Best practices for DNS settings on DC and domain members.

/ Konkretor / Leave a comment

ABHIJIT'S BLOG

Information:
The following information explains the Best practices for DNS client settings on Domain Controller and Domain Member.

Domain controller with DNS installed:
On a domain controller that also acts as a DNS server, recommended that you configure the domain controller’s DNS client settings according to these specifications:

IP configuration on domain controller:

  • In single DC/DNS in a domain environment,  DC / DNS server points to its private IP address (not to loopback 127.x.x.) as preferred DNS server in TCP/IP property.
  • If multiple DCs that’s the DNS servers are in a domain environment, recommendation to have all DCs point to ANOTHER/REMOTE DC’s IP address as preferred DNS and then point to it’s private IP address as an alternate DNS.
  • Each DC has just one IP address and one network adapter is enabled (disable unused NICs).
  • IPv6 should not be disabled on DC’s NIC card. Set it to “obtain IPV6 address automatically” and “obtain…

View original post 186 more words

Apache Varnish ssl

/ Konkretor / Leave a comment

You want to use apache with varnish and ssl. Let´s start.


First install Varnish 6

Please Look here for install Varnish on Ubuntu/Debian

https://packagecloud.io/varnishcache/varnish41/install#manual-deb

replace trusty with bionic

root@remote:~# cat /etc/apt/sources.list.d/varnishcache_varnish60.list
deb https://packagecloud.io/varnishcache/varnish60/ubuntu/ bionic main
deb-src https://packagecloud.io/varnishcache/varnish60/ubuntu/ bionic main

 

Install Varnish 6

apt-get install varnish

2018-10-05 09_39_15-root@remote - byobu

 

 

start and enable Varnish as service

sudo systemctl start varnish.service

sudo systemctl enable varnish.service

2018-10-05 09_40_55-root@remote - byobu

Attention look here for more information about Varnish and Systemd

https://docs.varnish-software.com/tutorials/configuring-systemd-services/

Next Step we configure Varnish

 

systemctl edit varnish.service

 

Insert following, feel free do adjust your memory settings

[Service]
ExecStart=
ExecStart=/usr/sbin/varnishd -a :6081 -f /etc/varnish/default.vcl -s malloc,256m -p first_byte_timeout=600

2018-10-05 09_52_54-root@remote - byobu

we create a full replacement of varnish.service

systemctl edit --full varnish.service

Make your changes and save the file. After saving we reloading the systemd config

systemctl daemon-reload

 

You can also adjust /etc/varnish/default.vcl for Browser caching or anything else
https://konkretor.com/2017/05/29/leverage-browser-caching-with-varnish/

 

That´s it for install and adjust Varnish

Install Apache with SSL

apt-get install apache2

 

We create a redirect from http to https

vim /etc/apache2/sites-available/redirect.conf

 

<Virtualhost vhost.example.com>
ServerName vhost.example.com
DocumentRoot /var/www/html
<IfModule mod_rewrite.c>
RewriteEngine On
RewriteCond %{HTTPS} off
RewriteRule (.*) https://%{HTTP_HOST}%{REQUEST_URI} [R=301,L]
</IfModule>
</Virtualhost>

 

We create a new vhost file with rondtrip.conf, we running the static site with port 8080

vim /etc/apache2/sites-available/roundtrip.conf

 

<VirtualHost *:8080>
ServerAdmin webmaster@localhost
DocumentRoot /var/www/html
ErrorLog ${APACHE_LOG_DIR}/error.log
CustomLog ${APACHE_LOG_DIR}/access.log combined
</VirtualHost>

 

We create a new vhost file for ssl

vim /etc/apache2/sites-available/ssl.conf

 

<VirtualHost *:443>
DocumentRoot /var/www/
SSLEngine on
SSLCertificateKeyFile /etc/ssl/private/sslcert.key
SSLCertificateFile /etc/ssl/private/sslcert.crt
# SSLCertificateChainFile /eDigiCertCA.crt
</VirtualHost>

 

we delete the default site, we don´t need it

rm /etc/apache2/sites-enabled/000-default.conf

 

We are enable the apache config

a2ensite redirect.conf
a2ensite ssl.conf
a2ensite roundtrip.conf

We are enable port 8080

vim /etc/apache2/ports.conf

add

Listen 8080

Enable some modules that we need

a2enmod proxy
a2enmod proxy_http
a2enmod headers

Check your Apache Config

apachectl configtest

Restart your Apache

systemctl restart apache

 

That´s it!

