# daknetworks.com

You are here:

## Dell Precision 7720 Graphics

### Discrete Graphics / Switchable Graphics

It can be confusing as there are many variables here with different definitions. By default, the Precision 7720 has both an Intel onboard graphics chip and an added graphics chip (Nvidia/AMD; aka discrete-graphics). By default, the onboard chip is on as the primary graphics. This is true when using the laptop monitor, when a docking station is used and when a monitor is plugged directly into the laptop’s DisplayPort, HDMI connectors, and Thunderbolt/MiniHDMI port.

Dell calls this switchable-graphics. Disabling this must be done in the bios. If you have switchable graphics disabled, the onboard Intel GPU is not used.

With the "Discrete graphics controller direct output mode" or “Graphics Special Mode”, the external ports (DisplayPorts, HDMI connectors and Thunderbolt/MiniHDMI port) will be driven by the GPU directly.

https://www.dell.com/support/article/us/en/04/sln304550/precision-7510-7710-graphics-special-mode-setting-in-the-bios?lang=en

In short:

• -enter bios
• -disable switchable-graphics.
• -enable special-graphics mode.
• -enable dock-display-port

### Dell Dock

To make it more confusing, the WD15 dock with 130W adapter is not powerful enough for a Precision 7720 with discrete-graphics. A 180W adapter is needed with the WD15 or if you are using a TB16, you would need a 240W adapter.

Lastly, there are special drivers/firmware that are needed to make the USB-c supply the correct power. The following must be updated:

• -Thunderbolt Controller Driver
• -Thunderbolt 3 Firmware Update
• -ASMedia USB 3.0 Extended Host Controller Driver for Dell Thunderbolt Dock
• -RealTek USB GBE Ethernet Controller Driver for Dell Thunderbolt Dock
• -RealTek USB Audio Driver for Dell Thunderbolt Dock

https://www.dell.com/support/article/us/en/04/sln301075/how-to-use-and-troubleshoot-the-dell-thunderbolt-dock-tb16-?lang=en

## Share From Windows 10 Ricoh Savin

For my own notes, there are a few steps here.

2- turn on older sharing protocol

dism /online /enable-feature /featurename:smb1protocol

3- create folder

mkdir c:\scans

4- share folder & grant share-permissions

5- grant ntfs-permissions

icacls c:\scans /grant scans:f /t /grant administrators:f /t

====================

Graphically,

1- create a user called scans and give it administrator permissions

2- turn on the smb1 through the appwiz.cpl

3- create a scans folder at c:\scans

4- share the folder & grant scans user read/write

5- the ntfs permissions should be automatically set.

====================

You can check your work by seeing the users on the system:

net user

You can see the details of the scans user to see group membership:

net user scans

You can check to see the share & share-permissions:

net share scans

You can check to see the ntfs-permissions:

icacls c:\scans

Troubleshooting

Sometimes it works after I:

• -turn off smb1: dism /online /disable-feature /featurename:smb1protocol
• -turn on smb1: dism /online /enable-feature /featurename:smb1protocol
• -reboot: shutdown -r -t 3

## Outlook 2016 Search Not Working

There are many problem with Outlook 2016 not working. Here's a fix for some:

• -open Outlook
• -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
• -uncheck “Microsoft Outlook“.
• -click “Close”
• -close OUTLOOK.
• -navigate to the folder where the OST file lives (“C:\Users\username\AppData\Local\Microsoft\Outlook“).
• -right-click a highlighted file
• -click “Properties“.
• -checkmark “Allow this file to have contents indexed in addition to file properties” option if it isn’t checked already.
• -click “OK“
• -open Outlook
• -go to “File” > “Options” > “Search” > “Indexing Options” > “Modify”
• -recheck “Microsoft Outlook“
• -click “Close”

## SQL Server 2017 High CPU

Have a client with Windows SQL Express 2017. Every once in a while the thing goes awol, tops out the CPU and is slow to respond. This happens for a few hours then it settles down and doesn't happen for another four months or so. They are asking me why.

I'll tell you... I have no idea. They claim something is wrong with the server... I think a sql query is zombied and gone awry.

Here are my notes for the future...

### Diagnostics

As for some diagnostics, this says it better than I can:

https://blogs.msdn.microsoft.com/poojakamath/2018/05/03/where-is-my-sql-bpabest-practice-analyzer-for-sql-201420162017/

Just:

• -click FILE.
• -go to: C:\Program Files (x86)\Microsoft SQL Server\140\Tools\Policies\DatabaseEngine\1033
• -select all the files.
• -click EVALUATE.

### Multiple Instances

There might be multiple sql server versions running. Or instances running. We left the 2014 as a failsafe in case something went wrong with 2017, since we didn't know how it would react.

### Upgrade Away from Sql 2014:

I still think there's a serious bug in 2014 that everyone's ignoring. Since sql-2016 and sql-2017 released, there's no reason to fix bug per se. As a fix, simply upgrade, kill off 2014 and move on.

You are probably fine with 2017 and are at a place where we can remove sql-2014.

### Remove Any Unused Sql instance:

Or perhaps there's some type of process in the othe sql-instance that is set to run. If you are not using the other Sql instance, it is probably best to remove it so you can narrow down the number of variables.

### Ram-memory:

Ram-memory is meant to be used. That's what it is for. So if it is at 100% there's no need to be alarmed. In a traditional physical system, once the ram-memory is used up, the cpu will access the hard drive as virtual-memory/swap-space.

In a virtual system, such as this system, more ram-memory is dynamically added as the system needs it. This is referred to as hot-add ram. And it will keep a 20% buffer.

While this is supported by the operating system of the database server (Windows Server 2012 Standard), what I'm finding out is that SQL-Express (and the SQL-Standard version btw) is unable to hot-add ram. As shown here (Hot add memory):
https://docs.microsoft.com/en-us/sql/sql-server/editions-and-components-of-sql-server-2017?view=sql-server-2017

Also, looking at the link above, it shows that SQL-Express has a max buffer pool/buffer-cache of 1410MB, so hot-adding ram wouldn't help.

Looking into the db, this is exactly what it is using now:

1429700 kb physical_memory_in_use

This system is set to start with 4GB of ram-memory. Adding the 1410MB memory from above will put the usage around 5400MB. Adding 20% buffer will assign 6480MB. Here is the recent screenshot of memory assignment looking similar to our calculations:

All of this to say that you can double the startup Ram to 8GB. According to the datapoints, this is overkill and unnecessary but you have the memory so we might as well try it.

If those 3 items don't work then perhaps we can get away with using the Developer version of sql on the system which doesn't have the limitations.

Lastly, if the CPU load is at 100% then something is topping it out. A bad query is going to consume all resources available no matter how much you have. Adding more resources to compensate for a bad query is a bad idea.

NOTES:
https://www.mssqltips.com/sqlservertip/2393/determine-sql-server-memory-use-by-database-and-object/

## vmware tools on Centos 6.9 / SME 9

vmware-tools are here:

https://packages.vmware.com/tools/releases/index.html

This means the Centos packages are here:

https://packages.vmware.com/tools/releases/latest/rhel6/x86_64/index.html

It seems like these packages should work. Maybe there is something that I am missing but vmware-tools can be a pain. This says it better than I can:

https://unix.stackexchange.com/a/423219

For me, here's how I did it:

-open bash shell

-type (or copy/paste):

/sbin/e-smith/db yum_repositories set epel repository \
Name 'Epel - EL6' \
BaseURL 'http://download.fedoraproject.org/pub/epel/6/$basearch' \ MirrorList 'http://mirrors.fedoraproject.org/mirrorlist?repo=epel-6&arch=$basearch' \
EnableGroups no \
GPGCheck yes \
GPGKey http://dl.fedoraproject.org/pub/epel/RPM-GPG-KEY-EPEL \
Exclude perl-Razor-Agent \
Visible no \
status disabled

-type: signal-event yum-modify

-type: yum --enablerepo=* install open-vm-tools

-Voila! I get the following:

-don't forget to start them by typing: /etc/init.d/vmtoolsd start

NOTES:

mkdir /mnt/cdrom

/dev/cdrom /mnt/cdrom

## Hyper-V P2V Missing Operating System

I used Disk2VHD to create a P2V. Then I started Hyper-V and created a new VM. Upon startup I got, "Missing Operating System."

Here's how to fix:

-connect Windows 10 iso (or a Windows repair disk).
-press any-key to boot via iso.
-wait for windows 10 to show (it could take a minute).
-select Windows 10.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-click COMMAND PROMPT.
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y

Now, at this point, if you try to do some work in bootrec (rebuildbcd), you will get a message, ""the volume does not contain a recognized file system."

-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: LIST PARTITION
-type: SELECT PARTITION 3 (change this to your partition number. most likely 3)
-type: DETAIL PARTITION
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT

-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART

-boot from the iso one more time.
-click STARTUP-REPAIR.

It should find the Windows 10 installation and fix itself.

NOTES:

## Outlook 2016 | Exchange 2013: The signature is too big. Please try a smaller format.

When a person goes to OWA and tries to customize the signature, they get a message that the signature is too big.

• -go to EMS:
• -type: Get-MailboxMessageConfiguration foo.user

You will see the SignatureHtml. Most likely, there will be inline css styles in the signature pushing the character limit.

Or the DefaultFontSize is greater than what is acceptable. The following should clear the clear the signature-text and the signature-html. Then have the account try again to set the signature:

• -type: Set-MailboxMessageConfiguration -Identity user -SignatureText $null -DefaultFontSize 7 ## In-Place Archive Exchange 2013 The archive mailbox is an additional mailbox that's enabled for an account where messages older than 2 years are automatically moved (this can be customized in the retentionpolicy). This keeps the everyday mailbox at a more manageable level and allows for faster indexing and email searches. Some power users will familiar with archiving in Outlook as they may have crossed this issue in the past. They archive the email older than 2 years into a pst file. That pst file will show as a separate set of folders on the left hand side. In-Place Archive is very similar. However, where this different is that in-place archive is controlled by the Exchange administrator and does not require user intervention. The Exchange administrator can turn archiving on/off on the fly and control where the archive mailbox lives; this can be placed on the same edb or a different edb. Here's how to enable archiving: set-mailbox foo.user -archive Here's how to see what accounts have archive enabled: get-mailbox -Filter {ArchiveState -Eq 'local'} If you want to get the pertinent details of the archive such as archive database and archivename: get-mailbox -Filter {ArchiveState -Eq 'local'} |select alias,archivestate,archivedatabase,archivename,retentionpolicy |fl NOTES: https://docs.microsoft.com/en-us/exchange/policy-and-compliance/in-place-archiving/manage-archives https://docs.microsoft.com/en-us/exchange/policy-and-compliance/mrm/apply-retention-policies-to-mailboxes ## Federation Trust in Exchange ### Setup 1-First setup a trust to the Microsoft servers: • -login to the EAC. • -click ORGANIZATION. • -click SHARING. • -click ENABLE to add a Federation Trust to the Microsoft servers. • -click CLOSE. • -click MODIFY. • -select the PRIMARY domain. • -click OK. • -it will return a TXT record. • -create a TXT record for this domain on your public DNS server that contains the key. It will look like this: g1lg/IZ3MIHN0TaBsNMF+QzYbbA8Z39B/d46rQfQVmtNYbb6w0vRDQagL1b+bkbXbhstfg6PWw6JRtQqIIJ3Q== • -create a TXT record for this domian on your Private DNS servers in your Active Directory. • -wait. This should be around 15 minutes but can take 24 hours. 2-Second, the outside domain must do the same steps above. 3-Third setup an ORGANIZATION-SHARING using the outside domain. It will fail if the domains have not setup the trusts. • -checkmark enable calendar free/busy information sharing. 4-Fourth setup an INDIVIDUAL-SHARING policy and set it as the default policy for everyone in the Exchange server. ### Result That should do it; you should now be able to see each others calendars as FREE/BUSY (not details). To my dismay, this does not update users in the Global Address List (GAL) to include the outside domain. This means that, by default, looking up another person's calendar in the outsidedomain.tld is near impossible. You either have to manually type in all the outsidedomain.tld users into Exchange or use tools to do the sync for you; it is not built into Exchange. Grrrr... ### Troubleshooting As troubleshooting, you can get the URL by: • -hold CONTROL • -right-click the OUTLOOK icon (bottom-right). • -click TEST-EMAIL-AUTOCONFIGURATION. • -type in your password. • -click TEST. • -the AVAILABILITY-SERVICE-URL is the important URL. Also, in the EMS, you can use the commands: get-sharingpolicy foo-policy |fl get-organizationrelationship |fl get-federationinformation -DomainName outsidedomain.tld Test-FederationTrust -useridentity mail\inside.foo.user test-organizationrelationship -useridentity This e-mail address is being protected from spambots. You need JavaScript enabled to view it -identity outsidedomain.tld As a result of the above test-organizationrelationship troubleshooting command failing, I had to toggle two properties and had to run the following: Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication$false
Get-WebServicesVirtualDirectory | Set-WebServicesVirtualDirectory -WSSecurityAuthentication $True Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication$false
Get-AutodiscoverVirtualDirectory | Set-AutodiscoverVirtualDirectory -WSSecurityAuthentication $True ## Setup Send Connector in Exchange 2013 With Custom Port Number Setup Send Connector in Exchange 2013 With Custom Port Number • -login to ECP. • -click MAIL-FLOW (left-hand side). • -click SEND-CONNECTORS (top) • -click the "+" symbol. • -name it anything you want. Let's say "foo-send-connector". • -bullet CUSTOM. • -click NEXT. • -bullet ROUTE-THROUGH-SMART-HOSTS • -click the "+" symbol. • -type in the IP ADDRESS of the server you want to deliver the mail to. • -click SAVE. • -click NEXT. • -bullet EXTERNALLY SECURED. • -click NEXT. • -click the "+" symbol. • -type in the domain name that will be used for this sending setup. In other words, this setup is only going to be used with a particular domain name; contoso.com. In another way, when sending to contoso.com use the following custom smtp route instead of the normal smtp route. • -checkmark SCOPED-SEND-CONNECTOR. • -click the "+" symbol. • -select the server that this will apply to. Small setups will probably only have 1 server. • -click FINISH. Now this will work. But it is setup on the default port 25. This is standard. But what if you want a non-standard port. Let's say because the SAP setup is out of your control. -start the EMS. -type: Get-SendConnector |fl This will allow you to see the complete Send Connector setup in the steps above. You will notice the Port number is in the setup. -type: Set-SendConnector -identity "foo-send-connector" -Port:587 ## Ricoh Windows 10 1803 This article says it better than I can on how to setup a Ricoh Printer with Windows 10 v1803. ## WordPress Multiple Category Search Where do I start? Forgot my rant on how the world operates and has chosen WordPress over so many other better CMS's... Have an array in an URL like this: &foo=1,2,3,4 Take that array and search for all of them. The OPERATOR => IN, is the includes. Basically, we are trying to get a %like% sql statement. if (isset($_GET['area']) && !empty($_GET['area']) &&$_GET['area'] != 'all') {
$propareaArray = explode(",",$_GET["area"]);
$tax_query[] = array( 'taxonomy' => 'property_area', 'field' => 'slug', //'terms' =>$_GET['area'],
//'terms' => array($proparea[0],$proparea[1]),
'terms' => array_values($propareaArray), 'operator' => 'IN' ); } NOTES: Don't ask me why 'EXISTS' doesn't work. I think it should. If it did, I wouldn't have to go through this. ## Manage Printers In Windows 10 So, I'm late to the game on this one: printmanagement.msc ## Shared Mailbox Won't Disconnect From Outlook Scenario You are an administrator of an Exchange system. Through the ECP, you add yourself FULL-ACCESS to another mailbox account. The account naturally shows in your Outlook. You are finished with the account and no longer need access to it. Again, through the ECP, you remove yourself FULL-ACCESS. The account still shows in your Outlook. What gives? You might be tempted to remove the FULL-ACCESS through the EMS with the following: remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess But that yields: WARNING: An inherited access control entry has been specified: [Rights: CreateChild, Delete, ReadControl, WriteDacl, WriteOwner, ControlType: Allow] and was ignored on object "CN=where,OU=ever,OU=city,OU=Users,DC=domain,DC=tld". Description The mailbox is inheriting FullAccess permissions and has explicit FullAccess permissions. So when you removed the explicit FullAccess permissions, it won't have any effect unless a Deny permission is added. The problem is that Exchange doesn't tell you it is doing this. Solution To fix this, simply clear the Deny permission: remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -Deny NOTES: I've must have run into this before as I already have this post: http://www.daknetworks.com/blog/404-remove-mailbox-permissions-that-are-not-inherited ## ColdFusion Access The access page for ColdFusion: https://foo.tld/CFIDE/administrator/index.cfm If needed, you can remove the USERNAME & PASSWORD by editing: C:\ColdFusion10\cfusion\lib\neo-security.xml • -find: admin.security.enabled variable tag. • -change 'true' to 'false' • -restart the ColdFusion application server. Once you access the CFIDE, you can change the email settings there and test them as you save the settings. Any undelivered emails will show in: C:\ColdFusion10\cfusion\Mail\Undelivr You simply drop them back into the spool directory and ColdFusion will send them: C:\ColdFusion10\cfusion\Mail\Spool ## SuperMicro IKVM | Remote Console So the IKVM/Remote-Console doesn't work with Java 8 (aka jre1.8.0_171). Apparently, this is because starting with JAVA-8 any JAR signed with an MD5 hash will no longer be considered trusted. There are instructions to workaround the new JAVA limits but why bother. ### DOWNLOAD IKVM ### GET THE SERVER IKVM INFO If you can connect to the SUPERMICRO server, when you try to launch the CONSOLE-REDIRECT, it will download a LAUNCH.JNLP file. • -open the LAUNCH.JNLP file with NOTEPAD. • -at the bottom, it will have all the parameters neededd. ### RUN IKVM WITH PARAMETERS • -to run, type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" IP-ADDRESS USERNAME PASSWORD PORT • (ie: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.jar" 10.7.14.8 ADMIN PASSWORD null 5900 623 0 0) • -or type: "C:\Program Files (x86)\SUPERMICRO\IPMIView\iKVM.exe" IP-ADDRESS USERNAME PASSWORD PORT ## Cloning Disks Cloning disk can be in many ways. A following is a list of some of the ways: ## Move Wordpress Subdomain Creating a new web site in WordPress. Doing so, I create the web site at a subdomain such as: new.foowebsite.tld After the web site is up to client standards, we change the dns at the name servers. Now we have little squares where pictures once were. The pictures are coming from the CSS but only strange characters show. Here's how to fix. ### 1- change in the sql database: -go to myphpadmin -use the following as a guide. Be sure to change "wp_" with the prefix of your database "fooprefix_". UPDATE wp_options SET option_value = replace(option_value,'http://old.url.tld','https://www.newurl.tld') WHERE option_name ='home' OR option_name ='siteurl'; UPDATE wp_posts SET guid = replace(guid,'http://old.url.tld','https://www.newurl.tld'); UPDATE wp_posts SET post_content = replace(post_content,'http://old.url.tld','https://www.newurl.tld'); UPDATE wp_postmeta SET meta_value = replace(meta_value,'http://old.url.tld','https://www.newurl.tld'); This can be used to go from http to https as well. Or to go to an entirely different domain name. ### 2- change in the file names: But that doesn't change the files. If you are a sysadmin, you can use grep. Also WordPress has some built in functionality if you ssh into the server. First, test: wp search-replace 'http://old.url.tld' 'https://www.newurl.com' --dry-run Then run: wp search-replace 'http://old.url.tld' 'https://www.newurl.com' ### 3- check the wp-config.php Sometimes the site is hardcoded into the wp-config.php file. Check it to make sure it is correct. The hard coded line will typically be the last lines. NOTES: -here is the long version: https://codex.wordpress.org/Moving_WordPress ## Add New Domain Email Address to All Mailboxes in Exchange 2013 Lets say that your Exchange 2013 has multiple domains from various companies over the years: • @company1.tld • @company2.tld • @company3.tld Some mailboxes have @company1.tld email addresses but not all mailboxes have @company1.tld email addresses. A decision has been made that everyone without an @company1.tld email address needs to have one. Or you are staging for a domain change or company merger of some type. How do you find the mailboxes without @company1.tld and then add an @company1.tld email address without changing the current email address? Here's how: Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |ForEach {set-mailbox$_.samaccountname -EmailAddresses @{Add=$_.samaccountname+"@company1.tld"}} Boom. (Of course, this is provided that your samaccountname/computer-username is the name that you want to use for your email address. Most of the time it is.) Check your work: Get-Mailbox -Filter {EmailAddresses -notlike "*company1.tld"} |select emailaddresses ## DNS Scavenging First it is important to note that the dns record is owned by the node or individual computer. The dns record is not owned by the dns server. The dns server only keeps a record of the individual dns records. Kinda strange, right? What often happens is that the dns record changes on the individual computer but the dns server is not updated. When a query is run against the dns server, the record is incorrect because it was not updated. Secondly, there are 2 server roles here that work together; DNS and DHCP. Thirdly, the lease-time should be set to double the refresh-rate. Let's begin by starting with the DNS server: • -right-click on the server-name. • -click SET-AGING-SCAVENGING-FOR-ALL-ZONES. • -checkmark "Scavenge stale resource records". • -set both the no-refresh and the refresh interval to: 2-days • -click OK • -click "Apply these settings to existing..." • -click OK Great! You are on your way! Let's move to the the DHCP server: • -right-click on each dhcp zone. • -click PROPERTIES. • -set the dhcp-lease-time to: 4 days • -click the DNS tab (at the top). • -checkmark "Enable DNS Dynamic Updates..." • -bullet "Always Dynamically Update DNS" • -checkmark "Discard A and PTR records..." • -checkmark "Dynamically Update DNS Records..." Awesome! Almost finished. Finally, let's move back the DNS server: • -right-click on the server-name. • -click ADVANCED tab (at the top). • -checkmark "Enabled Automatic Scavanging of Stale Records" • -set the scavenging interval to: 1-day. You're done! BONUS If you have more than one DHCP server (for example, mulitple locations): • -open AD Users-&-Computers • -find the built-in group, DnsUpdateProxy • -add the DHCP servers from all locations. ## Find User's OU You know Joel in Sales. But you don't remember Joel's last name (because you've been staring at names all week) and you don't know Joel's OU. Here's how to find Joel: get-aduser -filter * |select samaccountname |findstr /i joel This will bring up all the Joel's in the domain. Hopefully you can narrow it down from here. Now to find Joel's OU in the details of his record: get-aduser joel.user This will show the "distinguishedname" and allow you to narrow down the OU. If you really want to see this properly in one line, we need to use the "canonicalname" and it would be like this: get-aduser -filter * -Properties Canonicalname |select samaccountname,canonicalname |fl |findstr /i joel ## Dell Bios Upgrade Command Line Here's how to upgrade the bios for Dell Latitude/Precision laptop if from remote: • -download the new bios • -cd c:\path-to-the-download • -click START > RUN > CMD • -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /s /r "/s" is silent "/r" is reboot • "/f" is force if the battery is not present. And if the battery is not present in the Dell Latitude/Precision laptop: • -type: c:\drivers\bios\Latitude_5X80_Precision_3520_1.9.3.exe /forceit "/forceit" is force if the battery is not present. ## Schedule a Restart with Command Line & Powershell Usually I schedule a restart with some network tools I have. But in this case, I can remotely access the system via command-line/powershell but my network tools are not working. Probably because it needs a reboot after installing some updates. Here's how to schedule a reboot with command line/powershell (works in either): • -click START > RUN • -type: cmd (or type: powershell) • -click OK • -type: schtasks /create /sc once /tn restart /tr “shutdown -r -f “”restart””” /st 13:00 /RU system Where "/st" is the time in 24H clock and "/ru" is necessary to run even if the user is logged in or not. ## Core i7 6500u Dell Inpiron 5559 Core i7 6500u Dell Inpiron 5559 should be a good fast processor. The laptop was dreadfully slow. Something had to be wrong. • -hit CTRL+ALT_DEL • -start TASK-MANAGER • -click PERFORMANCE tab • -click CPU (on the left-hand side) You will notice the SPEED to around 0.39GHz. Hmmm... seems like something is throttling the CPU. ### BIOS Settings I tried to fix some Bios Settings: • c-states = off • intel speedstep = off • intel turboboost = off Same result. Hmmm.... there must be some settings not being shown in the Bios that can be adjusted. ### ThrottleStop Here's how to fix (as shown in my really edited picture below): • -download ThrottleStop • 1-click LIMITS (on the right-hand side) • 2-this will show you exactly why the throttle is happening. The culprit being BD_PROCHOT. • 3-uncheck BD_PROCHOT (on the left-hand side) • 4-checkmark DISABLE-TURBO • 5-do NOT turn on SPEEDSTEP • 5-do NOT turn on SPEED-SHIFT-EPP (if on, it will have a green SST "speed shift technology".) (you can change the number next to SPEED-SHIFT and set it to zero, just delete the number and type over it) You will notice the SPEED to around 2.49GHz and the speed is noticably faster. ### Schedul to Auto Start • -start TASK-SCHEDULER using the basic scheduler. • -open the properties of the task. • -start THROTTLESTOP on startup whether someone is logged in or not. • -change the user to be SYSTEM. • -since THROTTLESTOP doesn't have to stay running, you can close it automatically. Find the THROTTLESTOP.INI file in the THROTTLESTOP directory/folder, open with text editor and change "DCExitTime" to the number of seconds to remain open, say 5 seconds. ### Final Thoughts There are reasons why this is happening. In the end, buy business class hardware (Dell Latitude/Precision; Lenovo ThinkPads, etc) that have more options in the BIOS. Intel-Adaptive-Thermal-Monitor might be the actual culprit. The issue is that there is no option to turn off in the BIOS. NOTES: ## Exchange Distribution Group Members Here's how to blank out all members in a distribution group: Update-DistributionGroupMember foo.group -Members$null

