daknetworks.com

SITUATION

You have a new computer and you test out Linux destroying everything on the hard drive. You go to reinstall Windows and you realize that you do not have the PRODUCT KEY. There is no label on the side/back/inside of the pc. You have an OEM Windows 8.1 disk. The pc does not have a DVD drive.

RESOLUTION

Find a pc that has a DVD drive.

1-create an ISO with 7ZIP.

• -open 7-ZIP-FILE-MANAGER as ADMINISTRATOR.
• -select the DVD DRIVE.
• -click VIEW (at the top).
• -click OPEN ROOT FOLDER.
• -click VIEW (at the top).
• -click UP ONE LEVEL.
• -in the main window you will see: \\. (backslash, backslash, dot).
• -double-click \\.
• -select the DVD drive.
• -click FILE > COPY-TO (at the top)
• -select the folder where you want the ISO to go.

2-copy that ISO to your EASY2BOOT USB.

• -easy squeezy.

NOTE: if you do not have one, get one. It's super easy. Run tool. Have USB.

3-install WINDOWS.

• -the install should use the PRODUCT KEY from the UEFI (or in laymans terms BIOS).
• -if you are being prompted for a product key, it means that you have the wrong installation media and that's when the Windows 8.1/10 installer can't detect Windows 8/8.1 product key from UEFI firmware (BIOS).
• -it will prompt which version to install, WINDOWS 8.1, WINDOWS 8.1 CORE, WINDOWS 8.1 SINGLE LANGUAGE (same as PRO), WINDOWS 8.1 PRO
• -do NOT select "I don't have a product key". Activation will not be successful.

4-find WINDOWS PRODUCT KEY in the UEFI.

• -use a wonderful tool called RWEVERYTHING here: http://rweverything.com/download/
• -open the tool.
• -click ACPI (at the top).
• -click MSDM tab (towards the top)
• -look at the last line, it is the embedded PRODUCT KEY ;-)

There are other ways to do this such as:

• -open COMMAND PROMPT.
• -type: WMIC Path SoftwareLicensingService Get OA3xOriginalProductKey

As well as other ways.

NOTES:

• -media creation tool for WINDOWS 10 here: http://www.microsoft.com/en-us/software-download/windows10
• -media creation tool for WINDOWS 8.1 here: https://www.microsoft.com/en-us/software-download/windows8
• (WINDOWS 8 is no longer being supported [not WINDOWS 8.1].)

SCENARIO

Fresh install of Ubuntu. Wrong time. Day later, still wrong time.

HOW TO FIX THE WRONG TIME ON UBUNTU

• -edit /etc/ntp.conf
• -comment out the "pool" servers.
• -comment out the fallback "pool" server.
• -add a new line.
• -type: server 192.168.1.1 (or local server/router/switch that can provide NTP services)
• -save
• -stop service: /etc/init.d/ntp stop
• -start service: /etc/init.d/ntp start
• -your finished!

This may happen for various reasons. For me, the high-end firewall was blocking outside NTP servers from talking on port 123.

NOTES: do not use/install ntpdate package, it is depreciated.

Getting Digital Watchdog Spectrum Client on Ubuntu 16.0.4 LTS can be not-so-straight-forward especially if you are not from the Linux world.

DOWNLOAD:

• download from here: http://publiclibrary.dwcc.tv/DW_Spectrum/downloads.html
• (NOTE: this is NOT the obvious place of http://digital-watchdog.com/DW_Spectrum/)

TO INSTALL:

• open TERMINAL
• type: cd ~/Downloads
• type: sudo dkpg -i digitalwatchdog-client-2.4.1.10278-x64-release.deb
• (NOTE: do not just double-click on the file. Do not install with UBUNTU SOFTWARE MANAGER).
• go through the setup process.

On UBUNTU 14.02, you are finished. On UBUNTU 16.0.4, you need the following:

• type: sudo apt-get install libgstreamer-plugins-base0.10-dev

That's it! You should now be able to use the Digital Watchdog Spectrum client.

This:

http://directedge.us/content/abr-activation-backup-and-restore

plus this:

http://en.community.dell.com/support-forums/software-os/m/microsoft_os

 = Umm... WOW!

Transfer hard drive to new hardware. It can be done.

• -take note of current setup bios for the ATA, AHCI, RAID setup.
• -run c:\windows\system32\sysprep\sysprep.exe
• -click GENERALIZE
• -wait an hour and let it shutdown.
• -tranfer to new hardware.
• -boot pc
• -change bios to match old setup.
• -wait for it to boot

All of your stuff should be intact.

If for some reason that doesn't work, you can always load the drivers in the Windows in an offline manner.

• -find your motherboard model number.
• -download the CHIPSET DRIVERS.
• -extract them to the C drive (for example: c:\drivers\chipset)
• -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
• -click REPAIR YOUR COMPUTER (bottom-left).
• -click COMMAND PROMPT.
• -find what letter your WINDOWS-DIRECTORY is.
• -type: dism /image:c:\ /add-driver /Driver:e:\install\chipset\ /recurse
• -hit ENTER
• -type EXIT
• -reboot

I love DNS servers. I really do. You ask a question, they give an answer. Here are some of the more popular ones.

LEVEL 3 DNS SERVERS

4.2.2.1
4.2.2.2
4.2.2.3
4.2.2.4
4.2.2.5

GOOGLE DNS SERVERS

8.8.8.8
8.8.4.4

NETWARE DNS SERVERS

137.65.1.1
137.65.1.2
137.65.1.3

COMCAST DNS SERVER

75.75.75.75
75.75.76.76

OPENDNS SERVERS

208.67.222.222
208.67.220.220

You can use OPENDNS as a web content filtering tool to automatically block inappropriate content and keep children safe.

HOW TO ASK QUESTIONS

To ask a question you can use DIG (*nix) or NSLOOKUP (Windows). I prefer DIG and install it on Windows rather easily via GNUWIN.

• -open shell of some kind (putty, command, power, etc)
• -type: dig daknetworks.com
• -type: nslookup daknetworks.com

To ask a question of a specific server:

• -type: dig daknetworks.com @4.2.2.2
• -type: nslookup daknetworks.com 4.2.2.2

To ask a specific type of record:

• -type: dig -t mx daknetworks.com
• -type: nslookup set type=mx daknetworks.com

To ask for an authoritative record:

• -type: dig -t ns daknetworks.com
• -type: nslookup -type=soa daknetworks.com

To ask for all the info:

• -type: nslookup -debug daknetworks.com 1.2.3.4

I have a 128GB SSD HD and I want to upgrade to a newly acquired 512GB SSD HD. How do I upgrade my ssd hard drive to a larger ssd hard drive on my MacBook Pro?

ps- I have Boot Camp with a Windows partition.
pss- many posts claim this can't be done or post a really, really long and complicated instruction set. Don't believe them. ;-)

SHORT ANSWER

• -clone the drive (clonezilla).
• -resize the Windows Boot Camp partition (gparted).
• -sync the partition tables (gparted).
• -resize the OSX partition (diskutil).
• -fix the Windows bootloader (Windows).

LONG ANSWER

NEEDED
-usb with ubcd with parted magic (UBCD is universal boot cd).
-host system.
-Windows 7/8 cd/usb (or a Windows repair disk).

CLONE
-plug both ssd's into the host system.
-boot via usb.
-start parted-magic.
-start clonezilla
-clone disk to disk
-wait till finished
(this could take awhile)

MOVE/RESIZE WINDOWS PARTITION
-you should still be in parted-magic
-start gparted
-resize windows partition as needed (grab the handles)
-move windows partition to the end
-move the osx recovery boot loader next to the windows partition
-apply changes
-wait
-after it's finished, if needed, you can fix the filesystem for both OSX and WINDOWS.

SYNC FOR BOOT CAMP
-you should still be in parted-magic
-open terminal
-type: sudo gptsync /dev/sda (or other device such as sdb sdc sdd. gparted will show you).
-confirm Y
-shutdown

RESIZE OSX PARTITION
-boot into os x with the new, larger hd.
-open Disk Utility.
-click the disk on the left hand side.
-click the PARITION button (at the top).
-select the volume you want to grow.
-look at the info-window (at the bottom).
-note the Disk Identifier (mine was disk0s2).
-open Terminal.
-type the following command: diskutil resizeVolume /dev/disk0s2 limits
-it will show the current size, minimum size and maximum size.
-note the maximum size (mine was 254.2GB. Do not get the part in parentheses.)
-type the following command: sudo diskutil resizeVolume /dev/disk0s2 254.2GB
(NOTE: the number above requires a GB but no space.)
-enter your password if prompted.
-wait.
-shutdown

FIX WINDOWS BOOTLOADER
This also works if you get messages like "No boot device found" etc.

This happens when the items get fouled up. How do you know if items are fouled up?
Boot MacBook Pro to Windows either:
-through holding the OPTION key on boot up (after chime).
-boot into OSX and go to SYSTEM-PREFERENCES and choose the START-UP DISK.
-you will see "No boot device" or Windows is going into repair mode on it's own.

In either case, the following will work as a full instruction set. Adjust as needed.

-insert Windows 7/8 cd/usb (or a Windows repair disk).
-boot while holding OPTION key.
-wait for windows 7 cd/usb shows (it could take a minute).
-select Windows 7.
-select your language.
-click NEXT.
-select REPAIR YOUR COMPUTER (bottom left).
-click NO (for automatic repair).
-click NEXT (at bottom right).
-click COMMAND PROMPT.
-type: bootrec /scanos.
(If it isn't already there, it should find the WINDOWS installation and ask if you want to add it.)
-type: Y

-type: Diskpart
-type: LIST DISK
-type: SELECT DISK 0 (change this to the number of the disk . most likely 0)
-type: LIST PARTITION
-type: SELECT PARTITION 4 (change this to your partition number. most likely 4)
-type: DETAIL PARTITION
(it will show the details of the partition. We're trying to find the partition with the windows installation.)
-if you found it, it will probably say ACTIVE: NO
-type: ACTIVE
-type: EXIT

-type: bootrec /fixmbr (needed?)
-type: bootrec /fixboot (needed?)
-type: bootrec /rebuildbcd
-type: exit
-click RESTART

CHECKDISK
-when it restarts it will do a chkdsk.
-let it finish.
-it will reboot.
-voila! You can bootcamp Windows!

BOOT MANAGER/LOADER INFO

For diagnostic information, this is provided.

-boot to osx
-open terminal
-type: diskutil list
-type: sudo gpt -r -vv show disk0
-type: sudo fdisk /dev/disk0

DEFINITIONS
boot manager: manages your booting process. This can actually be changed to REFIND, PLOP, LILO, GRUB2 and a few others. Fun stuff! Not for the faint of heart! (see here for boot loaders https://en.wikipedia.org/wiki/Comparison_of_boot_loaders)
boot loader: load an OS kernel and hand off control of the computer to that kernel.
kernel: loads the booting os

        /--bl-->k-->osx
bm--|--bl-->k-->centos/rhel
        \--bl-->k-->win7/8/10

NOTES:

-http://www.rodsbooks.com/refind/

I was going to write a blog post about SATA, AHCI, RAID, RST, IRST, ICH10R, X58 and the drivers needed along with the settings and the difference between the drivers and the software but this post does a better job than I ever would be able to (as well as better explanation than Intel does too):
http://www.win-raid.com/t2f23-Intel-RST-RSTe-Drivers-newest-v-WHQL-v-WHQL.html

I will say that the SATA/AHCI/RAID/IRST drivers are driving the southbridge (ICH10R, etc) which is the HOST-CONTROLLER (aka DISK-CONTROLLER aka STORAGE-CONTROLLER) and that the CHIPSET drivers are driving the northbridge (X58, etc).

Also, I will say that the speed of the SATA-I (150MB), SATA-II (300MB) or SATA-III (600MB) depends on both the HARD-DRIVE itself and the HOST-CONTROLLER. The easy ways to find the HOST-CONTROLLER speed is by using CPUID or HWINFO.

Lastly, I'll say that you only need the RST if you are running in AHCI or RAID mode. If not, then you can use the chipset drivers.

Here's how:

• 1 -if you are in IDE mode, change to AHCI mode:
  For Windows 7, change the registry. In cmd (as admin), type: echo y | reg add "HKLM\System\CurrentControlSet\Services\Msahci" /v Start /d 0
  For Windows 10, set to boot into safe mode with msconfig. You will need your local admin password, no domain or Microsoft accounts can access safe mode.
• 2 -reboot
• 3 -In the bios, the SATA drive should be set to AHCI (not IDE).
  Dell systems automatically are set to RST/RAID. I guess so that it is flexible in case someone wants to setup a RAID, they can without too much difficulty. Also, there is a little boost in performance. I have witnessed the extremely slow systems due to incorrect RST drivers, even on new systems. The RST drivers need to be updated as this is can be a limiting factor. In some cases (Optiplex/Inspirion All in One pc's), Dell is not providing updated RST drivers and you must source them from Intel.
• 4 -reboot.
  For Windows 10, set to boot into normal mode with msconfig.
• 5 -reboot.
• 6 -install the newest RST drivers for your chipset.

NOTES:
-https://support.microsoft.com/en-us/help/922976/
-SSD's should be set to RAID/RST as there will be a little boost in performance.
-ICH10R can only go to RST v11.
-as of this writing the RST v15 is the newest.
-you will need a couple of reboots, in case you couldn't tell.
-use HWinfo to get the motherboard chipset.
-it will say something like "QM77 series." That is the "Mobile 7 Series."
-Mobile 7 Series pairs with IRST v13 available at the Intel web site.
-the Intel-Update utility does not update the IRST to the newest version automatically.
-again, the Dell web site does not provide updated RST drivers and you must source them from Intel.
-for IRST, there are DRIVERS and there is the IRST program. You need the drivers (typically x64). The program is not needed.
-device-manager > storage-controllers
-right-click > properties
-driver > update-driver
-browse-my-computer > path to the newest IRST drivers.

Don't believe QUICKBOOKS support when they tell you that you have to upgrade to the newest version of QUICKBOOKS for MAC. QUICKBOOKS 2011 will work fine.

In the spirit of "just fix it" here's how:

• -close out of QUICKBOOKS 2011
• -click here: https://support.apple.com/kb/dl1572
• -click DOWNLOAD
• (direct link http://support.apple.com/downloads/DL1572/en_US/javaforosx.dmg)
• -run the installation
• -open QUICKBOOKS 2011
• -e-high-five!

You're familiar with RPM. Windows has a similar package manager. Windows has something similar for Windows packages only.

It should be called WPM for Windows Package Manager but it's called DISM for Deployment Image Servicing and Management.

Show all Windows packages:

dism /online /get-packages /Format:Table

Find if a certain package is installed:

dism /online /get-packages |findstr KB2919355

Remove package:

dism /online /remove-package /packagename:Package_for_KB2919355~31bf3856ad364e35~amd64~~~6.3.1.14

Scan to see if there is corruption:

dism /online /cleanup-image /scanhealth

Report if there is corruption:

dism /online /cleanup-image /checkhealth

Repair if there is corruption:

dism /online /cleanup-image /restorehealth

Restore to a source image:

dism /online /cleanup-image /restorehealth /source:wim:d:\your\source\here\install.wim:1 /limitaccess

Remove old versions of packages:

dism /online /cleanup-image /startcomponentcleanup

Lock in all packages and service-package so that they cannot be uninstalled:

dism /online /cleanup-image /startcomponentcleanup /resetbase

Check for Bad Sectors

Check to see if you have bad sectors on a disk:

• -use HDTUNE

This will give a graphical representation of any bad sectors on the disk. It will mark it as red.

If you have bad sectors, it isn't the end of the world. We can mark them as bad so that those sectors won't be used any more. If you have 1-9 bad sectors, this isn't a problem. If you have more than 9 then most likely the issue will grow. More bad sectors will show and then the drive will become useless.

Fix Bad Sectors

Fix bad sectors on a disk:

• -use UBCD > HDD > DIAGNOSTICS > HDAT2
• -type: HDAT2
• -select the disk by using the arrows keys on keyboard.
• -hit ENTER.
• -select DEVICE TESTS MENU
• -select DETECT AND FIX BAD SECTORS MENU
• -select VERIFY/WRITE/VERIFY
• -let it run all the way through.

In my experience, if too many bad sectors happen, it's easier to clone the drive and move on with the data loss. At that point, the data might be able to be replaced/repaired.

Cloning can be done with Clonzilla or many other tools. I prefer DDRESCUE as in this article.

Again, there are so manu tools in this area like DATA-LIFEGUARD, SEATOOLS, CRYSTALDISKINFO, etc that it's hard to know what to use and what not to bother with. The above reference of:

• HDTUNE
• HDAT2
• DDRESCUE

is a good start. I wish I retained all the info I've learned and used in the past but most of it escapes me now. No doubt that a data expert will have his or her own choice set of tools. I'd love to hear about them!

Dell Optiplex Wake On Lan doesn't work even though the Wake On Lan setting is enabled in the BIOS.

SOLUTION

This is because the DEEP SLEEP setting is ENABLED in the BIOS.

• -enter BIOS.
• -expand POWER-MANAGEMENT.
• -click DISABLED.
• -click SAVE.

If that doesn't work, make sure the BIOS is the newest version.

Note that there are many possible outcomes based on the variables of the WOL bios setting, WOL network driver setting and DeepSleep bios setting. Dell has a matrix of possible outcomes here:
https://downloads.dell.com/manuals/common/dell-emc-remote-wake-up-config-dell-client-cmd-suite.pdf

A Polycom Phone Set (Fonality) is saying NOT REGISTERED in the http://cp.fonality.com
(I guess this could be any Polycom Phone Set and Asterisk.)

Basically, the EXTENSION PASSWORD has to be typed into the PHONE SET. Here's how:

• -open CP.FONALITY.COM
• -click USERS/EXTENSION > VIEW USERS (at the top).
• -click the EXTENSION you need to fix.
• -expand the EXTENSION section (at the bottom).
• -find SIP PASSWORD (on the right).
• -click SHOW

This should show you the SIP PASSWORD which will be a random set of letters and numbers.

• -find the IP of the phone set you want to change.
• -login to that phone set via a web browser.
• -USER: Polycom (case-sensitive) (or possibly there is no USER).
• -PASS: 456 (or possibly the Fonality default password of: 9418941962).
• -click LINES (or possibly SIMPLE-SETUP > SIP LINE IDENTIFICATION)
• -find the PASSWORD area.
• -USER: should be the MAC of the phone (do not change this if something is already there).
• -type in the password that it showed from the first section.

What threw me for a loop here is that the first time around, the SIP PASSWORD section wasn't showing. If the SIP PASSWORD section doesn't show:

• -click APPLY ALL CHANGES (at the bottom) (yes, without changing anything).
• -afterwards, the section should show.

