How to demote a Windows Server 2012 Domain Controller

In this short write up I will go over steps to demote a Server 2012 domain controller.

If you have worked in Active Directory and Windows Domain Administration over the years you may recall that in previous version of Windows Server that you would use the command line tool of ‘DCPROMO’ to promote or demote a server. Since Server 2012, the use of DCPROMO has been deprecated. In fact, if you attempt to use it you will be inform of this via the Active Directory Domain Service Installed.

In Server 2012 and later versions the use of Server Manager or PowerShell is required to promote / demote a server to/from a Domain Controller (DC). Below I provide steps on how to demote a server with some illustration along the way. Also, here is a quick YouTube video on the process:

Log into the domain controller you intend on demoting and Launch the Server Manager, select the Manage drop down menu, select Remove roles and features.

On the server selection page, select the desired server from the pool.

On the Remove Roles and Features Wizard, un-tick the Active Directory Domain Services box

The Remove Roles and Features dialog box will open. Click Remove features

On the Remove Roles and Features Wizard dialog box Validation Results box will appear. The domain controller must be demoted before continuing. Click on Demote this domain controller.

On the Active Directory Domain Services Configuration Wizard enter the required credentials to demote this server, click Next.

You will have several removal options. From the forced remove of failed domain member, to removing of the last domain in your forest. Make the selections which is appropriate for your remove task and click Next

Finally you will arrive on the New Administrator Password, enter and confirm the new local administrator account password, click Next.

On the Review Options verify the information is correct and click Demote.

After the server has restarted it will no longer be a domain controller

And that is it.

Tech Short: Capturing packets on Checkpoint

I’ve recently found myself capturing network traffic to troubleshoot reported issues. To successfully capture packets the use of tcpdump is required.  And while you may be familiar with using this tool, the use is slightly different on Checkpoint devices.

The devices in this reference is Checkpoint R77.30 and R80 devices.

To capture the correct network packets you must first disable Checkpoints SecureXL feature which is an acceleration solution that maximizes network performance of the Firewall.

To disable SecureXL, run the command:

fwaccel off

To check the overall SecureXL status:

fwaccel stat

Now that SecureXL has been disabled, continue to the capture steps below:

To capture packets, issue the following command:

tcpdump -s 0 -nni <interface_name> -w capture_file_name.pcap

Press Control-C (Ctrl C) to break the capture

Re-enable SecureXL, by running the following command:

fwaccel on

Retrieve the capture file and review using a tool such a Wireshark

Tech Short: Debug VPN in Checkpoint R77.30

The following tech short will provide a list of commands used to enable debugging in Checkpoint’s R77.30 Firewall. To start you must  SSH into firewall host (or active member).

To turn on VPN debug from the expert mode:

# vpn debug trunc

At this point you want to test your VPN connection and verify that IKE Phases. This can be done with the following commands:

# vpn tu (option 1 and 2), you may need to reset tunnel to test. This is done by using (option 7)

To tune off the VPN debug the following commands should be issued:

# vpn debug off

# vpn debug ike off


When completed retrieve the logs vpnd.elg and ike.elg – located under $FWDIR/log

Checkpoint has an IKEView tool which is located on their site, and used to review the logs, else using a tool such as Notepad++ for analysis is helpful.

X1 Set-Top Box Issues RDK-03004 & RDK-03033

Excellent Comment from one of my previous post:

Sharing the information below.  Thanks dude for sharing.


Equipment List:

1. Cable Modem -> Xfinity TG1682G internet cable modem (
2. Main DVR Unit -> Xfinity PX0113ANM main cable box (
3. Remote Units -> 2 Xfinity PXD01ANI receivers (
4. Amplifier -> Commscope CSAPDU5VP 5 port Subscriber Amplifier (
5. MoCa Filter -> PPC MoCA Ground Block PoE Filter, Combo Wave (


Xfinity internet was disconnecting frequently, and the main Xfinity cable box (PX013ANM) was rebooting. Basically, service was going in and out.  Neighbors were not having any issues.  Called Comcast a number of times.  Sometimes they customer service representative could ping (i.e. see) the devices, other times they could not.

Complicating Factors

Internet was consistently dropping.  Great performance, then nothing. Reboot the modem, work for a period, then same issue would repeat.

All of a sudden main cable DVR unit would reboot multiple times per day.

Cable would begin randomly freezing on remote units.  I would reboot the remote units, and they would time out, not connect, and display the error: rdk-03036.

I’ll jump to the solution so I don’t bore you to sleep….


After hours (possibly days) of internet research, hair pulling, and deep, deep soul searching, I figured out the issue and now (knock on wood) have a speed demon, high-performance Xfinity network.