Here's how to update the members in a distribution group:

Update-DistributionGroupMember rochester.hills -Members foo.user1, foo.user2, foo.user3

If you need to adjust the list, do so in Excel, Word, Notepad, etc.

Here's how to add a Dynamic Distribution Group that contains all emails of a certain Organizational Unit (OU) in Active Directory (AD):

New-DynamicDistributionGroup -Name "foo.group.dynamic" -OrganizationalUnit "Foo OU" -RecipientFilter {((RecipientTypeDetails -eq 'UserMailbox'))}

There's probably a better way to do this.

Here's how to see the members of a Dynamic Distribution Group:

$foovariable = Get-DynamicDistributionGroup foo.dynamic.group Get-Recipient -RecipientPreviewFilter$foovariable.RecipientFilter -OrganizationalUnit $foovariable.RecipientContainer ## Exchange 2013 Distribution Groups Allow Outside Email First, find the groups you want to change and give us the group email name and the value: [PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |select name,RequireSenderAuthenticationEnabled
(where "*" is anything. So *foo is barfoo but not food. And foo* is foobar and food but not barfoo.)

Let at the results and see if these are the groups you want changed.

Next, get the groups and change the value you want changed:

[PS] Get-DistributionGroup |Where {$_.alias -like "verse*"} |Set-DistributionGroup -RequireSenderAuthenticationEnabled$false

## Asterisk Interoffice Calling Doesn't Work | IAX2

Three pbx/asterisk servers. MPLS is in place. Two servers can interoffice call through extension number. The third is reachable through the main number but not through extension number. It waits, then says "goodbye" and hangs up.

Looking at the logs when a call is made:

-type: asterisk -rvvvvv
-dial an extension in the other office
-returns:
======

[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [s@macro-remote-call:11] Goto("Local/P1220@hud-caller-answer-e107;1", "s-CHANUNAVAIL,1") in new stack
-- Goto (macro-remote-call,s-CHANUNAVAIL,1)
-- Executing [s-CHANUNAVAIL@macro-remote-call:1] Goto("Local/P1220@hud-caller-answer-e107;1", "s,x-dial") in new stack
-- Goto (macro-remote-call,s,12)
-- Executing [s@macro-remote-call:12] Dial("Local/P1220@hud-caller-answer-e107;1", "IAX2/c10325x@c16067x/1524775950.8016-1-3109-external-") in new stack
[Apr 26 16:52:37] WARNING[5653]: app_dial.c:1523 dial_exec_full: Unable to create channel of type 'IAX2' (cause 20 - Unknown)
== Everyone is busy/congested at this time (1:0/0/1)
-- Executing [t@internal:1] BackGround("Local/P1220@hud-caller-answer-e107;1", "vm-goodbye") in new stack

=====

-type: asterisk -R -x 'iax2 show peers'
c23013x          10.162.44.31    (S)  255.255.255.255  4569          OK (44 ms)
c23013i          10.162.44.31    (S)  255.255.255.255  4569          OK (44 ms)
c16067x          10.162.30.10    (S)  255.255.255.255  4569          UNREACHABLE
c16067i          10.162.30.10    (S)  255.255.255.255  4569          UNREACHABLE
4 iax2 peers [2 online, 2 offline, 0 unmonitored]

This shows that the servers are set to be reached through the local IP addresses in the MPLS. This also shows that the second server is "unreachable."

-there is a file at: /etc/asterisk/iax.conf
-iax is interoffice asterisk exchange

Perhaps what is happening here is that the UDP port binding in the MPLS is maintained by sending traffic through it. The binding expired, and there is no way for Asterisk to communicate with the IAX peer (other-Asterisk).

-go to remote asertisk server that cannot be reached.
-type: asterisk -R -x 'iax2 show peers'
c23013x          10.162.44.31    (S)  255.255.255.255  4569          UNREACHABLE
c23013i          10.162.44.31    (S)  255.255.255.255  4569          UNREACHABLE
c11025x          10.162.100.31   (S)  255.255.255.255  4569          UNREACHABLE
c11025i          10.162.100.31   (S)  255.255.255.255  4569          UNREACHABLE
4 iax2 peers [0 online, 4 offline, 0 unmonitored]

This shows that the server cannot reach either of the other two servers.

Rebooted the server:

-type: /sbin/shutdown -r +5

-wait for reboot to finish

-type: asterisk -R -x 'iax2 show peers'
c23613x          10.162.44.31    (S)  255.255.255.255  4569          OK (40 ms)
c23613i          10.162.44.31    (S)  255.255.255.255  4569          OK (41 ms)
c11325x          10.162.100.31   (S)  255.255.255.255  4569          OK (28 ms)
c11325i          10.162.100.31   (S)  255.255.255.255  4569          OK (28 ms)

You can see the peers are reachable again.

## Watchguard Partner Announcement

DAK Networks Company is pleased to announce that we are certified to sell/support/maintain WatchGuard firewalls, routers and access points through our relationship with the GigJit Company.

This relationship allows us to provide a total solution to clients as an easy solution for problems that small and medium sized companies deal with on a daily basis.

So no matter if you are IT manager at a medium-sized company, a CEO/President at a small company or a marketing manager at a small to medium sized company, we can help you make sure that your WatchGuard Firewall equipment is installed, subscribed and working correctly.

## 6B3B8D23-FA8D-40B9-8DBD-B950333E2C52

In 2 separate occasions today, I've come across the following error:

The application-specific permission settings do not grant Local Activation permission for the COM Server application with CLSID  {6B3B8D23-FA8D-40B9-8DBD-B950333E2C52}  and APPID {4839DDB7-58C2-48F5-8283-E1D1807D0D7D}

To fix, I followed this:

Also in both cases, the system was a Dell All In One. One was an Dell Inspirion 24" and one was a Dell Optiplex 7440. Both had Intel HD Graphics 530 and both needed the Intel RST updated.

I don't know why just yet but the RST drivers for the systems are not on the Dell Drivers web site. But they are in the Dell Enterprise Wiki:
http://en.community.dell.com/techcenter/enterprise-client/w/wiki/11654.optiplex-7440-aio-windows-10-driver-pack

Everything you need is in the CAB file.

Once again, I urge everyone to purchase Dell business class computers. I've been saying this for 20 years now and it is still the same issue. The business class systems are supported better. It isn't worth saving the money just to have you paying me to fix it for you. There is no savings.

## Konica BizHub Error Deletion

Printers are a pain for so many reasons.

This time around, printing to a Konica BizHub would automatically delete the print job with the status "Error Deletion" and the details, "Login Error."

But yet, others could print without hassle. What gives?

Konica BizHub printer options are awesome. There are so many settings it is mind blowing. One of these settings is User-Authentication or User-Auth.

If User-Auth is set to ON (on the physical printer\web settings) and the printer is installed, the driver is set to automatically pickup the settings of the physical-printer. Since the setting is User-Auth = ON (on the physical printer\web settings), the driver picks up that setting and tries to send a username & password. Since there are no usernames & passwords setup, the print job fails due to a login error.

How do you get around this?

So to print, you can manually set the settings on the print driver (rather than automatic). This allow you to set printer to User-Auth = OFF (on the driver).

Here's how in picture format:

## Hyper-V VHDX Disk to VirtualBox VDI Disk

Hyper-V VHDX disks can be created from a physical computer with Disk2VHD. You will end up with a VHDX disk. If you run into a problem where you cannot run Hyper-V, VirtualBox is a good alternative. The roadblock you might run into is that VirtualBox cannot run VHDX files. To convert to VirtualBox VDI Disk (VirtualBox native format):

• -click START > RUN
• -type: cmd
• -inside the command window, type: cd c:\program files\oracle\VirtualBox\
• -hit enter
• -type: VBoxManage clonemedium disk c:\path-to-vhdx\DESKTOP.VHDX c:\path-to-vdi\DESKTOP.VDI --format VDI

Now simply create a VM and use/attach the VDI disk.
(In the settins, I had to checkmark "Enable I/O APIC")

### Bonus

Let's say you want to start the VM without a GUI. This is "headless". If you want the VM to start when the host starts:

• -click START > RUN
• -type: cmd
• -inside the command window, type: cd c:\program files\oracle\VirtualBox\
• -hit enter
• -type: VBoxManage list vms
(this will show a list of VM's)

Let's add the VM to start automatically on a Windows host:

• -click START > RUN
• -type: shell:startup
• -create a shortcut in this directory
• VBoxManage startvm MyVM --type headless

## Delete Emails Across Entire Exchange 2013

1-First create a folder in your Outlook called: SearchAndDeleteLog
(As a root folder. Not an INBOX subfolder)

2-Now in Exchange-Mangement-Shell EMS) search for the messages with the SENDER, DATE and SUBJECT and put the results in your own mailbox:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/17/2018" AND Subject:"Your bank statement"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

Or for a date-range:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/16/2018 10:00..03/17/2018 13:00" AND Subject:"Your bank statement"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog" -LogOnly -LogLevel Full

3-Look in your Outlook and verify the results.

4-After you are sure of the results, run the command to delete:

Get-Mailbox -ResultSize unlimited | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/17/2018"} -DeleteContent

If you need to copy the messages from a specific mailbox:

Get-Mailbox foo.user | Search-Mailbox -SearchQuery {from: This e-mail address is being protected from spambots. You need JavaScript enabled to view it AND Received:"03/01/2018"} -TargetMailbox "my.account" -TargetFolder "SearchAndDeleteLog"

## Resource Room in Exchange 2013

Resource room in Exchange 2013. Let's say you have a conference room. And you want everyone in the office to:

• -see a calendar for the conference room.
• -see if the conference room is available/busy.
• -schedule an event for the conference room.
• -see the details of the conference room.

#### Create Resource Room

First create a mailbox resource room. This can be a ROOM or it can be EQUIPMENT. The idea is that it is a shared resource.

