Palo Alto Networks Protocols Defined

I have to often do validation on rules set created on a Palo Alto firewall, now if you’ve done this you’ll know there’s  a specific requirement to define which protocol to test against. Generally you’ll use UDP or TCP, and ICMP if needing to validate ping rules.

However PAN uses numbers and the provided direct KB from them does not define them all (1-255). So googling I found a nice simplified post by Kerry Cordero on his site here. Where he got this info from I’m not certain, he did not reference any PAN KB’s or anything. For prosperity of the internet I have quotes his list as it was on his site.

Many Thanks to Kerry for this work on this.

Protocol Options:
When it comes to the protocol #, you have several options to choose from like:

TCP = 6
UDP = 17
ICMP = 1
ESP = 50

Below is a full list of options you can use.

Decimal Keyword Protocol IPv6 Extension Header Reference
0 HOPOPT IPv6 Hop-by-Hop Option Y [RFC8200]
1 ICMP Internet Control Message [RFC792]
2 IGMP Internet Group Management [RFC1112]
3 GGP Gateway-to-Gateway [RFC823]
4 IPv4 IPv4 encapsulation [RFC2003]
5 ST Stream [RFC1190][RFC1819]
6 TCP Transmission Control [RFC793]
7 CBT CBT [Tony_Ballardie]
8 EGP Exterior Gateway Protocol [RFC888][David_Mills]
9 IGP any private interior gateway
(used by Cisco for their IGRP)
[Internet_Assigned_Numbers_Authority]
10 BBN-RCC-MON BBN RCC Monitoring [Steve_Chipman]
11 NVP-II Network Voice Protocol [RFC741][Steve_Casner]
12 PUP PUP [Boggs, D., J. Shoch, E. Taft, and R. Metcalfe, “PUP: An
Internetwork Architecture”, XEROX Palo Alto Research Center,
CSL-79-10, July 1979; also in IEEE Transactions on
Communication, Volume COM-28, Number 4, April 1980.][[XEROX]]
13 ARGUS (deprecated) ARGUS [Robert_W_Scheifler]
14 EMCON EMCON [<mystery contact>]
15 XNET Cross Net Debugger [Haverty, J., “XNET Formats for Internet Protocol Version 4”,
IEN 158, October 1980.][Jack_Haverty]
16 CHAOS Chaos [J_Noel_Chiappa]
17 UDP User Datagram [RFC768][Jon_Postel]
18 MUX Multiplexing [Cohen, D. and J. Postel, “Multiplexing Protocol”, IEN 90,
USC/Information Sciences Institute, May 1979.][Jon_Postel]
19 DCN-MEAS DCN Measurement Subsystems [David_Mills]
20 HMP Host Monitoring [RFC869][Bob_Hinden]
21 PRM Packet Radio Measurement [Zaw_Sing_Su]
22 XNS-IDP XEROX NS IDP [“The Ethernet, A Local Area Network: Data Link Layer and
Physical Layer Specification”, AA-K759B-TK, Digital
Equipment Corporation, Maynard, MA.  Also as: “The
Ethernet – A Local Area Network”, Version 1.0, Digital
Equipment Corporation, Intel Corporation, Xerox
Corporation, September 1980.  And: “The Ethernet, A Local
Area Network: Data Link Layer and Physical Layer
Specifications”, Digital, Intel and Xerox, November 1982.
And: XEROX, “The Ethernet, A Local Area Network: Data Link
Layer and Physical Layer Specification”, X3T51/80-50,
Xerox Corporation, Stamford, CT., October 1980.][[XEROX]]
23 TRUNK-1 Trunk-1 [Barry_Boehm]
24 TRUNK-2 Trunk-2 [Barry_Boehm]
25 LEAF-1 Leaf-1 [Barry_Boehm]
26 LEAF-2 Leaf-2 [Barry_Boehm]
27 RDP Reliable Data Protocol [RFC908][Bob_Hinden]
28 IRTP Internet Reliable Transaction [RFC938][Trudy_Miller]
