Setting up the lab environment – DNS resolution puzzle

I would prefer to have access from my local VLAN and wireless VLAN to the servers,
but I didn't want to send all DNS traffic into the VMs (and depend on a testing environment).

Basically I want host resolution and to be able to use the domain services in the testing environment, without interrupting my other services.

The solution I went for was Conditional Forwarders.

First the Hyper-V host:

I installed the DNS Server role within Windows Server 2016.
Set up forwarders to Google DNS:


After that I added the Conditional Forwarders for my testing domain.
In my previous post I created 2 Domain Controllers, both hosting DNS.


I will then add my Hyper-V host's IP as the DNS server handed out by my router/DHCP on the needed VLANs.
When clients send requests for the testing domain, they will be forwarded to the Hyper-V guests (DCs), and all other requests will go to Google DNS (8.8.8.8, 8.8.4.4) – more info: Getting started with Google Public DNS
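The same host-side configuration from an elevated PowerShell prompt, as an added example (this is not from the original post, which used the DNS Manager GUI; the DnsServer module cmdlets replace the screenshots). The zone name lab.test, the DC addresses 10.0.22.11/10.0.22.12 and the hostname dc01 are placeholders, not values from the post.

```powershell
# Added example (not from the original post): the Hyper-V host DNS setup done
# from an elevated PowerShell prompt instead of the DNS Manager GUI.
# Assumptions (placeholders, not from the post): the lab AD domain is
# "lab.test" and the two DCs answer on 10.0.22.11 and 10.0.22.12.
$LabZone   = 'lab.test'
$LabDcs    = '10.0.22.11', '10.0.22.12'
$PublicDns = '8.8.8.8', '8.8.4.4'

# 1. DNS Server role (the post installs it through Server Manager).
Install-WindowsFeature -Name DNS -IncludeManagementTools

# 2. Everything that is not the lab zone goes to Google Public DNS.
#    -UseRootHint $false keeps the host from walking the root servers itself
#    when the forwarders are unreachable, so failure behaviour is predictable.
Set-DnsServerForwarder -IPAddress $PublicDns -UseRootHint $false

# 3. Conditional forwarder: queries for the lab zone only are sent to the DCs.
#    No -ReplicationScope, because this host is not domain-joined; the zone
#    definition is stored locally on the host.
if (-not (Get-DnsServerZone -Name $LabZone -ErrorAction SilentlyContinue)) {
    Add-DnsServerConditionalForwarderZone -Name $LabZone -MasterServers $LabDcs
}

# 4. Verify the split. Both queries go to this host's own DNS service: the lab
#    name must come back from a DC, the public name via the forwarders.
Get-DnsServerForwarder | Select-Object IPAddress, UseRootHint
Get-DnsServerZone -Name $LabZone | Select-Object ZoneName, ZoneType, MasterServers
Resolve-DnsName -Name "dc01.$LabZone" -Type A -Server 127.0.0.1   # answered by a DC (dc01 is a placeholder)
Resolve-DnsName -Name 'dns.google'    -Type A -Server 127.0.0.1   # answered via 8.8.8.8 / 8.8.4.4
```

If the lab query fails but the public one works, the problem is reachability between the host and the DC VLAN (or the DCs' own DNS service), not the forwarder list. Installing the role also enables inbound DNS Server firewall rules on the host; if the host has any interface other than the client VLANs, scope those rules to the client networks so the box does not become a resolver for anything that can reach it.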

I wanted a backup as well, so I installed Synology DNS on my Synology DS1511+.
Synology DNS supports forwarding zones, with up to 2 forwarders per zone.
That's perfect for my setup; I added the 2 Hyper-V guest DCs.
The Synology DNS would of course also need Resolution services enabled, so it can forward requests to Google DNS (8.8.8.8, 8.8.4.4).


Then I will go ahead and update the DNS servers handed out by my DHCP on my normal client network and to wireless clients.
This configuration offers failover/backup, because both the Hyper-V host and the Synology will be able to handle DNS requests and forwarding.

Where is my cloud key?

During VLAN configuration for my new lab (see previous post Home Data Center)
I had to change some VLANs, and for some reason my Hybrid Cloud Device Management controller (the Cloud Key) got “lost in translation”.

The setup:
1 x Mikrotik CCR1036-12G-4S-EM
1 x UniFi Switch 16 150W
1 x UniFi Cloud Key

It all starts with the adoption of devices onto the Cloud Key – no problems there.
But when your Cloud Key is lost in a VLAN with no connectivity or access to other devices, then it's back to basics.

My problem was that I deleted the valid networks/VLANs added on the ports – BIG mistake!
So nothing really works and you can't change anything, but tuning the VLANs on the router a bit seemed to open things up.

I was able to SSH into the switch (it's running BusyBox)


From there we can SSH to localhost on port 2222.
Press any key to get past the warning: “The changes may break controller settings and only be effective until reboot.”

It will not give a response and will be awaiting a keystroke before you're ready to go.

Keep in mind all configuration will be lost once the switch is connected back and provisioned by the Cloud Key.

To enter privileged mode type: enable
To enter global config mode type: configure

And now we can configure the entire switch (also without the controller, including more advanced settings).

In this case:
Selecting an interface (port 2): interface 0/2
Adding a VLAN to the interface (port 2): vlan participation include 22
(if the Cloud Key sends untagged frames on that port, also set the port's PVID so untagged traffic lands in that VLAN: vlan pvid 22)
and your lost Cloud Key should now be back on the correct VLAN.
If you just need to bring the switch's own management interface back to a VLAN, you can use: network mgmt_vlan 1
Note: 1 being the VLAN you want the management interface to participate in.

NOTE:
If you need multiple VLANs on 1 port – maybe with a UniFi AP AC Pro – you will see that the AP doesn't have a configuration for a management VLAN, so we need to configure the native VLAN for the device. It only requires 3 steps, but it can be a bit confusing to configure and adds a bit more complexity.

– Define Networks/VLANs in Controller Settings
– Manage or create Network Profiles for the switch in the Switch Configuration
– Assign Networks/VLANs or Profiles to the Port(s)

There is a nice explanation here: A-non-expert-Guide-to-VLAN-and-Trunks-in-Unifi-Switches

Setting up the lab environment – Deduplication

The next step for the lab or so-called home data center: installing and configuring Deduplication.

I was going to use a USB stick for the Windows Server 2016 OS.
The main reason for this: DEDUPLICATION.

I did start out with a USB stick, but due to performance issues this was changed – read the follow-up post (https://blog.thomasmarcussen.com/follow-up-on-the-home-datacenter-hardware/)

The reason for having the OS on a separate volume: Deduplication is not supported on system or boot volumes. Read more about Deduplication here: About Data Deduplication

Let’s get started

Installing and Configuring Deduplication

  1. Open an elevated PowerShell prompt
  2. Execute: Import-Module ServerManager
  3. Execute: Add-WindowsFeature -Name FS-Data-Deduplication
  4. Execute: Import-Module Deduplication

Installing Deduplication

Now we have installed Data Deduplication and it's ready for configuration.

My RAID 0 volume is D:
The volume will primarily hold virtual machines (Hyper-V).
I'm going to execute the following command: Enable-DedupVolume D: -UsageType HyperV

Enable Deduplication for volume

You can read more about the different usage types here: Understanding Data Deduplication

Some quick info for the usage type Hyper-V:

  • Background optimization
  • Default optimization policy:
    • Minimum file age = 3 days
    • Optimize in-use files = Yes
    • Optimize partial files = Yes
  • “Under-the-hood” tweaks for Hyper-V interop

You can start the optimization job and limit (if needed) the percentage of system memory the job may consume: Start-DedupJob -Volume "D:" -Type Optimization -Memory 50


You can get the deduplication status with the command: Get-DedupStatus
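The whole procedure (install, enable, first optimization job, status) as one script, added here as an example rather than taken from the post. It assumes D: is the VM volume as above, and adds the system-volume check that the "not supported on system or boot volumes" rule calls for.

```powershell
# Added example (not from the original post): the deduplication steps as one
# idempotent script, with the checks a practitioner would want before and
# after enabling it. Assumes the VM volume is D: as in the post. Run elevated.
$Volume = 'D:'

# Dedup cannot be enabled on the system/boot volume; refuse early instead of
# letting Enable-DedupVolume fail half-way through.
if ($Volume.TrimEnd('\') -eq $env:SystemDrive) {
    throw "Data Deduplication is not supported on the system volume ($Volume)."
}

# Role install (equivalent of the post's Add-WindowsFeature).
if (-not (Get-WindowsFeature -Name FS-Data-Deduplication).Installed) {
    Install-WindowsFeature -Name FS-Data-Deduplication
}
Import-Module Deduplication

# Enable with the Hyper-V usage type unless it is already enabled.
if (-not (Get-DedupVolume -Volume $Volume -ErrorAction SilentlyContinue)) {
    Enable-DedupVolume -Volume $Volume -UsageType HyperV
}

# Show the policy the usage type applied (3-day minimum file age, in-use and
# partial files optimized, as listed above).
Get-DedupVolume -Volume $Volume |
    Select-Object Volume, Enabled, UsageType, MinimumFileAgeDays,
                  OptimizeInUseFiles, OptimizePartialFiles

# Start optimization now, capped at 50% of memory, and block until it finishes
# so the status below reflects a completed job.
Start-DedupJob -Volume $Volume -Type Optimization -Memory 50 -Wait

# Savings report in GB rather than raw bytes.
Get-DedupStatus -Volume $Volume |
    Select-Object Volume, OptimizedFilesCount, InPolicyFilesCount,
        @{ n = 'SavedSpaceGB'; e = { [math]::Round($_.SavedSpace / 1GB, 2) } },
        @{ n = 'FreeSpaceGB';  e = { [math]::Round($_.FreeSpace  / 1GB, 2) } }
```

Without -Wait the job runs in the background and Get-DedupStatus will show the previous run's numbers; Get-DedupJob lists what is still in progress.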


The currently saved space on my volume is 46.17 GB.
That is for 2 ISO files, a reference machine for Windows Server 2016 and the reference disks copied to a separate folder.

More useful PowerShell cmdlets here: Deduplication Cmdlets in Windows PowerShell

I do love deduplication, especially for virtual machines, since most of the base data is the same.
The disks are also rather expensive, so getting the most out of them is preferred.


Follow up on the home datacenter hardware

It's time for a small update – the previous post is available here: https://blog.thomasmarcussen.com/new-lab-home-datacenter/

The datacenter has been running for about a week now – quite good…. but…..

I've been using the Samsung USB as OS drive – Samsung USB 3.0 Flash Drive FIT 32GB
It does have fast read, and not that slow write, according to Samsung: up to 130 MB/s

The week passed with setting up and installing VMs – using the actual VMs etc.
But when installing Windows Updates on the Hyper-V host, installing Features/Roles or doing any kind of configuration, it seemed to slow down to useless/freeze.

Running a full Windows Update took about 2 days to reach fully patched level.
During that time it was useless, as in not responding.

I ran a WinSAT drive test on the Samsung USB Flash Drive:

Random 16.0 Read: 8.87 MB/s
Random 16.0 Write: 5.45 MB/s

Random reads and writes seem pretty low.

The sequential numbers are a bit better:

Sequential 64.0 Read: 76.89 MB/s
Sequential 64.0 Write: 86.95 MB/s

The commands used with WinSAT (the 16.0 and 64.0 in the labels are the block sizes in KB: random tests use 16 KB I/Os, sequential tests 64 KB):
winsat disk -drive C: -ran -write (Random 16.0 Write)
winsat disk -drive C: -ran -read (Random 16.0 Read)
winsat disk -drive C: -seq -write (Sequential 64.0 Write)
winsat disk -drive C: -seq -read (Sequential 64.0 Read)
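The four WinSAT runs wrapped in a function that returns the MB/s figures as objects, so two drives can be compared side by side instead of reading them off the console. This is an added example, not from the original post; the regex assumes WinSAT's console format ("Disk  Random 16.0 Read   8.87 MB/s"), which is an assumption about the tool's output.

```powershell
# Added example (not from the original post): run the four WinSAT disk tests
# used above against one drive and return the MB/s figures as objects.
# Must run from an elevated prompt, like winsat itself.
# The regex below assumes WinSAT's console output looks like
#   "> Disk  Random 16.0 Read                       8.87 MB/s"
# (an assumption about the tool, not something stated in the post).
function Get-WinSatDiskResult {
    param([ValidatePattern('^[A-Za-z]:$')][string]$Drive = 'C:')

    $tests = @(
        @{ Flags = '-ran', '-read';  Label = 'Random 16.0 Read' },
        @{ Flags = '-ran', '-write'; Label = 'Random 16.0 Write' },
        @{ Flags = '-seq', '-read';  Label = 'Sequential 64.0 Read' },
        @{ Flags = '-seq', '-write'; Label = 'Sequential 64.0 Write' }
    )
    foreach ($t in $tests) {
        # The array in $t.Flags expands into separate arguments for the exe.
        $out = (& winsat.exe disk -drive $Drive $t.Flags 2>&1) | Out-String
        # Pick the "<label> <number> MB/s" figure; $null means WinSAT did not
        # report it (not elevated, drive missing, run aborted).
        $pattern = [regex]::Escape($t.Label) + '\s+([\d.]+)\s+MB/s'
        $mbps = if ($out -match $pattern) { [double]$Matches[1] } else { $null }
        [pscustomobject]@{ Drive = $Drive; Test = $t.Label; MBps = $mbps }
    }
}

# Compare the OS drive with a second drive letter (E: is a placeholder).
'C:', 'E:' | ForEach-Object { Get-WinSatDiskResult -Drive $_ } | Format-Table -AutoSize
```

A row with an empty MBps column is the signal that the run did not produce a number; check the prompt is elevated and the drive letter is a fixed or mounted volume before trusting the rest of the table.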

So I decided to replace the Samsung USB 3.0 Flash Drive FIT as OS drive.

The new hardware chosen ended up being:

1 x StarTech.com USB 3.0 to M.2 SATA External SSD Enclosure with UASP
1 x Samsung 850 EVO M.2 2280 SSD – 250GB

SM2NGFFMBU33 – StarTech.com USB 3.0 to M.2 SATA External SSD Enclosure with UASP
MZ-N5E250BW – Samsung 850 EVO M.2 2280 SSD – 250GB
NOTE: the StarTech.com enclosure does not support NVMe, so I chose an M.2 SATA SSD.

I know that StarTech also has USB 3.1 enclosures, but I really do want to keep the USB 3.1 port free for an additional RAID enclosure when/if needed. Probably a StarTech enclosure, but not sure yet.. (USB 3.1 (10Gbps) External Enclosure for Dual 2.5″ SATA Drives) – still looking for a nice USB 3.1 enclosure that supports M.2 NVMe…

Samsung states the specs for the new disk as:

  • Up to 500 MB/s Sequential Write
  • Up to 540 MB/s Sequential Read

The actual performance test on the Samsung 850 EVO M.2 2280 SSD (same WinSAT commands as above):

Random 16.0 Read: 276.51 MB/s
Random 16.0 Write: 271.37 MB/s

Sequential 64.0 Read: 388.85 MB/s
Sequential 64.0 Write: 383.71 MB/s

So in any case it's quite a performance boost for the OS disk.

 

The new LAB and home datacenter

Finally I managed to set up the new lab and home datacenter.

Due to several home limitations (cost of power, space and noise) the decision was clear:

1 x Intel NUC Skull Canyon NUC6i7KYK

2 x G.Skill Ripjaws4 SO DDR4-2133 DC – 32GB

1 x USB 3.0 to Dual Port Gigabit Ethernet Adapter NIC w/ USB Port

2 x Samsung NVMe SSD 960 EVO 1 TB

1 x Samsung USB 3.0 Flash Drive FIT 32GB

The NUC can run RAID 0 and 1 on the internal NVMe drives; I'm going for RAID 0 (stripe).
This is where it gets a bit interesting.. Mostly I'm going to run VMs within Hyper-V.
Hyper-V and deduplication, that is… of course.

I needed to move the OS to another disk, for maximum storage.
Keep in mind, deduplication will not run on the OS/system disk.

This is where the USB flash drive comes in handy: Windows Server 2016 can run directly on it, leaving me with 2 full NVMe drives in RAID 0 with deduplication – YAY!

that’s the hardware part 🙂


The follow up post is here: https://wp.me/p8YLCL-aL

Protect Yourself Against Petya Ransomware

The malware requires administrator rights on the local computer. Standard users should not have this permission. Consider restricting who has local admin rights to prevent execution of exploit code within organisations. Home users should also consider using a standard user account for day-to-day operations.

Access Director can help you by removing permanent local admins.

Recommendations for Enterprises

  • Deploy the latest Microsoft patches, including MS17-010, which patches the SMB vulnerability.
  • Consider disabling SMBv1 to prevent the malware from spreading.
  • Educate end-users to remain vigilant when opening attachments or clicking on links from senders they do not know.
  • Ensure you have the latest updates installed for your anti-virus software.
  • Ensure you have backup copies of your files stored on local disks. Generally, user files on local drives are replicated from a network share.
  • Prevent users from writing data outside of designated areas on the local hard disk, to limit data loss if an attack occurs.
  • Operate a least-privilege access model with employees. Restrict who has local administration access.

Petya does not encrypt files. It encrypts the Master File Table, which is the index of where all the files are stored on a hard disk drive.

“Petya uses the NSA EternalBlue exploit but also spreads in internal networks with WMIC and PsExec. That's why patched systems can get hit.”
– Mikko Hypponen, Chief Research Officer at F-Secure, confirms.

PT Security, a UK-based cyber security company, and Amit Serper from Cybereason have discovered a kill-switch for Petya ransomware. According to a tweet, the company has advised users to create a file, “C:\Windows\perfc”, to prevent ransomware infection.
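As an added example (not from the original post), a PowerShell check-and-harden script covering three of the recommendations above on a single Windows host: SMBv1 status, permanent local administrators, and the perfc kill-switch file. Making perfc read-only follows the vaccine as it was commonly described at the time, which the post itself does not mention; the SMB1Protocol feature name is the Windows 10 one, with the Server equivalent noted in a comment.

```powershell
# Added example (not from the original post): check and harden a Windows host
# against the three controls discussed above. Run from an elevated prompt.

# 1. SMBv1: EternalBlue (MS17-010) targets SMBv1, so report it and turn it off.
$smb1 = (Get-SmbServerConfiguration).EnableSMB1Protocol
"SMBv1 server protocol enabled: $smb1"
if ($smb1) {
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    # Remove the component too, so nothing re-enables it (reboot needed).
    # Windows 10 feature name; on Windows Server use: Remove-WindowsFeature FS-SMB1
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart
}

# 2. Least privilege: who is a permanent member of local Administrators?
#    The well-known SID is used so this works on non-English installs too.
Get-LocalGroupMember -SID 'S-1-5-32-544' |
    Select-Object Name, ObjectClass, PrincipalSource

# 3. Kill-switch file: C:\Windows\perfc. The sample the post refers to checks
#    only that the file exists, so an empty file is enough; read-only is the
#    commonly described extra (assumption, not from the post).
$perfc = Join-Path $env:windir 'perfc'
if (-not (Test-Path -LiteralPath $perfc)) {
    New-Item -Path $perfc -ItemType File | Out-Null
}
Set-ItemProperty -LiteralPath $perfc -Name IsReadOnly -Value $true
Get-Item -LiteralPath $perfc | Select-Object FullName, IsReadOnly, Length
```

The perfc file stops one specific sample and nothing else; the SMBv1 and local-admin changes are the controls that hold up against the next variant, so treat the vaccine as a stop-gap while those two are rolled out.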


Installing PHP for IIS Using Microsoft Web Platform Installer Offline

You may need to install PHP for IIS using the offline installer.

  1. Download and install the Microsoft Web Platform Installer (from http://php.iis.net) on a computer that has Internet access and on the server where PHP is to be installed.
  2. Create a local folder for the WebPI offline cache, e.g. C:\TEMP\WebPIOffline
  3. Run: WebPICMD.exe /List /ListOption:All >C:\TEMP\WebPIOffline\Products.txt
  4. Review Products.txt for the products you need to install.
    I needed PHP54, PHPManager and SQLDriverPHP54IIS
  5. Run the following commands on the computer with Internet access (one per product; each pulls the product and its dependencies into the cache):
    1. WebPICMD.exe /Offline /Products:PHP54 /Path:C:\TEMP\WebPIOffline
    2. WebPICMD.exe /Offline /Products:PHPManager /Path:C:\TEMP\WebPIOffline
    3. WebPICMD.exe /Offline /Products:SQLDriverPHP54IIS /Path:C:\TEMP\WebPIOffline
  6. Copy the WebPIOffline folder to the server without Internet access (here to C:\WebPIOffline)
  7. Run the following commands on the computer without Internet access to install the products:
    1. WebPiCmd.exe /Install /Products:PHP54 /XML:C:\WebPIOffline\feeds\latest\webproductlist.xml
    2. WebPiCmd.exe /Install /Products:PHPManager /XML:C:\WebPIOffline\feeds\latest\webproductlist.xml
    3. WebPiCmd.exe /Install /Products:SQLDriverPHP54IIS /XML:C:\WebPIOffline\feeds\latest\webproductlist.xml

Products should now be installed and you can continue with your configuration
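The two halves of the procedure as PowerShell functions, added here as an example (not from the original post). Product IDs and paths are the ones used above; WebPICMD.exe is assumed to be on PATH, and /AcceptEULA is WebPICMD's own switch for unattended installs rather than something the post uses. The addition a practitioner wants is the SHA-256 manifest: the cache travels to the disconnected server on removable media, so verify it before installing anything from it.

```powershell
# Added example (not from the original post): offline WebPI export/install as
# functions, with a SHA-256 manifest so the copied cache is verified first.
# Assumptions: WebPICMD.exe is on PATH (it lives under
# %ProgramFiles%\Microsoft\Web Platform Installer); /AcceptEULA is WebPICMD's
# unattended-install switch and is not mentioned in the post.
$Products = 'PHP54', 'PHPManager', 'SQLDriverPHP54IIS'

function Export-WebPiOfflineCache {
    # Run on the Internet-connected machine.
    param([string]$Cache = 'C:\TEMP\WebPIOffline')
    New-Item -ItemType Directory -Path $Cache -Force | Out-Null
    WebPICMD.exe /List /ListOption:All | Set-Content -Path (Join-Path $Cache 'Products.txt')
    foreach ($p in $Products) {
        WebPICMD.exe /Offline /Products:$p /Path:$Cache
        if ($LASTEXITCODE -ne 0) { throw "WebPICMD /Offline failed for $p (exit $LASTEXITCODE)" }
    }
    # One line per file: "<sha256>  <path relative to the cache root>".
    # Written last, and excluded from the listing, so it is not hashed itself.
    Get-ChildItem -Path $Cache -Recurse -File |
        Where-Object { $_.Name -ne 'manifest.sha256' } |
        ForEach-Object {
            $hash = (Get-FileHash -Algorithm SHA256 -LiteralPath $_.FullName).Hash
            "$hash  $($_.FullName.Substring($Cache.Length).TrimStart('\'))"
        } |
        Set-Content -Path (Join-Path $Cache 'manifest.sha256')
}

function Install-WebPiOfflineCache {
    # Run on the disconnected server after copying the folder over.
    param([string]$Cache = 'C:\WebPIOffline')
    foreach ($line in Get-Content (Join-Path $Cache 'manifest.sha256')) {
        $expected, $rel = $line -split '  ', 2
        $actual = (Get-FileHash -Algorithm SHA256 -LiteralPath (Join-Path $Cache $rel)).Hash
        if ($actual -ne $expected) { throw "Hash mismatch for $rel (incomplete copy or tampered cache)" }
    }
    $feed = Join-Path $Cache 'feeds\latest\webproductlist.xml'
    foreach ($p in $Products) {
        WebPICMD.exe /Install /Products:$p /XML:$feed /AcceptEULA
        if ($LASTEXITCODE -ne 0) { throw "WebPICMD /Install failed for $p (exit $LASTEXITCODE)" }
    }
}

# Export-WebPiOfflineCache    # on the connected machine
# Install-WebPiOfflineCache   # on the server, after the copy
```

The manifest rides along with the cache, so on its own it only catches an incomplete copy. To catch tampering in transit as well, take Get-FileHash of manifest.sha256 on the connected machine and compare it on the server through a channel the carrier medium cannot alter (written down, or sent separately).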

Install Spotify for Kodi (Krypton Jarvis)

I prefer to use Kodi on my Raspberry Pi; it's simple and runs very well.
Unfortunately there is no native support for Spotify – Marcel van der Veldt to the rescue.

Marcel put up a nice music add-on for Spotify; it even works very well with Spotify Connect/streaming devices.

  1. Download and copy the Marcelveldt Repository zip file to your Kodi box
  2. Open Kodi -> System -> Add-ons -> Install from zip file (if you copied it to a folder other than the repository folder, use “browse in root file system”)
  3. Install and wait for the add-on enabled notification
  4. Go to install add-on from repository and select Marcelveldt's Beta Repository
  5. Select Music Add-ons
  6. Select Spotify
  7. Select Install
  8. Wait for the add-on enabled notification
  9. Select Spotify
  10. Select Configure
  11. Add your Spotify username and password
  12. Reboot

..And you're done! 🙂

You can access your Spotify playlists from music add-ons.
Your device will also be visible for streaming to/from – I tested it from my iPhone 7, works great! 🙂


Multiple subdomains with LetsEncrypt? YES!

Need to add multiple subdomains with LetsEncrypt?
Maybe a certificate for WWW and non-WWW?

Do a dry run first, to test it:

./certbot-auto certonly -d originaldomain.com -d www.originaldomain.com -d new.originaldomain.com -d new2.originaldomain.com -d new3.originaldomain.com --dry-run

Every -d name ends up in the same certificate as a Subject Alternative Name, and --dry-run goes against the staging environment, so it does not count against the issuance rate limits. Since the names are published in the certificate (and in Certificate Transparency logs), keep internal-only hostnames out of the list.

I tested it with apache2 – works great!

Windows 10 hangs after patches May/17 (Windows Defender & Trend Micro)

There seems to be an issue with Trend Micro and Windows Defender after the Windows/Defender patches have been applied.

The quick workaround is to deploy a registry value:
Key: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows Defender
DWORD value: DisableAntiSpyware = 1

In case it does not exist, go ahead and create it.
Restart and you should see things start working again.

If you have the issue on many machines, you should be able to deploy it using Group Policy Preferences.

NOTE: You can also enter safe mode and create the needed key.
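The workaround as a script, added here as an example (not from the original post): it sets the value, shows how to confirm after the reboot that Defender actually stood down while Trend Micro remains the registered AV, and rolls the value back, because DisableAntiSpyware switches Defender off entirely and should not outlive the vendor fix. Note that Microsoft has since deprecated this value and Windows 10 builds from 2020 onward ignore it, so treat this as the 2017-era workaround it was.

```powershell
# Added example (not from the original post): apply the DisableAntiSpyware
# workaround, verify it after the reboot, and remove it again later.
# Run from an elevated prompt; reboot after the change, as the post says.
$Key  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows Defender'
$Name = 'DisableAntiSpyware'

function Set-DefenderWorkaround {
    param([switch]$Remove)
    if ($Remove) {
        # Roll back: drop the policy value so Defender can re-enable itself.
        Remove-ItemProperty -Path $Key -Name $Name -ErrorAction SilentlyContinue
        return
    }
    # Create the policy key if it does not exist yet, then the DWORD = 1.
    if (-not (Test-Path $Key)) { New-Item -Path $Key -Force | Out-Null }
    New-ItemProperty -Path $Key -Name $Name -PropertyType DWord -Value 1 -Force | Out-Null
}

Set-DefenderWorkaround
(Get-ItemProperty -Path $Key -Name $Name).$Name   # expect 1

# After the reboot: Defender should report itself disabled, and the third-party
# product should still be the AV registered in Security Center (Windows 10).
Get-MpComputerStatus | Select-Object AntispywareEnabled, AntivirusEnabled, RealTimeProtectionEnabled
Get-CimInstance -Namespace root/SecurityCenter2 -ClassName AntiVirusProduct |
    Select-Object displayName, productState

# Once the Trend Micro/Defender fix is deployed, undo the workaround:
# Set-DefenderWorkaround -Remove
```

If Get-MpComputerStatus still shows AntispywareEnabled as True after the reboot, the value was not picked up (wrong hive, or a newer build that ignores it) and the machine is running both engines again, which is the state that caused the hang in the first place.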

Reference links:

https://technet.microsoft.com/en-us/library/cc749126(v=ws.10).aspx

https://docs.microsoft.com/en-us/windows/threat-protection/windows-defender-antivirus/deploy-manage-report-windows-defender-antivirus

https://support.microsoft.com/en-us/help/12376/windows-10-start-your-pc-in-safe-mode