
Sunday, July 31, 2011

Set up a server to accept SMB v1 connections on a DNS alias (DisableStrictNameChecking)

I have been tidying up a client's infrastructure, and as part of this I have been creating DNS entries for certain services. For example, I want to move the backup location away from the server name and onto a more generic DNS name for backups.

Note: the environment is isolated and all servers are standalone; there is no Active Directory. If you are in a Windows domain environment you may have to look at setting SPNs. I include some links at the bottom that may help you here.


Now I thought I could just create a new DNS entry, point it at the server IP, and then use the DNS name in the UNC path. This worked fine for Windows 2008 and Windows 7 machines, and it turns out this is because they are happily using SMB v2.

What I found was that the Windows 2000 / Windows 2003 servers then failed to connect to the Windows 2008 server. \\<ipAddress> and \\<servername> worked fine, but the newly created DNS entry would not. It resolved fine on the 2003 server, but trying to connect via Explorer using a UNC path with the new DNS name just failed.

In the end I found that this is because the connection is using SMB v1, and by default the server only accepts SMB v1 connections that are addressed to its own computer name. To allow this connectivity you have to change a registry setting on the server you are trying to connect to.

So on my Windows 2008 server I had to set the following.

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\LanmanServer\Parameters

Value name: DisableStrictNameChecking
Data type: REG_DWORD
Radix: Decimal
Value: 1

Once the server had been restarted, I was able to connect to it using the DNS name.

Below I try to visualise the problem.

Note: strict name checking will need to be disabled (DisableStrictNameChecking set to 1) on every server you want to connect to using SMB v1. So in essence, unless everything is Win2k8 and Win7, you will have to do this.


References

http://support.microsoft.com/kb/281308

http://support.microsoft.com/kb/870911

http://homeworksblog.wordpress.com/2010/08/06/connecting-smb-share-with-cname/

http://technet.microsoft.com/en-us/library/cc773257(WS.10).aspx

http://technet.microsoft.com/en-us/library/cc961723.aspx



Wednesday, July 27, 2011

IIS 7 – resetting a site to root inheritance

I wanted to reset some sites, on a multi-site IIS server, so that they pick up their logging settings from the root (the server-wide site defaults).

After some digging around I found that you have to edit applicationHost.config to achieve this.

The file can be found here

%windir%\System32\inetsrv\config

Site information is held within this XML file; find the <site> element whose name attribute matches the site you are looking for. In this example "Default Web Site".

<site name="Default Web Site" id="1" serverAutoStart="true">
    <application path="/">
        <virtualDirectory path="/" physicalPath="C:\inetpub\wwwroot\defaultwebsite" />
    </application>
    <bindings>
        <binding protocol="http" bindingInformation="*:80:testy.test.commy" />
    </bindings>
    <logFile logFormat="W3C" directory="E:\weblogs" />
</site>


Now just delete the <logFile …> element completely and save. Take a copy of the file first: if the XML is left malformed, IIS will not start any site on the server.



You should now find in the IIS GUI that the site's logging settings are picking up the root settings. Hoorah!
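The same edit done with PowerShell, as an added example that is not code from the original post: it backs up applicationHost.config, removes the site-level <logFile> element for the named site, and shows what the site now inherits. The site name is an assumption; run it from a 64-bit, elevated PowerShell on the IIS server.

```powershell
# Added example (not from the original post): remove a site's own <logFile>
# element from applicationHost.config so the site inherits <siteDefaults>.
# Assumptions: runs elevated on the IIS server, and $siteName is the site to reset.
# Use 64-bit PowerShell: a 32-bit host is redirected to SysWOW64\inetsrv\config.
$configPath = Join-Path $env:windir 'System32\inetsrv\config\applicationHost.config'
$siteName   = 'Default Web Site'   # assumed site name; change to the site to reset

# Back up first: a malformed applicationHost.config stops every site on the box.
$backup = "$configPath.$(Get-Date -Format 'yyyyMMddHHmmss').bak"
Copy-Item -Path $configPath -Destination $backup

$config = New-Object System.Xml.XmlDocument
$config.PreserveWhitespace = $true     # keep the file's indentation and comments on save
$config.Load($configPath)

# Locate the <site name="..."> element exactly as the post describes.
$site = $config.SelectSingleNode("/configuration/system.applicationHost/sites/site[@name='$siteName']")
if ($site -eq $null) { throw "Site '$siteName' not found in $configPath" }

$logFile = $site.SelectSingleNode('logFile')
if ($logFile -ne $null) {
    # Deleting the element (not just its attributes) is what makes IIS fall back
    # to <siteDefaults><logFile .../> for directory, format and every other logging setting.
    [void]$site.RemoveChild($logFile)
    $config.Save($configPath)
    "Removed site-level <logFile> from '$siteName'; backup written to $backup"
} else {
    "'$siteName' has no site-level <logFile>; it already inherits the root settings"
}

# Show what the site now inherits from the server defaults.
$defaults = $config.SelectSingleNode('/configuration/system.applicationHost/sites/siteDefaults/logFile')
if ($defaults -ne $null) {
    $dir = $defaults.GetAttribute('directory')
    if ($dir -eq '') { $dir = '(IIS built-in default)' }
    "Inherited log directory: $dir"
}
```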



Monday, July 25, 2011

Linking Folders (mklink) – (Or adding a remote folder within another folder ;o) )

Sounds easy right? Just copy or move it! But that's not what I wanted.

I had a server with some USB-attached storage that I wanted to be available within an existing shared folder. OK, let me try to make it clearer.

I had a share on a server called "pictures", which was a share of the local folder d:\pictures. I could access this share with the UNC address

\\servername\pictures

This would show me the content of d:\pictures.

Now I had a lot of archive pictures on a USB drive, and ideally I would have liked them all to be accessible via the share (I did not really want to have to create another share).

So how do I do this in Windows? Well, from Vista / Windows Server 2008 there is a command called mklink. This command allows you to add a reference to another folder within a folder.

So we have d:\pictures and in there we have a range of folders and files. Now our USB drive is attached using the drive letter z:\. I want the contents of z:\ to be visible within d:\pictures, so I use the following command from a command prompt within the d:\pictures folder.

mklink /D /J externalStorage1 Z:\

Now if I dir in the d:\pictures folder, I see a new folder called externalStorage1, and if I change directory to externalStorage1 I can see the contents of the z:\ drive. In addition, if I browse the share remotely

\\servername\pictures

you will find that you can see and access externalstorage1.

excellent.

Note: You must use /J to create what is called a directory junction. There are hard and soft links and I will leave you to work out the differences, but I will say that if you don't use /J you will find that the link does not work when viewed across the network share: a symbolic link is resolved by the client that opens it (and remote symbolic link evaluation is off by default), whereas a junction is resolved on the server itself.



WD LiveWire Powerline Device – Connect multiple devices (more than original 2)

I have not actually tried this, but I have just bought 2 of these devices and I want eventually to connect more.

Now I got the 2 units working straight out of the box and they are great; I cannot knock them.

However, so I am led to believe, to add more devices you will need to configure them. This is done with a utility on the CD supplied with the units.

You configure the device plugged into the computer (the one you install the software on) as the "Local Device". The others then become remote devices.

  1. Click "ADD" to add new devices.
  2. You will have to locate the password for each additional unit, which is marked P/W on the bottom of the device.
  3. You will have to enter the password and give the device a name.
  4. Then hit the "OK" button.
  5. All the devices should reboot, and within 60 seconds the utility should scan and locate all the devices on your system.
  6. Note: if the utility does not locate all the devices within 60 seconds, it means that the devices did not reboot. You will then have to unplug ALL the devices, re-plug them into the wall, and then close and reopen the utility. It should now work.

References:

http://westerndigitalreviews.com/western-digital-wd-livewire-powerline-av-network-kit-2/



Wednesday, July 20, 2011

Installing multiple certificates on multiple remote servers

Note: While doing this I had a strange issue where certutil (running via psexec) started complaining about arguments ("Expected no more than 1 args, received x"). The command was running fine before; it just stopped working and returned this error. In the end I wiped the certutil command file (CertUtilCommands.bat) and built it from scratch, running certutil -f initially, which got a dump output, then building up to the full command. Doing this got the whole process working again. It's a strange one and I cannot explain it, but this got it working.

Disclaimer: While I believe everything below will work, I cannot guarantee it. Please ensure you test before trying anything (which is of course what everyone does).

In my first article about installing certificates on multiple servers I used psexec to install one certificate in PFX format.

The time arose that I had to renew this certificate, but the supplier had also changed one of their upstream server certificates, so I had to install that too. So what I have done is rework my first article and build a mechanism that allows the certutil commands to be contained in one file.

Now I wanted to attach a file to this blog post with all the necessary files; however that was not possible, as Blogger will not allow me to attach files.

So below I show the folder structure, describe each folder's purpose and then give the file contents for all the batch files.

Folders


  • PsTools is available from Microsoft (Sysinternals).
  • CertutilFiles – this folder contains the certutil files that need to be copied to the remote machine. These files should be from a Win2k3 server (see image below).


  • CertFiles – this is where to put the certificate files (*.crt, *.pfx etc.) that you want to install.
  • reports – this is an empty folder that will contain the stdout of the commands run. It may help if issues are encountered.

Files

serverlist.txt – a basic list of the servers you want to run the commands on. This will obviously need to be changed to your server list.

server1
server2


cc.bat – this is the primary file (run cc from the command prompt). It will prompt you for the server list file, a username and a password.



@ECHO OFF
:InputServerList
SET /p vserverList=Please enter filename of server list (default="serverlist.txt") :-

IF "%vserverList%"=="" (
SET vserverList=serverlist.txt
)

SET voptions=

SET /p vuser=Please enter username (default="<system account - will not have network access on remote machine>") :-

IF NOT "%vuser%" == "" (
SET voptions=-u %vuser%
) ELSE (
GOTO nouser
)

SET /p vpassword=Please enter password :-

REM note: the password ends up on the psexec command line and in the per-server report files, so clear them down afterwards
SET voptions=%voptions% -p %vpassword%
GOTO userset

:nouser
SET voptions=-s

:userset

IF NOT EXIST reports MD reports

REM one window per server; %voptions% and %vuser% are inherited by startcerts.bat as arguments
FOR /F "eol=# tokens=1 delims=," %%A IN (.\%vserverList%) DO START CMD /C "startcerts.bat %%A %voptions% %vuser%>reports\output_command_%%A.txt"



startcerts.bat – This sets up a Windows share on the local machine, which allows the remote server to copy the files. The local computer's IP is passed to the remote server (the IP is only passed if nslookup locally resolves the computer name to an IP); if this fails the computer name is passed instead. (If the computer name is passed to the remote server then it will need to be resolvable from the remote server.)

The share will be removed at the end of the process.

Note: I have found that psexec has issues with some antivirus software (returning an "all pipes busy" error). If you encounter this then you should stop the antivirus software for the duration of the script. I include a net stop and a net start command in the batch file; you will need to add the service name.

Note: the script had an issue trying to connect back to itself, so I have now catered for that scenario by removing the credentials from the psexec command if the machine is connecting to itself.




SET Sharename=installcerts2%1
SET localserverip=

REM take the IP from the local nslookup output; if the lookup fails the computer name is passed instead
FOR /F "skip=4 tokens=2 delims=:" %%A IN ('2^>NUL nslookup %COMPUTERNAME%') DO (
SET localserverip=%%A
)

IF "%localserverip%" == "" (
SET localserverip=%COMPUTERNAME%
)

REM if local machine name = remote machine name, reset options so psexec runs locally without credentials
IF /I "%1" == "%COMPUTERNAME%" (
SET voptions=
)

REM read-only share of the current folder (PsTools, CertutilFiles, CertFiles) for the remote server to copy from
net share %Sharename%=%CD% /GRANT:everyone,READ

REM stop antivirus service, have found on win2k8 servers that this will prevent psexec from running, returning all pipes busy error.
net stop "<antivirus service>"

CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteSetup.bat %localserverip% %Sharename%

CALL .\PsTools\psexec \\%1 -s -f -c CertUtilCommands.bat

CALL .\PsTools\psexec \\%1 %voptions% -f -c certRemoteClearUp.bat

REM restart the antivirus service stopped above
net start "<antivirus service>"

REM close any files the remote server still holds open on the share (%3 is the username passed in from cc.bat)
openfiles /disconnect /A %3

net share %Sharename% /DELETE


certRemoteSetup.bat – This copies the files in the CertutilFiles and CertFiles folders to the remote machine's Windows temp folder (%windir%\Temp). The only issue I have found here is that if the computer name of the local machine cannot be resolved from the remote server then the copy will fail, as it cannot find the files to run.



xcopy /Y \\%1\%2\CertutilFiles\*.* %windir%\Temp\CertInstall\
xcopy /Y \\%1\%2\CertFiles\*.* %windir%\Temp\CertInstall\


CertUtilCommands.bat – This is the file that will need to be edited for your specific requirements (certificate file names, target stores and the PFX password).



C:
CD %windir%\Temp\CertInstall\

REM AuthRoot = Third-Party Root Certification Authorities store
certutil -f -addstore AuthRoot .\<certificate1filename>.crt

REM CA = Intermediate Certification Authorities store
certutil -f -addstore CA .\<certificate2filename>.crt

REM PFX with private key; note the password sits in clear text in this file, so delete it once done
certutil -f -p <password> -importpfx .\<certificate3filename>.pfx


certRemoteClearUp.bat – Deletes all copied files and removes the directory.



DEL /Q /S %windir%\Temp\CertInstall\*.*
RD /Q /S %windir%\Temp\CertInstall
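The CertUtilCommands.bat step done in PowerShell, as an added example that is not code from the original post: each file is imported into the LocalMachine store it belongs in, certificates already present (matched by thumbprint) are skipped, and the PFX password is prompted for rather than stored in the file. The file names and the file-to-store mapping are assumptions; AuthRoot, CA and My are the real store names the cert: drive lists.

```powershell
# Added example (not part of the original post): import each certificate into
# its LocalMachine store, skipping ones already present (matched by thumbprint).
# Assumptions: files sit in $certDir (the folder the batch files use) and the
# file -> store mapping below is illustrative; adjust it to your certificates.
Add-Type -AssemblyName System.Security   # X509 classes; harmless if already loaded

$certDir = Join-Path $env:windir 'Temp\CertInstall'
$pfxPassword = Read-Host 'PFX password' -AsSecureString   # not hard-coded in a .bat

# file name -> programmatic store name (not the friendly name shown in the MMC)
$plan = @{
    'certificate1filename.crt' = 'AuthRoot'   # Third-Party Root Certification Authorities
    'certificate2filename.crt' = 'CA'         # Intermediate Certification Authorities
    'certificate3filename.pfx' = 'My'         # Personal (holds the private key)
}

function Import-CertIfMissing {
    param([string]$Path, [string]$StoreName, [securestring]$Password)

    $x509 = 'System.Security.Cryptography.X509Certificates'
    $cert = New-Object "$x509.X509Certificate2"
    if ($Path -like '*.pfx') {
        # MachineKeySet: private key goes into the machine key container so
        # services can use it; PersistKeySet: key survives after this process ends.
        $flags = [System.Security.Cryptography.X509Certificates.X509KeyStorageFlags]
        $cert.Import($Path, $Password, $flags::MachineKeySet -bor $flags::PersistKeySet)
    } else {
        $cert.Import($Path)
    }

    $location = [System.Security.Cryptography.X509Certificates.StoreLocation]::LocalMachine
    $store = New-Object "$x509.X509Store" ($StoreName, $location)
    $store.Open([System.Security.Cryptography.X509Certificates.OpenFlags]::ReadWrite)
    try {
        $findType = [System.Security.Cryptography.X509Certificates.X509FindType]::FindByThumbprint
        $existing = $store.Certificates.Find($findType, $cert.Thumbprint, $false)
        if ($existing.Count -gt 0) {
            "SKIP  $StoreName  $($cert.Thumbprint)  $($cert.Subject)"
        } else {
            $store.Add($cert)
            "ADDED $StoreName  $($cert.Thumbprint)  $($cert.Subject)"
        }
    } finally {
        $store.Close()
    }
}

foreach ($file in $plan.Keys) {
    Import-CertIfMissing -Path (Join-Path $certDir $file) -StoreName $plan[$file] -Password $pfxPassword
}
```

Run it elevated; a second run reports SKIP for every file, which is the idempotence the batch version lacks.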


IIS full url redirection

I recently had to redirect a renamed site in IIS.

IIS provides some easy-to-use options to configure this. However, what I found was that it would lose the query string part of the URL.

What I have found is that to keep the URL you set a permanent redirection to an exact URL, but include $S$Q on the end of the URL string.

i.e. http://siteurl$S$Q

This will redirect to the exact site URL but append the remainder of the requested path ($S) and the complete query string ($Q).

Cheers



Monday, July 18, 2011

Installing multiple certificates to specific stores on remote machines

I won't go into how I loop through and pass the commands to remote servers, as I do that in this article. All I do here is add more certutil info, and also some info about navigating the certificate store from within PowerShell.

So in my case I needed to import a certificate into the Intermediate Certification Authorities store. Now I knew I could use this command

Certutil -f -addstore <store Name> <intermediate CA name>.crt

However, I needed to know the programmatic name for the store (not the friendly name listed in Windows). In the end I worked it out using PowerShell and the cert: drive, browsing around until I came across some certificates that I knew were in the store.

As it turns out, the CA store is the "Intermediate Certification Authorities" store. So the command will be

Certutil -f -addstore CA <intermediate CA name>.crt

Powershell: Cert Drive

Within PowerShell you can actually change to a drive called cert:, which is a representation of the certificate store (example below).

PS C:\> cd cert:

PS cert:\> dir

Location   : CurrentUser
StoreNames : {SmartCardRoot, UserDS, AuthRoot, CA...}

Location   : LocalMachine
StoreNames : {SmartCardRoot, AuthRoot, CA, Trust...}

PS cert:\> cd localmachine

PS cert:\localmachine> dir

Name : SmartCardRoot

Name : AuthRoot

Name : CA

Name : Trust

Name : Disallowed

Name : My

Name : Root

Name : TrustedPeople

Name : TrustedDevices

Name : Remote Desktop

Name : TrustedPublisher

Name : REQUEST


Monday, July 11, 2011

Multiple Standalone Windows Servers: DNS Suffix List

Note: I am not sure what causes Windows to reload this list, but I currently believe that running ipconfig /flushdns and gpupdate /force reloads the values. In addition, if those don't work, I have found that disabling and re-enabling one of your network adapters forces the change to be picked up. I had teamed NICs, so I was able to disable/enable a secondary adapter without losing connectivity.

Recently I wanted to add a DNS suffix to a range of Windows servers. This would have been easy had the servers been in a domain, but all the servers were standalone, so Group Policy was not an option.

After searching the internet for a while I was still no clearer on the best option for configuring standalone servers. I did not want to mess with primary DNS suffixes or have to set up connection-specific DNS suffixes.

I wanted a solution that would apply to all connections on the servers, and one I was able to apply remotely to all servers.

After messing with local policies, manual settings and registry settings, the best solution I found was a registry entry.

  • Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient
  • String Value (REG_SZ): SearchList=dnssuffix1,dnssuffix2,dnss……

So I created a registry file with the necessary entries (see below).

Windows Registry Editor Version 5.00
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient]
"SearchList"="dnssuffix1,dnssuffix2,dnssuffix3"


So with a quick script using psexec this was run on all servers.



Job Done…
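An alternative to psexec plus a .reg file, as an added example that is not code from the original post: it reads the same serverlist.txt, writes the SearchList value from this post and the DisableStrictNameChecking DWORD from the SMB v1 post above through the Remote Registry service, and reports the old and new value per server. It assumes the Remote Registry service is running on each target and that the account running it is a local administrator on every standalone server.

```powershell
# Added example (not from the original post): push registry values to every
# server in serverlist.txt over the Remote Registry service.
# Assumptions: Remote Registry runs on each target, and the account running this
# is a local administrator on every standalone box (same name/password everywhere,
# since there is no domain). The suffix values are the post's placeholders.
$serverList = '.\serverlist.txt'   # one host per line; '#' lines are comments

$settings = @(
    @{ Hive = 'LocalMachine'; Key = 'SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Name = 'SearchList'; Value = 'dnssuffix1,dnssuffix2,dnssuffix3'
       Kind = [Microsoft.Win32.RegistryValueKind]::String },
    @{ Hive = 'LocalMachine'; Key = 'SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
       Name = 'DisableStrictNameChecking'; Value = 1
       Kind = [Microsoft.Win32.RegistryValueKind]::DWord }
)

function Set-RemoteRegistryValue {
    param([string]$Computer, [hashtable]$Setting)
    $hive = [Microsoft.Win32.RegistryHive]$Setting.Hive
    $base = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey($hive, $Computer)
    try {
        # CreateSubKey opens the key writable and creates it if missing: the
        # DNSClient policy key does not exist until something creates it.
        $key = $base.CreateSubKey($Setting.Key)
        $old = $key.GetValue($Setting.Name)
        $key.SetValue($Setting.Name, $Setting.Value, $Setting.Kind)
        $new = $key.GetValue($Setting.Name)
        $key.Close()
        New-Object PSObject -Property @{ Computer = $Computer; Name = $Setting.Name; Old = $old; New = $new }
    } finally {
        $base.Close()
    }
}

$servers = Get-Content $serverList | Where-Object { $_ -and $_ -notmatch '^\s*#' }
$results = foreach ($server in $servers) {
    foreach ($setting in $settings) {
        try {
            Set-RemoteRegistryValue -Computer $server.Trim() -Setting $setting
        } catch {
            New-Object PSObject -Property @{ Computer = $server; Name = $setting.Name; Old = $null; New = "ERROR: $_" }
        }
    }
}
$results | Select-Object Computer, Name, Old, New | Format-Table -AutoSize

# DisableStrictNameChecking only takes effect once the Server service restarts
# (the SMB post rebooted); SearchList needs the flush / adapter bounce described above.
```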



Thursday, July 07, 2011

SQL Server- Creating Multiple logins at one time for multiple databases

I recently had to create a whole number of logins for a range of databases. So I developed this script, which loops through all the user databases on a server and, for each one, creates a login named after the database, generates a random password for that login, maps the login to a user in the database and assigns the appropriate database roles.

It can be run multiple times and will only create logins/users that don't exist. It will, however, apply the database roles to every user it is specified to create (i.e. it will also apply them to users it created in previous runs).

In addition, the script creates a custom database role to allow execute permissions for running stored procedures and functions.

The script outputs the usernames and passwords it created.

 

DECLARE @username varchar(50)
DECLARE @dbRole varchar(50)
DECLARE @vpassword varchar(8)
DECLARE @SQL varchar(max)
DECLARE @DatabaseName varchar(MAX)
DECLARE @output varchar(max)
SET @output = ''
DECLARE @uniquepassword uniqueidentifier
SET @uniquepassword = NEWID()
SET @dbRole = 'db_executor'
DECLARE my_cursor CURSOR FOR
SELECT CAST([Name] AS varchar(MAX)) AS databasename
FROM sys.sysdatabases
--only user databases (dbid 1-4 are master, tempdb, model and msdb); skip any name containing '$'
WHERE DBID>4 AND [NAME] NOT LIKE '%$%'
OPEN my_cursor
FETCH NEXT FROM my_cursor
INTO @DatabaseName
WHILE @@FETCH_STATUS = 0
BEGIN
	--8 hex characters of a GUID is a weak initial password, and CHECK_POLICY=OFF below bypasses the Windows password policy; change them after handover
	SELECT @uniquepassword = NEWID()
	SELECT @vpassword = LEFT(CAST(@uniquepassword AS varchar(36)), 8)
--Check if login exists, if not create login for server
	IF NOT EXISTS(SELECT name FROM master.dbo.syslogins WHERE name = @DatabaseName)
	BEGIN
		--QUOTENAME brackets the database name so names with spaces or hyphens work and cannot break out of the dynamic SQL
		SET @SQL = 'USE MASTER; CREATE LOGIN ' + QUOTENAME(@DatabaseName) + ' WITH PASSWORD = ''' + @vpassword + ''', DEFAULT_DATABASE=' + QUOTENAME(@DatabaseName) + ', DEFAULT_LANGUAGE=[English], CHECK_EXPIRATION=OFF, CHECK_POLICY=OFF';
		EXECUTE(@SQL);
		SET @output = @output + CHAR(13) + CHAR(10) + 'LOGIN:' + CHAR(9) + CHAR(9) + @DatabaseName;
		SET @output = @output + CHAR(13) + CHAR(10) + 'PASSWORD:' + CHAR(9) + @vpassword;
	END
--Check if user exists, if not create user in database
	SET @SQL = 'USE ' + QUOTENAME(@DatabaseName) + ';
	IF NOT EXISTS(SELECT name FROM sys.database_principals WHERE name = ''' + REPLACE(@DatabaseName, '''', '''''') + ''')
	BEGIN
		CREATE USER ' + QUOTENAME(@DatabaseName) + ' FOR LOGIN ' + QUOTENAME(@DatabaseName) + ';
	END'
	EXECUTE(@SQL);
--Check if db_executor role exists, if not create role in database and then assign execute permissions
	SET @SQL = 'USE ' + QUOTENAME(@DatabaseName) + ';
	IF NOT EXISTS(SELECT 1 FROM sys.database_principals WHERE name = ''' + @dbRole + ''' AND [TYPE] = ''R'')
	BEGIN
		CREATE ROLE ' + QUOTENAME(@dbRole) + ';
	END
	GRANT EXECUTE TO ' + QUOTENAME(@dbRole) + ';'
	EXECUTE(@SQL);
	SET @SQL = 'USE ' + QUOTENAME(@DatabaseName) + '; EXEC sp_addrolemember @rolename = ''db_datareader'' , @membername = ''' + @DatabaseName + '''';
	EXECUTE(@SQL);
	SET @SQL = 'USE ' + QUOTENAME(@DatabaseName) + '; EXEC sp_addrolemember @rolename = ''db_datawriter'' , @membername = ''' + @DatabaseName + '''';
	EXECUTE(@SQL);
	SET @SQL = 'USE ' + QUOTENAME(@DatabaseName) + '; EXEC sp_addrolemember @rolename = ''' + @dbRole + ''' , @membername = ''' + @DatabaseName + '''';
	EXECUTE(@SQL);

	FETCH NEXT FROM my_cursor
	INTO @DatabaseName
END
CLOSE my_cursor
DEALLOCATE my_cursor
/*This output statement will contain the usernames and passwords created for the users*/
SELECT @output


Wednesday, July 06, 2011

Win2k8: Change primary dns suffix from command line

A quick one here. I needed to add a DNS suffix to some servers that were not in a domain; the servers were all in a WORKGROUP.

I was adding entries to the DNS server so I could get rid of the legacy dependence on hosts files, which were a nightmare to manage.

So I needed a command that allowed me to do this, which I could then run remotely. The command is netdom; it does other things too, but below I show how to use it to change the primary DNS suffix. The primary DNS suffix can be changed manually in Windows by going to

  • Control Panel
  • System
  • “Change Settings” (under Computer Name section)
  • “Change”
  • “More”

Example:

    • Servername: TestServer
    • DNS Suffix: testsub.test

netdom computername TestServer /add:TestServer.testsub.test

netdom computername TestServer /makeprimary:TestServer.testsub.test



Tuesday, July 05, 2011

ColdFusion: Quick email test page

I occasionally have to look at email on a ColdFusion server. I wanted a way to quickly test email addresses, so I built the following page.

It allows To, From, Subject, Message and the SMTP server address to be manipulated. It is one page, as it posts to itself. The code is very much hacked together, as I just wanted a test page and had to create it quickly. You should be able to modify it easily to add additional features.

email.cfm

<html>
<head>
    <title>CFM Email</title>
</head>
<body>

<cfparam name="Form.Message" default="">
<cfparam name="Form.To" default="">
<cfparam name="Form.Subject" default="">
<cfparam name="Form.From" default="">
<cfparam name="Form.SMTPServer" default="">
<cfif Form.SMTPServer is not "" and Form.To is not "" and Form.From is not "">
<CFMAIL
    server="#Form.SMTPServer#"
    TO="#Form.To#"
    FROM="#Form.From#"
    SUBJECT="#Form.Subject#"
>
#Form.Message#
</CFMAIL>
Email sending is being attempted using <br/>
<!--- HTMLEditFormat escapes the submitted values before they are echoed back into the page --->
<CFOUTPUT>
SERVER: #HTMLEditFormat(Form.SMTPServer)#<br/>
TO: #HTMLEditFormat(Form.To)#<br/>
FROM: #HTMLEditFormat(Form.From)#<br/>
SUBJECT: #HTMLEditFormat(Form.Subject)#<br/>
MESSAGE: #HTMLEditFormat(Form.Message)#<br/>
</CFOUTPUT>
<cfelse>
Email sending not attempted as the parameters are currently incorrect, please change.<br/>
To, From and Server must be filled in.<br/>
</cfif>
<CFFORM METHOD="POST" action="email.cfm">
<table border="1" cellpadding="0" cellspacing="0" width="750" bordercolor="#000000">
<tr>
<td width="250"><b><i>To:</i></b></td>
<td width="500"><input type="text" name="To" size="100" Required="Yes" Message="Please enter to email address." value="<cfoutput>#HTMLEditFormat(Form.To)#</cfoutput>"></td>
</tr>
<tr>
<td width="250"><b><i>From:</i></b></td>
<td width="500"><input type="text" name="From" size="100" Required="Yes" Message="Please enter from email address." value="<cfoutput>#HTMLEditFormat(Form.From)#</cfoutput>"></td>
</tr>
<tr>
<td width="250"><b><i>SMTP Server:</i></b></td>
<td width="500"><input type="text" name="SMTPServer" size="100" Required="Yes" Message="Please enter the SMTP server name or IP." value="<cfoutput>#HTMLEditFormat(Form.SMTPServer)#</cfoutput>"></td>
</tr>
<tr>
<td width="250"><b><i>Subject</i></b></td>
<td width="500"><input type="text" name="Subject" size="100" Required="Yes" Message="Subject" value="<cfoutput>#HTMLEditFormat(Form.Subject)#</cfoutput>"></td>
</tr>
<tr>
<td width="250"><b><i>Message</i></b></td>
<td width="500">
<textarea rows="10" name="Message" cols="77"><cfoutput>#HTMLEditFormat(Form.Message)#</cfoutput></textarea>
</td>
</tr>
</table>
<br>
<input type="submit" value="Submit"><input type="reset" value="Reset">
</cfform>
</body>
</html>
