How to automatically sign the RRSIG in DNSSEC Zones.

Anyone who works with cron jobs will have realized that */20 in the day-of-month field of a crontab steps through the calendar days of each month and restarts at every month boundary; it does not count days elapsed since the last run. My requirement, however, was to run a batch job every N days since the last run. After several hours of Googling I came across this blog post (https://backreference.org/2013/08/25/run-cron-job-every-n-days/index.html), which does exactly what I was looking for.

In this post I use that approach to re-sign my DNSSEC zone, renewing its RRSIGs, once every 25 days. Below is the extract from the original post.

====================================================================

Let’s say we want to run a job every N days, or weeks, regardless of month or year boundaries. For example, once every three Tuesdays, or once every 17 days, or whatever.

Cron itself (at least the variants I have access to) has no way to specify these time periods, so it would seem this could not be done.

But there’s a simple way to do it. It is based on modular arithmetic and on the fact that we know that measurement of time on Unix starts on a concrete date, which is the well-known January the 1st, 1970 (also known as “the Epoch”). For the remainder, I’m assuming UTC and a running time of midnight for simplicity; it should be easy to consider the appropriate time differences where needed.

With this kind of requirement we need to have an actual starting date for the job, that is, when it has to run for the first time, so we can use it as a starting point for the “every N days” intervals.
Once we have an actual date of first execution for our task (say, 2013-01-15, a Tuesday, at 00:00), we can divide the time passed since the Epoch until our date into groups of N days. For this first example, let’s say N == 14, two weeks. With the following calculation we can see which place our starting day occupies in a period of 14 days (two weeks):

Dividing by 86400 gives the number of days passed since the Epoch, from which the modulo 14 is calculated. The result is 11, which tells us that at any given time, performing the above calculation using the current date will yield 11 only on $startdate, of course, and on every second Tuesday (well, every 14 days, which is the same) starting from $startdate (or going backwards from $startdate, which is not important here). Simple test code to show that it’s true:

Sample run:

So there we have it, every second Tuesday starting from 2013-01-15. The code shown in modcheck.sh can be made generic so that values can be passed from the command line:

Another test: let’s say we want every fifth day starting from 2012-12-02. Let’s calculate the modulo first:

And let’s verify it:

So to use all this in our crons, we need to know the starting date, the frequency (every N days) and calculate the modulo. Once the modulo is known, we run the job if the modulo calculated for “now” (when the job is invoked) matches the modulo we want. So for instance if the period is 13 days and the modulo we want is 6, in our script we do:

Or as usual it can also be done in the crontab itself so the script does not need to have special knowledge (it may not even be a script, so in that case the check would have to be external anyway):

Note: so far, it doesn’t seem to have trouble with DST time changes. Corrections welcome.

====================================================================

Below is a screenshot of the crontab entry I use to re-sign the zone once every 25 days.
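The crontab screenshot does not survive here, so as an added example (my own code, not the blog author's crontab and not the quoted post's modcheck.sh) the shell script below packages the quoted calculation: it computes the slot a start date occupies in a period of N days, tests whether another date falls on the same slot, and emits the crontab line that runs a command only on those days. It assumes GNU date (Linux) and pins every calculation to UTC. Run in UTC, the quoted post's start date 2013-01-15 with N == 14 lands on slot 12 rather than the 11 reported above; 11 is what the same arithmetic yields when 00:00 of the start date is taken in a zone ahead of UTC, where that instant is still the previous day in UTC. That is the practical caveat: the slot and the check cron performs must be computed in the same time zone, so either run the entry under TZ=UTC or choose a firing hour that already falls on the same calendar day in UTC. The start date 2023-10-01 and the command /usr/local/sbin/resign-zone are constructed placeholders.

```shell
#!/bin/sh
# Added example: the "days since the Epoch, modulo N" check from the quoted
# post, as reusable functions plus a crontab-line generator.
# Assumes GNU date (-d). All arithmetic is done in UTC; the cron entry this
# emits also evaluates "now" in UTC (date -u), so both sides agree.

# days_since_epoch YYYY-MM-DD -> whole days from 1970-01-01 to that date (UTC)
days_since_epoch() {
    secs=$(TZ=UTC date -u -d "$1" +%s) || return 1
    echo $(( secs / 86400 ))
}

# period_slot YYYY-MM-DD N -> which of the N slots that date falls in (0..N-1)
period_slot() {
    days=$(days_since_epoch "$1") || return 1
    echo $(( days % $2 ))
}

# should_run_on DATE START N -> success when DATE is START plus a multiple of N days
should_run_on() {
    [ "$(period_slot "$1" "$3")" -eq "$(period_slot "$2" "$3")" ]
}

# crontab_line START N COMMAND -> a crontab entry that fires at 00:10 UTC every
# day but only runs COMMAND on matching days. Inside a crontab command every
# '%' must be written as '\%' (cron otherwise turns it into a newline), which
# is why both percent signs below are escaped.
crontab_line() {
    slot=$(period_slot "$1" "$2") || return 1
    printf '%s\n' "10 0 * * * [ \$(( \$(date -u +\\%s) / 86400 \\% $2 )) -eq $slot ] && $3"
}

# The two cases from the quoted post, evaluated in UTC
echo "2013-01-15 every 14 days -> slot $(period_slot 2013-01-15 14)"
echo "2012-12-02 every 5 days  -> slot $(period_slot 2012-12-02 5)"

# Constructed: re-sign a zone every 25 days, anchored on 2023-10-01.
# /usr/local/sbin/resign-zone is a placeholder for whatever signs your zone.
crontab_line 2023-10-01 25 "/usr/local/sbin/resign-zone example.test"
```

The generated line is what goes into the crontab; if the daemon runs in a local zone rather than UTC, keep the `date -u` in the command and move the firing hour late enough that the local time is already the same UTC date (for UTC+2, anything after 02:00 local).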

That’s it. Let me know your thoughts in the comments section.

October 23, 2023 at 10:41 am

Exchange mailbox move fails at 95% with FailedOther

When migrating mailboxes to a newer server, the move may stall or fail at 95% with the status FailedOther.

In these cases, first make sure you have not set a quota on the target database or any other restrictive settings. If everything looks fine and the migration still fails, the commands below resolve the failure.

First, remove the failed move request:

Get-MoveRequest -Identity "Failed Mailbox ID" | Remove-MoveRequest

Then create a new one:

New-MoveRequest -Identity "Failed Mailbox ID" -TargetDatabase "DB" -BadItemLimit 200 -AcceptLargeDataLoss

The mailbox migration should now complete successfully. Note that -BadItemLimit 200 together with -AcceptLargeDataLoss tells the move to skip up to 200 corrupt or unreadable items instead of failing, so check Get-MoveRequestStatistics afterwards to see how many items were actually left behind.

April 10, 2023 at 3:29 pm

Unable to move mailboxes via ECP/EAC

When migrating from Exchange 2013 to Exchange 2019 you may notice that you cannot move mailboxes from Exchange 2013 to Exchange 2019 via the EAC.

The workaround is to use the New-MoveRequest or New-MigrationBatch Exchange PowerShell cmdlets. Even then, the move request may fail in some cases and may not appear in the EAC. Refer to the Microsoft articles on how to create the CSV for migration batches and use it with these cmdlets.

In brief:

  • Create a CSV file using the EAC.

Then modify the CSV file as below:

Run the commands below to initiate the migration and get the statistics (the batch name, the path to the CSV and the target database are placeholders to fill in):

New-MigrationBatch -Name <BatchName> -CSVData ([System.IO.File]::ReadAllBytes("<path to CSV>")) -Local -TargetDatabase <TargetDatabase>

Get-MigrationUser | Get-MigrationUserStatistics


Now back to the original problem and how to fix it. Find the system mailboxes (especially the migration mailbox) on the older Exchange server and move them to a database on the newer Exchange server:

Get-Mailbox -Server "OLD Exchange Server" -Arbitration | New-MoveRequest -TargetDatabase "Database in the Newer Exchange"

After that you can happily use the EAC to migrate the mailboxes.

Source: https://m365security.eu/2012/10/28/using-new-migrationbatch-to-perform-local-mailbox-moves-in-exchange-server-2013/

April 10, 2023 at 3:21 pm

The public folder database "Public Folder Database 0206806109" cannot be deleted

If you are migrating from an earlier version of Exchange to a newer one, you may find that you cannot decommission the old Exchange server because the public folder databases refuse to be deleted, with the error message below.

Public Folder Database 0206806109
Failed
Error:
The public folder database “Public Folder Database 0206806109” contains folder replicas. Before deleting the public folder database, remove the folders or move the replicas to another public folder database. For detailed instructions about how to remove a public folder database, see http://go.microsoft.com/fwlink/?linkid=81409&clcid=0x409.

You may opt to use ADSI Edit to forcibly delete the public folder database. I would not recommend this approach, because ADSI Edit performs no error checking or validation.

Instead, after ensuring that all the needed public folders have been migrated to the new Exchange servers, you can use the PowerShell commands below to safely delete the replicas of the remaining public folders and system public folders:

Get-PublicFolder -Server Exch-2010 "\NON_IPM_SUBTREE" -Recurse -ResultSize:Unlimited | Remove-PublicFolder -Server Exch-2010 -Recurse -ErrorAction:SilentlyContinue

Now you can remove the public folder database. Because -ErrorAction:SilentlyContinue hides any failures from the previous command, run the Get-PublicFolder query again first to confirm that nothing is left.

Remove-PublicFolderDatabase "Public Folder Database 0206806109"

Source: https://blog.rmilne.ca/2020/09/30/unable-to-remove-exchange-2010-public-folder-database/

April 10, 2023 at 2:58 pm

Windows Server 2022 – Cannot extend the C: partition

Those who install a new Windows Server 2022 may find that the C: drive cannot be extended. This is because the recovery partition is created immediately after the C: partition.

Most Google results suggest using a third-party tool to modify the disk, or deleting the recovery partition with diskpart (using the override switch) and then extending C:. However, that deletion leaves you without a recovery partition and unable to recover the server via the recovery media or similar methods. I would therefore recommend the approach below, which safely moves the recovery environment onto the C: drive after the original recovery partition has been deleted.

Step 1: Mount the Windows Server 2022 image on the C:\temp folder

DISM /Mount-Image /ImageFile:D:\sources\install.wim /Index:1 /MountDir:C:\temp /ReadOnly /Optimize

Step 2: Copy the recovery environment to the C: drive

robocopy C:\temp\Windows\System32\Recovery C:\Windows\System32\Recovery /MIR

Step 3: Point the recovery image at C:\Windows\System32\Recovery

reagentc /setreimage /path C:\Windows\System32\Recovery

Step 4: Unmount the Windows Server 2022 image and verify the recovery image status

DISM /Unmount-Image /MountDir:C:\temp /Discard

Run the command reagentc /info to verify the recovery image location and status.

April 10, 2023 at 2:43 pm

How to install a wildcard SSL certificate on the Splunk Web

Hi Guys

If you come across a situation where you need to install or renew a wildcard certificate (*.local.test.net) on a Splunk Web instance, you can follow the guidelines below. The main purpose of this guide is to help fellow Splunk engineers in a similar situation, since I did not find a proper guide either in the Splunk portal or via Google searches.

  • If it is a standard SSL certificate, please follow the detailed Splunk guide: https://docs.splunk.com/Documentation/Splunk/8.2.4/Security/Getthird-partycertificatesforSplunkWeb
  • If you need to convert a .crt to .pem, use "openssl x509 -in cert.crt -out cert.pem" (add -inform DER if the .crt is binary DER rather than Base64 PEM).
  • My commands are based on the openssl utility on a Linux server.
  • A CSR had already been created on another server (a Windows server) and the wildcard certificate obtained from the SSL vendor. We then installed the certificate on that server and exported it (as .pfx, with the private key) to be imported on all other servers, including our Splunk server.

Now let’s go into the steps.

  • Do not create a separate private key as described in the guide above. There is no need to create a CSR on the Splunk server either.
  • Copy the intermediate/root certificate to the Splunk server and convert it to PEM:
    openssl x509 -in MyRoot.crt -out MyRoot.pem
  • Copy the .pfx file to the Splunk server and extract the private key. When prompted for the password, enter the password you set when you created/exported the .pfx. Note that -nodes writes the key unencrypted, so restrict the file's permissions (for example chmod 600) and keep it readable only by the Splunk user:
    openssl pkcs12 -in certificate.pfx -out privatekey.key -nocerts -nodes
  • Now extract the server certificate; again enter the .pfx password when prompted:
    openssl pkcs12 -in certificate.pfx -out certificate.pem -nokeys -clcerts
  • Now verify that the key and certificate belong together by comparing the MD5 hashes of their moduli with the commands below. The two hashes must match (MD5 is used here only to shorten the modulus for comparison; the check applies to RSA keys):
    openssl x509 -noout -modulus -in certificate.pem | openssl md5
    openssl rsa -noout -modulus -in privatekey.key | openssl md5

    The final step is to combine the server certificate and the root certificate into a single .pem file (use > rather than >> so that re-running the command does not append a second copy):
    cat certificate.pem MyRoot.pem > MySplunkWebCert.pem

That’s it. Now point Splunk Web at privatekey.key and MySplunkWebCert.pem (the combined file containing the server certificate and the root certificate) as per https://docs.splunk.com/Documentation/Splunk/8.2.4/Security/SecureSplunkWebusingasignedcertificate

NOTE: I have not focused on the paths and file names, so please adjust the file paths and names to your environment.
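As an added example (my own script, not from the post, from the trustzone.com source or from Splunk), the script below runs the extraction steps end to end and adds the two checks a practitioner wants before handing the files to Splunk Web: that the private key really belongs to the certificate, and that the certificate chains to the CA certificate that will be bundled with it. It reuses the file names from the post (MyRoot.crt, certificate.pfx, privatekey.key, certificate.pem, MySplunkWebCert.pem). Because nothing vendor-issued can be shipped with the page, it first constructs throwaway material: a self-signed test root standing in for the post's intermediate certificate, a leaf for *.local.test.net signed by it, and a .pfx exported with the password "changeit"; in a real run you would start at extract_from_pfx with your own files. It also generalizes the post's modulus comparison: comparing the public key itself works for EC keys as well as RSA. Requires the openssl command-line tool.

```shell
#!/bin/sh
# Added example: extract key + certificate from a .pfx the way the post does,
# then verify they belong together and chain to the CA before building the
# bundle for Splunk Web. All fixture material below is constructed.
command -v openssl >/dev/null 2>&1 || { echo "openssl not found, skipping" >&2; exit 0; }
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Constructed fixture: a self-signed root (MyRoot.crt), a wildcard leaf signed
# by it, and the .pfx (password "changeit") that the Windows server exported.
make_fixture() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=Test Root CA" \
        -keyout ca.key -out MyRoot.crt 2>/dev/null
    openssl req -newkey rsa:2048 -nodes -subj "/CN=*.local.test.net" \
        -keyout leaf.key -out leaf.csr 2>/dev/null
    openssl x509 -req -in leaf.csr -CA MyRoot.crt -CAkey ca.key -CAcreateserial \
        -days 30 -out leaf.crt 2>/dev/null
    openssl pkcs12 -export -inkey leaf.key -in leaf.crt -certfile MyRoot.crt \
        -passout pass:changeit -out certificate.pfx
}

# The post's extraction steps with the password supplied non-interactively.
# Piping through "openssl pkey" / "openssl x509" drops the "Bag Attributes"
# header that pkcs12 prepends, leaving clean PEM files.
extract_from_pfx() {
    openssl x509 -in MyRoot.crt -out MyRoot.pem
    openssl pkcs12 -in certificate.pfx -passin pass:changeit -nocerts -nodes \
        | openssl pkey -out privatekey.key
    openssl pkcs12 -in certificate.pfx -passin pass:changeit -nokeys -clcerts \
        | openssl x509 -out certificate.pem
    chmod 600 privatekey.key   # the key is unencrypted on disk
}

# key_matches_cert KEY CERT -> success when both carry the same public key.
# Comparing the SubjectPublicKeyInfo rather than the RSA modulus also covers EC keys.
key_matches_cert() {
    k=$(openssl pkey -in "$1" -pubout 2>/dev/null | openssl sha256) || return 1
    c=$(openssl x509 -in "$2" -pubkey -noout 2>/dev/null | openssl sha256) || return 1
    [ -n "$k" ] && [ "$k" = "$c" ]
}

# cert_chains_to CERT CAFILE -> success when CERT verifies against the CA file
cert_chains_to() {
    openssl verify -CAfile "$2" "$1" >/dev/null 2>&1
}

# build_bundle CERT CA OUT -> the combined file Splunk Web is pointed at:
# server certificate first, issuing certificate(s) after it.
build_bundle() {
    cat "$1" "$2" > "$3"
}

# bundle_cert_count FILE -> number of certificates in a PEM bundle
bundle_cert_count() {
    grep -c 'BEGIN CERTIFICATE' "$1"
}

make_fixture
extract_from_pfx
key_matches_cert privatekey.key certificate.pem || { echo "private key does not match certificate" >&2; exit 1; }
cert_chains_to certificate.pem MyRoot.pem || { echo "certificate does not chain to MyRoot.pem" >&2; exit 1; }
build_bundle certificate.pem MyRoot.pem MySplunkWebCert.pem
echo "OK: privatekey.key and MySplunkWebCert.pem ($(bundle_cert_count MySplunkWebCert.pem) certificates) are consistent"
```

With a vendor-issued certificate and an intermediate CA, MyRoot.pem is the intermediate: the chain check then needs the real root as well (pass it with -CAfile and the intermediate with -untrusted), and the bundle order stays the same, server certificate first.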

Source:
https://trustzone.com/knowledge-base/split-pfx-file-into-pem-key-files-openss-windows-linux/

March 14, 2023 at 12:37 pm

How to migrate a File Server to another server with the latest operating system.

In this article I am going to explain a recent project we took on to migrate a Windows Server 2003 file server to Windows Server 2022.

In the past we used to perform this kind of migration via manual file transfer or backup-and-restore methods. However, Microsoft has released a feature called Storage Migration Service, which is enabled via the Windows Admin Center web console (WAC). WAC can be installed on any machine, or on the destination file server itself. The Storage Migration Service recreates the share and NTFS security permissions on the destination file server as per the original settings.

After installing WAC you need to enable the Storage Migration Service extension and reload the interface.

Thereafter, you can configure a migration job by mapping the source and destination file servers. Another benefit is that you can sync the differences to cover the delta of changes made after the initial transfer. During the cutover (using the same wizard) the source file server is assigned a different IP address and the original IP is assigned to the new server.

For a detailed walk-through of the procedure, please refer to https://4sysops.com/archives/windows-server-2019-storage-migration-service/.

Good Luck.

March 2, 2023 at 9:19 am

A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses

Recently we were working with one of our customers to build an Exchange 2019 DAG. When we added the two Exchange nodes to the DAG, the process failed with the error “A server-side database availability group administrative operation failed. Error The operation failed. CreateCluster errors may result from incorrectly configured static addresses – Error: Windows Failover Clustering isn’t installed on ‘xxxxxx’.. [Server: xxxxxxxxx] – Restart the server to complete the failover cluster installation also check for the duplicate mac , incorrect IP address, if it is a VM make sure you have done sysprep.”

However, we were sure the servers had been built from a fresh installation rather than from sysprepped images. We also noticed that Server Manager on both servers displayed the message ”Restart is Pending”.

So we simply restarted the servers, after which we were able to add the two Exchange servers to the DAG.

November 17, 2022 at 2:13 pm

How to migrate the AAD Connect to a new Server

Those running AAD Connect to synchronize their on-premises AD may come across a requirement to upgrade the OS on the AAD Connect server. In this situation the safest approach is to build a new server with the latest OS version and then migrate AAD Connect with the steps below, without facing a lengthy outage.

  • Prepare a new server with the operating system.
  • Install AAD Connect (preferably the same version as the existing one, or the latest version available).
  • Before proceeding with the migration, ensure two things:

    – Take a backup of the existing configuration using AAD Connect –> View or Export configuration
    –> click Export Settings. This creates a JSON file in X:\ProgramData\AADConnect (copy it to the new server).
    – Secondly, use the Azure AD Connect Configuration Documenter to collect the existing configuration in HTML format (https://github.com/Microsoft/AADConnectConfigDocumenter/releases). The installation instructions can be found at https://github.com/Microsoft/AADConnectConfigDocumenter/wiki.

Thereafter, proceed with the installation of AADC on the new server: select the Customize option (instead of Express) –> Import synchronization settings, import the configuration using the JSON file copied in the step above and press Next.

In the last screen of the AADC Installation wizard , select the below options.
– Start the synchronization process when the configuration completes.
– Enable staging mode.

Now use the AADC configuration documenter to capture the settings on the new AADC server, copy both sets of reports to the same location, and run the command below to compare the two configurations (refer to the wiki for instructions).

AzureADConnectSyncDocumenterCmd.exe "AADC-SERVER-OLD" "AADC-SERVER-NEW"

After reviewing the output and confirming that the configurations are identical, proceed with the final steps of the migration:

– Enable staging mode on the old AADC server (AADC –> Tasks –> Configure staging mode).
– Disable staging mode on the new AADC server.
– Perform a test and confirm that synchronization is working as expected.
– Uninstall AADC from the old server and proceed with its decommissioning.

October 8, 2022 at 10:52 pm

The trust relationship between this workstation and the primary domain has failed

You may frequently have faced the above error while trying to log on to the domain from a PC or server. Additionally, when you review the Event Viewer, NETLOGON event IDs 3210, 130 and 8019 will have been logged as well.

In this case (provided you have credentials for the local administrator):
– Log in as the local administrator.
– Open PowerShell.
– Run the PS command Test-ComputerSecureChannel (the output will be False).
A False result confirms that the secure channel to AD is broken. Previously the fix was to disjoin the workstation from the domain and rejoin it; now the same cmdlet can repair the channel in place:

– Type: $cred=Get-Credential (enter the username and password of a domain administrator, or of any user who has rights to add computers to the domain).
– Test-ComputerSecureChannel -Credential $cred -Repair (the output will be True).

Restart the computer and everything should be working as normal.

NOTE: If you skip the credential variable and try to enter the credentials inline, the command will fail.

May 31, 2022 at 11:56 am
