Tuesday, March 26, 2013

The operation failed the messaging interfaces have returned an unknown error (Solved)

Found this issue on a windows 7(32bit) pc running outlook 2010 pro plus (32bit)
I run a Google Apps environment so I’m running the Google Apps sync tool(GASMO).

This particular user needed both a google apps account and an exchange account running simultaneously.
Everything seemed fine but this error pops up when you try to add an email address to any existing contact or try to create a new contact with an email address.
I could create a new contact without an email address but not with.

After much googling with no decent results I just started trudging around in Outlook trying to find a solution. I saw that both the exchange and the Google Apps account had the same name for the contact list “contacts” so I renamed one and after a restart of outlook. Fixed!


Error Message:

The operation failed the messaging interfaces have returned an unknown error.


Solution:
In Contacts in Outlook:
Right click the google apps contact list: properties -> outlook address book (tab)
Rename the list from “contacts” to something else eg. “google contacts”
Restart Outlook


Posted by admin in
Permalink
Thursday, June 28, 2012

How to request a certificate from windows server through the command line

To use the Certreq.exe utility to create and submit a certificate request, follow these steps:
Create an .inf file that specifies the settings for the certificate request. You can use the following sample code to create an .inf file.

[Version]

Signature=”$Windows NT$

[NewRequest]
Subject = “CN=corpdc1.fabrikam.com” ; must be the FQDN of domain controller
EncipherOnly = FALSE
Exportable = FALSE ; TRUE = Private key is exportable
KeyLength = 1024   ; Common key sizes: 512, 1024, 2048,
  ;  4096, 8192, 16384
KeySpec = 1         ; Key Exchange
KeyUsage = 0xA0   ; Digital Signature, Key Encipherment
MachineKeySet = True
ProviderName = “Microsoft RSA SChannel Cryptographic Provider”
ProviderType = 12
RequestType = CMC

; Omit entire section if CA is an enterprise CA
[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[RequestAttributes]
CertificateTemplate = WebServer ;Omit line if CA is a stand-alone CA
SAN=“dns=corpdc1.fabrikam.com&dns=.fabrikam.com&dns=ldap.fabrikam.com”

 

Save the file as Request.inf.
Open a command prompt.
At the command prompt, type the following command, and then press ENTER:
certreq -new request.inf certnew.req
This command uses the information in the Request.inf file to create a request in the format that is specified by the RequestType value in the .inf file. When the request is created, the public and private key pair is automatically generated and then put in a request object in the enrollment requests store on the local computer.
At the command prompt, type the following command, and then press ENTER:
certreq -submit certnew.req certnew.cer
This command submits the certificate request to the CA. If there is more than one CA in the environment, the -config switch can be used in the command line to direct the request to a specific CA. If you do not use the -config switch, you will be prompted to select the CA to which the request should be submitted.

The -config switch uses the following format to refer to a specific CA:
computername\Certification Authority Name
For example, assume that the CA name is Corporate Policy CA1 and that the domain name is corpca1.fabrikam.com. To use the certreq command together with the –config switch to specify this CA, type the following command:
certreq -submit -config “corpca1.fabrikam.com\Corporate Policy CA1” certnew.req certnew.cer
If this CA is an enterprise CA and if the user who submits the certificate request has Read and Enroll permissions for the template, the request is submitted. The issued certificate is saved in the Certnew.cer file. If the CA is a stand-alone CA, the certificate request will be in a pending state until it is approved by the CA administrator. The output from the certreq -submit command contains the Request ID number of the submitted request. As soon as the certificate has been approved, it can be retrieved by using the Request ID number.
Use the Request ID number to retrieve the certificate. To do this, type the following command, and then press ENTER:
certreq -retrieve RequestID certnew.cer
You can also use the -config switch here to retrieve the certificate request from a specific CA. If the -config switch is not used, you are prompted to select the CA from which to retrieve the certificate.
At the command prompt, type the following command, and then press ENTER:
certreq -accept certnew.cer
After you retrieve the certificate, you must install it. This command imports the certificate into the appropriate store and then links the certificate to the private key that is created in step 4.


Posted by admin in
Permalink
Thursday, June 14, 2012

Find Deleted DNS records with the DNSTombstoned attribute and ADFIND

ADFind is an invaluable resource for searching fields and pretty much anything in the heart of AD.
I wanted to enable some changed scavenging rules and be able to watch what was deleted during that new scavenge.
It took some searching to figure out exactly what I wanted (because the help window in a command prompt drives me bonkers).

adfind -nodn -csv -f (dnstombstoned=TRUE) > test.csv

And a breakdown of all of these commands are:

-nodn will strip the distinguished name, so instead of dc=blah,dc=blah,dc=domain,dc=com etc etc, you just get the name

-csv for csv output

-f filters to the specific attribute and its state (=true means it is tombstoned obviously)

> test.csv this is the standard fare for exporting/piping text to a text file instead of to the command window

I hope this helps someone else who may want to just be able to watch their tombstoned records.


