Symptoms: After you finished deploying your Hyper-V server but in this case without the Server connected to the Internet and time is configured properly.
After you have created and configured new VMs and installed them, when you connect your physical Hyper-V host server to the Internet you notice the time changed and your VMs become inaccessible for certificate issue..
here’s the error and how to fix it.
3- EXCHANGE_OI on HASIMI NODE2 –
Action
Media Clipboard View Help
Virtual Machine Connection
The application encountered an error while attempting
to change the state of •g- EXCHANGE 01
•3- EXCHANGE_OI’ could not initialize.
Could not initiallze machine remoting system. Error. •Element not
found.’ (000070490).
not find a usable cetificate. Element not found.’
(0000704″).
•3- EXCHANGE_OI’ could not initialize. (Virtual machine 10
B967FUc-20A2-43BD.83EE.99R321DCD55)
•3- EXCHANGE_OI’ could not initialize machine remoting system. Error:
‘Element not found.'(Ox8D070490). (Virtual machine ID
g967FUc.20A2-43gD.B3EE.g9A2321DCD55)
•3- EXCHANGE_OI’ could not find a usable certificate. Error: ‘Element not
Status: Off
found.’ (oxeoc70490). machine
B967FUc-20A2-a3BD-B3EE-99A2321DCD55)
@ Hide details
Close
Symptoms
If the Hyper-V Host Server doesn’t have internet and you have configured it after creating a VM then the server date will change and the self-signed certificate date will change as it won’t be verified by Hyper V manager and will cause launching the VM to fail to start.
Solution:
Delete old certificate and Create a new Self signed certificate.
To do so open MMC
Navigate to Certificates
In Certificates select Service Account
Choose local computer and click next
Then select the Hyper-V Virtual Machine Management Service account and open
Under the Personal, check the date of the certificate there ..
Delete the certificate
Open Service Console and restart all Hyper-V Services
Once the service is restarted, you’ll see a new certificate that has been automatically created
Now if you try to open the VM console again, it should work.
If you type your credentials, it most likely won’t connect and will keep prompting or will probably say that request is invalid!
Resolution:
What if we changed the RPC path from autodiscover to mail.demotesas.com? The authentication method might be the problem in this case as I am using a total different authentication methods for the mail and for autodiscover rules.
Once we publish the rule, we will have to check the result of the following link
In migration, Powershell can be a very crucial tool to achieve success and finalize projects within deadline or even fix issues.
During the time of working with Exchange we had lots of issues with users not able to send an email to their migrated colleagues due to some issues with contacts which was caused by the Legacy Exchange DN not being migrated with the user or lost due to some wrong deletion.
Once users try to send an email to that particular user with the missing Legacy Exchange DN. The receiving Exchange server will result an error and send it to the user as NDR message explaining to them that the error is due to not finding the particular address.
The solution to this particular problem is very simple especially if it’s couple of users however to resolve the address you’ll need to google and understand the language that Exchange server users to match the original used address in the missing user’s attributes.
The below script would work accordingly with whatever situation that faced me and it became very handy to me.
How to use:
1- Copy the script to a notepad and save as convert.ps1 on Desktop
2- Run script and try to type in powershell convert-X500 then hit enter.
3- Copy and paste the address you got from the error message above.
Once you copy and paste hit enter and you’ll get the final result
Note: Make sure you remove the @domain.local in the end
Function Convert-X500{ # Define the Legacy Exchange DN here
Write-Host “”Enter your X500 Address here…”” -ForegroundColor Green -BackgroundColor Black
$X500Source = read-host
# Converts the various strings to the proper syntax
$X500 = $X500Source.Replace(“_”, “/”)
$X500 = $X500.Replace(“+20″, ” “)
$X500 = $X500.Replace(“IMCEAEX-“, “”)
$X500 = $X500.Replace(“+28”, “(“)
$X500 = $X500.Replace(“+29”, “)”)
$X500 = $X500.Replace(“+2E”, “.”)
