David Solomon Technet Spotlight (2005)
By Travis
Feel like beefing up your understanding of threads, processes and memory management in Windows NT? David Solomon, co-author of Windows Internals, presented at a Microsoft TechNet Spotlight in 2005, focusing on processes, threads and memory management in Windows. Even though these videos are almost 20 years old, the material is so fundamental that it still applies today, and to every operating system on Earth. David is a bona fide, certified "genius" who explains complex subjects so simply that even a novice might mistake himself for an expert after watching these videos 10-20 times. His co-author is Mark Russinovich, current CTO of Microsoft Azure and founder of the famous Sysinternals suite.
Processes and Thread Troubleshooting – Part 1
Processes and Thread Troubleshooting – Part 2
Understanding and Troubleshooting Memory Problems – Part 3
NextCloud Talk Bot Custom Commands
By Travis
Official Nextcloud documentation is at https://nextcloud-talk.readthedocs.io/en/latest/commands/
The Talk add-on allows returning information when the user invokes a command preceded by a forward slash.
I have created 3 custom commands that give Nextcloud admins server information that would otherwise have to come from other tools, i.e. monitoring/graphing software:
- Disk space used, available, and percent used, via the df utility
- Latency-related info, via the common ping utility (install it if it is missing; normally the net-utils package or similar)
- Listing server-side mounts, via the standard mount command
Using Help
For help simply type /help and you should see something similar to below:

```text
talk-bot
/wiki - A simple command to find wikipedia articles for a term
/hackernews - A simple command to list the Top 5 top, new or best stories
/calc - A basic calculator for Nextcloud Talk based on gnu BC
/ping - Usage: /ping <domain/ip address> or use it without domain/ip parameter
/diskspace - Returns disk space information from the server you are connected. Alias=/df
/mount - Returns mount information from the server you are connected
```
The first 3 bot commands are defaults, and the following 3 are custom commands described in this Github Gist.
Docker Exec into NextCloud Container
If you are running Nextcloud in a Docker container you will need to enter an interactive bash shell (on a pseudo-TTY) inside the container using this syntax, substituting your container's name or ID:

```bash
docker exec -it <container-name> bash
```
OCC:List
Once you are inside your container's shell we will invoke the Nextcloud OCC utility using the syntax occ talk:command:list and occ talk:command:add.

```text
sudo -u abc /config/www/nextcloud/occ talk:command:list
Response values: 0 - No one, 1 - User, 2 - All
Enabled values: 0 - Disabled, 1 - Moderators, 2 - Users, 3 - Guests
```

| id | app | name | command | script | response | enabled |
|----|-----|------|---------|--------|----------|---------|
| 1 | | talk | help | help | 1 | 3 |
| 2 | | Wikipedia | wiki | php /config/www/nextcloud/apps/spreed/sample-commands/wikipedia.php {ARGUMENTS} | 2 | 3 |
| 3 | | Hacker News | hackernews | php /config/www/nextcloud/apps/spreed/sample-commands/hackernews.php {ARGUMENTS} | 2 | 3 |
| 4 | | Calculator | calculator | /config/www/nextcloud/apps/spreed/sample-commands/calc.sh {ARGUMENTS} | 1 | 3 |
| 5 | | Calculator | calc | alias:calculator | 2 | 3 |
| 8 | | Ping | ping | /config/www/scripts/ping.sh {ARGUMENTS} | 1 | 2 |
| 12 | | Disk Space | diskspace | /config/www/scripts/df.sh {ARGUMENTS} | 1 | 2 |
| 13 | | Disk Space | df | alias:diskspace | 1 | 2 |
| 17 | | Show Mounts | mount | /config/www/scripts/mount.sh | 1 | 2 |
OCC:Add
```bash
sudo -u abc /config/www/nextcloud/occ talk:command:add diskspace "Disk Space" "/config/www/scripts/df.sh {ARGUMENTS}" 1 2
sudo -u abc /config/www/nextcloud/occ talk:command:add ping "Ping" "/config/www/scripts/ping.sh {ARGUMENTS}" 1 2
sudo -u abc /config/www/nextcloud/occ talk:command:add mount "Show Mounts" "/config/www/scripts/mount.sh {ARGUMENTS}" 1 2
sudo -u abc /config/www/nextcloud/occ talk:command:add df "Disk Space" "alias:diskspace" 1 2
```

The two trailing numbers are the response and enabled values from the legend above: 1 2 means the output is shown only to the user who ran the command, and any user (not only moderators) may run it.
df.sh
```bash
#!/usr/bin/env bash
# Locate df and return a message the bot can relay if it is missing.
BIN_DF=$(which "df")
if ! [ -x "$BIN_DF" ]; then
  echo "df (coreutils package) not installed."
  echo "See the official documentation for more information"
  exit 1
fi
case "$1" in
  --help)
    # Talk runs the script with --help to build the /help listing.
    echo -e '/diskspace - Returns disk space information from the server you are connected. Alias=/df'
    echo -e 'Example: /diskspace\nAlias: /df'
    exit 0
    ;;
  "")
    # No argument: report the root and /data filesystems, human-readable, with type.
    df -hT / /data
    ;;
esac
exit 0
```
ping.sh
```bash
#!/usr/bin/env bash
# Locate ping and return a message the bot can relay if it is missing.
BIN_PING=$(which "ping")
if ! [ -x "$BIN_PING" ]; then
  echo "Ping (inetutils package) not installed."
  echo "See the official documentation for more information"
  exit 1
fi
case "$1" in
  --help)
    # Talk runs the script with --help to build the /help listing.
    echo "/ping - Usage: /ping <domain/ip address> or use it without domain/ip parameter"
    exit 0
    ;;
  "")
    # No argument: ping the default host, IPv4 only, five packets.
    ping -4 -c 5 travisflix.com
    ;;
  *)
    # Otherwise ping whatever the chat user supplied as the first argument.
    ping -4 -c 5 "$1"
    ;;
esac
exit 0
```
mount.sh
```bash
#!/usr/bin/env bash
case "$1" in
  --help)
    # Talk runs the script with --help to build the /help listing.
    echo -e '/mount - Returns mount information from the server you are connected\n'
    echo -e 'Example: /mount'
    exit 0
    ;;
  "")
    # No argument: list the server-side mounts.
    mount
    ;;
esac
exit 0
```
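Every custom command above runs a server-side script with whatever the chat user typed substituted for {ARGUMENTS}, and with an enabled value of 2 any user of the Talk instance can trigger it. In ping.sh the first argument goes to ping unvalidated. The Python script below is an added example, not part of the original post or its Gist: a stand-in for ping.sh that accepts exactly one hostname or IPv4 literal, refuses anything else, and starts ping with an argument list rather than through a shell. The install path /config/www/scripts/ping.py and the occ registration line in the comment are assumptions; the default target and help text are the ones from the page's ping.sh.

```python
#!/usr/bin/env python3
# Added example (not the post's own script): a hardened stand-in for ping.sh.
# Register it like the bash version (the path is an assumption):
#   sudo -u abc /config/www/nextcloud/occ talk:command:add ping "Ping" \
#       "python3 /config/www/scripts/ping.py {ARGUMENTS}" 1 2
import re
import subprocess
import sys

DEFAULT_TARGET = "travisflix.com"  # the default used by the page's ping.sh
HELP_TEXT = "/ping - Usage: /ping <domain/ip address> or use it without domain/ip parameter"
MAX_LEN = 253                      # longest valid DNS name

# One DNS label: alphanumerics with optional interior hyphens, 1-63 chars.
_LABEL = r"[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?"
# A hostname or dotted IPv4 literal is one or more labels joined by dots.
TARGET_RE = re.compile(rf"{_LABEL}(?:\.{_LABEL})*")


def valid_target(raw):
    """Accept a single hostname/IPv4 literal. Anything else (empty, too long,
    leading '-', whitespace, shell metacharacters, non-ASCII) is rejected
    before it gets anywhere near ping's option parser."""
    if not raw or len(raw) > MAX_LEN:
        return False
    return TARGET_RE.fullmatch(raw) is not None


def build_command(args):
    """Turn the bot's argument list into an argv for ping, or None if the
    input is rejected. However Talk tokenises {ARGUMENTS}, more than one
    token is refused rather than silently forwarded."""
    if not args:
        target = DEFAULT_TARGET
    elif len(args) == 1 and valid_target(args[0]):
        target = args[0]
    else:
        return None
    return ["ping", "-4", "-c", "5", target]


def main(argv):
    if argv[:1] == ["--help"]:       # Talk asks for --help when building /help
        print(HELP_TEXT)
        return 0
    cmd = build_command(argv)
    if cmd is None:
        print("Rejected: give a single hostname or IPv4 address.")
        return 1
    try:
        # argv list, no shell; the timeout stops a chat command from tying up
        # the server when the target never answers.
        done = subprocess.run(cmd, capture_output=True, text=True, timeout=30)
    except subprocess.TimeoutExpired:
        print("ping timed out")
        return 1
    print(done.stdout or done.stderr)
    return done.returncode


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

The validation is deliberately a whitelist (labels of letters, digits and hyphens) rather than a blacklist of dangerous characters, so a value that starts with a dash never reaches ping as an option, and the same check applies to the diskspace and mount scripts if they ever grow arguments.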
How to Enable ICMP in Windows Server 2022 Server Core
By Travis
This guide will show you how to enable/disable ICMP ping responses (ICMP Echo Request) in Windows Server 2022 (it should work with any recent version: 2008 R2, 2012 R2, 2016, 2019, 2022). Enabling ping will help you monitor and troubleshoot issues on your network. Prior to making any changes it would be a good idea to make sure you're not violating any department policies; I have never gotten my hand slapped for enabling ICMP echo requests, although I have for...get this...having client drive redirection enabled on my remote desktop session to a non-critical Windows box. Jesus H. Christ, sorry, but that still irks me.
Since the Server Core variant of Windows doesn't have a GUI, the rule that allows responses to ICMP echo requests has to be added from the command line.
Tor Browser Disable Letterboxing
By Travis
Follow these instructions in order to disable Tor Browser letterboxing only if you understand the implications of doing so and are willing to accept the potential risks:
- In the Tor Browser address bar enter the address: about:config
- Click the button Accept the Risk and Continue
- In the top search field, search for: letterboxing
- Toggle the option named privacy.resistFingerprinting.letterboxing to false
Tor Browser Config Settings Address Bar
By Travis
Trying to get to the advanced settings of the Tor Browser? Type about:config in the address bar.
If you are interested in disabling the annoying option called privacy.resistFingerprinting.letterboxing, which limits your viewable browsing space, visit blog.travisflix.com/tor-browser-disable-letterboxing/.
ECC ECDSA SSL/TLS Certificates
By Travis
We talk about ECC all the time, but let’s be honest. It can all seem a little bit abstract, which is probably not helping its adoption-rate. The majority of the SSL/TLS certificates being issued today use RSA public key encryption. We know because we sell a lot of them.
And as far as I can tell, a large part of that can be attributed to the fact that people still think Elliptic Curve-based cryptosystems aren't widely supported by end users' browsers and operating systems.
Well, that’s not true.
So today we’re going to talk a bit about the misnomer that ECC isn’t supported, then we’ll talk a bit about ECC itself, its strengths, and why you should be using it with your SSL/TLS certificates.
Let’s hash it out.
All modern Operating Systems and Browsers support ECC
The SSL/TLS industry has always been hamstrung by conventional wisdom that no longer holds true, everything from the idea that HTTPS is slower to the myth that websites that don't collect personal information don't need SSL. While there was a time when all of these things were true (to some extent), that's not the case today.
Add the idea that ECC isn't widely supported by end users to that list.
While server support may vary, here's a breakdown of support from popular operating systems:
| Operating System | Minimum Version Required |
|------------------|--------------------------|
| Apple OS X | OS X 10.6 |
| Microsoft Windows | Windows Vista |
| Red Hat Enterprise Linux | 6.5 |
| iOS | iOS 7.x |
| Android OS | 3.x |
| Microsoft Windows Phone | 7.x |
And here’s the breakdown for the four most popular browsers:
| Browser | Minimum Version Required |
|---------|--------------------------|
| Apple Safari | 4 |
| Google Chrome | 1.0 |
| Microsoft Internet Explorer | 7 |
| Mozilla Firefox | 2.0 |
Sure, Windows XP users and some very old legacy devices might have a difficult time with ECC, but that actually serves as a perfect segue to our next point.
Look forward, not backwards – don’t prioritize interoperability over security
RSA is on its last legs; just in the past few months we've detailed a couple of exploits that can be used against RSA and many outdated SSL/TLS implementations. The common theme was that by continuing to support older, more vulnerable cryptosystems and ciphers, organizations were inviting undue risk in the name of interoperability.
And believe me, I understand why interoperability is desirable. Businesses are loath to lock anyone out of their websites. But by continuing to abide by that logic you're only robbing yourself of several of the biggest benefits offered by ECC.
- ECC keys are smaller, meaning better performance with less overhead
- ECC scales better, RSA gets cumbersome as keys grow bigger
- ECC is less vulnerable to Quantum Computing, which is kind of a big deal
So, let's give a cursory explanation of how ECC works and then we'll get into the benefits that should have you opting for ECC over RSA almost any time you get an SSL/TLS certificate issued.
Elliptic Curve Cryptography 101
A long time ago, Vincent Lynch – who has now moved on to DigiCert – wrote an excellent summary of ECC that was designed to teach you everything you need to know in just five minutes. If you can spare the time, I highly recommend it. But here's the abridged version:
Elliptic Curve Cryptography, as the name so aptly connotes, is an approach to encryption that makes use of the mathematics behind elliptic curves. I mentioned earlier that this can all feel a little bit abstract; this is the portion I was referring to.
Let's start with what an X-axis is. And before you laugh, this is actually pretty critical to understanding ECC. Every point of the elliptic curve that's being mapped is reflected across the X-axis – the horizontal line on the graph – which is what gives an elliptic curve its symmetry.
![An elliptic curve, symmetric across the X-axis](https://i0.wp.com/www.thesslstore.com/blog/wp-content/uploads/2019/02/elliptic-curve-crypt-image00.png)
Ok, now let’s talk about dotting. Let’s take that beautiful elliptic curve from above and let’s draw on it a little bit to illustrate what I’m talking about. Two values are chosen, known only by the owner of the private key. Those points, A and B, are plotted on the elliptic curve.
![Points A and B plotted on the elliptic curve](https://i0.wp.com/www.thesslstore.com/blog/wp-content/uploads/2019/02/ECC-1.jpg)
Now let's draw a line through points A and B. That line is going to intersect the elliptic curve in a third location. That's the point we care about. It's reflected across the X-axis and becomes the next point in the sequence. So here, you can see we plot points A and B, find where the line intersects the curve a third time, and plot the inverse on the other side of the X-axis as C.
![The line through A and B meets the curve a third time; its reflection is C](https://i0.wp.com/www.thesslstore.com/blog/wp-content/uploads/2019/02/ECC-2.jpg)
Now do it again, only this time draw a line between point A and point C, find the third point of intersection on the elliptic curve and plot its inverse on the other side of the X-axis.
![Repeating the construction with A and C](https://i0.wp.com/www.thesslstore.com/blog/wp-content/uploads/2019/02/ECC-3.jpg)
This is called dotting. And the number of dots, that is, how many times the operation is repeated, is known only to the private key holder, making it impossible for anyone else to decrypt without that knowledge.
Obviously, this is a public key cryptosystem, used for symmetric key exchange, similar to RSA. But rather than using prime factorization for key generation it uses elliptic curves. Both accomplish the same thing, but ECC has some decided advantages.
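The construction just described (draw the line through two points, take the third intersection, reflect it across the X-axis) is elliptic-curve point addition, and repeating it from a fixed base point is scalar multiplication: in deployed ECC the private key is the scalar k and the public key is the point k*G, where G is the curve's published base point. The Python below is an added example and not part of the article: it implements the construction over a prime field, replays the A, B, C, ... sequence on a small curve (y² = x³ + 2x + 3 mod 97, with points A = (3, 6) and B = (0, 10), all constructed for illustration) and then checks the same arithmetic against the real secp256k1 parameters.

```python
# Added example (not from the original article): the chord-and-tangent
# "dotting" of the text as elliptic-curve point addition over a prime field,
# plus double-and-add scalar multiplication (the private-key operation).

INFINITY = None  # point at infinity: the group identity ("no third point")

# Small curve y^2 = x^3 + 2x + 3 over F_97, constructed for illustration.
TOY_A, TOY_B, TOY_P = 2, 3, 97

# Real secp256k1 parameters (y^2 = x^3 + 7 over F_p), the curve used by
# Bitcoin and offered by TLS stacks for ECDHE.
SECP256K1_P = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEFFFFFC2F
SECP256K1_A, SECP256K1_B = 0, 7
SECP256K1_G = (
    0x79BE667EF9DCBBAC55A06295CE870B07029BFCDB2DCE28D959F2815B16F81798,
    0x483ADA7726A3C4655DA4FBFC0E1108A8FD17B448A68554199C47D08FFB10D4B8,
)
SECP256K1_N = 0xFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFFEBAAEDCE6AF48A03BBFD25E8CD0364141


def on_curve(pt, a, b, p):
    """True if pt lies on y^2 = x^3 + a*x + b (mod p)."""
    if pt is INFINITY:
        return True
    x, y = pt
    return (y * y - (x * x * x + a * x + b)) % p == 0


def point_neg(pt, p):
    """Reflect across the X-axis: (x, y) -> (x, -y). This is the article's
    'plot the inverse on the other side of the X-axis' step."""
    if pt is INFINITY:
        return INFINITY
    x, y = pt
    return (x, (-y) % p)


def point_add(P, Q, a, p):
    """Draw the line through P and Q (the tangent when P == Q), take the
    third intersection with the curve and reflect it: the A, B -> C step."""
    if P is INFINITY:
        return Q
    if Q is INFINITY:
        return P
    x1, y1 = P
    x2, y2 = Q
    if x1 == x2 and (y1 + y2) % p == 0:
        return INFINITY  # vertical line: P == -Q, no third intersection
    if P == Q:
        slope = (3 * x1 * x1 + a) * pow(2 * y1, -1, p) % p  # tangent
    else:
        slope = (y2 - y1) * pow(x2 - x1, -1, p) % p  # chord through P and Q
    x3 = (slope * slope - x1 - x2) % p
    y3 = (slope * (x1 - x3) - y1) % p  # the reflection is built into this line
    return (x3, y3)


def scalar_mult(k, P, a, p):
    """Double-and-add: k*P in O(log k) additions. With P = G this derives a
    public key from a private scalar k; recovering k from k*G is the
    elliptic-curve discrete logarithm problem that gives ECC its strength."""
    result, addend = INFINITY, P
    while k > 0:
        if k & 1:
            result = point_add(result, addend, a, p)
        addend = point_add(addend, addend, a, p)
        k >>= 1
    return result


def dotting_sequence(A, B, steps, a, p):
    """The article's repeated construction: C = A + B, then A + C, and so on."""
    seq, current = [], B
    for _ in range(steps):
        current = point_add(A, current, a, p)
        seq.append(current)
    return seq


if __name__ == "__main__":
    A, B = (3, 6), (0, 10)  # constructed points on the toy curve
    for i, pt in enumerate(dotting_sequence(A, B, 4, TOY_A, TOY_P), 1):
        print(f"step {i}: {pt}  on curve: {on_curve(pt, TOY_A, TOY_B, TOY_P)}")
    # A = (3, 6) has order 5 on this curve, so 5*A is the point at infinity.
    print("5*A =", scalar_mult(5, A, TOY_A, TOY_P))
    # The secp256k1 base point has order n, so n*G must be infinity as well.
    print("n*G on secp256k1 =", scalar_mult(SECP256K1_N, SECP256K1_G, SECP256K1_A, SECP256K1_P))
    priv = 0x1E240  # constructed toy private scalar; real keys are 256 random bits
    print("public point for toy scalar:", scalar_mult(priv, SECP256K1_G, SECP256K1_A, SECP256K1_P))
```

Run it directly to print the dotting sequence and the public point for a toy scalar; the secp256k1 check (n*G landing on the point at infinity) is what confirms the arithmetic is right. This is textbook, variable-time arithmetic written to make the geometry concrete; TLS stacks use constant-time implementations of the same operations.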
ECC Keys are Smaller
RSA keys are unwieldy. The industry standard is 2,048 bits, though some organizations go with bigger keys. That has one major disadvantage: the size of the keys and the computational resources required for RSA encryption can cause your website's performance to lag. We'll get into that a little bit more when we discuss RSA's scaling issues, but the bigger problem for RSA is that the key size isn't commensurate with its security. As the keys grow larger the strength of the security doesn't improve at the same pace.
And despite being considerably smaller, ECC keys are much harder to crack. For instance, per a Universal Security study, the amount of energy exerted for a computer to crack a 228-bit RSA key would be about enough to boil a teaspoon of water. An ECC key of the same size, 228-bit, would require more energy than it would take to boil all of the water on Earth.
That’s substantial.
Here’s a rundown of ECC key sizes and what their RSA equivalent would be:
| ECC Key Size | RSA Key Size |
|--------------|--------------|
| 160-bit | 1024-bit |
| 224-bit | 2048-bit |
| 256-bit | 3072-bit |
| 384-bit | 7680-bit |
| 521-bit | 15360-bit |
For a little bit of context, the US National Security Agency (NSA) requires all Top Secret files and documents to be encrypted with 384-bit ECC keys. That would be a 7,680-bit RSA key, which would be absolutely unwieldy.
That leads us perfectly into our next point.
ECC scales better than RSA
As we just mentioned, RSA is more expensive than ECC in terms of the resources required. Factorization requires quite a bit of computation. And as the threats to modern encryption grow, it’s only going to get more expensive as those RSA keys continue to get bigger and bigger.
That will ultimately be what buries RSA.
But in the meantime, there's a more imminent problem, especially for larger corporations and enterprises. When you get big enough, the cost of all those SSL/TLS handshakes and all of that decryption can become a major burden on your network. This is why a lot of enterprises practice SSL offloading as part of their overall SSL/TLS implementation. By offloading those processes to dedicated devices, they free up resources on their application servers and improve the overall performance of their websites.
Now let’s apply what we know about ECC vs. RSA: that RSA keys scale poorly compared to their ECC counterparts. As threats grow and keys need to be bigger, that’s more and more of a strain on your network. ECC, on the other hand, scales well and requires less resources in the first place.
For smaller companies this might be less of a concern, but as you grow it does become more of a consideration. One that ECC helps to mitigate.
ECC is more quantum-resistant
Before we get started and someone comes screaming in the comments section, ECC in its most common iteration is not quantum-resistant. It can be beaten with a modified variant of Shor’s algorithm. But there is a form of Elliptic Curve-based cryptography that has shown promise: supersingular elliptic curve isogeny cryptography.
We’re not going to get into supersingular elliptic curve and isogeny graphs because quantum computing isn’t viable yet and I am not a math major. But SIDH, as it’s been dubbed, has two big advantages over its competitors: smaller key sizes and perfect forward secrecy.
A quick word about perfect forward secrecy. This is a practice that’s popular with privacy advocates where even if a private key is cracked the session keys it generated won’t be compromised. It’s technically possible with RSA, but it requires short-lived keys, which means regular key rotation and, as we covered, generating new RSA keys is expensive. ECC lends itself to this model given the smaller key sizes and the ease with which they can be rotated.
This could have been its own section, but we’re going to cover PFS a little more in-depth later this Spring so we’ll get into it more then.
Source: https://www.thesslstore.com/blog/you-should-be-using-ecc-for-your-ssl-tls-certificates/
Windows Static Route Recovery
By Travis
If you have messed up the routing table on a remote Windows Server, this network adapter recovery method may help you or inspire an even better one. Since my particular issue happened over 5 years ago I'm honestly having a hard time remembering the exact scenario, but obviously there was a communication problem due to accidental static route deletion. The remote computer still needs to have layer 3 connectivity with your own client machine, which might entail putting yourself in the same broadcast domain if that is doable.
```text
psexec.exe \\ServerName -s powershell Enable-PSRemoting -Force
Invoke-Command -ComputerName ServerName -ScriptBlock {route add -p 0.0.0.0 mask 255.255.255.0 <Gateway here>}

c:\>netsh int ipv4 show address "Ethernet"

Configuration for interface "Ethernet"
    DHCP enabled:                         No
    IP Address:                           10.0.1.90
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.92
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.91
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.0.1.1
    Gateway Metric:                       256
    InterfaceMetric:                      10

c:\>netsh interface ipv4 add address "Ethernet" 10.0.1.93 255.255.255.0

c:\>netsh int ipv4 show address "Ethernet"

Configuration for interface "Ethernet"
    DHCP enabled:                         No
    IP Address:                           10.0.1.90
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.92
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.93
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.91
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.0.1.1
    Gateway Metric:                       256
    InterfaceMetric:                      10

c:\>netsh interface ipv4 add address "Ethernet" 10.0.1.200 255.255.255.0

c:\>netsh int ipv4 show address "Ethernet"

Configuration for interface "Ethernet"
    DHCP enabled:                         No
    IP Address:                           10.0.1.90
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.92
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.93
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.200
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    IP Address:                           10.0.1.91
    Subnet Prefix:                        10.0.1.0/24 (mask 255.255.255.0)
    Default Gateway:                      10.0.1.1
    Gateway Metric:                       256
    InterfaceMetric:                      10

c:\>netsh interface ipv4 delete address "Ethernet" 10.0.1.93
```
This is what I wrote at the top of my text file, so it must have been an improvised fix that actually worked for my scenario:
when-you-f*cked-your-ip.txt
```text
# very first line of this recovery method is a last ditch effort and if it fails nothing else will work.
# if this works then it was thought of by travis, if not then I found it somewhere else.
psexec.exe \\SERVERNAME -s powershell Enable-PSRemoting -Force
# use ps-remoting to add a static route to one of the network adapters specified as the last argument
Invoke-Command -ComputerName SERVERNAME -ScriptBlock {route add -p 0.0.0.0 mask 255.255.255.0 10.0.0.1}
```
Best Free Public Usenet News Server for NZBGet
By Travis
If you are looking for the best free public usenet news server in active operation then you are in luck. Recently I have been delving into the wonderful world of Usenet, and with that comes NZBGet and the like. You will need to register an account, but once you do it really is 100% free without the normal monthly billing. You do not need to enter a credit card.
The best free Usenet news service that I could find is called XS Usenet. Once you've signed up, the news server hostname you will put into your client is free.xsusenet.com, and the username they provide you with is a 12-digit integer such as 471970276921. The password is also provided to you at the same time and is a 10-digit alphanumeric password. The server does not require the "Join Group" command, nor does it require TLS/SSL; you can leave the Cipher field blank and use the default TCP port of 119 or choose one of the supported ports: 23, 80, 81, 119, 443, 8080, 2323, 8181. Bear in mind that with TLS/SSL left off, the username and password are sent in the clear on every connection.
While downloading I'm averaging 350 KB/s (I know it's not a lot, but what do you expect for free), and there is a 25 GB per month cap you need to be aware of as well. This is still the best free Usenet service you're going to get, so you might as well take it. Use the available bandwidth wisely, only for things you actually need, and use the BitTorrent network for the rest. If you'd like to grab my list of currently active public torrent sites then click here.
After testing the connection you should see:
Usenet (/ˈjuːznɛt/) is a worldwide distributed discussion system available on computers. It was developed from the general-purpose Unix-to-Unix Copy (UUCP) dial-up network architecture. Tom Truscott and Jim Ellis conceived the idea in 1979, and it was established in 1980.[1] Users read and post messages (called articles or posts, and collectively termed news) to one or more categories, known as newsgroups. Usenet resembles a bulletin board system (BBS) in many respects and is the precursor to Internet forums that are widely used today. Discussions are threaded, as with web forums and BBSs, though posts are stored on the server sequentially. The name comes from the term "users network".[2][3]
A major difference between a BBS or web forum and Usenet is the absence of a central server and dedicated administrator. Usenet is distributed among a large, constantly changing conglomeration of servers that store and forward messages to one another via "newsfeeds". Individual users may read messages from and post messages to a local server, which may be operated by anyone.
Usenet is culturally and historically significant in the networked world, having given rise to, or popularized, many widely recognized concepts and terms such as "FAQ", "flame", sockpuppet, and "spam".[4] In the 1990s, before access to the Internet became commonly affordable, Usenet connections via Fidonet's dial-up BBS networks made long-distance or worldwide discussions and other communication widespread, not needing a server, just (local) telephone service.[5]
UUCP/Usenet Logical Map — June 1, 1981 / mods by S. McGeady November 19, 1981 (ucbvax) [ASCII-art map of UUCP hosts, not reproduced here. Legend: + = Uucp, = "Bus", o jumps, : Berknet, @ Arpanet]
UUCP/Usenet Logical Map, original by Steven McGeady. Copyright © 1981, 1996 Bruce Jones, Henry Spencer, David Wiseman. Copied with permission from The Usenet Oldnews Archive: Compilation.[38]
Source [1]: https://en.wikipedia.org/wiki/Usenet
Bittorrent IP Blocklists
By Travis
What is a Torrent IP Blocklist?
A torrent IP blocklist is simply a giant database of IP addresses that you tell your torrent client (uTorrent, Vuze, ...) not to connect to. There are many different blocklists, and IPs tend to get included in a blocklist for a variety of reasons:
- Non-Residential IP address
- Schools/Universities
- Known torrent monitoring companies
- ‘Suspicious’ activity from an IP address
The idea behind torrent blocklists is if you can create a list of all the ‘BAD’ IP addresses, then you can only connect to ‘safe’ peers.
Any connection from a ‘blocked’ peer will be refused, and they won’t be able to connect to you to download/seed torrent files.
Visit the BitTorrent page for a centralized listing of various torrent links and downloads that I’ve cherry picked.
How to Reset Secure Channel On Active Directory Domain Controller
By Travis
When you’re a little too careless about virtualizing your domain controllers, cloning, migrating, backing up and restoring, returning from vacation and deciding that having a single box holding all the FSMO roles is dangerous to the network, you will inevitably find yourself in the same situation I’ve found myself in.
A tell-tale sign that you need to manually reset the KDC secure channel on your problematic domain controller is the following set of symptoms:
- Any mechanism that relies on Kerberos authentication tickets will fail
- Practically all subsystem services and listening endpoints will cease to function (non-KDC-related services like DNS and DHCP aren't affected)
- Active Directory replication will fail on the affected DC (you can view this with repadmin /replsummary and repadmin /showrepl)
- nltest /sc_query:domain.local and nltest /sc_verify:domain.local write "access denied" to standard error
- Being fired for incompetence
Strangely enough, Microsoft tells you exactly what the issue is. However, even though this is strictly Kerberos and security related, the event source "Security-Kerberos" ID 4 only shows up in the System event log for some reason. Who was the genius behind that logic?
How to Reset Secure Channel On Active Directory Domain Controller
- Open an administrative command prompt directly on the affected controller
- Run the following commands in the same sequence:

```text
NET STOP KDC
KLIST PURGE
NETDOM RESETPWD /Server:<YourGoodDomainController> /UserD:<domain\username> /PasswordD:<YourPassword>
NET START KDC
```

- Once again we have backwards Microsoft logic, so pay attention to input your known good and functional DC after the /Server: parameter
- Remember to run these commands on the broken domain controller; I don't care if you use a PS-Session/CIM/WinRM or RDP direct to a cmd
Before:
```text
C:\>repadmin /replsummary
Replication Summary Start Time: 2019-04-21 06:46:35

Beginning data collection for replication summary, this may take awhile:
  .....

Source DSA          largest delta    fails/total %%   error
 WIN2016CORE-1      19d.14h:05m:37s    5 /   5  100  (2148074274) The target principal name is incorrect.

Destination DSA     largest delta    fails/total %%   error
 WIN2016CORE-2      19d.14h:05m:39s    5 /   5  100  (2148074274) The target principal name is incorrect.

Experienced the following operational errors trying to retrieve replication information:
        8341 - win2016core-1.ad.blog.travisflix.com

C:\>repadmin /showrepl
Repadmin: running command /showrepl against full DC localhost
Site1\WIN2016CORE-1
DSA Options: IS_GC
Site Options: IS_GROUP_CACHING_ENABLED
DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
DSA invocationID: 00cd928c-063f-439d-a13a-9183ac18e684

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1422 consecutive failure(s).
        Last success @ 2019-04-03 01:11:03.

CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result -2146893022 (0x80090322):
            The target principal name is incorrect.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\WIN2016CORE-2 via RPC
        DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.

Source: Site1\WIN2016CORE-2
******* 1422 CONSECUTIVE FAILURES since 2019-04-03 01:11:03
Last error: -2146893022 (0x80090322):
            The target principal name is incorrect.

C:\>nltest /sc_query:ad.blog.travisflix.com
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED

C:\>nltest /sc_verify:ad.blog.travisflix.com
I_NetLogonControl failed: Status = 5 0x5 ERROR_ACCESS_DENIED
```
After:
NET stop kdc && klist purge && netdom resetpwd /Server:win2016core-1 /UserD:SYSINFO\visualblind /passwordD: && net start kdcThe Kerberos Key Distribution Center service was stopped successfully.Current LogonId is 0:0x298f46b Deleting all tickets: Ticket(s) purged!The machine account password for the local machine has been successfully reset.The command completed successfully.The Kerberos Key Distribution Center service is starting.The Kerberos Key Distribution Center service was started successfully.C:\>repadmin /replsummaryReplication Summary Start Time: 2019-04-21 08:27:02Beginning data collection for replication summary, this may take awhile: .....Source DSA largest delta fails/total %% error WIN2016CORE-1 04m:10s 0 / 5 0 WIN2016CORE-2 10m:55s 0 / 5 0Destination DSA largest delta fails/total %% error WIN2016CORE-1 10m:55s 0 / 5 0 WIN2016CORE-2 04m:10s 0 / 5 0C:\>repadmin /showreplRepadmin: running command /showrepl against full DC localhostSite1\WIN2016CORE-2DSA Options: IS_GCSite Options: IS_GROUP_CACHING_ENABLEDDSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431DSA invocationID: 51035491-a911-4e10-8704-5c4f69d4a54c==== INBOUND NEIGHBORS ======================================DC=ad,DC=sysinfo,DC=io Site1\WIN2016CORE-1 via RPC DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a Last attempt @ 2019-04-21 08:26:47 was successful.CN=Configuration,DC=ad,DC=sysinfo,DC=io Site1\WIN2016CORE-1 via RPC DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a Last attempt @ 2019-04-21 08:22:52 was successful.CN=Schema,CN=Configuration,DC=ad,DC=sysinfo,DC=io Site1\WIN2016CORE-1 via RPC DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a Last attempt @ 2019-04-21 08:22:52 was successful.DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io Site1\WIN2016CORE-1 via RPC DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a Last attempt @ 2019-04-21 08:22:52 was successful.DC=ForestDnsZones,DC=ad,DC=sysinfo,DC=io Site1\WIN2016CORE-1 via RPC DSA object GUID: 
3232aee1-2114-4233-94af-7ff6df73622a Last attempt @ 2019-04-21 08:22:52 was successful.
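The failures above sat unnoticed long enough to reach 1400+ consecutive failures. The following Python is an added example (not part of the original post) that parses the INBOUND NEIGHBORS section of `repadmin /showrepl` output and lists every source DC / partition pair whose last replication attempt failed, worst first, so a broken secure channel or unreachable partner shows up in monitoring well before that. The sample text is constructed from the shape of the output above; the DC names, GUIDs and result code are reused from it purely as sample values.

```python
"""Health check over `repadmin /showrepl` output (added example, not the
post's own code).  Feed it the saved output of `repadmin /showrepl` and it
returns the inbound neighbors that are failing to replicate."""
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed sample: one healthy partition and one that has been failing.
SAMPLE_SHOWREPL = """\
Repadmin: running command /showrepl against full DC localhost
Site1\\WIN2016CORE-2
DSA Options: IS_GC
DSA object GUID: ed395e8a-a14e-4b16-9fa2-23f950720431

==== INBOUND NEIGHBORS ======================================

DC=ad,DC=sysinfo,DC=io
    Site1\\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 08:26:47 was successful.

DC=DomainDnsZones,DC=ad,DC=sysinfo,DC=io
    Site1\\WIN2016CORE-1 via RPC
        DSA object GUID: 3232aee1-2114-4233-94af-7ff6df73622a
        Last attempt @ 2019-04-21 04:46:06 failed, result 1256 (0x4e8):
            The remote system is not available. For information about network troubleshooting, see Windows Help.
        1423 consecutive failure(s).
        Last success @ 2019-04-03 01:09:26.
"""


@dataclass
class Neighbor:
    partition: str                       # naming context being replicated
    source: str                          # Site\DC the changes come from
    transport: str                       # RPC, SMTP, ...
    guid: Optional[str] = None           # source DSA object GUID
    ok: bool = True                      # last attempt succeeded?
    result: Optional[int] = None         # Win32 result code of the failure
    consecutive_failures: int = 0
    last_success: Optional[str] = None


# Partition lines start in column 0; neighbor lines are indented.
PARTITION_RE = re.compile(r"^(?:DC|CN)=")
SOURCE_RE = re.compile(r"^\s+(\S+)\s+via\s+(\S+)\s*$")
GUID_RE = re.compile(r"DSA object GUID:\s*([0-9a-f-]{36})", re.I)
ATTEMPT_RE = re.compile(r"Last attempt @ \S+ \S+ (was successful|failed, result (\d+) \()")
FAILS_RE = re.compile(r"(\d+) consecutive failure\(s\)")
SUCCESS_RE = re.compile(r"Last success @ (\d{4}-\d\d-\d\d \d\d:\d\d:\d\d)")


def parse_showrepl(text: str) -> List[Neighbor]:
    """Walk the output line by line, tracking the current partition and the
    neighbor block currently being filled in."""
    neighbors: List[Neighbor] = []
    partition: Optional[str] = None
    current: Optional[Neighbor] = None
    in_inbound = False
    for line in text.splitlines():
        if line.startswith("==== INBOUND NEIGHBORS"):
            in_inbound = True
            continue
        if line.startswith("===="):          # OUTBOUND NEIGHBORS, KCC errors, ...
            in_inbound = False
            current = None
            continue
        if not in_inbound:
            continue
        if PARTITION_RE.match(line):
            partition = line.strip()
            continue
        m = SOURCE_RE.match(line)
        if m and partition:
            current = Neighbor(partition, m.group(1), m.group(2))
            neighbors.append(current)
            continue
        if current is None:
            continue
        if (m := GUID_RE.search(line)):
            current.guid = m.group(1)
        elif (m := ATTEMPT_RE.search(line)):
            if m.group(2):                   # "failed, result N (0x..):"
                current.ok = False
                current.result = int(m.group(2))
        elif (m := FAILS_RE.search(line)):
            current.consecutive_failures = int(m.group(1))
        elif (m := SUCCESS_RE.search(line)):
            current.last_success = m.group(1)
    return neighbors


def failing(neighbors: List[Neighbor]) -> List[Neighbor]:
    """Failed neighbors, most consecutive failures first."""
    return sorted((n for n in neighbors if not n.ok),
                  key=lambda n: n.consecutive_failures, reverse=True)


def report(text: str) -> List[str]:
    """One line per failing neighbor, ready for an alert or a log."""
    return [f"{n.source} -> {n.partition}: result {n.result}, "
            f"{n.consecutive_failures} consecutive failure(s), "
            f"last success {n.last_success or 'never'}"
            for n in failing(parse_showrepl(text))]


if __name__ == "__main__":
    for line in report(SAMPLE_SHOWREPL):
        print(line)
```

Run it against `repadmin /showrepl > showrepl.txt` from each DC on a schedule and alert on any non-empty report; a threshold on `consecutive_failures` (say, anything above the number of replication intervals you are willing to miss) keeps a single transient RPC timeout from paging anyone.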
References:
https://glennopedia.com/2016/02/25/how-to-reset-secure-channel-on-a-domain-controller/
Force Delete Windows Server DHCP Failover Relationship
By Travis Leave a Comment
If you’ve found yourself here, then chances are you messed up one of your domain controllers, or at least one of your DHCP servers. I admit I did. More than once. And I’m tired of searching for the elusive Remove-DhcpServerv4Failover PowerShell command to force delete the Windows Server DHCP failover relationship. Content makes its way onto this site for one of two reasons: repetition, or one-time specialized content that is not found on the internet (or at least is difficult to find).
- Pick the server you want to keep. Look at your DHCP leases and determine which server has the most complete set.
- Stop the partner DHCP server so that only one server is responding to DHCP requests.
- Try to move clients from the partner DHCP server back to the server you want to keep. Renew leases to prevent potential conflicts.
- Force the removal of the DHCP failover relationship. Because there is no communication, the partner server won’t receive the latest changes and the scope won’t be removed from it. Execute the following command to remove the relationship:
# Command syntax:
Remove-DhcpServerv4Failover -ComputerName <ServerName> -Name <DHCPFailoverRelationshipName> -Force

# Example:
Remove-DhcpServerv4Failover -ComputerName Win2016core-1 -Name "win2016core-1.ad.blog.travisflix.com-win2016core-2.ad.blog.travisflix.com" -Force
- You will get a warning that says:
Failed to delete the failover relationship <Name of the relationship> on the partner server <Name of partner server>.
- As I mentioned, this is the expected behavior, since you cannot communicate with the partner server.
- Manually delete the scope from the partner server to ensure no conflicts arise if it accidentally becomes active.
And that should do the trick. If you wanted, you could re-form the relationship (in case the issue was a problem with the server names), or you could form a new relationship with a new server. Either way, make sure you don’t have two DHCP servers assigned to the same IP scope that are not in a failover relationship.
If you do have network communication with the partner in the relationship, you can use the GUI instead:
De-configure DHCP Failover Using Server Manager
Step 1. Open the DHCP console. From the Server Manager dashboard, click Tools -> DHCP.
Step 2. In the DHCP console, expand the IPv4 node. Right-click the scope you want to de-configure failover for and then click Deconfigure Failover.
Step 3. Ignore the warning and click OK.
Step 4. Click OK.
Step 5. Click Close when you are done. The scope will no longer be visible on the partner server.
Determine Your Upstream DNS Resolver
By Travis Leave a Comment
The following Bash one-liners will output your upstream DNS resolver. You will need the whois package installed for this to work. Akamai is deprecating whoami.akamai.net and succeeding it with whoami.ds.akahelp.net, so if you have a choice of what to rely on in the future, I’d go with the latter.
whois $(dig whoami.akamai.net +short) | grep -i 'organization:'

DNS=$(dig whoami.ds.akahelp.net +short TXT | awk '{print $2}'); whois $(sed -e 's/^"//' -e 's/"$//' <<<"$DNS") | grep -i 'netname:'

DNS=$(dig whoami.ds.akahelp.net +short TXT | awk '{print $2}'); whois $( echo $DNS|tr -d '"' ) | grep -i 'netname:'
My results:
sysinfoio:~$ DNS=$(dig whoami.ds.akahelp.net +short TXT | awk '{print $2}');whois $(sed -e 's/^"//' -e 's/"$//' <<<"$DNS") | grep -i 'netname'
netname:        CLOUDFLARE_2400_CB00_0000_36
sysinfoio:~$ DNS=$(dig whoami.ds.akahelp.net +short TXT | awk '{print $2}');whois $( echo $DNS|tr -d '"' ) | grep -i 'netname:'
netname:        CLOUDFLARE_2400_CB00_0000_36
sysinfoio:~$ whois $(dig whoami.akamai.net +short) | grep -i 'organization:'
Organization:   Cloudflare, Inc. (CLOUD14)
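The one-liners above splice whatever the DNS answer contains straight into a shell command line via `$(...)`. The following Python is an added example (not the post's own code, and in Python rather than Bash) that does the same lookup but validates that the answer is a literal IP address before handing it to `whois`, and that also copes with the TXT answer containing more than one record. It assumes `dig` and `whois` are on PATH and that whoami.ds.akahelp.net answers with TXT records of the form `"ns" "<address>"`, which is the shape the post's `awk '{print $2}'` relies on; the sample answers and whois text used for the offline checks are constructed.

```python
"""Find the resolver your queries reach the internet from, then look up who
owns it (added example, not the post's own code)."""
import ipaddress
import subprocess
from typing import Dict, List, Optional
import re


def validate_address(candidate: str) -> Optional[str]:
    """Return the address in normalised form, or None if it is not a literal
    IPv4/IPv6 address.  Only validated values ever reach a subprocess, so a
    malformed or hostile DNS answer cannot be interpreted as shell syntax."""
    try:
        return str(ipaddress.ip_address(candidate.strip()))
    except ValueError:
        return None


def resolver_from_txt(dig_short_output: str) -> Optional[str]:
    """Pick the resolver out of `dig +short TXT` output such as
    "ns" "203.0.113.5".  Other records (e.g. an "ecs" line) are skipped."""
    for line in dig_short_output.splitlines():
        fields = re.findall(r'"([^"]*)"', line)    # the quoted strings
        if len(fields) >= 2 and fields[0].lower() == "ns":
            return validate_address(fields[1])
    return None


def resolver_from_a(dig_short_output: str) -> Optional[str]:
    """whoami.akamai.net answers with a plain A record: one address per line."""
    for line in dig_short_output.splitlines():
        addr = validate_address(line)
        if addr:
            return addr
    return None


# Keys that identify the owner in the various RIRs' whois formats.
WHOIS_KEYS = ("netname", "organization", "orgname", "org-name", "descr")


def owner_from_whois(whois_text: str) -> Dict[str, str]:
    """First value seen for each interesting whois key."""
    found: Dict[str, str] = {}
    for line in whois_text.splitlines():
        key, sep, value = line.partition(":")
        key = key.strip().lower()
        if sep and key in WHOIS_KEYS and key not in found:
            found[key] = value.strip()
    return found


def _run(argv: List[str]) -> str:
    # Argument list, no shell: nothing in argv is parsed for shell syntax.
    return subprocess.run(argv, capture_output=True, text=True, check=True).stdout


def upstream_resolver() -> Dict[str, str]:
    """Query the newer name first and fall back to the deprecated one."""
    addr = resolver_from_txt(_run(["dig", "whoami.ds.akahelp.net", "+short", "TXT"]))
    if addr is None:
        addr = resolver_from_a(_run(["dig", "whoami.akamai.net", "+short"]))
    if addr is None:
        raise RuntimeError("no resolver address found in the DNS answers")
    return {"resolver": addr, **owner_from_whois(_run(["whois", addr]))}


if __name__ == "__main__":
    for key, value in upstream_resolver().items():
        print(f"{key}: {value}")
```

The owner lookup returns the first `netname`, `organization`, `orgname`, `org-name` or `descr` line it sees, which covers the RIPE-style `netname:` and ARIN-style `Organization:` output shown in the results above.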