Category Archives: Random Bits

Cannot browse network neighborhood under Windows 10 Fall Creators update 1709 and newer

Once again, Microsoft has thrown a monkey wrench into the operation of how your network neighborhood (or “Network”) item under Windows 10 works.

I had previously created this blog post which addressed the initial issues with Windows 10 not allowing the Network to show a list of all your local computers.

Well, due to the Fall Creators update and versions 1709 and later, Microsoft has moved even further to stop the use (and functionality) of the Network icon inside windows explorer.

Microsoft has completely disabled (and removed) SMBv1 in Windows 10 (and modern Windows Server 2016) starting with the FALL CREATORS UPDATE build 1709 and later.   This in-effect completely disables the ability for your NETWORK item in Windows Explorer to populate a list of your local network computers.

I manage several small networks and it is EXTREMELY helpful to be able to browse a list of all the local computers.

To fix this issue, go to WINDOWS FEATURES (just use Cortana and type in windows features), expand SMB 1.0/CIFS File Sharing Support

CHECK: SMB 1.0/CIFS CLIENT and SERVER

click OK

it will prompt you to reboot

when you’ve rebooted, go to windows file explorer and click on NETWORK.  you may need to hit the refresh icon, but it should pull the list of all local PC’s and magically your network neighborhood will now work!

 

**Note: if you try this and it still doesn’t work, make sure you do the registry entry on my prior blog post (link at the top of this post).  You will need to add that registry key and reboot.

 

1080p HDTV as second monitor display blinks on and off while watching video

I have a second monitor which is a Philips 1080p 40 inch TV (that I switch the HDMI inputs to alternate between cable and a second monitor).

When I play streaming video from YouTube on the monitor, the display blinks on and off continuously.  This does NOT happen when using the Philips for TEXT displays (outlook, explorer, etc.)

The fix is easy.

First, make sure your second monitor (HDTV) is in “PC” mode. (This is not the fix in itself).

Secondly, I have the most current NVIDIA drivers installed.

Go to NVIDIA CONTROL PANEL (right click on an empty desktop)

Click ADJUST DESKTOP COLOR SETTINGS

click on your secondary monitor name (in my case, PHILIPS)

You will see a dropdown box appear.

Set “content reported to the desktop” to “Desktop Programs”.

 

That’s it.

Your secondary monitor should now be rock stable while watching videos.

 

let me know if this helped you!

Adding DKIM records to Kerio Connect

If you want to implement DKIM (signed email) to your Kerio Connect setup, here’s the easy way.

Start by reading these links

Kerio link 1

Kerio link 2

The following setup is for Kerio Connect 9.x, and Windows Server 201X DNS server

  1. Make sure your email server is properly connected to a good public DNS server, such as Google (8.8.8.8 and 8.8.4.4.)
  2. Go to Kerio Connect, Configuration, Domains.
  3. Click SHOW PUBLIC KEY and copy it.
  4. paste it into notepad.  We’ll need to rework it a bit to be compatible with Windows DNS.  Note:  Windows DNS limits the length of one single string of characters, so we’ll need to split it into several lines.
  5. Reformat it like this.  Break it into even lines, around 100 characters each.  The exact length doesn’t matter.  Just do it evenly, hit enter at each breakpoint.
  6.  NOTE:  make SURE there is a SPACE between the semicolon and the p
    1. as in v=DKIM1; p=xxxx
  7. example properly reformatted
  8. Copy this reformatted string
  9. Go to the domain in your Windows DNS server.  For example, if your domain is mydomain.com go to that domain in the DNS Server management console.
  10. right click, other records, add TXT record
  11. Record name is:  mail._domainkey
  12. after you enter that, you will see the FQDN look like this:
    1. mail._domainkey.mydomain.com
  13. Paste the string from #7 above into the text box, as-is.
  14. Hit ok and save that change.
  15. repeat this for any other domain.  On Kerio Connect, all the domains on the one email server use the exact same DKIM keys.
  16. Now we are going to test the DKIM record to make sure it can be properly read.
    1. go to https://mxtoolbox.com/
    2. type in your domain
    3. hit check MX
    4. when that completes (successfully), change the drop down to “DKIM Lookup”
      1. type in your full DKIM string:
      2. mail._domainkey.mydomain.com.
    5. Run the DKIM Lookup
    6. You should see a successful test, and your report should look just like this:
    7. if it doesn’t look like this, then you did something wrong with your TXT record creation, or you forgot to put the entire DKIM key in the lookup.
    8. Since all is well, proceed.
  17. next, go back to Kerio Connect.
  18. while still on the domain, check the checkbox to enable DKIM
  19. If the DNS on your email server is setup properly, and it is communicating properly to your DNS server, you should see the box above.
    1. If you see a message “DKIM public key not found in public DNS”
    2. try restarting KMS
    3. Try going to a command prompt and ipconfig /flushdns
  20. Presuming that you do see the proper message in #18 above, we now need to do a test email to verify everything is working.
  21. Go to http://www.appmaildev.com/en/dkim
  22. click next step
  23. the site will generate an email address
  24. copy this email address and send a blank email to that address FROM AN EMAIL ACCOUNT ON THE DOMAIN you setup with DKIM above.
  25. Wait for the site to receive the email and generate it’s report (a few seconds)
  26. you should see DKIM = PASS