UPDATE

If you have to manually do this:

-updated phone to newest firmware.
-cd /tftpboot
-changed the <mac>.cfg to refer the newest *.ld file
-ensure that the user is in the /etc/asterisk/sip.conf file. (case-sensitive)
-changed the <mac>-reg-basic.cfg to use the username/password that is in the sip.conf file. (case-sensitive)
-change the polycom.UC4.1.8.device-<site>.cfg to TFTP from the local server (rather than FTP to the hq server).

NOTES:
-the <mac>.cfg should just have the rest of the *.cfg files.
-the <mac>-reg-basic.cfg will have the setting for the phone-set to make calls.
-the <mac>-features.cfg will have the features of the phone such as background, volume, etc
-the <mac>-phone.cfg will have the phone overrides. Settings set by changing the settings on the phone set itself.
-the <mac>-web.cfg will have the web overrides. Settings set by changing the settings on the web site itself.
-the polycom.UC4.1.8.device-<site>.cfg will have the FTP/TFTP settings.

You're awesome!

You have an EXCHANGE 2013 server.

This web site works: https://mail.domain.tld

This web site does not work: http://mail.domain.tld

You get an error message:
"HTTP ERROR 403.3 - Forbidden. The page you are tryig to acces is a secured with Secure Sockets Layer (SSL)."
or
"Server Error: 403 - Forbidden: Access is denied."

Here's how to fix:

• -open SERVER-MANAGER
• -click TOOLS > INTERNET INFORMATION SERVICES MANAGER (IIS)
• -expand SERVER > SITES > DEFAULT-WEB-SITE
• -click ERROR PAGES (in the middle).
• -click ADD (on the right).
• -type: 403.4 (in STATUS CODE).
• -bullet RESPOND WITH A 302 REDIRECT
• -type: https://mail.domain.tld
• -click OK.

First of all, this can happen for many reasons. However, in my experience, this happens because the web site is required to have HTTPS and not HTTP. What is amazing here is a perfect scenario of different people groups think differently. Accordingly, the amount of mis-information on this is mind-boggling and complex.

For example, one MS article recommends to turn off SSL:
https://support.microsoft.com/en-us/kb/2839692

Ummm, that's a big NO. Recommending to do so is simply irresponsible.

Others recommend a complex setup for a URL-REWRITE, like this
https://www.youtube.com/watch?v=U7USHit5mhY

Ummm, that's also a big NO.

Others recommend to do a HTTP REDIRECT on the OWA section of the web site:
https://www.itsupportguides.com/exchange-2010/exchange-2010-outlook-web-access-error-403-access-is-denied/

Ummm, that's also a big NO. In fact, doing so will kill access to EXCHANGE altogether.

Like usual, the only way I found to handle this was through a comment on a random blog article here:
https://www.sslshopper.com/iis7-redirect-http-to-https.html

Messing around with EXCHANGE 2013 EDB files can be tricky. It's best to have a plan before you start typing in commands. Here's my cheat-sheet.

REPAIR THE EDB FILE & MOUNT RECOVERY EDB

Again from last time, you can do this with StorageCraft. Paying the license is worth the hassle it saves and more affordable than dealing with MS SUPPORT.

MAKE A COPY OF THE EDB & THE LOG FILES
I don't care how you do it, just do it. If it takes 2 hours to do, then wait the 2 hours for the copy to happen. If you have to run to the store to buy a spare HD, then run to the store. !!!DO NOT BE CARELESS WITH THE EDB FILE!!! Rather, perform your work on a working-copy.

$cd e:\exchange-repair\working-copy

CHECK TO SEE THE STATE
$eseutil /mh '.\Mailbox Database FOO.edb'

SOFT RECOVERY
$eseutil /r E00 /l E:\exchange-repair\working-copy /d E:\exchange-repair\working-copy

CHECK TO SEE THE STATE
$eseutil /mh '.\Mailbox Database FOO.edb'

HARD RECOVERY (IF NECESSARY)
$eseutil /p '.\Mailbox Database FOO.edb'
(!!!CAUTION!!!: performing this will render the database with data loss.)

CONNECT THE RECOVRY DATABASE
$New-MailboxDatabase -Server exchange-server-name -Name RecoveryDB -Recovery -EdbFilePath 'E:\exchange-repair\working-copy\Mailbox Database FOO.edb' -LogFolderPath 'E:\exchange-repair\working-copy\recoverylogs'

DISMOUNT THE CURRENT RECOVERY DATABASE
$dismount-database RDB
(There can only be 1 recovery database mounted at any one time. There can be more than 1 recovery datase connected. See the difference between CONNECTED & MOUNTED?

MOUNT THE RECOVERY DATABASE
$Mount-Database RecoveryDB

CHECK THE STATS OF THE RECOVERY DATABASE

CHECK THE STATS OF THE ENTIRE RECOVERY DATABASE
$Get-MailboxStatistics -Database RecoveryDB | ft -auto

CHECK THE STATS OF THE CURRRENT USER-MAILBOX
$Get-MailboxStatistics foo.user

CHECK THE STATS OF THE RECOVERY USER-MAILBOX
$Get-MailboxStatistics -Database RecoveryDB | where mailboxguid -eq 24b5b78e-9396-456f-9ece-a5acaeb3e3e7

RESTORE MAILBOX FROM A RECOVERY DATABASE

The RESTORE requires DisplayName, MailboxGUID, or LegacyExchangeDN. The most exact is the MAILBOXGUID since the DisplayName can be lengthy with spaces.

GET THE MailboxGUID:
$Get-MailboxStatistics -Database RecoveryDB | ?{$_.DisplayName -like 'FirstNameHere*'} | fl DisplayName,MailboxGuid,DisconnectDate

It will spit out the mailbox accounts that match along with the GUIDs.

RESTORE THE RECOVERY USER-MAILBOX
$New-MailboxRestoreRequest -SourceDatabase RecoveryDB -SourceStoreMailbox 28282f8e-e37b-4965-9dea-4e8658fada43 -TargetMailbox foo.user -AllowLegacyDNMismatch

-see the status of all the requests:
$Get-MailboxRestoreRequest

-see detail status of individual request:
$Get-MailboxRestoreRequestStatistics -Identity "foo.user\MailboxRestore"

-see the detail status of all the requests:
$Get-MailboxRestoreRequest | Get-MailboxRestoreRequestStatistics

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$Remove-MailboxRestoreRequest -Identity "foo.user\MailboxRestore"

-or remove all the completed requests:
$Get-MailboxRestoreRequest -Status Completed | Remove-MailboxRestoreRequest

IMPORT A PST INTO THE EDB

Sometimes a user has the pst from their laptop and you can import that pst back into the edb. Don't worry, by default it doesn't duplicate items.

First, enable the import/export of .pst into a mailbox as it is not turned on by default:
$New-ManagementRoleAssignment -Role "Mailbox Import Export" -SecurityGroup "Organization Management"
-restart EMS (this means shut down your powershell and open it back up ;-))

-import a PST file into a user's primary mailbox
(NOTE: By default, the import checks for duplication of items and doesn't copy the data from the .pst file into the mailbox or archive if a matching item exists in the target mailbox or target archive.)
-you have to use the new-mailboximportrequest command. It requires UNC path (eg: \\exchange-server\foo-folder$). It will not work with an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.
-create an easy folder (i.e.: c:\foo-folder\)
-share the folder as a hidden share by putting a dollar-sign ($) behind the name (foo-folder$).
-grant full-access to 'exchange trusted subsystem'
(NTFS and Share permissions)

-import the pst:
$New-MailboxImportRequest -FilePath \\exchange-server\foo-folder$\Recovered.pst -Mailbox foo.user

-see the status of the import request:
$get-mailboximportrequest

-see the details of the import request:
$Get-MailboxImportRequestStatistics -Identity foo.user\mailboximport

-the request hangs around until you stop it. They are not automatically cleared. Only run this when the request is complete.
$Remove-MailboxImportRequest -Identity "foo.user\MailboxImport"

-or remove all the completed requests:
$Get-MailboxImportRequest -Status Completed | Remove-MailboxImportRequest

SEE MOVE REQUESTS

Hopefully, the syntax is becoming clearer. Let's see if you know what this is...

$Get-MoveRequest
$Get-MoveRequest | $Get-MoveRequestStatistics
$Get-MoveRequest -MoveStatus Completed | Remove-MoveRequest

EXPORT PST FROM EDB

If for some reason you need to export a pst from the edb, you can do that too. Again, it can only be done to a UNC (eg: \\exchange-server\foo-folder$). It cannot be done to an absolute path (C:\foo-folder\recovered.pst). Definitely an oversight.

$New-MailboxExportRequest -Mailbox foo.user -FilePath "\\exchange-server\recovery$\foo.user.recovered.pst"
$Get-MailboxExportRequest
$Get-MailboxExportRequest | Get-MailboxExportRequestStatistics
$Get-MailboxExportRequest -Status Completed | Remove-MailboxExportRequest

MAILBOX REPLICATION SERVICE (MRS)

Throttling is done by the MRS. It it configured here:
C:\Program Files\Microsoft\Exchange Server\V15\Bin\MsExchangeMailboxReplication.exe.config

Do not try to mass import/export/move, unless you know what you are doing. The default settings for the MRS will most definitely bite you. The processes will error out and eventually die after 12 hours.

I wouldn't do more than 20 at a time. There's too many switches. Basically, the more you do at a time, the more resources it takes. The more resources it takes, the longer it takes. If you hit 12 hours, the request stalls. Yes, you can configure all of these settings if you really want to.

This is the best resource for more info:
http://thoughtsofanidlemind.com/2014/09/29/exchange-2013-workload-management-controls-mailbox-replication-service/

NOTES

• Transferring from EDB into an empty mailbox is preferred. In my experience, it is much better. In my experience, mailbox to mailbox misses items and pst to mailbox misses items too.
• If you can, import into a dummy mailbox account so that you can test and approve the contents before you import it into the real mailbox.

What can I say?

• PDQ
• Lansweeper
• LogicNow
• Matrix42

TL;DR: http://mikepfeiffer.net/2010/04/getting-an-exchange-database-into-a-clean-shutdown-state-using-eseutil/

MY EXPERIENCE

Ughhh.... Users report that they can't access their email. Message is, "Microsoft.Exchange.Data.Stoarage.MailboxOfflineException"

Ok, so the Mailbox is offline. Why is it offline?

The database for the Exchange 2013 is broken into 3 different groups.

• A-H
• I-P
• Q-Z

Databases I-P & Q-Z are working fine but database A-H won't mount.

Why won't it mount? It won't mount because it is corrupt.

How did it get like this? It got like this because EXCHANGE 2013 uses EDB files. It is a single file that stores everything. This file grows. Sooner or later it craps out. I'm not sure why but my guess is on NTFS.

If I check the EVENT LOG > APPLICATION, I see,

"Active Manager failed to mount the database Mailbox A-H. Error: An Active Manager operation failed. Error: The database action failed. Error: Operation failed with message: MapiExceptionDatabaseError: Unable to mount database. (hr=0x80004005, ec=1108)"

It gets worse, I'm also getting:
"Microsoft Exchange Information Store worker process (18152) has encountered and unexpected database error (Disk IO error) for database Mailbox A-H with a call stack of..."

And still worse:
"Database copy Mailbox A-H on this server appears to have a serious I/O error." "Service recovery was attempted by failover to another copy. Failover was unsuccessful in restoring the service. Error: There is only one copy of this mailbox database. Automatic recovery is not available."

And worse:
"Information Store - Mailbox A-H ; Database recovery/resotre failed with unexpected error - 1022"

And worse:
"Information store - Mailbox A-H: An attempt to write to the file "C:\Program Files\Microsoft\Exchange\V15\Mailbox\Mailbox Database 1889704935\Mailbox Database 1889704935.edb" at offset... bytes failed after 0.000 seconds with system error 665. The requested operation could not be complete due to a file system limitation. The writer operation will fail with error - 1022. If this error persists then the file may be damaged and may need to be restored from a previous backup."

All of this to say that the database is corrupt.

We got 2 options:

1. restore from backup.
2. repair database.

To repair:

• cd \
• cd \Program Files\Microsoft\Exchange Server\V15\Mailbox\Mailbox Database Foo\
• eseutil /mh ".\database-name.edb"
• eseutil /p ".\database-name.edb" /g

Then I moved all the log files away from Exchange log folder. First create a backup-directory, then move all the files into the backup-directory:

• mkdir bkp
• move * bkp

Then move the database-file.edb back where it came from:

• cd bkp
• move database-name.edb ..\

Now defrag the database-file.edb:

• eseutil /d database-file.edb

Now check to see if the database-file.edb is OK:

• eseutil /mh ".\database-name.edb"

Finally, mount the database:

• $Mount-Database "database-name"

NOTE: you can run eseutil.exe /mh without effect. It is informational only.

In the end, it was easier to create a new database-name.edb and import the items needed via edbmails. Don't ask me why it took more than 24 hours to get to a solution that should have been the first option. This is exactly why I keep a note of items here.

MS SUPPORT

Luckily, I called MS support. So you get the short of the conversation without having to pay ;-)

-too many log files.

-database file is too large. It is 539GB.

-ran eseutil /mh ".\database-name.edb"

-error 1811. Bad news.

-stop MS Exchange Information Store

-uninstall Veeam Backup

-get-mailboxdatabase

-get-mailboxdatabasecopystatus *

-wait for the databases to mount.

-shows "Dismounted"

-event-viewer > application and they see the same errors I already found.

-uninstall some programs that might be accessing the file.

-ran eseutil /mh ".\database-name.edb"

-error 1032. This means it's being used somewhere.

-storagecraft was trying to mount it.

-stop storagecraft service

-ran ran eseutil /mh ".\database-name.edb"

-success

-see that the log-required is lengthy

-sequence is from E000015CD80 to E000015CDCF

-created new folder & moved the sequence into this new folder

-ran eseutil /ml ".\database-folder\new folder\E00"

-"no damaged log files were found"

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /a

-ran eseutil /r E00 /d ".\database-name\new folder" /l "new-folder" /S "new-folder" /i

-ran eseutil /mh ".\database-name.edb"

NEW PLAN

-copy the database-name.edb

-start a new database-name.edb (this will get everyone receiving email)

-repair the database-name.edb

-merge the file back into the new-database-name.edb

INFO GATHER

-get-exchangeserver | fl name,*admin*,*role*,*site*

-repair is 5-6GB per hour

-ran eseutil /p ".\old-database-name.edb"

-merge into new-database-name.edb

[PS] c:\users\admin> cd "C:\Program Files\Microsoft\Exchange Server\V14\Bin"

[PS] C:\Program Files\Microsoft\Exchange Server\V14\Bin>eseutil /r E00 /i /l 'Y:\ExchangeRestore\Mailbox Database' / 'Y:\ExchangeRestore\Mailbox Database'

FINDINGS

StorageCraft to the rescue again with Granular Recovery for Exchange.

Testing it out now...

OK, I'm back. The StorageCraft GRE is a good tool. It does what eseutil should do but makes it easy for the stressed out administrator. It also has the added benefit of having granular restore. You can restore just one email.

If you have the budget, I recommend it. It's way better than EDBMAILS and other software I've tried.

There should only be one NTP SERVER on the network. You can have more but it would be redundant.

SERVER / NON-DOMAIN COMPUTERS

The domain-server should be set to sync with an external source.

• -open POWERSHELL (as admin)
• $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• $stop-service w32time
• $sc stop w32time
• $start-service w32time
• $sc start w32time

DOMAIN COMPUTERS

The domain-clients should automatically get their time from the server. If for some reason, a domain-client doesn't, then force it:

• -open POWERSHELL (as admin)
• $w32tm /config /syncfromflags:domhier /update
• $stop-service w32time
• $sc stop w32time
• $start-service w32time
• $sc start w32time

HYPER-V MANAGER

If it is a VIRTUAL-OS, disable TIME-SYNCHRONIZATION from the HYPER-V settings:

• -open HYPER-V MANAGER
• -click on the VM
• -click SETTINGS (on the right-hand side)
• -scroll down to INTEGRATION SERVICES
• -uncheck TIME-SYNCHRONIZATION
• -click OK

You can check to see if a NTP Server is working.

If it's a VIRTUAL-HOST,

• -check to see if an external NTP server is working.
• -if you get an error, check to see if an internal NTP server is working.
• -set the server to a working NTP server
• External: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• Internal: $w32tm /config /syncfromflags:manual /manualpeerlist:192.168.1.1 /reliable:yes /update

You can check the config:

• $w32tm /query /configuration
• $w32tm /query /status
• $w32tm /query /source
• External-check: $w32tm /monitor /computers:pool.ntp.org
• Internal-check: $w32tm /monitor /computers:192.168.1.1

Won't change from Local CMOS Clock

I had a really strange issue where the clock would not use the external pool.ntp.org servers. It stayed Local CMOS Clock.

Check the config with:

• w32tm /query /configuration | findstr /i policy
• reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\
• reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
• reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
• reg query HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\\TimeProviders

If you see "(Policy)", then the setting is set by policy and overrides your manual settings.

Change the local policy by:

• gpedit.msc
• computer-configuration > administrative-template > system > windows-time-service

Find the FSMO role of PDC:

• netdom query fsmo

The local policy might be overriding the settings but the PDC FSMO should have the following:

1. PDC announces that it is an NTP server:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Config
Key Name: AnnounceFlags
Type: REG_DWORD (DWORD Value )
Data: 0x5
AnnounceFlags value determines whether the authoritative time server receives its time from an external time source (e.g. internet time server) or its built in CMOS clock.
1) AnnounceFlags value to 0xA/10 means that the server announce itself as a reliable time source and uses the built-in complementary metal oxide semiconductor (CMOS) clock.
2) AnnounceFlags value 0x5 is used to configure an internal time server to synchronize with an external time source.

2. Change the server type to NTP:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters\Type
Key Name: Type
Type: REG_SZ(String Value)
Data: NTP

3. Enable the NTP server:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\TimeProviders\NtpServer
Key Name: Enabled
Type: REG_DWORD
Data: 1

4. Specify which server to act as the NTP server:
Path: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters
Key Name: NtpServer
Type: REG_SZ(String Value)
Data: Peers (example: pool.ntp.org,0x9 or 192.168.2.50,0x9)

5. Only if our PDC machine is a virtual machine, we need to set this registry. If it is not a virtual machine, there is no information about this registry. Because our PDC is a virtual machine, we need set the following registry.
HLM\SYSTEM\CurrentControlSet\services\w32time\TimeProviders\VMICTimeProvider
Name: Enabled
Type: REG_DWORD
Data:0

Some recommend (I have not tried this):

• -force the VIRTUAL-HOST to use an external source via regedits
• (HKLM/SYSTEM\CURRENTCONTROLSET\SERVICES\W32TIME\TIMEPROVIDERS\NTPSERVER\ENABLED: 1)
• -set the external: $w32tm /config /syncfromflags:manual /manualpeerlist:"0.pool.ntp.org 1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org" /reliable:yes /update
• $stop-service w32time
• $start-service w32time
• -then set the VIRTUAL-OS to use the internal VIRTUAL-HOST: $w32tm /config /syncfromflags:manual /manualpeerlist:192.168.1.1 /reliable:yes /update
• (rather than through INTEGRATION SERVICES)
• $stop-service w32time
• $start-service w32time

Some recommend (I have not tried this):

-set the VIRTUAL-OS to use the internal VIRTUAL-HOST via INTEGRATON SERVICES

The issue is usually around the vmitimesync.

