
How to demote a Windows Server 2012 Domain Controller

In this short write-up I will go over the steps to demote a Server 2012 domain controller.

If you have worked in Active Directory and Windows domain administration over the years, you may recall that in previous versions of Windows Server you would use the command-line tool DCPROMO to promote or demote a server. Since Server 2012, DCPROMO has been deprecated; in fact, if you attempt to use it, the Active Directory Domain Services installer informs you of this.

In Server 2012 and later, Server Manager or PowerShell must be used to promote a server to a Domain Controller (DC) or demote it. Below I provide the steps to demote a server, with some illustrations along the way. Also, here is a quick YouTube video of the process: https://youtu.be/sBK2_APaDdg

Log into the domain controller you intend to demote and launch Server Manager. Select the Manage drop-down menu, then select Remove Roles and Features.

On the server selection page, select the desired server from the pool.

On the Remove Roles and Features Wizard, un-tick the Active Directory Domain Services box.

The Remove Roles and Features dialog box will open. Click Remove Features.

The Remove Roles and Features Wizard will show a Validation Results box. The domain controller must be demoted before continuing. Click Demote this domain controller.

In the Active Directory Domain Services Configuration Wizard, enter the credentials required to demote this server and click Next.

You will have several removal options, from the forced removal of a failed domain member to the removal of the last domain in your forest. Make the selections appropriate for your removal task and click Next.

Finally you will arrive at the New Administrator Password page. Enter and confirm the new local administrator account password, then click Next.

On the Review Options page, verify the information is correct and click Demote.

After the server has restarted it will no longer be a domain controller.

And that is it.
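The same demotion can be scripted with the ADDSDeployment module, which is the PowerShell route the post mentions. This is an added example, not code from the post; it assumes the account you enter is allowed to demote the DC, that the server may reboot when the command completes, and that you run it in an elevated PowerShell session on the DC itself.

```powershell
# Added example (not from the post): demote a Server 2012 DC with the ADDSDeployment
# module instead of the Server Manager wizard described above.
Import-Module ADDSDeployment

# Account permitted to demote the DC (the credentials the wizard asks for).
$cred = Get-Credential -Message 'Account with rights to demote this domain controller'

# Password the local Administrator account will have once the server is no longer a DC
# (the "New Administrator Password" page of the wizard).
$localAdminPwd = Read-Host -AsSecureString -Prompt 'New local Administrator password'

# Prerequisite check only: reports problems without changing anything.
Test-ADDSDomainControllerUninstallation -Credential $cred -LocalAdministratorPassword $localAdminPwd

# Real demotion. -Force suppresses the confirmation prompt; the server reboots afterwards.
# Add -ForceRemoval only when the DC can no longer contact the domain (the forced-removal
# option in the wizard) and -LastDomainControllerInDomain only when it is the last DC in
# its domain; both correspond to the removal options the wizard offers.
Uninstall-ADDSDomainController -Credential $cred -LocalAdministratorPassword $localAdminPwd -Force

# After the reboot, remove the role binaries (the "Remove Roles and Features" step).
Uninstall-WindowsFeature -Name AD-Domain-Services -IncludeManagementTools
```

Running the Test- cmdlet first is the scripted equivalent of the wizard's Validation Results box: it tells you whether the demotion will be refused (for example because the account lacks rights) before anything is changed on the server.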

Tech Short: Debug VPN in Checkpoint R77.30

The following tech short provides the list of commands used to enable VPN debugging on Check Point's R77.30 firewall. To start, SSH into the firewall host (or the active cluster member).

To turn on VPN debug from the expert mode:

# vpn debug trunc

At this point, test your VPN connection and verify that the IKE phases complete. This can be done with the following command:

# vpn tu (options 1 and 2); you may need to reset the tunnel to test, which is done with option 7

To turn off the VPN debug, issue the following commands:

# vpn debug off

# vpn debug ike off

When completed, retrieve the logs vpnd.elg and ike.elg, located under $FWDIR/log.

Check Point provides the IKEView tool on its site for reviewing these logs; otherwise a tool such as Notepad++ is helpful for analysis.

OpenVPN Access Server on Ubuntu

I recently retired my OpenVPN Turnkey appliance and needed to get my VPN solution up and running again. I decided to install OpenVPN Access Server on a clean install of Ubuntu Server to create a stable and lightweight Virtual Private Network (VPN) for access to my network.

I chose OpenVPN AS because it uses the OpenVPN I know and trust, and it also has the value-added feature of an administrative server used for user and access management.

Setup is straightforward once a few small prerequisites are in place.

Requirements:

  • Ubuntu Server, running the latest version and updates. I am using 16.04.2 as my base.
  • Root or sudo access

Software:

Download the latest release of the OpenVPN AS server:
https://openvpn.net/index.php/access-server/download-openvpn-as-sw.html

The direct Ubuntu installs are here.

The following steps can be used to download and install:

  1. Download the install package: wget http://swupdate.openvpn.org/as/openvpn-as-2.1.9-Ubuntu16.amd_64.deb
  2. Install the downloaded package: dpkg -i openvpn-as-2.1.9-Ubuntu16.amd_64.deb
  3. Change the password for the openvpn user: passwd openvpn

When the installation has completed, the Access Server web UIs will be available here:
Admin UI: https://<yourip>:943/admin
Client UI: https://<yourip>:943/

And just like that, you can now take better control over your privacy and security.

Note: I did not go over the configuration of OpenVPN AS; I may do this in another post. I just wanted to run through the steps of getting this software installed.

Ubuntu Linux for Windows 10 Released On Windows App Store

We can now get Ubuntu Linux for Windows 10 from the Windows Store. How's that for an amazing new feature? Simply open the Windows Store and search for "Ubuntu". I would be remiss if I didn't mention that Windows Insider members get first go at this new application.

Also note that this is not a full version of the Ubuntu Linux operating system. This application mainly provides a bash terminal with GUI-less utilities such as ssh, git, apt, etc.

Before installing it, enable the Windows Subsystem for Linux feature:

  • Navigate to Control Panel > Programs and Features
  • Select Turn Windows features on or off
  • Select Windows Subsystem for Linux and click OK
  • Reboot
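The same feature can be enabled from an elevated PowerShell prompt. This is an added example, not from the post; it assumes Windows 10 with the DISM PowerShell cmdlets available (they ship with Windows 10) and that you are running as an administrator.

```powershell
# Added example (not from the post): enable the Windows Subsystem for Linux feature
# from an elevated PowerShell prompt instead of the Control Panel steps above.
$featureName = 'Microsoft-Windows-Subsystem-Linux'

$feature = Get-WindowsOptionalFeature -Online -FeatureName $featureName

if ($feature.State -eq 'Enabled') {
    Write-Host "$featureName is already enabled."
} else {
    # -NoRestart lets us decide when to reboot; RestartNeeded reports whether one is pending.
    $result = Enable-WindowsOptionalFeature -Online -FeatureName $featureName -NoRestart
    if ($result.RestartNeeded) {
        Write-Host "$featureName enabled; reboot before installing Ubuntu from the Store."
        # Restart-Computer -Confirm   # uncomment to reboot now
    } else {
        Write-Host "$featureName enabled; no reboot required."
    }
}
```

Checking the current state first makes the script safe to re-run, and deferring the reboot with -NoRestart means it can be dropped into a larger provisioning script that reboots once at the end.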

[SOLVED] Unable to migrate VM’s to other host

I encountered the following issue when attempting to migrate a live VM to another host within my lab cluster. The error received was:

Currently connected network interface 'Network adapter 1' cannot use network 'VM Network', because the destination network on the destination host is configured for different offload or security policies than the source network on the source host.

I was able to fix this by checking the configuration of the virtual switch (vSwitch0) on the ESXi host I was moving the virtual machine to.

  1. Clicked on each host and went to Configure.
  2. Under the Networking subsection, located the virtual switch.
  3. Selected Edit on that virtual switch.
  4. Reviewed the settings in the Security tab and the Traffic Shaping tab on both hosts.

In my case the issue was with the Security tab: the destination host did not match the source.
Just another reason to use host profiles between systems so that all settings match.

Restore of Checkpoint Fails with “The following hotfixes seem to be missing”

I ran into a slight snag when attempting to restore a production backup into a VMware image of Checkpoint R77.30. Using the Gaia WebUI to restore the image returned the message: "The following hotfixes seem to be missing".

The message points to a log file under /tmp/ which lists updates missing from the firewall I am restoring to. To get around this, the following steps were taken.

  1. Log into the Checkpoint firewall via SSH to access the console (you could also console in; I'm using a VM, so the terminal works as well).
  2. Enter expert mode (password required).
  3. Run the command dbset backup:override_hfs t from expert mode.
  4. Go back into the Gaia WebUI and attempt the restore of the backup.

Wait... wait... The system will reboot and the configuration will be restored.

All done.

The cause of this issue was that the backup file was taken from a system with a different version from the system I was restoring into. In some cases, this message can be safely ignored and the restore performed without incident.

Please take time to review your configuration after you restore.

Fix for Checkpoint VPN tunneling Option being grayed out on Check Point Endpoint Security Client

I noticed that the Windows VPN client on my computer was forcing all traffic through the gateway of my VPN endpoint. In most cases that would be fine; however, it limited my ability to access local network resources and to browse the internet via my local internet provider (split tunneling).

What I soon noticed was that I could not remove the setting that encrypted all traffic and routed it to the gateway.

To make these changes on the client, the following needs to be done.

Step 1: Modify the configuration to allow trac.config to be edited, as it is obscured for security purposes.

  1. Exit the Check Point Endpoint Security Client
  2. Stop the “Check Point Endpoint Security” service
  3. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.defaults

Change the top line from:

OBSCURE_FILE INT 1 GLOBAL 0

to

OBSCURE_FILE INT 0 GLOBAL 0

Step 2:

  1. Start the “Check Point Endpoint Security” service
  2. Start the Check Point Endpoint Security client
  3. Verify that the c:\program files (x86)\checkpoint\endpoint connect\trac.config file is de-obscured.
  4. Shut down the Check Point Endpoint Security Client
  5. Stop the “Check Point Endpoint Security” service
  6. Edit c:\program files (x86)\checkpoint\endpoint connect\trac.config

Search and edit the following line:

From: <PARAM neo_route_all_traffic_through_gateway="false"></PARAM>

To: <PARAM neo_route_all_traffic_through_gateway="true"></PARAM>

Step 3:

  1. Delete c:\program files (x86)\checkpoint\endpoint connect\trac.config.bak
  2. Start the “Check Point Endpoint Security” service
  3. Start the Check Point Endpoint Security Client
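The three steps above can be scripted so the service stop/start and the two file edits happen in the right order every time. This is an added example, not code from the post or from Check Point; it assumes the service is found by the display name the post uses, that the client lives in the install path the post gives, and that the client rewrites trac.config in clear text once OBSCURE_FILE is 0, as the post describes. Starting and exiting the client itself is left as a manual step, since the post does not name the client executable.

```powershell
# Added example (not from the post): scripts Steps 1-3 above. Run from an elevated
# PowerShell prompt with the Endpoint Security client closed.
$dir      = 'C:\Program Files (x86)\CheckPoint\Endpoint Connect'   # path from the post
$defaults = Join-Path $dir 'trac.defaults'
$config   = Join-Path $dir 'trac.config'
$desired  = 'true'   # value the post sets for neo_route_all_traffic_through_gateway

# Assumption: exactly one service carries this display name.
$svc = Get-Service -DisplayName 'Check Point Endpoint Security'

function Set-TracDefault([string]$Path, [string]$Name, [int]$Value) {
    # Lines look like: OBSCURE_FILE INT 1 GLOBAL 0 ; replace only the INT value of $Name.
    $pattern = "^($Name\s+INT\s+)\d+"
    $lines = Get-Content $Path
    if (-not ($lines -match $pattern)) { throw "$Name not found in $Path" }
    $lines -replace $pattern, "`${1}$Value" | Set-Content $Path
}

function Set-TracParam([string]$Path, [string]$Name, [string]$Value) {
    # Lines look like: <PARAM name="value"></PARAM> ; replace only the quoted value.
    $pattern = "(<PARAM\s+$Name=)`"[^`"]*`""
    $text = Get-Content $Path -Raw
    if ($text -notmatch $pattern) { throw "$Name not found in $Path" }
    $text -replace $pattern, "`${1}`"$Value`"" | Set-Content $Path -NoNewline
}

# Step 1: stop the service and turn off obscuring in trac.defaults (keep a copy to roll back).
Stop-Service $svc
Copy-Item $defaults "$defaults.orig" -Force
Set-TracDefault $defaults 'OBSCURE_FILE' 0

# Step 2: let the client rewrite trac.config in clear text, then stop everything again.
Start-Service $svc
Read-Host 'Start the Endpoint Security client, wait for it to load, exit it, then press Enter'
Stop-Service $svc
if ((Get-Content $config -Raw) -notmatch 'neo_route_all_traffic_through_gateway') {
    throw 'trac.config still looks obscured; check OBSCURE_FILE in trac.defaults and retry'
}
Set-TracParam $config 'neo_route_all_traffic_through_gateway' $desired

# Step 3: remove the stale backup and bring the service back up.
Remove-Item (Join-Path $dir 'trac.config.bak') -ErrorAction SilentlyContinue
Start-Service $svc
Write-Host 'Done; start the Endpoint Security client and confirm the VPN tunneling option is selectable.'
```

The readability check before the PARAM edit is the scripted form of Step 2.3: if trac.config is still obscured, the regex would not match and the script stops rather than leaving the service down with a half-done change. The copy of trac.defaults lets you restore the obscured setting afterwards if you prefer the file protected again.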

Notes: Pros and Cons of Split VPN you should know about

Pros

If you are going to split tunnel, then you are going to reduce the overall bandwidth impact on your Internet circuit. Only the traffic that needs to come over the VPN will, so anything a user is doing that is not “work related” will not consume bandwidth. In addition, anything external to your network that is also latency sensitive will not suffer from the additional latency introduced by tunneling everything over the VPN to the corporate network. Users will get the best experience in terms of network performance, and the company will consume the least bandwidth.

Cons

If security is supposed to monitor all network traffic, and protect users from malware and other Internet threats by filtering traffic, users who are split tunneling will not get this protection and security will be unable to monitor traffic for threats or inappropriate activity. Traffic to websites that use HTTPS will still be protected, but other traffic will be vulnerable.

Ref: https://www.cpug.org/forums/archive/index.php/t-14545.html

Check Point 600 Appliance Software Blade Stuck in Updating status

Recently I had a chance to get my hands on this excellent firewall by Check Point. As you know, not everything goes perfectly, and that is where you get a chance to learn how it works while you fix it.

I encountered an issue where one of the Threat Prevention blades was stuck in updating status for several hours. I had logged into the appliance via SSH to view CPU utilization and observed nothing that would indicate an issue.

I started thinking about what events may have caused this, so I looked at the auto-update schedule for the blades and noticed that all three blades were set to update simultaneously.

I have observed that these updates can cause very high CPU consumption, and perhaps that is why the blade with the issue became stuck in an updating status.

To address this, I issued the update command from the CLI:

  1. Log into the firewall via SSH.
  2. Enter expert mode by typing 'expert' in the CLI. You will be asked for your expert password. Once in expert mode you will be at a standard Linux bash prompt.
  3. Run one of the following while in expert mode, depending on which update you require:
  • Anti-Virus blade: [Expert@jermsmit.com]# online_update_cmd -b AV -o update
  • IPS blade: [Expert@jermsmit.com]# online_update_cmd -b IPS -o update
  • Application Control blade: [Expert@jermsmit.com]# online_update_cmd -b APPI -o update

Now return to and refresh your WebUI; the blade(s) that were stuck in the updating status should now show as up to date.

Quick How To Share a Document with OneDrive for Business


You can share files (documents and such) with OneDrive for Business:

  1. In the file list, right-click a document, or select a document and then select Share.
  2. Select Get a link.
  3. Choose who to share with, and whether they can view or edit the file.
  4. To share with people inside your organization, choose:
     • View link – account required – people inside your organization can view, copy, or download the document.
     • Edit link – account required – people inside your organization can edit, copy, or download the document.
  5. To share with people outside your organization, choose:
     • View link – no sign-in required – people outside your organization can view, copy, and download the document.
     • Edit link – no sign-in required – people outside your organization can edit, copy, and download the document.
  6. For external links, select SET EXPIRATION and choose when you want the link to expire.
  7. Click Copy and paste the link in an email or post it.

Note: Links created that don’t require a sign-in can be opened by anyone, so make sure the content can be shared publicly. Consult your Corporate Information Security Policy and IT if needed.

Note: Sharing of folders is not possible at this time.

Exchange Remote PowerShell Broken in Windows 10 Anniversary Update

So you updated to the Windows 10 Anniversary Update and now find yourself unable to connect to a remote PowerShell session. I noticed this while managing Exchange Online in Office 365 after upgrading to Windows 10 version 1607, aka the Anniversary Update.

In my attempts to connect as I have done in the past (http://jermsmit.com/azure-active-directory-module-for-windows-powershell-how-to-connect/), I encountered an error message.

Comparing this later with my down-level installs of Windows 10 and Server 2012 R2, the issue does not exist there. So what changed?

It seems that the updated version of PowerShell may have something to do with this issue, so I attempted to run PowerShell in a down-level mode.

This is done by issuing the following command in an elevated command prompt (Run as Administrator): PowerShell.exe -Version 2.0

From this point we can now connect without issue.
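For reference, this is the remote session setup the workaround is applied to, written as an added example rather than code from the post. It uses the Exchange Online remote PowerShell endpoint and Basic-authenticated session that Exchange Online published at the time of the post, and it is written to run inside the down-level session started with PowerShell.exe -Version 2.0 (so it avoids parameters that only exist in later PowerShell versions).

```powershell
# Added example (not from the post): open an Exchange Online remote PowerShell session from
# the down-level session started with "PowerShell.exe -Version 2.0".
# Connection URI: the Exchange Online endpoint published at the time of the post.
$connectionUri = 'https://outlook.office365.com/powershell-liveid/'

# Show which engine we are on; the post's workaround only applies under 2.0.
Write-Host "PowerShell engine version: $($PSVersionTable.PSVersion)"

# Office 365 admin credentials (no -Message parameter: it does not exist in 2.0).
$cred = Get-Credential

$session = New-PSSession -ConfigurationName Microsoft.Exchange `
    -ConnectionUri $connectionUri `
    -Credential $cred -Authentication Basic -AllowRedirection

# Bring the Exchange cmdlets into the local session.
Import-PSSession $session -DisableNameChecking | Out-Null

# Quick check that the remote session works, then clean up so the session slot is released.
Get-Mailbox -ResultSize 5 | Select-Object DisplayName, PrimarySmtpAddress
Remove-PSSession $session
```

Removing the session at the end matters: Exchange Online limits the number of concurrent remote sessions per account, and a script that fails to open a session (as happened after the Anniversary Update) can leave orphaned ones behind if earlier attempts were not cleaned up.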

Hope this helps