ukstokes.com

tech stuff from a tech bloke

• Install RHEL with Kickstart and no DHCP

  Jun 25th 2009

  By: ben

  No comments

  I've been installing 16 RHEL 5.3 servers on a DR site, owned by our sister company. There is no DHCP server on the subnet which has stopped us using HP Rapid Deployment Pack to roll out the servers, but it was still possible to use Kickstart, by specifying the IP information as a parameter when booting from the RHEL CD (disk 1). The syntax goes like this:

  boot: linux ks=http://server/kickstart.cfg ksdevice=eth0 ip=xx.xx.xx.xx netmask=xx.xx.xx.xx gateway=xx.xx.xx.xx dns=xx.xx.xx.xx

  DNS servers can be comma separated if you want to specify more than one.

  Enterprise Linux

  Enterprise Linux, kickstart, RHEL

• Scripts to make en mass changes to profile paths

  Jun 11th 2009

  By: ben

  No comments

  We've been migrating shares on our main file server to a DFS share to give us some flexibility with our storage. Part of these changes involve migrating Profile Paths and Terminal Server Profile Paths to the new DFS share location. After the data was being synchronised by DFS we needed a way to change the Profile Path and TS Profile Path attribute on all accounts in part of our Active Directory. This cannot be done using AD Users and Computers - if you bulk select users in ADUC and bring up the collective properties, you will notice the TS Profile Path is not available for editing. There are a few free tools that can do this, notibly ADModify.NET, but we needed a way to script it so it could be run overnight, and also only make changes to the paths if one existed already.

  ChangeProfilePaths.vbs.txt
  ChangeTerminalServerPaths.vbs.txt

  The scripts are pretty much identical, the only bits you need to change are these lines at the top:

  SMTPServer = "mail.ukstokes.ad"
  Set domain = GetObject("LDAP://OU=Company Users,DC=ukstokes,DC=ad")
  NewTSPath = "\\ukstokes.ad\data\profiles$\users\"

  The LDAP string needs to be changed to the starting point in your AD tree. Every OU underneath will be affected.

  Also these 2 lines at the bottom:

  objEmail.From = "ben@------.ad"
  objEmail.To = "ben@------.ad"

  The script will send an email at the end with a summary of the changes so you will need to change the From and To addresses accordingly.

  Before making any mass changes like remember the golden rule to test it in an isolated environment first.

  Scripting

  Active Directory, Scripting, Windows

• Set up a ‘honeypot’ router using Netfilter (iptables)

  Jun 4th 2009

  By: ben

  No comments

  We're in the process of moving all servers from a legacy flat network to a new server VLAN. Each time a server is moved and is assigned a new IP address, there is a risk that some applications in the building might still try and connect to the server's old IP address rather than the DNS name. To log any attempts to reach the old IP address I've set up a 'honeypot' router using iptables and CentOS (as a small VMware machine). Each time a server is moved, the old server IP is added to the CentOS machine and and 2 rules are added in the iptables firewall to drop and log the incoming IP connections. The failed connections would usually logged to the console and the 'messages' log file, but alternatively these could be sent to a remote syslog server by specifying:

  kern.*        @xx.xx.xx.xx

  in the syslog.conf. In our case we're logging to our Cacti server and using the Cacti syslog plugin (from here) to view our Linux server and network switch syslogs in a central location.

  iptables configuration
  In a default installation of CentOS, iptables is already installed and running by default. There are only 2 changes to make; The first is to bind your additional IP address to your network card (usually eth0). This is done by creating a virtual device called eth0:1, by inserting this text into new file etc/sysconfig/network-scripts/ifcfg-eth0:1 (10.10.2.17 is the destination address of the incoming traffic that I want to log):

  IPADDR=10.10.2.17
  NETMASK=255.255.0.0

  And then bringing up the virtual device using:

  ifconfig eth0:1 up

  In the iptables config file (etc/sysconfig/iptables) I added these lines in the RH-Firewall-1-INPUT chain:

  -A RH-Firewall-1-INPUT -d 10.10.2.17 -j LOG --log-level 4 --log-prefix "OLD SRV1"
  -A RH-Firewall-1-INPUT -d 10.10.2.17 -j DROP

  Any traffic to 10.10.2.17 will now be logged in messages and the lines will be prefixed with "OLD SRV1".

  Note about file paths: I'm getting an odd error when posting Linux file paths in WordPress - putting a leading / in the path gives a 404 error. The paths I mentioned above should have a leading forwardslash "/".

  Enterprise Linux

  CentOS, iptables, netfilter, routing

• Test post

  May 25th 2009

  By: ben

  No comments

  Just a quick test so see if posting and collection via RSS is working since I have migrated to a new webhost. 

  

  A cat selected at random

  Blogging, Random stuff

• Configure alerting for a Symantec Brightmail appliance

  May 20th 2009

  By: ben

  No comments

  I wanted to configure email alerts from our Brightmail gateway (formally Symantec 8300 series appliance) so that we would be notified when message queues were over certain thresholds. This is a missing feature on the appliance, so as a workaround I've done it using Cacti instead. We already monitor CPU and memory usage of the appliance using Cacti by configuring it as a 'ucd/net SNMP device', and this week I discovered Symantec also publish templates for Cacti for graphing MTA queues (inbound, outbound and delivery). There are 2 graphs, one showing number of messages, and the other showing the MTA sizes in megabytes. 