I'll update this when needed. So far, I simply sync'd to external on 1 server and sync'd everything else to that. Seems to work. I'll post when I run into issues

So your CERTIFICATE expired on your EXCHANGE 2013. No one can access email and you are being innundated with phone calls, pop-ins and text messages to notify you that "email isn't working" or "OUTLOOK isn't working."

We've all been there. If not, you will be there some day. Sometimes this even happens on very large email systems. There was a similar story recently where google.com didn't register their domain name (http://www.businessinsider.com/this-guy-bought-googlecom-from-google-for-one-minute-2015-9).
[I like to put these story links in here to let you know that you are not alone. It happens to just about everyone.]

This happens because CERTIFICATES are installed for multiple years terms; 2 years, 3 years, 5 years, 10 years, etc. And the expiration notices are going to a non-personal email account that no one regularly checks (like This e-mail address is being protected from spambots. You need JavaScript enabled to view it ) or to an email account that doesn't exist anymore.

Then the certificate expires and you wake up to voicemails and texts if you are in a worldwide company.

It's best to have a plan written out so you can follow it to fix quickly rather than use that time as a learning experience. Let me say it again with emphasis... FIX IT AS FAST AS POSSIBLE!

Here's how:

ACCESS THE CERTIFICATES ON THE SERVER

• -click SERVER-MANAGER.
• -click TOOLS > IIS MANAGER.
• -click YOUR-SERVER-NAME (on the left-hand side).
• -double-click SERVER-CERTIFICATES (in the middle).

This will list out all the PERSONAL CERTIFICATES installed on the server. You will see the expired certificate in the list.

RECORD THE SUBJECT ALTERNATIVE NAMES

Before you go any further, view the expired-certificate to write down the SUBJECT ALTERNATIVE NAMEs

• -click on the EXPIRED-CERTIFICATE.
• -click VIEW (on the right-hand side).
• -click DETAILS (at the top).
• -scroll down to SUBJECT ALTERNATIVE NAME.
• -write down all the names (in the lower box at the bottom).

The reason this is important is because if you are access an email server called "mail.domain.tld" via a web site and you don't have that SUBJECT ALTERNATIVE NAME in the CERTIFICATE, then it will complain. And since EXCHANGE needs to have the local FULL QUALIFIED DOMAIN NAME (FQDN) (ie server.domain.tld), the EXTERNAL DOMAIN NAME (mail.domain.tld) and the AUTODISCOVERY NAME (autodiscover.domain.tld), it's important not to miss one of the names. If you do, you have to re-issue the CERTIFICATE and it can lead to longer down time.

CREATE A CERTIFICATE REQUEST (or CSR)

• -click CREATE CERTIFICATE REQUEST (on the right-hand side).
• COMMON NAME: domain.tld
• ORGANIZATION: Company Name
• ORGANIZATION UNIT: Domain Control Validated
• CITY: Jupiter
• STATE: FL
• COUNTRY: us
• For Cryptographic service provider, select "Microsoft RSA SChannel Cryptographic Provider".
  For Bit length, select 2048 or higher, and then click Next.
• -save the CSR on the server and call it mail.domain.tld.csr
• -this is a typical text file. Open it up with NOTEPAD.
• -copy the entire contents (yes, even the "-----BEGIN NEW CERTIFICATE REQUEST-----")
• -paste it into the web ONLINE APPLICATION (in your account at GODADDY, ENOM, NETWORK-SOLUTIONS, etc).
• -wait a few minutes (about 2 minutes).
• -download it. It will be named mail.domain.tld.cer and it might have an INTERMEDIATE CERTIFICATE.

INSTALL THE INTERMEDIATE CERTIFICATE

The INTERMEDIATE CERTIFICATE must be installed.

There are ROOT CERTIFICATES installed on every device. These come from companies named like EQUIFAX, GEOTRUST, VERISIGN, THAWTE, GTE, MICROSOFT, etc. These are installed during the time of OS installation or through an update. In this case, Windows Update. But it can also happen durning iOS update.

Sometimes these ROOT COMPANIES can be viewed as manufacturers who do not do business with end-users directly. You have to use a dealer of their product.

Consequently, these dealers need to be installed. These come from companies named like RAPIDSSL, GODADDY, etc.

Let's install the INTERMEDIATE CERTIFICATE:

• -click START > RUN
• -type: mmc
• -click FILE > ADD/REMOVE-SNAP-IN (at the top).
• -select CERTIFICATES (from the list on the left).
• -click ADD (in the middle).
• -bullet COMPUTER ACCOUNT.
• -click FINISH > OK (at the bottom).

The CERTIFICATE MANAGER shows. On the left are the different STORES and in the middle are the different CERTIFICATES.

• -click to expand the CERTIFICATES (on the left-hand side).
• -right-click INTERMEDIATE CERTIFICATION AUTHORITIES
• -click ALL-TASKS > IMPORT
• -click NEXT > BROWSE
• -find FILE-NAME (at the very bottom).
• -select "PKCS #7 CERTIFICATES (*.spc;*.p7b)" (in the dropdown to the right).
• -select the INTERMEDIATE CERTIFICATE that you downloaded from your DOMAIN-PROVIDER (godaddy, rapidssl, etc). It might be called something like *_iis_intermediates.p7b
• -click NEXT
• -select PLACE ALL CERTIFICATES IN THE FOLLOWING STORE
• -click BROWSE
• -select INTERMEDIATE CERTIFICATE AUTHORITIES.
• -click OK
• -click NEXT > FINISH
• -exit out of the window.
• -click NO (when it asks if you want to save).

INSTALL THE CERTIFICATE

• -click SERVER-MANAGER.
• -click TOOLS > IIS MANAGER.
• -click YOUR-SERVER-NAME (on the left-hand side).
• -double-click SERVER-CERTIFICATES (in the middle).
• -click COMPLETE CERTIFICATE REQUEST (on the right-hand side).
• -select the mail.domain.tld.cer or mail.domain.tld.crt (that was downloaded from the domain provider).
  (Note that you it will look for a *.cer automatically; simply change it to *.* and use the .crt file and it will still work.)
• -type a "Friendly Name": mail.domain.tld
• -select PERSONAL (for the CERTIFICATE STORE).
• -click OK
• -the CERTIFICATE should now show in your list of CERTIFICATES
• -if needed, highlight the EXPIRED-CERTIFICATE and click REMOVE (on the right-hand side)

BIND THE CERTIFICATE TO SERVICE

Even though the CERTIFICATE is installed. It isn't being used until you BIND the CERTIFICATE to the service (SMTP, WEBSITE, etc).

BIND TO EXCHANGE BACK END

• -click to expand the SERVER-NAME (on the left-hand side).
• -click to expand SITES (on the left-hand side).
• -you will see all the WEBSITES (on your server). Typically, there is DEFAULT-WEB-SITE & EXCHANGE-BACK-END
• -click EXCHANGE-BACK-END
• -click BINDINGS (on the right-hand side)
• -select HTTPS-444-* (in the middle)
• -click EDIT (on the right-hand side)
• -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE
• -click OK > CLOSE

BIND TO WEBMAIL

• -click DEFAULT WEB SITE (on the left-hand side)
• -click BINDINGS (on the right-hand side)
• -select HTTPS-443-* (in the middle)
• -click EDIT (on the right-hand side)
• -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE
• -click OK
• -select HTTPS-443-127.0.0.1 (in the middle)
• -click EDIT (on the right-hand side)
• -select mail.domain.tld (in the dropdown selection under SSL CERTIFICATE)
• -click OK > CLOSE

RESTART IIS

• -right-click the SERVER-NAME (on the left-hand side).
• -click STOP
• -wait for it to stop. It might take 2 minutes or so.
• -right-click the SERVER-NAME (on the left-hand side).
• -click START

That should do it!!! Visit your web site at mail.domain.tld and you should be OK with the CERTIFICATE. With this plan in place, you should be able to fix your certificate issue within a few minutes.

MS SQL setup is a PITA. Here are a few of my notes:

1-the install package is the only way to install databases. In other words, if you have one database and you want another, you have to go through the setup process again. So keep that SQL INSTALLATION SETUP file on the system.

2-the versions are wacky. There is:

• SQL - costs for license.
• SQL EXPRESS - free for up to 10GB.
• SQL CE (or compact edition) - Meant to be used in use with an application.
• SQLITE - I don't know what this is for.

3-to connect and manage the SQL, you have to install SQL MANAGEMENT STUDIO. Think of this as their version of PHPMYADMIN. It can actually control different versions at the same time. It can control a 2012 SQL database and a 2014 SQL database at the same time.

4-which leads me to my next point. SQL versions can coincide. Both 2012 and 2014 can run at the same time.

5-permissions are wacky. They just are. They can be either SQL permissions or they can be WINDOWS permissions. But even if you use SQL permissions, you might have to setup WINDOWS permissions anyway. This is for a local LAN installation.

6-when you install, it automatically adds your USERNAME as the owner of the database. This is required so that you can add/remove other user permissions.

7-to see/add/change/remove the permissions:
(good video to explain the below: https://www.youtube.com/watch?v=gsr8ID2pY-A&feature=youtu.be)

• expand the DATABASE-INSTANCE name.
• expand the SECURITY folder
• expand the LOGINS folder
• right-click LOGINS
• click NEW-LOGIN

Here, you can see where the permission can be either WINDOWS or SQL.

I find it's easier to use the WINDOWS AUTHENTICATION (although it doesn't seem like it should be so). The reason is that when the APP SERVICE runs (whatever APP is being used), the SERVICE is being run as the current-logged-in-user. I find (and this may be incorrect) that if you use the SQL SERVER AUTHENTICATION (like I want to), then you also have to go back and add the current-logged-in-user as well. This can add up to quite the number if you have many users.

To get around this, I add a specific DATABASE-USER account in ACTIVE-DIRECTORY. Then I change all the APP SERVICE on the clients machines to run as the DATABASE-USER (rather than the current-logged-in-user). This is done in SERVICES.MSC. Then I add that DATABASE-USER to the permissions on the SQL MANAGEMENT STUDIO.

• select the DATABASE-USER.
• leave the rest as the defaults.

Now you have to add this user to the DATABASE.

• select USER MAPPING (on the left-hand side).
• select the DATABASE you are controlling.
• click OK (at the bottom).

After this is done (and only after), you now have to add permissions to the DATABASE for this user.

• expand the DATABASES folder.
• right-click the DATABASE name.
• select PROPERTIES (at the bottom).
• click PERMISSIONS (on the left).
• select the USER (in the list).
• place a CHECKMARK in the GRANT column for the following
• DELETE, EXECUTE, INSERT, SELECT, UPDATE

8 -for the client machine to see and connect to the SQL DATABASE, you have to allow the port through the firewall.

9 -the port for each instance is randomly assigned.

10 - to find the port number, you have to use the SQL SERVER CONFIGURATION MANAGER.

• open the SQL SERVER CONFIGURATION MANAGER.
• click SQL SERVER NETWORK CONFIGURATION (on the left-hand side).
• click on the DATABASE you are working on.
• double-click TCP/IP (on the right-hand side).
• click IP ADDRESSES (at the top)
• scroll to the bottom.
• find TCP DYNAMIC PORTS
• mine says 51772

11 -you have to allow 2 PORTS through the WINDOWS FIREWALL.

• random assigned TCP port.
• UDP PORT 1434 (notice that this is a UDP PORT, not a TCP port).

I will post more as I come across.

Here is the location for Windows update:

http://catalog.update.microsoft.com/v7/site/Install.aspx?q=KB2952664

Looking to see if a package is installed?

• -start > run
• -type: cmd
• -click OK
• -type: dism /online /get-packages | findstr 3035583

You have the following options in the DELL BIOS:

SATA, AHCI, RAID.

What do you choose?

Choose AHCI.

Afterwards, make sure you have the following installed in the correct order:

• -CHIPSET DRIVERS
• -MANAGEMENT-ENGINE
• -INTEL RST

While many sites claim that you must make your selection in the BIOS before WINDOWS-OS install, we don't accpet that around here. Of course it can be changed. But you'll need to make sure that the WINDOWS has the correct drivers enabled to start up.

    For ACHI:
        HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\atapi

    For RAID:

As a last resort, if that doesn't work, the incorrect drivers might be installed. Here's how to install the correct drivers.

This also applies when the motherboard is changed by DELL PRO SUPPORT and new drivers might need to be installed.

• -find your motherboard model number.
• -download the CHIPSET DRIVERS.
• -extract them to the C drive (for example: c:\drivers\chipset)
• -boot into REPAIR MODE or start with WINDOWS OS INSTALL media (usb, CD, PXE, etc).
• -click REPAIR YOUR COMPUTER (bottom-left).
• -click COMMAND PROMPT.
• -find what letter your WINDOWS-DIRECTORY is.
• -type: dism /image:e:\ /add-driver /Driver:e:\install\chipset\ /recurse
• -hit ENTER
• -type EXIT
• -reboot

It may take awhile to reboot but it will install the correct drivers and start up fine.

Don't know why I've never had to do this before but in the past working with SolidWorks and Dell Precision Machines, I've found the need to inspect hardware detail information. This can be done in the following ways:

• AIDA64
• CPUID
• HWINFO
• PRIME95
• CARRONA
• MEMTEST
• FURMARK
• INTEL PROCESSOR TEST
• SYSINTERNALS (COREINFO, PROCEXP, PS-TOOLS)

Exchange 2013 Get-Mailbox Only Returns Myself. Get-Mailbox only shows your own record. You expect to see all the accounts because you are an Administrator. But you only see one mailbox when I type in: Get-Mailbox. It looks like this:

My Name     my.account     server-name     Unlimited

That's it. No other users.

Type in the following to see the ROLEGROUPS:

-Get-RoleGroup

You will see all the ROLE GROUPS in EXCHANGE 2013. There's only one important group here. ORGANIZATION MANAGEMENT. Even though you might be an ADMINISTRATOR group in ACTIVE-DIRECTORY, that does not automatically make you an ADMINISTRATOR in EXCHANGE. To be an ADMINISTRATOR in EXCHANGE, you must be in the ORGANIZATIONAL MANAGEMENT group.

Let's look to see who is in the ORGANIZATION MANAGEMENT group.

-Get-RoleGroupMember "organization management"

You will see all the MEMBERS in the ORGANIZATION MANAGEMENT group. Most likely, there is only one and that is the Administrator account. Now let's add an account other than "Administrator" account.

-Add-RoleGroupMember "Organization Management" -Member my.account

Now when you type Get-Mailbox, you will get all the accounts in the domain.

GUI-wise you do this through the EAC:

-click PERMISSIONS (on the left)
-click ADMIN-ROLES (at the top)
-double-click ORGANIZATION-MANAGEMENT
-find MEMBERS section (at the bottom)
-click the PLUS SYMBOL +
-type in the account
-click OK > SAVE

ACTIVE-DIRECTORY-wise you do this through the AD USERS & GROUPS:

-click MICROSOFT EXCHANGE SECURITY GROUPS
-doubl-click ORGANIZATION MANAGEMENT
-click MEMBERS tab (at the top)
-add you users here

Install .NET Framework 3.5 on Windows Server 2012:

-run POWERSHELL (as admin)
-type: Install-WindowsFeature Net-Framework-Core
-wait 10 minutes.

That should do it! Congrats!

You can check to see if it installed by:

-type: Get-WindowsFeature

And if you install the GnuWin32, you can grep to your heart's content:

-type: Get-WindowsFeature | grep -i framework

To rename computers in a domain:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force /reboot:10

Drop off the /reboot if you want the change to happen the next time the computer is rebooted (and not immediately). So it would be:

netdom renamecomputer currentcompname /newname:newcompname /usero:domain\adminname /passwordo:* /userd:domain\adminname /passwordd:* /force

PowerShell v5 has a new way of renaming computers found here: https://technet.microsoft.com/en-us/library/hh849792.aspx

Here is the command for the local computer:

Rename-Computer -ComputerName . -NewName <New name>

But if I wanted to rename a local computer, I would just do it graphically. The point is to rename a remote computer.

Rename-Computer -NewName Server044 -DomainCredential Domain01\Admin01 -Restart

SMTP Client
Enable SMTP Client: Enable
Enable SSL: Accept all certificates without CA
SSL/TLS: STARTTLS
SMTP Server Address: smtp.gmail.com
POP Before SMTP: Disable
Authentication: Plain
Login Name:  This e-mail address is being protected from spambots. You need JavaScript enabled to view it
Login Password: setthistosomething
Maximum Email / Internet Fax Size: 20 MB
Port Number: 587
SMTP Client Connection Timeout: 30 Seconds

The Digital Watchdog Blade (DW-BJBLADE) is a much better NVR than that last NVR product I reviewed (see NVR Part 1 - HIKVISION). It is more robust in it's ability and power. As always, with more more power comes more cost and potential complexity.

The Digital Watchdog (DWD) NVR is a Linux Ubuntu system running on an Atom x64 processor. They don't even try to hide or limit the Ubuntu system. The system boots directly to the Ubuntu desktop.

Since it is a full GUI desktop, they even include TEAMVIEWER for each system to allow for remote access.

What was surprising for me was how well UBUNTU performed on such a low-powered ATOM x64 processor.

The issue I had was that the incorrect QUICK-START-GUIDE was included. I found the correct version (listed below) with a simple google search.

Requirement Packages

The DWD NVR solution is comprised of 3 software packages:
1. Enterprise Controller (managing database)
2. Media Sever (recording video)
3. Client (viewing recorded video)

The software packages have to be installed that way as well due to dependencies.

For me, the CLIENT was not installed on the system. (This is what lead to the hours I devoted in breaking/researching/fixing/RMA'ing the system).

Download

Most likely, you will need the x64 packages.

All the packages should be here:
http://publiclibrary.dwcc.tv/

AFAICT, there is not seperate packages for different NVR's. The same SPECTRUM software is used across all products. The only difference is the version number (v1, v2, v3, etc) and the install base (Windows, Linux, Mac, etc) as well as the architecture (x86 or x64).

DO NOT USE THE PACKAGES LISTED ON THE PRODUCT PAGE HERE:
http://digital-watchdog.com/productdetail/Blackjack-Blade
(click DOWNLOAD [at the bottom])

They list the incorrect versions. They listed the Beta versions of 2.3. The CONTROLLER was mis-matched at verion 2.1 (a downgrade in version from what was installed). The last thing I want is to install Beta versions at a client install or have an untested version mis-match. And repairing a v2.2 with a v2.1 is impossible.

