Simulating Network Labs using GNS3 and VMware on your PC: - GeexHQ: Simulate 2 virtual Cisco routers using GNS3 and connect them using Ethernet.
Get the PDF linked at the end of the above article!
12/20/2013
12/16/2013
Searching Active Directory user objects for a value in an attribute
The following looks for user objects with any value in the "audio" attribute (the "=*" is an LDAP presence test, so it matches any value at all):
$strFilter = "(&(objectCategory=User)(audio=*))"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry   # no path = default naming context, bound as the current user
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.PageSize = 4000   # turns on paged results; AD clamps each page to its MaxPageSize (1000 by default), so anything above that gains nothing
$objSearcher.Filter = $strFilter
$objSearcher.SearchScope = "Subtree"
$colProplist = "name"
foreach ($i in $colPropList){[void]$objSearcher.PropertiesToLoad.Add($i)}   # [void] hides the index that Add() returns
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults)
{$objItem = $objResult.Properties; $objItem.name}
$colResults.Dispose()   # FindAll() holds unmanaged handles until disposed
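As an added example (not code from the original post), here is the same DirectorySearcher approach wrapped in a function that parameterizes the attribute, the value and the object category. Attribute and category names are checked against the lDAPDisplayName character set and values are escaped per RFC 4515, so a name or value taken from a script argument cannot change the shape of the filter. The search base path and the description attribute in the usage lines are placeholders.

```powershell
# Added example, not code from the original post.
# Escape a value for use inside an LDAP search filter (RFC 4515 section 3):
# the characters \ ( ) * and NUL become \5c \28 \29 \2a \00.
function ConvertTo-LdapFilterValue {
    param([Parameter(Mandatory=$true)][string]$Value)
    $sb = New-Object System.Text.StringBuilder
    foreach ($ch in $Value.ToCharArray()) {
        switch ([int]$ch) {
            92 { [void]$sb.Append('\5c') }   # backslash
            40 { [void]$sb.Append('\28') }   # (
            41 { [void]$sb.Append('\29') }   # )
            42 { [void]$sb.Append('\2a') }   # *
            0  { [void]$sb.Append('\00') }   # NUL
            default { [void]$sb.Append($ch) }
        }
    }
    $sb.ToString()
}

# Find objects of one category that have a given attribute set.
# -Value '*' (the default) is a presence test, as in the filter above; any other
# value is escaped and matched literally.
function Find-AdObjectWithAttribute {
    param(
        [Parameter(Mandatory=$true)][string]$Attribute,
        [string]$Value = '*',
        [string]$Category = 'user',
        [string[]]$Properties = @('name', 'samaccountname'),
        [string]$SearchBase = ''      # optional LDAP path such as 'LDAP://OU=Staff,DC=example,DC=com' (placeholder)
    )
    # Attribute and category are lDAPDisplayNames: a letter, then letters, digits or hyphens.
    # Rejecting anything else is what keeps '(' and ')' out of the filter via these parameters.
    foreach ($n in @($Attribute, $Category)) {
        if ($n -notmatch '^[A-Za-z][A-Za-z0-9-]*$') { throw "Invalid LDAP attribute or class name: $n" }
    }
    $escaped = if ($Value -eq '*') { '*' } else { ConvertTo-LdapFilterValue -Value $Value }
    $filter = "(&(objectCategory=$Category)($Attribute=$escaped))"

    $root = if ($SearchBase) { New-Object System.DirectoryServices.DirectoryEntry($SearchBase) }
            else { New-Object System.DirectoryServices.DirectoryEntry }   # default naming context, current user
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $searcher.SearchScope = 'Subtree'
    $searcher.PageSize = 1000            # paged results; AD's default MaxPageSize is 1000 per page
    $cols = @($Properties + 'distinguishedname' | Select-Object -Unique)
    foreach ($p in $cols) { [void]$searcher.PropertiesToLoad.Add($p) }

    $results = $null
    try {
        $results = $searcher.FindAll()
        foreach ($r in $results) {
            $obj = New-Object PSObject
            foreach ($p in $cols) {
                # result property names come back lower-cased; multi-valued attributes are joined
                $obj | Add-Member -MemberType NoteProperty -Name $p -Value (@($r.Properties[$p.ToLower()]) -join '; ')
            }
            $obj
        }
    }
    finally {
        if ($results) { $results.Dispose() }   # FindAll() holds unmanaged handles until disposed
        $searcher.Dispose()
        $root.Dispose()
    }
}

# Usage: the original presence query, then a value containing filter metacharacters
# that is matched literally instead of being interpreted by the server.
Find-AdObjectWithAttribute -Attribute audio | Format-Table -AutoSize
Find-AdObjectWithAttribute -Attribute description -Value 'temp (reset) *' | Format-Table -AutoSize
```

The second call is the reason for the escaping: without it, a value like `temp (reset) *` either breaks the filter or, worse, turns into a wildcard match, which is the LDAP equivalent of an injection when the value comes from user input.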
12/13/2013
ASA SSL VPN
SSL VPN Clients not getting DNS
PROBLEM
- Clients get an IP from the address pool on the ASA (not DHCP), connect successfully, but get no name resolution: no DNS servers are being assigned.
- NOT doing split tunnel.
CHECK
DNS settings are defined in several places. Confirm the correct DNS server IPs are defined in each of the following locations:
- Configuration > Remote Access VPN > DNS
- Configuration > Remote Access VPN > Network (Client) Access > Group Policies > select the policy > Edit > Servers > DNS Servers field
This field only accepts 2 server IPs.
11/21/2013
Website/URL/Link Scanner Safety Check for Phishing, Malware, Viruses [results: DOMAIN.com] - ScanURL.net
Website/URL/Link Scanner Safety Check for Phishing, Malware, Viruses [results: domain.com] - ScanURL.net: Enter a URL/link (web address) or website/domain below, and we'll see if it's been reported for phishing, hosting malware/viruses, or poor reputation.
ALSO - it includes a long list of links to other resources at the bottom of a search.
urlquery.net - Free URL scanner
urlquery.net - Free URL scanner: urlQuery.net is a service for detecting and analyzing web-based malware. It
11/07/2013
Simple Host Time Information
Get-VMHost | Sort Name | Select Name,
    @{N="NTPServer";E={$_ | Get-VMHostNtpServer}},
    TimeZone,
    @{N="CurrentTime";E={(Get-View $_.ExtensionData.ConfigManager.DateTimeSystem) | Foreach {$_.QueryDateTime().ToLocalTime()}}},
    @{N="ServiceRunning";E={(Get-VMHostService -VMHost $_ | Where-Object {$_.Key -eq "ntpd"}).Running}} |
    Format-Table -AutoSize
Exporting all that useful VM information with PowerCLI » WoodITWork.com
Exporting all that useful VM information with PowerCLI » WoodITWork.com: Exporting all that useful VM information with PowerCLI
dvSwitch scripting - Part 13 - Export/Restore Config | LucD notes
dvSwitch scripting - Part 13 - Export/Restore Config | LucD notes: One of the exciting new dvSwitch features in vSphere 5.1 is the ability to export and restore a dvSwitch configuration.
This article explains how to do that in PowerShell
InventorySnapshot – VMware Labs
InventorySnapshot – VMware Labs: InventorySnapshot allows a user to “snapshot” a given vCenter inventory configuration and then reproduce it.
11/06/2013
Exchange 2007 Performance Troubleshooting
The RPC counters – these counters show whether clients are "feeling" a resource issue:
- MSExchangeIS\RPC Averaged Latency – should be under 50 ms (100 ms if clients are in cached mode)
- MSExchangeIS\RPC Operations/sec – relative; baseline and trend it
- MSExchangeIS\RPC Requests – recommended under 70
- If RPC Operations/sec climbs at the same time latency does, the added load is probably the cause
10/15/2013
BGP
Great article:
http://www.netcraftsmen.net/resources/archived-articles/382.html
This entire site looks very good.
UPDATE: It appears netcraftsmen.net is no longer there! http://web.archive.org/web/20121219075610/http://www.netcraftsmen.net/resources/archived-articles/382.html
10/08/2013
The Cable Guy: Strong and Weak Host Models
The Cable Guy: Strong and Weak Host Models: Strong and Weak Host Models
Multihomed server configuration
9/25/2013
SPANning ports on Cisco Nexus 5K Switch "brings down network"
DO NOT SPAN PORTS ON NEXUS 5K
Cisco Nexus 5000 Series NX-OS System Management Configuration Guide, Release 5.1(3)N1(1) - Configuring SPAN [Cisco Nexus 5000 Series Switches] - Cisco Systems: If a destination port is oversubscribed, it can become congested. This congestion can affect traffic forwarding on one or more of the source ports.
I'm told this is not an issue on 7K's.
9/17/2013
Cisco Identity Services Engine (ISE) - Cisco Systems
Cisco Identity Services Engine (ISE) - Cisco Systems: Cisco Identity Services Engine
Cisco ACS - Accounting
Configure a device to log every command to the ACS server (requires aaa new-model; command accounting is per privilege level, so add matching lines for levels 0 and 1 if commands from non-enabled sessions should be logged too):
aaa accounting commands 15 default start-stop group tacacs+
aaa accounting connection default start-stop group tacacs+
aaa accounting system default start-stop group tacacs+
9/10/2013
STP loops strike again
This is a very interesting post about an L2 loop experience. The "best practice" I've always been told isn't enough.
And an interesting solution:
use switchport port-security and limit the number of MAC addresses accepted on the switch port.
9/04/2013
Embedded Packet Capture Configuration Guide, Cisco IOS Release 15M&T - Embedded Packet Capture [Support] - Cisco Systems
Embedded Packet Capture::Cisco IOS
I've never used this and sometimes forget it's an option: http://www.cisco.com/en/US/docs/ios-xml/ios/epc/configuration/15-mt/nm-packet-capture.html#GUID-7E23C5F6-7BDF-4D18-A208-34FD726D6789
8/25/2013
PSTerminalServices – PowerShell module for Terminal Services - Shay Levy
PSTerminalServices – PowerShell module for Terminal Services - Shay Levy: PSTerminalServices – PowerShell module for Terminal Services
8/22/2013
8/16/2013
Powershell - prompt for option
$title = "Install Time"
$message = "Select Time For WSUS Install on SATURDAY"
$one = New-Object System.Management.Automation.Host.ChoiceDescription "&1 = 8pm", "8 PM"
$two = New-Object System.Management.Automation.Host.ChoiceDescription "&2 = 9pm", "9 PM"
$three = New-Object System.Management.Automation.Host.ChoiceDescription "&3 = 10pm", "10 PM"
$four = New-Object System.Management.Automation.Host.ChoiceDescription "&4 = 11pm", "11 PM"
$options = [System.Management.Automation.Host.ChoiceDescription[]]($one, $two, $three, $four)
$result = $host.ui.PromptForChoice($title, $message, $options, 0)   # last argument = index of the default choice
switch ($result)
{
0 {$tod=20}
1 {$tod=21}
2 {$tod=22}
3 {$tod=23}
}
#"Time of Day for Install = $tod"
Cisco FAQ: How do I reverse telnet out my aux port?
Cisco FAQ: How do I reverse telnet out my aux port?: How do I reverse telnet out my aux port?
8/12/2013
Lock Windows Workstation
Sometimes I'd like to lock a VDI machine but "Windows+L" key combo executes locally -- not on the VDI session.
Create the following shortcut:
rundll32.exe user32.dll, LockWorkStation
8/07/2013
Powershell: Remotely run a script
Run Powershell Script Remotely...
#############################################################################################################
#
# report.ps1
#
# run a powershell script on a remote computer and copy a result file for viewing locally
#
$computer = "GPM"
"Run GPO Report"
"Executing remotely on $computer"
$username = read-host "Username"
$pw = read-host -AsSecureString "Password"
# Decodes the SecureString to plain text. CAUTION: the password then sits in $pass as plain text and,
# below, on the psexec command line, where any local user can read it from the process list and where
# command-line auditing or PowerShell transcription will record it. Invoke-Command -Credential over
# WinRM avoids this.
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
[Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
$cmd = "c:\util\psexec.exe /acceptEula \\$computer -u $username -p $pass -w c:\dev c:\dev\run-report.bat"
invoke-expression $cmd
$file = "\\" + $computer + "\c$\dev\gpostatus.html"
copy $file c:\util
c:\util\gpostatus.html   # opens the copied report in the default browser
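As an added example (not code from the original post), the same job done over WinRM instead of psexec, so the password stays a SecureString end to end and never lands on a command line. Everything about the environment is assumed: that PowerShell remoting is enabled on GPM, the local script path, and the path the report script writes to on the remote side.

```powershell
# Added example, not code from the original post: run the report over WinRM.
# Assumes WinRM is enabled on the target (Enable-PSRemoting) and that the
# paths below exist; script and report paths are placeholders.
$computer   = 'GPM'
$scriptPath = 'c:\dev\gpo-report.ps1'       # local copy of the report script (placeholder)
$remoteOut  = 'c:\dev\gpostatus.html'       # where that script writes its report on $computer (placeholder)
$localOut   = 'c:\util\gpostatus.html'

# Get-Credential keeps the password as a SecureString, and Invoke-Command authenticates with
# Kerberos/Negotiate, so the password never appears in a process command line, in the
# process list, or in command-line auditing logs.
$cred = Get-Credential
$session = New-PSSession -ComputerName $computer -Credential $cred
try {
    # -FilePath reads the local script and runs its contents in the remote session;
    # nothing has to be staged on the target first.
    Invoke-Command -Session $session -FilePath $scriptPath

    # Pull the report back through the same session (works on PowerShell 2.0; on 5.0+
    # Copy-Item -FromSession does the same in one call).
    $html = Invoke-Command -Session $session -ScriptBlock {
        param($path)
        [System.IO.File]::ReadAllText($path)
    } -ArgumentList $remoteOut
    [System.IO.File]::WriteAllText($localOut, $html)
}
finally {
    Remove-PSSession -Session $session
}
Invoke-Item $localOut    # open the copied report in the default browser
```

One caveat: the report script calls Get-GPO, which contacts a domain controller from inside the remote session. That is a second network hop, and a plain WinRM session cannot forward the user's Kerberos ticket for it, so either enable CredSSP on both ends (Enable-WSManCredSSP) or configure constrained delegation for the GPM computer account. psexec avoids the problem only because -u/-p hand the target the password itself, which is exactly what puts it on the command line and in the logs.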
8/02/2013
Powershell - Report on Group Policy Objects
#########################################################################################################################
#
# GPO-REPORT.PS1
#
# Create a report of the status of all WSUS GPO's
#
import-module grouppolicy
$today = get-date
$outfile = "gpostatus.html"
$key = "HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au"
$days = @{"0" = "Every Day"; "1" = "Every Sunday"; "2" = "Every Monday"; "3" = "Every Tuesday"; "4" = "Every Wednesday"; "5" = "Every Thursday"; "6" = "Every Friday"; "7" = "Every Saturday"}
$gpobjs = get-gpo -all -domain usa.DOMAIN.com | where {$_.DisplayName -like "Software Update*"}
"<HTML>" | out-file $outfile
"<HEAD>" | out-file $outfile -append
"<TITLE></TITLE>" | out-file $outfile -append
"</HEAD>" | out-file $outfile -append
'<BODY BGCOLOR="#FFFFFF" TEXT="#000000" LINK="#FF0000" VLINK="#800000" ALINK="#FF00FF" BACKGROUND="?">' | out-file $outfile -append
'<H2>WSUS Group Policy Status</H2>' | out-file $outfile -append
'<H4>' + $today + '</H4><table bordercolor=#000000; border=2px; cellspacing=0;>' | out-file $outfile -append
'<tr><td ><b><font face="monospace" size="3"> Policy </font></td>' | out-file $outfile -append
'<td ><b><font face="monospace" size="3"> Modified </font></td>' | out-file $outfile -append
'<td ><b><font face="monospace" size="3"> Enabled/Disabled </font></td>' | out-file $outfile -append
'<td ><b><font face="monospace" size="3"> Configuration </font></td>' | out-file $outfile -append
'<td ><b><font face="monospace" size="3"> Install Day </font></td>' | out-file $outfile -append
'<td ><b><font face="monospace" size="3"> Install Hour </font></td>' | out-file $outfile -append
'</tr>' | out-file $outfile -append
$gpobjs | foreach-object {
$name = $_.DisplayName
write-host $name
$modified = $_.ModificationTime
$enabledvalue = get-gpregistryvalue -name $name -key $key -valuename noautoupdate
if ($enabledvalue.value -eq "0") {
$enabled = "enabled"
}
else {
$enabled = "disabled"
}
$optionvalue = get-gpregistryvalue -name $name -key $key -valuename auoptions
if ($optionvalue.value -eq "2") {
$option = "2-Notify Only"
}
elseif ($optionvalue.value -eq "3") {
$option = "3-Download & Notify"
}
elseif ($optionvalue.value -eq "4") {
$option = "4-Download & Install"
}
else {
$option = $optionvalue.value
}
$dayvalue = (get-gpregistryvalue -name $name -key $key -valuename scheduledinstallday).value | out-string
$dayvalue = $dayvalue -replace "\s+", ""
$day = $days[$dayvalue]
$hour = (get-gpregistryvalue -name $name -key $key -valuename scheduledinstalltime).value
if ($enabled -eq "disabled") {
$option = " "
$day = " "
$hour = " "
}
'<tr><td ><font face="monospace" size="2">' + $name + '</font></td>' | out-file $outfile -append
'<td ><font face="monospace" size="2">' + $modified + '</font></td>' | out-file $outfile -append
'<td ><font face="monospace" size="2">' + $enabled + '</font></td>' | out-file $outfile -append
'<td ><font face="monospace" size="2">' + $option + '</font></td>' | out-file $outfile -append
'<td ><font face="monospace" size="2">' + $day + '</font></td>' | out-file $outfile -append
'<td ><font face="monospace" size="2">' + $hour + '</font></td></tr>' | out-file $outfile -append
}#foreach object
"</TABLE></BODY></HTML>" | out-file $outfile -append
Powershell Group Policy Management
WSUS Policies
#requires Windows 2008 R2 with Group Policy Management Console installed
#install GPM on a Windows 2008 R2
import-module -name servermanager
add-windowsfeature -name GPMC
import-module grouppolicy
#list interesting gpo's
get-gpo -all -domain usa.DOMAIN.com | where {$_.DisplayName -like "Software Update*"} | select displayname
$gpname = "Software Update Services WSUS Asia"
#retrieve an individual object
$gpobj = get-gpo -name $gpname
#When was an object modified?
$modified = $gpobj.ModificationTime
$key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
#get specific value assigned by GPO
get-gpregistryvalue -name $gpname -key $key\au -valuename noautoupdate
#get all values beneath a key
get-gpregistryvalue -name $gpname -key $key
####################################################################################################################################
#
# NOTES for WSUS
#
# - Is WSUS enabled?
# Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au
# Value: noautoupdate = 0 (enabled) or 1 (disabled)
#
# - IF ENABLED, what update option is selected?
# Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au
# Value: auoptions = 2 (notify before download), 3 (Download & notify), 4 (autodownload and install on scheduled day)
#
# - IF ENABLED, IF OPTION 4, what scheduled day?
# Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au
# Value: ScheduledInstallDay = 0 (every day), 1 (Sundays), 2 (Mondays), 3 (Tuesdays), 4 (Wednesdays), etc
#
# - IF ENABLED, IF OPTION 4, what schedule time?
# Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\au
# Value: ScheduledInstallTime = number specifying the hour in a 24 hour day = 14 (2pm)
#
#Set a value
# For example - set day of week for scheduled install to Saturday:
# set-gpregistryvalue -name $gpname -key $key\au -valuename scheduledinstallday -type DWORD -value 7
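As an added example (not code from the original post), a decoder for the AU values listed in the notes above that turns them into a readable object and flags weak settings, whether the values come from a GPO (Get-GPRegistryValue) or from a machine's effective policy key. The AU value names and meanings are the ones in the notes. WUServer, WUStatusServer and UseWUServer are not in the notes; they live one key up (...\WindowsUpdate) and are checked here because a plain-HTTP WSUS URL lets anyone on the network path rewrite update metadata. The sample values at the bottom are constructed.

```powershell
# Added example, not code from the original post.
$AuDays = @{ 0 = 'Every Day'; 1 = 'Every Sunday'; 2 = 'Every Monday'; 3 = 'Every Tuesday';
             4 = 'Every Wednesday'; 5 = 'Every Thursday'; 6 = 'Every Friday'; 7 = 'Every Saturday' }
$AuOptions = @{ 2 = '2-Notify Only'; 3 = '3-Download & Notify'; 4 = '4-Download & Install';
                5 = '5-Local admin chooses' }

function ConvertFrom-WsusPolicy {
    param(
        [hashtable]$Au,             # value name -> data from ...\WindowsUpdate\AU
        [hashtable]$WU = @{}        # value name -> data from ...\WindowsUpdate (WUServer etc.)
    )
    $findings = @()
    # NoAutoUpdate absent means the policy does not configure AU at all; only an explicit 0 enables it.
    $enabled = $Au.ContainsKey('NoAutoUpdate') -and ([int]$Au['NoAutoUpdate'] -eq 0)
    if (-not $enabled) { $findings += 'Automatic Updates not enabled by this policy (NoAutoUpdate missing or 1)' }

    $option = $null; $day = $null; $hour = $null
    $opt = $Au['AUOptions']
    if ($enabled) {
        if ($null -ne $opt) {
            $option = if ($AuOptions.ContainsKey([int]$opt)) { $AuOptions[[int]$opt] } else { "$opt (unknown)" }
            if ([int]$opt -ne 4) { $findings += "Updates are not installed automatically (AUOptions=$opt)" }
        } else {
            $findings += 'AUOptions not set'
        }
        if ([int]$opt -eq 4) {   # day and hour only mean something for option 4
            $d = $Au['ScheduledInstallDay']
            if ($null -ne $d) { $day = if ($AuDays.ContainsKey([int]$d)) { $AuDays[[int]$d] } else { "$d (unknown)" } }
            $t = $Au['ScheduledInstallTime']
            if ($null -ne $t) { $hour = [int]$t }
        }
    }

    # Server settings: UseWUServer=1 sends clients to WUServer instead of Microsoft Update.
    $wsus = $WU['WUServer']
    if ([int]$WU['UseWUServer'] -eq 1) {
        if (-not $wsus) { $findings += 'UseWUServer=1 but WUServer is not set' }
        elseif ($wsus -notmatch '^https://') { $findings += "WUServer is not HTTPS ($wsus): update metadata can be tampered with in transit" }
        if ($WU['WUStatusServer'] -and $WU['WUStatusServer'] -ne $wsus) { $findings += 'WUStatusServer differs from WUServer' }
    }

    New-Object PSObject -Property @{
        Enabled     = $enabled
        Option      = $option
        InstallDay  = $day
        InstallHour = $hour
        WsusServer  = $wsus
        Findings    = $findings
    }
}

# Build the hashtable from Get-GPRegistryValue output (objects with ValueName/Value properties;
# subkey entries without a ValueName are skipped).
function ConvertTo-ValueHashtable {
    param($RegistryValues)
    $h = @{}
    foreach ($v in @($RegistryValues)) { if ($v -and $v.ValueName) { $h[$v.ValueName] = $v.Value } }
    $h
}

# Read the same values from this machine's effective policy keys.
function Get-LocalWsusPolicy {
    $base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
    $toHash = {
        param($item)
        $h = @{}
        if ($item) { foreach ($p in $item.PSObject.Properties) { if ($p.Name -notlike 'PS*') { $h[$p.Name] = $p.Value } } }
        $h
    }
    $wu = & $toHash (Get-ItemProperty -Path $base -ErrorAction SilentlyContinue)
    $au = & $toHash (Get-ItemProperty -Path "$base\AU" -ErrorAction SilentlyContinue)
    ConvertFrom-WsusPolicy -Au $au -WU $wu
}

# Constructed sample: installs on Saturdays at 22:00 from a plain-HTTP WSUS server.
$sampleAu = @{ NoAutoUpdate = 0; AUOptions = 4; ScheduledInstallDay = 7; ScheduledInstallTime = 22 }
$sampleWu = @{ UseWUServer = 1; WUServer = 'http://wsus.example.com:8530'; WUStatusServer = 'http://wsus.example.com:8530' }
ConvertFrom-WsusPolicy -Au $sampleAu -WU $sampleWu | Format-List

# For a GPO (needs the GroupPolicy module and a domain), with $gpname and $key as defined above:
#   $au = ConvertTo-ValueHashtable (Get-GPRegistryValue -Name $gpname -Key "$key\au")
#   $wu = ConvertTo-ValueHashtable (Get-GPRegistryValue -Name $gpname -Key $key)
#   ConvertFrom-WsusPolicy -Au $au -WU $wu
```

The sample decodes to an enabled, option 4, Saturday, 22:00 policy with a single finding about the non-HTTPS WUServer; that finding is the one to chase, since a client that accepts update metadata over plain HTTP from the WSUS host will accept it from anyone who can answer as that host.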
Managing Windows Servers with Powershell
Powershell: install a windows feature
This is so much simpler than clicking around and waiting for screens to refresh:
import-module -name servermanager
add-windowsfeature -name GPMC
VMware KB: Repointing and reregistering VMware vCenter Server 5.1.x and components
VMware KB: Repointing and reregistering VMware vCenter Server 5.1.x and components: Repointing and reregistering VMware vCenter Server 5.1.x
8/01/2013
Cisco - more VRF stuff
Making stuff work with VRFs.... More
Get to my NTP server, get Telnet access working:
line vty 0 4
access-class 50 in vrf-also
exec-timeout 60 0
privilege level 15
transport input telnet ssh
!
ntp server vrf [vrf-name] 10.10.10.10
The vrf-also keyword is what lets VTY connections arriving on interfaces in a VRF through at all; without it they are refused even when ACL 50 permits the source. Note that privilege level 15 on the line drops every session straight into privileged exec, and Telnet is cleartext, so once SSH is confirmed working change the last line to transport input ssh.
Cisco TACACS+ with VRF
aaa group server tacacs+ [grp-name]
server-private 10.10.10.10 key 7 [key]
ip vrf forwarding [vrf-name]
ip tacacs source-interface [interface-name]
!
aaa authentication login default local group [grp-name]
aaa authorization exec default local group [grp-name]
Method order matters: written this way the local user database is consulted first and the TACACS+ group only when the local method returns an error (for example the username does not exist locally), so a locally defined account never goes through TACACS+. Put group [grp-name] first and local last if TACACS+ should be authoritative and local only a fallback.
Cisco Virtual Routing and Forwarding (VRF) - Misc
Copy to TFTP using VRF
Trying to get into the practice of using a separate VRF for management on network gear. A lot of stuff needs cleaning up. Today's discovery - to make backup scripts work:
ip tftp source-interface Vlan109
where Vlan109 is the interface in the management VRF; IOS takes the VRF from the source interface, so no separate vrf keyword is needed.
7/30/2013
Powershell - Change Service Startup Type
Powershell: Change Windows Service Startup Type of Remote Server
Works with Powershell 1.0 & 2.0
#Check Startup Type
($svc = Get-WmiObject Win32_Service -ComputerName $server -Filter "name='wuauserv'") | out-null
if ($svc.StartMode -eq "Disabled") {
"$server WSUS service changed to Automatic"
$result=$svc.changestartmode("Automatic")
}#end if
#Backup Service Registry
$result=([WmiClass]"\\$server\ROOT\CIMV2:Win32_Process").create("c:\windows\regedit /e c:\WSUS.REG HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\wuauserv")
write $server "Backup Service Registry RESULT=" $result.returnvalue
#Set Service as Delayed Start (needs the Remote Registry service running on $server)
write $server "configure service"
$key = "SYSTEM\CurrentControlSet\Services\wuauserv"
$reg = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
$regKey = $reg.OpenSubKey($key, $true)   # $true = open writable
$result = $regKey.SetValue("DelayedAutoStart", 1, [Microsoft.Win32.RegistryValueKind]::DWord)
$regKey.Close(); $reg.Close()
7/26/2013
Powershell: Status of Windows Hotfix
Powershell: Check Status of Windows Hotfix
##################################################################################
#
# check-hotfix.ps1
#
# Confirm hotfix has been installed on all Windows2008 servers
#
# Requires admin permission on every server
#
##################################################################################
$hotfix = "KB2520155"
$ServerList = ".\SUCCESS.TXT" #servers where hotfix is installed
$ErrorList = ".\ERRORS.TXT" #servers where hotfix is not installed
$ListFile = ".\SERVERS.TXT" #all the servers I checked
New-Item $ListFile -Type file -Force | Out-Null
New-Item $ServerList -Type file -Force | Out-Null
New-Item $ErrorList -Type file -Force | Out-Null
$today = get-date
$day = $today.Day
$mth = $today.Month
$year = $today.Year
$hour = $today.Hour
$min = $today.Minute
$sec = $today.Second
$date = "$year-$mth-$day-$hour$min$sec"
@"
$date
Servers Responding to PING
--------------------------------------------------------------------------
"@ | out-file -encoding ASCII -filepath $ListFile
@"
$date
Servers with hotfix $hotfix
--------------------------------------------------------------------------
"@ | out-file -encoding ASCII -filepath $ServerList
@"
$date
Servers without hotfix $hotfix
--------------------------------------------------------------------------
"@ | out-file -encoding ASCII -filepath $ErrorList
$List = ""
"Execution in progress..."
# Create $list of AD machine accounts for Windows Servers
$strCategory = "computer"
$strOS = "Windows*Server*2008*"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectCategory=$strCategory)(operatingSystem=$strOS))"
$objSearcher.PageSize = 1000   # paged results; without this a large domain returns only the first 1000 matches
$colProplist = "dnshostname", "operatingsystem"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
$objComputer = $objResult.Properties;
$Server = $objComputer.dnshostname
$OS = $objComputer.operatingsystem
$Server = $Server -replace "\.usa\.DOMAIN\.com", ""
$Server = $Server -replace "\s{2,}", ""
$OS = $OS -replace "$([char]0x00AE)" , "" #remove "registered trademark" symbol
if ($Server) {#skip null
"$Server , $OS"
if (Test-Connection -ComputerName $Server -quiet -count 1) {#PING OK
" Responds to PING"
"$Server , $OS" | out-file -encoding ASCII -filepath $ListFile -append
#Get Hotfix info
$installed = get-wmiobject -class "Win32_QuickFixEngineering" -namespace "root\CIMV2" -computername $Server `
-Filter "HotFixID='$hotfix'"
if ($installed) {
" $hotfix INSTALLED!"
write-output "$Server , $OS" | out-file -encoding ASCII -filepath $ServerList -append
}
else {
" $hotfix NOT installed"
write-output "$Server , $OS" | out-file -encoding ASCII -filepath $ErrorList -append
}
}#end if PING OK, do nothing if PING fails
}#if not null, do nothing if null
}#foreach
Untiny API Extract Service
Untiny Extract Service
I am annoyed by "tinyURL" translated links just on principle. But I think they also can present a greater security risk if they are used in a drive-by attack to make a site look less suspicious. -- http://www.untiny.com -- will translate these back to the original. Get a text-formatted translation: http://untiny.me/api/1.0/extract?url={URL TO TRANSLATE}&format=text. For example: http://untiny.me/api/1.0/extract?url=http://tiny.pl/htk&format=text
7/25/2013
Calculating IOPS Requirements
IOPS = input output operations per second
A measure of demand and a measure of capability.
IOPS Demand
Servers - perform monitoring, refer to os & app vendor information on requirements
Users (virtual desktop) - about 25 iops for a typical user running multiple apps at once, 2GB RAM, single CPU.
IOPS Capability
IOPS per disk ≈ 1000 / (average rotational latency in ms + average seek time in ms)
Disk Speed   Est IOPS
7200 rpm     75
10000 rpm    125
15000 rpm    175
SSD          6000 (?)
Read vs Write
Typical average:
40% Read, 60% Write
RAID "Penalty"
Write operations to RAID arrays require additional I/O operations to write the mirror copy or the parity data.
see more at theithollow.com
RAID Level   Write i/o Penalty
0            1
1            2
5            4
6            6
Calculation of required capability to meet demand:
IOPS Required = (IOPS Demand * Read i/o%) + (IOPS Demand * Write i/o% * RAID Penalty)
Unfortunately, I don't find such a scientific way to factor in the effect of caching, etc.
For example
Demand = 25 iops
read% = 40, write% = 60
RAID 5
(25 * 0.40) + (25 * 0.60 * 4) = 10 + 60 = 70
** Nearly triple!
So for 1000 users generating 25000 iops, we need 70000 iops on the "back end."
70000/175 = 400 15K disks would be required - holy moly also see yellowbricks.com
7/19/2013
Powershell - Copy Files to all servers
Using Powershell to copy files to every server
##################################################################################
#
# Copy files to all servers with AD accounts that respond to PING
#
# Requires admin permission on every server
#
##################################################################################
$file1="Windows6.1-KB2520155-x64.msu"
$file2="Windows6.1-KB2520155-x86.msu"
$ServerList = ".\SUCCESS.TXT"
$ErrorList = ".\ERRORS.TXT"
$ListFile = ".\SERVERS.TXT"
New-Item $ListFile -Type file -Force | Out-Null
New-Item $ServerList -Type file -Force | Out-Null
New-Item $ErrorList -Type file -Force | Out-Null
$List = ""
"Execution in progress..."
# Create $list of AD machine accounts for Windows Servers
$strCategory = "computer"
$strOS = "Windows*Server*"
$objDomain = New-Object System.DirectoryServices.DirectoryEntry
$objSearcher = New-Object System.DirectoryServices.DirectorySearcher
$objSearcher.SearchRoot = $objDomain
$objSearcher.Filter = "(&(objectCategory=$strCategory)(operatingSystem=$strOS))"
$objSearcher.PageSize = 1000   # paged results; without this a large domain returns only the first 1000 matches
$colProplist = "dnshostname"
foreach ($i in $colPropList){$objSearcher.PropertiesToLoad.Add($i)}
$colResults = $objSearcher.FindAll()
foreach ($objResult in $colResults) {
$objComputer = $objResult.Properties;
$Server = $objComputer.dnshostname
$Server = $Server -replace "\.usa\.domain\.com", ""
$Server = $Server -replace "\s{2,}", ""
if ($Server) {#skip null
$Server
if (Test-Connection -ComputerName $Server -quiet -count 1) {#PING OK
" Responds to PING"
$Server | out-file -encoding ASCII -filepath $ListFile -append
#Copy Files
copy-item c:\dns-msu -destination "\\$Server\C$" -recurse   # PowerShell strings do not use backslash escaping, so UNC paths take plain backslashes
#Check File1
if (-not(Test-path "\\$Server\C$\dns-msu\$file1")) {
" FAIL: $file1"
write-output "$Server - MISSING $file1" | out-file -encoding ASCII -filepath $ErrorList -append
}
else {
" SUCCESS: $file1"
write-output "$Server - OK $file1" | out-file -encoding ASCII -filepath $ServerList -append
}
#Check File2
if (-not(Test-path "\\$Server\C$\dns-msu\$file2")) {
" FAIL: $file2"
write-output "$Server - MISSING $file2" | out-file -encoding ASCII -filepath $ErrorList -append
}
else {
" SUCCESS: $file2"
write-output "$Server - OK $file2" | out-file -encoding ASCII -filepath $ServerList -append
}
}#end if PING OK
else {#PING FAIL
" Does not respond to PING"
write-output "$Server - PING Failure" | out-file -encoding ASCII -filepath $ErrorList -append
}#end else PING FAIL
}#if null
}#foreach
How to use BGP to achieve Internet redundancy - TechRepublic
How to use BGP to achieve Internet redundancy - TechRepublic: How to use BGP to achieve Internet redundancy
The general steps for implementing BGP multihoming are:
- Obtain your ASN from ARIN.
- Identify your network block of IP addresses. If you own these, then you have the right to advertise them on the Internet through BGP. If you are borrowing these from your provider, then you must ask your provider for permission before advertising them through another provider.
- If you have a single provider, you are typically using a static route to connect to that provider. That provider is not sending you any BGP routes. Assuming that is true, you will have to request that your provider send you BGP routes. (Your provider will need to know your ASN and your remote router’s neighbor address. The neighbor is the IP address that your BGP process uses to communicate with.) Once you have the provider's BGP routes in your routing table and you are advertising your network to your provider through BGP, you can remove your static route and have your provider remove their static route.
- Next, assuming that you are multihoming on a single router, bring up your secondary provider. They can set it up so that they send you BGP routes. Again, they will need to know your ASN and your neighbor address.
- Within the BGP table (database) on your router, you will see the routes from each of your providers. The best route in BGP is the route with the shortest AS path. (If the AS paths are identical, there is a tiebreaking procedure, but this is normally not the case.) The route that has the shortest AS path will be placed in your router’s routing table.
BGP Route Convergence on the Internet
BGP Internet Route Convergence
If your network is multihomed -- how long does it take routes TO you to converge? These slides are very informative. Wish I was in the classroom during this talk.... http://www.cs.northwestern.edu/~ychen/classes/cs450-05/lectures/BGP_Convergence.ppt
Powershell - DNS Check
Check DNS Resolution using Powershell
##########################################################################################
#
# DNS-CHECK.PS1
#
##########################################################################################
$outfile = ".\results.txt"
$list = ".\LIST.TXT"
$names = Get-Content $list
$today = get-date
clear-host
write "==========================================================================="
write " $today"
write " Checking DNS Resolution"
write "$today" | out-file -encoding ASCII $outfile
foreach($name in $names) {
write "---------------------------------------------------------------------------"
write-host " $name"
try {[Net.DNS]::GetHostEntry($name) }
catch {
Write-host " ERROR: $name - NOT FOUND IN DNS"
"ERROR: $name - not resolved in DNS" | out-file -encoding ASCII $outfile -append
}
}#foreach server
write "==========================================================================="
#end
7/16/2013
VMWare Powershell NTP Service Setup
VMware Powershell NTP Service Setup
#####################################################################
#
# Setup NTP on a new host
#
$vcs = Read-Host "vCenter"
# Get-Credential keeps the password as a SecureString and Connect-VIServer accepts it directly,
# so there is no need to decode it to plain text (and overwriting a $pass string afterwards
# would not scrub the old copy from memory anyway)
$cred = Get-Credential
connect-viserver -Server $vcs -Credential $cred
clear-host
foreach ($VMHost in (Get-VMHost -Name privh*)) {
" $VMHost"
$ntp=get-vmhostservice -vmhost $VMHost | Where {$_.Key -eq 'ntpd'}
" $ntp"
set-vmhostservice -hostservice $ntp -policy "automatic"
restart-vmhostservice $ntp -confirm:$false
}
disconnect-viserver -confirm:$false
7/12/2013
Redundant Datacenter Connectivity
Datacenter Connectivity
Goals
- Create redundant datacenters. For now, 2 of them.
- Redundant, diverse, physical circuits/paths
- Allow simple movement of services between datacenters => support the same IP address ranges in either location
Issues/Discussion Items
Layer 2
to allow the same IP address ranges
- Circuits are different vendors taking very different paths with unknown infrastructure in between the datacenters. A failure could occur within the service provider, but all my ports show "up."
- So, Spanning Tree and Port Channels will not work for "in between" failures
- UDLD, Unidirectional Link Detection, doesn't seem to work on a "virtual circuit" over a provider network like Metro Ethernet.
- Cisco's OTV is supposed to accomplish a big part of this, but it seems that a much less overblown solution could at least provide the Layer 2 redundancy.
Routing Redundancy
- For routing to work, the (outbound) default route must be configured to go out through the same datacenter where the inbound traffic will be arriving.
- So any kind of automatic redundancy that fails the inbound route to the secondary datacenter needs to also initiate a change to the default route of all machines in the "shared" networks.
- A compromise would be a "one button push" method to switch inbound and outbound routing to change between datacenters.
- Does OTV address this?
- A traditional solution would possibly involve 2 circuits each with a router at each end. L3 redundancy between the 2 links using HSRP/GLBP, some kind of IP tracking to expose a service provider outage, and somehow create L2 tunnels over each one and use them via a port aggregation at the core switch. The question remains whether this solution can be designed to show a link as down even if the failure is in between.
- There seems to be little in the way of configuration help or reference material for GRE/MGRE tunnels. Even less for L2 tunneling. I suppose the motivation for helping users do that is even less now that there is a nebulous thing called OTV that involves a big spend on monster Nexus 7K core switches.
- I haven't been able to get into the guts of this and do any testing. Thinking it through on paper I always get bogged down with the L2 tunnel. A possible example L2TP configuration is:
Router A:
pseudowire-class test
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface Loopback0
ip address 1.1.1.1 255.255.255.255
!
interface FastEthernet0/1
description LAN
no ip address
speed 100
full-duplex
xconnect 2.2.2.2 1 encapsulation l2tpv3 manual pw-class test
l2tp id 1 2
Router B:
pseudowire-class test
encapsulation l2tpv3
protocol none
ip local interface Loopback0
!
interface Loopback0
ip address 2.2.2.2 255.255.255.255
!
interface FastEthernet0/1
no ip address
duplex auto
speed auto
xconnect 1.1.1.1 1 encapsulation l2tpv3 manual pw-class test
l2tp id 2 1
With protocol none there is no L2TPv3 control channel, so nothing authenticates the far end and the pseudowire carries frames in the clear; anyone who can reach the loopback address can inject frames into the bridged segment. At a minimum set matching l2tp cookie local / l2tp cookie remote values under each xconnect, and carry the tunnel over IPsec where the path crosses a provider.
Windows 8 Help
Thanks to: *the* Mark Minasi, http://www.minasi.com/newsletters/nws1307.htm
shortcut keys
- Start Screen: to get there, press the key on your keyboard with the "Windows" flag. I'll type that as "[w]" from now on.
- Desktop: [w]+d
- Charms: [w]+c
- Settings, the Metro-ish Control Panel: [w]+I
- Lock Orientation so it doesn't jump between portrait and landscape with [w]+O
- Explorer is a pain to get more than one window open at a time but [w]+E always brings up a new Explorer window
- Many administrative tools can be accessed more quickly with [w]+x
- The new Metro modern apps have a wonky menu structure so to see every option all at once, [w]+z
7/11/2013
How to: Set a Fixed Amount of Memory (SQL Server Management Studio)
7/10/2013
Powershell: Count datastores on VMware Hosts
All the LUN mappings & datastore names need to match on all hosts in a cluster. I hope to someday script a more comprehensive comparison of datastores & names. However, a quick and dirty confirmation is to count the datastores that are connected on every host in each cluster. If they match, it at least gives me a warm feeling.
#####################################################################
#
# Gather count of LUNs/Datastores connected to all hosts, per cluster
#
# Requires VMware PowerCLI (Connect-VIServer, Get-Cluster, Get-VMHost, Get-Datastore)
#
$vcs  = Read-Host "vCenter"
# Prompt for a PSCredential and hand it straight to PowerCLI; there is no need to
# round-trip the password through a plain-text string
$cred = Get-Credential -Message "vCenter credentials for $vcs"
Connect-VIServer -Server $vcs -Credential $cred | Out-Null
$date    = Get-Date -Format "yyyy-M-d-Hmmss"
$outfile = ".\datastores-" + $vcs + "-" + $date + ".csv"
Clear-Host
"Cluster,Host-Name,Datastore-Count" | Out-File $outfile -Encoding ascii
# Walk every cluster explicitly (the earlier version referenced an undefined $Cluster)
foreach ($cluster in Get-Cluster) {
    " $cluster"
    foreach ($VMHost in (Get-VMHost -Location $cluster)) {
        # @() so that a host with a single datastore still reports 1, not a string length
        $ds = @($VMHost | Get-Datastore).Count
        "   $VMHost  $ds"
        "$cluster,$VMHost,$ds" | Out-File $outfile -Encoding ascii -Append
    }
}
Disconnect-VIServer -Confirm:$false
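The note above wishes for "a more comprehensive comparison of datastores & names". The following is an added example, not the author's script: it takes a host-to-datastore map and reports which datastores are not visible on every host. The sample map is constructed so the block runs offline; in real use it would be filled from Get-VMHost and Get-Datastore (PowerCLI, assumed), and the "*-local" exclusion pattern is this example's own default.

```powershell
function Compare-ClusterDatastores {
    param(
        # Hashtable: host name -> array of datastore names visible on that host
        [Parameter(Mandatory)] [hashtable] $HostDatastores,
        # Wildcards for datastores that are expected to be host-specific (local disks)
        [string[]] $ExcludeLike = @('*-local')
    )
    # Reference set: every datastore any host sees, minus the excluded patterns
    $all = $HostDatastores.Values | ForEach-Object { $_ } | Sort-Object -Unique |
        Where-Object { $name = $_; -not ($ExcludeLike | Where-Object { $name -like $_ }) }
    foreach ($vmhost in ($HostDatastores.Keys | Sort-Object)) {
        $seen    = @($HostDatastores[$vmhost])
        $missing = @($all | Where-Object { $seen -notcontains $_ })
        [pscustomobject]@{
            Host       = $vmhost
            Count      = $seen.Count
            Missing    = ($missing -join ';')
            Consistent = ($missing.Count -eq 0)
        }
    }
}

# Constructed sample data: esx03 is missing LUN_03 and has its own local datastore.
# A plain count (4 each) would not reveal the mismatch; the name comparison does.
$sample = @{
    'esx01' = @('LUN_01', 'LUN_02', 'LUN_03', 'ISO')
    'esx02' = @('LUN_01', 'LUN_02', 'LUN_03', 'ISO')
    'esx03' = @('LUN_01', 'LUN_02', 'ISO', 'esx03-local')
}
$result = Compare-ClusterDatastores -HostDatastores $sample
$result | Format-Table -AutoSize
$broken = @($result | Where-Object { -not $_.Consistent })
if ($broken.Count) { Write-Warning ("Inconsistent hosts: " + ($broken.Host -join ', ')) }
```

Counting alone passes when a host has swapped one LUN for another, which is exactly the case that breaks HA and vMotion; comparing the name sets catches it.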
Powershell: VMware Guest Inventory
Gather information from vCenter server about VM's. In this case I was looking for machines that were connected to more than one network or datastore.
# Requires VMware PowerCLI
$vcs  = Read-Host "vCenter"
# Pass the credential object to PowerCLI instead of decoding the password to plain text
$cred = Get-Credential -Message "vCenter credentials for $vcs"
#$vcon = Disconnect-VIServer * -Confirm:$False
$vcon = Connect-VIServer -Server $vcs -Credential $cred
$outfile = ".\" + $vcs + "-info.csv"
$reportedvms = New-Object System.Collections.ArrayList
# Sort VMs by number of virtual NICs, most first
$vms = Get-View -ViewType VirtualMachine | Sort-Object -Property {
    @($_.Config.Hardware.Device | Where-Object { $_ -is [VMware.Vim.VirtualEthernetCard] }).Count
} -Descending
foreach ($vm in $vms) {
    " $($vm.Name)"
    $reportedvm = New-Object PSObject
    $ipnum = ($vm.Guest.Net | Select-Object IPAddress).IPAddress | Out-String
    # Build the inventory path (datacenter\folder\...\vm) by walking up the parent chain
    $path = $vm.Name
    $current = Get-View $vm.Parent
    do {
        $parent = $current
        # -ne does not do wildcard matching; -notlike is what was intended here
        if ($parent.Name -notlike "Datastore*") { $path = $parent.Name + "\" + $path }
        $current = Get-View $current.Parent
    } while ($current.Parent -ne $null)
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Path       -Value $path
    # Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Guest    -Value $vm.Name
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Networks   -Value @($vm.Network).Count
    # -join so multi-valued fields export as "a;b" rather than "System.Object[]"
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Network    -Value ((Get-View $vm.Network).Name -join ';')
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name IP         -Value $ipnum
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Datastores -Value @($vm.Datastore).Count
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Datastore  -Value ((Get-View $vm.Datastore).Name -join ';')
    $networkcards = $vm.Guest.Net
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Nics       -Value @($networkcards).Count
    Add-Member -InputObject $reportedvm -MemberType NoteProperty -Name Disks      -Value @($vm.Guest.Disk).Count
    $reportedvms.Add($reportedvm) | Out-Null
}
$reportedvms | Export-Csv $outfile -NoTypeInformation
Disconnect-VIServer * -Confirm:$False
7/05/2013
vmware customization: sysprep issues
sysprep /generalize /reboot /oobe
c:\windows\system32\sysprep\panther\setuperr.log
"SYSPRP WinMain:Hit failure while processing sysprep cleanup external providers; hr = 0x8007001f"
"SYSPRP RunExternalDlls:An error occurred while running registry sysprep DLLs, halting sysprep execution. dwRet = -1073425657"
slmgr /dlv
regedit: set the value of GeneralizationState under HKEY_LOCAL_MACHINE\SYSTEM\Setup\Status\SysprepStatus to 7
start > run: msdtc -uninstall
start > run: msdtc -install
delete any extra folders under c:\windows\system32\sysprep
On SOURCE machine:
Set the following to 1: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform\SkipRearm
**be sure the administrator user does NOT have "user cannot change password" checked.
7/03/2013
Powershell: Compellent SAN configuration
Add Servers, Create boot volumes, map volumes to servers.
Requires the right version of Compellent Storage Center and the Compellent plugin for Powershell
$user = Read-Host "userid"
$pw = Read-Host "Enter Password for $user" -AsSecureString
$san1 = get-scconnection -HostName san1 -User $user -Password $pw
$san2 = get-scconnection -HostName san2 -User $user -Password $pw
#$pass ='' #erase plain txt pw
#remove-scserver -connection $san1 $server
$inputfile = ".\test.csv"
$profiles = get-content $inputfile
foreach ($line in $profiles) {
$line
$line = ($line -split',')
$profile = $line[0]
$wwn1 = $line[1]
$wwn2 = $line[2]
#Create Server
$s1server = new-scserver -connection $san1 -name $profile
$s2server = new-scserver -connection $san2 -name $profile
#Set WWNs
add-scserverport -connection $san1 -scserver $s1server -worldwidenames $wwn1
add-scserverport -connection $san1 -scserver $s1server -worldwidenames $wwn2
add-scserverport -connection $san2 -scserver $s2server -worldwidenames $wwn1
add-scserverport -connection $san2 -scserver $s2server -worldwidenames $wwn2
#Set Server OS Type
$s1ostype = get-SCOSType -index 35 -connection $san1
$s1server = get-SCServer -connection $san1 -name $profile
$s2ostype = get-SCOSType -index 35 -connection $san2
$s2server = get-SCServer -connection $san2 -name $profile
set-scserver $s1server -connection $san1 -SCOSType $s1ostype
set-scserver $s2server -connection $san2 -SCOSType $s2ostype
#Create Boot LUN
#use "Boot LUNs" storage profile
$storageprofile = get-scstorageprofile -connection $san2 -name "Boot LUNs"
$volname = $profile+"_boot"
$folder = get-scvolumefolder -connection $san2 -name "BOOT LUNS"
$volume = new-scvolume -connection $san2 -name $volname -parentfolder $folder -scstorageprofile $storageprofile -size 10g
#map volume
$map = new-scvolumemap -scvolume $volume -scserver $s2server -connection $san2
}#end foreach profile
Remove-SCConnection $san1
Remove-SCConnection $san2
Powershell: VMWare Automation
Kick-Start Your VMware Automation with PowerCLI
https://www.simple-talk.com/sysadmin/virtualization/10-steps-to-kick-start-your-vmware-automation-with-powercli/
vCheck (Daily Report) | Virtu-Al.Net
VMware powershell resources
7/02/2013
Powershell: Cisco MDS Fibre Channel Switch Zone Configuration Builder
Create Commands to configure zones on Cisco MDS 91xx switch
####################################################################################################
#
# fc-cfg-bldr.ps1
#
# Create cmd file for Cisco MDS fibre channel switch to create zones for new servers
# INPUT: CSV file containing list of server names and WWN's.
# OUTPUT: 2 TXT files containing commands to create zones in Fabric A and Fabric B.
#
$inputfile = ".\test.csv"
#$inputfile = ".\servers.csv"
$outfile = ".\fc-cmds.txt"
$tempA = ".\\configA.txt"
$tempB = ".\\configB.txt"
$profiles = get-content $inputfile
$today = get-date
$day = $today.Day
$mth = $today.Month
$year = $today.Year
$hour = $today.Hour
$min = $today.Minute
$sec = $today.Second
$date = "$year-$mth-$day-$hour$min$sec"
clear-host
"------------------------------------------------------------------------------"
write "! $date Fabric A Configuration" | out-file $tempA -encoding ascii
write "! $date Fabric B Configuration" | out-file $tempB -encoding ascii
$zonesetA = @"
zoneset name SAN1-SAN2-FAB-A vsan 2
"@
$zonesetB = @"
zoneset name SAN1-SAN2-FAB-B vsan 3
"@
foreach ($profile in $profiles) {
"!------------------------------------------------------------------------------" | out-file $tempA -encoding ascii -append
"!------------------------------------------------------------------------------" | out-file $tempB -encoding ascii -append
$profile
$server = ($profile -split',')
$name = $server[0]
" $name"
$wwn1 = $server[1]
" $wwn1"
$wwn2 = $server[2]
" $wwn2"
$zoneA1 = $name+"_hba_A_to_cmp1"
$zoneA2 = $name+"_hba_A_to_cmp2"
$zoneB1 = $name+"_hba_B_to_cmp1"
$zoneB2 = $name+"_hba_B_to_cmp2"
#create commands
" Generate Commands"
#Create Zones in Fabric A
" Fab A Zones"
$configA = @"
zone name $zoneA1 vsan 2
member pwwn 50:00:d3:10:00:0c:80:03
member pwwn 50:00:d3:10:00:0c:80:09
member pwwn 50:00:d3:10:00:0c:80:11
member pwwn 50:00:d3:10:00:0c:80:17
member pwwn $wwn1
zone name $zoneA2 vsan 2
member pwwn 50:00:d3:10:00:0c:82:03
member pwwn 50:00:d3:10:00:0c:82:0b
member pwwn 50:00:d3:10:00:0c:82:13
member pwwn 50:00:d3:10:00:0c:82:1b
member pwwn $wwn1
"@
write $configA | out-file $tempA -encoding ascii -append
#Add to zonesetA
" Add to ZonesetA"
$configA = @"
member $zoneA1
member $zoneA2
"@
$zonesetA = $zonesetA + $configA
#Create Zones in Fabric B
" Fab B Zones"
$configB = @"
zone name $zoneB1 vsan 3
member pwwn 50:00:d3:10:00:0c:80:0d
member pwwn 50:00:d3:10:00:0c:80:05
member pwwn 50:00:d3:10:00:0c:80:1b
member pwwn 50:00:d3:10:00:0c:80:13
member pwwn $wwn2
zone name $zoneB2 vsan 3
member pwwn 50:00:d3:10:00:0c:82:0f
member pwwn 50:00:d3:10:00:0c:82:05
member pwwn 50:00:d3:10:00:0c:82:1f
member pwwn 50:00:d3:10:00:0c:82:15
member pwwn $wwn2
"@
write $configB | out-file $tempB -encoding ascii -append
#Add to zonesetB
" Add to ZonesetB"
$configB = @"
member $zoneB1
member $zoneB2
"@
$zonesetB = $zonesetB + $configB
"-------------------------------------------------------------------------------"
}#end foreach
"!------------------------------------------------------------------------------" | out-file $tempA -encoding ascii -append
"!------------------------------------------------------------------------------" | out-file $tempB -encoding ascii -append
#Config zonesets
write $zonesetA | out-file $tempA -encoding ascii -append
write $zonesetB | out-file $tempB -encoding ascii -append
#Activate & Save
" Complete Configs"
$configA = @"
zoneset activate name SAN1-SAN2-FAB-A vsan 2
zone commit vsan 2
copy run start
"@
write $configA | out-file $tempA -encoding ascii -append
$configB = @"
zoneset activate name SAN1-SAN2-FAB-B vsan 3
zone commit vsan 3
copy run start
"@
write $configB | out-file $tempB -encoding ascii -append
"-------------------------------------------------------------------------------"
" COMPLETE - Configuration commands saved to $tempA, $tempB"
"-------------------------------------------------------------------------------"
SYSPREP on cloned Windows Server 2008 R2 Fails
Trouble with sysprep not running when vmware runs customization after deploying a Win2K8R2 template.
-> SID for all the clones is the same.
Supposedly this matters much less these days but some odd stuff happened that we couldn't explain when we attempted to join to AD domain
(NEWSID doesn't work past Win2003)
SYSPREP logs are located at: c:\windows\system32\sysprep\panther
log files: setupact.log, setuperr.log
Apparently sysprep will not run when it thinks Windows has been upgraded in place.
This particular template they were copying had several applications installed on it for which we don't know the owner so rebuilding fresh was not an option.
The following worked to allow sysprep to run:
- Remove the machine from the domain
- Registry export: HKLM\SYSTEM\Setup (as backup)
- Delete from the registry: HKLM\SYSTEM\Setup\Upgrade
- Run: c:\windows\system32\Sysprep\Sysprep.exe /oobe /generalize
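The two sysprep notes on this page (the "vmware customization: sysprep issues" entry above and this one) both come down to a handful of registry conditions. The following is an added example, not from either note: it reports those conditions and, with -Fix, clears them after exporting HKLM\SYSTEM\Setup as the note does. The registry paths are the ones the notes give; the -Fix switch, the backup file location and the domain-membership check are this example's own additions. Run it elevated on the template VM.

```powershell
param([switch] $Fix)

$setupKey   = 'HKLM:\SYSTEM\Setup'
$upgradeKey = "$setupKey\Upgrade"
$statusKey  = "$setupKey\Status\SysprepStatus"
$sppKey     = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\SoftwareProtectionPlatform'

function Get-SysprepBlockers {
    # One object describing each condition the notes identify as stopping sysprep
    [pscustomobject]@{
        UpgradeKeyPresent   = Test-Path $upgradeKey
        GeneralizationState = (Get-ItemProperty $statusKey -ErrorAction SilentlyContinue).GeneralizationState
        SkipRearm           = (Get-ItemProperty $sppKey    -ErrorAction SilentlyContinue).SkipRearm
        DomainJoined        = (Get-WmiObject Win32_ComputerSystem).PartOfDomain
    }
}

$state = Get-SysprepBlockers
$state | Format-List

if ($Fix) {
    if ($state.DomainJoined) {
        Write-Warning "Machine is still domain-joined; remove it from the domain before running sysprep."
    }
    # Export HKLM\SYSTEM\Setup first, as the note does, so every change below can be reverted
    $backup = Join-Path $env:TEMP ("Setup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
    reg.exe export 'HKLM\SYSTEM\Setup' $backup /y | Out-Null
    "Backup written to $backup"
    if ($state.UpgradeKeyPresent) {
        # Sysprep refuses to run when this key makes it believe Windows was upgraded in place
        Remove-Item $upgradeKey -Recurse -Force
        "Removed $upgradeKey"
    }
    if ($state.GeneralizationState -ne 7) {
        Set-ItemProperty $statusKey -Name GeneralizationState -Value 7 -Type DWord
        "Set GeneralizationState = 7"
    }
    if ($state.SkipRearm -ne 1) {
        # Set-ItemProperty creates the value if it does not exist yet
        Set-ItemProperty $sppKey -Name SkipRearm -Value 1 -Type DWord
        "Set SkipRearm = 1"
    }
    Get-SysprepBlockers | Format-List
}
```

Run it once without -Fix to see why sysprep is refusing, and keep the exported .reg file with the template's documentation; the Upgrade key cannot be recreated by hand if it turns out to have been needed.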
7/01/2013
Cloning Windows Server 2008 R2: Use Sysprep (no more NewSID) - Ray Heffer
VMware KB: Cannot run Sysprep on a Windows virtual machine that was upgraded to a later version
Powershell: Bulk Creation of HP-BL Virtual Connect Profiles
####################################################################################################
#
# clone-profile.ps1
#
# Copy a template and associate with physical server
# INPUT: CSV file containing list of profile names, IP# of enclosure, and Bay
# Requires plink.exe in the current directory
#
$vcuser    = "admin"
$inputfile = ".\servers.csv"
$pw        = Read-Host "Enter Password for $vcuser" -AsSecureString
$profiles  = Get-Content $inputfile
$tempfile  = ".\cmdfile.txt"
$date      = Get-Date -Format "yyyy-M-d-Hmmss"
$logfile   = ".\create-profile-$date.log"
Write-Output "$date Create HP BL Profiles" | Out-File $logfile -Encoding ascii
Clear-Host
foreach ($profile in $profiles) {
    "--------------------------------------------------------------------------------" | Out-File $logfile -Encoding ascii -Append
    $profile
    $profile | Out-File $logfile -Encoding ascii -Append
    $server = ($profile -split ',')
    $name = $server[0]
    $vcip = $server[1]
    $bay  = $server[2]
    # Pick the template by enclosure; skip rows for an enclosure that is not mapped
    # (the earlier version would silently reuse the previous row's template)
    $template = switch ($vcip) {
        "10.2.9.147" { "Template01" }
        "10.2.9.177" { "Template_2" }
        default      { $null }
    }
    if (-not $template) { Write-Warning "No template mapped for enclosure $vcip, skipping $name"; continue }
    #create command file
    Write-Output "copy profile $template $name" | Out-File $tempfile -Encoding ascii
    Write-Output "poweroff server $bay -force"  | Out-File $tempfile -Encoding ascii -Append
    Write-Output "assign profile $name $bay"    | Out-File $tempfile -Encoding ascii -Append
    # plink takes the password as a command-line argument (-pw), so it is visible in the
    # process list for the duration of the call; key-based auth (-i key.ppk) avoids that.
    # Decode the SecureString only for that call and zero the BSTR afterwards.
    $bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
    $pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
    [Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
    $result = (./plink.exe -batch -ssh -l $vcuser -pw $pass $vcip -m $tempfile) | Out-String
    $pass = '' #erase plain txt pw
    $result
    $result | Out-File $logfile -Encoding ascii -Append
}#end foreach
"--------------------------------------------------------------------------------" | Out-File $logfile -Encoding ascii -Append
6/30/2013
Powershell: Gather list of HP Blade Server WWN's
####################################################################################################
#
# server-list.ps1
#
# Gather inventory of profiles, bay assigned, and WWN's
#
$vcips = ("10.2.1.10","10.2.1.11")
$vcuser = "admin"
$outfile = ".\hpbl-wwns.csv"
$pw = Read-Host "Enter Password for $vcuser" -AsSecureString
$alldevicebays=@{}
$allprofiles=@()
$wwn1=@{}
$wwn2=@{}
clear-host
foreach ($vcip in $vcips) {
$profiles=@() #the profiles on this enclosure
$devicebays=@{}
$vcip
#convert $pw to plain text
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto(
[Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw))
$go = "show profile" # Command Line
$result = (./plink.exe -batch -ssh -l $vcuser -pw $pass $vcip $go) | out-string
$pass ='' #erase plain txt pw
$list = ($result -split'[\n]')
if ($list.Length -lt 2) { break }
write-host " Getting Profile List"
foreach ($item in $list) {
if ($item.Length -gt 0) {
if (!$item.Contains("===============================================================")) {
if (!$item.Contains("---------------------------------------------------------------")) {
if (($item.Substring(0,1) -ne " ")) {
$name = $item.Substring(0,12)
$name = $name.Trim()
$bay = $item.Substring(12,14)
$bay = $bay.Trim()
if ($name -ne "Name") {
$profiles = $profiles + $name
$allprofiles = $allprofiles + $name
$devicebays[$name] = $bay
$alldevicebays[$name] = $bay
}
}#end if
} #end if
}#end if
}#end if
}#end foreach
write-host " Finding WWN's"
foreach ($profile in $profiles) {
write-host " "$profile
if ($devicebays[$profile] -ne "") {
# Same query for both HBA ports: port 1 is hbaA, port 2 is hbaB
foreach ($port in 1, 2) {
write-host "  port "$port
$go = "show fcoe-connection "+$profile+":"+$port
# Decode the SecureString only for the plink call and zero the BSTR afterwards
$bstr = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($pw)
$pass = [Runtime.InteropServices.Marshal]::PtrToStringAuto($bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($bstr)
# -batch so an unexpected host-key or password prompt fails instead of hanging the script
$result = (./plink.exe -batch -ssh -l $vcuser -pw $pass $vcip $go) | out-string
$pass=""
$list = ($result -split'[\n]')
foreach ($item in $list) {
# Output lines look like "Field Name : value"; skip anything without the separator
$items = ($item -split ': ', 2)
if ($items.Count -lt 2) { continue }
$field = $items[0].Trim()
$data = $items[1].Trim()
if ($field -eq "Port WWN") {
if ($port -eq 1) { $wwn1[$profile] = $data } else { $wwn2[$profile] = $data }
}#end if
}#end foreach item
}#end foreach port
}#end if UNASSIGNED
}#end foreach profile
}#end foreach enclosure
$profiles = $profiles | sort-object
#create report
write-host "generating output file: " $outfile
#delete output file if it exists
if ( test-path $outfile ) { remove-item $outfile }
get-date -format g | out-file $outfile -encoding ascii
"Profile, Bay, hbaA, hbaB" | out-file $outfile -encoding ascii -append
write-host "Profile, Bay, hbaA, hbaB"
foreach ($profile in $allprofiles) {
$bay = ($alldevicebays[$profile])
$wwnA = ($wwn1[$profile])
$wwnB = ($wwn2[$profile])
write-host $profile "," $bay "," $wwnA "," $wwnB
write "$profile,$bay,$wwnA,$wwnB" | out-file $outfile -encoding ascii -append
}#end foreach
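The script above screen-scrapes the Virtual Connect CLI with fixed Substring offsets, which breaks the moment a column widens or a profile name exceeds 12 characters. The following is an added example, not the page's script: the same two outputs parsed with regular expressions, plus a format check on every WWN before it is pasted into a zone configuration. The sample text is constructed to have the shape the script expects (a Name/Server header, ===== rulers, "Port WWN : value" lines); it is not captured from a real enclosure, and the "<Unassigned>" marker is an assumption.

```powershell
function ConvertFrom-VcProfileList {
    param([Parameter(Mandatory)] [string] $Text)
    # Emit one object per profile row: first token is the profile name, second is the bay.
    # Ruler lines and the column header are skipped.
    foreach ($line in ($Text -split "`r?`n")) {
        if ($line -notmatch '^[=-]{10,}' -and
            $line -match '^(?<name>\S+)\s+(?<bay>\S+)' -and
            $Matches.name -ne 'Name') {
            [pscustomobject]@{ Profile = $Matches.name; Bay = $Matches.bay }
        }
    }
}

function Get-VcFieldValue {
    param(
        [Parameter(Mandatory)] [AllowEmptyString()] [string] $Text,
        [Parameter(Mandatory)] [string] $Field
    )
    # "Field : value" with any amount of whitespace around the colon
    if ($Text -match ('(?m)^\s*' + [regex]::Escape($Field) + '\s*:\s*(?<v>\S+)')) { $Matches.v }
}

function Test-Wwn {
    param([Parameter(Mandatory)] [AllowEmptyString()] [string] $Wwn)
    # Eight colon-separated hex octets, e.g. 50:00:d3:10:00:0c:80:03
    return $Wwn -match '^([0-9a-fA-F]{2}:){7}[0-9a-fA-F]{2}$'
}

# Constructed sample of "show profile"
$showProfile = @"
Name         Server         Status
============ ============== ======
Esx01        enc0:1         OK
Esx02        enc0:2         OK
Spare        <Unassigned>   OK
"@

# Constructed samples of "show fcoe-connection <profile>:<port>"; Esx02:1 is deliberately malformed
$fcoe = @{
    'Esx01:1' = "Port WWN      : 20:00:00:25:b5:11:bf:0f`nNode WWN      : 20:00:00:25:b5:11:bf:00"
    'Esx01:2' = "Port WWN      : 20:00:00:25:b5:11:bf:1f"
    'Esx02:1' = "Port WWN      : 20:00:00:25:b5:11:bf:2"
    'Esx02:2' = "Port WWN      : 20:00:00:25:b5:11:bf:3f"
}

"Profile,Bay,hbaA,hbaB"
foreach ($p in (ConvertFrom-VcProfileList -Text $showProfile)) {
    if ($p.Bay -eq '<Unassigned>') { continue }   # nothing to zone for an unassigned profile
    $wwns = foreach ($port in 1, 2) {
        Get-VcFieldValue -Text $fcoe["$($p.Profile):$port"] -Field 'Port WWN'
    }
    $bad = @($wwns | Where-Object { -not (Test-Wwn $_) })
    if ($bad.Count) {
        # A truncated WWN would generate a zone that silently matches nothing
        Write-Warning "$($p.Profile): rejecting malformed WWN(s) $($bad -join ', ')"
        continue
    }
    "{0},{1},{2},{3}" -f $p.Profile, $p.Bay, $wwns[0], $wwns[1]
}
```

Esx01 produces a CSV row; Esx02 is rejected with a warning rather than ending up as a member pwwn line that the MDS will accept syntactically but never match.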
6/28/2013
Using PLINK through Powershell
$User     = ""    # SSH user name
$Pswd     = ""    # SSH password; it ends up on the plink command line (visible in the process list), so prefer key-based auth with -i where possible
$Computer = ""    # target host
$plink = ".\plink.exe"
$cmd1 = '/usr/sbin/vdf -h'
# Call plink directly rather than building a string for Invoke-Expression, so a quote or
# semicolon in any of the variables cannot be re-parsed as additional PowerShell commands
$msg = & $plink -v -batch -pw $Pswd "$User@$Computer" $cmd1
$msg
6/24/2013
6/11/2013
Monitoring RID Pool
http://blogs.technet.com/b/askds/archive/2011/09/12/managing-rid-pool-depletion.aspx
dcdiag /TEST:RidManager /v /n:[domain.com]
5/24/2013
5/06/2013
4/26/2013
copy ntfs permissions from one folder to another folder
I just wanted to copy the permissions from one folder to another. This powershell worked:
get-acl \\SOURCE\FOLDER | set-acl \\TARGET\FOLDER
Cisco MDS switch cmdline
Saved 30 minutes of click, click, drag, click, commit, drag, commit, activate, blah blah in Fabric Manager:
zone name privh08_hba_B_to_vnx vsan 3
member pwwn 50:06:01:64:3e:e0:04:7d
member pwwn 50:06:01:6c:3e:e0:04:7d
member pwwn 20:00:00:25:b5:11:bf:0f
zone name privh09_hba_B_to_vnx vsan 3
member pwwn 50:06:01:64:3e:e0:04:7d
member pwwn 50:06:01:6c:3e:e0:04:7d
member pwwn 20:00:00:25:b5:11:bf:1f
zone name privh10_hba_B_to_vnx vsan 3
member pwwn 50:06:01:64:3e:e0:04:7d
member pwwn 50:06:01:6c:3e:e0:04:7d
member pwwn 20:00:00:25:b5:11:bf:df
zone name privh11_hba_B_to_vnx vsan 3
member pwwn 50:06:01:64:3e:e0:04:7d
member pwwn 50:06:01:6c:3e:e0:04:7d
member pwwn 20:00:00:25:b5:11:bf:ef
zone name privh12_hba_B_to_vnx vsan 3
member pwwn 50:06:01:64:3e:e0:04:7d
member pwwn 50:06:01:6c:3e:e0:04:7d
member pwwn 20:00:00:25:b5:11:bf:bf
zoneset name SAN1-SAN2-FAB-B vsan 3
member privh08_hba_B_to_vnx
member privh09_hba_B_to_vnx
member privh10_hba_B_to_vnx
member privh11_hba_B_to_vnx
member privh12_hba_B_to_vnx
zoneset activate name SAN1-SAN2-FAB-B vsan 3
zone commit vsan 3
copy run start
4/24/2013
4/09/2013
Virtual Disconnect: Migrating from HP BladeSystem to Cisco UCS | M. Sean McGee
Virtual Disconnect: Migrating from HP BladeSystem to Cisco UCS | M. Sean McGee: Virtual Disconnect: Migrating from HP BladeSystem to Cisco UCS
vSphere DvSwitch caveats and best practices! - Eric Sloof - NTPRO.NL
vSphere DvSwitch caveats and best practices! - Eric Sloof - NTPRO.NL: The distributed Virtual Switch corresponding to the proxy switches d5 6e 22 50 dd f2 94 7b-a6 1f b2 c2 e6 aa 0f bf on the host does not exist in vCenter or does not contain the host
4/01/2013
Newsletter #106:Solving the "How Do I Change My Firewall Profile in Windows 8?" Puzzle
Newsletter #106:Solving the "How Do I Change My Firewall Profile in Windows 8?" Puzzle: Changing a NIC's Firewall Profile Between "Private" and "Public"
Problems with file shares on VM's
Symptoms
==========
When you try to access files located on a share, hosted on a disk that is a non-system operating disk, you receive Access Denied.
This issue occurs when you are using Machines hosted on a VMware virtualized environment.
This issue occurs when you remotely access shares located on a USB disk
Causes
==========
Auditing for file and system objects is Enabled and the disk is a Hot Plug-able disk
Resolution
==============
Disable Auditing for file and system objects or do not use Hot Plug-able disks.
Here is the workaround from VMWare:
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1012225
3/28/2013
3/21/2013
Isi Blogging?: Job Engine
There is a single Isilon node that is the job coordinator.
Find out which node it is with:
isi job status -r
example output:
coordinator.connected=True
coordinator.devid=1
coordinator.down_or_read_only=False
Isilon Performance Stats
Summary
isi statistics drive --nodes=all --orderby=busy --type=sas,sata --top
or
isi statistics drive --nodes=all --orderby=busy --type=sas,sata | head -n 30
Drive Queue
isi statistics drive --nodes=all --orderby=queued --type=sas,sata --top
Cluster Performance Snapshot
isi statistics pstat
List files in use
isi statistics heat --nodes=all --orderby=ops --top
List of client connections
isi statistics client --nodes=all --orderby=ops --top
Get rid of "pseudo nics"
Look in HKLM\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters for a REG_DWORD entry called DisabledComponents.
If it's not there, create it in Parameters. Set its value to 1
3/15/2013
Re: How do you calculate usable capacity for Isilon?
Clear as mud:
Here is the generally accepted formula used when sizing:
1) Find total raw TB in base 10
2) Multiply that result by (1000^4/1024^4) to get base 2 TB
3) Subtract 1 GB per drive for the OS partitions
4) Subtract 0.0083% of that result to account for the filesystem format
5) Subtract the protection overhead from that result
As for the protection overhead that you are planning to use, look to the "OneFS User Guide" on support.emc.com. Skip to the section "OneFS data protection", where it talks about N+M data protection, protection schemes such as N+1, N+2:1 (default), 2x, etc. and the associated cost/parity overhead. You will also see a very good matrix listing the percent overhead, which begins by reminding us: "The parity overhead for each protection level depends on the file size and the number of nodes in the cluster."
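The five steps above as one function, so the same arithmetic is applied every time a cluster is sized. This is an added example, not part of the forum reply. The protection-overhead percentage is a parameter because, as the reply says, it depends on protection level, file size and node count and has to be read from the OneFS matrix; the node, drive and overhead figures in the sample call are constructed.

```powershell
function Get-IsilonUsableTB {
    param(
        [Parameter(Mandatory)] [double] $RawTBBase10,           # step 1: vendor "raw" TB, decimal
        [Parameter(Mandatory)] [int]    $DriveCount,             # step 3: 1 GB per drive goes to OS partitions
        [Parameter(Mandatory)] [double] $ProtectionOverheadPct   # step 5: from the OneFS protection matrix
    )
    # step 2: decimal TB -> binary TB (TiB)
    $tb  = $RawTBBase10 * ([math]::Pow(1000, 4) / [math]::Pow(1024, 4))
    # step 3: 1 GB per drive, taken as 1/1024 TB
    $tb -= $DriveCount / 1024
    # step 4: filesystem format overhead, 0.0083% of what is left
    $tb -= $tb * (0.0083 / 100)
    # step 5: N+M or mirroring overhead, as a percentage of what is left
    $tb -= $tb * ($ProtectionOverheadPct / 100)
    return [math]::Round($tb, 2)
}

# Constructed example: 4 nodes x 36 drives x 4 TB = 576 TB raw, 20% protection overhead assumed
Get-IsilonUsableTB -RawTBBase10 576 -DriveCount 144 -ProtectionOverheadPct 20
```

Run it for each protection level under consideration; the difference between the results is the real cost of, say, N+2:1 over N+1 for that cluster size.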
3/11/2013
3/08/2013
ESXi Remote Administration
Remotely managing ESXi servers has turned into such a pain in the butt.
From VCS:
- Software > Security Profile
- Check firewall and check box for SSH client & server if needed.
- Open Services and start the SSH service.
- SSH to server
- you can type DCUI to get the same user interface as if you are on the console of the physical server.
- or you can do the following to restart all the services:
- cd /sbin
- services.sh restart
2/25/2013
Configure NAT in the VRF lite scenario
But, why would you do a VRF and then decide you wanted to route from that VRF to your global routing instance? And why on earth would you want to NAT between two interfaces in different VRF's.
Well, I did end up needing to and this article was very helpful.
ip vrf MyVRF
exit
interface
(no switchport) ! make routed port
ip vrf forwarding MyVRF ! associate interface with MyVRF
ip address A.B.C.D M.M.M.M
interface
switchport
switchport trunk encapsulation dot1q
(switchport nonegotiate)
switchport mode trunk
vlan 10
name WAN-VLAN
interface Vlan10
ip vrf forwarding MyVRF
ip addr E.F.G.H M.M.M.M
ip nat enable
! now the VRF-aware NAT config:
interface
ip nat enable
interface Vlan10
ip nat enable
ip access-list standard LAN-to-NAT
permit
ip nat source list LAN-to-NAT interface Vlan10 vrf MyVRF overload
! finally the def. route
ip route vrf MyVRF 0.0.0.0 0.0.0.0
2/17/2013
2/12/2013
Openfiles
Openfiles: From the cmdline, query what files are open and disconnect them.
http://technet.microsoft.com/en-us/library/cc732490(v=ws.10).aspx
Windows 2008 Stuff
- Disable Hibernate on servers: powercfg -h off
- RDP sessions from the CMD line, after registering query.dll like this: regsvr32 query.dll
query session /server:servername [enter]
reset session # /server:servername [enter]
-What files are open? (anything more than query may require settings change & reboot.)
openfiles /query
Active Directory Stuff
- list all the groups and the members in those groups
dsquery group -limit 0 | dsget group -members -expand
- list fsmo role holders
netdom query fsmo
- Show domain account policy
net accounts
- Start AD synchronization
repadmin /syncall
- Group policy troubleshooting
gpupdate /force => reapply group policy now
gpresult => show what policies apply
Microsoft Network Stuff
- built-in sniffer: netsh trace start capture=yes tracefile=c:\capture.etl
netsh trace stop
http://blogs.msdn.com/b/canberrapfe/archive/2012/03/31/capture-a-network-trace-without-installing-anything-works-for-shutdown-and-restart-too.aspx
- What groups am I a member of?
whoami /groups
- reset interface IP configuration
netsh int ip reset all
- show all connections and refresh every 10 seconds (the trailing number is the interval in seconds)
netstat -ano 10
VMware KB: Troubleshooting transaction logs on a Microsoft SQL database server
Prevent logs from filling up the server:
- Log in to the Microsoft SQL 2005/2008 Server as an administrator.
- Open up SQL Management Studio.
- Right-click the database that VirtualCenter is using.
- Click Properties.
- Click the Options link.
- Set the Recovery Model to Simple
- Click OK.
- Once this is complete, right click on the database again.
- Click Tasks>Shrink>Files.
- On the Shrink Database window select the file type 'Log'. The file name appears in the filename drop-down as databasename_log
- The space used versus the space allocated is displayed. After you set the recovery model to Simple, the majority of the space in the transaction log is released.
- Ensure that the Release unused space radio button is selected.
- Click OK on this window to shrink the transaction log.
2/06/2013
1/30/2013
How do I secure a Cisco router from the Internet? Cisco Forum FAQ | DSLReports.com, ISP Information
Recommended Global and Interface Configurations

• Disable all non-essential services and features
no service pad
no ip finger
no ip bootp server
(IOS versions 12.x and higher automatically disable certain features: tcp-small-servers, udp-small-servers, and ip http-server.)
no ip source-route

• Enable global security features
service password-encryption (automatically encrypts configured passwords)
service timestamps debug datetime msec localtime show-timezone
service timestamps log datetime msec localtime show-timezone
service tcp-keepalives-in
logging buffered <50000> debugging
logging console warnings (if you don't log, you can't trace problems)
enable secret (enables the strongest password encryption on the enable password)
no cdp run (if you don't need cdp at all)

• Disable the following features per interface
no ip redirects
no ip unreachables
no ip directed-broadcast
no ip proxy-arp
no cdp enable (for exterior facing interfaces)
Make sure all other interfaces not being used are administratively shut down.

• Enabling additional features
ip subnet-zero (enables networks on the 0 boundary)
ip classless (allows for CIDR netmasks)
Enable access-lists per interface as necessary to restrict the traffic to only required communication (see the links above for info regarding access-list configuration):
interface fastethernet 1/0
 ip access-group 101 out
 ip access-group 102 in
clock timezone (an accurate clock makes security logs more useful with timestamps)
clock summer-time recurring
NTP is the key to a synchronized clock, which is highly recommended for accurate timestamping of log entries:
ntp master
ntp update-calendar
ntp server
snmp-server community RO 10 (secures snmp control by access list 10)
Add the IP addresses of only the hosts that need snmp access to the router to access-list 10.
Use the banner command to state the obvious precautions upon login as a legal disclaimer:
banner motd ^CC
You Access Restricted Equipment
All Activities are Monitored and Logged
Unauthorized Use Prohibited
By Accessing, You Agree to Your Activities Being Monitored and Logged
^C

Console configuration - use exec-timeout to log out idle users after 5 minutes:
line con 0
 exec-timeout 5 0
 password 7 <######>
 login authentication no_tacacs
 transport input none
line aux 0
 exec-timeout 5 0
 password 7 <#######>
 login authentication test
 modem InOut
 transport input all
 stopbits 1
 speed 19200
 flowcontrol hardware
line vty 0 4
 exec-timeout 5 0
 password 7 <########>
 login authentication test
 transport input telnet

IOS version
Make sure you are running a version of IOS that is stable and is patched for all of the latest network bugs, especially the recent SSH and SNMP vulnerabilities.

Cisco Internet Inbound Access List
The following is a commented example of an Access List configuration for a router that acts as a "choke" device on the inside or outside of a true firewall device. The ! signifies a commented line in Cisco's notation. Non-commented lines are the actual configuration syntax as it would be entered on the Cisco router. The information supplied in this configuration is in no way guaranteed or supported by the author to "secure" your network. This is meant to provide an example of generally accepted configuration practices when securing routers that provide access to untrusted networks. This access-list should be applied inbound on your choke router to what is considered your external or outside interface. In most cases, for routers outside your firewall this will be some sort of WAN interface like a serial port, BRI interface, frame relay sub-interface, or ATM PVC. This filters traffic that is coming from the Internet or untrusted network "inbound" on the external interface connecting to the Internet.
--------------------------------------------------------------------------------
! Deny all standard external spoofing attacks and log all attempts
! from illegal addresses, your external block, and reserved space
!
! For obvious reasons, non-routable Internet addresses should not be allowed to
! come inbound. A favorite of hackers is to spoof private source addresses or
! even masquerade as public addresses on your own external networks.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
deny ip 127.0.0.0 0.255.255.255 any log-input
deny ip 255.0.0.0 0.255.255.255 any log-input
deny ip 224.0.0.0 31.255.255.255 any log-input
deny ip host 0.0.0.0 any log-input
deny ip any log-input
deny ip host any log-input
!
! Deny any abusive networks here...
!
deny ip xxx.xxx.xxx.xxx 0.0.0.255 any log-input
!
! The commands below are all for routers being used as a firewall device.
! If you plan on using another device for a firewall, then do not add any other
! configuration lines except for the following:
!
! permit ip any any
!
! If you plan on using your router as your only firewall device you can permit
! or deny particular services as outlined below. The following are only examples.
! There are hundreds of services and non-standard configurations you may need to
! allow based on your individual requirements. If you do not have the budget
! for a true firewall such as a PIX, Checkpoint or Netscreen, you should still use
! a router that is sized properly to do the job you need. A Cisco 2620 or 2640
! should have plenty of CPU for Reflexive Access lists and Content Based Access
! Control for a full T-1 worth of traffic. The other key component is RAM. Allow for
! a minimum of 32MB or 64MB if possible. If your budget is still an issue, you are
! probably better off building a firewall using a PC server (under $1000) with 2
! network cards using Linux or NetBSD and IPChains firewall software. You can get a
! lot more mileage out of a machine like that than a low-end Cisco router which
! really wasn't designed for that purpose anyway.
!
! Include the inbound Reflexive Access-Lists if you are using this function
!
! *WARNING* Reflexive Access Lists are CPU and memory intensive on your router.
! Make sure that your hardware is properly sized to support your volume of traffic.
!
! For further explanation of these services and port numbers please refer to
! documentation for the specific protocols.
!
evaluate alliptraffic
!
! If you need to host any inbound services behind your router then the following
! config may help you out with some example setups.
!
! Allow outside ftp sessions inbound
!
permit tcp any host eq 21
!
! Allow ftp to work from inside your network (requires port 20 to be open
! for incoming data session)
!
permit tcp any eq 20 host gt 1024
!
! Allow auth/identd traffic for smtp mail and for other client apps
!
permit tcp any host eq 113
permit tcp any host eq 113
!
! Allow smtp traffic inbound to mail servers
!
permit tcp any host eq smtp
!
! Allow http traffic inbound to all web servers
!
permit tcp any host eq www
!
! Allow SSL traffic inbound to all SSL servers
!
permit tcp any host eq 443
!
! Allow Microsoft PPTP/VPN sessions to connect inbound and log control channel
!
permit tcp any host eq 1723 log-input
permit tcp any host eq 1731
permit gre any host
!
! Allow only certain remote addresses to perform tcp DNS transfers from
! specific DNS servers for secondary DNS service and log each connection
!
permit tcp host host eq domain log-input
!
! Allow inbound client DNS requests to all DNS servers
!
permit udp any host eq domain
!
! Allow DNS resolution from the router's serial port for testing purposes
!
permit udp any eq 53 host
!
! Allow time synchronization to occur on router from ISP
!
permit udp any eq ntp host eq ntp
!
! Allow only particular types of icmp packets inbound to
! maintain integrity of data flow and sanity and for troubleshooting etc.
!
permit icmp any net-unreachable
permit icmp any host-unreachable
permit icmp any port-unreachable
permit icmp any packet-too-big
permit icmp any administratively-prohibited
permit icmp any source-quench
permit icmp any ttl-exceeded
permit icmp any echo-reply
!
! Deny all other ICMP explicitly so it isn't logged
!
deny icmp any any
!
! Deny all other ip traffic explicitly and log it.
!
deny ip any any log-input

Cisco Internet Outbound Access List
The following is a commented example of an Access List configuration for a router that acts as a "choke" device on the inside or outside of a true firewall device. The ! signifies a commented line in Cisco's notation. Non-commented lines are the actual configuration syntax as it would be entered on the Cisco router. The information supplied in this configuration is in no way guaranteed or supported by the author to "secure" your network. This is meant to provide an example of generally accepted configuration practices when securing routers that provide access to untrusted networks. This access-list should be applied inbound on your choke router to what is considered your internal or inside interface. In most cases, this will be some sort of ethernet interface. This filters traffic that is going towards the Internet or untrusted network "inbound" on that interface.
--------------------------------------------------------------------------------
! Deny RFC 1918 private source addresses from going outbound. It is not wise
! to let packets leak outside your network with your internal address information.
! This is the primary way that hackers learn about the configuration of private
! networks. These packets cannot be responded to anyway, since these networks are
! not routable on the Internet. They would only be reachable if you are using NAT on a
! device beyond this point in the network to translate to a publicly routable address.
!
deny ip 192.168.0.0 0.0.255.255 any log-input
deny ip 172.16.0.0 0.15.255.255 any log-input
deny ip 10.0.0.0 0.255.255.255 any log-input
!
! Keep any errant request for private addresses inside your network,
! just in case your internal routing table for some reason does not contain a route
! that should be internal, and clients follow your default route toward the Internet
! for requests that should stay inside your network. Another way that hackers
! can find out about your internal network is by watching for internal requests that
! accidentally get routed out to a public device that they can capture traffic from.
!
deny ip any 192.168.0.0 0.0.255.255 log-input
deny ip any 172.16.0.0 0.15.255.255 log-input
deny ip any 10.0.0.0 0.255.255.255 log-input
!
! Deny all netbios traffic going outbound since this is one of the top 3 most hacked
! or attacked protocols on the Internet. Users should not access netbios services on
! the Internet since it can very easily compromise NT Domain security and architecture.
!
deny udp any any eq netbios-ns
deny udp any any eq netbios-dgm
deny udp any any eq netbios-ss
!
! Permit everything else from the "external network" and build the
! reflexive access list alliptraffic with a timeout of 120 seconds
!
! This command allows all other traffic to pass through the interface and
! uses an IOS feature set called Reflexive Access Lists to build a dynamic
! access list for return traffic coming inbound from the Internet. That way a
! command can be appended to an inbound access list to evaluate inbound packets against
! "allowed" return traffic to sessions started from inside your network.
!
! *WARNING* This command is CPU and memory intensive on your router depending on the
! volume of traffic flowing through the interface. I recommend at least a 2610 series
! router with 32MB RAM minimum to support a full T-1 with this configuration.
!
permit ip any reflect alliptraffic timeout 120
deny ip any any log
!
! If this router is not being used as a firewall but more for just a choke device
! to enhance the security in front of or behind a firewall, the following commands should
! replace the above commands... You should specifically define your networks that should
! be allowed to go outbound and then deny everything else explicitly.
!
permit ip any
deny ip any any log
Cisco Guide to Harden Cisco IOS Devices - Cisco Systems
Cisco Guide to Harden Cisco IOS Devices - Cisco Systems: Cisco Guide to Harden Cisco IOS Devices
1/28/2013
Exchange 2013 Server Role Architecture - Exchange Team Blog - Site Home - TechNet Blogs
Exchange 2013 Server Role Architecture - Exchange Team Blog - Site Home - TechNet Blogs: Exchange 2013 Server Role Architecture
PART#1
1/23/2013
Cisco UCS Networking Best Practices (in HD)
Cisco UCS Networking Best Practices (in HD): Cisco UCS Networking Best Practices
RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.
RDP connection to Remote Desktop server running Windows Server 2008 R2 may fail with message 'The Local Security Authority cannot be contacted'.: the remote computer that was reached is not the one you specified
To resolve the issue, change the Remote Desktop security layer on the RD Session Host server to RDP Security Layer, so that the connection is secured with native Remote Desktop Protocol encryption. The steps:
1. Navigate to Start > Administrative Tools > Remote Desktop Services > Remote Desktop Session Host Configuration.
2. With RD Session Host Configuration selected, look under Connections.
3. Right-click the RDP listener with connection type Microsoft RDP 6.1 and choose Properties.
4. On the General tab of the Properties dialog box, under Security, select RDP Security Layer as the Security Layer.
5. Click OK.
1/10/2013
Using the “secret” Windows 7 Problem Steps Recorder to Create Step by Step Screenshot Documents - Pat's Windows Development Blog - Site Home - MSDN Blogs
Using the “secret” Windows 7 Problem Steps Recorder to Create Step by Step Screenshot Documents - Pat's Windows Development Blog - Site Home - MSDN Blogs: Using the “secret” Windows 7 Problem Steps Recorder to Create Step by Step Screenshot Documents
Very useful.
1/09/2013
Some code playing around with sending mail with an attachment from a powershell script.
Also launching a packet capture from another process so I can asynchronously
repeat a test while doing a capture.
-> Although I was able to execute an external command that included variables (to build the command line with a custom value for delay and output file), I was not able to start a job to do the same thing. I resorted to creating a custom batch file for this script and defining the tshark duration and output file in that BAT file -- not as flexible as I was trying to be.
#INSTANCE 1
# - Capture command: C:\WORK\CAP1.BAT  (starts tshark with the duration and output file set inside the BAT)
# - Output file: CAP1OUT.CAP
$temp = "c:\work"
$test = "\\fs05\users\admin\test"
$threshold = 10
$SmtpServer = "mail.usa.domain.com"
$emailfrom = "no-reply-monitor@domain.com"
$emailto = "administrator@domain.com"
$emailsubject = "Monitoring Output"
$emailbody = "Folder: $test contains less than $threshold items"
$emailattachment = "c:\temp\file.txt"   # default; replaced with the capture file before sending
function send_email {
# Build the message from the script-scope variables above
$mailmessage = New-Object System.Net.Mail.MailMessage
$mailmessage.From = $emailfrom
$mailmessage.To.Add($emailto)
$mailmessage.Subject = $emailsubject
$mailmessage.Body = $emailbody
# A .cap file is binary, so attach it as an octet stream rather than text/plain
$attachment = New-Object System.Net.Mail.Attachment($emailattachment, 'application/octet-stream')
$mailmessage.Attachments.Add($attachment)
#$mailmessage.IsBodyHTML = $true
$SMTPClient = New-Object System.Net.Mail.SmtpClient($SmtpServer, 25)
#$SMTPClient.Credentials = New-Object System.Net.NetworkCredential("$SMTPAuthUsername", "$SMTPAuthPassword")
$SMTPClient.Send($mailmessage)
$attachment.Dispose()   # release the file handle on the capture file
}#end-function
if ((Get-ChildItem $test).Count -lt $threshold){
"capturing for 30 s"
####################################################
# CAPTURE COMMAND - run the batch file as a background job so the test below can run while tshark captures
$job = Start-Job {& cmd "/c","C:\WORK\CAP1.BAT"}
####################################################
Start-Sleep 10            # give the capture time to start
"Testing Folder $test"
Get-ChildItem $test | Out-Null   # reproduce the test while the capture is running
"waiting 30 s"
Start-Sleep 30
Wait-Job $job
Remove-Job $job
"sending CAP file to $emailto"
####################################################
# OUTPUT FILE
$emailattachment = "c:\work\cap1out.cap"
####################################################
send_email
}
1/08/2013
8 Wireshark Filters Every Wiretapper Uses to Spy on Web Conversations and Surfing Habits « Null Byte
8 Wireshark Filters
http://null-byte.wonderhowto.com/inspiration/8-wireshark-filters-every-wiretapper-uses-spy-web-conversations-and-surfing-habits-0134508/
ip.addr ==x.x.x.x
Find packets with the IP address as either source or destination.
ip.addr ==x.x.x.x && ip.addr ==x.x.x.x
Conversation filter between the two IP addresses.
http or dns
Filter based on protocol.
tcp.port==xxx
Filter based on TCP port number.
tcp.flags.reset==1
Show all TCP resets. A TCP reset kills a TCP connection instantly.
http.request
Show all HTTP GET and POST requests. For the most part this shows the web pages being accessed.
tcp contains xxx
Find TCP packets containing the string.
!(arp or icmp or dns)
Filter out protocols. The example hides ARP, ICMP, and DNS packets.
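As an added example (not part of the Null Byte article), the following Python implements the small piece of display-filter syntax this list uses and runs it over constructed packet summaries, so the semantics are visible: ip.addr == x matches either direction, && binds tighter than or, and !( ... ) excludes the named protocols. The packet model, addresses and payloads are constructed for the demo.

```python
"""Evaluate the Wireshark display filters listed above on constructed packet
summaries (added example, not from the Null Byte article). A packet is a dict
of field name -> set of string values; a protocol is present when it is a key."""
import re
TOKEN = re.compile(r"\s*(\(|\)|==|&&|\|\||!|[^\s()!=&|]+)")  # one token per match

def compile_filter(text):
    """Parse the filter subset used above: ==, contains, &&/and, or/||, !, ( )."""
    toks = TOKEN.findall(text)                 # consumed left to right with pop(0)
    def parse_or():                            # or / || : lowest precedence
        left = parse_and()
        while toks and toks[0] in ("or", "||"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) or r(p))(left, parse_and())
        return left
    def parse_and():                           # and / && binds tighter than or
        left = parse_unary()
        while toks and toks[0] in ("and", "&&"):
            toks.pop(0)
            left = (lambda l, r: lambda p: l(p) and r(p))(left, parse_unary())
        return left
    def parse_unary():                         # ! , ( ... ), field [op value]
        tok = toks.pop(0)
        if tok in ("!", "not"):
            inner = parse_unary()
            return lambda p: not inner(p)
        if tok == "(":
            inner = parse_or()
            if toks.pop(0) != ")":
                raise ValueError("missing ')'")
            return inner
        if toks and toks[0] in ("==", "contains"):
            op, value = toks.pop(0), toks.pop(0)
            if op == "==":                     # ip.addr == x hits src OR dst: both are in the set
                return lambda p: value in p.get(tok, ())
            return lambda p: any(value in v for v in p.get(tok, ()))  # substring match
        return lambda p: tok in p              # bare name: protocol/field presence test
    pred = parse_or()
    if toks:
        raise ValueError(f"unexpected token {toks[0]!r}")
    return pred

def tcp(src, dst, sport, dport, payload="", rst=False, layers=()):  # constructed summary
    return {"ip.addr": {src, dst}, "tcp": {payload}, "tcp.port": {str(sport), str(dport)},
            "tcp.flags.reset": {"1" if rst else "0"}, **{name: set() for name in layers}}

PACKETS = [  # constructed four-packet "capture"
    tcp("10.0.0.5", "198.51.100.7", 51000, 80, "GET /index.html", layers=("http", "http.request")),
    tcp("198.51.100.7", "10.0.0.5", 80, 51000, "HTTP/1.1 200 OK", layers=("http",)),
    {"ip.addr": {"10.0.0.5", "10.0.0.1"}, "dns": set()},
    tcp("10.0.0.9", "10.0.0.5", 40000, 22, rst=True),
]

def matches(text, packets=PACKETS):           # indices of the packets the filter accepts
    pred = compile_filter(text)
    return [i for i, p in enumerate(packets) if pred(p)]
```

For instance, matches("ip.addr ==10.0.0.5 && ip.addr ==198.51.100.7") returns both directions of the web conversation, while matches("!(arp or icmp or dns)") drops only the DNS packet.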