While troubleshooting some connectivity issues I used the Test-EcpConnectivity cmdlet and got the following error:
Test user ‘extest_bebc4142688e4’ isn’t accessible so this cmdlet wont be able to test Client Access Server connectivity
Solution
To enable the test user you need to run a script, which you will find in the script directory on the Exchange setup media. Locate and run the new-testcasconnectivityuser.ps1 script. You will need to supply a password for this account, but from this point forward Exchange will look after that for you.
Related Articles, References, Credits, or External Links
I always forget the syntax for this, and I’ve been meaning to publish this for a while so here you go. If you have AAA setup and people can’t log in, then the ability to test authentication against a user’s username and password is a good troubleshooting step!
Usually I’m on a Cisco ASA but I’ll tag on the syntax for IOS as well.
Solution
Cisco ASA Test AAA Authentication From Command Line
You will need to know the server group and the server you are going to query, below the ASA is using LDAP, but the process is the same for RADIUS, Kerberos, TACACS+, etc.
[box]
Petes-ASA# show run | begin aaa
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
ldap-base-dn dc=TEST,dc=net
ldap-scope subtree
ldap-naming-attribute sAMAccountName
ldap-login-password *****
ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
server-type auto-detect
[/box]
To test your user, (username: ttester password: Password123);
[box]
Petes-ASA# test aaa-server authentication TEST-LDAP-SERVER host 192.168.110.10 username ttester password Password123
INFO: Attempting Authentication test to IP address (timeout: 12 seconds)
INFO: Authentication Successful
[/box]
Cisco ASA Test AAA Authentication From ASDM
Log into the ASDM > Configuration > Device Management > Users/AAA > Select the Server Group > Select the Server > Test.
Select ‘Authentication’ > Enter Username/Password > OK.
Cisco IOS Test AAA Authentication From Command Line
As above, you need to know which server group, and server, you are going to test authentication against;
[box]
Petes-Router#show run aaa
!
aaa authentication login default local
aaa authorization exec default local
!
aaa group server radius RADIUS-GROUP
server-private 192.168.110.10 key 666999
!
aaa new-model
aaa session-id common
!
[/box]
To test your user (username: tester, password: Password123);
[box]
Petes-Router#test aaa group RADIUS-GROUP tester Password123 legacy
Attempting authentication test to server-group RADIUS-GROUP using radius
User was successfully authenticated.
OR
Petes-Router#test aaa group RADIUS-GROUP tester Password123 new-code
User successfully authenticated
USER ATTRIBUTES
Framed-Protocol 0 1 [PPP]
service-type 0 2 [Framed]
noescape 0 True
autocmd 0 " ppp negotiate"
Petes-Router#
[/box]
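An added example (not from the original post): a short Python check over the ASA and IOS running-config excerpts above that flags LDAP server hosts defined without `ldap-over-ssl enable` and RADIUS `server-private` keys stored in cleartext. The sample text is constructed from those excerpts; `MIN_KEY_LEN` and the finding names are assumptions.

```python
import re

# Constructed sample: the ASA and IOS excerpts shown above, joined into one text.
SAMPLE_CONFIG = """\
aaa-server TEST-LDAP-SERVER protocol ldap
aaa-server TEST-LDAP-SERVER (inside) host 192.168.110.10
 ldap-base-dn dc=TEST,dc=net
 ldap-scope subtree
 ldap-naming-attribute sAMAccountName
 ldap-login-password *****
 ldap-login-dn cn=asa,OU=Users,OU=Test-Corp,dc=TEST,dc=net
 server-type auto-detect
!
aaa group server radius RADIUS-GROUP
 server-private 192.168.110.10 key 666999
!
"""

MIN_KEY_LEN = 16  # assumed local policy threshold, not a Cisco default


def audit_aaa(config):
    """Return (subject, finding) tuples for the AAA server definitions."""
    ldap_groups = set(re.findall(r"^aaa-server (\S+) protocol ldap\s*$", config, re.M))
    findings, hosts, current = [], [], None
    for raw in config.splitlines():
        line = raw.strip()
        host = re.match(r"aaa-server (\S+) \(\S+\) host (\S+)", line)
        if host:
            current = {"group": host.group(1), "ip": host.group(2), "tls": False}
            hosts.append(current)
        elif line.startswith(("aaa", "!")):
            current = None  # a new top-level command ends the host block
        elif current and line == "ldap-over-ssl enable":
            current["tls"] = True
        # IOS private RADIUS server: "key <secret>" or "key <type> <secret>"
        key = re.match(r"server-private (\S+) .*?key (?:(\d) )?(\S+)", line)
        if key and key.group(2) in (None, "0"):
            findings.append((f"radius/{key.group(1)}", "key-stored-cleartext"))
            if len(key.group(3)) < MIN_KEY_LEN:
                findings.append((f"radius/{key.group(1)}", "key-too-short"))
    for h in hosts:
        if h["group"] in ldap_groups and not h["tls"]:
            findings.append((f"{h['group']}/{h['ip']}", "ldap-without-tls"))
    return findings


if __name__ == "__main__":
    for subject, finding in audit_aaa(SAMPLE_CONFIG):
        print(f"{subject}: {finding}")
```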
Related Articles, References, Credits, or External Links
ESX is designed for building both enterprise class networks, and networks solely for test purposes. That’s all fine and dandy but what if you want to turn on DHCP in your network but still have it connected to the outside world? Yes you could deploy a Windows server running Routing and Remote Access – as a router, but that seems to be overkill in the extreme. In the past I’ve done articles on deploying virtual firewalls. But again that might be a little too much for your scenario.
Solution
To solve the problem, we can do what VMware do on their own training courses, for anyone who has done a VCP3 or VCP4 course you will have seen this router deployed in one of the labs.
FreeSco is a Linux router on a floppy disk, (Microsoft Disciples “don’t panic” there will be next to no sandal wearing coming up). I hunted all over the internet for the version I used on my course and most of the links I found are dead, or provide a router we don’t know the root password for. However after much searching I found one that works, that we know the password for, and that can be configured.
1. It’s a simple one to solve, the server was built with the HP ESXi build, and the management agents are complaining because the iLO is not connected to the network.
2. When you connect the iLO socket to the network the alarm should change as shown below.
3. Once you have connected or disabled it you can reset the alarm.
4. Take the opportunity to log in and configure the iLO. Access via an internet browser (it will get a DHCP address by default, you can set a static IP address by entering the iLO setup at boot (see disabling iLO section below)).
5. The user name is Administrator (capital A) and the password will be either on a pull out tab on the front of the server, or a brown cardboard label tied to the front of the server (you did keep that didn’t you!), or on a brown sticker on top of the server chassis. On certain models HP also stick this information under the server lid.
6. Then you can log in and configure.
Disable the iLO
1. If you do not want to use the iLO then you can disable it (I can’t think why you would want to, because it’s a handy piece of kit, but here’s how to do it).
2. Reboot the server, and when prompted press F8 to enter the iLO setup.
3. Settings > Configure.
4. These are the default settings, use the cursor keys to select and the space bar to enable/disable the options.
5. All disabled.
Related Articles, References, Credits, or External Links
I’m in the United Kingdom, and even when I set the UK Keyboard layout, Ubuntu wants to use a US keyboard layout for the logon/login screen. For most people this won’t be a problem, but if you log into a domain you need the @ symbol. A US Keyboard has that in a different place, it’s only a small niggle because I know where it is, but if it annoys me, it will be annoying someone else.
Solution
1. Login and open a terminal window (Applications > Accessories > Terminal,) and issue the following command.
[box]sudo nano /etc/default/console-setup[/box]
2. You will be asked for your password, supply it and edit the file as shown below, set the XKBMODEL value to pc105 (assuming you have a standard 105 key keyboard), and XKBLAYOUT set to gb.
3. Press CTRL+X to exit and save the file. After a reboot you should be on the correct keyboard layout on your logon screen.
Related Articles, References, Credits, or External Links
It’s been a while since I had to do this, you used to simply take a number from the token pack, import it into the RSA Authentication Manager, job done. Now the tokens are shipped to you encrypted, you need to register them with RSA, decrypt them, then import them.
Solution
1. The tokens come with the licenses encrypted, on an accompanying CD. Go to the URL specified on the CD.
2. Good job I was alone and had no CD drive! Anyway the two numbers you need to enter on the website to register are;
Token Pack ID: On the sleeve, and on the CD
Confirmation Number : On the CD
3. When you have finished registration you will download a .zip file, save it somewhere sensible.
4. Put the CD in a computer > Run the ‘Run the Token Decryption Utility’ > You will need to give it the .zip file you downloaded and a password.
5. When complete, you will be given two files, an XML file that has all your token information.
6. And a password file, that gives you a password to import the XML file with.
7. Armed with these two files log into the ‘Security Console’ > Administration > SecurID Tokens > Import Tokens Job > Add New.
8. Give the job a name, accept all the defaults and browse to the XML file, then copy and paste in the password from the text file and run the import job. Check on the completed tab to make sure it was a success.
Related Articles, References, Credits, or External Links
A client who we recently did a WDS (Windows 7) install for, needed to image a couple of Windows XP machines, (They had some software that either would not run, or was not supported on Windows 7).
They asked me for some documentation on how to do this, it’s been such a long time since I imaged any XP machine, so I took the opportunity to document it properly.
Solution
Before you begin, be aware you need to be building your reference machine with a Volume Licensed copy of Windows XP, NOT an OEM or Retail copy (i.e. DON’T build the machine with manufacturers’ rescue disks like Dell or HP). If you don’t do this you will need to activate every Windows machine that you deploy with Microsoft.
Make sure the version of sysprep you are using is at the same service pack level as the reference machine or bad things will happen.
1. Build your reference machine, and configure it as you require.
2. Create a folder on the root of the C: Drive called ‘Sysprep’. Insert the Windows XP CD and locate the Deploy cabinet file. (This is ‘like’ a zip file and it’s in the support\tools folder).
3. Double click the support cab, then copy over the sysprep.exe file, the setupcl.exe file and the setupmgr.exe file to your c:\sysprep folder.
4. You can now run sysprep.exe and skip to step 13. BUT if you require an answerfile (a script that will answer all the questions Windows will ask while it’s reinstalling post sysprep) then run the setupmgr.exe program, at the welcome screen click next.
5. Create New > Sysprep Setup > Windows XP Professional.
6. Fully Automate > Enter Name and Organisation > Set the Display Properties.
7. Set Time Zone > Enter the Volume Licence unlock code > If you are joining a domain, I suggest generating a random name then changing it later.
8. Set the Local Administrators password > Typical settings will enable DHCP > Supply any domain and domain credentials you need to join your domain.
9. Telephony (I just skip this) > Regional Settings > Languages.
10. Printers > Run Once commands > Additional Commands.
11. Enter a string that will go into the registry, and can be identified later > Finish > Accept the default save path > OK > At this point it looks like it’s crashed, you can manually close the setupmgr.
12. Now you can run sysprep.exe > OK > I select ‘mini-setup’ (If you don’t, it will run the welcome to windows session and play the annoying music you can’t turn down!) > If you have installed applications and are going to image the machine click Reseal > OK.
Note: Factory will literally set the machine back to a ‘day one’ install of Windows XP.
The machine will then shut down and can be imaged.
Final Note: If you power it back on, it will rebuild itself and delete the c:\sysprep directory. Which is fine unless you are doing some testing and realise you have to do the whole thing from scratch!
Related Articles, References, Credits, or External Links
Windows Server has a password complexity requirement to make sure passwords are strong. Yes it can be disabled, but while it is in place you need your passwords to conform to the following.