• $new-mailbox foo.resource -type room or •$new-mailbox foo.resource -type equipment

Afterwards, set the permissions for the mailbox and the calendar. This must be done at the top-of-information-store AND at the calendar level:

• $set-MailboxFolderPermission foo.room:\ -user Default -AccessRights Reviewer •$set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Reviewer

To schedule the calendar in OUTLOOK,

• -click NEW > MEETING
• -click TO
• -select ALL-ROOMS
• -click the room required.
• -click RESOURCES (at bottom-left, to add the room to the RESOUCE area).
• -click the date and time you need.
• -click SEND

This will schedule the room for you, put the event on your personal calendar, put the event on the room calendar for everyone to see and manage if it is in use or not.

#### Everyone In Office To Add Events To A Shared Calendar

If everyone in the office is "playing nice" and if you just want the calendar to show, have people double-click on the calendar day to start an event and schedule a time, then set the calendar permissions to AUTHOR:

• $set-MailboxFolderPermission foo.room:\calendar -user Default -AccessRights Author #### NOTES: -REVIEWER role is the following: (the "-" is not allowed) ReadItems FolderVisible -CreateItems -EditOwnedItems -EditAllItems -CreateSubfolders -DeleteOwnedItems -DeleteAllItems -FolderOwner -FolderContact -AUTHOR role is the following: (the "-" is not allowed) ReadItems FolderVisible CreateItems EditOwnedItem DeleteOwnedItemss -EditAllItems -CreateSubfolders -DeleteAllItems -FolderOwner -FolderContact More at: https://technet.microsoft.com/en-us/library/dd298062(v=exchg.150).aspx ## Can't Scan From Ricoh Printer After Update | Can't Scan From Savin Printer After Update Your scanning used to work from the Ricoh/Savin. It used to go right into a folder you had setup. Then the computer updated itself in the Fall/Winter of 2018 or early 2018. Now when you try to scan, it doesn't work. This is because the computer updated to Windows 10 v1709 (aka Fall Creators Update). In this update, a change was made so that your computer can no longer talk to the Ricoh/Savin scanner. The update took away a communication protocol called SMBv1. The correct fix is to change the way the scanner talks to the computer and use a newer communication protocol. In lieu of making those changes, you can re-enable SMBv1: • -click START > RUN • -type: CMD • -click OK • -type: dism /online /enable-feature /featurename:smb1protocol The same is true for disabling: • -type: dism /online /disable-feature /featurename:smb1protocol ## Fix Office 2016 For 32-bit (x86) Office 2013 installed in 32-bit Windows using Click-To-Run: • "C:\Program Files\Microsoft Office 15\ClientX86\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us For 32-bit (x86) Office 2013 installed in 64-bit Windows using Click-To-Run: • "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x86 culture=en-us For 64-bit (x64) Office 2013 installed in 64-bit Windows using Click-To-Run: • "C:\Program Files\Microsoft Office 15\ClientX64\OfficeClickToRun.exe" scenario=Repair platform=x64 culture=en-us For Office 2013 installed using traditional MSI method: • "C:\Program Files\Common Files\microsoft shared\OFFICE15\Office Setup Controller\Setup.exe" ## Outlook Rules / Exchange 2013 Rules / Inbox Rules For Mail You can see INBOX rules every mailbox: GET:$get-InboxRule -mailbox foo.user

You will get something like:
Name                          Enabled                       Priority                      RuleIdentity
----                          -------                       --------                      ------------
foo.bar.rule                  True                          1                             6404806255763783681

Of course, you can see the details by:

## Get Computer Information Via Command Line - WMIC

I spent some time in compuer maintenance. This is thousands of computers across multiple locations on the globe. If I have to physically visit a computer, I've lost. The goal is to be able to provide network administration to all computers without ever having to physically visit on-site.

Because of this goal, gathering information is important.

WMIC is one tool for this. Here are some nice cheatsheet items:

Get the video card information/display-adapter information:
wmic path win32_VideoController get name

Get the video card driver:
wmic path win32_VideoController get driverVersion

Get the motherboard information:
wmic baseboard get product

Get the onboard devices:
wmic onboarddevice get description

Get the serial number in the bios:
wmic bios get serialnumber

Get the bios version:
wmic bios get smbiosbiosversion

Love it!

## Dropbox See What Computer Is Making Chages

There are three areas that we need to look at to see what computer is making changes. This is in the online web site version.

In the RECENT area:

• -click the ELIPSES (the dots next to the title).
• -click the VERSION-HISTORY.
• -hover over the word DESKTOP. It will show the name of the computer that made the change.

## Remove Mailbox Permissions That Are Not Inherited

In performing a periodic check on permissions on mailboxes in EXCHANGE 2013, I saw that there are some permissions that would not remove.

Here's how to check for additional permissions across all mailboxes:

Get-Mailbox | Get-MailboxPermission | where {$_.user.tostring() -ne "NT AUTHORITY\SELF" -and$_.IsInherited -eq $false} | Select Identity,User,@{Name='Access Rights';Expression={[string]::join(', ',$_.AccessRights)}} | Export-Csv -NoTypeInformation mailboxpermissions-v1.csv

There are some entries that did not belong that look like this:

RunspaceId: 03d29daa-2ca3-4428-bbe4-4ebc1102b86e
AccessRights: {FullAccess}
Deny: True
InheritanceType: All
User: DOMAIN:foo.user2
Identity: DOMAIN/Users/foo.user
IsInherited: False
IsValid: True
ObjectState: Unchanged

When I tried to remove them, I used this command:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

But that didn't work, the permission remained the same. I could see that the permission is not-inherited and that the permission is to DENY.

To get it to work, I had to remove the DENY permission, like this:

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess -InheritanceType All -deny

The MS doc site shows like the following but I had no idea what <switchparameter> options were.

[-Deny <SwitchParameter>]

NOTES:

I've run into this more than one, as I created another post: http://www.daknetworks.com/blog/439-shared-mailbox-wont-disconnect-from-outlook

## Brother Printer DOA

Brother Printer DOA. Plugged in. Turned on. Lights flash. Then go off.

Called Brother support. They said it was a firmware issue and I had to take it to the authorized Brother dealer... I guess I can't handle it.

• -find a Windows XP computer.
• -install the Brother Maintenance USB Driver.
• -plug in the USB printer.
• -the computer should recognize it and install the device in the PRINTERS list.
• -click on the MAINTENANCE printer in the list to highlight it.
• -click FILE > PRINT-FILE
• -select the firmware.
• -wait a few minutes till all  the lights on the printer are on and stay on.
• -power cycle the printer.

NOTES:

## "Windows 10" Black Screen After September 2017 Updates

Client Dell Latitude Laptop E5570 boots past the Dell logo (bios logo) and gets a black screen and can see nothing. The computer responds to a remote support software. I see nothing but I can run commands via command line (cmd) and get a response.

• -start the command line interface.
• -type: sc config "appreadiness" start= disabled
• -type: shutdown -r -t 3

This will disable the appreadiness service and restart the computer. The computer should boot to the login screen without difficulty.

If I didn't have the command line interface and simply has a laptop at home, I would try to get into safe-mode and then run the commands there:

• -click start > run
• -type: cmd
• -click OK
• -type: sc config "appreadiness" start= disabled
• -type: shutdown -r -t 3

## Add Photo into Outlook / Exchange 2013 for Everyone

Sometimes when I get an email from someone in OUTLOOK, their photo shows. How do they do that?

Setting your picture can happen in a few ways.

OUTLOOK

• -open OUTLOOK.
• -click FILE (at the top-right).
• -click CHANGE (under the picture).

WEB SITE

This is also possible on the web site at:

• -https://domain.tld/owa
• -click your name (at the top-right).
• -click CHANGE (under the picture).

This is also possible by having the administrator do it for a single user, OU or entire domain.

For a single user and you know the file location:

• Set-UserPhoto "username" -PictureData ([Byte[]] $(Get-Content -Path "C:\path-to-file\username.jpg" -Encoding Byte -ReadCount 0)) -Confirm:$false

For everyone:

• -save photos in common location.
• -name the photos the same as the username.
• -get all the users in EXCHANGE:
get-user -resultsize unlimited |select samaccountname |export-csv c:\pah-to-file\users.csv
• -add a column called "picture"
• -run the command:
Import-csv "c:\pah-to-file\users.csv" | foreach {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes(c:\path-to-pics\$_.samaccountname.jpg)) -Confirm:$false} For an OU • get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties HomeDirectory |foreach ($_.samaccountname ) {Set-UserPhoto -Identity $_.samaccountname -PictureData ([System.IO.File]::ReadAllBytes($_.HomeDirectory+"\"+$_.samaccountname+".jpg")) -Confirm:$false}

Done!

## Compress PDF With Ghostscript On Windows

Compress PDF with Ghostscript On Windows

Installation is easy but the installer doesn't put the directory in the PATH. Until that time, you will have to type in the whole path to run the program:
C:\Program Files\gs\gs9.21\bin\gswin64c.exe

Adding to the PATH allows you to run the program by just using:
gswin64c.exe

To change the PATH temporarily, you can add to the PATH by typing in the command line:
set PATH=%PATH%;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\

Or you can:

• -right-click MY-COMPUTER/
• -click PROPERTIES
• -click ENVIRONMENTAL-VARIABLES (at the bottom-right).
• -in the lower section called "SYSTEM VARIABLES", find PATH
• -click EDIT
• -find VARIABLE VALUE
• -keep everything there
• -go to the end of the value
;C:\Program Files\gs\gs9.21\bin\;C:\Program Files\gs\gs9.21\lib\;

NOTE: do not remove any of the existing values.

### RUNNING GHOSTSCRIPT

The idea here is that Ghostscript will create PDF's for you without step-by-step interaction. Let's say you have a directory of PDF that somebody scanned at 1200dpi with each PDF at 10MB. After time, this directory becomes entirely too large. We can use Ghostscript to re-compress the PDF's by 90% and take each PDF down to 1MB.

Ghostscript is suite of commands and not just one command. The command we are interested in is: ps2pdf

To run for a single file:
ps2pdf -dPDFSETTINGS#/ebook C:\path\to\input\file.pdf c:\path\to\output\file.pdf

There are a bunch of options but the most are correctly set by default:
https://www.ghostscript.com/doc/current/Ps2pdf.htm

Here is a script to run for an entire directory. Create the batch file and name it compress-all.bat. Put the batch file in the directory for which you want to compress files. Run the batch file from command line. It will create a "compressed" folder and put a copy of the compressed files in there:
=====

@echo off
setlocal
set GS_OUTPUT_DIR=compressed
mkdir %GS_OUTPUT_DIR%
for %%i in (*.pdf) do ps2pdf -dPDFSETTINGS#/ebook "%%i" "%GS_OUTPUT_DIR%\%%i"


## Branch Office AD isn't working when the HQ AD is offline

### SITUATION DISCOVERY

Branch Office Domain Controller Active Directory isn't working when the HQ DC AD is offline. Hurricane Irma knocked power out at the HQ location. The HQ DC AD server was shut down to prevent any issues.

Branch offices across North America have DC's, AD's and DNS.

When users go to a local server share, they get the login box with an error message:
"Search Results The system cannot contact a domain controller to service the authentication request"

When I go to the AD Users & Computers, I get an error message:
"Active Directory Naming Information Could Not Be Located"

The Users & Computers tree on the left hand side has an X for "Active Directory Users and Computers" and the center box is blank.

### DIAGNOSTICS

I make sure DNS is setup correctly:
IPV4: 10.162.99.99
DNS1: 10.162.99.99 (SELF, always should be this way)
DNS2: 10.162.55.55 (HQ1)
DNS3: 10.162.55.56 (HQ2)

==========
I make sure the FORWARDERS are set correctly:
4.2.2.2

And working:
nslookup where-ever.tld 4.2.2.2

PASS     PASS

==========
Ping domain:
ping my-domain-name-here.com

Positive reply. So I know the domain and AD exists. I just can't reach it.

==========
Next, I try a dcdiag /fix:
dcdiag /fix

<snip>
"Warning: DcGetDcName(GC_SERVER_REQUIRED) call failed, error 1355
A Global Catalog Server could not be located - All GC's are down.
</snip>

Bummer... it cannot reach a Global-Catalog. This is certainly the heart of the issue.

==========
Next, I check to see if my server is a GLOBAL-CATALOG server:

Repadmin: running command /options against full DC DC-01.my-domain-here.com
Current DSA Options: IS_GC

Well, I now know that the server I am using is a GLOBAL-CATALOG.

==========
Next, I check to see what servers are global catalog servers as stated in DNS:
nslookup gc._msdcs.my-domain-name-here.com

Server:  dc-al-01.my-domain-name-here.com

Name:    gc._msdcs.my-domain-name-here.com
10.162.190.213
10.162.509.231
10.162.260.101
10.162.430.110
10.162.410.19
10.162.100.222

The server is in the list on DNS as a GLOBAL-CATALOG.

==========
Next, I try a dsquery:
dsquery server -isgc

dsquery failed:The specified domain either does not exist or could not be contacted.

==========
Next, I try a nltest:
nltest /dsgetdc:my-domain-name-here.com
Getting DC name failed: Status = 1355 0x54b ERROR_NO_SUCH_DOMAIN

==========
Next, I look at a registry value:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Netlogon\Parameters

### CAUSE

There is certainly more to this. The AD isn't setup correctly. Active Directory uses the _msdcs.my-domain-here.com sub-domain to host SRV records. These records are not automatically updated, even in 2012-R2. Consequently, there may be outdated servers listed. In addition, the new servers will be missing.

You can find the domain and the servers here:

DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs

dc1.my-domain-name-here.com
dc.my-domain-name-here.com

Since this list is not updated automatically, the old servers are not available to provide the info. The new servers are not in the list since it is not added automatic. That means that the only server in the list was the original server. Once that server is no longer available, AD is unavailable. So much for fault tolerance.

### SOLUTION

Workaround solution:

This makes the SYSVOL folder available and the AD Users-&-Computers should populate.

Permanent solution:

Once available, go to DNS -> DC-SERVER-01 > FORWARD > my-domain-name-here.com > _msdcs

Manually edit them. Remove the ones that don't exist and add the ones that do.

## SMTP Providers

SMTP providers:

 SERVICE PRICE ElasticEmail (up to 150K free) $- AWS SES$       2.50 SendInBlue $7.37 MailGun$       7.50 MailJet $8.00 SparkPost$       9.00 SendGrid $10.00 SCANMAILX$   15.00 Mandrill $20.00 PostMark$   37.50 SocketLabs $80.00 -based on 25K emails per month. ## apcupsd apcupsd runs ups's. It's rather simple: ### DOWNLOAD & INSTALL Downloading and installation isn't hard ### RUN APCUPSD Running apcupsd isn't hard: • -click START > PROGRAMS > APCUPSD > START-APCUPSD This will shut your computer down when the battery is nearing end of power. ### TEST BATTERY WITH APCUPSD One of my favorite parts is that apcupsd has some options to test a battery and set some battery options. Here's how: • -first, stop apcupsd by: click START > PROGRAMS > APCUPSD > STOP-APCUPSD • -you may have to stop the APCUPSD service: click START > RUN > SERVICES.MSC. Find APCUPSD in the list. Click STOP. • -CMD (as admin) • -cd to: C:\apcupsd\bin • -type apcaccess.exe to see stats • -type apctest.exe to test/configure battery ### PERFORM CALIBRATION Most of the trouble comes from performing calibration to the unit. This can be done in 2 different ways: • -with APCTEST. • -with a manual calibration. A manual calibration is basically, to put at least a 30% load on the unit. Unplug the unit and let it drain to zero. Plug the unit back in. ### NOTES: -you cannot run apctest.exe with apcupsd running. -click here for manual calibration docs as it gets into more detail than I care to display: http://www.apcupsd.com/manual/manual.html#manual-runtime-calibration ## FileMaker on a cloud Virtual Machine I've had a interest in FileMaker for decades. Nothing else seems to fit the custom software solution like FMP does. So putting the FMP Server on a cloud VM was a information worth pursuing. The costs from various places range like this (obscured to avoid any love letters):  SOURCE MONTHLY-COST TOTAL COST aws 50 600 lsn 50 600 host-1 71 852 host-2 79 948 host-3 99 1188 host-4 100 1200 host-5 130 1560 host-6 130 1560 host-7 140 1680 host-8 150 1800 host-9 150 1800 As outgoing Rackspace CEO recently referenced, it is hard to beat a disrupter like AWS. You're going to have to join them. In the end, I decided to go with LSN. They have a CloudStack running and I can rely on their support if I'm ever in a jam. NOTES: http://www.soliantconsulting.com/blog/2016/01/filemaker-server-on-amazon-web-services ## The Quick and Dirty Windows 10 Fix 1- fix Windows Update Use the Windows Update Troubleshooter here: https://support.microsoft.com/en-us/help/10164/fix-windows-update-errors 2- fix Windows Image -open POWERSHELL (as admin) -type: DISM.exe /Online /Cleanup-image /Restorehealth 3- fix Windows System File -type: sfc /scannow 4- fix Windows Apps: -type: Get-AppXPackage | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"} ## Exchange 2013 Error: The Global Catalog Verification failed Exchange 2013 Error: The global catalog verification failed Working on Exchange 2013 and adding permissions to a mailbox, I get: Active Directory operation failed on exchange.domain.tld. This error could have been caused by user input or by the Active Directory server being unavailable. Please retry at a later time. Additional information: Additional information: The global catalog verification failed. The global catalog is not available or does not support the operation. Some part of the directory is currently not available. Active directory response: 000020E1: SvcErr: DSID-03200672, problem 5002 (UNAVAILABLE), data 0 Here's how to fix: • -delete the files in: C:\Users\administrator\AppData\Roaming\Microsoft\MMC (or C:\Users\administrator.<foo>\AppData\Roaming\Microsoft\MMC) • -re-run the command: Add-MailboxPermission foo.user -User foo.user2 -AccessRights FullAccess -InheritanceType All • set-mailbox foo.user -GrantSendOnBehalfTo foo.user1,foo.user2,foo.user3 That is all. ## The Trust Relationship Between This Workstation and the Primary Domain Has Failed The Trust Relationship Between This Workstation and the Domain Has Failed ### Reset-ComputerMachinePassword Just as a USER-ACCOUNT is an object in AD, a COMPUTER-ACCOUNT is an object in AD. This has a password but the password isn't working. Let's reset the password. •$credential = Get-Credential
(enter the domain admin account when prompted)
• -type: Reset-ComputerMachinePassword -Server ClosestDomainControllerNameHere -Credential $credential ### Test-ComputerSecureChannel Now, let's test the secure channel • -start > programs > powershell (as administrator) • -type: Test-ComputerSecureChannel It will come back either TRUE or FALSE. If it's false, let's try and repair it. • -type: Test-ComputerSecureChannel -repair • -if that didn't work, try: Test-ComputerSecureChannel -Repair -Credential ### Netdom An older way of fixing this was with NETDOM -type: netdom reset computer /domain:domainname /userd:domainadmin /passwordd:password ### What Lead Me Here I found out the relationship failed by: • -right-click a folder that is a shared folder for a group on the domain. • -click properties • -click security tab (at the top) • -click advanced button (at the bottom) • -effective-access tab • -select a user • -click VIEW-EFFECTIVE-ACCESS ## ForensiT User Profile Wizard For Entire Location ForensiT User Profile Wizard is a great tool when you are migrating from domainold.tld to domainnew.tld. The free version is a manual process but the corporate version is an automated process that helped migrate an entire office. ### Cost The cost is around$2 USD per computer. So for 100 computers, the cost is $200. Priced correctly on the time you will save. ### Installation Simply download and install. It will install in c:\program files\ForeensiT\Profile Wizard\. A license file will be emailed to you. Save the file in the location: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\ ### Run The Wizard Running the wizard will create a CONFIG file. The config file is an xml file that is editable by any text editor. The options are pretty standard. You will be able to get through them. Very simple, nothing complex. I think the only gotchas are: -reboot without notice (as you'll be doing this off-hours). -create a SINGLE-DEPLOYMENT-FILE. When finished. It will save the CONFIG file in: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\ ### Edit the Config File Edit the CONFIG file at C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\. Run the PROFWIZ.EXE again to edit the file you just created. You need to edit a few items to get it to work the way we want it to. Namely, the following: <! -- Corporate Edition Settings -- > < AdsPath > OU=Workstations,OU=Office,DC=olympic,DC=domain-name,DC=tld < Silent > True < NoMigrate > False < NoReboot > False < RemoveAdmins > True < MachineLookupFile >\\server\share\migrate-pc-file.csv < Log > \\sever\share\Migrate.Log < ScriptLocation > \\server\share\Migrate.vbs (yes, change this even if it says not to. I find having the server share is more accomodating) <! -- Settings for migrating all profiles -- > < All > True < Exclude > ASPNET,Administrator <! -- Advanced Settings -- > < Persist > False < NoGUI > True < ProtocolPriority > LDAP < DC > \ \ britannic2.britannic.domainname.tld < ProfBatRetryLimit > 3 < ProfBatRetryDelay > 2 Most of the key/values are self explanitory. To choose which domain controller you want to join, the ProtocolPriority must be set to LDAP and the DC setting specifies the FQDN of the domain controller (make sure you precede with the "\\"). ### Create Migrate-PC.CSV File A .csv file needs to be created. Column A is the current computer name. Column B is the new computer name. If the names are the same then the computer name doesn't change. Save this file in \\server\share\migrate-pc-file.csv Save the single-deployment-file in the same location: \\server\share ### Deployment I used 3 ways to deploy. 1- automatic from admin workstation: • -download PROFBAT at: http://www.forensit.com/support-downloads.html • -save it in:C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\ • -make sure you are still on the domainold.tld and logged in a users at domainold.tld • -reboot all the computers for a fresh start (use PDQ inventory if you need to do this automatically). • -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin) • -a cmd prompt opens • you should be at: C:\ProgramData\ForensiT\User Profile Wizard Corporate\Deployment Files\ • -type: profbat.exe • -hit enter • -wait... It will give some feedback but not much. • -it will automatically go through all the computers in the .csv list, migrate all the profiles and join the new domain and reboot the computers. • -once rebooted, everyone can use their new login at newdomain.tld • -AWESOME! • -the logs should be at \\server\share • -each pc will have it's own migration log. 2- manually from admin workstation: • -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin) • -a cmd prompt opens • -type: profwiz.exe /COMPUTER computer-name-here • -hit enter • -you will see: > • -wait... It won't give any verbose information. • -soon it will go to a new line once finished and you will see: > > • -the logs are the place you indicated (which should be \\server\share\). 3-manually at admin workstation after domainnew.tld If for some reason, the pc's are joined to the domainnew.tld without the profiles being migrated, don't worry as it is pretty much the same process. The most important part is the first step: • -make sure you are on the domainnew.tld and logged into a user with domainnew.tld • -click START > PROGRAM-FILES > FORENSIT > COMMAND-LINE (you do not need to run this as-admin) • -a cmd prompt opens • -type: profwiz.exe /COMPUTER computer-name-here • -hit enter • -you will see: > • -wait... It won't give any verbose information. • -soon it will go to a new line once finished and you will see: > > • -the logs are the place you indicated (which should be \\server\share\). 4- manually at the client computer: • -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\ • -edit the profwiz.config • -change: <GUI> True • -save • -run: migrate.vbs • -it should show the progress and migrate all the profiles over. • -reboot the computer. 5- automatically via logonscript • -save the profwiz.exe, profwiz.config, migrate.exe, migrate.vbs at the share: \\server\share\ • -add the migrate to the login-script: \\server\share\migrate.vbs • -login to the client pc. It will begin the migrate process and skip if has already been run (of course it won't be referenced once the computer is joined to the new domain). ### Final Thoughts That's it! That should handle all the scenarios that will work. Of course, there are many scenarios that will NOT work. Most of the errors will be trying to move a client-pc on domainold.tld by using an admin-workstation already joined to domainnew.tld (and logged into domainnew.tld user). Or vice-versa. If you are making changes, the client-pc and the admin-pc must be on the same domain (at least for it to be easy). In any event, in all scenarios I did not visit a single client pc. Everything worked with a little thinking. This should be built into Windows Server. NOTES: https://www.forensit.com/Downloads/User%20Profile%20Wizard%20Corporate%20User%20Guide.pdf For the curious... Yes, it is possible to have 2 domains on the same network subnet at the same time. But there can only be one DHCP and both domains should reference the other in the DNS -> FORWARD LOOKUP ZONES. Simply add the other domain and IP address of the other domian server. ## Null result from socket | Watchguard, Mimecast and Office365 Watchguard, Mimecast and Office365 Couldn't get email from certain outside domains. Further investigation revealed that this is only happening from domains hosted at Office365. The error message in Mimecast is "Null result from socket." This means that there is no response from the internal email server when Mimecast tries to deliver the message. That means it is being blocked by the WatchGuard. WatchGuard logs show, something about the header size being 20656 and "header-line too large." So WatchGuard is blocking anything where the header is too large. You can see above the "Maximum email header size" is at 20,000 bytes. We set it to: 21000. Save > Push-Config That did it! NOTES: http://www.watchguard.com/help/docs/wsm/xtm_11/en-us/content/en-us/proxies/smtp/proxy_smtp_gen_settings_c.html ## Set Logon Script For Everyone in Domain With Powershell | Set Logon Script For Everyone in OU With Powershell ### Set Logon Script For Everyone in Domain | Set Logon Script For Everyone in OU Good morning class! Today, let's set the LOGON SCRIPT for everyone in a domain or in an OU: -run powershell (as admin) To clear the value: -type: get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" |set-aduser -clear scriptpath To set the value: -type: get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" |set-aduser -scriptpath "<file-name>" Or for a single user: -type: set-aduser foo.user -clear scriptpath -type: set-aduser foo.user -scriptpath <file-name> (ie: set-aduser foo.user -scriptpath ls) ### See Logon Script for Everyone in Domain | Set Logon Script For Everyone in OU -type: get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" |get-aduser -properties scriptpath Or in table form: -type: get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" |get-aduser -properties scriptpath |ft Or for a single user: get-aduser foo.user -properties scriptpath ### What About More? I Want More! Like the Home Folder? Now I already know what you are going to ask... "Can I set the HOME FOLDER as well?" YES!!! It's a little complicated so it is in another article here: http://www.daknetworks.com/index.php/blog/390-how-to-setup-home-drives-home-folders-and-login-scripts ## How To Setup Home Drives, Home Folders and Login Scripts ### How To Setup Home Drives, Home Folders and Login Scripts Automatically Good morning class! This isn't duplicate content. This is valuable! I don't want the HOME-DRIVES part of the other article lost. So here it is: • -setup a "users" folder on the server. • -share the folder as: users$
• -set share-permissions to: EVERYONE=FULL-ACCESS.
• -set ntfs-permissions > disable-inheritance.
• -set ntfs-permissions: DOMAIN-USERS (or other sub-group is large domain) > this-folder-only = Traverse | Create-Folders
• -set ntfs-permissions: CREATOR OWNER > Subfolders-and-files = Full-Control
• -set ntfs-permissions: SYSTEM > this-folder-Subfolders-and-files = Full-Control
• -set ntfs-permissions: DOMAIN-ADMINS > this-folder-Subfolders-and-files = Full-Control
• -to get the values, type: get-aduser foo.user -properties homedrive, homedirectory, scriptpath
• -to clear the values, type: set-aduser foo.user -clear homedrive, homedirectory, scriptpath
• -to set the values, type: set-aduser foo-user -homedrive Z -homedirectory \\<server-name>\users$\foo.user -scriptpath logonscriptfilenamehere We used to use %username% as a variable. But that doesn't work in powershell. However if you want to get same, it's a little long winded: • -type:$username = (get-aduser foo.user -properties samaccountname |foreach { $_.samaccountname }).ToString() • -type: set-aduser$username -homedrive Z -homedirectory \\<server-name>\users$\$username -scriptpath logonscriptfilenamehere

$username should be left as is. The folder will automatically be created and named exactly as the username! Too bad it doesn't automatically create the folder permissions like the GUI does in AD. To set the permissions: • -type: icacls("\\<server-name>\users$\'$username'") /grant ("$username" + ':(OI)(CI)F') /T

### For an entire Domain or OU

How about for the whole domain or for an OU. Forget the long-winded scripts you see plastered all over the internet:

