Sajal Choudhary - Garden

The four diseases leading to slow death

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 14 Apr 2026 11:54:01 GMT

Heart disease
Cancer
Neurodegenerative disease
Type 2 diabetes

Slow death moves very slowly. We need to step in sooner or better yet prevent them altogether.

Generators in python

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 30 Mar 2026 13:27:36 GMT

Generators return iterator objects in Python. Instead of using a return statement, it uses a yield statement to provide a list of results. The iterator object can then be used in a loop.

Generators stop running and save state once a yield statement is reached.

When compared to traditional method, the benefit is that it uses less memory, because it does not load everything in memory. It is ideal for producing sequences lazily.

How to define

# Define function
def sum_upto(n):
    num = 0
    while num < n:
       yield num
       num += 1
       
       
# Generate object
gen = sum_upto(3)

## call
next(gen)

def read_log_lines(filepath):
    """
    Creates a generator that reads a log file, yielding valid, non-comment lines.
 
    Args:
        filepath (str): The path to the log file.
 
    Yields:
        str: A stripped, non-empty, non-comment line from the file.
    """
    # TODO: Implement the generator logic.
    # 1. Open the file safely.
    # 2. Iterate through each line, removing whitespace and checking whether it's valid.
    # 3. If the line is valid, yield it.
   
    with open (filepath, "r") as logfile:
        for line in logfile:
            logline = line.strip()
            if logline:
                if not logline[0] == "#":
                    yield logline

Conditionals in python

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 Mar 2026 10:50:38 GMT

if <condition>:
    Code
elif <condition>:
    Code
else:
    Code

Difference between lists tuples and sets

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 Mar 2026 10:15:05 GMT

Lists are ordered, mutable and allow duplicates.
Tuples are ordered, immutable and allow duplicates.
Sets are unordered, mutable and do not allow duplicates.

Sets can be used to deduplicate data or performing membership checks.

## Lists
list_name = [“web1”, “web2”]

# Tuples
tuple_name = (“web1”, “web2”)

# Set
set_name = {“web1”, “web2”}

To remove duplicates from a list use sets

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 Mar 2026 14:55:58 GMT

# create set using {} or with set keyword

unique_ports = set([80,443,8080,80])
unique_servers = {“web1”, “web2”}

To create a single item tuple add a comma to the end

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 Mar 2026 14:50:21 GMT

single_value_tuple = (“single”,)

What does a kernel do

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 18 Mar 2026 09:55:49 GMT

Generally, a kernel manages task in four general areas -

Processes - what process is allowed to run in the CPU
Memory - what is allocated to a process, what is shared, what is free
Device drivers - kernel operates the hardware, acting as interface
System calls and support - Processes use system calls to communicate with the kernel

From How Linux Works.

Coupling and cohesion

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 09 Mar 2026 12:19:56 GMT

In the context of micro-services architecture, from Building microservices.

Cohesion

We want related behaviour to sit together and unrelated behaviour to sit elsewhere. Because when we want to change one behaviour, we want to be able to do it.

Coupling

Systems should be loosely coupled. So that changes to one system does not affect the other systems.

Types of coupling

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 09 Mar 2026 12:18:43 GMT

In the context of micro-services architecture, learned from Building microservices.

Domain coupling

One service needs to interact with a different service. This is mostly unavoidable.

Passthrough coupling

One service passes data to a different service, because the data is needed by the other service further downstream. It can be problematic because if they need it in a different format or need different items, than we may need to make changes as well.

Common coupling

In common coupling two of more services use a common data source. Not desirable.

Content coupling

Very similar to common coupling, the difference is that the external system can directly make changes to the internal state. Should be avoided.

Learning microservices and k8s

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 06 Mar 2026 11:01:56 GMT

Getting reacquainted with k8s and microservices. The goal is CKA at the end of this. Targeting this exam some time in April, perhaps the last week.

Log

2026-03-06 13:00 - Started reading Building microservices by Sam Newman.

Azure AI

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 23 Feb 2026 10:09:48 GMT

This is a certification quest for the next few months. The goal for this is the Azure AI 900 certification.

Primary source for learning is the Microsoft Learning Path with 14 modules for this path.

Log

2026-02-27 13:07 - Started with the module.

Write a letter to your child

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 31 Jan 2026 18:25:30 GMT

From Bird by bird.

When stuck, or unsure what to write, write it as a letter to your child. Tell them whatever you want to tell them, however you want to tell them.

That might just be enough to get you writing and finding the story.

How to craft a story

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Jan 2026 08:49:01 GMT

There are three acts to a story - beginning, middle and end.

Consider a 100K word novel.

You spend 25 K for the beginning, 50 K for the middle and 25 K for the end.

Each scene or chapter should ideally be around 2K words. Why? Because readers can’t quit in the middle of a chapter. 2K words is a good enough length, a potato chip length, where the reader will keep reading one more chapter.

This comes out in terms of scenes - 12 for the beginning, 25 for the middle and 13 for the end - more or less.

There are fifteen scenes that each part needs to have -

Inciting
Complication
Crisis
Climax
Resolution

So that’s 15 scenes done. Now, for the rest of the 35.

Importing Goodreads data to Astro

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 06 Jan 2026 20:18:14 GMT

I pulled my read list from Goodreads to my blog today. There are no notes or reviews for these books on Goodreads.

I love my bookshelf page. But I have had it for this year only and the literature notes since 2021, even then not noting every book I read. All of this is a long way to say there will be missing books.

This is good enough though. Most of the books are from 2013, while I was in my third year at college. I guess that’s when I would have known about Goodreads.

Here’s how I did it -

Export data from Goodreads.
There would be a zip of review.json. This file has your data.
Ask Claude to create a script to pull this info into markdown.
Build the site.

The systems in a Jenkins installation

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 30 Dec 2025 09:55:42 GMT

Master - Has access to all config and options, and full list of jobs. By default jobs run on master if any other system is not specified. However, other systems should be configured to run jobs.
Agent - Any nonmaster system. Managed by master to run jobs. Associated with declarative pipeline.
Node - a generic term for both masters and agents. Associated with scripted pipeline.
Executor - a slot for running a job. No of executors defines how many jobs can run on a node in parallel.

Ultraprocessed food is designed to be irresistible

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 29 Dec 2025 13:39:08 GMT

How?

Bliss point - the amount of an ingredient (salt/sugar/fat) which optimises deliciousness
Texture - soft foods require less chewing, so we eat more food
Marketing - Colourful packaging, cartoons to market to kids, etc.

Ultraprocessed food uses all of these things to be just irresistible. The industry uses many of the items from the cigarette industry playbook - denying addiction, different packaging and so on.

I saw this documentary (Irresistible: Why We Can't Stop Eating) which talked about these points in detail.

How to read

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 Dec 2025 20:48:05 GMT

Read anything and everything.

Anything that draws you to it - whether you like the book’s cover or a blurb or its description or the writer.

Have a wide funnel.

But you don’t have to finish every book you start reading. If you don’t like it, drop it.

Have a sharp filter.

This idea - wide funnel / sharp filter - came across it while reading The art of spending money.

Write for one person

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 Dec 2025 17:59:24 GMT

Write for one person. It’s difficult to make every one happy. If you try to write that way you will not be able to write anything. So, write for one person - the person you love. Try to make them happy.

Hemingway thought the same (from Ernest Hemingway on writing).

I believe that basically you write for two people: yourself to try to make it absolutely perfect; or if not that, then wonderful. Then you write for who you love, whether she can read or write or not, and whether she is alive or dead.

Limitations mean freedom

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 21 Dec 2025 20:32:54 GMT

I had this thought a couple of days back about time-limits.