If you want to look at these records in depth.
adsiedit allows you to view and edit all domain fields (so be careful), however you can see this attribute on any field if you need to and even edit it.
All records are located in:
dc=domaindnszones,dc=domain,dc=com


Posted by admin in
Permalink
Thursday, February 09, 2012

Cannot Open your default email folders gsync.dll

Installed the Google Sync tool for Outlook with this following error and found a quick fix.
I found this on a google solutions post.


Error Message:

Error: Cannot open your default e-mail folders. An unexpected error has occurred.
MAPI was unable to load the information service gsync.dll. Be sure the service is correctly installed and configured.


1) Right-click “My Computer” and choose properties
2) Click the “Advanced” tab
3) Click “Environment Variables”
4) In the lower box, double-click “Path”
5) For the variable value, leave what’s there, but at the end of the line add the following (the semi-colon at the beginning is supposed to be there):

;C:\Program Files\Google\Google Apps Sync

6) Click “OK” until all of the dialogs are closed
7) Open Outlook


Posted by admin in
Permalink
Friday, January 06, 2012

Export from outlook for mac to mail

Trying to get mail out of outlook for mac and into mail was easy, once I knew how.

Mail that is in archives in outlook can be dragged folder by folder to the desktop (subfolders won’t work so carry them across individually). You literally just grab the folder and drag it onto the desktop and it will be stored as an mbox file.
From there you can just go into mail and choose File->import mailboxes-> files in mbox format
This will just import them as local folders in the mail app.

Perfect


Posted by admin in
Permalink
Thursday, December 08, 2011

Handy AD LDAP Fields (Active Directory)

Moving through my customization of adaxes, I have stumbled across some awesome fields that in general are great to know about.
This will hopefully be a work in progress list as I find more treasures.

proxyAddresses: If you are like me and have no exchange server but need a way to have aliases synced to google apps, you use this field, handy to list this to see all the aliases a user has.
badPwdCount: Showing you how many times a bad password has been entered.
badPasswordTime: Showing the time of the last bad password entered.
lastLogon: Last time a logon to a domain controller was logged.


Posted by admin in
Permalink
Wednesday, December 07, 2011

Rename a Domain Controller

AS of 2003 functional level domains running server 2008 machines only, you can rename the domain controllers with netdom.
for 2003 and below domain controllers, there are other articles helping you out that meet that need.

Run the following command
NETDOM computername oldcomputername.local /add:newcomputername.local
Make sure DNS propagation is up to date with the new name then run
NETDOM computername oldcomputername.local /makeprimary:newcomputername.local
you will need to reboot the DC now to apply that change.
then remove the old name
NETDOM computername newcomputername.local /remove:oldcomputername.local


Posted by admin in
Permalink
Tuesday, November 29, 2011

Change Users Default Number of Machines Limit in Active Directory

Change mS-DS-MachineAccountQuota

The process is:
- Start ADSI Edit (start/run/adsiedit.msc)
- Expand out the Domain node, right click on DC=

,DC=com and select properties
- Move down to ms-DS-MachineAccountQuota
- Modify the value as appropriate, or clear the value to remove the limit entirely.


Posted by admin in
Permalink
Friday, August 26, 2011

Google Apps Proxyaddresses email alias field edits without an exchange server

Problem: Edit proxyaddresses field without an exhchange server. Solution: Easy

I am running an Active Directory (AD) environment internally but have no exchange server, it’s all nice and shiny 2008 servers so the attributes I need for snycing aliases with google apps sync tool are there.

The way to alter these fields so that I can add and sync aliases with google apps is to open up the active directory users and computers mmc and up the top from the “View” drop-down select “Advanced Features”.
Now when you open up a user, you get a new bunch of tabs, one of which is “Attributes Editor” in there you get a non scary gui version of ADSI edit, just scroll down to the “proxyaddresses” field and edit it, add and remove full email addresses as you see fit!

Amazingly easy and means people who aren’t savvy with adsi edit (or you don’t want touching adsi edit) are able to administer aliases for your google apps deployment.


Posted by admin in
Permalink
Thursday, August 11, 2011

Install Dell Open Manage on XEN

I am doing some funky stuff with Nagios monitoring XEN servers and part of that is a template that will monitor the DELL hardware through open manage (Fans, RAID, PSU, Temperature).
There wasn’t alot of great info on just how you install this properly so here it is.

