with Teams, but now we are making the big leap to the cloud.
What's wrong? After the first steps toward hybrid we have a problem with employees who have access to more than one mailbox. Still, without migrated mailboxes, they start receiving logon requests (form-based login in Outlook) expecting a valid email address. But, as you may remember, we have a separate UPN on premise (one of three possible, because we have three domains) which is different from the email address and from the UPN in Azure, because the UPN in Azure is our email, but the user is receiving a prompt with the on-premise UPN, which is different from the email.
To complete the picture, you should know that we had blocked some traffic to the outlook.com and outlook.net domains, but we have to enable it for SharePoint Online to work properly. We also had to set (enforce) a registry setting to avoid using M365 autodiscover... I think this is the whole picture...
So we can synchronize UPN with emails, but:
  • at first look we can recognize a few apps with invalid access due to the UPN change
  • if a user provides a valid email, Outlook will work properly
  • we don't know what will be affected by this change; we have 300-400 apps, so the impact is unknown
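Before flipping UPNs to the mail value it is worth checking the assumptions the plan rests on (every synced account has a mail, mail is unique across the three domains, and every mail suffix is a domain the tenant can accept). The script below is an added example, not something from the original post; the domain names are placeholders and the CSV path is arbitrary. It only reports, it changes nothing.

```powershell
# Added example: audit users across the three on-premise domains before changing UPN to mail.
# Domain names are placeholders (assumption); the script is report-only.
Import-Module ActiveDirectory

$Domains = @('corp-a.example', 'corp-b.example', 'corp-c.example')   # placeholders

$users = foreach ($d in $Domains) {
    Get-ADUser -Server $d -Filter 'Enabled -eq $true' -Properties mail, userPrincipalName |
        Select-Object @{ n = 'Domain'; e = { $d } }, sAMAccountName, userPrincipalName, mail
}

# 1. accounts without a mail attribute cannot receive mail as UPN
$noMail = @($users | Where-Object { [string]::IsNullOrWhiteSpace($_.mail) })

# 2. the same mail on more than one account (in any domain) breaks the "mail is unique" assumption
$dupMail = @($users | Where-Object { $_.mail } |
    Group-Object { $_.mail.ToLowerInvariant() } | Where-Object Count -gt 1)

# 3. accounts whose UPN already differs from mail: these are the ones the change would touch
$mismatch = @($users | Where-Object { $_.mail -and ($_.userPrincipalName -ne $_.mail) })

# 4. every mail suffix must be a verified domain in the tenant, otherwise Entra Connect
#    rewrites the cloud UPN to the onmicrosoft.com fallback domain
$mailSuffixes = $users | Where-Object { $_.mail } |
    ForEach-Object { ($_.mail -split '@')[1].ToLowerInvariant() } | Sort-Object -Unique

'Users: {0}  no mail: {1}  duplicate mail values: {2}  UPN<>mail: {3}' -f `
    $users.Count, $noMail.Count, $dupMail.Count, $mismatch.Count
'Mail suffixes in use (compare with the verified domains in the Entra admin center):'
$mailSuffixes

$mismatch | Export-Csv -Path .\upn-mail-mismatch.csv -NoTypeInformation
$dupMail | ForEach-Object { $_.Group } | Export-Csv -Path .\duplicate-mail.csv -NoTypeInformation
```

The two CSV files are the input for the application owners: the mismatch list is the set of accounts whose sign-in name will change, and the duplicate list must be empty before the change can be made at all. Only after both are clean does a `Set-ADUser -UserPrincipalName` run (first with `-WhatIf`) make sense, and only for the accounts that are in the Entra Connect sync scope.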

Monday, 3 March 2025

SQL MA schema refresh error

SQL MA failed to retrieve the schema with error 0x80231100. For me the solution was simple: add the port to the SQL server name (replacement of the old server and tests with a new server). So changing someSQL.some.domain to someSQL.some.domain,4773 is enough to refresh the schema.

Saturday, 1 March 2025

DNS record timestamp in Active Directory partition

How to force AD to replicate timestamps? I can't use scavenging: too many different objects, huge risk of data loss, and I can't force every device to re-register.
The idea of enabling scavenging on the zone is useless: as long as I don't run it at the server level, this setting is useless.
The only way is to remove stale records tracked by timestamp, distributed across thirty domain controllers (in four domains). We can recognize records from workstations (laptops, PCs and virtual desktops) by IP addresses, but how can it be automated?
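One way to get a reliable stale list without scavenging is to read the zone from every DNS server that hosts it, keep the newest timestamp seen for each name/IP pair, and filter on age and on the workstation subnets. The script below is an added example and not the author's code; zone name, server list and subnet prefixes are placeholders. It reports only and deletes nothing.

```powershell
# Added example: find stale dynamic A records of one AD-integrated zone across several DCs.
# Zone, server names and subnet prefixes are placeholders (assumption). Report-only.
Import-Module DnsServer

$ZoneName        = 'corp.example'                                  # placeholder
$DnsServers      = @('dc01.corp.example', 'dc02.corp.example')     # placeholders; use all DCs hosting the zone
$WorkstationNets = @('10.10.', '10.20.')                           # placeholder IP prefixes of workstation ranges
$StaleDays       = 60

$records = foreach ($srv in $DnsServers) {
    Get-DnsServerResourceRecord -ComputerName $srv -ZoneName $ZoneName -RRType A |
        Where-Object { $_.Timestamp } |    # static records have no timestamp and are never stale
        ForEach-Object {
            [pscustomobject]@{
                Name      = $_.HostName
                IP        = $_.RecordData.IPv4Address.IPAddressToString
                Timestamp = $_.Timestamp
                SeenOn    = $srv
            }
        }
}

# The same record can carry different timestamps on different DCs; the newest one wins.
$latest = $records | Group-Object Name, IP | ForEach-Object {
    $_.Group | Sort-Object Timestamp -Descending | Select-Object -First 1
}

$cutoff = (Get-Date).AddDays(-$StaleDays)
$stale = $latest | Where-Object {
    $rec = $_
    $rec.Timestamp -lt $cutoff -and ($WorkstationNets | Where-Object { $rec.IP.StartsWith($_) })
}

'{0} dynamic A records, {1} stale workstation records older than {2} days' -f `
    $latest.Count, @($stale).Count, $StaleDays
$stale | Sort-Object Timestamp | Export-Csv -Path .\stale-a-records.csv -NoTypeInformation
```

The CSV is the review list. Deleting is a separate, deliberate step: `Remove-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -Name <host> -RecordData <ip>` per row, run with `-WhatIf` first, and only after the list has been checked against DHCP leases and the asset inventory, because a laptop that has been offline for two months still comes back with the same name.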

Monday, 16 December 2024

stupid office.com as a blank page

I don't know how or why, but for some time I had the blank page in Edge set to office.com. It was set without a reason and with no option to change it in settings. At first I thought to download the ADMX package, because in local policy I couldn't find settings for Edge. Today I came to my senses and in the registry I removed NewTabPageLocation pointing to office.com in the computer policy settings under Software/Microsoft/Policies...

Still no solution; only a forced gpupdate helps.

Monday, 9 December 2024

huge NetBIOS traffic

According to this link from Spiceworks, maybe some old printer is causing huge network traffic on NetBIOS (137 TCP/UDP):
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers*oldservername*

I've got such a scenario: nearly 20k workstations with some missing printers causing huge network (NetBIOS) traffic. Maybe they are responsible for it?
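To check that hypothesis on one machine before touching 20k of them, list the print servers cached under the key above and see which of them no longer resolve in DNS: a name that does not resolve is exactly what the client falls back to NetBIOS for. The script below is an added example, not from the post or from Spiceworks; the Printers subkey layout under each server key is assumed, and the script reports only.

```powershell
# Added example: audit the Client Side Rendering Print Provider server cache on this workstation.
# Assumption: each server key holds a 'Printers' subkey with one entry per cached printer.
# Report-only; removing a stale server is a separate, deliberate step.
$base = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Print\Providers\Client Side Rendering Print Provider\Servers'

$result = foreach ($srvKey in Get-ChildItem -Path $base -ErrorAction SilentlyContinue) {
    $name     = $srvKey.PSChildName
    $printers = @(Get-ChildItem -Path "$($srvKey.PSPath)\Printers" -ErrorAction SilentlyContinue).Count
    # -DnsOnly keeps LLMNR/NetBIOS out of the test so we measure DNS alone
    $resolves = [bool](Resolve-DnsName -Name $name -DnsOnly -ErrorAction SilentlyContinue)
    [pscustomobject]@{
        Server        = $name
        CachedPrinters = $printers
        ResolvesInDns = $resolves
    }
}

$result | Sort-Object ResolvesInDns, Server | Format-Table -AutoSize
# Servers that no longer resolve are the candidates behind the port 137 noise
$result | Where-Object { -not $_.ResolvesInDns } | Export-Csv -Path .\stale-print-servers.csv -NoTypeInformation
```

Run it on a handful of the noisiest workstations (from the network capture) first; if the same non-resolving server names show up everywhere, that is the list to remove from the cache via a scheduled script or GPO, rather than guessing from the traffic alone.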