Exchange. Change TimeZone via PowerShell.

Due to many requests about time zone settings in Exchange, I decided to share an additional solution.
As you may know from the previous post, DST has been cancelled for the AZT time zone.

Exchange doesn’t use your computer’s time settings for mailboxes, so when you switch DST off on your server, OWA will ignore this and the time will be shifted by one hour for web clients.
To avoid the problem with OWA and your web calendar, use the following command:

This gets all mailboxes with the AZT time zone and changes it to Arabian Standard Time.
You should change it back once Exchange updates its time zone database.
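
An added example (not the author's original command) of the change described above, for the Exchange Management Shell. It goes one step further than the text by recording every mailbox it touches so the change can be reverted later; the function names and CSV path are assumptions, and the time zone values are the Windows IDs for AZT and Arabian Standard Time.

```powershell
# Added example: run in the Exchange Management Shell.
# Assumptions: function names and $LogPath are hypothetical; the time zone
# values are the Windows IDs for AZT and Arabian Standard Time.
$LogPath = 'C:\Temp\tz-changed-mailboxes.csv'

function Set-AztMailboxTimeZone {
    param(
        [string]$From = 'Azerbaijan Standard Time',
        [string]$To   = 'Arabian Standard Time'
    )
    $changed = @(foreach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
        $cfg = Get-MailboxRegionalConfiguration -Identity $mbx.DistinguishedName
        # Only touch mailboxes that are explicitly set to the old zone.
        if ([string]$cfg.TimeZone -eq $From) {
            Set-MailboxRegionalConfiguration -Identity $mbx.DistinguishedName -TimeZone $To
            [pscustomobject]@{
                Identity    = $mbx.DistinguishedName
                OldTimeZone = $From
                NewTimeZone = $To
            }
        }
    })
    # Keep a record so the change can be undone for exactly these mailboxes.
    $changed | Export-Csv -Path $LogPath -NoTypeInformation -Encoding UTF8
    return $changed
}

function Restore-MailboxTimeZone {
    # Revert once Exchange ships the updated time zone database.
    Import-Csv -Path $LogPath | ForEach-Object {
        Set-MailboxRegionalConfiguration -Identity $_.Identity -TimeZone $_.OldTimeZone
    }
}

Set-AztMailboxTimeZone | Format-Table -AutoSize
```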

Microsoft will distribute the DST patch approximately with the regular “Second Tuesday Update” in May.

Change TimeZone and DST setting via Group Policy. Step-by-Step Guide.

Dear colleagues from Azerbaijan, time will no longer be adjusted to summer time, and probably no OS vendor will publish a new time zone file this month.
To change the time on all computers we need to create a GPP and apply it to all computers (we could create a script that uses tzutil.exe, but legacy systems lack this tool).
First, please apply my registry file; it sets AZT time with Daylight Saving off.
Let’s create our policy with the Registry Wizard; start gpmc.msc.
Open the key that you imported:

Select the key and all its values.

Copy DisableAutoDaylightTimeSet (right-click -> Copy -> Paste) from this GPP, then edit it and change the action from Update to Create for one of the keys.

The policy is ready and you can deploy it to your computers.
There is one thing to know, though: the time settings are applied only when the Windows Time service (W32Time) reloads its configuration. To force a reload of the time configuration you can use PsExec (from the Sysinternals suite; you can download it directly from here or from the Microsoft site) to run ‘net stop w32time && net start w32time’.
I can’t run the following command from my DC because of an exception:

Therefore, the following script will be executed from PowerShell with the AD modules installed:
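
An added example (not the author's script) of such a run: it restarts W32Time through PsExec on every enabled computer in AD and records which machines were offline, so they can be revisited later. The PsExec path and report path are assumptions.

```powershell
# Added example. Requires the ActiveDirectory module and PsExec.
# Assumptions: $PsExec and $Report are hypothetical paths.
Import-Module ActiveDirectory
$PsExec = 'C:\Tools\PsExec.exe'
$Report = 'C:\Temp\w32time-restart.csv'

$results = foreach ($c in (Get-ADComputer -Filter 'Enabled -eq $true')) {
    $name = $c.DNSHostName
    if (-not $name) { $name = $c.Name }

    if (-not (Test-Connection -ComputerName $name -Count 1 -Quiet)) {
        # Offline machines are listed so they can be revisited later.
        [pscustomobject]@{ Computer = $name; Status = 'offline' }
        continue
    }

    # Same command as in the text, run remotely as SYSTEM.
    & $PsExec -accepteula "\\$name" -s cmd /c 'net stop w32time && net start w32time' 2>$null | Out-Null
    $status = if ($LASTEXITCODE -eq 0) { 'restarted' } else { "failed (exit $LASTEXITCODE)" }
    [pscustomobject]@{ Computer = $name; Status = $status }
}

$results | Export-Csv -Path $Report -NoTypeInformation
$results | Group-Object Status | Select-Object Name, Count
```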

As you may know, the Kerberos protocol uses timestamps when generating tickets, and the maximum time skew between a DC and a computer is 5 minutes by default. To avoid problems with machines that are offline now, you can temporarily change this setting to 65 minutes and revert it once all your computers have pulled your latest GPO.
You can change the default setting in the “Default Domain Policy” or create your own policy (but make its policy precedence order lower if you create a new policy).

P.S. You can adjust all settings via PowerShell; the only reason I use PsExec is to execute the command across all devices, including legacy computers without PowerShell.

Have nice holidays!

Mount Windows CIFS share to *nix servers using KERBEROS auth. Step-by-Step.

In my example I will use Kerberos to authenticate my Linux server against Active Directory and use these credentials to access a CIFS share.
My lab:

dc02.digitalbears.net - Domain controller
lpi2.digitalbears.net - Linux (CentOS 7)

First we need to create an object in AD that we will use for authentication. We could create a machine account in AD, but you would have to regenerate the key when your machine changes its password (you can’t set “password never expires” for a computer object). To avoid this, we will create a user object in AD.

We will use the user lpi@digitalbears.net created in AD.
You should add an SPN to this account for the Linux server with FQDN lpi2.digitalbears.net (it is a kind of delegation that allows your lpi2.digitalbears.net host to get a Kerberos Ticket Granting Service ticket on behalf of the lpi@digitalbears.net user account).

To do this, run the following from a Windows machine with AD permissions:

Now you need to generate the keytab file that you will use on the CentOS server. Do it in the same cmd.exe\powershell.exe session:

Pass: the password for lpi@digitalbears.net
princ: “host” covers many services, and CIFS is one of them; “lpi2.digitalbears.net” is my Linux server’s FQDN; “@DIGITALBEARS.NET” is my domain name (must be specified in uppercase)
mapuser: the user name that will be used to generate the keytab
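
An added example (not the author's original commands) of the two Windows-side steps, SPN registration and keytab generation, using the names from the lab above. The AES256 encryption type and the ACL tightening are choices made for this example; the page does not say which options the author used.

```powershell
# Added example: run in an elevated PowerShell session on a domain member
# with the ActiveDirectory module and RSAT tools (setspn.exe, ktpass.exe).
# Names come from the lab above; /crypto, Set-ADUser and the icacls step
# are this example's own choices, not taken from the page.
$User   = 'lpi'
$Domain = 'digitalbears.net'
$Fqdn   = "lpi2.$Domain"
$Realm  = $Domain.ToUpper()          # the realm must be uppercase
$Keytab = 'C:\krb.keytab'

# 1. Register the SPN. -S refuses to add it if another account already
#    holds the same SPN (duplicate SPNs cause Kerberos failures).
setspn -S "host/$Fqdn" $User

# 2. Enable AES256 for the service account instead of RC4/DES.
Set-ADUser -Identity $User -KerberosEncryptionType AES256

# 3. Generate the keytab. '/pass *' prompts for the account password
#    instead of leaving it in the command history.
ktpass /princ "host/${Fqdn}@${Realm}" /mapuser "${User}@${Domain}" `
       /pass * /ptype KRB5_NT_PRINCIPAL /crypto AES256-SHA1 /out $Keytab

# 4. The keytab is equivalent to the account's password: restrict it to
#    the current user before copying it to the Linux host.
icacls $Keytab /inheritance:r /grant:r "${env:USERNAME}:F"

# 5. Confirm what is now registered on the account.
setspn -L $User
```

Copy the keytab over an encrypted channel and delete the Windows copy once it is in place on the Linux server.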

Now transfer C:\krb.keytab to lpi2.digitalbears.net, then from an SSH console:

Paste the following information, but replace DIGITALBEARS.NET with your domain name in uppercase and digitalbears.net with your domain name in lowercase

Save these changes.
Check that no Kerberos tickets are present on the system:

Then generate a Kerberos ticket using your keytab file. (You can remove your ticket by running the kdestroy command.)

You can see that the Kerberos ticket is imported, and now we are ready to mount:

You are done; you can access this shared folder with the permissions that the admin set up for the user lpi@digitalbears.net on this folder.

Capture network traffic from Windows without Netmon or Wireshark.

Here is a way to capture traffic on Windows computers without Netmon or Wireshark.
Of course you can install any traffic sniffer in a minute, but assume that you have a production server and policy does not allow installing additional software on it.

Like tcpdump on Linux, you can run the following program from cmd.exe

Then open the generated ETL file in Network Monitor.
You should set the “Windows” parser to make your data readable.
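
An added example (not the author's original command), assuming the built-in netsh trace facility, which writes the kind of ETL file opened in Network Monitor above. The output folder, size cap and capture window are assumptions.

```powershell
# Added example: run from an elevated PowerShell prompt (4.0 or later for
# Get-FileHash). Assumptions: $OutDir, the 200 MB cap and the 60-second
# window are hypothetical values chosen for illustration.
$OutDir = 'C:\Temp'
$Etl    = Join-Path $OutDir ("capture-{0}-{1:yyyyMMdd-HHmmss}.etl" -f $env:COMPUTERNAME, (Get-Date))

# Start a bounded capture: a circular file so the disk cannot fill up.
netsh trace start capture=yes "tracefile=$Etl" maxsize=200 filemode=circular overwrite=yes
if ($LASTEXITCODE -ne 0) { throw "netsh trace start failed ($LASTEXITCODE)" }

try {
    Start-Sleep -Seconds 60          # reproduce the problem in this window
}
finally {
    # Always stop the session; a forgotten trace keeps capturing traffic.
    netsh trace stop
}

# Record a hash so the file analysed later is the one captured here.
Get-FileHash -Path $Etl -Algorithm SHA256 | Format-List Path, Hash
```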

P.S. MS does not recommend installing Wireshark because it creates a filter on NDIS.

Hyper-V/SCVMM. How to enable NPIV to support Virtual SAN switch on converged Emulex adapter.

On an HP BL460 G9 running an Emulex 650FLB you cannot create a virtual SAN because NPIV is disabled by default.

To solve this problem, download the HP ProLiant Converged Network Utility.

After installation, run the command-line utility, which will enable NPIV support.

Now reboot the server to apply the changes.
