Admins Handbook

In a command prompt:
wmic useraccount get name,sid

Due to an error in proftpd, you might need an virtual group.

/etc/proftpd/proftpd.conf:

GroupOwner www-data
Umask 002 003

AllowOverwrite on
AuthGroupFile /etc/proftpd/ftpd.group

/etc/proftpd/ftpd.group
www-data:x:33:testuser
Same ID and name as the local user.

/etc/nginx/ssl
openssl req -new -newkey rsa:2048 -nodes -keyout *.mydomain.com.key -out *.mydomain.com.csr

Inside config:
/etc/nginx/sites-available/default

ssl on;
ssl_certificate /etc/nginx/ssl/*.mydomain.com.crt;
ssl_certificate_key /etc/nginx/ssl/*.mydomain.com.key;
ssl_trusted_certificate /etc/nginx/ssl/chain.crt;
ssl_dhparam /etc/nginx/ssl/dhparam.pem;

chain.crt:
AlphaSSL SHA-256 R1 Intermediate Certificates (DER64)

dhparam.pem:
openssl dhparam -out dhparam.pem 4096

Office 365 sends emails from a lot of mailservers. retrys are often from a new IP.
Then you have delays of 5 min + 5 min etc…

Office 365 uses this IP’s:
https://technet.microsoft.com/en-us/library/dn163583

In your Mailscanner, you can Whitelist Office 365 Exchange IP’s by adding them to this:
/etc/sqlgrey/clients_ip_whitelist.local

OR
/etc/sqlgrey/clients_fqdn_whitelist.local
*.messageslabs.com
outbound.protection.outlook.com
*.outbound.protection.outlook.com
*.microsoftonline.com
*.hotmail.com

/etc/init.d/sqlgrey restart

Install telnet client:
dism /online /Enable-Feature /FeatureName:TelnetClient

Disable firewall:
netsh advfirewall set allprofiles state off

Boot on Windows 2012 install media
Choose Troubleshoot and in a command prompt type:
bcdedit /set {bootmgr} displaybootmenu Yes
bcdedit /set {bootmgr} timeout 10
Enables the bootmenu
Now you can use “safe mode”.

Start “Dynamics NAV 2016 Administration Shell”.

Show Server Instances:
Get-NAVServerInstance

Show online users:
Get-NAVServerSession -ServerInstance dynamicsnav90

wusa.exe /kb:3114409 /uninstall

Show all locked accounts:
Get-Eventlog -logname Security | Where EventID -EQ “4740” | Format-Table

When trying to set rights with the command: Add-ADPermission you get this error:
Active Directory operation failed on DC.dom.local. This error is not retriable. Additional information: Access is denied.
Example:
Add-ADPermission -Identity TestGroup1 -user TestUser1 -AccessRights writeproperty -Properties member

You need to give “Full access” to the user “Exchange trusted subsystem” on the AD group opject.
Tip: Enable “advanced features” in AD to add the security tab.

Create this reg-key and load it on the veeam server:

—
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\PowerShell\1\PowerShellSnapIns\VeeamPSSnapIn]
“PowerShellVersion”=”2.0”
“Vendor”=”Veeam”
“Description”=”Include the Veeam’s cmdlet.”
“VendorIndirect”=”VeeamPSSnapIn, Veeam”
“DescriptionIndirect”=”VeeamPSSnapIn,This is a PowerShell snap-in that includes the Veeam’s cmdlet.”
“Version”=”8.0.0.0”
“ApplicationBase”=”C:\\Program Files\\Veeam\\Backup and Replication\\Backup”
“AssemblyName”=”Veeam.Backup.PowerShell, Version=8.0.0.0, Culture=neutral, PublicKeyToken=bfd684de2276783a”
“ModuleName”=”C:\\Program Files\\Veeam\\Backup and Replication\\Backup\\Veeam.Backup.PowerShell.dll”

—

Load:
asnp VeeamPSSnapin

Run this as an example:
Get-VBRJob

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\system
EnableLUA (dword) 00000000

If rpc over https is wrongly configurated, or the certificate for some reason not trusted on your local computer, you can disable the SSL check.
Simply add this key:
HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Outlook\RPC
DefConnectOpts (dword) 0

If running HP servers you need the customized HP VMware image to install ESX.

Show controller configuration:
/opt/hp/hpssacli/bin/hpssacli controller all show detail

Show disk info:
/opt/hp/hpssacli/bin/hpssacli controller slot=0 physicaldrive all show

Enable Drive Write Cache
/opt/hp/hpssacli/bin/hpssacli controller slot=0 modify dwc=enable forced

Array cache read and write ratio (read/write)
/opt/hp/hpssacli/bin/hpssacli controller slot=0 modify cacheratio=40/60 forced

Change log level, to see were the error happens.
Most of the time, it is an error in the smtp address or an user without an email address.
(user included in address book but having no email).

Set-EventLogLevel “Exch1\MSExchangeSA\OAL Generator” -level high
Set-EventLogLevel “Exch1\MSExchangeSA\OAL Generator” -level lowest

Remove the 120 days time bomb.
Remove this key:
HKLM\System\CurrentControlSet\Control\Terminal Server\RCM
GracePeriod
Restart server.

If you have a license server:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()
$obj.SetSpecifiedLicenseServerList(“server.dom.local”)
$obj.GetSpecifiedLicenseServerList()

Set lines mode, device or user:
$obj = gwmi -namespace “Root/CIMV2/TerminalServices” Win32_TerminalServiceSetting
$obj.ChangeMode(value)
Value can be 2 (per Device) or 4 (Per user)
$obj. LicensingType
$obj.LicensingName

Create a regfile:

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced]
“TaskbarGlomLevel”=dword:00000002

2: Never combine
1: Combine when taskbar is full
0: Always combine

Example:
esxcli software vib update -d /vmfs/volumes/ESX03\:storage1/ESXi500-201502001.ZIP

Use “update” insted of “install” if using cust. image

Find this file: Stream_autocomplete (on the source computer).
In this location: C:\Users\%username%\AppData\Local\Microsoft\Outlook\RoamCache

could have a name like this: Stream_Autocomplete_0_8D3BCAEDYTGFEB43A6DDDDDD8B2B89BF
Close Outlook on target computer, and copy this file to same location.

