Download and run the Diagnostic Tool in Docker to test whether the Hybrid Connector can operate correctly in the target environment. The tool supports connectivity, certificate, and on-premises validation checks, and can export the results for troubleshooting.
Login and pull the container image
Login
Open a PowerShell session with administrative rights and run the following command:
docker login -u XXXXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXX -p {SecretKey} cvhybridtool.azurecr.ioReplace {SecretKey} with the secret key provided by Support. To obtain the secret key, contact the Support team.
Pull
After logging in, download the required Docker image.
2019 version
Run the following command:
docker pull cvhybridtool.azurecr.io/cvdiagnostictool:20192022 version
Run the following command:
docker pull cvhybridtool.azurecr.io/cvdiagnostictool:2022Do not use PowerShell ISE, as it is not supported by the Diagnostic Tool. For better visibility, run the tool in a full-screen PowerShell window.
Run the Diagnostic Tool
2019 version
If the 2019 version was downloaded, run:
docker run -v c:\temp:c:\temp --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:20192022 version
If the 2022 version was downloaded, run:
docker run -v c:\temp:c:\temp --rm -it cvhybridtool.azurecr.io/cvdiagnostictool:2022Step 1: select the data center
When the tool starts, select the data center where your organization is registered. Press Enter to confirm the selection and connect to the selected data center.
Step 2: select tests
From the menu, select any test to evaluate whether the Hybrid Connector will work in the target environment. Press the spacebar to select an option and Enter to confirm.
Prerequisite checks
- Validate CoreView connectivity, endpoints, API resolves DNS and simulates the connections to the platform endpoints and ports for the selected data center. Each port is reported as Open, Closed, or Filtered, and the resolved IP is shown.
- Validate TLS certificates inspects the TLS certificate of each HTTPS endpoint, including issuer and expiry, and flags a likely proxy TLS interception (MITM) when the issuer is not a known public CA.
On-premises
- Verify WinRm to domain controller tests the WinRM configuration used to reach the Active Directory domain controller.
- Verify Active Directory tests connectivity to Active Directory, lists organizational units, and can optionally validate service-account read access on specific OUs. When prompted, enter the OU distinguished names, or leave the field empty to skip this validation.
- Verify On-premises Exchange tests connectivity, authentication method, and protocol used to connect to Exchange Server, and validates basic read access (RBAC) by running read-only cmdlets.
Advanced (interactive)
- Open manual PowerShell session opens a clean PowerShell runspace. See the dedicated section below.
Open manual PowerShell session
This option opens a clean PowerShell runspace similar to the one used by the Hybrid Connector. It can be used for tests that are not covered by the default menu options.
For information about the supported PowerShell and module versions, see PowerShell versions and features supported by CoreView. Install the required module version in the Diagnostic Tool before running additional commands.
Modules installed in this runspace are available only for the current session. When the runspace is closed by typing exit and pressing Enter, imported modules and executed commands are cleared.
The following cmdlets can be used to test additional connections:
# Enable Tls protocol to perform https connection tests
[Net.ServicePointManager]::SecurityProtocol = "Tls, Tls11, Tls12, Ssl3"
# Test Microsoft connection
Invoke-WebRequest -Uri https://www.microsoft.com -UseBasicParsing
# Test SSL certificate revocation list
Invoke-WebRequest -Uri https://sectigo.com -UseBasicParsing# Test Exchange Online connection
$adUsername = "upn"
$adPassword = "password" | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adUsername, $adPassword
$cs = Get-Credential -Credential $Credentials
Connect-ExchangeOnline -Credential $cs# Test Teams connection
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
$adPassword = "password"
$adUsername = "username"
$adPassword = $adPassword | ConvertTo-SecureString -AsPlainText -Force
$Credentials = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $adUsername, $adPassword
$cs = Get-Credential -Credential $Credentials
Connect-MicrosoftTeams -Credential $cs -LogFilePath "c:/temp/teams-logs.txt"
Get-CsApplicationAccessPolicy | ConvertTo-JsonShortcuts to connect to Active Directory and Exchange On-Premises
Shortcuts are available to quickly connect to Active Directory and Exchange On-Premises without entering the full PowerShell commands.
These shortcuts are available only in the 2019 and 2022 versions.
Connect to Active Directory
Press Ctrl + Q, then enter the Active Directory username, password, and connection URL.
Connect to Exchange On-Premises
Press Ctrl + W, then enter the Exchange username, password, and connection URL.
Diagnostic Tool
-
Export report (JSON + HTML) saves all checks executed in the current session to
C:\tempas both a JSON file and an HTML report. After the export, the current session is cleared. - Help shows a table describing each menu option.
Configuration
- Switch data center changes the target data center used by the tool.
Example
For example, the following options can be selected and run:
- Validate CoreView connectivity, endpoints, API
- Verify WinRm to domain controller
- Export report (JSON + HTML)
The results are shown on screen and also saved in C:\temp as a JSON file and an HTML report.
When prompted, enter the same credentials that will be configured as service accounts for the Hybrid Connector. For more information, refer to the Hardening your hybrid environment article.