Monday, June 29, 2015

How to Sysprep Windows Server 2012R2


1. Open CMD Prompt as an administrator (Run As Administrator)



2.  Open SysPrep and run it. Change into the directory and run the sysprep.exe file and reboot.


3. When you are done, make sure you "Quit" so that it doesn't keep popping up after reboots.


Thursday, March 5, 2015

Trendmicro Deep Security 9.5. Failed to download VIB. ESXi can't connect to DSM Port 4119

Ok. This error is experienced when using Trendmicro Deep Security 9.5 (seems to be other versions also). The problem is that the Trendmicro Deep Security Manager isn't resolving DNS queries to the ESXi host. Don't get crazy with it...it really is that simple.

"Failed to download VIB. ESXi can't connect to DSM Port 4119." This error happens when you're trying to upgrade ESX Filter Drivers from one version to a later and more current version. (This is when you see the error window pop up.)

1. Don't try to manually install the VIB file in ESXi through vCLI or any other direct means.

2. Just check the DNS settings on each VMware ESXi host and confirm that your DNS settings are correct. If you're getting this error, it's because something is not resolving DNS or (worst case scenario) you have some networking issues.

3. Check your vCenter settings for each ESXi host first before getting hardcore into troubleshooting. (NOTE: Yes. This is the Windows vCenter client screenshot. I will only use the horrible new web client when I am absolutely forced to use that junk.)


4. Now that you have re-verified and "fixed" your DNS IP addresses and FQDNs for the domain suffix, right-click on the "Upgrade Recommended" and run "Upgrade Filter Driver" again.


5. Now the host will enter maintenance mode, reboot and then come up as "Prepared". Be patient. Sometimes it takes a few minutes for the ESXi hosts to boot.

Thursday, August 14, 2014

How to Configure HP ILO 4 for Active Directory Login

1. Make sure that your Windows Active Directory Domain Controller has an SSL Certificate to support port 636 (HP's authentication doesn't like 389)

2. Use Softerra LDAP Administrator (or whatever is your preferred tool to get the OU path) if you don't know how to do it by heart (which...um...sometimes it's better to verify).

3. Make sure that you have a way to authenticate users by adding in the OU where your restricted accounts are located. You don't want anyone in the domain to be able to log in to the server.

ILO Login > Administration > User Administration - Click New and Add the Group DN Only:



Click Add Group and then you will see your group added. (*Make sure it's a security group)


4. Add in your Windows Active Directory DC to authenticate against (Verified against 2008R2):

ILO Login > Administration > Security - Directory (*Make sure it's the OU where the security group is)


5. Sign Out (Log off) and then Log Back in (If you don't see Directory or..., something is wrong):



Tuesday, August 12, 2014

How to Create a Red Hat Enterprise Linux 7.0 VMware Template

If you are using Chef, Puppet, Active System Manager or OpenStack, there are more automations you can script and include.

References:
Red Hat (VMware Cloning Precautions) - https://access.redhat.com/site/solutions/271643
Red Hat (Register VMware for unlimited RHEL VM's) - https://access.redhat.com/site/solutions/659563
Red Hat (Register VMware for Virtual Subscriptions) - https://access.redhat.com/site/solutions/543333
The Lone SysAdmin - http://lonesysadmin.net/2013/03/26/preparing-linux-template-vms/
Mfariso1 - https://www.suse.com/communities/conversations/creating-standard-server-template-sles-11-sp1-vmware/
NSA (RHEL hardening guide) - http://www.nsa.gov/ia/_files/factsheets/rhel5-pamphlet-i731.pdf
CIS Benchmark Guide for RHEL 7.0 - CIS Benchmark Red Hat Enterprise Linux 7.0
CIS Benchmark Guides (Other OS/Cisco/etc) https://benchmarks.cisecurity.org/downloads/latest/

1. Upload the ISO to your datastore. Create a Linux virtual machine (Remove the floppy disk and boot into the BIOS and Disable anything you don't need or won't need) with only the packages you actually need and will use.

2. vi /etc/motd (This is the security banner message for your company).

2a. VMware Specific configurations: VMware Tools & Other
http://partnerweb.vmware.com/GOSIG/RHEL_7.html

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1014294

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2075048



3. Antivirus/Malware Software: (Trendmicro, Sophos, Symantec, SELinux...freaking something) - Do not believe that just because the server is Linux based it doesn't need malware software; that being said, depending on your environment, don't enable what you won't use and don't install what you're never going to use...EVER. It's a fool's gamble in 2014. Security should be in layers; nothing is 100% foolproof unless you disconnect the LAN cable, lock the server in a closet, and remove the hard drives/SD cards from the server and crush them. If you're not going to do that...harden and secure your server and remove any services or .rpm packages/applications you do not specifically need.

3a. Don't forget visudo if you're using Active Directory. This way you don't have to add it later manually.
%DOMAIN\\SECURITYGROUP
Note: If you're using spaces in your AD security groups, just change them to a "-" or "_". Make life easier with a dash or an underscore.
http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1027766

4. Clean out your temporary files and log files
/usr/bin/yum clean all
/usr/sbin/logrotate -f /etc/logrotate.conf
/etc/ssh/sshd_config (configure to your heart's content)
/tmp/ (be careful completely blowing away /tmp on VMware for VMware Tools, etc)

5. Blow away the current NIC configurations:
/bin/sed -i '/^\(HWADDR\|UUID\)=/d' /etc/sysconfig/network-scripts/ifcfg-ens19 (*whatever ens is)
(ens32 is new and different from eth0. Go Here if you want to know what changed)

6. Remove SSH Keys
/bin/rm -f /etc/ssh/*key*

7. Remove Root's History
/bin/rm -f ~root/.bash_history
unset HISTFILE

8. Shutdown and convert to template
init 0 
(*VMware/RHEV/OpenStack Convert it to a template)
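
Steps 5 to 7 as one repeatable script with a verification pass, so the VM is not converted while it still carries SSH host keys or NIC identifiers that every clone would share. This is an added example, not the author's own script; the `ROOT` argument, the function names and the `seal.sh` file name are assumptions.

```shell
#!/bin/sh
# Added example (not the post's own script). ROOT is a hypothetical path prefix:
# "/" on the template VM itself, or a scratch directory for a rehearsal.
# Assumes root's home directory is ROOT/root.

# seal_template ROOT: steps 5-7 for every ifcfg-* file except loopback.
seal_template() {
    root=${1%/}
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        case "$f" in */ifcfg-lo) continue ;; esac
        sed -i -e '/^HWADDR=/d' -e '/^UUID=/d' "$f"
    done
    rm -f "$root"/etc/ssh/*key*          # host key pairs; sshd_config is kept
    rm -f "$root/root/.bash_history"
}

# check_template ROOT: list anything that would be cloned into every VM.
# Returns 0 when the image is clean, 1 otherwise.
check_template() {
    root=${1%/}
    bad=0
    for f in "$root"/etc/sysconfig/network-scripts/ifcfg-*; do
        [ -f "$f" ] || continue
        if grep -Eq '^(HWADDR|UUID)=' "$f"; then
            echo "NIC identity still in $f"; bad=1
        fi
    done
    for k in "$root"/etc/ssh/*key*; do
        if [ -e "$k" ]; then echo "SSH host key still present: $k"; bad=1; fi
    done
    if [ -s "$root/root/.bash_history" ]; then
        echo "root shell history is not empty"; bad=1
    fi
    return "$bad"
}

# Runs only when called as: sh seal.sh --seal ROOT
# `unset HISTFILE` must still be typed in the interactive root shell before
# `init 0`; a script cannot change its parent shell, which would otherwise
# write .bash_history again on exit.
if [ "$#" -eq 2 ] && [ "$1" = "--seal" ]; then
    seal_template "$2" && check_template "$2"
fi
```

Running `check_template /` on its own just before step 8 is a read-only way to confirm nothing was regenerated between cleanup and shutdown.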

Monday, August 11, 2014

How to Configure BGInfo for Windows Server 2012 R2

FYI: It's not hypervisor specific and works fine for physical servers also.

Download BGINFO from Microsoft Downloads Only
http://technet.microsoft.com/en-us/sysinternals/bb897557

1. Create a folder named bginfo under C:\bginfo
2. Extract all of the contents of bginfo to that folder.
3. Open Bginfo and setup your configurations.


*Custom configurations can be found here thanks to Shay Levy: http://blogs.microsoft.co.il/scriptfanatic/2008/07/22/bginfo-custom-information/

4. Once you have completed your custom configurations, click on File > Save As and save your .bgi configuration to C:\bginfo (Don't bother saving to C:\Windows\System32\*; SysPrep and imaging will strip and mess up any settings) *Do NOT just clone your VMs!!


5. After you have saved your configuration, create a batch file named whatever and add the following to the first line (*whatever you named the .bgi file is what you put second after the bginfo.exe path):



6. In case you forgot how: enable the ability to see file extensions in folders so you can check the file you created in Notepad (NOTE: Make sure you disable it after you're done!)


7. Go to Regedit (Type regedit in PowerShell) and configure the string for Run (HKLM\Software\Microsoft\Windows\CurrentVersion\Run):


8. Finish configuring your template for your physical server or your virtual image (VMware/OpenStack/RHEV/Hyper-V/OracleVM).