OpenLDAP Migration


# Compress ldap directory on WEB01.PROD
tar -C /home/webadmin/pkg/var/openldap -czvf /tmp/kimconnect-com.gz kimconnect-com
chmod 777 /tmp/kimconnect-com.gz
# Make a backup of ldap files
cd /home/webadmin/pkg/var/openldap
dateString=$(date +"%m_%d_%Y")
mv kimconnect-com kimconnect-com_$dateString
# Pull files from WEB01.PROD while logon to WEB02.PROD as webadmin
scp -P{port-number} webadmin@WEB01:/tmp/kimconnect-com.gz /home/webadmin/pkg/var/openldap
# Untar
cd /home/webadmin/pkg/var/openldap && tar xvzf kimconnect-com.gz
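
The steps above pack the LDAP directory into /tmp, chmod 777 it and scp it across. Added example, not from the original notes: the same pack-and-copy step with the archive kept at mode 0600 (the directory holds the LDAP database, including password hashes) and a SHA-256 written beside it so the copy can be verified on WEB02 before untarring. The function names and the checksum step are my additions.

```shell
#!/bin/sh
# Added example, not from the original notes: pack PARENT/NAME into OUT as
# tar+gzip, keep it private (0600 instead of chmod 777) and write OUT.sha256
# so the receiving host can verify the scp'd copy before extracting it.

# pack_dir PARENT NAME OUT
pack_dir() {
    parent="$1"; name="$2"; out="$3"
    # umask in a subshell: the archive is never world-readable, not even briefly
    ( umask 077 && tar -C "$parent" -czf "$out" "$name" ) || return 1
    # the checksum file stores only the basename, so it still verifies after
    # scp into any directory on the target host
    ( cd "$(dirname "$out")" && sha256sum "$(basename "$out")" > "$(basename "$out").sha256" ) || return 1
    chmod 600 "$out" "$out.sha256"
}

# verify_and_unpack ARCHIVE DEST: check ARCHIVE.sha256, then extract into DEST
verify_and_unpack() {
    archive="$1"; dest="$2"
    ( cd "$(dirname "$archive")" && sha256sum -c --status "$(basename "$archive").sha256" ) || {
        echo "checksum mismatch for $archive, not extracting" >&2
        return 1
    }
    mkdir -p "$dest" && tar -C "$dest" -xzf "$archive"
}

# On the source host (WEB01):
#   pack_dir /home/webadmin/pkg/var/openldap kimconnect-com /tmp/kimconnect-com.tar.gz
#   scp -P{port-number} /tmp/kimconnect-com.tar.gz /tmp/kimconnect-com.tar.gz.sha256 webadmin@WEB02:/tmp/
# On the target host (WEB02), after moving the old copy aside as above:
#   verify_and_unpack /tmp/kimconnect-com.tar.gz /home/webadmin/pkg/var/openldap
```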

Useful Linux Commands

# Create dump from WEB01
mysqldump -uroot -p\!PASSWORD\! --databases kimconnect | gzip > /tmp/kimconnect.gz
chmod 777 /tmp/kimconnect.gz
# Pull kimconnect from WEB01 while login WEB02
scp -P{port-number} webadmin@web01:/tmp/kimconnect.gz /home/webadmin/pkg/share/httpd/htdocs
# Import DB
nohup gunzip < kimconnect.gz | mysql -uwebadmin -pPASSWORD --socket=/home/webadmin/pkg/var/run/mysqld/mysqld.sock &
# Put files to NAS
cd /home/webadmin/
#sftp -oStrictHostKeyChecking=no webadmin@nas:/mnt/array1/operations/BackUps/kimconnect
sftp -oStrictHostKeyChecking=no webadmin@nas:/mnt/array1/operations/BackUps/kimconnect
put kimconnect_baseline.gz
exit
# Pull file from NAS
cd /home/webadmin/
#sftp -oStrictHostKeyChecking=no webadmin@web01:/mnt/array1/operations/BackUps/kimconnect_CLONES
sftp -oStrictHostKeyChecking=no webadmin@nas:/mnt/array1/operations/BackUps/kimconnect_CLONES
get pkgsrc_baseline.gz
exit
# Compress folder and save in /tmp directory
tar -C /directory/of/folder -czvf /tmp/folder-name.gz folder-name
chmod 777 /tmp/folder-name.gz
# Run mysql command from shell
mysql -uwebadmin -pPASSWORD --execute="{command-here};"
# Push files to Remote while login to Local with non-standard port (remove option 'z' for no compression)
rsync -trvz -e 'ssh -p {port-number}' --progress /local/folder webadmin@{remote-ip}:{/remote/folder}
# Pull files from Remote to Local with non-standard port (remove option 'z' for no compression)
rsync -chavzP -e 'ssh -p {port-number}' webadmin@{remote-ip}:/path/to/copy /local/path
# Show memory & cpu:
cat /proc/meminfo
cat /proc/cpuinfo
# Show linux version:
uname -a
# Show history of commands:
# Run as admin user and then sudo to root shell
su - %admin-user%
sudo -s
# Check to see who you are:
# Shell symbols:
# = root
$ = non-root user
# Network:
ip addr
ip link
# Install CentOS7 networking tools to run ifconfig:
yum install net-tools
ifconfig -a
dhclient -r  #release the DHCP lease on all interfaces
dhclient  #request a new DHCP lease (release followed by request = renew)
ifconfig  #show interface state only; it does not restart networking, for that use: systemctl restart network (or /etc/init.d/network restart)
shutdown now
# Firewalld
firewall-cmd --permanent --direct --add-rule ipv4 filter INPUT 0 -p icmp -s X.X.X.X -j ACCEPT
# How to terminate processes:
ps -A #list all running processes
ps aux | grep [APPNAME]
pidof [APPNAME] #find PID of an app by name
kill [PID]
kill -9 [PID] #forcefully kill PID
killall [APPNAME] #terminate all related processes
pkill [APPNAME] #alternative kill process command
# Searching
find /home/webadmin/webserver -name "*.log"
# Ports and Daemons:
netstat -tlnp
# Append text at end of file (>> appends; a single > would overwrite the file)
cat << EOF >> /path/to/filename
line 1
line 2
EOF
# Check OS
uname -a
cat /etc/redhat-release #specific to Redhat/CentOS
# check IP
ip addr
ip addr show eth0
# Check services running on ports
sudo netstat -tulpn
# Check service by name
service mysql status        #old command
systemctl status mysql        #systemd (newer command)
ps aux | grep mysql
pgrep mysql
# View services by cpu/mem consumption
# Disk free
df -ah         #all human readable
# Size of a directory
du -sh /usr    #disk usage size human readable
# How to mount
mount     #check existing
mount /dev/sda2 /mnt    #mount sda2 to /mnt
# check disk partitions
# View disks and mount points
sudo fdisk -l
# Insert line to file after matching pattern
sed -i '/PATTERN-TO-MATCH/a NEW-LINE' /path/to/file
# Check OS Versions
[webadmin@server01 ~]$ lsb_release -a
LSB Version:    :core-4.0-ia32:core-4.0-noarch
Distributor ID:    Fedora
Description:    Fedora release 14 (Laughlin)
Release:    14
Codename:    Laughlin
[webadmin@server02 ~]$ cat /proc/version
Linux version 2.6.32-028stab118.1 (root@kbuild-rh5-x64) (gcc version 4.1.2 20080704 (Red Hat 4.1.2-46)) #1 SMP Thu Feb 12 16:43:22 MSK 2015
[webadmin@server03]$ cat /etc/redhat-release
CentOS release 6.5 (Final)
– pwd – show current directory
– cd – change current directory
– ls – list directory contents
– chmod – change file permissions
– chown – change file ownership
– cp – copy files
– mv – move files
– rm – remove files
– mkdir – make directory
– rmdir – remove directory
– cat – dump file contents
– less – progressively dump file
– vi – edit file (complex)
– nano – edit file (simple)
– head – trim dump to top
– tail – trim dump to bottom
– echo – print/dump value
– env – dump environment variables
– export – set environment variable
– history – dump command history
– grep – search dump for strings
– man – get help on command
– apropos – show list of man pages
– find – search for files
– tar – create/extract file archives
– gzip – compress a file
– gunzip – decompress a file
– du – show disk usage
– df – show disk free space
– mount – mount disks
– tee – write dump to file in parallel
– hexdump – readable binary dumps

List all running processes:
# ps axu |more

List ssh processes, hung sessions:
# ps aux | grep ssh

list active processes:

# top

Check to see who else is logged on:

# who
Find an application:

# which [appname]

Shutdown immediately:

# shutdown -h now

# shutdown -r now  (reboot)

Find out who owns a file or folder:

# stat [path-to-file-or-folder]

Change access permissions:

chown [user]:[group] [path-to-file-or-folder]

chmod [666/755/775/777] [path-to-file-or-folder]

check disk space:

# df

# hostname: to display name of server

# domainname: to display the domain name where server resides

Clear sendmail dir:

# cd /var/spool/mqueue

# rm -rf *

Yum install sendmail
service sendmail start
echo "Subject: test" | sendmail -v
Commands to backup database:
/opt/lampp/bin/mysqldump -u root -p sexcenter > /home/sexcenter.sql
/opt/lampp/bin/mysqldump -u sexcenter -p gallery2 > /home/gallery2.sql
database files location:
Backup Pertinent files:
cp -r /opt/lampp/htdocs/sexcenter /home/sexcenter
cp -r /opt/lampp/gallery69 /home/gallery69
Use GZip:
cd /home
gzip sexcenter.sql gallery2.sql
gzip -r sexcenter gallery69
gzip sexcenter.sql.gz gallery2.sql.gz sexcenter.gz gallery69.gz > backup.gz
GunZip decompress:
gunzip backup.gz
gunzip -r sexcenter
gunzip -r gallery69
TAR: create
tar cvzf backup.tar.gz sexcenter gallery69 gallery2.sql.gz sexcenter.sql.gz
UNTAR: extract
tar xvzf backup.tar.gz
Most often you find Tar and Gzip used in concert to create “gzipped archives” with .tar.gz extensions (or the abbreviated form, .tgz). While you can obviously use the commands separately, tar’s -z option feeds the archive through gzip after packing and before unpacking. Thus:
% tar -czvf archive.tar.gz file1 file2 dir/
Creates a gzipped archive, archive.tar.gz.
% tar -xzvf archive.tar.gz
Extracts all files from the gzipped archive and,
% tar -tzvf archive.tar.gz
Lists the contents of the gzipped archive without extracting them. (You can also have tar use other compression tools such as bzip2 [-j] and compress [-Z])
chown -hR nobody /opt/lampp/htdocs
cp -rf /home /media/KT_EXTERNAL/website
tcpdump not tcp port 22
shutdown -h now         #force shutdown
shutdown -r                # reboot
Set the clock:
hwclock --set --date='09/27/07 21:08:40' --utc
hwclock --hctosys

Implement Docker & Portainer

OS: base image Centos 7

Create network bridge from command line:

# Network: x.x.x.128/26 Range: x.x.x.128-190 broadcast: x.x.x.191
docker network create -d macvlan \
--subnet= \
--gateway= \
--ip-range= \
-o parent=enp3s0f0 \
# show result
docker network ls

Install Portainer:

# Create persistent volume
docker volume create portainer_data
# check created volumes
ls /var/lib/docker/volumes/
# Generate certs (optional and assuming no HAProxy). Use ONE of the two key commands below; the second would overwrite the first
openssl genrsa -out portainer.key 2048                         # RSA 2048-bit key
openssl ecparam -genkey -name secp384r1 -out portainer.key     # or: EC P-384 key
openssl req -new -x509 -sha256 -key portainer.key -out portainer.crt -days 3650
# Input these values
#Country Name (2 letter code) [XX]:US
#State or Province Name (full name):California
#Locality Name (eg, city) [Default City]:Long Beach
#Organization Name (eg, company) [Default Company Ltd]:kimconnect
#Organizational Unit Name (eg, section):Cloud
#Common Name (eg, your name or your server’s hostname)]
# move files into /local-certs
mkdir /var/lib/docker/volumes/portainer_data/certs
mv ~/portainer.crt /var/lib/docker/volumes/portainer_data/certs
mv ~/portainer.key /var/lib/docker/volumes/portainer_data/certs
# Kernel and iptables configuration - enable IP forwarding (this is a sysctl, not an SELinux setting)
sysctl net.ipv4.conf.all.forwarding=1
sudo iptables -P FORWARD ACCEPT
# Run portainer with privileged mode, SSL, persistent volume and company logo
docker run -d --privileged -p 9000:9000 --name portainer --restart always -v /var/lib/docker/volumes/portainer_data/certs:/certs -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/portainer_data portainer/portainer --ssl --sslcert /certs/portainer.crt --sslkey /certs/portainer.key --logo ""
# Configure firewall to open port 9000
# First discover the active zone of current machine
firewall-cmd --get-active-zones
# Open port 9000 to the public zone and reload firewalld
firewall-cmd --zone=public --add-port=9000/tcp --permanent
firewall-cmd --reload

Access Portainer via browser at the host’s IP

Manage Endpoints:

LDAP Integration:
Assuming that LDAP is already available in the environment, Portainer can be configured to use LDAP authentication as follows:
{Settings} > {Authentication} > {LDAP}
Reader DN: cn=root,dc=kimconnect,dc=com
Password: standard
Use TLS: true
Skip verification: true
base DN: dc=kimconnect,dc=com
Username attribute = uid
Filter: (objectClass=*)
Group Base DN: ou=people,dc=kimconnect,dc=com
Group Membership: memberOf
Group Filter: (objectClass=*)
Click {Test Connection} > {Save settings} > use a different browser to test login with an LDAP account to verify access

Dockerfile (Sample)

  • vim ~/Dockerfile
FROM ubuntu:16.04
RUN apt-get update && apt-get install -y curl vim ntp ntpdate cvs rsync git wget openssh-server tar iputils-ping tzdata
ENV TZ=America/Los_Angeles
RUN ln -snf /usr/share/zoneinfo/$TZ /etc/localtime && echo $TZ > /etc/timezone
RUN mkdir /var/run/sshd
RUN echo 'root:[insert-password-here]' | chpasswd
RUN sed -i 's/PermitRootLogin prohibit-password/PermitRootLogin yes/' /etc/ssh/sshd_config
# SSH login fix: the pam_loginuid.so substitution from the Docker docs sshd example
RUN sed 's@session\s*required\s*pam_loginuid.so@session optional pam_loginuid.so@g' -i /etc/pam.d/sshd
ENV NOTVISIBLE "in users profile"
RUN echo "export VISIBLE=now" >> /etc/profile
CMD ["/usr/sbin/sshd", "-D"]
  • docker build -t ubuntu16_baseline .

Working with Repos

# Change into webadmin as that account has been given sudo access as required to build images
su – webadmin
# Check to see if ssh key is available
cat .ssh/
# If not, generate ssh key
ssh-keygen -t rsa
# view the ssh key
cat .ssh/
# Copy the output (key string) and paste it into
# Gitlab profile keys:
# Prepare projects folder and clone the git repo
mkdir /home/webadmin/projects
cd /home/webadmin/projects
git init
git clone
cd app1/
# build the image
sudo docker build -t app1 .
# After image named “app1” is built
# Access Portainer UI to create a container with that image

Working with Docker via CLI

Creating a Baseline Image of Ubuntu 16
# Download Ubuntu 16.04 LTS
[root@docker]# docker pull ubuntu:16.04
# Check Image_ID of Ubuntu
[root@docker]# docker images
ubuntu 16.04 b9e15a5d1e1a 29 hours ago 115MB
portainer/portainer latest 6827bc26a94d 5 weeks ago 58.5MB
alpine latest 11cd0b38bc3c 2 months ago 4.41MB
# Start a container from the Ubuntu image by its Image_ID to obtain a new container ID
[root@docker]# docker run -i -t b9e15a5d1e1a /bin/bash
root@77fc4f0f4910:/# exit
[root@docker ~]# docker ps -a
77fc4f0f4910 b9e15a5d1e1a "/bin/bash" 2 minutes ago Exited (0) About a minute ago    dreamy_fermi
172eae6e386a portainer/portainer "/portainer --ssl --…" 33 minutes ago Up 33 minutes>9000/tcp portainer
de82f3306700 alpine:latest "/bin/sh" 2 hours ago Up 31 minutes            alpine-test
# Modify cloned Ubuntu container and merge changes to the downloaded Ubuntu 16.04 image
docker start 77fc4f0f4910
docker attach 77fc4f0f4910
apt-get update
apt-get upgrade
apt-get install -y curl vim ntp ntpdate cvs rsync git wget openssh-server tar
ntpdate -u -s
# Set root password
root@77fc4f0f4910:/# passwd
Enter new UNIX password:
Retype new UNIX password:
passwd: password updated successfully
# enable ssh-root-login
sed -i 's/prohibit-password/yes/' /etc/ssh/sshd_config
service ssh reload
# Setup OpenSSH to autostart (this setting doesn't persist)
systemctl enable ssh
docker commit 77fc4f0f4910 ubuntu:16.04
# Check to verify that the modified Ubuntu image has been committed
[root@docker ~]# docker image ls
ubuntu 16.04 0a7e4f1e1fdc 19 minutes ago 304MB
ubuntu <none> b9e15a5d1e1a 29 hours ago 115MB
portainer/portainer latest 6827bc26a94d 5 weeks ago 58.5MB
alpine latest 11cd0b38bc3c 2 months ago 4.41MB
Frequently Used Commands
# Check running containers
docker container ls -a
# How to stop a running container
docker stop container_name
# Remove a container
docker container rm container_id
# Connect portainer to qa-vlan
docker network connect qa-vlan container_name
# Run a test container based on Alpine Linux (very small)
docker run -itd \
--network qa-vlan \
--name alpine-test \
# Inspect alpine-test and look for the "Networking" node to copy its MAC address
docker container inspect alpine-test
# Discover what the container's interfaces are showing and check its route
docker exec alpine-test ip addr show eth0
docker exec alpine-test ip route

Working with Portainer GUI

Home > click on an Endpoint > {Containers} > {Add container} > input these variables:
Create container:
Name = remote_automation
Image = ubuntu16_baseline:latest
Always pull the image = true
Publish all exposed ports = true
Enable access control = false
Console = Interactive & TTY
volume = remote_automation (writeable)
network = qa-vlan
Hostname = remote-automation
Domain Name =
IPv4 Address =
Restart Policy:
Restart policy = always

Set Memory & CPU limits:

Finally, click {Create container} > wait a few seconds to be redirected back to the Containers List

Old Notes:

# Install docker
yum install -y docker
systemctl enable docker
systemctl start docker
# Run docker
# docker volume create portainer_data
docker run --privileged --restart always --name=portainer -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v portainer_data:/data portainer/portainer
# Check running containers
docker ps -a
# Hide container
docker run -d --label owner=acme portainer
# Change container name
docker rename CONTAINER NEW_NAME
#### Delete all Containers and Images ####
#### Warning: this is irreversible ####
# Delete all containers
docker rm $(docker ps -a -q)
# Delete all images
docker rmi $(docker images -q)
# Create persistent volume
# Remove stopped containers, unused networks and dangling images (docker network prune -f removes only the networks)
docker system prune -f
# Remove all unused volumes
docker system prune –volumes -f
# Remove all stopped containers
docker container prune -f
# Remove all unused images
docker image prune -f
# Stop and remove all containers
docker container stop $(docker container ls -aq)
docker container rm $(docker container ls -aq)
docker volume create portainer_data
cd /var/lib/docker/volumes/
mkdir portainer_data
# mkdir cert && cd cert
# Run portainer (all -v mounts must come before the image name; anything after it is passed to portainer as its own arguments)
docker run -d --privileged -p 9000:9000 --name=portainer --restart always -v portainer_data:/portainer_data -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer
docker run -d --privileged -p 9000:9000 --name=portainer --restart always -v portainer_data:/portainer_data -v /var/run/docker.sock:/var/run/docker.sock -v /var/lib/docker/volumes/portainer_data/certs:/certs portainer/portainer
# Set the Admin username and password:
# Troubleshooting firewall – use as needed
iptables -A INPUT -i docker0 -j ACCEPT
iptables -I INPUT 4 -p tcp -m state --state NEW -m tcp --dport 9000 -j ACCEPT
iptables -A INPUT -p tcp -m tcp --dport 9000 -j ACCEPT
# Enable IP forwarding
sysctl net.ipv4.conf.all.forwarding=1
firewall-cmd --permanent --zone=public --add-port=9000/tcp
# Test SSL connection
openssl s_client -connect -prexit | less
# Stop/remove all running containers
docker stop $(docker ps -aq)
docker rm $(docker ps -aq)
# Remove all images
docker rmi $(docker images -q)
# Check logs
docker logs --tail 50 --follow --timestamps CONTAINERNAME
#################################################### OLD INFO #################################################
#### Install Docker ####
# Cleanup yum
yum clean all
# List repos
yum repolist
# enable Extras
vim /etc/yum.repos.d/CentOS_Base.repo
# Add enabled=1 into the Extras repos section
yum -y update
# Install prerequisites
sudo yum install -y yum-utils device-mapper-persistent-data lvm2
# Add Docker repo
yum-config-manager --add-repo
# Install Docker-CE
yum -y install docker-ce docker-ce-cli
# Start Docker
systemctl start docker
# “Mount Drive” driver
curl -fsSL | sudo bash
#### General SSL cert and key ####
openssl x509 -outform der -in /etc/letsencrypt/live/
-out /etc/letsencrypt/live/
openssl pkey -in /etc/letsencrypt/live/ -out /etc/letsencrypt/live/
#### Install Portainer ####
docker volume create portainer_data
ls /var/lib/docker/volumes
mkdir /var/lib/docker/volumes/portainer_data/certs
docker run -d --privileged -p 9000:9000 --name portainer --restart always -v "/var/run/docker.sock:/var/run/docker.sock" -v ~/local-certs:/certs -v portainer_data:/data portainer/portainer:latest --ssl --sslcert /etc/letsencrypt/live/ --sslkey /etc/letsencrypt/live/
docker run -d --privileged -p 9000:9000 --name portainer --restart always -v "/var/run/docker.sock:/var/run/docker.sock" -v portainer_data:/data -l owner=acme portainer/portainer:latest
# With Logo
$ docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock portainer/portainer --logo ""
# mypassword is plaintext here
$ echo -n mypassword > /etc/letsencrypt/live/
$ docker run -d -p 9000:9000 -v /var/run/docker.sock:/var/run/docker.sock -v /tmp/portainer_password:/tmp/portainer_password portainer/portainer --admin-password-file /tmp/portainer_password
# Firewall stuff
firewall-cmd --permanent --zone=public --add-port=9000/tcp
firewall-cmd --permanent --zone=public --add-port=80/tcp
firewall-cmd --permanent --zone=public --add-port=443/tcp
firewall-cmd --reload
firewall-cmd --permanent --zone=trusted --change-interface=docker0
firewall-cmd --permanent --zone=trusted --add-port=8000/tcp
firewall-cmd --reload
# Remove container by name
docker container ls
docker stop {instance_ID}
docker rm /portainer
# Resolve maxconnections issue
--ulimit nofile=65536:65536
# OR run at command
ulimit -u unlimited
### Optional Section ###
# optional: add a user into the Docker group
usermod -aG docker kimconnect
# optional: remove and cleanup docker
yum remove docker-ce
rm -rf /var/lib/docker
# Remove older versions of Docker
yum remove docker docker-client docker-client-latest docker-common docker-latest docker-latest-logrotate docker-logrotate docker-engine

Restricting Access to Directory in Windows Shares

– Only allow Admins write access to root folders
– NTFS permissions at root directory for the “Everyone” group: Traverse Folder, List Folder
– Enable access based enumeration on the share so that users can view ONLY the folders they can access
– Create and apply security domain local groups with explicit permission semantics such as:
  – FILESERVER1_Global_Accounting_ReadOnly or SHAREPOINT_Accounting_ReadOnly
  – FILESERVER1_Global_Accounting_Modify
  – FILESERVER1_Global_Accounting_FullControl
– Create a Global Deny group and add all disabled accounts into it
– Apply the Global Deny group to the root directory with Deny Full Control permissions

How to Setup Microsoft Failover Cluster with PowerShell

First-time Setup:

New-Cluster -Name {CLUSTERNAME} -Node SERVER1,SERVER2 -NoStorage -StaticAddress IP1,IP2

# Add CLUSTERNAME$ into the NTFS permissions list of \\FILESERVER1\SHARE1 before this next command

Set-ClusterQuorum -NodeAndFileShareMajority "\\FILESERVER1\SHARE1"

Remove Cluster:

Get-Cluster    #Check clustername on a particular host
$nodes="SERVER1","SERVER2"
foreach ($node in $nodes){Remove-ClusterNode -Name $node -Force}

# Run this command on each node SERVER1 and SERVER2

Clear-Clusternode #on each node
Rebuild cluster:

New-Cluster -Name CLUSTER1 -Node SERVER1,SERVER2,SERVER3 -NoStorage -StaticAddress IP1,IP2

# Run this command on a DC to replicate changes immediately:  

repadmin /syncall on DC2

# Add CLUSTERNAME$ into the NTFS Permissions List of: \\FILESERVER1\ QUORUM

Set-ClusterQuorum -NodeAndFileShareMajority "\\FILESERVER1\QUORUM"

# Place all nodes into same AD OU

# Check CLUSTERNAME to ensure that it has IPs for each subnet of its nodes.

# Add SecondIP to Cluster
Add-ClusterResource -Name SecondIP -ResourceType "IP Address" -Group "Cluster Group"

# Manually configure this new item using Failover Cluster Manager
# On the Dependencies tab of CLUSTERNAME, set OR conditions to depend on both IPs

# Edit each IP on Advanced Properties with appropriate owner(s) that are in the correct subnet

# Test Failover:

Move-ClusterGroup "Cluster Group" -node SERVER1

Move-ClusterGroup "Cluster Group" -node SERVER2

Move-ClusterGroup "Cluster Group" -node SERVER3

DD for Ubuntu & Windows

  • DD on Ubuntu

kdoan-admin@kdoan-laptop:~$ sudo dd if='/home/kdoan/Downloads/CentOS-7-x86_64-Minimal-1804.iso' of=/dev/sdb
[sudo] password for kdoan-admin:
1855488+0 records in
1855488+0 records out
950009856 bytes (950 MB, 906 MiB) copied, 294.921 s, 3.2 MB/s

  • How to Use Windows Disk Partition:

Microsoft DiskPart version 6.1.7601
Copyright (C) 1999-2008 Microsoft Corporation.
On computer: GAMING-PC

DISKPART> list disk

  Disk ###  Status         Size     Free     Dyn  Gpt
  --------  -------------  -------  -------  ---  ---
  Disk 0    Online          238 GB      0 B        *
  Disk 1    Online         1898 MB  1897 MB
DISKPART> select disk 1
Disk 1 is now the selected disk.
DISKPART> clean
# Note: sometimes the disk must be cleaned several times for the OS to recognize it
DiskPart succeeded in cleaning the disk.
DISKPART> create partition primary
DiskPart succeeded in creating the specified partition.
DISKPART> active
DiskPart marked the current partition as active.
DISKPART> format fs=fat32 quick
100 percent completed
DiskPart successfully formatted the volume.
DISKPART> assign
DiskPart successfully assigned the drive letter or mount point.
Leaving DiskPart…

  • How use DD for Windows

# Find the removable media path:
C:\Windows\system32>dd --list
rawwrite dd for windows version 1.0beta1 WIN64.
Written by John Newbigin <>
This program is covered by terms of the GPL Version 2.

Win32 Available Volume Information
\\.\Volume{679e0884-4c68-11e5-b15e-806e6f6e6963}\
  link to \\?\Device\HarddiskVolume1
  fixed media
  Not mounted

\\.\Volume{2ea37b2c-9a5a-11e8-92dd-7824af3a405d}\
  link to \\?\Device\HarddiskVolume3
  removeable media
  Mounted on \\.\d:

\\.\Volume{679e0885-4c68-11e5-b15e-806e6f6e6963}\
  link to \\?\Device\HarddiskVolume2
  fixed media
  Mounted on \\.\c:

NT Block Device Objects
\\?\Device\Harddisk0\Partition0
  link to \\?\Device\Harddisk0\DR0
  Fixed hard disk media. Block size = 512
  size is 256060514304 bytes
\\?\Device\Harddisk0\Partition1
  link to \\?\Device\HarddiskVolume1
\\?\Device\Harddisk0\Partition2
  link to \\?\Device\HarddiskVolume2
\\?\Device\Harddisk1\Partition0
  link to \\?\Device\Harddisk1\DR1
  Removable media other than floppy. Block size = 512
  size is 1990197248 bytes
\\?\Device\Harddisk1\Partition1
  link to \\?\Device\HarddiskVolume3
  Removable media other than floppy. Block size = 512
  size is 1990131712 bytes

Virtual input devices
  /dev/zero    (null data)
  /dev/random  (pseudo-random data)
  -            (standard input)

Virtual output devices
  -            (standard output)
  /dev/null    (discard the data)

# Write onto D volume
C:\Windows\system32>dd if=C:\Users\Adrian\Desktop\CentOS-7-x86_64-Minimal-1804.iso of=\\.\d: bs=512
rawwrite dd for windows version 1.0beta1 WIN64.
Written by John Newbigin <>
This program is covered by terms of the GPL Version 2.

Installing Team Foundation Server

1. Installation
a. All in one
b. Separate TFS and database (advanced)

2. Setup reporting
a. Warehouse database
b. Analysis services
c. Reports

3. Configure Extension for Sharepoint
TFS Administration Console > {servername} > Application Tier > Extensions for Sharepoint Products > Grant Access > URL for TFS = http://{servername}:8080/tfs , Sharepoint web application = http://{sharepointservername}/ > OK

4. Configure TFS Build Service
Run tfs_server.exe > Configuration Center opens > select Configure Team Foundation Build Service > Start Wizard > Next > Select Team Project Collection = browse toward the correct Team Project Collection > Next > Build Services opens, use the default setting > Next > Run Team Foundation Service as a user account = {Domain_Name}\{Service_Account} > Next > Next > Configure

5. Create Team Project Collection
TFS Administration Console > Team Project Collections > DefaultCollection would appear > Click Create Collection > give the new collection a name that describes its purpose > fill in Description > Next > Enter the data tier where the Team Project Collection will reside > Create a new database for this collection > Next > click Next to accept the predefined Reports configuration > Next > Verify > Complete > Close

How to Install SSL Certificate(s) on Various Web Servers

Public facing websites often become targets of attacks such as eavesdropping, denial of service, spoofing, etc. In the case of eavesdropping, an SSL certificate can be installed so that the hosting server and each client browser can reasonably form a secure communication channel. Hence, it has become common practice for web administrators to implement this technology.

IIS 5 & 6

Legacy OS such as Windows 2000 & 2003 still serve as production servers today. Thus, it serves an administrator’s interest to know how to assign an SSL cert on these machines.
Step 1: Obtain a publicly signed certificate
There are many public SSL certificate providers on the Internet. An example of a free service would be StartSSL, and a paid subscription would be GeoTrust. The certificate should come with the extension *.key, *.crt, *.der, *.pem, or *.pfx (IIS 5’s default).
Step 2: Apply the certificate to a website
Start >> All Programs >> Administrative Tools >> Internet Information Service (IIS) Manager >> browse to {server_name} >> Web Sites >> right-click on the correct {website_name} >> Properties >> select the Directory Security tab >> click on Server Certificate >> Next >> select the radio button next to Assign an existing certificate >> Next >> select the correct certificate (one may choose to add a new certificate to this server if the list does not present a valid item) >> Next >> input the port number as 443 >> Next >> Next >> Finish >> click on Edit >> put a check mark next to “Require secure channel (SSL)” and “Require 128-bit encryption” >> select any or all item(s) if there is a pop-up list >> click OK >> Apply >> OK

IIS 7 & 7.5

There are two types of certificates that could be installed on IIS: a site certificate or an intermediate certificate. The former is a normal cert that should be applied directly on the server that hosts the content, while the latter should be installed on an IIS that behaves as a relay or proxy to complete the chain of trust between a web host, a proxy, and a client browser.
Start >> Internet Information Services (IIS) Manager >> expand to select the correct server >> double-click on Server Certificates >> click Complete Certificate Request from the right hand side panel >> click … to browse to the location of the certificate file >> click Open >> input a Friendly Name for this cert >> to bind this new cert, navigate back to the server where the cert has been installed within the Internet Information Services (IIS) Manager >> expand Sites >> select the desired site to be secured with SSL >> click Bindings from the Action Panel on the right hand side >> Add >> a Site Binding window appears >> select HTTPS as type, choose All Unassigned as IP Address, input 443 as the port number, and pick the correct cert that has been installed previously >> OK >> OK

IIS 8 & 8.5

Windows Server 2012 is bundled with IIS 8, and Windows 2012 R2 comes with IIS 8.5. The administration process for these two versions is very similar.
Right-click on the Windows icon >> Run >> INETMGR.exe >> Enter >> locate the desired server by its icon >> double-click “Server Certificates” >> click Complete Certificate Request from the right side (Actions Menu) >> click … >> browse to the path of the cert >> OK >> input the Friendly name such as {} >> click on the drop-down menu to choose the certificate store type (i.e. Web Hosting) >> OK >> to bind this new cert, navigate back to the server where the cert has been installed within the Internet Information Services (IIS) Manager >> click on Bindings from the right side Action Menu >> Add >> choose HTTPS as Type, All Unassigned as IP address, and {} as SSL certificate >> OK >> repeat this process to install additional certificates for other sites being hosted by this server

NGINX

Step 1: Edit the server block to enable SSL support. Please note that if NGINX has been manually compiled, it must be compiled with the option to support SSL.
(A) Stop NGINX with this command: killall -9 nginx
(B) Add the following sample script into the server block

server {
    listen 443;
    server_name <FQDN>;
    ssl on;
    ssl_certificate <Path_to_Certificate>;
    ssl_certificate_key <Path_to_SSL_Key>;
    root <EMPTY DIRECTORY>;
    location / {…}
}

Step 2: Restart NGINX with one of these commands, depending on the Linux flavor and NGINX installation method:
/usr/local/nginx/sbin/nginx -s reload
/etc/init.d/nginx restart
service nginx restart
sudo service nginx restart
sudo /etc/init.d/nginx restart
nginx -s reload

Apache

Step 1: Copy the files to the server with a *.crt file name extension. Two types of certs are required: the Intermediate and the Primary certificates. A private key file is also required, so three (3) files in total are transferred. FTP, SFTP, SAMBA, or SCP could be used to transfer these files. For instance, this is the syntax of the SCP method:
To copy a file from B to A while logged into B:
scp /path/to/file username@a:/path/to/destination
To copy a file from B to A while logged into A:
scp username@b:/path/to/file /path/to/destination

Step 2: Edit httpd.conf or httpd-ssl.conf (depending on the server’s predisposition)
(A) Locate the SSL configuration
grep -i -r "SSLCertificateFile" /etc/httpd/    # where /etc/httpd/ is the base directory of Apache
(B) Edit the file by adding the following block (the address is *:443; a bare 443 would be read as a hostname)

<VirtualHost *:443>
    DocumentRoot /var/www/html
    ServerName www.domain-name.com
    SSLEngine on
    SSLCertificateFile /path/to/primary-cert.crt
    SSLCertificateKeyFile /path/to/ssl-private.key
    SSLCertificateChainFile /path/to/intermediate-cert.crt
</VirtualHost>

Step 3: Reload Apache. Various Linux flavors have different commands to accomplish this task. Also, whether Apache has been compiled from source affects the actual command used to restart HTTPD. The Linux server administrator would know which of these commands to use:
apachectl restart
/sbin/service httpd restart
sudo restart apache2
/usr/sbin/rcapache2 restart
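
Before the reload in Step 3 (or the NGINX restart above), it is worth confirming that the three files actually belong together; a key/cert mismatch or a wrong intermediate makes the reload fail or makes browsers reject the chain. Added example, not from the original article: a small check using only the openssl CLI; the function names are mine, the file roles are the ones named in the Apache block.

```shell
#!/bin/sh
# Added example, not from the original article: validate the primary cert,
# private key and intermediate cert named in the Apache/NGINX steps before
# they are wired into the server config.

# The private key must belong to the certificate: compare the two public keys.
key_matches_cert() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey 2>/dev/null) || return 1
    key_pub=$(openssl pkey -in "$2" -pubout 2>/dev/null) || return 1
    [ "$cert_pub" = "$key_pub" ]
}

# The intermediate must actually issue the primary certificate.
# -partial_chain lets the check stop at the intermediate instead of a root CA.
chain_verifies() {
    openssl verify -partial_chain -CAfile "$2" "$1" >/dev/null 2>&1
}

# Refuse certificates that expire within 30 days (2592000 seconds).
not_expiring_soon() {
    openssl x509 -in "$1" -noout -checkend 2592000 >/dev/null 2>&1
}

# check_cert_set PRIMARY.crt PRIVATE.key INTERMEDIATE.crt
# returns 0 when all checks pass, or 1 / 2 / 3 for key mismatch / bad chain / expiring
check_cert_set() {
    cert="$1"; key="$2"; intermediate="$3"
    key_matches_cert "$cert" "$key"        || { echo "$key does not match $cert" >&2; return 1; }
    chain_verifies "$cert" "$intermediate" || { echo "$intermediate does not issue $cert" >&2; return 2; }
    not_expiring_soon "$cert"              || { echo "$cert expires within 30 days" >&2; return 3; }
    echo "ok: $cert matches $key and chains to $intermediate"
}

# Usage, with the paths from the Apache block above:
#   check_cert_set /path/to/primary-cert.crt /path/to/ssl-private.key /path/to/intermediate-cert.crt \
#       && apachectl restart
```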

IIS Mime Types

One of the features of IIS security is to enforce file access by the associated file extension. As such, objects whose extension has no type association set in IIS, such as .zhp (Swiftview proprietary extension), would not be rendered by a client browser. To resolve such a quirk, one needs to manually add a new entry under “MIME Types” using the convention recommended by the software vendor. The procedure to accomplish a similar task is as follows:

Step 1: open IIS >> browse to the specific “site” such as the one below >> double-click on the “MIME Types” icon

Step 2: click on the “Add” button from the right hand side of Actions menu >> type in the information below

Step 3: on a Windows client, open Internet Explorer and browse toward the site via its FQDN to verify the application’s successful execution

Arrays and Objects

Array.prototype – Allows additional properties to be added to all array objects
Array.from – Creates a new array from an array-like or iterable object
  - Format: newArr = Array.from(arrX);
Array.isArray – Returns true or false depending on whether the tested object is an array
  - Format: Array.isArray(objectX);
Array.of – Creates a new array from its arguments (Array.of(7) gives [7], whereas Array(7) gives an empty array of length 7)
  - Format: Array.of(item1, item2, ...);
Array.prototype.toString – Since the Array type is a derivative of the Object type, this method overrides Object.prototype.toString. The function is as named: it joins the elements with commas.
  - Format: arr.toString();
Array.prototype.values() – Returns a new Array Iterator object that contains the values for each index in the array.
find – Returns the value of the first element found in the array. The result is undefined if none is found.
  - Format: arr.find(callback[, thisArg])
  - Available in ES6
  - Returns one element value
findIndex – Returns the index of the first element in the array that satisfies the provided testing function, or -1 if none is found.
indexOf – Finds the matching item in the array and returns its index position
  - Format: arr.indexOf(searchItem)
lastIndexOf – Returns the index position of the last matching item
  - Format: arr.lastIndexOf(searchElement, fromIndex)
includes – Returns a true or false value indicating whether a matching element exists in the array (the original read "include"; the method name is includes)
  - Format: arr.includes(searchItem);
some – Returns true if at least one element in this array satisfies the provided testing function.
keys – Returns the index positions of the elements in the array
  - Format: Object.keys(arr) or arr.keys()
  - The first format ignores holes, while the second doesn't
filter – Creates a new array with all of the elements of this array for which the provided filtering function returns true.
reduce – Runs a provided function against an accumulator and each element of this array (left to right) and returns the accumulator's final value; it only produces a new array if the callback builds one
  - Format: arr.reduce(function(accumulator, currentElement, indexOfCurrentElement, array) {}, initialValue)
  - The return value of the function above becomes the value of the accumulator for the next iteration
reduceRight – Applies a function against an accumulator and each value of the array (from right to left) so as to reduce it to a single value.
exec – Executes a RegExp against a string
  - Format: regex.exec(str)    where regex = /d(b+)(d)/i; and str is a string such as 'abcd' or 'effasd'
call – Calls the method with the given object as its 'this' value, passing the provided function as the argument
  - This method is generic: on a real array, Array.prototype.{method} can be called directly as arr.{method}(function) without using call; call is needed for array-like objects such as strings or arguments.
  - Format: Array.prototype.{method}.call(object, function)
  - Example (the original had lost the method name; every fits the "only letters" check):
    if (Array.prototype.every.call(str, function isLetter(char) { return char >= 'a' && char <= 'z'; })) {
      console.log("The string '" + str + "' contains only letters!");
    }
apply – Used as Array.prototype.{method}.apply(thisArg, argsArray), where the method is applied to thisArg with the elements of argsArray as its arguments
  - This method is also generic.
forEach – Very useful to replace for loops and make the code cleaner
  - Receives a reference to the original collection
  - Default 'this' value in the callback
  - Returns 'undefined'
  - Each iteration of this method has an immediate effect on the elements of the affected array.
  - Format: arr.forEach(function(item, index, array) { some code })
  - Example of usage (item[0] holds the quantity and item[1] holds the label):
    arr2.forEach(function(newItem) {
      var flag = 0;
      // Loop through the current inventory to update it. If the item is new, the flag stays unset
      arr1.forEach(function(existingItem) {
        if (newItem[1] === existingItem[1]) { existingItem[0] += newItem[0]; flag = 1; }
      });
      // Insert the item if it's new
      if (flag === 0) {
        arr1.push(newItem);
      }
    });
every – Returns true if every element in this array satisfies the provided testing function.
slice – Extracts elements of an existing array into a new copy
  - Format: arr.slice(begin, end)
  - The begin position is included, while the element at the end marker is not included in the extraction
splice – Format: arr.splice(startingIndex, removeItemCount, addItem1, ...)
  - If the starting index is a negative number, it is interpreted as an index counting from the last item of the array
  - How to remove an element from the array (the original passed NaN as a third argument, which replaces the element with NaN instead of removing it):
    arr.splice(arr.indexOf(elementToRemove), 1);
  - How to remove the last two elements of an array: arr.splice(-2);   (slice(-2) only returns a copy of them)
  - How to remove the first two elements of an array: arr.splice(0, 2);   (slice(2) only returns a copy of the rest)
concat – Concatenates the elements of another array onto a new array based on the original
  - Format: arr1.concat(arr2)
join – Joins all elements within the array into a string
  - Format: arr.join(separator);
  - The separator is often "" (no space), " " (space), '-' (dash) or '\n' (new line)
map – Calls a provided function on every element in this array.
  - Differs from the 'forEach' method in that this function returns the results of all iterations in a new array of the same size as the original.
  - Example of an alternative to running two nested 'for' loops (reconstructed; the original had lost the outer calls):
    arr1.map(function(item1) {
      arr2.forEach(function(item2) {
        if (item1[1] === item2[1]) { item1[0] = item1[0] + item2[0]; }
      });
      return item1;
    });
pop – Removes the last element of the array
  - Format: arr.pop()
push – Inserts an element at the last position of the array
  - Format: arr.push(newElement)
shift – Removes the first item of the array
  - Format: arr.shift()
unshift – Adds an item to the front of the array
  - Format: arr.unshift(item)
reverse – Reverses the elements of an array in place
  - Format: arr.reverse();
sort – Sorts the elements within an array in place
  - Example of sorting numerical values:
    arr.sort(function (a, b) { return a - b; });
  - Example of sorting alphabetically (the original had lost the right-hand side of the two assignments):
    items.sort(function(a, b) {
      var nameA = a.name.toUpperCase(); // ignore upper and lowercase
      var nameB = b.name.toUpperCase(); // ignore upper and lowercase
      if (nameA < nameB) {
        return -1;
      }
      if (nameA > nameB) {
        return 1;
      }
      return 0; // when names are equal
    });
  - Example of sorting nested arrays, where arr[...][0] contains the labels to be sorted (the comparator must return a number; the original returned a boolean, which is not a valid ordering):
    arr.sort(function(currItem, nextItem) {
      return currItem[0].localeCompare(nextItem[0]);
    });
length – Returns a number representing the count of array elements

Useful lines:

  • Convert arguments into an array:   var arr = Array.prototype.slice.call(arguments);   (the original had lost the right-hand side; this is the classic idiom, and Array.from(arguments) is the ES6 form)
  • Remove duplicates within an array:   arr.filter(function(elem, index, self) { return index == self.indexOf(elem); })
  • Sum values in a one-dimensional array:   arr.reduce(function (a, b) { return a + b; }, 0)     OR    arr.reduce((a, b) => a + b, 0).toFixed(2);   where 2 is the number of trailing digits desired (note that toFixed returns a string)
  • Flatten nested arrays:   var flattened = [].concat.apply([], nestedArrays);
  • Remove all non-numerical values from an array:   arr.filter(function(element) { return !isNaN(parseFloat(element)) && isFinite(element); });
  • Remove an element from the array:   arr.splice(arr.indexOf(elementToRemove), 1);   (passing NaN as a third argument, as the original did, replaces the element with NaN instead of removing it)

  • To access a property of an object held in an array by a string key, use bracket notation with a quoted key: USA['California'], NOT USA[California] (the unquoted form looks up a variable named California)
  • [...iterable] — the "spread operator" expands all elements of an iterable (an array, a string, a Map) into the new array; an object's own properties are copied with {...object}
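An added example, not code from the original notes, that reworks the inventory merge from the forEach and map entries above with reduce() and a Map, fixes the nested-array sort comparator, and exercises the one-liners from the "Useful lines" list; the sample inventory data and the function names are constructed for the example:

```javascript
// Added example, not from the original notes: the inventory-merge pattern from
// the forEach/map entries, written with reduce() and a Map so each label is
// visited once, plus the sort comparator and one-liners from "Useful lines".
// Item layout follows the notes: [quantity, label].
'use strict';

// Constructed sample data: the current inventory and an incoming shipment.
const inventory = [[5, 'bolt'], [2, 'nut'], [7, 'washer']];
const shipment  = [[3, 'nut'], [4, 'gear'], [1, 'bolt']];

// Merge quantities by label; labels not yet in stock are appended. Returns a
// new array and leaves both inputs untouched, unlike the in-place forEach form.
function mergeInventory(current, incoming) {
  const byLabel = current.concat(incoming).reduce((acc, [qty, label]) => {
    acc.set(label, (acc.get(label) || 0) + qty);
    return acc;
  }, new Map());
  return Array.from(byLabel, ([label, qty]) => [qty, label]);
}

// Sort nested arrays by label. The comparator must return a number: a boolean
// comparator such as `return a[0] > b[0]` is not a consistent ordering.
function sortByLabel(items) {
  return items.slice().sort((a, b) => a[1].localeCompare(b[1]));
}

// Total quantity, i.e. "sum values" applied to the quantity column.
function totalQuantity(items) {
  return items.reduce((sum, [qty]) => sum + qty, 0);
}

// Remove duplicates with the index === indexOf trick from the notes.
function unique(arr) {
  return arr.filter((elem, index, self) => index === self.indexOf(elem));
}

// Flatten one level of nesting with concat.apply, as in the notes.
function flatten(nested) {
  return [].concat.apply([], nested);
}

// Remove an element by value; splice(i, 1) drops it without leaving a hole,
// and a missing value is a no-op (an unchecked indexOf of -1 would make
// splice remove the last element instead).
function removeValue(arr, value) {
  const copy = arr.slice();
  const i = copy.indexOf(value);
  if (i !== -1) copy.splice(i, 1);
  return copy;
}

const merged = sortByLabel(mergeInventory(inventory, shipment));
console.log(merged);                // [[6,'bolt'],[4,'gear'],[5,'nut'],[7,'washer']]
console.log(totalQuantity(merged)); // 22
```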


position: absolute | relative
This is referenced against the first (positioned) parent element. Absolute means the element is removed from the normal flow of content, while relative lets it be offset elsewhere while its reserved space remains intact.

float: left | right; (There are only two directions in which an element can be floated)

img {
  float: right;
  margin-left: 10px;
  width: 100px;   /* the original omitted the unit */
}

p {
  float: left;
  width: 100px;
}

If both elements 'img' and 'p' are to float side by side, they should have the same width. The float properties should be opposite, and the 'img' margin should be set so that element 'p' doesn't get too close.

How to clear float settings:

float: right | left;   (on the floated element)
.clearFloat {
  clear: both | left | right;
}

Note: since a float affects the elements that follow it, a clearing element (a "breaker" carrying the clear rule) can be placed after the floats to protect the downstream elements from them.

Handling the overflow of content:

div {
  width: 100px;
  height: 100px;
  overflow: visible (default) | scroll | hidden | auto (only show scroll bars if overflowing)
}

z-index: works when elements are set with position (the selectors below are placeholders; the original had lost them)

.elementA {
  width: 100px;
  height: 100px;
  color: blue;
  z-index: 5;
  position: relative;
}

.elementB {
  width: 100px;
  height: 100px;
  color: red;
  z-index: 4;
  position: relative;
}

– The match() method retrieves the matches when matching a string against a regular expression. Returns an Array of matches, or null if none is found.
– Format: str.match(regex)
– Same as RegExp.exec() if the regexp doesn't have the /g flag
– Example:
var regex = /(.)\1+/g;
var str = "aab";
console.log(str.match(regex));

logs [ 'aa' ]   (with the /g flag only the matched substrings are returned; without /g the result is [ 'aa', 'a', index: 0, input: 'aab' ], the same shape as exec() returns)
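An added example (not from the original notes) showing what the /g flag changes in str.match() and how an exec() loop recovers the index and capture group for every match; the function names are mine:

```javascript
// Added example, not from the original notes: how the /g flag changes what
// str.match() returns, and how exec() in a loop recovers the index and
// capture group for every match when /g is set.
'use strict';

// Runs of a repeated character, as in the notes: (.) captures a char, \1+ repeats it.
const RUN_GLOBAL = /(.)\1+/g;
const RUN_SINGLE = /(.)\1+/;

// With /g: just the matched substrings, no index/input/captures.
function allRuns(str) {
  return str.match(RUN_GLOBAL) || []; // match() returns null when nothing matches
}

// Without /g: same shape as exec(): [full, group1, ...] plus index and input.
function firstRun(str) {
  const m = str.match(RUN_SINGLE);
  return m ? { text: m[0], char: m[1], index: m.index } : null;
}

// exec() with a /g regex advances lastIndex on each call, so a loop yields
// every match with its position and captures. A fresh RegExp is built so
// lastIndex starts at 0 regardless of earlier calls on the shared constant.
function runsWithIndex(str) {
  const out = [];
  const re = new RegExp(RUN_GLOBAL.source, 'g');
  let m;
  while ((m = re.exec(str)) !== null) {
    out.push({ text: m[0], char: m[1], index: m.index });
  }
  return out;
}

console.log(allRuns('aab'));          // [ 'aa' ]
console.log(firstRun('aab'));         // { text: 'aa', char: 'a', index: 0 }
console.log(runsWithIndex('aabccc')); // 'aa' at 0 and 'ccc' at 3
```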

Kerberos "Second Hop" Problem

Sometimes there is a need to run WinRM into a "Jump Box" (a trusted host in the domain) and run commands from that machine. What happens if those commands in turn issue executions against other machines (2nd hops)? By default this error is raised:

# Error caused by the Kerberos "second hop" problem: the 1st hop is the invoke, the 2nd hop is the connection to the target server

ERROR: Access is denied.
+ CategoryInfo : NotSpecified: (ERROR: Access is denied.:String) [], RemoteException
+ FullyQualifiedErrorId : NativeCommandError
+ PSComputerName : localhost

NotSpecified: (:) [], RemoteException

This prohibition is by design. Imagine a Windows domain where one could hop from one host to the next without any traces; that would be very insecure. To selectively enable 2nd hops, there are a few alternatives:

1. The permanent solution is to configure Constrained Delegation on Windows Server 2012 or newer

2. Credential Security Service Provider (CredSSP) protocol

Run this command on JUMPBOX01 to allow it to delegate credentials via CredSSP to DC01 (the original line had lost the -Role and -DelegateComputer parameter names):

Enable-WSManCredSSP -Role Client -DelegateComputer DC01 -Force

With CredSSP the user's credentials are handed to DC01 and held there for the life of the session, which is why the delegate list should name specific hosts rather than a wildcard.

Run this command on DC01 to enable the CredSSP server role:

Enable-WSManCredSSP -Role Server -Force

Open the session from JUMPBOX01, the zero hop:

# Credentials section
$username = "KIMCONNECT\" + (Read-Host -Prompt "Input the username")
$password = Read-Host -Prompt "Input the password for account $username" -AsSecureString
$cred = New-Object -TypeName System.Management.Automation.PSCredential -ArgumentList $username, $password

# Authenticate to the CredSSP server; New-PSSession returns the session object that Invoke-Command uses below
# (the original called Enter-PSSession, which opens an interactive session and returns nothing to assign)
$elevate = New-PSSession -ComputerName DC01 -Credential $cred -Authentication CredSSP

This is effective in elevating the current shell's privilege level without running into the constraint of not being able to run commands on 2nd-hop target machines. Hence, commands can be issued through this elevated session such as:

# Use the CredSSP session to collect Scheduled Tasks information from a target server
$target = "{targetServer}"
Invoke-Command -Session $elevate -ScriptBlock {
    schtasks.exe /query /s $using:target /V /FO CSV | ConvertFrom-Csv | Where { $_.TaskName -ne "TaskName" }
}

Network Zones

Corporate Head-Quarter:

  1. Extranet: Vendors
  2. Web: Front-end Sites (a) Web (b) Application (c) Data
  3. Public: Public, satellite VPN connections 


  1. Warehouse: (a) scanners (b) guests (c)
  2. Offices (departmental VLAN segregation): (a) Executives (b) Accounting (c) Sales-Marketing (d) Customer-Service (e) IT-Infrastructure (f) DEV (g) InfoSec (h) Returns (j) R-and-D (k) Production
  3. Servers: (a) Data (b) Application (c) Front-End
  4. Printers

Cloud Amazon Web Services & Microsoft Azure:
  1. Web Tier: Availability Zone 1 & 2
  2. App Tier: Availability Zone 1 & 2
  3. Data Tier: Availability Zone 1 & 2

Fixing ‘RPC Server Not Available’

Overview: RPC requires the following ports to function properly:

  • RPC endpoint mapper: TCP 135
  • RPC randomly allocated high TCP ports: TCP 1024 - 5000 | 49152 - 65535
  • SMB (RPC dependency): TCP 445

Troubleshooting Sequence:

Use wbemtest to perform a layer-7 validation of RPC functionality:
Start > Run > wbemtest.exe > click Connect > input the server and namespace in this format: \\{serverName}\root\cimv2 > Connect

Alternatively, Perfmon can also be used for this validation:
Start > Run > perfmon.exe > press Enter > right-click the Performance node > click "Connect to another computer..." > input {serverName} > OK > if there is no connectivity error, we may conclude that WMI over RPC is reachable from this client to the remote server

Another useful tool from Sysinternals:
RDP or VNC into the target server > Start > Run > tcpview.exe > press Enter > sort "Local Port" numerically to locate connections on the RPC port numbers cited previously

Test connectivity to the server at the specified port using the psping utility. Below is a successful result (here against the local host, ::1):
C:\WINDOWS>psping {serverName}:135
TCP connect to ::1:135:
5 iterations (warmup 1) ping test:
Connecting to ::1:135 (warmup): from ::1:7496: 0.26ms
Connecting to ::1:135: from ::1:7497: 0.35ms
Connecting to ::1:135: from ::1:7498: 0.27ms
Connecting to ::1:135: from ::1:7499: 0.31ms

Configure the server's Windows Firewall to allow RPC services:

Set Windows Firewall to allow the static ports:
netsh advfirewall firewall add rule name="RPC" dir=in action=allow protocol=tcp localport=135
netsh advfirewall firewall add rule name="SMB" dir=in action=allow protocol=tcp localport=445

Set the dynamic port range that RPC allocates from (this configures the TCP stack rather than the firewall; only one range can be active, so use the line matching the range your clients expect; num is the count of ports in the range, which the original had confused with the end port):
netsh int ipv4 set dynamicport tcp start=1024 num=3977      # 1024 - 5000
netsh int ipv4 set dynamicport tcp start=49152 num=16384    # 49152 - 65535
netsh int ipv4 show dynamicport tcp    # verify

Alternative method: use PowerShell commands to open the appropriate ports (the original read Net-NetFirewallRule; the cmdlet is New-NetFirewallRule):
New-NetFirewallRule -DisplayName "RPC" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 135
New-NetFirewallRule -DisplayName "SMB" -Direction Inbound -Action Allow -Protocol TCP -LocalPort 445
# Allow the dynamic RPC range; the RPC keyword matches whichever dynamic range the host uses
# (the original used New-NetTransportFilter, which tunes TCP settings and does not open firewall ports)
New-NetFirewallRule -DisplayName "RPC-Dynamic" -Direction Inbound -Action Allow -Protocol TCP -LocalPort RPC

So far, these instructions apply only to the SysAdmin side. On the Network Admin side, the enterprise firewalls also need to allow ingress traffic on the aforementioned ports to the target host. Most likely, egress traffic is already unfiltered from the zone where this target server resides toward the zone(s) where its clients exist.

Symantec Antivirus 10.1: How to delete a Quarantined file

  1. Double-click on the SAV shield icon in your Notification Area (lower right-hand corner of the screen).
  2. From the View menu choose Quarantine.
  3. Select the file you want to delete.
     NOTE: If in.mbx is listed, do NOT delete this file. This is your Eudora inbox. Contact Computer Support.
     To select all files, click on the first file, scroll to the end of the Quarantined files list, hold down the SHIFT key and click on the last file.
  4. Click the Delete button in the toolbar (looks like a red x).
  5. In the Take Action dialog box, click Start Delete.
  6. When the status has changed to Succeeded, click the Close button.
  7. If more documents appear in the list, repeat steps 3 - 6 until finished.
  8. When done, click Close. Click Exit to exit SAV.

Symantec Antivirus 11 Installation Notes

- Endpoint Protection Manager depends on IIS; make sure that under "Default Website" > "Directory Security" > "IP Address and Domain Name Restrictions" access is set to "Granted Access" for all, and that Authentication and Access Control allows "Anonymous access"
- For manual reconfiguration of clients to connect to Endpoint Protection Manager, use SylinkDrop.exe and browse to the Sylink.xml file located inside "C:\Program Files\Symantec\Symantec Endpoint Protection Manager\data\outbox\agent\{some code here}"
- The 12-month subscription license is applied automatically; there is no need to install any licensing file

How to increase the database size limit on Exchange 2003 SP2

Connect to the Server that is running Exchange 2003 SP2
Click Start > Run > type regedit > input Admin credentials > click OK
Click one of the following registry subkeys, as appropriate for the store that you want to increase:
For a mailbox store, edit the following registry subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\{Server name}\Private-{Mailbox Store GUID}
For a public folder store, edit this subkey: HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\MSExchangeIS\{Server name}\Public-{Public Store GUID}
The following sequence sets the Exchange database size limit to its allowable maximum of 75 Gigabytes: Edit > New > DWORD Value > name the new value "Database Size Limit in Gb" > set value = 75 > OK
Restart the Microsoft Exchange Information Store service: Start > Run > type "cmd" > press Enter > type in these lines...
net stop msexchangeis
net start msexchangeis
Examine the Application log to verify that the database size has been set successfully: Start > Run > type "eventvwr.exe" > press Enter > navigate to the Application log > locate event ID 1216 > verify that the database size has been set as configured within the registry