451 4.7.0 Temporary Server Error

451 4.7.0 KB ID 0001823

Problem

If you attempt to connect to and send mail via command line to your Exchange Server, you may see the following error after you end the data section of the operation.

451 4.7.0 Temporary server error. Please try again later. PRX5

Solution 451 4.7.1 Error

Log into Exchange Amin Center > Mail Flow > Receive Connectors > Default Frontend {Server-Name} > Edit > Scope > Select the IPV4 entry (Either Remove it and ad a new one or edit it)

Specify the IP address you want to use.

So, it should look like this > Save > Exit Exchange Management.

Open Notepad (Note: you need to run as administrator). Navigate to C:\Windows 32\Drivers\Etc locate the hosts file (If you can’t see it change the option to “All Files

At the bottom of the file enter the IP hostname and FQDN of the server then save and exit.

Then restart the Exchange Transport Service.

Related Articles, References, Credits, or External Links

Exchange 2013 / 2016 / 2019 Default Receive Connector Settings

FortiGate Securing Remote Administration

KB ID 0001734

Problem

When considering Securing FortiGate  remote administration, I’ve written about changing the https management port to something other than TCP 443 before, I suppose that’s security by obfuscation (though even a script kiddy with one hours experience, will be able to spot an html responses).  Typically with other vendors you limit remote administration access, to specific IP addresses (or ranges). So how to do the same in Fortigate?

FortiGate Trusted Hosts

With FortiGate the approach is slightly different, (to Cisco anyway) in that, you allow access from ‘Trusted Hosts‘ and you do that ‘Per Administrator’ not for the entire remote access solution (like HTTPS or SSH). On reflection I like this, because by default you will have a user called ‘admin’ and an attacker will ‘possibly’ know that. With FortiGate you can restrict the admin account so it can only log on from inside, or from management hosts/networks or from an Out of Band management network.

You can also give an administrative password to one partner and only allow access from that partner’s public IP/Range, or if like my firm we need to support a lot of firewalls we can hard code this into our default deployments and retain remote administration. (Though FortiManager is the direction you want to be headed in, for that!)

Configure FortiGate ‘Per Administrator’ Trusted Hosts.

System > Administrators > Create New > Administrator.

Create a username/password > Select the admin level required > Enable ‘Restrict Login to Trusted Hosts’

Here’s an example where the admin account can only manage the firewall form the 192.168.1.0/24 network, and a management host 192.168.2100.3 For ‘external‘ access I’ve got a new administrator, who can get access from my management host, (for belt and braces), a single public network, and a public IP address.

Related Articles, References, Credits, or External Links

NA

VMware – {hostname} could not reach isolation address: none specified

KB ID 0000445 

Problem

Seen on vSphere:

Error Host {hostname} could not reach isolation address:none specified.

Solution

1. In my case the host did NOT have a default gateway, (this had occurred because the subnet mask of the server had been entered incorrectly when the server was built. So the default gateway appeared to be on a different network).

2. With the offending host selected, Configuration > DNS and Routing > Properties > Routing > Put in the correct default gateway > OK.

 

Related Articles, References, Credits, or External Links

NA

VMware VI Client – Remove Cached IP addresses and Hostnames

KB ID 0000644 

Problem

If you connect to a lot of ESX, ESXi and vCenter machines, the drop down list in your VI client can get a little cluttered.

Solution

1. Start > Run > Regedit {enter}

2. Navigate to;

[box]HKEY_CURRENT_CURRENT_USERSoftwareVMwareVMware Infrastructure ClientPreferences[/box]

Locate the ‘RecentConnections’ string value, and either delete them all, (or just the ones you no longer need).

3. Now things will be a little less cluttered.

Related Articles, References, Credits, or External Links

NA

VMware VI Client Error ‘Call “ServiceInstance.RetrieveContent” for object “ServiceInstance” on Server “IP-Address” failed’

KB ID 0000870 

Problem

This is a pretty generic error. It basically means “I cant connect to what you are asking me to connect to, on TCP Port 443 (https)”.

Solution

Internet searching for this error is very frustrating, everyone who was posting this error was seeing it because, instead of putting the IP address or name in the box (that actually tells you to put in the IP address or name (see image above)). If you put in https://{Name or IP Address}, you will see this error. However this was NOT MY PROBLEM.

