8 May 2022

Was the file downloaded?

If you’re ever tracking down where a suspicious file came from, it can be hard to determine whether it was downloaded off of the “dirty” internet or whether someone actually created the file locally on the machine. If you know how to check the file’s alternate data stream, it becomes pretty easy to determine whether it was in fact downloaded. Don’t know what the alternate data stream is, or how to check it? We can fix that.

First a little background. The “Zone Identifier Alternate Data Stream” is often referred to as the Mark-of-the-Web (MOTW). The MOTW was a security feature first introduced by Internet Explorer for determining how to run saved HTML webpages, and it has since been extended to many other file types. Whenever a file is downloaded, your browser implements MOTW by using a feature of the NTFS file system called the alternate data stream (ADS) to attach a second data stream to that file. The browser creates an ADS called “Zone.Identifier” and then writes the ZoneId into the stream to record where the file came from. The ADS is addressed as <file>:Zone.Identifier.

The ZoneId can have the following values:

  • 0. Local Computer
  • 1. Local Intranet
  • 2. Trusted Sites
  • 3. Internet
  • 4. Restricted Sites

Enough of the background… Let us get back to the hands-on part.

To check the file’s ADS and ZoneId from a command prompt, use the following syntax. The file we’re going to be checking is named file.ext

notepad file.ext:Zone.Identifier

Alternatively, to check the file with PowerShell, use either of the following cmdlets.

Get-Item .\file.ext -Stream *
Get-Content .\file.ext -Stream Zone.Identifier
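The two cmdlets above show the raw stream; the script below is an added example (not code from the original post) that reads the Zone.Identifier stream, parses it, and maps the ZoneId to the zone names listed earlier, so a folder of files can be triaged in one pass. It assumes an NTFS volume and Windows PowerShell 5.1 or PowerShell 7 on Windows. The ReferrerUrl and HostUrl fields are not mentioned in the post; current browsers write them alongside ZoneId, and the parser simply surfaces them when present. The sample file and its stream are constructed by the script itself.

```powershell
# Added example (not from the original post): read and interpret a file's Zone.Identifier ADS.
# Assumes NTFS and Windows PowerShell 5.1 / PowerShell 7 on Windows.

$ZoneNames = @{
    0 = 'Local Computer'
    1 = 'Local Intranet'
    2 = 'Trusted Sites'
    3 = 'Internet'
    4 = 'Restricted Sites'
}

function Get-MarkOfTheWeb {
    [CmdletBinding()]
    param(
        # Accepts Get-ChildItem output via its FullName property
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [Alias('FullName')]
        [string]$Path
    )
    process {
        $result = [ordered]@{
            Path        = $Path
            HasMotw     = $false
            ZoneId      = $null
            Zone        = 'no Zone.Identifier stream'
            ReferrerUrl = $null
            HostUrl     = $null
        }

        # Get-Item -Stream errors when the named stream is absent; treat that as "no MOTW".
        # Caveat: no stream is not proof the file was created locally. The ADS is lost when a
        # file is copied to FAT/exFAT media, and some archive tools do not propagate it.
        $stream = Get-Item -LiteralPath $Path -Stream Zone.Identifier -ErrorAction SilentlyContinue
        if ($stream) {
            $result.HasMotw = $true

            # The stream is a small INI-style block under a [ZoneTransfer] section: key=value lines
            $fields = @{}
            Get-Content -LiteralPath $Path -Stream Zone.Identifier | ForEach-Object {
                if ($_ -match '^\s*([^=\[;]+?)\s*=\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
            }

            if ($fields.ContainsKey('ZoneId')) {
                $id = [int]$fields['ZoneId']
                $result.ZoneId = $id
                $result.Zone   = if ($ZoneNames.ContainsKey($id)) { $ZoneNames[$id] } else { "unknown zone $id" }
            } else {
                $result.Zone = 'stream present but no ZoneId'
            }
            # Extra fields written by current browsers (absent on older downloads)
            $result.ReferrerUrl = $fields['ReferrerUrl']
            $result.HostUrl     = $fields['HostUrl']
        }
        [pscustomobject]$result
    }
}

# Constructed demo: stamp a temp file as if a browser had saved it from the Internet zone,
# then read it back. Set-Content -Stream writes the ADS the same way a browser does.
$sample = Join-Path $env:TEMP 'motw-demo.txt'
Set-Content -LiteralPath $sample -Value 'constructed sample content'
Set-Content -LiteralPath $sample -Stream Zone.Identifier -Value @(
    '[ZoneTransfer]'
    'ZoneId=3'
    'HostUrl=https://downloads.example.invalid/file.ext'   # constructed placeholder host
)
Get-MarkOfTheWeb -Path $sample | Format-List

# Triage a whole folder and keep only files that carry an Internet-zone mark:
# Get-ChildItem "$env:USERPROFILE\Downloads" -File | Get-MarkOfTheWeb | Where-Object ZoneId -eq 3
```

The function reports three distinct states (no stream, stream without a ZoneId, stream with a ZoneId) rather than a plain yes/no, because during an investigation "the mark was stripped" and "the file was never downloaded" are different conclusions and only the first two states leave that question open.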
10 April 2020

Manually force an Azure AD Connect sync

The Azure AD Connect tool has a default sync schedule that runs every 30 minutes. However, sometimes you need the changes you make to get synced NOW! So from time to time it’s necessary to manually force Azure AD Connect to run and sync your on-prem AD up to Azure AD. This can be done with PowerShell as either a full sync or a delta sync.

Open PowerShell.

If you’re running PowerShell on the server where AD Connect Sync resides, you can skip this step. Otherwise, connect to the AAD Connect Sync server by running the following command to create a PSRemoting session, replacing <SERVERNAME> with the name of your AD Connect server.

Enter-PSSession -ComputerName <SERVERNAME>

Import the ADSync module with the following command.

Import-Module ADSync

Run one of the following commands to manually force the sync.

For a Delta Sync (the most common use case):

Start-ADSyncSyncCycle -PolicyType Delta

For a Full Sync (less common):

Start-ADSyncSyncCycle -PolicyType Initial

If you used the “Enter-PSSession” command earlier, you need to exit that session; otherwise it stays open even after you close the console. To close the “PSSession”, use the following command:

Exit
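The steps above as one function, added here as an example and not code from the original post or from Microsoft’s ADSync module: it can be run directly on the AD Connect server or pointed at it remotely, refuses to start a second cycle while one is already running, and uses Invoke-Command so the remote session is always torn down (the scripted equivalent of the Enter-PSSession / Exit pair above). It assumes WinRM is enabled on the server and that the caller is allowed to run the ADSync cmdlets there; the server name in the usage line is a placeholder.

```powershell
# Added example (not from the original post): force an Azure AD Connect sync cycle safely.
# Assumes the ADSync module is installed on the target server and WinRM is reachable.

function Invoke-ForcedAadSync {
    [CmdletBinding()]
    param(
        # Leave empty when running directly on the AD Connect server.
        [string]$ComputerName,
        # Delta is the everyday case; Initial forces a full import and sync of every object.
        [ValidateSet('Delta', 'Initial')]
        [string]$PolicyType = 'Delta'
    )

    $work = {
        param([string]$PolicyType)
        Import-Module ADSync -ErrorAction Stop

        # Do not stack a second cycle on top of one that is already running.
        $scheduler = Get-ADSyncScheduler
        if ($scheduler.SyncCycleInProgress) {
            throw 'A sync cycle is already in progress; try again when it finishes.'
        }
        if (-not $scheduler.SyncCycleEnabled) {
            Write-Warning 'Scheduled sync is disabled on this server; running a one-off cycle anyway.'
        }
        Start-ADSyncSyncCycle -PolicyType $PolicyType
    }

    if ($ComputerName) {
        # Invoke-Command opens the remote session and closes it when the script block returns,
        # so nothing is left open if the script aborts part-way.
        Invoke-Command -ComputerName $ComputerName -ScriptBlock $work -ArgumentList $PolicyType
    } else {
        & $work $PolicyType
    }
}

# Usage (AADC01 is a placeholder for your AD Connect server):
# Invoke-ForcedAadSync -ComputerName AADC01 -PolicyType Delta
# Invoke-ForcedAadSync                   # when already on the server; Delta by default
```

Start-ADSyncSyncCycle only queues the cycle; the result object it returns tells you the request was accepted, not that the sync has finished. Check the Synchronization Service Manager, or call Get-ADSyncScheduler again and wait for SyncCycleInProgress to go back to false, before assuming the change has reached Azure AD.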

27 February 2020

Server Manager – Orphaned RDS

So I’ve seen this a couple times and I always forget how to handle it, so hopefully writing this down will help me remember for next time…

You are replacing some Remote Desktop Session Host (RDSH) servers with a newer server, and everything looks good-to-go. Back on your Remote Desktop Connection Broker (RDCB), you have Server Manager open, and you proceed to remove the old RDSH servers. Easy. You then go back to edit other properties in your RDS deployment and – BAM – you get an error message that states:

The following servers in this deployment are not part of the server pool:
1. <Old.RDSH.ServerName>
The servers must be added to the server pool

PowerShell to our rescue! On your RDCB, open up a PowerShell window as an Administrator. Run the command below.

PS C:\> Get-RDServer

This will return a list of all the Remote Desktop servers in your RDCB deployment, along with their installed roles. You should see your old, unwanted RDSH server in that list. Next, enter the command below to remove the orphaned RDSH server.

PS C:\> Remove-RDServer Old.RDSH.ServerName RDS-RD-SERVER

This will remove the ‘RDS-RD-SERVER’ role from that server. Now if you go back to your RDCB, and back to your deployment, everything should be back to normal. It is no longer expecting “Old.RDSH.ServerName” to be a server that Server Manager manages. In fact, at this point you should be able to remove it as a managed server.

Note: RDS is a complicated beast. The above-mentioned trick using PowerShell has worked for me the couple of times I’ve needed it in my scenario. However, your mileage may vary depending on your environment.
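The two commands above, wrapped so that the orphaned entries are listed first and each removal goes through -WhatIf / confirmation before anything changes. This is an added example, not code from the original post or from the RemoteDesktop module itself; it assumes it is run on the Connection Broker with the RemoteDesktop module present. “Listed as a session host but no longer answering a ping” is only a heuristic for “orphaned” (a host behind a firewall that drops ICMP would also match), so review the list before piping it into the removal function.

```powershell
# Added example (not from the original post): find and remove orphaned RDSH entries on the RDCB.
# Assumes the RemoteDesktop module is present and the script runs on the Connection Broker.

Import-Module RemoteDesktop -ErrorAction Stop

# FQDN of the local machine, which is what Get-RDServer/Remove-RDServer expect for the broker
$LocalFqdn = [System.Net.Dns]::GetHostEntry('').HostName

function Get-OrphanedRDSessionHost {
    [CmdletBinding()]
    param([string]$ConnectionBroker = $LocalFqdn)

    Get-RDServer -ConnectionBroker $ConnectionBroker |
        Where-Object { $_.Roles -contains 'RDS-RD-SERVER' } |
        # Heuristic: the deployment still lists the host but it no longer answers on the network
        Where-Object { -not (Test-Connection -ComputerName $_.Server -Count 1 -Quiet) } |
        Select-Object Server, Roles
}

function Remove-OrphanedRDSessionHost {
    [CmdletBinding(SupportsShouldProcess, ConfirmImpact = 'High')]
    param(
        [Parameter(Mandatory, ValueFromPipelineByPropertyName)]
        [string]$Server,
        [string]$ConnectionBroker = $LocalFqdn
    )
    process {
        # Remove only the session host role; any other role the entry holds is left alone.
        if ($PSCmdlet.ShouldProcess($Server, 'Remove RDS-RD-SERVER role from the RDS deployment')) {
            Remove-RDServer -Server $Server -Role RDS-RD-SERVER -ConnectionBroker $ConnectionBroker -Force
        }
    }
}

# Dry run first (prints what would be removed, changes nothing), then the real run, which
# prompts for each server because ConfirmImpact is High:
# Get-OrphanedRDSessionHost | Remove-OrphanedRDSessionHost -WhatIf
# Get-OrphanedRDSessionHost | Remove-OrphanedRDSessionHost
```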

23 January 2020

Migrating NPS Configuration

I recently had to migrate some services from an old Windows 2008 server to Windows 2016. One of those services was a Network Policy Server (NPS) service, which acts as the RADIUS server that authenticates users into some of our more secure resources.

I was kind of dreading the task, as I had no recollection of how I had configured it, some five or more years ago. My initial search on the subject landed me on this Microsoft documentation site, which was very informative. Luckily, the task of exporting and migrating your NPS configuration to import onto another server is quite simple. It can all be done with a few lines at a command prompt and a single XML file.

In Windows 2008 or 2008 R2, you use ‘netsh’.
In Windows 2012 and above, you can use PowerShell or ‘netsh’.

Both methods are equally simple; it really just comes down to which version of Windows Server you are migrating from.

Export and Import the NPS configuration by using Netsh

Log in to your source NPS server with your administrative credentials.

Open a ‘Command Prompt’ as an administrator, type netsh, and then hit Enter.

At the netsh prompt, type nps, and then hit Enter.

At the netsh nps prompt, type export filename="<path>\<filename>.xml" exportPSK=YES
Update <path> with the folder location where you want to save your configuration file. The path can be relative or absolute, or it can be a UNC path.
Update <filename> with what you want to name your xml file.

After you press Enter, you’ll see a message showing whether the export was successful or not.

Copy the xml file you created to the destination NPS server.

Open a ‘Command Prompt’ as an administrator on the destination NPS server. Type the following command, then hit Enter. netsh nps import filename="<path>\<file>.xml"
A message will appear to show whether the import was successful or not.

Export and Import the NPS configuration by using Windows PowerShell

Log in to your source NPS server with your administrative credentials.

Open a ‘PowerShell window’ as an administrator, type the following command, and then hit Enter. Export-NpsConfiguration -Path c:\NPSconfig.xml

There is no message after the command completes, but if you check your path location, you should see your xml file.

After you have exported the NPS configuration to a file, copy the file to the destination NPS server. I’m copying mine to the root of the c:\ so it’s easy to find.

Open a ‘PowerShell window’ as an administrator on the destination server. Type the following command, and then hit Enter, to import your configuration.

Import-NpsConfiguration -Path "c:\NPSconfig.xml"
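Both procedures above (netsh on 2008/2008 R2, the NPS cmdlets on 2012 and later) as a pair of functions with the checks you want when moving a RADIUS configuration between servers. This is an added example, not code from the original post or from Microsoft’s NPS module. The export picks Export-NpsConfiguration when the cmdlet exists and otherwise runs the netsh command from the first procedure non-interactively; it verifies the file is well-formed XML, writes a SHA-256 beside it so the destination can detect a corrupted or partial copy, and tightens the file ACL. That last step matters because exportPSK=YES and Export-NpsConfiguration both write the RADIUS shared secrets into the XML in clear text, so the file should be readable by administrators only and deleted once it has been imported. The import side verifies the hash, takes a backup of the destination’s current configuration, then imports; file names are placeholders.

```powershell
# Added example (not from the original post): NPS configuration migration with integrity and
# secret-handling checks. Assumes the NPS role is installed on both servers; on Windows Server
# 2008/2008 R2 the export falls back to netsh because the NPS cmdlets do not exist there.

function Export-NpsConfigWithHash {
    [CmdletBinding()]
    param([Parameter(Mandatory)][string]$Path)

    if (Get-Command Export-NpsConfiguration -ErrorAction SilentlyContinue) {
        Export-NpsConfiguration -Path $Path                     # Windows Server 2012 and later
    } else {
        # Windows Server 2008 / 2008 R2: same operation via netsh, run non-interactively
        $out = netsh nps export filename="$Path" exportPSK=YES
        if ($LASTEXITCODE -ne 0) { throw "netsh nps export failed: $out" }
    }
    if (-not (Test-Path -LiteralPath $Path)) { throw "Export did not produce $Path" }

    # Make sure the export is well-formed XML before shipping it anywhere
    $null = [xml](Get-Content -LiteralPath $Path -Raw)

    # Record a SHA-256 beside the file so the destination can verify the copy
    $hash = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    Set-Content -LiteralPath "$Path.sha256" -Value $hash

    # The XML contains RADIUS shared secrets in clear text: drop inherited ACEs and grant
    # Full control to Administrators (S-1-5-32-544) and SYSTEM (S-1-5-18) only.
    icacls "$Path" /inheritance:r /grant:r '*S-1-5-32-544:F' '*S-1-5-18:F' | Out-Null

    [pscustomobject]@{ Path = $Path; Sha256 = $hash }
}

function Import-NpsConfigWithHash {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$Path)

    # Detects a truncated or corrupted copy (it is not a defence against a malicious editor,
    # who could rewrite the .sha256 file too; transport the pair over an authenticated channel).
    $expected = (Get-Content -LiteralPath "$Path.sha256" -Raw).Trim()
    $actual   = (Get-FileHash -LiteralPath $Path -Algorithm SHA256).Hash
    if ($actual -ne $expected) { throw "Hash mismatch: $Path differs from what was exported" }

    # Back up the destination's current configuration so the import can be reversed
    $backup = Join-Path $env:ProgramData ("nps-backup-{0:yyyyMMdd-HHmmss}.xml" -f (Get-Date))
    Export-NpsConfiguration -Path $backup
    Write-Verbose "Previous configuration saved to $backup"

    if ($PSCmdlet.ShouldProcess($Path, 'Import NPS configuration')) {
        Import-NpsConfiguration -Path $Path
        # Do not leave a clear-text copy of the shared secrets lying around
        Remove-Item -LiteralPath $Path, "$Path.sha256" -Force
    }
}

# On the source server (placeholder path):
# Export-NpsConfigWithHash -Path 'C:\NPSconfig.xml'
# Copy C:\NPSconfig.xml and C:\NPSconfig.xml.sha256 to the destination, then there:
# Import-NpsConfigWithHash -Path 'C:\NPSconfig.xml' -Verbose
```

The backup taken on the destination is itself a secrets-bearing file, so give it the same treatment as the export once you are satisfied the migrated configuration works.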