$X500 = $X500.Replace(“+5F”, “_”)
$X500 = $X500.Replace(“@YourDC.localHere“, “”)
Write-Host X500:$X500
This article presumes that you have setup all the initial steps for the Cross Forest migration to work:
– Configure DNS resolution and trust between two AD forests.
– Create and configure Send connector between Source.com and Target.com
– Create and configure Availability service between Source.com and Target.com
– Configure Source.com as accepted domain in blue.com
– Install and configure ADMT server at the target domain Target.com
– Install and configure Password Encryption Server (PES) on the source domain Source.com
– Configure MRSProxy on Source and Target CAS Servers (Enabling MRSProxy, Increase limits..etc.).
– Configured Public Certificates between both CAS Servers or installed self signed CA certs.
In order for two Cross forest Exchange users to send an E-mail to one another before or during Cross forest migration; Each forest have to have the other forest’s users as external contacts on their Exchange environment to ease the finding of any particular user in that other organization and avoid X500 errors after the migration.
During the migration this process is critical and very important to be up to date in order to not mess users included in distribution groups before, during and after user migration from source to target forests.
For Cross forest user migration, User has to be prepared via Microsoft’s own prepare-moverequest Powershell which is included in the $Exscript directory that prepares the target user’s attributes (Before or after ADMT copy) for the migration using the Powershell script new-moverequest.
However, before that user is migrated and before doing the prepare move request the user must have their user object mail user enabled in order to get all the proper attributes for the move request to work which means the Contact has to either be deleted or lose the SMTP which is goin to be enabled on the mail enabled user.
For this process and in a big environment a tool, 3rd party or a script must be used to hasten the migration of users otherwise it would take ages and would be a very problematic process.
User Creation:
Using ADMT then Prepare-Moverequest script
Starting with the creation of target user using ADMT or by Prepare-MoveRequest Script, If ADMT is used prior to PrepareMoveRequest. The target user will have exchange attributes migrated and mail-user enabled by default but due to some incomplete or incorrect attributes the user will most probably have a corrupted mail user object that needs to be disabled and re-enabled with the proper mail address.
Using Prepare-MoveRequest before ADMT
In the case of using Prepare-Moverequest the user will be created in the target forest properly without any issue but will not have their SIDHistory copied so after creation of the user account ADMT must be used to copy user’s SIDHistory with Exchange attributes excluded.
Note:
– This method has an advantage over using ADMT first, User don’t have to create a new outlook profile in order to use their target mailbox after migration.
– You don’t have to mailenable user.
Mail Enabling User:
The first step for the migration to work is to Mail enable user in the target forest. Assuming you have a user called Tim@source.com the user gets his AD Object copied to the target forest with ADMT and user gets his UPN changed from tim@source.com to tim@target.localautomatically, still user will get his SIDhistory and the Groups he’s in if groups are migrated prior to that however, in some rare cases that I have seen while doing this kind of project the SIDHistory might not get copied and you might not notice that unless you take a very close look at the log that ADMT is generating for you, In the script I am attaching below and prior to preparing the user for migration I added a script to bulk check user list for SIDHistory. The script below will disable mailuser that’s migrated with ADMT and show you their SIDHistory attribute in order to double check before you migrate their mailbox.
$Users = import-csv -path “C:\List\List1.csv”
foreach ($User in $Users)
{
$Identity = $User.Alias
$UIdentity = $User.Sam
$Mail = $User.Proxy
$NProxy = $User.NewProxy
#Before Migration, Show if user has SIDHistory or Not, If not don’t migrate User
Enable-Mailuser –Identity Tim –ExternalAddresstim@domain.com
In this case user will be ready for the prepare moverequest script to work and get his source Exchange attributes to be copied to the target one.
Prepare-MoveRequest for Single mailbox:
The Prepare-Moverequest powershell is pretty easy to use for a single user and all you need is to enter target and Remote credentials in a variable to use it with the command.
