I have a client who had two sites; one didn’t have a particularly good internet connection, (which is the actual problem that needed to be solved). But in the interim, he wanted me to prioritise RDP traffic, as his staff were constantly complaining about the speed of their connections.
Note: There may be a myriad of reasons why user experience is bad for an RDP session; this was quite simply a bandwidth issue.
The client requested I prioritise RDP traffic on the link. We were not really sure if that would cure the problem, but they have not complained since!
Solution
On the main site, (with the RDP server(s) on), create an ‘access-list’ to match our interesting traffic. (I’m just using ‘any’ as the source.)
This tripped me up for quite a while, (it kept saying access denied). I’d tested this previously and everything was working. Note: If you have never had it working, ensure that the name you are using is resolvable in DNS and is the name on the certificate of the MRS Proxy server, (or at least a subject alternative name). See this link for how to set it up properly.
Assuming, (like me) everything is OK and the MRS proxy service is running etc., then I found the root cause of my problem by running;
[box]Get-MigrationEndpoint | fl[/box]
I saw the problem straight away: it was using cached credentials for an admin user who had changed their password. Now all I had to do was work out how to replace the credentials!
Within the Exchange admin center > Recipients > Migration > {Ellipsis} > ‘Migration Endpoints’.
Update.
Enter the new (correct credentials) > Save > Save.
Now retry your ‘batch’ migration.
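The same check and fix from the Exchange Management Shell, as an added example (not the original post’s command lines). The endpoint name ‘DomainA-Endpoint’ is an assumption; use whatever Get-MigrationEndpoint returns for yours.

```powershell
# Added example (not from the original post): show which account the endpoint has cached,
# replace the credentials, and test the endpoint before retrying the batch.
# 'DomainA-Endpoint' is an assumed name; take the real one from Get-MigrationEndpoint.

# Credentials lists only the user name, which is enough to spot the admin whose password changed.
Get-MigrationEndpoint | Format-List Identity, EndpointType, RemoteServer, Credentials, LastModifiedTime

# Prompt for the source-forest admin account and store it on the endpoint.
$NewCred = Get-Credential -Message 'Admin account in the SOURCE (remote) forest'
Set-MigrationEndpoint -Identity 'DomainA-Endpoint' -Credentials $NewCred

# Confirm the MRS proxy actually accepts the new credentials; a failure here means
# the endpoint is still broken and retrying the batch will only fail again.
Test-MigrationServerAvailability -Endpoint 'DomainA-Endpoint'
```

Test-MigrationServerAvailability does the same handshake the batch will do, so it tells you whether the ‘access denied’ is gone before you wait on a migration to fail.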
Office 365 Migration Endpoint Error
If you get the same error when attempting to setup a Migration Endpoint in Office 365;
Then simply skip setting up the endpoint, and perform a batch migration, the system will then connect to the MRS proxy service and work.
Related Articles, References, Credits, or External Links
Me to the office: Does anyone know how to create a password protected Zip file on a Mac?
Reply: Use Windows
Well actually this advice is ‘bobbins!’ Windows still can’t do this without installing an application, (I would recommend 7-Zip). But with a Mac of course you can 🙂
Solution
First open a Terminal window, then ‘change directory’ to the folder that contains the uncompressed file(s), or folder(s) you want to Zip.
Changing Directory With Spaces In Your Foldernames
I thought I’d better put this here, if you have spaces in your folder names, you use the following syntax;
And repeat if you have multiple spaces like so;
Mac OSX: Create a Normal Zip File
Before we try and password protect a Zip file, let’s see how to create a simple one;
PeteNetLive is full of Exchange Migration walkthroughs, going all the way back to Exchange 2003. But what if you are migrating to another forest? Well for small migrations you can of course export mail from the old Exchange Server, and then import it into the new mailbox in the new domain/forest (usually via .PST files). I’ll provide links at the bottom of the page, if that’s what you would prefer to do.
Earlier this year, I got involved with a client that was migrating many domains into one, and this method seemed a better fit for them. The process/screenshots below are taken from my testing and proof of concept for this project.
As you can see, (above) I’ve got a source Exchange server, (Running Exchange 2010) in domaina.com, and I’ve got a target Exchange server, (Running Exchange 2016) in domainz.com
Note: You may guess from the server names, these are also domain controllers, (this is not recommended in a production environment!) My old Exchange server is also running Certificate Services, which will become apparent below.
Solution
The service that does all the ‘heavy lifting’ is the Microsoft Exchange Mailbox Replication Service. Our first task is to get it running on the legacy Exchange server. Open the Exchange Shell and execute the following command;
[box]Set-WebServicesVirtualDirectory -Identity "EWS (Default Web Site)" -MRSProxyEnabled $true -MRSProxyConnections 50[/box]
Ensure the service is running;
The front end of the MRS service is presented via IIS, and it’s secured with HTTPS, so it will use the certificate you have presented, (i.e. the same one for OWA). Therefore the new (Target Exchange Server) needs to trust that certificate. If you have a publicly signed certificate from a third party vendor, then you don’t need to import anything; you can skip this step.
The World is Full of People Who are Scared of Certificates! I have no idea why. For a certificate to work, you need to TICK TWO BOXES;
BOX ONE: You need to trust the Certificate Authority who issued the certificate, (this is printed onto the certificate, and in most cases can be extracted from the web certificate as well). This is the CA Certificate of the issuer, NOT the certificate you see in OWA.
BOX TWO: The certificate will have a name on it; it will be either the common name, or a subject alternative name (within the certificate), and it will look something like owa.your-domain.com, or *.your-domain.com for example. This must be resolvable via DNS, and also be the hostname you are looking at.
Below, I’m simply importing the Root CA Certificate, from DomainA into my Exchange server on DomainZ.
Note: Start > Run > mmc.msc > File > Add/Remove Snap-in > Certificates > Local Computer.
In production, I’d setup conditional forwarding between the two domains to handle DNS, but in this case I’m being lazy and just putting the FQDN of the Exchange 2010 server in the Exchange 2016’s hosts file, (old school eh!)
Providing you have done everything correctly, you should be able to ‘browse’ from Exchange 2016 to Exchange 2010 at the following URL and not receive any certificate errors; it should look like this;
Note: If you get any certificate/untrusted errors, fix them before proceeding.
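Both boxes can be ticked and checked from PowerShell on the Exchange 2016 server. This is an added example, not the original post’s procedure; the certificate file path and the legacy server’s FQDN are assumptions.

```powershell
# Added example (not from the original post): import DomainA's root CA on the DomainZ server, then
# check the two boxes from the text against the live MRS proxy host: is the issuer trusted, and
# does the name you use match the certificate? File path and host name are assumptions.

$RootCaFile = 'C:\Temp\DomainA-RootCA.cer'   # root CA cert exported from the DomainA CA (assumed path)
$MrsHost    = 'exchange2010.domaina.com'      # the FQDN you put in DNS or the hosts file (assumed)

# BOX ONE: trust the issuing CA (Local Computer > Trusted Root). Needs an elevated session.
Import-Certificate -FilePath $RootCaFile -CertStoreLocation 'Cert:\LocalMachine\Root' | Out-Null

function Test-MrsProxyCertificate {
    param([Parameter(Mandatory)][string]$HostName, [int]$Port = 443)

    # BOX TWO, part 1: the name has to resolve (DNS, conditional forwarder, or hosts file).
    try { $null = [System.Net.Dns]::GetHostAddresses($HostName) }
    catch { return "FAIL: $HostName does not resolve" }

    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $client.Connect($HostName, $Port)
        # SslStream with the default validation callback performs the same chain and
        # name checks a browser does, so a failure here is the error you would see in IE.
        $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false)
        $ssl.AuthenticateAsClient($HostName)     # throws if the chain is untrusted or the name does not match
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
        return "OK: $HostName presented '$($cert.Subject)' issued by '$($cert.Issuer)'"
    }
    catch {
        # .NET exceptions arrive wrapped; report the inner one when there is one.
        $err = $_.Exception.InnerException
        if (-not $err) { $err = $_.Exception }
        return "FAIL: TLS handshake to $HostName rejected - $($err.Message)"
    }
    finally { $client.Close() }
}

Test-MrsProxyCertificate -HostName $MrsHost
```

Run the function with the exact name you will type into the migration wizard later; if it passes here and fails in the wizard, the difference is almost always the name.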
Pre-Staging the Cross Forest MailBox Migration
Actually moving the mailboxes is a ‘two-step’ procedure: first you pre-stage the move, which creates a Mail User* in the new domain.
*Note: A Mail User is a little bit like a Contact insofar as they both have external email addresses (i.e. ‘username@domaina.com’, while the mail user is in domainz.com), until the mailbox is migrated. The difference between a Mail User and a Contact is that a mail user has a logon name and a password. Once migrated, the Mail User is converted into a User Mailbox in the new domain, and the User Mailbox back in the old domain gets converted into a Mail User with an email address of username@domainz.com for the mail user in domaina.com. This (while being cool) allows mail flow between the domains during migration. (Assuming your DNS is all setup correctly, of course).
The following procedure is carried out on the new Exchange server, open an Exchange Shell Window and execute the following command;
[box]$Rcred = Get-Credential[/box]
Then supply an administrative account in the SOURCE, (remote) domain.
Repeat the procedure, but this time use Lcred;
[box]$Lcred = Get-Credential[/box]
Then supply an administrative account in the TARGET, (local) domain.
Exchange has a script to do the staging for you; it’s in the Exchange install directory, in the ‘scripts’ folder. Mine is on the C: drive, but the path to yours may be different, (depending on how you installed Exchange). But once located, you need to change to the directory that the Prepare-MoveRequest.ps1 script is in i.e.;
Note: This assumes you have created the OU to migrate into! And, (as you can see in the example below,) I’m using the public email address of my user, not the internal one, (it doesn’t matter).
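A worked call of the staging script using the $Rcred and $Lcred credentials captured above, as an added example (not the page’s own command line). The install path, domain controller names and target OU are assumptions; the user is addressed by the public address as the text describes.

```powershell
# Added example (not from the original post): pre-stage one mailbox with Exchange's own
# Prepare-MoveRequest.ps1, reusing $Rcred (source forest) and $Lcred (target forest).
# The path, DC names and OU below are assumptions; the OU must already exist.

Set-Location 'C:\Program Files\Microsoft\Exchange Server\V15\Scripts'   # assumed path; yours may differ

$Params = @{
    Identity                     = 'pete@domaina.com'                     # the user's public address, as in the text
    RemoteForestDomainController = 'dc.domaina.com'                       # SOURCE (remote) forest DC (assumed)
    RemoteForestCredential       = $Rcred
    LocalForestDomainController  = 'dc.domainz.com'                       # TARGET (local) forest DC (assumed)
    LocalForestCredential        = $Lcred
    TargetMailUserOU             = 'OU=Migrated Users,DC=domainz,DC=com'  # OU created beforehand (assumed)
    MailboxDeliveryDomain        = 'domaina.com'                          # keeps mail routing back to the source until the move completes
}
.\Prepare-MoveRequest.ps1 @Params

# The script creates the Mail User in domainz.com; confirm it exists before building the batch.
function Get-StagedMailUser {
    param([string]$Address)
    Get-MailUser -Identity $Address | Select-Object Name, RecipientType, ExternalEmailAddress
}
Get-StagedMailUser -Address 'pete@domaina.com'
```

Running the script once per user (or in a foreach over a CSV of addresses) is the pre-stage step; nothing moves until the move request is created in the next section.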
Execute Cross Forest Mailbox Migration
Now the mailboxes are ‘pre-staged’ we can select them for migration, in the new Exchange environment, Recipients > Migration > Add > Move to this forest.
Add.
Select the User(s) > Add > OK.
Next.
Enter the administrative credentials for the source domain > Next.
Enter the FQDN, of the legacy server, (use the SAME NAME that’s on the certificate) > Next.
Give the migration ‘Batch’ a name > Set the ‘target’ email domain > Select the target Exchange Database, (and Archive database if applicable) > Next.
Note: If you keep getting failed migrations that say ‘FailedOther’ then you can raise the bad item limit, and large item limits.
Select a user to get the mail notification > Select ‘Automatically Complete Migration Batch’ (or it will stop at 95% and you will have to complete this manually) > New.
You can now view progress in the ECP, (a bit buggy and slow to update,) or by running ‘Get-MoveRequest | Get-MoveRequestStatistics’.
If there’s a problem, both the ECP (Exchange Control Panel) and EMS (Exchange Management Shell) should give you a clue. You can remove and rerun a migration on a failed user and nothing will break! Sometimes you need to raise the bad item limit or make sure the source mailbox isn’t too large before proceeding for example. (Use the search box at the top of the page, I’ve posted a lot of Mailbox Move problems).
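The EMS equivalent of the ‘Move to this forest’ batch, with the bad/large item limits and the progress and failure checks mentioned above, as an added example (not the original post’s commands). The remote host name, target database, batch name and user are assumptions; $Rcred is the source-forest credential captured earlier.

```powershell
# Added example (not from the original post): create the cross-forest move from the shell,
# then watch it and pull the report for anything that fails. Names below are assumptions.

$RemoteHost = 'exchange2010.domaina.com'   # use the SAME NAME that's on the legacy server's certificate
$BatchName  = 'DomainA-Batch1'

New-MoveRequest -Identity 'pete@domaina.com' `
    -Remote -RemoteHostName $RemoteHost -RemoteCredential $Rcred `
    -TargetDeliveryDomain 'domainz.com' -TargetDatabase 'DB01' `
    -BadItemLimit 50 -LargeItemLimit 50 -AcceptLargeDataLoss `
    -BatchName $BatchName

# Progress: the two-cmdlet pipe from the text, trimmed to the columns that matter.
Get-MoveRequest -BatchName $BatchName | Get-MoveRequestStatistics |
    Format-Table DisplayName, Status, PercentComplete, BadItemsEncountered, LargeItemsEncountered -AutoSize

# For a 'FailedOther' user, read the last failure from the report before deciding whether
# raising the limits (or shrinking the source mailbox) is the right fix.
function Get-FailedMoveReport {
    param([string]$BatchName)
    Get-MoveRequest -BatchName $BatchName -MoveStatus Failed |
        Get-MoveRequestStatistics -IncludeReport |
        Select-Object DisplayName, FailureType,
            @{ n = 'LastFailure'; e = { ($_.Report.Failures | Select-Object -Last 1).Message } }
}
Get-FailedMoveReport -BatchName $BatchName

# Removing a failed request and creating it again with higher limits breaks nothing:
# Remove-MoveRequest -Identity 'pete@domaina.com' -Confirm:$false
```

Keep the limits as low as the failure report justifies: every bad or large item skipped is mail the user will not see on the new server.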
Seen when trying to install the ‘ADMT Password Export Server Service’, whilst doing a domain migration;
Invalid Password!
The supplied password does not match this encryption key’s password. ADMT’s Password Migration Filter DLL will not install without a valid encryption key.
Solution
At first I assumed I was suffering from ‘fat fingers’ and just entering the wrong password, (or the Caps Lock was on.) However, it became apparent that this was not the case. I attempted to generate a new file by re-running the command on the ADMT server;
Same error? The only way I could get this to work was to cancel the install, then launch an administrative command window, and finally run the install, the ‘en-US_pwdmig.msi’ file, from within that Administrative Window.
Saw this while attempting to connect to my ASA this week.
AnyConnect Secure Mobility Downloader
Failed to get configuration from secure gateway. Contact your system administrator
Solution
Well luckily I’d just made a change so I could focus on the right area straight away. I’d been messing around with the profile xml file associated with my AnyConnect GroupPolicy. If you take a look at my profile below you will see it’s not associated.
Note: If you select change group policy mine wouldn’t apply, it failed with an error trying to delete a profile I’d used in the past.
So to fix the problem I’m going to need to log on at the command line; let’s make sure my new profile is listed;
Note: You can ‘show flash’ and make sure the file is in flash memory as well.
I will list all my group-policies, and you can see the last one has a profile that’s associated with it that no longer exists (it’s not in flash memory either).
[box]
Petes-ASA# show run group-policy
group-policy DfltGrpPolicy attributes
vpn-simultaneous-logins 0
group-policy IPSEC-VPN internal
group-policy IPSEC-VPN attributes
dns-server value 192.168.100.10
vpn-simultaneous-logins 3
vpn-tunnel-protocol ikev1
password-storage enable
split-tunnel-policy tunnelspecified
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
nem enable
group-policy PNL-GP-ANYCONNECT-ACCESS internal
group-policy PNL-GP-ANYCONNECT-ACCESS attributes
wins-server none
dns-server value 8.8.8.8 8.8.4.4
vpn-simultaneous-logins 3
vpn-tunnel-protocol ssl-client
split-tunnel-policy tunnelall
split-tunnel-network-list value SPLIT-TUNNEL
default-domain value petenetlive.com
split-tunnel-all-dns enable
webvpn
anyconnect mtu 1398
anyconnect profiles value PNL-Profile type user
anyconnect ssl df-bit-ignore enable
[/box]
It’s easy to remove it.
[box]
Petes-ASA(config)# group-policy PNL-GP-ANYCONNECT-ACCESS attributes
Petes-ASA(config-group-policy)# webvpn
Petes-ASA(config-group-webvpn)# no anyconnect profiles
[/box]
Then simply add the correct one back in, and save the changes.
[box]
Petes-ASA(config-group-webvpn)# anyconnect profiles value AnyConnect-VPN-Profie type user
Petes-ASA(config-group-webvpn)# write mem
Building configuration...
Cryptochecksum: 67c49642 778e75bd df747b94 7d4c8787
23272 bytes copied in 3.260 secs (7757 bytes/sec)
[OK]
[/box]
Now if you ‘refresh’ your ASDM, you will see it displays correctly again;
Problem Solved.
I’ve seen this asked a lot in forums, and it came up on EE again today. I’ve never had to set this up in the past, but I’ve posted the links to the correct Cisco articles when people have asked.
After the question was asked again today, I thought I’d take the time to write a decent article on how to do it.
Why would you want to do this? You might want to map/reconnect a mapped drive, or perform anything that’s usually achievable with a login script.
Solution
1. First make sure you have your script, I’m using a simple batch file but you can also use .vbs. As you can see my script just maps a drive (s:) to a network share on the machine you are looking at.
Note: I’ve used an IP address rather than a DNS name, there’s nothing wrong with using a DNS name, providing your remote AnyConnect clients are able to resolve that hostname.
Note2: I’m also embedding the username and password in the drive mapping request. This is because my AnyConnect uses LOCAL usernames and passwords on the ASA, so the server wouldn’t be able to authenticate the request.
2. To ‘embed’ this script into the firewall, log into the ASDM > Configuration > Remote Access VPN > Network (Client) Access > AnyConnect Customization/Localization > Script > Import > Give it a name > Select ‘Script runs when client connects’ > Platform = win > Browse Local Files > Locate your batch file > OK > Import Now > OK.
3. The script won’t run unless scripts are allowed in the VPN Client Profile > Note: You may, or may not already have a client VPN Profile > Navigate to Configuration > Remote Access VPN > AnyConnect Client Profile > Add (Or skip to Edit if you already have one) > Give the profile a name > Select your AnyConnect Group Policy (If you don’t know, connect with an AnyConnect client, and see what is shown under ‘Group’) > OK.
4. Edit your policy.
5. Preferences (Part 2) > Tick ‘Enable Scripting’ > Tick ‘User Controllable’ (Note: this just lets a user untick enable scripting in their client software) > OK.
6. Save the changes > Apply > File > Save Running Configuration to Flash.
If you have a publicly facing website, and you DON’T want it indexed by the major search engines, then this is the post for you. Why would you want this? Well you might have a development server that you don’t want appearing in people’s search results, or you might be hosting files and folders you want publicly available, but again you don’t want those files and folders showing in people’s Google/Bing search results.
Solution
From ‘Administrative Tools’ open ‘Internet Information Services (IIS) Manager’ > Select the Server > HTTP Response Headers.
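The same response-header change made with the WebAdministration module, plus a check that the header is really sent, as an added example (not the original post’s steps). The post does not show the header in text; X-Robots-Tag with a noindex value is the standard header search engines honour, and the site URL is an assumption.

```powershell
# Added example (not from the original post): add a server-wide X-Robots-Tag response header
# in IIS from PowerShell, then confirm a client actually receives it. URL is an assumption.

Import-Module WebAdministration

$PSPath = 'MACHINE/WEBROOT/APPHOST'                         # server node = applies to every site
$Filter = 'system.webServer/httpProtocol/customHeaders'

# Add the header only if it is not already there (Add-WebConfigurationProperty errors on duplicates).
$Existing = Get-WebConfiguration -PSPath $PSPath -Filter "$Filter/add[@name='X-Robots-Tag']"
if (-not $Existing) {
    Add-WebConfigurationProperty -PSPath $PSPath -Filter $Filter -Name '.' `
        -Value @{ name = 'X-Robots-Tag'; value = 'noindex, nofollow, noarchive' }
}

# Verify from the client side: a crawler reads the response header, not your IIS config.
function Test-NoIndexHeader {
    param([string]$Url)
    $r = Invoke-WebRequest -Uri $Url -Method Head -UseBasicParsing
    return ($r.Headers['X-Robots-Tag'] -match 'noindex')
}
Test-NoIndexHeader -Url 'https://dev.example.com/'   # assumed URL
```

The header applies to every response, including files and folders served from the site, which is the case the text mentions where a robots.txt alone would not stop already-linked files being indexed.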
Seen when attempting to open the Exchange Management Console;
Exception calling “GetSteppablePipeline: with “1” argument(s): File C:\ProgramFiles\Exchange Server\v14\RemoteScripts\ConsoleInitialize.ps1 cannot be loaded because the execution of scripts is disabled on this system. Please see “get-help about_signing” for more details.”
Solution
This is usually caused by an update rollup, and can be easily fixed by running the following command at an administrative PowerShell session.
Note: Below I’m using Exchange 2016, but the same approach will work for previous versions.
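Checking which scope is blocking scripts before changing the policy, as an added example (not the original post’s command). The post does not quote the exact command; RemoteSigned is the policy the Exchange management tools expect, stated here as the standard fix rather than a quote of the page.

```powershell
# Added example (not from the original post): find the scope that is disabling scripts, set the
# machine policy back to RemoteSigned, and confirm the effective policy. Run elevated.

# If MachinePolicy or UserPolicy is set here it comes from Group Policy and overrides
# anything you set locally; the console will keep failing until that GPO is changed.
Get-ExecutionPolicy -List

# RemoteSigned allows local scripts (ConsoleInitialize.ps1 is local) while still
# requiring a signature on scripts downloaded from the internet.
Set-ExecutionPolicy -ExecutionPolicy RemoteSigned -Scope LocalMachine -Force

# The effective policy is what the console actually uses; it should now read RemoteSigned.
Get-ExecutionPolicy
```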
There are a load of reasons why you might want to do this, but before you go off in this direction consider why you are doing this in the first place. For example, if the user requesting this does not need an Exchange mailbox, i.e. because they only use their Gmail account then it’s probably a better idea to make them a mail-user. (That’s an AD user account, that has an external mailbox, and does not have an Exchange mailbox). For staff e.g. external contractors, part time staff, holiday cover staff, Mail-users might be a better fit.
If you are still reading, you have a user with an Exchange mailbox, and you want to forward their email to an Email address outside your organisation. There are many ways of enabling forwarding, but fundamentally there are only two things to consider;
Do you still want mail to get delivered to their Exchange mailbox while forwarding?
What is the external Email address you want to forward to?
Armed with this information you can decide what approach you want to take to achieve this.
Solution
Option 1: Get The User to Set Up Mail Forwarding in OWA
The best option for the lazy admin! “Oh, are you aware you can set this up yourself?” Even give them this URL as a walkthrough if you like 🙂
From within Outlook Web App open your ‘Options’
Mail > Inbox and Sweep Rules > Inbox Rules > Add
Note: On older versions of OWA look in Organize email > inbox rules > Add.
Give the rule a name > Set to [Apply to all messages] > Forward Redirect or Send > Forward Message To.
Note: Setting Redirect instead of Forward will NOT keep a copy in your local Exchange Mailbox.
Enter the external email address to forward to > Save.
OK.
Option 2: Enable Mail Forwarding In Exchange Admin Center
To forward mail externally for an ‘Exchange Mailbox User’, you need to create a ‘Contact’. A contact is an active directory object (not a user) that has an email address (in our case the external one). Log into Exchange Admin Center > Recipients > Contacts > Add > Mail Contact.
Create a contact and give it a sensible name (so when it appears in the Global Address List it’s obvious what it is*)
*Note: You can hide them from the GAL if you like, with the following PowerShell;
On the Mailbox Tab, locate the user you want to setup forwarding for, and edit them.
Mailbox Features > Scroll Down to ‘Mail Flow’ > View Details > Tick ‘Enable Forwarding’ > Browse to the CONTACT you created earlier > OK.
Note: You may also want to select “Deliver message to both forwarding address and mailbox”.
Option 3: Setup Mailbox Forwarding With PowerShell
There’s a lot of rubbish written about this online; sites give you a line of PowerShell to paste in and it does not work, because there are other things you need to do to make this work.
Example 1: Couldn’t find object “pete@externaldomain.com“. Please make sure that it was spelled correctly or specify a different..
If you setup mail forwarding using the ExternalEmailAddress you need to CREATE A CONTACT FIRST! Or you see the error above.
To Setup External Forwarding and Keep a Local Copy of the Email
Note: It’s the ‘$false’ that does not maintain the local copy.
What about ExternalSMTPAddress?
OK, there’s another parameter you can set, called ExternalSMTPAddress; when you set this you DON’T NEED A CONTACT. This sounds great, and again there’s a load of blog posts that give you the PowerShell to set this for a user AND IT DOES NOT WORK!
Note: If you setup mail forwarding using this method the forwarding address is NOT VIEWABLE IN THE GUI, if you have enabled keep a local copy, that IS viewable.
Example 2 : My ExternalSMTPAddress Forwarder is not working?
This is because, as other sites don’t tell you, unless you have set the target domain (for the remote email address) as AutoForwardEnabled, it has a habit of not working!
See Below to setup Mail forwarding with ExternalSMTPAddress properly.
To Setup External Forwarding and Keep a Local Copy of the Email
Note: It’s the ‘$false’ that does not maintain the local copy.
Removing Mail Forwarding For a User
I won’t insult your intelligence and tell you how to do this in the GUI; just reverse engineer the above. But if you used ForwardingSMTPAddress you won’t see it in the GUI! To remove ALL forwarding for a user, use the following command;
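The contact-based forwarding, the ForwardingSmtpAddress forwarding with its remote-domain prerequisite, the check that shows what the GUI hides, and the removal, all as one added example (not the original post’s command lines). ‘ExternalSMTPAddress’ in the text is the Set-Mailbox parameter ForwardingSmtpAddress. The mailbox, contact name and external address are assumptions.

```powershell
# Added example (not from the original post): the forwarding options from the text as
# Set-Mailbox / Set-RemoteDomain calls. $User and $External are assumed values.

$User     = 'pete'                        # mailbox to forward (assumed)
$External = 'pete@externaldomain.com'     # external address (assumed, matches the page's error example)

# Option 2 from the shell: CREATE A CONTACT FIRST, or ForwardingAddress fails with
# "Couldn't find object". Hiding it from the GAL is optional.
function Set-ContactForwarding {
    param([string]$Identity, [string]$ExternalAddress, [bool]$KeepLocalCopy = $true)
    $contact = New-MailContact -Name "$Identity (External)" -ExternalEmailAddress $ExternalAddress
    Set-MailContact -Identity $contact.Identity -HiddenFromAddressListsEnabled $true
    # $false here is what stops delivery to the local mailbox.
    Set-Mailbox -Identity $Identity -ForwardingAddress $contact.Identity -DeliverToMailboxAndForward $KeepLocalCopy
}

# Option 3: no contact needed, but the target domain must be a remote domain with
# AutoForwardEnabled, otherwise the forward is silently dropped.
function Set-SmtpForwarding {
    param([string]$Identity, [string]$ExternalAddress, [bool]$KeepLocalCopy = $true)
    $domain = $ExternalAddress.Split('@')[1]
    $rd = Get-RemoteDomain -Identity "Forward-$domain" -ErrorAction SilentlyContinue
    if (-not $rd) { $rd = New-RemoteDomain -Name "Forward-$domain" -DomainName $domain }
    Set-RemoteDomain -Identity $rd.Identity -AutoForwardEnabled $true
    Set-Mailbox -Identity $Identity -ForwardingSmtpAddress $ExternalAddress -DeliverToMailboxAndForward $KeepLocalCopy
}

# ForwardingSmtpAddress is NOT visible in the GUI; this is the only place you will see it.
function Get-ForwardingState {
    param([string]$Identity)
    Get-Mailbox -Identity $Identity |
        Select-Object Name, ForwardingAddress, ForwardingSmtpAddress, DeliverToMailboxAndForward
}

# Remove ALL forwarding for a user, whichever method set it.
function Remove-AllForwarding {
    param([string]$Identity)
    Set-Mailbox -Identity $Identity -ForwardingAddress $null -ForwardingSmtpAddress $null -DeliverToMailboxAndForward $false
}

# Pick ONE of the two methods; ForwardingAddress wins if both are set on the same mailbox.
Set-SmtpForwarding -Identity $User -ExternalAddress $External -KeepLocalCopy $true
Get-ForwardingState -Identity $User
```

Get-ForwardingState is also the check to run across all mailboxes (pipe Get-Mailbox into it) when you want to find forwards that nobody set up through the GUI.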