Xen vhd to vmdk

/ Konkretor / Leave a comment

Converting from a Xen Server to a VMWARE Server isn´t easy. Normal you can use VMWARE Converter it works fine with Windows. Linux loves Clonezilla but only with one disk. My situation is a Linux vm with multiple disk with LVM.

What we need:

  • QEMU disk image utility for Windows

https://cloudbase.it/qemu-img-windows/

  • enough disk space
  • winscp
  • putty

 

Shutdown your vm. Login to your xen machine and figure out which disk you need.

See  “How to find the disk associated to a VM from XenServer CLI”
https://support.citrix.com/article/CTX217612

xe vm-disk-list vm=test_lvm

xen_list_disk.png

copy the vhd files that you found with vm-disk-list to your migration machine.

 

I have used the powershell to convert my two vhd disk

.\qemu-img.exe convert -f vpc 9438a581-017f-4069-b7cd-09b5e330954c.vhd -O vmdk test_lvm_sda1.vmdk -p

2018-09-27 13_18_28-pc-678 - Remotedesktopverbindung.png

It takes a few minute. After migration copy your new vmdk file to your vmware storage.

Attach the disk to your vm and choose IDE and not SCSI. Note the sequence from your old xen disk. Should be in the same order

fire it up 🙂

 

 

 

vmware converter permission to perform this operation was denied

/ Konkretor / Leave a comment

User Account Control: Run all administrators in Admin Approval Mode

This affects how UAR works and can block remote local admin connections.
This can be changed in Local Computer Policy | Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options
Set it to Disabled, requires a reboot

 

2018-09-07 13_16_33-XenCenter.png

 

found here

https://www.jonathanmedd.net/2013/12/vmware-converter-permission-to-perform-this-operation-was-denied.html

WSUS MMC (Konsole) Reset

/ Konkretor / Leave a comment

Windows SBS and Essentials Blog

Stellt man in der WSUS Konsole unter Update Services / WSUS Servername / Updates / All Updates die Anzeige des Status von Failed or Needed auf Any, kann es dazu kommen das die WSUS Konsole nicht mehr in der Lage ist alle vorhandenen Updates an zu zeigen, was sich in einem Timeout darstellt.

Unglücklicher Weise merkt sich die WSUS Konsole diese Einstellung und so ist es nicht mehr so einfach möglich zur alten Anzeige zurück zu kehren. Daher habe ich mit dem Process-Monitor von Sysinternals mir die WSUS MMC angeschaut und festgestellt, dass die Einstellungen beim beenden der MMC in folgendem Verzeichnis abgelegt werden.

image

Löscht man die Datei wsus im Verzeichnis …

del %USERPROFILE%appdataroamingmicrosoftmmcwsus

… dann startet die WSUS Konsole wieder mit den Standard-Einstellungen.

image

Enjoy it, b!

View original post

Debian upgrade from 7 to 8 syslog-ng.service start request repeated too quickly, refusing to start

/ Konkretor / Leave a comment

You have upgraded from Debian 7 to Debian 8 and you are usign syslog-ng.

You will be in a little bit in trouble with syslog-ng

You can check this with systemctl status syslog-ng.service

syslog-ng.service start request repeated too quickly, refusing to start

syslog-ng service is not starting.

Check your local config file search after ” unix-stream(“/dev/log”);”

People with custom syslog-ng configurations will most likely face upgrade problems due to the unix socket type mismatch between systemd and syslog-ng old configuration file:

  • systemd creates /dev/log as unix-dgram
  • syslog-ng < 3.2.5 expected /dev/log to be unix-stream (configuration file)

If you use ‘unix-stream (“/dev/log”)’ in one of your log messages sources, you will need to manually change it to ‘unix-dgram (“/dev/log”)’.

Found here

https://unix.stackexchange.com/questions/202044/syslog-ng-service-not-starting-with-systemd-but-command-works-fine