Westminster's NetMan

The Network Manager at Westminster School presents solutions to sticky problems...

Friday, 21 August 2015

Remote Routing Address Woes - A Hybrid Exchange Problem

So you have to have the Hybrid Exchange. You are better off with either all in, or all out, but Hybrid is an option. There are some problems with Hybrid and that's when you get the Remote Routing Address wrong. How do you change it?

You create a user in the On Premises Active Directory, and then you let it sync to the cloud. You set up your licensing and then you run Enable-RemoteMailbox which includes the -RemoteRoutingAddress option. Of course, if you get it wrong...

Exchange Online will not let you change it. Exchange On Premises refuses to recognize the option in Set-RemoteMailbox. So... you now have to delete the RemoteMailbax, which in turn deletes the user account, you have to... 

Well, no. See, the value is stored in AD under the value targetAddress. Change this and your problems are over.

Added a lot of users in one go? Have a lot to change? No fear:

Create a CSV file with two headings: email, remote

Under email add "userprincipalname=username@domain" This is your filter.
Under remote add "SMTP:username@domain.onmicrosoft.com" being the correct remote routing address in the correct format for the targetAddress value. Now, turn to powershell (run as administrator, of course):

Import-Module ActiveDirectory
new-psdrive -PSProvider activedirectory -Name Users -Root "AD:\OU=Users,DC=domain,DC=com"
Set-Location Users:
$users = import-csv c:\temp\users.csv
foreach ($user in $users) {
write-host $user.email
Set-ItemProperty -filter $user.email -path * -Name targetAddress -Value $user.remote
}

The write-host line is for comfort only. The Set-ItemProperty does not report back when run in a script.

Wednesday, 8 April 2015

When does Appendable not mean Appendable?

When you use Append Infinite in Backup Exec 2014...

When a media set is set to Append Infinite the media automatically becomes un-appendable. The work around is to apply a limited append period to the media set and your media becomes writeable for append jobs once more.

Remember also: Only the first tape in a media set can be appendable. If the job runs over to a second tape it will only try to overwrite it, not append to it.

Thursday, 26 March 2015

Displaying C# Dialogs in the 64bit SCCM Task Sequence

Task Sequence Variables are a powerful tool when deploying new Operating Systems with Task Sequences in System Center 2012 R2. With a Task Sequence Variable, stored on a collection, you can reduce the number of Task Sequences you maintain. Each action or group of actions can be executed based on what the content of a Task Sequence Variable is.

The next logical step to using Task Sequence Variables for existing systems is to use them for unknown computers. For that you need a user dialog box to appear at the start of the Task Sequence to allow the person building the new PC to select what options to include in the build. You might want to be very specific about the drivers you install, for example.

For a Task Sequence with a 32bit boot image Psexec.exe is perfect for launching a dialog in Session 0. Without the option to do this the dialog does not appear. The application will run but it cannot display a GUI without having been launched in the same session at the Task Sequence.

However, 32bit is a bit old in the tooth. Most sensible people are now switching to 64bit operating systems. Psexec.exe however is a purely 32bit application that will not run on a 64bit WinPE image because WinPE does not support Windows on Windows (WOW64.) There are instructions on Technet Blogs about how to write your own application, which you then have to go search out each step of the way.

I did this and found the path a bit harrowing. It's not for the feint hearted but it's doable. I managed to write it first time. To make the application specific to Task Sequences (and not exploitable for other uses) it is written in such a way that it is tied to the task sequence process and will otherwise fail. If you like you can download it from here.

To use it, add it and the dialog executable to a package. In the task sequence use a "Run Command Line" option. Specify the package and for the command-line use tslaunch.exe

This was built for .Net 4.5.1 and works with the Window 8.1 64bit WinPE image (6.3.9600.16384)

If you would like the source code, please contact me on Google+ and I'd be happy to oblige.

Saturday, 12 July 2014

Upgrade to VMWare VI 5.5 going wrong?

When upgrading to VI 5.5 all seemed to go fine, until Virtual Machines started failing to vMotion. Failing at 13% with the wonderfully clear and helpful explanation: "a general system error occurred: invalid argument"

Further to that, our Veeam installation was failing to replicate and backup with the following errors:

Error: Client error: NFC storage connection is unavailable. Storage: [stg:datastore-446,nfchost:host-6879,conn:]. Storage display name: []. Failed to create NFC download stream. NFC path: [nfc://conn:,nfchost:host-6879,stg:datastore-446@/.vmx]. 