Once you use the script it’ll copy the source user and their Exchange attributes including Proxy Addresses, it’ll convert the LegacyExchangeDN into X500 address in the target user’s mailbox object so users in the source forest wont get any cache issue reaching to the migrated user and will set other attributes like Displayname, MailNickName..etc like in the screenshot below.
Once the list is ready and you run the powershell script the target CAS server would connect to the source CAS and start migration as in the following screenshot.
Once users migration is finished, On the source forest user will be converted to MailUser so non-migrated users in the source forest will still be able to send emails to this user however, The Groups on target forest must be manually maintained and updated with users that are being migrated.
– Contacts Issue
In the target forest those two migrated users were already contacts there prior to migrating them and thus Target forest users who have sent those two users email have the LegacyExchangeDN Address of those contacts cached in their Outlook in X500 format which will create an issue if those contacts are deleted without exporting their LegacyExchangeDN and add it to the migrated users’s ProxyAddress Attributes.
Prior to deleting those contacts, From the Target forest I have exported their info to CSV with the following attributes.
Name, Alias, PrimarySMTPAddress and LegacyExchangeDN Attribute using the following powershell script
The PowerShell will export contacts in the following format and in order to import them you’ll need to bulk edit the file using Notepad or Notepad++
In notepad replace “/o= with X500:/o=
and Replace all “ with nothing
After you save the file in the target forest, Only in the condition of migrating Source users to the target forest use the following script to Import those users’ LegacyExchangeDN as X500 to their migrated Mailbox objects.
Sometimes while we do Exchange projects in big environments where there more than 10 or 15 servers we need to quickly get a particular server’s hostname or IP.
I created a simple PowerShell script that does the work for you
#Get all mailbox Exchange Servers IP address remotely
#Import Exchange Management Shell if ran from PowerShell
In an Exchange Crossforest migration the distribution groups can be a very painful operation that would cause loss of time, lots of issues and continues headache if not solved within a timely manner.
The migration can be a long boring process that needs to be as accurate as possible to avoid any issue related to members in the group or/and Group’s Primary SMTP details.
While doing a Crossforest migration I came through through this headache and tried to seek a script that would satisfy my migration’s requirements but only thing I found is the exportPowershell made by Satheshwaran Manoharan.
Export Process:
The script exports all groups and their members from the source forest, but to import there’s no option and I had to write my own script.
To make use of this script first make sure you that you have migrated the Groups with ADMT in the recommended order otherwise the migration would be problematic.
First: Universal Groups
Second: Global Groups
Third: Domain Local Groups
Once groups are migrated to the target forest you can check how they look like through Exchange management shell and whether they have members added or SMTP address set.
After I checked it apparently shows that group is empty and has no Primary SMTP address associated with it.
Import Process:
In order to add members during the migration since this is a Hybrid/Coexistence migration not cutover, It took time to migrate users and therefore I have to add non-migrated users in target forest as External Contacts to the Distribution Groups and add migrated users as Mailbox users.
Then after adding the users I have to setup Primary SMTP address for the groups according to the exported CSV file from the Source Forest.
To Import users, I had to setup a CSV file with the following format:
In this format, the Display name, Alias, RecipientType and PrimarySMTPAddress belong to the User object that’s included in the group meanwhile, The Dgroup is the Distribution group’s Alias and DGSMTP is the Group’s Primary SMTP address.
The following script imports groups members to their relative groups
Since distribution groups are mostly imported without Primary SMTP address through ADMT then we’ll have to also make sure that we fix this for our groups, but what if the destination forest has similar groups or the SMTP is used already ? In order to avoid any mistake when associating the Primary SMTP address I have created a script that would check distribution groups with null value in their primary SMTP Address and copy the SMTP address to these groups avoiding any overwrite or change of the destination Distribution groups.
