Saturday, July 18, 2015

Microsoft SCCM 2012 R2 - Dual SUPs, Same Site

Had to cobble together some information to get this working. As usual, I try to center my posts around information that I had to spend some time researching...to hopefully save someone else the trouble.

I wanted to setup two SCCM 2012 R2 SUPs within the same Site. One is for Intranet clients, the other for Internet clients (IBCM). To mitigate the "change WSUS server sync penalty" Microsoft recommends setting the two SUPs up with the same SQL and same content directory per this article. Well, they don't truly explain how to do that clearly, especially on Windows Server 2012 R2. Here are the collection of technet articles I pooled together to get this right:

TechNet Blog - Describes this exact thing! (without much detail!)
Configure WSUS for NLB - Ignore the NLB parts, no need for NLB with SCCM, gives some better detail on several of the steps

Here is a quick and dirty step outline on how I got this working:

1) Create a domain service account for IIS to reach the contentdir network share - ill use wsususer for the remainder of this blog entry.

2) Create a folder for the WSUS content and share it (you can do DFS if you want, I just did standard share) Any server can host it, I chose my "first" WSUS server. This may not be precise, but it worked for me...set the permissions as follows:
  • NETWORK SERVICE - Full Control
  • wsususer - Read
  • WSUSCOMPUTERACCOUNT-1 - Full Control
  • WSUSCOMPUTERACCOUNT-2 - Full Control
3) Server #1 - Install WSUS on the first server: (powershell makes it easy)
Install-WindowsFeature -Name UpdateServices-Services,UpdateServices-DB -IncludeManagementTools
 4) Server #1 - Run postinstall on the first server, specifying the remote SQL DB but leaving content directory at default (we'll move it after the install, an important point)

.\wsusutil.exe postinstall SQL_INSTANCE_NAME="DBSERVER\INSTANCE"
5) Server #1 - Run the wsustuil movecontent to the newly created share. Its located in C:\Program Files\Update Services\Tools
  .\wsusutil.exe movecontent \\networkshare.fq.dn\sharename C:\movecontent.log

6) Server #1 - Open IIS and navigate to the WSUS Administration Site and the Content Directory. Edit the "basic settings" to point to the network share (if not already done) and edit the "connect as" account to the wsususer account. Run a test to make sure permissions are correct.

7) Server #1 is now "done". I recommend restarting WSUS services and watch the event log for any automatic health alarms that pop up.

8) Repeat steps 3-4 on server #2. The WSUSutil on Windows 2012 R2 will auto detect the exsting database and use it. It appears older versions of WSUS needed an extra flag set (see TechNet article I linked above)

9) On Server #2, we will not run the movecontent utility, we will simply edit the ContenDir registry key to tell WSUS to store updates on the network share. This key is located here:
HKLM\SOFTWARE\Microsoft\Update Services\Server\Setup
10) On Server #2, repeat steps 6-7

11) Install SUP role on server #1, watch the WCM.log for any errors in configuring it. If all good, install SUP role on server #2. Now SYNC!!!



Wednesday, March 11, 2015

AIA-Enabled Certificate Chains

UPDATE: Cisco has written a very similar, more spelled out version of this blog entry, check it out!
http://blogs.cisco.com/security/where-is-my-intermediate-tls-certificate

Have you ever wondered why your nice publicly-signed certificate displays just fine on your workstation but your mobile device shows a certificate error?

First, in review, all of your browsers trust an authority such as Verisign, so they have the Verisign Root in their trusted store. In the case of www.cisco.com's certificate, its authority chain looks like so:



In order to fully trust the www.cisco.com certificate, your browser must not only trust its built-in root (Baltimore CyberTrust Root), but the Intermediate certificate in-between. Your server should be configured to send all certificates in the chain to every HTTPS client.

If not presented by the server, most desktop browsers use AIA to dynamically download the Intermediate certificate, using the www.cisco.com certificate's AIA field seen here:




If AIA works, no certificate error appears, because your desktop browser was able to complete the chain dynamically.

Mobile browsers, however, do not use the AIA extension. This is due to bandwidth/overhead of querying other websites to find the upstream Intermediate CAs. Desktops can handle this query process seamlessly, mobile browsers simply do not.