I have had this thought a couple of times in the past, mostly with regard to my writing. About having a deadline, a shipping date by which I have to ship a work.

This recent thought I had was with regard to reading, specifically the type of reading I am doing now - using e-kirjasto (e-library). Compared to the traditional books I borrow from Helmet, I borrow e-books or audiobooks from the e-library. Both of those are borrowed for 14 days. That time limit forces me to finish the book in this time. I find myself reading whenever possible. I have mostly stopped listening to podcasts now. I read ebooks while eating lunch or whenever I have time.

I find this applies to other things as well - like figuring out what to learn. It’s good to limit yourself to one or two things, using two or three resources. The technology landscape is huge and limitations are good. This limitation is not the time-limitation I talked about in the last paragraph. It is a different limitation - of choice.

Three types of tests

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Dec 2025 08:03:49 GMT

Unit tests - to test the behaviour of small pieces of app in isolation.
Component tests - to test the behaviour of several components.
Acceptance tests - test the whole application to ensure acceptance set by the org.

How to run powershell as system account

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:32:50 GMT

There are two ways to run your powershell script as the SYSTEM account:

Use PsExec

Psexec.exe -i -s C:\WINDOWS\system32\WindowsPowerShell\v1.0\powershell.exe`

Create a scheduled task that runs it as system, use -User 'NT AUTHORITY\SYSTEM' .

Yubikey Minidriver install

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:32:33 GMT


# Quiet instal
msiexec /i YubiKey-Minidriver-5.0.1.272-x64.msi /quiet

# To verify install
Get-WindowsDriver -Online | where {($_.ProviderName -like "Yubico") -and ($_.ClassName -like "SmartCard") -and ($_.Version -like "*")} | select ProviderName,ClassName,Version

Windows upgrade fails with optional component installation failed

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:32:16 GMT

Error

Setupdiag reports Optional Component installation failed to open the OC package.
Already checked the windows modules installer server and ensure it is automatic and running. Upgrade continues to fail

Issue

Missing foundation packages from the server. This registry key was empty = HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages

Fix

Method 1

Go to a healthy server.
Run the following and check that Microsoft-Windows-Foundation-Package is present.

dism /online /get-packages /format:table

Also check at HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Component Based Servicing\Packages, export the Packages key.
Go to the failing machine, and merge this .reg file.
Verify that the merge was successful.
Retry the upgrade.

Method 2 - In place repair

Some points

In-place upgrade will only replace the contents of the C:\Windows folder.

This is a non-destructive process as it does not alter/delete any user profiles, files and programs.
You do not have to restore anything from the backup. This is because any programs/applications are installed either in C:\ProgramFiles or C:\ProgramFilesx86 which are outside C:\Windows folder. (but taking a backup is recommended)

Please note however, that in-place upgrade will delete all your windows update, and we would have to install the updates again. (Since the update is cumulative, you only need to install the latest one to resolve the issues.)

From In-place upgrade recommendations -

If this is a DC, you need to demote the machine to a domain member.
If you have IIS installed on this, you need to remove IIS and reinstall once the OS is back up.

1. Please prepare and download Window Server 2016 ISO image at: Microsoft 365 admin center or from the original ISO provider you choose to download when first install Window Server 2016.
2. Double click the “Setup” of the mounted WS 2016 image
3. Select Yes to start the setup process.
4. For internet-connected devices, select the Download updates, drivers and optional features (recommended) option, and then select Next.
5. Setup checks your device configuration, you must wait for it to finish, and then select Next.
6. Select the Windows Server 2016 edition you want to install, and then select Next.
7. Select Accept to accept the terms of your licensing agreement, based on your distribution channel (such as, Retail, Volume License, OEM, ODM, and so on).
8. Select Keep personal files and apps to choose to do an in-place upgrade, and then select Next.
9. If you see a page that tells you upgrade isn't recommended, you can ignore it and select Confirm. It was put in place to prompt for clean installations, but it isn't necessary.
10. Setup will tell you to remove Microsoft Endpoint Protection using Add/Remove programs.
11. After Setup analyzes your device, it will prompt you to proceed with your upgrade by selecting Install.
12. The in-place upgrade starts, showing you the Upgrading Windows screen with its progress. After the upgrade finishes, your server will restart.
13. After your upgrade completes, continue to upgrade with the 2019 ISO using the same method.

How to export csv from cis scan

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:31:55 GMT


[xml]$arf = Get-Content 0250803011443.xml


# Define the ARF namespace
$ns = New-Object System.Xml.XmlNamespaceManager($arf.NameTable)
$ns.AddNamespace("arf", "http://scap.nist.gov/schema/asset-reporting-format/1.1")

$reports = $arf.SelectNodes("//arf:report", $ns)
$reports.Count


$rules = $arf.SelectNodes("//*[local-name()='Rule'")

$rules = $arf.SelectNodes("//*[local-name()='Rule']")

$rows = @()

foreach ($rule in $rules) {
    $rows += [pscustomobject]@{
        Title = $rule.Title
        ID = $rule.id
        CISRef = $rule.reference | Where-Object { $_.href -match "cisecurity.org/benchmark/"} | Select-Object -ExpandProperty '#text' -First 1
    }
}

$rows | Export-Csv -Path rules3.csv -NoTypeInformation -Encoding UTF8

How to configure time source using Group Policy

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:30:51 GMT

Can be useful for non-domain joined machines.

Go to Computer Configuration\Administrative Templates\System\Windows Time Service.
Enable NTP Client.
Configure Windows NTP Client
- Double-click Configure Windows NTP Client.
- Set it to Enabled.
- Configure:
  - NTP Server: Enter your NTP server(s), e.g.:
```
0.pool.ntp.org,0x1
```
    (The ,0x1 flag means "special poll" mode.)
  - Type: Set to NTP.
  - CrossSiteSyncFlags: Leave default.
  - ResolvePeerBackoffMinutes: Default is fine.
  - SpecialPollInterval: Common value is 3600 (seconds = 1 hour).
  - EventLogFlags: Default is fine.
Apply and Close
Run gpupdate /force

Create GPO to copy a file in a certain location and create a shortcut to that exe on Desktop

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Dec 2025 10:30:46 GMT

Copy a file

Run gpmc.msc
Go to Computer Configuration → Preferences → Windows Settings → Files
Right-click → New → File.
Set:
- Action: Create
- Source file: \\YourServer\SharedFolder\App.exe
- Destination file: C:\Program Files\AppFolder\App.exe
  (Create _AppFolder_ if needed)
Optionally, set "Run in logged-on user's security context" if needed.

Create Desktop Shortcut**

Navigate to:
User Configuration → Preferences → Windows Settings → Shortcuts
Right-click → New → Shortcut.
Set:
- Action: Create
- Name: App Shortcut
- Target type: File System Object
- Location: All Users Desktop
- Target path: C:\Program Files\AppFolder\App.exe
- Icon file path: (optional)`

How to write commit messages

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 24 Nov 2025 18:54:37 GMT

The authors of continuous delivery prefer commit messages be multiple paragraph.

The first paragraph being a summary of the change, and the rest of them explaining the commit in detail.

It should also include ID for the project/bug this fixes.

How to renew access token to Threads API

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 24 Nov 2025 18:54:28 GMT

I use a Github workflow to sync content to Threads, Mastodon and Bluesky.

Mastodon and Bluesky do not require any weird things - you set them up once and they are done.

For threads though the access token expires every 60 days.

The steps to renew it are as follows:

Go to the FB developers website. and find the app you created for the integration. Open the app.
On dashboard, there is an option to 'Customize the Access the Threads API use case'. Click that.
Go to settings in the next window.
There is a user token generator at the very end of the page, with an action called 'Generate Access token'.
Click it. It will open a new window, authenticate to Threads and then it will generate a new access token.
Copy this token and add it to the secrets on Github Actions.

