Migrate SYSVOL from FRS to DFSR

Migration of SYSVOL from FRS to DFSR is actually quite simple.

First, you need to make sure all the Domain Controllers (DC) in the Domain are online and the AD replication and SYSVOL Replication are working normally.

After that, just need to run few of the following command in sequence:

1. At command Prompt, type "dfsrmig /setglobalstate 1". This is to enter the Prepared state.
• Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state
2. Next at Command Prompt, type "dfsrmig /setglobalstate 2". This is to enter the Redirected state.
• Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state
3. Next at command prompt, "type dfsrmig /setglobalstate 3". This is to enter the Emilinated state.
• Type dfsrmig /getmigrationstate to confirm all domain controllers have reached prepared state

Cannot Access Remote Share on Workgroup Computer using Local Admin Account

Description:

You have several servers in Workgroup environment. You know the Local Administrator Account and Password. You try to connect to the Administrative Share from Remote Workgroup machine but always failed. Network port for Ping, RPC, SMB from source to destination are all open. Username and password are both correct.

Resolution:

Open Regedit and go to "HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System". 

1. On the Edit menu, point to New, and then click DWORD (32-bit) Value.

2. Type LocalAccountTokenFilterPolicy to name the new entry, and then press Enter.

3. Right-click LocalAccountTokenFilterPolicy, and then click Modify.

4. In the Value data box, type 1, and then click OK.

5. Exit Registry Editor.

BitLocker with MBAM Failed to Encrypt because Access Denied by Remote Endpoint

Description:

You have configure MBAM Application server, MBAM Database server and set GPO for Drive Encryption to run automatically with minimal user interaction. However when you test it, it shows error "failed to encrypt".

When you look at the event viewer in the client machine, it said "Unable to connect to the MBAM Recovery and Hardware Service". It also give Error Code: -2143485947 and more detail "Access was denied by the remote endpoint".

Resolution:

Make sure the account for MBAM web application pool has the correct SPN.

You can use the following command to set the SPN for FQDN and NETBIOS.

Setspn -s http/mbamvirtual contoso\mbamapppooluser

Setspn -s http/mbamvirtual.contoso.com contoso\mbamapppooluser

Error when Encrypting Drive in BitLocker with MBAM

Description:

You have configure MBAM Application server, MBAM Database server and set GPO for Drive Encryption to run automatically with minimal user interaction. However when you test it, it shows error "failed to encrypt".

When you look at the event viewer in the client machine, it said "an error occurred while applying MBAM policies" And it also give error code -2147217402.

Resolution:

Please update the MBAM client on that machine to the latest servicing update. At the moment it can be downloaded from Download Microsoft Desktop Optimization Pack October 2020 Servicing Release from Official Microsoft Download Center. After restart you will see the encryption process is running successfully.

Error when Granting Access to the User at tenant root scope “/” to deploy Enterprise-Scale

Description:

You want to deploy Enterprise-Scale Architecture at your Azure Environment.

One of the prerequisite is to explicitly provide roleAssignment (RBAC) at the tenant root scope via CLI or PowerShell (Note: There’s no portal UX to make this roleAssignment)

However several error occurred when you try to run the following command at Azure CLI to provide the role Assignment.

• az login

Error message: The following tenants don't contain accessible subscriptions. Use 'az login --allow-no-subscriptions' to have tenant level access.

• az role assignment create --scope '/'  --role 'Owner' --assignee-object-id $(az ad signed-in-user show --query  objectId)

Error message: Failed to query --assignee-principal-type for "7786a679-034b-42cc-a23a-xxxxxxxxxxxx" by invoking Graph API. RBAC server might reject creating role assignment without --assignee-principal-type in the future. Better to specify --assignee-principal-type manually. The Principal ID '"7786a679-034b-42cc-a23a-xxxxxxxxxxxx"' is not valid. Principal ID must be a GUID.

Resolution:

To fix the issue, the command needs some small changes. Instead of using the above command, try to use the following command:

• az login -t yourdomainname.onmicrosoft.com

• az role assignment create --scope '/'  --role 'Owner' --assignee-object-id "7786a679-034b-42cc-a23a-xxxxxxxxxxx"