NVIDIA GTX 1080 Ti – Turned Up To 11

 

NVIDIA has announced their new top of the line $700 flagship card, the GTX 1080 Ti. It looks like a beast and I hope to capture and let it loose inside my computer soon. NVIDIA has turned things up to 11; 11GB of vRAM running at 11Gbps and pushing 11.3 TFLOPs. That’s almost double the vRAM of the 980 Ti and double the flops, baby!

11GB sounds like a lot and there are those who will ask what you need that much GPU memory for – the same type of person who, back in the day, was quoted as saying, “There is no reason anyone would want a computer in their home.” Now, 40 years later, we know who wanted computers in their homes and we know why a video card needs 11GB of vRAM: to push VR and more realistic gaming, of course.

There are a few discrepancies, though, like the memory bus running at 352-bit vs 384-bit on the Titan X and 980 Ti respectively. The 1080 Ti also gets only 88 ROPs vs the 96 available on the Titan X. I assume the ridiculously high clock speeds make up for these design decisions, specifically 1480MHz base and 1582 boost clocks! That beats the pants off my 980 Ti with its 1000MHz base and 1075MHz boost clocks.


Hack The T-Mobile TM-AC1900 Router Into An Asus RT-AC68U

WARNING: YOU COULD BRICK YOUR ROUTER BY INCORRECTLY FLASHING. THIS SHOULD ONLY BE PERFORMED ON A SPARE ROUTER, NOT YOUR EXPENSIVE MAIN ACCESS POINT. I AM NOT RESPONSIBLE FOR ANY DAMAGES.

My experience comes from the original Slickdeals forums on this subject. My guide is a simplified, modified version of the various guides found there. I’ve done a few routers, so have simplified the process to what you see below.

  • The older firmware versions and mtd_write can be found here
  • The default router IP out of the box is 192.168.29.1
  • I wound up using IE and clearing its cache every reboot. Clearing the browser cache is optional, but it might save you some time with cached error pages making it seem as though the router is unresponsive.

Download these files first:

  1. Boot the router into restore mode by holding the reset button and then powering on the router.
    1. The router is in restore mode when the front power indicator light is slowly blinking. The rear ASUS logo will blink as well.
  2. In a CMD window, TFTP the older T-Mobile firmware, version 1703, to the router (install the TFTP client via Windows Add/Remove Programs if it is not already installed):
    tftp -i 192.168.29.1 put TM-AC1900_3.0.0.4_376_1703-g0ffdbba.trx
  3. Reboot the router, log into the browser GUI and verify the firmware is now at 376_1703.
  4. Enable SSH under Administration/System.
  5. Putty to router and make a copy of the current CFE:
    cat /dev/mtd0 > original_cfe.bin

    1. By default, you will land in /tmp/home/root in both Putty and WinSCP
  6. Winscp to the router and copy original_cfe.bin to your desktop.
  7. Use a hex edit app to open original_cfe.bin from your desktop and find the 3 MAC addresses and secret_code number and copy to a file for the next step.
    1. The first 2 MACs should be the same. The third is different.
    2. The secret_code is an 8 digit code which is also on the back of the router listed as the WPS Pin Code.
  8. Hex edit the rt-ac68u_1.0.2.0_us.bin file and replace the 3 MAC addresses and secret_code with the ones copied above from your original_cfe.bin.
  9. Save as new_cfe.bin and copy it and mtd_write to the router via Winscp.
  10. Putty to the router and run the command:
    mtd-write -i new_cfe.bin -d boot
  11. Type exit to close the Putty session.
  12. Hold down the WPS button on the side of the router, unplug the power for 5 seconds, then plug it back in while continuing to hold the WPS button for 20 seconds.
  13. Release the WPS button. This clears your nvram, effectively a factory reset.
  14. Optional: Clear your browser cache.
  15. Once the router is back up, log into the browser GUI and verify that the title of the router is now ASUS RT-AC68U and not TM-AC1900.
  16. IMPORTANT: Install the ASUS firmware version 376.3626.
    1. The file is FW_RT_AC68U_30043763626.trx
    2. You can download it from Asus’ support site at:
      https://www.asus.com/us/Networking/RTAC68U/HelpDesk_Download/
    3. You must install this exact version in order to expand the bootfs partition from ~30M to ~60M
      1. Boot into restore mode – see step 1.
      2. Optional: Clear your browser cache.
      3. Navigate to the router GUI.
      4. You should see a ‘CFE MiniWeb Server’ page.
      5. Browse to the 376.3626 firmware and upload it.
      6. The router should upload and install the firmware, then reboot itself.
  17. Putty into the router when it comes up and run two commands:
    mtd-erase2 nvram
    reboot
  18. Optional: Clear your browser cache.
  19. Once the router reboots, log into the browser GUI and re-enable SSH in the Administration/System section.
  20. Putty into the router once more and run the command:
    df -h
  21. Verify that /dev/mtdblock is ~63M
  22. If so, you are done. Download and install the latest firmware from Asus via the GUI or pick another firmware distribution.
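
Steps 7 and 8 above move the three MAC addresses and the secret_code from original_cfe.bin into the RT-AC68U CFE by hand. The script below is an added example (not from this guide or the Slickdeals thread) that does the same transplant programmatically with the checks a hex editor cannot give you: every value is located by its nvram key, each replacement must be the same length so no later offset shifts, and the patched image is re-parsed to confirm the copy. The nvram key names (et0macaddr, 0:macaddr, 1:macaddr) are assumed from Asuswrt conventions, and both byte strings are constructed samples, not real dumps.

```python
import re
from typing import Dict

# A CFE stores its nvram defaults as NUL-terminated "key=value" strings. The
# key names below (et0macaddr, 0:macaddr, 1:macaddr) are assumed from Asuswrt
# nvram conventions; MAC_RE only requires that a key end in "macaddr".
MAC_RE = re.compile(rb"([0-9A-Za-z_:.]*macaddr)=([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})\x00")
CODE_RE = re.compile(rb"(secret_code)=([0-9]{8})\x00")

# Constructed sample nvram regions standing in for original_cfe.bin (donor)
# and rt-ac68u_1.0.2.0_us.bin (target). Not real router dumps.
DONOR_CFE = (
    b"boardtype=0x0646\x00et0macaddr=00:11:22:33:44:55\x00"
    b"0:macaddr=00:11:22:33:44:55\x001:macaddr=00:11:22:33:44:59\x00"
    b"secret_code=12345678\x00model=TM-AC1900\x00"
)
TARGET_CFE = (
    b"boardtype=0x0646\x00et0macaddr=AA:BB:CC:DD:EE:01\x00"
    b"0:macaddr=AA:BB:CC:DD:EE:01\x001:macaddr=AA:BB:CC:DD:EE:05\x00"
    b"secret_code=00000000\x00model=RT-AC68U\x00"
)


def extract_identity(cfe: bytes) -> Dict[bytes, bytes]:
    """Return {key: value} for every MAC address and the secret_code in a CFE image."""
    identity: Dict[bytes, bytes] = {}
    for pattern in (MAC_RE, CODE_RE):
        for match in pattern.finditer(cfe):
            identity[match.group(1)] = match.group(2)
    return identity


def sanity_check(identity: Dict[bytes, bytes]) -> bool:
    """Apply the guide's expectations: three MACs, the first two equal and the
    third different, plus an 8-digit secret_code (the WPS PIN on the label)."""
    macs = [v for k, v in identity.items() if k.endswith(b"macaddr")]
    if len(macs) != 3:
        raise ValueError(f"expected 3 MAC addresses, found {len(macs)}")
    if macs[0] != macs[1]:
        raise ValueError("first two MAC addresses should match")
    if macs[2] == macs[0]:
        raise ValueError("third MAC address should differ from the first two")
    if b"secret_code" not in identity:
        raise ValueError("secret_code not found")
    return True


def transplant(donor: bytes, target: bytes) -> bytes:
    """Copy the donor's identity values into the target image, in place."""
    donor_id = extract_identity(donor)
    sanity_check(donor_id)
    target_id = extract_identity(target)
    missing = set(donor_id) - set(target_id)
    if missing:
        raise ValueError(f"target image lacks keys: {sorted(missing)}")

    patched = bytearray(target)
    for pattern in (MAC_RE, CODE_RE):
        for match in pattern.finditer(target):
            key, old = match.group(1), match.group(2)
            new = donor_id.get(key)
            if new is None:            # key exists only in the target: leave it alone
                continue
            if len(new) != len(old):   # equal length keeps every later offset intact
                raise ValueError(f"length mismatch for {key!r}")
            patched[match.start(2):match.end(2)] = new

    result = bytes(patched)
    if len(result) != len(target):
        raise ValueError("image size changed")
    # Re-parse the result and confirm the donor identity is now in place.
    copied = {k: v for k, v in extract_identity(result).items() if k in donor_id}
    if copied != donor_id:
        raise ValueError("verification failed after patching")
    return result
```

For real files, read both images with open(path, "rb"), write the returned bytes out as new_cfe.bin, and do not flash if any check raises.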

Extend CentOS 7 VirtualBox Disk Partition

I recently had need to extend my CentOS 7 volume from 8GB to 16GB. I used the GParted live CD for this project, which made it a little easier.

Use the command df -h to view your current partition. My original 8GB partition showed roughly 6.7GB for the root filesystem after the swap space and Linux itself.

  1. The first step is to increase the size of the VirtualBox VDI file. Shut down the VM if it’s running and resize the disk. In the below example I increased an 8192MB volume to 16384MB via the Windows CMD.
    • vboxmanage modifyhd "D:\VM\CentOS7\CentOS7.vdi" --resize 16384
  2. Next, attach the GParted live CD to the VM from within the VirtualBox Settings of the VM. Leave the primary VDI attached as SATA. Boot the VM into GParted and hit Enter to select the default whenever a boot option prompt appears.
  3. Resize the partition by highlighting the /dev/sda2 lvm2 partition and clicking Resize/Move. Click and drag the black triangle to the max size and click Resize. Click Apply to save the new partition and exit out of GParted.
  4. Shut down the VM and remove the GParted live CD from your VM configuration from within Settings.
  5. Next, extend the volume from within CentOS. Boot the VM and extend the partition by the difference in the space added, in this case, around 8GB.
    • [root@localhost ~]# lvextend -L+8G /dev/centos/root
  6. Finally, extend the Linux filesystem. In order for the OS to utilize the new space, the filesystem must be extended onto it.
    • [root@localhost ~]# xfs_growfs /dev/mapper/centos-root

Now you should see the new, larger volume from within Linux.



Hyper-V Backup Script In Powershell

This script sets a path variable to your backups folder, recursively deletes any backups older than 1 day, creates a new dated directory and backs up running VMs to it. Written for Hyper-V 5.0 on Windows Server 2012 R2 to back up running VMs.

Set backup path variable:

$backups = "C:\HyperVBAK\DAILYBU"

Recursively search the backup path for existing backups more than a day old and delete:

Get-ChildItem $backups -Recurse | Where {$_.creationtime -lt (Get-Date).adddays(-1)} | Remove-Item -Recurse -Force

Create a dated directory for the new backup:

$datepath = new-item -itemtype directory -path $backups\".\$((get-date).tostring('MMddyyyy'))" -Force

Run a backup on running VMs:

get-vm | where {$_.state -eq 'running'} | export-vm -path $datepath\

Full script:

# Backup root; every dated backup lives under here
$backups = "C:\HyperVBAK\DAILYBU"
# Delete anything under the backup root created more than a day ago
Get-ChildItem $backups -Recurse | Where {$_.creationtime -lt (Get-Date).adddays(-1)} | Remove-Item -Recurse -Force
# Create today's folder, named MMddyyyy, under the backup root
$datepath = new-item -itemtype directory -path $backups\".\$((get-date).tostring('MMddyyyy'))" -Force
# Export every running VM (configuration, disks and saved state) into today's folder
get-vm | where {$_.state -eq 'running'} | export-vm -path $datepath\

8Bitdo SNES30 Bluetooth Controller

I ordered the 8Bitdo SNES30 controller with slight trepidation. When it arrived I was blown away with its presentation. The quality of the container is maybe half its cost. The printing on the box is excellent. The box itself is sturdy and lined with very protective padding. All in all it is a very professional package with solid construction.

Opening the box and grabbing the controller, I was brought back to my SNES days. The build quality of this thing is excellent. Holding it and pressing its buttons communicated to me that my purchase was not wasted. It is light, yet very sturdy. The buttons deliver very positive and solid feedback. The D-pad is tactile and mashable. The R and L buttons connect with your index fingers. Start and Select are right where they should be – duh.

I’ve traveled with my SNES30 a few times now. I charge it prior to travel and have not yet needed to recharge it. Total play time on my trips has been maybe 6 to 10 hours. Given the advertised play time of 20 hours, I have maybe hit its half-life.

Compatibility with devices has been excellent. It pairs well with a Raspberry Pi 3 on RetroPie, Lakka and RecalBox. Windows 10 pairing is flawless. My Nexus 6P accepts it like a sibling. So far, I’ve yet to be disappointed with this controller.

Charging is easy – use the supplied USB to MicroUSB cable in a PC or wall adapter. Updating its firmware is just as easy – download the latest firmware, unzip it, boot up the controller by holding START+L+R, plug in the controller to the PC and run the EXE firmware updater.

Included in the package:

  • 8Bitdo SNES controller
  • 3ft USB Type-A to MicroUSB cable
  • SNES30 metal keychain
  • Mobile device adhesive stand
  • Instruction booklet

Free SSL Certificates

If you need an SSL certificate and don’t have the cash, check out startssl.com. They provide SSL certs for up to 5 domains – for free!

  1. https://startssl.com
  2. Sign up for a free SSL cert
  3. Provide your email address
  4. You’ll receive a code in an email
  5. Copy this code and paste it into the verification field
  6. Now follow the instructions to install a client cert into your browser
  7. You can now take the StartAPI link to begin your domain verification
  8. Once verified, you can issue certs for the domain(s)


Dedicated NIC on Windows 10 for VirtualBox

After some headaches and trial and error I finally figured out how to provide VirtualBox its own dedicated NIC in Windows 10 without it causing network anomalies with the system.

  • Properties of the dedicated NIC:
    • Uncheck all items except the ‘VirtualBox Bridged Networking Driver’ and IPv4
  • IPv4 properties:
    • Set the IP of the NIC to a different subnet than the host PC
    • Do not set a gateway
    • Do not set DNS servers
  • IPv4 Advanced properties:
    • Uncheck the ‘Register this connection’s addresses in DNS’ option

Additionally, if you want to disallow VirtualBox using your default host NIC, uncheck the ‘VirtualBox Bridged Networking Driver’ in the host NIC properties.

Uncheck all but the VirtualBox Bridged Networking Driver & Internet Protocol Version 4

Set IP Address to a different subnet, leave Default Gateway blank, leave DNS blank


Samsung 950 Pro 512GB Benchmarks

 

I’ve done some benchmark comparisons between my Samsung 840 Pro 256GB (AHCI), Samsung 950 Pro 512GB (NVMe) and 1TB Seagate (HDD). All benchmarks were performed using AS SSD Benchmark, CrystalDiskMark and Samsung’s Magician. Real world experience is pretty amazing. Copying a 4GB file from the 840 Pro to the 950 Pro topped out at 2GBps… yup! That’s 2 GIGABYTES per second! Those kinds of numbers ain’t nothin’ to scoff at. So far I am impressed. Games load significantly faster, although I’ve only tested playing Wolfenstein: The New Order and really don’t have any concrete numbers. I would say it takes slightly more than half the time to load levels. Again, nothin’ to scoff at.

Samsung 950 Pro 512GB

Samsung 840 Pro 256GB

Seagate 1TB HDD

I’m including the ancient HDD technology here for the sake of comparison. The highest end HDD cannot dream of even approaching the performance of the lowest end SSD.

Box pics and installed image


Upgrade for Fallout 4

In celebration of Fallout 4 I’ve upgraded my PC. Aside from a slight performance upgrade, this build is a significant feature upgrade, mainly in the realm of PCIe lanes and M.2 SSD support. Once Samsung’s 950 Pro is released, this new build will be complete. Mainly I went with Haswell-E for the extra 2 cores over the 6700K. The performance gain over the 6700K is very minor, but the extra cores in the 5820K are overall more significant to me, particularly with multi-threaded apps, which should only become more ubiquitous in the next year.

This upgrade includes:

  • ASRock X99 Extreme4 motherboard
  • Intel i7 5820K
  • Crucial 32GB Kit (8GBx4) DDR4-2133 RDIMM (CT4K8G4RFS4213) overclocked to DDR4-2400 @ stock timings

Idle temps are around 34°C. Prime95 full load FFT temps are around 67°C. Cooling is thanks to the CoolerMaster Hyper 212 Evo and Arctic Silver.

5820K benchmark comparison

Intel 5820K @ 3.3GHz

Corsair 32GB DDR4 2133 CT4K8G4RFS4213


Time To Upgrade To M.2 SSD NVMe

We all should know by now that a 6G SSD drive is fast, right? My gaming desktop cold boots to Windows 8.1 in 7 seconds. Well, M.2 will hopefully cut that back even further with Samsung’s upcoming 950 Pro 512GB SSD drive. The specs on this beast will blow you away. With up to 1500 MBps sequential reads and 300,000 IOPS random reads, this thing will slap yo mama. Compare that to the 850 Pro 512GB which hits 550MBps sequential reads and 100,000 IOPS random reads and you can see the significance.

The 950 Pro is built on Samsung’s V-NAND architecture and utilizes the PCIe 3.0 x4 NVMe (non-volatile memory express) bus on M.2 motherboards which support it. The combination of specs and the benchmarks I’ve seen of its predecessor, the 951-nvme, seem to point to a level of performance that is almost as significant as going from spinning HDDs to SSD 6G. Specs and benchmarks are one thing, but if Samsung’s track record holds true, this might be a game changer or at least a game energizer.

I’m going with the established Intel i7 5820K (28 PCIe lanes vs 16 with the 4790K and 20 on the 6700K) and 32GB DDR4 RAM for my new build. I like the higher clocks of the Skylake 6700K, but prefer to have the 2 extra cores with the Haswell-E 5820K. Crucial has a 32GB kit of DDR4 2133 for $170, which is outstanding considering you can easily overclock it to 2400 MHz running at stock timings and voltage. The ASRock X99 Extreme4 is a great budget mobo with high-end features, too.


VirtualBox Guest VM Headless Mode

 

VirtualBox is a great free virtual server and can be even cooler when you run guests in Headless mode. Headless mode will allow a VM to run in the background on your machine without having the VirtualBox application windows open. Neither the VBox Manager nor the guest’s console window need be open. Here’s how to do it.

 

Set a system path to VirtualBox’s command line exe

  1. Find the path to your installation of VirtualBox. Mine is at C:\Program Files\Oracle\VirtualBox, so I will create a path to that directory.
  2. From Start, type in SystemPropertiesAdvanced.exe and hit enter to run the advanced system properties.
  3. Click the Environment Variables button.
  4. Under System variables, scroll down to Path and click the Edit button.
  5. Hit the End key to move to the end of the Variable value field, add a semi-colon ( ; ) and paste the path from step 1 after the semi-colon.
    1. Note that this path will open up all exe files in this directory to run from the command prompt.
  6. OK out of the advanced system properties. If you have any CMD windows open, you must first close them for the path to take effect.
  7. Open a CMD window and type vboxmanage to verify your path is set. You should see a list of commands.

 

Create a headless batch file to run your guest VM

The location for my VM guests is E:\VM, so my scripts point here. You will need to find the path(s) to your guests and substitute E:\VM with it including the correct .vbox guest name.

VBoxManage startvm "E:\VM\Windows\Windows.vbox" --type headless
VBoxManage startvm "E:\VM\Linux\Linux.vbox" --type headless

The above lines run 2 VM guests in headless mode. You can test each of these commands in a CMD or Powershell window. In order to administer these guests, you will need to either SSH in if it’s Linux or RDP if Windows. There will be no guest VM console window. To force kill one of these, you will need to run Windows Task Manager as administrator (right-click, run as administrator). Task Manager is located under your %systemroot% directory. When running TaskMan as admin, you can mouse over the VBoxSVC.exe process and see the path to the VM. If you do not run as admin and have multiple guests running, you will not see distinguished names, i.e., you will have multiple vboxsvc.exe processes, but not be able to tell which guest each is.

 

Create an optional save state shutdown batch file

If you want your guests to have a clean stop in the event of a system reboot/shutdown, create a script to save the state before Windows goes down. The below script will save the state of the 2 guests from the headless script above. Note that you need to put the name of the guest in quotes below, not the path or .vbox name as in the headless script. You can get the name of the instance of the guest by mousing over your VirtualBox.exe task in TaskMan and notating the --comment section, or via VirtualBox Manager.

vboxmanage.exe controlvm "Windows" savestate
vboxmanage.exe controlvm "Linux" savestate

 

Create a scheduled task to run the above files at startup and shutdown

To bring this all together, create a scheduled Windows task to automatically start your guests at boot and save their states on shutdown.

  1. Open Windows Task Scheduler in Windows 8 or Scheduled Tasks in 7
  2. Create a new task
  3. Set it to run when the computer starts
  4. Point to your headless batch file as the program to start/run
  5. Complete the task, then edit its properties
  6. Set it to run whether logged on or not. This will allow the system to run the tasks without you even needing to login after boot.
  7. Set the option to allow the task to be run on demand so you can run the task manually

Create another task, but set it to run when a system event is logged. This will run when the computer receives a shutdown/reboot command. Set the options for the task as below.

  • Log: System
  • Source: Kernel-Power
  • Event ID: 109

Cloned Virtualbox VM Network Issues

I spent hours trying to figure out why my cloned VM was not saving its ifconfig changes. Even though you can tell VirtualBox to regenerate the network ID when cloning, you still won’t have a working VM if you create a new one later using the cloned image. It turns out that you must delete the persistent network rule and apply a new MAC address. Thanks, Oracle, for making this completely clear (read: utterly baffling).

1. Generate a new MAC in Virtualbox and notate it.

Generate a new MAC address for the VM

2. Run the following to delete all persistent net rules:

rm -f /etc/udev/rules.d/70*net*

3. Edit the /etc/sysconfig/network-scripts/ifcfg-eth0 file and replace the MAC address with the one you generated above, then save:

vi /etc/sysconfig/network-scripts/ifcfg-eth0

Replace the MAC address in /etc/sysconfig/network-scripts/ifcfg-eth0

4. Run sys-unconfig. This command will reset system settings and force a shutdown. When you reboot you will be presented with root password reset, network configuration and services autostart setup screens.

You should now be able to configure eth0 with a new IP address which will not be overwritten and lost. It seems that iptables is unaffected, so that’s good.

 

Reset SSHD (SSH) config

In CentOS, the SSHD service will not work from a cloned VM, either. This is because the /etc/ssh/sshd_config file is still configured with the old IP address. Edit this file and save it, then restart the SSHD service (service sshd restart).

Change the ListenAddress in the /etc/ssh/sshd_config file


Secure Your WordPress Site

Logging into your WordPress site is all fun and games… until you wind up on an unprotected wireless access point which is being sniffed by nefarious noses. Then you might have a problem. You see, on your home LAN you are protected (or should be) by your router. Hopefully you have a strong passphrase protecting you from the outside world. If not, well, you should apply one soon.

Once you step outside of your network you are trusting that any wireless access points beyond your control are secure. This is where SSL comes in handy. Normally, connecting to your website on port 80 (http://) is perfectly fine. An issue arises, though, when you want to log in to your site. Once you enter your username and password all that information is transmitted in clear text to your server or web hosting company. Any malicious user sitting on the same network can sniff that traffic and acquire your URL and subsequently your IP address, your username and your password. If that account has admin permissions on your WordPress server, you can practically say goodbye to it because now the aforementioned malicious user has everything they need to log in to your account and indiscriminately destroy all your hard work.

SSL encrypts all traffic to and from a website. Applying an SSL certificate to your site and logging in via HTTPS is all you need to feel warm and fuzzy that if there is someone out there watching your traffic, they cannot see your credentials when you log in. Although normal traffic to your site may not need encryption, logging in certainly does.

 

Begin by acquiring a free SSL certificate from StartSSL.com

StartSSL has guides for requesting a cert and applying it to your server as do other sites on the interwebs. I might write a guide in the future.

 

Apply your SSL cert to your Apache/HTTPd webserver

I am on CentOS, so your directory and file locations may differ on other Linux flavors.

Copy your private key file to:

/etc/pki/tls/private

Copy your SSL certificate, the CA root and CA chain to:

/etc/pki/tls/certs

Open your /etc/httpd/conf.d/ssl.conf file and edit the following sections to enable SSL on your server.

ServerName yourdomain.com:443

 

Enforce high encryption in Apache and ace the Qualys SSL Test

Disable SSLv2 and SSLv3. These protocols are now considered weak, vulnerable, pathetic.

SSLProtocol All -SSLv2 -SSLv3

Add the ‘SSLHonorCipherOrder On’ directive:

SSLHonorCipherOrder On

Enable a strong cipher suite:

SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:!MD5:!aNULL:!EDH
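
The three directives above can be checked mechanically before you run the Qualys test. The script below is an added example, not part of this post, that parses an ssl.conf fragment, works out which protocols survive SSLProtocol's +/- arithmetic, evaluates the OpenSSL cipher-list syntax (! kills, - removes, + demotes) over literal suite names, and lists the findings a scanner would raise, including TLS 1.0/1.1, which were still acceptable when this was written. It assumes All expands to SSLv2 through TLSv1.2 as on older Apache/OpenSSL builds, does not expand aliases such as HIGH, and both config fragments are constructed (the hardened one reuses this post's exact directives).

```python
import re
from typing import Dict, List, Set, Tuple

# Assumption: "All" is modelled as every protocol an Apache 2.2/2.4 build on an
# older OpenSSL could offer (TLS 1.3 did not exist when this post was written).
ALL_PROTOCOLS = ["SSLv2", "SSLv3", "TLSv1", "TLSv1.1", "TLSv1.2"]
CANONICAL = {p.lower(): p for p in ALL_PROTOCOLS}
WEAK_PROTOCOLS = {"SSLv2", "SSLv3"}      # the post's "weak, vulnerable, pathetic"
LEGACY_PROTOCOLS = {"TLSv1", "TLSv1.1"}  # deprecated since RFC 8996
# Suite-name components marking a weak cipher: RC4, MD5, DES/3DES, NULL, export, anon DH
WEAK_MARKERS = {"RC4", "MD5", "DES", "NULL", "EXP", "ADH", "AECDH"}

# Constructed ssl.conf fragment carrying the exact directives from this post.
HARDENED_CONF = """
SSLProtocol All -SSLv2 -SSLv3
SSLHonorCipherOrder On
SSLCipherSuite ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-ECDSA-AES256-SHA384:ECDHE-RSA-AES256-SHA384:ECDHE-ECDSA-AES128-GCM-SHA256:ECDHE-RSA-AES128-GCM-SHA256:ECDHE-ECDSA-AES128-SHA256:ECDHE-RSA-AES128-SHA256:!ECDHE-ECDSA-RC4-SHA:!ECDHE-RSA-RC4-SHA:!ECDH-ECDSA-RC4-SHA:!ECDH-RSA-RC4-SHA:ECDHE-RSA-AES256-SHA:!RC4-SHA:!MD5:!aNULL:!EDH
"""
# Constructed counter-example: Apache's default protocols and a legacy cipher list.
WEAK_CONF = """
SSLProtocol all
SSLHonorCipherOrder off
SSLCipherSuite HIGH:RC4-SHA:DES-CBC3-SHA:AES128-SHA:!aNULL
"""

def parse_directives(conf: str) -> Dict[str, str]:
    """Collect directive values (last one wins); comments, blanks and <tags> are skipped."""
    directives: Dict[str, str] = {}
    for raw in conf.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":
            continue
        parts = line.split(None, 1)
        if len(parts) == 2:
            directives[parts[0].lower()] = parts[1].strip().strip('"')
    return directives

def enabled_protocols(value: str) -> List[str]:
    """Apply SSLProtocol's keyword arithmetic: bare or +name adds, -name removes."""
    enabled: List[str] = []
    for token in value.split():
        sign, name = (token[0], token[1:]) if token[0] in "+-" else ("+", token)
        names = ALL_PROTOCOLS if name.lower() == "all" else [CANONICAL.get(name.lower(), name)]
        if sign == "+":
            enabled += [n for n in names if n not in enabled]
        else:
            enabled = [p for p in enabled if p not in names]
    return enabled

def enabled_ciphers(value: str) -> Tuple[List[str], Set[str]]:
    """Evaluate an OpenSSL cipher list of literal suite names in order: '!' kills a
    name for the rest of the list, '-' removes it, '+' moves it to the end. A killed
    alias (MD5, RC4, ...) also drops suites carrying that component; HIGH-style
    aliases stay as opaque entries and are not expanded."""
    enabled: List[str] = []
    killed: Set[str] = set()
    for token in re.split(r"[:, ]+", value.strip()):
        if not token:
            continue
        prefix, name = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        if prefix in ("!", "-"):
            if prefix == "!":
                killed.add(name)
            enabled = [c for c in enabled if c != name and name not in c.split("-")]
        elif prefix == "+":
            if name in enabled:
                enabled.remove(name)
                enabled.append(name)
        elif name not in killed and not killed & set(name.split("-")) and name not in enabled:
            enabled.append(name)
    return enabled, killed

def audit_ssl_conf(conf: str) -> Dict[str, object]:
    """Return the effective settings together with the findings a TLS scan would raise."""
    directives = parse_directives(conf)
    findings: List[str] = []
    protocols = enabled_protocols(directives.get("sslprotocol", "all"))  # Apache default
    for proto in protocols:
        if proto in WEAK_PROTOCOLS:
            findings.append(f"weak protocol enabled: {proto}")
        elif proto in LEGACY_PROTOCOLS:
            findings.append(f"legacy protocol enabled: {proto}")
    honor = directives.get("sslhonorcipherorder", "off").lower() == "on"
    if not honor:
        findings.append("SSLHonorCipherOrder is off: the client chooses the cipher")
    ciphers, killed = enabled_ciphers(directives.get("sslciphersuite", "DEFAULT"))
    for suite in ciphers:
        if set(suite.upper().split("-")) & WEAK_MARKERS:
            findings.append(f"weak cipher enabled: {suite}")
        elif "-" in suite and not suite.startswith(("ECDHE-", "DHE-")):
            findings.append(f"no forward secrecy: {suite}")
    for alias in ("aNULL", "MD5"):
        if alias not in killed:
            findings.append(f"{alias} is not excluded with !{alias}")
    if ciphers and "GCM" not in ciphers[0]:
        findings.append(f"first preference is not an AEAD (GCM) suite: {ciphers[0]}")
    return {"protocols": protocols, "honor_cipher_order": honor, "ciphers": ciphers, "findings": findings}
```

Call audit_ssl_conf() on the text of your own ssl.conf; an empty findings list for the protocol and cipher checks is what you want before pointing the Qualys test at the server.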

Set the path to your SSL certificate:

SSLCertificateFile /etc/pki/tls/certs/yourdomain.com-cert.txt

Set the path to your SSL private key file:

SSLCertificateKeyFile /etc/pki/tls/private/yourdomain.com-prikey.txt

Set the path to the CA chain and root certs:

SSLCertificateChainFile /etc/pki/tls/certs/CA-chain.pem
SSLCACertificateFile /etc/pki/tls/certs/CA-bundle.crt

Restart the webserver:

service httpd restart

or

systemctl restart httpd

 

Enable SSL through your Linux server firewall

I edited my iptables file with the below 443 rule:

-A INPUT -p tcp -m state -m tcp --dport 443 --state NEW -j ACCEPT

 

Force SSL on the admin wp-login page

You can force SSL via the wp-config.php file as well. Doing so will force any requests on port 80 to the admin login page to 443. Add the below line to the very top of your wp-config.php file. Make sure you applied a valid SSL cert before doing this.

define( 'FORCE_SSL_ADMIN', true );

 

Change your MySQL database root username

Another hardening step is to change your MySQL root username to something else. This will protect against brute force attacks where all standard usernames are tried, especially root.

UPDATE mysql.user SET user='newusername' WHERE user='root';
-- reload the grant tables so the rename takes effect
FLUSH PRIVILEGES;

 

Disable wrong username/password messages on login page

When you enter a wrong username or password on the login page, the system informs you of this. Disabling this may not be a super security measure, but it is certainly part of the security by obscurity motto which can be part of an overall policy to protect your site.

Add this line to your wp-content/themes/themename/functions.php file for your selected theme:

// Return nothing in place of the "invalid username" / "incorrect password" hints
// (a closure replaces create_function, which was removed in PHP 8)
add_filter('login_errors', function ($a) { return null; });

 

Secure Apache

  1. Edit your /etc/httpd/conf/httpd.conf
  2. Disable directory browsing by deleting ‘Indexes’ from the line ‘Options Indexes FollowSymLinks’.
  3. Remove access to xmlrpc.php by adding the following to the Alias directive section:
    1. Redirect 404 /xmlrpc.php
  4. Hide the Apache version by adding the following at the very end:
    1. ServerTokens ProductOnly
    2. ServerSignature Off
  5. Restart Apache
    1. systemctl restart httpd

Hide PHP versioning

Edit your php.ini file, located at /etc/php.ini, and change the line expose_php = On to Off.

expose_php = off

Patching Exchange 2010 DAG Clusters

  • Tip: Download and manually install rollups and service packs via an administrative command line. Soooo many problems can come from updating these via WSUS or automatic updates. Run these first, then reboot if need be and install the remaining patches. This can save you many hours of heartache.

Prerequisites

Patch your servers

  1. Run Exchange Management Shell as administrator.
  2. Put the server into maintenance mode (must be run on the server being placed in maintenance mode):
    1. maintenancewrapper -server <servername> -action start
  3. Run one of the following to verify that the server is in maintenance mode and that the PAM and database have been moved:
    1. This script will give you quite a few stats for the cluster and servers:
      1. checkpam
    2. This command will list the PAM and any servers in maintenance along with the server containing the mounted database:
      1. Get-DatabaseAvailabilityGroup <dagname> -Status | fl Name,PrimaryActiveManager,ServersInMaintenance; Get-MailboxDatabase | fl Server,Name
  4. Once the server is in maintenance mode and the PAM and database are active on the other server, patch and reboot.
  5. Once patching is complete, remove the server from maintenance mode and verify with the checkpam script (steps 6 and 7).
  6. Stop maintenance mode:
    1. maintenancewrapper -server <servername> -action stop
  7. Run checkpam to get the health and status of the DAG:
    1. checkpam
  8. If the server you want does not take over as cluster manager, run this command:
    1. cluster <dagname> group "Cluster Group" /moveto:<servername>
  9. If the database does not activate on the server, follow these steps:
    1. Open the management console
    2. Expand ‘Organization Configuration’
    3. Highlight ‘Mailbox Database number’ in the top pane
    4. Right-click the same database name in the bottom pane and select ‘Activate Database Copy’
    5. Choose the default option of ‘NONE’ and click OK

Troubleshooting

The cluster file share witness will not come back online

  1. Go to Server Manager → Features → Failover Cluster Manager
  2. Highlight <dagname.fqdn>
  3. In the right hand Actions pane, click on More Actions → Configure Cluster Quorum Settings
  4. Click Next and copy the path to the share, then paste it somewhere for later.
  5. Click Previous and choose Node Majority, then Next and finish
  6. The cluster will then be in Node Majority, meaning that if either server goes down, the cluster is dead and so, too, is the Exchange database. So do not reboot.
  7. Once done, go back into Configure Cluster Quorum Settings and choose Node and File Share Majority
  8. Click Next, paste in the path to the share copied in step 4, click Next and finish
  9. Under Cluster Manager, you should now see 2 shares listed. Highlight the file share that has failed. It should have a red X next to it. Remove this resource.
  10. The cluster should now show healthy. Determine this by running checkpam on either server.
  11. Manually move the active database to another server

Mailbox database won’t move to server

  • Move-ActiveMailboxDatabase -Identity 'Mailbox Database number' -ActivateOnServer <servername> -MountDialOverride 'None'
  • This can be accomplished through the Exchange Management Console as well via step #9 above

Draining Netscaler 9.1 Services

It took me a while to figure this one out. In order to safely and effectively drain connections from a service or services on a Netscaler virtual server, follow this procedure. The services must not have infinite cookies, i.e., if your service is set for COOKIEINSERT with a timeout of 0, this may not work effectively.

Two default settings on LB services and virtual servers to note are ‘Down state flush’ on the Advanced tab and the ‘Weight’ value on the LBVS Services tab.

  • Disabling ‘Down state flush’ on a service and/or LBVS allows active sessions to remain active in the event that a service is in the ‘out of service’ state. The default for the Netscaler is enabled (checked).
    • If enabled, all sessions to a service are severed if it goes out of service.
    • Unchecking this option will allow active sessions to timeout before being kicked. When this option is not enabled and you disable a service, you will be prompted to specify a timeout in seconds. The service will be set to ‘Out of service’ at which time subsequent sessions are created on the higher weighted services in the LBVS.

Remember that a higher value weight gets more connections than a lower value. Depending upon which method you are using (least connection, round robin, etc.) connections will be sent using the Netscaler’s algorithm; the higher value will get a higher percentage of connections.

  1. Load Balancing -> Services:
    • Uncheck the ‘Down state flush’ option in the Advanced tab of the services assigned to your load balancing virtual server.
  2. Load Balancing -> Virtual Servers:
    • Open the LBVS that contains the services from step 1.
      • In the Services tab, set the weight of the service to disable to 1 and the weight of the service to remain in the pool to 100, then OK to save the config.
      • In the Advanced tab, uncheck the ‘Down state flush’ option.
  3. Load Balancing -> Services:
    • Right-click the service you want to disable and click Disable.
    • Enter the time in seconds before the service goes down, then click Enter.

Once you click Enter the service should show as ‘Out of service’. Sessions will begin to drain from it as they time out and the service weighted 100 should begin to accept more connections.

 

Set weight values. Higher values get higher priority for connections.

Disable ‘Down state flush’

Set desired time in seconds before service is disabled.


Batch File for New Windows Server

I use this batch file to deploy new servers, whether 2003, 2008 or 2012. I run it after the initial Windows install and before joining a domain. It includes various ‘fixes’: disabling all SSL versions and weak ciphers for IIS, installing the Telnet client for 2008 and above, allowing joining a single-label domain, properly disabling the Windows firewall, etc.

Updated to restrict more weak cipher suites and enable TLS1.0 through TLS1.2.

Modify 1.1.1.1 IPs to preference.

@echo off
echo:
echo ======================================================================
echo DO NOT RUN THIS SCRIPT ON A DOMAIN MEMBER SERVER!
echo USE WSUS-REINSTALL SCRIPTS INSTEAD TO RESET WSUS CLIENT.
echo ======================================================================
PAUSE
echo:
:: Install Telnet client
echo Installing Telnet client...
pkgmgr /iu:"TelnetClient"

echo:
:: Allow single label domain name (i.e., domain vs domain.com)
echo ----------------------------------------------------------------------
echo Setting 'Allow single label domain name'...
reg add "HKLM\SYSTEM\CurrentControlSet\services\Netlogon\Parameters" /v "AllowSingleLabelDnsDomain" /t reg_dword /d 00000001 /f

echo:
:: Disable subcategory logging for event IDs 5156, 5757, 4963
auditpol /set /subcategory:"Filtering Platform Packet Drop" /success:disable /failure:disable
auditpol /set /subcategory:"Filtering Platform Connection" /success:disable /failure:disable

echo:
:: Set Windows Firewall to OFF for all profiles - only if behind hardware firewall
echo ----------------------------------------------------------------------
echo Disabling Windows Firewall...
net start MpsSvc
netsh advfirewall set allprofiles state off
sc config "MpsSvc" start= demand

echo:
:: Set RDP to enabled from its default setting of not allowed
echo ----------------------------------------------------------------------
echo Enabling RDP...
reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v "fDenyTSConnections" /t reg_dword /d 00000000 /f

echo:
:: Set NTP client - for non-domain servers only
echo ----------------------------------------------------------------------
echo Syncing with NTP server...
sc config w32time start= auto
net start w32time
tzutil /s "Central Standard Time"
RunDLL32.exe shell32.dll,Control_RunDLL timedate.cpl,,/Z Central Standard Time
w32tm /config /manualpeerlist:"1.1.1.1" /syncfromflags:manual /update
net stop w32time && net start w32time
w32tm /resync

echo:
:: Enable Telnet and SNMP
echo ----------------------------------------------------------------------
dism /online /enable-feature /featurename:TelnetClient /featurename:SNMP /featurename:Server-RSAT-SNMP

echo:
:: Reinstall WSUS client and clear potentially corrupt files
echo ----------------------------------------------------------------------
echo Setting up WSUS client...
net stop bits && net stop wuauserv
ipconfig /flushdns
del "C:\Users\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
del "C:\Documents and Settings\All Users\Application Data\Microsoft\Network\Downloader\*.*" /Q
reg delete HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonTime" /f
reg delete "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update" /v "BalloonType" /f
net start wuauserv
net stop bits && net stop wuauserv
regsvr32 wuaueng.dll /s
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "WUStatusServer" /t reg_sz /d "http://1.1.1.1" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroupEnabled" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate /v "TargetGroup" /t reg_sz /d "WSUS Servers" /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "UseWUServer" /t reg_dword /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "NoAutoUpdate" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "AUOptions" /t reg_dword /d 00000002 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallDay" /t reg_dword /d 00000000 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\windows\WindowsUpdate\AU /v "ScheduledInstallTime" /t reg_dword /d 00000003 /f
net start bits && net start wuauserv
wuauclt.exe /detectnow

echo:
:: Set ArpRetryCount registry entry for IP conflict issue on 2008
echo ----------------------------------------------------------------------
echo Setting ArpRetryCount registry entry...
reg add "HKLM\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters" /v "ArpRetryCount" /t reg_dword /d 00000000 /f

echo:
echo ----------------------------------------------------------------------
echo Disabling weak SSL ciphers...

reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel" /v "EventLogging" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\NULL" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/56" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC2 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 40/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 56/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 64/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\RC4 128/128" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Ciphers\Triple DES 168" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable PCT 1.0
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\PCT 1.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 2.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Disable SSLv3
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Client" /v "Enabled" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\SSL 3.0\Server" /v "Enabled" /t reg_dword /d 00000000 /f

:: Enable TLS1.0, TLS1.1, TLS1.2
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.0\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.1\Server" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Client" /v "Enabled" /t reg_dword /d 00000001 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "DisabledByDefault" /t reg_dword /d 00000000 /f
reg add "HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel\Protocols\TLS 1.2\Server" /v "Enabled" /t reg_dword /d 00000001 /f

echo:
:: Rename default Administrator account, rename & disable Guest account
echo ----------------------------------------------------------------------
echo Renaming Administrator and Guest accounts...
wmic useraccount where name='Guest' call rename name='NewGuest'
wmic useraccount where name='NewGuest' set disabled='True'
wmic useraccount where name='Administrator' set passwordexpires='False'
wmic useraccount where name='Administrator' call rename name='NewAdmin'
net accounts /maxpwage:90
echo ======================================================================
echo If Admin account was renamed, log out before making further changes.
echo ======================================================================
:: Default to 'none' so an empty answer (ENTER) exits without logging off.
:: Comparisons are quoted so an empty answer cannot break the IF syntax,
:: and /i makes them case-insensitive (y, Y, yes, YES all match).
set ask=none
set /p ask=Log out now? Type YES, NO or hit ENTER to exit:
if /i "%ask%"=="y" goto logoff
if /i "%ask%"=="yes" goto logoff
:: NO, ENTER or anything unrecognised goes to exit instead of falling into :logoff
goto exit
:logoff
echo Logging off...
logoff
:exit
echo ======================================================================
echo Remember to log off if Admin account has been renamed.
echo ======================================================================
timeout 5 > nul
exit
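The batch file above writes a long list of Schannel registry values but never checks that they took effect. The following is an added example, not part of the original post, that reads those keys back and reports which protocols and ciphers are actually disabled. It assumes PowerShell 3.0 or later on the server, run elevated; the function names and the verdict wording are my own. Two details worth noticing in its output: TLS 1.0 and 1.1 are enabled by the batch file but are deprecated (RFC 8996), so the check reports them as ‘legacy’ rather than ‘ok’, and ‘DES 56/56’ is listed because the batch file never touches it.

```powershell
# Added example (not from the original post): read-only audit of the Schannel keys
# the batch file writes. Assumes PowerShell 3.0+, run from an elevated prompt.
$schannelBase   = 'SYSTEM\CurrentControlSet\Control\SecurityProviders\Schannel'
$expectDisabled = 'PCT 1.0', 'SSL 2.0', 'SSL 3.0'
$legacy         = 'TLS 1.0', 'TLS 1.1'        # enabled by the batch file, deprecated by RFC 8996
$expectEnabled  = 'TLS 1.2'
$weakCiphers    = 'NULL', 'RC2 40/128', 'RC2 56/56', 'RC2 56/128', 'RC2 128/128',
                  'RC4 40/128', 'RC4 56/128', 'RC4 64/128', 'RC4 128/128',
                  'Triple DES 168',
                  'DES 56/56'                  # NOT disabled by the batch file; included as a caveat

function Get-SchannelState {
    param([Parameter(Mandatory)][string]$SubKey)   # e.g. 'Protocols\SSL 3.0\Server'
    # The .NET registry API is used on purpose: cipher key names contain '/', which
    # the PowerShell registry provider would treat as a path separator.
    $key = [Microsoft.Win32.Registry]::LocalMachine.OpenSubKey("$schannelBase\$SubKey")
    if ($null -eq $key) { return 'not set (OS default)' }
    try {
        $enabled = $key.GetValue('Enabled')
        $dbd     = $key.GetValue('DisabledByDefault')
    } finally { $key.Close() }
    if ($null -ne $enabled -and $enabled -eq 0) { return 'disabled' }
    if ($null -ne $dbd -and $dbd -eq 1)         { return 'disabled by default' }
    if ($null -ne $enabled)                      { return 'enabled' }   # 1 or 0xffffffff
    return 'not set (OS default)'
}

function Test-SchannelHardening {
    foreach ($proto in ($expectDisabled + $legacy + $expectEnabled)) {
        foreach ($side in 'Client', 'Server') {
            $state = Get-SchannelState "Protocols\$proto\$side"
            if ($expectDisabled -contains $proto) {
                $verdict = if ($state -like 'disabled*') { 'ok' } else { "FAIL: $state" }
            } elseif ($legacy -contains $proto) {
                $verdict = if ($state -eq 'enabled') { 'legacy: enabled' } else { "ok: $state" }
            } else {
                $verdict = if ($state -eq 'enabled') { 'ok' } else { "check: $state" }
            }
            [pscustomobject]@{ Item = "$proto $side"; State = $state; Verdict = $verdict }
        }
    }
    foreach ($cipher in $weakCiphers) {
        $state   = Get-SchannelState "Ciphers\$cipher"
        $verdict = if ($state -eq 'disabled') { 'ok' } else { "FAIL: $state" }
        [pscustomobject]@{ Item = "Cipher $cipher"; State = $state; Verdict = $verdict }
    }
}

Test-SchannelHardening | Format-Table -AutoSize
```

Any row marked FAIL means a `reg add` line did not land (typically because the script was run without elevation) or a later policy re-enabled the setting; re-run the relevant lines and check again.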


Dual Boot on Windows 8.1

I remember the old days of spending hours trying to figure out how to dual boot Windows. With Windows 7 and 8 it is as simple as running a few commands from the command prompt. Follow along, out loud if you like, to create an entry in your current boot manager that lets you choose which OS to boot, whether it be Windows, *nix or even 2 or 3 different physical HDDs.

Create a new boot loader using BCDEDIT

  1. In Windows 8, run command prompt as administrator (Right-click -> Run as Administrator)
    • Powershell will not work for this task.
  2. Open DISKPART:
    • diskpart
  3. Display a list of all volumes:
    • list volume
  4. Determine which volume contains your Windows 7 OS and make a note of its Ltr (drive letter).
  5. Type EXIT to close DISKPART.
  6. Make a backup of your current boot manager:
    • bcdedit /export d:\bootmgrbak
      • To restore your original config, run the following:
        • bcdedit /import d:\bootmgrbak
  7. Run the below command to list your current boot configuration:
    • bcdedit
      • The first section is your bootmgr
      • The second is the 8.1 boot loader. We’ll make a copy of this section and modify it.
  8. Run the below to copy the {current} boot loader and create a second entry. Type or copy the below exactly as it appears… no need to modify any part of it unless you want a name other than ‘Windows 7’.
    • bcdedit /copy {current} /d "Windows 7"
      • /d sets the name for the copied config to what is in quotes and sets it as a boot menu choice.
  9. Now let’s modify the config to point to our other volume/drive:
    • bcdedit
      • Note that you now have a 3rd entry with its description set to ‘Windows 7’.
      • Copy the ‘identifier’ string including the brackets {} and replace the bracket section in each command below and replace the partition value with your volume letter:
        • bcdedit /set {xxx} device partition=e:
        • bcdedit /set {xxx} osdevice partition=e:
        • bcdedit /set {xxx} systemroot \Windows
          • This should be the same whether 8 or 7 and you shouldn’t need to change it, but I’ve included it just in case.
        • bcdedit /set {xxx} path \windows\system32\boot\winload.exe
          • This should be the same whether 8 or 7 and you shouldn’t need to change it, but I’ve included it just in case.

That’s it. Reboot and you should see the fancy new Windows 8 bootloader screen with a choice between Windows 8.1 or Windows 7.

Avoid rebooting twice when you load the Windows 7 boot loader

If you choose Windows 7, your machine will reboot again to load the 7 boot loader. If you want to be able to make a choice without rebooting, run the following to change to the legacy boot screen… that old, familiar black and white, text-only screen. Once this is set to legacy, either choice will throw you straight into the selected OS without having to wait out another reboot and POST.

  • bcdedit /set "{current}" bootmenupolicy legacy
    • To reverse this, run the above, but replace ‘legacy’ with ‘standard’

Edit the timeout for the menu selection screen

  • From within Windows
    • Run msconfig from the command prompt or open Administrative Tools -> System Configuration.
    • Click on the Boot tab and set a timeout in seconds.
  • From an administrative command prompt:
    • bcdedit /timeout X
      • Substitute a time in seconds for X
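Step 9 has you copy the new entry’s identifier out of the bcdedit listing by hand, which is where a typo sends `device` or `osdevice` to the wrong entry. The following is an added example, not code from the original post: it parses `bcdedit /enum` output, finds the entry by its description, and builds the `bcdedit /set` commands from steps 8 and 9 together with the bootmenupolicy and timeout commands from the two sections above, so you can review them before running anything. The function names, the constructed sample listing and the drive letter `e:` are assumptions for the demonstration; it assumes PowerShell 3.0 or later.

```powershell
# Added example (not from the original post). Parses 'bcdedit /enum' and builds the
# bcdedit commands from the post. Assumes PowerShell 3.0+.

function ConvertFrom-BcdEnum {
    param([Parameter(Mandatory)][string[]]$Lines)
    # Each entry is a title line, a dashed underline, then 'name<spaces>value' lines;
    # a blank line closes the entry.
    $entries = @(); $current = $null; $prev = ''
    foreach ($line in $Lines) {
        if ($line -match '^-{5,}\s*$') {                  # underline: previous line was the title
            $current = [ordered]@{ Title = $prev.Trim() }
        }
        elseif ($line -match '^\s*$') {                   # blank line closes the entry
            if ($null -ne $current) { $entries += [pscustomobject]$current; $current = $null }
        }
        elseif ($null -ne $current -and $line -match '^(\S+)\s+(.+?)\s*$') {
            $current[$matches[1]] = $matches[2]           # e.g. identifier -> {current}
        }
        $prev = $line
    }
    if ($null -ne $current) { $entries += [pscustomobject]$current }
    $entries
}

function Get-BcdIdentifier {
    param([Parameter(Mandatory)][string[]]$Lines, [Parameter(Mandatory)][string]$Description)
    $hits = @(ConvertFrom-BcdEnum -Lines $Lines | Where-Object { $_.description -eq $Description })
    if ($hits.Count -ne 1) { throw "Expected exactly one entry described '$Description', found $($hits.Count)" }
    $hits[0].identifier
}

function New-BcdCommands {
    # Same four /set commands as step 9, plus the legacy menu and timeout tweaks.
    param([Parameter(Mandatory)][string]$Identifier, [Parameter(Mandatory)][string]$Partition,
          [int]$TimeoutSeconds = 10)
    @(
        "bcdedit /set $Identifier device partition=$Partition",
        "bcdedit /set $Identifier osdevice partition=$Partition",
        "bcdedit /set $Identifier systemroot \Windows",
        "bcdedit /set $Identifier path \windows\system32\boot\winload.exe",
        'bcdedit /set "{current}" bootmenupolicy legacy',
        "bcdedit /timeout $TimeoutSeconds"
    )
}

# Constructed sample of 'bcdedit /enum' output after step 8 (not captured from a real machine).
$sample = @'
Windows Boot Manager
--------------------
identifier              {bootmgr}
device                  partition=\Device\HarddiskVolume1
description             Windows Boot Manager
timeout                 30

Windows Boot Loader
-------------------
identifier              {current}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 8.1
osdevice                partition=C:
systemroot              \Windows

Windows Boot Loader
-------------------
identifier              {11111111-2222-3333-4444-555555555555}
device                  partition=C:
path                    \Windows\system32\winload.exe
description             Windows 7
osdevice                partition=C:
systemroot              \Windows
'@ -split "`r?`n"

$id = Get-BcdIdentifier -Lines $sample -Description 'Windows 7'
New-BcdCommands -Identifier $id -Partition 'e:'
# On a real machine (elevated prompt): $live = bcdedit /enum
# then review the commands before running them, e.g.
#   New-BcdCommands -Identifier (Get-BcdIdentifier $live 'Windows 7') -Partition 'e:' | ForEach-Object { cmd /c $_ }
```

Running the sample prints the six commands with the `{11111111-…}` identifier filled in; against live output, the `throw` in `Get-BcdIdentifier` is what stops you if two entries happen to share the description ‘Windows 7’ (for instance after running step 8 twice).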

Install Windows 8.1 From USB

Create a bootable Windows 8.1 USB installation disk via Diskpart. Simply simple.

NOTE: See end of post for a screenshot that sums up these steps. You can use it instead, just make sure to choose the correct disk so you don’t lose any data!

Prerequisites

  • Windows 8.1 ISO file or DVD
  • 4GB or larger USB stick
  • Whiskey (optional)

Get started

  1. Plug in your USB stick.
  2. In Windows 7 open a command line.
  3. Run diskpart:
    • diskpart
  4. Determine which disk is your USB drive:
    • list disk
      • In the next step, make sure to choose your USB stick and not another volume that you need such as your boot volume.
  5. Select the USB drive:
    • select disk 1
      • Where ‘1’ is the number of your USB drive.
  6. Wipe the drive:
    • clean
  7. Create a partition:
    • create partition primary
  8. Select the partition:
    • select partition 1
  9. Make the new partition active:
    • active
  10. Format the partition:
    • format fs=ntfs quick
  11. Assign a drive letter:
    • assign
  12. Once you see the drive in Explorer you can copy the contents of the Windows ISO/DVD to your USB drive. You now have a bootable 8.1 USB stick. Installing from a class 10 USB stick to my Samsung 840 Pro SSD took about 7 minutes up to the time I was requested to name my installation. 🙂
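The dangerous step in this procedure is `select disk 1`: pick the wrong number and `clean` wipes a data disk. The following is an added example, not from the original post, that picks the USB disk by its interface type through WMI instead of by guessing its number, refuses to continue if more than one USB disk is attached or the disk is larger than a thumb drive, and then runs steps 3 through 11 as a non-interactive diskpart script. The function names, the 32 GB size guard and the script path are assumptions; it works with PowerShell 2.0 (the Windows 7 default) and later.

```powershell
# Added example (not from the original post): pick the USB disk safely, then drive
# diskpart from a script. PowerShell 2.0 compatible.

function Get-UsbDiskNumber {
    param([int]$MaxSizeGB = 32)    # thumb-drive ceiling; anything bigger is probably not the stick
    $usb = @(Get-WmiObject Win32_DiskDrive | Where-Object { $_.InterfaceType -eq 'USB' })
    if ($usb.Count -ne 1) {
        throw "Expected exactly one USB disk, found $($usb.Count); attach only the target stick."
    }
    $sizeGB = [math]::Round($usb[0].Size / 1GB, 1)
    if ($sizeGB -gt $MaxSizeGB) {
        throw "USB disk $($usb[0].Index) is $sizeGB GB; refusing to wipe something that large."
    }
    # Win32_DiskDrive.Index is the same number diskpart shows in 'list disk'
    New-Object PSObject -Property @{ Index = $usb[0].Index; Model = $usb[0].Model; SizeGB = $sizeGB }
}

function New-UsbDiskpartScript {
    param([Parameter(Mandatory=$true)][int]$DiskNumber, [string]$Path = "$env:TEMP\make-usb.txt")
    # Same command sequence as steps 5-11 of the post; 'clean' destroys everything on the disk.
    @(
        "select disk $DiskNumber", 'clean', 'create partition primary', 'select partition 1',
        'active', 'format fs=ntfs quick', 'assign'
    ) | Set-Content -Path $Path -Encoding ASCII
    $Path
}

$disk   = Get-UsbDiskNumber
Write-Host "Target: disk $($disk.Index) ($($disk.Model), $($disk.SizeGB) GB)"
$script = New-UsbDiskpartScript -DiskNumber $disk.Index
# Typing the disk number back is the confirmation; anything else aborts.
if ((Read-Host "Wipe disk $($disk.Index)? Type the disk number to confirm") -eq "$($disk.Index)") {
    diskpart /s $script
    # Step 12 is unchanged: copy the ISO/DVD contents to the drive letter that appears.
}
```

Run it from an elevated prompt; diskpart needs administrator rights whether it is driven interactively or with `/s`.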

[Screenshot: diskpart]


IBM Connect:Direct Installation on Windows 2012 R2

Connect:Direct is such an easy installation and just a fun application to work with, so I’ve decided to detail my experience during a recent migration from version 4.5.0.1 to 4.6.01 on Windows 2012. Obviously, I’m being facetious. Connect:Direct is a mainframe FTP application that was ported to Windows similar to a console game ported to PC; it still has controls based upon a controller, but now you get to use a keyboard to control it. Yay.


PREREQUISITES

  • Configure a local or domain user and set it as an administrator on the host machine.
  • Login to the server with the new user.
  • Install Connect:Direct by running the installer as administrator.
    • Select Custom Setup.
    • Import the USER or NETMAP files at this time.
      • You can import these later instead via a CMD window by doing the following:
        • CD to the C:\Program Files (x86)\Sterling Commerce\Connect Direct v4.6.00\Server directory
        • Copy your map.cfg and user.cfg files here.
        • Run the following commands to import each cfg:
          • cdconfig /Q /I /Fmap.cfg
          • cdconfig /Q /I /Fuser.cfg
    • Configure a SMTP server if you have one.
    • Set the following files to run as administrator for all users by selecting Properties -> Compatibility -> Change settings for all users -> Run this program as an administrator

CONFIGURATION

  • Open CD Requester
  • There will be nothing configured yet.
  • Select Node -> Connection Settings -> Insert Node
  • Enter the new node’s name, select Windows as the Operating System, set its IP Address and check the Set as the default node option
  • Hit OK to populate the node in the Requester.
  • Right-click the node name -> Connection Settings -> Edit Userids
  • Click Insert
    • Name: <new admin user from prerequisites>
      • Check Remember password
    • Password: <password>
      • Check Set as the default user
  • Click OK and close the window
  • Open Netmap and configure all nodes for 10 concurrent sessions or however many you need.
  • Initial configuration is complete.

CONFIGURE SECURE+

  • Open CD Secure+ Admin Tool
  • File -> Sync with Netmap
  • Select Add All
  • Skip the next step
  • You should now see all Netmap entries within the Secure+ Admin Tool list
  • Double-click .Local to open its properties
  • Under Security Options select Enable SSL Protocols and Enable Override
  • Under TLS/SSL Protocol
      • Browse to the directory containing your CA certificate file and apply it to the Trusted Root Certificate File field
      • Browse to the directory containing your host’s key certificate file and apply it to the Key Certificate File field
    • Enable the following cipher suites
      • TLS_DHE_RSA_WITH_AES_256_CBC_SHA
      • TLS_RSA_WITH_AES_256_CBC_SHA
      • TLS_DHE_RSA_WITH_AES_128_CBC_SHA
      • TLS_RSA_WITH_AES_128_CBC_SHA
      • SSL_RSA_WITH_RC4_128_SHA
      • SSL_RSA_WITH_RC4_128_MD5
      • SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA
      • SSL_RSA_WITH_3DES_EDE_CBC_SHA
      • SSL_DHE_RSA_WITH_DES_CBC_SHA
      • SSL_RSA_WITH_DES_CBC_SHA
    • Leave the following cipher suites disabled in the Available window
      • SSL_RSA_EXPORT_WITH_RC4_40_MD5
      • SSL_RSA_EXPORT_WITH_DES40_CBC_SHA
      • SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5
      • SSL_RSA_WITH_NULL_SHA
      • SSL_RSA_WITH_NULL_MD5
  • Click OK to save this entry
  • Now you must disable Secure+ on all other nodes that do not use it. Open each node and configure as Disable Secure+ and Enable Override.
  • Secure+ is configured
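The enabled list above still carries RC4, single DES, 3DES and MD5 suites alongside the AES ones. The following is an added example, not part of the original post or of Connect:Direct, that takes each suite name from the list, splits it into key exchange, cipher and MAC, and flags the weak primitives, so it is clear which entries you could drop once your partner nodes negotiate the AES suites. The suite names are the ones in the post; the parsing and the scoring rules are my own.

```powershell
# Added example (not from the original post): classify cipher suites by the
# primitives named in them. PowerShell 2.0 compatible.

function Get-CipherSuiteRisk {
    param([Parameter(Mandatory=$true)][string]$Suite)
    # IANA-style names: <PROTO>_<KEX[_AUTH]>_WITH_<CIPHER>_<MAC>
    if ($Suite -notmatch '^(SSL|TLS)_(.+?)_WITH_(.+)_(SHA\d*|MD5)$') {
        throw "Unrecognised suite name: $Suite"
    }
    $kex = $matches[2]; $cipher = $matches[3]; $mac = $matches[4]
    $reasons = @()
    if ($kex -match 'EXPORT')         { $reasons += 'export-grade key exchange' }
    if ($cipher -match '^NULL')       { $reasons += 'no encryption' }
    if ($cipher -match 'RC4')         { $reasons += 'RC4 (prohibited for TLS by RFC 7465)' }
    if ($cipher -match 'RC2')         { $reasons += 'RC2' }
    if ($cipher -match '^DES_|DES40') { $reasons += 'single DES (56-bit or 40-bit key)' }
    if ($cipher -match '3DES')        { $reasons += '3DES (64-bit block; birthday bound on long sessions)' }
    if ($mac -eq 'MD5')               { $reasons += 'MD5 HMAC' }
    if ($kex -notmatch 'DHE')         { $reasons += 'no forward secrecy' }
    # Missing forward secrecy is a note, not a reason to reject; everything else is.
    $weak = @($reasons | Where-Object { $_ -ne 'no forward secrecy' })
    $risk = if ($weak.Count -gt 0) { 'weak' } else { 'ok' }
    New-Object PSObject -Property @{
        Suite = $Suite; KeyExchange = $kex; Cipher = $cipher; Mac = $mac
        Risk  = $risk;  Notes = ($reasons -join '; ')
    }
}

# The Secure+ list from the post, enabled and disabled sets together.
$suites = 'TLS_DHE_RSA_WITH_AES_256_CBC_SHA', 'TLS_RSA_WITH_AES_256_CBC_SHA',
          'TLS_DHE_RSA_WITH_AES_128_CBC_SHA', 'TLS_RSA_WITH_AES_128_CBC_SHA',
          'SSL_RSA_WITH_RC4_128_SHA', 'SSL_RSA_WITH_RC4_128_MD5',
          'SSL_DHE_RSA_WITH_3DES_EDE_CBC_SHA', 'SSL_RSA_WITH_3DES_EDE_CBC_SHA',
          'SSL_DHE_RSA_WITH_DES_CBC_SHA', 'SSL_RSA_WITH_DES_CBC_SHA',
          'SSL_RSA_EXPORT_WITH_RC4_40_MD5', 'SSL_RSA_EXPORT_WITH_DES40_CBC_SHA',
          'SSL_RSA_EXPORT_WITH_RC2_CBC_40_MD5', 'SSL_RSA_WITH_NULL_SHA', 'SSL_RSA_WITH_NULL_MD5'

$suites | ForEach-Object { Get-CipherSuiteRisk -Suite $_ } |
    Sort-Object Risk, Suite | Format-Table Risk, Suite, Notes -AutoSize
```

Only the four AES suites come out as ‘ok’; the two `TLS_RSA_*` ones carry the ‘no forward secrecy’ note, and every RC4, DES, 3DES, export and NULL suite is marked ‘weak’, which matches the set the Windows batch file earlier on this page disables at the Schannel level.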

CHANGE IP ADDRESS OF AN EXISTING NODE

You can change the IP address on a node, but you cannot change the node name without reinstalling Connect:Direct.

  • Modify Connect:Direct IP address:
    1. Select Start -> Programs -> Connect:Direct -> Admin Tools
    2. Stop the Connect:Direct service
    3. Right click on the Connect:Direct Node name and select Initialization Properties
    4. Go to the TCP/IP tab and correct the IP address for the API and Host
    5. Start the service
    6. Start CD Requester
    7. Highlight the Connect:Direct server
    8. Right click the node and select properties
    9. Type the new IP address and click OK
    10. Open Netmap
    11. Double click the local node name
    12. Correct the IP address and hit OK
    13. Right click in the Netmap window and select Apply.
    14. Select the local node and hit OK.
    15. Close Netmap.

Exchange 2010 DAG Cluster Health Check

I’ve created a few Powershell scripts to help with my DAG, but this one is a great assist when patching host machines. Save the below as a .ps1 file and run from within an Exchange Management Shell.

# Import the FailoverClusters PowerShell module
# Needed to run the Get-ClusterGroup command
# Must run each time a new shell is opened
Write-Host 'Importing FailoverClusters module, please wait...'
Import-Module FailoverClusters
Write-Host
Write-Host '------------------------------------------'
# Lists the PAM server and any servers in maintenance
Write-Host -NoNewline 'PAM AND SERVERS IN MAINTENANCE...'
Get-DatabaseAvailabilityGroup -Status | Format-List Name, PrimaryActiveManager, ServersInMaintenance
Write-Host '------------------------------------------'
# Lists the server that owns the online cluster group
Write-Host -NoNewline 'CLUSTER GROUP OWNER...'
Get-ClusterGroup | Where-Object { $_.State -eq 'Online' } | Format-List Name, OwnerNode, State
Write-Host '------------------------------------------'
# Lists the server each database is mounted on
Write-Host -NoNewline 'MOUNTED DATABASE LOCATION...'
Get-MailboxDatabase | Format-List Server, Name
Write-Host '------------------------------------------'
# Lists each database copy, whether it is the active copy, and its content index state
Write-Host -NoNewline 'DATABASE INDEXING STATES...'
Get-MailboxDatabaseCopyStatus *\* | Format-List Name, ActiveDatabaseCopy, *Index*
Write-Host '------------------------------------------'
# Checks replication health between the DAG members
Write-Host 'CLUSTER HEALTH...'
Test-ReplicationHealth
Write-Host
Write-Host
Write-Host '------------------------------------------'
# Lists details of any queue with more than 5 messages
#Write-Host 'QUEUE STATUS...'
#Get-TransportServer | Get-Queue | Where-Object { $_.MessageCount -gt 5 }
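The report above leaves it to the reader to decide whether a node is safe to patch. The following is an added example, not from the original post, that turns the same data into a pass/fail answer for one DAG member: no database may be active (mounted) on it, every copy it holds must be Healthy with a Healthy content index, and its copy and replay queues must be short. The function name, the queue limit and the constructed sample objects are assumptions; the cmdlet and property names (`Get-MailboxDatabaseCopyStatus`, `Status`, `ContentIndexState`, `CopyQueueLength`, `ReplayQueueLength`) are the Exchange 2010 ones, so the live call needs an Exchange Management Shell.

```powershell
# Added example (not from the original post): patch-readiness check for one DAG member.

function Test-DagMemberReadyForPatching {
    param(
        [Parameter(Mandatory=$true)][string]$Server,
        # Copy-status objects for the databases on $Server; omit to query the live DAG.
        [object[]]$CopyStatus,
        [int]$MaxQueueLength = 10
    )
    if (-not $CopyStatus) { $CopyStatus = Get-MailboxDatabaseCopyStatus -Server $Server }
    $problems = @()
    foreach ($c in $CopyStatus) {
        $dbName = ($c.Name -split '\\')[0]           # Name is 'Database\Server'
        if ($c.Status -eq 'Mounted') {
            $problems += "$dbName is still ACTIVE on $Server; move it first (Move-ActiveMailboxDatabase)."
        }
        elseif ($c.Status -ne 'Healthy') {
            $problems += "$dbName copy state is $($c.Status), expected Healthy."
        }
        if ($c.ContentIndexState -ne 'Healthy') {
            $problems += "$dbName content index is $($c.ContentIndexState)."
        }
        if ($c.CopyQueueLength -gt $MaxQueueLength -or $c.ReplayQueueLength -gt $MaxQueueLength) {
            $problems += "$dbName queues: copy=$($c.CopyQueueLength) replay=$($c.ReplayQueueLength) (limit $MaxQueueLength)."
        }
    }
    New-Object PSObject -Property @{
        Server   = $Server
        Ready    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Constructed sample data (not from a real DAG) so the check can be exercised offline.
$sample = @(
    (New-Object PSObject -Property @{ Name = 'DB01\MBX2'; Status = 'Healthy'; ContentIndexState = 'Healthy'; CopyQueueLength = 0; ReplayQueueLength = 2 }),
    (New-Object PSObject -Property @{ Name = 'DB02\MBX2'; Status = 'Mounted'; ContentIndexState = 'Healthy'; CopyQueueLength = 0; ReplayQueueLength = 0 }),
    (New-Object PSObject -Property @{ Name = 'DB03\MBX2'; Status = 'Healthy'; ContentIndexState = 'Crawling'; CopyQueueLength = 25; ReplayQueueLength = 0 })
)
Test-DagMemberReadyForPatching -Server 'MBX2' -CopyStatus $sample | Format-List
# Ready is False here: DB02 is active on MBX2, DB03's index is Crawling and its copy queue is 25.
# Live use from the Exchange Management Shell:  Test-DagMemberReadyForPatching -Server $env:COMPUTERNAME
```

Run it before each node in the patch cycle and again after the node is back, when every copy it holds should return to Healthy and the queues should drain; a node that is still not Ready after patching is the one to investigate before moving to the next.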