Policy Templates are found on: https://www.sans.org/security-resources/policies
Nonprofit group membership is found on: https://classmgmt.com
- Details
Get All Mailboxes With Permissions Other Than Themselves. Here's how:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv
- Details
Learn visually? Me too. Here's the Outlook Permissions in table format with color view:
| Author | Contributor | Editor | None | NoneEditingAuthor | Owner | PublishingEditor | PublishingAuthor | Reviewer | AvailabilityOnly | LimitedDetails | |
| CreateItems | |||||||||||
| CreateSubfolders | |||||||||||
| DeleteAllItems | |||||||||||
| DeleteOwnedItems | |||||||||||
| EditAllItems | |||||||||||
| EditOwnedItems | |||||||||||
| FolderContact | |||||||||||
| FolderOwner | |||||||||||
| FolderVisable | |||||||||||
| ReadItems | Free/Busy | Free/Busy w Name & Location |
- Details
Do you have an Office365 account for your company domain (ie daknetworks.com) and email? Did you know that you can join your laptop or desktop to the Office365 domain?
Here are the links are recommended for various aspects of 365.
Portal for Office365 individual accounts:
https://portal.office.com
Portal for Office365 tenant management and the rest of your domain:
https://admin.microsoft.com
Portal for Azure:
https://portal.azure.com
Portal of Azure Active Directory (AAD):
https://aad.portal.azure.com
Portal for EndPoint Manager (InTune):
https://endpoint.microsoft.com
(for another view: AAD > DEVICES)
Add MFA-methods for individual accounts (as individual account):
https://mysignins.microsoft.com/security-info
Add MFA settings for individual accounts (as admin account):
AAD > USERS > PER-USER-MFA (at the top)
Or:
https://admin.microsoft.com > SETTINGS > ORG-SETTINGS
-click MULTIFACTOR-AUTHENTICATION
For fine-grain control of Exchange:
-click MODERN-AUTHENTICATION
Add MFA for entire account:
AAD > PROPERTIES > MANAGE-SECURITY-DEFAULTS
AZURE ACTIVE DIRECTORY
Once here, you are welcomed with so many services it is hard to keep them straight. What we are interested in is Azure-Active-Directory. Once you click on Azure-Active-Directory, you will see more options. Let's cover the basics.
USERS
Clicking on USERS will show you the users in your company. These naturally mirror the email accounts as you can't have an email account without having an Azure-Active-Directory account. But that might not be obvious if this is new to you.
GROUPS
Click on GROUPS is similar.
DEVICES
DEVICES will show all the DEVICES that is REGISTERED or JOINED. What's the difference?
REGISTERED is allowing the company to control the device. This is what happens with your iPhone (because who in their right mind would use Android). When you add your Office365 company email address to the phone, the company can control your iPhone. You might not know that. But it is nonetheless true. They can take the email account off the phone without your permission or they can wipe your entire iPhone without your permission.
The same is true for Windows 10 laptops/desktops. If you add your Office365 company email address to Outlook, the company can control your computer is some ways. Just like your iPhone, your computer is still accessible by you with the password that you setup when you brought the computer home from the store or received in the mail/ups/fedex/amazon package. But your company can control some of the items on your computer.
JOINED is what we think of in a traditional computer setup for a small company with an on-site server. When a computer is JOINED, any user in the company can login to that computer without having to setup the password locally. All the usernames/passwords are kept on a centrally located "invitation list."
JOIN COMPUTER TO AZURE ACTIVE DIRECTORY
So how do you do that?
- -click START > SETTINGS > ACCOUNTS
- -click ACCESS-WORK-OR-SCHOOL (on the left-hand side).
- -click CONNECT.
- -click JOIN-THIS-DEVICE-TO-AZURE-ACTIVE-DIRECTORY.
- -type in your email-address.
- -click NEXT.
- -type in your email-password.
- -click SIGN-IN > JOIN > DONE.
Check status with:
dsregcmd /status
MAGIC TO GET AROUND YOUR ORGANIZATION REQUIRES HELLO
There's a part here where if we continue, it will want to change your password to a PIN. Let's get around this.
- -click START > RUN.
- -type: gpedit.msc
- -click Computer Configuration > Administrative Templates > Windows Components > Windows Hello for Business (on the left-hand side).
- -click Use Windows Hello for Business (in the middle).
- -click DISABLED.
- -click OK
- -restart your computer to make sure it survives reboot.
LOGIN WITH AZURE ACTIVE DIRECTORY
At the login screen,
- -click OTHER-USER (at the bottom-left).
- -type in your email-address.
- -type in your email-password.
Once you do a whole new world begins. Now you can use your email-address and email-password to access the computer. You might notice that it automatically has your name from your email address. This is some the power of JOINING to an Azure-Active-Directory.
Note that when you do this, the process creates a new user on the computer so your DESKTOP, DOCUMENTS, PHOTOS, VIDEOS will all be reset to a fresh set. Any items you might have had are still in the other username and password. This can be manually transferred from the other account if needed.
NOTES
I could go on and on about the benefits of this:
- this computer now shows in Azure-Active-Directory > DEVICES section.
- if you open EDGE, go to https://portal.office.com you are automatically logged in and can download and install the software.
- if you open OUTLOOK, your account is automatically found and setup
In addition, I could go on and on about the number of misleading videos and long-winded documents I had to travel to get this far. Here are some of them:
https://docs.microsoft.com/en-us/azure/active-directory/devices/overview
https://www.youtube.com/watch?v=AZrtCtj4rTs
- Details
Exchange 2013 Room Lists exist.
To get a list of all the room resources:
get-mailbox |? {$_.resourcetype -eq "room"}
Just as mailboxes can be part of a group/distribution-group, the room resources can be part of a group/distribution-group. These are groups do not show in the ECP.
To get a list of all the roomlist groups:
get-DistributionGroup |? {$_.recipienttypedetails -eq "roomlist"}
To create a new roomlist group:
New-DistributionGroup conference-rooms-foo -RoomList
To add a member to the roomlist group:
Add-DistributionGroupMember conference-rooms-foo -Member foomember1
To get a list of all the members of a roomlist group:
get-DistributionGroupMember conference-rooms-foo
- Details
For some reason, we have never done an article on SPF records. Here are some notes concerning SPF.
Here are our current records:
v=spf1 a mx ip4:216.245.219.162 include:_spf.freshbooks.com -all
A is for the A record
MX is for the MX record
ip4 is for a dedicated ip address.
include is for including an outside system. In this case Freshbooks which handles our billing for us.
Since A, MX and IP are all the same, only one is needed. We changed it to this:
v=spf1 mx a include:_spf.freshbooks.com -all
- Details
Client has a FileMaker Server installed at a datacenter. They need the certificate installed and working.
Generate a CSR
- -open FILEMAKER SERVER.
- -click DATABASE-SERVER > SECURITY.
- -click CREATE-REQUEST.
- -create a password by typing it in.
- -when you do, a CSR file (certificate request) and a PRIVATE-KEY will be generated.
- -the files are automatically kept here: C:\Program Files\FileMaker\FileMaker Server\CStore
- -the CRS is called ServerRequest.pem
- -this is just a text file. Open the file with NOTEPAD or TEXTEDIT or EDITPAD or NOTEPAD++ (not WORD).
Create a Signed Certificate
- -take the contents of the CSR and give them to your SSL provider (GoDaddy, RapidSSL, Comodo, etc).
- -once submitted, that will generate a signed certificate.
- -it will also give you an intermediary certificate or chain certificate.
Gathering All the Certificates
- -create a folder on the desktop of the FileMaker Server.
- -create a new text file in the folder.
- -copy the contents of the signed certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
- -rename the file your.filemaker.domain.tld.crt
- -create another new text file in the folder.
- -copy the contents of the SHA-1 Root certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file.
- -copy the contents of the intermediary certificate from your SSL provider (GoDaddy, RapidSSL, Comodo, etc) and paste them into the text file directly under the root certificate.
- -so the file should look like this:
=================
-----BEGIN CERTIFICATE-----
root-certificate-here-blah-blah-blah
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
intermediary-certificate-here-blah-blah-blah
-----END CERTIFICATE-----
=================
- -rename the file chain.crt
- -copy the file C:\Program Files\FileMaker\FileMaker Server\CStore\serverKey.pem to this folder as well.
- -so the folder has 3 files:
- 1-your.filemaker.domain.tld.crt
- 2-chain.crt
- 3-serverKey.pem
Install the Certificate on FileMaker Server
- -click DATABASE-SERVER > SECURITY.
- -click IMPORT CERTIFICATE.
- -for SIGNED-CERTIFICATE choose the file your.filemaker.domain.tld.crt
- -for PRIVATE-KEY choose the file serverKey.pem
- -for INTERMEDIATE-CERTIFICATE choose the file chain.crt
- -for password, type in the password create during the CRS in the first step.
- -click IMPORT.
- -restart the service (or restart the server).
That should do it! You're awesome! You now have a green lock in the FileMaker Pro clients running around the country and everyone is happy.
Test the certificate: echo GET | openssl s_client -connect yourwebnameserver.tld:5003
NOTES
What makes this difficult is the terminology and the different certificate types and extensions (crt, cer, pem, p7s, etc). Naturally, I think most people try to use CER files by mistake.
Also the Intermediate certificate is a pain since sometime it is needed but not provided. When it is provided, they expect you to know what to do with it.
Lastly, sometimes they provide 2 Intermediate certificate along with their root-certificates and they expect you to know which one to use. Hint, use SHA-1-root with FM Server v16.
Here are the intermediate certificates for RAPIDSSL:
https://knowledge.digicert.com/generalinformation/INFO1548.html#links
- -find ROOT
- -click DOWNLOAD
- -it will show the root-certficate.
- -put this at the top of the chain.crt (which has nothing other than this pasted text).
- -find INTERMEDIATE CA
- -click DOWNLOAD
- -it will show the intermediate-certficate.
- -put this in the same file but under the root certificate.
- -save the file as chain.crt
- Details
Windows Couldn't Connect To The User Profile Service Service (aka All Your User Profile Are Belong To Us)
SCENARIO
This happens after an upgrade to v1803 or to v1809 or to v1903.
RESOLUTION
Get the HOMEDRIVE:
get-aduser -filter * -searchbase "ou=
This will output:
name homedrive homedirectory
---- --------- -------------
Foo User Z \\server\users$\foo.user
You will see above the HOMEDRIVE is something like a capital letter. In this case: "Z"
This needs to be set as: "Z:"
In other words, it is missing the colon ":"
To implement, first get the usernames in the OU needing serviced:
$usernames = (get-aduser -filter * -searchbase "ou=
Now set the correct HOMEDRIVE value:
foreach ($username in $usernames) {set-aduser $username -homedrive Z:}
MORE INFO
This happens because the HOMEDRIVE value is set incorrectly for the update script.
There is some sort of script that is trying to move the profile (Desktop, Documents, Favorites, Pictures, Photos, Videos) to OneDrive. The script errors when the HOMEDRIVE doesn't have the colon.
- Details
Windows Service Update Service (WSUS) is groaned by many administrators. What should be a drop-dead-easy process is overly complicated and difficult to manage.
Everything should "just work." But it doesn't.
On 80% of the systems, the ones left on all the time, the success rate is high. The updates download and install on schedule as per the Group Policy (GPO).
On 20% of the systems, the laptops not left on all the time or away from the office, the success rate is mixed. Sometimes the downloads update, sometimes not. Sometimes the downloads install. Sometimes not.
Invariably, throughout the course of a deployment, a handful of laptops and tablets start to lag behind. They refuse to download and install the updates for whatever reason.
This necessitates the ability to force the client system to download and update.
WUAUCLT
To force them to update and install used to be:
wuauclt /detectnow
wuauclt /updatenow
Or you could use the switches together:
wuauclt /detectnow /updatenow
USOCLIENT
Now with Windows 10, wuauclt is no longer working. But the completely undocumented USOCLIENT can be used to do the same:
USOClient StartScan (Start checking for updates)
USOClient StartDownload (Start downloading updates)
USOClient StartInstall (Start installing downloaded updates)
USOclient Refreshsettings
USOclient StartInteractiveScan
USOClient RestartDevice (Restart Windows after updates are installed)
USOClient ScanInstallWait (Check for updates, download available updates and install them)
USOclient ResumeUpdate
I’ve used the following command to get remote systems to update with success:
USOclient StartScan
USOclient StartDownload
USOclient StartInstall
Few notes:
- there is no slash.
- there is no documentation on the command.
- there is no output or feedback from the command.
- this command replaces: wuauclt
PSWINDOWSUPDATE
Or you can use powershell. This is not built-in so a module will have to be installed.
(The minimum TLS version was raised on the provider lookup site - Powershell Gallery. The first line sets the machine to TLS1.2)
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PSWindowsUpdate
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
Import-Module PSWindowsUpdate
Get-WindowsUpdate (or Get-WindowsUpdate -Verbose)
Install-WindowsUpdate
All Commands Available in PSWindowsUpdate
get-module
get-installedmodules
get-command -module pswindowsupdate
Repo
To see the source repository of the updates (ie local intranet WSUS server or public internet Microsoft server):
Get-WUServiceManager
To set the source of the update to the public internet Microsoft Server for a single point in time:
Get-WindowsUpdate -MicrosoftUpdate
To set the source of the update to the public internet Microsoft Server as the default:
add-wuservicemanager -serviceid "7971f918-a8474430-9279-4a52d1efe18d" -addserviceflag 7
For the curious, there is no set-wuservicemanager yet.
Extra
To search for a specific update:
Get-WindowsUpdate -KBArticleID KB982861
Get-WindowsUpdate -KBArticleID "KB5002324", "KB5002325"
Get-WindowsUpdate -KBArticleID KB982861 -Verbose
To get the current Job:
Get-WUJob
To see the installer status:
Get-WUInstallerStatus
To see the reboot status:
Get-WURebootStatus
To see the needed update status:
Get-WUInstall -verbose
To install with verbose:
Get-WUInstall -verbose -install
To get the history:
Get-WUHistory | ?{$_.Description -like "*Update*"}
To get the settings on the client system:
get-wusettings
reg query hklm\software\microsoft\windows\currentversion\windowsupdate /s
- Details
Them: Can you give us a list of All Enabled Accounts on Exchange Sorted by Last Name?
Me: Sure.
The problem becomes this is trickier than it seems.
There are 3 commands that are helpful:
get-mailbox: a list of all the mailboxes, including SHARED, RESOURCE, EQUIPMENT, ROOM but not including contacts, mailuser, distributiongroup, etc. Disabled accounts are included. There is no disabled/enabled property.
Use the following to see what it shows and the number of items:
Get-Mailbox |Group-Object RecipientTypeDetails |Select name,count
get-recipient: a list of all recipients including mailboxes, contacts, mailuser, distributiongroup, etc. Basically, any type of existing Exchange Online recipient.
Use the following to see what it shows and the number of items:
Get-recipient |Group-Object RecipientTypeDetails |Select name,count
get-user: get the USER objects from Active Directory, including the users without mailboxes and disabled users.
Use the following to see what it shows and the number of items:
Get-user |Group-Object RecipientTypeDetails |Select name,count
Knowing the above, we can put together a command that lists out all the USERS from AD that is enabled:
Get-User -RecipientTypeDetails UserMailbox -sortby lastname |where {$_.UserAccountControl -notlike “*AccountDisabled*”} |Select samaccountname
- Details
Find What Groups a User In AD is a Member Of
Here is how for one person:
get-aduser foo.user -properties MemberOf |Select -ExpandProperty memberof
or use the newer command:
Get-ADPrincipalGroupMembership foo.user | select name
or use the older command-line:
net user foo.user /domain
Here is how for a group in an OU:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select -ExpandProperty memberof
or you need just the Name and MemberOf:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties MemberOf |Select samaccountname,memberof
And if you need to put the whole thing together:
get-aduser -filter * -searchbase "ou=ou-name-here,dc=company-name,dc=com" -properties Memberof |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}} |ft -wrap
Or if you need just the accounts that are more than the "Domain Users" group:
get-ADuser -Filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -properties Memberof |where memberof -ne "Domain Users" |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}
But maybe miss off the Guest account:
get-ADuser -Filter * -searchbase "ou=Disabled Users,dc=foodomain,dc=tld" -properties Memberof |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |Select samaccountname,@{n="Groups";e={(Get-ADPrincipalGroupMembership $_).name}}
And to take this one step further, if you need to remove the user from all the account's groups, then:
Get-ADUser -filter * -searchbase "ou=ou-name-here,dc=company-domain,dc=com" -Properties MemberOf |where {($_.memberof -ne "Domain Users") -and ($_.samaccountname -ne "Guest")} |ForEach-Object{$_.MemberOf |Remove-ADGroupMember -Members $_.DistinguishedName -Confirm:$false}
- Details
Windows Could Not Complete The Installation
Here's how to fix.
- -hold SHIFT and press F10.
(a command prompt shows) - -type: oobe
- -hit ENTER key.
- -type: msoobe
- -hit ENTER key.
- -wait for around 5 minutes.
- -restart the computer and it should work.
If not then do the following:
- -press the power button on the computer for around 5 seconds. The system will shut off.
- -press the power button on the computer the system will turn on.
- - this needs to happen 3 times until a message that says “Preparing Automatic Repair“.
- -click ADVANCED-OPTIONS.
- -click TROUBLESHOOT.
- -click RESET THIS PC.
- -click KEEP MY FILES.
- -it will ask for an ADMINISTRATOR username & password.
- -click CONTINUE.
- -wait for around 5 minutes.
(RESET THIS PC screen will show) - -click CANCEL.
- -click CONTINUE.
If that doesn't work, you can download an iso/usb and repair the installation.
- Details
Blinking Back Screen After 1809 | Explorer Crashing After 1809 | Blinking Black Screen After Windows Update. Note that this is NOT a driver issue and this is NOT flickering.
This took awhile but in my case of a corporate environment, the AD Account being used had a HOMEFOLDER setup to a network share (homedrive & homedirectory). Changing this account to use the LOCALPATH instead of the NETWORKPATH seemed to have resolved this.
On the AD server:
- -open powershell
- -type: set-aduser foo.user -clear homedrive, homedirectory
On client system:
- -login with AD account.
