Windows Administrator “Lost Password” / “Password Reset”

KB ID 0000159

Problem

You have forgotten your password, or the administrators password fo your Windows machine.

Note: You can also ‘Blank’ or reset the DSRM (Directory Services Restore Mode) password on a Domain Controller (Tested on 2012 R2, by blanking the password). Using this method.

Lost Password : Fix

Lost Password Software Download Links

Password Reset CD Image (3.5Mb) Note: This is a .iso file – you need to burn it as an image! Simply dropping this file on a CD will NOT work.

WARNINIG – If your drive has been encrypted with Windows Bitlocker this procedure will not work!

Related Articles, References, Credits, or External Links

Windows 8 – Lost / Forgotten Password?

Factory Reset a Cisco Firewall

KB ID 0000007 

Problem

You want to wipe the firewall’s config and revert to the factory settings (passwords blank – management or inside set to 192.168.1.1 and DHCP enabled, with all other settings wiped).

Solution

1. Connect to the ASA via the console Cable. CLICK HERE

2. log in and go to configure terminal mode.

3. Execute the following command “config factory-default

4. Press the space bar a few times to execute the commands.

5. When you get back to command prompt Execute the following command “reload save-config noconfirm” (Or on a Cisco PIX, write mem {enter} > reload {enter}{enter}).

6. The Firewall will reboot, (set to factory settings).

Procedure carried out on a Cisco ASA 5508-X (Running version 9)

 

Procedure carried out on a Cisco PIX 515E (Running version 8)

Note: Now the management interface, (if you have one) will be set to lease DHCP addresses. If you don’t have a management interface, (i.e. you have an  ASA 5505, or an older PIX,) then the inside interface will lease DHP addresses instead. The outside interface will be set to obtain its IP address via DHCP.

Related Articles, References, Credits, or External Links

Cisco ASA – Password Recovery / Reset

Cisco PIX (500 Series) Recovery

VMware View Connection Server – Stop Session timeouts

KB ID 0000605

Problem

For security reasons, the VMware View Administrator will timeout after a short period of inactivity, and you will see the following.

Server Error
Your session has timed out. Please log in again.
Click OK to be redirected to the login screen.

However if you work in the console a lot, this can get quite annoying.

Solution

From within the View Administrator console > View Configuration > Global settings > Edit > Tick “Enable automatic status updates” > OK > OK.

Note: Another advantage to doing this is, you don’t have to keep pressing refresh to update the interface.

Related Articles, References, Credits, or External Links

NA

How to Tell if Windows is 32 or 64 bit

KB ID 0000153

Problem

If you want to know what version (x64 or x86) of Windows you are running, then this is the simplest way to find out.

Solution

Under accessories run system information;

Under System Type: If it says x86 then it’s 32 bit.

However if it says x64 then it’s 64 bit.

Windows XP and Server 2003

1. Click Start > Run > sysdm.cpl {enter} > General Tab.

Windows XP x32 (x86) and Windows XP x64

Windows Server 2003 x32 (x86) and Windows Server 2003 x64

Windows Vista / Windows 7 / Server 2008

1. Start > Control Panel > System.

Windows Vista and Windows 7

Windows Server 2008

 

Related Articles, References, Credits, or External Links

NA

Windows Update Fails

KB ID 0000359

Problem

There are a LOT of different reasons for Windows Updates to fail, I can’t cover every eventuality, but there a a few common steps to try.

Solution

1. As soon as the updates fail you should get an Error Message, that should point you in the right direction.


Update Error Code 80200011

2. If you error code matches one of these…

Code Error Description
0x80070002
ERROR_FILE_NOT_FOUND
The system cannot find the file specified.
0x8007000D
ERROR_INVALID_DATA
The data is invalid.
0x800F081F
CBS_E_SOURCE_MISSING
The source for the package or file not found.
0x80073712
ERROR_SXS_COMPONENT_STORE_CORRUPT
The component store is in an inconsistent state.
0x800736CC
ERROR_SXS_FILE_HASH_MISMATCH
A component’s file does not match the verification information present in the component manifest.
0x800705B9
ERROR_XML_PARSE_ERROR
Unable to parse the requested XML data.
0x80070246
ERROR_ILLEGAL_CHARACTER
An invalid character was encountered.
0x8007370D
ERROR_SXS_IDENTITY_PARSE_ERROR
An identity string is malformed.
0x8007370B
ERROR_SXS_INVALID_IDENTITY_ATTRIBUTE_NAME
The name of an attribute in an identity is not within the valid range.
0x8007370A
ERROR_SXS_INVALID_IDENTITY_ATTRIBUTE_VALUE
The value of an attribute in an identity is not within the valid range.
0x80070057
ERROR_INVALID_PARAMETER
The parameter is incorrect.
0x800B0100
TRUST_E_NOSIGNATURE
No signature was present in the subject.
0x80092003
CRYPT_E_FILE_ERROR
An error occurred while Windows Update reads or writes to a file.
0x800B0101
CERT_E_EXPIRED
A required certificate is not within its validity period when verifying against the current system clock or the time stamp in the signed file.
0x8007371B
ERROR_SXS_TRANSACTION_CLOSURE_INCOMPLETE
One or more required members of the transaction are not present.
0x80070490
ERROR_NOT_FOUND
Windows could not search for new updates.