You have to rename file, so it overwrites the name from same file on target.

Log into the system as Administrator and open regedit.

HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList
In this path you can see all users, and inside this you can see their profile path etc c:\users\test1
You will also see the user SID

This SID can be found in: HKEY_USERS

If you for some reason need two RDP-Tcp connections in Windows 2008 you could easily add one in the “Remote desktop Session Host Configuration” tool.

This tool does not exist in Windows 2012 and you have to do it with regedit.
Make an export of this:
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp

Edit this regfile and change the path
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp-3390

This will be your new RDP-Tcp connection.
Change “LanAdapter” to the listening netcard
0 = all
1= netcard1
2=netcard2
3=netcard3

Change “PortNumber” to the port listening on the RDP-Tcp-3390
In this way, the original RDP-Tcp could listening on port 3389 with netcard1 and RDP-Tcp-3390 listening on port 3390 with netcard2

Show netcard ID:
netsh interface ipv4 show interfaces

Show assignments in powershell:
gwmi Win32_TSNetworkAdapterSetting -filter “TerminalName=’RDP-Tcp'” -namespace “root/cimv2/TerminalServices” | Select NetworkAdapterLanaID,NetworkAdapterName
and
gwmi Win32_TSNetworkAdapterSetting -filter “TerminalName=’RDP-Tcp-3390′” -namespace “root/cimv2/TerminalServices” | Select NetworkAdapterLanaID,NetworkAdapterName

RUNDLL32 PRINTUI.DLL,PrintUIEntry /y /n “RICOH 3228C”

If you need a delay og 10 sec, add this before:
ping 1.1.1.1 -n 1 -w 10000 > nul

—-
Alternative:

In bat file:
cscript print.vbs

In vbs file:
Option Explicit
On Error Resume Next
Dim objNetwork
Set objNetwork = CreateObject(“WScript.Network”)

objNetwork.SetDefaultPrinter “printer MFP(PCL) (redirected 1)”
objNetwork.SetDefaultPrinter “printer MFP(PCL) (redirected 2)”
objNetwork.SetDefaultPrinter “\\server\printer”

WScript.Quit

Get-MailboxStatistics -Database Exchange-DB1 | Where { $_.DisconnectReason -eq “Disabled” } | Format-List LegacyDN, DisplayName, MailboxGUID, DisconnectReason

Remove-Mailbox –Database Exchange-DB1 –StoreMailboxIdentity 7b4sss06-5000-4111-9111-11121c474e

In powershell on server:
Start-ManagedFolderAssistant -Identity “test1-user”

The Synology NAS have three network cables connected to the switch.
(post 1, 2 and 3).

On the HP ProCureve Switch:
trunk 1,2,3 trk2 lacp
vlan 3 untag trk2

show vlans
show trunks

Write memory

Enable running scripts:
set-ExecutionPolicy Unrestricted

GCM exsetup |%{$_.Fileversioninfo}

Exchange versions. Service packs and updates

Enable SSH access on ESX host
Install vmware vSphere CLI

Go to:
C:\Program Files (x86)\VMware\VMware vSphere CLI\bin

See configuration with:
vicfg-snmp.pl –server 10.0.0.42 -s

Setup snmp:
vicfg-snmp.pl –server 10.0.0.42 -c info -p 161 -t 10.0.0.10@161/public,10.0.0.17@161/public
CIM:
vicfg-snmp -server 10.0.0.42 -y indications

IPMI:
vicfg-snmp -server 10.0.0.42 -y sensors

10.0.0.42 — esx host
161 – port (udp)
10.0.0.10/10.0.0.17 target (HP SIM etc.)
info – my community string

Enable snmp
vicfg-snmp.pl –server 10.0.0.42 -E

Se configuration agin.
vicfg-snmp.pl –server 10.0.0.42 -s

test with snmpwalk:
SnmpWalk.exe -r:10.0.0.42 -c:info

Update:
On a ESXi5.1 and newer, use esxcfg-snmp.pl isted of vicfg-snmp.pl

postqueue -p | tail -n +2 | awk ‘BEGIN { RS = “” } / refund_of_tax@mycomp\.com/ { print $1 }’ | tr -d ‘*!’ | postsuper -d –

Script:

#Bash
while true; do
sleep 5
postqueue -p | tail -n +2 | awk ‘BEGIN { RS = “” } / refund_of_tax@mycomp\.com/ { print $1 }’ | tr -d ‘*!’ | postsuper -d –
done

Block the email:

nano /etc/postfix/recipient_access
refund_of_tax@mycomp.com REJECT

postmap /etc/postfix/recipient_access
/etc/init.d/MailScanner restart

Check the limits:

Get-ReceiveConnector | fl name,MaxMessageSize
Get-TransportConfig | fl MaxReceiveSize,MaxSendSize

Power off the VM and add a virtual disk to the VM.
This new disk gets the name /dev/sdc
Now this disk is used to extend the original /var

lvm pvcreate sdc
lvm vgextend vg_var /dev/sdc
lvextend -l +100%FREE /dev/vg_var/lv_var
resize2fs /dev/vg_var/lv_var

From the “METRO” you can right-click “this pc” and have some options from there.

Map Network drive is one of them.