29 ISO-TP4 ISO Transport Protocol Class 4 [RFC905][<mystery contact>]
30 NETBLT Bulk Data Transfer Protocol [RFC969][David_Clark]
31 MFE-NSP MFE Network Services Protocol [Shuttleworth, B., “A Documentary of MFENet, a National
Computer Network”, UCRL-52317, Lawrence Livermore Labs,
Livermore, California, June 1977.][Barry_Howard]
32 MERIT-INP MERIT Internodal Protocol [Hans_Werner_Braun]
33 DCCP Datagram Congestion Control Protocol [RFC4340]
34 3PC Third Party Connect Protocol [Stuart_A_Friedberg]
35 IDPR Inter-Domain Policy Routing Protocol [Martha_Steenstrup]
36 XTP XTP [Greg_Chesson]
37 DDP Datagram Delivery Protocol [Wesley_Craig]
38 IDPR-CMTP IDPR Control Message Transport Proto [Martha_Steenstrup]
39 TP++ TP++ Transport Protocol [Dirk_Fromhein]
40 IL IL Transport Protocol [Dave_Presotto]
41 IPv6 IPv6 encapsulation [RFC2473]
42 SDRP Source Demand Routing Protocol [Deborah_Estrin]
43 IPv6-Route Routing Header for IPv6 Y [Steve_Deering]
44 IPv6-Frag Fragment Header for IPv6 Y [Steve_Deering]
45 IDRP Inter-Domain Routing Protocol [Sue_Hares]
46 RSVP Reservation Protocol [RFC2205][RFC3209][Bob_Braden]
47 GRE Generic Routing Encapsulation [RFC2784][Tony_Li]
48 DSR Dynamic Source Routing Protocol [RFC4728]
49 BNA BNA [Gary Salamon]
50 ESP Encap Security Payload Y [RFC4303]
51 AH Authentication Header Y [RFC4302]
52 I-NLSP Integrated Net Layer Security  TUBA [K_Robert_Glenn]
53 SWIPE (deprecated) IP with Encryption [John_Ioannidis]
54 NARP NBMA Address Resolution Protocol [RFC1735]
55 MOBILE IP Mobility [Charlie_Perkins]
56 TLSP Transport Layer Security Protocol
using Kryptonet key management
[Christer_Oberg]
57 SKIP SKIP [Tom_Markson]
58 IPv6-ICMP ICMP for IPv6 [RFC8200]
59 IPv6-NoNxt No Next Header for IPv6 [RFC8200]
60 IPv6-Opts Destination Options for IPv6 Y [RFC8200]
61 any host internal protocol [Internet_Assigned_Numbers_Authority]
62 CFTP CFTP [Forsdick, H., “CFTP”, Network Message, Bolt Beranek and
Newman, January 1982.][Harry_Forsdick]
63 any local network [Internet_Assigned_Numbers_Authority]
64 SAT-EXPAK SATNET and Backroom EXPAK [Steven_Blumenthal]
65 KRYPTOLAN Kryptolan [Paul Liu]
66 RVD MIT Remote Virtual Disk Protocol [Michael_Greenwald]
67 IPPC Internet Pluribus Packet Core [Steven_Blumenthal]
68 any distributed file system [Internet_Assigned_Numbers_Authority]
69 SAT-MON SATNET Monitoring [Steven_Blumenthal]
70 VISA VISA Protocol [Gene_Tsudik]
71 IPCV Internet Packet Core Utility [Steven_Blumenthal]
72 CPNX Computer Protocol Network Executive [David Mittnacht]
73 CPHB Computer Protocol Heart Beat [David Mittnacht]
74 WSN Wang Span Network [Victor Dafoulas]
75 PVP Packet Video Protocol [Steve_Casner]
76 BR-SAT-MON Backroom SATNET Monitoring [Steven_Blumenthal]
77 SUN-ND SUN ND PROTOCOL-Temporary [William_Melohn]
78 WB-MON WIDEBAND Monitoring [Steven_Blumenthal]
79 WB-EXPAK WIDEBAND EXPAK [Steven_Blumenthal]
80 ISO-IP ISO Internet Protocol [Marshall_T_Rose]
81 VMTP VMTP [Dave_Cheriton]
82 SECURE-VMTP SECURE-VMTP [Dave_Cheriton]
83 VINES VINES [Brian Horn]
84 TTP Transaction Transport Protocol [Jim_Stevens]
84 IPTM Internet Protocol Traffic Manager [Jim_Stevens]
85 NSFNET-IGP NSFNET-IGP [Hans_Werner_Braun]
