Wednesday, June 19, 2013

Remote COM+ Network Access to Server 2012 Core

You have set up a new Server 2012 Core computer and you wish to perform remote management of the server through COM+ Network Access.  When you open a console such as Computer Management you receive the following error message:

Computer "SERVERNAME" cannot be connected. Verify that the network path is correct, the computer is available on the network, and that the appropriate Windows Firewall rules are enabled on the target computer.

To enable the appropriate Windows Firewall rules on the remote computer, open the Windows Firewall with Advanced Security snap-in and enable the following inbound rules.

COM+ Network Access (DCOM-In)
All rules in the Remote Event Log management group.

You can also enable these rules by using Group Policy settings for Windows Firewall and Advanced Security.  For servers that are running the Server Core installation option, run the Netsh AdvFirewall command, or the Windows PowerShell NetSecurity module.


Because COM+ Network Access is not allowed, you cannot use the Windows Firewall with Advanced Security MMC snap-in to remotely connect to the server.  As a result you need to log in to the Server 2012 Core machine and run the following command from a command prompt to enable remote access.

netsh advfirewall set currentprofile settings remotemanagement enable


Now you can remotely connect to the Server 2012 core machine using MMC snapins.

This article might also be of reference - Remote Disk Management of a Server 2012 core machine:

http://clintboessen.blogspot.com.au/2013/06/remote-disk-management-to-server-2012.html

Tuesday, June 18, 2013

Remote Disk Management to Server 2012 core

I had a requirement to utilise remote disk management to a Windows Server 2012 core installation.  When opening Computer Management and remotely connecting to the Windows Server 2012 computer we received the following error message when attempting to access disk management.

Disk Management could not start Virtual Disk Service (VDS) on SERVERNAME.  This can happen if the remote computer does not support VDS, or if the connection cannot be established because it was blocked by Windows Firewall.

For additional information about diagnosing and correcting this problem, see Troubleshooting Disk Management in Disk Management help.


To resolve this problem we logged into the Server 2012 core server and enabled the following firewall exception using the netsh command.

netsh advfirewall firewall set rule group="Remote Volume Management" new enable=yes


After adding the firewall exception to our Windows Server 2012 core computer, we can now connect to it using remote disk management.

 

Monday, June 17, 2013

Setup Windows Server 2012 Core Computer for Domain

You have provisioned a new Windows Server 2012 server core machine and you want to connect it to the domain.  Before you do this there are 5 steps you generally want to perform:
  • Rename the computer
  • Change the IP to static
  • Join it to the domain
  • Enter Product Key and Activate (not required if KMS is in use)
  • Install Windows Updates
This article provides the commands and steps required to join a new Server 2012 server to the domain from command line so that it can be managed remotely using the Server 2012 GUI tools.

Rename Windows Server 2012 using NETDOM

Execute the following command to rename the server using the NetDom utility.

netdom renamecomputer Server2012 /NewName FileServer

Server2012 is the current name of the server, FileServer is the new name.  After the rename is complete you will need to restart with the following command:

shutdown -r -f -t 0


Upon reboot type "hostname" to verify that the computer was renamed.


Configure the Network Interface

Next you will most likely want to configure a static IP, unless you intend to use DHCP to provide network configuration to your Windows Server 2012 computer.

The first step is to identify the name of the interface by executing the following netsh command.

netsh interface ip show config

Next you can set the IP address, Subnet Mask and Gateway with the following command:

netsh interface ip set address name="Ethernet" static 10.10.10.50 255.255.255.0 10.10.254.254 1


To configure a primary DNS server and secondary DNS server for your "Ethernet" network interface use the following commands:

netsh interface ip set dns name="Ethernet" static 10.10.10.230
netsh interface ip add dns name="Ethernet" 10.10.10.250 index=2



Validate the configuration with IPCONFIG /ALL


Join the Computer to the Domain

To join the Server 2012 computer to the domain execute the following command.

netdom join FileServer /domain:corporatedomain.local /userd:domain\username /passwordd:password

After the computer is joined execute the following command to reboot the server.

shutdown -r -f -t 0

For security purposes I blurred out my domain name, username and password.


Now you're ready to go: your new Server 2012 system is on the domain.  As an optional task you can add domain groups to the local admins group on the system using the following command.

net localgroup administrators /add DomainName\UserName


Enter Product Key and Activate


Enter the product key and activate Windows provided you do not have a Key Management Server (KMS) on your network.  To enter the product key use the following command:

start /w slmgr.vbs -ipk XXXX-XXXX-XXXX-XXXX-XXXX


To Activate Windows use the following command.

start /w slmgr.vbs -ato


Install Windows Updates

To install the Windows Updates on server core we need to use a tool called sconfig.exe.  Launch sconfig.exe from command line.


Select option 6 to download and install updates.
 
 
Next select A to install All Updates.

 

Lastly select A to install all updates or alternatively select single updates to install from the list.

 

Thursday, May 30, 2013

02A2: BMC System Error Log (SEL) Full.

A customer of mine had an HP ProLiant ML110 G6 server which did not boot successfully.  Upon booting the boot would halt with the following error message:

02A2: BMC System Error Log (SEL) Full.


The fix for this problem was to go into the BIOS by hitting F10 and setting Clear System Event Logs to Enabled in the BIOS.

This can be found under IPMI on the Advanced Tab.


Navigate to System Event Log


Then set Clear System Event Log to Enabled.  This will ensure the event log is cleared on next boot.  As you see there are no remaining event logs in our BIOS flash memory, which is why the error is occurring.


Upon reboot the system will automatically set Clear System Event Log back to Disabled after the clear has been performed.

Monday, May 27, 2013

Schemus - User synchronization failed. Update abandoned

One of my customers who utilises Symantec Cloud email and web filtering was experiencing an issue with the Schemus synchronisation tool when synchronising Mail Address, Groups and Users to Symantec Cloud.

The error they were experiencing was:

User synchronization failed. Update abandoned


After speaking to Symantec this issue can occur sometimes with Schemus due to corruption in one of the following files:
  • users.sus
  • syncdata.sus
  • groups.sus
These files are located in the following directory:

C:\ProgramData\Schemus\configurations\SYNCJOBNAME

In our case it was:

C:\ProgramData\Schemus\configurations\SymantecADSync

To fix this problem, first close Schemus.

Next rename or move these files to another location.

Lastly reopen Schemus and attempt another sync; these files will regenerate.  After making this change, synchronisation is now working correctly.

 

Sunday, May 26, 2013

CloudLink - The current account doesn't have sufficient privileges

In the process of setting up Symantec Enterprise Vault Cloud for Microsoft Exchange, I had an issue where the ArchiveTools CloudLink tool would not accept my service account I created called cloudlink.  It is complaining the account does not have Logon As Service privileges on my CloudLink server however I know the account does as I already granted this User Rights Assignment manually.

The error we were getting was:

CloudLink - The current account doesn't have sufficient privileges to give 'Logon As Service' privilege to the selected account. An administrator will need to manually allow this account to run as service.  Failing to do so will prevent the service from running.


The problem?  Good old User Account Control or UAC for short.

After trying again by running ArchiveTools CloudLink  as "Run as Administrator" the problem was resolved.

 

Wednesday, May 22, 2013

You don't currently have permission to access this folder

With the introduction of Windows Vista came the first implementation of User Account Control (UAC) and with it, a file server NTFS permission issue which has been driving me nuts for years.  If you are a Windows server admin you have probably seen this too but never thought twice.

When accessing a folder on a Windows file server, it prompts saying "You don't currently have permission to access this folder".  Now I know this folder has the following permissions set on it:
  • SYSTEM - Full Control
  • Administrators - Full Control
  • Users - Create Folder append data
My user account is a member of Domain Admins and I know that Domain Admins is nested in the Administrators group on the file server.  I should have permission to access this folder.


If I click continue to this prompt, UAC will automatically add my user name with full control permissions to the folder and all sub folders and files which I'm attempting to access.  With multiple administrators maintaining a file server this results in unwanted user name ACL's spread across folders and files throughout the file server making the permission structure a mess.

After many years and now with the release of Windows Server 2012 this issue is still occurring.  It's about time we spend some time and work out what's going on.

Resolution

After liaising with some colleagues of mine in Microsoft who work on the file services team, they told me two group policy settings are responsible for this behaviour, which can be found under:

Computer Configuration --> Windows Settings --> Security Settings --> Local Policies --> Security Options
  • User Account Control: Admin Approval Mode for the Built-in Administrator account
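  • User Account Control: Behavior of the elevation prompt for administrators in Admin Approval Mode
If you set the first policy to Disabled and the second to Elevate without prompting, it resolves the issue.  With Elevate without prompting, members of the Administrators group are elevated silently on that server, with no consent prompt.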


You don't have to create a group policy object to implement these changes unless you have multiple file servers you want to target.  In this instance I simply utilised GPEDIT.MSC on the local file server and set these changes as a local policy.

Now when my administrators navigate the file server they are no longer prompted to add their account to NTFS permissions and, as a result, no longer make a mess of my NTFS permission structure.

AD Replication Issue - The naming context is in the process of being removed or is not replicated from the specified server

I had an Active Directory replication problem at a customer site with a multi domain environment.  Two domain controllers, DC1 and DC2, exist in a child domain.  DC1 resides in a remote branch location and DC2 resides in a datacentre.
  • DC2 was able to replicate changes to DC1 without issues.
  • DC1 was not able to replicate changes to DC2.
Please note the names of the domain and domain controllers involved have been changed to protect customer privacy.

Symptoms

When attempting a manual replication attempt the following error was experienced:

The following error occurred during the attempt to synchronize naming context "ROOT DOMAIN" for domain controller DC1 to domain controller DC2:

The naming context is in the process of being removed or is not replicated from the specified server.

The operation will not continue.

 

When doing repadmin /showrepl, all inbound replication partners came back successful under the last replication attempt; however, all outbound replication partners, such as the replication attempt from DC1 to DC2, came back as failed with the following errors:

 Source: RemoteSiteName\DC1
******* 216 CONSECUTIVE FAILURES since 2013-04-21 07:32:26
Last error: 8524 (0x214c):
            Can't retrieve message string 8524 (0x214c), error 1815.


Naming Context: CN=Configuration,DC=ROOTDOMAIN,DC=LOCAL
Source: RemoteSiteName\DC1\
******* WARNING: KCC could not add this REPLICA LINK due to error.


Naming Context: DC=CHILDDOMAIN,DC=ROOTDOMAIN,DC=LOCAL
Source: RemoteSiteName\DC1
******* WARNING: KCC could not add this REPLICA LINK due to error.


Running a DCDiag on DC1 came back with the following errors:

Starting test: Connectivity

The host 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local could not be resolved to an IP address.  Check the DNS server, DHCP, server name etc.

Although the GUID DNS name 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local couldn't be resolved, the server name (DC1.child.rootdomain.local) resolved to the IP address xx.xx.xx.xx and was pingable.  Check that the IP address is registered correctly with the DNS server.


Resolution

The following error message is the one which led me to the resolution of this replication issue.

The host 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local could not be resolved to an IP address.  Check the DNS server, DHCP, server name etc.

Although the GUID DNS name 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local couldn't be resolved, the server name (DC1.child.rootdomain.local) resolved to the IP address xx.xx.xx.xx and was pingable.  Check that the IP address is registered correctly with the DNS server.

The first domain you promote in a new Active Directory forest is the forest root domain (this can never be changed without building a new forest).  The forest root domain contains a MSDCS container in DNS and contains a bunch of CNAME records for all domain controllers in the root domain as well as any child domains/new tree domains.  These CNAME records are what Active Directory uses to lookup domain controllers when attempting to perform replication.

This is shown in the following screenshot.


The reason DC1 was unable to replicate to any other DC in the domain was because someone deleted the GUID CNAME record mapping to DC1 from the msdcs container in Active Directory.  From the DCDIAG error message we manually recreated the 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local record mapping to DC1 as a CNAME record.

After 45 minutes replication began working again for DC1.

Hope this post helps someone with the same problem.
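
The DCDiag message quoted above names both the missing GUID record and the server it should point to. As an added example (not code from the original post), this Python script extracts that pair from DCDiag text and builds the CNAME that has to exist in the forest root's _msdcs zone; the function names and the zone-file style output line are assumptions of this example, and the sample input is the message text from this post.

```python
import re

# Constructed sample: the DCDiag Connectivity messages quoted in this post,
# wrapped across lines the way console output usually is.
DCDIAG_OUTPUT = """\
Starting test: Connectivity
   The host 9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local
   could not be resolved to an IP address.  Check the DNS server, DHCP,
   server name etc.
   Although the GUID DNS name
   9b2163cf-b8e7-4ad4-bd54-2342e6cfc1db._msdcs.rootdomain.local couldn't be
   resolved, the server name (DC1.child.rootdomain.local) resolved to the
   IP address xx.xx.xx.xx and was pingable.  Check that the IP address is
   registered correctly with the DNS server.
"""

GUID = r"[0-9a-fA-F]{8}(?:-[0-9a-fA-F]{4}){3}-[0-9a-fA-F]{12}"

# "The host <guid>._msdcs.<zone> could not be resolved ..."
HOST_RE = re.compile(
    r"The host (" + GUID + r")\._msdcs\.([\w.-]+) could not be resolved",
    re.IGNORECASE,
)

# "... GUID DNS name <guid>._msdcs.<zone> couldn't be resolved,
#  the server name (<fqdn>) resolved ..."
PAIR_RE = re.compile(
    r"GUID DNS name (?P<guid>" + GUID + r")\._msdcs\.[\w.-]+ "
    r"couldn't be resolved, the server name \((?P<server>[\w.-]+)\)",
    re.IGNORECASE,
)


def missing_guid_records(text):
    """Return one dict per unresolved GUID name found in DCDiag output.

    'server' is the DC the GUID belongs to when DCDiag reported it,
    otherwise None (the GUID then has to be matched to a DC by hand).
    """
    flat = " ".join(text.split())  # undo console line wrapping
    servers = {
        m.group("guid").lower(): m.group("server")
        for m in PAIR_RE.finditer(flat)
    }
    records, seen = [], set()
    for m in HOST_RE.finditer(flat):
        guid, zone = m.group(1).lower(), m.group(2).lower()
        if (guid, zone) in seen:
            continue
        seen.add((guid, zone))
        records.append(
            {"guid": guid, "zone": zone, "server": servers.get(guid)}
        )
    return records


def cname_line(record):
    """Render the record to recreate, in zone-file notation for reference."""
    if record["server"] is None:
        raise ValueError("DCDiag did not report which server owns this GUID")
    return "{guid}._msdcs.{zone}. CNAME {server}.".format(**record)


if __name__ == "__main__":
    for rec in missing_guid_records(DCDIAG_OUTPUT):
        print(cname_line(rec))
```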

Sunday, May 12, 2013

WSUS - An HTTP error occurred

In the process of setting up a new WSUS server I received the following error message when attempting to perform a sync.  This is after installing WSUS 3.0 Service Pack 2 available from http://support.microsoft.com/kb/2720211

An HTTP error occurred

Clicking Details provides the following error output.

WebException: The request failed with the error message:
--
Object moved
Object moved to %2fmicrosoftupdate%2fv6%2ferrorinformation.aspx%3ferror%3d15"

--.
at System.Web.Services.Protocols.SoapHttpClientProtocol.ReadResponse(SoapClientMessage message, WebResponse response, Stream responseStream, Boolean asyncCall)
   at System.Web.Services.Protocols.SoapHttpClientProtocol.Invoke(String methodName, Object[] parameters)
   at Microsoft.UpdateServices.ServerSyncWebServices.ServerSync.ServerSyncProxy.GetAuthConfig()
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.InternetGetServerAuthConfig(ServerSyncProxy proxy, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.ServerSyncLib.Authenticate(AuthorizationManager authorizationManager, Boolean checkExpiration, ServerSyncProxy proxy, Cookie cookie, WebServiceCommunicationHelper webServiceHelper)
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.SyncConfigUpdatesFromUSS()
   at Microsoft.UpdateServices.ServerSync.CatalogSyncAgentCore.ExecuteSyncProtocol(Boolean allowRedirect)



After researching this error message I discovered Microsoft moved data on the Microsoft Update servers early 2013 and as a result the WSUS installation package which comes with Windows Server 2008 R2 no longer knows the correct URL to synchronise with (this is after installing WSUS 3.0 SP2 from KB2720211).

After installing WSUS 3.0 SP2 from KB2720211 you then must install another critical update which can be downloaded from KB2734608.  This will tell WSUS the new location to synchronise from.  In total you should have installed the following two updates including the Report Viewer 2008 package.

Download KB2734608: http://support.microsoft.com/kb/2734608


After installing KB2734608 on my WSUS 3.0 Service Pack 2 server, WSUS now referenced the right Microsoft Update location and synchronisation started working successfully.


 

Windows Update Error 80244018

Today I had issues patching a Windows Server 2008 R2 server at one of my clients.  Windows Update provided me with the following error message:

A error occurred while checking for new updates for your computer.
Error Code 80244018

 
This error code is generated when a computer has issues connecting to the Windows Update server.  My customer used Threat Management Gateway as a firewall solution.  After reviewing the firewall rules there was a rule which prevented access to Microsoft Windows Update servers.

Removed the rule and problem resolved.

Sunday, April 21, 2013

SM Bus Controller VEN 8086 DEV 1E22

When setting up a new Lenovo X230 for a customer I had problems finding the correct driver for an SM Bus Controller.  The hardware had the following Vendor and Device IDs.

PCI\VEN_8086&DEV_1E22&SUBSYS_21FA17AA&REV_04


After research it turns out that this hardware matches an Intel 7 Series/C216 Chipset Family SMBus Host Controller.

To download the Intel 7 Series/C216 Chipset Family SMBus Host Controller driver please see the following website:

http://devid.info/download/56602/27

Scroll through the ads until you find 56602_Chipset_9.3.0.1019.zip (2.87 Mb)

Friday, April 19, 2013

Icons Do Not Appear in Internet Explorer 10 for RD Web Access

After upgrading to Internet Explorer 10 when accessing a 2008 R2 Remote Desktop Services (RDS) RD Web Access, we noticed the icons no longer display.


Running Internet Explorer 9, the icons display correctly:


However if you switch Internet Explorer 10 into compatibility mode, the icons also display correctly.  To enable compatibility mode click the following page icon next to the address bar.


When it turns blue in colour, this means compatibility mode is enabled and the RD Web Access icons will reappear in RD Web Access.


A bug has been logged with Microsoft on this issue.

Monday, April 15, 2013

Delegate Permissions to Change Permissions on Mailboxes - Exchange 2007

I am currently in the process of a delegation project for one of my customers running Exchange Server 2007.  My customer requires that all service desk staff members have the ability to manage Exchange recipients but can make no other changes within Exchange.  As part of Recipient Management, the service desk staff must have the ability to:
  • Manage Full Access Permission
  • Manage Send As Permission
By default the Exchange 2007 Exchange Recipient Administrators group does not provide the ability to manage permissions on mailboxes however this can easily be granted.

To grant Exchange Recipient Administrators the ability to change permissions on mailboxes they must have the ExtendedRights "ms-Exch-Store-Admin" in Active Directory on the Configuration Partition.  This can be granted using the following PowerShell command:

Add-ADPermission -Identity "CN=Exchange Org,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=domain,DC=local" -User "domain\Exchange Recipient Administrators" -ExtendedRights ms-Exch-Store-Admin -InheritanceType All

Ensure you change the Exchange Org to reflect your Exchange org and the domain\ to reflect your domain's NetBIOS name.

If the permissions are not set right you will get an error similar to:

Domain\username
Failed

Error:
Failed to commit the change on object "a757e5a9-64e0-49cb-ac90-acda685c7f1c" because access is denied.

MapiExceptionNoAccess: Unable to set mailbox SecurityDescriptor. (hr=0x80070005, ec=-2147024891)

Exchange Management Shell command attempted:
Add-MailboxPermission -Identity 'CN=Domain User,OU=People,DC=domain,DC=local' -User 'DOMAIN\account.name' -AccessRights 'FullAccess'

Elapsed Time: 00:00:00

Failed to commit the change on object because access is denied.

Hope this post has been helpful.

Controlling the Auto Shared Mailbox Mapping Feature

From Exchange 2010 SP1 onwards, Exchange Autodiscover can automatically add a mailbox to the Microsoft Outlook profile of a user account which has full access to that mailbox.  This was done by changes made to Autodiscover and the addition of a new attribute called msExchDelegateListLink.

From Exchange 2010 SP1 onwards, whenever you grant a user full access to a mailbox, the user which was granted full access is by default added to an attribute called msExchDelegateListLink on the shared mailbox.  This tells Autodiscover to automatically add the mailbox to the user's Outlook profile.

For example take a look at a shared mailbox called "Spam" which is responsible for holding all spam emails on my Exchange server.  As you see it has 3 accounts associated with the msExchDelegateListLink attribute, one of them being me, Clint Boessen.


 
If I only want myself to receive the spam mailbox by default, I would remove the other two accounts from this attribute.  This can also be done in PowerShell with the AutoMapping parameter on the Add-MailboxPermission cmdlet.

Add-MailboxPermission "Shared Mailbox" -User "<user>" -AccessRights FullAccess -AutoMapping:$false
 
Hope you learnt something in this post.

Wednesday, April 10, 2013

Warning: Attribute userAccountControl of DC is: 0x82020

When running a DCDiag at a customer site today I had the following error occur.

Warning:  Attribute userAccountControl of DC is: 0x82020 = ( UF_PASSWD_NOTREQD | UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
Typical setting for a DC is 0x82000 = ( UF_SERVER_TRUST_ACCOUNT | UF_TRUSTED_FOR_DELEGATION )
This may be affecting replication?

This is a bug that occurs when a computer account is pre-created in ADUC and then promoted to a DC: userAccountControl is set to 532512 instead of the default 532480. You need to manually set the value to 532480 in ADSIEDIT.MSC.

UserAccountControl values for the certain objects:
Typical user : 0x200 (512)
Domain controller : 0x82000 (532480)
Workstation/server: 0x1000 (4096)

Change it to represent 0x82000.
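
The difference between 0x82020 and 0x82000 is the single bit 0x20 (UF_PASSWD_NOTREQD). As an added example (not code from the original post), this Python script decodes userAccountControl values and compares them with the typical values listed above, accepting the decimal form shown in ADSI Edit or the hex form printed by DCDiag; the account names and sample rows are constructed, and the set of flags treated as "weakening" is a choice made for this example.

```python
# Flag bits as defined for userAccountControl (UF_* names as DCDiag prints them).
UAC_FLAGS = {
    0x0001: "UF_SCRIPT",
    0x0002: "UF_ACCOUNTDISABLE",
    0x0008: "UF_HOMEDIR_REQUIRED",
    0x0010: "UF_LOCKOUT",
    0x0020: "UF_PASSWD_NOTREQD",
    0x0040: "UF_PASSWD_CANT_CHANGE",
    0x0080: "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    0x0200: "UF_NORMAL_ACCOUNT",
    0x0800: "UF_INTERDOMAIN_TRUST_ACCOUNT",
    0x1000: "UF_WORKSTATION_TRUST_ACCOUNT",
    0x2000: "UF_SERVER_TRUST_ACCOUNT",
    0x10000: "UF_DONT_EXPIRE_PASSWD",
    0x40000: "UF_SMARTCARD_REQUIRED",
    0x80000: "UF_TRUSTED_FOR_DELEGATION",
    0x100000: "UF_NOT_DELEGATED",
    0x200000: "UF_USE_DES_KEY_ONLY",
    0x400000: "UF_DONT_REQUIRE_PREAUTH",
    0x800000: "UF_PASSWORD_EXPIRED",
    0x1000000: "UF_TRUSTED_TO_AUTHENTICATE_FOR_DELEGATION",
}

# Typical values quoted in this post.
TYPICAL = {"user": 0x200, "dc": 0x82000, "workstation": 0x1000}

# Flags that relax authentication requirements (selection made for this example).
WEAKENING = {
    "UF_PASSWD_NOTREQD",
    "UF_ENCRYPTED_TEXT_PASSWORD_ALLOWED",
    "UF_USE_DES_KEY_ONLY",
    "UF_DONT_REQUIRE_PREAUTH",
}


def parse_uac(text):
    """Accept decimal ("532512") or 0x-prefixed hex ("0x82020") text."""
    return int(str(text).strip(), 0)


def decode(value):
    """Return the flag names set in value, lowest bit first."""
    names = [name for bit, name in sorted(UAC_FLAGS.items()) if value & bit]
    known = sum(bit for bit in UAC_FLAGS if value & bit)
    leftover = value & ~known
    if leftover:
        names.append("UNKNOWN_0x%X" % leftover)
    return names


def audit(role, raw):
    """Compare one account's value with the typical value for its role."""
    value = parse_uac(raw)
    typical = TYPICAL[role]
    unexpected = decode(value & ~typical)   # bits set that the baseline lacks
    missing = decode(typical & ~value)      # baseline bits that are not set
    return {
        "value": value,
        "typical": typical,
        "unexpected": unexpected,
        "missing": missing,
        "weakening": sorted(set(unexpected) & WEAKENING),
        "ok": value == typical,
    }


# Constructed sample rows: (account, role, value as exported).
SAMPLE = [
    ("DC1$", "dc", "0x82020"),
    ("DC2$", "dc", "532480"),
    ("FILESERVER$", "workstation", "4096"),
    ("svc-backup", "user", "0x10220"),
]


def audit_accounts(rows):
    """Return (account, result) for every row that deviates from typical."""
    findings = []
    for name, role, raw in rows:
        result = audit(role, raw)
        if not result["ok"]:
            findings.append((name, result))
    return findings


if __name__ == "__main__":
    for name, r in audit_accounts(SAMPLE):
        print("%s: 0x%X (typical 0x%X) unexpected=%s missing=%s" % (
            name, r["value"], r["typical"], r["unexpected"], r["missing"]))
```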

 

Monday, March 25, 2013

Exchange 2010 Outlook Anywhere Connection Randomly Drops Out

One of my customers experienced an issue where Outlook clients randomly lost their HTTPS connection to the Exchange server.  All Outlook clients at my customer connect to the Exchange server using HTTP/RPC rather than TCP (MAPI) both internally and externally.  Randomly once a day the Outlook HTTP connection would break and fall back to TCP (internally) or break completely for external users.

Running iisreset would fix the problem but the problem would always re-emerge.

To ensure that Outlook clients retain their connection with the Exchange server using HTTP and not TCP, both "On fast networks, connect using HTTP first" and "On slow networks, connect using HTTP first" must be selected.


ActiveSync and webmail continued to work OK and were not affected by this issue.

This issue was caused by the RPC web application using the Default Application Pool (DefaultAppPool), which is configured to recycle worker processes every 1740 minutes (29 hours).  During the recycling process, IIS allows active worker threads an additional 90 seconds to finish servicing requests before IIS terminates the active threads.

Because RPC over HTTP uses long-running connections, the connections may not finish within the additional 90 seconds that were given to the worker threads.  In this scenario, the connections are terminated.  Therefore Outlook loses connectivity with IIS.  When this action occurs, Outlook immediately tries to reconnect.  If many Outlook clients are disconnected at the same time, the large number of concurrent reconnections may overwhelm the server.

To resolve this problem create a new Application Pool dedicated to the RPC over HTTP web application with a larger HTTP.sys queue limit.  Please refer to the following TechNet article with instructions on how to perform this procedure:

http://technet.microsoft.com/en-us/library/dd421855.aspx

Sunday, March 24, 2013

An Insight into Stellar Phoenix Outlook PST Repair tool

In this article we are going to look at how to repair a corrupt PST file using the Outlook PST Repair tool created by Stellar Phoenix.

Before we dive into Outlook PST Repair let's quickly cover Scanpst.exe.  Scanpst.exe is a free tool shipped with Microsoft Outlook 2003/2007/2010 which lets you repair corrupt PST files.

On my Office 2010 installation, ScanPST can be found in the following path:

C:\Program Files\Microsoft Office\Office14


Below is a screenshot of ScanPST.




Stellar Phoenix labs performed testing with ScanPST and from their testing they discovered that the free PST repair tool is capable of repairing PST files with only minor structural errors.  ScanPST will not repair PST files with severe corruption or PST files where the indexing table is completely removed.

Stellar Phoenix claim that their tool Outlook PST Repair v4.5 can repair a corrupt PST file and bring it back to a consistent state regardless of how severe the corruption is.  I questioned this with Stellar Phoenix as 100% of corruption is a big claim, however the company was confident to back it.  All content within the corrupt PST file which is in its valid state can be recovered.  Data which has been lost due to corruption is gone; no tool will be able to recover this.

Outlook PST Repair v4.5 has been designed to look like Microsoft Outlook to provide users and administrators with a familiar user experience.  When a corrupt PST is loaded, all content which is still readable inside the corrupt PST file will be displayed.  Companies have the flexibility of recovering individual emails, attachments, sub folders or entire PST files.

Below is a screenshot of the Outlook PST Repair tool:


To begin using the tool simply click Open an Outlook File to Repair.


Select the location of the PST file which is corrupt.  In my case I have a corrupt PST file called test.pst.








Hit the Start button and Outlook PST Repair will go through and scan for all recoverable content.


The tool displays all data which is now recoverable.  The user is able to browse mail items, calendars, contacts, tasks, notes everything which can be displayed in Outlook using the Outlook PST Repair tool.


The user is able to do the following things once a corrupt PST file has been loaded in Outlook PST Repair v4.5:

  • Export all content which is readable within the corrupt PST into a new PST file.
  • Export select content from a corrupt PST file by selecting what content they wish to export.
  • Extract attachments from emails
  • Export individual emails to MSG or EML format

Outlook PST Repair v4.5 comes in a demo version and a full version.  What is the difference between the demo version and the full version?

The demo version allows you to see all items which can be discovered, read email and look at calendar items however it does not allow you to extract any information out of the corrupt PST file including attachments, individual items or folders.

The full version allows you to browse a corrupt PST file and export content from a corrupt PST file to a new PST.

There are two licensing versions for purchasing the full version of Outlook PST Repair 4.5.  Both licences are lifetime and come with 24/5 technical support free with the purchase.
  • Single User Licence ($129 USD).  Users receive a key which they use to activate the Outlook PST Repair tool.  Once activated the key will only ever work on the Windows instance in which Outlook PST Repair tool was activated.  In the event the user purchases a new computer or re-installs Windows, the user must contact support to transfer the licence.
  • Technician Licence ($299 USD).  The technician licence can be used unlimited times on different workstations.  However a USB key must be connected to the machine to activate the licence and perform the recovery.  Only one recovery can be performed at a time.  One technician licence must be purchased per office.  Stellar Phoenix ship the USB key to the customer upon purchase.
Note: All pricing is subject to change, to get the latest pricing please visit www.stellarinfo.com

Summary

The Outlook PST Repair 4.5 tool is a fantastic tool for fixing corrupt PST files.  If Scanpst.exe fails to recover a corrupt PST file or you need to perform granular recovery from a corrupt PST file I encourage you to give Stellar Phoenix Outlook PST Repair a shot.

For more information or to obtain a copy of Stellar Phoenix Outlook PST Repair please visit the following website:

http://www.stellaroutlooktools.com/scan/pst-repair.php

Thursday, March 21, 2013

How do I find out if an Email Address exists in Exchange

You want to determine if an Email address has been already configured on an Exchange server.  To do this you need to use the following cmdlet:

Get-Recipient

For Example:

Get-Recipient clint.boessen@avantgardetechnologies.com.au

You cannot use the Get-Mailbox cmdlet because email addresses can be configured on more than just user accounts.  Email addresses can be configured on groups, contacts, even public folders.

Note: If you use Get-Mailbox with the -an switch it will only search the primary SMTP addresses.

Tuesday, March 19, 2013

Cisco - Port Two Public IP Addresses to the Same Internal Address

Today we required the ability to port forward two public IP addresses both listening on TCP25 to the same internal IP address listening on TCP25.  By default a Cisco router will not let you do this.  However there is an extendable option which you can put on the end of your command to allow you to do this.
 
For example to allow TCP25 from both 3.3.3.3 and 3.3.3.4 to 10.1.1.40 on TCP25 we would do the following:
 
perth-router(config)#do show run | in ip nat
ip nat inside source static tcp 10.0.8.10 25 3.3.3.3 25 extendable
ip nat inside source static tcp 10.0.8.10 25 3.3.3.4 25 extendable

Hope this has been helpful. 

HTTP Attack Resulted in RBL Listing

Today one of my customers was listed on the SpamHaus XBL list.  The Spamhaus Exploits Block List (XBL) is a realtime database of IP addresses of hijacked PCs infected by illegal 3rd party exploits, including open proxies (HTTP, socks, AnalogX, wingate, etc), worms/viruses with built-in spam engines, and other types of trojan-horse exploits.

My customer had all client workstations access the Internet from the same public IP address as what the Exchange 2010 server relayed email from.  Workstations did not connect to the Internet through a proxy, just standard network address translation (NAT).

My customer did block TCP25 Outbound (SMTP Traffic) from all hosts on the network except the internal IP address of their Exchange 2010 server.  Despite this my customer was still added to the XBL.SpamHaus.org blocklist and as a result had difficulties sending and receiving email from many companies, especially because SpamHaus is one of the more popular blocklists.

This was because a few workstations on their network were infected with the Pushdo trojan, which was performing denial of service (DOS) attacks against target web servers.

Below is the reason why we were RBLed extracted from the SpamHaus.org website:

To get around this problem we changed the outgoing IP address of email, ensured a PTR record exists for the new IP address, updated the Sender Policy Framework (SPF)  TXT record on the DNS zone.  Finally we updated the port forward on the router and MX records to ensure all mail relay went through a dedicated email.

So what did we learn from this?
  • If possible always use a dedicated public IP address for relaying mail
  • Use a proxy server for your users to surf the net and block HTTP/HTTPS and other ports if possible outbound to the Internet.
Regarding the Pushdo botnet, we got around to cleaning that up too to ensure my customer's network was not used to DOS innocent web servers on the net.