Install Packages

On an Ubuntu system:

-the package manager is: dpkg
(this is like rpm in redhat/rhel/centos. Stands for Debian Package)

-the gui package manager is Ubuntu Software Manager.
(click START > APPS > UBUNTU-SOFTWARE-CENTER)

-the update manager is apt-get (manages dependencies.)
(this is like yum in redhat/rhel/centos)

DWD recommends to:

-download the packages.
-right-click and open-with UBUNTU-SOFTWARE-CENTER
-wait
-click INSTALL/UPGRADE/RE-INSTALL (at the top right).

Forgot Password

If for some reason, you forgot the password, you can re-install the CONTROLLER software by using the steps above. Reinstalling the CONTROLLER package will go through a setup and allow you to reset the password. If you have an existing system and need to keep the database, please choose to KEEP THE DATABASE. Obviously, if you choose to delete the existing database, you will not be able to get it back without a backup.

That's it!!! Happy NVR'ing!!!

Notes

QUICK-START-GUIDE: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/Blackjack_Spectrum_QSG.pdf

MANUAL: http://publiclibrary.dwcc.tv/Sales%20Tool/DW%20Spectrum%20Documents%20&%20Videos/Documents/DWSpectrum_User_Manual.pdf

REPO: http://publiclibrary.dwcc.tv/

Streaming video is usually done through RTSP or real-time streaming protocol. IP-Cameras typically have RTSP.

However, it's possible (not probable) that NVR/DVR have RTSP as well.

HIKVISION NVR:

rtsp://[admin]:[12345]@<IP>:[PORT]/Streaming/Channels/<ID>

<ID> is YXX where Y = channel number and XX is main (01) or sub stream (02)

ID 501 = Channel 5 main stream
ID 402 = Channel 4 sub stream

EXAMPLES:

rtsp://admin: This e-mail address is being protected from spambots. You need JavaScript enabled to view it /Streaming/Channels/201
rtsp://192.168.1.64/Streaming/Channels/602
rtsp://user: This e-mail address is being protected from spambots. You need JavaScript enabled to view it :10554/Streaming/channels/101
rtsp://admin: This e-mail address is being protected from spambots. You need JavaScript enabled to view it :10554/Streaming/channels/102

How I Do It

What I do is get the ONVIF DEVICE MANAGER. It is a free Windows-based dedicated program (download ONVIF DEVICE MANAGER here) that lists out all the devices on the location and shows all the settings in the camera or NVR. This happens even if the options don't show in the devices natural web portal.

What's better is that ONVIF DEVICE MANAGER will show the correct RTSP URL for both the cameras and the NVR's. The reason for this is because OEM's are changing their RTSP port from the default of 554 for security reasons.

You can type this into VSPLAYER or VLC MEDIA PLAYER.

NOTE ABOUT HIKVISION / LOREX / SWANN

Hikvision/Swann/Lorex are sometimes all the same. Hikvision is the OEM. Swann/Lorex rebrand the equipment. Apparently, they have other OEM's as well.

What's great about Sonos is that the speakers can be paired and grouped in different ways all through the Sonos app either on the ipad/iphone/droid or through the app on the Win/Mac platform.

Playbar, Sub and Surround. Oh my!

The Sonos Playbar/Soundbar is rather straightforward. Adding the Sonos Sub is straightforward as well.

Adding the surround can be not-so-straightforward:

• -setup Playbar/Soundbar via Sonos app.
• -setup the Surround Amp via Sonos app.
• -afterwards, click help > about-my-sonos-system
• -find the IP of the Playbar/Soundbar (not Amp).
• -open a browser (Internet-Explorer, Firefox, Chrome)
• -type: http://the-ip-of-the-soundbar:1400/wiredsat.htm
  (for example: http://192.168.1.147:1400/wiredsat.htm)

It is straightforward from this point.

TASKBAR Location:
%appdata%\Microsoft\Internet Explorer\Quick Launch\User Pinned\TaskBar

PTZ = pan, tilt zoom

NVR = network video recorder.

LPR = license plate recognition.

Cameras are just dumb devices. They simply display the video. You can connect directly to the camera by typing in the IP address of the camera. The cameras have different settings & functions depending on the carmera manufacturer. Most of the time though, you can at least view what's on the camera. What's interesting is that all the capabilities of the camera are not always available via the web interface. More on that later.

Take note however, that what's being displayed on the camera is in no way related to what's being recorded. These are actually two different resolutions depending on settings.

For a HIKVISION NVR (DS-7608NI-SE/8P) to record what's on the camera, it must connect to the camera. To be able to connect to the camera, it needs:

• -the camera IP address.
• -a protocol.
• -a port number.
• -a channel number.
• -a username.
• -a password.

The important part here is that as long as the NVR can communicate with the camera, it should be able to record the video.

This leads to two scenarios.

1- in the first scenario, if the NVR can communicate to the camera, everything is good as long as it has the settings above.

2- in the second scenario, some NVR's have their own IP address range and use this range on the switch built into the device. This IP range is 192.168.xxx.(1-254). So if you look at the back of the device, you will see 4 ports or 8 ports or possibly more. When a camera with DHCP is plugged into one of these ports the NVR will assign it's own IP address to the camera. For example, 192.168.254.10

If a camera has a static IP set, the NVR will NOT assign an IP address. Consequently, you must:

• -connect the camera to the local network (not the back of the NVR).
• -change the IP address to that of the internal NVR network (for example 192.168.254.12).
• -this will cause the camera to no longer be accessible.
• -manually plug the camera into the back of the NVR.

Protocol

Regardless of how you connect, the protocol must match. There are different protocols for each manutfacturer (Axis, etc) and an ONVIF protocol as a generic protocol using port 80.

Stream Types

The cameras have multiple streams and in different formats.

The record is on the MAINSTREAM (stream-1 or channel-1). Typically this stream is of higher quality and bit rate compared to a sub-stream..

The view is on the SUBSTREAM or SECONDARY STREAM (stream-2 or channel 2). This happens because stream-1 but might not be good for viewing over the wan internet. Typically the sub-stream is a lower-resolution.

MJPEG: This format uses standard JPEG still images in the video stream. These images are then displayed and updated at a rate sufficient to cr eate a stream that shows constantly updated motion.

MPEG-4: This is a video compression standard that makes good use of bandwidth, and which can provide high-quality video stre ams at less than 1 Mbit/s. MPEG-4 can be encoded in 2 ways either SIMPLE (sets the coding type to H.263 ) or ADVANCED. Usually SIMPLE is fine.

Communication Methods

To deliver live streaming video over IP networks, various combinations of transport protocols and broadcast methods are employed.

• RTP (Real-Time Transport Protocol) is a protocol that allows programs to manage the real-time transmission of video data. It uses UDP.

• RTSP (Real-Time Streaming Protocol) allows a connecting client to start an MPEG-4 stream. It serves as a control protocol, to negotiate which transport protocol to use for the stream. RTSP is thus used by a viewing client to start a unicast session, see below. It uses TCP. The default setting is port 554. If it is not enabled, MPEG-4 streams will not be available.

• UDP (User Datagram Protocol) is a communications protocol that offers limited service for exchanging data in a network that uses the Internet Protocol (IP). UDP is an alternative to the Transmission Control Protocol (TCP). The advantage of UDP is that it is not required to deliver all data and may drop network packets when there is network congestion, for example. This is suitable for live video, as there is no point in re-transmitting old information that will not be displayed anyway.

• Unicasting is communication between a single sender and a single receiver over a network. This means that the video stream goes independently to each user, and each user gets their own stream. A benefit of unicasting is that if one stream fails, it only affects one user.

Unicasting should be used for video-on-demand broadcasting, so that there is no video traffic on the network until a client connects and requests the stream. However, if more and more unicast clients connect, the server will at some point become overloaded. There is also the maximum of 20 simultaneous viewers to be considered.

• Multicast is bandwidth-conserving technology that reduces bandwidth usage by simultaneously delivering a single stream of information to multiple network recipients. This technology is used primarily on delimited networks (intranets), as each user needs an uninterrupted data flow and should not rely on network routers.

It is not possible to multicast through a router. Consequently, it is not possible to multicast over the Internet. It is possible to get around that by using RTP tunneled over RTSP. Crazy isn't it.

Accessing Video Real-Time

As single JPEG images in a browser. Enter the path, for example: http:///axis-cgi/jpg/ image.cgi?resolution=CIF

• • Windows Media Player. This requires codecs to be installed. The paths that can be used are listed below, in the order of preference.
• • Unicast via RTP: axrtpu :///mpeg4/media.amp
• • Unicast via RTSP: axrtsp:///mpeg4/media.amp
• • Unicast via RTSP, tunneled via HTTP : axrtsphttp:///mpeg4/media.amp
• • Unicast via RTSP, tunneled via HTTP S: axrtsphttps:///mpeg4/media.amp
• • Multicast: axrtpm:///mpeg4/media.amp

Resolution

• D1 = 704x480
• HD = 1920x1080p

So far, I have dealt with some of the following for Camera solutions:

• -Hikvision
• -Geovision
• -Digital Watchdog

So far, I have dealt with some of the following NVR/VR solutions:

• -Hikvision
• -Digital Watchdog

So far, I have dealt with some of the following for VOIP solutions:

• -Fonality
• -IPitomy
• -Zultys
• -Sark
• -Mitel

The only SIP service I've dealt with is:

• -Level3 Sip Trunk

NOTE: This article post is out of date. Microsoft starting pushing WINDOWS 10 to computers on domains in Q2 2016.

By default, computers on a domain will not receive the upgrade-notification to Windows 10.

You have two options:

1-If you are going to do this a bunch of times, download the WINDOWS 10 DOWNLOAD TOOL here:
http://www.microsoft.com/en-us/software-download/windows10

It will save a bunch of bandwidth in a corporate environment since each computer will download a few GB of data.

2-add a regedit here:

• -click here for the regedit: windows10.reg
• -click on the regedit.
• -click YES (when it asks if you want to merge).
• -restart computer.
• -click START > SETTINGS > CONTROL-PANEL > WINDOWS-UPDATE
• -click UPDATE TO WINDOWS 10

I prefer the second method since bandwidth is "free" and only costs time. On the good side, it happens automatically ;-)

So far, I have dealt with most typical wireless solutions for smaller projects:

• -Linksys
• -Netgear
• -Dlink
• -Asus
• -DDWRT

I have also dealt with some enterprise solutions:

• -Cisco
• -Meru
• -Watchguard

Now I'm getting into middle-ground projects:

• -Luxul
• -Ruckus
• -Engenuis
• -Ubiquity

These solutions focus in on the look of the WAP as well as the function of the WAP.

Google Sheet Import Another Google Sheet. Or move Google Sheet to another Google Sheet.

You'd think this would be simple to find but it isn't. Unfortunately, it's probably the semantics.

• -open the GOOGLE SHEET you want to move.
• -you will see the tabs below.
• -click the down-arrow in the tab you want to move.
• -click COPY TO.
• -select the GOOGLE SHEET you want to move to.
• -voila!

The sheet will take a new name called. "copy of sheet-name-you-just-moved."

You are on a Mac. You want to use REMOTE DESKTOP CONNECTION (rdp). When you try and use it to connect to a WINDOWS SERVER, you get,"remote desktop connection cannot verify the identity of the computer that you want to connect to."

SOLUTIONS

-upgrade the a newer version of REMOTE DESKTOP CONNECTION via APP STORE on the MAC.

This will work if you are on v10.7 and higher. This will not work on 10.6.8 and lower. I suppose in 08/2015 that a more up-to-date OSX version is mostly everywhere but I still prefer stability. And that means 10.6.8. Looks like it's time to upgrade the OSX.

-get CORD.

Download. Install. Voila!

The downloadable Windows 7 ISO's from Microsoft are no longer available unless you have a retail INSTALL-KEY. Probably due to the push to Windows 10.

I found myself in a position with a Windows 7 ISO OEM and no Windows 7 DVD.

How do you burn a Windows 7 ISO to a Bootable USB on Mac?

Despite various other attempts, this is the only instruction set that worked.

START WITH FRESH USB STICK

• -insert usb-stick.
• -open DISK-UTILITY.
• -partition with 1 partition.
• -format at it as raw disk.
• -select the option to have a GPT BOOT.
• -apply changes.

COPY ISO TO USB STICK

• -open terminal.
• -type: diskutil list
• -it should output the disks, their device-names and the partitions.
• -type: diskutil unmountDisk /dev/disk1 (substitute for your disk number here)
• -type: sudo dd if=/path/to/downloaded.img of=/dev/rdisk1 bs=1m
• -wait about 20~30 minutes.
• -diskutil eject /dev/disk1 (substitute for your disk number here)

NOTES:

• -you do not have to format the usb stick with a filesystem (ntfs, fat, hfs+, etc). The ISO already has the filesystem in it.
• -if terminal is open, you can check the progress by hitting CTRL+t.

Office 2011 is installed on your Mac. You click on WORD, EXCEL or other Microsoft Mac Product. It asks you to login. You type in your email address and password to your Microsoft account. It returns, "Sign in failed because the password is incorrect or the sign-in name does not exist."

Here's how to fix:

1. -sign in to your Microsoft account @ https://account.live.com/ (This is different than https://office.microsoft.com)
2. -click SECURITY & PRIVACY (top right).
3. -find ACCOUNT SECURITY section (top left-most section).
4. -click MORE SECURITY SETTINGS.
5. -scroll down to find APP PASSWORDS section.
6. -click CREATE A NEW APP PASSWORD.
7. -at this point it will either show you an APP PASSWORD or you will have to create a new APP PASSWORD.
8. -use that APP PASSWORD to login on WORD, EXCEL or other Microsoft Mac Product

Here's a nice one that's been hitting some of my web sites:
http://scrapy.org/

Apparently, it's an tool to scrape the content off of someone's web site. In this case, mine.

The web and technology can be an awesome and exciting place. It can also be a place for theives and low lifes. I still don't understand why people wouldn't want to spend their time in creation rather than theivery.

You might be able to steal my content but you can't steal my ability to think rationally and solve problems. And that, ultimately, is the only real item of value.

So you know a CMDLET-KEYS like NEW-TRANSPORT or GET-TRANSPORT but how do you find out the VARIABLES? What is possible to type in after the KEY?

Definition

Even though I refer to these as KEYS/VARIABLES/VALUES, in the MS-POWERSHELL world (or MS-POWERSHELL-ISA world), these are referred to as the CMDLET/ParameterName/ParameterValue.

HowTo

Use the following as a guide:

TYPE: (Get-Command New-TransportRule).Parameters

TYPE: (Get-Command Get-TransportRule).Parameters

(What's interesting here is that they refer to the list as the KEY => VALUE .)

Here's one for you. How do you block a sender that keeps changing the email address they use? For example, I want to block "Tom Night". I don't care what email address "Tom Night" uses, I want his emails gone. Poof.

• -open ecp
• -mail-flow > rules
• -click CREATE NEW RULE
• -click MORE OPTIONS (at the bottom)
• -click APPLY THIS RULE IF... > A MESSAGE HEADER > INCLUDES ANY OF THESE WORDS
• -click ENTER TEXT (for header)
• -type FROM
• -click OK
• -click ENTER WORDS
• -type "Tom Night"
• -click the + (plus symbol)
• -click OK
• -click DO THE FOLLOWING > BLOCK THE MESSAGE > DELETE THE MESSAGE WITHOUT NOTIFYING ANYONE
• -click SAVE

That should do it. What's happening here is that we are blocking the NAME in the HEADER rather than using the FROM-parameter as the FROM-parameter uses email-addresses (externally) and mailboxes (internally).

Something like:

Set-TransportRule "Block Tom Night" -HeaderContainsMessageHeader "From" -HeaderContainsWords "FirstName LastName" -Actions {DeleteMessage} -DeleteMessage True

If you want to see all the TRANSPORTRULE options, type:

Get-TransportRulePredicate

My take on remote support software.

TeamViewer Host

$750 1-time fee. But it only is good for that version. And versions don't intermingle. If you upgrade your server, you must upgrade all your clients. :-(

Remote Utilities

$500 1-time fee. Windows only. No mac support. :-(

LogMeIn Rescue

$1299 per year :-( But it's a final solution with reboot into safe mode plus other goodies. ;-) Many large support companies use.

Ammyy

I can't figure out the pricing. I think it's around $30 per remote pc. It only works on windows. No Mac support. :-(

CrossLoop

No longer available.

Aero Admin

$280 1-time fee. Not seemless. No service. Must config via Windows task scheduler. Yuck. :-(

Join.Me

$240 per year. I've had trouble with UAC, no mouse moving, etc. :-(

RAdmin

$50 per client :-(

GoToAssist

$850 per year. But it's enterprise ready.

Bomgar

$7000 1-time fee. Enterprise ready.

ServiceConnect

$350 1-time fee. :-) Many features.

GovernLan

$950 1-time fee. :-) Seems to be just for LAN/AD/MPLS/VPN. WAN capabilities limited.

DameWare

$350 1-time fee. :-) SolarWinds portfolio. :-) WAN capabilities limited.

CentraStage / Autotask

$24 per node annually. I'm not sure but many are upset at Autotask. I'll choose to stay away.

GFI Max

$12 per computer annually & $150 per server annually.

Continuum

$15 per computer annually & $175 per server annually or little higher than GFI Max is all I found. But they have an interesting white label tech support with 24 hour availability.

LabTech

Can't find much but I know it's similar to those above. Price per node per month.

Windows Profile Always Loads Default Profile (Or Temporary Profile).

How to fix:

• -login to another account with ADMINISTRATIVE PRIVILEDGES.
• -click START > RUN > REGEDIT
• -browse to: HKLM/SOFTWARE/Microsoft/Windows NT/CurrentVersion/Profilelist/
• -find profile that isn't working.
• -you might find duplicate profile in this area. The new one is being loaded with nothing in it. The old one may have .bak at the end.
• -add .old to end of incorrect profile.
• -removed .bak from end of correct profile.
• -go to the profile not working (only if needed).
• -changed refcount from 1 to 0 (only if needed).
• -changed state value from 33024 to 0 (only if needed).
• -restart and login to the user account.

That's it!!! You're hired!

A list of tools that I want to use and some I've never knew of:

• -vi
• -putty
• -solarwinds stuff
• -ninite
• -powershell/cmd
• -hirens
• -ubcd
• -knoppix
• -MRAT
• -mremoteng
• -nagios/prtg/zabbix
• -devolutions-remotedesktopmanager
• -leatherman
• -wire-tester/toner-probe
• -lansweeper

product

• veeam
• sonicwall/watchguard
• virus/spyware/malware
• printer setup/service
• server management
• desktop management
• shadowprotect
• esxi free, hyperv, xenserver
• wireless setup
• lan/wan design & implementation
• remote support
• break/fix
• contract support/managed-service-provider

If 727-777-5827 is a scam. Here's the short version:

• -got a phone call from 727-777-5827.
• -automatic message.
• -press 1 to speak to local representative.
• -"Hi, who is this?" I asked.
• -"Gene."
• -"Who are you with?"
• -"SEO INC."
• -"Where are you located?" I asked.
• -"Southern California."
• -"That's not very local." I stated.
• -They hung up.