• -to get the values, type:
get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties homedrive, homedirectory, scriptpath |ft name, homedrive, homedirectory
• -to clear the values, type:
• -to set the values, type:
$usernames = (get-aduser -filter * -searchbase "ou=<location>,ou=<users>,dc=<domain-name>,dc=com" -properties samaccountname |foreach {$_.samaccountname })
foreach ($username in$usernames) {set-aduser $username -homedrive Z -homedirectory \\<server-name>\users\$username -scriptpath logonscriptname}
• -to set the permissions, type:
$userfolder = "\\<server-name>\users$\"
foreach ($username in$usernames) {icacls ("$userfolder" + "$username") /grant ("$username" + ':(OI)(CI)F') /T} !!!Please double-check and triple-check to make sure you have the correct punctuation above. This can be a career-changing event if you get this wrong!!! NOTES: Hopefully, it is obvious that <location>, <users>, <file-name> and <domain-name> should be replace/adjusted/deleted/added with your values. https://windowsserveressentials.com/2012/10/29/powershell-make-it-do-something-useful/ ### Users Complain that the HomeDrive is Not Available in VPN Connections Since the user logs in without being connected to the domain, the homedrive is not setup correctly. You can use the following GPO to get connected so that the homedrive is also a mapped drive which will be available upon vpn. user-configuration > preferences > windows-settings >drive-maps ## Create Trust Between Two Domains I was going to write an article on how to create a trust relationship between two domains but the hard work has already been done by the fabulous people over at: https://blog.thesysadmins.co.uk/admt-series-1-preparing-active-directory.html ## Rename Domain RENAME DOMAIN -rdp into dc1.olddomain.tld (dc1 is your domain controller) -go to dns tree. -add new FORWARD-LOOKUP-ZONE. -right-click FORWARD-LOOKUP-ZONE. -click NEXT > NEXT > NEXT -type in newdomain.tld -click NEXT > NEXT > FINISH (this is your new domain name) -cd c:\installs -rendom /list -edit c:\installs\Domainlist.xml -replace olddomain.tld with newdomain.tld (in 4 places. The last place doesn't have a .tld) -rendom /upload -rendom /prepare -rendom /execute -reboot -netdom computername dc1.olddomain.tld /add:dc1.newdomain.tld -netdom computername dc1.olddomain.tld /makeprimary:dc1.newdomain.tld -reboot -gpfixup /olddns:olddomain.tld /newdns:newdomain.tld -gpfixup /oldnb:olddomain /newnb:newdomain -rendom /clean -rendom /end -remove olddomain.tld from dns tree. -final reboot to make sure it survives reboot. -go to DHCP tree. -go to ipv4 > server-options -change dns domain name to newdomain.tld -restart DHCP service -you have have to change each scope > scope-options Client computers will need to be rebooted twice. -once dc is rebooted, wait 15 minutes. -reboot client computers. -wait 15 minutes. -reboot client computers again. Client computers suffix should be changed automatically. If you need a regedit to change the primary dns suffix when membership changes: echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v SyncDomainWithMembership /t REG_DWORD /d 00000001 If you have problems with a client pc joining the new domain, you can: -netdom remove oldpc /Domain:olddomain.tld /Force -reboot -join newdomain.tld If you really, really, really need, you can use the USER-PROFILE-WIZARD at https://www.forensit.com/downloads.html NOTES: -these are better instructions than mine: https://mizitechinfo.wordpress.com ## Hyper-V Migration Hyper-v migration. This is an offline migration (not a live migration). Here's how: On the older HYPER-V host: -shutdown the VM off gracefully. -click ACTION > EXPORT (at the top). This will export the entire VM somewhere. This can be an external drive or a network share. On the newer HYPER-V host: -click ACTION > IMPORT-VIRTUAL-MACHINE -select the folder of the EXPORT (from above). -select REGISTER THE VIRUTAL MACHINE This will leave the VM where it is. -select RESTORE THE VIRTUAL MACHINE. This will place the VM where you tell it to. ## Delete AD User but Mailbox Doesn't Show Disconnected There is a link between AD and EXCHANGE. But it isn't a hard link. Meaning that just because you create an AD account doesn't mean an Exchange account will be created. Conversely, if you delete an AD account doesn't mean that the EXCHANGE account is deleted. Rather it is DISCONNECTED. It remains this way for 30 days. Then it is deleted. Sometimes if you delete the AD account and the EXCHANGE account doesn't show DISCONNECTED until the MAILBOX-DATABASE runs its regular maintenance. But you can force it to run by: • Get-MailboxDatabase | Get-MailboxStatistics | Format-List DisplayName, MailboxGuid, Database, DisconnectReason, DisconnectDate • Update-StoreMailboxState -Database “db_name” -Identity “mailbox_guid” This is useful if you want to import some AD users into the domain from another domain but they already have EXCHANGE accounts. You can: • -delete the AD accounts. • -import the other AD accounts. • -show the mailboxes as disconnected. • -reconnect the mailboxes to the other AD accounts. ## Avago 3108 | LSI | MegaRaid | Broadcom | Supermicro MegaRaid controllers can be confusing and difficult because of the companies that keep on merging together. Currently, Broadcom maintains LSI equipment. But, in my opinion, they are being difficult recently and forcing you to get support through the OEM's. OEM's like Supermicro don't have much information either. In any event, you can control the MegaRaid cards either: -upon boot up with a CTRL+H -or through the MegaRaid Management Software Again, I would list more but this web site has more information than we can provide: https://www.thomas-krenn.com/en/download/frame.only_content/hide_filter.1/hide_filter_serial.1/product.9943.html Upon installation, the login is the login of the computer you are using. You can now manage your raid. ## VHDX to Physical Disk I created a VHDX from a physical disk using a program called Disk2vhd. Now I want to copy that VHDX back to a physical disk. • -boot from E2B USB disk • -select: systemrescuecd Get your bearing by seeing what is recognized: • fdisk |grep "/dev/" To connect the VHDX and clone to the physical drive: • -type: qemu-nbd --connect=/dev/nbd0 --format=VHDX <vhdx_file_name> • -type: ddrescue --verbose --force /dev/nbd0 /dev/sda To disconnect the VHDX: • -type: unmount /mnt • -type: qemu-nbd --disconnect /dev/nbd2 ## Migrating Active Directory Users and Merging Domains Migrating Active Directory Users and Merging Domains Imagine you are part of a company. That company is being bought out by a larger company. To ease feelings, new email accounts are created at the larger company (ie This e-mail address is being protected from spambots. You need JavaScript enabled to view it ). The computers remain on the domain of the smaller company (ie @branch.tld). Now comes a point in time where the larger company wants to join the domains together. What are the options? How do you handle this situation? Very good questions. OPTION-1: 1 Forest & 2 Domains A forest is a group of domains. It is possible to keep the domains separate but still have the same forest. @hq.tld and @branch.tld will live happily together and have a trust-relationship. Two users would still exist. For example, This e-mail address is being protected from spambots. You need JavaScript enabled to view it and This e-mail address is being protected from spambots. You need JavaScript enabled to view it would still exist which is confusing for people. OPTION-2: Parent-Child Domain The parent domain is hq.tld. It is possible to have a child domain such as branch.hq.com (or is you prefer, us.company.tld). Two users would still exist. For example, This e-mail address is being protected from spambots. You need JavaScript enabled to view it and This e-mail address is being protected from spambots. You need JavaScript enabled to view it would still exist which is confusing for people. OPTION-3: Flat & Import This consolidates everything down. It gets rid of messiness and flattens the company to 1 domain of hq.tld. Only one user exist per person and this makes sense for people. How To Flatten Domain and Import Users ## Outlook 2016 Autocomplete (nk2) When you start an email and you start to type in an email address, OUTLOOK will show a drop-down list of email addresses you've written to before. This is an AUTOCOMPLETE-list (This is not an address-book or contact-list). What's surprising to me is that, to users, this list is more important than the contact-list or address-book. Probably because it automatically show. What's more suprising is that there is no connection between the contact-list, address-book or AUTOCOMPLETE-list. ### History Autocomplete The AUTOCOMPLETE file used to be called the NK2 file. There is a ton of information about the NK2 file.But it's 2017 and closing to 2018, the NK2 file is no longer relevant. The data on the internet is becoming long in the tooth. So much bad information. ### Location Autocomplete In any event, the AUTOCOMPLETE list in OUTLOOK 2016 is here: C:\Users\foo.user\AppData\Local\Microsoft\outlook\RoamCache\ The file name is something like: Stream_Autocomplete_0_A603AC42FB764D4C9662D971D85637C2.dat ### !!!Step 1 For Autocomplete!!! Before you do anything, copy this file as a backup!!! The file size is small and can be copied in less than 5 seconds. This file is known to be volitile and can go from a large size down to zero without warning. This is why you want a backup. ### Transfer Autocomplete If you have an old computer and OUTLOOK setup and your new comuter and OUTLOOK setup doesn't have the list, you can: • -close OUTLOOK. • -copy this file to the new computer. • -place in the following directory: C:\Users\foo.user\AppData\Local\Microsoft\outlook\RoamCache\ • -rename the current DAT file to something like: Stream_Autocomplete_0_A603AC42FB764D4C9662D971D85637C2.dat.old • -change the wanted DAT file (with all the info in it) name to the current name, something like: Stream_Autocomplete_0_A603AC42FB764D4C9662D971D812345.dat ### Export Autocomplete You can export the names in the DAT file. Despite the name, the NK2EDIT is the best tool for this: This will save the file as an NK2 file that can later be imported somewhere else. ### Import Autocomplete This is for a fresh OUTLOOK with no AUTOCOMPLETE. • -open the NK2 from the old system. • -click FILE > EXPORT-TO-MESSAGE-STORE This will overwrite the existing AUTOCOMPLETE with the items from the old AUTOCOMPLETE. ### Merge Autocomplete This is to merge old AUTOCOMPLETE with the current AUTOCOMPLETE. • -open the NK2 from the old system. • -click FILE > IMPORT-FROM-MESSAGE-STORE • (This will merge the current AUTOCOMPLETE with the info from the older AUTOCOMPLETE.) • -click FILE > EXPORT-TO-MESSAGE-STORE This will overwrite the existing AUTOCOMPLETE with the items from the old AUTOCOMPLETE. ### Rebuild Autocomplete Let's say that the AUTOCOMPLETE file is gone. For whatever reason, it is emtpy (I'm bashfully looking away, avoiding eye contact). But you still have your PST/OST file. Can't you just rebuild the AUTOCOMPLETE with information that is in the SENT-ITEMS folder? Yes, you can. Here's how: • -open NK2EDIT (the list will be empty). • -click ACTION > ADD-RECORDS-FROM-MAILBOX-RECIPIENT This will allow you to rebuild the AUTOCOMPLETE with items from your SENT-ITEMS folder. This is probably what you want; as everyone you've written an email to will automatically be placed in here. In addition, you can place a checkmark to items from your INBOX as well. Fiddle around with the settings and when you are satisfied, click FILE > EXPORT-TO-MESSAGE-STORE. ### Edit the AUTOCOMPLETE • -open NK2EDIT and edit away. • -be sure to FILE > EXPORT-TO-MESSAGE-STORE. ### Final Thoughts In short, this is an oldy but goody. Considering the importance of AUTOCOMPLETE items to users, you wonder why this isn't built directly into the OUTLOOK. ### NOTES There is a POWERSHELL script that didn't exactly work for me but it looks promising if could be updated: http://blog.degree.no/2012/01/outlook-adding-all-emails-in-sent-items-to-autocomplete-list/ ## Outlook 2016 Won't Open - Crashes Upon Starting Outlook 21016 Outlook 2016 Won't Open - Crashes Upon Starting Outlook 21016. Here's how I fixed it: ### Office365 Repair • -close OUTLOOK • -click START > CONTROL-PANEL > PROGRAMS-AND-FEATURES • -click MICROSOFT-OFFICE-365 • -click CHANGE (at the top). • -click FULL-REPAIR (not "quick-repair") • -wait 15 minutes. • -try OUTLOOK again when finished. ### x64 Bit If that doesn't work, I've found the x64 bit to be more stable: • -uninstall Microsoft Office x32 • -restart computer. • -install Microsoft Office x64 ### Outlook Safe Mode If that doesn't work: • -hold CONTROL • -click OUTLOOK icon to open. • -click YES (for disable plugins) • -click FILES > OPTIONS > ADD-INS > COM-ADD-INS > GO • -uncheck everything. • -checkmark MICROSOFT-EXCHANGE-ADD-IN • -click OK • -close OUTLOOK • -open OUTLOOK in normal mode. ### Set Data File If that doesn't work: • -click START > SETTINGS > CONTROL-PANEL > MAIL • -click EMAIL-ACCOUNTS • -click DATA-FILES (at the top) • -select your mail account in the list. • -click SET-AS-DEFAULT • (yes, even if it already is). • -click CLOSE > CLOSE. • -open OUTLOOK. ### Update iCloud If that doesn't work: ### Office365 Account Conflict If that doesn't work, you might have an OFFICE365 account conflict. You may have one OFFICE365 account for WORD, EXCEL, OUTLOOK and another OFFICE365 account for EMAIL. • -click START > SETTINGS > ACCOUNT • -click EMAIL-&-APP-ACCOUNTS (on the left-hand side). • -remove the OFFICE365 account that is only for email (leaving the OFFICE365 account that is for WORD, EXCEL, etc or the one that you use to login to the computer [ie same as your username]). • -make sure the correct DATA-FILE is set as the DEFAULT (see above). • -open OUTLOOK ### Office Update If that doesn't work: • -click START > SETTINGS • -click UPDATE-&-SECURITY • -click CHECK-FOR-UPDATES • -install any updates and restart the computer. ### Redo If that doesn't work, you've probably spent too much time on this: • -start a new profile. • -add the email accounts back in. ## Microsoft Edge Pop Up Blocker Exceptions Microsoft Edge Pop Up Blocker Exceptions As of this writing, there is not pop up blocker exception setting in Microsoft Edge. There is only an ON/OFF option. However, you can still adjust this manually through the registry or regedit. You can manually edit here: [HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\Allow] ### Pop Up Blocker Exceptions Allow Or you can follow the instructions below: • -click start > run • -type: cmd • -type: echo y | reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\Allow" /v "url-name-here" /t REG_BINARY /d 00000000 (NOTE: keep the quotes in-tact. Use *.domain.tld for wildcard.) ### Pop Up Blocker Exceptions Allow In Private Also note that PrivateWindows mode has separate values located here (which doesn't mean they are all that private): • -click start > run • -type: cmd • -type: echo y | reg add "HKCU\SOFTWARE\Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.microsoftedge_8wekyb3d8bbwe\MicrosoftEdge\New Windows\AllowInPrivate" /v "url-name-here" /t REG_BINARY /d 00000000 (NOTE: keep the quotes in-tact. Use *.domain.tld for wildcard.) ## Exchange 2013 - Get the Number of Emails in a Folder Exchange 2013 - Get the Number of Emails in a Folder Here's how: Get-MailboxFolderStatistics foo.user |Select Name, ItemsInFolder It will show the folder structure and the number of items in each folder. ## Exchange could not load the certificate with thumbprint Exchange could not load the certificate with thumbprint. Or as the warning message states in the logs: Microsoft Exchange could not load the certificate with thumbprint of 59235427B7C322A8CFD7E1EB939445A2EAF9F670 from the personal store on the local computer. ### Get the information There's a few ways to get the information to see the current certificate list. First is through the Exchange Management Shell (EMS): • -type: get-exchangecertificate You can see the same list in the Exchange Admin Center (EAC): • EAC > servers > certificates You can also see the same list in Internet Information Services (IIS): • -click server-name (on the left-hand side). • -click SERVER-CERTIFICATES (on the middle section). Once you have the information displayed, find the thumbprint of the certificate you are using for email. ### Fix the error In EMS: • -type: Enable-ExchangeCertificate -Thumbprint <new_certificate_thumbprint> -Services None • -type: Enable-ExchangeCertificate -Thumbprint <new_certificate_thumbprint> -Services IMAP,POP,IIS,SMTP ### Explanation This error is actually coming from the configuration of the: get-transportservice More specifically, the value at: get-transportservice |select InternalTransportCertificateThumbprint In older versions this is called: get-transportserver More specifically, the value at: get-transportserver |select InternalTransportCertificateThumbprint With this command you will see the thumbprint of the certificate in the log. Typing the commands above will replace this value with the new value. For the curious, there is no fine-tuned fix. In other words, the following does not exist or work. Use the above commands: set-transportservice InternalTransportCertificateThumbprint <new-certificate-thumbprint-here> ## Find All Distribution Groups A User Is A Member Of Find All Distribution Groups A User Is A Member Of. I hope that makes sense. Let's say you have a user name: foo.user. What groups is foo.user a member of? Here's how: Get-DistributionGroup -Filter "Members -like 'CN=foo user,OU=where-ever,OU=Users,DC=domain-name-here,DC=tld'" Since the DistinguishedName is used, it makes it nearly impossible to use the command unless you keep it in a handy note somewhere. Instead, this may be easier: -type:$distinguishedName =  (Get-Mailbox -Identity foo.user).distinguishedname
-type: $group = Get-DistributionGroup -Filter "Members -like '$($distinguishedName)'" -type: Write-Host$group

## Adobe Lightroom High CPU on Mac OSX

Another article on the internet about Adobe Lightroom with high cpu on Mac OSX because, well, it's a problem (and Apple doesn't care).

• -close Lightroom app.
• -delete anything else that looks like it belongs to Lightroom in: /Users/<username>/Library/Preferences/
• -delete anything that looks like it belongs to Lightroom in: /Users/<username>/Library/Preferences/Adobe/
• -delete anything that looks like it belongs to Lightroom in: /Users/<username>/Library/Application Support/Adobe/
• -delete anything that looks like it belongs to Lightroom in: /Users/<username>/Library/Caches/Adobe/
• -open LIGHTROOM

• -click LIGHTROOM > PREFERENCES > GENERAL.
• -uncheck "Select the current/previous import collection during import."
• -click PERFORMANCE (at the top).
• -uncheck "Use Graphics Processor."
• -make sure the import folder that it is trying to import from exists. In other words, sometimes the last import location is a external drive that doesn't exist anymore. Change it to somewhere neutral like the DESKTOP.

## Windows 10 Lock Icons

Windows 10 Lock Icons. Here's how:

• -move the program to: C:\Program Files (x86)\DeskLock
• -right-click DeskLock.exe
• -click CREATE-SHORTCUT
• -move the shortcut to: C:\Users\$username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup (where$username is your-username that you use to login to your computer)
• -arrange the icons the way you want.
• -reboot the computer.

Having various clients, it's always interesting to see different perspectives. There is a class of client that approaches computers differently than I do. One question this class asks is, "How do I lock my icons on my DESKTOP?"

The thinking is that the DESKTOP is the User Interface (UI). This UI should not be changed unless given specific permission and instructions to do so. Changing it without permission or instruction is nearly a violation of human rights.

With as much attention that UI gets (and rightly so), one would think that the DESKTOP arrangement is utmost important rather than being flippantly changed every time a feature update comes along. One Operating System that I know of (Ubuntu) went so far as to lock the UI so that the TASKBAR and START-BUTTON are locked on the left hand side of the screen. And, of course, Mac OSX has always had the TASKBAR and APPLE menu at the top.

A person unfamiliar or afraid of computers will not want anything changed. And as we get older, we have the tendency to want everything to stay the same. Don't have 2 buttons if you can have one. Even Mac mouses have only 1 button until told otherwise.

Referring to Windows 10 annoying habit of re-arranging icons, as one client put it, "It's like someone coming into your home and rearranging your furniture without asking."

I don't disagree.

## Mimecast Undeliverable - Unknown Address Error

Problem

Mimecast Undeliverable - Unknown Address Error. You get the message:

=====

The following message to < This e-mail address is being protected from spambots. You need JavaScript enabled to view it > was undeliverable.

The reason for the problem:

5.1.0 - Unknown address error 550-'Invalid Recipient - https://community.mimecast.com/docs/DOC-1369#550'

=====

Further more, looking at the TRACKING diagnostics, you see the "Rejection Information" states, "Failed Known address verification."

The issue is that the email address does exist in Exchange. What gives?

Solution

Well Mimecast has a few settings to receive email. This setting is on the domain/internal-directory level (administration > directories >internal-directories).

There are a few options. One is "Accept emails for known recipients only." Accordingly, each user that you want to receive email for must be added to Mimecast. The first time a user sends an email outbound via Mimecast a user will be created.

Since groups don't send email (typically), a Mimecast account is never added. So it's possible that there could be an email address in EXCHANGE that is not in Mimecast.

Fortunately, users can also be added to Mimecast through:

• import (ie import a list)
• manually

If there are not a bunch of groups, it's probably easiest to just add the group email addresses manually.

## Generating Barcodes - Code 39 and Code 128

Generating barcodes is somewhat easy but can get complicated for various reasons. Before we get to it, know that there are several types of barcode formats. We're focusing on linear barcodes, CODE 39 and CODE 128.

### Code 39 (or Code 3 of 9)

Code 39 is simple. In short, surround the text with asterisks and change the font to 3-OF-9.

• -install the Code39 font here: http://www.fonts2u.com/3-of-9-barcode.font ([c] CAIL v1.0 - 1993)
• -install the font.
• -reboot the computer (this is required).
• -in WORD:
• type what you want in a barcode (ie ABC123).
• surround it with asterisks (ie *ABC123*).
• change the font to 3-OF-9.
• that should do it!
• -in EXCEL
• type what you want in a barcode in column A: (ie ABC123)
• create a simple formula (use the CONCAT function) in column B that surrounds the text with asterisks: (ie *ABC123*)
• create a simple formula in column C that simply mirrors column B.
• change the font on column C to font 3-OF-9.
• that should do it!
• -in FILEMAKER
• create a field called INFO as text.
• create a field called INFO_BARCODE as calculation.
• create a calculation that concats the INFO field surrounded by asterisks ("*" & INFO & "*").
• put the fields on the layout.
• on the INFO_BARCODE field, change the font to 3-OF-9.

### Code 128

Code128 is a little more challenging than Code39. You would want to use Code128 when you need a compact barcode in a small space where Code39 will not fit.

The challenging item with Code128 is that you need to translate what you want in a barcode into a barcode-string that contains accent letters.

• -install the Code128 font here: http://www.dafont.com/code-128.font ([c] GRANDZABU v1.2 - 2003)
• -install the font.
• -reboot the computer (this is required).
• -go to an online barcode-string-builder, here: http://www.jtbarton.com/Barcodes/BarcodeStringBuilderExample.aspx
• -type what you want barcoded.
• -click TO CODE 128
• -in WORD:
• paste in the results.
• change the font to CODE-128.
• that should do it!
• -in EXCEL:
• -in FILEMAKER
• close FILEMAKER.
• copy the plugin file called IDAutomation.fmx and paste it in C:\Program Files\FileMaker\FileMaker Pro\Extensions (adjust the path to your version accordingly).
• open FILEMAKER.
• create a field called INFO as text.
• create a field called INFO_BARCODE as calculation.
• create a calculation that returns the INFO field as a barcode string. Use the custom function like so: IDAu_Code128( INFO )
• the result should be calculated as TEXT (not NUMBER).
• put the fields on the layout.
• click FORMAT > FONTS > CONFIGURE/MORE-FONTS (at the top menu).
• find CODE-128 (on the left-hand column).
• click MOVE.
• click OK.
• select the INFO_BARCODE field.
• hold CTRL and ALT keys (on your keyboard).
• select the font to Code-128 (at the top).
• that should do it!

### NOTES:

For whatever reason, I struggled do this for days. Again, I found a bunch of misinformation or confusing documents that lead me astray. Even different/newer versions of the fonts were red herrings and did not produce correct results.

With the correct fonts, installed correctly, with the correct plugins, installed correctly, with the correct calculations, calculating correctly and the fonts configured correctly, I was finally able to do this.

## Exchange 2013 Shared Mailbox

### Background

A mailbox is a typical account. You have John Doe. He has an account. His account is a mailbox account. The account is This e-mail address is being protected from spambots. You need JavaScript enabled to view it .

### Options

John works with others doing proposals. What are the options?

1. pseudonym
2. group-account
3. separate account
4. shared mailbox
5. outside system

### Option 1 - Pseudonym (What you start out doing)

1-We can setup a pseudonym/fake-account/vanity-account. No matter what you call it, the idea is the same. It is an email address that automatically goes a real account. For example: This e-mail address is being protected from spambots. You need JavaScript enabled to view it automatically goes to the inbox of John Doe. This is great if only one person is responsible. But as the team grows, this becomes cumbersome.

### Option 2 - Group Account (What you graduate to)

2-We can setup a group-account. This is similar to above but the email goes to more than one person. For example: This e-mail address is being protected from spambots. You need JavaScript enabled to view it automatically goes to the INBOX of John Done and Jane Doe. This is great if it is a small team. The problem becomes, not everyone on the group know if a response was sent. Also folder organization is different for everyone on the group. You want everyone to have the same info, and see the same responses, then see further on.

