System and Network Administration – Collection of Information So I Don't Forget
Problem:
Slow performance for Windows Servers in KVM/QEMU environments
Solution:
Enable KVM to emulate the Hyper-V settings and allow the guest VMs to take advantage.
sudo virt-xml $VMNAME --edit --features hyperv_relaxed=on,hyperv_vapic=on,hyperv_spinlocks=on,hyperv_spinlocks_retries=8191 sudo virt-xml $VMNAME --edit --clock hypervclock_present=yes
Problem:
I needed a PowerShell script to remotely logoff a domain user on multiple servers.
Solution:
Using my script with the PowerShell module PSTerminalServices from https://psterminalservices.codeplex.com/
I was able to create a method to disconnect the users remotely
$username = 'jbaldanza'
$filepath = 'c:\temp\servers.txt'
If (!(Get-module PSTerminalServices ))
{
try
{
Import-Module PSTerminalServices
Write-Host "PSTerminalServices Module Loaded" -ForegroundColor Green
}
catch
{
Write-Host "PSTerminalServices module does not exist, please install" -ForegroundColor Red
}
}
foreach ($server in (Get-Content -Path $filepath))
{
Write-Host "Checking for $username on $server" -ForegroundColor Cyan
try
{
$loggedInUsers = get-tssession -ComputerName $server
if ($loggedInUsers.UserName -contains $username)
{
Write-Host "Found $username connected to $server" -ForegroundColor Green
$userNameSessionID = $loggedInUsers | Where-Object -Property UserName -eq $username | Select-Object -Property SessionID
foreach ($sessionID in $userNameSessionID)
{
$currentSessionID = $sessionID.SessionId
Write-Host "$username's SessionID is $currentSessionID" -ForegroundColor Cyan
try
{
Start-Sleep 2
Stop-TSSession -ComputerName $server -Id $currentSessionID -Confirm:$false -Force
Write-Host "Disconnected $username's session $currentSessionID from $server" -ForegroundColor Green
}
catch
{
Write-Host "Unable to disconnect $username's session $currentSesionID from $server" -ForegroundColor Red
}
}
}
else
{
Write-Host "User $username not connected to $server" -ForegroundColor Yellow
}
}
catch
{
Write-Host "Unable to connect to $server" -ForegroundColor Red
}
}
Problem:
I needed to change the permissions of a certificate’s private key in the windows local computer store on multiple servers. I use the certificate’s thumbprint to find the certificate and then apply the permissions to the user listed.
Solution:
$serviceAccount = 'NETWORK SERVICE'
$certThumbprint = 'x xx xx x xx xx xx dd dd ee ee ff ff gg hh 5e 20 3f 53 52'
$permissionType = 'Read'
try
{
#Clear Existing Variables
$cert = ''
$keyFullPath = ''
Write-Host "--------------------------"
Write-Host "Server: $env:ComputerName" -ForegroundColor Cyan
Write-Host "Finding Certificate..." -ForegroundColor Green
#Get Certificate
$cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq ($certThumbprint -replace '\s','')}
If ($cert -ne $null -and $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName -ne $null)
{
# Get Location of the machine related keys
$keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys";
$keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName;
$keyFullPath = $keyPath + $keyName;
Write-Host "Found Certificate..." -ForegroundColor Green
Write-Host "Granting access to $serviceAccount..." -ForegroundColor Green
#Grant Full Control to account listed in $serviceAccount
$acl = (Get-Item $keyFullPath).GetAccessControl('Access') #Get Current Access
$buildAcl = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount,$permissionType,"Allow") #Build Access Rule
$acl.SetAccessRule($buildAcl) #Add Access Rule
Set-Acl $keyFullPath $acl #Save Access Rules
Write-Host "Access granted to $serviceAccount..." -ForegroundColor Green
Write-Host "--------------------------"
}
Else {
Write-Host "Unable to find Certificate that matches thumbprint $certThumbprint or the private key is missing..." -ForegroundColor Red
Write-Host "--------------------------"
}
}
catch
{
Write-Host "Unable to grant access to $serviceAccount..." -ForegroundColor Yellow
Write-Host "--------------------------"
throw $_;
}
I had a need to do this for a client.
Problem: Need to change a single user’s account password and flags across multiple systems
Solution:
You can use this script to modify a local user’s password across multiple machines. It will check that the machine is reachable (by ping) and it will set the account to never expire and enabled (userflag 66048)
Modify the $user and $password fields with their desired strings and update the $computers path to the computers.txt file with a list of computers
Run the PowerShell script as someone who is administrator on the machines in the computers.txt file
$computers = Get-Content -path C:\temp\computers.txt
$user = "USER"
$password = "PASSWORD"
Foreach ($computer in $computers)
{
#Start-Sleep 1
$ErrorMessage = ""
$FailedItem = ""
$localuser = ""
if (Test-Connection $computer -ErrorAction stop -count 3 -Quiet)
{
try
{
$localuser = [adsi]"WinNT://$computer/$user,user"
if ($localuser.Path -ne $null)
{
$localuser.SetPassword($Password)
$localuser.userflags = 66048
$localuser.SetInfo()
Write-Host "Password changed on: $computer" -ForegroundColor Green
}
else
{
Write-Host "$user not found on: $computer" -ForegroundColor Red
}
}
catch
{
Write-Host "Error changing password on: $computer" -ForegroundColor Red
#$ErrorMessage = $_.Exception.Message
#$FailedItem = $_.Exception.ItemName
#Write-Host $ErrorMessage -ForegroundColor Gray
#Write-Host $FailedItem -ForegroundColor Gray
}
}
else
{
Write-Host "Unable to connect, not changing password on: $computer" -ForegroundColor Red
}
}
Problem: Windows NFS has various mount points exported. on a UNIX system you use php and a method to move/rename files using php rename() .
while normally chown is restricted to root access, you can still chown to yourself in linux.
the rename() method in php also does a chown() which changes the owner to itself, not sure why, but it does. This caused problems when connected to our NFS server hosted in windows and we were unable to reproduce it on a local linux storage or a linux NFS server. The problem was due to the nature of Windows NFS server.
