Tuesday, December 31, 2013

NetScaler Blank Screen with Internet Explorer 9+

If you have customized your NetScaler theme, logging in to Access Gateway or the VPN with Internet Explorer 10 or 11 may give you a blank page instead of the login form.

To fix this, either have your users run IE in Compatibility View, or edit the index.html file in your theme folder.

I am using the Symphony1 theme, so my index.html is at

/var/vpn/themes/Symphony1/ns_gui/vpn/index.html

Edit the file with vi and add the following line:

<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />

right after the <link ...> element in the <head>. (IE documents that X-UA-Compatible should precede every other element in <head> except <title> and other <meta> tags, so if the tag has no effect, move it higher.) Custom theme files under /var/vpn/themes can be overwritten by a NetScaler firmware upgrade, so keep a record of this change.

Location of <META> Tag

Save the file and try again :)

Friday, November 29, 2013

PowerShell Awesomeness!!

I love PowerShell!

Here is how to enumerate every mailbox-enabled user in a particular OU in Exchange 2013 and assign each of them the new Enterprise Vault 10.0.4 Office mail app:


Get-ADUser -SearchBase "OU=My Users,DC=domain,DC=local" -SearchScope Subtree -Filter {proxyaddresses -like "smtp:*"} |
    ForEach-Object {
        $mbx = Get-Mailbox $_.SamAccountName
        New-App -Mailbox $mbx.LegacyExchangeDN -Url ("https://vault.domain.local/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" + $mbx.LegacyExchangeDN + "&BaseURL=https://vault.domain.com/EnterpriseVault")
    }


Don't forget to change the -SearchBase and -Url parameters for your environment. The proxyaddresses filter also matches mail-enabled users that have no mailbox, for which Get-Mailbox will fail, so check the output for errors.

All mailbox-enabled users in the OU will get the new Enterprise Vault web app!

Monday, November 25, 2013

Exchange 2013 CU2 v2 Installation Guide

Here are the steps I followed to upgrade my Exchange 2013 CU1 servers to CU2 v2.

I have one multi-role (MBX + CAS) server, two MBX servers and two CAS servers. I patch the MBX servers first, then the CAS servers. All my MBX servers are members of the same DAG.

Exchange Schema Version
Exchange 2013 CU2 upgrades the Active Directory schema as part of the installation.
To check the current Exchange schema version, run the following PowerShell:


$root  = [ADSI]"LDAP://RootDSE"
$name  = "CN=ms-Exch-Schema-Version-Pt," + $root.schemaNamingContext
$value = [ADSI]( "LDAP://" + $name )
"Exchange Schema Version = $( $value.rangeUpper )"

The CU1 schema version is: 15254

I prefer to run the schema change with the Setup.exe command line rather than the GUI.
Make sure the server you run the schema change from is in the same AD site as the domain controller that holds the Schema Master FSMO role.
Make sure the account you use is a member of both the Schema Admins and Enterprise Admins groups.

To run the schema upgrade, use Setup.exe from the extracted CU2 folder:


Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms



After the schema upgrade, the version is: 15281

Exchange Mailbox Role Upgrade
Make sure the PowerShell execution policy is set to "Unrestricted" before starting the upgrade. Note the current policy first so you can set it back afterwards; Unrestricted is broader than a server normally needs.

Set-ExecutionPolicy Unrestricted

If a UM language pack other than en-US is installed, it must be uninstalled first (for example, if you have the en-AU pack):

Setup.exe /RemoveUMLanguagePack:en-AU

If you are using SCOM to monitor this mailbox server, put the agent into maintenance mode.

If any mailbox database copy is active on this server, move it to another DAG member.

Drain the Hub Transport

Set-ServerComponentState <servername> -Component HubTransport -State Draining -Requester Maintenance

Redirect Message to another server
Redirect-Message -Server <servername> -Target <target-server.fqdn>
Note: target-server.fqdn must be an FQDN.


Suspend DAG Node
Suspend-ClusterNode -Name <servername>

Disable database copy activation
Set-MailboxServer <servername> -DatabaseCopyActivationDisabledAndMoveNow $true

Review the existing database copy auto activation policy
Get-MailboxServer <servername> | Select DatabaseCopyAutoActivationPolicy
Take a note of the copy auto activation policy **

Set AutoActivation policy to blocked
Set-MailboxServer <servername> -DatabaseCopyAutoActivationPolicy Blocked

Put Server in Maintenance Mode
Set-ServerComponentState <servername> -Component ServerWideOffline -State InActive -Requester Maintenance

Apply CU2 to the server
Run the setup.exe from the CU2 extracted folder
Once finished, reboot the server

Take the server out of maintenance mode
Set-ServerComponentState <servername> -Component ServerWideOffline -State Active -Requester Maintenance

Resume DAG node
Resume-ClusterNode -Name <servername>

Set the auto activation policy back to its original value (** the value you noted above; Unrestricted is the default)
Set-MailboxServer <servername> -DatabaseCopyAutoActivationPolicy Unrestricted

Enable database copy activation
Set-MailboxServer <servername> -DatabaseCopyActivationDisabledAndMoveNow $false

Reactivate Hub Transport
Set-ServerComponentState <servername> -Component HubTransport -State Active -Requester Maintenance

- Re-install Language Pack if needed
- Take server out of maintenance mode in SCOM


Exchange CAS Role Upgrade
Make sure the PowerShell execution policy is set to "Unrestricted" before starting the upgrade, and note the current value so you can set it back afterwards.

If you are using SCOM to monitor this CAS server, put the agent into maintenance mode.


Apply CU2 to the server
Run the setup.exe from the CU2 extracted folder
Once finished, reboot the server


- Take server out of maintenance mode in SCOM

Wednesday, November 13, 2013

Exchange 2010 Mailbox Restore with NetBackup 7.5.6

Today I needed to restore an Exchange 2010 mailbox from NetBackup.
Here are the steps I took:

Create a Recovery Database

Add a storage to the exchange server (e.g. virtual disk to the VM)
Assign a drive letter to this newly created disk in the exchange server (e.g. Z: drive)
Create a folder for the recovery DB (e.g. Z:\Recovery)
Create a folder for the recovery log (e.g. Z:\Recovery\Log)

Run the PowerShell below to create a recovery DB:

New-MailboxDatabase -Recovery -Name recoveryDB -Server exc01 -EdbFilePath "Z:\Recovery\Mailbox01.edb" -LogFolderPath "Z:\Recovery\Log"

I give the EDB file exactly the same name as the original EDB file.

In the properties of recoveryDB, make sure "This database can be overwritten by a restore" is ticked.



Restore the Database Backup

From the Netbackup Console, Add the client: File - Specify NetBackup Machines and Policy Type...
Click on Edit Client List button
Add the client name
Source client for restores: exc01
Destination client for restores: exc01
Policy type for restores: MS-Exchange-Server

Select the date of the backup to be restored


Navigate to the Microsoft Information Store and select both database and log


Click the restore icon
On Microsoft Exchange tab: 
Point-in-Time Recovery (Replay only restored log files)
Commit after last backup set is restored



On General tab:
Restore everything to a different location (maintaining existing structure)
Destination: Microsoft Exchange Database Availability Groups:\dag\Microsoft Information Store\RecoveryDB\

Note: Make sure the Destination is RecoveryDB



Click Start Restore

Mount the Database

Once the restore is complete, mount the RecoveryDB (if it is not mounted automatically).

Create a Recovery Account

Create a target mailbox (recovery account) that will receive the restored data.
Then run the following PowerShell to restore the mailbox into it:

Restore-Mailbox -Identity recoveryUser -RecoveryDatabase RecoveryDB -RecoveryMailbox sourceMailboxUser -TargetFolder Recovery

Thursday, October 31, 2013

Changing Network Location on Windows 2008R2/2012

For some unknown reason, one of my domain controllers changed its network location from Domain to Public:

This is a problem because the Public firewall profile then blocks all unsolicited inbound traffic to the DC.
It needs to be Domain, but sometimes the location name is not clickable.

To fix this, I found a trick:
Open the properties of the network adapter and untick Internet Protocol Version 6 (TCP/IPv6).


Click OK.

The location should change to Domain. Now you can turn the IPv6 stack back on.

What the trick really does is force Network Location Awareness to re-evaluate the connection; restarting the Network Location Awareness (NlaSvc) service once the DC can reach its domain has the same effect without touching the adapter. Do not work around the symptom by relaxing the firewall for the Public profile.

Tuesday, October 29, 2013

Upgrade Wordpress Procedures

I host my own WordPress site and quite often need to upgrade the WordPress package. There is an automatic upgrade, but in my setup it wants an FTP server, which I do not run, so I upgrade manually.

There is an official manual upgrade procedure; this is the method I use:

Backup wordpress

Back up the database.
Back up the files:

rsync -a wordpress/ wordpress.backup/

Download the latest WordPress over HTTPS (wordpress.org also publishes the archive's checksum as latest.tar.gz.sha1, so you can verify what you downloaded before installing it):

wget https://wordpress.org/latest.tar.gz

Extract the tar file

tar -xzvf latest.tar.gz

This creates a wordpress/ directory.

Disable all the plugins

Navigate to the admin panel and disable all the plugins

Copy the new files over the existing installation (adjust the paths; the source is the wordpress/ directory just extracted):

rsync -rtv new_wordpress/wordpress/ old_path/wordpress/

Check the website

Browse to the site; it usually prompts for a database upgrade. Re-enable the plugins, and if everything is OK, delete the wordpress.backup/ folder.
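The download step above trusts whatever came over the wire. The following is an added example (my own code, not from the post or from WordPress) of the two checks a practitioner would want before running rsync: verify the archive's SHA-1 against the digest wordpress.org publishes beside it, and refuse any tar member that would land outside the extraction directory (absolute paths, ".." traversal, links), which is how a tampered archive could overwrite wp-config.php or files outside the web root. File names and the sample archive are constructed for the example.

```python
import hashlib
import os
import tarfile


def sha1_of_file(path):
    """Stream the file through SHA-1 so large archives need little memory."""
    h = hashlib.sha1()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_sha1(tarball, expected_sha1_text):
    """Compare the tarball's SHA-1 with the published digest.
    Accepts either a bare hex digest or 'digest  filename' (sha1sum style)."""
    expected = expected_sha1_text.strip().split()[0].lower()
    return sha1_of_file(tarball) == expected


def safe_members(tar):
    """Yield only members that extract inside the destination directory."""
    for m in tar.getmembers():
        norm = os.path.normpath(m.name)
        if os.path.isabs(m.name) or norm == ".." or norm.startswith("../"):
            raise ValueError("refusing member with unsafe path: %s" % m.name)
        if m.issym() or m.islnk():
            # A link pointing outside the tree would let later members
            # write through it to an arbitrary location.
            raise ValueError("refusing link member: %s" % m.name)
        if not (m.isfile() or m.isdir()):
            raise ValueError("refusing special file: %s" % m.name)
        yield m


def extract_verified(tarball, expected_sha1_text, dest):
    """Verify the checksum, then extract only the vetted members.
    Returns the sorted list of member names that were extracted."""
    if not verify_sha1(tarball, expected_sha1_text):
        raise ValueError("SHA-1 mismatch: do not install this archive")
    with tarfile.open(tarball, "r:gz") as tar:
        members = list(safe_members(tar))  # raises before anything is written
        tar.extractall(dest, members=members)
    return sorted(m.name for m in members)


if __name__ == "__main__":
    # Assumed file names: the archive and digest fetched from wordpress.org.
    with open("latest.tar.gz.sha1") as fh:
        print(extract_verified("latest.tar.gz", fh.read(), "new_wordpress"))
```

Because safe_members walks the whole member list before extractall runs, a single bad entry rejects the archive as a unit rather than leaving a half-extracted tree behind.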



Saturday, September 28, 2013

Configuration File is not well-formed XML

Today one of my Exchange 2013 servers started generating Event ID 2001.


It turned out that the IIS applicationHost.config file had been corrupted: opening it shows garbage characters throughout.

Luckily I have another Exchange 2013 server in the same DAG, so I copied applicationHost.config from its C:\Windows\System32\inetsrv\config folder over the corrupted one and ran an IIS reset. Before doing this, keep a copy of the corrupted file and compare the donor file for server-specific settings (site bindings, IP addresses, paths), since IIS configuration is per server. IIS also keeps its own history of applicationHost.config under %SystemDrive%\inetpub\history, which is the safer source if it holds a recent good copy.

Saturday, September 07, 2013

OwnCloud - Setting IT Up

I needed a way to store my files and, more to the point, to synchronise them across two or more computers. I found ownCloud.

Setting it up is straightforward; just follow the documentation. By default, however, ownCloud keeps its data directory on the local server. I have a Windows file share and want all my files stored there.

I am running ownCloud on Ubuntu.

I created a shared folder on my Windows server and a dedicated user account in my Windows domain for ownCloud to use.

On the Ubuntu server, first create a hidden file containing the username and password of that domain account. The file holds a cleartext password, so it must be readable by root only (mode 600):

> vi /path/.smbcredentials

username=myuser
password=mypassword

Save the file.

Next, create a mount point for the Windows share:

> mkdir /mount/projects

Then find the uid and gid of the account that runs the web server, in my case www-data:

> id www-data

uid=33(www-data) gid=33(www-data) groups=33(www-data)

Next, edit /etc/fstab to mount the share:

> vi /etc/fstab

and add the following line:

//server.domain.local/share /mount/projects cifs credentials=/path/.smbcredentials,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0

Two caveats on these options: sec=ntlm selects NTLMv1, so unless the file server accepts nothing else, use sec=ntlmssp (NTLMv2 inside NTLMSSP, the default on newer kernels); and without a file_mode option, files appear with the default 0755 mode, readable by every local user, so add file_mode=0660 next to dir_mode=0770.

Then run:

> mount -a

This mounts the Windows share at /mount/projects.

During the ownCloud installation, when it asks for the data folder, enter /mount/projects.
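The two weak points in the setup above are the credentials file and the mount options. Here is an added example (my code, not from the post or from ownCloud) that creates the credentials file with mode 600 atomically, builds an fstab entry with NTLMv2 and restrictive file modes, and audits an existing cifs fstab line for the problems discussed: inline passwords, sec=ntlm, missing file_mode, and a credentials file readable by group or others. Paths, user names and the sample fstab line are constructed; the audit treats a missing sec= option as the kernel default (ntlmssp on current kernels).

```python
import os
import stat

# sec= values that negotiate NTLMv1 or weaker instead of NTLMv2 over NTLMSSP.
WEAK_SEC_VALUES = {"ntlm", "ntlmi", "lanman", "none"}


def write_smb_credentials(path, username, password, domain=None):
    """Create a cifs credentials file readable by its owner only.

    O_CREAT|O_EXCL with mode 0600 means the password is never even briefly
    world-readable, and an existing file or a symlink planted at the path
    is not silently written through."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write("username=%s\n" % username)
        fh.write("password=%s\n" % password)
        if domain:
            fh.write("domain=%s\n" % domain)
    return path


def credentials_mode(path):
    """Permission bits of the credentials file, e.g. 0o600."""
    return stat.S_IMODE(os.stat(path).st_mode)


def build_cifs_fstab_entry(unc, mountpoint, credentials, uid, gid, sec="ntlmssp"):
    """An /etc/fstab line that limits the mount to the web server account
    (uid/gid) and negotiates NTLMv2 via NTLMSSP by default."""
    opts = [
        "credentials=%s" % credentials,
        "iocharset=utf8",
        "sec=%s" % sec,
        "uid=%d" % uid,
        "gid=%d" % gid,
        "file_mode=0660",
        "dir_mode=0770",
        "_netdev",  # network filesystem: mount after the network is up
    ]
    return "%s %s cifs %s 0 0" % (unc, mountpoint, ",".join(opts))


def audit_cifs_fstab_entry(line):
    """Return a list of findings for one cifs fstab line; empty means clean."""
    findings = []
    fields = line.split()
    if len(fields) < 4 or fields[2] != "cifs":
        return ["not a cifs entry"]
    opts = dict(o.partition("=")[::2] for o in fields[3].split(","))
    if "password" in opts:
        findings.append("password is inline in /etc/fstab (world-readable); use credentials=")
    sec = opts.get("sec", "ntlmssp")  # assumed kernel default when unset
    if sec in WEAK_SEC_VALUES:
        findings.append("sec=%s negotiates NTLMv1; use sec=ntlmssp" % sec)
    if "file_mode" not in opts:
        findings.append("no file_mode: files default to 0755, readable by every local user")
    cred = opts.get("credentials")
    if cred and os.path.exists(cred):
        mode = credentials_mode(cred)
        if mode & (stat.S_IRWXG | stat.S_IRWXO):
            findings.append("credentials file %s is mode %o; should be 0600" % (cred, mode))
    return findings


if __name__ == "__main__":
    # The fstab line from the post above, as written.
    for finding in audit_cifs_fstab_entry(
        "//server.domain.local/share /mount/projects cifs "
        "credentials=/path/.smbcredentials,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0"
    ):
        print("-", finding)
```

Run the audit as root against every cifs line in /etc/fstab; the credentials-file check only fires when the file actually exists on the host.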

Monday, August 26, 2013

Monday, August 12, 2013

Micro$oft, what the.... ???

Got these a lot on my server for the last 4 days:

The IP 157.56.162.105 has just been banned by Fail2Ban after
6 attempts against ssh.

Here are more information about 157.56.162.105:

Lines containing IP:157.56.162.105 in /var/log/auth.log

Aug 11 20:40:08 x sshd[60929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:10 x sshd[60929]: Failed password for root from 157.56.162.105 port 62640 ssh2
Aug 11 20:40:10 x sshd[60929]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:40:18 x sshd[60931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:20 x sshd[60931]: Failed password for root from 157.56.162.105 port 1112 ssh2
Aug 11 20:40:20 x sshd[60931]: Connection closed by 157.56.162.105 [preauth]
Aug 11 20:50:17 x sshd[60935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:18 x sshd[60935]: Failed password for root from 157.56.162.105 port 1064 ssh2
Aug 11 20:50:19 x sshd[60935]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:21 x sshd[60937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:23 x sshd[60937]: Failed password for root from 157.56.162.105 port 62560 ssh2
Aug 11 20:50:23 x sshd[60937]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:29 x sshd[60939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:31 x sshd[60939]: Failed password for root from 157.56.162.105 port 1184 ssh2
Aug 11 20:50:31 x sshd[60939]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 21:00:34 x sshd[60943]: Connection closed by 157.56.162.105 [preauth]

and guess who owns the 157.56.162.105?



Thursday, July 18, 2013

Securing SSH Server with fail2ban and Email Notification

I use fail2ban to secure my SSH server, using the following guide

https://help.ubuntu.com/community/Fail2ban

This bans the offending IP address and emails me about the failed attempts.
I also use the following script to email me about each successful login.

Edit or create /etc/ssh/sshrc (sshd runs it for every SSH login, as the user logging in, before the session starts):

DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# Build the message in a pipe rather than in a fixed file under /tmp:
# a predictable /tmp path is writable by every local user, who could
# pre-create or symlink it, and concurrent logins would clobber it.
{
  echo "Subject: SSH Login Successfully"
  echo "$DATE, user $USER just logged in from $IP ($REVERSE)"
} | sendmail -f "MyBox <fromemail@domain.tld>" -t "Lau, Laurence <me@domain.tld>" -s smtprelay.domain.tld &
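The ban email in the "Micro$oft" post above and the fail2ban setup here show the output and the notification side, but not the detection itself. Here is an added example (my own code, not from the post or from fail2ban) of the same logic: it scans sshd lines from auth.log, counts failed password attempts per source IP, and reports any IP that reaches maxretry failures inside a findtime window, which is the condition a fail2ban jail bans on. The sample is a constructed subset of the lines from the ban email plus two extra lines (an "invalid user" probe and a successful login) so the filter has something to ignore; the thresholds and the year are assumed values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (subset of the ban email above plus two extra lines).
SAMPLE_LOG = """\
Aug 11 20:40:08 x sshd[60929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:10 x sshd[60929]: Failed password for root from 157.56.162.105 port 62640 ssh2
Aug 11 20:40:10 x sshd[60929]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:40:20 x sshd[60931]: Failed password for root from 157.56.162.105 port 1112 ssh2
Aug 11 20:50:18 x sshd[60935]: Failed password for root from 157.56.162.105 port 1064 ssh2
Aug 11 20:50:23 x sshd[60937]: Failed password for root from 157.56.162.105 port 62560 ssh2
Aug 11 20:50:31 x sshd[60939]: Failed password for root from 157.56.162.105 port 1184 ssh2
Aug 11 21:00:34 x sshd[60943]: Connection closed by 157.56.162.105 [preauth]
Aug 11 21:05:00 x sshd[60950]: Failed password for invalid user admin from 203.0.113.7 port 4000 ssh2
Aug 11 21:30:00 x sshd[60951]: Accepted password for laurence from 192.0.2.10 port 5000 ssh2
"""

# One failed password attempt per line, as OpenSSH logs it.
FAILED_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) from (?P<ip>[\d.]+) port \d+"
)


def parse_failures(lines, year=2013):
    """Yield (timestamp, user, ip) for each 'Failed password' line.
    syslog timestamps carry no year, so the caller supplies one."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            ts = datetime.strptime("%d %s" % (year, m.group("ts")), "%Y %b %d %H:%M:%S")
            yield ts, m.group("user"), m.group("ip")


def find_offenders(lines, maxretry=3, findtime=600, year=2013):
    """Return {ip: (total_failures, sorted_usernames)} for every source IP
    with `maxretry` failures inside any `findtime`-second window.
    maxretry/findtime are assumed values; match them to your jail.local."""
    stamps = defaultdict(list)
    users = defaultdict(set)
    for ts, user, ip in parse_failures(lines, year):
        stamps[ip].append(ts)
        users[ip].add(user)
    offenders = {}
    for ip, times in stamps.items():
        times.sort()
        # Sliding window over consecutive failures: any run of maxretry
        # attempts that fits inside findtime seconds trips the rule.
        for i in range(len(times) - maxretry + 1):
            if (times[i + maxretry - 1] - times[i]).total_seconds() <= findtime:
                offenders[ip] = (len(times), sorted(users[ip]))
                break
    return offenders


if __name__ == "__main__":
    for ip, (count, names) in find_offenders(SAMPLE_LOG.splitlines()).items():
        print("%s: %d failed logins, targeted %s" % (ip, count, ", ".join(names)))
```

On the sample, 157.56.162.105 trips the rule only because its last three failures fall within 13 seconds of each other; the first three are spread over more than ten minutes, which is exactly the slow-and-low pattern a findtime window is meant to tolerate, so pick findtime with that trade-off in mind.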


Saturday, June 08, 2013

MCSA 2012

Yay! just passed Microsoft Exam 70-417 and officially MCSA 2012

Wednesday, June 05, 2013

SMTP TLS Authentication Testing

To test an SMTP connection we often telnet to port 25 and issue SMTP commands by hand to diagnose problems. But what if you want to test SMTP authentication, and the server only offers authentication over TLS?

To check whether your SMTP server advertises authentication, try the following:

telnet your-smtp-server.domain.tld 25

Connected to your-smtp-server.domain.tld.
Escape character is '^]'.
220 your-smtp-server.domain.tld ESMTP

EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


As you can see, the server's response to EHLO localhost lists no AUTH extension, but it does offer STARTTLS (250-STARTTLS): the server withholds authentication until the session is encrypted.

So we connect again, this time negotiating TLS with openssl s_client (-crlf makes it send the CRLF line endings SMTP expects):

openssl s_client -starttls smtp -crlf -connect your-smtp-server.domain.tld:25

CONNECTED(00000003)
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
   i:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
Server certificate
-----BEGIN CERTIFICATE-----
...
-----END CERTIFICATE-----
subject=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
issuer=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
No client certificate CA names sent
---
SSL handshake has read 1564 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 163CF3718E7E3DAD34259654B2510CEFD6CDBFEE0D067FAF6D816C6145D45301
    Session-ID-ctx:
    Master-Key: FEEAB321DE6A876EB0954FB3372A540CC09D3E8F14D4EBBEB8448FE7D6CDADD3DAB9201B7450FDCAA7F2448BC0949AF7
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:
    0000 - 8f 85 00 21 ba e2 05 db-9d c2 1c 04 86 29 e2 68   ...!.........).h
    0010 - 1f 62 6a fa b8 d4 9f a6-a9 0b 1a 56 20 60 80 a2   .bj........V `..
    0020 - d0 67 1a 16 87 d0 a7 00-95 57 ff b1 14 1a fc f1   .g.......W......
    0030 - 3c 1e 4f 5e 9d 5a f7 d8-20 02 33 9a cf df 38 85   <.O^.Z.. .3...8.
    0040 - e6 bd fb 84 26 b7 90 6c-04 a3 aa 2e 61 f5 66 8d   ....&..l....a.f.
    0050 - d2 75 6e b3 04 f8 58 6c-e9 60 66 65 4d 25 63 a4   .un...Xl.`feM%c.
    0060 - 4f 11 cb 7e 67 49 77 cf-36 23 cc 9d 57 70 8d d4   O..~gIw.6#..Wp..
    0070 - 1e 34 3e 15 c0 ba 22 48-b1 d3 47 0e ca 16 08 79   .4>..."H..G....y
    0080 - e4 fc a6 7f 2f 8b 73 94-0d e9 dd e3 1c 82 a2 a9   ..../.s.........
    0090 - f7 00 94 ad 14 5d f7 c2-2b 3e d1 f7 4d 9c 9b 1c   .....]..+>..M...
    00a0 - 33 2b 54 8b dd 6e 96 70-83 77 47 c9 26 8c c0 df   3+T..n.p.wG.&...

    Compression: 1 (zlib compression)
    Start Time: 1370408569
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

Now that the session is encrypted, the response to EHLO localhost includes 250-AUTH with the PLAIN, LOGIN, CRAM-MD5 and DIGEST-MD5 mechanisms. While you are here, note what the handshake output also shows: the certificate is self-signed (verify error 18), the server key is only 1024 bits, and TLS compression is enabled. None of that stops this test, but all three deserve fixing on a production mail server.

To test authentication you need the base64-encoded AUTH PLAIN credential. Per RFC 4616 the message is authzid NUL authcid NUL password, where the authorization identity (authzid) may be empty or the same as the username; the Perl one-liner below uses the latter form. For a username myname and password mypass, the command has the format: perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password")'

perl -MMIME::Base64 -e 'print encode_base64("myname\0myname\0mypass")'
bXluYW1lAG15bmFtZQBteXBhc3M=

That gives the base64 value bXluYW1lAG15bmFtZQBteXBhc3M=
Now issue the AUTH PLAIN command:

AUTH PLAIN bXluYW1lAG15bmFtZQBteXBhc3M=
235 2.7.0 Authentication successful

We are authenticated and can go on with the usual SMTP commands. Remember that base64 is an encoding, not encryption: the username and password are trivially recoverable from that string, which is exactly why the server refuses AUTH until STARTTLS has completed.
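To make the checks in this post repeatable, here is an added example (my own code, not from the post) that parses the two EHLO replies shown above, decides whether the server offers AUTH only after STARTTLS, and builds and decodes RFC 4616 AUTH PLAIN tokens. It goes slightly beyond the post by also handling the empty-authzid form and by showing that the token decodes straight back to the credentials. The EHLO replies are copied from the session above; no network connection is made.

```python
import base64
import re

# The two EHLO replies from the session above: cleartext, then after STARTTLS.
EHLO_CLEARTEXT = """250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""

EHLO_AFTER_TLS = """250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN"""


def parse_ehlo(reply):
    """Parse a multi-line 250 EHLO reply into {EXTENSION: [params]}.
    The first line is the server's name and is skipped. The RFC 4954
    'AUTH PLAIN ...' line and the legacy 'AUTH=PLAIN ...' line that some
    older clients need are folded into a single AUTH entry."""
    ext = {}
    for i, line in enumerate(reply.splitlines()):
        m = re.match(r"^250[ -](.*)$", line)
        if not m:
            raise ValueError("not a 250 reply line: %r" % line)
        if i == 0:
            continue
        body = m.group(1)
        if body.startswith("AUTH="):
            body = "AUTH " + body[len("AUTH="):]
        parts = body.split()
        name, params = parts[0].upper(), parts[1:]
        ext.setdefault(name, [])
        ext[name].extend(p for p in params if p not in ext[name])
    return ext


def check_auth_policy(ehlo_clear, ehlo_tls):
    """Findings about when authentication is offered (empty = as it should be)."""
    clear, tls = parse_ehlo(ehlo_clear), parse_ehlo(ehlo_tls)
    findings = []
    if "STARTTLS" not in clear:
        findings.append("no STARTTLS: credentials could only be sent in the clear")
    if "AUTH" in clear:
        findings.append("AUTH offered before STARTTLS: %s" % " ".join(clear["AUTH"]))
    if "AUTH" not in tls:
        findings.append("AUTH not offered even after STARTTLS")
    return findings


def encode_auth_plain(authcid, password, authzid=""):
    """RFC 4616 SASL PLAIN: [authzid] NUL authcid NUL passwd, base64 encoded."""
    for part in (authzid, authcid, password):
        if "\0" in part:
            raise ValueError("NUL is not allowed inside a PLAIN field")
    raw = "%s\0%s\0%s" % (authzid, authcid, password)
    return base64.b64encode(raw.encode("utf-8")).decode("ascii")


def decode_auth_plain(token):
    """Recover (authzid, authcid, password) from an AUTH PLAIN token.
    Base64 is reversible, which is why PLAIN must only travel inside TLS."""
    parts = base64.b64decode(token).decode("utf-8").split("\0")
    if len(parts) != 3:
        raise ValueError("malformed PLAIN message")
    return tuple(parts)


if __name__ == "__main__":
    print("findings:", check_auth_policy(EHLO_CLEARTEXT, EHLO_AFTER_TLS))
    token = encode_auth_plain("myname", "mypass", authzid="myname")
    print(token, "->", decode_auth_plain(token))
```

Paste the EHLO replies from your own telnet and s_client sessions into the two constants to run the policy check against a different server.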


Thursday, May 02, 2013

FreePBX Voicemail Drops Call With Error: lack of rtp activity in 31 seconds

I have FreePBX set up at home and for some reason voicemail was not working properly: it dropped the call after 30 seconds while the caller was listening to music on hold.

It turns out Asterisk detected no audio/RTP activity for 30 seconds (configurable) and hung up the call.

To change this: on your FreePBX, navigate to: Settings > Asterisk SIP Settings > Media and RTP Settings
Change the rtptimeout from 30 to 300, change rtpkeepalive from 0 to 30

Tuesday, April 30, 2013

Blackberry Device Service 10 SSL Certificate

After installing a brand new BlackBerry 10 server (BlackBerry Device Service 10) you might want to replace the default self-signed SSL certificate. I did, because I think it was what stopped my BlackBerry Management Studio from talking properly to BAS 10: the log showed a bad_certificate error.

In summary, you need to:

  • Backup BAS keystore
  • Delete the default alias from keystore
  • Generate a new key in keystore
  • Generate CSR
  • Submit CSR to your CA
  • Import CA(s)
  • Import public key for your SSL certificate
I am using a Microsoft CA to issue the certificate and my BAS 10 runs on Windows 2008 R2 (x64). All the commands below use keytool.exe, located in your Java JRE\bin folder.

You need to either reset the web keystore password or obtain the current one from the BES10 console: Servers and components > BlackBerry Solution Topology > BlackBerry Domain > Component View > BlackBerry Administration Service. Under Security settings there is a "Default password to encrypt the web.keystore file".

Backup BAS keystore
Just take a copy of the following file:

C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore

Delete the default alias from keystore
This deletes the key pair with alias httpssl, which BAS 10 uses.

keytool -delete -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore"

This will ask for the keystore password - enter it

Generate a New Key in the Keystore
Replace the -dname value with your own; CN must be the FQDN that clients use to reach the server.

keytool -genkey -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -dname "CN=bes.domain.local, OU=IT, O=Laurence Blog, L=Sydney, ST=NSW, C=AU" -keyalg RSA -keysize 2048

Generate CSR
This generates the certreq.csr file used in the next step (the key algorithm and size were fixed when the key pair was generated, so they are not repeated here):

keytool -certreq -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\certreq.csr"

Submit CSR to your CA
Navigate to your CA using IE browser: https://caserver.domain.local/certsrv
Navigate to Request a certificate
Navigate to Submit a certificate request by using a base-64-encoded CMC or ...
Paste the content of the CSR file to the Saved Request field
Use the default: Web Server template
Submit
Download the certificate
Download all the Root and issuing/intermediate CA as well

Import CA(s)
Import every CA certificate in the chain (root, intermediate, issuing), each under a unique alias; keytool asks you to confirm that you trust the root.

keytool -import -alias rootca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\rootca.cer"

keytool -import -alias intermediateca -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\issuingca.cer"

Import the Issued Certificate
This imports the certificate issued by your CA into the keystore against the existing httpssl key pair (same alias). keytool should report "Certificate reply was installed in keystore"; if it instead asks whether to trust the certificate, the alias is wrong or the CA chain is incomplete.

keytool -import -alias httpssl -keystore "C:\Program Files (x86)\Research In Motion\BlackBerry Device Service\bas\bin\web.keystore" -file "C:\Temp\public.cer"

Restart the Blackberry Administration Service - Native Code Container

You can also do the same thing for the Blackberry Management Studio (*Fusion) using the same steps above
The keystore location is:

C:\Program Files (x86)\Research In Motion\BlackBerry Management Studio\BlackBerryMobileFusion.keystore

The keypair name is: fusionssl


Wednesday, April 17, 2013

Active Directory Domain Controller GPO Reset

I have two Windows 2012 domain controllers that inherited policies from old GPOs created back in the Windows 2003 days. I did not realise there was a problem until some features I wanted to use started failing (access denied errors and the like).

The DCs were placed in the "Domain Controllers" OU by default when they were promoted, so the old GPOs applied to them.

To clean up the registry and file system security settings that had been applied to the DCs, I needed to reset the Default Domain Policy and the Default Domain Controllers Policy. Back them up first: DCGPOFIX recreates both GPOs with default settings, so any customisation in them (password policy, user rights assignments, audit settings) is lost.

To clean up the GPO run the following command:

C:\> DCGPOFIX

Then reapply the default domain controller security template on each DC to reset the settings already written to its registry and file system (this also undoes any local hardening, so review the template first):

C:\> secedit /configure /cfg C:\windows\inf\defltdc.inf /db defltdc.sdb /overwrite

Reboot the DC

Thursday, April 04, 2013

Citrix StoreFront Authentication Check URL

Use the following URL to check the Authentication Method being used by a user:

https://storefront.domain.tld/Citrix/Authentication/Integrated/test.aspx

Sunday, March 31, 2013

FreePBX SIP Debugging

To debug SIP on FreePBX, connect to the Asterisk console:

> asterisk -vvvvvr

localhost*CLI> sip show peers

This lists all your peers. Then:

localhost*CLI> sip set debug peer <peer_name>

The debug output contains full SIP messages, Digest authentication headers included, so don't leave it on longer than needed. To stop debugging, type:

localhost*CLI> sip set debug off

Tuesday, March 19, 2013

Manage Workgroup Servers with SCOM 2012

These are very high-level steps for getting workgroup servers managed by SCOM 2012.
My task was to get my Exchange Edge Transport server, which sits in the DMZ, managed by SCOM.

A workgroup server cannot use Kerberos to authenticate to the management server, so the agent and the management server must authenticate each other with certificates.
I have an internal CA (lucky me).

1. Make sure your Workgroup server trusts your CA.
You can browse to your https://internal-ca.domain.com/certsrv URL and download the CA certificate and import this to the Workgroup server's Trusted Root CA (Computer store)

2. Make sure you have a certificate template with both Server Authentication and Client Authentication purposes
If you don't have one, duplicate the "Computer" template (Windows Server 2003 version). Make sure "Allow private key to be exported" is selected and the subject name is set to "Supply in the request"; the subject must be the FQDN of the server.

3. Request a certificate from your Workgroup server to your internal CA 
Use the template you created on step 2

4. Move the certificate from the user store to the computer store
Requesting the certificate through the web enrolment pages installs it in the user store. Export it (with the private key) and import it into the computer's Personal store.

5. Install SCOM 2012 Agent 
Insert SCOM installation ISO/DVD and install SCOM Agent. Make sure you are using FQDN for the SCOM server during the installation wizard

6. Firewall: allow TCP 5723 inbound and outbound
The SCOM agent communicates with the management server on TCP 5723; open it on your firewall in both directions.

7. Import the certificate to SCOM Agent
On the installation ISO/DVD, navigate to SupportTools\AMD64 and run MOMCertImport.exe. It then asks you to select which certificate to use. Select the one that you created on step 3

8. Restart the System Center Management service

9. Request a certificate from your SCOM Management Server
Do exactly the same as steps 3-4, but now from the SCOM Management Server

10. Import the certificate to SCOM Management Server
Do exactly the same as steps 7-8, but now from the SCOM Management Server

11. Wait
Your agent should appear under Pending Management in the SCOM Administration console.

Monday, March 04, 2013

VBScript Open Internet Explorer with No Address Bar

Sometimes you need to open IE without an address bar, for example when publishing IE through Citrix XenApp. The VBScript below does it. Bear in mind that hiding the toolbar is cosmetic: the user can still navigate anywhere (Ctrl+O, links, keyboard shortcuts), so it is not an access control and does not replace URL filtering on the published application.

' Launch Internet Explorer with the toolbar (including the address bar) hidden
Dim objIENoToolbars
Set objIENoToolbars = WScript.CreateObject("InternetExplorer.Application")
objIENoToolbars.Toolbar = False
objIENoToolbars.Navigate "http://mywebsite.domain.com/"
objIENoToolbars.Visible = True

Monday, January 21, 2013

Exchange 2010 SP2 RU 4v2 Bug - Mailbox Move

After applying SP2 RU4 v2 to my Exchange 2010 environment, I hit a bug when a mailbox is moved between two databases on the same server. According to the Microsoft forums the bug was introduced in SP2 RU3; anyone still running SP2 RU2 is not affected.

The move request finishes with status "Completed with warning" and the following comment:

Warning: Failed to clean up the source mailbox after the move.
Error details: MapiExceptionUnexpectedMailboxState: Unable to delete mailbox. (hr=0x80004005, ec=2634)


In the log of the move request, you will see the error:

Failed to clean up the source mailbox 'Primary (9105c233-5387-47bc-99ea-2c0255cf63ad)' after the move. Attempt 1/6.
Error details: MapiExceptionUnexpectedMailboxState MapiExceptionUnexpectedMailboxState: Unable to delete mailbox. (hr=0x80004005, ec=2634) at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
   at Microsoft.Mapi.ExRpcAdmin.DeletePrivateMailbox(Guid guidMdb, Guid guidMailbox, Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.LocalMailbox.DeleteMailboxInternal(Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.<>c__DisplayClass2a.<Microsoft.Exchange.MailboxReplicationService.IMailbox.DeleteMailbox>b__29()
   at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(GenericCallDelegate operation)
   at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.Microsoft.Exchange.MailboxReplicationService.IMailbox.DeleteMailbox(Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.<>c__DisplayClass6d.<PostMoveCleanupSourceMailbox>b__6b()
   at Microsoft.Exchange.MailboxReplicationService.CommonUtils.CatchKnownExceptions(GenericCallDelegate del, FailureDelegate failureDelegate)


...
...

Post-move cleanup failed. The operation will try again in 30 seconds (5/6).
Failed to clean up the source mailbox 'Primary (9105c233-5387-47bc-99ea-2c0255cf63ad)' after the move. Attempt 6/6.
Error details: MapiExceptionUnexpectedMailboxState MapiExceptionUnexpectedMailboxState: Unable to delete mailbox. (hr=0x80004005, ec=2634)
   at Microsoft.Mapi.MapiExceptionHelper.ThrowIfError(String message, Int32 hresult, SafeExInterfaceHandle iUnknown, Exception innerException)
   at Microsoft.Mapi.ExRpcAdmin.DeletePrivateMailbox(Guid guidMdb, Guid guidMailbox, Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.LocalMailbox.DeleteMailboxInternal(Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.<>c__DisplayClass2a.<Microsoft.Exchange.MailboxReplicationService.IMailbox.DeleteMailbox>b__29()
   at Microsoft.Exchange.MailboxReplicationService.ExecutionContext.Execute(GenericCallDelegate operation)
   at Microsoft.Exchange.MailboxReplicationService.MailboxWrapper.Microsoft.Exchange.MailboxReplicationService.IMailbox.DeleteMailbox(Int32 flags)
   at Microsoft.Exchange.MailboxReplicationService.MoveBaseJob.<>c__DisplayClass6d.<PostMoveCleanupSourceMailbox>b__6b()
   at Microsoft.Exchange.MailboxReplicationService.CommonUtils.CatchKnownExceptions(GenericCallDelegate del, FailureDelegate failureDelegate)
 

Request is complete.

The implications of this bug:
  • Each mailbox move is delayed by 30 seconds x 6 retries = 3 minutes
  • During those last 3 minutes the Outlook client is disconnected
  • The mailbox in the source database is not deleted; it is marked as soft-deleted
 To view the Soft Deleted mailboxes:

Get-MailboxDatabase | Get-MailboxStatistics | where {$_.DisconnectReason -ne $null} | ft  displayname,database,disconnectreason -auto

To purge the soft-deleted mailboxes (this is irreversible, so confirm the move completed and the target mailbox is healthy first):

Remove-StoreMailbox -Database "Old database" -Identity "Smith, John" -MailboxState SoftDeleted

So far there have been no reports of problems from users whose mailboxes were moved.