I have experience with many firewalls.

• -SonicWall
• -WatchGuard (FireBox).
• -DDWRT/BusyBox.
• -PFSENSE.
• -Untangle.
• -anything Linux/Unix with IPTABLES.

What's funny is that one time a CFO starting asking me questions about the firewall because they allowed a KEY-LOGGER onto one of their accounting systems and because of their poor choice in banks it logged the USERNAME and PASSWORD to the web site that allows them to do WIRE TRANSFERS.

During the course of asking questions, she said, "You don't seem to know a lot about this?"

Funny.

Still at some level, a point can be derived that not all firewalls are the same. The general idea is that you want to block/allow access to certain items at a network level rather than at a desktop level. You are trying to block incoming items at that network level.

To the network administrator, this can be seen as blocking/allowing the ports needed and directing them where they need to go.

To a client, this is blocking everything bad in the universe from getting on the local machine. So if the person in accounting is playing games, clicks on a link in a spam email and downloads something harmful, this is a result of the firewall not being strong enough and not a result of the person in accounting.

Nor is it the fact that they were trying to save money by going with a less than average bank who ALLOWS WIRE TRANSFERS BY A SIMPLE USERNAME AND PASSWORD!!! ARE YOU OUT OF YOUR MIND!!!

Still firewalls can be used to keep people from harming themselves by blocking some types of files. From this point, you'll have to manage the fine balance of allowing items through to make work flow and block evil stuff all at the same time.

Here is the Polycom Phone Set Password:

PHONE SETS:
USER: Polycom
PASS: 9418941962

You can apply this to the other Polycom articles in this blog.

Again, what's interesting is that some of the settings have to be set via the phone set itself and some of the settings have to be set via the server.

In this particular case, I wanted to display the EXTENSION instead of the NAME. This is set via the phone config rather than via the server config.

Let's say you want to view a user's mailbox in Exchange 2013. Here's the trick:

• -open browser
• -type: https://computername.domainname.tld/owa/ This e-mail address is being protected from spambots. You need JavaScript enabled to view it

This will get you into their mailbox. If you don't have permission, it will say, "You don't have permission to open this mailbox."

To fix this, you'll have to go into the powershell and type:

• Add-MailboxPermission foo.user -user foo.user2 -AccessRights FullAccess

You can view but you can't send mail as them. You have to go one step further:

• Add-ADPermission foo.user -user foo.user2 -ExtendedRights Send-As

So let's say you have DDPE encrypting the full drive. The drive won't boot. Now you can access your computer and the files you can access are encrypted so you can't read them. What do you do?

Well if you have the encryption keys, you'll be able to retrieve the documents with a set of tools from Dell called the DDPE Administrative Utilities.

• -build a WINDOWS PE disk from a working computer (how to do this is outside the scope of this document).
• -copy over the DELL WINDOWS RECOVERY KIT (really what we need are the unzipped OFFLINE TOOLS, more specifically the cmgau.exe. See below.)
• -copy over the encryption keys (It'll say something like LSARecovery_machine-name-here.exe).
• -boot from the USB
• -exit out of OPAL SED
• -at the command prompt go to e:\dell-offline-admin-32bit-version-number-here\
• -type: cmgau.exe -o
• -type in the directories you want decrypted.
• -point to the LSARecovery_machine-name-here.exe
• -type in the PASSWORD for the LSARecovery_machine-name-here.exe

The process with decrypt the DDPE directories that you specified. You will have to wait for it to decrypt and then transfer those documents over to a working drive.

The following help:
DELL OFFLINE UTILITIES HERE
http://www.dell.com/support/article/us/en/19/SLN294503/EN
ftp://ftp.dell.com/Manuals/all-products/esuprt_software/esuprt_endpoint_security_soln/dell-data-protection-encryption_Administrator%20Guide2_en-us.pdf

I'm in a situation where I need to use OPENVPN on a Mac. This requires an OPENVPN MAC CLIENT.

So my natural question progression is this...

Q: Can I use the built-in VPN client on the MAC?
A: Because OPENVPN uses a different mechanism than what's built into MAC OS X, a software package is required. This mechanism is called a kernel extension or kext. The kext that is needed is either TUN or TAP. Since you need a kext, you need to install a software package.

Q: What software package is needed then?
A: There are a few options:

1. original OpenVPN Connect app.
2. Tunnelblick.
3. Viscosity.

Q: What is recommended?A: It seems everyone tends to use Tunnelblick.

A PERSONAL EMAIL CERTIFICATE is a certificate that verifies that the email is from the original author and that the email message isn't altered. This is like a seal on an real message. That seal might be a wax spot with a unique marking. The seal doesn't prevent someone from reading the message (this is the job of encryption). All someone has to do is open the message. What the seal does, it that it ensures that the message is verified from the author and that the message hasn't been altered.

There are several places to get PERSONAL EMAIL CERTIFICATES. MOZILLA helped in identifying some of those places here:
http://kb.mozillazine.org/Getting_an_SMIME_certificate

After about a minute of searching, I figured the best route to go was with COMODO as it's free. I can afford free.

Get a Personal Email Certificate

• -click here: https://www.comodo.com/home/email-security/free-email-certificate.php
• -fill out the information and click NEXT.
• -it will email you.
• -click on the link in the email.
• -the certificate will install on your BROWSER.

Export the Personal Email Certificate

The issue here is that we need it installed on the OS SYSTEM (not in the BROWSER).

• -click FIREFOX > PREFERENCES > ADVANCED (on the left-hand side) > CERTIFICATES (at the top).
• -click VIEW CERTIFICATES (at the bottom).
• -click YOUR CERTIFICATES (at the top).
• -click BACKUP (at the bottom).
• -save the certificate to your DESKTOP.
• -type in a password so it can't be used elsewhere.
• -it should save it as something like "foo.p12"

Great! You have the certificate on your system. Now we have to install it.

Install the Personal Email Certificate on MAC OS X (not needed on Windows 10)

Let's install the Personal Email Certificate.
(FYI - this is for a MAC OS X system.)

• -click GO > UTILITIES > KEYCHAIN ACCESS
• -click FILE > IMPORT ITEMS (at the top menu).
• -select the file "foo.p12"
• -select LOGIN (next to "Destination Keychain").
• -click OPEN.
• -type in the password for the certificate.
• -type in the password for the keychain (if required).

That's it! It should save the certificate in the correct spot.

Get OUTLOOK to Use the Personal Email Certificate

Now we have to get OUTLOOK to use the Personal Email Certificate.

This is for a MAC OS X system / OUTLOOK 2011:

• -click TOOLS (at the top) > ACCOUNTS > ADVANCED (at the bottom).
• -click SECURITY (at the top).
• -find the top section called DIGITAL SIGNING.
• -select your certificate.
• -click SIGN OUTGOING MESSAGES.
• -click OK (at the bottom).

This is for WINDOWS 10 / OUTLOOK 2016:

•  -open OUTLOOK 2016
• -click FILE > OPTIONS
• -click TRUST-CENTER (on the left-hand side).
• -click TRUST-CENTER-SETTINGS (bottom-right).
• -click EMAIL-SECURITY (left-hand side).
• -find DIGITAL-ID'S (CERTIFICATES) section
• -click IMPORT/EXPORT
• -find the .p12 file.
• -type in the password that you created for the file.
• -click OK.
• -checkmark ADD DIGITAL SIGNATURE TO OUTGOING MESSAGES.
• -click OK > OK.

That should do it! Your certificate is installed and people will get a little cool lock that indicates that email messages from you are really yours. This gives confidence to your readers that you are who you say you are and that you really are smart and conscience about security! Good job!

As title says, blank page after login to the EAC. Or the OUTLOOK clients can't connect. Or the IPHONE clients can't connect. Or the Exchange Management Shell Fails to connect.

Looking in the WINDOWS-LOGS > SYSTEM, I see, "An error occurred while using SSL configuration for endpoint 0.0.0.0:444."

This happens because EXCHANGE screwed up its binding to the SSL CERTIFICATE.

First, make sure you know what SSL CERTIFICATE the EXCHANGE should be using. You can see a list of SSL CERTIFICATES in IIS:

• -open IIS MANAGER.
• -click SERVER CERTIFICATES.

You want to make sure that it is issued by a TRUSTED SOURCE (like GoDaddy, GlobalSign, Comodo, Symantec). Also, make sure that all the appropriate alternative names are in the certificate (like autodiscover., computer-name., www., mail., webmail., null)

Once you know what certificate that you want to use.

• -open IIS MANAGER.
• -browse to the "Exchange Back End" website.
• -click Bindings (on the right-hand side).
• -mark the "https" binding (normally on port 444) and click Edit...
• -change to the correct certificate.
• -click OK > CLOSE.
• -click server name (on the left-hand side).
• -restart IIS.

That should do it. Sometimes the binding to the SSL CERTIFICATE gets screwed up. There are other threads out there talking about "netsh http show sslcert" and to "netsh http add sslcert ipport" but this doesn't change it to the correct SSL CERT. Changing it to another SSL CERT is simply guessing which is an overall bad idea. We need to understand the problem.

Let's say you have a group called "Everyone". But you only want internal people to be able to email the group and possibly another company.

• -open the EXCHANGE MANAGEMENT SHELL.
• -type: set-TransportRule -Name 'Block Email to GROUPNAME Except from ACCEPTED Domains' -AnyOfToHeader ' This e-mail address is being protected from spambots. You need JavaScript enabled to view it ' -IsValid true -Actions {RejectMessage} -ExceptIfSenderDomainIs {validDomain1.com, validDomain2.com}

There are some other parameters in there too but that should do it.

If you want to do it visually:

• -open the EAC.
• -click MAIL-FLOW (on the left-hand side).
• -click NEW.
• -type: A-NAME-FOR-THE-RULE
• -click THE MESSAGE > THE TO BOX CONTAINS.
• -search for GROUP-NAME.
• -click ADD > OK.
• -BLOCK THE MESSAGE > REJECT THE MESSAGE AND INCLUDE EXPLANATION.
• -type UNKNOWN USER or some other explanation.
• -click MORE OPTIONS.
• -click ADD EXCEPTION.
• -click THE SENDER > DOMAIN IS
• -type: domain1.com
• -click +
• -and so on.
• -click OK > SAVE (at the bottom).

Let's say you have an IP ADDRESS on the WAN trying to perform a DDOS or a SYN-FLOOD attack to your location. Even though you have the DDOS attack proxied via FIREWALL-SETTINGS > FLOOD-PROTECTION as "Proxy WAN client connection when attack is suspected", you still want to send a message that these types of activities will not be tolerated.

Or you find out that the WAN IP ADDRESS is most definitely malicious as in the following IP from OFFSHORE RACKS: 181.174.167.251

This IP ADDRESS happens to be a Russian forum for DARKMONEY.CC. I can't even read the web site. It's irrelevant at this point. I know it malicious.

To block the WAN IP ADDRESS:

• -create an ADDRESS OBJECT (FIREWALL > ADDRESS OBJECTS).
• -set the "Zone" as WAN.
• -Navigate to the Firewall > Access Rules page.
• -Select the WAN to LAN button to enter the Access Rules (WAN > LAN) page.
• -Click Add to open the Add Rule window.
• -Select DENY as the Action.
• -Select ANY as the Service
• -Select Source as the address object or group created earlier.
• -Select ANY as the Destination
• -Click Add and Close.

The above is adapted from here:
https://support.software.dell.com/kb/sw9982

The REAL-TIME-DEMO can be accessed here:
https://realtime.demo.sonicwall.com/main.html

Here's an interesting one to collect all computer names in the active directory. Run from CMD:

CSVDE -f adexport.csv -r objectClass=computer -l “DN,cn,objectClass,lastLogon,lastLogonTimestamp,pwdLastSet,userAccountControl,operatingSystem,operatingSystemVersion,whenCreated,description”

In my recent article USING MANDRILL WITH EXCHANGE 2013, I show how to add Mandrill to Exchange as a SEND CONNECTOR. Further questions become:

1: How do I use it as a load balancer. In other words, how do I set it up so that some of the email goes through the second SEND CONNECTOR?

2: How do I use it as a failover? In other words, how do I set it up so that if the first SEND CONNECTOR doesn't route email, it re-routes through the second SEND CONNECTOR?

 Let's address each individually.

Load Balancer

The problem is this, multiple equal cost send-connectors will not balance. Or as I read, "When the cost of the Send Connectors and the proximity to their source servers are the same, Exchange will simply choose the one with the alphanumerically lower connector name, and will not load balance the outgoing email across both connections."

The actual way to load balance is when multiple smart hosts are configured on a single Send Connector the outgoing email will be correctly load balanced.

The problem becomes, if you try this in reality, you must use the same USERNAME & PASSWORD for all SMARTHOSTS, which isn't a possibility. And secondly, you cannot load balance both the local connection and a smarthost.

The workaround solution for crappy software is (reprinted from http://www.c7solutions.com/2012/05/highly-available-geo-redundancy-with-html):

by creating a fake domain in DNS. Lets say smarthost.local and then creating A records in this zone for each SMTP smarthost (i.e. mail.oxford.smarthost.local). Then create an MX record for your first site (oxford.smarthost.local MX 10 mail.oxford.smarthost.local). Repeat for each site, where oxford is the site name of the first site in this example.

Then you create second MX records, lower priority, in any site but use the A record of a smarthost in a different site (oxford.smarthost.local MX 20 mail.cambridge.smarthost.local).

Then add oxford.smarthost.local as the target smarthost in the send connector. Exchange will look up the address in DNS as MX first, A record second, IP address last), so it will find the MX record and resolve the A records for the highest priority for the domain and then round-robin across these A records.

Failover

Failover seems to be answered via the same path. The idea is create 1 send connector. The first MX record in the fake SMARTHOST in the SEND-CONNECTOR is back to the local system. The second MX record in teh fake SMARTHOST is to the remote SMARTHOST.

As per http://technet.microsoft.com/en-us/magazine/jj159083.aspx

First of all, ensure you have DNS A records for your mail gateways in place. Next, come up with a random name for your soon-to-be-created MX record in DNS. In this example, I chose allsmarthosts.forest1.local. Create the required MX records in DNS.

As with plain MX-based routing, Exchange will use the MX record with the higher priority, as long as it’s available. Now the only thing left to do is to reconfigure the Exchange Send Connector to read allsmarthosts.forest1.local as the only smart host.

By doing so, Exchange will use primary.forest1.local for outbound mail, as long as it’s available. Once it goes down or becomes unreachable, Exchange will start using secondary.forest1.local as the smart host. That’s what a little DNS trickery can do for you.

 Conclusion

The idea of this is to use MANDRILL if for some reason mail is not being sent through the local connection (for example, blacklist). I didn't implement the solutions above simply because I don't think it will work with a SMARTHOST that requires a USER/PASS. I'm not willing to try. That's suicide by client.

In the end, software is set to work in a certain way. When it doesn't, trying to find workarounds is nearly impossible and seemingly pointless. The end result is that EXCHANGE 2013 isn't set to work this way. I wanted this to happen automatically. Since it doesn't, I'll just have to manually switch SEND CONNECTORS if the need arises. Maybe it doesn't matter a whole lot in an ever-increasing cloud world.

Collecting inventory is an increasingly difficult task to accomplish escpecially with the new licensing process with Microsoft. But MATRIX42 helps: https://www.matrix42.com

In my article FIND COMPUTER ON NETWORK THAT IS SENDING OUT SPAM WITH SONICWALL, I indicate that the logs show the following:

This indicates that there is a SYN FLOODING MACHINE going at the rate of 1001 items per second. Wow! That's a lot. You can also see above that the DESTINATION is port 25. You can see that by the colon twenty-five (:25).

But what's a SYN FLOODING MACHINE?

A SYN FLOODING MACHINE is a zombie machine participating in a DDOS attack. Uh-oh. Yup... Users. They weak point of all security systems.

A SYN FLOOD ATTACK directs packets to a listening TCP port on a victim server; typically a web server (port 80), an FTP server (port 21) or a mail server (port 25).

When a server receives a SYN packet it returns an ACK packet to the client to acknowledge it received the inital packet. More or less:

"Hi" the visitor said.

"How are you?" the host replied.

The problem is that the visitor never acknowledges with a "Just fine."

Until the visitor acknowledges the reply, the host server will keep that connection open until timeout. This is typically 75 seconds. Staring for 75 seconds.

If you've ever run a server before, you should know that the number of connections is finite. In QPSMTPD, this connection limit is set for an overall connection limit (default 40) {config setprop qpsmtpd Instances xx} and a limit per IP ADDRESS (default 5) {config setprop qpsmtpd InstancesPerIP xx}.

Once those connections are all used up, no more connections can be made.

So, in our logs above, our bad client machine on our network was sending about 1000 connections per second to the victim 66.236.42.7 which happens to be owned by XO COMMUNICATIONS and leased by the SAN DIEGO SOURCE EMAIL SERVER secondary connection, mx2.sddt.com (priority 20).

mx1.sddt.com (priority 10) & mx3.sddt.com (priority 30) were not affected.

Using Mandrill with Exchange 2013 to send outgoing mail in case your IP ADDRESS gets blacklisted on SENDERBASE.ORG and your reputation takes awhile to get out of the POOR rating. There are two parts to this; creating a MANDRILL account and setting EXCHANGE to use MANDRILL.

CREATE A MANDRILL ACCOUNT

• -start a MANDRILL account at https://mandrillapp.com

Once you start an account, you will see your details for connection. It will look something like this:

• Host: smtp.mandrillapp.com
• Port 587
• SMTP Username: foo@fee.tld
• SMTP Password any valid API key

Now all you need is an API KEY.

• -click NEW API KEY

Be patiance as it generates a new api key. It will display after about 20 seconds. Great! You should have your new API-KEY to be used as your SMTP-PASSWORD.

NOTE: It uses an api key rather than the password to your account so that you can change the password to your account without affecting the accounts ability to send email.

