Tuesday, December 28, 2021

Aruba 5400R Dual Management Card Redundancy Configuration / Firmware Update

 redundancy management-module nonstop-switching

show redundancy

redundancy rapid-switchover 60

redundancy switchover

show redundancy detail


Firmware-

boot set-default flash primary 

write memory

boot standby

show redundancy (wait for sync)

redundancy switchover 

Monday, October 25, 2021

How to copy all UPNs (usernames) to email address field in AD.

Check users email fields-
 get-aduser -Filter * -Properties mail | select name,mail | Out-GridView


Command to copy-
Get-ADUser -LDAPFilter '(userPrincipalName=*)' -Properties userPrincipalName,mail |
    Select-Object * |
    ForEach-Object { Set-ADObject -Identity $_.DistinguishedName -Replace @{mail=$($_.userPrincipalName)} }
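
A safer variant of the bulk copy above, added here as an example and not part of the original post: it touches only users whose mail differs from the UPN, saves the old values first, and runs in preview mode. $BackupPath and Restore-MailFromBackup are hypothetical names chosen for this example.

```powershell
# Added example, not from the original post. $BackupPath and
# Restore-MailFromBackup are hypothetical names.
Import-Module ActiveDirectory
$BackupPath = ".\mail-before-$(Get-Date -Format 'yyyyMMdd-HHmmss').csv"

# Users that have a UPN and whose mail is empty or differs from it.
$targets = Get-ADUser -LDAPFilter '(userPrincipalName=*)' -Properties mail |
    Where-Object { $_.mail -ne $_.UserPrincipalName }

# Save the current values so the bulk change can be reversed.
$targets | Select-Object DistinguishedName, UserPrincipalName, mail |
    Export-Csv -Path $BackupPath -NoTypeInformation

# Preview only: remove -WhatIf to write the changes.
foreach ($u in $targets) {
    Set-ADUser -Identity $u.DistinguishedName -Replace @{ mail = $u.UserPrincipalName } -WhatIf
}

function Restore-MailFromBackup {
    param([Parameter(Mandatory)][string]$Path)
    foreach ($row in Import-Csv -Path $Path) {
        if ([string]::IsNullOrEmpty($row.mail)) {
            # -Replace rejects an empty value, so a previously empty attribute is cleared.
            Set-ADUser -Identity $row.DistinguishedName -Clear mail -WhatIf
        } else {
            Set-ADUser -Identity $row.DistinguishedName -Replace @{ mail = $row.mail } -WhatIf
        }
    }
}
```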

Tuesday, October 12, 2021

How to set up Mimecast Personal Portal to authenticate to DUO Cloud SSO (SAML2) 2021

 Here is how to set up Mimecast to work with Duo's Cloud SSO.  The online instructions are confusing and inaccurate.


DUO SSO-
Deploy and configure DUO SSO if you haven't already.
https://duo.com/docs/sso

DUO Application-
In Duo, go to Applications and click Protect an Application. Search for Generic; there will be two Generic Service Providers. Select the one that says "2FA with SSO hosted by DUO".

Fill in the following-
Entity ID- us-api.mimecast.com.ACCOUNTCODE (replace ACCOUNTCODE with your account code; it will be something like CUSA88U99)
Assertion Consumer Service (ACS) URL- https://us-api.mimecast.com/login/saml
Copy the metadata URL to notepad, you'll need it later.
Name (under settings)- Mimecast
Leave everything else alone, click save.

Mimecast-
Administration, Services, Applications, Authentication Profiles, Default Authentication Profile.
Check the box that says "Enforce SAML Authentication for Mimecast Personal Portal"
Provider- Other
Metadata URL- paste the Metadata URL you copied earlier.  Click Import.
Click Save and Exit.
Repeat above if you want to enforce User Applications.
Repeat above in Administration, Services, Applications, Authentication Profiles, Account_Administrators_Authentication_Profile if you want to enforce it for admins.



Thursday, September 30, 2021

Start Menu won't open for users on Windows Server 2016

 1. DISM /Online /Cleanup-Image /RestoreHealth

2. Get-AppXPackage -AllUsers | Foreach {Add-AppxPackage -DisableDevelopmentMode -Register "$($_.InstallLocation)\AppXManifest.xml"}

3. Delete this folder for each user: C:\Users\username\AppData\Local\TileDataLayer

Wednesday, September 29, 2021

Chrome "You cannot visit localhost right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

 

You get- "You cannot visit localhost right now because the website uses HSTS. Network errors and attacks are usually temporary, so this page will probably work later."

IF YOU'RE CERTAIN the page is safe, you can type thisisunsafe and you will be able to reach the site.



Tuesday, September 28, 2021

Delete or Disable AD account but keep mailbox in Office 365

You want to keep a user's mailbox indefinitely, however, you do *not* want to keep their AD account (or you want it disabled).  Converting it to a shared mailbox still anchors it to their AD account, so purging that deletes the mailbox.


 - Delete or Disable the account in AD.

 - Run an AD Sync.

 - Ensure the account is gone in Office 365. 

 - In Office 365 Admin Center, open the Azure Active Directory Admin Center.

 - Go into Users, Deleted Users, find the user in question, check the box and click "Restore User".

 - Go into the user's cloud account and reapply the license.

 - Once their mailbox is in Exchange Admin Center, convert the mailbox to a shared mailbox.

 - Remove the license from their user account.

Saturday, September 18, 2021

You get HTTP 500 after Exchange Security Update (SU)

 (Get-AuthConfig).CurrentCertificateThumbprint | Get-ExchangeCertificate | Format-List

New-ExchangeCertificate -KeySize 2048 -PrivateKeyExportable $true -SubjectName "cn=Microsoft Exchange Server Auth Certificate" -FriendlyName "Microsoft Exchange Server Auth Certificate" -DomainName @()

Set-AuthConfig -NewCertificateThumbprint <Thumbprint from New-ExchangeCertificate above> -NewCertificateEffectiveDate (Get-Date)

Set-AuthConfig -PublishCertificate

Set-AuthConfig -ClearPreviousCertificate

IISReset

Friday, September 17, 2021

VEEAM B&R- Warning Skipping credentials backup because the encryption is disabled.

 In Veeam Backup and Replication you get the notification "Warning Skipping credentials backup because the encryption is disabled. This will complicate the restore process significantly. Enable configuration backup encryption to stop receiving this warning."


Personally, I do not want the credentials stored in the configuration backups, so this is the desired behavior.  To suppress this warning-

HKEY_LOCAL_MACHINE\SOFTWARE\Veeam\Veeam Backup and Replication "ConfigurationBackupSuppressEncryptionWarning", DWORD, value "1"

Sunday, September 12, 2021

Upgrade VMware ESXi 7.0.2 server to Update C to resolve Dell server hanging/USB issue

ESXi 7.0U2a Build 17867351

ESXi 7.0U2c Build 18426014

ESXi 7.0U3 Build 18644231

ESXi 7.0U3a Build 18825058

From SSH-

esxcli network firewall ruleset set -e true -r httpClient


esxcli software profile update -p ESXi-8.0U1c-22088125-standard -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml


esxcli network firewall ruleset set -e false -r httpClient

esxcli software vib list |grep driver_name
esxcli software vib remove -n driver_VIB_name 

esxcli software vib update -d /vmfs/volumes/{Datastore-Name}/VMWare-ESXi-6.5.0-Update2-9298722-HPE-preGen9-650.U2.9.6.8.3-Sept2018-depot.zip


esxcli software profile get

esxcli software sources profile list -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep ESXi-7.0

Run the update process:
esxcli software profile update -d https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml -p ESXi-7.0U3a-18825058-standard

ESXi-7.0U3a-18825058-standard
ESXi-8.0U1c-22088125-standard

List profiles - Online

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml

Use grep to filter the list for your version-

esxcli software sources profile list --depot=https://hostupdate.vmware.com/software/VUM/PRODUCTION/main/vmw-depot-index.xml | grep -i ESXi-6.7

Monday, August 16, 2021

How to convert a mailbox to be a shared mailbox, and remove their AD (Active Directory) account

 If you want to convert a mailbox to shared to preserve it, but you want to disable or delete the AD account, do the following-


 - Go into mailboxes in Exchange Admin Center, click "Convert to Shared" on the right.

 - Go to the users in Microsoft 365, remove the user's license.

 - Disable or delete the AD account, wait for Azure AD to sync.

 - Under Admin Centers, click Azure Active Directory, Users, Deleted Users.  Select the users and click "Restore Users."  This will move them to a "Cloud User" which will need to be maintained to prevent the mailbox from being deleted.  This account will not be able to log into the mailbox, however, so it presents a pretty minimal risk.  You can set a complex password and enable MFA.

Tuesday, August 10, 2021

Enable Modern Authentication (ModernAuth, OAuth) in Office 365, resolve Outlook Clients not using modern auth.

 First- Ensure Office 365 is set for Modern Auth-

    - Log in to the Office 365 portal, Edge seems to work the best.
    - Admin Centers, Exchange, Classic Exchange Admin Center.   
    - Hybrid, click "Configure" under Exchange Online Powershell Module.
    - Type "Connect-EXOPSSession -UserPrincipalName <your UPN>"
    - Get-OrganizationConfig | ft OAuth*
        - If it's set to "True", you're good to go, modern auth is enabled.
    - If it's set to false- 
Set-OrganizationConfig -OAuth2ClientProfileEnabled $True
    - Give it a couple of hours.

If a user is still getting the basic prompt in Outlook-

    - Go into control panel, credential manager, delete everything related
    - In regedit, go to HKEY_CURRENT_USER\SOFTWARE\Microsoft\Office\16.0\Common\Identity. 
    - Create a new DWORD named "EnableADAL" and give it a value 1

If that doesn't work-

    - Create a new DWORD named "DisableAADWAM" and give it a value 1
    - Create a new DWORD named "DisableADALatopWAMOverride" and give it a value 1








Wednesday, July 28, 2021

Cisco ASDM "This app can't run on your PC" error message

 

  1. Choose Start > Cisco ASDM-IDM Launcher, and right-click the Cisco ASDM-IDM Launcher application.

  2. Choose More > Open file location.

    Windows opens the directory with the shortcut icon.

  3. Right click the shortcut icon, and choose Properties.

  4. Change the Target to:

    C:\Windows\System32\wscript.exe invisible.vbs run.bat

  5. Click OK.

Tuesday, July 13, 2021

How to Hard Match a user on Office 365

  • Move the user to an OU that is not monitored by AD sync, perform an export, go to Azure AD and permanently delete the user.
    • Install-Module MSOnline
    • Connect-MsolService -Credential $credential
    • import-module adsync 

  • [system.convert]::ToBase64String((Get-Aduser dfcoughlin).objectGUid.ToByteArray())
  • Set-MsolUser -UserPrincipalName user@abc.com -ImmutableId <INSERT B64 ID HERE>

  • Move the AD user back to the monitored OU.


Other way to get GUID-
  • Get-ADUser -Identity "<username>" 

  • Convert the GUID to Base 64
    • $guid = "3ab39606-c642-489b-84b6-58c038d3ef39"
    • $base64 = [system.convert]::ToBase64String(([GUID]$guid).ToByteArray())
    • $base64

How to unlink a cloud Azure AD account with the corresponding On Prem User (DeletingCloudOnlyObjectNotAllowed)

# Change UPN to "onmicrosoft"
set-MsolUserPrincipalName -UserPrincipalName user@domain.com -NewUserPrincipalName user@yourcompany.onmicrosoft.com
# Setting a new Random Immutable ID
set-MsolUser -UserPrincipalName user@yourcompany.onmicrosoft.com -ImmutableId "Z/-XGv2W4kWPM1mR/ddSdn!)"
# Changing it back to the original UPN
set-MsolUserPrincipalName -UserPrincipalName user@yourcompany.onmicrosoft.com -NewUserPrincipalName user@domain.com
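
To check a hard match or an unlink after the fact, the ImmutableId can be decoded back to a GUID and compared with the on-prem objectGUID. This is an added example, not code from the original post; the function names are hypothetical, and the sample values are the GUID and the random ImmutableId shown above, for which no GUID is returned because it is not Base64.

```powershell
# Added example: pure conversions, no AD or Azure AD connection required.
function ConvertTo-ImmutableId {
    param([Parameter(Mandatory)][Guid]$ObjectGuid)
    # Guid.ToByteArray() stores the first three fields little-endian, so other
    # tooling must use the same byte order to produce the same string.
    [Convert]::ToBase64String($ObjectGuid.ToByteArray())
}

function ConvertFrom-ImmutableId {
    param([Parameter(Mandatory)][string]$ImmutableId)
    try {
        $bytes = [Convert]::FromBase64String($ImmutableId)
    } catch {
        return $null    # not Base64, e.g. a deliberately random anchor
    }
    if ($bytes.Length -ne 16) { return $null }   # a GUID is exactly 16 bytes
    [Guid]$bytes
}

function Test-HardMatch {
    param(
        [Parameter(Mandatory)][Guid]$OnPremGuid,
        [Parameter(Mandatory)][string]$CloudImmutableId
    )
    $decoded = ConvertFrom-ImmutableId $CloudImmutableId
    [pscustomobject]@{
        Expected    = ConvertTo-ImmutableId $OnPremGuid
        Actual      = $CloudImmutableId
        DecodedGuid = $decoded
        Matches     = ($null -ne $decoded -and $decoded -eq $OnPremGuid)
    }
}

# Sample values taken from the steps above.
$guid = '3ab39606-c642-489b-84b6-58c038d3ef39'
Test-HardMatch -OnPremGuid $guid -CloudImmutableId (ConvertTo-ImmutableId $guid)
Test-HardMatch -OnPremGuid $guid -CloudImmutableId 'Z/-XGv2W4kWPM1mR/ddSdn!)'
```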

Wednesday, July 7, 2021

No drivers will install, you get "The Data is Invalid"

 Check to make sure the following services are NOT disabled, and start them-

Device Install Service
Device Setup Manager
Device Association Service


Tuesday, June 22, 2021

ASDM Certificate Authentication

  - Open up powershell-

$rootcert = New-SelfSignedCertificate -Type Custom  `
-Subject "CN=ASARoot" `
-KeyExportPolicy Exportable `
-KeySpec Signature `
-HashAlgorithm sha256 `
-KeyLength 2048 `
-CertStoreLocation "Cert:\CurrentUser\My" `
-KeyUsageProperty Sign `
-KeyUsage CertSign

 - Run MMC, add Certificates, User, go to Personal, Export, no to private key, pick Base-64 encoded, save file.

 - Log into ASA- 

MyASA(config)# crypto ca trustpoint ASACERT
MyASA(config-ca-trustpoint)# no ca-check
MyASA(config-ca-trustpoint)# enrollment terminal
MyASA(config-ca-trustpoint)# no id-usage
MyASA(config-ca-trustpoint)# exit
MyASA(config)# crypto ca authenticate ASACERT

 - Log into ASDM, Network Client Access, Anyconnect Connection Profiles, select profile and click Edit, set authentication to certificate only.

Monday, May 10, 2021

Cisco VPN dropping connection/RDP

sysopt connection preserve-vpn-flows

iPhone Secret Codes

 Field Test Mode- *3001#12345#*, Call.

Get IMEI- *#06#

Get Data Usage- *3282# or #3282

Bill Balance- *225# or #225 or #225#



Thursday, April 15, 2021

Exchange Issues with Updates

Reinstall CU 23-
.\setup.exe /m:upgrade /IAcceptExchangeServerLicenseTerms

Wednesday, April 7, 2021

Windows Update Fails, error 80072efe

Windows Update fails with error 80072efe.  Looking at C:\Windows\WindowsUpdate.log, you see Windows is unable to access a URL that begins with sls.update.microsoft.com.

If you open https://sls.update.microsoft.com in Internet Explorer, you get "This page can't be displayed."

SOLUTION-

Open HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Cryptography\Configuration\SSL

Delete Functions key. Reboot.

You're welcome.  This took me FOREVER to find.

Monday, March 8, 2021

Exchange HAFNIUM Vulnerability - Consolidated Information

 Information on Exploit-
https://www.microsoft.com/security/blog/2021/03/02/hafnium-targeting-exchange-servers/

Alternate Mitigation-
https://msrc-blog.microsoft.com/2021/03/05/microsoft-exchange-server-vulnerabilities-mitigations-march-2021/

Script to check server-
https://github.com/microsoft/CSS-Exchange/tree/main/Security

Microsoft Safety Scanner-
https://docs.microsoft.com/en-us/windows/security/threat-protection/intelligence/safety-scanner-download

Friday, February 12, 2021

How to reset Windows Update

net stop wuauserv 

net stop cryptSvc 

net stop bits 

net stop msiserver 


del /f /q "%ALLUSERSPROFILE%\Application Data\Microsoft\Network\Downloader\qmgr*.dat" 

del /f /s /q %SystemRoot%\SoftwareDistribution\*.*  

del /f /s /q %SystemRoot%\system32\catroot2\*.* 

del /f /q %SystemRoot%\WindowsUpdate.log


net start wuauserv 

net start cryptSvc 

net start bits 

net start msiserver 

Wednesday, January 6, 2021

You cannot register RHEL, you get rhsm.connection.RestlibException: HTTP error (401 - Unauthorized): Service not available, please try again later

 You cannot register RHEL, you get rhsm.connection.RestlibException: HTTP error (401 - Unauthorized): Service not available, please try again later

subscription-manager register --username your_username --password 'your$password'

subscription-manager attach --auto


To re-register-

Un-register the system :

sudo subscription-manager remove --all
sudo subscription-manager unregister
sudo subscription-manager clean

Re-register the system :

sudo subscription-manager register
sudo subscription-manager refresh

Search for the Pool ID :

sudo subscription-manager list --available

Attach to subscription :

sudo subscription-manager attach --pool=<Pool-ID>

Clean YUM and cache :

sudo yum clean all
sudo rm -r /var/cache/yum

Update the resources :

sudo yum upgrade

Monday, January 4, 2021

RDS- Kill Session from Command Line

  - Open powershell as administrator.

 - run qwinsta.exe

 - Run rwinsta.exe <session#>