LonnieBest's questions

I've generated a single self-signed SSL certificate (that expires in 5000 years). The purpose of the cert is to simply encrypt the https traffic of a trusted deno application that is accessed by a variety of web browsers on multiple corporate intranet sites.

In a comment, of my prior question, someone advised me that it is possible to distribute my self-signed public SSL key to all computers within an Active Directory environment using Group Policy on the domain controller.

My goal, is to prevent users from having to manually accept this self-sign certificate.

This application's security is not the top priority. The top priority is the automatic acceptance of the self-signed certificate. So that even if a new user is using Chrome or Firefox to access this application for the first time, they will not have to manually accept the certificate to see a page within the App.

If you're wondering why I'm not just using http (instead of https), it is only because there are features in the web standards that are not available unless your protocol is https. The Notification API is one example.

Does there exist a full tutorial for my use case?

I right-clicked here:

That brought me to the Group Policy editor, and I actually succeeded in importing my self-signed public key here:

However, this had no effect. For example, I logged into a few workstation on the LAN, and from both Firefox and Chrome I was still prompted to manually permit the certificate.

Where can I find thorough instructions for my exact use-case and goals. How can I do this in a way that both Chrome and Firefox will auto-receive the pre-authorization of the certificate I'm trying to distribute?

This is something I need to accomplish for multiple installations at multiple company intranet sites. At each install-location, I need to get active directory to distribute this cert, so that all browsers on each workstation will accept it.

Logged in as the domain admin of an Active Directory environment, I'm attempting to run this command to reboot a workstation:

@start /b cmd /c shutdown -r -f -t 1 -m \\COMPUTER-NAME

I'm getting this error:

COMPUTER-NAME: Access is denied

Why would the domain admin be denied access to execute this command?

I tried to change the computer-name on a Windows 10 (1803) workstation and got this error:

The link mentioned goes here.

What's the best way to handle this (in a way where I won't see this again) on our Active Directory 2008R2 network?

On a windows 2008 R2 server, in the Event Viewer under Applications and Services logs > Directory Service

I'm getting the following error twice an hour:

Invocation ID of source directory server:
227ee97b-3a70-49b9-acdc-afb2ecb6a872 
Name of source directory server:
c92d88b9-2d7d-555b-9cf5-973e98c76226._msdcs.subdomain.domain.com 
Tombstone lifetime (days):
180 

The replication operation has failed.


User Action:
  The action plan to recover from this error can be found at http://support.microsoft.com/?id=314282.

 If both the source and destination DCs are Windows Server 2003 DCs, then install the support tools included on the installation CD.  To see which objects would be deleted without actually performing the deletion run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC> /ADVISORY_MODE". The eventlogs on the source DC will enumerate all lingering objects.  To remove lingering objects from a source domain controller run "repadmin /removelingeringobjects <Source DC> <Destination DC DSA GUID> <NC>".

 If either source or destination DC is a Windows 2000 Server DC, then more information on how to remove lingering objects on the source DC can be found at http://support.microsoft.com/?id=314282 or from your Microsoft support personnel.

 If you need Active Directory Domain Services replication to function immediately at all costs and don't have time to remove lingering objects, enable replication by setting the following registry key to a non-zero value:

Registry Key:
HKLM\System\CurrentControlSet\Services\NTDS\Parameters\Allow Replication With Divergent and Corrupt Partner

 Replication errors between DCs sharing a common partition can prevent user and compter acounts, trust relationships, their passwords, security groups, security group memberships and other Active Directory Domain Services configuration data to vary between DCs, affecting the ability to log on, find objects of interest and perform other critical operations. These inconsistencies are resolved once replication errors are resolved.  DCs that fail to inbound replicate deleted objects within tombstone lifetime number of days will remain inconsistent until lingering objects are manually removed by an administrator from each local DC.  Additionally, replication may continue to be blocked after this registry key is set, depending on whether lingering objects are located immediately.


