Force Apache2 to redirect from HTTP to HTTPS

Want to redirect requests for http://www.yoursite.com to https://www.yoursite.com?

Simply edit your httpd.conf file (or, if you are running Ubuntu or another distro that splits the httpd.conf file into multiple files, your /etc/apache2/sites-available/{yoursite} configuration file). If you are running a pretty standard Ubuntu install, the file is /etc/apache2/sites-available/default.

This technique still uses the rewrite engine (so you’ll need the mod_rewrite module), but it places the configuration in the httpd.conf file (or its equivalent) and out of the .htaccess file. There are many reasons you might want to do this, such as preventing it from being changed (many site configurations allow users to edit all .htaccess files but prevent them from editing the httpd.conf file) or preventing it from being overwritten by certain web application packages (many application packages, including WordPress and MediaWiki, employ custom .htaccess files to provide more friendly URLs).

The change is simple: in your httpd.conf file, change the following part of your virtual host section (the session below shows the file before and after the edit):

root@itdoc /etc/apache2# ls
apache2.conf  conf.d  envvars  magic  mods-available  mods-enabled  ports.conf  sites-available  sites-enabled
root@itdoc /etc/apache2# cd sites-enabled/
root@itdoc apache2/sites-enabled# ls
phpmyadmin  wordpress
root@itdoc apache2/sites-enabled# ls -lt
total 0
lrwxrwxrwx 1 root root 29 Oct 16  2013 phpmyadmin -> ../sites-available/phpmyadmin
lrwxrwxrwx 1 root root 28 Oct 16  2013 wordpress -> ../sites-available/wordpress
root@itdoc apache2/sites-enabled# cat wordpress
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
UseCanonicalName Off
ServerAdmin  webmaster@localhost
DocumentRoot /var/www/wordpress
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
ServerAdmin  webmaster@localhost
DocumentRoot /var/www/wordpress
</VirtualHost>

<Directory /var/www/wordpress>
Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
</Directory>
root@itdoc apache2/sites-enabled# nano wordpress
root@itdoc apache2/sites-enabled# /etc/init.d/apache2 restart
[....] Restarting web server: apache2apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
 ... waiting apache2: Could not reliably determine the server's fully qualified domain name, using 127.0.1.1 for ServerName
. ok
root@itdoc apache2/sites-enabled# cat wordpress
NameVirtualHost *:80
NameVirtualHost *:443

<VirtualHost *:80>
#    UseCanonicalName Off
#    ServerAdmin  webmaster@localhost
#    DocumentRoot /var/www/wordpress
RewriteEngine on
ReWriteCond %{SERVER_PORT} !^443$
RewriteRule ^/(.*) https://%{HTTP_HOST}/$1 [NC,R,L]
</VirtualHost>

<VirtualHost *:443>
SSLEngine on
SSLCertificateFile /etc/ssl/certs/cert.pem
ServerAdmin  webmaster@localhost
DocumentRoot /var/www/wordpress
</VirtualHost>

<Directory /var/www/wordpress>
Options +FollowSymLinks
AllowOverride All
order allow,deny
allow from all
</Directory>

Managing Certificates using Powershell

Because of my recent work with ADFS, I was looking for a way to automate most of the certificate configuration with scripts. The run-books I write would usually include the use of the MMC and a bunch of screenshots to accompany them.

The answer is that PowerShell management for certificates is there, and here are some examples:

 

#Powershell exposes certs under cert:\
PS C:\> Get-PSDrive
Name       Used (GB)  Free (GB)  Provider     Root                CurrentLocation
----       ---------  ---------  --------     ----                ---------------
A                                FileSystem   A:\
Alias                            Alias
C              14.37      45.29  FileSystem   C:\
Cert                             Certificate  \
D                                FileSystem   D:\
Env                              Environment
Function                         Function
HKCU                             Registry     HKEY_CURRENT_USER
HKLM                             Registry     HKEY_LOCAL_MACHINE
Variable                         Variable
WSMan                            WSMan
PS C:\> cd cert:
PS Cert:\> dir localmachine
Name : TrustedPublisher
Name : ClientAuthIssuer
Name : Remote Desktop
Name : Root
Name : TrustedDevices
Name : CA
Name : REQUEST
Name : AuthRoot
Name : TrustedPeople
Name : My
Name : SmartCardRoot
Name : Trust
Name : Disallowed
Name : AdfsTrustedDevices

#Browsing through the stores is pretty intuitive
PS Cert:\> dir Cert:\LocalMachine\My
Directory: Microsoft.PowerShell.Security\Certificate::LocalMachine\My
Thumbprint                                Subject
----------                                -------
E31234DEF282437D167A64FD812342B650C20B42  CN=XXXXa
8912343319B07131C8FD1234E250DC67CBE08D7A  CN=XXXX
69AD2C21912340919D186503631234A6F0BE9F7F  CN=*.xxx.ca,XXX..

#Exporting a cert is something a little less intuitive
PS Cert:\> $ExportCert = dir Cert:\LocalMachine\Root | where {$_.Thumbprint -eq "892F212349B07131C12347F8E250DC67CBE08D7A"}
PS Cert:\> $ExportCryp = [System.Security.Cryptography.X509Certificates.X509ContentType]::pfx
PS Cert:\> $ExportKey = 'pww$@'
PS Cert:\> $ExportPFX = $ExportCert.Export($ExportCryp, $ExportKey)
PS Cert:\> [system.IO.file]::WriteAllBytes("D:\Temp\CertToExportPFXFile.PFX", $ExportPFX)

#same mess for importing
# Define The Cert File To Import
$CertFileToImport = "D:\Temp\CertToImportPFXFile.PFX"
# Define The Password That Protects The Private Key
$PrivateKeyPassword = 'Pa$$w0rd'
# Keep The Private Key In The Machine Key Store And Persist It; Without PersistKeySet
# The Key Container Is Removed When The Certificate Object Is Released
$KeyStorageFlags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::MachineKeySet -bor [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]::PersistKeySet
# Target The Cert That Needs To Be Imported
$CertToImport = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertFileToImport,$PrivateKeyPassword,$KeyStorageFlags
# Define The Scope And Certificate Store Within That Scope To Import The Certificate Into
# Available Cert Store Scopes are "LocalMachine" or "CurrentUser"
$CertStoreScope = "LocalMachine"
# For Available Cert Store Names See Figure 5 (Depends On Cert Store Scope)
$CertStoreName = "My"
$CertStore = New-Object System.Security.Cryptography.X509Certificates.X509Store $CertStoreName, $CertStoreScope
# Import The Targeted Certificate Into The Specified Cert Store Name Of The Specified Cert Store Scope
$CertStore.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
$CertStore.Add($CertToImport)
$CertStore.Close()

For import/export, I’d recommend using code from here: http://poshcode.org/?lang=&q=import%2Bcertificate
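
The same export and import can be done with the PKI module cmdlets, which take the PFX password as a SecureString instead of a literal in the script. This is an added example, not code from the original post; the function names are hypothetical, the thumbprint is a placeholder, and it assumes Windows 8 / Server 2012 or later and an elevated session.

```powershell
# Added example: PFX export/import without a plaintext password in the script.
# Export-CertToPfx and Import-PfxToStore are hypothetical helper names.

function Export-CertToPfx {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$Thumbprint,
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    # Thumbprints copied from the MMC often carry spaces or lower-case hex.
    $wanted = ($Thumbprint -replace '[^0-9A-Fa-f]', '').ToUpperInvariant()
    $cert = Get-ChildItem -Path $StorePath | Where-Object { $_.Thumbprint -eq $wanted }
    if (-not $cert) { throw "No certificate $wanted in $StorePath" }
    if (-not $cert.HasPrivateKey) {
        # A PFX without the private key is useless for a service such as ADFS.
        throw "Certificate $wanted has no private key in $StorePath"
    }
    # Export-PfxCertificate fails if the key was marked non-exportable.
    Export-PfxCertificate -Cert $cert -FilePath $PfxPath -Password $Password | Out-Null
    Get-Item -Path $PfxPath
}

function Import-PfxToStore {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory = $true)][string]$PfxPath,
        [Parameter(Mandatory = $true)][securestring]$Password,
        [string]$StorePath = 'Cert:\LocalMachine\My',
        [switch]$Exportable   # off by default: the imported key cannot be exported again
    )
    $params = @{
        FilePath          = $PfxPath
        CertStoreLocation = $StorePath
        Password          = $Password
    }
    if ($Exportable) { $params.Exportable = $true }

    $imported = Import-PfxCertificate @params
    foreach ($c in $imported) {
        if (-not $c.HasPrivateKey) {
            Write-Warning "Imported $($c.Thumbprint) but no private key came with it"
        }
    }
    $imported | Select-Object Subject, Thumbprint, NotAfter, HasPrivateKey
}

# Usage (interactive, so it is left commented out):
#   $pw = Read-Host -Prompt 'PFX password' -AsSecureString
#   Export-CertToPfx -Thumbprint '<THUMBPRINT-PLACEHOLDER>' -PfxPath 'D:\Temp\CertToExportPFXFile.PFX' -Password $pw
#   Import-PfxToStore -PfxPath 'D:\Temp\CertToImportPFXFile.PFX' -Password $pw
```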

 

ADFS Proxy Trust certificate on WAP doesn’t auto renew

Once upon a time, the Web Application Proxy (WAP) for ADFS started throwing errors.

The Remote Access Management console could not do much, complaining with the error “the operation stopped due to an unknown general error”, a really helpful message as always.

Looking at the logs, the WAP was also complaining about establishing its trust with the ADFS server.

Fairly enough, the ADFS proxy was also complaining about the trust, saying that the proxy trust certificate had expired.

Back to the WAP, and sure enough it was. However, from the GUI I could not find any way to recreate the trust and had to use my DuckDuckGo powers.

So I found that the wizard had to be tricked into reinitializing before doing anything, as described in http://channel9.msdn.com/Events/MEC/2014/USX305

HKLM\Software\Microsoft\ADFS\ProxyConfigurationStatus

We need to set the ProxyConfigurationStatus REG_DWORD to a value of 1 (meaning “not configured”) instead of 2 (“configured”). Once that change is made, re-open the GUI. No reboot is required.

The Remote Access Manager should now allow you to re-run the configuration wizard.

I still don’t know why it would not renew, but given that the certification of the trust goes by every 2 weeks, I will see pretty soon.
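
The registry change above, scripted together with a check for certificates in the machine store that are expired or about to expire. This is an added example, not code from the original post; the function names are hypothetical, and it assumes ProxyConfigurationStatus is a DWORD value under the HKLM\Software\Microsoft\ADFS key and that the script runs elevated on the WAP server.

```powershell
# Added example: inspect and reset the WAP configuration state described above.
# Assumption: the value ProxyConfigurationStatus lives under this key.
$AdfsKey   = 'HKLM:\SOFTWARE\Microsoft\ADFS'
$ValueName = 'ProxyConfigurationStatus'

function Get-ExpiringCertificate {
    # Lists certificates in a store that expire within $WithinDays (or already have).
    param(
        [int]$WithinDays = 14,
        [string]$StorePath = 'Cert:\LocalMachine\My'
    )
    $limit = (Get-Date).AddDays($WithinDays)
    Get-ChildItem -Path $StorePath |
        Where-Object { $_.NotAfter -le $limit } |
        Sort-Object NotAfter |
        Select-Object Subject, Thumbprint, NotBefore, NotAfter,
            @{ Name = 'Expired'; Expression = { $_.NotAfter -lt (Get-Date) } }
}

function Get-WapConfigurationStatus {
    # 1 = "not configured", 2 = "configured" (meanings as given in the post).
    $raw = (Get-ItemProperty -Path $AdfsKey -Name $ValueName -ErrorAction Stop).$ValueName
    $meaning = switch ($raw) {
        1       { 'not configured' }
        2       { 'configured' }
        default { 'unknown' }
    }
    [pscustomobject]@{ Value = $raw; Meaning = $meaning }
}

function Reset-WapConfigurationStatus {
    # Sets the value to 1 so the Remote Access Management wizard can be re-run.
    # Supports -WhatIf and prompts for confirmation before writing.
    [CmdletBinding(SupportsShouldProcess = $true, ConfirmImpact = 'High')]
    param()
    $current = Get-WapConfigurationStatus
    if ($current.Value -eq 1) {
        Write-Verbose 'Already marked as not configured; nothing to change.'
        return $current
    }
    if ($PSCmdlet.ShouldProcess("$AdfsKey\$ValueName", "Set to 1 (was $($current.Value))")) {
        Set-ItemProperty -Path $AdfsKey -Name $ValueName -Value 1 -Type DWord
    }
    Get-WapConfigurationStatus
}

# Usage (left commented out because it changes the registry):
#   Get-ExpiringCertificate -WithinDays 14
#   Get-WapConfigurationStatus
#   Reset-WapConfigurationStatus -WhatIf
```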

How to extend a volume on an IBM DS3400

I inherited an old array that seems easy to manage using a storage management suite called IBM DS Storage Manager.

I had to extend one of the volumes hosted on that box. So I started up the management GUI, found the box, the correct array, and volume (“Logical drive”), and expected to just right click and add capacity.

I could add disks, and hence capacity, to the array using the GUI, but could not find anything about extending the volume.

I had to use my favorite search engine, DuckDuckGo, and found out that this operation can only be performed from the shell, which is actually a special shell utility.

PS C:\Program Files (x86)\IBM_DS\client> .\SMcli.exe 172.17.1.114 -p $#$#@$password
Please type desired command.

show logicaldrive["COMPANY-FS2-F"]
;
VOLUME DETAILS

STANDARD LOGICAL DRIVES------------------------------

Logical Drive name: COMPANY-FS2-F

Logical Drive status: Optimal

Capacity: 557.793 GB
Logical Drive ID: 60:0a:0b:80:00:75:26:3d:00:00:01:c7:4d:9e:d3:d0
Subsystem ID (SSID): 0
Associated array: RAID5_ARRAY1
RAID level: 5

Drive type: Serial Attached SCSI (SAS)
Enclosure loss protection: No

Preferred owner: Controller in slot A
Current owner: Controller in slot A
Segment size: 128 KB
Capacity reserved for future segment size changes: Yes
Maximum future segment size: 2,048 KB
Modification priority: High
Read cache: Enabled
Write cache: Enabled
Write cache without batteries: Disabled
Write cache with mirroring: Enabled
Flush write cache after (in seconds): 10.00
Dynamic cache read prefetch: Enabled

Enable background media scan: Enabled
Media scan with redundancy check: Disabled

Pre-Read redundancy check: Disabled

After checking the details about the volume, I was able to extend the volume using:

set logicalDrive ["COMPANY-TOR-FS2-F"] addCapacity=500 GB;

show logicalDrive ["COMPANY-TOR-FS2-F"] actionProgress;
Logical Drive COMPANY-TOR-FS2-F
Action: Initialization
Percent Complete: 53%

When growing the volume, it does not tell you much. Be sure to use the other command to verify the status.

And if you are looking for more information, I found the CLI manual here and not on the IBM website.

 

Troubleshoot KMS

This is the recipe for a KMS activation. This should serve a minimum of 25 machines up to plenty.

You will need:

1 KMS server (aka kms)
1 network
1 or more servers to be activated
1 Volume Product Key for your server to be activated
1 working DNS

First of all, KMS uses DNS to find where the KMS server is. Do an nslookup to find out whether this is configured. Please note the address and port.

nslookup -type=SRV _vlmcs._tcp.domain.local
Server:  asterix.domain.local
Address:  172.24.1.20
_vlmcs._tcp.domain.local   SRV service location:
priority       = 0
weight         = 0
port           = 1688
svr hostname   = p1-kms1.domain.local
p1-kms1.domain.local       internet address = 172.24.5.126

Verify connectivity from the server to be activated to the KMS server using [address] and [port]

Do a

cscript.exe slmgr.vbs -dlv

to verify what you have. Expect the VOLUME_KMS_*_* channel.

Do a

cscript.exe slmgr.vbs -ato

to activate

And if you are looking for your keys (not the key for the KMS server, which you get from your MSFT licensing portal), go to TechNet: https://technet.microsoft.com/en-us/library/jj612867.aspx
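
The DNS lookup, connectivity test and channel check from the steps above, combined into one script. This is an added example, not code from the original post; the function names are hypothetical, and it assumes Resolve-DnsName and Test-NetConnection are available (Windows 8.1 / Server 2012 R2 or later) and that slmgr.vbs sits in its default System32 location.

```powershell
# Added example: KMS discovery and reachability check from the client side.
# Test-KmsDiscovery and Get-KmsClientChannel are hypothetical helper names.

function Test-KmsDiscovery {
    [CmdletBinding()]
    param(
        # DNS domain to query, e.g. 'domain.local' as in the nslookup above.
        [Parameter(Mandatory = $true)][string]$DnsDomain
    )
    $srvName = "_vlmcs._tcp.$DnsDomain"
    # The answer can also contain A records for the targets; keep only the SRV entries.
    $records = Resolve-DnsName -Name $srvName -Type SRV -ErrorAction SilentlyContinue |
        Where-Object { $_.Type -eq 'SRV' }
    if (-not $records) {
        Write-Warning "No SRV record for $srvName; clients cannot auto-discover a KMS host."
        return
    }
    # Lowest priority is tried first; a higher weight wins within the same priority.
    $ordered = $records | Sort-Object -Property Priority, @{ Expression = 'Weight'; Descending = $true }
    foreach ($r in $ordered) {
        $tcp = Test-NetConnection -ComputerName $r.NameTarget -Port $r.Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            KmsHost       = $r.NameTarget
            Port          = $r.Port
            Priority      = $r.Priority
            Weight        = $r.Weight
            RemoteAddress = $tcp.RemoteAddress
            TcpReachable  = $tcp.TcpTestSucceeded
        }
    }
}

function Get-KmsClientChannel {
    # Runs "slmgr.vbs -dlv" and reports whether a VOLUME_KMS channel is installed.
    $slmgr  = Join-Path -Path $env:windir -ChildPath 'System32\slmgr.vbs'
    $output = & cscript.exe //NoLogo $slmgr -dlv
    $line   = $output | Where-Object { $_ -match 'VOLUME_KMS' } | Select-Object -First 1
    [pscustomobject]@{
        IsKmsChannel = [bool]$line
        MatchedLine  = $line
    }
}

# Usage (left commented out; run on the server to be activated):
#   Test-KmsDiscovery -DnsDomain 'domain.local' | Format-Table -AutoSize
#   Get-KmsClientChannel
#   cscript.exe slmgr.vbs -ato    # only once both checks pass
```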

Comparing the free load balancers – VPX express, LoadMaster

I am looking for free load balancing solutions for lab or perhaps tiny production systems. Can you help me fill in the blanks and perhaps recommend others?

 

Features                                   | Citrix VPX express    | Kemp Free loadmaster                | Some open source
-------------------------------------------+-----------------------+-------------------------------------+-----------------
Virtual appliance                          | Yes                   | Yes                                 |
Balancer Throughput (L7)                   | Up to 5Mbps           | Up to 20Mbps                        |
TLS (SSL) TPS License (2K Keys)            | Up to                 | Up to 50                            |
Layer 4 concurrent connections             |                       | Up to max’d memory                  |
Max Servers / Virtual Clusters             |                       | 1000/256                            |
GSLB Multi-Site Load Balancing             |                       | Yes                                 |
Support                                    |                       | Community                           |
Layer 4/7 Load Balancing                   |                       | Yes                                 |
Web Application Firewall Pack (AFP)        |                       | Yes                                 |
Content Switching                          | Yes                   | Yes                                 |
Caching, Compression Engine                |                       | Yes                                 |
IPS (SNORT-Rules compatible)               |                       | Yes                                 |
L7 Cookie Persistence (Active/Passive)     |                       | Yes                                 |
Templates for major application workloads  |                       | SPS2013, SfB, EXC2013, ADFS v3      |
Active/Hot-standby Redundant Operation     |                       | No                                  |
IPSec Tunnels                              | Yes – up to 5 users   | Yes                                 |
Licensing Mechanism                        | 1 year – manual renew | Online – auto renewal every 30 days |
URL rewrite                                | Yes                   | Yes                                 |
Footprint                                  | 200Mb                 | 70Mb                                |

Get a List of All Useless Group Policy Objects

I have another problem today. The problem is that the previous Group Policy administrator had no strategy. I have been the chosen one to clean up our Group Policy strategy. As a result, there are a bunch of Group Policy objects (GPOs) that go nowhere or do nothing.

I had noticed this article by the PowerShell guys, but it looked utterly complex.

import-module grouppolicy 
 
function IsNotLinked($xmldata){ 
    If ($xmldata.GPO.LinksTo -eq $null) { 
        Return $true 
    } 
     
    Return $false 
} 

Function IsEmpty($xmldata){
    If ($xmldata.GPO.Computer.VersionDirectory -eq 0 -and $xmldata.GPO.User.VersionDirectory -eq 0) { 
        Return $true 
    } 
     
    Return $false 
}
 
$unlinkedGPOs = @() 
$emptyGPOs = @() 

#Search for NotLinked GPOs
Get-GPO -All | ForEach { $gpo = $_ ; $_ | Get-GPOReport -ReportType xml | ForEach { If(IsNotLinked([xml]$_)){$unlinkedGPOs += $gpo} }} 
 
If ($unlinkedGPOs.Count -eq 0) { 
    "No Unlinked GPO's Found" 
} 
Else{
	$unlinkedGPOs | Select DisplayName,ID | ft 
	$unlinkedGPOs | backup-GPO -path S:\ActiveDirectory\GPOBackups | select DisplayName,GpoID, BackupDirectory | ft
	$unlinkedGPOs | remove-gpo -Confirm
}

#Search for Empty GPOs
Get-GPO -All | ForEach { $gpo = $_ ; $_ | Get-GPOReport -ReportType xml | ForEach { If(IsEmpty([xml]$_)){$emptyGPOs += $gpo} }} 

If ($emptyGPOs.Count -eq 0) { 
    "No Empty GPO's Found" 
} 
Else{
	$emptyGPOs | Select DisplayName,ID | ft 
	$emptyGPOs | backup-GPO -path S:\ActiveDirectory\GPOBackups | select DisplayName,GpoID, BackupDirectory | ft
	$emptyGPOs | remove-gpo -Confirm
}

It is meant to be used simply to get an output list, or uncomment the warranty info and backup and then delete the nasty stuff.

DisplayName                                                 Id
-----------                                                 --
Disable Outlook Cache                                       7aca484c-ebcd-4779-9bc8-b2fb8e7302d1
Turn Outlook Junk Mail Filter Off                           de14544c-39be-444f-ac53-089ca0bc65a8
Microsoft Office Trust Centre                               ed6fb632-fdd2-4718-96b0-b3981b4145bd

DisplayName                                                 Id
-----------                                                 --
Portal Home page — mandatory                               bbc9efe7-05c3-4187-92ac-948772f50bf8

Please note that the GPO backup ID returned by Backup-GPO is not the GPO ID!

Extending the AD delegation wizard

I found myself trying to reorganize IT teams while focusing on security – also because there was no time to analyze logs to see who did what.

AD permissions can be tweaked to infinity and beyond, while most of the time IT shops just use the same permission roles. That’s when I noticed that the default delegation wizard did not offer many of those roles.

The default settings will only describe 13 “roles”. Microsoft documents how to extend this to 70 common roles here with the infamous appendix O. The article points to C:\%WINDIR%\inf which is fine for Windows Server 2003 I think. Anything above will be in c:\%WINDIR%\system32 directly. You can obviously tweak it to your liking and follow the other infamous kb 308404.

Once you have that it should be easier to delegate security by roles.

This said, you will still need tools to find out what the current permissioning is and how to clean it.  My favorite, Liza, is a free tool for Active Directory environments which allows you to display and analyze object rights in the directory hierarchy.

With the CLI, the assigned permissions can be displayed in the form of access control entries (ACEs) with the command-line tool DSREVOKE, which can remove them too.

The more traditional dsacls or ADUC should do the trick but are way less intuitive.

Microsoft also lists some of them here.

HP Comware 5500 Initial Config and Essentials

#go to conf

system-view

System View: return to User View with Ctrl+Z.

#Set the hostname

sysname TT-SWCR-1

#Time settings

ntp-service unicast-server 192.168.1.8

ntp-service unicast-server 192.168.1.5
clock timezone EST minus 4:00:00
clock summer-time EDT repeating 02:00:00 2012 March second Sunday 02:00:00 2012 November first Sunday 02:00:00

#logging to Alienvault

info-center loghost 192.168.1.247

#snmp

snmp-agent community write your_snmp

snmp-agent sys-info contact "IT Infrastructure"

snmp-agent sys-info location "Server Rack 9th Floor"

#enable snmpv2

snmp-agent sys-info version v2c

#Set up some access

header motd %

#######################################################################

# Authorised Users Only

# Property of Yours Ltd. All unauthorized access will be prosecuted.

# If you are not authorized to access this device,

# please disconnect immediately. Your activities are

# monitored for security reasons.

########################################################################

%

#Create users and security

[TT-SWCR-1]local-user manager

[TT-SWCR-1-luser-manager]password simple epl$#hp1w

[TT-SWCR-1-luser-manager]service-type ssh

[TT-SWCR-1-luser-manager]authorization-attribute level 3

#Crypto

public-key local create rsa

ssh server enable

#no telnet

user-interface vty 0 4

authentication-mode scheme

protocol inbound ssh

#Do some verification

#[TT-SWCR-1]display ssh server status

# SSH server: Enable

# SSH version : 1.99

# SSH authentication-timeout : 60 second(s)

# SSH server key generating interval : 0 hour(s)

# SSH authentication retries : 3 time(s)

# SFTP server: Disable

# SFTP server Idle-Timeout: 10 minute(s)

user-interface aux 0

[TT-SWCR-1-ui-aux0]idle-timeout 10

#Enable Network features

stp enable

#enable dhcp-snooping only if it is configured properly; otherwise it can block DHCP relay

#create vlan and interface

[]vlan 99

[vlan 99]name 99-mgmt

[vlan 99]quit

[] interface vlan-interface 99

[interface vlan-interface 99]ip address 10.80.99.10 255.255.255.0

[]quit

#configure a port as trunk for all vlans

[]int ten 1/0/29
port link-mode bridge
port link-type trunk
port trunk permit vlan all

#OR do a LACP group – dynamic is important for inter-make connection such as comware/procurve

interface Bridge-Aggregation10

description LACP to old Core

link-aggregation mode dynamic

#then put the interface inside

interface GigabitEthernet1/0/10
port link-aggregation group 10

#only then configure the trunk type and so on

[TT-SWCR-1-Bridge-Aggregation10]port link-type trunk
[TT-SWCR-1-Bridge-Aggregation10]port trunk permit vlan all

Please wait........................................ Done.

Configuring GigabitEthernet1/0/10........................................ Done.

Configuring GigabitEthernet1/0/11........................................ Done.

Configuring GigabitEthernet2/0/10........................................ Done.

Configuring GigabitEthernet2/0/11........................................ Done.

#if all is OK, the flag will be ACDEF on Comware and the partner will show as Yes on ProCurve

#Verify trunk and LACP

[TT-SWCR-1]display link-aggregation verbose

Loadsharing Type: Shar -- Loadsharing, NonS -- Non-Loadsharing
Port Status: S -- Selected, U -- Unselected
Flags:  A -- LACP_Activity, B -- LACP_Timeout, C -- Aggregation,
        D -- Synchronization, E -- Collecting, F -- Distributing,
        G -- Defaulted, H -- Expired

Aggregation Interface: Bridge-Aggregation10
Aggregation Mode: Dynamic
Loadsharing Type: Shar
System ID: 0x8000, 7848-5952-8f88

Local:
  Port             Status  Priority  Oper-Key  Flag
--------------------------------------------------------------------------------
  GE1/0/10         S       32768     1         {ACDEF}
  GE1/0/11         S       32768     1         {ACDEF}
  GE2/0/10         S       32768     1         {ACDEF}
  GE2/0/11         S       32768     1         {ACDEF}

Remote:
  Actor            Partner Priority  Oper-Key  SystemID                Flag
--------------------------------------------------------------------------------
  GE1/0/10         217     0         349       0xcf00, 0018-71ca-cf00  {ACDEF}
  GE1/0/11         219     0         349       0xcf00, 0018-71ca-cf00  {ACDEF}
  GE2/0/10         218     0         349       0xcf00, 0018-71ca-cf00  {ACDEF}
  GE2/0/11         220     0         349       0xcf00, 0018-71ca-cf00  {ACDEF}

tor_sw1-5412zl(config)# show lacp

                           LACP

         LACP      Trunk     Port                LACP      Admin   Oper
  Port   Enabled   Group     Status    Partner   Status    Key     Key
  ----   -------   -------   -------   -------   -------   ------  ------
  A23    Active    Trk5      Up        Yes       Success   0       294
  A24    Active    Trk5      Up        Yes       Success   0       294
  J1     Active    Trk60     Up        Yes       Success   0       349
  J2     Active    Trk60     Up        Yes       Success   0       349
  J3     Active    Trk60     Up        Yes       Success   0       349
  J4     Active    Trk60     Up        Yes       Success   0       349

#verify trunks

[TT-SWCR-1]dis port trunk

Interface               PVID VLAN passing

BAGG10                   1     1, 99-100,

XGE1/0/29               1     1, 99-100,

XGE1/0/30               1     1, 99-100,

XGE2/0/29               1     1, 99-100,

XGE2/0/30               1     1, 99-100,

#info on lacp

[TT-SWCR-1]dis interface Bridge-Aggregation

Bridge-Aggregation10 current state: DOWN

IP Packet Frame Type: PKTFMT_ETHNT_2, Hardware Address: 7848-5952-8f88

Description: LACP to old Core

Unknown-speed mode, unknown-duplex mode

Link speed type is autonegotiation, link duplex type is autonegotiation

PVID: 1

Port link-type: trunk

VLAN passing : 1(default vlan), 99-100

VLAN permitted: 1(default vlan), 2-4094

Trunk port encapsulation: IEEE 802.1q

Last clearing of counters: Never

Last 300 seconds input: 0 packets/sec 0 bytes/sec   -%

Last 300 seconds output: 0 packets/sec 0 bytes/sec   -%

Input (total): 0 packets, 0 bytes

0 unicasts, 0 broadcasts, 0 multicasts

Input (normal): 0 packets, – bytes

0 unicasts, 0 broadcasts, 0 multicasts

Input: 0 input errors, 0 runts, 0 giants, 0 throttles

0 CRC, 0 frame, – overruns, 0 aborts

– ignored, – parity errors

Output (total): 0 packets, 0 bytes

0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

Output (normal): 0 packets, – bytes

0 unicasts, 0 broadcasts, 0 multicasts, 0 pauses

Output: 0 output errors, – underruns, – buffer failures

0 aborts, 0 deferred, 0 collisions, 0 late collisions

0 lost carrier, – no carrier

#note for PVID 1

#As per 802.1Q, the PVID cannot be tagged, so I arbitrarily set the PVID of all trunk ports with "port trunk pvid vlan 77" so that they are tagged for VLAN 1 (yet untagged for VLAN 77)

#For instance on this trunk link

#

interface Ten-GigabitEthernet1/0/29

port link-mode bridge

port link-type trunk

port trunk permit vlan all

port trunk pvid vlan 77

#

#so now it is tagged on VID1

[TT-SWCR-1]dis vlan 1

VLAN ID: 1

VLAN Type: static

Route Interface: not configured

Description: VLAN 0001

Name: leg-1-mgmt

Tagged   Ports:

Bridge-Aggregation10

GigabitEthernet1/0/10   GigabitEthernet1/0/11   GigabitEthernet2/0/10

GigabitEthernet2/0/11

Ten-GigabitEthernet1/0/29

Ten-GigabitEthernet1/0/30

Ten-GigabitEthernet2/0/29

Ten-GigabitEthernet2/0/30

Untagged Ports:

GigabitEthernet1/0/1     GigabitEthernet1/0/2     GigabitEthernet1/0/3

GigabitEthernet1/0/4     GigabitEthernet1/0/5     GigabitEthernet1/0/6

GigabitEthernet1/0/7     GigabitEthernet1/0/8     GigabitEthernet1/0/9

GigabitEthernet1/0/12   GigabitEthernet1/0/13   GigabitEthernet1/0/14

GigabitEthernet1/0/15   GigabitEthernet1/0/16   GigabitEthernet1/0/17

GigabitEthernet1/0/18   GigabitEthernet1/0/19   GigabitEthernet1/0/20

GigabitEthernet1/0/21   GigabitEthernet1/0/22   GigabitEthernet1/0/23

GigabitEthernet1/0/24   GigabitEthernet1/0/25   GigabitEthernet1/0/26

GigabitEthernet1/0/27   GigabitEthernet1/0/28   GigabitEthernet2/0/1

GigabitEthernet2/0/2     GigabitEthernet2/0/3     GigabitEthernet2/0/4

GigabitEthernet2/0/5     GigabitEthernet2/0/6     GigabitEthernet2/0/7

GigabitEthernet2/0/8     GigabitEthernet2/0/9     GigabitEthernet2/0/12

GigabitEthernet2/0/13   GigabitEthernet2/0/14   GigabitEthernet2/0/15

GigabitEthernet2/0/16   GigabitEthernet2/0/17   GigabitEthernet2/0/18

GigabitEthernet2/0/19   GigabitEthernet2/0/20   GigabitEthernet2/0/21

GigabitEthernet2/0/22   GigabitEthernet2/0/23   GigabitEthernet2/0/24

GigabitEthernet2/0/25   GigabitEthernet2/0/26   GigabitEthernet2/0/27

GigabitEthernet2/0/28

Viewing queues in Exchange 2013 with powershell

Now that Microsoft has changed all the GUI management, I struggled to locate the queue viewer. As it turns out, it is NOT part of the Exchange admin center (https://localhost/ecp). This tool is part of the Exchange Toolbox, which you will find with your management package for Exchange, and the queue viewer works like before.

But obviously one would prefer PowerShell to do so, right!

Get-Queue and Get-QueueDigest will be your friends. You need to know your DAG first…

>Get-DatabaseAvailabilityGroup

Name             Member Servers                                      Operational Servers
----             --------------                                      -------------------
MY-DAG1         {MY-TOR-EX2, MY-TOR-EX1}

>Get-QueueDigest -Dag MY-dag1

GroupByValue                      MessageCount DeferredMess LockedMessag StaleMessage Details
ageCount     eCount       Count
------------                      ------------ ------------ ------------ ------------ -------
[10.77.77.12]                     227          0            0            0            {MY-TOR-EX2\66427, MY-TOR-EX...
Submission                        1            1            0            0            {MY-TOR-EX2\Submission}