“Users accessing NFS shares from a Windows Server 2008 R2 based NFS server may get the error “Permission Denied” while trying to run the ‘chown’ command from UNIX NFS clients. This can happen even though the user is the owner of the files. The UNIX “root” user does not exhibit these issues.”
Solution: Apply recommended registry setting for Windows Server 2008 R2, although we were running Server 2012 this is still relevant
http://support.microsoft.com/kb/2708985
Problem:
When setting up IIS reverse Proxy to connect back to a linux PHP application the site would not load and IIS would throw a 500 error. When browsing to the PHP site from the IIS server manually no errors and connectivity was working fine.
Solution:
I missed an option in the web.config file for the PHP pattern “pattern=”^text/php”” :
<?xml version="1.0" encoding="UTF-8"?>
<configuration>
<system.webServer>
<rewrite>
<outboundRules>
<rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
<match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://10.0.xxx.81/(.*)" />
<action type="Rewrite" value="http{R:1}://www.xxxx.com/{R:2}" />
</rule>
<preConditions>
<preCondition name="ResponseIsHtml1">
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
<add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/php" />
</preCondition>
</preConditions>
</outboundRules>
<rules>
<clear />
<rule name="index" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAll" trackAllCaptures="false">
<add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
</conditions>
<action type="Redirect" url="http://www.xxxx.com/xx/slovenia/index.php" />
</rule>
<rule name="ReverseProxyInboundRule1" patternSyntax="ECMAScript" stopProcessing="true">
<match url="(.*)" />
<conditions logicalGrouping="MatchAny" trackAllCaptures="false">
</conditions>
<action type="Rewrite" url="http://10.0.xxx.81/bd/slovenia/{R:0}" />
</rule>
</rules>
</rewrite>
</system.webServer>
</configuration>
Problem:
Needed a quick solution to add storage to a failover cluster in a lab environment. LIO iSCSI supports scsi-3 persistent reservation iscsi. I decided to go with this solution.
Solution:
1. Install Ubuntu
install ubuntu
apt-get update
apt-get upgrade
apt-get install lio-utils
2. configure lio
attach additional storage to your ubuntu server. The following configuration can be used via command line first to test. Once everything is working you can make it static by modifying the files listed.
a. setup your devices to be used.
nano /etc/target/tcm_start.sh
tcm_node --block iblock_0/iscsiarray1 /dev/sdb tcm_node --block iblock_0/iscsiarray2 /dev/sdc tcm_node --block iblock_0/iscsiarray3 /dev/sdd tcm_node --block iblock_0/iscsiarray4 /dev/sde
b. setup your iscsi target
nano /etc/target/lio_start.sh
lio_node --addlun iqn.2012.com.linux:iscsi.local:lun1 1 1 iscsi01 iblock_0/iscsiarray1 lio_node --addnp iqn.2012.com.linux:iscsi.local:lun1 1 10.0.0.1:3260 lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun1 1 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:uranus.galaxy.local 1 1 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:neptune.galaxy.local 1 1 lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun1 1 lio_node --addlun iqn.2012.com.linux:iscsi.local:lun2 2 2 iscsi02 iblock_0/iscsiarray2 lio_node --addnp iqn.2012.com.linux:iscsi.local:lun2 2 10.0.0.1:3260 lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun2 2 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:uranus.galaxy.local 2 2 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:neptune.galaxy.local 2 2 lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun2 2 lio_node --addlun iqn.2012.com.linux:iscsi.local:lun3 3 3 iscsi03 iblock_0/iscsiarray3 lio_node --addnp iqn.2012.com.linux:iscsi.local:lun3 3 10.0.0.1:3260 lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun3 3 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:uranus.galaxy.local 3 3 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:neptune.galaxy.local 3 3 lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun3 3 lio_node --addlun iqn.2012.com.linux:iscsi.local:lun4 4 4 iscsi04 iblock_0/iscsiarray4 lio_node --addnp iqn.2012.com.linux:iscsi.local:lun4 4 10.0.0.1:3260 lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun4 4 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:uranus.galaxy.local 4 4 lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:neptune.galaxy.local 4 4 lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun4 4
Problem:
Needed to enable Microsoft Active Directory authentication to our internal mediawiki site.
Solution:
enable Ldapauthentication.php extension. modify localsettings.php file to include the following:
require_once( “$IP/extensions/LdapAuthentication/LdapAuthentication.php” );Replace “ADSITE” with the name of your domain. It is currently setup for clear text authentication. After you get clear text authentication working you should enable tsl or ssl authentication if need be.
the setting $wgLDAPRequiredGroups is optional and is used to allow only certain groups to login the wiki. in this case “Information Technology”
Problem:
We had some issues with some users accessing the DFS shares.
Solution:
Turns out that our main filesystem went down so DFS was routing everyone to our DR file server. However, the DR file server was in read only mode for users. We were able to track which DFS server the clients were connecting to by using
dfsutil /pktinfo
this assisted us in finding out the root cause of the strange errors. Even though the DFS MMC showed the DR site referral status as disabled the dfsutil showed us stuff was still connecting to it and using it actively.
Copyright © Jamie's Blog 2023 | Jamie's Blog is proudly powered by WordPress and idiandong.