Recently we needed to add a new alias to a share for it to be accessible from 

1. Add DNS A record for that name ( e.g. fileshare -> 192.168.0.33 )
2. run setspn -S host/fileshare existingfileshareserver (e.g. setspn -S host/filenew file01)

• No Comments

$sid = (Get-ADUser -Filter {sAMAccountName -eq "<yourfiltervalue>" }| Select-Object SID) 
([string]$sid).ToCharArray() | % { $sidToHex += ("{0:x} " -f [int]$_) }
 $sidToHex

• No Comments

We had a synology that died a death and had to swap the HD out to a new system , Recently a colleague came to me with another device and he found this is a known fault with Intel c2000 failures

https://community.synology.com/enu/forum/1/post/120548?page=18&sort=oldest

Can be temp fixed with a 100ohm resistor

• No Comments

Recently I was trying to setup an LAG LCAP bond between a SG500X Cisco Stack and a HP Procurve Aruba Stack.

HP

trunk 1/A1 trk2 trunk lacp

Cisco SG500x

Upon plugging the ports in , the Cisco Port Light would go Active and start flashing , the HP Port would briefly go sold on the Mode light for 2-3 Seconds then go Off

Status of both ports in config were both Off ( even though the Cisco port light was flashing )

After much trial and error , messing with STP and LAG settings , we moved to another port and it worked straight off , so it was a Dud port Cisco END!

• No Comments

You have a device connected to a Router ( Fortigate for this case ) with two IP’s on different Subnets

• You try and speak to the Device on IP1
• Using best path traversal it comes back on the other IP2
• Due to this, the Packets are out of Sync ( and the Router drops the Requests coming from the other IP as it should of been coming back on IP1 )
• This is to stop this attack https://en.wikipedia.org/wiki/Replay_attack – the firewall tries to ensure symmetry in its traffic by using the same source-destination combination 

Solutions

• Disable Anti Replay https://kb.fortinet.com/kb/documentLink.do?externalID=FD47428 , Confirm Access and Communication on IP2 , Disable IP1 , Re-enable Anti Replay
• Remove Gateway for the IP2 and speak to it via the Switch in the same Vlan instead of via a router
• Change the Reply to come back out the same interface with App Config https://unix.stackexchange.com/questions/4420/reply-on-same-interface-as-incoming

• No Comments

I was recently trying to decommission a Storage drive D:\ from an Exchange server

All the Databases and logs had been moved off apart from one folder D:\ExchangeLogs\OfficeGraph\GraphStorageCompactLogs which could not be deleted and it was being used and w3wp.exe ( IIS )  locked a file 

Per this it’s actually ” Graph API is for hybrid Exchange 2016, since you don’t have Hybrid mode, I suggest to disable Graph API service to see if it will prevent that error events happening. 

https://blogs.msdn.microsoft.com/deva/2017/07/22/use-microsoft-graph-api-to-reach-on-premises-cloud-users-of-hybrid-exchange-2016/

There is no way to configure this, so in the end, I have to remove the drive manually

• No Comments

Recently I was trying to backup a workstation using Veeam Agents using Local Credentials

When the job ran to install the Veeam Agent an error came up 

The network name cannot be found. (ERROR_BAD_NET_NAME).

Trying to ping the IP and DNS worked fine

I was trying to Authenticate using .\Administrator ( Which should use its local Administrator account as on the domain

I had to change to PCNAME\Administrator to get it work 

• No Comments

Recently trying to remove a mailbox however was greeted with the error “mailbox database is associated with one or more active MailboxImport“

Doing a

Get-MailboxImportRequest | Remove-MailboxImportRequest

Still did not work , in the end I had to use ADSI Edit to Nagivate to the below path and clear the value manually

CN=Configuration  -> CN=Services -> CN=Microsoft Exchange -> CN=DOMAIN -> CN=Mailbox Replication -> CN=MailboxImportRequests

• No Comments

Recently a user tried to send an email from 365 to 365 user  ( external not internet ) and got the following bounce back  

Generating server: SYYP282MB0848.AUSP282.PROD.OUTLOOK.COM

Remote Server returned ‘450 4.5.0 Unable to proxy recipient (6a40c324-f14c-4772-8173-153f28bd5a97,c668bfef-4e9a-4374-9709-f7cc3ab2e31e)’

A look at the headers showed it never left 365! The email was resent and did not bounce back , there must of been an internal 365 issue

• No Comments

Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access to the domain controller on a LAN or via VPN.

To trace this 365 support were able to use the below script from here

Download the file Auth.zip from https://cesdiagtools.blob.core.windows.net/windows/Auth.zip

Logs as shows : 

To obtain the TGT we starting locating a DC and fail to find one standard Dclocator (expected as no VPN or connection to Domain Controller)

Now we see a call to KDCProxy, this is what is responsible for getting you authenticated without having a line of site to your DC.

Line two of this tells you the KDC proxy gateway is connecting too

This is what we see when the correct password is entered.

The question in my mind , was how was it able to get KDC proxy gateway address? Its a FQDB used by the RDP Gateway , and the below found my answer

“This is called the KDC Proxy Service (KPS), and it was introduced as a supporting service for Direct Access and Remote Desktop Gateway deployments”

KDC Proxy is installed with 2016 Server Remote Desktop Gateway role , so if you have a Terminal Server Enviroment listing on Port 443 which it needs for the Gateway you have this running!

But I have never seen this elsewhere and they have RDP Gateway roles?

This site gives a nice rundown of it all KDC Proxy for Remote Access (syfuhs.net) – There’s a little known feature in Windows called the KDC Proxy that lets clients communicate with KDC servers over an HTTPS channel instead of TCP.

By default , the Keys HttpsClientAuth and DisallowUnprotectedPasswordAuth do no exist in  HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings , however this setup they did 

Which enabled this Password reset without connection to Domain Controller

Its must secure to Enable this without Password Auth and Windows Hello instead as you open yourself up for a Brute Force attack ( as the Logins are not restricted and count towards lockout polices ) 

• No Comments