Managing starleaf users via cloud api and powershell

As I didn’t find any examples online I thought I would share some code to manage users via the starleaf cloud API via powershell.

You can find the necessary information from Starleaf here: https://support.starleaf.com/integrating/cloud-api/using-the-starleaf-cloud-api/

You will need to create an access token, this is done on the portal with an admin user account. https://portal.starleaf.com/#page=integrations

After that you are all set and you can use the following code in your startup script for your employees. (If you want to fill in more details you can adjust the $body following these https://support.starleaf.com/integrating/cloud-api/request-objects/#user_set )

$token = "your-token-from-the-portal"
 $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
 $headers.Add("X-SL-AUTH-TOKEN", $token)
 $URI_getID = "https://api.starleaf.com/v1/users"

 $NewUser = Read-Host "New Username"
 $firstname = Read-Host "First Name"
 $lastname = Read-Host "Last Name"

 $emaildomain = "@yourdomain.tld"

#fill json body with variables from the first questions of the script 
 $body = @{
 firstname = $firstname
 lastname = $lastname
 email = "$NewUser$emaildomain"
 }

$json = Invoke-RestMethod -Method Post -Uri $URI_getID -Body (ConvertTo-Json $body) -Headers $headers -ContentType 'application/json'

$json

To delete users you can use the following script:

 $token = "your-token"
 $domain = "@yourdomain"
 $headers = New-Object "System.Collections.Generic.Dictionary[[String],[String]]"
 $headers.Add("X-SL-AUTH-TOKEN", $token)
 $URI_getID = "https://api.starleaf.com/v1/users"
 $URI_delID = "https://api.starleaf.com/v1/users/"
 $identity = Read-Host -Prompt "Type username of user you want to remove"

#first get the correct user_id based on email address
 $json = Invoke-RestMethod -Method Get -Uri $URI_getID -Headers $headers
 $userID = $json.users | Where email -eq "$identity$domain" | Select -expand user_id

#delete the user from the starleaf cloud
 Write-Host "Deleting user with ID: $UserID from starleaf cloud"
 Invoke-RestMethod -Method Delete -Uri $URI_delID$userID -Headers $headers
 Write-Host "Done"

Disable and enable PoE ports on a Cisco SG300-10MPP PoE+ Managed Switch via automated script.

Recently I was in the need to restart several access points powered via PoE+ on a regular and automated basis. There are some options, via snmp or ssh, I chose the latter because I couldn’t get the snmpset working.

Prerequisites:

• A Linux management server where you can install the automation  language “expect” on and create the cronjob that will execute your expect script.
• SSH enabled on the Cisco switch, preferably with public key authentication.
• Knowing on which ports the AP’s are patched.

Topology:

• Switch IP: 10.1.0.5

Install “expect” and create keypair on management server

• Apt-get install expect
  • this will install expect, you can type “which expect” to see the path, normally this will be /usr/bin/expect
• ssh-keygen
  • this will create your keypair, I do not use a passphrase, so leave it blank
  • Bij default your identification has been saved in /root/.ssh/id_rsa.pub.
• cat ~/.ssh/id_rsa.pub
  • this will display your public key that you can copy paste into a text file or paste buffer for later on the swicht config.

Enabling SSH on the switch

Login to the management interface, go “Security -> SSH server -> SSH user auth” and enable SSH auth via password and/or via public key. Also enable automatic login.

I prefer public key, so you wont have to leave a plain-text password in your script later on, but for testing and troubleshooting you can enable both.

Add a user and key under “SSH User authentication table”. In my case this is cisco and the public key you created earlier on the management server.

Enable the SSH service is under “Security -> TCP/UDP service”.

Save your config and head back to your linux server and test the SSH connection. From the management server you now should be able to execute the following command:

• ssh cisco@10.1.0.5

This would give you a prompt on the cisco switch without entering a password.

Create your script

In my case I just needed the disable and enable some PoE ports to force a reboot on certain PoE powered access points. But the possibilities are endless, you can also create a script to download/upload the configuration of the switch, set the hostname, etc… you get my drift.

Note: this is a quick and dirty script with no error handling but it worked for me. My access points are on port 3, 4 and 5, the sleep commands are to not overload the switch, but aren’t necessary.