I followed the guide HERE to install Dell OpenManage Server Admistrator (OMSA), hardware management tools such as RAID manager (omconfig), and to be able to upgrade the BIOS/firmware on the XenServer host hardware from the XEN console. Updating the firmware from the console is so much easier since you can retrieve the packages from DELL via the internet and just install them right in the console rather than messing about with burning disks or usb sticks or having to run through the clunky DRAC console to update the firmware.

If you run into problems installing # yum install srvadmin-all , use the following to fix:

Open /etc/yum.repos.d/CentOS-Base.repo and

Add enabled=1 at the end of Base & Updates config; just compare the below with your file.

[base]
name=CentOS-$releasever - Base
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=os
#baseurl=http://mirror.centos.org/centos/$releasever/os/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1

#released updates
[updates]
name=CentOS-$releasever - Updates
mirrorlist=http://mirrorlist.centos.org/?release=$releasever&arch=$basearch&repo=updates
#baseurl=http://mirror.centos.org/centos/$releasever/updates/$basearch/
gpgcheck=1
gpgkey=file:///etc/pki/rpm-gpg/RPM-GPG-KEY-CentOS-5
exclude=kernel-xen*, *xen*
enabled=1

Now run yum clean all
and proceed from yum install srvadmin-all


Also they neglect to tell you to enable and start the services for this to all work:
# /opt/dell/srvadmin/sbin/srvadmin-services.sh status
# /opt/dell/srvadmin/sbin/srvadmin-services.sh enable
# /opt/dell/srvadmin/sbin/srvadmin-services.sh start

You can access the interface from https://host.ip:1311

I have firewalls enabled on XEN which I’m pretty sure is the default so I couldn’t access the OpenManage web interface.
I had to add some iptables rules.

in /etc/sysconfig/iptables

I had to add the following so I could connect to it from my LAN:
Under :INPUT ACCEPT [0:0]

# Dell OpenManage Rules
-A INPUT -p tcp -m tcp—sport 1024:65535—dport 1311 -m state—state NEW -j ACCEPT
-A INPUT -p tcp -m tcp—sport 1024:65535—dport 1311 -j ACCEPT
-A INPUT -p udp—dport 161 -j ACCEPT

Restart iptables
/etc/init.d/iptables restart

If you are doing this for nagios and are polling snmp, modify the snmp on XEN
Edit the following file:
/etc/snmp/snmpd.conf

change com2sec notConfigUser default     public
Change out public with your secret
then service snmpd restart

Done!


If you know your way around the XEN console, here are the cliff notes of those articles:

Grab the omsa 6.5 install from the dell repo:
wget -q -O - http://linux.dell.com/repo/hardware/OMSA_6.5/bootstrap.cgi | bash

Fix repositories so you can yum some additional packages
Open /etc/yum.repos.d/CentOS-Base.repo and add enabled=1 at the end of Base & Update config

Install srvadmin-all
yum install srvadmin-all

Enable and start the services:
# /opt/dell/srvadmin/sbin/srvadmin-services.sh status
# /opt/dell/srvadmin/sbin/srvadmin-services.sh enable
# /opt/dell/srvadmin/sbin/srvadmin-services.sh start

Poke some holes in IPTABLEs to expose the nonstandard port of the web interface
in /etc/sysconfig/iptables

-A INPUT -p tcp -m tcp—sport 1024:65535—dport 1311 -m state—state NEW -j ACCEPT
-A INPUT -p tcp -m tcp—sport 1024:65535—dport 1311 -j ACCEPT
-A INPUT -p udp—dport 161 -j ACCEPT

Restart iptables
/etc/init.d/iptables restart

/etc/snmp/snmpd.conf

If you are doing this for nagios and are polling snmp, modify the snmp on XEN
Modify: /etc/snmp/snmpd.conf
change com2sec notConfigUser default     public
Change out public with your secret
then service snmpd restart

You can access the interface from https://host.ip:1311

If you need to do Firmware upgrades, follow the commands on the Dell OMSA article


Posted by admin in
Permalink
Wednesday, August 10, 2011

Google Apps Password Sync with Active Directory (AD)

Sync Active Directory Password with Google Apps working
I started a long journey of setting up google apps for an organization and found out the hard way that when you synchronize accounts using googles apps directory sync tool (GADS). http://www.google.com/support/a/bin/answer.py?answer=106368
That passwords, are not synced. The full reason for this is explained at the end of this article.  It’s long whinded and there be dragons.

