Monday, December 14, 2009
Local Security Policy > Local Policies > User Rights Assignment > Log On As A Batch Job > Add User or Group
Next add the user account to the Backup Administrator's group in Computer Management > Local Users and Groups
You will also need to tweak the job in Task Scheduler to have the following things: Select "Run whether user is logged on or not" and check "Run with Highest Privileges". If you do not select the "Run with Highest Privileges" check box then you will get the following error:
ERROR : You do not have the Backup and Restore Files user rights.
***** You need these to perform Backup copies (/B or /ZB).
ERROR : Robocopy ran out of memory, exiting.
ERROR : Invalid Parameter #%d : "%s"
ERROR : Invalid Job File, Line #%d :"%s"
That box is the equivalent of right click, "Run As Administrator" on the command prompt window.
Wednesday, July 8, 2009
Error Source: i8042prt
Description: The ring buffer that stores incoming mouse data has overflowed (buffer size is configurable via the PS/2 mouse properties in device manager).
Tuesday, July 7, 2009
All of my DNS static entries are going to get nuked and changed to a completely different IP space (yes, the computers too). However since this is such a massive task and we have minimal time to make the change we would like to complete as much ahead of time as we can. All of my DNS servers are DCs running AD-Integrated Zones. The only way I can think of to do this ahead of time is by creating a spreadsheet and filling in the hostnames and the new IPs and then on the day of the IP change import the new records into DNS. So, the question is how exactly can I update the DNS tables on an AD Integrated Zone using a script or file import?
Here is what I found:
The simple answer is you can't :) However there is a workaround...
1. Export your DNS information to a CSV File
2. Modify the DNS information to show the correct IP information. I accomplished this by using Excel Spreadsheets sent to users to be filled in with the new IPs. Then using SQL I imported the Spreadsheets into a database and then scripted a massive UPDATE statement on the master DNS list. Then exported the updated master DNS list as a TAB DELIMITED file.
3. Next I needed to remove all my DNS Servers except one. Pick one to keep, uninstall DNS on all others.
4. On the remaining DNS Server I changed all my zones from Active-Directory Integrated Zones to Primary using the following: (right click on each zone) > Properties > General > Change Type > (Uncheck) "Store the zone in Active Directory"
5. Repeat for all zones
6. Keep the "Load Zone Data on Startup" at "From Active Directory and registry"
7. Open the DNS zone files (
8. Modify the DNS zone file with your new information keeping the proper TAB Delimited format.
9. Reboot the DNS server, this is gonna take a while but if you don't you are going to get an error like "the specified directory partition does not exist".
10. Open DNS Manager again and move all of your zones back to AD-Integrated Zones. Steps are the reverse of Step 4.
11. Reinstall DNS on all the other DNS Servers that we uninstalled on Step 3.
12. Once DNS is installed on all the other DNS Servers check to make sure that they have the latest DNS entries. They should and at this point you are done.
Piece of cake :)
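One way to script the edit in step 8, as an added example that is not part of the original post: it rewrites only the A records named in a hostname-to-new-IP mapping and reports mapping entries that matched nothing. The record layout (owner, optional TTL, type, data separated by single tabs), the sample zone and the function name are assumptions.

```python
import ipaddress

# Constructed sample zone lines in the assumed tab-delimited layout.
ZONE = [
    "; constructed sample zone",
    "@\tNS\tdc01.corp.example.",
    "dc01\tA\t10.50.0.10",
    "fileserver\t1200\tA\t10.50.0.20",
    "www\tCNAME\tfileserver",
    "printer\tA\t10.50.0.30",
]

# Constructed mapping, e.g. loaded from the spreadsheet export in step 2.
NEW_IPS = {"DC01": "10.80.0.10", "fileserver": "10.80.0.20", "kiosk": "10.80.0.99"}


def rewrite_a_records(zone_lines, new_ips):
    """Return (new_lines, changed, missing) without touching non-A records."""
    # Validate every new address up front; a typo raises ValueError here
    # instead of ending up in the zone file.
    new_ips = {h.lower(): str(ipaddress.IPv4Address(ip)) for h, ip in new_ips.items()}
    out, changed, with_a_record, owner = [], [], set(), None
    for line in zone_lines:
        fields = line.rstrip("\r\n").split("\t")
        is_comment = line.lstrip().startswith(";")
        if not is_comment and fields[0].strip():
            owner = fields[0].strip().lower()      # blank owner inherits the previous one
        if not is_comment and "A" in fields[1:-1]:
            pos = fields.index("A", 1) + 1         # the data field follows the type
            with_a_record.add(owner)
            if owner in new_ips and fields[pos] != new_ips[owner]:
                changed.append((owner, fields[pos], new_ips[owner]))
                fields[pos] = new_ips[owner]
        out.append("\t".join(fields))              # tab layout is preserved
    missing = sorted(set(new_ips) - with_a_record)
    return out, changed, missing


if __name__ == "__main__":
    lines, changed, missing = rewrite_a_records(ZONE, NEW_IPS)
    print("\n".join(lines))
    print("changed:", changed)
    print("in mapping but not in zone:", missing)
```

Review the `missing` list before the reboot in step 9: those hosts still need records created by hand.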
Friday, June 19, 2009
Friday, June 5, 2009
It appears to have quite a bit of conversion options so if you are doing any conversions check it out.
Friday, May 29, 2009
Source: Exchange Migration
Event ID: 1008
Category: Restore Mailbox
The restore-mailbox task for mailbox 'XXXX' failed.
Error: Failed to copy messages to the destination mailbox store with error:
The operation was cancelled.
As odd as this sounds the fix is to skip the wizard and run the same commands in the EMS (Exchange Management Shell) directly. Here is the syntax:
Restore-Mailbox -identity "Target Mailbox" -RSGDatabase "Recovery Storage Group\RSG Datastore" -RSGMailbox "Mailbox to be restored" -TargetFolder "Folder in -Identity to place data in" -BadItemLimit "Int32"
Wednesday, May 27, 2009
Wednesday, May 20, 2009
Thursday, May 14, 2009
Tracing route to www.l.google.com [22.214.171.124]
over a maximum of 30 hops:
1 <1 ms <1 ms <1 ms xxxxxx.xxxxx.xxxx[xx.xx.0.1]
2 <1 ms <1 ms <1 ms xx.xx.0.1
3 <1 ms <1 ms <1 ms xx.xx.0.9
4 4 ms 4 ms 4 ms xxx.xxx-1-0.xxxx-cust1.dnvr.uswest.net [xx.224.x
5 4 ms 4 ms 4 ms cls-core-02.inet.qwest.net [126.96.36.199]
6 30 ms 32 ms 31 ms dap-brdr-03.inet.qwest.net [188.8.131.52]
7 30 ms 30 ms 30 ms 184.108.40.206
8 49 ms 48 ms 49 ms cr2.dlstx.ip.att.net [220.127.116.11]
9 48 ms 48 ms 49 ms cr1.attga.ip.att.net [18.104.22.168]
10 48 ms 48 ms 48 ms 22.214.171.124
11 * * * Request timed out.
12 * * 293 ms 126.96.36.199
13 * * * Request timed out.
14 287 ms * * 188.8.131.52
15 * * * Request timed out.
16 * * * Request timed out.
17 287 ms * 288 ms qw-in-f104.google.com [184.108.40.206]
Everything looks good at this point, but it really makes you appreciate having Google.
Also, here are some tools to help out when taking a look at outages like this:
Wednesday, April 29, 2009
1. HP ProLiant Integrated Lights-Out Management Interface Driver for Windows Server 2003/2008 x64 Editions to version 220.127.116.11
2. HP ProLiant iLO 2 Management Controller Driver for Windows Server 2003 x64 Editions to version 18.104.22.168
Thursday, April 16, 2009
If you are looking for help feel free to contact them at 469-252-5200.
Wednesday, April 15, 2009
Here is a sanitized email that I sent last night that has a very interesting problem that we ran into at work. Never ran into ARP Poisoning before...
Sent: Thursday, April 16, 2009 12:21 AM
To: XXXXX XXXXX
Subject: ARP Poisoning
Ok, so here is 12 hours of work boiled down into a couple sentences of “what happened” …
Basic Topography: 10.70.0.1(hop1) > 10.50.0.1(2) > 10.50.0.9(3) > Internet(4) > Destination(5)
MAC Address for 10.50.0.1 = XX:XX:XX:XX:b4:23
Scenario: We isolated the issue (mainly by completely replacing 10.70.0.1 (ISA 2006) & 10.50.0.1 (Core Router) to no avail) so that we knew that traffic was going from 10.70.0.1 out to the internet, hitting the destination and generating response traffic. This response traffic made it to the firewall but died before reaching back to the 10.70.0.1 ISA server. This leaves 10.50.0.1 and 10.50.0.9 as the only possible culprits for the missing traffic. After replacing 10.50.0.1 we discovered that the traffic still exhibited the same behavior and we realized that the chances of 2 Routers both being bad was really remote so we focused on the firewall. Taking a packet trace with the network up and another when the network was dead we found a very subtle difference in the packets. While the network was operating normally the packets were flowing from the firewall to the core router using the level 2 routing addresses of:
Src: XX:XX:XX:XX:ea:b0 - dst: XX:XX:XX:XX:b4:23
When the network was broken the level 2 flow of inbound packets was like:
Src: XX:XX:XX:XX:ea:b0 - dst: 00:0c:29:a9:d2:25
So what we have at this point is ARP Poisoning where another machine on the 10.50.x.x is impersonating 10.50.0.1 which is the Core Router; the result of this is that all traffic coming inbound from the internet (hop3 > hop2) was getting redirected to the mystery machine (hop3 > hop_blackhole) with the mac of 00:0c:29:a9:d2:25. Going from switch to switch we tracked the mac to MachineNameX. After unplugging the machine from the network and clearing the ARP cache on the firewall traffic immediately started working normally and the network is happy. Check out the cool wireshark screenshot attached… now you know what ARP poisoning looks like.
Bottom line: Wireshark is awesome, the 10.50.x.x switches have a command “show bridge address-table” which shows you the MAC addresses that are associated with each port on the switch, 2 heads and 4 eyes are better than 1 head and 2 eyes… and sleep is overrated.. :)
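The comparison that the two packet traces made by hand can be automated, shown here as an added example that is not part of the original email: it flags any IP address that a second MAC starts claiming and lists the other IPs that MAC has used, which helps when tracing it from switch to switch. The observation records are constructed from the addresses in the email (10.50.0.77 is invented for illustration), and the function names and record layout are assumptions.

```python
from collections import defaultdict

# Known-good binding for the core router, as given in the email (redacted there).
PINNED = {"10.50.0.1": "XX:XX:XX:XX:b4:23"}

# Constructed ARP observations: (seconds, claimed IP, sender MAC).
OBSERVATIONS = [
    (0, "10.50.0.1", "XX:XX:XX:XX:b4:23"),
    (5, "10.50.0.9", "XX:XX:XX:XX:ea:b0"),
    (60, "10.50.0.1", "xx-xx-xx-xx-B4-23"),    # same MAC, other notation
    (120, "10.50.0.1", "00:0c:29:a9:d2:25"),   # second MAC claims the router IP
    (121, "10.50.0.1", "00:0c:29:a9:d2:25"),
    (180, "10.50.0.77", "00:0C:29:A9:D2:25"),  # constructed: that host's own IP
]


def normalize(mac):
    """Lower-case, colon-separated form so notations compare equal."""
    return mac.strip().lower().replace("-", ":")


def find_arp_conflicts(observations, pinned=None):
    """Return one alert per new MAC that claims an IP already bound elsewhere."""
    pinned = {ip: normalize(mac) for ip, mac in (pinned or {}).items()}
    first_seen = defaultdict(dict)   # ip -> {mac: time first seen}
    ips_by_mac = defaultdict(set)    # mac -> every IP it has claimed
    alerts = []
    for ts, ip, mac in sorted(observations):
        mac = normalize(mac)
        ips_by_mac[mac].add(ip)
        seen = first_seen[ip]
        if mac in seen:
            continue                 # repeat of a binding already recorded
        # Expected MAC: the pinned one, else the earliest one observed.
        expected = pinned.get(ip) or (min(seen, key=seen.get) if seen else None)
        if expected and mac != expected:
            alerts.append({"time": ts, "ip": ip, "mac": mac, "expected": expected,
                           "source": "pinned" if ip in pinned else "first-seen"})
        seen[mac] = ts
    for alert in alerts:
        # Other IPs used by the same MAC help locate the offending host.
        alert["other_ips"] = sorted(ips_by_mac[alert["mac"]] - {alert["ip"]})
    return alerts


if __name__ == "__main__":
    for alert in find_arp_conflicts(OBSERVATIONS, PINNED):
        print(alert)
```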
Monday, April 13, 2009
You are the responder: I will be backing this XServe up to a Windows File Server where the files will then be picked up to go to tape.
Step 1: Create the appropriate file share on the Windows box and assign the proper permissions to it. Give it a unique AD Service Account since the password is stored in plain text in the backup scripts.
Step 2: Create a folder on the Apple that will be the mount point for your smbfs to the Windows File Server
Step 3: Create a batch file on the Apple that looks like this:
/sbin/mount_smbfs //ADuserName:ADPassword@WinFileServer/ShareToSaveFilesTo /MyAppleMountPoint
tar -cf backup-servername-`date '+%d-%B-%Y'`.tar /Volume/FoldertoBackup
cp backup-servername-`date '+%d-%B-%Y'`.tar /MyAppleMountPoint
Step 4: Test the script and see if it works when launched manually. If you cut and paste it from here you will need to use dos2unix to fix the hidden EOL characters since they are different from standard unix EOL.
Step 5: Automate with Crontab
a. 00 04 * * 02 /var/backups/backup_script.sh
This will execute the backup_script.sh file every Tuesday at 4am.
Step 6: You're done... sort of... Now you need to create a script to clean up the backup files after X amount of days on the Apple so you don't lose too much disk space. You can also edit the tar command to do differential backups if you so choose...
Wednesday, April 8, 2009
<163>%ASA-3-305005: No translation group found for tcp src (InterfaceName):(IPAddress/Port) dst (InterfaceName):(IPAddress/Port)
We wanted to disable just this one alert so that we do not get so many false positives. After trying several things to no avail I finally opened a support case with Cisco and got a quick and easy fix. To accomplish this all that you need to do is type in:
ciscoasa(config)# no logging message 305005
and to re-enable it all you need to do is type:
ciscoasa(config)# logging message 305005
That was easy!
Wednesday, March 18, 2009
2. To allow Instant Messenger you need to do two things:
- Allow IM in the firewall class maps. Configuration > Firewall > Objects > Class Maps > IM > Add. From here you can allow Yahoo! or MSN IM if you use the default criterion. You can also use Services Criterion to block certain features of IM such as Chat, Conference, File Transfers, Games, Voice Chat and Web Cam.
- Tweak the IM rules in the IPS module to allow and deny the traffic that you want.
3. The email alerting is configured using both the IPS and Device Management sliders. Make sure that you can reach the email server's IP from your device or put in a static route to your email server, otherwise you will never get your email alerts :)
4. Event Action Rules are important to your IPS. They define the levels of risk and what to do with the three different levels: HIGHRISK, MEDIUMRISK, LOWRISK. Create your Event Action Rule and then use it via your IPS Policy.
Tuesday, February 24, 2009
I built the batch file to do a few things including:
a. Add a HKLM key at HKLM\Software\Adobe\Acrobat Reader\8.0\JSPrefs
b. Add a DWORD value under that key called "bEnableJS" with a value of 0
Below is the script:
-------------------------Start Script ---------------------------------
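@echo off
setlocal
:: Reconstructed: these three definitions are missing from the listing as posted; the values are assumptions
set regpath=%SystemRoot%\System32\reg.exe
set valuename=bEnableJS
set hive=HKU\TempHive
set keypath=Software\Adobe\Acrobat Reader\9.0\JSPrefs
:: update current user (reconstructed: the "set key" line is missing from the listing as posted)
set key=HKCU\%keypath%
%regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul
:: Add a Master Disable for all users by using HKLM
%regpath% add "HKLM\Software\Adobe\Acrobat Reader\9.0\JSPrefs" /f >nul
:: Reconstructed from item b above: set the DWORD under the HKLM key
%regpath% add "HKLM\%keypath%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul
:: update all other users on the computer, using a temporary hive
set key=%hive%\%keypath%
:: set current directory to "Documents and Settings"
cd /d %USERPROFILE%\..
:: enumerate all folders
for /f "tokens=*" %%i in ('dir /b /ad') do (
    if exist ".\%%i\NTUSER.DAT" call :AddRegValue "%%i" ".\%%i\NTUSER.DAT"
)
endlocal
goto :EOF
:AddRegValue
:: skip the system profiles, load each remaining user's hive, set the value, unload
set upd=Y
if /I %1 equ "All Users" set upd=N
if /I %1 equ "LocalService" set upd=N
if /I %1 equ "NetworkService" set upd=N
if %upd% equ Y (
    %regpath% load %hive% %2 >nul 2>&1
    %regpath% add "%key%" /v %valuename% /d 0x00000000 /t REG_DWORD /f >nul 2>&1
    %regpath% unload %hive% >nul 2>&1
)
goto :EOF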
Note: Change all instances of "8.0" to "9.0" in the script for it to work with Acrobat Reader 9.0
Feel free to modify and use the script but like everything else, test it before you put it into production. I take no responsibility for what you do with it and any results that it might cause.
Thanks to the guys at http://www.ureader.com/ for the original script that I modified to get this running.
"Windows cannot access the specified device, path, or file. You may not have the appropriate permissions to access this item."
To get around this issue you can copy the file to your local drive, right click on the file and select properties. On the bottom of the General screen you will see a warning that the file is from another computer (This file came from another computer and might be blocked to help protect this computer) click "Unblock" and you can now execute the file.
or Uninstall the "Internet Explorer Enhanced Security Configuration".
Event Type: Error
Event Source: System Error
Event Category: (102)
Event ID: 1003
Time: 8:34:36 AM
Description: Error code 00000000000000d1, parameter1 0000000000000019, parameter2 0000000000000002, parameter3 0000000000000001, parameter4 fffffadfd99f4e5b.
For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.
It seems fairly random and there is not a whole lot to go on as far as troubleshooting... I found a MS patch (kb950772) that is supposed to fix "A computer that is running an x64-based version of Windows Server 2003... randomly restarts and then generates a Stop Error" After applying the patch the box seems stable and has yet to throw a stop error.
Patch Details at: http://support.microsoft.com/kb/950772
Monday, February 23, 2009
>service-policy global_policy global
Next I was able to upgrade the ASA's software and the ASDM software via the ASDM. Once updated to the newest versions (8.01 and 6.1551 respectively) I was able to re-download the ASDM client from the device and use the newest java version.
#10 Wifi: As you travel around you will frequently see “Free Public Wifi” in your list of available wireless networks. This is almost always a VIRUS on someone’s computer trying to get you to connect so it can infect you also. Think of this as the “free public used gum” stuck under your desk. DO NOT ‘connect’ to it for any reason. Never connect to any Wi-Fi you do not fully trust; unless of course you like hackers using your identity or credit cards…
#9 Fake News Emails: Never click on any links in an email from CNN or MSNBC, or any other "news alerts" that you have never subscribed to, no matter how realistic it looks. Usually they start with a very absurd or weird story such as "Britney Spears killed in a car accident" or "Bigfoot found in New Jersey". Even if you have subscribed to news alerts it is best to be cautious when following links.
#8 Fake “tracking number” Emails: If you get a "UPS tracking" attachment, never ever open it; these attachments are viruses. They also appear to come from FedEx, USPS, etc. A valid tracking email will never have an attachment.
#7 Fake “Greeting Cards”: Never open an email postcard (Hallmark e-card is the most popular) unless it’s your birthday and it’s from someone you expect it from. This is the main delivery mechanism of most of our viruses today. Also, an e-card will never have an attachment with a .exe extension.
#6 Lock your Desktop when not in use and have a screensaver password. Also lock your mobile devices (phone) with a password. If you don’t lock the doors then it does not make much sense to bar the windows. Don’t make it easy for hackers or others who would want to cause damage.
#5 Fake Instant Messages: Many people here use IM to communicate. It is a great tool but you need to be suspicious of hyperlinks, even if the link appears to be from your friends or coworkers. When a computer gets infected by a virus it is not uncommon for it to steal the address book and email/IM all of that person's contacts with the same virus. Best rule of thumb: Don’t follow hyperlinks.
#4 Don’t put every CD you get mailed or USB key you find lying in the parking lot into your PC, they can “auto-install” a virus onto your PC or do many other nasty things. You didn’t just win a free prize, this is like the “free used gum”; besides it is a very well known technique for hackers and pen-testers alike. Again, don’t make it easy for the bad guys.
#3 Make sure you have Antivirus installed and make sure that it has recent definitions. If your AV software is not updating, it is almost as good as not having it at all. In today’s day and age antivirus is a must… well, maybe not if you don’t have an internet connection…
#2 Keep your software up to date. Do your Microsoft Updates and software updates for all the products that you use. This includes software like Adobe, VMware and whatever else you use. As the famous ex-hacker Kevin Mitnick suggests, “Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer.”
And the #1 thing everyone should do in 2009 is:
#1 Backup everything you use. Make sure you have it somewhere else, on an external hard drive, a file share, somewhere. Don’t assume that anyone else (even IT) is backing that data up. If you have a question if a file share is being backed up please contact the IT Department, otherwise assume it is not. One Worm or Trojan or drive crash can wipe out 100% of your data forever, don’t let it happen to you.
I hope that it is as much a blessing to you as it is to me. Now, the difficult part, actually living it...