The goal of software engineering

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 20 Nov 2025 08:14:14 GMT

Read first in continuous delivery.

To deliver high quality, valuable software in an efficient, fast and reliable manner. We need to achieve low cycle time and high quality.

How?

By making frequent, automated deployments.

Automated deployments are repeatable.
Frequent deployments ensure the delta between changes is low, as is the risk of issues.

Feedback is essential to this goal. There are three criteria for feedback to be useful -

Any change should trigger it
Feedback must be delivered asap
Team must receive the feedback and act on it

Learning Jenkins

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 19 Nov 2025 09:24:25 GMT

Started learning Jenkins.

Resources

Continuous delivery
Jenkins udemy course by Valentin Despa

The CAP principle

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 30 Oct 2025 11:46:10 GMT

From The practice of cloud system administration and other places.

CAP stands for -

Consistency
Availability
Partition resistance

The CAP principle states that a distributed system can have at max two of the three.

Consistency

All nodes see the same data at the same time. It is not necessary that this is achieved. Some delay for replication is considered OK, depending on the use case.

Availability

Whether the system is up or not - that is every request receives a response, whether successful or not.

Partition Resistance

System continues to work despite partial loss of functionality or arbitrary message loss.

This principle leads to three types of systems -

Distributed system design patterns

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 29 Oct 2025 09:11:33 GMT

From The practice of cloud system administration.

These are the three patterns:

Load balancer with replicated backends
1. LB forwards query to backend server.
2. Backend server are replicated, so any backend should give the same response for a certain query.
3. Round-robin or slow start algorithm to assign traffic.
Server with multiple backend
1. Server receives a query and then forward it to different components.
2. The components all send their responses and then combine it to form the response the user gets.
Server tree
1. Root receives the full query and forwards eat to leaf nodes.
2. Each leaf node works on the query.
3. It allows for parallel searching of a large corpus of data for example.

Work at a natural pace

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 26 Oct 2025 20:55:28 GMT

There should be a varying approach to work, periods of rest and celebration, followed by periods of work.

How?

Take longer to do things

Have long terms plans - 5 years or so
Double the time taken for projects
1. Initial time estimates are usually guesses and wrong
Simplify your day to day
1. Schedule fewer meetings - If you block time for meeting, block similar amount of time for work
2. Schedule lesser work - so that you have more time to do things

How to create a simulated pull workflow

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 26 Oct 2025 20:52:38 GMT

Related to Pull vs push method for getting projects. Read about this first in Slow Productivity.

This is especially useful when you don’t have control over how work gets assigned to you.

The core of this system are the two buckets where projects live -

On hold
In progress

Every new work comes to the on hold bucket. Things you are actually working on are in progress bucket. The key point is to ensure a max number of projects in the in progress bucket - three.

Once a project is done we add a new project from the on-hold bucket. If for example, writing a book is a project in the on-hold bucket, what you pull in the in-progress bucket is ‘write chapter 2’.

When a new project request, we need to ingest it properly, by:

Acknowledging the requester
Giving a time line
Giving a list of open projects you have
Any information you need from them

The final step is to ensure proper cleanup of the on hold bucket on schedule.

Obsess over quality

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 26 Oct 2025 20:50:47 GMT

Have pride in what you build. Give it time and the effort it deserves.

Do fewer things

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 26 Oct 2025 20:49:33 GMT

Limiting missions
Limiting projects
Limiting tasks on a daily basis -

How?

By time blocking or doing certain things at certain times
By paying for services that save time and take admin work off your hands.

Pythonic coding conventions

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 21 Oct 2025 12:45:15 GMT

In PEP 8, from The quick python book.

Module/package names - short lower case, underscores only if needed
Function names - all lowercase, underscores for readability
Variable names - all lowercase, underscores for readability
Class names - capitalise each word
Constant names - all caps with underscores
Indentation - 4 spaces, no tabs
Comparisons - don’t compare explicitly to true or false

Learning python

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 21 Oct 2025 08:53:27 GMT

2026-03-31:
Using the Python for DevOps: Mastering Real-World Automation course now. Re-doing the same exercises (create a variable, etc.) feels weird without the context. This course provides important context on how these things matter in a Devops contxt.

Progress - Course 291 modules

Started on 2026-03-24.
Current progress as of 2026-03-31 - 80/291 completed

More like re-learning python.

The first time around I had used the book Learn Python the hard way. It was great, I had created a Pokémon type game and learnt it.

I did not really have a chance to use Python at work outside of a few scripts, so those skills atrophied.

Now I’m relearning Python and additionally pick up some data analysis skills.

Resources - Intro level

Helsinki University Intro to Programming MOOC
[[202509281354 The quick python book]]

Progress - MooC

Completed Part1 on 29th October.
Completed Part2 on 5th November.
Completed Part3 from the Mooc on 19th November.

How to automate something

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Oct 2025 10:31:07 GMT

After you’ve figured out what to automate, follow these steps -

Make sure you know how to do the thing manually.
Document the steps needed for the same
Make sure you can automate each step
Bring it together - add one step after the next and test after each addition, incrementally.

From Time management for system administrators.

What to automate

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Oct 2025 10:26:58 GMT

There are four types of things that we can automate -

Simple things done once
Hard things done once
Simple things done often
Hard things done often

It is better to try to automate simple things done often and hard things done once. We should consider buying tools for hard things done often.

From Time management for system administrators.

A little inefficiency is good

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Oct 2025 07:17:00 GMT

From Same as Ever.

Like in nature, species are not perfect. There are some imperfections.

Small inefficiencies in the work we do are similarly required - especially in knowledge work. We need time to think, to work the problem but seldom get the time to do so. Our days are filled with things - meetings, calls, disruptions.

The 9 to 5 is great if the work is formulaic and repetitive. But it does not work if you have to think.

Progress takes time while destruction is instantaneous

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Oct 2025 07:16:45 GMT

From Same as ever.

Good things take time, they compound and that is difficult to point at and understand. Bad things on the other hand are things that did happen - a market crash, for example.

Creating a good reputation may take twenty years while losing it takes just five minutes.

Construction need engineers and planning while demolition needs someone with a sledgehammer.

Be a rational optimist

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Oct 2025 07:16:34 GMT

From Same as Ever.

A rational optimist is someone who knows that in the short term things will go bad, but over a longer time, things work out.

Being a pessimist or optimist all the times is not optimal. Because life does not work like that.

How to avoid wasting time

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 15 Oct 2025 10:36:55 GMT

Set a timer for the thing that you want to do - for me playing a game
Once the timer rings, stop doing the thing

I have found myself getting lost while playing a game in my playstation. It takes my partner calling me out and telling me to get off my ass, that I think about shutting it off.

Gaming is not bad. It’s entertaining. There should be a limit though.

How to decide what to watch or read

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 15 Oct 2025 10:32:58 GMT

Keep a list
When it comes to pick what to read/watch next just pick the next item in the list
Delete that item from the list

How to handle stress at work

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 14 Oct 2025 12:50:39 GMT

These are the things that work for me. They may or may not work for you.

If feeling overwhelmed with work, add stuff to the planner, see what can be done now, prioritise. Talk to your boss for prioritisation.
The rubber duck hypothesis- if stuck talk to anyone, sometimes just the act of explaining unlocks a problem.
Take vacations - not let me do some chores vacations- actual vacations
Walk. Do yoga. Meditate.

Risk is what you can’t see coming

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 14 Oct 2025 12:50:25 GMT

Like Covid, or any of the great depressions. Sure in hindsight it seems obvious, but for people living the happening, it’s anything but.