• vim /root/scripts/reboot-ap.sh

#!/usr/bin/expect -f

# Set variables
set IPaddress “10.1.0.105”
set username “cisco”
# set password “noplaintextpwplz”
set Directory “/root/scripts”

# Log results
log_file -a $Directory/config-$IPaddress[exec date].log

# Announce device & time
send_log “### /START-SSH-SESSION/ IP: $IPaddress @ [exec date] ###\r”

# Don’t check keys and login with public key pair
spawn ssh -o StrictHostKeyChecking=no $username\@$IPaddress

#if you would really like to login via password and not via public key uncomment

#expect “*assword: ”
#send “$password\r”

# disable and enable PoE port on switch SG300
expect {
“*#” {
send “conf t\r”
expect “*config)#”
send “interface GigabitEthernet 3\r”
expect “*config)#”
send “power inline never\r”
expect “*config)#”
sleep 5
send “power inline auto\r”
expect “*config)#”
sleep 10
send “interface GigabitEthernet 4\r”
expect “*config)#”
send “power inline never\r”
expect “*config)#”
sleep 5
send “power inline auto\r”
expect “*config)#”
sleep 10
send “interface GigabitEthernet 5\r”
expect “*config)#”
send “power inline never\r”
expect “*config)#”
sleep 5
send “power inline auto\r”
expect “*config)#”
sleep 5
send “end\r”
expect “*#”
send “copy run start\r”
expect “*Overwrite*”
send “Y\r”
expect “*(please wait)…”
send “exit\r”
}
}

Schedule your script with cron

• crontab -e

10 06 * * * /usr/bin/expect /root/scripts/reboot-ap.sh

this will execute the script everyday ay 06:10 in the morning.

 

 

 

 

 

Windows 2012 R2 Hyper-V replication with two NIC’s and self signed SSL certificate

Sometimes you want to separate the replication traffic from your regular LAN NIC so it won’t eat that precious bandwidth.

So if you want to enable replication between two Windows 2012 R2 hyper-v host servers using a dedicated separate NIC and a self signed SSL certificate, read on!

The reason we are using SSL certificates is because kerberos (domain auth) would not work on our dedicated NIC because it is not present in our domain network (LAN).

In short, these are the steps necessary to accomplish this:

1. Configure your two NIC’s and connect them directly to each other with a crossed or straight UTP cable.
   1. If you are using this to replicate your servers over a WAN link or another site, it is the same principle but they need to be able to reach each-other.
2. Create self signed certificates on each host server
3. Import the self signed certificates from one host server into the other
4. Make modifications to your hosts file so the servername.fqdn are resolved to the IP’s you configure in step 1.
5. Enable replication in the Hyper-V server using a certificate instead of kerberos
6. Test

1): In this example I have two hyper-v servers, HV01.fqdn and HV02.fqdn, both domain joined. HV01 is using 172.16.0.1/24 as IP address and HV is using 172.16.0.2/24 for their dedicated replication NIC. Both are directly connected with a crossed cable.

2): To create the SSL cert you need to install the Windows Software Development Kit (SDK) for Windows 8, that includes the makecert.exe utilty. Install this on both hyper-v host servers.

You can download it here: https://msdn.microsoft.com/en-us/windows/desktop/hh852363.aspx  You only need the Windows Software Developtment Kit (about 80Mb):

On HV01 open an elevated command prompt and navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x64 and run the following commands:

• makecert -pe -n “CN=HV01RootCA” -ss root -sr LocalMachine -sky signature -r “HV01RootCA.cer”
• makecert -pe -n “CN=HV01.yourFQDN” -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in “HV01RootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV01-replication.cer
• both certificates will be in C:\Program Files (x86)\Windows Kits\8.0\bin\x64 and are also imported in the appropiate certifica stores on the local computer

On HV02 open an elevated command prompt and navigate to C:\Program Files (x86)\Windows Kits\8.0\bin\x64 and run the following commands:

• makecert -pe -n “CN=HV02RootCA” -ss root -sr LocalMachine -sky signature -r “HV02RootCA.cer”
• makecert -pe -n “CN=HV02.yourFQDN” -ss my -sr LocalMachine -sky exchange -eku 1.3.6.1.5.5.7.3.1,1.3.6.1.5.5.7.3.2 -in “HV01RootCA” -is root -ir LocalMachine -sp “Microsoft RSA SChannel Cryptographic Provider” -sy 12 HV02-replication.cer
• both certificates will be in C:\Program Files (x86)\Windows Kits\8.0\bin\x64 and are also imported in the appropiate certifica stores on the local computer

Copy HV01RootCA.cer into C:\Program Files (x86)\Windows Kits\8.0\bin\x64 on HV02 and HV02RootCA.cer into HV01.