Write-Host Group $GroupAlias has $GroupSMTP Setup as primary SMTP -ForegroundColor Green -BackgroundColor Black }}
The script will check if the groups has primary SMTP matches the one in the CSV file, if it doesn’t it’ll setup the primary SMTP address for that group with green color like in the below screenshot
You can use this script with the same CSV file that you will use for adding members to the groups too , If groups SMTP exists already you’ll get the following error
Note:
Attached below, You can find the new version of the powershell and the CSV along with it.
In order to setup Squid Guard you should have two packages installed on your Pfsense for it to work properly.
First package should be Squid 3 (In case you’re publishing Exchange web services with it) or Squid if not.
Second Package would be Squid Guard-Squid3 for Squid 3 or in case you don’t have Squid 3 you can use the normal “Stable” Squid-Guard version for Squid.
Squid Package
In my case I am using Squid 3 because I use its reverse proxy to publish Exchange web services so I will install SquidGaurd-Squid 3 to configure its proxy server.
I already downloaded and installed it but If you didn’t do so then you will have to navigate to >System > Packages >Available Packages and there you can find it and install it.
From the Services Menu drop down you will find those 3 below (Proxy Filter, Proxy Server and Reverse Proxy)
First I will go to Proxy Server tick which Interfaces I want to enable the proxy on (LAN, DMZ) and Enable “Transparent Http Proxy” and “Allow users on interface” in the General tab page
If you scroll down you will find “Logging Settings” and other options that you don’t need to enable. Logging is required mostly for troubleshooting times.
Next I will go to “Local Cache” tab and change the Squid Hard Disk cache Settings in order to take more than 100 mb. I will make it 5000mb which is 5 GB to make internet browser faster for users who visit the same websites often.
After that you don’t need to do anything except saving changes in the end of the page below
Go to “ACLs” page and enable the Local networks that I have, I will write them in the “Allowed subnets” section and save the page.
I am finished with the Proxy Server settings, I will go to Proxy Filter and I will scroll down to the end of the page to Enable Blacklist option and paste the link below then click Save to save the changes
When I finish downloading I will go to “Common ACL” tab page and configure the Rules there which we have downloaded. As you can see below I have everything already configured but in order for you to configure it you will have to press on the > Green Start button first of all
After you press on the Green button It will show you the rules that you want to configure. I have already configured (Alcohol, Deny, Gambling, Hacking, Social net)…
Then next I will configure the Redirect mode and type my own customized message that will appear to the clients behind Pfsense and use safeSearch.
When done I will save this page and go to the General tab page and will click on Apply all changes and save the page.
Note:
you should see that SafeGuard service state “Started” in order for it to work. If for any reason the service is not started try to navigate to >Status > System logs and check your logs here if there’s anything related to SafeGaurd or Squid.
Now I will go to the Client and check if my client with “Pfsense as their default gateway” will respond to the Safe Guard rules or not.
I tried opening Facebook or Twitter but both are not working and they gave me the same message which I have customized in Pfsense.
Over all this had been easy setup and everything works perfectly
This page will guide you through the steps of publishing Microsoft Exchange web services on Pfsense’s last version 2.1.5. If you don’t have it already installed, you can check out my guide on how to install Pfsense and prepare it on your environment.
Note:
Before starting you must know that if you’re going to use the same Public IP (WAN) for Pfsense for Exchange Web service then you must set Pfsense to use a non-standard HTTP/HTTPS port.
First thing, we will have to install Squid3 plugin to Pfsense
Installing Package
I will click on the Plus sign + next to the Squid3 package to install it.
Now I will go to the Reverse proxy after I check if it’s installed on the Services Menu
Will have to export the Certificate from our Exchange and import it to the Certificate store in Pfsense.
I’ll click on the + on the CAs to import the Certification Authority root certificate
I opened the CA certificate in Notepad++ and copied it all then give it a name and clicked on Save
After clicking on Save here is what I got.
Add the Exchange’s personal certificate and Key and use Digicert’s tool to export the key as in the following screenshot
Now I’ll go back to Pfsense’s portal to the Certificate section to add the Exchange’s certificate, I will go to Certificates tab and click on the + sign to add the cert.