Use this in a script:
C:\Progra~2\Google\Chrome\Application\chrome.exe –make-default-browser

List of switches:
http://peter.sh/experiments/chromium-command-line-switches/

Download and install:
https://adblockplus.org/en/internet-explorer

GPO:
Computer Configuration –> Administrative Template –> Windows Components –> Internet Explorer
Automatically activate newly installed add-ons
Enable

User Configuration –> Administrative Templates –> Windows Components –> Internet Explorer –> Toolbars
Hide the status bar
Disabled

You might want to disable Automatic updates:
Edit the hostfile
127.0.0.1 update.adblockplus.org

On old DHCP Server:
netsh dhcp server export C:\dhcp.txt all

On new DHCP Server:
netsh dhcp server import c:\dhcp.txt all

If errors, remove the scope options on the new server.

ROBOCOPY \\srv1\c$\share\ \\srv2\d$\share\ /MIR /SEC /R:2 /W:5 /LOG+:C:\AdminFolder\log.txt

MIR : mirrors files
SEC : NTFS rights
R:2 : Retry two times
W:5 : wait 5 seconds

If you are running into this error, you can try to disable the services:

File Replication Service (FRS) – Most likely only this
Distributed File System (DFS)
Windows Search
Indexing Service

Just install the indexing service (role service)
It does not have to index anything!

OR

Windows Search Service

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:”ntp.siminn.dk”
w32tm /config /reliable:yes
net start w32time
w32tm /query /configuration

find /www/website/www/ -newermt $(date +%Y-%m-%d -d ’10 day ago’) -type f -print

grep -R email@emailtest.local /www/folder/

This searches for email@emailtest.local inside files in a folder and all sub folders.

In this example, Exim4 stops if the queue grows lager then 100

#!/bin/bash
TERM=linux
export TERM
_limit=100
clear;
_queue=”`/usr/sbin/exim -bpc`”
if [ “$_queue” -ge “$_limit” ]; then
/etc/init.d/exim4 stop
fi

A rebuild of a failed disk can by design take two days.
If you raise the “speed limit” it can go faster.

/proc/sys/dev/raid
Have two files:
speed_limit_min
speed_limit_max

Old versions of DSM (Synology firmware) has a limit in “speed_limit_min” of 1000.
New versions have 10000.
Remember to use the newest version of DSM, but you can still edit the value by hand.
echo 20000 > /proc/sys/dev/raid/speed_limit_min

HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU
“UseWUServer”=dword:00000000

C:
Cd\Windows\System32\spool
Cacls.exe PRINTERS /e /g users:C

restart spooler
—
/T Changes ACLs of specified files in
the current directory and all subdirectories.

/L Work on the Symbolic Link itself versus the target

/M Changes ACLs of volumes mounted to a directory

/S Displays the SDDL string for the DACL.

/S:SDDL Replaces the ACLs with those specified in the SDDL string
(not valid with /E, /G, /R, /P, or /D).

/E Edit ACL instead of replacing it.

/C Continue on access denied errors.

/G user:perm Grant specified user access rights.
Perm can be:
R Read
W Write
C Change (write)
F Full control

/R user Revoke specified user’s access rights (only valid with /E).

/P user:perm Replace specified user’s access rights.
Perm can be:
N None
R Read
W Write
C Change (write)

If your replicated databaces is susspended or failed you may need to reeseed them.

Check status:
Get-MailboxDatabaseCopyStatus -server MyExchange

Reseed:
Update-MailboxDatabaseCopy DatabaseName\ReplicaServerName -SourceServer ActiveServerName -DeleteExistingFiles:$True
ReplicaServerName is the server with the FAILED copy.

Id Content index is in failed:
Update-MailboxDatabaseCopy -Identity DatabaseName\ReplicaServerName’ –CatalogOnly”

Create a task:
%windir%\system32\defrag.exe
With the drive as argument.
-c or -d

The recommended default permissions of 755 for directories and 644 for files should be reasonably secure.
Use this two commands to make your www direktory have this setup:

find /www/wordpress/www/ -type f -print0 | xargs -I {} -0 chmod 0644 {}
find /www/wordpress/www/ -type d -print0 | xargs -I {} -0 chmod 0755 {}

For joomla you may need FTP to the local database.
For that, you need to edit the proftp configuration.
Se below:

RequireValidShell off
(/etc/password needs a false shell)

<VirtualHost 127.0.0.1>
RequireValidShell 		off
FactsAdvertise		off
DefaultRoot			~
MasqueradeAddress		127.0.0.1
PassivePorts 64000 65000
Port 21
<Directory />
AllowOverwrite on
</Directory>

<Directory /www> 
GroupOwner	www-data
Umask		002 003
</Directory>
</VirtualHost>

<VirtualHost 192.168.55.2>
RequireValidShell 		off
FactsAdvertise		off
DefaultRoot			~
MasqueradeAddress		80.80.80.80
PassivePorts 64000 65000
Port 21
<Directory />
AllowOverwrite on
</Directory>
<Directory /www> 
GroupOwner	www-data
Umask		002 003
</Directory>
</VirtualHost>

Create a bat file:

C:\Progra~1\MySQL\MYSQLS~1.5\bin\mysqldump.exe –opt –single-transaction –user=root –password=xxxx DB-name > backup_DB-name.sql

set backupFilename=%DATE:~6,4%%DATE:~3,2%%DATE:~0,2%
C:\Progra~1\7-Zip\7z a MyBackup%backupFilename%.zip *.sql

Add this to the .htaccess for every extension:
AddType application/octet-stream .reg

In proftpd.conf, you could have some virtual host’s
If you have, groupowner is set in this way:

<VirtualHost 10.0.0.30>
DefaultRoot ~
MasqueradeAddress 80.xx.xx.xx
PassivePorts 64000 65000
Port 21
<Directory />
AllowOverwrite on
</Directory>
<Directory /www>
GroupOwner www-data
Umask 002 003
</Directory>
</VirtualHost>
 
 

In the search box: Slui.exe 0x3
In the command prompt: slmgr.vbs -ipk 00000-00000-00000-00000-00000

http://handbook.dk/download/DisableAntiSpam2007.reg
http://handbook.dk/download/DisableAntiSpam2010.reg
http://handbook.dk/download/DisableAntiSpam2013.reg

Make a script with this content:

Windows 2003:
DEL C:\”Documents and Settings\%username%\Local Settings\Temporary Internet Files”\*.* /Q /F /S

Windows 2008:
DEL C:\”Users\%username%\AppData\Local\Microsoft\Windows\Temporary Internet Files”\*.* /Q /F /S

Add is as an logoff script
Great on Terminal servers.