1.  Make sure your cable line is GROUNDED.  This is important.  My cable line is grounded using the MoCa filter which is explained in #2 below.  Grounding the line really important.  Proper grounding reduces noise/static in the cable line which allows the data to perform better.  Here is a link explaining the situation:  Safety note: You also want to ground the line in the rare situation that the cable line outside gets hit by lightning, sending that dangerous current into your house destroying everything in its path (all electronics and possible your home)

2. Make sure you have a MoCa filter (see equipment list above) installed on your cable line BEFORE any amplifier or splitter.  This is very important – also, make sure the directional arrow on the filter points into the house as if data were flowing into your home.  NOTE: My MoCa filter is also the ground point.  I’ll explain this MoCa pain in the a$$ down below.

3. If you are using the Commscope amplifier, it is really important on where you connect your devices.  On my Commscope 5 port, there are four active ports (Out 1 -> Out 4), and one passive port (-4dB VoIP Out).   There is also the line IN port (this is where you connect the cable line coming into the house {assuming the MoCa filter is on the other end connect to the main line from the outside cable}), and the Power In port.

– The cable modem MUST be connect to the VoIP Out passive port.  This is defined as “passive”  since the amplifier does not send any power to it (i.e. amplification).  The main purpose is that if your power goes out, and your cable modem has a backup-battery, the phones will still work (i.e. land lines).
– The rest of your cable devices (main DVR, and remote boxes) should be connected to 1, 2, 3, and 4.  I’m only using 1, 2, 3.  My Main DVR is connected to Port number 1.  Also, if you have an open port, you should cap it with an F-Type terminator -> (aka dummy load)

4. Make sure the MoCa communications settings on the Cable Modem/Router is DISABLED!.  Using a browser on your home network, go to and login as the Admin.  (Note: the default password is “password”).  Select Communications, find MoCa and disable it.

5. Unplug all your devices, wait a few minutes and plug them back in.  Once they are all up and running, use the Xfinity My Account app on your mobile device, and send a REFRESH single to your system.

If all goes to plan, everything should come back to life.  If you still have issues, check the following:

1. Make sure you limit splitters on your cable network.  If you have any, and require splitting, please make sure they are high-quality.  Also, if you have a one to four, or one to two splitter, and you are not using all the connectors, the ports need to be capped with an f-type male terminator.  Otherwise, you lose signal.

2. If you are having internet issues and are using a downstream router, make sure all your Ethernet cables are high quality.  I had some old cables where the ends did not fit well, and that was causing internet problems.

3.  If you are still having cable issues on the remote boxes, go to the main DVR, grab the remote and perform the following procedure:

– Press and hold the EXIT button for five seconds
– Click the down arrow twice
– Hit the number 2 button

You should be presented with the diagnostics menu. Arrow to the MoCa Diagnostics section and confirm that the MoCa Link Status is set to LinkOn (not NoLink).  If this is set to NoLink, then your cable will not work on the remote boxes. Check to make sure the MoCa filter is installed correctly. Also, make sure MoCa is disabled on the cable modem router page.

*** MoCa PITA (Pain in the A$$) ***

So, I learned a lot about MoCa during this exercise.  Multimedia Over Coax Alliance (“MoCa”) is the data communications method used by the Xfinity devices to communicate.  The remote devices do nothing more than connect to the main DVR for processing. When you are watching cable on a TV connect to a remote PXD unit, all the interaction (guides, internet apps, DVR viewing) is being served by the main DVR unit in the home. All the data is being controlled by MoCa.  If you don’t have the MoCa filter connected to your cable line coming into the house, you can get MoCa traffic into your home network which causes congestion and conflict.  Hence, there is so much traffic that the devices can’t connect to the right host – your main DVR.  By installing the filter, outside MoCa traffic is left outside.

In theory, the MoCa configuration on your Comcast router should not impact the performance of your cable devices.  However, when I had it on, I had internet and cable problems.  By making sure the filter was installed correctly, and MoCa was OFF on the router, the system worked perfectly.

I hope this helps and saves at least one person some time and headaches.

submitted by frustrated xfinity (comcast) customer

OpenVPN Access Server on Ubuntu

I recently retired my OpenVPN Turnkey appliance and needed to get my VPN solution up and running again. I decided to go with installing OpenVPN Access Server on a clean install of Ubuntu Server to create a stable and light weight Virtual Private Network (VPN) to access my network.

I chose to go with OpenVPN AS because its using the OpenVPN I know and trust, but it also has the value added feature of an administrative server used for user and access management.

Setup is straight forward after a few small prerequisites are established.


  • Ubuntu Server – Running the latest version and updates. I am using 16.04.2-as my base
  • Root or possibly sudo access


Download the latest release of the OpenVPN AS Server

The direct Ubuntu installs here


The following steps can be used to download and install:

  1. Download the install package: wget
  2. Install the downloaded package: dpkg -i openvpn-as-2.1.9-Ubuntu16.amd_64.deb
  3. Change the password for the openvpn user: passwd openvpn

When the installation has completed, the Access Server web UIs will be available here:
Admin UI: https://<yourip>:943/admin
Client UI: https://<yourip>:943/


And just like that you now can take better control over your privacy, security.

