
Network Node Central Management

What can I say?

  • PDQ
  • Lansweeper
  • LogicNow
  • Matrix42

Exchange 2013 Failed to Mount Database

TL;DR: http://mikepfeiffer.net/2010/04/getting-an-exchange-database-into-a-clean-shutdown-state-using-eseutil/


Ughhh.... Users report that they can't access their email. The message is "Microsoft.Exchange.Data.Storage.MailboxOfflineException".

Ok, so the Mailbox is offline. Why is it offline?

The database for the Exchange 2013 is broken into 3 different groups.

  • A-H
  • I-P
  • Q-Z

Databases I-P & Q-Z are working fine but database A-H won't mount.

Why won't it mount? It won't mount because it is corrupt.

How did it get like this? It got like this because EXCHANGE 2013 uses EDB files. It is a single file that stores everything. This file grows. Sooner or later it craps out. I'm not sure why but my guess is on NTFS.

If I check the EVENT LOG > APPLICATION, I see,

"Active Manager failed to mount the database Mailbox A-H. Error: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionDatabaseError: Unable to mount database. (hr=0x80004005, ec=1108)"

It gets worse, I'm also getting:
"Microsoft Exchange Information Store worker process (18152) has encountered an unexpected database error (Disk IO error) for database Mailbox A-H with a call stack of..."

And still worse:
"Database copy Mailbox A-H on this server appears to have a serious I/O error." "Service recovery was attempted by failover to another copy. Failover was unsuccessful in restoring the service. Error: There is only one copy of this mailbox database. Automatic recovery is not available."

And worse:
"Information Store - Mailbox A-H ; Database recovery/restore failed with unexpected error - 1022"

And worse:
"Information store - Mailbox A-H: An attempt to write to the file "C:\Program Files\Microsoft\Exchange\V15\Mailbox\Mailbox Database 1889704935\Mailbox Database 1889704935.edb" at offset... bytes failed after 0.000 seconds with system error 665. The requested operation could not be complete due to a file system limitation. The writer operation will fail with error - 1022. If this error persists then the file may be damaged and may need to be restored from a previous backup."

All of this to say that the database is corrupt.

We got 2 options:

  1. restore from backup.
  2. repair database.

To repair:

  • cd \
  • cd \Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Foo\
  • eseutil /mh ".\database-name.edb"
  • eseutil /p ".\database-name.edb" /g

Then I moved all the log files away from Exchange log folder. First create a backup-directory, then move all the files into the backup-directory:

  • mkdir bkp
  • move * bkp

Then move the database-file.edb back where it came from:

  • cd bkp
  • move database-name.edb ..\

Now defrag the database-file.edb:

  • eseutil /d database-file.edb

Now check to see if the database-file.edb is OK:

  • eseutil /mh ".\database-name.edb"

Finally, mount the database:

  • $Mount-Database "database-name"

NOTE: you can run eseutil.exe /mh without effect. It is informational only.
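Because /mh is read-only, it is the right thing to run first: its "State:" and "Log Required:" lines decide whether a soft recovery (eseutil /r, which replays the log files and loses nothing) is enough or whether the hard repair (eseutil /p, which throws away damaged pages) is really needed. The script below is an added example, not code from the original post or from Microsoft; it parses the /mh output and says which path applies. The eseutil and database paths, and the E00 log base name, are assumptions for a default Exchange 2013 install.

```powershell
# Added example (not from the original post): read the database header with
# "eseutil /mh" and report whether a mount, a soft recovery or a hard repair
# is the next step. Paths below are assumptions; adjust them to your server.
$EseUtil  = 'C:\Program Files\Microsoft\Exchange Server\V15\Bin\eseutil.exe'
$Database = 'C:\Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Foo\database-name.edb'

function Get-EdbHeaderState {
    param([string]$EdbPath)

    # /mh only dumps the header; it never modifies the database.
    $out = & $EseUtil /mh $EdbPath 2>&1 | Out-String

    # Lines of interest look like:
    #   State: Dirty Shutdown
    #   Log Required: 89136-89215 (0x15c30-0x15c7f)
    $state = if ($out -match 'State:\s*(.+?)\r?\n') { $matches[1].Trim() } else { 'Unknown' }
    $logReq = if ($out -match 'Log Required:\s*(\d+)-(\d+)') { [int]$matches[1], [int]$matches[2] } else { $null }

    [pscustomobject]@{
        Database      = $EdbPath
        State         = $state
        LogRequired   = $logReq
        CleanShutdown = ($state -eq 'Clean Shutdown')
    }
}

$hdr = Get-EdbHeaderState -EdbPath $Database
$hdr | Format-List

if ($hdr.CleanShutdown) {
    Write-Host "Header says Clean Shutdown: mount it (Mount-Database) without any repair."
} elseif ($hdr.LogRequired -and $hdr.LogRequired[1] -gt 0) {
    $first, $last = $hdr.LogRequired
    # Log file names are the base name plus the generation number in hex (E00 + 0015CD80).
    $msg = ("Dirty Shutdown. Soft recovery needs log generations {0}-{1} (E00{2:X8} .. E00{3:X8}); " +
            "run 'eseutil /r E00 /l <logdir> /d <dbdir>' before considering 'eseutil /p'.") -f $first, $last, $first, $last
    Write-Host $msg
} else {
    Write-Host "Dirty Shutdown and no log range parsed: a hard repair (/p) discards data, so copy the .edb first."
}
```

If the required log generations are missing from the log folder (moved away, or purged by a backup job), soft recovery cannot complete and you are back to the repair-or-restore choice above; keeping a copy of both the .edb and the log folder before touching anything costs nothing but disk space.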

In the end, it was easier to create a new database-name.edb and import the items needed via edbmails. Don't ask me why it took more than 24 hours to get to a solution that should have been the first option. This is exactly why I keep a note of items here.


Luckily, I called MS support. So you get the short of the conversation without having to pay ;-)

-too many log files.

-database file is too large. It is 539GB.

-ran eseutil /mh ".\database-name.edb"

-error 1811. Bad news.

-stop MS Exchange Information Store

-uninstall Veeam Backup


-get-mailboxdatabasecopystatus *

-wait for the databases to mount.

-shows "Dismounted"

-event-viewer > application and they see the same errors I already found.

-uninstall some programs that might be accessing the file.

-ran eseutil /mh ".\database-name.edb"

-error 1032. This means it's being used somewhere.

-storagecraft was trying to mount it.

-stop storagecraft service

-ran eseutil /mh ".\database-name.edb"


-see that the log-required is lengthy

-sequence is from E000015CD80 to E000015CDCF

-created new folder & moved the sequence into this new folder

-ran eseutil /ml ".\database-folder\new folder\E00"

-"no damaged log files were found"

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /a

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /i

-ran eseutil /mh ".\database-name.edb"


-copy the database-name.edb

-start a new database-name.edb (this will get everyone receiving email)

-repair the database-name.edb

-merge the file back into the new-database-name.edb


-get-exchangeserver | fl name,*admin*,*role*,*site*

-repair is 5-6GB per hour

-ran eseutil /p ".\old-database-name.edb"

-merge into new-database-name.edb

[PS] c:\users\admin> cd "C:\Program Files\Microsoft\Exchange Server\V14\Bin"

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>eseutil /r E00 /i /l 'Y:\ExchangeRestore\Mailbox Database' / 'Y:\ExchangeRestore\Mailbox Database'


StorageCraft to the rescue again with Granular Recovery for Exchange.

Testing it out now...

OK, I'm back. The StorageCraft GRE is a good tool. It does what eseutil should do but makes it easy for the stressed out administrator. It also has the added benefit of having granular restore. You can restore just one email.

If you have the budget, I recommend it. It's way better than EDBMAILS and other software I've tried.

Setting Windows Time - w32tm

Here's how this goes. There should only be one NTP SERVER on the network. You can have more but it would be redundant.


The domain-server should be set to sync with an external source.

  • -open POWERSHELL (as admin)
  • $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • $stop-service w32time
  • $sc stop w32time
  • $start-service w32time
  • $sc start w32time


The domain-clients should automatically get their time from the server. If for some reason, a domain-client doesn't, then force it:

  • -open POWERSHELL (as admin)
  • $w32tm /config /syncfromflags:domhier /update
  • $stop-service w32time
  • $sc stop w32time
  • $start-service w32time
  • $sc start w32time


If it is a VIRTUAL-OS, disable TIME-SYNCHRONIZATION from the HYPER-V settings:

  • -click on the VM
  • -click SETTINGS (on the right-hand side)
  • -scroll down to INTEGRATION SERVICES
  • -uncheck TIME SYNCHRONIZATION
  • -click OK

You can check to see if a NTP Server is working.


  • -check to see if an external NTP server is working.
  • -if you get an error, check to see if an internal NTP server is working.
  • -set the server to a working NTP server
  • External: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • Internal: $w32tm /config /syncfromflags:manual /manualpeerlist: /reliable:yes /update

You can check the config:

  • $w32tm /query /configuration
  • $w32tm /query /status
  • $w32tm /query /source
  • External-check: $w32tm /monitor /computers:pool.ntp.org
  • Internal-check: $w32tm /monitor /computers:
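Reading those query outputs by eye on a dozen servers gets old, and the two failure modes that hurt are easy to miss: a server that quietly fell back to "Local CMOS Clock" (so it is not synced with anything), and a VM whose source is the Hyper-V provider while the domain expects it to follow the domain hierarchy. Kerberos rejects tickets once the skew passes 5 minutes by default, and event logs from drifting machines cannot be correlated. The function below is an added example, not part of the original post; it parses w32tm /query /status, measures the offset against the reported source with the read-only /stripchart, and returns one object per server. The 60-second alert threshold is an assumption.

```powershell
# Added example (not from the original post): summarise what w32tm is actually
# doing and flag the cases that break Kerberos and log correlation.
function Get-TimeSyncHealth {
    param([int]$MaxOffsetSeconds = 60)   # assumption: alert well below the 5-minute Kerberos limit

    $status   = (w32tm /query /status 2>&1) -join "`n"
    $source   = if ($status -match 'Source:\s*(.+)')  { $matches[1].Trim() } else { 'unknown' }
    $stratum  = if ($status -match 'Stratum:\s*(\d+)') { [int]$matches[1] } else { -1 }
    $lastSync = if ($status -match 'Last Successful Sync Time:\s*(.+)') { $matches[1].Trim() } else { 'never' }

    # "Local CMOS Clock" / "Free-running System Clock" mean the machine follows nothing;
    # stratum 0 or 16 says the same thing in NTP terms.
    $freeRunning = ($source -match 'CMOS|Free-running') -or ($stratum -le 0) -or ($stratum -ge 16)
    # A VM following the hypervisor shows the Hyper-V integration provider as its source
    # (the vmictimesync case from the Hyper-V notes above).
    $viaHyperV = $source -match 'VM IC Time'

    # Measure the offset against the configured peer with /stripchart (read-only).
    $offset = $null
    if (-not $freeRunning -and -not $viaHyperV) {
        $peer  = $source -replace ',.*$', ''            # "0.pool.ntp.org,0x8" -> "0.pool.ntp.org"
        $chart = (w32tm /stripchart /computer:$peer /samples:1 /dataonly 2>&1) -join "`n"
        if ($chart -match '([+-]\d+\.\d+)s') { $offset = [double]$matches[1] }
    }

    [pscustomobject]@{
        Computer      = $env:COMPUTERNAME
        Source        = $source
        Stratum       = $stratum
        LastSync      = $lastSync
        ViaHyperV     = $viaHyperV
        OffsetSeconds = $offset
        Healthy       = (-not $freeRunning) -and ($offset -ne $null) -and ([math]::Abs($offset) -lt $MaxOffsetSeconds)
    }
}

Get-TimeSyncHealth | Format-List
```

Run it through Invoke-Command against the domain controllers and member servers; a Healthy=False with Source "Local CMOS Clock" on the PDC emulator is the one to fix first, because everything else chains from it.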

Some recommend (I have not tried this):

  • -force the VIRTUAL-HOST to use an external source via regedits
  • -set the external: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
  • $stop-service w32time
  • $start-service w32time
  • -then set the VIRTUAL-OS to use the internal VIRTUAL-HOST: $w32tm /config /syncfromflags:manual /manualpeerlist: /reliable:yes /update
  • (rather than through INTEGRATION SERVICES)
  • $stop-service w32time
  • $start-service w32time

Some recommend (I have not tried this):

-set the VIRTUAL-OS to use the internal VIRTUAL-HOST via INTEGRATION SERVICES

The issue is usually around the vmictimesync service (Hyper-V Time Synchronization).

I'll update this when needed. So far, I simply sync'd to external on 1 server and sync'd everything else to that. Seems to work. I'll post when I run into issues.

Expired Certificate on Exchange 2013

So your CERTIFICATE expired on your EXCHANGE 2013. No one can access email and you are being inundated with phone calls, pop-ins and text messages to notify you that "email isn't working" or "OUTLOOK isn't working."

We've all been there. If not, you will be there some day. Sometimes this even happens on very large email systems. There was a similar story recently where google.com didn't register their domain name (http://www.businessinsider.com/this-guy-bought-googlecom-from-google-for-one-minute-2015-9).
[I like to put these story links in here to let you know that you are not alone. It happens to just about everyone.]

This happens because CERTIFICATES are issued for multi-year terms; 2 years, 3 years, 5 years, 10 years, etc. And the expiration notices go to a non-personal email account that no one regularly checks, or to an email account that doesn't exist anymore.

Then the certificate expires and you wake up to voicemails and texts if you are in a worldwide company.

It's best to have a plan written out so you can follow it to fix quickly rather than use that time as a learning experience. Let me say it again with emphasis... FIX IT AS FAST AS POSSIBLE!

Here's how:


  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).

This will list out all the PERSONAL CERTIFICATES installed on the server. You will see the expired certificate in the list.


Before you go any further, view the expired-certificate to write down the SUBJECT ALTERNATIVE NAMEs

  • -click on the EXPIRED-CERTIFICATE.
  • -click VIEW (on the right-hand side).
  • -click DETAILS (at the top).
  • -scroll down to SUBJECT ALTERNATIVE NAME.
  • -write down all the names (in the lower box at the bottom).

The reason this is important is that if you access an email server called "mail.domain.tld" via a web site and you don't have that SUBJECT ALTERNATIVE NAME in the CERTIFICATE, then it will complain. And since EXCHANGE needs to have the local FULLY QUALIFIED DOMAIN NAME (FQDN) (ie server.domain.tld), the EXTERNAL DOMAIN NAME (mail.domain.tld) and the AUTODISCOVER NAME (autodiscover.domain.tld), it's important not to miss one of the names. If you do, you have to re-issue the CERTIFICATE and it can lead to longer down time.
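The whole outage starts with nobody seeing the expiry coming, so the cheapest fix is a script that lists every certificate in the machine's Personal store with its SANs and days remaining, run as a scheduled task and mailed to a mailbox people actually read. The function below is an added example, not code from the original post or from Microsoft; it reads the same store that IIS MANAGER > SERVER-CERTIFICATES shows and pulls the SUBJECT ALTERNATIVE NAME list you are told to write down above. The 30-day warning threshold is an assumption.

```powershell
# Added example (not from the original post): report every certificate in the
# machine's Personal store with its SANs, expiry date and days left.
function Get-CertificateExpiryReport {
    param([int]$WarnDays = 30)   # assumption: a month is enough lead time to re-issue

    Get-ChildItem -Path Cert:\LocalMachine\My | ForEach-Object {
        $cert = $_
        # The SAN extension (OID 2.5.29.17) must carry every name clients use:
        # the server FQDN, mail.domain.tld and autodiscover.domain.tld.
        $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' } | Select-Object -First 1
        $sans = if ($sanExt) {
            # Format($true) yields one "DNS Name=host" per line; keep the host part.
            ($sanExt.Format($true) -split '\r?\n') | Where-Object { $_ } | ForEach-Object { ($_ -split '=')[-1].Trim() }
        } else { @() }

        $daysLeft = [int]($cert.NotAfter - (Get-Date)).TotalDays
        [pscustomobject]@{
            Subject    = $cert.Subject
            Thumbprint = $cert.Thumbprint
            NotAfter   = $cert.NotAfter
            DaysLeft   = $daysLeft
            SANs       = $sans -join ', '
            Status     = if ($daysLeft -lt 0) { 'EXPIRED' } elseif ($daysLeft -lt $WarnDays) { 'EXPIRING' } else { 'OK' }
        }
    } | Sort-Object DaysLeft
}

$report = Get-CertificateExpiryReport
$report | Format-Table Subject, DaysLeft, Status, SANs -AutoSize

# Anything not OK is worth a ticket now rather than a phone call later.
$report | Where-Object { $_.Status -ne 'OK' } | ForEach-Object {
    Write-Warning "$($_.Subject) is $($_.Status) (expires $($_.NotAfter)); SANs: $($_.SANs)"
}
```

When you build the replacement CSR, compare its names against the SANs column of the expiring entry: if any name from the old certificate is missing, the new one will produce the same "certificate name mismatch" complaints you are trying to stop.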


  • -click CREATE CERTIFICATE REQUEST (on the right-hand side).
  • COMMON NAME: domain.tld
  • ORGANIZATION: Company Name
  • ORGANIZATION UNIT: Domain Control Validated
  • CITY: Jupiter
  • COUNTRY: us
  • For Cryptographic service provider, select "Microsoft RSA SChannel Cryptographic Provider".
    For Bit length, select 2048 or higher, and then click Next.
  • -save the CSR on the server and call it mail.domain.tld.csr
  • -this is a typical text file. Open it up with NOTEPAD.
  • -copy the entire contents (yes, even the "-----BEGIN NEW CERTIFICATE REQUEST-----")
  • -paste it into the web ONLINE APPLICATION (in your account at GODADDY, ENOM, NETWORK-SOLUTIONS, etc).
  • -wait a few minutes (about 2 minutes).
  • -download it. It will be named mail.domain.tld.cer and it might have an INTERMEDIATE CERTIFICATE.



There are ROOT CERTIFICATES installed on every device. These come from companies named like EQUIFAX, GEOTRUST, VERISIGN, THAWTE, GTE, MICROSOFT, etc. These are installed during the time of OS installation or through an update. In this case, Windows Update. But it can also happen during an iOS update.

Sometimes these ROOT COMPANIES can be viewed as manufacturers who do not do business with end-users directly. You have to use a dealer of their product.

Consequently, the INTERMEDIATE CERTIFICATES of these dealers need to be installed. These come from companies named like RAPIDSSL, GODADDY, etc.


  • -click START > RUN
  • -type: mmc
  • -click FILE > ADD/REMOVE-SNAP-IN (at the top).
  • -select CERTIFICATES (from the list on the left).
  • -click ADD (in the middle).
  • -click FINISH > OK (at the bottom).

The CERTIFICATE MANAGER shows. On the left are the different STORES and in the middle are the different CERTIFICATES.

  • -click to expand the CERTIFICATES (on the left-hand side).
  • -click ALL-TASKS > IMPORT
  • -click NEXT > BROWSE
  • -find FILE-NAME (at the very bottom).
  • -select "PKCS #7 CERTIFICATES (*.spc;*.p7b)" (in the dropdown to the right).
  • -select the INTERMEDIATE CERTIFICATE that you downloaded from your DOMAIN-PROVIDER (godaddy, rapidssl, etc). It might be called something like *_iis_intermediates.p7b
  • -click NEXT
  • -click BROWSE
  • -click OK
  • -click NEXT > FINISH
  • -exit out of the window.
  • -click NO (when it asks if you want to save).


  • -click SERVER-MANAGER.
  • -click TOOLS > IIS MANAGER.
  • -click YOUR-SERVER-NAME (on the left-hand side).
  • -double-click SERVER-CERTIFICATES (in the middle).
  • -click COMPLETE CERTIFICATE REQUEST (on the right-hand side).
  • -select the mail.domain.tld.cer (that was downloaded from the domain provider).
  • -type a "Friendly Name": mail.domain.tld
  • -select PERSONAL (for the CERTIFICATE STORE).
  • -click OK
  • -the CERTIFICATE should now show in your list of CERTIFICATES
  • -if needed, highlight the EXPIRED-CERTIFICATE and click REMOVE (on the right-hand side)


Even though the CERTIFICATE is installed, it isn't being used until you BIND the CERTIFICATE to the service (SMTP, WEBSITE, etc).


  • -click to expand the SERVER-NAME (on the left-hand side).
  • -click to expand SITES (on the left-hand side).
  • -you will see all the WEBSITES (on your server). Typically, there is DEFAULT-WEB-SITE & EXCHANGE-BACK-END
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-444-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK > CLOSE


  • -click DEFAULT WEB SITE (on the left-hand side)
  • -click BINDINGS (on the right-hand side)
  • -select HTTPS-443-* (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK
  • -select HTTPS-443- (in the middle)
  • -click EDIT (on the right-hand side)
  • -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
  • -click OK > CLOSE


  • -right-click the SERVER-NAME (on the left-hand side).
  • -click STOP
  • -wait for it to stop. It might take 2 minutes or so.
  • -right-click the SERVER-NAME (on the left-hand side).
  • -click START

That should do it!!! Visit your web site at mail.domain.tld and you should be OK with the CERTIFICATE. With this plan in place, you should be able to fix your certificate issue within a few minutes.

MS SQL Setup

MS SQL setup is a PITA. Here are a few of my notes:

1-the install package is the only way to install databases. In other words, if you have one database and you want another, you have to go through the setup process again. So keep that SQL INSTALLATION SETUP file on the system.

2-the versions are wacky. There is:

  • SQL - costs for license.
  • SQL EXPRESS - free for up to 10GB.
  • SQL CE (or compact edition) - Meant to be embedded in an application.
  • SQLITE - I don't know what this is for.

3-to connect and manage the SQL, you have to install SQL MANAGEMENT STUDIO. Think of this as their version of PHPMYADMIN. It can actually control different versions at the same time. It can control a 2012 SQL database and a 2014 SQL database at the same time.

4-which leads me to my next point. SQL versions can coexist. Both 2012 and 2014 can run at the same time.

5-permissions are wacky. They just are. They can be either SQL permissions or they can be WINDOWS permissions. But even if you use SQL permissions, you might have to setup WINDOWS permissions anyway. This is for a local LAN installation.

6-when you install, it automatically adds your USERNAME as the owner of the database. This is required so that you can add/remove other user permissions.

7-to see/add/change/remove the permissions:
(good video to explain the below: https://www.youtube.com/watch?v=gsr8ID2pY-A&feature=youtu.be)

  • expand the DATABASE-INSTANCE name.
  • expand the SECURITY folder
  • expand the LOGINS folder
  • right-click LOGINS
  • click NEW-LOGIN

Here, you can see where the permission can be either WINDOWS or SQL.

I find it's easier to use the WINDOWS AUTHENTICATION (although it doesn't seem like it should be so). The reason is that when the APP SERVICE runs (whatever APP is being used), the SERVICE is being run as the current-logged-in-user. I find (and this may be incorrect) that if you use the SQL SERVER AUTHENTICATION (like I want to), then you also have to go back and add the current-logged-in-user as well. This can add up to quite the number if you have many users.

To get around this, I add a specific DATABASE-USER account in ACTIVE-DIRECTORY. Then I change all the APP SERVICE on the clients machines to run as the DATABASE-USER (rather than the current-logged-in-user). This is done in SERVICES.MSC. Then I add that DATABASE-USER to the permissions on the SQL MANAGEMENT STUDIO.

  • select the DATABASE-USER.
  • leave the rest as the defaults.

Now you have to add this user to the DATABASE.

  • select USER MAPPING (on the left-hand side).
  • select the DATABASE you are controlling.
  • click OK (at the bottom).

After this is done (and only after), you now have to add permissions to the DATABASE for this user.

  • expand the DATABASES folder.
  • right-click the DATABASE name.
  • select PROPERTIES (at the bottom).
  • click PERMISSIONS (on the left).
  • select the USER (in the list).
  • place a CHECKMARK in the GRANT column for the following
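The same login, user mapping and permissions can be scripted, which is handy when the app gets re-installed and the dedicated DATABASE-USER has to be set up again. The script below is an added example, not from the original post; it uses Invoke-Sqlcmd from the SqlServer module against placeholder instance, database and account names. It grants the fixed database roles db_datareader and db_datawriter rather than ticking broad permissions in the GRANT column: the service account can read and write rows but cannot change the schema, hand out permissions or drop the database, which limits the damage if that account's credentials leak.

```powershell
# Added example (not from the original post): create the login for the dedicated
# AD service account, map it into the database and grant it only what the app needs.
# Assumes the SqlServer module (Invoke-Sqlcmd); all names are placeholders.
$Instance = 'SQLSERVER01\APPINSTANCE'
$Database = 'AppDb'
$Account  = 'DOMAIN\svc-appdb'

# Quote identifiers and escape string literals so an odd character in a name
# cannot break out of the statement.
$qAccount   = '[' + $Account.Replace(']', ']]') + ']'
$qDatabase  = '[' + $Database.Replace(']', ']]') + ']'
$litAccount = $Account.Replace("'", "''")

$setup = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$litAccount')
    CREATE LOGIN $qAccount FROM WINDOWS;
USE $qDatabase;
IF NOT EXISTS (SELECT 1 FROM sys.database_principals WHERE name = N'$litAccount')
    CREATE USER $qAccount FOR LOGIN $qAccount;
-- db_datareader/db_datawriter instead of db_owner: rows yes, schema and permissions no.
ALTER ROLE db_datareader ADD MEMBER $qAccount;
ALTER ROLE db_datawriter ADD MEMBER $qAccount;
"@

Invoke-Sqlcmd -ServerInstance $Instance -Query $setup -ErrorAction Stop

# Verify what the account ended up with (this is what PROPERTIES > PERMISSIONS shows).
$verify = @"
SELECT dp.name AS principal_name, r.name AS role_name
FROM sys.database_role_members drm
JOIN sys.database_principals dp ON dp.principal_id = drm.member_principal_id
JOIN sys.database_principals r  ON r.principal_id  = drm.role_principal_id
WHERE dp.name = N'$litAccount';
"@
Invoke-Sqlcmd -ServerInstance $Instance -Database $Database -Query $verify | Format-Table -AutoSize
```

If the app genuinely needs to execute stored procedures, grant EXECUTE on the specific schema or procedures in the same way rather than reaching for db_owner.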

8 -for the client machine to see and connect to the SQL DATABASE, you have to allow the port through the firewall.

9 -the port for each instance is randomly assigned.

10 - to find the port number, you have to use the SQL SERVER CONFIGURATION MANAGER.

  • click SQL SERVER NETWORK CONFIGURATION (on the left-hand side).
  • click on the DATABASE you are working on.
  • double-click TCP/IP (on the right-hand side).
  • click IP ADDRESSES (at the top)
  • scroll to the bottom.
  • mine says 51772

11 -you have to allow 2 PORTS through the WINDOWS FIREWALL.

  • randomly assigned TCP port.
  • UDP PORT 1434 (notice that this is a UDP PORT, not a TCP port).
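The port you read in SQL SERVER CONFIGURATION MANAGER lives in the registry, so the lookup and the two firewall rules can be done in one script. The one below is an added example, not from the original post; the instance name is a placeholder and the registry layout is the standard one for a 64-bit instance. Two points a practitioner would want: the rules are scoped to the local subnet and the Domain profile rather than to any address, and the script warns when the port it found is a dynamic one, because a dynamic port can change after a restart and silently leave the firewall rule pointing at the wrong port.

```powershell
# Added example (not from the original post): read the instance's TCP port from
# the registry (what SQL Server Configuration Manager displays) and open it plus
# UDP 1434 (SQL Browser) to the local subnet only.
$InstanceName = 'APPINSTANCE'   # assumption: a named instance; the default instance is MSSQLSERVER

function Get-SqlInstanceTcpPort {
    param([string]$Name)
    $base = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
    # "Instance Names\SQL" maps the instance name to its registry folder, e.g. MSSQL12.APPINSTANCE
    $id = (Get-ItemProperty "$base\Instance Names\SQL").$Name
    if (-not $id) { throw "Instance '$Name' not found in the registry" }
    $tcp = Get-ItemProperty "$base\$id\MSSQLServer\SuperSocketNetLib\Tcp\IPAll"
    # TcpPort is filled in when the port is static; TcpDynamicPorts when it was
    # picked at startup and may change after a restart.
    if ($tcp.TcpPort) { [pscustomobject]@{ Port = [int]$tcp.TcpPort;         Static = $true } }
    else              { [pscustomobject]@{ Port = [int]$tcp.TcpDynamicPorts; Static = $false } }
}

$p = Get-SqlInstanceTcpPort -Name $InstanceName
if (-not $p.Static) {
    Write-Warning "Port $($p.Port) is dynamic; set a static TcpPort in Configuration Manager so this rule stays valid."
}

New-NetFirewallRule -DisplayName "SQL Server $InstanceName (TCP $($p.Port))" -Direction Inbound -Protocol TCP `
    -LocalPort $p.Port -RemoteAddress LocalSubnet -Action Allow -Profile Domain
New-NetFirewallRule -DisplayName 'SQL Browser (UDP 1434)' -Direction Inbound -Protocol UDP `
    -LocalPort 1434 -RemoteAddress LocalSubnet -Action Allow -Profile Domain
```

If the clients are all on one known subnet, replace LocalSubnet with that subnet in CIDR form; the narrower the RemoteAddress, the fewer machines can even attempt a login against the instance.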

I will post more as I come across.



Windows Update Location

Here is the location for Windows update:


Looking to see if a package is installed?

  • -start > run
  • -type: cmd
  • -click OK
  • -type: dism /online /get-packages | findstr 3035583

ATA, AHCI, RAID Selection

You have the following options in the DELL BIOS:


What do you choose?

Choose AHCI.

Afterwards, make sure you have the following installed in the correct order:


While many sites claim that you must make your selection in the BIOS before the WINDOWS-OS install, we don't accept that around here. Of course it can be changed. But you'll need to make sure that WINDOWS has the correct drivers enabled to start up.

    For AHCI:


    For RAID:


As a last resort, if that doesn't work, the incorrect drivers might be installed. Here's how to install the correct drivers.

This also applies when the motherboard is changed by DELL PRO SUPPORT and new drivers might need to be installed.

  • -find your motherboard model number.
  • -download the CHIPSET DRIVERS.
  • -extract them to the C drive (for example: c:\drivers\chipset)
  • -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
  • -click REPAIR YOUR COMPUTER (bottom-left).
  • -click COMMAND PROMPT.
  • -find what letter your WINDOWS-DIRECTORY is.
  • -type: dism /image:e:\ /add-driver /Driver:e:\install\chipset\ /recurse
  • -hit ENTER
  • -type EXIT
  • -reboot

It may take awhile to reboot but it will install the correct drivers and start up fine.
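Before rebooting into a different controller mode, it helps to know which storage drivers Windows will actually load at boot. The check below is an added example, not from the original post; it reads the Start value of the common storage miniport services from the registry. Start=0 (Boot) is what lets Windows start from that controller; 3 (Manual) or 4 (Disabled) on the driver the new BIOS mode needs is the classic cause of a boot failure after the switch. The Intel driver service names are assumptions for Dell/Intel systems; the script simply skips any that are not present.

```powershell
# Added example (not from the original post): report which storage miniport
# drivers are set to load at boot before switching ATA/AHCI/RAID in the BIOS.
# Service names other than storahci/stornvme are assumptions for Intel RST builds.
$StorageDrivers = @{
    'storahci'  = 'Microsoft AHCI'
    'stornvme'  = 'Microsoft NVMe'
    'iaStorA'   = 'Intel RST (AHCI/RAID)'
    'iaStorV'   = 'Intel RST (legacy RAID)'
    'iaStorAVC' = 'Intel RST (newer RAID/VMD)'
}
$StartNames = @{ 0 = 'Boot'; 1 = 'System'; 2 = 'Automatic'; 3 = 'Manual'; 4 = 'Disabled' }

function Get-BootStorageDriverState {
    foreach ($svc in $StorageDrivers.Keys) {
        $key = "HKLM:\SYSTEM\CurrentControlSet\Services\$svc"
        if (-not (Test-Path $key)) { continue }   # driver not installed on this box
        $start = [int](Get-ItemProperty $key).Start
        [pscustomobject]@{
            Driver      = $svc
            Description = $StorageDrivers[$svc]
            Start       = $start
            StartMode   = $StartNames[$start]
            BootReady   = ($start -eq 0)
        }
    }
}

Get-BootStorageDriverState | Sort-Object Driver | Format-Table -AutoSize
```

Run it on the live system before the change: if the driver for the target mode shows BootReady=False, that is the one to sort out first, and it explains why the dism /add-driver step above is sometimes needed after a motherboard swap.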

Inspecting Hardware Info

Don't know why I've never had to do this before but in the past working with SolidWorks and Dell Precision Machines, I've found the need to inspect hardware detail information. This can be done in the following ways:
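For a CAD workstation the details that matter are CPU, memory, GPU (and its driver version), disks and BIOS, and they are all reachable through CIM classes. The function below is an added example, not from the original post; it collects those into a single object you can paste into a support ticket or compare against the SolidWorks requirements.

```powershell
# Added example (not from the original post): one object with the hardware
# details that matter for a CAD workstation, pulled from standard CIM classes.
function Get-HardwareSummary {
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $cpu  = Get-CimInstance Win32_Processor
    $gpu  = Get-CimInstance Win32_VideoController
    $disk = Get-CimInstance Win32_DiskDrive

    [pscustomobject]@{
        Model      = "$($cs.Manufacturer) $($cs.Model)"
        ServiceTag = $bios.SerialNumber          # Dell reports its service tag here
        BIOS       = $bios.SMBIOSBIOSVersion
        CPU        = ($cpu | ForEach-Object { "$($_.Name.Trim()) ($($_.NumberOfCores) cores)" }) -join '; '
        MemoryGB   = [math]::Round($cs.TotalPhysicalMemory / 1GB, 1)
        # AdapterRAM is a 32-bit value and wraps above 4 GB; treat it as indicative only.
        GPU        = ($gpu | ForEach-Object { "$($_.Name) ($([math]::Round($_.AdapterRAM / 1GB, 1)) GB) driver $($_.DriverVersion)" }) -join '; '
        Disks      = ($disk | ForEach-Object { "$($_.Model) $([math]::Round($_.Size / 1GB)) GB $($_.InterfaceType)" }) -join '; '
    }
}

Get-HardwareSummary | Format-List
```

The same classes are what msinfo32 and systeminfo read, so this gives you the scriptable version of those tools.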

Exchange 2013 Get-Mailbox Only Returns Myself

Exchange 2013 Get-Mailbox Only Returns Myself. Get-Mailbox only shows your own record. You expect to see all the accounts because you are an Administrator. But you only see one mailbox when you type in: Get-Mailbox. It looks like this:

My Name     my.account     server-name     Unlimited

That's it. No other users.

Type in the following to see the ROLEGROUPS:


You will see all the ROLE GROUPS in EXCHANGE 2013. There's only one important group here. ORGANIZATION MANAGEMENT. Even though you might be in an ADMINISTRATOR group in ACTIVE-DIRECTORY, that does not automatically make you an ADMINISTRATOR in EXCHANGE. To be an ADMINISTRATOR in EXCHANGE, you must be in the ORGANIZATION MANAGEMENT group.

Let's look to see who is in the ORGANIZATION MANAGEMENT group.

-Get-RoleGroupMember "organization management"

You will see all the MEMBERS in the ORGANIZATION MANAGEMENT group. Most likely, there is only one and that is the Administrator account. Now let's add an account other than "Administrator" account.

-Add-RoleGroupMember "Organization Management" -Member my.account

Now when you type Get-Mailbox, you will get all the accounts in the domain.
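Membership of ORGANIZATION MANAGEMENT is full administrative control over Exchange, so it is worth checking regularly, not just when an account is added. The function below is an added example, not from the original post; it runs in the Exchange Management Shell, lists the members with Get-RoleGroupMember and compares them with a documented list of approved administrators. The approved-list contents are a placeholder.

```powershell
# Added example (not from the original post): audit who holds Exchange admin
# rights by comparing Organization Management membership with an approved list.
# Run from the Exchange Management Shell (PowerShell 3 or later for -notin).
$ApprovedAdmins = @('Administrator', 'my.account')   # assumption: your documented admin accounts

function Get-ExchangeAdminAudit {
    $members = Get-RoleGroupMember 'Organization Management' | Select-Object -ExpandProperty Name
    [pscustomobject]@{
        Members    = $members
        Unexpected = @($members | Where-Object { $_ -notin $ApprovedAdmins })
        Missing    = @($ApprovedAdmins | Where-Object { $_ -notin $members })
    }
}

$audit = Get-ExchangeAdminAudit
$audit | Format-List

if ($audit.Unexpected.Count -gt 0) {
    Write-Warning "Unapproved Organization Management members: $($audit.Unexpected -join ', ')"
}
if ($audit.Missing.Count -gt 0) {
    Write-Warning "Approved administrators not in the group: $($audit.Missing -join ', ')"
}

# Adding an administrator deliberately, then re-running the audit, is the whole workflow:
# Add-RoleGroupMember 'Organization Management' -Member my.account
```

An Unexpected entry is either an undocumented change or someone who should not have the role; either way it is worth a look before it is worth a Remove-RoleGroupMember.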

GUI-wise you do this through the EAC:

-click PERMISSIONS (on the left)
-click ADMIN-ROLES (at the top)
-find MEMBERS section (at the bottom)
-click the PLUS SYMBOL +
-type in the account
-click OK > SAVE

ACTIVE-DIRECTORY-wise you do this through the AD USERS & GROUPS:

-click MEMBERS tab (at the top)
-add your users here

Install .NET Framework 3.5 on Windows Server 2012

Install .NET Framework 3.5 on Windows Server 2012:

-run POWERSHELL (as admin)
-type: Install-WindowsFeature Net-Framework-Core
-wait 10 minutes.

That should do it! Congrats!

You can check to see if it installed by:

-type: Get-WindowsFeature

And if you install the GnuWin32, you can grep to your heart's content:

-type: Get-WindowsFeature | grep -i framework

Renaming computers in a domain

To rename computers in a domain:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force /reboot:10

Drop off the /reboot if you want the change to happen the next time the computer is rebooted (and not immediately). So it would be:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force

PowerShell v5 has a new way of renaming computers found here: https://technet.microsoft.com/en-us/library/hh849792.aspx

Here is the command for the local computer:

Rename-Computer -ComputerName . -NewName <New name>

But if I wanted to rename a local computer, I would just do it graphically. The point is to rename a remote computer.

Rename-Computer -NewName Server044 -DomainCredential Domain01\Admin01 -Restart

Toshiba Scan to Email Settings

SMTP Client
Enable SMTP Client: Enable
Enable SSL: Accept all certificates without CA
SMTP Server Address: smtp.gmail.com
POP Before SMTP: Disable
Authentication: Plain
Login Name: <your Gmail address>
Login Password: setthistosomething
Maximum Email / Internet Fax Size: 20 MB
Port Number: 587
SMTP Client Connection Timeout: 30 Seconds

NVR Part 2 - Digital Watchdog Blade (DW-BJBLADE)

The Digital Watchdog Blade (DW-BJBLADE) is a much better NVR than the last NVR product I reviewed (see NVR Part 1 - HIKVISION). It is more robust in its ability and power. As always, with more power comes more cost and potential complexity.

The Digital Watchdog (DWD) NVR is a Linux Ubuntu system running on an Atom x64 processor. They don't even try to hide or limit the Ubuntu system. The system boots directly to the Ubuntu desktop.

Since it is a full GUI desktop, they even include TEAMVIEWER for each system to allow for remote access.

What was surprising for me was how well UBUNTU performed on such a low-powered ATOM x64 processor.

The issue I had was that the incorrect QUICK-START-GUIDE was included. I found the correct version (listed below) with a simple google search.

Requirement Packages

The DWD NVR solution is comprised of 3 software packages:
1. Enterprise Controller (managing database)
2. Media Server (recording video)
3. Client (viewing recorded video)

The software packages have to be installed that way as well due to dependencies.

For me, the CLIENT was not installed on the system. (This is what led to the hours I devoted to breaking/researching/fixing/RMA'ing the system).


Most likely, you will need the x64 packages.

All the packages should be here:

AFAICT, there are no separate packages for different NVR's. The same SPECTRUM software is used across all products. The only difference is the version number (v1, v2, v3, etc) and the install base (Windows, Linux, Mac, etc) as well as the architecture (x86 or x64).

(click DOWNLOAD [at the bottom])

They list the incorrect versions. They listed the Beta versions of 2.3. The CONTROLLER was mis-matched at version 2.1 (a downgrade in version from what was installed). The last thing I want is to install Beta versions at a client install or have an untested version mis-match. And repairing a v2.2 with a v2.1 is impossible.

Install Packages

On an Ubuntu system:

-the package manager is: dpkg
(this is like rpm in redhat/rhel/centos. Stands for Debian Package)

-the gui package manager is Ubuntu Software Manager.

-the update manager is apt-get (manages dependencies.)
(this is like yum in redhat/rhel/centos)

DWD recommends to:

-download the packages.
-right-click and open-with UBUNTU-SOFTWARE-CENTER
-click INSTALL/UPGRADE/RE-INSTALL (at the top right).

Forgot Password

If for some reason, you forgot the password, you can re-install the CONTROLLER software by using the steps above. Reinstalling the CONTROLLER package will go through a setup and allow you to reset the password. If you have an existing system and need to keep the database, please choose to KEEP THE DATABASE. Obviously, if you choose to delete the existing database, you will not be able to get it back without a backup.

That's it!!! Happy NVR'ing!!!


QUICK-START-GUIDE: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/Blackjack_Spectrum_QSG.pdf

MANUAL: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/DWSpectrum_User_Manual.pdf

REPO: http://publiclibrary.dwcc.tv/

Sonos Surround Speakers

What's great about Sonos is that the speakers can be paired and grouped in different ways all through the Sonos app either on the ipad/iphone/droid or through the app on the Win/Mac platform.

Playbar, Sub and Surround. Oh my!

The Sonos Playbar/Soundbar is rather straightforward. Adding the Sonos Sub is straightforward as well.

Adding the surround can be not-so-straightforward:

  • -setup Playbar/Soundbar via Sonos app.
  • -setup the Surround Amp via Sonos app.
  • -afterwards, click help > about-my-sonos-system
  • -find the IP of the Playbar/Soundbar (not Amp).
  • -open a browser (Internet-Explorer, Firefox, Chrome)
  • -type: http://the-ip-of-the-soundbar:1400/wiredsat.htm
    (for example:

It is straightforward from this point.

Taskbar Location

TASKBAR Location:
%appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar


NVR Part 1 - Hikvision DS-7608NI-SE/8P

PTZ = pan, tilt, zoom

NVR = network video recorder.

LPR = license plate recognition.


Cameras are just dumb devices. They simply display the video. You can connect directly to the camera by typing in the IP address of the camera. The cameras have different settings & functions depending on the camera manufacturer. Most of the time though, you can at least view what's on the camera. What's interesting is that all the capabilities of the camera are not always available via the web interface. More on that later.

Take note however, that what's being displayed on the camera is in no way related to what's being recorded. These are actually two different resolutions depending on settings.

For a HIKVISION NVR () to record what's on the camera, it must connect to the camera. To be able to connect to the camera, it needs:

  • -the camera IP address.
  • -a protocol.
  • -a port number.
  • -a channel number.
  • -a username.
  • -a password.

The important part here is that as long as the NVR can communicate with the camera, it should be able to record the video.

This leads to two scenarios.

1- in the first scenario, if the NVR can communicate to the camera, everything is good as long as it has the settings above.

2- in the second scenario, some NVR's have their own IP address range and use this range on the switch built into the device. This IP range is 192.168.xxx.(1-254). So if you look at the back of the device, you will see 4 ports or 8 ports or possibly more. When a camera with DHCP is plugged into one of these ports the NVR will assign its own IP address to the camera. For example,

If a camera has a static IP set, the NVR will NOT assign an IP address. Consequently, you must:

  • -connect the camera to the local network (not the back of the NVR).
  • -change the IP address to that of the internal NVR network (for example
  • -this will cause the camera to no longer be accessible.
  • -manually plug the camera into the back of the NVR.


Regardless of how you connect, the protocol must match. There are different protocols for each manufacturer (Axis, etc) and an ONVIF protocol as a generic protocol using port 80.
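The "can the NVR communicate with the camera" test comes down to whether the camera's IP answers on the ports the chosen protocol uses: 80 for the web interface and ONVIF, 554 for RTSP. The script below is an added example, not from the original post; it checks a list of cameras from the NVR (or any Windows box on the same segment) and reports one row per camera. The camera list is constructed sample data on the NVR's internal range, and Test-NetConnection needs Windows 8 / Server 2012 or later.

```powershell
# Added example (not from the original post): confirm each camera is reachable
# on the ports the recording protocols use. The camera list is constructed data.
$Cameras = @(
    @{ Name = 'front-door'; IP = '192.168.254.2' }
    @{ Name = 'lot-ptz';    IP = '192.168.254.3' }
)
$Ports = [ordered]@{ 80 = 'HTTP/ONVIF'; 554 = 'RTSP' }

function Test-CameraReachability {
    foreach ($cam in $Cameras) {
        $row = [ordered]@{ Camera = $cam.Name; IP = $cam.IP }
        # ICMP first (a cheap "is it on this network at all" check), then each service port.
        $row['Ping'] = Test-Connection -ComputerName $cam.IP -Count 1 -Quiet
        foreach ($port in $Ports.Keys) {
            $row[$Ports[$port]] = Test-NetConnection -ComputerName $cam.IP -Port $port `
                                      -InformationLevel Quiet -WarningAction SilentlyContinue
        }
        [pscustomobject]$row
    }
}

Test-CameraReachability | Format-Table -AutoSize
```

A camera that pings but refuses 554 usually has RTSP disabled in its own settings (the Axis notes further down say the same thing: without RTSP there is no MPEG-4 stream); one that does not ping at all is on the wrong IP range, which is the static-IP case described above.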

Stream Types

The cameras have multiple streams and in different formats.

The recording is taken from the MAINSTREAM (stream-1 or channel-1). Typically this stream has a higher resolution and bit rate than the sub-stream.

The live view is taken from the SUBSTREAM or SECONDARY STREAM (stream-2 or channel-2). This is because stream-1 may be too heavy to view over the WAN/Internet. Typically the sub-stream is a lower resolution.

MJPEG: This format uses standard JPEG still images in the video stream. These images are then displayed and updated at a rate sufficient to create a stream that shows constantly updated motion.

MPEG-4: This is a video compression standard that makes good use of bandwidth, and which can provide high-quality video streams at less than 1 Mbit/s. MPEG-4 can be encoded in 2 ways, either SIMPLE (sets the coding type to H.263) or ADVANCED. Usually SIMPLE is fine.

Communication Methods

To deliver live streaming video over IP networks, various combinations of transport protocols and broadcast methods are employed.

• RTP (Real-Time Transport Protocol) is a protocol that allows programs to manage the real-time transmission of video data. It uses UDP.

• RTSP (Real-Time Streaming Protocol) allows a connecting client to start an MPEG-4 stream. It serves as a control protocol, to negotiate which transport protocol to use for the stream. RTSP is thus used by a viewing client to start a unicast session, see below. It uses TCP. The default setting is port 554. If it is not enabled, MPEG-4 streams will not be available.

• UDP (User Datagram Protocol) is a communications protocol that offers limited service for exchanging data in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP). The advantage of UDP is that it is not required to deliver all data and may drop network packets when there is network congestion, for example. This is suitable for live video, as there is no point in re-transmitting old information that will not be displayed anyway.

• Unicasting is communication between a single sender and a single receiver over a network. This means that the video stream goes independently to each user, and each user gets their own stream. A benefit of unicasting is that if one stream fails, it only affects one user.

Unicasting should be used for video-on-demand broadcasting, so that there is no video traffic on the network until a client connects and requests the stream. However, if more and more unicast clients connect, the server will at some point become overloaded. There is also the maximum of 20 simultaneous viewers to be considered.

• Multicast is a bandwidth-conserving technology that reduces bandwidth usage by simultaneously delivering a single stream of information to multiple network recipients. This technology is used primarily on delimited networks (intranets), as each user needs an uninterrupted data flow and should not rely on network routers.

It is not possible to multicast through a router. Consequently, it is not possible to multicast over the Internet. It is possible to get around that by using RTP tunneled over RTSP. Crazy isn't it.

Accessing Video Real-Time

As single JPEG images in a browser. Enter the path, for example: http:///axis-cgi/jpg/image.cgi?resolution=CIF

  • Windows Media Player. This requires codecs to be installed. The paths that can be used are listed below, in the order of preference.
  • Unicast via RTP: axrtpu:///mpeg4/media.amp
  • Unicast via RTSP: axrtsp:///mpeg4/media.amp
  • Unicast via RTSP, tunneled via HTTP: axrtsphttp:///mpeg4/media.amp
  • Unicast via RTSP, tunneled via HTTPS: axrtsphttps:///mpeg4/media.amp
  • Multicast: axrtpm:///mpeg4/media.amp


  • D1 = 704x480
  • HD = 1920x1080p

CCTV Camera Systems & NVR's

So far, I have dealt with some of the following for Camera solutions:

  • -Hikvision
  • -Geovision
  • -Digital Watchdog

So far, I have dealt with some of the following NVR/VR solutions:

  • -Hikvision
  • -Digital Watchdog

VOIP Solutions

So far, I have dealt with some of the following for VOIP solutions:

  • -Fonality
  • -IPitomy
  • -Zultys
  • -Sark
  • -Mitel

The only SIP service I've dealt with is:

  • -Level3 Sip Trunk

Windows 10 Upgrade on Domain

NOTE: This article post is out of date. Microsoft started pushing WINDOWS 10 to computers on domains in Q2 2016.

By default, computers on a domain will not receive the upgrade-notification to Windows 10.

You have two options:

1-If you are going to do this a bunch of times, download the WINDOWS 10 DOWNLOAD TOOL here:

It will save a bunch of bandwidth in a corporate environment since each computer will download a few GB of data.

2-add a regedit here:

  • -click here for the regedit: windows10.reg
  • -click on the regedit.
  • -click YES (when it asks if you want to merge).
  • -restart computer.
  • -click UPDATE TO WINDOWS 10

I prefer the second method since bandwidth is "free" and only costs time. On the good side, it happens automatically ;-)

Wifi Access Points

So far, I have dealt with most typical wireless solutions for smaller projects:

  • -Linksys
  • -Netgear
  • -Dlink
  • -Asus
  • -DDWRT

I have also dealt with some enterprise solutions:

  • -Cisco
  • -Meru
  • -Watchguard

Now I'm getting into middle-ground projects:

  • -Luxul
  • -Ruckus
  • -EnGenius
  • -Ubiquiti

These solutions focus on the look of the WAP as well as the function of the WAP.

Google Sheet Import Another Google Sheet

Google Sheet Import Another Google Sheet. Or move Google Sheet to another Google Sheet.

You'd think this would be simple to find but it isn't. Unfortunately, it's probably the semantics.

  • -open the GOOGLE SHEET you want to move.
  • -you will see the tabs below.
  • -click the down-arrow in the tab you want to move.
  • -click COPY TO.
  • -select the GOOGLE SHEET you want to move to.
  • -voila!

The sheet will take a new name: "copy of sheet-name-you-just-moved."

remote desktop connection cannot verify the identity of the computer that you want to connect to

You are on a Mac. You want to use REMOTE DESKTOP CONNECTION (rdp). When you try and use it to connect to a WINDOWS SERVER, you get,"remote desktop connection cannot verify the identity of the computer that you want to connect to."


-upgrade to a newer version of REMOTE DESKTOP CONNECTION via the APP STORE on the MAC.

This will work if you are on v10.7 and higher. This will not work on 10.6.8 and lower. I suppose in 08/2015 that a more up-to-date OSX version is mostly everywhere but I still prefer stability. And that means 10.6.8. Looks like it's time to upgrade the OSX.

-get CORD.

Download. Install. Voila!

Office365 Password is Incorrect

Office 2011 is installed on your Mac. You click on WORD, EXCEL or other Microsoft Mac Product. It asks you to login. You type in your email address and password to your Microsoft account. It returns, "Sign in failed because the password is incorrect or the sign-in name does not exist."

Here's how to fix:

  1. -sign in to your Microsoft account @ https://account.live.com/ (This is different than https://office.microsoft.com)
  2. -click SECURITY & PRIVACY (top right).
  3. -find ACCOUNT SECURITY section (top left-most section).
  4. -scroll down to find APP PASSWORDS section.
  5. -at this point it will either show you an APP PASSWORD or you will have to create a new APP PASSWORD.
  6. -use that APP PASSWORD to login on WORD, EXCEL or other Microsoft Mac Product


Here's a nice one that's been hitting some of my web sites:

Apparently, it's a tool to scrape the content off of someone's web site. In this case, mine.

The web and technology can be an awesome and exciting place. It can also be a place for thieves and lowlifes. I still don't understand why people wouldn't want to spend their time in creation rather than thievery.

You might be able to steal my content but you can't steal my ability to think rationally and solve problems. And that, ultimately, is the only real item of value.

Exchange 2013 Get Parameters of Cmdlets (Get Command Variables)

So you know a CMDLET KEY like NEW-TRANSPORT or GET-TRANSPORT, but how do you find out the VARIABLES? What is possible to type in after the KEY?

Even though I refer to these as KEYS/VARIABLES/VALUES, in the MS-POWERSHELL world (or MS-POWERSHELL-ISE world), these are referred to as the CMDLET/ParameterName/ParameterValue.


Use the following as a guide:

TYPE: (Get-Command New-TransportRule).Parameters

TYPE: (Get-Command Get-TransportRule).Parameters

(What's interesting here is that they refer to the list as the KEY => VALUE.)

Exchange 2013 Block Sender (Block From)

Here's one for you. How do you block a sender that keeps changing the email address they use? For example, I want to block "Tom Night". I don't care what email address "Tom Night" uses, I want his emails gone. Poof.

  • -open ecp
  • -mail-flow > rules
  • -click CREATE NEW RULE
  • -click MORE OPTIONS (at the bottom)
  • -click ENTER TEXT (for header)
  • -type FROM
  • -click OK
  • -click ENTER WORDS
  • -type "Tom Night"
  • -click the + (plus symbol)
  • -click OK
  • -click SAVE

That should do it. What's happening here is that we are blocking the NAME in the HEADER rather than using the FROM-parameter as the FROM-parameter uses email-addresses (externally) and mailboxes (internally).

Something like:

New-TransportRule -Name "Block Tom Night" -HeaderContainsMessageHeader "From" -HeaderContainsWords "FirstName LastName" -DeleteMessage $true

If you want to see all the TRANSPORTRULE options, type:


Remote Support

My take on remote support software.

TeamViewer Host

$750 1-time fee. But it is only good for that version. And versions don't intermingle. If you upgrade your server, you must upgrade all your clients. :-(

Remote Utilities

$500 1-time fee. Windows only. No mac support. :-(

LogMeIn Rescue

$1299 per year :-( But it's a final solution with reboot into safe mode plus other goodies. ;-) Many large support companies use.


I can't figure out the pricing. I think it's around $30 per remote pc. It only works on windows. No Mac support. :-(


No longer available.

Aero Admin

$280 1-time fee. Not seamless. No service. Must config via Windows task scheduler. Yuck. :-(


$240 per year. I've had trouble with UAC, no mouse moving, etc. :-(


$50 per client :-(


$850 per year. But it's enterprise ready.


$7000 1-time fee. Enterprise ready.


$350 1-time fee. :-) Many features.


$950 1-time fee. :-) Seems to be just for LAN/AD/MPLS/VPN. WAN capabilities limited.


$350 1-time fee. :-) SolarWinds portfolio. :-) WAN capabilities limited.

CentraStage / Autotask

$24 per node annually. I'm not sure but many are upset at Autotask. I'll choose to stay away.


$12 per computer annually & $150 per server annually.


$15 per computer annually & $175 per server annually or little higher than GFI Max is all I found. But they have an interesting white label tech support with 24 hour availability.


Can't find much but I know it's similar to those above. Price per node per month.

Windows Profile Always Loads Default Profile (Or Temporary Profile)

Windows Profile Always Loads Default Profile (Or Temporary Profile).

How to fix:

  • -login to another account with ADMINISTRATIVE PRIVILEGES.
  • -click START > RUN > REGEDIT
  • -browse to: HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList\
  • -find the profile that isn't working.
  • -you might find a duplicate profile in this area. The new one is being loaded with nothing in it. The old one may have .bak at the end.
  • -add .old to the end of the incorrect profile.
  • -remove .bak from the end of the correct profile.
  • -go to the profile not working (only if needed).
  • -change RefCount from 1 to 0 (only if needed).
  • -change the State value from 33024 to 0 (only if needed).
  • -restart and login to the user account.

That's it!!! You're hired!

NiNite et al

A list of tools that I want to use and some I never knew of:

  • -vi
  • -putty
  • -solarwinds stuff
  • -ninite
  • -powershell/cmd
  • -hirens
  • -ubcd
  • -knoppix
  • -MRAT
  • -mremoteng
  • -nagios/prtg/zabbix
  • -devolutions-remotedesktopmanager
  • -leatherman
  • -wire-tester/toner-probe
  • -lansweeper


  • veeam
  • sonicwall/watchguard
  • virus/spyware/malware
  • printer setup/service
  • server management
  • desktop management
  • shadowprotect
  • esxi free, hyperv, xenserver
  • wireless setup
  • lan/wan design & implementation
  • remote support
  • break/fix
  • contract support/managed-service-provider

727-777-5827 is a Scam

727-777-5827 is a scam. Here's the short version:

  • -got a phone call from 727-777-5827.
  • -automatic message.
  • -press 1 to speak to local representative.
  • -"Hi, who is this?" I asked.
  • -"Gene."
  • -"Who are you with?"
  • -"SEO INC."
  • -"Where are you located?" I asked.
  • -"Southern California."
  • -"That's not very local." I stated.
  • -They hung up.


I have experience with many firewalls.

  • -SonicWall
  • -WatchGuard (FireBox).
  • -DDWRT/BusyBox.
  • -Untangle.
  • -anything Linux/Unix with IPTABLES.

What's funny is that one time a CFO started asking me questions about the firewall because they had allowed a KEY-LOGGER onto one of their accounting systems and, because of their poor choice in banks, it logged the USERNAME and PASSWORD to the web site that allows them to do WIRE TRANSFERS.

During the course of asking questions, she said, "You don't seem to know a lot about this?"


Still, at some level, a point can be derived: not all firewalls are the same. The general idea is that you want to block/allow access to certain items at a network level rather than at a desktop level. You are trying to block incoming items at that network level.

To the network administrator, this can be seen as blocking/allowing the ports needed and directing them where they need to go.

To a client, this is blocking everything bad in the universe from getting on the local machine. So if the person in accounting is playing games, clicks on a link in a spam email and downloads something harmful, this is a result of the firewall not being strong enough and not a result of the person in accounting.

Nor is it the fact that they were trying to save money by going with a less than average bank who ALLOWS WIRE TRANSFERS BY A SIMPLE USERNAME AND PASSWORD!!! ARE YOU OUT OF YOUR MIND!!!

Still, firewalls can be used to keep people from harming themselves by blocking some types of files. From this point, you'll have to manage the fine balance of allowing items through to make work flow and blocking evil stuff at the same time.

Polycom Phone Set Password

Here is the Polycom Phone Set Password:

USER: Polycom
PASS: 9418941962

You can apply this to the other Polycom articles in this blog.

Again, what's interesting is that some of the settings have to be set via the phone set itself and some of the settings have to be set via the server.

In this particular case, I wanted to display the EXTENSION instead of the NAME. This is set via the phone config rather than via the server config.

View User's MailBox in Exchange 2013

Let's say you want to view a user's mailbox in Exchange 2013. Here's the trick:

This will get you into their mailbox. If you don't have permission, it will say, "You don't have permission to open this mailbox."

To fix this, you'll have to go into the powershell and type:

  • Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

You can view but you can't send mail as them. You have to go one step further:

  • Add-ADPermission foo.user -user foo.user2 -ExtendedRights Send-As

DDPE Recovery

So let's say you have DDPE encrypting the full drive. The drive won't boot. Now you can access your computer, but the files you can access are encrypted, so you can't read them. What do you do?

Well if you have the encryption keys, you'll be able to retrieve the documents with a set of tools from Dell called the DDPE Administrative Utilities.

  • -build a WINDOWS PE disk from a working computer (how to do this is outside the scope of this document).
  • -copy over the DELL WINDOWS RECOVERY KIT (really what we need are the unzipped OFFLINE TOOLS, more specifically the cmgau.exe. See below.)
  • -copy over the encryption keys (It'll say something like LSARecovery_machine-name-here.exe).
  • -boot from the USB
  • -exit out of OPAL SED
  • -at the command prompt go to e:\dell-offline-admin-32bit-version-number-here\
  • -type: cmgau.exe -o
  • -type in the directories you want decrypted.
  • -point to the LSARecovery_machine-name-here.exe
  • -type in the PASSWORD for the LSARecovery_machine-name-here.exe

The process will decrypt the DDPE directories that you specified. You will have to wait for it to decrypt and then transfer those documents over to a working drive.

The following help:

OpenVPN and Mac Client

I'm in a situation where I need to use OPENVPN on a Mac. This requires an OPENVPN MAC CLIENT.

So my natural question progression is this...

Q: Can I use the built-in VPN client on the MAC?
A: Because OPENVPN uses a different mechanism than what's built into MAC OS X, a software package is required. This mechanism is called a kernel extension or kext. The kext that is needed is either TUN or TAP. Since you need a kext, you need to install a software package.

Q: What software package is needed then?
A: There are a few options:

  1. original OpenVPN Connect app.
  2. Tunnelblick.
  3. Viscosity.

Q: What is recommended?
A: It seems everyone tends to use Tunnelblick.

Personal Email Certificates for Outlook - Digital Signature

A PERSONAL EMAIL CERTIFICATE is a certificate that verifies that the email is from the original author and that the email message isn't altered. This is like a seal on a real message. That seal might be a wax spot with a unique marking. The seal doesn't prevent someone from reading the message (this is the job of encryption). All someone has to do is open the message. What the seal does is ensure that the message is verified as coming from the author and that the message hasn't been altered.

There are several places to get PERSONAL EMAIL CERTIFICATES. MOZILLA helped in identifying some of those places here:

After about a minute of searching, I figured the best route to go was with COMODO as it's free. I can afford free.
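To make the seal analogy concrete, here is an added Python example (mine, not from this post, Mozilla or Comodo) of what a signature does and does not do: the message travels in the clear, the seal beside it verifies author and integrity, and any change to either breaks verification. It uses a toy RSA key built from two small hard-coded primes so it runs anywhere; a real personal certificate carries a 2048-bit key issued by the CA, and S/MIME wraps the signature in a CMS structure rather than passing bare integers.

```python
import hashlib

# Toy RSA key: tiny, hard-coded primes so the example runs anywhere. Constructed
# for illustration only; a real certificate carries a 2048-bit key issued by the CA.
P, Q = 1000003, 1000033
N = P * Q
E = 65537                            # public exponent, shipped in the certificate
D = pow(E, -1, (P - 1) * (Q - 1))    # private exponent, stays with the author (Python 3.8+)


def _digest(message: bytes) -> int:
    # Sign a hash of the message, not the message itself; reduced mod N only
    # because the toy key is far smaller than a SHA-256 digest.
    return int.from_bytes(hashlib.sha256(message).digest(), "big") % N


def sign(message: bytes) -> int:
    """The seal: only the holder of D can produce it."""
    return pow(_digest(message), D, N)


def verify(message: bytes, signature: int) -> bool:
    """Anyone holding the public (E, N) from the certificate can check the seal."""
    return pow(signature, E, N) == _digest(message)


def seal_demo():
    """Returns (original verifies, altered message fails, altered seal fails)."""
    message = b"Meeting moved to 3pm, Alice"
    seal = sign(message)
    # The message is still readable by everyone; the seal is simply sent beside it.
    return (
        verify(message, seal),
        verify(b"Meeting moved to 4pm, Alice", seal),
        verify(message, (seal + 1) % N),
    )
```

Outlook does the same three things when it shows the lock: it hashes the body it received, checks the signature against the public key in the sender's certificate, and checks that the certificate chains to a trusted issuer.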

Get a Personal Email Certificate

Export the Personal Email Certificate

The issue here is that we need it installed on the OS SYSTEM (not in the BROWSER).

  • -click FIREFOX > PREFERENCES > ADVANCED (on the left-hand side) > CERTIFICATES (at the top).
  • -click VIEW CERTIFICATES (at the bottom).
  • -click YOUR CERTIFICATES (at the top).
  • -click BACKUP (at the bottom).
  • -save the certificate to your DESKTOP.
  • -type in a password so it can't be used elsewhere.
  • -it should save it as something like "foo.p12"

Great! You have the certificate on your system. Now we have to install it.

Install the Personal Email Certificate on MAC OS X (not needed on Windows 10)

Let's install the Personal Email Certificate.
(FYI - this is for a MAC OS X system.)

  • -click FILE > IMPORT ITEMS (at the top menu).
  • -select the file "foo.p12"
  • -select LOGIN (next to "Destination Keychain").
  • -click OPEN.
  • -type in the password for the certificate.
  • -type in the password for the keychain (if required).

That's it! It should save the certificate in the correct spot.

Get OUTLOOK to Use the Personal Email Certificate

Now we have to get OUTLOOK to use the Personal Email Certificate.

This is for a MAC OS X system / OUTLOOK 2011:

  • -click TOOLS (at the top) > ACCOUNTS > ADVANCED (at the bottom).
  • -click SECURITY (at the top).
  • -find the top section called DIGITAL SIGNING.
  • -select your certificate.
  • -click OK (at the bottom).

This is for WINDOWS 10 / OUTLOOK 2016:

  •  -open OUTLOOK 2016
  • -click FILE > OPTIONS
  • -click TRUST-CENTER (on the left-hand side).
  • -click TRUST-CENTER-SETTINGS (bottom-right).
  • -click EMAIL-SECURITY (left-hand side).
  • -find DIGITAL-ID'S (CERTIFICATES) section
  • -click IMPORT/EXPORT
  • -find the .p12 file.
  • -type in the password that you created for the file.
  • -click OK.
  • -click OK > OK.

That should do it! Your certificate is installed and people will get a little cool lock that indicates that email messages from you are really yours. This gives confidence to your readers that you are who you say you are and that you really are smart and conscientious about security! Good job!

Exchange 2013: Blank Page After Login | An error occurred while using SSL configuration for endpoint

As title says, blank page after login to the EAC. Or the OUTLOOK clients can't connect. Or the IPHONE clients can't connect. Or the Exchange Management Shell Fails to connect.

Looking in the WINDOWS-LOGS > SYSTEM, I see, "An error occurred while using SSL configuration for endpoint"

This happens because EXCHANGE screwed up its binding to the SSL CERTIFICATE.

First, make sure you know what SSL CERTIFICATE the EXCHANGE should be using. You can see a list of SSL CERTIFICATES in IIS:

  • -open IIS MANAGER.

You want to make sure that it is issued by a TRUSTED SOURCE (like GoDaddy, GlobalSign, Comodo, Symantec). Also, make sure that all the appropriate alternative names are in the certificate (like autodiscover., computer-name., www., mail., webmail.).

Once you know which certificate you want to use:

  • -open IIS MANAGER.
  • -browse to the "Exchange Back End" website.
  • -click Bindings (on the right-hand side).
  • -mark the "https" binding (normally on port 444) and click Edit...
  • -change to the correct certificate.
  • -click OK > CLOSE.
  • -click server name (on the left-hand side).
  • -restart IIS.

That should do it. Sometimes the binding to the SSL CERTIFICATE gets screwed up. There are other threads out there talking about "netsh http show sslcert" and to "netsh http add sslcert ipport" but this doesn't change it to the correct SSL CERT. Changing it to another SSL CERT is simply guessing which is an overall bad idea. We need to understand the problem.

Block Messages to Exchange Group Except From Certain Domains

Let's say you have a group called "Everyone". But you only want internal people to be able to email the group and possibly another company.

There are some other parameters in there too but that should do it.

If you want to do it visually:

  • -open the EAC.
  • -click MAIL-FLOW (on the left-hand side).
  • -click NEW.
  • -type: A-NAME-FOR-THE-RULE
  • -search for GROUP-NAME.
  • -click ADD > OK.
  • -type UNKNOWN USER or some other explanation.
  • -click MORE OPTIONS.
  • -click ADD EXCEPTION.
  • -type: domain1.com
  • -click +
  • -and so on.
  • -click OK > SAVE (at the bottom).

Block IP Address on Sonicwall

Let's say you have an IP ADDRESS on the WAN trying to perform a DDOS or a SYN-FLOOD attack to your location. Even though you have the DDOS attack proxied via FIREWALL-SETTINGS > FLOOD-PROTECTION as "Proxy WAN client connection when attack is suspected", you still want to send a message that these types of activities will not be tolerated.

Or you find out that the WAN IP ADDRESS is most definitely malicious as in the following IP from OFFSHORE RACKS:

This IP ADDRESS happens to be a Russian forum for DARKMONEY.CC. I can't even read the web site. It's irrelevant at this point. I know it's malicious.

To block the WAN IP ADDRESS:

  • -set the "Zone" as WAN.
  • -Navigate to the Firewall > Access Rules page.
  • -Select the WAN to LAN button to enter the Access Rules (WAN > LAN) page.
  • -Click Add to open the Add Rule window.
  • -Select DENY as the Action.
  • -Select ANY as the Service
  • -Select Source as the address object or group created earlier.
  • -Select ANY as the Destination
  • -Click Add and Close.

The above is adapted from here:

The REAL-TIME-DEMO can be accessed here:

Collect Computer Names from Windows Server 2013

Here's an interesting one to collect all computer names in the active directory. Run from CMD:

CSVDE -f adexport.csv -r objectClass=computer -l "DN,cn,objectClass,lastLogon,lastLogonTimestamp,pwdLastSet,userAccountControl,operatingSystem,operatingSystemVersion,whenCreated,description"
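The file that command writes is only useful once the columns are decoded, so here is an added Python example (mine, not from the post) that reads a few constructed rows in that exact column order, converts the FILETIME columns (lastLogonTimestamp, pwdLastSet) to dates, reads the userAccountControl bits, and lists enabled computers that have not logged on in 90 days. The names and rows are made up; a real run would read open("adexport.csv") instead of build_sample_csv().

```python
import csv
import io
from datetime import datetime, timedelta, timezone

# userAccountControl bits (values from the AD schema) that matter for computer objects.
ACCOUNTDISABLE = 0x0002
WORKSTATION_TRUST_ACCOUNT = 0x1000   # workstations and member servers
SERVER_TRUST_ACCOUNT = 0x2000        # domain controllers

# lastLogon, lastLogonTimestamp and pwdLastSet are FILETIMEs: 100 ns ticks since 1601-01-01 UTC.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)


def filetime_to_datetime(raw):
    """'0' or empty means never; otherwise convert the tick count to an aware datetime."""
    ticks = int(raw or 0)
    if ticks == 0:
        return None
    return FILETIME_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse of the above; used here only to build the constructed sample rows."""
    delta = dt - FILETIME_EPOCH
    return (delta.days * 86400 + delta.seconds) * 10_000_000 + delta.microseconds * 10


# Fixed "today" so the example is reproducible.
NOW = datetime(2016, 3, 1, tzinfo=timezone.utc)

COLUMNS = ["DN", "cn", "objectClass", "lastLogon", "lastLogonTimestamp", "pwdLastSet",
           "userAccountControl", "operatingSystem", "operatingSystemVersion", "whenCreated", "description"]


def build_sample_csv(now=NOW):
    """Constructed rows in the column order of the CSVDE command above (made-up names, not a real export)."""
    def ft(days_ago):
        return str(datetime_to_filetime(now - timedelta(days=days_ago)))
    classes = "top;person;organizationalPerson;user;computer"
    rows = [
        ("CN=WS01,CN=Computers,DC=example,DC=local", "WS01", classes, "0", ft(3), ft(20),
         str(WORKSTATION_TRUST_ACCOUNT), "Windows 10 Pro", "10.0 (10586)", "20151001120000.0Z", ""),
        ("CN=WS02,CN=Computers,DC=example,DC=local", "WS02", classes, "0", ft(200), ft(200),
         str(WORKSTATION_TRUST_ACCOUNT), "Windows 7 Professional", "6.1 (7601)", "20130115090000.0Z", "old laptop"),
        ("CN=OLDSRV,CN=Computers,DC=example,DC=local", "OLDSRV", classes, "0", ft(400), ft(400),
         str(WORKSTATION_TRUST_ACCOUNT | ACCOUNTDISABLE), "Windows Server 2003", "5.2 (3790)", "20080301090000.0Z", "decommissioned"),
        ("CN=NEWPC,CN=Computers,DC=example,DC=local", "NEWPC", classes, "0", "0", ft(1),
         str(WORKSTATION_TRUST_ACCOUNT), "", "", "20160229100000.0Z", "pre-staged, never joined"),
        ("CN=DC01,OU=Domain Controllers,DC=example,DC=local", "DC01", classes, "0", ft(1), ft(10),
         str(SERVER_TRUST_ACCOUNT), "Windows Server 2012 R2", "6.3 (9600)", "20140601090000.0Z", ""),
    ]
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(COLUMNS)
    writer.writerows(rows)
    return buf.getvalue()


def stale_computers(csv_text, now=NOW, max_age_days=90):
    """Enabled computer accounts with no logon in max_age_days (or never).
    Disabled accounts are skipped. lastLogonTimestamp is replicated but only
    refreshed about every 14 days, so treat the ages as coarse."""
    stale = []
    for rec in csv.DictReader(io.StringIO(csv_text, newline="")):
        uac = int(rec["userAccountControl"] or 0)
        if uac & ACCOUNTDISABLE:
            continue
        last = filetime_to_datetime(rec["lastLogonTimestamp"])
        if last is None or now - last > timedelta(days=max_age_days):
            stale.append(rec["cn"])
    return stale


def domain_controllers(csv_text):
    """Computer objects flagged SERVER_TRUST_ACCOUNT are domain controllers."""
    return [rec["cn"] for rec in csv.DictReader(io.StringIO(csv_text, newline=""))
            if int(rec["userAccountControl"] or 0) & SERVER_TRUST_ACCOUNT]
```

Stale computer accounts are worth chasing because they still carry a valid machine password and will still be trusted by the domain; the operatingSystem column is also the quickest way to spot anything out of support.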

Exchange 2013 Send Connector Load Balancing and Failover

In my recent article USING MANDRILL WITH EXCHANGE 2013, I show how to add Mandrill to Exchange as a SEND CONNECTOR. Further questions become:

1: How do I use it as a load balancer. In other words, how do I set it up so that some of the email goes through the second SEND CONNECTOR?

2: How do I use it as a failover? In other words, how do I set it up so that if the first SEND CONNECTOR doesn't route email, it re-routes through the second SEND CONNECTOR?

Let's address each individually.

Load Balancer

The problem is this, multiple equal cost send-connectors will not balance. Or as I read, "When the cost of the Send Connectors and the proximity to their source servers are the same, Exchange will simply choose the one with the alphanumerically lower connector name, and will not load balance the outgoing email across both connections."

The actual way to load balance is when multiple smart hosts are configured on a single Send Connector the outgoing email will be correctly load balanced.

The problem becomes, if you try this in reality, you must use the same USERNAME & PASSWORD for all SMARTHOSTS, which isn't a possibility. And secondly, you cannot load balance both the local connection and a smarthost.

The workaround solution for crappy software is (reprinted from http://www.c7solutions.com/2012/05/highly-available-geo-redundancy-with-html):

by creating a fake domain in DNS. Let's say smarthost.local and then creating A records in this zone for each SMTP smarthost (i.e. mail.oxford.smarthost.local). Then create an MX record for your first site (oxford.smarthost.local MX 10 mail.oxford.smarthost.local). Repeat for each site, where oxford is the site name of the first site in this example.

Then you create second MX records, lower priority, in any site but use the A record of a smarthost in a different site (oxford.smarthost.local MX 20 mail.cambridge.smarthost.local).

Then add oxford.smarthost.local as the target smarthost in the send connector. Exchange will look up the address in DNS (as MX first, A record second, IP address last), so it will find the MX record and resolve the A records for the highest priority for the domain and then round-robin across these A records.


Failover seems to be answered via the same path. The idea is to create 1 send connector. The first MX record in the fake SMARTHOST in the SEND-CONNECTOR is back to the local system. The second MX record in the fake SMARTHOST is to the remote SMARTHOST.

As per http://technet.microsoft.com/en-us/magazine/jj159083.aspx

First of all, ensure you have DNS A records for your mail gateways in place. Next, come up with a random name for your soon-to-be-created MX record in DNS. In this example, I chose allsmarthosts.forest1.local. Create the required MX records in DNS.

As with plain MX-based routing, Exchange will use the MX record with the higher priority, as long as it’s available. Now the only thing left to do is to reconfigure the Exchange Send Connector to read allsmarthosts.forest1.local as the only smart host.

By doing so, Exchange will use primary.forest1.local for outbound mail, as long as it’s available. Once it goes down or becomes unreachable, Exchange will start using secondary.forest1.local as the smart host. That’s what a little DNS trickery can do for you.
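Here is an added Python model (mine, not Exchange code and not from either article quoted above) of the resolution order both passages rely on: MX first, A second, literal IP last; lowest MX preference first; round-robin across the addresses behind one preference tier; fall through to the next tier only when nothing in the current tier is reachable. The zone data is constructed with documentation addresses, and "reachable" is a set you pass in to stand in for the connection attempt.

```python
import ipaddress

# Constructed private zone in the shape described above: A records for each
# smart host and an MX name that points at them with different preferences.
# Addresses are documentation ranges, not real hosts.
ZONE = {
    "A": {
        "mail.oxford.smarthost.local": ["192.0.2.10", "192.0.2.11"],
        "mail.cambridge.smarthost.local": ["198.51.100.10"],
    },
    "MX": {
        "oxford.smarthost.local": [
            (10, "mail.oxford.smarthost.local"),     # primary tier
            (20, "mail.cambridge.smarthost.local"),  # used only when every 10 is down
        ],
    },
}


def candidate_tiers(name, zone):
    """Address lists in the order the post says Exchange tries them:
    MX (grouped by preference, lowest first), then A, then a literal IP."""
    mx = zone["MX"].get(name)
    if mx:
        tiers = {}
        for pref, host in mx:
            tiers.setdefault(pref, []).extend(zone["A"].get(host, []))
        return [tiers[p] for p in sorted(tiers)]
    if name in zone["A"]:
        return [list(zone["A"][name])]
    try:
        return [[str(ipaddress.ip_address(name))]]
    except ValueError:
        return []


def pick_smarthost(name, zone, reachable, attempt=0):
    """Choose the address to connect to. `reachable` stands in for the connection
    attempt; `attempt` is a counter that rotates round-robin within a tier."""
    for addrs in candidate_tiers(name, zone):
        if not addrs:
            continue
        k = attempt % len(addrs)
        for addr in addrs[k:] + addrs[:k]:
            if addr in reachable:
                return addr
    return None
```

The model also shows the limit the post runs into: the connector carries a single set of credentials, so every address a tier can resolve to must accept the same username and password.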


The idea of this is to use MANDRILL if for some reason mail is not being sent through the local connection (for example, blacklist). I didn't implement the solutions above simply because I don't think it will work with a SMARTHOST that requires a USER/PASS. I'm not willing to try. That's suicide by client.

In the end, software is set to work in a certain way. When it doesn't, trying to find workarounds is nearly impossible and seemingly pointless. The end result is that EXCHANGE 2013 isn't set to work this way. I wanted this to happen automatically. Since it doesn't, I'll just have to manually switch SEND CONNECTORS if the need arises. Maybe it doesn't matter a whole lot in an ever-increasing cloud world.

Collecting Inventory

Collecting inventory is an increasingly difficult task to accomplish, especially with the new licensing process with Microsoft. But MATRIX42 helps: https://www.matrix42.com

Syn Flooding Machine

In my article FIND COMPUTER ON NETWORK THAT IS SENDING OUT SPAM WITH SONICWALL, I indicate that the logs show the following:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: dst:
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted

This indicates that there is a SYN FLOODING MACHINE going at the rate of 1001 items per second. Wow! That's a lot. You can also see above that the DESTINATION is port 25. You can see that by the colon twenty-five (:25).


A SYN FLOODING MACHINE is a zombie machine participating in a DDOS attack. Uh-oh. Yup... Users. The weak point of all security systems.

A SYN FLOOD ATTACK directs packets to a listening TCP port on a victim server; typically a web server (port 80), an FTP server (port 21) or a mail server (port 25).

When a server receives a SYN packet it returns an ACK packet to the client to acknowledge it received the initial packet. More or less:

"Hi" the visitor said.

"How are you?" the host replied.

The problem is that the visitor never acknowledges with a "Just fine."

Until the visitor acknowledges the reply, the host server will keep that connection open until timeout. This is typically 75 seconds. Staring for 75 seconds.

If you've ever run a server before, you should know that the number of connections is finite. In QPSMTPD, this connection limit is set for an overall connection limit (default 40) {config setprop qpsmtpd Instances xx} and a limit per IP ADDRESS (default 5) {config setprop qpsmtpd InstancesPerIP xx}.

Once those connections are all used up, no more connections can be made.

So, in our logs above, our bad client machine on our network was sending about 1000 connections per second to the victim which happens to be owned by XO COMMUNICATIONS and leased by the SAN DIEGO SOURCE EMAIL SERVER secondary connection, mx2.sddt.com (priority 20).

mx1.sddt.com (priority 10) & mx3.sddt.com (priority 30) were not affected.
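To put numbers on the handshake story above, here is an added Python example (mine, not from the post or from SonicWall). It models a listener with the QPSMTPD limits quoted above (40 connections overall, 5 per IP), feeds it SYNs at 1001/sec that are never acknowledged, and reports when the table fills; it also parses alert lines in the shape of the SonicWall log quoted above so the flooding MAC and rate can be pulled out for the switch-port hunt. The log lines, addresses and MAC are constructed.

```python
import re
from dataclasses import dataclass, field

# Hold time for a half-open (SYN seen, no final ACK) connection; the post above
# quotes roughly 75 seconds.
HALF_OPEN_TIMEOUT = 75.0


@dataclass
class Listener:
    """A listening TCP port with a finite half-open table, sized with the
    QPSMTPD defaults quoted above (Instances = 40, InstancesPerIP = 5)."""
    max_conns: int = 40
    per_ip: int = 5
    half_open: dict = field(default_factory=dict)  # (src_ip, src_port) -> expiry time
    rejected: int = 0

    def _expire(self, now):
        for key in [k for k, exp in self.half_open.items() if exp <= now]:
            del self.half_open[key]

    def on_syn(self, src_ip, src_port, now):
        """'Hi' arrives: reserve a slot and reply SYN-ACK, or say why it was dropped."""
        self._expire(now)
        if len(self.half_open) >= self.max_conns:
            self.rejected += 1
            return "DROP:table-full"
        if sum(1 for ip, _ in self.half_open if ip == src_ip) >= self.per_ip:
            self.rejected += 1
            return "DROP:per-ip-limit"
        self.half_open[(src_ip, src_port)] = now + HALF_OPEN_TIMEOUT
        return "SYN-ACK"

    def on_ack(self, src_ip, src_port, now):
        """'Just fine.' arrives: the handshake completes and the slot is freed.
        Returns False if the slot had already timed out (or never existed)."""
        self._expire(now)
        return self.half_open.pop((src_ip, src_port), None) is not None


def simulate_flood(rate_per_sec, seconds, sources):
    """Send SYNs at rate_per_sec for `seconds`, cycling through `sources`, never ACKing.
    Returns (time at which the first SYN was dropped for a full table, total drops)."""
    listener = Listener()
    first_full = None
    for i in range(int(rate_per_sec * seconds)):
        now = i / rate_per_sec
        result = listener.on_syn(sources[i % len(sources)], 1024 + i, now)
        if result == "DROP:table-full" and first_full is None:
            first_full = now
    return first_full, listener.rejected


# Constructed alert lines in the shape of the SonicWall log quoted above
# (private/documentation addresses, made-up MAC).
SAMPLE_ALERTS = [
    "46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 192.168.1.50:51234 dst: 198.51.100.20:25",
    "46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - 00:11:22:aa:bb:cc with SYN rate of 1001/sec blacklisted",
]

FLOOD_RE = re.compile(
    r"SYN-Flooding machine on IF (?P<iface>\S+) - "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}) with SYN rate of (?P<rate>\d+)/sec"
)


def parse_flood_alerts(lines):
    """Pull interface, MAC and SYN rate out of 'SYN-Flooding machine' alerts; the MAC
    is what you look up in the switch's MAC table to find the infected host."""
    found = []
    for line in lines:
        m = FLOOD_RE.search(line)
        if m:
            found.append({"iface": m["iface"], "mac": m["mac"].lower(), "rate": int(m["rate"])})
    return found
```

With the numbers from the post, the 40-slot table is full about 40 ms into the first second and every later SYN is dropped until the 75-second timeouts start freeing slots; a per-IP limit only helps when the flood comes from one real address, which is why the SonicWall MAC-based blacklist on the LAN side is the more useful control here.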

Using Mandrill with Exchange 2013

Using Mandrill with Exchange 2013 to send outgoing mail in case your IP ADDRESS gets blacklisted on SENDERBASE.ORG and your reputation takes awhile to get out of the POOR rating. There are two parts to this; creating a MANDRILL account and setting EXCHANGE to use MANDRILL.


Once you start an account, you will see your details for connection. It will look something like this:

  • Host: smtp.mandrillapp.com
  • Port 587
  • SMTP Username: foo@fee.tld
  • SMTP Password any valid API key

Now all you need is an API KEY.

  • -click NEW API KEY

Be patient as it generates a new API key. It will display after about 20 seconds. Great! You should have your new API-KEY to be used as your SMTP-PASSWORD.

NOTE: It uses an API key rather than the password to your account so that you can change the password to your account without affecting the account's ability to send email.


  • -click MAIL-FLOW (on the right-hand side).
  • -click SEND-CONNECTORS (at the top).
  • -click the plus symbol (+).
  • -type: Mandrill.
  • -bullet "Custom".
  • -click NEXT.
  • -bullet "Route mail through smart host".
  • -click the plus symbol (+).
  • -type: smtp.mandrillapp.com
  • -click SAVE
  • -click NEXT
  • -type: your-user-email-for-your-mandrill-account
  • -type: your-user-password-for-your-mandrill-account
  • -click NEXT
  • -click the plus symbol (+) for ADDRESS SPACE.
  • -leave TYPE as SMTP.
  • -type * (asterisk) for FQDN.
  • -leave COST as 1
  • -[This is preference. Works the same as MX RECORD preferences. The lower the cost, the more preference it has. 1 will be used before 2 and so on. An equal number will round-robin.].
  • -click SAVE
  • -[A "Scoped send connector" will only work internally for domains on the server.]
  • -click NEXT
  • -click the plus symbol (+) for SOURCE SERVER.
  • -if you only have 1 server, click ADD (at the bottom).
  • -click OK > FINISH.

This will automatically add the SEND CONNECTOR to the list and enable it.

Now we have to change the outgoing port for the MANDRILL SEND CONNECTOR.

  • -type: Set-SendConnector -Identity Mandrill -port 587

Great! Now you are ready to go.

You have a few options from here. You can either:

  • -start sending using the MANDRILL SEND CONNECTOR right away by simply enabling the connector (and disabling the existing connector if you have one).


  • -test out the MANDRILL SEND CONNECTOR by pausing the SEND QUEUE in the QUEUE VIEWER and enabling the connector (and disabling the existing connector if you have one).

That's it! You are awesome.

Block All Traffic on Port 25 in SonicWall

To block all traffic on port 25 in a SonicWall, follow this link:


Find How Many Exchange CALs You Need on Server 2012

To get the user-accounts of EXCHANGE that require a STANDARD EXCHANGE CAL on a SERVER 2012:

  • -type: Get-ExchangeServerAccessLicenseUser -LicenseName "Exchange Server 2013 Standard CAL"

If you combine this with the wonderful GNUWIN32 (see below) then you can type the following to get the exact number you need:

  • -type: Get-ExchangeServerAccessLicenseUser -LicenseName "Exchange Server 2013 Standard CAL" | grep CAL -c


Fix Windows Updates | Windows Stuck During Windows Updates

net stop wuauserv
net stop bits
ren c:\windows\softwaredistribution sd.old
net start wuauserv
net start bits


  • -boot from WIN8 cd.
  • -look for a Repair Windows.

Temporary Web Site Links

Sometimes a temporary web site link contains an IP ADDRESS and looks like this:

The issue is that the links in the web site won't work, or the administrator panel (/administrator or /wp-login) won't work, because search-engine-friendly links are on.

This is resolved by using the SERVERNAME or FQDN rather than using the IP ADDRESS. Like this:


RSA Appliance Version 8 Reset Password

The Good About RSA Security Appliance

RSA is really secure.

The Bad About RSA Security Appliance

RSA is really secure, so figuring out what the current password is can be so difficult that many people revert to writing the password down to remember it. This, coincidentally, weakens security.

If you forget the SUPER-USER password in RSA APPLIANCE, then you might be in a tough place.

Here's how to reset the SUPER-USER password in RSA APPLIANCE VERSION 8 (very high level. This is not detailed information. I will not be explaining how to do step-by-step).

  • -ssh into the rsa-box
  • -change directories to: /opt/rsa/am/utils
  • -run the following command: ./rsautil restore-admin -u tempadmin
  • -follow the screen prompts. You will need your OC username & password (not SC username & password).
  • -use the tempadmin account to reset the SUPER-USER account.

NOTE: the tempadmin user access expires after 24 hours.

Exchange 2013 Reset Password for Users

In Exchange 2013, resetting the password for users can be difficult. It might be missing or you may not see the option when you click on a USERNAME.

Luckily, this isn't difficult to overcome. I found the steps here:

  • -click PERMISSIONS (on the left-hand side).
  • -click ADMIN-ROLES (at the top).
  • -double-click ORGANIZATIONAL MANAGEMENT (in the middle).
  • -find the ROLES section.
  • -click the + (plus-symbol).
  • -find RESET PASSWORD (in the list).
  • -click ADD (at the bottom).
  • -click OK > SAVE.
  • -logout of EAC.
  • -login to EAC.

This should enable you to change the passwords within EXCHANGE EAC.


Business One Centos

NOTE: this project was killed. I will not pursue.

If I'm going to work with BUSINESS ONE, I'm dedicated to getting working on HANA on CENTOS. I haven't done this yet as I don't have access to some of the build items but if it's possible, I'm going to get it working. I will post the results here.

The last direction I want to take is have to put this on some type of crappy MS server box.

This is a posting area for my notes:







Perfect Software

There is no perfect software in the world. The big question is, "Will it work for us and do what we want it to do?" That question will only be answered through time.

2 Moments You Know That Software Will Not Work

Usually, you will stick with software until one of two moments occur.

First, the moment when the software doesn't do what you want/need it to do. Eventually, you will get to a point where you need it to do something. Either it can or it can't. When it can't, that is the break point moment at which you start looking for something else. For example, you need it to track technicians. If it doesn't, then it doesn't work for you. It's as simple as that.

Secondly, when something better comes along. Something new, something hip, something that does tricks will catch your attention through either a friend, colleague or competitor, and you will salivate because your software doesn't do it as well. This is simply the grass being greener on the other side.


There is no perfect software and I know all too well that software is simply a tradeoff. Having it do certain items really well and having it not do certain items well is in every software. The look and feel, the interaction, the interface, the upgrades, sooner or later you will see that all software is simply trading one aspect for another. My wife will usually choose the one that looks pretty and works reliably. Hence her iPhone 6. I choose works reliably as a top priority and usually stay away from the bleeding edge technology. It's nothing more than a tradeoff.

4 Software Principles to Focus On

In light of this, and with a handful of experience from a tech perspective, I have four unconventional areas that I typically focus on. They are:

1-automating best practices:

Too often software is concerned with customization (you can eventually get there) rather than focusing on what needs to be done (here is the shortest path). The answer to this is simple. If software is automating best practices, then this is a good signal the software company is a good fit and focusing on customer needs.


I shouldn't need a masters degree to run/setup/maintain the software. Easily adapting from my current knowledge base is key. A simple interface and hiding the complexity behind the curtain is the second signal.


This means the software should have the option to extend beyond. Beyond what, you might ask? Beyond its current state. The issue is the future. The unknown. There needs to be an outlet for the unknown items that the future holds. Having a way to tap into that is vital to the survivability of software.


This means that the software should work the first time, every time. Anything less is unacceptable. If anything is shown to be insecure, it needs to be replaced with the best available option.

I didn't come up with these items sitting under a tree. They came from reading the works of Gordon Rowell. I was lucky enough to meet with Rowell a few years back, and it's amazing how true these principles still are today.


Want to make your Wordpress Web Site Run Faster?

Want to make your WordPress web site run faster? Use Better WordPress Minify.

  • -install it.
  • -run it.
  • -let it do its work.

Duplicate jQuery

Just a mental note for myself to click here if I need to remove duplicate jQuery in some CMSes:


How to Encrypt USB Drives

There's probably many ways to encrypt USB drives but to make everything easy, I've used the software here:

It creates an encrypted, password-protected folder on the USB stick. If the USB stick gets lost/stolen, the new person will not be able to access any of the information on the USB stick.

RSA Security Console Setup

Client needs RSA Security Console setup so that when you connect to the VPN, it asks for a TOKEN (instead of a password).

The Big Idea

The TOKEN comes from a KEY FOB. It's a little device that you typically put on your keychain of your car/house. You press the only button on the device and it does one thing, give you a TOKEN. A TOKEN is a bunch of letters and numbers.

So it goes like this:

  • -press button.
  • -it displays: 123ABC
  • -you connect to VPN.
  • -you type in the USERNAME.
  • -you type in the TOKEN.
  • -you type in a PIN/PASSWORD.
  • -you gain access.

The benefit here is that if your password gets compromised, it doesn't help the other person. They also need the TOKEN.

Think of it like your house. You need a key to access the house. If you don't have the physical key, you can't access the house. Same idea here. If you don't have the physical TOKEN, you can't access the house of data.

I've used this before but I've never set one up. Setting it up is a pain.

Purchase Equipment

The first hurdle to overcome is purchasing the equipment. I thought it was just software that installs on the WINDOWS SERVER 2012. Upon calling EMC (the company that owns RSA) they talked for about 15 minutes. When I asked for the next step, they prompted me to call one of their authorized dealers. Hmmmm... Not that I'm not grateful for the talk but in my mind, it would have been nice to know that upfront.

Getting the quote from CDW that only included software, I ran it by my new friend at EMC to make sure I had all the necessary parts. I want it working right the first time. EMC quickly pointed out that I also needed a hardware appliance (since the client isn't using a virtual server).

Installing the Equipment

I've often said before that large companies are nothing more than crappy software with great marketing. The same holds true here. Upon getting the equipment and inspecting it, the hardware appliance is some sort of 1U server from an MBX-like house that will powder coat your brand on the faceplate.

The rails are different in that they don't use typical holders. It has some type of quick setup rail system. Kinda cool. I always disliked the whole screw thing anyway.

First Impressions

Upon starting it up, it seems to be running some type of Linux with an apache/httpd server (update: it's actually SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3 with an Oracle WebLogic Server). Make a change in the web-console and the value is changed in the config file and the service is restarted. I get the idea. Sounds familiar.

Everything is controlled via the web console. The web console is comprised of 3 areas:

  • -SECURITY CONSOLE (assign tokens)
  • -OPERATIONS CONSOLE (sync users between systems, date, time, network, etc)
  • -SELF-SERVICE CONSOLE (users can set PIN's and update their info)

Setup Users

You can setup the users via INTERNAL DATABASE or sync the users with an EXTERNAL DATABASE. This external database is typically an LDAP read-only database. This means it can be WINDOWS SERVER ACTIVE DIRECTORY or it can be an OPEN LDAP on RHEL/CENTOS.

The sync will only happen via a SECURE CONNECTION, meaning LDAPS. The funny thing is that WINDOWS SERVER 2012 has its own way of dealing with CERTIFICATES, which makes this nearly impossible. What's worse is that if the sync fails, it simply says "failed." It doesn't say why or what happened or give any log info.

I tried a couple of times but I couldn't get mine to sync with AD. So I threw in the towel and went to INTERNAL DATABASE.

  • -login to https://rsa-server/sc
  • -nothing shows up because it's an LDAP. You have to do a search.
  • -click SEARCH (on the bottom right).
  • -all the users show.
  • -click ADD NEW (at the top).
  • -add the user.
  • -repeat if necessary.

Import Tokens

While the example at the beginning of the article talked about a KEY FOB (or hard-token), in recent years most will simply use their smart phone (or soft-token). In either case (I suppose), the tokens have to be imported into the system.

The tokens come on a CD package. The password for the tokens comes in a second package.

  • -put the CD into the system you are sitting at and using to access the web console.
  • -copy the file on the CD to the DESKTOP (it's an XML file).
  • -login to https://rsa-server/sc
  • -keep the defaults.
  • -browse for the file and select the XML on the DESKTOP.
  • -type in the password (from the second package).
  • -click SUBMIT JOB.

The job should go through smoothly. If not, double-check the password and make sure you are using the file copied to the desktop. Sometimes, the system cannot "consume" the file if it is read-only.

Setup a Software Token Profile

A Software Token Profile has to be created before assigning the tokens. The profile determines items like:

  • -what kind of device the token can be used on.
  • -how long the token lasts.
  • -the length of the token.


  • -login to https://rsa-server/sc
  • -name the profile anything you want.
  • -select the device type.
  • -select the length of the token (6 digits or 8 digits).
  • -select the time-frame of the token.
  • -select CT-KIP.

In the ATTRIBUTES section, there are 2 attributes. The first is the STRING that only allows it to be installed on the DEVICE TYPE you selected. For example, it can only be installed on APPLE DEVICES. The second section is the default name of the token. I'll explain later. For now, type "MY TOKEN."


  • -leave the first attribute as the default value.
  • -type: MY TOKEN (for software token nickname).
  • -click SAVE.


Before you dish out the TOKENS, the users must have the RSA APP installed on their device, in this case the IPHONE. This sucks because now everyone has to have an APPLE-ID to continue, which is its own set of instructions.

Nevertheless, go to the APP STORE and install the RSA SECURID SOFTWARE TOKEN.

Note that the RSA APP won't work until it has a TOKEN installed. This is what confuses most people. They think, "I just installed the APP. Why doesn't it just work?"

Assign Token to Users

Now here is the fun part. We assign the tokens to the users. You can either assign the tokens in bulk or you can assign them one-by-one. I would love to think that going bulk would work but realistically, going one-by-one is probably easier in the long run.

  • -login to https://rsa-server/sc
  • -click the UNASSIGNED tab (at the top).
  • -click the top token.
  • -click ASSIGN TO USER.
  • -the user-panel shows but since it's LDAP, nothing shows.
  • -click SEARCH (in the bottom-right) to show all the users.
  • -bullet the user-you-want.
  • -click ASSIGN (at the bottom).

Distribute the Tokens

Distributing the TOKENS is an additional step. Without distributing the TOKENS, the users have nothing more than an APP installed on their phone.

Go back to the token list (assigned):

  • -login to https://rsa-server/sc
  • -click the token-you-want-to-distribute.
  • -click DISTRIBUTE.
  • -select the SOFTWARE-TOKEN-PROFILE already created.

Now remember those attributes? Here's where you can customize them for each user. The first attribute (DeviceSerialNumber) can be changed so that the TOKEN will only install on the IPHONE belonging to the user (rather than just any IPHONE). The second attribute will let you customize what the user will see when they click on the RSA APP.

To get the specific DEVICE-SERIAL-NUMBER:

  • -get the iphone.
  • -open the RSA app.
  • -click INFO button (at the bottom-right).
  • -the BINDING-ID is the ID that needs to be typed into the DeviceSerialNumber attribute.
  • -you can either email this to the super-admin (by clicking the email button next to the number) or you can tell him the number or you can just hand your phone to him/her.
  • -type in a NICKNAME (so that it shows something other than just "Token 1").
  • -select SYSTEM-GENERATED-CODE if the ACTIVATION-CODE (keep reading) is random or if the ACTIVATION-CODE is known as the DEVICESERIALNUMBER.
  • -click SAVE & DISTRIBUTE.

Upon doing so, the admin has the option to distribute the TOKEN. Typically, that is done via email. After all, if it will only work on the specified device, there's really no harm in emailing the token. Is there?

At this point, you have another option, you can either:

  • -email the whole token.
  • -or you can email part of the token and force it require an ACTIVATION CODE.

If you require the ACTIVATION CODE, you will have to get that ACTIVATION CODE to the user. Good luck.

This whole process is complicated but it allows you to put as much security into your system as possible.

I opt to make it as easy as possible while still maintaining security: I assign the token directly to the device and email the whole token with the activation code for a push-one-button install.

What happens

What happens if you try to install a TOKEN onto a device that isn't in the DEVICESERIALNUMBER?

It will ask you for the ACTIVATION CODE. Then it will say, "Token import failed. Invalid activation code. Contact your administrator."

Pretty cool. The TOKEN will only work on the device assigned to the TOKEN.

Everywhere, users are screaming "SECURITY!!!"

Integrating the RSA into Something

What's cool here is that the RSA appliance can be used to protect a few different items. Possibly you want it to protect a web site, a VPN or simply the computer system itself. It can protect all of these and integrate into just about anything. Theoretically anyway.

So far, I have witnessed it protecting a web site and protecting a computer system.

The VPN protection can be via Windows VPN or it can be via SonicWall VPN. The SonicWall has RSA integration capabilities.

To be able to secure an item, typically the item will use a SECURITY AGENT. This is a fancy term for a bit of code that integrates into the item you are protecting so that the USER/PASS request is sent to the RSA SERVER rather than the web site, AD server, etc.

Integrating the RSA into the RRAS (Windows VPN)

As of this writing, this isn't possible. I talked to RSA tech support. RSA doesn't integrate into RRAS/Windows 2012 VPN. It's on the roadmap and I'll be notified once it's complete.

Some items suggest that the RSA integration is via an authentication agent found here:

Other items suggest this may be possible via RADIUS. For example, the horses-mouth docs say that VPN is done through RADIUS here:

And it gives instructions here:

Integrating the RSA into SonicWall VPN

The RSA can be integrated into the SonicWall VPN without too much trouble. SonicWall is its own topic unto itself. I won't go into all the details of the SonicWall or else we will be writing/reading a book.

The SonicWall has 2 types of VPN. The GLOBAL-VPN (GVPN) and the SSLVPN. For many reasons, pretend like the GLOBAL-VPN doesn't exist and simply go straight to the SSLVPN.

In this regard, to get the SSLVPN working, I'll simply refer to this awesome YouTube video:

At some point, I'll write out the instructions but for now, the above link will suffice.

After the VPN is up and running, we have to integrate the RSA users into the SONICWALL. On this section, to get the RSA users into the SONICWALL, I'll simply refer to this awesome DELL KB post:

It uses RADIUS, so the RADIUS SERVER must be setup on the RSA and the RADIUS CLIENT must be setup on the SONICWALL.

Final VPN steps

So to get this working, you must have the SONICWALL VPN software setup on the laptop. What's cool here is that the software is embedded into firmware in the SONICWALL. This software should install automatically upon visiting the VPN/SONICWALL web site, but I'm finding that if the SSL certificate is SELF-SIGNED and not issued from a TRUSTED-STORE then the software doesn't download/install correctly.

To get around this, you can manually install the software from the SONICWALL VPN web site here:


So to recap, here is why the RSA setup is so secure and the high-level steps a user goes through:

  • -must have company iphone/device.
  • -token can only be installed on company iphone/device.
  • -enter PASSCODE for general iphone access.
  • -press RSA token app.
  • -type pin.
  • -press enter.
  • -see token.
  • -type token into vpn software.

A few things to keep in mind:

  • -token is one time use only. Once you try it, it won't work again. You will have to wait for another token.
  • -just to be clear, you cannot test a token and then use it.
  • -if you don't enter the pin before getting a TOKEN, it will give a TOKEN but it will be the wrong one.
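The server side of that flow, as an added example that is not part of this post and not RSA's code. RSA SecurID's own token algorithm is proprietary, so this stand-in uses an HMAC-based time-step code (the RFC 6238 scheme, assumed here) with the PIN mixed into the key. That reproduces the three behaviours in the notes above: a wrong PIN still produces a code (just the wrong one), a code is accepted once, and a replayed code is refused. The seed, PIN and timestamps are constructed demo values.

```python
import hashlib
import hmac
import struct

# Constructed demo values; a real seed comes from the token XML import, never from source code.
DEMO_SEED = b"constructed-demo-seed-not-a-real-rsa-token"
DEMO_PIN = "2468"
TOKEN_DIGITS = 6        # the software token profile offers 6 or 8 digits
STEP_SECONDS = 60       # one code per minute, as on the fob


def _otp(key: bytes, counter: int, digits: int = TOKEN_DIGITS) -> str:
    """HOTP-style truncation (RFC 4226) of HMAC-SHA1(key, counter)."""
    mac = hmac.new(key, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def _pin_key(seed: bytes, pin: str) -> bytes:
    """Derive the per-PIN key. A wrong PIN gives a different key, hence a wrong code."""
    return hmac.new(seed, pin.encode(), hashlib.sha256).digest()


def display_token(seed: bytes, pin: str, now: float) -> str:
    """What the app shows after the user types a PIN: never an error, just a code."""
    return _otp(_pin_key(seed, pin), int(now // STEP_SECONDS))


class TokenVerifier:
    """Server-side check: right seed, right PIN, current time step, never the same code twice."""

    def __init__(self, seed: bytes, pin: str, window: int = 1):
        self.key = _pin_key(seed, pin)
        self.window = window            # accept +/- this many steps of clock drift
        self.used_steps: set[int] = set()

    def verify(self, token: str, now: float) -> bool:
        if not token.isdigit():
            return False
        current = int(now // STEP_SECONDS)
        for step in range(current - self.window, current + self.window + 1):
            if hmac.compare_digest(_otp(self.key, step), token):
                if step in self.used_steps:
                    return False        # replay: "once you try it, it won't work again"
                self.used_steps.add(step)
                return True
        return False                    # wrong PIN, wrong seed or stale code


if __name__ == "__main__":
    verifier = TokenVerifier(DEMO_SEED, DEMO_PIN)
    now = 1_700_000_000
    code = display_token(DEMO_SEED, DEMO_PIN, now)
    print("first use:", verifier.verify(code, now))                                          # True
    print("replay:   ", verifier.verify(code, now))                                          # False
    print("wrong PIN:", verifier.verify(display_token(DEMO_SEED, "0000", now + 60), now + 60))  # False
```

The used-step set is what makes the code one-time: the verifier remembers which time steps it has already accepted, so the same six digits cannot be "tested" and then used, exactly as the notes warn.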


The RSA package lives in:


It has its own SERVICE. Rather than the typical:

service biztier status

RSA calls it rsaserv and puts it here:


So checking the RSA services goes like this:

./rsaserv status all

RSA puts all the unique services here:


This is different than placing it in the typical directory of:


External References

This has helped:


GPO Settings for IE11

Well it looks like at this time the settings for IE11 are left out of the GROUP-POLICY settings in SERVER 2012.

Here's how to get them.

  • -download the ADM TEMPLATE here: http://www.microsoft.com/en-gb/download/details.aspx?id=40905
  • (unzip it of course)
  • -open the GPO on the SERVER 2012.
  • -click ADD
  • -select the unzipped file.
  • -awesome!

The next part to this is to change the settings in the GPO for IE 11.

  • -open the GPO on the SERVER 2012.
  • -right-click INTERNET-SETTINGS
  • (While IE 11 doesn't show, the settings for IE10 will work for IE 11)

Sagonet DataCenter

After having a client server at Sagonet DataCenter, I can make the recommendation to try and find another solution.

Here is my history of more than 7 years with 8 significant issues. Keep in mind that every issue caused more than 100 people to either call or email asking questions. Plus it reflected poorly on the client's business, which was seen as unreliable.

11/28/08: power failure. Outage due to under supplied power blamed on FPL causing the backup car batteries to have zero power.

08/29/09: Aug 28 23:13:37 server kernel: You probably have a hardware problem with your RAM chips
Aug 28 23:13:37 server kernel: Uhhuh. NMI received. Dazed and confused, but trying to continue

07/16/10: backup options $140 per month

12/13/11: access from comcast issue. Locations at Comcast couldn't connect.

06/02/12: server unavailable... suddenly re-appeared.

06/20/12: hd died.

09/21/12: access from comcast issue. Locations at Comcast couldn't connect.

01/14/14: all of tampa unavailable for several days. No response for more than 24 hours. When response was received, it was "we are working on it."
Panicked, I tried to move to new datacenter.
Server crashed during transfer to new server.


The bright side to all of this is that it obviously forced the client to get a new server at a new datacenter with whom I am very pleased.

My recommendation is that if you have an enterprise, host at RackSpace. It's pricey but you get what you pay for.

Recover Accidentally Deleted Files

Need to recover files that were accidentally deleted? Who hasn't dropped over 103 mysql databases by typing in the wrong commands at one point or another? Here's my recommendation:

  • testdisk.
  • ext4magic
  • r-studio

First, find and activate the old volume group, and rename it so it doesn't clash with the running system's volume group of the same name:

lvm vgscan
lvm lvscan
lvm vgchange -a y
lvm pvscan
lvm lvscan
lvm vgrename main mainold

Then assemble the RAID member the old drive belongs to, activate the renamed volume group and mount the old root (read-only if you can manage it, so nothing overwrites the blocks you are trying to recover):

fdisk -lu /dev/sdb
mdadm -AR /dev/md8 /dev/sdb2
lvm vgscan
lvm lvscan
lvm vgchange -a y
mkdir -p /mnt/olddrive
mount -t ext3 /dev/mainold/root /mnt/olddrive

Then let ext4magic carve the deleted MySQL files out of the old logical volume into a recovery directory on a different disk. The device is the logical volume itself (not the md device or the raw partition), and the path given to -f is relative to the root of that filesystem (var/lib/mysql, not /mnt/olddrive/var/lib/mysql):

ext4magic /dev/mapper/mainold-root -f var/lib/mysql -d /installs/RECOVERDIR1 -R
ext4magic /dev/mapper/mainold-root -f var/lib/mysql -j /installs/BACKUPPATH/journal.copy -d /installs/BACKUPPATH -m -R


Find Computer on Network that is Sending Out Spam With SonicWall

So you have a network. One of the devices on the network is sending out spam at an amazing rate. How do you find and locate the misbehaving computer?

If you have a SONICWALL, you can look at the current connections across all your devices at any given time.

  • -login to SONICWALL.
  • -find the DIAGNOSTIC TOOL area.
  • -change the dropdown to CONNECTIONS-MONITOR

This will show all the connections from the outside network to the inside network and vice-versa. You are looking for any connection with a DESTINATION PORT of 25. It should be pretty obvious, as it will be the IP ADDRESS that is NOT your internal mail server. It will be the IP ADDRESS of a client machine (laptop/desktop).

But this only shows the current active connections. What if the laptop went home? What if you want to search through the logs for the day?

  • -login to SONICWALL.
  • -click LOG > VIEW
  • -find PRIORITY
  • -change to ALERT
  • -click APPLY FILTERS

This should show a list of ALERTS in the last 24 hours or so. Carefully look through them to see if anything is sending to PORT 25.


What's interesting is that in a typical situation the logs look like this:

Time Priority Category Message Source Destination
32:13.7 Alert Intrusion Prevention Possible port scan detected, 443, X1, 56114, X5

The destination and port number are easily available.

In my situation, the log looks like this:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: dst:  <blank>  <blank>
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted  <blank>  <blank>

The destination isn't in the DESTINATION column but rather in the MESSAGE column.

Regardless, with this information, I now know which client machine is causing the issue.
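One way to do that search without eyeballing every row, as an added example that is not part of this post or of SonicWall's tooling. It assumes the log has been exported as tab-separated text with the column headings shown above; the rows are a constructed sample that mirrors the entries quoted (the MAC address is made up), plus one added port-25 row so the SMTP check has something to find. The parser takes the host from the Source/Destination columns when the appliance fills them in, and digs the MAC out of the Message column when it does not.

```python
import csv
import io
import re

# Constructed sample of a SonicWall log export, assumed to be tab-separated. Rows 2-4 mirror
# the entries quoted in the text (MAC made up); row 5 is an added port-25 example.
SAMPLE_LOG = (
    "Time\tPriority\tCategory\tMessage\tSource\tDestination\n"
    "32:13.7\tAlert\tIntrusion Prevention\tPossible port scan detected, 443, X1, 56114, X5\t192.0.2.44\t198.51.100.2\n"
    "46:26.9\tAlert\tIntrusion Prevention\tPossible SYN Flood on IF X0 - src: dst:\t\t\n"
    "46:30.6\tAlert\tIntrusion Prevention\tSYN-Flooding machine on IF X0 - 00:11:bb:62:2c:95 with SYN rate of 1001/sec blacklisted\t\t\n"
    "47:02.1\tAlert\tIntrusion Prevention\tPossible port scan detected, 25, X1, 50233, X5\t192.0.2.77\t198.51.100.9\n"
)

MAC_RE = re.compile(r"\b([0-9a-f]{2}(?::[0-9a-f]{2}){5})\b", re.IGNORECASE)
# "Possible port scan detected, <port>, <iface>, <port>, <iface>"; the first port is assumed
# to be the destination port, as in the 443 example above.
PORT_SCAN_RE = re.compile(r"Possible port scan detected, (\d+), (\w+), (\d+), (\w+)")
SMTP_PORT = 25


def parse_log(text: str) -> list[dict]:
    """Read the export into one dict per row, keyed by the column headings."""
    return [dict(row) for row in csv.DictReader(io.StringIO(text), delimiter="\t")]


def locate_offender(entry: dict) -> dict:
    """Pull the identifying details out of one alert.

    Source/Destination are used when filled in; when the appliance leaves them blank
    (the SYN-flood entries), the MAC address is taken from the Message column instead.
    """
    message = entry.get("Message", "")
    ports: list[int] = []
    match = PORT_SCAN_RE.search(message)
    if match:
        ports = [int(match.group(1)), int(match.group(3))]
    mac = MAC_RE.search(message)
    return {
        "time": entry.get("Time", ""),
        "source": (entry.get("Source") or "").strip() or None,
        "destination": (entry.get("Destination") or "").strip() or None,
        "mac": mac.group(1).lower() if mac else None,
        "ports": ports,
        "smtp": SMTP_PORT in ports,
    }


def find_smtp_sources(entries: list[dict]) -> list[str]:
    """Internal addresses seen in alerts involving port 25: the candidates for the spam box."""
    hits = [locate_offender(e) for e in entries]
    return sorted({h["source"] for h in hits if h["smtp"] and h["source"]})


def blacklisted_macs(entries: list[dict]) -> list[str]:
    """MAC addresses the appliance reports as blacklisted for SYN flooding."""
    macs = set()
    for entry in entries:
        info = locate_offender(entry)
        if info["mac"] and "blacklisted" in entry.get("Message", ""):
            macs.add(info["mac"])
    return sorted(macs)


if __name__ == "__main__":
    rows = parse_log(SAMPLE_LOG)
    print("port-25 talkers:", find_smtp_sources(rows))      # ['192.0.2.77']
    print("blacklisted MACs:", blacklisted_macs(rows))      # ['00:11:bb:62:2c:95']
```

A MAC address found this way still has to be matched to a machine (the DHCP lease table or the switch's MAC table), since the appliance only sees the layer-2 address on its own interface.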

Exchange 2013 Message Queue

To look at the message-queue in EXCHANGE 2013, it's actually rather easy.

  • -click QUEUE-VIEWER

Here you will see any messages that are waiting to be delivered. Sometimes a receiving server might delay the message or the receiving server might simply be not available, in which case, the message will wait to be sent again. After a certain period of time, I believe that it's 48 hours, the message will bounce as undeliverable or NDR.

Linux Logs for Login Attempts

Logs for logins are located here:

  • -/var/run/utmp (the current login status).
  • -/var/log/wtmp (the historical login status).
  • -/var/log/btmp (the failed login status).

You can't read these files directly (they are binary); you have to use the following command: last

So, it would go like this:

last -f /var/run/utmp

Or if you want to see something scary use:

last -f /var/log/btmp
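The scary part of that btmp listing is easier to act on once it is summarised per source. Here is an added example, not part of this post, that parses the text `last` prints and counts failed attempts and the usernames tried per remote address. The listing below is a constructed sample of `last -f /var/log/btmp` output using documentation addresses, including one console entry with no host column.

```python
import re
from collections import defaultdict

# Constructed sample of `last -f /var/log/btmp` output (documentation IP ranges, made-up times).
SAMPLE_BTMP = """\
root     ssh:notty    203.0.113.5      Mon Jun 13 02:14 - 02:14  (00:00)
root     ssh:notty    203.0.113.5      Mon Jun 13 02:14 - 02:14  (00:00)
admin    ssh:notty    203.0.113.5      Mon Jun 13 02:15 - 02:15  (00:00)
bob      ssh:notty    198.51.100.7     Mon Jun 13 09:41 - 09:41  (00:00)
root     ssh:notty    203.0.113.5      Mon Jun 13 02:16 - 02:16  (00:00)
root     tty1                          Mon Jun 13 11:02 - 11:02  (00:00)

btmp begins Mon Jun 13 02:14:03 2016
"""

WEEKDAYS = {"Mon", "Tue", "Wed", "Thu", "Fri", "Sat", "Sun"}
LINE_RE = re.compile(r"^(?P<user>\S+)\s+(?P<tty>\S+)\s+(?P<rest>.*)$")


def parse_last(text: str) -> list[dict]:
    """Turn `last` output into records; the host column is blank for console logins."""
    records = []
    for line in text.splitlines():
        if not line.strip() or line.startswith(("btmp begins", "wtmp begins", "utmp begins")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        rest = m.group("rest").split()
        host = None
        if rest and rest[0] not in WEEKDAYS:   # a host/IP precedes the weekday when present
            host = rest.pop(0)
        records.append({"user": m.group("user"), "tty": m.group("tty"),
                        "host": host, "when": " ".join(rest[:4])})
    return records


def failures_by_source(records: list[dict]) -> dict:
    """Attempt count and the distinct usernames tried, per remote source."""
    summary: dict = defaultdict(lambda: {"attempts": 0, "users": set()})
    for r in records:
        src = r["host"] or "local"
        summary[src]["attempts"] += 1
        summary[src]["users"].add(r["user"])
    return {src: {"attempts": v["attempts"], "users": sorted(v["users"])}
            for src, v in summary.items()}


def noisy_sources(records: list[dict], threshold: int = 3) -> list[str]:
    """Remote sources at or above the threshold: worth a firewall rule or a closer look."""
    return sorted(src for src, v in failures_by_source(records).items()
                  if src != "local" and v["attempts"] >= threshold)


if __name__ == "__main__":
    recs = parse_last(SAMPLE_BTMP)
    for src, info in failures_by_source(recs).items():
        print(f"{src:15} {info['attempts']:3} attempts  users={info['users']}")
    print("noisy:", noisy_sources(recs))   # ['203.0.113.5']
```

On a live box, feed it the real output with something like `subprocess.run(["last", "-f", "/var/log/btmp"], capture_output=True, text=True).stdout`; btmp is normally root-readable only, which is why the listing has to be produced with the right privileges.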

Add AD Group as an EAC Group.

What's hard to wrap your mind around in MICROSOFT world is the whole disconnect between systems. In other words, it has fine-grain control. It can be connected but it isn't connected automatically by default.

So let's take this example of adding a group to AD & EAC:

  • -create a group in ACTIVE DIRECTORY (AD) called TESTGROUP.
  • -add people to the group.
  • -the group doesn't show in the EAC.

If you try to add the group in the EAC, you get an error message: "Active Directory operation failed on" ... "already exists."

It's trying to tell you that you can't create the group in EAC because that group is already created in AD.

So let's add the AD GROUP so that it shows in the EAC GROUP:

  • -go to AD USERS & COMPUTERS
  • -double-click on the group-name-that-you-want-to-change.
  • -bullet UNIVERSAL (rather than GLOBAL)
  • -click OK
  • -connect via POWERSHELL.
  • -type: Enable-DistributionGroup -Identity "GROUP_NAME" -Alias "GROUP_ALIAS"
  • -refresh the screen in the EAC and the group name will show.

Awesome! Good work.

Now when you try to make a change to the group you find that you can't change the settings for that group in EXCHANGE 2013. You get a message "You don't have sufficient permissions. This operation can only be performed by a manager of the group."

You can get around this by using the -BypassSecurityGroupManagerCheck option in PowerShell to take ownership of it. Let me show you:

  • -connect via POWERSHELL.
  • -type: Set-DistributionGroup -Identity testgroup -ManagedBy administrator -BypassSecurityGroupManagerCheck

This will add the ADMINISTRATOR as the OWNER of the TESTGROUP.

Block Websites with SonicWall

I service a SONICWALL 2400. I want to block certain web sites. Even though the license for Premium Content Filtering Service shows as EXPIRED, this doesn't mean you can't block web sites and it doesn't mean you don't have Content Filtering Service. It just means you don't have Premium Content Filtering Service. The Premium Content filtering allows you to filter on the basis of categories (http://www.sonicwall.com/us/en/products/Network_Security_Content_Filtering_Categories.html).

  • -login to SONICWALL
  • -click SYSTEM > LICENSES
  • -look for "Comprehensive Gateway Security Suite Upgrade"
  • -underneath, look for "Premium Content Filtering Service."
  • -next to it, I see EXPIRED.

A little miffed and upset because I feel like I'm being hi-jacked to pay for something that just about any home router can do out of the box, I give it a try anyway.

  • -login to SONICWALL.
  • -click SECURITY-SERVICES (on the left-hand side).
  • -click CONTENT FILTER.
  • -you may see UPGRADE REQUIRED (in big red letters).
  • -not true (just like their AUTO-DOWNLOAD FIRMWARE feature).
  • -find the second section called CONTENT FILTER TYPE.
  • -select CONTENT FILTER SERVER (in the dropdown box).
  • -click CONFIGURE.
  • -click CUSTOM LIST (tab at the top).
  • -click ADD.
  • -type in the domain you want to block (for example: aol.com).
  • -click OK > OK
  • -that should do it! Test it out and let me know how it goes.


Here are some tips on using the STORCLI.

Like last time, you have to run as admin.

  • -right-click CMD
  • -browse to the STORCLI location

Show all the info about the MegaRaid card:
storcli /c0 show all

I would post more but this site already has most of it:

The goal for me is to get 4 physical drives in a RAID1. I want to hot-swap pull one of the drives and store it away for safe-keeping. Then I want to insert a new fresh drive into the array.

The older drive should be usable/mountable without difficulty.

LSI MegaRAID Firmware Failed to FLASH flash. Stop!!!

So upgrading the firmware on this puppy was rather brutal. I kept on getting, "Firmware Failed to FLASH flash. Stop!!!".

Luckily, there is someone out there (http://www.wobblycogs.co.uk/index.php/computing/hardware/110-lsi-megaraid-firmware-upgrade-under-vmware) who understands that this means you are trying to jump too big a gap. You can't go from v2.007.403-3066 to v2.130.403-3066. You have to step up through an intermediate firmware.

He also was kind enough to post the step-upgrade-firmware since LSI doesn't offer that firmware anymore.

Here's how:

As a requirement, use the STORCLI (it is the successor of the MegaCLI). To be clear, the MegaCLI should not be used. It is outdated.

  • -right-click CMD
  • -browse to the STORCLI location
  • -make sure the firmware ROM's are in the same folder (it isn't necessary but it makes it easier).
  • -type: StorCLI /c0 download file=AF2108_FW_Image.rom
  • -it should take about 10 minutes.
  • -reboot server.
  • -wait nervously as it performs the upgrade during the reboot.
  • -go back to the same location in CMD.
  • -type: StorCLI /c0 download file=mr2108fw.rom
  • -it should take about 10 minutes.
  • -reboot server.
  • -wait nervously as it performs the upgrade during the reboot.
  • -bliss ensues.

Update Exchange Malware Definitions

  • -open POWERSHELL
  • -type: & $env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1 -Identity <yourservername.yourdomain.tld>
  • -press enter

Obviously, replace the full <yourservername.yourdomain.tld> with your actual server name. This could be server.domain.local, server.domain.com or foo.fee.tld. To find this value type:

Now look at the EVENT VIEWER:

  • -server-manager
  • -click WINDOWS-LOGS > APPLICATION (on the left-hand side).
  • -look for EVENT-ID: 6033

This should indicate that the definitions were successfully updated.

Exchange 2013 Logs

I'm so used to Centos being so easy that it's difficult for me to wrap my head around MS thinking. Typically in Centos, front-end mail logs would be in:

With internal/external delivery being in:

Well from the following link from MS, I was able to piece together a little more info on how it routes the email through the system:

High-level logs (general connection status) are documented here:

Low-level logs (specific connection status) are documented here:


In MS EXCHANGE, the logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog

There you will find 2 directories that are hopefully self explanatory:

This will show the details of the data transfer including what email address it came from and what email address it's going to. This would be equivalent to the qpsmtpd.


Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity

This is for sending email. It will show the SMTP responses such as "Failed connection to...." It will not show the DATA transfer details.


This shows delivery of internal email which skips the external QPSMTPD. Here is another spot:


This is going a little overboard as it tracks details of every single message.

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

This will show the following:
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

That's a bunch of information. In my mind, this is equivalent to the qmail logs.

If you want to look through the logs, this is the place to do it! Want to make it easier? Find my article on installing GNUWIN32 so that you can grep through the logs. Sweet!


Since logging is disabled by default, we have to turn it on. This is turning the logging on for the FRONT-END/QPSMTPD:

  • -type: Get-ReceiveConnector "FOO\Default Frontend Foo" |fl *
  • (This will show the details for the connector.)
  • -type: Set-ReceiveConnector "FOO\Default Frontend Foo" -ProtocolLoggingLevel Verbose



The above link helped me here. Searching through the message logs is the only way to see if a TRANSPORT RULE or MAIL FLOW RULE has been triggered. To see the whole message log, it's like this:

Get-MessageTrackingLog | fl *

If a message has been blocked by a TRANSPORT RULE or MAIL FLOW RULE, it will give an EVENTID of "FAIL" and the STATUS will say "550 5.2.1 Message deleted by the transport rules agent."


A specific SENDER:
Get-MessageTrackingLog -Sender <sender-address>

A specific RECIPIENT:
Get-MessageTrackingLog -Recipients <recipient-address>

A specific START DATE:
Get-MessageTrackingLog -Start "06/13/2016"

A specific EVENT (Such as FAIL):
Get-MessageTrackingLog -EventId FAIL

Shows the FAILED messages since the given START date (including messages that fail due to MAIL FLOW RULES / TRANSPORT RULES):
Get-MessageTrackingLog -EventId FAIL -Start "01/01/2000"

Adding them together to find an email that didn't go through (EVENT FAIL) FROM a USER, TO a USER on a certain DATE:
Get-MessageTrackingLog -EventId FAIL -Start "06/01/2016" -Sender <sender-address> -Recipients <recipient-address> -ResultSize Unlimited

See the expanded details about the messages:
Get-MessageTrackingLog -EventId FAIL -Start "06/13/2016" -Sender <sender-address> -Recipients <recipient-address> -ResultSize Unlimited | fl

Show me everything about the item by using the InternalMessageId:
Get-MessageTrackingLog -InternalMessageId 89279485181957 | fl

EventId parameters can be the following: BadMail, Defer, Deliver, DSN, Expand, Fail, PoisonMessage, Receive, Redirect, Resolve, Send, Submit, and Transfer.
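When GnuWin32 grep is not enough and you need to match on specific columns of the MessageTracking log (say, every FAIL where the status names the transport rules agent, for one sender, since a date), a small parser of the #Fields format listed above does the job offline. The following is an added example, not code from the original post or from Microsoft: the log lines are constructed to match the Exchange 2013 field layout, the filters mirror the -EventId, -Sender, -Recipients and -Start parameters of Get-MessageTrackingLog, and it also handles the case the one-liners above gloss over, a row with several recipients separated by ";" in recipient-address and recipient-status.

```python
import csv
from datetime import datetime, timezone

# Constructed sample of a MessageTracking log (not a real capture). The
# "#Fields:" header is the one Exchange 2013 writes; the data rows are made up.
SAMPLE_LOG = """\
#Software: Microsoft Exchange Server
#Version: 15.0.0.0
#Log-type: Message Tracking Log
#Date: 2016-06-13T00:00:00.000Z
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data
2016-06-01T09:15:00.000Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,,AGENT,FAIL,1001,<m1@example.com>,n1,alice@example.com,550 5.2.1 Message deleted by the transport rules agent,2048,1,,,Old blocked mail,bob@example.com,bob@example.com,,Originating,,,,
2016-06-13T14:02:11.000Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,,SMTP,RECEIVE,1002,<m2@example.com>,n2,alice@example.com;carol@example.com,,1024,2,,,Quarterly numbers,bob@example.com,bob@example.com,,Originating,,,,
2016-06-13T14:02:12.000Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,,AGENT,FAIL,1002,<m2@example.com>,n2,alice@example.com;carol@example.com,550 5.2.1 Message deleted by the transport rules agent;550 5.2.1 Message deleted by the transport rules agent,1024,2,,,Quarterly numbers,bob@example.com,bob@example.com,,Originating,,,,
2016-06-13T15:30:00.000Z,10.0.0.5,MAIL01,203.0.113.10,mx.partner.example,,,SMTP,FAIL,1003,<m3@example.com>,n3,nobody@partner.example,550 5.1.1 User unknown,512,1,,,Hello,dave@example.com,dave@example.com,,Originating,,,,
2016-06-13T16:00:00.000Z,10.0.0.5,MAIL01,10.0.0.5,MAIL01,,,STOREDRIVER,DELIVER,1004,<m4@example.com>,n4,alice@example.com,,4096,1,,,Lunch,carol@example.com,carol@example.com,,Originating,,,,
"""

TRANSPORT_RULE_STATUS = "550 5.2.1 Message deleted by the transport rules agent"


def parse_tracking_log(text):
    """Return the data rows of a MessageTracking log as dicts keyed by #Fields name."""
    fields = None
    rows = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if raw.startswith("#Fields:"):
            fields = raw[len("#Fields:"):].strip().split(",")
            continue
        if raw.startswith("#"):
            continue  # other header lines (#Software, #Version, #Date, ...)
        if fields is None:
            raise ValueError("data row seen before the #Fields header")
        values = next(csv.reader([raw]))  # csv handles quoted subjects with commas
        rows.append(dict(zip(fields, values)))
    return rows


def _recipients(row):
    # Multi-recipient rows carry all addresses in one cell, separated by ";"
    return [r.strip().lower() for r in row["recipient-address"].split(";") if r.strip()]


def _as_utc(start):
    if isinstance(start, datetime):
        return start if start.tzinfo else start.replace(tzinfo=timezone.utc)
    # Accept the same "MM/DD/YYYY" shape used with -Start in the post
    return datetime.strptime(start, "%m/%d/%Y").replace(tzinfo=timezone.utc)


def find_events(rows, event_id="FAIL", sender=None, recipient=None, start=None):
    """Filter rows the way -EventId/-Sender/-Recipients/-Start do (case-insensitive)."""
    since = _as_utc(start) if start else None
    out = []
    for row in rows:
        if row["event-id"].upper() != event_id.upper():
            continue
        if sender and row["sender-address"].lower() != sender.lower():
            continue
        if recipient and recipient.lower() not in _recipients(row):
            continue
        if since:
            when = datetime.strptime(row["date-time"], "%Y-%m-%dT%H:%M:%S.%fZ")
            if when.replace(tzinfo=timezone.utc) < since:
                continue
        out.append(row)
    return out


def blocked_by_transport_rule(row):
    """True for a FAIL row whose status names the transport rules agent."""
    return row["event-id"].upper() == "FAIL" and TRANSPORT_RULE_STATUS in row["recipient-status"]


if __name__ == "__main__":
    rows = parse_tracking_log(SAMPLE_LOG)
    for row in find_events(rows, start="06/13/2016"):
        tag = "transport rule" if blocked_by_transport_rule(row) else "other failure"
        print(row["date-time"], row["sender-address"], "->", row["recipient-address"], f"[{tag}]")
```

Point the parser at the files under the MessageTracking directory above (they are plain text, one #Fields header per file) and you get the same answers as the cmdlets without an Exchange shell, which is handy when reviewing exported logs on another machine.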


Joomla 2.5: Manager Group Can't Access Admin Login

Some components, namely FRONTPAGE SLIDESHOW (aka FPSS), get the parent_id incorrect.

  • -access MYSQL
  • -access #_assets
  • -sort the rows by "parent_id"
  • -change all the 0's (zeros) to 1's (ones).
  • -change the "Root Asset" to 0 (zero).

In mysql speak (#_ stands for your actual table prefix), it looks like this:

UPDATE `#_assets` SET `parent_id`=1 WHERE `parent_id` = '0';
UPDATE `#_assets` SET `parent_id`=0 WHERE `title` = 'Root Asset';

Install Grub onto a HD

Here's how to install Grub onto a HD:

  • grub
  • grub> device (hd0) /dev/sdb
  • grub> root (hd0,0)
  • grub> setup (hd0)
  • grub> quit

If you look closely, you are installing grub on SDB (not SDA). Also note that you are installing grub as HD0 or the FIRST HD. The reason you do this is because grub is already installed on SDA and while grub only needs to be installed on one disk (it doesn't need to be installed on two disks), you need to consider what happens if SDA dies.

If SDA dies then SDB is going to be the next disk in line and possibly the only disk. The boot process or bootstrap will skip SDA and try to boot from SDB. If grub is not found, then the system will not boot. Installing grub on SDB as the FIRST HD, ensures that the system boots to the first stage menu and allows you to pick your installation or begin stage 2.

Getting Hardware Info

Getting hardware information from a server that you've never laid eyes on, that is thousands of miles away and that you can't physically access is sometimes difficult.

Below are some items that I've used in the past to get details of the hardware in the system. You can harmlessly type the commands in as they only inspect info and do not change anything.


I like this one. It gets the info from the BIOS, even the product name, serial number and Dell service tag number. It even gets the BASEBOARD info (or motherboard info) and the CHASSIS info (the actual physical case) with its locked status.

The full list is:

  • dmidecode
  • lspci
  • lsusb
  • df -h
  • fdisk -l
  • mount | column -t
  • cat /proc/cpuinfo
  • cat /proc/meminfo
  • cat /proc/scsi/scsi
  • cat /proc/version
  • uname -a
  • cat /proc/partitions

AWS S3 Clients

Amazon Web Services or AWS is amazing. There's so much that I'm like the proverbial kid in a candy store. This changes everything. Walls are torn down technology-wise. And price isn't a barrier.

One issue is that something as seemingly simple as syncing a local directory to AWS S3 is so complicated. There are a number of ways to automatically sync items that I have found in my travels and wanted to list them out.



This is the standard of what you want. It connects a new DRIVE LETTER to your computer which syncs with S3. So it adds a Z DRIVE to your computer. That Z DRIVE is actually your S3. Cool.

The problem becomes, what if I don't want it as a DRIVE LETTER and I want it to connect to an existing folder/directory.



This is strictly a command-line tool. It will walk you through getting the command correct but then you are responsible for running the command directly or on a cron. Not exactly what I was looking for.



This looks promising but it doesn't have the GovCloud access region of AWS that I need.

ioncube loader

Unzip the IonCube File & Load It Into the PHP

  • -untar/unzip the ioncube download tar.gz
  • -it will give a bunch of files.
  • -use a phpinfo file to look at all the php info details.
  • -find where the extension_dir is.
  • -for me, it is: /usr/lib64/php/modules
  • -copy the most recent ioncube_loader into that directory (there will be other extensions in there as well).
  • -for me, the file is: ioncube_loader_lin_5.3.so

Edit the php.ini file

  • -go to the end of the file.
  • -type:

zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.3.so

Restart the Httpd

  • -type: service httpd-e-smith stop
  • -type: service httpd-e-smith start

DRAC Settings


As stated, DRAC is basically DELL's proprietary version of IPMI. This is OUT-OF-BAND control. This means you can control the server even if it doesn't have an OPERATING SYSTEM on it. You can load an OS from thousands of miles away. I have successfully done this. You can control the BIOS settings, you can restart the PC, you can watch the PC boot up and you can remotely connect and view the PC (this is different than RDP). Awesome!


You can control the DRAC settings through either LOCAL access (directly on the PC) or REMOTE access (from another system). For the LOCAL access, you can use the OPEN MANAGE software previously discussed. It will install a SERVER-MANAGER icon on the desktop that can control some of the settings.


The REMOTE access can be obtained by simply setting an IP ADDRESS on the DRAC and hitting the DRAC via a web browser. What's surprising to me is that the REMOTE access seems to have more options than the local access. In fact, I really don't know why there are 2 different interfaces. It would make sense to redirect the local interface to the remote interface.


One of the options of the REMOTE is VIRTUAL MEDIA access. This means that the remote system will boot from the VIRTUAL MEDIA. It goes like this.

  • -put the OS INSTALL DISK into your computer.
  • -connect to the DRAC via browser.
  • -connect the VIRTUAL MEDIA to the remote system.
  • -the remote system will boot from the CD! (that is totally awesome!!!).
  • NOTE: the same will happen with an ISO image.


On the DRAC settings via REMOTE, you can configure the VIRTUAL MEDIA settings.

  • -connect to the DRAC via browser.
  • -click APPLY CHANGES (at the bottom).


The reason you want to do this is because most systems won't install when the VIRTUAL FLASH is enabled along with the VIRTUAL MEDIA. Both the VIRTUAL FLASH & the VIRTUAL MEDIA are enabled by default by DELL (probably an oversight on their part).

Another reason you want to do this is that if the VIRTUAL FLASH is enabled, it may show up on the WINDOWS system as an empty drive that is not formatted.


Also note that since you're accessing a remote system, usually the connection is through JAVA. I've had many issues trying to get it to work. It seems like it works best from IE on a WINDOWS system. I have very little success from the MAC BOOK PRO > FIREFOX combo.

This is true of both IPMI and DRAC.

Happy remote accessing!

Upgrading the DRAC Firmware

Here's what I did to upgrade the DRAC firmware:

  • -open command prompt and run this command to disable Virtual Flash:
  • -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 0
  • -run the DRAC update - around 10 minutes to install
  • -still in command prompt run the command to enable Virtual Flash:
  • -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 1

You can also upgrade the DRAC firmware via the REMOTE access to the DRAC. It seems to be easier. I don't know why that is so.

Download Office - Glory Days of Software

In case you don't know, the glory days of software are officially over. The new licensing in Microsoft Office 2013 makes it nearly impossible to retrieve an INSTALL KEY or PRODUCT KEY or to skip ACTIVATION. I will bypass the horrors of trying to manage this for a large set of computers and go straight to the point: MS has put up a catch-all page (404 page) that will allow you to download a product if you have a valid KEY.

In other words, you still need an INSTALL KEY or PRODUCT KEY.

MS landing page for software download if you already have a KEY (this will attach the KEY to your MS ACCOUNT/MS EMAIL):

MS 2010 items can still be directly downloaded here:

For example, PROJECT PRO 2010:

The following link has collected all of the links for us:

Auto Login To Windows Domain

Did you ever have that one executive who has a locked office and refuses to type in a USERNAME & PASSWORD because they can't differentiate between their COMPUTER PASSWORD, EMAIL PASSWORD and ICLOUD PASSWORD?

I've had that before. It's easier to just automatically log them in than dealing with the phone calls.

Here's how:

That's it! The Autologon for Windows v3.01 should take care of the rest. You are doing great!

Backup Cisco 2960-s Config File

I haven't done this stuff since college nearly 20 years ago. Most of my experience has been in Small to Medium Enterprises with a just-get-it-done attitude and a we-just-need-internet desire that I haven't had the need to get into the details.

I will say that it seems as if some of these companies simply complicate procedures to be able to justify their pricing. Backing up a config file should be a 1 button push. It's almost 2015.

  • -click START > RUN > CMD
  • -type: telnet
  • -type: o 111.222.333.444 (that's the letter o as in lmnop, followed by the ip address of the switch)
  • -type in the password
  • -type: enable (enable is their sudo command)
  • -type in the password (yes again for sudo)
  • -type: copy run tftp
  • -type 111.222.333.444 (that's the ip address of the tftp server, if you don't have a tftp server, download the http://tftpd32.jounin.net/ portable tftp server & allow UDP port 69).

That should do it!


Add USB Drive to Linux

When you add a fresh USB DRIVE to Linux, it should automatically assign it a device. Something like:

  • /dev/sda
  • /dev/sdb
  • /dev/sdc
  • /dev/sdd

and so on.

Discover the USB Drive

The easiest way to check this is to look through the message log:

grep kernel /var/log/messages

You will see something like:

Sep 26 18:07:24 server kernel: usb 2-1: new high speed USB device using ehci_hcd and address 5
Sep 26 18:07:24 server kernel: usb 2-1: configuration #1 chosen from 1 choice
Sep 26 18:07:24 server kernel: scsi6 : SCSI emulation for USB Mass Storage devices
Sep 26 18:07:24 server kernel: usb-storage: device found at 5
Sep 26 18:07:24 server kernel: usb-storage: waiting for device to settle before scanning
Sep 26 18:07:29 server kernel:   Vendor: ST310003  Model: 40AS              Rev:
Sep 26 18:07:29 server kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel:  sdd:
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi disk sdd
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi generic sg3 type 0
Sep 26 18:07:30 server kernel: usb-storage: device scan complete

If you look closely at the above logs, you will see that the system assigned the letter d to the USB DRIVE. So, the device is /dev/sdd
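Reading the device letter off the log by eye works, but the fdisk and mkfs steps that follow are destructive, and on a box with several disks it is worth a check that the device you are about to format really is the one that just arrived over USB. The following is an added example, not code from the original post: a small parser for the kernel lines shown above, run over constructed sample lines (an internal disk sdb attached at boot, then the USB disk sdd), which reports each "Attached scsi disk" event with its size, whether it was attached during a usb-storage scan, and its write-protect state.

```python
import re

# Constructed sample shaped like the /var/log/messages lines above (not a real
# capture): an internal disk sdb attached at boot, then a USB disk sdd later.
SAMPLE_MESSAGES = """\
Sep 26 10:00:01 server kernel: SCSI device sdb: 976773168 512-byte hdwr sectors (500108 MB)
Sep 26 10:00:01 server kernel: sdb: Write Protect is off
Sep 26 10:00:01 server kernel: sd 2:0:0:0: Attached scsi disk sdb
Sep 26 18:07:24 server kernel: usb 2-1: new high speed USB device using ehci_hcd and address 5
Sep 26 18:07:24 server kernel: scsi6 : SCSI emulation for USB Mass Storage devices
Sep 26 18:07:24 server kernel: usb-storage: device found at 5
Sep 26 18:07:29 server kernel:   Vendor: ST310003  Model: 40AS              Rev:
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi disk sdd
Sep 26 18:07:30 server kernel: usb-storage: device scan complete
"""

# syslog prefix "Mon DD HH:MM:SS host kernel: " followed by the kernel message
KERNEL = re.compile(r"^\w{3} +\d+ \d\d:\d\d:\d\d \S+ kernel:\s*(.*)$")
SIZE = re.compile(r"^SCSI device (sd[a-z]+): (\d+) 512-byte hdwr sectors \((\d+) MB\)")
WRITE_PROTECT = re.compile(r"^(sd[a-z]+): Write Protect is (on|off)")
ATTACHED = re.compile(r"^sd \S+: Attached scsi disk (sd[a-z]+)")


def parse_attached_disks(text):
    """Return one dict per 'Attached scsi disk' event, in log order."""
    disks = []
    pending = {}          # device name -> size/write-protect info seen so far
    in_usb_scan = False   # True between 'device found' and 'device scan complete'
    for line in text.splitlines():
        m = KERNEL.match(line)
        if not m:
            continue
        msg = m.group(1).strip()
        if msg.startswith("usb-storage: device found"):
            in_usb_scan = True
            continue
        if msg.startswith("usb-storage: device scan complete"):
            in_usb_scan = False
            continue
        size = SIZE.match(msg)
        if size:
            info = pending.setdefault(size.group(1), {"device": size.group(1)})
            info["sectors"] = int(size.group(2))
            info["mb"] = int(size.group(3))
            continue
        wp = WRITE_PROTECT.match(msg)
        if wp:
            info = pending.setdefault(wp.group(1), {"device": wp.group(1)})
            info["write_protect"] = wp.group(2) == "on"
            continue
        att = ATTACHED.match(msg)
        if att:
            info = pending.pop(att.group(1), {"device": att.group(1)})
            info["usb"] = in_usb_scan   # attached while usb-storage was scanning
            disks.append(info)
    return disks


def newest_usb_disk(text):
    """Device path of the most recently attached USB disk, or None."""
    usb = [d for d in parse_attached_disks(text) if d.get("usb")]
    return "/dev/" + usb[-1]["device"] if usb else None


def is_safe_format_target(device, disks):
    """True only if device was attached over USB and is not write-protected."""
    name = device.rsplit("/", 1)[-1]
    for d in disks:
        if d["device"] == name:
            return bool(d.get("usb")) and not d.get("write_protect", False)
    return False


if __name__ == "__main__":
    found = parse_attached_disks(SAMPLE_MESSAGES)
    for d in found:
        print(d)
    target = newest_usb_disk(SAMPLE_MESSAGES)
    print("newest USB disk:", target, "safe to format:", is_safe_format_target(target, found))
```

On a real server, feed it the output of the grep above (grep kernel /var/log/messages) and compare the result with /proc/partitions before running fdisk; a device that the log did not see arrive over USB should not be formatted.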

If the USB DRIVE already has a file system on it, you might be able to find more details by:

df -h

or simply


Partition the USB DRIVE

The fresh USB DRIVE will have no filesystem so it probably won't be mounted anywhere. To partition the USB DRIVE:

  • fdisk /dev/sdd
  • n (to add a new partition)
  • p (to make a primary partition)
  • 1 (that's the number one, the number you want to assign to the partition)
  • w (write and exit)

Format the USB DRIVE

Now that there is a partition on the USB DRIVE, we have to format the partition with a filesystem.

  • mkfs.ext3 -L BackupDrive1 /dev/sdd1


  • ext3 is the filesystem itself (explaining filesystems is beyond this article).
  • -L option is to label the USB DRIVE

Mount the USB DRIVE

To mount the USB DRIVE, issue a:

  • mount /dev/sdd1 /media/BackupDrive1/

Reliably mount multiple disks in the one location

In case you want to use a rotating set of disk drives for backups, you may want to mount different USB DRIVES in the same location. Of course, make sure you don't plug both in at the same time.

Edit the /etc/fstab. Add the lines by typing:

  • LABEL=BackupDrive1      /media/BackupDrive1     ext3    defaults
  • LABEL=BackupDrive2      /media/BackupDrive1     ext3    defaults

Set The Label On The Partition

This will set the label on the partition:

  • e2label /dev/sdd1 MyLabel

Check The Label On The Partition

This will check the label on the partition:

  • e2label /dev/sdd1

Unmount the USB DRIVE

If you need to unmount the USB DRIVE, it's like this:

  • umount /media/BackupDrive1/

How to Keep the USB DRIVE From Falling Asleep

I won't go into too much detail here but sometimes the USB DRIVE is going to fall asleep because of the USB DRIVE CADDY that it is in. The easiest way for me to fix it was to mount it around 5 minutes before the backup is scheduled to start.

  • mkdir -p /etc/e-smith/templates-custom/etc/crontab
  • vi /etc/e-smith/templates-custom/etc/crontab/26usb-drive

# Keep the USB drive from going into standby.
#5 * * * * /bin/touch /dev/sdc &>/dev/null
50 21 * * * root mount /dev/sdc1 /media/BackupDrive1/
55 21 * * * root umount /media/BackupDrive1/

How to Selectively Restore From DAR Backup

Here's how to selectively restore from a DAR backup:

dar -x /media/BackupDrive1/server.domain.local/set2/full-201408092200 -N -R / -w -g home/e-smith/files/ibays/share_data/files

You will also have to restore all the incrementals:

dar -x /media/BackupDrive1/server.domain.local/set2/inc-001-201408102200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-002-201408112200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-003-201408122200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-004-201408132200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files

How to Manually Start a Backup

Here's how to manually start a backup routine:

  • /sbin/e-smith/do_backupwk

How to Set the Backup Sets

Backup Sets are an entire week; a full backup on Friday plus the remaining 6 days (SAT, SUN, MON, TUE, WED, THU). This data can be large. Currently, on one server, I have 600GB of data for the entire backup set.

A USB backup drive needs to be large enough for the number of full sets you want (how far back in history do you want to go) + 1. In other words, N + 1.

As an example, if you have a 2TB drive, you can only go back 2 sets.

Why? Well, if you have 3 sets that is a total of 1.8TB (600GB x 3), which is the desired result. The problem becomes that the next backup cannot run, because it collects the new backup first and only then deletes the oldest set. The next backup can only get to about 200GB and then it will error out. I learned this the hard way.

Setting the backup sets to 2 will result in 1.2TB. The next backup set will finish for a total of 1.8TB and then delete the oldest set for a total of 1.2TB again.

Cisco Port Security

I had to get port-security running on a Cisco Catalyst 2960-S:

Show the port information on a Cisco 2960-S

  • -click START > RUN > CMD
  • -type: telnet
  • -type: o 111.222.333.444 (that's the letter o as in lmnop, followed by the ip address of the switch)
  • -type in the password
  • -type: show interfaces (this will give the long version).
  • -type: show interfaces summary (this will give the traffic summary version).
  • -type: show interface description
  • -type: show ip interface (this will give the ports up/down status).
  • -type: show ip interface brief (this will give the ports up/down status at a glance).
  • -type: show interface status (this will give the ports vlan, duplex and speed).
  • -type: show interface status err-disabled (this will give a quick report of the ports in err-disabled mode).
  • -type: show power inline (this will give the port power status).
  • -type: show version (for overall switch info and uptime).

NOTE: 2960-S platform has a 100mbp/s management port identified as fastethernet0.

Show the Port Security on a Cisco 2960-S

  • -type: enable
  • -type: the-sudo-password
  • -type: show port-security (this will give the ports with the security violations).
  • -type: show port-security interface Gi 0/1 (this will give the individual port status as per port security).
  • -type: show port-security address (this will give the port security memorization table).

Configure the Port Security on a Cisco 2960-S

  • -type: config terminal
  • -type: interface Gi 0/19 (to configure that port).
  • -or type: interface range Gi 0/1 - 19 (to configure a range of ports).
  • -type: switchport port-security (to enable port security)
  • -type: switchport port-security maximum 1 (allows only 1 mac address to be assigned to the port).
  • -type: switchport port-security violation shutdown (shuts the port down if there's a violation; bringing it back requires manual intervention).
  • -type: switchport port-security mac-address sticky (collects the mac address and memorizes it).
  • -type: switchport port-security aging time 0 (set the aging time to 0)
  • -type: switchport port-security aging type absolute (set the mac address type to the only mac address allowed).

Manually Enable the Port after a Violation on Port Security

  • -while still in config mode.
  • -type: shutdown (this shuts the port down).
  • -type: no shutdown (this brings the port back up).

When a security violation happens, the port is shutdown and will not work. It requires manual intervention to make certain there is no malicious activity happening. The commands above will bring the port back up working with the original MAC address.

Clear out the Sticky Mac Address to Allow Another Computer/Device

  • -login to switch.
  • -type: enable
  • -type: config terminal
  • -type: interface G 0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19
  • -type: no switchport port-security mac-address sticky
  • -type: switchport port-security mac-address sticky
  • -type: no shutdown

This will clear out the mac-address that is remembered and bring the port back up so that it will work with another NEW-MAC address.

However, if the mac-address is still in the address-table, you will not be able to use this mac-address on another port. The mac-address has to be cleared from the original-port it is attached to.

First, find out if the mac-address is attached to a port and make note of the port.

  • -type: show port-security address

Now, shut down the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: shut

Now, clear out the mac-address from the original port:

  • -type: config t
  • -type: int gi0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19
  • -type: no shut

Now, verify the mac-address is gone:

  • -type: do show port-security address
  • -type: end

Finally, bring back up the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: no shut

You can see if a port is in violation by:

  • -type: show int status

To recover any port that is in violation:

  • -type: config t
  • -type: errdisable recovery cause psecure-violation

But then you have to wait the Timer-Interval-Seconds before the port is available again.

To see the timeout:

  • -type: show errdisable recovery

You might want to see if any mac-address is in the table:

  • -type: show mac address-table

Disable Port Security

  • -while in config mode & while in an interface or range of interfaces
  • -type: no switchport port-security

End the Config Session

  • -type: end

To Tail the Logs

  • -type: terminal monitor
  • -type: terminal no monitor

Save the Changes

  • -type: write memory
  • -or type: copy running-config startup-config


Robocopy

A plain Windows copy can't keep everything correct by default. As a note for myself, I'm shamelessly copying this from somewhere on the internet:

robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log

A real-world example is copying the BACKUP-DRIVE to an EXTERNAL-DRIVE but only files for the last 90 days:

robocopy z:\ t:\ /MIR /Z /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /MAXAGE:90 /LOG:Robocopy.log

Here's what the switches mean:

  • source :: Source Directory (drive:\path or \\server\share\path).
  • destination :: Destination Dir  (drive:\path or \\server\share\path).
  • /E :: copy subdirectories, including Empty ones.
  • /ZB :: use restartable mode; if access denied use Backup mode.
  • /DCOPY:T :: COPY Directory Timestamps.
  • /COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).  Copies the Data, Attributes, Timestamps, Owner, Permissions and Auditing info
  • /R:n :: number of Retries on failed copies: default is 1 million but I set this to only retry once.
  • /W:n :: Wait time between retries: default is 30 seconds but I set this to 1 second.
  • /V :: produce Verbose output, showing skipped files.
  • /TEE :: output to console window, as well as the log file.
  • /LOG:file :: output status to LOG file (overwrite existing log).

The above will copy the directory. You will have to manually re-setup the share.

This is why the best practice is to use full permission for everyone on the share, and limit the permission using NTFS permissions. And wait till everyone leaves the office.

NOTE: Robocopy can be cantankerous. If you get error message, "access is denied" or "This security ID may not be assigned as the owner of this object" then try it this way.

-first, map a drive: net use k: \\server\share-name /user:pc-name\username password-here

-second, use robocopy with /COPY:DAT instead of /COPYALL. Like this: robocopy E: K:\share-name /E /ZB /DCOPY:T /copy:DAT /R:1 /W:1 /V /TEE /MT:12 /LOG:Robocopy.log

Find the Size of the current directory

I can never remember how to find the size of the current directory in linux. Here it is:

du --max-depth=1

And to make it human readable and sorted by size (sort -h understands the K/M/G suffixes; a plain sort -n would order by the bare number and put 2G ahead of 500M):

du -h --max-depth=1 | sort -h

BCD Replaces Boot.ini

Twice this week I've been bitten by the BCD or BOOT CONFIGURATION DATA.

BCD replaces the BOOT.INI file in older systems such as XP. BCD is found in WINDOWS VISTA and newer systems. The BCD is an OPERATING SYSTEM FILE and will be hidden unless the options are set to view those files:

  • -open any EXPLORER window.
  • -click the VIEW tab (at the top).
  • -click OK.

Previously, there was a boot.ini file. To edit the boot.ini file, simply edit the file with a text editor. Now to edit the BCD, you must use BCDEdit.exe.

The overall problem becomes that the BCD is unreliable (hence the name Microsoft). It causes issues like:

"the trust relationship between this workstation and the primary domain failed" in WINDOWS 7
(bcdedit /store S:\Boot\BCD /set {default} bootstatuspolicy ignoreallfailures)


"inaccessible boot device" WINDOWS 8.1
(Bcdedit /store S:\BOOT\BCD /set {default} truncatememory 4294967296)
(T:\windows\system32\bcdedit /store S:\boot\bcd /set {default} truncatememory 4294967296)

Both require edits to the BCD. But how do you edit the BCD when the system isn't accessible?


How to Edit the BCD

The BCD is actually a file in a small hidden directory. If you connect the external drive to a working system and assign the letter S to the drive, the file location is:

S:\Boot\BCD

Please note that this is NOT the WINDOWS OS partition. This is a small NTFS partition (100MB for WINDOWS 7 & 300MB for WINDOWS 8) before the the WINDOWS OS partition. This partition is marked as ACTIVE and will therefore be chosen as the partition to boot from.

This is really confusing because there is a T:\Boot\BCD as well.

True to MS standard, they put out way too much unnecessary jargon here: http://technet.microsoft.com/en-us/library/cc721886%28WS.10%29.aspx#BKMK_bcdedit

  • -connect the harddisk with the corrupt BCD into another computer that is running Windows.
  • -mount the defective partition on a drive (in my case S:\)
  • -in the partition the file S:\Boot\BCD is the one that needs to be repaired.
  • -open a command prompt (Cmd.exe) (as administrator)
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum
  • -you are viewing the BCD.
  • -to view everything in the BCD...
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum all


How to Edit Some of the BCD Settings:

The BCD will have a BOOT-MANAGER called BOOTMGR. This is a boot manager for the entire disk. You can think of it as GRUB, LILO, GRUB4DOS, etc. or any other bootloader. It can be used to redirect the boot to the MAIN WINDOWS OS but it can also boot other OS's as well. Most people won't get this far. They just want their MAIN WINDOWS OS to boot correctly.

After the BOOTMGR section, comes all the WINDOWS OS sections. Typically, the main section will be called DEFAULT and it will show as {default}.
(NOTE: don't let the curly brackets scare you).

For example, if you wanted to change the BOOTMGR device and the DEFAULT device, here's how.
(Please do not type this in... This is just an example.)

T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {bootmgr} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} osdevice boot

This will change the settings for those key values.

You can also use an awesome handy tool called VISUAL BCD EDITOR located at: http://www.boyans.net


Fix the BCD

If you would like to rebuild the BCD, here's how:

  1. Put the Windows Vista or Windows 7 or Windows 8 media in the DVD drive / usb, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, a keyboard, or an input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe, and then press Enter.

That will automatically try and fix the BCD if it's broken.


Rebuild the BCD

Same as fixing the BCD above but using switches at the end.

Bootrec.exe /FixMbr
Bootrec.exe /FixBoot
Bootrec.exe /ScanOs
Bootrec.exe /RebuildBcd


WINDOWS 8.1 Considerations

WINDOWS 8.1 installs a hidden 300MB NTFS partition.

If WINDOWS is loaded, some may investigate and fiddle around with a BCD on the main partition in the C DRIVE, not realizing that the BCD actually being loaded lives in another hidden partition that exists just for that purpose.

If you boot from a CD/USB, the BCD PARTITION will be the C DRIVE and the WINDOWS OS PARTITION will be the D DRIVE.


BCDEDIT Says zero Total Identified Windows installations

If you get as far as: Bootrec.exe /ScanOs

And it says:

"zero Total Identified Windows installations: 0"

Then you may have to rebuild the BCD. Be sure to backup the original BCD first.

  • boot from a WINDOWS VISTA/7/8 media as above.
  • cd c:\boot (note that this is not the normal C DRIVE. If you boot from a WINDOWS 7 or WINDOWS 8 install disk, the disk will see all the partitions and LETTER them accordingly. The C DRIVE will be the BCD partition and the D DRIVE will be the WINDOWS partition.)
  • bcdedit /export c:\bcdbackup
  • attrib c:\boot\bcd -h -r -s
  • ren c:\boot\bcd bcd.old
  • bootrec /rebuildbcd
  • type: Y
  • press: ENTER

You should get some kind of awesome message to let you know that it is rebuilt correctly.

Set VPN Idle Timeout on Windows Server 2012

  • (a new window opens)
  • -right-click REMOTE ACCESS LOGGING (on the left-hand side).
  • -click LAUNCH NPS.
  • (a new window opens)
  • -click NETWORK POLICIES (on the left-hand side).
  • -right-click "Connections to Microsoft Routing and Remote Access server"
  • -click PROPERTIES.
  • -click CONSTRAINTS tab (at the top).
  • -click IDLE TIMEOUT (on the left-hand side).

The IDLE TIMEOUT settings can be configured here.

GnuWin32 Where Have You Been All My Life?

As they say, necessity is the mother of invention. I always wanted to use *nix commands on the Windows platform before but never really needed it until I was forced to deal with a Windows Server on a daily basis.

My disgust for some of the ways Windows operates should be apparent by now but if not, let me tell you; I'm disgusted. I could have learned commands in the 1970's that are still in practice today. Or if I traveled with Windows, I would have to learn over and over again.

GnuWin32 is an application package suite that allows you to use *nix commands on Windows.

This should get all your familiar *nix commands in the COMMAND SHELL.

Group Policy, Organization Units, Server 2012

In my mind, it's very simple. You have USERS and you have GROUPS (anything that is more than 1 user). If I need to do something, I should create a rule and apply it to the group.

In Microsoft Server 2012, it doesn't exactly work that way. It, in true fashion, has to be as difficult as humanly possible.

To look at the default structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -a DOMAIN TREE shows.
  • (It has USERS, COMPUTERS but it doesn't have GROUPS. GROUPS are erroneously mixed in with USERS)

To add a GROUP.

  • -click USERS.
  • -right-click USERS.
  • -click NEW > GROUP
  • -type in the GROUP-NAME.

To add USERS to GROUP.

  • -double-click GROUP NAME.
  • -click MEMBERS tab (at the top).
  • -click ADD.
  • -type in the NAMES you want to add.

Since I'm a big fan of GROUPS, I want to apply a login script just for a certain GROUP.

To look at the default Group Policy structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • (It has "GROUP POLICY OBJECTS". All your GPO's are here.)

Active Directory Hierarchy And The Way You See It Taught

Now what's interesting is that this doesn't match the USERS & COMPUTERS. There is no GROUPS section. Why? Because this is based off of LDAP. Why is that important? Because LDAP is hierarchical (and not relational). This means that one child can only have one parent. (But one parent can have many children. [Don't ask.]) So instead of GROUPS, they use ORGANIZATIONAL-UNITS. This hierarchical structure means that a USER cannot be a member of 2 different GROUPS in an ACTIVE DIRECTORY ORGANIZATIONAL UNIT (or AD and OU). The end result is that a USER-object can only be placed in one OU.

This is why there are so many articles and videos about structuring your AD and OU's correctly. Because it doesn't make sense to rational thinking and someone has to explain it in detail just to get it working. And even then, they have trouble getting it working smoothly. Most of the advice demonstrates that you should create OU's and then put both the computer-objects and the user-objects inside of that OU. The GROUP-POLICY is then applied to the OU and consequently it will be applied to the USER and/or COMPUTER.

Of course it will. The GP is attaching to the individual USER or COMPUTER.

Active Directory And The Way It Should Be Enterprise

In short, this may work well for the ENTERPRISE (a company with more than 300 users). Traditionally you should create OU's along geographic boundaries and then put both the computer-objects and the user-objects inside of that OU. It would look something like this:


The GROUP-POLICY is then applied to an OU and consequently it will be applied to the USER and/or COMPUTER.

Active Directory And The Way It Should Be Small Business

But what about everyone else? It doesn't work well for the small to medium enterprise (as defined by MS: a company with fewer than 300 users). For this segment, it's faulty thinking. I don't have a bunch of offices across the globe. I don't have multiple floors, levels and locations. If I follow the common advice, I no longer have a section called USERS that contains all my users. And I don't have a section called GROUPS that contains all my groups.

My mind doesn't work the way of the enterprise. I group people all the time and they can be in many groups at the same time. I can group my friend Jason as being the WORK GROUP, FRIEND GROUP and CHURCH GROUP. But again, you can't do this in AD.

What is nice about AD is that it is highly customizable. Consequently, you will see many (and I stress many) different ways to do this in articles, videos and in practice. Also due to this customization, I can create the way I want it, I just have to create it myself rather than this feature coming ready out-of-the-box.

All of that set aside, ultimately at the root-level of AD I want to have an OU called GROUPS. Under that GROUPS-OU, I locate all my SECURITY-GROUP objects (out of the USERS and into the GROUPS). These are common units like ACCOUNTING, PRODUCTION, HR, IT, MANAGEMENT, MARKETING, OPERATIONS, SALES, etc. Each SECURITY-GROUP has the members that are needed.

The result looks similar to:


This makes it easy on myself. Just keep it simple and create those SECURITY-GROUPS in the new GROUPS-OU, leave the computers in the COMPUTERS-OU and the users in the USERS-OU.

For clarity, if you click on USERS, there are only USER-OBJECTS in there. There are no GROUP-OBJECTS in there. All of the GROUPS have been moved to the appropriate place in the GROUPS-OU.

GROUP POLICY That Applies To Groups

Now the problem becomes the GROUP-POLICY.

Counter-intuitively, GROUP-POLICY-OBJECTS (GPO's) cannot be applied to GROUP-OBJECTS. GPO's can only be applied to USER-OBJECTS and COMPUTER-OBJECTS. Remember from above where many tutorials, classes, videos and articles say to put the objects in the OU? This is why they teach you to do it this way. If they don't put the OBJECTS in the OU, the GP doesn't work.

So how do I apply a GPO to a SECURITY-GROUP?

By creating a GPO on domain-level (not the OU level), editing the GPO and assigning the GPO to the GROUP through SECURITY-FILTERING.

To create a new GPO:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -right-click the domain-name (i.e. contoso.com).
  • -type in a NEW-NAME.
  • -click OK

Edit the GPO:

  • -right-click the GPO.
  • -click EDIT.
  • -make all your changes in here. Don't worry about anything else at this point.

Assign GPO to the GROUP:

  • -click the GPO.
  • -you should be on the SCOPE tab (at the top).
  • -click ADD (at the bottom).
  • -type in the name of the GROUP.
  • -click OK.
  • -click DELEGATION tab (at the top).
  • -click ADVANCED button (at the bottom right).
  • (a new window pops up).
  • -click AUTHENTICATED USERS (at the top section).
  • -find APPLY GROUP POLICY (at the bottom section).
  • -uncheck the ALLOW.
  • -find READ (at the bottom section).
  • -checkmark ALLOW (this should already be done but just to verify).
  • (This is not a typo. This allows all users to READ the GPO but doesn't assign it to them.)

Run The GPO On The Client Computer

  • -click START > RUN
  • -type: CMD
  • -type: gpupdate /force
  • -type: gpresult /h new-report.html (or if you are savvy, type: gpresult /R) (or if you want to punish yourself, type: gpresult /Z).
  • -open new-report.html to view results


In summary, there is a USERS-&-GROUPS section in AD and there are OU's in GPO. They don't match. So we create our own GROUP-STRUCTURE in AD, create a GPO, link it to an OU and only give the AD GROUP access to the GPO through SECURITY-FILTERING.


-A good source of information is here: http://www.grouppolicy.biz
-And there are good videos on YouTube here: https://www.youtube.com/user/itfreetraining
-EVERYONE group does not include EVERYONE.
-AUTHENTICATED-USERS also includes DOMAIN-COMPUTERS. This is why it should not be entirely-removed from the GPO.
-On 06/22/16 a MS update breaks many GPO's but not the method above. Read the rest of the story here:
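The same end state as the GUI steps above (domain-linked GPO, filtered to one security group, Authenticated Users left with Read only), as an added PowerShell example that is not from the original post. It assumes the GroupPolicy RSAT module, Domain Admin rights, and the placeholder names contoso.com, "Accounting Login Script" and "Accounting".

```powershell
# Added example (not from the original post): create a domain-level GPO and
# security-filter it to one AD security group.
# Assumptions: GroupPolicy RSAT module installed, run as a Domain Admin;
# the domain, GPO and group names below are placeholders.
Import-Module GroupPolicy

$domain  = 'contoso.com'               # placeholder domain
$gpoName = 'Accounting Login Script'   # placeholder GPO name
$group   = 'Accounting'                # placeholder security group living in the GROUPS OU

# 1. Create the GPO and link it at the domain level (not at an OU).
#    'contoso.com' becomes the DN 'DC=contoso,DC=com'.
$domainDn = 'DC=' + ($domain -replace '\.', ',DC=')
New-GPO -Name $gpoName -Comment "Security-filtered to $group" | Out-Null
New-GPLink -Name $gpoName -Target $domainDn -LinkEnabled Yes | Out-Null

# 2. SECURITY-FILTERING: the group gets Apply Group Policy (which includes Read).
Set-GPPermission -Name $gpoName -TargetName $group -TargetType Group `
    -PermissionLevel GpoApply | Out-Null

# 3. Authenticated Users keep Read but lose Apply. -Replace swaps the default
#    Read+Apply entry for a Read-only one instead of adding a second entry.
#    Do not remove Authenticated Users entirely: it includes Domain Computers,
#    and the computer account must still be able to read the GPO.
Set-GPPermission -Name $gpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 4. Verify: the group should show GpoApply and Authenticated Users only GpoRead.
Get-GPPermission -Name $gpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission |
    Format-Table -AutoSize
```

On the client, gpupdate /force followed by gpresult /R should now list the GPO under Applied Group Policy Objects only for members of the group.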

AWS S3, GovCloud and DropBox

So let's say that you need to share files with outside vendors. Historically, this is done through an FTP site. The problem is that FTP is insecure, really insecure. So insecure that in 2014 (and for many years before) it shouldn't even exist (you can throw telnet into this category as well).

In more modern times, this is done through services like DropBox, Gdrive, OneDrive, etc; with DropBox seemingly leading the way.

The problem becomes that certain industries are not allowed to use DropBox, not because DropBox doesn't meet technological requirements but because DropBox doesn't meet regulations. One of these industries is Government.

In walks Amazon Web Services or AWS. AWS has a number of cloud based products. There's so many services, it's dizzying. I'd be lying if I said that I knew and understood them all.

Now take all of these services and boil them down to the top 12 absolutely necessary services. Now make sure that only US Persons are able to access these services. This is GovCloud.

One of the primary services of AWS & GovCloud is S3. S3 is a simple cloud storage.

Create a DIRECTORY for the S3 to live:

  • -login to AWS GOVCLOUD.
  • -click S3.
  • -click CREATE BUCKET.

Create an OUTSIDE USER to access the S3:

  • -login to the AWS GOVCLOUD
  • -type in the USERNAME.
  • -click CREATE (at the bottom right).
  • -record the ID & KEY (you will not have another chance to do this).
  • -click CLOSE > CLOSE.
  • -click on the USER-YOU-JUST-CREATED.
  • -scroll to bottom.
  • -click APPLY (at the bottom right).
  • -record the PASSWORD (you will not have another chance to do this).

The rest can be done through the AWS GOVCLOUD web site but it's actually easier to use CLOUDBERRY S3 EXPLORER PRO. It costs $30 at the time of writing but so what.

Assign USER to allow access to S3 bucket:

  • -click ACCESS MANAGER (at the top).
  • -click NEXT.
  • -checkmark the OUTSIDE-USER
  • -select NEXT.
  • -click NEXT.
  • -checkmark the S3 BUCKETS you want to allow access to.
  • -click NEXT.

It will show you the STATEMENT it is going to implement. This will work for AWS S3 but it won't work for GOVCLOUD. GOVCLOUD has a different RESOURCE NAME. I'll spare you the details.

  • -everywhere you see "aws", replace it with "aws-us-gov"
  • (This took me an entire day to discover).
  • -click NEXT > NEXT.
  • if it gives an error saying that a policy already exists... ignore it. We already know. We just created it.

Now you have 2 sets of credentials for the OUTSIDE USER. You have a USERNAME & PASSWORD they can type in for the web site. They also have an ID and KEY they can use for a program.
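The bucket-access STATEMENT from the steps above, as an added PowerShell example (not from the original post or CloudBerry) that takes the ARN partition as a parameter, so the "aws" versus "aws-us-gov" difference is explicit instead of a search-and-replace. It assumes the AWS.Tools.IdentityManagement module with a GovCloud profile configured, and the placeholder names "vendor-share" (bucket) and "vendor-user" (the OUTSIDE USER).

```powershell
# Added example (not from the original post): build the least-privilege S3 policy
# for the OUTSIDE USER with the ARN partition as a parameter.
# Assumptions: AWS.Tools.IdentityManagement installed, GovCloud credentials
# configured; 'vendor-share' and 'vendor-user' are placeholders.
function New-BucketAccessPolicyDocument {
    param(
        [Parameter(Mandatory)] [string] $BucketName,
        # Commercial AWS uses 'aws'; GovCloud uses 'aws-us-gov'.
        [ValidateSet('aws', 'aws-us-gov')] [string] $Partition = 'aws-us-gov'
    )
    $bucketArn = "arn:${Partition}:s3:::$BucketName"
    $policy = @{
        Version   = '2012-10-17'
        Statement = @(
            @{  # listing the bucket needs the bucket ARN itself
                Effect   = 'Allow'
                Action   = @('s3:ListBucket', 's3:GetBucketLocation')
                Resource = $bucketArn
            },
            @{  # object operations need the "/*" form of the ARN
                Effect   = 'Allow'
                Action   = @('s3:GetObject', 's3:PutObject', 's3:DeleteObject')
                Resource = "$bucketArn/*"
            }
        )
    }
    # -Depth matters: the default depth would flatten the nested Statement array.
    return ($policy | ConvertTo-Json -Depth 5)
}

$doc = New-BucketAccessPolicyDocument -BucketName 'vendor-share' -Partition 'aws-us-gov'
$doc   # resources read arn:aws-us-gov:s3:::vendor-share and arn:aws-us-gov:s3:::vendor-share/*

# Guard against the mistake described above: a commercial-partition ARN in GovCloud
# is silently wrong, so refuse to continue if one slipped in.
if ($doc -match 'arn:aws:') { throw 'Policy still contains a commercial-partition ARN' }

# Create the policy and attach it to the outside user. GovCloud IAM is served
# from the us-gov-west-1 region.
$created = New-IAMPolicy -PolicyName 'vendor-share-access' -PolicyDocument $doc -Region us-gov-west-1
Register-IAMUserPolicy -UserName 'vendor-user' -PolicyArn $created.Arn -Region us-gov-west-1
```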

Find DRAC IP Address

So you have a DRAC or DELL REMOTE ACCESS CONTROLLER. It is their proprietary version of IPMI. You can configure the DRAC via IP ADDRESS.

But how do you find the IP ADDRESS of the DRAC?


-install OPENMANAGE.

(as of print is: http://en.community.dell.com/techcenter/systems-management/w/wiki/1760.openmanage-server-administrator-omsa.aspx#Documentation_OMSA)

-click START > RUN

-type: cmd

-type: racadm getniccfg

(this gets the IP ADDRESS. By default it is usually:


-type: racadm setniccfg -s ipAddress gatewayAddress subnetMask


-click START > RUN



Quickbooks 2014 H202 Error


Quickbooks 2014 H202 error. Quickbooks is set up in the traditional style. The Quickbooks Server is installed on Windows Server 2012 x64. Quickbooks is set up on the Windows 7 x64 client PC's.

The FILE SHARE is mapped to Q DRIVE but QUICKBOOKS is trying to access the file via \\ip-address-here\qb-file-name-here


The client PC's can see the FILE SHARE, but trying to access the Quickbooks file gets the dreaded H202 error. This basically means, "something's wrong."


The FILE SHARE is locked down to the ACCOUNTING group. The Quickbooks QuickBooksDB24 Service is starting with a new user called Quickbooks-something-I-can't-remember.


  • -add the QBUSER to the group that has access to the FILE SHARE.


  • -click START > RUN
  • -type: services.msc
  • -double-click: QuickBooksDB24
  • -a new window opens.
  • -click LOGON (at the top).
  • -bullet THIS ACCOUNT.
  • -type in a USERNAME & PASSWORD of a USER in the group that has access to the FILE SHARE.
  • -restart the QUICKBOOKSDB24 service.

That should do it.

Polycom Administrator Manual


This is what I need. Read and digest.

I'm having a hard time with this. There is simply too much info that doesn't compute along with too much outdated info.

Apparently, you can configure the phones individually but also via config files from the server. That's what I want to do but I can't figure it out.


UPDATE 02/01/18

While it is certain that information is spread throughout the internet, I was finally able to piece together something that makes sense for me. Please see Upgrading Polycom Phones Across Entire Location.

Find Devices in Linux

To find devices in Centos/RHEL, you can issue a:

cat /proc/partitions

Or you can issue a:

fdisk -l

Either will do. The fdisk gives a little more info.

If you need to get the info for a USB device, try:


DDWRT Guest Network

[UPDATE: This process isn't worth it anymore. For low-end projects, just buy an Asus router (it doubles as an access-point). For mid-sized projects, buy Ubiquiti. For high-end projects, buy Watchguard. Boom. Done. Easy.]

The goal is to have one wireless unit providing both the OFFICE WIFI and the GUEST WIFI. This wireless unit is an access point already running the OFFICE WIFI. It is not a router/gateway/firewall. A SonicWall is the router/gateway/firewall.

So how do we have a wireless GUEST WIFI as well as a regular OFFICE WIFI?


  • -find VIRTUAL INTERFACES (at the bottom).
  • -click ADD.
  • -give your guest wifi network a name.
  • -select ENABLE for AP ISOLATION.
  • -click SAVE > APPLY.


  • -click WIRELESS SECURITY (at the top).
  • -select a mode (I chose WPA2 PERSONAL).
  • -select an algorithm (I chose TKIP + AES).
  • -type a password.
  • -click SAVE.


  • -click SETUP > NETWORKING (at the top).
  • -find BRIDGING SECTION (should be the 2nd from the top).
  • -click ADD.
  • -type: br1 (in the first box).
  • -click SAVE (at the bottom).
  • -new options will show under the bridge.
  • -type in an IP ADDRESS & SUBNET MASK (I typed in &
  • The idea here is that it must be a separate network from the main network. Since most small networks are or, using is fine.
  • -click SAVE > APPLY.


  • -go to the BRIDGING SECTION again.
  • -click ADD.
  • -select BR1.
  • -select WL0.1
  • -click SAVE > APPLY.


The DHCP service must be running to add a secondary DHCP service.

  • -click SETUP > BASIC SETUP (at the top).
  • -find the DHCP section.
  • -select DHCP SERVER.
  • -verify the appropriate network information.
  • -checkmark USE DNSMASQ FOR DHCP.
  • -checkmark USE DNSMASQ FOR DNS.
  • -checkmark DHCP-AUTHORITATIVE.
  • -click SAVE (at the bottom).
  • -click SETUP > NETWORKING (at the top).
  • -find the DHCPD section (at the bottom).
  • -click ADD.
  • -select BR1.
  • -select ON.
  • -click SAVE > APPLY SETTINGS (at the bottom).


  • -click SERVICES (at the top).
  • -find the DNSMASQ section.
  • -select ENABLE for DNSMASQ.
  • -select ENABLE for LOCAL DNS.
  • -select ENABLE for NO DNS REBIND.
  • -type the following in the Additional DNSMasq Options:


This should be fairly straightforward. We are setting the options for 2 sets of DHCP. Each set customizes the GATEWAY, DHCP RANGE and DNS for each DHCP set. You will have to customize this to fit your own needs.

This is different than most instructions you will see. This is because this is an ACCESS POINT and not a GATEWAY/ROUTER/FIREWALL. Without these options the AP will automatically try to become the DNS & the GATEWAY for both sets of DHCP ranges. That obviously won't do since we have other devices performing those functions. More importantly, I do not want the guest network to have the same DNS settings as the regular network. The settings above allow us to customize them to our needs.


  • -click ADMINISTRATION > COMMANDS (at the top).
  • -find the COMMAND SHELL box.
  • -type the following:

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

  • -click SAVE FIREWALL (at the bottom).

This isn't straightforward at all. Basically, the first 5 commands allow internet access to flow. The last 4 commands block the GUEST WIFI from accessing the OFFICE WIFI.

That should do it! Save and Restart the unit to make sure that it survives a reboot. There are 2 separate networks, the OFFICE WIFI and the GUEST WIFI. The GUEST WIFI can access the internet but cannot access the office network. That includes any shares, printers or any other computers on the office network.

Show Last Logon

Let's say that you had a requirement to show the last time you logged onto the computer system, including any failed attempts.

To be clear, this message shows after anyone logs into the computer and before the DESKTOP shows.

  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.

Add a Login Message in Windows Server 2012

Let's say that you had a requirement to show a login message before someone logged into the computer. Maybe something like, "Hi, system usage is monitored, recorded, and subject to audit. By using the system, you grant consent to such monitoring and recording. Unauthorized use is prohibited and subject to criminal and civil penalties."

To be clear, this message shows before anyone logs into the computer and before the LOGIN BOX shows.

  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.
  • edit the text.
  • edit the text.

(NOTE: Both have to be set or else it doesn't show.)
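Both settings from the two posts above (the last-logon display and the pre-logon message), set in the Default Domain Policy from PowerShell as an added example that is not from the original post. It assumes the GroupPolicy RSAT module and Domain Admin rights; the banner wording is taken from the example above and the title is a placeholder.

```powershell
# Added example (not from the original post): configure the pre-logon banner and
# the last-logon display in the Default Domain Policy via the GroupPolicy module.
# Assumptions: GroupPolicy RSAT module available, run as a Domain Admin.
Import-Module GroupPolicy

$gpo = 'Default Domain Policy'
$key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'

# "Interactive logon: Message title/text for users attempting to log on".
# These are the two halves behind the NOTE above: both must be set or nothing shows.
$title = 'Authorized Use Only'   # placeholder title
$text  = 'Hi, system usage is monitored, recorded, and subject to audit. ' +
         'By using the system, you grant consent to such monitoring and recording. ' +
         'Unauthorized use is prohibited and subject to criminal and civil penalties.'

Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'legalnoticecaption' `
    -Type String -Value $title | Out-Null
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'legalnoticetext' `
    -Type String -Value $text | Out-Null

# "Display information about previous logons during user logon": shows the last
# successful and failed logon after sign-in, before the DESKTOP appears.
# DWORD 1 = enabled (needs a Windows Server 2008 or later domain functional level).
Set-GPRegistryValue -Name $gpo -Key $key -ValueName 'DisplayLastLogonInfo' `
    -Type DWord -Value 1 | Out-Null

# Verify all three values landed in the GPO before running gpupdate on a client.
Get-GPRegistryValue -Name $gpo -Key $key |
    Where-Object { $_.ValueName -in 'legalnoticecaption', 'legalnoticetext', 'DisplayLastLogonInfo' } |
    Format-Table ValueName, Type, Value -AutoSize
```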

Windows Server 2012 Backup System State

I like to manually backup the SERVER STATE before I make any changes:

Add A Disclaimer to Exchange 2013

The best guide I've witnessed on this occasion is here:


I'm posting for my own reference.


The only other item I would like to add is that there should be an EXCEPTION:

-paste the disclaimer in the box (don't worry if the whole disclaimer doesn't fit).
-click the + (the plus sign).
-click SAVE.

-the disclaimer will be placed directly at the end of the email.
-the disclaimer will only show at the very bottom of the email; underneath any forwards or replies that may be in the email.
-the disclaimer will only show once and will not repeat if the disclaimer already exists. This means it will not repeat on forwarded emails and reply emails.
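The same append-once behaviour as an Exchange 2013 transport rule created in the Exchange Management Shell, as an added example that is not from the original post or the linked guide. It assumes the EXCEPTION is "body already contains the disclaimer", keyed on a phrase from the disclaimer itself, which is what stops it from repeating on replies and forwards; the disclaimer wording and rule name are placeholders.

```powershell
# Added example (not from the original post): an outbound disclaimer rule that
# appends once and skips mail that already carries it.
# Assumption: the exception is keyed on a phrase that only the disclaimer contains.
$marker = 'intended only for the named recipient'   # phrase unique to the disclaimer

# Placeholder HTML disclaimer; it must contain $marker for the exception to work.
$html = @"
<p style="font-size:9pt;color:#555555;">
This message and any attachments are confidential and $marker.
If you received it in error, please notify the sender and delete it.
</p>
"@

$rule = @{
    Name                               = 'Outbound Disclaimer'
    SentToScope                        = 'NotInOrganization'   # external recipients only
    ApplyHtmlDisclaimerLocation        = 'Append'              # very end of the mail, below any replies/forwards
    ApplyHtmlDisclaimerText            = $html
    ApplyHtmlDisclaimerFallbackAction  = 'Wrap'                # if it cannot be appended, wrap the original
    ExceptIfSubjectOrBodyContainsWords = $marker               # already disclaimed once: do not add it again
    Comments                           = 'Appends once; exception prevents repeats on replies and forwards'
}
New-TransportRule @rule

# Confirm the rule and its exception exist.
Get-TransportRule -Identity 'Outbound Disclaimer' |
    Format-List Name, SentToScope, ApplyHtmlDisclaimerLocation, ExceptIfSubjectOrBodyContainsWords
```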

Polycom Phone Sets Digitmap

Are you experiencing different results when you dial directly from the Polycom phone set than if you pick up the Polycom phone set and dial?

For example, to make a call:
-walk to the phone.
-dial 540-552-0497 (automated weather service number).
-hit DIAL.
-the call goes through on speaker phone.

Now, try this:
-walk to the phone.
-pick up the hand set (you hear a dial tone).
-dial 540-552-0497 (automated weather service number).
-nothing... (or possibly, "I am sorry, that is not a valid extension").

As referenced in the last post, a DIAL PLAN is a set of numbers that is used to dial out. What's interesting with the Fonality/Polycom solution is that the DIAL PLAN on the SERVER doesn't apply to the POLYCOM PHONE SETS directly. So what's happening here is when you simply dial the number and hit DIAL, you are using the SERVER DIAL PLAN.

When you pick up the phone set and dial the number, you are using the POLYCOM PHONE SET DIGITMAP (notice the difference between the DIAL PLAN & DIGITMAP).

What's even more interesting is that the two sets don't correspond. You can't simply take the SERVER DIAL PLAN and copy it to the POLYCOM PHONE SET DIGITMAP and expect it to work. Trust me. I've tried. We have to translate them.

So here are the SERVER DIAL PLANS again:

9 + nxxnxxxxxx
9 + 411
9 + 611
9 + 0
9 + nxxxxxxx
9 + 1nxxnxxxxxx
9 + 011.
9 + 11

To start fresh, I've wiped out the POLYCOM PHONE SET DIGITMAP.

The letter "n" is any single number other than 1 or 0. The problem is that "n" doesn't exist on the DIGITMAP. You have to use [2-9].

The letter "x" is any single number. "x" does exist on the DIGITMAP.

So here is my on-the-fly-translation:

-covered by rule 2
0 (telco operator)
-covered by rule 2

Additional DIGITMAP rules are as follows:

0T (allows for local operator)
[7]xxx (allows for local extension)

The complete final DIGITMAP looks like this:

Port Mapping on SonicWall

Let's say I want to access a server on port 5901 in the internal network but from the outside network, I want to connect to port 5900.

So it may look like this: 5900 => 5901

STEP 1: Create new custom service.

Create new service: RedirectExtPort on TCP 5901.

STEP 2: Add firewall-access-rule.

Firewall -> Access Rules


Service: RedirectExtPort
Source: Any
Destination: WAN IP

STEP 3: Add NAT Policy

go to Network -> NAT Policies

New Policy:

Original Source: Any
Translated Source: Original
Original Destination: WAN IP
Translated Destination: InternalServerIP
Original Service: RedirectExtPort
Translated Service: RDP5900
Inbound Interface: WAN Port
Outbound Interface: Any

10 Steps In Setting Up a Fonality Server

Recently, I had the privilege to be involved in a new fiber line install from LEVEL3. The fiber line service was also ordered with a SIP service. This is new to me so I'll explain slowly in terms I can understand.

A SIP service is basically telephone service via internet only (no copper lines). Sometimes, this is called a SIP TRUNK or a VOIP TRUNK. Basically, it's the main connection with a USERNAME & a PASSWORD that they provide along with an OUTSIDE IP ADDRESS. To be clear, the only connection we have to the outside world is one internet connection, the fiber line. In this particular case, the connection's capacity is 10 Mbps.

Sitting in a physical brown box was a Fonality phone server. I have no idea who Fonality is or the extent of their service. I pulled it out of the box and racked it in the four post rack.

From here, I have no idea what to do. I have no idea how the Fonality server connects to anything. I have no idea where the phone numbers are coming from.

Here is the process I went through.

1-collect the phone numbers or the phone number block or the list of phone numbers that are assigned to the company. This block is coming from the company that is providing the SIP service. Call the company and get them.

2-collect the MAC ADDRESSES of the phone devices. The MAC ADDRESSES need to be collected and given to the crew at FONALITY. They will somehow associate the MAC ADDRESSES with the account. If the MAC ADDRESS is not associated with the account, the device cannot be used. I'm finding out more about this as I should be able to add devices myself. Currently, to my knowledge there is no way to add the sets by yourself. The Fonality support crew must do this for you.

3-connect the FONALITY server to the internet. It doesn't matter how. It just needs an internet connection. On mine, there were 2 nics on the back. NIC1 was the one that worked. To configure, I had to plug in a monitor, keyboard and mouse. Logging in with:

USER: ip
PASS: ip

This gave me limited options and one was to change the IP address. If you can't set it manually, it should be set to get an IP ADDRESS via DHCP.

The magic of the FONALITY is that upon connecting to the internet, it will automatically make a VPN call back to the FONALITY HQ SERVERS. The FONALITY HQ has a WEB ADMIN CONTROL PANEL (https://cp.fonality.com/) that configures (with pulls and pushes) to the local PHYSICAL FONALITY SERVER via the VPN. Pretty cool.

4-connect to the WEB ADMIN CONTROL PANEL at https://cp.fonality.com/. FONALITY should give you a USERNAME & PASSWORD. I received one with a WELCOME LETTER in the box but it didn't work. I had to contact support to get the USER/PASS reset.

5-setup USERS/EXTENSIONS. Upon logging into the CP, you have to setup the USERS. This comes down to FIRST NAME, LAST NAME & EXTENSION NUMBER. The EXTENSION NUMBER can be any 4 digit extension but it cannot be changed later on. If you want to change the extension, the extension has to be deleted and recreated. At the bottom of the page, add the DEVICE to the EXTENSION.

6-setup the SIP account. Again, the SIP account is just a USER/PASS along with an OUTSIDE IP ADDRESS. Click OPTIONS > VOIP. Type in those 3 pieces of information and click ADD VOIP ACCOUNT.

7-setup DIAL PLAN. A DIAL PLAN is how the phones will be used to dial out for items such as local phone calls, long distance phone calls and international phone calls. Such as dial 9 to get an outside line. Click OPTIONS > DIAL PLAN. Here are the dial plans I setup:

9 + nxxnxxxxxx local call
9 + 411 Information local call
9 + 611 Phone Trouble local call
9 + 0 local call
9 + nxxxxxxx Standard local call local call
9 + 1nxxnxxxxxx long distance
9 + 011. International international
9 + 11 emergency

8-setup SONICWALL or other firewall. The Fonality server is going to require certain ports open on the firewall to work correctly. On a simple firewall, direct the following ports to the internal ip address:

  • icmp:0
  • icmp:3
  • icmp:4
  • icmp:5
  • icmp:8
  • icmp:9
  • icmp:10
  • icmp:11
  • tcp:21
  • tcp:22
  • tcp:53
  • udp:53
  • tcp:80
  • udp:4569
  • udp:5060
  • udp:5061
  • udp:5070
  • udp:5222
  • tcp:5222
  • tcp:6600
  • tcp:8000
  • udp:9710

On a SONICWALL, the concept is the same but you have to create an ADDRESS OBJECT. Create the services, if they are not already there. Finally create the NAT POLICY. Typically, I use the WIZARD to set these up. At least with one service but then add the other services later on.

9-setup phone sets via IP ADDRESS. Amazingly to me, some of the settings need to be set up individually; phone set by phone set. This kind of ruined the whole point of central management but so be it. If the phone has an IP ADDRESS, type it in along with the USER/PASS. The important setup items here are LINE1 with the EXTENSION NUMBER. Also setup the NTP for the NETWORK TIME. Click GENERAL > TIME. The important part here is to setup the server name which is something like s123456.fonality.com.

10-last of all Fonality recommends setting an A RECORD in the DNS settings. The A RECORD is s123456.fonality.com and the IP ADDRESS is the INTERNAL IP ADDRESS of the server. This way when the phone sets request info they will be directed internally rather than externally. It saves a few milliseconds.