Then run the System Update Readiness Tool and then retry Windows Update.

Operating system Download
All supported x86-based versions of Windows Vista Download
All supported x64-based versions of Windows Vista Download
All supported x86-based versions of Windows Server 2008 Download
All supported x64-based versions of Windows Server 2008 Download
All supported IA-64-based versions of Windows Server 2008 Download
All supported x86-based versions of Windows 7 Download
All supported x64-based versions of Windows 7 Download
All supported x64-based versions of Windows Server 2008 R2 Download
All supported IA-64-based versions of Windows Server 2008 R2 Download

3. Otherwise Start > Run (or for Vista/Windows 7 or 2008 Type in the search box) > services msc {enter}.

4. First make sure the following three services are present and have started,

Windows Update
Background Intelligent Transfer Service
Cryptographic Services

If any are not running right click > Start. If they are all present and running then > Locate the “Windows Update” service> Right click it > Stop.

5. Open Windows Explorer and navigate to C:Windows > Locate the SoftwareDistribution folder> Rename it to UpdateOLD.

6. Go back to the service “Windows Update” service you stopped in step 4 and restart it > Then retry Windows Update.

7. If your still not working, then manually reset the Windows Update components using the BITS repair tool, or doing it manually, for instructions CLCK HERE.

8. You can also try using the Fix WU Utility (Written by Ramesh Kumar from TheWindowsClub ).

Note: If all else fails try using the Firegen Windows update Log Analyzer.

 

Related Articles, References, Credits, or External Links

NA

Windows – Lost / Forgotten Password?

KB ID 0000755

Problem

There are many reasons why you might want to do this, someone has managed to change a user password and that person is not available, you might simply have forgotten it. Or you might have been given a machine, or bought one from ebay that has come without a password. Also there have been a few times when a user has looked me in the eye and said “I’m typing my password in, but it’s not working”, I have never seen a password change on it’s own, so I will just put that down to the evil password gremlins.

The procedure will also work on the Windows local administrators password, just bear in mind that his account is disabled by default, (after Windows 8). This procedure will not work if the machine in question has had its hard drive encrypted using BitLocker.

You can use this procedure to blank, (or reset) a Domain Controllers DSRM (Directory Services Restore Mode) password.

You can avoid this procedure if you have access to another account on this machine that has administrative access. If you can log on as an administrator, then you can change the password of other local accounts on the affected machine without the need to do this.

Solution

How to Burn the ISO Disc Image

1. Download the Password Reset CD Image.

2. Download ImgBurn and install, Launch the program, if it does not look like this you need to select View >EX-Mode-Picker. Select the ‘Write image file to disc’ option.

2. The file you downloaded is a zip file that contains the disk image, you will need to extract the image from the zip file (i.e. drag it to your desktop). From within ImgBurn launch the browse option and navigate to the disk image you have just extracted > Open.

3. Select the burn to disc icon (Note: This will be greyed out, until there is a blank CD in the drive). The image is very small, it will not take long to burn.

Carry Out a Windows 8 Password Reset.

This procedure uses the boot CD you have just created, for it to work you need to make sure the machine will attempt to boot to its CD/DVD Drive before it boots to its hard drive. (Or it will simply boot into Windows again). This change in ‘Boot Order’ is carried out in the machines BIOS, how you enter this varies depending on machine vendor, when you first turn on the machine watch for a message that looks like Press {key} to enter Setup. Typically Esc, Del, F1, F2, or F9. When in the BIOS locate the boot order and move the CD/DVD Drive to the top of the list.

1. Boot your machine from your freshly burned CD, when you see this screen simply press {Enter} to boot.

2. Depending on how many disks/partitions you have it will discover them and assign a number to each one, here I only have 1 so I will type ‘1 {Enter}’.

Note: You may see a small 300Mb partition, ignore that. You may also see your machines recovery partition if it has one, if that’s the case you may have to carry out some trial and error to get the right one.

3. The system is set to look for the default registry location C:WindowsSystem32Config so simply press {Enter}. If it fails at this point you selected the wrong drive/partition.

