All posts by bsdman

Currently working as an IT Manager. Worked for an OIT company as a Network Engineer in 2011. Worked for a Medical IT company as the Network Administrator 2009-2011. Worked as the Senior Systems Administrator at a computer reseller from 2005-2009. Worked as a Computer Consultant for several small companies from 2007-2009. Worked as a Computer Technician at a computer reseller from 2002-2004.

Exchange 2007 Self-Signed Certificate

This will probably never come up in my ventures as the Administrator here at my job, but it has come up with one of our customers. They do not have a Certificate Authority (CA) and do not pay for an outside certificate. They also use Exchange 2007. I’m not privy to all the ins and outs of their network, but they’re a standard small business with 4 or 5 servers. And it’s been 53 weeks since they installed Exchange 2007.

Why is 53 a number you should scoff at? Every 365 days (a year, which is 52 weeks plus a day) the self-signed certificate that Exchange gives itself expires and has to be renewed. Why do I even need a certificate, you ask. The certificate is required for all TLS communication, and anything that's even remotely secured uses TLS. Outlook uses TLS. If the certificate is expired, invalid or missing, Outlook will throw certificate errors and refuse to talk to your Exchange server. Not good. And the 53 isn't a mystery: a certificate valid for 365 days runs out during the 53rd week, so their guy had it right.

Here’s a quick and easy way of renewing your certificate:
1.) On your Exchange 2007 server, open up the Exchange Management Shell
2.) Type “get-exchangecertificate” and hit enter. This will show all installed certificates.
Type “get-exchangecertificate | fl *” to show everything about the installed certificates.
Type “get-exchangecertificate | fl services, thumbprint” to show only the services with the thumbprint for each certificate.
3.) Type “get-exchangecertificate -thumbprint thumbprint_of_cert | new-exchangecertificate”. This creates a new self-signed certificate with the same subject and domain names as the old one and prints the new thumbprint.
4.) Type “enable-exchangecertificate -thumbprint thumbprint_of_new_cert -services IMAP,POP,SMTP,IIS”
5.) Test the services (Outlook, OWA, and anything using POP or IMAP) against the new certificate before touching the old one.
6.) Remove the old certificate. Type “remove-exchangecertificate -thumbprint thumbprint_of_old_cert”

You’ll have to do this every year if you use the self-signed certs. If you use a CA, the issued certificate will last anywhere from 1 to 5 years. You can also use your internal CA to issue new signed certificates: use the standard Web Server template, and then use the Exchange Management Shell to add the services to the new certificate (enable-exchangecertificate -thumbprint thumbprint -services “imap,pop,smtp”). You can leave out IIS since it *should* already be there, but confirm it with get-exchangecertificate afterwards, because the IIS and SMTP bindings do not always carry over (see the note further down).

**** EDIT ****

New-ExchangeCertificate -SubjectName "DC=domain, DC=com, CN=server.domain.com" -DomainName server.domain.com,mail.domain.com -IncludeAcceptedDomains -IncludeAutoDiscover -Services "SMTP" -PrivateKeyExportable $true
This updates the certificate to cover all domains used by Exchange. You can also specify other domains like mail.domain, webmail.domain etc.

Get-ExchangeCertificate
Get-ExchangeCertificate | FL
These allow you to find the thumbprint of the certificate you created.

Enable-ExchangeCertificate -Thumbprint THUMBPRINT -Services SMTP,IMAP,POP,IIS
This will turn on the services for your thumbprinted certificate. Obviously you can choose which services to allow.

Export-ExchangeCertificate -Thumbprint THUMBPRINT -BinaryEncoded:$true -Path C:\SSCert.pfx -Password:(Get-Credential).password
This exports your certificate as a PFX file protected by the password you choose at the prompt. Treat that file as a secret: a PFX contains the server’s private key, so it belongs in a backup, not on user machines. To get clients to trust the self-signed certificate, push out only the public certificate (a .cer with no private key, e.g. exported from the Certificates MMC) into their Trusted Root Certification Authorities store. Check for root certificate installations for other details.
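The renewal steps from the first list and the export step above, put together as one script for the Exchange Management Shell. This is an added example and not code from the original post: the 30-day threshold, the output path, and the "issuer equals subject" test for spotting the self-signed certificate are assumptions of the example. It clones the expiring certificate, re-binds the same services, verifies the binding before removing the old certificate, and writes out only the public half of the new certificate for distribution to clients.

```powershell
# Added example (not from the original post): renew an expiring Exchange 2007
# self-signed certificate and export only its PUBLIC half for client trust.
# Run in the Exchange Management Shell on the Exchange server.
# Assumptions (not from the post): the 30-day threshold, the output path, and
# that the self-signed certificate is the one whose Issuer equals its Subject.

$DaysBeforeExpiry = 30
$PublicCertPath   = "C:\ExchangeSelfSigned-public.cer"

# Self-signed certificates that are bound to a service and expire inside the
# threshold. Get-ExchangeCertificate returns X509Certificate2-derived objects,
# so Issuer, Subject and NotAfter are available directly.
$expiring = Get-ExchangeCertificate | Where-Object {
    $_.Issuer -eq $_.Subject -and
    $_.Services -ne "None" -and
    $_.NotAfter -lt (Get-Date).AddDays($DaysBeforeExpiry)
}

if (-not $expiring) {
    Write-Host "No self-signed certificate expires within $DaysBeforeExpiry days."
}

foreach ($old in $expiring) {
    Write-Host ("Renewing {0}: expires {1}, services {2}" -f $old.Thumbprint, $old.NotAfter, $old.Services)

    # Step 3 of the post: clone subject and domain names into a fresh self-signed cert.
    $new = $old | New-ExchangeCertificate

    # Step 4: bind the same services. Exchange prompts before replacing the
    # default SMTP certificate; answer that prompt interactively.
    Enable-ExchangeCertificate -Thumbprint $new.Thumbprint -Services $old.Services

    # Step 5: confirm the binding actually moved before touching the old certificate.
    $check = Get-ExchangeCertificate -Thumbprint $new.Thumbprint
    if ($check.Services -eq $old.Services) {
        # Step 6: the old certificate is now unused. Remove-ExchangeCertificate
        # still asks for confirmation, which is the safety net you want here.
        Remove-ExchangeCertificate -Thumbprint $old.Thumbprint
    } else {
        Write-Warning ("Services on {0} are {1}, expected {2}; old certificate left in place." -f $new.Thumbprint, $check.Services, $old.Services)
    }

    # Distribute trust with the public certificate only. X509ContentType::Cert
    # produces a DER .cer with no private key; the .pfx written by
    # Export-ExchangeCertificate contains the key and must never go to clients.
    $der = $new.Export([System.Security.Cryptography.X509Certificates.X509ContentType]::Cert)
    [System.IO.File]::WriteAllBytes($PublicCertPath, $der)
    Write-Host "Public certificate written to $PublicCertPath"
}
```

The .cer this writes is what goes into the clients' Trusted Root Certification Authorities store (by Group Policy or by hand); the PFX from Export-ExchangeCertificate stays on the server and in your backups.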

OR, if you have your own Certificate Authority:

New-ExchangeCertificate -GenerateRequest -SubjectName "o=My, o=Site, cn=MyServer.MyDomain.com" -IncludeAcceptedDomains -Path c:\MyServer.MyDomain.com.req

Open this file using notepad or the like, and copy the request text between (and including) the BEGIN and END lines.
Now log into your Certificate Authority
http://CAServer/certsrv
Click Request a certificate
Submit an advanced certificate request
Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file, or submit a renewal request by using a base-64-encoded PKCS #7 file
Paste the certificate information from earlier
Change the Certificate Template to Web Server
Click submit

You should now have a certificate issued. You’ll want to download it, so select Base64 encoded and download the certificate. I always download both the certificate itself and the full certificate chain (the PKCS #7 option).

Copy your newly issued/downloaded certificate to your Exchange server.
Import-ExchangeCertificate -Path c:\2009mycert.cer | Enable-ExchangeCertificate -Services SMTP,POP,IMAP,IIS

If you already have a certificate that’s the default one on Exchange, you’ll notice that the SMTP and IIS settings DO NOT STAY.
You’ll have to:
Enable-ExchangeCertificate -Thumbprint MYTHUMBPRINT -Services SMTP,IIS
Exchange will ask whether you want to overwrite the current default SMTP certificate; answer Y for yes.
You’re done!

Forgotten Passwords

I can’t tell you the number of people that come up to me and ask if I can retrieve their password. For certain devices I can either reset the password or I can figure out a way to reset the password. Several websites give options to reset your password. Several Instant Messaging programs give the option to reset your password. I’m really just trying to see how many times I can type “reset your password”.

So here’s the lowdown on what can be reset, and a mostly “how-to” do it:

Mac OS 6.* – 8.5: If you set up a password you’re a fool. The OS doesn’t support native passwords and is a single user OS. You set one? Reformat and start from scratch. Or just live with it.
Mac OS 8.6 – 9.*: Read above. The OS was meant to be a single user Operating System, but somewhere along the line someone decided it would be a good idea to include basic password login protection. Usually a reboot will yield an “auto login” situation where you can change the preferences of a screen saver password. Otherwise you’ll have to reformat once again.
Mac OS X.*: Here’s the really easy part – Apple has included the utility to reset the password for you. It’s on the Apple Installation Disc. Don’t have the disc? You’ll have to download or buy one then. Have the disc? Boot off of it (press and hold C while turning on the computer), and then when you see a menu at the top of the screen click on Utilities. You’ll now see a “reset password” option. You can get the rest from there.

Windows 95/98: Press ESC instead of trying to login.
Windows ME: Burn your computer and that crappy Operating System and buy a new one.
Windows 2000/NT/XP/2003/Vista: Find a linux boot disc (knoppix should work) that can edit SAM files and reset administrator passwords.

Ubuntu: Press ESC at the grub prompt, press E for edit, select the line that begins with kernel and press E, go to the very end of the line and add “rw init=/bin/bash” without the quotes, press enter and then B to boot. This gives you a root shell with the disk mounted read-write, so type “passwd username” to reset that user’s password. Keep in mind this works on any Linux box whose disk isn’t encrypted and whose boot loader isn’t password protected: physical access is root access unless you set a GRUB password or encrypt the disk.

A lot of people work in corporations with Active Directory Microsoft Windows computers. Here’s a couple things that people should know:
1.) Administrators do NOT know your password for your login to the computer. We can reset it, but we can’t retrieve it (with normal means)
2.) Administrators do NOT know your password for your personal chatting application. We, like EVERY OTHER PERSON, can go to the provider’s website (i.e. yahoo.com/aim.com/msn.com) and have them send a reset password email to the registered email address.
3.) Administrators do NOT know the POP server or IMAP settings to your personal email. I actually block access to POP and IMAP so I don’t have to hear this one daily.

No I Will Not Fix Your Computer

I stole this from another site (http://www.broowaha.com):

The real reason your company’s computer guy doesn’t want to work on your personal PC.

“I’m sorry, I don’t work on personal PCs. It’s nothing personal, I promise”.

Have you ever heard these words come from the lips of your company’s in house IT guy? Have you ever asked and been rebuffed? Well don’t fret. Rest assured dear user, it really isn’t personal. A lot of us computer guys just don’t work on personal PCs.

“But why not?” you ask. A computer is a computer right? If it’s broke you can certainly fix it and maybe make a little money on the side. It shouldn’t take you long, you’re an expert.

As tempting as tax free money on the side sounds, it usually just isn’t worth the hassle. That’s right, I said it. It’s a hassle for us to work on personal PCs. The laundry list of why it is a hassle is long, but I will try to just touch on the most significant aspects of it.

First off you have to realize that people that work in a corporate or government IT dept are used to dealing with standardized hardware and software configurations and being in total control over the goings on of their network. We know the hardware and software inside and out. We are in control of the inventory, we know what types of printers we have, and know what the most common problems are that occur with our standardized hardware and software. We like to be in control. When you bring us your personal PC from home, we don’t know what kind of software you have installed, where it came from, or what kind of hardware you may have connected to it that may or may not be causing your issues.

Secondly, we don’t like to have to “overlook” stuff you may have on your computer that may or may not be “legal”. Is that copy of Office 2007 you have installed on your PC properly licensed? Did you pay for the thousands of mp3’s you have in your “My Music” folder? It honestly bothers us to work on somebody’s computer and see software like Limewire or the likes of it, because we then know you are illegally downloading music. Honestly we want no part of that. We don’t want to know because many of us possess professional technical certifications from Microsoft and others, and with those designations come ethical responsibilities and the like. These companies are our bread and butter if you will, and we don’t like to see them ripped off. Plus when you get sued by the RIAA, we don’t want to be called on to testify against you.

Thirdly, we honestly can’t charge you what our time is actually worth. When you bring in your PC loaded down with viruses and trojans, we could literally have to spend hours cleaning it up, and even then we may not be able to successfully clean it. Nasty infections are generally very difficult to get rid of and usually require that the operating system be reinstalled from scratch, which just adds time to our task.

Fourthly, (is that even a word?) we don’t enjoy working on computers as much as you might think. You know those guys you see on TV that are always messing with computers and talking about the latest whiz bang graphics card that renders a bajillion polygons per second? Guess what. We’re not them. We are IT professionals. We are usually highly specialized in our fields and concentrate on one area of expertise. We usually don’t know about the latest graphics card unless one of our AutoCAD users is getting a new machine and it requires a high end graphics processing unit. To us computers are just a job, a way to make a living. When we go home at night, we want to spend time with our families, chilling in front of the tube and eating dinner. We don’t want to spend all evening trying to figure out why your ipod won’t talk to your computer.

Please understand I’m not trying to be rude. I’m just trying to make it easier for you to understand that it’s really not personal, it’s not that we don’t like you. We really just don’t like to work on personal PCs.

Virus EXE Rundll32 Issue

I love it when people bring in their virus-laden machines for me to look at. They always come up with some silly excuse for why it’s not working or how it’s broken: “I let [insert name of child here] play on it the other day and now it’s running slow” or “I haven’t been able to use email for the last few months but thought nothing of it until the computer started deleting my files and randomly rebooting”. GOLD!

I’m usually pretty good at getting rid of a virus if it’s in the early stages. Adware, malware, popups, backdoor trojans, they’re all pretty easy to dispose of. Some of the hijack programs that take over the homepage for IE are pretty tough though.

The steps I go through are usually the same:
1.) MSconfig and remove all non-microsoft programs
2.) Install nod32 and kick the crap out of whatever was installed

Although a lot of times I’m not able to run any commands. Recently I couldn’t open any EXE files on a system. It kept looking for rundll32.exe and not finding it (windows\system32\rundll32.exe). So then msconfig, add/remove programs (control appwiz.cpl), and even the system information (windows key + pause/break) didn’t work. I couldn’t even open cmd.exe without problems; lucky for me it still opened despite the broken .exe association, so I had a command line.

So then, with the command line open:
1.) Download The EXE Registry Fix and import it into your registry
2.) SFC /scannow (this requires either the i386 folder or the windows installation media to check and see if all the required microsoft files are in place)
3.) MRT (microsoft’s malicious removal tool)
4.) msconfig and uncheck any non-microsoft related items

Someone also told me that the broken .exe file association could have been what took this computer down. I didn’t try it since I only imported the registry key and it worked. But here are the steps to do that too (note the space between assoc and .exe):

1.) CMD
2.) assoc .exe=exefile
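What an “EXE registry fix” .reg file actually restores is two values: HKCR\.exe pointing at the exefile ProgID, and the exefile open command being exactly "%1" %*. Hijackers put their own executable in front of that "%1" so they get launched before every program you run. The script below, an added example and not from the original post, checks both values and optionally writes the stock ones back. The Test-ExeAssociation name and the -Repair switch are this example’s own. Launch powershell.exe by path from an already-open cmd prompt; starting it that way doesn’t go through the broken association.

```powershell
# Added example (not from the original post): check, and optionally repair, the
# two registry values that an "EXE registry fix" restores. The function name and
# the -Repair switch are assumptions of this example. Run from an open cmd prompt
# as an administrator; reading needs no rights, writing does.

$ExpectedProgId  = "exefile"
$ExpectedCommand = '"%1" %*'   # the stock open command for the exefile ProgID

function Test-ExeAssociation {
    param([switch]$Repair)

    $assocKey   = "Registry::HKEY_CLASSES_ROOT\.exe"
    $commandKey = "Registry::HKEY_CLASSES_ROOT\exefile\shell\open\command"
    $ok = $true

    # Check 1: .exe must map to the exefile ProgID.
    $progId = (Get-ItemProperty -Path $assocKey -ErrorAction SilentlyContinue)."(default)"
    if ($progId -ne $ExpectedProgId) {
        $ok = $false
        Write-Warning "HKCR\.exe default is '$progId', expected '$ExpectedProgId'"
        if ($Repair) {
            if (-not (Test-Path $assocKey)) { New-Item -Path $assocKey -Force | Out-Null }
            Set-ItemProperty -Path $assocKey -Name "(default)" -Value $ExpectedProgId
        }
    }

    # Check 2: the open command must be exactly "%1" %*. Anything in front of
    # "%1" is a program that runs every time any .exe is launched.
    $command = (Get-ItemProperty -Path $commandKey -ErrorAction SilentlyContinue)."(default)"
    if ($command -ne $ExpectedCommand) {
        $ok = $false
        Write-Warning "exefile open command is '$command', expected '$ExpectedCommand'"
        if ($Repair) {
            if (-not (Test-Path $commandKey)) { New-Item -Path $commandKey -Force | Out-Null }
            Set-ItemProperty -Path $commandKey -Name "(default)" -Value $ExpectedCommand
        }
    }

    return $ok
}

# Report only. Add -Repair to write the stock values back.
if (Test-ExeAssociation) {
    Write-Host "EXE association looks stock."
} else {
    Write-Host "EXE association is damaged; run Test-ExeAssociation -Repair to restore it."
}
```

The same two values are what the cmd built-ins touch: assoc .exe=exefile sets the first, and ftype exefile="%1" %* sets the second. If the open command had been tampered with, whatever program it pointed at is the thing to hunt down next.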

Exchange 2007 Mailbox Statistics

If only Microsoft would realize that it’s pretty easy to add a single column known as “size of mailbox” when searching through the GUI Exchange Management Console. Instead, we have to open up the Exchange Management Shell. Big deal.

Here’s the quick and easy way to list the name of the mailbox, size of said mailbox, and number of emails:
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

And apparently you can get it to email you if you write a script as follows (the report path is absolute so it works the same from a scheduled task, and the attachment is released after sending so the file can be rewritten next run):
###Send mailbox statistics script
###First, the administrator must change the mail message values in this section
$FromAddress = "MailboxReport@ngh.net"
$ToAddress = "administrator@ngh.net"
$MessageSubject = "Mailbox Size Report"
$MessageBody = "Attached is the current list of mailbox sizes."
$SendingServer = "e2k7.ngh.net"
$ReportPath = "C:\mailboxes.txt"
###Now get the stats and store in a text file (this must stay on one line)
Get-MailboxStatistics | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount | Out-File $ReportPath
###Create the mail message and add the statistics text file as an attachment
$SMTPMessage = New-Object System.Net.Mail.MailMessage $FromAddress, $ToAddress, $MessageSubject, $MessageBody
$Attachment = New-Object System.Net.Mail.Attachment($ReportPath)
$SMTPMessage.Attachments.Add($Attachment)
###Send the message, then release the attachment's handle on the report file
$SMTPClient = New-Object System.Net.Mail.SMTPClient $SendingServer
$SMTPClient.Send($SMTPMessage)
$Attachment.Dispose()

But I couldn’t get it to actually attach the txt document.

EDIT!!!

11.11.2008

I got it to work – the problem was with a couple issues we had.

1.) Windows PowerShell must be allowed to run scripts: Set-ExecutionPolicy RemoteSigned is enough for a .ps1 you wrote locally (Unrestricted also works, but it is broader than you need)
2.) I wrote a bat file to open this once a week:
C:\WINDOWS\system32\WindowsPowerShell\v1.0\PowerShell.exe -PSConsoleFile "C:\Program Files\Microsoft\Exchange Server\bin\exshell.psc1" -command ". 'C:\sendstats.ps1'"
3.) I wrote a ps1 file to run the actual commands (see above for the code)
4.) If you get an error, see if the following command helps:
Add-PSSnapin Microsoft.Exchange.Management.PowerShell.Admin
5.) MAKE SURE the get-mailboxstatistics is all on one single line – I can’t tell you how much word-wrap in notepad screwed me out of 20 minutes of time.

***EDIT 05.23.2011***
So Exchange 2010 screwed me a little bit on this – it requires another flag:
Get-MailboxStatistics -server SERVERNAME | Sort-Object TotalItemSize -Descending | ft DisplayName,@{label="TotalItemSize(KB)";expression={$_.TotalItemSize.Value.ToKB()}},ItemCount

You can use -Identity MAILBOXORUSERNAME, -Database DATABASEHERE, or -Server SERVERNAMEHERE. I chose server as it’s exactly what I needed.

Exchange 2007 Remove Disconnected Mailboxes

If you delete a user on Exchange 2007, it will delete the user in Active Directory. It will not, however, immediately delete the mailbox that was associated with the user. The mailbox is disconnected and kept until the database’s deleted mailbox retention period runs out (30 days by default), and until then it moves onto bigger and better things, namely just taking up storage space on your Exchange server. Removing it by hand is permanent, so be sure nobody needs it reconnected first.

Quick and easy way:
On your Exchange server, open up the Exchange Management Shell
Get-MailboxStatistics | where-object { $_.DisconnectDate -ne $null } | Select DisplayName,Database,MailboxGuid – This will show all the disconnected mailboxes AND their Database and MailboxGuid (both are needed to delete the boxes)
Remove-Mailbox -Database [Database-Name] -StoreMailboxIdentity [MailboxGuid] – This will delete a single line item.

EDIT 11.13.2008:
You can run the Get-MailboxDatabase command to find out the name of the database and what server it resides on. The final delete command will be something like the following:
Remove-Mailbox -Database "servername\mailbox database" -StoreMailboxIdentity 2ae3c6f1-848e-4892-923c-614f9b3838f7
Then it will ask if you want to really remove the GUID from the database.
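The listing and the delete from above combined into one script for the Exchange Management Shell. This is an added example, not code from the original post: the 30-day cutoff and the $Purge flag (off by default, so the first run only reports) are assumptions of the example. It prints every disconnected mailbox with its database, GUID, size and disconnect date, and only purges the ones older than the cutoff.

```powershell
# Added example (not from the original post): report disconnected mailboxes
# with the values Remove-Mailbox needs, and purge only those disconnected for
# longer than a chosen number of days. Run in the Exchange Management Shell.
# Assumptions (not from the post): the 30-day cutoff and the $Purge flag,
# which defaults to a dry run.

$OlderThanDays = 30
$Purge = $false     # $false only reports; set to $true to actually delete

$cutoff = (Get-Date).AddDays(-$OlderThanDays)

# Disconnected mailboxes are the ones with a DisconnectDate. Database and
# MailboxGuid are the two values Remove-Mailbox -StoreMailboxIdentity needs.
$disconnected = Get-MailboxStatistics |
    Where-Object { $_.DisconnectDate -ne $null } |
    Select-Object DisplayName, Database, MailboxGuid, DisconnectDate,
        @{Name="SizeMB"; Expression={ $_.TotalItemSize.Value.ToMB() }}

$disconnected | Sort-Object DisconnectDate | Format-Table -AutoSize

foreach ($mbx in ($disconnected | Where-Object { $_.DisconnectDate -lt $cutoff })) {
    if ($Purge) {
        # Irreversible: the store purges the content now, ahead of the database's
        # own deleted mailbox retention window.
        Remove-Mailbox -Database $mbx.Database -StoreMailboxIdentity $mbx.MailboxGuid -Confirm:$false
        Write-Host ("Purged {0} ({1}) from {2}" -f $mbx.DisplayName, $mbx.MailboxGuid, $mbx.Database)
    } else {
        Write-Host ("Would purge {0} ({1}) from {2}, disconnected {3}, {4} MB" -f `
            $mbx.DisplayName, $mbx.MailboxGuid, $mbx.Database, $mbx.DisconnectDate, $mbx.SizeMB)
    }
}
```

Run it once with $Purge left at $false, read the “Would purge” lines, and only then flip the flag; a mailbox disconnected last week may still belong to someone who is about to ask for it back.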

Show and Hide Hidden Formatting Word

Sometimes people complain that they are seeing the hidden formatting characters on emails they’re trying to send. And then they are worried that their customers will also see said formatting marks. While I can explain that the customer will only see the text and not the marks, it’s actually much easier to just solve the problem.

Word 2003 had it nice and easy – just click on the standard toolbar Paragraph Mark. But with 2007, everything is hidden or moved. Don’t get me wrong – I like 2007 so far, but various tasks that used to be easy to explain are now hidden away somewhere.

And finding the key combination to reset this is difficult because NO ONE WRITES ABOUT IT.

So here’s the key combination:
Ctrl + Shift + 8 (that is, Ctrl + *). Just press the magic keys somewhere in your Word document (or in the body of an email) and like magic (sense a theme going on?) the formatting marks show/hide at your command.