There are two things to do then:

Plan for risk without prediction. You will not when it comes but you must plan anyway.
Always plan more than what might seem ok - like in personal finance it should feel like you have saved up more than needed for the emergency fund.

Happiness relies on expectation

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 14 Oct 2025 12:47:26 GMT

By almost every metric, we are better off than we were in an earlier age, still we earn for the golden period we had earlier (supposedly).

The difference is expectation. The delta between expectation and our reality is what causes happiness or sorrow. We should have reasonable expectations and take whatever happens with stoicism.

Expectation comes from looking at what others around us have. That may or may not be what we need or want.

Also expectation is easier to manage than the outcomes.

How to work with your boss

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 12 Oct 2025 18:15:01 GMT

Make your boss’s life easier. Understand the priorities, if they ask for some information or task there may be a bigger ask they are trying to accomplish.
1. If they ask you to do something go to them with solutions, or clearly ask for help.
Make sure your boss knows your career goals. Once a year have a chat. The preferred outcome is that they will tell you what you need to do.
Upward delegate only when it makes sense. When you need your boss’s authority for example to deal with other business units etc.

You can create a web scraper in chatGPT

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 11 Oct 2025 05:57:03 GMT

For the last few days I would see an alert from ChatGPT saying that it has found some new data engineer jobs. I ignored it for most of last week. Today curiosity got the better of me and I opened the chat. Prerna had talked to ChatGPT about the job situation in Finland and for market research regarding data engineer jobs.

I checked the chat and it turns out ChatGPT had told Prerna that it could create a web scraper, she had said yes, and it went ahead and created a web-scraper for her.

Today I told it to create a web scraper for me, scheduled to run at 09:00 each day and report back with any new jobs.

I will know in 5 mins what it finds.

Best practices for presenting things

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 09 Oct 2025 16:26:08 GMT

These are things that I have noticed in presentations given by others. Presentations that I have liked have these qualities.

Less text on the slide. Just pointers not descriptions. A person viewing should be able to skim quickly. This is not a SOP document.
Have a demo. Demos are fun.
If you include diagrams, it should be visible, i.e. the text should be visible.
Consistent design language, don’t jump from one style to a different one. I prefer minimalist styles.
Do not dive too deep technically - depends on the audience actually
Pick a topic accordingly. A super technical presentation will be difficult to pull off. Generally speaking, it’s easier to do overview sort of talks.

How and when do I read

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 06 Oct 2025 18:49:17 GMT

At present, I am mostly consuming audio books now. I listen to them whenever I can, but mostly -

While commuting (a 40 min commute at present)
While walking
While out for groceries, etc.

I love physical books - hardcover and paperback. I used to borrow from my local library and read during my commute which was via the Metro. I miss that.

Inspired by this article on the reading habits of some well-read people.

How to change how a link looks like in Obsidian

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Sep 2025 11:07:50 GMT

In order to link to an internal link, what I used to do was use the aliases property.

I append the timestamp to each note title (available as the core plugin - unique note creator). But that plugin does not allow you to insert a template to it.

Most of my notes are created on mobile, using Apple shortcuts to fill out the basic template metadata.

I would add an alias to all the notes I created, which in most cases was the title. But in order to reference that note elsewhere in a different note, I would add a different alias each time.

This was not ideal.

TIL that I could just provide whatever I want as the display text and it works. The format is this -
[ display text](#).

Works great!

Ergonomics for sitting at a desk

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 11 Sep 2025 08:57:25 GMT

From this YouTube video and many other articles I’ve read elsewhere.

Adjust chair or table so that elbows and arms are at 90 degrees to your desk
Monitor at arms length, top of the monitor should be at eye level

Curation matters

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Sep 2025 07:45:20 GMT

Or, curation can have long term consequences.

I read about this first in Yuval Noah Harrari’s Nexus: A Brief History of Information Networks from the Stone Age to AI.

The Bible is not one book, but rather a collection of different texts that were canonised over many years.

A committee did this task. The things they decided to add - like how women are somehow inferior and have little rights compared to men - took a lot of time to roll back and fight against in the modern world.

Curation is important. I am thinking about this of course in terms of what I write here. I wrote earlier about writing more and the things I write on my blog. I keep going back to the value that micro posts bring, if any.

I know I don’t need to justify what I write about.

Curation is important though. Especially in this age. And even more so going forward. There is a list of blogs, newsletters and news sites I follow via RSS. What I share after reading things there is my curation.

You may decide to follow me based on that, because you value my taste and curation.

How to set time zone on windows using PowerShell

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Sep 2025 17:52:04 GMT


# To set time zone
Set-TimeZone -Id 'FLE Standard Time'

# To get IDs
Get-TimeZone -ListAvailable

# To get current timezone
Get-TimeZone

How to configure entra connect sync filtering

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Sep 2025 17:51:55 GMT

[MSFT has good documentation around this.](Microsoft Entra Connect Sync: Configure filtering - Microsoft Entra ID | Microsoft Learn)

There are a few filtering options available:

Group-based
Domain-based
OU-based
Attribute-based

Our requirement is to not sync some objects having a certain extension attribute. The difference is the cloudFiltered attribute which should be True if you want to filter these objects.

Here are the steps to follow for adding attribute based inbound filtering:

Pre-tasks

Disable the synchronization scheduler.

Import-Module ADSync
Set-ADSyncScheduler -SyncCycleEnabled $False

Enable staging mode.

Activity

Start Synchronization Rules Editor. Make sure inbound is selected and click add new rule.
In description,
1. Add rule name and description.
2. In CS object type, select whatever is required - for example, user.
3. In MV object type, select relevant item - for example, person for user.
4. In Link Type, select Join
5. In Precedence, type a value that isn't currently used by another synchronization rule
In scoping filter,
1. click add group and click Add Clause.
2. Under Attribute, select the appropriate value, example extensionAttribute1
3. Under operator, select the appropriate value, example startswith
4. Under value specify the value, for example A
5. Click Next
Leave Join rules empty
Under Transformations
1. Click Add Transformation,
2. select the FlowType as Constant
3. select cloudFiltered as the Target Attribute.
4. In the Source text box, type True.
5. Click Add to save the rule.

Apply and verification

Do full sync.

Start-ADSyncSyncCycle -PolicyType Initial

After the synchronization, all changes are staged to be exported. Before you actually make the changes in Microsoft Entra ID, you want to verify that all these changes are correct.
Start a command prompt, and go to C:\Program Files\Microsoft Azure AD Sync\bin.
Run the following

csexport "Name of Connector" C:\Temp\export.xml /f:x

Run the following

CSExportAnalyzer 'C:\Temp\export.xml' > 'C:\Temp\export.csv'

The csv contains the changes to be exported.
Verify and proceed if happy with the changes it will make.
Remove staging mode.
Re-enable the sync scheduler

Set-ADSyncScheduler -SyncCycleEnabled $True

Enable or install windows defender on Windows server

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Sep 2025 17:51:25 GMT

# Get feature status and find Windows-Defender
Get-WindowsFeature

# Intall using
Install-WindowsFeature -Name 'Windows-Defender'

Write more

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Sep 2025 06:56:40 GMT

Should I write more or less has been a constant tension that I have felt over time. Should I write and publish essays like Craig Mod, polished things, which exist on their own. Or should I write more, publishing links as I go along, little thoughts, things I’ve learned and so on. Not super polished, but living documents, which I can edit over time.

Over the course of redesigning the website and ensuring I have a place to do both, I have found myself writing more and more. I used to think what’s the point of a link blog, sure someone else reading it might get some benefit out of it. But what benefit do I get from writing those?

I think two-

As a personal bookmark for things and ideas that I could refer to later
It just contributes to the volume

And this second point is what I have realised recently. Yesterday while walking, in fact.