NOTES:
- -to get the values, type: get-aduser foo.user -properties homedrive, homedirectory
- -to clear the values, type: set-aduser foo.user -clear homedrive, homedirectory
- -to set the values, type: set-aduser foo-user -homedrive Z -homedirectory \\
\users$\foo.user
(ie: set-aduser foo-user -homedrive Z -homedirectory \\server\users$\foo.user) - -to get the values being used on a system, start command-prompt or powershell and type: set
- Details
Recently I found out that my individual account was given FULLACCESS permission on every mailbox in Exchange. What was strange was that the permissions were INHERITED and had a DENY=TRUE on them.
How in the world did that happen? Also, how do I fix it?
I traced it back to permissions in AD on the Exchange Service:
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"
Also it was here:
dsacls "CN=COMPANY-NAME,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld"
So it must have happened durning an Exchange CU upgrade. More specifically during the Prepare Active Directory schema:
setup.exe /PrepareSchema
setup.exe /PrepareAD
To remove:
dsacls "CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain-name,DC=tld" /R DOMAIN\Account
Or you can open ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE
- -rigth-click > PROPERTIES
- -click SECURITY tab (at the top).
If needed, you can look further down:
ADSI > CONFIGURATION > SERVICES > MICROSOFT-EXCHANGE > COMPANY-NAME > ADMINISTRATIVE-GROUPS > EXCHANGE-ADMINISTRATIVE-GROUP > SERVERS > SERVER-NAME
- -right-click > PROPERTIES
- -click SECURITY tab (at the top).
- -click ADVANCED
Look for the account and it will show where the inheritance is coming from.
- Details
Turn on the debug log:
- vi /etc/asterisk/logger.conf
Uncomment or add a line for debugging:
- debug => notice,warning,error,verbose,debug
or
debug => debug
Start the Asterisk command line:
- asterisk -rvvvvv
(this is showing verbose at level 5)
Set the debug level to 5:
- core set debug 5
Turn off debug for interoffice exchange (iax):
- iax2 set debug off
Reload the logger and rotate the log:
- module reload logger
- logger rotate
Perform the action such as make a call. There is going to be a ton of logs in a few minutes so use cautiously. When do with the action, turn the debug log off or set to low-level:
- asterisk -rvvvvv
- core set debug 0
- module reload logger
Look at the debug file:
- cat /var/log/asterisk/debug
Don't forget to comment out the debug in the:
- vi /etc/asterisk/logger.conf
If you need to look at all the phone sets that are connected:
Start asterisk:
- asterisk -rvvvvv
- sip show peers
Or if you need just one:
- sip show peer 04167F120093
After you make changes to the sip.conf, you can reload the changes by:
- asterisk -rvvvvv
- sip reload
If you need to debug sip, here's how:
- asterisk -rvvvvv
- sip set debug on
- sip set debug off
If you need to debug rtp, here's how:
- asterisk -rvvvvv
- rtp set debug on
- rtp set debug off
NOTES:
https://wiki.asterisk.org/wiki/display/AST/Collecting+Debug+Information
- Details
Here's how to fix:
It should be the button above the keyboard.
Or it should be the FN + F8.
But if neither of those work then try the following:
C:\Program Files\TOSHIBA\TBS\TBSWireless.exe
- Details
We are on a large network with multiple subnets.
Our client device it called: COMPUTER-26
If you ping COMPUTER-26, you get: 10.162.110.4
If you NSLOOKUP COMPUTER-26, you get: 10.162.101.202
What gives?
DNS-RECORD REGISTER
Well it all starts with the dns-record. The client computer owns the dns-record, not the dns server. That is kinda strange in my thinking but so be it.
Since the client computer owns the record, the client computer need to register the dns record with the dns server. This should happen automatically in the dhcp but if you need to register the dns-record manually, you can do the following on the client-computer:
ipconfig /registerdns
NSLOOKUP
Great. Now when you NSLOOKUP a record from a second computer, it should return the correct result as per the client-computer.
nslookup computer-26
PING
When you PING a device, it goes through several steps to find the device. The steps are as follows:
- checks if the host name is the same as the local host name.
- searches the DNS client resolver cache.
- sends DNS Name Query Request messages to its configured DNS servers.
- converts the host name to a NetBIOS name and checks its local NetBIOS name cache.
- contacts WINS servers.
- broadcasts NetBIOS Name Query Request messages on the directly attached subnet.
- searches the local Lmhosts file.
So if it finds the name in the local cache file, it doesn't go any further. This is why the results are different.
If you need to manually update the cache, you can:
ipconfig /flushdns
Now do an NSLOOKUP to get the newest results from DNS.
nslookup computer-26
Now when you PING, the correct result will show:
ping computer-26
REASON - SCAVENGING & REFRESH
This usually happens when the DNS records are changing on the DHCP server. The new record the client computer has might not register in the DNS server. Or if they do register, there are 2 records in the DNS server from the same computer.
This happens when the records are not being scavenged correctly. The scavenge time is longer then the DHCP lease time.
Here is a linear scenario:
- -the lease time is 1-day in DHCP.
- -the scavenge time is set for 4-days in DNS.
- -on the second day, the record is renewed with another address.
- -that new record is registered in the DNS server.
- -now the DNS server has 2 records with the same name.
- -the first record is not scavenged because the time to do so is still 3 days away.
- -when pinging the system by name, the first record returns the incorrect address.
- -this happens because the first record has not gone stale.
FIX
Follow the DNS scavenging settings here: http://www.daknetworks.com/blog/433-dns-scavenging
- Details
Here's how to fix:
DISK CLEANUP MANAGER
- -cleanmgr.exe /verylowdisk /autoclean
DISM
- -Dism.exe /online /Cleanup-Image /StartComponentCleanup /ResetBase
- Details
Google Chrome has removed Flash-allowed-on-specified-websites from v69.
You can still manually set to Flash-allows-on-specified-website by:
- -open Chrome.
- -type: chrome://flags/#enable-ephemeral-flash-permission
- -press ENTER key.
(the setting shows) - -set to: DISABLED
You should now be able to set certain web sites to allow Flash without asking.
Across Entire Location
But what if you want to run this on several hundreds/thousands of comptuers?
Thankfully, the Google crew has Group Policy Administrative Templates that can be installed on a GP server.
- -download the Chrome ADMX files here:
https://dl.google.com/dl/edgedl/chrome/policy/policy_templates.zip - -unzip.
- -install on the central GPO store.
(see http://www.daknetworks.com/blog/307-update-the-admx-templates-in-windows-server-to-apply-gpo-to-windows-10)
Now set the GPO:
- -open GROUP-POLICY-MANAGEMENT.
- -right-click to create new GPO.
- -click COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > GOOGLE > GOOGLE-CHROME > CONTENT-SETTINGS
- -click "Default Flash setting"
- -click ENABLED.
- -select CLICK-TO-PLAY.
- -click OK.
Now set another GPO to allow certain web sites:
- -open GROUP-POLICY-MANAGEMENT.
- -right-click to create new GPO.
- -click COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES > GOOGLE > GOOGLE-CHROME > CONTENT-SETTINGS
- -click "Allow the Flash plugin on these sites"
- -click ENABLED.
- -click SHOW.
- -type: [*.]foo.tld
- -click OK.
This will force Chrome to use these settings and the user cannot change/delete/add to them.
NOTES:
- adm files are older.
- admx files are newer.
- adml files are xml translation/localization files.
- Details
Here's how to get the details of any connections to an Exchange mailbox:
Get-MobileDeviceStatistics -mailbox foo.user |select deviceuseragent,lastsuccesssync,deviceid
Data Wipe an iPhone that has an Exchange account on it:
Clear-MobileDevice foo.user
Get-MobileDevice -mailbox foo.user |Clear-MobileDevice
If you need to cancel the wipe:
Get-MobileDevice -mailbox foo.user |Clear-MobileDevice -cancel
If you need to simply remove the relationship:
Get-MobileDevice -mailbox foo.user |Remove-MobileDevice
=====
NOTES:
get-help mobile
get-help get-mobiledevice
get-help Get-MobileDeviceStatistics -full
get-help clear-mobiledevice -full
get-help remove-mobiledevice -full
- Details
PCI\VEN_1033&DEV_0194&SUBSYS_FC301179&REV_04
Windows 10 64-bit. Can't get the Renesas Electronics USB 3.0 to work on a Toshiba Satellite P755. Here's how to get it working:
- -go here: https://downloadcenter.intel.com/download/22775/Renesas-Electronics-USB-3-0-Firmware-Updates
- -download: 200_FRONT.ZIP
- -unzip the package.
- -click START > RUN
- -type: CMD
(make sure you are running AS-ADMINISTRATOR) - -cd to the zip package
(ie cd c:\drivers\200_FRONT\x64) - -type: Update_4.0.2.1.bat
You will see it go through an update. Afterwards, simply reboot the laptop and it should be good to go.
- Details
I had a bunch of notes, but it has been awhile and so some of it is lost I wanted to capture as much as I could.
Basically, Paypal Payflow will only speak TLS 1.2. This is a very good since the security protocol has been around for about 10 years or so.
The protocols listed here are all old:
- SSL 2.0
- SSL 3.0
- TLS 1.0
- TLS 1.1 (not shown by default)
- TLS 1.2 (not shown by default)
Of course, TLS 1.2 is the one that is new and should be used.
TLS 1.2 IIS
Now, IIS can both communicate TO something as a SERVER as you would expect. But it can also communicate FROM something as a CLIENT.
This is what happens when interfacing with PAYPAL-PAYFLOW.
Here is the REGEDIT for the security protocols BEFORE the change:
====================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"Enabled"=dword:00000001
====================
And here is the REGEDIT for the security protocol AFTER the change:
====================
Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\Multi-Protocol Unified Hello\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\PCT 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 2.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\SSL 3.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Client]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.1\Server]
"DisabledByDefault"=dword:00000001
"Enabled"=dword:00000000
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2]
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Client]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.2\Server]
"DisabledByDefault"=dword:00000000
"Enabled"=dword:00000001
====================
As you can see, we disabled all the old protocols and only enabled TLS 1.2.
After this REGEDIT is complete, the change is immediate. Nothing is needed to be restarted except for COLDFUSION-APPLICATION-SERVICE, if you have it.
Cipher Suite Order
By default, the factory default cipher suite order will be used.
You can change the Cipher Suite Order on a Server 2008 or higher. Here's how:
-open GPEDIT.MSC
-navigate to: Computer-Configuration\Administrative-Templates\Network\SSL-Configuration-Settings
-edit: SSL-Cipher-Suite-Order
-the text in the field are the Cipher-Suites being used by the server.
-read the notes.
-edit the list in the order wanted.
-any Cipher-Suites not specified will not be used.
A recommended Cipher Suite list is published here:
https://www.grc.com/miscfiles/SChannel_Cipher_Suites.txt
But that was long ago in a brazenly unaware internet.
Nartac has the default Cipher-Suites and the best-practice Cipher-Suites listed here:
https://www.nartac.com/Products/IISCrypto/FAQ
They also have IIS Crypto software that will graphically display (get) and change (set) the protocols, Cipher-Suites and their order.
The actual location in the Registry is as follows:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Cryptography\Configuration\Local\SSL\00010002
The location of the Cipher-Suites is here:
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Ciphers]
Disabling the following:
NULL
DES
RC2
RC4
3DES
This leaves the following:
AES128
AES256
RDP Cipher Suite
The default RDP Cipher-Suite is RC4. So if RC4 is disabled, you will cut your own chain and will not be able to RDP to the system.
First, let's get some info by setting up logging for the Cipher-Suite.
[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL]
"EventLogging"=dword:00000007
The default is a value of: 1
Set the value to: 7
This will collect more info.
No need to reboot, the changes are immediate.
Now that the logging is set, SCHANNEL events can be found in the WINDOWS-LOGS > SYSTEM.
Secondly, let's set the RDP to use TLS1.2
-open GPEDIT.MSC
-navigate to: Computer-Configuration\Administrative-Templates\Windows-Components\Remote-Desktop-Services\Remote-Desktop-Session-Host\Security
-edit: "Require use of specific security layer for remote (RDP) Connections"
-set to: NEGOTIATE
This will enforce the most secure method that is supported by the client.
There's also a bug where "TLS 1.0" can be shown even though TLS 1.2 is actually being used:
https://docs.microsoft.com/en-US/troubleshoot/windows-server/remote/incorrect-tls-use-rdp-with-ssl-encryption
ColdFusion Java
ColdFusion might need JAVA to be updated. If so, the files might be here:
JAVA DEFAULT LOCATION that ships with the install:
C:\ColdFusion9\runtime\jre\bin
C:\ColdFusion9\runtime\bin\jvm.config
But this can be change to a customized location. This is specific in:
C:\ColdFusion10\cfusion\bin\jvm.config
Or to find what JAVA ColdFusion is using (java.home), look at the:
https://site.tld/CFIDE/administrator > SETTING-SUMMARY
The value of JAVA HOME will show the path.
In my case, it is in the following:
C:\Program Files\Java\jdk1.8.0_171\jre
I am not a JAVA expert but the JAVA-DEVELOPMENT-KIT (JDK) contains a JAVA-RUNTIME-ENVIRONMENT (JRE).
The overall security file is:
C:\Program Files\Java\jdk1.8.0_171\jre\lib\security\java.security
Open the file with a texteditor and you can read the notes in java.security where it states other security values can be added by looking at the jvm.config from above. In that file are arguments that specify how JAVA is running. The following will specify those values:
Djava.security.properties=
My additions are:
-Djava.security.manager "-Djava.security.policy=C:\\ColdFusion10\\cfusion\\lib\\coldfusion.policy" "-Djava.security.auth.policy=C:\\ColdFusion10\\cfusion\\lib\\neo_jaas.policy"
-edit java.security
-find the line: jdk.tls.disabledAlgorithms
-add TLS versions that should not be running: TLSv1, TLSv1.1, DES
Change from:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC
Change to:
jdk.tls.disabledAlgorithms=SSLv3, RC4, MD5withRSA, DH keySize < 1024, EC keySize < 224, DES40_CBC, RC4_40, 3DES_EDE_CBC, TLSv1, TLSv1.1, DES
Restart ColdFusion Application service.
New error:
"Error","scheduler-0","01/24/22","05:48:46",,"javax.mail.MessagingException: Could not convert socket to TLS; nested exception is: javax.net.ssl.SSLHandshakeException: No appropriate protocol (protocol is disabled or cipher suites are inappropriate)"
Debug:
C:\ColdFusion10\cfusion\bin\jvm.config
-add the following to the arguments, at the end:
"-Djavax.net.debug=all"
-restart the ColdFusion service.
-try to send email again.
-view the log at: C:\ColdFusion10\cfusion\logs\coldfusion-out.log
Current Workaround:
-login to the 356 Exchange endpint tenant via powershell.
-run: Set-TransportConfig -AllowLegacyTLSClients $True
-change the smtp endpoint to: smtp-legacy.office365.com
NOTES:
https://www.carehart.org/blog/client/index.cfm/2021/4/26/new_java_updates_for_Java_8_and_11_as_of_Apr_2021
https://www.adobe.com/support/coldfusion/downloads.html#additionalThirdPartyInstallers
- Details
DFARS regulations are here:
https://csrc.nist.gov/publications/detail/sp/800-171/rev-1/final
With the PDF being here:
https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-171r1.pdf
With the NIST SP 800-53 database here:
https://nvd.nist.gov/800-53
The STIGS are here:
https://iase.disa.mil
DISA is here:
https://www.disa.mil/Cybersecurity
Although the use of the principles and guidelines in these SRGs/STIGs provide an environment that contributes to the security requirements of DoD systems, applicable NIST SP 800-53 cybersecurity controls need to be applied to all systems and architectures based on the Committee on National Security Systems (CNSS) Instruction (CNSSI) 1253.
Typically, questions revolve around the following:
NIST SP 800-171
FAR 52.204-21: http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/far/52_000.htm#P901_130612
DFARS 252.204-7012: http://farsite.hill.af.mil/reghtml/regs/far2afmcfars/fardfars/dfars/dfars252_000.htm#P962_54607
Depending on the industry and scoping, it is necessary that we comply with the following:
FAR 52.204-21 (federal level)
NIST SP 800-171 (national level)
NIST SP 800-53 (national level)
DFARS 252.204-7012 (defense level)
ISO/IEC 27001 (international level)
NAS 9933 (aerospace industry)
GDPR (European level)
- Details
Parallels Activate License
- -click GO > UTILITIES > TERMINAL
- -type: prlsrvctl activate-license-online
Parallels Deactivate License:
- -click GO > UTILITIES > TERMINAL
- -type: prlsrvctl deactivate-license
- Details
Discrete Graphics / Switchable Graphics
It can be confusing as there are many variables here with different definitions. By default, the Precision 7720 has both an Intel onboard graphics chip and an added graphics chip (Nvidia/AMD; aka discrete-graphics). By default, the onboard chip is on as the primary graphics. This is true when using the laptop monitor, when a docking station is used and when a monitor is plugged directly into the laptop’s DisplayPort, HDMI connectors, and Thunderbolt/MiniHDMI port.
Dell calls this switchable-graphics. Disabling this must be done in the bios. If you have switchable graphics disabled, the onboard Intel GPU is not used.
With the "Discrete graphics controller direct output mode" or “Graphics Special Mode”, the external ports (DisplayPorts, HDMI connectors and Thunderbolt/MiniHDMI port) will be driven by the GPU directly.
Click here to see:
In short:
- -enter bios
- -disable switchable-graphics.
- -enable special-graphics mode.
- -enable dock-display-port
Dell Dock
To make it more confusing, the WD15 dock with 130W adapter is not powerful enough for a Precision 7720 with discrete-graphics. A 180W adapter is needed with the WD15 or if you are using a TB16, you would need a 240W adapter.
Lastly, there are special drivers/firmware that are needed to make the USB-c supply the correct power. The following must be updated:
- -Thunderbolt Controller Driver
- -Thunderbolt 3 Firmware Update
- -ASMedia USB 3.0 Extended Host Controller Driver for Dell Thunderbolt Dock
- -RealTek USB GBE Ethernet Controller Driver for Dell Thunderbolt Dock
- -RealTek USB Audio Driver for Dell Thunderbolt Dock
Click here to see:
- Details
For my own notes, there are a few steps here.