This is happening because there is no communication between you and the ESX/vCenter you are trying to connect to. The first thing you need to do is see if HTTPS is open. On the affected machine open a web browser and point it to the same target and make sure you see the web console of the ESX/vCenter server. If you can’t see this, check firewalls (and proxies) and make sure HTTPS is not getting blocked.

In my case I could see this but it still did not work! Then I was reminded we have had strange comms problems on this site before, which I have documented here. Sure enough, when I dropped the MTU on the server I was trying to connect from (which was over a site to site VPN tunnel). It started to work fine.

Related Articles, References, Credits, or External Links

NA

DrayTek Vigor – Reset To Factory Settings

KB ID 0000573

Problem

If you cannot get access to your router, or you have bought, found or been given one, and you cannot access it. The simplest thing to do it to reset to to factory settings. Once the Router has been reset its settings will be as follows;

DrayTek Default Username and Passwords

Model
Username
Password
Vigor Rev. ALL admin admin
Vigor 2600 admin {blank}
Vigor 2800 {blank} {blank}
Vigor 2900+ admin admin
Vigor 3300 draytek 1234

Note: The Router will set itself up with a static IP address http://192.168.1.1) and will act as a DHCP server (Make sure your network card it set to get its address automatically.

 

Solution

Warning: Make sure you have all your Routers settings, before you start, especially your ADSL username and password (ring your ISP and confirm) before resetting the Router as all these settings will be WIPED!

Factory Reset DrayTek Vigor: Option 1 (If you do not know the password)

Note: Model shown is a DrayTek Vigor 2800

1. with the router powered on in normal operation the power light should be blinking (slowly)

2. Use a pen, to depress the factory reset button on the rear of the device.

3. The power light will blink rapidly.

4. Release the factory reset button.

Factory Reset DrayTek Vigor: Option 2 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Connect to the web management console and navigate to, System Maintenance > Reboot system > Tick “Using factory default configuration”.

Factory Reset DrayTek Vigor: Option 3 (If you know the password)

If you can log in but just want to wipe the settings, and revert to factory defaults.

1. Familiarise yourself with the DrayTek Vigor firmware upgrade procedure. But use the firmware that ends in .RST NOT the firmware that ends in .ALL. (Note: The .all firmware just updates the firmware but keeps the settings).

 

Related Articles, References, Credits, or External Links

Draytek Router – Firmware Update

Draytek Vigor Router Port Forwarding

 

BT Domains Center – Setup Your Mail Server DNS Records

KB ID 0000900 

Problem

If you are used to setting up DNS records, then the BT Web Portal (btdomainmanager.com) can be a little confusing. I was stuck yesterday, luckily I had another client I could get to check their records for me.

Solution

In the example below I’ve got two IP addresses to which I want mail delivering to, 123.123.123.123 and 123.123.123.125, (yours may be on completely different ranges, that’s OK.)

In addition to the two MX records, I’ve also setup two A (host) records that point the host-names mail and mail2 to those two IP addresses.

Note: Most of you, will only have one IP address, and one host record to create.

Related Articles, References, Credits, or External Links

Setting up the Correct DNS Records for your Web or Mail Server

 

Windows – ipconfig – Stop the tunnel adaptors showing

KB ID 0000024

Problem

Windows ipconfig – annoyingly shows lots of info you don’t want to see, so you have to scroll to the top of the list to see your IP address all the time.

Solution

1. Stat > run > devmgmt.msc

2. View > Show Hidden Devices.

3. Expand Network Adaptors.

4. Disable all that start with isatap

5. Make sure your comms still work.

6. Re-run ifconfig.

Related Articles, References, Credits, or External Links

NA

Windows Server – DHCP Service Starts then Stops again

KB ID 0000617 

Problem

Saw this last week on an SBS 2011 Server. When attempting to get the DHCP service running it span up then stopped straight away.

Solution

A quick look in Event Viewer showed me what the problem was,

Event ID 1054

The DHCP/BINL service on this computer is shutting down. See the previous event log messages for reasons

Fair enough lets see the previous error on the same server;

Event ID 1053

The DHCP/BINL service has encountered another server on this network with IP Address, (IPv4 or IPv6 address), belonging to the domain

In this example the offending IP (192.168.87.254) Was a Cisco PIX 501 firewall that was running a DHCP server. Thankfully My main job that day was to replace the firewall so when I put in a new ASA I didn’t have the DHCPD service running.