Find this in regedit:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Installer\UserData\S-1-5-18\Products\AE1D439464EB1B8488741FFA028E291C\Patches\DAB7360D98CBBF4498895E7EF3AFC452′

The key “DisplayName” gives the version (SP and rollup)

Example: Update Rollup 6 for Exchange Server 2010 Service Pack 2 (KB2746164) 14.2.342.3

All users desktop
C:\Users\Public\Desktop
(The Desktop folder is hidden)

All users start menu and programs:
C:\ProgramData\Microsoft\Windows\Start Menu
C:\Users\All Users

The “list” zen.spamhaus.org combines all spamhaus.org’s filters including the PBL
PBL is a DNSBL database of end-user IP address ranges and this could give false positivs

Instead you could use: sbl-xbl.spamhaus.org
Rumors says, When Zen is used solely as the single test to block spam it could lead to false positives.

Configuration:
/etc/postfix/main.cf
Change:
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client zen.spamhaus.org
to:
smtpd_client_restrictions = permit_sasl_authenticated, reject_rbl_client sbl-xbl.spamhaus.org

Alternatives:
xbl.spamhaus.org
sbl-xbl.spamhaus.org
zen.spamhaus.org
bl.spamcop.net

/etc/Mailscanner/spam.lists.conf

Restart postfix and Mailscanner

Download the ADMX/ADM files from here:
http://www.microsoft.com/en-us/download/details.aspx?id=18968
Extract the downloaded file.

Copy the content of the ADMX folder to this folder on the DC:
\\localhost\SYSVOL\domain.local\Policies\policydefinitions

Create the folder policydefinitions if it is missing.
The new policies are automatically replicated to all the DC’s.
And they are visible in GPMC

Remember this last step.
The old gpo’s is now missing. This is because the new “policydefinitions” folder is in control.
You need to copy the contents of: C:\Windows\PolicyDefinitions
from a DC to this folder – then the old polycy’s are back.
Remember, Widows update does not update this new store’s policy’s!
You need to do this by hand.

First, give the right to do it, access to the new cmd’s:
New-ManagementRoleAssignment –Role “Mailbox Import Export” –User Administrator

Restart the EMC

Next, you need a share where “Exchange Trusted Subsystem” have write access.

Do the export:
New-MailboxExportRequest -Mailbox kim.nielsen -FilePath \\nas1\pst\kim.nielsen.pst

View the progress:
Get-MailboxExportRequest
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

Import:
New-MailboxImportRequest -FilePath \\nas1\pst\kim.nielsen.pst -Mailbox kim.nielsen -TargetRootFolder “Mailbox – Kim”
TargetRootfolder creates a root folder inside the mailbox

taskkill /F /IM iexplorer.exe
taskkill /F /IM iexplore.exe
taskkill /F /IM firefox.exe
taskkill /F /IM chrome.exe
taskkill /F /IM javaw.exe
taskkill /F /IM jqs.exe
taskkill /F /IM jusched.exe
wmic product where “name like ‘Java%%'” call uninstall /nointeractive
msiexec.exe /i \\Fileserver\jre-7u11\jre1.7.0_11.msi /qn

Explanation:
First. Kill all the processes needed to install java
vmic search after “Java * ” in “add-remove” programs.
If something starts with “Java”, it will be removed.
Last. Do a silent install

You need the two files in the folder where java is installed from:
Data1.cab
jre1.7.0_11.msi

If you start up the java install double clicking “jre-7u11-windows-i586.exe”, they can be found in:
C:\Users\user\AppData\LocalLow\Sun\Java\jre1.7.0_11
———————————–
What version of Java is installed and do somethig based on that:

IF (@PRODUCTTYPE) = “Windows 7 Professional Edition”
? “Windows 7”
$FileVersionWin7 = GetFileVersion(“C:\Program Files (x86)\Java\jre7\bin\java.exe”)
IF $FileVersionWin7 >= “7.0.150.3”
? “Java: ” + $FileVersionWin7 + ” No update”
else
? “Java: ” + $FileVersionWin7 + “Update”
RUN “\\nas\Java\jre-7u15\update.cmd”
endif
? “…”

EndIF

IF (@PRODUCTTYPE) = “Windows XP Professional”
? “Windows XP”
$FileVersionXP = GetFileVersion(“C:\Programs\Java\jre7\bin\java.exe”)
IF $FileVersionXP >= “7.0.150.3”
? “Java: ” + $FileVersionXP + ” No update”
else
? “Java: ” + $FileVersionXP + ” Update”
RUN “\\nas\Java\jre-7u15\update.cmd”
endif

For some reasons you might want to recreate the Rpc and RpcWithCert folders in IIS7. The reasons could be:

– Something went wrong with the old ones
– You have to use different SSL certificates, one for internal use and one for external use.
– You are using SAN SSL, certificates with trusted internal names but now this type is discontinued.

Lets make the Default Web Site the new “internal” with its own SSL for this use. Then we create a new “external”.

How is all that done?
Start with adding an additional IP to your net card.

An example, You now have 192.168.10.5 and 192.168.10.6. The “internal” website should now listen on 192.168.10.5. Add a SSL cert to this one. In Exchange 2010 EMC a self signed SSL can be created. For some reason only one year can be the limit. Export the SSL and make a GPO to make it trusted on your clients. When trusted there will be no errors in the webmail and Outlook will work.

