This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(278.4, 2%, 36%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EP%3C/text%3E%3C/svg%3E)
We are moving an Exchange 2010 cluster to Kerberos in prep for migration to Exchange online and have run into a problem regarding the script "ConvertOABDir.ps1". According to a few different sites I need to do the following:
The problem is I can't find that script. All the links that have been provided to Microsoft don't have this file. Searching Microsoft can't find this file. The closest I can get is post here which appears to have pasted the contents but I can't validate whether or not this is the actual script, unchanged for Exchange 2010 SP3.
https://social.technet.microsoft.com/Forums/lync/en-US/ab5409ff-f20c-4d66-a261-c3c73f01a919/cant-enable-kerberos-in-outlook-and-exchange-2013-bug-in-convertoabvdirps1?forum=exchangesvrclients
Can anyone help? Or is there a different way to achieve this same goal?
Why the need to do this if you are migrating to Exchange Online anyway?
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(28.799999999999997, 82%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EEY%3C/text%3E%3C/svg%3E)
Hi,
It's still in %Exchangeinstallpath\scripts folder in Exchange2016:
In case your folder not complete, I post it here in txt:
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
I am writing here to confirm with you how the thing going now?
If you need further help, please provide more detailed information, so that we can give more appropriate suggestions.
If an Answer is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
This is Exchange 2010. THAT script is not on either server. However I've modified my search and found the file "convertoabvdir.ps1". Is that the same thing?
Edit: this is in the SP3 install directories. I assume it's the same but would like to know for sure.
Sorry, have to ask again. Why the need to do this if you are moving mailboxes to Exchange Online?
We're doing a hybrid deployment and need to connect our domain to Azure AD. One of the strongly recommended things to do is to NOT allow NTLM traffic outside of your organization. In order to turn off NTLM I need to migrate the Exchange 2010 cluster to Kerberos, away from NTLM.
Hmm, not sure what you are referring to, but there is no relationship between kerberos and migrating to Exchange Online. :)
Moving to Kerberos auth only makes sense if you want to reduce the load mail clients have on Domain controllers, otherwise there is no reason to introduce this change now and it doesn't buy you anything if you are moving to Exchange Online.
Another thing to remember is that kerberos auth only works for domain-joined clients, so enabling this wont make a difference for non-domain joined clients and won't have any benefit for this that you mentioned above "One of the strongly recommended things to do is to NOT allow NTLM traffic outside of your organization"
Maybe you can enlighten me. In my research regarding migrating to Exchange Online we've decided to do a hybrid deployment. And in the documentation I've found for that it indicates we need Azure AD connect. This Microsoft doc that indicates the need to harden the Azure AD Connect server:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/how-to-connect-install-prerequisites
And half way down that document it indicates: "Deny use of NTLM authentication with the AADConnect server."
THEN... in further research I've not found a way just to turn off NTLM for one server but for the whole domain.
Is there a better way?
You can certainly set that for just the AADConnect server or the domain, but before you do, you would need to audit the domain to ensure you arent using apps or clients that use only NTLM.
But that's really a separate issue, because once you move the mailboxes to Exchange Online, you will want to ensure the clients are using Modern Authentication, Modern Auth isnt NTLM or kerberos but rather Oauth/ token based
So, given that, there is no reason to transition to kerberos on-prem if you are migrating since once you do, Kerberos wont be used by any clients anyway.
First, thanks for this help. Much appreciated.
Second, let's step back to the NTLM auditing. Because of the need to do hybrid Exchange I have to use the AADConnect.
So how do I audit for NTLM only applications? I am not aware that we have anything that old other than Exchange 2010. I know that I can restrict Exchange from using any domain controller that has NTLM denied. If turning off NTLM on a single server is an option I'd prefer to go that route. Then the question becomes what could be using NTLM only and how do I find out?
I think I've found it for the server I am going to put the AADConnector on here:
Applications and Services Log\Microsoft\Windows\NTLM
However it appears to be empty. I am still going to check the rest of the DCs for NTLM authentication events.
More on auditing:
https://adsecurity.org/?p=3377
Thanks for this info. This helps a ton. I've enabled auditing via the Local Security Policy editor and can see most of the servers and clients are still using NTLM. Also from this site it looks like I can block NTLM traffic with exceptions. Thus I am assuming this would more easily take care of this issue of not allowing NTLM traffic outside of the organization via this specific server since it is the server that I would put the AADC on. Is that a correct assertion?
The AADConnect server only connect on port 443 outbound, so NTLM wont leave your org regardless.
f you want to lockdown and block the use of NTLM for that server, then ensure it can still communicate to other servers and DCs after that
So I could conceivably just create a block on all Internet connected firewalls for port 443 and be done with this?
How does AADC connect to the Azure domain?
Edit: Maybe not:
https://learn.microsoft.com/en-us/azure/active-directory/hybrid/reference-connect-ports
Edit2: Ok so I read your post wrong. I've been reading way too damn much today.
On that note, what exact ports does NTLM use? I can't find a specific answer. I find discussions with conjecture but no answers.
yea, all it needs is outbound on 443 and 80 from that server.
LOL So what you're saying is all this is moot? The original article I found simply indicated that steps needed to be made to keep NTLM from exiting your environment.
Thanks again for the help. I am just going to make explicit firewall deny statements for outbound connections on ports 137, 138, 139, 445
Yea, for the AADConnect server, the NTLM hardening is for internal access to that server, not from AADConnect to Azure :)