My recommendation is to send the full chain to everyone. This ensures no errors for mobile devices, and theoretically quicker load times because this AIA parsing does not need to be processed by any browsers. Inserting the Intermediate certificate in your webserver's CA configuration is the way to include this. Review your apache/IIS/other documentation on how to do this.

You can test your certificate chain with OpenSSL using the following command:
openssl s_client -showcerts -connect host.domain.tld:443

Everything is 100% right if you see the following at the bottom:
Verify return code: 0 (ok)

Friday, August 10, 2012

Cisco WLC and OpenSSL Madness

I was trying to convert a PFX file to be used for webauth on a Cisco WLC running the latest 7.x code. I've done this several times before in past lives and expected no resistance, but I could not get the WLC to accept the PEM certificate converted by OpenSSL 1.0 from a CentOS 6.3 server.

The WLC kept reporting a "private key decode failed".

However, one stroke of luck I found this post: https://supportforums.cisco.com/thread/340194

The forum member recommended using OpenSSL for windows at a version <1.0. One attempt and it went beautifully, the WLC accepted the certificate!

Does anyone have any ideas? Hopefully this helps someone else.

Thursday, August 2, 2012

IPv6 Application Support in a state of Flux

Lots of people go on and on about IPv6. Some heralding its arrival (see World IPv6 Launch Day) and some gnashing their teeth (every server admin out there who loves doing everything by address). I'm not going to get into that. Its coming, and it will be a great thing once it gets here, but he growing pains are going to hurt.

I'm going to talk through two recent headaches caused by having IPv6 enabled.

First, Windows Server 2008 R2. IPv6 is enabled by default, and when recently building a new domain controller, having IPv6 on (and more importantly, what it does by default) gave me a world of hurt.

By default, the IPv6 stack is preferred over IPv4. This means that for any outbound connection, if the system thinks it can use IPv6, it will (try to) do so. Additionally, by default, the IPv6 stack uses the ::1 IPv6 loopback address as its default nameserver on my Windows 2008 R2 server. (I can't find any documentation as to why or if this is normal)

Microsoft themselves say never to configure a DC running the DNS role to use itself as the first/primary DNS server, it can lead to a race condition of sorts.

So the combination of these two default behaviors gave me a killer headache when adding the AD DS and DNS roles to a 2008 R2 server. The AD DS was unable to replicate the AD databases, including the DNS zones, due to failed DNS lookups against an empty server. I was only able to find this by nslookup defaulting to ::1 as the nameserver to search against when I was troubleshooting.

Secondly, like Windows 2008 and Windows 7, Java 7 also prefers IPv6 over IPv4. However, poor little Java has no indication service to know if the IPv6 stack is functioning properly or not. (Windows 7/2008, outside of Java, does this quite well, Java should pay attention to how MS tracks it). So if you are having issues (like me) running Java Applications or launching Web Starts, this blog points out the ever-so-graceful solution in Windows. You can also try adding these to the startup arguements to the java command line calling your jnlp or jar files, but I don't recommend it for Java Web Start applications, they are usually meant to be launched on-demand from a browser.

-J-Djava.net.preferIPv4Stack=true

PS, if you are running AnyConnect like the blogger was, you must sign out of your current session and reconnect before the change is picked up.

Thursday, February 9, 2012

IGMP Snooping-Enabled NLB on Cisco IOS

Microsoft NLB. What can I say...its free, and its Microsoft, you're not getting a premo solution. In a virtual environment, where a NLB member can move from physical server to physical server, some real fun begins. Many HOWTOs, including Cisco's own, will have you placing static CAM entries everywhere. BLEH! I hope to show you how to avoid that.

The MS rundown of NLB as a whole:
http://technet.microsoft.com/en-us/library/bb742455.aspx

Cisco's HOWTO (needs work as you'll see below):
http://www.cisco.com/en/US/products/hw/switches/ps708/products_configuration_example09186a0080a07203.shtml

There's a problem with this HOWTO from Cisco, its a bit messy. I want to give some credit first, I gathered some of this data from this forum post, I wouldn't have pieced it together otherwise.

Lets begin.

