Protected: Jakes new sandpit

Posted on May 6, 2013 by admin

This content is password protected. To view it please enter your password below:

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Jake | Enter your password to view comments.

Powershell script to get users profile path (RDS and Roaming)

Posted on April 17, 2013 by admin

Copy and paste the following into a powershell script.  Be sure to run this on a 2008R2 DC or equiv, or else the RDS profile is not available

Import-Module ActiveDirectory
Get-ChildItem -Filter “(&(objectclass=user)(objectcategory=user))” -Path ad:\”CN=Users,DC=horodc,DC=local” -Recurse |
foreach {
$user = [adsi]”LDAP://$($_.DistinguishedName)”
$user | select @{N=”Name”; E={$_.name}},
@{N=”ProfilePath”; E={$_.profilepath}},
@{N=”RDSProfilePath”; E={$_.psbase.invokeget(“TerminalServicesProfilePath”)}}
} | export-csv c:\test.csv

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment

SCOM 2012 SP1 Error when displaying dashboards

Posted on March 13, 2013 by admin

Had an issue where after upgrading SCOM 2012 to SP1, all appeared to be OK, but when trying to display a dashboard, it would error out with Login account failed.  This was caused by specifying a domain account through the upgrade for the SDK account.

Changed both services back to be run as LocalService, restarted the services and all appears to be back to be normal.

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> System Centre | Leave a comment

WDS, TFTP open timeout

Posted on March 1, 2013 by admin

When trying to boot with WDS and gets a TFTP TIMEOUT error, this article is for you.

In case this happens to anyone else (just happened to me after installing an update on the server and a couple of clients i rebuilt wouldnt boot as they just hung waiting for a tftp offer)

has happened to me after a windows update on server 2008 r2 (aparantly happens on straight 2008 as well) basically its due to having dns server on the same machine as wds dns pinches the ports the tftp service needs. This can leed to pcs not booting at all just sitting there failing to tftp if their boot order has lan set higher than hdd.

2008r2 fix

run regedit

go to HKEY_LOCAL_MACHINE\System\CurrentControlSet\Servic es\WDSServer\Parameters

Right-click UdpPortPolicy, and then click Modify.
In the Value data box, type 0, and then click OK.
On the File menu, click Exit to exit Registry Editor.
Restart the Windows Deployment Services service.

2008 r1

Click Start Collapse this imageExpand this image, click Administrative Tools, and then click Windows Deployment Services. If there is no server that is listed under the Servers node, right-click the Servers node, and then click Add Server to add the local computer.
In the navigation pane of the Windows Deployment Services MMC snap-in, expand the list of servers.
Right-click the server for Windows Deployment Services, and then click Properties.
Under Network, increase the UDP Port range. For example, if the current port range is 3,000 ports, increase the port range to 4,000 ports

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment

MDT – Finding and removing local security policies

Posted on February 12, 2013 by admin

Had a customer where we were doing a standard deployment with MDT 2012.  However, what they were experiencing was everytime they went to log in, it cleared the username.  After a bit of sleuthing, there is a step in MDT standard sequence called Apply Local GPO Package.

This sets local security policies on the workstation.  The templates for this are in templates\GPOPacks\…

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> GDS 3.5 Documentation | Leave a comment

Samba with AD and Local User Mapping

Posted on February 3, 2013 by admin

This post documents how to get Samba to work with both AD and local authentication, while mapping AD users to local Unix users.  In the scenario I had, we wanted local AD users to be mapped to the already existing linux accounts.  We will check with the local SMB database, and then use AD as a secondary account store.  The following was performed with the following machines

  1. Centos 6, Samba 3.5
  2. Windows 2008 R2, AD

STEPS

  1. Backup your configurations before starting.
  2. Ensure that the latest version of Samba and kerberos is installed (ensure Samba is version >= 3.5.10) 
    yum install samba samba-winbind krb5-workstation
  3. Because we need to use kerberos, edit /etc/krb5.conf 
    default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
dns_lookup_realm = true

[realms]
  EXAMPLE.COM = { 
     default_domain = example.com 
  } 

[domain_realm] 
.example.com = EXAMPLE.COM 
example.com = EXAMPLE.COM

    NOTE:  Change example.com to be you domain name.  Note that capitalization.  It IS important.