 

While you’re at it, don’t forget to create SPF and DMARC records for your domain to cover all the bases.

 

Proper DNS configuration for iPhone and Exchange Autodiscover

In order to get Autodiscover to work properly on your iPhone when doing an “Exchange” setup, you need the correct DNS records.

**note: I am assuming you already have a proper SSL cert on your email server, have the correct ports opened (80, 443m 587) and you KNOW your email server is working properly.  You’ll also need a standard MX record that points at your server.

 

Additional DNS records needed to make autodiscover work on an iPhone:

Create an SRV record with the following settings (on each domain you want autodiscover to work)

Service:  _autodiscover

Protocol: _tcp

domain: your domain (this should be prefilled under windows server when setting up the SRV record)

Priority: 0

Weight: 5

Port: 443

Target:  the mx record name for your server, for example, mail.yourdomain.com  (this MUST match the MX record name)

 

One more record needed:

Create an A record called autodiscover and point it to the same IP as your MX record IP address.

 

** at this point you are at the mercy of the public DNS servers expiring their cache and catching the new records.

 

iPhone Setup

on your iPhone, add email account, pick Exchange

type in the email address and password.  description (whatever you want here)

hit Next

At this point, one of two things may happen:

  1. you may get a server warning message.  if you do, click CONTINUE
    1. when you do that you (should) go right to the “Exchange” screen in #2 below.
  2. you may go directly to the “Exchange” screen with radio boxes for mail, contacts etc.

If you get the dreaded “server name” screen instead, this means your phone is not picking up the most current DNS settings.

Try it again later…

These settings have been tested and confirmed, so it does work – but like I said you have to wait for the DNS settings to get updated by whatever DNS server you are using.  If you have your TTL set very high (hours or a day) you may have to wait a day for this to work.

 

TEST YOUR AUTODISCOVER SETUP:

https://testconnectivity.microsoft.com

go to the above URL and run the “Outlook Autodiscover” test.

You’ll need to enter in an actual mailbox account username and password, but it will fully test your setup and verify that autodiscover is properly setup.

 

Quick Migration of Windows Server 2008 R2 Hyper-V to Windows Server 2012 or 2016

Here are the proven and tested steps for migrating from Windows Server 2008 R2 to Windows Server 2012 or 2016.  Note:  You cannot IMPORT a VM from 2008 R2 into 2012 or 2016, so you have to do the whole process manually.  That’s the reason for this post.