The more I write, the more I practice this muscle that I have, the easier it gets. I am writing more in the daily note - a journal, more micro posts, more evergreen notes, and so on.

The more I write - the more I write.

Always, write more.

Humans and algorithms think differently when coming to a decision

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Sep 2025 07:25:34 GMT

Humans take one or two factors into consideration when deciding on something. These factors may be reached by further subconscious factors.

While algorithms refer to a multitude of factors. When asked to explain it’s decision an algorithm may point to pages upon pages of reasons why it took a decision.

Algorithms affect what we post on the socials

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Sep 2025 07:25:15 GMT

In order to maximise engagement, algorithms figured out that incendiary things drive more engagement, so they promoted that content.

Once people figured out that that is the stuff more likely to be viral or popular they started making that stuff.

This is also noticed in how YouTubers have to change how they make things - the image for the video for example, based on whatever the YouTube algorithm wants.

When someone has been dead for a while

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 30 Aug 2025 08:50:28 GMT

When someone has been dead for a while, you don’t remember how they look. Their image, in your mind becomes muddied. The image is not that sharp. It feels like you are looking at them through a muddied window or without eyeglasses.

It happens gradually of course. Perhaps because there’s peace in that, peace and a respite from suffering.

In your mind’s eye, this new image, this muddied not-so-sharp image is the correct image. It’s how they looked.

Recently, I got a picture of my mother, cropped, sharpened so I could put it on a wall in my home. The first time I saw that picture, I thought this is not right. This is too sharp. This is artificial. But I just did not remember her face that well.

It had felt that way since the day I had put up her picture on the wall. Something felt wrong all these months.

Today, as I saw her smiling face, I felt recognition. I saw her, and remembered her. I felt glad to have spent the extra money on this picture to get it sharpened.

Someone somewhere had said this once -

Dead people die twice. Once when they die. And the other time when people stop talking about them.

The things I write on my blog

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 30 Aug 2025 08:47:22 GMT

The first step is to figure out the things I write and a brief description of those things. Then, we can move onto how those could be organised.

Links with a little occasional commentary from my end
Notes on something I came across - written in my words with links/quotes where needed
Notes on books I’ve read
Weekly newsletter - nordletter
TILs - notes on things I’ve learned
Short stories
Poems

Why journal

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 30 Aug 2025 08:42:24 GMT

I was not into journaling for a long time. Maybe I would write something if I was feeling particularly sad, or happy, if I had achieved something that I would want to remember. But I wasn’t consistent with it. While reading Derek Sivers’ talk about their daily journaling practice, I felt I needed to be consistent with it. Consistency was the point.

Today, I read Victoria Song talk about journaling, especially this part:

Some days, it’s abundantly obvious what you should write about. A great tragedy, a joyous occasion, an event you’ve been looking forward to — anything that sparks a strong emotion is an obvious prompt. But most days pass without much happening at all, forcing you to sift through mundane minutiae to find anything worth recording. That’s the point. Honing your discernment, exercising your brain, wracking your vocabulary to find the right phrase to express your inner world. These are not things that are supposed to be easy.

I felt motivated to write about my own reasons. Here they are:

As future notes to myself, as random things I might read back on. As things my future self might reference.
As a kind of therapy, a signal to wind down after a long day.
So that one day, if Savya wants to, he could train an AI on these notes and ask the AI, if Dad were here, what would he think, or say.

Principles

Do daily journaling, preferably at the end of the day.
- If it’s not possible to do it at the end of the day, do it early next morning
Write anything
- What I did
- What happened and how it made me feel

The keyboard shortcuts I use in Obsidian

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 30 Aug 2025 08:42:13 GMT

Open daily note - Cmd+D
Create unique note - Cmd+Shift+Z
Show file explorer - Cmd+Shift+E
Insert current date - Cmd+Shift+D
Close current tab/note - Cmd+Shift+X
Move note to different folder - Cmd+M

Configure mobile quick action on Obsidian

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 29 Aug 2025 10:37:58 GMT

I have two shortcuts I use to publish micro blog to my website -

Linkblog - which takes a selection from a url and pastes that url and add the selection as a quote, and,
Publish to Astro - Which moves the note to a folder from where I can run git sync

The Publish to Astro shortcut is available from the share button. To do this was a multi step process:

Click the three dot button
Scroll down
Click share
Then select the Publish to Astro shortcut

Today I update the mobile quick action (pull down in the ios app) to share.
This removes steps 1-3 from the workflow above and makes it simpler to run the publish to Astro shortcut.

To configure:

Go to settings > Toolbar > Configure mobile quick action
Click configure and set it as share.

This can be set to other options also previously I had set it to open the search bar, but that is available by default in the app, so it’s not needed anymore!

Majority of the organisations are not seeing any monetary benefits from deploying AI

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 22 Aug 2025 05:05:43 GMT

Bank Forced To Rehire Workers After Lying About Chatbot Productivity, Union Says - Slashdot

As banks around the world prepare to replace many thousands of workers with AI, Australia's biggest bank is scrambling to rehire 45 workers after allegedly lying about chatbots besting staff by handling higher call volumes

This aligns with a previous study out of MIT with similar findings.

The GenAI Divide: State of AI in Business 2025, a new report published by MIT’s NANDA initiative, reveals that while generative AI holds promise for enterprises, most initiatives to drive rapid revenue growth are falling flat.

Despite the rush to integrate powerful new models, about 5% of AI pilot programs achieve rapid revenue acceleration; the vast majority stall, delivering little to no measurable impact on P&L. The research—based on 150 interviews with leaders, a survey of 350 employees, and an analysis of 300 public AI deployments—paints a clear divide between success stories and stalled projects.

Analogical thinking

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 20 Aug 2025 19:17:51 GMT

Read about this first in Range.

Analogical thinking allows us to use existing things to explain new things.

The more analogies we use to explain something, the better. The more diverse places these analogies are from, the more likelier we are to find a solution.

It is better to look at deeper relations between things than surface level things like category, or domain.

As an example - sweating and fed are both examples of negative feedback loops. If we sweat more, we don't need to sweat that much. The fed controls monetary policy to increase or decrease spending, if spending increases, then it does the opposite.

How to learn effectively

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 20 Aug 2025 19:13:19 GMT

Read about this in Range

Humans are very good at doing the least amount of work to produce a solution. So, in class or while learning, we end up figuring out the rules to get to the solution. If these rules are not what the teacher wants us to learn, then the learning is ineffective.

Getting hints while working on a problem improves short term performance but harms long term learning.

There are three science based methods that one could use to help with long term learning - spacing, testing and making connections problems.

Making connections problems
Spaced repetition - Waiting between practice sessions of the same thing
Testing effect/Retrieval practice/Generation effect - When you are forced to recall something, it helps with further learning, even if you recall it wrong. The act of trying to recall strengthens your memory of that event.

How to check windows upgrade errors

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Aug 2025 14:11:23 GMT

Windows update log filesare present under $Windows.~BT\Sources\Panther. There are two files setupact.log and setuperr.log.

Additionally, during upgrade setupdiag automatically creates logs under %windir%\logs\SetupDiag\SetupDiagResults.xml.

This above file will be useful as it has the appropriate message.

Check at what stage the error occurred, and what is the error code, which can be checked against Win32_Error codes.