4. We want password reset so select option 1.

5. We will be editing user data and passwords, so again select option 1.

6. You will be presented with a list of the user objects that it can locate, here I want to reset the password for the ‘PeteLong’ user object so simply type in the username you want to edit.

Note: As mentioned you can see here the administrator account is disabled, if you want to work with that account, you will need to unlock and enable it on the next screen before you blank or change the password.

7. You can choose option 2 and type in a new password, but I’m going the blank the password, then change it when I get back into the machine by selecting option 1.

8. To step back you need to enter an exclamation mark.

9. Enter a ‘q’ to quit.

10. To write the changes you have made enter a ‘y’.

11. As long as you are happy, and have no other accounts that need changing, enter ‘n’.

12. Now remove the boot CD, and press Ctrl+Alt+Delete to reboot the machine.

13. As the user object we are dealing with was the last one that has logged on, it will select that account as soon as the computer boots, and now it has a blank password it will automatically log on.

14. To change the password, press Ctrl+I > Change PC settings.

15. Users > Create a password.

16. Type and confirm your new password, and enter a password hint > Next.

17. Log off the account and test the new password.

 

Related Articles, References, Credits, or External Links

NA

Using a KMS Server

KB ID 0000582

Problem

Given the amount of deployments I do, it’s surprising that I don’t use KMS more often. Like most technical types, I find a way that works for me, and that’s the way I do things from then on. However these last few weeks I’ve been putting in a new infrastructure for a local secondary school. Their internet access is through a proxy server, that refuses to let Windows activation work. Unfortunately the “Administrators” of this proxy server were not disposed to give me any help, or let me anywhere near it, to fix it.

So after activating a dozen servers over the phone, I decided enough was enough “I’m putting in a KMS Server!”

I’m deploying KMS on Windows Server 2008 R2, and it is for the licensing and activation of Serer 2008 R2 and Windows 7. I will also add in the licensing KMS mechanism for Office 2010 as well.

Note: If you are using Server 2003 it will need SP1 (at least) and this update.

Solution

To be honest it’s more difficult to find out how to deploy a KMS server, than it actually is to do. I’ve gone into a fair bit of detail below but most of you will simply need to follow steps 1-4 (immediately below). In addition, after that I’ve outlined how to deploy KMS from command line. Then how to test it, and finally how to add Microsoft Office 2010 Licenses to the KMS Server.

Install Microsoft Windows 2008 R2 Key Management Service (EASY)

1. The most difficult part is locating your KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Windows Server 2008 Std/Ent KMS B”

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Armed with your new key, you simply need to change the product key on the server that will be the KMS server, to the new key. Start > Right Click “Computer” > Properties. (Or Control Panel > System). Select “Change Product Key” > Enter the new KMS Key > Next.

3. You will receive a warning that you are using a KMS Key > OK. You may now need to activate your copy of Windows with Microsoft, this is done as normal, if you can’t get it to work over the internet you can choose to do it over the phone.

4. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Install Microsoft Windows 2008 R2 Key Management Service from Command Line

You will notice below that I’m running these commands from command windows running as administrator (Right click “Command Prompt” > Run as administrator).

1. Locate your “Windows Server 2008 Std/Ent KMS B” Key > From command line issue the following command;

[box]

cscript c:\Windows\System32\slmgr.vbs /ipk XXXXX-XXXXX-XXXXX-XXXXX-XXXXX

[/box]

Note: To License/Activate Server 2008 R2 AND Windows 7 THIS IS THE ONLY KEY YOU NEED. You do NOT need to add additional keys for Windows 7. (You DO for Office 2010, but I’ll cover that below).

2. Providing the command runs without error, we have just changed the product key for this Windows server to be the KMS key.

3. Now we need to activate the Windows Server > Run the following command;

[box]

c:\Windows\System32\slui.exe

[/box]

Select “Activate Windows online now” > Follow the on screen prompts.

4. When complete, it should tell you that it was successfully activated.

5. In a corporate environment (behind an edge firewall) you may have the local firewall disabled on the server. If you do NOT then you need to allow access through the local firewall for the “Key Management Service”, (this runs over TCP port 1688). To allow the service, Start > Firewall.cpl {enter} > Allow program or feature through Windows Firewall” > Tick Key Management Service > OK.

Note: Should you wish the change the port the service uses, you can do so with the following command, i.e. to change it to TCP Port 1024;

[box]

cscript c:\Windows\System32\slmgr.vbs /SPrt 1024

[/box]

That’s It! That is all you should need to do, your KMS Server is up and running.

Testing the Key Management Server

Before it will start doing what you want it to, you need to meet certain thresholds, with Windows 7 clients it WONT work till it has had 25 requests from client machines. If you are making the requests from Windows 2008 Servers then the count is 5. (Note: For Office 2010 the count is 5 NOT 25)

Interestingly: On my test network I activated five Windows 7 machines, then one server, and it started working.