I will paste the certificate data and the key as well and save.
I added the Cert’s code data and the cert’s Key as well, and after I clicked on Save here’s what it looks like.
Now I will go on the reverse proxy tab and configure it for Exchange. First thing I should do is Enable HTTP and HTTPS ports and choose the certificate for Exchange.
NOTE: placing the standard ports e.g. (80, 443) for http and https might work in earlier versions of Pfsense like 1.5 and 2.0 but not 2.1 and 2.2, in order for the reverse proxy to work on the new versions you’ll have to use the port field empty if you decide to use the standard ports.
Here I have enabled all the ports and choose the right certificate, I will also import the Intermediate certificate in case it was needed.
I will go back to the Exchange Server where I have all the certificates and export the Intermediate Certificate
In order to know the intermediate Certificate, I will go to the MMC and click on the personal certificate and check it’s path.
I will double click on the certificate and check its certification path
Opening the Intermediate certificate store.
I will use MMC Wizard to export the Certificate with Base 64 Encoded option.
After I exported
Now I will enable OWA and fill the information related to it as following.
Next I will go to the firewall (NAT) part to configure the required ports and IPS. Click on Firewall tab and NAT
I will only need to configure the port 25 and 443 since I have a certificate already and want to use HTTPS instead of http.
Here ıs what my firewall looks like right now.
Note: On Exchange server the default gateway should be the LAN IP of the Pfsense or at least there should be a persistent route to the local IP of Pfsense.
I will save this rule and check if I can browse to OWA from my browser, note that I am connecting remotely and I have Exchange server hosted on hyper V from a different place.
WHOA, It works without any issues but still I’ll sign in and make sure I can still login without any problem.
Now I will check if I can send e-mail back and forth to Gmail and Exchange. starting by sending an e-mail from Exchange. I can get an e-mail to Gmail.
Now I am replying the e-mail from Gmail to Exchange.
In this tutorial. I will integrate my Active directory with Pfsense in order to authenticate Users from Active directory instead of using Pfsense’s User manager.
The process will give you more options and will make managing users much easier. so in order to do that follow the following steps.
First open your Pfsense Web UI and click on System – > user manager
Next go to Servers Tab
Click + in the right corner
After you click on the + icon you will get the following page.
Fill these details accordingly, for help on how to fill these in check the below snapshot
Note: Make sure that your password is simple and contains only letters, no numbers or special characters e.g. Pfsense
When done click on Select and the result will be that you will be able to view the following OU/CN.
Now create a group on AD e.g. “PF” and create the same identical group name on Pfsense. On AD add any user to this group.
Then go back to pfsense – > system – > user manager -> goto Settings Tab – > from Authentication server select your AD and save
Now click on Diagnostic -> Authentication -> select your AD server
Type in your username and password for the user which you have added to the group pf in the AD and click test then you will see the result on top. “User: Pfsense authenticated successfully. this user is a member of these groups: pf
Hope this will help you find your way through Pfsense. 🙂
ERROR: No digital signature! If you are *SURE* you trust this PBI, re-install with –no-checksig option.
of squidguard-squid3-1.4_4-amd64 failed!
Installation aborted.Removing package…
Starting package deletion for squidguard-squid3-1.4_4-amd64…done.
Removing squidGuard-squid3 components…
Tabs items… done.
Menu items… done.
Services… done.
Loading package instructions…
Include file squidguard.inc could not be found for inclusion.
Deinstall commands…
Not executing custom deinstall hook because an include is missing.
Removing package instructions…done.
Auxiliary files… done.
Package XML… done.
Configuration… done.
done.
Failed to install package.
Installation halted.
Reasons: as it indicates in the error above the reason why the package is not installed is due to not being digitally signed which might be something related to the new version.
Resolution:
In order to resolve this issue and successfully install SquidGaurd you will have to connect to your Pfsense from SSH (SSH Must be enabled and firewall rule must be configured) and do the following in order to install it by ignoring the Digital signature check.