Monday, 12 December 2016

Windows Cluster 2016 Without Active Directory

Having a cluster without a domain is not common; however, if you need to put a cluster into a DMZ, say, and you don't want to expose any domain credentials or risk a denial of service from constant wrong passwords against a domain user, then this could be the solution you are looking for.

Before we start there are a few things you should do:
create an account that the cluster services can use, which must be a member of the local Administrators group on each node, and import the PowerShell modules we will be using.

First the user creation; you will need to run this on each server.
net user /add ClusterAdmin Super!SecurePa22Word
net localgroup administrators ClusterAdmin /add

Naming servers is something you should consider; in my case that was CL for cluster and NODE1-2, as names like WIN-LNF6MLM119B are hard to remember later on.

Renaming the server via PowerShell and restarting is easy.
Rename-Computer -NewName "CL-NODE1"  -Restart
Rename-Computer -NewName "CL-NODE2"  -Restart

If you want to do this remotely then use something like this (-LocalCredential needs a credential object, so prompt for one).
Rename-Computer -ComputerName "WIN-LNF6MLM119B" -NewName "CL-NODE1" -LocalCredential (Get-Credential) -Restart

Just remember you will need to have run Enable-PSRemoting on the target first.

Next, we have to change the local policy on the servers to allow a cluster to be created without Active Directory (the value is a DWORD, so set the type explicitly).
new-itemproperty -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -Name LocalAccountTokenFilterPolicy -Value 1 -PropertyType DWord

Now that is done we can proceed with creating the cluster. I recommend that you check the shared disks and anything else you plan to use in your cluster before starting.

new-cluster -Name <clustername> -Node <servername> -AdministrativeAccessPoint DNS

new-cluster -Name MySQLCluster -Node CL-NODE1,CL-NODE2 -AdministrativeAccessPoint DNS

After running this command you will get one of three outcomes: a failure, in which case I recommend you recheck your steps; a message telling you the cluster is done; or a cluster created with some warnings, which usually point at missing best practices and are worth fixing.



Tuesday, 6 December 2016

SQL Server on Ubuntu Server First Look

I have to say SQL Server has always been one of Microsoft's better products, and seeing it make the transition to Linux can only be a good thing.

However, at the same time, I am a little disappointed that the current build has such large limitations, even for a public preview.

There is no working SQL Management Studio for Linux, so all commands are issued either from a Windows PC over the network or via SQLCMD; the SQL Agent service doesn't work yet, and even Always On availability groups are not yet available.

That said, you can see that the framework is there and even Active Directory authentication is almost working; however, you will get an error if you try to add a user.

The install process is simple enough: just add the repository and then make sure your SA password is complex enough.

curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

curl https://packages.microsoft.com/config/ubuntu/16.04/mssql-server.list | sudo tee /etc/apt/sources.list.d/mssql-server.list


sudo apt-get update && sudo apt-get install -y mssql-server

sudo /opt/mssql/bin/sqlservr-setup


Once you have your server up you'll need some tools, unless you plan to manage it over the network using SQL Management Studio.

Installing BCP and SQLCMD is also a quick and painless activity.

curl https://packages.microsoft.com/keys/microsoft.asc | sudo apt-key add -

curl https://packages.microsoft.com/config/ubuntu/16.04/prod.list | sudo tee /etc/apt/sources.list.d/msprod.list

sudo apt-get update && sudo apt-get install mssql-tools

There is also a Docker image available, and if you are already using Docker in your environment this is a perfect way to go, or even if you are just testing for development use.

sudo docker run -e 'ACCEPT_EULA=Y' -e 'SA_PASSWORD=<YourStrong!Passw0rd>' -p 1433:1433 -d microsoft/mssql-server-linux
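The docker command above puts the SA password on the command line, where it ends up in shell history and in the process list of the host while the container starts. The script below is an added example, not code from the post or from Microsoft: it checks a candidate SA password against the complexity rule the SQL Server setup enforces (at least 8 characters from at least three of the four classes upper, lower, digit, symbol), reads the password from a root-only env file instead, and starts the same container with docker's --env-file. The env-file path and the helper names are assumptions made for this example.

```shell
#!/bin/sh
# Added example, not from the original post: validate an SA password and start the
# mssql-server-linux container without the password on the command line.

# SQL Server policy: at least 8 characters drawn from at least three of the four
# classes upper, lower, digit, symbol.
sa_password_ok() {
    pw=$1
    classes=0
    [ "${#pw}" -ge 8 ] || return 1
    printf '%s' "$pw" | grep -q '[[:upper:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:lower:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[[:digit:]]' && classes=$((classes + 1))
    printf '%s' "$pw" | grep -q '[^[:alnum:]]' && classes=$((classes + 1))
    [ "$classes" -ge 3 ]
}

# Read SA_PASSWORD=<value> from a file only root can read, so the secret does not
# land in shell history or in "ps" output of the docker command.
read_sa_password() {
    env_file=$1
    [ -f "$env_file" ] || { echo "$env_file: not found" >&2; return 1; }
    [ "$(stat -c %a "$env_file")" = "600" ] || { echo "$env_file: must be mode 600" >&2; return 1; }
    sed -n 's/^SA_PASSWORD=//p' "$env_file" | head -n 1
}

# Same container the post starts; --env-file is a real docker flag, the default
# path /root/mssql.env is an assumption for this example.
start_mssql() {
    env_file=${1:-/root/mssql.env}
    pw=$(read_sa_password "$env_file") || return 1
    sa_password_ok "$pw" || { echo "SA password fails the SQL Server complexity policy" >&2; return 1; }
    docker run --env-file "$env_file" -e ACCEPT_EULA=Y -p 1433:1433 -d microsoft/mssql-server-linux
}

# "sh mssql-start.sh start [env-file]" starts the container; with no argument only
# the functions are defined, so the file can also be sourced.
case ${1:-} in
    start) start_mssql "${2:-}" ;;
esac
```

Note that the password is still visible to anyone who can run docker inspect on the host; the env file only keeps it out of history and the process list, which is the gap the one-liner above leaves open.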

Sadly, I was left with the feeling that it will be many more months before a fully working version is released, and that is a shame given the hype Microsoft put into this.

Monday, 5 December 2016

Using PSEXEC and Batch to remotely patch servers

I have written before about the power of using PSEXEC to patch servers and run a query against them; however, nothing is more powerful than using PSEXEC in combination with batch scripts.

So today I'm going to show you how to patch all your servers. First, I'm going to assume you have a list of servers and that you are going to run PSEXEC against them.

for /f %i in (c:\list1.txt) do psexec \\%i -c -d c:\batchfile.bat

Seems easy so far, right? Now, that batch file is going to have to find out if the server is x86 or x64. It can do this quickly using if "%PROCESSOR_ARCHITECTURE%"=="AMD64", which is a true or false test: either you have x64 or you don't, and since we don't have 128-bit servers yet we won't have to worry about a third option just yet.

So this is what our batch file might look like, using else to specify what happens if the server is not x64.

@echo off
setlocal
net use X: \\server\share\
set PATHTOFIXES=x:\update

REM Pick the section for this processor architecture
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO X64) else (GOTO X86)

:X64
%PATHTOFIXES%\SQLServer2014SP2-KB3171021-x64-ENU.exe /quiet /norestart
goto END

:X86
%PATHTOFIXES%\SQLServer2014SP2-KB3171021-x86-ENU.exe /quiet /norestart
goto END

:END
net use x: /d


Now you might be thinking this is great and that you can now use this to patch your 32-bit and 64-bit Windows, and you'd be right, you can. However, since more than 90 percent of us have to work with more than one version of Windows, you'll quickly realise this solves only half the problem: how do you patch Windows 2008 and 2012 in the same file?

Well, not to worry, we have a way around that as well: all we have to do is find the OS version and then, knowing what that version is, jump to the correct section of the batch file.
For the version numbers, see the Microsoft page https://msdn.microsoft.com/en-us/library/ms724832(VS.85).aspx

So here is a simple example. I know that version 6.3 is Windows 2012 R2, so I can test for that and get a yes or no: if yes, jump to that section; if not, continue.

ver | findstr /i "6\.3\." > nul
if %ERRORLEVEL% EQU 0 (
GOTO W2K12R2 )

This works great but can lead to really long scripts when you have more than two or three OS versions; as you can imagine that's a lot of typing for a simple version check. A quicker way is to create one check that covers all the versions.

@echo off
for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
if "%VERSION%" == "10.0" echo Windows Server 2016
if "%VERSION%" == "6.3" echo Windows Server 2012 R2
if "%VERSION%" == "6.2" echo Windows Server 2012
if "%VERSION%" == "6.1" echo Windows Server 2008 R2
if "%VERSION%" == "6.0" echo Windows Server 2008

Now that we can determine the Windows version, we can combine it with the x64 true-or-false check and create simple patching. I won't lie to you, this will still be a big batch file, but you can make it easy to read by filling the empty space with comments.

Remember that for every OS you will have two versions, x86 and x64, so the more versions of Windows the bigger the batch file will be.

@echo off
setlocal
net use X: \\server\share\
set PATHTOFIXES=x:\update

REM Work out the Windows version, then jump to that OS section
for /f "tokens=4-5 delims=. " %%i in ('ver') do set VERSION=%%i.%%j
if "%VERSION%" == "10.0" GOTO W2K16
if "%VERSION%" == "6.3" GOTO W2K12R2
if "%VERSION%" == "6.2" GOTO W2K12
if "%VERSION%" == "6.1" GOTO W2K8R2
if "%VERSION%" == "6.0" GOTO W2K8
echo Unknown Windows version %VERSION%, no patches applied
GOTO END

REM WINDOWS 2008 PATCHING GOES HERE
:W2K8
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO W2K8X64) else (GOTO W2K8X86)

REM Patches for Windows 2008 x64
:W2K8X64
%PATHTOFIXES%\Windows2008-KB######-x64-LLL.exe /quiet /norestart
GOTO END

REM Patches for Windows 2008 x86
:W2K8X86
%PATHTOFIXES%\Windows2008-KB######-x86-LLL.exe /quiet /norestart
GOTO END


REM WINDOWS 2008R2 PATCHING GOES HERE
:W2K8R2
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO W2K8R2X64) else (GOTO W2K8R2X86)

REM Patches for Windows 2008R2 x64
:W2K8R2X64
%PATHTOFIXES%\Windows2008R2-KB######-x64-LLL.exe /quiet /norestart
GOTO END

REM Patches for Windows 2008R2 x86
:W2K8R2X86
%PATHTOFIXES%\Windows2008R2-KB######-x86-LLL.exe /quiet /norestart
GOTO END


REM WINDOWS 2012 PATCHING GOES HERE
:W2K12
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO W2K12X64) else (GOTO W2K12X86)

REM Patches for Windows 2012 x64
:W2K12X64
%PATHTOFIXES%\Windows2012-KB######-x64-LLL.exe /quiet /norestart
GOTO END

REM Patches for Windows 2012 x86
:W2K12X86
%PATHTOFIXES%\Windows2012-KB######-x86-LLL.exe /quiet /norestart
GOTO END


REM WINDOWS 2012R2 PATCHING GOES HERE
:W2K12R2
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO W2K12R2X64) else (GOTO W2K12R2X86)

REM Patches for Windows 2012R2 x64
:W2K12R2X64
%PATHTOFIXES%\Windows2012R2-KB######-x64-LLL.exe /quiet /norestart
GOTO END

REM Patches for Windows 2012R2 x86
:W2K12R2X86
%PATHTOFIXES%\Windows2012R2-KB######-x86-LLL.exe /quiet /norestart
GOTO END


REM WINDOWS 2016 PATCHING GOES HERE
:W2K16
echo OS = Windows 2016 I don't have patches for that
if "%PROCESSOR_ARCHITECTURE%"=="AMD64" (GOTO W2K16X64) else (GOTO W2K16X86)

:W2K16X64
echo I wish I had patches for that :)
GOTO END

:W2K16X86
echo still don't have patches for that
GOTO END

:END
net use x: /d

As you can see that can be quite large, and that's without adding each and every patch you'd need. However, if you are doing this once a month, adding the patch names to this batch file is going to be a lot easier than creating lists by OS and then lists by processor architecture.

So how could we improve on this? Well, how about having a dynamic list of patches that gets created every time the batch file runs? This works as long as you maintain a folder structure for the patches, for example \\server\share\windows2012\x64 with all the x64 patches under that folder.

We could use a dir /b *.exe command to grab all the exe files and run them from inside the batch file like so.
chdir /d x:\windows2012\x64
dir /b *.exe >c:\install.txt
REM inside a batch file the for variable is %%i, and "delims=" keeps file names with spaces whole
for /f "delims=" %%i in (c:\install.txt) do "%%i" /quiet /norestart
del c:\install.txt

The result of this would be four lines per OS and architecture option; however, you would not need to change the batch file, only add the downloaded patches to the folders on the share.

Saturday, 3 December 2016

Joining Ubuntu Server to Active Directory

Adding an Ubuntu server to your Active Directory is perhaps one of the most interesting things these days, as the partnership with Microsoft grows.

So I'm going to walk you through the steps needed to get you connected.

Step One Basic Connectivity

First off, we need to make sure you can resolve the domain.

sudo nano /etc/network/interfaces

In my lab domain the DNS server addresses are 172.16.1.6 and 172.16.1.16, so I changed the config to read as below (the ifupdown option is dns-nameservers, under the interface's iface stanza).

dns-nameservers 172.16.1.6 172.16.1.16

After saving the file I pinged the FQDN of a server in the domain to see if the name was resolved.
ping dom.lab.local

Since the name was resolved I moved onto the next step.

Step Two Installing Packages

Next we are going to need four packages:

  • NTP - Network Time Protocol
  • SSSD - System Security Services Daemon
  • Samba - Open Source/Free Software suite that provides seamless file and print services to SMB/CIFS clients
  • krb5 - Kerberos is a network authentication protocol. It is designed to provide strong authentication for client/server applications
If you find this too much reading you can always follow along with the YouTube videos.



From the terminal window run the following command to install all four packages.
sudo apt install krb5-user samba sssd ntp

Step Three Configuring Kerberos

Now we are going to need to configure them. First up is Kerberos; you have most likely been asked for the name of the domain during the package install, however you will need to add a few more lines.

sudo nano /etc/krb5.conf

Below is an example of what is in my configuration.
[libdefaults]
    default_realm = LAB.LOCAL
    ticket_lifetime = 24h
    renew_lifetime = 7d

[realms]
    LAB.LOCAL = {
        kdc = DOM.LAB.LOCAL
        kdc = DOM2.LAB.LOCAL
        admin_server = DOM.LAB.LOCAL
    }

Step Four Configuring NTP

Configure time so that computer accounts and the packets sent in Kerberos are not timed out due to a time mismatch between servers.
sudo nano /etc/ntp.conf

Simply add one new line with your time server.
server dom.lab.local

Step Five Configuring Samba

Next up, we are going to edit Samba.
sudo nano /etc/samba/smb.conf

Nothing too hard here; however, you will need to add a few more lines to the global config.

[global]

workgroup = LAB
client signing = yes
client use spnego = yes
kerberos method = secrets and keytab
realm = LAB.LOCAL
security = ads

Step Six Configuring SSSD

Configuring SSSD is both the hardest and the easiest step at the same time: as there is no template file provided by the package, you'll have to create a new one.

sudo nano /etc/sssd/sssd.conf

You'll need at least the config below; please note I use the simple access provider because of nested groups.

[sssd]
services = nss, pam
config_file_version = 2
domains = LAB.LOCAL

[domain/LAB.LOCAL]
id_provider = ad
access_provider = simple

# Uncomment these to restrict logins to the listed users and groups.
# With both left commented out, the simple provider admits every AD account.
# simple_allow_users = joker@lab.local,chrissy@lab.local
# simple_allow_groups = linux-admin,linux-users

# Use this if users are being logged in at /.
# This example specifies /home/DOMAIN-FQDN/user as $HOME.  Use with pam_mkhomedir.so
override_homedir = /home/%d/%u


After closing and saving the file do not forget to set the permissions.
sudo chown root:root /etc/sssd/sssd.conf
sudo chmod 600 /etc/sssd/sssd.conf

Step Seven Updating Localhost File

Last but not least, don't forget to update the local hosts file with the IP and FQDN the server is about to have.

sudo nano /etc/hosts

127.0.0.1 myserver.lab.local myserver
172.16.1.8 myserver.lab.local myserver


Step Eight Restarting Services and Joining Domain.

Finally, you'll need to restart the services for the changes to take effect and also tell Linux what account to use for joining the domain.


sudo systemctl restart ntp.service
sudo systemctl restart smbd.service nmbd.service

Select the user to join the domain with:
sudo kinit Administrator

Join the domain:
sudo net ads join -k
sudo systemctl start sssd.service

If you get errors during the join, check your config and rerun the net ads join command.
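Before running the join it is worth checking the files from steps three to six for the mistakes that produce a working but over-permissive or broken setup: sssd.conf left readable by other users (sssd will not start), an access_provider that admits every AD account (simple with both allow lists commented out, or the default permit), and a realm that differs between krb5.conf and smb.conf or is not uppercase. The script below is an added example, not part of the post: the file paths are the ones the post edits, while the choice of checks and the helper names are my own.

```shell
#!/bin/sh
# Added example, not part of the original post: sanity checks to run before
# "net ads join" over /etc/sssd/sssd.conf, /etc/krb5.conf and /etc/samba/smb.conf.

# Value of "key = value" in an ini-style file; commented-out lines are ignored.
conf_value() {
    sed -n "s/^[[:space:]]*$2[[:space:]]*=[[:space:]]*//p" "$1" | head -n 1 | sed 's/[[:space:]]*$//'
}

# sssd refuses to start unless sssd.conf is owned by root and mode 600.
check_sssd_perms() {
    [ "$(stat -c '%U:%a' "$1")" = "root:600" ]
}

# access_provider = simple with no allow list, and the default "permit", let every
# AD account log in, so require an allow list whenever simple is used.
check_sssd_access() {
    provider=$(conf_value "$1" access_provider)
    case $provider in
        simple)
            users=$(conf_value "$1" simple_allow_users)
            groups=$(conf_value "$1" simple_allow_groups)
            [ -n "$users$groups" ] ;;
        ""|permit) return 1 ;;
        *) return 0 ;;   # ad, ldap, krb5: access decided by that provider's own rules
    esac
}

# The Kerberos realm must be uppercase and identical in krb5.conf and smb.conf.
check_realm() {
    r1=$(conf_value "$1" default_realm)
    r2=$(conf_value "$2" realm)
    [ -n "$r1" ] && [ "$r1" = "$r2" ] && [ "$r1" = "$(printf '%s' "$r1" | tr 'a-z' 'A-Z')" ]
}

# Live check (needs the network): the domain must publish Kerberos SRV records,
# otherwise kinit and "net ads join" cannot locate a KDC.
check_kerberos_srv() {
    dig +short SRV "_kerberos._tcp.$(printf '%s' "$1" | tr 'A-Z' 'a-z')" | grep -q .
}

run_checks() {
    rc=0
    check_sssd_perms /etc/sssd/sssd.conf || { echo "sssd.conf must be root:root, mode 600"; rc=1; }
    check_sssd_access /etc/sssd/sssd.conf || { echo "access_provider admits every AD account; set simple_allow_users or simple_allow_groups"; rc=1; }
    check_realm /etc/krb5.conf /etc/samba/smb.conf || { echo "default_realm and realm differ or are not uppercase"; rc=1; }
    check_kerberos_srv "$(conf_value /etc/krb5.conf default_realm)" || { echo "no Kerberos SRV records found for the realm"; rc=1; }
    return $rc
}

# "sudo sh adjoin-check.sh check" runs the checks; with no argument only the
# functions are defined, so the file can also be sourced.
case ${1:-} in
    check) run_checks ;;
esac
```

Run it as root after step seven and before the kinit in step eight; a non-zero exit means one of the four messages above was printed and that file needs another look before joining.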