<<<>>>
On the existing DHCP server
Open PowerShell and run the following command
Export-DhcpServer -ComputerName "DC01.omanconvention.com" -File "C:\Media\DHCP\dhcpexport.xml" -Force -Verbose
Copy the file dhcpexport.xml to the new DHCP Server
Install and configure the DHCP role on new DHCP Server
Start the DHCP service
Run the following command in PowerShell to import the DHCP data
Import-DhcpServer -ComputerName "DHCP01.omanconvention.com" -File "C:\Media\DHCP\dhcpexport.xml" -BackupPath "C:\Media\DHCP\" -ScopeOverwrite -Force -Verbose
Restart the DHCP service
Verify the DHCP Scopes
<<<<>>>
001 Microsoft Disable Netbios Option 0x2
003 Router
006 DNS Servers
015 DNS Domain Name omanconvention.com
How to disable NetBIOS over TCP/IP by using DHCP server options
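A post-import check for the migration steps and options above, as an added example that is not part of the original notes. It compares scope IDs between the old and new server and reports whether option 001 is set to 0x2 for each scope; the vendor class name "Microsoft Windows 2000 Options" is an assumption (the Windows default class that carries this option).

```powershell
# Added example: verify scopes after Import-DhcpServer and confirm the
# NetBIOS-disable vendor option survived the migration.
# Server names come from the notes above; the vendor class name is an assumption.
Import-Module DhcpServer

function Test-DhcpMigration {
    param(
        [string]$OldServer   = 'DC01.omanconvention.com',
        [string]$NewServer   = 'DHCP01.omanconvention.com',
        [string]$VendorClass = 'Microsoft Windows 2000 Options'
    )
    $old = Get-DhcpServerv4Scope -ComputerName $OldServer
    $new = Get-DhcpServerv4Scope -ComputerName $NewServer

    # Scopes present on the old server but missing on the new one
    $newIds  = @($new | ForEach-Object { $_.ScopeId.IPAddressToString })
    $missing = @($old | ForEach-Object { $_.ScopeId.IPAddressToString }) |
        Where-Object { $_ -notin $newIds }
    foreach ($id in $missing) { Write-Warning "Scope $id was not imported" }

    foreach ($scope in $new) {
        # Option 001 in the vendor class; value 2 (0x2) disables NetBIOS over TCP/IP
        $opt = Get-DhcpServerv4OptionValue -ComputerName $NewServer -ScopeId $scope.ScopeId `
                   -VendorClass $VendorClass -OptionId 1 -ErrorAction SilentlyContinue
        # Fall back to the server-level value when the scope does not set its own
        if (-not $opt) {
            $opt = Get-DhcpServerv4OptionValue -ComputerName $NewServer `
                       -VendorClass $VendorClass -OptionId 1 -ErrorAction SilentlyContinue
        }
        [pscustomobject]@{
            ScopeId         = $scope.ScopeId
            State           = $scope.State
            NetBiosOption   = if ($opt) { $opt.Value -join ',' } else { 'not set' }
            # The cast accepts both "2" and "0x2" as returned by the cmdlet
            NetBiosDisabled = [bool]($opt -and ([int64]$opt.Value[0] -eq 2))
        }
    }
}

Test-DhcpMigration | Format-Table -AutoSize
```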
<<<<>>>>
Verify Current AD Schema
Get-ADObject (Get-ADRootDSE).schemaNamingContext -Property objectVersion
AD version objectVersion
Windows Server 2000 13
Windows Server 2003 30
Windows Server 2003 R2 31
Windows Server 2008 44
Windows Server 2008 R2 47
Windows Server 2012 56
Windows Server 2012 R2 69
Windows Server 2016 87
Windows Server 2019 88
Windows Server 2022 88
Windows Server 2025 91
Verify the FSMO Role Holders
From Windows Server Media, copy Support folder to a Schema Master
Open command prompt in elevated mode and navigate to location of Support folder c:\Media\Support\adprep
Run "adprep.exe /forestprep"
Run "adprep.exe /domainprep"
This will upgrade the Schema and Domain-wide information. This process will create two log files, ADPrep.log and ldif.log, under c:\windows\debug\adprep\logs\yyyymmddhhmmss
ADPrep.log will show the successful upgrade of the Schema and ldif.log will show the attributes which have been added to the schema
Run "adprep /domainprep /gpprep"
Run "adprep /rodcprep"
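A check to run before and after adprep, as an added example that is not part of the original notes. It lists the FSMO role holders and asks every domain controller in the current domain for its own copy of the schema objectVersion, so a DC that has not yet replicated the upgrade stands out; the expected version is an assumption to be taken from the table above.

```powershell
# Added example: FSMO holders plus per-DC schema version.
# $ExpectedVersion is an assumption: pick it from the objectVersion table above.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Get-SchemaVersionPerDC {
    param([int]$ExpectedVersion = 88)   # 88 = Windows Server 2019/2022 in the table above

    $schemaNC = (Get-ADRootDSE).schemaNamingContext
    # Get-ADDomainController -Filter * returns the DCs of the current domain only
    foreach ($dc in Get-ADDomainController -Filter *) {
        try {
            # Query this DC directly instead of whichever DC the session is bound to
            $v = (Get-ADObject $schemaNC -Server $dc.HostName `
                      -Properties objectVersion -ErrorAction Stop).objectVersion
        } catch {
            $v = $null   # DC unreachable: report it rather than stop the loop
        }
        [pscustomobject]@{
            DomainController = $dc.HostName
            Site             = $dc.Site
            ObjectVersion    = $v
            UpToDate         = ($v -eq $ExpectedVersion)
        }
    }
}

Get-FsmoHolders | Format-List
Get-SchemaVersionPerDC -ExpectedVersion 88 | Format-Table -AutoSize
```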
<<<<>>>>
LSA
How to troubleshoot high Lsass.exe CPU utilization on Active Directory Domain Controllers
Antivirus Exclusions for Veeam Backup & Replication
VSS Errors Related to the 'NTDS' VSS Writer
Virus scanning recommendations for Enterprise computers that are running Windows or Windows Server (KB822158)
Windows Malicious Software Removal Tool 64-bit
https://www.microsoft.com/en-us/download/details.aspx?id=9905
Configure added LSA protection
KB5020805: How to manage Kerberos protocol changes related to CVE-2022-37967
LSASS Memory
https://redcanary.com/threat-detection-report/techniques/lsass-memory/
Microsoft Sysmon, OS Credential Dumping: LSASS Memory
TryHackMe: Sysmon Complete Walkthrough (SOC Level 1)
https://www.jalblas.com/blog/tryhackme-sysmon-walkthrough-soc-level-1/
https://github.com/SwiftOnSecurity/sysmon-config
Troubleshooting High LSASS CPU Utilization on a Domain Controller (Part 1 of 2)
Troubleshooting High LSASS CPU Utilization on a Domain Controller (Part 2 of 2)
How to Fix “LSA Package is Not Signed as Expected” Warning in Windows 11
https://www.ninjaone.com/blog/fix-lsa-package-is-not-signed-as-expected/
LSA Protection Bypass/Detection
https://medium.com/h7w/lsa-protection-bypass-detection-16e8db3ab66c
Detecting Advanced Process Tampering Tactics with Sysmon v13
https://blog.netwrix.com/2023/07/06/sysmon-13-process-tampering-detection/
<<<<>>>>
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe"
Get-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Control\Lsa"
Operational log under Applications and Services Logs > Microsoft > Windows > CodeIntegrity
Operational log under Applications and Services Logs > Microsoft > Windows > LSA
System log under Windows Logs
vssadmin list writers
Verify the state of NTDS Writer is Stable
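The registry keys and event logs listed above, read in one pass, as an added example that is not part of the original notes. The value names (RunAsPPL, AuditLevel), event IDs and the Wininit provider name follow Microsoft's "Configure added LSA protection" article rather than anything on this page; run it elevated on the server being checked.

```powershell
# Added example: summarise LSA protection state from the two registry keys
# above and pull the related events from the CodeIntegrity and System logs.
function Get-LsaProtectionState {
    $lsa  = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa' -ErrorAction SilentlyContinue
    $ifeo = Get-ItemProperty -ErrorAction SilentlyContinue -Path `
        'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\LSASS.exe'

    if     ($lsa.RunAsPPL -eq 1) { $mode = 'Enabled (with UEFI variable)' }
    elseif ($lsa.RunAsPPL -eq 2) { $mode = 'Enabled (without UEFI variable)' }
    else                         { $mode = 'Not enabled' }

    [pscustomobject]@{
        RunAsPPL   = $lsa.RunAsPPL
        Protection = $mode
        AuditMode  = ($ifeo.AuditLevel -eq 8)   # AuditLevel 8 = audit mode for LSASS plug-ins
    }
}

function Get-LsaProtectionEvents {
    param([int]$Days = 7)
    $since = (Get-Date).AddDays(-$Days)
    # 3065/3066: audit mode, a plug-in failed the shared-section or signing check
    # 3033/3063: enforcement, a plug-in was blocked from loading into LSASS
    $ci = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'Microsoft-Windows-CodeIntegrity/Operational'
        Id = 3065, 3066, 3033, 3063; StartTime = $since }
    # Wininit event 12 (System log): LSASS started as a protected process
    $wininit = Get-WinEvent -ErrorAction SilentlyContinue -FilterHashtable @{
        LogName = 'System'; ProviderName = 'Microsoft-Windows-Wininit'
        Id = 12; StartTime = $since }
    @($ci) + @($wininit) | Where-Object { $_ } | Sort-Object TimeCreated |
        Select-Object TimeCreated, Id, ProviderName, Message
}

Get-LsaProtectionState | Format-List
Get-LsaProtectionEvents -Days 7 | Format-Table -Wrap
```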
<<<<>>>>
Exchange Update
<<<<<<<<>>>>>>>>
Download CU setup from Microsoft Download Center
Exchange 2019 CU15 setup requires .NET Framework 4.8.1
Check the installed .NET Framework version and update it, or block/unblock it, based on compatibility with the Exchange CU
For instance to block automatic installation of .NET Framework 4.91 through Windows Update on Windows 2019 Server OS
REG ADD "HKEY_LOCAL_MACHINE\Software\Microsoft\NET Framework Setup\NDP\WU" /v BlockNetFramework491 /t REG_DWORD /d 1
Update Exchange 2019 Server OS with up to date patches made available through Windows Update
Backup AD DS
Backup Exchange 2019 servers and databases
Backup any out of box customized modifications such as OWA, config files on servers, registry changes or third party add-ons
^^^^^^^^^
MBX1
^^^^^^^^^
Configure Load Balancer to not redirect Exchange Traffic to MBX2
Disable Exchange-aware third-party AV
Disable File Level AV
Restart Exchange 2019 server
-----------------------------------------------
Prepare Schema from the Exchange 2019 CU15 Setup
-----------------------------------------------
1. Run setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
2. Run setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
3. Run setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms_DiagnosticDataOFF
----------------------------
Drain and Move Active Queues
----------------------------
Set-ServerComponentState -Identity MBX1 -Component HubTransport -State Draining -Requester Maintenance
Redirect-Message -Server MBX1.umt.om -Target MBX2.umt.om
-------------------------------
Suspend DAG Member from Cluster
-------------------------------
Suspend-ClusterNode -Name MBX1
--------------------------------
Disable database copy activation
--------------------------------
Set-MailboxServer -Identity MBX1 -DatabaseCopyActivationDisabledAndMoveNow $true
------------------------------------------
Review Database copy auto activation policy
------------------------------------------
Get-MailboxServer MBX1 | Select DatabaseCopyAutoActivationPolicy
---------------------------------------
Set auto activation policy to "Blocked"
---------------------------------------
Set-MailboxServer -Identity MBX1 -DatabaseCopyAutoActivationPolicy Blocked
------------------------------------
Put the Server into Maintenance Mode
------------------------------------
Set-ServerComponentState -Identity MBX1 -Component ServerWideOffline -State InActive -Requester Maintenance
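A gate to run before starting the CU setup, as an added example that is not part of the original notes. It checks that each of the maintenance-mode steps above took effect on MBX1; run it in the Exchange Management Shell on a DAG member, where the failover clustering cmdlets are available.

```powershell
# Added example: confirm the server is fully in maintenance mode before patching.
# MBX1 is the server name used in these notes.
function Test-ExchangeMaintenanceReady {
    param([string]$Server = 'MBX1')

    $components = Get-ServerComponentState -Identity $Server
    $offline    = ($components | Where-Object Component -eq 'ServerWideOffline').State
    $transport  = ($components | Where-Object Component -eq 'HubTransport').State
    $policy     = (Get-MailboxServer -Identity $Server).DatabaseCopyAutoActivationPolicy
    $node       = (Get-ClusterNode -Name $Server).State

    # Active database copies still mounted on the server being patched
    $mounted = @(Get-MailboxDatabaseCopyStatus -Server $Server |
                 Where-Object { $_.Status -eq 'Mounted' })
    # Messages still waiting in queues (shadow redundancy and poison queues excluded)
    $queued = (Get-Queue -Server $Server |
               Where-Object { $_.DeliveryType -ne 'ShadowRedundancy' -and
                              $_.Identity -notlike '*\Poison' } |
               Measure-Object -Property MessageCount -Sum).Sum

    $checks = [ordered]@{
        'ServerWideOffline is Inactive'     = ("$offline" -eq 'Inactive')
        'HubTransport is Draining/Inactive' = ("$transport" -in 'Draining', 'Inactive')
        'Auto activation policy is Blocked' = ("$policy" -eq 'Blocked')
        'Cluster node is Paused'            = ("$node" -eq 'Paused')
        'No mounted database copies'        = ($mounted.Count -eq 0)
        'Transport queues are empty'        = ([int]$queued -eq 0)
    }
    $checks.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Passed = $_.Value }
    }
}

Test-ExchangeMaintenanceReady -Server MBX1 | Format-Table -AutoSize
```

Any row with Passed = False means the matching step above has not completed yet, for example databases still moving to MBX2 or queues still draining.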
*************************************
Install Exchange 2019 CU15 and Restart
*************************************
---------------------------------------
Take the Server out of Maintenance Mode
---------------------------------------
Set-ServerComponentState -Identity MBX1 -Component ServerWideOffline -State Active -Requester Maintenance
----------------------
Resume DAG Node Member
----------------------
Resume-ClusterNode -Name MBX1
---------------------------------
Check the Status of Cluster Nodes
---------------------------------
Open Command Prompt and run
cluster node
--------------------------------------------
Set auto activation policy to "Unrestricted"
--------------------------------------------
Set-MailboxServer -Identity MBX1 -DatabaseCopyAutoActivationPolicy Unrestricted
-------------------------------
Enable Database copy activation
-------------------------------
Set-MailboxServer -Identity MBX1 -DatabaseCopyActivationDisabledAndMoveNow $False
-----------------
Reactivate Queues
-----------------
Set-ServerComponentState -Identity MBX1 -Component HubTransport -State Active -Requester Maintenance
Configure Load Balancer to start redirecting Exchange Traffic to MBX1
------------------------------------
Exchange Server Emergency Mitigation
------------------------------------
After Exchange 2019 CU11, an admin can enable or disable sending the optional data to the Office Config Service (OCS) on the Exchange server
Set-ExchangeServer -Identity <ServerName> -DataCollectionEnabled $false
OR
Set-ExchangeServer -Identity <ServerName> -DataCollectionEnabled $true
Verify that an Exchange server has connectivity to the OCS using the Test-MitigationServiceConnectivity.ps1 script
The EM service checks the OCS for mitigations every hour
All applicable mitigations are enabled by default
An admin can enable and disable mitigations at an organizational level or at the Exchange server level
Set-OrganizationConfig -MitigationsEnabled $false
OR
Set-ExchangeServer -Identity <ServerName> -MitigationsEnabled $false
To view Applied and Blocked Mitigations
Get-ExchangeServer -Identity <ServerName> | fl name, MitigationsApplied, MitigationsBlocked
A detailed list of available mitigations can also be viewed using the Get-Mitigations.ps1 script
.\Get-Mitigations.ps1 -Identity <Server> -ExportCSV C:\temp\CSVReport.csv
------------------------------------
Exchange Server Feature Flighting
------------------------------------
After Exchange 2019 CU15, Feature Flighting assigns all Exchange servers to RingLevel 1 by default. This ring receives new features as soon as Microsoft has confirmed that the features are ready for general availability.
If you don't want Microsoft to automatically enable new features or make changes to your server via Feature Flighting, you must assign your Exchange servers to Ring 2. In this ring, flighted features are shipped in a disabled state and must be manually enabled by the administrator.
The following example assigns a server to Ring 2
Set-ExchangeServer -Identity <ServerName> -RingLevel 2
Validate the assignments of Rings on all Exchange Servers in ORG
Get-ExchangeServer | Format-List Identity,RingLevel
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
To verify the server is not in maintenance mode, run
Get-ServerComponentState <ServerName> | Format-Table Component,State -Autosize
Note: If you're installing an Exchange update and the update process fails, it can leave some server components in an inactive state, which will be displayed in the output of the above Get-ServerComponentState cmdlet. To resolve this, run the following commands
Set-ServerComponentState <ServerName> -Component ServerWideOffline -State Active -Requester Functional
Set-ServerComponentState <ServerName> -Component Monitoring -State Active -Requester Functional
Set-ServerComponentState <ServerName> -Component RecoveryActionsEnabled -State Active -Requester Functional
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
If you're installing an Exchange update and the update process fails, it can leave some server services in a disabled state. To resolve this
Check the status of Exchange Services
Get-Service -DisplayName "Microsoft exchange*" | ft DisplayName,Starttype ,Status
If the StartType value for Microsoft Exchange services is Disabled, run the following command in Windows PowerShell to restore the StartType
cd "C:\Program Files\Microsoft\Exchange Server\V15\Bin"
Add-PSSnapin -Name Microsoft.Exchange.Management.PowerShell.Setup -ErrorAction SilentlyContinue
.\ServiceControl.ps1 AfterPatch
Make sure that the Microsoft Exchange services now display the Automatic StartMode
Get-Service -DisplayName "Microsoft exchange*" | ft DisplayName,Starttype ,Status
<<<<<>>>>>