I've been installing 16 RHEL 5.3 servers on a DR site owned by our sister company. There is no DHCP server on the subnet, which stopped us using HP Rapid Deployment Pack to roll out the servers, but it was still possible to use Kickstart by specifying the IP information as a parameter when booting from the RHEL CD (disk 1). The syntax goes like this:
boot: linux ks=http://server/kickstart.cfg ksdevice=eth0 ip=xx.xx.xx.xx netmask=xx.xx.xx.xx gateway=xx.xx.xx.xx dns=xx.xx.xx.xx
DNS servers can be comma separated if you want to specify more than one.
We've been migrating shares on our main file server to a DFS share to give us some flexibility with our storage. Part of these changes involves migrating Profile Paths and Terminal Server Profile Paths to the new DFS share location. Once the data was being synchronised by DFS we needed a way to change the Profile Path and TS Profile Path attributes on all accounts in part of our Active Directory. This cannot be done using AD Users and Computers: if you bulk-select users in ADUC and bring up the collective properties, you will notice the TS Profile Path is not available for editing. There are a few free tools that can do this, notably ADModify.NET, but we needed a way to script it so it could be run overnight, and also to only make changes to the paths if one existed already.
ChangeProfilePaths.vbs.txt
ChangeTerminalServerPaths.vbs.txt
The scripts are pretty much identical; the only bits you need to change are these lines at the top:
SMTPServer = "mail.ukstokes.ad"
Set domain = GetObject("LDAP://OU=Company Users,DC=ukstokes,DC=ad")
NewTSPath = "\\ukstokes.ad\data\profiles$\users\"
The LDAP string needs to be changed to the starting point in your AD tree. Every OU underneath will be affected.
Also these 2 lines at the bottom:
objEmail.From = "ben@------.ad"
objEmail.To = "ben@------.ad"
The script will send an email at the end with a summary of the changes so you will need to change the From and To addresses accordingly.
Before making any mass changes like this, remember the golden rule: test it in an isolated environment first.
We're in the process of moving all servers from a legacy flat network to a new server VLAN. Each time a server is moved and is assigned a new IP address, there is a risk that some applications in the building might still try to connect to the server's old IP address rather than the DNS name. To log any attempts to reach the old IP address I've set up a 'honeypot' router using iptables and CentOS (as a small VMware machine). Each time a server is moved, the old server IP is added to the CentOS machine and 2 rules are added in the iptables firewall to drop and log the incoming IP connections. The failed connections would usually be logged to the console and the 'messages' log file, but alternatively these could be sent to a remote syslog server by specifying:
kern.* @xx.xx.xx.xx
in the syslog.conf. In our case we're logging to our Cacti server and using the Cacti syslog plugin (from here) to view our Linux server and network switch syslogs in a central location.
iptables configuration
In a default installation of CentOS, iptables is already installed and running by default. There are only 2 changes to make; the first is to bind your additional IP address to your network card (usually eth0). This is done by creating a virtual device called eth0:1, by inserting this text into a new file /etc/sysconfig/network-scripts/ifcfg-eth0:1 (10.10.2.17 is the destination address of the incoming traffic that I want to log):
IPADDR=10.10.2.17
NETMASK=255.255.0.0
And then bringing up the virtual device using:
ifconfig eth0:1 up
In the iptables config file (/etc/sysconfig/iptables) I added these lines in the RH-Firewall-1-INPUT chain:
-A RH-Firewall-1-INPUT -d 10.10.2.17 -j LOG --log-level 4 --log-prefix "OLD SRV1"
-A RH-Firewall-1-INPUT -d 10.10.2.17 -j DROP
Any traffic to 10.10.2.17 will now be logged in messages and the lines will be prefixed with "OLD SRV1".
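The point of the LOG rule is to find out which hosts are still talking to the old address, so the messages file needs to be turned into a per-source report. The Python script below is an added example, not part of the original post: it parses the kernel LOG lines that the rule above produces and counts hits by source host and by (source, protocol, destination port). The sample log lines are constructed; the source addresses and MACs in them are made up. One caveat it handles: because the rule's prefix "OLD SRV1" has no trailing space, the kernel prints it directly against the IN= field ("OLD SRV1IN=eth0"), so the parser matches on the field names rather than on whitespace.

```python
import re
from collections import Counter

# Constructed sample of what CentOS syslog writes to /var/log/messages for the
# LOG rule on the page. Source hosts, MACs and timestamps are invented.
SAMPLE_LOG = """\
Mar 10 09:12:01 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.10.3.44 DST=10.10.2.17 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4321 DF PROTO=TCP SPT=49211 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 09:12:04 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.10.3.44 DST=10.10.2.17 LEN=60 TOS=0x00 PREC=0x00 TTL=127 ID=4322 DF PROTO=TCP SPT=49212 DPT=445 WINDOW=8192 RES=0x00 SYN URGP=0
Mar 10 09:15:30 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.10.5.9 DST=10.10.2.17 LEN=52 TOS=0x00 PREC=0x00 TTL=128 ID=77 DF PROTO=TCP SPT=3389 DPT=1433 WINDOW=65535 RES=0x00 SYN URGP=0
Mar 10 09:16:02 honeypot kernel: OLD SRV1IN=eth0 OUT= MAC=00:0c:29:aa:bb:cc:00:1a:2b:3c:4d:5e:08:00 SRC=10.10.5.9 DST=10.10.2.17 LEN=78 TOS=0x00 PREC=0x00 TTL=128 ID=78 PROTO=UDP SPT=137 DPT=137 LEN=58
Mar 10 09:20:00 honeypot sshd[2211]: Accepted publickey for ben from 10.10.1.2 port 50011 ssh2
"""

# Fields of the iptables LOG target that matter for the report. The prefix is
# whatever sits between "kernel: " and the first "IN=", with or without a
# trailing space. SPT/DPT are optional because ICMP lines do not carry them.
LOG_RE = re.compile(
    r"kernel: (?P<prefix>.*?)IN=(?P<iface>\S*) .*?"
    r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) .*?"
    r"PROTO=(?P<proto>\S+)"
    r"(?: SPT=(?P<spt>\d+) DPT=(?P<dpt>\d+))?"
)


def parse_line(line):
    """Return the fields of one iptables LOG line, or None for any other
    syslog line (sshd, cron, and so on)."""
    m = LOG_RE.search(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["prefix"] = rec["prefix"].strip()
    return rec


def summarize(log_text, prefix="OLD SRV1"):
    """Count hits on the decommissioned address, grouped by source host and by
    (source, protocol, destination port), so the application still using the
    old IP can be found and repointed at the DNS name."""
    by_source = Counter()
    by_service = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["prefix"] != prefix:
            continue
        by_source[rec["src"]] += 1
        by_service[(rec["src"], rec["proto"], rec["dpt"] or "-")] += 1
    return {"by_source": by_source, "by_service": by_service}


def report(summary):
    """Render the summary as plain text, busiest source first."""
    lines = []
    for src, n in summary["by_source"].most_common():
        lines.append(f"{src}: {n} connection attempt(s)")
        for (s, proto, dpt), c in sorted(summary["by_service"].items()):
            if s == src:
                lines.append(f"    {proto} dport {dpt}: {c}")
    return "\n".join(lines)


if __name__ == "__main__":
    # On the honeypot itself this would read /var/log/messages instead.
    print(report(summarize(SAMPLE_LOG)))
```

Run it against the real messages file (or the copy forwarded to the syslog server) once a day for each moved server; a source that keeps appearing with the same destination port is usually a hard-coded IP in an application config or an ODBC DSN on that host.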
Note about file paths: I'm getting an odd error when posting Linux file paths in Wordpress - putting a leading / in the path gives a 404 error. The paths I mentioned above should have a leading forwardslash "/".