Test Port Connectivity Through a Firewall

KB ID 0001541

Problem

Test Port Connectivity: This morning I was asked if I had a test Exchange server that someone could test TCP port 587 against. Usually if I need to test a port I simply use Microsoft IIS, set it to the appropriate port, add a ‘welcome banner’ and telnet to it. This time it didn’t work, so I found a small application that you can use for this very purpose.

How to Test Port Connectivity

Test Port Connectivity with PowerShell

Use the following syntax;

[box]

Test-NetConnection {Target-IP} -Port {Port-Number}

[/box]

Test Port Connectivity with Telnet and Listen.exe

The application is called listen.exe and is from Allscoop.com. Simply run it, enter a port number and a welcome banner message > Listen.

Test it internally first with ‘telnet localhost {port-number}’ on the machine where you are running it, and then from another machine on the LAN.

Then, assuming your firewalls are set up correctly, you can test it from outside the network.

Each time there’s a successful connection you will see it, along with a time stamp.
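As an added example (not part of the original post, and not the Allscoop tool), the following PowerShell does the same job as listen.exe: a listener that sends a banner to anything that connects and logs the remote address with a time stamp, plus a wrapper around Test-NetConnection that checks several ports from the client side in one go. The function names, the default banner text and the 192.0.2.10 address are assumptions of this example.

```powershell
# Added example (not from the original post): a PowerShell stand-in for listen.exe plus a
# multi-port wrapper around Test-NetConnection. Function names and the default banner are
# assumptions of this example.

function Start-BannerListener {
    param(
        [Parameter(Mandatory)][int]$Port,
        [string]$Banner = 'Welcome - port test OK',   # assumed default banner
        [int]$MaxConnections = 5                       # return after this many so the example finishes
    )
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    Write-Host ("{0} Listening on TCP {1}" -f (Get-Date -Format 'yyyy-MM-dd HH:mm:ss'), $Port)
    $log = @()
    try {
        for ($i = 0; $i -lt $MaxConnections; $i++) {
            $client = $listener.AcceptTcpClient()        # blocks until a client connects
            $remote = $client.Client.RemoteEndPoint.ToString()
            $stamp  = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
            Write-Host ("{0} Connection from {1}" -f $stamp, $remote)
            # Send the banner so a telnet client sees something, then close the socket.
            $stream = $client.GetStream()
            $bytes  = [System.Text.Encoding]::ASCII.GetBytes($Banner + "`r`n")
            $stream.Write($bytes, 0, $bytes.Length)
            $stream.Flush()
            $client.Close()
            $log += [pscustomobject]@{ Time = $stamp; Remote = $remote }
        }
    }
    finally {
        $listener.Stop()   # always release the port, even on Ctrl+C
    }
    return $log
}

function Test-PortList {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [Parameter(Mandatory)][int[]]$Port
    )
    foreach ($p in $Port) {
        # TcpTestSucceeded is the field that matters; the warning printed for a closed port is
        # suppressed because the result object already records the failure.
        $r = Test-NetConnection -ComputerName $ComputerName -Port $p -WarningAction SilentlyContinue
        [pscustomobject]@{
            Target  = $ComputerName
            Port    = $p
            Open    = $r.TcpTestSucceeded
            Checked = Get-Date -Format 'yyyy-MM-dd HH:mm:ss'
        }
    }
}

# Usage:
#   on the test server      Start-BannerListener -Port 587
#   from another machine    Test-PortList -ComputerName 192.0.2.10 -Port 25,587
# (192.0.2.10 is a documentation address; substitute the server's real IP)
```

Run the listener from an elevated prompt if the port is below 1024, and test from localhost first, then the LAN, then outside the firewall, in that order; if the localhost test fails the problem is on the host (a local firewall rule or something else already bound to the port), not the network.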

Related Articles, References, Credits, or External Links

Windows – ‘Telnet’ is not recognized as an internal or external command

Mac High Sierra – Telnet and FTP Missing?

Veeam: Error No Backup Proxy is Available

KB ID 0001540

Problem

I was asked to take a look at this by a colleague;

Unable to allocate processing resources Error: No backup proxy is able to process this VM due to proxy processing mode restrictions.

Solution

This is a pretty generic error to be honest; at first glance it would look like the proxy either needed more CPU/RAM, (or another proxy adding altogether). However, the root cause was that the Veeam server was attached to the storage network via a fibre HBA, and it had lost its connection to the datastores. This resulted in it not being able to use the ‘Direct Storage Access’ backup mode, (there are three modes: Network (most common), Virtual Appliance, and Direct Attached Storage).

After correcting the storage presentation, a quick look in ‘Disk Management’, and a rescan told me the storage was now presented correctly;

Note: Yes they are meant to be offline!

The backups then completed as normal.

Related Articles, References, Credits, or External Links

Veeam Backup and Recovery Download

Veeam Availability Suite Download

Veeam Backup For Office 365 Download

Veeam Backup For Azure Download

Veeam Backup for AWS Download

Remote Connect to macOS

KB ID 0001539

Problem

Remotely connecting to Windows is easy, we’ve had RDP since Windows NT4, (yes I’m that old). But what if you want to remote connect to a Mac? Well that has ‘Screen Sharing’ built in, (which is pretty much the same, but it uses VNC).

If you’re unfamiliar with VNC, (Virtual Network Computing), you can install it on both Windows and Linux. Normally you need a client, (to connect with) and a server, (to connect to). A VNC server is built into your Mac, so you just need to switch it on.

Note: To access it through a firewall you will need to have TCP port 5900 open/forwarded to the Mac.

Solution

Apple Symbol > System Preferences > Sharing.

Tick: ‘Screen Sharing‘ > Computer Settings > Tick VNC viewers may control screen with password > Enter a password > OK.

On a remote machine download a VNC client (there are a lot to choose from!) > Point it to the IP address of your mac > Enter the password you set, (above).

And you are connected.

Related Articles, References, Credits, or External Links

NA

Windows Adding Firewall Rules With PowerShell

KB ID 0001538

Problem

There was a question on Experts Exchange this morning; the asker wanted to be able to add a ‘Trusted’ network range to their Windows Server Firewall settings as an ‘allow all ports’ rule.

Solution

You can of course add this manually in the GUI, and normally I’d simply Add a Firewall Rule with a Group Policy. The problem with that is, it’s fine if you want to open a particular TCP/UDP/ICMP port, but NOT if you want to open ALL ports. But you CAN use PowerShell like so;

[box]

New-NetFirewallRule -RemoteAddress 192.168.100.0/24 -DisplayName "Trusted Subnet" -Direction inbound -Profile Any -Action Allow

[/box]

Then you can check the settings, just as if you had created the rule in the GUI.
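As an added example (not from the original post), here is the same rule wrapped in a function that refuses to create a duplicate, together with a function that reads the rule back the way you would check it in the GUI. The subnet, the rule name and the function names are assumptions of this example.

```powershell
# Added example (not from the original post): create the 'Trusted Subnet' rule from the
# article and read it back. Function names and the default subnet/rule name are assumptions.

function New-TrustedSubnetRule {
    param(
        [Parameter(Mandatory)][string]$Subnet,          # e.g. 192.168.100.0/24
        [string]$DisplayName = 'Trusted Subnet'
    )
    # Windows happily creates several rules with the same display name, so check first.
    if (Get-NetFirewallRule -DisplayName $DisplayName -ErrorAction SilentlyContinue) {
        throw "A rule called '$DisplayName' already exists"
    }
    # No -Protocol or -LocalPort means 'Any', which is the 'allow all ports' behaviour asked for.
    New-NetFirewallRule -DisplayName $DisplayName -Direction Inbound -Profile Any `
        -Action Allow -RemoteAddress $Subnet -Enabled True
}

function Get-TrustedSubnetRule {
    param([string]$DisplayName = 'Trusted Subnet')
    $rule = Get-NetFirewallRule -DisplayName $DisplayName
    # The address and port scope live in separate filter objects, not on the rule itself.
    $addr = $rule | Get-NetFirewallAddressFilter
    $port = $rule | Get-NetFirewallPortFilter
    [pscustomobject]@{
        Name          = $rule.DisplayName
        Enabled       = $rule.Enabled
        Direction     = $rule.Direction
        Action        = $rule.Action
        Profile       = $rule.Profile
        RemoteAddress = $addr.RemoteAddress
        Protocol      = $port.Protocol      # 'Any' when no -Protocol was given
        LocalPort     = $port.LocalPort     # 'Any' when no port was given
    }
}

# Usage (elevated PowerShell):
# New-TrustedSubnetRule -Subnet 192.168.100.0/24
# Get-TrustedSubnetRule
```

The read-back is worth keeping: a rule with Protocol and LocalPort both showing ‘Any’ is exactly what was asked for here, but it is also the thing to look for when auditing a server for overly broad allow rules later on.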


Related Articles, References, Credits, or External Links

NA

Safari – Download ZIP files (Not Open Them!)

KB ID 0001537

Problem

I’d forgotten Safari did this. After replacing my Mac a few weeks ago I was trying to download a ZIP file from GitHub, and was perplexed that it was getting extracted to a folder in my Downloads folder, and not appearing as a ZIP file.

Solution

After about the third time, the penny dropped. Safari does this by default. You need to disable it. Safari > Preferences > General > UNTICK : Open “Safe” Files after downloading. (It’s at the bottom!)

Related Articles, References, Credits, or External Links

NA

You Have Exceeded the Maximum Number of Computer Accounts

KB ID 0001536

Problem

A few weeks ago, this was asked in a forum, and while I knew what the problem was, I’d never seen it myself. So I recreated the problem on the test network to look at why it happened, and how to fix / get around the problem.

The following error occurred attempting to join the domain {domain-name}

Your computer could not be joined to the domain. You have
exceeded the maximum number of computer accounts you are
allowed to create in this domain. Contact your system
administrator to have this limit reset or increased.

To be honest there’s no way I can think of to reset that limit, (short of deleting and recreating your domain user account!) So what’s going on? Well every authenticated domain user has the RIGHT to join a computer to the domain, and the amount of computers they can join is limited to 10 (ten).

Exceptions / Users Not Affected

Members of the Domain Admins group, and users that have been delegated the right to create computer objects, are exempt from this limit.

Solution Option 1 – Use an Administrative Account

Pretty straightforward: the easiest way to avoid this is to add computers to the domain using an account that’s a member of the Domain Admins group.

Solution Option 2 – Raise The Limit From 10

This limit is set at a Domain level, i.e. it’s not set on a particular user, so you have to raise the limit for ALL Users. To do this log onto a domain controller and launch Adsiedit.msc > Connect To > Default Naming Context > OK.

Select CN={Your Domain} > Properties > Locate ms-DS-MachineAccountQuota > Edit > Change the value from 10 to something greater.

Solution Option 3 – Delegate Create Computer Object Right

Locate the OU (or container) that your new computer objects get added to, (I say container because ‘Computers’ is NOT an OU) > Right Click > Delegate Control > Next > Add your domain user > Next > Create a custom task > Next.

Only the following object in the folder > Tick: Computer Objects > Tick: Create selected object in this folder > Next > Tick: Property specific > Tick: Read All Properties > Next > Finish

Solution Option 4 – Pre-Stage Computer Objects in Active Directory

Not very scalable, but you can pre-create the computer object before the computer is joined to the domain, (providing you know its computer-name / host-name). This can be done in Active Directory Users and Computers.

Then you can simply join the computer to the domain.

How Does This Work

When a computer is joined to a domain a few things happen: the account you are using is checked, and if it’s a normal user, (not delegated and not a domain admin) then the SID (Security Identifier) of that user is stamped on the COMPUTER object in a value called ms-DS-CreatorSID.

What does NOT happen: There is NO value on the USER object that increments by one for each machine joined to the domain; the ONLY reference is on the COMPUTER object. Yes this seems inefficient, but there we go, that’s how it works.

If the user has delegated rights to create computer objects, or is a member of Domain Admins, then ms-DS-CreatorSID is left empty, (if you query it using PowerShell or programmatically it will return ‘null’).

Finding Out Who Joined a Computer to The Domain

Because of the way this is stamped on the computer, and not the user, then if you want to find out how many computers a particular user, or users, have added it’s not straight forward! If it’s something that’s happened recently you can look on your domain controllers in the security log for Event 4741.

Or if you need to do something complicated, then scripting is your friend!

Getting a List of Computers Joined to a Domain (By User)

Use the following PowerShell, (this is one command if it gets wrapped after you copy/paste it).

[box]

Get-ADComputer -Filter * -Properties ms-DS-CreatorSID | Where-Object -FilterScript { $_."ms-DS-CreatorSID" -ne $Null } | Format-Table -AutoSize -Property Name,@{Label='User';Expression={(New-Object System.Security.Principal.SecurityIdentifier($_."mS-DS-CreatorSID".Value)).Translate([System.Security.Principal.NTAccount]).Value}}

[/box]

Like so;
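As an added example (not from the original post), the following PowerShell ties the pieces above together: it reads ms-DS-MachineAccountQuota from the domain head (the same value ADSI Edit shows in Option 2), counts the computers each user has joined from mS-DS-CreatorSID, flags anyone at the limit, and pulls recent Event 4741 entries from the Security log. It needs the ActiveDirectory module (RSAT) and a domain controller for the event query; the function names are my own.

```powershell
# Added example (not from the original post). Requires the ActiveDirectory module (RSAT).
# Function names are assumptions; attribute names are the ones the article describes.
Import-Module ActiveDirectory

function Get-MachineAccountQuota {
    # The quota is stored on the domain head object, not on any user.
    $domainDN = (Get-ADDomain).DistinguishedName
    (Get-ADObject -Identity $domainDN -Properties 'ms-DS-MachineAccountQuota').'ms-DS-MachineAccountQuota'
}

function Set-MachineAccountQuota {
    param([Parameter(Mandatory)][int]$NewQuota)
    # Same change as ADSI Edit > ms-DS-MachineAccountQuota; it applies to ALL users in the domain.
    Set-ADDomain -Identity (Get-ADDomain).DNSRoot -Replace @{ 'ms-DS-MachineAccountQuota' = $NewQuota }
}

function Get-ComputerJoinCount {
    param([int]$Quota = (Get-MachineAccountQuota))
    # Only computers joined by an ordinary user carry mS-DS-CreatorSID; admins and delegated
    # users leave it empty, so they never show up here (and are not subject to the quota).
    $computers = Get-ADComputer -Filter * -Properties 'mS-DS-CreatorSID' |
        Where-Object { $null -ne $_.'mS-DS-CreatorSID' }

    $computers | Group-Object -Property { $_.'mS-DS-CreatorSID'.Value } | ForEach-Object {
        $group = $_
        $sid   = New-Object System.Security.Principal.SecurityIdentifier($group.Name)
        # A SID that will not translate usually belongs to a user account that has since been deleted.
        try   { $user = $sid.Translate([System.Security.Principal.NTAccount]).Value }
        catch { $user = "<unresolved> $($group.Name)" }
        [pscustomobject]@{
            User      = $user
            Joined    = $group.Count
            Quota     = $Quota
            AtLimit   = ($group.Count -ge $Quota)
            Computers = ($group.Group.Name -join ', ')
        }
    } | Sort-Object Joined -Descending
}

function Get-RecentComputerJoin {
    # Event 4741 = 'A computer account was created', read from this DC's Security log.
    param([int]$Days = 7)
    $filter = @{ LogName = 'Security'; Id = 4741; StartTime = (Get-Date).AddDays(-$Days) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # Pull fields by name from the event XML rather than relying on positional indexes.
        $data = ([xml]$_.ToXml()).Event.EventData.Data
        $field = { param($n) ($data | Where-Object Name -eq $n).'#text' }
        [pscustomobject]@{
            Time     = $_.TimeCreated
            Computer = & $field 'TargetUserName'
            JoinedBy = "$(& $field 'SubjectDomainName')\$(& $field 'SubjectUserName')"
        }
    }
}

# Usage (run as a domain user with read access, on or against a DC):
# Get-MachineAccountQuota
# Get-ComputerJoinCount | Format-Table -AutoSize
# Get-RecentComputerJoin -Days 30
# Set-MachineAccountQuota -NewQuota 20     # only if you really want to raise it for everyone
```

Because the join count is derived from whatever computer objects still exist, deleting stale computer accounts that a user created also frees up their quota, which is often a better answer than raising the limit domain-wide.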

Related Articles, References, Credits, or External Links

NA

Sysprep Was Unable to Validate

KB ID 0001535

Problem

While building a new Windows 10 machine to be used as a template, I ran Sysprep to generalise the installation, and got this;

Sysprep was not able to validate your Windows Installation.
Review the log file at
%WINDIR%\System32\Sysprep\Panther\setupact.log for
details. After resolving the issue, use Sysprep to validate your
Installation again.

Solution

What I did was Google the error, instead of looking at the log file, and read a post that said this can happen if the reference machine has not been activated, and went down a blind alley, because THAT’S NOT TRUE; of course you can generalise a newly deployed ‘non-activated’ reference machine.

When I finally read the error log, I found the following;

[box]

Package Microsoft.LanguageExperiencePacken-GB_17763.6.14.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.
Failed to remove apps for the current user: 0x80073cf2
Exit code of RemoveAllApps thread was 0x3cf2.

[/box]

This problem is being caused by an app, (Windows has suffered with this since Windows 8!) I’ve highlighted the app name above, yours may have a different name, but the fix is the same. We need to remove that app, and stop Windows connecting to the internet to install more app shenanigans!

Disconnect the reference machine from the internet by disconnecting its NIC, (below I’m using a VMware VM).

Run a PowerShell window, (as Administrator) and execute the following command, (obviously use the name of your offending app rather than mine if it’s different!).

[box]

Get-AppxPackage -Name *LanguageExperience* | Remove-AppxPackage

[/box]

Then you should be able to run Sysprep successfully. 

DON’T FORGET to reconnect the NIC if you are creating a template, once the machine has shut down.
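As an added example (not from the original post), here is the same clean-up done from the log rather than by hand: one function pulls every package Sysprep complained about out of setupact.log, the other removes those packages for the current user, which is what the Get-AppxPackage | Remove-AppxPackage line above does for a single package. The function names and the constructed sample log lines are my own; the log path is the one quoted in the error.

```powershell
# Added example (not from the original post): find the packages Sysprep complains about in
# setupact.log and remove them for the current user. Function names and the sample log text
# are assumptions of this example.

function Get-SysprepBlockingPackage {
    param(
        [string]$LogPath = "$env:WINDIR\System32\Sysprep\Panther\setupact.log",
        [string[]]$LogLines                     # pass lines directly instead of reading the file
    )
    if (-not $LogLines) { $LogLines = Get-Content -Path $LogPath }
    # Sysprep logs one line per offending package in this form (see the log excerpt above).
    $pattern = 'Package (?<name>\S+) was installed for a user, but not provisioned for all users'
    $LogLines | ForEach-Object {
        if ($_ -match $pattern) { $Matches['name'] }
    } | Sort-Object -Unique
}

function Remove-SysprepBlockingPackage {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory, ValueFromPipeline)][string]$PackageFullName)
    process {
        $pkg = Get-AppxPackage | Where-Object PackageFullName -eq $PackageFullName
        if (-not $pkg) { Write-Warning "$PackageFullName is not installed for this user"; return }
        # -WhatIf on the caller gives a dry run before anything is removed.
        if ($PSCmdlet.ShouldProcess($PackageFullName, 'Remove-AppxPackage')) {
            $pkg | Remove-AppxPackage
        }
    }
}

# Constructed sample log lines (the package name is the one from the article's log excerpt;
# the timestamp/prefix layout is made up for this example):
$sampleLog = @(
    '2019-01-01 10:00:00, Info  SYSPRP Package Microsoft.LanguageExperiencePacken-GB_17763.6.14.0_neutral__8wekyb3d8bbwe was installed for a user, but not provisioned for all users. This package will not function properly in the sysprep image.',
    '2019-01-01 10:00:01, Error SYSPRP Failed to remove apps for the current user: 0x80073cf2'
)
Get-SysprepBlockingPackage -LogLines $sampleLog

# On the reference machine (elevated, NIC disconnected):
# Get-SysprepBlockingPackage | Remove-SysprepBlockingPackage -WhatIf    # dry run first
# Get-SysprepBlockingPackage | Remove-SysprepBlockingPackage
```

Re-run Sysprep after the removal and check the log again; if a different package name appears the machine picked up another app in the meantime, which is exactly why the NIC stays disconnected until Sysprep has finished.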

Related Articles, References, Credits, or External Links

NA

VMware: Fiber Channel HBA Reports Wrong WWN?

KB ID 0001534

Problem

I was building some new ESX 6.7 U1 (HPE) servers this week, they had Emulex Fiber HBA’s in them. When it came to ‘allowing’ them access to the SAN, I went to get the Port World Wide Name;

And was presented with this;

Not only is that 19 Characters long, and not 16 characters, but BOTH VMHBA’s WERE THE SAME! Like MAC addresses they should be unique? So I’m guessing this is a bug.

Solution

Thankfully they were cabled into a SAN Switch which told me the correct WWN addresses. But what if we didn’t have a SAN switch? Or we had a lot of servers and needed to get all the correct WWN addresses documented?

As usual, command line is your friend, SSH into the host, and run the following command;

[box]

esxcli storage core adapter list

[/box]

Above, you can see the 16 character WWN, between the ‘fc:’ and the second ‘:’ I’ve highlighted the WWN for vmhba1 and indicated the second one.
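As an added example (not from the original post), the following PowerShell parses the UID column of ‘esxcli storage core adapter list’ into separate node and port WWNs, checks that each is exactly 16 hex characters (so a bogus 19-character value like the one in the GUI would be rejected), and formats them the colon-separated way a SAN switch zoning page shows them. The adapter list text in the block is constructed for this example with made-up WWN values; paste real esxcli output (or pipe it in over SSH) in its place. The function names are my own.

```powershell
# Added example (not from the original post): parse 'esxcli storage core adapter list' output
# into node/port WWNs. The sample output and function names are assumptions of this example.

function Format-Wwn {
    # 2000000000aa0001 -> 20:00:00:00:00:aa:00:01, the form a SAN switch expects for zoning
    param([Parameter(Mandatory)][string]$Hex)
    if ($Hex -notmatch '^[0-9a-fA-F]{16}$') { throw "WWN '$Hex' is not 16 hex characters" }
    $Hex.ToLower() -replace '(..)(?!$)', '$1:'
}

function ConvertFrom-EsxcliAdapterList {
    param([Parameter(Mandatory, ValueFromPipeline)][string[]]$Line)
    process {
        foreach ($l in $Line) {
            # Fibre Channel UIDs look like fc.<node WWN>:<port WWN>; non-FC adapters (sata., sas.) are skipped.
            if ($l -match '^(?<hba>vmhba\d+)\s+(?<driver>\S+)\s+(?<link>\S+)\s+fc\.(?<node>[0-9a-fA-F]{16}):(?<port>[0-9a-fA-F]{16})') {
                [pscustomobject]@{
                    HBA     = $Matches['hba']
                    Driver  = $Matches['driver']
                    Link    = $Matches['link']
                    NodeWWN = Format-Wwn $Matches['node']
                    PortWWN = Format-Wwn $Matches['port']
                }
            }
        }
    }
}

# Constructed sample output (layout follows esxcli's table; the WWNs are placeholders):
$sample = @'
HBA Name  Driver    Link State  UID                                   Capabilities         Description
--------  --------  ----------  ------------------------------------  -------------------  --------------------------------
vmhba0    vmw_ahci  link-n/a    sata.vmhba0                                                (0000:00:1f.2) SATA controller
vmhba1    lpfc      link-up     fc.2000000000aa0001:1000000000aa0001  Second Level Lun ID  (0000:05:00.0) Emulex FC HBA
vmhba2    lpfc      link-up     fc.2000000000aa0002:1000000000aa0002  Second Level Lun ID  (0000:05:00.1) Emulex FC HBA
'@ -split "`r?`n"

$sample | ConvertFrom-EsxcliAdapterList | Format-Table -AutoSize
```

The port WWN (the part after the colon) is the value to put in the SAN zoning; if two HBAs ever come out with the same port WWN here, as well as in the GUI, that is worth raising with the vendor rather than something to work around.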

Related Articles, References, Credits, or External Links

NA

Cisco IOS: Ether-Channel Trunks

KB ID 0001533

Problem

This is a subject that every time I need to create an Ether-Channel I end up checking beforehand, so it’s about time I wrote it up. We are combining two different things, an Ether-Channel, (an aggregation of links) and a Trunk (the ability to carry many VLANs). If you are NOT from a Cisco background then you might want to read through the following post first to avoid confusion about the word ‘Trunk’.

HP and Cisco – VLANs and Trunks Confusion!

So this is what I’m going to create;

I will combine the TWO links between the switches to act as one link (Ether-Channel). An Ether-Channel can have up to eight links.

Note: I’m only concentrating on the Ether-Channel setup so VLANs/VTP and Routing are not covered.

Solution

You can use two types of Ether-Channel: PAgP (Port Aggregation Protocol), but WHY, when it only works on Cisco switches? And LACP (Link Aggregation Control Protocol), which is supported by just about everything else, so let’s stick with that! By default a ‘Trunk’ will pass ALL VLANs; you might not want that, so I’ll cover filtering VLANs a bit further down.

WARNING: If you simply connect two switches with two cables you will create a LOOP. If you have STP enabled the network will recover and block one of the links, but your colleagues will shake their heads and pull a ‘frowny face’. For that reason ‘SHUT THE PORTS DOWN BEFORE YOU CABLE / CONFIGURE THEM’.

Starting on Switch1, make sure there are no existing Ether-Channels configured;

[box]

SW-1#show etherchannel
                Channel-group listing:
                ----------------------

Group: 1
----------
Group state = L2
Ports: 2   Maxports = 4
Port-channels: 1 Max Port-channels = 4
Protocol:   LACP
Minimum Links: 0

[/box]

Above there is already an Ether-Channel (port-channel) on the switch (group 1) so you would have to use group 2. For arguments sake we will say I don’t have one, so I can use group 1.

Note: ‘show etherchannel summary’ is also a handy command to remember!

[box]

First shut down the uplinks, Note the syntax for the 'range interfaces', may differ from device to device, 
so use the TAB key.

SW-1#configure terminal
Enter configuration commands, one per line. End with CNTL/Z.
SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#shutdown

Add the ports to channel group 1, Note 'Active' denotes use LACP, (Passive also works, but one (or both) ends
should be active.)

SW-1(config-if-range)#channel-group 1 mode active
Creating a port-channel interface Port-channel 1

Create a 'trunk' with 802.1q encapsulation.

SW-1(config-if-range)#switchport trunk encapsulation dot1q
SW-1(config-if-range)#switchport mode trunk

[/box]

Then configure the other end the same, (assuming the port numbers are the same!) As mentioned above you can use LACP mode ‘passive‘ but I tend to set both ends active.

Once you have both ends configured and the cables in place, enable the interfaces with a ‘no shutdown‘ command, on both ends!

[box]

SW-1(config)#interface range ethernet 0/1 - 2
SW-1(config-if-range)#no shutdown

[/box]

Filtering VLANs on an Ether-Channel Trunk

Any further port-channel changes need to be done on the port-channel interface, so if you want to filter what’s allowed you simply use the following syntax;

[box]

SW-1#configure terminal
Enter configuration commands, one per line.  End with CNTL/Z.
SW-1(config)#interface Port-channel1
SW-1(config-if)#switchport trunk allowed vlan 1,10,100,200

[/box]

Note: When adding any future VLANS check the syntax, if you simply add a new one it will overwrite all the others, and things will break!

Do all Ether-Channels need to be Trunks? No! Not at all, they can be access ports (as long as they are all in the same VLAN), and they can also be routed uplinks, with an IP address at both ends, (specified in the port-channel interface). 

Related Articles, References, Credits, or External Links

NA