Tag Archives: Microsoft

RDS, Windows Server 2019

Changing RDWeb default Port on Windows Server 2019

July 9, 2020 Mohammed Hamada Leave a comment

Story:

When you install RDS on a server which uses the port 443, you will get the following error when you try to access RDWeb main page.

Reason for this is the server you installed RDWeb on is most likely already using the port 443 or something else.

Error Message:

When trying to access RDWeb on the same server you’ll get the following error:

Service Unavailable

Http Error 503. The Service is unavailable

Troubleshooting

To Troubleshoot, Let’s see what is using the port 443.

Run CMD or PowerShell as an Administrator and type the following command

Netstat -anbo | findstr 443

Changing Port to 1443 or 8443

Let’s try changing the Port using the RD Gateway Manager

From the Gateway Manager click on the Properties on the right pane > Go to Transport Settings Tab and change the HTTPS port to 1443 or 8443

Changing Ports using Registry

Navigate to and make sure you first take a backup (Export the key)

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

Change the following registry value

IsUdpEnabled REG_DWORD 0

Backup and change the following port value to the intended one

[HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\TerminalServerGateway\Config\Core]

HttpsPort REG_DWORD (8443)

Change the base to Decimal to type the write port number.

Restart Service

From PowerShell restart the service

net stop tsgateway

net start tsgateway

Let’s see the listening port 8443

From PowerShell type

Netstat -anbo | findstr 8443

Let’s go to the main page and see if it works..

Voila! Finally it worked

Azure, Microsoft, Virtual Machine Manager

Deploy Azure Linux and Windows servers in 10 mins via cli

January 16, 2020 Mohammed Hamada Leave a comment

This is a step by step guide about deploying Linux or Windows servers on Azure via CLI.

Why Cli?

Some people prefer using Linux rather than PowerShell and it seems sometimes easier and faster to learn esp if you’re not GUI type of person.

Installation Options

If you’re working on Windows and would like to use CLI, you’ll have two options to install CLI

Option 1

Run Azure CLI installation directly from your Powershell (PowerShell needs to run from a privileged account)

Invoke-WebRequest -Uri https://aka.ms/installazurecliwindows -OutFile .\AzureCLI.msi; Start-Process msiexec.exe -Wait -ArgumentList ‘/I AzureCLI.msi /quiet’

As soon as you run this command, it’ll take about 5 mins or less depending on the connection you have.

Option 2

Download the MSI file directly from MS’s link and install it on your Computer.

https://docs.microsoft.com/en-us/cli/azure/install-azure-cli-windows?view=azure-cli-latest

Connect to Azure CLI from PowerShell

Run PowerShell or CMD and type the following command to connect

Az Login then hit enter

As soon as you type this, a web page will be launched asking you for your Azure Account credentials so open the session for your Cli window.

The moment you verified your account, PowerShell will list your azure plans that you have / had before.

If you’re going to use Linux (Ubuntu, Debian) flavor then you’d have to following the following instructions

Manual install instructions

If you don’t want to run a script as superuser or the all-in-one script fails, follow these steps to install the Azure CLI.

Get packages needed for the install process:

bash


sudo apt-get update

sudo apt-get install ca-certificates curl apt-transport-https lsb-release gnupg

Download and install the Microsoft signing key:

bash


curl -sL https://packages.microsoft.com/keys/microsoft.asc | 

    gpg --dearmor | 

    sudo tee /etc/apt/trusted.gpg.d/microsoft.asc.gpg &gt; /dev/null

Add the Azure CLI software repository:

bash


AZ_REPO=$(lsb_release -cs)

echo "deb [arch=amd64] https://packages.microsoft.com/repos/azure-cli/ $AZ_REPO main" | 

    sudo tee /etc/apt/sources.list.d/azure-cli.list

Update repository information and install the

azure-cli

package:

bash
```
sudo apt-get update

sudo apt-get install azure-cli
```

Run the Azure CLI with the

command. To sign in, use the az login command.

Run the

login

command.

Azure CLI

Try It
```
az login
```
If the CLI can open your default browser, it will do so and load an Azure sign-in page.

Otherwise, open a browser page at https://aka.ms/devicelogin and enter the authorization code displayed in your terminal.
Sign in with your account credentials in the browser.

