You have forgotten your password, or the administrator’s password for your Windows machine.
Note: You can also blank or reset the DSRM (Directory Services Restore Mode) password on a Domain Controller using this method (tested on 2012 R2, by blanking the password).
Lost Password: Fix
Lost Password Software Download Links
Password Reset CD Image (3.5Mb). Note: This is a .iso file – you need to burn it as an image! Simply dropping this file on a CD will NOT work.
WARNING – If your drive has been encrypted with Windows BitLocker this procedure will not work!
Related Articles, References, Credits, or External Links
You want to wipe the firewall’s config and revert to the factory settings (passwords blank, management or inside interface set to 192.168.1.1 with DHCP enabled, and all other settings wiped).
Solution
1. Connect to the ASA via the console cable. CLICK HERE
2. Log in and go to configure terminal mode.
3. Execute the following command: “config factory-default”
4. Press the space bar a few times to execute the commands.
5. When you get back to the command prompt, execute the following command: “reload save-config noconfirm” (or on a Cisco PIX, write mem {enter} > reload {enter}{enter}).
6. The firewall will reboot, set to factory settings.
Procedure carried out on a Cisco ASA 5508-X (Running version 9)
Procedure carried out on a Cisco PIX 515E (Running version 8)
Note: Now the management interface (if you have one) will be set to lease DHCP addresses. If you don’t have a management interface (i.e. you have an ASA 5505 or an older PIX), then the inside interface will lease DHCP addresses instead. The outside interface will be set to obtain its IP address via DHCP.
3. Otherwise Start > Run (or for Vista/Windows 7 or 2008 type in the search box) > services.msc {enter}.
4. First make sure the following three services are present and have started:
Windows Update
Background Intelligent Transfer Service
Cryptographic Services
If any are not running, right click > Start. If they are all present and running, then locate the “Windows Update” service > Right click it > Stop.
5. Open Windows Explorer and navigate to C:\Windows > Locate the SoftwareDistribution folder > Rename it to UpdateOLD.
6. Go back to the “Windows Update” service you stopped in step 4 and restart it > Then retry Windows Update.
7. If it is still not working, then manually reset the Windows Update components using the BITS repair tool, or do it manually; for instructions CLICK HERE.
There are many reasons why you might want to do this: someone has managed to change a user password and that person is not available, or you might simply have forgotten it. Or you might have been given a machine, or bought one from eBay, that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”. I have never seen a password change on its own, so I will just put that down to the evil password gremlins.
The procedure will also work on the Windows local administrator’s password, just bear in mind that this account is disabled by default (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.
You can use this procedure to blank, (or reset) a Domain Controllers DSRM (Directory Services Restore Mode) password.
You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.
1. Download ImgBurn and install it, then launch the program. If it does not look like this you need to select View > Ez-Mode Picker. Select the ‘Write image file to disc’ option.
2. The file you downloaded is a zip file that contains the disk image; you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.
3. Select the burn to disc icon (Note: This will be greyed out until there is a blank CD in the drive). The image is very small, so it will not take long to burn.
Carry Out a Windows 8 Password Reset.
This procedure uses the boot CD you have just created. For it to work you need to make sure the machine will attempt to boot from its CD/DVD drive before it boots from its hard drive (or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machine’s BIOS; how you enter this varies depending on the machine vendor. When you first turn on the machine, watch for a message that looks like “Press {key} to enter Setup”, typically Esc, Del, F1, F2, or F9. When in the BIOS, locate the boot order and move the CD/DVD drive to the top of the list.
1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.
2. Depending on how many disks/partitions you have, it will discover them and assign a number to each one. Here I only have 1, so I will type ‘1 {Enter}’.
Note: You may see a small 300Mb partition; ignore that. You may also see your machine’s recovery partition if it has one; if that’s the case you may have to carry out some trial and error to get the right one.
3. The system is set to look for the default registry location C:\Windows\System32\Config, so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.
4. We want password reset so select option 1.
5. We will be editing user data and passwords, so again select option 1.
6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.
Note: As mentioned, you can see here that the administrator account is disabled. If you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.
7. You can choose option 2 and type in a new password, but I’m going to blank the password by selecting option 1, then change it when I get back into the machine.
8. To step back you need to enter an exclamation mark.
9. Enter a ‘q’ to quit.
10. To write the changes you have made enter a ‘y’.
11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.
12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.
13. As the user object we are dealing with was the last one to log on, it will be selected as soon as the computer boots, and now that it has a blank password it will automatically log on.
14. To change the password, press Ctrl+I > Change PC settings.
15. Users > Create a password.
16. Type and confirm your new password, and enter a password hint > Next.
17. Log off the account and test the new password.
Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However, these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.
So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”
I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Server 2008 R2 and Windows 7. I will also add in the KMS licensing mechanism for Office 2010 as well.
Note: If you are using Server 2003 it will need SP1 (at least) and this update.
Solution
To be honest, it’s more difficult to find out how to deploy a KMS server than it actually is to do. I’ve gone into a fair bit of detail below, but most of you will simply need to follow steps 1-4 (immediately below). After that I’ve outlined how to deploy KMS from the command line, then how to test it, and finally how to add Microsoft Office 2010 licenses to the KMS server.
Install Microsoft Windows 2008 R2 Key Management Service (EASY)
1. The most difficult part is locating your KMS key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”.
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server to the new key. Start > Right Click “Computer” > Properties (or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.
3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.
4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP port 1024:
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Install Microsoft Windows 2008 R2 Key Management Service from Command Line
You will notice below that I’m running these commands from a command window running as administrator (Right click “Command Prompt” > Run as administrator).
Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).
2. Providing the command runs without error, we have just changed the product key for this Windows server to the KMS key.
3. Now we need to activate the Windows server > Run the following command:
[box]
c:\Windows\System32\slui.exe
[/box]
Select “Activate Windows online now” > Follow the on screen prompts.
4. When complete, it should tell you that it was successfully activated.
5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT, then you need to allow access through the local firewall for the “Key Management Service” (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > “Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.
Note: Should you wish to change the port the service uses, you can do so with the following command, i.e. to change it to TCP port 1024:
[box]
cscript c:\Windows\System32\slmgr.vbs /SPrt 1024
[/box]
That’s It! That is all you should need to do, your KMS Server is up and running.
Testing the Key Management Server
Before it will start doing what you want it to, you need to meet certain thresholds: with Windows 7 clients it WON’T work until it has had 25 requests from client machines. If you are making the requests from Windows 2008 servers then the count is 5. (Note: For Office 2010 the count is 5, NOT 25.)
Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.
Windows 7 and Windows 2008 R2 have KMS keys BUILT INTO THEM; if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines, in which case you will need to change it to a client KMS key). These are publicly available (see here).
1. The service works because it puts an SRV record in your DNS. When clients want to activate, they simply look for this record before they try to activate with Microsoft; if they find the record, they activate from your KMS server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS server.
2. From your client machines you can test that they can see the SRV record by running the following command:
[box]
nslookup -type=srv _vlmcs._tcp
[/box]
Note: If this fails, can your client see the DNS server? And is it in the domain?
3. There is no GUI console for KMS to see its status, so run the following command on the KMS server:
[box]
cscript c:\Windows\System32\slmgr.vbs /dli
[/box]
4. As I’ve mentioned above, with Windows clients you need 25 requests, and with Windows servers you need 5, before KMS will work; before this you will see:
Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038
5. For each of these failures, look on the KMS server and the “Current count” will increment by 1 until it starts to work. In a live environment this won’t be a problem (you probably won’t be looking at KMS with fewer than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.
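To make the threshold check above repeatable, here is a small checker (added for this article, not a Microsoft tool) that reads the KMS section of `cscript slmgr.vbs /dli` output from the host, works out how many more requests are needed for the product family you are troubleshooting, and ties that to the 0xC004F038 error the client shows. The sample output is constructed; the field names match what slmgr prints, the values are made up, and you pass the output for whichever product family (Windows or Office 2010) you are chasing.

```python
import re

# Requests a KMS host must count before it starts activating each product
# family (figures from the article: 25 for Windows client editions, 5 for
# Windows Server, 5 for Office 2010).
KMS_THRESHOLDS = {"windows-client": 25, "windows-server": 5, "office-2010": 5}

# Error a client reports while the host's count is still below threshold.
KMS_COUNT_TOO_LOW = 0xC004F038

# Constructed sample of the KMS section printed by 'cscript slmgr.vbs /dli' on
# a KMS host. Field names follow the real tool; the values are made up.
SAMPLE_DLI_OUTPUT = """\
Partial Product Key: XXXXX
License Status: Licensed

Key Management Service is enabled on this machine
    Current count: 7
    Listening on Port: 1688
    DNS publishing enabled
    KMS priority: Normal
"""


def parse_kms_host_status(output):
    """Extract the KMS-host facts from slmgr /dli text: whether this machine is
    a KMS host, its current request count, listening port and DNS publishing."""
    status = {
        "kms_host": "Key Management Service is enabled" in output,
        "current_count": None,
        "port": None,
        "dns_publishing": "DNS publishing enabled" in output,
    }
    m = re.search(r"Current count:\s*(\d+)", output)
    if m:
        status["current_count"] = int(m.group(1))
    m = re.search(r"Listening on Port:\s*(\d+)", output)
    if m:
        status["port"] = int(m.group(1))
    return status


def requests_still_needed(current_count, family):
    """How many more activation requests the host needs before it will
    activate `family`; 0 means it is already at or above threshold."""
    return max(0, KMS_THRESHOLDS[family] - current_count)


def diagnose(output, family, client_error=None):
    """One-line verdict for a client of the given family, using the host's
    slmgr /dli output and, optionally, the error code the client reported."""
    status = parse_kms_host_status(output)
    if not status["kms_host"] or status["current_count"] is None:
        return "this machine is not acting as a KMS host; check the key with slmgr /dli"
    short = requests_still_needed(status["current_count"], family)
    if short:
        hint = " (matches error 0xC004F038)" if client_error == KMS_COUNT_TOO_LOW else ""
        return (f"count is {status['current_count']}, {short} more request(s) needed "
                f"before {family} activates{hint}")
    if client_error is not None:
        return (f"count {status['current_count']} is enough for {family}; error "
                f"{client_error:#010x} is not a threshold problem, check the DNS SRV "
                f"record and TCP port {status['port']}")
    return f"KMS host ready for {family} on TCP {status['port']}"
```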
Troubleshooting KMS Clients
To make things simple, the command to execute on the clients is the same command that you run on the KMS server to check the status.
[box]
cd c:\windows\system32
slmgr /dli
[/box]
For further troubleshooting, see the following links.
In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.
1. First locate your Office 2010 KMS key! If you have a Microsoft License agreement, log into the Microsoft Volume License Service Center and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”.
Note: As with Windows 7 and Server 2008 R2, Office 2010 comes with a KMS key already installed; if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).
1. On closer inspection, I noticed the Exchange System Attendant was not running, and when I tried to launch it, it started then stopped.
2. And the Exchange Information Store service was also not running (that explains why the database won’t mount).
3. And when I tried to start that:
Error: Windows could not start the Microsoft Exchange Information Store on Local Computer. For more information, review the System Event Log. If this is a non-Microsoft service, contact the service vendor, and refer to service-specific error code -2147221213
4. Fair enough, the Event Viewer yielded this:
Event ID 5003
Error
Unable to initialize the Microsoft Exchange Information Store service because the clocks on the client
and on the server machine are skewed. This may be caused by a time change either in the client or the
server machine, and may require a reboot of that machine. Other than that, verify that your domain is
properly configured and is currently online.
Well, the clock on the Exchange server was correct, as were the clocks on the domain controllers; they were both synced and in the same time zone.
5. The Exchange server is a VMware virtual machine, and even though it is not set to take its time from the host, the time on the host was incorrect.
6. Firstly set the time correctly on the ESX host (below I’ve used an external NTP server, though you can just manually set the time).
7. Then restart the Exchange Active Directory Topology Service, make sure all the services come up correctly, and check the database has mounted.
This is a simple job to do from the command line; however, the world is full of people who would rather spend an hour in the ASDM working out how to do it! So I’ve included both methods.
What is split tunneling?
This is the process of letting a remote VPN user browse the web, access local resources, etc. from their own location whilst connected to your VPN, in this case via SSLVPN, but the same applies to WebVPN or IPSEC VPN. Only traffic destined for the networks on the split-tunnel list goes through the tunnel; everything else leaves the client directly.
Solution
Option 1 Enable Split Tunnel via Command Line.
1. Connect to the ASA > Go to enable mode > Then to global configuration mode > Create an ACL that permits traffic from the network behind the ASA to any. (Note: Add additional ACEs for additional internal networks.)
[box]
Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
PeteASA(config)# access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0
[/box]
2. Add the split tunnel to the policy you are using for your remote VPN (if you are unsure, issue a show run group-policy).
[box]
PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09
3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#
[/box]
Enable Split Tunnel on an older PIX Firewall
[box]
Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ******
PetesPIX# configure terminal
PetesPIX(config)# access-list Split-Tunnel permit ip 10.0.0.0 255.255.255.0 any
PetesPIX(config)# vpngroup RemoteVPN split-tunnel Split-Tunnel
[/box]
Option 2 Enable Split Tunnel via ASDM
1. Launch the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select your policy.
2. Edit > Select Advanced > Split Tunneling.
3. Next to Policy > Untick “Inherit” > Change to “Tunnel Network List Below”.
4. Next to “Network List” remove the tick from Inherit > Click Manage.
5. Add ACL > Call it something sensible like Split-Tunnel > OK.
6. Then click Add ACE.
7. Select Permit and enter the network BEHIND THE ASA > OK.
8. Should look a bit like this > OK.
9. OK.
10. Apply > File > Save running configuration to flash.
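Before you apply the ACL, it is worth being sure which destinations will actually go down the tunnel. The checker below is added for this article (it is not Cisco code): it parses both ACL forms shown above (the ASA standard ACL and the PIX extended ACL), evaluates a destination against the list the way the firewall does (first match wins, implicit deny), and flags a “permit any” that silently turns split tunneling into tunnel-all. It also goes one step beyond the article by modelling all three ASA split-tunnel-policy keywords, not just tunnelspecified (“Tunnel Network List Below” in the ASDM). The config lines are constructed samples.

```python
import ipaddress
import re

# Constructed sample config using the two ACL forms shown in the article:
# the ASA standard ACL and the older PIX extended ACL.
SAMPLE_CONFIG = """\
access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0
access-list Split-Tunnel standard permit 172.16.1.0 255.255.255.0
access-list Split-Tunnel permit ip 192.168.10.0 255.255.255.0 any
access-list Other-ACL standard permit 10.99.0.0 255.255.0.0
"""

# Matches "access-list NAME [standard] permit|deny [ip] NET MASK [any]".
ACL_LINE = re.compile(
    r"^access-list\s+(?P<name>\S+)\s+(?:standard\s+)?(?P<action>permit|deny)\s+"
    r"(?:ip\s+)?(?P<net>\d+\.\d+\.\d+\.\d+)\s+(?P<mask>\d+\.\d+\.\d+\.\d+)(?:\s+any)?\s*$"
)


def parse_split_tunnel_acl(config, name):
    """Return [(action, network)] for every entry of ACL `name`, in config order."""
    entries = []
    for line in config.splitlines():
        m = ACL_LINE.match(line.strip())
        if m and m.group("name") == name:
            net = ipaddress.ip_network(f"{m.group('net')}/{m.group('mask')}", strict=False)
            entries.append((m.group("action"), net))
    return entries


def is_tunneled(dest, entries, policy="tunnelspecified"):
    """Decide whether traffic to `dest` goes through the VPN tunnel.

    policy mirrors the ASA split-tunnel-policy keywords: tunnelall (everything
    tunneled), tunnelspecified (only ACL matches tunneled; the article's
    "Tunnel Network List Below"), excludespecified (ACL matches go direct).
    """
    if policy == "tunnelall":
        return True
    addr = ipaddress.ip_address(dest)
    matched = False                      # implicit deny when nothing matches
    for action, net in entries:          # first match wins, as on the firewall
        if addr in net:
            matched = action == "permit"
            break
    return matched if policy == "tunnelspecified" else not matched


def lint_split_tunnel(entries):
    """Flag entries that make the split tunnel wider than it looks."""
    warnings = []
    for action, net in entries:
        if action == "permit" and net.prefixlen == 0:
            warnings.append("permit any: tunnels everything, same as tunnelall")
        elif action == "permit" and not net.is_private:
            warnings.append(f"{net} is a public range; is it really behind the ASA?")
    return warnings
```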
You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.
Solution
Assumptions.
Hardware on both ASA firewalls is identical.
The correct licenses for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).
In this example the firewalls were ASA5510s and all interfaces were being used, so the Management port was used as the “Failover Link” (that needs a Security Plus license!).
This link will use a crossover cable (only available after version 7.0(2); before that you had to use a switch – I think!).
Also, I’m using the same link for LAN-based failover (heartbeat) AND stateful replication.
IP Addresses
Each interface will need its existing IP address, and an address to use whilst in “Standby”. In this example I will use the following:
4. Set up the failover LAN interface (in config mode!).
[box]
PetesASA(config)#
PetesASA(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#
ciscoasa(config)#
ciscoasa(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#
[/box]
(YES: that’s the same as on the primary firewall; there WON’T be a conflict.)
[box]
Detected an Active mate
Beginning configuration replication from mate.
[/box]
19. When it says that it has ended replication, on the secondary firewall issue a “show failover” (Note: the hostname will have changed to the one on the primary firewall).
[box]
PetesASA(config)#
PetesASA(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 514 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.1.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
slot 1: empty
[/box]
20. To double check, go back to the PRIMARY firewall and issue the same command.
[box]
PetesASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
This host: Primary - Active
Active time: 616 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.2.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
[/box]
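Reading “show failover” by eye is easy to get wrong, so here is a checker added for this article (not a Cisco tool) that parses the step-20 output above and lists what still needs attention before you trust the pair: failover not enabled, a software version mismatch (the article’s own output shows 7.0(5) against 7.2(2), against the “same software versions” assumption), the mate not in Standby Ready, monitored interfaces not Normal, and an interface where both units share one IP because no standby address was set. The sample is the article’s output trimmed to the lines the parser reads.

```python
import re

# 'show failover' from step 20 of the article (primary unit), trimmed to the
# lines this parser reads.
SHOW_FAILOVER = """\
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
This host: Primary - Active
Active time: 616 (sec)
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
"""


def parse_show_failover(text):
    """Turn 'show failover' output into a dict; interfaces are grouped under
    'this' and 'other' as (name, ip, state) in the order the firewall lists them."""
    info = {"failover_on": False, "unit": None, "ours": None, "mate": None,
            "this_state": None, "other_state": None,
            "interfaces": {"this": [], "other": []}}
    side = None
    for line in text.splitlines():
        line = line.strip()
        if line == "Failover On":
            info["failover_on"] = True
        elif line.startswith("Failover unit "):
            info["unit"] = line.split()[-1]
        elif (m := re.match(r"Version: Ours (\S+), Mate (\S+)", line)):
            info["ours"], info["mate"] = m.groups()
        elif (m := re.match(r"This host: \S+ - (.+)", line)):
            info["this_state"], side = m.group(1), "this"
        elif (m := re.match(r"Other host: \S+ - (.+)", line)):
            info["other_state"], side = m.group(1), "other"
        elif side and (m := re.match(r"Interface (\S+) \(([\d.]+)\): (.+)", line)):
            info["interfaces"][side].append((m.group(1), m.group(2), m.group(3)))
    return info


def failover_health(info):
    """List what an engineer should fix before trusting the pair to fail over."""
    problems = []
    if not info["failover_on"]:
        problems.append("failover is not enabled")
    if info["ours"] != info["mate"]:
        problems.append(f"software mismatch: ours {info['ours']}, mate {info['mate']}")
    if info["this_state"] == "Active" and info["other_state"] != "Standby Ready":
        problems.append(f"mate is '{info['other_state']}', not Standby Ready")
    for side, ifaces in info["interfaces"].items():
        for name, ip, state in ifaces:
            if state != "Normal":
                problems.append(f"{side} {name} ({ip}) is '{state}', not Normal")
    # Each interface needs a distinct active and standby address on the two units.
    ours = {name: ip for name, ip, _ in info["interfaces"]["this"]}
    for name, ip, _ in info["interfaces"]["other"]:
        if ours.get(name) == ip:
            problems.append(f"{name}: both units use {ip}; set a standby address")
    return problems
```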
21. The failover time out of the box is a bit pants; to nail it down a little, on the PRIMARY ASA:
22. Save the config. (Note: config changes WILL be replicated to the standby firewall.)
[box]
PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 6650f6c9 09bbb5f0 0dafa0d1 8fc08aba
8756 bytes copied in 3.680 secs (2918 bytes/sec)
[OK]
PetesASA(config)#
[/box]
23. When done, pull the power on ASA 1 to make it fail over. With a constant ping running you will usually only lose 1 ping packet.
Failover Commands to Copy and Paste
Note: This assumes you have already added ‘standby’ IP addresses to all your interfaces and are using GigabitEthernet0/4 as the failover interface. Change the values in bold to match your requirements.
[box]
Primary Firewall Config
clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit primary
failover
failover link failover GigabitEthernet0/4
!
failover poll 1 hol 3
failover poll interface 3
interface GigabitEthernet0/4
failover poll interface 3
exit
!
Standby Firewall Config
clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit secondary
failover
failover link failover GigabitEthernet0/4
!
[/box]
Related Articles, References, Credits, or External Links
Thanks to Barry van Dijk for correcting my syntax mistake 🙂