Freeradius: remove VLAN tag when request comes from specific client

I have a RADIUS server which is configured to add VLAN tags based on the LDAP groups the user is a member of. However, I also need my RADIUS server to authenticate users who connect to equipment in another organization. That organization proxies the authentication requests from their RADIUS server to mine and waits for a response. The problem is that the response still contains the user's VLAN tag, which confuses the other organization's RADIUS server.

So here is how I stripped the VLAN tag from the responses sent to the other organization's RADIUS servers.

In this example the other organization's RADIUS servers have the IP addresses 10.0.0.1 and 10.0.0.2.

In your site configuration file (/etc/freeradius/sites-enabled/inner-tunnel) place the following block somewhere below the point where the VLAN tags are added, so that it runs afterwards for requests from those specific RADIUS servers. In unlang, attribute changes have to go inside an update block; the !* operator removes every instance of the attribute regardless of its value:

if ((Packet-Src-IP-Address == "10.0.0.1") || (Packet-Src-IP-Address == "10.0.0.2")) {
    update reply {
        Tunnel-Private-Group-Id !* ANY
    }
}

Two things worth checking. A VLAN assignment per RFC 3580 is normally sent as the trio Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id, so if your configuration adds all three you will usually want to strip all three, otherwise the peer receives a dangling tunnel attribute. And Packet-Src-IP-Address only identifies the peer as far as its entry in clients.conf does: the packet has already been authenticated with that client's shared secret, so the address check is exactly as trustworthy as the secret and the network path, no more.
Posted in Scripting

Configure NIC Teaming with PowerShell (Server Core)

This is how to configure NIC teaming with PowerShell on a server running Windows Server 2012 R2 Server Core.

Basic NIC team

Run the following command to list what network adapters (NICs) are available:

Get-NetAdapter -Physical

In my case the server only has the two NICs I want to team:

Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet                  HP FlexFabric 10Gb 2-port 534FLB ...#55      12 Up           F0-92-1C-17-0F-E4        10 Gbps
Ethernet 2                HP FlexFabric 10Gb 2-port 534FLB ...#54      14 Up           F0-92-1C-17-0F-E0        10 Gbps

The following command creates a network team named "NIC-team" from the NICs "Ethernet" and "Ethernet 2". The member NICs go offline while the team is formed, so run this from a console (iLO/KVM) session rather than over a remote session that rides on one of those NICs:

New-NetLbfoTeam -Name "NIC-team" -TeamMembers "Ethernet", "Ethernet 2"

To verify that the team was created, use the following command:

Get-NetLbfoTeam

My output was:

Name                   : NIC-team
Members                : {Ethernet 2, Ethernet}
TeamNics               : NIC-team
TeamingMode            : SwitchIndependent
LoadBalancingAlgorithm : Dynamic
Status                 : Up

Configure VLAN

In my case both NICs are connected to a trunk port carrying many VLANs, so I need to choose which VLAN the NIC team delivers to the server.

The following command sets the NIC team named “NIC-team” to use VLAN id 123:

Set-NetLbfoTeamNic -Team "NIC-team" -VlanID 123

Configure failover

A new team defaults to Switch Independent mode with the Dynamic load-balancing algorithm (as the Get-NetLbfoTeam output above shows), not to LACP link aggregation, and both NICs are active. If an active/standby setup is wanted, it is very easy to set one NIC to standby. The following command sets the NIC "Ethernet 2" to standby mode:

Set-NetLbfoTeamMember -Name "Ethernet 2" -AdministrativeMode Standby
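The whole procedure as one script, added here as an example and not part of the original post. It states the teaming mode explicitly instead of relying on defaults, refuses to proceed if a member NIC is missing or down, and verifies the result. Team name, member names and VLAN ID are placeholders; run it from a console session because the members drop offline while the team forms.

```powershell
# Added example (not from the original post): build the team described above as
# one idempotent script, with explicit modes and a verification step.
# Assumptions: the team name, member names and VLAN ID below are placeholders;
# run it from a console (iLO/KVM) session, because the member NICs drop offline
# while the team is formed and a remote session over them will be cut.
$TeamName   = "NIC-team"
$Members    = @("Ethernet", "Ethernet 2")
$VlanId     = 123
$StandbyNic = "Ethernet 2"

# Only team physical adapters that are actually up; a missing or downed NIC
# is an error we want to see before the team is created, not after.
$available = Get-NetAdapter -Physical | Where-Object Status -eq "Up"
$missing = $Members | Where-Object { $_ -notin $available.Name }
if ($missing) { throw "Adapters not present or not up: $($missing -join ', ')" }

if (-not (Get-NetLbfoTeam -Name $TeamName -ErrorAction SilentlyContinue)) {
    # State the mode explicitly instead of relying on the defaults:
    # SwitchIndependent needs no LACP/port-channel configuration on the switch.
    New-NetLbfoTeam -Name $TeamName -TeamMembers $Members `
        -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic `
        -Confirm:$false | Out-Null
}

# Tag the team interface with the VLAN (the interface carries the team's name).
Set-NetLbfoTeamNic -Team $TeamName -Name $TeamName -VlanID $VlanId

# Active/standby: the standby member stays idle until the active one fails.
Set-NetLbfoTeamMember -Name $StandbyNic -Team $TeamName -AdministrativeMode Standby

# Wait (up to ~30 s) for the team to come up before trusting it.
$deadline = (Get-Date).AddSeconds(30)
do {
    $team = Get-NetLbfoTeam -Name $TeamName
    if ($team.Status -eq "Up") { break }
    Start-Sleep -Seconds 2
} while ((Get-Date) -lt $deadline)
if ($team.Status -ne "Up") { throw "Team $TeamName is not up: $($team.Status)" }

# Show what was actually configured: mode, members and their roles, VLAN on the team NIC.
$team | Format-List Name, TeamingMode, LoadBalancingAlgorithm, Status
Get-NetLbfoTeamMember -Team $TeamName | Format-Table Name, AdministrativeMode, OperationalStatus
Get-NetLbfoTeamNic -Team $TeamName | Format-Table Name, VlanID, Primary
```

Switch Independent mode is used deliberately: it needs no port-channel or LACP on the switch side, so a misconfigured switch cannot silently leave the team in a half-working state. If you do want LACP, change -TeamingMode to Lacp and configure the channel on the switch first.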
Posted in Powershell, Windows Server

Windows PKI: The request contains no certificate template information 0x80094801

I tried submitting a certificate request for a web server certificate to my Windows PKI via the GUI and got this error:

The request contains no certificate template information 0x80094801

The error (CERTSRV_E_NO_CERT_TYPE) means the request carries neither a certificate template extension nor a CertificateTemplate request attribute, so the CA does not know which template to issue against. The solution is to submit the request from the command line with certreq and specify which template to use:

certreq -submit -attrib "CertificateTemplate:WebServer" <request file>

Note: if the template does not require CA certificate manager approval and the requester has Enroll permission on it, this command submits the request and the CA issues the certificate in one step. Otherwise the request lands in Pending Requests and has to be issued by a certificate manager first.
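The same enrollment as a script, added as an example and not part of the original post. It generates the request with the template name embedded in [RequestAttributes], so the template is present whichever way the request is submitted, and it handles the pending case instead of assuming the certificate came back. The CA config string, host name and SAN are placeholders (assumptions).

```powershell
# Added example (not from the original post): generate the web server request so
# that it already carries the template, then submit it with certreq. The CA
# config string, host name and SAN below are placeholders (assumptions).
$CaConfig = "ca01.example.com\Example Issuing CA"   # "CAHost\CAName"; list with: certutil -dump
$Hostname = "web01.example.com"
$Template = "WebServer"
$WorkDir  = Join-Path $env:TEMP "certreq-$Hostname"
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$inf = Join-Path $WorkDir "request.inf"
$req = Join-Path $WorkDir "request.req"
$cer = Join-Path $WorkDir "cert.cer"

# Key stays in the machine store, non-exportable, 2048-bit RSA, SHA-256.
# [RequestAttributes] is what the GUI request lacked: the CA reads the template
# name from here, so error 0x80094801 does not occur.
@"
[Version]
Signature="`$Windows NT`$"

[NewRequest]
Subject = "CN=$Hostname"
KeyLength = 2048
KeyAlgorithm = RSA
HashAlgorithm = sha256
Exportable = FALSE
MachineKeySet = TRUE
KeySpec = 1
KeyUsage = 0xA0
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
RequestType = PKCS10

[RequestAttributes]
CertificateTemplate = $Template

[Extensions]
2.5.29.17 = "{text}dns=$Hostname"
"@ | Set-Content -Path $inf -Encoding ASCII

# 1. Create the key pair and the PKCS#10 request.
& certreq.exe -new -q $inf $req
if ($LASTEXITCODE -ne 0) { throw "certreq -new failed with exit code $LASTEXITCODE" }

# 2. Submit it. The -attrib is the same fix the post uses; here it merely
#    duplicates the INF entry. A pending request produces no .cer file.
$out = & certreq.exe -submit -q -config $CaConfig -attrib "CertificateTemplate:$Template" $req $cer

# 3. Bind the issued certificate to its private key, or report the pending state.
if (Test-Path $cer) {
    & certreq.exe -accept -q $cer
    if ($LASTEXITCODE -ne 0) { throw "certreq -accept failed with exit code $LASTEXITCODE" }
    Get-ChildItem Cert:\LocalMachine\My | Where-Object Subject -eq "CN=$Hostname" |
        Format-List Subject, Thumbprint, NotAfter, HasPrivateKey
} else {
    Write-Warning "No certificate returned; the request is probably pending CA approval:`n$out"
}
```

Keeping Exportable = FALSE and the key in the machine store means the private key never leaves the server as a file; if you need the certificate elsewhere, enroll there too rather than exporting a PFX.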

Posted in Uncategorized, Windows Server

Installing .NET Framework 3.5 on Windows Server 2012 Server Core

Mount or insert the Windows Server 2012 media; in my case the mount point is "D:\". Run the following from PowerShell:

PS> import-module servermanager
PS> Install-WindowsFeature NET-Framework-Core -Source D:\sources\sxs

Posted in Scripting, Windows Server

Installing .NET Framework 3.5 on Windows Server 2012

Installing .NET Framework 3.5 on Windows Server 2012 is not so hard, but it can be a little confusing if you are used to the traditional dotnetfx35.exe installer. The feature's payload is not kept in the installed image, so you have to point the installer at the sources\sxs folder on the installation media. Here are two ways to do it, from the command line or from Server Manager.

  • First you need to mount the Windows Server 2012 ISO. My mount point is D:\
  • Command line: open a command prompt and run the following command (replace D:\ with your mount point; /LimitAccess stops DISM from falling back to Windows Update):
    dism /online /enable-feature /featurename:NetFX3 /all /Source:D:\sources\sxs /LimitAccess
  • Server Manager: go to Server Manager -> Manage -> Add roles and features
  • Skip to Features in the wizard and choose ".NET Framework 3.5 Features".
  • Click Next and click on "Specify an alternative source path".
  • Enter the path to your source, in my case "D:\sources\sxs", and click OK.
  • Click Install.
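For both this post and the Server Core one above, here is the installation as a single script, added as an example and not part of the original posts. It mounts the ISO itself, finds the drive letter, checks that the side-by-side payload is really there, installs, and verifies from the servicing stack. The ISO path is a placeholder (assumption); it uses only PowerShell, so it works on Server Core and on a full installation alike.

```powershell
# Added example (not from the original posts): install .NET Framework 3.5 from the
# installation media in one pass, mounting the ISO and verifying the result.
# The ISO path is a placeholder (assumption).
$IsoPath = "C:\ISO\WindowsServer2012.iso"
Import-Module ServerManager

$feature = Get-WindowsFeature -Name NET-Framework-Core
if ($feature.Installed) {
    Write-Host ".NET Framework 3.5 is already installed."
    return
}

# Mount the ISO and work out which drive letter it was assigned.
Mount-DiskImage -ImagePath $IsoPath
$letter = (Get-DiskImage -ImagePath $IsoPath | Get-Volume).DriveLetter
$source = "$letter`:\sources\sxs"
if (-not (Test-Path $source)) {
    Dismount-DiskImage -ImagePath $IsoPath
    throw "Side-by-side payload not found at $source; is this the right media?"
}

try {
    # -Source points at the payload that is missing from the online image;
    # without it the install tries Windows Update and fails on an isolated server.
    $result = Install-WindowsFeature -Name NET-Framework-Core -Source $source
    if (-not $result.Success) { throw "Install-WindowsFeature failed: exit code $($result.ExitCode)" }
    if ($result.RestartNeeded -eq "Yes") { Write-Warning "A restart is required to finish the install." }
} finally {
    Dismount-DiskImage -ImagePath $IsoPath
}

# Verify from the servicing stack rather than trusting the cmdlet's return value alone.
Get-WindowsFeature -Name NET-Framework-Core | Format-Table Name, InstallState
```

Use the media that matches the installed build (same version and patch level); a sources\sxs folder from a different build will be rejected by the servicing stack.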
Posted in Uncategorized, Windows Server

Solution for powershell remoting error “It cannot determine the content type of the HTTP response from the destination computer…”

I tried to set up PowerShell remoting on a server and kept getting this error:

Enter-PSSession : Connecting to remote server failed with the following error message : The WinRM client cannot process the request. It cannot determine the content type of the HTTP response from the destination computer. The content type is absent or invalid. For more information, see the about_Remote_Troubleshooting Help topic.

After a bit of troubleshooting I discovered that the problem was that the authentication data in the HTTP request was too big (over 16 KB), which makes the HTTP listener WinRM runs on reject the request. The Kerberos token grows with every security group the user is a member of, so this happens to users in very many groups or, as in my case, because of the SidHistory attribute.

The solution was to increase the MaxFieldLength and MaxRequestBytes values in the registry under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\HTTP\Parameters

If the values do not exist you can create them; be sure to use the DWORD type.

I set MaxFieldLength to decimal 40000 and MaxRequestBytes to decimal 32768 and rebooted the server. Problem solved.

Note that MaxRequestBytes bounds the request line plus all headers together, so the larger the token the more sense it makes to keep it at least as big as MaxFieldLength; MaxFieldLength itself cannot exceed 65534. And these limits exist for a reason: raising them only on the servers that need it is better than raising them everywhere.
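A script that does the diagnosis and the fix together, added as an example and not part of the original post. It first shows how many group SIDs the current user's token carries (the reason the headers grow), then creates or raises the two HTTP.sys values as DWORDs without ever lowering an existing setting. The values and the key path are the ones from the post, except that MaxRequestBytes is set no smaller than MaxFieldLength; the reboot is still yours to do.

```powershell
# Added example (not from the original post): check how bloated the current
# user's token is, then raise the HTTP.sys header limits the way the post
# describes. The values are assumptions; a reboot is still needed for HTTP.sys
# to pick the new limits up.
$MaxFieldLength  = 40000
$MaxRequestBytes = 65534   # keep >= MaxFieldLength, since the header must fit inside the request
$KeyPath = "HKLM:\SYSTEM\CurrentControlSet\Services\HTTP\Parameters"

# Rough indicator of token size: the number of group SIDs in the token. The
# server also adds SidHistory entries, which is what bit the post's author.
$identity = [System.Security.Principal.WindowsIdentity]::GetCurrent()
Write-Host ("{0} carries {1} group SIDs in its token" -f $identity.Name, $identity.Groups.Count)

function Set-HttpParameter {
    param([string]$Name, [int]$Value)
    $current = (Get-ItemProperty -Path $KeyPath -Name $Name -ErrorAction SilentlyContinue).$Name
    if ($null -eq $current) {
        # Missing value: create it as DWORD (a REG_SZ here is silently ignored by HTTP.sys).
        New-ItemProperty -Path $KeyPath -Name $Name -Value $Value -PropertyType DWord | Out-Null
        Write-Host "Created $Name = $Value"
    } elseif ($current -lt $Value) {
        Set-ItemProperty -Path $KeyPath -Name $Name -Value $Value
        Write-Host "Raised $Name from $current to $Value"
    } else {
        Write-Host "$Name is already $current, leaving it"
    }
}

if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
Set-HttpParameter -Name "MaxFieldLength"  -Value $MaxFieldLength
Set-HttpParameter -Name "MaxRequestBytes" -Value $MaxRequestBytes

Get-ItemProperty -Path $KeyPath | Format-List MaxFieldLength, MaxRequestBytes
Write-Warning "Reboot the server for HTTP.sys to apply the new limits."
```

Run the group count as the user who cannot connect, on the client: that is the token WinRM puts in the Authorization header.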

Posted in Uncategorized, Windows Server

Remove KMS host license key from a server that should not be a KMS host.

I came across this message in the event viewer on a server today:

Event 12293: Publishing the Key Management Service (KMS) to DNS in the ‘domain.company.com’ domain failed. Info: 0x80072338

It seems that a KMS host license key has been applied to the server even though it should not be a KMS host. To verify this I checked the license information using slmgr.vbs:

PS C:\Windows\system32> .\cscript.exe slmgr.vbs /dli
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Name: Windows Server(R), ServerStandard edition
Description: Windows Operating System - Windows Server(R), VOLUME_KMS_R2_B channel
Partial Product Key: XXXXX
License Status: Licensed

Key Management Service is enabled on this machine
    Current count: 0
    Listening on Port: 1688
    DNS publishing enabled
    KMS priority: Normal

Key Management Service cumulative requests received from clients
    Total requests received: 0
    Failed requests received: 0
    Requests with License Status Unlicensed: 0
    Requests with License Status Licensed: 0
    Requests with License Status Initial grace period: 0
    Requests with License Status License expired or Hardware out of tolerance: 0
    Requests with License Status Non-genuine grace period: 0
    Requests with License Status Notification: 0

Yup, that's a KMS host license: the VOLUME_KMS channel in the description and the "Key Management Service is enabled on this machine" section give it away.

So I removed the KMS Host key:

PS C:\Windows\system32> .\cscript.exe slmgr.vbs /upk
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Uninstalled product key successfully.

Now that the key is removed it's time to install a default KMS client key (GVLK). Find the correct key for your edition in this document: http://technet.microsoft.com/en-us/library/ff793421.aspx

In this case it is Windows Server 2008 R2 Standard, so the key is YC6KT-GKW9T-YTKYR-T4X34-R7VHC

Install it using slmgr.vbs:

PS C:\Windows\system32> .\cscript.exe slmgr.vbs /ipk YC6KT-GKW9T-YTKYR-T4X34-R7VHC
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Installed product key YC6KT-GKW9T-YTKYR-T4X34-R7VHC successfully.

Activate the license:

PS C:\Windows\system32> .\cscript.exe slmgr.vbs /ato
Microsoft (R) Windows Script Host Version 5.8
Copyright (C) Microsoft Corporation. All rights reserved.

Activating Windows Server(R), ServerStandard edition (...) ...
Product activated successfully.

Extra

If for some reason the server managed to register itself as a KMS host in DNS, you have to remove the entry. In my case the event said publishing failed, but check anyway: clients pick their KMS host from this record, so a stray entry sends activation requests to the wrong machine.

On your Windows DNS server, check whether a _VLMCS SRV record is registered that points to this server. The record should be located under Forward Lookup Zones -> domain.company.com -> _tcp

If the _VLMCS record points to the server which should not be a KMS host, change it to point to the real KMS host server.
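A read-only check for both halves of this post, added as an example and not part of the original: it reads the same WMI classes slmgr.vbs uses to tell whether the machine holds a KMS host key, then looks up the _VLMCS SRV record and flags it if it points at this server. It changes nothing; the slmgr.vbs steps above remain the fix. Nothing is assumed beyond the computer's own domain membership.

```powershell
# Added example (not from the original post): report whether this server holds a
# KMS host key and whether DNS advertises it as a KMS host, changing nothing.
# It reads the same WMI classes slmgr.vbs uses, so the fields match "slmgr.vbs /dli".
# The domain is taken from the computer; nothing else is assumed.
$Domain = (Get-WmiObject -Class Win32_ComputerSystem).Domain
$WindowsAppId = "55c92734-d682-4d71-983e-d6ec3f16059f"   # ApplicationId of the Windows product

$svc = Get-WmiObject -Class SoftwareLicensingService
$product = Get-WmiObject -Class SoftwareLicensingProduct `
    -Filter "ApplicationId='$WindowsAppId' AND PartialProductKey IS NOT NULL" |
    Select-Object -First 1

# The properties behind the "slmgr.vbs /dli" output.
$report = New-Object PSObject -Property @{
    Name              = $product.Name
    Channel           = $product.Description
    PartialProductKey = $product.PartialProductKey
    LicenseStatus     = $product.LicenseStatus          # 1 = Licensed
    IsKmsHost         = [bool]$svc.IsKeyManagementServiceMachine
    KmsDnsPublishing  = [bool]$svc.KeyManagementServiceDnsPublishing
    KmsListeningPort  = $svc.KeyManagementServiceListeningPort
    KmsCurrentCount   = $svc.KeyManagementServiceCurrentCount
}
$report | Format-List Name, Channel, PartialProductKey, LicenseStatus, IsKmsHost, KmsDnsPublishing, KmsListeningPort, KmsCurrentCount

# A host key shows up as a VOLUME_KMS* channel with the KMS machine flag set.
if ($report.IsKmsHost -or $product.Description -match "VOLUME_KMS") {
    Write-Warning "This machine is configured as a KMS host. Use slmgr.vbs /upk, /ipk <GVLK> and /ato to make it a client again."
}

# Does DNS advertise this machine as a KMS host? The _VLMCS SRV record lists the targets.
$me = [System.Net.Dns]::GetHostEntry($env:COMPUTERNAME).HostName
$targets = @()
foreach ($line in (& nslookup.exe -type=SRV "_vlmcs._tcp.$Domain" 2>$null)) {
    if ($line -match "svr hostname\s*=\s*(\S+)") { $targets += $Matches[1] }
}
if ($targets.Count -eq 0) {
    "No _VLMCS._tcp SRV record found in $Domain."
}
foreach ($t in $targets) {
    if ($t -ieq $me) { Write-Warning "_VLMCS record points at this server: $t" }
    else { "KMS host advertised in DNS: $t" }
}
```

The SRV lookup is the part worth running on more than one machine: any server that holds a host key with DNS publishing enabled will keep trying to add itself to that record, so an unexpected target is the quickest sign of another misconfigured host.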

Posted in Uncategorized, Windows Server

Use Powershell to check if Windows Update patch is installed

Here is a PowerShell function to check whether a Windows Update patch is installed or not. It returns $True if it is installed and $False if it is not. It reads the Win32_QuickFixEngineering class, which only lists updates installed through Component Based Servicing (Windows Update, WSUS, hotfixes); updates delivered by Windows Installer, for example Office updates, are not listed there.

function Check-IsPatchInstalled {
	#Øyvind Nilsen, oyvindnilsen.com
	PARAM (
       [Parameter(Mandatory=$false,ValueFromPipeline=$false)][String]$computer = "127.0.0.1",
       [Parameter(Mandatory=$true,ValueFromPipeline=$false)][String]$id
	)

    # HotFixID is stored as "KBnnnnnn"; -like lets the caller pass a wildcard such as "KB98*".
    $patches = Get-WmiObject -Class Win32_QuickFixEngineering -ComputerName $computer |
        Select-Object Description, HotFixID, InstalledOn

    if ($patches | Where-Object { $_.HotFixID -like $id }) {
        return $true
    } else {
        return $false
    }
}

#Example 1, check if patch KB982018 is installed on the local computer.
Check-IsPatchInstalled -id "KB982018"

#Example 2, check if patch KB982018 is installed on a computer named Client01.
Check-IsPatchInstalled -computer "Client01" -id "KB982018"

Posted in Scripting

Running ESXi from SD cards

Benefits of running ESXi from SD Cards

ESXi 5.1 has a very small footprint, less than 150 MB. This, combined with the fact that ESXi writes very little to disk, makes it well suited to booting from SD cards. The benefits of running ESXi from SD cards are that you don't need to spend money on expensive hard drives, SD cards don't generate as much heat as hard drives do, and they are completely silent.

HP BL460c blades have an SD card slot on the top of the blade. (Pictured in the original post: two BL460c blades running ESXi from SD cards, no HDDs.)

Possible errors to run into when running ESXi from SD cards.

Logs on non-persistent storage

"system logs on host are stored on non-persistent storage"

This means that the system logs for the host are stored on a RAM disk and therefore will be deleted if the host loses power or is rebooted. This may or may not be a problem: if the host crashes, the logs you would need to find out why are gone with it, and the same goes for anything you would want to look at after a security incident.

If you don't care that the logs are wiped when the host loses power, you can ignore the warning. Otherwise either give the host persistent scratch storage as described below, or point Syslog.global.logHost at a remote syslog server so a copy of the logs leaves the host as they are written (or do both).

How to create persistent storage with PowerCLI:

The solution is to store the logs on a datastore which is attached to the host. The cmdlets that act on a host need the host object, so when connected directly to the ESXi host pipe Get-VMHost into them.

  1. Connect to the host with PowerCLI:
    Connect-VIServer <host ip or dns>
  2. Get a list of the datastores available to the host
    Get-Datastore
  3. Create a PSDrive to access the datastore you chose to use
    New-PSDrive -Name "DS" -Root "\" -PSProvider VimDatastore -Datastore (Get-Datastore "<DATASTORE_NAME>")
  4. Browse into the mounted datastore
    Set-Location DS:\
  5. Create a directory for the persistent storage. NB: do not use the same directory for more than one host; two hosts writing into one scratch directory overwrite each other's logs.
    New-Item ".locker-hostname" -ItemType directory
  6. Configure the host to use the new directory for persistent storage (the new location is used from the next boot)
    Get-VMHost | Set-VMHostAdvancedConfiguration -Name "ScratchConfig.ConfiguredScratchLocation" -Value "/vmfs/volumes/<DATASTORE_NAME>/.locker-hostname"
  7. Put the host in maintenance mode and reboot it
    Get-VMHost | Set-VMHost -State "Maintenance"
    Get-VMHost | Restart-VMHost
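The procedure above as one script, added as an example and not part of the original post. It uses the same PowerCLI 5.x cmdlets as the post, derives a per-host directory name so two hosts can never share one, warns if the directory already exists, and additionally sets a remote syslog target through the Syslog.global.logHost advanced option so a crash or power loss does not take the only copy of the logs with it. Host name, datastore name and syslog server are placeholders (assumptions).

```powershell
# Added example (not from the original post): the scratch-location procedure above
# as one script, using the same PowerCLI 5.x cmdlets, plus a remote syslog target.
# Host name, datastore name and syslog server are placeholders (assumptions).
$EsxHost       = "esx01.example.com"
$DatastoreName = "DATASTORE_NAME"
$SyslogTarget  = "udp://syslog.example.com:514"   # set to $null to skip

Connect-VIServer -Server $EsxHost | Out-Null
$vmhost  = Get-VMHost -Name $EsxHost
$ds      = Get-Datastore -Name $DatastoreName
$dir     = ".locker-" + $vmhost.Name.Split('.')[0]    # one directory per host, never shared
$scratch = "/vmfs/volumes/$($ds.Name)/$dir"

# What the host uses today (a path under /tmp means the RAM disk).
Get-VMHostAdvancedConfiguration -VMHost $vmhost -Name "ScratchConfig.CurrentScratchLocation"

# Create the directory on the datastore unless it is already there.
New-PSDrive -Name DS -Root "\" -PSProvider VimDatastore -Datastore $ds | Out-Null
if (Test-Path "DS:\$dir") {
    Write-Warning "$dir already exists on $($ds.Name); make sure no other host is using it."
} else {
    New-Item -Path "DS:\$dir" -ItemType Directory | Out-Null
}
Remove-PSDrive -Name DS

# The configured location is picked up at the next boot; CurrentScratchLocation changes then.
Set-VMHostAdvancedConfiguration -VMHost $vmhost -Name "ScratchConfig.ConfiguredScratchLocation" -Value $scratch | Out-Null

# Ship logs off the host as well: persistent scratch survives a reboot, a remote
# copy also survives a dead SD card or a host that never comes back.
if ($SyslogTarget) {
    Set-VMHostAdvancedConfiguration -VMHost $vmhost -Name "Syslog.global.logHost" -Value $SyslogTarget | Out-Null
}

# Evacuate and reboot; after it comes back, read CurrentScratchLocation again to confirm.
Set-VMHost -VMHost $vmhost -State Maintenance | Out-Null
Restart-VMHost -VMHost $vmhost -Confirm:$false | Out-Null
```

For the remote syslog target to work, the ESXi firewall's syslog ruleset has to be enabled on the host; check it from the host with esxcli network firewall ruleset list.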

Posted in vmware

Vmware Update Manager fails to download patches from patch store

I ran into this error when I set up a new ESXi blade:

"Host cannot download files from VMware vSphere Update Manager patch store. Check the network connectivity and firewall setup, and check esxupdate logs for details."

It turned out that the problem was that I had forgotten to set up a reverse DNS (PTR) record for the ESXi host's IP address. Update Manager resolves the host's name and address both ways, so a forward record alone is not enough.
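A quick check for exactly this, added as an example and not part of the original post: it resolves the host name to an address, resolves the address back, and reports the first place the round trip breaks. The host name is a placeholder (assumption).

```powershell
# Added example (not from the original post): verify that forward and reverse DNS
# agree for an ESXi host before adding it to Update Manager. The host name is a
# placeholder (assumption).
function Test-DnsRoundTrip {
    param([Parameter(Mandatory=$true)][string]$HostName)

    # Forward: name -> first IPv4 address.
    $forward = [System.Net.Dns]::GetHostAddresses($HostName) |
        Where-Object { $_.AddressFamily -eq "InterNetwork" } | Select-Object -First 1
    if (-not $forward) { return "No A record for $HostName" }

    # Reverse: address -> name. GetHostEntry throws when there is no PTR record.
    try {
        $reverse = [System.Net.Dns]::GetHostEntry($forward).HostName
    } catch {
        return "A record $HostName -> $forward, but no PTR record for $forward"
    }
    if ($reverse -ine $HostName) { return "PTR for $forward is $reverse, expected $HostName" }
    return "OK: $HostName <-> $forward"
}

Test-DnsRoundTrip -HostName "esx01.example.com"
```

Run it from the vCenter/Update Manager server, since that is the resolver whose answer matters.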

Posted in vmware