Alternate User Action:

Force demote or reinstall the DC(s) that were disconnected.

Despite this error, replication of "all the things I need" seems to be working fine between the two domain controllers. For example, I've verified the following things are replicating:

1) Adding a new computer to the domain
2) Adding a new user to the domain
3) Deleting a user from the domain
4) Deleting a computer from the domain

If I do any of the above tasks on one of the domain controller, the other domain controller almost instantly shows the change. This is my understanding of replication succeeding.

Yet I get the above error twice an hour. Neither of these domain controller have ever been offline longer than 30 minutes and their clocks are in perfect sync.

I can't understand what has really caused this, because what it states doesn't seem to be true.

I've combed both directories object for object, and they seem to be identical. The error says replication is not allowed, but replication is occurring in every practical way I can see.

The only error I see it the error-alert itself. What am I'm I missing? What's really going on?

Other than memorizing and documenting each user's credentials, is there way that I can use the Windows Domain Administrator credentials to login to a workstation-user's desktop as if I were them?

I think this is called impersonation, but my searches are finding articles dedicated to running scripts as a particular user, while I need this ability for non-script-administrative purposes.

Sometimes, after hours (for example), I need to see desktops from the User's perspective, and make modifications to aid their work-flows. I have some users who can't find an application unless it is a desktop shortcut! So I need this for stuff like this, and other things too.

Update: I found this question on Server Fault:

Using admin credentials to log on as a user vs. storing passwords

None of the answers offered much hope. I guess I'll just have to change the user's password if I don't know what it is an tell them what I changed it to next work-day?

As an admin, I wish I could just login with my admin-credentials to any non-admin user. In Linux, I can do this using the su command.

I've ordered a new hard drive to replace a bad one in a Dell Power Edge R515.

The manual covers obvious topics regarding physical replacing of hard drives, but I've never done this before on a production server where RAID is involved.

I've heard people talk about this topic, and I've heard that some servers have RAID controllers that are smart enough to allow you to just put in the new drive (hot swap), and then the server will know automatically how to rebuild that drive to be what the old one was to the system.

Where do I find the proper procedure for replacing a failed hard drive on a live production Dell Power Edge R515?

Can someone with experience tell me how easy or hard this usually is?

I have an Ubuntu server where I'm automounting an external hard drive each boot.

To do this, I've created an empty folder on the root partition, and the drive gets mounted "inside" this folder.

However, what if I perform a backup to this path when the drive isn't properly mounted? The backup would instead fill up my root partition!

I can ensure that the drive is mounted each time by performing:

sudo mount -a

... before each backup.

However, what are the best practices to ensure that data is never written to the empty mount-folder (except when the external hard drive is truly mounted)?

Can this be solved without scripting? Say with permissions for example? What are the best practices?

I want to run Hyper-V manager on a virtual machine running Windows 2012 Server essentials.

I've seen videos of others using the Server Manager to add this feature to their Windows 2012 Servers, but when I follow their steps, I'm missing the selectable entry (that they are choosing) that would allow me to add this feature to my virtual server.

I only need the Hyper-V manager tools (not the service), but these aren't listed features for me to add. (Screenshot below)

How should I proceed?

I've read how it is possible to disable password authentication on an Ubuntu server. However, is it possible to disable this for remote users only?

I'm afraid that, if I enable this both locally and remotely (as designed), I will ultimately lose the key and lock myself out (over time). If I were able to disable password authentication for remote users only, losing the key wouldn't be so tragic; I could simply go to the LAN and login with a password and create a new key.

For the sake of this post, lets assume I have a folder called "misc" that has 100 sub-folder named 001 to 100. Each folder has many sub-folders and files.

I want to write one rsync command that recursively backs up only the folders named 009, 053, and 087.

