PowerShell Inventory Operating Systems in Active Directory

PowerShell Inventory KB ID 0001838

Problem

I needed to get a list of operating systems ‘in-use’ in my Active Directory this week. Bear in mind this will pull information from all enabled computer accounts in AD, so if you are ‘not good’ at tidying out old machines and servers you might get a lot of garbage in your output!

Solution: PowerShell Inventory

Use the following PowerShell.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address

[/box]

All being well, your output should look something like this.

If you wanted to output that information to CSV then use the following.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Export-Csv -Path "C:\Temp\AD-Operating-Systems.csv" -NoTypeInformation

[/box]

If you wanted to output that information to HTML then use the following.

[box]

Get-ADComputer -Filter 'enabled -eq "true"' `
-Properties Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
Sort-Object -Property Operatingsystem |
Select-Object -Property Name,Operatingsystem,OperatingSystemVersion,IPv4Address |
ConvertTo-Html | Out-File C:\Temp\AD-Operating-Systems.htm

[/box]

Related Articles, References, Credits, or External Links

NA

PowerShell: Find Computers Last Logon Date

KB ID 0001612

Problem

I had to find the last time a particular server had logged on for a client the other week, so we knew for sure it was dead!

Solution

The two commands you may need are;

Locate Servers Last Login Time

[box]

# Server OS names look like "Windows Server 2019 Standard", so wildcard both sides
Get-ADComputer -Filter {OperatingSystem -Like '*SERVER*'} -Properties lastlogondate,operatingsystem | Select name,lastlogondate,operatingsystem

[/box]

Locate Clients Last Login Time

[box]

# Everything whose OS name does not contain "Server"
Get-ADComputer -Filter {OperatingSystem -notLike '*SERVER*'} -Properties lastlogondate,operatingsystem | Select name,lastlogondate,operatingsystem

[/box]

Short and sweet!
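
The operating system inventory and the last-logon queries above can be combined, so that stale accounts do not clutter the per-OS counts. The following is an added example, not code from the original articles; the function name Get-OsInventorySummary, its parameters, the 90-day threshold and the sample rows are assumptions made for illustration.

```powershell
# Added example: count enabled computer accounts per OS, split into active and stale.
# Get-OsInventorySummary, -StaleDays and -Now are hypothetical names, not AD cmdlets.
function Get-OsInventorySummary {
    [CmdletBinding()]
    param(
        # Objects exposing OperatingSystem and LastLogonDate (as Get-ADComputer returns)
        [Parameter(Mandatory, ValueFromPipeline)]
        [psobject]$Computer,
        # LastLogonDate comes from the replicated lastLogonTimestamp, which can lag
        # by up to about 14 days, so keep this threshold well above that.
        [int]$StaleDays = 90,
        [datetime]$Now = (Get-Date)
    )
    begin {
        $rows   = [System.Collections.Generic.List[object]]::new()
        $cutoff = $Now.AddDays(-$StaleDays)
    }
    process {
        # An empty LastLogonDate means the account has never logged on: treat as stale
        $stale = (-not $Computer.LastLogonDate) -or ($Computer.LastLogonDate -lt $cutoff)
        $os    = if ($Computer.OperatingSystem) { $Computer.OperatingSystem } else { '(not set)' }
        $rows.Add([pscustomobject]@{ OperatingSystem = $os; Stale = $stale })
    }
    end {
        $rows | Group-Object -Property OperatingSystem | ForEach-Object {
            $staleCount = @($_.Group | Where-Object { $_.Stale }).Count
            [pscustomobject]@{
                OperatingSystem = $_.Name
                Total           = $_.Count
                Active          = $_.Count - $staleCount
                Stale           = $staleCount
            }
        } | Sort-Object -Property OperatingSystem
    }
}

# Constructed sample rows so the function can be tried without a domain
$now = Get-Date -Date '2024-06-01'
$sample = @(
    [pscustomobject]@{ Name = 'SRV-01'; OperatingSystem = 'Windows Server 2019 Standard'; LastLogonDate = $now.AddDays(-2) }
    [pscustomobject]@{ Name = 'SRV-02'; OperatingSystem = 'Windows Server 2008 R2 Standard'; LastLogonDate = $now.AddDays(-400) }
    [pscustomobject]@{ Name = 'PC-01';  OperatingSystem = 'Windows 10 Pro'; LastLogonDate = $now.AddDays(-5) }
    [pscustomobject]@{ Name = 'PC-02';  OperatingSystem = 'Windows 10 Pro'; LastLogonDate = $null }
    [pscustomobject]@{ Name = 'NAS-01'; OperatingSystem = $null; LastLogonDate = $now.AddDays(-1) }
)
$sample | Get-OsInventorySummary -Now $now | Format-Table -AutoSize

# Against a live domain (needs the ActiveDirectory module):
# Get-ADComputer -Filter 'enabled -eq "true"' -Properties OperatingSystem,LastLogonDate |
#     Get-OsInventorySummary -StaleDays 90
```

Rows that show a Stale count against an old operating system are the first candidates for tidying out of AD.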

Related Articles, References, Credits, or External Links

NA

VMware Horizon: ‘VM With Unsupported Guest OS’

KB ID 0001592

Problem

Seen when attempting to deploy Windows Server 2016 as an ‘Image’ (Parent VM) with VMware Horizon View.

‘VM With Unsupported Guest OS’

I double checked, and Server 2016 (Standard and DataCenter) were supported, as was Server 2019 (Standard and DataCenter.) The image also had a new version of the VMware Horizon View agent installed in it?

Solution

In my case this was an embarrassingly easy fix, previously I’d deployed Windows 7, 8, and 10 with Horizon View, this was the first time I’d ever deployed a server OS as a VDI image, (With Windows Server Datacenter, this works out cheaper, licensing wise).

By Default: VMware Horizon View does not allow server operating systems, (even though they are supported.) You just need to enable the feature! Launch Horizon Administrator, View Configuration > Global Settings > Edit > Tick ‘Enable Windows Server Desktops‘ > OK.

Doh! That cost me two hours, (hope it saved you some time).

Related Articles, References, Credits, or External Links

NA

Device Boots to ROMMON (Cisco ASA)

KB ID 0001199 

Problem

After recently picking up some second hand ASA5512-X firewalls, I went to run them up, and make sure they were ok, however on boot up they went straight to ROMMON like so;

[box]

Use ? for help.
rommon #0>

[/box]

Now I know what ROMMON is, it’s the base operating system of the device, its job is a bit like the BIOS on a PC, it locates and loads the operating system. The only time you should ever see a rommon prompt is:

  • If you ‘force’ a device into rommon mode as it boots.
  • The device’s config register is incorrectly set.
  • The operating system is missing/corrupt.
  • The flash memory of the device is broken, (or needs reformatting).

Chances are, the firm who ‘re-sold’ them simply did some password recovery, and forgot to set the config register back again.

Solution

I’ve recovered enough passwords and booted from the network enough times to know that if the OS is present on the device, I can load it manually with the ‘boot’ command.

[box]

rommon #0> boot
Launching BootLoader...
Boot configuration file contains 2 entries.


Loading disk0:/asa923-smp-k8.bin...

[/box]

Once loaded up and logged in, let’s have a look at the config register (it should look like 0x1).

[box]

ciscoasa# show ver | incl register
Configuration register is 0x40 << Aha!!
ciscoasa#

[/box]

The easiest way to rectify this is to delete the config register, and it will then reset to the default.

[box]

ciscoasa# configure terminal
ciscoasa(config)# no config-register
ciscoasa(config)# exit
ciscoasa#
ciscoasa# show ver | incl register
Configuration register is 0x40 (will be 0x1 at next reload)
ciscoasa#

[/box]

Reload/reboot the firewall, and if it boots properly then you know you have rectified the problem, but you can re-check.

[box]

ciscoasa# show ver | incl register
Configuration register is 0x1 << Boom!
ciscoasa#

[/box]

Related Articles, References, Credits, or External Links

NA

Juniper SRX – Update the Operating System / Firmware

KB ID 0000989 

Problem

With two brand new SRX240 firewalls on the bench my first task was to get them updated to the latest operating system.

Solution

Before you start get the updated Juniper software.

Option 1 Update the SRX firewall via Command Line

1. Connect to the firewall via either Console cable, telnet, or SSH.

2. Log on and then go to CLI mode, and then configuration mode.

[box] login: root
Password: *******

--- JUNOS 12.1X44-D30.4 built 2014-01-11 03:56:31 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# [/box]

2. The more observant of you will have noticed that it has already shown you the OS version above, but in case there is any doubt.

[box] root@FW-02# show version
## Last changed: 2014-08-26 21:15:09 GMT
version 12.1X44-D30.4;

[edit]
root@FW-02# exit[/box]

3. I’ve always got 3CDaemon on my laptop so I’ll copy the update file over via FTP to the /var/tmp folder. (Note: We’re not at CLI or configure mode!)

[box]root@FW-02% ftp 10.5.0.2
Connected to 10.5.0.2.
220 3Com 3CDaemon FTP Server Version 2.0
Name (10.5.0.2:root): PeteLong
331 User name ok, need password
Password:********
230 User logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> lcd /var/tmp
Local directory now /cf/var/tmp
ftp> bin
200 Type set to I.
ftp> get junos-srxsme-12.1X47-D10.4-domestic.tgz
local: junos-srxsme-12.1X47-D10.4-domestic.tgz remote: junos-srxsme-12.1X47-D10.
4-domestic.tgz
200 PORT command successful.
150 File status OK ; about to open data connection
100% |**************************************************| 158 MB 00:00 ETA
226 Closing data connection; File transfer successful.
166060642 bytes
received in 64.50 seconds (2.46 MB/s)
ftp> bye
221 Service closing control connection
root@FW-02%[/box]

4. Now perform the upgrade.

[box] root@FW-02% cli
root@FW-02> request system software add no-copy /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz
NOTICE: Validating configuration against junos-srxsme-12.1X47-D10.4-domestic.tgz
.
NOTICE: Use the 'no-validate' option to skip this if desired.
Formatting alternate root (/dev/da0s2a)...
/dev/da0s2a: 627.4MB (1284940 sectors) block size 16384, fragment size 2048
using 4 cylinder groups of 156.86MB, 10039 blks, 20096 inodes.
super-block backups (for fsck -b #) at:
32, 321280, 642528, 963776
Extracting /var/tmp/junos-srxsme-12.1X47-D10.4-domestic.tgz ...
Checking compatibility with configuration
Initializing...
Verified manifest signed by PackageProduction_12_1_0
Verified junos-12.1X44-D30.4-domestic signed by PackageProduction_12_1_0
Using junos-12.1X47-D10.4-domestic from /altroot/cf/packages/install-tmp/junos-1
2.1X47-D10.4-domestic
Copying package ...
Verified manifest signed by PackageProduction_12_1_0
Hardware Database regeneration succeeded
Validating against /config/juniper.conf.gz
Usage: license-check -f "<features>" -m -p -q -M -u -U -V
Validation succeeded
Installing package '/altroot/cf/packages/install-tmp/junos-12.1X47-D10.4-domesti
c' ...
Verified junos-boot-srxsme-12.1X47-D10.4.tgz signed by PackageProduction_12_1_0
Verified junos-srxsme-12.1X47-D10.4-domestic signed by PackageProduction_12_1_0
JUNOS 12.1X47-D10.4 will become active at next reboot
WARNING: A reboot is required to load this software correctly
WARNING: Use the 'request system reboot' command
WARNING: when software installation is complete
Saving state for rollback ...

root@FW-02> [/box]

5. Then reboot the firewall.

[box]

root@FW-02> request system reboot
Reboot the system ? [yes,no] (no) yes

Shutdown NOW!
[pid 2749]

root@FW-02>

*** FINAL System shutdown message from root@FW-02 ***

System going down IMMEDIATELY

[/box]

6. Post reboot, check the version again.

[box]

login: root
Password: ********

--- JUNOS 12.1X47-D10.4 built 2014-08-14 22:21:50 UTC

root@FW-02% cli
root@FW-02> configure
Entering configuration mode

[edit]
root@FW-02# show version
## Last changed: 2014-08-26 21:51:09 GMT
version 12.1X47-D10.4;

[edit]
root@FW-02#

[/box]

 

Option 2 Update the SRX firewall via J-Web

1. To check the current version > Connect to the web console > Dashboard > Software Version.

2. Maintain > Software > Upload Package > Choose File > Browse to the file you downloaded earlier > Upload and Install Package.

Note: Here I have selected ‘Reboot Firewall’, in production you may NOT want to do that until later.

3. It can take a little while, (and look like nothing is happening), time for a coffee.

4. Post reboot, check the version again to make sure it has incremented.

Related Articles, References, Credits, or External Links

NA

Cisco PIX – “What are the files in flash”

KB ID 0000757

Problem

With modern Cisco ASA firewalls a show flash (or show disk0) command will give you a descriptive list of what is stored in NVRAM. With an older version 6 firewall the result is a little more confusing.

Solution

If you connect to the PIX and view the contents of the flash, you will see something like this;

[box]

Sent username "pix"

Type help or '?' for a list of available commands.

Petes-PIX>

Petes-PIX> enable

Password: *******

Petes-PIX# show flash
flash file system: version:3 magic:0x12345679
file 0: origin: 0 length:1978424

file 1: origin: 2097152 length:4994

file 2: origin: 0 length:0

file 3: origin: 2228224 length:3152452

file 4: origin: 0 length:0

file 5: origin: 8257536 length:308

Petes-PIX#

[/box]

So what are all these files?

file 0 : This is the operating system file, it will have a .bin extension (e.g. 6.3(5) is pix635.bin, which is the version you can see here).

file 1: This is the firewall’s config file, you can view it with a “show config” command, it is the config that gets loaded into memory and becomes the running config when the firewall boots.

Note: If you issue a “write erase” command this file will be removed. WARNING: Doing this will cause the firewall to revert to factory settings when it reloads (reboots).

file 2: This datafile stores the firewall’s IPSec key and certificate information.

file 3: This is the firewall’s PDM image file, it will have a .bin extension (e.g. 3.0(4) is pdm-304.bin, which is the version you can see here).

Note: There is no command to remove JUST this file, but if you TFTP in a new PDM image then pull the plug “mid-transfer”, the PIX will time out and delete its local PDM image from flash.

file 4: Crash-dump file.

file 5: File system record file.

Related Articles, References, Credits, or External Links

PIX 506E and 501 Firewall Image and PDM Upgrade

Find out your Cisco ASA version (Operating system and ASDM)

KB ID 0000690 

Problem

With all the command changes that have come in over the past few versions, it seems when I get asked ‘how do you do xyz?’ my first question is ‘What is the OS version on your ASA?’

So next time I get a blank look, I can just point them here.

Also see: ASA 5505 Determine Your License Version

Solution

Get your ASA version and ASDM version from the ASDM.

1. Connect to the ASA via ASDM.

2. Home > Device Dashboard > Device Information.

Get your ASA version and ASDM version from Command Line.

1. Connect to the ASA via CLI.

2. Execute the following command;

[box]show ver[/box]

Note: This is the shortened version of ‘show version‘.

To download new ASA software go here, (Note: Valid Cisco Warranty/SmartNet, and CCO account required to download software).

Related Articles, References, Credits, or External Links

Connecting to and Managing Cisco Firewalls

Cisco ASA5500 Update System and ASDM (From ASDM)

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco CSC – Upgrade the Operating System

KB ID 0000807 

Problem

Upgrading the operating system on the CSC module is pretty straightforward, as long as you have a valid support agreement for your hardware and a CCO account you can download the updates straight from Cisco (here).

Solution

WARNING: It’s rare that you can update straight to the latest version, by all means try, and the CSC module will simply error if it will not accept the version you are trying to update to.

WARNING 2: This may involve some downtime, especially if your CSC module is configured to fail-closed, you may wish to set it to fail-open during the upgrade to minimise disruption. Unless you have a dual failover firewall solution, in which case scroll down.

You can do this via command line if you wish, but it’s a lot simpler to do via the web console. You will need to download your updated software (with the .pkg extension NOT the .bin extension).

Once downloaded, log into the web portal of the CSC module https://{IP-Address}:8443 > Administration > Product Upgrade > Browse > Locate your update > Upload > Go and have a coffee, it will take a while.

Upgrading CSC Modules in a Failover Pair

If you have firewalls deployed in failover, then you will have two CSC modules to upgrade.

1. Just for ease I’m showing the command line and the web console view. Start by upgrading the CSC module in the Secondary Standby firewall, here I’m upgrading 6.3.1172.0 to 6.3.1172.4.

2. Now I take the same module to 6.6.1125.0.

3. Once I know the system has updated and is back online, I jump onto the Primary Active firewall and force a failover to the Secondary Standby firewall.

Check module status with;

[box]
show module 1 detail
[/box]

To force failover, on the Primary Active firewall.

[box]

configure terminal
no failover active

[/box]

4. Note: At this point the screen looks the same as above, but ‘physically’ the firewalls have swapped over, the Primary is now Standby and can be updated. Below I’m upgrading from 6.2.1599.0 to 6.2.1599.6.

5. Now we can see both modules are running the latest (at time of writing), product version.

6. Now to fail back simply issue the following command on the Secondary Active firewall;

[box]

configure terminal
no failover active

[/box]

7. You can also check the versions match with the following command;

[box]
show failover
[/box]

Related Articles, References, Credits, or External Links

NA

Upgrade Cisco PIX 515E to Version 8.0(4) and ASDM version 6.1(5)

KB ID 0000424

Problem

I had to update a Cisco PIX 515E last week. Cisco 500 firewalls are a bit thin on the ground these days, and most of my corporate clients have replaced them with Cisco ASA 5500 firewalls. So as these units are now getting retired, or moved to the test bench, or sold on eBay, I thought I’d document probably the last one I did for posterity, and to help anyone else out.

Note: Cisco 506E and 501 firewalls cannot be updated past version 6.3(5) see here.

Solution

Related Articles, References, Credits, or External Links

Also see Connecting to and Managing Cisco Firewalls.

For information on 3CDaemon TFTP Server click here.

 

Update Cisco ASA – Directly from Cisco (via ASDM)

KB ID 0000636 

Problem

Warning:

Before upgrading/updating the ASA to version 8.3 (or higher), check to see if you have the correct amount of RAM in the firewall (“show version” command will tell you). This is VERY IMPORTANT if your ASA was shipped before February 2010. See the link below for more information.

ASA – Memory Error (Post upgrade to version 8.3)

Warning 2:

Be aware, if you are upgrading to an OS of 8.4(2) or newer you can no longer access the device via SSH when using the default username of “pix” you need to enable AAA authentication for SSH, do this before you reboot/reload the firewall or you may lock yourself out.

ASA Enable AAA LOCAL Authentication for SSH

It’s been a while since I wrote how to update the ASA by command line, and how to update the ASA from the ASDM. Now you can update the ASA directly from Cisco, providing you have a valid Cisco CCO account.

Solution

1. Connect to the ASDM on the ASA > Tools > Check for ASA/ASDM Updates.

2. Supply your Cisco CCO account information.

3. Next.

4. Decide if you want to update the OS of the ASA or the ASDM, or both.

5. Next.

6. The software will download. (The OS is downloading here), Note: it will get downloaded to the machine that the ASDM is running on first.

7. Then the ASDM software will download.

8. You may find that there is not enough room in flash memory, if so you will see this error. (if it does not error skip to step 11).

9. If you are stuck for room you can delete some items from your flash memory > Tools > File Management.

10. Here you can see I’m deleting an old version of the ASDM. Note you could delete the live version of the ASDM and Operating system if you had no choice (THOUGH DON’T REBOOT THE FIREWALL until the new ones have uploaded, or you will be loading the files in, in ROMMON mode!)

11. Once all the files have been downloaded to your location, they will be uploaded to the firewalls flash memory.

12. Next.

13. Finish.

Note: What happens now is the following commands are issued in the background automatically (the version numbers may be different in your case).

[box]

asdm image disk0:/asdm-649.bin
no boot system disk0:/asa843-k8.bin
boot system disk0:/asa844-1-k8.bin
boot system disk0:/asa843-k8.bin

[/box]

14. After the firewall reboots, it should come back up with the new OS and ASDM version.

Related Articles, References, Credits, or External Links

Cisco ASA5500 Update System and ASDM (From CLI)

Cisco ASA5500 Update System and ASDM (From ASDM)