Forwarded requests using wrong source IP on Kemp LM-X3
by lunarg on December 9th 2020, at 11:02
I had an issue where a forwarder service would not work even though all settings were correctly configured (firewall/LM/real server). When troubleshooting using on the LM itself (using tcpdump), I noticed that forwarded requests (from the LB to the real server) were been sent out using the right interface but with the wrong source IP, causing return traffic not to work. As it was a migration from an older Kemp LM, I established the configuration was indeed correct but there was another reason why it was not working.

After some more troubleshooting and comparing against the backup from the original LM (backup files are in fact TGZ-archives and can be unpacked), and found these settings to be  ...
 
Required minimal permissions to backup Microsoft SQL Server using Veeam
by lunarg on December 9th 2020, at 10:27
To backup Microsoft SQL Server, the account used for VM-side processing (application aware processing) requires certain permissions. Veeam recommends assigning the sysadmin role on the SQL Server but it is also possible to assign minimal permissions on the databases it needs to backup, which is the preferred method for security hardening.

The User Guide for VMware vSphere outlines the required permissions as well but for convenience, I've listed them here as well.

Instance-level roles:

Assign these roles:public

dbcreator

Database-level roles:

Assign these roles:

System databases master and model:db_backupoperator

db_datareader

public



System database msdb:db_backupoperator

db_dat  ...
 
Replace the SSL certificate of a VMware Horizon View Composer
by lunarg on December 8th 2020, at 11:52
If the SSL-certificate on your VMware Horizon View Composer server is about to expire, it will have to be replaced. The process is pretty straight forward.

Import the new certificate (in PFX-format) in the Computer certificate store. You can use the MMC snap-in or certutil to accomplish the task. If it's not a publicly signed certificate, you will also need to make sure the intermediate and trusted root CA is imported.

Open an elevated command prompt.

Stop the VMware Horizon Composer service:net stop svid



Navigate to the install location of View Composer. The default location is C:\Program Files (x86)\VMware\VMware View Composer. On a 32-bit machine, leave out "(x86)".

Run t  ...
 
Mass-unblock files via Powershell
by lunarg on December 3rd 2020, at 21:21
When downloading files from the internet or copying them from a (foreign) server, these files will be marked as blocked by default.



Each file can be unblocked by right-clicking the file and manually selecting unblock, but what if you have a whole bunch of files to unblock? In that case you can use Powershell:

Get-Item -Path "$env:windir\Fonts\*" -Stream "Zone.Identifier" -ErrorAction SilentlyContinue | % { Unblock-File -Path $_.FileName }

The oneliner above consists of two parts:

The flag that says whether or not a file is blocked is stored in a hidden NTFS-stream called Zone.Identifier, which is stored for each individual file. By looking for those hidden streams,   ...
 
GPO not applying on Windows 10 machines due to UNC hardening
by lunarg on November 30th 2020, at 16:45
A long standing issue (it goes back as far as Windows 10 1511) exists where GPOs are not (or not always) applied on Windows 10 machines, even though the entire setup checks out (correct GPO links, network in working order, domain controllers functional). Back in Windows 10 1511, there was a certain update introducing something called UNC hardening which caused this behaviour. Although it was expected that this has since been resolved in another Cumulative update, there are still numerous reports of users encountering this issue all the way up to Windows 10 2004.

Should you be affected by this issue, the symptoms are as follows:

You are able to succesfully log on using a domain account you'  ...
 
Verifying the syntax of a Powershell script
by lunarg on November 25th 2020, at 10:12

There are many ways to verify the syntax of a Powershell script (other than running it of course), but the most simple and useful is this one:

Get-Command -Syntax 'path\to\script.ps1'

If the syntax is valid, it will simply return the name of the script. If there are errors, it will provide a detailed syntax error report.

 
Verify AD replication using Powershell
by lunarg on November 16th 2020, at 15:31

Using Powershell, you can quickly verify the status of the replication between domain controllers in Active Directory. This can be used in monitoring to verify a healthy AD replication. This can be run on any domain controller or on another system with RSAT or ActiveDirectory Powershell module.

Get-ADReplicationPartnerMetadata -Target "$env:USERDNSDOMAIN" -Scope Domain | FT -Auto Server,LastReplication*

To see forest-wide replication, replace -Scope Domain with -Scope Forest.

 
Turn off trial and other offers in Adobe Reader DC via Registry/GPO
by lunarg on November 13th 2020, at 16:52
By default, Adobe Reader DC pummels you with all kinds of offers for trial versions and cloud accounts, which can be annoying for yourself and your users. Luckily, it can be turned off through a few well-placed registry keys, as described in the Enterprise Toolkit.

Create the following key(s):HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM

HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Policies\Adobe\Acrobat Reader\DC\FeatureLockDown\cIPM (for 32-bit app on 64-bit Windows)



Create these DWORD-values and set them to zero:bDontShowMsgWhenViewingDoc (DWORD) = 0

bShowMsgAtLaunch (DWORD) = 0

bAllowUserToChangeMsgPrefs (DWORD) = 0



Note that the value for bDontSh  ...
 
 
 
« January 2021»
SunMonTueWedThuFriSat
     12
3456789
10111213141516
17181920212223
24252627282930
31      
 
Links
 
Quote
« Stripes on a tiger are hard to change. »
The Noisettes