### Option 3 - Separate Account (What you shouldn't do)

3-We can setup a separate account. This is a typical account but instead of assigning it to one person, you give the username/password to a group of users. For example: This e-mail address is being protected from spambots. You need JavaScript enabled to view it has its own inbox and several users connect to it through way of username/password.

NOTE: While this seems like a good idea, years of experience says that this is a bad, bad, bad idea. Mainly because years on down the line, you can't find out who is responsible for the account. When you check the account it has a bunch of email in the inbox that no one has checked for years. I have witnessed this countless times in many clients. Kindly convince them to do it another way or just agree with them and set it up another way. The end result will be the same as below.

### Option 4 - Shared Mailbox (What you'll be required to do)

4-We can setup a shared mailbox. A shared mailbox is very similar to a separate account. The difference is that rather than handing out a username/password and letting them connect to it, you assign the account to users and it automatically shows in their folder structure on OUTLOOK as a separate INBOX. This way when five years pass, you can tell who is using the account.

Here's how:

set-mailbox foo.user -Type Shared

Great! You are almost there. Now assign permissions of the people who need to use the shared-mailbox. The people will need both FULL-ACCESS and SEND-AS permissions to control the account and send messages. There is also a SEND-ON-BEHALF option available.

NOTE:
-the FULL-ACCESS permission is an EXCHANGE permission (add-mailboxpermission/set-mailboxpermission/get-mailboxpermission/remove-mailboxpermission).
-the SEND-ON-BEHALF permission is an EXCHANGE key property (set-mailbox foo.user -GrantSendOnBehalfTo/get-mailbox foo.user |select GrantSendOnBehalfTo).

Here's how to add the FULL-ACCESS and the SEND-AS permissions:

Add-MailboxPermission foo.user -User user1 -AccessRights FullAccess -InheritanceType All | Add-ADPermission -Identity "foo user" -User user1 -ExtendedRights "Send As"

You may have to fiddle around with the add-adpermission command as it want the AD name like this, "FirstName LastName" (not the DISPLAY-NAME or ALIAS).

ANOTHER NOTE:
-the command does not accept multiple values for the users. Your options are to create a group & run the command on the group (hint: do not do this), run the command separately for each user wanting access (hint: do this if there's a handful), run the command using a txt file (hint: do this if there's a bunch) or use the EAC/ECP.

You are doing great! That should just about do it.

#### Automapping Issues

But there's one more item to cover; AUTOMAPPING. AUTOMAPPING automatically shows the shared-mailbox to show in Outlook. This way, users do not have to manually add the account to their OUTLOOK... the shared-account automatically shows. This saves a bunch of hassle trying to get everyone to use a second account and it prevents dreaded OUTLOOK problems.

Adding the permissions above will automatically turn AUTOMAPPING on. There should be no further steps.

However, what happens if the shared-account doesn't show in OUTLOOK? What then?

Well, this seems to be an issue many run into for various reasons. So let's cover some of them.

First, there is a way to set the AUTOMAPPING off so that you can add the account manually:

Add-MailboxPermission foo.user -User user1 -AccessRights FullAccess -InheritanceType All -automapping $false To check AUTOMAP, you have to use the Get-ADuser command (not an EXCHANGE command): Get-ADUser foo.user -Properties msExchDelegateListLink | Select msExchDelegateListLink |fl This command will show a list of accounts. If the account is in the list, then AUTOMAPPING is turned on for that account. Second, AUTOMAPPING won't work for Organization-Managment-Administrators. This is because this group already has mailboxperissions set and it automatically includes a DENY (or DENY: True). DENY takes priority over ALLOW. There are ways to get around this but it is outside the scope of this article. Third, AUTOMAPPING doesn't work if DNS is incorrect/not-working-the-way-that-makes-OUTLOOK-happy. For whatever reason, AUTOMAPPING works fine for locations where we have a flat domain structure (everyone is on the same domain). It doesn't work when we have separate domains (ie local computer domain is remotedomain.tld and email domain is emaildomain.tld). Again, troubleshooting this is outside the scope of this article. Fourth, wait. For whatever reason sometimes it takes a few hours to show. Give it 24 hours before sounding the alarm. #### Checking Your Work So putting it all together. See the FULL-ACCESS permissions: get-mailboxpermission foo.user |select user,accessrights,deny,inheritancetype get-mailboxpermission foo.user |where { ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |select user,accessrights,deny,inheritancetype

See the SEND-AS permissions:

get-ADPermission "foo user" |where {($_.ExtendedRights -like “*Send-As*”) -and ($_.IsInherited -eq $false) -and -not ($_.User -like “NT AUTHORITY\SELF”)} |ft user,extendedrights,accessrights

### NOTES

What's interesting to me is that the builtin documentation claims there are more settings.

To see the builtin documentation:

help set-outlookanywhere -detailed

To see the online documentation:

https://technet.microsoft.com/en-us/library/bb123545(v=exchg.150).aspx

They list out the settings as the following with no further info on the other options:

Basic | Digest | Ntlm | Fba | WindowsIntegrated | LiveIdFba | LiveIdBasic | WSSecurity | Certificate | NegoEx | OAuth | Adfs | Kerberos | Negotiate | LiveIdNegotiate | Misconfigured

## Managing Exchange 2013 Groups

Managing Exchange 2013 Groups

### Simplified System

In a simplified logical system, there are the following:
-user: a single individual.
-group: more than one user.

In addition, groups are universal in the company. A group is a group. There are no group types. A group can access resources and receive email.

### Windows Server

In MS world, there are more options for fine-grain control. There is a security-group to access resources and a distribution-group to receive email.
(For the curious, these are the only two types of groups, there are no other types of groups.)

Let's begin, shall we.

### GET-DISTRIBUTIONGROUP

To see all the distribution groups:

To see all the distribution groups that receive email from the outside world:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq$true} | select PrimarySMTPAddress

To see all the distribution groups that receive email only from within the company:
Get-DistributionGroup | ? {$_.RequireSenderAuthenticationEnabled -eq$false} | select PrimarySMTPAddress

Great! Let's move on to the AD side of the system

But before we do, note that typically, using a command and "|fl" will let you see all the info. On get-adgroup command, it doesn't work. You have to use:

To see all of the AD group properties:

Also note that the get-adgroup command uses the SAMACCOUNTNAME (it does not use the NAME or DISPLAYNAME as other commands). So if you have an ad-group with the name FOO-GROUP-NAME but the SAMACCOUNTNAME is FOO-GROUP-SAMACCOUNTNAME, you have to use the SAMACCOUNTNAME:

To see all the groups (both AD and distribution as all distribution groups are AD groups):
Get-ADGroup -Filter * -Prop * |select name,samaccountname,mailnickname

Get-ADGroup -filter {GroupCategory -eq "Security"} |select name,samaccountname

Get-ADGroup -Filter 'GroupCategory -eq "Distribution"' -prop * |select name,samaccountname,mailnickname

### ISSUES

Theoretically, this list should match the get-distributiongroup list from above. But you might notice that some distribution-groups that do not have email addresses. That's kinda strange. What gives?

Sometimes the AD distribution-group does not have the necessary info in the database. Having this info is called mail-enabled. There's even a command just to handle this.

To mail-enable a distribution group that needs it:
Enable-DistributionGroup -Identity "foo-group"
(NOTE: This will even work on security-groups.)

Also, there are some items in the get-distributiongroup list from above that are not in the get-adgroup command above. What gives?

Well because groups can be mail-enabled, it is possible for a security-group to be mail-enabled as well.

To see AD security-groups with mail-enabled:
Get-ADGroup -Filter 'GroupCategory -eq "Security"' -prop * |select name,mailnickname

Finally as a last question, if both group-types (distribution and security) can be mail-enabled, what's the point of having group types? Good question. There isn't. It is the way the world works.

## Restore Deleted User in Active Directory

Restore Deleted User in Active Directory

• -click Start > Right click Command Prompt/PowerShell > Select Run as Administrator
• -type: ldp
• -press Enter
• -click CONNECTION > CONNECT
• -type in the server name: foo-dc1 (leave everything as default)
• -click OK
• -click CONNECTION > BIND
• -bullet 'Bind As Currently Logged On User'
• -click OK
• -click VIEW > TREE
• -select DC=domain-name-here,DC=tld(ie DC=daknetworks,DC=com)
• -double-click CN=Deleted Objects,DC=domain-name-here,DC=tld (on the left hand side)

A list of deleted objects will show on the left hand side and will look like this:

• -find the deleted user that was deleted.
• -double-click on the user.
• (the details of the user will show on the right-hand side)
• -right-click on the user > Modify
• -for ATTRIBUTES, type: isDeleted
• -for OPERATION, bullet DELETE
• -click ENTER

Now we have to tell AD where to restore the user.

• -for ATTRIBUTES, type: distinguishedName
• -for VALUES, type the original DN of the object.
• You can find the last-known distinguishedName by looking on the right-hand side. It will say "lastKnownParent". Simply add the user name before. For example:
CN=foo user,OU=whatever,OU=wherever,OU=allUsers,DC=daknetworks,DC=com
• -for OPERATION, bullet REPLACE
• -click ENTER
• -checkmark EXTENDED (lower-left).
• -click RUN.

The user is restored successfully to the OU you defined. You might have to re-add some info and re-enable the Exchange mailbox.

## Recover Deleted Items from Exchange 2013 | Recover Deleted Items from Outlook2013 | Recover Deleted Items from Outlook 2016

Recover Deleted Items from Exchange 2013 | Recover Deleted Items from Outlook2013 | Recover Deleted Items from Outlook 2016

### DEFINITIONS

DELETE - deletes the messages from the folder. Moves the messages into the DELETED-ITEMS folder (or the TRASH folder).

RETENTION - the time that you can recover items even if the messages were permanently-deleted (or deleted from the DELETED-ITEMS folder).

### DISCOVERY

Exchange 2013 will have a RETENTION time for permanently-deleted messages. This setting is on the MAILBOX-DATABASE and not on the MAILBOX or individual account.

To see the settings, first find all the MAILBOX-DATABASEs names and their retention time:

-get-mailboxdatabase |select Name,DeletedItemRetention

It will spit out something like:

Name                                                        DeletedItemRetention
----                                                        --------------------
Mailbox A                                                   14.00:00:00
Mailbox B                                                   14.00:00:00
Mailbox C                                                   14.00:00:00

Great! You know that you have 14 days to retrieve something that was deleted.

### SET RECOVERY

If you need to set recovery on a MAILBOX-DATABASE to say 30 days or if a retention is not set and you need to set it:

set-mailboxdatase "mailbox b" -DeletedItemRetention 30.00:00:00

(days.hours:minutes:seconds)

### RECOVER IN OUTLOOK 2013 | RECOVERY IN OUTLOOK 2016

-click DELETED-ITEMS (on the left-hand side).
-click RECOVER-DELETED-ITEMS-FROM-SERVER (at the top).

You should see a list of the messages from the last 2 weeks.

-control-click to select the messages you want.
-click OK to restore them.

It should put them back into the folder where they went missing.

### RECOVER IN EXCHANGE 2016

If that's too much trouble for the person, then you can do it on their behalf in the EMS.

This will put all the recovery items in the user's mailbox in a recovery-folder called 'foo.user.recovery':

Search-Mailbox foo.user -SearchDumpsterOnly -TargetMailbox foo.user -TargetFolder foo.user.recovery -LogLevel Full

And if you really want to search through the recovery items and restore them:

Search-Mailbox foo.user -SearchQuery "sent: '04/10/17' AND from: 'foo.sender'" -TargetMailbox foo.user -TargetFolder "foo.user.recovery" -LogLevel Full

## Create a NIC Team, Create NIC Bond, Create Load-Balancing, LBFO, For Hyper-V

Here's how to create a NIC Team/NIC Bond/Load-Balancing/LBFO setup. This setup is then used in a virtual machine enviroment for all the VM's to use.

First update drivers to INTEL newest drivers v21.1.

We will be using LBFO (LOADBALANCING-FAILOVER) which is built into Windows Server rather than INTEL ANS (Advanced Networking Services) which is built into the Intel driver. The reason for this is that ultimately there are too many issues if you do not use what is built into the Windows OS. Updates and other items will keep having trouble with INTEL ANS.

### Remove Existing Settings

-remove static settings from existing nics.
-remove virtual switch in Hyper-V.

### Establish New Settings in PowerShell

-renamed nic1 to TeamNic1: rename-netadapter "Local Area Connection" "TeamNic1"
-renamed nic2 to TeamNic2: rename-netadapter "Local Area Connection 2" "TeamNic2"
-created nic team with name ManagementTeam: new-netlbfoteam -Name "ManagementTeam" -TeamMembers TeamNic1,TeamNic2 -TeamingMode SwitchIndependent -LoadBalancingAlgorithm TransportPorts
-created virtualswitch called ConvergedNetSwitch: New-VMSwitch "ConvergedNetSwitch" -MinimumBandwidthMode weight -NetAdapterName "ManagementTeam"
-click SERVER-MANAGER (the management gui in Windows Server that shows when you start the server)
-click LOCAL-SERVER (on the left-hand side).
-find NIC-TEAMING (at the top section)
-click ENABLED (next to NIC-TEAMING)
(a windows shows)
-right-click on MANAGEMENTTEAM (lower-left) > click PROPERTIES
-set SWITCH-INDEPENDENT
-set ADDRESS-HASH (if you set to the HYPER-V-PORT setting, each VM will be assigned to a specific NIC).
-set STANDBY as NONE

### To Verify New Settings

-type: get-VMSwitch |fl
-here's my output:

ComputerName                        : foo
Name                                : ConvergedNetSwitch
Id                                  : d64482dc-d6d4-4b64-8d24-4105c1ef80a4
Notes                               :
SwitchType                          : External
AllowManagementOS                   : True
AvailableVMQueues                   : 63
NumberVmqAllocated                  : 3
IovEnabled                          : False
IovVirtualFunctionCount             : 0
IovVirtualFunctionsInUse            : 0
IovQueuePairCount                   : 0
IovQueuePairsInUse                  : 0
AvailableIPSecSA                    : 2048
NumberIPSecSAAllocated              : 0
BandwidthPercentage                 : 100
BandwidthReservationMode            : Weight
DefaultFlowMinimumBandwidthAbsolute : 0
DefaultFlowMinimumBandwidthWeight   : 1
Extensions                          : {Microsoft NDIS Capture, Microsoft Windows Filtering Platform}
IovSupport                          : False
IovSupportReasons                   : {This network adapter does not support SR-IOV.}
IsDeleted                           : False

### Start New Settings

-rebooted to make sure it survives a reboot.

### NOTES

***To be clear, this is set for LOAD-BALANCING (not FAILOVER).*** We would need another NIC to enable failover. Simply add the NIC to the team. Then choose that NIC to be the STANDBY ADAPTER.
A real team/bond requires configuration on the switchs (or more specifically on the switch ports) to create an EtherChannel. If you are to do this, make it easy on yourself and make certain all the switches are the same model. Then make certain all have the same OS before stacking. Once stacked, configure the EtherChannel.

## Outlook 2016 Calendar Sharing - "You Don't Have Permission To Create An Entry In This Folder"

Outlook 2016 Calendar Sharing - "You Don't Have Permission To Create An Entry In This Folder"

### SCENARIO

You try and share a calendar in Outlook 2016. When the person who has EDITOR accessrights adds the shared calendar to their Outlook, they get the following message:
"You Don't Have Permission To Create An Entry In This Folder...."

### RESOLUTION

There can be many reasons why this is happening. Ultimately it is a permission issue or a cache permission issue.

#### 1-check to see if the calendar has the correct permissions.

Show Calendar Permissions
Get-MailboxFolderPermission foo.user:\calendar

Add-MailboxFolderPermission foo.user:\calendar -User foo.user2 -AccessRights Editor

The non-working mailbox calendar has the correct permissions and it still doesn't work.

#### 2-temporarily change the primary smtp address on the shared account.

Don't ask me why but I've witnessed that if the shared account ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) changes the primary smtp email address domain ( This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) sometimes the person trying to access the calendar can suddenly edit the calendar if they remove the calendar and add it back in. Here's how...

On OUTLOOK where you are trying to access the shared calendar:
-click CALENDAR (bottom-left).
-find OTHER CALENDARS.
-right-click on the calendar-name.
-click DELETE CALENDAR (don't worry, this only removes the calendar. It doesn't actually delete the calendar).
-close OUTLOOK.

-change primary smtp via ECP (web interface) from This e-mail address is being protected from spambots. You need JavaScript enabled to view it to: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

-open OUTLOOK.

-click CALENDAR (bottom-left).
-find OTHER CALENDARS.
-right-click OTHER CALENDARS > ADD CALENDAR > OPEN SHARED CALENDAR.
-type in the name of the person.
-click OK.

WORKS WITH NEW DOMAIN!!! And can edit the calendar.

-remove the shared calendar (same as above).

-change primary smtp via ECP (web interface)from This e-mail address is being protected from spambots. You need JavaScript enabled to view it to: This e-mail address is being protected from spambots. You need JavaScript enabled to view it

WORKS WITH ORIGINAL DOMAIN!!! And can edit the calendar.

It is important to note that changing via Exchange Management Shell (EMS) did not work and resulted in the original error.

$Set-Mailbox foo.user -PrimarySmtpAddress This e-mail address is being protected from spambots. You need JavaScript enabled to view it$Add-MailboxFolderPermission foo.user:\calendar -User foo.user2

I'm not sure if this is an emailaddresses issue. Or a missing value in one of the keys that is changed in the ECP and not in the EMS. Or if it is a global-address cache issue. Or if it a GAL sync issue that takes time. All I can tell you is that I performed the steps above and it worked. Took me a good 30 hours or so to figure that out.

