Destination IP

Trying to get mail out of outlook for mac and into mail was easy, once I knew how.

Mail that is in archives in outlook can be dragged folder by folder to the desktop (subfolders won’t work so carry them across individually). You literally just grab the folder and drag it onto the desktop and it will be stored as an mbox file.
From there you can just go into mail and choose File->import mailboxes-> files in mbox format
This will just import them as local folders in the mail app.

Perfect

Moving through my customization of adaxes, I have stumbled across some awesome fields that in general are great to know about.
This will hopefully be a work in progress list as I find more treasures.

proxyAddresses: If you are like me and have no exchange server but need a way to have aliases synced to google apps, you use this field, handy to list this to see all the aliases a user has.
badPwdCount: Showing you how many times a bad password has been entered.
badPasswordTime: Showing the time of the last bad password entered.
lastLogon: Last time a logon to a domain controller was logged.

AS of 2003 functional level domains running server 2008 machines only, you can rename the domain controllers with netdom.
for 2003 and below domain controllers, there are other articles helping you out that meet that need.

Run the following command
NETDOM computername oldcomputername.local /add:newcomputername.local
Make sure DNS propagation is up to date with the new name then run
NETDOM computername oldcomputername.local /makeprimary:newcomputername.local
you will need to reboot the DC now to apply that change.
then remove the old name
NETDOM computername newcomputername.local /remove:oldcomputername.local

Change mS-DS-MachineAccountQuota

The process is:
- Start ADSI Edit (start/run/adsiedit.msc)
- Expand out the Domain node, right click on DC=,DC=com and select properties
- Move down to ms-DS-MachineAccountQuota
- Modify the value as appropriate, or clear the value to remove the limit entirely.

Problem: Edit proxyaddresses field without an exhchange server. Solution: Easy

I am running an Active Directory (AD) environment internally but have no exchange server, it’s all nice and shiny 2008 servers so the attributes I need for snycing aliases with google apps sync tool are there.

The way to alter these fields so that I can add and sync aliases with google apps is to open up the active directory users and computers mmc and up the top from the “View” drop-down select “Advanced Features”.
Now when you open up a user, you get a new bunch of tabs, one of which is “Attributes Editor” in there you get a non scary gui version of ADSI edit, just scroll down to the “proxyaddresses” field and edit it, add and remove full email addresses as you see fit!

Amazingly easy and means people who aren’t savvy with adsi edit (or you don’t want touching adsi edit) are able to administer aliases for your google apps deployment.

I am doing some funky stuff with Nagios monitoring XEN servers and part of that is a template that will monitor the DELL hardware through open manage (Fans, RAID, PSU, Temperature).
There wasn’t alot of great info on just how you install this properly so here it is.

I followed the guide HERE to install Dell OpenManage Server Admistrator (OMSA), hardware management tools such as RAID manager (omconfig), and to be able to upgrade the BIOS/firmware on the XenServer host hardware from the XEN console. Updating the firmware from the console is so much easier since you can retrieve the packages from DELL via the internet and just install them right in the console rather than messing about with burning disks or usb sticks or having to run through the clunky DRAC console to update the firmware.

If you run into problems installing # yum install srvadmin-all , use the following link to fix:

http://www.delltechcenter.com/thread/4563389/?offset=0&maxResults=10#fbid=zEw-WSgUP3O

Also they neglect to tell you to enable and start the services for this to all work:
# /opt/dell/srvadmin/sbin/srvadmin-services.sh status
# /opt/dell/srvadmin/sbin/srvadmin-services.sh enable
# /opt/dell/srvadmin/sbin/srvadmin-services.sh start

You can access the interface from https://host.ip:1311

I have firewalls enabled on XEN which I’m pretty sure is the default so I couldn’t access the OpenManage web interface.
I had to add some iptables rules.
in /etc/sysconfig/iptables

I had to add the following so I could connect to it from my LAN:

-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -m state --state NEW -j ACCEPT
-A INPUT -p tcp -m tcp --sport 1024:65535 --dport 1311 -j ACCEPT
-A INPUT -p udp --dport 161 -j ACCEPT

Restart iptables
/etc/init.d/iptables restart

If you are doing this for nagios and are polling snmp, modify the snmp on XEN
Edit the following file:
/etc/snmp/snmpd.conf

change com2sec notConfigUser default public
Change out public with your secret
then service snmpd restart

Done!

Sync Active Directory Password with Google Apps working
I started a long journey of setting up google apps for an organization and found out the hard way that when you synchronize accounts using googles apps directory sync tool (GADS). http://www.google.com/support/a/bin/answer.py?answer=106368
That passwords, are not synced. The full reason for this is explained at the end of this article.  It’s long whinded and there be dragons.

For a short summary, here is what is required.
1. Secure the Division attribute: By default this field is visible to ANY authenticated user, this means you have put all passwords into unsalted SHA1 hashes and any user with the knowhow could poll for the entire domains userbase and get all their passwords. Again understanding why this is bad is explained at the end of this article.