To learn more about different authentication methods, see Sign in with Azure CLI.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

We will start first by creating a Resource Group for our Machine, calling it a AzureLinuxServersGroup to easily identify that this group contains our Linux Servers

az group create –name AzureLinuxServersGroup –location westeurope

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

First, How we know which Image to use and if that will be proper for our deployment?

To answer that, we will use the following command which will view the available latest edition Linux OS with different flavors.

I would like to use CentOS since its identical to RedHat and used by majority of Enterprises.

To list the Images, Enter the following command

az vm image list –output table

Notice there are many columns, The one which we are going to use in terminal command line is the UrnAlias. It’s important to remember this.

az vm create \

–resource-group AzureLinuxServersGroup \

–name AzureCentOSWP \

–image CentOS \

–admin-username Moh10lyUser \

–generate-ssh-keys

Since we are using Bash, It’s a case sensitive and it complained about user having capital letters. So we’ll go ahead and use small letters

After running the command with small letters, it’s telling us where we can find the keys in order for us to reach and get them to use later to login to this newly created machine.

SSH key files ‘/home/moh10ly/.ssh/id_rsa’ and ‘/home/moh10ly/.ssh/id_rsa.pub’ have been generated under ~/.ssh to allow SSH access to the VM. If using machines without permanent storage, back up your keys to a safe location.

The deployment of the machine takes about 3 mins, and it’ll be created with the default minimum resources. Let’s view

Our machine is ready to be accessed now

In order for you to get the SSH Keys, you’ll have to have a bit of knowledge

I am going to go the location mentioned previously after creating a machine and copy the keys from the bash screen into a file. Save the file and Import it into SSH client which I will be using (Bitvise in my case).

From the bash screen goto cd /

Cd /home/user/.ssh/

Cat id_rsa hit enter and copy the key and save it into notepad.

Cat id_rsa.pub and copy/save into a notepad as the public key.

After loading both keys, I was able to successfully login to the Server

Get a list of Azure VMS

az vm image list

Let’s List and deploy a WordPress on CentOS

To view the list of available CentOS images, we’ll use the following cli command

az vm image list -f CentOS –all

The image needs to be grabbed from dockerhub URL

cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type Linux –image cognosys:wordpress-with-centos-77-free:wordpress-with-centos-77-free:1.2019.1008 –dns-name-label azmohlinux –ports 22

Create Windows Server core with IIS

az container create –resource-group mohazbackupgroup –name mohcontainer –os-type windows –image mcr.microsoft.com/windoervercore/centos –dns-name-label azmohlinux –ports 22ws/servercore/iis:nanoserver –dns-name-label azmohiis –ports 80

Here we go I got a machine ready (took about 5 mins)

azmohiis.westeurope.azurecontainer.io

To delete the container, you can write the following

az container delete –resource-group mohazbackupgroup –name mohcontainer

Stay tuned for more articles about Azure.

ADFS, Office 365, Office365

Error After Migrating ADFS from 2012R2 to 2016

January 7, 2020 Mohammed Hamada Leave a comment

The Story:

You might have got a request to upgrade from ADFS 2012 R2 to Windows ADFS 2016.

This process can be complicated especially if you’ll have to migrate the Database as well and it would be more of an issue when the Database is WID (Windows Internal Database) since there’s no much documentation about troubleshooting issues involving WID on ADFS.

I have got a request from a client whom have done a migration with another consultant and obviously it was not done right.

Symptoms

On Windows 2016 ADFS when trying to update the ADFS SSL certificate I get the following error:

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

At line:1 char:1

Trying to update the database from 1 to 2,3 will also fail with the following error:

Invoke-AdfsFarmBehaviorLevelRaise

Error:

Database upgrade cannot be performed on AdfsServer.domain.com. Error: A database for the target behavior level already exists.

Troubleshooting:

If you’re installing ADFS on WID (Windows Internal Database) you should run the following to get the database name/Connect String

On ADFS Server

Open Windows PowerShell

Enter the following:
$adfs = gwmi -Namespace root/ADFS -Class SecurityTokenService

and hit Enter
Enter the following:
$adfs.ConfigurationDatabaseConnectionString

and hit enter.
You should see the connect string information.

Go to Service Console and stop ADFS Service or from Powershell type Net stop adfssrv

Run SQL Server 2017 Database Engine Tuning Advisor as an administrator

Use the Server name as this

\\.\pipe\MICROSOFT##WID\tsql\query

As for Authentication, Use the Windows Authentication with the user you’re logged into if you know that’s a privileged user and can authenticate, If not try with a user which you’ve done the upgrade of ADFS with.