86 DGP Dissimilar Gateway Protocol [M/A-COM Government Systems, “Dissimilar Gateway Protocol
Specification, Draft Version”, Contract no. CS901145,
November 16, 1987.][Mike_Little]
87 TCF TCF [Guillermo_A_Loyola]
88 EIGRP EIGRP [RFC7868]
89 OSPFIGP OSPFIGP [RFC1583][RFC2328][RFC5340][John_Moy]
90 Sprite-RPC Sprite RPC Protocol [Welch, B., “The Sprite Remote Procedure Call System”,
Technical Report, UCB/Computer Science Dept., 86/302,
University of California at Berkeley, June 1986.][Bruce Willins]
91 LARP Locus Address Resolution Protocol [Brian Horn]
92 MTP Multicast Transport Protocol [Susie_Armstrong]
93 AX.25 AX.25 Frames [Brian_Kantor]
94 IPIP IP-within-IP Encapsulation Protocol [John_Ioannidis]
95 MICP (deprecated) Mobile Internetworking Control Pro. [John_Ioannidis]
96 SCC-SP Semaphore Communications Sec. Pro. [Howard_Hart]
97 ETHERIP Ethernet-within-IP Encapsulation [RFC3378]
98 ENCAP Encapsulation Header [RFC1241][Robert_Woodburn]
99 any private encryption scheme [Internet_Assigned_Numbers_Authority]
100 GMTP GMTP [[RXB5]]
101 IFMP Ipsilon Flow Management Protocol [Bob_Hinden][November 1995, 1997.]
102 PNNI PNNI over IP [Ross_Callon]
103 PIM Protocol Independent Multicast [RFC7761][Dino_Farinacci]
104 ARIS ARIS [Nancy_Feldman]
105 SCPS SCPS [Robert_Durst]
106 QNX QNX [Michael_Hunter]
107 A/N Active Networks [Bob_Braden]
108 IPComp IP Payload Compression Protocol [RFC2393]
109 SNP Sitara Networks Protocol [Manickam_R_Sridhar]
110 Compaq-Peer Compaq Peer Protocol [Victor_Volpe]
111 IPX-in-IP IPX in IP [CJ_Lee]
112 VRRP Virtual Router Redundancy Protocol [RFC5798]
113 PGM PGM Reliable Transport Protocol [Tony_Speakman]
114 any 0-hop protocol [Internet_Assigned_Numbers_Authority]
115 L2TP Layer Two Tunneling Protocol [RFC3931][Bernard_Aboba]
116 DDX D-II Data Exchange (DDX) [John_Worley]
117 IATP Interactive Agent Transfer Protocol [John_Murphy]
118 STP Schedule Transfer Protocol [Jean_Michel_Pittet]
119 SRP SpectraLink Radio Protocol [Mark_Hamilton]
120 UTI UTI [Peter_Lothberg]
121 SMP Simple Message Protocol [Leif_Ekblad]
122 SM (deprecated) Simple Multicast Protocol [Jon_Crowcroft][draft-perlman-simple-multicast]
123 PTP Performance Transparency Protocol [Michael_Welzl]
124 ISIS over IPv4 [Tony_Przygienda]
125 FIRE [Criag_Partridge]
126 CRTP Combat Radio Transport Protocol [Robert_Sautter]
127 CRUDP Combat Radio User Datagram [Robert_Sautter]
128 SSCOPMCE [Kurt_Waber]
129 IPLT [[Hollbach]]
130 SPS Secure Packet Shield [Bill_McIntosh]
131 PIPE Private IP Encapsulation within IP [Bernhard_Petri]
132 SCTP Stream Control Transmission Protocol [Randall_R_Stewart]
133 FC Fibre Channel [Murali_Rajagopal][RFC6172]
134 RSVP-E2E-IGNORE [RFC3175]
135 Mobility Header Y [RFC6275]
136 UDPLite [RFC3828]
137 MPLS-in-IP [RFC4023]
138 manet MANET Protocols [RFC5498]
139 HIP Host Identity Protocol Y [RFC7401]
140 Shim6 Shim6 Protocol Y [RFC5533]
141 WESP Wrapped Encapsulating Security Payload [RFC5840]
142 ROHC Robust Header Compression [RFC5858]
143 Ethernet Ethernet [RFC8986]
144-252 Unassigned [Internet_Assigned_Numbers_Authority]
253 Use for experimentation and testing Y [RFC3692]
254 Use for experimentation and testing Y [RFC3692]
255 Reserved [Internet_Assigned_Numbers_Authority]

