Channel: PeteNetLive

vSphere 6.5 vCenter Appliance – Replacing Certificates


KB ID 0001194 Dtd  22/08/17

Problem

In vSphere 5 and earlier versions this was not a ‘fun’ job at all, many times I sat down to do it, and lost the will to live. Now there’s a nice new tool built into vCenter that does ‘most’ of the hard work for you. Here I’m using the vCenter appliance but the tool is also available on the Windows version.

For my certificates I’m using Microsoft Certificate Services. I’m going to issue a ‘Subordinate CA’ certificate to my vCenter Appliance, then it can issue signed certificates to each of its services.

Solution

Make sure you have published a ‘Subordinate Certification Authority’ certificate template.

sub ca cert template

Connect to the vCenter appliance using SSH and enable the ‘shell’:

shell.set --enabled True

vCenter enable shell access

Create a directory to store our certificates and requests in, then launch the certification-manager tool.

mkdir /root/SSLCerts
/usr/lib/vmware-vmca/bin/certificate-manager

vCenter CA Manager

The app will launch, and present you with a bunch of options.

vCenter Appliance CA Manager

Select option 2 > No we don’t want to use the configuration file > enter your logon information, (administrator@vsphere.local and password)  > Enter all the items required for the certificate request.

vCenter Create CSR

Choose option 1 (Generate Certificate signing request)  > Specify the folder you created above, (/root/SSLCerts) > Two files will be generated > Enter ‘2’ to exit.

The files;

vCenter 6.5

  • vmca_issued_key.key (the private key)
  • vmca_issued_csr.csr (the request)

vCenter 6.0.0

  • root_signing_cert.key (the private key)
  • root_signing_cert.csr (the request)

vCenter Create Private Key and CSR

Now we need to get the CSR (signing request).

cat /root/SSLCerts/vmca_issued_csr.csr
OR
cat /root/SSLCerts/root_signing_cert.csr

vCenter Show CSR

Copy the certificate PEM file.

vCenter Cat and Copy CSR

Open the web enrolment portal of your certificate services server, (https://server.domain.com/certsrv) > Request a certificate > Advanced Certificate Request > Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file > Paste in the PEM text  > Remember to use the Subordinate Certificate Authority template > Submit.

vCenter Certificate Services

Base 64 Encoded > Download Certificate  > Save it somewhere you can find it, and give it a sensible name!

vCenter Sub CA Cert

Now download the Base 64 version of your CA certificate from the main page of your certificate services website, (press ‘back’ a few times).

vCenter Download WIndows CA Cert

Now back in your SSH session, change to your SSLCerts directory, and create an ‘empty’ file to paste our certificate information into.

cd /root/SSLCerts/
touch vmca_signing_cert.cer
vi vmca_signing_cert.cer

vCenter Appliance Import Certificate copy

Open the certificate for the vCenter Appliance in a text editor, and PASTE IN BELOW it, the text from the Root-CA certificate. Then copy ALL the text to the clipboard, and go back to the SSH session.

vCenter Certificate CER chain

Paste the text you have copied into the open ‘vi editor’ page (Press I, then P) > Save and Exit (Press Esc > :wq {enter}).

If you ‘ls’ (that’s list short, or dir if you are a Windows type), you will see you now have a .CSR, a .KEY and a .CER file, (the names of which vary between version 6 and 6.5).

Version 6.5

6.5 vCenter Certificates

Version 6.0


vCenter Appliance Create Certificate File
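Before running the import it is worth checking the chain file you have just pasted together, because a wrong paste order or a certificate issued from the wrong template is the usual reason the import fails. The PowerShell below is an added example (not from the original article) that parses the PEM blocks in the .CER file and checks order, CA flags and expiry; the file path is an assumption.

```powershell
# Added example, not from the original article: before importing vmca_signing_cert.cer with
# certificate-manager, check that the pasted chain file is what the import expects: the
# vCenter subordinate-CA certificate first, its issuer(s) below it, ending with the root.
# The file path at the bottom is an assumption; point it at your own chain file.

function Get-PemCertificates {
    param([Parameter(Mandatory)][string]$Path)
    $text    = Get-Content -Path $Path -Raw
    $pattern = '-----BEGIN CERTIFICATE-----(?<b64>[\s\S]+?)-----END CERTIFICATE-----'
    foreach ($m in [regex]::Matches($text, $pattern)) {
        $der = [Convert]::FromBase64String(($m.Groups['b64'].Value -replace '\s', ''))
        [System.Security.Cryptography.X509Certificates.X509Certificate2]::new($der)
    }
}

function Test-VmcaChainFile {
    param([Parameter(Mandatory)][string]$Path)
    $certs    = @(Get-PemCertificates -Path $Path)
    $problems = New-Object System.Collections.Generic.List[string]

    if ($certs.Count -lt 2) {
        $problems.Add("Expected at least two certificates (vCenter + CA), found $($certs.Count)")
    }

    for ($i = 0; $i -lt $certs.Count; $i++) {
        $c  = $certs[$i]
        $bc = $c.Extensions | Where-Object {
            $_ -is [System.Security.Cryptography.X509Certificates.X509BasicConstraintsExtension]
        }
        # Every certificate here must be a CA: the first is the subordinate CA issued to
        # vCenter (so it can sign the service certificates), the rest are the CAs above it.
        if (-not $bc -or -not $bc.CertificateAuthority) {
            $problems.Add("Certificate $i ($($c.Subject)) is not a CA certificate; wrong template?")
        }
        if ($c.NotAfter -lt (Get-Date)) {
            $problems.Add("Certificate $i ($($c.Subject)) has expired")
        }
        # Each certificate's issuer must be the subject of the one pasted directly below it.
        if ($i -lt $certs.Count - 1 -and $c.Issuer -ne $certs[$i + 1].Subject) {
            $problems.Add("Certificate $i is issued by '$($c.Issuer)' but is followed by " +
                          "'$($certs[$i + 1].Subject)'; check the paste order")
        }
    }

    if ($certs.Count -gt 0 -and $certs[-1].Subject -ne $certs[-1].Issuer) {
        $problems.Add('Last certificate is not self-signed; the root CA certificate is missing from the end')
    }

    [pscustomobject]@{
        Path         = $Path
        Certificates = $certs.Count
        Valid        = ($problems.Count -eq 0)
        Problems     = $problems
    }
}

Test-VmcaChainFile -Path '.\vmca_signing_cert.cer' | Format-List
```

This only checks the certificate side; it does not verify that vmca_issued_key.key belongs to the first certificate in the file.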

Launch the certificate-manager application again > Option 2 again > No (again) > Login (again) > ‘N’ > Option 2 (Import custom certificate(s))  > Give it the path to the certificate file > Then the path to the key file.

vCenter Appliance Import Certificate and Key

Yes we want to replace the certificates.

vCenter Appliance Replace Certificates

Go get a coffee, this will take a while.

vCenter Appliance Windows Sub CA

That’s vCenter done.

vCenter Self Signed Cert

Next we will concentrate on the ESX hosts.

VMware ESXi6 – Replacing the Default Certificates

Related Articles, References, Credits, or External Links

Original Article Written 25/05/16


Updating Domain Computer Objects with User and Machine Information


KB ID 0001340 Dtd 24/08/17

Problem

I can’t really take the credit for this, I was at a client’s site a few weeks ago, and they were doing this. I thought ‘That’s cool, I’ll have a play with that when I get the chance’.

Essentially, you update the description of the Computer object(s) in AD so that they list;

  • The last user who logged on.
  • What time they logged on.
  • What AD ‘Site’ the machine is in.
  • Model of the PC/Laptop.
  • Serial Number of the machine.
  • Operating System.
  • 32 or 64 bit.

I tested it in VMware so my machine type and serial number are a little misleading but this is what it looks like.

Show Computer Logged on User in AD

Now I can think of loads of situations when that information would be very helpful.

Solution

So how do you do it? Well, making a change to a computer’s ‘Description’ field in AD requires some rights. Locate the OU (or OUs) that contain your computers/servers and open the advanced properties on their security tab.

Rights to Computer Objects

You can either ‘Add’ (as shown), or select the existing ‘Authenticated Users’ object from the list.

Rights to Computer Objects Authenticated Users

Change the ‘Applies to’ section to ‘Descendant Computer Objects’.

Descendant Computer Objects

Scroll down and tick, ‘Write Description’

Write Description Descendant Computer Objects

Isn’t that dangerous? Well not really, it gives users the right to change a computer object’s description field, and they would need to have the technical ability to do so. And if they did, it would get overwritten the next time a user logged onto that machine anyway.

Download the ComputerDescriptionLogonStamp.zip file, and extract the two files you find inside it, into your domain netlogon share (\\{your-domain-name}\netlogon). Edit the domain name in the ComputerDescriptionLogonStamp.bat file so it matches YOUR domain name not mine!
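For anyone who would rather see what such a logon stamp does than download a batch file, here is an added PowerShell equivalent (my own example, not the ComputerDescriptionLogonStamp.bat script). It runs as the logging-on user, so it writes the description using only the ‘Write Description’ right delegated above; the field layout and the ‘Unknown’ site fallback are my choices.

```powershell
# Added example, not the downloadable ComputerDescriptionLogonStamp.bat: a PowerShell
# equivalent of what that logon script writes. Run as the logging-on user (logon script),
# it relies only on the 'Write Description' right delegated to Authenticated Users above,
# so no admin credentials are involved. The field layout is my own choice.

function Get-ComputerDescriptionStamp {
    $cs   = Get-CimInstance -ClassName Win32_ComputerSystem
    $bios = Get-CimInstance -ClassName Win32_BIOS
    $os   = Get-CimInstance -ClassName Win32_OperatingSystem
    try {
        $site = [System.DirectoryServices.ActiveDirectory.ActiveDirectorySite]::GetComputerSite().Name
    } catch {
        $site = 'Unknown'    # e.g. the client's subnet is not mapped to any AD site
    }

    $stamp = '{0}\{1} | {2} | Site: {3} | {4} {5} | SN: {6} | {7} ({8})' -f
        $env:USERDOMAIN, $env:USERNAME,
        (Get-Date -Format 'yyyy-MM-dd HH:mm'),
        $site,
        $cs.Manufacturer, $cs.Model,
        $bios.SerialNumber,
        $os.Caption, $os.OSArchitecture      # OSArchitecture is '32-bit' or '64-bit'

    # The AD description attribute is limited to 1024 characters.
    if ($stamp.Length -gt 1024) { $stamp = $stamp.Substring(0, 1024) }
    return $stamp
}

function Set-ComputerDescriptionStamp {
    param([Parameter(Mandatory)][string]$Description)

    # Locate this machine's own computer object with ADSI, which is present on every
    # domain-joined client (no RSAT / ActiveDirectory module needed at logon time).
    $filter   = "(&(objectCategory=computer)(sAMAccountName=$env:COMPUTERNAME`$))"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($filter)
    $result   = $searcher.FindOne()
    if (-not $result) { throw "No computer object found for $env:COMPUTERNAME" }

    $computer = $result.GetDirectoryEntry()
    $computer.Put('description', $Description)
    $computer.SetInfo()   # access denied here means 'Write Description' was not delegated
}

Set-ComputerDescriptionStamp -Description (Get-ComputerDescriptionStamp)
```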

Computer Information Script

Now create a new Group Policy Object, linked to your USERS.

User Login Script Policy

Edit the policy, and navigate to;

User Configuration > Windows Settings > Scripts > Logon

User Login Script Group Policy

Add in the UNC path to the ComputerDescriptionLogonStamp.bat file. (Note: Make sure you use a UNC path to your Netlogon folder, and you do NOT browse locally to the file; if the path looks like C:\windows\sysvol\pnl.con\sysvol\ComputerDescriptionLogonStamp.bat IT WON’T WORK.)

User Login Script GPO

Close the Group policy editor, then either wait, or force a group policy update.

Windows – Forcing Domain Group Policy

Related Articles, References, Credits, or External Links

NA

Using 32 and 64 Bit WMI Filters For Group Policy


KB ID 0001341 Dtd 26/08/17

Problem

I was trying to deploy some client AV packages today, there was an x86 version (x32 Bit) and an x64 bit version of the client software. As I was deploying the software via Group Policy I needed to write a different policy for each package. Then I needed to make sure the x32 bit client only deployed to x32 bit machines, and the 64 bit client only deployed to x64 bit machines.

To do that you need a simple WMI filter.

Create an x86 (32 Bit) WMI Filter

Open the Group Policy Management Console (gpmc.msc) on a domain controller > Drill down to your domain > WMI Filter > New > Give it a sensible name (you will be picking it from a list) > Add > Paste in the following;

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '32'

Click OK > Accept the warning > OK.

x32 Bit WMI Filter

Create a 64 Bit WMI Filter

Open the Group Policy Management Console (gpmc.msc) on a domain controller > Drill down to your domain > WMI Filter > New > Give it a sensible name (you will be picking it from a list) > Add > Paste in the following;

SELECT AddressWidth FROM Win32_Processor WHERE AddressWidth = '64'

Click OK > Accept the warning > OK.

x64 Bit WMI Filter

Applying a WMI Filter to a GPO

With the group policy selected > Scope Tab > WMI Filtering > Select the appropriate filter.

Apply x32 Bit WMI Filter

Apply x64 Bit WMI Filter

Related Articles, References, Credits, or External Links

Windows 10 Create a WMI Filter for Group Policy

Windows Certificate Services ‘certsrv’ Website displays 403.14


KB ID 0001342 Dtd 31/08/17

Problem

I seem to get all the PKI/Certificate services problems! Yesterday I was trying to use the web enrolment portal on a certificate services server, and could not get in locally, (or remotely) via http, (or https) it simply showed me a 403.14 error.

HTTP Error 403.14 Forbidden

Solution

This was an odd one, in IIS Manager select the ‘Certsrv’ virtual directory > Advanced Options > And look at the ‘Path’.

CA Error 403.14

Mine was missing the ‘en-us’ folder from the end of the path!

Note: You will need to open an administrative command window, and then execute an iisreset command, before the change will take effect.

Related Articles, References, Credits, or External Links

NA

VMware ESXi Syslog Errors –‘System logs on host {host-name} are stored on non-persistent storage.’


KB ID 0000456 Dtd 01/09/17

Problem

Syslog Error Seen on ESXi 6.0 and 6.5

VMware Logs on non-persistent storage

System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5.1

ESXi 5.1 Syslog Error

Error Configuration Issues System logs on host {host-name} are stored on non-persistent storage.

Syslog Error Seen on ESXi 5

ESXi 5 Syslog Error

Error Configuration Issues System logging is not configured on host {host-name}.

Syslog Error Seen on ESXi 4

ESXi 4 Syslog Error

Error Configuration Issues Issue detected on {host-name}: Warning: Syslog not configured. Please check Syslog options under Configuration.Software.Advanced Settings.

Solution

Seen on ESXi hosts that boot from an internal SD card (or USB drive). ESXi likes to have some persistent storage to keep its logs on.

To stop this error you need to give it a location for the logs. That location is set up as follows;

ESXi (Post Version 6) Setting a Syslog Location

First, create a folder on some shared storage to save your logs into. Below you can see my datastore name is [iSCSI-RAID5-SAS], and I’ve created a folder called ‘Logs’.

VMware Central Logs Directory

Select the host with the error > Configure > Advanced System Settings > Type ‘Global’ in the search criteria > Locate Syslog.Global.LogDir > Select it > Edit.

VMware Global Log Directory

Once again, search for Global and change the location to [DATASTORE-NAME]Logs\HOST-NAME > OK.

Change VMware Global.LogDir

The error should cease immediately, without the need to restart anything.

ESXi (Pre Version 6) Setting a Syslog Location

With an ESXi host selected, Configuration > Advanced Settings > Syslog > Syslog.global.logDir.

Here you have two options,

Option 1 Store the Syslogs on the SD Card

Note: If you have built the ESXi Server from a manufacturer’s ESXi DVD (the HP build for example) there may not be enough room on the SD card for the logs.

In the example below, I’ve got an ESXi host, that’s running ESXi from an SD card (4GB) and I’ve put the syslog on there by using the default entry of;

[]/scratch/log

ESXi 5 Syslog Error

Click OK > After a couple of seconds the alert will disappear (without the need to reboot).

Option 2 Store the Syslogs on Local or Shared Storage.

ESXi 5 Putting the syslog onto a DataStore

With an ESXi host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder LOGS > OK.

ESXi Shared Syslog Folder

Note: In this example I’m storing the syslog on local storage (on the ESXi host). If you have shared storage, i.e. a SAN or NAS, I suggest you create a sub-folder for each ESXi host within the LOGS directory and set the path on each host accordingly. This will take effect without a reboot and the error should cease.

Syslog Location VMware ESX

ESXi 4 Putting the syslog onto a DataStore

In this case I created a syslog area on one of the shared data stores.

With an ESX host selected, Configuration > Storage > On a datastore, right click > Browse Datastore > Select the new folder icon > call the folder syslog > OK.

esxi 4 change syslog

Then select Advanced Settings > Syslog > Enter a value in the following format:

[datastore]/syslog/hostname.log

i.e. [Volume 3]/syslog/esx2.log

esx4 specify syslog location

Click OK, you should not need to reboot, the error should cease straight away.

Related Articles, References, Credits, or External Links

Original Article Written 22/11/12

Upgrading vSphere ESXi Hosts (Including HP and Dell)


KB ID 0001343 Dtd 02/09/17

Problem

Before you think about upgrading your hosts, you should upgrade your vCenter,

Upgrade vSphere vCenter Appliance to Version 6.5

Assuming that’s all done, your task now is to upgrade your hosts. If you have a vanilla VMware ESXi version installed, you COULD simply SSH into the host, and execute the following commands;

esxcli network firewall ruleset set -e true -r httpClient
esxcli software profile install -p ESXi-6.5.0-20170702001-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Well that’s great, but if you are using a custom ESXi image the process won’t even start; you simply get warned that this won’t work as it will break all the vendor specific drivers/software, (which is a good thing I suppose!)

Still, if you have a vendor modified copy of ESX what do you do? Well the following procedure will work for any version of the software, either vanilla VMware or HP/Dell/IBM etc. AND IT RETAINS ALL THE HOST SETTINGS, i.e. licences, vSwitches (standard and distributed), certificates etc.

Solution

I’ve got two hosts, one’s a Dell PowerEdge and the other an HP ProLiant. I’ve already upgraded the HP server, you will see that in the screenshots below; now I’m going to upgrade the Dell.

Before Starting;

  • Download the install .ISO file that has the newer version of the ESXi software.
  • vMotion all the VMs off the host being upgraded, (to save time).
  • If you have two hosts, (like me) you might want to temporarily disable HA and DRS on the cluster as well!

Connect to vCenter > Home.

vSphere Web Client Home

Update Manager.

vSphere Web Client Update Manager

Select the vCenter > Manage > ESXi Images > Import ESXi image.

vSphere Web Upload ESX Image

Browse to the .iso file you downloaded and upload it to update manager.

vSphere Web Upload Dell HP ESX Image

After a short pause you should see the image appear, (Note: you can see the HP one I uploaded earlier) > Select the one to deploy > Create Baseline.

vSphere Create Baseline

Give it a sensible name > OK.

vSphere Create Host Upgrade Baseline

Back in ‘Hosts and Clusters’ View > Select the Cluster > Update Manager > Attach Baseline.

vSphere Attach Baseline to Cluster

Select your new one > OK.

vSphere Attach Host Upgrade Baseline

Scan for updates > Select Upgrade Only > OK.

vSphere Scan for Upgrades

After a while, you will see your baseline saying ‘Non-Compliant’ > Select it > Remediate.

vSphere Remediate Host

Select the new baseline again > Next > Select the ‘Target Host’ to upgrade > Next > Accept the EULA > Next.

vSphere Update ESX Host

Next > Next.

vSphere Update ESX Host options

Next > Finish.

vSphere Upgrade ESX Host options

Watch the task bar > Remediation will start > The host will go into Maintenance mode, get upgraded, reboot, and be taken out of maintenance mode.

vSphere Host Remediation Progress

Here you can see my host is now upgraded. (Mine’s an older server, it took about 45 minutes).

Note: If you disabled HA, DRS etc, you will want to re-enable that now.

vSphere Host Remediated

 

Related Articles, References, Credits, or External Links

Upgrade vSphere vCenter Appliance to Version 6.5

VMware Upgrading the vSphere Virtual Center Appliance

VMware ESXi 5 – Applying Patches and Updates

Update VMware ESXi from 4.0 to 4.1

Upgrade ESX 3 to version 4.1.0

VMware Converter – Unable to Deploy Agent


KB ID 0001345 Dtd 11/09/17

Problem

I still think P2V conversions are cool, and I’ve been doing them since version 3! It seems though, every time I try and do one with the standalone converter, I get this error;

Cannot install vmware converter agent

VMware vCenter Converter Standalone
Unable to complete installation/uninstallation of converter agent on ‘{target}’

Solution

I always spend five minutes messing with firewalls, checking remote registry services, credentials, and the fix is nearly always the same;

Locate VMware-Converter-Agent.exe in C:\Program Files (x86)\VMware\VMware vCenter Converter Standalone, copy it to the target machine, and install it manually. Then try the conversion again.

If it gets this far, your problem is solved.

VMware Converter Certificate Error

Related Articles, References, Credits, or External Links

NA

FirePOWER – ‘DataPlaneInterface0’ is not receiving any packets


KB ID 0001344 Dtd 11/09/17

Problem

While replacing a FirePOWER Management console, I got this error;

FirePOWER Data Plane Interface0 not receiving any packets

Interface Status
Interface ‘DataPlaneInterface0’ is not receiving any packets

 

Solution

A look at the health monitor showed me the same thing;

FirePOWER Alert Data Plane Interface0 not receiving any packets

Firstly, common sense dictates that this is a live firewall and traffic is actually flowing through it? In my case the traffic simply needed to be ‘sent through’ the module. Execute the following, (or check for the presence of matching configuration);

access-list ACL-FirePOWER extended permit ip any any
class-map CM-SFR
 match access-list ACL-FirePOWER
 exit
policy-map global_policy
 class CM-SFR
  sfr fail-open
  exit
 exit
write mem

Note: Here I’m assuming you want to ‘fail-open’ i.e. not block traffic if the FirePOWER module fails, and you are inspecting ‘inline’ (not passively).

Then apply the cup of coffee rule, and ensure some traffic is sent via the firewall.

FirePOWER Alert fixed

 

Related Articles, References, Credits, or External Links

NA


VMware vSphere and ESXi – Create a ‘Logon Banner’


KB ID 0001346 Dtd 12/09/17

Problem

Before you create your logon banner it’s important to understand;

  • Where you want it to appear.
  • What the underlying file is actually called (on ESXi).

For access to the vSphere Web client (including the Flash client), the setting you want is ‘Login Banner’ (Note: vCenter 6.0 Update 2 or higher is required);

vSphere Legal Notice Banner

Using this you CAN FORCE, (but you don’t have to) a user to tick “I Agree..” to your banner before they can login.

This does not mean that vCenter does not have ‘Message of the Day’, it does, it just behaves a little differently, i.e.

How vCenter MOTD Displays

With the ESXi hosts there are essentially TWO files we are concerned with, the /etc/issue file and the /etc/motd* file, and they display in two subtly different places.

*Note: MOTD stands for message of the day.

The ‘Issue’ File

ESX Logon Issue Banner

The ‘motd’ file

ESX Logon MOTD Banner

You can use either one, (or both) to suit your requirements. 

Solution

Logon Banner Text Example

What you actually put in the banners is up to you, here are a couple of examples I’ve used in the past, feel free to copy and adapt them to suit your own requirements.

Example 1

/-------------------------------------------------------------\
|                      ! WARNING !                            |
|   Notice to All Users (Both Authorised or Unauthorised)     |
|                                                             |
|       You have accessed a private computer network.         |
|  Unauthorised access or use of this system is prohibited.   |
|                                                             |
|       If you are not authorised to use this system          |
|           please terminate access immediately.              |
|                                                             |
|     Any or all uses of this system and all data on this     |
|    system may be intercepted, monitored, recorded, copied,  |
|     audited, inspected, and disclosed to authorised sites   |
|     and law enforcement personnel, as well as authorised    |
|    officials of other agencies. By using this system, the   |
|     user consent to such disclosure at the discretion of    | 
|   authorised site personnel. Unauthorised or improper use   |
|  of this system may result in administrative disciplinary   |
|   action, civil and criminal penalties. By continuing to    | 
|     use this system you indicate your awareness of and      | 
|     consent to these terms and conditions of use. STOP      | 
|    IMMEDIATELY!!! if you do not agree to the conditions     | 
|                   stated in this warning.                   |
\-------------------------------------------------------------/

Example 2

**********************************************
***   You are responsible for all activity ***
***          Performed on this device      ***
***       All config changes are logged    ***
***                                        ***
***       For further Information          ***
***        Please Contact either           ***
***              IT Manager                ***
***                 or                     ***
***              Pete Long                 ***
**********************************************

Adding the vSphere Web Client Banner/Terms and Conditions

To get access to these settings you need to log into your PSC (Platform Services Controller).

https://{FQDN of vCenter or PSC}/psc

Configuration > Login Banner > Edit > Tick ‘Enabled’ > Tick ‘Checkbox Consent’, (to force them to tick “I Agree..”) > Enter a Title and the message/banner text to display > OK.

vSphere PSC Logon Banner

Adding the vSphere Web Client MOTD

Log into vSphere > Select the vCenter > Configuration > Message of the Day > Edit > Type in the text.

MOTD vCenter

Note: Remember this displays as a popup for users logged into vCenter, but as a ‘nag-message’ for anyone logging in in future.

Changing the ESX ‘Issue’ Banner

Log onto the ESX server > issue the following command ‘vi /etc/issue’ > Paste in your text > Save and exit the file > Restart the SSH daemon with the following command ‘/etc/init.d/SSH restart’.

vSphere Logon Issue Warning

Changing the ESX ‘MOTD’ Banner

Log onto the ESX server > issue the following command ‘vi /etc/motd’ > Paste in your text > Save and exit the file > Restart the SSH daemon with the following command ‘/etc/init.d/SSH restart’.

vSphere MOTD Warning

Changing Issue and MOTD banners from the vSphere Client

Yes you can do this in the vSphere client, the problem is, you can only paste in a block of text, so the fancy formatting I put in above will be lost. If that’s not a problem for you, then open the vSphere Client > Hosts and Clusters > Select the Host > Configure > Advanced System Settings > Edit > Search for ‘Config.etc’ > Change the Config.etc.issue and/or Config.etc.motd files as required.

vSphere Set MOTD Banner

 

Related Articles, References, Credits, or External Links

Using the VI Editor (For Windows Types)

Cisco Error ‘%PHY-4-SFP_NOT_SUPPORTED’


KB ID 0001347 Dtd 13/09/17

Problem

This is another question I see getting asked a lot in forums!

You see something like the following;

000032: *Sep 28 09:35:32.507 UTC: %PHY-4-SFP_NOT_SUPPORTED: The SFP in Gi3/0/50 is not supported (PNL-3750-Stack)
000033: *Sep 28 09:35:32.507 UTC: %PM-4-ERR_DISABLE: gbic-invalid error detected  on Gi3/0/50, putting Gi3/0/50 in err-disable state (PNL-3750-Stack)

The usual response is ‘Enable unsupported SFPs’, and while that sometimes is the answer, it’s not always the answer!

 

Solution

1. Firstly, check the modules and the switches. Are you trying to plug a 10GB SFP+ into a slot that only supports SFP, (that includes plugging a twinax cable into an old switch!) In your ‘show run’ you should see TenGigabitEthernet (if you’re using SFP+ modules). Some switches with network modules list the same interface twice (once as 10GB interfaces and once as 1GB interfaces, I’ve blogged about that before, see THIS ARTICLE), and to confuse things even further, the four interface versions are grouped as two pairs, with each pair consisting of one SFP slot and one SFP+ slot.

2. Make sure your cable is NOT a CAB-SFP-50CM, (unless you are connecting a 3560 to ANOTHER 3560).

3. Are you using a 2960-S? If so you may need to update the IOS to use SFP+ (assuming your model supports SFP+ not all 2960-S models do).

4. Are you plugging into a Nexus switch with a 1GB connection? If so check the other end for the following error;

Description: Gi1/1/15: This port has been disabled because Non Compliant Gigabit Interface Converter (GBIC) connector detected.

If so, you may need to manually set the speed on the 5K to 1000, (it won’t auto-sense).

5. Is it a non-cisco branded SFP? If so it may still work, (but you will get no joy if you log a TAC call) with the following commands;

Petes-SW(config)#service internal
Petes-SW(config)#no errdisable detect cause gbic-invalid
Petes-SW(config)#service unsupported-transceiver

If you are still in doubt check the Compatibility Matrix.

Related Articles, References, Credits, or External Links

NA

Updating FirePOWER Module (From ASDM)


KB ID 0001348 Dtd 14/09/17

Problem

Normally I don’t like upgrading the SFR this way. But then I tend to install new firewalls, set them up and walk away, so it’s easier (and a LOT quicker) to simply image the module to the latest version and then set it up.

Like So; Re-Image and Update the Cisco FirePOWER Services Module

This week I had an existing customer, who has an ASA5508-X but wasn’t using his FirePOWER. I’d installed the controller licence when I set it up originally, (as a safeguard in case the licence got lost, which nearly always happens!) The firewall was pretty much up to date but the SFR was running 5.4.0 (at time of writing we are at 6.2.2). So instead of imaging it I decided to upgrade it; this takes a LOOOOOOOONG TIME! (4-6 hours per upgrade) and you cannot simply upgrade straight to the latest version.

Thankfully this does not affect the firewall itself, (assuming you set the SFR to Fail Open).

FirePOWER Fail Open

Solution

First task is to find out what the latest version is, at time of writing that’s 6.2.2. Open the release notes for that version and locate the upgrade path, it looks like this;

ASA FirePower Upgrade Path

Well that’s a lot of upgrades! You may notice that there are some ‘pre-installation packages’. Sometimes when you go to the downloads section at Cisco these are nowhere to be found! This happens when a version gets updated; in the example above one of my steps is the 6.0.1 pre-installation package, this was nowhere to be found, so I actually used 6.0.1-29.

The files you need are the ones which end in .sh, i.e. Cisco_Network_Sensor_Patch-6.0.1-29.sh (DON’T Email me asking for updates, you need a valid Cisco support agreement tied to your Cisco CCO login.)

Once you have downloaded your update, login to the ASDM > Configuration > ASA FirePOWER Configuration > Updates > Upload Update.

ASA FirePower Update Via ASDM

Upload your update, (this can take a while).

ASA FirePower Update Via Image

When uploaded > Select your update > Install, (if the install needs a reboot accept the warning).

Note: This is a reboot of the FirePOWER module, NOT the Firewall.

Apply FirePower Update to Cisco ASA

You can follow progress (to a point) from the task information popup, (once the SFR module goes down you won’t see anything apart from an error, unless your version is 6.1.0 or newer, which shows a nice progress bar). So;

  1. Don’t panic: it looks like it’s crashed for hours – it’s fine.
  2. There are other things you can look at if you’re nervous.

Apply FirePower Upgrade to Cisco ASA

Monitoring FirePOWER upgrades

What I like to do is SSH into the firewall and issue the following command;

debug module-boot

Then you can (after a long pause of nothing appearing to happen!) see what is going on.

FirePOWER Upgrading

You can also (before it falls over because of the upgrade) look at Monitoring > ASA FirePOWER Monitoring > Task Status.

FirePOWER View Update Task

If you are currently running 6.1.0 or above you get this which is a little better.

FirePOWER Upgrade Task Progress 6.2.0

Or you can connect directly to the FirePOWER module IP (you will need to know the admin password) to watch progress.

FirePOWER Upgrade Task Progress Web Portal

Back at the firewall, if you issue a ‘show module’ command during the upgrade it looks like the module is broken! This will be the same for a few hours!

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b90  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b89  N/A          N/A          6.0.0-1005

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Not Applicable   6.0.0-1005

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Unresponsive       Not Applicable

MANY HOURS LATER

PETES-FW# show module

Mod  Card Type                                    Model              Serial No.
---- -------------------------------------------- ------------------ -----------
   1 ASA 5508-X with FirePOWER services, 8GE, AC, ASA5508            JAD2008761R
 sfr FirePOWER Services Software Module           ASA5508            JAD2008761R

Mod  MAC Address Range                 Hw Version   Fw Version   Sw Version
---- --------------------------------- ------------ ------------ ---------------
   1 00c8.8ba0.9b71 to 00c8.8ba0.9b79  1.0          1.1.8        9.7(1)
 sfr 00c8.8ba0.9b70 to 00c8.8ba0.9b70  N/A          N/A          6.0.1-29

Mod  SSM Application Name           Status           SSM Application Version
---- ------------------------------ ---------------- --------------------------
 sfr ASA FirePOWER                  Up               6.0.1-29

Mod  Status             Data Plane Status     Compatibility
---- ------------------ --------------------- -------------
   1 Up Sys             Not Applicable
 sfr Up                 Up

Related Articles, References, Credits, or External Links

NA

Exchange Bulk Export / Import Mail Contacts


KB ID 0001349 Dtd 22/09/17

Problem

I had to do this today and realised, it’s been so long since I did it last, I’d forgotten how to do it. Before we go forward, please be clear, I’m talking about MAIL CONTACTS, these are Active Directory Objects that have an Email address, but DO NOT have a mailbox in your Exchange Organisation, and DO NOT have an Active Directory User. I point this out because you can have MAIL USERS that have an Active Directory User Object and have an External Email address (i.e. a Gmail or Hotmail address) associated with the MAIL USER object.

Traditionally mail contacts are used to list outside mail addresses in your Global Address List (as mail users do), but they are also used as forwarding targets.

Solution

I was exporting from Exchange 2010, from the EMC run the following command;

Get-MailContact -ResultSize Unlimited | Select-Object DisplayName,Name,PrimarySmtpAddress | Export-Csv "C:\Contacts-Exported.csv"

Export Mail contacts

And there’s my file.

Export Mail contacts Exchange

You can see my exported CSV list is in DisplayName, Name, PrimarySmtpAddress format. You will need to do some work on it in Excel to get it into Name, FirstName, LastName, ExternalEmailAddress format, which is what the import command below expects.

Export Mail contacts Exchange to CSV

Once you have your CSV file ready, import it into the target Exchange server with the following command;

Import-Csv "C:\Contacts-Exported.csv" | ForEach-Object {New-MailContact -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName -ExternalEmailAddress $_.ExternalEmailAddress -OrganizationalUnit "OU=IMPORT,DC=PNL,DC=COM"}

Import Mail contacts Exchange from CSV

There’s my new contacts 🙂

Import Mail contacts Exchange from CSV
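The Excel step above can be done in PowerShell instead. The following is an added example, not code from the original post: it reshapes the exported CSV into the layout New-MailContact needs, drops rows with a missing or malformed address (one bad row otherwise aborts the import part way through), and previews the import with -WhatIf. The file paths and the target OU are assumptions.

```powershell
# Added example (not from the original post): reshape the exported contact list into the
# Name,FirstName,LastName,ExternalEmailAddress layout New-MailContact needs, then import it.
$ExportPath = 'C:\Contacts-Exported.csv'    # assumed: produced by Get-MailContact | Export-Csv
$ImportPath = 'C:\Contacts-Import.csv'      # assumed: reshaped file written by this script
$TargetOU   = 'OU=IMPORT,DC=PNL,DC=COM'     # assumed: OU that already exists in the target forest

# Build the import rows. DisplayName is split on the first run of whitespace into first/last;
# a single-word DisplayName goes entirely into LastName so the row is still valid.
$Rows = Import-Csv -Path $ExportPath | ForEach-Object {
    $parts = $_.DisplayName.Trim() -split '\s+', 2
    [pscustomobject]@{
        Name                 = $_.Name
        FirstName            = if ($parts.Count -eq 2) { $parts[0] } else { '' }
        LastName             = if ($parts.Count -eq 2) { $parts[1] } else { $parts[0] }
        ExternalEmailAddress = $_.PrimarySmtpAddress
    }
}

# Keep only rows whose address parses as an RFC 5322 mailbox; report the rest so nothing is silently lost.
$Valid   = @()
$Skipped = @()
foreach ($row in $Rows) {
    if ($row.ExternalEmailAddress -and ($row.ExternalEmailAddress -as [System.Net.Mail.MailAddress])) {
        $Valid += $row
    } else {
        $Skipped += $row
    }
}
$Valid | Export-Csv -Path $ImportPath -NoTypeInformation
"Prepared $($Valid.Count) contact(s); skipped $($Skipped.Count) with no usable address"
$Skipped | Format-Table Name, DisplayName, ExternalEmailAddress -AutoSize

# Import into the target organisation. -WhatIf only previews; remove it to create the contacts.
Import-Csv -Path $ImportPath | ForEach-Object {
    New-MailContact -Name $_.Name -FirstName $_.FirstName -LastName $_.LastName `
        -ExternalEmailAddress $_.ExternalEmailAddress -OrganizationalUnit $TargetOU -WhatIf
}
```

Run it in the Exchange Management Shell on the target server. The -WhatIf run is worth keeping as a first pass: New-MailContact fails on a Name that already exists in the target forest, and it is easier to spot duplicates in the preview than half way through a live import.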

Related Articles, References, Credits, or External Links

NA

Microsoft Exchange – Forwarding Mail To External Email Addresses


KB ID 0001350 Dtd 05/10/17

Problem

Note: Below I’m using Exchange 2016, but the same approach will work for previous versions.

There are a load of reasons why you might want to do this, but before you go off in this direction consider why you are doing this in the first place. For example, if the user requesting this does not need an Exchange mailbox, i.e. because they only use their Gmail account then it’s probably a better idea to make them a mail-user. (That’s an AD user account, that has an external mailbox, and does not have an Exchange mailbox). For staff e.g. external contractors, part time staff, holiday cover staff, Mail-users might be a better fit.

If you are still reading, you have a user with an Exchange mailbox and you want to forward their email to an address outside your organisation. There are many ways of enabling forwarding, but fundamentally there are only two things to consider;

  1. Do you still want mail to get delivered to their Exchange mailbox while forwarding?
  2. What is the external Email address you want to forward to?

Armed with this information you can decide what approach you want to take to achieve this.

 

Solution

Option 1: Get The User to Set Up Mail Forwarding in OWA

The best option for the lazy admin! “Oh, are you aware you can set this up yourself?” Even give them this URL as a walkthrough if you like 🙂

From within Outlook Web App open your ‘Options’

OWA Options 2016

Mail > Inbox and Sweep Rules > Inbox Rules > Add

Note: On older versions of OWA look in Organize email > inbox rules > Add.

OWA Inbox Rules

Give the rule a name > Set to [Apply to all messages] > Forward Redirect or Send > Forward Message To.

Note: Setting Redirect instead of Forward will NOT keep a copy in you local Exchange Mailbox.

OWA Forward Mail Rule

Enter the external email address to forward to > Save.

 OWA Forward Mail To External Address

OK.

2016 Forward Mail To External Address

Option 2: Enable Mail Forwarding In Exchange Admin Center

To forward mail externally for an ‘Exchange Mailbox User’, you need to create a ‘Contact’. A contact is an active directory object (not a user) that has an email address (in our case the external one). Log into Exchange Admin Center > Recipients > Contacts > Add > Mail Contact.

Exchange 2016 Forward Mail To External Address

Create a contact and give it a sensible name (so when it appears in the Global Address List it’s obvious what it is*)

*Note: You can hide them from the GAL if you like, with the following PowerShell;

Set-MailContact ALIAS-NAME -HiddenFromAddressListsEnabled $true

Exchange 2016 Mail contact

On the Mailbox Tab, locate the user you want to setup forwarding for, and edit them.

Mailbox Features > Scroll Down to ‘Mail Flow‘ > View Details > Tick ‘Enable Forwarding‘ > Browse to the CONTACT you created earlier > OK.

Note: You may also want to select “Deliver message to both forwarding address and mailbox”.

Exchange 2016 Enable Forwarding

Option 3: Setup Mailbox Forwarding With PowerShell

There’s a lot of rubbish written about this online, sites give you a line of PowerShell to paste in and it does not work, because there’s other things you need to do to make this work.

Example 1: Couldn’t find object “pete@externaldomain.com“. Please make sure that it was spelled correctly or specify a different.. 

If you setup mail forwarding using the ExternalEmailAddress you need to CREATE A CONTACT FIRST! Or you see the error above.

To Setup External Forwarding and Keep a Local Copy of the Email

Execute the following commands;

New-MailContact -Name Pete.Long-External -ExternalEmailAddress pete@externaldomain.com
Set-Mailbox -Identity "Pete.Long" -DeliverToMailboxAndForward $true -ForwardingAddress pete@externaldomain.com

Note: It’s the ‘$true’ that maintains the local copy.

Exchange 2016 PowerShell Enable Forwarding

To Setup External Forwarding and NOT Keep a Local Copy of the Email

Execute the following commands;

New-MailContact -Name Pete.Long-External -ExternalEmailAddress pete@externaldomain.com
Set-Mailbox -Identity "Pete.Long" -DeliverToMailboxAndForward $false -ForwardingAddress pete@externaldomain.com

Note: It’s the ‘$false’ that does not maintain the local copy.

Exchange 2016 PowerShell Enable Forward ALL

What about ForwardingSMTPAddress?

OK, there’s another parameter you can set, called ForwardingSMTPAddress (some blog posts call it ExternalSMTPAddress). When you set this you DON’T NEED A CONTACT. This sounds great, and again there are a load of blog posts that give you the PowerShell to set this for a user, AND IT DOES NOT WORK!

Note: If you setup mail forwarding using this method the forwarding address is NOT VIEWABLE IN THE GUI, if you have enabled keep a local copy, that IS viewable.

Example 2 : My ForwardingSMTPAddress Forwarder is not working?

What the other sites don’t tell you is that unless the target domain (the remote email address’s domain) is defined as a remote domain with AutoForwardEnabled set, forwarding has a habit of not working!

See Below to setup Mail forwarding with ExternalSMTPAddress properly.

To Setup External Forwarding and Keep a Local Copy of the Email

Execute the following commands;

Set-Mailbox -Identity "Pete.Long" -DeliverToMailboxAndForward $true -ForwardingSMTPAddress pete@externaldomain.com
New-RemoteDomain -Name ExternalDomain -DomainName externaldomain.com
Get-RemoteDomain ExternalDomain | Select-Object DomainName, AutoForwardEnabled

Note: It’s the ‘$true’ that maintains the local copy.

Exchange 2016 PowerShell Enable Forwarding SMTP

To Setup External Forwarding and NOT Keep a Local Copy of the Email

Execute the following commands;

Set-Mailbox -Identity "Pete.Long" -DeliverToMailboxAndForward $false -ForwardingSMTPAddress pete@externaldomain.com
New-RemoteDomain -Name ExternalDomain -DomainName externaldomain.com
Get-RemoteDomain ExternalDomain | Select-Object DomainName, AutoForwardEnabled

Note: It’s the ‘$false’ that does not maintain the local copy.

Exchange 2016 PowerShell Enable Forwarding SMTP ALL

Removing Mail Forwarding For a User

I won’t insult your intelligence and tell you how to do this in the GUI, just reverse the steps above, but remember that if you used ForwardingSMTPAddress you won’t see it in the GUI! To remove ALL forwarding for a user, use the following command;

Set-Mailbox -Identity "Pete.Long" -DeliverToMailboxAndForward $false -ForwardingSMTPAddress $null -ForwardingAddress $null

Showing Which User(s) Have Email Forwarding Enabled

Use the following commands;

Get-Mailbox | Where {$_.ForwardingAddress -ne $null} | Select Name, UserPrincipalName, ForwardingAddress, DeliverToMailboxAndForward
OR /AND
Get-Mailbox | Where {$_.ForwardingSMTPAddress -ne $null} | Select Name, UserPrincipalName, ForwardingAddress, ForwardingSMTPAddress, DeliverToMailboxAndForward

Show Email Forwarding for a Single User

Use the following command;

Get-Mailbox Pete.long | fl name,forwardingSMTPAddress,delivertomailboxandforward
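Because a ForwardingSMTPAddress forward is invisible in the GUI, it is easy to lose track of who is forwarding where. The following is an added example, not code from the original post: it combines the two Get-Mailbox queries above into one report, resolves a contact-based forward to the contact’s real external address, and looks up the remote domain entry (specific domain, or the ‘*’ default) that covers the target so you can see its AutoForwardEnabled value at the same time. The CSV output path is an assumption.

```powershell
# Added example (not from the original post): report every mailbox that forwards mail, by
# either method, with the resolved external address and the remote-domain setting that the
# ForwardingSMTPAddress method depends on. Run in the Exchange Management Shell.
function Get-ExternalForwardingReport {
    $RemoteDomains = Get-RemoteDomain

    Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ForwardingAddress -or $_.ForwardingSmtpAddress } |
        ForEach-Object {
            $mbx = $_
            $contactTarget = $null
            $smtpTarget    = $null

            if ($mbx.ForwardingAddress) {
                # ForwardingAddress points at a recipient object (normally the contact); fetch its external address.
                $rcpt = Get-Recipient -Identity $mbx.ForwardingAddress.ToString() -ErrorAction SilentlyContinue
                if ($rcpt -and $rcpt.ExternalEmailAddress) {
                    $contactTarget = $rcpt.ExternalEmailAddress.ToString() -replace '^smtp:', ''
                } else {
                    $contactTarget = $mbx.ForwardingAddress.ToString()   # internal recipient, or a dangling link
                }
            }
            if ($mbx.ForwardingSmtpAddress) {
                # This is the one the GUI does not show.
                $smtpTarget = $mbx.ForwardingSmtpAddress.ToString() -replace '^smtp:', ''
            }

            # Work out which remote domain entry applies to the target; '*' (Default) is the fallback.
            $checkAddress = if ($smtpTarget) { $smtpTarget } else { $contactTarget }
            $domain = ($checkAddress -split '@')[-1]
            $rd = $RemoteDomains | Where-Object { $_.DomainName.ToString() -eq $domain } | Select-Object -First 1
            if (-not $rd) {
                $rd = $RemoteDomains | Where-Object { $_.DomainName.ToString() -eq '*' } | Select-Object -First 1
            }

            [pscustomobject]@{
                Mailbox            = $mbx.Name
                UPN                = $mbx.UserPrincipalName
                ContactForwardTo   = $contactTarget
                SmtpForwardTo      = $smtpTarget
                KeepsLocalCopy     = $mbx.DeliverToMailboxAndForward
                RemoteDomainEntry  = $rd.Name
                AutoForwardEnabled = $rd.AutoForwardEnabled
            }
        }
}

$Report = Get-ExternalForwardingReport
$Report | Format-Table -AutoSize
$Report | Export-Csv -Path 'C:\Temp\forwarding-report.csv' -NoTypeInformation   # assumed output path
```

If a ForwardingSMTPAddress row shows AutoForwardEnabled as False for the entry that covers its domain, Set-RemoteDomain -Identity ExternalDomain -AutoForwardEnabled $true (using the name you gave the remote domain) is the setting that example 2 above is about. Running this report on a schedule is also a cheap way of noticing a forward that nobody on the helpdesk set up.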

 

Related Articles, References, Credits, or External Links

NA

Exchange 2010 – EMC Error ‘GetSteppablePipeline execution of scripts is disabled’


KB ID 0001351 Dtd 05/10/17

Problem

Seen when attempting to open the Exchange Management Console;

EMC-error GetSteppablePipeline

Exception calling “GetSteppablePipeline: with “1” argument(s): File C:\ProgramFiles\Exchange Server\v14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because the  execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.”

Solution

This is usually caused by an update rollup, and can be easily fixed by running the following command at an administrative PowerShell session.

Set-ExecutionPolicy RemoteSigned -scope LocalMachine

Set PowerShell Execution Policy

Note: Sometimes you may get an error message;

Set-ExecutionPolicy : Access to the registry key ‘HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\ShellIds\Microsoft.PowerShell’ is denied.

If that happens launch regedit.exe navigate to the above value and change it from ‘Restricted’ to ‘Unrestricted’.

Related Articles, References, Credits, or External Links

NA

Microsoft IIS – Stop Getting Indexed By Search Engines


KB ID 0001352 Dtd 07/10/17

Problem

If you have a publicly facing website and you DON’T want it indexed by the major search engines, then this is the post for you. Why would you want this? Well, you might have a development server that you don’t want appearing in people’s search results, or you might be hosting files and folders that need to be publicly available, but again you don’t want those files and folders showing up in people’s Google/Bing search results.

Solution

From ‘Administrative Tools’ open ‘Internet Information Services (IIS) Manager’ > Select the Server > HTTP Response Headers.

IIS HTTP Reponse Headers

Add  > Name = X-Robots-Tag > Value = noindex > OK.

Stop IIS Being Indexed

Then from an administrative command window run ‘iisreset’.

IISreset
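The same change can be scripted, which is handy when you have several servers to do, and scripting lets you verify the result rather than trusting the dialog. The following is an added example, not code from the original post: it sets the server-wide X-Robots-Tag header with the WebAdministration module, updating it if one already exists, restarts IIS, and then confirms the header is present on a real response. The test URL is an assumption.

```powershell
# Added example (not from the original post): add X-Robots-Tag: noindex at the server level
# (inherited by every site) and prove it is actually being sent.
Import-Module WebAdministration

$PSPath = 'MACHINE/WEBROOT/APPHOST'                     # server level, same place IIS Manager writes to
$Filter = 'system.webServer/httpProtocol/customHeaders'
$Header = 'X-Robots-Tag'
$Value  = 'noindex'

$existing = Get-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name Collection |
            Where-Object { $_.name -eq $Header }

if ($existing) {
    # Header already defined: update its value rather than adding a duplicate entry.
    Set-WebConfigurationProperty -PSPath $PSPath -Filter "$Filter/add[@name='$Header']" -Name value -Value $Value
} else {
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' -Value @{ name = $Header; value = $Value }
}

iisreset | Out-Null

# Verification: what matters is the header on the wire, not the line in applicationHost.config.
$TestUrl = 'http://localhost/'                          # assumed: any URL served by this box
$resp = Invoke-WebRequest -Uri $TestUrl -UseBasicParsing
if ($resp.Headers[$Header] -eq $Value) {
    "$Header is being sent on $TestUrl"
} else {
    Write-Warning "$Header missing on $TestUrl (site-level customHeaders may be overriding the server setting)"
}
```

One caveat worth being clear about: X-Robots-Tag is an instruction that well-behaved crawlers honour, not an access control. A development server that must not be reachable by strangers still needs authentication or an IP restriction in front of it; the header only keeps it out of search results.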

Related Articles, References, Credits, or External Links

NA


Cisco AnyConnect – Running ‘Logon Scripts / OnConnection Scripts’


KB ID 0001353

Problem

I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked. 

After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.

Why would you want to do this? You might want to map or reconnect a network drive, or perform anything that’s usually achievable with a login script.

Solution

1. First make sure you have your script, I’m using a simple batch file but you can also use .vbs. As you can see my script just maps a drive (s:) to a network share on the machine you are looking at.

Note: I’ve used an IP address rather than a DNS name, there’s nothing wrong with using a DNS name, providing your remote AnyConnect clients are able to resolve that hostname.

Note2: I’m also embedding the username and password in the drive mapping request. This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the server wouldn’t otherwise be able to authenticate the request. Bear in mind the script is downloaded to every client and stored on disk in the clear (see the troubleshooting section below for where), so those credentials should belong to a dedicated account that has no more rights than that share needs.

AnyConnect Script

2. To ‘embed’ this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select ‘Script runs when client connects’ > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.

ASDM Import AnyConnect Script

3. The script won’t run unless scripts are allowed in the VPN Client Profile. Note: You may, or may not, already have a client VPN Profile > Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (if you don’t know which one, connect with an AnyConnect client and see what is shown under ‘Group’) > OK.

ASDM Create AnyConnect Profile

4. Edit your policy.

ASDM Edit AnyConnect Profile

5. Preferences (Part 2) > Tick ‘Enable Scripting‘ > Tick ‘User Controllable‘ (Note: this just lets a user untick enable scripting in their client software) > OK.

ASDM AnyConnect Logon Script

6. Save the changes > Apply > File > Save Running Configuration to Flash.

ASDM Save Changes

Troubleshooting AnyConnect OnConnect / Logon Scripts

If there’s a problem (i.e. it does not work), your first task is to make sure the client actually received the script; the client saves it in the following location.

%ALLUSERSPROFILE%\Cisco\Cisco AnyConnect VPN Client\Script

AnyConnect Script Troubleshooting

Connect your AnyConnect client, then execute each of the commands in the script locally to see why it’s not working.
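The following is an added example, not code from the original post, for doing that troubleshooting step on the client: it checks that something landed in the script folder, shows what it contains, warns if it carries embedded credentials (as the batch file in this article does), and tests that the file server is reachable on the SMB port over the tunnel, which is the usual reason a drive mapping fails. The file server address is an assumption.

```powershell
# Added example (not from the original post): client-side checks for an AnyConnect OnConnect script.
# Run in PowerShell on the client while the VPN is connected.
$ScriptDir = Join-Path $env:ALLUSERSPROFILE 'Cisco\Cisco AnyConnect VPN Client\Script'
$ShareHost = '192.168.100.5'   # assumed: the server the script's net use line maps a drive from

if (-not (Test-Path -Path $ScriptDir)) {
    Write-Warning "Script folder not present: $ScriptDir (client never received a script)"
    return
}

$scripts = Get-ChildItem -Path $ScriptDir -File
if (-not $scripts) {
    Write-Warning "Folder exists but is empty; check 'Enable Scripting' in the client profile and re-connect"
    return
}

foreach ($s in $scripts) {
    "--- $($s.Name)  ($($s.Length) bytes, written $($s.LastWriteTime))"
    $body = Get-Content -Path $s.FullName -Raw
    $body
    # A stored password means anyone with access to this folder on any client has it too.
    if ($body -match '(?i)/user:') {
        Write-Warning "$($s.Name) contains embedded credentials; keep that account tightly scoped"
    }
}

# The mapping can only succeed if SMB on the file server is reachable through the tunnel.
$tcp = Test-NetConnection -ComputerName $ShareHost -Port 445
if ($tcp.TcpTestSucceeded) {
    "SMB (445) reachable on $ShareHost; if the map still fails, run the net use line by hand and read its error"
} else {
    Write-Warning "SMB (445) NOT reachable on $ShareHost; check the split-tunnel ACL / routing before blaming the script"
}
```

If the folder is empty the problem is on the ASA side (profile not applied, scripting not enabled, or the script imported for the wrong platform); if the file is there and 445 is open, run the commands from the script one at a time exactly as the article suggests.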

Related Articles, References, Credits, or External Links

NA

AnyConnect Error –‘Failed To Get Configuration From Secure Gateway’


KB ID 0001354

Problem

Saw this while attempting to connect to my ASA this week.

Failed to get configuration from secure gateway

AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator

Solution

Well luckily I’d just made a change so I could focus on the right area straight away. I’d been messing around with the profile xml file associated with my AnyConnect GroupPolicy. If you take a look at my profile below you will see it’s not associated.

Note: If you select change group policy mine wouldn’t apply, it failed with an error trying to delete a profile I’d used in the past.

AnyConnect Group Policy Missing

So to fix the problem I’m going to need to log on at command line, let’s make sure my new profile is listed;

Petes-ASA# show run webvpn
webvpn
 enable outside
 anyconnect-essentials
 anyconnect image disk0:/anyconnect-macos-4.4.03034-webdeploy-k9.pkg 1
 anyconnect image disk0:/anyconnect-win-4.4.03034-webdeploy-k9.pkg 2
 anyconnect profiles AnyConnect-VPN-Profile disk0:/anyconnect-vpn-profile.xml
 anyconnect enable
 tunnel-group-list enable

Note: You can ‘show flash‘ and make sure the file is in flash memory as well.

I will list all my group-policies, and you can see the last one has a profile that’s associated with it that no longer exists (it’s not in flash memory either).

Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
 vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
 dns-server value 192.168.100.10
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ikev1
 password-storage enable
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
 wins-server none
 dns-server value 8.8.8.8 8.8.4.4
 vpn-simultaneous-logins 3
 vpn-tunnel-protocol ssl-client
 split-tunnel-policy tunnelall
 split-tunnel-network-list value SPLIT-TUNNEL
 default-domain value petenetlive.com
 split-tunnel-all-dns enable
 webvpn
 anyconnect mtu 1398
 anyconnect profiles value PNL-Profile type user
 anyconnect ssl df-bit-ignore enable

It’s easy to remove it.

Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles

Then simply add the correct one back in, and save the changes.

Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profile type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787

23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]

Now if you ‘refresh’ your ASDM, you will see it displays correctly again;

AnyConnect Group Policy Profile Fixed

 

Problem Solved.

Related Articles, References, Credits, or External Links

AnyConnect Error: ‘The AnyConnect package on the secure gateway could not be located’

Cisco AnyConnect Error: ‘The VPN client driver has encountered an error’

Cisco AnyConnect Error: ‘The client could not connect because of a secure gateway address failure. Please verify Internet connectivity and server address’

AnyConnect Error:  ‘The secure gateway has rejected the connection attempt, No assigned address’

Cisco AnyConnect Error: (Mobile Devices)

ADMT Password Export Server Error: Invalid Password!


KB ID 0001355

Problem

Seen when trying to install the ‘ADMT Password Export Server Service’, whilst doing a domain migration;

ADMT Error-supplied-password-does-not-match

Invalid Password!

The supplied password does not match this encryption key’s password. ADMT’s Password Migration Filter DLL will not install without a valid encryption key.

Solution

At first I assumed I was suffering from ‘fat fingers‘ and just entering the wrong password, (or the Caps Lock was on.) However, it became apparent that this was not the case. I attempted to generate a new file by re-running the command on the ADMT server;

admt key /option:create /sourcedomain:{source-domain} /keyfile:"C:\PES.pes" /keypassword:{password}

Same error. The only way I could get this to work was to cancel the install, launch an administrative command window, and then run the installer (the ‘en-US_pwdmig.msi’ file) from within that administrative window.

Related Articles, References, Credits, or External Links

ADMT (Active Directory Migration Tool) Domain Migration – Part 1

Exchange ‘Cross Forest’ Mail Migrations


KB ID 0001356

Problem

PeteNetLive is full of Exchange Migration walkthroughs, going all the way back to Exchange 2003. But what if you are migrating to another forest? Well for small migrations you can of course export mail from the old Exchange Server, and them import it into the new mailbox in the new domain/forest (usually via .PST files). I’ll provide links at the bottom of the page, if that’s what you would prefer to do.

Earlier this year, I got involved with a client that was migrating many domains into one, and this method seemed a better fit for them. The process/screenshots below are taken from my testing and proof of concept for this project.

Cross Forest Mail Migrate

As you can see, (above) I’ve got a source Exchange server, (Running Exchange 2010) in domaina.com, and I’ve got a target Exchange server, (Running Exchange 2016) in domainz.com

Note: You may guess from the server names, these are also domain controllers, (this is not recommended in a production environment!) My old Exchange server is also running Certificate Services, which will become apparent below.

 

Solution

The service that does all the ‘heavy lifting’ is the Microsoft Exchange Mailbox Replication Service. Our first task is to get it running on the legacy Exchange server. Open the Exchange Shell and execute the following command;

Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyConnections 50

Enable MRSPRoxy Exchange 2010

Ensure the service is running;

MRSPRoxty Exchange 2010 Running

The front end of the MRS service is presented via IIS, and it’s secured with HTTPS, so it will use the certificate you have already presented (i.e. the same one used for OWA). Therefore the new (target) Exchange server needs to trust that certificate. If you have a publicly signed certificate from a third party vendor, you don’t need to import anything and can skip this step.

The World is Full of People Who are Scared of Certificates! I have no idea why. For a certificate to work, you need to TICK TWO BOXES;

  • BOX ONE: You need to trust the Certificate Authority that issued the certificate. (The issuer is printed on the certificate, and in most cases its CA certificate can be extracted from the web certificate’s chain as well.) This is the CA certificate of the issuer, NOT the certificate you see in OWA.
  • BOX TWO: The certificate will have a name on it, either the common name or a subject alternative name (within the certificate); it will look something like owa.your-domain.com, or *.your-domain.com for example. That name must be resolvable via DNS, and must also be the hostname you are browsing to.

Below, I’m simply importing the Root CA Certificate, from DomainA into my Exchange server on DomainZ.

Note: Start > Run > mmc.msc > File > Add/Remove Snap-in > Certificates > Local Computer.

Import Trusted Root Cert

In production, I’d setup conditional forwarding between the two domains to handle DNS, but in this case I’m being lazy and just putting the FQDN of the Exchange 2010 server in the Exchange 2016’s hosts file, (old school eh!)

To Setup Conditional Forwarding; Take a look at the first three steps in this article.

Exchange Hosts File

Providing you have done everything correctly, you should be able to ‘browse’ from Exchange 2016, to Exchange 2010, to the following URL, and not receive any certificate errors, it should look like this;

https://servername.domain-name.com/EWS/mrsproxy.svc

Note: If you get any certificate/untrusted errors, fix them before proceeding.

MRSProxy Certificate Errors
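Rather than eyeballing the browser, those two boxes can be checked from the target server before you start staging. The following is an added example, not code from the original post: it confirms the legacy server’s name resolves (hosts file or DNS) and that 443 is open, then requests the mrsproxy.svc URL so that the TLS handshake validates the chain and the name. Any HTTP status back (including a 401, which is normal for that endpoint) means the certificate checked out; a trust or name failure surfaces as an exception with no HTTP response. Finally it asks Exchange itself to test the remote move endpoint with the source-forest credentials. The legacy server FQDN is an assumption, and $Rcred is the credential object cached later in this article.

```powershell
# Added example (not from the original post): pre-flight checks for a cross-forest move,
# run in the Exchange Management Shell on the target (Exchange 2016) server.
$LegacyFqdn = 'dc2a.domaina.com'                         # assumed: the name on the legacy server's certificate
$Url        = "https://$LegacyFqdn/EWS/mrsproxy.svc"

# BOX TWO, part 1: the name must resolve (this honours the hosts file as well as DNS).
try {
    $addrs = [System.Net.Dns]::GetHostAddresses($LegacyFqdn)
    "$LegacyFqdn resolves to $($addrs.IPAddressToString -join ', ')"
} catch {
    Write-Warning "$LegacyFqdn does not resolve; add a conditional forwarder or hosts entry"
    return
}

# BOX TWO, part 2: HTTPS must be reachable.
$tcp = Test-NetConnection -ComputerName $LegacyFqdn -Port 443
if (-not $tcp.TcpTestSucceeded) { Write-Warning "TCP 443 closed to $LegacyFqdn"; return }

# BOX ONE: the chain must be trusted and the name must match. A response of any status
# proves the handshake succeeded; an exception with no Response object means TLS failed.
try {
    $r = Invoke-WebRequest -Uri $Url -UseBasicParsing -ErrorAction Stop
    "Certificate OK; endpoint answered HTTP $($r.StatusCode)"
} catch {
    if ($_.Exception.Response) {
        "Certificate OK; endpoint answered HTTP $([int]$_.Exception.Response.StatusCode) (401 is expected here)"
    } else {
        Write-Warning "TLS failure talking to $Url : $($_.Exception.Message)"
        Write-Warning "Untrusted issuer or name mismatch: import the CA certificate / use the name on the certificate"
        return
    }
}

# Let Exchange try the MRS proxy the way a move request will, using the source-forest admin credential.
if (-not $Rcred) { $Rcred = Get-Credential -Message 'Administrative account in the SOURCE forest' }
Test-MigrationServerAvailability -ExchangeRemoteMove -RemoteServer $LegacyFqdn -Credentials $Rcred
```

Test-MigrationServerAvailability reports a Result of Success or Failed with the underlying error message, which is usually more specific than the ‘FailedOther’ you get from a batch later on.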

Pre-Staging the Cross Forest MailBox Migration

Actually moving the mailboxes is a ‘two-step’ procedure: first you pre-stage the move, which creates a Mail User* in the new domain.

*Note: A Mail User is a little like a Contact insofar as both have external email addresses (i.e. ‘username@domaina.com’ while the mail user lives in domainz.com, until the mailbox is migrated). The difference between a Mail User and a Contact is that a Mail User has a logon name and a password. Once migrated, the Mail User is converted into a User Mailbox in the new domain, and the User Mailbox back in the old domain is converted into a Mail User in domaina.com with an email address of username@domainz.com. This (while being cool) allows mail flow between the domains during the migration, assuming your DNS is all set up correctly, of course.

The following procedure is carried out on the new Exchange server, open an Exchange Shell Window and execute the following command;

$Rcred = Get-Credential

Then supply an administrative account in the SOURCE, (remote) domain.

Cache Exchange Credentials

Repeat the procedure, but this time use Lcred;

$Lcred = Get-Credential

Then supply an administrative account in the TARGET, (local) domain.

Cache Exchange Credentials Local

Exchange has a script to do the staging for you; it’s in the Exchange install directory, in the ‘Scripts’ folder. Mine is on the C: drive, but the path to yours may be different (depending on how you installed Exchange). Once located, change to the directory that the Prepare-MoveRequest.ps1 script is in, i.e.;

cd "C:\Program Files\Microsoft\Exchange Server\V15\Scripts"

Note: V15 denotes Exchange 2013 and 2016.

Change to Scripts Directory

Now execute the following command (this is all one command if it gets wrapped);

.\Prepare-MoveRequest.ps1 -Identity "username@domaina.com" -RemoteForestDomainController dc2a.domaina.com -RemoteForestCredential $Rcred -LocalForestDomainController dc1z.domainz.com -LocalForestCredential $Lcred -TargetMailUserOU "OU=Migrated,DC=domainz,DC=com"

Note: This assumes you have created the OU to migrate into! And, (as you can see in the example below,) I’m using the public email address of my user, not the internal one, (it doesn’t matter).

Prepare Cross Forest Mailbox Move
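For a migration of any size you will not want to type that once per user. The following is an added example, not code from the original post: it runs Prepare-MoveRequest.ps1 for every identity in a CSV, confirms a Mail User actually appeared in the target forest before counting the row as a success, and writes a results file you can hand back to the project. The CSV path, domain controllers and OU are assumptions; $Rcred and $Lcred are the credentials cached above, and $env:ExchangeInstallPath is the variable Exchange 2013/2016 setup defines on the server.

```powershell
# Added example (not from the original post): bulk pre-stage from a CSV with one
# column, Identity, holding each user's email address. Run in the Exchange Management
# Shell on the target server after caching $Rcred and $Lcred.
$Users     = Import-Csv -Path 'C:\Temp\users-to-migrate.csv'     # assumed input file
$RemoteDC  = 'dc2a.domaina.com'                                   # assumed source-forest DC
$LocalDC   = 'dc1z.domainz.com'                                   # assumed target-forest DC
$TargetOU  = 'OU=Migrated,DC=domainz,DC=com'                      # assumed, must already exist
$ScriptDir = Join-Path $env:ExchangeInstallPath 'Scripts'
$Log       = 'C:\Temp\prestage-results.csv'                       # assumed output file

if (-not $Rcred -or -not $Lcred) { throw 'Cache $Rcred (source) and $Lcred (target) with Get-Credential first' }

Set-Location -Path $ScriptDir
$Results = foreach ($u in $Users) {
    try {
        $ErrorActionPreference = 'Stop'   # the script is not guaranteed to honour -ErrorAction, so set the preference
        .\Prepare-MoveRequest.ps1 -Identity $u.Identity `
            -RemoteForestDomainController $RemoteDC -RemoteForestCredential $Rcred `
            -LocalForestDomainController  $LocalDC  -LocalForestCredential  $Lcred `
            -TargetMailUserOU $TargetOU | Out-Null

        # Do not trust a silent run: the mail user must now exist locally with the source address.
        $mu = Get-MailUser -Identity $u.Identity
        [pscustomobject]@{ Identity = $u.Identity; Status = 'Staged'; Detail = $mu.ExternalEmailAddress.ToString() }
    } catch {
        [pscustomobject]@{ Identity = $u.Identity; Status = 'Failed'; Detail = $_.Exception.Message }
    } finally {
        $ErrorActionPreference = 'Continue'
    }
}

$Results | Export-Csv -Path $Log -NoTypeInformation
$Results | Format-Table -AutoSize
"Staged: $(($Results | Where-Object Status -eq 'Staged').Count)   Failed: $(($Results | Where-Object Status -eq 'Failed').Count)"
```

Failed rows can simply be re-run after you fix whatever the Detail column complains about (a typo in the identity, or an OU that does not exist are the usual ones); re-staging an already staged user is harmless.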

Execute Cross Forest Mailbox Migration

Now the mailboxes are ‘pre-staged’ we can select them for migration, in the new Exchange environment, Recipients > Migration  >Add > Move to this forest.

Cross Forest Mailbox Move

Add.

Cross Forest Migration Batch

Select the User(s) > Add > OK.

Exchange Cross Forest Migration Batch

Next.

 

Exchange 2016 from 2010

Enter the administrative credentials for the source domain > Next.

Migration source domain credentials

Enter the FQDN, of the legacy server, (use the SAME NAME that’s on the certificate) > Next.

Cross Forest Mailbox Source

Give the migration ‘Batch’ a name > Set the ‘target’ email domain > Select the target Exchange Database, (and Archive database if applicable) > Next.

Note: If you keep getting failed migrations, that say ‘FailedOther‘ then you can raise the bad item limit, and large item limits.

Cross Forest Mailbox Settings

Select a user to get the mail notification > Select ‘Automatically Complete Migration Batch’ (or it will stop at 95% and you will have to complete this manually) > New.

Cross Forest Mailbox Move

You can now view progress in the ECP (a bit buggy and slow to update) or by running ‘Get-MoveRequest | Get-MoveRequestStatistics’.

 If there’s a problem, both the ECP (Exchange Control Panel) and EMS (Exchange Management Shell) should give you a clue. You can remove and rerun a migration on a failed user and nothing will break! Sometimes you need to raise the bad item limit or make sure the source mailbox isn’t too large before proceeding for example. (Use the search box at the top of the page, I’ve posted a lot of Mailbox Move problems).

Related Articles, References, Credits, or External Links

Exchange 2007 / 2010 – Export Mailbox’s to PST files

Exchange 2003 – Exporting Mail to .pst files with ExMerge

Exchange (2010 Post SP1 and Newer) Bulk Importing Mail From PST Files

Mac OSX: Creating ‘Password Protected’ Zip Files


KB ID 0001357

Problem

Me to the office: Does anyone know how to create a password protected Zip file on a Mac?

Reply: Use Windows

Well actually this advice is ‘bobbins!’ Windows still can’t do this without installing an application (I would recommend 7-Zip). But with a Mac of course you can 🙂

Solution

First open a Terminal window, then ‘change directory’ to the folder that contains the uncompressed file(s) or folder(s) you want to Zip.

Changing Directory With Spaces In Your Foldernames

I thought I’d better put this here, if you have spaces in your folder names, you use the following syntax;

Mac OSX Change Directory Foldername with a space

And repeat if you have multiple spaces like so;

Mac OSX Change Directory Foldername with spaces

Mac OSX: Create a Normal Zip File

Before we try and password protect a Zip, file let’s see how to create a simple one;

zip -r {Archive-Name}.zip {Folder-or-Filename-To-Add}

MAC Compress Folder to Zip in Terminal

Mac OSX: Adding Password Protection To Zip Files

Use the following syntax;

zip -e {Archive-Name}.zip {Folder-or-Filename-To-Add}

Enter and confirm the password. Note: the -e option uses the legacy ZipCrypto scheme, which is known to be weak; it will keep a casual reader out, but for anything sensitive use a tool that offers AES encryption (7-Zip does) and send the password by a separate channel.

MAC OSX Create Password Protected Zip File

Related Articles, References, Credits, or External Links

NA
