Sunday, January 16, 2011

Migrating security certificate from IIS 6.0 to IIS 7.0

Hi,

We have a security certificate configured in IIS 6.0 on our old server. We are migrating to a new server. How do I migrate the security certificate of our website from IIS 6.0 to IIS 7.0?

  • You'll need to export the certificate to a pfx file (go through the certificate wizard, and export should be one of the options). Then import this certificate into IIS 7 on the Windows 2008 machine.

    From mrdenny
  • The Certificates snap-in isn't in Administrative Tools like you may assume. From your Run prompt type "MMC" then add a snap-in for Certificates. You'll likely find your certificate under "Personal". Export that and import it to IIS7. In IIS7 you can do the import at the top level of IIS. You don't need to use the Certificates snap-in.

    Dscoduc : Why not just use the IIS Management Console to export the certificate?
    Scott Forsyth - MVP : You can do that too. I tend to do it in the MMC snap-in directly, but IIS Manager can do an export well too. Both will accomplish the same for a simple export.
  • See http://www.sslshopper.com/move-or-copy-an-ssl-certificate-from-a-windows-server-to-another-windows-server.html

    From Robert

Enabling external accounts on Snow Leopard.

Hello, I have a mac running snow leopard and I would like to create an external account (i.e. one which resides on a usb drive and shows up on the login screen when the usb drive is inserted). I tried using /System/Library/CoreServices/ManagedClient.app/Contents/Resources//createmobileaccount but to no avail. My machine is not connected to os x server. Do you have any suggestions?

  • I would create a normal account then move the home folder to the usb stick and change the home path.

    To change the home path, go to System Preferences -> Accounts -> (if the lock at the bottom left is closed, click on it then enter your password) -> right click on the freshly created remote account -> Advanced options … -> Click on the button to choose the new home folder on the USB key.

    From Studer

How to benchmark openvpn server.

I've successfully set up a tunnel between my home Ubuntu desktop (Japan) and my remote server (UK) using openvpn. I've set it so that I can have the server fetch pages for me, hiding my desktop IP to bypass geo restrictions (tv, radio etc) whilst I'm abroad.

Sometimes the playback is very choppy and I want to pinpoint why. Is it my configs? Is it the location of the server? Is it just that the webpage being accessed is very busy at that time of day? Would switching the server location to London instead of Maidenhead make a difference?

I'm wondering how best to go about this. Any ideas? Tools, tips etc? I am a server newb but not to stuff like programming, so not afraid of the console etc.

  • I'd start with one of the available network benchmarks (google results).

    You can try one of the web-based ones, like Speedtest, too :)

    • Also, how fast is your connection?
    • How fast are the intervening connections?
    • Does the VPN sometimes route/connect across faster pipes than others?
    From warren
  • I would check some things:

    • Bandwidth between the client and server.
    • Bandwidth between the server and the internet.
    • Latency between the client-server, client-internet (using the vpn), client-internet (not using the vpn). Compare.
    • When the connection slows down, you need to check which other traffic is using the server. Is this server also working as proxy/router to other clients?. iftop would be a useful tool.
    From HD
  • Most probably it's the network latency between the two ends of the tunnel; if you feel artistic, use some graphical tools (cacti, for example, if not plain rrdtool) to keep track of various issues - latency, traffic, etc.

    James : Smokeping (http://oss.oetiker.ch/smokeping/) is great for visualizing latency. Written by the rrdtool author too!
    petre : forgot about this one ... it suits better for this particular situation, indeed
    From petre

Openvpn : Vista client and Linux Server. All internet traffic is not being directed through vpn

EDITED - Just added

push "redirect-gateway def1"
push "dhcp-option DNS 10.254.1.1"

and it works fine for Vista now.. not sure if it will mess it up for my Linux client though. Can anyone explain the difference between the Linux and Windows client setup?

END EDIT

I got openvpn to work for my desktop Ubuntu and Linux remote server and am able to redirect all my internet traffic through the remote server thanks to this community's help in this post

However I'm now trying to do the same with my Vista desktop acting as client. But when I use the client settings from my Ubuntu client in Vista with some small modifications, it connects successfully and pings fine but doesn't direct all traffic. Are there some differences between Windows and Linux client configs?

Here are my Vista configs

client
dev tun
proto tcp
remote xxx.xxx.xx.xxx  1194
resolv-retry infinite
nobind
;user nobody
;group nogroup
persist-key
persist-tun
ca ca.crt
cert adamvista.crt
key adamvista.key
ns-cert-type server
cipher BF-CBC
comp-lzo

verb 3

Here's the server conf

port 1194
proto tcp
dev tun
ca ca.crt
cert server.crt
key server.key  # This file should be kept secret
dh dh1024.pem
server 10.254.1.0  255.255.255.0
ifconfig-pool-persist ipp.txt
push "redirect-gateway"
keepalive 10 120
comp-lzo
user nobody
group nobody
persist-key
persist-tun
status openvpn-status.log
log openvpn.log
verb 3

I've noticed that some tutorials mention in the server configs to use

push "redirect-gateway local def1"
push "dhcp-option DNS 10.8.0.1"

whereas my server.conf for my Linux server to Linux client only had this in the Linux sample I adopted

push "redirect-gateway"

What's the difference here? Is it a Windows / Linux thing?

Can anyone help on these matters?

I also have a lot of tunnel adaptors when I do ipconfig. Perhaps they are creating a problem? Here's the output whilst I'm connected (excuse the Japanese OS printout)

Windows IP 構成

   ホスト名 . . . . . . . . . . . . : Adam-PC
   プライマリ DNS サフィックス . . . . . . . :
   ノード タイプ . . . . . . . . . . . . : ハイブリッド
   IP ルーティング有効 . . . . . . . . : いいえ
   WINS プロキシ有効 . . . . . . . . : いいえ

イーサネット アダプタ ローカル エリア接続 2:

   接続固有の DNS サフィックス . . . :
   説明. . . . . . . . . . . . . . . : TAP-Win32 Adapter V9
   物理アドレス. . . . . . . . . . . : 00-FF-D5-B0-0B-B7
   DHCP 有効 . . . . . . . . . . . . : はい
   自動構成有効. . . . . . . . . . . : はい
   リンクローカル IPv6 アドレス. . . . : fe80::9cc0:63ff:d412:e553%16(優先)
   IPv4 アドレス . . . . . . . . . . : 10.254.1.10(優先)
   サブネット マスク . . . . . . . . : 255.255.255.252
   リース取得. . . . . . . . . . . . : 22 September 2009 19:15:36
   リースの有効期限. . . . . . . . . : 22 September 2010 19:15:36
   デフォルト ゲートウェイ . . . . . :
   DHCP サーバー . . . . . . . . . . : 10.254.1.9
   DNS サーバー. . . . . . . . . . . : fec0:0:0:ffff::1%1
                                       fec0:0:0:ffff::2%1
                                       fec0:0:0:ffff::3%1
   NetBIOS over TCP/IP . . . . . . . : 有効

イーサネット アダプタ ローカル エリア接続:

   接続固有の DNS サフィックス . . . :
   説明. . . . . . . . . . . . . . . : Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller
   物理アドレス. . . . . . . . . . . : 00-23-54-0D-37-61
   DHCP 有効 . . . . . . . . . . . . : はい
   自動構成有効. . . . . . . . . . . : はい
   リンクローカル IPv6 アドレス. . . . : fe80::ed4d:1531:62a3:ab2e%8(優先)
   IPv4 アドレス . . . . . . . . . . : 192.168.11.2(優先)
   サブネット マスク . . . . . . . . : 255.255.255.0
   リース取得. . . . . . . . . . . . : 22 September 2009 18:11:35
   リースの有効期限. . . . . . . . . : 24 September 2009 18:11:34
   デフォルト ゲートウェイ . . . . . : 192.168.11.1
   DHCP サーバー . . . . . . . . . . : 192.168.11.1
   DNS サーバー. . . . . . . . . . . : 192.168.11.1
   NetBIOS over TCP/IP . . . . . . . : 有効

Tunnel adapter ローカル エリア接続* 6:

   メディアの状態. . . . . . . . . . : メディアは接続されていません
   接続固有の DNS サフィックス . . . :
   説明. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter
   物理アドレス. . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 有効 . . . . . . . . . . . . : いいえ
   自動構成有効. . . . . . . . . . . : はい

Tunnel adapter ローカル エリア接続* 7:

   接続固有の DNS サフィックス . . . :
   説明. . . . . . . . . . . . . . . : Teredo Tunneling Pseudo-Interface
   物理アドレス. . . . . . . . . . . : 02-00-54-55-4E-01
   DHCP 有効 . . . . . . . . . . . . : いいえ
   自動構成有効. . . . . . . . . . . : はい
   IPv6 アドレス . . . . . . . . . . . : 2001:0:cf2e:3096:c01:3e32:3f57:f4fd(優先)
   リンクローカル IPv6 アドレス. . . . : fe80::c01:3e32:3f57:f4fd%9(優先)
   デフォルト ゲートウェイ . . . . . : ::
   NetBIOS over TCP/IP . . . . . . . : 無効

Tunnel adapter ローカル エリア接続* 11:

   メディアの状態. . . . . . . . . . : メディアは接続されていません
   接続固有の DNS サフィックス . . . :
   説明. . . . . . . . . . . . . . . : Microsoft ISATAP Adapter #2
   物理アドレス. . . . . . . . . . . : 00-00-00-00-00-00-00-E0
   DHCP 有効 . . . . . . . . . . . . : いいえ
   自動構成有効. . . . . . . . . . . : はい
  • Translation through Google (Hope it's still correct):

    Windows IP Configuration

    Host Name............: Adam-PC
    Primary DNS Suffix.......:
    Node Type............: Hybrid
    IP Routing Enabled........: No
    WINS Proxy Enabled........: No

    Ethernet adapter Local Area Connection 2:

    Connection-specific DNS Suffix...:
    Description...............: TAP-Win32 Adapter V9
    Physical Address...........: 00-FF-D5-B0-0B-B7
    DHCP Enabled............: Yes
    Enable automatic configuration...........: Yes
    Link-local IPv6 Address....: fe80::9cc0:63ff:d412:e553%16 (preferred)
    IPv4 Address..........: 10.254.1.10 (preferred)
    Subnet Mask........: 255.255.255.252
    Obtaining a lease............: 22 September 2009 19:15:36
    Expiration of the lease.........: 22 September 2010 19:15:36
    Default Gateway.....:
    DHCP Server..........: 10.254.1.9
    DNS server...........: fec0:0:0:ffff::1%1
                           fec0:0:0:ffff::2%1
                           fec0:0:0:ffff::3%1
    NetBIOS over TCP / IP.......: Enabled

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix...:
    Description...............: Atheros AR8121/AR8113/AR8114 PCI-E Ethernet Controller
    Physical Address...........: 00-23-54-0D-37-61
    DHCP Enabled............: Yes
    Enable automatic configuration...........: Yes
    Link-local IPv6 Address....: fe80::ed4d:1531:62a3:ab2e%8 (preferred)
    IPv4 Address..........: 192.168.11.2 (preferred)
    Subnet Mask........: 255.255.255.0
    Obtaining a lease............: 22 September 2009 18:11:35
    Expiration of the lease.........: 24 September 2009 18:11:34
    Default Gateway.....: 192.168.11.1
    DHCP Server..........: 192.168.11.1
    DNS server...........: 192.168.11.1
    NetBIOS over TCP / IP.......: Enabled

    Tunnel adapter Local Area Connection * 6:

    State of the media..........: Media is not connected
    Connection-specific DNS Suffix...:
    Description...............: Microsoft ISATAP Adapter
    Physical Address...........: 00-00-00-00-00-00-00-E0
    DHCP Enabled............: No
    Enable automatic configuration...........: Yes

    Tunnel adapter Local Area Connection * 7:

    Connection-specific DNS Suffix...:
    Description...............: Teredo Tunneling Pseudo-Interface
    Physical Address...........: 02-00-54-55-4E-01
    DHCP Enabled............: No
    Enable automatic configuration...........: Yes
    IPv6 Address...........: 2001:0:cf2e:3096:c01:3e32:3f57:f4fd (preferred)
    Link-local IPv6 Address....: fe80::c01:3e32:3f57:f4fd%9 (preferred)
    Default Gateway.....: ::
    NetBIOS over TCP / IP.......: Disabled

    Tunnel adapter Local Area Connection * 11:

    State of the media..........: Media is not connected
    Connection-specific DNS Suffix...:
    Description...............: Microsoft ISATAP Adapter #2
    Physical Address...........: 00-00-00-00-00-00-00-E0
    DHCP Enabled............: No
    Enable automatic configuration...........: Yes

    adam : wow never thought about using google for that. Nice one!
  • In the Linux server you're using "redirect-gateway", which means that the default gateway of the clients has been overridden and is pointing to the VPN. Try using "redirect-gateway" and check the results of:

    route -n (linux client)
    route print (windows client)
    

    And compare the default routes for both clients. I think that in Windows there is a conflict between routes and that's why using "redirect-gateway local def1" works, because this command doesn't remove the default gateway; instead, it routes all the traffic through the VPN with 0.0.0.0/1 and 128.0.0.0/1 routes. Check the "route print" results after using "redirect-gateway local def1" to see the differences. Linux clients must not have problems with this config.

    adam : Will try this out. Actually I made a typo above. There should be no "local" in the redirect gateway command. But I'll give this a shot to see if it helps me understand further what's going on under the hood.
    From HD
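
The routing behaviour HD describes, as an added example that is not part of the original thread: a Python sketch that applies longest-prefix matching to constructed route tables, showing why the two /1 routes from "redirect-gateway def1" capture all traffic without deleting the default route, and how competing default routes let traffic bypass the tunnel. Assumptions: 192.168.11.1 and 10.254.1.9 are taken from the ipconfig output above (10.254.1.9 is assumed to be the tunnel-side gateway), 203.0.113.10 is a placeholder for the elided server address, and the metrics are constructed.

```python
import ipaddress

LAN_GW = "192.168.11.1"      # LAN default gateway shown in the ipconfig output
VPN_GW = "10.254.1.9"        # assumption: tunnel-side gateway (the TAP adapter's DHCP server)
VPN_SERVER = "203.0.113.10"  # constructed placeholder; the real server address is elided
ON_LINK = "on-link"
PROBES = ["8.8.8.8", "198.51.100.7"]  # one address in each half of the IPv4 space


def route(prefix, gateway, metric=0):
    """A route as (network, gateway, metric)."""
    return (ipaddress.ip_network(prefix), gateway, metric)


def lan_only_table():
    """Constructed client table before the VPN connects."""
    return [route("0.0.0.0/0", LAN_GW, 20),
            route("192.168.11.0/24", ON_LINK, 20)]


def with_tunnel(table):
    """Routes every redirect-gateway variant needs: the tunnel subnet, plus a
    host route so encrypted packets to the server still leave via the LAN."""
    return table + [route("10.254.1.8/30", ON_LINK),
                    route(VPN_SERVER + "/32", LAN_GW)]


def redirect_gateway(table):
    """Plain redirect-gateway: delete the default route, add one via the VPN."""
    kept = [r for r in with_tunnel(table) if r[0].prefixlen != 0]
    return kept + [route("0.0.0.0/0", VPN_GW)]


def redirect_gateway_def1(table):
    """redirect-gateway def1: keep the default route, add two /1 routes."""
    return with_tunnel(table) + [route("0.0.0.0/1", VPN_GW),
                                 route("128.0.0.0/1", VPN_GW)]


def conflicting_defaults(table):
    """Constructed failure case: the old default route was not removed and the
    VPN default went in with a worse metric, so two 0.0.0.0/0 routes compete."""
    return with_tunnel(table) + [route("0.0.0.0/0", VPN_GW, 30)]


def next_hop(table, dest):
    """Longest prefix wins; the metric only breaks ties between equal prefixes."""
    addr = ipaddress.ip_address(dest)
    matches = [r for r in table if addr in r[0]]
    if not matches:
        return None
    return max(matches, key=lambda r: (r[0].prefixlen, -r[2]))[1]


def bypassing_tunnel(table, probes):
    """Probe addresses whose traffic would leave via the LAN gateway."""
    return [p for p in probes if next_hop(table, p) == LAN_GW]


if __name__ == "__main__":
    base = lan_only_table()
    cases = [("no VPN", base),
             ("redirect-gateway", redirect_gateway(base)),
             ("redirect-gateway def1", redirect_gateway_def1(base)),
             ("competing default routes", conflicting_defaults(base))]
    for name, table in cases:
        print(f"{name}: bypassing tunnel -> {bypassing_tunnel(table, PROBES)}")
```

Comparing real `route -n` or `route print` output against these cases shows which situation a client is in: two 0.0.0.0/0 entries with the LAN gateway at the lower metric means traffic is leaving outside the tunnel.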

Find's -true option: what for?

GNU find (and others?) has a -true test along with the normal -name, -mode, -user and so on. From the man page:

-true Always true.

Every time I see the man page I notice this and wonder when it'd be useful. So, give me some examples of when it's useful :~)

  • When you want to list all files in find format to pipe into another program ?

    I guess it must be more efficient than using -name "*" or something similar.

    Dennis Williamson : `find` with no arguments at all does that.
    Julien Tartarin : Sure, but it's more explicit and has the same syntax with `-true`
    Dennis Williamson : How so?
  • Might be useful for debugging when you are ANDing or ORing statements. So if you have a long command with a complex chain of arguments with lots of AND / OR between the statements, and something that isn't working like you expect, you could replace parts of it with -true to check your logic.

    However, I am not sure if this is why it is there, but seems like a legitimate use.

  • Consider find -delete -o -true -print. It's not too useful, but it's a pointer that you can think of -true or -false as means to override an in-expression result of some command with side effects.

    From diunko

postgres stats and opennms

What is the best (or easiest?) way to monitor postgres 8.4 stats in OpenNMS 1.76?

SNMP? How?

SBS2003 R2 - certificates

I get a log error OAL GENERATOR 9323.

Seems some users have invalid certificates; however, when opening the tab in the user properties under the Global Address Lists preview option, Active Directory reports that it cannot open the certificate archive.

ERROR --- Source: MSExchangeSA Category: OAL Generator Event-id: 9323

Entry '###### ######- Search & Co Groep' has invalid or expired e-mail certificates. These certificates will not be included in the offline address list for '\Global Address List'.
- Default Offline Address List

How can I resolve this when I cannot delete the certs? Anyone? :)

Dedicated server in Tokyo

I'm looking for a dedicated web server in the Tokyo metropolitan area with at least 2 cores (preferably 4) and 4GB RAM. Also, I need to run Linux. I don't have any connections in Tokyo, but I thought that someone here might have a good suggestion from past experience.

What do you use for your SAN (iSCSI)?

Hi, all!

I want to know what SAN solutions most people use.

It can be something preconfigured from storage vendors (EMC CLARiiON, HP EVA, HP Modular Smart Array) or custom-built systems running OpenFiler, NexentaStor, OpenSolaris Storage, StarWind Server, etc.

Thanks in advance.

  • Why have you got iSCSI in the title? Are you only interested in iSCSI solutions, as SAN can encompass more than just that?

    I'm a bit of a storage geek and have used HDS boxes and their HP XP equivalents, HP EVA extensively, HP MSAs quite a lot (love their new'ish 2000fc G2 model btw), a few NetApps and the odd EMC box. Also worked a bit with Openfiler and LeftHand too.

    It all comes down to what you need to achieve and what support resources you have available. If you need as close to 100% availability or the best performance under load then I think it's hard to beat top-end FC boxes, of course these need some fairly specialist skills and don't come cheap. If you're after the best bang for the buck then some of these software/VM based solutions can't be beat, they're cheap and fast but not as reliable as others. For most a compromise is perfectly adequate and in that case you can't really go wrong with EVAs or NetApps (with MSAs useful if the space/power/cash budget is low). Most people with a sensible amount of experience will naturally lean towards one model or another, I'm no exception and like EVAs as they're plenty fast enough and very simple to manage indeed.

    Best of luck.

    Sergius : Yes, I am interested only in iSCSI. Thanks for your reply.
    From Chopper3
  • for test storage mostly RHEL5.4 with tgtd

    for production - NetApp and Dell MD3000i

    From dyasny
  • I've tested FreeNAS and Open-E. Now I'm using StarWind. I'm fully satisfied with their product and service.

    From LasseRenz
  • We're mainly using a somewhat expensive Compellent SAN solution with both FC and iSCSI for our core services, and some old MSA 1000's in our production colo sites for some cluster services. We're looking at some other SANs for our production environments though.

    Compellent has some nice features such as tier-based storage, volume delta replication, "Phone Home", where the controller sends all its config and RAID array config to co-pilot (Compellent support) as a security measure in case of controller failure, and secure tunneling for the support personnel from co-pilot to log in to your controller and perform actions for you and healthchecks n stuffs.

    From MrTimpi
  • I used Openfiler. Soon after year of receiving errors from Openfiler, I realized that I should choose another iSCSI, and it Failed Fatally:)

    MrTimpi : this is a bit thin, please explain what failed and why we should or should not use Openfiler?
  • If you want to pay for manual $60 - use Openfiler. My storage is <2TB, so I'm using StarWind Free.

    From ErickSweyn
  • We've currently got:

    • HP Lefthand P4500 (2 nodes)
    • NetApp FAS270c (which the HP Lefthand replaced)

    Looked at FalconStor, Compellent, HP Eva, EMC and a bigger NetApp before going for the Lefthand, which did most of what the NetApp/EMC did but at half the price. We wanted something with good 'enterprise' grade 24x7 4 hour response support for when it hit the fan so this ruled most of the freebies/low cost solutions out.

    A drawback of using iSCSI, if you're not aware of it: VMware do not support Microsoft Clustering Services on iSCSI/NFS storage under ESX/vSphere. This may change in the future. This was a bummer as we were looking at clustering our SQL Servers on to VMware/Lefthand.

    lukecyca : +1 for Lefthand
    From
  • We've had success using a variety of NetApp filers to host iSCSI LUNs.

  • We have two Dell Equallogic PS6000. One is our master SAN replicating to another unit in a different part of the building. Especially the integration with Citrix XenServer (Volume creation, snapshots, Thin-Provisioning, Disaster-Recovery) caught our interest.

    Those are very nice pieces of hardware. You get dual power-supplies, dual-controllers (firmware upgrades without downtime!), each controller has 4 gigabit Ethernet connections, a webbased platform-independent management, SNMP, replication, stackability (up to twelve? units, doesn't need to be the same models), SATA, SAS or SSD drives (hot-swappable), different RAID-levels (including RAID6) ...

    Our service-plan is 24x7x4 and the units have a phone-home feature (which can be turned off), which alerts Dell/Equallogic in case a drive is failing.

    Only drawback (apart from the price) which we encountered is snapshots not being replicated from one unit to another. Other than that, we are extremely satisfied with performance, reliability and usability.

    From smichaelis
  • We use an HP MSA 2012i, storing roughly 2TB of data and lots of VM images.

    Horrible unit, we've had nothing but trouble, including 100s of GB of data loss after installing a required firmware upgrade (had to hire a consultant to fix it, but we didn't get our data back).

    In retrospect I would have been better served by something like FreeNAS, and lots of commodity hard drives in a very redundant RAID.

    I have been impressed by Dell's Equallogic offerings but they are unfortunately over our budget, especially since we've already thrown away $10,000 on the MSA.

    From Seth

Move site collection

Hi,

Is it possible to move a site collection from one web application to another?

I currently have a site collection developed in a web application called ABC. We need to transfer this site collection to another web application called DEF.

These 2 web apps are on the same MOSS server. Can stsadm do this?

Thanks !

How can I start multiple programs simultaneously?

I have 4 programs that I'd like to start by using only 1 script or shortcut. How can I achieve this? Is Powershell able to do that? I tried to do it using a .bat file but the script pauses until the program is stopped...

  • You can start multiple applications in a batch file without pausing using start:

    start /d "C:\Program Files (x86)\Internet Explorer\" iexplore.exe
    start /d "C:\Program Files (x86)\Mozilla FireFox\" firefox.exe

    The above in a batch file will start both IE and FireFox together.

    The /d indicates the working folder for the command and the last part is the command name.

    If you specifically want to use Powershell you will need to call the System.Diagnostics library in .Net to launch the external process as follows:

    [Diagnostics.Process]::Start('yourapplication','arguments')

    From Diago

Keep having to run aspnet_regiis

Not sure if this belongs here or in SO but here goes anyway...

We have a CruiseControl.NET server that performs nightly builds on our applications and then publishes the resulting output to the IIS instance on the same box - this acts as our test deployment for QA.

Everything has been running fine for months until we moved to a new server (Win2003 R2 SP1) - actually a VM.

Now, whenever the nightly build publishes to IIS we get an error in the browser stating The compiler failed with error code 128. This never happened on the old server!

Running aspnet_regiis -i will get the site back online but I'm baffled as to why IIS seems to have forgotten all about .NET as the result of a simple file copy.

I've reviewed the publish stage of the build process and moved from the good old-fashioned batch script to a 'cleaner' nAnt script but the problem remains.

If I run the above command, clear out the events logs and then access the site a new event appears:

The configuration information of the performance library
"C:\WINDOWS\system32\infoctrs.dll" for the "InetInfo" service does not match 
the trusted performance library information stored in the registry. 
The functions in this library will not be treated as trusted.

But the site does still load without any problems. If I then run either of the publish scripts (.bat or .build) then access the site, another identical event appears and the compilation error is displayed (running aspnet_regiis fixes it though).

If I manually delete the old files and copy across the new ones then once again the Compiler Error is displayed in the browser.

Now the quick fix is to run aspnet_regiis as part of the build script but frankly that just smells too bad.

[Edit 12/11/09]: I've been kicking this around for a little while now and still don't really know why it is happening. I've reinstalled IIS and .NET 2.0 & 3.0 (3.5 is not needed!) but the problem persisted. Finally I tried deploying the application using files built via a 'Release' build (as opposed to 'Debug') and this appears to have resolved the problem - but I don't know why.

I'll find out tomorrow morning after the nightly builds have run in anger so hopefully I have some good news waiting for me. Assuming this is the problem, why should it make a difference? This process was running fine for months on the physical server - why should it be causing problems on the VM?

Anyone have any ideas, suggestions or solutions..? Thanks in advance

  • It could be related to the default framework of a web site, 1.1 or 2.0. aspnet_regiis sets the framework version.

    If you:

    • Install windows
    • Run all windows updates
    • Add application role

    OR

    • Install windows
    • Add application role
    • Run all windows updates

    Then the default framework is not the same. It could also be that your install is setting the framework version.

    DilbertDave : Not heard of that before but then I'm a Dev not a SysAdmin ;-) I'll check when I get into work tomorrow
    DilbertDave : Didn't get to it as quickly as I'd hoped - now the dev manager wants to demo from the test servers it's a priority, so I'm looking now. Will post updates back here if i get to the bottom of it :-\
  • The VM itself isn't being rolled back, is it?

    DilbertDave : The VM is backed up on a regular basis but not rolled back. It just seems to happen whenever I publish the build, i.e. not related to backup times etc.

IE security alert on SSL

Hi All,

We have a website hosted on IIS 6.0 with SSL. When we visit the website, it alerts the user with the usual security warning with "Yes", "No" and "View certificate" buttons. We click "Yes" and view the page. The page has some hyperlinks that point to the same site. After some time (maybe 20 to 35 mins), if I click any hyperlink it pops up the security alert again. Is this the default behaviour? Is there any workaround to change the way it works? Meaning, we are OK with the alert message the first time, and we need to suppress it when we visit some link after some time while the IE window is kept open.

Thanks in advance!

  • Yes this is the default behaviour for IE and cannot be suppressed, if it could then unscrupulous users could use this to suppress warnings for their Phishing sites etc. The only way to get round it is to buy a valid certificate, they are quite cheap nowadays.

    From Sam Cogan
  • This is all due to the fact that you're using a self signed certificate. What you can do is:

    1. buy a proper certificate from a certificate vendor (verisign is one) and use that cert instead of the self signed one
    2. set up your own internal CA and publish your self signed cert in there for all the LAN users to verify against
    3. install the certificate locally on all your users (rather tedious, but if your configuration is static, it might be enough)

    MrTimpi : If it is an enterprise CA from MS and you run Active Directory internally you can push both user and computer certificates. Though external users would still get the problem with certificate warnings.
    JohnyD : Install certificate to 'trusted root certificate authority'.
    From dyasny

Can SharePoint local drafts folder be eliminated as an option at check out?

When checking out documents using Office 2007 from a SharePoint library, the user is offered to copy the document to their local drafts folder. Is there a way to disable this option? I want all documents to stay on the SharePoint server and avoid local copies. I am using Windows SharePoint Services 3.0. Thanks.

  • You can make it unchecked by default. According to this forum post there is an option on the client. Change the Save / Configure option from "The server drafts location on this computer" to "The web server".

    There is also a registry key that appears to achieve the same thing mentioned here:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Offline\Options]
    "Local"=dword:00000000
    

    I don't think you can remove the checkbox from the dialog altogether. Another registry key described on that page hides the check out dialog completely. Test thoroughly before deploying this as it may have unintended side effects:

    [HKEY_CURRENT_USER\Software\Microsoft\Office\Common\Offline\Options]
    "ShowCheckOutDialog"=dword:00000000
    
    Alex Angas : @Steve: Yes, it's all tied up with the ActiveX controls installed with Office 200x (the "Windows SharePoint Services support" option in client setup).
    From Alex Angas

Automating the creation of a virtual machine from a template

What's the best way to go about creating a (Virtual PC/Server) virtual machine from a VHD template? Specifically, what's the best way to change the name of a virtual PC so that it is unique on a network, preferably without loading the VM?

  • reseal the VM with sysprep before you create the template. this will make every VM derived from the sysprepped template unique

    MrTimpi : just leave the computername field empty in the sysprep file n you'll be able to set the name @ the minisetup
    From dyasny

.htaccess: Transparently adding a name to the request

I've read this tutorial about how to modify your .htaccess in order to serve many web2py applications but it doesn't seem to work. Here is my .htaccess

RewriteEngine On

RewriteRule ^dispatch\.fcgi/ - [L]
RewriteRule ^(.*)$ dispatch.fcgi/$1 [L]

RewriteCond %{HTTP_HOST} =www.moublemouble.com [NC, OR]
RewriteCond %{HTTP_HOST} =moublemouble.com [NC]
RewriteRule ^/(.*) /moublemouble/$1 [PT,L]

All I get is a 500 Internal Error and .htaccess is not my strong point. Any clues?

  • The syntax for RewriteCond uses regular expressions that are matched against some string. You are trying to use some x = y syntax that is completely unsupported.

    Thus your last three lines should look something like this:

    RewriteCond %{HTTP_HOST} ^www\.moublemouble\.com$ [NC,OR]
    RewriteCond %{HTTP_HOST} ^moublemouble\.com$ [NC]
    RewriteRule ^/(.*) /moublemouble/$1 [PT,L]
    

    But please note that I only looked at the syntax and not the semantics of your rules.

    innaM : With what syntax? Mine or yours?
    innaM : I've removed the space between "NC," and "OR". The list of flags is comma-separated, not comma-space-separated.
    From innaM

Where should I modify the PATH var on OS X?

I recently installed MySQL on a new Mac OS 10.6.1 Snow Leopard system. MySQL seems to be running according to the control panel and the output of ps aux | grep mysql. However, on the command line the mysql command is not available because (I think) the dir /usr/local/mysql/bin is not in the PATH.

I could add this to /etc/bashrc...

export PATH=$PATH:/usr/local/mysql/bin

Yes, OK that worked.

But is that the right way to do it? Should I add it to /etc/profile instead? Or something else?

  • That is the correct way to do it. /etc/profile is for login or non-interactive shells

  • Another option is to set PATH in ~/.MacOSX/environment.plist. You can use RCEnvironment to edit environment.plist. One downside of environment.plist is that it doesn't expand environment variables, so you can't append to a variable. The upside is that it works for all applications, not just those run from a terminal.

    From outis

Economical Way of Hosting 150gb of data (about 253,000 images)

I've spent a large portion of this fine day searching for economical ways of hosting 253,000 images. Does anyone have any recommendations?

There is a little bit of legal adult content amidst the images. I'm not about to go through a quarter million images and find which ones have boobies.

I am a poor college student and I am doing this simply for the fun of it, but I would like to stay cheap. I heard fantastic stories of Amazon S3 and the wonders of its hosting capabilities. Has anyone used it for large-scale media hosting? If not, where else could I host these files?

Thanks for the read!

  • Amazon S3 isn't bad, and if you really just want to fire-and-forget, it could be a winner, although you'll pay more than if you did it right yourself.

    Plenty of web hosts, though, especially in the virtual and dedicated servers line, will give you 150GB of storage. If you're not serving too many of them real quickly, that will probably suffice. If you want to wrap a large website around it and do all sorts of other interesting things you might need to think harder about how you go about the hosting.

    If you give more details about what you're looking to do with the images beyond just "host them", you'll get more detailed answers about what would be appropriate.

    From womble
  • I work there, so obviously I'm biased, but Rackspace offers Cloud Files: linky. Rackspace and Amazon are basically the two biggest cloud providers right now. Something like 15cents/GB/mo storage, 22cents/GB/mo bandwidth, or something like that.

    I don't think DreamHost's "unlimited hosting" would be allowed for a photo distribution site, because of this:

    What's not allowed in "Unlimited"? Basically, sites whose essential purpose is to use disk or bandwidth.

    From phoebus
  • Yup, I've used S3 for 'large scale media hosting'--nearly a terabyte of videos. No real complaints.

    (We no longer use S3 like this, though. Our bandwidth usage was great enough to justify going with a CDR (Constant Data Rate) line to our servers.)

    You'll get effectively unlimited storage and unlimited bandwidth for your content, which is nice. Amazon's capacity in both those metrics is mind boggling. If your content gets popular then you'll start to notice the costs. S3 is downright cheap regarding storage space, unlike many more 'traditional' CDNs (Content Delivery Network). It amazes me to this day that companies can get away with charging > $1/GB of traffic for static content, when S3 is in the game.

    Lothar : I have to say that I find Amazon S3 expensive compared to the usual dedicated webservers. So if the OP does not have a huge service eating up CPU speed like crazy then a simple dedicated would be best.
    Stu Thompson : *Expensive?* 150GB is $22.50/mo + traffic (which the OP has not quantified.) *CPU?* The OP is not talking about hosting an application, just media. Maybe you are confused and thinking of EC2?
  • Dreamhost offers "unlimited" hosting space for about $10 a month. I can't see anything in their T&C that would disallow your images, provided you have the right to use said images.

    (No affiliation other than as a currently-satisfied customer)

    From mlp

HOWTO Change Drive Letter of DVD Drive on Windows Server 2008 Server Core

Hi,

I am configuring an HP Proliant DL580 G5 Server to run Microsoft Windows Server 2008 Enterprise Server Core with Hyper-V.

The storage configuration is as follows

RAID1 2x36GB Two RAID5 arrays - RAID0 and RAID1 - 4x300GB

After installation the drive letters assigned to the disks were C: (system), D: (RAID0), E: (RAID1), F: (SWAP) and G: for the DVD drive. Using DISKPART.EXE, I changed the drive letter assignments to C: (system), E: (RAID0), F: (RAID1), X: (SWAP) respectively.

How do I change the DVD drive from G: to D:?

Any help greatly appreciated.

James

  • Do you get an error message when you try using Diskpart to change the DVD drive's letter too? There shouldn't be anything stopping this.

    mh : +1; I've done this successfully using Diskpart many times in the past.

Which is better for performance a minimal virtual machine or full install?

I just started experimenting with ubuntu server. I have a minimal virtual machine ubuntu server 9.04 64bit running on my macbook. It's great for testing.

In actual practice, would a full install virtual machine be better performing? Or would the minimal machine perform better because of no gui or extra hardware requirements?

Thanks

  • The smaller the OS footprint the better the machine will perform. This is the same for VMs or for physical servers.

    sysadmin1138 : If anything, this effect is magnified on VM's.
    From mrdenny
  • How large of an install you do doesn't have much of an effect on performance, IMO. It just depends on which services you enable or disable, and the overhead of those services. A bunch of apps sitting on disk aren't going to hit you performance wise unless you're actually running them.

  • The difference is also more noticeable when there is a lot of disk activity: Virtual Machines are not great at writing to a disk, while silicon and metal are excellent.

    From HalfBrian

Connect to Cisco VPN using Shrew

I'm using Vista 64 and could not set up the Cisco 32 bit VPN client. I saw in one of the posts that you could use Shrew instead. I need some guidance on setting up Shrew to connect to my office network. I know the IP and group authentication details but do not have a pcf file or a security certificate

  • If you need the pcf file, get a machine that has the same connection group policy as you, and has the 32 bit Cisco client installed, and grab the .pcf file off that machine. It's normally in the program files\cisco systems\vpnclient\profiles directory. Maybe you can get what you need from there.

    I'm not familiar with Shrew, but when deploying the Cisco client here I just copy the .pcf file into that directory and then give the user their login/password.

    From
  • I would highly recommend getting away from the "old school" vpn client and pcf's and use the AnyConnect client. The hashed password embedded in the pcf is easily cracked. Are you connecting to an ASA?

    From GregD
  • Maybe you don't know that the Cisco client will not run under 64 bit and that Cisco is planning to discontinue it. The AnyConnect client is cool IF YOU ARE NOT USING IPSEC. AnyConnect will NOT connect to it. Nor will any future Cisco products. Because they are the number 1 supplier of hardware and have the largest base of IPSEC hardware, they want everyone to move to their new platform and buy new stuff. In our group we estimate that it will cost between eight and ten MILLION DOLLARS to change out the hardware. Are we? No. Are we buying any more Cisco hardware......NO

SSH remote access vpn tunnel

Hi All, I have two machines both running CentOS Linux, one is a public facing machine with a real ip address (foo). The other is at a client's site behind a very restrictive firewall and with no real ip and no possibility of natting or opening a port to it (bar).

I can ssh from bar to foo, however obviously not the other way round.

Ideally I would like to be able to ssh from foo to bar so I am able to send files, work remotely, etc. Would really appreciate any help or advice on how best to get this working, have seen various tutorials on the internet which suggest it should be possible to set up a VPN connection over ssh but can't quite seem to figure it out.

Jona

  • There are several options and lots of answers can be found on this site if you search. You can forward ports. You can use ssh as a socks proxy. Or you can actually tunnel ip over ssh using something like ppp.

    From Zoredache
  • Sounds like you are looking for something that works like Wippien or Remobo, which are inspired by the costly Hamachi client.

    From djangofan
  • This ought to do it for you (from bar):

    ssh -R2222:localhost:22 foo
    

    Then, on foo:

    ssh localhost -p 2222
    

    The first connection opens a remote port forward, which makes port 2222 on foo forwarded to port 22 on bar. So, if you ssh to port 2222 on foo, you are really connecting to bar. You can then add whatever forwards you need to through that ssh connection, to forward any other ports.

    Jona : Hi there, this is exactly what I want to do, however this specific syntax doesn't seem to work. One difference I notice is that I need to use ssh -p 2222 localhost. But obviously something else isn't working as this command outputs connection refused.
    pkaeding : Oops, yeah I made a mistake with the syntax. I fixed it now. Do you see anything interesting in the ssh session on bar? You can get information about open connections by hitting ~# (in sequence, not at the same time). Does that give back anything interesting?
    From pkaeding
  • Under CentOS the answer appears to be as follows:

    on bar (the restricted machine) run the following command:

    ssh -N -R 1234:localhost:22 foo.theinternet.com
    

    then on foo (the open machine) run:

    ssh -p 1234 localhost
    

    I suspect there are refinements to be made to this, but hopefully it will be enough to get any googlers started.

    Thanks to pkaeding for putting me on the right track.

    From Jona
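A check to run on foo once the forward is up, as an added example that is not part of the original answers: it reads `ss -ltn` output and reports any listener on the forwarded port (1234 or 2222 above) that is bound to something other than loopback, which is what happens when `GatewayPorts` is enabled in foo's sshd_config. The function names and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: confirm a reverse-forwarded port on foo is reachable from
# foo itself only. Reads `ss -ltn` output on stdin and prints the bind
# address of every listener on the given port that is not loopback.
# Function names are hypothetical; netstat output has a different layout.

nonlocal_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            addr = $4                        # "Local Address:Port" column
            n = match(addr, /:[0-9]+$/)      # split at the last colon (IPv6-safe)
            if (n == 0) next
            host = substr(addr, 1, n - 1)
            p = substr(addr, n + 1)
            if (p != port) next
            if (host ~ /^127\./ || host == "[::1]") next
            print host                       # e.g. 0.0.0.0, *, [::]
        }'
}

# Constructed sample: 1234 is loopback-only, 2222 is exposed on all interfaces.
sample_ss_output() {
    cat <<'EOF'
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     127.0.0.1:1234      0.0.0.0:*
LISTEN  0       128     [::1]:1234          [::]:*
LISTEN  0       128     0.0.0.0:2222        0.0.0.0:*
EOF
}

# Live use on foo:  ss -ltn | nonlocal_listeners 1234
```

No output means the port only accepts connections made from foo itself, so reaching bar still requires a login on foo first.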
  • You can create tun device, that is a full tunnel. Requirements are: probably root access in both client and server, and recent versions of SSH.

    server /etc/ssh/sshd_config

    PermitRootLogin yes
    PermitTunnel yes

    client /etc/ssh/ssh_config

    Tunnel yes

    Connect with: ssh -w any:any ...

    That will create a tun0 device on both client and server. You must set up IP:

    server

    ifconfig tun0 192.168.55.1 pointopoint 192.168.55.2

    client

    ifconfig tun0 192.168.55.2 pointopoint 192.168.55.1

    Now routes, NAT, whatever...

    Anyway I wouldn't recommend this method for connecting from bar to foo automatically, i.e. in a non-interactive fashion. If the TCP session dies it won't respawn automatically. Well, maybe you can make it respawn: http://www.deer-run.com/~hal/sysadmin/SSH-SyslogNG.html

    There should be a way to create a VPN between the two hosts, not necessarily based on SSH.

    Jona : Will this work when one of the machines is private so I can only ssh in one direction?
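A configuration check for the SSH server end, as an added example that is not part of the original answers: the tun answer turns on `PermitRootLogin yes` and `PermitTunnel yes`, and `GatewayPorts` decides whether the `-R` forwards shown earlier listen beyond loopback. The function names and the sample config are constructed for illustration; only the global section is read, not `Match` blocks.

```shell
#!/bin/sh
# Added example: report the global sshd_config values that the tunnel and
# reverse-forward answers above depend on. Function names are hypothetical.

# Print "keyword value" (lowercased) for the first occurrence of keyword $1.
# sshd uses the first value it obtains for a keyword, and keywords are
# case-insensitive. Scanning stops at the first Match block.
sshd_effective() {
    awk -v want="$(printf '%s' "$1" | tr 'A-Z' 'a-z')" '
        { sub(/^[ \t]+/, "") }
        /^#/ || /^$/ { next }
        { split($0, f, /[ \t=]+/); key = tolower(f[1]) }
        key == "match" { exit }
        key == want { print key, tolower(f[2]); exit }
    '
}

# Read a config on stdin; print one line per setting that deserves review.
audit_sshd() {
    conf=$(cat)
    for rule in "permitrootlogin yes" "permittunnel yes" \
                "permittunnel point-to-point" "permittunnel ethernet" \
                "gatewayports yes" "gatewayports clientspecified"; do
        kw=${rule% *}
        got=$(printf '%s\n' "$conf" | sshd_effective "$kw")
        if [ "$got" = "$rule" ]; then echo "REVIEW: $got"; fi
    done
}

# Constructed sample, modelled on the server settings in the answer above.
sample_sshd_config() {
    cat <<'EOF'
# constructed sample
Port 22
PermitRootLogin yes
PermitTunnel yes
permitrootlogin no
Match User backup
    GatewayPorts yes
EOF
}

# Live use (as root), which also covers compiled-in defaults:
#   sshd -T | audit_sshd
```

The later `permitrootlogin no` in the sample does not override the earlier `yes`, which is why the audit still flags it.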