If you see this elsewhere you will need to locate the offending IP and disable DHCP on it.

 

Related Articles, References, Credits, or External Links

NA

Windows Certificate Services – Setting up a CRL

KB ID 0000957

Problem

One of the often overlooked tasks of a PKI deployment is setting your Certificate Services CRL. For smaller deployments, with only one server then you don’t have to worry about how this will be designed (though a CRL does not have to be hosted on a Certificate Services server). In my test environment I only have one PKI server so everything will be going on that one box, In more complex environments you may have multiple root and subordinate PKI servers writing to your CRL (you may even have multiple CRL’s).

Solution

I would consider this a ‘post’ certificate services install task, so I’m assuming you already have that installed and configured.

1. Launch the Certification Authority management console > Right click the server-name > Properties > Extensions tab.

2. With CRL selected > Add > Type into the location http://crl.{your-domain-name}.{your-domain-extension}/crld

Note: You can use https:// but you may need to add a certificate in IIS manager and select ‘require TLS’ for the crld virtual directory.

3. In the variable section, select then ‘Insert’ the following onto the end of the URL;

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

Finally end the URL with .crl > OK.

Note: Is ‘should’ look like http://{FQDN-Of-Server}/crld/<CAName><CRLNameSuffix><DeltaCRLAllowed>.crl

4. With the CRL entry you have just created selected > Enable the following two options;

  • Include in CRL’s. Clients use this to find Delta CRL locations.
  • Include in the CDP extension of issues certificates.

Apply > OK > Yes.

5. Change the ‘Select extension’ drop down to ‘CRL Distribution Point (CDP)’ > Add > Type in a UNC path as follows ‘{Server-name}crldist$ > Then select and inset the variables onto the end of the path, (like you did above);

  • <CaName>
  • <CRLNameSuffix>
  • <DeltaCRLAllowed>

And then (as above) add .crl onto the end of the path > OK.

6. With the CDP selected > Select the following options;

  • Publish CRL’s to this location
  • Publish Delta CRL’s to this location

Apply > OK > Yes.

Windows DNS Requirements for CRL

7. So that your clients can resolve the name of the CRL you have just created, they need to be able to resolve the name you just created. On your DNS server open the DNS management console > Expand server-name > Forward Lookup Zones > {your-domain-name} > Right click > New Host (A or AAAA) > name crl > IP address = The IP address of the IIS server that will host the CRL > Add Host > Close DNS Manager.

Windows IIS Requirements for CRL

8. On the web server, open the Internet Information Services (IIS) Manager console > Expand and select your server-name > right click > Add Virtual Directory >Set the alias to CRLD.

Note: in IIS URL’s are not case sensitive.

9. Under ‘Physical path’ select the browse button > Select the C: Drive, (or another drive if you wish) > Make New Folder > Call the folder CRLDist > OK > OK.

10. Select server-name > Directory Browsing

Note: If you are serving other services from this web server, you might wish to only set directory browsing on the CRLD virtual directory.

11. Enable.

12. Select the CRLD directory (Click refresh if you cant see it) > Configuration Editor.

13. Navigate to System.webServer > security > RequestFiltering.


Note: On older versions of IIS, it’s under ‘System.webServer > security > authentication > RequestFiltering.’

14. Change allowDoubleEscaping to ‘True’ > Apply.

Windows Folder Permission Requirements for CRL

15. Navigate to the folder you just created (i.e C:CRLDist) > Right Click > Properties > Sharing > Advanced Sharing > Select ‘Share this folder’ > Add a dollar symbol to the end of its name i.e. CRLDist$.

Note: This simply creates a ‘hidden’ share, that cannot be seen when browsing the server shares.

Note: In Addition, Set the Windows NTFS Permissions for the Server(s) to Full Control also.

16. Permissions > Object Types > Add in Computers > OK > Enter the name of the server(s) that need to write to the CRL > OK.

17. Grant the Full Control permission to the sever(s) you just added > Apply > OK.

18. Back at the Certificate Services server > Launch the Certification Authority management console > Revoked Certificates > Right click > All Tasks > Publish > New CRL > OK.

19. If you check the folder you created earlier, you will see it now contains the CRL files.

Related Articles, References, Credits, or External Links

Microsoft Certificate Services Configuring OCSP

Publish CRL Error – Access Denied 0x80070005