Category Archives: Enterprise Computing

Allow Anonymous Relay Through Exchange Hub Transport

Use this Exchange Management Shell command to let anonymous SMTP clients relay through a Hub Transport receive connector to external domains. Do this only on a dedicated connector whose RemoteIPRanges is limited to the application hosts that need to relay, never on an Internet-facing server or on a connector that accepts connections from the whole address space: once Ms-Exch-SMTP-Accept-Any-Recipient is granted to ANONYMOUS LOGON, every address the connector listens to can use it as an open relay.

Get-ReceiveConnector "<servername>\Receive Connector Name" | Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" -ExtendedRights "Ms-Exch-Accept-Headers-Routing","Ms-Exch-SMTP-Accept-Any-Sender","Ms-Exch-SMTP-Accept-Authoritative-Domain-Sender","Ms-Exch-SMTP-Submit","Ms-Exch-SMTP-Accept-Any-Recipient"

The last ExtendedRights permission (Ms-Exch-SMTP-Accept-Any-Recipient) is the one that can only be set through the shell. The other four are what the "Anonymous users" permission group grants, and can be set in the GUI console.
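As an added example (not code from the original post), here is the same grant done the way a practitioner would want it: on a dedicated connector scoped to named application hosts, followed by an audit of every connector on the server that lets ANONYMOUS LOGON relay. The server name, connector name and IP addresses are assumptions.

```powershell
# Added example (not from the original post). Creates a dedicated relay
# connector that only accepts connections from named application hosts,
# grants the anonymous relay right, then audits every connector on the
# server for that right. Server name, connector name and IPs are assumed.
$Server  = "EXHUB01"
$Name    = "Internal App Relay"
$Allowed = @("10.20.30.40", "10.20.30.41")   # only these hosts may relay

# The AnonymousUsers permission group already grants Accept-Headers-Routing,
# Accept-Any-Sender, Accept-Authoritative-Domain-Sender and SMTP-Submit.
# A second connector on 0.0.0.0:25 is allowed because its RemoteIPRanges is
# more specific than the Default connector's; Exchange picks the best match.
New-ReceiveConnector -Server $Server -Name $Name -Usage Custom `
    -Bindings "0.0.0.0:25" -RemoteIPRanges $Allowed `
    -AuthMechanism None -PermissionGroups AnonymousUsers

# Accept-Any-Recipient is the one right that makes this a relay, and the one
# that only the shell can grant. It applies to the whole connector, which is
# why the connector's RemoteIPRanges must be narrow.
Get-ReceiveConnector "$Server\$Name" |
    Add-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" `
        -ExtendedRights "Ms-Exch-SMTP-Accept-Any-Recipient"

# Audit: list every connector on the server where ANONYMOUS LOGON may relay,
# with its IP scope. A range of 0.0.0.0-255.255.255.255 here is an open relay.
function Get-AnonymousRelayConnectors([string]$ServerName) {
    Get-ReceiveConnector -Server $ServerName | Where-Object {
        $_ | Get-ADPermission -User "NT AUTHORITY\ANONYMOUS LOGON" |
            Where-Object { $_.ExtendedRights -like "*Accept-Any-Recipient*" }
    } | Select-Object Name, @{n = "RemoteIPRanges"; e = { $_.RemoteIPRanges -join ", " }}
}

Get-AnonymousRelayConnectors $Server
```

Run the audit function against every Hub Transport server periodically; a connector that shows the full address range next to the relay right is the condition the note above warns about.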

Set Exchange 2010 Alias to samAccountName

Use these PowerShell commands to set each user's Exchange mailbox Alias to their username (AKA sAMAccountName/samid). An alias cannot contain spaces or most punctuation, so Set-Mailbox fails for any user whose sAMAccountName contains a character that is not valid in an alias; run the loop with -WhatIf first to see what would change.

# Every mailbox under the OU; -ResultSize Unlimited lifts the default cap of 1000 results.
$mailboxes = Get-Mailbox -OrganizationalUnit "OUNameHere" -ResultSize Unlimited
$mailboxes | ForEach-Object {
    # Add -WhatIf here for a dry run.
    Set-Mailbox -Identity $_.Identity -Alias $_.SamAccountName
}

Cisco ASA pre-shared Key Recovery

Use this at the ASA's privileged EXEC (enable) prompt to show the pre-shared VPN keys in cleartext. `show running-config` masks them as `*****`; `more system:running-config` prints the stored values. Anyone with level-15 access can therefore recover every IKE pre-shared key on the box, which is a reason to rotate PSKs when administrators leave and to prefer certificate authentication where the peers support it:

hostname(config)# more system:running-config
...
tunnel-group mytunnel type ipsec-ra
tunnel-group mytunnel general-attributes
 default-group-policy myGROUP
tunnel-group mytunnel ipsec-attributes
 pre-shared-key PASSWORD
...

NetApp disk assign

Move disk ownership from one NetApp controller to another:

Remove ownership on the system that owns the disk (FAS1). The disk must be a spare (not part of an aggregate), and if options disk.auto_assign is on, FAS1 may reclaim the disk before the partner takes it, so turn auto-assignment off for the duration of the move:

fas1> disk assign -s unowned 0a.23

The disk shows up as unowned, with the physical address it has on FAS2:

fas2> disk show -n

Take ownership of the unowned disk on the partner system:

fas2> disk assign 0b.23

Windows Server Multipath I/O

You can enable the Windows Server 2008 R2 Multipath I/O (MPIO) feature from the command line using this DISM command:

dism /online /enable-feature:MultipathIo

To disable this feature use:

dism /online /disable-feature:MultipathIo

To show the currently enabled/installed features use this DISM command:

dism /online /get-features

Find Empty Active Directory Groups

The following one-liners find Active Directory groups whose member attribute is empty. One caveat: a group that is used only as users' primary group (Domain Users, Domain Computers, or any group you have assigned as a primary group) has no values in member and shows up here even though it has members, because that membership is stored in the primaryGroupID attribute of the user objects instead. Check the primaryGroupID side before deleting anything these queries turn up.

** To find empty Global Security groups (sAMAccountType 268435456, which also covers universal security groups):
Click Start -> Run -> Cmd.exe -> OK -> Copy and paste the following statement
DSQuery * -Filter "(&(sAMAccountType=268435456)(!member=*))" -Limit 0

** You can save the output to a text file by using the DOS redirection operator > with a file name.

DSQuery * -Filter "(&(sAMAccountType=268435456)(!member=*))" -Limit 0 >C:\EmptyGroups.txt

The above statement creates EmptyGroups.txt in the root of the C: drive, listing all empty global security groups.

** To find empty Domain Local Security groups (sAMAccountType 536870912):

DSQuery * -Filter "(&(sAMAccountType=536870912)(!member=*))" -Limit 0

** To find empty Distribution groups (sAMAccountType 268435457 is global and universal distribution groups; domain local distribution groups are 536870913):

DSQuery * -Filter "(&(sAMAccountType=268435457)(!member=*))" -Limit 0

** To find ALL empty groups (local, global, security or distribution):

DSQuery * -Filter "(&(objectClass=group)(!member=*))" -Limit 0

Exchange Address List Segregation

An address list is a collection of recipient and other Active Directory objects. Each address list can contain one or more types of objects (for example, users, contacts, groups, public folders, conferencing, and other resources). You can use address lists to organize recipients and resources, making it easier to find the recipients and resources you want. Address lists are updated dynamically. Therefore, when new recipients are added to your organization, they’re automatically added to the appropriate address lists.

User Profiles on Remote Desktop Servers

If you have Remote Desktop Servers (RDS) and use a central file share for your users' roaming profiles, the world is good. A small bit of background: you set a user's RDS profile location on the "Remote Desktop Services Profile" tab of the domain user's account properties dialog in Active Directory Users and Computers.

But what happens when you need to deploy another Remote Desktop Server in a location/site that does not have network file share access to the user's defined profile location?

Well, if you don't absolutely need to sync the users' RDS profile across your servers, you can set this Local Group Policy on the Remote Desktop Server:
Run... -> gpedit.msc -> Computer Configuration -> Administrative Templates -> System -> User Profiles -> Only allow local user profiles -> Enabled
This overrides the profile location defined in the user's account properties and forces the use of a local profile on that server. Because the profile then lives on the RDS host itself, anything the user saves into it stays on that host and is not covered by whatever backs up the central share.

Better than nothing…

VMware Networking Issues with Windows 7

If you need a firewall between the physical host and its guest virtual machines, this workaround is not for you.

The problem is that on Windows 7 (x86/x64) the VMware virtual adapters and their subnets are detected and reported as "Unidentified Network". This means the built-in Windows Firewall can only treat the VMware networks, and thus the guest VMs, as the Public profile.

When the network type is Public, the Windows Firewall by default blocks Microsoft File & Print Sharing and most other inbound traffic, which effectively prevents useful direct communication between the physical host and its VM guests. You might, if allowed, disable the firewall or configure exception rules for the VMware virtual subnets and/or hosts. Disabling the firewall for all public networks is bad security practice, and hand-managing Windows Firewall rules is tedious and still leaves holes.

Below are the instructions from VMware Knowledge Base Article 1004813 that I used to redefine the VMware virtual network adapters as endpoints. Endpoint adapters do not show up in the "Network and Sharing Center" and are excluded from Windows Firewall control entirely, so traffic between the host and the guests on those adapters is no longer filtered by the host at all. This makes it easier to manage the firewall rules and the Home, Work, and Public network types for the real, physical adapters, at the price of relying on each guest's own firewall.

This workaround can be used until VMware updates their networking technology to match current operating system standards.

# VMware KB Article: 1004813
# Updated: Apr 29, 2010

Redefine the VMware virtual NICs as endpoint devices

This procedure is permanent and allows for the continued use of Bridged, NAT, and Host Only networking. However, doing this causes the VMware virtual NICs to disappear from the Network and Sharing Center, even though they remain visible under Network Connections. This also causes the VMware virtual NICs to be exempt from all Windows Firewall access rules. When implemented, the control of virtual machine network access must be done from the guest operating system of each virtual machine. This bypasses the default security model of Windows Vista with respect to the VMware virtual NICs, and the implications of using this procedure must be carefully considered.

To redefine the VMware virtual NICs as endpoint devices:

  1. Click Start > Run.
  2. Type regedit and click OK.
  3. Double-click HKEY_LOCAL_MACHINE>System>CurrentControlSet>Control>Class>{4D36E972-E325-11CE-BFC1-08002BE10318}.
    Caution: VMware recommends that you back up this registry key before proceeding:
    1. If {4D36E972-E325-11CE-BFC1-08002BE10318} is not still highlighted, click it.
    2. Click File > Export.
    3. Pick a location and name for the Registration File (*.reg).
    4. Click Save.
  4. Click 0000.
  5. Look at the content of the Data field associated with the DriverDesc entry.
  6. If you see VMware Virtual Ethernet Adapter for VMnetx, where x is replaced by a number, then:
    1. Right-click an empty space in the right content pane.
    2. Click New > Dword.
    3. Type *NdisDeviceType
      and press Enter.
      Note: Ensure to include the asterisk (*) at the beginning of the entry.
    4. Double-click *NdisDeviceType.
    5. Type 1 and press Enter.
  7. Repeat steps 4-6, replacing 0000 in step 4 with the next entry in numerical order, until you have reached the end of all numerical entries.
  8. Follow the Disable the VMware virtual NICs section of this article above.
  9. Repeat step 8 but click Enable this network device instead.
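The registry walk in steps 3 to 9 is easy to get wrong by hand (one subkey skipped, or the asterisk dropped from the value name), so here is the same procedure as a script. This is an added example, not part of the VMware KB article; it runs from an elevated PowerShell prompt on the Windows 7 host, and the backup file location is an assumption.

```powershell
# Added example (not part of the VMware KB article): automates steps 3-9
# above from an elevated PowerShell prompt on the Windows 7 host. The KB's
# caution stands: after this the VMnet adapters are outside Windows Firewall
# control, so each guest must carry its own firewall. The backup path is an
# assumption.
$ClassPath = "SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}"
$ClassKey  = "HKLM:\$ClassPath"
$BackupReg = "$env:TEMP\NetClass-backup.reg"

# Step 3 caution: export the whole network-class key first.
reg.exe export "HKLM\$ClassPath" $BackupReg /y | Out-Null

# Steps 4-7: walk the numbered subkeys (0000, 0001, ...) and mark only the
# VMware virtual adapters as NDIS endpoints (*NdisDeviceType = 1). Everything
# else, including the physical NICs, is left alone.
$tagged = foreach ($sub in Get-ChildItem $ClassKey -ErrorAction SilentlyContinue |
                   Where-Object { $_.PSChildName -match '^\d{4}$' }) {
    $desc = (Get-ItemProperty -Path $sub.PSPath -ErrorAction SilentlyContinue).DriverDesc
    if ($desc -like "VMware Virtual Ethernet Adapter for VMnet*") {
        # -Force overwrites the value if it already exists; note the leading asterisk.
        New-ItemProperty -Path $sub.PSPath -Name "*NdisDeviceType" -Value 1 -PropertyType DWord -Force | Out-Null
        $desc
    }
}
"Marked as endpoint: $($tagged -join '; ')"

# Steps 8-9: disable and re-enable each VMnet adapter so the driver re-reads
# the value. netsh is used because Disable-NetAdapter does not exist on Windows 7.
Get-WmiObject Win32_NetworkAdapter -Filter "Name LIKE 'VMware Virtual Ethernet Adapter for VMnet%'" |
    ForEach-Object {
        netsh interface set interface "$($_.NetConnectionID)" admin=disabled | Out-Null
        netsh interface set interface "$($_.NetConnectionID)" admin=enabled  | Out-Null
    }

# Check: the VMnet adapters no longer appear in Network and Sharing Center,
# and Get-ItemProperty on each VMware subkey shows *NdisDeviceType = 1.
```

To undo the change, import the exported .reg file and bounce the adapters again; the backup is the only record of which subkeys were touched.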

SQL Slipstreaming

By Perry Whittle, 2010/12/27

How to: SQL Slipstreaming SP\CU During Setup

Most of us by now have encountered the issues with the RTM SQL Server 2008 installation media; the issues are more apparent during the installation of a clustered SQL Server instance. There are various ways of coping with the installation issues, but it is far easier to update the SP\CU files during the setup process.

SQL Server 2008 has a new feature called "Slipstreaming"; this basically enables you to integrate the Service Pack and Cumulative Update installation into the RTM SQL Server setup process. There are various prerequisites depending upon the Operating System in use; they are covered further on in this article.

So, how do we slipstream the Service Pack and the Cumulative Update?

The first operation is to obtain the relevant SP and if required the relevant CU. At the time of writing SP1 and SP2 are available for SQL Server 2008 (this does not apply to SQL Server 2008 R2). I prefer to copy my update executable(s) onto the server and then extract locally onto a folder on the C drive.

Note: Extracting and then launching the SP from the C drive forces the SP to use a temporary folder on that drive, this can be very useful in clustered environments as clustered drives may offline and online during installation (an issue many have encountered).

For this article I am going to slipstream my SQL Server 2008 installation with SP1 and CU7 for SP1. I have the following executables, which I have copied to the server:

  • en_sql_server_2008_sp1_x64.exe
  • SQLServer2008-KB979065-x64.exe

To extract the updates, use the following syntax, noting my chosen paths:

  • C:\en_sql_server_2008_sp1_x64.exe /X:C:\SP1
  • C:\SQLServer2008-KB979065-x64.exe /X:C:\CU7

Two folders will be created on the C drive containing the update files. If you are using Windows 2003 server you must first install the following prerequisites. If the SQL Server 2008 DVD autoruns, cancel this and proceed manually.

  • Filestream Hotfix KB937444 (download from MS site)
  • Windows Installer update (this is on the SQL Server 2008 install DVD)
  • .NET 3 Framework (this is on the SQL Server 2008 install DVD)

For a Windows 2008 server, simply go into server features and enable the .NET 3.5.1 feature.

Once the prerequisites are installed you need to launch the SQLSupport.msi inside the C:\CU7\x64\setup\1033 folder. With the support files installed, launch the SQL Server setup process using the following from a command prompt.

Note: my DVD drive is drive D:

D:\setup /CUSource=C:\CU7 /PCUSource=C:\SP1

The SQL Server Installation Center opens; you may now install your SQL Server instance, leaving the installation center and the command prompt open in the background. The following screenshots from the installation process indicate that a slipstream action is being performed.

Log in to the new SQL Server instance and a quick version check reveals 10.0.2766, SQL Server 2008 SP1 CU7! You may also create "Merged Drop" media; this comprises the original RTM media with the update files overlaid, creating updated install media. More on this can be found at the following Microsoft link: http://support.microsoft.com/kb/955392

Better DNS Servers

Free Fast Public DNS Servers

Service provider: Google
Google public DNS server IP addresses:

  • 8.8.8.8
  • 8.8.4.4

Service provider: Dnsadvantage
Dnsadvantage free DNS server list:

  • 156.154.70.1
  • 156.154.71.1

Service provider: OpenDNS
OpenDNS free DNS server list / IP addresses:

  • 208.67.222.222
  • 208.67.220.220

Service provider: Norton
Norton free DNS server list / IP addresses:

  • 198.153.192.1
  • 198.153.194.1

Service provider: GTEI DNS (now Verizon)
Public name server IP addresses:

  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

Service provider: ScrubIt
Public DNS server addresses:

  • 67.138.54.100
  • 207.225.209.66
  • 4.2.2.1
  • 4.2.2.2
  • 4.2.2.3
  • 4.2.2.4
  • 4.2.2.5
  • 4.2.2.6

Reduce SQL Log and TempDB File Sizes

Shrink the TempDB. The target size is an integer number of MB, not a quoted string. tempdb is recreated at its configured size on every restart, and shrinking a busy tempdb can fail because pages are in use, so do this in a quiet period:
USE tempdb
GO
-- shrink the primary data file
DBCC SHRINKFILE (tempdev, <target_size_MB>)
GO
-- shrink the log file
DBCC SHRINKFILE (templog, <target_size_MB>)
GO

Shrink Log File. Release the inactive log first, then shrink the file; the log can only shrink back to the last active virtual log file, so a log that is still in use will not get smaller:
-- SQL Server 2000/2005 only: discards the inactive log without backing it up and
-- breaks the log backup chain, so take a full backup afterwards. TRUNCATE_ONLY was
-- removed in SQL Server 2008; there, set the database to SIMPLE recovery, shrink,
-- then set it back to FULL and take a full backup.
BACKUP LOG "Test DB Name" WITH TRUNCATE_ONLY
-- releases free space at the end of the log file to the operating system
DBCC SHRINKFILE ('Test_log', TRUNCATEONLY)

Examples of AD from the Command-line

User Information
Find DN of Currently Logged On User

Paste code as is:

dsquery * domainroot -filter "(samAccountName=%USERNAME%)"

Find User With Primary Email Address

Retrieve the user object whose primary SMTP e-mail address matches the given address.

Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (mail=))" -l -d -attr *

Example:

dsquery * domainroot -filter "(&(objectClass=User) (mail=John.Doe@mydom.com))" -l -d mydom.local -attr *

Find User With Any Email Address

Retrieve the user object matching any assigned e-mail address (proxyAddresses holds every address of the recipient, the primary one with an upper-case SMTP: prefix).

Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=**))" -l -d -attr *

Example:

dsquery * domainroot -filter "(&(objectClass=User) (proxyAddresses=*John.Doe@mydom.com*))" -l -d mydom.local -attr *

Find Email of User when DN is Known

Retrieve the user object matching the given DN and show its primary SMTP e-mail address.

Syntax:

dsquery * domainroot -filter "(distinguishedName=)" -d -l -attr mail

Example:

dsquery * domainroot -filter "(distinguishedName=CN=Kerekes\, Charlie,OU=Knoxville,DC=mydom,DC=local)" -d mydom.local -l -attr mail

Find Hidden GAL Recipients

Retrieve all user objects that are hidden from the Exchange Global Address List.

Syntax:

dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d -attr displayName

Example:

dsquery * domainroot -filter "(&(objectClass=User) (msExchHideFromAddressLists=TRUE))" -l -d mydom.local -attr displayName

Users With Password Set to Never Expire

Retrieve the list of users with the "Password never expires" flag set. That flag is the DONT_EXPIRE_PASSWD bit (0x10000 = 65536) of userAccountControl, so it has to be tested with the LDAP bitwise-AND matching rule 1.2.840.113556.1.4.803. A plain numeric comparison such as (userAccountControl>=65536) also returns every account that merely has a higher bit set (TRUSTED_FOR_DELEGATION, DONT_REQ_PREAUTH, SMARTCARD_REQUIRED and so on), whether or not its password expires.

Syntax:

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d

Example:

dsquery * domainroot -filter "(&(objectClass=user) (userAccountControl:1.2.840.113556.1.4.803:=65536))" -attr sAMAccountName userPrincipalName userAccountControl -d mydom.local
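The difference between a numeric comparison and a bit test on userAccountControl is easiest to see on a few values. The block below is an added example, not part of the original page: it decodes constructed sample values with both tests, then runs the bitwise query through the ActiveDirectory module. The account names and values are made up.

```powershell
# Added example (not from the original page). Shows on constructed values
# why a numeric comparison on userAccountControl is not a test for
# "password never expires", then runs the correct bitwise query with the
# ActiveDirectory module. Account names and values are made up.
$DONT_EXPIRE_PASSWD     = 0x10000    # 65536, the flag the query is after
$NORMAL_ACCOUNT         = 0x200
$TRUSTED_FOR_DELEGATION = 0x80000    # unconstrained delegation
$DONT_REQ_PREAUTH       = 0x400000   # AS-REP roastable

function Test-PasswordNeverExpires([int]$uac) {
    ($uac -band $DONT_EXPIRE_PASSWD) -ne 0
}

# Constructed sample accounts: only alice actually has the flag.
$samples = @(
    @{ Name = "alice";   UAC = $NORMAL_ACCOUNT -bor $DONT_EXPIRE_PASSWD }
    @{ Name = "svc-web"; UAC = $NORMAL_ACCOUNT -bor $TRUSTED_FOR_DELEGATION }
    @{ Name = "bob";     UAC = $NORMAL_ACCOUNT -bor $DONT_REQ_PREAUTH }
    @{ Name = "carol";   UAC = $NORMAL_ACCOUNT }
)
foreach ($s in $samples) {
    # ">=65536" flags svc-web and bob as well; the bitwise test flags only alice.
    "{0,-8} uac={1,-8} ge65536={2,-5} bitwise={3}" -f $s.Name, $s.UAC, ($s.UAC -ge 65536), (Test-PasswordNeverExpires $s.UAC)
}

# Server-side equivalent: LDAP_MATCHING_RULE_BIT_AND (1.2.840.113556.1.4.803)
# tests the single bit. Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory
Get-ADUser -LDAPFilter "(userAccountControl:1.2.840.113556.1.4.803:=65536)" -Properties userAccountControl |
    Select-Object sAMAccountName, UserPrincipalName, userAccountControl
```

The two accounts the numeric test over-reports are worth a query of their own (delegation and pre-authentication flags are security findings in their own right), but they are not what a "password never expires" report is asked for.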

Group Information
List Members of a Group

Querying AD for group membership is a multi-step process. The reason is that AD stores group membership in two places. The first place is the most obvious—in the member attribute of the group object. The second is not as obvious—as an integer value in the primaryGroupID attribute of user objects.

For most scenarios, querying the member attribute of group objects will provide a complete list of members. However, if the group in question is set as a default group for any user object, that user will not be listed in the member attribute.

Query the Group's "Member" Attribute

The sample below lists all members stored in the member attribute of the group. If this query is not showing all members, you will need to perform the queries in the next section as well.

Syntax:

dsquery * domainroot -filter "(&(objectClass=group)(name=))" -l -d -attr member

Example:

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member

Query the User's "primaryGroupID" Attribute

First, we determine the primary group ID for the group in question. We do this by finding the SID of the group object; the last segment of the SID is used as the primary group ID.

Syntax:

dsquery * domainroot -filter "(&(objectClass=group)(name=))" -l -d -attr objectSid

Example:

dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr objectSid

The above query will produce output similar to this:

S-1-5-21-123456789-1234567890-9876543211-1169

Now we are ready to find all user objects that have the above group set as their default.

Syntax:

dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=))" -l -d -attr cn

Example:

dsquery * domainroot -filter "(&(objectClass=user)(primaryGroupID=1169))" -l -d mydom.local -attr cn

List Group Members with Additional User Attributes

If we want more than the DN of group members, we need to use a FOR statement to first generate the list of members, then query each member object for the desired attributes.

Please be aware that the example below queries only the member attribute of the group and will miss any user objects with this group as their default. See the above section for details about the primaryGroupID attribute.

Syntax:

for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=))" -l -d -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr

Example:

for /F "delims=*" %i IN ('dsquery * domainroot -filter "(&(objectClass=group)(name=Help Desk Associates))" -l -d mydom.local -attr member') DO @dsquery * domainroot -filter "(distinguishedName=%i)" -attr displayName samAccountName mail
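The three group sections above (member attribute, primaryGroupID, and members with extra attributes) together describe one complete membership lookup, and the "Find Empty Active Directory Groups" post earlier on this page has the same blind spot in reverse: a group used only as a primary group looks empty. The following is an added example, not code from the original page, that does both in one place with the ActiveDirectory module. It assumes RSAT is installed and uses "Help Desk Associates" as the group name, as the page does.

```powershell
# Added example (not from the original page). The group listing covers both
# places AD stores membership: the group's member attribute and the users'
# primaryGroupID (the RID taken from the group's SID). The empty-group report
# reuses that check so that Domain Users, Domain Computers and any other
# group used only as a primary group are not misreported as empty. Requires
# the ActiveDirectory module (RSAT); the group name is an assumption.
Import-Module ActiveDirectory

function Get-GroupRid {
    param($Group)
    # Last SID segment, e.g. S-1-5-21-...-1169 -> 1169
    $Group.SID.Value.Split('-')[-1]
}

function Get-CompleteGroupMembers {
    param([Parameter(Mandatory = $true)][string]$GroupName)
    $group = Get-ADGroup -LDAPFilter "(name=$GroupName)" -Properties member
    if (-not $group) { throw "Group '$GroupName' not found" }
    $rid   = Get-GroupRid $group
    $attrs = 'displayName', 'sAMAccountName', 'mail'

    # Members that are actually in the member attribute (users, groups, computers...)
    $byAttribute = @($group.member | ForEach-Object { Get-ADObject -Identity $_ -Properties $attrs })
    # Members held only through primaryGroupID; a query on "member" never sees these
    $byPrimary   = @(Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -Properties $attrs)

    $byAttribute + $byPrimary | Where-Object { $_ } | Sort-Object DistinguishedName -Unique |
        Select-Object DistinguishedName, displayName, sAMAccountName, mail,
            @{n = 'Via'; e = { if ($group.member -contains $_.DistinguishedName) { 'member' } else { 'primaryGroupID' } }}
}

function Get-TrulyEmptyGroups {
    # Same LDAP filter as the dsquery one-liner, then drop any group that is
    # somebody's primary group.
    Get-ADGroup -LDAPFilter '(&(objectClass=group)(!member=*))' |
        Where-Object {
            $rid = Get-GroupRid $_
            -not (Get-ADObject -LDAPFilter "(primaryGroupID=$rid)" -ResultSetSize 1)
        } | Select-Object Name, GroupCategory, GroupScope, DistinguishedName
}

Get-CompleteGroupMembers -GroupName "Help Desk Associates" | Format-Table -AutoSize
Get-TrulyEmptyGroups | Format-Table -AutoSize
```

The Via column shows which of the two storage locations each member came from; a group where every entry reads primaryGroupID is exactly the case the dsquery examples would report as empty.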

Computer Information
List All Computer Objects

Syntax:

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d

Example:

dsquery * domainroot -filter "(objectClass=Computer)" -attr name -l -d mydom.local

List Computer Objects in a Specific OU

This example lists all computer objects stored in the mydom.local/Servers/Exchange OU.

Syntax:

dsquery * "" -filter "(objectClass=Computer)" -attr name -l -d

Example:

dsquery * "ou=Exchange,ou=Servers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local

List All Domain Controllers

Syntax:

dsquery * "ou=domain controllers," -filter "(objectClass=Computer)" -attr name -l -d

Example:

dsquery * "ou=domain controllers,dc=mydom,dc=local" -filter "(objectClass=Computer)" -attr name -l -d mydom.local

Find DN of Computer Object in Current Domain

The DN contains the full directory path of the computer object and can be helpful in locating the computer using the GUI tools in a complex AD structure.

Syntax:

dsquery * domainroot -filter "(&(objectClass=Computer) (name=))"

Example:

dsquery * domainroot -filter "(&(objectClass=Computer) (name=exch19))"

Nonprofit CRM Systems

Here are some CRM systems that have specific offerings for Nonprofit Organizations:

  1. Open CiviCRM
  2. Microsoft Dynamics CRM
  3. SalesForce.com Foundation
  4. Convio

You may notice that a major vendor is missing from the list above. Since I would not personally recommend Blackbaud Enterprise CRM, I have not included a link to their site.

There are other open source CRM solutions that may also be good for nonprofit organizations, but I have not investigated them thoroughly yet. One other open source project of note is OpenERP.com, although I have not seen any customizations or tailoring for nonprofits. OpenERP is much more than just a CRM; it offers a complete enterprise solution that includes accounting, CRM, HR, marketing, project management, warehouse management, and more.

Good luck with your CRM vendor search.

–Mike Wood

Salesforce.com for Non-Profits

It’s really hard for me to understand why more non-profit organizations are not using the Salesforce.com Foundation offering. (http://foundation.force.com/home)

They have over 9,000 non-profit organizations using this enterprise-grade platform.

Non-Profit Organizations should start here. (http://www.salesforcefoundation.org/products/nonprofit_solution/fundraising)

The Salesforce.com Foundation’s 1/1/1 program provides an opportunity for NPOs, their donors, and socially contributing companies to both extend and leverage a world class enterprise platform for the benefit of society.

Unlocking Windows NT/2000/2003 Domain Controllers

Petter Nordahl-Hagen has written a Windows NT/2000 offline password editor. I have been using various versions of this disk for several years and have had very good results with it. Thank you, Petter!

However, the program only resets the password for the MACHINE Administrator account, not the DOMAIN Administrator account. And wouldn’t you know it, on a Windows 2000 server which is an Active Directory controller, you CANNOT log into any machine-level account. Which means that resetting the MACHINE Administrator password is pretty much useless.

Or so it would seem. It turns out that “Directory Service Recovery Mode” uses the MACHINE-level accounts, since the whole point of this mode is that the AD control databases may be corrupted and you need a way to manually edit them (presumably using some high-priced third-party software package…)

I was able to reset the password on the DOMAIN Administrator account using the following procedure:

Again: If you are trying to fix a server, please READ THIS ENTIRE PAGE and MAKE SURE YOU UNDERSTAND IT before touching the server.

NOTE: If you are following these directions to try and “break into” a corporate domain which has one or more working Active Directory controllers, but YOU don’t have Administrator access to the domain, you’re wasting your time. The procedure detailed below will only work if you have physical access to a domain controller. It will also forcibly reset the AD Administrator password, which means that if you are somehow able to do this to a domain controller, the existing Administrator password will no longer work and the rightful administrators will know something is going on… and if they trace it back to you and fire you, or even better put you in jail, then you have gotten what you deserve.

  • Use Petter’s disk to reset the MACHINE Administrator password to “no password”.

NOTE: If you are following these directions to work on a machine which is not a domain controller, STOP RIGHT HERE. You now have access to the machine by rebooting and logging in as the machine’s Administrator account (with no password.) Everything below this message is specific to domain controllers.

NOTE: If you are following these directions to work on a machine which is running Windows XP, STOP RIGHT HERE. The machine IS NOT A DOMAIN CONTROLLER. Go back and re-read the note right above this one.

NOTE: If you are following these directions to work on a machine which is running Windows 2003, STOP RIGHT HERE and follow these directions instead.

  • Reboot, hit F8, and enter “Directory Service Recovery Mode”. The machine will boot up as a standalone server without any Active Directory support.
  • When the login screen appears, hit CTRL-ALT-DEL and log in as “Administrator” with no password. This is the MACHINE Administrator account, and does not have the ability to modify anything specific involving the Active Directory information, although it can backup and restore the physical files which contain the AD databases.
  • Run "regedit". Navigate to HKEY_USERS\.Default\Control Panel\Desktop and change the following values:

    Value              Original        Change to
    SCRNSAVE.EXE       logon.scr       cmd.exe
    ScreenSaveTimeout  900             15
    ScreenSaveActive   May be 0 or 1   1

  • Reboot normally. When the box appears asking you to hit CTRL-ALT-DEL to log in, just wait. After 15-30 seconds you will see a command prompt appear (since that is the screensaver.)
  • I have received an email from somebody which simplifies the process… I can’t verify this myself (because I don’t use Windows) but the method makes sense. Apparently, once you get the command prompt you can type this one command to reset the password:

    C:\WINNT\system32> NET USER ADMINISTRATOR newpassword

    Once you enter this command, you should be able to exit from the command prompt, hit CTRL-ALT-DELETE, and log into the domain Administrator account using the new password. Again, without a Windows server I have no way to verify that this does or does not work, so I would appreciate any feedback from people who have tried this and can tell me that it does or does not work with their particular version of Windows.

  • In the command prompt, type the following command:

    C:\WINNT\system32> MMC DSA.MSC

    This should bring up the management console where you can edit users’ passwords, including the password for the Administrator account. If you type this command and it doesn’t work, wait 30 seconds and try it again. This happened to me, it sounded like it was still in the process of loading drivers into memory in the background…

    If this doesn’t work after waiting the 30 seconds… realize that THIS IS A COMMAND PROMPT WITH FULL DOMAIN ADMINISTRATOR RIGHTS, and you’re running a command (“MMC.EXE”) with another filename (“DSA.MSC”) as an argument. If it “just plain doesn’t work”, maybe you need to locate these two files and type them in as full path names. Maybe something like “C:\WINNT\SYSTEM32\MMC.EXE C:\WINNT\SYSTEM32\DSA.MSC”.

    If you know absolutely nothing about how to use a command line, then reboot into DSR Mode, log in as Administrator, and use the graphical “Find Files” thingy to find the files, and write down their locations. Then try it again (reboot and wait for the command line, etc.)

WinRM & WinRS multi-hop

Multi-Hop Support in WinRM
http://msdn.microsoft.com/en-us/library/ee309365(VS.85).aspx

Windows Remote Management (WinRM) supports the delegation of user credentials across multiple remote computers. The multi-hop support functionality can now use Credential Security Service Provider (CredSSP) for authentication. CredSSP enables an application to delegate the user’s credentials from the client computer to the target server. CredSSP authentication is intended for environments where Kerberos delegation cannot be used. ***Support for CredSSP was added to allow a user to connect to a remote server and have the ability to access a second-hop machine, such as a file share. ***

To configure multi-hop support using CredSSP authentication for WinRM

CredSSP must be enabled in the client configuration settings (from a PowerShell prompt; in cmd.exe omit the single quotes):
winrm set winrm/config/client/auth '@{CredSSP="true"}'

CredSSP must be enabled in the WinRM service configuration settings on the target:
winrm set winrm/config/service/auth '@{CredSSP="true"}'

Enabling the client setting is not enough on its own: the client also needs the "Allow delegating fresh credentials" policy (Computer Configuration -> Administrative Templates -> System -> Credentials Delegation) to list the target as WSMAN/<hostname>. Keep that list as narrow as possible, because CredSSP hands the target a reusable copy of the user's credentials, and a compromised target can use them anywhere that user can. Prefer Kerberos constrained delegation where the environment allows it.

Example
Using CredSSP Authentication with Explicit Credentials
winrm OPERATION -remote:https://myMachine -authentication:CredSSP -username:myUsername -password:myPassword
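The PowerShell cmdlets do the same client and service configuration as the winrm commands above, and the client-side cmdlet also writes the fresh-credentials policy for you. The block below is an added example, not from the MSDN article: it scopes delegation to one target, verifies what was written, performs a second hop to a file share, and removes the delegation afterwards. Host names, the share path and the account are assumptions.

```powershell
# Added example (not from the MSDN article): the same multi-hop setup done
# with the PowerShell cmdlets, scoped to one target, verified, then removed.
# Run from an elevated prompt. Host names, share path and account are assumed.
$Target = "app01.corp.example"
$Share  = "\\files01.corp.example\deploy"      # the second hop

# Client side: sets winrm/config/client/auth CredSSP=true AND adds
# wsman/app01.corp.example to "Allow delegating fresh credentials".
# Never pass -DelegateComputer "*": that lets any WinRM server you
# connect to receive your reusable credentials.
Enable-WSManCredSSP -Role Client -DelegateComputer $Target -Force

# Verify: the client auth flag, and the policy list that should contain
# exactly one entry, wsman/app01.corp.example.
Get-Item WSMan:\localhost\Client\Auth\CredSSP
Get-ItemProperty "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation\AllowFreshCredentials"

# Server side, the equivalent of winrm/config/service/auth CredSSP=true.
# Run this locally on the target or remotely as shown.
Invoke-Command -ComputerName $Target -ScriptBlock { Enable-WSManCredSSP -Role Server -Force }

# Second hop: with CredSSP the remote session holds the user's actual
# credentials, so it can open the share; with Kerberos alone it could not.
$cred = Get-Credential "CORP\deployer"
Invoke-Command -ComputerName $Target -Authentication Credssp -Credential $cred -ScriptBlock {
    param($path) Get-ChildItem -Path $path | Select-Object Name, Length
} -ArgumentList $Share

# Turn delegation off again when the task is done; leaving it on widens
# the blast radius of a compromise of either end.
Disable-WSManCredSSP -Role Client
Invoke-Command -ComputerName $Target -ScriptBlock { Disable-WSManCredSSP -Role Server }
```

If the second hop still fails with an access-denied error, compare the policy entry shown by Get-ItemProperty with the name you connect to: the SPN in the policy must match the host name used in -ComputerName.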

Cisco ASA 5505 blocking Internet Radio

regueiro writes:
I have blocked Internet radio that uses port 80.
You should inspect the port, and you can add these commands:

regex audio-mpeg "audio/.*"

policy-map type inspect http test_radio
 parameters
  protocol-violation action drop-connection log
 match response header content-type regex audio-mpeg
  drop-connection log
 match request header user-agent regex _default_windows-media-player-tunnel
  drop-connection log

class global-class-test
 inspect http test_radio

To help you, use a sniffer and capture radio traffic and look at the HTTP headers.
It is easy to block streaming from Media Player, but for others I check the response header, and when I see audio/* (where * can be mpeg, x-mpeg, mpeg3 and/or x-mpeg3 ...) I close the connection.

Sorry for my bad English.