SharePoint Site Has Not Been Shared With You

SharePoint Site Not Accessible

Overview Story

Created brand new SharePoint Teams site.

Enabled Publishing Feature.

Created Access groups, Nest User in Group.

 

Troubleshooting

First Source Disable Access request feature. This feature was enabled, disable it, Result….

Second Source far more thing to try.

  1. Cache, not the case same issue from any browser and client machine.
  2. *PROCEED WITH CAUTION* Stop and Start “Microsoft SharePoint Foundation Web Application” service from Central Admin >>Application Management >>Manage services on server. In case, you face issues, use STSADM command line.cd “c:\program files\common files\microsoft shared\Web Server Extentions\16\BIN”Stop:
    stsadm -o provisionservice -action stop -servicetype spwebservice
    [Time taken ~30min not sure went for a break since it was taking so long]
    iisreset /noforce [!1min]
    Start:
    stsadm -o provisionservice -action start -servicetype spwebservice
    [Roughly 15 min]
    iisreset /noforce

Result, SharePoint completely broken, Central Admin is accessible, but all sites are in a non working state. I cannot recommend to try this fix, but if you have to ensure you are doing so either in a test environment or have a backup plan.

I managed to resolve the issue in my test environment, as it turned out the sites were all defined to be HTTPS, however the binding was done manually on IIS to certs created, and then the AAMs updated on CA. Sources one and two

Running these commands SharePoint is not aware to recreate the HTTPS bindings so this has to be done manually.

Result:

Ughhhhhhhhhhhh!

3.If are migrated from SharePoint 2010, or backup-restore/import-exported: If your source site collection is in classic windows authentication mode and the target is in claims authentication

Not the case, but tried it anayway, and results…

This is really starting to bug me…

4.If you have a custom master page verify it’s published! Checked-out master pages could cause this issue.

We did make changes to the master page to resolve some UI issues, but this had to be published to even have those changes show, so YES, no change in result.

5.If you have this feature enabled: “Limited-access user permission lockdown mode” at site collection level – Deactivate it. – Because, this prevents limited access users from getting Form pages!

Found this, deactivated it and….

Ughhhhh….

6.On publishing sites: Make sure you set the cache accounts: Super User & Reader to a domain account for the SharePoint 2013 Web Application with appropriate rights.

I’ve read this from a different source as well however none of my other sites that are teams sites with publishing enabled have these extra properties defined and they are working without issue, I decided to try anyway,

Result:

7. If you didn’t run the product and configuration wizard after installation/patch, you may get this error even if you are a site collection administrator. Run it once and get rid of this issue.

Let’s give it a whirl… Now I pushed this down from #2 as it’s pretty rough like the suggestion I put as #2, which I should probably shift down for the same risk reasons, but I did try this before the other ones and it like the stsadm commands it broke my ShaerPoint Sites, it stated errors about features defined in the content database of attached sites that the features were not installed on the front end server.

In this case I tried to run my scripts I had written to fix these types of issues (publishing of script pending), but it wouldn’t accept the site URL stating it was not a site collection, it was at this point running get-spsite returned an error…

and sure enough…

AHHHHHHHHHHHH!!!!!!!!!

I asked my colleague for help since he seems to be good at solving issue when I feel I’ve tried everything. He noted the master pages and layouts area had unique permissions, setting it to inherit from parent made the pages finally load. But is this normal? I found someone asking about the permissions here, apparently it shouldn’t be inherited and they list the default permission sets:

Yes, Master Page Gallery use unique permissions by default.
Here is the default permissions for your information:
Approvers SharePoint Group Approvers Read
Designers SharePoint Group Designers Design
Hierarchy Managers SharePoint Group Hierarchy Managers Read
Restricted Readers SharePoint Group Restricted Readers Restricted Read
Style Resource Readers SharePoint Group Style Resource Readers Read
System Account User SHAREPOINT\system Full Control

Setting there defaults I still got the page was not shared problem, for some reason it works when I set the library to inherit permissions from the parent site.

When checking other sites I was intrigued when there was only the Style Resource Readers defined. I found this blog on a similar issue when sub site inheritance is broken which interesting enough directly mentions this group.

“It occurs when the built-in SharePoint group “Style Resource Readers” has been messed with in some way.”

Will check this out.

So I went through his entire validation process for that group, it all checked out, however as soon as I broke inheritance on the master page library, made it the “known defaults” and verified all Style Resources users were correct and all permission for it on all listed libraries and lists all match,  I continued to receive Site not shared with you error.