This command works fine for backing up the entire "misc" folder:

rsync -v --progress --recursive /home/user/misc /home/user/backup/misc

I've made several attempts to use include and exclude parameters (to only backup the particular sub-folders I want), but each attempt has resulted in /home/user/backup/misc being an empty folder after the command is run successfully.

Could someone add to this command (above) the proper use of include and exclude parameters to achieve what I'm attempting?

I'm remotely accessing a network where I'm testing two separate dhcp servers where:

1) Both dhcp servers are on the same subnet.
2) The dhcp servers do not have overlapping ip pools.
3) Each dhcp server has its own static ip address. 

My testing will require me to do the following numerous times:

1) Turn off dhcp service 1 on server 1, which currently has several leases
2) Turn on dhcp service 2 on server 2
3) Remotely login to a workstation and 
   a) release current dhcp lease
   b) obtain new lease from active dhcp service
4) Repeat these steps several times (going back and forth between dhcp services).

So far, I've only killed one workstation :) with this command:

ipconfig /release && ipconfig /renew

Before that, I also tried just doing:

ipconfig /renew

But, instead of renewing with the currently active dhcp server, it instead complained that it couldn't reach the previous dhcp server at its ip address (where I've turned off dhcp).

If I were physically on-site, I could unplug the network cable and then plug it back in, and therefore consume the active dhcp server (I've just turned on), but I'm working remotely and do not know a command that's equivalent to reseating the connection.

By the way, it is off hours at this company, so there is no concern for users losing connectivity. I'm just trying to avoid travelling on-site to perform these tests.

Please advise.

I have a Hyper-V host running on a Windows 2008 server that does not have a desktop GUI.

This server is currently joined to a domain that no longer exists and there are no domain controller for that old domain still on the network.

Using a local admin account, at the windows command prompt, I'm trying to unjoin from the non existing domain.

I've tried this command:

netdom remove /d:DomainThatNoLongerExist.COM HYPERVComputerName

I get this:

The specified domain either does not exist or could not be contacted.

The command failed to complete successfully.

Instead of "unjoining first", I've tried just joining to the new existing domain, but each time I try, it says it is already joined, but it really isn't already joined; because the name of the new domain is a subdomain of the previous domain, it assumes it is already joined, and that false presumption is causing me a lot trouble.

So, can someone please tell me how I can un-join this non-longer-existing domain?

BTW, this especially important because I can't access any of the currently running virtual machines via Hyper-V manager because it automatically authenticates using the client's windows-login-credentials which are for another domain than the hyper-v host's non-existing domain. The only access I have is a local admin account, and I cannot figure out how to use those credentials in Hyper-V Manager from a remote machine (and I know no way to launch Hyper-V Manager on the Host machine after logging in as a local admin).

I have a manager that has legitimate reasons for wanting to view a user's Remote Desktop session with Windows 2003 server.

Logged into that same server (as Administrator), how can you discreetly view a regular user's Remote Desktop Session?

How can I ensure that I can always have Hyper-V Manager access to a Hyper-V server, even in the event that the Active Directory Server is down (in a domain-login environment)?

Background:

The person who managed infrastructure before me set up the company's servers as virtual machines on top of a host running Hyper-V Server 6.1 (7601) Service Pack 1.

To manage Hyper-V, he installed Windows 7 onto a virtual machine (run on the same host) with Hyper-V Manager installed.

When the (virtual) Active Directory server (run on this same host) is rebooted, during that reboot, I'm unable to RDP into the Windows 7 virtual machine, and I'm therefore unable to access Hyper-V Manager when the Active Directory server is down. I suspect I can't login because I can't authenticate with the Active Directory Server.

I'm going to install Hyper-V Manger onto some addition manager's workstations, but how can I ensure they'll have access in a catastrophe where Active Directory authentication isn't possible?

I have access to a linux server that is acting as the gateway to an internal network.

There is a MagicJack Plus device plugged into this network via CAT5.

The MagicJack gets its ip via DHCP from the linux server, and I've determined which IP address it was issued.