For example:

0x00000070 - ERROR_DISK_FULL

ESX update fails with error 15

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Aug 2025 09:59:30 GMT

Check in /var/run/log/esxupdate.log file, better to run the following and let it write the logs to a temporary file.

tail -f /var/log/esxupdate.log > /tmp/esxupdate.log

It will have error like:

> cat /tmp/esxupdate.log | grep -i 'error'  
2025-08-12T09:44:57Z Er(11) esxupdate[2109082]: An esxupdate error exception was caught:  
2025-08-12T09:44:57Z Er(11) esxupdate[2109082]: esxutils.EsxcliError: Errors:  
2025-08-12T09:44:57Z Er(11) esxupdate[2109082]: Error getting data for filesystem on '/vmfs/volumes/67c5a845-d967bb36-da89-0025b502014f': Cannot open volume: /vmfs/volumes/67c5a845-d967bb36-da89-0025b502014f, skipping.  
2025-08-12T09:44:57Z Er(11) esxupdate[2109082]: esximage.Errors.InstallationError: Failed to query file system stats: Errors:  
2025-08-12T09:44:57Z Er(11) esxupdate[2109082]: Error getting data for filesystem on '/vmfs/volumes/67c5a845-d967bb36-da89-0025b502014f': Cannot open volume: /vmfs/volumes/67c5a845-d967bb36-da89-0025b502014f, skipping.

Fix is to remap the LUN. The issue is that the LUN may be in use.

references:

Patching an ESXi host fails with error "esxupdate returned with exit status: 15"

List vmfs volumes along with naa id

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Aug 2025 09:57:30 GMT

This commands lists naa id, vmfs id and datastore name. We can grep to search for a particular vmfs volume.

esxcli storage vmfs extent list

references:

How to show password passed using secure password

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 08 Aug 2025 11:53:48 GMT

Mostly for troubleshooting

# if $ADCreds is the created password credential variable

$ADCreds.GetNetworkCredential().password

references:

Asking Claude to create a calendar entry from a screenshot

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 04 Aug 2025 09:53:07 GMT

I wrote about new updates to claude recently, in which there was a mention of using Claude to create calendar entries.

I tried that today.

I went to ManUtd app. Yes, I’m a United fan.

I took a screenshot of the upcoming games and asked it to convert it to calendar entries.

Worked like a charm!

It created three entries for the upcoming games in August. Ideally the ManUtd app should give an option to add the entire schedule to your calendar but then they would remove one option for people to open the app. So, they don’t.

Anyway.

Forcefully uninstall software from windows

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 29 Jul 2025 18:40:19 GMT

Download tool and run.

references:

Fix problems that block programs from being installed or removed - Microsoft Support

Update esxi with required version of vmware tools

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 28 Jul 2025 12:37:32 GMT

By default each esxi release come bundled with a specific vmware tools release. Automatic upgrade option for VMs checks against this version.

To find VMware tools version on host:

esxcli software component get | grep VMware-VM-Tools -B 1 -A 14

Using baseline method

Download the VMware tools VIB package.
1. Go to VMWare console > Downloads > Log in to the Broadcom Support portal.
2. On the left hand side menu, click My Downloads.
3. In the search bar in the upper right side of the page enter "VMware vSphere"
4. Choose VMware vSphere
5. Under Products tab, select VMware VSphere Enterprise and appropriate version.
6. Click View Group on the right side of the VMware tools item.
7. Use the drop-down in the upper-right to choose the desired version.
Upload VIB package to Lifecycle manager
1. Click actions > Import updates
2. Select vib zip file
After upload is completed, create a new baseline with both esxi host and vmware tools, or,
1. Create different packages.
This does not require reboot

Other ways:

Create a common repository with whatever version you want to maintain
1. This requires a common datastore to be accessible to all hosts, which might not be possible
Using images in VMware Lifecycle management
1. Needs all hosts to be the same hardware, etc.

references:

Options for Updating VMware Tools at Scale - VMware Cloud Foundation (VCF) Blog

Powershell set atrributes for AD groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 22 Jul 2025 10:38:02 GMT

Use the -Instance property with set-aduser

The Instance parameter provides a way to update a group object by applying the changes made to a copy of the object. When you set the Instance parameter to a copy of an Active Directory group object that has been modified, the Set-ADGroup cmdlet makes the same changes to the original group object. To get a copy of the object to modify, use the Get-ADGroup cmdlet. The Identity parameter is not allowed when you use the Instance parameter. For more information about the Instance parameter, see the Instance parameter description.

The issue occurs when trying to use -replace with a null value. It fails. In those cases just set the values to an AD object and use the -instance parameter.

references:

Google AI leader

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 21 Jul 2025 08:55:45 GMT

This is a certification quest for the summer. The certification being the Google Generative AI leader certification.

The goal is to learn about GCP AI offerings and how they work in practice.

I cleared this exam on August 21, 2025.

Mixed format books

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 16 Jul 2025 21:44:06 GMT

I have discovered audiobooks recently. Before this, of course I was not a big fan of audiobooks. I was unsure, I was a bit of a purist. I used to feel that if you want to read a book, you know, read a book.

Of course I also used to be someone who wrote everything that they wrote on a keyboard. These days I am asking Wispr Flow what to type and it does that.

Speech is natural and it is fast.

The second thing is about time.

I bought a car recently. And what that has meant is the time I used to have sitting in a metro reading a book is just not there anymore. So I can either listen to songs on my way to work (which is a 30-minute approximately drive one way) or listen to podcasts, or the third thing being listen to audiobooks. I have picked the last thing.

Of course, another factor nudging me in that direction was molly White's YouTube video where she talked about how she was able to read so much. A secret? Audiobooks and reading 3-4 books at a time.

This is something that I have realized as well. There are some books, mostly nonfiction, where you want to be reading it because, at least that's how I think, those books require you to concentrate more and reading a book allows you to concentrate more. What I've found in my limited experience is that fictional books are better as audiobooks or books in which you are telling a story. Those could be like literary nonfiction as well.

Because, with audiobooks, most of the time you are doing something while you are reading the book or listening to it.

Here's the thing. I had this thought today while I was in the break area. It's where I usually have my phone out and I'm reading through my RSS feed on Net News Wire.

And I had this thought today, "Wouldn't it be better if I could just continue reading the book I was listening to while I was driving?"

It's simple: the idea is that I should be able to pick up where I had left off, and if I want to, start reading the book.

I don't think technically it is something that is out of reach for people. Of course, the quality of the voice doing the narration for an audiobook varies. It varies a lot. If you used a simple text-to-speech engine with Whisper and everything else they have gotten good enough, I feel.

Yesterday, I wrote about a Notebook LM launching a new feature. I feel Notebook LM, as a product, has shown that text-to-speech products are good enough. Kindle could add this feature to their app, wherein you could just ask it to read your book. You don't need a separate Audible app for that.

I think it's a simple enough idea and it's easily achievable. The problem, I think, is with the fact that the book companies won't license you the rights. It's about money at the end of the day.

But I think in terms of experience, it's a better thing, a better product that you could consume your book how you want to.

There are two excellent examples for this:

A book I started reading today itself, which is available as a book on the web, as a PDF download, as Mobi, as a podcast, or as a single MP3 file. It's called "Resilient Web Design". That is something that made me think about it.
The second one that I can think of now was Derek Sivers and his idea that once you buy the book, you know just if you want to get a physical book, pay for the print and the other editions come with it. Same for if you just want the digital, you'll get the PDF, EPUB, whatever, all of those in one go.

The technology I think clearly exists to make it happen. Hopefully someone does make it happen. I would love to be able to pick up a book, read, then listen to it on my way back or something, and then pick it up and start reading it again, having it sync automatically through all the states.

I think it would be a great experience.

How to save markdown documents using Apple shortcuts

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 16 Jul 2025 08:13:39 GMT

The Save File component saves file as .txt even if you specify the complete name with .md.

The trick is to use the Rename File component just after the Save File component to rename the created .txt file as .md.

The goal with yoga

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 13 Jul 2025 09:19:43 GMT

I had written sometime back on Mastodon, and I am paraphrasing here, that with yoga it felt like I was trying to get back to how my body was when I was a child.

