PFDAVAdmin error

February 3, 2010

You may run across this error when running PFDAVAdmin on servers, especially Exchange 07 servers.

Could not expand https://FQDNServer/ExAdmin/Admin/HOME.LOCAL/public%20folders/: Name cannot begin with the '0' character, hexadecimal value 0x30. Line 1, position 409.

It appears that this error is due to a .NET version problem. The tool requires the .NET 1.1 framework which on Exchange 07 servers probably wouldn’t be installed since Exchange 07 uses .NET 2.0.

It is also advised that you DO NOT install .NET 1.1 on a working Exchange 07 server, since the .NET 1.1 installation resets crucial config settings and breaks Exchange.

If, however, you install .NET 1.1 before installing Exchange, you should be fine. Hence, it's best to run the tool on a workstation that has .NET 1.1 installed.

Undeleting Exchange Emails

January 11, 2010

If a user deleted a folder or item from a public folder or mailbox, and also deleted it from their Deleted Items folder, not all is lost.

The MS tool PFDAVAdmin, available at http://www.microsoft.com/downloads/details.aspx?FamilyId=635BE792-D8AD-49E3-ADA4-E2422C0AB424&displaylang=en, allows you to recover any email that has been deleted.

Domain Controller Replication Fails with Access Denied

December 4, 2009

Working on a multi-site AD setup, a DC was shut down for a few months. When the server came back up, it appeared the computer account credentials had expired.

Normally a netdom resetpwd /server:Replication_Partner_Server_Name /userd:domainname\administrator_id /passwordd:* would fix the issue; however, in this case it didn't.

Because the DC was reporting an access denied error, running DCPromo to demote the DC didn't work either. It failed with an Access Denied error as well.

The solution turned out to be stopping the KDC service (net stop kdc); after that, running DCPromo to demote the broken DC worked. After a reboot, DCPromo could be run again to make it a DC again.

ASA VPN Server config template

November 20, 2009

I keep forgetting the config required for setting up an ASA VPN server, so here it is for reference:

This is an ASA config with Radius authentication.

aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <HOST>
key <KEY>

access-list VPN_splitTunnelAcl standard permit <NETWORK> <SUBNET>
ip local pool VPN-IP-POOL <FROM_IP>-<TO_IP> mask 255.255.255.0

access-list nonat extended permit ip any <NETWORK> <SUBNET>
nat (inside) 0 access-list nonat

group-policy <GROUP> internal
group-policy <GROUP> attributes
dns-server value <DNS_IP>
vpn-tunnel-protocol IPSec webvpn
ipsec-udp enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value VPN_splitTunnelAcl
default-domain value <DNS_SUFFIX>
webvpn
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set transform-set ESP-3DES-SHA
crypto dynamic-map outside_dyn_map 10 set security-association lifetime seconds 28800
crypto dynamic-map outside_dyn_map 10 set security-association lifetime kilobytes 4608000
crypto dynamic-map outside_dyn_map 10 set reverse-route
crypto map outside_map 65535 ipsec-isakmp dynamic outside_dyn_map
crypto map outside_map interface outside
isakmp enable outside
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
isakmp nat-traversal 20

tunnel-group <TUNNEL> type ipsec-ra
tunnel-group <TUNNEL> ipsec-attributes
pre-shared-key <PRESHAREKEY>
isakmp keepalive threshold 10 retry 2
tunnel-group <TUNNEL> general-attributes
address-pool VPN-IP-POOL
authentication-server-group RADIUS
default-group-policy <GROUP>
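Because the template above is kept with angle-bracket placeholders, the two mistakes I want to catch before pasting it into an ASA are an unfilled placeholder (a literal "<KEY>" becomes the RADIUS secret) and a legacy algorithm slipping through unnoticed. The following is an added example, not part of the original post or any Cisco tool: it renders a reduced excerpt of the template from a value table, refuses to emit a config with placeholders left in it, and flags the IKE/IPsec lines that still use DES/3DES, MD5 or DH groups 1/2/5. The excerpt, the sample values (RFC 5737 addresses, made-up secrets) and the lint criteria are mine.

```python
import re

# Excerpt of the template above, reduced to the lines this example checks
# (constructed from the post's template; angle-bracket tokens are the placeholders).
TEMPLATE = """\
aaa-server RADIUS protocol radius
aaa-server RADIUS (inside) host <HOST>
 key <KEY>
crypto ipsec transform-set ESP-3DES-SHA esp-3des esp-sha-hmac
isakmp policy 10 authentication pre-share
isakmp policy 10 encryption 3des
isakmp policy 10 hash sha
isakmp policy 10 group 2
isakmp policy 10 lifetime 1000
tunnel-group <TUNNEL> type ipsec-ra
tunnel-group <TUNNEL> ipsec-attributes
 pre-shared-key <PRESHAREKEY>
"""

# Constructed sample values: documentation address range, placeholder secrets.
SAMPLE_VALUES = {
    "HOST": "192.0.2.10",
    "KEY": "example-radius-secret",
    "TUNNEL": "REMOTE-USERS",
    "PRESHAREKEY": "example-psk-change-me",
}

PLACEHOLDER = re.compile(r"<([A-Z_]+)>")


def unfilled(template, values):
    """Sorted list of placeholder names that have no value."""
    return sorted(set(PLACEHOLDER.findall(template)) - set(values))


def render(template, values):
    """Fill every <NAME> placeholder; refuse to emit a config with any left,
    since a literal '<KEY>' after 'aaa-server ... key' is accepted as a secret."""
    missing = unfilled(template, values)
    if missing:
        raise KeyError(f"unfilled placeholders: {', '.join(missing)}")
    return PLACEHOLDER.sub(lambda m: values[m.group(1)], template)


# Legacy algorithm choices to flag (my criteria, not the post's):
# a regex matched against each stripped config line, and the finding text.
LEGACY_SETTINGS = [
    (r"^isakmp policy \d+ encryption (des|3des)\b",
     "IKE encryption is DES/3DES; prefer aes-256"),
    (r"^isakmp policy \d+ hash md5\b",
     "IKE hash is MD5; use SHA"),
    (r"^isakmp policy \d+ group [125]\b",
     "Diffie-Hellman group 1/2/5 is too small; use group 14 or higher"),
    (r"^crypto ipsec transform-set \S+ .*\besp-(des|3des)\b",
     "IPsec transform uses DES/3DES; prefer esp-aes-256"),
]


def audit(config):
    """Return (line number, finding) for every line matching a legacy setting."""
    findings = []
    for lineno, line in enumerate(config.splitlines(), 1):
        stripped = line.strip()
        for pattern, message in LEGACY_SETTINGS:
            if re.match(pattern, stripped):
                findings.append((lineno, message))
    return findings


if __name__ == "__main__":
    rendered = render(TEMPLATE, SAMPLE_VALUES)
    print(rendered)
    for lineno, message in audit(rendered):
        print(f"line {lineno}: {message}")
```

Run against the full template the same way; the lint only ever reports what is on a line, so a clean audit says nothing about the PSK strength or the ACLs.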

MS Word Mime type in Linux

August 3, 2009

It seems that the KDE people have added .doc as a text/plain mime type. Under normal circumstances, application/msword should take precedence, however sometimes this doesn't happen.

In this case, one needs to remove the offending line in the text/plain mime type.

To do this, edit /usr/share/mime/packages/kde.xml.

Find the text/plain entry and comment out or remove the .doc entry.

Then run "update-mime-database /usr/share/mime".
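The kde.xml file is shared-mime-info XML, so the edit above is mechanical: find the mime-type element whose type is text/plain and drop its glob for *.doc, leaving the application/msword glob alone. Here is that edit as an added example (not from the original post or from KDE), written against a constructed excerpt in the shape of kde.xml rather than the real file; the main block applies it to a path given on the command line, after which update-mime-database still has to be run.

```python
import sys
import xml.etree.ElementTree as ET

MIME_NS = "http://www.freedesktop.org/standards/shared-mime-info"
ET.register_namespace("", MIME_NS)  # keep the default namespace on output


def _tag(name):
    return f"{{{MIME_NS}}}{name}"


# Constructed excerpt in the shape of kde.xml, not the real file's contents.
SAMPLE_KDE_XML = """\
<mime-info xmlns="http://www.freedesktop.org/standards/shared-mime-info">
  <mime-type type="text/plain">
    <comment>plain text document</comment>
    <glob pattern="*.txt"/>
    <glob pattern="*.doc"/>
  </mime-type>
  <mime-type type="application/msword">
    <comment>Microsoft Word document</comment>
    <glob pattern="*.doc"/>
  </mime-type>
</mime-info>
"""


def globs_for(xml_data, mime_type):
    """Glob patterns registered for one mime type."""
    root = ET.fromstring(xml_data)
    return [g.get("pattern")
            for mt in root.iter(_tag("mime-type")) if mt.get("type") == mime_type
            for g in mt.findall(_tag("glob"))]


def conflicting_types(xml_data, pattern):
    """Every mime type claiming the pattern; more than one means precedence decides."""
    root = ET.fromstring(xml_data)
    return sorted(mt.get("type") for mt in root.iter(_tag("mime-type"))
                  if any(g.get("pattern") == pattern for g in mt.findall(_tag("glob"))))


def remove_glob(xml_data, mime_type, pattern):
    """Drop <glob pattern=...> from one mime type only; return (new xml, count removed).
    Note: ElementTree's default parser discards XML comments."""
    root = ET.fromstring(xml_data)
    removed = 0
    for mt in root.iter(_tag("mime-type")):
        if mt.get("type") != mime_type:
            continue
        for glob in list(mt.findall(_tag("glob"))):
            if glob.get("pattern") == pattern:
                mt.remove(glob)
                removed += 1
    return ET.tostring(root, encoding="unicode"), removed


if __name__ == "__main__":
    # Usage: python fix_mime.py /usr/share/mime/packages/kde.xml
    path = sys.argv[1]
    with open(path, "rb") as fh:          # bytes, so the file's own encoding declaration is honoured
        data = fh.read()
    print("types claiming *.doc before:", conflicting_types(data, "*.doc"))
    new_xml, n = remove_glob(data, "text/plain", "*.doc")
    with open(path, "w", encoding="utf-8") as fh:
        fh.write('<?xml version="1.0" encoding="UTF-8"?>\n' + new_xml + "\n")
    print(f"removed {n} glob(s); now run: update-mime-database /usr/share/mime")
```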

SecureCRT Cisco Factory Reset Script

July 9, 2009

The other day I had to do a password recovery and erase the config on about 15 routers. Not fun if it's not automated in some way.

Hence, I knocked up this script to perform a password recovery and erase the startup config and reset the router.

All you need to do is save it to your hard drive as a .vbs and run it from within SecureCRT.

#$language = "VBScript"
#$interface = "1.0"
'''''''''''''''''''''''''''''''''''''''''''''''
' Performs the password recovery procedure
' and erases the startup config,
' hence performing the equivalent of a factory reset.
' Expects the router console on COM1 (9600 8N1, no flow control).
'''''''''''''''''''''''''''''''''''''''''''''''
Sub Main
 crt.Session.Connect "/SERIAL COM1 /BAUD 9600 /NOCTS /DATA 8 /NODSR /PARITY NONE /NOXON"
 crt.Dialog.MessageBox("THIS SCRIPT WILL ERASE THE CONFIG" & vbCr & "Please Turn on the router")
 ' Wait for the bootstrap banner, then reconnect at 1200 baud
 crt.Screen.WaitForString "main memory"
 crt.Session.Disconnect
 crt.Session.Connect "/SERIAL COM1 /BAUD 1200 /NOCTS /DATA 8 /NODSR /PARITY NONE /NOXON"
 ' Send break sequence: runs of spaces at 1200 baud are seen as a break
 ' by the 9600 baud console, dropping the router into ROMMON
 crt.Screen.Send("                                                   ")
 crt.Sleep 100
 crt.Screen.Send("                                                   ")
 crt.Sleep 100
 crt.Screen.Send("                                                   ")
 crt.Sleep 100
 crt.Screen.Send("                                                   ")
 crt.Sleep 100
 crt.Session.Disconnect
 crt.Session.Connect "/SERIAL COM1 /BAUD 9600 /NOCTS /DATA 8 /NODSR /PARITY NONE /NOXON"
 ' Set the config register to ignore the startup config, then reset
 crt.Screen.Send(vbCr)
 crt.Screen.Send(vbCr)
 crt.Screen.WaitForString "ommon 1 >"
 crt.Screen.Send "confreg 0x2142" & vbCr
 crt.Screen.WaitForString "ommon 2 >"
 crt.Screen.Send "reset" & vbCr
 ' Get past the new-router prompts
 crt.Screen.WaitForString "configuration dialog? [yes/no]:"
 crt.Screen.Send "no" & vbCr
 crt.Screen.WaitForString "RETURN to get started!"
 crt.Sleep 15000
 ' Erase the startup config
 crt.Screen.Send(vbCr)
 crt.Screen.WaitForString "outer>"
 crt.Screen.Send "en" & vbCr
 crt.Screen.WaitForString "outer#"
 crt.Screen.Send "erase start" & vbCr
 crt.Screen.WaitForString "[confirm]"
 crt.Screen.Send (vbCr)
 ' Restore the normal config register (0x2102) and reload without saving
 crt.Screen.WaitForString "outer#"
 crt.Screen.Send "conf t" & vbCr
 crt.Screen.WaitForString "outer(config)#"
 crt.Screen.Send "config-register 0x2102" & vbCr
 crt.Screen.WaitForString "outer(config)#"
 crt.Screen.Send "exit" & vbCr
 crt.Screen.WaitForString "outer#"
 crt.Screen.Send "reload" & vbCr
 crt.Screen.WaitForString "Save? [yes/no]:"
 crt.Screen.Send "no" & vbCr
 crt.Screen.WaitForString "[confirm]"
 crt.Screen.Send (vbCr)
 crt.Screen.WaitForString "cisco Systems, Inc."
 crt.Session.Disconnect
 crt.Dialog.MessageBox("Factory Reset procedure Completed")
End Sub

CiscoFactoryReset.pdf

Converting between ssl certificate formats on Linux

May 28, 2009

As the title says, commands to convert between formats. Use the openssl command as follows:

To convert a certificate from PEM to DER:

openssl x509 -in input.crt -inform PEM -out output.crt -outform DER

To convert a certificate from DER to PEM:

openssl x509 -in input.crt -inform DER -out output.crt -outform PEM

To convert a key from PEM to DER:

openssl rsa -in input.key -inform PEM -out output.key -outform DER

To convert a key from DER to PEM:

openssl rsa -in input.key -inform DER -out output.key -outform PEM

Taken from Citrix KB CTX106631
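What those four commands do is a re-encoding, not a cryptographic operation: PEM is the DER bytes in base64, wrapped at 64 columns between BEGIN/END lines whose label names the content (which is why x509 is used for certificates and rsa for keys). The following is an added example, not from the original post or from OpenSSL, that performs the same PEM/DER conversion in plain Python, detects which form it was handed, checks that the decoded bytes are one complete ASN.1 SEQUENCE, and refuses encrypted PEM keys (which openssl rsa decrypts first). The sample object is a constructed minimal SEQUENCE, not a real certificate.

```python
import base64
import re

# One PEM block: label, optional header lines, base64 body.
PEM_BLOCK = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n(.*?)-----END \1-----", re.S)


def detect_format(data):
    """PEM is text starting with a BEGIN line; DER for X.509 certificates and
    RSA keys starts with 0x30, the ASN.1 SEQUENCE tag."""
    if data.lstrip().startswith(b"-----BEGIN "):
        return "PEM"
    if data[:1] == b"\x30":
        return "DER"
    raise ValueError("input is neither PEM nor DER")


def der_total_length(der):
    """Total length of the outer SEQUENCE (tag + length octets + content),
    read from its DER length encoding."""
    if der[:1] != b"\x30":
        raise ValueError("DER does not start with a SEQUENCE")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further length octets
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("bad DER length encoding")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def pem_to_der(pem):
    """Return (label, der), the equivalent of '-inform PEM -outform DER'."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no PEM block found")
    label, body = m.group(1).decode("ascii"), m.group(2)
    if b"Proc-Type:" in body or b"DEK-Info:" in body:
        raise ValueError("encrypted PEM key: decrypt it with openssl rsa first")
    der = base64.b64decode(b"".join(body.split()), validate=True)
    if der_total_length(der) != len(der):
        raise ValueError("decoded body is not a single complete DER object")
    return label, der


def der_to_pem(der, label):
    """Return PEM bytes, the equivalent of '-inform DER -outform PEM'.
    The label must match the content: 'CERTIFICATE' for x509 output, a key
    label for rsa output."""
    if der_total_length(der) != len(der):
        raise ValueError("input is not a single complete DER object")
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    tag = label.encode("ascii")
    return (b"-----BEGIN " + tag + b"-----\n" + b"\n".join(lines)
            + b"\n-----END " + tag + b"-----\n")


def convert(data, outform, label="CERTIFICATE"):
    """Detect the input form and re-encode to outform ('PEM' or 'DER').
    A PEM input keeps its own label; a DER input needs one supplied."""
    if detect_format(data) == "PEM":
        label, der = pem_to_der(data)
    else:
        der = data
    if outform == "DER":
        return der
    if outform == "PEM":
        return der_to_pem(der, label)
    raise ValueError("outform must be PEM or DER")


# Constructed sample: the smallest useful DER object, SEQUENCE { INTEGER 5 }.
# Not a real certificate, just enough structure to exercise the code.
SAMPLE_DER = bytes.fromhex("3003020105")

if __name__ == "__main__":
    pem = convert(SAMPLE_DER, "PEM")
    print(pem.decode("ascii"))
    print(convert(pem, "DER").hex())
```

The length check is the useful part in practice: a truncated download or a file with two concatenated certificates still decodes as base64, but its outer SEQUENCE length will not match the byte count.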

Redundant Cisco ASAs in Transparent mode

May 28, 2009

Something I thought would have been more widespread, but could not find any examples of, is having two Cisco ASAs in a redundant Active/Standby pair with both in transparent mode.

The Cisco documentation covers how to do this but focuses on routed-mode ASAs. It doesn't cover in any detail how transparent mode would work or any caveats that could arise if it were used.

In any case I figured I'd write something up for reference the next time I might need it.

The situation is this:

  • Two ASA 5505s
  • Outside interfaces connected together to the default router (1.1.1.254)
  • Inside interfaces connected together to the customer's servers

The active IP will be 1.1.1.1 and the Standby IP will be 1.1.1.2.

Note that in transparent mode, the above IPs are for management only.

First setup the transparent configuration:

firewall transparent
interface Vlan1
nameif outside
security-level 0
!
interface Vlan2
nameif inside
security-level 100
!
interface Ethernet0/0
!
interface Ethernet0/1
switchport access vlan 2
!
route outside 0.0.0.0 0.0.0.0 1.1.1.254

Note you need to create the relevant ACLs on the outside interface to allow traffic through.

Next is the redundancy configuration:

interface Vlan255
description Used to sync configs between ASAs
!
interface Ethernet0/7
switchport access vlan 255
!
ip address 1.1.1.1 255.255.255.0 standby 1.1.1.2
!
failover
failover lan unit primary
failover lan interface failover Vlan255
failover interface ip failover 192.168.255.1 255.255.255.252 standby 192.168.255.2

All that's required on the standby is to set the ASA to transparent mode, set up VLAN 255 and attach it to an interface, connect the two failover interfaces together, and run the failover commands.

Notes:

  1. Spanning Tree Loops
    1. It doesn’t appear to produce any loops
  2. Config syncing
    1. Running config is sync’ed in realtime
    2. Startup config is sync’ed on a “copy run start” command
  3. Never change the config on the standby unit; it will cause config desynchronization

Sysprep answer file

May 28, 2009

After the blogs on WDS and XP, I figured I'll post up my sysprep.inf for reference.

I have successfully deployed it to HP desktops, and it also includes drivers for IBM desktops.

It's a fairly long file, so click more to see it.

WDS and XP Part 4

May 28, 2009

Intro

This part will cover the deployment of your newly created image.

Importing

Once the XP reference machine has been captured you will need to import it into WDS.

Open up the WDS console and right-click the Images folder and select Add.

Add the Windows XP image.

Sysprep

One peculiar thing about WDS and XP is that you have to copy the sysprep answer file you created for the system into the WDS image folder.

To do this, go to the WDS Image folder. In there, locate the Windows XP image you imported. In that directory create a folder named exactly the same as your Windows XP image. For example, if your image was called "biz_deployment_image.wim" then you need to create a folder called "biz_deployment_image".

Inside that folder create a folder called $OEM$

Inside that folder create a folder called $1

Inside that folder create a folder called sysprep

Inside this folder copy your sysprep.inf file into here.

You will need to edit your sysprep.inf file to allow automatic domain joining and computer naming.

Open up the sysprep.inf file and change the following options:

  • OrgName = "%ORGNAME%"
  • ComputerName = %MACHINENAME%
  • JoinDomain = %MACHINEDOMAIN%
  • TimeZone = %TIMEZONE%

Once this is done, save and close the file.
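Doing the folder path and the four key edits by hand for every image is where typos creep in, so here is the same procedure as an added example (not from the original post or from WDS): it derives the $OEM$\$1\sysprep\sysprep.inf path from the image file name and swaps the four keys for the WDS tokens above wherever they appear in the file. The miniature sysprep.inf is constructed for the example, with the sections these keys normally live in. The one thing worth knowing about the implementation is that Python's default configparser treats % as an interpolation character and would choke on %MACHINENAME%, so RawConfigParser is used.

```python
import configparser
import io
from pathlib import PureWindowsPath

# Tokens WDS substitutes at deploy time, as given in the post.
WDS_TOKENS = {
    "OrgName": '"%ORGNAME%"',
    "ComputerName": "%MACHINENAME%",
    "JoinDomain": "%MACHINEDOMAIN%",
    "TimeZone": "%TIMEZONE%",
}

# Constructed minimal sysprep.inf, only the sections that hold these keys.
SAMPLE_SYSPREP_INF = """\
[Unattended]
OemSkipEula=Yes

[GuiUnattended]
TimeZone=085
AdminPassword=*

[UserData]
FullName="Desktop User"
OrgName="Example Org"
ComputerName=OLD-PC-01

[Identification]
JoinDomain=OLDDOMAIN
"""


def answer_file_path(image_filename):
    """Where WDS looks for the answer file, relative to the WDS image folder:
    <image name without .wim>\\$OEM$\\$1\\sysprep\\sysprep.inf"""
    stem = PureWindowsPath(image_filename).stem
    return PureWindowsPath(stem, "$OEM$", "$1", "sysprep", "sysprep.inf")


def _load(inf_text):
    # RawConfigParser: no '%' interpolation, so the WDS tokens survive untouched.
    # optionxform=str keeps key case the way Sysprep wrote it.
    cp = configparser.RawConfigParser(strict=False, allow_no_value=True)
    cp.optionxform = str
    cp.read_string(inf_text)
    return cp


def set_wds_tokens(inf_text, tokens=WDS_TOKENS):
    """Replace each key in every section where it appears.
    Returns (new text, keys that were not found anywhere)."""
    cp = _load(inf_text)
    missing = []
    for key, value in tokens.items():
        found = False
        for section in cp.sections():
            if cp.has_option(section, key):
                cp.set(section, key, value)
                found = True
        if not found:
            missing.append(key)
    buf = io.StringIO()
    cp.write(buf, space_around_delimiters=False)
    return buf.getvalue(), missing


def get_value(inf_text, key):
    """First value found for key in any section, or None."""
    cp = _load(inf_text)
    for section in cp.sections():
        if cp.has_option(section, key):
            return cp.get(section, key)
    return None


if __name__ == "__main__":
    print(answer_file_path("biz_deployment_image.wim"))
    new_inf, missing = set_wds_tokens(SAMPLE_SYSPREP_INF)
    print(new_inf)
    if missing:
        print("keys not present in the file, add them by hand:", missing)
```

Keys that are absent from your sysprep.inf are reported rather than silently added, because which section they belong in depends on the rest of your file.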

Deployment

Boot up your destination computer with network boot and select the Windows Boot Image.

Run through the wizard and select the Windows XP image you created.

The system will then deploy the image to the machine, Sysprep's mini-setup will run and configure the system, then DriverPacks will install its drivers and save them if you asked it to do so, and the next thing you know you will have a Windows XP desktop presented to you, ready to go.