Monday, 22 December 2014

Windows Server 2012 DHCP failover partnership broken - check your time servers

This is the icon you definitely don't want to see in your DHCP console:

First, check network connectivity with the partner server. If the partner simply went down earlier, the relationship is restored automatically once it comes back.
Second, you most likely have a time difference issue: DHCP failover in Windows Server 2012 refuses to work with a partner whose clock is more than a minute away from its own. Standardize your time setup on ALL your physical Windows servers (NOT just on your PDC emulator; trust me on this), and domain clients will follow, with the following commands:

net stop w32time
rem the peer list is space separated and must be one quoted string
w32tm /config /syncfromflags:manual /manualpeerlist:"1.pool.ntp.org 2.pool.ntp.org 3.pool.ntp.org time-b.nist.gov"
rem /reliable:yes advertises this box as a time source; Microsoft reserves it for the PDC emulator, so leave it out on the other servers
w32tm /config /reliable:yes
net start w32time
w32tm /query /status
w32tm /stripchart /computer:PARTNER-DHCP-SERVER /samples:3 /dataonly


No need to run w32tm /resync afterwards; the service syncs as soon as it starts. The two query lines at the end show where this server now gets its time from and how far off the failover partner is (replace PARTNER-DHCP-SERVER with your partner's name). Once both sides report the same source and an offset well under a minute, the partnership recovers on its own.

Monday, 8 December 2014

Create a new virtual disk / disk group on a Dell PowerVault MD3220i

I've recently added two 1TB disks to a PowerVault MD3220i to be used as backup storage in a RAID1 mirror.

No pools; my setup here requires a new disk group.

Let's begin. Since I have two freshly hot-added disks, the software is intelligent enough to recognize the situation and offers to configure them.

Name the disk group and choose manual mode, just to be on the safe side (you pick the physical disks yourself).

RAID1: choose the two disks and don't forget to click Calculate Capacity. Then Finish.

YES, we want to do it.

Capacity, name... and I map the virtual disk to my host group right here and now.

We're done here. I don't want to create another virtual disk, since I've used up all the available space in the group.
Wait approximately an hour until the new 1TB virtual disk is ready (see the green progress bar at the bottom). That time applies to 7200RPM SATA3 disks.


The second part of this article is here.

Tuesday, 25 November 2014

Little dear ones of mine

How to take action on a directory that contains hundreds of subdirectories, named like this...
0001
0002
....
0100
0101
...
0999
1000
...

...but only on the first few hundred of them, so building the zero-padded names is the only real issue. Solution:
#!/bin/bash
# List the first 500 zero-padded subdirectories (recursively, with sizes,
# following symlinks) and append everything to one report file.
for n in $(seq 1 500); do
    printf -v dir '%04d' "$n"        # 1 -> 0001, 42 -> 0042, 500 -> 0500
    ls -LRs "/home/samba/archive/$dir" >> /root/content.txt
done

It could be more robust, but you know: always Keep It Simple & Stupid. :-)
Here is a more complex one. It's a cron-driven script that checks your OpenVPN log file and emails you if an event is found (e.g. a certain user connects). It remembers how far it got on its last run, so a log line is never processed twice, and it copes with logrotate truncating the file.
#!/bin/bash
# Cron job: report new "Peer Connection Initiated" lines for a few watched
# users. The line count reached on the previous run is kept in ./last.
cd /var/log/openvpn || exit 1
rm -f temp
NOW=$(wc -l < openvpn.log)
LAST=$(cat last 2>/dev/null || echo 0)
CHECK=$((NOW - LAST))
if [ "$CHECK" -lt 0 ]; then    # the log shrank: logrotate happened, rescan from the top
    CHECK=$NOW
fi
echo "$NOW" > last              # a CHECK of 0 is harmless, nothing gets reported
[ "$CHECK" -gt 0 ] || exit 0
tail -n "$CHECK" openvpn.log | grep 'Peer Connection Initiated' > connectionz
while read -r line; do
    USER=$(echo "$line" | cut -d '[' -f2 | cut -d ']' -f1)   # [CommonName] of the client certificate
    DATUM=$(echo "$line" | cut -d ' ' -f2-5)                 # e.g. "Nov 20 10:01:02 2014"
    if [ "$USER" = "JohnSmith" ] || [ "$USER" = "PeteSmith" ] || [ "$USER" = "JaneSmith" ]; then
        echo "A user connected: $USER event time: $DATUM" >> temp
        echo "" >> temp
    fi
done < connectionz
[ -e temp ] && mail -n -s "OPENVPN CONNECTION initiated" myemail@mydomain.com,yourdomain@yourdomain.com < temp
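The same detection logic as a re-runnable function, written for this post as an added example rather than taken from it. It keeps the log's inode next to the line count in its state file, so a rotated log is recognised even when the fresh file has already grown past the old count, and it reports the peer address next to the user. The log lines used to exercise it are constructed in the shape OpenVPN writes ("[CN] Peer Connection Initiated with [AF_INET]ip:port"); the watch list, the paths and the mail address are placeholders.

```bash
#!/bin/bash
# Report new OpenVPN "Peer Connection Initiated" lines for watched users.
# The state file holds "<inode> <line count>" of the log as of the last run.

# new_connections LOG STATE "user1 user2 ..."
# Prints one "user<TAB>timestamp<TAB>peer" line per new connection of a watched user.
new_connections() {
    local log="$1" state="$2" watch="$3"
    local now ino last_ino last count line user stamp peer

    now=$(wc -l < "$log" | tr -d ' ')
    ino=$(stat -c %i "$log" 2>/dev/null || stat -f %i "$log")   # GNU stat, then BSD stat
    read -r last_ino last 2>/dev/null < "$state" || { last_ino=""; last=0; }
    case "$last" in ''|*[!0-9]*) last=0 ;; esac                  # unreadable state: start over

    # rotated (new inode) or truncated (fewer lines than last time): rescan from the top
    if [ "$ino" != "$last_ino" ] || [ "$now" -lt "$last" ]; then
        last=0
    fi
    count=$((now - last))
    printf '%s %s\n' "$ino" "$now" > "$state"    # remember where we got to
    [ "$count" -gt 0 ] || return 0

    tail -n "$count" "$log" | grep 'Peer Connection Initiated' |
    while IFS= read -r line; do
        user=${line#*\[}; user=${user%%\]*}      # first [...] is the client's CN
        peer=${line##*\]}                        # text after the last ] is ip:port
        stamp=$(printf '%s\n' "$line" | cut -d ' ' -f2-5)   # "Nov 20 10:01:02 2014"
        case " $watch " in
            *" $user "*) printf '%s\t%s\t%s\n' "$user" "$stamp" "$peer" ;;
        esac
    done
}

# Cron usage, e.g. every 5 minutes (state directory must exist; names are placeholders):
#   */5 * * * * /usr/local/bin/vpnwatch.sh --cron
if [ "${1:-}" = "--cron" ]; then
    report=$(new_connections /var/log/openvpn/openvpn.log /var/lib/vpnwatch/last "JohnSmith PeteSmith JaneSmith")
    [ -n "$report" ] && printf '%s\n' "$report" | mail -s "OPENVPN CONNECTION initiated" admin@mydomain.com
fi
```

Because the state file is updated before the lines are reported, a crash inside the mail step loses at most one batch rather than re-sending old batches forever; if you prefer the opposite trade-off, move the `printf ... > "$state"` line after the loop.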

Monday, 17 November 2014

IPTABLES - how to allow or deny certain countries of the world

It's a common request for a sysadmin to ban, or allow only, certain countries in firewalls or in Apache .htaccess files. Here are two common ways to do that.

Method 1.
Using xtables-addons (xt_geoip) and the MaxMind GeoIP database

apt-get install libtext-csv-xs-perl module-assistant geoip-database libgeoip1
module-assistant --verbose --text-mode auto-install xtables-addons
mkdir /usr/share/xt_geoip
cd /usr/share/xt_geoip
# the two helper scripts below come from a rather old third-party tarball fetched over plain HTTP;
# current xtables-addons-common packages ship them in /usr/lib/xtables-addons/, prefer those
wget http://terminal28.com/wp-content/uploads/2013/10/geoip-dl-build.tar.gz
tar xvf geoip-dl-build.tar.gz
./xt_geoip_dl
./xt_geoip_build -D . *.csv
##EXAMPLE: allow HTTPS only from HU, CZ, PL and RO
# do NOT start with "iptables --flush" on a remote box: it also removes the rule that lets your own SSH session in
iptables -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -m geoip --src-cc HU,CZ,PL,RO -j ACCEPT
iptables -A INPUT -p tcp --dport 443 -j DROP

Note that the legacy GeoLite country CSV fetched by xt_geoip_dl was discontinued by MaxMind in 2019; newer xt_geoip_build versions read the GeoLite2 CSV instead. Either way the database has to be refreshed regularly, or the country mapping slowly rots.

Method 2.
Simply use https://www.countryipblocks.net/country_selection.php to get the address ranges to allow or deny. A country is thousands of CIDRs, so load them into an ipset and match the set with a single iptables rule instead of generating one rule per range.
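An added example for Method 2 (not from the original post): a small script that turns a downloaded range list into an `ipset restore` script and the iptables rules that use it. It validates every line, refuses to emit rules from an empty or all-garbage list, never flushes existing rules, and always lets established traffic and an admin network through first so you cannot lock yourself out. The set name, port and admin network below are placeholders; the ranges in the test are constructed.

```bash
#!/bin/bash
# Turn a per-country IPv4 range list (one CIDR per line, as exported by
# countryipblocks.net or any other source) into an `ipset restore` script and
# the matching iptables rules. Nothing here touches the live firewall: review
# the output, then pipe it into `ipset -exist restore` and `sh`.

# valid_cidr A.B.C.D/N -> exit status 0 only for a well-formed IPv4 prefix
valid_cidr() {
    local ip prefix oldifs o
    case "$1" in */*) ;; *) return 1 ;; esac
    ip=${1%/*}; prefix=${1#*/}
    case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
    [ "$prefix" -le 32 ] || return 1
    case "$ip" in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.; set -- $ip; IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ "$o" -le 255 ] || return 1
    done
}

# ipset_script SETNAME < ranges.txt -> restore script on stdout.
# Malformed lines are reported on stderr and skipped; the function fails
# (so no rules get installed) when nothing at all could be loaded.
ipset_script() {
    local setname="$1" line n=0 bad=0
    echo "create $setname hash:net family inet"
    while read -r line; do
        line=$(printf '%s' "${line%%#*}" | tr -d '[:space:]')   # drop comments and blanks
        [ -z "$line" ] && continue
        if valid_cidr "$line"; then
            echo "add $setname $line"; n=$((n + 1))
        else
            echo "skipping malformed range: $line" >&2; bad=$((bad + 1))
        fi
    done
    echo "$n ranges loaded, $bad skipped" >&2
    [ "$n" -gt 0 ]
}

# iptables_rules SETNAME allow|deny PORT [ADMIN_CIDR] -> shell commands on stdout.
# allow: only listed countries reach PORT; deny: listed countries are dropped.
iptables_rules() {
    local setname="$1" mode="$2" port="$3" admin="$4" chain
    chain="GEO_$port"
    case "$mode" in allow|deny) ;; *) echo "mode must be allow or deny" >&2; return 1 ;; esac
    echo "iptables -N $chain 2>/dev/null || iptables -F $chain"
    echo "iptables -A $chain -m conntrack --ctstate ESTABLISHED,RELATED -j RETURN"
    [ -n "$admin" ] && echo "iptables -A $chain -s $admin -j RETURN"
    if [ "$mode" = allow ]; then
        echo "iptables -A $chain -m set --match-set $setname src -j RETURN"
        echo "iptables -A $chain -j DROP"
    else
        echo "iptables -A $chain -m set --match-set $setname src -j DROP"
    fi
    # hook the chain into INPUT once, at the top, without touching any other rule
    echo "iptables -C INPUT -p tcp --dport $port -j $chain 2>/dev/null || iptables -I INPUT 1 -p tcp --dport $port -j $chain"
}

# usage:  geo.sh ipset hu_only < hu.txt | ipset -exist restore
#         geo.sh rules hu_only allow 443 10.0.0.0/8 | sh
case "${1:-}" in
    ipset) ipset_script "$2" ;;
    rules) iptables_rules "$2" "$3" "$4" "${5:-}" ;;
esac
```

Refreshing the list later is the same two commands again: `ipset -exist restore` adds the new ranges to the existing set, and the `iptables -C` check keeps the INPUT hook from being inserted twice.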


 

Tuesday, 14 October 2014

Can't install an additional Exchange 2013 in the domain

Today I ran into this funny issue. It took me two hours to find the clue!

Here is the error report:

Error:
Global updates need to be made to Active Directory, and this user account isn't a member of the 'Enterprise Admins' group.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalUpdateRequired.aspx

Error:
You must be a member of the 'Organization Management' role group or a member of the 'Enterprise Admins' group to continue.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.GlobalServerInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedBridgeheadFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedCafeFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedFrontendTransportFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedMailboxFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install or upgrade the first Client Access server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedClientAccessFirstInstall.aspx

Error:
You must use an account that's a member of the Organization Management role group to install the first Mailbox server role in the topology.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.DelegatedUnifiedMessagingFirstInstall.aspx

Error:
Setup encountered a problem while validating the state of Active Directory: Couldn't find the Enterprise Organization container.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.AdInitErrorRule.aspx

Error:
The forest functional level of the current Active Directory forest is not Windows Server 2003 native or later. To install Exchange Server 2013, the forest functional level must be at least Windows Server 2003 native.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.ForestLevelNotWin2003Native.aspx

Error:
Either Active Directory doesn't exist, or it can't be contacted.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.CannotAccessAD.aspx

Warning:
Setup will prepare the organization for Exchange 2013 by using 'Setup /PrepareAD'. No Exchange 2010 server roles have been detected in this topology. After this operation, you will not be able to install any Exchange 2010 servers.
For more information, visit: http://technet.microsoft.com/library(EXCHG.150)/ms.exch.setupreadiness.NoE14ServerWarning.aspx


Obviously, the AD had been prepared previously (there was a working Exchange 2013 already), and I am a Schema Admin and Enterprise Admin.
Solution:
It turned out that I was trying to install Exchange in site A (a site with a working DC), but the Schema Master FSMO role holder was located in site B. Both sites were perfectly connected and replicating with each other. However, for whatever reason my clever Exchange setup was simply unable to reach the Schema Master and bailed out with this misleading pile of errors. I moved the Schema Master role to site A and voila, Exchange setup worked immediately.
This is by design rather than a bug: the Active Directory preparation step of Exchange setup has to talk to the schema master, and Microsoft's prerequisites say to run it from the same site and domain as that role holder, so a healthy DC in the local site is not enough. A quick netdom query fsmo before you start tells you where the role lives.

Friday, 10 October 2014

How to mass-upload profile pictures to Exchange 2013

It's Friday afternoon, an hour before the end of your shift. The biggest boss walks into your office and says:
- It's good to see you being so happy to see me. I've got a job for you. You've got to load our new employees' high-resolution photos into our company's Exchange 2013 immediately. You should be able to find all 180 picture files on the file server. Actually, it should have been done yesterday. So... (dramatic pause)... have you done it yet?
  1. - Don't panic.
  2. - Resize or crop those freaking profile photos to 648x648 pixels with a free photo viewer, for example with a batch job in IrfanView.
  3. - Rename the files to match your users' login names, e.g. Bill Gates -- billgates.jpg. That's the trickiest part if your files are called user3412_10102014.png or whatever. That'd suck. Force your colleagues to name the files properly next time.
  4. - Use this script. It reads all the files in the source directory, takes the username from the file name and puts the picture into that user's corresponding Exchange attribute.

$sourcedir = "C:\temp\photos\"
$files = Get-ChildItem $sourcedir -Filter "*.jpg"
$files | ForEach-Object {
    $fullpath = $_.FullName
    $name = $_.BaseName          # file name without extension = the user's login name
    Write-Host "$name <- $fullpath"

    # make sure the file name really maps to a mailbox before touching anything
    if (-not (Get-Mailbox -Identity $name -ErrorAction SilentlyContinue)) {
        Write-Warning "no mailbox found for '$name', skipping $fullpath"
        return                   # inside ForEach-Object this skips to the next file
    }

    $photo = ([Byte[]] $(Get-Content -Path $fullpath -Encoding Byte -ReadCount 0))
    Set-UserPhoto -Identity $name -PictureData $photo -Confirm:$False
    Set-UserPhoto -Identity $name -Save -Confirm:$False
}


Once ready, paste the following into your PowerShell. The first line lets users change their password in OWA and see photos, but stops them from replacing the photo you just uploaded with one of their own:
Get-OwaVirtualDirectory | Set-OwaVirtualDirectory -ChangePasswordEnabled $true -SetPhotoEnabled $false -DisplayPhotosEnabled $true

Set-CASMailbox user -OWAMailboxPolicy Default
or
Get-CASMailbox -ResultSize Unlimited | Set-CASMailbox -OWAMailboxPolicy Default

Curious why 648x648 exactly? Nobody knows. Frankly. The point is that you end up with three differently sized pictures stored for each account, spread across AD, Exchange 2013 and Lync 2013 or SharePoint 2013 (if you have any):
  1. 48 x 48 pixels in the AD thumbnailPhoto attribute (if you upload a photo to Exchange 2013, Exchange automatically creates a 48 x 48 pixel version of that photo and updates the user's thumbnailPhoto attribute. Note, however, that the reverse is not true: if you manually update the thumbnailPhoto attribute in Active Directory, the photo in the user's Exchange 2013 mailbox will not be updated automatically).
  2. 96 x 96 pixels for use in Outlook Web App and Microsoft Outlook 2013
  3. 648 x 648 pixels for use in Lync 2013 and SharePoint 2013

Tuesday, 10 June 2014

Yet another ultimate howto: a collection of hotfixes for Exchange 2010 for Windows 2008 R2

Want to install Exch2k10 on W2k8R2? You can save lots of time by using these links before the installation.
Prereqs:
 (run the PowerShell commands from here): http://www.enterprisenetworkingplanet.com/datacenter/Installing-Exchange-2010-Step-by-Step-3877601.htm
Grab these files:
http://www.microsoft.com/en-US/download/details.aspx?id=40779 (.NET 4.5.1)
http://www.microsoft.com/en-us/download/details.aspx?id=17331 (KB974405-x64)
http://www.microsoft.com/en-us/download/details.aspx?id=17062 (Office 2010 Filter Pack)
http://thehotfixshare.net/board/index.php?autocom=downloads&req=download&code=confirm_download&id=12354 (KB982867-v2-x64)
http://thehotfixshare.net/board/index.php?autocom=downloads&req=download&code=confirm_download&id=12136 (KB977020-v2-x64)
http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=29092 (KB983440-x64)
http://www.microsoft.com/en-US/download/details.aspx?id=16335 (KB979099-x64)
http://connect.microsoft.com/VisualStudio/Downloads/DownloadDetails.aspx?DownloadID=27109 (6.1: KB979744-v2-x64)

Two of those come from thehotfixshare.net, a third-party mirror rather than Microsoft. Before running anything fetched from a mirror, check that the .msu is still signed by Microsoft (Get-AuthenticodeSignature in PowerShell, or the Digital Signatures tab in the file's properties); an unsigned or re-signed hotfix goes in the bin.

Also, don't forget SP3 http://www.microsoft.com/en-us/download/details.aspx?id=36768 (just run it from the command line:
C:\Admin\ex2010sp3>setup /mode:upgrade /installwindowscomponents
) and UR5 http://www.microsoft.com/en-us/download/details.aspx?id=42001 .



Wednesday, 30 April 2014

ULTIMATE howto for GIT with LDAP auth

There are lots of tutorials on this subject, but hardly any of them are straightforward and up to date. It took me plenty of days to get this disgusting system working on Debian. (BTW, SVN FTW :))
Note that there are two, I repeat two, methods to serve a git repository over HTTP: WebDAV and git-http-backend.
WebDAV is nicer and cheaper, but it has some drawbacks. No further details about it here.
In the following we will set up a version hosting and control system called git with git-http-backend and an authentication mechanism against an LDAP server (an Active Directory domain controller here). My internal domain name is ring.local and my external hostname is git.ring-of-fire.com.
We will set up gitweb to ease supervision.
If everything goes well, entering https://git.ring-of-fire.com/web in a browser and having proven that you are a member of ring_developers_webadmin, you get your gitweb console.
Then you enter https://git.ring-of-fire.com/git/YourMightyRepo in your git client and prove yourself to be a valid member of the ring_developers LDAP group.
Successfully authorized... guess what. We happy, Vincent?

What to do, in a nutshell. (Version numbers are valid only for April 2014.) Everything goes over HTTPS on purpose: HTTP Basic auth sends the user's domain password with every single request, so never expose /git or /web on plain HTTP.
1
apt-get install the following (dpkg -l output on the finished box):

ii apache2 2.2.22-13+deb7u1 i386 Apache HTTP Server metapackage 
ii apache2-mpm-worker 2.2.22-13+deb7u1 i386 Apache HTTP Server - high speed threaded model 
ii apache2-utils 2.2.22-13+deb7u1 i386 utility programs for webservers 
ii apache2.2-bin 2.2.22-13+deb7u1 i386 Apache HTTP Server common binary files 
ii apache2.2-common 2.2.22-13+deb7u1 i386 Apache HTTP Server common files 
ii git 1:1.7.10.4-1+wheezy1 i386 fast, scalable, distributed revision control system 
ii git-core 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (obsolete)
ii git-man 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (manual pages)
ii gitweb 1:1.7.10.4-1+wheezy1 all fast, scalable, distributed revision control system (web interface) 

2
root@git:/etc/apache2/sites-enabled# cat *

# real FQDN, IMPORTANT!! for git's sake (Apache has no inline comments: keep remarks on their own line)
ServerName git.ring-of-fire.com
<VirtualHost *:80>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www/default
    <Directory /var/www/default>
        Options -Indexes -FollowSymLinks -MultiViews
        AllowOverride None
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/zhttp-error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/zhttp-access.log combined
    # a default site with any kind of index.html or .htaccess
    # git.conf in conf.d is server-wide, so without these redirects /git and /web would be
    # reachable here too and Basic-auth credentials would travel in clear text
    Redirect permanent /git https://git.ring-of-fire.com/git
    Redirect permanent /web https://git.ring-of-fire.com/web
</VirtualHost>
<VirtualHost *:443>
    ServerAdmin webmaster@localhost
    DocumentRoot /var/www
    <Directory /var/www>
        Options Indexes FollowSymLinks MultiViews
        AllowOverride All
    </Directory>
    ErrorLog ${APACHE_LOG_DIR}/error.log
    LogLevel warn
    CustomLog ${APACHE_LOG_DIR}/access.log combined
    SSLEngine On
    SSLProtocol all -SSLv2 -SSLv3
    SSLCertificateFile /etc/apache2/ssl/git_ring.crt
    SSLCertificateKeyFile /etc/apache2/ssl/git_ring.key
    # if clients complain about an incomplete chain, hand the intermediate bundle
    # over with SSLCertificateChainFile instead; SSLCACertificateFile is meant for client-cert CAs
    SSLCACertificateFile /etc/apache2/ssl/git_ring_bundle.ca
    BrowserMatch "git" nokeepalive ssl-unclean-shutdown
    # this https site is for the real use
</VirtualHost>

3
root@git:/etc# cat gitweb.conf
# path to git projects (<project>.git)
$projectroot = "/var/www/git";
....
This is the only parameter you need to change.

4
root@git:/etc/apache2/conf.d# cat git.conf
# check the project root; every repository under it is exported (EXPORT_ALL),
# so every one of them needs the auth below
SetEnv GIT_PROJECT_ROOT /var/www/git
SetEnv GIT_HTTP_EXPORT_ALL
# check twice that this binary exists
ScriptAlias /git /usr/lib/git-core/git-http-backend/

<Directory "/usr/lib/git-core">
  Options +ExecCGI
  Order allow,deny
  Allow From All
</Directory>

# optional variant from the git-http-backend manual: let Apache serve loose objects and
# packs itself and send only the smart-protocol requests through the CGI
AliasMatch ^/git/(.*/objects/[0-9a-f]{2}/[0-9a-f]{38})$          /var/www/git/$1
AliasMatch ^/git/(.*/objects/pack/pack-[0-9a-f]{40}.(pack|idx))$ /var/www/git/$1
ScriptAliasMatch \
    "(?x)^/git/(.*/(HEAD | \
            info/refs | \
            objects/info/[^/]+ | \
            git-(upload|receive)-pack))$" \
    /usr/lib/git-core/git-http-backend/$1

# catch-all: nothing under /git is reachable without a valid developer login, otherwise
# a second repository created later would be world-readable (and world-pushable)
<Location "/git">
    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthName "Git Server"
    # ldap:// sends the bind password and every user's password to the DC in clear text;
    # switch to ldaps://YourLDAPServerIP:636/... (plus LDAPTrustedGlobalCert) as soon as you have the DC's CA cert
    AuthLDAPURL "ldap://YourLDAPServerIP:389/OU=YourADOU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your auth user name,cn=Users,dc=ring,dc=local"
    # this file now holds a domain password: keep it root-owned and not world-readable
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers,OU=your_groups_container_OU,DC=ring,DC=local
</Location>

# per-repository override, e.g. a different group for one project (the LDAP settings above are inherited)
<Location "/git/YourMightyRepo">
    Require ldap-group CN=ring_developers,OU=your_groups_container_OU,DC=ring,DC=local
</Location>


5
root@git:/etc/apache2/conf.d# cat gitweb.conf
# Check that /usr/share/gitweb exists. Note the string /web
Alias /web "/usr/share/gitweb/"

<Directory "/usr/share/gitweb">
    Options ExecCGI
    AllowOverride None
    AddHandler cgi-script .cgi
    DirectoryIndex gitweb.cgi
    Order deny,allow
    Allow from all

    AuthBasicProvider ldap
    AuthType Basic
    AuthzLDAPAuthoritative on
    AuthName "GITWEB for RING"
    AuthLDAPURL "ldap://YourLDAPserverIP:389/OU=your_users_container_OU,DC=ring,DC=local?sAMAccountName?sub?(objectClass=*)" NONE
    AuthLDAPBindDN "CN=Your LDAP bind user name,cn=Users,dc=ring,dc=local"
    AuthLDAPBindPassword verysecretpassword
    Require ldap-group CN=ring_developers_webadmin,OU=your_groups_container_OU,DC=ring,DC=local
</Directory>



6
Initialize, check and done. (The chown matters: git-http-backend runs as www-data and has to write to the repository for pushes; it only accepts receive-pack from authenticated users, which the LDAP auth above provides.)

root@git:/var/www/default# ls
index.html


root@git:# cd /var/www/git/
root@git:/var/www/git# ls
[nope]

mkdir YourMightyRepo && cd YourMightyRepo && git --bare init
cd .. && chown -R www-data:www-data /var/www/git
service apache2 restart
get-a-coffee
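Before you hand the URL to the developers, prove that authentication is enforced on every path a client can hit, not only on the one URL you tried in a browser. This smoke test is an added example written for this post, not part of it or of git; the host, repository and account are placeholders and it only needs curl.

```bash
#!/bin/bash
# Smoke test for the git-http-backend + gitweb + LDAP setup above.
BASE_HTTPS=${BASE_HTTPS:-https://git.ring-of-fire.com}
BASE_HTTP=${BASE_HTTP:-http://git.ring-of-fire.com}

# http_code URL [user:pass] -> prints only the HTTP status code ("000" if unreachable)
http_code() {
    if [ -n "${2:-}" ]; then
        curl -s -o /dev/null -w '%{http_code}' --user "$2" "$1"
    else
        curl -s -o /dev/null -w '%{http_code}' "$1"
    fi
}

# expect LABEL GOT WANT -> prints a result line, returns 1 on mismatch
expect() {
    if [ "$2" = "$3" ]; then echo "ok   $1 ($2)"; return 0; fi
    echo "FAIL $1: got $2, want $3"; return 1
}

# check_git_auth REPO user:pass -> 0 only if every expectation holds
check_git_auth() {
    local repo="$1" creds="$2" rc=0 refs objects zeros
    refs="/git/$repo/info/refs?service=git-upload-pack"   # the first thing `git clone` asks for
    zeros=$(printf '%038d' 0)
    objects="/git/$repo/objects/00/$zeros"                 # served by AliasMatch, not by the CGI

    expect "anonymous clone refused"   "$(http_code "$BASE_HTTPS$refs")"           401 || rc=1
    expect "developer clone allowed"   "$(http_code "$BASE_HTTPS$refs" "$creds")"  200 || rc=1
    expect "raw objects need auth too" "$(http_code "$BASE_HTTPS$objects")"        401 || rc=1
    expect "gitweb needs auth"         "$(http_code "$BASE_HTTPS/web/")"           401 || rc=1
    # plain HTTP must never serve git: Basic auth would put the domain password on the wire
    case "$(http_code "$BASE_HTTP$refs" "$creds")" in
        301|302|403|404) echo "ok   plain HTTP does not serve git" ;;
        *) echo "FAIL plain HTTP serves /git"; rc=1 ;;
    esac
    return $rc
}

# usage: check-git.sh YourMightyRepo 'alice:secret'   (alice being a member of ring_developers)
if [ $# -eq 2 ]; then
    check_git_auth "$1" "$2"
fi
```

The raw-object check is the one people forget: the AliasMatch lines hand loose objects and packs to Apache's file handler, so they are protected only because the `<Location>` covering /git applies to every URL underneath it, not because git-http-backend checked anything.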


For further reference, find some more totally useless and misleading info here: http://git-scm.com/docs/git-http-backend

Thursday, 23 January 2014

Email forwarding

More PowerShell fun (Exchange Management Shell).

Setting forward-only to an internal address:
Set-Mailbox -Identity "Joe Cool" -ForwardingAddress "james@mydomain.com"
Setting deliver-and-forward to an internal address:
Set-Mailbox -Identity "Joe Cool" -ForwardingAddress "james@mydomain.com" -DeliverToMailboxAndForward $true
Setting forward to an external address (ForwardingAddress needs a recipient object, so create a mail contact first):
New-MailContact -Name "Very Important Dick" -ExternalEmailAddress "dick@vip.com"
Set-Mailbox "Joe Cool" -ForwardingAddress "dick@vip.com"
Listing which mailboxes forward anywhere. Check both attributes: ForwardingSmtpAddress needs no contact object, which makes it the usual choice for quietly siphoning off a mailbox after an account compromise, so run this regularly and explain every hit:
Get-Mailbox -ResultSize Unlimited -Filter { (ForwardingAddress -ne $null) -or (ForwardingSmtpAddress -ne $null) } | Select-Object Name,ForwardingAddress,ForwardingSmtpAddress,DeliverToMailboxAndForward
Cancel any type of forwarding:
Set-Mailbox -Identity "our.user@mydomain.com" -DeliverToMailboxAndForward $False -ForwardingSmtpAddress $Null -ForwardingAddress $Null
Mass canceling:
Get-Mailbox -ResultSize Unlimited | Where {$_.RecipientType -eq "UserMailbox"} | Set-Mailbox -ForwardingSmtpAddress $null -ForwardingAddress $null