Friday, May 25, 2018

Windows Printer Driver Causes Lexmark Firmware Error 900

I had an interesting issue with an AD-deployed printer causing a firmware crash in our Lexmark MX1145 printer.

Our Lexmark MX1145 MFP has been set up on our Server 2012R2 server using printer driver version 1.2.0.0 through our Ethernet network. This appears to be an issue with a GIF file embedded in the email.


The Setup:


Windows Server 2012R2 Active Directory deployed printer using driver version 1.2.0.0, to a Windows 10 Pro client using Chrome and Gmail.


What Causes it:


The client prints a page in printer layout format in Chrome (Gmail), and when the job is sent to the printer it causes a firmware error 900. I believe it is an issue with the GIF file embedded in the email, as viewing the source and printing did not cause a crash, and neither did saving the file to a PDF. It also crashes on other emails that we have from the same place, not just this one-off email.






When you go to print, the printer immediately crashes.



Resolution:


Update to the Universal Printer Driver Version 2XL (2.11.0.0). The troublesome emails didn't crash the printer anymore.

Sunday, May 20, 2018

How to use Nexus Font in Windows 10

Download and install Nexus Font from http://www.xiles.net/. Once installed, you will need to get some fonts if you don't have any. You can get free fonts from https://www.fontsquirrel.com/ along with other font sources. You can see the whole how-to video on my YouTube page.


1. Create a folder in your Documents folder for adding and removing custom fonts.  In this case I called the folder "My Fonts".

2. Open Nexus Font from the desktop; the icon for the program is shown below.

3. When opened, Nexus Font will load all the system default fonts as shown below.

4. Add a “New Folder Group” by right-clicking under the Library heading and name your group (I called mine “Custom Fonts”), then hit OK.

5. After you have added your collection, your Library will look like this.

6. Now you will want to add a folder to your Folder Group by right-clicking on the Custom Fonts group and selecting “Add Folder”, then browse to your “My Fonts” folder in your Documents.

7. If you have any fonts in subfolders in your “My Fonts” directory they will not load.  You have to add the font folders separately, repeating step 4 but browsing to the fonts directory you want to load, in this case HelveticaNeue.

8. Once loaded, your library will look like the following.  The fonts will be activated, but any software that loads fonts at startup will need to be restarted to pick up the newly activated fonts.

9. You will need to relaunch Nexus Font every time to activate your custom fonts for your programs, so make sure you run it first before launching any programs you might need your custom fonts for.

Friday, May 11, 2018

Oracle CredSSP Encryption Error

I remotely manage about a dozen or so Hyper-V servers from a remote workstation, and my post on how to set up and configure it is here.  However, that changed this morning when I logged in and tried to connect to one of my remote Hyper-V servers using the console.

Remote Desktop would not connect, giving the following error:
An Authentication error has occurred.
The function requested is not supported.
This could be due to CredSSP encryption oracle remediation

After doing some checking, it appears to have come from the last series of Windows updates around May 8, 2018.

The resolution is a registry entry on the machine you're connecting from.

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\CredSSP\Parameters]
"AllowEncryptionOracle"=dword:00000002



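You will need to create the CredSSP and Parameters keys as shown above, then add a 32-bit DWORD named AllowEncryptionOracle with the value of 2. A value of 2 is the "Vulnerable" level of the Encryption Oracle Remediation setting, which lets the updated client fall back to the older CredSSP behaviour so it can still connect to servers that have not received the update.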

You will NOT need to reboot, you will be able to connect to the console right away.

Friday, May 04, 2018

PFSENSE LAGG Modifications and Recovery


My organization had an issue with our firewall: the hard drive died.  It has a 4-port LAGG, which is unnecessary, but we were troubleshooting some issues (long story).  Anyway, we wanted to reduce the LAGG ports from 4 to 2 and took this hard drive failure as the opportunity to do it.


Here is how you start.  Make sure you have an up-to-date backup of your pfSense config.  I know you back up every time before you do an upgrade, right… ;)

We want to make the following modifications to the config.xml file.

<laggs>
  <lagg>
    <members>igb0,igb1,igb2,igb3</members>
    <descr></descr>
    <laggif>lagg0</laggif>
    <proto>lacp</proto>

to this below

<laggs>
  <lagg>
    <members>igb0,igb1</members>
    <descr></descr>
    <laggif>lagg0</laggif>
    <proto>lacp</proto>

Save your modified config.xml to a thumb drive.  The drive should be formatted as FAT32.


You will also want to make sure you have your network documented. It's good practice anyway, but you will need it to re-assign the interfaces because of the LAGG modifications.

Here is an example of the network documentation required.

WAN -> LAGG0.40 -> v4: 1.1.1.250/24
LAN -> LAGG0.30 -> v4: 1.1.2.250/24
opt1 -> LAGG0.50 -> v4: 1.1.5.250/24
opt2 -> LAGG0.60 -> v4: 1.1.6.250/24

And so on and so forth.

If you are using OpenVPN you shouldn't need to define that, and you should also not be defining the actual physical interfaces such as igb0, igb1.
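A way to check the edited config before it goes on the thumb drive (an added example, not part of the original post): it applies the member change to a parsed copy and lists any interface or VLAN parent still bound directly to a NIC that is a LAGG member. The sample config is constructed, and the `<interfaces>` and `<vlans>` layout is an assumption; only the `<laggs>` block comes from the post.

```python
import xml.etree.ElementTree as ET

# Constructed sample config. Only the <laggs> block is from the post; the
# <interfaces> and <vlans> layout is an assumption made for this example.
SAMPLE_CONFIG = """<pfsense>
  <interfaces>
    <wan><if>lagg0.40</if></wan>
    <lan><if>lagg0.30</if></lan>
    <opt1><if>igb1</if></opt1>
  </interfaces>
  <vlans>
    <vlan><if>lagg0</if><tag>40</tag><vlanif>lagg0.40</vlanif></vlan>
    <vlan><if>lagg0</if><tag>30</tag><vlanif>lagg0.30</vlanif></vlan>
  </vlans>
  <laggs><lagg>
    <members>igb0,igb1,igb2,igb3</members>
    <descr></descr>
    <laggif>lagg0</laggif>
    <proto>lacp</proto>
  </lagg></laggs>
</pfsense>"""

def trim_lagg(root, laggif, keep):
    """Set one LAGG's member list; return the NICs dropped from it."""
    for lagg in root.findall("./laggs/lagg"):
        if lagg.findtext("laggif") == laggif:
            members = lagg.find("members")
            old = [m for m in (members.text or "").split(",") if m]
            if not set(keep) <= set(old):
                raise ValueError(f"{keep} are not all members of {laggif}")
            members.text = ",".join(keep)
            return [m for m in old if m not in keep]
    raise ValueError(f"no LAGG named {laggif}")

def misassigned(root):
    """Interfaces or VLAN parents bound directly to a NIC that is a LAGG member."""
    nics = {m for t in root.findall("./laggs/lagg/members")
            for m in (t.text or "").split(",") if m}
    hits = [(i.tag, i.findtext("if")) for i in root.findall("./interfaces/*")
            if i.findtext("if") in nics]
    hits += [("vlan " + v.findtext("tag", ""), v.findtext("if"))
             for v in root.findall("./vlans/vlan") if v.findtext("if") in nics]
    return hits

if __name__ == "__main__":
    root = ET.fromstring(SAMPLE_CONFIG)
    print("removed from lagg0:", trim_lagg(root, "lagg0", ["igb0", "igb1"]))
    print("assigned directly to a LAGG member:", misassigned(root))
```

ElementTree does not preserve CDATA sections, so if your backup contains any, use this to check a hand-edited file rather than to rewrite it.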



I’ve found the easiest way to do the restore is to reinstall pfSense. Once that's done, you can either log in to the web interface and re-upload the config, or put the config in place after the install using the console. This procedure is going to use the console.


After the reinstall of pfSense is complete, boot off the drive.


Clean pfSense installation
Plug in the USB key with the backup config.xml file

USB drive is da0
Plug in your USB drive and make note of the drive


In this case it is da0; since it’s FAT32 we want partition 1, which is s1, and we mount the drive with the following command:


mount -v -t msdosfs -o large /dev/da0s1 /mnt


cd to the /mnt directory and copy the file, in this case config-FW2.xml, to the /conf folder.

Mount the USB drive with the modified config file
Copy the config file from the mounted drive to the /conf directory. You could do a complete overwrite of the config, but I am much more cautious. I like to make a backup of the default config first, then copy over.

cp /conf/config.xml /conf/config_bak.xml
cp /mnt/config-FW2.xml /conf/config.xml


Change the permissions of the newly copied config.xml to 644

chmod 644 /conf/config.xml


Reboot.

At this point you can reconnect your network connections to the LAGG and CARP interfaces. This will just take a few minutes to boot up and mostly fix our network interfaces.

Now we want to reassign our interfaces as they are slightly messed up.  Note the igb0 and igb1.


Fix your interfaces: igb0 and igb1 are lagged and should not be assigned.  To do this you will want to reassign your interfaces (press 1 on the pfSense console menu), but DO NOT modify the VLANs.  I know you have your networks documented, right… ;)

Again, here is an example of the network documentation required.

WAN -> LAGG0.40 -> v4: 1.1.1.250/24
LAN -> LAGG0.30 -> v4: 1.1.2.250/24
opt1 -> LAGG0.50 -> v4: 1.1.5.250/24
opt2 -> LAGG0.60 -> v4: 1.1.6.250/24


Reassigned network interfaces.


Once done, reboot your pfSense system. You may get something about removing igb because of an IPv6 conflict.  You can ignore this; press Control-C to escape.

It may take a few minutes for pfSense to get its networks sorted out.  If nothing on your switches has changed, you will be able to log in to the web interface and put the firewall back into production. The whole process should take no more than 10 to 20 minutes. Once you've accessed the web interface you will need to re-install any 3rd party extras you may have installed, such as the openvpn-client-export and the FTP_Client_Proxy.  Upon plugging the fixed firewall back into place, I had no issues or internet hiccups from the system coming back online. CARP was just as responsive as ever and failover worked flawlessly on the reconfigured LAGG.

Tuesday, May 01, 2018

Active Directory Health and Security Audit

During my project to migrate users from roaming profiles to redirected folders I have been noticing errors with the Active Directory using Lansweeper and the Best Practices Analyzer. Now, the organization I work for has an Active Directory that is approximately 20 years old; it was brought in during the late 90's on Windows NT version 3.5, or so I've been told. There is no documentation on the AD setup, though I think it is reasonable to assume that the domain is either a resource or user based domain based on how easy it is to manage users and computers.

All users were originally set up with roaming profiles, which would be fine with small user accounts, but I've successfully migrated all users to redirected folders. This really sped up our logon time, but now when we are deploying new users and new systems I have been noticing errors in the Active Directory log such as this





As an IT group we really haven’t been vigilant until recently in getting the Active Directory fixed up and in line with current best practices. To that end we are working to get the Active Directory set up so it doesn't need to be so micromanaged.  Currently we are having issues when creating new users and adding new machines, where GP doesn't apply properly and things get missed when things are deployed.  Two excellent examples of this issue:



  1. Deploying a new computer: added the machine to the domain, added it to the proper OU, did a GP update on the server; the user logs in to the client and gets no redirected folders.
  2. Adding a new user for email-only access: put them into the proper security groups and OU; the user is able to log in to a network computer when they should be denied.

The AD has also evolved to use more than one AD controller (currently at 4), which is not necessary for an organization of this size (100 users and 100 devices). 2 are required for redundancy, but we also want a virtualized domain controller for good measure and to follow best practices.

Issues to be rectified:

  • Offline Syncing
  • DFS Replication
  • Time Server Syncing
  • Primary Active Directory Controller (PAC) needs to be reassigned
  • Raise Domain Functionality
  • Confirm DFS Settings
  • Fix Shared Folder Names
  • Verify SYSVOL Replication
  • Make sure Best Practices Analyzer is free and clear from major errors.
  • Verify Active Directory Domain Administrator Password
  • Verify the Active Directory Backup Password
  • Remove unused Group Policies, OUs and Users
  • Set up Role-Based Administration
  • Review Global Catalog
  • Create Documentation for IT Staff

Current AD Setup



The Process to fix AD


Using Lansweeper, the Best Practices Analyzer and the Microsoft IPD Guide from the Microsoft Developer Network, IT staff intend to go over the Active Directory setup with great care and detail, documenting final results that may be lost or have changed over time, such as the Active Directory Recovery Password. Using virtualization we will test and verify the schema, the forest root, design structure, scalability, ACLs, backup/restoration needs, centralized security management, ease of administration, and user and computer roles.

To verify these settings IT will make a mirror of our current AD in a virtualized private network to test and verify settings before any fixes get applied to the production Active Directory. This will ensure the safety and validity of the processes we will use in fixing and optimizing the Active Directory. All procedures will be tested, verified and documented so they can be easily replicated.

Computers Used in Mirrored Setup:
  • Current Primary AD Controller (VM)
  • New Physical AD Controller 1
  • New Virtual AD Controller
  • New Physical AD Controller 2
  • Lansweeper
  • Windows 7 Client
  • Windows 10 Client
  • SHARE1
  • SHARE2
  • SHARE3

Following the updates to the Active Directory, a Best Practices document will be created and will be checked semi-annually to verify any best practices that need to be updated and implemented.  Before implementing any changes with the AD, they will be verified in the mirrored setup using Hyper-V.

How to fix CURL call importing an RSS feed on a site blocking CURL calls

There is a 3rd party service provider that my organization uses called bibliocommons.  They have these nice book carousels.  However the car...