Use PowerShell to Remotely Enable Firewall Exceptions

Posted by robd on October 18, 2018
powershell / No Comments

Got this today while connecting to Event Viewer on a remote Windows 10 machine:

To Fix remotely:
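The command the post used is not reproduced here, so as an added example (my code, not the original post's) here is how I would script the fix over PowerShell Remoting: enable the rule group that remote Event Viewer needs on the target, but only for the Domain profile, and read the rules back to confirm. It assumes WinRM already reaches the target and that you are a local administrator there; the computer name is a placeholder you supply.

```powershell
# Added example, not from the original post: enable the Windows Firewall rule
# group that remote Event Viewer needs on a remote Windows 10 machine, limited
# to one firewall profile, then report what is now enabled. Assumes WinRM
# already works to the target and that you are an admin on it.
param(
    [Parameter(Mandatory)] [string] $ComputerName,                       # placeholder, e.g. 'WS10-PC01'
    [string[]] $DisplayGroup = @('Remote Event Log Management'),         # Event Viewer over RPC
    [ValidateSet('Domain', 'Private', 'Public')] [string] $FirewallProfile = 'Domain'
)

$rules = Invoke-Command -ComputerName $ComputerName -ScriptBlock {
    param($groups, $profileName)

    # Enable only the rules scoped to the chosen profile (or to Any) so the
    # exception does not follow a laptop onto public networks.
    Get-NetFirewallRule -DisplayGroup $groups |
        Where-Object { $_.Profile -eq 'Any' -or (($_.Profile -split ',\s*') -contains $profileName) } |
        Enable-NetFirewallRule

    # Report back what is now enabled for those groups
    Get-NetFirewallRule -DisplayGroup $groups |
        Select-Object DisplayGroup, DisplayName, Enabled, Profile, Direction
} -ArgumentList $DisplayGroup, $FirewallProfile

$rules | Sort-Object DisplayGroup, DisplayName | Format-Table -AutoSize
```

Run it as `.\Enable-RemoteEventLogFirewall.ps1 -ComputerName WS10-PC01` (script name is mine). Other MMC snap-ins have their own groups ("Remote Service Management", "Windows Management Instrumentation (WMI)") which can be passed via -DisplayGroup; keep the profile restricted rather than enabling the rules for all profiles.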



Office 365/Outlook 2016 with MFA and the dreaded Password prompt of doom

Posted by robd on October 12, 2018
Exchange Online / No Comments

We recently started implementing Multi-Factor Authentication with Office 365, and today I ran into a weird issue while working from home.

Laptop – Windows 10 1703

Outlook 2016 – 16.0.7726.1049

While opening Outlook 2016 I was prompted for my 365 credentials (over and over again) without any MFA prompt.

The prompt would not go away and Outlook would not connect.

So I checked

OWA – https://outlook.office365.com/owa – worked with no problem, and I was prompted for MFA.

Teams – local install, worked without bother, with an MFA prompt.

So I went to Azure Active Directory and could see loads of failed attempts:

Specifically: User did not pass MFA challenge (non Interactive)

So my guess was that Outlook wasn't prompting me for MFA for whatever reason. I tried a new Outlook profile, which wouldn't connect, and the following registry entries to try to force Outlook back to basic authentication:

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\EnableADAL
DWORD value 0

HKCU\SOFTWARE\Microsoft\Office\16.0\Common\Identity\DisableADALatopWAMOverride
DWORD value 1

None of this worked, so I went all out and did the following, which fixed the issue:

  1. Sign out of Office 365:
    1. Open Word.
    2. In the upper-right corner of the Office 2016 app, click your name, and then click Switch Account.
    3. On the Accounts screen, click Sign out.
    4. Locate the account that you want to remove, and then click Sign out.
  2. Remove the cached credentials in Credential Manager:
    1. Open Control Panel, and then click Credential Manager.
    2. Under Windows Credentials, remove all the accounts under Generic Credentials.
  3. Clear cached credentials on the computer from the registry:
    1. Click Start, click Run, type regedit, and then click OK.
    2. In Registry Editor, locate, back up and then delete the following registry subkey:

  4. Launch Word and sign in to Office 365 (it logged in without issue).

  5. Launch Outlook. This time I was prompted for MFA, which I approved on my phone, and I was in.


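The Credential Manager clean-up above is click-heavy on more than one machine, so as an added example (my script, not part of the original post) here is a scripted version: it parses `cmdkey /list`, shows the Office entries it would remove, deletes them only when asked, and exports the Identity registry key the post edits before you delete anything under it. The `MicrosoftOffice16_Data` target prefix is the one Office 2016 uses for its cached tokens on machines I have seen; treat it as an assumption and confirm it against your own `cmdkey /list` output. Note that the post's first attempt, EnableADAL = 0, switches Office from modern authentication back to legacy auth, so it is a security downgrade rather than a fix; the script leaves that value alone.

```powershell
# Added example, not from the original post: script the "remove cached
# credentials" step. Lists Credential Manager entries whose target starts
# with a prefix, deletes them only with -Delete, and backs up the Office
# Identity registry key first. The default prefix is an assumption; confirm
# it with 'cmdkey /list' on your own machine.
param(
    [string] $TargetPrefix = 'MicrosoftOffice16_Data',
    [switch] $Delete
)

function Get-CredentialTargets {
    # Parse 'cmdkey /list'. Generic entries appear as
    # "Target: LegacyGeneric:target=<name>", domain ones as "Target: Domain:target=<name>".
    param([string] $Prefix)
    cmdkey /list | ForEach-Object {
        if ($_ -match '^\s*Target:\s*(?:LegacyGeneric|Domain):target=(.+)$') {
            $name = $Matches[1].Trim()
            if ($name -like "$Prefix*") { $name }
        }
    }
}

# Back up the key the post edits before anything under it is removed
$identityKey = 'HKCU\Software\Microsoft\Office\16.0\Common\Identity'
$backup = Join-Path $env:TEMP ('Office-Identity-{0:yyyyMMdd-HHmmss}.reg' -f (Get-Date))
reg.exe export $identityKey $backup /y | Out-Null
"Registry backup written to $backup"

$targets = @(Get-CredentialTargets -Prefix $TargetPrefix)
if (-not $targets) { "No Credential Manager entries start with '$TargetPrefix'"; return }

foreach ($t in $targets) {
    if ($Delete) {
        cmdkey "/delete:$t" | Out-Null      # removes the cached token/credential
        "Deleted $t"
    } else {
        "Would delete $t (re-run with -Delete)"
    }
}
```

Run it once without -Delete to see what would go, then with -Delete; sign out of Office first as in step 1, otherwise the running apps simply write the entries back.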

WSUS – Updates not downloading updates

Posted by robd on October 11, 2018
WSUS / No Comments

Had this very annoying issue on the WSUS console where updates would just get stuck downloading.

The fix was really very simple, although I tried a variety of things that didn't work first.

The fix:

Stop the following services (I actually had to disable them and reboot, as they wouldn't stop):

Then delete this folder:

Restart the services and Bob's your uncle.


What didn't work, but might for you (or me in the future):

Find the failed update:

From the WSUS management console, go to Updates -> All Updates, search for the approved updates and add the File Status column; you can then see which updates are still downloading.

Updates whose download never completes can be declined.

or

Look for these events and decline the update:

Or

Cancel all updates from PowerShell

Then let them download again, keep an eye on which one is struggling, and decline it.

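The "cancel all downloads" command itself is not on the page, so here is an added example (my script, not the post's) that does that step and the two around it through the WSUS administration API: report how much content is outstanding, list approved updates whose files are not yet on the server, cancel and resume all downloads, and decline one update by title so a single stuck package stops blocking the rest. It assumes Server 2012 or later with the UpdateServices module; the use of `IUpdate.State` other than `Ready` as "files not yet downloaded" is my assumption to confirm against the API reference.

```powershell
# Added example, not from the post: WSUS administration API from PowerShell.
# Run elevated on the WSUS server (UpdateServices module, Server 2012+).
param(
    [string] $DeclineTitleLike,      # e.g. '*Feature update*'; empty = decline nothing
    [switch] $CancelAndResume
)
Import-Module UpdateServices
$wsus = Get-WsusServer               # local server, default port

function Get-WsusDownloadSummary {
    # Bytes still to fetch and how many updates are waiting for content.
    $p = $wsus.GetContentDownloadProgress()
    [pscustomobject]@{
        DownloadedBytes      = $p.DownloadedBytes
        TotalBytesToDownload = $p.TotalBytesToDownload
        UpdatesNeedingFiles  = $wsus.GetStatus().UpdatesNeedingFiles
    }
}

function Get-WsusUpdatesWaitingForFiles {
    # Approved, not declined, and (assumption) a State other than Ready means
    # WSUS has not finished downloading the update's files.
    $wsus.GetUpdates() | Where-Object {
        $_.IsApproved -and -not $_.IsDeclined -and $_.State -ne 'Ready'
    } | Select-Object Title, State, CreationDate,
        @{ n = 'KB'; e = { $_.KnowledgebaseArticles -join ',' } }
}

Get-WsusDownloadSummary | Format-List
Get-WsusUpdatesWaitingForFiles | Sort-Object CreationDate | Format-Table -AutoSize

if ($CancelAndResume) {
    # "Cancel all updates from PowerShell": stop every download, then queue
    # them again so the one that never moves stands out.
    $wsus.CancelAllDownloads()
    Start-Sleep -Seconds 10
    $wsus.ResumeAllDownloads()
}

if ($DeclineTitleLike) {
    $toDecline = $wsus.GetUpdates() | Where-Object { $_.Title -like $DeclineTitleLike -and -not $_.IsDeclined }
    foreach ($u in $toDecline) {
        $u.Decline()                 # declined updates are neither downloaded nor offered
        "Declined: $($u.Title)"
    }
}
```

Declining is the right lever here: a declined update is no longer downloaded or offered to clients, whereas merely removing the approval leaves the download job in place.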
Or

Reset WSUS content:

1) Correct any settings above or disapprove any unneeded updates.

2) Close any open WSUS consoles.

3) Go to Administrative Tools – Services and STOP the Update Services service.

4) In Windows Explorer browse to the WSUSContent folder (typically D:\WSUS\WSUSContent or C:\WSUS\WSUSContent)

5) Delete ALL the files and folders in the WSUSContent folder.

6) Go to Administrative Tools – Services and START the Update Services service.

7) Open a command prompt and navigate to the folder: C:\Program Files\Update Services\Tools.

8) Run the command WSUSUtil.exe RESET

Or

Check the permissions on the WSUSContent folder: NETWORK SERVICE and the WSUS Administrators group should have Full Control.

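The content reset and the permissions check above are the two steps most worth scripting, so here is an added example (mine, not from the post) that does both: it reports whether NETWORK SERVICE and WSUS Administrators have Full Control on the content folder and, only when run with -Reset, stops the WSUS service, empties the folder, starts the service and runs `WsusUtil.exe reset`. The content path and tools path are the defaults named in the post and are assumptions to confirm for your server.

```powershell
# Added example, not from the post: scripted "Reset WSUS content" plus the
# WSUSContent ACL check. Run elevated on the WSUS server after closing any
# open consoles. WARNING: -Reset deletes every downloaded update file and
# WSUS then re-downloads everything that is approved.
param(
    [string] $ContentPath = 'D:\WSUS\WSUSContent',                              # assumption
    [string] $WsusUtil    = "$env:ProgramFiles\Update Services\Tools\WsusUtil.exe",
    [switch] $Reset                                                             # report only without it
)

function Test-WsusContentAcl {
    # NETWORK SERVICE (the WSUS service account) and the local WSUS
    # Administrators group both need Full Control, or downloads stall.
    param([string] $Path)
    $acl = Get-Acl -Path $Path
    foreach ($who in 'NT AUTHORITY\NETWORK SERVICE', "$env:COMPUTERNAME\WSUS Administrators") {
        $rule = $acl.Access | Where-Object {
            $_.IdentityReference.Value -eq $who -and
            $_.AccessControlType -eq 'Allow' -and
            $_.FileSystemRights -match 'FullControl'
        }
        [pscustomobject]@{ Identity = $who; FullControl = [bool]$rule }
    }
}

Test-WsusContentAcl -Path $ContentPath | Format-Table -AutoSize

if ($Reset) {
    if (-not (Test-Path $WsusUtil)) { throw "WsusUtil.exe not found at $WsusUtil" }

    # Steps 3-5: stop the Update Services service and wipe the content, keeping
    # the folder itself (and therefore its ACL) in place.
    Stop-Service -Name WsusService -Force
    Get-ChildItem -Path $ContentPath -Force | Remove-Item -Recurse -Force

    # Steps 6-8: start the service and tell WSUS to re-verify and re-download
    # every file it believes it already has.
    Start-Service -Name WsusService
    & $WsusUtil reset
}
```

Run it without -Reset first; if either identity shows FullControl = False, fix the ACL before resetting, since a wipe with a broken ACL just reproduces the stuck downloads.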
Or

Reindex the SQL DB:

https://gallery.technet.microsoft.com/scriptcenter/6f8cde49-5c52-4abd-9820-f1d270ddea61


Direct Access – IPSec Issue

Posted by robd on October 10, 2018
Direct Access / 2 Comments

Had an odd issue with our DirectAccess servers today; we kept getting the following error:

“There is no valid certificate to be used by IPsec which chains to the root/intermediate certificate configured to be used by IPsec in the DirectAccess configuration.”

After a day or two of not doing anything about it, we couldn't even open the DirectAccess console:

Or see any of the settings in PowerShell:

So what's the issue? It turns out our certificates had been renewed, namely our root and intermediate certificates, and the DirectAccess console didn't know what to do with them.

So to fix it, I need to update the cert in the DirectAccess configuration.

Open PowerShell and find the cert you want to use (the root or intermediate cert you used before):

Then set this cert:

Open the DirectAccess console and give it a try.

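As an added example (my script, not the commands from the post), here is the find-and-set procedure with the check the error message is really about: it locates the renewed CA certificate in the machine Root or CA store, confirms that a machine certificate with a private key actually chains to it, and only then points DirectAccess at it with `Set-DAServer -IPsecRootCertificate`. The subject filter is a placeholder for your own CA name.

```powershell
# Added example, not from the post: select the renewed root/intermediate CA
# cert, verify the server's own certificate chains to it, then update the
# DirectAccess IPsec root certificate. Run elevated on the DirectAccess server.
$subjectFilter = 'CN=Contoso*'   # placeholder: match your root or intermediate CA subject

function Get-IPsecCaCertificate {
    # The CA cert may be in Root (self-signed root) or CA (intermediate).
    param([string] $Filter)
    $certs = Get-ChildItem -Path Cert:\LocalMachine\Root, Cert:\LocalMachine\CA |
        Where-Object { $_.Subject -like $Filter -and $_.NotAfter -gt (Get-Date) } |
        Sort-Object NotAfter -Descending
    if (-not $certs) { throw "No unexpired CA certificate matching '$Filter' found" }
    $certs[0]
}

function Test-ChainsTo {
    # Return the first machine cert with a private key whose chain contains the
    # CA cert; "no valid certificate ... which chains to the root/intermediate"
    # is exactly the condition the console complained about.
    param([System.Security.Cryptography.X509Certificates.X509Certificate2] $Ca)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'   # offline check; DA does revocation itself
    foreach ($cert in Get-ChildItem Cert:\LocalMachine\My | Where-Object HasPrivateKey) {
        $built = $chain.Build($cert)
        $thumbs = $chain.ChainElements | ForEach-Object { $_.Certificate.Thumbprint }
        if ($built -and ($thumbs -contains $Ca.Thumbprint)) { return $cert }
    }
    $null
}

$ca = Get-IPsecCaCertificate -Filter $subjectFilter
$ca | Format-List Subject, Issuer, Thumbprint, NotBefore, NotAfter

$leaf = Test-ChainsTo -Ca $ca
if (-not $leaf) { throw 'No machine certificate chains to that CA; enrol one before changing DirectAccess' }
"Machine cert $($leaf.Thumbprint) chains to $($ca.Subject)"

# Point DirectAccess at the renewed CA and read the setting back
Set-DAServer -IPsecRootCertificate $ca
Get-DAServer | Select-Object -ExpandProperty IPsecRootCertificate
```

If the renewed chain now terminates in a different root, the clients need that root too, otherwise the IPsec tunnels fail on their side for the mirror-image reason.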

Disable Dedup

Posted by robd on September 23, 2018
powershell, Server 2012 / No Comments

How to disable Dedup:

First, an important point about disabling dedup (via the GUI or PowerShell): disabling it only stops further deduplication from occurring, i.e. data that has already been deduplicated remains deduplicated.

If you want to “move” the data back into the original files and out of the deduplication store (the Chunk Store), you need to run the following PowerShell command:

You can check on its progress with:

Here's another gotcha: the Chunk Store (love that name) will not get smaller until you run two more jobs, GarbageCollection and Scrubbing. GarbageCollection finds and removes unreferenced chunks, and Scrubbing performs an integrity check, but neither will run unless dedup is enabled on the volume, so enable dedup again:

Then run garbage collection:

Once the Chunk Store has shrunk, disable dedup:


Microsoft Dedup

Posted by robd on September 22, 2018
Server 2012 / No Comments

I posted about Microsoft Dedup recently and thought I should mention how to set up dedup.

Data deduplication reduces the space used on a volume by storing each unique chunk of data once in a chunk store and replacing duplicated file contents with references to those chunks; to the end user the files look exactly the same.

Microsoft does not recommend dedup on database files such as .edb, .mdf and .ldf. The feature helps reduce storage costs when it is applied to the right data, such as file shares and home folders.

Below are the recommendations by data type:

Recommended: file servers, VHD files, software repositories, backups and other static data.
Not recommended: virtualization hosts, WSUS, database servers, or any data that changes very frequently.

Requirements

  • Windows Server 2012 operating system
  • At least 4 GB of RAM
  • 1 CPU core and 350 MB of RAM for every 1.5 TB of data
  • Must be a non-system volume (system and boot volumes are not supported)
  • Mapped drives (via net use) are not supported; it must be a local volume
  • Must be NTFS on an MBR or GPT partition
  • Not supported on the ReFS file system

To install the deduplication feature, use Server Manager: Add Roles and Features > Server Roles > File and Storage Services > File and iSCSI Services > Data Deduplication.

Or PowerShell

Run the PowerShell commands below:

To install the feature:
To turn on deduplication for a volume (where E: is the volume):
To set the minimum file age before deduplication:
To get a list of deduplicated volumes:
To get dedup status:
To start a dedup job manually:
To get the current dedup schedule:

How to calculate dedup rate

Installing the Data Deduplication feature also installs DDPEVAL.exe in C:\Windows\System32. This tool lets you determine whether deduplication would be effective for your data.

DDPEVAL.exe can be copied from any server running Windows Server 2012 R2 or Windows Server 2012 to systems running Windows Server 2012, Windows Server 2008 R2, or Windows 7, and used to estimate the savings you would get if deduplication were enabled on a particular volume or folder.

To use:

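The individual commands are missing from the page, so here is an added example (my script, not the post's) that walks the whole setup in one go, in the order I would actually do it: estimate first with DDPEVAL, then install, enable, exclude the database file types the post warns about, set the minimum file age, and kick off the first optimization. E: and E:\Shares are placeholders, and the 3-day minimum age is just a sample value.

```powershell
# Added example, not from the post: install and configure Data Deduplication on
# one volume, after estimating savings with DDPEVAL. Run elevated on the file
# server. Volume letter, share path and file age are placeholders.
$volume   = 'E:'
$evalPath = 'E:\Shares'                 # folder whose savings you want estimated

# Install the role service; this also provides the Deduplication module and DDPEVAL.exe
Install-WindowsFeature -Name FS-Data-Deduplication
Import-Module Deduplication

# Estimate before enabling anything. DDPEVAL only reads; it changes no data.
$report = Join-Path $env:TEMP ('ddpeval-{0}.txt' -f $volume.TrimEnd(':'))
& "$env:SystemRoot\System32\ddpeval.exe" $evalPath -o $report
Get-Content $report

# Turn on deduplication for the volume
Enable-DedupVolume -Volume $volume

# Only deduplicate files untouched for 3 days, and skip the database file
# types Microsoft does not recommend deduplicating (extensions without the dot)
Set-DedupVolume -Volume $volume -MinimumFileAgeDays 3 -ExcludeFileType 'edb', 'mdf', 'ldf'

# List deduplicated volumes and current savings, then the detailed status
Get-DedupVolume | Format-Table Volume, Enabled, MinimumFileAgeDays, SavedSpace, SavingsRate -AutoSize
Get-DedupStatus -Volume $volume | Format-List

# Start the first optimization now rather than waiting for the schedule, and watch it
Start-DedupJob -Volume $volume -Type Optimization -Priority High
Get-DedupJob -Volume $volume

# See when the background optimization and the weekly GC/scrubbing jobs run
Get-DedupSchedule | Format-Table Name, Type, Enabled, Start, Days -AutoSize
```

The first optimization pass on a full volume can take many hours; the savings figures from Get-DedupVolume only become meaningful once it has finished.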
More info:

https://docs.microsoft.com/en-us/previous-versions/windows/it-pro/windows-server-2012-R2-and-2012/hh831700(v=ws.11)


Dedup and Chunk Store is Huge!

Posted by robd on September 21, 2018
powershell, Server 2012 / 1 Comment

Found a drive running low on space today, and on closer inspection with TreeSize I found that the ChunkStore (brilliant name) was taking up the drive space:

Odd, as it looked like dedup wasn't working:

To fix it I ran the following PowerShell:

What does this do, I hear you say? Garbage collection removes data chunks that are no longer referenced, i.e. chunks that belonged only to files and folders that have since been deleted; this is the step that actually frees space. Scrubbing checks the integrity of the chunk store and validates its checksums.

To monitor it I ran:

This seems to have fixed it for me:

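The garbage-collection and scrubbing cycle here is the same one the "Disable Dedup" post relies on, so one added example (my script, not the code from either post) serves both: without a switch it runs a full GarbageCollection and Scrubbing against the volume while showing Get-DedupJob progress, which is the fix in this post; with -DisableCompletely it first runs the Unoptimization job to rehydrate the files, re-enables dedup so the reclaim jobs can run, and finally disables dedup, which is the "Disable Dedup" procedure. E: is a placeholder; that the Unoptimization job turns dedup off for the volume when it finishes is documented behaviour of that job, and the script relies on it.

```powershell
# Added example, not from the posts: reclaim ChunkStore space (GarbageCollection
# + Scrubbing) and, optionally, the full "undo dedup" sequence. Run elevated on
# the file server with the Deduplication module available.
param(
    [string] $Volume = 'E:',          # placeholder
    [switch] $DisableCompletely       # omit to only run GC + scrubbing
)
Import-Module Deduplication

function Wait-DedupJob {
    # Show Get-DedupJob progress until nothing is queued or running on the volume.
    param([string] $Volume)
    do {
        $jobs = @(Get-DedupJob -Volume $Volume -ErrorAction SilentlyContinue)
        if ($jobs.Count) {
            $jobs | Format-Table Type, State, Progress, StartTime -AutoSize | Out-Host
            Start-Sleep -Seconds 30
        }
    } while ($jobs.Count)
}

function Invoke-DedupReclaim {
    # GarbageCollection deletes chunks no file references any more (the only step
    # that shrinks the ChunkStore); Scrubbing then validates the store's checksums.
    # Both refuse to run unless dedup is enabled, so enable it first if needed.
    param([string] $Volume)
    $state = Get-DedupVolume -Volume $Volume -ErrorAction SilentlyContinue
    if (-not $state -or -not $state.Enabled) { Enable-DedupVolume -Volume $Volume | Out-Null }

    Start-DedupJob -Volume $Volume -Type GarbageCollection -Full -Priority High | Out-Null
    Wait-DedupJob -Volume $Volume
    Start-DedupJob -Volume $Volume -Type Scrubbing -Full -Priority High | Out-Null
    Wait-DedupJob -Volume $Volume

    Get-DedupStatus -Volume $Volume |
        Format-List Volume, FreeSpace, SavedSpace, InPolicyFilesCount, OptimizedFilesCount
}

if ($DisableCompletely) {
    # Rehydrate: write every optimized file's data back into the file itself.
    # Needs free space for the rehydrated data; when it completes, dedup is
    # switched off for the volume, which is why Invoke-DedupReclaim re-enables it.
    Start-DedupJob -Volume $Volume -Type Unoptimization -Priority High | Out-Null
    Wait-DedupJob -Volume $Volume
}

Invoke-DedupReclaim -Volume $Volume

if ($DisableCompletely) {
    # The ChunkStore is now as small as it will get; switch dedup off for good.
    Disable-DedupVolume -Volume $Volume
    Get-DedupVolume -Volume $Volume -ErrorAction SilentlyContinue | Format-List Volume, Enabled
}
```

Check free space before running with -DisableCompletely: unoptimization needs roughly as much free space as the data it rehydrates, and stopping it halfway leaves a mix of optimized and rehydrated files.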

Wireless – Insulation

Posted by robd on September 06, 2018
Wireless / No Comments

Hello,

I've been meaning to post something on wireless for a while, actually since I gained my CCNA Wireless cert, but I've not really been sure what to post…until now.

I install quite a lot of Cisco wireless in factories, and although I'm new to Ekahau (any complimentary Ekahau training would be awesome) I recently had the opportunity to test the attenuation of some insulation.

The kit I used to test was:

I tested two types of standard foam insulation that I currently can't name, but here are the results.

Here's the free-space reading from the AP to the Sidekick:

Here’s with some insulation in the way:

So,

free space = -46 dBm

insulation = 2.4 m long, 2 m deep, 3 m high

through insulation = -45 dBm

= 1 dB loss!

Second piece of insulation:

free space = -58 dBm

insulation = 2.4 m long, 2 m deep, 3 m high

through insulation = -52 dBm

= 6 dB loss.

 

So, all in all, I'd say that depending on the insulation there can be quite a lot of attenuation.

Citrix and vCenter

Posted by robd on September 05, 2018
Citrix, vmware / No Comments

Annoyingly, our vCenter broke recently, meaning our Citrix machines wouldn't boot, which had the knock-on effect that users couldn't log on.

To easily check the connection status between Citrix and vCenter, you can run the following PowerShell command on a Citrix Delivery Controller (or wherever the Citrix PowerShell snap-ins are installed):

This is what it looks like when it's broken; notice the State:

After fixing vCenter and rebooting the Citrix server, it looks like this:

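As an added example (my script, not the post's command or its output), here is the check turned into something you can run from a scheduled task: it lists every hypervisor connection the Broker knows about, warns on any whose State is not On, and for those shows how the machines behind it are distributed by PowerState, which is what users experience as "my desktop won't boot". It needs the Citrix Broker snap-in; the State value names and the -HypervisorConnectionUid filter come from the Broker SDK and are assumptions to confirm with Get-Help on your version.

```powershell
# Added example, not from the post: report hypervisor connection health from the
# Citrix Broker and the machines affected by any connection that is not On.
# Requires the Citrix PowerShell snap-ins (Delivery Controller or Studio install).
Add-PSSnapin Citrix.Broker.Admin.V2 -ErrorAction Stop

function Get-BrokenHypervisorConnections {
    # Show all connections, return only the ones the Broker cannot use.
    $connections = Get-BrokerHypervisorConnection
    $connections | Format-Table Name, State, Uid -AutoSize | Out-Host
    $connections | Where-Object { $_.State -ne 'On' }      # 'On' is the healthy state (assumption)
}

$broken = @(Get-BrokenHypervisorConnections)

foreach ($c in $broken) {
    Write-Warning "Hypervisor connection '$($c.Name)' is $($c.State)"
    # The Broker cannot power-manage machines behind a dead connection, so they
    # typically sit in PowerState Unknown and never start for users.
    Get-BrokerMachine -HypervisorConnectionUid $c.Uid -MaxRecordCount 10000 |
        Group-Object PowerState |
        Format-Table Name, Count -AutoSize
}

if (-not $broken) { 'All hypervisor connections are On.' }
```

Wrapping the warning in a monitoring check (non-zero exit when $broken is non-empty) gives you the alert before the first user call rather than after.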

Office 365 to Exchange 2010 on-prem calendar free/busy information

Posted by robd on August 22, 2018
exchange 2010 / No Comments

Hello,

I'll preface this post by saying that a man from Exchange support said, “This is the most complicated Exchange environment I've ever seen.”

That said, this issue is pretty common, and hopefully this post will help someone else.

We have an Exchange 2010 to Office 365 hybrid environment that looks a bit like this:

We had an issue where users in our 365 tenancy couldn't see free/busy information for on-premises Exchange 2010 users in Group2.contoso.com.

Now I know what you're thinking: just compare the settings on Group1 to Group2. Well, due to company rules and politics I can't; I can only troubleshoot Group2 and the servers there.

So first things first: check user permissions, set up a test user and find the error in Outlook:

Thanks to Babunski and his post, I found this really good troubleshooting guide, and everything looked OK:

https://support.microsoft.com/en-us/help/10092/troubleshooting-free-busy-issues-in-exchange-hybrid-environment

  • Firewall is fine.
  • Network is OK.
  • DNS, surprisingly, is working.
  • Checked with the Microsoft Remote Connectivity Analyzer (Exchange Online tests):

https://www.testexchangeconnectivity.com

  • The 365 to on-prem organization relationship is OK:

  • IIS logs look OK: %SystemDrive%\inetpub\logs\LogFiles

  • EWS logs look OK: %SystemDrive%\inetpub\logs\LogFiles

  • Checked the external URL – seems OK.

  • Checked the IIS permissions with the following – this looked OK:

  • Checked IIS EWS and Autodiscover:

  • Checked more relationship settings – all OK.

Next – contact support!  🙁

Before I contacted support I did find one more URL, which suggests checking the certs and importing the cert you used to set up the federation onto the CAS server; unfortunately this didn't work for us:

https://support.microsoft.com/en-gb/help/3057905/exchange-online-users-cannot-access-free-busy-information-of-users-in

Soooo, here I am: time to contact support.

The first thing they checked was the local EWS URL on the Client Access Server:

https://ClientAccessGroup2Server1.group.contoso.com/ews/exchange.asmx

So there's an issue: basically that server name wasn't on our wildcard cert. So we added the server names as Subject Alternative Names, imported the new cert using PowerShell onto both Client Access Servers and then rebooted:

Fixed:

Checked the URLs set in Exchange:

Our internal URL was actually set to the Client Access array for contoso.com rather than group2.contoso.com, so we changed this:

And rebooted again.

Next we disabled and re-enabled IIS security (this broke OOF for a while; we had to run this twice):

So here we are, stuck…

MS ran some traces using ExTRA (the Exchange Troubleshooting Assistant):

They went away for a while and came back with:

The internet-facing site contoso.com is able to look up the user and send a request to the Group2 servers.

The request failed with an empty response.

On the Group2 server we noticed the error below:

So the long and short of it is that they think IIS is broken: the traffic is being passed to the Group2 services, but those services are not passing the information back up the stream.

MS decided they wanted to swap out the EWS web.config with a fresh one from:

The reason being that the config file was referencing:

when it should have been referencing (or wherever your Exchange install is):

And another reboot.

Next we turned on Outlook logging:

which dumps files to %Temp%\Outlook Logging.

And they found this error:

This prompted MS to check the IIS bindings, which were wrong.

So we added the missing bindings using these commands:

No change, and still the same error: Response Code ErrorProxyRequestProcessingFailed

So we checked Windows services and, would you believe it, these .NET services were not installed:

Net.Tcp Listener Adapter

Net.Pipe Listener Adapter

So we installed the missing features:

Rebooted both.

And boom, we are working!

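Three of the findings above are quick to verify without waiting for support, so here is an added example (my script, not the post's commands or Microsoft's) that checks them on the Group2 Client Access Server: whether the certificate actually presented on the EWS endpoint names that host (exact name or a same-depth wildcard, which is where the wildcard cert fell short), whether the Net.Tcp and Net.Pipe listener adapter services exist and run, and, when the modules are available, the Default Web Site bindings and the EWS internal/external URLs. The host name is the one from the post; the service and feature names are the Windows names for WCF non-HTTP activation and are assumptions to confirm for your OS build. It needs PowerShell 3.0 or later, and the Exchange Management Shell for the last check.

```powershell
# Added example, not from the post: EWS health checks for a Client Access Server.
# Run on the server itself (PowerShell 3.0+, Exchange Management Shell for the
# EWS URL check). Host name from the post; feature/service names are assumptions.
$ewsHost = 'ClientAccessGroup2Server1.group.contoso.com'

function Test-CertificateCoversHost {
    # TLS-connect to the endpoint and check the presented certificate names the
    # host: exact CN/SAN match, or a wildcard one label deep (RFC 6125 style).
    param([string] $HostName, [int] $Port = 443)
    $tcp = New-Object System.Net.Sockets.TcpClient($HostName, $Port)
    try {
        # Accept any cert at the TLS layer; the name match is done explicitly below.
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, { $true })
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally { $tcp.Close() }

    $names = @($cert.GetNameInfo('DnsName', $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }    # subjectAltName
    if ($san) {
        $names += ($san.Format($false) -split ',\s*') | ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
    }
    $covered = $names | Where-Object {
        $_ -eq $HostName -or
        ($_.StartsWith('*.') -and $HostName -like $_ -and $HostName.Split('.').Count -eq $_.Split('.').Count)
    }
    [pscustomobject]@{ Host = $HostName; Subject = $cert.Subject; Names = ($names -join ' '); Covered = [bool]$covered }
}

function Test-WcfActivationServices {
    # EWS proxying in this case needed the net.tcp / net.pipe listener adapters,
    # which exist only once WCF non-HTTP activation is installed.
    foreach ($name in 'NetTcpActivator', 'NetPipeActivator', 'NetTcpPortSharing') {
        $svc = Get-Service -Name $name -ErrorAction SilentlyContinue
        $status = if ($svc) { $svc.Status } else { 'MISSING' }
        [pscustomobject]@{ Service = $name; Status = $status }
    }
}

Test-CertificateCoversHost -HostName $ewsHost | Format-List
Test-WcfActivationServices | Format-Table -AutoSize
# If anything is MISSING (assumed feature names, confirm for your OS):
#   Server 2012:    Install-WindowsFeature NET-WCF-TCP-Activation45, NET-WCF-Pipe-Activation45
#   Server 2008 R2: Add-WindowsFeature NET-Non-HTTP-Activ
# then reboot, as the post did.

# IIS bindings and the EWS URLs, when the modules/cmdlets are present
Import-Module WebAdministration -ErrorAction SilentlyContinue
if (Get-Command Get-WebBinding -ErrorAction SilentlyContinue) {
    Get-WebBinding -Name 'Default Web Site' | Format-Table protocol, bindingInformation -AutoSize
}
if (Get-Command Get-WebServicesVirtualDirectory -ErrorAction SilentlyContinue) {
    Get-WebServicesVirtualDirectory -Server $env:COMPUTERNAME | Format-List Identity, InternalUrl, ExternalUrl
}
```

Covered = False from the first check is exactly the wildcard mistake in the post: a `*.contoso.com` certificate does not cover `host.group.contoso.com`, so the name has to be added as a SAN or the internal URL changed to a name the certificate does cover.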