  1. log into the existing 2008 R2 virtual machine and note the following
    1. memory and CPU config
    2. IP addressing information (you need all the IP information, static IP’s etc.)
  2. Shut down the 2008 R2 virtual machine
  3. copy the VHD from the 2008 R2 virtual machine to the new host.
  4. On the new host open Hyper-V manager
    1. Edit disk
    2. select the VHD
    3. CONVERT to VHDX
    4. this will take a while
  5. When that completes, create a new VM
    1. DO NOT attach the hard drive.  Select “add a HD later”.  (I have seen issues with attaching the hard drive as part of the setup here, so I skip it and do it separate)
    2. Generation 1 VM
    3. set the memory and CPU configs
    4. complete the VM creation
    5. edit the VM and attach the VHDX file as IDE 0 master
  6. Using the Hyper-V remote control interface (by double clicking on a VM)
  7. Start the new VM
  8. boot into windows
  9. while on the desktop, after ~15-60 seconds you might see a “REBOOT” notification after changes are made to the OS.  If you get this notification, go ahead and reboot.  Otherwise, continue on.
  10. at this point in the Hyper-V manager, you need to double click on the VM and remotely control it through the Hyper-V manager
  11. while you are logged into the VM as administrator and at the desktop, insert the Hyper-V integration tools disc and upgrade the Hyper-V tools
  12. reboot when that completes
  13. log in again to the machine through the Hyper-V remote control interface
  14. edit the network adapter properties and set it exactly as it was before.
    1. Note:  During this whole process your OLD NIC will be hidden (because it’s gone now) and you will be given a new NIC and it will be in DHCP mode from the start.
    2. you will need to edit that new NIC and put in the correct static TCP/IP information if applicable to your setup.
    3. ALL OTHER settings (machine name, IIS, DNS, etc.) will retain fine.  Just edit the NIC and config the NIC the same way it was on the old VM

 

All done!

Migrate Symantec Backup Exec 2015 14.2 to new server with a DIFFERENT name

I have used this procedure to successfully migrate an installation of BUE 2015 ver. 14.2 to a new server, with a different machine name.  If you are moving things from the old machine to the new machine and they both have the same names, see my post here and use that instead.

I used this procedure for a client who was ONLY using local disk based backups, but this will also work for tape/other device backups as well.

First, download this document.  It contains most of the steps, with the additions/changes below.

Using the PDF document from above:

  1. Setup the new server.  Patch it up to date through Windows updates.  Join it to the domain.  Make sure the machine name is correct (what you want it to be going forward)
  2. Install BUE onto the new server.
    1. This is SECTION 3 of the PDF, “Install Backup Exec on the Destination Computer”
  3. Make sure both the old BUE server and the new BUE server have the exact same
    1. Software version, BUE 2015 / 14.2 (etc.)
    2. Patches.
      1. Run live update on both machines and make 100% sure both have the same version and hotfixes
  4. Perform step #1 in the PDF, “Obtain information about the current Backup Exec installation”
  5. Perform step #2 in the PDF, “Move Backup Exec data to a temporary location”
    1. Note:  it’s up to you if you want to copy directly from the old server to the new server.  I directly copied things over the lan from the old machine to the new machine and left the old machine intact.
  6. Skip step #3 (already done above)
  7. Start step #4 “Move Backup Exec data from temporary location to the destination…”  NOTE:  Stop after 4.3.  Do not proceed yet.
    1. Complete steps 4.1, 4.2 and 4.3
  8. In our case, this client was using a disk based backup strategy.  At this point, we shut down the old server, shut down the new server, and installed the 3tb hard drive from the old server into the new server.
    1. we also made sure the DRIVE LETTER was the same on the new server for this drive as it was on the old server (after startup)
  9. On the new server, go to the BUE path:
    1. C:\Program Files\Symantec\Backup Exec\Catalogs
    2. You will see the copied over files from your old server.
    3. You need to make a COPY of the folder name from your old server and copy that folder (and contents) into the same “Catalogs” directory, but renamed for the new BUE server name.
      1. For example, if your catalogs folder contains a folder BACKUPSERVER1 (and within that folder are many files), create a new folder named for the NEW server name (whatever that is) and copy all the FILES and FOLDERS from within the BACKUPSERVER1 folder, to the new folder.
      2. You will now have to folders now, one named for the old machine and one for the new machine, each with identical contents
  10. On the new server, do this procedure:
    open a command prompt as administrator and enter the following pressing the ENTER key after each line:
    
    osql -E -S .\BKUPEXEC
    
    1>use bedb
    
    2>go
    
    1>SELECT partitionname FROM datapartition
    
    2>go
    
    *At this point, the old server-name should be listed
    
    1>UPDATE DataPartition SET PartitionName="new-server-name" WHERE PartitionID =0
    
    2>Go
    
    * # of rows affected should be listed To verify the change took place; run the original commands:
    
    1>SELECT partitionname FROM datapartition
    
    2>Go
    
    *At this point the new server-name should be listed
  11. At this point, RESTART the new server
  12. When it boots back up, login and launch BUE
  13. if all went well you should be ready to go.

