Mapping Your AD: VBScript to List OUs in Parent-Child Order | Lazy Admin Blog

When you’re managing a complex Active Directory environment, getting a clear “birds-eye view” of your structure is essential. While the Active Directory Users & Computers (dsa.msc) snap-in is great for manual navigation, sometimes you need a flat text output that preserves the visual hierarchy of your Organizational Units (OUs).

The following VBScript crawls your LDAP directory and mirrors the parent-child nesting you see in your GUI tools.


📜 The Script: ListAllOUs_ParentChild.vbs

Copy the code below and save it as ListAllOUs_ParentChild.vbs.

VBScript
Option Explicit
Const ADS_SCOPE_SUBTREE = 2
Dim ObjConn, ObjRS, ObjRootDSE
Dim StrSQL, StrDomName, ObjOU

' Get the local domain name (e.g. DC=corp,DC=local)
Set ObjRootDSE = GetObject("LDAP://RootDSE")
StrDomName = Trim(ObjRootDSE.Get("DefaultNamingContext"))
Set ObjRootDSE = Nothing

' SQL-style ADO query to find OUs (excluding Domain Controllers)
' Note: without a "Page Size" property on the command, the DC returns at most 1000 rows
StrSQL = "Select Name, ADsPath From 'LDAP://" & StrDomName & "' Where ObjectCategory = 'OrganizationalUnit' And Name <> 'Domain Controllers'"

Set ObjConn = CreateObject("ADODB.Connection")
ObjConn.Provider = "ADsDSOObject"
ObjConn.Open "Active Directory Provider"
Set ObjRS = CreateObject("ADODB.Recordset")
ObjRS.Open StrSQL, ObjConn

If Not ObjRS.EOF Then
    ' MoveLast/MoveFirst forces RecordCount to be populated
    ObjRS.MoveLast: ObjRS.MoveFirst
    WScript.Echo vbNullString
    WScript.Echo "Total OU: " & Trim(ObjRS.RecordCount)
    WScript.Echo "==================="
    WScript.Echo vbNullString
    While Not ObjRS.EOF
        Set ObjOU = GetObject(Trim(ObjRS.Fields("ADsPath").Value))
        ' Top-level OU: its parent (minus the 7-char "LDAP://" prefix) is the domain itself
        If StrComp(Right(Trim(ObjOU.Parent), Len(Trim(ObjOU.Parent)) - 7), StrDomName, vbTextCompare) = 0 Then
            WScript.Echo "Parent OU: " & Trim(ObjRS.Fields("Name").Value)
            GetChild ObjOU
        End If
        ObjRS.MoveNext
        Set ObjOU = Nothing
    Wend
End If

ObjRS.Close: Set ObjRS = Nothing
ObjConn.Close: Set ObjConn = Nothing

' Subroutine to find first-level children
Private Sub GetChild(ThisObject)
    Dim ObjChild
    For Each ObjChild In ThisObject
        If StrComp(Trim(ObjChild.Class), "OrganizationalUnit", vbTextCompare) = 0 Then
            ' Strip the 3-char "OU=" prefix from the RDN
            WScript.Echo vbTab & ">> Child OU: " & Right(Trim(ObjChild.Name), Len(Trim(ObjChild.Name)) - 3)
            GetGrandChild ObjChild.ADsPath
        End If
    Next
End Sub

' Recursive subroutine to find all nested children
Private Sub GetGrandChild(ThisADsPath)
    Dim ObjGrand, ObjItem
    Set ObjGrand = GetObject(ThisADsPath)
    For Each ObjItem In ObjGrand
        If StrComp(Trim(ObjItem.Class), "OrganizationalUnit", vbTextCompare) = 0 Then
            WScript.Echo vbTab & vbTab & ">> Child OU: " & Right(Trim(ObjItem.Name), Len(Trim(ObjItem.Name)) - 3)
            GetGrandChild Trim(ObjItem.ADsPath)
        End If
    Next
    Set ObjGrand = Nothing
End Sub

🚀 How to Execute

To run this script correctly and avoid “Windows Script Host” popup boxes for every line, you must use the command-line engine (CScript).

Example Command: CScript /NoLogo ListAllOUs_ParentChild.vbs

Output Preview (first-level children are indented one tab, nested children two):

Parent OU: Sales
    >> Child OU: North_Region
    >> Child OU: South_Region
        >> Child OU: Retail_Stores
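The same parent/child walk in PowerShell, added here as an example that is not part of the original post: it uses the built-in [adsisearcher] (no RSAT, no ADO), pages the query so directories with more than 1000 OUs are listed completely, and splits the DN on the first unescaped comma so an OU name containing a comma is not broken. It assumes it runs on a domain-joined machine as a domain user.

```powershell
# Added example (not from the Lazy Admin post): parent/child OU tree via [adsisearcher].
# Assumes a domain-joined machine; reads the domain DN from RootDSE like the VBScript does.
$rootDse  = [ADSI]"LDAP://RootDSE"
$domainDN = [string]$rootDse.defaultNamingContext

# Same filter as the VBScript query: all OUs except "Domain Controllers"
$searcher = [adsisearcher]'(&(objectCategory=organizationalUnit)(!(name=Domain Controllers)))'
$searcher.SearchRoot = [ADSI]"LDAP://$domainDN"
$searcher.PageSize   = 1000   # paged results; an unpaged search is capped at 1000 entries by the DC
$null = $searcher.PropertiesToLoad.AddRange([string[]]@('name', 'distinguishedName'))

$ous = foreach ($r in $searcher.FindAll()) {
    [pscustomobject]@{
        Name = [string]$r.Properties['name'][0]
        DN   = [string]$r.Properties['distinguishedname'][0]
    }
}

# Group OUs by parent DN. The parent is everything after the first unescaped comma,
# so an OU whose RDN is "OU=Sales\, EMEA" is not split in the wrong place.
$firstRdn = [regex]'(?<!\\),'
$children = @{}
foreach ($ou in $ous) {
    $parentKey = $firstRdn.Split($ou.DN, 2)[1].ToLowerInvariant()
    if (-not $children.ContainsKey($parentKey)) { $children[$parentKey] = @() }
    $children[$parentKey] += $ou
}

# Recursive walk: depth 0 prints "Parent OU:", deeper levels print tab-indented ">> Child OU:" lines
function Write-OUTree {
    param([string]$ParentDN, [int]$Depth = 0)
    foreach ($ou in @($children[$ParentDN.ToLowerInvariant()] | Sort-Object Name)) {
        if ($Depth -eq 0) { "Parent OU: $($ou.Name)" }
        else              { ("`t" * $Depth) + ">> Child OU: $($ou.Name)" }
        Write-OUTree -ParentDN $ou.DN -Depth ($Depth + 1)
    }
}

"Total OU: $(@($ous).Count)"
"==================="
Write-OUTree -ParentDN $domainDN
```

Run it with `powershell -File ListAllOUs.ps1` and the output matches the VBScript's layout, so either can feed the same downstream parsing.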

#ActiveDirectory #SysAdmin #WindowsServer #Automation #VBScript #ITAdmin #LazyAdmin #LDAP #DirectoryServices #InfrastructureAsCode #Scripting #ADUC

Setting Up Microsoft Entra Connect (Step-by-Step) | Lazy Admin Blog

Why do manual user management when you can let a sync engine do the heavy lifting?

If you’re still manually creating users in both on-premises Active Directory and the Microsoft 365 portal, stop. You’re working too hard. Microsoft Entra Connect (formerly Azure AD Connect) is the “bridge” that syncs your local identities to the cloud. Set it up once, and your users get one identity for everything.

1. The “Pre-Flight” Checklist (Don’t skip this!)

The biggest mistake admins make is running the installer before the environment is ready. To be truly “lazy,” do the prep work so the installation doesn’t fail midway.

  • Server: A domain-joined Windows Server 2016 or later (2022 is recommended).
  • Hardware: Minimum 4GB RAM and a 70GB hard drive.
  • Permissions:
    • Local: You need to be a Local Admin on the sync server.
    • On-Prem: An Enterprise Admin account for the initial setup.
    • Cloud: A Global Administrator or Hybrid Identity Administrator account in Entra ID.
  • Software: .NET Framework 4.7.2 or higher and TLS 1.2 enabled.

Pro Tip: Run the Microsoft IdFix tool first. It finds duplicate emails and weird characters in your AD that would otherwise break the sync.


2. Step-by-Step Installation

Download the latest version of the Entra Connect MSI here.

Step A: The Express Route

  1. Launch AzureADConnect.msi.
  2. Agree to the terms and click Use Express Settings. (Note: Use “Custom” only if you have multiple forests or need specific attribute filtering).
  3. Connect to Entra ID: Enter your Cloud Admin credentials.
  4. Connect to AD DS: Enter your Enterprise Admin credentials.
  5. Entra ID Sign-in: Ensure your UPN suffixes match. If your local domain is corp.local but your email is lazyadminblog.com, you need to add lazyadminblog.com as a UPN suffix in AD.

Step B: The “Staging Mode” Safety Net

Before you hit install, you’ll see a checkbox for “Start the synchronization process when configuration completes.” If you are replacing an old server or are nervous about what will happen to your 5,000 users, check the “Enable staging mode” box. This allows the server to calculate the sync results without actually exporting anything to the cloud. You can “peek” at the results before going live.


3. Post-Setup: The “Lazy” Health Check

Once installed, the sync runs every 30 minutes by default. You don’t need to babysit it, but you should know how to check it:

  • The Desktop Tool: Open the Synchronization Service Manager to see a green “Success” status for every run.
  • The PowerShell Way: To force a sync right now (because you’re too impatient for the 30-minute window), run: Start-ADSyncSyncCycle -PolicyType Delta

4. Troubleshooting Common “Gotchas”

  • “Top-level domain not verified”: You forgot to add and verify your domain (e.g., myblog.com) in the Entra ID portal.
  • “Object Synchronization Triggered Deletion”: By default, Entra Connect won’t delete more than 500 objects at once. This is a safety feature to stop you from accidentally wiping your cloud directory. If you intended to delete them, you’ll need to disable the export deletion threshold.

The “Lazy Admin” Sync Monitor Script

Copy and save this as Monitor-EntraSync.ps1 on your sync server.

# --- CONFIGURATION ---
$SMTPServer = "smtp.yourrelay.com"
$From = "EntraAlert@lazyadminblog.com"
$To = "you@yourcompany.com"
$Subject = "⚠️ ALERT: Entra ID Sync Failure on $(hostname)"
# --- THE LOGIC ---
# Import the AdSync module (usually already loaded on the server)
Import-Module ADSync
# Get the statistics of the very last sync run
$LastRun = Get-ADSyncRunProfileResult | Sort-Object StartDateTime -Descending | Select-Object -First 1
# Check if the result was NOT 'success'
if ($LastRun.Result -ne "success") {
    $Body = @"
    The last Entra ID Sync cycle failed!
    
    Server: $(hostname)
    Run Profile: $($LastRun.RunProfileName)
    End Time: $($LastRun.EndDateTime)
    Result: $($LastRun.Result)
    
    Please log in to the Synchronization Service Manager to investigate.
"@
    # Send the alert
    Send-MailMessage -SmtpServer $SMTPServer -From $From -To $To -Subject $Subject -Body $Body -Priority High
}

🛠️ How to set it up (The Lazy Way)

To make this fully automated, follow these steps:

  1. Create a Scheduled Task: Open Task Scheduler on your Entra Connect server.
  2. Trigger: Set it to run every hour (or every 30 minutes to match your sync cycle).
  3. Action:
    • Program/script: powershell.exe
    • Add arguments: -ExecutionPolicy Bypass -File "C:\Scripts\Monitor-EntraSync.ps1"
  4. Security Options: Run it as SYSTEM or a Service Account that has local admin rights so it can access the ADSync module.
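The four Task Scheduler steps above, scripted, as an added example that is not part of the original post: it reads the effective sync interval from the ADSync scheduler so the monitor fires once per cycle, runs as SYSTEM (local rights only, no stored credential, no domain or cloud rights), and caps the run time so a hung check cannot pile up. It assumes the script lives at C:\Scripts\Monitor-EntraSync.ps1 and runs from an elevated prompt on the Entra Connect server; the task name is an assumed value.

```powershell
# Added example (not from the Lazy Admin post): register Monitor-EntraSync.ps1 as a scheduled task.
# Assumes an elevated prompt on the Entra Connect server and the script path below.
Import-Module ADSync
Import-Module ScheduledTasks

$ScriptPath = 'C:\Scripts\Monitor-EntraSync.ps1'
$TaskName   = 'LazyAdmin-EntraSyncMonitor'   # assumed name

# Read the effective sync interval (30 minutes by default) so the monitor runs once per cycle
$interval = (Get-ADSyncScheduler).CurrentlyEffectiveSyncCycleInterval

$action = New-ScheduledTaskAction -Execute 'powershell.exe' `
    -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$ScriptPath`""

# Start in one minute and repeat every sync interval; on Server 2016+ the repetition is indefinite
$trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) -RepetitionInterval $interval

# SYSTEM has the local admin rights the ADSync module needs and stores no password in the task
$principal = New-ScheduledTaskPrincipal -UserId 'NT AUTHORITY\SYSTEM' `
    -LogonType ServiceAccount -RunLevel Highest

# Kill a stuck check after 10 minutes, never overlap runs, catch up after a reboot
$settings = New-ScheduledTaskSettingsSet -ExecutionTimeLimit (New-TimeSpan -Minutes 10) `
    -MultipleInstances IgnoreNew -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger `
    -Principal $principal -Settings $settings -Force | Out-Null

# Verify the task was created and when it fires next
Get-ScheduledTask -TaskName $TaskName | Get-ScheduledTaskInfo |
    Select-Object TaskName, NextRunTime, LastRunTime, LastTaskResult
```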

Why this is better than “Default” monitoring:

  • No Noise: You only get an email if there is an actual problem.
  • Proactive: You’ll likely know the sync is broken before your users start complaining that their new passwords aren’t working.
  • Zero Cost: No need for expensive third-party monitoring tools for a single-server task.

The Master List: VMware vCenter Release & Build Number History (Updated 2026) | Lazy Admin Blog

Version tracking is the backbone of lifecycle management. Whether you are patching against the latest security vulnerability or verifying compatibility for a backup agent, you need the exact build number.

Below is the comprehensive history of vCenter Server, from the cutting-edge vSphere 9.0 down to the legacy VirtualCenter 2.5.

vCenter Server 9.0 Build Numbers (Latest)

vSphere 9.0 represents the latest shift toward AI-integrated infrastructure and cloud-native operations.

| Name | Version | Release Date | Build Number |
|---|---|---|---|
| vCenter Server 9.0.2.0 | 9.0.2 | 01/20/2026 | 25148086 |
| vCenter Server 9.0.1.0 | 9.0.1 | 09/29/2025 | 24957454 |
| vCenter Server 9.0 GA | 9.0.0 | 06/17/2025 | 24755230 |

vCenter Server 8.0 Build Numbers

The 8.0 Update 3 branch is the current stable “workhorse” for most enterprise environments.

| Name | Version | Release Date | Build Number |
|---|---|---|---|
| vCenter Server 8.0 Update 3i | 8.0.3.00800 | 02/24/2026 | 25197330 |
| vCenter Server 8.0 Update 3h | 8.0.3.00700 | 12/15/2025 | 25092719 |
| vCenter Server 8.0 Update 3g | 8.0.3.00600 | 07/29/2025 | 24853646 |
| vCenter Server 8.0 Update 3e | 8.0.3.00500 | 04/11/2025 | 24674346 |
| vCenter Server 8.0 Update 3 | 8.0.3.00000 | 06/25/2024 | 24022515 |
| vCenter Server 8.0 Update 2 | 8.0.2.00000 | 09/21/2023 | 22385739 |
| vCenter Server 8.0 Update 1 | 8.0.1.00000 | 04/18/2023 | 21560480 |
| vCenter Server 8.0 GA | 8.0.0.10000 | 10/11/2022 | 20519528 |

vCenter Server 7.0 Build Numbers

Note: vCenter for Windows was officially removed starting with version 7.0.

| Name | Version | Release Date | Build Number |
|---|---|---|---|
| vCenter Server 7.0 Update 3w | 7.0.3.02500 | 09/29/2025 | 24927011 |
| vCenter Server 7.0 Update 3l | 7.0.3.01400 | 03/30/2023 | 21477706 |
| vCenter Server 7.0 Update 2 | 7.0.2.00000 | 03/09/2021 | 17694817 |
| vCenter Server 7.0 GA | 7.0.0.10100 | 04/02/2020 | 15952498 |

Legacy vCenter Server Build Numbers (vSphere 4.0 – 6.7)

| Name | Version | Release Date | Build Number |
|---|---|---|---|
| vCenter Server 6.7 Update 3w | 6.7.0.58000 | 10/28/2024 | 24337536 |
| vCenter Server 6.5 Update 3w | 6.5.0.43000 | 07/04/2024 | 24045034 |
| vCenter Server 6.0 Update 1 | 6.0 U1 | 09/10/2015 | 3018524 |
| vCenter Server 5.5 Update 3 | 5.5 U3 | 09/16/2015 | 3000241 |
| vCenter Server 5.1 Update 3 | 5.1 U3 | 12/04/2014 | 2306353 |
| vCenter Server 5.0 GA | 5.0 GA | 08/24/2011 | 456005 |
| vCenter Server 4.1 GA | 4.1 GA | 07/13/2010 | 259021 |
| vCenter Server 4.0 GA | 4.0 GA | 05/21/2009 | 162856 |
| VirtualCenter 2.5.0 GA | 2.5.0 | 12/10/2007 | 64192 |

Quick Tips for the Lazy Admin

  1. Check via VAMI: For 6.7 and newer, go to https://<vcenter-ip>:5480. The version and build are right on the login screen.
  2. Compatibility: Before upgrading vCenter, check the VMware Interoperability Matrix. Just because vCenter 9.0 is out doesn’t mean your older ESXi 6.7 hosts can talk to it!
  3. VCSA Migration: If you are still on version 6.5 or 6.7, your next step is a migration to the Appliance (VCSA). There is no “in-place” upgrade for Windows-based vCenter to 7.0+.

#VMware #vSphere9 #vCenter #SysAdmin #Virtualization #Datacenter #LazyAdmin #BuildNumbers #ITOps #PatchManagement

Locked Out of Cisco UCS? How to Recover the Master Admin Password | Lazy Admin Blog

It’s the nightmare scenario: you need to make a critical service profile change, but the only admin password is lost or forgotten. Because Cisco UCS Manager doesn’t store passwords in a reversible format, you can’t “view” the old one. Instead, you must perform a password reset by power-cycling the Fabric Interconnects (FIs) and interrupting the boot sequence.

⚠️ Warning: This procedure requires a physical power cycle of the Fabric Interconnects. In a production environment, this will cause a temporary disruption in management connectivity and potentially data traffic if not handled correctly in a cluster.


Phase 1: The Pre-Flight Check

Before you pull the power cables, you need two pieces of information. If you still have read-only access or a lower-privilege account, gather these now:

  1. Identify the Roles: In a cluster, you must know which FI is Primary and which is Subordinate.
    • Path: Equipment > Fabric Interconnects > [FI Name] > General > High Availability Details.
  2. Verify Firmware Versions: You must know the exact Kernel and System firmware versions currently running.
    • Path: Equipment > Firmware Management > Installed Firmware.

Phase 2: Password Recovery (The Process)

Scenario A: Standalone Configuration

If you only have one Fabric Interconnect, the process is straightforward but requires downtime.

  1. Connect: Attach a console cable physically to the FI console port.
  2. Power Cycle: Turn the FI off and then back on.
  3. Interrupt Boot: As it boots, repeatedly press Ctrl+L or Ctrl+Shift+R until you see the loader > prompt.
  4. Boot Kernel: Load the kickstart/kernel image: loader > boot /installables/switch/ucs-6100-k9-kickstart.x.x.x.gbin
  5. Enter Config: Fabric(boot)# config terminal
  6. Reset Password: Fabric(boot)(config)# admin-password YourNewPassword123
  7. Load System: Exit config mode and boot the system image: Fabric(boot)# load /installables/switch/ucs-6100-k9-system.x.x.x.bin

Scenario B: Cluster Configuration (High Availability)

In a cluster, the order of operations is vital to ensure the database remains synchronized.

  1. Subordinate First: Power cycle the Subordinate FI and interrupt its boot to the loader > prompt. Leave it there.
  2. Primary Second: Power cycle the Primary FI and interrupt its boot to the loader > prompt.
  3. Reset on Primary: Follow the “Standalone” steps (4 through 7) on the Primary FI console.
  4. Bring up Subordinate: Once the Primary is back up and you can log into UCS Manager, go to the Subordinate console and boot its kernel and system images normally from the loader prompt.

Important Notes

  • Clear Text: When you type the admin-password command in the boot loader, the password displays in clear text on the screen. Ensure no one is shoulder-surfing!
  • Strong Passwords: UCS Manager requires at least one capital letter and one number.
  • Console Access: This cannot be done via SSH. You must have physical or terminal server access to the console port.

#CiscoUCS #DataCenter #CiscoProphet #SysAdmin #Networking #ITTech #Cisco #UCSManager #LazyAdmin #Infrastructure

vSphere Ports & Connections: The Infrastructure Roadmap | Lazy Admin Blog

In a locked-down enterprise environment, the “Any-to-Any” firewall rule is a myth. To manage ESXi effectively, you need to poke specific holes in your hardware and software firewalls.

The Core Management Ports

These are the “must-haves” for basic connectivity between vCenter, the vSphere Client, and the Host.

| Port | Protocol | Source | Destination | Purpose |
|---|---|---|---|---|
| 443 | TCP | Management Workstation | vCenter / ESXi | vSphere Client / SDK: The primary port for the Web Client and API access. |
| 902 | TCP/UDP | vCenter Server | ESXi Host | vCenter Agent (vpxa): vCenter uses this to send data to the host and receive heartbeats. |
| 902 | TCP | Management Workstation | ESXi Host | VM Console: Required to open the “Remote Console” (MKS) to a virtual machine. |
| 80 | TCP | vCenter / Workstation | ESXi Host | HTTP: Used for redirecting to 443 and for some legacy file downloads. |

Advanced Feature Ports

If you are using specific vSphere features like vMotion, HA, or specialized storage, you need these additional ports open:

1. vMotion (Live Migration)

  • 8000 (TCP): Required for vMotion traffic.
  • 2049 (TCP/UDP): If using NFS storage for the virtual disks.

2. vSphere High Availability (HA)

  • 8182 (TCP/UDP): Used by the Fault Domain Manager (FDM) agent for inter-host communication and election of the master host.

3. Provisioning & Deployment

  • 69 (UDP): TFTP, used for PXE booting ESXi for Auto Deploy.
  • 4012 (TCP): Used by the Auto Deploy service.

4. Troubleshooting & Monitoring

  • 22 (TCP): SSH access to the ESXi Shell.
  • 161 / 162 (UDP): SNMP polling and traps for hardware monitoring.

Troubleshooting “Host Disconnected”

If your host shows as “Not Responding” in vCenter, check these three things in order:

  1. Ping: Can the vCenter server ping the ESXi management IP?
  2. Port 902: From the vCenter server, try to telnet to the host on port 902 (telnet <host-ip> 902). If it fails, the heartbeat can’t get through.
  3. DNS: VMware is extremely sensitive to DNS. Ensure forward and reverse lookups work for both the vCenter and the Host.
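The three checks above as one function, added here as an example that is not part of the original post. It runs from a Windows management workstation (or a Windows vCenter, where one still exists): ping, a TCP probe of 902 and 443 in place of telnet, and a forward lookup followed by a reverse lookup that must map back to the same name. The host name in the usage line is a placeholder. Note that the UDP half of port 902 (heartbeats) cannot be probed this way; a failing TCP 902 still tells you the firewall path is closed.

```powershell
# Added example (not from the Lazy Admin post): the "Host Disconnected" checklist as a function.
# Requires the DnsClient and NetTCPIP modules that ship with Windows 8 / Server 2012 and later.
function Test-EsxiConnectivity {
    param(
        [Parameter(Mandatory)][string]$EsxiHost,   # FQDN of the ESXi host as vCenter knows it
        [int[]]$Ports = @(902, 443)                # vpxa/heartbeat + console, and the vSphere API
    )
    $result = [ordered]@{ Host = $EsxiHost }

    # 1. Ping: ICMP reachability from this machine
    $result.Ping = Test-Connection -ComputerName $EsxiHost -Count 2 -Quiet

    # 2. Ports: TCP handshake per port (replaces "telnet <host-ip> 902")
    foreach ($p in $Ports) {
        $tnc = Test-NetConnection -ComputerName $EsxiHost -Port $p -WarningAction SilentlyContinue
        $result["Tcp$p"] = [bool]$tnc.TcpTestSucceeded
    }

    # 3. DNS: forward lookup, then the PTR of that address must resolve back to the same name
    try {
        $a   = Resolve-DnsName -Name $EsxiHost -Type A -ErrorAction Stop | Where-Object { $_.Type -eq 'A' }
        $ip  = @($a)[0].IPAddress
        $ptr = @(Resolve-DnsName -Name $ip -Type PTR -ErrorAction Stop)[0]
        $result.ForwardLookup = $ip
        $result.ReverseLookup = $ptr.NameHost.TrimEnd('.')
        $result.DnsConsistent = $ptr.NameHost.TrimEnd('.') -ieq $EsxiHost.TrimEnd('.')
    } catch {
        $result.ForwardLookup = $null
        $result.ReverseLookup = $null
        $result.DnsConsistent = $false
    }
    [pscustomobject]$result
}

# Usage (placeholder host name): any $false or mismatch pinpoints which of the three checks to fix
Test-EsxiConnectivity -EsxiHost 'esxi01.corp.local' | Format-List
```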

Lazy Admin Tip 💡

Don’t memorize every port! Use the VMware Ports and Protocols Tool (the official online matrix). It allows you to select your source and destination products and generates a custom firewall rule list for you.

A high-resolution PDF, Connections and Ports in ESX and ESXi, can be downloaded here.

#VMware #vSphere #Networking #SysAdmin #Firewall #DataCenter #ESXi #ITOps #LazyAdmin #Connectivity

HPE ProLiant Diagnostics: How to Generate a Survey Log (Online & Offline) | Lazy Admin Blog

An HPE Survey Log provides a deep-dive look at your server’s hardware configuration, firmware levels, and error counts. Depending on whether your OS is healthy or the server is “down,” you have two ways to get this data.

Method 1: The Offline Approach (Non-Booting Servers)

Use this method if the OS is corrupted or you need to test the hardware in a “clean” state using the SmartStart CD (Gen8 and older) or Service Pack for ProLiant (SPP).

  1. Boot the server using the SmartStart CD or SPP ISO.
  2. Navigate: From the homepage, click Maintenance > HP Insight Diagnostics.
  3. Default View: The Survey tab will open by default.
  4. The “Pro” Settings:
    • Change Category from ‘Overview’ to ‘All’.
    • Change View Level from ‘Summary’ to ‘Advanced’.
  5. Save: Click Save. Note that you will need a USB flash drive plugged in to export the .html or .txt log file.

Method 2: The Online Approach (Live Production)

If the server is running Windows or Linux, you can pull the logs without a reboot by using the HP Insight Diagnostics Online Edition.

For Windows Admins:

  • Via Start Menu: Go to Start > All Programs > HP System Tools > HP Insight Diagnostics.
  • Via Web Browser: Open the HP System Management Homepage (SMH), click Webapps, and select HP Insight Diagnostics.

For Linux Admins:

  1. Open your browser and navigate to: https://localhost:2381
  2. Log in with root credentials.
  3. Click Webapps > HP Insight Diagnostics.

Exporting the Online Log:

Once the interface opens, follow the same “Advanced” steps:

  1. Set Category to ‘All’.
  2. Set View Level to ‘Advanced’.
  3. Click Save to download the file directly to your workstation.

How to Install Online Diagnostics (If Missing)

If the tool isn’t installed, you’ll need the HPE Service Pack for ProLiant (SPP):

  1. Mount the SPP ISO.
  2. Navigate to /hp/swpackages and run hpsum.exe (Windows) or ./hpsum (Linux).
  3. Select Localhost as the target and ensure HP Insight Diagnostics Online Edition is checked for installation.

Lazy Admin Tip 💡

For modern Gen9, Gen10, and Gen11 servers, you can bypass these tools entirely by using the iLO (Integrated Lights-Out). Simply log into the iLO web interface and download the Active Health System (AHS) log. It’s the modern replacement for the Survey log and is much faster to collect!

#HPE #ProLiant #ServerAdmin #SysAdmin #ITOps #HardwareTroubleshooting #iLO #DataCenter #LazyAdmin #TechTips