Last week I had a client report that ‘some’ of his users were getting this popup repeatedly, every time they launched Outlook.
The Microsoft Exchange administrator has made a change that requires you quit and restart Outlook
This popup is usually seen during migrations, when mailboxes are being (or have just been) migrated, but you should only ever see it once.
Solution
I had recently retired the client’s old Exchange Server (Exchange 2007), so I assumed something must still have been pointed at the old server. The client also reported that recreating the Outlook profile cured the problem, which added weight to my theory.
I guessed (correctly, as it happens) that the problem was the Public Folders on the old server. The client wasn’t using them, but I thought the migrated users might still be trying to connect to them, so I tried to cure the problem by forcing the clients NOT to look for Public Folders with the following registry key;
[box]HKEY_CURRENT_USER > Software > Microsoft > Exchange > Setup[/box]
Create 32 Bit DWORD: HasPublicFolders
Value: 0 (Zero)
Unfortunately that didn’t fix the problem (in my case; some people have reported it did solve theirs). I know from experience that public folder settings used to be defined on the mailbox database, so I checked all the mailbox database attributes, and found the problem.
To view your Mailbox Database attributes you need to look pretty deep into Active Directory, which means using ADSIEdit. When launched, connect to the ‘Configuration’ context.
Configuration > CN=Services > CN=Microsoft Exchange > CN=your organisation name > CN=Administrative Groups > CN=Exchange Administrative Group (FYDIBOHF23SPDLT) > CN=Databases > CN=your database name > Properties > Locate msExchHomePublicMDB, and remove any value set. (This attribute is a link to the public folder database; if it still points at a database on a server that no longer exists, that is your problem.)
At this point I rebooted the Exchange Server, and the affected clients, and the problem was resolved.
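The same check and fix, scripted, as an added example (this is not from the original post). It assumes the ActiveDirectory PowerShell module is available and that you run it with rights to modify the Exchange configuration container; it clears msExchHomePublicMDB only where the public folder database it points at no longer exists.

```powershell
# Added example (not part of the original post): find mailbox databases whose
# msExchHomePublicMDB still points at a public folder database, and clear the
# attribute when that database no longer exists (a retired Exchange 2007 server).
Import-Module ActiveDirectory

$configNC = (Get-ADRootDSE).configurationNamingContext

# Mailbox databases are msExchPrivateMDB objects under CN=Microsoft Exchange,CN=Services
$dbs = Get-ADObject -SearchBase $configNC -LDAPFilter '(objectClass=msExchPrivateMDB)' `
           -Properties msExchHomePublicMDB

foreach ($db in $dbs) {
    $target = $db.msExchHomePublicMDB
    if (-not $target) {
        Write-Host "$($db.Name): no public folder database linked"
        continue
    }

    # Does the DN it points at still exist? After a decommission it usually does not
    # (a deleted object shows up as a DN containing '0ADEL:').
    $exists = $false
    try {
        $null = Get-ADObject -Identity $target -ErrorAction Stop
        $exists = $true
    } catch { }

    Write-Host "$($db.Name): msExchHomePublicMDB = $target (exists: $exists)"

    if (-not $exists) {
        # Equivalent to clearing the value in ADSIEdit; add -WhatIf for a dry run
        Set-ADObject -Identity $db.DistinguishedName -Clear msExchHomePublicMDB
        Write-Host "$($db.Name): cleared stale msExchHomePublicMDB"
    }
}
```

Run it once read-only (add `-WhatIf` to the `Set-ADObject` line) to see what it would change; on Exchange 2010 the same link is also visible as the PublicFolderDatabase property of `Get-MailboxDatabase`. As in the text, restart the Exchange server and the affected Outlook clients afterwards.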
Related Articles, References, Credits, or External Links
There are times when a problem with your Outlook profile can manifest itself in many ‘annoying’ ways. Sometimes the simplest thing to do is to put your Outlook profile to one side, and create a fresh new one.
Solution
Ensure Outlook is closed, open Control Panel > Set the view to ‘Small icons’ > Mail > Show Profiles.
Add > Give the new profile a sensible name > OK.
Configure your mail account, (if using Exchange, it should auto-configure for you) > Finish
Change the settings to ‘Prompt for a profile to be used’ > Apply > OK.
Open Outlook and select the new profile.
Make sure everything loads up and syncs correctly > Close Outlook again.
Once you’re happy, go back to the ‘Mail’ Settings, and change it to always use the new profile. You can delete the old profile if you wish > Apply > OK.
Related Articles, References, Credits, or External Links
EZVPN is a technology that lets you form an ISAKMP/IPSEC VPN tunnel from a site with a dynamically assigned IP (EZVPN Client,) back to a device with a static IP (EZVPN Server).
I’ve called this EZVPN revisited, because this is a technology I’ve talked about before. So why am I here again? Well back then I used the ASDM. If you do that now, you need to go in and mess about with things to get it to work properly. Last week a client was asking me about buying a 5505 for his home, and putting a VPN into his place of work. Obviously he did not have a static IP at home, which was why I suggested EZVPN.
So it’s time to ‘Man Up’ and get to grips with the CLI. In the example below my corporate LAN is behind a Cisco ASA 5515-X, and my ‘Home Office’ is behind a Cisco ASA 5506-X, (you can use a 5508-X as well, or an old 5505).
Solution
So How does EZVPN Work? Well there’s no separate/special technology, it’s a good old fashioned Client IPSEC VPN. The one we used to use the OLD IPSEC VPN client for, (yes the one that went end of life – in 2011!)
But instead of using a piece of software to supply the username/password and the group/pre-shared-key, you configure a hardware device to supply those details. This enables the hardware device to bring up a software client VPN session. There are two methods of doing this, Client Mode and Network Extension Mode (NEM).
Client Mode: Works exactly like the VPN client software, and leases an IP address from a pool of IP addresses supplied by the ASA, (or a DHCP server).
Network Extension Mode: This works like a ‘proper’ site to site VPN, insofar as, all the IP addresses on the client/remote site can be addressed from the main site.
I’m going to use Network Extension Mode for this example. I’m also going to enable ‘Split tunnelling’, so that only traffic destined for the corporate LAN goes over the tunnel and everything else goes straight out to the internet.
Remote EZVPN Client WARNING
The client that ‘dials in’ cannot be running any other VPN solution. In fact it can’t even have IKE policies defined, (even if they are not in use).
My interfaces are called inside and outside, yours might be different!
Crypto Map Warning: If you already have a crypto map applied to the outside interface, use the name of the existing one (i.e. NOT CRYPTO-MAP), or your existing VPNs will stop working! Issue a ‘show run crypto map‘ command to check.
I have not enabled PFS. (If I had it would have been in the crypto map).
To add another site in Client Mode you would simply add another username and password, on the EZVPN server. With Network Extension Mode then you would add an object and NAT exemption on the main site, then setup a new username and password for that site like so;
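The server and client configuration the text describes, written out as an added example (this is not the configuration from the original post). Everything in it is an assumption for illustration: corporate LAN 192.168.1.0/24 behind the 5515-X whose outside address is 203.0.113.1, home office LAN 192.168.2.0/24 behind the 5506-X, a second NEM site on 192.168.3.0/24, the names EZVPN-TG, EZVPN-GP, EZVPN-TS, DYN-MAP and CRYPTO-MAP, and the placeholder keys and passwords. If a crypto map is already applied to outside, reuse its name as warned above.

```cisco
! ===== EZVPN SERVER (corporate ASA 5515-X, outside = 203.0.113.1) =====
! Added example: assumed addresses, names and keys; not the original post's config.
crypto ikev1 enable outside
crypto ikev1 policy 10
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 86400
! Do NOT 'crypto ikev1 am-disable' here: the group pre-shared-key exchange uses aggressive mode
!
object network CORP-LAN
 subnet 192.168.1.0 255.255.255.0
object network HOME-LAN
 subnet 192.168.2.0 255.255.255.0
! NEM: the remote LAN is reached through the tunnel, so exempt it from NAT
nat (inside,outside) source static CORP-LAN CORP-LAN destination static HOME-LAN HOME-LAN no-proxy-arp route-lookup
!
! Split tunnel: only traffic for the corporate LAN is sent down the tunnel
access-list SPLIT-TUNNEL standard permit 192.168.1.0 255.255.255.0
!
group-policy EZVPN-GP internal
group-policy EZVPN-GP attributes
 vpn-tunnel-protocol ikev1
 split-tunnel-policy tunnelspecified
 split-tunnel-network-list value SPLIT-TUNNEL
 nem enable
!
tunnel-group EZVPN-TG type remote-access
tunnel-group EZVPN-TG general-attributes
 default-group-policy EZVPN-GP
tunnel-group EZVPN-TG ipsec-attributes
 ikev1 pre-shared-key Gr0up-K3y-Ch4nge-Me
!
! One username per EZVPN client site
username home-office password H0me-P4ss-Ch4nge-Me
username home-office attributes
 vpn-group-policy EZVPN-GP
!
crypto ipsec ikev1 transform-set EZVPN-TS esp-aes-256 esp-sha-hmac
crypto dynamic-map DYN-MAP 10 set ikev1 transform-set EZVPN-TS
! No 'set pfs' on the dynamic map, matching the text above (add it if you want PFS)
crypto map CRYPTO-MAP 65535 ipsec-isakmp dynamic DYN-MAP
crypto map CRYPTO-MAP interface outside
!
! ===== ADDING A SECOND NEM SITE (192.168.3.0/24) on the server =====
object network SITE2-LAN
 subnet 192.168.3.0 255.255.255.0
nat (inside,outside) source static CORP-LAN CORP-LAN destination static SITE2-LAN SITE2-LAN no-proxy-arp route-lookup
username site2 password S1te2-P4ss-Ch4nge-Me
username site2 attributes
 vpn-group-policy EZVPN-GP
!
! ===== EZVPN CLIENT (home office ASA 5506-X, inside = 192.168.2.0/24) =====
! Nothing else crypto/IKE related may exist on this box (see the warning above)
vpnclient server 203.0.113.1
vpnclient mode network-extension-mode
vpnclient vpngroup EZVPN-TG password Gr0up-K3y-Ch4nge-Me
vpnclient username home-office password H0me-P4ss-Ch4nge-Me
vpnclient nem-st-autoconnect
vpnclient enable
!
! Checks (server): show crypto ikev1 sa ; show vpn-sessiondb ra-ikev1-ipsec
! Checks (client): show vpnclient detail ; show crypto ipsec sa
```

Two caveats a practitioner would want. The IKEv1 aggressive-mode exchange that EZVPN relies on lets anyone who captures it run an offline brute-force against the group pre-shared key, so make that key long and random; the per-site username and password is the only other thing standing between an attacker and your LAN. And because this is NEM, every host on the remote LAN is reachable from the corporate side, so treat the home office as an extension of the inside network (or restrict it with a VPN filter) rather than a trusted client.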
Every time this happens to me I have a rant about it, and everyone looks perplexed; surely this does not only happen to me? Using ESXi 6.5 I build a new Windows VM, and there’s no mouse: the web client has nothing, and if I try the VMRC I get a mouse pointer, but it’s as responsive as trying to play chess with a firehose!
Once you install VMware tools it’s fine, but here’s the problem: try installing VMware tools with no mouse! Now before you all start typing ‘We didn’t always used to have mice, learn to use a keyboard doofus’ comments, let’s be clear, I’m a keyboard ninjutsu legend, I can navigate with Tab and Spacebar!
And when I can get a command window open, I can launch the VMware tools install from the CLI. Yay! Then when the installer re-opens the install window and it’s not the active window, Alt+Tab won’t work, and I swear louder.
Solution
Don’t forget to present the VMware Tools disk to the virtual machine before you start!
OK this is more of a work around than a solution. First challenge is to get logged in. That’s simple; just keep pressing ‘Tab’ and the first letter of your password until you start seeing the password appear.
Now you are in, get a command window open, by either pressing ‘Tab’ until you see the ‘start button’ highlighted, then press {Enter}, you can then type cmd {Enter}. OR, if you have a Windows keyboard press the ‘right click/menu’ key and create a shortcut for ‘cmd’.
At the command prompt, change to the drive letter of the mounted VMware Tools disk (e.g. D:) and execute the following command;
[box]setup64.exe /s /v"/qn reboot=n"[/box]
It will look like nothing is happening; go and have a cup of coffee, in fact have two. When you return, reboot the VM. If you’re still at the command line use ‘shutdown /r /f /t 0’ (there is no ‘reboot’ command on Windows). When the VM reboots, VMware tools will be installed, and all will be well with the world.
Related Articles, References, Credits, or External Links
I had been messing around with port groups and VLANs, and afterwards, when attempting to present a server with some vNICs, I got this error.
Solution Virtual Center Appliance
I had to completely restart the Virtual Center Appliance before this error would clear!
Solution (Windows vCenter)
No matter what I did this error refused to budge, when this happens it’s usually because vCenter has got its knickers in a twist. On the vCenter server simply restart the VMware Virtual Center Server service and try again.
Related Articles, References, Credits, or External Links
Note: As the title suggests, this is quite an old post! you might prefer THIS ONE.
Disclaimer: This information is designed to help people who are locked out of their own PC’s and not for Hacker Wannabe’s with the IQ of a haddock. Information is not inherently dangerous, just some people are. If you want to break things and be a general pain in the ass, sod off to Google and leave the grown ups alone. Pete Long 16/05/04
Generally, if people are reading this they have lost or forgotten their administrator password. The more technically astute of you will baulk at this, as you know the importance of this password; the simple fact is most people don’t, and by the time they need it it’s on a long-lost post-it note. Similarly, if you buy a second-hand PC (from eBay for example) the seller will not always furnish you with the admin password. This can be resolved by wiping the hard drive and simply re-installing Windows from scratch, but the chances are there will be information you need to save off the PC, and you are stuck in a catch-22 situation.
OK so how do you get into the system? Well in truth there are a myriad of ways into a PC providing you are at the keyboard.
Solution
STEP 1
To be honest the simplest solution is the one most overlooked, is the password set to blank? try just pressing enter and not putting in a password. Most people use one password for everything (though this is not very secure 🙂 use the password you would normally use and remember Windows Passwords are CaSe SEnsitiVe, so try capitalising the first letter for example.
STEP 2
Well, if Step 1 didn’t help you now have a choice. If you’re on a network with a DOMAIN you can gain access by using a domain administrator’s account, or if you can get in with YOUR username, click Start > Run > lusrmgr.msc {Enter}, right-click the Administrator account and see if YOU have rights to change the password. OR you can simply wipe and rebuild the system; if that’s not an option and you simply HAVE TO get into the system then proceed to STEP 3.
STEP 3
OK, more choices. The simplest solution is to change the admin password using some third-party software; this will let you in with administrative access and is pretty simple to do. There are a ton of applications to do this; I’ll demonstrate the one I usually use, and provide links to other tools at the end. There’s also another option, which is to change the way Windows starts to simply bypass the login completely; this is a little more complex to do but I’ll run through that as well. For some of you that may not be a solution; there may be a reason that you simply need the EXISTING password. This is considerably more complex and can only be done one way: copying the stored password hashes off the machine and using software to crack them. (Windows does not store the password itself, so there is nothing to ‘decrypt’; the software has to guess candidates and compare hashes.) This will cost you money.
Changing the Existing Password
Lets be honest, this is what 99.9% of you will want to do, you will also need to do this on another PC that has internet access to download the files and create the boot floppy disk you require, as I’ve already said there are a lot of tools available to you the one I use is free and can be downloaded from eunet.no
NOTE: If you have encrypted files (EFS) with the administrator account then these files will be unavailable to you after carrying this out, because the keys protecting them are derived from the old password. (If you’re now wondering whether you have, the fact you’re wondering usually indicates you don’t 🙂)
From the zip file select all the files and “EXTRACT” them to your hard drive.
Now you have extracted the files you need to use them to create the boot floppy you require. Put a blank floppy disk in the floppy drive (warning all files on this disk will be wiped ensure there’s nothing important on it.)
Now either open windows explorer or double click “My Computer” and navigate to your C: drive, you are looking for a file called “install.bat” (NB on your system it may just look like “install” depending on how your machine is set up) when you locate the file double click it to run it.
The setup program will run, and ask you which drive you want to create the boot image on, press a then press {Enter}, It will ask you to put a clean floppy in the drive and press {enter}
The setup program will chug along and create the floppy for you. You will know its finished when its displayed the following, just press any key to exit.
Well that’s your tool created, its time to take it to the offending machine. For it to work the offending machine will need its boot order setting so that it boots from floppy BEFORE the hard drive, for the majority of you it will be set up this way, if it wont launch the floppy disk when you boot the PC chances are this is the problem. To rectify it you need to enter the PC’s BIOS settings and change the boot order, and put the floppy (or A: drive) first in the boot order. This procedure is slightly different depending on your PC manufacturer and the BIOS itself. When your PC first boots it usually tells you how to enter the BIOS, typically by saying “Press <key> to enter setup” where <key> is usually F1, F2, F10, Esc, Delete or another key or combination of key strokes. When you get into the BIOS navigate through the screens until you see the boot order and move floppy (or A: drive) to the top on the list.
When the PC boots a lot of info will flash up on the screen; it’s just loading a bit of Linux, don’t panic. When it settles down it asks you where Windows is (it’s talking in UNIX speak, don’t worry). You probably only have one operating system; if you’re clever enough to multiboot (have multiple operating systems on one PC) then I’ll assume you’re clever enough to locate the partition you are looking for. For the rest of you, just press {Enter}.
It now asks “Where is the registry” but it displays the default location so just press {Enter}
Now you want to use a thing called the SAM, don’t panic just press {Enter}
The administrator is just a user so you need to accept the default choice of “Edit user data and passwords” by pressing {Enter}
The software selects the administrator by default, if it’s another user your after you can type its username (They are all listed above to help you) but we want the administrator so just hit {Enter}
You can now either type in a new password, or simply type an asterisk (this sets a blank password), you will be asked to confirm, do so by pressing Y then {Enter} all being well you will get a “Changed!” pop up on the screen and it will ask if there is another user you want to change the password for, Press ! {Enter} to return to the main menu, then press q {Enter} you now need to COMMIT the changes, press Y then {Enter} after doing some work it will say ***** EDIT COMPLETE ****** then press n {Enter} Now remove the floppy and press Ctrl+Alt+Delete to reboot.
When windows reboots it will run its built in disk checking program “Chkdsk” DONT interrupt it, just let it do its own thing, after a while windows will boot normally and you can login with the new password. (NB: Windows XP users, if you don’t see the Administrator account listed on the welcome screen press Ctrl+Alt+Delete TWICE to get a standard login screen.)
I DONT HAVE A FLOPPY DRIVE!!!!
No problem, there are CD Based boot utilities that will do the same job 🙂
EBCD – Emergency Boot CD: “change password of any user, including administrator of Windows NT/2000/XP OS. You do not need to know the old password.”
Change the way Windows Starts
Note:This will not work on Windows Server 2003
If you turn your PC on it will eventually get to the logon screen; if you do nothing, a screen saver will launch. This screensaver is called LOGON.SCR. All very well and good you say, but what use is that? Well, if you replace LOGON.SCR with the Windows command line program (cmd.exe) it will launch a command line window instead, and not just any command line window: you are then typing commands with SYSTEM rights (this is higher than Administrator), because the logon screen saver runs in the context of the system, not of any user.
So how is that done? Well it depends on your setup, if you have formatted the machine as FAT32 you are in luck simply download a boot disk from boot disk.com, and change.
Then reboot when the system reboots go and have a coffee, when you see the command window type
net user administrator password {Enter}
The password will now be set to password, reboot and change logon.bak to logon.scr and cmd.bak to cmd.exe
However, most people will have their machines formatted as NTFS which, being more secure, cannot be changed from a DOS boot disk, unless it’s a boot disk with NTFSPro on it (WARNING THIS IS NOT FREE). Or simply remove the hard drive and place it in another (working) PC, then use Windows Explorer to back up the logon.scr and cmd.exe files (change their extensions to .bak), and rename a copy of cmd.exe to logon.scr. Put the drive back in your PC and away you go.
WARNING THE FOLLOWING COSTS MONEY 🙁
If you have got this far down the page, and you’re not in yet, then we are going to have to break the habit of a lifetime (and the spirit of this site) and spend some cash. Basically the most drastic (and time consuming) method involves copying the entire list of password hashes off the inaccessible machine and cracking them.
Windows does not hold the passwords themselves, only hashes of them, and you need two files to get at those: the SAM (Security Account Manager) hive, which holds the hashes, and the SYSTEM hive, which holds the syskey (boot key) that the hashes are encrypted with. The cracking software uses the SYSTEM file to strip that encryption, then tries candidate passwords against the hashes; the hashes cannot be turned back into the password directly.
The files you need live in the following locations….
Windows XP: C:\WINDOWS\system32\config\SAM & C:\WINDOWS\system32\config\SYSTEM
Windows 2000: C:\WINNT\system32\config\SAM & C:\WINNT\system32\config\SYSTEM
NOTE: The SYSTEM file is too big to fit on a floppy; if you are using floppies you will need a DOS compression utility like RAR to compress it.
OK, I’ve detailed above how to get at files on a system you don’t have access to. I’d recommend putting the drive in another PC and just copying them out. If you want a FREE alternative, download Knoppix (this is Linux that runs from a CD; boot with it and copy the files straight off the affected system).
Now you have the two files you need to crack the passwords; this takes specialist software. The most famous is L0phtCrack from @stake, but at the time of writing it’s nearly $600; another choice is Proactive Windows Explorer from Elcomsoft, which is half the price.
Related Articles, References, Credits, or External Links
I don’t know why this happens sometimes with GNS3, and EVE-NG but occasionally I will get a connection between two devices that constantly complains.
%CDP-4-DUPLEX_MISMATCH: duplex mismatch discovered on {interface-name} (not half duplex), with {host-name} {interface-name} (half duplex).
For the uninitiated, a speed/duplex mismatch usually happens when the two ends of a link are configured differently, most commonly when one end is hard-set to full duplex and the other is left on ‘auto’: a port on auto that gets no negotiation from its partner falls back to half duplex. On the emulated routers both ends are simply left on auto, like so;
[box]
!
interface FastEthernet0/1
 ip address 192.168.1.1 255.255.255.0
 duplex auto
 speed auto
!
[/box]
Solution
WARNING: DO NOT carry out this procedure on live networking equipment, this is only for use in the GNS3 environment.
If this happens to you, you will sensibly try and set the speed/duplex of both ends of the link correctly, on real networking equipment that would solve the problem like so;
[box]
PetesRouter(config)#interface FastEthernet0/1
PetesRouter(config-if)#duplex full
*Aug 6 13:40:39.815: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Aug 6 13:40:41.823: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Aug 6 13:40:42.823: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
PetesRouter(config-if)#speed 100
*Aug 6 13:40:47.855: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to down
*Aug 6 13:40:49.859: %LINK-3-UPDOWN: Interface FastEthernet0/1, changed state to up
*Aug 6 13:40:50.859: %LINEPROTO-5-UPDOWN: Line protocol on Interface FastEthernet0/1, changed state to up
PetesRouter(config-if)#
[/box]
But in some cases on GNS3 it does not (not sure if it’s a bug?).
If that’s happening to you, the only way to stop it is to suppress the message: add the ‘no cdp log mismatch duplex’ command to the interface giving you the error. Bear in mind this only stops CDP from logging the mismatch; on real hardware it would hide a genuine problem, which is why the warning above says not to do it there.
[box]
PetesRouter(config)#interface FastEthernet 0/1
PetesRouter(config-if)#no cdp log mismatch duplex
PetesRouter(config-if)#exit
PetesRouter(config)#exit
*Aug 6 13:45:55.235: %SYS-5-CONFIG_I: Configured from console by console
PetesRouter#write mem
Building configuration...
[OK]
PetesRouter#
[/box]
Related Articles, References, Credits, or External Links
When attempting to bring up a ‘3rd VLAN’ on an ASA 5505 firewall you see an error like this;
[box]
Petes-ASA# configure terminal
Petes-ASA(config)# int vlan 3
Petes-ASA(config-if)# nameif DMZ
ERROR: This license does not allow configuring more than 2 interfaces with
nameif and without a "no forward" command on this interface or on 1 interface(s)
with nameif already configured.
Petes-ASA(config-if)#
[/box]
Or if you work in the ASDM;
Or on much older versions;
Solution
This is because you have a ‘licence limitation’. The Base licence on an ASA 5505 firewall lets you have three VLANs, BUT the third VLAN is restricted: it is not allowed to initiate traffic to one of the other two VLANs (you choose which, normally the inside), which is where the name ‘DMZ Restricted’ comes from. It was designed for exactly that, (to let you host a DMZ that can reach the internet and be reached from the inside, but cannot start connections into your inside network). You can see the limit by simply issuing a ‘show version‘ command;
[box]
Petes-ASA(config)# show version
——Output removed for the sake of brevity——
Licensed features for this platform:
Maximum Physical Interfaces : 8
VLANs : 3, DMZ Restricted
Inside Hosts : 50
Failover : Disabled
VPN-DES : Enabled
VPN-3DES-AES : Enabled
VPN Peers : 10
WebVPN Peers : 2
Dual ISPs : Disabled
VLAN Trunk Ports : 0
AnyConnect for Mobile : Disabled
AnyConnect for Linksys phone : Disabled
Advanced Endpoint Assessment : Disabled
UC Proxy Sessions : 2
This platform has a Base license.
——Output removed for the sake of brevity——
[/box]
Or in the ASDM > Home > Licence.
So if you need more VLANS, and you don’t simply want a DMZ, then you are going to need to upgrade the licence. But if you do need a DMZ read on….
At the command line you simply need to tell the new VLAN which interface it is NOT allowed to forward traffic to, (i.e. the inside VLAN, which is usually vlan 1). This has to be done BEFORE you give the interface a nameif, or you just get the error above again;
[box]
Petes-ASA(config)# interface vlan 3
Petes-ASA(config-if)# no forward interface vlan 1
Petes-ASA(config-if)# nameif DMZ
INFO: Security level for "DMZ" set to 0 by default.
Petes-ASA(config-if)# no shutdown
Petes-ASA(config-if)# ip address 192.168.100.254 255.255.255.0
Petes-ASA(config-if)# interface ethernet 0/3
Petes-ASA(config-if)# switchport access vlan 3
Petes-ASA(config-if)# no shut
[/box]
Note: Above I’m allocating VLAN 3 to the physical interface labelled 3 on the firewall.
In the ASDM, you need to do this on the ‘Advanced‘ tab when creating the interface, like so;
Note: If you ever try and remove the block, (without purchasing a licence.) You will see this error;
Related Articles, References, Credits, or External Links
I can’t believe I’m writing this, it’s been so long since 8.3 was released (7 Years!) And still there’s firewalls out there running old code?
Why is the 8.3 upgrade important? This update made some very major changes to the way we did NAT, and also the way we wrote ACLs. It was a big change. I remember keeping my client firewalls on 8.2 for a while until I fully understood the changes. And even then, if there was anything ‘complicated’ I’d build them with 8.2 and then upgrade them!
So why am I writing this now? Well I’ve done a LOT of these, and every time I’ve got another one to do I check my notes. I was upgrading a clients 5510 today, so I thought I’d polish my notes and publish them for anyone else that has a ‘teal coloured dinosaur’ that needs an upgrade.
Solution
Make sure your firewall has enough RAM! Upgrading to/installing 8.3 (or above) needs more RAM than was installed in the 5500 firewall range before Feb 2010. Cisco RAM is expensive! I suggest a trip to eBay, e.g. memory for my 5510 cost me £15.00 and memory for my 5505 cost me $6.00. I’ve already written about the memory requirements, see the article below;
Before you do anything, take a full backup of the firewall. The number of times I’ve asked ‘You did back it up first, didn’t you?’ and the answer is an awkward silence is far too high!
1. Disable NAT Control (This is a throwback to version 6, when we had to have NAT to pass traffic between interfaces)
You may have it enabled
[box]
Petes-ASA# show run all nat-control
nat-control
[/box]
To disable it;
[box]
Petes-ASA# conf t
Petes-ASA(config)# no nat-control
[/box]
Will it break anything? I’ve not seen it break anything. The one thing worth checking: with nat-control on, traffic between interfaces that has no matching NAT rule is dropped, so anything that was being blocked only by that will now be allowed through (subject to your ACLs).
2. Disable ‘names’: I was never a fan of these anyway, they seemed like a good idea, then made everything difficult to troubleshoot, I routinely disable ‘names’ when I’m troubleshooting things.
[box]
Petes-ASA# conf t
Petes-ASA(config)# no names
[/box]
Will it break anything? Absolutely not!
3. Look at all your NAT statements: Their syntax is about to change A LOT, make sure you know what each one is doing, and why it’s there. Study the differences to the NEW NAT commands, and if you have enough time, convert them offline in notepad, then you have the commands ready to post in if there’s a drama. See the following article;
Note: During the upgrade the pre-8.3 config is saved as disk0:/{version-number}_startup_cfg.sav, (i.e. disk0:/8_2_5_59_startup_cfg.sav). This will be critical if there’s a problem and you need to ‘roll back’. Another handy file is upgrade_startup_errors_{time-stamp}.log (i.e. disk0:/upgrade_startup_errors_201711151046.log). But only look in there if you actually have a problem, because there will always be things in this file, and you will only panic needlessly!
The actual upgrade is the same process for any ASA upgrade. My recommendation is to go from 8.2 to 8.4(6), then you can perform further upgrades from there (as required).
Basic upgrade commands;
[box]
copy tftp://192.168.50.2/asa846-k8.bin flash
no boot system disk0:/asa825-59-k8.bin
boot system disk0:/asa846-k8.bin
write mem
reload
[/box]
VPNs Don’t Work? Make sure the upgrade has NOT added the keyword ‘unidirectional‘ to the NAT statements for the VPN tunnel, (bug if you upgrade straight to 8.3(2))
ACLs Don’t Work? I’ve seen the upgrade process fail to change the IP address from the public IP to the private IP in the ACL. (Post 8.3, ACL statements are written to allow traffic to the internal, real (pre-translation) IP, rather than the external/public (post-translation) IP as you had to do BEFORE version 8.3.) This is most common on ACLs applied to the outside interface.
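What the NAT and ACL conversion described in steps 3 and the two troubleshooting notes above looks like on one static NAT and one VPN exemption, as an added example (not from the original post or from the upgrade log). The addresses (203.0.113.10 public, 192.168.1.10 private, 192.168.1.0/24 local and 10.10.10.0/24 remote) and the object names are assumptions for illustration.

```cisco
! ===== Pre 8.3 (8.2 syntax) =====
! Added example: assumed addresses and names.
static (inside,outside) 203.0.113.10 192.168.1.10 netmask 255.255.255.255
! The ACL references the PUBLIC (post-translation) address
access-list outside_access_in extended permit tcp any host 203.0.113.10 eq 443
access-group outside_access_in in interface outside
!
! VPN NAT exemption, 8.2 style (nat 0 with an ACL)
access-list NO-NAT extended permit ip 192.168.1.0 255.255.255.0 10.10.10.0 255.255.255.0
nat (inside) 0 access-list NO-NAT
!
! ===== 8.3 and later =====
object network WEB-SERVER
 host 192.168.1.10
 nat (inside,outside) static 203.0.113.10
!
! The ACL now references the REAL (pre-translation) address; if the migration left
! 'host 203.0.113.10' in here, that is the "ACLs don't work" symptom above
access-list outside_access_in extended permit tcp any object WEB-SERVER eq 443
access-group outside_access_in in interface outside
!
! VPN NAT exemption, 8.3 style (identity/twice NAT)
object network LOCAL-LAN
 subnet 192.168.1.0 255.255.255.0
object network REMOTE-LAN
 subnet 10.10.10.0 255.255.255.0
! 'no-proxy-arp route-lookup' need 8.4(2) or later; drop them on plain 8.3
nat (inside,outside) source static LOCAL-LAN LOCAL-LAN destination static REMOTE-LAN REMOTE-LAN no-proxy-arp route-lookup
! If the migration wrote this line WITH the keyword 'unidirectional', remove that keyword
! (re-enter the line without it): the remote site's return traffic must match the rule too.
!
! ===== Checks after the reload =====
! show nat
! show access-list outside_access_in
! packet-tracer input outside tcp 198.51.100.5 12345 203.0.113.10 443
! packet-tracer input inside  tcp 192.168.1.50 12345 10.10.10.50 445
```

The two packet-tracer lines are the quickest way to confirm the conversion: the first should hit the static NAT and the ACL and end with an ALLOW, the second should show the identity NAT rule rather than the dynamic PAT used for internet traffic. Convert each statement offline in this form before the upgrade, as step 3 suggests, and you have the paste-in fix ready if the migration gets one wrong.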
I need to downgrade the ASA back to 8.2!!
To downgrade;
[box]
downgrade {image} {config}
e.g.
downgrade disk0:/asa825-59-k8.bin disk0:/8_2_5_59_startup_cfg.sav
[/box]
Related Articles, References, Credits, or External Links
If you have a Meraki Security device and have enabled ‘Content Filtering’, instead of a nice ‘block-page’ informing you why you are being blocked you may see this;
http://wired.meraki.com:8090
This is happening because your corporate DNS is resolving ‘wired.meraki.com’ to its public address, 54.241.7.184, and, as you can see from the URL, the browser is trying to connect to it on port 8090. A quick nmap of that IP will tell you port 8090 is not open (only port 80 and port 443 are).
The reason is that if you were using your Meraki device for DNS forward lookups, it would ‘DNS doctor’ the returned DNS packet and insert its own IP address in there instead. That’s fine, but most corporate networks don’t want to use their Meraki devices for DNS forward lookups.
The easiest way to resolve the problem, is with your own corporate DNS servers.
Solution
First you need the inside IP of your Meraki device(s). You can get these from the Meraki Dashboard (Security Devices > Addressing and VLANs). If you browse to that IP, you should see something similar to below;
Armed with that information, go to one of your DNS Servers, and create a new forward lookup zone.
Next > Primary zone > Next > To all DNS Servers… > Next.
Zone Name = wired.meraki.com > Next > Allow only Secure… > Next > Finish.
In the newly created zone, create a ‘New Host (A or AAAA) record.
Leave the name blank (so the record sits at the parent domain, wired.meraki.com itself), enter the inside IP of your MX device (only) > Add Host > Repeat for each Meraki device, if you have more than one. From a client, ‘nslookup wired.meraki.com’ should now return the MX’s inside IP rather than 54.241.7.184; if it still shows the old answer, flush the client cache with ‘ipconfig /flushdns’.
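The same zone and record created with the DnsServer PowerShell module, as an added example (not from the original post), for when you have several DNS servers or several MX appliances. The inside IP 192.168.1.1, the ‘Domain’ replication scope and the five-minute TTL are assumptions; substitute the address(es) from the Dashboard.

```powershell
# Added example (not part of the original post): create the wired.meraki.com
# override zone on a Windows DNS server so the Meraki block page resolves to the
# MX appliance's inside IP instead of the public 54.241.7.184.
Import-Module DnsServer

$zone     = 'wired.meraki.com'
$mxInside = @('192.168.1.1')     # one entry per MX appliance; assumed value

# AD-integrated primary zone with secure dynamic updates only, matching the wizard
# choices above ('Domain' = all DNS servers on DCs in this domain; use 'Forest' if you
# picked the forest-wide option)
if (-not (Get-DnsServerZone -Name $zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $zone -ReplicationScope 'Domain' -DynamicUpdate 'Secure'
}

# A record at the zone apex ('@'), i.e. the bare name wired.meraki.com
foreach ($ip in $mxInside) {
    Add-DnsServerResourceRecordA -ZoneName $zone -Name '@' -IPv4Address $ip -TimeToLive 00:05:00
}

# Verify on the server: expect the inside IP(s) above, not 54.241.7.184
Resolve-DnsName -Name $zone -Type A | Select-Object Name, IPAddress

# Optional: confirm the MX answers on the block-page port from the inside
Test-NetConnection -ComputerName $mxInside[0] -Port 8090 | Select-Object ComputerName, TcpTestSucceeded
```

Because the zone is AD-integrated, every domain controller running DNS picks it up; clients keep the public answer until their cache expires or is cleared with `Clear-DnsClientCache`. The override only affects name resolution, so it does nothing for clients that bypass corporate DNS (e.g. DNS over HTTPS in the browser); those will still land on the public IP and see the error.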
Now you will receive a slightly more friendly blocked page.
Related Articles, References, Credits, or External Links