After authenticating, You will be able to see AdfsConfiguration , AdfsConfigurationV3 and AdfsArtifactStore. What we need to see is that AdfsConfigurationV3 has data in it and is not totally empty.

After checking and comparing the size between V1 and V3, It appeared that V3 database is empty. So what next?

Solution

Deleting the AdfsConfigurationV3 was the first thought that hit my mind however, before deleting anything I always take a snapshot of the VM since backing up the WID is more painful and takes more time than simply backing up the VM (Checkpoint, Snapshot).

So the steps to fix this issue is

Taking a VM Snapshot/Checkpoint/Backup.
Download Microsoft SQL Server Management Studio from this link https://go.microsoft.com/fwlink/?linkid=864329
Install Microsoft SQL Server Management Studio on ADFS Server
Run MS SQL Server Management Studio as Administrator
In the Server Name type :

\\.\pipe\MICROSOFT##WID\tsql\query

Leave the Authentication as it is and logon.

From the SQL Object Explorer right click and Delete the AdfsConfigurationV3 and leave AdfsConfiguration Database only.

After deleting the Database, Start ADFS Service to make sure that it can load the old database without an issue.
Then run the cmdlet Invoke-AdfsFarmBehaviorLevelRaise and Accept by typing Y and Enter.

This might take about 5 minutes to finish.

When this process is done, You should see the following message indicating the success of the Database Upgrade.

To double check, We will run the cmdlet Get-AdfsFarmInformation

Updating Certificate

After this success, I am going to run the cmdlet below to replace the current certificate with the new one

Set-AdfsSslCertificate -Thumbprint 9b19426e17180c0b9c5d4atye53dda3bce9dbff

And here we go. It works perfectly fine

References:

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/troubleshooting/ad-fs-tshoot-sql

https://docs.microsoft.com/en-us/windows-server/identity/ad-fs/design/federation-server-farm-using-sql-server

Networking, VPN

Setting up SoftEther VPN with Most Secure Settings:

January 6, 2020 Mohammed Hamada Leave a comment

Why VPN?

Before reading this article or going through it maybe you want to know why you’re supposed to use VPN wherever you go ?

If you use one of the following on your computer/Phone/Tablet then you must use VPN

Online Banking?
Paying Bills?
Purchasing online Services?
Checking Private Emails?
Connecting to work Email?

The list goes on and on and won’t probably end with only those, But the most important thing to acknowledge that nowadays there is absolutely nothing safe on the Internet World. Your data could be exposed, hacked at anytime anywhere and esp if you go to public Internet places e.g. (Starbucks, University, Your Friend’s home even).

So what is SoftEther VPN Server/Client?

As introduced by Softether itself, SoftEther VPN (“SoftEther” means “Software Ethernet”) is one of the world’s most powerful and easy-to-use multi-protocol VPN software. It runs on Windows, Linux, Mac, FreeBSD and Solaris.

SoftEther VPN is open source. You can use SoftEther for any personal or commercial use for free charge.

Clients

SoftEther VPN is an optimum alternative to OpenVPN and Microsoft’s VPN servers. SoftEther VPN has a clone-function of OpenVPN Server. You can integrate from OpenVPN to SoftEther VPN smoothly. SoftEther VPN is faster than OpenVPN. SoftEther VPN also supports Microsoft SSTP VPN for Windows Vista / 7 / 8. No more need to pay expensive charges for Windows Server license for Remote-Access VPN function.

Use:

SoftEther VPN can be used to realize BYOD (Bring your own device) on your business. If you have smartphones, tablets or laptop PCs, SoftEther VPN’s L2TP/IPsec server function will help you to establish a remote-access VPN from your local network. SoftEther VPN’s L2TP VPN Server has strong compatible with Windows, Mac, iOS and Android.

Download

Download the Windows Server version of Softether from the following Page:

https://www.softether-download.com/en.aspx?product=softether

Installation Requirements:

Windows Server/Windows 10
4GB RAM
100 GB Disk
2 VCPU

These resources are estimated and not calculated, It’s only in case of small amount of users (Max 100 User). If you’re going to use more than that you’ll have to check depending on how many concurrent connections are there going to be.

Installation Steps:

As soon as you start Softether VPN – Create new Connection and set the password for the Administrator

Configure Softether as Remote Access VPN Server

I am going to setup new Remote Access VPN Server:

This will create a new Virtual Hub, Give it whatever name you want.