A similar error was produced if you tried to browse the datastores and download a file from them.

None of the solutions on Veaam or VMWare helped. 

The only solution was to rebuild the Host from scratch using a 5.5 image. Of course, without vMotion live VMs cannot be migrated. But rather than shutting down and cold migrating all the VMs, just suspend them. It's only Live Migration using vMotion that fails. VMs are then only down for ~30 seconds if you are quick.

Wednesday, 8 May 2013

Xubuntu 12.10 on VMware Desktop Crash

Using Xubuntu (server edition) as a CUPS print server serving AirPrint clients seemed like a good idea and, on the whole has worked out to a fair degree of success. We did have one problem that could have been a show stopper.

When logging out of the X session, the lightdm login manager would crash without recovery. The same thing happens if you try to change the desktop resolution from its initial cramped 800x600 workspace. These days, anything smaller than 1024x768 feels like the dark ages.

The solution? Create your own config. Now X used to create xorg.conf files based on user input. These days X does everything on the fly based on auto-detect. The xorg.conf is therefore defunct and on its way out the door. You can always try to run X -configure (remembering to shutdown your existing xwindows session) but you might run into the same problem as us, where the configure script runs into problems and panics, leaving you without a configurable script.

That is not the end of the World. The brave new world of the modern X server now uses additional files that it finds in the /usr/share/X11/xorg.conf.d directory. These additions are added to the auto-config on startup and prove to be very useful in stabilising what might end up being an unstable configuration.

We are running VMware 5.1. The VM does not have 3D graphics enabled. We created a file in said directory called 10-monitor.conf and added the following information:

Section "Monitor"
    Identifier    "Monitor0"
    HorizSync 1.0 - 10000.0
    VertRefresh 1.0 - 10000.0
EndSection
Section "Device"
    Identifier    "Device0"
    Driver        "vmware"
EndSection
Section "Screen"
    Identifier    "Screen0" 
    Device        "Device0"
    Monitor       "Monitor0"
    DefaultDepth  24 #Choose the depth (16||24)
    SubSection "Display"
        Viewport 0 0
        Depth       24
        Modes     "1024x768"
    EndSubSection
EndSection

Save the file and log out. Now the login manager displays at 1024x768 and after logging in, changing the resolution to 1024x768 no longer produces the hang and crash scenario.

Tuesday, 16 April 2013

RPC over HTTP with Apache's mod_proxy

Well, let us get the bad news over and done with. Unless you revert to 2.0.53 or earlier, you can forget proxying RPC over HTTP with Apache web server.

Why is this?

Apache prefetches the entire body before establishing a connection. This mitigates a serious smuggling exploit that is detailed here: http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2005-2088

Microsoft's idiosyncratic implementation of RPC over HTTP establishes two connections, RPC_DATA_IN and RPC_DATA_OUT, in order to send data between the Outlook Client and the Exchange Server, or between the Remote Desktop Client and Desktop Gateway. The problem is that the client sends a minuscule amount of data over the RPC_DATA_IN connection, somewhere in the region of 100 bytes. This is not enough to trigger a connection in the Apache implementation of HTTP/1.1

While not strictly forbidden in the RFC, it does mean that allowing the connection creates an insecure environment. Consequently no amount of begging is going to make Apache developers change their minds. To make matters worse, Microsoft in their protocol publication, have applied their right to enforce patents on the use of their protocol. Game over.

So if you are looking for RPC over HTTP, you will have to stay with Microsoft, who, in their infinite wisdom, have apparently ditched their very successful ISA/TMG product without a replacement. Either that or not use Microsoft products in future. We may well tell our users that Outlook Anywhere is no longer an option rather than punch holes in our firewalls to allow what is by design an insecure protocol.

Tuesday, 9 April 2013

Building Apache 2.4.4 from the Unix source with Openssl, zlib, libxml2, ipv6 support on Windows with Visual Studio 2012 to x86 binaries

Why would I want to even think about it? Well, because all the binaries compiled for windows have IPv6 disabled by default and the only way to enable it is to compile it yourself. Now I have to warn you, it took me well over a week to figure out what was going on and had endless failures. This procedure that follows is likely to test your patience, however, the result is a working Apache httpd running on Windows Server 2012.