1- create scans user & add to administrators group
net user scans /add
net localgroup administrators scans /add
2- turn on older sharing protocol
dism /online /enable-feature /featurename:smb1protocol
3- create folder
mkdir c:\scans
4- share folder & grant share-permissions
net share scans=c:\scans /grant:everyone,FULL /grant:administrators,FULL
5- grant ntfs-permissions
icacls c:\scans /grant scans:f /t /grant administrators:f /t
====================
Graphically,
1- create a user called scans and give it administrator permissions
2- turn on the smb1 through the appwiz.cpl
3- create a scans folder at c:\scans
4- share the folder & grant scans user read/write
5- the ntfs permissions should be automatically set.
(youraccount, system, scans, administrators)
====================
You can check your work by seeing the users on the system:
net user
You can see the details of the scans user to see group membership:
net user scans
You can check to see the share & share-permissions:
net share scans
You can check to see the ntfs-permissions:
icacls c:\scans
Troubleshooting
Sometimes it works after I:
- -turn off smb1: dism /online /disable-feature /featurename:smb1protocol
- -turn on smb1: dism /online /enable-feature /featurename:smb1protocol
- -reboot: shutdown -r -t 3
- Details
There are many problem with Outlook 2016 not working. Here's a fix for some:
- -open Outlook
- -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
- -uncheck “Microsoft Outlook“.
- -click “Close”
- -close OUTLOOK.
- -navigate to the folder where the OST file lives (“C:\Users\username\AppData\Local\Microsoft\Outlook“).
- -right-click a highlighted file
- -click “Properties“.
- -click “Advanced"
- -checkmark “Allow this file to have contents indexed in addition to file properties” option if it isn’t checked already.
- -click “OK“
- -open Outlook
- -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
- -recheck “Microsoft Outlook“
- -click “Close”
- Details
Have a client with Windows SQL Express 2017. Every once in a while the thing goes awol, tops out the CPU and is slow to respond. This happens for a few hours then it settles down and doesn't happen for another four months or so. They are asking me why.
I'll tell you... I have no idea. They claim something is wrong with the server... I think a sql query is zombied and gone awry.
Here are my notes for the future...
Diagnostics
As for some diagnostics, this says it better than I can:
Just:
- -click FILE.
- -go to: C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Policies\DatabaseEngine\1033
- -select all the files.
- -click EVALUATE.
Multiple Instances
There might be multiple sql server versions running. Or instances running. We left the 2014 as a failsafe in case something went wrong with 2017, since we didn't know how it would react.
Upgrade Away from Sql 2014:
I still think there's a serious bug in 2014 that everyone's ignoring. Since sql-2016 and sql-2017 released, there's no reason to fix bug per se. As a fix, simply upgrade, kill off 2014 and move on.
You are probably fine with 2017 and are at a place where we can remove sql-2014.
Remove Any Unused Sql instance:
Or perhaps there's some type of process in the othe sql-instance that is set to run. If you are not using the other Sql instance, it is probably best to remove it so you can narrow down the number of variables.
Ram-memory:
Ram-memory is meant to be used. That's what it is for. So if it is at 100% there's no need to be alarmed. In a traditional physical system, once the ram-memory is used up, the cpu will access the hard drive as virtual-memory/swap-space.
In a virtual system, such as this system, more ram-memory is dynamically added as the system needs it. This is referred to as hot-add ram. And it will keep a 20% buffer.
While this is supported by the operating system of the database server (Windows Server 2012 Standard), what I'm finding out is that SQL-Express (and the SQL-Standard version btw) is unable to hot-add ram. As shown here (Hot add memory):
https://docs.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2017?view=sql-server-2017
Also, looking at the link above, it shows that SQL-Express has a max buffer pool/buffer-cache of 1410MB, so hot-adding ram wouldn't help.
Looking into the db, this is exactly what it is using now:
1429700 kb physical_memory_in_use
This system is set to start with 4GB of ram-memory. Adding the 1410MB memory from above will put the usage around 5400MB. Adding 20% buffer will assign 6480MB. Here is the recent screenshot of memory assignment looking similar to our calculations:
All of this to say that you can double the startup Ram to 8GB. According to the datapoints, this is overkill and unnecessary but you have the memory so we might as well try it.
If those 3 items don't work then perhaps we can get away with using the Developer version of sql on the system which doesn't have the limitations.
Bad Query
Lastly, if the CPU load is at 100% then something is topping it out. A bad query is going to consume all resources available no matter how much you have. Adding more resources to compensate for a bad query is a bad idea.
NOTES:
https://logicalread.com/windows-server-hyper-v-dynamic-memory-with-sql-server/
https://www.mssqltips.com/sqlservertip/2393/determine-sql-server-memory-use-by-database-and-object/
- Details
vmware-tools are here:
https://packages.vmware.com/tools/releases/index.html
This means the Centos packages are here:
https://packages.vmware.com/tools/releases/latest/rhel6/x86_64/index.html
It seems like these packages should work. Maybe there is something that I am missing but vmware-tools can be a pain. This says it better than I can:
https://unix.stackexchange.com/a/423219
For me, here's how I did it:
-open bash shell
-type (or copy/paste):
/sbin/e-smith/db yum_repositories set epel repository \ Name 'Epel - EL6' \ BaseURL 'http://download.fedoraproject.org/pub/epel/6/$basearch' \ MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=$basearch' \ EnableGroups no \ GPGCheck yes \ GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL \ Exclude perl-Razor-Agent \ Visible no \ status disabled
-type: signal-event yum-modify
-type: yum --enablerepo=* install open-vm-tools
-Voila! I get the following:
-don't forget to start them by typing: /etc/init.d/vmtoolsd start
NOTES:
mkdir /mnt/cdrom
/dev/cdrom /mnt/cdrom
- Details
I used Disk2VHD to create a P2V. Then I started Hyper-V and created a new VM. Upon startup I got, "Missing Operating System."
Here's how to fix:
-connect Windows 10 iso (or a Windows repair disk).
-press any-key to boot via iso.
-wait for windows 10 to show (it could take a minute).
-select Windows 10.
-select your language.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-click COMMAND PROMPT.
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y
Now, at this point, if you try to do some work in bootrec (rebuildbcd), you will get a message, ""the volume does not contain a recognized file system."
-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: LIST PARTITION
-type: SELECT PARTITION 3 (change this to your partition number. most likely 3)
-type: DETAIL PARTITION
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT
-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART
-boot from the iso one more time.
-click STARTUP-REPAIR.
It should find the Windows 10 installation and fix itself.
NOTES:
This is the same set of instructions for this article: http://www.daknetworks.com/blog/221-clone-macbook-pro-hard-drive-with-boot-camp
- Details
When a person goes to OWA and tries to customize the signature, they get a message that the signature is too big.
- -go to EMS:
- -type: Get-MailboxMessageConfiguration foo.user
You will see the SignatureHtml. Most likely, there will be inline css styles in the signature pushing the character limit.
Or the DefaultFontSize is greater than what is acceptable. The following should clear the clear the signature-text and the signature-html. Then have the account try again to set the signature:
- -type: Set-MailboxMessageConfiguration -Identity user -SignatureText $null -DefaultFontSize 7
- Details
The archive mailbox is an additional mailbox that's enabled for an account where messages older than 2 years are automatically moved (this can be customized in the retentionpolicy). This keeps the everyday mailbox at a more manageable level and allows for faster indexing and email searches.
Some power users will familiar with archiving in Outlook as they may have crossed this issue in the past. They archive the email older than 2 years into a pst file. That pst file will show as a separate set of folders on the left hand side.
In-Place Archive is very similar. However, where this different is that in-place archive is controlled by the Exchange administrator and does not require user intervention. The Exchange administrator can turn archiving on/off on the fly and control where the archive mailbox lives; this can be placed on the same edb or a different edb.
Here's how to enable archiving:
enable-mailbox foo.user -archive
Here's how to see what accounts have archive enabled:
get-mailbox -Filter {ArchiveState -Eq 'local'}
If you want to get the pertinent details of the archive such as archive database and archivename:
get-mailbox -Filter {ArchiveState -Eq 'local'} |select alias,archivestate,archivedatabase,archivename,retentionpolicy |fl
Here's how to enable unlimited archiving for the entire company:
Set-OrganizationConfig -AutoExpandingArchive
Here's how to enable unlimited archiving for a single account:
enable-mailbox foo.user -AutoExpandingArchive
Here's how to get the quota on a mailbox:
get-mailbox foo.user |Select *quota
365 Basic / 365 Standard / 365 Premium have a limit of 50GB for mailboxes. If you upgrade to an E3 or E5 license, you can upgrade the quota limits via powershell:
set-mailbox foo.user -ProhibitSendQuota 100GB -ProhibitSendReceiveQuota 100GB -IssueWarningQuota 98GB
Note that I tried this on 356-Standard and it does not work.
NOTES:
https://docs.microsoft.com/en-us/exchange/policy-and-compliance/in-place-archiving/manage-archives
https://docs.microsoft.com/en-us/microsoft-365/compliance/unlimited-archiving
- Details
Setup
1-First setup a trust to the Microsoft servers:
- -login to the EAC.
- -click ORGANIZATION.
- -click SHARING.
- -click ENABLE to add a Federation Trust to the Microsoft servers.
- -click CLOSE.
- -click MODIFY.
- -select the PRIMARY domain.
- -click OK.
- -it will return a TXT record.
- -create a TXT record for this domain on your public DNS server that contains the key. It will look like this:
g1lg/IZ3MIHN0TaBsNMF+QzYbbA8Z39B/d46rQfQVmtNYbb6w0vRDQagL1b+bkbXbhstfg6PWw6JRtQqIIJ3Q== - -create a TXT record for this domian on your Private DNS servers in your Active Directory.
- -wait. This should be around 15 minutes but can take 24 hours.
2-Second, the outside domain must do the same steps above.
3-Third setup an ORGANIZATION-SHARING using the outside domain. It will fail if the domains have not setup the trusts.
- -checkmark enable calendar free/busy information sharing.
4-Fourth setup an INDIVIDUAL-SHARING policy and set it as the default policy for everyone in the Exchange server.
Result
That should do it; you should now be able to see each others calendars as FREE/BUSY (not details).
To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr...
Troubleshooting
As troubleshooting, you can get the URL by:
- -hold CONTROL
- -right-click the OUTLOOK icon (bottom-right).
- -click TEST-EMAIL-AUTOCONFIGURATION.
- -type in your password.
- -click TEST.
- -the AVAILABILITY-SERVICE-URL is the important URL.
Also, in the EMS, you can use the commands:
get-sharingpolicy foo-policy |fl
get-organizationrelationship |fl
get-federationinformation -DomainName outsidedomain.tld
Test-FederationTrust -useridentity mail\inside.foo.user
test-organizationrelationship -useridentity
As a result of the above test-organizationrelationship troubleshooting command failing, I had to toggle two properties and had to run the following:
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $True
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $True
- Details
Setup Send Connector in Exchange 2013 With Custom Port Number
- -login to ECP.
- -click MAIL-FLOW (left-hand side).
- -click SEND-CONNECTORS (top)
- -click the "+" symbol.
- -name it anything you want. Let's say "foo-send-connector".
- -bullet CUSTOM.
- -click NEXT.
- -bullet ROUTE-THROUGH-SMART-HOSTS
- -click the "+" symbol.
- -type in the IP ADDRESS of the server you want to deliver the mail to.
- -click SAVE.
- -click NEXT.
- -bullet EXTERNALLY SECURED.
- -click NEXT.
- -click the "+" symbol.
- -type in the domain name that will be used for this sending setup.
In other words, this setup is only going to be used with a particular domain name; contoso.com. In another way, when sending to contoso.com use the following custom smtp route instead of the normal smtp route. - -checkmark SCOPED-SEND-CONNECTOR.
- -click the "+" symbol.
- -select the server that this will apply to.
Small setups will probably only have 1 server. - -click FINISH.
Now this will work. But it is setup on the default port 25. This is standard. But what if you want a non-standard port. Let's say because the SAP setup is out of your control.
-start the EMS.
-type: Get-SendConnector |fl
This will allow you to see the complete Send Connector setup in the steps above. You will notice the Port number is in the setup.
-type: Set-SendConnector -identity "foo-send-connector" -Port:587
- Details
This article says it better than I can on how to setup a Ricoh Printer with Windows 10 v1803.
- Details
Where do I start? Forgot my rant on how the world operates and has chosen WordPress over so many other better CMS's...
Have an array in an URL like this: &foo=1,2,3,4
Take that array and search for all of them.
The OPERATOR => IN, is the includes.
Basically, we are trying to get a %like% sql statement.
if (isset($_GET['area']) && !empty($_GET['area']) && $_GET['area'] != 'all') {
$propareaArray = explode(",", $_GET["area"]);
$tax_query[] = array(
'taxonomy' => 'property_area',
'field' => 'slug',
//'terms' => $_GET['area'],
//'terms' => array($proparea[0],$proparea[1]),
'terms' => array_values($propareaArray),
'operator' => 'IN'
);
}
NOTES:
Don't ask me why 'EXISTS' doesn't work. I think it should. If it did, I wouldn't have to go through this.
- Details
Scenario
You are an administrator of an Exchange system. Through the ECP, you add yourself FULL-ACCESS to another mailbox account. The account naturally shows in your Outlook. You are finished with the account and no longer need access to it. Again, through the ECP, you remove yourself FULL-ACCESS. The account still shows in your Outlook. What gives?
You might be tempted to remove the FULL-ACCESS through the EMS with the following:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess
But that yields:
WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow] and was ignored on object "CN=where,OU=ever,OU=city,OU=Users,DC=domain,DC=tld".
Description
The mailbox is inheriting FullAccess permissions and has explicit FullAccess permissions. So when you removed the explicit FullAccess permissions, it won't have any effect unless a Deny permission is added. The problem is that Exchange doesn't tell you it is doing this.
Solution
To fix this, simply clear the Deny permission:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -Deny
NOTES:
I've must have run into this before as I already have this post: http://www.daknetworks.com/blog/404-remove-mailbox-permissions-that-are-not-inherited
- Details
The access page for ColdFusion:
https://foo.tld/CFIDE/administrator/index.cfm
If needed, you can remove the USERNAME & PASSWORD by editing:
C:\ColdFusion10\cfusion\lib\neo-security.xml
- -find: admin.security.enabled variable tag.
- -change 'true' to 'false'
- -restart the ColdFusion application server.
Once you access the CFIDE, you can change the email settings there and test them as you save the settings.
Any undelivered emails will show in:
C:\ColdFusion10\cfusion\Mail\Undelivr
You simply drop them back into the spool directory and ColdFusion will send them:
C:\ColdFusion10\cfusion\Mail\Spool
- Details
So the IKVM/Remote-Console doesn't work with Java 8 (aka jre1.8.0_171). Apparently, this is because starting with JAVA-8 any JAR signed with an MD5 hash will no longer be considered trusted. There are instructions to workaround the new JAVA limits but why bother.
DOWNLOAD IKVM
- -download the IPMIView here: ftp://ftp.supermicro.com/utility/IPMIView/
- -install.
- -the IKVM is already a part of that package.
GET THE SERVER IKVM INFO
If you can connect to the SUPERMICRO server, when you try to launch the CONSOLE-REDIRECT, it will download a LAUNCH.JNLP file.
- -open the LAUNCH.JNLP file with NOTEPAD.
- -at the bottom, it will have all the parameters neededd.
RUN IKVM WITH PARAMETERS
- -to run, type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" IP-ADDRESS USERNAME PASSWORD PORT
- (ie: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" 10.7.14.8 ADMIN PASSWORD null 5900 623 0 0)
- -or type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.exe" IP-ADDRESS USERNAME PASSWORD PORT
- Details
Cloning disk can be in many ways. A following is a list of some of the ways:
- Details
Creating a new web site in WordPress. Doing so, I create the web site at a subdomain such as: new.foowebsite.tld
After the web site is up to client standards, we change the dns at the name servers.
Now we have little squares where pictures once were. The pictures are coming from the CSS but only strange characters show.
Here's how to fix.
1- change in the sql database:
-go to myphpadmin
-use the following as a guide. Be sure to change "wp_" with the prefix of your database "fooprefix_".
UPDATE wp_options SET option_value = replace(option_value,'http://old.url.tld','https://www.newurl.tld') WHERE option_name ='home' OR option_name ='siteurl';
UPDATE wp_posts SET guid = replace(guid,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_posts SET post_content = replace(post_content,'http://old.url.tld','https://www.newurl.tld');
UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://old.url.tld','https://www.newurl.tld');
This can be used to go from http to https as well. Or to go to an entirely different domain name.
2- change in the file names:
But that doesn't change the files. If you are a sysadmin, you can use grep. Also WordPress has some built in functionality if you ssh into the server.
First, test:
wp search-replace 'http://old.url.tld' 'https://www.newurl.com' --dry-run
Then run:
wp search-replace 'http://old.url.tld' 'https://www.newurl.com'
3- check the wp-config.php
Sometimes the site is hardcoded into the wp-config.php file. Check it to make sure it is correct. The hard coded line will typically be the last lines.
NOTES:
-here is the long version: https://codex.wordpress.org/Moving_WordPress
- Details
Lets say that your Exchange 2013 has multiple domains from various companies over the years:
- @company1.tld
- @company2.tld
- @company3.tld
Some mailboxes have @company1.tld email addresses but not all mailboxes have @company1.tld email addresses.
A decision has been made that everyone without an @company1.tld email address needs to have one. Or you are staging for a domain change or company merger of some type.
How do you find the mailboxes without @company1.tld and then add an @company1.tld email address without changing the current email address?
Here's how:
Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |ForEach {set-mailbox $_.samaccountname -EmailAddresses @{Add=$_.samaccountname+"@company1.tld"}}
Boom.
(Of course, this is provided that your samaccountname/computer-username is the name that you want to use for your email address. Most of the time it is.)
Check your work:
Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |select emailaddresses
- Details
First it is important to note that the dns record is owned by the node or individual computer. The dns record is not owned by the dns server. The dns server only keeps a record of the individual dns records. Kinda strange, right?
What often happens is that the dns record changes on the individual computer but the dns server is not updated. When a query is run against the dns server, the record is incorrect because it was not updated.
Secondly, there are 2 server roles here that work together; DNS and DHCP.
Thirdly, the lease-time should be set to double the refresh-rate.
Let's begin by starting with the DNS server:
- -right-click on the server-name.
- -click SET-AGING-SCAVENGING-FOR-ALL-ZONES.
- -checkmark "Scavenge stale resource records".
