24 December 2019

Office 365 – Winmail.dat

After changing over from on-prem Exchange to O365, I had one user whose recipients would receive any attachment they sent as the “dreaded” winmail.dat file instead of the .pdf or whatever file the user was actually sending. It was intermittent, however: some recipients would get the actual file and some (all external) would get the winmail.dat file.

The first thing I did was check that the user was sending their mail as HTML, and not Rich Text. After changing that value, I checked back a week or so later and the user was still experiencing the issue, so it was time to dig a little deeper. After some searching online I found that this is not an uncommon issue.

The issue happens because the receiver’s email client cannot interpret the email message that was sent from Outlook in the Rich-Text format. When using Outlook to send an email in the Rich-Text format, a plain text copy of the email is sent along with an attachment named winmail.dat. This ‘winmail.dat’ attachment contains all of the formatting, elements, and other data specific to Rich-Text email messages. This method of sending the email message is called “Transport Neutral Encapsulation Format”, or “TNEF” for short.

Unfortunately, many non-Microsoft email programs cannot properly open messages received in TNEF. To fix this, we can use PowerShell to force Exchange Online to convert Rich-Text messages to HTML before it sends them off. You can use the commands shown below to set the ‘RemoteDomain’ property “TNEFEnabled” to false on the Default policy.

1) Connect to Exchange Online via PowerShell.

2) Get your Default RemoteDomain policy:
Get-RemoteDomain | fl *

3) Set the TNEFEnabled property:
Set-RemoteDomain Default -TNEFEnabled $false
Re-run step 2 and you should see that “TNEFEnabled” is set to “False”.

Just in case… Here is how to change it back to a NULL value to undo your change in step 3, and let the Outlook client again decide how it wants to send the message.

4) Set the TNEFEnabled property back to NULL:
Set-RemoteDomain Default -TNEFEnabled $null
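The steps above, put together as one script that first reports the TNEF setting for every remote domain, changes only the Default policy, and then verifies the result. This is an added example, not code from the original post; it assumes the ExchangeOnlineManagement module is installed and the account holds an Exchange admin role.

```powershell
# Added example (not from the original post). Assumes the ExchangeOnlineManagement
# module is installed and the account has an Exchange admin role.
Connect-ExchangeOnline

# Report the current TNEF setting for every remote domain before changing anything.
# TNEFEnabled has three states: $true (always send TNEF), $false (never send TNEF),
# and $null (let the Outlook client decide), which is the default.
function Get-TnefReport {
    Get-RemoteDomain | Select-Object Name, DomainName, TNEFEnabled
}

Get-TnefReport | Format-Table -AutoSize

# Force Rich-Text to HTML conversion for the "Default" remote domain, which covers
# every external domain that does not have its own RemoteDomain entry.
Set-RemoteDomain -Identity Default -TNEFEnabled $false

# Verify the change took effect before closing the session.
$default = Get-RemoteDomain -Identity Default
if ($default.TNEFEnabled -eq $false) {
    Write-Host "TNEF is now disabled for the Default remote domain."
} else {
    Write-Warning "TNEFEnabled is still '$($default.TNEFEnabled)'; review the output of Set-RemoteDomain."
}

# To undo and hand the decision back to the Outlook client, set it back to $null:
# Set-RemoteDomain -Identity Default -TNEFEnabled $null

Disconnect-ExchangeOnline -Confirm:$false
```

Running the report first matters when the tenant has per-domain RemoteDomain entries: a domain with its own entry is not affected by the Default policy, so its TNEFEnabled value has to be changed separately.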

20 December 2019

File management – Cisco Flash

When working on Cisco devices, sometimes you have to delete files from the device. It’s more or less the same on all Cisco devices. While there are other file systems available to you on your device (see the first command listed), Cisco devices use “flash:” as their default file system. My examples will also use the default “flash:”, but note that the commands will work the same on any other available file system, such as “usb0:”.

Show Available File Systems
Device# show file systems

Show Files
Device# dir flash:

Create Directory
Device# mkdir folder

Step into Directory
Device# cd folder

Delete File
Device# delete /force flash:/filename
Device# delete flash:/filename

Delete Directory
Device# delete /force /recursive flash:/folder

Copy File
Device# copy usb0:[/directory]/filename flash0:[/directory]/filename

Category: Cisco
18 December 2019

MDT loading to cmd prompt

I was running an MDT LiteTouch deployment and the computer kept getting stuck at a command prompt after loading into the MDT environment. Normally it should have launched right into the LiteTouch wizard, but for whatever reason it just didn’t want to go beyond this point on its own. I found two possible ways to get past it.

I had used this same means of deployment on other machines of the same make and model, with the same Task Sequence, so I knew it wasn’t a driver issue as many alluded to in the various forums I looked at. However, I went ahead and ran “ipconfig” and also tried to mount the MDT share using “net use”, just to make sure there were no network issues.
net use z: \\<servername>\deploymentshare$
Well, it turned out that I already had an IP address and the mapped drive was already in use. So how could I now get on with my deployment?

The first and possibly the easiest way was to just manually launch LiteTouch. It is as straightforward as it sounds. I entered the command below into my command prompt, and voila! The LiteTouch wizard came right up and I continued on my way.
X:\windows\system32> Z:\scripts\LiteTouch.vbs

The second method really isn’t any more difficult than the first. Sometimes a folder named “MININT” already exists on the computer’s C: drive, and it can cause issues when trying to do a new deployment. The way around that is to wipe the drive and essentially start back at square one. Warning though – following this method WILL erase the drive and wipe any data that is on it. It probably doesn’t matter, as you’re stuck anyway, but it is something to be aware of.

At the first Wizard window, press F8. Then type:

  1. Diskpart (enter)
  2. List disk (enter)
  3. Select disk 0 (choose your main OS disk) (enter)
  4. Clean (enter)
  5. Reboot and start your imaging process again.

After wiping the disk of any pre-existing partitions your next deployment attempt should go smoothly as it now has a blank HDD to work on.

18 December 2019

Cisco 3850 – Upgrading IOS

Upgrading the IOS version on your Cisco 3850 Catalyst switch is not something to be dreaded. In fact, it should probably be celebrated, as these days it most likely means you’re also catching up on patching some vulnerabilities on your device. While the upgrade process is a little different on the 3850 than on older generations of Catalyst switches, not much has changed. Overall it is an easy process that won’t take you long to complete.

So what has changed with the 3850 switch? Well, the “operating system” that the hardware now runs is called IOS-XE, whereas previous generations of Cisco hardware ran IOS software.

The IOS-XE software is delivered as a bundle containing a set of packages which your device will use. During the install step, these packages get expanded before they are actually installed on the device. The older generations of devices that ran IOS had a .bin file that was essentially a “flat” image, not a bundle of packages. While there are other changes too, that is the main difference between the “new” IOS-XE and the “old” IOS.

Okay… Lets get our switch upgraded…

Step 1: Download the latest (or rather the recommended) IOS-XE version from the support portal of Cisco.com. (At the time of me writing this, the recommended release version is “Fuji-16.9.4”)

Step 2: Transfer the .bin file you downloaded in step 1 to your device. There are a few ways to do so; TFTP or USB being the most common.

  • Via TFTP

3850-SW# copy tftp flash:
Address or name or remote host []? 10.1.2.3
Source filename[]? cat3k_caa-universalk9.16.09.04.SPA.bin
Destination filename[cat3k_caa-universalk9.16.09.04.SPA.bin]?
Accessing tftp://10.1.2.3/cat3k_caa-universalk9.16.09.04.SPA.bin...
Loading cat3k_caa-universalk9.16.09.04.SPA.bin from 10.1.2.3: !!!!!!!!!!!!!

  • Via USB

3850-SW# copy usbflash0:cat3k_caa-universalk9.16.09.04.SPA.bin flash:

Step 3: Start the Install.

3850-SW# software install file flash:cat3k_caa-universalk9.16.09.04.SPA.bin

Once the software install completes, you will need to reboot the switch so that it can boot into the freshly installed IOS-XE version.

3850-SW# reload

Step 4: Verify the new version. After rebooting the device in the previous step, you will want to verify that you are indeed running the new IOS version. You can run the following command to do so.

3850-SW# show version | i Switch
Cisco IOS Software [Fuji], Catalyst L3 Switch Software (CAT3K_CAA-UNIVERSALK9-M), Version 16.9.4, RELEASE SOFTWARE (fc2)
Switch Ports Model SW Version SW Image Mode

Here we can see that the switch is running Fuji, and that it is on version 16.9.4. And now we’re done!

Category: Cisco
13 December 2019

dracut-initqueue

I was updating the firmware on some Dell FC630 servers when I came across this. I really thought that the server had hung during the update and I was in for a long night of trying to fix it. Wait and see what the fix was…

So, using the Dell EMC Repository Manager tool, I created a Linux-based SmartBootableISO that included the desired updates for my hardware. I then connected to the server’s iDRAC virtual console, mounted the ISO, and booted the server to the ISO image. Everything appeared fine as I watched the server boot up. Then I saw it throw the following message:

dracut-initqueue[686]: mount /dev/sr0/ is write-protected, mounting read-only

Then after waiting and staring for about 5 minutes I started to worry. What’s going on? Did it just freeze?

Well… No, thankfully it had not frozen.

It was just mounting a file as read-only, which apparently took longer than you would think. After waiting longer than felt right, it finally got past this step and the server proceeded with its boot-up process. The wait time varied slightly between servers, ranging from about 7 to 10 minutes.

So if you happen to see the “dracut-initqueue” message, don’t panic, your server did not hang. Just wait it out… Grab a coffee or go have a restroom break. Use those few minutes to stretch. Your server will continue chugging along shortly.

4 December 2019

ReFS allocation size

I was reformatting a drive for some Veeam backups and was trying to recall what I had set the ReFS allocation unit size to when I initially set up the drive. Well, I could not remember to save my life. Luckily, with a little command line action, it’s easy enough to find out what it was set to.

The command line tool to use is fsutil. To see what options are available to us when using fsutil, we can run the following command.
fsutil fsinfo /?

Using “E:” as the drive we are checking, we can run the following line to discover information about the volume itself.
fsutil fsinfo volumeinfo E:

To view the specific ReFS info on this drive, we can run the following line.
fsutil fsinfo refsinfo E:
Take a look at the value for “Bytes Per Cluster”; this is where we can see that when this drive was formatted, its allocation unit size was set to 65k. 65k is also the recommended setting for Veeam destinations if you are using ReFS.
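The same check as a script, so it can be run against several repository volumes at once and flag any that were not formatted with the 65,536-byte (64 KB) cluster size. This is an added example, not from the original post; it wraps the fsutil command shown above, parses the “Bytes Per Cluster” line, and assumes an elevated PowerShell prompt on the backup server. The drive letters passed at the bottom are constructed sample values.

```powershell
# Added example (not from the original post). Wraps "fsutil fsinfo refsinfo" and
# parses the "Bytes Per Cluster" line. Run from an elevated prompt.
function Get-RefsClusterSize {
    param([Parameter(Mandatory)][string]$DriveLetter)   # e.g. "E:"

    $output = & fsutil fsinfo refsinfo $DriveLetter 2>&1
    if ($LASTEXITCODE -ne 0) {
        throw "fsutil failed for $DriveLetter (is it a ReFS volume?): $output"
    }

    # Find the "Bytes Per Cluster : <n>" line and pull out the number.
    $match = $output | Select-String -Pattern 'Bytes Per Cluster\s*:\s*(\d+)' | Select-Object -First 1
    if (-not $match) {
        throw "Could not find 'Bytes Per Cluster' in fsutil output for $DriveLetter"
    }
    [int]$match.Matches[0].Groups[1].Value
}

# Compare each volume against the recommended Veeam ReFS cluster size (64 KB = 65536 bytes).
function Test-VeeamRefsClusterSize {
    param(
        [string[]]$Drives = @('E:'),
        [int]$ExpectedBytes = 65536
    )
    foreach ($drive in $Drives) {
        $bytes = Get-RefsClusterSize -DriveLetter $drive
        [pscustomobject]@{
            Drive           = $drive
            BytesPerCluster = $bytes
            MatchesVeeamRec = ($bytes -eq $ExpectedBytes)
        }
    }
}

# Constructed sample input: the repository volumes to check.
Test-VeeamRefsClusterSize -Drives 'E:', 'F:' | Format-Table -AutoSize
```

A volume that reports a different cluster size cannot be changed in place; it has to be reformatted, so this is worth running before a repository is filled rather than after.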

4 December 2019

Office 365 in-“stalled” at 51%

Out of an entire organization, we had one single machine that had issues installing O365; it would always get stuck at “51%”. I even tried letting it run for an entire weekend. The weird part was that it was a Win10 machine, and it was fully up-to-date in terms of Windows Updates. The same ODT script worked perfectly fine for all the other machines, which were a mix of Win8.1 & Win10.

So I gave the Office 365 uninstaller a whirl. It ran through pretty quickly and said everything was removed. It ran so quickly, it didn’t even seem like it did anything. I went ahead and tried my ODT script again, and voila – it worked!

So my only takeaway is: if you’re having issues with the installer “stalling” out, try MS’s uninstaller and then try your install again.

30 November 2019

Bitnami – Disabling TLS v1.0 & v1.1

I was surprised when I ran the Qualys SSL Labs scan against my website that I got a lower score than I expected. The SSL Labs scan is a FREE deep analysis of the SSL configuration of your public-facing website that returns a score and grade for your server. It also provides some suggestions as to what you can do to improve your server’s score.

Well, it turns out there were two things hindering my score. One is easy to fix via a configuration change in Bitnami, which I’ll cover in this article. The other isn’t necessarily hard, but it involves a DNS record known as a CAA record, which I’m not going to cover in this article.

The quick, easy fix was to change the versions of TLS that I allowed my server to use, by disabling the older versions of the TLS protocol, v1.0 and v1.1.

I used WinSCP to connect to my server and opened the file:
/opt/bitnami/apache2/conf/bitnami/bitnami.conf

Within the file you can set/remove the “SSLProtocol” directive. In my case, I set it to:
SSLProtocol all -SSLv2 -SSLv3 -TLSv1 -TLSv1.1

Once that change has been saved, all that’s left is to restart Apache. You can restart it by connecting to your server over SSH and issuing the following command:
sudo /opt/bitnami/ctlscript.sh restart apache

After you see Apache restart, go ahead and re-scan your website. I found that for my website, my score increased and thus my grade was better after disabling the older versions of TLS. Success!
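Before waiting on a fresh SSL Labs run, you can confirm from your own workstation that the restarted Apache now rejects TLS 1.0 and 1.1 and still accepts TLS 1.2. This is an added example, not from the original post or from Bitnami; it uses the .NET SslStream class available in Windows PowerShell 5.1 and PowerShell 7, and the host name at the bottom is a placeholder to replace with your own site.

```powershell
# Added example (not from the original post). Attempts a TLS handshake with the
# site once per protocol version and reports which versions the server accepts.
# Assumes the workstation can reach the site on port 443.
function Test-TlsVersions {
    param(
        [Parameter(Mandatory)][string]$HostName,
        [int]$Port = 443
    )
    $protocols = [ordered]@{
        'TLS 1.0' = [System.Security.Authentication.SslProtocols]::Tls
        'TLS 1.1' = [System.Security.Authentication.SslProtocols]::Tls11
        'TLS 1.2' = [System.Security.Authentication.SslProtocols]::Tls12
    }
    foreach ($name in $protocols.Keys) {
        $client = New-Object System.Net.Sockets.TcpClient
        try {
            $client.Connect($HostName, $Port)
            # This test is only about protocol negotiation, so the certificate
            # validation callback accepts any certificate; keep that confined to
            # a diagnostic like this one.
            $ssl = New-Object System.Net.Security.SslStream($client.GetStream(), $false, { $true })
            $ssl.AuthenticateAsClient($HostName, $null, $protocols[$name], $false)
            $accepted = $true
            $ssl.Dispose()
        } catch {
            # A handshake failure here means the server (or the local OS policy)
            # refused this protocol version.
            $accepted = $false
        } finally {
            $client.Dispose()
        }
        [pscustomobject]@{ Host = $HostName; Protocol = $name; Accepted = $accepted }
    }
}

# Placeholder host name; replace with your own site.
Test-TlsVersions -HostName 'www.example.com' | Format-Table -AutoSize
```

After the SSLProtocol change above, the expected result is Accepted = False for TLS 1.0 and TLS 1.1 and Accepted = True for TLS 1.2. Note that a False for an old version can also come from the client side if the workstation’s own OS policy has those versions disabled, so a clean result is best cross-checked with the SSL Labs scan.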

30 November 2019

Stop the Ads @ Home – Pi-Hole

Advertising, love it or hate it, truly drives the internet. It is scary the amount of data companies skim about you from the ads that get served to you and what you click on. But with the right tools, you can do a lot to protect your privacy. One of the best things you can do at home to protect your privacy and stop unwanted ads is to deploy Pi-hole.

As described on their homepage, Pi-hole is “A black hole for Internet ads” that is “Easy-to-install” and “is a DNS sinkhole that protects your devices from unwanted content”. All of which can be done in a one-time setup, usually on a Raspberry Pi, without installing any software on your devices.

Pi-hole acts upon your network. It takes on the role of serving as the DNS server on your network, and optionally the role of a DHCP server.

In most homes today, both of these roles are usually performed by your router/wifi access point. DNS, in its most simplistic terms, acts as the white pages that helps your devices translate a URL to an IP address. DHCP allows your device to get a ‘dynamically’ assigned address on the network so that it can communicate with everything else. So by utilizing some whitelists and blacklists, Pi-hole can simply not serve the address of known advertising URLs, cutting the ads off before the request ever leaves your house.

I’ve been using it at home for about 3 years now and absolutely love it. There are some ads that still come thru, and sometimes if I click on an ad, I’ll get a “page can’t be reached” message. It was different at first to get used to, but now… I would trade it for the world!

Another great piece of software to install on your RPi is PiVPN. It’s an easy and secure way to create a VPN (a private tunnel) to your home when you are out and about. The best part about it is that it allows you to use Pi-hole when you’re not at home. Check out my article here.

28 November 2019

O365 MFA – “Office Phone”

Multi-factor authentication is something you should have enabled in your Azure or Office 365 tenant. It’s going to take care of at least 90% of your worries about whether someone is going to ‘hack’ into your organization. That said, it can cause a few headaches of its own.

When your user is choosing their methods or means to authenticate, one of the options is to use their “Office Phone”. That’s great… But if you sync your on-prem AD to Azure AD, you’ll quickly realize that that option is grayed out and you can’t set it. You’ll get a message about contacting your administrator.

To set this number, simply edit the properties of your user in your on-prem AD.

  • Open “Active Directory Users and Computers” and navigate to your user.
  • Right-click on the user and choose ‘properties’.
  • Under ‘Telephone’ enter the user’s phone number, country code first, like either of the examples below.
    • +1 8085551234
    • +1 8085551234 x123
  • Click ‘OK’ to save the edits.

After you have finished editing the user, all you have to do is wait for the next sync cycle. From then on, your users will be able to authenticate and log in using their work desk phone.
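The same edit done from PowerShell, which is handier than ADUC when several users need their office phone populated and lets you reject numbers that are not in the “+<country code> <number> [x<ext>]” form before they are written to AD. This is an added example, not from the original post; it assumes the ActiveDirectory RSAT module and an account that can edit the user, and the user name and number at the bottom are constructed sample values.

```powershell
# Added example (not from the original post). Sets the on-prem AD "Telephone"
# field (the telephoneNumber attribute) that Azure AD Connect syncs, after
# validating the number format the post shows. Assumes the ActiveDirectory module.
Import-Module ActiveDirectory

function Test-OfficePhoneFormat {
    param([Parameter(Mandatory)][string]$Number)
    # Accepts "+1 8085551234" or "+1 8085551234 x123":
    # plus sign, 1-3 digit country code, a space, the number, optional " x<extension>".
    return $Number -match '^\+\d{1,3} \d{4,14}( x\d{1,6})?$'
}

function Set-OfficePhoneForMfa {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Number
    )
    if (-not (Test-OfficePhoneFormat -Number $Number)) {
        throw "'$Number' is not in the '+<country code> <number> [x<ext>]' form"
    }
    # -OfficePhone writes the telephoneNumber attribute, the field ADUC shows as "Telephone".
    Set-ADUser -Identity $SamAccountName -OfficePhone $Number

    # Read it back so the change is visible before the next sync cycle runs.
    Get-ADUser -Identity $SamAccountName -Properties telephoneNumber |
        Select-Object SamAccountName, telephoneNumber
}

# Constructed sample values for illustration.
Set-OfficePhoneForMfa -SamAccountName 'jdoe' -Number '+1 8085551234 x123'
```

The format check is deliberately strict: a number written without the leading country code syncs fine but is not usable as an MFA phone in Azure AD, which is the kind of silent failure that only shows up when the user tries to enrol.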