2. sha1hexfltr – this DLL is installed on all writeable domain controllers (DC’s), it captures/intercepts any password resets AFTER it is installed and makes a SHA1 hash of the password and puts it in the division attribute field. This is accessible from LDAP, this makes it ideal because LDAP is how the Google Apps sync tool gets all its info to the Google servers.

3. Sync account creation: It may seem obvious but some people make some glaring mistakes about this part of the process and are just so happy it is working, they forget to finish off an important part of this process.

1. Secure the division attribute so people can’t crawl it
http://slashsot.org/index.php/2011/05/changing-active-directory-object-permissions/

This article is a fantastic guide of how to do this process, what you are doing is going into the Schema and creating a rule that is very much like you would in a firewall.

You are locking down that attribute so anyone who is a member of “domain users” cannot view it. This secures it very well, it does mean you must have an account that is not a member of that group to view it, and this will be your account that syncs with GADS, it can view the attribute whilst no-one else can.

One part missing from the guide, how do you do this?
Firstly, if you have admin permissions set up properly, you will have the following issue. The active directory schema security is greyed out. This happens because you don’t have enough permissions, an account that is a member of schema admins will have permissions in here, log in as a user that does or add your account to become a member of schema admins.
By default an account is defined as a domain user and that is it’s primary group, you have to add it to another group (in my case I made it a member of a group called GADSSYNC) hit apply, close the window open it again and now you can define that as the primary and remove the domain users. You can then use an LDAP explorer to test with both the GADS account and your own domain account. You should not be able to see the division attributes when authenticated as yourself but the GADS account should.

2. Install DLL on domain controllers (write DC, not on read only RODC)
download link here
http://code.google.com/p/sha1hexfltr/wiki/installation

Installation procedure for 2008 R2 64bit/32bit

Downloaded older Oct 2009 64bit dll for 2008 (the one that doesn’t specify win2k3)
2 - Copy the file to the ‘Windows/System32’ directory.
Why you don’t need to put anything in the syswow64 directory
http://en.wikipedia.org/wiki/WoW64
It’s for 32bit apps running on a 64bit architecture, irrelevant when you have the 64bit DLL
3 - Register the filter
• Click Start -> Run
• type ‘regedit’ -> click ‘OK’
• Go to: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Lsa
• Modify ‘Notification Packages’ by adding sha1hexfltr to the end of the list ( Do NOT include the ‘.dll’ part. )
• Reboot for the filter to take effect.

Was able to run before and after the reboot, handy to run before in case you are like me and running on automatic, don’t check a servers architecture and copy/install the 64bit DLL on a 32bit server.

rundll32 sha1hexfltr.dll,about

in a command window and it responded “test this” hooray.

Note: sometimes windows can lock these downloaded files, you may need to right click -> properties and unlock the file so it isn’t prevented from being readable.

Why can’t I just use LDAP synchronizing in realtime like my VPN appliance etc.

LDAP is not supported in this manner with google, due to the distributed nature of their setup. This is not feasible, they must hold copies of passwords as you will not all hit the same server and may change servers at any time. They probably hold your mail on tens if not hundreds of servers worldwide at once, how are you supposed to get authentication working in that type of distributed nature from your one little LDAP server? Let alone creating a massive single point of failure for your setup, googles 99.99% uptime goes out the window if your LDAP server can’t talk to their systems and all of a sudden no-one can logon to see their mail.

Why cant Googles apps tool just get my passwords out of active directory?

You cannot retrieve your passwords because Active Directory (in its current iteration) stores passwords as an LM hash and an NT hash and stores them in the Security Accounts Manager (SAM).
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/034a0e33-a8ab-474e-ba6c-3371724d0be1/
If you are reading this, find out it is on for your system and want to disable it. You should read this article, http://support.microsoft.com/kb/299656 you can prevent LM storing from happening at all.
This goes a long way to you being a better admin and securing your network against attacks. These are the kinds of things that separate the systems that earn Microsoft the name of being unsecure from those that don’t. As with any system, it’s only as secure as the person administering it. Be aware that legacy systems can be affected by this so be very sure this will not break functionality, (that is what your test domain that everyone has is for right? right?)

What not to do

Don’t have an admin account that can be removed, at the least your sync tool has two options. When a user is dropped from AD (delete the GAPPS account or suspend it) always suspend. There is a 10 day turnaround on an account that is deleted. You heard me right, go on, do it now. Go into your console, create a new user account, great, now delete it, now try to recreate it. Oh that error message is not fun when you thought you would just delete and recreate a user to save the headache of something that would have taken you 10 minutes to resolve.

This could be CATASTROPHIC to your environment if you get this wrong.

Make sure that the account is well labeled and all admins are well aware of the impacts of moving or doing anything to this account.