- -set both the no-refresh and the refresh interval to: 2-days
- -click OK
- -click "Apply these settings to existing..."
- -click OK
Great! You are on your way!
Let's move to the the DHCP server:
- -right-click on each dhcp zone.
- -click PROPERTIES.
- -set the dhcp-lease-time to: 4 days
- -click the DNS tab (at the top).
- -checkmark "Enable DNS Dynamic Updates..."
- -bullet "Always Dynamically Update DNS"
- -checkmark "Discard A and PTR records..."
- -checkmark "Dynamically Update DNS Records..."
Awesome! Almost finished. Now the second part on the DHCP server. This will allow the DHCP server to update the DNS server:
- -right-click on IPV4.
- -click PROPERTIES.
- -click ADVANCED tab (at the top).
- -click CREDENTIALS button
- -type in a USERNAME/DOMAIN/PASSWORD for an administrator account that can update DNS.
Finally, let's move back the DNS server:
- -right-click on the server-name.
- -click ADVANCED tab (at the top).
- -checkmark "Enabled Automatic Scavanging of Stale Records"
- -set the scavenging interval to: 1-day.
You're done!
BONUS
If you have more than one DHCP server (for example, mulitple locations):
- -open AD Users-&-Computers
- -find the built-in group, DnsUpdateProxy
- -add the DHCP servers from all locations.
- Details
You know Joel in Sales. But you don't remember Joel's last name (because you've been staring at names all week) and you don't know Joel's OU.
Here's how to find Joel:
get-aduser -filter * |select samaccountname |findstr /i joel
This will bring up all the Joel's in the domain. Hopefully you can narrow it down from here.
Now to find Joel's OU in the details of his record:
get-aduser joel.user
This will show the "distinguishedname" and allow you to narrow down the OU.
If you really want to see this properly in one line, we need to use the "canonicalname" and it would be like this:
get-aduser -filter * -Properties Canonicalname |select samaccountname,canonicalname |fl |findstr /i joel
- Details
Here's how to upgrade the bios for Dell Latitude/Precision laptop if from remote:
- -download the new bios
- -cd c:\path-to-the-download
- -click START > RUN > CMD
- -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /s /r
"/s" is silent "/r" is reboot - "/f" is force if the battery is not present.
And if the battery is not present in the Dell Latitude/Precision laptop:
- -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /forceit
"/forceit" is force if the battery is not present.
- Details
Usually I schedule a restart with some network tools I have. But in this case, I can remotely access the system via command-line/powershell but my network tools are not working. Probably because it needs a reboot after installing some updates.
Here's how to schedule a reboot with command line/powershell (works in either):
- -click START > RUN
- -type: cmd (or type: powershell)
- -click OK
- -type: schtasks /create /sc once /tn restart /tr “shutdown -r -f “”restart””” /st 13:00 /RU system
Where "/st" is the time in 24H clock and "/ru" is necessary to run even if the user is logged in or not.
- Details
Core i7 6500u Dell Inpiron 5559 should be a good fast processor. The laptop was dreadfully slow. Something had to be wrong.
- -hit CTRL+ALT_DEL
- -start TASK-MANAGER
- -click PERFORMANCE tab
- -click CPU (on the left-hand side)
You will notice the SPEED to around 0.39GHz. Hmmm... seems like something is throttling the CPU.
BIOS Settings
I tried to fix some Bios Settings:
- c-states = off
- intel speedstep = off
- intel turboboost = off
Same result. Hmmm.... there must be some settings not being shown in the Bios that can be adjusted.
ThrottleStop
Here's how to fix (as shown in my really edited picture below):
- -download ThrottleStop
- 1-click LIMITS (on the right-hand side)
- 2-this will show you exactly why the throttle is happening. The culprit being BD_PROCHOT.
- 3-uncheck BD_PROCHOT (on the left-hand side)
- 4-checkmark DISABLE-TURBO
- 5-do NOT turn on SPEEDSTEP
- 5-do NOT turn on SPEED-SHIFT-EPP (if on, it will have a green SST "speed shift technology".)
(you can change the number next to SPEED-SHIFT and set it to zero, just delete the number and type over it)
You will notice the SPEED to around 2.49GHz and the speed is noticably faster.
Schedul to Auto Start
- -start TASK-SCHEDULER using the basic scheduler.
- -open the properties of the task.
- -start THROTTLESTOP on startup whether someone is logged in or not.
- -change the user to be SYSTEM.
- -since THROTTLESTOP doesn't have to stay running, you can close it automatically. Find the THROTTLESTOP.INI file in the THROTTLESTOP directory/folder, open with text editor and change "DCExitTime" to the number of seconds to remain open, say 5 seconds.
Final Thoughts
There are reasons why this is happening. In the end, buy business class hardware (Dell Latitude/Precision; Lenovo ThinkPads, etc) that have more options in the BIOS.
Intel-Adaptive-Thermal-Monitor might be the actual culprit. The issue is that there is no option to turn off in the BIOS.
NOTES:
-https://gallery.technet.microsoft.com/scriptcenter/Automatically-Enable-ad9c2208
- Details
Here's how to blank out all members in a distribution group:
Update-DistributionGroupMember foo.group -Members $null
Here's how to update the members in a distribution group:
Update-DistributionGroupMember foo.group -Members foo.user1, foo.user2, foo.user3
If you need to add a member to the group:
add-DistributionGroupMember foo.group -member foo.user
If you need to remove a member from the group:
removeDistributionGroupMember foo.group -member foo.user
If you need to adjust the list, do so in Excel, Word, Notepad, etc.
Here's how to add a Dynamic Distribution Group that contains all emails of a certain Organizational Unit (OU) in Active Directory (AD):
New-DynamicDistributionGroup -Name "foo.group.dynamic" -OrganizationalUnit "Foo OU" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox'))}
There's probably a better way to do this.
Here's how to see the members of a Dynamic Distribution Group:
$foovariable = Get-DynamicDistributionGroup foo.dynamic.group
Get-Recipient -RecipientPreviewFilter $foovariable.RecipientFilter -OrganizationalUnit $foovariable.RecipientContainer
- Details
First, find the groups you want to change and give us the group email name and the value:
[PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |select name,RequireSenderAuthenticationEnabled
(where "*" is anything. So *foo is barfoo but not food. And foo* is foobar and food but not barfoo.)
Let at the results and see if these are the groups you want changed.
Next, get the groups and change the value you want changed:
[PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |Set-DistributionGroup -RequireSenderAuthenticationEnabled $false
- Details
Here is a list of Microsoft Reseller Indirect Provider: https://partnercenter.microsoft.com/en-us/partner/find-a-provider
- AppRiver https://www.appriver.com/partners/resell-office-365/
- Arrow Electronics, Inc http://ecs.arrow.com/cloud_services/
- Crayon Software Experts LLC https://www.crayon.com/resell-azure-office-365/
- D&H Distributing Company http://www.dandh.com/
- Ingram Micro http://www.ingrammicrocloud.com/become-a-partner/
- Insight https://www.insight.com/en_US/buy/partner/microsoft/service-provider-solutions.html
- Intermedia https://www.intermedia.net/resellers
- intY Cascade https://www.inty.com/partner-program/csp-partner-program/
- Rackspace https://www.rackspace.com/partners/cloud-reseller
- SaaSplaza Inc http://saasplaza.com
- Sherweb http://www.sherweb.com/partners/resell-office-365/
- Signature Business Systems, Inc., D/B/A SBS GROUP http://www.sbsgroupusa.com/solutions/cloud/stratos-cloud
- SYNNEX Corporation http://www.synnex.com
- Tech Data http://www.techdata.com/content/tdcloud/index.html
We have relationship with AppRiver.
- Details
Three pbx/asterisk servers. MPLS is in place. Two servers can interoffice call through extension number. The third is reachable through the main number but not through extension number. It waits, then says "goodbye" and hangs up.
Looking at the logs when a call is made:
-type: asterisk -rvvvvv
-dial an extension in the other office
-returns:
======
[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [s@macro-remote-call:11] Goto("Local/P1220@hud-caller-answer-e107;1", "s-CHANUNAVAIL,1") in new stack
-- Goto (macro-remote-call,s-CHANUNAVAIL,1)
-- Executing [s-CHANUNAVAIL@macro-remote-call:1] Goto("Local/P1220@hud-caller-answer-e107;1", "s,x-dial") in new stack
-- Goto (macro-remote-call,s,12)
-- Executing [s@macro-remote-call:12] Dial("Local/P1220@hud-caller-answer-e107;1", "IAX2/c10325x@c16067x/1524775950.8016-1-3109-external-") in new stack
[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
== Everyone is busy/congested at this time (1:0/0/1)
-- Timeout on Local/P1220@hud-caller-answer-e107;1
== CDR updated on Local/P1220@hud-caller-answer-e107;1
-- Executing [t@internal:1] BackGround("Local/P1220@hud-caller-answer-e107;1", "vm-goodbye") in new stack
=====
-type: asterisk -R -x 'iax2 show peers'
Name/Username Host Mask Port Status
c23013x 10.162.44.31 (S) 255.255.255.255 4569 OK (44 ms)
c23013i 10.162.44.31 (S) 255.255.255.255 4569 OK (44 ms)
c16067x 10.162.30.10 (S) 255.255.255.255 4569 UNREACHABLE
c16067i 10.162.30.10 (S) 255.255.255.255 4569 UNREACHABLE
4 iax2 peers [2 online, 2 offline, 0 unmonitored]
This shows that the servers are set to be reached through the local IP addresses in the MPLS. This also shows that the second server is "unreachable."
-there is a file at: /etc/asterisk/iax.conf
-iax is interoffice asterisk exchange
Perhaps what is happening here is that the UDP port binding in the MPLS is maintained by sending traffic through it. The binding expired, and there is no way for Asterisk to communicate with the IAX peer (other-Asterisk).
-go to remote asertisk server that cannot be reached.
-type: asterisk -R -x 'iax2 show peers'
Name/Username Host Mask Port Status
c23013x 10.162.44.31 (S) 255.255.255.255 4569 UNREACHABLE
c23013i 10.162.44.31 (S) 255.255.255.255 4569 UNREACHABLE
c11025x 10.162.100.31 (S) 255.255.255.255 4569 UNREACHABLE
c11025i 10.162.100.31 (S) 255.255.255.255 4569 UNREACHABLE
4 iax2 peers [0 online, 4 offline, 0 unmonitored]
This shows that the server cannot reach either of the other two servers.
You have 2 options here.
1- Restart the iax service
asterisk -rx "module unload chan_iax2.so"
sleep 90;
asterisk -rx "module load chan_iax2.so"
2- Rebooted the server:
-type: /sbin/shutdown -r +5
-wait for reboot to finish
-type: asterisk -R -x 'iax2 show peers'
Name/Username Host Mask Port Status
c23613x 10.162.44.31 (S) 255.255.255.255 4569 OK (40 ms)
c23613i 10.162.44.31 (S) 255.255.255.255 4569 OK (41 ms)
c11325x 10.162.100.31 (S) 255.255.255.255 4569 OK (28 ms)
c11325i 10.162.100.31 (S) 255.255.255.255 4569 OK (28 ms)
You can see the peers are reachable again.
NOTES:
http://www.cyber-cottage.co.uk/?p=994
https://www.voip-info.org/asterisk-iax-qualify
- Details
DAK Networks Company is pleased to announce that we are certified to sell/support/maintain WatchGuard firewalls, routers and access points through our relationship with the GigJit Company.
This relationship allows us to provide a total solution to clients as an easy solution for problems that small and medium sized companies deal with on a daily basis.
So no matter if you are IT manager at a medium-sized company, a CEO/President at a small company or a marketing manager at a small to medium sized company, we can help you make sure that your WatchGuard Firewall equipment is installed, subscribed and working correctly.
Contact us today if you need further information.
- Details
In 2 separate occasions today, I've come across the following error:
The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52} and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}
To fix, I followed this:
https://www.youtube.com/watch?v=QQi6ZeBiYZs
Also in both cases, the system was a Dell All In One. One was an Dell Inspirion 24" and one was a Dell Optiplex 7440. Both had Intel HD Graphics 530 and both needed the Intel RST updated.
I don't know why just yet but the RST drivers for the systems are not on the Dell Drivers web site. But they are in the Dell Enterprise Wiki:
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/11654.optiplex-7440-aio-windows-10-driver-pack
Everything you need is in the CAB file.
Once again, I urge everyone to purchase Dell business class computers. I've been saying this for 20 years now and it is still the same issue. The business class systems are supported better. It isn't worth saving the money just to have you paying me to fix it for you. There is no savings.
- Details
Printers are a pain for so many reasons.
This time around, printing to a Konica BizHub would automatically delete the print job with the status "Error Deletion" and the details, "Login Error."
But yet, others could print without hassle. What gives?
Konica BizHub printer options are awesome. There are so many settings it is mind blowing. One of these settings is User-Authentication or User-Auth.
If User-Auth is set to ON (on the physical printer\web settings) and the printer is installed, the driver is set to automatically pickup the settings of the physical-printer. Since the setting is User-Auth = ON (on the physical printer\web settings), the driver picks up that setting and tries to send a username & password. Since there are no usernames & passwords setup, the print job fails due to a login error.
How do you get around this?
So to print, you can manually set the settings on the print driver (rather than automatic). This allow you to set printer to User-Auth = OFF (on the driver).
Here's how in picture format:
- Details
Hyper-V VHDX disks can be created from a physical computer with Disk2VHD. You will end up with a VHDX disk. If you run into a problem where you cannot run Hyper-V, VirtualBox is a good alternative. The roadblock you might run into is that VirtualBox cannot run VHDX files. To convert to VirtualBox VDI Disk (VirtualBox native format):
- -click START > RUN
- -type: cmd
- -inside the command window, type: cd c:\program files\oracle\VirtualBox\
- -hit enter
- -type: VBoxManage clonemedium disk c:\path-to-vhdx\DESKTOP.VHDX c:\path-to-vdi\DESKTOP.VDI --format VDI
Now simply create a VM and use/attach the VDI disk.
(In the settins, I had to checkmark "Enable I/O APIC")
Bonus
Let's say you want to start the VM without a GUI. This is "headless". If you want the VM to start when the host starts:
- -click START > RUN
- -type: cmd
- -inside the command window, type: cd c:\program files\oracle\VirtualBox\
- -hit enter
- -type: VBoxManage list vms
(this will show a list of VM's)
Let's add the VM to start automatically on a Windows host:
- -click START > RUN
- -type: shell:startup
- -create a shortcut in this directory
VBoxManage startvm MyVM --type headless
- Details
1-First create a folder in your Outlook called: SearchAndDeleteLog
(As a root folder. Not an INBOX subfolder)
2-Now in Exchange-Mangement-Shell EMS) search for the messages with the SENDER, DATE and SUBJECT and put the results in your own mailbox:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from:
Or for a date-range:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from:
Or for a domain name:
Get-Mailbox -ResultSize unlimited | search-mailbox -SearchQuery "@domain.tld" -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full
3-Look in your Outlook and verify the results.
4-After you are sure of the results, run the command to delete:
Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from:
If you need to copy the messages from a specific mailbox:
Get-Mailbox foo.user | Search-Mailbox -SearchQuery {from:
- Details
Resource room in Exchange 2013. Let's say you have a conference room. And you want everyone in the office to:
- -see a calendar for the conference room.
- -see if the conference room is available/busy.
- -schedule an event for the conference room.
- -see the details of the conference room.
Create Resource Room
First create a mailbox resource room. This can be a ROOM or it can be EQUIPMENT. The idea is that it is a shared resource.
- $new-mailbox foo.resource -type room
or - $new-mailbox foo.resource -type equipment
View Default Permissions
You can view the default permissions of the mailbox like so:
- $get-MailboxPermission foo.resource |? {$_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF"}
You can view the default permissions of the mailbox calendar like so:
- $get-MailboxFolderPermission foo.room:\
- $get-MailboxFolderPermission foo.room:\calendar
Add Permissions
Afterwards, set the permissions for the calendar. This must be done at the calendar level:
- $set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Reviewer
To schedule the calendar in OUTLOOK,
- -click NEW > MEETING
- -click TO
- -click GLOBAL-ADDRESS-LIST (upper-right)
- -select ALL-ROOMS
- -click the room required.
- -click RESOURCES (at bottom-left, to add the room to the RESOUCE area).
- -click the date and time you need.
- -click SEND
This will schedule the room for you, put the event on your personal calendar, put the event on the room calendar for everyone to see and manage if it is in use or not.
Everyone In Office To Add Events To A Shared Calendar
If everyone in the office is "playing nice" and if you just want the calendar to show, have people double-click on the calendar day to start an event and schedule a time, then set the calendar permissions to AUTHOR:
- $set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Author
NOTES:
-REVIEWER role is the following:
(the "-" is not allowed)
ReadItems
FolderVisible
-CreateItems
-EditOwnedItems
-EditAllItems
-CreateSubfolders
-DeleteOwnedItems
-DeleteAllItems
-FolderOwner
-FolderContact
-AUTHOR role is the following:
(the "-" is not allowed)
ReadItems
FolderVisible
CreateItems
EditOwnedItem
DeleteOwnedItemss
-EditAllItems
-CreateSubfolders
-DeleteAllItems
-FolderOwner
-FolderContact
More at: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx
- Details
So I'm probably the last to know but aliases are built right into gmail addresses.
If your email address is:
The following will also work:
In addition, you can add a plus sign (+) and any word before the @ symbol and the email will still reach you
This email address is being protected from spambots. You need JavaScript enabled to view it. This email address is being protected from spambots. You need JavaScript enabled to view it. This email address is being protected from spambots. You need JavaScript enabled to view it. This email address is being protected from spambots. You need JavaScript enabled to view it.
- Details
Your scanning used to work from the Ricoh/Savin. It used to go right into a folder you had setup.
Then the computer updated itself in the Fall/Winter of 2018 or early 2018.
Now when you try to scan, it doesn't work.
This is because the computer updated to Windows 10 v1709 (aka Fall Creators Update). In this update, a change was made so that your computer can no longer talk to the Ricoh/Savin scanner. The update took away a communication protocol called SMBv1.
The correct fix is to change the way the scanner talks to the computer and use a newer communication protocol.
