Quickie: Powershell not just for work

June 21st, 2013 No comments

I installed Microsoft Lync couple monts ago at one customer. He asked me when his licence will expire. I knew date when Lync was installed (28/2/2013) and expiration period for Microsoft Lync server (180 days). I used power of shell (powershell) to check it out:

Get-Data AddDays

How cool is that? I really love powershell 🙂

Categories: Powershell, Quickie Tags: ,

Nastroj na pripravu systemu

June 8th, 2013 2 comments

image

Trvalo mi nejaky ten cas kym som pochopil (vsimol si v zatvorke), ze “Nastroj na pripravu systemu” je po nasom SysPrep 🙂

Naco to prekladaju? Len s tym matu nepriatela. 🙂

ARP protokol alebo ako sa stat guru u zakaznikov

June 6th, 2013 3 comments

Uz dlhsie som rozmyslal ci napisat dany clanok a az teraz som sa rozhodol, ze ano. A ze dokonca bude po slovensky 🙂 aj ked bez diakritiky. Pokusim sa vam popisat tri situacie ked som bol povolany do boja proti neposlusnej sieti. A taktiez ako som ich poriesil pomocou porozumeniu ARP protokolu (Address Resolution Protocol).

1. pripad

Bol to moj prvy pripad v terajsom zamestnani. Zakaznik mal siet o rozsahu 192.168.0.0/24. Dosli mu IP adresy, tak sa rozhodol rozsirit IP rozsah zmenou sietovej masky na /23. Cize servery na serveroch a aktivnych prvkoch, o ktorych ITckari vedeli, prehodli sietovu masku na /23. Taktiez na DHCP pool-e zmenili sietovu masku na /23. A vtedy sa zacali problemy. Prejavovalo sa to nasledovne. Ked na klientskom PC dali pingat IP adresu servera, tak presli 2 pingy a 3 sa stratili, 2 pingy presli a 3 sa stratili,…atd. Bolo to zaujimave. Nastartoval som WireShark a napisal filter ARP. Vtedy som si vsimol nieco zaujimave na sietej komunikacii. Zacal som pingat server na lokalnej sieti. Predtym ako sa poslal ICM Request, tak sa poslal ARP Request. Dostal som ARP Reply, naco som nasledne poslal ICMP Request na MAC adresu ziskanu ARP Reply (MAC adresa servera). Po dvoch ICMP Requestoch dosla dalsia ARP Reply z uplne inej MAC adresy ako bola MAC adresa servera. A kedze Windows very kazdej MAC Reply (vsak ako by sme robili Man-In-the-Middle?), tak zacal moj komp posielat ICMP Request na novu MAC adresu. A ta, samozrejeme, neodpovedala. Takze preto par pingov preslo a par nepreslo.

Riesenie

Problem spocival v tom, ze lokalny ITckari nezmenili IP rozsahy na vsetkych zariadeniach. Zabudli na to, ze maju v sieti este nejake zabudnuty Cisco router a na tom nezmenili sietovu masku. A na Cisco zariadeniach je defaultne zapnute Proxy ARP. Kedze si zakaznik rozsiril IP rozsah, a klientsky DHCP pool sa presunul do noveho rozsahu, mimo 192.168.0.0/24, tak pre Cisco routery tieto IP adresy boli mimo ich rozsah, takze sa chovali presne ako sa od nich ocakava, ked je zapnute Proxy ARP. Cize podvrhuju svoju MAC adresu, pretoze sa “pokusia” dorucit paket pre IP adresy mimo ich lokalny rozsah. Viac o Proxy ARP.

2. pripad

Inokedy som bol prizvany ku dalsiemu problemu. Popis od zakaznika znel tak, ze blbne im IP telefonia a Slovak Telecom, od koho mali IP Telco ustrednu, nema ziaden problem. Ze maju vsetko zelene 🙂 Tak som vyrazil na hodinovu cestu. Pri dojdeni na miesto som sa pozeral na zaujimavy stav. Stal som v kancelarii a telefony blikali ako v zlom filme o hackeroch 🙂 Zelene telefony boli v poriadku a svietiace na cerveno boli v zlom stave. Ich stavy sa nahodne menili a blikalo to cele v kancelarii ako ked sa strasny hacker infiltruje do siete FBI 🙂 Tu som bol za guru ako nikdy predtym, pretoze som zapol notebook, nastartoval WireShark, nastavil IP adresu z rozsahu pre IP telefoniu a hned po cca 20 paketoch ARP protokolu som videl nasledovne:

IP duplicity

Riesenie

Takze bolo potrebne len vystopovat danu MAC adresu, ktora mala nastavenu rovnaku IP adresu ako IP telco ustredna a vsetko bolo v poriadku. Na koniec sme zistili, ze dana MAC adresa patrila jednemu ITckarovi 😀 Takze sumar dna: 1 hodina cesta ku zakaznikovi, 10 sekund najdenie dovodu vypadkov, 2 minuty najdenie pachatela, 30 minut vymyslanie pribehu pre management a 1 hodina cesta domov 🙂

3. pripad

Bol to rovnaky zakaznik ako v pripade cislo 2. Mali problem s citackami ciarovych kodov v sklade. Pri telefonate som zistil, ze citacky ciarovych kodov maju v rovnakej VLANe ako PCcka a telefoniu. Problem bol, ze vypadavalo z citaciek pripojenie na SAP server v serverovej VLANe. Ked sme dali pingat dany server z klientskeho PC, tak vypadavali pingy na server a dokonca aj na vlastnu default gateway. Router nemal ziadne vytazenie (<1%). Co bolo divne. Takze sme nastartovali WireShark. A pri zadani filtra ARP som spozoroval, ze pomedzi ARP spravy, ktore tam mali byt som videl ARP spravy tykajuce sa IP rozsahu VLANy v ktorej su tlaciarne a tlacovy server. Co bolo celkom divne. Tak som si nastavil druhu IP adresu z rozsahu tlacovej VLANy a zistil som, ze ked pingnem tlacovy server, tak idem na priamo a nie cez router. Takze problem bol detekovany hned, mali domiesane VLANy.

Riesenie

Ked som si nastavil druhu IP adresu z rozsahu tlacovej VLANy, tak som mohol na switchoch dohladat kde sa dane VLANy domiesali/zoskratovali. 🙂 Takze siel som switch za switchom az som dosiel na nejaky lacny TP Link na ktorom bol vypnuty Spanning Tree Protocol. Tak som ho skonfiguroval a zrazu sa siet prebrala a zacala robit co mala. Pri dalsej analyze som zistil, ze u zakaznika mala dojst nejake navsteva a kedze upratovali nezapojene LAN kable, tak iniciativni ludia ich pozapajali kde prislo. Tym sa zmiezali VLANy a taktiez sa spravili slucky na switchoch, ktore nemali STP zapnuty a tak vznikali slucky/broadcast stormy a dalsie prejavy “zoskratovaneho prepinaca”.

Takze tolko som sa chcel podelit s mojimi skusenostami ako sa stat sietovym guru v ociach zakaznika. Dokonca niektore problemy poriesit do 5 minut 🙂 Samozrejme sa musim podakovat mojemu dobremu ucitelovi sieti, ktory mi dal velmi dobre zaklady – Peter Palúch. Dakujem Peto!

Failing VMTools installation

April 29th, 2013 No comments

Problem

When I was installing VMTools on Windows Professional 2000 server I received weird error:

VMTools installation error

Server didn’t specify any error so I tried to dig into it.

Solution

When you do the installation of application, most of the time, this application installation unpacks its sources into temporary location. So I have looked into %temp% directory while error windows was displayed and I found one directory with actual date. So I have looked into it and I found couple files. One of them was called VMware Tools.msi. I tried to run VMware Tools.msi and it worked out.

I hope this saves someone time 🙂

Quickie: How to clear all port statistics on Brocade switches

April 23rd, 2013 5 comments

During one migration I wanted to clear out all port statistics on Brocade switch. I couldn’t find any command which would clear statistics for all port and I had to do it one by one 🙁

portstatsclear 0
portstatsclear 1
portstatsclear 2
portstatsclear 3
portstatsclear 4
portstatsclear 5
portstatsclear 6
portstatsclear 7
portstatsclear 8
portstatsclear 9
portstatsclear 10
portstatsclear 11
portstatsclear 12
portstatsclear 13
portstatsclear 14
portstatsclear 15

So I posted this article so I can copy and paste commands to the switch 🙂

 

Categories: Quickie Tags: , ,

Problems with CPU in incompatible error during VMWare vMotion

April 23rd, 2013 14 comments

One of our users reported problems with vMotion after firmware upgrade of IBM server. Firmware were upgraded using BOMC (utility to create ISO images to upgrade IBM server to the lastest versions available).