If you have no Static Public IP address

Set a dynamic DNS function name, This is useful in case the IP you have keeps changing like in the case of ADSL connections at home ..etc

VPN Type:

In the IPSEC/L2TP/EtherIP /L2TPv3 Server settings, you’ll need to choose the most secure VPN connection to allow your users to safely and securely browse the internet. This needs L2TP server function to be enabled along with setting the Ipsec Pre-Shared key to provide the most secure VPN connectivity.

AZURE Settings:

If you don’t have access to Firewall to configure NAT, or configure your firewall access to the Softthere VPN Server you must enable this feature (VPN Azure Cloud VPN Service (Free) by the Japanese University of Subuka.

We have set the Azure hostname previously already so no need to change it unless you wanna use something else.

Creating Users

I will create a user, assign it to my admins group, then Create a Certificate for this user to login to make sure I have the maximum security and authentication methods offered.

Creating Certificate

Since I already have created the root certificate, I Am going to create a client certificate for this particular user from the root certificate.

Finally user is created

Choosing the right connection to set as Local Bridge

I need to make sure to choose the NIC which reflects my internet outbound NIC in order to connect properly (In my case it’s going to be Ethernet 2)

Using the most secure Encryption Algorithm for our connection

By default Softether uses AES128-SHA, while this is considered secured and used by most common VPN service providers it’s always better to use something that’s level or more secure. So we are going to change the default changes to AES256-GCM-SHA384

To change those settings, Navigate to the main menu of Softether VPN Server Manager and click on “Encryption and Network”

Change the “Encryption Algorithm Name:” to AES256-GCM-SHA384

AES256-GCM-SHA384 is based on the cipher suite TLSv 1.3 which is considered the most recent and secure cipher suite that’s being used right now.

Default Setting:

Change to

Client Configuration:

In the setting name: we are going to enter a random name.
The hostname: will be the name which we created previously for Dynamic IP cases. This will be useful to remember even If you have a static Public IP address.
User Authentication Setting: We will be using the certificate which I created before (I copied this cert to my client computer where I am going to connect via the VPN client manager).
Virtual Hub Name: Here you’ll need to copy the exact name of the Virtual Hub name which you have created on the server side.

Connectivity Test:

After settings everything, I am going to try and connect with my user using Certificate and the Password I set.

Ref:

https://www.softether.org/

https://wiki.mozilla.org/Security/Server_Side_TLS

https://www.softether.org/4-docs/1-manual/3._SoftEther_VPN_Server_Manual/3.3_VPN_Server_Administration#3.3.6_Listener_Ports

https://www.iplocation.net/encryption

Licensing, Microsoft

KMS Server Deployment step by step Guide

January 2, 2020 Mohammed Hamada Leave a comment

So What is KMS ?

KMS stands for the abbreviation (Key Management Service) in which enterprises and big companies manage their Software, End user and Servers licenses keys through a single server (Called KMS) which automates the whole process of activation and eliminates the need for an individual or admin interfering to activate them.

Prerequisites for KMS Host:

In order to use KMS, You will need to install Server version of Microsoft Windows. This server can be installed on a Virtual machine or physical one. But still there are requirements to activate other machines.

Server needs to be joined to Domain to activate other machines/products.
VLSC (Volume License Service Center) Host Key (Can only be acquired through the VLSC portal.
If you’re going to activate any Office products (Office 2016/ Office 2019) then you’ll need to download the Office Volume License Pack for those products from the links attached.
Run the License Pack you downloaded and enter the Office Key to activate it.

After deploying Windows 2016/2019 Server you can install the role from Server manager or from PowerShell

KMS Installation

Launch powershell in Admin mode and run the following CMDLET

Install-WindowsFeature -Name VolumeActivation

Continue to the next window and add the required Features

The next window will let give you some information about the automation of the license activation for MS products and how KMS works.

There are two options of how activating licenses, One is through using a service or the other through joining server/computer to Active Directory KMS will auto activate products if their relevant KMS licenses are entered in the KMS Host server.

Install your Windows 2016/2019 KMS Host Server key to create AD Object for KMS

Choose your activation Method in order to activate the KMS server

If activation continues successfully you’ll be able to see KMS telling you that continuing will create an AD object . Click Yes to continue

We’ll wait until this finishes

When this works, The next window will give you a warning that Clicking Next will delete the current activation Object which is the AD object that has been previously created. Click Close since we want to keep that.