I don’t feel the fix I found is correct, but I can’t find any other cause, or solution at this time. I hope this blog post helps someone, but I’m sad to say I wasn’t able to determine the root cause nor the proper solution.

 

Renew Certificate with same Key via CMD

certutil -store my

The command above can be used to get the required serial number for the cert needing to be renewed. This should show the machine store, if you need certs displayed for the user store remove the “my” keyword.

certreq -enroll -machine -q -PolicyServer * -cert <serial#> renew reusekeys

If you get the following error:

Ensure the machine account has enroll permission on the published certificate template. For step by step guidance follow this blog post by itexperince.

If you get this error “The certificate Authority denied teh request. A required certificate is not within it’s validity period when verifying against currect system clock”:

Ensure the Certificate you are attempting to renew is not already expired.

If it is follow my guide on creating new certs via CLI.

afterwards it should succeed.

*NOTE* this option archives the old certificate, and generates a new one with a new expiration date, with the same key, with a new serial number. How services that are bound to the certificate update themselves, I’m not sure for this test I did not have the certificate bound to any particular services. Verifying this actually the web server using the cert did automatically bind to the new cert, I’d still recommend you verify where the certificate is being used and ensure those services are update/restarted accordingly to apply the changes.

Fixing SharePoint Search

Broken SharePoint Crawl

Issue: SharePoint Search

First Issue: Crawl ends in 1 min 20 seconds.

Solution: Check to see if the Page Loads when queried from the front end server. If you get a credential prompt 3 times.  Then you have to disable loop back checking.

How to:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

Add a new DWORD value named DisableLoopbackCheck and give it a value of 1. After setting the value reboot your server.

reg add HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa /v DisableLoopbackCheck /t REG_DWORD /d 1

Second Issue: Crawl appears to complete but Errors in Log

Log Details of “the content processing pipeline failed to process the item ExpandSegments”

You may find lots of sources stating to watch out for multi valued attributes or property names such as this nicely detailed blog post however, watch for the details in the log message and it’s a bit different. However I feel this TechNet was answered incorrectly.

I tried some of the basics, such as clearing the index and adding the search account as site admin, did not help. On that note I learnt that separate search content sources within a search application do not have their own indexes. You have to create dedicated search applications for each SharePoint site if you wish them to have their own index (“Database/Tables”).

After a bit more scouring I found many instances of the same problem with the solution always being you have to create a new search application, such as this TechNet post and this TechNet Post.

Solution:

Remove the content source from the existing Search Service Application.

Create an entirely new Search Service Application.

Reboot the Front End.

Add Crawl Content on new SSA. Crawl should work.

Third Issue: Red X on Search Service Application Services

*NOTE* After creating the new Search Application, a front end reboot is required to remove the red X’s on some of the application services statuses.

Fourth Issue: Search results not working

This from my testing appeared to have resolved the crawl issue at hand. However I wasn’t able to get results returned when entering data in to search. I did a bit of searching and testing and I found the solution. Turns out you have to associate the web application with the new search service application (In my testing I created a new uniquely defined search application to have a separate index then the other SharePoint Sites).

Solution:

Navigate to Central Admin > Application Management > Manage web applications >Highlight the web application > Select Service Connections from top ribbon > Make sure your Search service application is selected.

This was it for me, however if you still experience issues I have also read updating the front end servers can resolve issues as well, as blogged about by Stefan Goßner.

Fifth Issue: Runaway Crawl

For some unknown reason, when I went to check out the SharePoint front end after the weekend, I noticed it was using near 100% CPU usage, very similar to a Front End that is actively doing a crawl, I knew this wasn’t a normal time for a crawl and it generally never happens during this time.

To my amazement 3 crawls were on going for over 70+ hours. Attempting to stop them from the front end option “Stop all crawl” resulted in them being stuck in a stopping state.

Googling this I found stop and starting the SharePoint Search Service under services.msc did help to bring them back to “idle”.

Now I believe this next step is what caused my next issue, but it is uncertain.

I clicked on Remove Index, for the primary search service application. It was stuck at “This shouldn’t take long” for a really long time, and I believe it was my impatience here that caused the next problem, as I restarted the search service again after this fact.

Sixth Issue: Paused by System

All solutions I found for this issue resulted in no success. Even rebooting the server the primary search service content crawl states were “paused by system. Regardless of:

    1. Pausing and Resuming the Search Services
    2. Restarting the Search Services
    3. Rebooting the server

I was only able to resolve this issue the same way I fixed the initial issue with the crawl, rebuild the search service application.