You can remote the local Activesync folder if you want

remove-ActiveSyncVirtualDirectory -identity “Exchange\microsoft-server-activesync (default web site)”

Remember the DNS
The internal DNS shuld point to the “internal” website/IP (192.168.10.5)
When adding the extra IP, a DNS reccord is automaticaly created on the DNS server. Remove this.
On the DNS server remove the external IP from the list of interfaces it listen on.

Then create a new website “external” and make it listen on 192.168.10.6.

Add a SSL certificate with external trust.

Now create all the sub folders in the external website with this commands:

New-OWAVirtualDirectory -Name “owa” -WebSite “External”
New-EcpVirtualDirectory -WebSiteName “External”
New-ActiveSyncVirtualDirectory -WebSiteName “External” -ExternalURL “https://externalDNSname.domain.com/Microsoft-Server-ActiveSync”
New-AutodiscoverVirtualDirectory -WebSiteName “External”
New-OABVirtualDirectory -WebSiteName “External” -recovery New-WebServicesVirtualDirectory -WebSiteName “External”

Find the IIS7 website cobfiguration file:

C:\Windows\System32\inetsrv\config\applicationHost.config

(You need to use Notepad to edit this one)

Add this in the right sections

You can disable Java update notifications by editing the registration database.
Set the values to zero.

HKEY_LOCAL_MACHINE\SOFTWARE\JavaSoft\Java Update\Policy
EnableAutoUpdateCheck
EnableJavaUpdate
NotifyDownload

The Terminal server restarted, but why?
You see this in the log:
The Windows Installer initiated a system restart to complete or continue the configuration of ‘Adobe Acrobat X Standard

A “user” can initiate an update or repair of Adobe Reader. In the end of this process, the software initializes an system restart.
This has to be disabled on an terminal server.

Disable Reapir:
Adobe Reader X32
Adobe Reader x64
Adobe Acrobat X32
Adobe Acrobat x64

Hide update menu:
In this folder, but the file: HideMenu.js
C:\Program Files (x86)\Adobe\Reader 10.0\Reader\Javascripts

Customization Wizard X

More info:
http://blog.stealthpuppy.com/deployment/deploying-adobe-reader-x/

Get-Mailbox -OrganizationalUnit “OU-Name” | Get-MailboxStatistics | ft  displayName,TotalItemSize -Autosize

Get-MailboxStatistics | Sort -Property TotalItemsize | Format-Table DisplayName, LastLoggedOnUserAccount, ItemCount, @{expression={$_.totalitemsize.value.ToMB()};label=”Size(MB)”}, LastLogonTime, LastLogoffTime

Show number of users connected to Client Access Servers
Get-Counter “\MSExchange RpcClientAccess\User Count” -ComputerName cas1,cas2 |ft

Show number of users connected to Outlook Web Access / Webmail
Get-Counter “\MSExchange OWA\Current Unique Users” -ComputerName cas1,cas2 |ft

Show named users connected to CAS and Mailbox server
Get-LogonStatistics -Server “exch1” | where {$_.clientname -eq “cas1”}| ft username,servername,clientname

Detailed list from Microsoft here

Folder Exclusions:
C:\Program Files\Microsoft\Exchange Server\V14\Mailbox
C:\Program Files\Microsoft\Exchange Server\V14\Mailbox\MDBTEMP
C:\Program Files\Microsoft\Exchange Server\V14\ExchangeOAB
C:\Program Files\Microsoft\Exchange Server\V14\ClientAccess
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\Queue
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\data\IpFilter
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Logs
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\Queue
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\IpFilter
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\Adam
C:\Program Files\Microsoft\Exchange Server\V14\TransportRoles\Data\SenderReputation
C:\Program Files\Microsoft\Exchange Server\V14\Working\OleConvertor
C:\Program Files\Microsoft\Exchange Server\V14\GroupMetrics
C:\Program Files\Microsoft\Exchange Server\V14\Logging
C:\Program Files\Microsoft\Exchange Server\V14\Logging\POP3
C:\Program Files\Microsoft\Exchange Server\V14\Logging\IMAP4
C:\Program Files\Microsoft\Exchange Server\V14\Working\OleConvertor
C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\grammars
C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\Prompts
C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\voicemail
C:\Program Files\Microsoft\Exchange Server\V14\UnifiedMessaging\temp
C:\Windows\System32\inetsrv
C:\Windows\Cluster
C:\witness
C:\inetpub\temp\IIS Temporary Compressed Files
C:\Windows\System32\inetsrv
C:\inetpub\logs\LogFiles
—
Processes Exclusions:
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeADTopologyService.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\ExFBA.exe
C:\Program Files\Microsoft\Exchange Server\V14\bin\store.exe
C:\Program Files\Microsoft\Exchange Server\V14\bin\mad.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\msftesql.exe
C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.AddressBook.Service.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.AntispamUpdateSvc.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\Microsoft.Exchange.EdgeSyncSvc.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeFDS.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxAssistants.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailboxReplication.exe
C:\Program Files\Microsoft\Exchange Server\V14\Bin\MSExchangeMailSubmission.exe
C:\Program Files\Microsoft\Exchange Server\V14\bin\Microsoft.Exchange.ProtectedServiceHost.exe