I've nmaped that ip, but I couldn't discover any open ports on the MagicJack Plus device.

I'm curious about how it communicates, especially which ports it actually uses. I'd like to monitor which ports it uses during a 24 hour period. I'd be very interested in seeing if it tries to communicate with any other computers that it doesn't need to (on the local network).

Ultimately, I want to lock that device down, so that it only has access to what it needs and nothing more.

The linux server only has a web app gui and commandline, how can I monitor and log the network activity of the "IP of this device" to discover what ports it actually uses, what it tries to access, and how much bandwidth it uses?

In Ubuntu 12.04 Desktop, USB devices can be plugged in, and they just work for the most part.

In Ubuntu 12.04 Server, when I plug in a USB device it does nothing.

How can I setup server do act like desktop when it comes to adding USB devices such as printers, scanners, and thumb-drives?

Ultimately I will be forwarding this USB devices to a VirtualBox virtual machine. However, if Ubuntu server doesn't mount them in some way, I can't get VirtuaBox to see them either.

Please advise me on how I can ensure that remote desktop users cannot install software onto the Active Directory Server they are logging into remotely.

Some Background:

I have a client whose Server Security is very screwed up. I'm typically more of a programmer than an Admin, so I need some help.

They are using their Active Directory Server to allow remote sales people to Remote Desktop into their network, essentially allowing that Active Directory Server to double as a desktop for 4 remote employees. This alone seems like a bad idea to me. I'd prefer setting up a separate server for these remote users.

However, what's worse, is I just logged in using the credentials of one of the sales people, and I was able to install firefox, using their credentials! So, essentially, each outside sales person has administrative privileges for installing applications onto the Active Directory Server!

Last week I removed a virus from the server that essentially took the business down. Today, there is another virus sending out mass emails (getting their company blacklisted).

I do intend to reinstall this server and try to lock it down, but until the weekend, I'm trying to at least figure out how to make it to where these remote sales people cannot install software onto the server.

The truth is, I don't have much experience with Active Directory. I've mostly locked down Windows Servers that do not have Active Directory (through the 'Computer Management > Users' console).

When I go into "Active Directory User's and Computers". I do not see that the sales person is a member of an administrator's group. And when I look at each group (that they are a member of), I'm not able to locate any permission setting that reveals why they are able to install software on the server.

Could you please direct me a bit. I must be over-looking something essential. Please advice.

Edit:

Here are the groups, the user is a memember of:

Name:           ActiveDirectoryFolder
Custom Sales All        domain.com/Users
Domain Users        domain.com/Users
Remote Desktop Users    domain.com/Builtin
Remote Users        domain.com/Builtin

Is there a linux command, that works like "top" (like top does for monitoring processor utilization), but shows network activity of users and applications realtime?

I want something that shows everything going on, where I don't have to specify each and everything to get an overview. Anything like this?

Using Ubuntu server, I need to create some user accounts that have the following limitations:

(1) User may only view and manipulate files in their home directory.

(2) User may only execute commands related to rsync and sftp.

I want users to be able to backup files using rsync, and I want them to be able retrieve files using an sftp client like FileZilla.

Other than this, I don't want users to be able to view other files on the system, or execute any commands that might mess with the system.

I'm more of an Ubuntu Desktop user, and have very little experience administering a linux server. Most tutorials I've found assume I know things that I don't know. So I'm having difficulty setting this up.

When restoring files (using rsync over cygwin) from Linux to Microsoft Windows XP (and probably to all version of windows), each file restored has permissions so strict, that only the "SYSTEM" account may access these restored files.

I know how to change the permissions, but I'm looking for a solution that makes rsync-restored files inherit permissions of the parent folder to which the files are sync/restored. Or, simply modifies the files without changing their current permissions on the windows machine. Or something similar that ultimately restores the files in a manner in which I don't have to manually adjust permissions after each restore / sync.