Windows 7 and Windows 2008 R2 have KMS Keys BUILT INTO THEM, if you are deploying/imaging machines you should not need to enter a key into them (unless you have entered a MAK key on these machines then you will need to change it to a client KMS Key). These are publicly available (see here).

1. The service works because it puts an SRV record in your DNS, when clients want to activate, they simply look for this record before they try and activate with Microsoft, if they find the record, they activate from your KMS Server instead. If you look on your domain DNS servers, expand “Forward Lookup Zones” > {your domain name} > _tcp > You will see an entry for _VLMCS that points to your KMS Server.

2. From your client machines you can test that they can see the SRV record, by running the following command;

[box]

nslookup -type=srv _vlmcs._tcp

[/box]

Note: If this fails, can your client see the DNS server? And is it in the domain?

3. There is no GUI console for KMS to see its status, so run the following command on the KMS server;

[box]

cscript c:\Windows\System32\slmgr.vbs /dli

[/box]

4. As I’ve mentioned above, with Windows clients you need 25, and Windows Servers you will need 5 requests before KMS will work, before this you will see;

Windows Activation
A problem occurred when Windows tried to activate. Error Code 0xC004F038

5. For each of these failures, look-in the KMS Server, and the “Current count” will increment by 1 till it starts to work). In a live environment this wont be a problem, (You probably wont be looking at KMS with less than 25 clients!). On a test network just clone/deploy a load of machines until you hit the threshold.

Troubleshooting KMS Clients

To make things simple the command to execute on the clients, is the same command that you run on the KMS server to check the status.

[box]

cd c:\windows\system32
slmgr /dli

[/box]

For further troubleshooting, see the following links.

How to troubleshoot the Key Management Service (KMS)

Managing License States

Adding an Office 2010 KMS Key to Your KMS Server.

In addition to servers and clients, KMS can activate and handle Office 2010 licenses as well. You simply need to add in Office support, and your Office 2010 KMS key. As mentioned above, unlike Windows clients, you only need five requests to the KMS server before it will start activating Office 2010 normally.

If you want a KMS Server for JUST OFFICE 2010 and not Windows, then simply install and run the Office 2010 Key Management Service Host.

1. First locate your Office 2010 KMS Key! If you have a Microsoft License agreement, log into the the Microsoft Volume License Service Center, and retrieve the KMS License Key for “Office 2010 Suites and Apps KMS”

Note: As with Windows 7, and Server 2008 R2, Office 2010 comes with a KMS key already installed, if you have changed the key to a MAK key you can change it back using the Microsoft public KMS keys (see here).

2. Download and run the “Microsoft Office 2010 KMS Host License Pack“.

3. When prompted type/paste in your “Office 2010 Suites and Apps KMS” product key > OK.

4. It should accept the key.

5. Press {Enter} to close.

6. Once you have five Office 2010 installations they should start to activate from your KMS server.

Troubleshooting Office 2010 KMS Activation

If you have a client that refuses to work you can manually force it to activate against your KMS server;

x64 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com 
cscript "C:\Program Files (x86)\Microsoft Office\Office14\OSPP.VBS" /act 

[/box]

x32 Bit Clients. (Where kms.domaina.com is the FQDN of the KMS server)

[box]

cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /sethst:kms.domaina.com
cscript "C:\Program Files\Microsoft Office\Office14\OSPP.VBS" /act [/box]

Related Articles, References, Credits, or External Links

KMS Activation – Error: 0xC004C008

Exchange – Failed to mount database(hr=0x80040115, ec=-2147221227)

KB ID 0000664 

Problem

The Exchange server on my test network stopped working, the mailbox database was not mounted. When I attempted to mount it:

[box]
--------------------------------------------------------
Microsoft Exchange Error
--------------------------------------------------------
Failed to mount database '{Database Name}'.
{Database Name}
Failed
Error:
Couldn't mount the database that you specified. Specified database: {Database Name}; 
Error code: An Active Manager operation failed with a transient error. Please retry 
the operation. Error: Database action failed with transient error. Error: A 
transient error occurred during a database operation. Error: MapiExceptionNetworkError: 
Unable to make admin interface connection to server. (hr=0x80040115, ec=-2147221227)
Diagnostic context:
......
Lid: 12696 dwParam: 0x6D9 Msg: EEInfo: Generation Time: 2012-08-28 13:55:49:266
Lid: 10648 dwParam: 0x6D9 Msg: EEInfo: Generating component: 2
Lid: 14744 dwParam: 0x6D9 Msg: EEInfo: Status: 1753
Lid: 9624 dwParam: 0x6D9 Msg: EEInfo: Detection location: 501
Lid: 13720 dwParam: 0x6D9 Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6D9 Msg: EEInfo: NumberOfParameters: 4
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[0]: Unicode string: ncalrpc
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[1]: Unicode string:
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[2]: Long val: -1988875570
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[3]: Long val: 382312662
Lid: 24060 StoreEc: 0x80040115
Lid: 23746
Lid: 31938 StoreEc: 0x80040115
Lid: 19650
Lid: 27842 StoreEc: 0x80040115
Lid: 20866
Lid: 29058 StoreEc: 0x80040115 [Database: {Database Name}, Server: 
PNL-EX.petenetlive.net].
An Active Manager operation failed with a transient error. Please retry the operation. 
Error: Database action failed with transient error. Error: A transient error occurred 
during a database operation. Error: MapiExceptionNetworkError: Unable to make admin 
interface connection to server. (hr=0x80040115, ec=-2147221227)
Diagnostic context:
......
Lid: 12696 dwParam: 0x6D9 Msg: EEInfo: Generation Time: 2012-08-28 13:55:49:266
Lid: 10648 dwParam: 0x6D9 Msg: EEInfo: Generating component: 2
Lid: 14744 dwParam: 0x6D9 Msg: EEInfo: Status: 1753
Lid: 9624 dwParam: 0x6D9 Msg: EEInfo: Detection location: 501
Lid: 13720 dwParam: 0x6D9 Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6D9 Msg: EEInfo: NumberOfParameters: 4
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[0]: Unicode string: ncalrpc
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[1]: Unicode string:
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[2]: Long val: -1988875570
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[3]: Long val: 382312662
Lid: 24060 StoreEc: 0x80040115
Lid: 23746
Lid: 31938 StoreEc: 0x80040115
Lid: 19650
Lid: 27842 StoreEc: 0x80040115
Lid: 20866
Lid: 29058 StoreEc: 0x80040115 [Database: {Database Name}, 
Server: PNL-EX.petenetlive.net]
An Active Manager operation failed with a transient error. Please retry the operation. 
Error: MapiExceptionNetworkError: Unable to make admin interface connection to server. 
(hr=0x80040115, ec=-2147221227)
Diagnostic context:
......
Lid: 12696 dwParam: 0x6D9 Msg: EEInfo: Generation Time: 2012-08-28 13:55:49:266
Lid: 10648 dwParam: 0x6D9 Msg: EEInfo: Generating component: 2
Lid: 14744 dwParam: 0x6D9 Msg: EEInfo: Status: 1753
Lid: 9624 dwParam: 0x6D9 Msg: EEInfo: Detection location: 501
Lid: 13720 dwParam: 0x6D9 Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6D9 Msg: EEInfo: NumberOfParameters: 4
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[0]: Unicode string: ncalrpc
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[1]: Unicode string:
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[2]: Long val: -1988875570
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[3]: Long val: 382312662
Lid: 24060 StoreEc: 0x80040115
Lid: 23746
Lid: 31938 StoreEc: 0x80040115
Lid: 19650
Lid: 27842 StoreEc: 0x80040115
Lid: 20866
Lid: 29058 StoreEc: 0x80040115 [Server: PNL-EX.petenetlive.net]
MapiExceptionNetworkError: Unable to make admin interface connection to server. 
(hr=0x80040115, ec=-2147221227)
Diagnostic context:
......
Lid: 12696 dwParam: 0x6D9 Msg: EEInfo: Generation Time: 2012-08-28 13:55:49:266
Lid: 10648 dwParam: 0x6D9 Msg: EEInfo: Generating component: 2
Lid: 14744 dwParam: 0x6D9 Msg: EEInfo: Status: 1753
Lid: 9624 dwParam: 0x6D9 Msg: EEInfo: Detection location: 501
Lid: 13720 dwParam: 0x6D9 Msg: EEInfo: Flags: 0
Lid: 11672 dwParam: 0x6D9 Msg: EEInfo: NumberOfParameters: 4
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[0]: Unicode string: ncalrpc
Lid: 8856 dwParam: 0x6D9 Msg: EEInfo: prm[1]: Unicode string:
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[2]: Long val: -1988875570
Lid: 12952 dwParam: 0x6D9 Msg: EEInfo: prm[3]: Long val: 382312662
Lid: 24060 StoreEc: 0x80040115
Lid: 23746
Lid: 31938 StoreEc: 0x80040115
Lid: 19650
Lid: 27842 StoreEc: 0x80040115
Lid: 20866
Lid: 29058 StoreEc: 0x80040115
[/box]


Solution

1. On closer inspection, I noticed the Exchange System Attendant was not running, and when I tried to launch it is started then stopped?