Cdb.exe
Microsoft.Exchange.Search.Exsearch.exe
Cidaemon.exe
Microsoft.Exchange.Servicehost.exe
Clussvc.exe
MSExchangeADTopologyService.exe
Dsamain.exe
MSExchangeFDS.exe
EdgeCredentialSvc.exe
MSExchangeMailboxAssistants.exe
EdgeTransport.exe
MSExchangeMailboxReplication.exe
MSExchangeMailSubmission.exe
GalGrammarGenerator.exe
MSExchangeRepl.exe
Inetinfo.exe
MSExchangeTransport.exe
MSExchangeTransportLogSearch.exe
Microsoft.Exchange.AddressBook.Service.exe
MSExchangeThrottling.exe
Microsoft.Exchange.AntispamUpdateSvc.exe
Msftefd.exe
Microsoft.Exchange.ContentFilter.Wrapper.exe
Msftesql.exe
Microsoft.Exchange.EdgeSyncSvc.exe
OleConverter.exe
Microsoft.Exchange.Imap4.exe
Powershell.exe
Microsoft.Exchange.Imap4service.exe
SESWorker.exe
Microsoft.Exchange.Infoworker.Assistants.exe
SpeechService.exe
Microsoft.Exchange.Monitoring.exe
Microsoft.Exchange.Pop3.exe
TranscodingService.exe
Microsoft.Exchange.Pop3service.exe
UmService.exe
UmWorkerProcess.exe
Microsoft.Exchange.RPCClientAccess.Service.exe
W3wp.exe

get-OutlookAnywhere
Set-OutlookAnywhere -Name EXCHSERVER -ClientAuthenticationMethod NTLM
Set-OutlookAnywhere -Name EXCHSERVER -IISAuthenticationMethod Basic,NTLM

http://go.microsoft.com/?linkid=9726441

http://support.microsoft.com/kb/310049/en

dim objNetwork
set objNetwork = createobject(“Wscript.Network”)

WScript.Sleep 1000 * 60 * 1
objNetwork.SetDefaultPrinter “PrinterName”
—
Just make a .vbs file. You can use it in a startup script (GPO)
The line: WScript.Sleep 1000 * 60 * 1
makes an delay of one minute.

It is nice to see the history of crashed applications in Windows 2008.
But when you start up “reliability monitor” it is empty – why is that?
You have tried this: http://support.microsoft.com/kb/983386 but still no lock.
Are you running as Domain Controller on the server, it could be a right issue of the service.

Changed the RacTask on DCs to run “AS System” instead of “Local Service”.
Can be found in “task scheduler” –> “Microsoft” –> “Windows” –> “RAC”
RacTask

You have a shared calendar but the users cannot see the details and the appointments are not auto accepted.

Set-CalendarProcessing User_in_Exchange -AutomateProcessing AutoAccept
Set-MailboxFolderPermission User_in_Exchange:\Calendar -User Default -AccessRights Reviewer

Set-CalendarProcessing -Identity recurce-cal -DeleteComments $false
Set-CalendarProcessing -Identity recurce-cal -DeleteSubject $false

get-CalendarProcessing -Identity recurce-cal| Format-List
—
AutomateProcessing : AutoAccept
AllowConflicts : False
BookingWindowInDays : 180
MaximumDurationInMinutes : 1440
AllowRecurringMeetings : True
EnforceSchedulingHorizon : True
ScheduleOnlyDuringWorkHours : False
ConflictPercentageAllowed : 0
MaximumConflictInstances : 0
ForwardRequestsToDelegates : True
DeleteAttachments : True
DeleteComments : False
RemovePrivateProperty : True
DeleteSubject : false
AddOrganizerToSubject : True
DeleteNonCalendarItems : True
TentativePendingApproval : True
EnableResponseDetails : True
OrganizerInfo : True
ResourceDelegates : {}
RequestOutOfPolicy : {}
AllRequestOutOfPolicy : False
BookInPolicy : {}
AllBookInPolicy : True
RequestInPolicy : {}
AllRequestInPolicy : False
AddAdditionalResponse : False
AdditionalResponse :
RemoveOldMeetingMessages : True
AddNewRequestsTentatively : True
ProcessExternalMeetingMessages : False
RemoveForwardedMeetingNotifications : False

Backup ESXi configuration on host

Vcli
http://www.vmware.com/support/developer/vcli/

Enter:
C:\Program Files\VMware\VMware vSphere CLI\bin

viccfg-cfgbackup.pl –server esxhost/IP –username root –password securepass -s c:\tmp\hostbackup.bak

Get-VM | Get-Snapshot | select vm, name, sizemb, created
or with grafical view:
Get-VM | Get-Snapshot | select vm, name, sizemb, created | Out-gridview

Computer Conf –> Preferences –> Control Panel Settings –> Folder Options –> Right click –> New –> File Type

User Conf –> Preferences –> Control Panel Settings –> Folder Options –> Right click –> new –> Open With

You can remove the “Admin Tools folder” with a GPO.

Go to:
User Configuration\Preferences\Windows Settings\Registry

Add a new Registry Item:
Action: Update
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: StartMenuAdminTools
Value type: REG_DWORD
Value data: 00000000

Add a second Registry Item:
Action: Update
Hive: HKEY_CURRENT_USER
Key path: Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced
Value name: StartAdminToolsRoot
Value type: REG_DWORD
Value data: 00000000

Remember to enable Loopback on the OU where the RD Host are.
Computer Configuration\Policies\Administrative Templates\User Group Policy loopback processing mode
Mode: Merge

Create new keystore with a 2048 bit certificate:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -genkey -keysize
2048 -alias tomcat -keyalg RSA -keystore keystore.2012

Make a request:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -certreq -keyalg
RSA -alias tomcat -file MyDom.csr -keystore keystore.2012

Import root cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias r
oot -keystore keystore.2012 -trustcacerts -file root.crt

Import intermediate cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias i
ntermed -keystore keystore.2012 -trustcacerts -file intermediate.crt

Import the trusted SSL cert:
c:\PROGRA~1\AHSAYO~1\conf>c:\progra~1\ahsayo~1\java\bin\keytool -import -alias t
omcat -keystore keystore.2012 -trustcacerts -file MyDom.crt

More info

If you get this error trying to open a Office document: “The file is corrupt and it cannot be open” it might be a security setting.

