Microsoft Edge Printing PDFs

Posted by robd on June 07, 2022
Windows 10

When a user prints a PDF from Microsoft Edge the following error appears:

“Check Your Printer and try again. Printing Failed.”

The fix for us was to disable Use System Print Dialog (so Edge prints through its own print preview rather than the Windows print dialog) and push this registry change out to users:

Windows Registry Settings
  • Path (Mandatory): HKEY_CURRENT_USER\SOFTWARE\Policies\Microsoft\Edge
  • Value Name: UseSystemPrintDialog
  • Value Type: REG_DWORD
  • Value: 0x00000000

Edge reads this policy from HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Edge as well, and a machine-wide value wins over a per-user one, so if your deployment tool runs as SYSTEM rather than in the user's context the HKLM path is the easier target.

Microsoft Edge Browser Policy Documentation | Microsoft Docs

We used Ivanti to roll out the change:


Ubuntu Joining the Domain

Posted by robd on May 04, 2022
Linux

Hello,

I had to join an Ubuntu server to a Windows domain recently. Here's what I did; the lines starting with # are just annotated notes:

#Update /etc/hosts so the hostname resolves to the loopback address (FQDN first, then the short name)
sudo vi /etc/hosts
127.0.0.1 UbuntuServer.domain.com UbuntuServer


#Install the packages: Kerberos client, Samba/SSSD with the NSS and PAM modules, NTP, and realmd/adcli for the join
sudo apt-get update
sudo apt-get install krb5-user samba sssd sssd-tools libnss-sss libpam-sss ntp ntpdate realmd adcli

#Update NTP to use domain time. Kerberos rejects tickets if the clock is more than 5 minutes
#out from the DCs, so this matters more than it looks
sudo vi /etc/ntp.conf

#In ntp.conf add the following line:
server domain.com
#I also removed all the other NTP servers


#Stop ntp, force a one-off sync against the domain, then start it again and we are golden
sudo systemctl stop ntp
sudo ntpdate domain.com
sudo systemctl start ntp


#Discover the domain. Kerberos realm names are upper case, and kinit treats them as case sensitive
sudo realm discover DOMAIN.COM
#should see the domain and the packages realmd needs


#Get a Kerberos ticket for an account that is allowed to join machines (use your own username)
kinit -V admin@DOMAIN.COM
#chuck in your password


#Join the domain. You have a choice here: if the server can reach all the DCs in the domain use the
#first form; if it can only reach one, name that DC explicitly as in the second
#1
#sudo realm join --verbose DOMAIN.COM -U admin@DOMAIN.COM --install=/
#2
sudo realm join --verbose -U admin@DOMAIN.COM dc01.DOMAIN.COM --install=/


#realmd sets use_fully_qualified_names = True, which means logins have to be user@DOMAIN.COM;
#comment it out (or set it to False) if you want plain usernames
sudo vi /etc/sssd/sssd.conf
# use_fully_qualified_names = True

#Restart sssd so the change takes effect
sudo systemctl restart sssd

#Create the user's home directory on first login
sudo vi /etc/pam.d/common-session
#Place the following under the line that contains "session optional pam_sss.so"
#(on Ubuntu, "sudo pam-auth-update --enable mkhomedir" does the same thing and survives package upgrades)
session required pam_mkhomedir.so skel=/etc/skel/ umask=0077

#Test: the domain user should resolve with a uid, gid and its AD groups
id admin@DOMAIN.COM

#Give the Domain Admins group sudo rights. The backslash escapes the space in the group name
#(with use_fully_qualified_names left on you would need %Domain\ Admins@domain.com instead).
#NOPASSWD:ALL means every member gets root without re-authenticating, and so does anyone who
#hijacks one of their sessions; drop NOPASSWD unless you genuinely need it.
#A drop-in under /etc/sudoers.d/ is cleaner than editing /etc/sudoers itself
sudo visudo -f /etc/sudoers.d/domain-admins
%Domain\ Admins ALL=(ALL) NOPASSWD:ALL


#Tell Kerberos where the KDCs for the realm are and map the DNS suffix to the realm, otherwise logins fail
sudo vi /etc/krb5.conf

[realms]
        DOMAIN.COM = {
                kdc = dc01.domain.com
                kdc = dc02.domain.com
                admin_server = admin.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM

#Restrict who can log in (SSH included). After a realmd join every domain user is permitted by default;
#these commands switch sssd to the simple access provider and allow only the listed groups
sudo realm permit -g 'Domain Admins'
sudo realm permit -g 'Tronstride Servers Local Admins'


#Troubleshoot: watch the auth log while you attempt a login (the sssd logs under /var/log/sssd/ are the other place to look)
tail -f /var/log/auth.log
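Once all that is done, here is the post-join sanity check I would run before handing the box over. It is an added example, not part of the original post: it checks that sssd.conf is mode 0600 (sssd refuses to start otherwise, and the file can carry credentials), that use_fully_qualified_names really is off, that krb5.conf has KDCs for the realm and maps .domain.com to DOMAIN.COM, and it lists every sudoers rule that grants NOPASSWD so they get a second look. The realm DOMAIN.COM, the group names and the sample config files it writes for the --demo dry run are constructed to mirror the post, not taken from a real host.

```shell
#!/usr/bin/env bash
# Post-join sanity checks for an Ubuntu host bound to AD with realmd/sssd.
# Added example, not from the original post. Each check takes a file path,
# so it runs against the live files or the constructed copies below.
set -u

# sssd refuses to start if sssd.conf is group/world readable, and the file
# can hold credentials, so it must be mode 0600 (owned by root).
sssd_conf_mode_ok() {
  [ "$(stat -c '%a' "${1:-/etc/sssd/sssd.conf}" 2>/dev/null)" = "600" ]
}

# True when use_fully_qualified_names is absent, commented out or False,
# i.e. "id admin" works and not only "id admin@DOMAIN.COM".
sssd_short_names_ok() {
  ! grep -Eiq '^[[:space:]]*use_fully_qualified_names[[:space:]]*=[[:space:]]*true' \
      "${1:-/etc/sssd/sssd.conf}"
}

# Number of kdc lines for realm $2 inside the [realms] section of $1.
krb5_kdc_count() {
  awk -v realm="$2" '
    /^[[:space:]]*\[/ { in_realms = ($0 ~ /\[realms\]/); in_block = 0; next }
    in_realms && $1 == realm && $2 == "=" && $3 == "{" { in_block = 1; next }
    in_block && $1 == "}" { in_block = 0; next }
    in_block && $1 == "kdc" { n++ }
    END { print n + 0 }' "$1"
}

# True when [domain_realm] in $1 maps DNS suffix $2 (e.g. .domain.com) to realm $3.
krb5_domain_mapped() {
  awk -v s="$2" -v r="$3" '
    /^[[:space:]]*\[/ { in_dr = ($0 ~ /\[domain_realm\]/); next }
    in_dr && $1 == s && $2 == "=" && $3 == r { found = 1 }
    END { exit (found ? 0 : 1) }' "$1"
}

# Print every active sudoers rule granting NOPASSWD: root with no
# re-authentication for a whole AD group, so each one deserves a review.
sudoers_nopasswd_rules() {
  grep -E '^[^#]*NOPASSWD' "$1" || true
}

# Constructed sample files mirroring the post (not copied from a real host).
write_sample_configs() {
  mkdir -p "$1"
  cat > "$1/sssd.conf" <<'EOF'
[sssd]
domains = domain.com
services = nss, pam

[domain/domain.com]
ad_domain = domain.com
krb5_realm = DOMAIN.COM
id_provider = ad
# use_fully_qualified_names = True
access_provider = simple
simple_allow_groups = Domain Admins, Tronstride Servers Local Admins
EOF
  chmod 600 "$1/sssd.conf"
  cat > "$1/krb5.conf" <<'EOF'
[libdefaults]
        default_realm = DOMAIN.COM

[realms]
        DOMAIN.COM = {
                kdc = dc01.domain.com
                kdc = dc02.domain.com
                admin_server = admin.domain.com
        }

[domain_realm]
        .domain.com = DOMAIN.COM
EOF
  cat > "$1/sudoers" <<'EOF'
root    ALL=(ALL:ALL) ALL
%Domain\ Admins ALL=(ALL) NOPASSWD:ALL
EOF
}

# Usage: ./check_join.sh --live   (or --demo for a dry run on the samples)
case "${1:-}" in
  --live)
    sssd_conf_mode_ok && echo "ok: sssd.conf is 0600" || echo "WARN: sssd.conf must be 0600"
    sssd_short_names_ok && echo "ok: short usernames" || echo "note: logins need user@REALM"
    echo "kdc entries for DOMAIN.COM: $(krb5_kdc_count /etc/krb5.conf DOMAIN.COM)"
    krb5_domain_mapped /etc/krb5.conf .domain.com DOMAIN.COM || echo "WARN: .domain.com unmapped"
    echo "NOPASSWD rules:"; cat /etc/sudoers /etc/sudoers.d/* 2>/dev/null | sudoers_nopasswd_rules /dev/stdin
    ;;
  --demo)
    d=$(mktemp -d); write_sample_configs "$d"
    echo "kdc entries: $(krb5_kdc_count "$d/krb5.conf" DOMAIN.COM)"; sudoers_nopasswd_rules "$d/sudoers"
    ;;
esac
```

Run it with --live on the joined server; every WARN line is something that will bite at the first login or the first sudo, and the NOPASSWD list is the part worth showing whoever owns the box.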


Cisco ISE – Live Logs Broken

Posted by robd on February 24, 2022
Cisco

Hello,

After upgrading to Cisco ISE 3.0 and updating some certs we noticed the RADIUS Live Logs broke:

To fix it I changed certs, rebooted nodes and basically spent hours trying everything.

I didn't get anywhere, so I raised a Cisco TAC case and they fixed it (which took two seconds) by un-checking the following:


VMware vRops Azure error

Posted by robd on February 23, 2022
VMware

So we've been getting a very annoying error when trying to monitor Azure with vROps:

“Unable to establish a valid connection to the target system. javax.net.ssl.SSLHandshakeException: General SSLEngine problem”


I found this KB article describing the fix; it gave me a clue but didn't actually solve the problem:

https://kb.vmware.com/s/article/50122228

Basically, the root CAs that Azure's TLS certificates chain to had changed (see the Microsoft article below), and the vROps adapter's truststore didn't contain the new roots, so the TLS handshake failed and the adapter couldn't check anything.

The fix for me was to download all the new Azure root certs:

https://docs.microsoft.com/en-us/azure/security/fundamentals/tls-certificate-changes

Convert them to pem files:

https://cheapsslsecurity.com/p/convert-a-certificate-to-pem-crt-to-pem-cer-to-pem-der-to-pem/

Now copy the PEM files onto the vROps node, in this case into the Azure adapter's certs directory:

/usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/

Now SSH to the vROps node and list what the tcserver truststore already trusts (keytool prompts you for the truststore password):

cd /storage/vcops/user/conf/ssl/

keytool -list -keystore tcserver.truststore

and finally import your PEM files, one alias each. Before you do, compare each file's SHA-256 fingerprint with the thumbprint Microsoft publishes, because anything imported here is trusted for every Azure connection vROps makes. The truststore is read when the Java process starts, so restart the vROps services afterwards:

cd /storage/vcops/user/conf/ssl/
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_RSA_Root_Certificate_Authority_2017.pem -alias azure1 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/Microsoft_ECC_Root_Certificate_Authority_2017.pem -alias azure2 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/D-TRUST_Root_Class_3_CA_2_2009.pem -alias azure3 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/BaltimoreCyberTrustRoot.pem -alias azure4 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootCA.pem -alias azure5 -keystore tcserver.truststore
keytool -import -file /usr/lib/vmware-vcops/user/plugins/inbound/microsoftazure_adapter3/conf/certs/DigiCertGlobalRootG2.pem -alias azure6 -keystore tcserver.truststore
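Doing that by hand for six files is fine once, but the certificate list in Microsoft's article changes over time, so here is a small script for the same job. It is an added example for this post, not code from the original or from VMware: it splits a PEM bundle into one file per certificate (keytool stores one certificate per alias), prints each certificate's SHA-256 fingerprint in keytool's format so you can check it against the published thumbprints before trusting it, derives a readable alias from the file name instead of azure1..azure6, and only then runs the keytool import. It assumes the downloads have already been converted to PEM as above and that keytool is on the path; the sample bundle it writes is constructed test data whose base64 bodies are not certificates at all, just bytes with well-known SHA-256 values, so the fingerprint path can be exercised offline.

```shell
#!/usr/bin/env bash
# Split a PEM bundle into one certificate per file, fingerprint each one so
# it can be checked against Microsoft's published thumbprints, and import
# them into a Java truststore one alias at a time.
# Added example, not part of the original post. Needs only coreutils
# (awk, base64, sha256sum) plus keytool for the import step.
set -u

# SHA-256 fingerprint of a single PEM certificate, in the colon-separated
# upper-case form that keytool -printcert shows. Compare it with the
# thumbprint on the CA's download page before trusting the file.
pem_fingerprint() {
  sed -n '/-----BEGIN CERTIFICATE-----/,/-----END CERTIFICATE-----/p' "$1" \
    | grep -v -- '-----' | tr -d '\n\r' | base64 -d \
    | sha256sum | cut -d' ' -f1 | tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'
}

# Write each certificate in bundle $1 to $2/cert-NN.pem; prints the count.
# keytool stores one certificate per alias, so each file must hold exactly one.
split_pem_bundle() {
  mkdir -p "$2"
  awk -v dir="$2" '
    /-----BEGIN CERTIFICATE-----/ { n++; f = sprintf("%s/cert-%02d.pem", dir, n) }
    f != "" { print > f }
    /-----END CERTIFICATE-----/ { close(f); f = "" }
    END { print n + 0 }' "$1"
}

# Derive a keytool alias from a file name: lower-case, spaces to underscores,
# anything outside [a-z0-9_-] dropped. A descriptive alias beats azure1..6
# when you later have to find and remove a retired root.
alias_from_filename() {
  basename "$1" .pem | tr 'A-Z ' 'a-z_' | tr -cd 'a-z0-9_\n-'
}

# Import every .pem in directory $1 into truststore $2, printing the
# fingerprint beside the alias so the import log doubles as an audit record.
# keytool prompts for the truststore password; it is deliberately not embedded.
import_dir_into_truststore() {
  for f in "$1"/*.pem; do
    alias=$(alias_from_filename "$f")
    printf '%s  %s\n' "$(pem_fingerprint "$f")" "$alias"
    keytool -importcert -noprompt -trustcacerts -alias "$alias" -file "$f" -keystore "$2"
  done
}

# Constructed sample bundle: the base64 bodies are NOT certificates, just the
# bytes "abc" and "hello world", whose SHA-256 values are well known.
write_sample_bundle() {
  cat > "$1" <<'EOF'
-----BEGIN CERTIFICATE-----
YWJj
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
aGVsbG8gd29ybGQ=
-----END CERTIFICATE-----
EOF
}

# Usage: ./azure-roots.sh bundle.pem /tmp/split [tcserver.truststore]
# Without a truststore argument it only splits and prints fingerprints.
if [ -n "${1:-}" ]; then
  count=$(split_pem_bundle "$1" "${2:?output dir}")
  echo "split $count certificate(s) into $2"
  for f in "$2"/*.pem; do printf '%s  %s\n' "$(pem_fingerprint "$f")" "$f"; done
  if [ -n "${3:-}" ]; then import_dir_into_truststore "$2" "$3"; fi
fi
```

Run it first without the truststore argument, check the printed fingerprints against Microsoft's list, and only then run it again with the truststore path. Keep the output: it is the record of exactly which roots were added to that node and when.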


ISATAP – Direct Access Manage Out

Posted by robd on January 14, 2022
Direct Access

I was working with Direct Access recently and its manage-out function. The idea is that servers on premises can reach Direct Access clients out on the internet, which are talking IPv6 tunnelled over IPv4.

For example, it's great when you want to manage SCCM clients who are not in the office.

To do this you need an ISATAP router that sits between the Direct Access servers and the internal servers. I like to think of ISATAP as something like a DHCP server for IPv6: it advertises an IPv6 prefix to the internal servers, each of which builds itself an address from that prefix plus its own IPv4 address, and that address is what lets them reach the IPv6 clients.

I'm going to presume you've set up Direct Access and ISATAP and that at some point it was all working (if anyone wants a guide on setting up ISATAP, just shout). Now, for whatever reason, you cannot reach the IPv6 clients!

  • Log on to your Direct Access (DA) server, pick a client and check you can ping it; the ping should go to an IPv6 address.
  • Log on to your ISATAP server and ping the same client. If that works, great, the issue is not between DA and ISATAP; if not, it's time to check connectivity (firewall and routes) between the two servers.
  • Log on to a server that is using the ISATAP router and ping the same client. In my case this did not work.
  • So first check the ISATAP interface on that server with ipconfig /all

This is bad. If the ISATAP interface only has an fe80:: address it means Windows has given itself a link-local address and has not picked up a prefix from the ISATAP router, a bit like an APIPA address on IPv4. A working ISATAP address carries the router's prefix in front of the embedded IPv4 address (fd07:4444:4444:1::/64 in the example below).

  • You can disable and re-enable ISATAP on the server to check whether the address changes from fe80 to one in the ISATAP prefix:
netsh int ipv6 isatap set state disable

netsh int ipv6 isatap set state enable
  • Moving back to the ISATAP server, there are basically two things to check: the interface and the routes.
  • First check the interfaces and their idx numbers:
netsh int ipv6 show int
  • In my case I know the interface I configured when I set up the server was idx 6, whereas below it shows idx 9. This means something has changed, potentially a VMware hardware update, and this is a different interface object from the one I configured.

  • As the interface has changed, the interface settings and the static routes that were tied to it are gone, so let's add them again:
    • First, on the NIC (idx 12 here), enable forwarding:
netsh int ipv6 set int 12 forwarding=enabled

    • Then on the ISATAP interface (idx 9 here) enable advertising and forwarding:
netsh int ipv6 set int 9 advertise=enabled
netsh int ipv6 set int 9 forwarding=enabled

  • Next check the routes; the magic route for the ISATAP prefix is missing:
netsh int ipv6 show route

  • Add it back, published on the ISATAP interface so it goes out in the router advertisements:
netsh interface ipv6 add route fd07:4444:4444:1::/64 9 publish=yes

  • Finally check the server again

  • YAY!!!


Firmware Update Cisco SG350

Posted by robd on January 12, 2022
Cisco

I had to update a Cisco SG350 recently, which should have been really easy but ended up being a bit of a pain.

Here’s how I’d do it again:

  • Download the firmware:

https://www.cisco.com/c/en/us/support/switches/sg350-28-28-port-gigabit-managed-switch/model.html

  • Ignore the GUI, pretend it never existed; as best I can work out it just doesn't work well.
  • Download a TFTP server; I suggest tftpd64 as it's brilliant:

https://pjo2.github.io/tftpd64/

  • Run the TFTP server, point it at the folder containing the firmware and make a note of the server's IP.
  • SSH to the switch with PuTTY and check the current version:
show ver
  • Then run this command on the switch (the IP is that of the machine running the TFTP server). TFTP is unauthenticated and unencrypted, so do this from a trusted management network and stop the TFTP server once the image has copied:
boot system tftp://192.168.1.2/image_tesla_hybrid_2.5.8.15_release_cisco_signed.bin

  • Now reboot:
reboot
  • Once it’s rebooted, check the version, and you are done!
show ver


vMotion Slow

Posted by robd on January 11, 2022
VMware

We recently replaced our estate of trusty Dell PowerEdge R620 servers with shiny new Cisco UCS C220 M5SX servers.

On each server, VMware ESXi was installed. We used a LAG of four 10 Gb NICs, and each server had ten 7200 rpm drives set up in RAID 6 (no SSDs, don't ask why).

All looked great, but when moving the VMs to the Cisco servers with vMotion, the process was super slow.

After a lot of digging, we discovered the issue was the Write Policy on the RAID virtual drive: we'd used Write Through, and we should have used Write Back Bad BBU. The three policies are:

– Write Through— Data is written through the cache and to the physical drives. Performance is improved, because subsequent reads of that data can be satisfied from the cache.

– Write Back— Data is stored in the cache, and is only written to the physical drives when space in the cache is needed. Virtual drives requesting this policy fall back to Write Through caching when the BBU cannot guarantee the safety of the cache in the event of a power failure.

– Write Back Bad BBU—With this policy, write caching remains Write Back even if the battery backup unit is defective or discharged.

The trade-off with Write Back Bad BBU is worth spelling out: writes are acknowledged from cache even when the battery cannot protect that cache, so a power loss can discard writes the guest OS believes are already on disk. It buys speed at the cost of durability, so make sure the hosts sit on protected power.

Once we changed it, everything worked superfast.


dbatools

Posted by robd on January 06, 2022
PowerShell, SQL

Hello,

Been a while since I posted but here I am!

I recently needed to copy SQL Server logins from one instance to another without changing their SIDs (so the database users keep mapping to them). While googling how best to do this, a colleague just told me to use dbatools.

Well, I'm glad I did, they are amazing! If you're not sure what dbatools is, it's PowerShell for SQL Server!

Here’s what I did:

Install the tools on my device:

Install-Module dbatools -Scope CurrentUser

Then I simply ran (Source and Destination are SQL Server instance names, not databases):

Copy-DbaLogin -Source SourceInstance -Destination DestInstance -Force

and that's it. Two things worth knowing: -Force drops and recreates any login that already exists on the destination, and the copy carries the password hashes and SIDs across, so treat the session like any other transfer of credentials.


Windows 10 and Fast Roaming Standards

Posted by robd on April 09, 2021
Windows 10, Wireless

Did you know that Windows 10 supports fast roaming standards such as 802.11r/k/v?

Well, it does, but there are a few caveats.

If you're unsure what these standards are and how they operate, keep reading:

Remember, the CLIENT decides when to roam, not the Access Point!!!!

802.11k (Neighbor Reports)

Access points that support it send Neighbor Reports to the Windows 10 device. These contain information about neighbouring access points, so the device knows where it could roam if it needs to. Windows 10 uses this to shorten the list of channels it has to scan before finding a neighbouring AP to roam to.

802.11v (BSS Transition Management Frames)

Access points that support 802.11v can suggest that a Windows 10 device roam to another AP that they believe will give a better wireless experience. Windows 10 devices can accept and respond to these Basic Service Set (BSS) Transition Management frames, leading to better wireless quality, i.e. potentially better SNR or RSSI.

802.11r (Fast BSS Transition)

Fast BSS Transition reduces the time a Windows 10 device needs to roam to another AP that supports 802.11r, because fewer frames are exchanged with the new AP before data can flow. A quick move is less disruptive to the client; a slow one would, for example, break up a video call. You must be using RADIUS authentication (802.1X): Pre-Shared Key (PSK) and open networks are currently not supported.

Unfortunately, on Windows 10 only the Intel chipsets listed here are supported:

https://www.intel.com/content/www/us/en/support/articles/000021562/wireless/intel-wireless-products.html

What about other clients such as Macs and RF scanners?

Macs

Yes, but it depends; have a look at this:

https://support.apple.com/en-gb/HT202628

RF Scanners

Yes, but it depends. For example, 802.11r is supported on the MC9200 if the radio firmware is updated to 2.03, so please make sure these devices are on the latest version.

https://www.zebra.com/us/en/support-downloads/software/release-notes/operating-system/mc9200-operating-system-standard-bsp-15-57-16-release-notes.html

If you’d like to know more on client roaming and supporting it then this video is interesting:

https://www.youtube.com/watch?v=8upYZYKXRc4

Any questions please let me know.


Domain Controller – SYSVOL and Group Policies

Posted by robd on February 16, 2021
Active Directory

Had some strange issues recently where some group policies weren't applying at certain sites.

i.e. you'd log on to a new device at a site and the Work Folders GPO wouldn't apply; after spending 5 minutes looking at RSOP.MSC I could see the policy just wasn't applied at all.

So after some digging on the domain controller and googling the events in Event Viewer I found:

https://support.microsoft.com/en-gb/help/2958414/dfs-replication-how-to-troubleshoot-missing-sysvol-and-netlogon-shares

Which led me to this nifty command to check that every DC is sharing SYSVOL:

For /f %i IN ('dsquery server -o rdn') do @echo %i && @(net view \\%i | find "SYSVOL") & echo.

As you can see from the above, all looks ok!!!

So now let's have a look at the DFS Replication state of the SYSVOL folder on each DC:

For /f %i IN ('dsquery server -o rdn') do @echo %i && @wmic /node:"%i" /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo WHERE replicatedfoldername='SYSVOL share' get replicationgroupname,replicatedfoldername,state

Run it and look at the “state” value for each DC, which can be any of the following:

0 = Uninitialized
1 = Initialized
2 = Initial Sync
3 = Auto Recovery
4 = Normal
5 = In Error

As you can see above, the last DC is in state 5, In Error. Wonky donkey: DFS be broken.

So let's look through the DFS Replication event log on that DC for errors:

and double-check with PowerShell on the affected DC:

Get-WmiObject -Namespace 'root\MicrosoftDFS' -Class DfsrReplicatedFolderInfo

Nothing comes back, which is bad: the service isn't reporting any replicated folders at all.

In the registry you can check whether DFSR is allowed to recover on its own:

Computer\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DFSR\Parameters

The value that matters here is StopReplicationOnAutoRecovery: 1 means that when the DFSR database was not shut down cleanly the service stops replication and waits for an admin (Event ID 2213), 0 means it recovers automatically. So it's stopped and not recovering.

The fix:

First get the GUID of the C: volume (the one holding SYSVOL):

mountvol

Now run this in an elevated command prompt, with your own volume GUID (the one shown here is from the affected DC). Event 2213 also tells you to back up the files in the affected replicated folders before resuming, so do that first:

wmic /namespace:\\root\microsoftdfs path dfsrVolumeConfig where volumeGuid="cc9a4e7a-0000-0000-0000-602200000000" call ResumeReplication

Wait ten minutes or so, then check the replication state again:

and run the dsquery loop again:

HOORAY! GPOs for everyone.