For a short summary, here is what is required.
1. Secure the Division attribute: By default this field is visible to ANY authenticated user, this means you have put all passwords into unsalted SHA1 hashes and any user with the knowhow could poll for the entire domains userbase and get all their passwords. Again understanding why this is bad is explained at the end of this article.

2. sha1hexfltr – this DLL is installed on all writeable domain controllers (DC’s), it captures/intercepts any password resets AFTER it is installed and makes a SHA1 hash of the password and puts it in the division attribute field. This is accessible from LDAP, this makes it ideal because LDAP is how the Google Apps sync tool gets all its info to the Google servers.

3. Sync account creation: It may seem obvious but some people make some glaring mistakes about this part of the process and are just so happy it is working, they forget to finish off an important part of this process.

1. Secure the division attribute so people can’t crawl it
I used to try and do this by attempting to lock down the division attribute. This, as it turns out is not possible to do (or if it is, it isn’t easy).
so the new approach for this is found here: http://angrytechnician.wordpress.com/2011/05/04/securing-your-google-apps-sha1-password-hashes/#


2. Install DLL on domain controllers (write DC, not on read only RODC)
download link here
http://code.google.com/p/sha1hexfltr/wiki/installation

Installation procedure for 2008 R2 64bit/32bit

Downloaded older Oct 2009 64bit dll for 2008 (the one that doesn’t specify win2k3)
2 - Copy the file to the ‘Windows/System32’ directory.
Why you don’t need to put anything in the syswow64 directory
http://en.wikipedia.org/wiki/WoW64
It’s for 32bit apps running on a 64bit architecture, irrelevant when you have the 64bit DLL
3 - Register the filter
• Click Start -> Run
• type ‘regedit’ -> click ‘OK’
• Go to: HKEY_LOCAL_MACHINE -> SYSTEM -> CurrentControlSet -> Control -> Lsa
• Modify ‘Notification Packages’ by adding sha1hexfltr to the end of the list ( Do NOT include the ‘.dll’ part. )
• Reboot for the filter to take effect.

Was able to run before and after the reboot, handy to run before in case you are like me and running on automatic, don’t check a servers architecture and copy/install the 64bit DLL on a 32bit server.

rundll32 sha1hexfltr.dll,about

in a command window and it responded “test this” hooray.

Note: sometimes windows can lock these downloaded files, you may need to right click -> properties and unlock the file so it isn’t prevented from being readable.


Why can’t I just use LDAP synchronizing in realtime like my VPN appliance etc.

LDAP is not supported in this manner with google, due to the distributed nature of their setup. This is not feasible, they must hold copies of passwords as you will not all hit the same server and may change servers at any time. They probably hold your mail on tens if not hundreds of servers worldwide at once, how are you supposed to get authentication working in that type of distributed nature from your one little LDAP server? Let alone creating a massive single point of failure for your setup, googles 99.99% uptime goes out the window if your LDAP server can’t talk to their systems and all of a sudden no-one can logon to see their mail.

Why cant Googles apps tool just get my passwords out of active directory?

You cannot retrieve your passwords because Active Directory (in its current iteration) stores passwords as an LM hash and an NT hash and stores them in the Security Accounts Manager (SAM).
http://social.technet.microsoft.com/Forums/en-US/winserverDS/thread/034a0e33-a8ab-474e-ba6c-3371724d0be1/
If you are reading this, find out it is on for your system and want to disable it. You should read this article, http://support.microsoft.com/kb/299656 you can prevent LM storing from happening at all.
This goes a long way to you being a better admin and securing your network against attacks. These are the kinds of things that separate the systems that earn Microsoft the name of being unsecure from those that don’t. As with any system, it’s only as secure as the person administering it. Be aware that legacy systems can be affected by this so be very sure this will not break functionality, (that is what your test domain that everyone has is for right? right?)

What not to do

Don’t have an admin account that can be removed, at the least your sync tool has two options. When a user is dropped from AD (delete the GAPPS account or suspend it) always suspend. There is a 10 day turnaround on an account that is deleted. You heard me right, go on, do it now. Go into your console, create a new user account, great, now delete it, now try to recreate it. Oh that error message is not fun when you thought you would just delete and recreate a user to save the headache of something that would have taken you 10 minutes to resolve.

This could be CATASTROPHIC to your environment if you get this wrong.

Make sure that the account is well labeled and all admins are well aware of the impacts of moving or doing anything to this account.

