Change published FQDN for Server 2012-2019 RDWeb 2021-09-28 02:22:21
This cmdlet will allow you to change the published FQDN that clients use to connect to a Server 2012, 2012 R2, 2016 or 2019 Remote Desktop Services deployment. Often this will correct certificate name mismatch errors when a private TLD such as .local is used internally.

https://mylifeiscomedygold.com/files/Set-RDPublishedName.ps1


Tested as compatible with Windows Server 2019.  Script now updates WorkspaceID which provides better experience to end users of deployment.

This cmdlet allows you to change the published Fully Qualified Domain Name (FQDN) that clients use to connect to a Windows Server 2019/2016/2012R2/2012 Remote Desktop Services deployment.  This FQDN is included in .rdp files published via RD Web Access and the RemoteApp and Desktop Connections feed.

A common scenario where the ability to change the published name is useful is when your internal domain is .local, .private, .internal, etc.  For instance, you purchase and install a wildcard certificate (*.yourdomain.com) for use with RDS, but when your users connect they receive a name mismatch error because they are attempting to connect to rdcb.yourdomain.local.  This cmdlet allows you to change the FQDN they will use to a name that will match your certificate (rdcb.yourdomain.com).

Syntax

Set-RDPublishedName [-ClientAccessName] <String> [[-ConnectionBroker] <String> ]


Example
In this example the cmdlet is run directly on the RD Connection Broker and we would like to change the published name to remote.contoso.com. We are making this change in order to match our installed wildcard certificate which has a subject of *.contoso.com:

Set-RDPublishedName "remote.contoso.com"


(content taken from https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 - URL removed)

local vhosts on irc network 2018-12-15 08:25:18

letsencrypt with irc round-robin dns; 2018-11-25 08:38:42
If you run an IRC network and want to make it secure, you might run into issues. You can create self-signed certificates, but these aren't trusted by all clients and do pose issues. You can use a wildcard SSL certificate, but this won't work if you use anything other than servername.your.net. You can purchase a legitimate SSL certificate for your network, or for each server, but the cost does add up, even if it's an el'cheapo.

I've recently run into this issue with the network I'm a part of, irc.austnet.org. Up until recently we have been a domestic chat network and most of our users wouldn't even know what SSL is or how to use it, now we are getting more tech savvy users who want to use SSL but our servers were set up very poorly, using a self-signed certificate which expired almost a decade ago and only had one FQDN/hostname on it, not ideal!

I started messing around with LetsEncrypt, for free SSL certificates which last 90 days, however the way they work means that if you're using round-robin DNS, which nearly all IRC networks do, you will run into issues where the validation request for your server lands on the wrong server and fails. An option we have is to use DNS updates, but we didn't want to leave ourselves open to attack if our certificate vendor was compromised.

A workaround for this is to set up a web server on all of the IRCd hosts which redirect back to a common certificate vendor. Here's what I did.

On all of the servers, I installed nginx and redirected the /.well-known/acme-challenge/ folder to our web server by doing the following:

Install nginx using your distribution manager, or source. For Ubuntu:
sudo apt-get install nginx

Allow port 80 through your firewall, if required. For Ubuntu:
sudo ufw allow http comment 'Open HTTP for LetsEncrypt SSL'

Edit the nginx default server. For Ubuntu:
sudo pico /etc/nginx/sites-enabled/default

Modify the file so it looks like the one below; really only the first rewrite line needs to be added. I added the second rewrite line just so all other traffic that goes to our IRCd hosts gets redirected to our main website:
server {
  listen 80 default_server;
  listen [::]:80 default_server;
 
  # push acme challenge to certificate generator
  rewrite ^/(.well-known/acme-challenge/.*)$ http://yoursslhost.your.net/$1 redirect;
 
  # push all other traffic to website
  rewrite ^/.*$ http://www.your.net/ redirect;
}

Restart the nginx service. For Ubuntu:
sudo service nginx restart

Now that we have the redirections set up, I ran certbot, the below command is what I used. In this case, /var/www/ is where my default websites sit, this will need to change if you have a different than default configuration:
sudo certbot certonly --preferred-challenges http --webroot -w /var/www/ -d irc.your.net,name1.region1.your.net,name2.region2.your.net

After this, I then had some working certificates in /etc/letsencrypt/archive/irc.your.net/, but how can we get these onto all of the servers?! LetsEncrypt requires renewals of the certificates every 90 days and I didn't want to have to copy the certificates over to all of the servers every three months! I did a quick script to copy the new certificates into a common place I could access from scp.

So this is where I decided to use scp to pull the certificates to each of the servers. All that's required is an SSH key and you're sweet. I decided to use a common key for all of the servers, as all this has access to is the certificates themselves and nothing else.

From one of my servers, I created a new SSH key:
ssh-keygen -t rsa

By default, this will prompt you for a location, the default location can be used if you don't already have a default key configured for connections, if you do then choose somewhere else. Once the key is generated, move them into the ~/.ssh/ folder on all of your servers as id_rsa and id_rsa.pub.

After that was done, I put the content from the id_rsa.pub into the ~/.ssh/authorized_keys file on the certificate vendor, on a restricted account. Then I set up a cronjob on all of the servers to pull the file, using the following command:
scp -i ~/.ssh/id_rsa account@yoursslhost.your.net:/path.to/cert.pem /home/ircd/inspircd/conf/cert.pem
scp -i ~/.ssh/id_rsa account@yoursslhost.your.net:/path.to/privkey.pem /home/ircd/inspircd/conf/priv.pem

And once you've done that, you're sweet! SWEET I SAY! Maybe I'll configure a script to automatically rehash the IRCd every 24hrs or something as well from the command line, just so the certificates are updated.
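The cron job above just overwrites the IRCd's cert and key on every run. Here is an added example (my own addition, not the script from the post) of what I would actually schedule: it pulls both files into a staging directory, refuses a download that is not a certificate valid for at least another week, only swaps files into the IRCd config when they really changed (atomic rename, owner-only permissions), and rehashes the IRCd only in that case. The host, account, remote path, staging directory and the `pkill -HUP -x inspircd` rehash are assumptions; adjust them to your deployment.

```shell
#!/bin/sh
# Added example, not from the original post. Pulls the renewed LetsEncrypt
# files from the certificate host and installs them into the IRCd config
# only if they changed and are valid. Paths, host and the rehash command
# below are assumptions.
set -eu

CERT_HOST=${CERT_HOST:-account@yoursslhost.your.net}   # assumed account@host
REMOTE_DIR=${REMOTE_DIR:-/path.to}                     # assumed remote path
CONF_DIR=${CONF_DIR:-/home/ircd/inspircd/conf}         # IRCd config directory
STAGE=${STAGE:-/home/ircd/cert-stage}                  # assumed scratch directory

# cert_ok <file>: succeed only if <file> parses as an X.509 certificate that
# is still valid 7 days (604800 s) from now. Garbage or an expired file fails.
cert_ok() {
  openssl x509 -in "$1" -noout -checkend 604800 >/dev/null 2>&1
}

# install_if_changed <src> <dst>: copy <src> over <dst> with an atomic rename.
# Returns 0 if <dst> was replaced, 1 if it already had identical content.
install_if_changed() {
  src=$1; dst=$2
  if [ -f "$dst" ] && cmp -s "$src" "$dst"; then
    return 1
  fi
  cp "$src" "$dst.tmp"
  chmod 600 "$dst.tmp"        # private key must not be world-readable
  mv -f "$dst.tmp" "$dst"     # rename is atomic on the same filesystem
  return 0
}

# pull_and_install: fetch, validate, install, and rehash the IRCd if needed.
pull_and_install() {
  mkdir -p "$STAGE"
  scp -q -i ~/.ssh/id_rsa "$CERT_HOST:$REMOTE_DIR/cert.pem" "$STAGE/cert.pem"
  scp -q -i ~/.ssh/id_rsa "$CERT_HOST:$REMOTE_DIR/privkey.pem" "$STAGE/priv.pem"
  if ! cert_ok "$STAGE/cert.pem"; then
    echo "pulled cert.pem is not a certificate valid for 7+ days; keeping current files" >&2
    return 1
  fi
  changed=0
  install_if_changed "$STAGE/cert.pem" "$CONF_DIR/cert.pem" && changed=1
  install_if_changed "$STAGE/priv.pem" "$CONF_DIR/priv.pem" && changed=1
  if [ "$changed" = 1 ]; then
    # Assumed rehash: SIGHUP makes most ircds re-read config and TLS files.
    pkill -HUP -x inspircd || true
  fi
}

# Only run the pull when invoked as "script.sh pull", so the functions can
# also be sourced and tested on their own.
if [ "${1:-}" = pull ]; then
  pull_and_install
fi
```

Run it from cron as `cert-pull.sh pull` once a day; the checkend guard means a broken or half-written file on the certificate host never replaces a working one, and the change check means the IRCd is only rehashed when a renewal actually happened.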

use iis ssl on apache2; 2018-04-24 05:04:09
Every single time I have to import a new SSL for work I get stuck, so I'm writing down the process.

First off, we need to export the SSL from your Windows IIS.

  1. Go to MMC

  2. Open up Certificates for the local computer

  3. Go to Personal > Certificates

  4. Export with the following detail:

    1. Yes, export the private key

    2. Include all certificates in the certificate path if possible




Once you have your your_domain.pfx file, copy it over to Linux where you convert it into the parts you need using the following commands:
openssl pkcs12 -in your_domain.pfx -clcerts -nokeys -out your_domain.crt
openssl pkcs12 -in your_domain.pfx -nocerts -out key.pem
openssl rsa -in key.pem -out your_domain.pem

This will convert our PFX into a few files without an encrypted key or something, probably a little insecure but I only use internal servers. You only need the your_domain.crt and your_domain.pem.

Once you have all of your parts, you can update your Apache configuration, just for reference the configuration you need is:
SSLEngine On
SSLCertificateFile /var/www/.ssl/your_domain.crt
SSLCertificateKeyFile /var/www/.ssl/your_domain.pem

And then restart Apache and you're done!
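Since the conversion above leaves an unencrypted key lying around, here is an added example (mine, not from the post) that does the same conversion in one go but with `umask 077` so the key is created owner-only, also pulls out the intermediate certificates from the PFX for SSLCertificateChainFile, and checks that the key actually belongs to the certificate before you point Apache at it. The function names and the `PFX_PASS` variable (the export password you typed in MMC) are my own assumptions.

```shell
#!/bin/sh
# Added example, not from the original post. Converts an IIS-exported PFX
# into the files Apache needs, with the key readable only by the owner, and
# verifies the key matches the certificate. PFX_PASS is an assumed variable
# holding the PFX export password.
set -eu

PFX_PASS=${PFX_PASS:-}

# cert_key_match <cert> <key>: succeed only if both carry the same public key.
cert_key_match() {
  c=$(openssl x509 -in "$1" -noout -pubkey | openssl sha256)
  k=$(openssl pkey -in "$2" -pubout | openssl sha256)
  [ "$c" = "$k" ]
}

# pfx_to_apache <bundle.pfx> <outdir> <name>
# Writes <name>.crt (leaf cert), <name>.chain.crt (intermediates, may be
# empty) and <name>.pem (unencrypted key) into <outdir>, all mode 0600.
pfx_to_apache() {
  pfx=$1; outdir=$2; name=$3
  (
    umask 077                 # everything created in this subshell is 0600/0700
    mkdir -p "$outdir"
    # leaf certificate only, for SSLCertificateFile
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -clcerts -nokeys \
      -out "$outdir/$name.crt"
    # intermediates, for SSLCertificateChainFile; a PFX without any is fine
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -cacerts -nokeys \
      -out "$outdir/$name.chain.crt" || :
    # private key without a passphrase so Apache can start unattended
    openssl pkcs12 -in "$pfx" -passin "pass:$PFX_PASS" -nocerts -nodes \
      -out "$outdir/$name.pem"
  )
  # refuse to hand Apache a mismatched pair
  cert_key_match "$outdir/$name.crt" "$outdir/$name.pem"
}
```

Usage: `PFX_PASS='the export password' sh pfx2apache.sh` with a call such as `pfx_to_apache your_domain.pfx /var/www/.ssl your_domain` at the bottom, then use `/var/www/.ssl/your_domain.crt`, `.chain.crt` and `.pem` in the SSLCertificateFile, SSLCertificateChainFile and SSLCertificateKeyFile directives.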

linux upgrades; 2014-07-31 18:19:38
So I ran into a bit of an issue over the last day or so, where I’ve done a ‘do-release-upgrade’ on my linux system, only to have it crack the shits and not boot anymore. After investigation, I found that the /boot partition of the disk was corrupted somehow! These are the basic steps I took to get it working again, in case I need it again. I didn’t find any one article which put all of these together, so quite a bit of research and chatting to TJ- in #Ubuntu on Freenode later, the issue was fixed (with a few bugs).

Basically after the upgrade, Ubuntu booted into the grub rescue, which looks something like this:
error: invalid arch-independant ELF magic.
Entering rescue mode…
grub rescue>

From here, I wasn’t able to do very much as I didn’t understand the console at all (very limited commands, created just to boot Linux by the looks). So I ended up booting into rescue mode from an install disc and attempting to do a grub-install to my /boot partition. However! Due to the way the rescue mode works, it found my boot and used it, meaning I couldn’t touch it.

Anyway, I ended up booting into rescue mode and not detecting my disks at all, I had to blow away the partition:
fdisk /dev/sda
(d)eleted /dev/sda1
created a (n)ew partition in place 1

Once I had this sorted, I could go ahead and boot (again without my disks) and then install grub with the following:
grub-install /dev/sda
update-grub

At this point I started talking to TC- who took me through attempting to boot Linux manually – this didn’t work. I eventually realised that due to /boot going, my linux kernel had been removed, so time to reinstall it, configure grub and update everything:
apt-get install --reinstall linux-image-3.13.0-32-generic
update-initramfs -uvk all
update-grub

Once this was done, the system booted; she still has a couple of issues, but all in all she’s doing good.

unbind visual studio source control; 2014-04-22 12:33:09
When you are using a Team Foundation Server (TFS) you need to authenticate to the server every time you open a solution located on it. Unfortunately, if you try and pick this solution up and send it to someone else, or even if you want to develop on another computer without access to the TFS, you’re going to get errors saying it can’t locate the server.

In my case, I used to use a TFS and now I don’t (it’s not worth it for the amount of projects I create). Every time I would open up one of the solutions I added to the TFS it would error saying it couldn’t connect, which got quite annoying. After a quick Google search I found this nice little application made by saveenr on CodePlex. It basically runs through your solution and removes all links to the TFS – very handy.

The application is called VS Unbind Source Control and does exactly as the name suggests.

Alternative link to the (at the moment) current version is located at mylifeiscomedygold.com

exchange 2010 pst import; 2014-04-05 22:36:38
Every time I need to do this I have to look it up, so here’s one just to make my life a little easier. Whenever I need to do a cross-domain migration and don’t want to actually join the domains, I do a PST Export using EXMERGE or Outlook from an Exchange 2003 or similar system, then do a PST Import with Exchange 2010+ console, here’s how.

First, configure the management roles for your Administrative user from the Exchange Management Shell:
New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator

Quit the EMS and open it back up, this will make the changes take effect. Next just import your files like so:
New-MailboxImportRequest -Mailbox Username -FilePath \\server\path.to\file.pst

This will create a new import request. If you're unsure whether the PST is corrupt, or has bad items, use the -BadItemLimit parameter to raise the number of bad items tolerated before the request fails.

To check the status of your imports, you can use:
Get-MailboxImportRequest

remote sql server connections; 2013-03-09 13:42:54
This one is more a note for me because I always forget how to do it, but you may come across a time when you need it.

When you install SQL Server you do your testing locally on the machine it’s installed on, then when you go and try whichever application or connection remotely, it just won’t work! It’s more than likely just because you’ve not enabled the remote availability. There are a couple of parts to this.

First – Within SQL Server Management Studio
You will want to go to the SERVER properties (not the database..), then Connections and ensure that ‘Allow remote connections to this computer’ is enabled, like below.



Also while you’re in Management Studio, ensure that your authentication method is set to both SQL Server and Windows Authentication mode, like below.


Second – Within SQL Server Configuration Manager (previously Network Configuration)
Find your SERVER, in this case it’s an Express database ‘SBSMONITORING’, find the TCP/IP setting and Enable it, like below.

[screenshot: AllowTCP]


Third – Within Windows Services
Find the SQL Server Agent in the list of services and make sure it’s set to Automatic. If this isn’t the case, chances are nothing will be able to authenticate.
[screenshot: AllowService]

There are a range of different errors that can come up if these aren’t correct, anywhere from Authentication, to connection timeouts, so be careful. After this you just have to make sure your ACTUAL Authentication on the server / databases are correct and you’re set.

wsus manual uninstall; 2013-03-02 20:42:21
I recently (four months ago ..) upgraded the hardware on my Windows 2008 R2 server, instead of 1 x 250GB HDD it has 2 x 1TB in RAID1. In order to transfer the data across I used a backup/restore utility ShadowProtect (which is an awesome product). Unfortunately during the backup/restore process one of the partitions I had was corrupted and I couldn’t restore all of the data.

In any case, the \WSUS\* folder was destroyed and I couldn’t restore it, which left me without WSUS working and with a lot of errors in the event logs! I was unable to uninstall WSUS through Server Manager either, it just errored out. After some searching I came across Lawrence Garvin who posted this Uninstall procedure (WSUS Uninstall), which looked like it was on the right track, however the MSIZap application isn’t built into Windows 2008 R2 and isn’t readily downloadable, also the GUID for WSUS has changed (and more than likely will continue to), so here’s the steps I took.

  1. Download the MSIZap from MyLifeIsComedyGold!

  2. Run REGEDIT and browse to HKLM\Software\Microsoft\Windows\CurrentVersion\Uninstall

  3. In the list, you will find a GUID with the DisplayName of ‘Windows Server Update Services 3.0 ..’, in my case WSUS 3.0 SP2 is {77846B52-14C9-4FC4-BE63-FE06AF501442}

  4. Run MSIZap T {77846B52-14C9-4FC4-BE63-FE06AF501442}

  5. Run SC DELETE WSUSService

  6. Run MSIZap T {77846B52-14C9-4FC4-BE63-FE06AF501442} again

  7. Reboot your server

  8. Run ASPNET_IISREG -I (usually located in C:\Windows\Microsoft.NET\Framework64\v2.0.50727)

  9. Run IISRESET
  10. Check Registry Key HKLM\Software\Microsoft\Update Services – delete it if it’s there

  11. Check %ProgramFiles%\Update Services – again, delete it if it’s there

  12. In my case the entire WSUS folder was gone, however Lawrence says to delete the ~\WSUSContent\UpdateServicesDbFiles\* content (all database / log files)

  13. Reboot your server again


Once you’ve rebooted, you should notice that WSUS is now gone from Server Manager! There’s just one more essential thing you need to do: change your server so it updates from Microsoft instead of locally (otherwise it will just fail when it tries to get updates for installing WSUS..)

14: Run GPUPDATE /FORCE – this will reset the policy update timer and buy you some time.
15: Change the Registry Key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer to '0' – this will actually make it update from Microsoft
16: Restart the Windows Update Service – remember to do this, I forgot and it frustrated me! hahah.

From here you should be able to reinstall WSUS through Server Manager. You will need to direct the installation to a new database and overwrite the default website, but it should work after that.

cisco srp527w vs vpn; 2013-02-12 12:10:45
Alright, so I didn’t get very much sleep last night, so this may be a very simple thing that everyone knows that my brain just couldn’t work out.

Cisco Small Business SRP527W(-U) devices come with the ability to create a site-to-site VPN connection between themselves (and other Cisco devices, if required). However in my environment I’ve been using SRP527W’s (firmware 1.1.x), to which I’ve just added an SRP527W-U (firmware 1.2.x) – some fundamental differences in the firmware although effectively the same device.

Two SRP527W’s VPN’ng together is quite simple, configure the two sites, point them at each other, authenticate, blamo!

When introducing the third -U device, I ran into a hiccup with some of the extra information, which is probably VPN/Cisco common knowledge. They come with ID’s! Remote-ID and Local-ID! Where the old device only had Remote-ID (and you didn’t have to set it), the ID can be an IP Address (it doesn’t tell you what kind..) or a MyCisco login. I figured these were just a naming scheme which meant nothing towards anything as long as both ends of the VPN were the same.

I set Remote-ID to 192.168.0.1, I set Local-ID to 192.168.2.1, nothing! I couldn’t find a fault with this configuration! I called Cisco, they couldn’t find a fault with this configuration!

After a while of poking, prodding and probably making the devices quite angry I decided to change the ID’s to the real world IP addresses of each device and BLAMO! Everything just WORKED!

Moral of the story? Poke more before you call Cisco technical support on a small business device. Also, remember to set your ID’s to the remote IP address of the device :)

lost windows 7/8 password; 2012-12-24 09:54:22
Have you ever installed a new computer, set the default username and password only to realise that your fingers might not have been in the right place on the keyboard? Brand new computer and you’re locked out of it, simply because your brain wasn’t necessarily working at the time of install.

I had a similar such problem recently, a user installed Windows and forgot the password they set on the main user, after five minutes of fiddling around I had it fixed thanks to the following.

Please note that you will be messing around with the computer Registry here and I’m not putting in fool-proof instructions (for obvious reasons) – you must know what you’re doing before you attempt this.

  1. To start off with, boot from your Windows 7/8 installation media, then go into your recovery mode and open Command Prompt.

  2. Once you’re in command prompt, run regedit.exe to open the Registry Editor.

  3. Once you have the Registry open, browse to HKEY_LOCAL_MACHINE, then go to File, Load Hive…

  4. From here, you need to select the Hive / Registry tree that has your computer settings in it, usually located in C:\Windows\System32\config\ as ‘SYSTEM’ – Make sure you back this file up BEFORE you modify it (can be done with a simple copy/paste within the file open dialog). Select your file and call it whatever you want, I simply use ‘TMP’.

  5. Go to HKEY_LOCAL_MACHINE\TMP\SYSTEM\Setup

  6. Locate the key ‘SetupType’ and change the value to ‘2’

  7. Locate the key ‘CmdLine’ and change the value to ‘cmd.exe’

  8. Once you’ve made the changes to your registry, simply go to File, Unload Hive.. and save the registry.

  9. Reboot your computer and boot as normal, before the login screen appears you will get a command prompt (which is what the couple of registry changes enabled). From here you can simply use the NET USER command to modify a user password.


NET USER damian mynewpassword

  10. Exit the command prompt and you will be presented with the standard login screen, to which you can log in with your new password.

I hope this helps, previously I have had to reinstall operating systems because the password has been lost, this is a couple of minutes and you’ve regained access to your new machine. I wrote this off the top of my head, so please let me know if there are any issues so I can update accordingly :)

website configuration; 2012-12-23 01:32:40
I’ve finally had enough time to actually get this website up and running, working out how WordPress works (which it works pretty damn well..). I guess what you’ll hope to find here is a range of different things; random thoughts from myself, technical documentation and how-to’s, a random news post, or simply something that’s happened that I thought was mildly amusing!

That’s enough for the first post, more of just an entry-filled post really.