In lieu of making those changes, you can re-enable SMBv1:
- -click START > RUN
- -type: CMD
- -click OK
- -type: dism /online /enable-feature /featurename:smb1protocol
The same is true for disabling:
- -type: dism /online /disable-feature /featurename:smb1protocol
- Details
For 32-bit (x86) Office 2013 installed in 32-bit Windows using Click-To-Run:
- "C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us
For 32-bit (x86) Office 2013 installed in 64-bit Windows using Click-To-Run:
- "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us
For 64-bit (x64) Office 2013 installed in 64-bit Windows using Click-To-Run:
- "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x64 culture=en-us
For Office 2013 installed using traditional MSI method:
- "C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe"
- Details
You can see INBOX rules every mailbox:
GET:
$get-InboxRule -mailbox foo.user
You will get something like:
Name Enabled Priority RuleIdentity
---- ------- -------- ------------
foo.bar.rule True 1 6404806255763783681
Of course, you can see the details by:
$get-InboxRule -mailbox foo.user |fl
REMOVE:
remove-InboxRule -mailbox FOO.USER 6404806255763783681
- Details
First step is diagnostics; find out how hot it is running. There is a package called lm_sensors.
Installation
lm_sensors is installed by default in Centos. If not, you can install:
yum install lm_sensors
Detect The Sensors
lm_sensors needs to know what sensors are available. To do this:
sensors-detect
answer YES to all the questions / accept all the defaults
Show the Temp
lm_sensors will show the temperature in C by:
sensors
Or will show the temperature in F by:
sensors -f
Or to see a continuous monitor of temp by:
watch -n 2 sensors
watch -n 2 sensors -f
watch -d sensors
How Hot?
A normal temperature is 45C/100F.
A high temperature is 87C/189F.
A critical temperature is 105C/225F.
Fans should kick in around 60C/140F.
Why Hot? CPU
The burning question (ba-dom-tiss), why is it hot.
One reason could be the CPU. The CPU will have different speeds that it can run. So a 2700 CPU may only be running at 1200. This is called "governors".
To see your max speed and current running speed:
grep -E '^model name|^cpu MHz' /proc/cpuinfo
Not all cpus will have the same options. To see your available governors:
cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_available_governors
To see your set governor:
cat /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
Or:
service cpuspeed status
And if that doesn't work, try:
/etc/init.d/cpuspeed status
To set your governor:
echo ondemand > /sys/devices/system/cpu/cpu*/cpufreq/scaling_governor
Why Hot? Graphics Chip
A second reason is the graphic chip or graphic drivers. In laptops, secondary graphics cards can be installed along with the built-in graphics card. The idea is that the secondary card takes over when the built-in card needs it. This is called discrete graphics card or Nvidia’s Optimus graphics-switching technology. The idea is to save power and to make the battery last longer. There are all sorts of problems this happening in real life.
To see if the discrete graphics card is on:
grep -i switcheroo /boot/config-*
To change, edit the file manually and change "CONFIG_VGA_SWITCHEROO=n" to "CONFIG_VGA_SWITCHEROO=y":
vi /boot/config-2.6.32-696.20.1.el6.x86_64
(of course, change the config number file that you select when you boot the laptop)
Then reboot:
signal-event reboot
Why Hot? Fans
For me, the laptop isn't hot. It is just that the fan are running at full speed all the time.
Typically, fan control is done through a service called: acpid (this is the same service that provides shutdown control when you press a power button). But, in some cases, Dell laptops lacks ACPI fan control capability. Also, Dell laptops lack pwm-capable sensor for the fans/pwm controllable fans. So lm_sensors from above will not find a sensor for the fans. Consequently, the following typical solutions will not work:
trying with ACPI boot parameters.
fancontrol/pwmconfig program.
/**************************************
SIDEBAR
Some have had luck editing the /etc/grub.conf file and editing ACPI boot parameters by either reporting to the BIOS as Linux or reporting as not Windows 2012. When Linux boots, it reports to the BIOS as Windows. Reporting as Linux may allow it more control.
In the same fashion, reporting as Linux doesn't work but reporting as not Windows 2012 does work.
vi /etc/grub.conf
you will see a list of kernels with numbers. Ususally the highest number is the newest release and the one being used.
find the line that starts with: kernel
at the end, simply add: acpi_osi=Linux
or at the end, simply add: acpi_osi='!Windows 2012'
You can also test this before making the changes permanent:
reboot
wait till the list of kernels show
use the up/down arrow keys to move the highlighted kernel
select the kernel (again, usually the highest number).
press 'e' (for edit)
selec the line that starts with 'kernel'
press 'e' again (for edit)
go all the way to the right (it usually puts you at the end of the line)
at the end, simply add: acpi_osi=Linux
at the end, simply add: acpi_osi='!Windows 2012'
at the end, simply add: acpi_enforce_resources=lax
press enter (to accept the edit)
press 'b' to boot
For example, my normal line looks like:
kernel /vmlinuz-2.6.32-696.20.1.el6.x86_64 ro rd_NO_PLYMOUTH root=/dev/mapper/main-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=main/root nodmraid rd_LVM_LV=main/swap SYSFONT=latarcyrheb-sun16 rd_MD_UUID=701062e5:0b13b844:9523e658:0c4b0c3d KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto
My modified line looks like:
kernel /vmlinuz-2.6.32-696.20.1.el6.x86_64 ro rd_NO_PLYMOUTH root=/dev/mapper/main-root rd_NO_LUKS LANG=en_US.UTF-8 rd_LVM_LV=main/root nodmraid rd_LVM_LV=main/swap SYSFONT=latarcyrheb-sun16 rd_MD_UUID=701062e5:0b13b844:9523e658:0c4b0c3d KEYBOARDTYPE=pc KEYTABLE=us rd_NO_DM rhgb quiet crashkernel=auto acpi_osi=Linux
**************************************/
Try typing:
pwmconfig
You will get a standard message stating:
There are no pwm-capable sensor modules installed
Load i8kutils
So to workaround this, you have to install i8kutils package
First, you have to load a kernel module:
modprobe -v i8k
You can see the loaded modules by:
lsmod
In there, you should see: i8k
Great! Now that i8k is loaded, we need the i8kutils package.
- Details
In theory, the handset and the base go together. Plug in the base and the handset works with that base.
ADD W52P HANDSET TO BASE
However, you can add the handset to another base if needed:
- -press the button on the base.
- -press REGISTER on the phone set.
Long way:
- -login to the base web page.
- -click ACCOUNT (at the top).
- -select ACCOUNT1, ACCOUNT2, ACCOUNT3, ACCOUNT4, ACCOUNT5
- -fill in the necessary information
FACTORY DEFAULT YEALINK W52P
To factory-default the base:
- -unplug power.
- -hold in the button (there's only one button).
- -plug in the power.
- -all 3 led's will light up.
- -unplug power.
- -plug power back in.
UPGRADEYEALINK W52P
In normal circumstances, the firmware of the base and the handset can be updated here:
http://support.yealink.com/documentFront/forwardToDocumentDetailPage?documentId=25
The firmware of the base can be updated via the web.
The firmware of the handset can be updated via the web (if the base firmware is new enough). Or the firmware of the handset can updated via usb. This requires the usb tool here:
Upgrading W52x Handset Firmware.zip
UPGRADE YEALINK W52P BRICKED / NOT RESPONDING
In some cases, there is still no response after the factory default or if the firmware upgrade was incomplete/corrupt. The base needs to be put in recovery mode and is look for a tftp from 192.168.0.23.
To fix, you will need to:
- -download the newest firmware for the base: http://support.yealink.com/documentFront/forwardToDocumentDetailPage?documentId=25
- -unzip.
- -rename the firmware to: W52P.rom
(I used the files here: W52P.zip)
TFTP
- -download a TFTP-SERVER: http://www.tftpd64.com/tftpd32_download.html
- -get the PORTABLE version.
- -unzip the files.
- -set your computer IP to: 192.168.0.23
- -set your computer SUBNET to: 255.255.0.0
- -set your computer GATEWAY to: 192.168.0.1
NETWORK
- -get a switch.
- -get 2 ethernet cables.
- -plug computer into switch.
- -disable wireless, if needed.
- -disable firewall.
TFTP-UPLOAD
- -start the tftpd32.exe/tftpd64.exe
- -create a tftproot folder at the root of c:\ (so it should be: c:\tftproot)
- -upload the W52P.rom, W5X.rfs, W5X.bin
TFTP-SETTINGS-GLOBAL
- -click SETTINGS.
- -click GLOBAL
- -checkmark DHCP
- -checkmark TFTP
TFTP-SETTINGS-DHCP
- -set IP-POOL-START-ADDRESS as: 192.168.0.100
- -set SIZE-OF-POOL to: 11
- -set the options to (these are irrelevant, so it doesn't matter):
- 192.168.0.1
- 255.255.0.0
- 192.168.0.11
- 192.168.0.11
- -set the BIND-ADDRESS to: 192.168.0.23
TFTP-SETTINGS-TFTP
- -checkmark BIND-TFTP-TO-THIS-ADDRESS: 192.168.0.23
TFTP-SERVER-RESTART
- -close the TFTP server software
- -start the TFTP server software
BASE
- -unplug power
- -hold in the button (there's only one button).
- -plug in the power.
- -all 3 led's will light up.
- -release the button.
(if that doesn't work, try when only 2 led's light up and release the button) - -wait about 10 minutes to be sure.
- -the BASE unit should upgrade the firmware, reboot and be accessible at: 192.168.0.100
(You can follow along in the TFTP log. It will show activity so you know if it is working)
NOTES:
-here is the Yealink PDF instructions: Recovery_Mode_on_Yealink_IP_Phones_build.pdf
- Details
http://download.wdc.com/smartware/EssentialEliteFirmwareUpdaterv1.032_1.0.7.4.zip
Here are the drivers if your WD MyBook is not recogized.
- Details
I spend a large amount of time defending from spam attacks and sql injection attacks. I can analyze the httpd logs with the following:
grep schem ./access_log* |cut -d ' ' -f 2 |uniq -c |sort -n
- The 'grep' command searches for the word schema as in information_schema. No real sql query searches for this. It is always an sql hacking attempt.
- The files we are searching is 'access_log*' which means search through all the access logs that we have. For me, that is usually around 4 months of data. That is a fairly good data set.
- The 'cut' command chunks up the data. The '-d' part tells how to chunck the data; by a space character. The '-f 2' tells what data to collect; the second item in each line.
- The 'uniq -c' tells to count each unique item.
- The 'sort -n' sorts them least to greatest.
- Details
WSUS complete setup. While there is another article that preceeds, this article tries to encompass the full WSUS setup, configuration, maintenance and common problems that you may run into.
There are 6 parts to this:
- WSUS Setup
- WSUS Configuration
- WSUS Maintenance
- WSUS Client Update
- WSUS Client Problems
- WSUS Problems
1-WSUS Setup
https://www.youtube.com/watch?v=6RFkP2wppOI
Powershell Module
As a refresher, you can see your PowerShell modules with:
get-module
Or see the installed PowerShell modules:
get-installedmodule
Or see all the available PowerShell moduels:
get-module -listavailable
UpdateServices
There is a built-in PowerShell module that installs with WSUS called UpdateServices. This module can be used for many WSUS commands.
To see the commands:
get-command -module UpdateServices
The main command is:
Get-WSUSUpdate
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |get-member
Get-WSUSUpdate -Classification Critical -Status Any -Approval unapproved |select products -unique
Classifications
WSUS updates has Classifications.
There is a slight variation in Classifications from WSUS server in certain places:
[enum]::GetNames([Microsoft.UpdateServices.Commands.WsusUpdateClassifications])
Classification only includes:
All
Critical
Security
WSUS
This is different than the WSUS Classifications listed here as "Root Categories":
Get-WsusServer |Get-WsusClassification
Classifications includes:
Applications
Critical Updates
Definition Updates
Driver Sets
Drivers
Feature Packs
Security Updates
Service Packs
Tools
Update Rollups
Updates
Upgrades
Each update also has a Category. To see the Language Packs from the client:
Get-WindowsUpdate -Category "Language packs"
See here for Update Categories:
https://learn.microsoft.com/en-us/archive/blogs/dubaisec/windows-update-categories
2-WSUS Configuration
From above, there is a built-in PowerShell module that installs with WSUS called UpdateServices.
-Get-Command -Module UpdateServices
-Get-WSUSServer
-Get-WSUSComputer
Configuration can be done automatically or it can be done manually. We will go through both.
Manual Configuration (aka the hard way)
-IIS > WSUS Application Pool > "Advanced Settings"
-Queue Length: 25000 from 10000
-Limit Interval (minutes): 15 from 5
-"Service Unavailable" Response: TcpLevel from HttpLevel
-Private Memory Limit: 5529600 from 1843200 (or 0 for unlimited)
-(Stop the IIS first) > Edit the web.config ( C:\Program Files\Update Services\WebServices\ClientWebService\web.config ) for WSUS
-Replace
-Restart-WebAppPool -name wsuspool
-Get-WsusUpdate -Approval Unapproved -Status Needed
-Get-WsusUpdate -Approval Unapproved -Status Needed |Approve-WsusUpdate -Action Install -TargetGroupName “All Computers” –Verbose
-Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers –CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
-download: https://docs.microsoft.com/en-us/troubleshoot/mem/configmgr/reindex-the-wsus-database
-database is WID located in: C:\Windows\WID\Data > called SUSDB.mdf
-sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query -i C:\installs\WsusDBMaintenance.sql
To see the WSUS configuration settings:
-reg query "HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup"
-options set to auto-approve > ran rule.
-created gpos for workstations/servers: https://community.spiceworks.com/how_to/1390-wsus-gpo-settings-for-the-real-world?page=3
Automatic Configuration
This will automatically set the configuration for you.
Get the Optimize-WsusServer script:
wget https://github.com/awarre/Optimize-WsusServer/blob/master/Optimize-WsusServer.ps1 -outifle Optimize-WsusServer.ps1
Install-Module SqlServer -allowclobber
.\Optimize-WsusServer.ps1 -FirstRun
.\Optimize-WsusServer.ps1 -DeepClean
Increase the transfer request quantity
When a WSUS client asks for an update, it can error out (0x80244010) if the transfer is over the limit.
To set the limit to unlimited:
sqlcmd -S np:\\.\pipe\MICROSOFT##WID\tsql\query
USE SUSDB
GO
SELECT MaxXMLPerRequest from tbConfigurationC
GO
UPDATE tbConfigurationC SET MaxXMLPerRequest = 0
GO
To reset to the default value:
UPDATE tbConfigurationC SET MaxXMLPerRequest = 5242880
GO
Language Pack Configuration Caveat
WSUS console shows Language Pack (ie KB2839636, KB3012997) not installed.
This is working as designed. Whether to install a language pack is up to each user account to decide if the a language pack should be installed or not.
As a result, language packs should not be deployed by WSUS as there will non-compliant reports coming back to WSUS.
The following will deny all Language Packs in WSUS that have not been Approved:
get-WsusUpdate |?{$_.update.title -like "*Language Pack*"} | Deny-WsusUpdate
If the Language Packs were already Approved, then the following will deny all Language Packs:
get-WsusUpdate -Approval Approved -Status FailedOrNeeded |?{$_.update.title -like "*Language Pack*"} |Deny-WsusUpdate
(This works because we know that update package is failing/needed.)
Note that the Language Packs are not included in the normal update process. Meaning if you search for updates on the Windows client, the Language Pack does not show. But it will show as missing on the WSUS report.
3-WSUS Maintenance
If this is your first time, Maintenance can be complicated as there are many ways to go about doing so without any real official way of doing so from Microsoft. The Microsoft published articles on WSUS are questionable as well. There are simply better methods.
You can fiddle around with WSUS for hours/days/weeks/months and even years. Sometimes I find some people who equate WSUS with being a sysadmin.
I put all the ways to peform WSUS Maintenance in its own article since it would make this too long:
http://www.daknetworks.com/blog/655-seven-way-wsus-maintenance
For a "speedrun" to get WSUS working as fast as possible, there is a script in PowerShell Gallery called Wsus-Maintenance and Invoke-DGASoftwareUpdateMaintenance.ps1
Install-Script -Name Wsus-Maintenance
Wsus-Maintenance (to see the readme)
Wsus-Maintenance -Run
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini #uncomment whatifpreference
Plugins:
Decline-Edge
Decline-Office365Editions
Decline-Windows10Languages
Decline-Windows10Versions
Decline-Windows11Languages
Decline-WindowsARM64
Decline-WindowsItanium
.\Decline-SupersededUpdates.ps1 -SkipDecline -UpdateServer localhost -port 8530
.\Decline-SupersededUpdates.ps1 -UpdateServer localhost -port 8530 #remove -SkipDecline
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "2003" -or $_.products -match "2007" -or $_.products -match "2010" -or $_.products -match "2013"} |Deny-WsusUpdate -verbose #accidentially downloaded office 2003, 2007, 2010, 2013 |
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "Windows 10 and later Dynamic Update" -or $_.products -match "Windows 10 and later Dynamic Update, Windows Safe OS Dynamic Update" -or $_.products -match "Windows 10 and later GDR-DU" -or $_.products -match "Windows 10 GDR-DU FOD" -or $_.products -match "Windows 10 Feature On Demand" -or $_.products -match "Windows 10 LTSB, Windows 10" -or $_.products -match "Windows GDR-Dynamic Update"} |Deny-WsusUpdate -verbose
Get-WSUSUpdate -Classification critical -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
Get-WSUSUpdate -Classification security -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
4-WSUS Client Update
On the client a PowerShell module called PSWINDOWSUPDATE can be used.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Install-Module PSWindowsUpdate
Get-ExecutionPolicy
Set-ExecutionPolicy RemoteSigned
Import-Module PSWindowsUpdate
get-command -module pswindowsupdate
get-wuinstallerstatus
get-wurebootstatus
get-wuinstall -verbose (This is the same as: Get-WindowsUpdate or Get-WindowsUpdate -Verbose)
get-wuinstall -verbose -install (This is the same as Install-WindowsUpdate)
get-command -module pswindowsupdate
Windows Update Repo
To see the source repository of the updates (ie local intranet WSUS server or public internet Microsoft server):
Get-WUServiceManager
To set the source of the update to the public internet Microsoft Server:
Get-WindowsUpdate -MicrosoftUpdate
Extra
To search for a specific update:
Get-WindowsUpdate -KBArticleID KB982861
Get-WindowsUpdate -KBArticleID "KB5002324", "KB5002325"
Get-WindowsUpdate -KBArticleID KB982861 -Verbose
To get the current Job:
Get-WUJob
To get the history:
Get-WUHistory | ?{$_.Description -like "*Update*"}
5-WSUS Server Reset
Reset WSUS Pool
If WSUS Server Keeps Stopping
Internet Information Services (IIS) Manager -> Server -> Application Pools -> Select “WSUSPool” -> Actions Advanced -> Recycling -> change “Private Memory Limit (KB)“.
