Tuesday, September 09, 2014

Manually removing SCCM 2012 SP1 Secondary Site

Deleting the secondary site from the SCCM Console's Administration tab and choosing Uninstall should be sufficient to remotely uninstall all the secondary site components. In certain cases, however, the remote uninstall stalls and the secondary site is left in the "Deleting" state. The steps below manually remove the secondary site from both the Primary site's database and the secondary site's server.

On the Primary Site server
1. Run: %ConfigMgrProgramFilePath%\bin\X64\00000409\preinst.exe /delsite XXX
*where XXX is the secondary site's code
2. Refresh & verify from the SCCM Console that the secondary site (and its site system) is deleted.

On the Secondary Site server
1. Uninstall the ConfigMgr Secondary Site from the Control Panel
2. Uninstall the Microsoft SQL server and its components from the Control Panel
3. Remove the secondary site's ConfigMgr ProgramFile folder
4. Remove the registry key: HKLM\Software\Microsoft\SMS
5. Restart

Thursday, July 11, 2013

Exchange 2010 Version and Build Number

Get-ExchangeServer's AdminDisplayVersion does not reflect Rollup's build number.

Instead, use: "GCM exsetup | %{$_.FileVersionInfo}"

Monday, May 13, 2013

Adding ability to vSphere 4 to run Windows 8, Windows 2012 or WinPE 4.0 (SCCM 2012 SP1 OSD)

Windows 8, Windows 2012 and the WinPE 4.0 boot image require specific CPU feature flags before they will boot. Unfortunately, on older Pentium processors or on VMware vSphere earlier than 5.0 Update 1, these flags are either not available or not exposed by the (virtual) BIOS.

To allow VMware vSphere 4 to boot the Windows 8 boot image, follow these steps:

1. Download this BIOS image or from here: https://hotfile.com/dl/221377063/b1c9f54/bios.440.rom.zip.html
2. Create a new Virtual Guest and use the Windows 2008 R2 64bit (experimental) option.
3. Once the Virtual Guest has been successfully created, note its Datastore location and remove it from Inventory (!!! DO NOT DELETE IT FROM DISK !!!)
4. Go into the created Virtual Guest's location in the Datastore and upload the downloaded BIOS image into it. It should be at the same level as the Virtual Guest's .VMX file.
5. Download the Virtual Guest's .VMX file and append the following lines:

bios440.filename = "bios.440.rom"
mce.enable = TRUE
cpuid.hypervisor.v0 = FALSE
vmGenCounter.enable = FALSE
6. Upload the .VMX file back into the same location in the Datastore, overwriting the original (!!! backup the original .VMX as necessary !!!), right-click it and Add to inventory.
7. Boot your Virtual Guest with the Windows 8/2012/WinPE4.0 as needed.

Wednesday, May 01, 2013

You must either run windows server 2012 setup or enter a windows server 2012 standard evaluation product key

Server Manager throws "You must either run windows server 2012 setup or enter a windows server 2012 standard evaluation product key" when attempting to activate an Evaluation version of Windows Server 2012 using a valid Product Key.

The following workaround solved the above for me:
!!!WARNING!!! Windows Product Activation on an Evaluation Edition running as a Domain Controller is *UNSUPPORTED*. Demote the machine first and then run the steps below. Re-promote the machine back to Domain Controller afterwards. If this is your *ONLY* Domain Controller, this might be the right time to deploy a second unit...
  1. Run Command Prompt in Elevated Mode
  2. Run the following: "DISM /online /Set-Edition:ServerStandard /ProductKey:XXXXX-XXXXX-XXXXX-XXXXX-XXXXX /AcceptEula"
  3. DISM will prompt for a system restart; choose Y(es) and restart the server.
  4. After boot-up, run the following: "cscript C:\windows\system32\slmgr.vbs -ato"
*replace XXXXX-XXXXX-XXXXX-XXXXX-XXXXX with the valid Product Key

Wednesday, March 06, 2013

Allow unsupported (non-coded) SFP to be used by Cisco Catalyst Switches

The IOS on Cisco Catalyst switches does not allow non-Cisco SFP transceivers to be used; the affected switch interface will be taken down if a non-Cisco-coded SFP transceiver is inserted.

Run the following commands (IOS) on the Catalyst to allow the use of such *unsupported* SFP transceivers:
Switch> enable
Switch# configure terminal
Switch(config)# service unsupported-transceiver
Switch(config)# no errdisable detect cause gbic-invalid

The information above is only to be used for testing & development purposes. The writer holds no responsibility for failure or loss on the part of the reader.

Saturday, February 09, 2013

Adding custom options in ISC-DHCPD's dhcpd.conf

There was a need to add custom option code 138 to ISC-DHCPD so that the CAPWAP-managed access points could discover our wireless controllers. The following excerpt is required in dhcpd.conf:

#CAPWAP Settings
option capwap code 138 = ip-address;
option capwap 0x0A102001;
if exists dhcp-parameter-request-list {
  option dhcp-parameter-request-list=concat(option dhcp-parameter-request-list,8A);
}

Explanation below:

option capwap code 138 = ip-address;
This line declares an option named "capwap" that maps to DHCP option code 138 and takes values of type ip-address.

In ISC-DHCP, ip-address values take the dotted-decimal (four octets) form such as or the hexadecimal form such as 0xC0A80101.

Other common value types are text (strings) and arrays of ip-address (IP addresses separated by a comma ',').

...option capwap 0x0A102001;
This is the actual name=value line. In the sample above it is declared in the global scope; it can also be specified inside a subnet or pool declaration.

...option dhcp-parameter-request-list=concat(option dhcp-parameter-request-list,8A);
Without this line ISC-DHCPD will *never* include the custom option in its DHCP offer messages, because the server only returns options that appear in the client's parameter request list. The item 8A is custom option 138 in hexadecimal. For multiple custom options, separate the dhcp-parameter-request-list values with commas. For example:

...option dhcp-parameter-request-list=concat(option dhcp-parameter-request-list,8A,8B,8C);
This requests custom options 138, 139 and 140.
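As an added example (not part of the original post), the following Python encodes and decodes option 138 as it appears on the wire (RFC 5417: code, length, then one 4-byte IPv4 address per controller), converts the 0x-style constants used above to dotted-quad form, and models why the concat() line is needed: the server only answers option codes present in the client's parameter request list. The sample inputs are constructed.

```python
import ipaddress

CAPWAP_AC_OPTION = 138  # decimal 138 == 0x8A, the code declared with "option capwap code 138"


def hex_literal_to_ip(literal: str) -> str:
    """Turn a dhcpd.conf hex constant such as 0x0A102001 into dotted-quad form."""
    value = int(literal, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError("not a 32-bit IPv4 value")
    return str(ipaddress.IPv4Address(value))


def encode_capwap_option(addresses) -> bytes:
    """Wire format of option 138: code byte, length byte, then 4 bytes per AC address."""
    data = b"".join(ipaddress.IPv4Address(a).packed for a in addresses)
    if not data or len(data) > 255:
        raise ValueError("option 138 needs 1..63 IPv4 addresses")
    return bytes([CAPWAP_AC_OPTION, len(data)]) + data


def decode_capwap_option(blob: bytes):
    """Parse one option 138 TLV back into dotted-quad strings, rejecting malformed input."""
    if len(blob) < 2 or blob[0] != CAPWAP_AC_OPTION:
        raise ValueError("not option 138")
    length = blob[1]
    if length == 0 or length % 4 or len(blob) != 2 + length:
        raise ValueError("bad option 138 length")
    return [str(ipaddress.IPv4Address(bytes(blob[i:i + 4])))
            for i in range(2, 2 + length, 4)]


def effective_request_list(client_prl, appended_hex):
    """Model concat(option dhcp-parameter-request-list, 8A, 8B, ...): the hex codes are
    appended to whatever option-55 list the client sent, without duplicates."""
    prl = list(client_prl)
    for code in (int(h, 16) for h in appended_hex):
        if code not in prl:
            prl.append(code)
    return prl


def will_offer(client_prl, appended_hex, code=CAPWAP_AC_OPTION) -> bool:
    """dhcpd only returns options the (effective) request list asks for."""
    return code in effective_request_list(client_prl, appended_hex)


if __name__ == "__main__":
    # constructed example: a client that asks for subnet mask, router and DNS only
    client_prl = [1, 3, 6]
    print("controller:", hex_literal_to_ip("0x0A102001"))
    print("without concat:", will_offer(client_prl, []))
    print("with concat:   ", will_offer(client_prl, ["8A"]))
    print("option bytes:", encode_capwap_option(["10.16.32.1"]).hex())
```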

Friday, September 14, 2012

Exchange 2010 Error: Registry key has subkeys and recursive removes are not supported by this method

Thank you to Paul Cunningham for this Post.

After a prolonged network failure, my DAG registers errors in its Database synchronization. Attempts to Suspend also failed (thus I am not able to Resume the sync).

When attempting to remove the Database (and Add/Re-create the Database copy), the following error appears:

"Registry key has subkeys and recursive removes are not supported by this method"

This error seems to be caused by an orphaned registry key in the/each Mailbox server under the replication replay's key.

The following method, carried out on *each* Mailbox server that requires the Database Copy addition resolves the above issue:

1. In PowerShell, run:

'Get-MailboxDatabase "Database Name" | fl guid'
 - This will print out the Database's GUID value

2. In PowerShell, run:

'Remove-Item HKLM:\Software\Microsoft\ExchangeServer\v14\Replay\State\\DumpsterInfo'

Tuesday, September 04, 2012

How to reset Fortinet's Fortigate *admin* Password

  1. Connect to the Fortigate unit via Console cable
  2. Immediately after the login prompt comes up (within 3 seconds) enter the following credentials:
  • Username: maintainer
  • Password: bcpbXXXXXXXXXXXXXXXX
  • ... where XXXXXXXXXXXXXXXX is the unit's serial number
For instance if the serial number is FG123A1234567890 then the password would be: 

Reset the password by running the following command:
config system admin
 edit admin
  set password newPassword
 next
end

Wednesday, December 21, 2011

STOP: c00002e2 Directory Services could not start


All of a sudden, one of the Windows 2008 Server Standard x64 Domain Controllers encountered the following BSOD error:

-c00002e2 Directory Services could not start because of the following error:

-A device attached to the system is not functioning.

-Error Status: 0x0000001.

Most of the solutions point to the disk where the NTDS is located. In virtualized environments, after changes have been made to the virtual disk settings (for instance a P2V), the second disk (in most cases storing the NTDS) was found offline. The solution would be to simply boot into Directory Services Restore Mode, go to the Windows Storage Manager and bring the affected disk back online.

However, in my case, I am only using a single disk with a single SYSTEM partition for both my OS & NTDS. Furthermore, in DSRM, the disk was (surely) online.

Unusually, the solution was simply to backdate the system date in my BIOS (on virtualized platforms, the virtual BIOS). I backdated the date by a few months & the Domain Controller booted successfully into the OS.

I can now proceed to restore/replicate/demote/promote my Domain Controller.

Wednesday, August 17, 2011

Password Strength

This comic says that the password in the top frames, "Tr0ub4dor&3", is easier for password cracking software to guess than "correcthorsebatterystaple". It is also true that people make passwords hard to remember because they believe that makes them "safer".

The important thing to take away from this comic is that longer passwords are better, because each additional character multiplies the time needed to break the password.

Steve Gibson of the Security Now podcast did a lot of work in this area and found that the password 'D0g.....................' is harder to break than the password 'PrXyc.N(n4k77#L!eVdAfp9'. Steve Gibson makes this very clear in his password haystack reference guide and tester:

'Once an exhaustive password search begins, the most important factor is password length!'

That's what xkcd is getting at here. Complexity does not matter unless your password has length. Complexity is difficult for humans to remember; length is not.
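As an added example (not from the original post or from Gibson's site), the following Python applies the haystack model to both comparisons above: the alphabet size is fixed by which character classes appear, and the search space is every string of length 1 up to the password's length over that alphabet. The class sizes (10 digits, 26 lowercase, 26 uppercase, 33 symbols) are the ones the haystack calculator uses; the padded "D0g" string is constructed here with 21 dots to match the 24-character example.

```python
import math

# Character-class sizes assumed by the haystack model.
DIGITS, LOWER, UPPER, SYMBOLS = 10, 26, 26, 33


def alphabet_size(password: str) -> int:
    """Alphabet an exhaustive search must assume, based on which classes are present."""
    size = 0
    if any(c.isdigit() for c in password):
        size += DIGITS
    if any(c.islower() for c in password):
        size += LOWER
    if any(c.isupper() for c in password):
        size += UPPER
    if any(not c.isalnum() for c in password):
        size += SYMBOLS
    return size


def search_space(password: str) -> int:
    """Haystack size: all strings of length 1..len(password) over the inferred alphabet."""
    n = alphabet_size(password)
    return sum(n ** i for i in range(1, len(password) + 1))


def bits(password: str) -> float:
    """Search space expressed as bits (log2), the usual way to compare strengths."""
    return math.log2(search_space(password))


def stronger(a: str, b: str) -> str:
    """Return whichever password has the larger exhaustive search space."""
    return a if search_space(a) >= search_space(b) else b


# Constructed inputs mirroring the two comparisons in the post.
XKCD_COMPLEX = "Tr0ub4dor&3"                  # 11 chars, all four classes
XKCD_LONG = "correcthorsebatterystaple"       # 25 chars, lowercase only
GIBSON_PADDED = "D0g" + "." * 21              # 24 chars, all four classes
GIBSON_RANDOM = "PrXyc.N(n4k77#L!eVdAfp9"     # 23 chars, all four classes

if __name__ == "__main__":
    for pw in (XKCD_COMPLEX, XKCD_LONG, GIBSON_PADDED, GIBSON_RANDOM):
        print(f"{pw:28s} len={len(pw):2d} alphabet={alphabet_size(pw):3d} bits={bits(pw):6.1f}")
    print("xkcd winner:  ", stronger(XKCD_COMPLEX, XKCD_LONG))
    print("gibson winner:", stronger(GIBSON_RANDOM, GIBSON_PADDED))
```

The model only measures brute-force effort; a dictionary attack on a known padding pattern is a separate concern the page does not address.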

Sunday, April 03, 2011

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: Installing Active Directory Web Services


Active Directory Web Services (ADWS) is an option to enable Web based API access to Active Directory; predominantly via PowerShell and Active Directory Administration Console (ADAC). Read: http://blogs.msdn.com/b/adpowershell/archive/2009/04/06/active-directory-web-services-overview.aspx

This functionality is available by default on Domain Controllers running Windows 2008 R2 and is currently available as an add-on for Windows 2003 and Windows 2008 systems (download from: http://www.microsoft.com/downloads/en/details.aspx?displaylang=en&FamilyID=008940c6-0296-4597-be3e-1d24c1cf0dda).

NOTE: ADWS uses TCP port 9389; ensure that firewalls between clients and ADWS-enabled Domain Controllers do not block this port !!!

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas

Installing Microsoft Exchange 2010 SP1 on a Windows 2008 R2 Server should be a straightforward process thanks to the descriptive Wizard and the automatic resume of the Setup process. As per the Wizard, the following are the prerequisites of the Exchange 2010 installation:

  1. Installation of Microsoft .NET Framework 3.5 SP1
    1. This can be installed from Windows Manager – Add Feature – .NET Framework 3.5
    2. .NET would also require basic Web Service (IIS) role as its dependency.
  2. Running ‘setup /PrepareAD’
    1. This would be run automatically by the Setup process
    2. Make sure the account used to run Setup has the proper Domain and Schema Admins permissions
  3. Select the language options
    1. Pretty straightforward: just choose to use all languages available on the DVD, or download from the Internet if your language preferences are extensive.

After enabling the basic prerequisites above and resuming Setup, further verifications per Role will commence. Depending on your existing server configuration, this will include:

  1. Enabling IIS Basic, Integrated Windows and Digest Authentication methods
    1. This can be updated from Windows Manager – Roles – Web Service – Add Role Features
  2. Enabling IIS Static and Dynamic Compression
    1. This can be updated from Windows Manager – Roles – Web Service – Add Role Features

After satisfying the requirements above, you should be able to continue the Setup process. Depending on whether you are creating a new Exchange organization or adding a new Exchange server to an existing Organization, additional parameters will be required; this is very straightforward and Setup should complete successfully. Reboot afterwards !!!

That would be the end of the Exchange installation and you should be happily configuring and using your Exchange installation; NOT !!! Depending on the symptoms that may or may not appear, further tweaking will need to be carried out.

NOTE: This may differ between OS versions (2008 SP2 or 2008 R2 SP1) or Exchange versions (RTM, SP1) etc.

  1. You find the Mailbox Database name to be too robotic (Mailbox_Database_1234567XXX…yuck) and decide to create a NEW Mailbox Database only to have error code 0x00000005 “INSUFF_ACCESS_RIGHTS” thrown at you !!! Read here
  2. You try to remove the default/first Mailbox Database and Exchange complains that you need to move out all mailboxes first before the Database can be deleted; problem is, as far as you can see there are no more mailboxes in the database to be moved out !!! Read here
  3. You open Microsoft Exchange PowerShell and in the initial Module loading stage it complains that Active Directory Web Service cannot find any available Domain Controller !!! Read here
  4. You try opening Outlook Web App (OWA) from your Web Browser (e.g: https://exch2010.tld/owa) and nothing comes out; just a blank page !!! Read here
  5. After rebooting the Exchange Server, after logging in to OWA in the login page, you are then presented with an empty page, or worse HTTP error 5XX !!! Read here

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: Microsoft Exchange services start up issues


This is due to Microsoft Exchange Forms Based Authentication service not running; possibly after a normal reboot or power failure.

This is a Microsoft known issue since Exchange 2003 and also affects the Microsoft Exchange System Attendant service. Read and use the solution in http://support.microsoft.com/kb/940845

Microsoft reports that this issue affects installations of Exchange on Domain Controllers due to the delayed Global Catalog availability but it is prevalent even on standalone Exchange installations.

The only solution thus far is to configure the affected services with the Automatic (Delayed Start) startup type as opposed to the default Automatic.

Also configure the first, second and subsequent failure recovery actions to restart the service if it fails to start on the first try.

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: Exchange 2010 required Windows Features


Thanks to http://www.stefanjagger.co.uk/03/default-exchange-2010-owa-shows-blank-page/.

After successfully installing Exchange 2010, if you find your OWA page to be blank (but with a successful redirection URI, e.g: https://exch2010.tld/owa/logon/logon.aspx?blablabla) you may not have all the dependencies installed. Install them using the steps below:

1. Installing dependencies using PowerShell. NOTE: This may reboot the server !!!

   Import-Module ServerManager
   Add-WindowsFeature NET-Framework,RSAT-ADDS,Web-Server,Web-Basic-Auth,Web-Windows-Auth,Web-Metabase,Web-Net-Ext,Web-Lgcy-Mgmt-Console,WAS-Process-Model,RSAT-Web-Server,Web-ISAPI-Ext,Web-Digest-Auth,Web-Dyn-Compression,NET-HTTP-Activation,RPC-Over-HTTP-Proxy -Restart

2. Installing dependencies using Server Manager:

    1. Open Windows Manager-Features-Add Features

    2. Add the RPC over HTTP Proxy feature; this will auto-install the other required dependencies, as in the PowerShell method above.

Retry the OWA login via your Web Browser.

NOTE: If the initial OWA login page can be displayed but a blank page is displayed ONLY after submitting the login, this could be due to the Microsoft Exchange Forms Based Authentication service not starting !!! Read here

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: Deleting Arbitration Mailboxes

Exchange mailboxes consist of the normal user/resource Mailboxes and Arbitration mailboxes.

Arbitration mailboxes are “… used for managing approval workflow. For example, an arbitration mailbox is used for handling moderated recipients and distribution group membership approval”. Refer: http://technet.microsoft.com/en-us/library/bb123685(EXCHG.140).aspx

To delete a Mailbox database (especially the first created Mailbox database), you need to move out ALL mailboxes first into another Mailbox database.

In the normal Exchange console or from the Get-Mailbox command these Arbitration mailboxes do not appear unless the additional -Arbitration parameter is supplied. Thus, in Exchange 2010, moving all mailboxes to another database requires the following commands:

1. Moving all normal user/resource mailboxes from DB1 to DB2

   Get-Mailbox -Database DB1 | New-MoveRequest -TargetDatabase DB2

2. Moving all Arbitration mailboxes from DB1 to DB2

   Get-Mailbox -Database DB1 -Arbitration | New-MoveRequest -TargetDatabase DB2

Wait for the move request to complete and delete/remove the required database.

Microsoft Exchange Server 2010 SP1 on Windows 2008 Server R2 post-installation gotchas: 0x00000005 INSUFF_ACCESS_RIGHTS

This is possibly due to the ‘Inheritable permissions’ option being disabled, which prevents the ‘Exchange Trusted Subsystem’ group from having Full Access to a number of important Microsoft Exchange OUs in the Active Directory Configuration partition.

As Exchange 2010 performs its Active Directory access with the Exchange Trusted Subsystem group's permissions (not the logged-on user account's), the relevant Active Directory objects require Full Access rights for this group. This is achieved automatically if the objects inherit permissions from their parent, as the parent’s security permissions are changed during the PrepareAD step of Exchange setup.

However, if certain child objects had their Inheritable permissions option disabled beforehand, they will not acquire the correct permission level for the Exchange Trusted Subsystem group to access them. To resolve this, use the steps below:

  1. Using ‘adsiedit.msc’, traverse the Active Directory Configuration partition and verify that the following OUs have inheritable permissions enabled (see Richard’s Exchange Ramblings blog: http://blogs.technet.com/b/richardroddy/archive/2010/07/12/exchange-2010-and-the-exchange-trusted-subsystem.aspx):
    1. RootDSE-Configuration-Services-Microsoft Exchange-First Organization
    2. RootDSE-Configuration-Services-Microsoft Exchange-First Organization-Administrative Groups
    3. RootDSE-Configuration-Services-Microsoft Exchange-First Organization-Administrative Groups-Exchange Administrative Group (FYDIBOHF23SPDLT)
  2. Remove the Exchange Server computer account from the Exchange Trusted Subsystem group and add it back again.
  3. Reboot the relevant Exchange server.
  4. Ensure that your currently logged-on account is a member of the Active Directory Schema admins.
    1. In an elevated (Administrator) Command Prompt, re-run Exchange setup’s PrepareAD step: “%ExchangeInstallationFiles%\setup /PrepareAD”
    2. Reboot the Exchange server again.

Wednesday, January 26, 2011

The Linux boot process, a chart - SysAdmin1138 Expounds

BIOS
  • POST
  • Read bootable media
  • Load Master Boot Record
  • Execute MBR
EFI
  • POST
  • Read bootable media
  • Load the GPT table
  • Mount the EFI system-partition
  • Run EFI-specific code
GRUB (legacy)
  • Stage 1 loaded into MBR/EFI and gets executed by BIOS/EFI
  • Stage 1.5 loaded by Stage 1, including critical drivers
  • Stage 2, in the boot filesystem, executes
  • Stage 2 loads the kernel
GRUB 2
  • Stage 1 loaded into MBR/EFI and gets executed by BIOS/EFI
  • Load first sector of core.img
  • Continues loading core.img
  • Loads GRUB config
  • Loads the kernel
LILO
  • Stage 1 loaded into MBR (or EFI by ELILO) and executed by BIOS/EFI
  • Stage 2 is loaded by Stage 1, executes
  • Loads LILO information.
  • Loads the kernel
Kernel Load
  • The kernel uncompresses into memory
  • If configured, the kernel mounts the Initial Ramdisk, which contains needed modules to load the rest of the OS
  • Mounts the root filesystem, loading any needed modules from initrd
  • Swaps / from initrd to the actual root filesystem
  • Executes the specified init process
SysV init
  • Is launched by the kernel as PID 1
  • Checks /etc/inittab for loading procedures
  • Runs scripts specified by inittab
    • Mounts needed filesystems
    • Loads needed modules
    • Starts needed services based on runlevel
    • Finishes setting up userspace
systemd
  • Is launched by the kernel as PID 1
  • Reads /etc/system.conf
  • Mounts needed filesystems
  • Loads needed modules
  • Starts services as needed
Upstart
  • Is launched by the kernel as PID 1
  • Runs startup events listed in /etc/events.d based on runlevel.
  • Loads needed modules
  • Mounts needed filesystems
  • Starts needed services
launchd
  • Is launched by the kernel as PID 1
  • Reads /etc/launchd.conf for config details
  • Reads /etc/launchd.plist for per-driver/service details

Tuesday, January 11, 2011

How I "usually" bypass transparent content-filters (for troubleshooting purposes)

In my work, transparent content-filtering devices usually throw a (transparent ?) spanner into my troubleshooting work. These usually come in the form of IPS/IDS devices or transparent proxies. It’s there, happily doing its thing, but quite invisible from the endpoint devices’ perspective.

My favourite tool in this situation is SSH and its port-forwarding functionality.

Since tunnelled traffic is encapsulated and encrypted in SSH transmissions, these pesky transparent devices wouldn’t know any better than to allow it through; however, always double-check your Firewall/IPS configuration to make sure it DOES NOT block SSH (default TCP/22) traffic in the first place. Take the following scenario, where normal traffic is being (transparently) intercepted and certain policies are applied.


This is what SSH and its port-tunnelling accomplishes:


It helps to have endpoint devices that are able to ‘talk’ SSH for the above to work though. The OpenSSH client on *nix systems or PuTTY on Windows should work perfectly well as the client.

However, a native OpenSSH daemon (the SSH server component) is not easily available on Windows systems (in cases where both endpoints are Windows systems). Have a try at freeSSHd, a Windows implementation of the SSH server component; it’s easier than trying to run a Cygwin implementation of sshd.

Thursday, January 06, 2011

Updating Sendmail access file (Revisited)

The Sendmail access file format for IP addresses is based on whole-octet wildcards. For example:

  • 10 represents
  • 172.16 represents (sorry, /12 is not available)
  • 192.168.100 represents

A sample of Sendmail’s access file (normally located as /etc/mail/access) is as such:

10                     RELAY
172.16                 RELAY
192.168                RELAY
mydomain.com           OK

After editing the Access file, remember to:

1. Run makemap to create/update the access database read by Sendmail from the edited text Access file.

"makemap hash /etc/mail/access < /etc/mail/access"

2. Restart Sendmail

"service sendmail restart" OR "/etc/init.d/sendmail restart"
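As an added example (not part of the original post), the following Python reproduces the lookup order Sendmail applies to the access map: for an IP it tries the full address and then drops one trailing octet at a time, and for a host name it walks up the parent domains. The sample access file is constructed here; it extends the one above with a more specific 192.168.100 entry to show that the longer octet prefix wins, and the 172.17 lookup shows why a /12 cannot be expressed.

```python
# Constructed sample in the access file format shown above (key, whitespace, value).
SAMPLE_ACCESS = """\
# connection / relay control, one key per line
10                     RELAY
172.16                 RELAY
192.168                RELAY
192.168.100            REJECT
mydomain.com           OK
spammer.example        REJECT
"""


def parse_access(text: str) -> dict:
    """Parse the text access file into {key: value}; makemap builds the hash db from the same pairs."""
    table = {}
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        key, value = line.split(None, 1)
        table[key.lower()] = value.strip().upper()
    return table


def ip_lookup_keys(ip: str) -> list:
    """Keys tried for an IP, most specific first: 192.168.100.5, 192.168.100, 192.168, 192."""
    octets = ip.split(".")
    if len(octets) != 4 or not all(o.isdigit() and 0 <= int(o) <= 255 for o in octets):
        raise ValueError(f"not an IPv4 address: {ip}")
    return [".".join(octets[:n]) for n in range(4, 0, -1)]


def host_lookup_keys(name: str) -> list:
    """Keys tried for a host name: the name itself, then each parent domain."""
    labels = name.lower().rstrip(".").split(".")
    return [".".join(labels[i:]) for i in range(len(labels))]


def lookup(table: dict, key: str):
    """Return the access value for an IP or host name, or None when no prefix matches."""
    is_ip = key.replace(".", "").isdigit()
    for k in (ip_lookup_keys(key) if is_ip else host_lookup_keys(key)):
        if k in table:
            return table[k]
    return None


if __name__ == "__main__":
    table = parse_access(SAMPLE_ACCESS)
    for probe in ("10.1.2.3", "172.16.5.5", "172.17.5.5", "192.168.1.7",
                  "192.168.100.7", "mail.mydomain.com", "unknown.example"):
        print(f"{probe:20s} -> {lookup(table, probe)}")
```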

Wednesday, January 05, 2011

NetBIOS-ssn issue when a naming collision/conflict is detected

I encountered an issue today affecting NetBIOS/CIFS/SMB file sharing; the situation is as follows:
  1. The user has one physical Windows 2003 server connecting to a remote CIFS file server as a mapped drive.
  2. The remote connection goes via Firewall and IPS appliances. The Firewall only allows TCP/139 outbound; TCP/445 is blocked.
  3. I P2Ved that Windows 2003 server into vSphere.
  4. Overall operation of the P2Ved server is OK.
  5. The end-user complains that the virtualized server now cannot access the file share, either directly via UNC or via the "net use" command.
Unfortunately the end-user did not network-disconnect or power off the original physical server; they merely changed its IP address.
This causes a NetBIOS name collision in the broadcast domain: both the old physical and the new virtualized server use the same NetBIOS name (but with different IP addresses).
It seems that when a NetBIOS name collision is detected on the local host, the host refuses to use the legacy ports (UDP/137, UDP/138 and TCP/139) and only uses TCP/445 for its NetBIOS connection.
Since TCP/445 to the external file server is blocked by the firewall, and since the new server refuses to use the legacy NetBIOS ports, i.e.: UDP/137, UDP/138 and TCP/139, file sharing fails.
Any of the methods below should solve the issue:
  • Shut down or network-disconnect the old physical server, then reboot the new server, or
  • Rename the NetBIOS name of the old physical server and reboot the new server, or
  • Allow TCP/445 to the destination file server (the destination file server must support Microsoft-DS; Windows 2000 and above).

Sunday, January 02, 2011

How I learned to stop worrying and love the game

Once upon a time there was a Principal who thought oh-so highly of one of its Partner.

The Principal gave them price protection that would enable them to win biddings even if other Partners slashed their margin up to 0.1%.

One day, that preferred Partner lost a bidding to an oh-not so preferred Partner. End of story? Not really.

The not-so preferred Partner requested for a consolation discount from the Principal; anyways, their Product still got sold and the Principal still retained good margin on the Product. Better margin than if the Product was sold along with the protected pricing of the preferred Partner.

Having good relationship with the end-users, the not-so preferred Partner then proceeded to pass the contact details of the end-user to the Principal to plead their case.

The Principal made a big hoo-haa of the oh-not-so preferred Partner NOT doing any groundwork in the project and thus not entitled to any discounts and rather than contacting the end-user, they proceeded to contact the preferred Partner (who lost the bid) and ask regarding the outcome of the bidding.

The clueless preferred Partner informed the more clueless Principal that the project is not yet awarded and the winner of the bid is still not decided by the end-user.

Quite odd as the oh-not-so preferred Partner even attached a copy of the Award letter when requesting for the consolation discount.

Sometimes, IMHO, even FreeBSD jail looks more attractive technically and Xen looks more attractive financially than this virtualization Product carried by this clueless Principal.

And they lived happily ever after..... the end. 

Sunday, December 26, 2010

Exchange Distribution Groups with external email Contacts as member

Sometimes, as vendor I would need to receive important emails sent to end-users; stuff like subscription expiry notifications, licensing renewal etc. Usually these emails are sent to Distribution groups of the end-user's organization.
Short of having an email account in the end-user's organization, I would request for my (external) email to be included as a member of such a Distribution group. It's pretty straightforward except for the caveat that by default Exchange sets external Contacts to only receive emails from Authenticated senders. This automatically bars email coming from external sources such as Principals, ISPs etc.
Following are the PowerShell commands for creating an imaginary end-user Distribution group 'Licensing' and adding my Contact 'me@gmail.com' to it as a member.
New-MailContact -Name "me@gmail.com" -ExternalEmailAddress "me@gmail.com"

Set-MailContact "me@gmail.com" -RequireSenderAuthenticationEnabled $False

New-DistributionGroup -Name "Licensing"

Set-DistributionGroup "Licensing" -RequireSenderAuthenticationEnabled $false

Add-DistributionGroupMember "Licensing" -Member "me@gmail.com"

Thursday, December 16, 2010

Juniper ScreenOS & Fortigate FortiOS revisited 2010

This month, I had the opportunity of installing a Juniper SSG appliance (with ScreenOS) and two units of Fortigate (with FortiOS) for three separate clients. These two firewall brands really bring back interesting memories after years of deploying Watchguard which to date, STILL does not support IPv6 (what does that tell you about Watchguard's development cycles ?).

Check out the list of IPv6 capable security products here: https://www.icsalabs.com/technology-program/ipv6/ipv6-capable-security-products

At first look, it seems there's nothing much that has changed in ScreenOS; I guess most of Juniper's development efforts were concentrated on JunOS.

This could either be a good or a bad thing. In ScreenOS's case if it ain't broke, why fix it ?

As one of the first Active/Active capable firewalls that I had the opportunity to deploy, ScreenOS's NSRP is still the same reliable protocol it has always been.

Its Active/Active HA works on the principle of concurrent Virtual Security Groups (VSI) sharing the same cluster ID. Furthermore, it fails over PPPoE links too :)

The only downside is that you'd need one IP address per interface for each VSI group. That normally translates into two IP addresses per HA interface/zone in a production environment.

FortiOS on the other hand works on the principle of Multicast ARP. From a first look, it operates as well as, or even better than, ScreenOS (maybe not the debugging bit) and you only need ONE IP address per HA interface. That simple capability saves your precious Public IP addresses (and end-user confusion) when doing HA on the Public IP segment.

And of course, ScreenOS stubbornly sticks with its trusted PPTP and L2TP as its user-based VPN methods while FortiOS has included all of the above AND SSL-based VPN as well. Mind you, this includes SSL Tunnelling (OpenVPN) as well as Virtual Desktop functionality (Java applet based). How cool is that ?

Maybe I'll try JunOS sometime and see if it's worth it cost-to-cost with FortiOS :)

Monday, November 29, 2010

Malaysia ISP recursive DNS servers

I've got this list from http://blog.datakl.com/2009/05/dns-isp/ ... 
for a quick reference in the future :)
  • TMnet DNS servers
  • Jaring DNS servers
  • TimeNet DNS servers
  • OpenDNS  Server (overseas)

Monday, April 26, 2010

Upgrading to Exchange 2010

As soon as a new version of Microsoft Exchange comes along, there would be an immediate clamour for an upgrade/migrate request from customers. "Save us from Exchange 2007" they said (probably hoping that Exchange 2010 will be less PowerShell-centric; tough luck).

It's a very typical scenario here in Malaysia as we have assimilated the kiasu-ness that we only recently abhorred and stuck our tongues out at. Thankfully Microsoft has a clear migration path for 2007 users.
Not so straightforward for 2003 and earlier users, or for people still stuck with Windows 2003 Server systems.
And really vague on migration from non-Exchange platforms like Lotus Notes, IMAP/POP3 systems and, yuck, Oracle Collaboration Suite :(

Let me be frank. Exchange 2010 is a pretty damn good piece of software; cutting-edge. Better than 2007 and waaaaaayyyy better than 2003, or for that matter 5.5. But do you really need the functionality it has to offer, or do you just want the prestige (and bragging rights on who's running 64bit and who's not)?

- Consolidating MAPI access on CAS roles rather than on Mailbox role servers in 2007 (Public Folders are still accessed directly on Mailbox roles; onus for Sharepoint upgrade path).
- 2 server + 1 load-balancer makes a fully (single-site) redundant system.
- Database Availability Groups replacing the messy Cluster groups (however, there is still an IP resource cluster required for 2010)
- Consolidating CCR and SCR with DAG simplifies failover scenarios. Inter-server or inter-site ? DAG supports it.
- Advent of EWS Managed API which extends Exchange related tasks into PowerShell scripts which works with 2007 SP1 too :)
- Among other performance and database related capabilities.

In my next posts, I will be detailing the more intimate goings-on of the migration work relevant to Exchange 2010.

Tuesday, August 04, 2009

OpenVPN Bridging with FreeBSD

Under normal circumstances VPN connectivity is carried out in a routing (IP Forwarding) fashion. Routing is the preferred method as it minimizes layer 2 broadcasts and other unnecessary chatter such as ARPs and BPDUs, which is quite expensive when traversing Internet links.

However, some scenarios do require a Bridging solution. This includes an application's (lack of) flexibility, the exclusive use of non-routable protocols such as NetBIOS, end-users' operational familiarity etc.

OpenVPN Server : /etc/rc.conf
# added: bridge0 must be cloned before ifconfig_bridge0 can be applied
cloned_interfaces="bridge0"
ifconfig_em0="inet netmask"

ifconfig_bridge0="inet netmask up"

openvpn_enable="YES"
openvpn_if="tap bridge"

OpenVPN Server : /usr/local/etc/openvpn/openvpn.conf
proto udp
dev tap0
resolv-retry infinite
# added: TLS server mode is required for certificate auth and for the client-connect hooks; the DH file path is assumed
mode server
tls-server
dh /usr/local/etc/openvpn/x.509/dh.pem
# added: OpenVPN 2.1 and later refuse to run external scripts without this
script-security 2
ca /usr/local/etc/openvpn/x.509/ca.crt
cert /usr/local/etc/openvpn/x.509/hq.crt
key /usr/local/etc/openvpn/x.509/hq.key
client-connect /usr/local/etc/openvpn/scripts/client-connect.sh
client-disconnect /usr/local/etc/openvpn/scripts/client-disconnect.sh

OpenVPN Server : /usr/local/etc/openvpn/scripts/client-connect.sh
#!/bin/sh
# $dev is exported by OpenVPN; add the tap interface to the bridge on connect
ifconfig bridge0 addm $dev

OpenVPN Server : /usr/local/etc/openvpn/scripts/client-disconnect.sh

#!/bin/sh
# remove the tap interface from the bridge on disconnect
ifconfig bridge0 deletem $dev


OpenVPN Client : /etc/rc.conf
# added: bridge0 must be cloned before ifconfig_bridge0 can be applied
cloned_interfaces="bridge0"
ifconfig_em0="inet netmask"
ifconfig_bridge0="addm em1 up"

openvpn_enable="YES"
openvpn_if="tap bridge"

OpenVPN Client : /usr/local/etc/openvpn/openvpn.conf
# added: client mode (tls-client plus pull) to match the TLS server
client
proto udp
dev tap0
remote hq.company.com 1194
resolv-retry infinite
# added: allow the up/down scripts below to run
script-security 2
ca /usr/local/etc/openvpn/x.509/ca.crt
cert /usr/local/etc/openvpn/x.509/branch.crt
key /usr/local/etc/openvpn/x.509/branch.key
up /usr/local/etc/openvpn/scripts/connect.sh
down /usr/local/etc/openvpn/scripts/disconnect.sh

OpenVPN Client : /usr/local/etc/openvpn/scripts/connect.sh
#!/bin/sh
# $dev is exported by OpenVPN; add the tap interface to the bridge once the tunnel is up
ifconfig bridge0 addm $dev

OpenVPN Client : /usr/local/etc/openvpn/scripts/disconnect.sh

#!/bin/sh
# remove the tap interface from the bridge when the tunnel goes down
ifconfig bridge0 deletem $dev