Note: I did not go over the configuration of OpenVPN AS, I may do this in another post. I just wanted to run though the steps of getting this software installed.

Some say…

Some say there are two great days in a person’s life: the day you were born and the day you discover why. I want to encourage you to seek what you were put on this earth to do. Then pursue it.  – #jermsmit #jermfit

Largest FREE Microsoft eBook Giveaway! 


Ubuntu Linux for Windows 10 Released On Windows App Store

We can now get Ubuntu Linux for Windows 10 from the Windows App Store. Hows that for an amazing new feature. Simply open the Windows store and search for “Ubuntu”. I would be remiss if i didn’t mention that Windows Insiders Members get first go at this new application.

Also to note that this is not a full version of the Linux Operating System “Ubuntu”. This application is mainly utilizing terminal via bash with included gui-less utilities such as  ssh, git, apt, etc…

  • Navigate to Control Panel > Program and Features
  • Select Turn Windows features on or off
  • Select Windows Subsystems for Linux and Click OK
  • Reboot




New Phishing Scam Using Microsoft Office 365

*** Attention Required ***

It seems that the bad guys are at it once again with an attempt to collect information by phishing credentials from those of us using Office 365 for corporate emails.  The characteristics of this particular attack the hackers intention is to deceive Office 365 users into providing their login credentials”.

The user sees a fake Office 365 login page, which requests their credentials. Once the Office 365 usernames and passwords have been compromised, the hackers can:

  • Send emails to other users in the victim’s address book, asking them for anything, sending fake invoices, sending more phishing emails, etc.
  • Access the user’s OneDrive account, to download files, install more malware, infect files with malware, etc.
  • Access the users SharePoint account, to download files, install more malware, etc.
  • Steal company intellectual property or other customer information such as customer SSNs, credit card numbers, email addresses, etc.

One of the characteristic of this recent attack is an email being sent with an embedded image which resembles an Microsoft Office Word document containing a link back to a site with a fake Office 365 logon page.  In addition to this the site URL ends in php?userid= syntax.

I have provided the following YouTube video to illustrate the interaction of the fake Office 365 logon page.




It’s an important part of your responsibility to be cautious when accessing emails even from known senders to ensure its legitimate by reviewing the email to ensure that its legitimate.

If in doubt do not open the email and reach out to the sender to ensure they sent you the email.  If you self-determine an email to be suspicious immediately report incidents as soon as they happen.


Here are a few guidelines below that could be followed.  Please review:


Check the sender.

Sometimes, cybercriminals and hackers will fake (or “spoof”) the sender of an email. If the “from” address doesn’t match the alleged sender of the email, or if it doesn’t make sense in the context of the email, something may be suspicious.

Check for (in)sanity.

Many typical phishing emails are mass-produced by hackers using templates or generic messages. While sophisticated attacks may use more convincing fake emails, scammers looking to hit as many different inboxes as possible may send out large numbers of mismatched and badly written emails. If the email’s content is nonsensical or doesn’t match the subject, something may be suspicious.

Check the salutation.

Many business and commercial emails from legitimate organizations will be addressed to you by name. If an email claims to come from an organization you know but has a generic salutation, something may be suspicious.

Check the links.

A large number of phishing emails try to get victims to click on links to malicious websites in order to steal data or download malware. Always verify that link addresses are spelled correctly, and hover your mouse over a link to check its true destination. Beware of shortened links like, http://goog.le, and If an email links to a suspicious website, something may be suspicious.

Don’t let them scare you.

Cyber criminals may use threats or a false sense of urgency to trick you into acting without thinking. If an email threatens you with consequences for not doing something immediately, something may be suspicious.

Don’t open suspicious attachments.

Some phishing emails try to get you to open an attached file. These attachments often contain malware that will infect your device; if you open them, you could be giving hackers access to your data or control of your device. If you get an unexpected or suspicious attachment in an email, something may be suspicious.

Don’t believe names and logos alone.

With the rise in spear phishing, cybercriminals may include real names, logos, and other information in their emails to more convincingly impersonate an individual or group that you trust. Just because an email contains a name or logo you recognize doesn’t mean that it’s trustworthy. If an email misuses logos or names, or contains made-up names, something may be suspicious.

If you still aren’t sure, verify!

If you think a message could be legitimate, but you aren’t sure, try verifying it. Contact the alleged sender separately (e.g., by phone) to ask about the message. If you received an email instructing you to check your account settings or perform some similar action, go to your account page separately to check for notices or settings.



Darrell’s Flashback Ugly 90s Fashion Show! – #DoubleFML FatDarrellPalooza!

Really cool that I got the honorable mention in this post. Brings back good memories.