daknetworks.com

Collecting Inventory

Collecting inventory is an increasingly difficult task to accomplish, especially with the new licensing process with Microsoft. But MATRIX42 helps: https://www.matrix42.com

Syn Flooding Machine

In my article FIND COMPUTER ON NETWORK THAT IS SENDING OUT SPAM WITH SONICWALL, I indicate that the logs show the following:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25  <blank>  <blank>
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted  <blank>  <blank>

This indicates that there is a SYN FLOODING MACHINE going at the rate of 1001 SYNs per second. Wow! That's a lot. You can also see above that the DESTINATION is port 25. You can tell by the colon twenty-five (:25) after the destination address.

But what's a SYN FLOODING MACHINE?

A SYN FLOODING MACHINE is a zombie machine participating in a DDOS attack. Uh-oh. Yup... Users. The weak point of all security systems.

A SYN FLOOD ATTACK directs packets to a listening TCP port on a victim server; typically a web server (port 80), an FTP server (port 21) or a mail server (port 25).

When a server receives a SYN packet it returns a SYN-ACK packet to the client to acknowledge it received the initial packet. More or less:

"Hi" the visitor said.

"How are you?" the host replied.

The problem is that the visitor never acknowledges with a "Just fine."

Until the visitor acknowledges the reply, the host server will keep that connection open until timeout. This is typically 75 seconds. Staring for 75 seconds.

If you've ever run a server before, you should know that the number of connections is finite. In QPSMTPD, this connection limit is set for an overall connection limit (default 40) {config setprop qpsmtpd Instances xx} and a limit per IP ADDRESS (default 5) {config setprop qpsmtpd InstancesPerIP xx}.

Once those connections are all used up, no more connections can be made.

So, in our logs above, our bad client machine on our network was sending about 1000 connections per second to the victim 66.236.42.7 which happens to be owned by XO COMMUNICATIONS and leased by the SAN DIEGO SOURCE EMAIL SERVER secondary connection, mx2.sddt.com (priority 20).

mx1.sddt.com (priority 10) & mx3.sddt.com (priority 30) were not affected.
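As an added illustration (not from the original post) of why the Instances and InstancesPerIP limits matter, here is a small Python model of the half-open connection table, fed a constructed 1001 SYN/sec stream; the 75 second timeout and the 40/5 limits are the ones quoted above, and the source addresses are assumptions.

```python
"""Model of half-open TCP connections exhausting a mail server's slots.

Uses the numbers from the text: a 75 s wait for the client's final ACK, a
QPSMTPD Instances limit of 40 and an InstancesPerIP limit of 5.  The SYN
stream is constructed in-process; nothing is sent on the network."""
from collections import Counter

HALF_OPEN_TIMEOUT = 75.0   # seconds the host keeps waiting for "Just fine."
INSTANCES = 40             # qpsmtpd Instances: overall connection limit
INSTANCES_PER_IP = 5       # qpsmtpd InstancesPerIP: limit per source address


class ConnectionTable:
    """Tracks half-open connections and enforces the two qpsmtpd limits."""

    def __init__(self, instances=INSTANCES, per_ip=INSTANCES_PER_IP,
                 timeout=HALF_OPEN_TIMEOUT):
        self.instances = instances
        self.per_ip = per_ip          # None disables the per-IP limit
        self.timeout = timeout
        self.pending = []             # list of (expiry_time, src_ip)
        self.rejected = Counter()     # why SYNs were refused

    def _expire(self, now):
        """Drop half-open entries whose 75 s wait has run out."""
        self.pending = [(exp, ip) for exp, ip in self.pending if exp > now]

    def free_slots(self, now):
        self._expire(now)
        return self.instances - len(self.pending)

    def syn(self, now, src_ip):
        """Handle one SYN at time `now`; True if it occupied a slot."""
        self._expire(now)
        if len(self.pending) >= self.instances:
            self.rejected["overall"] += 1
            return False
        if self.per_ip is not None:
            from_this_ip = sum(1 for _, ip in self.pending if ip == src_ip)
            if from_this_ip >= self.per_ip:
                self.rejected["per_ip"] += 1
                return False
        self.pending.append((now + self.timeout, src_ip))
        return True


def flood_events(src_ip="10.1.10.123", rate=1001, seconds=1):
    """Constructed stream of (time, src_ip) SYNs that never complete,
    at the 1001/sec rate the SonicWall alert reported."""
    return [(i / rate, src_ip) for i in range(rate * seconds)]


def simulate(events, **limits):
    """Feed the SYN stream into a fresh table; return (accepted, table)."""
    table = ConnectionTable(**limits)
    accepted = sum(1 for t, ip in events if table.syn(t, ip))
    return accepted, table


if __name__ == "__main__":
    for label, limits in (("InstancesPerIP=5", {}),
                          ("no per-IP limit", {"per_ip": None})):
        accepted, table = simulate(flood_events(), **limits)
        legit = table.syn(1.5, "192.0.2.10")   # an assumed real sender arriving afterwards
        print(f"{label}: flood took {accepted} slots, rejected={dict(table.rejected)}, "
              f"legit sender accepted={legit}, free after timeout={table.free_slots(100.0)}")
```

With the per-IP limit in place the single flooding host can only pin 5 of the 40 slots, so a legitimate sender still gets through; without it the whole table is held for the full 75 seconds.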

Using Mandrill with Exchange 2013

This covers using Mandrill with Exchange 2013 to send outgoing mail, for the case where your IP ADDRESS gets blacklisted on SENDERBASE.ORG and your reputation takes a while to get out of the POOR rating. There are two parts to this: creating a MANDRILL account and setting EXCHANGE to use MANDRILL.

CREATE A MANDRILL ACCOUNT

Once you start an account, you will see your details for connection. It will look something like this:

  • Host: smtp.mandrillapp.com
  • Port 587
  • SMTP Username: foo@fee.tld
  • SMTP Password any valid API key

Now all you need is an API KEY.

  • -click NEW API KEY

Be patient as it generates a new API key. It will display after about 20 seconds. Great! You should now have your new API-KEY to be used as your SMTP-PASSWORD.

NOTE: It uses an API key rather than the password to your account so that you can change the password to your account without affecting the account's ability to send email.

SET EXCHANGE TO USE MANDRILL

  • -open the EXCHANGE ADMIN CENTER (EAC) also known as the EXCHANGE CONTROL PANEL (ECP).
  • -click MAIL-FLOW (on the right-hand side).
  • -click SEND-CONNECTORS (at the top).
  • -click the plus symbol (+).
  • -type: Mandrill.
  • -bullet "Custom".
  • -click NEXT.
  • -bullet "Route mail through smart host".
  • -click the plus symbol (+).
  • -type: smtp.mandrillapp.com
  • -click SAVE
  • -click NEXT
  • -bullet BASIC AUTHENTICATION
  • -type: your-user-email-for-your-mandrill-account
  • -type: your-user-password-for-your-mandrill-account
  • -click NEXT
  • -click the plus symbol (+) for ADDRESS SPACE.
  • -leave TYPE as SMTP.
  • -type * (asterisk) for FQDN.
  • -leave COST as 1
  • -[This is preference. Works the same as MX RECORD preferences. The lower the cost, the more preference it has. 1 will be used before 2 and so on. An equal number will round-robin.].
  • -click SAVE
  • -[A "Scoped send connector" will only work internally for domains on the server.]
  • -click NEXT
  • -click the plus symbol (+) for SOURCE SERVER.
  • -if you only have 1 server, click ADD (at the bottom).
  • -click OK > FINISH.

This will automatically add the SEND CONNECTOR to the list and enable it.

Now we have to change the outgoing port for the MANDRILL SEND CONNECTOR.

  • -disable the MANDRILL SEND CONNECTOR.
  • -open the EXCHANGE MANAGEMENT SHELL (EMS).
  • -type: Set-SendConnector -Identity Mandrill -port 587

Great! Now you are ready to go.

You have a few options from here. You can either:

  • -start sending using the MANDRILL SEND CONNECTOR right away by simply enabling the connector (and disabling the existing connector if you have one).

or

  • -test out the MANDRILL SEND CONNECTOR by pausing the SEND QUEUE in the QUEUE VIEWER and enabling the connector (and disabling the existing connector if you have one).

That's it! You are awesome.

Block All Traffic on Port 25 in SonicWall

To block all traffic on port 25 in a SonicWall, follow this link:

https://support.software.dell.com/kb/sw5623

Find How Many Exchange CALs You Need on Server 2012

To get the user accounts of EXCHANGE that require a STANDARD EXCHANGE CAL on SERVER 2012:

  • -click EXCHANGE MANAGEMENT SHELL (EMS)
  • -type: Get-ExchangeServerAccessLicenseUser -LicenseName "Exchange Server 2013 Standard CAL"

If you combine this with the wonderful GNUWIN32 (see below) then you can type the following to get the exact number you need:

  • -type: Get-ExchangeServerAccessLicenseUser -LicenseName "Exchange Server 2013 Standard CAL" | grep -c CAL

Voila!

Windows Stuck During Windows Updates

net stop wuauserv
ren c:\windows\softwaredistribution sd.old
net start wuauserv

or

  • -boot from WIN8 cd.
  • -look for a Repair Windows.

Temporary Web Site Links

Sometimes a temporary web site link contains an IP ADDRESS and looks like this:

http://174.136.3.119/~username

The issue is that the links in the web site won't work, or the administrator panel (/administrator or /wp-login) won't work, because search-engine-friendly links are on.

This is resolved by using the SERVERNAME or FQDN rather than using the IP ADDRESS. Like this:

http://servername.directrouter.com/~username

RSA Appliance Version 8 Reset Password

The Good About RSA Security Appliance

RSA is really secure.

The Bad About RSA Security Appliance

RSA is really secure so figuring out what the current password is, is just about so difficult that many have to revert to writing down the password to remember it. This, coincidentally, weakens security.

If you forget the SUPER-USER password in RSA APPLIANCE, then you might be in a tough place.

Here's how to reset the SUPER-USER password in RSA APPLIANCE VERSION 8 (very high level. This is not detailed information. I will not be explaining how to do step-by-step).

  • -ssh into the rsa-box
  • -change directories to: /opt/rsa/am/utils
  • -run the following command: ./rsautil restore-admin -u tempadmin
  • -follow the screen prompts. You will need your OC username & password (not SC username & password).
  • -use the tempadmin account to reset the SUPER-USER account.

NOTE: the tempadmin user access expires after 24 hours.

Exchange 2013 Reset Password for Users

In Exchange 2013, resetting the password for users can be difficult. It might be missing or you may not see the option when you click on a USERNAME.

Luckily, this isn't difficult to overcome. I found the steps here:
http://www.mustbegeek.com/reset-user-password-in-exchange-2013/

  • -click PERMISSIONS (on the left-hand side).
  • -click ADMIN-ROLES (at the top).
  • -double-click ORGANIZATIONAL MANAGEMENT (in the middle).
  • -find the ROLES section.
  • -click the + (plus-symbol).
  • -find RESET PASSWORD (in the list).
  • -click ADD (at the bottom).
  • -click OK > SAVE.
  • -logout of EAC.
  • -login to EAC.

This should enable you to change the passwords within EXCHANGE EAC.

 

Business One Centos

NOTE: this project was killed. I will not pursue.

If I'm going to work with BUSINESS ONE, I'm dedicated to getting working on HANA on CENTOS. I haven't done this yet as I don't have access to some of the build items but if it's possible, I'm going to get it working. I will post the results here.

The last direction I want to take is have to put this on some type of crappy MS server box.

This is a posting area for my notes:

http://en.wikipedia.org/wiki/SAP_HANA

BUSINESS ONE COMMUNITY NETWORK
(GENERAL, SDK, API)
http://scn.sap.com/community/business-one-sdk

HANA ON RED HAT:
http://help.sap.com/hana/red_hat_enterprise_linux_rhel_6_5_configuration_guide_for_sap_hana_en.pdf

BUSINESS ONE ACADEMY:
http://scn.sap.com/docs/DOC-57116

BUSINESS ONE CONTENT:
http://scn.sap.com/community/business-one/content

Perfect Software

There is no perfect software in the world. The big question is, "Will it work for us and do what we want it to do?" That question will only be answered through time.

2 Moments You Know That Software Will Not Work

Usually, you will stick with software until one of two moments occur.

First, the moment when the software doesn't do what you want/need it to do. Eventually, you will get to a point where you need it to do something. Either it can or it can't. When it can't, that is the breaking point at which you start looking for something else. For example, you need it to track technicians. If it doesn't, then it doesn't work for you. It's as simple as that.

Secondly, when something better comes along. Something new, something hip, something that does tricks will catch your attention through either a friend, colleague or competitor and you will salivate because your software doesn't do it that well. This is simply the grass being greener on the other side.

Tradeoff

There is no perfect software and I know all too well that software is simply a tradeoff. Having it do certain items really well and having it not do certain items well is in every software. The look and feel, the interaction, the interface, the upgrades, sooner or later you will see that all software is simply trading one aspect for another. My wife will usually choose the one that looks pretty and works reliably. Hence her iPhone 6. I choose works reliably as a top priority and usually stay away from the bleeding edge technology. It's nothing more than a tradeoff.

4 Software Principles to Focus On

In light of this, and with a handful of experience from a tech perspective, I have four unconventional areas that I typically focus on. They are:

1-automating best practices:

Too often software is concerned with customization (you can eventually get there) rather than focusing on what needs to be done (here is the shortest path). The answer to this is simple. If software is automating best practices, then this is a good signal the software company is a good fit and focusing on customer needs.

2-simplicity:

I shouldn't need a masters degree to run/setup/maintain the software. Easily adapting from my current knowledge base is key. A simple interface and hiding the complexity behind the curtain is the second signal.

3-extensibility:

This means the software should have the option to extend beyond. Beyond what? You might ask. Beyond its current state. The issue here is the future. The unknown. There needs to be an outlet for the unknown items that the future holds. Having a way to tap into that is vital to the survivability of software.

4-reliability:

This means that the software should work the first time, every time. Anything less is unacceptable. If anything is shown to be insecure, it needs to be replaced with the best available option.

I didn't come up with these items sitting under a tree. They came from reading the works of Gordon Rowell. I was lucky enough to meet with Rowell a few years back and it's amazing how true these principles still hold true today.

 

Want to make your Wordpress Web Site Run Faster?

Want to make your WordPress web site run faster? Use Better WordPress Minify.

  • -install it.
  • -run it.
  • -let it do its work.

Duplicate jQuery

Just a mental note for myself to click here if I need to remove duplicate jQuery in some CMSes:

http://www.simplifyyourweb.com/index.php/downloads/category/8-loading-jquery

How to Encrypt USB Drives

There's probably many ways to encrypt USB drives but to make everything easy, I've used the software here:
http://www.sandisk.com/products/software/secureaccess/

It creates an encrypted, password-protected folder on the USB stick. If the USB stick gets lost/stolen, the new person will not be able to access any of the information on the USB stick.

RSA Security Console Setup

Client needs RSA Security Console setup so that when you connect to the VPN, it asks for a TOKEN (instead of a password).

The Big Idea

The TOKEN comes from a KEY FOB. It's a little device that you typically put on your keychain of your car/house. You press the only button on the device and it does one thing, give you a TOKEN. A TOKEN is a bunch of letters and numbers.

So it goes like this:

  • -press button.
  • -it displays: 123ABC
  • -you connect to VPN.
  • -you type in the USERNAME.
  • -you type in the TOKEN.
  • -you type in a PIN/PASSWORD.
  • -you gain access.

The benefit here is that if your password gets compromised, it doesn't help the other person. They also need the TOKEN.

Think of it like your house. You need a key to access the house. If you don't have the physical key, you can't access the house. Same idea here. If you don't have the physical TOKEN, you can't access the house of data.

I've used this before but I've never set one up. Setting it up is a pain.

Purchase Equipment

The first hurdle to overcome is purchasing the equipment. I thought it was just software that installs on the WINDOWS SERVER 2012. Upon calling EMC (the company that owns RSA) they talked for about 15 minutes. When I asked for the next step, they prompted me to call one of their authorized dealers. Hmmmm... Not that I'm not grateful for the talk but in my mind, it would have been nice to know that upfront.

Getting the quote from CDW that only included software, I ran it by my new friend at EMC to make sure I had all the necessary parts. I want it working right the first time. EMC quickly pointed out that I also needed a hardware appliance (since the client isn't using virtual server).

Installing the Equipment

I've often said before that large companies are nothing more than crappy software with great marketing. The same holds true here. Upon getting the equipment and inspecting it, the hardware appliance is some sort of 1U server from MBX-like house that will powder coat your brand on the faceplate.

The rails are different in that they don't use typical holders. It has some type of quick setup rail system. Kinda cool. I always disliked the whole screw thing anyway.

First Impressions

Upon starting it up, it seems to be running some type of Linux with an apache/httpd server (update: it's actually SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3 with an Oracle WebLogic Server). Make a change in the web-console and the value is changed in the config file and the service is restarted. I get the idea. Sounds familiar.

Everything is controlled via the web console. The web console is comprised of 3 areas:

SECURITY-CONSOLE:
(assign tokens)
https://rsa-server/sc

OPERATIONS-CONSOLE:
(sync users between systems, date, time, network, etc)
https://rsa-server/oc

SELF-SERVICE-CONSOLE:
(users can set PIN's and update their info)
https://rsa-server/ssc

Setup Users

You can setup the users via INTERNAL DATABASE or sync the users with an EXTERNAL DATABASE. This external database is typically an LDAP read-only database. This means it can be WINDOWS SERVER ACTIVE DIRECTORY or it can be an OPEN LDAP on RHEL/CENTOS.

The sync will only happen via a SECURE CONNECTION, meaning LDAPS. The funny thing is that WINDOWS SERVER 2012 has its own way of dealing with CERTIFICATES which makes this nearly impossible. What's worse is that if the sync fails, it simply says "failed." It doesn't say why or what happened or give any log info.

I tried a couple of times but I couldn't get mine to sync with AD. So I threw in the towel and went to INTERNAL DATABASE.

  • -login to https://rsa-server/sc
  • -click IDENTITY > USERS > MANAGE-EXISTING
  • -nothing shows up because it's an LDAP. You have to do a search.
  • -click SEARCH (on the bottom right).
  • -all the users show.
  • -click ADD NEW (at the top).
  • -add the user.
  • -repeat if necessary.

Import Tokens

While the example at the beginning of the article talked about a KEY FOB (or hard-token), in recent years most will simply use their smart phone (or soft-token). In either case (I suppose), the tokens have to be imported into the system.

The tokens come on a CD package. The password for the tokens comes in a second package.

  • -put the CD into the system you are sitting at and using to access the web console.
  • -copy the file on the CD to the DESKTOP (it's an XML file).
  • -login to https://rsa-server/sc
  • -click AUTHENTICATION > SECUREID-TOKENS > IMPORT-TOKEN-JOB > ADD-NEW.
  • -keep the defaults.
  • -browse for the file and select the XML on the DESKTOP.
  • -type in the password (from the second package).
  • -bullet OVERWRITE ALL DUPLICATE TOKENS.
  • -click SUBMIT JOB.

The job should go through smoothly. If not, double-check the password and make sure you are using the file copied to the desktop. Sometimes, the system cannot "consume" the file if it is read-only.

 Setup a Software Token Profile

A Software Token Profile has to be created before assigning the tokens. The profile determines items like:

  • -what kind of device the token can be used on.
  • -how long the token lasts.
  • -the length of the token.

So to setup the SOFTWARE TOKEN PROFILE:

  • -login to https://rsa-server/sc
  • -click AUTHENTICATION > SOFTWARE-TOKEN-PROFILE > ADD-NEW.
  • -name the profile anything you want.
  • -select the device type.
  • -select the length of the token (6 digits or 8 digits).
  • -select the time-frame of the token.
  • -select PIN INTEGRATED WITH TOKENCODE.
  • -select CT-KIP.

In the ATTRIBUTES section, there are 2 attributes. The first is the STRING that only allows it to be installed on the DEVICE TYPE you selected. For example, it can only be installed on APPLE DEVICES. The second section is the default name of the token. I'll explain later. For now, type "MY TOKEN."

 So for ATTRIBUTES:

  • -leave the first attribute as the default value.
  • -type: MY TOKEN (for software token nickname).
  • -click SAVE.

Install RSA APP on IPHONE

Before you dish out the TOKENS, the users must have the RSA APP installed on their device, in this case the IPHONE. This sucks because now everyone has to have an APPLE-ID to continue, which is its own set of instructions.

Nevertheless, go to the APP STORE and install the RSA SECURID SOFTWARE TOKEN.

Note that the RSA APP won't work until it has a TOKEN installed. This is what confuses most people. They think, "I just installed the APP. Why doesn't it just work?"

Assign Token to Users

Now here is the fun part. We assign the tokens to the users. You can either assign the tokens in bulk or you can assign them one-by-one. I would love to think that going bulk would work but realistically, going one-by-one is probably easier in the long run.

  • -login to https://rsa-server/sc
  • -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING
  • -click the UNASSIGNED tab (at the top).
  • -click the top token.
  • -click ASSIGN TO USER.
  • -the user-panel shows but since it's LDAP, nothing shows.
  • -click SEARCH (in the bottom-right) to show all the users.
  • -bullet the user-you-want.
  • -click ASSIGN (at the bottom).

Distribute the Tokens

Distributing the TOKENS is an additional step. Without distributing the TOKENS, the users have nothing more than an APP installed on their phone.

Go back to the token list (assigned):

  • -login to https://rsa-server/sc
  • -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING.
  • -click the token-you-want-to-distribute.
  • -click DISTRIBUTE.
  • -select the SOFTWARE-TOKEN-PROFILE already created.

Now remember those attributes? Here's where you can customize them for each user. The first attribute (DeviceSerialNumber) can be changed so that the TOKEN will only install on the IPHONE belonging to the user (rather than just any IPHONE). The second attribute will let you customize what the user will see when they click on the RSA APP.

To get the specific DEVICE-SERIAL-NUMBER:

  • -get the iphone.
  • -open the RSA app.
  • -click INFO button (at the bottom-right).
  • -the BINDING-ID is the ID that needs to be typed into the DeviceSerialNumber attribute.
  • -you can either email this to the super-admin (by clicking the email button next to the number) or you can tell him the number or you can just hand your phone to him/her.
  • -type in a NICKNAME (so that it shows something other than just "Token 1").
  • -select SYSTEM-GENERATED-CODE if the ACTIVATION-CODE (keep reading) is random or if the ACTIVATION-CODE is known as the DEVICESERIALNUMBER.
  • -click SAVE & DISTRIBUTE.

Upon doing so, the admin has the option to distribute the TOKEN. Typically, that is done via email. After all, if it will only work on the specified device, there's really no harm in emailing the token. Is there?

At this point, you have another option, you can either:

  • -email the whole token.
  • -or you can email part of the token and force it require an ACTIVATION CODE.

If you require the ACTIVATION CODE, you will have to get that ACTIVATION CODE to the user. Good luck.

This whole process is complicated but it allows you to put as much security into your system as possible.

I opt to make it as easy as possible while still maintaining security: I assign the token directly to the device and I email the whole token with the activation code for a push-one-button install.

What happens

What happens if you try to install a TOKEN onto a device that isn't in the DEVICESERIALNUMBER?

It will ask you for the ACTIVATION CODE. Then it will say, "Token import failed. Invalid activation code. Contact your administrator."

Pretty cool. The TOKEN will only work on the device assigned to the TOKEN.

Everywhere, users are screaming "SECURITY!!!"

Integrating the RSA into Something

What's cool here is that the RSA appliance can be used to protect a few different items. Possibly you want it to protect a web site, a VPN or simply the computer system itself. It can protect all of these and integrate into just about anything. Theoretically anyway.

So far, I have witnessed it protecting a web site and protecting a computer system.

The VPN protection can be via Windows VPN or it can be via SonicWall VPN. The SonicWall has RSA integration capabilities.

To be able to secure an item, typically the item will use a SECURITY AGENT. This is a fancy term for a bit of code that integrates into the item you are protecting so that the USER/PASS request is sent to the RSA SERVER rather than the web site, AD server, etc.

Integrating the RSA into the RRAS (Windows VPN)

As of this writing, this isn't possible. I talked to RSA tech support. RSA doesn't integrate into RRAS/Windows 2012 VPN. It's on the roadmap and I'll be notified once it's complete.

Some items suggest that the RSA integration is via an authentication agent found here:
http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm

Other items suggest this may be possible via RADIUS. For example, the horses-mouth docs say that VPN is done through RADIUS here:
http://blogs.technet.com/b/networking/archive/2014/01/13/configuring-native-vpn-client-through-pc-settings.aspx

And it gives instructions here:
http://technet.microsoft.com/en-us/library/jj900206.aspx

Integrating the RSA into SonicWall VPN

The RSA can be integrated into the SonicWall VPN without too much trouble. SonicWall is its own topic unto itself. I won't go into all the details of the SonicWall or else we will be writing/reading a book.

The SonicWall has 2 types of VPN. The GLOBAL-VPN (GVPN) and the SSLVPN. For many reasons, pretend like the GLOBAL-VPN doesn't exist and simply go straight to the SSLVPN.

On this regard, to get the SSLVPN working, I'll simply refer to this awesome YouTube video:
https://www.youtube.com/watch?v=qPv-tz-zN6A&index=6&list=PLC909885E4476986B

At some point, I'll write out the instructions but for now, the above link will suffice.

After the VPN is up and running, we have to integrate the RSA users into the SONICWALL. On this section, to get the RSA users into the SONICWALL, I'll simply refer to this awesome DELL KB post:
https://support.software.dell.com/kb/sw9818

It uses RADIUS, so the RADIUS SERVER must be setup on the RSA and the RADIUS CLIENT must be setup on the SONICWALL.

Final VPN steps

So to get this working, you must have the SONICWALL VPN software setup on the laptop. What's cool here is that the software is embedded into firmware in the SONICWALL. This software should install automatically upon visiting the VPN/SONICWALL web site, but I'm finding that if the SSL is SELF-SIGNED and not originated from a TRUSTED-STORE then the software doesn't download/install correctly.

To get around this, you can manually install the software from the SONICWALL VPN web site here:
https://your-sonicwall-public-ip-address.tld:4433/NXSetupU.exe

Recap

So to recap, here is why the RSA is so secure, and the high-level steps needed:

-must have company iphone/device.
-token can only be installed on company iphone/device.
-enter PASSCODE for general iphone access.
-press RSA token app.
-type pin.
-press enter.
-see token.
-type token into vpn software.

NOTES:
    -token is one time use only. Once you try it, it won't work again. You will have to wait for another token.
    -just be clear, you cannot test token and then use it.
    -if you don't enter the pin before getting a TOKEN, it will give a TOKEN but it will be the wrong one.

Internals

The RSA package lives in:

/opt/rsa/

It has its own SERVICE. Rather than the typical:

service biztier status

RSA calls it rsaserv and puts it here:

/opt/rsa/am/server

So checking the RSA services goes like this:

./rsaserv status all

RSA puts all the unique services here:

/opt/rsa/am/server/servers/

This is different than placing it in the typical directory of:

/etc/rc.d/init.d/

External References

This has helped:

http://www.petenetlive.com/KB/Article/0000962.htm

GPO Settings for IE11

Well it looks like at this time the settings for IE11 are left out of the GROUP-POLICY settings in SERVER 2012.

Here's how to get them.

  • -download the ADM TEMPLATE here: http://www.microsoft.com/en-gb/download/details.aspx?id=40905
  • (unzip it of course)
  • -open the GPO on the SERVER 2012.
  • -click USER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES
  • -right-click ADMINISTRATIVE-TEMPLATES
  • -click ADD/REMOVE TEMPLATES
  • -click ADD
  • -select the unzipped file.
  • -awesome!

The next part to this is to change the settings in the GPO for IE 11.

  • -open the GPO on the SERVER 2012.
  • -click USER-CONFIGURATION > PREFERENCES > CONTROL-PANEL-SETTINGS > INTERNET SETTINGS
  • -right-click INTERNET-SETTINGS
  • -click NEW > INTERNET-EXPLORER 10
  • (While IE 11 doesn't show, the settings for IE10 will work for IE 11)

Sagonet DataCenter

After having a client server at Sagonet DataCenter, I can make the recommendation to try and find another solution.

Here is my history of more than 7 years with 8 significant issues. Keep in mind that every issue caused more than 100 people to either call or email asking questions. Plus it reflected poorly on the client's business, which was seen as unreliable.

1. 11/28/08: power failure. Outage due to under-supplied power blamed on FPL causing the backup car batteries to have zero power.

2. 08/29/09: kernel log:
Aug 28 23:13:37 server kernel: You probably have a hardware problem with your RAM chips
Aug 28 23:13:37 server kernel: Uhhuh. NMI received. Dazed and confused, but trying to continue

3. 07/16/10: backup options $140 per month.

4. 12/13/11: access from Comcast issue. Locations at Comcast couldn't connect.

5. 06/02/12: server unavailable... suddenly re-appeared.

6. 06/20/12: hd died.

7. 09/21/12: access from Comcast issue. Locations at Comcast couldn't connect.

8. 01/14/14: all of Tampa unavailable for several days. No response for more than 24 hours. When response was received, it was "we are working on it." Panicked, I tried to move to a new datacenter. The server crashed during the transfer to the new server.

=======================

The bright side to all of this is that it obviously forced the client to get a new server at a new datacenter with whom I am very pleased.

My recommendation is that if you have an enterprise, host at RackSpace. It's pricey but you get what you pay for.

Recover Accidentally Deleted Files

Need to recover files that were accidentally deleted? Who hasn't dropped over 103 MySQL databases by typing in the wrong commands at one point or another? Here's my recommendation:

  • testdisk
  • ext4magic
  • r-studio

PROCEDURE
====================================
=============
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-lvm pvscan
-lvm lvscan
-lvm vgrename main mainold
-exit

=============
fdisk -lu /dev/sdb
mdadm -AR /dev/md8 /dev/sdb2
lvm vgscan
lvm lvscan
lvm vgchange -a y
mkdir -p /mnt/olddrive
mount -t ext3 /dev/mainold/root /mnt/olddrive

 

RECOVERY
====================================
ext4magic /dev/mapper/mainold-root -R -f var/lib/mysql -d /installs/RECOVERDIR1
ext4magic /dev/mapper/mainold-root -j /installs/BACKUPPATH/journal.copy -f var/lib/mysql -d /installs/BACKUPPATH -m -R

??????????
ext4magic -R -f /dev/olddrive/var/lib/mysql
ext4magic -R -f /dev/mapper/mainold-root var/lib/mysql
ext4magic -R -f /dev/md8 var/lib/mysql
ext4magic -R -f /dev/sdb2 var/lib/mysql
ext4magic -R -f var/lib/mysql

 

Find Computer on Network that is Sending Out Spam With SonicWall

So you have a network. One of the devices on the network is sending out spam at an amazing rate. How do you find and locate the misbehaving computer?

If you have a SONICWALL, you can look at the current connections across all your devices at any given time.

  • -login to SONICWALL.
  • -click SYSTEM > DIAGNOSTICS
  • -find the DIAGNOSTIC TOOL area.
  • -change the dropdown to CONNECTIONS-MONITOR

This will show all the connections from the outside network to the inside network and vice versa. You are looking for any connection with a DESTINATION PORT of 25. It should be pretty obvious, as it will be the IP ADDRESS that is NOT your internal mail server. It will be the IP ADDRESS of a client machine (laptop/desktop).

But this only shows the current active connections. What if the laptop went home? What if you want to search through the logs for the day?

  • -login to SONICWALL.
  • -click LOG > VIEW
  • -find PRIORITY
  • -change to ALERT
  • -click APPLY FILTERS

This should show a list of ALERTS in the last 24 hours or so. Carefully look through them to see if anything is sending to PORT 25.


 

What's interesting is that in a typical situation the logs typically look like this:

Time     Priority  Category              Message                      Source                Destination
32:13.7  Alert     Intrusion Prevention  Possible port scan detected  199.96.57.6, 443, X1  10.1.10.206, 56114, X5

The destination and port number are easily available.

In my situation, the logs look like this:

46:26.9 Alert Intrusion Prevention Possible SYN Flood on IF X0 - src: 10.1.10.123:63383 dst: 66.236.42.7:25  <blank>  <blank>
46:30.6 Alert Intrusion Prevention SYN-Flooding machine on IF X0 - xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted  <blank>  <blank>

The destination isn't in the DESTINATION column but rather in the MESSAGE column.

Regardless, with this information, I now know that client 10.1.10.123 is the machine causing an issue.
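
Because the SYN flood alerts keep the endpoints in the MESSAGE column while ordinary alerts use the SOURCE/DESTINATION columns, a script that hunts for port 25 talkers has to handle both layouts. The following is an added example, not code from the original post or from SonicWall: it parses a constructed tab-separated export modelled on the rows above, and the allow-list of approved mail servers (10.1.10.5) is an assumption.

```python
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample export (tab-separated columns as in the Time/Priority/Category/
# Message/Source/Destination table above). 10.1.10.5 stands in for the internal
# mail server; the 10.1.10.123 line and the MAC line are the ones quoted above.
SAMPLE_LOG = "\n".join([
    "Time\tPriority\tCategory\tMessage\tSource\tDestination",
    "32:13.7\tAlert\tIntrusion Prevention\tPossible port scan detected"
    "\t199.96.57.6, 443, X1\t10.1.10.206, 56114, X5",
    "40:02.1\tAlert\tIntrusion Prevention\tPossible SYN Flood on IF X0 - "
    "src: 10.1.10.5:51020 dst: 203.0.113.25:25\t\t",
    "46:26.9\tAlert\tIntrusion Prevention\tPossible SYN Flood on IF X0 - "
    "src: 10.1.10.123:63383 dst: 66.236.42.7:25\t\t",
    "46:30.6\tAlert\tIntrusion Prevention\tSYN-Flooding machine on IF X0 - "
    "xx:xx:bb:62:2c:95 with SYN rate of 1001/sec blacklisted\t\t",
])

# Hypothetical allow-list: the only internal hosts that should ever open port 25.
MAIL_SERVERS = {"10.1.10.5"}

IP_PORT = r"(\d{1,3}(?:\.\d{1,3}){3}):(\d+)"
MESSAGE_ENDPOINTS_RE = re.compile(r"src:\s*" + IP_PORT + r"\s+dst:\s*" + IP_PORT)
# 'x' is allowed so that MAC addresses masked like the one above still match.
MAC_RE = re.compile(r"\b((?:[0-9a-fx]{2}:){5}[0-9a-fx]{2})\b", re.I)


@dataclass
class Alert:
    time: str
    message: str
    src_ip: Optional[str] = None
    src_port: Optional[int] = None
    dst_ip: Optional[str] = None
    dst_port: Optional[int] = None
    mac: Optional[str] = None


def _split_endpoint(column: str):
    """'199.96.57.6, 443, X1' -> ('199.96.57.6', 443); empty column -> (None, None)."""
    parts = [p.strip() for p in column.split(",")]
    if len(parts) >= 2 and parts[1].isdigit():
        return parts[0], int(parts[1])
    return None, None


def parse_alert(line: str) -> Optional[Alert]:
    cols = line.rstrip("\n").split("\t")
    if len(cols) < 6 or cols[0] == "Time":
        return None
    time, _priority, _category, message, source, destination = cols[:6]
    alert = Alert(time=time, message=message)
    # Normal layout: endpoints live in the Source/Destination columns.
    alert.src_ip, alert.src_port = _split_endpoint(source)
    alert.dst_ip, alert.dst_port = _split_endpoint(destination)
    # SYN flood layout: the columns are blank and the endpoints sit in the Message.
    if alert.dst_ip is None:
        m = MESSAGE_ENDPOINTS_RE.search(message)
        if m:
            alert.src_ip, alert.src_port = m.group(1), int(m.group(2))
            alert.dst_ip, alert.dst_port = m.group(3), int(m.group(4))
    mac = MAC_RE.search(message)
    if mac:
        alert.mac = mac.group(1)
    return alert


def find_smtp_talkers(log_text: str, mail_servers=frozenset(MAIL_SERVERS)):
    """Count alerts per source IP whose destination port is 25, ignoring the
    approved mail servers. Whatever is left is a client that should not be
    speaking SMTP to the internet."""
    suspects = {}
    for line in log_text.splitlines():
        alert = parse_alert(line)
        if alert is None or alert.dst_port != 25 or alert.src_ip is None:
            continue
        if alert.src_ip in mail_servers:
            continue
        suspects[alert.src_ip] = suspects.get(alert.src_ip, 0) + 1
    return suspects


def blacklisted_macs(log_text: str):
    """MAC addresses the firewall reports as blacklisted for SYN flooding; these
    alerts carry no IP, so the MAC is what you match against the DHCP/ARP table."""
    return [a.mac for a in map(parse_alert, log_text.splitlines())
            if a is not None and a.mac and "blacklisted" in a.message]


if __name__ == "__main__":
    print(find_smtp_talkers(SAMPLE_LOG))   # {'10.1.10.123': 1}
    print(blacklisted_macs(SAMPLE_LOG))    # ['xx:xx:bb:62:2c:95']
```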

Exchange 2013 Message Queue

To look at the message-queue in EXCHANGE 2013, it's actually rather easy.

  • -click START > PROGRAMS > MICROSOFT-EXCHANGE-SERVER-2013 > EXCHANGE-TOOLBOX
  • -click QUEUE-VIEWER

Here you will see any messages that are waiting to be delivered. Sometimes a receiving server might delay the message or the receiving server might simply be not available, in which case, the message will wait to be sent again. After a certain period of time, I believe that it's 48 hours, the message will bounce as undeliverable or NDR.

Linux Logs for Login Attempts

Logs for logins are located here:

/var/run/utmp
The current login status.

/var/log/wtmp
The historical login status.

/var/log/btmp
The failed login status.

You can't read these files directly, you have to use the following command: last

So, it would go like this:

last -f /var/run/utmp

Or if you want to see something scary use:

last -f /var/log/btmp
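
The reason you can't just cat these files is that they are fixed-size binary records (struct utmp). As an added example that is not part of the original post, the following parser reads that record format directly and summarises btmp failures by source host and user, which is the view you want when deciding whom to block; the record layout assumed is glibc's on x86_64 Linux, and the records it runs on are constructed in the block rather than read from a real /var/log/btmp.

```python
import struct
from collections import Counter

# Record layout of glibc's struct utmp on x86_64 Linux (see utmp(5)): 384 bytes,
# little-endian, with two bytes of padding after the 16-bit ut_type.
UTMP_FORMAT = "<hxxi32s4s32s256shhi2i4i20s"
UTMP_SIZE = struct.calcsize(UTMP_FORMAT)  # 384
LOGIN_PROCESS = 6   # ut_type of a pending/failed login attempt (btmp records)
USER_PROCESS = 7    # ut_type of a logged-in user (live sessions in utmp/wtmp)


def _cstr(raw: bytes) -> str:
    """Decode a NUL-padded C string field."""
    return raw.split(b"\0", 1)[0].decode("utf-8", "replace")


def parse_utmp(data: bytes):
    """Yield one dict per 384-byte record in a utmp, wtmp or btmp image."""
    for offset in range(0, len(data) - UTMP_SIZE + 1, UTMP_SIZE):
        (ut_type, pid, line, _ident, user, host, _term, _exit, _session,
         tv_sec, _tv_usec, _a0, _a1, _a2, _a3, _unused) = struct.unpack_from(
            UTMP_FORMAT, data, offset)
        yield {"type": ut_type, "pid": pid, "line": _cstr(line),
               "user": _cstr(user), "host": _cstr(host), "time": tv_sec}


def make_record(ut_type: int, user: str, host: str, tv_sec: int,
                line: str = "ssh:notty", pid: int = 4242) -> bytes:
    """Constructed fixture: pack one record exactly as glibc lays it out, so the
    parser can be exercised without reading a real /var/log/btmp."""
    return struct.pack(UTMP_FORMAT, ut_type, pid, line.encode(), b"", user.encode(),
                       host.encode(), 0, 0, 0, tv_sec, 0, 0, 0, 0, 0, b"")


def failed_logins_by_host(btmp: bytes) -> dict:
    """btmp holds only failed attempts, so every record counts; group by source
    host to see who is hammering the box (the 'something scary' view)."""
    return dict(Counter(rec["host"] for rec in parse_utmp(btmp)))


def failed_logins_by_user(btmp: bytes) -> dict:
    """Same data grouped by the account name that was tried."""
    return dict(Counter(rec["user"] for rec in parse_utmp(btmp)))


def current_users(utmp: bytes) -> list:
    """utmp view: only USER_PROCESS records are live sessions; boot, runlevel and
    dead-process records are skipped just as `last -f /var/run/utmp` would."""
    return [(rec["user"], rec["line"], rec["host"]) for rec in parse_utmp(utmp)
            if rec["type"] == USER_PROCESS]


if __name__ == "__main__":
    # Constructed btmp: three failures from one host, one from another.
    btmp = b"".join([
        make_record(LOGIN_PROCESS, "root", "203.0.113.9", 1700000000),
        make_record(LOGIN_PROCESS, "root", "203.0.113.9", 1700000010),
        make_record(LOGIN_PROCESS, "admin", "203.0.113.9", 1700000020),
        make_record(LOGIN_PROCESS, "root", "198.51.100.4", 1700000030),
    ])
    print(failed_logins_by_host(btmp))   # {'203.0.113.9': 3, '198.51.100.4': 1}
```

To run it against the real file, read /var/log/btmp as bytes (it is root-only) and pass the result to failed_logins_by_host.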

Add AD Group as an EAC Group.

What's hard to wrap your mind around in MICROSOFT world is the whole disconnect between systems. In other words, it has fine-grain control. It can be connected but it isn't connected automatically by default.

So let's take this example of adding a group to AD & EAC:

  • -create a group in ACTIVE DIRECTORY (AD) called TESTGROUP.
  • -add people to a group.
  • -go to the EXCHANGE ADMIN CENTER (EAC).
  • -the group doesn't show.

If you try to add the group in the EAC, you get an error message: "Active Directory operation failed on" ... "already exists."

It's trying to tell you that you can't create the group in EAC because that group is already created in AD.

So let's add the AD GROUP so that it shows in the EAC GROUP:

  • -go to AD USERS & COMPUTERS
  • -double-click on the group-name-that-you-want-to-change.
  • -select UNIVERSAL (rather than GLOBAL)
  • -click OK
  • -connect via POWERSHELL.
  • -type: Enable-DistributionGroup -Identity "GROUP_NAME" -Alias "GROUP_ALIAS"
  • -refresh the screen in the EAC and the group name will show.

Awesome! Good work.

Now when you try to make a change to the group you find that you can't change the settings for that group in EXCHANGE 2013. You get a message "You don't have sufficient permissions. This operation can only be performed by a manager of the group."

You can get around this by using the -BypassSecurityGroupManagerCheck option in the powershell and take ownership of it. Let me show you:

  • -connect via POWERSHELL.
  • -type: Set-DistributionGroup -Identity testgroup -ManagedBy administrator -BypassSecurityGroupManagerCheck

This will add the ADMINISTRATOR as the OWNER of the TESTGROUP.

Block Websites with SonicWall

I service a SONICWALL 2400. I want to block certain web sites. Even though the license for Premium Content Filtering Service shows as EXPIRED, this doesn't mean you can't block web sites and it doesn't mean you don't have Content Filtering Service. It just means you don't have Premium Content Filtering Service. The Premium Content filtering allows you to filter on the basis of categories (http://www.sonicwall.com/us/en/products/Network_Security_Content_Filtering_Categories.html).

  • -login to SONICWALL
  • -click SYSTEM > LICENSES
  • -look for "Comprehensive Gateway Security Suite Upgrade"
  • -underneath, look for "Premium Content Filtering Service."
  • -next to it, I see EXPIRED.

A little miffed and upset because I feel like I'm being hi-jacked to pay for something that just about any home router can do out of the box, I give it a try anyway.

  • -login to SONICWALL.
  • -click SECURITY-SERVICES (on the left-hand side).
  • -click CONTENT FILTER.
  • -you may see UPGRADE REQUIRED (in big red letters).
  • -not true (just like their AUTO-DOWNLOAD FIRMWARE feature).
  • -find the second section called CONTENT FILTER TYPE.
  • -select CONTENT FILTER SERVER (in the dropdown box).
  • -click CONFIGURE.
  • -click ENABLE HTTPS CONTENT FILTERING.
  • -click CUSTOM LIST (tab at the top).
  • -find FORBIDDEN DOMAINS.
  • -click ADD.
  • -type in the domain you want to block (for example: aol.com).
  • -click OK > OK
  • -that should do it! Test it out and let me know how it goes.

LSI MegaRaid STORCLI

Here are some tips on using the STORCLI.

Like last time, you have to run as admin.

  • -right-click CMD
  • -click RUN AS ADMINISTRATOR
  • -browse to the STORCLI location

Show all the info about the MegaRaid card:
storcli /c0 show all

I would post more but this site already has most of it:
http://www.thomas-krenn.com/en/wiki/LSI_StorCLI

The goal for me is to get 4 physical drives in a RAID1. I want to hot-swap pull one of the drives and store it away for safe-keeping. Then I want to insert a new fresh drive into the array.

The older drive should then be usable/mountable without difficulty.

LSI MegaRAID Firmware Failed to FLASH flash. Stop!!!

So upgrading the firmware on this puppy was rather brutal. I kept on getting, "Firmware Failed to FLASH flash. Stop!!!".

Luckily, there is someone out there (http://www.wobblycogs.co.uk/index.php/computing/hardware/110-lsi-megaraid-firmware-upgrade-under-vmware) who understands that this means you are trying to upgrade across too big a gap. You can't go from v2.007.403-3066 to v2.130.403-3066. You have to step up to the upgrade.

He also was kind enough to post the step-upgrade-firmware since LSI doesn't offer that firmware anymore.

Here's how:

As a requirement, use the STORCLI (it is the successor of the MegaCLI). To be clear, the MegaCLI should not be used. It is outdated.

  • -right-click CMD
  • -click RUN AS ADMINISTRATOR
  • -browse to the STORCLI location
  • -make sure the firmware ROM's are in the same folder (it isn't necessary but it makes it easier).
  • -type: StorCLI /c0 download file=AF2108_FW_Image.rom
  • -it should take about 10 minutes.
  • -reboot server.
  • -wait nervously as it performs the upgrade during the reboot.
  • -go back to the same location in CMD.
  • -type: StorCLI /c0 download file=mr2108fw.rom
  • -it should take about 10 minutes.
  • -reboot server.
  • -wait nervously as it performs the upgrade during the reboot.
  • -bliss ensues.

Update Exchange Malware Definitions

  • -open POWERSHELL
  • -type: & $env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1 -Identity <yourservername.yourdomain.tld>
  • -press enter

Obviously, replace the full <yourservername.yourdomain.tld> with your actual server name and domain. This could be server.domain.local or server.domain.com or foo.fee.tld. To find this value type:
_GetHostFqdn

Now look at the EVENT VIEWER:

  • -server-manager
  • -click TOOLS > EVENT-VIEWER
  • -click WINDOWS-LOGS > APPLICATION (on the left-hand side).
  • -look for EVENT-ID: 6033

This should indicate that the definitions were successfully updated.

Exchange 2013 Logs

I'm so used to Centos being so easy that it's difficult for me to wrap my head around MS thinking. Typically in Centos, front-end mail logs would be in:
/var/log/qpsmtpd

With internal/external delivery being in:
/var/log/qmail

Well from the following link from MS, I was able to piece together a little more info on how it routes the email through the system:
https://technet.microsoft.com/en-us/library/aa996349%28v=exchg.150%29.aspx

High-level logs (general connection status) are documented here:
http://technet.microsoft.com/en-us/library/aa997624%28v=exchg.150%29.aspx

Low-level logs (specific connection status) are documented here:
https://technet.microsoft.com/en-us/library/dd302434%28v=exchg.150%29.aspx

QPSMTPD

In MS EXCHANGE, the logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog

There you will find 2 directories that are hopefully self explanatory:
SmtpReceive
SmtpSend

This will show the details of the data transfer including what email address it came from and what email address it's going to. This would be equivalent to the qpsmtpd.

CONNECTIVITY

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity

This is for sending email. It will show the SMTP responses such as "Failed connection to...." It will not show the DATA transfer details.

QMAIL

This shows delivery of internal email which skips the external QPSMTPD. Here is another spot:
%ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive

INDIVIDUAL MESSAGE TRACKING

This is going a little overboard as it tracks details of every single message.

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

This will show the following:
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

That's a bunch of information. In my mind, this is equivalent to the qmail logs.

If you want to look through the logs, this is the place to do it! Want to make it easier? Find my article on installing GNUWIN32 so that you can grep through the logs. Sweet!

ENABLE LOGGING

Since logging is disabled by default, we have to turn it on. This is turning the logging on for the FRONT-END/QPSMTPD:

  • -login to EXCHANGE MANAGEMENT SHELL.
  • -type: Get-ReceiveConnector "FOO\Default Frontend Foo" |fl *
  • (This will show the details for the connector.)
  • -type: Set-ReceiveConnector "FOO\Default Frontend Foo" -ProtocolLoggingLevel Verbose

SEARCHING THROUGH THE MESSAGE TRACKING LOGS

http://exchangeserverpro.com/exchange-2010-message-tracking-log-search-powershell/

The above link helped me here. Searching through the message logs is the only way to see if a TRANSPORT RULE or MAIL FLOW RULE has been triggered. To see the whole message log, it's like this:

Get-MessageTrackingLog | fl *

If a message has been blocked by a TRANSPORT RULE or MAIL FLOW RULE, it will give an EVENTID of "FAIL" and the STATUS will say "550 5.2.1 Message deleted by the transport rules agent."

MAIL FLOW RULES (TRANSPORT RULES) AND MESSAGE TRACKING

From a SENDER
Get-MessageTrackingLog -Sender <sender@yourdomain.tld>

To a RECIPIENT:
Get-MessageTrackingLog -Recipients <recipient@yourdomain.tld>

On a DATE
Get-MessageTrackingLog -Start "06/13/2016"

A specific EVENT (Such as FAIL):
Get-MessageTrackingLog -EventId FAIL

Shows the FAILED messages (including messages that fail due to MAIL FLOW RULES (TRANSPORT RULES)) since the given date:
Get-MessageTrackingLog -EventId FAIL -Start "01/01/2000"

Adding them together to find an email that didn't go through (EVENT FAIL) FROM a USER, TO a USER on a certain DATE:
Get-MessageTrackingLog -EventId FAIL -Start "06/01/2016" -Sender <sender@yourdomain.tld> -Recipients <recipient@yourdomain.tld> -Resultsize Unlimited

See the expanded details about the messages:
Get-MessageTrackingLog -EventId FAIL -Start "06/13/2016" -Sender <sender@yourdomain.tld> -Recipients <recipient@yourdomain.tld> -Resultsize Unlimited | fl

Show me everything about the item by using the InternalMessageId:
Get-MessageTrackingLog -InternalMessageId 89279485181957 | fl

Event Parameters can be the following: BadMail, Defer, Deliver, DSN, Expand, Fail, PoisonMessage, Receive, Redirect, Resolve, Send, Submit, and Transfer.
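
When you'd rather grep the MessageTracking files themselves (with GNUWIN32 or a script) than go through the shell, the same filters can be applied to the raw log. The following is an added example, not code from the original post or from Microsoft: it reads the #Fields: header listed above to name the columns, then reproduces the -EventId, -Sender, -Recipients and -Start filters and picks out the "transport rules agent" failures. The log lines it runs on are constructed in the block, and the addresses and message ids in them are placeholders.

```python
import csv
from datetime import datetime

# The "#Fields:" header is the one listed above; COLUMNS is derived from it.
FIELDS_LINE = ("#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,"
               "source-context,connector-id,source,event-id,internal-message-id,message-id,"
               "network-message-id,recipient-address,recipient-status,total-bytes,"
               "recipient-count,related-recipient-address,reference,message-subject,"
               "sender-address,return-path,message-info,directionality,tenant-id,"
               "original-client-ip,original-server-ip,custom-data")
COLUMNS = FIELDS_LINE[len("#Fields: "):].split(",")


def _row(values: dict) -> str:
    """Fixture helper: one CSV line with the named columns set, the rest blank."""
    return ",".join(values.get(col, "") for col in COLUMNS)


# Constructed sample log: a message received, then dropped by a transport rule,
# plus an unrelated FAIL from the day before. Addresses and ids are placeholders.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    FIELDS_LINE,
    _row({"date-time": "2016-06-13T14:02:11.123Z", "event-id": "RECEIVE", "source": "SMTP",
          "sender-address": "alice@example.com", "recipient-address": "bob@example.com",
          "internal-message-id": "89279485181957", "message-subject": "Invoice"}),
    _row({"date-time": "2016-06-13T14:02:12.456Z", "event-id": "FAIL", "source": "AGENT",
          "sender-address": "alice@example.com", "recipient-address": "bob@example.com",
          "recipient-status": "550 5.2.1 Message deleted by the transport rules agent",
          "internal-message-id": "89279485181957", "message-subject": "Invoice"}),
    _row({"date-time": "2016-06-12T09:00:00.000Z", "event-id": "FAIL", "source": "SMTP",
          "sender-address": "carol@example.com", "recipient-address": "dave@example.net",
          "recipient-status": "550 5.1.1 User unknown", "internal-message-id": "17"}),
]) + "\n"


def parse_tracking_log(text: str):
    """Yield one dict per data line, keyed by the names in the #Fields: header
    (the header is taken from the file itself, so column reordering is harmless)."""
    columns = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            columns = line[len("#Fields:"):].strip().split(",")
        elif line.startswith("#") or not line.strip() or columns is None:
            continue
        else:
            values = next(csv.reader([line]))
            yield dict(zip(columns, values))


def search(text: str, event_id=None, sender=None, recipient=None, start=None):
    """Same filters as the Get-MessageTrackingLog calls above, but over the raw file.
    `start` is a 'MM/DD/YYYY' string like the PowerShell -Start argument."""
    since = datetime.strptime(start, "%m/%d/%Y") if start else None
    hits = []
    for rec in parse_tracking_log(text):
        if event_id and rec["event-id"].upper() != event_id.upper():
            continue
        if sender and rec["sender-address"].lower() != sender.lower():
            continue
        # recipient-address may list several recipients separated by ';'
        if recipient and recipient.lower() not in rec["recipient-address"].lower().split(";"):
            continue
        if since and datetime.strptime(rec["date-time"][:19], "%Y-%m-%dT%H:%M:%S") < since:
            continue
        hits.append(rec)
    return hits


def transport_rule_drops(text: str):
    """FAIL events whose status says the transport rules agent deleted the message:
    the only trace a mail flow rule leaves."""
    return [r for r in search(text, event_id="FAIL")
            if "transport rules agent" in r["recipient-status"].lower()]


def by_internal_id(text: str, internal_message_id: str):
    """Everything the log recorded about one message, like -InternalMessageId | fl."""
    return [r for r in parse_tracking_log(text)
            if r["internal-message-id"] == internal_message_id]


if __name__ == "__main__":
    for rec in transport_rule_drops(SAMPLE_LOG):
        print(rec["date-time"], rec["sender-address"], "->", rec["recipient-address"],
              rec["recipient-status"])
```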

 

Joomla 2.5: Manager Group Can't Access Admin Login

Some components, namely FRONTPAGE SLIDESHOW (aka FPSS), get the parent_id wrong.

  • -access MYSQL
  • -access #_assets
  • -sort by "parent_id"
  • -change all the 0's (zero's) to 1's (one's).
  • -change the "Root Asset" to 0 (zero).

In mysql speak, it looks like this:

UPDATE `#_assets` SET `parent_id`=1 WHERE `parent_id` = '0';
UPDATE `#_assets` SET `parent_id`=0 WHERE `title` = 'Root Asset';

Install Grub onto a HD

Here's how to install Grub onto a HD:

  • grub
  • grub> device (hd0) /dev/sdb
  • grub> root (hd0,0)
  • grub> setup (hd0)
  • grub> quit

If you look closely, you are installing grub on SDB (not SDA). Also note that you are installing grub as HD0 or the FIRST HD. The reason you do this is because grub is already installed on SDA and while grub only needs to be installed on one disk (it doesn't need to be installed on two disks), you need to consider what happens if SDA dies.

If SDA dies then SDB is going to be the next disk in line and possibly the only disk. The boot process or bootstrap will skip SDA and try to boot from SDB. If grub is not found, then the system will not boot. Installing grub on SDB as the FIRST HD, ensures that the system boots to the first stage menu and allows you to pick your installation or begin stage 2.

Getting Hardware Info

Getting hardware information from a server that you've never laid eyes on, that is thousands of miles away and that you can't physically access is sometimes difficult.

Below are some items that I've used in the past to get details of the hardware in the system. You can harmlessly type the commands in as they only inspect info and do not change anything.

dmidecode

I like this one. It gets the info from the BIOS, even the product name, serial number and Dell service tag number. It even gets the BASEBOARD info (or motherboard info) and the CHASSIS info (the actual physical case) with its lock status.

The full list is:

  • dmidecode
  • lspci
  • lsusb
  • df -h
  • fdisk -l
  • mount | column -t
  • cat /proc/cpuinfo
  • cat /proc/meminfo
  • cat /proc/scsi/scsi
  • cat /proc/version
  • uname -a
  • cat /proc/partitions

AWS S3 Clients

Amazon Web Services or AWS is amazing. There's so much I'm like the proverbial kid in a candy store. This changes everything. Walls are torn down technologywise. And price isn't a barrier.

One issue is that something so seemingly simple, like syncing a local directory to AWS S3, is so complicated. There are a number of ways to automatically sync items that I have found in my travels and wanted to list them out.

CLOUDBERRY

http://www.cloudberrylab.com/

This is the standard of what you want. It connects a new DRIVE LETTER to your computer which syncs with S3. So it adds a Z DRIVE to your computer. That Z DRIVE is actually your S3. Cool.

The problem becomes, what if I don't want it as a DRIVE LETTER and I want it to connect to an existing folder/directory.

SPRIGHTLYSOFT

http://sprightlysoft.com/S3Sync/

This is strictly a command-line tool. It will walk you through getting the command correct but then you are responsible for running the command directly or on a cron. Not exactly what I was looking for.

ALLWAYS SYNC

http://allwaysync.com/index.html

This looks promising but it doesn't have the GovCloud access region of AWS that I need.

ioncube loader

Unzip the IonCube File & Load It Into the PHP

  • -untar/unzip the ioncube download tar.gz
  • -it will give a bunch of files.
  • -use the phpinfo file to look at the all the php info details.
  • -find where the extension_dir is.
  • -for me, it is: /usr/lib64/php/modules
  • -copy the most recent ioncube_loader into that directory (there will be other extensions in there as well).
  • -for me, the file is: ioncube_loader_lin_5.3.so

Edit the php.ini file

  • -go to the end of the file.
  • -type:

[ionCube]
zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.3.so

Restart the Httpd

  • -type: service httpd-e-smith stop
  • -type: service httpd-e-smith start

DRAC Settings

DRAC EXPLAINED

As stated, DRAC is basically DELL's proprietary version of IPMI. This is OUT-OF-BAND control. This means you can control the server even if it doesn't have an OPERATING SYSTEM on it. You can load an OS from thousands of miles away. I have successfully done this. You can control the BIOS settings, you can restart the PC, you can watch the PC boot up and you can remotely connect and view the PC (this is different than RDP). Awesome!

CONNECT TO THE DRAC SETTINGS

You can control the DRAC setting through either LOCAL access (directly on the PC) or REMOTE access (from another system). For the LOCAL access, you can use the OPEN MANAGE software previously discussed. It will install a SERVER-MANAGER icon on the desktop that can control some of the settings.

REMOTE DRAC

The REMOTE access can be obtained by simply setting an IP ADDRESS on the DRAC and hitting the DRAC via a web browser. What's surprising to me is that the REMOTE access seems to have more options than the local access. In fact, I really don't know why there are 2 different interfaces. It would make sense to redirect the local interface to the remote interface.

DRAC VIRTUAL MEDIA

One of the options of the REMOTE is VIRTUAL MEDIA access. This means that the remote system will boot from the VIRTUAL MEDIA. It goes like this.

  • -put the OS INSTALL DISK into your computer.
  • -connect to the DRAC via browser.
  • -connect the VIRTUAL MEDIA to the remote system.
  • -the remote system will boot from the CD! (that is totally awesome!!!).
  • NOTE: the same will happen with an ISO image.

DISABLE VIRTUAL FLASH

On the DRAC settings via REMOTE, you can configure the VIRTUAL MEDIA settings.

  • -connect to the DRAC via browser.
  • -click SYSTEM > MEDIA > CONFIGURATION
  • -find VIRTUAL FLASH ENABLED.
  • -uncheck VIRTUAL FLASH ENABLED.
  • -click APPLY CHANGES (at the bottom).

WHY DISABLE VIRTUAL FLASH ON THE DRAC

The reason you want to do this is because most systems won't install when the VIRTUAL FLASH is enabled along with the VIRTUAL MEDIA. Both the VIRTUAL FLASH & the VIRTUAL MEDIA are enabled by default by DELL (probably an oversight on their part).

Another reason you want to do this is that if the VIRTUAL FLASH is enabled, it may show up on the WINDOWS system as an empty drive that is not formatted.

TROUBLE ACCESSING VIA REMOTE

Also note that since you're accessing a remote system, usually the connection is through JAVA. I've had many issues trying to get it to work. It seems like it works best from IE on a WINDOWS system. I have very little success from the MAC BOOK PRO > FIREFOX combo.

This is true of both IPMI and DRAC.

Happy remote accessing!

Upgrading the DRAC Firmware

Here's what I did to upgrade the DRAC firmware:

  • -open command prompt and run this command to disable Virtual Flash:
  • -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 0
  • -run the DRAC update - around 10 minutes to install
  • -still in command prompt run the command to enable Virtual Flash:
  • -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 1

You can also upgrade the DRAC firmware via the REMOTE access to the DRAC. It seems to be easier. I don't know why that is so.

Download Office - Glory Days of Software

In case you don't know, the glory days of software are officially over. The new licensing in Microsoft 2013 makes it nearly impossible to retrieve an INSTALL KEY, PRODUCT KEY or skip ACTIVATION. I will bypass the horrors of trying to manage this for a large set of computers and go straight to the point that MS has put up a catch-all page (404 page) that will allow you to download a product if you have a valid KEY.

In other words, you still need an INSTALL KEY or PRODUCT KEY.

MS landing page for software download if you already have a KEY (this will attach the KEY to your MS ACCOUNT/MS EMAIL):
http://microsofthup.com/hupus/error404.html

MS 2010 items can still be directly downloaded here:
https://drcdn.blob.core.windows.net/office2010

For example, PROJECT PRO 2010:
https://drcdn.blob.core.windows.net/office2010/X17-75407.exe

The following link has collected all of the links for us:
http://www.heidoc.net/joomla/technology-science/microsoft/18-office-2010-direct-download-links#
http://www.heidoc.net/joomla/technology-science/microsoft/73-office-2013-direct-download-links

Auto Login To Windows Domain

Did you ever have that one executive that has a locked office and refused to type in a USERNAME & PASSWORD because they can't differentiate between their COMPUTER PASSWORD, EMAIL PASSWORD and ICLOUD PASSWORD?

I've had that before. It's easier to just automatically log them in than dealing with the phone calls.

Here's how:

That's it! The Autologon for Windows v3.01 should take care of the rest. You are doing great!

Backup Cisco 2960-s Config File

I haven't done this stuff since college nearly 20 years ago. Most of my experience has been in Small to Medium Enterprises with a just-get-it-done attitude and a we-just-need-internet desire that I haven't had the need to get into the details.

I will say that it seems as if some of these companies simply complicate procedures to be able to justify their pricing. Backing up a config file should be a 1 button push. It's almost 2015.

  • -click START > RUN > CMD
  • -type: telnet
  • -type: o 111.222.333.444 (that's the letter o as in lmnop, followed by the ip address of the switch)
  • -type in the password
  • -type: enable (enable is their sudo command)
  • -type in the password (yes again for sudo)
  • -type: copy run tftp
  • -type 111.222.333.444 (that's the ip address of the tftp server, if you don't have a tftp server, download the http://tftpd32.jounin.net/ portable tftp server & allow UDP port 69).

That should do it!

 

Add USB Drive to Linux

When you add a fresh USB DRIVE to Linux, it should automatically assign it a device. Something like:

  • /dev/sda
  • /dev/sdb
  • /dev/sdc
  • /dev/sdd

and so on.

Discover the USB Drive

The easiest way to check this is to look through the message log:

grep kernel /var/log/messages

You will see something like:

Sep 26 18:07:24 server kernel: usb 2-1: new high speed USB device using ehci_hcd and address 5
Sep 26 18:07:24 server kernel: usb 2-1: configuration #1 chosen from 1 choice
Sep 26 18:07:24 server kernel: scsi6 : SCSI emulation for USB Mass Storage devices
Sep 26 18:07:24 server kernel: usb-storage: device found at 5
Sep 26 18:07:24 server kernel: usb-storage: waiting for device to settle before scanning
Sep 26 18:07:29 server kernel:   Vendor: ST310003  Model: 40AS              Rev:
Sep 26 18:07:29 server kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel:  sdd:
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi disk sdd
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi generic sg3 type 0
Sep 26 18:07:30 server kernel: usb-storage: device scan complete

If you look closely at the above logs, you will see that the system assigned the letter d to the USB DRIVE. So, the device is /dev/sdd

If the USB DRIVE already has a file system on it, you might be able to find more details by:

df -h

or simply

mount

Partition the USB DRIVE

The fresh USB DRIVE will have no filesystem so it probably won't be mounted anywhere. To partition the USB DRIVE:

  • fdisk /dev/sdd
  • n (to add a new partition)
  • p (to make a primary partition)
  • 1 (that's the number one, the number you want to assign to the partition)
  • w (write and exit)

Format the USB DRIVE

Now that there is a partition on the USB DRIVE, we have to format the partition with a filesystem.

  • mkfs.ext3 -L BackupDrive1 /dev/sdd1

Where

  • ext3 is the filesystem itself (explaining filesystems is beyond this article).
  • -L option is to label the USB DRIVE

Mount the USB DRIVE

To mount the USB DRIVE, issue a:

  • mount /dev/sdc1 /media/BackupDrive1/

Reliably mount multiple disks in the one location

In case you want to use a rotating set of disk drives for backups, you may want to mount different USB DRIVES in the same location. Of course, make sure you don't plug both in at the same time.

Edit the /etc/fstab. Add the lines by typing:

  • LABEL=BackupDrive1      /media/BackupDrive1     ext3    defaults
  • LABEL=BackupDrive2      /media/BackupDrive1     ext3    defaults

Set The Label On The Partition

This will set the label on the partition:

  • e2label /dev/sdd1 MyLabel

Check The Label On The Partition

This will check the label on the partition:

  • e2label /dev/sdd1

Unmount the USB DRIVE

If you need to unmount the USB DRIVE, it's like this:

  • umount /media/BackupDrive1/

How to Keep the USB DRIVE From Falling Asleep

I won't go into too much detail here but sometimes the USB DRIVE is going to fall asleep because of the USB DRIVE CADDY that it is in. The easiest way for me to fix it was to mount it around 5 minutes before the backup is scheduled to start.

  • mkdir -p /etc/e-smith/templates-custom/etc/crontab
  • vi /etc/e-smith/templates-custom/etc/crontab/26usb-drive

# Keep the USB drive from going into standby.
#5 * * * * /bin/touch /dev/sdc &>/dev/null
50 21 * * * root mount /dev/sdc1 /media/BackupDrive1/
55 21 * * * root umount /media/BackupDrive1/

How to Selective Restore From DAR Backup

Here's how to selective restore from DAR backup:

dar -x /media/BackupDrive1/server.domain.local/set2/full-201408092200 -N -R / -w -g home/e-smith/files/ibays/share_data/files

You will also have to restore all the incrementals:

dar -x /media/BackupDrive1/server.domain.local/set2/inc-001-201408102200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-002-201408112200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-003-201408122200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-004-201408132200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files

How to Manually Start a Backup

Here's how to manually start a backup routine

  • /sbin/e-smith/do_backupwk

How to Set the Backup Sets

Backup Sets are an entire week; a full backup on Friday plus the remaining 6 days (SAT, SUN, MON, TUE, WED, THU). This data can be large. Currently, on one server, I have 600GB of data for the entire backup set.

A USB backup drive needs to be large enough for the number of full sets you want (how far back in history do you want to go) + 1. In other words, N + 1.

As an example, if you have a 2TB drive, you can only go back 2 sets.

Why? Well if you have 3 sets that is a total of 1.8TB (600 x 3) which is the desired result. The problem becomes that the next backup cannot run because it collects the backup and then it deletes the oldest backup. The next backup can only go to about 200GB and then it will error out. I learned this the hard way.

Putting the backup sets to 2 will result in 1.2TB. The next backup set will finish for a total of 1.8TB and then delete the oldest backup for a total of 1.2TB again.

Cisco Port Security

I had to get port-security running on a Cisco Catalyst 2960-S:

Show the port information on a Cisco 2960-S

  • -click START > RUN > CMD
  • -type: telnet
  • -type: o 111.222.333.444 (that's the letter o as in lmnop, followed by the ip address of the switch)
  • -type in the password
  • -type: show interfaces (this will give the long version).
  • -type: show interfaces summary (this will give the traffic summary version).
  • -type: show interface description
  • -type: show ip interface (this will give the ports up/down status).
  • -type: show ip interface brief (this will give the ports up/down status at a glance).

NOTE: the 2960-S platform has a 100 Mbit/s management port identified as fastethernet0.

Show the Port Security on a Cisco 2960-S

  • -type: enable
  • -type: the-sudo-password
  • -type: show port-security (this will give the ports with the security violations).
  • -type: show port-security interface Gi 0/1 (this will give the individual port status as per port security).
  • -type: show port-security address (this will give the port security memorization table).

Configure the Port Security on a Cisco 2960-S

  • -type: config terminal
  • -type: interface Gi 0/19 (to configure that port).
  • -or type: interface range Gi 0/1 - 19 (to configure a range of ports).
  • -type: switchport port-security (to enable port security)
  • -type: switchport port-security maximum 1 (allows only 1 mac address to be assigned to the port).
  • -type: switchport port-security violation shutdown (shuts the port down if there's a violation; bringing it back requires manual intervention).
  • -type: switchport port-security mac-address sticky (collects the mac address and memorizes it).
  • -type: switchport port-security aging time 0 (set the aging time to 0)
  • -type: switchport port-security aging type absolute (set the mac address type to the only mac address allowed).

Manually Enable the Port after a Violation on Port Security

  • -while still in config mode.
  • -type: shutdown (this shuts the port down).
  • -type: no shutdown (this brings the port back up).

When a security violation happens, the port is shutdown and will not work. It requires manual intervention to make certain there is no malicious activity happening. The commands above will bring the port back up working with the original MAC address.

Clear out the Sticky MAC Address to Allow Another Computer/Device

  • -login to switch.
  • -type: enable
  • -type: config terminal
  • -type: interface G 0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19
  • -type: no switchport port-security mac-address sticky
  • -type: switchport port-security mac-address sticky
  • -type: no shutdown

This will clear out the mac-address that is remembered and bring the port back up so that it will work with another NEW-MAC address.

However, if the mac-address is still in the address-table, you will not be able to use this mac-address on another port. The mac-address has to be cleared from the original-port it is attached to.

First, find out if the mac-address is attached to a port and make note of the port.

  • -type: show port-security address

Now, shut down the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: shut

Now, clear out the mac-address from the original port:

  • -type: config t
  • -type: int gi0/19
  • -type: shut
  • -type: do clear port-security all interface gi0/19
  • -type: no shut

Now, verify the mac-address is gone:

  • -type: do show port-security address
  • -type: end

Finally, bring back up the new port:

  • -type: config t
  • -type: int gi0/28
  • -type: no shut

You can see if a port is in violation by:

  • -type: show int status

To recover any port that is in violation:

  • -type: config t
  • -type: errdisable recovery cause psecure-violation

But then you have to wait the Timer-Interval-Seconds before the port is available again.

To see the timeout:

  • -type: show errdisable recovery

You might want to see if any mac-address is in the table:

  • -type: show mac address-table

Disable Port Security

  • -while in config mode & while in an interface or range of interfaces
  • -type: no switchport port-security

End the Config Session

  • -type: end

To Tail the Logs

  • -type: terminal monitor
  • -type: terminal no monitor

Save the Changes

  • -type: write memory
  • -or type: copy running-config startup-config

Robocopy

Windows can't copy correctly by default. As a note for myself, I'm shamelessly copying from somewhere on the internet:

robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log

A real-world example is copying the BACKUP-DRIVE to an EXTERNAL-DRIVE but only files for the last 90 days:

robocopy z:\ t:\ /MIR /Z /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /MAXAGE:90 /LOG:Robocopy.log

Here's what the switches mean:

  • source :: Source Directory (drive:\path or \\server\share\path).
  • destination :: Destination Dir  (drive:\path or \\server\share\path).
  • /E :: copy subdirectories, including Empty ones.
  • /ZB :: use restartable mode; if access denied use Backup mode.
  • /DCOPY:T :: COPY Directory Timestamps.
  • /COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).  Copies the Data, Attributes, Timestamps, Owner, Permissions and Auditing info
  • /R:n :: number of Retries on failed copies: default is 1 million but I set this to only retry once.
  • /W:n :: Wait time between retries: default is 30 seconds but I set this to 1 second.
  • /V :: produce Verbose output, showing skipped files.
  • /TEE :: output to console window, as well as the log file.
  • /LOG:file :: output status to LOG file (overwrite existing log).

The above will copy the directory. You will have to manually re-setup the share.

This is why the best practice is to use full permission for everyone on the share, and limit the permission using NTFS permissions. And wait till everyone leaves the office.

NOTE: Robocopy can be cantankerous. If you get the error message, "access is denied" or "This security ID may not be assigned as the owner of this object" then try it this way.

-first, map a drive: net use k: \\server\share-name /user:pc-name\username password-here

-second, use robocopy with /COPY:DAT instead of /COPYALL. Like this: robocopy E: K:\share-name /E /ZB /DCOPY:T /copy:DAT /R:1 /W:1 /V /TEE /MT:12 /LOG:Robocopy.log

Find the Size of the current directory

I can never remember how to find the size of the current directory in linux. Here it is:

du --max-depth=1

BCD Replaces Boot.ini

Twice this week I've been bitten by the BCD or BOOT CONFIGURATION DATA.

BCD replaces the BOOT.INI file in older systems such as XP. BCD is found in WINDOWS VISTA and newer systems. The BCD is an OPERATING SYSTEM FILE and will be hidden unless the options are set to view those files:

  • -open any EXPLORER window.
  • -click ORGANIZE > FOLDERS & SEARCH OPTIONS
  • -click the VIEW tab (at the top).
  • -uncheck HIDE PROTECTED OPERATING SYSTEM FILES.
  • -click OK.

Previously, there was a boot.ini file. To edit the boot.ini file, simply edit the file with a text editor. Now to edit the BCD, you must use BCDEdit.exe.

The overall problem becomes that the BCD is unreliable (hence the name Microsoft). It causes issues like:

"the trust relationship between this workstation and the primary domain failed" in WINDOWS 7
(bcdedit /store S:\Boot\BCD /set {default} bootstatuspolicy ignoreallfailures)

and

"inaccessible boot device" WINDOWS 8.1
(Bcdedit /store S:\BOOT\BCD /set {default} truncatememory 4294967296)
(T:\windows\system32\bcdedit /store S:\boot\bcd /set {default} truncatememory 4294967296)

Both require edits to the BCD. But how do you edit the BCD when the system isn't accessible?

How to Edit the BCD

The BCD is actually a file in a small hidden directory. If you could connect the external drive to a working system and assign the letter S to the drive, the file location would be:

S:\Boot\BCD

Please note that this is NOT the WINDOWS OS partition. This is a small NTFS partition (100MB for WINDOWS 7 & 300MB for WINDOWS 8) before the WINDOWS OS partition. This partition is marked as ACTIVE and will therefore be chosen as the partition to boot from.

This is really confusing because there is a T:\Boot\BCD as well.

True to MS standard, they put out way too much unnecessary jargon here: http://technet.microsoft.com/en-us/library/cc721886%28WS.10%29.aspx#BKMK_bcdedit

  • -connect the harddisk with the corrupt BCD into another computer that is running Windows.
  • -mount the defective partition on a drive (in my case S:\)
  • -in the partition the file S:\Boot\BCD is the one that needs to be repaired.
  • -open a command prompt (Cmd.exe) (as administrator)
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum
  • -you are viewing the BCD.
  • -to view everything in the BCD...
  • -type: T:\Windows\System32\bcdedit /store S:\Boot\BCD /enum all

How to Edit Some of the BCD Settings:

The BCD will have a BOOT-MANAGER called BOOTMGR. This is a boot manager for the entire disk. You can think of it as a GRUB, LILO, GRUB4DOS, etc or any other bootloader. It can be used to redirect the boot to the MAIN WINDOWS OS but it can also boot other OS's as well. Most people won't get this far. They just want their MAIN WINDOWS OS to boot correctly.

After the BOOTMGR section, comes all the WINDOWS OS sections. Typically, the main section will be called DEFAULT and it will show as {default}.
(NOTE: don't let the curly brackets scare you).

For example, if you wanted to change the BOOTMGR device and the DEFAULT device, here's how.
(Please do not type this in... This is just an example.)

T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {bootmgr} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} device boot
T:\Windows\System32\bcdedit /store S:\Boot\BCD /set {default} osdevice boot

This will change the settings for those key values.

You can also use an awesome handy tool called VISUAL BCD EDITOR located at: http://www.boyans.net

Fix the BCD

If you would like to rebuild the BCD, here's how:

  1. Put the Windows Vista or Windows 7 or Windows 8 media in the DVD drive / usb, and then start the computer.
  2. Press a key when you are prompted.
  3. Select a language, a time, a currency, a keyboard, or an input method, and then click Next.
  4. Click Repair your computer.
  5. Select the operating system that you want to repair, and then click Next.
  6. In the System Recovery Options dialog box, click Command Prompt.
  7. Type Bootrec.exe, and then press Enter.

That will automatically try and fix the BCD if it's broken.

Rebuild the BCD

Same as fixing the BCD above but using switches at the end.

Bootrec.exe /FixMbr
Bootrec.exe /FixBoot
Bootrec.exe /ScanOs
Bootrec.exe /RebuildBcd

WINDOWS 8.1 Considerations

WINDOWS 8.1 installs a hidden 300MB NTFS partition.

If WINDOWS is loaded, some may investigate and fiddle around with the BCD on the main partition in C DRIVE, not realizing that the BCD actually being loaded lives in another hidden partition set aside for it.

If you boot from a CD/USB, the BCD PARTITION will be the C DRIVE and the WINDOWS OS PARTITION will be the D DRIVE.

BCDEDIT Says zero Total Identified Windows installations

If you get as far as: Bootrec.exe /ScanOs

And it says:

"zero Total Identified Windows installations: 0"

Then you may have to rebuild the BCD. Be sure to back up the original BCD first.

  • boot from a WINDOWS VISTA/7/8 media as above.
  • cd c:\boot (note that this is not the normal C DRIVE. If you boot from a WINDOWS 7 or WINDOWS 8 install disk, the disk will see all the partitions and LETTER them accordingly. The C DRIVE will be the BCD partition and the D DRIVE will be the WINDOWS partition.)
  • bcdedit /export c:\bcdbackup
  • attrib c:\boot\bcd -h -r -s
  • ren c:\boot\bcd bcd.old
  • bootrec /rebuildbcd
  • type: Y
  • press: ENTER

You should get some kind of awesome message to let you know that it is rebuilt correctly.

Set VPN Idle Timeout on Windows Server 2012

  • -open SERVER-MANAGER.
  • -click TOOLS > ROUTING & REMOTE ACCESS
  • (a new window opens)
  • -right-click REMOTE ACCESS LOGGING (on the left-hand side).
  • -click LAUNCH NPS.
  • (a new window opens)
  • -click NETWORK POLICIES (on the left-hand side).
  • -right-click "Connections to Microsoft Routing and Remote Access server"
  • -click PROPERTIES.
  • -click CONSTRAINTS tab (at the top).
  • -click IDLE TIMEOUT (on the left-hand side).

The IDLE TIMEOUT settings can be configured here.

GnuWin32 Where Have You Been All My Life?

GnuWin32 Where Have You Been All My Life? As they say, necessity is the mother of invention. I always wanted to use *nix commands on the Windows platform before but never really needed it until I was forced to deal with a Windows Server on a daily basis.

My disgust for some of the ways Windows operates should be apparent by now but if not, let me tell you; I'm disgusted. I could have learned commands in the 1970's that are still in practice today. Or if I traveled with Windows, I would have to learn over and over again.

GnuWin32 is an application package suite that allows you to use *nix commands on Windows.

This should get all your familiar *nix commands in the COMMAND SHELL.

Group Policy, Organization Units, Server 2012

In my mind, it's very simple. You have USERS and you have GROUPS (anything that is more than 1 user). If I need to do something, I should create a rule and apply it to the group.

In Microsoft Server 2012, it doesn't exactly work that way. It, in true fashion, has to be as difficult as humanly possible.

To look at the default structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > ACTIVE DIRECTORY USERS & COMPUTERS.
  • -a DOMAIN TREE shows.
  • (It has USERS, COMPUTERS but it doesn't have GROUPS. GROUPS are erroneously mixed in with USERS)

To add a GROUP.

  • -click USERS.
  • -right-click USERS.
  • -click NEW > GROUP
  • -type in the GROUP-NAME.

To add USERS to GROUP.

  • -double-click GROUP NAME.
  • -click MEMBERS tab (at the top).
  • -click ADD.
  • -type in the NAMES you want to add.

Since I'm a big fan of GROUPS, I want to apply a login script just for a certain GROUP.

To look at the default Group Policy structure:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > GROUP POLICY MANAGEMENT.
  • -a GROUP-POLICY DOMAIN TREE shows.
  • (It has "GROUP POLICY OBJECTS". All your GPO's are here.)

Active Directory Hierarchy And The Way You See It Taught

Now what's interesting is that this doesn't match the USERS & COMPUTERS. There is no GROUPS section. Why? Because this is based off of LDAP. Why is that important? Because LDAP is hierarchical (and not relational). This means that one child can only have one parent. (But one parent can have many children. [Don't ask.]) So instead of GROUPS, they use ORGANIZATIONAL-UNITS. This hierarchical structure means that a USER cannot be a member of 2 different GROUPS in an ACTIVE DIRECTORY ORGANIZATIONAL UNIT (or AD and OU). The end result is that a USER-object can only be placed in one OU.

This is why there are so many articles and videos about structuring your AD and OU's correctly. Because it doesn't make sense to rational thinking and someone has to explain it in detail just to get it working. And even then, they have trouble getting it working smoothly. Most of the advice demonstrates that you should create OU's and then put both the computer-objects and the user-objects inside of that OU. The GROUP-POLICY is then applied to the OU and consequently it will be applied to the USER and/or COMPUTER.

Of course it will. The GP is attaching to the individual USER or COMPUTER.

Active Directory And The Way It Should Be Enterprise

In short, this may work well for the ENTERPRISE (a company with more than 300 users). Traditionally you should create OU's along geographic boundaries and then put both the computer-objects and the user-objects inside of that OU. It would look something like this:

OU-Kansas-City
----first-floor
--------computers
--------users
----basement
--------computers
--------users
OU-Chicago
----first-floor
--------computers
--------users
----basement
--------computers
--------users

The GROUP-POLICY is then applied to an OU and consequently it will be applied to the USER and/or COMPUTER.

Active Directory And The Way It Should Be Small Business

But what about everyone else? It doesn't work well for the small to medium enterprise (as defined by MS: a company with fewer than 300 users). For this segment, it's faulty thinking. I don't have a bunch of offices across the globe. I don't have multiple floors, levels and locations. If I follow the common advice, I no longer have a section called USERS that contains all my users. And I don't have a section called GROUPS that contains all my groups.

My mind doesn't work the way of the enterprise. I group people all the time and they can be in many groups at the same time. I can group my friend Jason as being the WORK GROUP, FRIEND GROUP and CHURCH GROUP. But again, you can't do this in AD.

What is nice about AD is that it is highly customizable. Consequently, you will see many (and I stress many) different ways to do this in articles, videos and in practice. Also due to this customization, I can create the way I want it, I just have to create it myself rather than this feature coming ready out-of-the-box.

All of that set aside, ultimately at the root-level of AD I want to have an OU called GROUPS. Under that GROUPS-OU, I locate all my SECURITY-GROUPS objects (out of the USERS and into the GROUPS). These are common units like ACCOUNTING, PRODUCTION, HR, IT, MANAGEMENT, MARKETING, OPERATIONS, SALES, etc. Each SECURITY-GROUP has the members that are needed.

The result looks similar to:

DOMAIN
    BUILTIN
    COMPUTERS
    GROUPS
        ACCOUNTING
        BUILTIN
        HR
        IT
        MANAGEMENT
        MARKETING
        OPERATIONS
        SALES
    USERS

This makes it easy on myself. Just keep it simple and create those SECURITY-GROUPS in the new GROUPS-OU, leave the computers in the COMPUTERS-OU and the users in the USERS-OU.

For clarity, if you click on USERS, there are only USER-OBJECTS in there. There are no GROUP-OBJECTS in there. All of the GROUPS have all been moved to the appropriate place in the GROUPS-OU.

GROUP POLICY That Applies To Groups

Now the problem becomes the GROUP-POLICY.

Counter-intuitively, GROUP-POLICY-OBJECTS (GPO's) cannot be applied to GROUP-OBJECTS. GPO's can only be applied to USER-OBJECTS and COMPUTER-OBJECTS. Remember from above where many tutorials, classes, videos and articles say to put the objects in the OU? This is why they teach you to do it this way. If they don't put the OBJECTS in the OU, the GP doesn't work.

So how do I apply a GPO to a SECURITY-GROUP?

By creating a GPO on domain-level (not the OU level), editing the GPO and assigning the GPO to the GROUP through SECURITY-FILTERING.

To create a new GPO:

  • -click SERVER-MANAGER (I'm pretty sure they ripped this name off another project).
  • -click TOOLS > GROUP POLICY MANAGEMENT.
  • -a GROUP-POLICY DOMAIN TREE shows.
  • -right-click the domain-name (ie contoso.com).
  • -click CREATE-A-GPO-IN-THIS-DOMAIN,-AND-LINK-IT-HERE [sic].
  • -type in a NEW-NAME.
  • -click OK

Edit the GPO:

  • -right-click the GPO.
  • -click EDIT.
  • -make all your changes in here. Don't worry about anything else at this point.

Assign GPO to the GROUP:

  • -click the GPO.
  • -you should be on the SCOPE tab (at the top).
  • -click ADD (at the bottom).
  • -type in the name of the GROUP.
  • -click OK.
  • -click DELEGATION tab (at the top).
  • -click ADVANCED button (at the bottom right).
  • (a new windows pops up).
  • -click AUTHENTICATED USERS (at the top section).
  • -find APPLY GROUP POLICY (at the bottom section).
  • -uncheck the ALLOW.
  • -find READ (at the bottom section).
  • -checkmark ALLOW (this should already be done but just to verify).
  • (This is not a typo. This allows all users to READ the GPO but doesn't assign it to them.)

Run The GPO On The Client Computer

  • -click START > RUN
  • -type: CMD
  • -type: gpupdate /force
  • -type: gpresult /h new-report.html (or if you are savvy, type: gpresult /R) (or if you want to punish yourself, type: gpresult /Z).
  • -open new-report.html to view results

SUMMARY

In summary, there is a USERS-&-GROUPS section in AD and there are OU's in GPO. They don't match. So we create our own GROUP-STRUCTURE in AD, create a GPO, link it to an OU and only give the AD GROUP access to the GPO through SECURITY-FILTERING.

NOTES:

-A good source of information is here: http://www.grouppolicy.biz
-And there are good videos on YouTube here: https://www.youtube.com/user/itfreetraining
-EVERYONE group does not include EVERYONE.
-AUTHENTICATED-USERS also includes DOMAIN-COMPUTERS. This is why it should not be entirely-removed from the GPO.
-On 06/22/16 a MS update breaks many GPO's but not the method above. Read the rest of the story here:
https://blogs.technet.microsoft.com/askds/2016/06/22/deploying-group-policy-security-update-ms16-072-kb3163622/

AWS S3, GovCloud and DropBox

So let's say that you need to share files with outside vendors. Historically, this is done through an FTP site. The problem is that FTP is insecure, really insecure. So insecure that in 2014 (and for many years before) it shouldn't even exist (you can throw telnet into this category as well).

In more modern times, this is done through services like DropBox, Gdrive, OneDrive, etc; with DropBox seemingly leading the way.

The problem becomes that certain industries are not allowed to use DropBox, not because DropBox doesn't meet technological requirements but because DropBox doesn't meet regulations. One of these industries is Government.

In walks Amazon Web Services or AWS. AWS has a number of cloud based products. There's so many services, it's dizzying. I'd be lying if I said that I knew and understood them all.

Now take all of these services and boil them down to the top 12 absolutely necessary services. Now make sure that only US Persons are able to access these services. This is GovCloud.

One of the primary services of AWS & GovCloud is S3. S3 is a simple cloud storage.

Create a DIRECTORY for the S3 to live:

  • -login to AWS GOVCLOUD.
  • -click S3.
  • -click CREATE BUCKET.

Create an OUTSIDE USER to access the S3:

  • -login to the AWS GOVCLOUD
  • -click IAM (or IDENTITY AND ACCESS MANAGEMENT).
  • -click USERS > CREATE NEW USERS.
  • -type in the USERNAME.
  • -click CREATE (at the bottom right).
  • -record the ID & KEY (you will not have another chance to do this).
  • -click CLOSE > CLOSE.
  • -click on the USER-YOU-JUST-CREATED.
  • -scroll to bottom.
  • -click MANAGE PASSWORD.
  • -click APPLY (at the bottom right).
  • -record the PASSWORD (you will not have another chance to do this).

The rest can be done through the AWS GOVCLOUD web site but it's actually easier to use CLOUDBERRY S3 EXPLORER PRO. It costs $30 at the time of writing but so what.

Assign USER to allow access to S3 bucket:

  • -click ACCESS MANAGER (at the top).
  • -click NEW POLICY WIZARD.
  • -click NEXT.
  • -bullet SELECT AN EXISTING IAM USER.
  • -checkmark the OUTSIDE-USER
  • -select NEXT.
  • -bullet GRANT READ & WRITE ACCESS TO SELECTED BUCKETS ONLY.
  • -checkmark ALLOW USER ACCESS TO AWS CONSOLE.
  • -click NEXT.
  • -checkmark the S3 BUCKETS you want to allow access to.
  • -click NEXT.

It will show you the STATEMENT it is going to implement. This will work for AWS S3 but it won't work for GOVCLOUD. GOVCLOUD has a different RESOURCE NAME. I'll spare you the details.

  • -everywhere you see "aws", replace it with "aws-us-gov"
  • (This took me an entire day to discover).
  • -click NEXT > NEXT.
  • if it gives an error saying that a policy already exists... ignore it. We already know. We just created it.
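An added Python example (my own code, not the CloudBerry wizard's output or the author's policy) that builds the kind of read & write statement the wizard produces for selected buckets and then moves it to GovCloud by rewriting only the partition field of each ARN. The action list, the bucket name and the aws:SourceIp condition that narrows the outside user to a vendor address range are my assumptions; the condition is there to show why a blanket "replace every aws" would also break things that are not ARNs.

```python
import copy
import json
import re
from typing import Dict, List, Set

# An ARN is arn:<partition>:<service>:<region>:<account>:<resource>. Only the
# partition field differs between commercial AWS ("aws") and GovCloud
# ("aws-us-gov"), so the rewrite is anchored to that field and nothing else.
_COMMERCIAL_ARN = re.compile(r"^arn:aws:")

# Constructed example: an outside vendor's address range used to narrow the
# IAM user. aws:SourceIp is a condition key, not an ARN, and must keep its
# "aws:" prefix in GovCloud too.
VENDOR_CIDR = "203.0.113.0/24"


def s3_read_write_policy(buckets: List[str], partition: str = "aws") -> Dict:
    """Read/write access to the selected buckets only (an assumption of what
    the wizard's 'grant read & write to selected buckets' statement contains)."""
    bucket_arns = [f"arn:{partition}:s3:::{name}" for name in buckets]
    object_arns = [f"{arn}/*" for arn in bucket_arns]
    return {
        "Version": "2012-10-17",
        "Statement": [
            {
                "Sid": "ListSelectedBuckets",
                "Effect": "Allow",
                "Action": ["s3:ListBucket", "s3:GetBucketLocation"],
                "Resource": bucket_arns,
            },
            {
                "Sid": "ReadWriteObjects",
                "Effect": "Allow",
                "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject"],
                "Resource": object_arns,
                "Condition": {"IpAddress": {"aws:SourceIp": [VENDOR_CIDR]}},
            },
        ],
    }


def _resources(stmt: Dict) -> List[str]:
    """Resource may be a single string or a list; normalise to a list."""
    res = stmt.get("Resource", [])
    return [res] if isinstance(res, str) else list(res)


def to_govcloud(policy: Dict) -> Dict:
    """Return a copy of a commercial-partition policy with every ARN moved to
    the aws-us-gov partition; actions and condition keys are left untouched."""
    fixed = copy.deepcopy(policy)
    for stmt in fixed["Statement"]:
        stmt["Resource"] = [_COMMERCIAL_ARN.sub("arn:aws-us-gov:", a) for a in _resources(stmt)]
    return fixed


def arn_partitions(policy: Dict) -> Set[str]:
    """Set of partitions used by the policy's ARNs; {'aws-us-gov'} is what
    GovCloud needs before the policy is attached."""
    return {arn.split(":")[1] for stmt in policy["Statement"] for arn in _resources(stmt)}


def condition_keys(policy: Dict) -> Set[str]:
    """Every condition key in the policy, to confirm the rewrite did not touch them."""
    keys: Set[str] = set()
    for stmt in policy["Statement"]:
        for operator in stmt.get("Condition", {}).values():
            keys.update(operator.keys())
    return keys


if __name__ == "__main__":
    commercial = s3_read_write_policy(["vendor-exchange-bucket"])
    gov = to_govcloud(commercial)
    print(json.dumps(gov, indent=2))
    # A blanket text replace would also mangle the condition key.
    broken = json.dumps(commercial).replace("aws", "aws-us-gov")
    print("aws-us-gov:SourceIp" in broken)  # True: that condition key no longer exists
```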

Now you have 2 sets of credentials for the OUTSIDE USER. You have a USERNAME & PASSWORD they can type in for the web site. They also have an ID and KEY they can use for a program.

Find DRAC IP Address

So you have a DRAC or DELL REMOTE ACCESS CONTROLLER. It is their proprietary version of IPMI. You can configure the DRAC via IP ADDRESS.

But how do you find the IP ADDRESS of the DRAC?

FIND DRAC IP ADDRESS

-install OPENMANAGE.

(as of this writing it is at: http://en.community.dell.com/techcenter/systems-management/w/wiki/1760.openmanage-server-administrator-omsa.aspx#Documentation_OMSA)

-click START > RUN

-type: cmd

-type: racadm getniccfg

(this gets the IP ADDRESS. By default it is usually: 192.168.0.120)

SET DRAC IP ADDRESS:

-type: racadm setniccfg -s ipAddress gatewayAddress subnetMask

OR

-click START > RUN

-click DELL OPENMANAGE > SERVER MANAGER.

Quickbooks 2014 H202 Error

SETUP

Quickbooks 2014 H202 error. So the Quickbooks is setup in a traditional style. The Quickbooks Server is installed on the Windows Server 2012 x64. Quickbooks is setup on the Windows 7 x64 client pc's.

The FILE SHARE is mapped to Q DRIVE but QUICKBOOKS is trying to access the file via \\ip-address-here\qb-file-name-here

ERROR

The client PC's can see the FILE SHARE, but trying to access the Quickbooks file gets the dreaded H202 error. This basically means, "something's wrong."

SOLUTION

The FILE SHARE is locked down to the ACCOUNTING group. The Quickbooks QuickBooksDB24 Service is starting with a new user called Quickbooks-something-I-can't-remember.

Either:

  • -add the QBUSER to the group that has access to the FILE SHARE.

OR:

  • -click START > RUN
  • -type: services.msc
  • -double-click: QuickBooksDB24
  • -a new window opens.
  • -click LOGON (at the top).
  • -bullet THIS ACCOUNT.
  • -type in a USERNAME & PASSWORD of a USER in the group that has access to the FILE SHARE.
  • -restart the QUICKBOOKSDB24 service.

That should do it.

Polycom Administrator Manual

http://supportdocs.polycom.com/PolycomService/support/global/documents/support/setup_maintenance/products/voice/soundpoint_ip_soundstation_ip_administrators_guide_v2_2.pdf

This is what I need. Read and digest.

I'm having a hard time with this. There is simply too much info that doesn't compute along with too much outdated info.

Apparently, you can configure the phones individually but also via config files from the server. That's what I want to do but I can't figure it out.

=============================

UPDATE 02/01/18

While it is certain that information is spread throughout the internet, I was finally able to piece this together that makes sense for me. Please see the Upgrading Polycom Phones Across Entire Location

Find Devices in Linux

To find devices in Centos/RHEL, you can issue a:

cat /proc/partitions

Or you can issue a:

fdisk -l

Either will do. The fdisk gives a little more info.

If you need to get the info for a USB device, try:

lsusb

DDWRT Guest Network

[UPDATE: This process isn't worth it anymore. For low-end projects, just buy an Asus router (it doubles as an access-point). For mid-sized projects, buy Ubiquiti. For high-end projects, buy Watchguard. Boom. Done. Easy.]

The goal is to have one wireless unit providing both the OFFICE WIFI and the GUEST WIFI. This wireless unit is an access point already running the OFFICE WIFI. It is not a router/gateway/firewall. A SonicWall is the router/gateway/firewall.

So how do we have a wireless GUEST WIFI as well as a regular OFFICE WIFI?

ADD GUEST WIFI NETWORK

  • -click WIRELESS > BASIC SETTINGS.
  • -find VIRTUAL INTERFACES (at the bottom).
  • -click ADD.
  • -give your guest wifi network a name.
  • -select ENABLE for AP ISOLATION.
  • -click SAVE > APPLY.

ADD PASSWORD TO GUEST WIFI NETWORK

  • -click WIRELESS SECURITY (at the top).
  • -select a mode (I chose WPA2 PERSONAL).
  • -select an algorithm (I chose TKIP + AES).
  • -type a password.
  • -click SAVE.

CREATE A BRIDGE

  • -click SETUP > NETWORKING (at the top).
  • -find BRIDGING SECTION (should be the 2nd from the top).
  • -click ADD.
  • -type: br1 (in the first box).
  • -click SAVE (at the bottom).
  • -new options will show under the bridge.
  • -type in an IP ADDRESS & SUBNET MASK (I typed in 192.168.2.1 & 255.255.255.0).
  • The idea here is that it must be a separate network from the main network. Since most small networks are 192.168.1.1 or 192.168.0.1, using 192.168.2.1 is fine.
  • -click SAVE > APPLY.

ASSIGN GUEST WIFI TO BRIDGE

  • -go to the BRIDGING SECTION again.
  • -find ASSIGN TO BRIDGE.
  • -click ADD.
  • -select BR1.
  • -select WL0.1
  • -click SAVE > APPLY.

ADD 2ND DHCP SERVICE

The DHCP service must be running to add a secondary DHCP service.

  • -click SETUP > BASIC SETUP (at the top).
  • -find the DHCP section.
  • -select DHCP SERVER.
  • -verify the appropriate network information.
  • -checkmark USE DNSMASQ FOR DHCP.
  • -checkmark USE DNSMASQ FOR DNS.
  • -checkmark DHCP-AUTHORITATIVE.
  • -click SAVE (at the bottom).
  • -click SETUP > NETWORKING (at the top).
  • -find the DHCPD section (at the bottom).
  • -click ADD.
  • -select BR1.
  • -select ON.
  • -click SAVE > APPLY SETTINGS (at the bottom).

CUSTOMIZE THE 2ND DHCP SERVICE

  • -click SERVICES (at the top).
  • -find the DNSMASQ section.
  • -select ENABLE for DNSMASQ.
  • -select ENABLE for LOCAL DNS.
  • -select ENABLE for NO DNS REBIND.
  • -type the following in the Additional DNSMasq Options:

dhcp-option=3,192.168.1.1
dhcp-range=192.168.1.100,192.168.1.150,255.255.255.0,24h
dhcp-option=6,192.168.1.1,4.2.2.2
interface=br1
dhcp-option=br1,3,192.168.2.1
dhcp-range=br1,192.168.2.100,192.168.2.150,255.255.255.0,24h
dhcp-option=br1,6,4.2.2.2,8.8.8.8

This should be fairly straightforward. We are setting the options for 2 sets of DHCP. Each set customizes the GATEWAY, DHCP RANGE and DNS for that DHCP set. You will have to customize this to fit your own needs.

This is different from most instructions you will see because this unit is an ACCESS POINT and not a GATEWAY/ROUTER/FIREWALL. Left to the defaults, the AP will automatically try to become the DNS & the GATEWAY for both DHCP ranges. That obviously won't do since we have other devices performing those functions. More importantly, I do not want the guest network to have the same DNS settings as the regular network. The settings above allow us to customize them to our needs.

ADD FIREWALL RULES

  • -click ADMINISTRATION > COMMANDS (at the top).
  • -find the COMMAND SHELL box.
  • -type the following:

iptables -I FORWARD -i br1 -m state --state NEW -j ACCEPT
iptables -I FORWARD -p tcp --tcp-flags SYN,RST SYN -j TCPMSS --clamp-mss-to-pmtu
iptables -I FORWARD -i br0 -o br1 -m state --state NEW -j DROP
iptables -I FORWARD -i br1 -d `nvram get lan_ipaddr`/`nvram get lan_netmask` -m state --state NEW -j DROP
iptables -t nat -I POSTROUTING -o br0 -j SNAT --to `nvram get lan_ipaddr`
iptables -I INPUT -i br1 -p tcp --dport telnet -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport ssh -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport www -j REJECT --reject-with tcp-reset
iptables -I INPUT -i br1 -p tcp --dport https -j REJECT --reject-with tcp-reset

  • -click SAVE FIREWALL (at the bottom).

This isn't straightforward at all. Basically, the first 5 commands allow internet access to flow: the first accepts new connections arriving on br1, the second clamps the TCP MSS, the third and fourth drop new connections between the office LAN (br0 and the LAN subnet) and the guest bridge, and the fifth NATs guest traffic behind the access point's LAN address. The last 4 commands block the GUEST WIFI from reaching the access point's own telnet, ssh and web admin ports.

That should do it! Save and Restart the unit to make sure that it survives a reboot. There are 2 separate networks, the OFFICE WIFI and the GUEST WIFI. The GUEST WIFI can access the internet but cannot access the office network. That includes any shares, printers or any other computers on the office network.

Show Last Logon

Let's say that you had a requirement to show the last time you logged onto the computer system, including any failed attempts.

To be clear, this message shows after anyone logs into the computer and before the DESKTOP shows.

  • click SERVER-MANAGER > TOOLS > GROUP POLICY MANAGEMENT
  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.
  • click COMPUTER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES >WINDOWS-COMPONENTS > WINDOWS LOGON OPTIONS
  • enable DISPLAY INFORMATION ABOUT PREVIOUS LOGONS...

Add a Login Message in Windows Server 2012

Let's say that you had a requirement to show a login message before someone logged into the computer. Maybe something like, "Hi, system usage is monitored, recorded, and subject to audit. By using the system, you grant consent to such monitoring and recording. Unauthorized use is prohibited and subject to criminal and civil penalties."

To be clear, this message shows before anyone logs into the computer and before the LOGIN BOX shows.

  • click SERVER-MANAGER > TOOLS > GROUP POLICY MANAGEMENT
  • right-click DEFAULT DOMAIN POLICY.
  • click EDIT.
  • click COMPUTER-CONFIGURATION > POLICIES > WINDOWS-SETTINGS > SECURITY SETTINGS > LOCAL-POLICIES > SECURITY-OPTIONS.
  • click INTERACTIVE LOGON: MESSAGE TEXT
  • edit the text.
  • click INTERACTIVE LOGON: MESSAGE TITLE.
  • edit the text.

(NOTE: Both have to be set or else it doesn't show.)

Windows Server 2012 Backup System State

I like to manually backup the SERVER STATE before I make any changes:

Add A Disclaimer to Exchange 2013

The best guide I've witnessed on this occasion is here:

http://www.techieshelp.com/exchange-2013-add-a-disclaimer/

I'm posting for my own reference.

ADD EXCEPTION

The only other item I would like to add is that there should be an EXCEPTION:

-click MORE OPTIONS.
-select THE SUBJECT OR BODY INCLUDES ANY OF THESE WORDS.
-paste the disclaimer in the box (don't worry if the whole disclaimer doesn't fit).
-click the + (the plus sign).
-click SAVE.

NOTES:
-the disclaimer will be placed directly at the end of the email.
-the disclaimer will only show at the very bottom of the email; underneath any forwards or replies that may be in the email.
-the disclaimer will only show once and will not repeat if the disclaimer already exists. This means it will not repeat on forwarded emails and reply emails.

Polycom Phone Sets Digitmap

Are you experiencing different results when you dial directly from the Polycom phone set than if you pickup the Polycom phone set and dial?

For example, to make a call:
-walk to the phone.
-dial 540-552-0497 (automated weather service number).
-hit DIAL.
-the call goes through on speaker phone.

Now, try this:
-walk to the phone.
-pick up the hand set (you hear a dial tone).
-dial 540-552-0497 (automated weather service number).
-nothing... (or possibly, "I am sorry, that is not a valid extension").

As referenced in the last post, a DIAL PLAN is a set of numbers that is used to dial out. What's interesting with the Fonality/Polycom solution is that the DIAL PLAN on the SERVER doesn't apply to the POLYCOM PHONE SETS directly. So what's happening here is when you simply dial the number and hit DIAL, you are using the SERVER DIAL PLAN.

When you pick up the phone set and dial the number, you are using the POLYCOM PHONE SET DIGITMAP (notice the difference between the DIAL PLAN & DIGITMAP).

What's even more interesting is that the two sets don't correspond. You can't simply take the SERVER DIAL PLAN and copy it to the POLYCOM PHONE SET DIGITMAP and expect it to work. Trust me. I've tried. We have to translate them.

So here are the SERVER DIAL PLANS again:

9 + nxxnxxxxxx
9 + 411
9 + 611
9 + 0
9 + nxxxxxxx
9 + 1nxxnxxxxxx
9 + 011.
9 + 11

To start fresh, I've wiped out the POLYCOM PHONE SET DIGITMAP.

The letter "n" is any single number other than 1 or 0. The problem is that "n" doesn't exist in the DIGITMAP syntax. You have to use [2-9].

The letter "x" is any single number. "x" does exist in the DIGITMAP syntax.

So here is my on-the-fly-translation:

[2-9]xx[2-9]xxxxxx
[2-9]11
-covered by rule 2
0 (telco operator)
[2-9]xxxxxxx
1[2-9]xx[2-9]xxxxxx
011xxx.T
-covered by rule 2

Additional DIGITMAP rules are as follows:

0T (allows for local operator)
[7]xxx (allows for local extension)
9[2-9]xx[2-9]xxxxxx
91[2-9]xx[2-9]xxxxxx
9011x.T

The complete final DIGITMAP looks like this:
[2-9]xx[2-9]xxxxxx|[1][2-9]xx[2-9]xxxxxx|9[2-9]xx[2-9]xxxxxx|91[2-9]xx[2-9]xxxxxx|[2-9]11|0|[7]xxx|011xxx.T|9011x.T
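As an added illustration (not part of the original post), here is a small Python translator and matcher for the rules above: it turns a server dial plan line into digitmap syntax with the n -> [2-9] and x rules, and it tests a dialed number against the final DIGITMAP so you can see which alternative the phone would accept. Treating the "T" timeout as end of input and the trailing "." of "011." as "xxx.T" are assumptions of this example taken from the post's own translation.

```python
import re

# The complete final DIGITMAP from the post, one alternative per '|'.
DIGITMAP = ("[2-9]xx[2-9]xxxxxx|[1][2-9]xx[2-9]xxxxxx|9[2-9]xx[2-9]xxxxxx|"
            "91[2-9]xx[2-9]xxxxxx|[2-9]11|0|[7]xxx|011xxx.T|9011x.T")


def dial_plan_to_digitmap(rule: str) -> str:
    """Translate one server dial plan rule (e.g. '9 + nxxnxxxxxx') into
    digitmap syntax. The '9 +' outside-line prefix is dropped, as in the
    post's translated list; 'n' becomes [2-9] because digitmaps have no 'n';
    'x' and literal digits pass through; a trailing '.' (open-ended number)
    becomes 'xxx.T', following the post's '011.' -> '011xxx.T' translation."""
    _, _, body = rule.partition("+")
    out = []
    for ch in body.strip():
        if ch == "n":
            out.append("[2-9]")
        elif ch == ".":
            out.append("xxx.T")
        elif ch == "x" or ch.isdigit():
            out.append(ch)
        else:
            raise ValueError(f"unsupported dial plan character {ch!r}")
    return "".join(out)


def digitmap_to_regex(alternative: str) -> re.Pattern:
    """Compile one digitmap alternative to a regex over a complete dialed
    string: 'x' is any digit, '.' repeats the preceding element zero or more
    times, 'T' (wait for the inter-digit timeout) is dropped because we only
    ask whether the digits collected so far match, and [..] classes and
    literal digits pass through unchanged."""
    parts = []
    i = 0
    while i < len(alternative):
        ch = alternative[i]
        if ch == "[":
            end = alternative.index("]", i)
            parts.append(alternative[i:end + 1])
            i = end + 1
            continue
        if ch == "x":
            parts.append("[0-9]")
        elif ch == ".":
            parts.append("*")
        elif ch.isdigit():
            parts.append(ch)
        elif ch != "T":
            raise ValueError(f"unsupported digitmap character {ch!r}")
        i += 1
    return re.compile("".join(parts))


def match_digitmap(dialed: str, digitmap: str = DIGITMAP):
    """Return the first digitmap alternative that matches the dialed digits,
    or None when the phone would reject them (the 'not a valid extension'
    case from the post)."""
    for alternative in digitmap.split("|"):
        if digitmap_to_regex(alternative).fullmatch(dialed):
            return alternative
    return None


if __name__ == "__main__":
    for rule in ("9 + nxxnxxxxxx", "9 + 1nxxnxxxxxx", "9 + 011."):
        print(f"{rule:18} -> {dial_plan_to_digitmap(rule)}")
    for number in ("5405520497", "95405520497", "911", "7001", "1234"):
        print(f"{number:12} -> {match_digitmap(number)}")
```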

Port Mapping on SonicWall

Let's say I want to access a server on port 5901 in the internal network, but from the outside network I want to connect to port 5900.

So it may look like this: 5900 => 5901

STEP 1: Create new custom service.

Create new service: RedirectExtPort on TCP 5901.

STEP 2: Add firewall-access-rule.

Firewall -> Access Rules

WAN -> LAN

Service: RedirectExtPort
Source: Any
Destination: WAN IP

STEP 3: Add NAT Policy

go to Network -> NAT Policies

New Policy:

Original Source: Any
Translated Source: Original
Original Destination: WAN IP
Translated Destination: InternalServerIP
Original Service: RedirectExtPort
Translated Service: RDP5900
Inbound Interface: WAN Port
Outbound Interface: Any

10 Steps In Setting Up a Fonality Server

Recently, I had the privilege to be involved in a new fiber line install from LEVEL3. The fiber line service was also ordered with a SIP service. This is new to me so I'll explain slowly in terms I can understand.

A SIP service is basically telephone service via internet only (no copper lines). Sometimes, this is called a SIP TRUNK or a VOIP TRUNK. Basically, it's the main connection with a USERNAME & a PASSWORD that they provide along with an OUTSIDE IP ADDRESS. To be clear, the only connection we have to the outside world is one internet connection, the fiber line. In this particular case, the connection's capacity is 10 Mbps.

Sitting in a physical brown box was a Fonality phone server. I have no idea who Fonality is or the extent of their service. I pulled it out of the box and racked it in the four post rack.

From here, I have no idea what to do. I have no idea how the Fonality server connects to anything. I have no idea where the phone numbers are coming from.

Here is the process I went through.

1-collect the phone numbers or the phone number block or the list of phone numbers that are assigned to the company. This block is coming from the company that is providing the SIP service. Call the company and get them.

2-collect the MAC ADDRESSES of the phone devices. The MAC ADDRESSES need to be collected and given to the crew at FONALITY. They will somehow associate the MAC ADDRESSES with the account. If the MAC ADDRESS is not associated with the account, the device cannot be used. I'm finding out more about this as I should be able to add devices myself. Currently, to my knowledge there is no way to add the sets by yourself. The Fonality support crew must do this for you.

3-connect the FONALITY server to the internet. It doesn't matter how. It just needs an internet connection. On mine, there were 2 nics on the back. NIC1 was the one that worked. To configure, I had to plug in a monitor, keyboard and mouse. Logging in with:

USER: ip
PASS: ip

This gave me limited options and one was to change the IP address. If you can't set it manually, it should be set to get an IP ADDRESS via DHCP.

The magic of the FONALITY is that upon connecting to the internet, it will automatically make a VPN call back to the FONALITY HQ SERVERS. The FONALITY HQ has a WEB ADMIN CONTROL PANEL (https://cp.fonality.com/) that configures the local PHYSICAL FONALITY SERVER (with pulls and pushes) via the VPN. Pretty cool.

4-connect to the WEB ADMIN CONTROL PANEL at https://cp.fonality.com/. FONALITY should give you a USERNAME & PASSWORD. I received one with a WELCOME LETTER in the box but it didn't work. I had to contact support to get the USER/PASS reset.

5-setup USERS/EXTENSIONS. Upon logging into the CP, you have to setup the USERS. This comes down to FIRST NAME, LAST NAME & EXTENSION NUMBER. The EXTENSION NUMBER can be any 4 digit extension but it cannot be changed later on. If you want to change the extension, the extension has to be deleted and recreated. At the bottom of the page, add the DEVICE to the EXTENSION.

6-setup the SIP account. Again, the SIP account is just a USER/PASS along with an OUTSIDE IP ADDRESS. Click OPTIONS > VOIP. Type in those 3 pieces of information and click ADD VOIP ACCOUNT.

7-setup DIAL PLAN. A DIAL PLAN is how the phones will be used to dial out for items such as local phone calls, long distance phone calls and international phone calls. Such as dial 9 to get an outside line. Click OPTIONS > DIAL PLAN. Here are the dial plans I setup:

9 + nxxnxxxxxx local call
9 + 411 Information local call
9 + 611 Phone Trouble local call
9 + 0 local call
9 + nxxxxxxx Standard local call local call
9 + 1nxxnxxxxxx long distance
9 + 011. International international
9 + 11 emergency

8-setup SONICWALL or other firewall. The Fonality server is going to require certain ports open on the firewall to work correctly. On a simple firewall, direct the following ports to the internal ip address:

  • icmp:0
  • icmp:3
  • icmp:4
  • icmp:5
  • icmp:8
  • icmp:9
  • icmp:10
  • icmp:11
  • tcp:21
  • tcp:22
  • tcp:53
  • udp:53
  • tcp:80
  • udp:4569
  • udp:5060
  • udp:5061
  • udp:5070
  • udp:5222
  • tcp:5222
  • tcp:6600
  • tcp:8000
  • udp:9710

On a SONICWALL, the concept is the same but you have to create an ADDRESS OBJECT. Create the services, if they are not already there. Finally, create the NAT POLICY. Typically, I use the WIZARD to set these up, at least for one service, and then add the other services later on.

9-setup phone sets via IP ADDRESS. Amazingly to me, some of the settings need to be set up individually, phone set by phone set. This kind of ruins the whole point of central management, but so be it. If the phone has an IP ADDRESS, type it in along with the USER/PASS. The important setup items here are LINE1 with the EXTENSION NUMBER. Also set up the NTP for the NETWORK TIME. Click GENERAL > TIME. The important part here is to set up the server name, which is something like s123456.fonality.com.

10-last of all, Fonality recommends setting an A RECORD in the DNS settings. The A RECORD is s123456.fonality.com and the IP ADDRESS is the INTERNAL IP ADDRESS of the server. This way, when the phone sets request info they will be directed internally rather than externally. It saves a few milliseconds.

LEVEL3 Fiber Line and Sonicwall

Just a mental note that a SONICWALL INTERFACE (X0, X1, X2, etc) needs to be manually set with a LINK SPEED of 100MB FULL DUPLEX for a LEVEL3 Fiber Line. It cannot be set to AUTONEGOTIATE.

Upgrade Exchange 2013

CURRENTLY:

-we are at EXCHANGE 2013 15.9.516.32 aka RTM
(You can find yours by typing: get-exchangeserver | fl AdminDisplayVersion)
(Visit the following for the current version list: https://technet.microsoft.com/en-us/library/hh135098%28v=exchg.150%29.aspx)
-underlying OS is WINDOWS SERVER 2012 STANDARD
-verified we have .NET 4.5 installed

AVAILABLE:
-CU5 15.0.913.22
-SP1

STEPS:
-only need CU5
(CU4 aka SP1 is not needed. All CU's are full updates and are not dependent upon previous CU's in any way.)
-downloaded CU5 to the server.


BACKUP AD
Take a confirmed backup of Active Directory

BACKUP EXCHANGE DB
Take a confirmed backup of your existing Exchange 2013 servers and databases


VERIFY AD HEALTH
-DCDIAG
-REPADMIN /SYNCALL

EXTRACT CU INTO ROOT DIRECTORY
-c:\Exch2013CU5


PREPARE AD LEVEL1
-setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms


VERIFY AD HEALTH
-repadmin /showreps
-DCDIAG

PREPARE AD LEVEL2
-Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
-Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

SET EXECUTIONPOLICY
-click START > ALL PROGRAMS > ACCESSORIES > WINDOWS POWERSHELL
-get-executionpolicy -list
-get-executionpolicy
-Set-ExecutionPolicy Unrestricted
-get-executionpolicy

ADD RSAT TOOL
-click Manage > Add Roles and Features > Features
-Expand to RSAT > FAT > FCT > FAILOVER CLUSTER COMMAND INTERFACE
-checkmark it
-click NEXT
-click INSTALL

PERFORM THE UPGRADE
-Setup /m:upgrade /IAcceptExchangeServerLicenseTerms

SET EXECUTIONPOLICY
-click START > ALL PROGRAMS > ACCESSORIES > WINDOWS POWERSHELL
-get-executionpolicy -list
-get-executionpolicy
-Set-ExecutionPolicy RemoteSigned
-get-executionpolicy


=================
FRIENDLY WEBSITES
=============================================
http://enterpriseit.co/microsoft-exchange/2013/prepare-ad-prepare-schema/
http://blog.jasonsherry.net/2014/05/28/exchange-2010-sp3-ur6-and-2013-cu5-released/
http://windowsitpro.com/blog/exchange-2013-cu5-a-good-update
http://exchangeserverpro.com/exchange-server-2013-cumulative-update-5-released/
http://msexchangeteam.in/how-to-backup-exchange-server-2013-database-part-1/

Datacenter Backups Are Tough

Datacenter backups are tough. They have been killing me through the years. Why? Simply because there is too much data. Sure, backing up a desktop or a phone isn't too hard as the options are available, but what do I do in a datacenter? What are my options?

Good question. What are my options? Well, let's think about it.

Typically, the first option I think of is a backup to an external HD or a USB HD. On a desktop this is easy: plug the USB HD into the desktop and off you go. In a datacenter, I can't plug in the USB. It's thousands of miles away. When I called one datacenter about this option, they said I would have to rent out another unit or another U. This is obviously expensive. Plus I would have to pay for a USB drive and the time for a tech to work with me. That part shouldn't be too bad but you never know.

But if I'm going to pay for another U, I might as well have a second server to backup to.

Which leads to the second option, a second server. A second server wouldn't be too bad. There are many pros: it is available, I have control, I could use it in a pinch for something else if I needed, and I could possibly experiment with high availability items.

The issue with a second server is setup. The thought of having to set up a secure RSYNC is daunting to me. There are too many things that could go wrong and I wouldn't know it until they did go wrong. Items like my backup not working until I needed it.

The second issue with a second server is simply my pennywise roots. I'm not paying a full server setup simply for backup if I can get around it.

The third option is to backup to desktop. This simply won't work. There's simply too much data. I'm not downloading 500GB of info via web to a local desktop. Even if I did go down this path the major issue would be restoring it if I needed to. How would I get the data back to the rebuilt server? Wait days for it to transfer 500GB? It would be faster if I drove it there. I simply don't like it.

Luckily for me, my new awesome datacenter has a fourth option: NAS. Network attached storage. So basically it's an external HD that is accessible via LAN connection. Better yet, I can set it up without any intervention from them. I can just order it up via the control panel they provide and it is ready to go in a matter of 1 minute. Awesome. They automatically provide the NAS connection name, the share name, the username and the password.

But would it work? Well, they offer a free 20GB NAS for testing out. Huh? Are you kidding me? That's awesome.

So I type in the credentials on the backup panel, signal a manual backup and voila, it works. After all these years, a seemingly daunting and expensive task boiled down to a literal 5 minute operation. Amazing.

Thank you to all the datacenter professionals and backup developers that made this possible.

SuperMicro Intelligent Management

Wow! I'm learning a whole bunch about SuperMicro Intelligent Management. It basically provides a way to control the physical server from a remote location. Or as they put it you can have "system management in a pre-OS or an OS-absent environment." Pretty cool.

I can view the bios, change bios settings, change IP settings, view the screen as if I were sitting right in front of the server. Again, pretty cool.

A couple of notes for me:

-CONSOLE REDIRECTION, KVM CONSOLE and IPMI are all the same type of item and refer to the same thing, a remote console.

-SOL is SERIAL OVER LAN. I do not know what this is but I think it's passé. I'll check and report if I find differently.

Here you can get the IPMIView:

ftp://ftp.supermicro.com/utility/

But you don't need it. Just hit the IP address of the IPMI nic in INTERNET-EXPLORER (will not work in FIREFOX) and a login page will show. The default user/pass is:

  • USER: ADMIN
  • PASS: ADMIN
  • (case-sensitive)

You may have to add the ip address to the JAVA security section before this will work:

  • start > control-panel > java
  • click SECURITY tab (at the top).
  • click EDIT-SITE-LIST
  • type your ip-address like so: https://1.2.3.4
  • click OK > OK

To add an ISO:

  • click VIRTUAL-MEDIA > VIRTUAL-STORAGE

From here you can add an ISO, IMA, USB, etc

To update the SUPERMICRO BIOS:

  • get a bootable ISO here: http://pingtool.org/downloads/fd11src_live.iso
  • get the bios zip file for your motherboard from the supermicro web site
  • extract the bios zip files
  • open AMI.BAT in a text-editor
  • comment out the following lines by adding the double colon (::) in front of the lines:
    ::REN AFUDOSU.SMC AFUDOSU.EXE
    ::REN AFUDOSU.EXE AFUDOSU.SMC
  • manually rename AFUDOSU.SMC to AFUDOSU.EXE
  • download the MAGICISO program.
  • install MAGICISO.
  • start MAGICISO.
  • open the bootable ISO.
  • add the bios files to the FREEDOS > 3RDPARTY folder
  • save the ISO (click file > save).
  • connect the ISO to the VIRTUAL-MEDIA (as above).
  • choose FREEDOS from the menu.
  • change to the 3RDPARTY folder: cd 3RDPARTY
  • type: AMI filename.xxx (ie: ami X10SLM5.c21)
  • hit ENTER
  • wait.
  • wait more.
  • wait longer.
  • eventually it will complete.
  • once you get the message "System must power-off to have the changes take effect!", turn the power off on the IPMI.
  • disconnect the ISO.
  • power-on the system.
  • let it reboot 4 times on its own.
  • once it reboots to something, enter the bios and reset to the defaults (this is necessary as there are defaults that cannot be manually changed and must be set).
  • reboot again and enter bios.
  • set your bios options to your preference.

NOTES / LINKS:

Running a VMDK on VirtualBox

  • open VIRTUALBOX.
  • click NEW (at the top).
  • type in the name you want to see.
  • select the TYPE of system (in my case it's WINDOWS 7).
  • select the VERSION of system (in my case it's WINDOWS 7 X64).
  • select USE AN EXISTING HARD DRIVE FILE.
  • select the folder or CHOOSE.
  • browse to the VMDK file.
  • click CREATE.

Try to start it. Most likely it will BSOD with 0x0000007B.

Booting a VMDK in VIRTUALBOX BSOD's with 0x0000007B.

Now when you try to boot it, it will BSOD on you. It's happening because the STORAGE CONTROLLER is fubar'd. The problem is that images you import from other platforms into VirtualBox get the wrong HDD configuration by default, and Windows hates you for changing hard drive controllers. Here's how to fix it (loose instructions, as the specifics change from version to version):

  • open VIRTUALBOX.
  • right-click on the VM.
  • click SETTINGS.
  • click STORAGE.
  • select the SATA CONTROLLER.
  • click REMOVE.
  • click ADD NEW CONTROLLER.
  • click ADD NEW ATTACHMENT TO STORAGE.
  • select IDE.

Now the VMDK should boot fine.

 

Manually Send An Email To An Outside Domain

Want to manually send an email to an outside domain from your Exchange 2013?

Destination SMTP server:   mail.foo-receive.com
Source domain:   foo-send.com
Sender's e-mail address: <sender e-mail address>
Recipient's e-mail address: <recipient e-mail address>
Message subject:   Test from foo-send
Message body:   This is a test message

click START > RUN

type: cmd

at the command prompt type: telnet

press ENTER.

This command opens the Telnet session.

type: set localecho

This optional command lets you view the characters as you type them. This setting may be required for some SMTP servers.

press ENTER.

Type: set logfile c:\telnetsession.txt

This optional command enables logging of the Telnet session to the specified log file. If you only specify a file name, the location of the log file is the current working directory. If you specify a path and a file name, the path must be local to the computer. Both the path and the file name that you specify must be entered in the Microsoft DOS 8.3 format. The path that you specify must already exist. If you specify a log file that doesn't exist, it will be created for you.

Type: open mail.foo-receive.com 25

press ENTER.

Type EHLO foo-send.com

press ENTER.

Type MAIL FROM: <sender e-mail address>

press ENTER.

Type RCPT TO: <recipient e-mail address> NOTIFY=success,failure

press ENTER.

The optional NOTIFY command defines the particular delivery status notification (DSN) messages that the destination SMTP server must provide to the sender. DSN messages are defined in RFC 1891. In this case, you are requesting a DSN message for successful or failed message delivery.

Type DATA

press ENTER.

You will receive a response that resembles the following:

354 Start mail input; end with <CRLF>.<CRLF>

Type Subject: Test from foo-send

press ENTER.

press ENTER.

RFC 2822 requires a blank line between the Subject: header field and the message body.

Type: This is a test message

press ENTER.

Press ENTER

type a period ( . )

press ENTER.

You will receive a response that resembles the following:

250 2.6.0 <GUID> Queued mail for delivery

To disconnect from the destination SMTP server, type: QUIT

press ENTER.

You will receive a response that resembles the following:

221 2.0.0 Service closing transmission channel

To close the Telnet session, type: quit

press ENTER.
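The same exchange as an added Python example (not from the original post): a scripted stand-in for mail.foo-receive.com listens on a loopback port and answers with the reply codes shown above, while an smtplib client sends the EHLO / MAIL FROM / RCPT TO with NOTIFY / DATA / QUIT sequence instead of typing it into telnet. The sender and recipient addresses are constructed placeholders, and the server's replies are this example's script, not a real Exchange transcript.

```python
import smtplib
import socket
import threading

# Constructed sample values standing in for the post's obscured addresses.
SENDER = "sender@foo-send.com"
RECIPIENT = "recipient@foo-receive.com"


def fake_receiving_server(listener: socket.socket, transcript: list) -> None:
    """Scripted stand-in for mail.foo-receive.com: answers each command with
    the reply code the post shows and records the client's command lines and
    the message body so the exchange can be inspected afterwards."""
    conn, _ = listener.accept()
    rfile = conn.makefile("rb")

    def reply(line: str) -> None:
        conn.sendall((line + "\r\n").encode())

    reply("220 mail.foo-receive.com ESMTP")
    in_data, body = False, []
    for raw in rfile:
        line = raw.decode().rstrip("\r\n")
        if in_data:                      # message content until the lone '.'
            if line == ".":
                in_data = False
                reply("250 2.6.0 <GUID> Queued mail for delivery")
            else:
                body.append(line)
            continue
        transcript.append(line)
        verb = line.split(" ", 1)[0].upper()
        if verb == "EHLO":
            reply("250-mail.foo-receive.com Hello")
            reply("250 DSN")             # advertise RFC 1891 NOTIFY support
        elif verb in ("MAIL", "RCPT"):
            reply("250 2.1.0 OK")
        elif verb == "DATA":
            reply("354 Start mail input; end with <CRLF>.<CRLF>")
            in_data = True
        elif verb == "QUIT":
            reply("221 2.0.0 Service closing transmission channel")
            break
        else:
            reply("500 5.5.1 Command unrecognized")
    transcript.append("BODY:" + "\n".join(body))
    conn.close()


def send_test_message(host: str, port: int,
                      subject: str = "Test from foo-send",
                      text: str = "This is a test message") -> dict:
    """Run the post's EHLO / MAIL FROM / RCPT TO ... NOTIFY / DATA / QUIT
    sequence with smtplib and return the reply code for each step."""
    codes = {}
    with smtplib.SMTP(host, port, timeout=5) as smtp:
        codes["ehlo"] = smtp.ehlo("foo-send.com")[0]
        codes["mail"] = smtp.mail(SENDER)[0]
        codes["rcpt"] = smtp.rcpt(RECIPIENT, ["NOTIFY=success,failure"])[0]
        # RFC 2822 wants a blank line between the headers and the body;
        # smtplib appends the terminating <CRLF>.<CRLF> itself.
        codes["data"] = smtp.data(f"Subject: {subject}\r\n\r\n{text}\r\n")[0]
        codes["quit"] = smtp.quit()[0]
    return codes


def run_exchange() -> tuple:
    """Start the scripted receiver on a loopback port, drive the client
    against it, and return (reply codes, what the server recorded)."""
    listener = socket.socket()
    listener.bind(("127.0.0.1", 0))
    listener.listen(1)
    transcript: list = []
    server = threading.Thread(target=fake_receiving_server,
                              args=(listener, transcript), daemon=True)
    server.start()
    try:
        codes = send_test_message("127.0.0.1", listener.getsockname()[1])
    finally:
        server.join(5)
        listener.close()
    return codes, transcript


if __name__ == "__main__":
    codes, transcript = run_exchange()
    print(codes)
    print("\n".join(transcript))
```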

Windows 7 Won't Boot, Windows 7 Won't Boot Into Safe Mode, Hang On Searching For Windows Installations

How I got there:

  • user shutdown computer via START > SHUTDOWN.
  • computer started to load 8 updates during shutdown.
  • user didn't want to wait and hard shutdown pc by holding power button.
  • slap forehead.
  • boot into normal mode. Result: takes forever and then reboots (about an hour).
  • boot into safe mode. Result: takes forever to load and then reboots (about an hour).
  • same result for safe mode with command line.
  • boot from WINDOWS 7 CD. Click REPAIR YOUR COMPUTER. It goes to SEARCHING FOR WINDOWS INSTALLATIONS and stays for long time (I hard shutdown at about 1 hour).

What to do:

1 - MAKE BACKUP OF YOUR DATA.
In running a CHECKDISK, you are risking that an error will be discovered and the disk will refuse to run or start clicking.
You can easily use a KNOPPIX CD to access and transfer the data.

2 - MAKE BACKUP OF YOUR DATA.
Yes, this is in twice because the data is important. In running a CHECKDISK, you are risking that an error will be discovered and the disk will refuse to run or start clicking.
You can easily use a KNOPPIX CD to access and transfer the data.

3 - RUN A CHECKDISK

  • boot from WINDOWS 7 CD.
  • choose language & keyboard.
  • press SHIFT + F10.
  • a command prompt opens.
  • type: chkdsk c: /R

4- RENAME THE WINDOWS UPDATE

  • type: Ren c:\windows\winsxs\pending.xml pending.old

5 - RUN A SYSTEM FILECHECK

  • type: CD /D C:
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to WINDOWS 7 CD.
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to WINDOWS 7 CD.
  • type: SFC /SCANNOW /OFFBOOTDIR=C:\ /OFFWINDIR=C:\WINDOWS
  • reboot to hard drive.
  • yes 3 times. The above is NOT a typo.

In my particular case, the CHKDSK found an error and refused to proceed. A hard shutdown was performed. Upon reboot, the drive started clicking. The drive is now at a data recovery center.

NOTE: Thank you to the following link: http://www.sevenforums.com/tutorials/219533-troubleshooting-windows-7-failure-boot.html

Downgrade Windows 7 Professional to Windows 7 Home Premium

I usually like to skip the story of how I got into the situation, but on this occasion it's worth it since I can imagine this scenario happening for many.

I was repairing a client's computer since the hard drive died. I replaced the hard drive and needed to load the OS. The sticker on the computer box said WINDOWS HOME PREMIUM but the client didn't have the CD since the manufacturer doesn't include them anymore. I didn't have one either. I only had WINDOWS 7 PRO.

"What's the big deal," I thought. "I'm sure it's simple to change it afterwards." Well, it isn't.

I loaded the Windows 7 Professional but then it complained about not being activated and not being genuine.

Just like with most other issues, there is so much misinformation on the internet that it's almost impossible to fix anything nowadays. But it is possible to fix.

So here are my notes:

1-regedit
-go to HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion
-edit EDITIONID:

Options are:
Ultimate
Professional
HomePremium
HomeBasic
Starter

-edit: PRODUCTNAME:

Options are:
Windows 7 Professional
Windows 7 Ultimate
Windows 7 HOMEPREMIUM
Windows 7 Business
Windows 7 HOMEBASIC

2-download the freely available ISO of the WINDOWS version found here:

Windows 7 Home Premium 32Bit: http://msft.digitalrivercontent.net/win/X17-58996.iso
Windows 7 Home Premium 64Bit: http://msft.digitalrivercontent.net/win/X17-58997.iso

Windows 7 Professional 32Bit: http://msft.digitalrivercontent.net/win/X17-59183.iso
Windows 7 Professional 64Bit: http://msft.digitalrivercontent.net/win/X17-59186.iso

Windows 7 Ultimate 32Bit: http://msft.digitalrivercontent.net/win/X17-59463.iso
Windows 7 Ultimate 64Bit: http://msft.digitalrivercontent.net/win/X17-59465.iso

(NOTE: the product key number on the side of the computer box has to match the WINDOWS VERSION but it doesn't matter about the BIT VERSION. A Windows 7 Home Premium number will work with both the 32bit and the 64 bit)

3-download the eicfg_removal_utility.zip tool found here:
http://code.kliu.org/misc/winisoutils/

4-run the utility on the ISO to remove ei.cfg from the ISO.

5-download RUFUS found here:
http://rufus.akeo.ie/

6-run RUFUS and put the ISO on a USB.
(select all the defaults)

7-run SETUP.EXE on the USB.
(Do not boot from the USB).

8-click INSTALL NOW
(it's the only option it gives you).

9-click UPGRADE (it should allow you to go through the upgrade/downgrade process. It will keep all programs & files intact.)

10-type the product key on the side of the computer box.

Give it about an hour to complete this process.

Migrate to Office365

The migration to Office 365 is a pain. I'm not a fan. I could go on and on but there's almost no point in resisting. I even recommend switching to it to some of my clients.

To start the migration, you need an end-point. That end-point needs to have the following:

WEB SITE NAME: mail.contoso.com
SERVER NAME: contoso-dc (yes, this is the actual computer name).

In the migration, do not setup the users on the new side. The migration will automatically setup the users for you.

Block Cryptolocker on Exchange 2013

-log into your EXCHANGE ADMIN CENTER (EAC) with an Admin account.
-click on the Admin in the upper right hand corner.
-select Exchange.
-go to Mail Flow on the left.
-make sure you are on Rules.
-click the + (to Create New Rule).
-name it Block EXE.
-in the Apply this rule if... drop down select Any attachment's content includes...
-click the Enter words...
-type EXE
-hit the + (you should now see EXE where the Enter words... was).
-(if you want to add other extensions like BAT, MSI, CMD and so on, you can just click in that same spot).
-in the Do the following... drop down, select Reject the message with the explanation...
-type in: Executable content not allowed. 
-leave the Audit this rule with severity level: checked drop down as is (Not specified).
-choose a mode for this rule: radio button should be on Enforce.
-now hit Save


=====================================
Now add a second rule. This time when setting up the rule in mail flow, you need to:

-click on 'more options' (at the bottom of the rule).
-go back to 'apply this rule if' (at the top)
-select 'any attachment' then 'has executable content'.

Maybe I'll add a video here. Contact me if you really want one.

Connect PowerShell to Exchange 2013

Here's how to connect PowerShell to Exchange 2013:

-$Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri http://jdi/PowerShell/ -Authentication Kerberos
-Import-PSSession $Session

EXCHANGE 2013 PUTS MESSAGES IN DRAFTS FOLDER

Is your Exchange 2013 (Windows Server 2012) putting messages in the DRAFTS folder?

-hard code the IP ADDRESS in the c:\windows\system32\drivers\etc\hosts file as both FQDN and Friendly name.

It will look like this:

192.168.1.2     server.domain.tld
192.168.1.2     server

Restart the MAIL TRANSPORT service and everything should be right as rain.

This happens because the server is trying to use IPv6 and for some unknown-reason-to-me, the IPv6 wasn't working as it should. Hard coding the ip address in the HOSTS file forces the server to use IPv4.

Another 6 hours down the drain due to lack of logs in Microsoft Windows. This is exactly why I stopped using Microsoft software more than 10 years ago. At least with Red Hat (RHEL, Centos, Linux) you have something to go on. If you are a business, I recommend getting a support contract so that you can call when you need to.

OUTLOOK Email Calendar Crashes OUTLOOK

PROBLEM:
Emailing Calendar dates from OUTLOOK 2007 crashes the OUTLOOK app.

SOLUTION:
The WindowsShell.manifest file is missing from C:\Windows folder. Find another workstation where this file exists and copy it over.

Manually Transfer SME Server Data to New Install


SEQUENCE OF HOW WE GOT HERE

-3 drives (sda, sdb, sdc) in RAID 5 config.
-sudden power outage.
-sme won't boot.
-bad block on sda which makes up MD1.
-removing sda doesn't work for some reason.


WHAT I DID

Install Fresh SME Server

-buy new HD
-remove all old HD's
-install new HD
-install fresh SME on new HD
-shutdown machine

Re-insert Old HD

-remove new HD
-insert one of the good old HD drives

Boot from CD

-put in SME SERVER cd
-boot
-type: sme rescue
-hit enter
-don't start network
-accept other defaults

Change the LVM Name

(It's ok to run these commands. Only the last command affects the setup. Which can be easily changed back if needed)
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-lvm pvscan
-lvm lvscan
-lvm vgrename main mainold
-exit

Re-insert New HD

-remove old HD
-insert new HD drive

Boot New HD & Access Old HD

-boot up via new HD
-connect old HD via USB caddy.
-it should be /dev/sdb
-type: fdisk -lu /dev/sdb
-mdadm -AR /dev/md8 /dev/sdb2
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-mkdir -p /mnt/olddrive
-mount -t ext3 /dev/mainold/root /mnt/olddrive

Manually Copy Old Info

-cd /
-signal-event pre-restore
-/bin/cp -Ra /mnt/olddrive/etc/e-smith/templates-custom/ /etc/e-smith/
-/bin/cp -Ra /mnt/olddrive/etc/group /etc/
-/bin/cp -Ra /mnt/olddrive/etc/gshadow /etc/
-/bin/cp -Ra /mnt/olddrive/etc/passwd /etc/
-/bin/cp -Ra /mnt/olddrive/etc/samba/secrets.tdb /etc/samba/
-/bin/cp -Ra /mnt/olddrive/etc/samba/smbpasswd /etc/samba
-/bin/cp -Ra /mnt/olddrive/etc/shadow /etc/
-/bin/cp -Ra /mnt/olddrive/etc/smbpasswd /etc/
-/bin/cp -Ra /mnt/olddrive/etc/ssh/ /etc/
-/bin/cp -Ra /mnt/olddrive/etc/sudoers /etc/
-/bin/cp -Ra /mnt/olddrive/root/ / (I cheated here. I only grabbed the htop config file. I left the rest)
-/bin/cp -Ra /mnt/olddrive/opt/ /
-/bin/cp -Ra /mnt/olddrive/home/e-smith/db/ /home/e-smith/
-/bin/cp -Ra /mnt/olddrive/home/e-smith/Maildir/ /home/e-smith/
-/bin/cp -Ra /mnt/olddrive/home/e-smith/web/ /home/e-smith/

Manually Copy Mysql Info

service mysqld stop
/bin/cp -Ra /mnt/olddrive/var/lib/mysql/ /var/lib/
cd /var/lib/
chown -R mysql:mysql ./mysql
service mysqld start

Reboot with Transferred Configuration

-signal-event post-upgrade
-reboot
-this allows people to work/access the internet

Manually Copy Rest of Data

/bin/cp -Ra /mnt/olddrive/home/e-smith/files/ /home/e-smith/


Copy to New External HD

-leave HD's in the server.

Boot from CD

-plug in new HD via usb
-put in SME SERVER cd
-boot
-type: sme rescue
-hit enter
-don't start network
-accept other defaults

The new drive should show up as /dev/sdd.

Partition New HD

-type: fdisk /dev/sdd
-Press p > Press n > Press p, partition 1, default 1 > Press w
-type: mkfs.ext3 /dev/sdd1

Change to Old Info

-chroot /mnt/sysimage

Mount New HD

-mkdir -p /mnt/newdrive
-mount /dev/sdd1 -t ext3 /mnt/newdrive

Copy Info

-/bin/cp -Ra /home/ /mnt/newdrive

ScanMailX


If running your own mail server is still important to you, then you will need a few items in today's world even if they are not RFC required. These items are mainly:

  • spam filtering
  • antivirus filtering
  • spf
  • dkim
  • dmarc

You either have to build these yourself or use a product that has it built in. With cloud systems clearly on the rise, most are going to find that it isn't worth the trade off and succumb to the pressure of using Gmail or Microsoft Hosted Exchange for around $4 per month.

However, there are other options out there. If you don't want to give up control of the mail server (and I wouldn't blame you if you fall into this category) but still want the items listed above, you could always use SCANMAILX.COM

Though it doesn't look like much on the outside, it is actually a terrific product depending on the number of accounts you need to manage. For about $175, you can protect and secure all the accounts on the domain.

Jesper Knudsen is the brains behind SCANMAILX and one of the most brilliant developers of our time. After emailing back and forth a few short times so I could feel comfortable with the product, I signed up.

It is rather easy to get going as well. You don't even have to setup accounts on the SCANMAILX side. Three simple steps to change to SCANMAILX.

CHANGE TO SCANMAILX

  • change MX records TTL to 3600 (1 hour. The lowest TTL possible in NS).
  • be certain the FORWARD HOST is correctly configured in SCANMAILX account.
  • change DNS mx records to mxdk01.scanmailx.com & mxdk02.scanmailx.com.

It's been a few months since signing up and everything is humming along just fine and dandy. The controls on the administrator side of their web site are pretty straightforward.

Canon Advanced C5235: Change SMTP Port


Of course, with the recent changeover to Hosted Exchange, or Office365, we need to change all the outgoing email settings, or SMTP settings, on all the copiers. With most copiers it is pretty simple. But with Canon, they haven't put their SMTP Port in the web interface. Nearly 2014 and companies still design and engineer with brain damage.

  • walk to copier.
  • press the settings button.
  • press the numbers 2 & 8 simultaneously.
  • press the settings button again.
  • press the number 2 and the settings button once again (go into "level 2" of service mode).
  • press NETWORK > SMTPTXTN.
  • press the i symbol.

Running My Own Email Server


For the past 10 years, I've been running my own email server for a company of 750 accounts. It was built in my spare bedroom as a hobby and it fed my desire to learn. It worked very well and saved a ton of money, so I implemented it.

The Reasons

One of the reasons I did this was strictly control. I could easily control accounts, look into situations and make corrections if needed.

Another reason I did this was the detailed information I could get by looking at the log files. As in the posts above, I could look into the logs to see what's happening in real time and didn't have to put up with cryptic or erroneous messages.

Another primary reason was speed. I could make changes via command line faster than most people could change channels on their TV. A simple command line and BAM!, the info I needed was there.

The last primary reason I did was because I trusted myself rather than someone else. I knew that as long as the hardware was working correctly, the Centos email-server would be the energizer bunny of the rack.

The Downfall

The downfall of all of this is actually running it. And everything that comes with it. The technical aspect was the easy part. As I said, most Centos systems are rock solid stable. The tough part is the people. When email doesn't go through, they automatically think that there is something wrong with the system. Especially when business is on the line. It's easier to blame the system rather than themselves. Never do they think or admit that they could have made a mistake.

The reality is much different. If this 10 year project has taught me anything it's that people make a massive amount of mistakes. Massive. Let me say it again: MASSIVE!

The Human Factor

Telling people that the email didn't go through because they spelled the email address incorrectly was nearly a daily occurrence. It went like this... They spelled the name incorrectly. They received a bounce message. They assumed that something is wrong with the email server. They complained to me. Never once did they actually look at the bounce message and read what it said.

>> NO USER BY THAT NAME

"Oh, I must have spelled the email address incorrectly. Let me try again and spell it correctly." Were never words that anyone said. It was always, "I need this email to go through!!! There is something wrong with the system!!! How can we operate like this!!!"

When you tell them the email address is incorrect, they call you a smart-@$$ and grumble as they walk away. Really, I have better things to do than spend my adult years telling other adults that they can't spell.

Spam

Then comes the big issue: SPAM. I've nearly devoted my life to ridding my accounts of spam. It's been a back and forth battle. There were some days that I thought I would simply pull the plug and quit. But I stuck in there and eventually an updated RPM would come through, fixing the problem for a while until the process started again.

In recent years, the server has sometimes nearly choked on itself fighting the contents of messages but it kept pushing through.

Blacklisting

While blocking other blacklisted servers is a good idea in my mind, it is obviously not good for the people trying to get messages. In my mind, the complaints sounded like this: "My friend has a GoDaddy account that she bought the other night for a dollar and the account is on a server that is sending out millions of spam messages advertising pharmaceuticals. It's obviously blacklisted for very good reason, as most, if not all, blacklisted servers are, but I need her messages to come through. Can you fix it?"

So I'm supposed to adjust my system because theirs is obviously broken.

Example

Here's the progression of an actual complaint taken verbatim:

THEM: "I've had repeated complaints of emails getting denied, kicked back or undeliverable when people use my [removed].com address. Am about to lose a new listing because of... What's the problem!?"

ME: "They are on a blacklist. We don't receive email from blacklisted servers."

THEM: "I contacted my friend. Here is what he said..."

"Your email server uses a German blacklist database provider that looks to be shady at best. The IP address [blah, blah, blah] is owned by Network Solutions who hosts one of the largest email systems. Any reputable black list service would contact Network Solutions directly before blacklisting one of their email servers seeing how blacklisting a Network Solution server would cause a great deal of email to be 'bounced' or undelivered to your system. I recommend removing this black list from your mail server immediately. I would also recommend using an ironport or some other reputable SPAM filtering hardware over a hosted database look up. If you do decide to use a hosted service to reduce SPAM, definitely choose a more reputable company than UCEPROTECT...."

ME: "The server is on more than 5 different blacklists. They can't all be wrong. There is obviously an issue with the other server."

THEM: "...the email addresses [sic] are famous for being undependable. (Just ask [removed] from [removed company], [removed], [removed] and more)... Many [removed] agents use their own email addresses due to the poor workings of [removed] addresses."

ME: "Their email is hosted on Unified Layer. One of Unified Layer's servers was behaving badly. Consequently, that server was put on an external BLACKLIST that we utilize. This blocked all email from that particular server. Unified Layer has full time staff to handle issues like this and they fixed the issue rather quickly so everything should be ok. It is a common issue with Unified Layer just search on google here: https://www.google.com/search?q=unified+layer+blacklist"

THEM: "Our regular [removed] emails are not all coming in. I did not receive multiple emails from [removed] a couple days ago, and apparently our new client (who is about to list a $1m+ with us) is being rejected. Please fix asap, as he is very techy [sic] and if we are not receiving his emails..."

ME: "He's so techy [sic] that he's using Unified Layer as his email. Not a good sign. They are black listed again. Look at the 17 million results when you search for it via google."

THEM: "If [removed], [removed], [removed] and I (repeatedly) are all kicked back from [removed], we have a problem. I know other agents have addressed this same concern - answer always comes back that it is not [removed]'s issue. Yet our ability to receive necessary email continues to be compromised. More than likely, this very message will be kicked back. This is beyond frustrating - has been going on for 2+ years now with no success in remedying this crippling situation. It is not just 1 or 1 isolated incidents. Too many senders are being rejected."

ME: "Thanks for contacting me. You can help me by contacting me if you have a particular issue. You need to let me know what the issue is and what bounce message is. In other words, if someone sends you a message and they receive a bounce message, find out what the bounce is and send it to me. I'll be glad to look at it and point out where the issue is and make adjustments if necessary.

Can I make adjustments on technical information that is never sent to me? No I can't. Which is why I ask for your help.

They don't all get kicked back. Unified had a problem with one of their servers. They fixed it as they should. You can see from the info below that Barracuda agrees that this is an issue outside of [removed].

Nobody has sent me any bounce messages from [removed] but [removed] and I email each other on a regular basis. In fact we traded emails over the weekend.

Nobody has sent me any messages from [removed].

Concerning your email, you might have sent a message in the past but not recently. Again, if you are receiving a bounce message, let me know what it is."

Boring

The above is boring. That is my point. It's boring and pointless. They are trying to convince me that something is wrong on my end. I am trying to convince them to use a good email service like Gmail, or something similar that costs less than $5 per month.

The Switch

Today, I put an end to all of it. I switched over to a cloud service. It came down to Gmail or Microsoft Hosted Exchange. I chose Hosted Exchange because I don't like where Gmail is headed with the funny and ultimately too small compose message box on their web site. Yes, that is really why I didn't choose them.

The total project is going to cost 50K per year, or 500K over the same period I was doing it for free.

The biggest relief is that I don't have to do it anymore. If something is wrong, it's their fault. Do you think I will still get complaints?

Connect Powershell to Office365

If you need to connect to the EXCHANGE part of Office 365:

Start POWERSHELL (as administrator)

Then you run these commands:

  • Set-ExecutionPolicy RemoteSigned
  • net start winrm
  • winrm get winrm/config/client/auth
    (Confirms the WinRM client allows Basic authentication, which the session below needs.)
  • $LiveCred = Get-Credential
    (Then type in your Office 365 e-mail address & password; the account needs admin rights for the cmdlets that follow.)
  • $Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell/ -Credential $LiveCred -Authentication Basic -AllowRedirection
  • Import-PSSession $Session

I saved the connection commands above in a TXT document and put it here:
C:\Documents and Settings\[username]\My Documents\WindowsPowerShell

I renamed the file to:
Microsoft.PowerShell_profile.ps1

If you need to connect to the Active Directory part of Office 365:

  • Import-Module MSOnline
  • $MyCredential = Get-Credential
  • $O365Session = New-PSSession -ConfigurationName Microsoft.Exchange -ConnectionUri https://ps.outlook.com/powershell -Credential $MyCredential -Authentication Basic -AllowRedirection
  • Import-PSSession $O365Session -AllowClobber
  • Connect-MsolService -Credential $MyCredential

Caveat: Microsoft has since retired Basic authentication for Exchange Online PowerShell, so the New-PSSession lines above no longer connect; current tenants use the ExchangeOnlineManagement module (Connect-ExchangeOnline), and the MSOnline module is deprecated in favour of Microsoft Graph PowerShell. The Exchange cmdlets in the next post behave the same way once you are connected.

Powershell Useful Commands

These are my PowerShell useful commands: commands I want to use but can't remember the silly, nonsensical syntax for. I'll update it as I see fit. This is for me. If you can use it, great.

LOOK AT USER ACCOUNT EVERYTHING:
Get-Mailbox USERACCOUNT | Select *
LOOK AT USER ACCOUNT SELECTED PROPERTIES:
Get-Mailbox USERACCOUNT | Select prop1, prop2, etc
GET USER FORWARD EMAIL ACCOUNT
Get-Mailbox USERACCOUNT | FL *forward*
Get-Mailbox USERACCOUNT | Select Name, PrimarySMTPAddress, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward

NOTE: There are two properties that are very similar, ForwardingAddress & ForwardingSmtpAddress.

Here is the difference:
ForwardingAddress: a recipient that already exists in the organization (a mailbox or a mail contact), so the target only leaves the organization if that recipient is a mail contact with an outside address.
ForwardingSmtpAddress: any SMTP address, which is how forwarding to an external account is set up. Because it accepts arbitrary addresses, it is also the property an intruder sets to siphon mail out of a compromised mailbox, so it is worth auditing regularly.

SET FORWARDING TO EXTERNAL EMAIL ADDRESS
Set-Mailbox USERNAME -DeliverToMailboxAndForward $true -ForwardingSmtpAddress user@forwarding-domain.tld
DELETE FORWARDING TO EXTERNAL EMAIL ADDRESS
Set-Mailbox USERNAME -DeliverToMailboxAndForward $false -ForwardingSmtpAddress $Null
SET USER PSEUDONYM (ALIAS)
Set-Mailbox USERACCOUNT -EmailAddresses @{add="foouser1@domain.tld","foouser2@domain.tld"}

NOTE: Given a plain list, -EmailAddresses replaces the mailbox's whole address set, primary included. Use @{add=...} (or @{remove=...}) to change aliases without touching the rest.
FIND ALL USERS WITH FORWARDING ADDRESS SET TO AN EXTERNAL EMAIL ADDRESS
Get-Mailbox -ResultSize Unlimited | Where {$_.ForwardingSmtpAddress -ne $null} | Select Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward

NOTE: Without -ResultSize Unlimited, Get-Mailbox stops at 1000 mailboxes and the audit silently misses the rest.
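As an added example (this is not code from the original post), here is the fuller version of that forwarding audit. The one-liner only looks at ForwardingSmtpAddress; when you are hunting business e-mail compromise you also want ForwardingAddress (which may resolve to a mail contact with an outside address) and inbox rules that forward or redirect, which Get-Mailbox never shows. The functions below classify targets against the tenant's accepted domains and run offline on constructed sample objects; the commented Get-Mailbox, Get-MailContact, Get-InboxRule and Get-AcceptedDomain lines show how to feed them real data once connected. All domains and addresses in the sample are made up, and the sample is built to exercise each path: a direct external ForwardingSmtpAddress, a ForwardingAddress that resolves to an outside mail contact, an inbox rule that forwards and deletes, plus two internal cases that should not be reported.

```powershell
# Added example (not from the original post): audit mailbox forwarding against
# the tenant's accepted domains. Runs offline on constructed sample objects.
# Live, replace the samples with:
#   $mailboxes = Get-Mailbox -ResultSize Unlimited
#   $contacts  = Get-MailContact -ResultSize Unlimited
#   $rules     = $mailboxes | ForEach-Object { Get-InboxRule -Mailbox $_.Identity }
#   $domains   = (Get-AcceptedDomain).DomainName

function Get-SmtpDomain {
    # Exchange hands back recipients in several shapes: "smtp:user@x.tld",
    # "SMTP:User@X.TLD" or '"Name" [SMTP:user@x.tld]'. Take the domain after "@".
    param([string]$Address)
    if ([string]::IsNullOrWhiteSpace($Address)) { return $null }
    $m = [regex]::Match($Address, '@([A-Za-z0-9.-]+)')
    if ($m.Success) { return $m.Groups[1].Value.ToLowerInvariant() }
    return $null
}

function Test-ExternalAddress {
    # True when the address resolves to a domain the tenant does not own.
    param([string]$Address, [string[]]$AcceptedDomains)
    $domain = Get-SmtpDomain $Address
    if (-not $domain) { return $false }
    return ($AcceptedDomains -notcontains $domain)
}

function Find-ExternalForwarding {
    param(
        [object[]]$Mailboxes,
        [object[]]$Contacts,       # mail contacts: Name, ExternalEmailAddress
        [object[]]$InboxRules,     # rules: MailboxOwnerId, Name, ForwardTo, RedirectTo, ForwardAsAttachmentTo, DeleteMessage
        [string[]]$AcceptedDomains
    )
    $findings = [System.Collections.Generic.List[object]]::new()

    # ForwardingAddress names a recipient object, not an SMTP address; it only
    # leaves the organisation when that recipient is a mail contact that does.
    $contactTarget = @{}
    foreach ($c in $Contacts) { $contactTarget[$c.Name] = $c.ExternalEmailAddress }

    foreach ($mbx in $Mailboxes) {
        if (Test-ExternalAddress $mbx.ForwardingSmtpAddress $AcceptedDomains) {
            $findings.Add([pscustomobject]@{
                Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingSmtpAddress'
                Target  = $mbx.ForwardingSmtpAddress; CopyKept = [bool]$mbx.DeliverToMailboxAndForward })
        }
        if ($mbx.ForwardingAddress -and $contactTarget.ContainsKey($mbx.ForwardingAddress)) {
            $ext = $contactTarget[$mbx.ForwardingAddress]
            if (Test-ExternalAddress $ext $AcceptedDomains) {
                $findings.Add([pscustomobject]@{
                    Mailbox = $mbx.PrimarySmtpAddress; Source = 'ForwardingAddress (mail contact)'
                    Target  = $ext; CopyKept = [bool]$mbx.DeliverToMailboxAndForward })
            }
        }
    }

    # Inbox rules are the other common exfiltration path and are invisible to Get-Mailbox.
    foreach ($rule in $InboxRules) {
        foreach ($prop in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
            foreach ($target in @($rule.$prop)) {
                if (Test-ExternalAddress $target $AcceptedDomains) {
                    $findings.Add([pscustomobject]@{
                        Mailbox = $rule.MailboxOwnerId; Source = "InboxRule '$($rule.Name)' $prop"
                        Target  = $target
                        # RedirectTo leaves no copy; ForwardTo plus DeleteMessage hides it the same way.
                        CopyKept = ($prop -ne 'RedirectTo') -and -not [bool]$rule.DeleteMessage })
                }
            }
        }
    }
    return $findings.ToArray()
}

# --- constructed sample data (assumed values, not tenant output) ---
$domains   = 'example.com', 'example.net'
$mailboxes = @(
    [pscustomobject]@{ PrimarySmtpAddress = 'alice@example.com'; ForwardingSmtpAddress = 'smtp:alice.home@freemail.example'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
    [pscustomobject]@{ PrimarySmtpAddress = 'bob@example.com'; ForwardingSmtpAddress = $null; ForwardingAddress = 'Outside Vendor'; DeliverToMailboxAndForward = $false }
    [pscustomobject]@{ PrimarySmtpAddress = 'carol@example.com'; ForwardingSmtpAddress = 'smtp:helpdesk@example.net'; ForwardingAddress = $null; DeliverToMailboxAndForward = $true }
)
$contacts  = @( [pscustomobject]@{ Name = 'Outside Vendor'; ExternalEmailAddress = 'SMTP:invoices@vendor.example' } )
$rules     = @(
    [pscustomobject]@{ MailboxOwnerId = 'dave@example.com'; Name = 'sweep'; ForwardTo = @('"Dave" [SMTP:d.mail@attacker.example]'); RedirectTo = @(); ForwardAsAttachmentTo = @(); DeleteMessage = $true }
    [pscustomobject]@{ MailboxOwnerId = 'erin@example.com'; Name = 'to team'; ForwardTo = @(); RedirectTo = @('"Team" [SMTP:team@example.com]'); ForwardAsAttachmentTo = @(); DeleteMessage = $false }
)

Find-ExternalForwarding $mailboxes $contacts $rules $domains | Format-Table -AutoSize
```

The CopyKept column is the triage hint: forwarding that leaves no copy in the mailbox (RedirectTo, or ForwardTo combined with DeleteMessage) is what an intruder sets up so the owner never notices, so review those rows first. Run the audit on a schedule and diff the output against the last run rather than eyeballing the full list.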
FIND ALL USERS IN A GROUP
Get-DistributionGroupMember GROUP-NAME@DOMAIN.TLD
FIND ALL INFO ABOUT A GROUP
Get-DistributionGroup GROUP-NAME@DOMAIN.TLD | FL
ADD USER TO A GROUP
Add-DistributionGroupMember -Identity GROUP-NAME@DOMAIN.TLD -Member USERNAME -BypassSecurityGroupManagerCheck
REMOVE USER FROM A GROUP
Remove-DistributionGroupMember -Identity GROUP-NAME@DOMAIN.TLD -Member USERNAME -BypassSecurityGroupManagerCheck

By default only accounts inside the organization can email groups. To set a group to accept senders outside the organization:

SET A GROUP TO ACCEPT SENDERS OUTSIDE OF THE ORGANIZATION
Set-DistributionGroup -Identity GROUP-NAME@DOMAIN.TLD -RequireSenderAuthenticationEnabled $False

Keep in mind that this exposes the group address to anyone on the Internet, spammers included, so only open the groups that genuinely need outside mail.

WINDOWS AZURE AD MODULE

I don't know how to explain this, but here it goes... The following are commands that affect the USERACCOUNT at a root level (the Office 365 user object, not just the mailbox). A plain Exchange Online POWERSHELL session can't run them; they need the MSOnline cmdlets.

They call it the WINDOWS AZURE AD MODULE. It will only run on WINDOWS-7 & WINDOWS-8 and it requires something called the ONLINE SERVICES SIGN IN ASSISTANT. It installs its own shortcut, which makes it look like a separate POWERSHELL, but it isn't: the shortcut just opens PowerShell with the MSOnline module preloaded, which is the same thing Import-Module MSOnline does in a regular window (as in the connect post above). (Trust me, very little in the Microsoft world is named sensibly.)

DOWNLOAD WINDOWS AZURE AD MODULE

So, AS ADMINISTRATOR, open the AD MODULE shortcut (or import the module into POWERSHELL) to make these changes.

CONNECT WINDOWS AZURE AD MODULE TO OFFICE365
  • right-click WINDOWS AZURE AD MODULE, click RUN AS ADMINISTRATOR.
  • type: $msolcred = Get-Credential
  • type: Connect-MsolService -Credential $msolcred
SET USERNAME TO NOT REQUIRE STRONG PASSWORD
Set-MsolUser -UserPrincipalName jsmith@company.com -StrongPasswordRequired $false
(This lets the user pick a password that fails the tenant's complexity rules. Treat it as a tracked exception, not a convenience.)
HARD SET THE USERNAME PASSWORD AND DON'T REQUIRE A CHANGE
Set-MsolUserPassword -UserPrincipalName jsmith@company.com -NewPassword new-password-here -ForceChangePassword $false
(The password is typed in the clear, so it lands in the console history and any transcript.)
DELETE USERNAME
Remove-MsolUser -UserPrincipalName USERNAME@DOMAIN.TLD
ADD USERNAME
New-MsolUser -DisplayName "testuser" -UserPrincipalName testuser@yourdomain.com -UsageLocation "US" | Set-MsolUserLicense -AddLicenses "tenantname:ENTERPRISEPACK"

OTHER COMMON COMMANDS

ls: lists contents of a directory (alias for Get-ChildItem).

cat: read contents of a text file (alias for Get-Content).

Select-String: the MS version of grep.

DDWRT Kong Build Updates

I periodically check for newer hardware and firmware builds when it comes to routers. I am more interested in stability than performance but of course would like to have both.

In my last update, I was using:
Asus RT-N16 + r18050

In this check, I'm still sticking with the Asus RT-N16. They are plentiful and affordable. Newer routers are available but they cost roughly twice as much and I don't think they are worth the trade-off yet.

Stable More Affordable Version

The only change at this time is to move to the latest K26 r22200 build here:
Asus RT-N16 + http://www.desipro.de/ddwrt/K26/r22200

I was looking into the K3.x builds for the RT-N16 but it seems a rather complex process.

Stable Upgraded Bleeding Edge Version

Since I'd rather wait till hardware changes and the process is a little more straight forward, the next step up seems to be:
Asus RT-AC66U + http://www.desipro.de/ddwrt/K3-AC/22715

The Option of Options

Leaders are gatekeepers. They decide what a group of people will have and what they won't have. In the same way an editor of a newspaper decides what stories people will read and what stories will never make the front page, leaders eventually have to decide what to offer as well.

One of the most powerful principles a leader will come across is the option of options. What do good leaders give as options to another group? Do you give them as many as possible? After all, that seems to be what people want.

The truth is that while people want options to be able to choose, they don't want too many options. If you give a person too many options, their brain goes into overload and quits the decision making process altogether to find another way to proceed.

A good example of this is CostCo. You might have been to CostCo before. The huge warehouse superstore that does nearly everything by bulk. I actually stretch before I go in and I heard a rumor that it will be added to the next Summer Olympics. Just kidding.

One of the most common complaints about CostCo is the lack of choice. Do you know what CostCo thinks? Perfect. That's exactly what they want. They want options but very few of them. Options are good but too many options and it hinders the decision making process.

The brain can handle about 6 options easily. Any more than that and it starts to give up.

This was one of the brilliant moves of Steve Jobs. One of the best actions he took when he returned to Apple in the late 1990s was to limit the product line. Forget about having all sorts of options that competitors were offering. Boil the product line down to the most basic of items. Keep the options so simple that a non-technical buyer could understand them and make the decision alone. He limited it down to a four-square grid:

  • iMac (home computer use)
  • Power Mac (professional computer use; today's Mac Pro)
  • iBook (home laptop use)
  • PowerBook (professional laptop use; today's MacBook Pro)

What could be easier? Each option is clear. Each option is distinct. Each option is easily understood by the target market. Diving deeper into each one of these simple options will reveal that there are further options to upgrade but those options come later and are re-presented at another stage.

What's funny is how quickly a company can change when the leader leaves. In such a short time, Apple has lost the focus that was so easily identifiable a few years ago.

This week they will release 2 new iPhones, the 5s and the 5c. Our target market can't tell the difference between the two. There's no clear difference. There are no easily identifiable differentiators. It can't be easily understood. Do you think both will be a success? Or do you think that one will succeed and one will fall flat on its face? Or maybe both will be doomed? I guess we will find out.

Now to you, leader. Will you offer options? Will you offer many and confuse? Or will you be helpful? Offer no more than 6 options. Make each one clear and easily identifiable. Don't confuse. Clarify.

Paying for a SMTP Relay

I manage a server that handles email for a medium-sized company. It processes about 1,000 messages per hour, or 24,000 per day. The box has sat inside the office humming away for about 10 years.

Then one day, for some reason, executable content comes through the email service which isn't picked up by ClamAV. Then, for some reason, a user opens an email that's obvious-to-me-but-not-to-them that they shouldn't open. Then, for some reason, my choice of antivirus at the time (Panda Cloud) does nothing and... poof. Cutwail virus city. This thing starts sending out spam by the thousands every minute and the IP address is quickly put on blacklists all across the world.

Great.

If you are given a map and dropped into nowhere, you can usually find your way around pretty quickly. If you're dropped in the middle of nowhere, it takes longer to find your way out.

I discover the IP address is on a blacklist pretty quickly. Through the blacklist's diagnostics, I can see that a Cutwail infection is on the network. I wait till the end of the day and start to scrub client PCs and think, "I'm too old for this stuff."

I find a client PC, disinfect it with Microsoft Safety Scanner and feel good. I put in for delisting and wake up the next day to find the IP was relisted for the same reason.

I missed a client pc behind a closed door. Executives. The reason the world spins slowly.

Finally getting physical access, by persuading them that there's an obvious problem, I disinfect the second client PC as well. Feeling really good, I put in for another delisting. The next morning the listings stay cleared.

Good.

The next few days were spent delisting from any blacklist or RBL at MXToolBox.

Now here's the problem: despite delisting, the IP address is on the radar at larger outfits like Yahoo & AOL, who run their own internal spam metrics. Because of the poor stats, the server is still getting blocked.

To ease this, I switch over to the ISP SMTP server, which used to work fine for quite a long time: smtp.fdn.com. That doesn't work. They were bought out. So I use the newer SMTP server: smtp.nuvox.net. That doesn't work. They were bought out by Windstream. I don't know the SMTP server for them.

I call support knowing that large customers get to talk to knowledgeable people in a few minutes. Obtaining that Windstream's smtp server is: mailhost.windstream.com, I start using that.

Everything is going good.

A few hours pass.

Rrrrrriiiiiinnnnggg!!!! Rrrrrrriiiiinnnngggg!!! Rrrrrriiiinnnnnngggg!!!

"I'm not getting email!"

I look in the logs: "Too many recipients in the past hour."

So Windstream has an hourly limit on sending. This used to not be so. Normally it isn't a problem but when blast company wide messages go out, the server spikes above that level.

I switch back to the internal smtp.

Everything is going good.

A few hours pass.

Rrrrrriiiiiinnnnggg!!!! Rrrrrrriiiiinnnngggg!!! Rrrrrriiiinnnnnngggg!!!

"I'm not getting email!"

I look in the logs: "(DYN:T1) http://postmaster.info.aol.com/errors/421dynt1.htm"

So AOL has dynamically blocked the IP address because it went too high on the stats.

I switch back to the Windstream smtp.

My only problem is AOL. If they would remove the DYN:T1 block, my life would be normal again.

I switched back and forth between the internal smtp and the Windstream smtp for the next several days hoping the block would be removed.

After getting enough complaints because of too much delay, I realize I'm too old for this and my hobby projects in my 20's which are now production projects in my 30's probably need to be shutdown. I just can't take it.

I look for outside help.

I remember hearing about Amazon smtp services or simple email service (SES). It's part of their Amazon Web Services (AWS) or their cloud services.

I sign up feeling like they are a good partner.

Their documentation takes a few reads because of the whole credentials aspect. The AWS access keys you use for the API are not what SMTP wants: the SES console creates a dedicated IAM user and derives a separate SMTP username and password from its keys, and that pair is what goes into the mail server.

Their documentation is also confusing about SSL/TLS on port 465 (SES wraps the whole session in TLS there; STARTTLS is offered on 25, 587 and 2587), but I test it out over the next few days and get it working in my test. Here's what I used:

SMTPSmartHost=email-smtp.us-east-1.amazonaws.com

smtp-auth-proxy=service
Debug=disabled
Passwd=not-posted-in-plain-text
PeerPort=465
Userid=AKIAILKTFOYH47NR5MEA
status=enabled

Unfortunately, the service won't work for forwarding accounts. In other words, if I receive emails on behalf of someone and forward them on to their private email address at, for example, AOL, it bounces with a message about the sending domain being invalid. The reason is that SES only sends mail whose From address or domain has been verified in the account; forwarded mail still carries the original outside sender, which SES has never heard of, so it refuses it.

Back to the drawing board.

You would think that an SMTP service for large volume would be easy to find and obtain. Well, it's easy to find enough. Like most, I go to google and type "smtp services."

Cutting out the details, here's the services that make my short list:

  • MandrillApp
  • Ongage
  • Critsend
  • Mailgun
  • MailJet
  • SendGrid
  • Dyn

I moved on to the next service on the list, MandrillApp. Super easy. Create an account and the credentials are right there, easy to understand and ready to be used.

  • Host: smtp.mandrillapp.com
  • Port: 587
  • SMTP Username: your Mandrill account e-mail address
  • SMTP Password: any valid API key

I turn them on over the weekend and monitor it. Everything is great. It even has detailed stats on the sending, such as percentages and graphs that make you feel good. The problem becomes: you lose control.

Managing my own server, I can watch the outgoing process in real time. If the receiving server gives a message, I can see it. When you outsource this to another company, you don't get to see anything. You have no idea what is happening. All you know is that there is a problem.

Over the next few days, I deal with issues such as mail stuck in the queue with no way to send it, message sending limits being lowered to 29 messages per hour with no way to lift them and rejected messages with no reason why. Messages aren't getting through.

No one can run a business without messages getting through.

I contact their support through email and wait about 24 hours for a response each time. The responses are all the same: they sound great, but in the end the service is automatic and there's nothing they can/will do.

So I ask the ultimate question, "What's the point of having a sending service that doesn't help you send?" I didn't pay them to be critics on what I was sending, I pay them to send, period. If they are not going to help me do that then we are not a good fit.

I change the sending back to local server. I move on.

I cannot have another experience like the failed MandrillApp trial run. Being afraid, I breeze over Ongage, CritSend, MailGun and MailJet. They all seem to be similar. Built for developers so that a product can automatically send messages to their clients.

They really aren't services that help send messages on a day to day basis. Most of their documentation starts talking about send limits and unsubscribes.

I decide using the local service is the best option, just like the past 10 years. I made some changes to limit the number of messages that can be sent per second and I dish sending off to the ISP SMTP server. It seems to be working OK with only a few hiccups.

AOL has seemed to stop blocking with these low limits and the passing of 30 days time from the original incident. My only issue is some Yahoo servers are still blocking. Not all. Only some. Arrrrgggghhh. I'll deal with it.

I'll have to work on the IP reputation in the near future by turning on SPF, DKIM, and DMARC. Believe it or not, I turn towards friends and I have one who runs scanmailx.com. I'll test the service out but know that the developers are some of best around.

Walk Through: Clone Hard Drive with Bad Blocks By Using ddrescue

OK, here it is again in simple terms. You can't fix bad blocks. Once they appear, they keep multiplying. If you see bad blocks anywhere, replace the HD as soon as possible.

The best way to make this happen is by cloning the disk. Here's how:

This process ignores filesystems so it will work on Windows (NTFS) and Linux (ext2, ext3). I haven't tried other filesystems but can imagine it would work fine as well. Although on Mac's I use Carbon Copy Cloner (CCC).

  • shut down the computer that needs fixing.
  • buy a disk the exact same size (or larger) as the disk that has bad blocks on it.
  • physically install the new HD in the computer.
  • download the SYSRESCUE CD image from http://www.sysresccd.org
  • make a bootable SYSRESCUE CD.
  • boot off of the SYSRESCUE CD.
  • accept the defaults as it boots.
  • you are at a black command prompt.
  • find which HD is in which position:
sfdisk -luS /dev/sda /dev/sdb

Typically sda will have a partition table & sdb will have nothing and you'll get "no partitions found". Check this twice: ddrescue writes to whichever device you name second, and running it backwards wipes the good copy.

Great. Wonderful.

Now let's clone the disk by rescuing the whole disc with all partitions from /dev/sda to /dev/sdb.

Note: you do not need to partition the new disk /dev/sdb beforehand, but if the partition table on /dev/sda is damaged, you'll need to recreate it somehow on /dev/sdb.

ddrescue -f -n /dev/sda /dev/sdb rescue.log

(-f: force writing to a device rather than a file; -n: skip the slow splitting/scraping phase, so the first pass copies everything readable as fast as possible. rescue.log is the mapfile that records which sectors were copied and which failed.)

If the system is really important, then do it a second time with the following options. This pass will be slower but more thorough: with the same mapfile, ddrescue only goes back to the sectors marked bad on the first pass.

ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

(-d: direct disc access, bypassing the kernel cache; -r3: retry each bad sector up to three times.)

Now let's shutdown.

Remove sda (the old drive).

Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown.

Reposition the drive sda to the first slot for sanity's sake.

Macbook Pro Slow After 10.8 Upgrade

Macbook Pro slow after 10.8 update. Many are having the same issue. I threw in the towel and purchased another after market hard drive from macsales.com. They promise it will work with some custom firmware they have on it. The hard drive I purchase is located here:

http://eshop.macsales.com/item/HGST/0J22423S2/

With a fresh 1TB hard drive that's verified to work and original CD's in hand, I went onto install Mac OS X 10.6 with a fresh install rather than cloning this time. It wouldn't install... See above.

Macbook Pro Won't Install

Macbook Pro won't install OS X with an error message "Installation failed, Mac OS X could not be installed on your computer..." I don't know why. I don't really care. I just want it to work.

  • restart the install from the disk.
  • select OPTIONS.
  • uncheck everything except the BASE SYSTEM (I think that's what it's called).
  • it should install this time.

One thing is for sure, Apple is not the promised land... it's just a new set of problems.

Macbook Pro Slow During OS X Install

Macbook Pro is slow and taking forever (say about 15 minutes) with no progress update or the little sounds that make me feel like something's happening. You can see the install logs by clicking:

  • window.
  • installer log.

Select to SHOW ALL LOGS. This way I know what's happening. That makes me feel better. Or just be patient and let it go through. It's actually doing something.

Macbook Pro Pinwheel of Death During 10.8 Upgrade

What a disaster... If you see the pinwheel of death, aka the beachball of death, aka the spinning ball, let it go for about 10 minutes. Still happening? Hard shutdown by holding the power button for 5 seconds or so. It will shut down. Press again to start up the Macbook Pro. The upgrade process should begin automatically.

Can't Print to Bizhub C360 From Mac OSX

DEFAULT USERNAME & PASSWORD:

USER: admin
PASS: 12345678

(If the copier still has this default, change it; otherwise anyone on the LAN can walk into the admin pages.)

INSTRUCTIONS

  • download drivers from the Bizhub website
  • add printer as normal using those drivers (not generic)
  • print something
  • click SHOW DETAILS (in print dialog box) (or you might have to click USE SYSTEM DIALOG)
    (Basically we are trying to get to the part where we have many options.)
  • change to OUTPUT METHOD
  • checkmark USER AUTHENTICATION
  • bullet PUBLIC
  • click SAVE SETTINGS > OK
  • click SAVE AS DEFAULT SETTINGS

In some cases, I've had to use ACCOUNT TRACKING (rather than USER AUTHENTICATION). For this, a USER must be setup on the Bizhub C360 under ACCOUNT TRACKING. The USER must have a NAME & PASSWORD.

On the Mac OSX side

  • print something
  • click SHOW DETAILS (in print dialog box) (or you might have to click USE SYSTEM DIALOG)
    (Basically we are trying to get to the part where we have many options.)
  • change to OUTPUT METHOD
  • checkmark ACCOUNT TRACKING
  • type in ACCOUNT & PASSWORD
  • click SAVE SETTINGS > OK
  • click SAVE AS DEFAULT SETTINGS

The Specified Domain Either Does Not Exist or Could Not Be Contacted

When you try to add a computer (XP, SERVER 2003, WIN7, etc) to a domain, you get: "The Specified Domain Either Does Not Exist or Could Not Be Contacted"

If you know that the domain does exist, check that the computer you are working on has the right network settings. You may have to release and renew the IP address. Usually the DNS is incorrect: the client must point at the domain's own DNS servers, because it locates a domain controller through the SRV records (_ldap._tcp.dc._msdcs.<domain>) that only those servers hold. If it still doesn't work, set the WINS server as well.

unrecoverable I/O read error for block 976557696

TLDR; (SHORT VERSION)

I'm going to walk you through this one. It happened during a RAID recovery. sda is in the system and I'm trying to add a new sdb. I hate posting logs but it looks like this:

Dec 24 15:38:10 server kernel: sd 0:0:0:0: SCSI error: return code = 0x08000002
Dec 24 15:38:10 server kernel: Result: hostbyte=DID_OK driverbyte=DRIVER_SENSE,SUGGEST_OK
Dec 24 15:38:10 server kernel: sda: Current [descriptor]: sense key: Medium Error
Dec 24 15:38:10 server kernel:     Add. Sense: Unrecovered read error - auto reallocate failed
Dec 24 15:38:10 server kernel:
Dec 24 15:38:10 server kernel: Descriptor sense data with sense descriptors (in hex):
Dec 24 15:38:10 server kernel:         72 03 11 04 00 00 00 0c 00 0a 80 00 00 00 00 00
Dec 24 15:38:10 server kernel:         3a 38 46 23
Dec 24 15:38:10 server kernel: raid1: sda: unrecoverable I/O read error for block 976557696
Dec 24 15:38:10 server kernel: ata1: EH complete

It can't resync the raid because there's a read error on the only remaining disk, sda. I wish it would just skip over it because the value of having a working raid is more important than the value of having a bit of information that is probably not that important anyway. I think it's a bug in the mdadm package that's fixed in current versions but I'm stuck with what I have.

To fix, in short, clone the disk and move on with life. Here's how to:

================================================
Use ddrescue to clone disk. It's a tool on a boot cd found here:
http://www.sysresccd.org

So download the disk image and burn it.
Boot to system rescue cd with defaults.
The raid starts to rebuild automatically, so we will have to stop it. First, fail and remove sdb1:

mdadm -f /dev/md1 /dev/sdb1
mdadm -r /dev/md1 /dev/sdb1

Now, fail and remove sdb2:

mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's clone the disk:

ddrescue -f -n /dev/sda /dev/sdb rescue.log
ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

Now let's shutdown.

Remove sda. Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown:

signal-event halt

Reposition the drive sda to the first slot for sanity's sake.
Place new hd into the second slot.
reboot.

console
manage disk array redundancy.
add sdb into array.
wait for resync.
# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]
md2 : active raid1 sdb2[1] sda2[0]
      488279552 blocks [2/2] [UU]

resync's fine!!!

LONG VERSION

Here's the long version with all of my notes. It's the perfect example of a sysadmin's downward spiral into the 5th circle of hell. It may or may not make sense.

The error return code is below. I had to look it up. Basically it says there's no error.
==============================================
0x08000002

DRIVER | HOST | MESSAGE | CONDITION
  08   |  00  |   00    |    02

cat /usr/src/kernels/2.6.18-308.16.1.el5PAE-i686/include/scsi/scsi.h

DRIVER SOFT | NO ERROR | COMMAND COMPLETE | SAM_STAT_CHECK_CONDITION

Here's the real issue. It's a read error on the live disk.
==============================================
raid1: sda: unrecoverable I/O read error for block 976557696

This link explains it better than I do:
http://www.sjvs.nl/?p=12

In theory, this would work. First check the read of the sector:
==============================================
$ hdparm --read-sector 976766499 /dev/sda: Input/Output error

Then write to the sector:
==============================================
hdparm --write-sector 976766499 /dev/sda
hdparm --write-sector 976766499 --yes-i-know-what-i-am-doing /dev/sda

But I don't have those options in hdparm. I'm at hdparm v6.6 and these options are in hdparm v8.1. Hmmm... Let's look at the status:
==============================================
cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]
md2 : active raid1 sdb2[2](S) sda2[0]
488279552 blocks [2/1] [U_]

Let's look at the details of md2:
==============================================
mdadm --detail /dev/md2

So md2 has:
1 active-sync member
1 removed member
1 spare member

We can't add the new drive into md2 because it's already added:
==============================================
mdadm -a /dev/md2 /dev/sdb2
mdadm: Cannot open /dev/sdb2: Device or resource busy

So we have to fail it and remove it:
==============================================
mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's try to re-add it with the re-add option:
==============================================
mdadm /dev/md2 --remove detached
mdadm --re-add /dev/md2 /dev/sdb2

Same result. Humph...

==============================================
Let's remove the device, shutdown and add the original sdb back in.

Same result. Humph...

==============================================
We're back to the bad block. Exact same message, exact same block:
$raid1: sda: unrecoverable I/O read error for block 976557696

Modern hard disk drives are equipped with a small number of spare sectors used to reallocate damaged sectors. However, a sector only gets reallocated when a write operation fails. A failing read operation will, in most cases, only throw an I/O error. In the unlikely event that a second read does succeed, some disks perform an auto-reallocation and the data is preserved. In my case, the second read failed miserably ("Unrecovered read error - auto reallocate failed").

If there were another correctly working disk in the raid, I would just replace the bad disk. But this is the only disk left.

==============================================
Let's see the logical volume:
lvdisplay --maps |egrep 'Physical|LV Name|Type'

OK, it's: /dev/main/root

I'm going to try to run badblocks on the lv:
badblocks -n -s /dev/main/root

I get:
/dev/main/root is mounted; it's not safe to run badblocks!

===============================================
Boot from Install CD.
Type: sme rescue (at prompt)

Select your language. Select keyboard language.
Select READ/WRITE

Unmount the lvm:
umount -l /dev/main/root

Check for bad blocks on the lv:
badblocks -n -s /dev/main/root

That took too long. Stopped at 1% complete.

================================================
Let's check the remaining disk:
smartctl -a /dev/sda

Gives the error log:
40 51 08 22 46 38 e0  Error: UNC 8 sectors at LBA = 0x00384622 = 3687970

And also gives the proper LBA error:
LBA_of_first_error
976766499

This is the decimal number. The hexadecimal number is: 0x3a384623.

The system has a raid. LVM is on the raid. The file system is on LVM. Trying to map the bad physical block to the LVM logical block is nearly impossible because it's a manual calculation. But I try anyway.

Finding the sda layout:
sfdisk -luS /dev/sda

Gives:
Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Units = sectors of 512 bytes, counting from 0

Device Boot    Start       End   #sectors  Id  System
/dev/sda1   *         1    208769     208769  fd  Linux raid autodetect
/dev/sda2        208770 976768063  976559294  fd  Linux raid autodetect

so the bad lba is in sda2.

The LBA minus the start of the partition:
976766499 - 208770 = 976557729

Let's get the size of the PHYSICAL EXTENT of the PHYSICAL VOLUME:
pvdisplay
--- Physical volume ---
PV Name               /dev/md2
VG Name               main
PV Size               465.66 GB / not usable 3.31 MB
Allocatable           yes (but full)
PE Size (KByte)       32768
Total PE              14901
Free PE               0
Allocated PE          14901
PV UUID               M1IIOi-nln7-encf-DgZC-DtjF-0ZGs-4OEFgK

So we have:
32768

So the PE size in 512-byte sectors (LBA blocks) is 32768 * 2:
65536

Let's find the offset of the beginning of the first PE:
pvs -o+pe_start /dev/md2

Gives:
192.00K

Let's calculate the physical partition's bad block number / sizeof(PE) =
976557729 / 65536 = 14901.0883942

Find the LV of 14901:
lvdisplay --maps |egrep 'Physical|LV Name|Type'

Gives:
# lvdisplay --maps |egrep 'Physical|LV Name|Type'
LV Name                /dev/main/root
Type                linear
Physical volume     /dev/md2
Physical extents    0 to 4702
Type                linear
Physical volume     /dev/md2
Physical extents    4765 to 14900

So we know it's in /dev/main/root

We need to know the block size of the LV:
dumpe2fs /dev/main/root | grep 'Block size'

Gives:
Block size:               4096

The logical partition begins on PE 4765

So let's find the badblock
(# PE's start of partition * sizeof(PE)) + partition offset[pe_start] =
(4096 * 65536) + 192 = 268435648

Let's test the FS of the bad block:
dd if=/dev/main/root of=block268435648 bs=4096 count=1 skip=268435648

Nothing.

debugfs
debugfs 1.32 (09-Nov-2002)
debugfs:  open /dev/main/root
debugfs:  testb 268435648

976557696

I got:
Illegal block number passed to ext2fs_test_block_bitmap #268435648 for block bitmap for /dev/main/root
Block 268435648 not in use

This means my calculations are wrong.

Crap...

====================================
Back to the drawing board. Here's what I know:
debugfs must be used on the filesystem. The filesystem is on /dev/main/root
The disk has sectors of 512 bytes.
The logical block size of the FS is 4096 (Or the block size is 8 disk sectors)
The error message is: raid1: sda: unrecoverable I/O read error for block 976557696
(I don't know if this is the block on sda, sda2, md2 or /dev/main/root).
Doing a e2fsck -cvy /dev/main/root or a badblocks -n -s /dev/main/root takes too long.
The LBA_of_first_error is 976766499
The starting sector of sda2 is 208770.
The last sector of sda2 is 976768063.
The total sectors in sda2 is 976559294.
The problem is at 976557729 inside partition sda2.

====================================
If no LVM it would be:
((976766499 - 208770) * 512) / 4096 = 122069716.125

http://smartmontools.sourceforge.net/badblockhowto.html#bb

So I check to see if it's in the repos
yum --enablerepo=* search sg3

I get some pages back.

So I look at more info about it:
yum info sg3_utils

I get back the package is in the centos base repo.

Feeling safe, I install the package:
yum install sg3_utils

Now I can verify the LBA block without feeling nauseous:
sg_verify --lba=976766499 /dev/sda

I get:
verify (10):  Descriptor format, current;  Sense key: Medium Error
Additional sense: Unrecovered read error - auto reallocate failed
Descriptor type: Information
0x000000003a384623
medium or hardware error, reported lba=0x3a384623

I poke around other LBA from the logs:
sg_verify --lba=976557696 /dev/sda

I get nothing.

I'm all in and going to reassign the block:
sg_reassign --address=976766499 /dev/sda

I get:
REASSIGN BLOCKS not supported

Crap... The good news is that I've verified the LBA block or physical block.

================================================
Physical block: 976766499
File system block: 3687970

b = (int)((L-S)*512/B), where L is the bad LBA, S is the starting sector of the partition and B is the filesystem block size in bytes (the formula from the smartmontools badblockhowto linked above).
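Added example (Python, not code from the post, smartmontools or any of the tools mentioned): the same walk done as functions so the arithmetic can be repeated for any LBA and checked. It generalizes the single calculation above to the whole stack (partition, md member, LVM physical extents, logical volume, filesystem block). The layout numbers are the ones sfdisk, pvdisplay, pvs, lvdisplay --maps and dumpe2fs printed above. Two things are assumed: an md 0.90 superblock (what "Preferred Minor" implies), which puts member data at sector 0 so an offset inside sda2 is the same offset inside md2, and raid1's 64 KiB (128-sector) resync window, which is what makes the kernel's "block" numbers 976557696 and 976558336 line up with the failing sectors. Run with the post's LBA 976766499, the walk stops before it reaches a filesystem: md offset 976557729 lies past the last physical extent (384 + 14901 * 65536 = 976552320), inside the 3.31 MB that pvdisplay lists as not usable, so no debugfs block number could ever match it. The LV path is exercised with a constructed LBA that does fall inside /dev/main/root.

```python
# Added example (not from the post): map a bad disk LBA down the storage stack
# partition -> md RAID1 member -> LVM physical extent -> LV -> filesystem block.
# Assumption: md 0.90 superblock, so member data starts at sector 0 of sda2.

SECTOR = 512

# Layout figures from the post: sda2 start (sfdisk), PE Size 32768 KiB and
# Total PE 14901 (pvdisplay), pe_start 192 KiB (pvs), the two segments of
# /dev/main/root (lvdisplay --maps), ext3 block size 4096 (dumpe2fs).
PART_START = 208770
PE_SECTORS = 32768 * 1024 // SECTOR      # 65536 sectors per physical extent
PE_START = 192 * 1024 // SECTOR          # 384 sectors of LVM metadata before PE 0
TOTAL_PE = 14901
SEGMENTS = [(0, 4702, "main/root"), (4765, 14900, "main/root")]
FS_BLOCK = 4096


def partition_offset(lba, part_start):
    """Sector offset of an absolute disk LBA inside the partition (= md member)."""
    if lba < part_start:
        raise ValueError("LBA %d lies before partition start %d" % (lba, part_start))
    return lba - part_start


def fs_block_no_lvm(lba, part_start, fs_block_size):
    """smartmontools formula b = (int)((L-S)*512/B): filesystem directly on the partition."""
    return (lba - part_start) * SECTOR // fs_block_size


def resync_window_start(md_sector, window_sectors=128):
    """Start of the 64 KiB window holding md_sector (assumed raid1 resync granularity).

    The kernel's 'unrecoverable I/O read error for block N' numbers in the post
    are such window starts, not the failing sector itself."""
    return md_sector - md_sector % window_sectors


def lv_sector(md_sector, pe_start, pe_sectors, segments):
    """Map a PV (md) sector to (lv_name, sector_in_lv).

    segments: (first_pe, last_pe, lv_name) tuples in lvdisplay --maps order;
    an LV's logical extents are numbered in that order.  Returns (None, None)
    for LVM metadata, an unallocated PE, or the tail past the last PE."""
    if md_sector < pe_start:
        return None, None
    pe_index, in_pe = divmod(md_sector - pe_start, pe_sectors)
    le_base = {}                            # logical extents already counted per LV
    for first, last, lv in segments:
        base = le_base.get(lv, 0)
        if first <= pe_index <= last:
            return lv, (base + pe_index - first) * pe_sectors + in_pe
        le_base[lv] = base + (last - first + 1)
    return None, None


def fs_block(sector_in_lv, fs_block_size):
    """Filesystem block (the number debugfs 'testb' wants) holding an LV sector."""
    return sector_in_lv * SECTOR // fs_block_size


def pv_data_end(pe_start, pe_sectors, total_pe):
    """First PV sector after the last PE; nothing from here on belongs to any LV."""
    return pe_start + total_pe * pe_sectors


def locate(lba):
    """Full walk for one absolute LBA on sda using the post's layout."""
    md = partition_offset(lba, PART_START)
    lv, sec = lv_sector(md, PE_START, PE_SECTORS, SEGMENTS)
    return {
        "md_sector": md,
        "resync_block": resync_window_start(md),
        "past_last_pe": md >= pv_data_end(PE_START, PE_SECTORS, TOTAL_PE),
        "lv": lv,
        "lv_sector": sec,
        "fs_block": None if sec is None else fs_block(sec, FS_BLOCK),
    }


if __name__ == "__main__":
    for lba in (976766499, 976766501, 976767187):   # the LBAs SMART and hdparm reported
        print(lba, locate(lba))
    print("PE data ends at md sector", pv_data_end(PE_START, PE_SECTORS, TOTAL_PE))
```

locate() raises for an LBA before sda2, reports past_last_pe with lv None for the three LBAs in this post, and otherwise returns the block number to hand to debugfs testb or icheck.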

================================================
I'm down to:
using a live CD to run hdparm,
or
Spinrite,
or
calculating something to use dd on the LVM filesystem.

================================================
I downloaded a gparted live CD & burned it to a CD.
Booted from the gparted live CD and entered command line mode.

hdparm --read-sector 976766499 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976766499 /dev/sda
hdparm --write-sector 976766499 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976766499 /dev/sda
(a lot of zeroes should follow)
================================================

New error:
raid1: sda: unrecoverable I/O read error for block 976558336

================================================
# 1  Short offline       Completed: read failure       90%     44420         976766501

Booted from gparted live cd and entered command line mode.

This time when I read the sector, I get a bunch of zero's
hdparm --read-sector 976766501 /dev/sda

================================================
Reboot... won't boot.

Boot into file system recover mode (no live cd or rescue).
Look at: cat /proc/mdstat
Now md1 was automatically renamed md127 thanks to gparted livecd.

Go into single user mode:
telinit 1

Take a look at the mdadm.conf
mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

mdadm --stop /dev/md127
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1

Then you'll have your md127 assembled as md1. And it should stay this way in the future too.

================================================
Since I didn't do:
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1 /dev/sdb1

I now have:
# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sda1[0]
104320 blocks [2/1] [U_]

md127 : active raid1 sdb1[1]
104320 blocks [2/1] [_U]

md2 : active raid1 sda2[0]
488279552 blocks [2/1] [U_]

unused devices: <none>

Wonderful. Let's stop md127. But first, unmount it:
# umount /dev/md127

I get:
umount: /dev/md127: not mounted

OK. Since it's unmounted, let's stop it:
# mdadm -S /dev/md127

I get:
mdadm: stopped /dev/md127

Great. Back to start. Let's see what we have:
# cat /proc/mdstat

I get:
Personalities : [raid1]
md1 : active raid1 sda1[0]
104320 blocks [2/1] [U_]

md2 : active raid1 sda2[0]
488279552 blocks [2/1] [U_]

unused devices: <none>

Let's zero out the superblock of sdb so that md127 doesn't come back via some type of magic out there.

First, I check the partition table of sdb with the -lu option so it shows sectors rather than cylinders.
# fdisk -lu /dev/sdb
or
# sfdisk -luS /dev/sdb

I get:
Disk /dev/sdb: 500.1 GB, 500107862016 bytes
255 heads, 63 sectors/track, 60801 cylinders, total 976773168 sectors
Units = sectors of 1 * 512 = 512 bytes

Device Boot      Start         End      Blocks   Id  System
/dev/sdb1   *           1      208769      104384+  fd  Linux raid autodetect
Partition 1 does not end on cylinder boundary.
/dev/sdb2          208770   976768063   488279647   fd  Linux raid autodetect

Let's zero out the superblock of sdb.
#mdadm --zero-superblock /dev/sdb1
#mdadm --zero-superblock /dev/sdb2

Now let's add sdb back in.
#console > Manage Disk Array > Add sdb

I get:
kernel: raid1: sda: unrecoverable I/O read error for block 976558336

================================================

hdparm --read-sector 976766501 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976766501 /dev/sda
hdparm --write-sector 976766501 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976766501 /dev/sda
(a lot of zeroes should follow)

hdparm --read-sector 976767187 /dev/sda: Input/Output error

Then write to the sector:
hdparm --write-sector 976767187 /dev/sda
hdparm --write-sector 976767187 --yes-i-know-what-i-am-doing /dev/sda

Read sector again:
hdparm --read-sector 976767187 /dev/sda
(a lot of zeroes should follow)

================================================
kernel panic

crap!!!

================================================
Boot from livecd.

type: sme rescue
press ENTER for ENGLISH
press ENTER for US
press right arrow to select NO, Don't start network.
press ENTER to CONTINUE, Start filesystem.
press ENTER for OK

Take a look at:
cat /proc/mdstat

md1
md127

mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

vgchange -an
can't deactivate volue group main with 2 open logical volumes

Can't stop the volume group because there's a logical volume open.

lvchange -an
lv main/root in use: not deactivating

Can't stop the logical volume. Don't know why.

Let's reboot without mounting the file system:
Boot from livecd.

type: sme rescue
press ENTER for ENGLISH
press ENTER for US
press right arrow to select NO, Don't start network.
SKIP the filesystem

mdadm --assemble --update=super-minor --uuid ce917023:5da6a14f:2a9c304f:a380120a /dev/md2

================================================
Use ddrescue to clone disk.
Boot to system rescue cd with defaults.
The raid starts to rebuild automatically, so we will have to stop it.

mdadm -f /dev/md1 /dev/sdb1
mdadm -r /dev/md1 /dev/sdb1

mdadm -f /dev/md2 /dev/sdb2
mdadm -r /dev/md2 /dev/sdb2

Now let's clone the disk:

ddrescue -f -n /dev/sda /dev/sdb rescue.log
ddrescue -d -f -r3 /dev/sda /dev/sdb rescue.log

Now let's shutdown.
halt

Remove sda. Now reboot.

Boot fine! It recognizes the new cloned drive as sda.

Shutdown:
signal-event halt

Reposition the drive sda to the first slot for sanity's sake.
Place new hd into the second slot.
reboot.
console
manage disk array redundancy.
add sdb into array.
wait for resync.

# cat /proc/mdstat
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
104320 blocks [2/2] [UU]

md2 : active raid1 sdb2[1] sda2[0]
488279552 blocks [2/2] [UU]

resync's fine!!!
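Added example (Python, not code from the post or from mdadm): a parser for the /proc/mdstat dumps in this post that reports which arrays are degraded and which slot is missing, so the [2/1] [U_] state can be caught by a cron job or a monitoring check instead of by eye. The sample inputs are constructed from this post's own dumps: the degraded state after the gparted live CD split md1, the earlier state where sdb2 sat in md2 as a spare that never synced in, and the healthy [UU] state above.

```python
import re

# Constructed sample input, copied from this post's /proc/mdstat dumps.
DEGRADED_MDSTAT = """\
Personalities : [raid1]
md1 : active raid1 sda1[0]
      104320 blocks [2/1] [U_]

md127 : active raid1 sdb1[1]
      104320 blocks [2/1] [_U]

md2 : active raid1 sda2[0]
      488279552 blocks [2/1] [U_]

unused devices: <none>
"""

# Earlier state in the post: sdb2 is attached to md2 only as a spare, marked (S).
SPARE_MDSTAT = """\
Personalities : [raid1]
md2 : active raid1 sdb2[2](S) sda2[0]
      488279552 blocks [2/1] [U_]
"""

HEALTHY_MDSTAT = """\
Personalities : [raid1]
md1 : active raid1 sdb1[1] sda1[0]
      104320 blocks [2/2] [UU]

md2 : active raid1 sdb2[1] sda2[0]
      488279552 blocks [2/2] [UU]

unused devices: <none>
"""

ARRAY_RE = re.compile(r"^(md\d+)\s*:\s*(\w+)\s+(\S+)\s+(.*)$")   # mdN : state level members
MEMBER_RE = re.compile(r"(\w+)\[(\d+)\](\([A-Z]\))?")              # sdb2[2](S)
STATUS_RE = re.compile(r"\[(\d+)/(\d+)\]\s+\[([U_]+)\]")           # [2/1] [U_]


def parse_mdstat(text):
    """Return {array_name: info} with members, spares, wanted/active counts and slot map."""
    arrays, current = {}, None
    for line in text.splitlines():
        m = ARRAY_RE.match(line)
        if m:
            name, state, level, members = m.groups()
            current = {"state": state, "level": level, "members": [], "spares": [],
                       "wanted": None, "active": None, "slots": ""}
            for dev, _slot, flag in MEMBER_RE.findall(members):
                (current["spares"] if flag == "(S)" else current["members"]).append(dev)
            arrays[name] = current
            continue
        s = STATUS_RE.search(line)
        if s and current is not None:      # the "blocks [n/m] [UU]" line of the array above
            current["wanted"], current["active"] = int(s.group(1)), int(s.group(2))
            current["slots"] = s.group(3)
    return arrays


def degraded_arrays(text):
    """Names of arrays whose active member count is below the configured count."""
    return sorted(name for name, a in parse_mdstat(text).items()
                  if a["active"] is not None and a["active"] < a["wanted"])


def missing_slots(array):
    """Slot indices shown as '_' in the [U_] map, i.e. the members that need re-adding."""
    return [i for i, c in enumerate(array["slots"]) if c == "_"]


if __name__ == "__main__":
    arrays = parse_mdstat(DEGRADED_MDSTAT)
    for name in degraded_arrays(DEGRADED_MDSTAT):
        print("%s degraded: %d of %d active, missing slot(s) %s, spares %s" % (
            name, arrays[name]["active"], arrays[name]["wanted"],
            missing_slots(arrays[name]), arrays[name]["spares"]))
    print("healthy dump degraded arrays:", degraded_arrays(HEALTHY_MDSTAT))
```

On a live box, feed it open("/proc/mdstat").read() and alert whenever degraded_arrays() is non-empty; a spare listed while the array is still [2/1] (the md2 case in the post) is exactly the state where the rebuild has stalled and needs looking at.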

================================================
Now reboot with only sdb. I get:
black screen.

I have to reinstall grub onto sdb. It should have happened on manage disk array redundancy. Asking for help.

In the end, the following worked fine:
grub-install sdb

md1 was automatically renamed md127 after using gparted livecd.

Boot into file system recover mode (no live cd or rescue).
Look at:

cat /proc/mdstat

Now md1 was automatically renamed md127 thanks to gparted livecd.

Go into single user mode:

telinit 1

Take a look at the mdadm.conf

mdadm --detail /dev/md127

If it says "Preferred Minor : 127" then this is your problem. You need to update the preferred minor.

mdadm --stop /dev/md127
mdadm --assemble --update=super-minor /dev/md1 /dev/sda1 /dev/sdb1

This will rebuild, without data loss, md1.

Or to be more exact, use the uuid of the raid disk, md1, and update the name.

mdadm --assemble --update=super-minor --uuid ce917023:5da6a14f:2a9c304f:a380120a /dev/md1

Of course you need to re-adjust for your raid situation. In my case, md1 was built from sda1 and sdb1.

Then you'll have your md127 assembled as md1. And it should stay this way in the future too.

How Do I Remove md127?

If you're following along, md127 is on the system because of the gparted live cd. It isn't being used because we've re-built the array as md1.

md127 is left over as a raid device but there are no disks to it. Let's stop md127. But first, unmount it:

# umount /dev/md127

I get:

umount: /dev/md127: not mounted

OK. Since it's unmounted, let's stop it:

# mdadm -S /dev/md127

I get:

mdadm: stopped /dev/md127

That should do it.

IE9 Won't Install - code 3715

IE9 won't install on a Windows 7 64-bit system:

1. download the SYSTEM UPDATE READINESS TOOL here:
2. run the tool (as administrator)
3. wait about 30 minutes.
4. download the IE9 offline installer here:
5. run the IE9 INSTALLER (as administrator).

That should do it.

PDF -The file is damaged and could not be repaired

Try to open a PDF in FIREFOX and get the message: The file is damaged and could not be repaired. Local\gobblygook

The fix, for me was a setting in KASPERSKY.

1. click KASPERSKY > SETTINGS
2. click WEB ANTIVIRUS (on the left-hand side).
3. click SETTINGS (under SECURITY LEVEL, in the middle)
4. click TRUSTED URLS (tab at the top)
5. click ADD
6. type: *.yourwebsitename.tld/*
7. click OK > OK > OK

Office 2008 Mac Setup Assistant Loop

If you have the serial code for the software, remove the files below:
~/Library/Preferences/Microsoft/Office 2008/Microsoft Office 2008 Settings.plist
/Applications/Microsoft Office 2008/Office/OfficePID.plist

If you are using the Mac Migration Assistant and migrate the Apps but not the user, copy the files from the old computer to the new user/computer.
~/Library/Preferences/Microsoft/Office 2008/Microsoft Office 2008 Settings.plist
/Applications/Microsoft Office 2008/Office/OfficePID.plist

That should do it.

eregi, preg_match | split, preg_split | ereg_replace, preg_replace

Quick note to myself: eregi, ereg_replace and split are deprecated PHP functions. The official note is here:

http://www.php.net/manual/en/reference.pcre.pattern.posix.php

Fix eregi with preg_match like so:

case (eregi('android',$user_agent));  // we find android in the user agent
case (preg_match('/(android)/i',$user_agent));  // we find android in the user agent

if ( eregi( "bmp|gif|jpg|png|jpeg", $file ) && is_file( $i_f ) ) {
if ( preg_match( "/(bmp|gif|jpg|png|jpeg)/i", $file ) && is_file( $i_f ) ) {

if (eregi("0$", $count)) {
if ( preg_match( "/(0$)/i", $count)) {

if (eregi("gif", $file) || eregi("jpg", $file) || eregi("png", $file))
if (preg_match("/(gif)/i", $file) || preg_match("/(jpg)/i", $file) || preg_match("/(png)/i", $file))

Fix split with preg_split like so:

split(':', $thumbSpace);
preg_split('/:/', $thumbSpace);

split('www', 'D:/Projects/job.com/www/www/path/source', 2);
preg_split('/www/', 'D:/Projects/job.com/www/www/path/source', 2);

Fix ereg_replace with preg_replace like so:

$output = ereg_replace (";", "", $output);
$output = preg_replace ("/;/", "", $output);

Dell 3100cn Won't Work with Windows 8

Dell 3100cn color laser printer won't work with Windows 8. When it asks for the driver:

  • select DELL (on the left hand side).
  • select DELL OPEN PRINTER DRIVER (PCL 5) (on the right hand side).

That should do it. It will work, it just won't automatically pick up the correct model number. Who cares. At least it works. Better than Dell not offering specific drivers.

Brother MFC Scanning Windows 8

Brother MFC 8440 won't scan as PDF on Windows 8 (32 bit). These are loose instructions as I can't provide step by step.

You'll have to start the scans from the computer. The scan buttons on the Brother MFC won't work. But at least you can scan to PDF.


Another option, if you really want PaperPort then:

You'll have to start the scans from PaperPort in this instance. But at least you can use PaperPort and you can scan to PDF. The ConnectionTool also works if the SCAN button is greyed out in PaperPort for Windows 8.


All of this is provided that the TWAIN driver is installed. The WIA driver won't work. If the TWAIN driver needs to be installed:
  • right-click MY COMPUTER.
  • click MANAGE.
  • click DEVICE MANAGER.
  • find IMAGING DEVICES in the tree.
  • right click BROTHER MFC 8440.
  • click UPDATE DRIVERS.
  • click I HAVE THE DRIVERS.
  • browse to the driver folder and inf file.
  • click OK.

This will install the twain driver.

Allow Internal Lan Clients to Send Email

Upgrading to SME v8 (Centos v5, RHEL v5) requires email clients on the internal lan to send email with authentication turned on and SSL turned on. Without this, email will not get sent.

To let email clients on the internal LAN send email without authentication and SSL turned on, disable the relay-requires-auth setting and apply it (note that every host on the internal LAN can then relay through the server unauthenticated):

config setprop qpsmtpd RelayRequiresAuth disabled
signal-event email-update

How Do I Reset a Ricoh Printer Back to Factory Defaults?

To reset a Ricoh printer back to factory defaults:

  1. go into SERVICE MODE
  2. go to: SP 5-801
