Archive for the ‘Documentation’ Category

Windows 2012 R2 and .Net 3.5 Features

I changed my CD/DVD drive letter after I installed Windows Server 2012 R2 and a couple of other features. Then, I wanted to install the .NET Framework 3.5 feature. It kept complaining about not being able to find the source. I had to set the new source location for it to install correctly.

From Server Manager, you add the role as you normally would until you get to the “Confirm installation selections” window:

Click the “Specify an alternate source path” link and for the path enter the location with the correct directory of your 2012 R2 installation source. Since I changed my drive letter to the Z drive, mine was as follows.

Z:\Sources\sxs

From here, it installed as it normally would.

Note: I also discovered that if you apply some updates and then need to add the .NET 3.5 Framework feature, you might need to uninstall one or two of the updates. In my case, I had to remove update 2966828. I used the method specified here: http://jim-zimmerman.com/?p=1381.

Uninstall/Install an Update from the Command Line – Windows Server 2012 R2

To list all installed updates:

c:\>wmic qfe list

To install an update:

c:\>wusa C:\somedirectory\someupdate1234567.msu

To uninstall an update:

c:\>wusa /uninstall /kb:1234567

Windows Group Policy to Run a Script with Privilege.

Sometimes you need to make a change to a lot of desktops, and you need to use an account with administrator-level privilege. The best way I found to do this, other than running a script that would make the changes remotely, was to add it to the startup script option in a Group Policy.

I wrote the script (and tested it, obviously), and saved it with the logon scripts so it would replicate to all the domain controllers.

Then, I identified a current policy and edited it. This is a Computer Configuration policy that causes the script to be run upon reboot. You want to change the properties (add your script/command) for:

Computer Configuration/Policies/Windows Settings/Scripts/Startup
Click Add…
Browse…
You can run the script from anywhere, but I chose the logon script directory for redundancy and efficiency.

This is where I stored the script and referenced:
\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Scripts\MyScript.cmd

Another option is to store the script with the policy, which might even be a better choice:
\\DOMAIN.LOCAL\SysVol\DOMAIN.LOCAL\Policies\{12345678-ABCD-1234-ABCD-123456789012}\Machine\Scripts\Startup

Once you’ve added the script, click Ok and close the Group Policy Management Editor.

CentOS 7 – Create encrypted partition

Note: This is to create a new partition that is encrypted. Do not do this on an existing partition, because you will lose all the data on the partition.

Note: I added a summarization to the end of this post to provide a bit more clarity about the volume names, etc.

Add the disk to the system and identify it. I used the following:
See if it is there already:

# fdisk -l

If not, scan for it on all your buses:

# echo "- - -" > /sys/class/scsi_host/host0/scan
# echo "- - -" > /sys/class/scsi_host/host1/scan
# echo "- - -" > /sys/class/scsi_host/host2/scan

Check again:

# fdisk -l

Create a volume:
Add the physical disk:

# pvcreate /dev/sdb

Create a volume group:

# vgcreate centos_test /dev/sdb

Activate the volume group:

# vgchange -a y centos_test

Create the volume:

# lvcreate -l 100%FREE -n test centos_test

Write random data to the partition. This is important when reusing a volume.

# shred -v --iterations=1 /dev/centos_test/test

Install cryptsetup:

# yum install cryptsetup

Initialize the volume and set the passphrase:

# cryptsetup --verbose --verify-passphrase luksFormat /dev/centos_test/test

Open the volume and set up the mapping. The last argument is the name the decrypted device gets under /dev/mapper:

# cryptsetup luksOpen /dev/centos_test/test test

Create the filesystem on the decrypted mapping, not on the logical volume itself (running mkfs against /dev/centos_test/test or /dev/mapper/centos_test-test would clobber the LUKS header you just created):

# mkfs.ext3 /dev/mapper/test

Mount it:

# mount /dev/mapper/test /mnt

Add the volume to be mounted at boot to the crypttab file. The first field is the mapping name, the second is the encrypted source device:
# vi /etc/crypttab

test /dev/centos_test/test none

Add the mount to the fstab, referencing the decrypted mapping:

# vi /etc/fstab

/dev/mapper/test /mnt ext3 defaults 1 2

Restore selinux context:

# /sbin/restorecon -v -R /mnt

I was not getting prompted for the passphrase at boot. So, I had to boot into single user mode. When I did, I was prompted for the passphrase and the partition mounted fine. I needed to remove the rhgb parameter from the kernel boot parameters to be prompted when booting into multi-user mode:

# cd /etc/default

Remove the rhgb parameter from kernel parameters.

# vi grub

I removed the rhgb parameter from this line:

GRUB_CMDLINE_LINUX="rd.lvm.lv=centos/swap vconsole.font=latarcyrheb-sun16 crashkernel=auto vconsole.keymap=us rd.lvm.lv=centos/root quiet"

Update grub with the new settings:

# grub2-mkconfig -o /boot/grub2/grub.cfg

When you reboot, you will be prompted for the passphrase you set during the cryptsetup luksFormat step.

# shutdown -r now

Here is a short summary. Pay particular attention to the luksOpen and mount commands and to the format of the crypttab and fstab files. Hopefully, these names will make it easier to keep straight:

# fdisk -l
# fdisk /dev/sdb
# shred -v --iterations=1 /dev/sdb
# pvcreate /dev/sdb
# vgcreate vgtest /dev/sdb
# vgchange -a y vgtest
# lvcreate -l 100%FREE -n lvtest vgtest
# shred -v --iterations=1 /dev/vgtest/lvtest
# cryptsetup --verbose --verify-passphrase luksFormat /dev/vgtest/lvtest
# cryptsetup luksOpen /dev/mapper/vgtest-lvtest lvtest
# mkfs -t ext4 /dev/mapper/lvtest
# mount /dev/mapper/lvtest /mnt

# vi /etc/crypttab

lvtest /dev/mapper/vgtest-lvtest none

# vi /etc/fstab

/dev/mapper/lvtest /mnt ext4 defaults 1 2
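The walkthrough and the summary above each juggle three objects with similar names: the LVM logical volume (/dev/vgtest/lvtest, which LVM also exposes as /dev/mapper/vgtest-lvtest), the LUKS container living on it, and the decrypted mapping that luksOpen creates (/dev/mapper/lvtest). Getting the names crossed is the one mistake that silently defeats the encryption, because fstab then mounts, or mkfs formats, the raw volume instead of the mapping. The following script is an added example, not part of the original post; it checks that a crypttab and an fstab are wired to each other the way the summary shows. The file paths, the sample entries it writes, and the check names MISSING, RAW and COLLISION are all constructed for the example.

```shell
#!/bin/sh
# Consistency check for LUKS-on-LVM entries in crypttab and fstab.
# Added example, not from the original post. Assumes the post's layout: an
# LVM logical volume holds the LUKS container, crypttab opens it under a
# chosen name, and fstab mounts /dev/mapper/<name>.
#
# Findings (names constructed for this example):
#   COLLISION - crypttab name equals LVM's own device-mapper name (<vg>-<lv>)
#   MISSING   - crypttab opens a volume that fstab never mounts
#   RAW       - fstab mounts the still-encrypted source device, so data
#               written there would land outside the LUKS layer
#
# Usage: check_crypttab_fstab /etc/crypttab /etc/fstab   (exit 0 = consistent)

# fstab_mounts FSTAB DEVICE -> true if some fstab line mounts DEVICE
fstab_mounts() {
    awk -v dev="$2" '$1 == dev { found = 1 } END { exit !found }' "$1"
}

# lvm_dm_name SOURCE -> the device-mapper name LVM uses for /dev/<vg>/<lv>,
# or the name part of /dev/mapper/<name>; empty for anything else.
# (LVM doubles a "-" that appears inside a VG or LV name; not handled here.)
lvm_dm_name() {
    case "$1" in
        /dev/mapper/*) printf '%s\n' "${1#/dev/mapper/}" ;;
        /dev/*/*)      _vg=${1#/dev/}; _vg=${_vg%%/*}
                       printf '%s-%s\n' "$_vg" "${1##*/}" ;;
        *)             printf '\n' ;;
    esac
}

check_crypttab_fstab() {
    crypttab=$1; fstab=$2; rc=0
    # crypttab fields: <name> <source device> <key file> <options>
    while read -r name src _rest; do
        case "$name" in ''|\#*) continue ;; esac
        mapped="/dev/mapper/$name"
        dmname=$(lvm_dm_name "$src")

        # a name that equals LVM's dm name makes mapping and source indistinguishable
        if [ -n "$dmname" ] && [ "$name" = "$dmname" ]; then
            echo "COLLISION: crypttab name $name equals LVM's device-mapper name for $src"
            rc=1; continue
        fi
        if ! fstab_mounts "$fstab" "$mapped"; then
            echo "MISSING: $name is opened by crypttab but $mapped is not in fstab"; rc=1
        fi
        # the raw source can be written two ways; both bypass the encryption layer
        raw_alt="/dev/mapper/$dmname"
        [ -n "$dmname" ] && [ "$raw_alt" != "$src" ] || raw_alt=""
        for raw in "$src" ${raw_alt:+"$raw_alt"}; do
            if fstab_mounts "$fstab" "$raw"; then
                echo "RAW: fstab mounts $raw, the encrypted source of $name, instead of $mapped"; rc=1
            fi
        done
    done < "$crypttab"
    return "$rc"
}

# --- constructed sample input; these are not real system files ---
demo_dir=$(mktemp -d)
# naming from the post's summary: decrypted device is /dev/mapper/lvtest
printf 'lvtest /dev/mapper/vgtest-lvtest none\n' > "$demo_dir/crypttab.good"
printf '/dev/mapper/lvtest /mnt ext4 defaults 1 2\n' > "$demo_dir/fstab.good"
# the confusion the summary was written to avoid: crypttab name reuses LVM's dm name
printf 'centos_test-test /dev/centos_test/test none\n' > "$demo_dir/crypttab.bad"
printf '/dev/mapper/centos_test-test /mnt ext3 defaults 1 2\n' > "$demo_dir/fstab.bad"

echo "== good pair =="
check_crypttab_fstab "$demo_dir/crypttab.good" "$demo_dir/fstab.good" && echo "consistent"
echo "== bad pair =="
check_crypttab_fstab "$demo_dir/crypttab.bad" "$demo_dir/fstab.bad" || echo "inconsistent"
rm -rf "$demo_dir"
```

Run it against the real files with `check_crypttab_fstab /etc/crypttab /etc/fstab` after editing them and before the reboot. It only checks the wiring between the two files; to confirm that a mounted filesystem really sits on a LUKS mapping, `cryptsetup status <name>` on the running system is the authoritative check.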

IIS Redirect from http to https

Windows Server 2012 fully updated.
IIS version 8.
Exchange 2010 fully updated.

Initially, I tried doing this with the default “HTTP Redirect.” I simply wanted to have a more generic DNS name using HTTP redirect to the Outlook Web Access URL using HTTPS. This introduced a couple of issues. One, I needed to have SSL not be required for the “Default Web Site”, and two, I created a loop since the redirect applies to all virtual directories below the “Default Web Site.”

I discovered the “URL Rewrite” module below:
http://www.microsoft.com/en-us/download/details.aspx?id=7435

Previously, I had used rewrite rules in Apache to accomplish a similar task, so I knew I was on the right track.

First thing you have to do is get the SSL settings right. For this I used the IIS Manager UI. I wish I had taken the time to find out how to do this with PowerShell, and here is why. For the “Default Web Site”, you open “SSL Settings” and uncheck “Require SSL.” Now, when you do this, it will change it for all your virtual directories. So, you have to select each virtual directory, open “SSL Settings”, and check “Require SSL.” Ugh.

Once that is done, install the “URL Rewrite” module. It is pretty straightforward. Once it is installed, you need to restart IIS using “iisreset”. Back in IIS Manager, select “Default Web Site” and you will notice a “URL Rewrite” icon has been added. Open it up and click “Add Rule…” under the Action menu. You give it a name, and the pattern to match. The “Action type” is “Rewrite”, and the “Rewrite URL” is where you put the HTTPS URL.

Here is what I used to redirect http://mail to https://myexchangeserver.my.domain/owa:
Pattern: Matches the Pattern
Using: Regular Expressions
Pattern: http://mail
Ignore case: checked
No Conditions added.
No Server Variables added.
Action type: Rewrite
Rewrite URL: https://myexchangeserver.my.domain/owa
Append query string: checked
Log rewritten URL: unchecked
Stop processing of subsequent rules: unchecked

Exchange mailbox error – get-mailbox

I got the following error when trying to look at a mailbox using EMS from an Exchange 2010 server. The mailbox was on an Exchange 2003 server.

WARNING: The object MY.DOMAIN/MYOUs/Firstname Lastname has been corrupted, and it’s in an inconsistent state. The following validation errors happened:
WARNING: Property expression “FLastname” isn’t valid. Valid values are: Strings that includes ‘@’, where ‘@’ cannot be the last character

It turns out that this issue was the userPrincipalName attribute for the user. It probably was missed in the migration from a Windows NT4 environment to Windows 2000/2003. I simply used ADSI Edit to add the @MY.DOMAIN to the end of current attribute setting, and all was well.

Unable to ssh into Cisco PIX or ASA

After a reboot of our Cisco PIX I was unable to log in remotely using ssh. The first thing I tried was removing the PIX entry from my ~/.ssh/known_hosts file. This did not work.

The only way I have found to gain access again is to regenerate the RSA key from the console:

MYPix (config)# ca zeroize rsa
MYPix (config)# ca generate rsa key 1024
MYPix (config)# ca save all

For a Cisco ASA:

MyASA (config)# crypto key generate rsa modulus 2048
MyASA (config)# write memory

Initiate Printer Creation From Command Line in Windows

To setup a network printer that is created and shared on SERVERNAME:

RUNDLL32.EXE printui.dll,PrintUIEntry /in /n\\SERVERNAME\PRINTERSHARENAME

To set that printer as the default printer:

RUNDLL32.EXE printui.dll,PrintUIEntry /y /n\\SERVERNAME\PRINTERSHARENAME

This can be useful to help somebody get a printer connected easily using a script.

More info: https://technet.microsoft.com/en-us/library/ee624057.aspx

Exchange 2010 – Trouble accessing the Exchange Control Panel (ecp)

While trying to access the Exchange Control Panel (https://exchangeserver/ecp), I kept getting the following error:

“Sorry! We’re having trouble processing your request right now. Please try again in a few minutes.”

Outlook Web Access (https://exchangeserver/owa) worked fine.

Thanks to jhoskins for the following post that provided the solution:
http://www.moderncs.net/node/98

As mentioned in the post, I was also running Exchange 2010 on Windows 2012 server.

Since OWA was working, it was just a matter of getting the ECP Application Pool in IIS to use the same version of the .NET Framework. When the ECP was not working, the MSExchangeECPAppPool Application Pool was set to use version 4.0.30319. I simply changed it to version 2.0.50727, like the MSExchangeOWAAppPool was set, and it started working fine.

Exchange 2010 – Receive Connectors

To configure Exchange to relay mail from something that is not another Exchange server, you will need to create an additional Receive Connector. The best approach is probably to create and name them based on authentication or Permission Groups. That way, if you need to add another later, it will be easy to identify where you need to be and what you need to do. For example, you might name one “Anonymous No Auth” or “Anonymous TLS”.

To create a new Receive Connector, open the EMC (Exchange Management Console) and under “Server Configuration”, select “Hub Transport.” Select the Exchange server in the “Hub Transport” window at the top of the screen. This shows you all of your current Receive Connectors. In the Actions pane (right side of the screen), select “New Receive Connector …”

Name: Anonymous TLS
Select the intended use for this Receive connector: Custom
Next

Local Network settings:
Next

Remote Network settings:
Select 0.0.0.0-255.255.255.255 and hit the red X to remove it. Then, add the IP or IP Range for which you want the connector to apply.
Next

New

Then, in the bottom window pane, you will see the newly created Receive Connector. Right-click on it and go to Properties. Click on the “Authentication” tab. TLS should be selected by default. If you want no authentication for this connector (not recommended of course), you would uncheck TLS, leaving nothing checked here.

On the “Permission Groups”, check “Anonymous users”.
Ok

If you are still getting a “5.7.1 Unable to relay” even after configuring the connector, you may need to modify the “ms-Exch-SMTP-Accept-Any-Recipient” attribute:

Get-ReceiveConnector “Non-Exchange Relay Support” | Add-ADPermission -User “NT AUTHORITY\ANONYMOUS LOGON” -ExtendedRights “ms-Exch-SMTP-Accept-Any-Recipient”

In Exchange 2013, Receive Connectors are under “Mail Flow” in the ECP.