I hope this blogs helps anyone experiencing issues with SharePoint Search functionality. Cheers!

Verifying Web connections to SharePoint Sites

Simple as:

Get-Counter -Counter '\web service(_total)\current connections'

You can also use performance Monitor utilizing the same filter/”counter”.

To view all filter/”counter” types: (*note a lot of output, may want to pipe to file)

typeperf -qx

This is useful info if you plan on making Site Changes and need to know how many people might be affected. At the time of this writing I haven’t been able to figure out WHO these connections belong to, however I believe with more knowledge this might be possible. I’ll leave this open for the time being, and come back to it when time permits.

Rename Lync/Skype Server

Overview

Short Answer, Don’t start fresh.

If in a clustered topology with a dedicated CMS. Remove from topology,  add new server with new name to topology and redeploy fresh.

My Expereince:

Step 1) Restore LyncVM created on resource domain, change hostname.
Step 2) Stop All Lync Services
Step 3) Create SRV record for _sipinteraltls, and 3 a records (admin, meet, dialin)
Step 4) Remove old CSM, else topogly deployment will fail. (Remove-CSconfigurationStorelocation)
Step 4.1) Extend Storage to 80Gig, else publishing will fail. (https://docs.microsoft.com/en-us/skypeforbusiness/troubleshoot/server-install-or-uninstall/error-when-install-lync-server#:~:text=This%20issue%20occurs%20because%20the,16%20GB%20of%20free%20space.)
Step 5) Open Topology Builder, if host name same, open file, if new host create new topology. Publish
FAIL

Step 1) Cloned Server
Step 2) Removed from Domain (disconnected)
Step 3) changed Hostname, and joined Domain
Step 4) Run Deployment Wizard -> Prep First Standard eidtion server
Step 5) Run Deployment Wizard -> Setup or Remove Lync Components -> Step 2
FAIL

Step 1) Cloned Server
Step 2) Removed from Domain (disconnected)
Step 3) remove all local SQL instances
Step 4) Delete C:\CSData
Step 5) Rename, Join Domain
Step 6) Run Deployment Wizard, Prepare First standard edition server
Step 7) Adjust DNS (_sipinternaltls, admin, dialin, meet)
Step 8) Remove-CSConfigurationStoreLocation
Step 9) Create and Publish Topology
SUCCESS
However Install CMS: failed:
https://social.technet.microsoft.com/Forums/en-US/88fc3dc6-cf74-474e-baf7-08609211ac1b/cannot-open-database-quotxdsquot-requested-by-the-login-the-login-failed-login-failed-for-user?forum=lyncdeploy

Long Answer (Source): This info has been shared on many blogs, not sure who’s the originator of the list

  1. Remove Skype for Business server from topology
  2. Publish topology.
  3. Run Skype for Business Server Deployment Wizard local setup on server to remove Lync components (or run the bootstrapper)
  4. Uninstall SQL Server. Front-ends have LyncLocal and RTCLocal instances. Remove both, rebooting between instance removal.  Edge only has RTCLocal instance.
  5. Remove SQL Server 2012 Management Objects (x64)
  6. Remove SQL Server 2012 Native Client (x64)
  7. Remove Microsoft System CLR Types for SQL Server 2012 (x64)
  8. Remove Microsoft Skype for Business Server 2015, Front End Server
  9. Remove Microsoft Skype for Business Server 2015, Core Components
  10. Delete leftover data:
    Delete C:Program FilesMicrosoft SQL Server
    Delete C:Program FilesMicrosoft Skype for Business Server 2015
    Delete C:CSData
  11. Rename server and restart
  12. Wait until AD replication completes with new server name.
  13. Open Topology Builder, add a new server to existing pool and publish. (If this is a SBA or Standard Edition Server, the pool and the server FQDN is identical.)
  14. Reinstall Skype for Business Server 2015components and all cumulative updates
  15. Generate new certificate with updated server name and assign to appropriate services using Skype for Business Server 2015 Deployment Wizard.
  16. Restart all servers in pool at same time (only relevant for front-end servers in an Enterprise pool).

Summary

Don’t do it. It’s so much easier to start fresh then deal with this garbage.

Audit Client Side Outlook Archive Settings

Why…

What You Need to Know About Managing PST Files (ironmountain.com)

How?

