Tuesday, November 17, 2015

Exchange Calendar Permissions Using PowerShell

With Exchange 2010 and now extended into Exchange 2013 and 2016, Microsoft added the ability to manage permissions on folders in a user's email account through PowerShell.

The most common is managing calendar permissions.  Here's an example of some commands:

To get the permission on a mailbox:

Get-MailboxPermission -Identity "Boss Hog"

To get the permissions of a subfolder:

Get-MailboxFolderPermission -Identity "Boss Hog:\Calendar"

To change permissions on a subfolder:

Add-MailboxFolderPermission -Identity "Boss Hog:\Calendar" -User "Roscoe" -AccessRights Reviewer

To remove permissions on a subfolder:

Remove-MailboxFolderPermission -Identity "Boss Hog:\Calendar" -User "Roscoe"

Here's also a list of all of the permissions you can assign.  HERE is a link to Office support with some details on what each of these permission levels can do.

  • None
  • Free/Busy
  • Free/Busy, Subject, Location
  • Contributor
  • Reviewer
  • Nonediting Author
  • Author
  • Publishing Author
  • Editor
  • Publishing Editor
  • Owner
Hopefully this will give you some assistance when you need to edit calendar permissions without having to log in as that user account and make the edits in Outlook.  Granted, that's the GUI route, but the PowerShell route works best from an Exchange administrator's perspective.
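The cmdlets above work one mailbox at a time. When you inherit an organization, the first thing you usually want is a list of who has been granted more than Reviewer on other people's calendars. The script below is an added example, not code from the original post: it walks every user mailbox, resolves the default Calendar folder by type (so localized folder names still work), and reports every explicit grant above Reviewer. It assumes an Exchange Management Shell or remote PowerShell session to Exchange 2010/2013/2016; the remediation line at the end is commented out and uses -WhatIf.

```powershell
# Added example, not from the original post: list every explicit calendar
# grant above Reviewer across all user mailboxes. Assumes an Exchange
# Management Shell or remote PowerShell session to Exchange 2010/2013/2016.

# Folder permission levels that allow creating, editing or deleting items.
$ElevatedRights = @('Owner', 'PublishingEditor', 'Editor', 'PublishingAuthor',
                    'Author', 'NonEditingAuthor', 'Contributor')

function Get-CalendarFolderId {
    # Resolve the default Calendar folder by type rather than by name, so the
    # check also works for mailboxes whose folder name is localized.
    param($Mailbox)
    $stat = Get-MailboxFolderStatistics -Identity $Mailbox.Identity -FolderScope Calendar |
            Where-Object { $_.FolderType -eq 'Calendar' } | Select-Object -First 1
    if (-not $stat) { return $null }
    # FolderPath is "/Calendar"; the permission cmdlets want "user:\Calendar".
    return "$($Mailbox.PrimarySmtpAddress):" + ($stat.FolderPath -replace '/', '\')
}

function Get-ElevatedCalendarGrants {
    Get-Mailbox -ResultSize Unlimited -RecipientTypeDetails UserMailbox | ForEach-Object {
        $mbx = $_
        $folderId = Get-CalendarFolderId -Mailbox $mbx
        if (-not $folderId) { return }
        Get-MailboxFolderPermission -Identity $folderId -ErrorAction SilentlyContinue | ForEach-Object {
            $user = "$($_.User)"
            # Default and Anonymous are the built-in entries; anything else is an explicit delegate.
            if (@('Default', 'Anonymous') -contains $user) { return }
            $rights = @($_.AccessRights | ForEach-Object { "$_" })
            $hits = @($rights | Where-Object { $ElevatedRights -contains $_ })
            if ($hits.Count -eq 0) { return }
            New-Object PSObject -Property @{
                Mailbox      = "$($mbx.PrimarySmtpAddress)"
                Folder       = $folderId
                Delegate     = $user
                AccessRights = ($rights -join ',')
            }
        }
    }
}

$grants = @(Get-ElevatedCalendarGrants)
$grants | Sort-Object Mailbox | Format-Table Mailbox, Delegate, AccessRights -AutoSize

# Remediation for one finding once you have reviewed it (drop -WhatIf to apply):
# Set-MailboxFolderPermission -Identity $grants[0].Folder -User $grants[0].Delegate -AccessRights Reviewer -WhatIf
```

Default and Anonymous are skipped because they are the built-in entries on every folder; if you also want to catch mailboxes where Default has been raised above Free/Busy, drop that filter and add 'Reviewer' to the list.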

Good luck!

Thursday, August 27, 2015

Convert Cisco 1700/2700 Series APs to Autonomous Mode

For smaller environments it's not always cost-effective to buy a WLC, so the need arises to put the APs into autonomous mode.

Since the 1700/2700 series APs ship in lightweight mode, here's how to change them over to autonomous mode:

1.  Log in to www.cisco.com
2.  Click on "Support" at the top of the page.
3.  Click the "Downloads" button.
4.  Select "Wireless" from the left side.
5.  Select "Access Points".
6.  Select "Cisco 1700 Series Access Points".
7.  Select "Cisco Aironet 1702i Access Points".
8.  Click "Autonomous AP IOS Software".  As of this writing the latest version is 15.3.3-JBB1(ED).
9.  Connect to the AP using a console cable.
10.  Power on the AP.  If you have a PoE switch, that is the best way.  If not, use a power injector or power cord for the AP.
11.  Start a TFTP server on your laptop or PC and set the LAN interface to
12.  Open a serial connection to the AP.  Once the boot up finishes log in.  Remember the default password is Cisco.
13.  Enter the following commands in this order:

  • enable
  • debug capwap console cli
  • debug capwap client no-reload
  • capwap ap ip address
  • capwap ap ip default-gateway
  • archive download-sw /force /overwrite tftp://
14.  Once the upload, extraction, and installation are complete (3 to 5 minutes) the AP will restart.
15.  Once the restart is completed log in and do a show version command.
16.  Verify the AP now provides access to the full suite of IOS commands.
17.  Configure as needed.

If you get any errors from the AP while it is still in lightweight mode during this process, I find it easiest to put these commands into a text file and paste them into PuTTY rather than trying to type them in while the lines scroll.

I hope this helps you get your APs set up faster without having to deal with a complicated process.

Good luck.

Monday, August 24, 2015

Time Based ACL for Cisco Wireless AP Access

Recently I was tasked with setting up two Cisco 1142 APs in autonomous mode with access restricted to the hours between 6AM and 11PM.  Outside that range the wireless SSIDs would still be on and broadcasting, but no traffic would be allowed out.

After doing some research I have gotten it working, and here's how to pull this off.  Pretty simple really.  Before you do this, make sure the time on the APs is set correctly; the two I configured in this example use NTP to pool.ntp.org, and I verified the time is set correctly.

1.  Create a time range:
     time-range BusinessHours
     periodic weekdays 6:00 to 23:00

2.  Create an ACL
     ip access-list extended 101
     permit ip any any time-range BusinessHours

3.  Apply the ACL to the appropriate interface
     interface Dot11Radio0.1 (.1 is the only VLAN configured on these APs on interface 0)
     ip access-group 101 out

4.  Check the work
     show time-range BusinessHours
     show access-list 101 (this is how it determines the toggle between active and inactive)
     show running-config (verify the ACL is applied to the correct interface)

One thing to make sure of is that you do not apply this config to the Ethernet interface on the AP, because then you will lose internal communication from the LAN as well.  By applying it to the Radio interface you only stop traffic coming in via the wireless radio.

Hope this helps with security on your network OR if you happen to use these at home and have teenagers that don't want to obey bedtime for school.  Works for both.

Good luck.

Thursday, August 06, 2015

Stop Windows 10 Pushing to Domain Computers

Many networks I work on have appeared to be slow the past several days.  After doing some research I found out that Microsoft is pushing Windows 10 to domain joined machines even though they don't qualify for the "free" upgrade.

This is causing many networks internally and their Internet connections to slow to a crawl because of all of the data saturation.

Here's how to shut it off using Group Policy:  (You will need at least one Server 2012R2 Domain Controller for this to work)

The setting is located via [Computer Configuration > Policies > Administrative Templates > Windows Components > Windows Update].  The name of the policy is "Turn off upgrade to the latest version of Windows through Windows Update"

Given that these files can be between 2 GB and 3 GB (stored in a hidden folder on the local disk called $Windows.~BT) it is easy to see how this can impact a network of several hundred machines.  My research says this happens without the end user ever seeing the white 'Get Windows 10' flag.

I put this policy in place on our network tonight as researching network traffic through our ASA has proven this to be true.

I like what Microsoft has done with Windows 10 so far but this is taking things a bit too far.
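Before and after rolling out the policy it helps to know which machines have already pulled the upgrade files and which ones the policy has actually reached. The script below is an added example, not from the original post. It measures the hidden $Windows.~BT staging folder on the system drive and checks for the DisableOSUpgrade registry value that this policy sets under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate (Microsoft documents that value in KB3080351). The computer names are constructed placeholders; the remote run needs WinRM enabled on the targets.

```powershell
# Added example, not from the original post: report how much Windows 10 upgrade
# data is staged on a machine and whether the "Turn off upgrade to the latest
# version of Windows through Windows Update" policy is in effect there.
# The policy writes HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\
# DisableOSUpgrade = 1 (Microsoft KB3080351).

$Probe = {
    # Size of the hidden staging folder on the system drive, 0 if absent.
    $path = Join-Path $env:SystemDrive '$Windows.~BT'
    $gb = 0
    if (Test-Path -LiteralPath $path) {
        $sum = (Get-ChildItem -LiteralPath $path -Recurse -Force -ErrorAction SilentlyContinue |
                Where-Object { -not $_.PSIsContainer } |
                Measure-Object -Property Length -Sum).Sum
        $gb = [math]::Round($sum / 1GB, 2)
    }

    # Registry value the GPO sets; absent or 0 means the upgrade can still be pushed.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $pol = Get-ItemProperty -Path $key -Name DisableOSUpgrade -ErrorAction SilentlyContinue

    New-Object PSObject -Property @{
        ComputerName   = $env:COMPUTERNAME
        StagedGB       = $gb
        UpgradeBlocked = [bool]($pol -and $pol.DisableOSUpgrade -eq 1)
    }
}

# Check the local machine.
& $Probe | Format-List ComputerName, StagedGB, UpgradeBlocked

# Check a list of domain computers over WinRM (names are constructed placeholders)
# and list the ones that have already downloaded the most.
$computers = @('PC01', 'PC02')
Invoke-Command -ComputerName $computers -ScriptBlock $Probe -ErrorAction SilentlyContinue |
    Sort-Object StagedGB -Descending |
    Format-Table ComputerName, StagedGB, UpgradeBlocked -AutoSize
```

The registry check reflects what is applied on the client, not what is set in the GPO, so a machine showing UpgradeBlocked = False after you have linked the policy has not refreshed Group Policy yet (gpupdate /force will do it). Machines that already show several gigabytes staged have done their downloading; the policy stops new ones, it does not remove the folder.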

Thursday, July 30, 2015

Windows 8.1 Full Backup Prior to Windows 10 Upgrade

Short and sweet on this one.  Today's post is about backing up Windows 8.1 prior to the Windows 10 upgrade.

Get yourself a large USB drive or a network location with enough room to store the image and run the command below from PowerShell started as Administrator

wbAdmin start backup -backupTarget:D: -include:C: -allcritical -quiet

Make sure you change the drive letter of the backup target from D: to the letter for your drive prior to running the command.  What this does is simple.  It executes Windows Backup (since Microsoft removed the GUI for it in Windows 8/8.1) and runs a full backup for you.

If you want to save your backup to a network location this is the command

wbAdmin start backup -backupTarget:\\sharedfolder\foldername -user:username -password:userpassword -include:C: -allCritical -quiet

This will kick off the same backup process as above and send it to your network storage instead.

Once the backup completes you can browse the backup location and you'll find some very familiar folders.  The old WindowsImageBackup folder, the .xml and .vhd files that were used in the Windows 7 backup and restore feature.
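The two wbadmin commands above do no checking of their own, and a full image fails late if the target runs out of room. The script below is an added example, not from the original post: it confirms the target volume has at least as much free space as the source volume currently uses, runs the same wbadmin command, and then lists the backup versions on the target so you can see the new one. The share variant prompts for the account with Get-Credential instead of keeping the password in the script; wbadmin still receives the password as a command-line argument, so the variable is cleared afterwards. Drive letters and the share path are placeholders; it assumes an elevated PowerShell on Windows 8.1.

```powershell
# Added example, not from the original post: wrap the wbadmin command with a
# free-space check and a post-run listing. Run from an elevated PowerShell on
# Windows 8.1. Drive letters and the share path below are placeholders.

function Test-BackupTargetSpace {
    # $true when the target has at least as much free space as the source
    # volume currently uses; a full image needs roughly that much.
    param([string]$Source = 'C:', [string]$Target = 'D:')
    $src = Get-Volume -DriveLetter $Source.TrimEnd(':')
    $dst = Get-Volume -DriveLetter $Target.TrimEnd(':')
    $used = $src.Size - $src.SizeRemaining
    return ($dst.SizeRemaining -ge $used)
}

function Start-FullImageBackup {
    param([string]$Source = 'C:', [string]$Target = 'D:')
    if (-not (Test-BackupTargetSpace -Source $Source -Target $Target)) {
        throw "Not enough free space on $Target for a full image of $Source"
    }
    # Same options as the post: the system volume plus all critical volumes.
    & wbadmin start backup "-backupTarget:$Target" "-include:$Source" -allCritical -quiet
    if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    # List what is now on the target; the newest version should be today's.
    & wbadmin get versions "-backupTarget:$Target"
}

function Start-FullImageBackupToShare {
    param([Parameter(Mandatory)][string]$Share, [string]$Source = 'C:')
    # Prompt for the account rather than embedding the password in a script.
    $cred  = Get-Credential -Message "Account with write access to $Share"
    $plain = $cred.GetNetworkCredential().Password
    try {
        & wbadmin start backup "-backupTarget:$Share" "-user:$($cred.UserName)" `
            "-password:$plain" "-include:$Source" -allCritical -quiet
        if ($LASTEXITCODE -ne 0) { throw "wbadmin exited with code $LASTEXITCODE" }
    } finally {
        $plain = $null   # wbadmin has the password now; do not keep a copy around
    }
}

# Usage (placeholders):
# Start-FullImageBackup -Source 'C:' -Target 'D:'
# Start-FullImageBackupToShare -Share '\\fileserver\backups\thispc'
```

Get-Volume is available on Windows 8 and later, which is all the Windows 8.1 upgrade case needs. The space check is deliberately conservative; the image is usually smaller than the used space because of compression and because wbadmin skips some files.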

That's all there is to it.  I wish you luck with your Windows 10 upgrade.

Monday, July 27, 2015

Backup Cisco WLC Configuration (Without Cisco Prime)

This article is part of a new mini-series here on my blog as I work toward obtaining my Cisco Wireless 640-722 CCNA certification.

The official way Cisco wants you to do this is to buy and implement Cisco Prime.

One way you can get around this is to use SolarWinds CatTools to send commands to your devices.

Using this I configured a job to connect to the WLC via SSH and push a backup of the config to my TFTP server.  Here's how:

>transfer upload mode tftp
>transfer upload datatype config
>transfer upload filename WLC-Config-Backup_%DateISO%.txt
>transfer upload path .
>transfer upload serverip
>transfer upload start

Once you select "Y" to begin the backup you'll see in the text a warning that file encryption is disabled.  SolarWinds CatTools can answer this Y or Yes if needed.  After this the config will push to your TFTP directory.

The variable in the command, %DateISO%, will automatically fill in the date of the file for you.  As of now the freeware version is limited to 5 devices and 5 activities only.

If you need more it can scale up from there.

Sunday, July 19, 2015

Archive Cisco Switch and Router Configs Using TFTP and Configuration Archive

The worst time to realize you don't have a current backup of your switch or router is when that device is having issues or worst case dies and it is actually needed.  For a great comprehensive list of Cisco IOS commands I recommend THIS BOOK.  It's for Amazon Kindle.

Administrators have the ability to run a manual backup of the configs or you can set it to do this automatically or every time you do a "write memory" to save a config change.

Given how easy this is to setup there's no reason for you not to have this on your switches.

Let's dive into how easy this is to setup.

First you'll need a good TFTP server program.  Personally I like the free SolarWinds TFTP Server.  This link is for the Windows version.  You can run it on a server or a workstation if needed.  The price is right, setup is simple, and you'll have this going in a couple of minutes.

Next it's time to setup the switch or router to do the automatic backups for you.

Let's look at a couple of ways to set this up.

The first way is to just back up each time you do a "write memory".  This is my favorite setup as it does not generate unnecessary network traffic, and I know that the files on my TFTP server are the latest config as long as the config was saved.  The commands live under the archive configuration mode, and the write-memory keyword is what ties the backup to a save:

R1(config)#archive
R1(config-archive)#path tftp://
R1(config-archive)#write-memory

Now one of the details I add after the IP address and forward slash is the name of the device, so when it creates the automatic backup file I know which device it came from based on the device's host name.

Another way to set this up is to do backups daily for you automatically without the need for a manual update.  This setup will archive every day (1440 minutes) or whenever you do a "write memory" command on the switch.

R1(config)#archive
R1(config-archive)#path tftp://
R1(config-archive)#write-memory
R1(config-archive)#time-period 1440

Now these two methods ensure your switch configs are backed up either as you do a change and save it or automatically each day.

Finally the great thing about these auto backups is you can also restore them using the same functions.  One thing to note is that this command does not merge the settings with what is currently running, it fully replaces it so use caution.

R1# configure replace tftp://
This will apply all necessary additions and deletions
to replace the current running configuration with the
contents of the specified configuration file, which is
assumed to be a complete configuration, not a partial
configuration. Enter Y if you are sure you want to proceed. ? [no]: Y
Loading R1-config-3 !
[OK - 3113/4096 bytes]

Friday, June 26, 2015

Backup and Restore ESXi Host Configuration

Today's post involves something I haven't done before, which is backing up and then restoring an ESXi host's configuration.

In my examples today I am going to use the tools built directly into ESXi and vSphere, specifically PowerCLI 5.5 (the latest version as of this writing).

PowerCLI is one of the many tools that are bundled for free with the vSphere environment.  I highly recommend you have it installed on your management server or workstation and if you're running vCenter on Windows it's even better to place it there.  You can download PowerCLI from the VMware website.

The process of backing up and restoring the configuration is pretty simple so here we go.

Before running any of these commands you should run this command in PowerShell on Windows to make sure PowerCLI has the ability to execute the commands needed for this process to work.

Set-ExecutionPolicy RemoteSigned

Open PowerCLI and use the Connect-VIServer IPAddress command to connect to the server.

Next run the command below to backup your host's configuration.  Make sure you create the backup location folder before you run the command.

Get-VMHostFirmware -VMHost ESXi_host_IP_Address -BackupConfiguration -DestinationPath "Output_Directory"

When the process completes you'll have files that look like this:

That's all there is to backing up the configuration of your ESXi host.  Now for the really cool part.  
If you're upgrading hosts to new hardware there are a couple of things I've done, and the restore has gone off without a hitch.  Make sure the VMware install on the new host is at the exact same version as the host you backed up.  If not, this isn't a supported process, but you can use the "-Force" switch at the end of the restore to make it do it anyway.  The next thing is to ensure you have the network cables in the exact same port numbers as the old host.  In other words, port 0 on the old host should get the cable for port 0 on the new.

If you're unsure which cables correspond to which port, once you've migrated all VMs off of the old host you can look at the network configuration in the vSphere client and pull the cables one at a time.  From there just label each one so you know where to put it in the new server.

Once you've got the new box cabled up, on the same build of VMware as the old server, and powered on, here's all you need to do.

First put the host into maintenance mode.  This is required or the next step will not work.  You can use the hostname, IP address, or FQDN if you want.

Set-VMHost -VMHost esx1 -State "Maintenance"

Next enter the restore command.

Set-VMHostFirmware -VMHost -Restore -Force -SourcePath

Once you do this the host will immediately restart.  During the restart it will import the backed-up configuration before completing the loading process.

After the host has fully restarted you will be able to see that all of your prior settings have been restored, including those often complicated network, VLAN, and MTU settings.
On the hosts I have performed this on if they have local storage I have had to configure the large datastore again but given how much time this saves that's a minor thing to get the new server online much, much quicker.
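The version match is the step that bites people, because the restore command itself will happily proceed with -Force onto a different build. The two functions below are an added example, not from the original post or from VMware: the backup function records the source host's version and build next to the bundle, and the restore function refuses to continue unless the target host reports the same values (or you pass -Force, matching the post's unsupported path), puts the host into maintenance mode if it is not already, and then issues the same Set-VMHostFirmware -Restore call. They assume PowerCLI 5.5 is loaded and that Connect-VIServer has been run against the host directly, as the post's commands imply; host names and paths are placeholders.

```powershell
# Added example, not from the original post: PowerCLI helpers that record the
# source host's ESXi version/build at backup time and check it before restoring.
# Assumes PowerCLI 5.5 and an existing Connect-VIServer session to the host.
# Host names and paths are placeholders.

function Backup-EsxHostConfig {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$Destination)
    if (-not (Test-Path $Destination)) {
        New-Item -ItemType Directory -Path $Destination | Out-Null
    }
    $vmhost = Get-VMHost -Name $HostName
    $bundle = Get-VMHostFirmware -VMHost $vmhost -BackupConfiguration -DestinationPath $Destination
    # Record the exact build next to the bundle so the restore can check it later.
    $buildFile = Join-Path $Destination "$HostName.build.txt"
    "$($vmhost.Version) $($vmhost.Build)" | Set-Content -Path $buildFile
    return $bundle    # .Data holds the path of the configBundle .tgz
}

function Restore-EsxHostConfig {
    param([Parameter(Mandatory)][string]$HostName,
          [Parameter(Mandatory)][string]$BundlePath,
          [Parameter(Mandatory)][string]$BuildFile,
          [switch]$Force)    # unsupported path: restore onto a different build anyway
    $vmhost   = Get-VMHost -Name $HostName
    $expected = (Get-Content -Path $BuildFile | Select-Object -First 1).Trim()
    $actual   = "$($vmhost.Version) $($vmhost.Build)"
    if ($actual -ne $expected -and -not $Force) {
        throw "Target runs ESXi $actual but the backup came from $expected; install the same build or pass -Force"
    }
    # Maintenance mode is required; the restore fails without it.
    if ($vmhost.ConnectionState -ne 'Maintenance') {
        Set-VMHost -VMHost $vmhost -State Maintenance | Out-Null
    }
    # The host reboots immediately and applies the bundle during startup.
    Set-VMHostFirmware -VMHost $vmhost -Restore -SourcePath $BundlePath -Force:$Force
}

# Usage (placeholders):
# $b = Backup-EsxHostConfig -HostName 'esx1' -Destination 'C:\esxbackup'
# Restore-EsxHostConfig -HostName 'esx2' -BundlePath $b.Data -BuildFile 'C:\esxbackup\esx1.build.txt'
```

Keep the .build.txt file with the bundle; the bundle itself is a compressed archive of the host's state and does not advertise the build it came from in its file name.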
Good luck with your upgrades!

Friday, May 22, 2015

Exchange 2013 Blank ECP/OWA Screen, Showing Event ID 15021 HttpEvent System Log

I hit this one today after switching out an expired UCC certificate on two Exchange 2013 servers in a DAG.  Both the ECP and OWA screens just went to a white page after login and never loaded.  The servers were both showing hundreds of event ID 15021 entries in the system event log that say "An error occurred while using SSL configuration for endpoint  The error status code is contained within the returned data."

Here's the steps to fix it:

1. Open a command prompt.

2. Enter netsh http show sslcert.  This will show the certs on the server.  Copy and paste this information into Notepad, including the "IP:port" value.  Note that this information contains the certificate hash and the application ID; this is the information needed.

3.  Run this command:  netsh http delete sslcert ipport=

4.  Next run this command:  netsh http add sslcert ipport= certhash=123443211234321123 appid="{ab34k32abkr3252jsnekgljw}"  (the hash and appid here are placeholders; use the values from step 2, with the hash being the thumbprint of the new certificate).  Make sure to include the quotes around the appid.

5. Finally restart the server.

This is all it takes to correct the issue.  Apparently this glitch is specific to Exchange 2013 as a web based ECP doesn't exist in the earlier versions.
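Steps 2 through 4 are easy to get wrong by hand on a server with several bindings (443 and the 444 back-end listener, on more than one address). The script below is an added example, not from the original post: it parses the output of netsh http show sslcert into objects, confirms the replacement certificate is in the machine store with its private key, and rebuilds only the bindings that still reference the expired certificate's thumbprint, keeping each binding's own IP:port and application ID. The sample netsh output at the end is constructed for the example and its hashes and GUID are placeholders. Run it elevated.

```powershell
# Added example, not from the original post: parse "netsh http show sslcert",
# then rebuild the bindings that still point at an expired certificate so they
# use the replacement's thumbprint. Run from an elevated PowerShell.

function ConvertFrom-SslCertOutput {
    # Turn the netsh text into objects with IpPort, CertHash and AppId.
    param([string[]]$Lines)
    $bindings = @()
    $cur = $null
    foreach ($line in $Lines) {
        if ($line -match '^\s*IP:port\s*:\s*(\S+)') {
            if ($cur) { $bindings += $cur }
            $cur = New-Object PSObject -Property @{ IpPort = $matches[1]; CertHash = $null; AppId = $null }
        } elseif ($cur -and $line -match '^\s*Certificate Hash\s*:\s*([0-9A-Fa-f]+)') {
            $cur.CertHash = $matches[1].ToUpper()
        } elseif ($cur -and $line -match '^\s*Application ID\s*:\s*(\{[0-9A-Fa-f-]+\})') {
            $cur.AppId = $matches[1]
        }
    }
    if ($cur) { $bindings += $cur }
    return $bindings
}

function Repair-SslCertBindings {
    param([Parameter(Mandatory)][string]$OldThumbprint,
          [Parameter(Mandatory)][string]$NewThumbprint,
          [switch]$WhatIf)
    $OldThumbprint = $OldThumbprint.ToUpper(); $NewThumbprint = $NewThumbprint.ToUpper()
    # The replacement must be in LocalMachine\My with a private key, or the
    # binding will be rebuilt against a certificate http.sys cannot use.
    $cert = Get-ChildItem Cert:\LocalMachine\My | Where-Object { $_.Thumbprint -eq $NewThumbprint }
    if (-not $cert -or -not $cert.HasPrivateKey) {
        throw "Thumbprint $NewThumbprint not found in LocalMachine\My with a private key"
    }
    $bindings = ConvertFrom-SslCertOutput -Lines (& netsh http show sslcert)
    foreach ($b in ($bindings | Where-Object { $_.CertHash -eq $OldThumbprint })) {
        Write-Host "Rebinding $($b.IpPort): $($b.CertHash) -> $NewThumbprint (appid $($b.AppId))"
        if ($WhatIf) { continue }
        & netsh http delete sslcert "ipport=$($b.IpPort)" | Out-Null
        & netsh http add sslcert "ipport=$($b.IpPort)" "certhash=$NewThumbprint" "appid=$($b.AppId)" | Out-Null
    }
}

# Constructed sample of the netsh output the parser consumes (placeholder values).
$sample = @'
SSL Certificate bindings:
-------------------------

    IP:port                      : 0.0.0.0:443
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY

    IP:port                      : 0.0.0.0:444
    Certificate Hash             : aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa
    Application ID               : {00000000-0000-0000-0000-000000000001}
    Certificate Store Name       : MY
'@ -split "`r?`n"
ConvertFrom-SslCertOutput -Lines $sample | Format-Table IpPort, CertHash, AppId -AutoSize

# Real run (thumbprints are placeholders): preview first, then apply.
# Repair-SslCertBindings -OldThumbprint 'AAAA...' -NewThumbprint 'BBBB...' -WhatIf
# Repair-SslCertBindings -OldThumbprint 'AAAA...' -NewThumbprint 'BBBB...'
```

Filtering on the old thumbprint rather than rebinding everything matters on a box where other products also register http.sys bindings; those keep their own certificates. Because PowerShell passes each argument as one token, the appid braces do not need the extra quotes that cmd.exe requires.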

Simple fix to a real inconvenience.

Good luck!

Certificate Not Showing After Importing Into Exchange 2013

I ran into this one today with two servers in a DAG.  This is caused by the certificate you're using not having the private key.  Here's how I fixed it:

Go to the 1st server -> Start -> Run -> MMC -> File -> Add/Remove Snap Ins -> Certificates -> Computer Certificates -> Local Computer

Browse to the personal certificate store, right click on the correct certificate, select All Tasks, and then Export.  Make sure here you choose "Export Private Key" and assign a password.  Click Next and then name the file and where you want to save it.  The file will have a .pfx extension.

From there on the 1st server inside ECP you can go to Servers -> Certificates -> Choose the server you want and then import the certificate.

Once this process is done just assign the services to the certificate (SMTP, POP, etc) and then restart the server if possible.  If not some say you can do an IISRESET from the command prompt and then you'll be good.

Good luck!

Wednesday, May 13, 2015

Unable to scan IIS status - The IIS Common Files... Server 2012/2012 R2

I ran into this issue today while trying to run the Microsoft BPA (Best Practices Analyzer) 2.3 on a Windows Server 2012 R2 box with IIS 8.5 installed.  Below is the full text of the error:

"Unable to scan IIS status - The IIS Common Files are not installed on the local computer.  Refer to the system requirements list under the Microsoft Baseline Security Analyzer Help."

Here's the short fix:

Go back into Roles, and under Web Server (IIS) install IIS 6 Management Compatibility --> IIS 6 Metabase Compatibility.

Apparently from what I find this is a Windows Server 2003 item that hasn't been updated in the current server platform documentation on the MBSA to reflect the need for this additional set of files.

The longer explanation is that in order for the MBSA to be able to scan IIS properly it needs to have IIS 6 Management Compatibility turned on and more specifically the IIS 6 Metabase Compatibility.

I hope this one helps as it took me quite a bit of research to run this issue down.

Good luck.

Friday, April 24, 2015

Manually Applying Updates to Trend IMSVA

Whenever Trend issues an update for these virtual machines the GUI interface isn't always able to apply the patches to the VM.

This is where a bit of time and patience have to come in to get them updated.  Below is how I get it done quickly without much headache to keep these VMs current.

1. Download the patch or hot fix to your computer (Ex: imsva_90_en_criticalpatch1560.zip).

2. Extract the file.  You'll see a couple of files extracted such as readme_en.txt and imsva_90_en_criticalpatch1560.tar.gz listed.

3.  Use a program to upload the files to the IMSVA virtual machine.  I chose to use WinSCP.  Upload the file to the /tmp folder.

4.  Log in to the IMSVA as root using PuTTY or another SSH program.  NOTE: In WinSCP you have to use SCP as the protocol and the root account for the VM.  It won't connect with the standard "admin" account and password that the web browser login uses.

5.  Run the following commands:

   # tar -zxvf /tmp/imsva_90_en_criticalpatch1560.tar.gz -C /tmp
   # cd /tmp/imsva_90_en_criticalpatch1560
   # ./imssinst

6.  Allow the installation to run and when the install completes you'll see something similar to this:

   Installation is complete and related services are started.

Just a note when you are done you can delete both the *.tar.gz file and the folder it created off of the IMSVA virtual machine to save space.

Log in to the web interface and verify the new build version of your IMSVA with the "About" option.

I have found that not every hot fix or patch raises the build level in the web interface but if you try to apply it again to the IMSVA you'll find out it has already been installed.

For those of you that are not great in the Linux/Unix world I hope these instructions help you keep your critical infrastructure system patched and up to date.

It's Friday afternoon now so I hope you all have a great weekend.

Thursday, April 23, 2015

Managing FSMO roles with PowerShell in Server 2012 R2

PowerShell was released some time ago, but it feels to me like it was just yesterday.  Part of that is because as time moves on Microsoft is adding more and more features.  With Windows Server 2012 R2 now in full effect and quite stable, it's clear PowerShell is taking over as the primary Windows scripting language of choice.

I am a firm believer that everything in Windows Server 2012 R2 that can be done in the GUI can also be done in PowerShell.  Case in point, I just upgraded one of our network Domain Controllers from Windows Server 2012 to Windows Server 2012 R2.

Since this server was a DC the first thing I needed to do before the upgrade was to ensure the server was not running any of the five FSMO roles on our network.  To do this I ran the following command in PS on the server.
netdom query FSMO
This will return which DC or DCs on your network contain the FSMO roles.  Since the server I was upgrading had none then I had none to move before the upgrade.  Once the upgrade had completed I now wanted to make sure the newest DC on the network had the roles while others were being upgraded.

To transfer all five roles you can simply run this command in PS:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole 0,1,2,3,4
For reference, the command accepts the role number in place of the full name of the FSMO role:
  • PDC Emulator = 0
  • RID Master = 1
  • Infrastructure Master = 2
  • Schema Master = 3
  • Domain Naming Master = 4
If you find yourself in a situation where the DC you want to transfer roles from is offline and cannot be brought back then you'll need to seize the roles.  Here's the command for that:
Move-ADDirectoryServerOperationMasterRole -Identity "Target_DC_name" -OperationMasterRole 0,1,2,3,4 -Force
Finally, to transfer or seize just one role you would run the exact same command with only the number of the role you need to move.  These commands work on Server 2008 R2 and up, or Windows 7 with the RSAT (Remote Server Administration Tools) installed.
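When the DC you are about to upgrade holds only some of the roles, moving all five by number will also pull roles off DCs you did not intend to touch. The script below is an added example, not from the original post: it reads the current holders with Get-ADDomain and Get-ADForest (the same information netdom query FSMO prints), moves only the roles the named source DC actually holds to the target, and seizes (the -Force path above) only when you explicitly ask for it. It needs the ActiveDirectory module from RSAT; the DC names are placeholders.

```powershell
# Added example, not from the original post: move only the FSMO roles that a
# given DC currently holds, transferring by default and seizing on request.
# Needs the ActiveDirectory module (RSAT); DC names are placeholders.

Import-Module ActiveDirectory

function Get-FsmoHolders {
    # Same information as "netdom query fsmo", returned as an object.
    $domain = Get-ADDomain
    $forest = Get-ADForest
    New-Object PSObject -Property @{
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
    }
}

function Move-FsmoRolesFrom {
    param(
        [Parameter(Mandatory)][string]$SourceDC,   # the DC being upgraded or retired
        [Parameter(Mandatory)][string]$TargetDC,
        [switch]$Seize                              # only when SourceDC is permanently gone
    )
    $holders = Get-FsmoHolders
    $roles = @()
    foreach ($role in 'PDCEmulator','RIDMaster','InfrastructureMaster','SchemaMaster','DomainNamingMaster') {
        $holder = $holders.$role     # FQDN of the current holder
        if ($holder -and $holder.Split('.')[0] -ieq $SourceDC.Split('.')[0]) { $roles += $role }
    }
    if ($roles.Count -eq 0) {
        Write-Host "$SourceDC holds no FSMO roles; nothing to move"
        return @()
    }
    # -Force seizes instead of transferring. A seized-from DC must never be
    # brought back online in the domain, so only seize when it is really gone.
    Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $roles `
        -Force:$Seize -Confirm:$false
    return $roles
}

# Usage (placeholders):
# Get-FsmoHolders | Format-List
# Move-FsmoRolesFrom -SourceDC 'DC-OLD' -TargetDC 'DC-NEW'
# Move-FsmoRolesFrom -SourceDC 'DC-DEAD' -TargetDC 'DC-NEW' -Seize
```

Run Get-FsmoHolders again after the move and compare it with netdom query FSMO from another DC; if the two disagree, replication has not caught up yet, which is normal for a minute or two after a transfer.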

I don't find myself moving FSMO roles often but when I need to this is much easier than using the GUI.  A great reference on PowerShell is Learn Windows PowerShell 3 in a Month of Lunches.  It's a great read and has tons of great PowerShell information.

Good luck.

Wednesday, March 04, 2015

RESOLVED: The WS-Management service cannot process the request.

The full error reads: "The WS-Management service cannot process the request.  The user load quota of 1000 requests per 2 seconds has been exceeded.  Send future requests at a slower rate or raise the quota for this user.  The next request from this user will not be approved for at least X milliseconds."

This can happen if your Exchange server has recently received a new SSL (UCC) certificate.

What can happen is the remote PowerShell or the EMC will be using a certificate that is not trusted or valid anymore.

A simple "IISRESET" from PowerShell or the CMD prompt will correct the issue.

Good luck!

Wednesday, February 11, 2015

Cisco AnyConnect "Failed to Initialize Connection Subsystem"

I run Windows 8.1 and run Cisco AnyConnect Secure Mobility Client version 3.1.03103 to access a VPN.  After getting the error I updated to the latest AnyConnect Client version 4.0.00061 and got the same result.

Last night I installed all of the updates from Patch Tuesday (over 1.1G worth, including Office 2013 patches).  Today, after I hit connect, it stopped working out of the blue with the error:

Failed to initialize connection subsystem

I suspect a recent Windows update must be the culprit.  Here are the steps you will find all over the web to fix it.  THIS DOESN'T WORK!  To fix it, just uninstall KB3023607, published for install yesterday!

1. Close the Cisco AnyConnect Window and the taskbar mini-icon
2. Right click vpnui.exe in the "Cisco AnyConnect Secure Mobility Client" folder.  (I have it in "C:\Program Files (x86)\Cisco\Cisco AnyConnect Secure Mobility Client\".)
3. Click on the “Run compatibility troubleshooter” button
4. Choose “Try recommended settings”.
5. The wizard suggests Windows 8 compatibility.
6. Click “Test Program”.  This will open the program.
7. Close

Cisco has escalated this issue to Microsoft for investigation from what I can find.

This issue was introduced by KB# 3023607: Secure Channel cumulative update changes TLS protocol renegotiation and fallback behavior (https://support.microsoft.com/kb/3023607) and included with Microsoft Security Bulletin MS15-009 – Critical Security Update for Internet Explorer (3034682)

This issue is rumored to affect Windows 7 with IE 11 as well.  I have not experienced this myself as I no longer run Windows 7 on any of my machines.
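The fix that worked for me is a single uninstall, but on a fleet you want to know which machines have the update before touching anything. The script below is an added example, not from the original post: it checks for KB3023607 with Get-HotFix, removes it with wusa.exe the way the post describes, and confirms afterwards. Run it elevated; it assumes nothing beyond the KB number the post names.

```powershell
# Added example, not from the original post: detect and remove KB3023607, the
# update the post identifies as breaking AnyConnect. Run from an elevated
# PowerShell on the affected Windows 8.1 machine.

function Test-KB3023607Installed {
    return [bool](Get-HotFix -Id KB3023607 -ErrorAction SilentlyContinue)
}

function Remove-KB3023607 {
    if (-not (Test-KB3023607Installed)) {
        Write-Host 'KB3023607 is not installed; nothing to do'
        return $false
    }
    # wusa performs the uninstall; /norestart lets you reboot when convenient.
    Start-Process -FilePath wusa.exe -Wait `
        -ArgumentList '/uninstall', '/kb:3023607', '/quiet', '/norestart'
    if (Test-KB3023607Installed) {
        Write-Warning 'KB3023607 still listed; a restart is probably pending'
        return $false
    }
    Write-Host 'KB3023607 removed; restart, then test AnyConnect'
    return $true
}

Remove-KB3023607
```

Because the post notes this update shipped under a security bulletin (MS15-009), Windows Update will offer it again; track the machines you removed it from so the corrected update can go back on once the AnyConnect side is sorted out.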