Thursday, 18 November 2021

Factory resetting a FortiGate 30D

Pretty easy to do, but it can get confusing with these models since they have no console port and the FortiExplorer software doesn't seem to work anymore or isn't available.  Anyway, follow these steps and your FortiGate 30D will reset to factory settings:

1.    Remove the power
2.    Reinstate power
3.    When the status light starts blinking, press the reset button for 5 secs
4.    The status light should start blinking faster, which means it's resetting
5.    Wait till the system has rebooted (solid status light)

The FortiGate should be up and running with DHCP enabled and an IP address of 192.168.1.99

Always forget how to do this process so I'll note it here......geez it's been a while since I posted something......meh.

-Fr33ze

Thursday, 18 February 2016

Outlook 2016 and Exchange 2010

There I was thinking that Microsoft was trying to outsource Exchange......

TBH I'm starting to dislike Office 365 with its licensing scenarios and so on, but then again it's a cheaper option in some aspects than using Office Pro + Exchange.

ANYWHO!!!!

Outlook 2016 was released and failed to incorporate a manual method to connect to Exchange from outside the company. In other words, its method of connecting to an onsite Exchange server is the same as connecting to Office 365.

So the steps we need to complete are as follows (assuming your Exchange server has been set up correctly for Autodiscover internally):

-Set up autodiscover.yourdomain.co(m)

Create this as a CNAME that resolves to your current mail server's external address or MX record

-Create new Exchange certificate to include autodiscover.yourdomain.co(m)

Import it into the Exchange GUI and check IIS for correct bindings

http://www.careexchange.in/how-to-use-a-self-signed-certificate-in-exchange-2010/

If you are using SBS for this then you will have to install the Web Enrollment feature for the currently installed CA.

If you are missing the "WebServer" template within the web enrollment you will HAVE to use this command from a CMD prompt:

Certreq.exe -submit -attrib "CertificateTemplate:webserver" C:\RequestFile.req NewCertName.cer

Then:

Certreq.exe -accept NewCertName.cer

If the first command comes up with an error about the request being (Incomplete), then look at this article:

http://www.itwriting.com/blog/3544-microsoft-exchange-2010-annoyance-certificate-wizard-incompatible-with-certificate-services.html

It says that you need to open the .req file and re-save it with ANSI encoding.

-Copying the certificate

Go to the Certificate Authority and copy the newly created certificate to a Base64 file.

-Test your autodiscover setting

Using https://testconnectivity.microsoft.com/

-Install root certificate on client PC

Copy your CA's root certificate to your external client's computer and install it into the Trusted Root Certification Authorities store.  The above link explains this.  If there is a certificate problem Outlook will not connect.

-Set up Outlook 2016 to connect using the Autodiscover setting

Enter your details into Outlook 2016 and cross your fingers for 3 green ticks
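One way to check the two certificate requirements above (the autodiscover name on the certificate, and the CA root trusted by the client) from the external PC before opening Outlook. This is an added example, not part of the original post: the function name is made up here, it assumes PowerShell 3.0 or later, and the "DNS Name=" label assumes an English-language Windows.

```powershell
# Added example: inspect the certificate an Autodiscover endpoint presents.
function Test-AutodiscoverCertificate {
    param(
        [Parameter(Mandatory=$true)][string]$HostName,
        [int]$Port = 443
    )
    $ssl = $null
    $tcp = New-Object System.Net.Sockets.TcpClient
    try {
        $tcp.Connect($HostName, $Port)
        # Accept any certificate during the handshake so it can be inspected;
        # trust is evaluated separately below and no data is sent over the stream.
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $callback)
        $ssl.AuthenticateAsClient($HostName)
        $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    }
    finally {
        if ($ssl) { $ssl.Dispose() }
        $tcp.Close()
    }

    # Subject Alternative Name extension (OID 2.5.29.17).
    # Assumption: the formatted text uses the English "DNS Name=" label.
    $names = @()
    $sanExt = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($sanExt) {
        $names = @([regex]::Matches($sanExt.Format($false), 'DNS Name=([^,\s]+)') |
            ForEach-Object { $_.Groups[1].Value })
    }

    # Build the chain against this machine's certificate stores. Revocation is
    # skipped here because an internal CA's CRL is often unreachable externally.
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'NoCheck'
    $trusted = $chain.Build($cert)

    [pscustomobject]@{
        Subject      = $cert.Subject
        NotAfter     = $cert.NotAfter
        DnsNames     = $names
        NameCovered  = $names -contains $HostName   # exact match only, no wildcard handling
        ChainTrusted = $trusted
        ChainErrors  = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    }
}

# Placeholder host name: use your own autodiscover record.
Test-AutodiscoverCertificate -HostName 'autodiscover.yourdomain.com'
```

NameCovered being False means the certificate was issued without the autodiscover name; ChainTrusted being False with an UntrustedRoot error means the CA root is not yet installed on this PC.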

Through this process you will be going to and fro between these articles, so be careful not to get lost.

So fear not, it is still possible to use Exchange with Office 2016.

Wednesday, 3 February 2016

Create an Email address policy based on a Database

We have a client who has 2 different databases within their Exchange server. I needed to have different primary SMTP addresses for the recipients within these 2 databases.  The main policy added an email based on the Alias of the user, which was fine for the first database, but I needed a different primary email for the second database.

So again I went to the Internets and found this very helpful article.


What I did first was create a basic policy within the GUI and make sure that the email address was what I wanted it to be, i.e. %s%1g@domain.com. I made sure I didn't apply the policy yet; if you do, you will apply those changes to ALL email enabled users.  Then I went to the management shell and ran this command:

Set-EmailAddressPolicy "test" -RecipientFilter { (Database -eq "CN=General Database,CN=First Storage Group,CN=InformationStore,CN=Exchange2003ServerName,CN=Servers,CN=First Administrative Group,CN=Administrative Groups,CN=contoso,CN=Microsoft Exchange,CN=Services,CN=Configuration,DC=contoso,DC=com") }

Use Get-Mailbox | fl to get the distinguished name of the server. Once you have run this command, go to the policy within the GUI, right click and apply immediately.  You will see it has a filter on it, so you know you have been successful in applying the filter.

-Fr33ze

Thursday, 21 January 2016

Licensing for Terminal Server 2012

I had an issue where I believed I'd set up the licensing correctly for 2012 R2. It seems there are a few things I need to do behind the scenes if I want a simple Session Host that allows my client to connect to the terminal server via RDP.

http://blogs.technet.com/b/askperf/archive/2013/09/20/rd-licensing-configuration-on-windows-server-2012.aspx

The article above shows how to achieve this, but there is some small fine print that allows you to connect to a licensing server when none of the above steps seems to get a connection.

To guarantee that your TS will connect to a licensing server at all:

Run PowerShell as Administrator

Run the following commands:

To configure the license server on RDSH/RDVH:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.SetSpecifiedLicenseServerList("License.contoso.com")

Note: "License" is the name of the License Server in the environment.

To verify the license server configuration on RDSH/RDVH:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.GetSpecifiedLicenseServerList()

To change the licensing mode on RDSH/RDVH:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.ChangeMode(value)

Here value can be 2 (Per Device) or 4 (Per User).

To validate the licensing mode:

$obj = gwmi -namespace "Root/CIMV2/TerminalServices" Win32_TerminalServiceSetting
$obj.LicensingType
$obj.LicensingName

Once you have run these commands, refresh the licensing page and you will see no more yellow warnings.

The issue seems to be related to not having a connection broker installed. If you don't have this installed then you will need to run these commands.

I personally do not need a connection broker, but if you have more than 1 terminal server and need contingency then it may be required.

-Freeze

Thursday, 26 November 2015

Recovering Email from Exchange 2010 using Shadow Protect

I had an opportunity to do a recovery on a few mailboxes from a site running Exchange 2010 and Shadow Protect.

So the procedure I used was simply to copy the database and log files from the Shadow Protect mounted backup to a folder on a drive that has enough space to restore the database to.  Lucky for me the database was small, only 8GB.

I copied the database logs to a folder called "Recovery" and under that folder I had separate folders for both the logs and database.  One thing to remember is if the log files

So my folder structure is:

X:\Recovery\Logs - Copy the exchange logs from the backup to here
X:\Recovery\Database - Copy the database from the backup to here

After the files had been copied I followed the instructions on these web pages to set up the database as a recovery database within the production Exchange environment.

http://msexchangeguru.com/2010/05/23/exchange2010-recovery-database/

http://msexchangeguru.com/2009/07/12/exchange-database-recovery-using-eseutil-commands/

http://blogs.perficient.com/microsoft/2011/02/working-with-exchange-2010-recovery-databases-2/

The problem with exporting mail from a recovery database is the fact that you CAN'T!!

You have to restore the mailbox from the recovery database to a temp mailbox on the production database, THEN you can use the cmdlet "New-MailboxExportRequest" to export the mail to PST.

There is an explanation within the last web page regarding the cmdlet used to restore mail from the recovery mailbox to the production investigation mailbox which I've pasted below and highlighted important parts:

Restore-Mailbox -RecoveryMailbox "1234, test" -Identity ex2010 -RecoveryDatabase RecoveryDatabase -TargetFolder "RecoveredItems" -StartDate 1/1/2010 -EndDate 12/31/2010

A few things to note about the command above:

First off, the source and target mailboxes can get a little confusing. Think of the Recovery-Mailbox as the source mailbox, and the Identity mailbox as the target mailbox. When entering my command, the contents of test1234 residing in the recovery database were restored to a subfolder called RecoveredItems in the mailbox called ex2010.

Second, the Recovery-Mailbox switch only accepts the Display Name of your source mailbox. Using the Exchange Alias will not work. If you try to use anything other than Display Name you will receive an error similar to the following:

Mailbox “test1234” doesn’t exist on database “RecoveryDatabase”

Believe me, this will frustrate you because you will see the mailbox definitely exists if you use the Get-MailboxStatistics command. Microsoft does not document the fact that the Restore-Mailbox switch only accepts Display Name very well so hopefully this will save you some time.

Once you have the hang of the procedure, it becomes easier to restore data as long as your backup is OK.
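The whole procedure from this post in one Exchange Management Shell session, as an added example that is not from the original post or the linked articles. "RecoveryDatabase", "ex2010", "RecoveredItems" and the display name come from the command above; the server name EX01, the .edb file name, the E00 log prefix and the PST share are placeholders.

```powershell
# Added example: recovery database -> temp mailbox -> PST.
$edb  = 'X:\Recovery\Database\MailboxDB.edb'   # placeholder file name
$logs = 'X:\Recovery\Logs'

# 1. Check the copied database header; replay the logs if it was not shut down cleanly
$state = eseutil /mh $edb | Select-String 'State:'
if ("$state" -match 'Dirty Shutdown') {
    eseutil /r E00 /l $logs /d (Split-Path $edb)   # E00 = assumed log prefix
}

# 2. Register the copied files as a recovery database and mount it
New-MailboxDatabase -Recovery -Name RecoveryDatabase -Server EX01 `
    -EdbFilePath $edb -LogFolderPath $logs
Mount-Database RecoveryDatabase

# 3. List what is inside; the DisplayName column is the value that
#    Restore-Mailbox -RecoveryMailbox expects
Get-MailboxStatistics -Database RecoveryDatabase |
    Select-Object DisplayName, ItemCount, TotalItemSize

# 4. Restore into a subfolder of the temp production mailbox
Restore-Mailbox -RecoveryMailbox '1234, test' -Identity ex2010 `
    -RecoveryDatabase RecoveryDatabase -TargetFolder 'RecoveredItems'

# 5. Export only the restored folder to PST. The account running this needs
#    the "Mailbox Import Export" role, and -FilePath must be a UNC path.
New-MailboxExportRequest -Mailbox ex2010 -SourceRootFolder 'RecoveredItems' `
    -FilePath '\\EX01\PST\test1234.pst'
Get-MailboxExportRequest | Get-MailboxExportRequestStatistics

# 6. Clean up once the export has completed (the files under X:\Recovery stay on disk)
Dismount-Database RecoveryDatabase -Confirm:$false
Remove-MailboxDatabase RecoveryDatabase -Confirm:$false
```

The PST holds a full copy of the user's mail, so restrict the export share to the people handling the recovery and remove the role assignment and the temp mailbox content afterwards.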

-Fr33ze

Wednesday, 27 May 2015

Office 365, Primary Email Address and Alias Email Addresses


We have a new client who we are moving to Office 365. As part of the setup I have used DirSync to move their usernames to Office 365, and I had run into an issue where I pretty much couldn't change anything because it was synced with AD.  Well ok so what????

I decided to google away and found a couple of articles that I assume just scratch the surface of AD, DirSync and Office 365.

http://community.spiceworks.com/topic/410677-office-365-w-ad-sync-primary-email-address-woes

http://enterpriseit.co/office365/create-email-alias-dirsync/

The above articles explain using the proxyAddresses attribute within AD to add aliases to email accounts within Office 365.

Basically you add the email addresses to the proxyAddresses attribute in this format:

SMTP:main_email_address@company.com
smtp:alias@company.com
smtp:another_alias@company.com

Note:  Using upper case SMTP denotes Default Reply address.
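Because the only difference between the reply address and an alias is the case of the prefix, it is worth validating the list before writing it to AD. The following is an added example, not from the original post or the linked articles; the function name and the user "jsmith" are hypothetical, and Set-ADUser comes from the ActiveDirectory module.

```powershell
# Added example: validate a proxyAddresses list, then write it to AD.
function Test-ProxyAddressList {
    param([Parameter(Mandatory=$true)][string[]]$Addresses)

    $problems = @()

    # Case-sensitive match: upper-case "SMTP:" marks the default reply address
    $primary = @($Addresses | Where-Object { $_ -cmatch '^SMTP:' })
    if ($primary.Count -ne 1) {
        $problems += "Expected exactly one upper-case SMTP: entry, found $($primary.Count)"
    }

    # Basic shape check on every SMTP entry (either case)
    foreach ($a in $Addresses) {
        if ($a -match '^smtp:' -and $a -notmatch '^smtp:[^@\s]+@[^@\s]+\.[^@\s]+$') {
            $problems += "Malformed SMTP address: $a"
        }
    }

    # The same address listed twice, e.g. once as SMTP: and once as smtp:
    $dupes = $Addresses | Group-Object { $_.ToLower() } | Where-Object { $_.Count -gt 1 }
    foreach ($d in $dupes) { $problems += "Duplicate entry: $($d.Name)" }

    $problems
}

# Sample list in the format shown above
$new = @(
    'SMTP:main_email_address@company.com',
    'smtp:alias@company.com',
    'smtp:another_alias@company.com'
)

$problems = @(Test-ProxyAddressList -Addresses $new)
if ($problems.Count -eq 0) {
    Import-Module ActiveDirectory
    # -Replace overwrites the whole attribute, so $new must hold every address to keep
    Set-ADUser -Identity 'jsmith' -Replace @{ proxyAddresses = $new }
} else {
    $problems | ForEach-Object { Write-Warning $_ }
}
```

The change reaches Office 365 on the next DirSync cycle.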

-Fr33ze

Thursday, 30 April 2015

Changing networks from Public to Private.

I was trying to access a Windows Server 2012 R2 box from behind an IPSEC VPN and I thought that was going to be hard, but it turns out the hardest thing was trying to make this standalone server change its network profile from Public to Private.

In the end I followed this guide, specifically "Option 4". The only thing to remember is to restart the computer.

-Fr33ze