-set to 0 (no limit).
-started WSUSPool.
-started Windows WSUS service.
-started cleanup.
Reset WSUS Server
If you run into WSUS problems you can reset the WSUS server:
net stop wsusservice
"c:\Program Files\Update Services\Tools\wsusutil.exe" reset
net start wsusservice
Reset WSUS View
-reset view:
-close mmc wsus
-rm %userprofile%\application data\Microsoft\MMC\wsus
6-WSUS Client Problems
Check the Windows Client is Using WSUS Server
See if settings are being applied to the client system:
via PSWindowsUpdate:
Get-WUSettings
via gpo inspection:
gpresult /r /scope:computer
rsop.msc
Configuration\Administrative Templates\Windows Components\Windows Update
via reg query:
reg query HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate
Check the Windows Client is Reaching the WSUS Server
Now check to see if the client can update:
via manual download:
http://
via log inspection:
wuauclt /detectnow
get-content %SystemRoot%\WindowsUpdate.log
get-content %SystemRoot%\WindowsUpdate.log |findstr /i "server:"
If the intranet WSUS server shows, then it is reaching the correct server.
If not, then there might be a connectivity issue with the Anonymous user account called IUSR:
IIS > Virtual Directory > SelfUpdate > Authentication > Enable Anonymous Authentication
IUSR is the anonymous/www user
(No longer uses the IUSR_
Check the Windows Client is Updating
Now check what happens when the client tries to update:
get-content %SystemRoot%\WindowsUpdate.log -wait
get-content %SystemRoot%\WindowsUpdate.log -wait -tail 25
Error 0x800f0823
The update error 0x800f0823 usually happens when a recent servicing stack update (SSU) is missing. The SSU is the update agent. Confirm by looking at the CBS log:
get-content %SystemRoot%\Logs\CBS\CBS.log |findstr /i hresult
get-content %SystemRoot%\Logs\CBS\CBS.log |findstr -wait -tail 25
This is where PDQ can help and be part of the patch management. PDQ can auto download and push the monthly rollup to the clients. But it's 2023 and the Windows Server 2012 R2 hasn't been patched since... well, you know. So it needs a bit of help.
Service Stack Update (SSU)
The Service Stack Update is the update agent itself. So it is kinda like updating YUM. Let's update the SSU.
Get the newest SSU here:
https://msrc.microsoft.com/update-guide/en-us/vulnerability/ADV990001
wget https://catalog.s.download.windowsupdate.com/c/msdownload/update/software/secu/2022/10/windows8.1-kb5018922-x64_3aa7832b7586e11304f8fee5e09b6829b32d1833.msu -outfile "Win8.1AndW2K12R2-KB3191564-x64.msu"
wusa.exe "Win8.1AndW2K12R2-KB3191564-x64.msu" /log:"/myLogFile.log"
CBS.log shows:
Trusted Installer is shutting down because: SHUTDOWN_REASON_AUTOSTOP
[HRESULT = 0x800f0805 - CBS_E_INVALID_PACKAGE]
Reset WindowsUpdateAgent
Now let's reset the WindowsUpdateAgent:
via PSWindowsUpdate:
Reset-WUComponents
via Cleanup Manager:
cleanmgr
-select Windows Updates to clean out the updates.
-wait about an hour
via manual:
https://support.microsoft.com/en-us/sbs/windows/fix-windows-update-errors-18b693b5-7818-5825-8a7e-2a4a37d6d787
net stop cryptsvc
net stop bits
net stop wuauserv
ren %systemroot%\softwaredistribution softwaredistribution.bak
ren %systemroot%\system32\catroot2 catroot2.bak
net start cryptsvc
net start bits
net start wuauserv
Reset Windows Update Components
The Windows Update needs reset. First let's verify the OS:
DISM /Online /Cleanup-Image /RestoreHealth
reboot
It may reboot on it's own a second time.
sfc /scannow
reboot
0x80244010 - Just Retry a Bunch of Times
Finally, start the update process again and it should go through. If the error message is 0x80244010, then just RETRY. You might have to RETRY about 10 times. You are hitting the limit on what can be done on WSUS (200). RETRYING picks up where it left off. This is why it needs to be done multiple times.
If configurated correctly, this shouldn't happen. See the 2-WSUS Configuration -> Increase-the-transfer-request-quantity
Force Windows Client Report to WSUS
Sometimes the Windows Client won't report to WSUS. Let's force it:
$updateSession = new-object -com "Microsoft.Update.Session"; $updates=$updateSession.CreateupdateSearcher().Search($criteria).Updates
wuauclt /reportnow
Or if you need to fully reset the WSUS client:
-remove WSUS client from WSUS
-on the WSUS client, remove the settings and reset the Update Components:
echo y |REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\" /v SusClientId
echo y |REG DELETE "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\" /v SusClientIdValidation
Reset-WUComponents
WUAUCLT /ResetAuthorization /DETECTNOW
For a in-depth article on WSUS Clients not updating see the following:
http://www.daknetworks.com/blog/653-server-2019-not-updating-cumulative-update--wsus-cumulative-update
NOTES:
Someone suggested that patch Tuesday doesn't exist because patches are sometimes released afterwards and that Tuesday isn't the same across the globe. It was a very long thread and there is some validity. Even VMware went to UTC on the logs and doesn't allow it to be changed to the local timezone. Probably smart. In any event, here is some date/time to narrow Windows Update no matter where you are in the world:
(get-date).ToUniversalTime()
(get-date).DayOfYear
[int](Get-Date -UFormat %s -Millisecond 0)
([DateTimeOffset](Get-Date)).ToUnixTimeSeconds()
- Details
WSUS setup speedrun.
I give credit when credit is due. This has been covered very well in the follow video:
https://www.youtube.com/watch?v=6RFkP2wppOI
=================================================================================
1-Optimize-WsusServer will automatically set some configuration in IIS. This is why it is run first.
.\Optimize-WsusServer.ps1 -firstrun
-Get-Command -Module UpdateServices
-Get-WSUSServer
-Get-WSUSComputer
-select Products
All Developer Tools, Runtimes and Redisributables
Office
Dictionary Updates
Microsoft 365 Apps/Office2019
New Dictionary Updates
Office 2016
Powershell x64
Microsoft SQL Version YYYY (version depends on your environment)
Microsoft SQL Version Management Studio
Windows Defender Antivirus
Microsoft Server Operating System 21H2
Microsoft Server Operating System 22H2
OOBE ZDP
Server 2022 Hotpatch
Windows 10, version 1903 and later
Windows 10
Windows 11
Windows Dictionary Updates
Windows Server 2012 R2
Windows Server 2012
Windows Server 2016
Windows Server 2019
Windows Server Manager
Windows Server version 1903 and later
Synchronize - manually sync and set sync schedule for automatic sync.
2-DeploymentBunny will automatically change the WSUS WID database. This is why it is run after the sync. https://github.com/DeploymentBunny/Files/tree/master/Tools/Invoke-WSUSMaint
-download all 3 files.
-run: .\Invoke-WSUSMaint
3-Invoke-DGASoftwareUpdateMaintenance will automatically perform maintenance on the update and remove the most common items found in the plugins.
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini
.\Invoke-DGASoftwareUpdateMaintenance.ps1 -configfile .\config_wsus_standalone.ini #uncomment whatifpreference
Plugins:
Decline-Edge
Decline-Office365Editions
Decline-Windows10Languages
Decline-Windows10Versions
Decline-Windows11Languages
Decline-WindowsARM64
Decline-WindowsItanium
4-CleanUP-WSUS has its own set of items:
.\CleanUP-WSUS.ps1 -firstrun
.\CleanUP-WSUS.ps1 -scheduledrun
.\CleanUP-WSUS.ps1 -daily
.\CleanUP-WSUS.ps1 -monthly
.\CleanUP-WSUS.ps1 -quarterly
5-Decline-SupersededUpdates from Microsoft is published. It probably won't do anything at this point but lets run it for good measure.
.\Decline-SupersededUpdates.ps1 -SkipDecline -UpdateServer localhost -port 8530
.\Decline-SupersededUpdates.ps1 -UpdateServer localhost -port 8530 #remove -SkipDecline
6-Install-Script -Name Wsus-Maintenance
Wsus-Maintenance (to see the readme)
Wsus-Maintenance -Run
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "2003" -or $_.products -match "2007" -or $_.products -match "2010" -or $_.products -match "2013"} |Deny-WsusUpdate -verbose #accidentially downloaded office 2003, 2007, 2010, 2013 |
Get-WSUSUpdate -Status Any -Approval unapproved |?{$_.products -match "Windows 10 and later Dynamic Update" -or $_.products -match "Windows 10 and later Dynamic Update, Windows Safe OS Dynamic Update" -or $_.products -match "Windows 10 and later GDR-DU" -or $_.products -match "Windows 10 GDR-DU FOD" -or $_.products -match "Windows 10 Feature On Demand" -or $_.products -match "Windows 10 LTSB, Windows 10" -or $_.products -match "Windows GDR-Dynamic Update"} |Deny-WsusUpdate -verbose
Get-WsusUpdate -Approval Unapproved -Status Needed
Get-WsusUpdate -Approval Unapproved -Status Needed |Approve-WsusUpdate -Action Install -TargetGroupName “All Computers” –Verbose
Get-WSUSUpdate -Classification critical -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
Get-WSUSUpdate -Classification security -Status Any -Approval unapproved |Approve-WsusUpdate -Action Install -TargetGroupName "All Computers" –Verbose
7-UpdateServices (builtin when installing WSUS)
-Get-WsusServer | Invoke-WsusServerCleanup -CleanupObsoleteComputers –CleanupObsoleteUpdates -CleanupUnneededContentFiles -CompressUpdates -DeclineExpiredUpdates -DeclineSupersededUpdates
-created wsus-cleanup.ps1
-set as Scheduled-Task
Sometimes this needs to be run one at a time:
Invoke-WsusServerCleanup -CleanupUnneededContentFiles -CompressUpdates
Invoke-WsusServerCleanup -DeclineSupersededUpdates
Invoke-WsusServerCleanup -DeclineExpiredUpdates
Invoke-WsusServerCleanup -CleanupObsoleteComputers
Invoke-WsusServerCleanup -CleanupObsoleteUpdates -CompressUpdates
8-Powershell OneLiner:
Get-WSUSUpdate -Classification All -Status Any -Approval AnyExceptDeclined `
| ?{ $_.Update.GetRelatedUpdates(([Microsoft.UpdateServices.Administration.UpdateRelationship]::UpdatesThatSupersedeThisUpdate)).Count -gt 0 } `
| Deny-WsusUpdate
-reg query "HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup"
-options set to auto-approve > ran rule.
-created gpos for workstations/servers: https://community.spiceworks.com/how_to/1390-wsus-gpo-settings-for-the-real-world?page=3
See the WSUS Complete Setup which has a bit more explanation and troubleshooting items for both the WSUS Server and the WSUS Clients.
- Details
Export Contacts from mailbox in Exchange 2013
New-MailboxExportRequest -Mailbox foo.user -IncludeFolders "#Contacts#" -excludedumpster -FilePath "\\exchange-server\c$\Archives\foo.use.recovered.pst"
- Details
I spent some time in compuer maintenance. This is thousands of computers across multiple locations on the globe. If I have to physically visit a computer, I've lost. The goal is to be able to provide network administration to all computers without ever having to physically visit on-site.
Because of this goal, gathering information is important.
WMIC is one tool for this. Here are some nice cheatsheet items:
Get the video card information/display-adapter information:wmic path win32_VideoController get name
Get the video card driver:wmic path win32_VideoController get driverVersion
Get the motherboard information:wmic baseboard get product
Get the onboard devices:wmic onboarddevice get description
Get the serial number in the bios:wmic bios get serialnumber
Get the bios version:wmic bios get smbiosbiosversion
Love it!
- Details
There are three areas that we need to look at to see what computer is making changes. This is in the online web site version.
- -RECENT https://www.dropbox.com/hThe RECENT will show what computer made the change.
- -EVENTS https://www.dropbox.com/eventsThe EVENTS area will show what has been added/edited/moved/deleted on a particular day.
- -DELETED https://www.dropbox.com/deleted_filesThe DELETED area will shwo what has been deleted. You can restore the items here.
In the RECENT area:
- -click the ELIPSES (the dots next to the title).
- -click the VERSION-HISTORY.
- -hover over the word DESKTOP. It will show the name of the computer that made the change.
- Details
In performing a periodic check on permissions on mailboxes in EXCHANGE 2013, I saw that there are some permissions that would not remove.
Here's how to check for additional permissions across all mailboxes:
Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and $_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ', $_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv
There are some entries that did not belong that look like this:
RunspaceId: 03d29daa-2ca3-4428-bbe4-4ebc1102b86e
AccessRights: {FullAccess}
Deny: True
InheritanceType: All
User: DOMAIN:foo.user2
Identity: DOMAIN/Users/foo.user
IsInherited: False
IsValid: True
ObjectState: Unchanged
When I tried to remove them, I used this command:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess
But that didn't work, the permission remained the same. I could see that the permission is not-inherited and that the permission is to DENY.
To get it to work, I had to remove the DENY permission, like this:
remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -InheritanceType All -deny
The MS doc site shows like the following but I had no idea what
[-Deny]
NOTES:
I've run into this more than one, as I created another post: http://www.daknetworks.com/blog/439-shared-mailbox-wont-disconnect-from-outlook
- Details
Brother Printer DOA. Plugged in. Turned on. Lights flash. Then go off.
Called Brother support. They said it was a firmware issue and I had to take it to the authorized Brother dealer... I guess I can't handle it.
- -download Brother Maintenance USB Driver
- -download FILEDG32.EXE
- -download the firmware for your printer.
- -find a Windows XP computer.
- -install the Brother Maintenance USB Driver.
- -plug in the USB printer.
- -the computer should recognize it and install the device in the PRINTERS list.
- -click on the MAINTENANCE printer in the list to highlight it.
- -click FILE > PRINT-FILE
- -select the firmware.
- -wait a few minutes till all the lights on the printer are on and stay on.
- -power cycle the printer.
NOTES:
-http://pschla.blogspot.com/2013/08/resurrecting-brother-hl-2250dn-after.html
- Details
Client Dell Latitude Laptop E5570 boots past the Dell logo (bios logo) and gets a black screen and can see nothing. The computer responds to a remote support software. I see nothing but I can run commands via command line (cmd) and get a response.
- -start the command line interface.
- -type: sc config "appreadiness" start= disabled
- -type: shutdown -r -t 3
This will disable the appreadiness service and restart the computer. The computer should boot to the login screen without difficulty.
If I didn't have the command line interface and simply has a laptop at home, I would try to get into safe-mode and then run the commands there:
- -click start > run
- -type: cmd
- -click OK
- -type: sc config "appreadiness" start= disabled
- -type: shutdown -r -t 3
- Details
Sometimes when I get an email from someone in OUTLOOK, their photo shows. How do they do that?
Setting your picture can happen in a few ways.
OUTLOOK
- To set your picture:
- -open OUTLOOK.
- -click FILE (at the top-right).
- -click CHANGE (under the picture).
WEB SITE
This is also possible on the web site at:
- -https://domain.tld/owa
- -click your name (at the top-right).
- -click CHANGE (under the picture).
ADMIN
This is also possible by having the administrator do it for a single user, OU or entire domain.
For a single user and you know the file location:
- Set-UserPhoto "username" -PictureData ([Byte[]] $(Get-Content -Path "C:\path-to-file\username.jpg" -Encoding Byte -ReadCount 0)) -Confirm:$false
For everyone:
- -save photos in common location.
- -name the photos the same as the username.
- -get all the users in EXCHANGE:
get-user -resultsize unlimited |select samaccountname |export-csv c:\pah-to-file\users.csv - -add a column called "picture"
- -run the command:
Import-csv "c:\pah-to-file\users.csv" | foreach {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes(c:\path-to-pics\$_.samaccountname.jpg)) -Confirm:$false}
For an OU
- get-aduser -filter * -searchbase "ou=
,ou= ,dc= ,dc=com" -properties HomeDirectory |foreach ( $_.samaccountname ) {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes($_.HomeDirectory+"\"+$_.samaccountname+".jpg")) -Confirm:$false}
Done!
- Details
Compress PDF with Ghostscript On Windows
DOWNLOAD & INSTALL GHOSTSCRIPT
You can download Ghostscript here (get the 64-bit version):
https://www.ghostscript.com/download/gsdnld.html
Installation is easy but the installer doesn't put the directory in the PATH. Until that time, you will have to type in the whole path to run the program:
C:\Program Files\gs\gs9.21\bin\gswin64c.exe
Adding to the PATH allows you to run the program by just using:
gswin64c.exe
To change the PATH temporarily, you can add to the PATH by typing in the command line:
set PATH=%PATH%;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\
Or you can:
- -right-click MY-COMPUTER/
- -click PROPERTIES
- -click ADVANCED-SYSTEM-SETTINGS
- -click ENVIRONMENTAL-VARIABLES (at the bottom-right).
- -in the lower section called "SYSTEM VARIABLES", find PATH
- -click EDIT
- -find VARIABLE VALUE
- -keep everything there
- -go to the end of the value
- -add the following:
;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\;
NOTE: do not remove any of the existing values.
RUNNING GHOSTSCRIPT
The idea here is that Ghostscript will create PDF's for you without step-by-step interaction. Let's say you have a directory of PDF that somebody scanned at 1200dpi with each PDF at 10MB. After time, this directory becomes entirely too large. We can use Ghostscript to re-compress the PDF's by 90% and take each PDF down to 1MB.
