Allow KVM/Qemu to use Hyper-V enlightenment settings

2016-03-16 / iPhone, Server, Windows / 0 Comments

Problem:
Slow performance for Windows Servers in KVM/QEMU environments

Solution:

Enable KVM's Hyper-V enlightenments so that Windows guest VMs can take advantage of them.

sudo virt-xml $VMNAME --edit --features hyperv_relaxed=on,hyperv_vapic=on,hyperv_spinlocks=on,hyperv_spinlocks_retries=8191
sudo virt-xml $VMNAME --edit --clock hypervclock_present=yes

PowerShell script to logoff user remotely on a list of servers

2015-11-25 / PowerShell, Server, Windows / 0 Comments

Problem:

I needed a PowerShell script to remotely log off a domain user on multiple servers.

Solution:

Using my script with the PowerShell module PSTerminalServices from https://psterminalservices.codeplex.com/, I was able to create a method to disconnect the users remotely.

$username = 'jbaldanza'
$filepath = 'c:\temp\servers.txt'

If (!(Get-Module PSTerminalServices)) 
{
    try 
    {
        # -ErrorAction Stop turns a failed import into a terminating error so the catch block runs
        Import-Module PSTerminalServices -ErrorAction Stop
        Write-Host "PSTerminalServices Module Loaded" -ForegroundColor Green
    } 
    catch 
    {
        Write-Host "PSTerminalServices module does not exist, please install" -ForegroundColor Red
        return
    }
}

foreach ($server in (Get-Content -Path $filepath)) 
{
    Write-Host "Checking for $username on $server" -ForegroundColor Cyan   
    try 
    {
        $loggedInUsers = Get-TSSession -ComputerName $server -ErrorAction Stop
        if ($loggedInUsers.UserName -contains $username) 
        {

            Write-Host "Found $username connected to $server" -ForegroundColor Green
            $userNameSessionID = $loggedInUsers | Where-Object -Property UserName -eq $username | Select-Object -Property SessionID
            foreach ($sessionID in $userNameSessionID) 
            {
                $currentSessionID = $sessionID.SessionId       
                Write-Host "$username's SessionID is $currentSessionID" -ForegroundColor Cyan
                try 
                {
                    Start-Sleep 2
                    # Stop-TSSession logs the session off; -ErrorAction Stop lets the catch block report failures
                    Stop-TSSession -ComputerName $server -Id $currentSessionID -Confirm:$false -Force -ErrorAction Stop
                    Write-Host "Disconnected $username's session $currentSessionID from $server" -ForegroundColor Green
                }
                catch 
                {
                    Write-Host "Unable to disconnect $username's session $currentSessionID from $server" -ForegroundColor Red
                }
            }
        }
        else 
        {
            Write-Host "User $username not connected to $server" -ForegroundColor Yellow
        }
    }
    catch 
    {
        Write-Host "Unable to connect to $server" -ForegroundColor Red
    }
}

PowerShell script to change permission of a certificate’s private key

2015-11-01 / PowerShell, Server / 2 Comments

Problem:
I needed to change the permissions of a certificate’s private key in the Windows local computer store on multiple servers. I use the certificate’s thumbprint to find the certificate and then apply the permissions to the user listed.

Solution:

$serviceAccount = 'NETWORK SERVICE'
$certThumbprint = 'x xx xx x xx xx xx dd dd ee ee ff ff gg hh 5e 20 3f 53 52'
$permissionType = 'Read'
    try
    {
        #Clear Existing Variables
        $cert = ''
        $keyFullPath = ''
        Write-Host "--------------------------"
        Write-Host "Server: $env:ComputerName" -ForegroundColor Cyan
        Write-Host "Finding Certificate..." -ForegroundColor Green
        #Get Certificate
        $cert = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object {$_.Thumbprint -eq ($certThumbprint -replace '\s','')}
        If ($cert -ne $null -and $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName -ne $null) 
        {
            # Get the location of the machine key files
            $keyPath = $env:ProgramData + "\Microsoft\Crypto\RSA\MachineKeys"
            $keyName = $cert.PrivateKey.CspKeyContainerInfo.UniqueKeyContainerName
            # Join-Path inserts the separator between the folder and the key file name
            $keyFullPath = Join-Path -Path $keyPath -ChildPath $keyName
            Write-Host "Found Certificate..." -ForegroundColor Green
            Write-Host "Granting access to $serviceAccount..." -ForegroundColor Green
            #Grant the $permissionType permission to the account listed in $serviceAccount
            $acl = (Get-Item $keyFullPath).GetAccessControl('Access') #Get Current Access
            $buildAcl = New-Object System.Security.AccessControl.FileSystemAccessRule($serviceAccount,$permissionType,"Allow") #Build Access Rule
            $acl.SetAccessRule($buildAcl) #Set Access Rule (replaces existing Allow rules for this account)
            Set-Acl $keyFullPath $acl #Save Access Rules
            Write-Host "Access granted to $serviceAccount..." -ForegroundColor Green
            Write-Host "--------------------------"
        }
        Else {
            Write-Host "Unable to find Certificate that matches thumbprint $certThumbprint or the private key is missing..." -ForegroundColor Red
            Write-Host "--------------------------"
        }
    }
    catch
    {
        Write-Host "Unable to grant access to $serviceAccount..." -ForegroundColor Yellow
        Write-Host "--------------------------"
        throw $_;
    }
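
To confirm the result of the script above, the following added example (not the author's code) lists the access rules on the certificate's private key file so the grant can be reviewed. It goes slightly beyond the post by also locating CNG keys, which are stored under Microsoft\Crypto\Keys rather than RSA\MachineKeys; the helper name Get-PrivateKeyFile and the thumbprint placeholder are assumptions.

```powershell
# Added example, not from the original post. Run elevated on the server.
$certThumbprint = '<CERT-THUMBPRINT>'   # placeholder; spaces are stripped below

function Get-PrivateKeyFile {   # hypothetical helper name
    param([System.Security.Cryptography.X509Certificates.X509Certificate2]$Cert)

    # GetRSAPrivateKey handles CSP and CNG keys; it returns $null when there is no RSA key
    $rsa = [System.Security.Cryptography.X509Certificates.RSACertificateExtensions]::GetRSAPrivateKey($Cert)
    if ($null -eq $rsa) { return $null }

    if ($rsa -is [System.Security.Cryptography.RSACng]) {
        $name = $rsa.Key.UniqueName
    } elseif ($rsa -is [System.Security.Cryptography.RSACryptoServiceProvider]) {
        $name = $rsa.CspKeyContainerInfo.UniqueKeyContainerName
    } else { $name = $null }
    if (-not $name) { return $null }

    # Machine key files live in one of these folders, depending on the provider
    $dirs = @(
        (Join-Path $env:ProgramData 'Microsoft\Crypto\RSA\MachineKeys'),
        (Join-Path $env:ProgramData 'Microsoft\Crypto\Keys')
    )
    foreach ($dir in $dirs) {
        $path = Join-Path $dir $name
        if (Test-Path -LiteralPath $path) { return $path }
    }
    return $null
}

$cert = Get-ChildItem -Path Cert:\LocalMachine\My |
    Where-Object { $_.Thumbprint -eq ($certThumbprint -replace '\s', '') } | Select-Object -First 1
if (-not $cert) {
    Write-Warning "No certificate with thumbprint $certThumbprint in LocalMachine\My"
    return
}

$keyFile = Get-PrivateKeyFile -Cert $cert
if (-not $keyFile) {
    Write-Warning "Certificate found, but no RSA private key file was located"
    return
}

# One row per access rule: check that only the expected accounts and rights appear
Write-Host "Private key file: $keyFile"
(Get-Acl -LiteralPath $keyFile).Access |
    Select-Object IdentityReference, AccessControlType, FileSystemRights, IsInherited |
    Format-Table -AutoSize
```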

PowerShell script to modify local account password on multiple remote computers

2015-07-02 / Microsoft, PowerShell, Server / 0 Comments

I had a need to do this for a client.

Problem: Need to change a single user’s account password and flags across multiple systems

Solution:
You can use this script to modify a local user’s password across multiple machines. It will check that the machine is reachable (by ping), and it will set the account to never expire and enabled (userflag 66048).

Set the $user and $password variables to the desired strings and update the $computers path to point to the computers.txt file containing the list of computers.
Run the PowerShell script as someone who is an administrator on the machines in the computers.txt file.

$computers = Get-Content -path C:\temp\computers.txt
$user = "USER"
$password = "PASSWORD"
Foreach ($computer in $computers)
{
    #Start-Sleep 1
    $ErrorMessage = ""
    $FailedItem = ""
    $localuser = ""
     
    if (Test-Connection $computer -ErrorAction stop -count 3 -Quiet)
    {
        try
        {
            $localuser = [adsi]"WinNT://$computer/$user,user"
             
            if ($localuser.Path -ne $null)
            {
                $localuser.SetPassword($Password)
                # 66048 = 0x10200 = UF_NORMAL_ACCOUNT (0x200) + UF_DONT_EXPIRE_PASSWD (0x10000)
                $localuser.userflags = 66048
                $localuser.SetInfo()
                Write-Host "Password changed on: $computer" -ForegroundColor Green
            }
            else
            {
                Write-Host "$user not found on: $computer" -ForegroundColor Red
            }
        }
        catch
        {
            Write-Host "Error changing password on: $computer" -ForegroundColor Red
            #$ErrorMessage = $_.Exception.Message
            #$FailedItem = $_.Exception.ItemName
            #Write-Host $ErrorMessage -ForegroundColor Gray
            #Write-Host $FailedItem -ForegroundColor Gray
        }
    }
    else
    {
        Write-Host "Unable to connect, not changing password on: $computer" -ForegroundColor Red
    }
}

Windows NFS server and issues with php rename() and chown

2014-11-14 / Linux, SAN, Server, Server 2008 R2 / 0 Comments

Problem: A Windows NFS server has various mount points exported. On a UNIX system, you use PHP and its rename() function to move/rename files.

While chown is normally restricted to root, you can still chown to yourself in Linux.

The rename() function in PHP also does a chown(), which changes the owner to itself; not sure why, but it does. This caused problems when connected to our NFS server hosted on Windows, and we were unable to reproduce it on local Linux storage or a Linux NFS server. The problem was due to the nature of the Windows NFS server.

“Users accessing NFS shares from a Windows Server 2008 R2 based NFS server may get the error “Permission Denied” while trying to run the ‘chown’ command from UNIX NFS clients. This can happen even though the user is the owner of the files. The UNIX “root” user does not exhibit these issues.”

Solution: Apply the recommended registry setting for Windows Server 2008 R2. Although we were running Server 2012, this is still relevant:
http://support.microsoft.com/kb/2708985


IIS Reverse Proxy Module 500 error when going to PHP backend

2013-05-13 / IIS, Server / 1 Comments

Problem:
When setting up the IIS reverse proxy to connect back to a Linux PHP application, the site would not load and IIS would throw a 500 error. When browsing to the PHP site manually from the IIS server, there were no errors and connectivity was working fine.

Solution:
I missed an option in the web.config file for the PHP pattern, pattern="^text/php":

<?xml version="1.0" encoding="UTF-8"?>
<configuration>
    <system.webServer>
      <rewrite>
        <outboundRules>
          <rule name="ReverseProxyOutboundRule1" preCondition="ResponseIsHtml1">
            <match filterByTags="A, Area, Base, Form, Frame, Head, IFrame, Img, Input, Link, Script" pattern="^http(s)?://10.0.xxx.81/(.*)" />
            <action type="Rewrite" value="http{R:1}://www.xxxx.com/{R:2}" />
          </rule>
          <preConditions>
            <preCondition name="ResponseIsHtml1">
              <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/html" />
              <add input="{RESPONSE_CONTENT_TYPE}" pattern="^text/php" />
            </preCondition>
          </preConditions>
        </outboundRules>
        <rules>
          <clear />
          <rule name="index" stopProcessing="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAll" trackAllCaptures="false">
              <add input="{REQUEST_FILENAME}" matchType="IsDirectory" />
            </conditions>
            <action type="Redirect" url="http://www.xxxx.com/xx/slovenia/index.php" />
          </rule>
          <rule name="ReverseProxyInboundRule1" patternSyntax="ECMAScript" stopProcessing="true">
            <match url="(.*)" />
            <conditions logicalGrouping="MatchAny" trackAllCaptures="false">
            </conditions>
            <action type="Rewrite" url="http://10.0.xxx.81/bd/slovenia/{R:0}" />
          </rule>
        </rules>
      </rewrite>
    </system.webServer>
</configuration>

Ubuntu 12 LIO iSCSI Target with SCSI-3

2012-08-14 / Linux, SAN, Server / 0 Comments

Problem:
Needed a quick solution to add storage to a failover cluster in a lab environment. LIO iSCSI supports SCSI-3 persistent reservations. I decided to go with this solution.

Solution:

1. Install Ubuntu, then update it and install lio-utils:
apt-get update
apt-get upgrade
apt-get install lio-utils

2. Configure LIO

Attach additional storage to your Ubuntu server. The following configuration can be run from the command line first to test. Once everything is working, you can make it permanent by modifying the files listed.

a. Set up the devices to be used.

nano /etc/target/tcm_start.sh

tcm_node --block iblock_0/iscsiarray1 /dev/sdb
tcm_node --block iblock_0/iscsiarray2 /dev/sdc
tcm_node --block iblock_0/iscsiarray3 /dev/sdd
tcm_node --block iblock_0/iscsiarray4 /dev/sde

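b. Set up your iSCSI target. Note that --disableauth turns off CHAP authentication for the target portal group, so in this lab setup access is restricted only by the initiator IQNs added with --addlunacl.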

nano /etc/target/lio_start.sh

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun1 1 1 iscsi01 iblock_0/iscsiarray1
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun1 1 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun1 1
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:uranus.galaxy.local 1 1
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun1 1 iqn.2012.com.microsoft:neptune.galaxy.local 1 1
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun1 1

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun2 2 2 iscsi02 iblock_0/iscsiarray2
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun2 2 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun2 2
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:uranus.galaxy.local 2 2
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun2 2 iqn.2012.com.microsoft:neptune.galaxy.local 2 2
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun2 2

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun3 3 3 iscsi03 iblock_0/iscsiarray3
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun3 3 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun3 3
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:uranus.galaxy.local 3 3
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun3 3 iqn.2012.com.microsoft:neptune.galaxy.local 3 3
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun3 3

lio_node --addlun iqn.2012.com.linux:iscsi.local:lun4 4 4 iscsi04 iblock_0/iscsiarray4
lio_node --addnp iqn.2012.com.linux:iscsi.local:lun4 4 10.0.0.1:3260
lio_node --disableauth iqn.2012.com.linux:iscsi.local:lun4 4
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:uranus.galaxy.local 4 4
lio_node --addlunacl iqn.2012.com.linux:iscsi.local:lun4 4 iqn.2012.com.microsoft:neptune.galaxy.local 4 4
lio_node --enabletpg iqn.2012.com.linux:iscsi.local:lun4 4

Configure mediawiki for LDAP authentication with Microsoft active directory

2011-08-15 / Linux, Random, Server / 3 Comments

Problem:

Needed to enable Microsoft Active Directory authentication for our internal MediaWiki site.

Solution:

Enable the LdapAuthentication.php extension. Modify the LocalSettings.php file to include the following:

require_once( "$IP/extensions/LdapAuthentication/LdapAuthentication.php" );
$wgAuth = new LdapAuthenticationPlugin();
$wgLDAPDomainNames = array( "ADSITE" );
$wgLDAPServerNames = array( "ADSITE"=>"wcp01xdc.ADSITE.local" );
$wgLDAPBaseDNs = array( "ADSITE"=>"dc=ADSITE,dc=local" );
$wgLDAPSearchStrings = array( "ADSITE"=>"ADSITE\\USER-NAME" );
$wgLDAPSearchAttributes = array( "ADSITE"=>"sAMAccountName" );
$wgLDAPLowerCaseUsername = array( "ADSITE"=>true );
$wgLDAPRequiredGroups = array( "ADSITE"=>array("cn=information technology,ou=users,ou=information technology,ou=ADSITE,dc=ADSITE,dc=local") );
$wgLDAPGroupUseFullDN = array( "ADSITE"=>true );
$wgLDAPGroupsUseMemberOf = array( "ADSITE"=>true );
$wgLDAPGroupObjectclass = array( "ADSITE"=>"group" );
$wgLDAPGroupAttribute = array( "ADSITE"=>"member" );
$wgLDAPGroupSearchNestedGroups = array( "ADSITE"=>true );
$wgLDAPGroupNameAttribute = array( "ADSITE"=>"cn" );
$wgLDAPPreferences = array( "ADSITE"=>true );
$wgLDAPDisableAutoCreate = array( "ADSITE"=>false );
$wgMinimalPasswordLength = 1;
$wgLDAPUseSSL = false;
# Clear-text bind, used to get authentication working first
$wgLDAPEncryptionType = array( "ADSITE"=>"clear" );
$wgUseLocal = false;
#$wgLDAPDebug = 99;
#$wgDebugLogGroups["ldap"] = "/tmp/wikildapdebug.log";

Replace "ADSITE" with the name of your domain. It is currently set up for clear text authentication. After you get clear text authentication working, you should enable TLS or SSL authentication if need be.

The setting $wgLDAPRequiredGroups is optional and is used to allow only certain groups to log in to the wiki, in this case "Information Technology".


DFS issues on some DCs only

2011-07-27 / Server / 0 Comments

Problem:

We had some issues with some users accessing the DFS shares.

Solution:

Turns out that our main filesystem went down, so DFS was routing everyone to our DR file server. However, the DR file server was in read-only mode for users. We were able to track which DFS server the clients were connecting to by using

dfsutil /pktinfo

This assisted us in finding out the root cause of the strange errors. Even though the DFS MMC showed the DR site referral status as disabled, dfsutil showed us stuff was still connecting to it and using it actively.