2. And the Exchange Information Store service was also not running, (that explains why the database won’t mount).

3. And when I tried to start that:

Error Windows could not start the Microsoft Exchange Information Store on Local Computer. For more information review the System Event Log. If this is a non Microsoft service, contact the service vendor, and refer to server-specific error code -2147221213

4. Fair enough, the Event Viewer yielded this:

Event ID 5003

Error
Unable to initialize the Microsoft Exchange Information Store service because the clocks on the client 
and on the server machine are skewed. This may be caused by a time change either in the client or the 
server machine, and may require a reboot of that machine. Other than that, verify that your domain is 
properly configured and is currently online.

Well the clock on the Exchange server was correct, as were the clocks on the domain controllers they were both sync’d and in the same time zone.

5. The Exchange server is a VMware virtual machine, and even though it is not set to take it’s time from the host, the time on the host was incorrect.

6. Firstly set the time correctly on the ESX host, (below I’ve used an external NTP server, though you can just manually set the time).

7. Then restart the Exchange Active Directory Topology Service, make sure all the services come up correctly, and check the database has mounted.

Related Articles, References, Credits, or External Links

NA

Cisco ASA – Enable Split Tunnel for Remote Clients

KB ID 0000066

Problem

This is a simple job to do from command line, however the world is full of people who would rather spend an hour in the ASDM working out how to do it! So I’ve included both methods.

What is split tunneling?

This is the process of letting a remote VPN user browse the web, and access local resources etc, from their location whilst connected to your VPN in this case via SSLVPN, but also from WebVPN or IPSEC VPN.

Solution

Option 1 Enable Split Tunnel via Command Line.

1. Connect to the ASA > Go to enable mode > Then to global configuration mode > Create an ACL that permits traffic from the network behind the ASA to any. (Note: Add additional ACL’s for additional internal networks).

[box]

Type help or '?' for a list of available commands.
PetesASA> enable
Password: ******
PetesASA# configure terminal
PeteASA(config)# access-list Split-Tunnel standard permit 10.0.0.0 255.255.255.0

[/box]

2. Add the split tunnel to the policy you are using for you remote VPN, (if you are unsure issue a show run group-policy).

[box]

PeteASA(config)# group-policy SSL_Policy attributes
PeteASA(config-group-policy)# split-tunnel-policy tunnelspecified
PeteASA(config-group-policy)# split-tunnel-network-list value Split-Tunnel
PeteASA(config-group-policy)# exit
PeteASA(config)#

[/box]

3. Save the changes.

[box]

PeteASA(config)# write mem
Building configuration...
Cryptochecksum: cb28eeb2 3d203272 eda92e1c a3b70d09

3166 bytes copied in 0.890 secs
[OK]
PeteASA(config)#

[/box]

Enable Split Tunnel on an older (PIX Firewall)

[box]

Type help or '?' for a list of available commands.
PetesPIX> enable
Password: ******
PetesPIX# configure terminal
PetesPIX(config)# access-list Split-Tunnel permit ip 10.0.0.0 255.255.255.0 any
PetesPIX(config)# vpngroup RemoteVPN split-tunnel Split-Tunnel

[/box]  

Option 2 Enable Split Tunnel via ASDM

1. Launch the ASDM > Configuration > Remote Access VPN > Network (Client) Access > Group Policies > Select your policy.

2. Edit > Select Advanced > Split Tunneling.

3. Next to Policy > Untick “Inherit” > Change to “Tunnel Network List Below”.

4. Next to “Network List” remove the tick from Inherit > Click Manage.

5. Add ACL > Call it something sensible like Split-Tunnel > OK.

6. Then click Add ACE.

7. Select Permit and enter the network BEHIND THE ASA> OK.

8. Should look a bit like this > OK.

9. OK.

10. Apply > File > Save running configuration to flash.

Related Articles, References, Credits, or External Links

Original Article Written 14/06/12

Troubleshooting Cisco ASA Split Tunnel

Cisco ASA – Remote VPN Client Internet Access

PPTP VPN – Enable Split Tunneling

Deploy Cisco ASA 55xx in Active / Standby Failover

KB ID 0000048 

Problem

You want to deploy 2 Cisco ASA 55xx Series firewalls in an Active/Standby failover configuration.

Solution

Assumptions.

Hardware on both ASA firewalls is identical.
The correct license’s for failover are installed on both firewalls.
The same software versions are installed on both firewalls.
You have your PRIMARY firewall set up and running correctly (Everything works!).

In this example the firewalls were ASA5510’s and all interfaces were being used, so the Management port was used as the “Failover Link” (That needs a security plus license!).
This Link will use a crossover cable (Only available after version 7.0(2) before that you had to use a switch – I think!).

Also I’m using the same link for LAN Based failover (heartbeat) AND Stateful replication.