SET EXCHANGE TO USE MANDRILL

• -open the EXCHANGE ADMIN CENTER (EAC) also known as the EXCHANGE CONTROL PANEL (ECP).
• -click MAIL-FLOW (on the right-hand side).
• -click SEND-CONNECTORS (at the top).
• -click the plus symbol (+).
• -type: Mandrill.
• -bullet "Custom".
• -click NEXT.
• -bullet "Route mail through smart host".
• -click the plus symbol (+).
• -type: smtp.mandrillapp.com
• -click SAVE
• -click NEXT
• -bullet BASIC AUTHENTICATION
• -type: your-user-email-for-your-mandrill-account
• -type: your-user-password-for-your-mandrill-account
• -click NEXT
• -click the plus symbol (+) for ADDRESS SPACE.
• -leave TYPE as SMTP.
• -type * (asterisk) for FDQN.
• -leave COST as 1
• -[This is preference. Works the same as MX RECORD preferences. The lower the cost, the more preference it has. 1 will be used before 2 and so on. An equal number will round-robin.].
• -click SAVE
• -[A "Scoped send connector" will only work internally for domains on the server.]
• -click NEXT
• -click the plus symbol (+) for SOURCE SERVER.
• -if you only have 1 server, click ADD (at the bottom).
• -click OK > FINISH.

This will automatically add the SEND CONNECTOR to the list and enable it.

Now we have to change the outgoing port for the MANDRILL SEND CONNECTOR.

• -disable the MANDRILL SEND CONNECTOR.
• -open the EXCHANGE MANAGEMENT SHELL (EMS).
• -type: Set-SendConnector -Identity Mandrill -port 587

Great! Now you are ready to go.

You have a few options from here. You can either:

• -start sending using the MANDRILL SEND CONNECTOR right away by simply enabling the connector (and disabling the existing connector if you have one).

or

• -test out the MANDRILL SEND CONNECTOR by pausing the SEND QUEUE in the QUEUE VIEWER and enabling the connector (and disabling the existing connector if you have one).

That's it! You are awesome.

To block all traffic on port 25 in a SonicWall, follow this link:

https://support.software.dell.com/kb/sw5623

To get the user-accounts of EXCHANGE that require a STANDARD EXCHANGE CAL's on a SERVER 2012:

• -click EXCHANGE MANAGEMENT SHELL (EMS)
• -type: Get-ExchangeServerAccessLicenseUser –LicenseName “Exchange Server 2013 Standard CAL”

If you combine this with the wonderful GNUWIN32 (see below) then you can type the following to get the exact number you need:

• -type: Get-ExchangeServerAccessLicenseUser –LicenseName “Exchange Server 2013 Standard CAL” | grep CAL -c

Voila!

net stop wuauserv
net stop bits

 ren c:\windows\softwaredistribution sd.old

net start wuauserv
net start bits

or

• -boot from WIN8 cd.
• -look for a Repair Windows.

Sometimes a temporary web site link contains an IP ADDRESS and looks like this:

http://174.136.3.119/~username

The issue is that the links in the web site won't work or the administrator panel (/administrator or /wp-login) won't work becase search-engine-friendly links are on.

This is resolved by using the SERVERNAME or FQDN rather than using the IP ADDRESS. Like this:

http://servername.directrouter.com/~username

The Good About RSA Security Appliance

RSA is really secure.

The Bad About RSA Security Appliance

RSA is really secure so figuring out what the current password is, is just about so difficult that many have to revert to writing down the password to remember it. This, coincidentally, weakens security.

If you forget the SUPER-USER password in RSA APPLIANCE, then you might be in a tough place.

Here's how to reset the SUPER-USER password in RSA APPLIANCE VERSION 8 (very high level. This is not detailed information. I will not be explaining how to do step-by-step).

• -ssh into the rsa-box
• -change directories to: /opt/rsa/am/utils
• -run the following command: ./rsautil restore-admin –u tempadmin
• -follow the screen prompts. You will need your OC username & password (not SC username & password).
• -user the tempadmin account to reset the SUPER-USER account.

NOTE: the tempadmin user access expires after 24 hours.

In Exchange 2013, resetting the password for users can be difficult. It might be missing or you may not see the option when you click on a USERNAME.

Luckily, this isn't difficult to overcome. I found the steps here:
http://www.mustbegeek.com/reset-user-password-in-exchange-2013/

• -click PERMISSIONS (on the left-hand side).
• -click ADMIN-ROLES (at the top).
• -double-click ORGANIZATIONAL MANAGEMENT (in the middle).
• -find the ROLES section.
• -click the + (plus-symbol).
• -find RESET PASSWORD (in the list).
• -click ADD (at the bottom).
• -click OK > SAVE.
• -logout of EAC.
• -login to EAC.

This should enable you to change the passwords within EXCHANGE EAC.

NOTE: this project was killed. I will not pursue.

If I'm going to work with BUSINESS ONE, I'm dedicated to getting working on HANA on CENTOS. I haven't done this yet as I don't have access to some of the build items but if it's possible, I'm going to get it working. I will post the results here.

The last direction I want to take is have to put this on some type of crappy MS server box.

This is a posting area for my notes:

http://en.wikipedia.org/wiki/SAP_HANA

BUSINESS ONE COMMUNITY NETWORK
(GENERAL, SDK, API)
http://scn.sap.com/community/business-one-sdk

HANA ON RED HAT:
http://help.sap.com/hana/red_hat_enterprise_linux_rhel_6_5_configuration_guide_for_sap_hana_en.pdf

BUSINESS ONE ACADEMY:
http://scn.sap.com/docs/DOC-57116

BUSINESS ONE CONTENT:
http://scn.sap.com/community/business-one/content

NOTE: this project was killed. I will not pursue.

There is no perfect software in the world. The big question is, "Will it work for us and do what we want it to do?" That question will only be answered through time.

2 Moment You Know That Software Will Not Work

Usually, you will stick with software until one of two moments occur.

First, the moment when the software doesn't do what you want/need it to do. Eventually, you will get to a point where you need it to do something. Either is can or it can't. When it can't, is the break point moment at which you start looking for something else. For example, you need it to track technicians. If it doesn't, then it doesn't work for you. It's as simple as that.

Secondly, when something better comes along. Something new, something hip, something that does tricks will catch your attention through either a friend, colleague or competitor and you will salivate because your software doesn't do it that good. This is simply the grass is greener on the other side.

Tradeoff

There is no perfect software and I know all too well that software is simply a tradeoff. Having it do certain items really well and having it not do certain items well is in every software. The look and feel, the interaction, the interface, the upgrades, sooner or later you will see that all software is simply trading one aspect for another. My wife will usually choose the one that looks pretty and works reliably. Hence her iPhone 6. I choose works reliably as a top priority and usually stay away from the bleeding edge technology. It's nothing more than a tradeoff.

4 Sofware Principles to Focus On

In light of this, and with a handful of experience from a tech perspective, I have four unconventional areas that I typically focus on. They are:

1-automating best practices:

Too often software is concerned with customization (you can eventually get there) rather than focusing on what needs to be done (here is the shortest path). The answer to this is simple. If software is automating best practices, then this is a good signal the software company is a good fit and focusing on customer needs.

2-simplicity:

I shouldn't need a masters degree to run/setup/maintain the software. Easily adapting from my current knowledge base is key. A simple interface and hiding the complexity behind the curtain is the second signal.

3-extensibility:

This means the software should have the option to extend beyond. Beyond what? You might ask. Beyond it's current state. This issue is the future. The unknown. There needs to be an outlet for the unknown items that the future holds. Having a way to tap into that is vital to the survivability of software.

4-reliability:

This means that the software should work the first time, every time. Anything less is unacceptable. If anything is shown to be insecure, it needs to be replaced with the best available option.

I didn't come up with these items sitting under a tree. They came from reading the works of Gordon Rowell. I was lucky enough to meet with Rowell a few years back and it's amazing how true these principles still hold true today.

Note to myself. Here's how to rename the WordPress Admin Login:
https://www.ostraining.com/blog/wordpress/rename-login/?mc_cid=4d128ab010&mc_eid=766d3d7470

Want to make your WordPress web site run faster? Use Better WordPress Minify.

• -install it.
• -run it.
• -let it do it's work.

Just a mental note for myself to click here if I need to remove duplicate jQuery is some CMS's:

http://www.simplifyyourweb.com/index.php/downloads/category/8-loading-jquery

There's probably many ways to encrypt USB drives but to make everything easy, I've used the software here:
http://www.sandisk.com/products/software/secureaccess/

It creates an encrypted, password-protected folder on the USB stick. If the USB stick gets lost/stolen, the new person will not be able to access any of the information on the USB stick.

Client needs RSA Security Console setup so that when you connect to the VPN, it asks for a TOKEN (instead of a password).

The Big Idea

The TOKEN comes from a KEY FOB. It's a little device that you typically put on your keychain of your car/house. You press the only button on the device and it does one thing, give you a TOKEN. A TOKEN is a bunch of letters and numbers.

So it goes like this:

• -press button.
• -it displays: 123ABC
• -you connect to VPN.
• -you type in the USERNAME.
• -you type in the TOKEN.
• -you type in a PIN/PASSWORD.
• -you gain access.

The benefit here is that if your password gets compromised, it doesn't help the other person. They also need the TOKEN.

Think of it like you house. You need a key to access the house. If you don't have the physical key, you can't access the house. Same idea here. If you don't have the physical TOKEN, you can't access the house of data.

I've used this before but I've never set one up. Setting it up is a pain.

Purchase Equipment

The first hurdle to overcome is purchasing the equipment. I thought it was just software that installs on the WINDOWS SERVER 2012. Upon calling EMC (the company that owns RSA) they talked for about 15 minutes. When I asked for the next step, they prompted me to call one of their authorized dealers. Hmmmm... Not that I'm not grateful for the talk but in my mind, it would have been nice to know that upfront.

Getting the quote from CDW that only included software, I ran it by my new friend at EMC to make sure I had all the necessary parts. I want it working right the first time. EMC quickly pointed out that I also needed a hardware appliance (since the client isn't using virtual server).

Installing the Equipment

I've often said before that large companies are nothing more than crappy software with great marketing. The same holds true here. Upon getting the equipment and inspecting it, the hardware appliance is some sort of 1U server from MBX-like house that will powder coat your brand on the faceplate.

The rails are different in that they don't use typical holders. It has some type of quick setup rail system. Kinda cool. I always disliked the whole screw thing anyway.

First Impressions

Upon starting it up, it seems to running some type of Linux with an apache/httpd server (update: it's actually SUSE Linux Enterprise Server 11 (x86_64), VERSION = 11, PATCHLEVEL = 3 with an Oracle WebLogic Server). Make a change in the web-console and the value is changed in the config file and the service is restarted. I get the idea. Sounds familiar.

Everything is controlled via the web console. The web console is comprised of 3 areas:

SECURITY-CONSOLE:
(assign tokens)
https://rsa-server/sc

OPERATIONS-CONSOLE:
(sync users between systems, date, time, network, etc)
https://rsa-server/oc

SELF-SERVICE-CONSOLE:
(users can set PIN's and update their info)
https://rsa-server/ssc

Setup Users

You can setup the users via INTERNAL DATABASE or sync the users with an EXTERNAL DATABASE. This external database is typically an LDAP read-only database. This means it can be WINDOWS SERVER ACTIVE DIRECTORY or it can be an OPEN LDAP on RHEL/CENTOS.

The sync will only happen via a SECURE CONNECTION meaning LDAPS. So funny thing is that WINDOWS SERVER 2012 has their own way of dealing with CERTIFICATES which makes this nearly impossible. What's worse is that if the sync fails, it simply says "failed." It doesn't say why or what happened or give any log info.

I tried a couple of times but I couldn't get mine to sync with AD. So I threw in the towel and went to INTERNAL DATABASE.

• -login to https://rsa-server/sc
• -click IDENTITY > USERS > MANAGE-EXISITING
• -nothing shows up because it's an LDAP. You have to do a search.
• -click SEARCH (on the bottom right).
• -all the users show.
• -click ADD NEW (at the top).
• -add the user.
• -repeat if necessary.

Import Tokens

While the example at the beginning of the article talked about a KEY FOB (or hard-token), in recent years, most will simply use their smart phone (or soft-token). In either case (I suppose), the tokens have to imported into the system.

The tokens come on a CD package. The password for the tokens come on a second package.

• -put the CD into the system you are sitting at and using to access the web console.
• -copy the file on the CD to the DESKTOP (it's an XML file).
• -login to https://rsa-server/sc
• -click AUTHENTICATION > SECUREID-TOKENS > IMPORT-TOKEN-JOB > ADD-NEW.
• -keep the defaults.
• -browse for the file and select the XML on the DESKTOP.
• -type in the password (from the second package).
• -bullet OVERWRITE ALL DUPLICATE TOKENS.
• -click SUBMIT JOB.

The job should go through smoothly. If not, double-check the password and make sure you are using the file copied to the desktop. Sometimes, the system cannot "consume" the file if it is read-only.

 Setup a Software Token Profile

A Software Token Profile has to be created before assigning the tokens. The profile determines items like:

• -what kind of device the token can be used on.
• -how long the token lasts.
• -the length of the token.

So to setup the SOFTWARE TOKEN PROFILE:

• -login to https://rsa-server/sc
• -click AUTHENTICATION > SOFTWARE-TOKEN-PROFILE > ADD-NEW.
• -name the profile anything you want.
• -select the device type.
• -select the length of the token (6 digits or 8 digits).
• -select the time-frame of the token.
• -select PIN INTEGRATED WITH TOKENCODE.
• -select CT-KIP.

In the ATTRIBUTES section, there are 2 attributes. The first is the STRING that only allows it to be installed on the DEVICE TYPE you selected. For example, it can only be installed on APPLE DEVICES. The second section is the default name of the token. I'll explain later. For now, type "MY TOKEN."

 So for ATTRIBUTES:

• -leave the first attribute as the default value.
• -type: MY TOKEN (for software token nickname).
• -click SAVE.

Install RSA APP on IPHONE

Before you dish out the TOKENS, the users must have the RSA APP installed on their device, in this case the IPHONE. This sucks because now everyone has to have an APPLE-ID to continue which is it's own set of instructions.

Nevertheless, go to the APP STORE and install the RSA SECURID SOFTWARE TOKEN.

Note that the RSA APP won't work until it has a TOKEN installed. This is what confuses most people. They think, "I just installed the APP. Why doesn't it just work?"

Assign Token to Users

Now here is the fun part. We assign the tokens to the users. You can either assign the tokens in bulk or you can assign them one-by-one. I would love to think that going bulk would work but realistically, going one-by-one is probably easier in the long run.

• -login to https://rsa-server/sc
• -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING
• -click the UNASSIGNED tab (at the top).
• -click the top token.
• -click ASSIGN TO USER.
• -the user-panel shows but since it's LDAP, nothing shows.
• -click SEARCH (in the bottom-right) to show all the users.
• -bullet the user-you-want.
• -click ASSIGN (at the bottom).

Distribute the Tokens

Distributing the TOKENS is an additional step. Without distributing the TOKENS, the users have nothing more than an APP installed on their phone.

Go back to the token list (assigned):

• -login to https://rsa-server/sc
• -click AUTHENTICATION > SECURID TOKENS > MANAGE-EXISTING.
• -click the token-you-want-to-distribute.
• -click DISTRIBUTE.
• -select the SOFTWARE-TOKEN-PROFILE already created.

Now remember those attributes? Here's where you can customize them for each user. The first attribute (DeviceSerialNumber) can be changed so that the TOKEN will only install on the IPHONE belonging to the user (rather than just any IPHONE). The second attribute will let you customize what the user will see when they click on the RSA APP.

To get the specific DEVICE-SERIAL-NUMBER:

• -get the iphone.
• -open the RSA app.
• -click INFO button (at the bottom-right).
• -the BINDING-ID is the ID that needs to be typed into the DeviceSerialNumber attribute.
• -you can either email this to the super-admin (by clicking the email button next to the number) or you can tell him the number or you can just hand your phone to him/her.
• -type in a NICKNAME (so that it shows something other than just "Token 1").
• -select SYSTEM-GENERATED-CODE if the ACTIVATION-CODE (keep reading) is random or if the ACTIVATION-CODE is known as the DEVICESERIALNUMBER.
• -click SAVE & DISTRIBUTE.

Upon doing so, the admin has the option to distribute the TOKEN. Typically, that is done via email. After all, if it will only work on the specified device, there's really no harm in emailing the token. Is there?

At this point, you have another option, you can either:

• -email the whole token.
• -or you can email part of the token and force it require an ACTIVATION CODE.

If you require the ACTIVATION CODE, you will have to get that ACTIVATION CODE to the user. Good luck.

This whole process is complicated but it allows you to put as much security into your system as possible.

I opt to make it easy as possible while still maintaining security and assign the token directly to the device and I opt to email the whole token with activation code for a push-one-button install.

What happens

What happens if you try to install a TOKEN onto a device that isn't in the DEVICESERIALNUMBER?

It will ask you for the ACTIVATION CODE. Then it will say, "Token import failed. Invalid activation code. Contact your administrator."

Pretty cool. The TOKEN will only work on the device assigned to the TOKEN.

Everywhere, users are screaming "SECURITY!!!"

Integrating the RSA into Something

What's cool here is that the RSA appliance can be used to protect a few different items. Possibly you want it to protect a web site, a VPN or simply the computer system itself. It can protect all of these and integrate into just about anything. Theoretically anyway.

So far, I have witnessed protecting a web site. Protecting a computer system.

The VPN protection can be via Windows VPN or it can be via SonicWall VPN. The SonicWall has RSA integration capabilities.

To be able to secure an item, typically the item will use a SECURITY AGENT. This is a fancy term for a bit of code that integrates into the item you are protecting so that the USER/PASS request is sent to the RSA SERVER rather than the web site, AD server, etc.

Integrating the RSA into the RRAS (Windows VPN)

As of this writing, this isn't possible. I talked to RSA tech support. RSA doesn't integrate into RRAS/Windows 2012 VPN. It's on the roadmap and I'll be notified once it's complete.

Some items suggest that the RSA integration is via an authentication agent found here:
http://www.emc.com/security/rsa-securid/rsa-authentication-agents/windows.htm

Other items suggest this may be possible via RADIUS. For example, the horses-mouth docs say that VPN is done through RADIUS here:
http://blogs.technet.com/b/networking/archive/2014/01/13/configuring-native-vpn-client-through-pc-settings.aspx

And it gives instructions here:
http://technet.microsoft.com/en-us/library/jj900206.aspx

Integrating the RSA into SonicWall VPN

The RSA can be integrated into the SonicWall VPN without too much trouble. SonicWall is it's own topic unto itself. I won't go into all the details of the SonicWall or else we will be writing/reading a book.

The SonicWall has 2 types of VPN. The GLOBAL-VPN (GVPN) and the SSLVPN. For many reasons, pretend like the GLOBAL-VPN doesn't exist and simply go straight to the SSLVPN.

On this regard, to get the SSLVPN working, I'll simply refer to this awesome YouTube video:
https://www.youtube.com/watch?v=qPv-tz-zN6A&index=6&list=PLC909885E4476986B

At some point, I'll write out the instructions but for now, the above link will suffice.