Ghostscript is suite of commands and not just one command. The command we are interested in is: ps2pdf
To run for a single file:
ps2pdf -dPDFSETTINGS#/ebook C:\path\to\input\file.pdf c:\path\to\output\file.pdf
There are a bunch of options but the most are correctly set by default:
https://www.ghostscript.com/doc/current/Ps2pdf.htm
Here is a script to run for an entire directory. Create the batch file and name it compress-all.bat. Put the batch file in the directory for which you want to compress files. Run the batch file from command line. It will create a "compressed" folder and put a copy of the compressed files in there:
=====
@echo off setlocal set GS_OUTPUT_DIR=compressed mkdir %GS_OUTPUT_DIR% for %%i in (*.pdf) do ps2pdf -dPDFSETTINGS#/ebook "%%i" "%GS_OUTPUT_DIR%\%%i"
- Details
SITUATION DISCOVERY
Branch Office Domain Controller Active Directory isn't working when the HQ DC AD is offline. Hurricane Irma knocked power out at the HQ location. The HQ DC AD server was shut down to prevent any issues.
Branch offices across North America have DC's, AD's and DNS.
When users go to a local server share, they get the login box with an error message:
"Search Results The system cannot contact a domain controller to service the authentication request"
When I go to the AD Users & Computers, I get an error message:
"Active Directory Naming Information Could Not Be Located"
The Users & Computers tree on the left hand side has an X for "Active Directory Users and Computers" and the center box is blank.
DIAGNOSTICS
I make sure DNS is setup correctly:
IPV4: 10.162.99.99
DNS1: 10.162.99.99 (SELF, always should be this way)
DNS2: 10.162.55.55 (HQ1)
DNS3: 10.162.55.56 (HQ2)
==========
I make sure the FORWARDERS are set correctly:
4.2.2.2
And working:
nslookup where-ever.tld 4.2.2.2
Reply:
PASS PASS
==========
Ping domain:
ping my-domain-name-here.com
Positive reply. So I know the domain and AD exists. I just can't reach it.
==========
Next, I try a dcdiag /fix:
dcdiag /fix
Reply:
"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
Bummer... it cannot reach a Global-Catalog. This is certainly the heart of the issue.
==========
Next, I check to see if my server is a GLOBAL-CATALOG server:
repadmin /options *
Reply:
Repadmin: running command /options against full DC DC-01.my-domain-here.com
Current DSA Options: IS_GC
Well, I now know that the server I am using is a GLOBAL-CATALOG.
==========
Next, I check to see what servers are global catalog servers as stated in DNS:
nslookup gc._msdcs.my-domain-name-here.com
Reply:
Server: dc-al-01.my-domain-name-here.com
Address: 10.162.30.291
Name: gc._msdcs.my-domain-name-here.com
Addresses: 10.162.300.291
10.162.190.213
10.162.509.231
10.162.260.101
10.162.430.110
10.162.410.19
10.162.100.222
The server is in the list on DNS as a GLOBAL-CATALOG.
==========
Next, I try a dsquery:
dsquery server -isgc
Reply:
dsquery failed:The specified domain either does not exist or could not be contacted.
==========
Next, I try a nltest:
nltest /dsgetdc:my-domain-name-here.com
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN
==========
Next, I look at a registry value:
reg query "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady
Reply:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters
SysvolReady REG_DWORD 0x0
CAUSE
There is certainly more to this. The AD isn't setup correctly. Active Directory uses the _msdcs.my-domain-here.com sub-domain to host SRV records. These records are not automatically updated, even in 2012-R2. Consequently, there may be outdated servers listed. In addition, the new servers will be missing.
You can find the domain and the servers here:
DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs
Reply:
dc1.my-domain-name-here.com
dc.my-domain-name-here.com
Since this list is not updated automatically, the old servers are not available to provide the info. The new servers are not in the list since it is not added automatic. That means that the only server in the list was the original server. Once that server is no longer available, AD is unavailable. So much for fault tolerance.
SOLUTION
Workaround solution:
-type: echo y | reg add "HKLM\System\CurrentControlSet\Services\Netlogon\Parameters" /v SysvolReady /d 1
This makes the SYSVOL folder available and the AD Users-&-Computers should populate.
Permanent solution:
Once available, go to DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs
Manually edit them. Remove the ones that don't exist and add the ones that do.
- Details
SMTP providers:
| SERVICE | PRICE |
| ElasticEmail (up to 150K free) | $ - |
| AWS SES | $ 2.50 |
| SendInBlue | $ 7.37 |
| MailGun | $ 7.50 |
| MailJet | $ 8.00 |
| SparkPost | $ 9.00 |
| SendGrid | $ 10.00 |
| SCANMAILX | $ 15.00 |
| Mandrill | $ 20.00 |
| PostMark | $ 37.50 |
| SocketLabs | $ 80.00 |
| -based on 25K emails per month. |
- Details
apcupsd runs ups's. It's rather simple:
DOWNLOAD & INSTALL
Downloading and installation isn't hard
- -download the program here: https://sourceforge.net/projects/apcupsd/
- -install the program
RUN APCUPSD
Running apcupsd isn't hard:
- -click START > PROGRAMS > APCUPSD > START-APCUPSD
This will shut your computer down when the battery is nearing end of power.
TEST BATTERY WITH APCUPSD
One of my favorite parts is that apcupsd has some options to test a battery and set some battery options. Here's how:
- -first, stop apcupsd by: click START > PROGRAMS > APCUPSD > STOP-APCUPSD
- -you may have to stop the APCUPSD service: click START > RUN > SERVICES.MSC. Find APCUPSD in the list. Click STOP.
- -CMD (as admin)
- -cd to: C:\apcupsd\bin
- -type apcaccess.exe to see stats
- -type apctest.exe to test/configure battery
PERFORM CALIBRATION
Most of the trouble comes from performing calibration to the unit. This can be done in 2 different ways:
- -with APCTEST.
- -with a manual calibration.
A manual calibration is basically, to put at least a 30% load on the unit. Unplug the unit and let it drain to zero. Plug the unit back in.
NOTES:
-you cannot run apctest.exe with apcupsd running.
-click here for manual calibration docs as it gets into more detail than I care to display: http://www.apcupsd.com/manual/manual.html#manual-runtime-calibration
- Details
I've had a interest in FileMaker for decades. Nothing else seems to fit the custom software solution like FMP does.
So putting the FMP Server on a cloud VM was a information worth pursuing.
The costs from various places range like this (obscured to avoid any love letters):
| SOURCE | MONTHLY-COST | TOTAL COST |
| aws | 50 | 600 |
| lsn | 50 | 600 |
| host-1 | 71 | 852 |
| host-2 | 79 | 948 |
| host-3 | 99 | 1188 |
| host-4 | 100 | 1200 |
| host-5 | 130 | 1560 |
| host-6 | 130 | 1560 |
| host-7 | 140 | 1680 |
| host-8 | 150 | 1800 |
| host-9 | 150 | 1800 |
As outgoing Rackspace CEO recently referenced, it is hard to beat a disrupter like AWS. You're going to have to join them.
In the end, I decided to go with LSN. They have a CloudStack running and I can rely on their support if I'm ever in a jam.
NOTES:
http://www.soliantconsulting.com/blog/2016/01/filemaker-server-on-amazon-web-services
- Details
1- fix Windows Update
Use the Windows Update Troubleshooter here:
https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors
2- fix Windows Image
-open POWERSHELL (as admin)
-type: DISM.exe /Online /Cleanup-image /Restorehealth
3- fix Windows System File
-type: sfc /scannow
4- fix Windows Apps:
-type: Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}
- Details
Exchange 2013 Error: The global catalog verification failed
Working on Exchange 2013 and adding permissions to a mailbox, I get:
Active Directory operation failed on exchange.domain.tld. This error could have been caused by user input or by
the Active Directory server being unavailable. Please retry at a later time. Additional information: Additional
information: The global catalog verification failed. The global catalog is not available or does not support the
operation. Some part of the directory is currently not available.
Active directory response: 000020E1: SvcErr: DSID-03200672, problem 5002 (UNAVAILABLE), data 0
Here's how to fix:
- -delete the files in: C:\Users\administrator\AppData\Roaming\Microsoft\MMC
(or C:\Users\administrator.\AppData\Roaming\Microsoft\MMC) - -re-run the command: Add-MailboxPermission foo.user -User foo.user2 -AccessRights FullAccess -InheritanceType All
- set-mailbox foo.user -GrantSendOnBehalfTo foo.user1,foo.user2,foo.user3
That is all.
- Details
The Trust Relationship Between This Workstation and the Domain Has Failed
Reset-ComputerMachinePassword
Just as a USER-ACCOUNT is an object in AD, a COMPUTER-ACCOUNT is an object in AD. This has a password but the password isn't working. Let's reset the password.
- $credential = Get-Credential
(enter the domain admin account when prompted) - -type: Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential
Test-ComputerSecureChannel
Now, let's test the secure channel
- -start > programs > powershell (as administrator)
- -type: Test-ComputerSecureChannel
It will come back either TRUE or FALSE. If it's false, let's try and repair it.
- -login to localadmin-account on local system and type: Test-ComputerSecureChannel -repair
- -if that didn't work, try: Test-ComputerSecureChannel -Repair -Credential
(Use the username/password of the domain admin account) - -if you need to run remotely: Invoke-Command -ComputerName REMOTE-COMPUTER-NAME-HERE -ScriptBlock { Test-ComputerSecure Channel } -Credential (Get-Credential -UserName 'admin-here' -Message 'User')
- -if you need a one-liner: Test-ComputerSecureChannel -Repair -Credential (New-Object System.Management.Automation.PSCredential 'domain\adminaccounthere',(convertto-securestring $('password-here') -asplaintext -force))
What I usually find is that I can't run the commands remotely because the trust is broken. And when I run locally, it simply runs "False."
So I copy a powershell script onto the computer with the file name rejoin-domain.ps1
==================
$computer = Get-WmiObject Win32_ComputerSystem
$computer.UnjoinDomainOrWorkGroup("password-here", "administrator", 0)
$computer.JoinDomainOrWorkGroup("domain.tld", "password-here", "administrator", $null, 3)
Restart-Computer -Force
==================
Then run the powershell through a remote command line like this:
powershell c:\path-to-file\rejoin-domain.ps1
Netdom
An older way of fixing this was with NETDOM
-type: netdom reset computer /domain:domainname /userd:domainadmin /passwordd:password
What Lead Me Here
I found out the relationship failed by:
- -right-click a folder that is a shared folder for a group on the domain.
- -click properties
- -click security tab (at the top)
- -click advanced button (at the bottom)
- -effective-access tab
- -select a user
- -click VIEW-EFFECTIVE-ACCESS
- Details
ForensiT User Profile Wizard is a great tool when you are migrating from domainold.tld to domainnew.tld.
The free version is a manual process but the corporate version is an automated process that helped migrate an entire office.
Cost
The cost is around $2 USD per computer. So for 100 computers, the cost is $200. Priced correctly on the time you will save.
Installation
Simply download and install. It will install in c:\program files\ForeensiT\Profile Wizard\.
A license file will be emailed to you. Save the file in the location: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
Run The Wizard
Running the wizard will create a CONFIG file. The config file is an xml file that is editable by any text editor. The options are pretty standard. You will be able to get through them. Very simple, nothing complex. I think the only gotchas are:
-reboot without notice (as you'll be doing this off-hours).
-create a SINGLE-DEPLOYMENT-FILE.
When finished. It will save the CONFIG file in: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
Edit the Config File
Edit the CONFIG file at C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\. Run the PROFWIZ.EXE again to edit the file you just created.
You need to edit a few items to get it to work the way we want it to. Namely, the following:
< AdsPath > OU=Workstations,OU=Office,DC=olympic,DC=domain-name,DC=tld
< Silent > True
< NoMigrate > False
< NoReboot > False
< RemoveAdmins > True
< MachineLookupFile >\\server\share\migrate-pc-file.csv
< Log > \\sever\share\Migrate.Log
< ScriptLocation > \\server\share\Migrate.vbs
(yes, change this even if it says not to. I find having the server share is more accomodating)
< All > True
< Exclude > ASPNET,Administrator
< Persist > False
< NoGUI > True
< ProtocolPriority > LDAP
< DC > \ \ britannic2.britannic.domainname.tld
< ProfBatRetryLimit > 3
< ProfBatRetryDelay > 2
Most of the key/values are self explanitory. To choose which domain controller you want to join, the ProtocolPriority must be set to LDAP and the DC setting specifies the FQDN of the domain controller (make sure you precede with the "\\").
Create Migrate-PC.CSV File
A .csv file needs to be created. Column A is the current computer name. Column B is the new computer name. If the names are the same then the computer name doesn't change.
Save this file in \\server\share\migrate-pc-file.csv
Save the single-deployment-file in the same location: \\server\share
Deployment
I used 3 ways to deploy.
1- automatic from admin workstation:
- -download PROFBAT at: http://www.forensit.com/support-downloads.html
- -save it in:C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
- -make sure you are still on the domainold.tld and logged in a users at domainold.tld
- -reboot all the computers for a fresh start (use PDQ inventory if you need to do this automatically).
- -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
- -a cmd prompt opens
- you should be at: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\
- -type: profbat.exe
- -hit enter
- -wait... It will give some feedback but not much.
- -it will automatically go through all the computers in the .csv list, migrate all the profiles and join the new domain and reboot the computers.
- -once rebooted, everyone can use their new login at newdomain.tld
- -AWESOME!
- -the logs should be at \\server\share
- -each pc will have it's own migration log.
2- manually from admin workstation:
- -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
- -a cmd prompt opens
- -type: profwiz.exe /COMPUTER computer-name-here
- -hit enter
- -you will see:
> - -wait... It won't give any verbose information.
- -soon it will go to a new line once finished and you will see:
>
> - -the logs are the place you indicated (which should be \\server\share\).
3-manually at admin workstation after domainnew.tld
If for some reason, the pc's are joined to the domainnew.tld without the profiles being migrated, don't worry as it is pretty much the same process. The most important part is the first step:
- -make sure you are on the domainnew.tld and logged into a user with domainnew.tld
- -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin)
- -a cmd prompt opens
- -type: profwiz.exe /COMPUTER computer-name-here
- -hit enter
- -you will see:
> - -wait... It won't give any verbose information.
- -soon it will go to a new line once finished and you will see:
>
> - -the logs are the place you indicated (which should be \\server\share\).
4- manually at the client computer:
- -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\
- -edit the profwiz.config
- -change:
True - -save
- -run: migrate.vbs
- -it should show the progress and migrate all the profiles over.
- -reboot the computer.
5- automatically via logonscript
- -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\
- -add the migrate to the login-script: \\server\share\migrate.vbs
- -login to the client pc. It will begin the migrate process and skip if has already been run (of course it won't be referenced once the computer is joined to the new domain).
Final Thoughts
That's it! That should handle all the scenarios that will work. Of course, there are many scenarios that will NOT work. Most of the errors will be trying to move a client-pc on domainold.tld by using an admin-workstation already joined to domainnew.tld (and logged into domainnew.tld user). Or vice-versa. If you are making changes, the client-pc and the admin-pc must be on the same domain (at least for it to be easy).
In any event, in all scenarios I did not visit a single client pc. Everything worked with a little thinking. This should be built into Windows Server.
NOTES:
https://www.forensit.com/Downloads/User%20Profile%20Wizard%20Corporate%20User%20Guide.pdf
For the curious... Yes, it is possible to have 2 domains on the same network subnet at the same time. But there can only be one DHCP and both domains should reference the other in the DNS -> FORWARD LOOKUP ZONES. Simply add the other domain and IP address of the other domian server.
- Details
Watchguard, Mimecast and Office365
Couldn't get email from certain outside domains. Further investigation revealed that this is only happening from domains hosted at Office365. The error message in Mimecast is "Null result from socket."
This means that there is no response from the internal email server when Mimecast tries to deliver the message. That means it is being blocked by the WatchGuard.
WatchGuard logs show, something about the header size being 20656 and "header-line too large."
So WatchGuard is blocking anything where the header is too large.
You can see above the "Maximum email header size" is at 20,000 bytes.
We set it to: 21000.
Save > Push-Config
That did it!
NOTES:
- Details
Set Logon Script For Everyone in Domain | Set Logon Script For Everyone in OU
Good morning class! Today, let's set the LOGON SCRIPT for everyone in a domain or in an OU:
-run powershell (as admin)
To clear the value:
-type: get-aduser -filter * -searchbase "ou=
To set the value:
-type: get-aduser -filter * -searchbase "ou=
Or for a single user:
-type: set-aduser foo.user -clear scriptpath
-type: set-aduser foo.user -scriptpath
(ie: set-aduser foo.user -scriptpath ls)
See Logon Script for Everyone in Domain | Set Logon Script For Everyone in OU
-type: get-aduser -filter * -searchbase "ou=
Or in table form:
-type: get-aduser -filter * -searchbase "ou=
Or for a single user:
get-aduser foo.user -properties scriptpath
What About More? I Want More! Like the Home Folder?
Now I already know what you are going to ask... "Can I set the HOME FOLDER as well?"
YES!!! It's a little complicated so it is in another article here: http://www.daknetworks.com/index.php/blog/390-how-to-setup-home-drives-home-folders-and-login-scripts
- Details
How To Setup Home Drives, Home Folders and Login Scripts Automatically
Good morning class! This isn't duplicate content. This is valuable! I don't want the HOME-DRIVES part of the other article lost. So here it is:
- -setup a "users" folder on the server.
- -share the folder as: users$
- -set share-permissions to: EVERYONE=FULL-ACCESS.
- -set ntfs-permissions > disable-inheritance.
- -set ntfs-permissions: DOMAIN-USERS (or other sub-group is large domain) > this-folder-only = Traverse | Create-Folders
- -set ntfs-permissions: CREATOR OWNER > Subfolders-and-files = Full-Control
- -set ntfs-permissions: SYSTEM > this-folder-Subfolders-and-files = Full-Control
- -set ntfs-permissions: DOMAIN-ADMINS > this-folder-Subfolders-and-files = Full-Control
- -run powershell (as admin).
- -to get the values, type: get-aduser foo.user -properties homedrive, homedirectory, scriptpath
- -to clear the values, type: set-aduser foo.user -clear homedrive, homedirectory, scriptpath
- -to set the values, type: set-aduser foo-user -homedrive Z -homedirectory \\
\users$\foo.user -scriptpath logonscriptfilenamehere
We used to use %username% as a variable. But that doesn't work in powershell. However if you want to get same, it's a little long winded:
- -type: $username = (get-aduser foo.user -properties samaccountname |foreach { $_.samaccountname }).ToString()
- -type: set-aduser $username -homedrive Z -homedirectory \\
\users$\$username -scriptpath logonscriptfilenamehere
$username should be left as is. The folder will automatically be created and named exactly as the username! Too bad it doesn't automatically create the folder permissions like the GUI does in AD.