KMS Host Activation

To view the activation of your KMS Host, You can open CMD on the KMS Server and type

slmg.vbs –dlv

As you can see below, it’ll show summary information about the license you entered and other related info.

To make sure your installation has went successfully, you can launch ADSI Editor and see if the AD object has been created or not.

From CMD or Powershell type adsiedit.msc

Navigate to Configuration>Services> Microsoft SPP> You should see the Activation Objects there.

Activating Office 2016 / 2019

As we mentioned previously to activate office 2016 or Office 2019 you will need to download the Office License pack from the links attached previously.

– Office 2016 License Package link https://www.microsoft.com/download/details.aspx?id=49164

– Office 2019 License Package Link https://www.microsoft.com/en-us/downloads/details.aspx?id=57342

NOTE:

You should not launch Volume License Manager when activating Office products or when trying to enter a KMS License key for Office products, Instead when executing the Office Package it will launch it for you and all you have to do is Enter the Office license key and restart Microsoft Windows Client to get Office activated.

Verifying KMS is Working:

To check if KMS is working on the end user’s side we need to get our hands on one of those clients, restart the user’s PC and then launch one of Office apps and see if it’s activated or not. The condition for the End user is that they need to be domain joined to acquire a license from KMS server.

It gets activated right after a restart!

Reference

https://docs.microsoft.com/en-us/deployoffice/vlactivation/configure-a-kms-host-computer-for-office

https://docs.microsoft.com/en-us/deployoffice/vlactivation/activate-office-by-using-active-directory

Exchange 2016, Exchange 2019, Microsoft Exchange, Office365

Search and Delete certain Items/Folders from a Mailbox

December 16, 2019 Mohammed Hamada Leave a comment

The Story

During a project of Hybrid migration from Exchange on-premises to Exchange online, I was almost about to finalize the project by moving the last remaining users mailboxes however had an interesting issue to deal with where a user was failing with the following error:

Error:

Error: MigrationPermanentException: Mailbox dumpster size 50.87 GB (54,620,074,576 bytes) exceeds target quota 30 GB –> Mailbox dumpster size 50.87 GB exceeds target quota.

After some research it turned out that you can clean the dumpster using search-mailbox PowerShell cmdlet, Sync the user’s object with ADConnect and then continue the migration from the last failure.

To solve the issue, Go on your Exchange on-premises and launch Exchange Management shell

Solution:

First, Let’s see the user’s dumpster and recoverable items

Get-MailboxFolderStatistics -Identity “User” -FolderScope RecoverableItems | Format-Table Name,FolderPath,ItemsInFolder,FolderAndSubfolderSize

To Delete the dumpster only use this

Delete dumpster only

Search-mailbox -identity User -SearchDumpsterOnly –DeleteContent

To delete a certain email with certain subject in the dumpster use the following:

Get-mailbox “user”| search-mailbox –searchquery “Subject:’*'” –DeleteContent –SearchDumpsterOnly

The cmdlet will search and delete

Reference:

https://docs.microsoft.com/en-us/microsoft-365/compliance/search-for-and-delete-messagesadmin-help

Active Directory, Powershell, Security

Powershell script to audit users who authenticated against DC servers

December 10, 2019 Mohammed Hamada Leave a comment

The story:

I have got a request from a client asking to find out which server(s) is using which domain admin or a highly privileged account as a service.

To find this I already wrote a powershell script that does this, Search the non standard/(Domain only users) and show the services and name of the servers where those accounts are configured on utilizing Remote powershell to do so and the use of a Domain Admin user.

You can refer to this link to see this article by clicking here

Creating the script process:

The same client wanted to also know which of those accounts did authenticate and wanted to know from which server/Computer did the request originate from and to which DC did it go.

I have started thinking of the process of doing so by again utilizing remote PowerShell to check against certain security events on AD to check which user among the Domain admin members did authenticate.

After sometime and with the help of some forums I managed to get script ready which looks in all Domain Controllers for users that are members of the Domain Admin groups who triggered an event ID 4624 and from which Computer did this request came from.