3): Import of the certificates:

ON HV01, still in the same elevated prompt, issue the following command:

• certutil -addstore -f Root “HV02RootCA.cer”
• reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
  • if you get an error: invalid key name, just change it manually via regedit, the value should be 1
• reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

ON HV02, still in the same elevated prompt, issue the following command:

• certutil -addstore -f Root “HV01RootCA.cer”
  • reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\Replication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f
    • if you get an error: invalid key name, just change it manually via regedit, the value should be 1
  • reg add “HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Virtualization\FailoverReplication” /v DisableCertRevocationCheck /d 1 /t REG_DWORD /f

4): Modify your host files (c:\windows\system32\drivers\etc\hosts) on both servers:

On HV01 this should be:

172.16.0.2 HV02.yourfqdn
172.16.0.2 HV02

On HV02 this should be:

172.16.0.1 HV01.yourfqdn
172.16.0.1 HV01

5): Setup Hyper-v replication between the two servers:

Go to you Hyper-V setiings on HV01, under the replication configuration do the following config:

• Enable this computer as a replica server
  • use cert
  • click on select cert, and now you will be prompted with the following, click OK:
  • 

Do the same on HV02.

Now you can enable replication for a particular VM, right click VM -> replication -> follow the wizard and watch the traffic flow over your dedicated NIC instead of you LAN NIC.

PANIC Error While Reading File – 3, VPXA VGZ (esxi free 4.0.0)

After a power-loss in our DC, one esxi server was not able to boot anymore. I was greeted with the following error message:

PANIC Error While Reading File – 3, VPXA VGZ

After some googling I found that the solution was to repair the esxi install. The problem is that you will need the exact same version, or at least the same major version (4 or 5 or 6).

Since the release of version 5, the downloads for version 4.x are very hard or impossible to find. I did find this link:

https://my.vmware.com/group/vmware/details?dlg=hypervisor_41_installable_free&baseCode=ZCV0YmRoaHBiZHdldA#product_downloads

But the regular download link will bring you to the evaluation page of version 6.

Luckily you have a tab with “custom iso”, where you can download special iso’s from particular vendors. Since my server was a Fujitsu I could download that version (they still work).

https://my.vmware.com/group/vmware/details?dlg=hypervisor_41_installable_free&baseCode=ZCV0YmRoaHBiZHdldA#custom_iso

I burned this iso to a cd, booted from cd selected the “repair” option. My esxi was installed on a seperate USB stick, so the datastores were not touched.

Keep in mind that you will lose all of you configuration for the esxi host (IP, hostname, vswitch settings, license). It will however retain the vm settings (amount of ram, disk, cpu, etc..)

After 10 minutes the repair was successful, I configured it with the old IP and was able to connect to it with vpshere client.

I re-installed the license (i had a backup of the license code) and re-registered the vm’s into the esxi. (go to the datastore, right click the virtual server file and choose “add to inventory”).

After that I was able to start my vm’s and lived happily after all.

Note: after thinking about this, I guess you could also use a brand new usb stick and install the latest esxi (6) on it. According to this link the virtual machines versions from esxi 4 are supported on 6. http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=2007240

Find and replace attributes in Active Directory

Recently I had to modify the email addresses of 2350 contacts located in Active Directory that were accessible by an address list in exchange 2010.

After doing a quick google I only found the http://www.dovestones.com/active-directory-find-and-replace/ utility which was too expensive.

Therefor I created the following powershell script, please run it as administrator and Set-ExecutionPolicy Unrestricted in your powershell.

All credits go to http://henrysluiman.blogspot.be/2013/02/change-profilepath-in-active-directory.html for the initial script, but I had to modify it a little to fit my needs.

# Search and replace email address for contacts in Active Directory
# Change the old.tld and new.tld too your own domain names

$RootDN = [ADSI] ”

$Searcher = New-Object System.DirectoryServices.DirectorySearcher($RootDN)

$Sorter = New-Object System.DirectoryServices.SortOption
$Sorter.PropertyName = “sAMAccountName”

#allowing more than 1000 (default) records to be searched.
$Searcher.PageSize = 3000;

#if you change objectClass=contact to objectClass=user you can use this script for AD users.
$Searcher.Filter = “(&(objectCategory=person)(objectClass=contact))”
$Searcher.Sort = $Sorter

$Users = $Searcher.FindAll()

Write-Host “There are” $Users.Count “contacts in the Active Directory”