After the VPN is up and running, we have to integrate the RSA users into the SONICWALL. On this section, to get the RSA users into the SONICWALL, I'll simply refer to this awesome DELL KB post:
https://support.software.dell.com/kb/sw9818

It uses RADIUS, so the RADIUS SERVER must be setup on the RSA and the RADIUS CLIENT must be setup on the SONICWALL.

Final VPN steps

So to get this working, you must have the SONICWALL VPN software setup on the laptop. What's cool here is that the software is embedded into firmware in the SONICWALL. This software should install automatically upon visting the VPN/SONICWALL web site but I'm finding that if the SSL is SELF-SIGNED and not originated from a TRUSTED-STORE then the software doesn't download/install correctly.

To get around this, you can manually install the software from the SONICWALL VPN web site here:
https://your-sonicwall-public-ip-address.tld:4433/NXSetupU.exe

Recap

So to recap, here are the steps why the RSA is so secure and the high-level steps needed:

-must have company iphone/device.
-token can only be installed on company iphone/device.
-enter PASSCODE for general iphone access.
-press RSA token app.
-type pin.
-press enter.
-see token.
-type token into vpn software.

NOTES:
    -token is one time use only. Once you try it, it won't work again. You will have to wait for another token.
    -just be clear, you cannot test token and then use it.
    -if you don't enter the pin before getting a TOKEN, it will give a TOKEN but it will be the wrong one.

Internals

The RSA package lives in:

/opt/rsa/

It has it's own SERVICE. Rather than the typical:

service biztier status

RSA calls it rsaserv puts it here:

/opt/rsa/am/server

So checking the RSA services goes like this:

./rsaserv status all

RSA puts all the unique services here:

/opt/rsa/am/server/servers/

This is different than placing it in the typical directory of:

/etc/rc.d/init.d/

External References

This has helped:

http://www.petenetlive.com/KB/Article/0000962.htm

Well it looks like at this time the settings for IE11 are left out of the GROUP-POLICY settings in SERVER 2012.

Here's how to get them.

• -download the ADM TEMPLATE here: http://www.microsoft.com/en-gb/download/details.aspx?id=40905
• (unizip it of course)
• -open the GPO on the SERVER 2012.
• -click USER-CONFIGURATION > POLICIES > ADMINISTRATIVE-TEMPLATES
• -right-click ADMINISTRATIVE-TEMPLATES
• -click ADD/REMOVE TEMPLATES
• -click ADD
• -select the unzipped file.
• -awesome!

The next part to this is to change the settings in the GPO for IE 11.

• -open the GPO on the SERVER 2012.
• -click USER-CONFIGURATION > PREFERENCES > CONTROL-PANEL-SETTINGS > INTERNET SETTINGS
• -right-click INERNET-SETTINGS
• -click NEW > INTERNET-EXPLORER 10
• (While IE 11 doesn't show, the settings for IE10 will work for IE 11)

After having a client server at Sagonet DataCenter, I can make the recommendation to try and find another solution.

Here is my history of more than 7 years with 8 significant issues. Keep in mind that every issue cause more than 100 people to either call or email asking questions. Plus it reflected poorly on the client business and was witnessed as unreliable.

1
11/28/08: power failure. Outage due to under supplied power blamed on FPL causing the backup car batteries to have zero power.

2
08/29/09: Aug 28 23:13:37 server kernel: You probably have a hardware problem with your RAM chips
Aug 28 23:13:37 server kernel: Uhhuh. NMI received. Dazed and confused, but trying to continue

3
07/16/10: backup options $140 per month

4
12/13/11: access from comcast issue. Locations at Comcast couldn't connect.

5
06/02/12: server unavailable... suddendly re-appeared.

6
06/20/12: hd died.

7
09/21/12: access from comcast issue. Locations at Comcast couldn't connect.

8
01/14/14: all of tampa unavailable for several days. No response for more than 24 hours. When response was received, it was "we are working on it."
Panicked, I tried to move to new datacenter.
Server crashed during transfer to new server.

=======================

The bright side to all of this is that it obviously forced the client to get a new server at a new datacenter with whom I am very pleased.

My recommendation is that if you have an enterprise, host at RackSpace. It's pricey but you get what you pay for.

Need to recover files that are accidentially deleted? Who hasn't dropped over 103 mysql databases by typing in the wrong commands at one point or another? Here's my recommendation:

• testdisk.
• ext4magic
• r-studio

PROCEDURE
====================================
=============
-lvm vgscan
-lvm lvscan
-lvm vgchange -a y
-lvm pvscan
-lvm lvscan
-lvm vgrename main mainold
-exit

=============
fdisk -lu /dev/sdb
mdadm -AR /dev/md8 /dev/sdb2
lvm vgscan
lvm lvscan
lvm vgchange -a y
mkdir -p /mnt/olddrive
mount -t ext3 /dev/mainold/root /mnt/olddrive

RECOVERY
====================================
ext4magic -R -f /dev/olddrive/var/lib/mysql -d /installs/RECOVERDIR1
ext4magic /dev/olddrive/var/lib/mysql -j /installs/BACKUPPATH/journal.copy -d /installs/BACKUPPATH -m -R

??????????
ext4magic -R -f /dev/olddrive/var/lib/mysql
ext4magic -R -f /dev/mapper/mainold-root var/lib/mysql
ext4magic -R -f /dev/md8 var/lib/mysql
ext4magic -R -f /dev/sdb2 var/lib/mysql
ext4magic -R -f var/lib/mysql

So you have a network. One of the devices on the network is sending out spam at an amazing rate. How do you find and locate the misbehaving computer?

If you have a SONICWALL, you can look at the current connections across all your devices at any given time.

• -login to SONICWALL.
• -click SYSTEM > DIAGNOSTICS
• -find the DIAGNOSTIC TOOL area.
• -change the dropdown to CONNECTIONS-MONITOR

This will show all the connections from the outside network to the inside network and vise-versa. You are looking for any connection with a DESTINATION PORT of 25. Should be pretty obvious as it will be the IP ADDRESS that is NOT your internal mail server. It will be the IP ADDRESS that is a client machine (laptop/desktop).

But this only shows the current active connections. What if the laptop went home? What if you want to search through the logs for the day?

• -login to SONICWALL.
• -click LOG > VIEW
• -find PRIORITY
• -change to ALERT
• -click APPLY FILTERS

This should show a list of ALERTS in the last 24 hours or so. Carefully look through them to see if anything is sending to PORT 25.

What's interesting is that in a typical situation the logs typically look like this:

The destination and port number are easily available.

In my situation, the log look like this:

The destination isn't in the DESTINATION column but rather in the MESSAGE column.

Regardless, with this information, I now know that client 10.1.10.123 is the machine causing an issue.

To look at the message-queue in EXCHANGE 2013, it's actually rather easy.

• -click START > PROGRAMS > MICROSOFT-EXCHANGE-SERVER-2013 > EXCHANGE-TOOLBOX
• -click QUEUE-VIEWER

Here you will see any messages that are waiting to be delivered. Sometimes a receiving server might delay the message or the receiving server might simply be not available, in which case, the message will wait to be sent again. After a certain period of time, I believe that it's 48 hours, the message will bounce as undeliverable or NDR.

Logs for logins are located here:

/var/run/utmp
The current login status.

/var/log/wtmp
The historical login status.

/var/log/btmp
The failed login status.

You can't read these files directly, you have to use the following command: last

So, it would go like this:

last -f /var/run/utmp

Or if you want to see something scary use:

last -f /var/log/btmp

What's hard to wrap your mind around in MICROSOFT world is the whole disconnect between systems. In other words, it has fine-grain control. It can be connected but it isn't connected automatically by default.

So let's take this example of adding a group to AD & EAC:

• -create a group in ACTIVE DIRECTORY (AD) called TESTGROUP.
• -add people to a group.
• -go to the EXCHANGE ADMIN CENTER (EAC).
• -the group doesn't show.

If you try to add the group in the EAC, you get an error message: "Active Directory operation failed on" ... "already exists."

It's trying to tell you that you can't create the group in EAC because that group is already created in AD.

So let's add the AD GROUP so that it shows in the EAC GROUP:

• -go the AD USERS & COMPTUERS
• -double-click on the group-name-that-you-want-to-change.
• -bullet UNIVERSAL (rather than GLOBAL)
• -click OK
• -connect via POWERSHELL.
• -type: Enable-DistributionGroup -Identity "GROUP_NAME" -Alias "GROUP_ALIAS"
• -refresh the screen in the EAC and the group name will show.

Awesome! Good work.

Now when you try to make a change to the group you find that you can't change the settings for that group in EXCHANGE 2013. You get a message "You don't have sufficient permissions. This operation can only be performed by a manager of the group."

You can get around this by using the -BypassSecurityGroupManagerCheck option in the powershell and take ownership of it. Let me show you:

• -connect to via POWERSHELL.
• -type: Set-DistributionGroup -Identity testgroup -ManagedBy administrator -BypassSecurityGroupManagerCheck

This will add the ADMINISTRATOR as the OWNER of the TESTGROUP.

I service a SONICWALL 2400. I want to block certain web sites. Even though the license for Premium Content Filtering Service shows as EXPIRED, this doesn't mean you can't block web sites and it doesn't mean you don't have Content Filtering Service. It just means you don't have Premium Content Filtering Service. The Premium Content filtering allows you to filter on the basis of categories (http://www.sonicwall.com/us/en/products/Network_Security_Content_Filtering_Categories.html).

• -login to SONICWALL
• -click SYSTEM > LICENSES
• -look for "Comprehensive Gateway Security Suite Upgrade"
• -underneath, look for "Premium Content Filtering Service."
• -next to it, I see EXPIRED.

A little miffed and upset because I feel like I'm being hi-jacked to pay for something that just about any home router can do out of the box, I give it a try anyway.

• -login to SONICWALL.
• -click SECURITY-SERVICES (on the left-hand side).
• -click CONTENT FILTER.
• -you may see UPGRADE REQUIRED (in big red letters).
• -not true (just like their AUTO-DOWNLOAD FIRMWARE feature).
• -find the second section called CONTENT FILTER TYPE.
• -select CONTENT FILTER SERVER (in the dropdown box).
• -click CONFIGURE.
• -click ENABLE HTTPS CONTENT FILTERING.
• -click CUSTOM LIST (tab at the top).
• -find FORBDDEN DOMAINS.
• -click ADD.
• -type in the domain you want to block (for example: aol.com).
• -click OK > OK
• -that should do it! Test it out and let me know how it goes.

Here are some tips on using the STORCLI.

Like last time, you have to run as admin.

• -right-click CMD
• -click RUN AS ADMINISTRATOR
• -browse to the STORCLI location

Show all the info about the MegaRaid card:
storcli /c0 show all

I would post more but this site already has most of it:
http://www.thomas-krenn.com/en/wiki/LSI_StorCLI

The goal for me is to get 4 physical drives in a RAID1. I want to hot-swap pull one of the drives and store it away for safe-keeping. Then I want to insert a new fresh drive into the array.

The older drive is should be able to be used/mounted without difficulty.

So upgrading the firmware on this puppy was rather brutle. I kept on getting, "Firmware Failed to FLASH flash. Stop!!!".

Luckily, there is someone out there (http://www.wobblycogs.co.uk/index.php/computing/hardware/110-lsi-megaraid-firmware-upgrade-under-vmware) that understand that this means that you are trying to upgrade too far of a gap. You can't go from v2.007.403-3066 to v2.130.403-3066. You have to step up to the upgrade.

He also was kind enough to post the step-upgrade-firmware since LSI doesn't offer that firmware anymore.

Here's how:

As a requirement, use the STORCLI (it is the successor of the MegaCLI). To be clear, the MegaCLI should not be used. It is outdated.

• -right-click CMD
• -click RUN AS ADMINISTRATOR
• -browse to the STORCLI location
• -make sure the firmware ROM's are in the same folder (it isn't necessary but it makes it easier).
• -type: StorCLI /c0 download file=AF2108_FW_Image.rom
• -it should take about 10 minutes.
• -reboot server.
• -wait nervously as it performs the upgrade during the reboot.
• -go back to the same location in CMD.
• -type: StorCLI /c0 download file=mr2108fw.rom
• -it should take about 10 minutes.
• -reboot server.
• -wait nervously as it performs the upgrade during the reboot.
• -bliss ensues.

• -open POWERSHELL
• -type: & $env:ExchangeInstallPath\Scripts\Update-MalwareFilteringServer.ps1 -Identity <yourservername.yourdomain.tld>
• -press enter

Hopefully, obviously replace the full <yourservername.yourdomain.tld> with your actual domain name. This could be server.domain.local or server.domain.com or foo.fee.tld. To find this value type:
_GetHostFqdn

Now look at the EVENT VIEWER:

• -server-manager
• -click TOOLS > EVENT-VIEWER
• -click WINDOWS-LOGS > APPLICATION (on the left-hand side).
• -look for EVENT-ID: 6033

This should indicate that the definitions were successfully updated.

I'm so used to Centos being so easy that it's difficult for me to wrap my head around MS thinking. Typically in Centos, front-end mail logs would be in:
/var/log/qpsmtpd

With internal/external delivery being in:
/var/log/qmail

Well from the following link from MS, I was able to piece together a little more info on how it routes the email through the system:
https://technet.microsoft.com/en-us/library/aa996349%28v=exchg.150%29.aspx

High-level logs (general connection status) are documented here:
http://technet.microsoft.com/en-us/library/aa997624%28v=exchg.150%29.aspx

Low-level logs (specific connection status) are documented here:
https://technet.microsoft.com/en-us/library/dd302434%28v=exchg.150%29.aspx

QPSMTPD

In MS EXCHANGE, the logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\FrontEnd\ProtocolLog

There you will find 2 directories that are hopefully self explanatory:
SmtpRecieve
SmtpSend

This will show the details of the data transfer including what email address it came from and what email address it's going to. This would be equivalent to the qpsmtpd.

CONNECTIVITY

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\Hub\Connectivity

This is for sending email. It will show the SMTP responses such as "Failed connection to...." It will not show the DATA transfer details.

QMAIL

This shows delivery of internal email which skips the external QPSMTPD. Here is another spot:
%ExchangeInstallPath%TransportRoles\Logs\Mailbox\ProtocolLog\SmtpReceive

INDIVIDUAL MESSAGE TRACKING

This is going a little overboard as it tracks details of every single message.

Some more logs are in:
C:\Program Files\Microsoft\Exchange Server\V15\TransportRoles\Logs\MessageTracking

This will show the following:
#Fields: date-time,client-ip,client-hostname,server-ip,server-hostname,source-context,connector-id,source,event-id,internal-message-id,message-id,network-message-id,recipient-address,recipient-status,total-bytes,recipient-count,related-recipient-address,reference,message-subject,sender-address,return-path,message-info,directionality,tenant-id,original-client-ip,original-server-ip,custom-data

That's a bunch of information. In my mind, this is equivalent to the qmail logs.

If you want to look through the logs, this is the place to do it! Want to make it easier? Find my article on installing GNUWIN32 so that you can grep through the logs. Sweet!

ENABLE LOGGING

Since logging is disabled by default, we have to turn it on. This is turning the logging on for the FRONT-END/QPSMTPD:

• -login to EXCHANGE MANAGEMENT SHELL.
• -type: Get-ReceiveConnector "FOO\Default Frontend Foo" |fl *
• (This will show the details for the connector.)
• -type: Set-ReceiveConnector "FOO\Default Frontend Foo" -ProtocolLoggingLevel Verbose

SEARCHING THROUGH THE MESSAGE TRACKING LOGS

http://exchangeserverpro.com/exchange-2010-message-tracking-log-search-powershell/

The above link helped me here. Searching through the message logs is the only way to see if a TRANSPORT RULE or MAIL FLOW RULE has been triggered. To see the whole message log, it's like this:

Get-MessageTrackingLog | fl *

If a message has been block by a TRANSPORT RULE or MAIL FLOW RULE, it will give an EVENTID of "FAIL" and the STATUS will say "550 5.2.1 Message deleted by the transport rules agent."

MAIL FLOW RULES (TRANSPORT RULES) AND MESSAGE TRACKING

From a SENDER
Get-MessageTrackingLog -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it

To a RECIPIENT:
Get-MessageTrackingLog -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it

On a DATE
Get-MessageTrackingLog -Start "06/13/2016"

A specific EVENT (Such as FAIL):
Get-MessageTrackingLog -EventId FAIL

Shows the FAILED messages for the day (including messages that fail due to MAIL FLOW RULES (TRANSPORT RULES):
Get-MessageTrackingLog -EventId FAIL -Start "01/01/2000"

Adding them together to find an email that didn't go through (EVENT FAIL) FROM a USER, TO a USER on a certain DATE:
Get-MessageTrackingLog -EventId FAIL -Start "06/01/2016" -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Resultsize Unlimited

See the expanded details about the messages:
Get-MessageTrackingLog -EventId FAIL -Start "06/13/2016" -Sender This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Recipients This e-mail address is being protected from spambots. You need JavaScript enabled to view it -Resultsize Unlimited | fl

Show me everything about the item by using the InternalMessageId:
Get-MessageTrackingLog -InternalMessageId 89279485181957 | fl

Event Parameters can be the following: BadMail, Defer Deliver, DSN, Expand, Fail, PoisonMessage, Receive, Redirect, Resolve, Send, Submit, and Transfer.

Some components, namely FRONTPAGE SLIDESHOW (aka FPSS) gets the parent_id incorrect.

• -access MYSQL
• -access #_assests
• -re-organized via "parent_id"
• -change all the 0's (zero's) to 1's (one's).
• -change the "Root Asset" to 0 (zero).

In mysql speak, it looks like this:

UPDATE `#_assets` SET `parent_id`=1 WHERE `parent_id` = '0';
UPDATE `#_assets` SET `parent_id`=0 WHERE `title` = 'Root Asset';

Here's how to install Grub onto a HD:

• grub
• grub> device (hd0) /dev/sdb
• grub> root (hd0,0)
• grub> setup (hd0)
• grub> quit

If you look closely, you are installing grub on SDB (not SDA). Also note that you are installing grub as HD0 or the FIRST HD. The reason you do this is because grub is already installed on SDA and while grub only needs to be installed on one disk (it doesn't need to be installed on two disks), you need to consider what happens if SDA dies.

If SDA dies then SDB is going to be the next disk in line and possibly the only disk. The boot process or bootstrap will skip SDA and try to boot from SDB. If grub is not found, then the system will not boot. Installing grub on SDB as the FIRST HD, ensures that the system boots to the first stage menu and allows you to pick your installation or begin stage 2.

Getting hardware information from a server that you've never laid eyes on, is thousands of miles away and can physically access is sometimes difficult.

Below are some items that I've used in the past to get details of the hardware in the system. You can harmlessly type the commands in as they only inspect info and do not change anything.

dmidecode

I like this one. It gets the info from the bios, even the product name, serial number and Dell service tag number. It even gets the BASEBOARD info (or motherboard info) and the CHASSIS info (the actual physical case) with it's locked status.