That is, one that has been compiled from the original sources, and not one that has been added to by Bob down the road who has slipped in his own datalogger, if you know what I mean...

The main requirements are: Visual Studio 2012, the Platform latest SDK, perl and awk in the environment path, and CMake. Next...

Download it all

Download the latest version of apache source and unpack (Unix sources suffice) into a httpdxx root directory. All the following packages will end up in the srclib directory.
Download latest version of openssl source and unpack in to sub directory srclib\openssl
Download latest version of zlib source and unpack into in to subdirectory srclib\zlib
Download latest pcre source
Download the expat binaries compiled for windows and put into srclib\win32\bin\release
Download the prceombiled binaries and the dev packages for libiconv and copy into srclib\libiconv
Download the source for libxml2 and place into srclib\libxml

Build pcre

Unzip source into a seperate directory from your httpdxx directory. Add a build subirectory as a destination for your CMake build. Use CMake to create a solution for native Visual C 11 with the following options:
• BUILD_SHARED_LIBS Yes
• CMAKE_INSTALL_PREFIX (your httpdxx\srclib\pcre folder)
• PCRE_SUPPORT_UTF
Open the solution in Visual Studio and change to Release. Check the project to make sure that PDB’s are created. Compile the BUILDALL project. If all compiles, build the INSTALL project. Make sure the binaries end up in the same place.
Copy the pcre.dll and pcre.pdb into the srclib\pcre (needed because of badly written includes and this was the easiest option.)

Build zlib

Open your Visual Studio Dev Environment command line and cd to httpdxx\srclib\zlib
open VS Command Prompt and navigate to srrclib\zlib. build using:
nmake /f win32\Makefile.msc
nmake /f win32\Makefile.msc test

Build Openssl

cd to httpdxx\srclib\openssl
perl Configure VC-WIN32 enable-camellia no-idea no-rc5
(You do not really want zlib compiled into openssl do you? I’m shocked. Really!)
ms\do_ms.bat
nmake -f ms\ntdll.mak
Create an empty file store.h in srclib\openssl\inc32\openssl or OpenSSL will fail to build into the rest of the projects.

Prepare httpd

Update srclib\apr\include\apr.hw and change: (default is 0) This enables IPv6
#define APR_HAVE_IPV6           1
Run the following from the root of the httpd source to deal with UNIX line endings and prepared the projects for use with .net compilers:
>Perl .\srclib\apr\build\lineends.pl
>Perl .\srclib\apr\build\cvtdsp.pl -2005
Now open Visual Studio and open the Apache.dsw workspace file. It will convert the file to a Apache.sln and convert all the projects to .vcxproj.
Change properties of libhttpd:
Configuration Properties -> Linker -> General -> Additional Library Directories add .\srclib\pcre\lib (Location of pcre.lib)
Configuration Properties -> C/C++ -> General -> Additional Include Directories add ./srclib/pcre/include (location of pcre.h)
Open ApacheMonitor.rc and comment out the following line with a #:
"CREATEPROCESS_MANIFEST_RESOURCE_IF RT_MANIFEST "ApacheMonitor.manifest""
Change the Properties of ApacheMonitor:
Configuration Properties -> C/C++ -> Manifest Tool -> Input and Output -> Additional Manifest Files. Add ApacheMonitor.manifest
Change the properties of Mod_xml2enc
Configuration Properties -> C/C++ -> General -> Additional Include Directories add ./srclib/apr-iconv/lib

