Friday, 9 January 2015

How to flush / empty / purge / resize your System Volume Information folder

vssadmin list shadowstorage
[...]
Shadow Copy Storage association
For volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\
Shadow Copy Storage volume: (F:)\\?\Volume{7df38471-635b-11e4-9415-000c29dbe934}\
Used Shadow Copy Storage space: 249 GB (41%)
Allocated Shadow Copy Storage space: 251 GB (41%)
Maximum Shadow Copy Storage space: UNBOUNDED (2863325530%)
[...]

vssadmin resize shadowstorage /on=F: /For=F: /Maxsize=40GB
Successfully resized the shadow copy storage association

How to remotely control your domain's Windows 7 computers via remote PowerShell and remote registry from a Windows 2012 domain controller

From briantist.com

If you are lucky enough to have no machines in your environment below Windows 7 / 2008 R2 (where do you work?!) then this is the only one you need. All of the settings we are using will be in Computer Configuration so if you want to disable User Configuration as I have go ahead.
  1. Create your GPO, name it what you want, place it where you want, etc.
  2. Edit your policy.

Enabling WinRM

  1. Browse to:
    Policies > Administrative Templates > Windows Components > Windows Remote Management (WinRM) > WinRM Service
    1. Open the “Allow Remote Server management through WinRM” policy setting (Server 2008 R2 and later).
    2. Open the “Allow automatic configuration of listeners” policy setting (Server 2008 and earlier).
  2. Set the Policy to Enabled.
  3. Set the IPv4 and IPv6 filters to * unless you need something specific there (check out the help on the right).

Setting the Firewall Rules

You can use the new Firewall with Advanced Features policy to configure the rule instead, but this will only work on Vista and above. Additionally, you should configure this from a Windows 7 / 2008 R2 machine because of a difference in the pre-defined rule.

  1. Browse to:
    Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security > Windows Firewall… > Inbound Rules
  2. Right click and choose “New Rule…”
  3. Choose the “Windows Remote Management” pre-defined rule.
  4. When you click next you should see the two rules that will be added.
  5. Click next, choose to Allow the connection, and then Finish.

Service Configuration

At this point we have enough in place to get this working, but I like to do a few more things to ensure that the WinRM service is configured to start automatically and to restart on failure.
  1. Browse to:
    Policies > Windows Settings > Security Settings > System Services
  2. Find the “Windows Remote Management (WS-Management)” service.
  3. Define the policy and give it a startup mode of Automatic.
  4. Browse to:
    Preferences > Control Panel Settings > Services
  5. Create a new Service preference item with the following parameters:
    1. General Tab
      1. Startup: No Change (the policy we set above will take precedence over this anyway)
      2. Service name: WinRM
      3. Service action (optional): Start service
    2. Recovery Tab
      1. First, Second, and Subsequent Failures: Restart the Service
The whole article is here.

Set the PowerShell execution policy

Go to Computer Configuration / Policies / Administrative Templates: Policy definitions (ADMX files) / Windows Components / Windows PowerShell. Set "Turn on Script Execution" to "Allow all scripts". This policy setting exists under both "Computer Configuration" and "User Configuration" in the Local Group Policy Editor; "Computer Configuration" takes precedence over "User Configuration". If you disable or do not configure this policy setting, it reverts to a per-machine preference setting; the default if that is not configured is "No scripts allowed."


Enable remote registry access

1. On a domain controller, Start > Administrative Tools > Group Policy Editor > either edit an existing policy or create a new one (remember it's a computer policy: you need to link it to something with computers in it; if you link it to a users OU nothing will happen).
2. Navigate to Local Computer Policy > Computer Configuration > Policies > Windows Settings > Security Settings > System Services.
3. In the right-hand pane locate "Remote Registry".
4. Define the policy, and set the startup type to Automatic.
Article is from petenetlive.

Monday, 22 December 2014

Windows 2012 DHCP cluster has been split - check your time servers

This is the icon you definitely don't want to see on your DHCP console:

First, check your network connectivity with the partner server. If it went down earlier, the partner relationship should be restored automatically when it comes back.
Second, you likely have a time difference issue. Standardize your time setup on ALL your physical Windows servers (NOT just on your PDC emulator. No doubt. Trust me.), so that domain clients get the correct time as well, with the following commands:

net stop w32time
w32tm /config /syncfromflags:manual /manualpeerlist:"1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org,time-b.nist.gov"
w32tm /config /reliable:yes
net start w32time


No need to run w32tm /resync after this; the time should be corrected immediately.

Monday, 8 December 2014

Create a new virtual disk / disk group on a Dell PowerVault MD3220i

I've recently added two 1TB disks to a PowerVault MD3220i to be used as backup storage in a RAID1 mirror. Without further ado, here are my steps.

No pools: my setup here requires a new disk group.

Let's begin. Since I have two new hot-added disks, the software is intelligent enough to recognize the situation.

Name the physical array and choose manual mode, just to be on the safe side.

RAID1, choose disks and don't forget to click on Calculate Capacity. Then, Finish.

YES we want to do it.

Capacity, name... and I map it to my host group right here and now.

We're done here. I don't want to create another virtual disk since I've used up all my available disk space.
Wait approximately an hour until the new 1TB virtual disk is ready. (See the green bar at the bottom?)



Tuesday, 25 November 2014

Little dear ones of mine

How to take actions on a directory that contains hundreds of subdirectories, named like this...
0001
0002
....
0100
0101
...
0999
1000
...

...but only on the first few hundred of them, so zero-padding the names correctly is the issue. Solution:
#!/bin/bash

# Only the first 500 directories are wanted, and their names are zero-padded
# to four digits, so the loop counter has to be padded the same way.
for i in $(seq 500); do
    lngt=$(expr length "$i")
    case $lngt in
        1) i=000$i ;;
        2) i=00$i ;;
        3) i=0$i ;;
    esac
    ls -LRs "/home/samba/archive/$i" >> /root/content.txt
done

It could be more solid but, you know, always Keep It Simple & Stupid. :-)
Here is a more complex one. It is a cron-driven script that checks your OpenVPN log file and emails you if an event is found (e.g. a certain user connects). It remembers where its last run stopped, so a log line is never processed twice, and it also handles logrotate events.
#!/bin/bash

# Cron-driven OpenVPN connection watcher. The file "last" stores the line
# count of the log at the previous run, so only lines added since then are
# inspected. A line count smaller than the stored one means logrotate ran,
# in which case the whole new log is read from the beginning.
cd /var/log/openvpn || exit 1
[ -e temp ] && rm temp
[ -e last ] || echo 0 > last
NOW=$(wc -l < openvpn.log)
LAST=$(cat last)
CHECK=$((NOW-LAST))
if [[ $CHECK -ge 0 ]]; then # new lines found (0 is harmless: tail prints nothing)
    echo "$NOW" > last
else
    echo "$NOW" > last # log rotation happened, read the whole new log
    CHECK=$NOW
fi
# "Peer Connection Initiated" lines carry the client's CN in square brackets
tail -n "$CHECK" openvpn.log | grep Initiated > connectionz
while read -r line; do
    VPNUSER=$(echo "$line" | cut -d '[' -f2 | cut -d ']' -f1)
    DATUM=$(echo "$line" | cut -d ' ' -f2-5)
    if [ "$VPNUSER" = "JohnSmith" ] || [ "$VPNUSER" = "PeteSmith" ] || [ "$VPNUSER" = "JaneSmith" ]; then
        echo "A user connected: $VPNUSER, event time: $DATUM" >> temp
        echo "" >> temp
    fi
done < connectionz
[ -e temp ] && mail -n -s "OPENVPN CONNECTION initiated" myemail@mydomain.com,yourdomain@yourdomain.com < temp

Monday, 17 November 2014

IPTABLES - how to allow or deny certain countries of the world

It is a common request for a sysadmin to block, or allow only, certain countries in firewalls or in Apache .htaccess files. Here are two common ways to do that.

Method 1.
Using xtables-addons and MaxMind GeoIP

apt-get install libtext-csv-xs-perl module-assistant geoip-database libgeoip1
module-assistant --verbose --text-mode auto-install xtables-addons
mkdir /usr/share/xt_geoip
cd /usr/share/xt_geoip
# this is a rather old package but it is free
wget http://terminal28.com/wp-content/uploads/2013/10/geoip-dl-build.tar.gz
tar xvf geoip-dl-build.tar.gz
./xt_geoip_dl
./xt_geoip_build -D . *.csv
## EXAMPLE: allow HTTPS only from the listed countries, drop the rest
iptables --flush # BEWARE: this removes every existing rule
iptables -A INPUT -p tcp --dport 443 -m geoip --src-cc HU,CZ,PL,RO -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP
Method 2.
Simply use https://www.countryipblocks.net/country_selection.php to get the ranges to allow/deny.
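Method 2 hands you a plain list of ranges. The following added example (mine, not the post's) validates such a list and turns it into an ipset plus the same two iptables rules as Method 1, printing the commands for review instead of applying them. It assumes ipset and iptables are installed; the range list is a constructed sample of RFC 5737 documentation prefixes, not a real country export.

```shell
# Added example, not from the original post: country range list (e.g. a
# countryipblocks.net export) -> ipset + iptables rules, validated first.
# Nothing is applied; pipe the output to sh once it has been reviewed.

# Constructed sample list: documentation prefixes plus two bad entries.
SAMPLE_LIST='# comments and blank lines are ignored
192.0.2.0/24
198.51.100.0/24
203.0.113.0/24
10.0.0.0/33
not-a-range
'

# valid_cidr A.B.C.D/N -> 0 if the argument is a well-formed IPv4 prefix
valid_cidr() {
    local ip len o o1 o2 o3 o4 extra
    ip="${1%/*}"; len="${1#*/}"
    [ "$1" != "$ip" ] || return 1                  # no "/" at all
    case "$len" in ''|*[!0-9]*) return 1 ;; esac   # non-numeric length
    [ "$len" -le 32 ] || return 1
    IFS=. read -r o1 o2 o3 o4 extra <<EOF
$ip
EOF
    [ -z "$extra" ] || return 1                    # more than four octets
    for o in "$o1" "$o2" "$o3" "$o4"; do
        case "$o" in ''|*[!0-9]*) return 1 ;; esac
        [ "$o" -le 255 ] || return 1
    done
}

# build_rules SETNAME PORT (list on stdin): invalid entries become comments
build_rules() {
    set_name="$1"; port="$2"
    echo "ipset create $set_name hash:net -exist"
    while IFS= read -r line; do
        line=$(printf '%s' "$line" | sed 's/#.*//' | tr -d ' \t\r')
        [ -n "$line" ] || continue
        if valid_cidr "$line"; then
            echo "ipset add $set_name $line -exist"
        else
            echo "# skipped invalid entry: $line"
        fi
    done
    echo "iptables -A INPUT -p tcp --dport $port -m set --match-set $set_name src -j ACCEPT"
    echo "iptables -A INPUT -p tcp --dport $port -j DROP"
}

printf '%s' "$SAMPLE_LIST" | build_rules geo_allow 443
```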
Tuesday, 14 October 2014

Can't install an additional Exchange 2013 server in the domain

Today I ran into this funny issue. It took me two hours to figure it out!

Here is the error report:

Error:
Global updates need to be made to Active Directory, and this user account isn't a member of the 'Enterprise Admins' group.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalUpdateRequired.aspx

Error:
You must be a member of the 'Organization Management' role group or a member of the 'Enterprise Admins' group to continue.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedCafeFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedFrontendTransportFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedMailboxFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedClientAccessFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedUnifiedMessagingFirstInstall.aspx

Error:
Setup encountered a problem while validating the state of Active Directory: Couldn't find the Enterprise Organization container.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx

Error:
The forest functional level of the current Active Directory forest is not Windows Server 2003 native or later. To install Exchange Server 2013, the forest functional level must be at least Windows Server 2003 native.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ForestLevelNotWin2003Native.aspx

Error:
Either Active Directory doesn't exist, or it can't be contacted.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.CannotAccessAD.aspx

Warning:
Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE14ServerWarning.aspx


Obviously, the AD had been prepared previously (there was already a working Exchange 2013) and I am a Schema and Enterprise Admin.
Solution:
It turned out that I was trying to install Exchange in site A (a site with a working DC) but the Schema Master FSMO role holder DC was located in site B. Of course both were perfectly connected and replicating with each other. However, for whatever reason my clever Exchange setup was simply unable to connect to the Schema Master and exited in such a stupid way. I moved the Schema Master role to site A and voila, Exchange setup immediately worked.