TLS and NPS

Out of the box, NPS negotiates only TLS 1.0 for EAP methods (EAP-TLS and PEAP). So if you harden the server by disabling TLS 1.0 in SCHANNEL without first enabling the newer versions for EAP, you will find none of your NPS clients able to connect using EAP.

That is a real problem on an 802.1X network where every client is expected to authenticate: if client and server share no protocol version and cipher suite, the handshake fails and the client cannot connect, or cannot reconnect when its session requires re-authentication.

So before you restrict protocols on the server, make sure EAP can be delivered over the newer ones as well, that is TLS 1.1 and 1.2, so that newer clients can use them while you phase out TLS 1.0.

Ensure you have the required update installed on your system first; on older Windows Server versions EAP cannot use TLS 1.1 or 1.2 without it. Then add the registry value that controls which versions the EAP TLS handshake (EAP type 13, EAP-TLS, which PEAP also relies on for its outer tunnel) may negotiate.

To add these registry values, follow these steps:

  1. Click Start, click Run, type regedit in the Open box, and then click OK.
  2. Locate and then click the following subkey in the registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13
  3. On the Edit menu, point to New, and then click DWORD Value.
  4. Type TlsVersion for the name of the DWORD, and then press Enter.
  5. Right-click TlsVersion, and then click Modify.
  6. In the Value data box, enter the value for the TLS versions you want to enable, and then click OK:

     TLS version   DWORD value
     TLS 1.0       0xC0
     TLS 1.1       0x300
     TLS 1.2       0xC00

     Any OR'ed combination of these values enables the corresponding protocols. By default (value absent), TLS 1.0 is enabled. If an invalid value is configured, TLS 1.0 will be used.
  7. Exit Registry Editor, and then either restart the computer or restart the EapHost service.

Combined values: TLS 1.0, 1.1 and 1.2 = 0xC0 OR 0x300 OR 0xC00 = 0xFC0; TLS 1.1 and 1.2 only = 0x300 OR 0xC00 = 0xF00. Keep 0xFC0 until every supplicant is confirmed to negotiate TLS 1.2, then move to 0xF00, and only after that disable TLS 1.0 in SCHANNEL.
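The steps above as a script, added here as an example and not part of the original post: it decodes the current TlsVersion value (so you can see what EAP can negotiate before you touch SCHANNEL) and writes the OR'ed mask for the versions you want. The key path and the bit values are the ones from the steps; the function names are mine, and it assumes you run it elevated on the NPS server.

```powershell
# Added example (not from the original post): inspect and set the TlsVersion mask for EAP on an NPS server
$TlsBits = [ordered]@{ 'TLS1.0' = 0xC0; 'TLS1.1' = 0x300; 'TLS1.2' = 0xC00 }   # values from the steps above
$KeyPath = 'HKLM:\SYSTEM\CurrentControlSet\services\RasMan\PPP\EAP\13'          # EAP type 13 = EAP-TLS

function Get-EapTlsVersions {
    # Returns the protocol versions the current TlsVersion value enables; absent or invalid value means TLS 1.0 only.
    $value = (Get-ItemProperty -Path $KeyPath -Name TlsVersion -ErrorAction SilentlyContinue).TlsVersion
    if ($null -eq $value) { return @('TLS1.0 (value absent, default)') }
    $enabled = @($TlsBits.GetEnumerator() | Where-Object { ($value -band $_.Value) -eq $_.Value } | ForEach-Object { $_.Key })
    if ($enabled.Count -eq 0) { return @(('TLS1.0 (0x{0:X} is not a valid mask, falls back)' -f $value)) }
    return $enabled
}

function Set-EapTlsVersions {
    # Writes the OR'ed mask for the requested versions and restarts EapHost so the change applies without a reboot.
    param([Parameter(Mandatory)][ValidateSet('TLS1.0', 'TLS1.1', 'TLS1.2')][string[]]$Versions)
    $mask = 0
    foreach ($v in $Versions) { $mask = $mask -bor $TlsBits[$v] }
    if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -Path $KeyPath -Name TlsVersion -PropertyType DWord -Value $mask -Force | Out-Null
    Restart-Service -Name EapHost -Force
    return ('0x{0:X}' -f $mask)   # 0xFC0 for all three, 0xF00 for TLS 1.1/1.2 only
}

# Typical rollout: see what is negotiable now, enable all three, and only drop TLS 1.0 once every supplicant is confirmed on 1.2.
Get-EapTlsVersions
Set-EapTlsVersions -Versions 'TLS1.0', 'TLS1.1', 'TLS1.2'
```

Run Get-EapTlsVersions on the NPS server before any SCHANNEL hardening: if it reports TLS 1.0 only, disabling TLS 1.0 system-wide will take every EAP client down with it.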

What does Robocopy mean by tweaked, lonely, and extra?

“Tweaked”, “Lonely”, and “Extra” refer to RoboCopy “Classes” of files.

For each directory processed, RoboCopy builds a list of the files matching the include filespecs in both the source and the destination directory. It then cross-references the two lists to see which files exist where, compares file times and sizes where possible, and places each selected file in one of the following classes:

File        Exists In   Exists In        Source/Dest     Source/Dest   Source/Dest
Class       Source      Destination      File Times      File Sizes    Attributes
=========== =========== ================ =============== ============= ============
Lonely      Yes         No               n/a             n/a           n/a
Tweaked     Yes         Yes              Equal           Equal         Different
Same        Yes         Yes              Equal           Equal         Equal
Changed     Yes         Yes              Equal           Different     n/a
Newer       Yes         Yes              Source > Dest   n/a           n/a
Older       Yes         Yes              Source < Dest   n/a           n/a
Extra       No          Yes              n/a             n/a           n/a
Mismatched  Yes (file)  Yes (directory)  n/a             n/a           n/a

By default, Lonely files (and directories) are always copied unless the /XL switch is used. Changed, Newer and Older files are candidates for copying (subject to the further filtering described below), Same files are skipped (not copied), and Extra and Mismatched files (and directories) are simply reported in the output log.

Normally, Tweaked files are neither identified nor copied: by default they are reported as Same files. Only when the /IT switch is used is the distinction between Same and Tweaked made, and only then are Tweaked files copied.

Use the following switches to override this default behaviour:

Switch   Function
======== =====================
/XL      eXclude Lonely files and directories.
/IT      Include Tweaked files.
/IS      Include Same files.
/XC      eXclude Changed files.
/XN      eXclude Newer files.
/XO      eXclude Older files.

Use the following switch to suppress the reporting and processing of Extra files:

/XX      eXclude eXtra files

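Added example, not from the original page: a PowerShell function that classifies the files of one directory pair the way the table above describes, so you can see which class each file would fall into before running the real copy. The function name and the directory paths are mine; it compares last-write time first, then size, then attributes, in the order the table implies. Robocopy itself remains the authority on what gets copied, so check the result against a dry run (robocopy source dest /L /E).

```powershell
# Added example (not from the original page): classify files in one directory pair using the Robocopy classes
function Get-RobocopyClass {
    param(
        [Parameter(Mandatory)][string]$Source,
        [Parameter(Mandatory)][string]$Destination
    )
    $src = @{}; $dst = @{}
    Get-ChildItem -LiteralPath $Source -Force      | ForEach-Object { $src[$_.Name] = $_ }
    Get-ChildItem -LiteralPath $Destination -Force | ForEach-Object { $dst[$_.Name] = $_ }

    foreach ($name in (@($src.Keys) + @($dst.Keys) | Sort-Object -Unique)) {
        $s = $src[$name]; $d = $dst[$name]
        # directories present on both sides are descended into by Robocopy, not classified
        if ($s -and $d -and $s.PSIsContainer -and $d.PSIsContainer) { continue }
        $class =
            if ($null -eq $d)                                    { 'Lonely' }       # only in source
            elseif ($null -eq $s)                                { 'Extra' }        # only in destination
            elseif ($s.PSIsContainer -ne $d.PSIsContainer)       { 'Mismatched' }   # file on one side, directory on the other
            elseif ($s.LastWriteTimeUtc -gt $d.LastWriteTimeUtc) { 'Newer' }        # times compared first (exact unless /FFT)
            elseif ($s.LastWriteTimeUtc -lt $d.LastWriteTimeUtc) { 'Older' }
            elseif ($s.Length -ne $d.Length)                     { 'Changed' }      # same time, different size
            elseif ($s.Attributes -ne $d.Attributes)             { 'Tweaked' }      # same time and size, different attributes
            else                                                 { 'Same' }
        $item = if ($s) { $s } else { $d }
        [pscustomobject]@{ Name = $name; Class = $class; IsDirectory = [bool]$item.PSIsContainer }
    }
}

# Summarise what a copy would do, then compare with robocopy's own dry run
Get-RobocopyClass -Source 'C:\data' -Destination 'D:\backup' | Group-Object Class | Select-Object Name, Count
```

Tweaked files show up here only because attributes are compared explicitly; Robocopy reports them as Same unless you pass /IT, which is exactly the distinction the table is making.
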
Windows cannot access the specified device, path or file.

On Windows Server 2019, logged on as the built-in Administrator account, you can get this error when trying to open some Settings pages or other modern (UWP) apps: they refuse to run with the full, unfiltered administrator token that account gets while Admin Approval Mode is off for it.

To resolve it, run gpedit.msc to open the Local Group Policy Editor, then go to Computer Configuration -> Windows Settings -> Security Settings -> Local Policies -> Security Options and enable "User Account Control: Admin Approval Mode for the Built-in Administrator account". This is also the more secure setting, since the built-in Administrator then runs with a filtered token and gets UAC prompts like any other administrator.

Restart Windows for the change to take effect.

Server 2012/2016/2019 Data Deduplication – how to check the space savings

If you have a file server and want to know how much space you could save by migrating it to Windows Server 2012 (or later) with Data Deduplication, copy ddpeval.exe from C:\Windows\System32\ on a Windows Server 2012 machine and run it against the data.

This tool only shows you how much data you would be able to save. It does not deduplicate anything! Examples:

ddpeval.exe \\dchv\d

or

ddpeval.exe d:

————————————————————————————————————

To turn deduplication on: first enable the Data Deduplication feature (part of the File and Storage Services role), then enable it on the volume, start an optimization job and read the result of the real deduplication from the status:

start-DedupJob
get-DedupStatus

Deduplication works only with local volumes (local disks, NTFS data volumes); it cannot be enabled on remote network storage or network shares, and not on the system or boot volume.
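The procedure in one elevated PowerShell session, added as an example (the original post only names Start-DedupJob and Get-DedupStatus): it assumes a Server 2016/2019 file server with a data volume D: (on Server 2012 drop the -UsageType parameter) and a test volume on which it is acceptable to optimize files immediately.

```powershell
# Added example (not from the original post): enable deduplication on D:, run a first optimization pass and report the savings
Install-WindowsFeature -Name FS-Data-Deduplication          # feature of the File and Storage Services role

# deduplication only works on local NTFS data volumes, never on the system/boot volume or on a network share
Enable-DedupVolume -Volume 'D:' -UsageType Default

# by default only files older than 3 days are optimized; 0 makes the first job process everything (assumption: test volume)
Set-DedupVolume -Volume 'D:' -MinimumFileAgeDays 0

# run the optimization job in the foreground so the status below reflects the real result
Start-DedupJob -Volume 'D:' -Type Optimization -Wait

# SavedSpace/SavingsRate are the real numbers; compare them with what ddpeval.exe predicted
Get-DedupStatus -Volume 'D:' | Select-Object Volume, SavedSpace, SavingsRate, OptimizedFilesCount, InPolicyFilesCount
```

On a production volume leave MinimumFileAgeDays at its default (or set it back) so actively changing files are not churned through the chunk store.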

Fortigate SNMP monitoring

Technical Note: SNMP ifDescr missing in FortiOS 5.4

Description: with FortiOS 5.2 and lower, the ifDescr OID is systematically filled in with the interface name.

This behaviour was not compliant with RFC 1213, which states: "ifDescr should be filled in with a textual string containing information about the interface. This string should include the name of the manufacturer, the product name and the version of the hardware interface."

Since FortiOS 5.4 the ifDescr OID behaves as per RFC 1213, i.e. it is filled in with the interface description, that is:
– the "description" variable of each interface (CLI)
– the "comment" field of each interface (GUI)

To summarize, in FortiOS 5.4 and above:
– ifDescr OID returns the interface description
– ifAlias OID returns the interface alias
– ifName OID returns the interface name

The consequence is that any monitoring that matched interfaces on ifDescr (which is now empty unless a description has been set) breaks after the upgrade.

On FortiGates running FortiOS 5.2.x, all interfaces have the SNMP ifDescr object populated by default:

$ snmpwalk -v3 -u blahblah -a MD5 -A blahblah1 -x DES -X blahblah1 -l authPriv -Oa 10.8.8.8 | grep -i desc
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.2.11
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING: port1
IF-MIB::ifDescr.2 = STRING: port2
IF-MIB::ifDescr.3 = STRING: port3
IF-MIB::ifDescr.4 = STRING: port4
IF-MIB::ifDescr.5 = STRING: port5
IF-MIB::ifDescr.6 = STRING: port6
IF-MIB::ifDescr.7 = STRING: port7
IF-MIB::ifDescr.8 = STRING: port8
IF-MIB::ifDescr.9 = STRING: port9
IF-MIB::ifDescr.10 = STRING: port10
IF-MIB::ifDescr.13 = STRING: ssl.root

On a FortiGate running FortiOS 5.4.x the default ifDescr values have changed and are empty:

$ snmpwalk -v3 -u blahblah -a MD5 -A blahblah1 -x DES -X blahblah1 -l authPriv -Oa 10.8.8.8 | grep -i desc
SNMPv2-MIB::sysDescr.0 = STRING: Fortigate v5.4.5
SNMPv2-MIB::sysORDescr.1 = STRING:
IF-MIB::ifDescr.1 = STRING:
IF-MIB::ifDescr.2 = STRING:
IF-MIB::ifDescr.3 = STRING:
IF-MIB::ifDescr.4 = STRING:
IF-MIB::ifDescr.5 = STRING:
IF-MIB::ifDescr.6 = STRING:
IF-MIB::ifDescr.7 = STRING:
IF-MIB::ifDescr.8 = STRING:
IF-MIB::ifDescr.9 = STRING:
IF-MIB::ifDescr.10 = STRING:
IF-MIB::ifDescr.11 = STRING:

(The walks above use MD5/DES; if the FortiGate's SNMPv3 user is configured for SHA/AES, which is the stronger choice, use -a SHA -x AES instead.)

Workaround

In FortiOS 5.4 you can get the interface names from the ifXTable of IF-MIB:

IF-MIB::ifMIB.ifMIBObjects.ifXTable.ifXEntry – 1.3.6.1.2.1.31.1.1.1

Its ifName column is 1.3.6.1.2.1.31.1.1.1.1 and ifAlias is 1.3.6.1.2.1.31.1.1.1.18. Point your monitoring at ifName rather than ifDescr, since ifName carries the port name on both 5.2 and 5.4.
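Added example, not from the Fortinet note: a PowerShell parser for snmpwalk lines that joins ifDescr, ifName and ifAlias per ifIndex and picks a stable label (ifName first, ifDescr only as a fallback for pre-5.4 firmware), plus a wrapper that runs net-snmp's snmpwalk for the three columns. The function names are mine, the sample lines are constructed to mirror the 5.4 output above, and the wrapper assumes the FortiGate's SNMPv3 user is configured for SHA/AES (change to MD5/DES only if it really is still configured that way).

```powershell
# Added example (not from the Fortinet note): build an interface table from snmpwalk output and pick a stable label
function ConvertFrom-IfTableWalk {
    param([Parameter(Mandatory)][string[]]$Lines)
    $table = @{}
    foreach ($line in $Lines) {
        # line shape produced by snmpwalk -Oa:  IF-MIB::ifName.3 = STRING: port3   (the value may be empty, as on 5.4 ifDescr)
        if ($line -match '^IF-MIB::(ifDescr|ifName|ifAlias)\.(\d+) = STRING:\s*(.*)$') {
            $idx = [int]$Matches[2]
            if (-not $table.ContainsKey($idx)) { $table[$idx] = @{ ifDescr = ''; ifName = ''; ifAlias = '' } }
            $table[$idx][$Matches[1]] = $Matches[3].Trim()
        }
    }
    foreach ($idx in ($table.Keys | Sort-Object)) {
        $e = $table[$idx]
        # ifName is populated on both 5.2 and 5.4; ifDescr is only a fallback for pre-5.4 firmware
        $label = if ($e.ifName) { $e.ifName } elseif ($e.ifDescr) { $e.ifDescr } else { "ifIndex$idx" }
        [pscustomobject]@{ ifIndex = $idx; ifDescr = $e.ifDescr; ifName = $e.ifName; ifAlias = $e.ifAlias; Label = $label }
    }
}

function Get-FortiInterfaceTable {
    # Walks the three columns with net-snmp's snmpwalk and parses them (assumes an SNMPv3 user with SHA auth and AES privacy)
    param([Parameter(Mandatory)][string]$Target, [Parameter(Mandatory)][string]$User,
          [Parameter(Mandatory)][string]$AuthPass, [Parameter(Mandatory)][string]$PrivPass)
    $lines = foreach ($column in 'IF-MIB::ifDescr', 'IF-MIB::ifName', 'IF-MIB::ifAlias') {
        & snmpwalk -v3 -u $User -a SHA -A $AuthPass -x AES -X $PrivPass -l authPriv -Oa $Target $column
    }
    ConvertFrom-IfTableWalk -Lines $lines
}

# Constructed sample mirroring a FortiOS 5.4 walk: ifDescr empty, ifName carries the port name, one alias set
$sample = @(
    'IF-MIB::ifDescr.1 = STRING:',
    'IF-MIB::ifDescr.2 = STRING:',
    'IF-MIB::ifName.1 = STRING: port1',
    'IF-MIB::ifName.2 = STRING: port2',
    'IF-MIB::ifAlias.2 = STRING: uplink-core'
)
ConvertFrom-IfTableWalk -Lines $sample | Format-Table -AutoSize
```

The Label column is what a monitoring check should key on: it stays "port1", "port2" across the 5.2 to 5.4 upgrade, whereas a check keyed on ifDescr silently matches nothing after the upgrade.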

OpsView wrong ipmi result

Opsview caches the IPMI sensor data records (SDR) in /var/log/nagios/.freeipmi/sdr-cache, one file per device, named by IP address.

If the device behind an IP address is replaced, the stale cache produces wrong results. Remove the file for that IP so the cache is recreated from the new device on the next check.

Fixing the broken/corrupt Locker Partition on Esxi

Sometimes the ESXi locker partition becomes corrupted; one symptom is an error mounting the VMware Tools ISO when you try to install Tools in a VM.

To resolve this, connect to the host via SSH and follow the steps below.

Commands:
ls -ltrh / | grep store
vmkfstools -P /vmfs/volumes/5cdce747-375af1f6-b185-0050569674de

Output:
ls -ltrh / | grep store
lrwxrwxrwx    1 root     root           6 May 13 23:03 locker -> /store
lrwxrwxrwx    1 root     root          49 May 16 04:29 store -> /vmfs/volumes/5cdce747-375af1f6-b185-0050569674de

vmkfstools -P /vmfs/volumes/5cdce747-375af1f6-b185-0050569674de
vfat-0.04 (Raw Major Version: 0) file system spanning 1 partitions.
File system label (if any):
Mode: private
Capacity 299712512 (36586 file blocks * 8192), 299712512 (36586 blocks) avail, max supported file size 0
Disk Block Size: 512/0/0
UUID: 5cdce747-375af1f6-b185-0050569674de
Partitions spanned (on "disks"):
        mpx.vmhba0:C0:T0:L0:8
Is Native Snapshot Capable: NO 

Make a note of the device listed under "Partitions spanned (on "disks"):".

Note: the :8 at the end of the device name means this is partition 8 of that disk.
Note: on a default ESXi 5.x/6.x install the locker (VMware Tools ISOs) is always partition 8 of the install disk. ESXi 7.0 changed the partition layout and keeps the locker inside the ESX-OSData partition, so always take the device from the vmkfstools -P output rather than assuming :8.

Format the partition with the vfat filesystem using the command below. Ensure you DO NOT OMIT the partition number: without the :8 the command targets the whole install disk instead of the locker partition.

vmkfstools -C vfat /dev/disks/mpx.vmhba0:C0:T0:L0:8

Example output:
vmkfstools -C vfat /dev/disks/mpx.vmhba0:C0:T0:L0:8
create fs deviceName:'/dev/disks/mpx.vmhba0:C0:T0:L0:8', fsShortName:'vfat', fsName:'(null)'
deviceFullPath:/dev/disks/mpx.vmhba0:C0:T0:L0:8 deviceFile:mpx.vmhba0:C0:T0:L0:8
Checking if remote hosts are using this device as a valid file system. This may take a few seconds...
Creating vfat file system on "mpx.vmhba0:C0:T0:L0:8" with blockSize 1048576 and volume label "none".
Successfully created new volume: 5cdcf45e-68f98eec-adb0-0050569674de

Note: if the format fails with a "resource in use" error, the host needs a reboot first.

Re-create the symlinks for store and locker, pointing at the UUID of the newly created volume:

ln -snf /vmfs/volumes/5cdcf45e-68f98eec-adb0-0050569674de /store

ln -snf /vmfs/volumes/5cdcf45e-68f98eec-adb0-0050569674de /locker

Finally, copy the contents of the store partition (the packages directory with the Tools ISOs) from a working host running the same ESXi build, then verify that the Tools ISO mounts again.

PowerShell script to import LDAP objects into Exchange contacts

With this PowerShell script you can import external LDAP objects (here from an OpenLDAP directory) as Active Directory mail contacts.

Exchange then publishes them in the address list available to everyone.

Each run marks the contacts it created or updated; at the end it deletes from the target OU any contact that was not marked, i.e. objects that have been removed from the LDAP source.

$count = 0
$MaxUsers = [int]::MaxValue  # lower this while testing to import only the first N users
#load the Exchange 2010 snap-in
Add-PSSnapIn Microsoft.Exchange.Management.PowerShell.E2010
#load the DirectoryServices assembly (DirectoryEntry and DirectorySearcher live there)
Add-Type -AssemblyName System.DirectoryServices
#read-only account used to bind to openLDAP; in production keep the password out of the script (Get-Credential or a secret store) instead of in clear text
$UserName = "uid=reader,ou=users,dc=example,dc=com"
$Password = "Password"
$OU = "OU-IMPORT"

$filter = "(objectclass=inetOrgPerson)"
#openLDAP source server and the company organisation (o=) created in that directory; plain LDAP on 389 sends the bind password in clear, so prefer LDAPS (636) where the server offers it
$domain = "LDAP://10.10.10.1:389/o=" + $OU + ",dc=example,dc=com"
#AD OU that receives the mail contacts (change to your own OU)
$TargetOU = "OU=" + $OU + ",DC=example,DC=com"

#return the first value of an LDAP attribute as a string, or $null when the attribute is absent
function Get-LdapValue($properties, $name) {
    if ($properties.Contains($name) -and $properties[$name].Count -gt 0) { return [string]$properties[$name][0] }
    return $null
}

#run the search against openLDAP
$root = New-Object -TypeName System.DirectoryServices.DirectoryEntry($domain, $UserName, $Password, 'FastBind')
$query = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
$objuser = $query.FindAll()
#an empty result (bind failure, wrong base DN) would otherwise delete every contact in the OU at the end of the run
if ($objuser.Count -eq 0) { throw "LDAP search returned no entries; aborting before touching existing contacts" }

#process the openLDAP entries one by one
foreach ($user in $objuser) {
    #safety limit for testing, so you do not have to process all users at once
    if ($count -lt $MaxUsers) {
        Write-Host "-------------------------------------------------------"
        $cn = Get-LdapValue $user.Properties 'cn'
        $displayName = Get-LdapValue $user.Properties 'displayname'
        #parse the LDAP mail attribute as an SMTP address; entries without a usable address are skipped
        $mail = $null
        $mailAttr = Get-LdapValue $user.Properties 'mail'
        if (-not [string]::IsNullOrEmpty($mailAttr)) { $mail = ([Microsoft.Exchange.Data.ProxyAddress]$mailAttr).SmtpAddress }

        if (-not [string]::IsNullOrEmpty($mail)) {
            Write-Host $cn
            #the contact is created with -Name $cn, so look it up by that name (Get-MailContact returns nothing when it does not exist)
            $existing = Get-MailContact -Identity $cn -ErrorAction SilentlyContinue
            if (-not $existing) {
                Write-Host "the contact does not exist, creating it"
                New-MailContact -Name $cn -DisplayName $displayName -FirstName (Get-LdapValue $user.Properties 'givenname') -LastName (Get-LdapValue $user.Properties 'sn') -OrganizationalUnit $TargetOU -ExternalEmailAddress $mail
                #CustomAttribute10 records the source OU, CustomAttribute11 marks the contact as seen in this run
                Set-MailContact -Identity $cn -CustomAttribute10 $OU -CustomAttribute11 "updated"
            }
            else {
                Write-Host "the contact exists, updating its properties: " $cn
                Set-Contact -Identity $cn -Phone (Get-LdapValue $user.Properties 'telephonenumber') -MobilePhone (Get-LdapValue $user.Properties 'mobile') -Office (Get-LdapValue $user.Properties 'physicaldeliveryofficename') -Title (Get-LdapValue $user.Properties 'title') -Department (Get-LdapValue $user.Properties 'department') -Company (Get-LdapValue $user.Properties 'o') -City (Get-LdapValue $user.Properties 'l')
                Set-MailContact -Identity $cn -CustomAttribute10 $OU -CustomAttribute11 "updated"
            }
        }
        $count++
    }
}
#remove contacts that were not marked in this run, i.e. deleted from LDAP
Get-MailContact -OrganizationalUnit $TargetOU -Filter {CustomAttribute11 -eq $null} | Remove-MailContact -Confirm:$false
Start-Sleep -s 30 #give AD 30 seconds to replicate the change to the other DCs
#clear the marker so the next run can detect deletions again
Get-MailContact -OrganizationalUnit $TargetOU -Filter {CustomAttribute11 -ne $null} | Set-MailContact -CustomAttribute11 ""
Start-Sleep -s 30 #give AD 30 seconds to replicate the change to the other DCs