Migrate Symantec Backup Exec 2015 14.2 to new server with same name

The process of moving BUE 2015/14.2 to a new server with the exact same name as the old server is pretty straightforward (but very long).

The entire procedure is in this PDF which I have tried and it works fine.

If you are moving to a new server with a different name, please use this post instead.

Notes:

  1. Setup the new server.  Install the same version of BUE, and run all LIVEUPDATES –on both the old and new servers.  Verify that both servers are on the exact same version and updates.
  2. follow the PDF as is
  3. Note:  Before step 4 in the PDF, if you are moving hardware, like a tape storage unit, disk based backups (to a local drive on the old server, etc.), you need to install that hardware prior to step 4.
    1. in our case we were moving a 3tb hard drive of disk based backups.  Prior to step 4, we shutdown both servers.  Removed the hard drive from the old server, moved it to the new server.  Started up the new server and made sure the drive letter for the drive was the SAME as on the old server.
    2. If you are using other hardware, you need to go ahead an install that onto the new server prior to completing step 4.
  4. If all goes well you should be fine.

 

Solution for Windows cross-subnet browsing issue in mid-2016

**NOTE: as of 12/2017 and the Fall Creator’s Update builds 1709 and later, Microsoft has again broken the functionality of the “Network” (Network Neighborhood) item inside Windows Explorer.  You will probably need to do both add the registry key below, as well as follow the directions in my new post, here.

=========

Hello all-

this is a follow-up to my original post in which I discussed how to setup cross-subnet browsing so that all computers come up in “Network” or “Network Neighborhood”.

For the last few months, my “Network” browse list has disappeared and would ONLY show computers from my LAN subnet.  My remote (VPN-to-VPN) network subnet disappeared from my “Network” computer list.

After >>MUCH<< research I have found the problem and will present the solution.

The problem is due to the Microsoft Windows Update (for both desktop and server OS’s) KB3161949  (read about it here).

Part of the effect of this update was to “harden” the NETBIOS service and prevent NETBIOS data from being sent between subnets.

 

THE SOLUTION:

Two ways of handling this.

  1. You can remove this specific hotfix
  2. You can add a registry setting to override it.

(YOUR CHOICE)

To REMOVE the hotfix:

On SERVERS:  Go to Control Panel, Uninstall a program, View Installed Updates… Remove 3161949.  You’ll need to reboot.  After rebooting, go check for windows updates again (MANUALLY)  3161949 will pop up.  Right click and HIDE UPDATE.

On Desktops:  Same process as above – HOWEVER – Depending on which version of windows, which OS Rollup you are on, 3161949 might not show up.  If you cannot remove 3161949, simply add the registry key below.

–OPTIONAL METHOD–

Involves a registry key addition, then you need to reboot the machine.

SUBKEY: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NetBT\Parameters
Value Name: AllowNBToInternet
Type: Dword
Value: 1

 

** REMEMBER TO REBOOT after you do either the uninstall or registry key.

** It will take 5-60 minutes for the Network browse lists to refresh

*** MOST IMPORTANT ***

You MUST do this on your domain servers (Master Browsers) on each side of the subnet.  For example, I have for domain servers, two on each side.  I did this procedure on both, then rebooted all four domain servers.

Then I did this on my Windows 10 Pro workstation (via registry key) and rebooted.

When I checked my computer 30 minutes later, all machines were showing up in the browse list under “Network” in Windows 10.

** ADDITIONAL NOTE:  Just for the heck of it, you might as while put that registry key onto all your domain servers.  Even though I had uninstalled 3161949 from all 4 of my domain servers (and hidden that update), one of my DC’s re-applied that patch and rebooted, thereby messing up my Network list again.  So I just went and put that reg key onto all 4 DC’s just in case they get that update somehow in the future.

