daknetworks.com


BCD Replaces Boot.ini

Twice this week I've been bitten by the BCD or BOOT CONFIGURATION DATA.

BCD replaces the BOOT.INI file in older systems such as XP. BCD is found in WINDOWS VISTA and newer systems. The BCD is an OPERATING SYSTEM FILE and will be hidden unless the options are set to view those files:

  • -open any EXPLORER window.
  • -click ORGANIZE > FOLDERS & SEARCH OPTIONS
  • -click the VIEW tab (at the top).
  • -uncheck HIDE PROTECTED OPERATING SYSTEM FILES.
  • -click OK.

Previously, there was a boot.ini file. To edit the boot.ini file, simply edit the file with a text editor. Now to edit the BCD, you must use BCDEdit.exe.

The overall problem becomes that the BCD is unreliable (hence the name Microsoft). It causes issues like:

"the trust relationship between this workstation and the primary domain failed" in WINDOWS 7
(bcdedit /store S:\Boot\BCD /set {default} bootstatuspolicy ignoreallfailures)

and

"inaccessible boot device" WINDOWS 8.1
(Bcdedit /store S:\BOOT\BCD /set {default} truncatememory 4294967296)
(T:\windows\system32\bcdedit /store S:\boot\bcd /set {default} truncatememory 4294967296)

Both require edits to the BCD. But how do you edit the BCD when the system isn't accessible?

 


How to Edit the BCD

The BCD is actually a file in a small hidden directory. If you could connect the external drive to a working system and assign the letter S to the drive, the file location would be:

S:\Boot\BCD

Please note that this is NOT the WINDOWS OS partition. This is a small NTFS partition (100MB for WINDOWS 7 & 300MB for WINDOWS 8) before the WINDOWS OS partition. This partition is marked as ACTIVE and will therefore be chosen as the partition to boot from.

This is really confusing because there is a T:\Boot\BCD as well.

True to MS standard, they put out way too much unnecessary jargon here: http://technet.microsoft.com/en-us/library/cc721886%28WS.10%29.aspx#BKMK_bcdedit

  • -connect the harddisk with the corrupt BCD into another computer that is running Windows.
  • -mount the defective partition on a drive (in my case S:\)
  • -in the partition the file S:\Boot\BCD is the one that needs to be repaired.
  • -open a command prompt (Cmd.exe) (as administrator)
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum
  • -you are viewing the BCD.
  • -to view everything in the BCD...
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum all

 


How to Edit Some of the BCD Settings:

The BCD will have a BOOT-MANAGER called BOOTMGR. This is a boot manager for the entire disk. You can think of it as GRUB, LILO, GRUB4DOS or any other bootloader. It can be used to redirect the boot to the MAIN WINDOWS OS, but it can also boot other OSes as well. Most people won't get this far. They just want their MAIN WINDOWS OS to boot correctly.

After the BOOTMGR section, comes all the WINDOWS OS sections. Typically, the main section will be called DEFAULT and it will show as {default}.
(NOTE: don't let the curly brackets scare you).

For example, if you wanted to change the BOOTMGR device and the DEFAULT device, here's how.
(Please do not type this in... This is just an example.)

T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {bootmgr} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} osdevice boot

This will change the settings for those key values.

You can also use an awesome handy tool called VISUAL BCD EDITOR located at: http://www.boyans.net
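As an added example (not from the original post), here is the same offline /store edit wrapped in a PowerShell function that backs the store up first and confirms the value afterwards. It assumes the broken disk's boot partition is mounted as S: and that bcdedit.exe from the working system is on the PATH; the function name is mine.

```powershell
# Added example: back up an offline BCD store, set one value with bcdedit /store,
# then re-read the entry to prove the edit took. Store path and names are assumptions.
function Set-OfflineBcdValue {
    param(
        [Parameter(Mandatory)][string]$Store,   # e.g. S:\Boot\BCD
        [Parameter(Mandatory)][string]$Id,      # e.g. {default} or {bootmgr}
        [Parameter(Mandatory)][string]$Name,    # e.g. bootstatuspolicy
        [Parameter(Mandatory)][string]$Value    # e.g. ignoreallfailures
    )
    if (-not (Test-Path -LiteralPath $Store)) { throw "BCD store not found: $Store" }

    # 1. Copy the store before touching it (it is a hidden+system file, hence -Force).
    $backup = "$Store.bak-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
    Copy-Item -LiteralPath $Store -Destination $backup -Force
    Write-Host "Backup written to $backup"

    # 2. bcdedit must be able to open the store and find the entry before we change it.
    $null = & bcdedit /store $Store /enum $Id
    if ($LASTEXITCODE -ne 0) { throw "bcdedit could not read $Id from $Store (exit $LASTEXITCODE)" }

    # 3. Apply the edit against the offline store, not the running system's store.
    & bcdedit /store $Store /set $Id $Name $Value | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "bcdedit /set failed (exit $LASTEXITCODE)" }

    # 4. Re-read the entry; bcdedit prints "<name>   <value>" on one line
    #    (display case may differ, e.g. IgnoreAllFailures; -match is case-insensitive).
    $after = & bcdedit /store $Store /enum $Id
    $ok = $after | Where-Object {
        $_ -match "^\s*$([regex]::Escape($Name))\s+$([regex]::Escape($Value))\s*$"
    }
    if (-not $ok) { throw "Edit did not take: $Name is not $Value in $Id" }
    Write-Host "$Id $Name is now $Value"
}

# The bootstatuspolicy edit quoted at the top of the post, run against the offline store.
Set-OfflineBcdValue -Store 'S:\Boot\BCD' -Id '{default}' -Name bootstatuspolicy -Value ignoreallfailures
```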

 


Fix the BCD

If you would like to rebuild the BCD, here's how:

  1. Put the Windows Vista or Windows 7 or Windows 8 media in the DVD drive / usb, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, a keyboard, or an input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe, and then press Enter.

That will automatically try and fix the BCD if it's broken.

 


Rebuild the BCD

Same as fixing the BCD above but using switches at the end.

Bootrec.exe /FixMbr
Bootrec.exe /FixBoot
Bootrec.exe /ScanOs
Bootrec.exe /RebuildBcd

 


WINDOWS 8.1 Considerations

WINDOWS 8.1 installs a hidden 300MB NTFS partition.

If WINDOWS is loaded, some may investigate and fiddle around with the BCD on the main partition in the C DRIVE, not realizing that the BCD that actually gets loaded lives in another hidden partition created for that purpose.

If you boot from a CD/USB, the BCD PARTITION will be the C DRIVE and the WINDOWS OS PARTITION will be the D DRIVE.

 


BCDEDIT Says zero Total Identified Windows installations

If you get as far as: Bootrec.exe /ScanOs

And it says:

"zero Total Identified Windows installations: 0"

Then you may have to rebuild the BCD. Be sure to backup the original BCD first.

  • boot from a WINDOWS VISTA/7/8 media as above.
  • cd c:\boot (note that this is not the normal C DRIVE. If you boot from a WINDOWS 7 or WINDOWS 8 install disk, the disk will see all the partitions and LETTER them accordingly. The C DRIVE will be the BCD partition and the D DRIVE will be the WINDOWS partition.)
  • bcdedit /export c:\bcdbackup
  • attrib c:\boot\bcd -h -r -s
  • ren c:\boot\bcd bcd.old
  • bootrec /rebuildbcd
  • type: Y
  • press: ENTER

You should get some kind of awesome message to let you know that it is rebuilt correctly.

Last Updated on Thursday, 25 September 2014 08:53

Set VPN Idle Timeout on Windows Server 2012

  • -open SERVER-MANAGER.
  • -click TOOLS > ROUTING & REMOTE ACCESS
  • (a new window opens)
  • -right-click REMOTE ACCESS LOGGING (on the left-hand side).
  • -click LAUNCH NPS.
  • (a new window opens)
  • -click NETWORK POLICIES (on the left-hand side).
  • -right-click "Connections to Microsoft Routing and Remote Access server"
  • -click PROPERTIES.
  • -click CONSTRAINTS tab (at the top).
  • -click IDLE TIMEOUT (on the left-hand side).

The IDLE TIMEOUT settings can be configured here.

GnuWin32 Where Have You Been All My Life?

As they say, necessity is the mother of invention. I always wanted to use *nix commands on the Windows platform before but never really needed them until I was forced to deal with a Windows Server on a daily basis.

My disgust for some of the ways Windows operates should be apparent by now but if not, let me tell you; I'm disgusted. I could have learned commands in the 1970's that are still in practice today. Or if I traveled with Windows, I would have to learn over and over again.

GnuWin32 is an application package suite that allows you to use *nix commands on Windows.

This should get all your familiar *nix commands in the COMMAND SHELL.

Last Updated on Wednesday, 03 February 2016 09:25

Group Policy, Organization Units, Server 2012

In my mind, it's very simple. You have USERS and you have GROUPS (anything that is more than 1 user). If I need to do something, I should create a rule and apply it to the group.

In Microsoft Server 2012, it doesn't exactly work that way. It, in true fashion, has to be as difficult as humanly possible.

To look at the default structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > ACTIVE DIRECTORY USERS & COMPUTERS.
  • -a DOMAIN TREE shows.
  • (It has USERS, COMPUTERS but it doesn't have GROUPS. GROUPS are erroneously mixed in with USERS)

To add a GROUP.

  • -click USERS.
  • -right-click USERS.
  • -click NEW > GROUP
  • -type in the GROUP-NAME.

To add USERS to GROUP.

  • -double-click GROUP NAME.
  • -click MEMBERS tab (at the top).
  • -click ADD.
  • -type in the NAMES you want to add.

Since I'm a big fan of GROUPS, I want to apply a login script just for a certain GROUP.

To look at the default Group Policy structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > GROUP POLICY MANAGEMENT.
  • -a GROUP-POLICY DOMAIN TREE shows.
  • (It has "GROUP POLICY OBJECTS". All your GPO's are here.)

Active Directory Hierarchy And The Way You See It Taught

Now what's interesting is that this doesn't match the USERS & COMPUTERS. There is no GROUPS section. Why? Because this is based off of LDAP. Why is that important? Because LDAP is hierarchical (and not relational). This means that one child can only have one parent. (But one parent can have many children. [Don't ask.]). So instead of GROUPS, they use ORGANIZATIONAL-UNITS. This hierarchical structure means that a USER cannot be a member of 2 different GROUPS in an ACTIVE DIRECTORY ORGANIZATIONAL UNIT (or AD and OU). The end result is that a USER-object can only be placed in one OU.

This is why there are so many articles and videos about structuring your AD and OU's correctly. It doesn't make sense to rational thinking, so someone has to explain it in detail just to get it working. And even then, they have trouble getting it working smoothly. Most of the advice demonstrates that you should create OU's and then put both the computer-objects and the user-objects inside of that OU. The GROUP-POLICY is then applied to the OU and consequently it will be applied to the USER and/or COMPUTER.

Of course it will. The GP is attaching to the individual USER or COMPUTER.

Active Directory And The Way It Should Be Enterprise

In short, this may work well for the ENTERPRISE (company more than 300 users). Traditionally you should create OU's along geographic boundaries and then to put both the computer-objects and the user-objects inside of that OU. It would look something like this:

OU-Kansas-City
----first-floor
--------computers
--------users
----basement
--------computers
--------users
OU-Chicago
----first-floor
--------computers
--------users
----basement
--------computers
--------users

The GROUP-POLICY is then applied to an OU and consequently it will be applied to the USER and/or COMPUTER.

Active Directory And The Way It Should Be Small Business

But what about everyone else? It doesn't work well for the small to medium enterprise (as defined by MS: a company less than 300 users). For this segment, it's faulty thinking. I don't have a bunch of offices across the globe. I don't have multiple floors, levels and locations. If I follow the common advice, I no longer have a section called USERS that contains all my users. And I don't have a section called GROUPS that contains all my groups.

My mind doesn't work the way of the enterprise. I group people all the time and they can be in many groups at the same time. I can group my friend Jason as being the WORK GROUP, FRIEND GROUP and CHURCH GROUP. But again, you can't do this in AD.

What is nice about AD is that it is highly customizable. Consequently, you will see many (and I stress many) different ways to do this in articles, videos and in practice. Also due to this customization, I can create the way I want it, I just have to create it myself rather than this feature coming ready out-of-the-box.

All of that set aside, ultimately at the root-level of AD I want to have an OU called GROUPS. Under that GROUPS-OU, I locate all my SECURITY-GROUPS objects (out of the USERS and into the GROUPS). These are common units like ACCOUNTING, PRODUCTION, HR, IT, MANAGEMENT, MARKETING, OPERATIONS, SALES, etc. Each SECURITY-GROUP has the members that are needed.

The result looks similar to:

DOMAIN
    BUILTIN
    COMPUTERS
    GROUPS
        ACCOUNTING
        BUILTIN
        HR
        IT
        MANAGEMENT
        MARKETING
        OPERATIONS
        SALES
    USERS

This makes it easy on myself. Just keep it simple and create those SECURITY-GROUPS in the new GROUPS-OU, leave the computers in the COMPUTERS-OU and the users in the USERS-OU.

For clarity, if you click on USERS, there are only USER-OBJECTS in there. There are no GROUP-OBJECTS in there. All of the GROUPS have been moved to the appropriate place in the GROUPS-OU.

GROUP POLICY That Applies To Groups

Now the problem becomes the GROUP-POLICY.

Counter-intuitively, GROUP-POLICY-OBJECTS (GPO's) cannot be applied to GROUP-OBJECTS. GPO's can only be applied to USER-OBJECTS and COMPUTER-OBJECTS. Remember from above where many tutorials, classes, videos and articles say to put the objects in the OU? This is why they teach you to do it this way. If they don't put the OBJECTS in the OU, the GP doesn't work.

So how do I apply a GPO to a SECURITY-GROUP?

By creating a GPO on domain-level (not the OU level), editing the GPO and assigning the GPO to the GROUP through SECURITY-FILTERING.

To create a new GPO:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > GROUP POLICY MANAGEMENT.
  • -a GROUP-POLICY DOMAIN TREE shows.
  • -right-click the domain-name (ie contoso.com).
  • -click CREATE-A-GPO-IN-THIS-DOMAIN,-AND-LINK-IT-HERE [sic].
  • -type in a NEW-NAME.
  • -click OK

Edit the GPO:

  • -right-click the GPO.
  • -click EDIT.
  • -make all your changes in here. Don't worry about anything else at this point.

Assign GPO to the GROUP:

  • -click the GPO.
  • -you should be on the SCOPE tab (at the top).
  • -click ADD (at the bottom).
  • -type in the name of the GROUP.
  • -click OK.
  • -click DELEGATION tab (at the top).
  • -click ADVANCED button (at the bottom right).
  • (a new window pops up).
  • -click AUTHENTICATED USERS (at the top section).
  • -find APPLY GROUP POLICY (at the bottom section).
  • -uncheck the ALLOW.
  • -find READ (at the bottom section).
  • -checkmark ALLOW (this should already be done but just to verify).
  • (This is not a typo. This allows all users to READ the GPO but doesn't assign it to them.)

Run The GPO On The Client Computer

  • -click START > RUN
  • -type: CMD
  • -type: gpupdate /force
  • -type: gpresult /h new-report.html (or if you are savvy, type: gpresult /R) (or if you want to punish yourself, type: gpresult /Z).
  • -open new-report.html to view results
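The same GPO and SECURITY-FILTERING setup can be scripted with the GroupPolicy module, which also makes the resulting ACL easy to audit. This is an added example, not from the original post; the GPO name "Accounting Login Script" and the group ACCOUNTING are assumed, and it expects RSAT (the GroupPolicy and ActiveDirectory modules) on the box you run it from.

```powershell
# Added example: create a domain-linked GPO, security-filter it to one group, and keep
# Authenticated Users on Read only. GPO and group names below are assumptions.
Import-Module GroupPolicy
Import-Module ActiveDirectory

$GpoName   = 'Accounting Login Script'
$GroupName = 'ACCOUNTING'
$DomainDn  = (Get-ADDomain).DistinguishedName   # e.g. DC=contoso,DC=com

# 1. Create the GPO and link it at the domain level (not at an OU), once.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName
    New-GPLink -Name $GpoName -Target $DomainDn | Out-Null
}

# 2. Edit the settings in gpmc.msc as in the post; this script only handles the scope.

# 3. Security filtering: the SECURITY-GROUP gets Read + Apply Group Policy.
Set-GPPermission -Name $GpoName -TargetName $GroupName -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 4. Authenticated Users drops from Apply to Read. -Replace is required, because
#    without it Set-GPPermission never lowers an existing permission level.
#    Keeping Read is what the post's NOTES describe: domain computers are in
#    Authenticated Users and must still be able to read the GPO (MS16-072).
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Audit the result: expect ACCOUNTING = GpoApply, Authenticated Users = GpoRead.
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission, Inherited |
    Format-Table -AutoSize

# On a client: gpupdate /force, then gpresult /R and confirm the GPO is listed under
# "Applied Group Policy Objects" for a member of ACCOUNTING and under
# "The following GPOs were not applied because they were filtered out" for everyone else.
```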

SUMMARY

In summary, there is a USERS-&-GROUPS section in AD and there are OU's in GPO. They don't match. So we create our own GROUP-STRUCTURE in AD, create a GPO, link it to an OU and only give the AD GROUP access to the GPO through SECURITY-FILTERING.

NOTES:

-A good source of information is here: http://www.grouppolicy.biz
-And there are good videos on YouTube here: https://www.youtube.com/user/itfreetraining
-EVERYONE group does not include EVERYONE.
-AUTHENTICATED-USERS also includes DOMAIN-COMPUTERS. This is why it should not be entirely-removed from the GPO.
-On 06/22/16 an MS update broke many GPO's but not the method above. Read the rest of the story here:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

Last Updated on Tuesday, 11 February 2020 10:43

AWS S3, GovCloud and DropBox

So let's say that you need to share files with outside vendors. Historically, this is done through an FTP site. The problem is that FTP is insecure, really insecure. So insecure that in 2014 (and for many years before) it shouldn't even exist (you can throw telnet into this category as well).

In more modern times, this is done through services like DropBox, Gdrive, OneDrive, etc; with DropBox seemingly leading the way.

The problem becomes that certain industries are not allowed to use DropBox, not because DropBox doesn't meet technological requirements but because DropBox doesn't meet regulations. One of these industries is Government.

In walks Amazon Web Services or AWS. AWS has a number of cloud based products. There's so many services, it's dizzying. I'd be lying if I said that I knew and understood them all.

Now take all of these services and boil them down to the top 12 absolutely necessary services. Now make sure that only US Persons are able to access these services. This is GovCloud.

One of the primary services of AWS & GovCloud is S3. S3 is a simple cloud storage.

Create a DIRECTORY for the S3 to live:

  • -login to AWS GOVCLOUD.
  • -click S3.
  • -click CREATE BUCKET.

Create an OUTSIDE USER to access the S3:

  • -login to the AWS GOVCLOUD
  • -click IAM (or IDENTITY AND ACCESS MANAGEMENT).
  • -click USERS > CREATE NEW USERS.
  • -type in the USERNAME.
  • -click CREATE (at the bottom right).
  • -record the ID & KEY (you will not have another chance to do this).
  • -click CLOSE > CLOSE.
  • -click on the USER-YOU-JUST-CREATED.
  • -scroll to bottom.
  • -click MANAGE PASSWORD.
  • -click APPLY (at the bottom right).
  • -record the PASSWORD (you will not have another chance to do this).

 The rest can be done through the AWS GOVCLOUD web site but it's actually easier to use CLOUDBERRY S3 EXPLORER PRO. It costs $30 at the time of writing but so what.

Assign USER to allow access to S3 bucket:

  • -click ACCESS MANAGER (at the top).
  • -click NEW POLICY WIZARD.
  • -click NEXT.
  • -bullet SELECT AN EXISTING IAM USER.
  • -checkmark the OUTSIDE-USER
  • -select NEXT.
  • -bullet GRANT READ & WRITE ACCESS TO SELECTED BUCKETS ONLY.
  • -checkmark ALLOW USER ACCESS TO AWS CONSOLE.
  • -click NEXT.
  • -checkmark the S3 BUCKETS you want to allow access to.
  • -click NEXT.

It will show you the STATEMENT it is going to implement. This will work for AWS S3 but it won't work for GOVCLOUD. GOVCLOUD has a different RESOURCE NAME. I'll spare you the details.

  • -everywhere you see "aws", replace it with "aws-us-gov"
  • (This took me an entire day to discover).
  • -click NEXT > NEXT.
  • if it gives an error saying that a policy already exists... ignore it. We already know. We just created it.

 Now you have 2 sets of credentials for the OUTSIDE USER. You have a USERNAME & PASSWORD they can type in for the web site. They also have an ID and KEY they can use for a program.
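As an added example (not from the original post), here is a PowerShell function that produces the read/write bucket policy with the ARN partition as a parameter, so the aws-us-gov form comes out directly instead of being hand-edited after the wizard. The bucket name vendor-dropbox-example is a placeholder; the function name is mine.

```powershell
# Added example: generate the "read & write to selected buckets only" IAM policy
# for the OUTSIDE USER. The only GovCloud difference is the ARN partition:
#   commercial: arn:aws:s3:::bucket        GovCloud: arn:aws-us-gov:s3:::bucket
function New-S3ReadWritePolicy {
    param(
        [Parameter(Mandatory)][string[]]$BucketName,
        [ValidateSet('aws', 'aws-us-gov')][string]$Partition = 'aws-us-gov'
    )
    # Bucket-level ARN for listing, object-level ARN (trailing /*) for get/put/delete.
    # ${Partition} is braced so PowerShell does not read "$Partition:s3" as a scope.
    $bucketArns = [string[]]($BucketName | ForEach-Object { "arn:${Partition}:s3:::$_" })
    $objectArns = [string[]]($BucketName | ForEach-Object { "arn:${Partition}:s3:::$_/*" })

    $policy = [ordered]@{
        Version   = '2012-10-17'
        Statement = @(
            [ordered]@{
                Sid      = 'ListSelectedBuckets'
                Effect   = 'Allow'
                Action   = @('s3:ListBucket', 's3:GetBucketLocation')
                Resource = $bucketArns
            },
            [ordered]@{
                Sid      = 'ReadWriteObjectsInSelectedBuckets'
                Effect   = 'Allow'
                Action   = @('s3:GetObject', 's3:PutObject', 's3:DeleteObject')
                Resource = $objectArns
            }
        )
    }
    # No s3:* and no "arn:...:s3:::*": the vendor only reaches the buckets named here.
    $policy | ConvertTo-Json -Depth 5
}

# GovCloud form (default partition); add -Partition aws for a commercial account.
New-S3ReadWritePolicy -BucketName 'vendor-dropbox-example'
```

Paste the output as the user's inline policy (IAM > the user > Permissions) or into the CloudBerry policy editor in place of the statement the wizard generated.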

Last Updated on Tuesday, 14 April 2015 15:05

Find DRAC IP Address

So you have a DRAC or DELL REMOTE ACCESS CONTROLLER. It is their proprietary version of IPMI. You can configure the DRAC via IP ADDRESS.

But how do you find the IP ADDRESS of the DRAC?

FIND DRAC IP ADDRESS

-install OPENMANAGE.

(as of print is: http://en.community.dell.com/techcenter/systems-management/w/wiki/1760.openmanage-server-administrator-omsa.aspx#Documentation_OMSA)

-click START > RUN

-type: cmd

-type: racadm getniccfg

(this gets the IP ADDRESS. By default it is usually: 192.168.0.120)

SET DRAC IP ADDRESS:

-type: racadm setniccfg -s ipAddress gatewayAddress subnetMask

OR

-click START > RUN

-click DELL OPENMANAGE > SERVER MANAGER.

 

Last Updated on Wednesday, 06 August 2014 17:55

Quickbooks 2014 H202 Error

SETUP

Quickbooks 2014 H202 error. So the Quickbooks is setup in a traditional style. The Quickbooks Server is installed on the Windows Server 2012 x64. Quickbooks is setup on the Windows 7 x64 client pc's.

The FILE SHARE is mapped to Q DRIVE but QUICKBOOKS is trying to access the file via \\ip-address-here\qb-file-name-here

ERROR

The client PCs can see the FILE SHARE, but trying to access the Quickbooks file gets the dreaded H202 error. This basically means, "something's wrong."

SOLUTION

The FILE SHARE is locked down to the ACCOUNTING group. The Quickbooks QuickBooksDB24 Service is starting with a new user called Quickbooks-something-I-can't-remember.

Either:

  • -add the QBUSER to the group that has access to the FILE SHARE.

OR:

  • -click START > RUN
  • -type: services.msc
  • -double-click: QuickBooksDB24
  • -a new window opens.
  • -click LOGON (at the top).
  • -bullet THIS ACCOUNT.
  • -type in a USERNAME & PASSWORD of a USER in the group that has access to the FILE SHARE.
  • -restart the QUICKBOOKSDB24 service.

That should do it.

Polycom Administrator Manual

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/setup_maintenance/products/voice/soundpoint_ip_soundstation_ip_administrators_guide_v2_2.pdf

This is what I need. Read and digest.

I'm having a hard time with this. There is simply too much info that doesn't compute along with too much outdated info.

Apparently, you can configure the phones individually but also via config files from the server. That's what I want to do but I can't figure it out.

=============================

UPDATE 02/01/18

While it is certain that information is spread throughout the internet, I was finally able to piece together something that makes sense for me. Please see Upgrading Polycom Phones Across Entire Location.

Last Updated on Saturday, 10 February 2018 10:30

Find Devices in Linux

To find devices in Centos/RHEL, you can issue a:

cat /proc/partitions

Or you can issue a:

fdisk -l

Either will do. The fdisk gives a little more info.

If you need to get the info for a USB device, try:

lsusb

Last Updated on Saturday, 26 July 2014 05:16

DDWRT Guest Network

[UPDATE: This process isn't worth it anymore. For low-end projects, just buy an Asus router (it doubles as an access-point). For mid-sized projects, buy Ubiquiti. For high-end projects, buy Watchguard. Boom. Done. Easy.]

The goal is to have one wireless unit providing both the OFFICE WIFI and the GUEST WIFI. This wireless unit is an access point already running the OFFICE WIFI. It is not a router/gateway/firewall. A SonicWall is the router/gateway/firewall.

So how do we have a wireless GUEST WIFI as well as a regular OFFICE WIFI?

ADD GUEST WIFI NETWORK

  • -click WIRELESS > BASIC SETTINGS.
  • -find VIRTUAL INTERFACES (at the bottom).
  • -click ADD.
  • -give your guest wifi network a name.
  • -select ENABLE for AP ISOLATION.
  • -click SAVE > APPLY.

ADD PASSWORD TO GUEST WIFI NETWORK

  • -click WIRELESS SECURITY (at the top).
  • -select a mode (I chose WPA2 PERSONAL).
  • -select an algorithm (I chose TKIP + AES).
  • -type a password.
  • -click SAVE.

CREATE A BRIDGE

  • -click SETUP > NETWORKING (at the top).
  • -find BRIDGING SECTION (should be the 2nd from the top).
  • -click ADD.
  • -type: br1 (in the first box).
  • -click SAVE (at the bottom).
  • -new options will show under the bridge.
  • -type in an IP ADDRESS & SUBNET MASK (I typed in 192.168.2.1 & 255.255.255.0).
  • The idea here is that it must be a separate network from the main network. Since most small networks are 192.168.1.1 or 192.168.0.1, using 192.168.2.1 is fine.
  • -click SAVE > APPLY.

ASSIGN GUEST WIFI TO BRIDGE

  • -go to the BRIDGING SECTION again.
  • -find ASSIGN TO BRIDGE.
  • -click ADD.
  • -select BR1.
  • -select WL0.1
  • -click SAVE > APPLY.

 ADD 2ND DHCP SERVICE

The DHCP service must be running to add a secondary DHCP service.

  • -click SETUP > BASIC SETUP (at the top).
  • -find the DHCP section.
  • -select DHCP SERVER.
  • -verify the appropriate network information.
  • -checkmark USE DNSMASQ FOR DHCP.
  • -checkmark USE DNSMASQ FOR DNS.
  • -checkmark DHCP-AUTHORITATIVE.
  • -click SAVE (at the bottom).
  • -click SETUP > NETWORKING (at the top).
  • -find the DHCPD section (at the bottom).
  • -click ADD.
  • -select BR1.
  • -select ON.
  • -click SAVE > APPLY SETTINGS (at the bottom).

 CUSTOMIZE THE 2ND DHCP SERVICE

  • -click SERVICES (at the top).
  • -find the DNSMASQ section.
  • -select ENABLE for DNSMASQ.
  • -select ENABLE for LOCAL DNS.
  • -select ENABLE for NO DNS REBIND.
  • -type the following in the Additional DNSMasq Options:

dhcp-option=3,192.168.1.1
dhcp-range=192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-option=6,192.168.1.1,4.2.2.2
interface=br1
dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
dhcp-option=br1,6,4.2.2.2,8.8.8.8

This should be fairly straightforward. We are setting the options for 2 sets of DHCP. Each set customizes the GATEWAY, DHCP RANGE and DNS for that DHCP set. You will have to customize this to fit your own needs.

This is different than most instructions you will see, because this is an ACCESS POINT and not a GATEWAY/ROUTER/FIREWALL. Without these options the AP will automatically try to become the DNS and the GATEWAY for both DHCP ranges. That obviously won't do, since we have other devices performing those functions. More importantly, I do not want the guest network to have the same DNS settings as the regular network. The settings above allow us to customize them to our needs.

ADD FIREWALL RULES

  • -click ADMINISTRATION > COMMANDS (at the top).
  • -find the COMMAND SHELL box.
  • -type the following:

# Each "-I" inserts at the top of the chain, so these are evaluated bottom-to-top.
iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
# Reject guest access to the AP's own management services (long options take two dashes).
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

  • -click SAVE FIREWALL (at the bottom).

This isn't straightforward at all. The first two commands let new connections from the GUEST WIFI be forwarded (out to the internet) and clamp the MSS; the next two DROP new connections from the OFFICE WIFI into the guest bridge and from the GUEST WIFI into the office LAN; the SNAT line hides the guest subnet behind the AP's LAN address so the SonicWall never sees 192.168.2.x. The last 4 commands stop GUEST WIFI clients from reaching the AP's own telnet, ssh, http and https management ports. Because each -I inserts at the top of the chain, the DROP rules are checked before the blanket ACCEPT for br1, which is what makes the isolation hold.

That should do it! Save and Restart the unit to make sure that it survives a reboot. There are 2 separate networks, the OFFICE WIFI and the GUEST WIFI. The GUEST WIFI can access the internet but cannot access the office network. That includes any shares, printers or any other computers on the office network.

Last Updated on Thursday, 01 September 2016 14:46

Show Last Logon

Let's say that you had a requirement to show the last time you logged onto the computer system, including any failed attempts.

To be clear, this message shows after anyone logs into the computer and before the DESKTOP shows.

  • click SERVER-MANAGER > TOOLS > GROUP POLICY MANAGEMENT
  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.
  • click COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > WINDOWS-COMPONENTS > WINDOWS LOGON OPTIONS
  • enable DISPLAY INFORMATION ABOUT PREVIOUS LOGONS...

Add a Login Message in Windows Server 2012

Let's say that you had a requirement to show a login message before someone logged into the computer. Maybe something like, "Hi, system usage is monitored, recorded, and subject to audit. By using the system, you grant consent to such monitoring and recording. Unauthorized use is prohibited and subject to criminal and civil penalties."

To be clear, this message shows before anyone logs into the computer and before the LOGIN BOX shows.

  • click SERVER-MANAGER > TOOLS > GROUP POLICY MANAGEMENT
  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.
  • click COMPUTER-CONFIGURATION > POLICIES > WINDOWS-SETTINGS > SECURITY SETTINGS > LOCAL-POLICIES > SECURITY-OPTIONS.
  • click INTERACTIVE LOGON: MESSAGE TEXT
  • edit the text.
  • click INTERACTIVE LOGON: MESSAGE TITLE.
  • edit the text.

(NOTE: Both have to be set or else it doesn't show.)

Windows Server 2012 Backup System State

I like to manually backup the SERVER STATE before I make any changes:

Last Updated on Wednesday, 16 July 2014 11:19

Add A Disclaimer to Exchange 2013

The best guide I've witnessed on this occasion is here:

http://www.techieshelp.com/exchange-2013-add-a-disclaimer/

I'm posting for my own reference.

ADD EXCEPTION

The only other item I would like to add is that there should be an EXCEPTION:

-click MORE OPTIONS.
-select THE SUBJECT OR BODY INCLUDES ANY OF THESE WORDS.
-paste the disclaimer in the box (don't worry if the whole disclaimer doesn't fit).
-click the + (the plus sign).
-click SAVE.

NOTES:
-the disclaimer will be placed directly at the end of the email.
-the disclaimer will only show at the very bottom of the email; underneath any forwards or replies that may be in the email.
-the disclaimer will only show once and will not repeat if the disclaimer already exists. This means it will not repeat on forwarded emails and reply emails.

Last Updated on Wednesday, 16 July 2014 11:21

Polycom Phone Sets Digitmap

Are you experiencing different results when you dial directly from the Polycom phone set than if you pickup the Polycom phone set and dial?

For example, to make a call:
-walk to the phone.
-dial 540-552-0497 (automated weather service number).
-hit DIAL.
-the call goes through on speaker phone.

Now, try this:
-walk to the phone.
-pick up the hand set (you hear a dial tone).
-dial 540-552-0497 (automated weather service number).
-nothing... (or possibly, "I am sorry, that is not a valid extension.")

As referenced in the last post, a DIAL PLAN is a set of numbers that is used to dial out. What's interesting with the Fonality/Polycom solution is that the DIAL PLAN on the SERVER doesn't apply to the POLYCOM PHONE SETS directly. So what's happening here is when you simply dial the number and hit DIAL, you are using the SERVER DIAL PLAN.

When you pick up the phone set and dial the number, you are using the POLYCOM PHONE SET DIGITMAP (notice the difference between the DIAL PLAN & DIGITMAP).

What's even more interesting is that the two sets don't correspond. You can't simply take the SERVER DIAL PLAN and copy it to the POLYCOM PHONE SET DIGITMAP and expect it to work. Trust me. I've tried. We have to translate them.

So here are the SERVER DIAL PLANS again:

9 + nxxnxxxxxx
9 + 411
9 + 611
9 + 0
9 + nxxxxxxx
9 + 1nxxnxxxxxx
9 + 011.
9 + 11

To start fresh, I've wiped out the POLYCOM PHONE SET DIGITMAP.

The letter "n" is any single number other than 1 or 0. The problem is that "n" doesn't exist in the DIGITMAP syntax. You have to use [2-9].

The letter "x" is any single number. "x" does exist in the DIGITMAP syntax.

So here is my on-the-fly-translation:

[2-9]xx[2-9]xxxxxx
[2-9]11
-covered by rule 2
0 (telco operator)
[2-9]xxxxxxx
1[2-9]xx[2-9]xxxxxx
011xxx.T
-covered by rule 2

Additional DIGITMAP rules are as follows:

0T (allows for local operator)
[7]xxx (allows for local extension)
9[2-9]xx[2-9]xxxxxx
91[2-9]xx[2-9]xxxxxx
9011x.T

The complete final DIGITMAP looks like this:
[2-9]xx[2-9]xxxxxx|[1][2-9]xx[2-9]xxxxxx|9[2-9]xx[2-9]xxxxxx|91[2-9]xx[2-9]xxxxxx|[2-9]11|0|[7]xxx|011xxx.T|9011x.T
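As an added example (not from the original post), here is a small PowerShell matcher for the DIGITMAP syntax used above, so a dialed string can be checked against the final map before it is pushed to the phones. Digitmap semantics assumed: x = any digit, [2-9] = a digit range, "." = zero or more of the preceding element, T = wait for the inter-digit timer (consumes no digits), "|" separates alternatives; the test numbers are constructed and the function names are mine.

```powershell
# Added example: translate one digitmap rule into a regex and report which rule of
# the complete final DIGITMAP a dialed string lands on.
function ConvertTo-DigitmapRegex {
    param([Parameter(Mandatory)][string]$Rule)
    $re = New-Object System.Text.StringBuilder
    $i = 0
    while ($i -lt $Rule.Length) {
        $c = [string]$Rule[$i]
        switch -CaseSensitive ($c) {
            'x' { [void]$re.Append('[0-9]'); break }          # any single digit
            '[' {
                # copy a range such as [2-9] through to its closing bracket
                $end = $Rule.IndexOf(']', $i)
                if ($end -lt 0) { throw "Unterminated range in rule '$Rule'" }
                [void]$re.Append($Rule.Substring($i, $end - $i + 1))
                $i = $end
                break
            }
            '.' { [void]$re.Append('*'); break }              # repeat previous element
            'T' { break }                                     # timer: no digits
            default { [void]$re.Append([regex]::Escape($c)); break }
        }
        $i++
    }
    return '^' + $re.ToString() + '$'
}

function Test-Digitmap {
    # Returns the first rule in the digitmap that the dialed string matches, or $null.
    param(
        [Parameter(Mandatory)][string]$Digitmap,
        [Parameter(Mandatory)][string]$Dialed
    )
    foreach ($rule in $Digitmap.Split('|')) {
        if ($Dialed -match (ConvertTo-DigitmapRegex -Rule $rule)) { return $rule }
    }
    return $null
}

# The complete final DIGITMAP from the post.
$FinalMap = '[2-9]xx[2-9]xxxxxx|[1][2-9]xx[2-9]xxxxxx|9[2-9]xx[2-9]xxxxxx|91[2-9]xx[2-9]xxxxxx|[2-9]11|0|[7]xxx|011xxx.T|9011x.T'

# Constructed dial strings: local, 1+, 9-prefixed, service codes, extension, international,
# and one that should fall through with no match.
foreach ($n in '5405520497', '15405520497', '95405520497', '411', '0', '7123', '0114420712345', '12') {
    $hit = Test-Digitmap -Digitmap $FinalMap -Dialed $n
    '{0,-14} -> {1}' -f $n, $(if ($hit) { $hit } else { 'no match' })
}
```

A number that reports "no match" is one the handset will keep waiting on (or reject), exactly the pick-up-and-dial symptom described above.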

Last Updated on Tuesday, 08 July 2014 11:37

Port Mapping on SonicWall

Let's say I want to access a server on port 5901 in the internal network but from the outside network, I want to connect to port 5900.

So it may look like this: 5900 => 5901

STEP 1: Create new custom service.

Create new service: RedirectExtPort on TCP 5901.

STEP 2: Add firewall-access-rule.

Firewall -> Access Rules

WAN -> LAN

Service: RedirectExtPort
Source: Any
Destination: WAN IP

STEP 3: Add NAT Policy

go to Network -> NAT Policies

New Policy:

Original Source: Any
Translated Source: Original
Original Destination: WAN IP
Translated Destination: InternalServerIP
Original Service: RedirectExtPort
Translated Service: RDP5900
Inbound Interface: WAN Port
Outbound Interface: Any

10 Steps In Setting Up a Fonality Server

Recently, I had the privilege to be involved in a new fiber line install from LEVEL3. The fiber line service was also ordered with a SIP service. This is new to me so I'll explain slowly in terms I can understand.

A SIP service is basically telephone service via internet only (no copper lines). Sometimes, this is called a SIP TRUNK or a VOIP TRUNK. Basically, it's the main connection with a USERNAME & a PASSWORD that they provide along with an OUTSIDE IP ADDRESS. To be clear, the only connection we have to the outside world is one internet connection, the fiber line. In this particular case, the connection's capacity is 10 Mbps.

Sitting in a physical brown box was a Fonality phone server. I have no idea who Fonality is or the extent of their service. I pulled it out of the box and racked it in the four post rack.

From here, I have no idea what to do. I have no idea how the Fonality server connects to anything. I have no idea where the phone numbers are coming from.

Here is the process I went through.

1-collect the phone numbers or the phone number block or the list of phone numbers that are assigned to the company. This block is coming from the company that is providing the SIP service. Call the company and get them.

2-collect the MAC ADDRESSES of the phone devices. The MAC ADDRESSES need to be collected and given to the crew at FONALITY. They will somehow associate the MAC ADDRESSES with the account. If the MAC ADDRESS is not associated with the account, the device cannot be used. I'm finding out more about this as I should be able to add devices myself. Currently, to my knowledge there is no way to add the sets by yourself. The Fonality support crew must do this for you.

3-connect the FONALITY server to the internet. It doesn't matter how. It just needs an internet connection. On mine, there were 2 NICs on the back. NIC1 was the one that worked. To configure it, I had to plug in a monitor, keyboard and mouse, logging in with:

USER: ip
PASS: ip

This gave me limited options and one was to change the IP address. If you can't set it manually, it should be set to get an IP ADDRESS via DHCP.

The magic of the FONALITY is that upon connecting to the internet, it will automatically make a VPN call back to the FONALITY HQ SERVERS. The FONALITY HQ has a WEB ADMIN CONTROL PANEL (https://cp.fonality.com/) that configures (with pulls and pushes) to the local PHYSICAL FONALITY SERVER via the VPN. Pretty cool.

4-connect to the WEB ADMIN CONTROL PANEL at https://cp.fonality.com/. FONALITY should give you a USERNAME & PASSWORD. I received one with a WELCOME LETTER in the box but it didn't work. I had to contact support to get the USER/PASS reset.

5-setup USERS/EXTENSIONS. Upon logging into the CP, you have to setup the USERS. This comes down to FIRST NAME, LAST NAME & EXTENSION NUMBER. The EXTENSION NUMBER can be any 4 digit extension but it cannot be changed later on. If you want to change the extension, the extension has to be deleted and recreated. At the bottom of the page, add the DEVICE to the EXTENSION.

6-setup the SIP account. Again, the SIP account is just a USER/PASS along with an OUTSIDE IP ADDRESS. Click OPTIONS > VOIP. Type in those 3 pieces of information and click ADD VOIP ACCOUNT.

7-setup DIAL PLAN. A DIAL PLAN is how the phones will be used to dial out for items such as local phone calls, long distance phone calls and international phone calls, such as dialing 9 to get an outside line. Click OPTIONS > DIAL PLAN. Here are the dial plans I setup:

9 + nxxnxxxxxx local call
9 + 411 Information local call
9 + 611 Phone Trouble local call
9 + 0 local call
9 + nxxxxxxx Standard local call local call
9 + 1nxxnxxxxxx long distance
9 + 011. International international
9 + 11 emergency

8-setup SONICWALL or other firewall. The Fonality server is going to require certain ports open on the firewall to work correctly. On a simple firewall, direct the following ports to the internal ip address:

  • icmp:0
  • icmp:3
  • icmp:4
  • icmp:5
  • icmp:8
  • icmp:9
  • icmp:10
  • icmp:11
  • tcp:21
  • tcp:22
  • tcp:53
  • udp:53
  • tcp:80
  • udp:4569
  • udp:5060
  • udp:5061
  • udp:5070
  • udp:5222
  • tcp:5222
  • tcp:6600
  • tcp:8000
  • udp:9710

On a SONICWALL, the concept is the same but you have to create an ADDRESS OBJECT. Create the services, if they are not already there. Finally create the NAT POLICY. Typically, I use the WIZARD to set these up with at least one service, then add the other services later on.

9-setup phone sets via IP ADDRESS. Amazingly to me, some of the settings need to be set up individually, phone set by phone set. This kind of ruins the whole point of central management, but so be it. If the phone has an IP ADDRESS, type it in along with the USER/PASS. The important setup items here are LINE1 with the EXTENSION NUMBER. Also set up the NTP for the NETWORK TIME: click GENERAL > TIME. The important part here is to set the server name, which is something like s123456.fonality.com.

10-last of all, Fonality recommends setting an A RECORD in the DNS settings: the A RECORD is s123456.fonality.com and the IP ADDRESS is the INTERNAL IP ADDRESS of the server. This way, when the phone sets request info, they will be directed internally rather than externally. It saves a few milliseconds.

Last Updated on Sunday, 06 July 2014 16:50

LEVEL3 Fiber Line and Sonicwall

Just a mental note that a SONICWALL INTERFACE (X0, X1, X2, etc) needs to be manually set with a LINK SPEED of 100MB FULL DUPLEX for a LEVEL3 Fiber Line. It cannot be set to AUTONEGOTIATE.

Upgrade Exchange 2013

CURRENTLY:

-we are at EXCHANGE 2013 15.9.516.32 aka RTM
(You can find yours by typing: get-exchangeserver | fl AdminDisplayVersion)
(Visit the following for the current version list: https://technet.microsoft.com/en-us/library/hh135098%28v=exchg.150%29.aspx)
-underlying OS is WINDOWS SERVER 2012 STANDARD
-verified we have .NET 4.5 installed

AVAILABLE:
-CU5 15.0.913.22
-SP1

STEPS:
-only need CU5
(CU4 aka SP1 is not needed. All CU's are full updates and are not dependent upon previous CU's in any way.)
-downloaded CU5 to the server.


BACKUP AD
Take a confirmed backup of Active Directory

BACKUP EXCHANGE DB
Take a confirmed backup of your existing Exchange 2013 servers and databases


VERIFY AD HEALTH
-DCDIAG
-REPADMIN /SYNCALL

EXTRACT CU INTO ROOT DIRECTORY
-c:\Exch2013CU5


PREPARE AD LEVEL1
-setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms


VERIFY AD HEALTH
-repadmin /showreps
-DCDIAG

PREPARE AD LEVEL2
-Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
-Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

SET EXECUTIONPOLICY
-click START > ALL PROGRAMS > ACCESSORIES > WINDOWS POWERSHELL
-get-executionpolicy -list
-get-executionpolicy
-Set-ExecutionPolicy Unrestricted
-get-executionpolicy

ADD RSAT TOOL
-click Manage > Add Roles and Features > Features
-Expand to RSAT > FAT > FCT > FAILOVER CLUSTER COMMAND INTERFACE
-checkmark it
-click NEXT
-click INSTALL

PERFORM THE UPGRADE
-Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

SET EXECUTIONPOLICY
-click START > ALL PROGRAMS > ACCESSORIES > WINDOWS POWERSHELL
-get-executionpolicy -list
-get-executionpolicy
-Set-ExecutionPolicy RemoteSigned
-get-executionpolicy


=================
FRIENDLY WEBSITES
=============================================
http://enterpriseit.co/microsoft-exchange/2013/prepare-ad-prepare-schema/
http://blog.jasonsherry.net/2014/05/28/exchange-2010-sp3-ur6-and-2013-cu5-released/
http://windowsitpro.com/blog/exchange-2013-cu5-a-good-update
http://exchangeserverpro.com/exchange-server-2013-cumulative-update-5-released/
http://msexchangeteam.in/how-to-backup-exchange-server-2013-database-part-1/

Last Updated on Monday, 03 April 2017 11:15

Datacenter Backups Are Tough

Datacenter backups are tough. They have been killing me through the years. Why? Simply because there is too much data. Sure, backing up a desktop or a phone isn't too hard since the options are available, but what do I do in a datacenter? What are my options?

Good question. What are my options? Well, let's think about it.

Typically, the first option I think of is a backup to an external HD or a USB HD. On a desktop this is easy: plug the USB HD into the desktop and off you go. In a datacenter, I can't plug in the USB. It's thousands of miles away. When I called one datacenter about this option, they said I would have to rent out another unit or another U. This is obviously expensive. Plus I would have to pay for the USB drive and the time for a tech to work with me. That part shouldn't be too bad but you never know.

But if I'm going to pay for another U, I might as well have a second server to backup to.

Which leads to the second option, a second server. A second server wouldn't be too bad. There are many pros: it is available, I have control, I could use it in a pinch for something else if I needed, and I could possibly experiment with high availability items.

The issue with a second server is setup. The thought of having to set up a secure RSYNC is daunting to me. There are too many things that could go wrong, and I wouldn't know it until they did go wrong, such as my backup not working until the moment I needed it.

The second issue with a second server is simply my pennywise roots. I'm not paying for a full server setup simply for backup if I can get around it.

The third option is to backup to desktop. This simply won't work. There's simply too much data. I'm not downloading 500GB of info via web to a local desktop. Even if I did go down this path the major issue would be restoring it if I needed to. How would I get the data back to the rebuilt server? Wait days for it to transfer 500GB? It would be faster if I drove it there. I simply don't like it.

Luckily for me, my new awesome datacenter has a fourth option: NAS, network attached storage. Basically, it's an external HD that is accessible via a LAN connection. Better yet, I can set it up without their intervention. I can just order it via the control panel they provide and it is ready to go in a matter of 1 minute. Awesome. They automatically provide the NAS connection name, the share name, the username and the password.

But would it work? Well, they offer a free 20GB NAS for testing out. Huh? Are you kidding me? That's awesome.

So I typed in the credentials on the backup panel, signaled a manual backup and voila, it works. After all these years, a seemingly daunting and expensive task boiled down to a literal 5 minute operation. Amazing.

Thank you to all the datacenter professionals and backup developers that made this possible.

Last Updated on Monday, 23 June 2014 06:03

SuperMicro Intelligent Management

Wow! I'm learning a whole bunch about SuperMicro Intelligent Management. It basically provides a way to control the physical server from a remote location. Or as they put it you can have "system management in a pre-OS or an OS-absent environment." Pretty cool.

I can view the bios, change bios settings, change IP settings, view the screen as if I were sitting right in front of the server. Again, pretty cool.

A couple of notes for me:

-CONSOLE REDIRECTION, KVM CONSOLE and IPMI are all the same type of item and refer to the same thing, a remote console.

-SOL is SERIAL OVER LAN. I do not know what this is but I think it's passe. I'll check and report if I find differently.

Here you can get the IPMIView:

ftp://ftp.supermicro.com/utility/

But you don't need it. Just hit the IP address of the IPMI nic in INTERNET-EXPLORER (will not work in FIREFOX) and a login page will show. The default user/pass is:

  • USER: ADMIN
  • PASS: ADMIN
  • (case-sensitive)

You may have to add the ip address to the JAVA security section before this will work:

  • -start > control-panel > java
  • -click SECURITY tab (at the top).
  • -click EDIT-SITE-LIST
  • -type your ip-address like so: https://1.2.3.4
  • -click OK > OK

To add an ISO:

  • -click VIRTUAL-MEDIA > VIRTUAL-STORAGE

From here you can add an ISO, IMA, USB, etc

To update the SUPERMICRO BIOS:

  • -get a bootable ISO here: http://pingtool.org/downloads/fd11src_live.iso
  • -get the bios zip file for your motherboard from the supermicro web site
  • -extract the bios zip files
  • -open AMI.BAT in a text-editor
  • -comment out the following lines by adding the double colon (::) in front of the lines:
    ::REN AFUDOSU.SMC AFUDOSU.EXE
    ::REN AFUDOSU.EXE AFUDOSU.SMC
  • -manually rename AFUDOSU.SMC to AFUDOSU.EXE
  • -download the MAGICISO program.
  • -install MAGICISO.
  • -start MAGICISO.
  • -open the bootable ISO.
  • -add the bios files to the FREEDOS > 3RDPARTY folder
  • -save the ISO (click file > save).
  • -connect the ISO to the VIRTUAL-MEDIA (as above).
  • -choose FREEDOS from the menu.
  • -change to the 3RDPARTY folder: cd 3RDPARTY
  • -type: AMI filename.xxx (ie: ami X10SLM5.c21)
  • -hit ENTER
  • -wait.
  • -wait more.
  • -wait longer.
  • -eventually it will complete.
  • -once you get the message "System must power-off to have the changes take effect!", turn the power off on the IPMI.
  • -disconnect the ISO.
  • -power-on the system.
  • -let it reboot 4 times on its own.
  • -once it reboots to something, enter the bios and reset to the defaults (this is necessary as there are defaults that cannot be manually changed and must be set).
  • -reboot again and enter bios.
  • -set your bios options to your preference.

NOTES / LINKS:

Last Updated on Saturday, 28 October 2017 21:35

Running a VMDK on VirtualBox

  • open VIRTUALBOX.
  • click NEW (at the top).
  • type in the name you want to see.
  • select the TYPE of system (in my case it's WINDOWS 7).
  • select the VERSION of system (in my case it's WINDOWS 7 X64).
  • select USE AN EXISTING HARD DRIVE FILE.
  • select the folder or CHOOSE.
  • browse to the VMDK file.
  • click CREATE.

Try to start it. Most likely it will BSOD with 0x0000007B.

Booting a VMDK in VIRTUALBOX BSOD's with 0x0000007B.

Now when you try to boot it, it will BSOD on you. It's happening because the STORAGE CONTROLLER configuration is wrong. The problem is that images you import from other platforms into VirtualBox get the wrong HDD controller config by default, and Windows hates you for changing hard drive controllers. Here's how to fix it (loose instructions, as the specifics change from version to version):

  • open VIRTUALBOX.
  • right-click on the VM.
  • click SETTINGS.
  • click STORAGE.
  • select the SATA CONTROLLER.
  • click REMOVE.
  • click ADD NEW CONTROLLER.
  • click ADD NEW ATTACHMENT TO STORAGE.
  • select IDE.

Now the VMDK should boot fine.

 

Manually Send An Email To An Outside Domain

Want to manually send an email to an outside domain from your Exchange 2013?

Destination SMTP server:   mail.foo-receive.com
Source domain:   foo-send.com
Sender's e-mail address: [address obfuscated on the original page]
Recipient's e-mail address: [address obfuscated on the original page]
Message subject:   Test from foo-send
Message body:   This is a test message

click START > RUN

type: cmd

at the command prompt type: telnet

press ENTER.

This command opens the Telnet session.

type: set localecho

This optional command lets you view the characters as you type them. This setting may be required for some SMTP servers.

press ENTER.

Type: set logfile c:\telnetsession.txt

This optional command enables logging of the Telnet session to the specified log file. If you only specify a file name, the location of the log file is the current working directory. If you specify a path and a file name, the path must be local to the computer. Both the path and the file name that you specify must be entered in the Microsoft DOS 8.3 format. The path that you specify must already exist. If you specify a log file that doesn't exist, it will be created for you.

Type: open mail.foo-receive.com 25

press ENTER.

Type EHLO foo-send.com

press ENTER.

Type MAIL FROM: [address obfuscated on the original page]

press ENTER.

Type RCPT TO: [address obfuscated on the original page] NOTIFY=success,failure

press ENTER.

The optional NOTIFY command defines the particular delivery status notification (DSN) messages that the destination SMTP server must provide to the sender. DSN messages are defined in RFC 1891. In this case, you are requesting a DSN message for successful or failed message delivery.

Type DATA

press ENTER.

You will receive a response that resembles the following:

354 Start mail input; end with <CLRF>.<CLRF>

Type Subject: Test from foo-send

press ENTER.

press ENTER.

RFC 2822 requires a blank line between the Subject: header field and the message body.

Type: This is a test message

press ENTER.

Press ENTER

type a period ( . )

press ENTER.

You will receive a response that resembles the following:

250 2.6.0 <GUID> Queued mail for delivery

To disconnect from the destination SMTP server, type: QUIT

press ENTER.

You will receive a response that resembles the following:

221 2.0.0 Service closing transmission channel

To close the Telnet session, type: quit

press ENTER.
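The same EHLO / MAIL FROM / RCPT TO (with NOTIFY) / DATA / QUIT exchange, scripted in Python as an added example that is not part of the original post. The host name and the two addresses (sender@foo-send.com, recipient@foo-receive.com) are constructed placeholders in the style of the post's foo-send/foo-receive names, and the mock server is a constructed stand-in so the exchange runs offline; the client function works the same against a real server on port 25.

```python
import socket
import threading


def _read_reply(reader):
    """Read one (possibly multi-line) SMTP reply; return (code, lines)."""
    lines = []
    while True:
        raw = reader.readline()
        if not raw:
            raise ConnectionError("server closed the connection")
        line = raw.decode("ascii", "replace").rstrip("\r\n")
        lines.append(line)
        # "250-..." continues a multi-line reply, "250 ..." ends it.
        if len(line) < 4 or line[3] != "-":
            return int(line[:3]), lines


def _command(sock, reader, command, ok_codes):
    """Send one command (None = just read the banner) and require an ok reply."""
    if command is not None:
        sock.sendall(command.encode("ascii") + b"\r\n")
    code, lines = _read_reply(reader)
    if code not in ok_codes:
        raise RuntimeError(f"{command!r} failed: {lines[-1]}")
    return lines


def send_test_message(host, port, helo_domain, sender, recipient, subject, body):
    """Replay the EHLO / MAIL FROM / RCPT TO / DATA / QUIT sequence; return the queue reply."""
    with socket.create_connection((host, port), timeout=10) as sock:
        reader = sock.makefile("rb")
        _command(sock, reader, None, {220})                      # greeting banner
        _command(sock, reader, f"EHLO {helo_domain}", {250})
        _command(sock, reader, f"MAIL FROM:<{sender}>", {250})
        # NOTIFY asks for DSN messages (RFC 1891) on success and on failure.
        _command(sock, reader, f"RCPT TO:<{recipient}> NOTIFY=success,failure", {250, 251})
        _command(sock, reader, "DATA", {354})
        # RFC 2822: a blank line separates headers from body; a lone "." ends DATA,
        # so body lines that start with "." get an extra leading dot (dot stuffing).
        body_lines = [("." + l) if l.startswith(".") else l for l in body.splitlines()]
        payload = "\r\n".join([f"Subject: {subject}", ""] + body_lines) + "\r\n.\r\n"
        sock.sendall(payload.encode("ascii"))
        code, lines = _read_reply(reader)
        if code != 250:
            raise RuntimeError(f"message not accepted: {lines[-1]}")
        _command(sock, reader, "QUIT", {221})
        return lines[-1]


def run_mock_smtp_server():
    """Constructed stand-in for mail.foo-receive.com so the exchange runs offline.

    Listens on a free loopback port and answers like the transcript in the post;
    returns (port, transcript, thread), where transcript collects what the client sent.
    """
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    transcript = []

    def serve():
        conn, _ = listener.accept()
        with conn:
            reader = conn.makefile("rb")
            conn.sendall(b"220 mail.foo-receive.com ESMTP ready\r\n")
            while True:
                raw = reader.readline()
                if not raw:
                    break
                cmd = raw.decode("ascii", "replace").rstrip("\r\n")
                transcript.append(cmd)
                verb = cmd.split(" ", 1)[0].upper()      # "MAIL FROM:..." -> "MAIL"
                if verb == "EHLO":
                    conn.sendall(b"250-mail.foo-receive.com\r\n250 DSN\r\n")
                elif verb in ("MAIL", "RCPT"):
                    conn.sendall(b"250 2.1.0 OK\r\n")
                elif verb == "DATA":
                    conn.sendall(b"354 Start mail input; end with <CRLF>.<CRLF>\r\n")
                    while True:
                        raw = reader.readline()
                        line = raw.decode("ascii", "replace").rstrip("\r\n")
                        transcript.append(line)
                        if not raw or line == ".":
                            break
                    conn.sendall(b"250 2.6.0 <constructed-guid> Queued mail for delivery\r\n")
                elif verb == "QUIT":
                    conn.sendall(b"221 2.0.0 Service closing transmission channel\r\n")
                    break
                else:
                    conn.sendall(b"500 5.5.1 Command unrecognized\r\n")
        listener.close()

    thread = threading.Thread(target=serve, daemon=True)
    thread.start()
    return listener.getsockname()[1], transcript, thread


if __name__ == "__main__":
    port, transcript, thread = run_mock_smtp_server()
    print(send_test_message("127.0.0.1", port, "foo-send.com", "sender@foo-send.com",
                            "recipient@foo-receive.com", "Test from foo-send",
                            "This is a test message"))
    thread.join(5)
```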

Last Updated on Friday, 13 June 2014 13:54

Windows 7 Won't Boot, Windows 7 Won't Boot Into Safe Mode, Hang On Searching For Windows Installations

How I got there:

  • user shutdown computer via START > SHUTDOWN.
  • computer started to load 8 updates during shutdown.
  • user didn't want to wait and hard shutdown pc by holding power button.
  • slap forehead.
  • boot into normal mode. Result: takes forever and then reboots (about an hour).
  • boot into safe mode. Result: takes forever to load and then reboots (about an hour).
  • same result for safe mode with command line.
  • boot from WINDOWS 7 CD. Click REPAIR YOUR COMPUTER. It goes to SEARCHING FOR WINDOWS INSTALLATIONS and stays for long time (I hard shutdown at about 1 hour).

What to do:

1 - MAKE BACKUP OF YOUR DATA.
In running a CHECKDISK, you are risking that an error will be discovered and the disk will refuse to run or start clicking.
You can easily use a KNOPPIX CD to access and transfer the data.

2 - MAKE BACKUP OF YOUR DATA.
Yes, this is in twice because the data is important. In running a CHECKDISK, you are risking that an error will be discovered and the disk will refuse to run or start clicking.
You can easily use a KNOPPIX CD to access and transfer the data.

3 - RUN A CHECKDISK

  • boot from WINDOWS 7 CD.
  • choose language & keyboard.
  • press SHIFT + F10.
  • a command prompt opens.
  • type: chkdsk c: /R

4- RENAME THE WINDOWS UPDATE

  • type: Ren c:\windows\winsxs\pending.xml pending.old

5 - RUN A SYSTEM FILECHECK

  • type: CD /D C:
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to WINDOWS 7 CD.
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to WINDOWS 7 CD.
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to hard drive.
  • yes 3 times. The above is NOT a typo.

In my particular case, the CHKDSK found an error and refused to proceed. A hard shutdown was performed. Upon reboot, the drive started clicking. The drive is now at a data recovery center.

NOTE: Thank you to the following link: http://www.sevenforums.com/tutorials/219533-troubleshooting-windows-7-failure-boot.html

Last Updated on Friday, 13 June 2014 13:54

Downgrade Windows 7 Professional to Windows 7 Home Premium

I usually like to skip the story of how I got into the situation, but on this occasion it's worth it since I can imagine this scenario happening for many.

I was repairing a client's computer since the hard drive died. I replaced the hard drive and needed to load the OS. The sticker on the computer box said WINDOWS HOME PREMIUM but the client didn't have the CD since the manufacturer doesn't include them anymore. I didn't have one either. I only had WINDOWS 7 PRO.

"What's the big deal," I thought. "I'm sure it's simple to change it afterwards." Well, it isn't.

I loaded the Windows 7 Professional but then it complained about not being activated and not being genuine.

Just like most other issues, there is so much mis-information on the internet, it's almost impossible to fix anything nowadays. But it is possible to fix.

So here's my notes:

1-regedit
-go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
-edit EDITIONID:

Options are:
Ultimate
Professional
HomePremium
HomeBasic
Starter

-edit: PRODUCTNAME:

Options are:
Windows 7 Professional
Windows 7 Ultimate
Windows 7 HOMEPREMIUM
Windows 7 Business
Windows 7 HOMEBASIC

2-download the freely available ISO of the WINDOWS version found here:

Windows 7 Home Premium 32Bit: http://msft.digitalrivercontent.net/win/X17-58996.iso
Windows 7 Home Premium 64Bit: http://msft.digitalrivercontent.net/win/X17-58997.iso

Windows 7 Professional 32Bit: http://msft.digitalrivercontent.net/win/X17-59183.iso
Windows 7 Professional 64Bit: http://msft.digitalrivercontent.net/win/X17-59186.iso

Windows 7 Ultimate 32Bit: http://msft.digitalrivercontent.net/win/X17-59463.iso
Windows 7 Ultimate 64Bit: http://msft.digitalrivercontent.net/win/X17-59465.iso

(NOTE: the product key number on the side of the computer box has to match the WINDOWS VERSION but it doesn't matter about the BIT VERSION. A Windows 7 Home Premium number will work with both the 32bit and the 64 bit)

3-download the eicfg_removal_utility.zip tool found here:
http://code.kliu.org/misc/winisoutils/

4-run the utility on the ISO to remove ei.cfg from the ISO.

5-download RUFUS found here:
http://rufus.akeo.ie/

6-run RUFUS and put the ISO on a USB.
(select all the defaults)

7-run SETUP.EXE on the USB.
(Do not boot from the USB).

8-click INSTALL NOW
(it's the only option it gives you).

9-click UPGRADE (it should allow you to go through the upgrade/downgrade process. It will keep all programs & files intact.)

10-type the product key on the side of the computer box.

Give it about an hour to complete this process.

Migrate to Office365

The migration to Office 365 is a pain. I'm not a fan. I could go on and on but there's almost no point in resisting. I even recommend switching to it to some of my clients.

To start the migration, you need an end-point. That end point needs to have the

WEB SITE NAME: mail.contoso.com
SERVER NAME: contoso-dc (yes, this is the actual computer name).

In the migration, do not setup the users on the new side. The migration will automatically setup the users for you.

Last Updated on Friday, 26 June 2015 15:22

Block Cryptolocker on Exchange 2013

-log into your EXCHANGE ADMIN CENTER (EAC) with an Admin account.
-click on the Admin in the upper right hand corner.
-select Exchange.
-go to Mail Flow on the left.
-make sure you are on Rules.
-click the + (to Create New Rule).
-name it Block EXE.
-in the Apply this rule if... drop down select Any attachment's content includes...
-click the Enter words...
-type EXE
-hit the + (you should now see EXE where the Enter words... was).
-(if you want to add other extensions like BAT, MSI, CMD and so on, you can just click in that same spot).
-in the Do the following... drop down select Reject the message with the explanation...
-type in: Executable content not allowed. 
-leave the Audit this rule with severity level: checked drop down as is (Not specified).
-choose a mode for this rule: radio button should be on Enforce.
-now hit Save


=====================================
Now add a second rule. This time when setting up the rule in mail flow, you need to:

-click on 'more options' (at the bottom of the rule).
-go back to 'apply this rule if' (at the top)
-select 'any attachment' then 'has executable content'.

Maybe I'll add a video here. Contact me if you really want one.

Last Updated on Friday, 13 June 2014 13:27

EXCHANGE 2013 PUTS MESSAGES IN DRAFTS FOLDER

Is your Exchange 2013 (Windows Server 2012) putting messages in the DRAFTS folder?

-hard code the IP ADDRESS in the c:\windows\system32\drivers\etc\hosts file as both FQDN and Friendly name.

It will look like this:

192.168.1.2     server.domain.tld
192.168.1.2     server

Restart the MAIL TRANSPORT service and everything should be right as rain.

This happens because the server is trying to use IPv6 and for some unknown-reason-to-me, the IPv6 wasn't working as it should. Hard coding the ip address in the HOSTS file forces the server to use IPv4.

Another 6 hours down the drain due to lack of logs in Microsoft Windows. This is exactly why I stopped using Microsoft software more than 10 years ago. At least with Red Hat (RHEL, CentOS, Linux) you have something to go on. If you are a business, I recommend getting a support contract so that you can call when you need to.

Last Updated on Thursday, 19 March 2015 13:32

OUTLOOK Email Calendar Crashes OUTLOOK

PROBLEM:
Emailing Calendar dates from OUTLOOK 2007 crashes the OUTLOOK app.

SOLUTION:
The WindowsShell.manifest file is missing from C:\Windows folder. Find another workstation where this file exists and copy it over.

Manually Transfer SME Server Data to New Install

SEQUENCE OF HOW WE GOT HERE

-3 drives (sda, sdb, sdc) in RAID 5 config.
-sudden power outage.
-sme won't boot.
-bad block on sda which makes up MD1.
-removing sda doesn't work for some reason.


WHAT I DID

Install Fresh SME Server

-buy new HD
-remove all old HD's
-install new HD
-install fresh SME on new HD
-shutdown machine

Re-insert Old HD

-remove new HD
-insert one of the good old HD drives

Boot from CD

-put in SME SERVER cd
-boot
-type: sme rescue
-hit enter
-don't start network
-accept other defaults

Change the LVM Name

(It's ok to run these commands. Only the last command affects the setup. Which can be easily changed back if needed)
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-lvm pvscan
-lvm lvscan
-lvm vgrename main mainold
-exit

Re-insert New HD

-remove old HD
-insert new HD drive

Boot New HD & Access Old HD

-boot up via new HD
-connect old HD via USB caddy.
-it should be /dev/sdb
-type: fdisk -lu /dev/sdb
-mdadm -AR /dev/md8 /dev/sdb2
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-mkdir -p /mnt/olddrive
-mount -t ext3 /dev/mainold/root /mnt/olddrive

Manually Copy Old Info

-cd /
-signal-event pre-restore
-/bin/cp -Ra /mnt/olddrive/etc/e-smith/templates-custom/ /etc/e-smith/
-/bin/cp -Ra /mnt/olddrive/etc/group /etc/
-/bin/cp -Ra /mnt/olddrive/etc/gshadow /etc/
-/bin/cp -Ra /mnt/olddrive/etc/passwd /etc/
-/bin/cp -Ra /mnt/olddrive/etc/samba/secrets.tdb /etc/samba/
-/bin/cp -Ra /mnt/olddrive/etc/samba/smbpasswd /etc/samba
-/bin/cp -Ra /mnt/olddrive/etc/shadow /etc/
-/bin/cp -Ra /mnt/olddrive/etc/smbpasswd /etc/
-/bin/cp -Ra /mnt/olddrive/etc/ssh/ /etc/
-/bin/cp -Ra /mnt/olddrive/etc/sudoers /etc/
-/bin/cp -Ra /mnt/olddrive/root/ / (I cheated here. I only grabbed the htop config file. I left the rest)
-/bin/cp -Ra /mnt/olddrive/opt/ /
-/bin/cp -Ra /mnt/olddrive/home/e-smith/db/ /home/e-smith/
-/bin/cp -Ra /mnt/olddrive/home/e-smith/Maildir/ /home/e-smith/
-/bin/cp -Ra /mnt/olddrive/home/e-smith/web/ /home/e-smith/

Manually Copy Mysql Info

service mysqld stop
/bin/cp -Ra /mnt/olddrive/var/lib/mysql/ /var/lib/
cd /var/lib/
chown -R mysql:mysql ./mysql
service mysqld start

Reboot with Transferred Configuration

-signal-event post-upgrade
-reboot
-this allows people to work/access the internet

Manually Copy Rest of Data

/bin/cp -Ra /mnt/olddrive/home/e-smith/files/ /home/e-smith/


Copy to New External HD

-leave HD's in the server.

Boot from CD

-plug in new HD via usb
-put in SME SERVER cd
-boot
-type: sme rescue
-hit enter
-don't start network
-accept other defaults

The new drive should show up as /dev/sdd.

Partition New HD

-type: fdisk /dev/sdd
-Press p > Press n > Press p, partition 1, default 1 > Press w
-type: mkfs.ext3 /dev/sdd1

Change to Old Info

-chroot /mnt/sysimage

Mount New HD

-mkdir -p /mnt/newdrive
-mount /dev/sdd1 -t ext3 /mnt/newdrive

Copy Info

-/bin/cp -Ra /home/ /mnt/newdrive

ScanMailX

If running your own mail server is still important to you, then you will need a few items in today's world even if they are not required by the RFCs. These items are mainly:

  • spam filtering
  • antivirus filtering
  • spf
  • dkim
  • dmarc

You either have to build these yourself or use a product that has it built in. With cloud systems clearly on the rise, most are going to find that it isn't worth the trade off and succumb to the pressure of using Gmail or Microsoft Hosted Exchange for around $4 per month.

However, there are other options out there. If you don't want to give up control of the mail server (and I wouldn't blame you if you fall into this category) but still want the items listed above, you could always use SCANMAILX.COM

Though it doesn't look like much on the outside, it is actually a terrific product depending on the number of accounts you need to manage. For about $175, you can protect and secure all the accounts on the domain.

Jesper Knudsen is the brains behind SCANMAILX and one of the most brilliant developers of our time. After emailing back and forth a few short times so I could feel comfortable with the product, I signed up.

It is rather easy to get going as well. You don't even have to setup accounts on the SCANMAILX side. Three simple steps to change to SCANMAILX.

CHANGE TO SCANMAILX

  • change MX records TTL to 3600 (1 hour. The lowest TTL possible in NS).
  • be certain the FORWARD HOST is correctly configured in SCANMAILX account.
  • change DNS mx records to mxdk01.scanmailx.com & mxdk02.scanmailx.com.

It's been a few months since signing up and everything is humming along just fine and dandy. The controls on the administrator side of their web site are pretty straightforward.

Canon Advanced C5235: Change SMTP Port

Of course, with the recent changeover to Hosted Exchange, or Office365, we need to change all the outgoing email settings, or SMTP settings, on all the copiers. On most copiers it is pretty simple. But with Canon, they haven't put the SMTP Port in the web interface. Nearly 2014 and companies still design and engineer with brain damage.

  • walk to copier.
  • press the settings button.
  • press the numbers 2 & 8 simultaneously.
  • press the settings button again.
  • press the number 2 and the settings button once again (go into "level 2" of service mode).
  • press NETWORK > SMTPTXTN.
  • press the i symbol.

Running My Own Email Server

For the past 10 years, I've been running my own email server for a company of 750 accounts. It was built in my spare bedroom as a hobby and it intrigued my desire to learn. It worked very well and saved a ton of money, so I implemented it.

The Reasons

One of the reasons I did this was strictly control. I could easily control accounts, look into situations and make corrections if needed.

Another reason I did this was because of detailed information I could get by looking at the log files. Like above, I could easily look into the logs to see what's happening in real-time and didn't have to put up with cryptic or erroneous messages.

Another primary reason was speed. I could make changes via command line faster than most people could change channels on their TV. A simple command line and BAM!, the info I needed was there.

The last primary reason I did was because I trusted myself rather than someone else. I knew that as long as the hardware was working correctly, the Centos email-server would be the energizer bunny of the rack.

The Downfall

The downfall of all of this is actually running it. And everything that comes with it. The technical aspect was the easy part. As I said, most Centos systems are rock solid stable. The tough part is the people. When email doesn't go through, they automatically think that there is something wrong with the system. Especially when business is on the line. It's easier to blame the system rather than themselves. Never do they think or admit that they could have made a mistake.

The reality is much different. If this 10 year project has taught me anything it's that people make a massive amount of mistakes. Massive. Let me say it again: MASSIVE!

The Human Factor

Telling people that the email didn't go through because they spelled the email address incorrectly was nearly a daily occurrence. It went like this... They spelled the name incorrectly. They received a bounce message. They assumed that something is wrong with the email server. They complained to me. Never once did they actually look at the bounce message and read what it said.

>> NO USER BY THAT NAME

"Oh, I must have spelled the email address incorrectly. Let me try again and spell it correctly" were never words that anyone said. It was always, "I need this email to go through!!! There is something wrong with the system!!! How can we operate like this!!!"

When you tell them the email address is incorrect, they call you a smart-@$$ and grumble as they walk away. Really, I have better things to do than spend my adult years telling other adults that they can't spell.

Spam

Then comes the big issue: SPAM. I've nearly devoted my life to rid my accounts of spam. It's been a back and forth battle. There were some days that I thought I would simply pull the plug and quit. But I stuck in there and eventually an updated RPM would come through fixing the problem for awhile until the process started again.

In recent years, the server has sometimes nearly choked on itself fighting the contents of messages but it kept pushing through.

Blacklisting

While blocking other blacklisted servers is a good idea in my mind, it is obviously not good for the people trying to get messages. In my mind, the complaints sounded like this: "My friend has a GoDaddy account that she bought the other night for a dollar and the account is on a server that is sending out millions of spam messages advertising pharmaceuticals. It's obviously blacklisted for very good reason, as most, if not all, blacklisted servers are, but I need her messages to come through. Can you fix it?"

So I'm supposed to adjust my system because theirs is obviously broken.

Example

Here's the progression of an actual complaint taken verbatim:

THEM: "I've had repeated complaints of emails getting denied, kicked back or undeliverable when people use my [removed].com address. Am about to lose a new listing because of... What's the problem!?"

ME: "They are on a blacklist. We don't receive email from blacklisted servers."

THEM: "I contacted my friend. Here is what he said..."

"Your email server uses a German blacklist database provider that looks to be shady at best. The IP address [blah, blah, blah] is owned by Network Solutions who hosts one of the largest email systems. Any reputable black list service would contact Network Solutions directly before blacklisting one of their email servers seeing how blacklisting a Network Solution server would cause a great deal of email to be 'bounced' or undelivered to your system. I recommend removing this black list from your mail server immediately. I would also recommend using an ironport or some other reputable SPAM filtering hardware over a hosted database look up. If you do decide to use a hosted service to reduce SPAM, definitely choose a more reputable company than UCEPROTECT...."

ME: "The server is on more than 5 different blacklists. They can't all be wrong. There is obviously an issue with the other server."

THEM: "...the email addresses [sic] are famous for being undependable. (Just ask [removed] from [removed company], [removed], [removed] and more)... Many [removed] agents use their own email addresses due to the poor workings of [removed] addresses."

ME: "Their email is hosted on Unified Layer. One of Unified Layer's servers was behaving badly. Consequently, that server was put on an external BLACKLIST that we utilize. This blocked all email from that particular server. Unified Layer has full time staff to handle issues like this and they fixed the issue rather quickly so everything should be ok. It is a common issue with Unified Layer just search on google here: https://www.google.com/search?q=unified+layer+blacklist"

THEM: "Our regular [removed] emails are not all coming in. I did not receive multiple emails from [removed] a couple days ago, and apparently our new client (who is about to list a $1m+ with us) is being rejected. Please fix asap, as he is very techy [sic] and if we are not receiving his emails..."

ME: "He's so techy [sic] that he's using Unified Layer as his email. Not a good sign. They are black listed again. Look at the 17 million results when you search for it via google."

THEM: "If [removed], [removed], [removed] and I (repeatedly) are all kicked back from [removed]- we have a problem. I know other agents have addressed this same concern - answer always comes back that it is not [removed]'s issue. Yet our ability to receive necessary email continues to be compromised. More than likely, this very message will be kicked back. This is beyond frustrating - has been going on for 2+ years now with no success in remedying this crippling situation. It is not just 1 or 1 isolated incidents. Too many senders are being rejected."

ME: "Thanks for contacting me. You can help me by contacting me if you have a particular issue. You need to let me know what the issue is and what the bounce message is. In other words, if someone sends you a message and they receive a bounce message, find out what the bounce is and send it to me. I'll be glad to look at it and point out where the issue is and make adjustments if necessary.

Can I make adjustments on technical information that is never sent to me? No I can't. Which is why I ask for your help.

They don't all get kicked back. Unified had a problem with one of their servers. They fixed it as they should. You can see from the info below that Barracuda agrees that this is an issue outside of [removed].

Nobody has sent me any bounce messages from [removed] but [removed] and I email each other on a regular basis. In fact we traded emails over the weekend.

Nobody has sent me any messages from [removed].

Concerning your email, you might have sent a message in the past but not recently. Again, if you are receiving a bounce message, let me know what it is."

Boring

The above is boring. That is my point. It's boring and pointless. They are trying to convince me that something is wrong on my end. I am trying to convince them to use a good email service like Gmail or something similar that costs less than $5 per month.

The Switch

Today, I put an end to all of it. I switched over to a cloud service. It came down to Gmail or Microsoft Hosted Exchange. I chose Hosted Exchange because I don't like where Gmail is headed with the funny and ultimately too small compose message box on their web site. Yes, that is really why I didn't choose them.

The total project is going to cost 50K per year, or 500K over the same period I was doing it for free.

The biggest relief is that I don't have to do it anymore. If something is wrong, it's their fault. Do you think I will still get complaints?

Powershell Useful Commands

These are my Powershell useful commands: commands that I want to use but can't remember their silly, nonsensical syntax. I'll update it as I see fit. This is for me. If you can use it, great.

LOOK AT USER ACCOUNT EVERYTHING:
Get-Mailbox USERACCOUNT | Select *
LOOK AT USER ACCOUNT SELECTED PROPERTIES:
Get-Mailbox USERACCOUNT | Select prop1, prop2, etc
GET USER FORWARD EMAIL ACCOUNT
Get-Mailbox USERACCOUNT | FL *forward*
Get-Mailbox USERACCOUNT | Select Name, PrimarySMTPAddress, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward

NOTE: There are two properties that are very similar ForwardingAddress & ForwardingSMTPAddress.

Here is the difference:
ForwardingAddress: This is to forward to another account within the same domain.
ForwardingSMTPAddress: This is to forward to an external account.

SET FORWARDING TO EXTERNAL EMAIL ADDRESS
Set-Mailbox USERNAME -DeliverToMailboxAndForward $true -ForwardingSMTPAddress forwarding-email-address.tld
DELETE FORWARDING TO EXTERNAL EMAIL ADDRESS
Set-Mailbox USERNAME -DeliverToMailboxAndForward $false -ForwardingSMTPAddress $Null
SET USER PSEUDONYM
Set-Mailbox USERACCOUNT -EmailAddresses foouser1-AT-domain.tld, foouser2-AT-domain.tld
FIND ALL USERS WHOSE FORWARDING ADDRESS IS SET TO AN EXTERNAL EMAIL ADDRESS
Get-Mailbox | Where {$_.ForwardingSmtpAddress -ne $null} | Select Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
FIND ALL USERS IN A GROUP
Get-DistributionGroupMember GROUP-NAME-at-DOMAIN.TLD
FIND ALL INFO ABOUT A GROUP
Get-DistributionGroup GROUP-NAME-at-DOMAIN.TLD | FL
ADD USER TO A GROUP
Add-DistributionGroupMember -Identity GROUP-NAME-at-DOMAIN.TLD -Member USERNAME -BypassSecurityGroupManagerCheck
REMOVE USER FROM A GROUP
Remove-DistributionGroupMember -Identity GROUP-NAME-at-DOMAIN.TLD -Member USERNAME -BypassSecurityGroupManagerCheck

By default, only internal accounts can email groups. To set a group to accept senders from outside the organization:

SET A GROUP TO ACCEPT SENDERS OUTSIDE OF THE ORGANIZATION
Set-DistributionGroup -Identity GROUP-NAME-at-DOMAIN.TLD -RequireSenderAuthenticationEnabled $False

WINDOWS AZURE AD MODULE

I don't know how to explain this. But here it goes... The following are commands that affect the USERACCOUNT at a root level. Because of this, REGULAR POWERSHELL (and all its dependencies) can't run the commands. You have to get a SUPER POWERSHELL.

They call it the WINDOWS AZURE AD MODULE. It will only run on WINDOWS-7 & WINDOWS-8 and it requires something called ONLINE SERVICES SIGN IN ASSISTANT. Even though it is called a MODULE which maybe should just upgrade your current POWERSHELL, the truth is that it's another POWERSHELL (Trust me, nothing in Microsoft world makes sense).

DOWNLOAD WINDOWS AZURE AD MODULE

So, AS ADMINISTRATOR, you have to use this AD MODULE rather than POWERSHELL to make changes.

CONNECT WINDOWS AZURE AD MODULE TO OFFICE365
-right-click WINDOWS AZURE AD MODULE
-click RUN AS ADMINISTRATOR
-type: $msolcred = Get-Credential
-type: Connect-MsolService -Credential $msolcred
SET USERNAME TO NOT REQUIRE STRONG PASSWORD
Set-MsolUser -UserPrincipalName jsmith-at-company.com -StrongPasswordRequired $false
HARD SET THE USERNAME PASSWORD AND DON'T REQUIRE A CHANGE
Set-MsolUserPassword -UserPrincipalName jsmith-at-company.com -NewPassword new-password-here -ForceChangePassword $false
DELETE USERNAME
Remove-MsolUser -UserPrincipalName USERNAME-at-DOMAIN.TLD
ADD USERNAME
New-MsolUser -DisplayName "testuser" -UserPrincipalName testuser-AT-yourdomain.com -UsageLocation "US" | Set-MsolUserLicense -AddLicenses "tenantname:ENTERPRISEPACK"

OTHER COMMON COMMANDS

ls: lists contents of directory.

cat: read contents of text file.

Select-String: the MS version of grep.

DDWRT Kong Build Updates

I periodically check for newer hardware and firmware builds when it comes to routers. I am more interested in stability than performance but of course would like to have both.

In my last update, I was using:
Asus RT-N16 + r18050

In this check, I'm still sticking with Asus RT-N16. They are plentiful and affordable. New routers are available but they are 100% higher in costs and I don't think are worth the trade-off yet.

Stable More Affordable Version

The only change at this time is to move to the latest K26 r22200 build here:
Asus RT-N16 + http://www.desipro.de/ddwrt/K26/r22200

I was looking into the K3.x builds for the RT-N16 but it seems a rather complex process.

Stable Upgraded Bleeding Edge Version

Since I'd rather wait till the hardware changes and the process is a little more straightforward, the next step up seems to be:
Asus AC-RT66U + http://www.desipro.de/ddwrt/K3-AC/22715

Last Updated on Tuesday, 11 April 2017 18:19

The Option of Options

Leaders are gatekeepers. They decide what a group of people will have and what they won't have. In the same way an editor of a newspaper decides what stories people will read and what stories will never make the front page, leaders eventually have to decide what to offer as well.

One of the most powerful principles a leader will come across is the option of options. What do good leaders give as an option to another group? Do you give them as many as possible? After all, that seems to be what people want.

The truth is that while people want options to be able to choose, they don't want too many options. If you give a person too many options, their brain goes into overload and quits the decision making process altogether to find another way to proceed.

A good example of this is CostCo. You might have been to CostCo before. The huge warehouse superstore that does nearly everything by bulk. I actually stretch before I go in and I heard a rumor that it will be added to the next Summer Olympics. Just kidding.

One of the most common complaints about CostCo is the lack of choice. Do you know what CostCo thinks? Perfect. That's exactly what they want. They want options but very few of them. Options are good but too many options and it hinders the decision making process.

The brain can handle about 6 options easily. Any more than that and it starts to give up.

This was one of the brilliant things about Steve Jobs. One of the best actions he took when he was reintroduced to Apple in the early 2000's was to limit the product line. Forget about having all sorts of options that competitors were offering. Boil the product line down to the most basic of items. Keep the options so simple that a non-working wife of a well-to-do husband could understand and make the decision on her own. He limited it down to the:

  • iMac (home computer use)
  • Mac Pro (professional computer use)
  • iBook (home laptop use)
  • Mac Book Pro (professional laptop use)

What could be easier? Each option is clear. Each option is distinct. Each option is easily understood by the target market. Diving deeper into each one of these simple options will reveal that there are further options to upgrade but those options come later and are re-presented at another stage.

What's funny is how quickly a company can change when the leader is vacated. In such a short time, Apple has lost its focus that was so easily identifiable a few years ago.

This week they will release 2 new iPhones, the 5s and the 5c. Our target market can't tell the difference between the two. There's no clear difference. There are no easily identifiable differentiators. It can't be easily understood. Do you think both will be a success? Or do you think that one will succeed and one will fall flat on its face? Or maybe both will be doomed? I guess we will find out.

Now to you, leader. Will you offer options? Will you offer many and confuse? Or will you be helpful? Offer no more than 6 options. Make each one clear and easily identifiable. Don't confuse. Clarify.

Paying for a SMTP Relay

I manage a server that handles email for a medium sized company. It processes about 1,000 messages per hour or 24,000 per day. The box has sat inside the office humming away for about 10 years.

Then one day, for some reason, executable content comes through the email service which isn't picked up by ClamAV. Then, for some reason, a user opens an email that's obvious-to-me-but-not-to-them that they shouldn't open. Then, for some reason, my choice of antivirus at the time (Panda Cloud) does nothing and... poof. Cutwail virus city. This thing starts sending out spam by the thousands every minute and the IP address is quickly put on blacklists all across the world.

Great.

If you are given a map and dropped into nowhere, you can usually find your way around pretty quickly. If you're dropped in the middle of nowhere, it takes longer to find your way out.

I discover they're on a blacklist pretty quickly. Through blacklist diagnostics, I can see that a Cutwail virus is on the network. I wait till the end of day and start to scrub client PCs and think "I'm too old for this stuff."

I find a client PC, disinfect it with Microsoft Safety Scanner and feel good. I put in for delisting and wake up the next day to find they were re-listed for the same reason.

I missed a client pc behind a closed door. Executives. The reason the world spins slowly.

Finally getting physical access by persuasion that there's an obvious problem, I disinfect the second client pc as well. Feeling really good, I put in for another delisting. The next morning they stay that way.

Good.

The next few days were spent delisting from any blacklist or RBL at MXToolBox.

Now here's the problem, despite delisting, the IP address is on-radar at larger outfits like Yahoo & AOL who run their own internal spam metrics. Because of poor stats, the server is still getting blocked.

To ease this, I switch over to the ISP SMTP server which used to work fine for quite a long time: smtp.fdn.com. That doesn't work. They were bought out. So I use the newer SMTP server: smtp.nuvox.net. That doesn't work. They were bought out by Windstream. I don't know the SMTP server for them.

I call support, knowing that large customers get to talk to knowledgeable people in a few minutes. Having learned that Windstream's SMTP server is mailhost.windstream.com, I start using that.

Everything is going good.

A few hours pass.

Rrrrrriiiiiinnnnggg!!!! Rrrrrrriiiiinnnngggg!!! Rrrrrriiiinnnnnngggg!!!

"I'm not getting email!"

I look in the logs: "Too many recipients in the past hour."

So Windstream has an hourly limit on sending. This used to not be so. Normally it isn't a problem but when blast company wide messages go out, the server spikes above that level.

I switch back to the internal smtp.

Everything is going good.

A few hours pass.

Rrrrrriiiiiinnnnggg!!!! Rrrrrrriiiiinnnngggg!!! Rrrrrriiiinnnnnngggg!!!

"I'm not getting email!"

I look in the logs: "(DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.htm"

So AOL has dynamically blocked the IP address because it went too high on the stats.

I switch back to the Windstream smtp.

My only problem is AOL. If they would remove the DYN:T1 block, my life would be normal again.

I switched back and forth between the internal smtp and the Windstream smtp for the next several days hoping the block would be removed.

After getting enough complaints because of too much delay, I realize I'm too old for this and my hobby projects in my 20's which are now production projects in my 30's probably need to be shutdown. I just can't take it.

I look for outside help.

I remember hearing about Amazon smtp services or simple email service (SES). It's part of their Amazon Web Services (AWS) or their cloud services.

I sign up feeling like they are a good partner.

Their documentation takes a few reads because of the whole credentials aspect. They have a set of credentials for accessing the service but they have a different set for accessing SMTP. This set is created automatically.

Their documentation is also confusing about SSL/TLS on port 465, but I test it out over the next few days and get it working in my test. Here's what I used:

SMTPSmartHost=email-smtp.us-east-1.amazonaws.com

smtp-auth-proxy=service
Debug=disabled
Passwd=not-posted-in-plain-text
PeerPort=465
Userid=AKIAILKTFOYH47NR5MEA
status=enabled

Unfortunately, the service won't work for forwarding accounts. In other words, if I receive emails on behalf of someone and forward them onto their private email address at for example, AOL, it bounces with a message about the sending domain being invalid.

Back to the drawing board.

You would think that an SMTP service for large volume would be easy to find and obtain. Well, it's easy enough to find. Like most, I go to Google and type "smtp services."

Cutting out the details, here's the services that make my short list:

  • MandrillApp
  • Ongage
  • Critsend
  • Mailgun
  • MailJet
  • SendGrid
  • Dyn

I moved on to the next service on the list, MandrillApp. Super easy. Create an account and the credentials are right there, easy to understand and ready to be used.

  • Host smtp.mandrillapp.com
  • Port 587
  • SMTP Username [e-mail address not shown]
  • SMTP Password any valid API key

I turn them on over the weekend and monitor it. Everything is great. It even has detailed stats on the sending, such as percentages and graphs that make you feel good. The problem becomes, you lose control.

Managing my own server, I can watch the outgoing process in real time. If the receiving server gives a message, I can see it. When you outsource this to another company, you don't get to see anything. You have no idea what is happening. All you know is that there is a problem.

Over the next few days, I deal with issues such as mail stuck in the queue with no way to send it, message sending limits being lowered to 29 messages per hour with no way to lift them and rejected messages with no reason why. Messages aren't getting through.

No one can run a business without messages getting through.

I contact their support through email and wait about 24 hours for a response each time. The responses are all the same: they sound great, but in the end the service is automatic and there's nothing they can/will do.

So I ask the ultimate question, "What's the point of having a sending service that doesn't help you send?" I didn't pay them to be critics on what I was sending, I pay them to send, period. If they are not going to help me do that then we are not a good fit.

I change the sending back to local server. I move on.

I cannot have another experience like the failed MandrillApp trial run. Being afraid, I breeze over Ongage, CritSend, MailGun and MailJet. They all seem to be similar. Built for developers so that a product can automatically send messages to their clients.

They really aren't services that help send messages on a day to day basis. Most of their documentation starts talking about send limits and unsubscribes.

I decide using the local service is the best option, just like the past 10 years. I made some changes to limit the number of messages that can be sent per second and I dish sending off to the ISP SMTP server. It seems to be working OK with only a few hiccups.

AOL has seemed to stop blocking with these low limits and the passing of 30 days time from the original incident. My only issue is some Yahoo servers are still blocking. Not all. Only some. Arrrrgggghhh. I'll deal with it.

I'll have to work on the IP reputation in the near future by turning on SPF, DKIM, and DMARC. Believe it or not, I turn towards friends and I have one who runs scanmailx.com. I'll test the service out but know that the developers are some of the best around.

Walk Through: Clone Hard Drive with Bad Blocks By Using ddrescue

OK, here it is again in simple terms. You can't fix bad blocks. Once it happens, it grows. If you see bad blocks anywhere, replace the HD as soon as possible.

The best way to make this happen is by cloning the disk. Here's how:

This process ignores filesystems, so it will work on Windows (NTFS) and Linux (ext2, ext3). I haven't tried other filesystems but can imagine it would work fine as well. On Macs, though, I use Carbon Copy Cloner (CCC).

  • -shutdown the computer that needs fixing.
  • -buy a disk the exact same size (or larger) as the disk that has bad blocks on it.
  • -physically install the HD in the computer.
  • -download SYSRESCUE CD here:
  • -make a bootable SYSRESCUE CD.
  • -boot off of the SYSRESCUE CD.
  • -accept the defaults as it boots.
  • -you are at a black command prompt.
  • -find which HD is in which position.
sfdisk -luS /dev/sda /dev/sdb

-typically the sda will have a partition table & sdb will have nothing and you'll get "no partitions found".

-Great. Wonderful.

-Now let's clone the disk by rescuing the whole disk, with all partitions, from /dev/sda to /dev/sdb.

Note: you do not need to partition the new disk /dev/sdb beforehand, but if the partition table on /dev/sda is damaged, you'll need to recreate it somehow on /dev/sdb.

ddrescue -f -n /dev/sda /dev/sdb rescue.log

If the system is really important, then do it a second time with the following options. This pass will be slower but more thorough.

ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

Now let's shutdown.

Remove sda (the old drive).

Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown.

Reposition the drive sda to the first slot for sanity's sake.

Macbook Pro Slow After 10.8 Upgrade

Macbook Pro slow after 10.8 update. Many are having the same issue. I threw in the towel and purchased another after-market hard drive from macsales.com. They promise it will work with some custom firmware they have on it. The hard drive I purchased is located here:

http://eshop.macsales.com/item/HGST/0J22423S2/

With a fresh 1TB hard drive that's verified to work and original CDs in hand, I went on to install Mac OS X 10.6 with a fresh install rather than cloning this time. It wouldn't install... See above.

Macbook Pro Won't Install

Macbook Pro won't install OS X with an error message "Installation failed, Mac OS X could not be installed on your computer..." I don't know why. I don't really care. I just want it to work.

  • restart the install from the disk.
  • select OPTIONS.
  • uncheck everything except the BASE SYSTEM (I think that's what it's called).
  • it should install this time.

One thing is for sure, Apple is not the promised land... it's just a new set of problems.

Macbook Pro Slow During OS X Install

Macbook Pro is slow and taking forever (say about 15 minutes) with no progress update or the little sounds that make me feel like something's happening. You can see the install logs by clicking:

  • window.
  • installer log.

Select to SHOW ALL LOGS. This way I know what's happening. That makes me feel better. Or just be patient and let it go through. It's actually doing something.

Macbook Pro Pinwheel of Death During 10.8 Upgrade

What a disaster... If you see the pinwheel of death, aka the beachball of death, aka spinning ball, let it go for about 10 minutes. Still happening? Hard shutdown by holding the power button for 5 seconds or so. It will shut down. Press again to start up the Macbook Pro. The upgrade process should begin automatically.

Access RAPIDSSL Certificates

To access your RAPIDSSL certificates or your GEOTRUST certificates, you can login to their END USER PORTAL here:
https://products.geotrust.com/orders/orderinformation/authentication.do

This is kinda hidden since typically RAPIDSSL only sells to resellers and pushes all support through them, so I'm making a note of it.

Last Updated on Friday, 26 July 2019 05:31

Can't Print to Bizhub C360 From Mac OSX

DEFAULT USERNAME & PASSWORD:

USER: admin
PASS: 12345678

INSTRUCTIONS

  • -download drivers from the bizhub website
  • -add printer as normal using those drivers (not generic)
  • -print something
  • -click SHOW DETAILS (in print dialog box) (or you might have to click USE SYSTEM DIALOG)
  • (Basically we are trying to get to the part where we have many options.)
  • -change to OUTPUT METHOD
  • -checkmark USER AUTHENTICATION
  • -bullet PUBLIC
  • -click SAVE SETTINGS > OK
  • -click SAVE AS DEFAULT SETTINGS

In some cases, I've had to use ACCOUNT TRACKING (rather than USER AUTHENTICATION). For this, a USER must be setup on the Bizhub C360 under ACCOUNT TRACKING. The USER must have a NAME & PASSWORD.

On the Mac OSX side

  • -print something
  • -click SHOW DETAILS (in print dialog box) (or you might have to click USE SYSTEM DIALOG)
  • (Basically we are trying to get to the part where we have many options.)
  • -change to OUTPUT METHOD
  • -checkmark ACCOUNT TRACKING
  • -type in ACCOUNT & PASSWORD
  • -click SAVE SETTINGS > OK
  • -click SAVE AS DEFAULT SETTINGS
Last Updated on Friday, 26 July 2019 05:32

Office 2010 "You don't have permission to open this file."

You also might get, "filename.xls could not be found."

-disable Panda's DATA SHIELD.

Panda's Cloud free antivirus has a new component called Data Shield. Disable the DATA SHIELD and it will fix the issue.

Last Updated on Friday, 26 July 2019 05:33

The Specified Domain Either Does Not Exist or Could Not Be Contacted

When you try to add a computer (XP, SERVER 2003, WIN7, etc) to a domain, you get: "The Specified Domain Either Does Not Exist or Could Not Be Contacted"

If you know that the domain does exist, check to make sure the computer you are working on has the right network settings. You may have to release and renew the IP address. Usually, the DNS is incorrect. If it still doesn't work, set the WINS server as well.

Last Updated on Friday, 26 July 2019 05:34

Testing HD with Smartctl & Finding the Filesystem

Hmmm. Something is wrong with SDA. Let's test it:

smartctl -t short /dev/sda

And look at the results:

smartctl -a /dev/sda

The SMART error log (last 5 errors) shows:
Error: UNC 8 sectors at LBA = 0x00384622 = 3687970

and the self-test log shows:

SMART Self-test log structure revision number 1
Num  Test_Description    Status                   Remaining  LifeTime(hours)  LBA_of_first_error
# 1  Short offline       Completed: read failure        10%            44084           976766499

So we have to find the filesystem. Usually it would be:

# fdisk -lu /dev/sda

I get:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes

   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *           1      208769      104384+  fd  Linux raid autodetect
Partition 1 does not end on cylinder boundary.
/dev/sda2          208770   976768063   488279647   fd  Linux raid autodetect

Using (the error LBA minus the partition start, times the sector size, divided by the filesystem block size):
((976766499 - 208770) * 512) / 4096

We get:
block 122069716 (relative to the start of /dev/sda2).

But wait, the filesystem isn't on sda directly, it's on /dev/main/root. Here's how we know:

# cat /etc/fstab
/dev/main/root  /      ext3  usrquota,grpquota  1 1
/dev/md1        /boot  ext3  defaults           1 2
/dev/main/swap  swap   swap  defaults           0 0

So we know the filesystem is mounted from /dev/main/root and it is ext3.

We can find the BLOCK SIZE by:

# tune2fs -l /dev/main/root | grep Block

I get:

Block count:              121561088
Block size:               4096
Blocks per group:         32768

We're still at block 122069716.
Or specifically 122069716.125, i.e. the second of the 8 sectors in this block.

We can test the block by:

# debugfs
debugfs 1.39 (29-May-2006)
debugfs:  open /dev/main/root
debugfs:  testb 122069716
Illegal block number passed to ext2fs_test_block_bitmap #122069716 for block bitmap for /dev/main/root
Block 122069716 not in use
debugfs:  quit

In short, it looks like this:

==================================================================
   sda1   sdb1
       \   /
        md1

   sda2   sdb2
       \   /
        md2
         |
      pv (md2)
         |
      vg (main)
      /        \
lv (main/root)  lv (main/swap)

Last Updated on Friday, 26 July 2019 05:35

unrecoverable I/O read error for block 976557696

TLDR; (SHORT VERSION)

I'm going to walk you through this one. It happened during a raid recovery. SDA is in the system and I'm trying to add a new SDB. I hate posting logs but it looks like this:

Dec 24 15:38:10 server kernel: sd 0:0:0:0: SCSI error: return code = 0x08000002
Dec 24 15:38:10 server kernel: Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE,SUGGEST_OK
Dec 24 15:38:10 server kernel: sda: Current [descriptor]: sense key: Medium Error
Dec 24 15:38:10 server kernel:     Add. Sense: Unrecovered read error - auto reallocate failed
Dec 24 15:38:10 server kernel:
Dec 24 15:38:10 server kernel: Descriptor sense data with sense descriptors (in hex):
Dec 24 15:38:10 server kernel:         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
Dec 24 15:38:10 server kernel:         3a 38 46 23
Dec 24 15:38:10 server kernel: raid1: sda: unrecoverable I/O read error for block 976557696
Dec 24 15:38:10 server kernel: ata1: EH complete

It can't resync the raid because there's a read error on the only remaining disk, sda. I wish it would just skip over it because the value of having a working raid is more important than the value of having a bit of information that is probably not that important anyway. I think it's a bug in the mdadm package that's fixed in current versions but I'm stuck with what I have.

To fix, in short: clone the disk and move on with life. Here's how:

================================================
Use ddrescue to clone disk. It's a tool on a boot cd found here:
http://www.sysresccd.org

So download the disk image and burn it.
Boot to system rescue cd with defaults.
The raid starts to rebuild automatically, so we will have to stop it. First, fail and remove sdb1:

mdadm -f /dev/md1 /dev/sdb1
mdadm -r /dev/md1 /dev/sdb1

Now, fail and remove sdb2:

mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's clone the disk:

ddrescue -f -n /dev/sda /dev/sdb rescue.log
ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

Now let's shutdown.

Remove sda. Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown:

signal-event halt

Reposition the drive sda to the first slot for sanity's sake.
Place new hd into the second slot.
reboot.

console
manage disk array redundancy.
add sdb into array.
wait for resync.
# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
 104320 blocks [2/2] [UU]
md2 : active raid1 sdb2[1] sda2[0]
 488279552 blocks [2/2] [UU]

resync's fine!!!

LONG VERSION

Here's the long version with all of my notes. It's the perfect example of a sysadmin's downward spiral into the 5th circle of hell. It may or may not make sense.

The error return code is below. I had to look it up. Basically it says there's no error.
==============================================
0x08000002
DRIVER | HOST | MESSAGE | CONDITION
08 | 00 | 00 | 02
cat /usr/src/kernels/2.6.18-308.16.1.el5PAE-i686/include/scsi/scsi.h
DRIVER SOFT | NO ERROR | COMMAND COMPLETE | SAM_STAT_CHECK_CONDITION

Here's the real issue. It's a read error on the live disk.
==============================================
raid1: sda: unrecoverable I/O read error for block 976557696

This link explains it better than I do:
http://www.sjvs.nl/?p=12

In theory, this would work. First check the read of the sector:
==============================================
$ hdparm --read-sector 976766499 /dev/sda: Input/Output error

Then write to the sector:
==============================================
hdparm --write-sector 976766499 /dev/sda
hdparm --write-sector 976766499 --yes-i-know-what-i-am-doing /dev/sda

But I don't have those options in hdparm. I'm at hdparm v6.6 and these options are in hdparm v8.1. Hmmm... Let's look at the status:
==============================================
cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]
md2 : active raid1 sdb2[2](S) sda2[0]
488279552 blocks [2/1] [U_]

Let's look at the details of md2:
==============================================
mdadm --detail /dev/md2

So md2 has:
1 active-sync member
1 removed member
1 spare member

We can't add the new drive into md2 because it's already added:
==============================================
mdadm -a /dev/md2 /dev/sdb2
mdadm: Cannot open /dev/sdb2: Device or resource busy

So we have to fail it and remove it:
==============================================
mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's try to re-add it with the re-add option:
==============================================
mdadm /dev/md2 --remove detached
mdadm --re-add /dev/md2 /dev/sdb2

Same result. Humph...

==============================================
Let's remove the device, shutdown and add the original sdb back in.

Same result. Humph...

==============================================
We're back to the bad block. Exact same message, exact same block:
$raid1: sda: unrecoverable I/O read error for block 976557696

Modern hard disk drives are equipped with a small amount of spare sectors to reallocate damaged sectors. However, a sector only gets relocated when a write operation fails. A failing read operation will, in most cases, only throw an I/O error. In the unlikely event a second read does succeed, some disks perform an auto-reallocation and data is preserved. In my case, the second read failed miserably ("Unrecovered read error - auto reallocate failed").

If there were another correctly working disk in the raid, I would just replace the bad disk. But this is the only disk left.

==============================================
Let's see the logical volume:
lvdisplay --maps |egrep 'Physical|LV Name|Type'

OK, it's: /dev/main/root

I'm going to try to run badblocks on the lv:
badblocks -n -s /dev/main/root

I get:
/dev/main/root is mounted; it's not safe to run badblocks!

===============================================
Boot from Install CD.
Type: sme rescue (at prompt)

Select your language. Select keyboard language.
Select READ/WRITE

Unmount the lvm:
umount -l /dev/main/root

Check for bad blocks on the lv:
badblocks -n -s /dev/main/root

That took too long. Stopped at 1% complete.

================================================
Let's check the remaining disk:
smartctl -a /dev/sda

Gives the error log:
40 51 08 22 46 38 e0  Error: UNC 8 sectors at LBA = 0x00384622 = 3687970

And also gives the proper LBA error:
LBA_of_first_error
976766499

This is the decimal number. The hexadecimal number is: 0x3a384623.

The system has a raid. LVM is on the raid. The file system is on LVM. Trying to map the bad physical block to the LVM logical block is nearly impossible because it's all manual calculation. But I try anyway.

Finding the sda layout:
sfdisk -luS /dev/sda

Gives:
Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0

Device Boot    Start       End   #sectors  Id  System
/dev/sda1   *         1    208769     208769  fd  Linux raid autodetect
/dev/sda2        208770 976768063  976559294  fd  Linux raid autodetect

so the bad lba is in sda2.

The LBA minus the start of the partition:
976766499 - 208770 = 976557729

Let's get the size of the PHYSICAL EXTENT of the PHYSICAL VOLUME:
pvdisplay
--- Physical volume ---
PV Name               /dev/md2
VG Name               main
PV Size               465.66 GB / not usable 3.31 MB
Allocatable           yes (but full)
PE Size (KByte)       32768
Total PE              14901
Free PE               0
Allocated PE          14901
PV UUID               M1IIOi-nln7-encf-DgZC-DtjF-0ZGs-4OEFgK

So we have:
32768

So the PE size in 512-byte sectors is 32768 * 2:
65536

Let's find the offset of the beginning of the first PE:
pvs -o+pe_start $part

Gives:
192.00K

Let's calculate the physical partition's bad block number / sizeof(PE) =
976557729 / 65536 = 14901.0883942

Find the LV of 14901:
lvdisplay --maps |egrep 'Physical|LV Name|Type'

Gives:
LV Name                /dev/main/root
Type                linear
Physical volume     /dev/md2
Physical extents    0 to 4702
Type                linear
Physical volume     /dev/md2
Physical extents    4765 to 14900

So we know it's in /dev/main/root

We need to know the block size of the LV:
dumpe2fs /dev/main/root | grep 'Block size'

Gives:
Block size:               4096

The logical partition begins on PE 4765

So let's find the badblock
(# PE's start of partition * sizeof(PE)) + partition offset[pe_start] =
(4096 * 65536) + 192 = 268435648

Let's test the FS of the bad block:
dd if=/dev/main/root of=block268435648 bs=4096 count=1 skip=268435648

Nothing.

debugfs
debugfs 1.32 (09-Nov-2002)
debugfs:  open /dev/main/root
debugfs:  testb 268435648

976557696

I got:
Illegal block number passed to ext2fs_test_block_bitmap #268435648 for block bitmap for /dev/main/root
Block 268435648 not in use

This means my calculations are wrong.

Crap...

====================================
Back to the drawing board. Here's what I know:
debugfs must be used on the filesystem. The filesystem is on /dev/main/root
The disk has sectors of 512 bytes.
The logical block size of the FS is 4096 (Or the block size is 8 disk sectors)
The error message is: raid1: sda: unrecoverable I/O read error for block 976557696
(I don't know if this is the block on sda, sda2, md2 or /dev/main/root).
Doing an e2fsck -cvy /dev/main/root or a badblocks -n -s /dev/main/root takes too long.
The LBA_of_first_error is 976766499
The starting sector of sda2 is 208770.
The last sector of sda2 is 976768063.
The total sectors in sda2 is 976559294.
The problem is at 976557729 inside partition sda2.

====================================
If no LVM it would be:
((976766499 - 208770) * 512) / 4096 = 122069716.125
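As an added worked example (my code, not part of the original post), here is the whole mapping done in one place: the no-LVM formula just above, and the LVM case that the manual calculation further up was trying to do, from disk LBA to partition sector to PV extent to LV extent to ext3 block. It uses the numbers the post reports (sda2 starting at sector 208770, pe_start 192K, 32 MB extents, 14901 PEs, main/root made of PE 0 to 4702 followed by PE 4765 to 14900, 4096-byte blocks). Two assumptions: md2 member data starts at sector 0 of sda2 (0.90 superblocks live at the end of the member, so there is no data offset), and the second LBA fed to locate() is a constructed value chosen to land inside the second segment, not a number from the logs.

```python
# Added example, not from the original post: walk a bad disk LBA down the
# stack sda -> sda2 -> md2 -> PV -> LV -> ext3 block with the post's numbers.
# ASSUMPTION: md data offset is 0 (0.90 superblocks sit at the end of the
# member, so member data starts at partition sector 0).
from dataclasses import dataclass
from typing import List

SECTOR = 512  # bytes per disk sector, the unit sfdisk -luS reports


def fs_block_no_lvm(lba: int, part_start: int, fs_block_size: int) -> int:
    """smartmontools formula b = (int)((L-S)*512/B): the filesystem block that
    holds LBA `lba` when the filesystem sits directly on a partition whose
    first sector is `part_start`."""
    return (lba - part_start) * SECTOR // fs_block_size


@dataclass
class Segment:
    """One 'Physical extents A to B' line of lvdisplay --maps for an LV."""
    pe_first: int
    pe_last: int   # inclusive
    le_first: int  # logical extent of the LV that pe_first maps to


@dataclass
class Layout:
    part_start: int        # first sector of the partition (sfdisk -luS)
    md_data_offset: int    # sectors from partition start to md member data
    pe_start: int          # pvs -o+pe_start, converted to sectors
    pe_size: int           # PE size in sectors (pvdisplay 'PE Size (KByte)' * 2)
    total_pe: int          # pvdisplay 'Total PE'
    segments: List[Segment]
    fs_block_size: int     # dumpe2fs 'Block size'


def locate(lba: int, lay: Layout) -> dict:
    """Map an absolute disk LBA to a filesystem block on the LV.

    'fs_block' is None when the sector falls outside every extent of the LV
    (PV metadata area, an unallocated PE, or the tail past the last PE);
    in that case there is no block number to hand to debugfs at all.
    """
    part_sector = lba - lay.part_start
    if part_sector < 0:
        raise ValueError("LBA lies before the partition")
    pv_sector = part_sector - lay.md_data_offset
    rel = pv_sector - lay.pe_start
    if rel < 0:
        return {"part_sector": part_sector, "pe": None,
                "region": "pv-metadata", "fs_block": None}
    pe, off = divmod(rel, lay.pe_size)
    if pe >= lay.total_pe:
        return {"part_sector": part_sector, "pe": pe,
                "region": "beyond-last-pe", "fs_block": None}
    for seg in lay.segments:
        if seg.pe_first <= pe <= seg.pe_last:
            le = seg.le_first + (pe - seg.pe_first)
            lv_sector = le * lay.pe_size + off
            return {"part_sector": part_sector, "pe": pe, "le": le,
                    "lv_sector": lv_sector, "region": "lv",
                    "fs_block": lv_sector * SECTOR // lay.fs_block_size}
    return {"part_sector": part_sector, "pe": pe,
            "region": "unallocated-pe", "fs_block": None}


# Layout as reported in the post (see the pvdisplay / lvdisplay output).
POST_LAYOUT = Layout(
    part_start=208770,
    md_data_offset=0,                    # assumption, see top of file
    pe_start=192 * 1024 // SECTOR,       # 192.00K -> 384 sectors
    pe_size=32768 * 1024 // SECTOR,      # 32768 KB -> 65536 sectors
    total_pe=14901,
    segments=[Segment(0, 4702, 0), Segment(4765, 14900, 4703)],
    fs_block_size=4096,
)

if __name__ == "__main__":
    print(fs_block_no_lvm(976766499, 208770, 4096))  # the post's LBA, no LVM
    print(locate(976766499, POST_LAYOUT))            # the post's LBA, with LVM
    print(locate(327889254, POST_LAYOUT))            # constructed LBA inside PE 5000
```

Run with the post's own LBA, locate() reports partition sector 976557729 at extent index 14901, flagged beyond-last-pe: that is one past the highest extent main/root uses (14900), so there is no ext3 block to give debugfs, which is consistent with every testb attempt above coming back as an illegal block number. The constructed LBA shows the full chain ending at a real block number that debugfs could test.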

http://smartmontools.sourceforge.net/badblockhowto.html#bb

So I check to see if it's in the repos
yum --enablerepo=* search sg3

I get some pages back.

So I look at more info about it:
yum info sg3_utils

I get back the package is in the centos base repo.

Feeling safe, I install the package:
yum install sg3_utils

Now I can verify LBA block without feeling nausea:
sg_verify --lba=976766499 /dev/sda

I get:
verify (10):  Descriptor format, current;  Sense key: Medium Error
Additional sense: Unrecovered read error - auto reallocate failed
Descriptor type: Information
0x000000003a384623
medium or hardware error, reported lba=0x3a384623

I poke around other LBA from the logs:
sg_verify --lba=976557696 /dev/sda

I get nothing.

I'm all in and going to reassign the block:
sg_reassign --address=976766499 /dev/sda

I get:
REASSIGN BLOCKS not supported

Crap... The good news is that I've verified the LBA block or physical block.

================================================
Physical block: 976766499
File system block: 3687970

b = (int)((L-S)*512/B), where L is the bad LBA, S is the partition's starting sector and B is the filesystem block size in bytes.

================================================
I'm down to:
using a live cd to hdparm
or
Spinrite.
or
calculate something to use dd on the lvm filesystem.

================================================
I downloaded a gparted livecd & burned it to a cd.
Booted from gparted live cd and entered command line mode.

hdparm --read-sector 976766499 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976766499 /dev/sda
hdparm --write-sector 976766499 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976766499 /dev/sda
(a lot of zeroes should follow)
================================================

New error:
raid1: sda: unrecoverable I/O read error for block 976558336

================================================
# 1  Short offline       Completed: read failure       90%     44420         976766501

Booted from gparted live cd and entered command line mode.

This time when I read the sector, I get a bunch of zeroes:
hdparm --read-sector 976766501 /dev/sda

================================================
Reboot... won't boot.

Boot into file system recover mode (no live cd or rescue).
Look at: cat /proc/mdstat
Now md1 was automatically renamed md127 thanks to gparted livecd.

Go into single user mode:
telinit 1

Take a look at the mdadm.conf
mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

mdadm --stop /dev/md127
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1

Then you'll have your md127 assembled as md1. And it should stay this way in the future too.

================================================
Since I didn't do:
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1 /dev/sdb1

I now have:
# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sda1[0]
104320 blocks [2/1] [U_]

md127 : active raid1 sdb1[1]
104320 blocks [2/1] [_U]

md2 : active raid1 sda2[0]
488279552 blocks [2/1] [U_]

unused devices: <none>

Wonderful. Let's stop md127. But first, unmount it:
# umount /dev/md127

I get:
umount: /dev/md127: not mounted

OK. Since it's unmounted, let's stop it:
# mdadm -S /dev/md127

I get:
mdadm: stopped /dev/md127

Great. Back to start. Let's see what we have:
# cat /proc/mdstat

I get:
Personalities : [raid1]
md1 : active raid1 sda1[0]
104320 blocks [2/1] [U_]

md2 : active raid1 sda2[0]
488279552 blocks [2/1] [U_]

unused devices: <none>

Let's zero out the superblock of sdb so that md127 doesn't come back via some type of magic out there.

First, I check the partition table of sdb with the -lu option so it shows sectors rather than cylinders.
# fdisk -lu /dev/sdb
or
# sfdisk -luS /dev/sdb

I get:
Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1      208769      104384+  fd  Linux raid autodetect
Partition 1 does not end on cylinder boundary.
/dev/sdb2          208770   976768063   488279647   fd  Linux raid autodetect

Let's zero out the superblock of sdb.
# mdadm --zero-superblock /dev/sdb1
# mdadm --zero-superblock /dev/sdb2

Now let's add sdb back in.
#console > Manage Disk Array > Add sdb

I get:
kernel: raid1: sda: unrecoverable I/O read error for block 976558336

================================================

hdparm --read-sector 976766501 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976766501 /dev/sda
hdparm --write-sector 976766501 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976766501 /dev/sda
(a lot of zeroes should follow)

hdparm --read-sector 976767187 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976767187 /dev/sda
hdparm --write-sector 976767187 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976767187 /dev/sda
(a lot of zeroes should follow)

================================================
kernel panic

crap!!!

================================================
Boot from livecd.

type: sme rescue
press ENTER for ENGLISH
press ENTER for US
press right arrow to select NO, Don't start network.
press ENTER to CONTINUE, Start filesystem.
press ENTER for OK

Take a look at:
cat /proc/mdstat

md1
md127

mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

vgchange -an
can't deactivate volume group main with 2 open logical volumes

Can't stop the volume group because there's a logical volume open.

lvchange -an
lv main/root in use: not deactivating

Can't stop the logical volume. Don't know why.

Let's reboot without mounting the file system:
Boot from livecd.

type: sme rescue
press ENTER for ENGLISH
press ENTER for US
press right arrow to select NO, Don't start network.
SKIP the filesystem

mdadm --assemble --update=super-minor --uuid ce917023:5da6a14f:2a9c304f:a380120a /dev/md2

================================================
Use ddrescue to clone disk.
Boot to system rescue cd with defaults.
The raid starts to rebuild automatically, so we will have to stop it.

mdadm -f /dev/md1 /dev/sdb1
mdadm -r /dev/md1 /dev/sdb1

mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's clone the disk:

ddrescue -f -n /dev/sda /dev/sdb rescue.log
ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

Now let's shutdown.
halt

Remove sda. Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown:
signal-event halt

Reposition the drive sda to the first slot for sanity's sake.
Place new hd into the second slot.
reboot.
console
manage disk array redundancy.
add sdb into array.
wait for resync.

# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]

md2 : active raid1 sdb2[1] sda2[0]
488279552 blocks [2/2] [UU]

resync's fine!!!

================================================
Now reboot with only sdb. I get:
black screen.

I have to reinstall grub onto sdb. It should have happened on manage disk array redundancy. Asking for help.

In the end, the following worked fine:
grub-install sdb

Last Updated on Friday, 26 July 2019 05:39

md1 was automatically renamed md127 after using gparted livecd.

Boot into file system recover mode (no live cd or rescue).
Look at:

cat /proc/mdstat

Now md1 was automatically renamed md127 thanks to gparted livecd.

Go into single user mode:

telinit 1

Take a look at the mdadm.conf

mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

mdadm --stop /dev/md127
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1 /dev/sdb1

This will rebuild, without data loss, md1.

Or to be more exact, use the uuid of the raid disk, md1, and update the name.

mdadm --assemble --update=super-minor --uuid ce917023:5da6a14f:2a9c304f:a380120a /dev/md1

Of course you need to re-adjust for your raid situation. In my case, md1 was built from sda1 and sdb1.

Then you'll have your md127 assembled as md1. And it should stay this way in the future too.

Last Updated on Friday, 26 July 2019 05:37

How Do I Remove md127?

If you're following along, md127 is on the system because of the gparted live cd. It isn't being used because we've re-built the array as md1.

md127 is left over as a raid device but there are no disks to it. Let's stop md127. But first, unmount it:

# umount /dev/md127

I get:

umount: /dev/md127: not mounted

OK. Since it's unmounted, let's stop it:

# mdadm -S /dev/md127

I get:

mdadm: stopped /dev/md127

That should do it.

Last Updated on Friday, 26 July 2019 05:36

IE9 Won't Install - code 3715

IE9 won't install on a Windows 7 64-bit system:

1.-download the SYSTEM UPDATE READINESS TOOL here:
3.-run the tool (as administrator)
4.-wait about 30 minutes.
5.-download the IE9 offline installer here:
7.-run the IE9 INSTALLER (as administrator).

That should do it.

PDF -The file is damaged and could not be repaired

Try to open a PDF in FIREFOX and get the message: The file is damaged and could not be repaired. Local\gobblygook

The fix, for me was a setting in KASPERSKY.

1.-click KASPERSKY > SETTINGS
2.-click WEB ANTIVIRUS (on the left-hand side).
3.-click SETTINGS (under SECURITY LEVEL, in the middle)
4.-click TRUSTED URLS (tab at the top)
5.-click ADD
6.-type: *.yourwebsitename.tld/*
7.-click OK > OK > OK

Office 2008 Mac Setup Assistant Loop

If you have the serial code for the software, remove the files below:
~/Library/Preferences/Microsoft/Office 2008/Microsoft Office 2008 Settings.plist
/Applications/Microsoft Office 2008/Office/OfficePID.plist

If you are using the Mac Migration Assistant and migrate the Apps but not the user, copy the files from the old computer to the new user/computer.
~/Library/Preferences/Microsoft/Office 2008/Microsoft Office 2008 Settings.plist
/Applications/Microsoft Office 2008/Office/OfficePID.plist

That should do it.

eregi, preg_match | split, preg_split | ereg_replace, preg_replace

Quick note to myself: eregi, ereg_replace and split are deprecated PHP functions. The official note is here:

http://www.php.net/manual/en/reference.pcre.pattern.posix.php

Fix eregi with preg_match like so:

case (eregi('android',$user_agent));  // we find android in the user agent
case (preg_match('/(android)/i',$user_agent));  // we find android in the user agent

if ( eregi( "bmp|gif|jpg|png|jpeg", $file ) && is_file( $i_f ) ) {
if ( preg_match( "/(bmp|gif|jpg|png|jpeg)/i", $file ) && is_file( $i_f ) ) {

if (eregi("0$", $count)) {
if ( preg_match( "/(0$)/i", $count)) {

if (eregi("gif", $file) || eregi("jpg", $file) || eregi("png", $file))
if (preg_match("/(gif)/i", $file) || preg_match("/(jpg)/i", $file) || preg_match("/(png)/i", $file))

Fix split with preg_split like so:

split(':', $thumbSpace);
preg_split('/:/', $thumbSpace);

split('www', 'D:/Projects/job.com/www/www/path/source', 2);
preg_split('/www/', 'D:/Projects/job.com/www/www/path/source', 2);

Fix ereg_replace with preg_replace like so:

$output = ereg_replace (";", "", $output);
$output = preg_replace ("/;/", "", $output);

Dell 3100cn Won't Work with Windows 8

Dell 3100cn color laser printer won't work with Windows 8. When it asks for the driver:

  • select DELL (on the left hand side).
  • select DELL OPEN PRINTER DRIVER (PCL 5) (on the right hand side).

That should do it. It will work, it just won't automatically pick up the correct model number. Who cares. At least it works. Better than Dell not offering specific drivers.

Brother MFC Scanning Windows 8

Brother MFC 8440 won't scan as PDF on Windows 8 (32 bit). These are loose instructions as I can't provide step by step.

You'll have to start the scans from the computer. The scan buttons on the Brother MFC won't work. But at least you can scan to PDF.


Another option, if you really want PaperPort then:

You'll have to start the scans from the PaperPort in this instance. But at least you can use PaperPort and you can scan to PDF. The ConnectionTool also works if the SCAN button in greyed out in PaperPort for Windows 8.


All of this is provided that the TWAIN driver is installed. The WIA driver won't work. If the TWAIN driver needs to be installed:
  • right-click MY COMPUTER.
  • click MANAGE.
  • click DEVICE MANAGER.
  • find IMAGING DEVICES in the tree.
  • right click BROTHER MFC 8440.
  • click UPDATE DRIVERS.
  • click I HAVE THE DRIVERS.
  • browse to the driver folder and inf file.
  • click OK.

This will install the twain driver.

Last Updated on Thursday, 08 December 2016 16:45

Allow Internal Lan Clients to Send Email

Upgrading to SME v8 (Centos v5, RHEL v5) requires email clients on the internal lan to send email with authentication turned on and SSL turned on. Without this, email will not get sent.

To let internal email clients send email without requiring authentication and SSL:

config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update

How Do I Reset a Ricoh Printer Back to Factory Defaults?

To reset a Ricoh printer back to factory defaults:

  1. -go into SERVICE MODE
  2. -go to: SP 5-801

Sender Name Has Not Been Registered to the Address Book on Ricoh Printers

Sometimes I get a "Sender name has not been registered to the address book" error on Ricoh printers and multifunction machines.

  1. -walk up to machine.
  2. -click USER TOOLS -> SYSTEMS SETTINGS.
  3. -click the FILE TRANSFER tab (at the top).
  4. -click NEXT or the down arrow button (at the bottom).
  5. -click AUTO SPECIFY SENDERS NAME.
  6. -click ON.
  7. -while you are there, make sure there's an ADMINISTRATOR'S EMAIL address and SMTP settings.
  8. -click OK -> EXIT -> EXIT.

As far as I know there is no way to change this on the web interface. I'm probably wrong, I just don't know where it is. The other settings on the web interface are accessible by clicking EMAIL.

Other settings, such as making a multi-page PDF (one PDF with multiple pages rather than separate files per page), are in:

  • Default Settings for Normal Screens on Device
  • Default Settings for Simplified Screens on Device
Last Updated on Saturday, 28 January 2023 08:06

Hardware VEN DEV's

Here's a list I just used to figure out the model number of an attached hardware wireless client. I was working remotely so I couldn't just look at the label.

http://www.linux-usb.org/usb.ids

  1. -right click MY COMPUTER
  2. -click MANAGE
  3. -click DEVICE MANAGER (on the left hand side)
  4. -click the + (next to a device, ie "network adapters")
  5. -right click on the device
  6. -click PROPERTIES
  7. -click DETAILS tab (at the top)

The number in the big white box looks like this:
PCI\VEN_8086&DEV_1050&SUBSYS_017A1028&REV_02\4&1C660DD6&0&40F0

The important parts are the following:
VEN number: 8086
DEV number: 1050

Look it up on the list and you'll see what I was working with.

Macbook Pro Slow After New Hard Drive

UPDATE

I'm not sure the below is correct. I think there is a problem with the link negotiation between 1.5 (SATA), 3.0 (SATA2) and 6.0 (SATA3). Something isn't jiving. You can see this post where people more interested in this than I am located a tool to change the speed: http://forums.macrumors.com/showthread.php?t=1584023&page=2

After I upgraded a client's Macbook Pro (Mid 2009) 250GB hard drive to a 1TB WD WD10JPVT and cloned it with CCC, the Macbook Pro was sloooooowwwwww.

Being beachballed to death, I searched for a solution. It's technical but basically the SOFTWARE UPDATE in OSX upgrades the EFI FIRMWARE to v1.7. I don't know why exactly but downgrading the EFI FIRMWARE to v1.6 fixes it (shamelessly reprinted from the Crucial forums).

Verify you have a higher version number than 1.6.

  1. -click APPLE > ABOUT THIS MAC > MORE INFO
  2. -find "Boot ROM Version"
  3. -it should say: MBP53.00AC.B03
  4. -download http://hotfile.com/dl/109001076/5dfaf39/aluminum.macbook.pro.recovery.dmg.html
  5. -open DiskUtility and drag the above image to the left.
  6. -plug-in any USB flash drive (no need for large capacity).
  7. -click the USB from the left and erase with "Mac OS Extended (Journaled)".
  8. -click the image and choose the RESTORE tab.
  9. -in the destination drag the USB drive.
  10. -click restore.
  11. -reboot while holding the option key to select the USB drive from boot menu.
  12. -the Apple logo will come up and a dark gray bar will start to move right under it.
  13. -sit relax and wait for the process to be done.
  14. -Macbook Pro will reboot automatically.
  15. -now open System Information and make sure that Boot ROM Version is MBP53.00AC.B02.

If you get "Could not find any scan information. The source image needs to be imagescanned before it can be restored."
-click on the image file in the list on the left.
-click on IMAGE > SCAN IMAGE (in the menu at the top).

The final fix for this is to change the SPECIFIC hd cable, with a 2010 FOXCONN model hd cable that is designed for the faster controller. It's a 15 minute fix and you should be running EFI Firmware v1.7 without any issues.
Here are the details:

PART#:
922-9314

iFixit part no:
161-061-1

FOXCONN#:
50 12. 02 6

APPLE part#:
821-0989-A (NOT part#: 821-0812-A)

How Do I Customize Joomla 2.5 Quick Icons

Go to: site-root/administrator/modules/mod_quickicon/helper.php

array(
'link' => JRoute::_('index.php?option=com_jevents&task=icalevent.list'),
'image' => 'header/icon-48-language.png',
'text' => 'Calendar Events',
'access' => true
),

In the example above the link goes to the JEVENTS component. I wanted to place a quick icon for Joomla 2.5 because I want my client to easily be able to access what they need to access. You can replace the LINK with your custom link.

Last Updated on Thursday, 08 December 2016 17:18

How Do I Reset the Counter on a Ricoh 4100nl

Need to get to reset the counter on the Ricoh 4100nl?

1.-go into SERVICE MODE.
2.-press 2 > ENTER > 7 > ENTER > 804 > ENTER >
3.-press 001 > ENTER > ENTER > ESCAPE
4.-press 002 > ENTER > ENTER > ESCAPE
5.-press 003 > ENTER > ENTER > ESCAPE
6.-press 004 > ENTER > ENTER > ESCAPE
7.-turn OFF & back ON.

Service Mode for Ricoh 4100nl

Need to get to SERVICE MODE on the Ricoh 4100nl?

1.-turn power off.
2.-hold ONLINE & ESCAPE
3.-turn on
4.-nothing shows on led
5.-release ONLINE & ESCAPE

You're in SERVICE MODE on the Ricoh 4100nl.

Ricoh 4100 Remove Misfeed Internal Path

Are you getting an error message that says, "REMOVE MISFEED INTERNAL PATH" after changing the MAINTENANCE KIT on your Ricoh 4100nl?

-unplug printer
-remove two screws that hold the left panel on (one in back & one on left side after opening up the front).
-you'll see 2 silver motors about the size of a quarter.
-the lower one has a metal rod in the middle.
-push it all the way in. It has to be all the way flush with the rest. It came loose when replacing the paper feed roller.

If that doesn't work, I usually trash it. Probably thrown away about 10 so far. They don't make them like they used to. Still better quality than when I was using Dell/Lexmark products.

GPT Protected Disk

SCENARIO

You plug an external disk drive into a Windows XP computer. The disk doesn't show under MY COMPUTER. You look in DISK MANAGEMENT and you might see the drive in GPT status.

SOLUTION

CAUTION! This will erase everything on the disk. If you need to get data off the disk, you'll have to use a data recovery program like R-STUDIO or ICARE.

  • -click on "Start Menu" > click "Run" > type "cmd" > click "OK"
  • -type "DiskPart"
  • -type "list disk"
  • -type "select disk 1"
  • -type "clean" (This command removes GPT disk from the current in-focus disk by zeroing sectors).
  • -go back to Disk Management
  • -right click on disk info > choose "Initialize Disk"
  • -right click on disk info > choose "New Partition…", follow Partition Wizard and format it.
  • -now you are able to use the disk in Windows XP.

iPhone Photo Library is Black

On your iPhone, you go to the PHOTO LIBRARY and all you see is black. Here is the fix:

  1. Connect your iPhone to your computer.
  2. Run iPhone Explorer on your computer (install it if you don't already have it).
  3. Backup (copy to a folder on your computer) and then delete the following files:
  4. /DCIM/.MISC/Info.plist
  5. /PhotoData/Photos.sqlite
  6. /PhotoData/PhotosAux.sqlite
  7. /PhotoData/com.apple.photos.caches_metadata.plist
  8. Unplug your iPhone, launch Camera Roll app and wait as it rebuilds the database.

HP Printing Gibberish

HP printing gibberish when printing PDFs. The first page comes out in English but the other pages come out in hieroglyphics or gibberish.

  1. open ADOBE READER.
  2. click PREFERENCES.
  3. uncheck PROTECTED MODE.
Last Updated on Saturday, 25 June 2022 04:41

How Do I Share on Windows 7

STEP 1

-click Start > Control Panel > Network and Sharing Center.
-click Change Advanced Sharing Settings.
-make sure File and Printer Sharing is Turned On.
-make sure Password Protected Sharing is Turned Off.

STEP 2 (If that didn't work)

-click Start > type gpedit.msc
-navigate to Computer Configuration/ Windows Settings/ Security Settings/ Local Policies.
-click on User Rights Assignment.
-click "Access this computer from the network"
-make sure EVERYONE is added to the list.

STEP 3 (If that didn't work)

-click here Windows Server 2003 Resource Kit Tools: http://go.microsoft.com/fwlink/?LinkId=4544 (ignore the message about a known issue.)

After installation is complete, click on: Start > All Programs > Windows Resource Kit Tools > Command Shell

Type (Attention: they are case sensitive.)

net user guest /active:yes
ntrights +r SeNetworkLogonRight -u Guest
ntrights -r SeDenyNetworkLogonRight -u Guest

The first command enables network access for Guest, the two subsequent ones change two different policies to allow network access for Guest.

Last Updated on Saturday, 25 June 2022 04:42

Ricoh LPR Port

Ricoh printers should be able to print with a RAW PORT and port number 9100. These are the default settings for TCP/IP printing.

To get an older Ricoh printer to print in LPR

1.-select LPR
2.-type: lp (that's a lower-case L and lower-case P in the QUEUE).

I recently had this with an MPC2000 (MP C2000).

In the end, I switched it back to RAW PORT 9100. It seemed it was a firmware issue.

Last Updated on Saturday, 25 June 2022 04:44

Find Your Service Tag Number

Finding your service tag or serial number:

1.-click RUN
2.-type: cmd
3.-click OK
4.-type:
wmic csproduct get vendor,name,identifyingnumber
or
wmic bios get serialnumber
5.-hit ENTER (on the keyboard)

Last Updated on Saturday, 25 June 2022 04:49

Reset a Cisco AIR-AP1121G-A-K9

To reset a Cisco AIR-AP1121G-A-K9 to factory defaults:

1.-power Cisco Aironet down.
2.-hold the MODE button, and turn it on.
3.-hold the MODE button until the AP lights turn red, which should be after about 30 seconds.

To access a Cisco AIR-AP1121G-A-K9 with factory defaults:
1.-give your PC the static address of 10.0.0.2
2.-plug your PC into your AP's Ethernet interface using a Crossover cable (this is required).
3.-open a web browser and try to connect to 10.0.0.1
4.-USER: Cisco (case-sensitive)
5.-PASS: Cisco (case-sensitive)

Note that the AP only holds the 10.0.0.1 for 5 minutes after boot.

Also note that if it's plugged into a router, it will pick up a DHCP address. If so, you may be able to look at the address table on the router and match up the MAC ADDRESS with IP ADDRESS so you can see what address to connect to. Hope that makes sense.

For the record, the above access points are nearly the worst wireless units I've ever come across. It's taken nearly all day to reconfigure these units that could have been done in a matter of minutes on DDWRT. After that, one went awol and brought down the entire network for some unknown reason. I'm seriously considering dropping these units in the project and replacing them with Asus units with DDWRT.

Last Updated on Saturday, 25 June 2022 04:51

Contact Form Spam

So this site has recently been the target of CONTACT FORM SPAM. This means that a CONTACT FORM on the web site is being hammered by an automated process to submit content to the form that is really just junk and random letters.

The main ip address of the spammer is 178.238.232.234, and the logs are here: http://daknetworks.com/logs/giga-hosting.biz

I went ahead and contacted the abuse department at giga-hosting.biz, the company responsible for the server and ip address. I'm doubting to get any response but you never know.

I put a CAPTCHA on the contact forms. CAPTCHA is where it makes you spell the funny letters and numbers before hitting submit. You know what I'm talking about, right? Good. Well, unfortunately, in this world it is just about absolutely necessary to have one of those on just about every contact form.

UPDATE

Upon sending the message, we received the response "[your email] is_not_yet_authorized_to_deliver_mail_from". Basically this means that they are greylisting or DEFERRING any email that comes to them. Our system should automatically resend the message when appropriate.

Last Updated on Saturday, 25 June 2022 04:52

Comcast SMC Business Class Modem Login

I've been doing a bunch of Comcast Business Class internet setups lately. With 25mbps download speeds and affordable pricing for Small to Medium Enterprises (SMEs), who can blame the customers. I'd do it too.

The issue with the cable connection is that it isn't guaranteed. This means it could go down for any reason whatsoever and there's really no recourse. Not good for an office full of paid salaries trying to accomplish daily tasks. So I also have a backup T1 connection. Funny because historically T1 connections were soooo much faster than speeds at home.

I usually install my own equipment (ROUTER) behind the MODEM. When doing this, I notice two items.

First, DHCP is turned on on the modem. I don't want that because I have a static IP. So getting into the SMC modem is as follows:

-open INTERNET EXPLORER (big blue 'e' on computer).
-at the top where you type in a web site, erase everything up there.
-type: 10.1.10.1
-hit ENTER (or RETURN) on the keyboard.

USER: cusadmin
PASS: highspeed

Turning off DHCP should be pretty obvious.

Secondly, I couldn't get through my router with a public IP from a remote location so that I can access the equipment behind it. There's a firewall setting that has to be changed in the SMC modem to make it work. Simply:
-checkmark "Disable Firewall for True Static IP Subnet Only."

That's it. Enjoy your highspeed, really, really fast business class internet from Comcast with a static IP.

Last Updated on Saturday, 25 June 2022 04:52

DDWRT Kong Builds

I've been using the Kong Builds lately and have been happy with them. Just make sure to use the right build number. Currently, I use Kong Build R18050 here:
http://www.desipro.de/ddwrt/K26/r18050/

There still seems to be some kind of memory leak or wireless driver issue with the new drivers but I'll wait and see if it improves.

If I have to resort to the DDWRT official builds, I resort to the R14929 by BrainSlayer, also known as BS builds found here:
ftp://dd-wrt.com/others/eko/BrainSlayer-V24-preSP2/2010/08-12-10-r14929/broadcom_K26/

I am getting a little worn over the whole wireless issue and trying to find the maximum settings so that everyone can work at peak performance. Here's what I currently use:

1.NG Mixed Mode
2.Channel Wide 40MHz
3.Extension Channel Upper
4.Channel 6 if possible & Channel 8 if not possible.
5.17 TX Power
6.WPA Personal Security Mode (not WPA2)

Last Updated on Saturday, 25 June 2022 04:53

XP ACTIVATION BLACK PAGE

SITUATION: Repair install on Windows XP. Must activate. Can't activate... get black screen.

1. Turn On your PC.
2. Press F8 repeatedly and go to SAFE MODE WITH COMMAND PROMPT.
3. Click RESOLVE LATER (a black screen will show).
4. Type: cd \windows\system32
5. Type: rundll32.exe syssetup,SetupOobeBnk
(one space after "rundll32.exe"; "Oo" are two letter o's; the capitals and the comma are necessary)
6. Wait a couple of seconds (although you will not see any change).
7. Type: shutdown -r -t 3
8. You are now able to go to Normal Mode again (For another 30 days!!!).

Last Updated on Saturday, 25 June 2022 04:53

Top Ten Reasons Why I Miss the Palm Pre and the WebOS

Scenario

I've had a Palm Pre for more than 2 years now. Like dog years, that's about 14 years in technology world. After this time, the phone started to show signs of wear. Random shutdowns, cracks in the case and the like prompted me to move to a newer, better looking model that requires less maintenance.

I switched to the iPhone 4s. The decision was more out of necessity, than by choice. What other phone could I really choose? The Android or Droid is absolutely horrendous. So that left me with one option, the iPhone.

While it seems like everyone has this phone and absolutely loves it, I'm a little different. After only a week, I can already find myself wanting some of the features of the Palm Pre I've become accustomed to.

Rationalization

You see, I'm a geek. I admit it. I like things a certain way. The litmus test for most of my project implementations is the following:

Perfection is achieved not when there is nothing left to add, but when there is nothing left to take away. - Antoine de Saint-Exupery.

This has much to do with User Interface design or UI. But it also has to do with how we operate and perform tasks. In projects, I refer to this as processes and procedures.

Only give them the buttons you want them to use. If you don't want them to use a button, don't give it to them. Don't give them 2 steps when you can only give them one. You get the idea.

Top 10 Items I Miss About the Palm Pre and WebOS

As I apply these ideas to the iPhone 4s, I'm amazed. Not at what a wonderful tool it is but how in the world did it become so popular? There are great items about the device and it's a cool party topic but most of it is soooo 2007. It's almost 5 years later. We deserve more. We deserve the features the Palm Pre had over 2 years ago.

Here are the top ten items the Palm Pre/WebOS has/had that I dearly miss:

01. Visual notification. This is really a stroke of genius. The Palm Pre had a visual notification when someone emailed me, texted me or called me. If I didn't get the buzz (or disabled the buzz altogether), the light would flash letting me know even from across the room that something happened. That's great because I'm not tied to my phone all the time but it usually is in close proximity. Now I have to do 4 steps with the iPhone, get the phone, turn on the screen, swipe it to activate and visually check for messages. With the Palm Pre, this only took a glance of my eye. No extra steps required.

02. Unified Swiping. This means that with the Palm Pre, everything was like a book, left to right. That's great because to go back, you don't have to find a button, just swipe to the left (or book backwards) at the bottom of the phone and it will take you back. Again, very intuitive. The iPhone has back buttons scattered all around. Sometimes at the top, sometimes at the bottom. I find fingers going schitz looking for where to push. To me this translates as a slowdown. With the Palm Pre, this is only a swipe of a thumb from the hand that's holding it. No extra steps required.

03. Card Multitasking. This was brilliant as well. On the Web OS, every new item was a card. A simple push of the button will allow you to visually see all the cards so that you can get to the one you want. Want to see a contact while writing an email? No problem, just push one button to activate the carding system and go to the contacts. Then go back via the same route you came. No extra steps required.

04. Screen Size. Believe it or not, in some cases, the screen size was larger on the Palm Pre than the iPhone. When I have to text something, the virtual keyboard takes up more than half of the physical screen size leaving my texting visual field to nearly that of a calculator I had in high school. Ugh... I miss the larger usable screen size.

05. Texting App. I can barely read texts on the iPhone. I don't need to shrink and see a comic-bubble like on the iOS. The WebOS had texting in full font size and differentiates people by a simple different color background. It also time stamped conversations easily to see when conversations happened. I miss the WebOS texting app.

06. Cloud. I mean really. It's November 2011 and the iOS is just coming out with cloud which requires a forced upgrade. WebOS has this by default and has it by design and since inception almost 3 years ago. If I drop the phone in the ocean, who cares. I buy a new one, type in my username and password and voilà... all my important stuff is there including my APPS. No extra steps required.

07. Synergy. This is something iOS still hasn't caught onto. Let's say I have a Facebook Friend named Dallas Herrmann. Guess whose contact is in my contacts? Dallas's. Guess whose picture shows when Dallas calls? Dallas's. I didn't put it there, it pulled from Facebook. Chances are if he's my friend in Facebook, he'll call my cell phone. If he changes his picture on Facebook, it changes on my phone. I can override this of course. I really liked this. No extra steps required.

08. Phone App. The Phone App on the iPhone is terribly thought out in my opinion. Going from voicemail to missed calls to contacts is clumsy. Trying to make a phone call requires more scrolling than an ancient library. Finding contacts is such a slowdown since everyone is listed by last name. With the Palm Pre, I open the phone app and start typing either their first or last name and a short list shows. No extra steps required.

09. Notifications. On the iOS, I get a little red circle with a number. That tells a whole lot of nothing. The WebOS has a notification system that shows a notification with what happened and who did it. Getting rid of them wasn't entering the app, it was a simple swipe to remove the visual item. No extra steps required.

10. Touchstone Charging. The iPhone still has to be plugged in to get a charge. The Palm Pre could have a touch back that rested on a pedestal. This limited the chances of breakage of tiny part or of dirt entering the internals of the device. It was less moving parts. No extra steps required.

Additional Notes

So there you have it, the top 10 items I miss most about the Palm Pre and WebOS. I could have put other items in like the single swipe to delete emails or the sticky note app but the list above is good. If I missed something or if you just want to sound off, let me know. We're a small group.

Also note that there are things that I won't miss about the Palm Pre that should be put into a different post. As well, there are items about the iPhone 4s that are superior to the Palm Pre which again is a different post altogether.

I suppose my biggest surprise is the lack of support of a large company for the WebOS. It is a viable and in some cases preferred alternative to the iOS. Not everyone needs to have games and apps of the iOS. People like me don't have time for that stuff anyway. What we need is productivity. And that seemed to be the gap the WebOS filled for me. My device needs to do some things really, really well: phone, contacts, calendar, email, texting and twitter.

There's a Pepsi for Every Coke

In my perfect world, Sprint would have bought the WebOS (instead of HP, yuck) and married it to their services. This would have created a synergy in the mobile communications sector defining themselves for productive people and attracting people who don't prefer the iOS or want the opposite of items that can be seen as childish. Doing this would have created a clear personal brand that defined Sprint and WebOS for productive people and pitted themselves against the iPhone which is nothing more than an unproductive toy that requires attention that I have set for other important items. I would have used a tag line, Productivity Begins.

No Sim Card Installed - iPhone 3GS (iOS 5.0.1)

I will list out the horror story later. Basically if you have a "No Sim Card Installed" or "No Service" message. Do the following exactly. Do not read into the instructions - just perform the steps.

1. connect iPhone to Mac with iTunes.

2. remove the SIM CARD (take a paper-clip and push it in the top pinhole to eject the card).

3. put iPhone in DFU mode (that is holding down the POWER BUTTON & HOME BUTTON both at the same time for exactly 10 seconds. Release the POWER BUTTON only).

[a message on iTunes shows that an iPhone is connected in recover mode.]

4. click RESTORE in iTunes (this will restore the iPhone to the stock/normal firmware.)

5. wait until it is finished.

6. when the phone boots, it will show "No Sim card." Don't do anything yet.

7. simply put the simcard in the top SIM CARD slot.

8. the phone will activate automatically.

Update: 11/03/12: This is one of the most popular articles on this web site. Please note that this info is provided as in my own experience and it isn't meant to fix your particular issue. Please make sure you've backed up everything. Please make sure everything is synced. Please refrain from emailing me, asking me for support. If you want my advice, upgrade your phone to the latest version available (iPhone v5) and have the store/service transfer everything.

What is a T1?

Recently I was at a medical office in Stuart. The office was sending huge x-ray images to various places. The issue was sending the files was taking forever.

They couldn't understand why it was taking so long because they had a DSL. I asked if they ever considered a T1? They said they didn't understand what a T1 was compared to their DSL line.

Great question.

Internet connections are measured in two ways; download speed (or receiving speed) and upload speed (or sending speed).

Download speed is the speed by which we surf the internet. Your laptop is getting information from somewhere else. Complaints asking why the internet is so slow are always about download speed.

Upload speed is the speed by which we send emails. Your laptop is sending information to somewhere else. This is why their complaint about slowness in sending prompted me to inquire about a T1 consideration.

Furthermore, we measure speeds in megabits per second, Mbps (not megabytes, MB, like we normally do). Here's how the connections stack up.

Their DSL was 6Mbps. This is a 6Mbps maximum download speed. Upload speed is probably around 0.250 Mbps.

Their T1 is going to be 1.5Mbps. Upload speed is going to be 1.5Mbps. This is a 500% increase over the DSL line in upload speed, giving the best chance at sending the x-ray images.

The most important factor of T1 is that it is guaranteed. This means it is guaranteed to be running all the time. Worries about their internet going down like it did in the past won't be an issue anymore.

After explaining the differences, we'll be installing a T1 at their office this week.

Open .xls Files with Office Starter (Excel Starter)

SITUATION:

-have a traditional .xls file on the DESKTOP

-double-click to open it.... nothing

RESOLUTION:

01.-close out of everything
02.-click START > RUN
03.-type: regedit
04.-click OK
05.-navigate to: HKEY_LOCAL_MACHINE\SOFTWARE\Classes\.xls\OpenWithProgIDs
06.-it'll probably say: "Excel.Sheet.8"
07.-right-click
08.-click RENAME
09.-change to: "Excel.Sheet.12"
10.-restart computer
11.-click START > CONTROL PANEL > DEFAULT PROGRAMS
12.-click ASSOCIATE A FILE TYPE WITH A PROGRAM
13.-find .xls
14.-double-click
15.-change to: "Microsoft Application Virtualization DDE"
16.-click OK > CLOSE

Yes... that took me about 2 hours to discover. I don't choose to hate Microsoft.... they force me to hate them.

DDWRT Initial Flash Instructions

This one is for me because I can never remember or sift through the endless pages of info on web sites concerning this.

The files are located here:

1.-the TRX file is the first one
2.-then
3.-telnet
4.-erase nvram
5.-reboot
6.-14896 is legacy
7.-14929 is recommended stable
8.-do a 30/30/30

COM+ Fix (Reinstalling COM+ Service)

01.-Reboot and start in Safemode
02.-Open a command prompt (cmd.exe) and execute the following commands:
03.-ren %windir%\System32\Clbcatq.dll Clbcatq.dll.bak
04.-del %windir%\Registration\*.* /s
05.-Start the registry editor and delete the following registry key:
06.[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\COM3]
07.-Reboot and start in Normal mode.
08.-Open a command prompt (cmd.exe) and execute this command:
09.-rmdir /s %windir%\Registration
10.-Open the Control Panel and double click Add/Remove Programs
11.-Select Add/Remove Components and click Next and it will reinstall COM+
12.-Re-apply the necessary service packs and updates for COM+.
13.-click START > RUN
14.-type: cmd
15.-click OK
16.-rundll32 %windir%\system32\inetsrv\wamreg.dll, CreateIISPackage

Virtual Domain External SMTP on SME Server

SCENARIO

  • -add a virtual domain to the server.
  • -configure external domain name provider (in this case, ENOM) to point to server.
  • -configure external domain name provider to point MX records to gmail.
  • -check MX records.

dig -t mx domain.tld

;; ANSWER SECTION:
domain.tld.       1800    IN      MX      10 ASPMX.L.GOOGLE.com.
domain.tld.       1800    IN      MX      20 ALT1.ASPMX.L.GOOGLE.com.
domain.tld.       1800    IN      MX      30 ALT2.ASPMX.L.GOOGLE.com.
domain.tld.       1800    IN      MX      40 ASPMX2.GOOGLEMAIL.com.
domain.tld.       1800    IN      MX      50 ASPMX3.GOOGLEMAIL.com.

  • -send an email from primary domain to virtual domain.
  • -get a bounce basically saying "Recipient unknown"

SOLUTION

-added MailServer setting to domain

db domains setprop domain.tld MailServer a.b.c.d
signal-event email-update

chkdsk every boot

1.-click START > RUN
2.-type: cmd (black scary screen shows)
3.-type: fsutil dirty query c:
4.-if volume is dirty go to next step
5.-type: chkdsk c: /f /x
6.-when finished repeat: fsutil dirty query c:
7.-if no longer dirty then reboot (no more chkdsk).

What is an SSL Certificate?

What is it?

An SSL Certificate in layman's terms is a vouching system. In other words, you are who you say you are because a large company has verified it.

If I had a company, say like Dak Networks Company, how would you know that the web site you are on is actually the company web site? There's no way of actually knowing. Unless, of course, someone you trust told you that it really was the company web site. Then you would feel secure that you were on the right web site.

This in essence is what an SSL Certificate is. You pay a company. They do a little research to verify who you are. They hand you a certificate. Easier said than done.

Why do you need it?

You need an SSL Certificate to create an SSL connection or to have HTTPS for your web site.

More importantly, you have to install it correctly for the web site not to complain. If it isn't installed correctly, people get weird messages when they visit your site like "there's a problem with this web site." So unless you want to field phone calls all day long and repeatedly say, "Just click continue" which drives you absolutely insane, you better make sure the SSL Certificate is installed correctly (sounds like I have experience with this?).

I have an SSL Certificate... Now What?

You have to install the SSL Certificate on your server. This is the issue.

Last Updated on Saturday, 25 June 2022 03:59

Install Rapid SSL Certificate, RapidSSL Intermediate Certificate & RapidSSL CA

When you get a RapidSSL Certificate (see instructions below somewhere), you have to install it. You also have to install the intermediate certificate. You also have to install the parent certificate or the certificate authority also known as the Root CA. The intermediate certificate & root certificate together is known as the CertificateChainFile or intermediate file or intermediate bundle or CA bundle.

So our structure from below is:

ssl.crt
ssl.key
ssl.pem

We'll change into the certificate directory:

cd ssl.crt

In this directory, you should have your server.crt, the certificate that you bought & they sent you in an email.

You should also have the INTERMEDIATE CERTIFICATE FILE. This is also called the CA BUNDLE.

Caution! They only send you the single intermediate certificate in the email. They don't send the bundle. You have to get it. Also, they send a link to the incorrect CA bundle in the email.

The problem with the RapidSSL bundle is that it contains the RAPIDSSL CA & the GEOTRUST CROSS ROOT CA and nothing else.

The GEOTRUST CROSS ROOT CA is here:
https://knowledge.geotrust.com/support/knowledge-base/index?page=content&id=AR1426&actp=search&viewlocale=en_US&searchid=1283360269668

This works fine for newer devices like ANDROID phones as they have the GEOTRUST CROSS ROOT CA installed as something they can trust.

But it doesn't work for stable production systems like CENTOS 4, RHEL 4 or anything with OPENSSL v0.9.7a-43.17.el4_8.6. The problem is that these systems have a different CA STORE (the set of certificates they trust) and the GEOTRUST CROSS ROOT CA isn't in that STORE.

The older GEOTRUST GLOBAL ROOT CA is in the store (which is different than the GEOTRUST CROSS ROOT CA... confusing, isn't it). First we have to get it:

So now the directory looks like this:

server.crt
RapidSSL_CA_bundle.pem
GeoTrust_Global_CA.cer

Great! We have to join these together into one certificate.

openssl x509 -inform PEM -in "server.crt" -text > ca_bundle.crt
openssl x509 -inform PEM -in "RapidSSL_CA_bundle.pem" -text >> ca_bundle.crt
openssl x509 -inform PEM -in "GeoTrust_Global_CA.cer" -text >> ca_bundle.crt

That's it! You now have a certificate called ca_bundle.crt to incorporate the certificate into your server directly. For me that's:

config setprop modSSL crt /home/e-smith/path/to/your/crt/ca_bundle.crt
signal-event domain-modify
signal-event email-update

This ensures you have no error messages on the browsers (firefox, opera, safari, ie) and it ensures you have no error messages on the email clients (thunderbird, etc).

You can test your work directly on the server directory with:

openssl verify -CAfile ca_bundle.crt -verbose server.crt

You can test your work directly on the public HTTPS side with:

echo GET | openssl s_client -connect yourwebnameserver.tld:443

And the public IMAPS with:

echo GET | openssl s_client -connect yourwebnameserver:993

Both will give you the chain structure and where it breaks, if it breaks.

Caution! If it tells you, you have a self-signed certificate, that's fine. The ROOT CA is always a self-signed certificate.
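
As an added example (not the post's own code), the script below builds a throwaway three-tier chain with openssl (a self-signed root, an intermediate, and a server certificate), concatenates them into ca_bundle.crt in the same order the post uses, and runs openssl verify against it; it also reproduces the break the post describes, where the bundle carries the intermediate but the trust file has no matching root. The names (Demo Root CA, www.example.test) and the temp work directory are constructed for the demo.

```shell
#!/bin/sh
# Constructed demo of chain bundling and verification; not from the post.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config so the demo does not depend on the system openssl.cnf;
# the subject comes from -subj, so the [dn] section can stay empty.
write_config_files() {
  printf '[req]\ndistinguished_name = dn\n[dn]\n' > "$WORK/req.cnf"
  # CA tiers must carry CA:TRUE, otherwise openssl verify rejects them as issuers.
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/ca_ext.cnf"
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf_ext.cnf"
}

# Key plus CSR for one tier: $1 = file stem, $2 = subject.
make_csr() {
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/req.cnf" \
    -subj "$2" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
}

# Root CA, self-signed (normal for a root, as the post's caution says).
make_root() {
  make_csr root "/O=Demo/CN=Demo Root CA" &&
  openssl x509 -req -days 30 -sha256 -in "$WORK/root.csr" \
    -signkey "$WORK/root.key" -extfile "$WORK/ca_ext.cnf" \
    -out "$WORK/root.pem" 2>/dev/null
}

# Intermediate CA (the RapidSSL CA tier in the post), signed by the root.
make_intermediate() {
  make_csr intermediate "/O=Demo/CN=Demo Intermediate CA" &&
  openssl x509 -req -days 30 -sha256 -in "$WORK/intermediate.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/ca_ext.cnf" -out "$WORK/intermediate.pem" 2>/dev/null
}

# Server certificate (the purchased server.crt), signed by the intermediate.
make_leaf() {
  make_csr leaf "/O=Demo/CN=www.example.test" &&
  openssl x509 -req -days 30 -sha256 -in "$WORK/leaf.csr" \
    -CA "$WORK/intermediate.pem" -CAkey "$WORK/intermediate.key" -CAcreateserial \
    -extfile "$WORK/leaf_ext.cnf" -out "$WORK/leaf.pem" 2>/dev/null
}

# Build all three and concatenate server cert, intermediate and root, in
# that order, into one file as the post does with ca_bundle.crt.
build_chain_demo() {
  write_config_files
  make_root && make_intermediate && make_leaf || return 1
  cat "$WORK/leaf.pem" "$WORK/intermediate.pem" "$WORK/root.pem" \
    > "$WORK/ca_bundle.crt"
}

# The post's check: verify the server cert against a trust file. Exit status
# 0 means a chain was built all the way to a self-signed root in that file.
verify_leaf_with() {
  openssl verify -CAfile "$1" "$WORK/leaf.pem"
}

# Closer to what a client does: only the root is trusted, and the
# intermediate has to be supplied next to the server cert.
verify_leaf_strict() {
  openssl verify -CAfile "$WORK/root.pem" -untrusted "$WORK/intermediate.pem" \
    "$WORK/leaf.pem"
}

# Print subject and issuer of every cert in a bundle; each issuer should be
# the subject of the next cert, and the last one should issue itself.
show_chain() {
  rm -f "$WORK"/part*.pem
  awk -v dir="$WORK" '/-----BEGIN CERTIFICATE-----/ { n++ }
                      n > 0 { print > (dir "/part" n ".pem") }' "$1"
  for f in "$WORK"/part*.pem; do
    openssl x509 -noout -subject -issuer -in "$f"
  done
}

if [ "${1:-}" = "demo" ]; then
  build_chain_demo && show_chain "$WORK/ca_bundle.crt"
  verify_leaf_with "$WORK/ca_bundle.crt"
  # Bundle without its root: the same break an old CA store produces.
  verify_leaf_with "$WORK/intermediate.pem" || echo "chain breaks without the root"
fi
```

Run it with the argument demo to print the chain and both verify results. The post's bundle also carries the -text dumps between the PEM blocks; PEM readers skip anything outside the BEGIN/END markers, so that does not change the outcome.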

Hope this helps someone. Most importantly me, since it took a good 48 hours to pull all this together from different places & trial and error.

What is SSL?

What is it?

SSL stands for SECURE SOCKET LAYER. In layman's terms SSL is a secure connection. When you type something into a web site, any web site, and click SUBMIT, the information you type in can be seen by those young kids who know how to hack.

SSL prevents those kids from seeing what you type in.

What does it do?

SSL securely transmits the information you type into a web site so that no one can see it. Except, of course, the people who you're sending it to.

SSL Quick Example

Find the ADDRESS BAR at the top of your web browser (see picture). You know, where you type in a web site. You can typically tell you're on an SSL web site because you'll see HTTPS at the beginning of the bar. The "S" stands for "secure." Also, recently, the ADDRESS BAR changes color when an SSL connection is being made, sometimes blue (see picture) & sometimes green.

What do I need if I want to do an SSL for my web site?

You need an SSL certificate from an authorized browser partner.

Last Updated on Saturday, 25 June 2022 04:03

Create Key, Generate & Install Certificate -ssl, csr, crt

How many times do I have to go through this? Because this can be confusing I create 3 directories:
mkdir ssl.crt
mkdir ssl.key
mkdir ssl.pem

GENERATE KEY PAIR (key & csr)

This can be done a few ways. You can do this with PUTTY on a WINDOWS pc. You can do this with OPENSSL on a REDHAT server. Choose one. It doesn't matter. Below is for OPENSSL on the server.

1: cd ./ssl.key
2a (no Subject Alternative Name [SAN]): openssl req -nodes -newkey rsa:2048 -sha256 -reqexts v3_req -keyout www.regionalidx.com.key -out www.regionalidx.com.csr -subj "/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=www.regionalidx.com"
2b (Subject Alternative Name [SAN] ≤ openssl v1.1.0):
openssl req -nodes -newkey rsa:4096 -sha256 \
  -keyout regionalidx.com.key -out regionalidx.com.csr -reqexts SAN -extensions SAN -subj '/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=regionalidx.com' -config <(cat /etc/pki/tls/openssl.cnf; printf "[SAN]\nsubjectAltName=DNS:www.regionalidx.com,DNS:mail.regionalidx.com,DNS:server.regionalidx.com")
2c (Subject Alternative Name [SAN] ≥ openssl v1.1.1):
openssl req -nodes -newkey rsa:4096 -sha256 -reqexts v3_req \
  -keyout www.regionalidx.com.key -out www.regionalidx.com.csr -subj "/C=US/ST=Florida/L=Jupiter/O=Regional IDX/OU=IT/CN=regionalidx.com" \
  -addext 'subjectAltName=DNS:www.regionalidx.com,DNS:mail.regionalidx.com,DNS:server.regionalidx.com'

NOTE: Please do not enter your email address, challenge password or an optional company name when generating the CSR.

You can check the CSR with the following:

openssl req -text -noout -verify -in regionalidx.com.csr
openssl req -text -noout -verify -in regionalidx.com.csr |grep DNS
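
An added example, not from the post: it generates the SAN request through a config file (so it works in plain sh and on openssl releases before 1.1.1, without -addext or bash's <(...)), then checks that the DNS names actually ended up in the CSR, which is what silently goes wrong when -reqexts is left off. The names under example.test and the temp work directory are constructed placeholders.

```shell
#!/bin/sh
# Constructed demo of a SAN CSR and its check; not the post's own code.
set -u

WORK="${WORK:-$(mktemp -d)}"

# Minimal req config. The [san] section is applied only when the request is
# generated with -reqexts san; [dn] can stay empty because the subject comes
# from -subj. $1 is the subjectAltName value, e.g. DNS:a.example.test,DNS:b...
write_req_config() {
  {
    printf '[req]\ndistinguished_name = dn\n[dn]\n[san]\n'
    printf 'subjectAltName = %s\n' "$1"
  } > "$WORK/req.cnf"
}

# Key and CSR for $1 (file stem) covering the comma-separated DNS names in $2.
# Pass "nosan" as $3 to reproduce the mistake of leaving out -reqexts.
make_san_csr() {
  stem=$1
  names=$2
  mode=${3:-san}
  san_value=$(printf '%s' "$names" |
    awk -F, '{ for (i = 1; i <= NF; i++) printf "%sDNS:%s", (i > 1 ? "," : ""), $i }')
  write_req_config "$san_value"
  if [ "$mode" = "nosan" ]; then exts=""; else exts="-reqexts san"; fi
  # $exts is intentionally unquoted so it expands to two words (or none).
  openssl req -new -nodes -newkey rsa:2048 -sha256 -config "$WORK/req.cnf" $exts \
    -subj "/C=US/ST=Florida/L=Jupiter/O=Demo/CN=${names%%,*}" \
    -keyout "$WORK/$stem.key" -out "$WORK/$stem.csr" 2>/dev/null
}

# Comma-separated DNS names carried in a CSR; empty if it has no SAN.
csr_dns_names() {
  openssl req -in "$1" -noout -text |
    grep -o 'DNS:[^,[:space:]]*' |
    sed 's/^DNS://' |
    paste -sd ',' -
}

# The post's check (-verify validates the request's own signature), plus a
# requirement that every expected name is present in the SAN.
check_csr() {
  csr=$1
  expected=$2
  openssl req -noout -verify -in "$csr" >/dev/null 2>&1 || return 1
  got=$(csr_dns_names "$csr")
  for n in $(printf '%s' "$expected" | tr ',' ' '); do
    case ",$got," in
      *",$n,"*) ;;
      *) return 1 ;;
    esac
  done
  return 0
}

if [ "${1:-}" = "demo" ]; then
  make_san_csr good "www.example.test,mail.example.test,server.example.test"
  echo "good.csr names: $(csr_dns_names "$WORK/good.csr")"
  make_san_csr bad "www.example.test,mail.example.test" nosan
  echo "bad.csr names: '$(csr_dns_names "$WORK/bad.csr")' (-reqexts omitted)"
fi
```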

 

REQUEST CERTIFICATE

Great! You have a key as well as a certificate request (csr).

1.login to your account where you bought the certificate.
2.paste in your CSR.
3.submit the request.
4.check & double check to make sure the contact info is correct (you can't skimp here)

APPROVE REQUEST

1.the certificate provider (GEOTRUST, VERISIGN, etc) should email the AUTHORITATIVE EMAIL (admin@yourdomain.com) as listed in the domain name WHOIS.
2.accept the request.

INSTALL CERTIFICATE

1.the certificate provider (GEOTRUST, VERISIGN, etc) should email you the certificate.
2.copy the certificate
3.change into the CRT directory
4.cd ../ssl.crt
5.paste it into the CRT file.
6.vi yourdomain-example.com.crt

They may also send you an INTERMEDIATE certificate. If needed, paste it into its own file.

1.vi geotrust.crt

TELL THE SERVER WHERE TO FIND IT

1.config setprop modSSL crt /home/e-smith/ssl.crt/{domain}.crt
2.config setprop modSSL key /home/e-smith/ssl.key/{domain}.key
3.config setprop modSSL CertificateChainFile /home/e-smith/ssl.crt/{CA}.crt

APPLY THE CHANGES

1.signal-event domain-modify
2.signal-event email-update

Last Updated on Monday, 13 June 2022 19:49

Accept Certificate on Ipad, Accept Certificate on Iphone

If you have a certificate error for an email server, your IPOD/IPAD/IPHONE may not notify you of an issue, which doesn't allow you to click OK, which doesn't allow you to get email. It simply says, "Cannot connect to server. Check the settings and try again."
1.on your Mac, go to the web site with the certificate issue (my issue was a name mismatch).
2.view the certificate.
3.trust the certificate.
4.open your Applications->Utilities->Keychain Access app.

find your mail server in the Name column. There may well be more than 1 entry. Find the entry that has “certificate” in the Kind column, and that has the most recent Expires date. This is the certificate you want.

1.right/control-click the certificate and choose Export “(mail server name)”: 
2.in the File Format dropdown, make sure you select Privacy Enhanced Mail (.pem) [NOT Certificate (.cer)]
3.save the file on your desktop.
4.attach it to a new mail message. Send the email to yourself.
5.on your iPhone/iPad/iPod touch, open the email. 
6.tap the attachment. This will open an Install Profile window.
7.tap the Install button to install the certificate on your device.

You should now find that you can send and receive email. If not, reboot your IPAD/IPHONE/IPOD.

To find the installed certificate, just tap Settings -> General -> Profile.

Logon failure: the user has not been granted the requested logon type at this computer

1.go to the computer with the share
2.download the Windows Server 2003 Resource Kit Tools and install it: http://go.microsoft.com/fwlink/?LinkId=4544
3.click Start, All Programs, Windows Resource Kit Tools, Command Shell

Then enter the following commands. (Attention: they are case sensitive.)

1.net user guest /active:yes
2.ntrights +r SeNetworkLogonRight -u Guest
3.ntrights -r SeDenyNetworkLogonRight -u Guest

Tech Support Life

It's a Saturday on a holiday weekend. By 10am, I had more than 5 voicemail messages and 5 text messages. All "Little Stuff" that is sooooo important that it can't wait till the beginning of the next work week.

This is why I've pretty much exited personal tech support and why I'm moving into teaching.

Ohhh... Before I forget. Payment for today after working for 8 hours straight.... zero.

Windows 7 Won't Run EXE Files

Latest problem listed above on a Windows 7 machine. Here's how I fixed it:

01.-go to working computer
02.-click here: http://www.winhelponline.com/fileasso/exe_fix_w7.zip
03.-unzip the file: exe_fix_w7.reg
04.-copy to FLASH DRIVE (also known as a THUMB DRIVE)
05.-start problem PC in SAFE MODE WITH NETWORKING
06.-plug in FLASH DRIVE
07.-press: CTRL-SHIFT-ESC
08.-hold: CTRL
09.-click FILE > NEW TASK (command box / shell prompt / black-scary-screen opens)
10.-type: F:
11.-type: REG IMPORT exe_fix_w7.reg
12.-that's it! You should be able to run EXE files now.

DDWRT Client Bridge Settings

Here are the simple steps to get a second DDWRT wireless unit to extend the original. Putting them here so that I don't have to look it up again. I always seem to forget some of the settings.

FIND THE SIGNAL

  • -start from scratch. This means start with a plain jane vanilla ddwrt without any customized settings.
  • -login & change USERNAME & PASSWORD to something customized.
  • -click STATUS > WIRELESS.
  • -click SITE SURVEY (at the bottom).
  • -(a screen with a list of the wireless signals will show).
  • -find the one you want to extend.
  • -click JOIN (at the right).

WIRELESS SETTINGS

  • -(this will automatically fill in the BASIC SETTINGS for the wireless).
  • -wireless mode: client-bridge.
  • -wireless channel: match the channel on the main unit.
  • -click SAVE (at the bottom.)
  • -click WIRELESS SECURITY (at the top).
  • -security mode: (match the security mode on the main unit exactly including TKIP or AES. If a new setup use WPA PERSONAL AES).
  • -(note: cannot do WPA2 Personal Mixed).
  • -password: anything-of-your-choosing-thats-8-characters-long.
  • -click SAVE (at the bottom).

BASIC SETTINGS

  • -click SETUP
  • -connection type: disabled
  • -local ip address: 192.168.1.2
  • -subnet: 255.255.255.0
  • -gateway: 192.168.1.1
  • -local dns: leave-blank
  • -dhcp forwarder: 192.168.1.1
  • -click SAVE
  • -click ADVANCED ROUTING (at the top)
  • -operating mode: ROUTER
  • -click SAVE (at the bottom)

SECURITY SETTINGS

  • -click SECURITY
  • -find BLOCK WAN REQUESTS area
  • -checkmark FILTER MULTICAST
  • -uncheck everything else in the area
  • -spi firewall: disable
  • -click SAVE (at the bottom)

FINAL SETTINGS

  • -click ADMINISTRATION
  • -click SAVE (at the bottom)
  • -click APPLY SETTINGS (at the bottom)
  • -reboot router
  • -wait 3 minutes for everything to come back on and sync up.

CHECK TO SEE IF IT'S WORKING

  • -click STATUS > WIRELESS
  • -you'll be able to see the signal strength between the two units. If it's too low, move them closer together or in a more direct line of sight.

Rogue Infections Hiding Start Menu Shortcuts

Here's the deal. Fake infections on Windows XP & Windows 7 have been hiding folders in LOCAL DISK C.

Basically we have to unhide the hidden folders.

We also have to move the START MENU shortcuts back.

http://forums.malwarebytes.org/index.php?showtopic=85715&st=0&p=434006&#entry434006

The Conspiracy of Change


My life has been turned upside down lately. It all started with my car. I needed to replace it. So I bought the same make and model but a different year. It's amazing how different user interface items change in the span of a few years. The cruise controls were different, the center console configuration was different and the radio was different.

My family tried to convince me that these items were better but if you're like me, you know that this isn't true. They conspired with the car to accept it as better. But I didn't want to learn how to do something new. I already knew how to work all of those items just fine.

Then the same thing happened to my TV as Comcast changed the user interface on the cable box without asking me. The nerve of them! At least give me the option of going back to the old look and feel. Even the buttons on the remote don't respond the same.

Then it happened to my phone. The PalmPre was discontinued by Sprint so I took the opportunity to change to the most popular phone system, the Android on brand new 4G technology. I got a new larger screen, joining everyone else and of course a new user interface.

I gave it my best to adapt to the new controls that were supposed to be better and it shouldn't have been that hard. After all, I already knew how to use one smartphone, translating that knowledge to a new smartphone should be easy.

But I missed many of the features of the PalmPre. I didn't have buttons anymore, it was all on screen. Getting my clumsy thumbs to hit the letter I wanted proved to be too hard. This made the spell correction an absolute necessity. But it corrected many items incorrectly and in my tech world many items are spelled awkwardly to begin with; OSX became "occasion". And my last name is my last name, whether I like the spelling or not isn't the point. Just stop asking me if I want to correct it. I don't.

This all led up to making my texts & tweets incomprehensible. Everything from "Woof you call me?" to "I'll be huff in a boat 2 hores." (I'll be home in about 2 hours.) Nice upgrade.

The larger screen was nice. But was it too large? That whole item of being happy to see someone and pockets started to come to mind repeatedly. Also, when the onscreen keyboard was showing, the screen didn't seem to be that large anymore. It actually seemed smaller.

This larger screen led to the battery dying by dinner. Bad for any family member trying to connect for the nightly ritual.

The worst of it was the user interaction. What took one gesture on the PalmPre (swipe to delete an email) now took 3 with the Android (read email, menu, delete). The simple measure of going back, even with its permanent button, seemed to not take me where I wanted to go. And switching applications was a seeming impossibility.

Combine this all together and I was missing texts, missing phone calls and missing family dinners.

I gave it my best go for two weeks. As soon as I hit the two week mark, I switched back to the PalmPre and WebOS. WebOS, you're my hero. Never did I miss my swiping so much.

EXE Files Won't Run (Windows cannot find the correct program... Choose a program from the list)

A round of malware has really turned up lately that, once it's cleaned with Malwarebytes, the computer won't run EXE files. It says, "Windows cannot find the correct program to open blahblah.exe, choose a program from the list."

Here's the fix (reformatted & reposted from http://support.microsoft.com/kb/555067)

  • -click START > RUN
  • -type "command.com", press Enter. (A DOS window opens.)
  • -type: "cd\", press Enter
  • -type "cd \windows" press Enter
  • -type: copy regedit.exe regedit.com, press Enter
  • -type regedit.com, press Enter
  • -navigate to and select the key: HKEY_CLASSES_ROOT\exefile\shell\open\command
  • -in the right pane, double-click the (Default) value.
  • -delete the current value data
  • -type: "%1" %*
    (quote-percent-one-quote-space-percent-asterisk)
  • -close the Regedit utility.

That should do it! You can now run EXE files again. If it still doesn't work, you may have to fix EXE file association with this zip file.

Then if SECURITY CENTER won't run AUTOMATIC UPDATES

  • -click START > RUN
  • -type: regsvr32 wuaueng.dll
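The registry value this post (and the "Windows 7 Won't Run EXE Files" post above) restores is exactly what the malware rewrites, so it is worth checking rather than just repairing. The following is an added example, not code from the original post: it audits the EXE handler keys and, with -Repair, puts back the same `"%1" %*` data the steps above type in. Run it from an elevated PowerShell prompt.

```powershell
# Added example, not code from the original post. Audits (and with -Repair,
# restores) the registry value the fix above sets. Run elevated.
param([switch]$Repair)

# Expected data, exactly as the post types it: quote-percent-one-quote-space-percent-asterisk
$Expected = '"%1" %*'

# HKCR is a merged view of HKLM\SOFTWARE\Classes and HKCU\Software\Classes, and a
# per-user entry wins, so the HKCU path is checked explicitly as well. An
# Expected of $null means "this key should not exist at all".
$Checks = @(
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\.exe';                       Expected = 'exefile' },
    @{ Path = 'Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command'; Expected = $Expected },
    @{ Path = 'Registry::HKEY_CURRENT_USER\Software\Classes\exefile\shell\open\command'; Expected = $null }
)

foreach ($c in $Checks) {
    if (-not (Test-Path $c.Path)) {
        if ($null -eq $c.Expected) { Write-Host "OK       $($c.Path) (no per-user override)"; continue }
        Write-Warning "MISSING  $($c.Path)"
        continue
    }
    $actual = (Get-ItemProperty -Path $c.Path).'(default)'
    if ($null -eq $c.Expected) {
        # Any per-user EXE handler is suspicious: it silently overrides the machine-wide one.
        Write-Warning "OVERRIDE $($c.Path) -> '$actual' (review and remove if unexpected)"
        continue
    }
    if ($actual -eq $c.Expected) { Write-Host "OK       $($c.Path) -> '$actual'"; continue }
    Write-Warning "BAD      $($c.Path) -> '$actual' (expected '$($c.Expected)')"
    if ($Repair) {
        # Same change the post makes in regedit: replace (Default) with the expected data
        Set-ItemProperty -Path $c.Path -Name '(default)' -Value $c.Expected
        Write-Host "FIXED    $($c.Path)"
    }
}
```

Because it is a .ps1 with a param block, save it to a file and run it as `.\exefix-audit.ps1` (add `-Repair` to write the fix) rather than pasting it into the prompt.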

AC97 Drivers Continuous Reboot and Won't Install

I hate drivers. I really do. Just wrestled with another AC97 (AC 97) REALTEK driver issue on an older computer with WINDOWS XP SP3.

The board was an INTEL D845GRG (audio was a 82801DB). The driver from REALTEK kept rebooting without finishing (WDM_A406) and the INTEL drivers kept saying, "DRIVER NOT FOUND" with the SOUNDMAX installs.

Here are the steps I used to get it fixed:


A patch is required before any of the HD device drivers are installed, but the patch will only install on XP SP2 computers.

-right-click MY COMPUTER
-click MANAGE
-click DEVICE MANAGER (on the left-hand side)
-find SOUND, VIDEO, AND GAME CONTROLLERS
-under it, find the yellow exclamation point
-right-click yellow exclamation point
-click UNINSTALL

-click START > RUN
-type: regedit
-go to: HKLM\SYSTEM\CurrentControlSet\Control\Windows\CSDVersion
-change HEX VALUE TO: 200
-Restart your PC

-download kb888111xpsp2.exe
-install: kb888111xpsp2.exe
-download: Audio_eMachines_5.12.1.3571_XPx86_A.zip
-unzip: Audio_eMachines_5.12.1.3571_XPx86_A.zip
-run: SoundMAX_WDM_5_12_1_3571.exe
(the old driver is removed & new is downloaded)
(may have to manually run: DownloadedDriver_1-7-2005\Setup.exe)
-Restart your PC

-click START > RUN
-type: regedit
-go to: HKLM\SYSTEM\CurrentControlSet\Control\Windows\CSDVersion
-change HEX VALUE TO: 300
-Restart your PC

I'm putting this here so I never have to deal with it again.
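The two regedit steps above temporarily tell installers the machine is on SP2 (the high byte of the CSDVersion DWORD is the service pack major number) and then put it back. The following is an added example, not code from the original post: a small script that saves the original value before changing it and can verify afterwards that the final "change to 300" step was not forgotten. The backup file path is an assumption; run it elevated.

```powershell
# Added example, not part of the original post. Wraps the CSDVersion edit the
# steps above make in regedit so the original value is saved, and checks that
# the "set it back to 300" step was done. Run elevated on the XP box.
param(
    [ValidateSet('Backup','Set','Verify')] [string]$Action = 'Verify',
    [int]$Value = 0x300,                                   # 0x200 = SP2, 0x300 = SP3
    [string]$BackupFile = "$env:TEMP\csdversion.bak"       # assumed location
)
$Key  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Windows'   # path from the steps above
$Name = 'CSDVersion'
# The high byte of this DWORD is the service pack major number the OS reports
# to installers; that is why the SP2-only patch accepts the machine at 0x200.
$current = (Get-ItemProperty -Path $Key -Name $Name).$Name

switch ($Action) {
    'Backup' {
        Set-Content -Path $BackupFile -Value ('0x{0:X}' -f $current)
        Write-Host ("Saved CSDVersion 0x{0:X} to {1}" -f $current, $BackupFile)
    }
    'Set' {
        if (-not (Test-Path $BackupFile)) { throw "Run -Action Backup first so the value can be restored." }
        Set-ItemProperty -Path $Key -Name $Name -Value $Value -Type DWord
        Write-Host ("CSDVersion 0x{0:X} -> 0x{1:X}; reboot for it to take effect" -f $current, $Value)
    }
    'Verify' {
        # The service-pack string under CurrentVersion is not touched by the fix,
        # so a mismatch means the DWORD was left at the temporary value.
        $spString = (Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CSDVersion
        $spMajor  = [int]($spString -replace '\D', '')
        if ([math]::Floor($current / 256) -eq $spMajor) {
            Write-Host ("OK: CSDVersion 0x{0:X} matches '{1}'" -f $current, $spString)
        } else {
            Write-Warning ("CSDVersion 0x{0:X} disagrees with '{1}'; restore it (last regedit step above)" -f $current, $spString)
        }
    }
}
```

Usage follows the post's order: `-Action Backup`, then `-Action Set -Value 0x200`, reboot and install, then `-Action Set -Value 0x300`, reboot, and finally `-Action Verify`.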

Comcast Fiber Optic Upgrade

I got a flyer in the mail from Comcast today. It headlines that they've "doubled [my] internet speeds." Further it claims that the fiber optic network in Jupiter, FL has been "enhanced." The flyer claims that speeds of up to 25Mbps are possible. All I have to do is "unplug [the modem] from the power source for ten minutes."

To the left, you can see a poor image of the flyer from my Palm Pre.

Cool. Rather than just giving it a shot, I'd thought I'd do a "live" before and after to see if it really works. I'll use Speedtest.net for my tests. Speedtest tries to measure your speed between your location and a server. Since the server location is important, I'll pick a server relatively close to me in Boca/ Miami about 60/90 miles away (rather than a server outside of the state of FL).

Before and after details are below:

(image: comcast_speedtest, the before and after Speedtest.net results)

You can see that before, in February 2011, my speed was around 12.6Mbps. Now, in April 2011, my speed is about 28.11Mbps.

Good enough for me. Thanks Comcast. This is faster than the T1 connections I have all over Palm Beach County and my Metro-e connection on PGA Blvd.

If you can get Comcast around here, it's a definite no brainer -yes!

Then why do I have a Metro-e? Good question. Because a Metro-e is guaranteed not to go down. Since the office has about 50 people working in it at all business hours and since the office processes more than 1 billion dollars a year, it is worth it to spend extra to have peace of mind that the office won't have issues.

Compliance Services of 400 Capital Cir SE is a Scam

The COMPLIANCE SERVICES of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301 is a complete scam. The COMPLIANCE SERVICES of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301 is a complete farce. Do not do business with the COMPLIANCE SERVICES of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301.

State of Florida notifies that the Compliance Services of 400 Capital Cir SE is a Scam

You can see the official warning and consumer advisory posted by the State of Florida on their web site at http://sunbiz.org here. You can see they reinforce the fact that the COMPLIANCE SERVICES of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301 is a complete scam.

Lawyers in Florida notify that the Compliance Services of Tallahassee, FL is a Scam

You can see other recent blog posts from licensed lawyers in Florida notifying businesses of the fact that the COMPLIANCE SERVICES of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301 is a complete scam here: http://www.floridaconsumerlawyerblog.com/2011/03/compliance-services-in-tallaha.html

In fact, the above blog post is quoted as saying, "Sarelson Law Firm is investigating a potential class action lawsuit on behalf of anyone who paid "Compliance Services" the $125 fee."

The Compliance Services of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301, is a company unrelated to the Florida Division of Corporations. They are sending out notices through the US Postal Service with a marking of "TIME SENSITIVE" concerning a $125 fee for annual corporate minutes. They try hard to make it look like an official letter from the State of Florida. They even put a due date on the letter.

Compliance Services of Tallahassee, FL 32301, is a company unrelated to the Florida Division of Corporations

Only people who read the fine print realize that the Compliance Services of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301, is a company unrelated to the Florida Division of Corporations.

However this is after the bolded headline which reads, "ANNUAL MINUTES REQUIREMENT STATEMENT DIRECTORS AND SHAREHOLDERS (Business Corporations)."

Jacksonville Times Union warns readers of the Compliance Services of Tallahassee, FL 32301

Even the Jacksonville Times Union is reporting on the story here: http://jacksonville.com/opinion/blog/400564/david-bauerlein/2010-04-25/letter-tallahassee-not-necessarily-state

Compliance Services of Tallahassee, FL Scamming People for Years

Apparently, this has been going on for quite some time as the following blog post is from 2009 and has more than 220 comments: http://scriptionary.com/2009/03/07/annual-minutes-requirement-scam/

They all echo the same concern: that the Compliance Services of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301, is a scam.

Compliance Services of Tallahassee, FL Scamming People in Other States

Click here to see how the Compliance Services of Tallahassee, FL is scamming people in other states:

http://www.ncnn.com/business/6646-state-stops-deceptive-mailings-to-businesses

Picture of the Compliance Services of Tallahassee, FL Scam Letter

Here is the letter in JPG format from the Compliance Services of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301:

(image: compliance_services, scan of the letter)

If this is all it takes to make some quick cash, I'm in the wrong business. I might as well start a company called the Computer Compliance Services and base it at 400 Capital Cir SE, Tallahassee, FL 32301.

Enough Proof that the Compliance Services of Tallahassee, FL is a Scam?

Hopefully, this page has provided enough proof that the Compliance Services of 400 Capital Cir SE, Postal Mail Box 18321, Tallahassee, FL 32301, is a scam.

Where Is This Going?

I have a friend who thinks that the push towards Apple desktops and laptops is just a fad. He really believes that in the long run, companies are not going to be able to incorporate Apple desktops into their businesses.

Will Macs Be Accepted in the Workplace?

I understand where he's coming from. He's in the banking business where people are traditional employees and the information belongs to the company. The company can't handle a dual environment between PCs and Macs, not because it's impossible but because it's one more thing.

Contrast From Apple

In contrast, Apple is citing that the PC era is over. They announced this at the launch of the iPad2 here:
http://finance.yahoo.com/news/Apples-Jobs-Says-iPad-2-Makes-paidcontent-407216748.html?x=0&.v=3

Basically they are saying that the era of keyboards and desktop towers is gone. Not needed. They are indicating that the "app stack" or applications like WORD, EXCEL, FILEMAKER PRO are not needed anymore. All of these types of applications are available on the web.

The Future is Uncertain

If you are like me, you're wondering where all this is going. And I'll tell you. I don't know.

Public Demand

It really has to do with how the general public accepts these types of devices. Most companies will initially resist, simply because, like my friend above, they are not sure if this is going to last. But if the pull is so strong that companies cannot ignore it, they will incorporate items like iPads into their support systems.

You may have to learn something new, yet again. But it isn't that bad this time. You don't need that much dexterity. Everyone can point and click with their finger.

The Next 24 Months

We will see iPads invade the small workplace. They're fun, affordable and currently don't break. We don't have to deal with items like spyware, malware and TDSS rootkits. It might be an actual welcome scenario.
