User Profile
mrizzi2
Recent Discussions
Re: Help with necessary information missing in the BCD
Hi there Dave, thank you for your reply. It is very much appreciated. I would like to apologize for my delayed response. I confirm that we will go ahead and demote it to member server in the first instance. I really hope we manage to solve this issue by demoting to member server. At least the Veeam Agent for Microsoft Windows won't need to deal with disabling DC SafeBoot mode anymore as part of backing up the Domain Controller. Regarding the possibility of standing up a new one for replacement, unfortunately the affected server is a physical box located in a remote site. As a result, I am afraid I might need to try to take a deeper look into the issue (should it persist after the demotion to member server) as it is not so immediate to replace the box.
Kind Regards, Massimiliano

Help with necessary information missing in the BCD
Hello Community and good day, I am requesting assistance with an issue we started seeing lately with regards to a physical domain controller server running Microsoft Windows Server 2012 R2. Basically, bcdedit cannot run properly and it is causing a Veeam Agent for Microsoft Windows backup job to fail with the following error:
==================================================
20/10/2022 16:17:48 :: Error: Failed to disable DC SafeBoot mode Cannot get [BcdObject.Id="{9dea862c-5cdd-4e70-acc1-f32b344d4795}",StoreFilePath=""] object. COM error: Code: 0xd0000001
==================================================
There have been no changes to the affected server; the issue just started out of the blue. As part of the initial troubleshooting, we noticed that the affected server is missing the registry key "HKEY_LOCAL_MACHINE\BCD00000000" and that the Msconfig Startup Selection is set to "Selective Startup". We are getting the error message I have attached when trying to select "Normal startup":
==================================================
==================================================
Any observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards, Massimiliano Rizzi

Re: Azure AD Connect V1 post-uninstallation: can we safely remove the old Connector accounts ?
Hi there Dominik, thank you for your reply. It is very much appreciated. I confirm that the new AADConnect server is using different accounts in the on-prem AD as well as in Azure AD. I have also noticed that the following groups were created by the Azure AD Connect V1 installer: "ADSyncAdmins", "ADSyncBrowse", "ADSyncOperators" and "ADSyncPasswordSet". These groups were created as Active Directory domain groups as the old Azure AD Connect V1 server was previously installed on a domain controller. I believe it is safe to go ahead and remove them manually as the new Azure AD Connect V2 server is installed on a dedicated member server?
Thanks and Regards, Massimiliano Rizzi

Azure AD Connect V1 post-uninstallation: can we safely remove the old Connector accounts ?
Hello experts, hope your week is off to a good start. Please consider a scenario where Azure AD Connect V1 has been migrated successfully to a new Azure AD Connect V2 server using a swing migration. The old Azure AD Connect server has been shut down for a couple of weeks (just in case) and then it has been uninstalled. The wizard has uninstalled the various supporting components (Microsoft Azure AD Connect Health agent for sync, Microsoft Azure AD Connect synchronization services, and Microsoft SQL Server); however, it appears that the uninstaller removes neither the old on-prem AD DS Connector account nor the old Azure AD Connector account in the cloud. Is it safe to go ahead and remove them both manually? Are we required to perform other cleanup tasks as part of removing the old Azure AD Connect V1 server? Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards, Massimiliano

Question regarding Microsoft-Windows-Hyper-V-Worker Event ID 18504
Hello experts, so, I have a question that is puzzling me regarding Microsoft-Windows-Hyper-V-Worker Event ID 18504 in a scenario where the Hyper-V Guest Shutdown Service (vmicshutdown/hv_utils) is used in order to allow the host to trigger virtual machine shutdown. Can anybody please clarify if Event ID 18504 is written to the Microsoft-Windows-Hyper-V-Worker event log:
==================================================
1. Only when a given Virtual Machine is actually shut down (i.e. the previously running workload is actually terminated on the Hyper-V host itself)
2. When the command to shut down a running Virtual Machine is issued. Because of that, it does not necessarily mean that the previously running workload is actually terminated on the Hyper-V host itself. For example, if there is an issue with the Hyper-V Integration Services service inside the Guest OS, there may be a delay or a failure to shut down the machine
==================================================
Any suggestions and thoughts will be greatly appreciated.
Thanks and Regards, Massimiliano

Is it possible to achieve a more secure user authentication and authorization with on-prem Exch ?
Hello experts, consider a scenario where medium sized companies are still running a supported version of Exchange 2013 or newer On-Prem and for whatever reason are reluctant to commit to Office 365, for example because they invested a lot of money in Microsoft Exchange and infrastructure licenses over the last years. At the same time, these companies have realized the need to plan for and implement a more secure user authentication and authorization with the on-prem Exchange server. The main concern here is the recent critical Exchange Server vulnerabilities due to Exchange endpoints being exposed to the outside world. I've been digging through a lot of information to get a clear high level answer on this subject, and here are some of the conclusions I have so far (please correct me if I'm wrong at any point):
==================================================
1 – Microsoft does not provide any on-prem solution that can be integrated with an on-prem Exchange server in order to implement a more secure user authentication and authorization with the latter
2 – Some third parties provide solutions (Cisco Duo and Kemp LoadMaster to name a couple) that can be integrated with an on-prem Exchange server, but unfortunately these solutions seem to be restricted to a subset of the Exchange endpoints exposed to the outside world. For example, they cannot add two-factor authentication to the ActiveSync or Outlook Anywhere endpoints
3 – Microsoft provides Hybrid modern authentication with Exchange 2013 or newer On-Prem, however it is not clear to me if HMA offers a more secure user authentication and authorization not only for OWA, but also for other endpoints such as ActiveSync or Outlook Anywhere
==================================================
To summarize, I am looking for a 10,000 feet overview of the various possibilities for a more secure user authentication and authorization with on-prem Exchange servers. Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards, Massimiliano

