wullxz's questions

We're having some IPSec connection problems that seem connected to the UDP checksum beeing (incorrectly) set with some ISPs.
To investigate further, I want to reproduce the error within a controlled environment.
Now, I do not know what the ISP does exactly so I'd like to manipulate UDP packets directly to reproduce a given scenario (UDP checksum missing, set correctly and set incorrectly).

The client: A linux machine with some tools (perl, iptables, gnu tools, bash, tcpdump)
The server: A freeBSD based machine with almost no tools (bash, pf, tcpdump)

I want to test how the server reacts with different UDP checksum situations.
Since it doesn't have much tools, I figured the easiest way to reproduce these situations would be from the linux client.
I know there is the possibility to set the UDP checksum using the mangle table.
That only allows me to correctly set the UDP checksum.

How do I forge the UDP checksum of packets to be either nonexistent, correctly set or incorrectly set?

Any ideas on how to reproduce these scenarios - maybe in a different way - are also welcome in the comments.

I configured server side profiles using GPO (User Configuration\Policies\Windows-Settings\Folder Redirection) and that works fine.

My Setup:
Redirected Folders reside in \\servername\Users$\.
Server is a Windows Server 2012 R2 Essentials.
Clients are Windows 10 Professional x64.
The GPO object is linked to the Computers and the Users OU.
In security filtering I added the users group that have folder redirection enabled and the domain computers group.
I also made sure, using rsop.msc, that the computer policies are distributed to the computer that I'm testing this on atm.

My problem is, that those folders aren't cached at all and are sometimes not available during a network hickup or something.

I tried making those folders offline available using GPO but didn't succeed yet. These are the settings I'm trying atm:

In Computer Configuration\Policies\Administrative Templates\Network\Offline Folders I have set up:

• Sync all files before logoff: active
• Enable Backgroundsync: active with default values
• Configure slow-link mode: active with "Valuename" set to \\servername\Users$\* and "Value" set to "Latency=1"

I hope I translated all of them correctly as I'm on a german server with german GPO.

Is that all that has to be done to enable folder redirection with local caches?

I have a Xubuntu 14.04 Server here that runs xrdp to have a couple of users connect to it.
Now there's one problem: users who access this server via RDP from Windows thin clients often use the "X" to close the RDP session (therefore disconnect but not logout).

I know there are some options in sesman.ini to deal with that kind of behaviour, but as the manpage says, those options are currently ignored (and have been for years).
The options which would solve my problems are:
KillDisconnected
DisconnectedTimeLimit
IdleTimeLimit

Now I need to hack something that deals with disconnected sessions. My first thought was to just kill all remote users who are disconnected - but I don't know how to get that information which sessions are disconnected.

So... how do I find disconnected sessions?
Or: is there already any preferred way to deal with disconnected sessions?

We're running an openvpn server and let some clients connect to the vpn server through a socks proxy. This already works.

Our problem is now, that we need to change the ip address of our proxy frequently (once every 2 - 3 days) and can't deliver the ip address via dynamic DNS. We can still fetch an ip address on linux with wget for example and that's what I'd like to do automatically because there are too many clients to update them manually every time.

I've read that there is a --client-connect directive that runs a script before it connects. IIRC, the proxy ip has to be written in the config file and would already be read when the client-connect script is run.

How do I update my proxy ip each time a connection is opened? Preferably without third party tools (portable binaries or scripts are ok).

(I need a solution for windows, linux and mac but I'm okay with one solution for each platform.)

We're running OpenVPN AS servers which are accessable and working over a public IP. But some of our clients aren't allowed to access our VPN server directly (because of some nasty firewall admin - don't ask...). To bypass that problem, we've come up with a setup that will create a gateway in a virtual environment which will do a simple NAT to forward all incomming connections to our VPN server.

NAT is working properly (tcpdump on the server shows the same packets that were leaving our gateway). Our current iptables roules are (INPUT, FORWARD and OUTPUT are set to ACCEPT by default):

iptables -t nat -A PREROUTING -p udp --dport 1194 -j DNAT --to-destination $vpn_srv
iptables -t nat -A POSTROUTING -j MASQUERADE

I know that there might be some further configuration need but as long as the VPN server isn't responding to the packets he surely receives, there's no need for us to enhance the rules.

Every time a packet arrives at the VPN server, the server produces following log output:

2012-12-31 13:03:29+0000 [-] OVPN 1 OUT: 'Mon Dec 31 13:03:29 2012 TLS Error: incoming packet authentication failed from 123.123.123.123:35077'
2012-12-31 13:03:31+0000 [-] OVPN 1 OUT: 'Mon Dec 31 13:03:31 2012 Authenticate/Decrypt packet error: packet HMAC authentication failed'

So I suppose that we need to tell the VPN server to accept and reply to forwarded packets from this host. How do we do that?

Note: All servers (VPN server and NAT Gateway) are public.