If admin account gets suspended
http://www.google.com/support/a/bin/request.py?hl=en&contact_type=cuf&rd=1
to request a reset, doesn’t require you to be able to send email which you may have broken.
Password resets are set to go to an alternative in the google apps cpanel, make that something you can access easily. I just created a free gmail account called mydomainnamepasswordrecovery@gmail.com

- DO NOT turn on “store passwords using reversible encryption”
Here is why
http://blog.teusink.net/2009/08/passwords-stored-using-reversible.html
Someone happily discussing how easily this allows you to export all passwords as clear text.

I also discovered an article talking about the initial setup with screenshots if you are having trouble getting that far through this process. http://sgoodger.wordpress.com/2010/04/14/google-apps-directory-sync-and-ad-passwords/#comment-162


Posted by admin in
Permalink
Thursday, August 04, 2011

VMWare Fusion Bootcamp cannot open the disk or one of the snapshots disks it depends on

I got this error after I restored a time machine backup and had to rebuild my bootcamp from scratch.
Uninstalling and reinstalling vmware fusion didn’t help.
The solution was to delete the records of the old bootcamp setup and when i next opened vmware fusion and hit start on the bootcamp image, it rebuilt it and worked like a charm.


Delete the following folder with VMWare Fusion closed
\Users\

\Library\Application Support\VMware Fusion\Virtual Machines\Boot Camp
Start VMWare Fusion and click start on the bootcamp image, it will rebuild and should start up fine.


Posted by admin in
Permalink
Friday, July 22, 2011

OSX Lion Problems and Fixes so far

A fresh Lion install and an upgrade are running side by side at the moment to just start heavy user testing so we can OK the deployment ASAP.

Issue 1 VMWare Install fail: VMWare Fusion failed to install on my fresh install of Lion - Solved

Issue 2 Joining to domain succeeded, home drives are not mapping

Issue 3 Parallels: Unresponsive on Lion - Solved


Issue 1 VMware Resolution: Kexts are not registered properly and I had to fix that by hand in the command line.

cd /Library/Application\ Support/VMware\ Fusion/kexts/
sudo kextutil vmci.kext
sudo kextutil vmioplug.kext
sudo kextutil vmmon.kext
sudo kextutil vmnet.kext

Issue 2 AD mapped home drive: Solution not found yet, will be working on that shortly.
Testing: Apple have changed the procedure for changing logging level in OD, troubleshooting directory services through the following now.
In terminal: odutil set log debug
revert with: odutil set log default
debug logs sent to /var/log/opendirectoryd.log


Issue 3 Parallels unresponsive: Updated to Version 6 seems to have resolved that.


Posted by admin in
Permalink
Thursday, June 16, 2011

Windows 7 Slow Remote Desktop

If you are having issues with remote desktop sessions being really slow and laggy, this can be related to Vista and Windows 7 (Windows Auto Tuning).


The fix that has worked for our testing is the following:

Run a command prompt as an administrator (this requires you to be a local administrator of the machine you are doing this on)

type the following command:

netsh interface tcp set global autotuninglevel=disabled

This should resolve the laggy or slow response in some remote desktop windows, the remote desktop windows will need to be closed and reconnected.

If you ever need to remove this option due to any adverse effects, use the following command to return this setting to default:

netsh interface tcp set global autotuninglevel=normal

How to run a command prompt as an administrator:

Demonstrated in this screenshot, you can access this by clicking on the start menu,

in the search bar typing cmd and then right clicking on the search result as displayed in the screenshot below and clicking run as administrator.


Posted by admin in
Permalink
Tuesday, June 14, 2011

Xencenter virtual disk device path unknown

Trying to add an additional virtual disk to an existing VM it listed the new disk as Device path

, it was also listed as not active.

The solution turned out to be pretty easy but was totally frustrating as it is not documented and no one seems to have had this issue and resolved it and/or told anyone about it.

The closest I found to my issue was a post where the issue resolved itself without any explanation by a user here

Here is a screenshot of what I’m seeing in XenCenter

Position 4 is the disk that was giving me trouble.


I had numbered the disk with the name “3” and its device path was listed as “


There are two things to try here, I suspect that the drive number 3 had been used previously where someone had created the disk and then deleted it and for some reason there was residual of the drive in the system somewhere that I couldn’t see it.

So I had numbered it 3 and changed that to 4 to escape that problem, I did notice that when it finally came up that it gave it a device path of /dev/hde instead of /dev/hdd which would be the next logical drive label. This also leads me to believe this was the issue.

The other thing I did during this troubleshoot however was to shut the server down to a powered off state, rather than just reboot it. I’m unsure which was the fix but both are worth a try to see if they resolve the issue for you.


Posted by admin in
Permalink
Page 1 of 6 pages  1 2 3 >  Last »