In any event, I checked the following but nothing produced any meaningful results concerning this issue:
$Get-mailboxpermission foo.user |fl$Get-Mailbox foo.user| Select-Object -ExpandProperty EmailAddresses
$Get-CalendarProcessing foo.user |fl$Get-CASmailbox foo.user| fl

#### 3-check the offlineaddressbook setting for the mailboxdatabase

Somewhere along the line during initial install, a CU update or creation of a new mailboxdatabase, the OFFLINEADDRESS book key is blank/null. I think it would automatically default to the default address book but I really don't know. I haven't found any info that says have a null value is bad but most info I see says to set it for all mailboxdatabases.

Find the name of the OFFLINE ADDRESS BOOK:

Now set the MAILBOXDATABASE to use that name:

### NOTES

Calendar Permissions can be set individually or by role. The DEFAULT permissions are:
ReadItems, CreateItems, EditOwnedItems, EditAllItems, CreateSubfolders, FolderVisible

Or another way to view the DEFAULT role is like this (the minus is what the role doesn't have):
CreateItems
EditOwnedItems
EditAllItems
CreateSubfolders
FolderVisible
-DeleteOwnedItems
-DeleteAllItems
-FolderOwner
-FolderContact

The EDITOR role permissions are:
ReadItems, CreateItems, EditOwnedItems, EditAllItems, FolderVisible, DeleteOwnedItems, DeleteAllItems

Or another way to view the EDITOR role is like this (the minus is what the role doesn't have):
CreateItems
EditOwnedItems
EditAllItems
-createsubfolders
FolderVisible
DeleteOwnedItems
DeleteAllItems
-FolderOwner
-FolderContact

#### GET PERMISSION TO MAILBOX

Sometimes getting the permissions to the mailbox helps:
Get-MailboxPermission foo.user

#### GET PERMISSION TO MAILBOX THAT IS ANOTHER USER

Sometimes it helps to see who else has permission to the mailbox:
Get-MailboxPermission foo.user |? {$_.IsInherited -ne "true" -and$_.User -ne "NT AUTHORITY\SELF"}

Another way is:
get-mailboxpermission foo.user |where { ($_.IsInherited -eq$false) -and -not ($_.User -like “NT AUTHORITY\SELF”) } |select user,accessrights,deny,inheritancetype Which is the same as: Get-MailboxPermission foo.user |? {$_.IsInherited -eq "$false -and$_.User -ne "NT AUTHORITY\SELF"} |select user,accessrights,deny,inheritancetype

#### CHANGE PERMISSION TO MAILBOX

Sometimes you need to change permissions on the mailbox:
Set-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

#### REMOVE PERMISSION TO MAILBOX

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

#### SEE COMPLETE FOLDER STRUCTURE

Sometimes, seeing the complete folder structure of the mailbox helps:
get-MailboxFolder foo.user:\ -recurse

#### GET THE CALENDAR NAME

Sometimes getting the calendar name helps because it is changed from another language:
Get-MailboxFolderStatistics foo.user |where-object { $_.FolderType -eq "Calendar" } |select-Object Name #### ADD CALENDAR FOLDER PERMISSIONS Sometimes you need to add permissions to the calendar: Add-MailboxFolderPermission foo.user:\calendar -User foo.user2 -AccessRights Editor #### REMOVE CALENDAR FOLDER PERMISSIONS Sometimes you need to remove permissions to the calendar: remove-MailboxFolderPermission -Identity foo.user:\calendar -User foo.user2 #### SEE MAILBOXES IN ORGANIZATIONAL UNIT Sometimes you need to see the email in a single AD OU: get-mailbox -OrganizationalUnit "ou=where-ever,ou=whatever-users,dc=domain,dc=tld" -resultsize unlimited |get-mailboxstatistics |ft DisplayName,TotalItemSize,Itemcount #### REMOVE CACHE SHARED CALENDAR FOLDERS IN OUTLOOK 2016: Sometimes working off of cached shared calendar folders causes an issue and you need to remove the cache folders from OUTLOOK 2016: -account-settings > email > change > more-settings > advanced -uncheck "Download Shard Folders" -restart OUTLOOK #### REMOVE CACHE FOLDERS IN OUTLOOK 2016: Sometimes working off of cached folders causes an issue and you need to remove all the cache folders from OUTLOOK 2016: -account-settings > email > change -uncheck "Use Cached Exchange Mode" -click NEXT > FINISHED -restart OUTLOOK ## Windows Server 2012 Connect Branch Office to HQ Domain And Replicate Domain And Replicate DNS Windows Server 2012 Connect Branch Office to HQ Domain And Replicate Domain And Replicate DNS I had new 10K server and wanted to test out before making changes. The goal is to turn it into a VM. Test out connecting to the HQ domain and replicate the domain and dns. In this situation the branch office already had a domain. The location was purchased by HQ and needed to roll into the HQ domain. Couple of notes before we begin: -keep your domain flat. If you can, do NOT do subdomains, trusts, etc. It's too much of a pain later on. Keep it simple. -you can have 2 domains on the same network (just not 2 DHCP servers). ### CREATE VIRTUAL MACHINE HYPER-V is included in WINDOWS-10. So all we have to do is create a new VHDX from the existing SDD that came with the server. -connect SDD to WINDOWS-10 via USB caddy. -download DISK2VHD. -created server-2012r2 vm with DISK2VHD (you only need the main partition). -started HYPER-V -created new VM (do not import, etc). -attached newly created VHDX, no-network, 4 processors, 10GB ram. -booted for first time. -installed dns, ad, file. -shutdown. -create VSWITCH external-network & allow-management-operating-system-to-share-this-network-adapter (no vlan id). -attached VSWITCH to VM. ### ADD BRANCH OFFICE TO DOMAIN -on hq ad server: ad-sites-services > create-new-site-for-branch-office -on hq ad server: ad-sites-services > subnets > create subnets-for-branch-office & attach to branch-office -on hq ad server: ad-sites-services > inter-site-transports > ip > create new > hq/branch > 15 mins ### JOIN BRANCH OFFICE SERVER TO HQ DOMAIN Simple enough but if you've never done it before you might be thinking there's something more to it. There isn't. -start VM -change ip address to static-ip -change dns to dns at hq -join domain -restart ### PROMOTE BRANCH OFFICE SERVER AS DOMAIN CONTROLLER -click MANAGE > ADD-ROLES-AND-FEATURES -click NEXT > NEXT > NEXT -click ACTIVE-DIRECTORY-DOMAIN-SERVICES -let it go through its setup. -click promote to DOMAIN-CONTROLLER (upper-right flag) -select ADD-A-DOMAIN-CONTROLLER-TO-AN-EXISTING-DOMAIN -select DNS SERVER & GC (global catalog) -create DRSM password. -except defaults until INSTALL. -click INSTALL -wait -server reboots ### REPLICATE BRANCH OFFICE SERVER DOMAIN CONTROLLER -check USERS&COMPUTERS to see if in DOMAIN-CONTROLLERS -check SITES&SERVICES -view all servers are correct. -click NTDS SETTINGS -right-click right-panel -click REPLICATE-NOW -cycle through all NTDS SETTINGS -right-click NTDS-SETTINGS > ALL-TASKS > CHECK-REPLICATION-TOPOLOGY -cycle through all NTDS SETTINGS -ps-type: repadmin /replsummary (on the new server, the largest delta is 'unknown') -click NTDS SETTINGS -right-click right-panel -click REPLICATE-NOW -ps-type: repadmin /replsummary (on the new server, notice the time is now a few seconds) High-five!!! NOTES: thai-mswindows (youtube) ## CTS2600 I have a storage array with 12 3.5" drives. It's a little older but it works. It has an LSI sticker on it. I pop in some hard drives, plug in the Ethernet connection and power it on. Now, how do I control it? There is no monitor connection. So, I look at the DHCP find the ip address. I put the ip address in the browser but nothing shows. With a tool, I see that it is showing as a NETAPP device. Hmmm... I thought it was LSI but OK. I do a little googling and find that NETAPP purchased the storage array division from LSI. So I go to the NETAPP (who acquired LSI) web site for support. I see that it needs a program called SANTRCITY. SANTRICITY isn't offered as a free download, I have to register for it. No problem. I register for the support site and try to download it. No go. I'm "unauthorized" for that download. No problem. I provide the SERIAL-NUMBER on the device and wait. I receive a message from NETAPP stating that they won't provide support since they made it for someone else who branded it as their own. Also known as an OEM. It even states in their LSI acquire document: http://mysupport.netapp.com/NOW/public/apbu/oemcp/NetApp_Engenio_Support_Integration_FAQ.pdf But who is the OEM? I don't know. There are no markings on the device. This OEM is supposed to provide SANTRICITY or a rebrand of the app to control the storage device. I find out that the device is actually an LSI CTS2600. The LSI CTS2600 was made for DELL as the POWERVAULT MD3200. I download the DELL software but it doesn't find the array that is booted. I try a couple more times without success. I finally hear back from NETAPP that the OEM is BLUEARC. Great! A little more googling and I see that it is a BlueArc Mercury 50. BLUEARC was purchased by HITACHI. Humph... Siging up for the access to Hitachi support web site. The BLUEARC software was incorporated into HITACHI COMMAND SUITE. https://support.hds.com/en_us/user/downloads/ is empty. So I emailed support. Support writes back that there is no support contract on the device so they will not provide any help. Now I have a 20K SAN that boots and physically works but I have no way to control it or manage it. In other words, I have a 20K boat anchor. Good thing there are FTP sites with admins that don't lock them up :-) ## System Volume Information Folder Size If you are "missing" free space, and only have a few GB left when you should have many GB left (or TB), the culprit could likely be: • -permission issue. You cannot see the size of a folder if you do not have read permissions to access the folder. • -SHADOW COPIES. You can see if there are SHADOWS by following the instructions in the previous post. One item that VSSADMIN and DISKSHADOW will not show is the size of the SHADOW. Bummer. The Windows OS saves these SHADOWS in the SYSTEM VOLUME INFORMATION folder. For various reasons, a typical administrator does not have permissions to that folder. This causes an issue because you cannot know the size of the folder through EXPLORER. So how do you know the size of the SYSTEM VOLUME INFORMATION folder? Here's how using robocopy: • robocopy "c:\System Volume Information" c:\dummy /l /xj /e /nfl /ndl /njh /r:0 /b For most other items, WINDIRSTAT will show you the way. ## DISKSHADOW And VSSADMIN DISKSHADOW And VSSADMIN control shadows. But what's a "shadow"? Good question. A shadow is copy of file or a volume. This can be done even while the file is in use. The proper name for this is Volume Snapshot Service or Volume Shadow Copy Service or VSS. And it works at a block level (rather than a file level). There are a couple of parts to this but the heart of the technology is the VOLUME SHADOW COPY SERVICE which performs the actual copy. The transfer of the data is called a PROVIDER. While Windows comes with its own PROVIDER, other software companies can create their own providers. An example of a built-in PROVIDER is SYSTEM RESTORE or PREVIOUS VERSIONS for a file or folder. An example of an outside software company is SHADOWPROTECT. While SHADOWPROTECT is an outside company, it still relies on VSS to create the shadow on its behalf. SHADOWPROTECT does not create its own shadow. The shadows are traditionally managed by VSSADMIN. Here's how to show all PROVIDERS in either powershell or command-line: • vssadmin list providers And here's how to show the SHADOWS: • vssadmin list shadows And here's how to show the SHADOW storage: • vssadmin list shadowstorage VSSADMIN is not the only tool. Another tool gives more info. That is DISKSHADOW. DISKSHADOW is a interactive command interpreter like DISKPART. What I've found is that DISKSHADOW is a more accurate and more powerful tool. Here's how to enter DISKSHADOW interactive: • DISKSHADOW Here's how to show all PROVIDERS: • DISKSHADOW> list providers Here's how to show all SHADOWS: • DISKSHADOW> list shadows all It will show all the SHADOWS, if it is created for a builtin provider or for an 3rd party provider. And it will show the provider ID for each shadow. To add info, you should be able to limit the size of a shadow: • -computer-management • -right-click SHARD-FOLDER (on the left-hand side) • -click ALL-TASK > CONFIGURE-SHADOW-COPIES • -click SETTINGS for each drive and adjust the size as you see fit. NOTE: you can also do this on the DISK-MANAGEMENT snap-in. ## Upgrading Polycom Phones Across Entire Location [NOTE: please read entire document before proceeding.] Upgrading all the Polycom phones across an entire location has been a mission. Again, there's so much mis-information and different setups it is hard to weed through it all. In short, you need first provision the phones. Secondly, you need to update the firmware and software. In older Polycom phones, called SoundPoint phones, you need 2 files uploaded to your phone-server for each model of phone-set. The 2 files are: • the bootrom/bootloader/updater file. • the sip/uc-software/application (sip.ld) file. In newer Polycom phone, called VVX phones, the bootrom/bootloader/updater file is automatically included in the sip/uc-software/application (sip.ld) file. ### STAGE 1: Provision Polycom Phones Polycom phones can boot with power or POE (hint, use POE). Without a configuration, they won't do anything except complain. Configurations are great because they determine nearly everything on the phone. You can set phone call features, backgrounds and even speakerphone volume. In fact, you can set just about everything. The configuration can be kept in one of the following locations: • phone: settings set by the buttons on the phone. • web: settings set by the web interface. • server: central server that provides the configuration. We are interested in large deployments, so we will focus on central server deployments. This is important because the configuration of the setup is usually more than just the phone server and attention is needed elsewhere. If your phone are getting configurations and you don't see them in the phone set or on the phone server, the the DHCP server is where to look. Central server deployments can serve the configuration files through: • FTP • TFTP • HTTP/HTTPS Most deployments will use FTP since it can be setup everywhere; meaning inside the office and outside the office. On the other hand, TFTP will only be available inside the office. Upon booting, phones will naturally try to get an IP address from a DHCP server. When they talk to the DHCP server, the server can respond with some options to tell the Polycom phones where to look for the configuration files. The options are: • OPTION-066: this is a typical TFTP server option. However, it may already be in use by something else so Polycom had to put in a higher priority option customized just for Polycom phones. • OPTION-160: this is a Polycom specific TFTP server option. Polycom phones are hard-coded to look for this option first. This will have to be added as an option on a MS DHCP server. To add the option to MS DHCP: • -start the DHCP server-manager • -right-click IPV4 or IPV6 (on the left-hand side). • -click SET-PREDEFINED-OPTIONS • -click ADD • -type: NAME: Polycom Boot Server Name DATA: String CODE: 160 DESCRIPTION: doesn't-matter To add the OPTION-160 to the DHCP scope: This is the secret sauce and test it out before roll-out on large deployments by rebooting just one phone. This will set the value on the phone. If the value is set incorrectly and is unable to find the central-server, the phone will not be able to obtain the configuration files and will use the cached configuration. The only way I know to clear the cache is to login to the web interface: • -click UTILITIES > SOFTWARE-UPGRADE • -click CLEAR-UPGRADE-SERVER If that doesn't work, factory default the phone. This can be harder than it sounds. • -hold 1-3-5; type in 456 or type in the macaddress from the bottom of the phone (001122334455) • -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-LOCAL-CONFIG • (wipes macaddress-phone.cfg from server) • -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-WEB-CONFIG (wipes macaddress-web.cfg from server) • -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-TO-FACTORY (wipes all configuration containers on the device) • -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > FORMAT-FILE-SYSTEM (wipes app from phone and will require provisioning server to work again) You can see if the provisioning worked by looking at the phone: • -press HOME > SETTINGS > STATUS > PLATFORM > CONFIGURATION • -see the boot server, boot type and configuration files. ### STAGE 2: THE BOOTROM/UPLOADER 1-First, download the BOOTLOADER/BOOTROM/UPDATER files here for the SOUNDPOINT phones (the VVX phones have thier BOOTROM/UPDATER included in the sip.ld file): http://downloads.polycom.com/voice/voip/uc/SoundPoint_IP_BootROM_4_4_0_Upgrader_release_sig.zip (or if you have a SoundStation 6000/7000, you need the B version here: http://downloads.polycom.com/voice/voip/uc/SoundPoint_IP_BootROM_4_4_0B_Upgrader_release_sig.zip) 2-unzip the download and inside the folder you will see the bootloader files like: 2345-12560-001.bootrom.ld 3-Take all the BOOTROM files and upload them to your phone-server (provisioning server) in the tftpboot directory. (fyi - the tftpboot directory will be at the root of the filesystem: /tftpboot.) The chart below will show what bootrom goes with what phone-set model.  FILES DESCRIPTION bootrom.ld Concatenated BootROM 2345-12345-001.bootrom.ld ????? (Probably SoundPoint IP 300/302/320/330) 2345-12360-001.bootrom.ld SoundPoint IP 321 2345-12365-001.bootrom.ld SoundPoint IP 331 2345-12375-001.bootrom.ld SoundPoint IP 335 2345-12450-001.bootrom.ld SoundPoint IP 450 2345-12500-001.bootrom.ld SoundPoint IP 550 2345-12560-001.bootrom.ld SoundPoint IP 560 2345-12600-001.bootrom.ld SoundPoint IP 650 2345-12670-001.bootrom.ld SoundPoint IP 670 2345-17960-001.sip.ld VVX 1500 3111-15600-001.bootrom.ld SoundStation IP 6000 3111-17823-001.dect.ld VVX D60 Wireless Handset & Base Station 3111-19000-001.sip.ld SoundStation Duo 3111-30900-001.bootrom.ld SoundStation IP 5000 3111-33215-001.sip.ld SoundStructure 3111-36150-001.sip.ld SpectraLink 8440 3111-36152-001.sip.ld SpectraLink 8450 3111-36154-001.sip.ld SpectraLink 8452 3111-40000-001.bootrom.ld SoundStation IP 7000 3111-40250-001.sip.ld VVX 101 3111-40450-001.sip.ld VVX 201 3111-44500-001.sip.ld VVX 500 3111-44600-001.sip.ld VVX 600 3111-46135-002.sip.ld VVX 300 3111-46161-001.sip.ld VVX 310 3111-46157-002.sip.ld VVX 400 3111-46162-001.sip.ld VVX 410 3111-48300-001.sip.ld VVX 301 3111-48350-001.sip.ld VVX 311 3111-48400-001.sip.ld VVX 401 3111-48450-001.sip.ld VVX 411 3111-48500-001.sip.ld VVX 501 3111-48600-001.sip.ld VVX 601 3111-48810-001.sip.ld VVX 150 3111-48820-001.sip.ld VVX 250 3111-48830-001.sip.ld VVX 350 3111-48840-001.sip.ld VVX 450 Great! You are halfway there. ### STAGE 3: THE SIP.LD FILE aka POLYCOM-UC-SOFTWARE aka APPLICATION) The SIP.LD file is the image that will be served by the TFTP/FTP central server. This is the same as the APPLICATION VERSION or the SIP APPLICATION VERSION. 1-First, look at the Polycom Matrix for older phones (ie SOUNDPOINT/SOUNDSTATION phones) here: http://downloads.polycom.com/voice/voip/sip_sw_releases_matrix.html Or the Polycom Matrix for newer phones (ie VVX phones) here: http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html 2-Second, download the most recent version of the firmware (get the SPLIT-DOWNLOAD [not combined-download]). There are many options here but they should be boiled down to either "Current GA for Microsoft Lync" or "Current GA Release" (Hopefully it's obvious, the MS Lync is for MS Lync servers. If you do not know what that is, don't worry about it as it is not the one you need). (As of this writing the Current General Availability for SOUNDPOINT phone-sets is v4.0.11). 3-unzip the download and inside the folder, you will see SIP.LD files like: 2345-12560-001.sip.ld 4-Take all the LD files and upload them to your phone-server (provisioning server) in the tftpboot directory. Overwrite any files that are currently there (even if they are from the bootrom zip from above). [This process is easier than figuring out if we need the files or not. Having everything will not hurt anything.] 5-Once there, rename the file according to your system. Use the guide above as direction. I had to rename the files as such: sip.SPIP560.4.0.11.revc.ld sip.VVX410.5.7.0.revc.ld ### STAGE 4: CONFIG FILES ----------From here, there might be some troubleshooting. Namely, some of the old config files may not work with the most recent firmware. Edit the files accordingly in the tftpboot directory. Each phone will have a MAC-address number on the back. Something like, 0004123EDT78. So, each phone will have a base-config file of mac-number.cfg. Something like, 0004123EDT78.cfg The phones are hard coded to look for this file. The first part of the file will dictate that SIP.LD/APPLICATON file. It will look like this: APPLICATION APP_FILE_PATH="sip.[PHONE_MODEL].3.2.3.revc.ld" With our directory structure in place, we can have the same model of phones use different APPLICATION versions at the same time. And we can have different models of phones use different APPLICATION versions at the same time. All of this is done by changing the base-config file. This file will determine what SIP.LD file to use and what further config files to use. Before the update, the contents will look something like this: <APPLICATION APP_FILE_PATH="sip.[PHONE_MODEL].3.2.3.revc.ld" CONFIG_FILES="deviceset-12345.cfg, phone-0004123EDT78.cfg, sip.3.2.3.revc.cfg" MISC_FILES="0004123EDT78-directory.xml" LOG_FILE_DIRECTORY="" OVERRIDES_DIRECTORY="" CONTACTS_DIRECTORY="" LICENSE_DIRECTORY=""> </APPLICATION> After the update, you need to edit the file to look something like this: <APPLICATION APP_FILE_PATH="sip.[PHONE_MODEL].4.0.11.revc.ld" CONFIG_FILES="deviceset-12345.cfg, phone-0004123EDT78.cfg, sip.4.0.11.revc.cfg" MISC_FILES="0004123EDT78-directory.xml" LOG_FILE_DIRECTORY="" OVERRIDES_DIRECTORY="" CONTACTS_DIRECTORY="" LICENSE_DIRECTORY=""> </APPLICATION> You can do this file-by-file if needed. Or you can run one command on the phone-server. 1-make sure you are in the tftpboot directory 2-make a directory for the backup of the files: mkdir cfgfiles 3-copy all the base config files into this directory: cp ./000*.cfg ./cfgfiles (or cp ./6416*.cfg ./cfgfiles) 4-change all the files at once: sed -i -e "s/3.2.3.revc.ld/4.0.11.revc.ld/g" ./000*.cfg This will update all the base-config files to tell the phone-sets to use the new SIP.LD/APPLICATION files. #### PHONE OVERRIDE FILES Phone override files are changes made from the phone-set and are named <MAC Address>-phone.cfg. So something like, 0004123EDT78-phone.cfg On my phone-server, the older phone override files were named phone-0004123EDT78.cfg If they have parameters older than v3.3.0, you will get an error message. To fix, see below in the "UPDATE CONFIG FILE WITH UTILITY" section. #### WEB OVERRIDE FILES If you change something via the phone-set web interface, it will save the settings in a web-override file named <MAC Address>-web.cfg. So something like, 0004123EDT78-web.cfg ### STAGE 5: REBOOT Now reboot the phone. It should upgrade the bootrom automatically. You do not need to do anything as the phone is hard coded to look for and use the newest bootrom available. After the bootrom is updated, the application/sip.ld will update. This process may take around 10 minutes per phone. If you have a POE switch, you can do this across the network by unplugging the POE switch. Wait about 1 minute. Plug the POE switch back in. Then wait about 15 minutes for all the phone to upgrade. (Of course, wait for after hours time period.) ### STAGE 6: UPDATE CONFIG FILE WITH UTILITY If you have an older config file, the Polycom phone-set will give an error. Something like, "phone-0004123EDT78.cfg is pre-3.3.0 params." Basically it is saying that you are trying to config a parameter that doesn't exist. You can see what config files are being used and which have errors by: • -press HOME > SETTINGS > STATUS > PLATFORM > CONFIGURATION scroll down on the phone and it will show the number of PRE-3.3.0, ERRORS, DUPLICATES and OK's. Consequently, you will have to update your config files to remove those parameters.This can be done parameter-by-parameter by looking at the log file on the phone (or server) and manually adjusting for each. Or you can do this automatically with a Windows software utility called: CFCUtility. Your results may vary so be careful with the utility. • -download it here: http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCConfig_agreement.html • -unzip. • -in the CFCUtiliy folder, create a folder called "config-files". • -on the central-server, make sure you are in the tftpboot directory. • -make a backup directory: mkdir cfgphonefiles • -copy all the phone files to this directory (as a backup for safe keeping): cp ./*cfg ./cfgphonefiles/ • -gather all the config-files in the folder called "config-files". (this can be done by mounting usb drive, ftp, scp, etc) • -from a Windows command-line change to the CFCUtiliy folder. • -type: cfcUtility.exe -t ./config-files • -it will ask you some generic questions and accept the defaults. Now you can transfer the files back to the phone-server in the tftpboot directory. • -reboot the phone(s). (remember, if you have a POE switch unplug the switch and plug back in for a network-wide solution) • -it will reboot 2 or 3 times on it's own. ### UNCOMPLICATING CONFIG FILES All the configuration for the phones can be done in one config file if we really wanted to. Or we could have one really long config file for each phone. But for sanity's sake, we break this out. In the tftpboot directory, you will have some files for each phone-set: 0004123EDT78.cfg (the base config. The backup is in the cfgfiles directory) 0004123EDT78-phone.cfg (the new phone override, used automatically) 0004123EDT78-web.cfg (the new web override, used automatically) phone-0004123EDT78.cfg (the old phone override, used by the base-config file. This file is converted and a backup is in the cfgphonefiles directory. It can be deleted since it is not being used.) Other config files can be present as well (but not required). In the unzip folder of the Polycom UC Software from STAGE-3, you can find the generic config files: applications.cfg dect.cfg device.cfg features.cfg firewall-nat.cfg H323.cfg lync.cfg pstn.cfg reg-advanced.cfg reg-basic.cfg region.cfg sip-basic.cfg sip-interop.cfg site.cfg tr069.cfg video.cfg video-integration.cfg Each has it's own place in life. I usually see: 64167f920093-reg-basic.cfg (for the line registration) 64167f920093-features.cfg (for the features of the phone) polycom.UC5.7.0.sip-basic-11325.cfg (for the line registration of the location) polycom.UC5.7.0.device-11325.cfg (for device settings for the location) polycom.UC5.7.0.sip-interop-11325.cfg (for interoffice operation settings) polycom.UC5.7.0.site-11325.cfg (for site settings like timezone) You can see the entire list of options/values by inspecting the 73,000 line file in the unzip download: Polycom-UC-Software-5-7-0-rts18-release-sig-split\Config\polycomConfig.xsd #### FOR NEWER FIRMWARE VERSIONS, SINGLE PHONE For newer phone-sets with updated firmware versions, simply redirect the provisioning server to: voipt2.polycom.com/<version-number> 1. go to phone 2. press Menu > Settings > Advanced (default password: 456) > Administration Settings > Network Configuration > Provisioning-Server 3. change Server Type to HTTP. 4. type: voipt2.polycom.com (for Server Address) • Example: to load the latest SIP 4.04 = voipt2.polycom.com/404 • Example: to load the latest SIP 4.0.11 = voipt2.polycom.com/4011 5. reboot the phone-set 6. wait 15 minutes 7. once updated, change the server back to the local provisioning-server For a current live directory list go here: http://voipt2.polycom.com/WEBCONTENT/directory.html NOTES: -the config files are explained here: http://documents.polycom.com/topics/139356 ## Update the ADMX Templates in Windows Server to Apply GPO to Windows 10 Updating the ADMX Templates in Windows Server to Apply GPO to Windows 10 is a manual process. A Windows Server can control Windows client computers through Group Policy/Group Policy Objects (GP/GPO). It does this through template files called ADMX files. These ADMX files simply correspond to registry-edits (regedits). Since not all regedits are available on OS versions (for example, controlling OneDrive was included along the way), there is a set of ADMX files for common milestones like: • -Windows 7 • -Windows 7 SP1 • -Windows 8 • -Windows 8.1 • -Windows 10 • -Windows 10 (1511) • -Windows 10 (1607) Anniversary Update The ADMX files are not automatically updated on the Windows Server. They must be manually updated. The updates are in MSI files (and not zipped files). The instructions are pretty simple once someone shows you: • -download the ADMX msi. • -install the ADMX msi (this will unpack the ADMX files in a folder called "Policy Definitions"). • -copy the entire contents to: C:\Windows\SYSVOL\sysvol\domain-name\Policies\PolicyDefinitions\ You can find the ADMX files here: -Windows 10 (1511) https://www.microsoft.com/en-us/download/details.aspx?id=48257 -Windows 10 (1607) Anniversary Update https://www.microsoft.com/en-us/download/details.aspx?id=53430 This video explains it better than I can: ## Creating Shares On Server 2012 Many experience admins get this wrong. Here's how to do it right. There are a 5 parts to this. CREATE THE GROUP • -login to server. • -click ACTIVE-DIRECTORY-USERS-AND-COMPUTERS. • -create an GROUP (aka SECURITY-GROUP). • -add the users/members. CREATE THE SHARE • -create a folder. • -right-click to PROPERTIES > SHARING. • -click ADVANCED-SHARING. • -checkmark SHARE-THIS-FOLDER. • -if hidden, add a$ at the end.

