Change published FQDN for Server 2012-2019 RDWeb | 2021-09-28 02:22:21 |
This cmdlet will allow you to change the published FQDN that clients use to connect to a Server 2012, 2012 R2, 2016 or 2019 Remote Desktop Services deployment. Often this will correct certificate name mismatch errors when a private TLD such as .local is used internally. https://mylifeiscomedygold.com/files/Set-RDPublishedName.ps1

Tested as compatible with Windows Server 2019. Script now updates WorkspaceID which provides better experience to end users of deployment.

This cmdlet allows you to change the published Fully Qualified Domain Name (FQDN) that clients use to connect to a Windows Server 2019/2016/2012R2/2012 Remote Desktop Services deployment. This FQDN is included in .rdp files published via RD Web Access and the RemoteApp and Desktop Connections feed.

A common scenario where the ability to change the published name is useful is when your internal domain is .local, .private, .internal, etc. For instance, you purchase and install a wildcard certificate (*.yourdomain.com) for use with RDS, but when your users connect they receive a name mismatch error because they are attempting to connect to rdcb.yourdomain.local. This cmdlet allows you to change the FQDN they will use to a name that will match your certificate (rdcb.yourdomain.com).

Syntax

    Set-RDPublishedName [-ClientAccessName] <String> [[-ConnectionBroker] <String> ]

Example

In this example the cmdlet is run directly on the RD Connection Broker and we would like to change the published name to remote.contoso.com. We are making this change in order to match our installed wildcard certificate which has a subject of *.contoso.com:

    Set-RDPublishedName "remote.contoso.com"

(content taken from https://gallery.technet.microsoft.com/Change-published-FQDN-for-2a029b80 - URL removed) |
local vhosts on irc network | 2018-12-15 08:25:18 |
letsencrypt with irc round-robin dns; | 2018-11-25 08:38:42 |
If you run an IRC network and make it secure, you might run into issues. You can create self-signed certificates, but these aren't trusted by all clients and do pose issues. You can use a wildcard SSL, but this won't work if you use anything other than servername.your.net. You can purchase a legitimate SSL for your network, or each server, but this cost does add up, even if it's an el'cheapo.

I've recently run into this issue with the network I'm a part of, irc.austnet.org. Up until recently we have been a domestic chat network and most of our users wouldn't even know what SSL is or how to use it, now we are getting more tech savvy users who want to use SSL but our servers were set up very poorly, using a self-signed certificate which expired almost a decade ago and only had one FQDN/hostname on it, not ideal!

I started messing around with LetsEncrypt, for free SSL certificates which last 90 days, however the way they work means that if you're using a round-robin DNS, which nearly all IRC networks do, you will run into issues where the method you're using to authenticate your server will jump to the wrong server and fail. An option we have is to use DNS updates, but we didn't want to leave ourselves open to attack if our certificate vendor was compromised. A workaround for this is to set up a web server on all of the IRCd hosts which redirects back to a common certificate vendor. Here's what I did.

On all of the servers, I installed nginx and redirected the /.well-known/acme-challenge/ folder to our web server by doing the following:

Install nginx using your distribution manager, or source. For Ubuntu:
Allow port 80 through your firewall, if required. For Ubuntu:
Edit the nginx default server. For Ubuntu:
Modify the file so it reflects below, really this just needs to add in the first rewrite line. I added the second rewrite line just so all other traffic that goes to our IRCd hosts gets redirected to our main website:
Restart the nginx service. For Ubuntu:
Now that we have the redirections set up, I ran certbot, the below command is what I used. In this case, /var/www/ is where my default websites sit, this will need to change if you have a different than default configuration:
After this, I then had some working certificates in /etc/letsencrypt/archive/irc.your.net/, but how can we get these onto all of the servers?! LetsEncrypt requires renewals of the certificates every 90 days and I didn't want to have to copy the certificates over to all of the servers every three months! I did a quick script to copy the new certificates into a common place I could access from scp. So this is where I decided to use scp to pull the certificates to each of the servers. All that's required is an SSH key and you're sweet. I decided to use a common key for all of the servers, as all this has access to is the certificates themselves and nothing else. From one of my servers, I created a new SSH key:
By default, this will prompt you for a location, the default location can be used if you don't already have a default key configured for connections, if you do then choose somewhere else. Once the key is generated, move them into the ~/.ssh/ folder on all of your servers as id_rsa and id_rsa.pub. After that was done, I put the content from the id_rsa.pub into the ~/.ssh/authorized_keys file on the certificate vendor, on a restricted account. Then I set up a cronjob on all of the servers to pull the file, using the following command:
And once you've done that, you're sweet! SWEET I SAY! Maybe I'll configure a script to automatically rehash the IRCd every 24hrs or something as well from the command line, just so the certificates are updated. |
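One way to hold the shared key to certificate downloads only is a forced command on the certificate host. This is an added example, not the author's script; the wrapper path, CERT_DIR and the two file names are assumptions, and it assumes the servers pull with the legacy scp protocol.

```shell
#!/bin/sh
# Added example: forced-command wrapper for the shared certificate-pull key.
# Bind it to the key in ~/.ssh/authorized_keys on the certificate host:
#   restrict,command="/usr/local/bin/cert-pull-only" ssh-rsa AAAA...(key) cert-pull
# "restrict" disables PTY allocation and port, agent and X11 forwarding.
# Assumptions (not from the post): the wrapper path, CERT_DIR and the two file
# names; clients pull with the legacy scp protocol ("scp -O" on OpenSSH 9.0+),
# which asks the server to run "scp -f <path>".

CERT_DIR="${CERT_DIR:-/srv/irc-certs}"

# Return 0 only when the requested command is a download ("-f") of one of the
# allowed files. Anything else (uploads, other paths, extra arguments, shell
# metacharacters, an interactive login with no command) is refused.
is_allowed_pull() {
    case "$1" in
        "scp -f $CERT_DIR/fullchain.pem") return 0 ;;
        "scp -f $CERT_DIR/privkey.pem")   return 0 ;;
        *) return 1 ;;
    esac
}

# Act as the forced command only when installed under its real name, so the
# function above can be loaded and tested without side effects.
if [ "${0##*/}" = "cert-pull-only" ]; then
    if is_allowed_pull "${SSH_ORIGINAL_COMMAND:-}"; then
        # Re-run the vetted request with the path passed as a single argument.
        exec scp -f "${SSH_ORIGINAL_COMMAND#scp -f }"
    fi
    logger -t cert-pull "denied: ${SSH_ORIGINAL_COMMAND:-<interactive login>}"
    echo "only certificate downloads are permitted" >&2
    exit 1
fi
```

With this in place a copy of the shared key taken from any one IRCd host can fetch the two certificate files and nothing else, and every refused request is logged on the certificate host.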
use iis ssl on apache2; | 2018-04-24 05:04:09 |
Every single time I have to import a new SSL for work I get stuck, so I'm writing down the process. First off, we need to export the SSL from your Windows IIS.
Once you have your your_domain.pfx file, copy it over to Linux where you convert it into the parts you need using the following commands:

    openssl pkcs12 -in your_domain.pfx -clcerts -nokeys -out your_domain.crt

This will convert our PFX into a few files without an encrypted key or something, probably a little insecure but I only use internal servers. You only need the your_domain.crt and your_domain.pem. Once you have all of your parts, you can update your Apache configuration, just for reference the configuration you need is:

    SSLEngine On

And then restart Apache and you're done! |
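One way to do the whole conversion while keeping the unencrypted key readable only by its owner and confirming that it matches the certificate. This is an added example, not the post's own commands; it assumes the key goes to your_domain.pem and that the PFX password is supplied in a PFX_PASS environment variable.

```shell
#!/bin/sh
# Added example: split a PFX exported from IIS into the certificate and the
# unencrypted private key Apache reads, without leaving the key world-readable.
# Assumptions: output names <base>.crt and <base>.pem; the PFX password is in
# the PFX_PASS environment variable so it never appears in the process list.

# pfx_to_pem <file.pfx> <base>: writes <base>.crt and <base>.pem (mode 600).
# Returns non-zero if extraction fails or the key does not match the cert.
pfx_to_pem() {
    pfx="$1"
    base="$2"

    # Private key only, unencrypted (-nodes). The umask makes the file
    # owner-only from the moment it is created; rm avoids inheriting the
    # looser mode of an older file with the same name.
    ( umask 077
      rm -f "$base.pem"
      openssl pkcs12 -in "$pfx" -nocerts -nodes \
          -passin env:PFX_PASS -out "$base.pem" ) || return 1

    # Server certificate only, no key material.
    openssl pkcs12 -in "$pfx" -clcerts -nokeys \
        -passin env:PFX_PASS -out "$base.crt" || return 1

    # Both files must carry the same public key, or Apache will refuse to
    # start with the pair.
    cert_pub=$(openssl x509 -in "$base.crt" -noout -pubkey) || return 1
    key_pub=$(openssl pkey -in "$base.pem" -pubout) || return 1
    [ -n "$cert_pub" ] && [ "$cert_pub" = "$key_pub" ]
}

# Stand-alone use: PFX_PASS=... sh pfx2pem.sh your_domain.pfx your_domain
if [ "${0##*/}" = "pfx2pem.sh" ] && [ $# -eq 2 ]; then
    pfx_to_pem "$1" "$2" || { echo "conversion failed" >&2; exit 1; }
    echo "wrote $2.crt and $2.pem"
fi
```

A PFX exported by an older Windows release may use RC2 or 3DES encryption, which OpenSSL 3 only reads when `-legacy` is added to the two `pkcs12` calls.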
linux upgrades; | 2014-07-31 18:19:38 |
So I ran into a bit of an issue over the last day or so, where I’ve done a ‘do-release-upgrade’ on my linux system, only to have it crack the shits and not boot anymore. After investigation, I found that the /boot partition of the disk was corrupted somehow! These are the basic steps I took to get it working again, in case I need it again. I didn’t find any one article which put all of these together, so quite a bit of research and chatting to TJ- in #Ubuntu on Freenode later, the issue was fixed (with a few bugs). Basically after the upgrade, Ubuntu booted into the grub rescue, which looks something like this:

    error: invalid arch-independant ELF magic.

From here, I wasn’t able to do very much as I didn’t understand the console at all (very limited commands, created just to boot Linux by the looks). So I ended up booting into rescue mode from an install disc and attempting to do a grub-install to my /boot partition. However! Due to the way the rescue mode works, it found my boot and used it, meaning I couldn’t touch it. Anyway, I ended up booting into rescue mode and not detecting my disks at all, I had to blow away the partition:

    fdisk /dev/sda

Once I had this sorted, I could go ahead and boot (again without my disks) and then install grub with the following:

    grub-install /dev/sda

At this point I started talking to TC- who took me through attempting to boot Linux manually – this didn’t work. I eventually realised that due to /boot going, my linux kernel had been removed, so time to reinstall it, configure grub and update everything:

    apt-get install --reinstall linux-image-3.13.0-32-generic

Once this was done, the system booted; she still has a couple of issues, but all in all she’s doing good. |
unbind visual studio source control; | 2014-04-22 12:33:09 |
When you are using a Team Foundation Server (TFS) you need to authenticate to the server every time you open a solution located on it. Unfortunately, if you try and pick this solution up and send it to someone else, or even if you want to develop on another computer without access to the TFS, you’re going to get errors saying it can’t locate the server. In my case, I used to use a TFS and now I don’t (it’s not worth it for the amount of projects I create). Every time I would open up one of the solutions I added to the TFS it would error saying it couldn’t connect, which got quite annoying. After a quick Google search I found this nice little application made by saveenr on CodePlex. It basically runs through your solution and removes all links to the TFS – very handy. The application is called VS Unbind Source Control and does exactly as the name suggests. Alternative link to the (at the moment) current version is located at mylifeiscomedygold.com |
exchange 2010 pst import; | 2014-04-05 22:36:38 |
Every time I need to do this I have to look it up, so here’s one just to make my life a little easier. Whenever I need to do a cross-domain migration and don’t want to actually join the domains, I do a PST Export using EXMERGE or Outlook from an Exchange 2003 or similar system, then do a PST Import with Exchange 2010+ console, here’s how. First, configure the management roles for your Administrative user from the Exchange Management Shell:

    New-ManagementRoleAssignment -Role "Mailbox Import Export" -User Administrator

Quit the EMS and open it back up, this will make the changes take effect. Next just import your files like so:

    New-MailboxImportRequest -Mailbox Username -FilePath \\server\path.to\file.pst

This will create a new import request. If you’re unsure if the PST is corrupt, or has bad items, use the -BadItemLimit to raise the bar before failure of an item. To check the status of your imports, you can use:

    Get-MailboxImportRequest
|
wsus manual uninstall; | 2013-03-02 20:42:21 |
I recently (four months ago ..) upgraded the hardware on my Windows 2008 R2 server, instead of 1 x 250GB HDD it has 2 x 1TB in RAID1. In order to transfer the data across I used a backup/restore utility ShadowProtect (which is an awesome product). Unfortunately during the backup/restore process one of the partitions I had was corrupted and I couldn’t restore all of the data. In any case, the \WSUS\* folder was destroyed and I couldn’t restore it, which left me without WSUS working and with a lot of errors in the event logs! I was unable to uninstall WSUS through Server Manager either, it just errored out. After some searching I came across Lawrence Garvin who posted this Uninstall procedure (WSUS Uninstall), which looked like it was on the right track, however the MSIZap application isn’t built into Windows 2008 R2 and isn’t readily downloadable, also the GUID for WSUS has changed (and more than likely will continue to), so here’s the steps I took.
Once you’ve rebooted, you should notice that WSUS is now gone from Server Manager! There’s just one more essential thing you need to do, change your server so it updates from Microsoft instead of locally (otherwise it will just fail when it tries to get updates for installing WSUS..)
14: Run GPUPDATE /FORCE – this will reset the policy update timer and buy you some time.
15: Change the Registry Key HKLM\Software\Policies\Microsoft\Windows\WindowsUpdate\AU\UseWUServer to '0' – this will actually make it update from Microsoft
16: Restart the Windows Update Service – remember to do this, I forgot and it frustrated me! hahah.
From here you should be able to reinstall WSUS through Server Manager. You will need to direct the installation to a new database and overwrite the default website, but it should work after that. |
cisco srp527w vs vpn; | 2013-02-12 12:10:45 |
Alright, so I didn’t get very much sleep last night, so this may be a very simple thing that everyone knows that my brain just couldn’t work out. Cisco Small Business SRP527W(-U) devices come with the ability to create a site-to-site VPN connection between themselves (and other Cisco devices, if required). However in my environment I’ve been using SRP527W’s (firmware 1.1.x), to which I’ve just added an SRP527W-U (firmware 1.2.x) – some fundamental differences in the Firmware although effectively the same device. Two SRP527W’s VPN’ng together is quite simple, configure the two sites, point them at each other, authenticate, blamo! When introducing the third -U device, I ran into a hiccup with some of the extra information, which is probably VPN/Cisco common knowledge. They come with ID’s! Remote-ID and Local-ID! Where the old device only had Remote-ID (and you didn’t have to set it), the ID can be an IP Address (it doesn’t tell you what kind..) or a MyCisco login. I figured these were just a naming scheme which meant nothing towards anything as long as both ends of the VPN were the same. I set Remote-ID to 192.168.0.1, I set Local-ID to 192.168.2.1, nothing! I couldn’t find a fault with this configuration! I called Cisco, they couldn’t find a fault with this configuration! After a while of poking, prodding and probably making the devices quite angry I decided to change the ID’s to the real world IP addresses of each device and BLAMO! Everything just WORKED! Moral of the story? Poke more before you call Cisco technical support on a small business device. Also, remember to set your ID’s to the remote IP address of the device. |
lost windows 7/8 password; | 2012-12-24 09:54:22 |
Have you ever installed a new computer, set the default username and password only to realise that your fingers might not have been in the right place on the keyboard? Brand new computer and you’re locked out of it, simply because your brain wasn’t necessarily working at the time of install. I had a similar such problem recently, a user installed Windows and forgot the password they set on the main user, after five minutes of fiddling around I had it fixed thanks to the following. Please note that you will be messing around with the computer Registry here and I’m not putting in fool-proof instructions (for obvious reasons) – you must know what you’re doing before you attempt this.
    NET USER damian mynewpassword
10. Exit the command prompt and you will be presented with the standard login screen, to which you can log in with your new password. I hope this helps, previously I have had to reinstall operating systems because the password has been lost, this is a couple of minutes and you’ve regained access to your new machine. I wrote this off the top of my head, so please let me know if there are any issues so I can update accordingly. |
website configuration; | 2012-12-23 01:32:40 |
I’ve finally had enough time to actually get this website up and running, working out how WordPress works (which it works pretty damn well..). I guess what you’ll hope to find here is a range of different things; random thoughts from myself, technical documentation and how-to’s, a random news post, or simply something that’s happened that I thought was mildly amusing! That’s enough for the first post, more of just an entry-filled post really. |