IP Addresses

Each interface will need its existing IP address, and an address to use whilst in “Standby”. In this example I will use the following,


Click For Larger Image

Outside Interface (Ethernet 0/0) 123.123.123.123 255.255.255.0
Outside Interface STANDBY 123.123.123.124 255.255.255.0
DMZ1 Interface (Ethernet0/1) 192.168.1.1 255.255.255.0
DMZ1 Interface STANDBY 192.168.1.254 255.255.255.0
DMZ2 Interface (Ethernet0/2) 192.168.2.1 255.255.255.0
DMZ2 Interface STANDBY 192.168.2.254 255.255.255.0
Inside Interface (Ethernet 0/3) 172.16.1.1 255.255.255.0
Inside Interface (STANDBY) 172.16.1.254 255.255.255.0
Failover Interface (Management0/0) 172.16.254.254 255.255.255.0
Failover Interface STANDBY 172.16.254.250 255.255.255.0

Step 1 Carry Out this procedure on the PRIMARY (Already configured and working) firewall.

1. Backup the running config on the primary firewall.

[box]

PetesASA# copy run flash:/before_failover.cfg

Source filename [running-config]?

Destination filename [before_failover.cfg]?
Cryptochecksum: babed83d 62a5fba7 e5ea368d 642157bd

8549 bytes copied in 3.670 secs (2849 bytes/sec)
PetesASA#

[/box]

2. Blow away the config on the interface you are going to use for failover.

[box]

PetesASA(config)# clear configure interface GigabitEthernet1/7
PetesASA(config)# int GigabitEthernet1/7
PetesASA(config-if)# no shut
PetesASA(config)#

[/box]

3. Change the interface IP addresses – (to add the standby addresses for each interface).

[box]

PetesASA(config)#
PetesASA(config)# interface GigabitEthernet1/1
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif outside
PetesASA(config-if)# security-level 0
PetesASA(config-if)# ip address 123.123.123.123 255.255.255.0 standby 123.123.123.124
PetesASA(config-if)# interface GigabitEthernet1/2
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ1
PetesASA(config-if)# security-level 50
PetesASA(config-if)# ip address 192.168.1.1 255.255.255.0 standby 192.168.1.254
PetesASA(config-if)# interface GigabitEthernet1/3
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif DMZ2
PetesASA(config-if)# security-level 55
PetesASA(config-if)# ip address 192.168.2.1 255.255.255.0 standby 192.168.2.254
PetesASA(config-if)# interface GigabitEthernet1/4
PetesASA(config-if)# speed 1000
PetesASA(config-if)# duplex full
PetesASA(config-if)# nameif inside
PetesASA(config-if)# security-level 100
PetesASA(config-if)# ip address 172.16.1.1 255.255.255.0 standby 172.16.1.254
PetesASA(config-if)# exit
PetesASA(config)#

[/box]

4. Set up the failover LAN interface (In config mode!).

[box]

PetesASA(config)#
PetesASA(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
PetesASA(config)#

[/box]

5. Setup failover link IP address.

[box]

PetesASA(config)#
PetesASA(config)# failover interface ip FAIL-OVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
PetesASA(config)#

[/box]

6. Setup a shared key.

[box]

PetesASA(config)#
PetesASA(config)# failover key 666999
PetesASA(config)#

[/box]

7. Set it as the primary firewall.

[box]

PetesASA(config)#
PetesASA(config)# failover lan unit primary
PetesASA(config)#

[/box]

8. Turn on failover.

[box]

PetesASA(config)#
PetesASA(config)# failover
PetesASA(config)#

[/box]

9. Now we need to enable stateful failover.

[box]

PetesASA(config)#
PetesASA(config)# failover link FAIL-OVER
PetesASA(config)#

[/box]

10. Save the config.

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 5c8dfc45 ee6496db 8731d2d5 fa945425

8695 bytes copied in 3.670 secs (2898 bytes/sec)
[OK]
PetesASA(config)#

[/box]

 

NOW CONFIGURATION IS FINISHED ON THE PRIMARY FIREWALL, ENSURE THE CABLING IS IN PLACE ON BOTH FIREWALLS THEN CONNECT TO THE STANDBY FIREWALL

Step 2 Carry Out this procedure on the Standby Firewall.

11. Enter enable mode .

[box]

ciscoasa>
ciscoasa> enable
Password:********
ciscoasa#

[/box]

12. Clear the configuration on the failover interface (Management 0/0 in this example), then open the failover link and issue a “no shut” command.