• -click PERMISSIONS.
• -remove all groups/users.
• -add the GROUP required for this share.
• -checkmark FULL-CONTROL.
• -click OK > OK.

• -click SECURITY tab (at the top).
• -click ADVANCED (at the bottom).
• -click DISABLE ENHERITANCE.
• -click CONVERT INHERITED PERMISSIONS INTO EXPLICIT PERMISSIONS.
• -remove all groups/users except SYSTEM.
• -add the GROUP required for this share.
• -checkmark FULL-CONTROL.
• -click OK > APPLY.

TEST PERMISSIONS

• -click the EFFECTIVE ACCESS tab (at the top).
• -test the user/group you want to make sure can access.

NOTES:

• -the EVERYONE group does not include everyone. This is why it should not be used.
• -the most restrictive permissions win.
• -the group is assigned to the user upon login. Consequently, the user will have to logout and login again to test if the share is working.

## Find the FSMO in Your Domain

You have multiple servers. Despite there being a sync between them, only one can be the master for certain operations. For example, only one server can hold the official invitation list. The other bouncers will have to check the master list. This master is called the FSMO.

So how do you know which server is the FSMO? How do you find the FSMO in your domain?

Here's how:

• open cmd
• type: netdom query fsmo

You can also:

• -open ACTIVE-DIRECTORY-USERS-AND-COMPUTERS.
• -right-click on the domain-name (on the left-hand side).
• -click OPERATIONS MASTER.
• -it should show you there as well. At the different tabs at the top, you can select which OPERATION you are interested in.

There are other ways as well.

## Black Screen of Death on Windows 10 v1607 Update (aka Anniversary Update - a Feature Update)

Black Screen of Death on Windows 10 v1607 Update (aka Anniversary Update - a Feature Update) upon reboot. The only way to get out of it is to power down the computer. Upon reboot, the computer will revert to the previous version of Windows 10 v1511.

So how to get Windows 10 v1607 Update (aka Anniversary Update) to install?

-start the update.
-manually reboot to finish.
-before it reboots, unplug the USB dongle for the Logitech wireless mouse or wireless keyboard.
-the update will install.

## Intel HD Graphics on Windows 10 64-bit

In the spirit of "just show me how to fix it" I will be succinct.

The older Intel HD Graphics 3000 (or Sandy Bridge) is no longer working in WINDOWS-10(v1607). It used to work in WINDOWS-10(v1511) but INTEL is pushing foreword. The same is true for Intel HD Graphics 2000 and HD Graphics. This is basically the Intel 6 Generation Chipset.

-Intel refuses to produce drivers for this graphics card on it's own but has released a driver and provided it to MS.
-the driver is version 9.17.10.4459.
-the driver has to be gotten from MS and not from INTEL:
http://catalog.update.microsoft.com/v7/site/Search.aspx?q=9.17.10.4459
(it is named: 200028694_9f1eae50bc588760715acd70172f5487dc461e64)

CASE-1
-INTEL GRAPHICS HD 3000
-black screen of death trying to update to WIN-v1607.
-the driver is v9.17.10.4299.
-had to manually untar the cab.
-had to manually update the driver to v9.17.10.4459
-also installed the latest CHIPSET driver for QM67 (intel 6 series).

CASE-2
-INTEL GRAPHICS HD 2000
-black screen of death trying to update to WIN-v1607.
-the driver is v9.17.10.4299.
-had to manually untar the cab.
-had to manually update the driver to v9.17.10.4459
-also installed the latest CHIPSET driver for Q65 (intel 6 series).

CASE-3
-INTEL GMA 4500 (g41 chipset)
-black screen of death trying to update to WIN-v1607.
-the driver is v8.15.10.2702
-make sure KB3176938 is installed.

NOTES:
-use HWINFO to find out details of your computer.
-https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units
-https://en.wikipedia.org/wiki/List_of_Intel_chipsets

## Office365 Options

Office365 has many options and it can be confusing on their web site. Here's an easy to read all-in-one page to quickly identify your needs:

 EXCHANGE-1 EXCHANGE-2 OFFICE-365-ESSENTIALS OFFICE-365-BUSINESS OFFICE-365-PREMIUM OFFICE-365-PROPLUS OFFICE-365-E1 OFFICE-365-E3 OFFICE-365-E5 cost-montly $4.00$8.00 $5.00$8.25 $12.50$12.00 $8.00$20.00 $35.00 cost-annual$48.00 $96.00$60.00 $99.00$150.00 $144.00$96.00 $240.00$420.00 exchange YES YES YES NO YES NO YES YES YES mailbox-size 50GB 100GB 50GB 0GB 50GB 0GB UNLIMITED UNLIMITED UNLIMITED apps-online NO NO YES YES YES YES YES YES YES apps-desktop NO NO NO YES YES YES NO YES YES onedrive NO NO YES YES YES YES YES YES YES onedrive-size 0TB 0TB 1TB 1TB 1TB 1TB 1TB 1TB 1TB shared contacts YES YES YES NO YES NO YES YES YES shared calendar YES YES YES NO YES NO YES YES YES maximum users UNLIMITED UNLIMITED 300 300 300 UNLIMITED UNLIMITED UNLIMITED UNLIMITED

NOTES:

## Exchang 2013 Change Primary SMTP Email Address

Exchang 2013 Change Primary SMTP Email Address

You might get the following, "Couldn't update the primary SMTP address because this mailbox is configured to use an e-mail address policy."

Here's how to fix:
Set-Mailbox foo.user -PrimarySmtpAddress This e-mail address is being protected from spambots. You need JavaScript enabled to view it -EmailAddressPolicyEnabled $false Or if you need to set all the addresses for one mailbox all at once (the captial SMTP is the primary smtp address and the lowercase smtp is the additional smtp email addresses): Set-Mailbox foo.user -EmailAddresses smtp:foo.user@domain1, smtp:foo.user@domain2, SMTP:foo.user@domain3 -EmailAddressPolicyEnabled$false

## Grab All The Photos From A Web Site

So you want to grab all the photos from a web site do you? Here's how:

wget -nd -r -A jpg -e robots=off http://wherever.tld

This will put all the photos from the web site you reference (and all lower directories) to a single directory. This will not magically grab photos from a directory which has no page attached to it and has random names.

If you do know the names are sequential numbers then you can try:

wget -nd -r -A jpg -e robots=off http://wherever.tld/gallery/{0..1000}.jpg

Page 1 of 4

• «
•  Start
•  Prev
•  1
•  2
•  3
•  4
•  Next
•  End
• »