  I added the templates to our Cacti and configured them against our Brightmail gateway and they work very nicely. 

  
  Queue sizes as graphed by Cacti

  Just to explain the queue above - we always have a fair amount of transient garbage stuck in the delivery queue due to malformed domain names, typos in email addresses and other random stuff stuck in a retry queue for a few days.

  For alerting we already have the threshold plugin 'thold' installed on Cacti so I set up 2 new threshold templates for the inbound and outbound delivery queues. If a queue now goes over 150 messages we will receive an alert - it will also send an email when the value goes back under the 150 value. 

  
  My thresholds

  The email alerts also contain a copy of the graph as an attachment which is a very nice feature. It pretty much tells you what time your queues started building up, and this is a valuable clue in helping you find out what has caused the problem.

  Messaging

  Cacti, Messaging

• Update DMZ servers using WSUS

  Apr 20th 2009

  By: ben

  No comments

  If you have a server in the DMZ that requires Windows Updates but does not have Internet connectivity, it's actually quite easy to configure it to receive automatic updates from a WSUS server on your network.

  1. Firewall config: Open tcp/80 (or tcp/443 if you have configured SSL) on the firewall between your DMZ server and your WSUS server.

  2. On your DMZ server open gpedit.msc. Go into Computer Configuration - Administrative Templates - Windows Components - Windows Update.

  
  Configure Windows Update using gpedit.msc

  3. Enable "Configure automatic updates" and configure the schedule of your choice.

  4. Enable "Intranet Microsoft Update Service Location". Specify your WSUS server in both fields using the http://server format.

  5. Enable "Client side targetting" and enter the name of your Target Group into the box.

  That's it - the updates will now flow in.

  Windows Servers

• Configure automatic login on OCS 2007

  Apr 11th 2009

  By: ben

  5 comments

  

  Here's the scenario: You have a single OCS 2007 standard edition server on your network. Your Active Directory uses a DNS suffix that is not available externally, for example ocs.internal.ad. You are using a certificate issued by your domain CA on your OCS server (this is recommended) and automatic logon works fine while your clients are on the internal network.

  You have also deployed an OCS 2007 Edge Access Server. The server's name in external DNS is sip.yourdomain.com.

  The goal is to enable clients to log in automatically. This is a nice to have - and I think even nicer when they can log in automatically from both within the corporate LAN and the outside of your network.

  The problem
  If you change your users OCS sign-in names to their email addresses (i.e. user@yourdomain.com), the automatic logon works fine on the outside but not from the inside (providing your Edge Access server and supporting DNS records are set up correctly). Meanwhile from outside of your network if your users have sign-in names using your internal AD namespace (i.e. user@internal.ad), automatic logon fails - this is because the internal.ad DNS suffix does not exist on the outside and your OCS client cannot find an SRV record in DNS to locate the OCS server.

  The solution!
  There are several components that need to be in place for this to work.

  1. DNS Configuration
  For this to work you are required to set up a copy of your external DNS as a primary zone in your Active Directory DNS. Then in your internal DNS configure an A Record for sip.yourdomain.com pointing to the IP address of your internal OCS server. In addition, set up some SRV records:

  _tcp._sipinternal.yourdomain.com -- sip.yourdomain.com (0 0 5061)
  _tcp._sipinternaltls .yourdomain.com -- sip.yourdomain.com (0 0 5061)

  2. Certificate configuration
  For authenticating external clients, you will need an SSL certificate on your Edge Access server. Choosing the right sort of certificate is vital for the Edge Access role. You have to select one from this list for federation and public IM connectivity to work properly.  Other certificates may work, but have not been approved for use with OCS 2007 by Microsoft.

  For authenticating internal clients, Microsoft recommend you use a certificate from the CA on your domain. From your standard edition server, run setup on the OCS CD and go through the certificate wizard. When configuring the certificate, specify ocs.internal.ad (insert your internal server name here) as the primary name of your server and sip.yourdomain.com (your external namespace) as the alternative name on the certificate.

  3. Sign-In names
  Last thing is to configure sign in names, these will need to be changed to use your external DNS suffix, i.e. user@yourdomain.com. One word of warning on this - if you change sign-in names while the users are logged on, they will be kicked off the system and receive an error about invalid credentials. Instead, make the changes while the users are logged off and they will then be picked up automatically the next time the computers are booted up on the network.

  After making this change users should then be able to log in automatically from both the corporate network and the Internet.

  This is one area IMHO where the OCS 2007 documentation does not go into enough detail.

  Windows Servers

• Get system stats automatically on SSH login

  Apr 10th 2009

  By: ben

  No comments

  I noticed in recent versions of Ubuntu you get some system stats in a banner message when you connect using SSH. I thought this was pretty useful so have implemented my own version on our Red Hat servers at work.