After upgrade user was not able to do vMotion. They received following error:

Host CPU is incompatible with the virtual machine’s requirements at CPUID level 0x1 register ‘ecx’.

CPU is incompatible

After couple minutes of googling I found out following official articles:

Based on information there is change when you do firmware upgrade. Sometime (from some version) AES feature is Enabled and sometime is disabled. This setting cannot be changed in BIOS and this is really sad. So let’s look at the way you can change it.

In second mentioned article IBM suppose to download some prepared ISO image called BoMC-2.20-uEFI-AesEnable-to-enabled-vmotion-fix.iso. But I couldn’t find this ISO image. So I had to use other way around. I downloaded IBM Advanced Setting Utility. I downloaded and installes version for Windows 64b. You need your RSA card to be accessible through network. Then you can run following command to check actual value:

asu64.exe showvalues UEFI.AesEnable –host RSA_IP_ADDRESS –user RSA_USER –password RSA_PASSWORD

AES showvalue

You can check it on all ESX servers. To decide whether feature should be enabled or disabled you this article. We need to change it to the same setting using following command:

asu64.exe set UEFI.AesEnable Disable –host RSA_IP_ADDRESS –user RSA_USER –password RSA_PASSWORD

set AES

When values are the same on all ESX server you are able to do vMotion. I was kinda mad on IBM, because I would preffer to change this value in BIOS instead of some application.

Fun: Internet Explorer 6 or 10?

April 19th, 2013 No comments

I was browsing at Brocade website lot last couple days, but when I accessed it from my Internet Explorer 10 I received following warning:

 

IE10 or IE 6

 

I thin Internet Explorer is out for a quite time, so Broacade had time to “implement” it on its website 🙂

 

ESET Smart Security makes problems when migrating computers between domains

April 13th, 2013 6 comments

I was facing weird problem with computers when I was trying to migrate computer accounts between two active directory domains. When you use ADMT to migrate computer accounts, ADMT installs ADMT Agent on computer and this ADMT Agent makes all changes during computer account migration.

Problem

When there was computer with ESET Smart Security installed I had following problems. First problem was that migration failed and in ADMT log file I received following error:

2013-04-12 16:29:54 The Active Directory Migration Tool Agent will be installed on CENTRALA.DOMAIN.LOCAL
2013-04-12 16:29:59 WRN1:0000 Could not open SCManager on \\CENTRALA.DOMAIN.LOCAL : GetLastError() returned 5
2013-04-12 16:29:59 WRN1:7015 Failed to connect to the service control manager on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.
2013-04-12 16:29:59 ERR2:7006 Failed to install agent on \\CENTRALA.DOMAIN.LOCAL, rc=5   Access is denied.

 So error number 5 means I have no rights somewhere. After reading couple pages of ADMT documentation I found out that ADMT installs ADMT Agent using Admin share called ADMIN$. So I tried to access ADMIN$ share on computer CENTRALA.DOMAIN.LOCAL. I received following error:

Problem with NETLOGON service

I have never seen such an error:”An attempt was made to logon, but the network logon service was not started.”. I checked services on computer CENTRALA.DOMAIN.LOCAL and Windows was right. Service NETLOGON was Disabled!

Solution

I had to temporary turn off ESET Smart Security (I would preffer not use this software at all 🙂 ) and also enable and start service NETLOGON.

Conclusion

Every computer I migrated and had installed ESET Smart Security had the same problems. So IMHO ESET Smart Security has changed service NETLOGON to Disabled. I really don’t understand why this is necessary, but I think it’s not right way “smart security product” should protect your computer.

I found one article about disabling NETLOGON service as security practice. It’s maybe good security practice, but there is also pitfall stated on websie:

If you disable the NetLogon service, a workstation no longer functions reliably as a domain member. This setting may be appropriate for some computers that do not participate in domains. However, it should be carefully evaluated before deployment.

I’m wondering what other functions are not available when NETLOGON disabled (besides not accessible ADMIN$ share) on domain member computer.

