Recently trying to remove a mailbox however was greeted with the error “mailbox database is associated with one or more active MailboxImport“

Doing a

Get-MailboxImportRequest | Remove-MailboxImportRequest

Still did not work , in the end I had to use ADSI Edit to Nagivate to the below path and clear the value manually

CN=Configuration  -> CN=Services -> CN=Microsoft Exchange -> CN=DOMAIN -> CN=Mailbox Replication -> CN=MailboxImportRequests

• No Comments

Recently a user tried to send an email from 365 to 365 user  ( external not internet ) and got the following bounce back  

Generating server: SYYP282MB0848.AUSP282.PROD.OUTLOOK.COM

Remote Server returned ‘450 4.5.0 Unable to proxy recipient (6a40c324-f14c-4772-8173-153f28bd5a97,c668bfef-4e9a-4374-9709-f7cc3ab2e31e)’

A look at the headers showed it never left 365! The email was resent and did not bounce back , there must of been an internal 365 issue

• No Comments

Recently had a customer be able to change passwords from Exchange webmail and for the password to sync back to their local computer without having direct access to the domain controller on a LAN or via VPN.

To trace this 365 support were able to use the below script from here

Download the file Auth.zip from https://cesdiagtools.blob.core.windows.net/windows/Auth.zip

Logs as shows : 

To obtain the TGT we starting locating a DC and fail to find one standard Dclocator (expected as no VPN or connection to Domain Controller)

Now we see a call to KDCProxy, this is what is responsible for getting you authenticated without having a line of site to your DC.

Line two of this tells you the KDC proxy gateway is connecting too

This is what we see when the correct password is entered.

The question in my mind , was how was it able to get KDC proxy gateway address? Its a FQDB used by the RDP Gateway , and the below found my answer

“This is called the KDC Proxy Service (KPS), and it was introduced as a supporting service for Direct Access and Remote Desktop Gateway deployments”

KDC Proxy is installed with 2016 Server Remote Desktop Gateway role , so if you have a Terminal Server Enviroment listing on Port 443 which it needs for the Gateway you have this running!

But I have never seen this elsewhere and they have RDP Gateway roles?

This site gives a nice rundown of it all KDC Proxy for Remote Access (syfuhs.net) – There’s a little known feature in Windows called the KDC Proxy that lets clients communicate with KDC servers over an HTTPS channel instead of TCP.

By default , the Keys HttpsClientAuth and DisallowUnprotectedPasswordAuth do no exist in  HKLM\SYSTEM\CurrentControlSet\Services\KPSSVC\Settings , however this setup they did 

Which enabled this Password reset without connection to Domain Controller

Its must secure to Enable this without Password Auth and Windows Hello instead as you open yourself up for a Brute Force attack ( as the Logins are not restricted and count towards lockout polices ) 

• No Comments

Setting up iSCSI with VMware ESXi and the FlashArray – Cody Hosterman

• No Comments

When Ciphertrust Managers ( Key Secures ) loose access to their Corresponding HSM device , they go in an offline state per below

The Certificates for the devices go back to self signed as well ( web-firstboot.keysecure.local ) 

On Reboot you get the normal locked issue of the boot device

When running

ksctl diskenc secureboot -i "Z:\PEMFile" --url https://keysecure --configfile file.yaml 

it might display the below error

Make sure your Yaml file is correct

• No Comments

When Optus provide details for a new internet connection they may be displayed in the below format. Bit confusing as CE\PE Wan is used as MPLS : 

Circuit ID : XXXXXXXXXXXX

THIS is your main Gateway

CE WAN IP : XXXXXXXXXXX

THIS is your main Address Block 

PE WAN IP : XXXXXXXXXXXX

Subnets Marks : 255.255.2555.252

THIS is your additional Address Block 

Requested /29 Global Ip Address Scope 

Order Reference : XXXXXXXXXXXXXXXXXX

CE WAN IP : XXXXXXXXXXX

PW WAN IP : XXXXXXXXXXXX

Subnets Marks : 255.255.2555.248

THIS is your main Address Block 

Usable IP Range : XXXXXXXXXX to XXXXXXXXXXXX

• No Comments

We’re collecting a standard set of instructions to follow for all consultants to save time and have a standard approach for ths;

Client Updated; Print Server Not Updated (Reported Behaviour: Dial comes up do you trust the server, then asks credentials, when trying to print)

Requires the following key on the Client

HKEY_LOCAL_MACHINE\Software\Policies\Microsoft\Windows NT\Printers\PointAndPrintRestrictDriverInstallationToAdministrators = 0 (REG_DWORD)

Reboot afterwards

Then at a later date we need to review workstation patching policies

Print Server Updated; Client Not Updated  (Check for Cumulative Update September)

Requires the following key on the Server

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Print\RpcAuthnLevelPrivacyEnabled = 0 (REG_DWORD)

Restart the print spooler on the server afterwards

This key was put in place in January to mitigate cve-2021-1678 but not enforced until now.

You’re expected going to have this issue if your workstations haven’t been updated since January but I’ve seen a few cases with more recently updated workstations.

Ref: https://support.microsoft.com/en-us/topic/managing-deployment-of-printer-rpc-binding-changes-for-cve-2021-1678-kb4599464-12a69652-30b9-3d61-d9f7-7201623a8b25

• No Comments

#Unlock diag user and set password

NETAPP::> security login unlock -username diag

NETAPP::> security login password -username diag

Go into Privileged Mode

NETAPP::> set -privilege advanced

Change to Diag User

NETAPP::> set diag

NETAPP::> systemshell local

Once here you can telnet like normal

NETAPP%>telnet mail.domain.com 25

to Break out 

CTRL C and CTRL D 

Relock Diag Account

NETAPP::> security login unlock -username diag

• No Comments

system node autosupport modify -node * -state enable -mail-hosts email%[email protected]:587 -to [email protected] -support enable

DNS Issues?

vserver services name-service dns show

• No Comments

1. Add new WAN interface, enable for Ping and HTTPS
2. Add a new Static Route with the gateway of ISP with interface of above
3. Make sure the distance is the same as the existing WAN interface( without the same distance it won’t appear in the routing table )
4. Try and ping ISP Gateway from CLI
5. Test Inbound access to https (on right port ) 
6. Add Policies for new Interface Inbound and Outbound
7. Make sure the priority is lower than the existing WAN connection for testing, when ready to match existing priority

• No Comments