ForEach ($User in $Users) {

$UserDN = [ADSI]$User.Path
$ContactMail = $UserDN.mail.ToString()
#$ContactAccountName = $UserDN.sAMAccountName.ToString()

If ($ContactMail.ToLower().Contains(‘old.tld’.ToLower())) {

Write-Host “Found: “$UserDN.displayName”,”$ContactMail
Write-Host

$NewMailAddress = $UserDN.mail.ToString().ToLower()
$NewMailAddress = $NewMailAddress.Replace(“old.tld”, “new.tld”)

Write-Host “Changing “$ContactMail “to “$NewMailAddress

# NB: Only uncomment the lines below when you are absolutely
# sure you wish to run the script.
#$UserDN.Put(“mail”, “$NewMailAddress”)
#$UserDN.SetInfo()
Write-Host “Done.”
Write-Host

}
$Response = “”
}

 

Ofcourse you have to modify the contacts inside the exchange environment also.

changemail.ps1:

$contacts = Get-MailContact -resultsize unlimited | Where {$_.PrimarySmtpAddress –like “*@old-domain.tld”}

foreach($contact in $contacts){
$newmail = $contact.primarysmtpaddress.tostring()
$newmail = $newmail -replace “old-domain.tld”,”new-domain.tld”
Get-MailContact $contact | Set-MailContact -ForceUpgrade -primarysmtpaddress $newmail -externalemailaddress $newmail }

Synology and PRTG monitoring

We monitor our hardware with PRTG monitor from Paessler.

After an upgrade on our Synology to the latest DSM the free disk sensor via ssh was not working anymore.

The error was: “Error: Server does not support diffie-hellman-group1-sha1 for keyexchange”

To solve this i unchecked the “use only hardware accelerated ciphers” under control panel -> terminal -> ssh settings

and added the following to the /etc/ssh/sshd_config on the Synology NAS.

KexAlgorithms diffie-hellman-group1-sha1,curve25519-sha256@libssh.org,ecdh-sha2-nistp256,ecdh-sha2-nistp384,ecdh-sha2-nistp521,diffie-hellman-group-exchange-sha256,diffie-hellman-group14-sha1
Ciphers aes128-cbc,blowfish-cbc,3des-cbc,aes128-ctr,aes192-ctr,aes256-ctr,aes128-gcm@openssh.com,aes256-gcm@openssh.com,chacha20-poly1305@openssh.com

After restarting the ssh deamon (via enable / disable ssh access) our monitoring system was happy to read out the values by ssh.

Access to RAID manager on a Fujitsu server and Esxi 5.5 free

Situation:

Fujitsu server RX300 S7 with Esxi 5.5 free installed on a USB stick. Image comes from the vmware site and is not the customized version of Fujitsu. Now you face the problem that you cannot view or configure the RAID status on this host.

Beware that you will need to put your esxi host in maintenance mode later in this guide, this means that you need to power off your VM’s before going into maintenance mode.

Solution:

1. Install Fujitsu serverview raid manager on a server in your network. This can be a vm on the esxi host or any other server.
2. On this server, open a cmd and go to C:\Program Files\Fujitsu\ServerView Suite\RAID Manager\bin

   1. cd “C:\Program Files\Fujitsu\ServerView Suite\RAID Manager\bin”

3. Execute the following command to add the esxi host to the raid manager:

   1. amCLI -e 21/0 add_server name=ip_esxi port=5989 username=root password=your_root_password

      1. if you are having trouble with the command, dont copy paste it but type it word for word, i’ve had cases where it didn’t work when I copy pasted this command.

   2. amCLI -e 21/0 show_server_list

      1. will show you something like this:
         1. <ServerList>
            <Server Name=”192.168.254.105″ Port=”5989″ UserName=”root” HostType=”ESXi”/>
            </ServerList>
4. Restart the serverview raid manager service now.
5. Download the latest offline bundle from the fujitsu website, for example: http://support.ts.fujitsu.com/Download/ShowDescription.asp?SoftwareGUID=93B3C4AA-1E2B-4EFF-A4FF-9FD562246B29&Info=FTS&lng=COM
6. Transfer the content (VMware-ESXi-5.5.0.update02-2143827-Fujitsu-v320-1-offline_bundle.zip) of this zip file to your datastore
7. Enable SSH acces to your esxi server via the vsphere client
   1. 
8. It’s now time to put your esxi host in maintenance mode, so first shut down your VM’s and put your host in maintenance mode.
9. Login via ssh to your esxi  host server
10. Execute the following commands to install the CIM provider from Fujitsu and LSI (if you’re using another raid card select the proper CIM)