[box]

ciscoasa#
ciscoasa# conf terminal
ciscoasa(config)# clear configure interface GigabitEthernet1/7
ciscoasa(config)# interface GigabitEthernet1/7
ciscoasa(config-if)# no shut
ciscoasa(config-if)# exit
ciscoasa(config)#

[/box]

13. Turn on LAN interface for failover.

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan interface FAIL-OVER Gigabitethernet1/7
INFO: Non-failover interface config is cleared on Management0/0 and its sub-interfaces
ciscoasa(config)#

[/box]

YES: that’s the same as the primary firewall there WON’T be a conflict).

[box]

ciscoasa(config)#
ciscoasa(config)# failover interface ip FAIL-OVER 192.168.254.1 255.255.255.0 standby 192.168.254.2
ciscoasa(config)#

[/box]

15. Give it the same key you used above (In step 6).

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan key 666999
ciscoasa(config)#

[/box]

16. Set it as the secondary (standby firewall).

[box]

ciscoasa(config)#
ciscoasa(config)# failover lan unit secondary
ciscoasa(config)#

[/box]

17. Turn on failover.

[box]

ciscoasa(config)#
ciscoasa(config)# failover
ciscoasa(config)#

[/box]

18. You should see……

[box]

Detected an Active mate
Beginning configuration replication from mate.

[/box]

19. When is says that is has ended replication On the secondary firewall, issue a “show failover” (Note: the hostname will have changed to the one on the primary firewall).

[box]

PetesASA(config)#
PetesASA(config)# show failover
Failover On
Failover unit Secondary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 5 seconds, holdtime 25 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.2(2), Mate 7.0(5)
Last Failover at: 14:49:43 UTC May 4 2007
This host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)
slot 1: empty
Other host: Primary - Active
Active time: 514 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.1.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
slot 1: empty

[/box]

20. To double check go back to the PRIMARY firewall and issue the same command.

[box]

PetesASA(config)# show failover
Failover On
Failover unit Primary
Failover LAN Interface: failover Management0/0 (up)
Unit Poll frequency 1 seconds, holdtime 15 seconds
Interface Poll frequency 15 seconds
Interface Policy 1
Monitored Interfaces 4 of 250 maximum
Version: Ours 7.0(5), Mate 7.2(2)
Last Failover at: 13:21:42 UTC May 4 2007
This host: Primary - Active
Active time: 616 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.0(5)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.123): Link Down (Waiting)
Interface DMZ1 (192.168.1.1): Link Down (Waiting)
Interface DMZ2 (192.168.2.1): Link Down (Waiting)
Interface Inside (172.16.1.1): Link Down (Waiting)
Other host: Secondary - Standby Ready
Active time: 0 (sec)
slot 0: ASA5510 hw/sw rev (1.1/7.2(2)) status (Up Sys)
slot 1: empty
Interface Outside (123.123.123.124): Link Down (Waiting)
Interface DMZ1 (192.168.1.254): Link Down (Waiting)
Interface DMZ2 (192.168.2.254): Link Down (Waiting)
Interface Inside (172.16.1.254): Link Down (Waiting)

[/box]

21. The failover time out of the box is a bit pants, to nail it down a little, on the PRIMARY ASA

[box]

PetesASA(config)#
PetesASA(config)# failover poll 1 hol 3
PetesASA(config)# failover poll interface 3
PetesASA(config)# int GigabitEthernet 1/7
PetesASA(config-if)# failover poll interface 3
PetesASA(config)#

[/box]

22. Save the config. (Note: config changed WILL be replicated to the standby firewall).

[box]

PetesASA(config)#
PetesASA(config)# write mem
Building configuration...
Cryptochecksum: 6650f6c9 09bbb5f0 0dafa0d1 8fc08aba

8756 bytes copied in 3.680 secs (2918 bytes/sec)
[OK]
PetesASA(config)#

[/box]

23. When done pull the power on ASA 1 to fail. With a constant ping running you usually will only lose 1 ping packet.

Failover Commands to Copy and Paste

Note: This assumes you have already added ‘standby’ IP addresses to all you interfaces and is using GigabitEthernet0/4 as the failover interface. Change the values in bold to match your requirements.

[box]

Primary Firewall Config 

 

clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit primary
failover
failover link failover GigabitEthernet0/4
!
failover poll 1 hol 3
failover poll interface 3
interface GigabitEthernet0/4
failover poll interface 3
exit
!

Standby Firewall Config

clear configure interface GigabitEthernet0/4
interface GigabitEthernet0/4
no shut
exit
!
failover lan interface failover GigabitEthernet0/4
failover interface ip failover 192.168.255.9 255.255.255.252 standby 192.168.255.10
failover lan key 666999
failover lan unit secondary
failover
failover link failover GigabitEthernet0/4
!

[/box]

 

Related Articles, References, Credits, or External Links

Thanks to Barry van Dijk for correcting up my syntax mistake 🙂

Cisco ASA 5500 Active/Standby – Zero Downtime Upgrade