  4. Check to make sure we can connect to the domain controller 
    root# kinit administrator@EXAMPLE.COM

    and enter the password when prompted.  If all goes well, it will return back to the # prompt.

  5. Confirm that kerberos succeeded 
    [root@vc6 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM
Valid starting     Expires            Service principal
12/19/12 21:02:28  12/20/12 07:02:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
                renew until 12/26/12 21:02:28
  6. Edit /etc/samba/smb.conf and modify the following parameters 
            security = ADS
        auth methods = sam winbind
        realm = EXAMPLE.COM
        machine password timeout = 0
        idap domains = ALL
        idmap backend = nss
        winbind use default domain = true
        winbind trusted domains only = yes
        winbind offline logon = false
        winbind nested groups = yes
        winbind separator = +
        encrypt passwords = yes
        template homedir = /home/%U
        username map = /etc/samba/smbusers
  7. Ensure that Samba will start with the system 
    chkconfig smb on
  8. Start SMB (restart in this case) 
    service smb restart
  9. Join the machine to the domain 
    net ads join –U username

    If it complains about unable to update DNS, this is OK.  Ensure that it says Joined ‘VC6’ to realm ‘EXAMPLE.COM’

  10. Configure WinBind to start 
    chkconfig winbind on
  11. Start winbind 
    service winbind restart
  12. Now the moment of truth.  See if we can look up some groups of users 
    wbinfo -g

    What should be returned are all the domain groups from the AD

  13. Need to edit /etc/samba/smbusers to map AD users to local users 
    user1 = EXAMPLE+user1
  14. Restart smb service to reload smbusers file 
    service smb restart
  15. Test with both user and AD accounts to confirm working
<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment

LM335 Temperature Sensor Level Converter

Posted on January 12, 2013 by admin

Recently on a project, I was using a DS18B20 one wire temperature sensor, but it appears to be reading the temperature incorrectly.  After checking the code and online, I gave up and put a LM335 precision temperature sensor next to the DS18b20 to compare temperature readings.  As a control, I used a $5 thermometer also situated next to the two sensors.  I even coupled the DS18B20 and LM335 together using blue-tack to ensure that they were reading the same piece of air.  It turned out that over a range of temperature, the LM335 followed the thermometer most accurately.  I Found that the DS18B20 would either be under, or over the thermometer temperature, and sometimes by a degree or two.

So, I decided that I would make a daughter board to replace the DS18B20 from the circuit.  However, the LM335, while can be directly interfaced to the A/D converter means that I can only read 0.5’C changes on the device, although it can do 0.1.  This is because the LM335 reads at 10mV ‘C and works relative to absolute zero (-273 ‘C).  Therefore, 0’C is output at 2.73v.  The range that I was interested in was 0-40’C.  This meant a voltage change of 3.13 – 2.73= 400mV.  I was already using the A/D converter with a reference of 5V for humidity, so the built in A/D converter of the ATMega AVR chip was capable of measuring in (5/1024) 4.8mV steps.  This meant that there were only 83 steps that represent the whole range.  So, how to increase the number of steps?

I decided that I wanted to have a 0-40’C range.  So, we need to shift the level such that around 0’C (2.73v) is seen as zero.  Then we want to amplify anything above this by 10, such that each tenth of a degree is 10mV, and each degree is 0.1V.  To do this, we need to use a differencing amplifier with a gain of 10.  The following circuit was created in LTSpice to test the parameters before actual construction.

From the diagram, V2 represents that input from the LM335.  V3 is the power supply for the circuit.  When modifying the circuit, note the following:

R3=R4 and R1 = R2
Gain (Amplification) is determined by R3 and R1.

The formula for the output voltage, given the above is V_o=(\tfrac{R3}{R1})(v_2-v_1).  V1 is the junction between R5 and R6.  This is effectively the voltage  v2 will be at which the output of the op-amp start going above zero.  If V2 goes above this value, then the output will increase from 0.  Because I am using a single supply op-amp, if V2 is below V1, then the op-amp will stay a 0v.

So, since I wanted to give a gain of 10, R3 must be 10 times larger than R1.  R3 and R1 are significantly larger than R5 and R6 as these resistors do actually affect gain, but since they are relatively small, it will not affect too much and has been omitted.

V1 is derived by the following formula (and substituting for our scenario)

v_1 = \frac{v_s_u_p_p_l_y * R_6}{R_5+R_6} = \frac{5*2700}{2700+2200} = \frac{13500}{4900} = 2.76v

2.76v = 2.76/0.01=276’K.