I had this realisation after looking at Savya doing all the things I was trying to do effortlessly. Savya was able to bend his back, his feet everything and just sit there like that.

The goal with yoga, is to be able to do the poses, effortlessly. Most days I am huffing as I go through the surya-namaskar. The goal is to be able to flow, to not feel minimal effort.

Homes can’t be considered both an investment and affordable enough for everyone to own

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 11 Jul 2025 10:26:50 GMT

Heard about this in Abundance: How We Build a Better Future.

Homes can’t be both investments and affordable enough for everyone to own.

For a home to be a good investment, its price has to increase. For that to happen:
You have to control how many homes can be built
1. If supply is low then price increases
2. With zoning permits and laws you can control which type of homes can be built which would control who can afford those homes

About AI browsers

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 11 Jul 2025 08:50:15 GMT

OpenAI’s next big launch could be an AI web browser

OpenAI is planning to launch an AI web browser in the “coming weeks,” according to a report from Reuters. Sources tell the outlet that OpenAI could build its Operator AI agent into the browser, allowing it to book reservations, fill out forms, and complete other tasks on a user’s behalf as it moves toward an “agentic” future.

Quite a few companies are working on building AI browsers - Perplexity, OpenAI and The Browser Company. I have not tried any by now.

All these companies seem to have the same vision - they will use the browser for us, book stuff, search stuff, etc. I don’t know how I feel about that, tbh.

How to use Policy Analyzer tool to compare GPO settings

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 10 Jul 2025 12:38:27 GMT

gpresult and using Get-GPOreport does not work because it can export output in .xml or html but PolicyAnalyzer wants backup format

Policy Analyzer can ingest four types of GPO files: registry policy files, security templates, audit policy backup files, and backup.xml files that reference Group Policy client side extensions (CSEs) required by settings in the GPO.

There are two ways to do this:

On the DC you can use this snippet to create backup of all GPOs that apply to a specific OU

# Specify the OU  
$OU = ""

# Get GPO links for the OU  
$GPOs = Get-GPInheritance -Target $OU | Select-Object -ExpandProperty InheritedGpoLinks

# Loop through the GPOs and generate reports  
foreach ($GPO in $GPOs) {  
  $Name = $GPO.DisplayName
  Backup-GPO -Name $Name -Path "C:\Temp\GPOBackups\"  
}

On a member server or local server, use LGPO.exe tool

lgpo.exe /b <foldername>

references:

How to increase event log size on Windows server

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 27 Jun 2025 10:38:34 GMT

Through GPO

Computer Configuration\Administrative Templates\Windows Components\Event Log Service\
1. Subordinate folders exist by default, select the appropriate one and set the max log size

PowerShell override

wevtutil sl Security /ms:3145728

How to check log size

wevtutil gl Security | findstr /i "maxSize"

references:

Event Log | Microsoft Learn

ESXi install fails with run time error - disk device does not support osdata

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 06 Jun 2025 09:38:41 GMT

If the disk is too small, then this issue can come.

references:

Changing the default size of the ESX-OSData volume in ESXi 7.0

The biggest change to the partition layout is the consolidation of VMware Tools Locker, Core Dump and Scratch partitions into a new ESX-OSData volume (based on VMFS-L). This new volume can vary in size (up to 138GB) depending on a number of factors including the current ESXi boot media (USB SD-Card, Local Disk) but also the size of the device itself, which is explained in the official documentation.

New Kernel options available on ESXi 7.0

Get list of open shares on Windows server

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 23 May 2025 09:38:46 GMT

Get-SmbOpenFile | select @{Name="Timestamp"; Expression={Get-Date}},Path, ClientUserName | Export-CSV -Path C:\SupportFilesWindows\Logs\openfiles.csv -Append -Encoding UTF8 -NoClobber -NoTypeInformation

references:

How to trigger manual replication in DC

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 14 May 2025 20:38:51 GMT


repadmin /syncall /AdeP

# - `/A` – All partitions
# - `/d` – Identify servers by distinguished name
# - `/e` – Enterprise (cross-site)
# - `/P` – Push replication

GUI

Go to AD sites and services.
Go to site > servers > DC > NTDS settings.
Under that replication links will be present. Right click and sync now.

references:

Install drivers on esxi using vibs

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 08 May 2025 13:38:51 GMT

Copy vib to the esxi.
Run the following command.

# The path has to be absolute, absolute path starts from root. so /tmp/

#for install
esxcli software vib install -v /tmp/MEL_bootbank_nmst_4.14.3.3-1OEM.700.1.0.15525992.vib
esxcli software vib install -d {OFFLINE_BUNDLE}

# For update
esxcli software vib update -v {VIBFILE}
esxcli software vib update -d {OFFLINE_BUNDLE}

references:

Install HPE driver on ESXi 6.7 - Hewlett Packard Enterprise Community

Get ACL for AD object

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 05 May 2025 09:39:14 GMT

Import-Module ActiveDirectory

# Define the distinguished name (DN) of the AD object
$objectDN = "CN=YourObjectName,OU=YourOU,DC=YourDomain,DC=com"

# Get the ACL for the AD object
$acl = Get-ACL -Path "AD:$objectDN"  

# Display the ACL
$acl.Access | Format-Table -Property IdentityReference, ActiveDirectoryRights, AccessControlType, IsInherited, InheritanceFlags, PropagationFlags

references:

How to check replication status on DC

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 30 Apr 2025 20:39:20 GMT

# For summary
repadmin /replsummary

# For specific DC
repadmin /showrepl <DCName>

# To check replication partners
repadmin /showreps <DCName>

references:

Building scdotnetv3 on Astro

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 21 Apr 2025 17:41:49 GMT

I am still building this website on Astro. I think I have an MVP already. The site exists and I have been posting to it continuously. But of course, if you go and look at certain places, and pages, you would know that there is still a lot left to do.

ESXi firmware upgrade baseline fails to apply with incompatible message

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 18 Apr 2025 18:39:37 GMT

In the message, it will show the list of VIBs that are causing problems.

For example, on cisco blade, some hpe related firmware is present.

esxcli software vib list | grep -i hpe
amsd                           701.11.9.0.9-1OEM.701.0.0.16850804    HPE     VMwareAccepted    2023-09-02
amsdv                          701.11.3.0.17-1OEM.701.0.0.16850804   HPE     VMwareAccepted    2023-09-02
fc-enablement                  700.3.9.0.4-1OEM.700.1.0.15843807     HPE     PartnerSupported  2023-09-02
hpe-upgrade                    1.4.1-1OEM.700.1.0.15843807           HPE     PartnerSupported  2023-09-02
ilo                            700.10.8.0.6-1OEM.700.1.0.15843807    HPE     PartnerSupported  2023-09-02
ilorest                        700.4.0.0.0.32-15843807               HPE     PartnerSupported  2023-09-02
sut                            701.4.1.0.8-1OEM.701.0.0.16850804     HPE     VMwareAccepted    2023-09-02
vnic-enablement                700.2.10.10-1OEM.700.1.0.15843807     HPE     PartnerSupported  2023-09-02

Remove these vibs.

 esxcli software vib remove -n amsdv

After removing problematic vibs, reboot and check compliance again.

references:

dcpromo fails with access denied error

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 16 Apr 2025 17:39:48 GMT

This can happen during demotion.