  This runs every 5 minutes as a cron job and updates the file /etc/motd (Message Of The Day) which is shown when a user logs in. Our servers already have a 5 line banner message with information including the server name and purpose of the server, hence the first 5 lines being saved and readded into a new /etc/motd each time.

  
  #!/bin/bash
  cat /etc/motd | head -n 5 > /tmp/file && cat /tmp/file > /etc/motd
  
  CPUTIME=$(ps -eo pcpu | awk 'NR>1' | awk '{tot=tot+$1} END {print tot}')
  CPUCORES=$(cat /proc/cpuinfo | grep -c processor)
  
  echo "System summary (collected `date`)
  
   - CPU Usage (total average) = `echo $CPUTIME / $CPUCORES | bc`%
   - Memory free (real)        = `free -m | head -n 2 | tail -n 1 | awk {'print $4'}` Mb
   - Memory free (cache)       = `free -m | head -n 3 | tail -n 1 | awk {'print $3'}` Mb
   - Swap in use               = `free -m | tail -n 1 | awk {'print $3'}` Mb
  " >> /etc/motd
  

  Now when we log in we get a summary like this:

  

  Enterprise Linux, Scripting

  Bash scripting, Enterprise Linux, Linux

• Identify computer type using VB Script

  Apr 6th 2009

  By: ben

  No comments

  I required some VB which would run as a shutdown script and run some specific commands if the computer was not a laptop. Luckily this was simplified by the naming convention on our corporate network - all laptops have an L in the computer name. Here is one way this can be done - using a regular expression to find the number of L's in the computer name (and then take specific action if it is less than 1): 

  Option Explicit
  
  Dim objNTInfo, ComputerName, myRegExp, myMatches
  
  Set objNTInfo = CreateObject("WinNTSystemInfo")
  ComputerName = lcase(objNTInfo.ComputerName)
  
  'Prepare a regular expression object
  Set myRegExp = New RegExp
  myRegExp.IgnoreCase = True
  myRegExp.Global = True
  myRegExp.Pattern = "l"
  
  Set myMatches = myRegExp.Execute(computerName)
  If myMatches.Count > 0 Then
   MsgBox ComputerName & " is a laptop" , vbInformation , "Results ... "
  else
   MsgBox ComputerName & " is not a laptop" , vbInformation , "Results ... "
  End If 

  Scripting

  Scripting, VBScript

• Meaningless errors

  Apr 6th 2009

  By: ben

  2 comments

  If you have an OCS 2007 deployment with an Edge Access server, a user attempting to log on from the outside may receive the following error: 

  Cannot sign in to Communicator. You may have entered your sign-in address, user name, or password incorrectly, or the authentication service may be incompatible with this version of the program. If your sign-in information is correct and the problem persists, please contact your system administrator. 

  One quick thing you can check is on the Communications tab on the user properties. Under "additional options: Configure", check that "Enable remote user access" is ticked. If this is not ticked, the user will receive the error above (instead of a USEFUL message like "This account is not enabled for remote access .... ").

  OCS
• • <
  • 1
  • 2
  • 3
  • 4
  • ...
  • 9
  • >

• Subscribe

  

  

• Recent Posts

  • Connect Skydrive as a Windows mapped drive
  • D-Link DWA-131 and Ubuntu
  • Configure a non-enterprise Blackberry handset for Exchange
  • Upgrading bugzilla from 3.0.x to 3.4.6
  • Compile your own droid – Part 1a

• Spam Blocked

  12,952 spam comments blocked by
  Akismet

• Recent Comments

  • Andrew Montague on How to purge an orphaned mailbox
  • Orval Eske on Configure automatic login on OCS 2007
  • ben on Vista: Run a script at shutdown
  • Jakob G on Vista: Run a script at shutdown
  • Jakob G on Vista: Run a script at shutdown

• Categories

  • Android
  • Blackberry
  • Blogging
  • Desktop Linux
  • Enterprise Linux
  • Exchange
  • Messaging
  • Mobile
  • News
  • Nintendo
  • OCS
  • Random stuff
  • Rants
  • Scripting
  • Technology
  • VMware
  • Windows Servers
  • Windows Vista

• Tags

  Active Directory Android Bash scripting BES Blackberry Bugzilla Cacti CentOS Citrix Desktop Linux DivX Dr DivX Enterprise Linux Google iptables K2 Wordpress 2.5 kickstart Linux Logical Volumes LVM Messaging Mobile N95 netfilter networking Open Source Performance Putty Random Rant Red Hat Red Hat Summit RHEL routing Scripting SSH thin client Ubuntu VBScript Video Encoding VMware Windows Windows Vista wireless

• Tweets

  • @THErealDVORAK filezilla 2010/07/30
  • Office 2007 tip of the day. Ctrl+F1 hides the ribbon! Useful on a laptop screen. 2010/07/29
  • @Danielsaan what's demob? 2010/07/28
  • @Jedipottsy I haven't tried opendesire for about 3 weeks. Been using Pays froyo rom and it rocks. How about you? 2010/07/28
  • @Jedipottsy mythreed loads faster I think, there's not much in it though. Nice work btw! 2010/07/28

© Copyright ukstokes.com. All rights reserved.

Theme designed by Nischal Maniar