    1. esxcli software vib install -d /vmfs/volumes/TEST-DB/VMware-ESXi-5.5.0.updat e02-2143827-Fujitsu-v320-1-offline_bundle.zip -n lsiprovider

    2. esxcli software vib install -d /vmfs/volumes/TEST-DB/VMware-ESXi-5.5.0.updat e02-2143827-Fujitsu-v320-1-offline_bundle.zip -n FTS-Configuration-VIB

    3. esxcli software vib install -d /vmfs/volumes/TEST-DB/VMware-ESXi-5.5.0.updat e02-2143827-Fujitsu-v320-1-offline_bundle.zip -n svscimprovider

11. Reboot your esxi server
12. Exit maintenance mode and start your vm’s.
13. You are now able to see the health of the storage array in your vsphere client and your raidmanager
14. 
15. 

Discount for everything (webhosting, shutterstock, domainname, website themes)

This is no advertisement but just a tip. It seems logical but i didn’t think of it before.

Recently i had to build a corporate website with a fairly limited budget, and the things I needed were:

• Hosting-plan
• Domain-name
• Hi-res images with copyright
• A website-theme (i’m not a designer)

On http://www.retailmenot.com you can find a coupon for everything:

• coupon for servage.net (my preferred shared hosting provider)
• coupon for godaddy.com (domainname)
• coupon for shutterstock.com (because it was a corporate website i couldn’t just take images from the web)
• coupon for mojo-themes.com (it was a WordPress build)

This saved me like 100$ for the total picture, which is nice.

SystemState Recovery on Windows Server 2012 (DC) with exchange 2013 installed

I’m just writing this down for anyone that has the pleasure to administer a windows 2012 server which is also the only domain controller and has exchange 2013 installed on it.

I did a serious fuck-up by joining a member server to this domain with the same name as the primary domain controller. Don’t ask why.

This resulted in a massive crash of the exchange services and a domain that was not usable anymore. Apparently, when joining a second device to a windows domain with a duplicate name, the SID of the first joined device is replaced/overwritten by the second joined device. So if you do this with your primary domain controller, you can imagine the havoc it caused.

My only solution was a full system-state restore from backup on the same server. Luckily I had one, which was made by the builtin windows backup utility.

I’m documenting this because I could not find any guide or story that confirmed this was possible AND fixed the AD errors and did not wreck my exchange installation. As this was my last option I had no other choice then just do it.

1. reboot your server in drsm mode
   1.  prerequisite: you have to know your drms password! If you don’t know this you can reset it first following this guide: http://blogs.technet.com/b/meamcs/archive/2012/05/29/reset-the-dsrm-administrator-password.aspx 
   2. in an elevated prompt type: “shutdown -o -r”
   3. After the system has rebooted, it will display the following screen, instead of the normal boot screen:Choose Troubleshoot – Refresh or reset your PC, or use advanced tools.

      The Advanced options screen will appear:

      Choose Startup Settings – Change Windows startup behavior.

      The Startup Settings screen will appear:

      Click Restart.

      The server will restart a second time. This time it will display the Advanced Boot Optionsscreen:

      On this screen, select Directory Services Repair Mode.

   4. If the logon screen appears you have to login with the dsrm password you provided upon the dcpromo wizard when you initialy installed your server (so .\administrator and this pasword)
2. Start the Windows Backup Utiliy located in C:\Windows\System32\wbadmin.msc
3. follow the steps and choose “System state restore” on the original location
4. Click next and confirm (i’ve selected reboot server after restore)
5. This will take some time depending on where your backup set is located (for me it was on a usb disk shared on my laptop, not that fast…) my system writer portion was 8 GB for a C partition of 200 GB
6. After 45 minutes this was successfully completed and the server rebooted
   1. the first reboot took some time, don’t worry and don’t interrupt it.
7. After this i was able to start the exchange services, open the DNS .msc, etc…
8. I checked the eventviewer for errors, there were a few of them but after waiting a bit, I could access the OWA again and Outlook users started to get connected again.

I hope this assures someone that’s it possible to do this.

error: too many titles for menuentry: when upgrading Ubuntu server 12.04 LTS to 14.04 LTS

After the distupgrade the machine needs a reboot.

I was then greeted with this pleasant error message “error: too many titles for menuentry”.

I found the following to be a real life saver: http://sourceforge.net/p/boot-repair-cd/home/Home/

Just follow the instructions and my server was life again in 10 minutes.