If the file is from the Internet / Outlook, it is blocked by default.

You can unblock in the file properties or make a GP
Goto: User Configuration > Administrative Templates > Windows Components > Attachment Manager Enable: Do not preserve zone information in file attachments

If you are using iscsi and have an fileserver, it is important that fileservices starts after the iscisi is of and running.
This specifik command soves this issue:

sc.exe config lanmanserver depand= msisci
(the space before msisci has to be there)

Error:
Microsoft Exchange Information Store Database [DB-Name] copy on this server experienced a corrupted search catalog

Fix with this command:
Update-MailboxDatabaseCopy -Identity “[type in your DB]\[Your Exchange server]” -CatalogOnly

Mailbox:
set-mailboxfolderpermission -Identity testuser:\calender -User cl -AccessRights editor

Get-User -identity “user 1”
Get-MailboxFolderPermission -identity “user 1”
Add-MailboxPermission -identity “User 1” -User “user 2” -AccessRights ReadPermission
Get-MailboxPermission -identity “User 1”
Remove-MailboxPermission -identity “User 1” -AccessRights ReadPermission -user “user 2”

Resource Calender:
Add-MailboxPermission –Identity testresource -User all-usersgroup -AccessRights FullAccess -InheritanceType All

Public folders:
Get-PublicFolderClientPermission -Identity “\firm1\firm1 calender”

Add-PublicFolderClientPermission -Identity “\firm1\firm1 calender” -AccessRights PublishingEditor -User testuser

Public folders – and all subfolders:
Get-PublicFolder –Identity “\folder\subfolder” –Recurse | Add-PublicFolderClientPermission –User user –AccessRights owner

Get-SendConnector | fl fqdn
Get-ExchangeCertificate | fl CertificateDomains
Get-ExchangeCertificate | fl thumbprint, services
Enable-ExchangeCertificate -Thumbprint A2AB2228777CE4539xxxxDF3F7D22A2E94326A99 -Services IMAP, POP, IIS, SMTP -DoNotRequireSSL

Rename the default role:
Set-RoleAssignmentPolicy “Default Role Assignment Policy” -Name “Unrestricted Role Assignment Policy”

Create new
New-RoleAssignmentPolicy -Name “Restricted Role Assignment Policy” -Description “Only base options.” -Roles MyBaseOptions -IsDefault:$True

If created grafical, you need to set it default this way:
Set-RoleAssignmentPolicy -identity “Restricted Role Assignment Policy” -IsDefault:$True

All new users get the new policy, but you need to run this command on everyone else:
set-mailbox usertest -RoleAssignmentPolicy “Restricted Role Assignment Policy”

more info

Add global address list:
New-GlobalAddressList -Name “Firm 4 – GAL” -IncludedRecipients MailboxUsers -ConditionalCompany Firm4
Creates the global address list based on “company” in the user object.

Remove global address list: remove-GlobalAddressList -identity “Firm 4 – GAL”

Show global address list: get-globaladdresslist

Regedit:
[HKEY_CURRENT_USER\Software\Policies\Microsoft\Office\14.0\outlook] “DisableAntiSpam”=dword:00000001

Download regfile

kernel: lnc0: Missed packet — no receive buffer
—
Your virtual hardware is to slow. If an option, try to install vmware-tools or use another network card type instead of vlance.

add this to the vmx:
ethernet0.virtualDev=”e1000″
ethernet1.virtualDev=”e1000″

This is an example how to create an site to site VPN between monowall and ASA

Monowall 1.33

ASA

access-list outside_20_cryptomap extended permit ip 10.1.1.0 255.255.255.0 192.168.36.0 255.255.255.0
access-list inside_nat0_outbound extended permit ip 10.1.1.0 255.255.255.0 192.168.36.0 255.255.255.0
nat (inside) 0 access-list inside_nat0_outbound

crypto ipsec transform-set ESP-3DES-MD5 esp-3des esp-md5-hmac
crypto ipsec security-association lifetime seconds 28800
crypto ipsec security-association lifetime kilobytes 4608000

crypto map outside_map 20 match address outside_20_cryptomap
crypto map outside_map 20 set pfs
crypto map outside_map 20 set peer 234.234.234.234
crypto map outside_map 20 set transform-set ESP-3DES-MD5
crypto map outside_map 20 set security-association lifetime seconds 28800
crypto map outside_map 20 set security-association lifetime kilobytes 4608000
crypto map outside_map interface outside
crypto isakmp enable outside
crypto isakmp policy 10
authentication pre-share
encryption 3des
hash md5
group 2
lifetime 86400

tunnel-group 234.234.234.234 type ipsec-l2l
tunnel-group 234.234.234.234 ipsec-attributes
pre-shared-key securepass

By default Windows use the driver “HP DeskJet500c” or “HP Color LaserJet 5/5M PS” if no exact driver is found.
This can be changed in regedit on the terminal server.

Below is “HP LaserJet 4” the default.

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\Wds\rdpwd]
“FallbackPclDriver”=”HP LaserJet 4”
“FallbackPsDriver”=”HP Color LaserJet 5/5M PS”

Download regfile

On a terminal server where a user is trying to print, you get whis error in the log:

“Win32 error code returned by the print processor: 5. Access is denied”

Give the users trying to print write access to thsi folder on the terminal server:
C:\Windows\System32\spool

You have a Windows 2008 64 bit terminal server and needs some additional printer drivers x86 and x64.
When installing the x86 drivers this error occurs:

“please provide a path to windows media x86”

All you have to do is finding ntprint.inf from a 32 bit Windows 7 and give it that file and folders.
From a Windows 7 find this folders:

C:\Windows\winsxs\x86_ntprint.inf.*

Move it to your Windows 2008 server, and point the wizard to this files.