Microsoft NLB, when running in IGMP-enabled multicast mode(at least in 2008 R2), uses a IANA multicast MAC address, not a non-IANA one. This is an important point that I think has been overlooked by Cisco in their guide...because with this, you don't need the static CAM entry, you just need IGMP Snooping.

IGMP snooping won't work without IGMP joins being seen from the servers (virtual or otherwise). So you need a IGMP router on that VLAN/segment to advertise its presence so the Windows servers respond, and the snooping is performed. To do that, you need to either A) Enable PIM (and therefore IGMP) on the interface or B) Simply enable the interface to be a "IGMP Querier". I'll leave it up to the reader to find their own platform's Multicast configuration guide to find the commands, but I will warn you of two things:

1) Make sure multicast-routing is turned on(in the VRF your interface is on if you're doing VRFs)
2) You will not see any "joined groups" in your show ip igmp command output

Finally, Cisco's note about process switching. Bug CSCsw87563 addresses it for the 6500 platform, not sure about the others. In my environment, I've added zero CAM entries because the bug is "fixed" for my platform, if you're in the same boat, good for you. If not...you really should, process switching is terrible. Even if you are affected by this, you only need to put the static cam on the switch with the SVI. All downstream switches will snoop and L2 switch with ease.

>>>>>A quick bug toolkit search revealed nothing on the popular 3560/3750 and 4500 lines. I am very interested if anyone can find more info this process switch thing on other platforms....even NX-OS!

Finally, all my work has been around avoiding the use of tying a static CAM entry to a physical interface everywhere (to avoid switch flooding). You still need a single static ARP entry.

Monday, April 19, 2010

Disable NETBIOS with dhcpd

This was a difficult item to find...thanks to the dd-wrt wiki for the proper vendor string!!

NETBIOS is ancient...disabling NETBIOS altogether on networks(provided you are sure you want to do this) can be a good thing for both your network and your windows workstations.

For those of you using the default node-type, you will basically eliminate all netbios broadcasts on your network,and your workstations will ONLY use DNS for resolution, instead of DNS then WINS then NBT broadcasts.

Disadvantage is that you can no longer use tools like nbtstat to query machines on your network for their hostname (shouldn't you be using DDNS?) and connectivity using some 'short names' may be lost...but you should be using FQDNs whenever/wherever possible.

DHCP Option 43, value is "01:04:00:00:00:02"

The line in your ISC dhcpd config should be:

option vendor-encapsulated-options 01:04:00:00:00:02;

Tuesday, April 13, 2010

Infoblox API Scripting

Infoblox makes a pretty sweet little appliance, providing DNS(ISC BIND), DHCP(ISC DHCPD), TFTP/HTTP File distribution for your enterprise. More or less its a Linux appliance with a decent GUI on top of it for the aforementioned features.

One of my favorite features about it is its API, and I wanted to share some of my experience with it. Its entirely Perl based, and getting it setup was painful with me with CPAN, but their binary package on my CentOS box worked a treat. While (in my opinion) the API's documentation isn't the best, it has some very vague descriptions of many of the functions, and the examples they give aren't much for mass-modification purposes, but for creating new networks/ranges.

I'm not going to do a starter guide, you'll have to read their docs for that....I'll just provide some of my coding to supplement their existing documentation.

First of all, check out "ibcli", I used it as MY supplement to figure out the right data structure/method to use when writing this script.

The purpose of my script was to help facilitate moving from a single Infoblox HA pair to a failover set of geographically separated "Grid Member" HA pairs for even more DHCP fault-tolerance for our WAN users in case of a large network outage.

When moving to this setup, you must reconfigure every network and every DHCP range to "point" to the "failover set" consisting of a pairing between the two failover Infoblox Grid Members.
Since we have several hundred, DHCP Networks, my script was designed to dump to STDOUT all Networks and Ranges on the appliance before the change, then change all Networks/Ranges (save a few special setups I exempted) to point to the failover set, and then dump the "post operation" configuration to STDOUT for verification.

Please keep in mind that this script could definitely use a lot more catch statements for error handling, but I kept this pretty lean just to do this one job for me.

Without further adieu, see attached. Rename it from the .txt extension to .pl.

IBConvert Script