[SOLVED] Powershell Script find pst files on network – Spiceworks

From this guys script I wrote a simple script of my own.

As noted in the current issue that it only works running under the users current context. Though I know the results from testing, I can’t source any material on the CIM_DataFile class as to denote how or why this is the case.

For the time being this post will remain short as it’s a work in progress that I haven’t been able to resolve the interactive part of the script, I’m not happy with a requirement of a open share, and a logon script. As the script in its current state isn’t even written to support that design.

Will come back to this when time permits.

BitwardenRS Upgrade to Vaultwarden

The Story

A while a go I blogged about installing BitwardenRS, the on prem version of Bitwarden, which is amazing by the way.

Recently they announced they are changing the name to respect of the original project to avoid confusion.

You can follow this guys great video if you happen to use UNRAID (which I haven’t used myself but looks really neat).

If you followed my blog then you are running bitwardenrs via docker-compose.

In this case it was actually simpler than I thought.

Updating/Upgrading BitwardenRS to Vaultwarden

If you are simply updating to the latest build with the same old name.

Step 1) bring down the Container

cd \path\to\dockerimage
docker-compose down

Step 2) pull the latest build

docker-compose pull

Step 3) Bring up the new container

docker-compose up -d

That’s literally it, and it is super fast process.

However if you want to use the new image. You’ll have to change the name of the source project in the docker-compose yaml file:

Change the image: line

image: vaultwarden/server

Then, just like before, bring down the container, pull new, bring up.

Important Change (broken Email)

After updating I wasn’t first aware of an issue (as I normally don’t manage multiple users and orgs), however attempting to add a user to an org I got an error: SMTP improper Auth Mechanism selected.

No matter which one you pick the error remained (against a standard port 25 connection, anon). No matter what you entered in the “admin portal” under the SMTP configuration area, the same error would persist. My colleague started to dig through the source code, and the logic seemed clean. The issue seemed that once you configure specific “environment variables” (EG.
– SMTP_USERNAME=[username]
-SMTP_PASSWORD=[password]) that these for some reason are not being “overwritten” when defined in the admin portal. Since there was fields defined “[username]” the code was building a connection for auth, and expecting a proper auth mechanism. Since Auth Mechanism was never defined in the “environment variables”  and the bug of the settings of SMTP in the “admin panel” were not overwriting it would never hit the proper method in the SMTP code to make a standard port 25 anonymous connection.

To fix the issue you have to remove those two lines from the docker-compose YAML file.

So ONLY DEFINE:
SMTP_HOST=Email Relay DNS name
SMTP_FROM=from address
SMTP_PORT=25
SMTP_SS=false

Save the YAML file and bring down, and then bring up the container.

Watch as email works again. 😀

Super thanks to my buddy GB for the deep code analysis to help resolve this issue. 🙂

Check if Someone is Remoted into a Computer

Let’s say you have a shared workstation, and you’d liek to check if someone is using it without connecting first and having the “someone is already using the workstation”, or interrupting them in the first place.

I found this and I just have to make a super quick short post about it since it blew my mind.

Why it blew my mind.

  1. It’s been around for along time.
  2. It’s native to Windows.
qwinsta /server:RemoteMachine

That’s literally it from here. Admin not needed on local or remote machine, just need remote access to remote machine from my quick testing.

Cheers!

Check in all Files in a SharePoint Doc Library

Here’s a real quick and dirty way to check in all files using SharePoint Powershell.

Get the SharePoint Web application where the doc library sits.

$YourSPSite = Get-SPWeb https://sharepointweb.domain

Get the Document Library from the root (or as many sub layers as needed)

$DocLibrary = ($YourSPSite.RootFolder.SubFolders["Name of Folder"]).SubFolders["Name of Nested Folder"]

After this call the checkin method for each file that is not in a checked in state

$DocLibrary.Files | ?{$_.CheckOutStatus -ne "None"} | foreach {$_.CheckIn("File Checked in by Admin")}

If there are even more subfolders within this folder, they have to be taken care of by simply adding a nested .SubFolders call .EG.

$DocLibrary.SubFolders.Files | ?{$_.CheckOutStatus -ne "None"} | foreach {$_.CheckIn("File Checked in by Admin")}

At this point it doesn’t matter what the sub folders are named it’ll go through each of their files within that “layer” of nested folders.

Hope this helps someone