The full is is:

• dmidecode
• lspci
• lsusb
• df -h
• fdisk -l
• mount | column -t
• cat /proc/cpuinfo
• cat /proc/meminfo
• cat /proc/scsi/scsi
• cat /proc/version
• uname -a
• cat /proc/partitions

Amazon Web Services or AWS is amazing. There's so much I'm like the proverbial kid in a candy store. This changes everything. Walls are torn down technologywise. And price isn't a barrier.

One issue is what is so seemingly simple like sync a local directory to AWS S3 is so complicated. There are a number of ways to automatically sync items that I have found in my travels and wanted to list them out.

CLOUDBERRY

http://www.cloudberrylab.com/

This is the standard of what you want. It connect a new DRIVE LETTER to your computer which syncs with S3. So it adds a Z DRIVE to your computer. That Z DRIVE is actually your S3. Cool.

The problem becomes, what if I don't want it as a DRIVE LETTER and I want it to connect to an existing folder/directory.

SPRIGHTLYSOFT

http://sprightlysoft.com/S3Sync/

This is strictly a command-line tool. It will walk you through getting the command correct but then you are responsible for running the command directly or on a cron. Not exactly what I was looking for.

ALLWAYS SYNC

http://allwaysync.com/index.html

This looks promising but it doesn't have the GovCloud access region of AWS that I need.

Unzip the IonCube File & Load It Into the PHP

• -untar/unzip the ioncube download tar.gz
• -it will give a bunch of files.
• -use the phpinfo file to look at the all the php info details.
• -find where the extension_dir is.
• -for me, it is: /usr/lib64/php/modules
• -copy the most recent ioncube_loader into that directory (there will be other extensions in there as well).
• -for me, the file is: ioncube_loader_lin_5.3.so

Edit the php.ini file

• -go to the end of the file.
• -type:

[ionCube]
zend_extension = /usr/lib64/php/modules/ioncube_loader_lin_5.3.so

Restart the Httpd

• -type: service httpd-e-smith stop
• -type: service httpd-e-smith start

DRAC EXPLAINED

As stated, DRAC is basically DELL's propitary version of IPMI. This is OUT-OF-BANDWIDTH control. This means you can control the server even if it doesn't have an OPERATING SYSTEM on it. You can load an OS from thousands of miles away. I have successfully done this. You can control the BIOS settings, you can restart the PC, you can watch the PC boot up and you can remotely connect and view the PC (This is different than RDP). Awesome!

CONNECT TO THE DRAC SETTINGS

You can control the DRAC setting through either LOCAL access (directly on the PC) or REMOTE access (from another system). For the LOCAL access, you can use the OPEN MANAGE software previously discussed. It will install a SERVER-MANAGER icon on the desktop that can control some of the settings.

REMOTE DRAC

The REMOTE access can be obtained by simply setting an IP ADDRESS on the DRAC and hitting the DRAC via a web browser. What's surprising to me is that the REMOTE access seems to have more options than the local access. In fact, I really don't know why there are 2 different interfaces. It would make sense to redirect the local interface to the remote interface.

DRAC VIRTUAL MEDIA

One of the options of the REMOTE is VIRTUAL MEDIA access. This means that the remote system will boot from the VIRTUAL MEDIA. It goes like this.

• -put the OS INSTALL DISK into your computer.
• -connect to the DRAC via browser.
• -connect the VIRTUAL MEDIA to the remote system.
• -the remote system will boot from the CD! (that is totally awesom!!!).
• NOTE: the same will happen with an ISO image.

DISABLE VIRTUAL FLASH

On the DRAC settings via REMOTE, you can configure the VIRTUAL MEDIA settings.

• -connect the the DRAC via browser.
• -click SYSTEM > MEDIA > CONFIGURATION
• -find VIRTUAL FLASH ENABLED.
• -uncheck VIRTUAL FLASH ENABLED.
• -click APPLY CHANGES (at the bottom).

WHY DISABLE VIRTUAL FLASH ON THE DRAC

The reason you want to do this is because most systems won't install when the VIRTUAL FLASH is enabled along with the VIRTUAL MEDIA. Both the VIRTUAL FLASH & the VIRTUAL MEDIA are enabled by default by DELL (probably an oversight on their part).

Another reason you want to do this is that if the VIRTUAL FLASH is enabled, it may show up on the WINDOWS system as an empty drive that is not formatted.

TROUBLE ACCESSING VIA REMOTE

Also note that since you're accessing a remote system, usually the connection is through JAVA. I've had many issues trying to get it to work. It seems like it works best from IE on a WINDOWS system. I have very little success from the MAC BOOK PRO > FIREFOX combo.

This is true of bothe IPMI and of DRAC.

Happy remote accessing!

Here's what I did to upgrade the DRAC firmware:

• -open command prompt and run this command to disable Virtual Flash:
• -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 0
• -run the DRAC update - around 10 minutes to install
• -still in command prompt run the command to enable Virtual Flash:
• -type: racadm config -g cfgRacVirtual -o cfgVirMediaKeyEnable 1

You can also upgrade the DRAC firmware via the REMOTE access to the DRAC. It seems to be easier. I don't know why that is so.

In case you don't know, the glory days of software are officially over. The new licensing in Microsoft 2013 make it nearly impossible to retreive an INSTALL KEY, PRODUCT KEY or skip ACTIVATION. I will bypass the horrors of trying to manage this for a large set of computers and go straight to the point that MS has put up a catch-all page (404 page) that will allow you to download a product if you have a valid KEY.

In other words, you still need an INSTALL KEY or PRODUCT KEY.

MS landing page for sofware download if you already have a KEY (this will attach the KEY to your MS ACCOUNT/MS EMAIL):
http://microsofthup.com/hupus/error404.html

MS 2010 items can still be directly downloaded here:
https://drcdn.blob.core.windows.net/office2010

For example, PROJECT PRO 2010:
https://drcdn.blob.core.windows.net/office2010/X17-75407.exe

The following link has collected all of the links for us:
http://www.heidoc.net/joomla/technology-science/microsoft/18-office-2010-direct-download-links#
http://www.heidoc.net/joomla/technology-science/microsoft/73-office-2013-direct-download-links

Did you ever have that one executive that has a locked office and refused to type in a USERNAME & PASSWORD because they can't diferentiate between their COMPUTER PASSWORD, EMAIL PASSWORD and ICLOUD PASSWORD?

I've had that before. It's easier to just automatically log them in than dealing with the phone calls.

Here's how:

• -click here: http://technet.microsoft.com/en-us/sysinternals/bb963905
• -download
• -run
• -type in the domain information

That's it! The Autologon for Windows v3.01 should take care of the rest. You are doing great!

I haven't done this stuff since college nearly 20 years ago. Most of my experience has been in Small to Medium Enterprises with a just-get-it-done attitude and a we-just-need-internet desire that I haven't had the need to get into the details.

I will say that it seems as if some of these companies simply complicate proceedures to be able to justify their pricing. Backing up a config file should be a 1 button push. It's almost 2015.

• -click START > RUN > CMD
• -type: telnet
• -type: o 111.222.333.444 (that the letter o as in lmnop and the ip address of the switch)
• -type in the password
• -type: enable (enable is their sudo command)
• -type in the password (yes again for sudo)
• -type: copy run tftp
• -type 111.222.333.444 (that's the ip address of the tftp server, if you don't have a tftp server, download the http://tftpd32.jounin.net/ portable tftp server & allow UDP port 69).

That should do it!

When you add a fresh USB DRIVE to Linux, it should automatically assign it a device. Something like:

• /dev/sda
• /dev/sdb
• /dev/sdc
• /dev/sdd

and so on.

Discover the USB Drive

The easiest way to check this is to look through the message log::

grep kernel /var/log/messages

You will see something like:

Sep 26 18:07:24 server kernel: usb 2-1: new high speed USB device using ehci_hcd and address 5
Sep 26 18:07:24 server kernel: usb 2-1: configuration #1 chosen from 1 choice
Sep 26 18:07:24 server kernel: scsi6 : SCSI emulation for USB Mass Storage devices
Sep 26 18:07:24 server kernel: usb-storage: device found at 5
Sep 26 18:07:24 server kernel: usb-storage: waiting for device to settle before scanning
Sep 26 18:07:29 server kernel:   Vendor: ST310003  Model: 40AS              Rev:
Sep 26 18:07:29 server kernel:   Type:   Direct-Access                      ANSI SCSI revision: 02
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel: SCSI device sdd: 1953523055 512-byte hdwr sectors (1000204 MB)
Sep 26 18:07:30 server kernel: sdd: Write Protect is off
Sep 26 18:07:30 server kernel: sdd: Mode Sense: 34 00 00 00
Sep 26 18:07:30 server kernel: sdd: assuming drive cache: write through
Sep 26 18:07:30 server kernel:  sdd:
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi disk sdd
Sep 26 18:07:30 server kernel: sd 6:0:0:0: Attached scsi generic sg3 type 0
Sep 26 18:07:30 server kernel: usb-storage: device scan complete

If you look closely at the above logs, you will see that the system assigned the letter d to the USB DRIVE. So, the device is /dev/sdd

If the USB DRIVE already has a file system on it, you might be able to find more details by:

df -h

or simply

mount

Partition the USB DRIVE

The fresh USB DRIVE will have no filesystem so it probably won't be mounted anywhere. To format the USB DRIVE:

• fdisk /dev/sdd
• n (to add a new partition)
• p (to make a primary partition)
• 1 (that's the number one, the number you want to assign to the partition)
• w (write and exit)

Format the USB DRIVE

Now that there is a partition on the USB DRIVE, we have to format the partition with a filesystem.

• mkfs.ext3 -L BackupDrive1 /dev/sdd1

Where

• ext3 is the filesystem itself (explaining filesystems is beyond this article).
• -L option is to label the USB DRIVE

Mount the USB DRIVE

To mount the USB DRIVE, issue a:

• mount /dev/sdc1 /media/BackupDrive1/

Reliably mount multiple disks in the one location

In case you want to use a rotating set of disk drives for backups, you may want to mount different USB DRIVES in the same location. Of course, make sure you don't plug both in at the same time.

Edit the /etc/fstab. Add the lines by typing:

• LABEL=BackupDrive1      /media/BackupDrive1     ext3    defaults
• LABEL=BackupDrive2      /media/BackupDrive1     ext3    defaults

Set The Label On The Partition

This will set the label on the partition:

• e2label /dev/sdd1 MyLabel

Check The Label On The Partition

This will check the label on the partition:

• e2label /dev/sdd1

Unmount the USB DRIVE

If you need to unmount the USB DRIVE, it's like this:

• umount /media/BackupDrive1/

How to Keep the USB DRIVE From Falling Asleep

I won't go into too much detail here but sometimes the USB DRIVE is going to fall asleep because of the USB DRIVE CADDY that it is in. The easist way for me to fix it was to mount it around 5 minutes before the back is scheduled to start.

• mkdir -p /etc/e-smith/templates-custom/etc/crontab/26usb-drive
• vi 26usb-drive

# Keep the USB drive from going into standby.
#5 * * * * /bin/touch /dev/sdc &>/dev/null
50 21 * * * root mount /dev/sdc1 /media/BackupDrive1/
55 21 * * * root umount /media/BackupDrive1/

How to Selective Restore From DAR Backup

Here's how to selective restore from DAR backup:

dar -x /media/BackupDrive1/server.domain.local/set2/full-201408092200 -N -R / -w -g home/e-smith/files/ibays/share_data/files

You will also have to restore all the incrementals:

dar -x /media/BackupDrive1/server.domain.local/set2/inc-001-201408102200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-002-201408112200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-003-201408122200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files
dar -x /media/BackupDrive1/server.domain.local/set2/inc-004-201408132200.1.dar -N -R / -w -g home/e-smith/files/ibays/share_data/files

How to Manually Start a Backup

Here's how to manually start a backup routine

• /sbin/e-smith/do_backupwk

How to Set the Backup Sets

Backup Sets are an entire week; a full backup on Friday plus the remaining 6 days (SAT, SUN, MON, TUE, WED, THU). This data can be large. Currently, on one server, I have 600GB of data for the entire backup set.

A USB backup drive needs to be large enough for the number of full sets you want (how far back in history do you want to go) + 1. In other words, N + 1.

As an example, if you have a 2TB drive and you can only go back 2 sets.

Why? Well if you have 3 sets that is a total of 1.8TB (600 x 3) which is the desired result. The problem becomes that the next backup cannot run because it collects the backup and then it deletes the oldest backup. The next backup can only go to about 200GB and then it will error out. I learned this the hard way.

Putting the backup sets to 2 will result in 1.2TB. The next backup set will finish for a total of 1.8TB and then delete the oldest backup for a total of 1.2TB again.

I had to get port-security running on a Cisco Catalyst 2960-S:

Show the port information on a Cisco 2960-S

• -click START > RUN > CMD
• -type: telnet
• -type: o 111.222.333.444 (that the letter o as in lmnop and the ip address of the switch)
• -type in the password
• -type: show interfaces (this will give the long version).
• -type: show interfaces summary (this will give the traffic summary version).
• -type: show interface description
• -type: show ip interface (this will give the ports up/down status).
• -type: show ip interface brief (this will give the ports up/down status at a glance).
• -type: show interface status (this will give the ports vlan, duplex and speed).
• -type: show interface status err-disabled (this will give a quick report of the ports in err-disabled mode).
• -type: show power inline (this will give the port power status).
• -type: show version (for overall switch info and uptime).

NOTE: 2960-S platform has a 100mbp/s management port identified as fastethernet0.

Show the Port Security on a Cisco 2960-S

• -type: enable
• -type: the-sudo-password
• -type: show port-security (this will give the ports with the security violations).
• -type: show port-security interface Gi 0/1 (this will give the individual port status as per port security).
• -type: show port-security address (this will give the port security memorization table).

Configure the Port Security on a Cisco 2960-S

• -type: config terminal
• -type: interface Gi 0/19 (to configure that port).
• -or type: interface range Gi 0/1 - 19 (to configure a range of ports).
• -type: switchport port-security (to enable port security)
• -type: switchport port-security maximum 1 (allows only 1 mac address to be assigned to the port).
• -type: switchport port-security violation shutdown (shutdown the port if there's a violation and requires manual).
• -type: switchport port-security mac-address sticky (collects the mac address and memorizes it).
• -type: switchport port-security aging time 0 (set the aging time to 0)
• -type: switchport port-security aging type absolute (set the mac address type to the only mac address allowed).

Manually Enable the Port after a Violation on Port Security

• -while still in config mode.
• -type: shutdown (this shuts the port down).
• -type: no shutdown (this brings the port back up).

When a security violation happens, the port is shutdown and will not work. It requires manual intervention to make certain there is no malicious activity happening. The commands above will bring the port back up working with the original MAC address.

Clear out the Stick Mac Address to Allow Another Computer/Device

• -login to switch.
• -type: enable
• -type: config terminal
• -type: interface G 0/19
• -type: shut
• -type: do clear port-security all interface gi0/19
• -type: no switchport port-security mac-address sticky
• -type: switchport port-security mac-address sticky
• -type: no shutdown

This will clear out the mac-address that is remembered and bring the port back up so that it will work with another NEW-MAC address.

However, if the mac-address is still in the address-table, you will not be able to use this mac-address on another port. The mac-address has to be cleared from the original-port it is attached to.

First, find out if the mac-address is attached to a port and make note of the port.

• -type: show port-security address

Now, shut down the new port:

• -type: config t
• -type: int gi0/28
• -type: shut

Now, clear out the mac-address from the original port:

• -type: config t
• -type: int gi0/19
• -type: shut
• -type: do clear port-security all interface gi0/19
• -type: no shut

Now, verify the mac-address is gone:

• -type: do show port-security address
• -type: end

Finally, bring back up the new port:

• -type: config t
• -type: int gi0/28
• -type: no shut

You can see if a port is in violation by:

• -type: show int status

To recover any port that is in violation:

• -type: config t
• -type: errdisable recovery cause psecure-violation

But then you have to wait the Timer-Interval-Seconds before the port is available again.

To see the timeout:

• -type: show errdisable recovery

You might want to see if any mac-address is in the table:

-type: show mac address-table

Disable Port Security

• -while in config mode & while in an interface or range of interfaces
• -type: no switchport port-security

End the Config Session

• -type: end

To Tail the Logs

• -type: terminal monitor
• -type: terminal no monitor

Save the Changes

• -type: write memory
• -or type: copy running-config startup-config

Windows can't keep copying correct by default. As a note for myself, I'm shamelessly copying from somewhere on the internet:

robocopy source destination /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /LOG:Robocopy.log

A real-world example is copying the BACKUP-DRIVE to an EXTERNAL-DRIVE but only files for the last 90 days:

robocopy z:\ t:\ /MIR /Z /E /ZB /DCOPY:T /COPYALL /R:1 /W:1 /V /TEE /MAXAGE:90 /LOG:Robocopy.log

Here's what the switches mean:

• source :: Source Directory (drive:\path or \\server\share\path).
• destination :: Destination Dir  (drive:\path or \\server\share\path).
• /E :: copy subdirectories, including Empty ones.
• /ZB :: use restartable mode; if access denied use Backup mode.
• /DCOPY:T :: COPY Directory Timestamps.
• /COPYALL :: COPY ALL file info (equivalent to /COPY:DATSOU).  Copies the Data, Attributes, Timestamps, Ownser, Permissions and Auditing info
• /R:n :: number of Retries on failed copies: default is 1 million but I set this to only retry once.
• /W:n :: Wait time between retries: default is 30 seconds but I set this to 1 second.
• /V :: produce Verbose output, showing skipped files.
• /TEE :: output to console window, as well as the log file.
• /LOG:file :: output status to LOG file (overwrite existing log).

The above will copy the directory. You will have to manually re-setup the share.

This is why the best practice is to use full permission for everyone on the share, and limit the permission using NTFS permissions. And wait till everyone leaves the office.

NOTE: Robocopy can be cantankerous. If you get error message, "access is denied" or "This security ID may not be assigned as the owner of this object" then try it this way.

-first, map a drive: net use k: \\server\share-name /user:pc-name\username password-here

-second, use robocopy with /COPY:DAT instead of /COPYALL. Like this: robocopy E: K:\share-name /E /ZB /DCOPY:T /copy:DAT /R:1 /W:1 /V /TEE /MT:12 /LOG:Robocopy.log

If you need to copy just one file, then try something like:

robocopy D:\path\to\DIRECTORY_NAME K:\DIRECTORY_NAME "file-name-here.ext" /E /Z /ZB /R:5 /W:5 /TBD /V /MT:16

I can never remember how to find the size of the current directory in linux. Here it is:

du --max-depth=1

And to make is human readable and sorted by number:

du -h --max-depth=1 |sort -n