276 – 273 = 3’C which is fine as if the room gets that cold, then the central heating is not working!

So, what is the resolution of the A/D converter now?  Since we multiplied the output of the LM335 by 10, so 1’C now equals 0.1 volt, we have (5v/0.1) = 50’C range (it is actually less than that because an op-amp cannot swing to either rail fully, which is why you must ensure that the temperature range that you want to measure can be output by the op-amp).  As we have increased the gain of the amplifier by 10, 4.8mV now represents 0.05’C instead of 0.5’C which is the range I was wanting.  I could have set the gain to 5 and then each step of the A/D would represent 0.1’C.

The LM335 does have an adjustment leg for calibrating the sensor, however, I have decided to do the calibration in software.  You could put a potentiometer on the adjustment leg and have a manual adjustment (as well as software if desired) if that is required.  I didn’t bother as the range that the circuit covers is wider that I really do need (10-25’C)

Related information

 

 

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> AVR | Leave a comment

Configuring SMC DSCP values

Posted on December 20, 2012 by admin

Played around with a SMC SMCGS26C-Smart switch testing the DSCP tagging functionality prior to implementing.  From what I have found you need to enable DSCP Egress rewriting for this to occur once it has been tagged into the queue.

So, the basics (overview) from what I have learned

Advanced > QOS > Port Classification defines the default for the port in terms of how it classifies packets coming into the switch.

As can be seen by this picture, it is configurable via each port.  Basically, you are determining what default queue, drop priority is used for a packet that is untagged.  If DSCP based is ticked, then packets are checked for DSCP values and mapped to desired class and checked to see if they are trusted (configure via Advanced>QoS > DSCP-Based QoS)

QoS class of 0 has the lowest priority

Advanced > QoS > Port Policing is used to limit the amount of traffic entering the port.  Packets that exceed the rate defined are dropped.

Advanced > QoS > Port Scheduler shows show the port traffic is monitored and queued.

Strict priority requires that all traffic in a higher priority queue is processed before a lower priority queue.    Deficit Weighted Round-Robin specifies a scheduling weight for each queue.  Note that the schedule priority only shows 6 queues?  This is because queue 6 and 7 or strict mode.

Port scheduling and Port Shaping are two views into the same information.  Port Schedulars show how the scheduling is done for each port in terms of servicing the queues of the port.

Port Shaping shows bandwidth limitations that may be being imposed to the queues.

Advanced > QoS > DSCP-Based QoS allows the administrator to determine which DSCP values arriving at the switch are to be trusted, and to which queue the traffic should be put into inside the switch.

Advanced > QoS > DSCP Control List is where classification of packets into queues is performed.  Create rules to classify packets into correct queues and set DSCP values as required.

Now for the crutch of the matter:

To set DSCP values on a packet, configure DSCP Control List to classify packets into the queues that you want to use.  Additionally, set the DSCP value for the outgoing packet.

On the Port DSCP page, set the Egress Rewrite to an enable setting for the DSCP value of the packet to be written in outgoing packets.  Failure to do so WILL result in packets not being tagged with DSCP values from the queues.

Point to note:  When is a port mirror not a port mirror?
A. When it is an SMC!!  If you enable port mirroring on the switch (locally), ensure that you have Egress DSCP rewriting enabled otherwise it will not have the DSCP value in the packet.

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment

Samba with AD and Local Authentication

Posted on December 19, 2012 by admin

This post documents how to get Samba to work with both AD and local authentication.  Initially we will check with the local SMB database, and then use AD as a secondary account store.  The following was performed with the following machines

  1. Centos 6, Samba 3.5
  2. Windows 2008 R2, AD

The basic configurations required to get SAMBA to do what we want from a vanilla install is as follow

[global] 
   workgroup = DOMAIN 
   security = ADS 
   auth methods = sam winbind 
   realm = DOMAIN.EXAMPLE.COM 
   machine password timeout = 0 
   server string = SERVER 
   idmap domains = ALL 
   idmap config ALL:backend = lwicompat_v4 
   idmap config ALL:default = yes 
   idmap config ALL:readonly = yes 
   idmap uid = 10000-33554431 
   idmap gid = 10000-33554431

However this does not detail joining the machine to A/D, so lets go through it step by step from a vanilla installation.