Build Libxml2

The Libxml2 source contains a folder called win32\VC10. Add the libxml2.vcxproj to your Apache solution. Change the properties of the libxml2 project. (You may need to upgrade the project first by going to Project -> Upgrade Projects.)
Configuration Properties -> General
-Configuration Type Dynamic Library (.dll)
Configuration Properties -> C/C++ -> All Options
-Enable Function-Level Linking: No
-Enable Instrisic Function: No
-Output Directory ..\Release (Or it will go into the httpd\Release folder. Not a good idea. You will need to create a win32\Release folder)
Configuration Properties -> Linker -> All Options
-Output File: ../Release/libxml2.dll
-Additional Library Directories: ../../../libiconv/lib;../../../libiconv/bin
-SubSystem: Windows
-Additional Dependencies: libiconv.lib;libcharset.lib;ws2_32.lib;mswsock.lib;
-Link Time Code Generation: Default
-Generate Debug Info: Yes
Modify mod_proy_html and mo_xml2enc. These two projects need Lib2xml.
Configuration Properties -> C/C++ -> All Options
-Additional Include Directories: ../../include;../../srclib/apr/include;../../srclib/libiconv/include;../../srclib/apr-iconv/include;../../srclib/apr-util/include;../../srclib/libxml2/include;
Configuration Properties -> Linker -> All Options
-Additional Library Directories: ../../srclib/libxml2/win32/Release;../../srclib/libiconv/lib;../../srclib/libxml2/win32/bin.msvc;
-Additional Depdencies: (Add) ws2_32.lib;mswsock.lib;

Build Apache

Go to Solution Congifuration. Change to Release and remove the build tick from the following projects:
• all projects beginning apr_db
• BuildAll
• BuildBin
• Fcgistarter
• gen_test_char
• InstallBin
• Libarpiconv_ccs_modules
• Libarpiconv_ces_modules
• Mod_lbmethod_rr
• Mod_lua
• Mod_session_crypto
• Mod_socache_dc
Build the Solution. This should allow everything to build successfully. There may well be something I have missed. Believe me, it is possible to fix it! I did.
Open your Visual Studio Dev Environment command line.
>Cd \htppdxx\srclib\apr-iconv\ces
Use NMake to create a batch file from the MakeFile instructions:
>NMAKE /nologo /f Makefile.win BUILD_MODE="Win32 Release" BIND_MODE=shared /N /U >>make.bat
Edit the make.bat file to remove all the leading tabs and remove all of " /Yuinconv.h " This stops the building of components using precompiled headers, otherwise you get an external reference error.
Run the batch file to compile these, do NOT compile them in Visual Studio.
Do the same in the ccs directory.
Amend Makefile.win. Find the section list below and add the line in bold:
!IF EXIST("srclib\libxml2")
 copy srclib\libxml2\win32\$(LONG)\libxml2.$(src_dll) "$(inst_dll)" <.y 

 copy modules\filters\$(LONG)\mod_proxy_html.$(src_so)  "$(inst_so)" <.y
 copy modules\filters\$(LONG)\mod_xml2enc.$(src_so)  "$(inst_so)" <.y
Save MakeFile.win.
Finally go to the root of the source directory and run the install script to pull out all the compiled files into an installation directory (in my case D:\Apache24)
>cd \httpdxx
>nmake -f makefile.win INSTDIR=D:\apache24 SHORT=R LONG=Release _install

Strip the Binaries

You now have about 86MB of Apache Server. You can make that a lot lighter by doing the following.
Remove all the debug information (i.e. del /S /Q *.pdb)
Delete the Manual Directory (That why Google was invented)
Delete the Include and Lib directories (Unless you are going to do some development work using this set of binaries.)
You should now have about 8MB of web server.

Install on Server 2008 R2/2012

Install the Visual C redistributable (You will need the 2012 version, of course)
Copy your cut down binaries to your chosen location on your server.
From a (elevated) Command Prompt, navigate to bin directory and run:
httpd.exe –k install (installs as a service and starts…)
Configure Server using the configuration files
Now – I cheated – of sorts. In order to get an initially working conf file, I installed apache using the MSI and ran through the initial configuration. When I then compiled my own version of apache, I used the same working configuration file and amended it from there.

Configuration Gotchas

SSLPassPhraseDialog The default setting (builtin) does not work on windows so you need to point to a pass phrase programme. I used Notepad.exe. I removed the pass phrases from my passwords (Just Google “retrieving a key and certificate from a PFX file.” Very effective)
SSLSessionCache This requires a path not broken by spaces. If you have installed to the default location (as with the msi installed provided by apache) then you’re not quite stuck, but it feels it. Create a shortcut in the root of the c drive that points to your apache directory. Then use shmcb:C:\Apache\etc…

And that is it. As I have said, I have probably missed some things out here, but I do have a working solution, so it is possible, if akin to having your fingernail being pulled out.