Author Archives: paularquette

Resetting Domain Controller Computer Object Passwords Twice

There are times when you may need to reset the computer account passwords of your Domain Controllers, for example during incident response when a DC's machine account secret may have been exposed.

NOTE: netdom resetpwd cannot be run on the DC that holds the PDC Emulator FSMO role. Transfer that role to another DC first, reset the former holder, and move the role back afterwards if you want it where it was.

Steps:

  1. Log on interactively to the Domain Controller whose password you are resetting, as a Domain Admin.
  2. Temporarily stop the “Kerberos Key Distribution Center” service and set its startup type to Manual.
  3. Run the following command, where DC01 is a different, healthy domain controller in the same domain (the /s: target is the DC that accepts the new password, not the one you are logged on to):
    netdom resetpwd /s:DC01 /ud:DOMAIN\DomAdmin /pd:*
    1. Enter the password for the account specified above when prompted.
  4. Start the “Kerberos Key Distribution Center” service again and set its startup type back to Automatic.

You can read the pwdLastSet attribute of each Domain Controller's computer object (for example with Get-ADComputer -Properties pwdLastSet; the value is a Windows FILETIME, 100-nanosecond ticks since 1601) to verify that the password did actually update. Query a few DCs directly with -Server to confirm the new value has replicated everywhere.

In certain cybersecurity and incident response situations you may need to perform this action twice on all Domain Controllers. A DC still accepts Kerberos tickets encrypted with its previous machine account password, so a single reset does not fully evict a stolen key; the second reset does.

“Double-Tap” reset of the krbtgt account

We recently ran a “double-tap” reset of the krbtgt account in our Active Directory and ran into very few problems. We have the default 10 hour maximum Kerberos ticket lifetime configured.

EDIT: The biggest issue was an internal .NET portal federated with AD FS; it needed to be restarted.

We ran the script published in Microsoft’s GitHub repository:
https://github.com/microsoft/New-KrbtgtKeys.ps1/blob/master/New-KrbtgtKeys.ps1

We ran this first in our test environment and then scheduled the production run for a weeknight evening at 10pm, so that people would be around the following morning if there were issues.

The recommended way to run this script is using the following modes:

  1. Mode 1 – Informational run only
  2. Mode 8 – Create the bogus krbtgt test account
  3. Mode 2 – Simulation run to verify replication
  4. Mode 3 – Simulation run to verify replication and a password reset of the bogus krbtgt account
  5. Mode 4 – Real run, modifying the real krbtgt account
  6. Mode 9 – Clean up the bogus krbtgt test account

We ran Mode 3 and Mode 4 twice. On the second run of Mode 4 you will see warning text that there could be a major domain impact: the KDC only honors the current and the previous krbtgt key, so a second reset inside the ticket lifetime invalidates every ticket that was issued under the pre-reset key.

The only major impact noticed in our environment was that Remote Desktop to many of our servers stopped working when using the fully qualified name (a Kerberos logon). Connecting by IP address instead works around it, since that path falls back to NTLM authentication.

After our 10 hour ticket lifetime had passed, clients had obtained fresh tickets and all machines were back to working as expected.

How often a single reset should be run depends on who you ask; I’ve heard recommendations from every 90 days to every 180 days. It should also be run any time someone who could have forged golden tickets (anyone who had, or could obtain, the krbtgt hash) leaves the environment, and twice if there is real concern, with at least one maximum ticket lifetime plus replication time between the two resets so the double-tap itself does not cause the outage described above.
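Both posts above end on the same question: did the reset actually take on every DC, and, for the double-tap, is it safe to do the second one yet? Here is that check as an added example written for this page (it is not the blog's nor the Microsoft script's code). The per-DC readings would come from querying each DC directly, e.g. Get-ADUser krbtgt -Server DC01 -Properties pwdLastSet or Get-ADComputer DC01 -Server DC02 -Properties pwdLastSet; the DC names, timestamps and the 15-minute replication margin below are constructed for the example.

```python
"""pwdLastSet checks after a DC computer-account or krbtgt reset (added example).

pwdLastSet is a Windows FILETIME: 100-nanosecond ticks since 1601-01-01 UTC.
A second reset is only treated as safe once every DC reports the same new
value (replication finished) and one full maximum ticket lifetime, plus a
margin for replication, has elapsed since it was set: only then can no ticket
issued under the pre-reset key still be live.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
MAX_TICKET_AGE = timedelta(hours=10)        # default "Maximum lifetime for user ticket"
REPLICATION_SLACK = timedelta(minutes=15)   # assumption: margin for AD replication to settle


def filetime_to_datetime(ft: int) -> datetime:
    return FILETIME_EPOCH + timedelta(microseconds=ft // 10)


def datetime_to_filetime(dt: datetime) -> int:
    return ((dt - FILETIME_EPOCH) // timedelta(microseconds=1)) * 10


@dataclass
class ResetReport:
    updated: bool                   # newest pwdLastSet is later than the pre-reset value
    converged: bool                 # every DC reports that newest value
    stale_dcs: list[str]            # DCs still showing an older value
    earliest_second_reset: datetime
    safe_for_second_reset: bool


def check_reset(per_dc: dict[str, int], before: int, now: datetime,
                max_ticket_age: timedelta = MAX_TICKET_AGE,
                replication_slack: timedelta = REPLICATION_SLACK) -> ResetReport:
    """per_dc: pwdLastSet read from each DC for one account; before: value recorded pre-reset."""
    newest = max(per_dc.values())
    stale = sorted(dc for dc, value in per_dc.items() if value != newest)
    earliest = filetime_to_datetime(newest) + max_ticket_age + replication_slack
    updated = newest > before
    return ResetReport(
        updated=updated,
        converged=not stale,
        stale_dcs=stale,
        earliest_second_reset=earliest,
        safe_for_second_reset=updated and not stale and now >= earliest,
    )


# Constructed sample (not real data): first reset at 22:00 UTC, DC03 lagging behind.
RESET_AT = datetime(2022, 6, 1, 22, 0, tzinfo=timezone.utc)
BEFORE = datetime_to_filetime(RESET_AT - timedelta(days=180))
NEW = datetime_to_filetime(RESET_AT)


def demo() -> dict[str, ResetReport]:
    """Three readings of the same account: replication lagging, converged but too early, ready."""
    all_new = {"DC01": NEW, "DC02": NEW, "DC03": NEW}
    return {
        "lagging": check_reset({"DC01": NEW, "DC02": NEW, "DC03": BEFORE}, BEFORE, RESET_AT + timedelta(hours=1)),
        "too_soon": check_reset(all_new, BEFORE, RESET_AT + timedelta(hours=5)),
        "ready": check_reset(all_new, BEFORE, RESET_AT + timedelta(hours=11)),
    }


if __name__ == "__main__":
    for label, r in demo().items():
        print(f"{label:9} updated={r.updated} converged={r.converged} stale={r.stale_dcs} "
              f"second reset ok={r.safe_for_second_reset} (not before {r.earliest_second_reset:%Y-%m-%d %H:%M} UTC)")
```

The same function serves the DC computer-account reset: feed it the DC$ account's pwdLastSet from several DCs and it tells you whether the reset took and replicated; the "safe for second reset" flag is only meaningful for the krbtgt double-tap.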

Server 2022 KMS: error activating Windows 10 2016 LTSB or 2019 LTSC

Leaving breadcrumbs here so I can update this post later. Found these two posts on Reddit:

https://www.reddit.com/r/sysadmin/comments/plq1hw/heads_up_windows_server_2022_kms_host_keys_seem/

https://www.reddit.com/r/sysadmin/comments/suqn1l/update_fixed_windows_server_2022_kms_host_keys/

The error we were receiving on the client (Event ID 12288 in the Application log) was:

The client has sent an activation request to the key management service machine.
Info:
0x80072AF9, 0x00000000, <redacted>:1688, <redacted>-<redacted>-<redacted>-<redacted>-<redacted>, 2022/07/14 19:42, 1, 1, 258969, <redacted>-<redacted>-<redacted>-<redacted>-<redacted>, 25

Resolution:

Launch Volume Activation Tools on the Server 2022 KMS host, run through the process to install a new key, and simply enter the same KMS host key again after applying the current patches. In our case this was done before the July 2022 patches were applied.

Afterwards, confirm that the previously failing requests are now being processed: run slmgr.vbs /ato on an affected client and check the result with slmgr.vbs /dlv, and on the KMS host look for the matching Event ID 12290 entries in the Key Management Service event log, which record each request the host handled.

Robocopy Excluding Certain Directories with Wildcards

In this post I’m revisiting Microsoft’s Robocopy, specifically the “/XD” flag for excluding certain directories.

We are in the process of migrating about 200TB of data from one file cluster to another because the underlying storage is also changing, so Robocopy has been our best friend for quite some time: it moves these large datasets while retaining things like NTFS ACLs.

This particular command will copy from <source> to <destination> with the following options:

robocopy \\uncsource Y:\LocalDest /TEE /MIR /copyall /zb /w:1 /r:2 /xo /MT:16 /XD "?????1" "?????3" "?????5" "?????7" "?????9"

/TEE: Writes the status output to the console window as well as to the log file (when /LOG is used)

/MIR: Mirrors the directory tree (equivalent to /E plus /PURGE): adds and updates files from the source and deletes destination files and directories that no longer exist in the source. Double-check the destination path before running; a typo here deletes data.

/copyall: Copies all file information (equivalent to /COPY:DATSOU: data, attributes, timestamps, NTFS ACLs, owner and auditing information). Owner and auditing information can only be copied by an elevated account with backup/restore privileges.

/zb: Copies files in restartable mode and falls back to backup mode if access is denied (backup mode needs the backup privilege, which Administrators and Backup Operators have)

/w:1: Wait time between retries in seconds (1 second in this example)

/r:2: Number of retries on failed copies (2 retries in this example)

/xo: Excludes older files, i.e. a source file is skipped when the destination already holds a newer copy

/MT:16: Multi-threaded copy with n threads; n must be between 1 and 128, default is 8

/XD: Exclude directories

Directory names or paths are listed after /XD in quotes, and wildcards are allowed. A question mark (?) matches exactly one character and an asterisk (*) matches any run of characters, including none. Matching is case-insensitive and applies to the whole directory name: a bare name (no path) is compared against directory names at every level of the tree, not just the top level, so give a full path if you mean one specific directory.

For example, to exclude any directory whose name starts with “ADM”, you could use:

/XD "ADM*"

To exclude any directory whose name ends in 1, 3, 5, 7 or 9, whatever comes before that digit:

 /XD "*1" "*3" "*5" "*7" "*9"

(To exclude names that merely contain one of those digits somewhere, the patterns would be "*1*", "*3*" and so on.)

The original example at the top (copied again below this paragraph) is stricter: "?????1" requires exactly five characters of any kind followed by a 1, so it only excludes directories whose name is exactly six characters long and ends in 1, 3, 5, 7 or 9. A seven-character name such as Share11 is not excluded. Because the command also uses /MIR, run it once with /L added first to list what would be copied and deleted without changing anything.

robocopy \\uncsource Y:\LocalDest /TEE /MIR /copyall /zb /w:1 /r:2 /xo /MT:16 /XD "?????1" "?????3" "?????5" "?????7" "?????9"
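To see exactly which names a /XD pattern catches before committing to a /MIR run, here is a small matcher added for this post (it is not robocopy’s code). It reproduces the ? and * semantics described above, case-insensitively and against the whole directory name, and runs the post’s pattern list next to the looser "*N" form on a constructed set of directory names; the names in SAMPLE_DIRS are invented.

```python
"""Model of robocopy /XD wildcard matching, written for this post (not robocopy's code).

? matches exactly one character, * matches any run of characters (including
none); comparison is case-insensitive and covers the whole directory name,
which is what /XD does with a bare name at every depth of the tree.
"""
from __future__ import annotations

import re
from typing import Iterable


def xd_pattern_to_regex(pattern: str) -> re.Pattern[str]:
    """Translate a robocopy wildcard pattern into an anchored, case-insensitive regex."""
    parts = []
    for ch in pattern:
        if ch == "*":
            parts.append(".*")
        elif ch == "?":
            parts.append(".")
        else:
            parts.append(re.escape(ch))   # everything else is a literal character
    return re.compile("".join(parts), re.IGNORECASE)


def xd_matches(dir_name: str, pattern: str) -> bool:
    """True when /XD <pattern> would exclude a directory called dir_name."""
    return xd_pattern_to_regex(pattern).fullmatch(dir_name) is not None


def plan_exclusions(dir_names: Iterable[str], patterns: Iterable[str]) -> tuple[dict[str, str], list[str]]:
    """Return ({excluded name: pattern that hit}, [names robocopy would still copy])."""
    patterns = list(patterns)
    excluded: dict[str, str] = {}
    kept: list[str] = []
    for name in dir_names:
        hit = next((p for p in patterns if xd_matches(name, p)), None)
        if hit is None:
            kept.append(name)
        else:
            excluded[name] = hit
    return excluded, kept


# Constructed directory names (invented for this example).
SAMPLE_DIRS = ["Share1", "Share11", "Share15", "Data001", "ADMIN", "Archive", "x1y"]
# The post's pattern list: five characters of any kind, then an odd digit.
SIX_CHARS_ODD_END = ["?????1", "?????3", "?????5", "?????7", "?????9"]
# Looser variant: any name that ends in an odd digit, whatever its length.
ANY_ODD_END = ["*1", "*3", "*5", "*7", "*9"]

if __name__ == "__main__":
    for label, patterns in (("?????N", SIX_CHARS_ODD_END), ("*N", ANY_ODD_END)):
        excluded, kept = plan_exclusions(SAMPLE_DIRS, patterns)
        print(f"{label:7} excludes {sorted(excluded)}  copies {kept}")
```

With the post’s patterns only Share1 is excluded; with the "*N" forms Share11, Share15 and Data001 go too. The /L dry run remains the authoritative check, since this model only covers bare-name patterns, not full-path arguments to /XD.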

Windows Server 2022, IIS Certificate Authentication not working. (Connection Reset)

I was working with a colleague of mine the other day on this issue. If you are using Windows Server 2022 with IIS to set up a website that uses client certificate authentication and notice that you are never prompted for a certificate (the browser reports a connection reset instead), the issue is probably TLS 1.3.

IIS on Windows Server 2022 negotiates TLS 1.3 by default. If you check the “Disable TLS 1.3 over TCP” box on the site’s HTTPS binding, which makes it fall back to TLS 1.2, everything works.

Still not sure at this moment who is to blame, Microsoft or the web browsers.

EDIT: Update from the Microsoft Article

https://docs.microsoft.com/en-us/answers/questions/654803/err-connection-reset-if-asking-client-certificate.html

Yes, I got an answer: Microsoft implemented TLS 1.3 in the most secure way per the RFC. IIS wants to perform post-handshake authentication. Unfortunately, common browsers do not support it in their default configuration. You can enable it only with Firefox (when I last checked; maybe something changed recently). So, de facto, the IIS default configuration for two-way SSL with common browsers does not work when TLS 1.3 only is enabled.

You can keep IIS on a TLS 1.3-only configuration by enabling the in-handshake method for IIS instead of the post-handshake method.

“In-handshake” means the server asks for the client certificate during the initial TLS handshake (the TLS 1.3 CertificateRequest) rather than after it. In IIS this is the “Negotiate Client Certificate” option on the site’s HTTPS binding, which HTTP.sys reports as “Negotiate Client Certificate: Enabled” in the output of netsh http show sslcert. The trade-off is that the certificate is requested on every new connection to that binding, not only when a request reaches the path that requires it.

Macbook Pro (16-inch, 2019) Left Side Popping/Cracking Noise

I have a 16-inch MacBook Pro that recently started making a popping/cracking noise on the left-hand side, but only when I was using VMware Fusion.

After looking around online, this is apparently a known issue that has been going on for quite some time. It sounded to me like an actual hardware problem, and I was worried I was going to have to take my Mac in for service.

On one of the forums I came across, people said it was a software issue and provided a temporary workaround. I was intrigued.

The Fix:

Launch “QuickTime Player” and close the Open File dialog that pops up. Then go to the menu bar and select “File -> New Audio Recording”.

Once the QuickTime Player recording window shows up, simply push the yellow button to minimize it. That’s it! You should notice that the audio issue goes away.

This is clearly a software issue and I hope Apple gets it fixed soon, but at least there is a reliable, easy workaround for this annoying popping sound.

Pop!_OS 22.04 LTS – Pop Shop Crashing on Installing Apps

If Pop Shop crashes when you try to install an application, check your free space! There is a very real chance that you are running low on disk space. The OS will not notify you; it just crashes the app.

A colleague of mine was running into this problem. His home directory was on a separate partition and there was not enough free space on it.

You can run Pop Shop from a terminal with:

io.elementary.appcenter

Running it from the terminal lets you see any error output when a task fails.

Django 4.0 Install on Ubuntu 20.04

These are my notes for bringing up a Django install on a production server. They were written on a fresh install of Ubuntu 20.04. Most of my notes come from this DigitalOcean article, with a few changes: https://www.digitalocean.com/community/tutorials/how-to-set-up-django-with-postgres-nginx-and-gunicorn-on-ubuntu-20-04

NOTE: Once the setup is complete, any change to the project code or settings requires restarting Gunicorn before it shows up on the production server:

sudo systemctl restart gunicorn

Install packages for Python 3 (include Git if it’s not already installed, and venv)

sudo apt update
sudo apt install python3-pip python3-dev python3-venv libpq-dev postgresql postgresql-contrib nginx curl git

Create PostgreSQL Database & User

Login to Postgres Session:

sudo -u postgres psql

Create Database & User (replace 'password' with a strong, unique password; the same value goes into settings.py later, so keep that file out of version control):

CREATE DATABASE myproject;
CREATE USER myprojectuser WITH PASSWORD 'password';

Change the role settings to what Django expects:

Set the default client encoding to UTF-8
Set the default transaction isolation to 'read committed', so queries only see committed data
Set the timezone to UTC

ALTER ROLE myprojectuser SET client_encoding TO 'utf8';
ALTER ROLE myprojectuser SET default_transaction_isolation TO 'read committed';
ALTER ROLE myprojectuser SET timezone TO 'UTC';

Grant all privs on database to user:

GRANT ALL PRIVILEGES ON DATABASE myproject TO myprojectuser;

Quit PostgreSQL:

\q

Create Home Directory for Django Apps & Install Django

mkdir djangoweb
mkdir djangoweb/myprojectdir
python3 -m venv /home/<user>/djangoweb/myprojectdir/env

Activate Virtual Environment & Install Django/Gunicorn

source ~/djangoweb/myprojectdir/env/bin/activate
pip install django gunicorn psycopg2-binary

Start Django Project

django-admin startproject myproject ~/djangoweb/myprojectdir

Edit settings.py (found at ~/djangoweb/myprojectdir/myproject/settings.py)

Add the DNS name(s), IP(s) and localhost to the “ALLOWED_HOSTS” list, each in single quotes. Django rejects any request whose Host header is not in this list, so do not put '*' here. While in this file, set DEBUG = False for production and move SECRET_KEY out of the file (read it from an environment variable) so it does not end up in version control:

ALLOWED_HOSTS = ['dns1.dns.org','xxx.xxx.xxx.xxx','localhost']

Add PostgreSQL Database Information

DATABASES = {
    'default': {
        'ENGINE': 'django.db.backends.postgresql',
        'NAME': 'myproject',
        'USER': 'myprojectuser',
        'PASSWORD': 'password',
        'HOST': 'localhost',
        'PORT': '',
    }
}

Add the static file location, needed for Nginx. This tells Django to collect static files into a directory called static in the base project directory (BASE_DIR is a Path object in Django 4, so the / operator works):

STATIC_URL = '/static/'
STATIC_ROOT = BASE_DIR / 'static'

Complete Project Setup

#Create Default Database Migrations
python manage.py makemigrations
python manage.py migrate

#Create Administrative User
python manage.py createsuperuser

#Collect All Static Material into Defined Static Folder
python manage.py collectstatic

#Deactivate your virtual instance
deactivate

Configure Gunicorn

Create a Gunicorn systemd socket

sudo nano /etc/systemd/system/gunicorn.socket

/etc/systemd/system/gunicorn.socket

[Unit]
Description=gunicorn socket

[Socket]
ListenStream=/run/gunicorn.sock

[Install]
WantedBy=sockets.target

Create the Gunicorn systemd service file. The paths match the directories created earlier (project in ~/djangoweb/myprojectdir, virtual environment in env/); User is the account that owns the project and Group www-data lets Nginx connect to the socket.

sudo nano /etc/systemd/system/gunicorn.service

/etc/systemd/system/gunicorn.service

[Unit]
Description=gunicorn daemon
Requires=gunicorn.socket
After=network.target

[Service]
User=<user>
Group=www-data
WorkingDirectory=/home/<user>/djangoweb/myprojectdir
ExecStart=/home/<user>/djangoweb/myprojectdir/env/bin/gunicorn \
          --access-logfile - \
          --workers 3 \
          --bind unix:/run/gunicorn.sock \
          myproject.wsgi:application

[Install]
WantedBy=multi-user.target

Start and enable the Gunicorn socket. This creates the socket file at /run/gunicorn.sock now and at boot time; when a connection arrives on it, systemd starts the Gunicorn service automatically.

sudo systemctl start gunicorn.socket
sudo systemctl enable gunicorn.socket

Configure Nginx to proxy pass to Gunicorn. Nginx runs as www-data, so that account needs execute (traverse) permission on /home/<user> and read access to the static directory, or requests for /static/ will return 403.

sudo nano /etc/nginx/sites-available/myproject

/etc/nginx/sites-available/myproject

server {
    listen 80;
    server_name server_domain_or_IP;

    location = /favicon.ico { access_log off; log_not_found off; }
    location /static/ {
        root /home/<user>/djangoweb/myprojectdir;
    }

    location / {
        include proxy_params;
        proxy_pass http://unix:/run/gunicorn.sock;
    }
}

Enable File by linking it to sites-enabled

sudo ln -s /etc/nginx/sites-available/myproject /etc/nginx/sites-enabled

Check for Errors

sudo nginx -t

If no errors restart nginx

sudo systemctl restart nginx

Punch a hole in UFW for Nginx. The 'Nginx Full' profile opens ports 80 and 443; the server block above only listens on 80, so add a TLS listener (e.g. with certbot) before exposing the admin login to the internet, otherwise the password and session cookie travel in clear text.

sudo ufw allow 'Nginx Full'
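As an added example for the settings.py step above (this is not code from the DigitalOcean article or from Django), here is a small loader for the production-only settings that the walkthrough otherwise leaves as literals in the file: it reads SECRET_KEY, the database password and ALLOWED_HOSTS from environment variables, refuses placeholder values and the '*' wildcard, forces DEBUG off, and only turns on the HTTPS cookie and HSTS settings when the site is actually behind TLS. The variable names DJANGO_SECRET_KEY, DJANGO_DB_PASSWORD, DJANGO_ALLOWED_HOSTS, DJANGO_DB_NAME, DJANGO_DB_USER, DJANGO_DB_HOST, DJANGO_DB_PORT and DJANGO_BEHIND_HTTPS are this example's choice, and EXAMPLE_ENV holds made-up values.

```python
"""Production settings loader for the Django deployment above (added example).

Refuses to start with the insecure defaults (DEBUG=True, a literal
'password', ALLOWED_HOSTS='*') instead of silently shipping them.
"""
from __future__ import annotations

from typing import Mapping

MIN_SECRET_KEY_LEN = 50   # below this, `manage.py check --deploy` raises security.W009
PLACEHOLDER_SECRETS = {"", "password", "changeme", "secret"}


class SettingsError(ValueError):
    """Raised instead of running with a setting that leaves the site exposed."""


def parse_allowed_hosts(raw: str) -> list[str]:
    """Turn 'dns1.dns.org, 203.0.113.10,localhost' into a clean list."""
    return [h.strip() for h in raw.split(",") if h.strip()]


def settings_problem(env: Mapping[str, str]) -> str | None:
    """Return the first reason these variables are unfit for production, or None."""
    if len(env.get("DJANGO_SECRET_KEY", "")) < MIN_SECRET_KEY_LEN:
        return "DJANGO_SECRET_KEY missing or shorter than 50 characters"
    if env.get("DJANGO_DB_PASSWORD", "").lower() in PLACEHOLDER_SECRETS:
        return "DJANGO_DB_PASSWORD missing or a placeholder value"
    hosts = parse_allowed_hosts(env.get("DJANGO_ALLOWED_HOSTS", ""))
    if not hosts:
        return "DJANGO_ALLOWED_HOSTS is empty"
    if "*" in hosts:
        return "ALLOWED_HOSTS must not contain '*' (it disables Host header validation)"
    return None


def production_settings(env: Mapping[str, str]) -> dict:
    """Build the settings to override at the end of settings.py."""
    problem = settings_problem(env)
    if problem:
        raise SettingsError(problem)
    settings = {
        "DEBUG": False,
        "SECRET_KEY": env["DJANGO_SECRET_KEY"],
        "ALLOWED_HOSTS": parse_allowed_hosts(env["DJANGO_ALLOWED_HOSTS"]),
        "DATABASES": {
            "default": {
                "ENGINE": "django.db.backends.postgresql",
                "NAME": env.get("DJANGO_DB_NAME", "myproject"),
                "USER": env.get("DJANGO_DB_USER", "myprojectuser"),
                "PASSWORD": env["DJANGO_DB_PASSWORD"],
                "HOST": env.get("DJANGO_DB_HOST", "localhost"),
                "PORT": env.get("DJANGO_DB_PORT", ""),
            }
        },
    }
    if env.get("DJANGO_BEHIND_HTTPS", "0") == "1":
        # Only once Nginx terminates TLS: proxy_params forwards X-Forwarded-Proto,
        # so Django can tell the request was HTTPS and mark cookies Secure.
        settings.update({
            "SECURE_PROXY_SSL_HEADER": ("HTTP_X_FORWARDED_PROTO", "https"),
            "SESSION_COOKIE_SECURE": True,
            "CSRF_COOKIE_SECURE": True,
            "SECURE_HSTS_SECONDS": 31536000,
        })
    return settings


# Constructed environment with made-up values (not real credentials).
EXAMPLE_ENV = {
    "DJANGO_SECRET_KEY": "k" * 64,
    "DJANGO_DB_PASSWORD": "correct-horse-battery-staple-9f3a",
    "DJANGO_ALLOWED_HOSTS": "dns1.dns.org, 203.0.113.10, localhost",
    "DJANGO_BEHIND_HTTPS": "1",
}

if __name__ == "__main__":
    for key, value in production_settings(EXAMPLE_ENV).items():
        print(f"{key} = {value!r}" if key != "SECRET_KEY" else "SECRET_KEY = <hidden>")
```

To wire it in, put the variables in an EnvironmentFile= (readable only by the service account) referenced from the [Service] section of gunicorn.service, and end settings.py with import os followed by globals().update(production_settings(os.environ)); a missing or placeholder value then fails the Gunicorn start instead of going live.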