  1. Ensure that the latest version of Samba is installed (ensure Samba is version >= 3.5.10) along with kerberos 
    yum install samba samba-winbind krb5-worksation
  2. Because we need to use kerberos, edit /etc/krb5.conf 
    default_realm = EXAMPLE.COM
dns_lookup_realm = true
dns_lookup_kdc = true
ticket_lifetime = 24h
renew_lifetime = 7d
forwardable = yes
dns_lookup_realm = true

[realms]
  EXAMPLE.COM = { 
     default_domain = example.com 
  } 

[domain_realm] 
.example.com = EXAMPLE.COM 
example.com = EXAMPLE.COM

    NOTE:  Change example.com to be you domain name.  Note that capitalization.  It IS important.

  3. Check to make sure we can connect to the domain controller 
    root# kinit administrator@EXAMPLE.COM

    and enter the password when prompted.  If all goes well, it will return back to the # prompt.

  4. Confirm that kerberos succeeded 
    [root@vc6 ~]# klist
Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@EXAMPLE.COM
Valid starting     Expires            Service principal
12/19/12 21:02:28  12/20/12 07:02:32  krbtgt/EXAMPLE.COM@EXAMPLE.COM
                renew until 12/26/12 21:02:28
  5. Edit /etc/samba/smb.conf and modify the following parameters 
    workgroup = example 
realm = EXAMPLE.COM 
security = ads 
auth methods = sam winbindidmap uid = 10000-500000 
idmap gid = 10000-500000 
idmap domains = ALL 
idmap config ALL:backend = lwicompat_v4 
idmap config ALL:default = yes 
idmap config ALL:readonly = yes
template shell = /bin/bash winbind use default domain = true 
machine password timeout = 0
server string = SERVER
winbind offline logon = false winbind nested groups = yes
encrypt passwords = yes
  6. Ensure that Samba will start with the system 
    chkconfig smb on
  7. Start SMB (restart in this case) 
    service smb restart
  8. Join the machine to the domain 
    net ads join –U username

    If it complains about unable to update DNS, this is OK.  Ensure that it says Joined ‘VC6’ to realm ‘sc.local’

  9. Configure WinBind to start 
    chkconfig winbind on
  10. Start winbind 
    service winbind restart
  11. Now the moment of truth.  See if we can look up some groups of users 
    wbinfo -g

    What should be returned are all the domain groups from the AD

  12. Config file SMB differences
  13.         security = ADS
    auth methods = sam winbind
    realm = SC.LOCAL
    machine password timeout = 0
    server string = Centos 6 Server
    idap domains = ALL
    idmap config ALL:backend = lwicompat_v4
    idmap config ALL:default = yes
    idmap config ALL:readonly = yes
    idmap uid = 10000-20000
    idmap gid = 10000-20000
    template shell = /bin/bash
    winbind use default domain = true
    winbind offline logon = false
    winbind nested groups = yes
    winbind separator = +
    encrypt passwords = yes
    template homedir = /home/%U
  14. Edit /etc/nsswitch.conf file and add winbind as per following 3 lines from the config file

    passwd:     files winbind
    shadow:     files winbind
    group:      files winbind

  15. Create a mkhomedir.sh file
    [root@centos6 home]# cat /usr/local/sbin/mkhomedir.sh
    #!/bin/bash

    if [ ! -e /home/$1 ]; then
    mkdir /home/$1
    chown $1:”Domain Users” /home/$1
    chmod 0700 /home/$1
    touch /home/$1/newfile
    fi
    exit 0

    chmod u=rwsx,g=rwx,o-rwx /usr/local/sbin/mkhomedir.sh

  16. Restart SMB,NMB,Winbind services and a home directory should be automatically created.

 

 

ns_lookup_realm = true
<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment

Setting up Configuration Manager 2012

Posted on December 16, 2012 by admin

Setting up Config Manager is straight forward.  However, when setting up with a remote SQL server, some additional work is required – Mainly…..

http://blogs.technet.com/b/configurationmgr/archive/2012/05/03/fix-unable-to-connect-cas-or-primary-to-the-sql-database-during-the-system-center-2012-configuration-manager-setup.aspx

<span class="entry-utility-prep entry-utility-prep-cat-links">Posted in</span> Uncategorized | Leave a comment