I hope this helps someone 🙂

Exchange 2010 and aditional Active Directory sub-domain/child domain

April 13th, 2013 No comments

We had Active Directory domain called DOMAIN.LOCAL. There was Exchange 2010 installed. It was fully functional. After some time I added new sub-domain/child domain SUB.DOMAIN.LOCAL and migrated users with mailboxes from DOMAIN.LOCAL to SUB.DOMAIN.LOCAL.

Problem

When users from SUB.DOMAIN.LOCAL logged into OWA they received following view:

OWA Error

Error stated: Exception message: Could not find any available Domain Controller in domain DC … so problem is probably in the way Exchange locates domain controllers. When users clicked F5 or refreshed website, he could see his e-mails normally.

There was also event 2130 logged on Exchange server saying Exchange Active Directory Provider could not find an available domain controller in the domain.

Solution

When you want to install Exchange into Active Directory domain, you need to prepare forest and also domain before you install it. You use setup.com (from installation DVD of Exchange) with some switches (for example /PrepareSchema, /PrepareAD,…). So new added domain SUB.DOMAIN.LOCAL to existing AD Forest was not prepared for Exchange implementation. I ran following command setup.com /PrepareDomain:SUB.DOMAIN.LOCAL:

PrepareDomain

If you have more then one domain to prepare for Exchange, you can use command setup.com /PrepareAllDomains.

The best way to run /PrepareDomain or /PrepareAllDomains is:

  • to be logged domain controller with role Schema Admin
  • to be member of Enterprise Admins group
  • to be member of Schema Admins group

I hope you will not make same mistake as I did 🙂

 

Exchange read-only mailbox rights

April 11th, 2013 1 comment

Couple of days I’ve got question from my friend if there is way to setup Exchange mailbox to be Read-only for other users in company. I never needed it, because when someone else needed to access other’s mailbox, I just set FullAccess rights on mailbox and everythin worked fine.

Testing scenario

Exchange 2010

Tester user called Tester with following content of mailbox:

Tester mailbox

Tester user called Tester02 wich wants to access whole mailbox of user Tester, but Read-only.

When I set Reviewer for user Tester02 on mailbox Tester under Outlook:

Reviewer permissions

Problem

When I connect Tester’s mailbox into Tester02’s Outlook profile I can see following:

Inbox view

So I can see only Inbox. I don’t see any folder underneath it. We can check this permissions also using Powershell:

Get-MailboxFolderPermission

When we look on mailbox folder permissions underneath Inbox, for example “Inbox\My friends” folder, we can see following:

Permission on subfolder

This means that mailbox folder permissions are not inherited. So we can set permission per folder. So let’s test to add permission to folder Inbox and subfolder “My friends”:

Set-Folder Permissions

and now we can see also subfolders under account Tester02:

Accessible subfolders

This means that using Outlook or powershell commandlet Add-MailboxFolderPermission can set permissions only on one folder and these settings are not inherited! This is really weird. I couldn’t find any setting to allow inheritance.

Another way to set permissions of mailbox folders is set permissions on whole mailbox. This can be set by users which have rights to manage exchange mailboxes. Let’s look on powershell cmd-let Add-MailboxPermission. This cmdlet allows you to set just following access rights: FullAccess, SendAs, ExternalAccount, DeleteItem, ReadPermision, ChangePermision and ChangeOwner. Neither one of these rights define Read-only access to mailbox.

Solution

So there is no easy way to share whole mailbox between users in read-only manner. Only way I can think of is to run some powershell script. For example:

Add-MailboxFolderPermission tester -User tester02 -AccessRights Reviewer

 

ForEach($folder in (Get-MailboxFolderStatistics -Identity tester) )

{

$fname = “tester:” + $folder.FolderPath.Replace(“/”,”\”);

Add-MailboxFolderPermission $fname -User tester02 -AccessRights Reviewer

}

where “tester” is account with shared mailbox and “tester02” is account which want to access shared mailbox.

After this powershell commands are done, Tester02 can see Tester’s mailbox:

 

Shared mailbox accessible

 

But when user Tester creates new folder in his mailbox, user Tester02 will not see it unless user Tester sets permissions on new mailbox folder.

I hope guys from Microsoft will solve this issue in next release of Exchange. 🙂