The Script :

# Get domain admin user list
$DomainAdminList = Get-ADGroupMember -Identity 'Domain Admins'
# Get all Domain Controller names
$DomainControllers = Get-ADDomainController -Filter * | Sort-Object HostName
# EventID
$EventID = '4624'
#
# Get only last 24hrs
$Date = (Get-Date).AddDays(-3)
# Limit log event search for testing as this will take a LONG time on most domains
# For normal running, this will have to be set to zero
$MaxEvent = 100

# Loop through Dcs
$DALogEvents = $DomainControllers | ForEach-Object {
    $CurDC = $_.HostName
    Write-Host "`nSearching $CurDC logs..."
    Get-WinEvent  -ComputerName $CurDC -FilterHashtable @{Logname='Security';ID=$EventID;StartTime = $Date} -MaxEvents $MaxEvent |`
    Where-Object { $_.Properties[5].Value -in $DomainAdminList.SamAccountName } |`
    ForEach-Object {
        [pscustomobject]@{SourceIP = $_.Properties[18].Value; SamAccountName = $_.Properties[5].Value;Time = $_.TimeCreated;LogonEventLocation = $CurDC}
    }
}
$DALogEvents

How to run:

The Script must be run on DC with a privileged account in order to get the write results, The default time interval is set to 3 days but you can choose to increase that.

You can also change the default group where you want to search for members by changing Domain Admin groups to something else.

Screenshot of the result

Mac, Microsoft, Office 365, Office365

Microsoft Office 365 is available in Mac App Store now

January 24, 2019 Mohammed Hamada Leave a comment

Last year Microsoft has promised that it’ll bring Microsoft office 365 on the Mac App Store and today is the day.

The statement by MS reads:

“We are excited to welcome Microsoft Office 365 to the all new Mac App Store in macOS Mojave. Apple and Microsoft have worked together to bring great Office productivity to Mac users from the very beginning. Now, with Office 365 on the Mac App Store, it’s easier than ever to get the latest and best version of Office 365 for Mac, iPad, and iPhone.”
—Phil Schiller, Apple’s senior vice president of Worldwide Marketing

Office 365 apps are already available for Mac however, placing these app in Mac App Store gives the Mac users the capability to manage apps updates, control their installation and much more.

The Office 365 apps were supposed to be released last year but due to delay for unknown reasons they have postponed it to 2019.

Image of a MacBook open displaying Dark Mode in PowerPoint.

Download Office 365 from the Mac App Store.*

Exchange 2013, Exchange 2016, Exchange 2019, Microsoft, Security

Microsoft Exchange 2013–2016-2019 Security Vulnerability (URGENT)

January 9, 2019 Mohammed Hamada Leave a comment

CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability

Yesterday Microsoft has published an KB article about a security threat to Exchange 2013-2016 and 2019.

The article mentions CU10-CU11 for Exchange 2016, CU21 for Exchange 2013 and RTM version of Exchange 2019 as well.

I spoke to Microsoft of whether this issue affects earlier CU versions for Exchange and they confirmed it

Vulnerability details:

A remote code execution vulnerability exists in Microsoft Exchange software when the software fails to properly handle objects in memory. An attacker who successfully exploited the vulnerability could run arbitrary code in the context of the System user. An attacker could then install programs; view, change, or delete data; or create new accounts.

Exploitation of the vulnerability requires that a specially crafted email be sent to a vulnerable Exchange server.

The security update addresses the vulnerability by correcting how Microsoft Exchange handles objects in memory.

Download link:

https://support.microsoft.com/en-us/help/4471389/description-of-the-security-update-for-microsoft-exchange-server-2019

Exchange 2016, Microsoft

Installation of Exchange 2016 with DAG

September 25, 2015 Mohammed Hamada Leave a comment

1- Prepare for Installation of Exchange 2016

Friday, July 31, 2015

10:53 AM

Install-WindowsFeature RSAT-ADDS

From <https://technet.microsoft.com/en-us/library/bb691354{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}28v=exchg.160{308b10a016e19a1cd6a208cbc3961927e16fc6766a4020d3c4ef54ea17925f0f}29.aspx?f=255&MSPPError=-2147217396>

Install-WindowsFeature AS-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

Windows 2016 (Windows Server)