If admin account gets suspended
http://www.google.com/support/a/bin/request.py?hl=en&contact_type=cuf&rd=1
to request a reset, doesn’t require you to be able to send email which you may have broken.
Password resets are set to go to an alternative in the google apps cpanel, make that something you can access easily. I just created a free gmail account called mydomainnamepasswordrecovery@gmail.com

- DO NOT turn on “store passwords using reversible encryption”
Here is why
http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
Someone happily discussing how easily this allows you to export all passwords as clear text.

I also discovered an article talking about the initial setup with screenshots if you are having trouble getting that far through this process. http://sgoodger.wordpress.com/2010/04/14/google-apps-directory-sync-and-ad-passwords/#comment-162

I got this error after I restored a time machine backup and had to rebuild my bootcamp from scratch.
Uninstalling and reinstalling vmware fusion didn’t help.
The solution was to delete the records of the old bootcamp setup and when i next opened vmware fusion and hit start on the bootcamp image, it rebuilt it and worked like a charm.

A fresh Lion install and an upgrade are running side by side at the moment to just start heavy user testing so we can OK the deployment ASAP.

Issue 1 VMWare Install fail: VMWare Fusion failed to install on my fresh install of Lion - Solved

Issue 2 Joining to domain succeeded, home drives are not mapping

Issue 3 Parallels: Unresponsive on Lion - Solved

If you are having issues with remote desktop sessions being really slow and laggy, this can be related to Vista and Windows 7 (Windows Auto Tuning).

Trying to add an additional virtual disk to an existing VM it listed the new disk as Device path , it was also listed as not active.

The solution turned out to be pretty easy but was totally frustrating as it is not documented and no one seems to have had this issue and resolved it and/or told anyone about it.

The closest I found to my issue was a post where the issue resolved itself without any explanation by a user here

Here is a screenshot of what I’m seeing in XenCenter

Position 4 is the disk that was giving me trouble.

I got this error when setting up a fresh install and for some weird reason this was simple as stopping Nagios twice, at some point I must have started it twice and I just had to stop twice and start up Nagios again.

Updating Ubuntu via command line for DynDNS might be something you need to do as well, here is an easy way to get that done.

Running a Linode I decided it would just be easier to use Dynamic DNS for the name as I am a firm believer in using DNS for everything over remembering IP Addresses. The problem with DynDNS is that after 30 days of no updates it will expire any DNS entry you have submitted if it isn’t updated, for this reason you need to have some sort of automated update utility in those situations to just keep the lights on.

Install the package via apt

sudo apt-get install ddclient

The gui then runs in command line with pretty straightforward questions that you can answer easily (such as your user and password), you can even let it detect your dns entries available from that account.
once that is done it is best to configure the system to actually auto update do this by editing the conf file

sudo nano /etc/ddclient.conf

add the following line

daemon=1036800

that number is the number of seconds in 12 days, you can make that whatever you want but I have a static IP so all i want it to do is update faster than the minimum expiry window which is a month, this way it tries twice in a month in case the first one tires out for any reason.

Hint: if you are too lazy to figure out “12 days in seconds” like me, just google exactly that phrase and it will convert it for you! http://lmgtfy.com/?q=12+days+in+seconds

Why Bother with DNS updates at all if you have a static IP?

I find this is more than ever a good habit with the inevitable IPV6 impending doom, you might find it easy to remember your current 32-Bit address such as 10.1.1.100 but how will you be when that IP changes to 0000:0000:0000:0000:0000:0000:0a01:0164, seems simple now since you are only using the first 32-Bits for them but once we start using the rest of that 128-Bits, everything will change. There will be no asking someone to ping fe80:0:0:0:202:b3ff:fe1e:8329 will there? (or at least I hope not).

If you need more guidance because things aren’t working how they should then there is a great article on the Ubuntu site.

https://help.ubuntu.com/community/DynamicDNS

I was looking for an alternative to using the default OSX SSH client built into the terminal, something that would be similar to Putty for windows.
I wanted something with bookmarks and ideally something free (because I’m cheap), unless something really did something super for me in the world of secure terminals I can’t see a reason to pay for it.

I was also getting annoyed by the issue of the built in terminal using my mac account by default when i tried to ssh as i would always forget to put in the “-l root” or “ssh user@1.2.3.4” or similar before hitting an IP. If this is your single issue however there is a solution.
http://fabien.potencier.org/article/19/quick-ssh-tip
Which means that once you have that alias setup, it isn’t ideal however.

I ended up with iTerm2 as my choice http://code.google.com/p/iterm2/

Some steps to attempt to resolve lockups when opening itunes.

I have the current model (2010) macbook air and since updating all the software including an itunes and osx combo update everything freezes and the only resolution is to power down and back on again.

Any attempt to open itunes freezes the computer completely, from reading up it seems this issue is isolated to the current model of the MacBook Air.