Sunday, April 26, 2015

BIND DDNS

OK, so I have a requirement to host one of my domains internally. The reason for this is that I would like to learn more about BIND9, as well as having the flexibility to do Dynamic DNS.

I spawned a VM and installed Ubuntu on it. During the installation, I selected DNS server as one of the features to be installed.

Here are the steps I took to set it up:

Step #1 - Edit /etc/bind/named.conf.local

key "domain.com.au." {
        algorithm hmac-md5;
        secret "w81WcwhateverhereGnCQ==";
};

zone "domain.com.au" {
        type master;
        allow-update { key "domain.com.au."; };
        journal "/var/cache/bind/db.domain.com.au.jnl";
        file "/etc/bind/master/db.domain.com.au";

};

The key section is used for automatic updates with the nsupdate tool, which is part of the BIND installation package. The secret value is generated using the following:

dnssec-keygen -a HMAC-MD5 -b 128 -n HOST domain.com.au

This tool generates 2 files: .key and .private
Open the .key file and copy the key, e.g. w81WcwhateverhereGnCQ==, and put it in the key section above.

Note: That is NOT my key.

Then you need to save the .private file and keep it safe to be used later with nsupdate.

The zone section is where my DNS zone is configured.

Step #2 - Create Zone File

Create a master folder within /etc/bind
Copy /etc/bind/db.local to /etc/bind/master/db.domain.com.au
Change the permissions on the folder:

chown -R bind:bind /etc/bind/master
chmod 775 -R /etc/bind/master

Step #3 - Edit /etc/bind/master/db.domain.com.au

Edit the file and adjust the content to suit your needs.
Restart the BIND process:

sudo /etc/init.d/bind9 restart

Have a look at the syslog file to make sure everything is OK:

tail -f /var/log/syslog

Step #4 - Create Dynamic DNS Script File

Create ddns.sh file with the following content:

#!/bin/bash
# This script fetches the current external IP address, writes out an nsupdate batch file,
# then performs an nsupdate against our remote server of choice.
# It is meant to be run from a 10 minute crontab.

WGET=$(which wget)
ECHO=$(which echo)
NSUPDATE=$(which nsupdate)
IP_FILE="/home/ddns/ip"
# The .private file produced by dnssec-keygen; nsupdate uses it to TSIG-sign the update
KEY_FILE="/home/ddns/Kdomain.com.au.+157+05161.private"

IP=$($WGET -q -O - checkip.dyndns.org | sed -e 's/.*Current IP Address: //' -e 's/<.*$//')

# Refuse to go on with an empty or malformed address (e.g. the lookup failed), otherwise
# the A records would be deleted and replaced with garbage
if ! [[ "$IP" =~ ^[0-9]{1,3}(\.[0-9]{1,3}){3}$ ]]
then
        $ECHO "Could not determine a valid public IP (got '$IP'), aborting"
        exit 1
fi

IS_UPDATE="no"

if [ -f "$IP_FILE" ]
then
        # Get file content
        IP_OLD=$(<"$IP_FILE")
        $ECHO "File IP exists with the content: $IP_OLD"

        if [ "$IP_OLD" == "$IP" ]
        then
                $ECHO "IP is not changing: $IP"
        else
                $ECHO "IP changes. OLD IP: $IP_OLD, NEW IP: $IP"
                IS_UPDATE="yes"
        fi
else
        $ECHO "File IP does not exist, creating one..."
        IS_UPDATE="yes"
fi

# Write the nsupdate batch to a private temporary file rather than a fixed,
# predictable path in the world-writable /tmp, and clean it up on exit
NSUPDATE_FILE=$(mktemp) || exit 1
trap 'rm -f "$NSUPDATE_FILE"' EXIT

$ECHO "server bind.domain.com.au" > "$NSUPDATE_FILE"
$ECHO "debug yes" >> "$NSUPDATE_FILE"
$ECHO "zone domain.com.au." >> "$NSUPDATE_FILE"
$ECHO "update delete domain.com.au A" >> "$NSUPDATE_FILE"
$ECHO "update add domain.com.au 600 A $IP" >> "$NSUPDATE_FILE"
$ECHO "update delete www.domain.com.au A" >> "$NSUPDATE_FILE"
$ECHO "update add www.domain.com.au 600 A $IP" >> "$NSUPDATE_FILE"
$ECHO "send" >> "$NSUPDATE_FILE"

$ECHO "Is Update: $IS_UPDATE"

if [ "$IS_UPDATE" == "yes" ]
then
        $ECHO "Updating..."
        if $NSUPDATE -k "$KEY_FILE" -v "$NSUPDATE_FILE" 2>&1
        then
                # Only remember the new address once the zone accepted it, so a failed
                # update is retried on the next cron run instead of being forgotten
                $ECHO "$IP" > "$IP_FILE"
        else
                $ECHO "nsupdate failed, will retry on the next run"
                exit 1
        fi
fi

The script does the following:
  • Gets the public IP address from checkip.dyndns.org
  • Checks whether or not the IP has changed since the previous poll. This is done by storing the IP in a file and comparing it on the next query
  • If the IP has changed, runs nsupdate
Notice the .private key is used here.

Then you can set up a cron job to run ddns.sh regularly.
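As an added example (not code from the original post), here is the DNS UPDATE that the nsupdate batch above produces, built and TSIG-signed by hand in Python, so you can see exactly what the key {} statement and allow-update { key ...; } authenticate. The key material is a constructed sample, not the author's secret; hmac-sha256 is included alongside the page's hmac-md5 because it is the algorithm to pick today and is configured in BIND in exactly the same way.

```python
import base64
import hashlib
import hmac
import struct
import time

# Constructed sample TSIG key, NOT the author's secret: 16 bytes, as dnssec-keygen -b 128 produces.
KEY_NAME = "domain.com.au."
KEY_SECRET_B64 = base64.b64encode(bytes(range(16))).decode()

# Wire-format algorithm name and digest. hmac-md5 is what the page configures; hmac-sha256 is
# the algorithm to pick today and is used in the key {} statement in exactly the same way.
ALGORITHMS = {
    "hmac-md5": ("hmac-md5.sig-alg.reg.int.", hashlib.md5),
    "hmac-sha256": ("hmac-sha256.", hashlib.sha256),
}


def encode_name(name):
    """Encode a dotted name as uncompressed DNS wire-format labels."""
    out = b""
    for label in name.rstrip(".").split("."):
        if not 0 < len(label) < 64:
            raise ValueError("bad label in %r" % name)
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def build_update(zone, ip, names, ttl=600, msg_id=0x1234):
    """RFC 2136 UPDATE doing what the nsupdate batch above does: for every name,
    'update delete <name> A' followed by 'update add <name> <ttl> A <ip>'."""
    octets = [int(p) for p in ip.split(".")]
    if len(octets) != 4 or not all(0 <= o <= 255 for o in octets):
        raise ValueError("not an IPv4 address: %r" % ip)
    # Header: ID, flags (opcode UPDATE = 5 -> 0x2800), ZOCOUNT=1, PRCOUNT=0, UPCOUNT, ADCOUNT=0
    header = struct.pack(">HHHHHH", msg_id, 0x2800, 1, 0, 2 * len(names), 0)
    zone_sec = encode_name(zone) + struct.pack(">HH", 6, 1)  # TYPE SOA, CLASS IN
    update_sec = b""
    for n in names:
        # delete every A RR at the name: TYPE A, CLASS ANY (255), TTL 0, RDLENGTH 0
        update_sec += encode_name(n) + struct.pack(">HHIH", 1, 255, 0, 0)
        # add one A RR: TYPE A, CLASS IN, TTL, RDLENGTH 4, then the four address octets
        update_sec += encode_name(n) + struct.pack(">HHIH", 1, 1, ttl, 4) + bytes(octets)
    return header + zone_sec + update_sec


def _tsig_variables(key_name, alg_wire, time_signed, fudge, error=0, other_len=0):
    # TSIG fields covered by the MAC (RFC 8945 4.3.3): key name, CLASS ANY, TTL 0, algorithm,
    # time signed, fudge, error and other-data length (other data is empty in a request)
    return (encode_name(key_name) + struct.pack(">HI", 255, 0) + alg_wire
            + time_signed + struct.pack(">HHH", fudge, error, other_len))


def tsig_sign(msg, key_name, secret_b64, algorithm, now=None, fudge=300):
    """Append a TSIG RR to an unsigned message, which is what nsupdate -k does with the .private file."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    alg_wire = encode_name(alg_name)
    time_signed = (int(time.time()) if now is None else now).to_bytes(6, "big")
    mac = hmac.new(base64.b64decode(secret_b64),
                   msg + _tsig_variables(key_name, alg_wire, time_signed, fudge), digestmod).digest()
    # TSIG RDATA: algorithm, time signed, fudge, MAC size, MAC, original ID, error, other length
    rdata = (alg_wire + time_signed + struct.pack(">HH", fudge, len(mac)) + mac
             + msg[:2] + struct.pack(">HH", 0, 0))
    tsig_rr = encode_name(key_name) + struct.pack(">HHIH", 250, 255, 0, len(rdata)) + rdata
    arcount = struct.unpack(">H", msg[10:12])[0] + 1  # the TSIG RR goes in the additional section
    return msg[:10] + struct.pack(">H", arcount) + msg[12:] + tsig_rr


def tsig_verify(signed, key_name, secret_b64, algorithm, now=None):
    """Check a signed UPDATE the way allow-update { key "domain.com.au."; } does. The TSIG RR is
    located by its owner name and type, which is enough here; a real server walks the sections."""
    alg_name, digestmod = ALGORITHMS[algorithm]
    alg_wire = encode_name(alg_name)
    marker = encode_name(key_name) + struct.pack(">HH", 250, 255)
    pos = signed.rfind(marker)
    if pos < 0:
        return False  # not signed with this key name
    rdata = signed[pos + len(marker) + 6:]  # skip TTL (4 bytes) and RDLENGTH (2 bytes)
    if not rdata.startswith(alg_wire):
        return False  # key name matches but the algorithm is not the configured one
    body = rdata[len(alg_wire):]
    time_signed, (fudge, mac_size) = body[:6], struct.unpack(">HH", body[6:10])
    mac = body[10:10 + mac_size]
    orig_id, error, other_len = struct.unpack(">HHH", body[10 + mac_size:16 + mac_size])
    now = int(time.time()) if now is None else now
    if abs(now - int.from_bytes(time_signed, "big")) > fudge:
        return False  # outside the fudge window: stale or replayed update
    # Rebuild the message as it was before signing: original ID, ADCOUNT without the TSIG RR
    arcount = struct.unpack(">H", signed[10:12])[0] - 1
    unsigned = struct.pack(">H", orig_id) + signed[2:10] + struct.pack(">H", arcount) + signed[12:pos]
    expected = hmac.new(base64.b64decode(secret_b64), unsigned + _tsig_variables(
        key_name, alg_wire, time_signed, fudge, error, other_len), digestmod).digest()
    return hmac.compare_digest(mac, expected)
```

Anything that changes the update body, the key, the algorithm name or the time window makes tsig_verify return False, which is why a stolen .private file is the only thing an attacker needs and why it must be kept safe.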

Wednesday, March 25, 2015

VMware VCAP5-DCA Passed

Today I sat the exam for VCAP5-DCA. Before the exam, I was googling the Internet for others' experiences, and everyone says time management is the main issue. You know what? They are all right! It was 23 questions in 180 minutes.

I was struggling to answer the questions to the last seconds!

I was skipping the questions that I thought were going to take a while, marking the question number on the plastic sheet provided, and going back to them later. I did the easy ones first until the end and then got back to the question numbers I had marked on the sheet.

The blueprint was spot on; I was asked about:

  • Distributed vSwitch, Static vSwitch
  • RESXTOP
  • vCO
  • PowerCLI
  • HA
  • DRS
  • SNMP
  • SATP
  • SSL Certificate
  • Traffic Blocking
  • SSO
  • Users, Groups and Roles
  • Performance Graphs
  • vSphere Replication
  • and much more :)
To be honest, it was a stressful exam. You are given a scenario and you need to follow the instructions. The stressful bit for me is that after you do it, you are not sure whether or not you did it correctly.

I finished the test at 4PM and was told that it was going to take 15 business days to get the result. I got the result email at 4:30PM, and I PASSED!!! with a score of 403

Monday, March 09, 2015

Sunday, February 01, 2015

VCAP5-DCA Study Guide

I have been studying for this VMware VCAP5-DCA exam for the last 2 months. This exam is for vSphere 5.5.

One of the best study guides is to watch Jason Nash's VMware vSphere Optimize & Scale

Then I read the VCAP5-DCA Official Cert Guide.

The last one is to do the VMware Hands On Labs, which are the best way to practise in a lab and try some of the concepts.

Thursday, January 29, 2015

VMware vCenter Operations Manager

I have just been trained on VMware vCOPS recently, and below is the "OO"-style diagram of the object relationships:


Wednesday, January 07, 2015

QNAP Reset Permissions

To reset QNAP file share permissions, SSH into it and run:

[#] set_volume_mode <Share Name>

For example

[#] set_volume_mode Public
Volume: news
Path: /share/MD0_DATA/news


This sets the directory mode to 0777 and the file mode to 0666 (keeping execute permission).

Thursday, December 18, 2014

XenDesktop 7.5 Publish Application to Multiple Delivery Group

Recently I deployed a XenApp/XenDesktop 7.5 environment with StoreFront 2.5. By default, the GUI console only allows you to publish an application to a single Delivery Group.

If you have 4 servers and 2 delivery groups, with 2 servers registered in each delivery group, then with this configuration you can only publish a particular application to a single delivery group, which is only 2 servers.

There was a requirement to be able to publish an application to all 4 servers within the 2 delivery groups. Apparently this is not possible using the GUI console.

However, using PowerShell you can!

You publish the application to the 1st delivery group using the GUI console, then you publish it to the 2nd delivery group using the following:

Add-BrokerApplication -Name "My Published App" -DesktopGroup "Delivery Group 2"

Note: There is a bug with this, which I believe is fixed in 7.6. The bug is that if you assign a user to only a single delivery group, that user won't be able to see any of the published applications assigned to him/her. The user must be assigned to both delivery groups.

Monday, December 15, 2014

Citrix XenApp 6.5 Cloning

Here are the steps I've followed successfully to clone a non-Data Collector XenApp role without using PvS:

  • Find out whether VMware customisation is used: yes or no
  • Find out the Data Collector: qfarm
  • Local admin password: find out the username/password for the local admin of the cloned machine
  • Shut down the XenApp server
  • Backup: take a snapshot of all XenApp servers and back up the SQL database
  • Start the XenApp server
  • XenApp Role Manager:
    - Start XA Role Manager
    - Edit Configuration
    - Prepare this server for imaging and provisioning
    - Do NOT remove this server from the farm
    - Apply
    - Change the IMA service startup type to Manual
  • If there is NO VMware customisation wizard: run sysprep here (or not, if you want to use it as a VMware template later)
  • Shut down the XenApp server
  • Clone using vSphere Clone:
    - customize (if sysprep has not been done)
    - do not customize (if you want to convert this into a template)
  • After cloning finishes, convert the cloned VM to a template
  • Deploy:
    - Deploy a VM from the template and customize it
    - Make sure it does not have the network connected
    - Remove it from the domain
    - Let it reboot once
  • Join to domain:
    - Connect the network
    - Join the deployed VM to the domain
    - Reboot
  • Start IMA:
    - Start the IMA service
    - Check that the server has joined the farm
    - Change the IMA service startup type to Automatic
  • Change the original master server's IMA service startup type back to Automatic

Wednesday, November 12, 2014

Citrix PS or XenApp Data Store Move - Domain Service Account

To move the Citrix SQL data store from one server to another, using a domain service account rather than the SQL built-in account, follow the process below:

  • Stop the IMA service on all Citrix servers
  • Back up the database from the source SQL server
  • Restore the database to the destination SQL server
  • Add the domain service account to the SQL server and assign it dbo rights on the database that has just been restored
  • Edit the MF20.DSN file on each Citrix server and make sure the following values exist:
UID = DOMAIN\USERNAME
Trusted_Connection=Yes
DATABASE=SQL-SERVER-DATABASE-NAME
WSID=CITRIX-SERVER-NAME
SERVER=SQL-SERVER-NAME[\INSTANCE]
  • Save the MF20.DSN file
  • Run the following command:
dsmaint config /user:DOMAIN\USERNAME /pwd:PASSWORD /dsn:"FULL-PATH-TO-MF20.DSN FILE"

Note: /dsn: requires double quotes ("")

Then run this:

dsmaint recreatelhc

Then start the IMA service.

Saturday, October 25, 2014

Getting AD NetBIOS Name From User DN

(Get-ADDomain (($user.DistinguishedName.Split(",") | ? {$_ -like "DC=*"}) -join ",")).NetBIOSName

Saturday, September 27, 2014

SSL Certificate Binding to Process

An SSL certificate is usually used on a web server, IIS for example. Obviously, binding an SSL certificate to an IIS site is a very straightforward task.

Using IIS Manager, you go to the site


Edit Site Bindings...


Select the https (443)


Then select the certificate from the list



Sometimes you need to bind an SSL certificate to a process or an application. If the application has an interface or GUI for binding an SSL certificate, great! If not, you need to follow the process here:

Get the application ID by running a WMI query:

wmic product list

This query produces a list of application names, their identifying numbers and install locations


Get the application identifier number (highlighted)

The next step is to get the SSL certificate hash/thumbprint. To get this you can either run:

netsh http show sslcert


or

Get it from the certificate itself


Finally you can bind it using the following command:

netsh http add sslcert ipport=<ip address>:<port> certhash=<cert thumbprint> appid={<app id>}
Sunday, August 31, 2014

PowerShell Sorting Hash Table

This is just a quick one, how to sort PowerShell Hash Table:

$ht = @{}
# Keys and values must be quoted strings (or other objects); bare words are not valid arguments here
$ht.Add("key1", "value1")
$ht.Add("key2", "value2")

# GetEnumerator() yields DictionaryEntry objects that Sort-Object can order by Key or Value.
# Note that the result is an array of DictionaryEntry objects, no longer a hashtable
$ht = $ht.GetEnumerator() | Sort-Object -Descending Value

Wednesday, July 16, 2014

PowerShell Module Quick Rundown

Yes, you have created a PowerShell script. But you are better off converting your PowerShell script into a PowerShell module.

To create a module, first you need to convert your script into a function. Test the function and, when you are ready:

(optional) - Export Function to be exposed to the public
add the following line to the end of your PowerShell Script File
Export-ModuleMember -Function <Function Name>

Save the file as <ModuleName>.psm1
Note: <ModuleName> is the module name

Get the PS Module path
$env:PSModulePath

Go to the PS Module Path
Create a folder with EXACTLY the same name as <ModuleName>
Store <ModuleName>.psm1 in the PS Module Path folder you just created

Check the Module is now available
Get-Module -ListAvailable

Import Module
Import-Module <ModuleName>

To view command available in the module
Get-Command -Module <ModuleName>

(optional) - To Create Manifest
New-ModuleManifest -Path <Path to the .psd1 new manifest file> -FunctionsToExport <Name of functions to be exported> -Author <Author Name> -CompanyName <Company> -Copyright <Copyright> -ModuleVersion <version#> -Description <Module Description>

Note: Path must be the same location where the actual module file (.psm1) is located

Wednesday, June 25, 2014

Passed Microsoft Exam 074-409

Today, I passed 074-409 Microsoft Exam: Server Virtualization with Windows Server Hyper-V & System Center. Not bad... what's next I wonder?

Sunday, June 22, 2014

BitLocker Day

Today is BitLocker day. I am BitLocking my file system with BitLocker. I have a QNAP and a File Server running Windows 2012 R2. My Windows 8.1 client machines have mapped drives that attach to the network shares on the File Server.

To secure the files:
Firstly, I have an iSCSI drive set up on the QNAP and my File Server uses that drive through the iSCSI initiator, let's say as the I: drive.

Secondly, I create a VHDX file and store it on the I: drive. This newly created VHDX file is then mounted as a volume, let's say the G: drive.

Thirdly, I have my data stored on the G: drive and share it as necessary to be used by my Windows 8.1 clients.

Lastly, I enable BitLocker on the G: drive so that the VHDX is encrypted.

By having this configuration, the actual data is stored within the VHDX file, which is encrypted by BitLocker. The I: drive is not encrypted, however it only contains the .VHDX file(s), which need a password if you want to mount them.

I purposely do not enable BitLocker auto-mount on G: drive. This to ensure if both File Server and QNAP are stolen, my data is not exposed. The only disadvantage of this method is that I need to mount the G: drive every time the File Server is rebooted - no biggie.


Thursday, May 08, 2014

Git Server Part #2

I found out today that WebDAV is not the best way to set up a Git server. Instead we are better off using git-http-backend, or "Smart" HTTP.

Also, we are going to install gitweb too, to let us view projects and repositories using a web browser.

To install gitweb:

sudo apt-get install gitweb

Install fcgid Apache2 Mod:

sudo apt-get install libapache2-mod-fcgid

Enable all Apache2 modules required:

sudo a2enmod env alias fcgid

Restart Apache2:

sudo service apache2 restart

From the previous blog, I have Git website setup already, so I need to modify my site.conf file.

Modification #1 - Give Access to git-http-backend 

<Directory /usr/lib/git-core>
Require all granted
Options +ExecCGI +FollowSymLinks
</Directory>

Modification #2 - Setup Alias for Gitweb

Alias /gitweb /usr/share/gitweb

<Directory /usr/share/gitweb>
Options +FollowSymLinks +ExecCGI
AddHandler cgi-script .cgi
</Directory>

Modification #3 - Add Script Alias


ScriptAliasMatch "(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38} | pack/pack-[0-9a-f]{40}.(pack|idx)) | git-(upload|receive)-pack))$" /usr/lib/git-core/git-http-backend/$1

Modification #4 - Add Environment Variables

SetEnv GIT_PROJECT_ROOT /home/www/git
SetEnv GIT_HTTP_EXPORT_ALL
SetEnv REMOTE_USER=$REDIRECT_REMOTE_USER
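To see exactly which request paths the ScriptAliasMatch above hands to git-http-backend, and which fall through to the gitweb alias or the DocumentRoot, here is an added Python check (not part of the original post) that applies the same pattern to constructed sample URLs for the prod/repo01 layout used on this blog. It assumes Apache's behaviour of matching the URL-path without the query string.

```python
import re

# The ScriptAliasMatch pattern from the site config above, verbatim. (?x) makes the spaces
# around each "|" insignificant in Python's re exactly as it does in Apache's PCRE.
GIT_HTTP_PATTERN = re.compile(
    r"(?x)^/(.*/(HEAD | info/refs | objects/(info/[^/]+ | [0-9a-f]{2}/[0-9a-f]{38}"
    r" | pack/pack-[0-9a-f]{40}.(pack|idx)) | git-(upload|receive)-pack))$"
)
BACKEND = "/usr/lib/git-core/git-http-backend"


def route(request_uri):
    """Return the script path Apache hands the request to, or None when the ScriptAliasMatch
    does not fire and the URL falls through to the gitweb alias or the DocumentRoot.
    Apache matches the URL-path only, so a query string such as ?service=git-upload-pack
    (the smart-HTTP ref advertisement) is dropped before matching."""
    path = request_uri.split("?", 1)[0]
    m = GIT_HTTP_PATTERN.match(path)
    return None if m is None else BACKEND + "/" + m.group(1)


def routing_table(request_uris):
    """Routing decision for every URI, as {uri: backend path or None}."""
    return {uri: route(uri) for uri in request_uris}


# Constructed sample request paths for the prod/repo01 layout used in this blog.
SAMPLE_REQUESTS = [
    "/prod/repo01/info/refs?service=git-upload-pack",        # clone/fetch handshake
    "/prod/repo01/git-receive-pack",                          # push
    "/prod/repo01/HEAD",
    "/prod/repo01/objects/ab/" + "c" * 38,                    # loose object (dumb HTTP fallback)
    "/prod/repo01/objects/pack/pack-" + "d" * 40 + ".idx",
    "/prod/repo01/config",                                    # repository config: never exposed
    "/gitweb/index.cgi",                                      # served by the gitweb Alias instead
    "/prod/repo01/objects/pack/pack-" + "d" * 40 + "Xidx",    # the unescaped "." before (pack|idx)
]                                                             # lets this odd name through too

if __name__ == "__main__":
    for uri, target in routing_table(SAMPLE_REQUESTS).items():
        print("%-60s -> %s" % (uri, target or "(not git-http-backend)"))
```

The last sample shows that the "." before (pack|idx) is unescaped and matches any character; git-http-backend simply returns 404 for such a name, but escaping it as \. makes the routing intent explicit.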

Next is to configure Gitweb. Edit gitweb.conf

sudo vi /etc/gitweb.conf

Change the $projectroot to the location of your project root folder
Save it

Next is to delete the gitweb.conf from /etc/apache2/conf.d/ folder

Now to access your gitweb, just point to: http://git.domain.tld/gitweb

Sunday, April 27, 2014

Setting Up Git Server for Remote Repository

I have been wanting to have my own local software development repository. My development 'mode' is ON again and I am ready to rock-and-roll. While using Visual Studio 2013, I noticed that it natively supports Git. Looking into it further, I found this amazing Git jump start tutorial on MVA.

Git is a distributed repository model, however it also supports remote repository where commits can be pushed to the central remote repository and be shared with others if needed.

I am running my own Ubuntu server and while developing on my Visual Studio 2013 Git-ing locally, I would also like to 'Sync' all the commits to the central repository. So setting up Git 'Server' on my Ubuntu server is a good idea.

Git supports multiple protocols, like SSH, Git and HTTP. I prefer the latter as I might want to collaborate with other developers in the future and HTTP is the better option for that.

I have Ubuntu 14.04 LTS running Apache 2.4.7.

Install Git

So, first things first: set up Git on the Ubuntu server by running apt-get:

apt-get install git-core

Directory Structure

Now, I am going to create the home folder for this site, located in /home/www/git, then create a different path for each of the prod, test and dev repos. To do that:

cd /home/www
mkdir git
cd git
mkdir prod
cd prod
mkdir repo01
cd repo01
git --bare init
git update-server-info


As you can see above, I am creating the first Git repo in /home/www/git/prod/repo01 and initialise the Git bare repository. Do the same thing for each test and dev repos.

Next, let's give ownership of the file structure to the web server user:

cd /home/www/git
chown -R www-data:www-data .

Apache Configuration

Next is to configure Apache2 to enable the WebDAV module and set up a new site for Git.
To enable WebDAV on Apache2, run the a2enmod command:

a2enmod dav_fs

After you enable the module, you can check with a2query:

a2query -m dav_fs
a2query -m dav

To create the site, do the following:

cd /etc/apache2/sites-available
vi git.domain.tld.conf

Once the editor opens, use this content:

<VirtualHost *:80>
ServerAdmin info@domain.tld
ServerName git.domain.tld
ServerAlias git2.domain.tld
#Indexes + Directory Root
DirectoryIndex index.php
DocumentRoot /home/www/git/
#Log Files
ErrorLog /home/www/log/git.error.log
CustomLog /home/www/log/git.access.log combined
<Directory /home/www/git>
DAV on
Require all granted
</Directory>
</VirtualHost>


The most important line is DocumentRoot, which points to the folder where the root of the Git repositories will be. The second one is DAV on, for WebDAV.

At this stage there is NO authentication or authorization set up on the Apache VirtualHost; I will show you how to use Active Directory as the LDAP source for authentication later. Also note that it is running on HTTP only at this point. In the future, if I would like to publish this to the Internet, I will set up a reverse proxy with HTTPS on the Internet-facing interface.

Testing Git

To test Git, on the client side:

mkdir /home/user/test
cd /home/user/test
git init
git remote add origin http://git.domain.tld/prod/repo01
touch index.php
git add .
git commit -a -m "Testing commit"
git push origin master


Have fun!

Monday, March 17, 2014

Setting Up Hyper-V 2012 R2 Server Core

In the past year or two, I used to have 2 Hyper-V servers. They make a good hypervisor platform. The best thing I like about having 2 Hyper-V servers is replication. I need the replication to make sure my critical virtual machines are available when one of the hosts fails.

Anyway, I decided to shut down one of the hosts. I still need the replication for my critical virtual machines. My physical host has got a local RAID controller, on which all the virtual machines are running. I decided to create a virtual Hyper-V Server 2012 R2 Core running on this physical host.

Within the virtual Hyper-V server, I initiate iSCSI to my QNAP NAS and set the Hyper-V replication settings to use this iSCSI disk as the target for Hyper-V replication, i.e. all replicated vdisks will be stored on the iSCSI disk.

The challenge is to configure Hyper-V Server Core, which by default has the firewall enabled.
Firstly, I need to enable the firewall rules for Remote Disk Management. The rules are there, but by default they are disabled. We need to find the group under which the rules are specified.

To find the grouping:

Get-NetFirewallRule | Select DisplayGroup -Unique | Sort DisplayGroup


As you can see there are groups called Remote Service Management and Remote Volume Management

To find the rules within a group:

Get-NetFirewallRule | Where {$_.DisplayGroup -eq "Remote Service Management"} | Select Name


As you can see there are 3 rules associated with the group. To enable them:

Get-NetFirewallRule | Where {$_.DisplayGroup -eq "Remote Service Management"} | Enable-NetFirewallRule

You then need to do the same thing for Remote Volume Management and Hyper-V Replica HTTP

Once you have enabled all the rules, from your physical host, using Server Manager, you can add your Hyper-V Core Server and right click on the server and run Computer Management from the context menu


Now because I would like to run iSCSI initiator from this virtual Hyper-V Core server, I then enable the Microsoft iSCSI Initiator Service and change its startup type to be Automatic

You then need to setup the iSCSI, by running iscsicpl from the command prompt of the Hyper-V Core Server


Enter the details of your iSCSI target and then using the Disk Management you can format and assign a drive letter to the newly created iSCSI disk. Once you have the disk, using Hyper-V Manager, run Hyper-V Settings


Within Hyper-V Settings, select Replication Configuration



Select Enable this computer as a Replica Server, and select either Use Kerberos (HTTP) or Use certificate-based Authentication (HTTPS)



Lastly, specify the default location to store Replica files


You can now start replicating your Virtual Machines!!

Monday, February 24, 2014

Java 7 Update 45 Security Warning Workaround

I am sure you have seen this warning message from Java:



Basically you need to click "I Accept..." and the Run button to continue with your broken Java application. The worst thing is that, even if you accept the terms and click Run every time this happens, sometimes it still does not want to run the Java application.

This behaviour starts happening if you have Java 7 Update 45 installed.

There are workarounds, obviously: first, you can downgrade your Java to a version before Update 45.
Or you can disable the Java cache on your endpoint by going to:

In Windows:
  1. Control Panel
  2. Java
  3. General tab
  4. Temporary Internet Files
  5. Settings button
  6. New dialog: Temporary Files Settings
  7. Disable the option: keep temporary files on my computer.

Tuesday, January 28, 2014

PsExec and PsInfo

PsExec and PsInfo have always been great tools for executing things remotely. I recently needed to push Flash Player 12 to remote machines.

I copied both PsExec.exe and PsInfo.exe and the flashplayer12-0_install_win_ax.exe file to C:\Temp on my machine

To check the installed software on the remote machine, I run:

C:\Temp> PsExec.exe \\remote-machine -u DOMAIN\Username -c -f C:\Temp\PsInfo.exe -accepteula -s

-c : copy the PsInfo.exe to the remote machine
-f : force copy if the file exists on the remote machine
-s: Info for software

To Install the Adobe Flash 12 ActiveX on the remote machine, I run:

C:\Temp> PsExec.exe \\remote-machine -u DOMAIN\Username -c -f -h C:\Temp\flashplayer12-0_install_win_ax.exe -install

-h : run the installer with higher privileges
-install : adobe silent install flag

Tuesday, December 31, 2013

NetScaler Blank Screen with Internet Explorer 9+

If you customized your NetScaler theme and when trying to login to its Access Gateway or VPN using Internet Explorer 10 or 11, you might get a blank screen instead of a login screen.

To fix this issue, you can tell your users to run IE in compatibility mode, or you need to edit the index.html file located in your theme folder.

I am using the Symphony1 theme, so my index.html file is located at:

/var/vpn/themes/Symphony1/ns_gui/vpn/index.html

Edit the file using vi and add the following line:

<META http-equiv="X-UA-Compatible" content="IE=EmulateIE9" />

right after <link

Location of <META> Tag

Save the file and try again :)

Friday, November 29, 2013

PowerShell Awesomeness!!

Loves PowerShell!

Here is how to get the details of all mailboxes in Exchange 2013 and then assign the new Enterprise Vault 10.0.4 app to them, for a particular OU:


Get-ADUser -SearchBase "OU=My Users,DC=domain,DC=local" -SearchScope Subtree -Filter {proxyaddresses -like "smtp:*"} | ForEach-Object {$mbx = Get-Mailbox $_.SamAccountName; New-App -mailbox $mbx.LegacyExchangeDN -Url ("https://vault.domain.local/EnterpriseVault/OfficeMailAppManifest.aspx?LegacyMbxDn=" + $mbx.LegacyExchangeDN + "&BaseURL=https://vault.domain.com/EnterpriseVault")}


Don't forget to change the -SearchBase and -Url parameters.

All the users in the OU with mailbox enabled will get the new Enterprise Vault Web Application!

Monday, November 25, 2013

Exchange 2013 CU2 v2 Installation Guide

Here are the steps that I followed to upgrade my Exchange 2013 CU1 servers to CU2 v2.

I have 1x (MBX + CAS) server role, 2x MBX server role and 2x CAS server role. The order of patching is to do the MBX servers first, then the CAS servers after that. All the MBX servers I have are members of the same DAG cluster.

Exchange Schema Version
Exchange 2013 CU2 upgrades the Active Directory schema as part of the installation.
To check the existing Exchange schema version, run the following PowerShell script:


$root  = [ADSI]"LDAP://RootDSE"
$name  = "CN=ms-Exch-Schema-Version-Pt," + $root.schemaNamingContext
$value = [ADSI]( "LDAP://" + $name )
"Exchange Schema Version = $( $value.rangeUpper )"

The CU1 schema version is: 15254

I prefer to run the schema change using the Setup.exe command line rather than the GUI.
Make sure the server on which you are running the schema change is in the same site as the domain controller that holds the Schema Master FSMO role.
Make sure the account that you are using to run the schema change is a member of the Enterprise Admins group.

To run the schema upgrade, using the setup.exe from the extracted CU2 file:


Setup.exe /PrepareSchema /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareAD /IAcceptExchangeServerLicenseTerms
Setup.exe /PrepareDomain /IAcceptExchangeServerLicenseTerms



After the schema upgrade, the version is: 15281

Exchange Mailbox Role Upgrade
Make sure the PowerShell script execution policy is set to "Unrestricted" before you start the upgrade process:

Set-ExecutionPolicy Unrestricted

If there is a UM language pack installed other than en-US, it must be uninstalled (for example if you have the en-AU language pack installed):

Setup.exe /RemoveUMLanguagePack:en-AU

If you are using SCOM to monitor this mailbox server, put the agent under maintenance

If you have an active Mailbox database on this server, move it to another server

Drain the Hub Transport

Set-ServerComponentState <servername> -Component HubTransport -State Draining -Requester Maintenance

Redirect Message to another server
Redirect-Message -Server <servername> -Target <target-server.fqdn>
Note: target-server.fqdn MUST be FQDN


Suspend DAG Node
Suspend-ClusterNode -Name <servername>

Disable database copy activation
Set-MailboxServer <servername> -DatabaseCopyActivationDisabledAndMoveNow $true

Review the existing database copy auto activation policy
Get-MailboxServer <servername> | Select DatabaseCopyAutoActivationPolicy
Take a note of the copy auto activation policy **

Set AutoActivation policy to blocked
Set-MailboxServer <servername> -DatabaseCopyAutoActivationPolicy Blocked

Put Server in Maintenance Mode
Set-ServerComponentState <servername> -Component ServerWideOffline -State InActive -Requester Maintenance

Apply CU2 to the server
Run the setup.exe from the CU2 extracted folder
Once finished, reboot the server

Stop DAG Maintenance mode
Set-ServerComponentState <servername> -Component ServerWideOffline -State Active -Requester Maintenance

Resume DAG node
Resume-ClusterNode -Name <servername>

Set AutoActivation policy to original setting
Set-MailboxServer <servername> -DatabaseCopyAutoActivationPolicy Unrestricted (** original settings from the above command)

Enable database copy activation
Set-MailboxServer <servername> -DatabaseCopyActivationDisabledAndMoveNow $false

Put Server in Active Mode
Set-ServerComponentState <servername> -Component HubTransport -State Active -Requester Maintenance

- Re-install Language Pack if needed
- Take server out of maintenance mode in SCOM


Exchange CAS Role Upgrade
Make sure the PowerShell script execution policy is set to "Unrestricted" before you start the upgrade process

If you are using SCOM to monitor this server, put the agent under maintenance


Apply CU2 to the server
Run the setup.exe from the CU2 extracted folder
Once finished, reboot the server


- Take server out of maintenance mode in SCOM

Wednesday, November 13, 2013

Exchange 2010 Mailbox Restore with NetBackup 7.5.6

Today, I needed to restore a mailbox from Exchange 2010 using NetBackup.
Here are the steps I took to get it done:

Create a Recovery Database

Add a storage to the exchange server (e.g. virtual disk to the VM)
Assign a drive letter to this newly created disk in the exchange server (e.g. Z: drive)
Create a folder for the recovery DB (e.g. Z:\Recovery)
Create a folder for the recovery log (e.g. Z:\Recovery\Log)

Run the PowerShell below to create a recovery DB:

New-MailboxDatabase -Recovery -Name recoveryDB -Server exc01 -EdbFilePath "Z:\Recovery\Mailbox01.edb" -LogFolderPath "Z:\Recovery\Log"

I make the EDB file name exactly the same as the original EDB file name.

On the properties of the recoveryDB, make sure "This database can be overwritten by a restore" is selected



Restore the Database Backup

From the Netbackup Console, Add the client: File - Specify NetBackup Machines and Policy Type...
Click on Edit Client List button
Add the client name
Source client for restores: exc01
Destination client for restores: exc01
Policy type for restores: MS-Exchange-Server

Select the date of the backup to be restored


Navigate to the Microsoft Information Store and select both database and log


Click the restore icon
On Microsoft Exchange tab: 
Point-in-Time Recovery (Replay only restored log files)
Commit after last backup set is restored



On General tab:
Restore everything to a different location (maintaining existing structure)
Destination: Microsoft Exchange Database Availability Groups:\dag\Microsoft Information Store\RecoveryDB\

Note: Make sure the Destination is RecoveryDB



Click Start Restore

Mount the Database

Once the restore is completed, mount the RecoveryDB (if it is not mounted automatically)

Create a Recovery Account

Create a recovery account for the (target) mailbox
Run the PowerShell below to restore the mailbox:

Restore-Mailbox -Identity recoveryUser -RecoveryDatabase RecoveryDB -RecoveryMailbox sourceMailboxUser -TargetFolder Recovery

Thursday, October 31, 2013

Changing Network Location on Windows 2008R2/2012

For some unknown reason, one of my domain controller servers has changed its network location from domain to public:

This is annoying because the Public profile firewall then starts blocking all unknown incoming traffic to my server.
We need to change this network location to Domain. However, sometimes the location name is not clickable!!

To fix this, I found a trick:
Navigate to this network properties and un-tick the Internet Protocol Version 6 (TCP/IPv6) stack


Click OK

Then it should change the network location type to Domain.
Now you can turn the IPv6 stack back ON.

Tuesday, October 29, 2013

Upgrade Wordpress Procedures

I am hosting my own WordPress website and very often need to upgrade the WordPress package. Obviously there is an automatic way to upgrade WordPress, which requires an FTP server. I do not have an FTP server and thus do it the manual way.

There is an official way to upgrade it manually; however, I am using the following method to upgrade it.

Backup wordpress

  • Back up the database
  • Back up the files:

rsync -a wordpress/ wordpress.backup/

Download the latest wordpress

wget http://wordpress.org/latest.tar.gz

Extract the tar file

gunzip latest.tar.gz
tar -xvf latest.tar

This creates a wordpress directory.

Disable all the plugins

Navigate to the admin panel and disable all the plugins

Copy the updated files

rsync -rtv new_wordpress/wordpress/ old_path/wordpress/

Check the website

Browse the website; it usually prompts for the database upgrade.
If everything is OK, you can delete the wordpress.backup/ folder



Saturday, September 28, 2013

Configuration File is not well-formed XML

Today I found that one of my Exchange 2013 servers had started generating Event ID 2001


It turns out that Exchange had corrupted the applicationHost.config file. If you open the file, you will see garbage characters all over the place.

Luckily I have another Exchange 2013 server in the same DAG, so I just copied applicationHost.config from its C:\Windows\System32\inetsrv\config folder over the corrupted one and then did an IIS reset

Saturday, September 07, 2013

OwnCloud - Setting IT Up

I needed a solution to store my files; in fact, I needed some way of synchronising my files across 2 or more computers. I found the ownCloud solution.

Setting it up is straightforward, just follow the documentation. However, by default ownCloud stores its file repository on the local server where ownCloud is installed. I have a Windows file share and I want all my files stored in that Windows file share.

I am running Ubuntu and installed ownCloud on it.

I created a shared folder on my Windows server and a user account in my Windows domain, straightforward.

On my Ubuntu server, I first created a hidden file that contains the username and password of the Windows domain account I created earlier

> vi /path/.smbcredentials

username=myuser
password=mypassword

save this file

next, I created a mount point at which I will mount the Windows shared folder on this Ubuntu server

> mkdir /mount/projects

then I found the user and group IDs of the account running the web server, in my case www-data

> id www-data

uid=33(www-data) gid=33(www-data) groups=33(www-data)

next, I edited the fstab file to mount the file share

> vi /etc/fstab

and add the following line:

//server.domain.local/share /mount/projects cifs credentials=/path/.smbcredentials,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0

then do

> mount -a

it should mount the Windows shared folder at /mount/projects

now, during the ownCloud installation, when it asks for the data folder, you can enter /mount/projects!
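The mount entry above points a web server at a share whose password sits in a clear-text file, so it is worth reviewing before running mount -a. The following is an added example, not part of the post: it parses the fstab line, creates the credentials file with mode 0600 regardless of umask, checks its ownership and permissions, and flags sec=ntlm (the old NTLM v1 response; sec=ntlmssp negotiates NTLMv2). Paths and values are constructed for the demonstration.

```python
# Added example, not part of the post: review the cifs fstab entry before mount -a.
# The credentials file holds a domain password in clear text, so it is created 0600
# and checked for ownership/permissions; the weak sec= option is also flagged.
import os
import stat
import tempfile

FSTAB_LINE = ("//server.domain.local/share /mount/projects cifs "
              "credentials=/path/.smbcredentials,iocharset=utf8,sec=ntlm,dir_mode=0770,uid=33,gid=33 0 0")

def parse_fstab_line(line):
    """Six fstab fields; the option string becomes a dict (bare flags map to None)."""
    src, mnt, fstype, opts, dump, pas = line.split()
    options = {k: (v or None) for k, _, v in (o.partition("=") for o in opts.split(","))}
    return {"source": src, "mountpoint": mnt, "fstype": fstype, "options": options}

def write_credentials(path, username, password):
    """Create the credentials file 0600 regardless of umask, refusing to overwrite an existing file."""
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as f:
        f.write(f"username={username}\npassword={password}\n")

def review_entry(line, owner_uid=0):
    """Problems with the entry: missing/loose credentials file and NTLMv1 authentication."""
    entry = parse_fstab_line(line)
    opts, problems = entry["options"], []
    cred = opts.get("credentials")
    if cred is None:
        problems.append("no credentials= option (the password would end up in fstab itself)")
    elif not os.path.exists(cred):
        problems.append(f"{cred} does not exist")
    else:
        st = os.stat(cred)
        if st.st_uid != owner_uid:
            problems.append(f"{cred} not owned by uid {owner_uid}")
        if st.st_mode & (stat.S_IRWXG | stat.S_IRWXO):
            problems.append(f"{cred} readable by group/others (mode {stat.S_IMODE(st.st_mode):04o})")
    if opts.get("sec") == "ntlm":  # NTLMv1 response; sec=ntlmssp negotiates NTLMv2
        problems.append("sec=ntlm selects the old NTLM (v1) response; prefer sec=ntlmssp")
    return problems

def demo():
    """Write a credentials file into a temp dir and review the post's entry pointing at it."""
    d = tempfile.mkdtemp()
    cred = os.path.join(d, ".smbcredentials")
    write_credentials(cred, "myuser", "mypassword")
    line = FSTAB_LINE.replace("/path/.smbcredentials", cred)
    strict = review_entry(line, owner_uid=os.getuid())      # only the sec=ntlm warning remains
    os.chmod(cred, 0o644)
    loose = review_entry(line, owner_uid=os.getuid())       # now also the permission finding
    return strict, loose
```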

Monday, August 26, 2013

Monday, August 12, 2013

Micro$oft, what the.... ???

I have been getting a lot of these on my server for the last 4 days:

The IP 157.56.162.105 has just been banned by Fail2Ban after
6 attempts against ssh.

Here are more information about 157.56.162.105:

Lines containing IP:157.56.162.105 in /var/log/auth.log

Aug 11 20:40:08 x sshd[60929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:10 x sshd[60929]: Failed password for root from 157.56.162.105 port 62640 ssh2
Aug 11 20:40:10 x sshd[60929]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:40:18 x sshd[60931]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:20 x sshd[60931]: Failed password for root from 157.56.162.105 port 1112 ssh2
Aug 11 20:40:20 x sshd[60931]: Connection closed by 157.56.162.105 [preauth]
Aug 11 20:50:17 x sshd[60935]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:18 x sshd[60935]: Failed password for root from 157.56.162.105 port 1064 ssh2
Aug 11 20:50:19 x sshd[60935]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:21 x sshd[60937]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:23 x sshd[60937]: Failed password for root from 157.56.162.105 port 62560 ssh2
Aug 11 20:50:23 x sshd[60937]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:50:29 x sshd[60939]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:50:31 x sshd[60939]: Failed password for root from 157.56.162.105 port 1184 ssh2
Aug 11 20:50:31 x sshd[60939]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 21:00:34 x sshd[60943]: Connection closed by 157.56.162.105 [preauth]

and guess who owns the 157.56.162.105?
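To see how the ban above is reached from the log lines themselves, here is an added example (not the author's script) that counts sshd "Failed password" lines per source host, the way fail2ban's sshd filter does, and reports hosts that reach the threshold of 6 attempts quoted in the fail2ban mail. The sample lines are constructed in the auth.log format shown above; 192.0.2.10 is a documentation address standing in for a legitimate user.

```python
# Added example, not the author's script: count sshd "Failed password" lines per
# source host the way fail2ban's sshd filter does and report hosts that reach the
# threshold (6 attempts, as in the fail2ban mail above). The sample lines are
# constructed in the auth.log format quoted above; 192.0.2.10 is a documentation address.
import re
from collections import Counter, defaultdict

FAILED = re.compile(
    r"^\w{3} +\d{1,2} \d\d:\d\d:\d\d \S+ sshd\[\d+\]: "
    r"Failed password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) port \d+ ssh2$"
)

SAMPLE_LOG = """\
Aug 11 20:40:08 x sshd[60929]: pam_unix(sshd:auth): authentication failure; logname= uid=0 euid=0 tty=ssh ruser= rhost=157.56.162.105  user=root
Aug 11 20:40:10 x sshd[60929]: Failed password for root from 157.56.162.105 port 62640 ssh2
Aug 11 20:40:10 x sshd[60929]: Received disconnect from 157.56.162.105: 11: Bye Bye [preauth]
Aug 11 20:40:20 x sshd[60931]: Failed password for root from 157.56.162.105 port 1112 ssh2
Aug 11 20:50:18 x sshd[60935]: Failed password for root from 157.56.162.105 port 1064 ssh2
Aug 11 20:50:23 x sshd[60937]: Failed password for root from 157.56.162.105 port 62560 ssh2
Aug 11 20:50:31 x sshd[60939]: Failed password for root from 157.56.162.105 port 1184 ssh2
Aug 11 21:00:30 x sshd[60943]: Failed password for invalid user admin from 157.56.162.105 port 1200 ssh2
Aug 11 21:05:02 x sshd[60950]: Failed password for laurence from 192.0.2.10 port 50022 ssh2
Aug 11 21:05:09 x sshd[60950]: Accepted password for laurence from 192.0.2.10 port 50022 ssh2
"""

def failed_logins(log_text):
    """Return (failures per source IP, usernames tried per source IP)."""
    attempts, users = Counter(), defaultdict(set)
    for line in log_text.splitlines():
        m = FAILED.match(line)
        if m:  # the pam_unix and disconnect lines describe the same attempt, so only this shape counts
            attempts[m["ip"]] += 1
            users[m["ip"]].add(m["user"])
    return attempts, users

def hosts_to_ban(log_text, maxretry=6):
    """Source IPs with at least maxretry failures, sorted."""
    attempts, _ = failed_logins(log_text)
    return sorted(ip for ip, n in attempts.items() if n >= maxretry)

if __name__ == "__main__":
    attempts, users = failed_logins(SAMPLE_LOG)
    for ip in hosts_to_ban(SAMPLE_LOG):
        print(f"ban {ip}: {attempts[ip]} failures, users tried: {sorted(users[ip])}")
```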



Thursday, July 18, 2013

Securing SSH Server with fail2ban and Email Notification

I use fail2ban to secure my SSH server, following this guide:

https://help.ubuntu.com/community/Fail2ban

This bans the offending IP address and notifies me by email of the failed attempts,
and I use the following script to notify me by email of each successful login.

Edit or create /etc/sshd/sshrc:

# sshd runs this file with sh on every successful login, as the user who logged in
DATE=$(date "+%d.%m.%Y--%Hh%Mm")
IP=$(echo "$SSH_CONNECTION" | awk '{print $1}')
REVERSE=$(dig -x "$IP" +short)
# mktemp instead of the predictable /tmp/mail.content, which another local user could pre-create
MAILFILE=$(mktemp) || exit 0
printf 'From: MyBox <fromemail@domain.tld>\nTo: "Lau, Laurence" <me@domain.tld>\nSubject: SSH Login Successfully\n\n' > "$MAILFILE"
echo "$DATE, user $USER just logged in from $IP ($REVERSE)" >> "$MAILFILE"
# sendmail -t takes the recipients from the headers; the relay host (smtprelay.domain.tld) belongs in the MTA configuration
(sendmail -t < "$MAILFILE"; rm -f "$MAILFILE") &


Saturday, June 08, 2013

MCSA 2012

Yay! I just passed Microsoft Exam 70-417 and am officially MCSA 2012

Wednesday, June 05, 2013

SMTP TLS Authentication Testing

To test an SMTP connection, we sometimes use telnet to port 25 and run some SMTP commands to diagnose problems. What if you want to test SMTP authentication using telnet? What if the SMTP server only offers authentication over TLS?

To test whether your SMTP server supports authentication, try the following

telnet your-smtp-server.domain.tld 25

Connected to your-smtp-server.domain.tld.
Escape character is '^]'.
220 your-smtp-server.domain.tld ESMTP

EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-STARTTLS
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN


As you can see from the server's response to the EHLO localhost command, it does not advertise authentication; however, it does support TLS (250-STARTTLS)

So now we can try to communicate using TLS, with the following

openssl s_client -starttls smtp -crlf -connect your-smtp-server.domain.tld:25

CONNECTED(00000003)
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify error:num=18:self signed certificate
verify return:1
depth=0 C = AU, ST = NSW, L = Sydney, O = Laurence Corp, OU = IT, CN = your-smtp-server.domain.tld
verify return:1
---
Certificate chain
 0 s:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
   i:/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
Server certificate
subject=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
issuer=/C=AU/ST=NSW/L=Sydney/O=Laurence Corp/OU=IT/CN=your-smtp-server.domain.tld
---
No client certificate CA names sent
---
SSL handshake has read 1564 bytes and written 411 bytes
---
New, TLSv1/SSLv3, Cipher is ECDHE-RSA-AES256-SHA
Server public key is 1024 bit
Secure Renegotiation IS supported
Compression: zlib compression
Expansion: zlib compression
SSL-Session:
    Protocol  : TLSv1.1
    Cipher    : ECDHE-RSA-AES256-SHA
    Session-ID: 163CF3718E7E3DAD34259654B2510CEFD6CDBFEE0D067FAF6D816C6145D45301
    Session-ID-ctx:
    Master-Key: FEEAB321DE6A876EB0954FB3372A540CC09D3E8F14D4EBBEB8448FE7D6CDADD3DAB9201B7450FDCAA7F2448BC0949AF7
    Key-Arg   : None
    PSK identity: None
    PSK identity hint: None
    SRP username: None
    TLS session ticket lifetime hint: 3600 (seconds)
    TLS session ticket:

    Compression: 1 (zlib compression)
    Start Time: 1370408569
    Timeout   : 300 (sec)
    Verify return code: 18 (self signed certificate)
---
250 DSN

EHLO localhost
250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-VRFY
250-ETRN
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-ENHANCEDSTATUSCODES
250-8BITMIME
250 DSN

As you can see, now that we are connected using TLS and issue the EHLO localhost command, 250-AUTH is advertised, and it includes PLAIN

To test the authentication, you need to generate the base64-encoded credential, using Perl. For example, if you have username myname and password mypass, you would run a command of the form: perl -MMIME::Base64 -e 'print encode_base64("username\0username\0password")'

perl -MMIME::Base64 -e 'print encode_base64("myname\0myname\0mypass")'
bXluYW1lAG15bmFtZQBteXBhc3M=

You then have the base64-encoded value bXluYW1lAG15bmFtZQBteXBhc3M=
You can then issue the AUTH PLAIN command

AUTH PLAIN bXluYW1lAG15bmFtZQBteXBhc3M=
235 2.7.0 Authentication successful

As you can see, we are authenticated, and you can then do the usual SMTP operations
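The same check can be scripted. The following is an added example, not from the post: it parses the two EHLO replies shown above (abridged), confirms that AUTH is offered only after STARTTLS (which is what keeps a PLAIN credential off the wire in clear text), and builds the SASL PLAIN token that the Perl one-liner produces, using the post's dummy myname/mypass. The live check at the end assumes a reachable server and is not exercised offline.

```python
# Added example, not from the post: parse the two EHLO replies shown above (abridged),
# confirm that AUTH is offered only after STARTTLS, and build the SASL PLAIN token the
# Perl one-liner produces. Credentials are the post's dummy myname/mypass; the live
# check at the end assumes a reachable server and is not exercised offline.
import base64
import smtplib

EHLO_PLAINTEXT = """250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-STARTTLS
250-8BITMIME
250 DSN"""

EHLO_AFTER_TLS = """250-your-smtp-server.domain.tld
250-PIPELINING
250-SIZE 10240000
250-AUTH PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-AUTH=PLAIN LOGIN CRAM-MD5 DIGEST-MD5
250-8BITMIME
250 DSN"""

def parse_ehlo(reply):
    """Map each advertised ESMTP keyword to its parameter list; the first line is the hostname."""
    caps = {}
    for line in reply.splitlines()[1:]:
        body = line[4:].replace("=", " ", 1)       # drop '250-'/'250 '; 'AUTH=' is the legacy spelling of AUTH
        keyword, _, params = body.partition(" ")
        caps[keyword.upper()] = params.split()
    return caps

def auth_gated_by_tls(before_tls, after_tls):
    """True when AUTH (with PLAIN) appears only on the encrypted channel, as on the post's server."""
    return "AUTH" not in parse_ehlo(before_tls) and "PLAIN" in parse_ehlo(after_tls).get("AUTH", [])

def plain_token(username, password, authzid=None):
    """RFC 4616 PLAIN: authzid NUL authcid NUL password, base64; the post repeats the username as authzid."""
    authzid = username if authzid is None else authzid
    return base64.b64encode(f"{authzid}\0{username}\0{password}".encode()).decode()

def check_server(host, username, password, port=25):
    """Live equivalent of the telnet/openssl session above: refuse to send credentials without TLS."""
    with smtplib.SMTP(host, port, timeout=10) as s:
        s.ehlo("localhost")
        if s.has_extn("auth"):
            raise RuntimeError("server offers AUTH on the clear-text channel")
        s.starttls()
        s.ehlo("localhost")
        code, _ = s.docmd("AUTH PLAIN", plain_token(username, password))
        return code == 235
```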


Thursday, May 02, 2013

FreePBX Voicemail Drops Call With Error: lack of rtp activity in 31 seconds

I have FreePBX set up at home, and for some reason my voicemail was not working properly. It basically dropped the call after 30 seconds while the caller was waiting on Music on Hold.

It turns out that FreePBX detected no audio/RTP activity within 30 seconds (configurable) and dropped the connection.

To change this, on your FreePBX navigate to: Settings > Asterisk SIP Settings > Media and RTP Settings
Change rtptimeout from 30 to 300, and change rtpkeepalive from 0 to 30