Author Archives: arne

Exchange, Smarthosts, Basic Auth and TLS

Exchange server has the capability to use TLS to encrypt email in transit to another mail server.

When validating the other side's certificate it checks that the chain builds to a root certificate it trusts, and it fetches the CRL (Certificate Revocation List) from the CDP (CRL Distribution Point) named in the certificate to make sure the certificate has not been revoked.

Therefore, if you want to use a certificate from a private CA, as well as importing the private root certificate into the Trusted Root Certification Authorities store on both sides, you also need to publish a CRL at a CDP that the other side can actually reach. An HTTP CDP is the safe choice: an LDAP CDP only resolves inside the issuing forest, and a CRL that cannot be fetched leaves the revocation status unknown, which fails validation just as a revoked certificate would. The CRL also has a validity period, so it has to be republished before it expires.
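The check I run before blaming Exchange, as an added example (not code from the original post): build the chain for the remote server's certificate exactly the way a relying party would, with online revocation checking, and report which link fails. It assumes the remote certificate has been saved to a file; the path is a placeholder.

```powershell
# Added example, not from the original post. Builds the chain for a saved certificate
# with online CRL checking and prints the status of every element, so an unreachable
# CDP (RevocationStatusUnknown / OfflineRevocation) is distinguishable from an
# untrusted root (UntrustedRoot) or a real revocation (Revoked).
function Test-SmtpCertChain {
    param(
        [Parameter(Mandatory)][string]$CertPath   # DER or Base64 .cer of the remote server's certificate (placeholder)
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CertPath

    # Where the CRL is expected to be published: CRL Distribution Points extension (OID 2.5.29.31)
    $cdp = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.31' }
    if ($cdp) { 'CDP: ' + $cdp.Format($true) } else { 'No CDP extension: revocation cannot be checked at all' }

    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    # Online = actually fetch the CRL from the CDP rather than rely on a cached copy
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::Online
    # Check every certificate in the chain, not just the end entity
    $chain.ChainPolicy.RevocationFlag = [System.Security.Cryptography.X509Certificates.X509RevocationFlag]::EntireChain
    # NoFlag = fail closed: nothing is ignored, so an unreachable CDP counts as a failure
    $chain.ChainPolicy.VerificationFlags = [System.Security.Cryptography.X509Certificates.X509VerificationFlags]::NoFlag

    $ok = $chain.Build($cert)
    foreach ($element in $chain.ChainElements) {
        $status = if ($element.ChainElementStatus.Count -eq 0) { 'OK' }
                  else { ($element.ChainElementStatus | ForEach-Object { $_.Status }) -join ',' }
        '{0,-60} {1}' -f $element.Certificate.Subject, $status
    }
    return $ok
}

Test-SmtpCertChain -CertPath 'C:\temp\remote-smtp.cer'   # placeholder path
```

Run it on the Exchange server itself, not on a workstation: the question is whether that box can reach the other side's CDP. certutil -verify -urlfetch <file.cer> gives the same answer in more detail if you prefer the built-in tool.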

When you want a better filter for Windows event logs

The built-in filtering in Windows Event Viewer is fine when you want to find a specific event ID, but if you want to find when a specific service started or stopped it is not up to the job, because the service name only appears in the event data. Luckily there is the capability to use XML filters, which I use in a custom view (on the XML tab of the filter dialog, tick "Edit query manually" and paste the query). Service start/stop transitions are event 7036 from the Service Control Manager, with param1 holding the service display name and param2 the new state:

<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]
      and *[EventData[Data[@Name='param1'] and (Data='Hyper-V Time Synchronization Service')]]
    </Select>
  </Query>
</QueryList>
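The same filter driven from PowerShell, as an added example that is not part of the original post: it runs the XML query with Get-WinEvent and turns the matching 7036 events into a start/stop timeline for one service. The service name defaults to the one used above; the only assumption is that the query runs on a host whose System log has such events.

```powershell
# Added example, not from the original post. Runs the XML filter from the post via
# Get-WinEvent and extracts param1/param2 (service name, new state) from each event.
function Get-ServiceStateChange {
    param(
        [string]$ServiceName = 'Hyper-V Time Synchronization Service',
        [int]$MaxEvents = 50
    )
    # Event 7036 from the Service Control Manager: param1 = display name, param2 = new state.
    # The name is embedded in XPath with single quotes, so a name containing an apostrophe
    # would need escaping; none of the built-in service names do.
    $xml = @"
<QueryList>
  <Query Id="0" Path="System">
    <Select Path="System">
      *[System[Provider[@Name='Service Control Manager'] and (EventID=7036)]]
      and *[EventData[Data[@Name='param1'] and (Data='$ServiceName')]]
    </Select>
  </Query>
</QueryList>
"@
    Get-WinEvent -FilterXml $xml -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # The named EventData values are not exposed as properties, so read the event XML
            $e = [xml]$_.ToXml()
            $data = @{}
            foreach ($d in $e.Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Service = $data['param1']
                State   = $data['param2']   # 'running', 'stopped', ...
            }
        }
}

Get-ServiceStateChange | Sort-Object Time | Format-Table -AutoSize
```

Dropping the EventData clause and keeping only the 7036 filter gives every service transition on the box, which is a cheap way to spot services being stopped (AV, logging, backup) that you did not stop yourself.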

Deleting Shadow Copies

If you need to delete shadow copies, you can delete them in Explorer (Previous Versions), or use vssadmin, or use wmic.

To delete using vssadmin

vssadmin Delete Shadows /For=C: /Oldest
vssadmin Delete Shadows /For=C: /All

for a full list of options

vssadmin Delete Shadows /?

To delete using wmic

wmic shadowcopy delete

Both commands are also what ransomware typically runs before encrypting files (vssadmin delete shadows /all /quiet is the classic), so EDR and SIEM rules commonly alert on them. If you run them on a monitored host, expect to explain the alert.
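A more selective version, as an added example that is not from the original post: it deletes only the shadow copies of one volume that are older than a cut-off, using the same WMI class that wmic shadowcopy operates on, and supports -WhatIf so you can see what would go before anything is removed. The drive letter and age are parameters; no other assumptions.

```powershell
# Added example, not from the original post. Deletes shadow copies of one volume that are
# older than N days via Win32_ShadowCopy (what wmic/vssadmin use underneath), dry-run first.
function Remove-OldShadowCopy {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [string]$DriveLetter = 'C:',
        [int]$OlderThanDays = 7
    )
    # Win32_ShadowCopy refers to volumes by \\?\Volume{GUID}\ path, not drive letter, so resolve it first
    $volume = Get-CimInstance Win32_Volume | Where-Object { $_.DriveLetter -eq $DriveLetter }
    if (-not $volume) { throw "No volume with drive letter $DriveLetter" }
    $cutoff = (Get-Date).AddDays(-$OlderThanDays)

    $copies = Get-CimInstance Win32_ShadowCopy | Where-Object { $_.VolumeName -eq $volume.DeviceID }
    foreach ($copy in ($copies | Sort-Object InstallDate)) {
        if ($copy.InstallDate -lt $cutoff) {
            # ShouldProcess honours -WhatIf / -Confirm; Remove-CimInstance calls the class's DeleteInstance
            if ($PSCmdlet.ShouldProcess("$($copy.ID) created $($copy.InstallDate)", 'Delete shadow copy')) {
                Remove-CimInstance -InputObject $copy
            }
        } else {
            Write-Verbose "Keeping $($copy.ID) created $($copy.InstallDate)"
        }
    }
}

# Dry run first, then drop -WhatIf to do it for real
Remove-OldShadowCopy -DriveLetter 'C:' -OlderThanDays 7 -WhatIf -Verbose
```

Run it elevated; the CIM calls need administrator rights. Deleting by age rather than /All keeps the recent restore points, which is usually what you want when the goal is just to free space.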

Boot 2012r2 from USB

Windows Server 2012r2 introduced tiered storage spaces. Storage Spaces works best when you have shelves of JBOD HDDs and SSDs, but there are also benefits for smaller deployments on servers with six or more disk slots. The catch is that Windows cannot boot from a storage space, so you would normally have to give up at least one disk slot to a boot disk. There is a way round this: since Windows Server 2008r2, Windows has been able to boot and run (as opposed to boot and install) from a UFD (USB Flash Drive). That allows, for example, a six-slot server to have two SSDs and four HDDs in a two-way mirrored tiered storage space, ideal for a lab Hyper-V server.

There are some downsides. A UFD in a USB2 port is not as fast as an SSD on a SAS/SATA port, though for this use case a longer boot time may not matter. A single UFD has no redundancy, although it also has no moving parts, and if it is generously sized its wear levelling should give a reasonable lifespan. Microsoft suggested a 16GB UFD for 2008r2; I would suggest 64GB.

Following on from the Microsoft information, I used a Kingston DataTraveler Ultimate 64 GB UFD.

The Microsoft instructions for 2008r2 use a .vhd file, but it is possible to use a .vhdx with only a few small changes.

Install the Windows 8.1 ADK on a suitable computer. As I don’t use Windows 8 or 8.1, I used a 2012r2 server.

Either mount a 2012r2 ISO, or extract the install.wim; I have presumed that an ISO has been mounted as E:

From an elevated command prompt, start diskpart and prepare the UFD (this wipes it; check the disk number from list disk carefully)

diskpart
list disk
select disk <USB disk number>
clean
create partition primary
active
format quick fs=ntfs
assign letter=v

The letter isn’t important, just something that doesn’t conflict with existing drive letters

I am quite happy with multiple command windows open and switching between them, so open another elevated command prompt, create the working folder, and start diskpart again to create and mount the .vhdx.

mkdir c:\HYPERV2012r2
diskpart
create vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx maximum=20480 type=fixed
select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
attach vdisk
create partition primary
format quick fs=ntfs label=HYPERV2012r2
assign letter=r

Again, the letter isn’t important, just something that doesn’t conflict.

To "build" the OS in the mounted .vhdx, open an elevated Deployment and Imaging Tools Environment prompt. This opens in C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\

cd amd64\DISM
dism.exe /apply-image /Imagefile:E:\sources\install.wim /Index:1 /ApplyDir:R:\

Index 1 of the 2012r2 install.wim is the Standard core image; dism.exe /get-wiminfo /wimfile:E:\sources\install.wim lists the others if you want a different edition.

When booting and running from USB with a core install, a page file should not be required, and to maximise the life of the UFD you should not put one on it. The following disables the page file by editing the SYSTEM hive of the applied image offline.

reg load HKLM\HyperVTemp r:\windows\system32\config\system
reg add "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v PagingFiles /t REG_MULTI_SZ /d "" /f
reg delete "HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management" /v ExistingPageFiles /f
reg unload HKLM\HyperVTemp

Now return to the diskpart window, and unmount the .vhdx

select vdisk file=c:\HYPERV2012r2\HYPERV2012r2.vhdx
detach vdisk

and copy the .vhdx to the UFD

copy c:\HYPERV2012r2\HYPERV2012r2.vhdx v:\

Now mount the .vhdx from the UFD (back in the diskpart window), and check with list volume that the partition inside it is still R: (assign the letter again if it is not)

select vdisk file=v:\HYPERV2012r2.vhdx
attach vdisk
list volume

Create a boot sector.

cd ..\BCDBoot
bootsect /nt60 v: /force /mbr

And create a BCD

bcdboot r:\windows /s v:

When bcdboot has finished, you should be able to eject the UFD and boot from it. The first boot is like the end of a normal install: you are asked to set the Administrator password. Note that this is a BIOS/MBR boot setup (bootsect /mbr, NTFS partition); a UEFI-only server would need a FAT32 boot partition and bcdboot with /f UEFI instead.
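The whole build scripted in PowerShell, as an added example that is not from the original post (it is my rewrite of the steps above with the Storage, Hyper-V and DISM cmdlets rather than interactive diskpart). It assumes a 2012r2 host with the Hyper-V role (for New-VHD/Mount-VHD) and the 8.1 ADK installed in the default location (for bootsect.exe and Expand-WindowsImage), an ISO mounted as E:, and that you pass the correct disk number for the UFD. It wipes that disk.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post: scripted version of the UFD build.
# Assumes Hyper-V role + Windows 8.1 ADK on the build host and the 2012r2 ISO mounted as E:.
param(
    [Parameter(Mandatory)][int]$UsbDisk,               # disk number of the UFD from Get-Disk
    [string]$Wim       = 'E:\sources\install.wim',
    [int]$WimIndex     = 1,                             # 1 = Standard core in the 2012r2 wim
    [string]$WorkDir   = 'C:\HYPERV2012r2',
    [int]$VhdSizeGB    = 20
)
$ErrorActionPreference = 'Stop'
$vhdName = 'HYPERV2012r2.vhdx'
# bootsect.exe lives in the ADK, not System32; bcdboot.exe is in both
$env:Path += ';C:\Program Files (x86)\Windows Kits\8.1\Assessment and Deployment Kit\Deployment Tools\amd64\BCDBoot'

# 1. Wipe the UFD and give it one active NTFS partition (BIOS/MBR boot, as in the post)
$usb = Get-Disk -Number $UsbDisk
if ($usb.BusType -ne 'USB') { throw "Disk $UsbDisk is not on the USB bus, refusing to wipe it" }
if ($usb.PartitionStyle -ne 'RAW') { Clear-Disk -Number $UsbDisk -RemoveData -Confirm:$false }
Initialize-Disk -Number $UsbDisk -PartitionStyle MBR
$usbVol = New-Partition -DiskNumber $UsbDisk -UseMaximumSize -IsActive -AssignDriveLetter |
          Format-Volume -FileSystem NTFS -NewFileSystemLabel 'BOOTUFD' -Confirm:$false
$v = "$($usbVol.DriveLetter):"

# 2. Fixed-size VHDX with one NTFS partition, then apply the image into it
New-Item -ItemType Directory -Path $WorkDir -Force | Out-Null
$vhd = Join-Path $WorkDir $vhdName
New-VHD -Path $vhd -SizeBytes ($VhdSizeGB * 1GB) -Fixed | Out-Null
$vdisk = Mount-VHD -Path $vhd -Passthru | Get-Disk
Initialize-Disk -Number $vdisk.Number -PartitionStyle MBR
$vhdVol = New-Partition -DiskNumber $vdisk.Number -UseMaximumSize -AssignDriveLetter |
          Format-Volume -FileSystem NTFS -NewFileSystemLabel 'HYPERV2012r2' -Confirm:$false
$r = "$($vhdVol.DriveLetter):"
Expand-WindowsImage -ImagePath $Wim -Index $WimIndex -ApplyPath "$r\" | Out-Null

# 3. No page file on the UFD: same offline-hive edit as the post
reg.exe load HKLM\HyperVTemp "$r\Windows\System32\config\SYSTEM" | Out-Null
$mm = 'HKLM\HyperVTemp\ControlSet001\Control\Session Manager\Memory Management'
reg.exe add "$mm" /v PagingFiles /t REG_MULTI_SZ /d "" /f | Out-Null
reg.exe delete "$mm" /v ExistingPageFiles /f | Out-Null
reg.exe unload HKLM\HyperVTemp | Out-Null
Dismount-VHD -Path $vhd

# 4. Copy the VHDX to the UFD, mount it from there, write boot code and the BCD
Copy-Item $vhd "$v\$vhdName"
$onUsb = Mount-VHD -Path "$v\$vhdName" -Passthru | Get-Disk
$part = Get-Partition -DiskNumber $onUsb.Number | Where-Object Type -eq 'IFS' | Select-Object -First 1
if (-not $part.DriveLetter) {
    $part | Add-PartitionAccessPath -AssignDriveLetter
    $part = Get-Partition -DiskNumber $onUsb.Number -PartitionNumber $part.PartitionNumber
}
$r = "$($part.DriveLetter):"
bootsect.exe /nt60 $v /force /mbr
bcdboot.exe "$r\Windows" /s $v /f BIOS
Dismount-VHD -Path "$v\$vhdName"
"Done: $v is bootable, VHDX is $v\$vhdName"
```

The BusType check is the one safety net worth keeping: Clear-Disk with -RemoveData against the wrong disk number is unrecoverable, and diskpart gives you exactly the same opportunity.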

Tomcat7 on Ubuntu 14.04 with Oracle Java running on port 80

Start with installing Oracle Java. (The WebUpd8 PPA used here was discontinued in 2019 after Oracle changed the JDK licence, so on a current system you would install an OpenJDK package instead and point JAVA_HOME at it; the rest of the procedure is unchanged.)

sudo add-apt-repository ppa:webupd8team/java
sudo apt-get update
sudo apt-get install oracle-java8-installer

Now install tomcat7

sudo apt-get install tomcat7

To listen on ports below 1024 without running Tomcat as root, authbind needs to be enabled

sudo nano /etc/default/tomcat7

change #AUTHBIND=no to AUTHBIND=yes, and in the same file add

JAVA_HOME=/usr/lib/jvm/java-8-oracle

Then allow the tomcat7 user to bind port 80. authbind checks that the per-port file is executable by the user doing the bind, hence the mode and owner:

sudo touch /etc/authbind/byport/80
sudo chmod 500 /etc/authbind/byport/80
sudo chown tomcat7 /etc/authbind/byport/80

Tomcat itself still listens on 8080 until you change the HTTP connector: in /etc/tomcat7/server.xml change port="8080" to port="80" on the existing Connector element.

You should now be able to restart tomcat7 and see it on port 80

sudo service tomcat7 restart
sudo netstat -ltnp | grep ':80 '

Managing time (NTP) on standalone Windows Servers, Domain Controllers, or desktops

On standalone Windows servers (servers that are not members of a domain) the time service is trigger-started and only checks the time against an NTP server at startup. If the server runs on hardware with a reliable clock this is usually not a problem, as clock drift on most modern hardware is minimal. If the hardware clock is not reliable, or the computer is a VM, it may take incorrect time from the VM host (if the host's clock is wrong), or it may simply drift more than expected. Domain members are a different case: they should keep syncing from the domain hierarchy (syncfromflags:domhier), and only the PDC emulator should be pointed at external NTP servers.

First of all I like to remove the start trigger so the time service runs all the time rather than only at startup

sc triggerinfo w32time delete

Start the time service (the service name is w32time)

net start w32time

Configure a suitable set of NTP servers, I use the pool project; the peer list is comma separated

w32tm /config /manualpeerlist:"<ntp server list>" /syncfromflags:manual /update

and force the time service to resync against the configured time servers

w32tm /resync

then confirm where it is syncing from and when it last succeeded

w32tm /query /status
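The configuration above plus the verification I would want afterwards, as an added example that is not from the original post: it applies the settings and then measures the offset against each peer, flagging anything beyond a threshold. The peer names are placeholders; substitute your own pool entries.

```powershell
# Added example, not from the original post. Applies the standalone-server NTP config
# from the post and then measures the clock offset against each configured peer.
function Set-StandaloneNtp {
    param([string[]]$Peers = @('<ntp server 1>', '<ntp server 2>'))   # placeholders
    # Remove the start trigger so w32time runs continuously, and make it auto-start
    sc.exe triggerinfo w32time delete | Out-Null
    sc.exe config w32time start= auto | Out-Null
    Start-Service w32time
    # 0x8 = client mode; the default symmetric-active mode is refused by some public servers
    $list = ($Peers | ForEach-Object { "$_,0x8" }) -join ' '
    w32tm.exe /config /manualpeerlist:"$list" /syncfromflags:manual /update | Out-Null
    w32tm.exe /resync /nowait | Out-Null
}

function Test-NtpOffset {
    param([string]$Peer, [int]$Samples = 3, [double]$MaxSkewSeconds = 1.0)
    # w32tm /stripchart prints one line per sample, e.g. "12:00:01, +00.0012345s"
    $lines = w32tm.exe /stripchart /computer:$Peer /samples:$Samples /dataonly
    $offsets = foreach ($l in $lines) {
        if ($l -match ',\s*([+-]\d+\.\d+)s') { [double]$Matches[1] }
    }
    if (-not $offsets) {
        return [pscustomobject]@{ Peer = $Peer; Reachable = $false; OffsetSeconds = $null; Ok = $false }
    }
    $avg = ($offsets | Measure-Object -Average).Average
    [pscustomobject]@{
        Peer          = $Peer
        Reachable     = $true
        OffsetSeconds = [math]::Round($avg, 4)
        # Kerberos tolerates 5 minutes of skew; alert long before that so logs still correlate
        Ok            = ([math]::Abs($avg) -lt $MaxSkewSeconds)
    }
}

$peers = @('<ntp server 1>', '<ntp server 2>')   # placeholders, same list as above
Set-StandaloneNtp -Peers $peers
w32tm.exe /query /source
$peers | ForEach-Object { Test-NtpOffset -Peer $_ } | Format-Table -AutoSize
```

Test-NtpOffset on its own is also a cheap health check to schedule: a peer that is unreachable from the server, or an offset that keeps growing, is the symptom the post describes and is much easier to catch here than in a Kerberos error.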

Using a PFX formatted certificate on Cisco IOS

Rather than converting from pfx to pem format, why not just use a pfx?

Because a pfx file is binary, copying and pasting it from a terminal is not possible; however, if you can get the file onto flash over FTP it becomes much simpler :-) Bear in mind that FTP carries the credentials, and the PFX with its private key, in the clear, so do the transfer on a management network (IOS can also copy over scp: if you have ip scp server enable).

The certificate has to have the full chain in it (identity certificate, private key and the CA certificates) and a passphrase.

conf t
ip ftp username <ftp username>
ip ftp password <ftp password>
end
copy ftp: flash:

enter server name
enter source file name
enter destination file name

Now create the trustpoint and import the pfx into it. The first argument of crypto pki import is the trustpoint name, and the passphrase follows the password keyword:

conf t
crypto pki trustpoint <trustpoint name>
 fqdn <f.q.d.n>
 subject-name cn=<f.q.d.n>
 revocation-check crl
 rsakeypair <trustpoint name>
 exit
crypto pki import <trustpoint name> pkcs12 flash:<certificate.pfx> password <passphrase>
no ip ftp password
end
wri mem

The no ip ftp password is there so the FTP credential does not get saved into the running config by the wri mem.

to show the certificate

show crypto pki trustpoints status
show crypto pki certificates
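Building the pfx the router needs, full chain plus passphrase, from a certificate in the Windows machine store, and checking the chain really is inside before sending it, as an added example that is not from the original post. It uses the PKI module cmdlets that ship with 2012r2; thumbprint, output path and passphrase are placeholders.

```powershell
# Added example, not from the original post. Exports an identity certificate with its
# private key and full chain into a PFX, then reads the file back to confirm the chain.
function Export-RouterPfx {
    param(
        [Parameter(Mandatory)][string]$Thumbprint,     # cert with private key in Cert:\LocalMachine\My (placeholder)
        [Parameter(Mandatory)][string]$OutFile,
        [Parameter(Mandatory)][securestring]$Password
    )
    $cert = Get-Item "Cert:\LocalMachine\My\$Thumbprint"
    if (-not $cert.HasPrivateKey) { throw 'Certificate has no private key; the router cannot use it as an identity' }

    # BuildChain puts the intermediate and root CA certificates into the PFX alongside the
    # identity cert, which is the "full chain" the IOS pkcs12 import expects
    Export-PfxCertificate -Cert $cert -FilePath $OutFile -Password $Password -ChainOption BuildChain | Out-Null

    # Verify the file before it goes anywhere: one end-entity cert plus at least one CA cert
    $pfx = Get-PfxData -FilePath $OutFile -Password $Password
    [pscustomobject]@{
        File       = $OutFile
        EndEntity  = ($pfx.EndEntityCertificates | ForEach-Object { $_.Subject }) -join '; '
        ChainCerts = @($pfx.OtherCertificates).Count
        ChainOk    = (@($pfx.OtherCertificates).Count -ge 1)
    }
}

$pw = Read-Host -AsSecureString 'PFX passphrase'
Export-RouterPfx -Thumbprint '<thumbprint>' -OutFile 'C:\temp\router.pfx' -Password $pw   # placeholders
```

If ChainOk comes back false the issuing CA certificates are not in the machine's Intermediate/Trusted Root stores, and the import on the router will fail the same way; fix the stores and export again rather than fighting it on the router.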

Allowing RDP on on Windows 2012r2 core

On Windows 2012r2 Server Core the firewall comes up with the Public profile applied after installation, so just enabling RDP in sconfig does not allow RDP access through it.

You can enable the RDP rule group in the firewall with the following (it is a netsh command, so it works from cmd as well as PowerShell)

netsh advfirewall firewall set rule group="remote desktop" new enable=yes

Alternatively, you can enable RDP itself from the command line with the following, then check the firewall rule is enabled as above

cscript C:\Windows\System32\SCRegEdit.wsf /AR 0

Leave Network Level Authentication required (SCRegEdit.wsf /CS 1, the default); /CS 0 allows clients to connect before authenticating, which is exactly what you do not want on a host exposed to the Public profile.
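The same thing done the way I would want it left on a core box, as an added example that is not from the original post: RDP enabled with NLA required, and the firewall rule group enabled but restricted to a management subnet rather than open on every profile. It uses the NetSecurity cmdlets that 2012r2 ships with; the subnet is a placeholder.

```powershell
# Added example, not from the original post. Enables RDP with NLA required and limits the
# "Remote Desktop" firewall rule group to a management subnet (least privilege for the listener).
function Enable-HardenedRdp {
    param([string[]]$ManagementSubnet = @('<management subnet in CIDR>'))   # placeholder
    $ts = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
    # fDenyTSConnections = 0 is what sconfig / SCRegEdit.wsf /AR 0 set
    Set-ItemProperty -Path $ts -Name fDenyTSConnections -Value 0 -Type DWord
    # UserAuthentication = 1 requires Network Level Authentication (SCRegEdit.wsf /CS 1)
    Set-ItemProperty -Path "$ts\WinStations\RDP-Tcp" -Name UserAuthentication -Value 1 -Type DWord

    # The "Remote Desktop" group holds the TCP and UDP inbound rules for all profiles;
    # enable them, then narrow the allowed source addresses instead of leaving them at Any
    Enable-NetFirewallRule -DisplayGroup 'Remote Desktop'
    Set-NetFirewallRule -DisplayGroup 'Remote Desktop' -RemoteAddress $ManagementSubnet

    # Show what is now in effect
    Get-NetFirewallRule -DisplayGroup 'Remote Desktop' |
        Select-Object DisplayName, Enabled, Profile,
            @{ n = 'RemoteAddress'; e = { ($_ | Get-NetFirewallAddressFilter).RemoteAddress } }
}

Enable-HardenedRdp -ManagementSubnet '10.0.0.0/24'   # example subnet, replace with yours
```

Set-NetFirewallRule -RemoteAddress replaces the rule's address filter rather than appending, so run it with the complete list of subnets you need.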

Disabling IPv6 on Windows 2012 core

one simple powershell command, followed by a reboot for it to take effect

Set-ItemProperty -Path HKLM:\SYSTEM\CurrentControlSet\services\TCPIP6\Parameters -Name DisabledComponents -Type DWord -Value 0xff

0xff disables all IPv6 components except the loopback interface; 0xffffffff also works but Microsoft documents a five second boot delay with it. Set-ItemProperty creates the value if it does not exist and updates it if it does, which is why it is used rather than New-ItemProperty. Bear in mind Microsoft's own guidance is to leave IPv6 enabled, as several Windows components are tested with it on.

Install tt-rss with nginx and Percona on Ubuntu 12.04

Starting with a base install of Ubuntu 12.04 with openssh installed

Install the Percona repo

import the Percona gpg key

sudo gpg --keyserver hkp:// --recv-keys 1C4CBDCDCD2EFD2A
sudo gpg -a --export CD2EFD2A | sudo apt-key add -

now edit /etc/apt/sources.list and add these lines

# for percona
deb precise main
deb-src precise main

now install percona

sudo apt-get update
sudo apt-get install percona-server-common-5.5 percona-server-server-5.5 libmysqlclient18 libmysqlclient16

Now install the rest of the pre-reqs

sudo apt-get install nginx php5-mysql php5-xmlrpc php5-curl php5-cli php5-fpm php5-gd php5-mcrypt php-apc git

Stop nginx

sudo service nginx stop

Create the directory for tt-rss

sudo mkdir -p /var/www/tt-rss

Create a suitable config for nginx in sites-available and link it to sites-enabled

server {
        listen [::]:80;
        server_name tt-rss;
        access_log  /var/log/nginx/tt-rss.access.log;
        error_log   /var/log/nginx/tt-rss.error.log;
        root        /var/www/tt-rss;
        index       index.php;
        client_max_body_size 20M;

        # While setting up I allow the local network and deny all others; this prevents
        # anyone else reaching the setup pages before the default password has been set
        allow <local network in CIDR>;
        deny  all;

        # Lock out folders that contain files that should not be world readable (not fully tested).
        # Regex locations are matched in order, so this must come before the static-file location.
        location ~* ^/(include|lock|utils|locale|classes)/ { deny all; }

        location / {
                try_files $uri $uri/ =404;
        }

        location ~ \.php$ {
                # Filter out arbitrary code execution: only hand real files to PHP, otherwise
                # with cgi.fix_pathinfo=1 a request for /upload.jpg/x.php would run the upload as PHP
                try_files $uri =404;
                fastcgi_index index.php;
                include fastcgi_params;
                fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
                # php5-fpm on 12.04 listens on 127.0.0.1:9000 by default; match the pool's listen setting
                fastcgi_pass 127.0.0.1:9000;
        }

        # Static files (.inc deliberately not in this list: those are PHP includes and must not be served)
        location ~* \.(?:ico|css|js|gif|txt|gz|xml|png|jpe?g)$ {
                expires max;
                access_log    off;
                log_not_found off;
        }
}

Now grab the source and change the ownership

sudo git clone /var/www/tt-rss
sudo chown -R www-data:www-data /var/www/tt-rss

Create the database and the user (scope the user to localhost, and use a real password rather than the placeholder)

mysql -u root -p
CREATE DATABASE `tt-rss` CHARACTER SET utf8;
GRANT ALL ON `tt-rss`.* TO 'ttrss-user'@'localhost' IDENTIFIED BY 'Password';
FLUSH PRIVILEGES;

Import the schema

mysql -u root -p tt-rss < /var/www/tt-rss/schema/ttrss_schema_mysql.sql

Now start nginx and browse to the URL to complete the configuration

Once the configuration has been completed, create an upstart job in /etc/init (for example /etc/init/tt-rss.conf; it does not need to be executable) that runs the feed updater as www-data rather than root

description "tt-rss feed update daemon"
start on (local-filesystems and net-device-up IFACE!=lo and started mysql)
stop on stopping mysql
respawn
respawn limit 2 1
setuid www-data
setgid www-data
chdir /var/www/tt-rss
exec /usr/bin/php /var/www/tt-rss/update_daemon2.php

then start it with sudo start tt-rss and check it with sudo status tt-rss.