How to Add New Lookup Domains into Windows DNS Suffixes

Error message:

[server005.intranet.kimconnect.com]: PS E:\Users\kimconnect\Documents> add-localgroupmember -Group 'remote desktop users' -Member 'DMZ/testUser'
add-localgroupmember : Principal DMZ/testUser was not found.
+ CategoryInfo : ObjectNotFound: (DMZ/testUser:String) [Add-LocalGroupMember], PrincipalNotFoundException
+ FullyQualifiedErrorId : PrincipalNotFound,Microsoft.PowerShell.Commands.AddLocalGroupMemberCommand

# Resolution: Add Entries to DNS Suffixes

# The short domain name in the principal has to be resolvable from this host. Prepending the
# domain's DNS name to the suffix search list is what lets 'DMZ' be resolved as a qualified name.
# The list is global (all adapters) and persists across reboots.
$addDomains=@('dmz.kimconnect.com')
$currentList=(Get-DnsClientGlobalSetting).SuffixSearchList
# Prepend only suffixes that are not already present, so re-running the script is harmless
$newList=@($addDomains)+@($currentList|Where-Object{$_ -notin $addDomains})
Set-DnsClientGlobalSetting -SuffixSearchList $newList
(Get-DnsClientGlobalSetting).SuffixSearchList   # verify

# Use the legacy command to add the user into the local group on versions without the
# LocalAccounts module (it ships with PowerShell 5.1 / Windows 10 / Server 2016 and later).
# Principals are written as DOMAIN\user.

net localgroup 'remote desktop users' DMZ\testUser /add

PowerShell: How To Configure Static IP Address

$nicName='NIC1'
$ipAddress='192.168.0.222'
$cidrPrefix=24
$defaultGateway='192.168.0.1'
$dnsServers=@('8.8.8.8','8.8.4.4')
$disableIpv6=$true

function setNic($nicName,$ipAddress,$cidrPrefix,$defaultGateway,$dnsServers,$disableIpv6=$true){
	$adapter=Get-NetAdapter -Name $nicName -ErrorAction Stop
	$ifIndex=$adapter.ifIndex
	# New-NetIPAddress fails if the interface already carries an address or a default route,
	# so switch DHCP off and clear the existing IPv4 configuration first
	Set-NetIPInterface -InterfaceIndex $ifIndex -AddressFamily IPv4 -Dhcp Disabled
	Get-NetIPAddress -InterfaceIndex $ifIndex -AddressFamily IPv4 -ErrorAction SilentlyContinue|Remove-NetIPAddress -Confirm:$false
	Get-NetRoute -InterfaceIndex $ifIndex -AddressFamily IPv4 -DestinationPrefix '0.0.0.0/0' -ErrorAction SilentlyContinue|Remove-NetRoute -Confirm:$false
	New-NetIPAddress -InterfaceIndex $ifIndex -IPAddress $ipAddress -PrefixLength $cidrPrefix -DefaultGateway $defaultGateway
	Set-DnsClientServerAddress -InterfaceIndex $ifIndex -ServerAddresses $dnsServers
	# unbind IPv6 from the adapter (ms_tcpip6 is the component ID of the IPv6 stack)
	if($disableIpv6){Disable-NetAdapterBinding -Name $nicName -ComponentID ms_tcpip6}
}
setNic $nicName $ipAddress $cidrPrefix $defaultGateway $dnsServers $disableIpv6

Intermittent Ping Request Timeouts Due to an Outdated ARP Table Entry for an Ubuntu Server

Scenario:

– Server A and Server B are the same hardware model with the same capacity
– The hard drives of Server A and Server B were recently swapped: Server A's drives now sit in Server B's chassis and vice versa
– Server A had been running Ubuntu Linux; Server B had been running VMware
– Server A, now carrying Server B's VMware install, booted without problems
– Server B, now carrying Server A's Ubuntu Server install, also booted
– Other servers on the same VLAN could reach Server B without problems
– Users on other VLANs complained that they could not reach Server B at the IP address the Ubuntu install had been using on Server A, even though that address had been statically configured before the drive swap
– Pings to Server B alternated between replies and failures:

From 10.10.140.128 icmp_seq=760 Destination Host Unreachable
From 10.10.140.128 icmp_seq=761 Destination Host Unreachable
From 10.10.140.128 icmp_seq=762 Destination Host Unreachable
64 bytes from 10.10.100.228: icmp_seq=1 ttl=64 time=1.199 ms

Troubleshooting:

– On the clients that could not connect, run 'arp -a' to see which MAC address they hold for the server's IP
– On the hosts and the gateway that could not reach it, the cached MAC for the old Server A address no longer matched the NIC that now answers for it: the Ubuntu install runs in Server B's chassis and therefore replies from Server B's NIC, while stale ARP entries still pointed elsewhere. Hosts on the same VLAN that had refreshed their entry got through; hosts behind the router, whose ARP cache had not expired, did not
– Server B's current MAC was confirmed with either 'ifconfig' or 'ip addr show'. Note that the address shows as 'dynamic', i.e. a DHCP lease: if the DHCP server holds a reservation tied to the old MAC, that reservation needs updating as well

testuser@ubuntu-server:~$ ifconfig
eno1: flags=4163<UP,BROADCAST,RUNNING,MULTICAST> mtu 1500
inet 10.10.100.228 netmask 255.255.255.0 broadcast 10.10.100.255
ether 72:c8:fb:5e:1d:eb txqueuelen 1000 (Ethernet)
RX packets 543498 bytes 634630257 (634.6 MB)
RX errors 0 dropped 5 overruns 0 frame 0
TX packets 118913 bytes 17683157 (17.6 MB)
TX errors 0 dropped 0 overruns 0 carrier 0 collisions 0
device interrupt 16 memory 0xb8a00000-b8a20000

testuser@ubuntu-server:~$ ip addr show
2: eno1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc fq_codel state UP group default qlen 1000
link/ether 72:c8:fb:5e:1d:eb brd ff:ff:ff:ff:ff:ff
inet 10.10.100.228/24 brd 10.10.100.255 scope global dynamic noprefixroute eno1
valid_lft 85514sec preferred_lft 85514sec
Resolution:

When an Ubuntu Server drive is moved into another chassis, the install comes up with the new NIC's MAC address while other hosts and the gateway may still cache the old one. Either make the rest of the network forget the old mapping (flush the neighbor cache on the gateway, or have the server announce itself with a gratuitous ARP), or, as the workaround used here, clone the old MAC address onto the new host's interface so that the stale entries become correct again. Cloning is only safe if the original NIC is no longer active on the same VLAN with that MAC (Server A's hardware still has it); two interfaces sharing a MAC on one segment will make the switch's MAC table flap between ports.

GUI method: click the network icon > Edit connections > select the current connection > Edit > Ethernet tab > set "Cloned MAC address" to the desired MAC (or choose "Stable" / "Permanent") > disconnect and reconnect the interface.

CLI method (legacy ifupdown configuration; Ubuntu releases that use netplan set the MAC with a "macaddress:" key under the interface in /etc/netplan/*.yaml instead):

# Edit the interfaces file
sudo vim /etc/network/interfaces
# add a static stanza for the interface (use the real interface name, e.g. eno1, and your own addresses)
auto eth0
iface eth0 inet static
    address 10.10.100.228/24
    gateway GATEWAY-IP-HERE
    hwaddress ether 00:00:00:00:MAC-ADDRESS-HERE
# apply: restart the server (or: sudo ifdown eth0 && sudo ifup eth0)
sudo reboot

Optional: switches relearn a moved MAC from the first frame they see on the new port, but routers keep ARP entries until they time out, so clients behind the gateway keep failing until that cache is flushed. The server can also push the new mapping out itself with a gratuitous ARP (iputils: sudo arping -U -I eno1 10.10.100.228). Here is how to flush the neighbor (ARP) table on a router or switch that runs a Linux-based OS:

# flush Mac Table of a Linux based router/switch
admin@test-switch:~$ sudo ip -s -s neigh flush all
[sudo] password for kim:
10.10.100.100 dev eno1 used 1420/1495/1417 probes 6 FAILED
10.10.100.50 dev eno1 lladdr 00:0c:29:27:3b:13 used 2599/2159/2099 probes 6 STALE
10.10.100.2 dev eno1 used 1026/1338/1023 probes 6 FAILED
10.10.100.1 dev eno1 lladdr 74:83:c2:df:f9:8b ref 1 used 2617/0/2617 probes 4 REACHABLE
10.10.100.11 dev eno1 used 971/2677/969 probes 6 FAILED
10.10.100.5 dev eno1 lladdr 00:11:32:e4:c5:ca used 137/132/108 probes 1 STALE

*** Round 1, deleting 6 entries ***
*** Flush is complete after 1 round ***

PowerShell: Check IP Conflicts of Computers in Active Directory

We have run into cases where a group of virtual machines on a DHCP subnet reboots after an unexpected event. On restart, those machines take whatever addresses the DHCP server hands out. In an ideal environment, where every VM has a DHCP reservation for its MAC address, that is harmless. In practice, reservations get skipped, and the DHCP server then leases an address that another machine is already using. This is even more likely when addresses inside the DHCP scope have been set statically on some machines. The result is IP conflicts, and because most Windows machines register themselves in Active Directory-integrated DNS, forward (A) and reverse (PTR) records also end up wrong. The script below checks a short list of known machines for the DNS symptom: it resolves each name, reverse-resolves the address it got, and flags names whose forward and reverse lookups disagree. A mismatch proves a stale record, not necessarily a live conflict; the conflicting host is confirmed by the MAC that answers for the address (a WMI query of the host the PTR points at, or the ARP table of a host on the same subnet). A future version would scan a whole subnet to gather the machine names automatically. Until then…

$computernames=@(
    'server001',
    'server002',
    'server003'
)

function checkIpConflicts($computerNames){
  $results=@()
  foreach ($computer in $computerNames){
    try{
      # GetHostAddresses returns every address (v4 and v6); take the first IPv4 one
      $ipAddress=([System.Net.Dns]::GetHostAddresses($computer)|Where-Object{$_.AddressFamily -eq 'InterNetwork'}|Select-Object -First 1).IPAddressToString
      $ipReverseLookup=[System.Net.Dns]::GetHostEntry($ipAddress).HostName
    }catch{
      write-warning "$computer`: $_"
      $results+=[pscustomobject]@{computerName=$computer;ipAddress=$ipAddress;ipReverseLookup='LookupError';macAddress='N/A';isMismatched=$null;dnsRecordMac='N/A'}
      continue
    }
    # compare short host names so 'server001' and 'server001.kimconnect.com' count as the same machine
    $isMismatched=$computer.split('.')[0] -ne $ipReverseLookup.split('.')[0]
    $macAddress=$(try{
      (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" -ComputerName $computer -EA Stop).MacAddress
    }catch{
      write-warning "$computer`: $_"
      'ConnectionError'
    })
    # when the PTR points at another name, ask that host for its MAC: if it answers, it really holds the address
    $dnsRecordMac=if($isMismatched){
      try{
        (Get-CimInstance -ClassName Win32_NetworkAdapterConfiguration -Filter "IPEnabled='True'" -ComputerName $ipReverseLookup -EA Stop).MacAddress
      }catch{
        write-warning "$ipReverseLookup`: $_"
        'ConnectionError'
      }
    }else{'N/A'}
    $results+=[pscustomobject]@{
      computerName=$computer
      ipAddress=$ipAddress
      ipReverseLookup=$ipReverseLookup
      macAddress=$macAddress
      isMismatched=$isMismatched
      dnsRecordMac=$dnsRecordMac
    }
  }
  return $results
}

checkIpConflicts $computerNames

Sample Output:

computerName ipAddress ipReverseLookup            macAddress        isMismatched dnsRecordMac
------------ --------- ---------------            ----------        ------------ ------------
server00001  x.x.x.x   server00008                00:15:5D:xx:xx:xx         True ConnectionError
server00002  x.x.x.x   server00002.kimconnect.com 00:0C:29:xx:xx:xx        False N/A
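The script above starts from a list of names. The DNS side of the same problem can be checked from the zone itself: an address that more than one A record claims is exactly what a skipped reservation or a static/DHCP overlap leaves behind. The following is an added example, not code from the original post. It needs the DnsServer module (RSAT-DNS-Server) and rights to read the zone; the zone, server and excluded names in the usage lines are placeholders.

```powershell
function Find-DuplicateARecord {
    param(
        [Parameter(Mandatory)][string]$ZoneName,
        [string]$DnsServer = 'localhost',
        # names that legitimately share an address (cluster names, listener objects)
        [string[]]$Exclude = @()
    )
    $records = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType A -ComputerName $DnsServer |
        Where-Object { $_.HostName -ne '@' -and $_.HostName -notin $Exclude }

    $records |
        Group-Object { $_.RecordData.IPv4Address.IPAddressToString } |
        Where-Object Count -gt 1 |
        ForEach-Object {
            [pscustomobject]@{
                IPAddress = $_.Name
                HostNames = ($_.Group.HostName | Sort-Object -Unique) -join ', '
                Count     = $_.Count
                # Timestamp is empty for static records; an old dynamic record is the usual leftover
                OldestDynamic = $_.Group.Timestamp | Where-Object { $_ } | Sort-Object | Select-Object -First 1
                # which of the names the reverse zone currently answers with (empty if no PTR)
                PtrName   = ((Resolve-DnsName -Name $_.Name -Type PTR -Server $DnsServer -DnsOnly -ErrorAction SilentlyContinue |
                               Where-Object Type -eq 'PTR').NameHost -join ', ')
            }
        }
}

# Usage (zone, server and excluded name are placeholders):
$dupes = Find-DuplicateARecord -ZoneName 'kimconnect.com' -DnsServer 'dc01' -Exclude 'clusterfs01'
$dupes | Format-Table -AutoSize
```

A duplicate with an old `OldestDynamic` timestamp is normally a record that scavenging has not removed yet; a duplicate where both records are static (empty timestamp) is a configuration error. Which MAC actually holds the address on the wire is a separate question, answered from the ARP cache of a host on that subnet.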

IpConfig Shows Static IP Address Status as Duplicate

Just the other night, I received a call from the team about NetApp changes affecting virtual machines in Hyper-V that had triggered automatic migrations. There was a lot of confusion, but our Hyper-V clusters proved mostly resilient: most guest VMs were back online after about 10 minutes. Some, however, still showed as unreachable in Nagios, and I consoled into each of them manually. Three issues kept machines offline:

  1. Windows 7 blue screens
  2. Windows 7 automatic repair wizard leaving reboots stuck
  3. Windows 10 machines whose static IP address showed as Duplicate in ipconfig because another machine on the network claimed the same address. Windows detects the conflict with gratuitous ARP when the address is brought up, marks the address Duplicate and stops using it (the adapter itself stays up; the System log records the other host's MAC in Tcpip event 4199). In my case I traced the collisions and forced one machine to be authoritative for its assigned IP. The command below lowers the number of gratuitous ARP probes Windows sends (ArpRetryCount is a REG_DWORD in the range 0-3, default 3; 0 disables the check entirely) so that the address comes up, then reboots. It is a workaround: the other host still holds the address, and until it is fixed or removed the two will keep stealing traffic from each other.
    Set-ItemProperty "REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" -Name "ArpRetryCount" -Value 1 -Type DWord; Restart-Computer
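Both of the ARP stories above (the stale cache after the Ubuntu drive swap, and the Duplicate address here) can be checked from a Windows host without reading netstat by eye. The following is an added example, not code from either original post: Compare-ServerNeighbor tells whether this client's ARP cache still maps a server's IP to the NIC it used before a hardware move and can drop the stale entry; Get-DuplicateAddress lists local addresses Windows has marked Duplicate together with the MAC of the other claimant, taken from the Tcpip 4199 events in the System log. The address and MAC values in the usage lines are placeholders, and Remove-NetNeighbor needs an elevated shell.

```powershell
function Compare-ServerNeighbor {
    param(
        [Parameter(Mandatory)][string]$ServerIP,
        # the MAC the server reports for itself ('ip link' / Get-NetAdapter), any separator
        [Parameter(Mandatory)][string]$ExpectedMac,
        [switch]$Flush
    )
    $norm = { param($m) ($m -replace '[^0-9A-Fa-f]', '').ToUpperInvariant() }
    # one probe so the cache holds a current entry if the host is on-link
    $null = Test-Connection -ComputerName $ServerIP -Count 1 -Quiet -ErrorAction SilentlyContinue
    $entry = Get-NetNeighbor -IPAddress $ServerIP -AddressFamily IPv4 -ErrorAction SilentlyContinue |
        Select-Object -First 1
    if (-not $entry -or -not $entry.LinkLayerAddress) {
        # no entry means the server is behind a router: the cache that matters is the gateway's
        return [pscustomobject]@{ ServerIP = $ServerIP; CachedMac = $null; State = 'none'; IsCurrent = $false; Flushed = $false }
    }
    $isCurrent = (& $norm $entry.LinkLayerAddress) -eq (& $norm $ExpectedMac)
    $flushed = $false
    if (-not $isCurrent -and $Flush) {
        # the next packet to the server triggers a fresh ARP request
        Remove-NetNeighbor -IPAddress $ServerIP -AddressFamily IPv4 -Confirm:$false
        $flushed = $true
    }
    [pscustomobject]@{
        ServerIP  = $ServerIP
        CachedMac = $entry.LinkLayerAddress
        State     = $entry.State
        IsCurrent = $isCurrent
        Flushed   = $flushed
    }
}

function Get-DuplicateAddress {
    param([int]$LookbackHours = 24)
    $since = (Get-Date).AddHours(-$LookbackHours)
    # Tcpip logs event 4199 with the conflicting host's MAC each time a conflict is detected
    $conflicts = Get-WinEvent -FilterHashtable @{ LogName = 'System'; ProviderName = 'Tcpip'; Id = 4199; StartTime = $since } -ErrorAction SilentlyContinue |
        ForEach-Object {
            if ($_.Message -match 'IP address (\S+) with the system having network hardware address ([0-9A-Fa-f:-]{17})') {
                [pscustomobject]@{ IPAddress = $Matches[1]; ClaimantMac = $Matches[2]; Time = $_.TimeCreated }
            }
        }
    Get-NetIPAddress -AddressFamily IPv4 | Where-Object AddressState -eq 'Duplicate' | ForEach-Object {
        $ip = $_.IPAddress
        $last = $conflicts | Where-Object IPAddress -eq $ip | Sort-Object Time -Descending | Select-Object -First 1
        [pscustomobject]@{
            InterfaceAlias = $_.InterfaceAlias
            IPAddress      = $ip
            LocalMac       = (Get-NetAdapter -InterfaceIndex $_.InterfaceIndex).MacAddress
            ClaimantMac    = $last.ClaimantMac
            LastConflict   = $last.Time
        }
    }
}

# Usage (placeholder address and MAC):
# Compare-ServerNeighbor -ServerIP '10.10.100.228' -ExpectedMac '72:c8:fb:5e:1d:eb' -Flush
# Get-DuplicateAddress | Format-Table -AutoSize
# Lowering ArpRetryCount (as above) only reduces how hard Windows looks for the claimant; the
# ClaimantMac column is the machine that actually has to be fixed.
```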

Linux: How To Use Dig

Querying a Specific Name Server (A Records)

kim@kim-linux:~$ dig @8.8.8.8 microsoft.com

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 microsoft.com
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 47352
;; flags: qr rd ra; QUERY: 1, ANSWER: 5, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;microsoft.com.			IN	A

;; ANSWER SECTION:
microsoft.com.		816	IN	A	104.215.148.63
microsoft.com.		816	IN	A	40.76.4.15
microsoft.com.		816	IN	A	40.112.72.205
microsoft.com.		816	IN	A	40.113.200.201
microsoft.com.		816	IN	A	13.77.161.179

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 29 09:41:15 PDT 2021
;; MSG SIZE  rcvd: 122

Looking Up TXT Records (Including SPF)

kim@kim-linux:~$ dig @8.8.8.8 microsoft.com txt

; <<>> DiG 9.16.1-Ubuntu <<>> @8.8.8.8 microsoft.com txt
; (1 server found)
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 42064
;; flags: qr rd ra; QUERY: 1, ANSWER: 16, AUTHORITY: 0, ADDITIONAL: 1

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 512
;; QUESTION SECTION:
;microsoft.com.			IN	TXT

;; ANSWER SECTION:
microsoft.com.		2127	IN	TXT	"docusign=d5a3737c-c23c-4bd0-9095-d2ff621f2840"
microsoft.com.		2127	IN	TXT	"v=spf1 include:_spf-a.microsoft.com include:_spf-b.microsoft.com include:_spf-c.microsoft.com include:_spf-ssg-a.microsoft.com include:spf-a.hotmail.com include:_spf1-meo.microsoft.com -all"
microsoft.com.		2127	IN	TXT	"google-site-verification=Zv1IvEEZg4N9wbEXpBSSyAiIjDyyB3S-fzfFClb7D1E"
microsoft.com.		2127	IN	TXT	"adobe-sign-verification=c1fea9b4cdd4df0d5778517f29e0934"
microsoft.com.		2127	IN	TXT	"docusign=52998482-393d-46f7-95d4-15ac6509bfdd"
microsoft.com.		2127	IN	TXT	"google-site-verification=8-zFCaUXhhPcvN29EVw2RvtASDCaDPQ02L1HJ8Om8I0"
microsoft.com.		2127	IN	TXT	"adobe-idp-site-verification=8aa35c528af5d72beb19b1bd3ed9b86d87ea7f24b2ba3c99ffcd00c27e9d809c"
microsoft.com.		2127	IN	TXT	"d365mktkey=4d8bnycx40fy3581petta4gsf"
microsoft.com.		2127	IN	TXT	"8RPDXjBzBS9tu7Pbysu7qCACrwXPoDV8ZtLfthTnC4y9VJFLd84it5sQlEITgSLJ4KOIA8pBZxmyvPujuUvhOg=="
microsoft.com.		2127	IN	TXT	"google-site-verification=1TeK8q0OziFl4T1tF-QR65JkzHZ1rcdgNccDFp78iTk"
microsoft.com.		2127	IN	TXT	"d365mktkey=3uc1cf82cpv750lzk70v9bvf2"
microsoft.com.		2127	IN	TXT	"facebook-domain-verification=fwzwhbbzwmg5fzgotc2go51olc3566"
microsoft.com.		2127	IN	TXT	"apple-domain-verification=0gMeaYyYy6GLViGo"
microsoft.com.		2127	IN	TXT	"google-site-verification=pjPOauSPcrfXOZS9jnPPa5axowcHGCDAl1_86dCqFpk"
microsoft.com.		2127	IN	TXT	"fg2t0gov9424p2tdcuo94goe9j"
microsoft.com.		2127	IN	TXT	"t7sebee51jrj7vm932k531hipa"

;; Query time: 4 msec
;; SERVER: 8.8.8.8#53(8.8.8.8)
;; WHEN: Fri Oct 29 09:39:39 PDT 2021
;; MSG SIZE  rcvd: 1261

How to Cram For a Test

From my experience, the trick to memorizing 10,000+ questions and answers at the 90% accuracy level was to read, and practise hands-on, every question on the first pass (about 10 hours per day x 6 days x 19 weeks). On the second pass, I marked every question I recalled inaccurately. On the third pass, I read only the marked questions and repeated until the last batch could be recalled at 100% accuracy. On test day I would still miss some items and be surprised by a few more, and I might have to retake the test more than once to pass with a score of 85%+.
 
The trick is to train my brain to pay attention only to mistakes, not to everything. It is easy to do because we humans are natural at learning from mistakes. This is how proper planning can beat a genius.

Domain Name Records Overview: A-record, MX, DKIM, SPF, SRV

A RECORD (A-host):

– What: an address record (A record) maps a name to one or more IPv4 addresses. The IPv6 equivalent is the AAAA record
– Why: name to address translation is what lets a user type a name and reach the IP address of the web server
– Who: the domain admin sets these up, and they affect every user of the domain
– How:
kimconnect.com  record type: A  value: x.x.x.x  TTL: 14400
@ A x.x.x.x 14400

MX (Mail Exchange):

– What: mail exchange (MX) records name the mail servers that accept mail for the domain, each with a priority (lower number is tried first). The target must be a host name with its own A/AAAA record, not a CNAME
– Why: these entries control how email messages are routed in accordance with the Simple Mail Transfer Protocol (SMTP)
– Who: domain admins can edit these records
– How: below is an example of mail records for a domain pointing at 2 mail servers with different priorities
kimconnect.com  record type: MX  priority  value  TTL
@ MX 10 mail1.kimconnect.com 45000
@ MX 20 mail2.kimconnect.com 45000

SPF (Sender Policy Framework):

– What: Sender Policy Framework (SPF) is a policy published as a TXT record at the domain's apex
– Why: SPF records list which mail servers are permitted to send email on behalf of your domain, so receivers can reject or mark mail that forges your domain in the envelope sender (MAIL FROM). SPF on its own says nothing about the header From: address that users see; aligning the two is DMARC's job
– Who: domain admins make these changes. Users benefit from receiving less forged mail and from legitimate company mail not being flagged
– How (examples):
a. Simple:
- v=spf1 include:_spf.google.com ~all (Google)
- v=spf1 include:spf.protection.outlook.com ~all (Microsoft)
b. Complex:
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK include:_spf.google.com ~all (Google)
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK include:spf.protection.outlook.com ~all (Microsoft)
- v=spf1 ip4:IP.ADDRESS.HERE/NETMASK include:spf.protection.outlook.com include:_spf.google.com include:aem.autotask.net include:customers.clickdimensions.com ~all (Google, Microsoft, ClickDimensions, Autotask)

Explanations

  • v=spf1 : marks the SPF version; v=spf1 is the version in use
  • ip4 / ip6 : a single address or a CIDR range that is allowed to send
  • mx : allows the hosts named in the domain's MX records to send
  • include : allows the senders listed in another domain's SPF record (a third-party provider)
  • a : allows the addresses in the domain's own A/AAAA records
  • +all : allows any IP to send for the domain (this makes the record useless)
  • -all : hard fail, no other IP may send for the domain
  • ~all : soft fail, mail from other IPs is accepted but marked
  A receiver evaluates at most 10 DNS-lookup terms (include, a, mx, ptr, exists, redirect) per record, with nested includes counted against the same budget; a record that exceeds the limit yields a permanent error, so every added include costs budget. A domain may publish only one SPF record; two records are also a permanent error.

DKIM (DomainKeys Identified Mail):

– What: a signing scheme for outbound mail. The sending server holds a private key and adds a DKIM-Signature header carrying a signature over selected headers and a hash of the body (the bh= tag). The matching public key is published in DNS as a TXT record under <selector>._domainkey.<domain>; the s= tag in the signature names the selector, so several keys can coexist and be rotated. The receiving server fetches the public key and verifies the signature, which proves the message was sent by a holder of the key and was not altered in transit (by itself it says nothing about whether the message is spam)
– Why: to prevent email spoofing and tampering
– Who: domain admins make these changes
– How: (source: Google)

  1.  Generate the domain key for your domain (For Google: https://support.google.com/a/answer/174126?hl=en&ref_topic=2752442)
  2.  Add the public key to your domain's DNS records under the selector name
    • Example: google._domainkey.kimconnect.com. 300 IN TXT "v=DKIM1; k=rsa; p=SOMEHASH" "MOREHASH"
      (a key longer than 255 characters is split into several quoted strings that the verifier joins; 2048-bit RSA keys need this)
  3.  Turn on signing at the email server(s) so that a DKIM signature is added to all outgoing messages
    • Example: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed;
      d=kimconnect.com; s=google;
      h=sender:mime-version:from:to:date:subject:message-id
      :x-original-sender:x-original-authentication-results:precedence
      :mailing-list:list-id:list-post:list-help:list-archive
      :list-unsubscribe;
      bh=SOMELONGHASH
      (the signature itself follows in the b= tag)

SRV (Service Records):

– What: service (SRV) records specify the host and port for a named service (SIP/VoIP, XMPP, the LDAP and Kerberos records Active Directory relies on, domain proof of ownership, etc.), plus a priority and a weight for choosing among several hosts
– Why: other record types carry no port information, and some protocols locate their servers only through SRV records
– Who: domain admins manage these in the DNS zone control panel
– How: the name is _service._protocol.domain; the target must be a host name with an A record (IPv4) or AAAA record (IPv6), not a CNAME. The fields after the name are priority, weight, port and target. Below are some examples
_sip._tls.@              100 1 443  sipdir.online.lync.com. (Microsoft Lync)
_sipfederationtls._tcp.@ 100 1 5061 sipfed.online.lync.com. (Microsoft Lync)
_xmpp._tcp.kimconnect.com. 86400 IN SRV 10 5 5223 xmpp.kimconnect.com. (xmpp server)
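The SPF explanations above are easiest to check mechanically. The following is an added example, not code from the original post: Get-SpfSummary splits a record into its terms, reports which `all` qualifier it ends with, and counts the terms that consume the 10-lookup budget; Test-DkimSelector fetches a selector's public key record and joins the split strings before inspecting it. The three SPF strings are constructed inputs modelled on the examples above, and the domain and selector in the live-lookup line are placeholders.

```powershell
function Get-SpfSummary {
    param([Parameter(Mandatory)][string]$Record)
    if ($Record -notmatch '^v=spf1(\s|$)') { throw "Not an SPF record: $Record" }
    $terms = @($Record -split '\s+' | Select-Object -Skip 1 | Where-Object { $_ })
    $lookupTerms  = @()
    $ipNetworks   = @()
    $allQualifier = ''
    foreach ($term in $terms) {
        $qualifier = '+'            # the default qualifier is pass
        $body = $term
        if ($term -match '^[-+~?]') { $qualifier = $term.Substring(0, 1); $body = $term.Substring(1) }
        # mechanism name is everything before ':', '=' (modifiers) or '/' (a/24, mx/24)
        $name = ($body -split '[:=/]', 2)[0].ToLowerInvariant()
        switch ($name) {
            'all' { $allQualifier = $qualifier }
            { $_ -in 'include', 'a', 'mx', 'ptr', 'exists', 'redirect' } { $lookupTerms += $body }
            { $_ -in 'ip4', 'ip6' } { $ipNetworks += ($body -split ':', 2)[1] }
        }
    }
    $verdict = switch ($allQualifier) {
        '-' { 'fail: mail from unlisted senders is rejected' }
        '~' { 'softfail: mail from unlisted senders is accepted but marked' }
        '?' { 'neutral: no assertion about unlisted senders' }
        '+' { 'pass for everyone: the record authorizes the whole Internet' }
        default { 'no all term: unlisted senders get neutral' }
    }
    [pscustomobject]@{
        AllQualifier    = $allQualifier
        Verdict         = $verdict
        IpNetworks      = $ipNetworks
        LookupTerms     = $lookupTerms
        LookupCount     = $lookupTerms.Count   # top level only; each include's own record adds to the same budget
        OverLookupLimit = $lookupTerms.Count -gt 10
    }
}

function Test-DkimSelector {
    param([Parameter(Mandatory)][string]$Domain, [Parameter(Mandatory)][string]$Selector)
    $name = "$Selector._domainkey.$Domain"
    $txt = Resolve-DnsName -Name $name -Type TXT -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'TXT'
    # a key over 255 bytes is published as several quoted strings; verifiers concatenate them
    $record = -join $txt.Strings
    [pscustomobject]@{
        Name         = $name
        HasPublicKey = [bool]($record -match '(^|;)\s*p=[A-Za-z0-9+/=]+')
        Revoked      = [bool]($record -match '(^|;)\s*p=\s*(;|$)')   # empty p= means the key is revoked
        KeyType      = if ($record -match '(^|;)\s*k=(\w+)') { $Matches[2] } else { 'rsa (default)' }
    }
}

# Constructed inputs mirroring the examples above
$samples = @(
    'v=spf1 include:_spf.google.com ~all',
    'v=spf1 ip4:203.0.113.0/24 include:spf.protection.outlook.com include:_spf.google.com include:aem.autotask.net include:customers.clickdimensions.com -all',
    'v=spf1 +all'
)
$samples | ForEach-Object { Get-SpfSummary -Record $_ } | Format-Table AllQualifier, LookupCount, OverLookupLimit, Verdict -AutoSize
# Live lookup (placeholder selector and domain):
# Test-DkimSelector -Domain 'kimconnect.com' -Selector 'google'
```

The counter only sees the top level of the record: `include:spf.protection.outlook.com` alone expands to several more lookups inside Microsoft's record, so a top-level count of four or five includes is already close to the limit in practice.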

How to List All DNS Servers in a Domain

CMD Method:

PS C:\Windows\system32> nslookup
Default Server:  dc02.intranet.kimconnect.com
Address:  10.20.10.10

> set type=ns
> intranet.kimconnect.com
Server:  dc02.intranet.kimconnect.com
Address:  10.20.10.10

intranet.kimconnect.com   nameserver = dc02.intranet.kimconnect.com
intranet.kimconnect.com   nameserver = dc03.intranet.kimconnect.com
intranet.kimconnect.com   nameserver = dc01.intranet.kimconnect.com
intranet.kimconnect.com   nameserver = dc04.intranet.kimconnect.com
intranet.kimconnect.com   nameserver = dc05.intranet.kimconnect.com
intranet.kimconnect.com   nameserver = dc06.intranet.kimconnect.com
dc01.intranet.kimconnect.com      internet address = 10.10.10.10
dc02.intranet.kimconnect.com      internet address = 10.20.10.10
dc03.intranet.kimconnect.com      internet address = 10.30.10.10
dc04.intranet.kimconnect.com      internet address = 10.40.10.10
dc05.intranet.kimconnect.com      internet address = 10.50.10.10
dc06.intranet.kimconnect.com      internet address = 10.60.10.10
> exit

PowerShell Method (the filter keeps only the glue A records from the Additional section, one per name server; drop it to see the NS records themselves):

PS C:\Windows\system32> Resolve-DnsName intranet.kimconnect.com -Type NS|?{$_.IP4Address}

Name                          Type  TTL   Section    IPAddress
----                          ----  ---   -------    ---------
dc01.intranet.kimconnect.com  A     3600  Additional 10.10.10.10
dc02.intranet.kimconnect.com  A     3600  Additional 10.20.10.10
dc03.intranet.kimconnect.com  A     3600  Additional 10.30.10.10
dc04.intranet.kimconnect.com  A     3600  Additional 10.40.10.10
dc05.intranet.kimconnect.com  A     3600  Additional 10.50.10.10
dc06.intranet.kimconnect.com  A     1200  Additional 10.60.10.10
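The listings above show what is published; they do not say whether each name server is still a real domain controller. The following is an added example, not code from the original post: it cross-checks every NS host of the zone against the domain's actual domain controllers and against port 53, which catches the NS record a demoted DC leaves behind (clients and secondaries keep trying a server that no longer answers). It needs the ActiveDirectory RSAT module; the zone defaults to the current domain, so no names are hard-coded.

```powershell
function Get-StaleNameServer {
    param([string]$Zone = (Get-ADDomain).DNSRoot)
    $dcNames = Get-ADDomainController -Filter * -Server $Zone |
        ForEach-Object { $_.HostName.TrimEnd('.').ToLowerInvariant() }
    $nsRecords = Resolve-DnsName -Name $Zone -Type NS -DnsOnly -ErrorAction Stop |
        Where-Object Type -eq 'NS'
    foreach ($record in $nsRecords) {
        $nsHost = $record.NameHost.TrimEnd('.').ToLowerInvariant()
        $addresses = @($(try {
            (Resolve-DnsName -Name $nsHost -Type A -DnsOnly -ErrorAction Stop | Where-Object Type -eq 'A').IPAddress
        } catch { @() }))
        # listening on 53 is the real test; a stale record usually fails here first
        $answers = if ($addresses) {
            [bool](Test-NetConnection -ComputerName $addresses[0] -Port 53 -InformationLevel Quiet -WarningAction SilentlyContinue)
        } else { $false }
        [pscustomobject]@{
            NameServer         = $nsHost
            IPAddress          = ($addresses -join ', ')
            IsDomainController = $nsHost -in $dcNames
            Resolves           = [bool]$addresses
            AnswersDns         = $answers
        }
    }
}

# Stale = not a DC, does not resolve, or does not answer on 53
Get-StaleNameServer | Where-Object { -not $_.IsDomainController -or -not $_.AnswersDns } | Format-Table -AutoSize
```

An NS record that still resolves but does not answer is worth removing promptly: a resolver that picks it waits for a timeout before moving on, which is the same fixed delay described further down for LDAP lookups.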

PowerShell: Remove A-record in Bluecat

$bluecatUri='https://bluecat.kimconnect.com/Services/API'
# Do not leave the API account's password in the script; prompt for it (or pull it from a vault) at run time.
# The BlueCat SOAP login itself needs the plaintext, so keep the endpoint on https.
$bluecatCredential=Get-Credential -UserName 'bluecat-service-api' -Message 'BlueCat API service account'
$bluecatUsername=$bluecatCredential.UserName
$bluecatPassword=$bluecatCredential.GetNetworkCredential().Password
$hostRecord='testrecord.kimconnect.com'

# New-WebServiceProxy exists in Windows PowerShell 5.1 only (it is not available in PowerShell 7)
function loginBluecat{
    param(
        $username,
        $password,
        $uri
    )
    $proxy = New-WebServiceProxy -Uri "$($uri)?wsdl"
    $proxy.url = $uri
    # the session cookie returned by login() must be carried on every later call
    $cookieContainer = New-Object System.Net.CookieContainer
    $proxy.CookieContainer = $cookieContainer
    $proxy.login($username, $password)
    return $proxy
} 

function confirmation($content,$testValue="I confirm",$maxAttempts=3){
  $confirmed=$false
  $attempts=0
  clear-host  
  write-host $($content|out-string).trim()
  write-host "`r`nPlease review this content for accuracy.`r`n"
  while ($attempts -le $maxAttempts){
      if($attempts++ -ge $maxAttempts){
          write-host "A maximum number of attempts have reached. No confirmations received!`r`n"
          break;
          }
      $userInput = Read-Host -Prompt "Please type in this value => $testValue <= to confirm. Input CANCEL to skip this item";
      if ($userInput.ToLower() -eq $testValue.ToLower()){
          $confirmed=$true;
          write-host "Confirmed!`r`n";
          break;                
      }elseif($userInput -like 'cancel'){
          write-host 'Cancel command received.'
          $confirmed=$false
          break
      }else{
          clear-host
          $content|write-host
          write-host "Attempt number $attempts of $maxAttempts`: $userInput does not match $testValue. Try again or Input CANCEL to skip this item`r`n"
          }
      }
  return $confirmed
}

function pickItem($list){
  do {
      try {
          $flag = $true
          clear-host
          for($i=0;$i -lt $list.count; $i++){
            write-host "$i`: $(($list[$i]|out-string))"
          }
          [int]$pick=Read-Host -Prompt "`n--------------------------------------------------------`nPlease type the number corresponding to the desired item`n--------------------------------------------------------"
      }catch{
        $flag = $false
      }
    }
  until ($pick -lt $list.count -and $pick -ge 0 -and $flag)
  $pickIndex=$pick
  $pickedItem=$list[$pickIndex]
  clear-host
  write-host "Selected item:`n--------------------------------------------------------`n$($pickedItem|out-string)"
  return $pickedItem
}

function removeAhostRecordInBluecat{
  param(
    $proxy,
    $hostRecord
  )
  $confirmed=$false
  try{
    # searchByCategory(keyword, category, start, count) is a substring search, so more than one hit is possible
    $property=@($proxy.searchByCategory($hostRecord,'RESOURCE_RECORD',0,10)|Where-Object{$_.id})
    if(-not $property.count){
      write-host "No resource record matching '$hostRecord' was found. Nothing removed."
      return 1
    }
    $deleteItem=if($property.count -gt 1){
      pickItem $property
    }else{
      $property[0]
    }
    $null=clear-host
    $confirmed=confirmation "Delete this record?`r`n`r`n$(($deleteItem|out-string).trim())"
    if($confirmed){
      $proxy.delete($deleteItem.id)
      return 0
    }else{
      write-host "User cancelled operation. Record '$($deleteItem.name)' NOT removed."
      return 1
    } 
  }catch{
    write-warning $_
    return -1
  }   
}

$proxy=loginBluecat -Uri $bluecatUri -Username $bluecatUsername -Password $bluecatPassword
removeAhostRecordInBluecat $proxy $hostRecord

PowerShell: Remove IP Address Assignment Using Bluecat API

$bluecatUri='https://bluecat.kimconnect.com/Services/API'   # https: login() sends the password in the SOAP body
$bluecatCredential=Get-Credential -UserName 'svc-bluecat-api' -Message 'BlueCat API service account'
$bluecatUsername=$bluecatCredential.UserName
$bluecatPassword=$bluecatCredential.GetNetworkCredential().Password
$configId=17
$ipv4Address='10.10.162.54'
$marker='toBeDeleted-'

function confirmation($content,$testValue="I confirm",$maxAttempts=3){
  $confirmed=$false;
  $attempts=0;        
  $content|write-host
  write-host "Please review this content for accuracy.`r`n"
  while ($attempts -le $maxAttempts){
      if($attempts++ -ge $maxAttempts){
          write-host "A maximum number of attempts have reached. No confirmations received!`r`n"
          break;
          }
      $userInput = Read-Host -Prompt "Please type in this value => $testValue <= to confirm. Input CANCEL to skip this item";
      if ($userInput.ToLower() -eq $testValue.ToLower()){
          $confirmed=$true;
          write-host "Confirmed!`r`n";
          break;                
      }elseif($userInput -like 'cancel'){
          write-host 'Cancel command received.'
          $confirmed=$false
          break
      }else{
          cls;
          $content|write-host
          write-host "Attempt number $attempts of $maxAttempts`: $userInput does not match $testValue. Try again or Input CANCEL to skip this item`r`n"
          }
      }
  return $confirmed;
}
function loginBluecat{
  param(
    [Parameter(Mandatory=$true)]$uri,
    [Parameter(Mandatory=$true)]$username,
    [Parameter(Mandatory=$true)]$password
  )
  $proxy = New-WebServiceProxy -Uri "$($uri)?wsdl"
    $proxy.url = $uri
    $cookieContainer = New-Object System.Net.CookieContainer
    $proxy.CookieContainer = $cookieContainer
    $proxy.login($username, $password)
  return $proxy
}

function removeIpv4Assignment{
  param(
    [Parameter(Mandatory=$true)]$proxy,
    [Parameter(Mandatory=$true)]$configId,
    [Parameter(Mandatory=$true)]$ipV4Address,
    [string]$marker='toBeDeleted-'
  )
  
  $erroractionpreference='stop'
  try{    
    $record=$proxy.getIP4Address($configId,$ipV4Address)
    if($record.id -eq 0){
      write-host "IP Address $ipv4Address does not exist in config ID $configId"
      return -1
    }else{
      # Tag the object's name first so the confirmation shows exactly the object that will be deleted
      $originalName=$record.name
      $markedRecord=$marker+$originalName
      $record.Name=$markedRecord
      $proxy.update($record)
      $property=$proxy.searchByObjectTypes($markedRecord, "IP4Address", 0, 1)
      $confirmed=confirmation "Delete this record:`r`n$(($property|out-string).trim())"
      if($confirmed){
        $proxy.delete($property.id)
        return 0
      }else{
        # put the name back so a cancelled run leaves no marker behind
        $record.Name=$originalName
        $proxy.update($record)
        write-host "User cancelled operation. IP Address $ipv4Address NOT removed."
        return 1
      }      
    }
  }catch{
    write-warning $_
    return -1
  }  
}

$bluecatProxy=loginBluecat -Uri $bluecatUri -Username $bluecatUsername -Password $bluecatPassword
removeIpv4Assignment -proxy $bluecatProxy -configId $configId -ipv4Address $ipV4Address

Ping Command’s First Packet Toward LDAP Server(s) Takes 2 Seconds to Start

A fixed delay before the first reply, with later replies arriving normally, points at something that happens once per destination: name resolution or hardware (MAC) address resolution. Check them in that order.

Case 1: Are the DNS servers working?
  • dig returns results right away => the configured DNS servers are working
  • dig takes 2+ seconds or times out => the configured DNS servers are NOT working (the resolver waits for the first server to time out before it tries the next one, which is where a fixed delay usually comes from)

Recommendations:

  1. Test the client against a different DNS server
    dig @dnsServer1.kimconnect.com ldapServerName
  2. Verify that routing and firewall rules pass traffic from the client to the DNS servers (UDP and TCP 53)
  3. Clean up invalid DNS records in AD
Case 2: Is localhost able to cache the hardware address?
  • 'arp -a' returns right away and the LDAP server's IP has a MAC address next to it => ARP is working fine (if the LDAP server is on another subnet, the entry that matters is the default gateway's)
  • 'arp -a' takes a while to populate, or the entry stays incomplete => the local ARP table is not caching the MAC-to-IP mapping, so every first packet waits for a new ARP exchange

Recommendations:

a. Add a static ARP entry on localhost (a diagnostic rather than a fix: static entries are lost at reboot and must be removed by hand if the server's NIC ever changes)

Command:

arp -s ip-address-of-ldap-server hardware-address-of-ldap-server
# Example:
sudo arp -s 10.10.10.10 aa:11:bb:22:cc:44

# How to reverse the change:
sudo arp -d 10.10.10.10

# How to check the ARP table:
sudo arp -avn # more verbose
sudo arp -n # simple view

b. Clear the ARP cache and the DNS cache

sudo ip -s -s neigh flush all
arp -n
# the DNS cache depends on which resolver the host runs:
sudo service nscd restart          # nscd
sudo resolvectl flush-caches       # systemd-resolved (Ubuntu 18.04 and later)
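On a Windows client the same Case 1 check can be made precise by timing one lookup against every DNS server the client is configured with. The following is an added example, not code from the original post: a dead or slow first server, which the resolver has to wait on before it falls back to the next one, shows up directly in the Milliseconds column. The host name in the usage line is a placeholder.

```powershell
function Measure-DnsServerLatency {
    param([Parameter(Mandatory)][string]$Name)
    $servers = Get-DnsClientServerAddress -AddressFamily IPv4 |
        Where-Object { $_.ServerAddresses } |
        ForEach-Object { $_.ServerAddresses } |
        Select-Object -Unique
    foreach ($server in $servers) {
        $sw = [System.Diagnostics.Stopwatch]::StartNew()
        try {
            # -DnsOnly / -NoHostsFile: ask this server only, skipping the local cache and hosts file
            $answer = Resolve-DnsName -Name $Name -Type A -Server $server -DnsOnly -NoHostsFile -QuickTimeout -ErrorAction Stop |
                Where-Object Type -eq 'A'
            $status = 'ok'
            $result = ($answer.IPAddress -join ', ')
        } catch {
            $status = $_.Exception.Message
            $result = $null
        }
        $sw.Stop()
        [pscustomobject]@{
            DnsServer    = $server
            Milliseconds = $sw.ElapsedMilliseconds
            Slow         = $sw.ElapsedMilliseconds -ge 1000
            Status       = $status
            Answer       = $result
        }
    }
}

# Usage (placeholder name):
# Measure-DnsServerLatency -Name 'ldap01.intranet.kimconnect.com' | Format-Table -AutoSize
# If the first server listed is the slow one, reorder or replace it on the adapter, e.g.
# Set-DnsClientServerAddress -InterfaceAlias 'Ethernet' -ServerAddresses 10.20.10.10,10.10.10.10
# and clear the negative cache a failed lookup leaves behind: Clear-DnsClientCache
```

Servers that answer with different addresses for the same name are a second finding worth acting on: that is the stale-record situation from the IP conflict section, seen from the client side.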

How to configure Ubiquiti EdgeRouter to send logs to a Syslog Server

Method 1: using a text editor

# Edit the syslog config
sudo vi /etc/rsyslog.d/vyatta-log.conf

# Change the @ (udp) in front of the host to @@ (tcp)
# add :PORTNUMBER after the host name or IP if the collector does not listen on 514
admin@EdgeRouter-4:~$ cat /etc/rsyslog.d/vyatta-log.conf
*.err	@graylog.kimconnect.com
*.notice;local7.debug	-/var/log/messages

Method 2: use sed to update the file

# Change from udp to tcp (match a single @ followed by a non-@ character, so re-running does not produce @@@)
sudo sed -E -i 's/(\s)@([^@])/\1@@\2/' /etc/rsyslog.d/vyatta-log.conf
cat /etc/rsyslog.d/vyatta-log.conf

# Change from tcp to udp
sudo sed -i 's/@@/@/' /etc/rsyslog.d/vyatta-log.conf
cat /etc/rsyslog.d/vyatta-log.conf

# Restart rsyslog
sudo service rsyslog restart

Two caveats. This file is generated from the EdgeOS configuration (set system syslog host ...), so a later commit that touches syslog rewrites it and drops the @@ edit. And plain TCP syslog is still unencrypted and unauthenticated, so keep the path to the collector on a management network or use rsyslog's TLS output if the collector supports it. Note also that the *.err selector forwards only messages of severity err and above; anything lower stays in the local log.

PowerShell: Initiate Tests on Certain Ports

This appears to be a duplicate of another post.

function initTestPort($portNumber=5985,$maxTests=3){

  function getIndexDifference {
    param(
      [String] $string1,
      [String] $string2
    )
    if ( $string1 -ceq $string2 ) {
      return -1
    }
    for ( $i = 0; $i -lt $string1.Length; $i++ ) {
      if ( $string1[$i] -cne $string2[$i] ) {
        return $i
      }
    }
    return $string1.Length
  }  

  # Anchor on ':PORT ' so that 5985 does not also match 59850 or a remote port
  $pattern=":$portNumber\s"
  $baseLine=(netstat -ano -p tcp|select-string $pattern|out-string).trim()
  if(!$baseline){
      write-warning "$env:computername doesn't have any service listening on port $portNumber"
      return   # 'exit' here would close the calling shell
  }else{
      write-host "$env:computername is now listening on port $portNumber; watching for $maxTests connection change(s)"
      do{
          $status=(netstat -ano -p tcp|select-string $pattern|out-string).trim()
          if($status -ne $baseline){
            $maxTests--  
            $matchIndex=getIndexDifference $status $baseline
            $difference=$status.Substring($matchIndex).Trim()
            write-host "$maxTests remaining => $difference"
            $baseline=$status   # the new state becomes the baseline, so one connection counts once
          }
          Start-Sleep -Milliseconds 500   # without a pause this loop pins a CPU core
      }until(!$maxTests)
  }
}
# Test reachability from a client machine
$server='nameOrIpHere'
$port=5985
(new-object Net.Sockets.TcpClient).Connect($server, $port)
# or, with a readable result: Test-NetConnection -ComputerName $server -Port $port

PowerShell: How To Test A Server Ephemeral Port

# Stand up a listener on an arbitrary high port on the server to prove that the path (routing,
# firewalls) lets clients reach it. The port chosen here lies in the Windows dynamic range
# (49152-65535); pick one that is not in use, and remember that Windows Firewall must allow it.
# The session terminates on its own after the given number of accepted connections.

function initTestEphemeralPort{
  param(
    $port=59848,
    $testCount=3
  )
  $cmdlet="(new-object Net.Sockets.TcpClient).Connect('$env:computername', $port)"
  write-host "$env:computername is now listening on port $port"
  write-host "Please run this function at the client side:`r`n$cmdlet"
  $listener=[System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any,$port)
  $listener.Start()
  try{
    while($testCount){
      $clientAccepted=$listener.AcceptTcpClient()   # blocks until a client connects
      write-host "Connection from $($clientAccepted.Client.RemoteEndPoint)"
      write-host "$((netstat -ano -p tcp|select-string ":$port\s"|out-string))"
      $clientAccepted.Close()
      $testCount--
      write-host "$testCount connection test(s) remaining"
    }
  }finally{
    # Stop listening on the server even if the loop is interrupted with Ctrl+C
    $listener.Stop()
    write-host "Tests have completed."
  }
}

initTestEphemeralPort 59848
# Test reachability from a client machine
$server='nameOrIpHere'
$port=59848
(new-object Net.Sockets.TcpClient).Connect($server, $port)
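The two listener/probe pairs above share the same gaps: the client call hangs for the full TCP connect timeout when a firewall silently drops the SYN, the listener does not say who connected, and both parse netstat text. The following is an added example, not code from the original posts, that closes those gaps; it also covers the WinRM netstat check in the next section by summarising connection states on a port with Get-NetTCPConnection instead of reading them by eye. The port and server name in the usage lines are placeholders, and the listener still needs a firewall rule (New-NetFirewallRule -Direction Inbound -Protocol TCP -LocalPort <port>) to be reachable.

```powershell
function Start-TestListener {
    param([int]$Port = 59848, [int]$MaxAccepts = 3)
    $listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $Port)
    $listener.Start()
    $seen = @()
    try {
        Write-Host "$env:COMPUTERNAME listening on TCP $Port for $MaxAccepts connection(s)"
        for ($i = 1; $i -le $MaxAccepts; $i++) {
            $client = $listener.AcceptTcpClient()          # blocks until a client connects
            $remote = $client.Client.RemoteEndPoint.ToString()
            $seen += $remote
            Write-Host "[$i/$MaxAccepts] connection from $remote"
            $client.Close()
        }
    } finally {
        $listener.Stop()                                   # release the port even on Ctrl+C
    }
    return $seen
}

function Test-TcpPortWithTimeout {
    param(
        [Parameter(Mandatory)][string]$Server,
        [Parameter(Mandatory)][int]$Port,
        [int]$TimeoutMs = 3000
    )
    $client = [System.Net.Sockets.TcpClient]::new()
    $sw = [System.Diagnostics.Stopwatch]::StartNew()
    try {
        $task = $client.ConnectAsync($Server, $Port)
        if (-not $task.Wait($TimeoutMs)) {
            $status = 'timeout: no SYN-ACK (filtered by a firewall, or host down)'
        } elseif ($client.Connected) {
            $status = 'open'
        } else {
            $status = 'closed'
        }
    } catch {
        # a RST comes back as a SocketException ("actively refused") wrapped in an AggregateException
        $status = "refused/error: $($_.Exception.GetBaseException().Message)"
    } finally {
        $client.Dispose()
    }
    [pscustomobject]@{ Server = $Server; Port = $Port; Status = $status; Milliseconds = $sw.ElapsedMilliseconds }
}

function Get-PortStateSummary {
    param([Parameter(Mandatory)][int]$LocalPort)
    # Many SynReceived entries with no Established ones means SYN-ACKs are not getting back to the
    # clients (asymmetric routing, a stateful firewall, or a SYN flood): not a healthy listener.
    Get-NetTCPConnection -LocalPort $LocalPort -ErrorAction SilentlyContinue |
        Group-Object State |
        Select-Object @{ n = 'State'; e = { $_.Name } }, Count
}

# Server side:  Start-TestListener -Port 59848 -MaxAccepts 3
# Client side:  Test-TcpPortWithTimeout -Server 'server005' -Port 59848
# Either side:  Get-PortStateSummary -LocalPort 5985
```

The three statuses the probe reports map onto three different faults: `open` means the path and the listener are fine, `refused` means the packets arrive but nothing is listening (or a firewall answers with a reset), and `timeout` means something in between is dropping the SYN and the problem is in the network, not on the server.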

Some Useful Windows Networking Commands

# Checking WinRM connections
PS C:\Windows\system32> netstat -ano|select-string ":5985"
  TCP    0.0.0.0:5985           0.0.0.0:0              LISTENING       4
  TCP    192.11.0.7:5985        192.12.128.106:63603   SYN_RECEIVED    4
  TCP    192.11.0.7:5985        192.13.64.44:51589     SYN_RECEIVED    4
# The LISTENING line (PID 4 is System, which hosts the http.sys listener WinRM uses) shows the service is up.
# SYN_RECEIVED is a half-open handshake: the client's SYN arrived and the SYN-ACK went out, but no ACK
# came back. One or two in passing are normal; entries that sit in this state point at a firewall or an
# asymmetric route dropping the return path (or a SYN flood). A working session shows ESTABLISHED.

# Find which IP an ARP cache entry belongs to (Windows prints MACs with dashes, xx-xx-xx-xx-xx-xx)
$macAddress="xx-xx-xx-xx-xx-xx"
arp -a | findstr /i $macAddress
Get-NetNeighbor | Where-Object LinkLayerAddress -eq $macAddress

# Checking network configs
PS C:\Windows\system32> Get-NetIPConfiguration
InterfaceAlias       : Ethernet 2
InterfaceIndex       : 3
InterfaceDescription : Microsoft Hyper-V Network Adapter #2
NetProfile.Name      : kimconnect.com
IPv4Address          : 192.12.134.21
IPv6DefaultGateway   :
IPv4DefaultGateway   : 192.12.134.1
DNSServer            : 192.12.130.100
                       192.12.130.101
# List adapters
PS C:\Windows\system32> Get-NetAdapter
Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
NIC2                      Broadcom NetXtreme Gigabit Ethernet #2       29 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC4                      Broadcom NetXtreme Gigabit Ethernet #4       26 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#4      25 Up           xx-xx-xx-xx-xx-xx        40 Gbps
NIC Team1                 Microsoft Network Adapter Multiplexo...      23 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 5                Intel(R) Ethernet Converged Networ...#2      21 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 4                Intel(R) Ethernet Converged Network ...      15 Up           xx-xx-xx-xx-xx-xx        40 Gbps
NIC3                      Broadcom NetXtreme Gigabit Ethernet          13 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC1                      Broadcom NetXtreme Gigabit Ethernet #3       11 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#2       8 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 2                Remote NDIS Compatible Device                 5 Not Present  xx-xx-xx-xx-xx-xx          0 bps
NIC Team1 - TESTLAB...     Microsoft Network Adapter Multiple...#3       4 Up           xx-xx-xx-xx-xx-xx        40 Gbps

# List Physical adapters
PS C:\Windows\system32> Get-NetAdapter -Physical
Name                      InterfaceDescription                    ifIndex Status       MacAddress             LinkSpeed
----                      --------------------                    ------- ------       ----------             ---------
Ethernet 5                Intel(R) Ethernet Converged Networ...#2      21 Up           xx-xx-xx-xx-xx-xx        40 Gbps
Ethernet 4                Intel(R) Ethernet Converged Network ...      15 Up           xx-xx-xx-xx-xx-xx        40 Gbps

# Get advanced properties of a NIC
$nicName="Ethernet 2"
Get-NetAdapter -Name $nicName | Get-NetAdapterAdvancedProperty

PS C:\Windows\system32> Get-NetAdapter -Name $nicName | Get-NetAdapterAdvancedProperty
Name                      DisplayName                    DisplayValue                   RegistryKeyword RegistryValue
----                      -----------                    ------------                   --------------- -------------
Ethernet 2                IPv4 Checksum Offload          Rx & Tx Enabled                *IPChecksumO... {3}
Ethernet 2                IPSec Offload                  Auth Header and ESP Enabled    *IPsecOffloadV2 {3}
Ethernet 2                Jumbo Packet                   Disabled                       *JumboPacket    {1514}
Ethernet 2                Large Send Offload Version ... Enabled                        *LsoV2IPv4      {1}
Ethernet 2                Large Send Offload Version ... Enabled                        *LsoV2IPv6      {1}
Ethernet 2                Max Number of RSS Processors   16 Processors                  *MaxRssProce... {16}
Ethernet 2                Network Direct (RDMA)          Disabled                       *NetworkDirect  {0}
Ethernet 2                Maximum Number of RSS Queues   16 Queues                      *NumRssQueues   {16}
Ethernet 2                Packet Direct                  Disabled                       *PacketDirect   {0}
Ethernet 2                Recv Segment Coalescing (IPv4) Enabled                        *RscIPv4        {1}
Ethernet 2                Recv Segment Coalescing (IPv6) Enabled                        *RscIPv6        {1}
Ethernet 2                Receive Side Scaling           Enabled                        *RSS            {1}
Ethernet 2                RSS Base Processor Number      0                              *RssBaseProc... {0}
Ethernet 2                Maximum RSS Processor Number   15                             *RssMaxProcN... {15}
Ethernet 2                RSS Profile                    NUMA Scaling Static            *RSSProfile     {4}
Ethernet 2                TCP Checksum Offload (IPv4)    Rx & Tx Enabled                *TCPChecksum... {3}
Ethernet 2                TCP Checksum Offload (IPv6)    Rx & Tx Enabled                *TCPChecksum... {3}
Ethernet 2                UDP Checksum Offload (IPv4)    Rx & Tx Enabled                *UDPChecksum... {3}
Ethernet 2                UDP Checksum Offload (IPv6)    Rx & Tx Enabled                *UDPChecksum... {3}
Ethernet 2                Forwarding Optimization        Disabled                       ForwardingOp... {0}
Ethernet 2                Hyper-V Network Adapter Name                                  HyperVNetwor... {--}
Ethernet 2                Network Address                --                             NetworkAddress  {--}
Ethernet 2                Receive Buffer Size            8MB                            ReceiveBuffe... {8192}
Ethernet 2                Send Buffer Size               1MB                            SendBufferSize  {1024}
Ethernet 2                VLAN ID                        0                              VlanID          {0}

PS C:\Windows\system32> get-netadapter -name 'NIC Team1 - VLAN101' | Get-NetAdapterAdvancedProperty
Name                      DisplayName                    DisplayValue                   RegistryKeyword RegistryValue
----                      -----------                    ------------                   --------------- -------------
NIC Team1 - HyperV...0001 Encapsulated Task Offload      Enabled                        *Encapsulate... {1}
NIC Team1 - HyperV...0001 Header Data Split              Enabled                        *HeaderDataS... {1}
NIC Team1 - HyperV...0001 IPv4 Checksum Offload          Rx & Tx Enabled                *IPChecksumO... {3}
NIC Team1 - HyperV...0001 IPsec Offload                  Auth Header & ESP Enabled      *IPsecOffloadV2 {3}
NIC Team1 - HyperV...0001 Large Send Offload Version ... Enabled                        *LsoV2IPv4      {1}
NIC Team1 - HyperV...0001 Large Send Offload Version ... Enabled                        *LsoV2IPv6      {1}
NIC Team1 - HyperV...0001 Recv Segment Coalescing (IPv4) Enabled                        *RscIPv4        {1}
NIC Team1 - HyperV...0001 Recv Segment Coalescing (IPv6) Enabled                        *RscIPv6        {1}
NIC Team1 - HyperV...0001 Receive Side Scaling           Enabled                        *RSS            {1}
NIC Team1 - HyperV...0001 TCP Checksum Offload (IPv4)    Rx & Tx Enabled                *TCPChecksum... {3}
NIC Team1 - HyperV...0001 TCP Checksum Offload (IPv6)    Rx & Tx Enabled                *TCPChecksum... {3}
NIC Team1 - HyperV...0001 UDP Checksum Offload (IPv4)    Rx & Tx Enabled                *UDPChecksum... {3}
NIC Team1 - HyperV...0001 UDP Checksum Offload (IPv6)    Rx & Tx Enabled                *UDPChecksum... {3}
NIC Team1 - HyperV...0001 Virtual Machine Queues         Enabled                        *VMQ            {1}
NIC Team1 - HyperV...0001 Virtual Machine Queues - Sh... Enabled                        *VMQLookahea... {1}
NIC Team1 - HyperV...0001 Virtual Machine Queues - VL... Enabled                        *VMQVlanFilt... {1}
NIC Team1 - HyperV...0001 MAC Address                    --                             NetworkAddress  {--}

# Check hardware information
PS C:\Windows\system32> Get-NetAdapterHardwareInfo
Name                           Segment Bus Device Function Slot NumaNode PcieLinkSpeed PcieLinkWidth Version
----                           ------- --- ------ -------- ---- -------- ------------- ------------- -------
NIC0                                 0   1      0        2             0      5.0 GT/s             8 1.1
NIC1                                 0   1      0        1             0      5.0 GT/s             8 1.1
NIC2                                 0   1      0        0             0      5.0 GT/s             8 1.1
NIC3                                 0   1      0        3             0      5.0 GT/s             8 1.1

# Set Mac address of an adapter
$macAddress2="xx-xx-xx-xx-xx-xx"
Set-NetAdapter -Name "vEthernet" -MacAddress $macAddress2

Installing IBM VPN Client

On a Linux Machine

# Install VPN Client
shellScript=https://support.arraynetworks.net/prx/001/http/supportportal.arraynetworks.net/downloads/pkg_9_4_0_385/MP_Linux_1.2.9/MotionPro_Linux_Ubuntu_x64_build-8.sh
cd Desktop
wget $shellScript
# The downloaded installer is not executable until marked as such
chmod +x MotionPro_Linux_Ubuntu_x64_build-8.sh
sudo ./MotionPro_Linux_Ubuntu_x64_build-8.sh

# Start VPN daemon
sudo /usr/bin/vpnd

# Connecting
remoteHost=vpnserver.kimconnect.com
username=adminguy
password=PASSWORDHERE
sudo /usr/bin/MotionPro --host "$remoteHost"

# Stopping the VPN daemon
sudo pkill vpnd

On a Windows Machine

# Download
$fileUrl='https://support.arraynetworks.net/prx/000/http/supportportal.arraynetworks.net/downloads/pkg_9_4_0_327/SSLVPN_9.0.1.115/ArraySSLVPNSetup.msi'
$outFile='C:\Temp\ArraySSLVPNSetup.msi'
Invoke-WebRequest -Uri $fileUrl -OutFile $outFile

# Install - this doesn't work as of this writing
$dateStamp = get-date -Format yyyyMMddTHHmmss
$logFile = '{0}-{1}.log' -f $outFile,$dateStamp
$MSIArguments = @(
    "/i"
    ('"{0}"' -f $outFile)   # the downloaded MSI path from above
    "/qn"
    "/norestart"
    "/L*v"
    $logFile
)
Start-Process "msiexec.exe" -ArgumentList $MSIArguments -Wait -NoNewWindow

PowerShell: Improve Network Speed of Windows on 20 Mbps or Faster Connections

This has been tested on Windows 10 – will not work on a Server OS:

# Requires an elevated (administrator) PowerShell session
$networkRegistry='REGISTRY::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$keyName='IRPStackSize'
$keyValue=32
# The value does not exist by default, so suppress the error when reading it
$previousValue=(Get-ItemProperty -Path $networkRegistry -Name $keyName -ErrorAction SilentlyContinue).$keyName
if($keyValue -ne $previousValue){
    # Create or update the value as a REG_DWORD
    Set-ItemProperty -Path $networkRegistry -Name $keyName -Value $keyValue -Type DWord
    $setValue=(Get-ItemProperty -Path $networkRegistry -Name $keyName).$keyName
    Write-Host "$keyName previous value '$previousValue' has been changed to $setValue"
}else{
    Write-Host "$keyName current value of $previousValue already matches the intended value."
}

Setup PXE Client Booting for Microsoft Deployment Toolkit with Multiple VLANs

Part A: Configure Clients

Ensure that machines on the network boot in a predetermined order of priority, such as:
1. Internal hard drive
2. USB Thumb drive or CD ROM
3. Network PXE Boot

Moreover, there are two boot modes: Legacy BIOS and Unified Extensible Firmware Interface (UEFI). The former is straightforward, as it applies to older equipment that supports a maximum of 2.2 terabytes of storage. The latter, UEFI mode, embeds drivers to support drives up to 9 zettabytes (or 9216 terabytes). This is most likely the mode in which newer devices boot.

As mentioned above, when a machine has exhausted its other boot options, such as CD-ROMs and local hard drives, it then searches the network for a Preboot Execution Environment (PXE) server, whose location is usually supplied by a DHCP server.

Part B: Configure Router

In an environment with multiple virtual local area networks (VLANs), a DHCP server may not reside on the same subnet as all of its clients. Therefore, an ip helper-address must be set on each VLAN so that client broadcasts are relayed to the DHCP server. For most networking vendors, the commands look like this:

L3Switch> enable
L3Switch# configure
L3Switch(config)# vlan X
L3Switch(vlan-X)# ip helper-address x.x.x.x

Part C: Configure DHCP Server

Here’s an example of setting directory pointers on a Microsoft DHCP Server:

Dhcpmgmt.msc > right-click DHCP > Add Server > select the correct DHCP Server with the IP Helper-Address being set on various VLANs > right-click IPv4 > DHCP Vendor Classes > create these three (3) entries as definitions for vendor classes:

1. Name = PXEClient (UEFI x86) | value = PXEClient:Arch:00006
2. Name = PXEClient (UEFI x64) | value = PXEClient:Arch:00007
3. Name = PXEClient (BIOS x86 & x64) | value = PXEClient:Arch:00000

Expand DHCP > select the scope of the VLAN subnet where PXE Clients would reside > right-click Policies > New Policy > set name = PXEClient (UEFI x86) > Next > click Add > select the Values drop-down menu > pick PXEClient (UEFI x86) > put a check mark next to Append wildcard(*) > click Add > OK > Next > select ‘No’ as the answer for ‘Do you want to configure an IP address range for the policy’ > Next > set these three (3) options on the Configure settings for the policy window:

1. option 060 = PXEClient (set this option ONLY if the DHCP server is same as the PXE Server. Otherwise, do NOT add this)
2. option 066 = FQDN or IP-Address of PXE Server
3. option 067 = boot\x86\wdsmgfw.efi for WDS (or ipxe32.efi if using FOG Server)

Repeat for PXEClient (UEFI x64)

1. option 060 = PXEClient (set this option ONLY if the DHCP server is same as the PXE Server. Otherwise, do NOT add this)
2. option 066 = FQDN or IP-Address of PXE Server
3. option 067 = boot\x64\wdsmgfw.efi for WDS (or ipxe.efi if using FOG Server)

Repeat for PXEClient (BIOS x86 & x64)

1. option 066 = FQDN or IP-Address of PXE Server
2. option 067 = boot\x64\wdsmgfw.efi for WDS (or undionly.kpxe if using FOG Server)

Click Next > OK when done > navigate to Scope Options to verify the results.
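The same vendor classes, scope policies and options as the Dhcpmgmt.msc steps above, scripted with the DhcpServer module. This is an added example, not part of the original post: the scope 10.10.30.0 and the PXE server name pxe.kimconnect.com are constructed placeholders, and it is meant to run on the DHCP server itself. Option 060 is deliberately left out, since the page notes it belongs only when the DHCP and PXE servers are the same host; for the BIOS class the WDS legacy boot program wdsnbp.com is used, because BIOS firmware cannot execute an .efi image.

```powershell
# Constructed placeholders: replace with the real scope and PXE/WDS server
$scopeId   = '10.10.30.0'
$pxeServer = 'pxe.kimconnect.com'

# Vendor class name -> option 60 string the client sends, and the WDS boot file for that firmware
$pxeClasses = @(
    @{ Name = 'PXEClient (UEFI x86)';       Data = 'PXEClient:Arch:00006'; Boot = 'boot\x86\wdsmgfw.efi' }
    @{ Name = 'PXEClient (UEFI x64)';       Data = 'PXEClient:Arch:00007'; Boot = 'boot\x64\wdsmgfw.efi' }
    @{ Name = 'PXEClient (BIOS x86 & x64)'; Data = 'PXEClient:Arch:00000'; Boot = 'boot\x64\wdsnbp.com' }
)

foreach ($c in $pxeClasses) {
    # Vendor class definition (DHCP Vendor Classes in the MMC); idempotent
    if (-not (Get-DhcpServerv4Class -Name $c.Name -Type Vendor -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Class -Name $c.Name -Type Vendor -Data $c.Data
    }
    # Scope policy matching the vendor class with the trailing wildcard (Append wildcard(*))
    if (-not (Get-DhcpServerv4Policy -Name $c.Name -ScopeId $scopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Policy -Name $c.Name -ScopeId $scopeId -Condition OR -VendorClass EQ,"$($c.Name)*"
    }
    # Options 066/067 bound to the policy, so only clients matching that class receive them
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $c.Name -OptionId 66 -Value $pxeServer
    Set-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $c.Name -OptionId 67 -Value $c.Boot
}

# Verification, equivalent to reviewing Scope Options in the MMC
foreach ($c in $pxeClasses) {
    Get-DhcpServerv4OptionValue -ScopeId $scopeId -PolicyName $c.Name |
        Select-Object @{ n = 'Policy'; e = { $c.Name } }, OptionId, Value
}
```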

Linux DNS Networking

DNS client on Linux:
  • /etc/resolv.conf specifies the nameservers for resolver lookups. Nameservers are tried in the order listed, in accordance with the DNS protocol. Local and global DNS entries are added here. Be advised that these settings can be overwritten by system updates and even reboots. The proper way to insert persistent DNS records into resolv.conf is:
    vim /etc/resolvconf/resolv.conf.d/head >> insert a record such as: nameserver [LOCAL_DNS_IP] >> save the file: :wq + enter >> regenerate resolv.conf with: sudo resolvconf -u
  • /etc/hosts file is typically used for only administrative purposes and internal network functions of limited scope. Singular entries associating names with IPs are sometimes added here.
  • /etc/nsswitch.conf specifies the lookup order, to be used in conjunction with the hosts entry.
  • /etc/network/interfaces is the manual IP address configuration method (typically for servers). Here is a sample edit of this file:
    iface eth0 inet static
        address 10.10.30.X
        netmask 255.255.255.0
        gateway 10.10.30.1
        dns-search kimconnect.com
        dns-nameservers 10.10.20.1 10.10.20.2
Lastly, any changes to network configurations should be followed by this command: service network-manager restart