This works only with ESX3 and ESX4
Power down the VM
Add a line to the .vmx configuration
—
workingDir = “/vmfs/volumes/4e804054-a8b90408-d7d4-001e0b6dd2ce/vm-snapshots”
—
KB from VMware

You are using ESXpress and try to change the configuration from the console using ‘phd’.
This error pops up trying to save the configuration: “The esxpress gui is being used, make your changes there”.
The ESXpress software thinks it is controlled by the virtual phd appliance.
If you are not using that anymore, this can be disabled in the configuration on the host:
/etc/phd/esxpress.cfg
Change to ‘no’
—
# Global Quorum Configs
PHD_Q_ENABLE=’No’
#PHD_Q_ENABLE=Yes

[PS] C:\Users\Administrator\Desktop>enable-exchangecertificate -thumbprint 2baade861687416c03a099430228b345679999d8 -ser
vices iis, imap, smtp, pop, um, none -DoNotRequireSSL

Get-ExchangeCertificate |FL

NAT a range of ports on a Cisco ASA for FTP use.
In this example I need SSL support, passive ports.

object-group service PassiveFTP tcp
port-object range 60000 60015
static (inside,outside) tcp interface ftp 192.168.1.20 ftp netmask 255.255.255.255
access-list allow_inbound extended permit tcp host host object-group PassiveFTP
access-list allow_inbound extended permit tcp host interface outside eq ftp

static (inside,outside) tcp interface 60000 192.168.1.20 60000 netmask 255.255.255.255
static (inside,outside) tcp interface 60001 192.168.1.20 60001 netmask 255.255.255.255
static (inside,outside) tcp interface 60002 192.168.1.20 60002 netmask 255.255.255.255
static (inside,outside) tcp interface 60003 192.168.1.20 60003 netmask 255.255.255.255
static (inside,outside) tcp interface 60004 192.168.1.20 60004 netmask 255.255.255.255
static (inside,outside) tcp interface 60005 192.168.1.20 60005 netmask 255.255.255.255
static (inside,outside) tcp interface 60006 192.168.1.20 60006 netmask 255.255.255.255
static (inside,outside) tcp interface 60007 192.168.1.20 60007 netmask 255.255.255.255
static (inside,outside) tcp interface 60008 192.168.1.20 60008 netmask 255.255.255.255
static (inside,outside) tcp interface 60009 192.168.1.20 60009 netmask 255.255.255.255
static (inside,outside) tcp interface 60010 192.168.1.20 60010 netmask 255.255.255.255
static (inside,outside) tcp interface 60011 192.168.1.20 60011 netmask 255.255.255.255
static (inside,outside) tcp interface 60012 192.168.1.20 60012 netmask 255.255.255.255
static (inside,outside) tcp interface 60013 192.168.1.20 60013 netmask 255.255.255.255
static (inside,outside) tcp interface 60014 192.168.1.20 60014 netmask 255.255.255.255
static (inside,outside) tcp interface 60015 192.168.1.20 60015 netmask 255.255.255.255

Script:
EnableOnLoad.reg

Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\14.0\Excel\Security\FileValidation]
“EnableOnLoad”=dword:00000000

—

Group Policy:
“Options\Security\Trust Center\Protected View”

—

Reg file:
bProtectedMode.reg

The local harddrive of a client can be changed in a citrix invioment.
Create this on the server if you want it to be x:

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Citrix]
“InitialClientDrive”=”x:”
Type REG_SZ

On a terminal server all users are requested to enable or disable the protected mode in the new Adobe Reader X. On some systems enabling does not work.
You can easily disable this functionality for the user in regedit with the use of a login script running this command:

REG ADD “HKCU\SOFTWARE\Adobe\Acrobat Reader\10.0\Privileged” /v bProtectedMode /t REG_DWORD /d 0 /f

Update Adobe Reader XI
HKEY_CURRENT_USER\Software\Adobe\Acrobat Reader\11.0\Privileged
“bProtectedMode”=dword:00000000

What is coursing the svchost.exe to use 100% CPU?
Use this command:
tasklist /svc /fi “imagename eq svchost.exe

Show the dll’s:
tasklist /m /fi “imagename eq svchost.exe

Sysinternals Process Explorer

HKEY_CURRENT_USER\Software\Microsoft\Office\XX.X\Outlook\Security

XX.X indicates your version of Outlook:
14.0 – Microsoft Office 2010
12.0 – Microsoft Office 2007
11.0 – Microsoft Office 2003
10.0 – Microsoft Office 2002
9.0 – Microsoft Office 2000

Add a new string value key in that location:
Level1Remove
Add the extensions: .lnk;.com;.exe

Download a Reg file

Upgrade the admin folder in the office folder with the newest “Office Customization Tool” files.
Start the tool:
setup.exe /admin

Featues –> modify user setting –> Microsoft office 2010 system –> Privacy –> Trust center
Disable Opt-in Wizard on first run (enabled)
Enable customer Exoerience improvement program (Disabled)
Save the MSP file

Setup.exe /adminfile office.MSP
(Runs the installation)

GPedit:
User –> Administrative Temp. –> Microsoft Office 2010 system –> Privacy –> Trust center
Disable Opt-in Wizard on first run (enabled)
Enable customer Exoerience improvement program (Disabled)

User –> Administrative Temp, –> Microsoft Office 2007 –> tools account settings –> rss feeds
Turn off RSS feature

C:\>nslookup
Standardserver:   domc.mydom.dk
Address:  192.168.0.9

> set type=all
> _autodiscover._tcp.internetdom.dk
Server:   domc.mydom.dk
Address:  192.168.0.9

Ikke-autoritativt svar:
_autodiscover._tcp.internetdom.dk        SRV service location:
priority       = 0
weight         = 0
port           = 443
svr hostname   = server01.exchangeserver.dk
>

Test here: www.testexchangeconnectivity.com