Archive for the ‘Windows’ Category

After installing Cyberghost VPN on a Windows 7 machine I was unable to launch the application. The following error was returned each time:
There is a problem with your Cyberghost VPN Installation. Should Cyberghost try to solve the problem automatically?

After choosing yes the application still failed to launch. I was able to resolve the issue by following these steps:

1. Open up Device Manager:
Start -> Control Panel -> System -> Device Manager

2. Scroll down to Network adapters and expand it.

3. Here I had three different “TAP-Win32 Adapter” instances each with a different V#. Right click each one and choose Uninstall.

4. Install OpenVPN which will install the appropriate TAP-Win32 driver. This can be downloaded here.

5. Now there will only be one instance of “TAP-Win32 Adapter” under Network Adapters and you should be able to launch Cyberghost without error.

First create a new Windows user which will have access to the directory. If this user already exists, skip to step #5.

1. Open Server Manager by clicking Start -> Administrative Tools -> Server Manager

2. Expand Configuration -> Local Users and Groups

3. Right click Users and select New User.

4. Enter the desired user name and password. Make sure to uncheck “User must change password at next logon” and check both options for “User cannot change password” and “Password never expires”.

5. Open IIS Manager by clicking Start -> Administrative Tools -> Internet Information Services (IIS) Manager

6. Expand the server name in IIS then Sites. Expand the site in question and select the directory you are looking to secure.

7. Double click “Authentication” under the IIS heading on the right. If you do not see this, make sure “Features View” is selected at the bottom of IIS.

8. Right click “Anonymous Authentication” and choose Disable.

9. Right click on “Windows Authentication” and choose Enable.

By default the new user we created will be a member of the “Users” group and this group has access to the directory we are securing. However if you want to limit this access to a select user(s) instead of all users on your server, follow the extra steps below.

1. Right click the directory again on the left side of IIS and choose Edit Permissions.

2. Click the Security tab and then click Advanced.

3. Click Change Permissions

4. Select the Users group and choose Remove

5. Click Add -> Advanced -> Find Now to browse for the new user

6. Click OK until all dialogue boxes are closed
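
The same change can be scripted and verified from PowerShell. This is an added example, not part of the original post: the site path, folder and account name are placeholder assumptions, and the icacls part corresponds to the optional steps that limit access to a single user.

```powershell
# Added example: scripted equivalent of the IIS Manager steps above.
# Assumed placeholders: site path, physical folder and account name.
$appcmd   = "$env:windir\System32\inetsrv\appcmd.exe"
$sitePath = 'Default Web Site/secure'        # IIS path of the directory
$folder   = 'C:\inetpub\wwwroot\secure'      # physical folder behind it
$account  = 'SERVER01\webuser'               # user allowed to log in
$authRoot = 'system.webServer/security/authentication'

function Set-IisAuth([string]$Section, [string]$Enabled) {
    # The authentication sections are locked at server level by default,
    # so the change is committed to applicationHost.config.
    & $appcmd set config $sitePath "/section:$authRoot/$Section" `
        "/enabled:$Enabled" /commit:apphost | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "appcmd failed for $Section" }
}

Set-IisAuth 'anonymousAuthentication' 'false'
Set-IisAuth 'windowsAuthentication'   'true'

# Optional: limit NTFS access to the single account instead of "Users".
# The Users entry is normally inherited, so inheritance is converted to
# explicit entries first; otherwise the removal has no effect.
& icacls $folder /inheritance:d | Out-Null
& icacls $folder /remove:g 'BUILTIN\Users' | Out-Null
& icacls $folder /grant "${account}:(OI)(CI)RX" | Out-Null

# Verify: print the effective authentication settings and the final ACL.
& $appcmd list config $sitePath "/section:$authRoot/anonymousAuthentication"
& $appcmd list config $sitePath "/section:$authRoot/windowsAuthentication"
& icacls $folder
```

Run it from an elevated prompt; the last three commands should show anonymous authentication disabled, Windows authentication enabled, and no BUILTIN\Users entry on the folder.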

I needed to enable PAE across a large number of servers, some running Server 2003 and some on 2008. Luckily these were part of an Active Directory domain so scripting the update did not require login details for each individual server.

The following batch file will loop through “servers.txt” and enable PAE on each one. Make sure to create the “servers.txt” file with the list of IPs or hostnames one per line. This utilizes psexec so if you need to download this it can be found here.


FOR /F %%i IN (servers.txt) DO (
REM Enable PAE on Server 2003:
psexec \\%%i bootcfg /raw "/pae" /A /ID 1
REM Enable PAE on Server 2008:
psexec \\%%i Bcdedit /set PAE forceenable
)

If this needs to be enabled on a small number of servers it can be done by running the appropriate command above in a command prompt.

Server 2003:
bootcfg /raw "/pae" /A /ID 1

Server 2008:
Bcdedit /set PAE forceenable

By default IIS will listen for connections on port 80 for any IP bound to the server. This happens even if there are no host headers or bindings set for a specific IP. This can be a problem when trying to run multiple web servers on port 80.

To set IIS to listen on specific IPs follow the instructions below.

Windows Server 2003/IIS 6:

1. This requires the Server 2003 support tools. If this is not already installed it can be downloaded here.

2. Once installed open a command prompt and navigate to the support tools installation folder (default is C:\Program Files\Support Tools).
cd C:\Program Files\Support Tools

3. Stop http.
net stop http /y

4. Use this command to display the current list of IPs:
httpcfg query iplisten

5. By default it will listen on all IPs (0.0.0.0) so we can remove this.
httpcfg delete iplisten -i 0.0.0.0

6. Specify the IP(s) that IIS should listen on. Make sure to update 127.0.0.1 to the desired IP and run the command for each IP IIS should listen on.
httpcfg set iplisten -i 127.0.0.1

7. Start http and test out your sites.
net start http

Windows Server 2008/IIS 7:

1. Open a command prompt and type “netsh”.
netsh

2. Type “http”.
http

3. Enter the following command to display the current list of IPs to listen on. Note that if no IPs are displayed, IIS will listen on all IPs (default).
show iplisten

4. Use the command below to set IIS to listen on a specific IP. Make sure to replace 127.0.0.1 with the correct IP and run the command again for any additional addresses.
add iplisten ipaddress=127.0.0.1

5. In case you need to delete an IP from this list, use the following command.
delete iplisten ipaddress=127.0.0.1

6. Restart IIS to apply these changes.
iisreset
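
To confirm the result on Server 2008, the listen list and the actual port 80 listeners can be compared against the addresses IIS is supposed to own. This is an added example, not part of the original post; the address in $expected is a placeholder assumption.

```powershell
# Added example: audit the HTTP.sys IP listen list against an allow-list.
# $expected is an assumed placeholder; list the IPs IIS should listen on.
$expected = @('192.0.2.10')

function Get-IpListen([string[]]$NetshOutput) {
    # Pull every IPv4 address out of "netsh http show iplisten" output.
    $NetshOutput | ForEach-Object {
        if ($_ -match '^\s*(\d{1,3}(\.\d{1,3}){3})\s*$') { $matches[1] }
    }
}

function Get-Port80Listeners([string[]]$NetstatOutput) {
    # Local addresses in LISTENING state on TCP port 80, with owning PID.
    $NetstatOutput | ForEach-Object {
        if ($_ -match '^\s*TCP\s+(\S+):80\s+\S+\s+LISTENING\s+(\d+)') {
            New-Object PSObject -Property @{
                Address  = $matches[1]
                OwnerPid = $matches[2]
            }
        }
    }
}

$listen    = @(Get-IpListen (netsh http show iplisten))
$listeners = @(Get-Port80Listeners (netstat -ano -p tcp))

if ($listen.Count -eq 0) {
    Write-Warning 'IP listen list is empty: IIS will listen on all IPs.'
}
$listen | Where-Object { $expected -notcontains $_ } |
    ForEach-Object { Write-Warning "Unexpected listen entry: $_" }
$listeners | Where-Object { $_.Address -eq '0.0.0.0' } |
    ForEach-Object { Write-Warning "Wildcard listener on port 80 (PID $($_.OwnerPid))" }

# Show who owns port 80 on each address (PID 4 is HTTP.sys / System).
$listeners | Format-Table Address, OwnerPid -AutoSize
```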

Sometimes when using a wildcard SSL or Unified Communications Certificate (UCC) it is necessary to add multiple https host headers for a single IP. Unfortunately the IIS 7 GUI does not allow you to set a host header on an https binding; however, this can be achieved using the “appcmd” command.

1. First bind the certificate to one site as normal by adding the https binding through the IIS GUI.

2. Open a command prompt and navigate to C:\Windows\System32\Inetsrv\ using the command below:

cd C:\Windows\System32\Inetsrv\

3. Enter the following command to manually set the binding bearing in mind the notes below:

appcmd set site /site.name:"SiteNameInIIS" /+bindings.[protocol='https',bindingInformation='IP.Add.re.ss:443:www.example.com']

Make sure to change the following values on the command above accordingly:

SiteNameInIIS: The site name exactly how it appears in IIS. For instance “example.com”.

IP.Add.re.ss: The IP used by the site.

www.example.com: The desired hostname. Note in most cases there will be one for www and non-www.

Example command:

appcmd set site /site.name:"example.com" /+bindings.[protocol='https',bindingInformation='1.2.3.4:443:www.example.com']

Running the appcmd command from a batch file:

To make this process easier you can use the batch file below. This will prompt you for the site name, IP, and host header value and then make the appropriate host header change.

Save the code as something like “addsslbinding.bat” and then call it from a command prompt by entering the name of the file (ie. “addsslbinding”).


@echo off
echo Enter site name in IIS:
set /p SiteName=
echo Enter IP address:
set /p IP=
echo Enter host header value (ie. www.domain.com):
set /p HostHeader=
C:\Windows\System32\Inetsrv\appcmd set site /site.name:"%SiteName%" /+bindings.[protocol='https',bindingInformation='%IP%:443:%HostHeader%']
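
The batch file substitutes whatever is typed straight into the appcmd command line, so a stray quote or bracket changes what appcmd receives. The PowerShell version below validates the three values first. It is an added example, not part of the original post, and its allow-list for site names is an assumption to adjust to your naming.

```powershell
# Added example: validated replacement for the prompt-driven batch file.
$appcmd = "$env:windir\System32\inetsrv\appcmd.exe"

function Test-BindingInput([string]$SiteName, [string]$IP, [string]$HostHeader) {
    # Conservative allow-list for site names (assumption of this example).
    if ($SiteName -notmatch '^[A-Za-z0-9 ._-]{1,64}$') { return 'invalid site name' }

    # TryParse accepts short forms such as "1.2", so require that the
    # parsed address round-trips to exactly what was typed.
    $addr = $null
    if (-not [System.Net.IPAddress]::TryParse($IP, [ref]$addr) -or
        $addr.AddressFamily -ne 'InterNetwork' -or
        $addr.ToString() -ne $IP) {
        return 'invalid IPv4 address'
    }

    # Hostname: dot-separated labels of letters, digits and hyphens.
    $label   = '[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?'
    $pattern = '^' + $label + '(\.' + $label + ')+$'
    if ($HostHeader.Length -gt 253 -or $HostHeader -notmatch $pattern) {
        return 'invalid host header'
    }
    return $null
}

$site       = Read-Host 'Enter site name in IIS'
$ip         = Read-Host 'Enter IP address'
$hostHeader = Read-Host 'Enter host header value (ie. www.domain.com)'

$problem = Test-BindingInput $site $ip $hostHeader
if ($problem) { throw "Refusing to run appcmd: $problem" }

$binding = "/+bindings.[protocol='https',bindingInformation='${ip}:443:${hostHeader}']"
& $appcmd set site "/site.name:$site" $binding
if ($LASTEXITCODE -ne 0) { throw 'appcmd reported an error' }

# Confirm the new binding is present on the site.
& $appcmd list site $site
```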


By default 32 bit Windows installs will not be able to utilize more than 4GB of memory. However PAE (Physical Address Extension) can be enabled which allows the OS to see memory beyond 4GB. Note that each individual process is still limited to 4GB of memory, even if the OS can see more than that. The only solution to allow a single process to access more than 4GB is to upgrade to a 64 bit OS.

1. Click Start -> Control Panel -> System

2. Select the Advanced tab

3. Click Settings under “Startup and Recovery”

4. Click Edit

5. The boot.ini file will open in Notepad for editing. The last line of this file should look something like this:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect

Just add “/PAE” to the end of this line so it looks like the example below:

multi(0)disk(0)rdisk(0)partition(1)\WINDOWS="Windows Server 2003, Standard" /noexecute=optout /fastdetect /PAE

6. Save the file and click OK twice

7. Reboot the server to apply the change.

Even with PAE enabled the OS still has a memory limit. To see the limit for a specific Windows release please refer to:
Memory Limits for Windows Releases

In this example the server is running Server 2003 Standard which has an OS limit of 4GB so enabling PAE would not help. This was just done for demonstrative purposes.

There is often a need to determine which application pool a w3wp.exe process is responsible for. There are separate commands for determining this depending on the version of IIS.

IIS 6:
When running IIS 6 the following command can be used in a command prompt:

iisapp

Example output:

This process ID will match what is displayed on the Task Manager.

IIS 7:
The iisapp command will not work on IIS 7 however Microsoft provides an equivalent command:


%windir%\system32\inetsrv\appcmd.exe list wp


This article assumes you have already installed the HTTP Redirection role. If this has not been installed follow the instructions listed here first:
Install HTTP Redirection in IIS 7

*Note: IIS creates a new web.config file or edits an existing one when a redirect is added. To avoid causing issues with an existing web.config file it is recommended to create a new site in IIS specifically for the redirect. Then the home directory for this new site can be pointed to an empty folder.

1. Open IIS and select the desired site.

2. Double click “HTTP Redirect” under the “IIS” heading.

3. Check the box next to “Redirect requests to this destination:” and enter the desired URL to redirect to.

4. Check the box next to “Redirect all requests to exact destination”

5. Choose the desired status code for the redirect. Most users choose the “Permanent (301)” as it will tell browsers the location has permanently changed. If this is something temporary like a maintenance page, select either of the other two options instead.

6. Click “Apply” under the Actions heading on the right hand side and test the new redirect.

Unfortunately the Exchange Management Console does not allow use of wildcard values for things like senders and recipients. These need to be a specific user or a list of users. However you can search these logs for wildcard values using the Exchange Management Shell.

Here are two examples to search for any user at example.com. These will output the results to a text file for easier viewing. Make sure to update the date ranges and domain name as needed.

Search for messages sent TO any users at example.com:

Get-MessageTrackingLog -ResultSize Unlimited -Start "5/1/2011" -End "5/12/2011" | where{$_.recipients -like "*@example.com"} | select-object Timestamp,SourceContext,Source,EventId,MessageSubject,Sender,{$_.Recipients} | export-csv C:\ExchangeLogResults.txt

Search for messages sent FROM users at example.com:

Get-MessageTrackingLog -ResultSize Unlimited -Start "5/1/2011" -End "5/12/2011" | where{$_.sender -like "*@example.com"} | select-object Timestamp,SourceContext,Source,EventId,MessageSubject,Sender,{$_.Recipients} | export-csv C:\ExchangeLogResults.txt

This information applies to Exchange 2003, 2007, and 2010.

I needed a way to be notified by email when a SQL failover occurred. The simple solution for this is to set up a job to send an email and set this job to be triggered when SQL agent starts. The SQL agent service on the passive server starts when a failover occurs.

The instructions are for SQL Server 2008 but the steps should be similar in other versions.

First we need to set up a SQL mail profile to connect to a mail server. This mail service does not need to be installed on the same server as SQL. If this is already configured skip to the “Configure the SQL job” section below.

Setup SQL mail profile:
1. Open Management Studio, connect to your SQL cluster, and expand Management

2. Double click Database Mail to start the Mail Configuration Wizard

3. Select Set up Database Mail by performing the following tasks -> Next

4. Enter a relevant profile name then hit Add next to SMTP accounts

5. Enter the email address you want to use for these alerts. I highly recommend using an existing user and enabling basic authentication. Otherwise you may have to allow the SQL server to send through your mail server without authentication.

6. Click Next -> Next -> Next -> Finish

Configure the SQL job:
1. Expand SQL Server Agent

2. Right click Jobs -> New Job

3. Fill out the General page with relevant details then click the Steps page -> New

4. Enter an appropriate name for the step and set type to Transact-SQL script (T-SQL)

5. Enter the following in the Command field. Make sure to modify the values as needed.


EXEC msdb.dbo.sp_send_dbmail
@profile_name = 'My mail account name',
@recipients='alerts@mydomain.com',
@Body='SQL Agent has started on the passive server.',
@from_address= 'alerts@mydomain.com',
@subject='SQL Cluster Failover Alert';

6. Click OK

7. Click the Schedules page -> New

8. Name the schedule appropriately and set schedule type to “Start automatically when SQL Server Agent starts”

9. Click OK -> OK

10. Right click the new job and select “Start job at step” to test the new job and make sure it can send mail properly