Question regarding Exchange 2013 and the /PrepareSchema needed for CVE-2021-34470
Hello experts, just a quick question here with regards to Exchange 2013 and the /PrepareSchema needed in addition to the application of the July 2021 security updates for CVE-2021-34470. Will it require any downtime of the Exchange Server, so that it is advised to run the command during a maintenance window or outside of production hours?
Thanks and Regards, Massimiliano

Question around joining Windows Server VMs to Azure AD
Hello experts, one of our customers has just adopted a new on-prem Hyper-V host running Windows Server 2019. It will be used to run a few VMs such as a SQL Server, an application server and a small RDS farm (for which Active Directory is required to enable full RDS functionality based on my knowledge). Currently our customer has no existing on-prem infrastructure in place. In fact, all users have an Office 365 license and their computers are joined to Azure AD. I am seeking technical advice in order to check whether:
==================================================
1) It is possible to join the new VMs to Azure AD in a way that Azure AD can actually be the complete replacement for the on-prem AD (which I doubt)
2) It is not possible to completely replace the on-prem AD and join the new VMs to Azure AD. As a result, at least one domain controller will need to be implemented on-prem along with the other VMs on the new Hyper-V host
==================================================
Unfortunately, running the new VMs in the cloud is not currently an option. Any help will be greatly appreciated.
Thanks and Regards, Massimiliano

Is it possible to move OWA in a new dedicated DMZ/perimeter network ?
Hello Team, we are a Microsoft Partner and we are opening this Case on behalf of an existing customer which is currently running a Microsoft Exchange Server 2013 On-Prem. In order to maintain and expand the existing business with a car manufacturer, the latter has instructed a third-party to conduct an IT audit and security assessment. Based on the results from the IT Audit, one of the recommendations is to move OWA in a new dedicated DMZ/perimeter network. Basically, our customer has been asked to pull the Microsoft Exchange Server 2013 from the internal network. I believe that the main concern here is the recent critical Exchange Server vulnerabilities due to OWA being exposed to the Internet as a Web application and, as a result, being prone to attacks (I would say more now than in the past). Based on my knowledge, it is my understanding that moving OWA in a dedicated DMZ/perimeter network is not feasible/supported as we can only put the edge server in the DMZ, while we cannot put a CAS server in the DMZ (and OWA connects to the Exchange server from the CAS server). Could you please clarify whether:
==================================================
1) We are wrong about this, and provide us with Microsoft's recommended approach in order to achieve this and move OWA in a new dedicated DMZ/perimeter network
2) We are right about this, and provide us (at a high level) with the possibilities we can explore in order to try our best to comply with the recommendations provided by the third-party IT auditor
==================================================
Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards, Massimiliano

Questions regarding a pilot to Office 365 from an On-Prem Lotus Domino
Hello experts, we're about to start a pilot as part of planning a migration to Office 365 for a customer which is currently using an On-Prem Lotus Domino. We will be piloting just a handful of the users on the On-Prem Lotus Domino and this will be our first migration to Office 365 from an On-Prem Lotus Domino. We have a clear understanding of all the DNS settings we need to have in place in order to start the pilot as we have set up Hybrid other times in the past. I would like to check with you if our plan below makes sense to you and if, out of courtesy, you could provide additional observations/recommendations:
==================================================
1 – MX records will still be pointing back to the On-Prem Lotus Domino and not to Office 365
2 – we'll configure forwarding to ensure that email intended for the pilot users will be forwarded correctly to Office 365 using the onmicrosoft.com domain
3 – we've configured the domain as an Internal Relay (instead of Authoritative) in Office 365 as Exchange Online is not going to have knowledge of all the mailboxes on the On-Prem Lotus Domino
4 – we're planning on using BitTitan to migrate all mailbox data to Office 365
==================================================
In order to make sure that mail flow is working correctly between Office 365 and the On-Prem Lotus Domino, we are planning to:
==================================================
1 – set up a connector in order for Office 365 to trust email coming from the On-Prem Lotus Domino. At least initially, most likely we will specify the public IP address of the Internet-facing On-Prem email server as our customer does not currently have a certificate from a third-party trusted CA installed on the On-Prem email server
2 – as we will not be setting up Hybrid, my understanding is that Internal Relay will deliver back to the On-Prem mailboxes using the MX record and that, as a result, a connector in order for Office 365 to deliver email back to the On-Prem Lotus Domino is not strictly needed. Is my understanding correct?
==================================================
Any additional observations/recommendations on this matter will be greatly appreciated.
Thanks and Regards, Massimiliano