** NOTE: Do this at your own risk.  I’m not responsible for your network security.  You have to make the decision on what’s more important to you here.  Being able to see the entire cross-subnet network, or security.  I can’t speak as to how this increases or decreases your security risk.

Let me know if any questions…

Kerio Mailserver CSR generation and import of SSL Cert

This is the entire process from CSR generation to installing the CRT with all trusted intermediate certs so that your connection is a good as possible.

The primary reason for this article is due to issues that Google Gmail has with remote POP mail checking if the SSL and all Intermediate Certs aren’t installed.

Note: This applicable for Kerio Mailserver 6.X and earlier.  I cannot verify if it 100% works with 7.0 or newer.

Generating the new CSR Certificate Signing Request from Kerio

  1. download the Kerio SSL tool here
  2. extract that file to a new directory off your C:\ root, something easy like “C:\SSL”
  3. inside the Kerio interface, go to the SSL Certs config page and
  4. New->New Certificate Request
  5. complete it and make sure your hostname is your full domain name to be protected by the SSL, eg “mail.yourdomainname.com”
  6. save this file into the new directory above.
  7. Run the following command from a command line.  Feel free to change the bits if needed.  We only use 4096
    1. openssl genrsa -out server.key 4096
    2. This will output a file called “server.key”
  8. Run the following command:
    1. openssl req -new -days 365 -key server.key -out server.csr -config openssl.cfg
  9. That will generate a file called “server.csr”. You will need this for Godaddy, Comodo or wherever you get the SSL cert

 

Buy a new SSL and use the “server.csr” file to process it.

 

Handling the installation of your new CRT and installing intermediate keys as well.

  1. extract the zip file with your new CRT file into the directory above
  2. you will need to locate and download the “intermediate certificates” for your SSL if they do not already come inside the zip file.  In my case, we had an “Comodo Instant SSL” and inside it there was our domain CRT file and a second file “mail_mydomainname_com.ca-bundle”.  I used the contents of this “ca-bundle” file for my needs.
  3. using a text editor like “Ultraedit” or “Notepad++”  (NOTE: DON’T USE NOTEPAD., open the .CRT file.
  4. Copy it
  5. paste it into a new blank document
  6. open the additional file(s)
  7. Paste them directly below your .CRT file text, into the text file.  If there is more than one past them back to back to back in the file.  Note: your domain CRT must be the first one, followed by the Int. certs.
  8.  Save the file.  Call it something mydomainname with extras.CRT
  9. open Kerio
  10. SSL Certs
  11. Import New Cert
  12. first it will ask for the KEY file you generated in the first section above.  locate that file and open it
  13. second it will be looking for our new combined CRT file that we just did in this section above.
  14. once it imports, select the new cert as the active cert
  15. restart kerio mailserver
  16. go to this site and run a test on your domainname.
  17. if you’ve done everything properly, you should have all “Green Checkmarks” and a clean bill of health on your domain name.

 

PFSENSE 2.3 PPTP VPN passthru workaround

PFSense 2.3.x and up have removed the PPTP tab, and PPTP passthru options.  This is because PPTP has been depreciated and it not considered 100% safe anymore.

For those of you still in need of using PPTP passthru to allow Windows VPN remote users into your LAN, here is the easy workaround.

  1. Firewall, NAT, Port forward.
    1. add port forward from WAN (presumably your outside interface name)
      1. TCP
      2. WAN ADDRESS
      3. DEST PORT RANGE=PPTP 1723
      4. REDIRECT TARGET IP=the internal IP of your Windows RRAS server.
      5. REDIRECT TARGET PORT=1723
      6. Allow it to ADD ASSOCIATED FILTER RULE for this entry
      7. SAVE
    2. add another rule, exactly the same as above EXCEPT for GRE.  All the same settings, but use GRE
  2. Once that is complete, go look at your WAN firewall rules.  You should have two new auto-created rules.  One for PPTP and one for GRE.
  3.  Remote users should now be able to connect just fine through PFSENSE 2.3.x into your Windows RRAS server.

Remember, using PPTP in 2016 is considered a risk, so do it at your own risk.  Please consider moving towards a newer VPN standard with better security.

1 2 3 4