Edit:
No Ideas? I know that it's possible to run an OpenVPN server behind a firewall (simple NAT as in any home network). How is my setup different from that one?

Edit (10.01.2013):
We would try any solution that allows us to forward the vpn traffic from a "gateway" to our vpn server. Preferably using an encryption because it seems that the firewall scans for specific vpn pakets which will be dumped.

I downloaded the pem file on my Windows machine and I am able to connect to my instance with the puttygen generated ppk file (which has a public and a private key in it). I copied the pem file over onto a linux box and tried ssh -i pemfile.pem [email protected] -v but ssh is asking me for a password. The debug output (-v) is as follows:

debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: publickey
debug1: Trying private key: /home/w/jpgate.pem
debug1: read PEM private key done: type RSA
debug1: Authentications that can continue: publickey,password
debug1: Next authentication method: password
[email protected]'s password:

So I suppose I need a public key, right? How do I get the public key on linux? Why does every tutorial tell that I only need to ssh -i key.pem [email protected]?

I need to test whether an OpenVPN Service (ssl-vpn) is listening on a specific IP address and port from a linux box. I'd like to do that with a bash script or some code in python or c/c++ but that's not the problem - I can implement it as soon as I know how UDP works here.

My problem is: the VPN service on the remote machine is configured to use UDP and since UDP isn't a protocoll that supports connections like TCP I assume that any answer to a message/package that I sent to the remote machine is answered to another port on my local machine.

I know netcat but obviously I won't receive an answer using the connectionless UDP protocoll, so checking with nc -u ip port won't work.

So, how do I check if VPN is really up and running behind an IP address and port.

Edit:
Is it possible to emulate the VPN with a bash script? Something like connecting with a HELO like in SMTP and checking if the VPN server sent an answer back? I'd know how this works with tcp but I have no clue how to do that with UDP.

Edit2:
I just found this answer. So, how do I listen to ICMP packages that should be answered when the remote server isn't available? Is that possible with bash/python/c/c++ or netcat? How do I know if the server is there, listening to requests (there shouldn't be an ICMP response then, right?)?

One of our clients accidently moved a public folder into a public addressbook. Sadly, it's not possible to move that folder back and there is no database-level backup of the exchange (a new message is opening when we try to drag and drop the folder back to its old place).

The exchange server is a small business server 2008 with exchange 2007.

This is how it looks now:

Any Idea how we can get this public folder back?

no ideas?

We're using the Small Business Server Backup that comes with SBS 2008 to backup all drives to an iomega iSCSI-Target. The Backup works fine and everything is shown as successfully backed up.

But the exchange-logs in C:\Program Files\Microsoft\Exchange Server\Mailbox\First Storage Group and C:\Program Files\Microsoft\Exchange Server\Mailbox\Second Storage Group aren't flushed.

What could cause this behaviour?

We're running CA ARCserve Backup r12.5 (Build 5854) - Small Business Server Edition on our Small Business Server 2008. There is a daily job which saves the systemdrive, exchange and 3 databases to our backup storage.

It seems like this daily job creates these additional jobs every time it runs. I don't know why it's doing this. Can anybody tell me why this is happening?

(I'm sorry this screenshot is in german... "Ergänzungsjob" means something like "extensionjob" or "additionjob")

Edit:
Forgot to tell you:
This job is configured to do a full backup. There is no rotation configured.

I have one Windows Small Business Server 2008 with his system-event-log flooded with eventid 10009 and source DCOM. DCOM works perfectly with every single machine in the network except the iomega storage. I don't know if the iomega storage should be able to process DCOM requests, but if not, there must be any way to prevent SBS 2008 from contacting the storage via DCOM.

Any ideas or clarifications?

Update:

The iomega-storage is part of the Domain (it's added to Domain-Computers in AD). I would really like to eliminate that error. I'd be thankfull for each hint that leads me to the right direction.

We have following situation:

• SBS 2008 that runs Exchange 2007 (built in)
• Several mailboxes on that SBS
• One user that uses a hosted exchange mailbox because the user needs Blackberry-services that we host in our datacenter (exchange-2007)
• That single user has a different maildomain as the other users on the local SBS

Now, if that single user with the hosted mailbox is in the internal network, he permanently gets the username and password-dialog from remote.local-sbs-domain.local. I think Outlook does that because it looks for autodiscover in the local network first.

So, I need to get autodiscover running for internal users and that single external user (because of Out-Of-Office-Assistant, Calendar and so on). Is it possible to tell the SBS to redirect the autodiscover-request for that external hosted domain?

We have several view-desktops and I need a script to be performed once on all desktops. Sadly, WMI is disabled. These desktop are all running Windows XP SP3

I thought I read about the possibility to execute commands in a guest-vm via VMwares PowerCLI. Can anyone confirm if that is possible or can even provide a link?