Install-WindowsFeature Net-HTTP-Activation, Desktop-Experience, NET-Framework-45-Features, RPC-over-HTTP-proxy, RSAT-Clustering, RSAT-Clustering-CmdInterface, RSAT-Clustering-Mgmt, RSAT-Clustering-PowerShell, Web-Mgmt-Console, WAS-Process-Model, Web-Asp-Net45, Web-Basic-Auth, Web-Client-Auth, Web-Digest-Auth, Web-Dir-Browsing, Web-Dyn-Compression, Web-Http-Errors, Web-Http-Logging, Web-Http-Redirect, Web-Http-Tracing, Web-ISAPI-Ext, Web-ISAPI-Filter, Web-Lgcy-Mgmt-Console, Web-Metabase, Web-Mgmt-Console, Web-Mgmt-Service, Web-Net-Ext45, Web-Request-Monitor, Web-Server, Web-Stat-Compression, Web-Static-Content, Web-Windows-Auth, Web-WMI, Windows-Identity-Foundation

1- (Extending Schema)

Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

(Preparing AD)

Setup.exe /PrepareAD /OrganizationName:”<organization name>” /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

Setup.exe /PrepareAD /OrganizationName:TEST /IAcceptExchangeServerLicenseTerms

Prepare one domain in the forest or all domains

Setup.exe /PrepareDomain:<FQDN of the domain you want to prepare> /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

To prepare all domains run the following cmd

Setup.exe /PrepareAllDomains /IAcceptExchangeServerLicenseTerms

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

How do you know this worked?

Once you’ve done all the steps above, you can check to make sure everything’s gone smoothly. To do so, you’ll use a tool called Active Directory Service Interfaces Editor (ADSI Edit). ADSI Edit is included as part of the Active Directory Domain Services Tools feature in Windows Server 2012 R2 and Windows Server 2012. If you want to know more about it, check out ADSI Edit (adsiedit.msc).

Warning:

Never change values in ADSI Edit unless you’re told to do so by Microsoft support. Changing values in ADSI Edit can cause irreparable harm to your Exchange organization and Active Directory.

After Exchange extends your Active Directory schema and prepares Active Directory for Exchange, several properties are updated to show that preparation is complete. Use the information in the following list to make sure these properties have the right values. Each property needs to match the value in the table below for the release of Exchange 2016 that you’re installing.

In the Schema naming context, verify that the rangeUpper property on ms-Exch-Schema-Verision-Pt is set to the value shown for your version of Exchange 2013 in the Exchange 2016 Active Directory versions table.
In the Configuration naming context, verify that the objectVersion property in the CN=<your organization>,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=<domain> container is set to the value shown for your version of Exchange 2016 in theExchange 2016 Active Directory versions table.
In the Default naming context, verify that the objectVersion property in the Microsoft Exchange System Objects container under DC=<root domain is set to the value shown for your version of Exchange 2016 in the Exchange 2016 Active Directory versions table.

From <https://technet.microsoft.com/en-us/library/bb125224(v=exchg.160).aspx#Step1>

Software Prerequisites

Creating DAG

Since this is a LAB and I only have 2 nodes (DAG must have an odd number for Failover), so I am going to use the DC server as my FSW (Which is highly not recommended for Production Environment).

In order for the FSW on DC to work, you will have to add your DC to the Exchange Trusted Subsystem group

Here I added the DC as a member of the group

Normally file server feature is already added to the server by default, but to make sure I’ll run the following command

It’s already there

Now I’ll go back to Exchange servers and add a second NIC for Replication..

I usually rename each NIC so I know which is which, the default NIC belongs to the MAPI traffic and the other one is the replication NIC.

I will configure the Replication NICs on both exchange servers to disable the “Register this connection’s addresses in DNS”

Checking ping between Exchange servers on the Replication NIC

Now I will create the NGO Object (Computer Object) in the Active directory for the DAG

I will disable the object

Double click on the DAG object and go to Security tab and add Exchange servers

Now configure the security for the Exchange members to full

Apply and close…

Now on the DC I will create the FSW’s folder and give it full permission to the Trusted Subsystem group and exchange servers

Click apply and go back to EAC and I’ll start configuring the DAG

Microsoft says that one of the enhancements that have been added to Exchange 2016 is that DatabaseAvailabilityGroupIpAddresses is no longer required when creating a DAG. By default, the failover cluster will be created without an administrative access point, as this is the recommended best practice.

From <http://blogs.technet.com/b/exchange/archive/2015/05/05/exchange-server-2016-architecture.aspx>

So in this case we won’t need to assign any IP address to the DAG…

I’ll click on save and see what happens

Navigating to the administrators group on AD, The Exchange subsystem group is not added so I’ll add it.

