Archive for the ‘Operating Systems’ Category

OldCmp Is Your Friend

April 20th, 2010

I recently found a little gem that needs listing in the Is Your Friend series. I really appreciate single discrete tools that do a job and do it well. OldCmp from joeware.net is a great example. OldCmp is a command line tool to clean up old accounts from Active Directory. Within that function the tool has quite a strong set of features to slice and dice through the discovery and disposal of old accounts.

Here is a basic run of the tool to find and list computer accounts that haven’t been accessed in a year:

oldcmp.exe -report -age 365 -llts -sh

When working with a client I am very cautious to delete, so I would disable those accounts and move them to an Archive OU in AD:

oldcmp.exe -disable -age 365 -llts -newparent "ou=Archive,dc=xxxxxxxx,dc=local" -excldn "Archive" -safety 10

If everything looks OK with that, add the -forreal flag to actually do the work and adjust the -safety flag to a reasonable value:

oldcmp.exe -disable -age 365 -llts -newparent "OU=Archive,DC=xxxxxxxx,DC=local" -excldn "Archive" -safety 20 -forreal

If after a couple months no one has squawked about problems, it is probably safe to delete those accounts.

Once the initial disable and move to Archive is done, you can run this to find accounts that may need attention:

oldcmp.exe -report -age 180 -llts -excldn "Archive"


Is Your Friend, Windows

Hyper-V Server and a UPS

February 17th, 2010

Microsoft’s Hyper-V Server 2008 R2 can be a great hypervisor choice for a small business with just one or two servers. In this environment, though, the common power protection scheme is going to be a single, direct-connected UPS with a USB signaling cable. In this scenario we need to be able to safely shut down the hypervisor and guests before power gives out.

I claim no original thoughts here, but I did want to preserve a link to a good answer I found and have implemented.  The original thread is here on the Technet Forums.

First create ups-shutdown.vbs and load it with:

' Connect to WMI with the Shutdown privilege enabled
set wmi = GetObject("winmgmts:{impersonationLevel=impersonate,(Shutdown)}!\\.\root\cimv2")
set batteryColl = wmi.ExecQuery("select * from Win32_Battery")
set osColl = wmi.ExecQuery("select * from Win32_OperatingSystem")

' Poll the battery every 15 seconds
while true
    for each battery in batteryColl
        battery.Refresh_
        ' BatteryStatus 1 = discharging (on battery); shut down at 40% or less
        if battery.batteryStatus = 1 and battery.EstimatedChargeRemaining <= 40 then
            for each os in osColl
                os.Win32Shutdown 1   ' 1 = shutdown
            next
        end if
    next
    wscript.Sleep 15000
wend

Schedule this to run at startup using the Task Scheduler.  (Connect from another machine and set this up.)

Next create ups-monitor.ps1 and insert:

# Initialize Variables
# Shutdown threshold at 40% of remaining UPS capacity (matches ups-shutdown.vbs)
$threshhold = 40
$interval = 60
$OnBattery = 0
$Event = 0

$hostname = hostname

# Create SMTP client
$Server = "mail.xxxxxxxxxxxx.com"
$Port = 25
$Client = New-Object System.Net.Mail.SmtpClient $Server, $Port

$Client.Credentials = [System.Net.CredentialCache]::DefaultNetworkCredentials

$To      = "admin@xxxxxxxxxxxx.com"
$From    = "hyperv@yyyyyyyyyyyy.com"

# Loop on Battery Query
while (1)
{
    $bat = get-wmiobject -class CIM_Battery -namespace "root\CIMV2"
    $batstatus = $bat.batterystatus
    $batcapacity = $bat.estimatedchargeremaining
    $timetoshutdown = $bat.estimatedruntime/2

    if ($batstatus -eq 1)
    {
        $Event = 1
        $OnBattery = 1
        # "On Battery"

        $Subject = "Utility Power Failure: {0} is running On UPS Battery" -f $hostname
        $Body   = "UPS at {0} % remaining capacity, approximately {1} minutes before {2} shutdown." -f $batcapacity, $timetoshutdown, $hostname

        # Within 5 points of the threshold: prepend a warning to the message body
        if ($batcapacity -lt ($threshhold + 5))
        {
            $Body = ("Shutdown imminent at {0} %, with " -f $threshhold) + $Body
        }

    }

    elseif (($batstatus -eq 2) -and ($OnBattery -eq 1))
    {
        $Event = 1
        $OnBattery = 0
        # "Power Restored"

        $Subject = "Utility Power Restored to {0}." -f $hostname
        $Body   = "Battery at {0} % capacity. UPS charging... " -f $batcapacity
    }

    if ($Event -eq 1) # Create mail message
    {
        $Event = 0
        $Message = New-Object System.Net.Mail.MailMessage $From, $To, $Subject, $Body
        $Message.Priority = [System.Net.Mail.MailPriority]::High
        try {
            $Client.Send($Message)
            # "Message sent successfully"
        }
        catch {
            "Exception caught in UPS_Monitor.ps1"
        }
    }

    sleep $interval
}

Change the mail server, to and from address, and you’re in business.

Create ups-monitor.cmd with the following:

powershell -command c:\path\to\your\script\ups-monitor.ps1

Again using Task Scheduler, schedule ups-monitor.cmd to run at startup, and you’re set.

Make sure you have your VMs set to save at shutdown and autostart, and then go pull the plug on that UPS just to make sure things work to your liking.

Also from the above referenced thread, you can check the battery condition using powershell with this:

PS$ get-wmiobject -class CIM_Battery -namespace "root\CIMV2"

Have fun.

Hyper-V, Virtualization, Windows Server 2008

Windows Server Backup WBAdmin

February 14th, 2010

I was just setting up a Hyper-V Server 2008 R2 box and wanted to get backup running to an external drive.  I installed the Windows Server Backup role via the Core Configurator tool, but then the backups need to be configured and run via the wbadmin command line tool.

This command line reference for wbadmin was helpful so I wanted to mark it in case I need it again in the near future.

Hyper-V, Virtualization, Windows

perl-after-upgrade Is Your Friend

January 24th, 2009

I just upgraded the main perl port on a FreeBSD box from 5.8.8 to 5.8.9 and a perl based service promptly died, complaining of problems locating dependencies.  D’Oh!!  That’s not good.

After a bit of crunching away I found that each perl module port (each p5-* port) needed a ‘make deinstall && make reinstall’ to align with the new perl version. The only bugger is that this machine has 54 p5-* ports installed. Now I’m basically lazy so I wanted a better way than manually reinstalling each port or even writing a script to handle these specific ports.

Thankfully a little deeper google exercise turned up perl-after-upgrade. From the man page:

The standard procedure after a perl port (either lang/perl5 or lang/perl5.8) upgrade is to basically reinstall all other packages that depend on perl. This is always a painful exercise. The perl-after-upgrade utility makes this process mostly unnecessary.

The tool goes through the list of installed packages, looks for those that depend on perl, moves files around, modifies shebang lines in those scripts in which it is necessary to do so, tries its best to adjust dynamically linked binaries that link with libperl.so in the old path, and updates the package database.


Brilliant!! Just what I was looking for.

I ran perl-after-upgrade followed by perl-after-upgrade -f, and it did all the heavy lifting of getting things straight.  Just for good measure I ran a rebuild on mimedefang (portmaster mimedefang), and it was back off to the races for that system.

So I must say….  perl-after-upgrade is your friend!

FreeBSD, Is Your Friend

How to Benefit from Microsoft’s Mistake

December 2nd, 2008

In late October, Microsoft released a software patch to address a problem in Windows operating systems.  Every month Microsoft releases new software patches on the second Tuesday of the month, aka Patch Tuesday.  For most companies Patch Tuesday is followed by Reboot Wednesday which is when the most important of these updates are installed and  systems rebooted.  In larger companies, Patch Tuesday is the beginning of a process to prioritize, test, and stage these updates as needed.

So what’s the big deal about October?  Microsoft released an out-of-cycle patch (MS08-067) for Windows on October 23rd, nine days after Patch Tuesday.  Typically patches are queued up until the next second Tuesday, but this one was so important that Microsoft released it immediately.  The urgency about this patch was directly related to the potential damage that could be caused by the flaw it fixes.  In theory the flaw could be exploited by a worm that would blow through networks like wildfire, causing severe damage along the way.

To be fair, Microsoft’s mistake was the flaw in Windows; their handling of the situation has been very good.

How can you benefit from this?  It’s now over a month past the release of this patch, and it’s time to look at how your business handled the situation.  You can use this event as one method to evaluate your overall IT posture.  If you are in management, this may require digging in with the technical folks to get the details.  Specifically, look at the following areas:

  • Awareness
    • When – When did your organization first become aware this out-of-cycle patch had been released?  Was it within hours, days, a week, or more?
    • How – This is important.  How did your company learn about this?  Was it picked up from active reading of email, blogs, news?  Was it just luck that someone noticed it, or do you have an active process to stay informed?
  • Attention
    • Did this event garner the proper amount of attention from the proper people?  If awareness was high, but the appropriate people were so busy “putting out fires” that they didn’t get to it for a week, you have a problem.
  • Application
    • How quickly was this patch applied?  Given the unplanned nature of it, did this patch take longer than normal to go from awareness to actually being installed?
  • Audit
    • Has the installation of this patch been audited?  You need to know that the patch was actually installed.  Setting a patch management system to deploy the patch isn’t enough.  You must be able to verify that computers have actually installed the patch, and have a plan to deal with any problems.

Take a look at how your business responded.  Use this opportunity to identify any shortcomings and work to fix them.  Oh, and if you look around and see that this was handled well, give your IT people the credit they deserve.

Commentary, Other, Security, Windows

Windows Server 2008 in VMWare

April 9th, 2008

I just loaded up Windows Server 2008 into a VM under VMWare Server. I’ve installed one VM as a full load of the OS, and I’m preparing to install a second VM as the “server core” load of 2008 (basically no GUI). To my surprise, it’s gone very well so far. There was only one snafu, and that was easily fixed with a trip to the Google oracle. When the VM first came up, it had no recognized network card. To get a working NIC, add the following to your .vmx file:

ethernet0.virtualDev = "e1000"

Restart the VM, and you’re off to the races.

VMWare, Windows, Windows Server 2008

Upgrade FreeBSD 6.2 to 6.3

January 27th, 2008

FreeBSD 6.3 has been released, so I want to start by upgrading one of my test machines from 6.2 to 6.3. To accomplish this, I followed the directions from Daemonic Dispatches.

  • mkdir /root/freebsd-update
  • cd /root/freebsd-update
  • fetch http://www.daemonology.net/freebsd-update/freebsd-update-upgrade.tgz
  • fetch http://www.daemonology.net/freebsd-update/freebsd-update-upgrade.tgz.asc
  • gpg --verify freebsd-update-upgrade.tgz.asc freebsd-update-upgrade.tgz
  • tar -xzf freebsd-update-upgrade.tgz
  • sh freebsd-update.sh -f freebsd-update.conf -r 6.3-RELEASE upgrade
  • yes to “Does this look reasonable?”
  • sh freebsd-update.sh -f freebsd-update.conf install
  • init 6
  • sh freebsd-update.sh -f freebsd-update.conf install
  • init 6

That was painless enough to be very, very encouraging to me. Now I’ll have to go hit a loaded box and see how well it works….

FreeBSD

FreeBSD, Courtesy of Novell, Richard Bejtlich, and my friend Todd

January 20th, 2008

It’s happened. I looked around yesterday and realized I’ve switched from Linux to FreeBSD. I didn’t wake up one morning and decide to switch. It just seems that as projects came up I would find some compelling reason to choose FreeBSD over Linux. Now that I look around, I see the pattern. It wasn’t purposeful, but I’m happy with where it’s going.

You need to understand that I started using Linux about eight years ago and got serious with it over the last five years or so. Actually I have my friend Todd to thank for turning me on to Linux as part of his infatuation with integration. It started off innocently enough with some Linux firewalls (the LRP project to be exact) that I could make work, but it was still mostly black magic. Over time I got to using Sendmail, iptables/Shorewall, Samba, LAMP, and all manner of Linux goodness.

By this time I was settled in with SuSE as a distro of choice. SuSE was running in my office, most of my clients in some fashion, and in my data center rack. Life was good. Then Novell entered the picture. They bought SuSE up, and as usual sucked the life out of something good. Dang. Actually it took a couple of releases before the fears were confirmed and I left SuSE. Over time I played around with a list of distros that I liked for some reasons and hated for others. Nothing ever seemed to fit well for the many scenarios I had used SuSE for.

Over the last couple years I’ve been reading Richard Bejtlich’s TaoSecurity blog, and his general endorsement of FreeBSD interested me. Then, my friend Todd pointed out pfSense, a BSD based firewall distribution running pf. After running shorewall on Linux hosts, pfSense was somewhat constrictive though. The logical extension was running pf directly on FreeBSD, and now my firewalls and many of my customers’ firewalls are on FreeBSD.

So now I am running FreeBSD on as many hosts as Linux, and I expect to convert most of what remains to FreeBSD as boxes age out. As a matter of fact, one of my next projects will be to replace my office Samba server with new hardware running FreeBSD and Samba.

So far I like what I’ve learned, and I can foresee using FreeBSD as an OS of choice for quite some time.

FreeBSD, pfSense

VMWare Server, MythTV, and Kubuntu

September 2nd, 2007

Having recently acquired a Windows Vista PC for my own personal learning, I find that my Windows XP box is now irrelevant. It is a Dell Optiplex GX 280 (about 2 years old) that I would like to use as a MythTV back-end server and a VMWare Server host. To facilitate this, I picked up a 500GB Western Digital SATA drive. My intention is to install Kubuntu 7 Feisty Fawn, set up an LVM partition to carve out storage for video and VM images, install VMWare Server, and install MythTV.

The first step to getting the base OS up and running is to simply boot the Kubuntu live CD and then kick off the installer. I pretty much ran the defaults except for the disk setup. I set up a 50GB / partition with ext3 and a 2GB swap. I left the other ~450GB unpartitioned to hold an LVM volume later.

After the first reboot I noticed the video wasn’t optimum – 1024×768 from an ATI Radeon X300. I followed this wiki entry to get it running right.

Next on the docket would be LVM. First I need to install LVM:

  • sudo apt-get install lvm2

Also, I would like to have XFS support for use where I store video files.

  • sudo apt-get install xfsprogs

With LVM support installed, I used the article Learning Linux LVM, Part 2 to help go through the following:

  • sudo sfdisk -l turned up this:

Disk /dev/sda: 60801 cylinders, 255 heads, 63 sectors/track
Units = cylinders of 8225280 bytes, blocks of 1024 bytes, counting from 0

Device Boot Start End #cyls #blocks Id System
/dev/sda1 0+ 6078 6079- 48829536 83 Linux
/dev/sda2 6079 6327 249 2000092+ 82 Linux swap / Solaris
/dev/sda3 6328 60800 54473 437554372+ 8e Linux LVM

That looks right. I’ve got a 50GB / partition on sda1, a 2GB swap on sda2, and the rest in sda3 set as LVM type. Let’s get using it.

  • sudo su
  • pvcreate /dev/sda3
  • vgcreate -s 32M main /dev/sda3
  • lvcreate -L150G -nvm main
  • lvcreate -L250G -nvideo main
  • mkreiserfs /dev/main/vm
  • mkfs.xfs /dev/main/video
  • mkdir /vm
  • mkdir /video
  • mount /dev/main/vm /vm
  • mount /dev/main/video /video

Next, add the two new partitions to the /etc/fstab file to mount at startup. A reboot confirms that all is well with the new partitions.

Next, we move on to getting VMWare Server installed and running on this box. During this portion, I used How To Install VMware Server On Ubuntu 7.04 (Feisty Fawn) as a good reference for getting this done.

First, we do some prep:

  • sudo aptitude install linux-headers-`uname -r` build-essential
  • sudo aptitude install xinetd

Then grab the current VMWare Server tar ball. (This was done with VMware-server-1.0.3-44356.tar.gz.) Also, grab this patch file vmware-any-any-update109.tar.gz.

  • cd /usr/src
  • tar -xzf VMware-server-1.0.3-44356.tar.gz
  • cd vmware-server-distrib/
  • ./vmware-install.pl
  • Accept the defaults until the prompt to run vmware-config.pl to which you answer no
  • tar -xzf vmware-any-any-update109.tar.gz
  • cd vmware-any-any-update109
  • ./runme.pl
  • Let it run the vmware-config.pl script
  • Accept the EULA and the defaults unless you want an override.
  • For example, this install I answered No to NAT networking as I just want a bridged connection.
  • I changed the directory for keeping virtual machine files from /var/lib/vmware/Virtual Machines to just /vm to use the LVM volume
  • Enter a serial number for VMWare Server
  • Verify the script successfully starts the services
  • Launch the VMWare Server Console via the vmware command

At this point, the system should be ready to create new virtual machines, but that’s a topic for another post.

Next, we will tackle installing MythTV on this system. I have previously set up a freestanding MythTV box to test it out. That system was an old spare PC when I started, but it did run successfully for a year and a half as my home DVR. Eventually it gave out, and now I would like to set up a replacement for it. This time I intend to set up this system as a MythTV backend system to do the recording and then set up another system as a front-end for viewing.

As a guide in this process I used this page from the Ubuntu Community Documentation.

This system has a Hauppauge PVR-250 tuner card in it, and it looks to be correctly loaded by default.

As the documentation page I’m referencing points out, we only need one package for this configuration — mythtv.

  • sudo su
  • apt-get install mythtv
  • vi /etc/mysql/my.cnf
    • comment out the bind-address 127.0.0.1 line
    • :wq
  • /etc/init.d/mysql restart
  • exit (to drop out of root context)
  • mythtv-setup
  • Click Yes to be added to the mythtv group
  • Enter password for sudo
  • Click Yes to restart your session
  • Login again
  • mythtv-setup
  • Click Yes
  • Enter password for sudo
  • Choose English
  • General
    • Set IP address of local system
    • Set directory to hold recordings to /video
    • Increase max simultaneous jobs to 2
    • Enable auto-commercial flagging jobs when the recording starts
  • Capture Cards
    • New capture card
    • Card type: MPEG-2 encoder card (for my PVR-250)
  • Video Sources
    • New video source
    • Source name: Bright House Cable
    • Enter username and password for zap2it labs account
  • Input Connections
    • Setup Tuner1 for CableTV
  • Channel Editor
    • No changes
  • Exit mythtv-setup
  • Click Yes to run mythfilldatabase
  • mythfrontend

That’s it. At this point, the system is up and running Kubuntu 7, VMWare Server, and MythTV. Stay tuned for more posts about putting this platform to use.

Kubuntu, Linux, MythTV, VMWare

DST Issues

February 21st, 2007

If you don’t know, the coming change in the start of daylight savings time (DST) may pose quite a problem for some. Because the date of the change has moved up by four weeks this year, Windows doesn’t know the correct date to shift without patching. Microsoft has released a patch for Windows 2003 and Windows XP, but there is no public patch for Windows 2000 because it has passed the end of its support life.

Now, what does this mean for YOU?

Well, if you deploy no patches to any systems, it means things will work but that for four weeks your clocks will be off by an hour. Sort of a pain, but not a show stopper.

What if you do deploy patches but may not be reliably reaching 100% of your systems? That is a problem. If you are like some small businesses I deal with, the servers are updated regularly (if not immediately), but the clients may or may not be. In this scenario, your servers will shift DST on March 11th like they should. Any unpatched workstations will not shift, and those stations will not be able to login to an Active Directory domain because of the embedded time stamps in Kerberos authentication. Uh oh. Problem. This is further compounded by the fact that there is no official Microsoft update for Windows 2000.

So, what are you to do? Here are some thoughts on how to handle this:

  • Patch! – Any Windows 2003 or XP machines should be getting Microsoft patches via Automatic Update. In this way, they should get patched to know about the change.
  • WSUS – Now, given the advice to patch, I will confess that I don’t like to allow an entire network of clients to go to Microsoft for updates. I would recommend the deployment of Microsoft’s WSUS (Windows Server Update Services). This will give you positive control over what patches are deployed, when they are deployed, and how they are deployed. Even better, it gives you a picture of which systems have received which patches.
  • Manual patching – For Windows 2000 it seems you have two options that I know of: pay Microsoft for the Windows 2000 patch (since it’s outside its support life) or roll your own. Without going off on a rant, let’s just say I would prefer to solve this myself rather than pay Mr. Bill any more $$.

I spent a few minutes of research and a few more of script development and have gotten what should be a working solution for patching Windows 2000 (and XP too). Now bear in mind the standard disclaimers: This is barely tested code. Your mileage may vary. Actual use of this code may cause abdominal pains and other unpleasant side effects. In other words, like any code you get off the internet, test the snot out of this before using it. That being said, this solution has both a .reg registry file and a .vbs script for deployment. This is specific to the Eastern time zone, although it would be trivial to change the one registry entry to apply to a different time zone.

Here is the .reg file contents:

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Time Zones\Eastern Standard Time]
"TZI"=hex:2c,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,00,00,\
00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00

[HKEY_LOCAL_MACHINE\SOFTWARE\ServerGuys\Patches\DST2007]
@="True"

[HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\TimeZoneInformation]
"StandardStart"=hex:00,00,0b,00,01,00,02,00,00,00,00,00,00,00,00,00
"DaylightStart"=hex:00,00,03,00,02,00,02,00,00,00,00,00,00,00,00,00
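
Before a hand-built time zone blob goes out to every workstation, it is worth decoding it to confirm which rule it actually encodes. The following is an added example, not part of the original post: it assumes the TZI value uses Microsoft's REG_TZI_FORMAT layout (three 32-bit biases followed by two SYSTEMTIME structures), decodes the exact bytes from the .reg file above, and works out the transition dates for a given year. The function names are illustrative.

```python
import calendar
import struct
from datetime import date

# TZI value copied verbatim from the .reg file above (continuation backslash included).
TZI_REG_TEXT = r"""
"TZI"=hex:2c,01,00,00,00,00,00,00,c4,ff,ff,ff,00,00,0b,00,00,00,01,00,02,00,00,\
00,00,00,00,00,00,00,03,00,00,00,02,00,02,00,00,00,00,00,00,00
"""

SYSTEMTIME_FIELDS = ("year", "month", "day_of_week", "day",
                     "hour", "minute", "second", "millisecond")
DAY_NAMES = ("Sunday", "Monday", "Tuesday", "Wednesday",
             "Thursday", "Friday", "Saturday")
ORDINALS = {1: "first", 2: "second", 3: "third", 4: "fourth", 5: "last"}


def reg_hex_to_bytes(text):
    """Convert a .reg 'hex:' value, possibly split across lines, to bytes."""
    _, marker, payload = text.partition("hex:")
    if not marker:
        raise ValueError("no hex: value found")
    # Drop line-continuation backslashes and all whitespace.
    cleaned = "".join(payload.replace("\\", "").split())
    return bytes(int(item, 16) for item in cleaned.split(",") if item)


def parse_tzi(blob):
    """Decode a 44-byte REG_TZI_FORMAT blob (assumed layout, little-endian)."""
    if len(blob) != 44:
        raise ValueError("TZI must be 44 bytes, got %d" % len(blob))
    bias, standard_bias, daylight_bias = struct.unpack_from("<3l", blob, 0)
    standard = dict(zip(SYSTEMTIME_FIELDS, struct.unpack_from("<8H", blob, 12)))
    daylight = dict(zip(SYSTEMTIME_FIELDS, struct.unpack_from("<8H", blob, 28)))
    return {"bias": bias, "standard_bias": standard_bias,
            "daylight_bias": daylight_bias,
            "standard_date": standard, "daylight_date": daylight}


def describe_rule(st):
    """Human-readable form of a SYSTEMTIME used as a recurring transition rule."""
    if st["month"] == 0:
        return "no transition"
    when = "%02d:%02d" % (st["hour"], st["minute"])
    if st["year"] != 0:  # absolute date, applies to one year only
        return "%04d-%02d-%02d at %s" % (st["year"], st["month"], st["day"], when)
    return "%s %s of %s at %s" % (ORDINALS[st["day"]],
                                  DAY_NAMES[st["day_of_week"]],
                                  calendar.month_name[st["month"]], when)


def transition_date(st, year):
    """Calendar date on which the rule fires in the given year."""
    if st["month"] == 0:
        return None
    if st["year"] != 0:
        return date(st["year"], st["month"], st["day"])
    # SYSTEMTIME counts Sunday as 0; Python's calendar counts Monday as 0.
    target = (st["day_of_week"] - 1) % 7
    first_weekday, days_in_month = calendar.monthrange(year, st["month"])
    day = 1 + (target - first_weekday) % 7 + 7 * (st["day"] - 1)
    while day > days_in_month:  # day == 5 means "last occurrence in the month"
        day -= 7
    return date(year, st["month"], day)


if __name__ == "__main__":
    tzi = parse_tzi(reg_hex_to_bytes(TZI_REG_TEXT))
    print("Bias (minutes west of UTC):", tzi["bias"])
    print("Daylight bias (minutes):   ", tzi["daylight_bias"])
    for label in ("daylight_date", "standard_date"):
        rule = tzi[label]
        print("%-14s %s -> %s" % (label, describe_rule(rule),
                                  transition_date(rule, 2007)))
```

Running the same decode against the value exported from a patched Windows XP or 2003 machine gives a direct comparison before the .reg file is deployed.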

As with any .reg file you could deploy this in a number of ways. One of my favorite ways to reach out and touch my clients is via a login script. Here is a script that will deploy this patch. Two notes: Obviously you don’t need the HKLM\Software\ServerGuys key in the .reg file for the DST patch; it’s used in the following code. Also, I know this is poor code, but it was quick to write and seems to work.

'=============================
' Domain Login.vbs
'=============================
On Error Resume Next

'Get a reference to the WSH Network object
set WSHNetwork = CreateObject("WScript.Network")

'Get a reference to the WSH Shell object
set WSHShell = CreateObject("WScript.Shell")

'Windows DST 2007 Patch
'======================
'Import the .reg file unless the marker key it writes is already set to "True"
if fn_RegKeyExists("HKLM\Software\ServerGuys\Patches\DST2007") then
    if WSHShell.RegRead("HKLM\Software\ServerGuys\Patches\DST2007\") <> "True" then
        WSHShell.Run "regedit /s \\SERVER\SHARE\DST-2007.reg"
    end if
else
    WSHShell.Run "regedit /s \\SERVER\SHARE\DST-2007.reg"
end if

'=============================
' Functions
'=============================
Function fn_RegKeyExists(ByVal sRegKey)
    fn_RegKeyExists = True
    sRegKey = Trim (sRegKey)
    If Not Right(sRegKey, 1) = "\" Then
        sRegKey = sRegKey & "\"
    End If

    'Capture the error text for a key that cannot exist, then compare it
    'with the error (if any) raised when reading the requested key
    On Error Resume Next
    WSHShell.RegRead "HKEYNotAKey\"
    sDescription = Replace(Err.Description, "HKEYNotAKey\", "")

    Err.Clear
    WSHShell.RegRead sRegKey
    fn_RegKeyExists = sDescription <> Replace(Err.Description, sRegKey, "")
    On Error Goto 0
End Function

This script is just a slicing out of the relevant pieces from a rather large login script I use, but it should point you in the right direction.

See a problem? Have a beef? Feeling abdominal pains? Shoot me an email and tell me what you think: charles@serverguys.com.

Security, Windows