My admin-account in our Datacenter get's permanently locked and I have to unlock it again and again with our general Datacenter-Administrator. I want it to stop, but I don't know who locks my account and on which machine that happens.

We have several Server 2003, 2008 and 2008 R2 Servers in our Datacenter. Our 3 Domain Controllers are running 2 x Server 2008 and 1 x Server 2008 R2.

How can I track down from which client, on which Server my user get's permanently locked out?

Update: With LockOutStatus.exe I found out that last lockout time was 13:19. At this time, I have EventID 4771 logged on our DC. It tells me the Client-Address of one of our Terminal-Servers with Servicename "krbtgt/domain" Failure Code 0x18 and Pre-Authentication Type 2.

I looked for errors on that terminalserver but didn't found some Kerberos related. I did found GPO-related Errors on Systemlog of that terminalserver: EventID 1006 with ErrorCode 49. In fact I was logged on at this Terminalserver this time. But not tomorrow. This won't be the "root-error". Any thouhts what to do to find the problem?

Update / solved: There were 4 Sessions on a few servers where my user was logged on (but disconnected) using old-credentials. I used LockOutStatus.exe to find the time when my user was last locked. Then I looked at security logs and found an Event with ID 4771 which holds the client's IP that caused my user to lock out. I logged out the session, unlocked my user-account and waited for the next session/server to lock my user. I repeated that until my user didn't get locked out again.

Thanks to you for your good answers and tips :)

Environment:
WS 2008 R2 Terminalserver (we have 3 of them).
Client VPNs into Company Network and establishes a RDP-connection to one of the TS (load balancing).
Printer is a HP LaserJet 1200 and it's plugged in via USB at the client-machine (Win 7 32bit).
We installed the PCL 5 driver at the client. On the server, RDP Easy Print is used.
The printer has already been reinstalled.

When the client tries to print a list out of an application for value-added-taxes, it spools the printjob at the server. The printjob vanishes really quick at the server-print-queue. At the client, the print-job loads very slowly. It loads 1.44 MB out of about 12 MB and rests. After a (long) while, the job loaded 3 MB and prints the first page (out of about 10). After that, the job fails at the client.

Printing locally and out of other applications on the terminalserver works perfectly. But I can't say if there are other problems on the terminalserver with large documents because the above mentioned application is the only one that produces such big documents (anything other has maximal 2 sites).

I don't have any idea to solve this. I hope anyone can give me a few tips to solve this problem or find the problem.

Edit: If nobody has an idea, it would eventually help to know what you're doing to troubleshoot printing (over rdp). I'm open to any proposal.

I'm about to tune our autodiscover-config. For our main-domain it works perfectly. Now I'm about to add support for multiple domains.

In this article Jaap Wesselius describes how to add an additional virtual directory with an http-redirection to our main-domain-autodiscover-virtual-directory. He uses a 2nd IP-address for this but didn't mention why he is using a 2nd IP-address.

My question is: couldn't I just create a new virtual-directory in the default web site with the same IP for the redirect? What's the problem with it?

We're hosting several domains on our infrastructure, exchange and blackberry hosting included. Some of our clients have a direct vpn-connection into our datacenter because it's needed for their applications.
And this causes following problem:
Some Outlook clients connect to our exchange-server via direct mapi (tcp/ip - not via rpc over http) and that causes, that they can see every mail-address from other domains.

That's why we want to avoid users from connecting their clients directly via tcp/ip. They should only connect via rpc over http. Is there any whay to accomplish this without avoiding our BlackBerry Enterprise Server to connect to our exchange?

I read plenty of tutorials that describe how to install ADWS (ActiveDirectory Webservices) and Powershell. But I never saw any hint about installing ADWS on a SBS-2008 in order to work with Powershell and ActiveDirectory-module.

I know, that I should use the SBS-Console to manage users, but there are tasks where it could be good to use AD as database of users and computers to loop through them (e.g. remote-commands on all workstations, find out user-lastlogon-times etc).

Can anybody say, if it's ok (and supported?) to install AD-Powershell-Module and ADWS on a SBS-2008? Thanks

one client (it's allways the same client) has often problems with mapi sessions killed by the exchange server. The Application Eventlog on the exchange logs eventid 9646 with source MSExchangeIS:

Die MAPI-Sitzung '/o=xx/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=xxxx' hat die maximal zulässige Anzahl von 250 Objekten vom Typ 'objtMessage' überschritten.

The client has no eventlogs logged about this error.

I looked for installed Outlook Add-Ins and found the default add-ins from microsoft, an adobe pdf add-in (which I deactivated because it's not needed) and an "Octopus" plugin from telekom.

Octopus is a CTI-application that connects to Outlook. My guess is, that Octopus (or its add-in) causes this error because this client has over 1100 contacts.

My question is: how can I find out, which application/add-in causes this problem?

Edit: I already looked at eventid.net but nothing helped.

Edit2: Exchange-Cache-Mode is not used nor are there any shared folders / mailboxes open.