Authentication with PHP and MySQL

To keep this from being a book, I am not going to explain everything in this post. There are three files involved in making this bad boy work: two supporting files and one with the meat. The first supporting file contains the database login information:

The second supporting file contains a custom class with some helper functions:

Finally we have the meat of it. Do note that in this example I am taking the posted values from a form and using those as my variables. Because those values are user-controlled, they should only ever reach the query as bound parameters of a prepared statement, and the submitted password should be checked against a stored hash rather than compared to a plaintext column:

NetGear ReadyNAS Inaccessible After Firmware Upgrade

Recently I logged into my NetGear ReadyNAS and it prompted me that there was a firmware update (version 6.7.2 to 6.7.3). I had some time to kill so I said “What the heck” and let it do its thing. After it restarted, it lost all network connection. When I went down to the rack where we have the unit, all the drive IO lights were on but there was a red light next to a caution symbol. Uh oh. I also noticed that the link lights on my network card were good and blinking, yet I could not find the dang thing on the network. After waiting for a couple hours (that hopeful thinking that it might resolve itself) I gave the unit the good ol’ reboot to no avail. I put the unit in Tech Support Mode and used NetGear’s RAIDar application (found here) to find the joker…Both NICs were assigned a 192.168.168.168 IP address. Yeah that wasn’t my network. I found this strange considering there was DHCP enabled on the network it was connected to, so even if the NICs lost their IP config they should have just grabbed one from the pool. So I disconnected one of the NICs so that it didn’t have a duplicate IP and rebooted it. I then added a second IP address to my machine on the 192.168.168.0/24 network so I could talk to the thing. I still could not hit the web GUI and I’ll be honest, I’m no Linux expert with these custom kernels so I wasn’t going to start fiddling with that. You know what time it is? Time to call NetGear support…

After what can only be described as a terrible experience making it through tier 1, 2, and 3 support, I finally got in touch with an engineer after 4 hours of struggling. Long story short, this guy SSH'd into the unit and discovered that the boot partition was completely full, so the upgrade could not complete. Makes sense, but you would think they would code some logic in there to check for that prior to beginning the upgrade. Regardless, the engineer cleaned up a bunch of old image files on the boot partition so that it was only around 40% full and voilà, we had an operational ReadyNAS again after a reboot.

Naturally, I picked this engineer's brain on how to avoid this happening again and luckily he gave me more information than I even asked for! For starters, you can check the usage on any of your partitions without having to put the thing in Tech Support Mode. To do this, you have to enable SSH on the unit via the web GUI. Disclaimer: if you make any changes via SSH, you void all support until the unit is Factory Reset (which will wipe all of your data). Once you've made it in, log in as root using your admin password and run the following command:

This will output all of your volumes and their usage statistics: a quick way to check whether you have space in your boot volume for an upgrade. He also shared the following rules of thumb on how your volumes are affected as they fill up:

•80% full – degraded performance

•90% full – stability issues begin to occur

•95% full – the volume becomes read-only

Another thing he shared: the Logs section of the web UI only shows part of one log. If you select the download option you get them all. Included in that download is a disk_info.log file that has a whole bunch of info on your installed disks. He told me the thresholds that are normal for disks; if you see values beyond them, that disk is more than likely beginning to fail. The thresholds are:

•ATA Error Count: 1–2 is normal

•Current Pending Sector Count and Uncorrectable Sector Count: up to 50 is normal, but if they begin rising rapidly that drive is on its way out
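The following is an added example, not a script from the original post: it applies the engineer's thresholds above to a set of volume usage percentages and to per-disk counters read from a downloaded disk_info.log, and it also flags counters that have jumped since an earlier download (the "rising rapidly" case). The "Key: value" log layout, the device names and the "rose by more than 10" delta are constructed assumptions; adjust the regexes in ConvertFrom-DiskInfo to match what your log bundle actually contains.

```powershell
# Added example (not from the original post). Applies the engineer's thresholds to
# volume usage figures and to per-disk counters taken from disk_info.log.
# The "Key: value" layout below is a constructed stand-in; adjust the regexes in
# ConvertFrom-DiskInfo if your downloaded log is laid out differently.

function Get-VolumeHealth {
    param([Parameter(Mandatory)][hashtable]$UsagePercent)   # volume -> percent used
    foreach ($name in $UsagePercent.Keys) {
        $pct = [int]$UsagePercent[$name]
        $state = 'OK'
        if ($pct -ge 80) { $state = 'Degraded performance (>=80%)' }
        if ($pct -ge 90) { $state = 'Stability issues (>=90%)' }
        if ($pct -ge 95) { $state = 'Read-only (>=95%)' }
        [pscustomobject]@{ Volume = $name; UsedPercent = $pct; State = $state }
    }
}

# Constructed sample in a simple "Key: value" form, one block per device (assumed format)
$sampleLog = @'
Device: sda
ATA Error Count: 1
Current Pending Sector Count: 0
Uncorrectable Sector Count: 0
Device: sdb
ATA Error Count: 7
Current Pending Sector Count: 48
Uncorrectable Sector Count: 12
'@

function ConvertFrom-DiskInfo {
    param([Parameter(Mandatory)][string]$Text)
    $disks = @{}
    $current = $null
    foreach ($line in $Text -split "`r?`n") {
        if ($line -match '^Device:\s*(\S+)') { $current = $Matches[1]; $disks[$current] = @{}; continue }
        if ($current -and $line -match '^([^:]+):\s*(\d+)\s*$') { $disks[$current][$Matches[1].Trim()] = [int]$Matches[2] }
    }
    return $disks
}

function Get-DiskHealth {
    param(
        [Parameter(Mandatory)][hashtable]$Disks,
        [hashtable]$Previous = @{}      # same shape, parsed from an earlier download, to catch rapid growth
    )
    foreach ($dev in $Disks.Keys) {
        $d = $Disks[$dev]
        $warnings = @()
        if ($d['ATA Error Count'] -gt 2) { $warnings += "ATA Error Count $($d['ATA Error Count']) (normal: 1-2)" }
        foreach ($k in 'Current Pending Sector Count', 'Uncorrectable Sector Count') {
            if ($d[$k] -gt 50) {
                $warnings += "$k $($d[$k]) (normal: <=50)"
            }
            elseif ($Previous.ContainsKey($dev) -and ($d[$k] - $Previous[$dev][$k]) -gt 10) {
                # Still under the absolute limit, but climbing fast: the engineer's "on its way out" case
                $warnings += "$k rose from $($Previous[$dev][$k]) to $($d[$k]) since the last check"
            }
        }
        [pscustomobject]@{ Device = $dev; Failing = ($warnings.Count -gt 0); Warnings = ($warnings -join '; ') }
    }
}

# Usage with constructed figures: /boot at 91% should come back as "Stability issues",
# sdb should be flagged for ATA errors and for the pending-sector jump from 20 to 48.
Get-VolumeHealth -UsagePercent @{ '/boot' = 91; '/data' = 62 } | Format-Table
Get-DiskHealth -Disks (ConvertFrom-DiskInfo $sampleLog) `
    -Previous @{ sdb = @{ 'Current Pending Sector Count' = 20; 'Uncorrectable Sector Count' = 12 } } | Format-Table
```

Keep the parsed hashtable from each download (Export-Clixml is enough) so the next run has a -Previous to compare against; the absolute thresholds alone will not catch a drive that is still under 50 but doubling every week.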

All in all, the engineer got me up and running and gave me some good info on how to avoid issues with my unit. Moving forward, I'll be checking my volume capacity before upgrading!!

Remove Users from AD Groups with PowerShell

I often find myself needing to audit group membership for various reasons (mostly just to clean up disabled users…turnover is a pain).  Typically when I'm doing anything at scale I like to loop through an array to make my life easier, as I do in the following script to remove users from AD groups.  In this particular instance, I usually receive an array of UPNs that someone wishes to have removed from a group.  Given that, I do a split on the "@" so that I only grab the sAMAccountName (this assumes the UPN prefix matches the sAMAccountName, which is the common case but not guaranteed).
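As an added example (not the script from the original post), here is how I would do the same thing while avoiding the prefix-equals-sAMAccountName assumption: each UPN is resolved with an AD filter, only current members are touched, and -WhatIf lets you dry-run the removal. It assumes the ActiveDirectory module (RSAT) is installed and that you have rights on the target group; the group name and UPNs in the usage lines are hypothetical. A second function covers the "clean up disabled users" case mentioned above.

```powershell
# Added example, not the post's original script. Assumes the ActiveDirectory
# module (RSAT) and rights to modify the target group.
Import-Module ActiveDirectory

function Remove-UpnsFromGroup {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Group,
        [Parameter(Mandatory)][string[]]$Upns
    )
    # Snapshot current membership by DN so we only act on real members
    $members = @{}
    Get-ADGroupMember -Identity $Group | ForEach-Object { $members[$_.distinguishedName] = $true }

    foreach ($upn in $Upns) {
        # Resolve by UPN instead of trusting that the part before '@' equals sAMAccountName.
        # The script-block filter form keeps the value out of the LDAP filter string.
        $user = Get-ADUser -Filter { UserPrincipalName -eq $upn }
        if (-not $user) { Write-Warning "No user with UPN $upn"; continue }
        if (-not $members.ContainsKey($user.DistinguishedName)) {
            Write-Verbose "$upn is not a member of $Group"
            continue
        }
        if ($PSCmdlet.ShouldProcess("$($user.SamAccountName) from $Group", 'Remove')) {
            Remove-ADGroupMember -Identity $Group -Members $user -Confirm:$false
        }
    }
}

function Get-DisabledGroupMembers {
    # Lists disabled user accounts still sitting in a group (the turnover cleanup case)
    param([Parameter(Mandatory)][string]$Group)
    Get-ADGroupMember -Identity $Group |
        Where-Object objectClass -eq 'user' |
        Get-ADUser -Properties Enabled |
        Where-Object { -not $_.Enabled }
}

# Usage (hypothetical group and UPNs):
# Remove-UpnsFromGroup -Group 'VPN Users' -Upns 'jdoe@domain.com', 'asmith@domain.com' -WhatIf
# Get-DisabledGroupMembers -Group 'VPN Users' | Select-Object SamAccountName, UserPrincipalName
```

Run with -WhatIf first and feed the output to whoever requested the change; removing the wrong account from a group is easy to miss until someone loses access.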

 

Windows Server 2012R2 Pending Reboot Status Won’t Clear

Recently I was setting up a new RDS deployment and when I went to install one of the roles (in this case the RD Gateway) it would not let me do so, saying that the server was still pending a reboot.  This isn't uncommon with new deployments as I'm doing many things at once, so I gave it the good ol' reboot, but the issue still persisted.  Confused, I consulted Uncle Google for some advice and found the answer in a pesky registry value.  Once I deleted the "PendingFileRenameOperations" value from the key below and gave the box a good reboot everything worked as normal.  That value lists file moves an installer asked Windows to finish at the next boot, so have a look at its contents before deleting it: if it is empty or stale, clearing it is harmless; if it names files from an install still in progress, let that install finish first.

Path to the key: HKLM\System\CurrentControlSet\Control\Session Manager (value name: PendingFileRenameOperations)

Google credit found here.
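Added example (not from the original post): a function that reports the usual pending-reboot indicators together with the contents of PendingFileRenameOperations, and a second one that removes the value with -WhatIf support so you can see what you are about to clear. The registry locations are the standard ones used by Server Manager's pending-reboot check.

```powershell
# Added example, not the post's own commands. Run elevated.
function Get-PendingRebootStatus {
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    $pfro = (Get-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction SilentlyContinue).PendingFileRenameOperations
    $active = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ActiveComputerName').ComputerName
    $wanted = (Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName').ComputerName
    [pscustomobject]@{
        ComponentBasedServicing = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\RebootPending'
        WindowsUpdate           = Test-Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update\RebootRequired'
        PendingFileRename       = [bool]$pfro
        PendingFileRenameList   = @($pfro | Where-Object { $_ })   # REG_MULTI_SZ pairs; shows what a delete would discard
        ComputerRename          = ($active -ne $wanted)
    }
}

function Clear-PendingFileRename {
    [CmdletBinding(SupportsShouldProcess)]
    param()
    $sm = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
    if ($PSCmdlet.ShouldProcess("$sm\PendingFileRenameOperations", 'Remove value')) {
        Remove-ItemProperty -Path $sm -Name PendingFileRenameOperations -ErrorAction Stop
    }
}

# Usage:
# Get-PendingRebootStatus | Format-List
# Clear-PendingFileRename -WhatIf      # then run without -WhatIf and Restart-Computer
```

If ComponentBasedServicing or WindowsUpdate is still True after the value is gone, a reboot is genuinely owed and deleting the value would not have helped anyway.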

Transfer/Seize FSMO Roles and Remove DC from AD

As our journey continues, sadly we will need to decommission DCs along the way.  Doing this comes with some considerations, such as moving your FSMO roles off of the DC you are decommissioning.  Don't know if it has any FSMO roles assigned to it?  Run the following:

Now the internet will show you many other ways to find this out, but this is by far the easiest method.  Great now we know what roles we need to move off of the DC, but how do we do it?  Logon to the DC you wish to transfer the FSMO roles to and do the following:

Should you not be able to transfer the roles (the server holding them is lost to the world), you can seize them.  Only do this when the old holder is never coming back: if it is ever powered on again, two DCs will believe they own the role.  You seize by doing the following:

Yes I realize there is only one difference, but it’s an important difference!

Now, assuming you have all your other marbles accounted for (the DC has been demoted, or is gone for good), we can remove the DC from AD and all the other nonsense.  Start by deleting the computer account out of the Domain Controllers OU in Active Directory Users and Computers; on Server 2008 and later this also performs the metadata cleanup that used to require ntdsutil.  It'll give you a bunch of warnings, read them if you like.  Next head over to Sites and Services and delete the server object from its site.  Once that is done, hit DNS and delete the old DC's records from both the Forward and Reverse Lookup Zones.  Once you have all of that done, you should be good to go!  Sync up your remaining DCs (assuming more than one) by running the following command:

Finally, just for that warm and fuzzy feeling, run the following command on a Domain Controller:

All of the tests should pass.  If not, get troubleshooting!  Best of luck!!
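The whole procedure above as one added PowerShell example (not the commands from the original post): list the role holders, transfer or seize them (the "one difference" is the -Force switch on Move-ADDirectoryServerOperationMasterRole), and verify afterwards that nothing of the old DC is left behind. It assumes the ActiveDirectory module and Enterprise Admin rights for the forest-wide roles; the DC names DC01 and DC02 in the usage lines are hypothetical. The seize path refuses to run while the current holder still answers on LDAP, because seizing a live holder is how you end up with two PDC emulators.

```powershell
# Added example (not the original post's commands). Needs the ActiveDirectory module
# and Enterprise/Schema Admin rights for the forest-wide roles. DC names are hypothetical.
Import-Module ActiveDirectory

function Get-FsmoHolders {
    $forest = Get-ADForest
    $domain = Get-ADDomain
    [pscustomobject]@{
        SchemaMaster         = $forest.SchemaMaster
        DomainNamingMaster   = $forest.DomainNamingMaster
        PDCEmulator          = $domain.PDCEmulator
        RIDMaster            = $domain.RIDMaster
        InfrastructureMaster = $domain.InfrastructureMaster
    }
}

function Move-FsmoRoles {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$TargetDC,
        [string[]]$Roles = @('SchemaMaster', 'DomainNamingMaster', 'PDCEmulator', 'RIDMaster', 'InfrastructureMaster'),
        [switch]$Seize      # the one difference: -Force turns a transfer into a seizure
    )
    if ($Seize) {
        # Seizing a role whose holder is still alive leaves two DCs claiming it; check LDAP first
        $holders = Get-FsmoHolders
        foreach ($r in $Roles) {
            $h = $holders.$r
            if (Test-NetConnection -ComputerName $h -Port 389 -InformationLevel Quiet -WarningAction SilentlyContinue) {
                throw "$h still answers on LDAP for $r; transfer the role instead of seizing it"
            }
        }
    }
    $verb = 'Transfer'
    if ($Seize) { $verb = 'Seize' }
    if ($PSCmdlet.ShouldProcess($TargetDC, "$verb $($Roles -join ', ')")) {
        Move-ADDirectoryServerOperationMasterRole -Identity $TargetDC -OperationMasterRole $Roles -Force:$Seize -Confirm:$false
    }
}

function Test-DcRemoved {
    # After the ADUC / Sites and Services / DNS cleanup, every field here should be False
    param([Parameter(Mandatory)][string]$Name)   # short name of the decommissioned DC
    $cfg  = (Get-ADRootDSE).configurationNamingContext
    $fqdn = "$Name.$((Get-ADDomain).DNSRoot)"
    [pscustomobject]@{
        DomainControllerObject = [bool](Get-ADDomainController -Filter "Name -eq '$Name'")
        SitesServerObject      = [bool](Get-ADObject -LDAPFilter "(&(objectClass=server)(cn=$Name))" -SearchBase $cfg)
        DnsStillResolves       = [bool](Resolve-DnsName -Name $fqdn -ErrorAction SilentlyContinue)
    }
}

# Usage:
# Get-FsmoHolders
# Move-FsmoRoles -TargetDC 'DC02' -WhatIf            # transfer all five roles
# Move-FsmoRoles -TargetDC 'DC02' -Seize -WhatIf     # seize, only once DC01 is gone for good
# Test-DcRemoved -Name 'DC01'                        # everything should be False
# repadmin /syncall /AdeP ; dcdiag /q                # replicate to all partners, then run the health tests
```

The DNS check only covers the A record; also look for the old DC's SRV records under _msdcs if you deleted records by hand rather than letting scavenging do it.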

Change Office 365 UPN from onmicrosoft.com with PowerShell

Ran into an issue recently that was a little tricky.  I have a DirSync environment and two of my users for some reason decided that their UPN was going to be username@domain.onmicrosoft.com rather than username@domain.com.  There were no issues on the AD side.  All the attributes for the account were set appropriately, but the UPN in particular was just not making it up to O365 correctly anymore.  I used the following bit of PowerShell to resolve the issue.
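Added example (not the post's own snippet) of fixing the cloud-side UPN with the MSOnline module that DirSync-era tenants used. It first confirms the target suffix is a verified domain in the tenant, since an unverified suffix is the usual reason a UPN silently stays on onmicrosoft.com, then sets the new UPN and reads it back. The account and domain names are hypothetical, and it assumes Connect-MsolService has already been run. Microsoft has since retired MSOnline; in Microsoft Graph PowerShell the equivalent call is Update-MgUser -UserId <id> -UserPrincipalName <new>.

```powershell
# Added example using the MSOnline module of the DirSync era (since retired by
# Microsoft; the Graph equivalent is Update-MgUser -UserId <id> -UserPrincipalName <new>).
# Assumes Connect-MsolService has been run. Names are hypothetical.
function Repair-CloudUpn {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$SamAccountName,   # e.g. 'jdoe'
        [Parameter(Mandatory)][string]$TenantDomain,     # e.g. 'domain.onmicrosoft.com'
        [Parameter(Mandatory)][string]$Domain            # e.g. 'domain.com'
    )
    $current = "$SamAccountName@$TenantDomain"
    $wanted  = "$SamAccountName@$Domain"

    # The target suffix must be a verified domain in the tenant or the change is rejected
    $d = Get-MsolDomain -DomainName $Domain -ErrorAction Stop
    if ($d.Status -ne 'Verified') { throw "$Domain is not verified in the tenant (status: $($d.Status))" }

    $user = Get-MsolUser -UserPrincipalName $current -ErrorAction Stop
    if ($PSCmdlet.ShouldProcess($user.UserPrincipalName, "Set UPN to $wanted")) {
        Set-MsolUserPrincipalName -UserPrincipalName $current -NewUserPrincipalName $wanted
        # Read it back to confirm; the next directory sync should then agree with on-prem
        (Get-MsolUser -UserPrincipalName $wanted).UserPrincipalName
    }
}

# Repair-CloudUpn -SamAccountName 'jdoe' -TenantDomain 'domain.onmicrosoft.com' -Domain 'domain.com' -WhatIf
```

After the change, force or wait for a sync cycle and check that the on-prem userPrincipalName and the cloud value match; if they drift again, the sync rule or the verified-domain list is the next place to look.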

 

Redirect Email Using Postfix

The other day my mentor taught me a nifty trick for re-routing email using Postfix from a public facing Linux Server (we use Ubuntu Server LTS), as long as you have control over the DNS for the domain’s email you want to re-route.  This can be used for a number of reasons, but in our case we just use it to verify our domains for SSL Certs.

Since DNS most recently came up, let's start there.  All you have to do here is log in to whoever is controlling the DNS for the domain you wish to re-route (GoDaddy, AWS, CloudFlare, etc.) and point the MX record at your Postfix box's public hostname.  An MX record has to name a host rather than an IP address, so give the box an A record first if it doesn't have one.  Simple, now let's move on to the Postfix box.

I’m just going to assume that you already have the Linux box all set up correctly with Postfix installed for the sake of my fingers.  The initial Postfix install prompts you for a couple pieces of information, but they are pretty self explanatory.  One thing I will mention is that you will need to add an allow rule to the ufw firewall if you are using that to lock everything down.  You can do this by running the following:

Now that that is handled we can dig into the meat of this operation.  First navigate to /etc/postfix/ directory and edit the main.cf file found there.  Make the following changes to the file:

Notice that we pointed the virtual alias maps at a file called virtual.  A quick ls will reveal that it does not yet exist, so let's make it!

Next we run the following commands to set up the lookup and restart the postfix service:

Notice this creates a virtual.db file in the same directory as virtual.  Anywho, with that we are ready to rock and roll!  If you want to see the traffic move through your postfix box you can run the following command to see the traffic as it comes and goes:
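As an added illustration (these are not the files from the original post), here is the shape the two Postfix files take once the changes above are made, assuming the domain being re-routed is example.com and the mailbox that should receive its mail is you@yourdomain.net (both hypothetical):

```text
# /etc/postfix/main.cf (relevant lines only)
myhostname = mx.yourdomain.net
inet_interfaces = all
# Accept mail for the re-routed domain and rewrite recipients through the virtual table.
# The domain must appear here and NOT in mydestination; listing it in both is a Postfix error.
virtual_alias_domains = example.com
virtual_alias_maps = hash:/etc/postfix/virtual
# Do not become an open relay: only local clients may relay, everyone else is limited
# to domains this box is responsible for.
mynetworks = 127.0.0.0/8 [::1]/128
smtpd_recipient_restrictions = permit_mynetworks, reject_unauth_destination

# /etc/postfix/virtual (lookup table; rebuild with postmap after editing)
# Forward only the addresses certificate issuers are allowed to use for domain
# validation, rather than @example.com, so the box does not collect everyone's mail.
admin@example.com           you@yourdomain.net
administrator@example.com   you@yourdomain.net
hostmaster@example.com      you@yourdomain.net
postmaster@example.com      you@yourdomain.net
webmaster@example.com       you@yourdomain.net
```

After editing, `postmap /etc/postfix/virtual` builds the virtual.db lookup file and `systemctl restart postfix` (or `service postfix restart` on older Ubuntu releases) loads the new config; `ufw allow 25/tcp` opens the port and `tail -f /var/log/mail.log` shows the mail arriving. Once it is up, test from outside that a recipient in some unrelated domain gets "Relay access denied": with the MX pointed at a public box, an accidental open relay will be found and abused within hours.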

 

Specific Windows 7 Computer Unable to Access File Share

Ran into a bit of a weird one today.  Had one of my Help Desk guys call me up saying that no matter what a particular user cannot access a specific file share on a certain computer, always receiving an Access Denied message.  On any other computer this issue is not occurring.  He tells me he has checked all group assignments, removed the profile, removed and re-added it to the domain to no avail.  Quite the weird one.

I hopped on and confirmed all that needed confirming and saw that there was definitely not a permissions issue.  Tried it from a different profile with administrator creds with no change.  Here's the kicker though: I could UNC to the actual drive that held the share and manually navigate to it no problem.  Okay, time to talk to Uncle Google, this doesn't make any sense.  Long story short, I finally stumbled upon the solution from Microsoft (found here).  It has to do with the local CSC (Offline Files) database on the computer, and you fix it by wiping that joker.  You do this by adding the registry value below and bouncing the box.  Be aware that the reset also throws away any offline changes the user has not yet synced back to the server, so check Sync Center for pending changes first.

Key: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\CSC\Parameters

Value: FormatDatabase (DWORD 32-bit) = 1

After the box finishes restarting, log in and voilà!  You can access all shares normally again.  Yay!  You can also do this via batch/cmd if you wish with the following:
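Added example (not the post's batch file): the same fix as a PowerShell function that can target the local machine or, via PowerShell Remoting, the affected machine from the help desk's workstation. It assumes WinRM is enabled on the target and that you are a local administrator there; the computer name in the usage line is hypothetical.

```powershell
# Added example, not the post's own batch script. Assumes admin rights on the target
# and, for the remote case, WinRM/PowerShell Remoting enabled.
function Reset-OfflineFilesCache {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [switch]$Restart
    )
    $action = {
        param($restart)
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\CSC\Parameters'
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        # FormatDatabase is consumed once at boot: the CSC database is rebuilt and any
        # offline changes that were never synced back to the server are gone with it.
        New-ItemProperty -Path $key -Name FormatDatabase -PropertyType DWord -Value 1 -Force | Out-Null
        if ($restart) { Restart-Computer -Force }
    }
    if ($PSCmdlet.ShouldProcess($ComputerName, 'Set CSC FormatDatabase=1 (unsynced offline changes will be lost)')) {
        if ($ComputerName -eq $env:COMPUTERNAME) { & $action $Restart }
        else { Invoke-Command -ComputerName $ComputerName -ScriptBlock $action -ArgumentList $Restart }
    }
}

# Usage (hypothetical workstation name):
# Reset-OfflineFilesCache -ComputerName 'WS-0421' -WhatIf
# Reset-OfflineFilesCache -ComputerName 'WS-0421' -Restart
```

Leave -Restart off if the user is logged on; set the value, have them save their work, and let them reboot themselves.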

 

WSUS Trials and Tribulations

Recently I have been working on a WSUS deployment with 2012R2.  Let’s just say it isn’t the smoothest deployment of a feature/role that I have ever done.  With that fun little preface, let’s dig into the challenges that I have faced with this.

For starters, the initial installation of the WSUS role and its additional features went off without a hitch.  I synced the server up with Microsoft, did my initial approvals, and set my GPOs as needed.  It wasn't until I realized that I had no client machines in my Unassigned/All Computers group that I knew something was up.  And down the rabbit hole I went for a frustrating amount of time.  The first issue I came across and resolved was my GPO settings.  For the record, you need the following two policy settings applied:

•Configure Automatic Updates

•Specify intranet Microsoft update service location

My issue was with the latter.  I had "Set the intranet update service for detecting updates" and "Set the intranet statistics server" as "http://server".  These should have included the port number (8530 for non-SSL, 8531 for SSL): "http://server:8530".  Without the port, clients try port 80, where WSUS is not listening, and simply never report in.

Once this GPO change was applied, client machines finally started connecting (albeit quite slowly).  Great!  Except all the Windows 10 machines in my environment were showing as Windows Vista…how insulting!  So after some digging all over I found a Windows update to correct that little oversight (KB3095113), which you can download from Microsoft.

We seem to be getting somewhere, eh?  Nope!  I saw that my WSUS server had grabbed some updates since I installed the role, so I figured why not install them, right?  Might be a useful patch (which in reality, it was).  But naturally it broke stuff.  After installing the update (KB3159706) I could no longer connect to the WSUS server via the WSUS Console.  Yay!  After digging through Event Viewer logs and hating all things Microsoft, I found the error that led me to the solution: ID 507 "Update Services failed its initialization and stopped."  I did some Googling and found out that there were manual configuration steps to complete the update (maybe a little notification for something like that next time, Microsoft?  Please?).  Below are the manual steps required to complete the installation of the update:

•Open an elevated CMD and run the following command:

It will take a little while, but eventually you will see “Post install has successfully completed.”

•Add the “HTTP Activation” feature found at “.NET Framework 4.5 Features > WCF Services > HTTP Activation.”

•Restart the WSUS service and you should be able to connect with the WSUS Console again.
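Two added helpers (not commands from the original post) covering both of the snags above: Test-WsusClientPolicy runs on a client and checks whether the policy-delivered WUServer/WUStatusServer URLs carry a port and whether that port answers, and Complete-WsusServicingUpdate runs on the WSUS server and performs the three post-install steps in order. It assumes the default wsusutil.exe path and that you run it from an elevated session.

```powershell
# Added example (not the post's commands). Test-WsusClientPolicy runs on a client;
# Complete-WsusServicingUpdate runs elevated on the WSUS server after KB3159706.
function Test-WsusClientPolicy {
    $p = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate' -ErrorAction Stop
    foreach ($name in 'WUServer', 'WUStatusServer') {
        if (-not $p.$name) { Write-Warning "$name is not set by policy"; continue }
        $u = [uri]$p.$name
        [pscustomobject]@{
            Setting         = $name
            Value           = $p.$name
            HasExplicitPort = -not $u.IsDefaultPort     # "http://server" alone means port 80, where WSUS is not
            Reachable       = Test-NetConnection -ComputerName $u.Host -Port $u.Port -InformationLevel Quiet -WarningAction SilentlyContinue
        }
    }
}

function Complete-WsusServicingUpdate {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$WsusUtil = "$env:ProgramFiles\Update Services\Tools\wsusutil.exe")
    # Confirm this is the failure described in the post: event 507 from WSUS in the Application log
    $ev = Get-WinEvent -FilterHashtable @{ LogName = 'Application'; Id = 507 } -MaxEvents 10 -ErrorAction SilentlyContinue |
          Where-Object { $_.ProviderName -like '*Update Services*' }
    if (-not $ev) { Write-Warning 'No WSUS event 507 found; the console failure may have another cause' }
    if ($PSCmdlet.ShouldProcess('WSUS', 'wsusutil postinstall /servicing, add HTTP Activation, restart service')) {
        & $WsusUtil postinstall /servicing
        if ($LASTEXITCODE -ne 0) { throw "wsusutil exited with code $LASTEXITCODE" }
        Install-WindowsFeature -Name NET-WCF-HTTP-Activation45 | Out-Null
        Restart-Service -Name WsusService
    }
}

# Usage:
# Test-WsusClientPolicy | Format-Table          # on a client that is not showing up
# Complete-WsusServicingUpdate -WhatIf          # on the WSUS server, then without -WhatIf
```

On a client that still will not report in after the URLs check out, `wuauclt /detectnow` (or `UsoClient StartScan` on Windows 10) forces a detection cycle so you are not waiting on the default schedule.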

After all that heartache, I finally have a functioning WSUS deployment.

Creating an ADMX/ADML Central Store

As time goes on, Microsoft releases new features to be controlled with Group Policy.  You add these new policy settings by downloading .admx and .adml template files from Microsoft and putting them where the Group Policy editor will find them.  Without a Central Store, the editor reads the local PolicyDefinitions folder of whichever machine you run it on, so two admin workstations (or two DCs) can show different sets of settings.  A Central Store in SYSVOL gives every editor in the domain the same templates, so there are no discrepancies; you want one as soon as policy is edited from more than one machine.

To create it, log in to the PDC emulator (or the DC with the newest version of Windows Server, so the templates you copy are the most current) and navigate to C:\Windows.  You will find a directory named PolicyDefinitions here.  Copy that directory into C:\Windows\SYSVOL\domain\Policies.  This pasted PolicyDefinitions folder is now the Central Store: SYSVOL replicates it to every DC, and the Group Policy editor uses it instead of any local templates.  Note that once it exists it is used exclusively, so it must contain the operating system templates as well as any add-ons.  After this you simply download the admx/adml files that you wish to add from Microsoft and paste them into your new PolicyDefinitions folder and the corresponding language folder(s), e.g. en-US.  For example, to add settings for controlling Microsoft Office 2016, download the Office admx/adml files from Microsoft and add them to the appropriate folders.  Easy peasy!
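Added example (not from the original post): creating the Central Store over the SYSVOL share and merging a downloaded template pack into it, skipping any .admx that has no matching .adml for the chosen language (a template without its language file breaks the editor for every admin in the domain). It assumes you are running as a domain admin with write access to SYSVOL, that the domain name comes from $env:USERDNSDOMAIN, and that the download folder has the usual layout of .admx files next to a language subfolder; the paths in the usage lines are hypothetical.

```powershell
# Added example, not the post's own steps. Requires write access to SYSVOL (domain admin).
function Initialize-AdmxCentralStore {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$Domain = $env:USERDNSDOMAIN,
        [string]$Source = "$env:windir\PolicyDefinitions"   # the local OS templates to seed the store with
    )
    $store = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
    if (Test-Path $store) { Write-Verbose "Central store already exists at $store"; return $store }
    if ($PSCmdlet.ShouldProcess($store, "Create from $Source")) {
        Copy-Item -Path $Source -Destination $store -Recurse
    }
    return $store
}

function Add-AdmxTemplates {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][string]$Source,    # folder with the downloaded *.admx and <lang>\*.adml
        [Parameter(Mandatory)][string]$Store,
        [string]$Language = 'en-US'
    )
    $langDir = Join-Path $Store $Language
    New-Item -ItemType Directory -Path $langDir -Force | Out-Null
    foreach ($admx in Get-ChildItem -Path $Source -Filter *.admx) {
        $adml = Join-Path $Source "$Language\$($admx.BaseName).adml"
        if (-not (Test-Path $adml)) {
            # An .admx without its .adml makes the editor throw resource errors for everyone
            Write-Warning "Skipping $($admx.Name): no $Language .adml found"
            continue
        }
        if ($PSCmdlet.ShouldProcess($admx.Name, "Copy to $Store")) {
            Copy-Item -Path $admx.FullName -Destination $Store -Force
            Copy-Item -Path $adml -Destination $langDir -Force
        }
    }
}

# Usage (hypothetical download folder):
# $store = Initialize-AdmxCentralStore
# Add-AdmxTemplates -Source 'C:\Downloads\Office2016ADMX' -Store $store -WhatIf
```

Because every domain admin can edit policy but only templates in the store are visible, keep the store under change control: a stray or tampered .admx there changes what every administrator sees and sets.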