To set the permissions:
- -type: icacls("\\
\users$\'$username'") /grant ("$username" + ':(OI)(CI)F') /T
For an entire Domain or OU
How about for the whole domain or for an OU. Forget the long-winded scripts you see plastered all over the internet:
- -to get the values, type:
get-aduser -filter * -searchbase "ou=,ou= ,dc= ,dc=com" -properties homedrive, homedirectory, scriptpath |ft name, homedrive, homedirectory - -to clear the values, type:
get-aduser -filter * -searchbase "ou=,ou= ,dc= ,dc=com" |set-aduser -clear homedrive, homedirectory, scriptpath - -to set the values, type:
$usernames = (get-aduser -filter * -searchbase "ou=,ou= ,dc= ,dc=com" -properties samaccountname |foreach { $_.samaccountname })
foreach ($username in $usernames) {set-aduser $username -homedrive Z -homedirectory \\\users\$username -scriptpath logonscriptname} - -to set the permissions, type:
$userfolder = "\\\users$\"
foreach ($username in $usernames) {icacls ("$userfolder" + "$username") /grant ("$username" + ':(OI)(CI)F') /T}
!!!Please double-check and triple-check to make sure you have the correct punctuation above. This can be a career-changing event if you get this wrong!!!
NOTES:
Hopefully, it is obvious that
https://windowsserveressentials.com/2012/10/29/powershell-make-it-do-something-useful/
Users Complain that the HomeDrive is Not Available in VPN Connections
Since the user logs in without being connected to the domain, the homedrive is not setup correctly. You can use the following GPO to get connected so that the homedrive is also a mapped drive which will be available upon vpn.
user-configuration > preferences > windows-settings >drive-maps
- Details
I was going to write an article on how to create a trust relationship between two domains but the hard work has already been done by the fabulous people over at: https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html
- Details
RENAME DOMAIN
-rdp into dc1.olddomain.tld
(dc1 is your domain controller)
-go to dns tree.
-add new FORWARD-LOOKUP-ZONE.
-right-click FORWARD-LOOKUP-ZONE.
-click NEXT > NEXT > NEXT
-type in newdomain.tld
-click NEXT > NEXT > FINISH
(this is your new domain name)
-cd c:\installs
-rendom /list
-edit c:\installs\Domainlist.xml
-replace olddomain.tld with newdomain.tld
(in 4 places. The last place doesn't have a .tld)
-rendom /upload
-rendom /prepare
-rendom /execute
-reboot
-netdom computername dc1.olddomain.tld /add:dc1.newdomain.tld
-netdom computername dc1.olddomain.tld /makeprimary:dc1.newdomain.tld
-reboot
-gpfixup /olddns:olddomain.tld /newdns:newdomain.tld
-gpfixup /oldnb:olddomain /newnb:newdomain
-rendom /clean
-rendom /end
-remove olddomain.tld from dns tree.
-final reboot to make sure it survives reboot.
-go to DHCP tree.
-go to ipv4 > server-options
-change dns domain name to newdomain.tld
-restart DHCP service
-you have have to change each scope > scope-options
Client computers will need to be rebooted twice.
-once dc is rebooted, wait 15 minutes.
-reboot client computers.
-wait 15 minutes.
-reboot client computers again.
Client computers suffix should be changed automatically.
If you need a regedit to change the primary dns suffix when membership changes:
echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SyncDomainWithMembership /t REG_DWORD /d 00000001
If you have problems with a client pc joining the new domain, you can:
-netdom remove oldpc /Domain:olddomain.tld /Force
-reboot
-join newdomain.tld
If you really, really, really need, you can use the USER-PROFILE-WIZARD at https://www.forensit.com/downloads.html
NOTES:
-these are better instructions than mine: https://mizitechinfo.wordpress.com
- Details
Hyper-v migration. This is an offline migration (not a live migration). Here's how:
On the older HYPER-V host:
-shutdown the VM off gracefully.
-click ACTION > EXPORT (at the top).
This will export the entire VM somewhere. This can be an external drive or a network share.
On the newer HYPER-V host:
-click ACTION > IMPORT-VIRTUAL-MACHINE
-select the folder of the EXPORT (from above).
-select REGISTER THE VIRUTAL MACHINE
This will leave the VM where it is.
-select RESTORE THE VIRTUAL MACHINE.
This will place the VM where you tell it to.
- Details
There is a link between AD and EXCHANGE. But it isn't a hard link. Meaning that just because you create an AD account doesn't mean an Exchange account will be created.
Conversely, if you delete an AD account doesn't mean that the EXCHANGE account is deleted. Rather it is DISCONNECTED. It remains this way for 30 days. Then it is deleted.
Sometimes if you delete the AD account and the EXCHANGE account doesn't show DISCONNECTED until the MAILBOX-DATABASE runs its regular maintenance.
But you can force it to run by:
- Get-MailboxDatabase | Get-MailboxStatistics | Format-List DisplayName, MailboxGuid, Database, DisconnectReason, DisconnectDate
- Update-StoreMailboxState -Database “db_name” -Identity “mailbox_guid”
This is useful if you want to import some AD users into the domain from another domain but they already have EXCHANGE accounts. You can:
- -delete the AD accounts.
- -import the other AD accounts.
- -show the mailboxes as disconnected.
- -reconnect the mailboxes to the other AD accounts.
- Details
MegaRaid controllers can be confusing and difficult because of the companies that keep on merging together. Currently, Broadcom maintains LSI equipment. But, in my opinion, they are being difficult recently and forcing you to get support through the OEM's. OEM's like Supermicro don't have much information either.
In any event, you can control the MegaRaid cards either:
-upon boot up with a CTRL+H
-or through the MegaRaid Management Software
Again, I would list more but this web site has more information than we can provide:
Upon installation, the login is the login of the computer you are using.
You can now manage your raid.
- Details
I created a VHDX from a physical disk using a program called Disk2vhd.
Now I want to copy that VHDX back to a physical disk.
- -boot from E2B USB disk
- -select: systemrescuecd
Get your bearing by seeing what is recognized:
- fdisk |grep "/dev/"
To connect the VHDX and clone to the physical drive:
- -type: qemu-nbd --connect=/dev/nbd0 --format=VHDX
- -type: ddrescue --verbose --force /dev/nbd0 /dev/sda
To disconnect the VHDX:
- -type: unmount /mnt
- -type: qemu-nbd --disconnect /dev/nbd2
- Details
Migrating Active Directory Users and Merging Domains
Imagine you are part of a company. That company is being bought out by a larger company. To ease feelings, new email accounts are created at the larger company (ie
Now comes a point in time where the larger company wants to join the domains together. What are the options? How do you handle this situation?
Very good questions.
OPTION-1: 1 Forest & 2 Domains
A forest is a group of domains. It is possible to keep the domains separate but still have the same forest. @hq.tld and @branch.tld will live happily together and have a trust-relationship.
Two users would still exist. For example,
OPTION-2: Parent-Child Domain
The parent domain is hq.tld. It is possible to have a child domain such as branch.hq.com (or is you prefer, us.company.tld).
Two users would still exist. For example,
OPTION-3: Flat & Import
This consolidates everything down. It gets rid of messiness and flattens the company to 1 domain of hq.tld.
Only one user exist per person and this makes sense for people.
How To Flatten Domain and Import Users
- Details
When you start an email and you start to type in an email address, OUTLOOK will show a drop-down list of email addresses you've written to before.
This is an AUTOCOMPLETE-list (This is not an address-book or contact-list). What's surprising to me is that, to users, this list is more important than the contact-list or address-book. Probably because it automatically show.
What's more suprising is that there is no connection between the contact-list, address-book or AUTOCOMPLETE-list.
History Autocomplete
The AUTOCOMPLETE file used to be called the NK2 file. There is a ton of information about the NK2 file.But it's 2017 and closing to 2018, the NK2 file is no longer relevant. The data on the internet is becoming long in the tooth. So much bad information.
Location Autocomplete
In any event, the AUTOCOMPLETE list in OUTLOOK 2016 is here:
C:\Users\foo.user\AppData\Local\Microsoft\outlook\RoamCache\
The file name is something like:
Stream_Autocomplete_0_A603AC42FB764D4C9662D971D85637C2.dat
!!!Step 1 For Autocomplete!!!
Before you do anything, copy this file as a backup!!! The file size is small and can be copied in less than 5 seconds. This file is known to be volitile and can go from a large size down to zero without warning. This is why you want a backup.
Transfer Autocomplete
If you have an old computer and OUTLOOK setup and your new comuter and OUTLOOK setup doesn't have the list, you can:
- -close OUTLOOK.
- -copy this file to the new computer.
- -place in the following directory: C:\Users\foo.user\AppData\Local\Microsoft\outlook\RoamCache\
- -rename the current DAT file to something like: Stream_Autocomplete_0_A603AC42FB764D4C9662D971D85637C2.dat.old
- -change the wanted DAT file (with all the info in it) name to the current name, something like: Stream_Autocomplete_0_A603AC42FB764D4C9662D971D812345.dat
Export Autocomplete
You can export the names in the DAT file. Despite the name, the NK2EDIT is the best tool for this:
- -close OUTLOOK
- -download NK2EDIT here: https://www.nirsoft.net/utils/nk2edit.zip
- -unzip
- -run the tool
- (It should automatically populate with your current AUTOCOMPLETE file).
- -click FILE > SAVE-AS
This will save the file as an NK2 file that can later be imported somewhere else.
Import Autocomplete
This is for a fresh OUTLOOK with no AUTOCOMPLETE.
- -open the NK2 from the old system.
- -click FILE > EXPORT-TO-MESSAGE-STORE
This will overwrite the existing AUTOCOMPLETE with the items from the old AUTOCOMPLETE.
Merge Autocomplete
This is to merge old AUTOCOMPLETE with the current AUTOCOMPLETE.
- -open the NK2 from the old system.
- -click FILE > IMPORT-FROM-MESSAGE-STORE
- (This will merge the current AUTOCOMPLETE with the info from the older AUTOCOMPLETE.)
- -click FILE > EXPORT-TO-MESSAGE-STORE
This will overwrite the existing AUTOCOMPLETE with the items from the old AUTOCOMPLETE.
Rebuild Autocomplete
Let's say that the AUTOCOMPLETE file is gone. For whatever reason, it is emtpy (I'm bashfully looking away, avoiding eye contact). But you still have your PST/OST file. Can't you just rebuild the AUTOCOMPLETE with information that is in the SENT-ITEMS folder?
Yes, you can. Here's how:
- -open NK2EDIT (the list will be empty).
- -click ACTION > ADD-RECORDS-FROM-MAILBOX-RECIPIENT
This will allow you to rebuild the AUTOCOMPLETE with items from your SENT-ITEMS folder. This is probably what you want; as everyone you've written an email to will automatically be placed in here. In addition, you can place a checkmark to items from your INBOX as well.
Fiddle around with the settings and when you are satisfied, click FILE > EXPORT-TO-MESSAGE-STORE.
Edit the AUTOCOMPLETE
- -open NK2EDIT and edit away.
- -be sure to FILE > EXPORT-TO-MESSAGE-STORE.
Final Thoughts
In short, this is an oldy but goody. Considering the importance of AUTOCOMPLETE items to users, you wonder why this isn't built directly into the OUTLOOK.
NOTES
There is a POWERSHELL script that didn't exactly work for me but it looks promising if could be updated:
http://blog.degree.no/2012/01/outlook-adding-all-emails-in-sent-items-to-autocomplete-list/
- Details
Outlook 2016 Won't Open - Crashes Upon Starting Outlook 21016. Here's how I fixed it:
Office365 Repair
- -close OUTLOOK
- -click START > CONTROL-PANEL > PROGRAMS-AND-FEATURES
- -click MICROSOFT-OFFICE-365
- -click CHANGE (at the top).
- -click FULL-REPAIR (not "quick-repair")
- -wait 15 minutes.
- -try OUTLOOK again when finished.
x64 Bit
If that doesn't work, I've found the x64 bit to be more stable:
- -uninstall Microsoft Office x32
- -restart computer.
- -install Microsoft Office x64
Outlook Safe Mode
If that doesn't work:
- -hold CONTROL
- -click OUTLOOK icon to open.
- -click YES (for disable plugins)
- -click FILES > OPTIONS > ADD-INS > COM-ADD-INS > GO
- -uncheck everything.
- -checkmark MICROSOFT-EXCHANGE-ADD-IN
- -click OK
- -close OUTLOOK
- -open OUTLOOK in normal mode.
Set Data File
If that doesn't work:
- -click START > SETTINGS > CONTROL-PANEL > MAIL
- -click EMAIL-ACCOUNTS
- -click DATA-FILES (at the top)
- -select your mail account in the list.
- -click SET-AS-DEFAULT
- (yes, even if it already is).
- -click CLOSE > CLOSE.
- -open OUTLOOK.
Update iCloud
If that doesn't work:
- -close OUTLOOK.
- -update ICLOUD software here: https://www.apple.com/icloud/setup/
- -restart the computer
- -open OUTLOOK
Office365 Account Conflict
If that doesn't work, you might have an OFFICE365 account conflict. You may have one OFFICE365 account for WORD, EXCEL, OUTLOOK and another OFFICE365 account for EMAIL.
- -click START > SETTINGS > ACCOUNT
- -click EMAIL-&-APP-ACCOUNTS (on the left-hand side).
- -remove the OFFICE365 account that is only for email (leaving the OFFICE365 account that is for WORD, EXCEL, etc or the one that you use to login to the computer [ie same as your username]).
- -make sure the correct DATA-FILE is set as the DEFAULT (see above).
- -open OUTLOOK
Office Update
If that doesn't work:
- -click START > SETTINGS
- -click UPDATE-&-SECURITY
- -click CHECK-FOR-UPDATES
- -install any updates and restart the computer.
Redo
If that doesn't work, you've probably spent too much time on this:
- -start a new profile.
- -add the email accounts back in.
- Details
Microsoft Edge Pop Up Blocker Exceptions
As of this writing, there is not pop up blocker exception setting in Microsoft Edge. There is only an ON/OFF option.
However, you can still adjust this manually through the registry or regedit. You can manually edit here:
[HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\Allow]
Pop Up Blocker Exceptions Allow
Or you can follow the instructions below:
- -click start > run
- -type: cmd
- -type: echo y | reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\Allow" /v "url-name-here" /t REG_BINARY /d 00000000
(NOTE: keep the quotes in-tact. Use *.domain.tld for wildcard.)
Pop Up Blocker Exceptions Allow In Private
Also note that PrivateWindows mode has separate values located here (which doesn't mean they are all that private):
- -click start > run
- -type: cmd
- -type: echo y | reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate" /v "url-name-here" /t REG_BINARY /d 00000000
(NOTE: keep the quotes in-tact. Use *.domain.tld for wildcard.)
- Details
Exchange 2013 - Get the Number of Emails in a Folder
Here's how:
Get-MailboxFolderStatistics foo.user |Select Name, ItemsInFolder
It will show the folder structure and the number of items in each folder.
- Details
Exchange could not load the certificate with thumbprint. Or as the warning message states in the logs:
Microsoft Exchange could not load the certificate with thumbprint of 59235427B7C322A8CFD7E1EB939445A2EAF9F670 from the personal store on the local computer.
Get the information
There's a few ways to get the information to see the current certificate list.
First is through the Exchange Management Shell (EMS):
- -type: get-exchangecertificate
You can see the same list in the Exchange Admin Center (EAC):
- EAC > servers > certificates
You can also see the same list in Internet Information Services (IIS):
- -click server-name (on the left-hand side).
- -click SERVER-CERTIFICATES (on the middle section).
Once you have the information displayed, find the thumbprint of the certificate you are using for email.
Fix the error
In EMS:
- -type: Enable-ExchangeCertificate -Thumbprint
-Services None - -type: Enable-ExchangeCertificate -Thumbprint
-Services IMAP,POP,IIS,SMTP
Explanation
This error is actually coming from the configuration of the: get-transportservice
More specifically, the value at: get-transportservice |select InternalTransportCertificateThumbprint
In older versions this is called: get-transportserver
More specifically, the value at: get-transportserver |select InternalTransportCertificateThumbprint
With this command you will see the thumbprint of the certificate in the log.
Typing the commands above will replace this value with the new value.
For the curious, there is no fine-tuned fix. In other words, the following does not exist or work. Use the above commands:
set-transportservice InternalTransportCertificateThumbprint
- Details
Find All Distribution Groups A User Is A Member Of. I hope that makes sense. Let's say you have a user name: foo.user. What groups is foo.user a member of?
Here's how:
Get-DistributionGroup -Filter "Members -like 'CN=foo user,OU=where-ever,OU=Users,DC=domain-name-here,DC=tld'"
Since the DistinguishedName is used, it makes it nearly impossible to use the command unless you keep it in a handy note somewhere. Instead, this may be easier:
-type: $distinguishedName = (Get-Mailbox -Identity foo.user).distinguishedname
-type: $group = Get-DistributionGroup -Filter "Members -like '$($distinguishedName)'"
-type: Write-Host $group
- Details
Another article on the internet about Adobe Lightroom with high cpu on Mac OSX because, well, it's a problem (and Apple doesn't care).
- -close Lightroom app.
- -delete: /Users/
/Library/Preferences/com.adobe.Lightroom6.plist - -delete: /Users/
/Library/Preferences/com.adobe.Lightroom6.LSSharedFileList.plist - -delete anything else that looks like it belongs to Lightroom in: /Users/
/Library/Preferences/ - -delete anything that looks like it belongs to Lightroom in: /Users/
/Library/Preferences/Adobe/ - -delete anything that looks like it belongs to Lightroom in: /Users/
/Library/Application Support/Adobe/ - -delete anything that looks like it belongs to Lightroom in: /Users/
/Library/Caches/Adobe/ - -open LIGHTROOM
- -click LIGHTROOM > PREFERENCES > GENERAL.
- -uncheck "Select the current/previous import collection during import."
- -click PERFORMANCE (at the top).
- -uncheck "Use Graphics Processor."
- -make sure the import folder that it is trying to import from exists. In other words, sometimes the last import location is a external drive that doesn't exist anymore. Change it to somewhere neutral like the DESKTOP.