Now I will add Exchange servers as members to the DAG

error

A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses. Error: Windows Failover Clustering isn’t installed on ‘EXCH2K16.test.com’.. [Server: EXCH2K16.test.com]

error

Error occurs due to firewall being enabled on the DC (Where the FSW is )

I disabled the firewall and gave full permission to the Exchange trusted system to the DAG object

After that I signed out of Exchange servers, signed back in.. Deleted DAG and recreated it… that didn’t work either

Tried using Exchange management shell but it didn’t work too

Checking the log coming in the description, I find out the log is complaining about not finding DAG while trying to resolve it.

Also the log says that it has installed Failover cluste rbut still the cluster can’t find FQDN called DAG.

So I will have to configure DAG in the dns and give it an IP of my first Exchange server

Checking DAG resolving from Exchange server

As the log says, restart is required after installing failover cluster so I’ll restart Exchange servers and then retry to add Exchange servers to the dag.

After restarting the server, It seems that things are working

The second server gave the following error

The Microsoft Exchange Replication service does not appear to be running on “EXCH2k1602”. Make sure that the server is operating, and that the services can be queried remotely.

Apparently the error is correct, After restarting the server it turned out that most of the second Exchange server’s services were not working.. To be honest I didn’t ask myself why did not the services started since I am using a preview version of Exchange 2016.

Interestingly while checking services, I noticed new services e.g. (DAG Management, Compliance Audit, Notifications broker)

After starting the services, now I tried to add the second server again to the DAG.

So eventually, DAG doesn’t need an IP address but still a DNS value needs to be created for the NCO object and needs to have an IP assigned to it which will be the Exchange server IP address..

Next: I will add a database copy and see how it’s improved and do I need to restart the IS service as in Exchange 2013.

I will leave all the default values and add the second server for the database to be copied on. Unlike Exchange 2013 in most of the times the database would fail first and gives an error .. In 2016 it starts directly seeding the database to the second Exchange server that’s member of the DAG.

On the second Server where the database has been copied to, I checked the Logs and Fastsearch was throwing errors as usual since database logs are not copied … as soon as the database logs finished copying the fastsearch will return ok and the database will appear as Healthy in EAC.

Fastsearch finally reported that indexing started on the newly copied DB.

The database copy should now report healthy in the EAC.

I will add the second database to the DAG and then create a new test mailbox and publish the Exchange server online to check the rest of the functionalities.

Story:

Error Message:

Troubleshooting

Changing Port to 1443 or 8443

Changing Ports using Registry

Restart Service

Why Cli?

Installation Options

Option 1

Option 2

Connect to Azure CLI from PowerShell

Manual install instructions

Get packages needed for the install process:

Download and install the Microsoft signing key:

Add the Azure CLI software repository:

Update repository information and install the azure-cli package:

Run the login command.

Sign in with your account credentials in the browser.

Deploying Linux (CentOS):

Creating a Resource Group for Azure Container Instances (ACI)

Next we will be creating a container to contain the Linux OS on the resource group which we have just created

To list the Images, Enter the following command

Get a list of Azure VMS

Let’s List and deploy a WordPress on CentOS

Create Windows Server core with IIS

The Story:

Symptoms

Set-AdfsSslCertificate -ThumbPrint A7etc : PS0159 : The Operation is not supported at the current Farm Behavior Level ‘1’. Raise the farm to at least version ‘2’ before retrying.

Error:

Troubleshooting:

On ADFS Server

Solution

Updating Certificate

Why VPN?

So what is SoftEther VPN Server/Client?

Clients

Use:

Download

Installation Requirements:

Installation Steps:

Configure Softether as Remote Access VPN Server

If you have no Static Public IP address

VPN Type:

AZURE Settings:

Creating Users

Creating Certificate

Choosing the right connection to set as Local Bridge

Using the most secure Encryption Algorithm for our connection

Default Setting:

Change to

Client Configuration:

Connectivity Test:

So What is KMS ?

Prerequisites for KMS Host:

KMS Installation

KMS Host Activation

Activating Office 2016 / 2019

NOTE:

Verifying KMS is Working:

The Story

Error:

Solution:

Delete dumpster only

The story:

Creating the script process:

The Script :

How to run:

Screenshot of the result

CVE-2019-0586 | Microsoft Exchange Memory Corruption Vulnerability

Vulnerability details:

Download link:

Just another IT Website

Update repository information and install the

azure-cli

package:

Run the

login

command.