Check that the computer object - prevent object from accidental deletion is not ticked on.
The second thing is to check the GPO > Default domain policy > Windows settings > Security Settings > Local Policies > User Right Assignment > Enable computer and user accounts to be trusted for delegation. Add the Administrator in it . Then run gpupdate.

references:

VMware change NIC order

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 11 Apr 2025 09:40:00 GMT

There is a bug in Cisco Hardware which causes vmnics to get assigned in wrong order after esxi install. As a workaround we can change the vmnic order from esxi level.

localcli --plugin-dir /usr/lib/vmware/esxcli/int/ deviceInternal alias list
esxcfg-nics -l --> check the mac addresses, figure out which vmnic should have which mac
localcli --plugin-dir /usr/lib/vmware/esxcli/int/ deviceInternal alias store --alias vmnic1 --bus-address s00000001:03.01 --bus-type pci - update physical alias.
localcli --plugin-dir /usr/lib/vmware/esxcli/int/ deviceInternal alias store --bus-type logical --alias vmnic1 --bus-address "pci#s00000001:03.01#0" - update logical address

[root@FIESOPLPRTESX13:~] localcli --plugin-dir /usr/lib/vmware/esxcli/int/ deviceInternal alias list
Bus type  Bus address            Alias
--------  ---------------------  --# references:
[How VMware ESXi determines the order in which names are assigned to devices](https://knowledge.broadcom.com/external/article/324534/how-vmware-esxi-determines-the-order-in.html)

Find paths longer than 260 characters

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 08 Apr 2025 18:40:06 GMT

When running Get-ChildItem or Get-Acl, we might come across this issue.

In the Windows API (with some exceptions discussed in the following paragraphs), the maximum length for a path is MAX_PATH, which is defined as 260 characters.


# This gets everything, we can optionally just search for directories as well
Get-ChildItem –Force –Recurse –ErrorAction SilentlyContinue –ErrorVariable AccessDenied

# Then find the paths using this error variable
$AccessDenied |
Where-Object { $_.Exception -match "must be less than 260 characters" } |
ForEach-Object { $_.TargetObject }

references:

Naming Files, Paths, and Namespaces - Win32 apps | Microsoft Learn
Maximum Path Length Limitation - Win32 apps | Microsoft Learn

Hosting shut up & write

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 30 Mar 2025 17:41:49 GMT

One hour uninterrupted sessions in meeting rooms at the libraries.
Started on 6th April, 2025.

How to add custom attributes to AD

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 25 Mar 2025 11:40:33 GMT

Pre-requisites

Make sure you have schema admin rights

Steps

Go to mmc > active directory schema.
- In the Active Directory Schema administrative tool, do a right-click on Attributes and then select Create Attribute…
- Click on Continue (The warning that is displayed is to inform that the creation of a new Active Directory attribute is not a reversible operation and that it cannot be removed once done)

references:

Configure PDC with authoritative Time source

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 25 Mar 2025 10:40:26 GMT

To configure time synchronization through registry edit on the PDC emulator:

Open Registry Editor (regedit.exe).
Navigate to the following registry key: HKLM\System\CurrentControlSet\Services\W32Time\Parameters.
To use a specific NTP source, modify the Type value to NTP.
Modify the NtpServer value to contain the NTP server to synchronize time with followed by 0x8, for example 131.107.13.100,0x8. Multiple NTP servers must be space-delimited, for example 131.107.13.100,0x8 24.56.178.140,0x8
Open an administrative Command prompt and execute the following command: w32tm /config /update.

references:

Recommendation - Configure the Root PDC with an Authoritative Time Source and Avoid a Widespread Time Skew | Microsoft Learn

Set ACL using CLI

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 12 Mar 2025 07:40:41 GMT

There are two options:

icacls
PowerShell

# Path
$Path = ""

# Permissions that need to be set
$identity = "GT-DLPscan-R"
$fileSystemRights = "Read"
$type = "Allow"
$inheritance = "ContainerInherit,ObjectInherit"
$propagation = "None"

# Create rule

$rule = New-Object System.Security.AccessControl.FileSystemAccessRule($identity, $fileSystemRights, $inheritance, $propagation, $type)

## Get ACL
try {
	$Acl = Get-Acl -Path $Folder -ErrorAction Stop
	# Add the new rule to folder rules
	$Acl.SetAccessRule($rule)
	# Set ACL
	$Acl | Set-Acl -Path $Folder -ErrorAction Stop
} catch {
	$Error = "Unable to set acl. Error : $_"
	Write-Host $Error
}

Typical file system rights

Name	Value	Description
ListDirectory	1	Specifies the right to read the contents of a directory.
ReadData	1	Specifies the right to open and copy a file or folder. This does not include the right to read file system attributes, extended file system attributes, or access and audit rules.
CreateFiles	2	Specifies the right to create a file. This right requires the `Synchronize` value.
WriteData	2	Specifies the right to open and write to a file or folder. This does not include the right to open and write file system attributes, extended file system attributes, or access and audit rules.
AppendData	4	Specifies the right to append data to the end of a file.
CreateDirectories	4	Specifies the right to create a folder This right requires the `Synchronize` value.
ReadExtendedAttributes	8	Specifies the right to open and copy extended file system attributes from a folder or file. For example, this value specifies the right to view author and content information. This does not include the right to read data, file system attributes, or access and audit rules.
WriteExtendedAttributes	16	Specifies the right to open and write extended file system attributes to a folder or file. This does not include the ability to write data, attributes, or access and audit rules.
ExecuteFile	32	Specifies the right to run an application file.
Traverse	32	Specifies the right to list the contents of a folder and to run applications contained within that folder.
DeleteSubdirectoriesAndFiles	64	Specifies the right to delete a folder and any files contained within that folder.
ReadAttributes	128	Specifies the right to open and copy file system attributes from a folder or file. For example, this value specifies the right to view the file creation or modified date. This does not include the right to read data, extended file system attributes, or access and audit rules.
WriteAttributes	256	Specifies the right to open and write file system attributes to a folder or file. This does not include the ability to write data, extended attributes, or access and audit rules.
Write	278	Specifies the right to create folders and files, and to add or remove data from files. This right includes the WriteData right, AppendData right, WriteExtendedAttributes right, and WriteAttributes right.
Delete	65536	Specifies the right to delete a folder or file.
ReadPermissions	131072	Specifies the right to open and copy access and audit rules from a folder or file. This does not include the right to read data, file system attributes, and extended file system attributes.
Read	131209	Specifies the right to open and copy folders or files as read-only. This right includes the ReadData right, ReadExtendedAttributes right, ReadAttributes right, and ReadPermissions right.
ReadAndExecute	131241	Specifies the right to open and copy folders or files as read-only, and to run application files. This right includes the Read right and the ExecuteFile right.
Modify	197055	Specifies the right to read, write, list folder contents, delete folders and files, and run application files. This right includes the ReadAndExecute right, the Write right, and the Delete right.
ChangePermissions	262144	Specifies the right to change the security and audit rules associated with a file or folder.
TakeOwnership	524288	Specifies the right to change the owner of a folder or file. Note that owners of a resource have full access to that resource.
Synchronize	1048576	Specifies whether the application can wait for a file handle to synchronize with the completion of an I/O operation. This value is automatically set when allowing access and automatically excluded when denying access.
FullControl	2032127	Specifies the right to exert full control over a folder or file, and to modify access control and audit rules. This value represents the right to do anything with a file and is the combination of all rights in this enumeration.

Useful combined chart

Desired Outcome	Inheritance	Propagate
Subfolders and Files only	ContainerInherit,ObjectInherit	InheritOnly
This Folder, Subfolders and Files	ContainerInherit,ObjectInherit	None
This Folder, Subfolders and Files	ContainerInherit,ObjectInherit	NoPropagateInherit
This folder and subfolders	ContainerInherit	None
Subfolders only	ContainerInherit	InheritOnly
This folder and files	ObjectInherit	None
This folder and files	ObjectInherit	NoPropagateInherit

Inheritance values

To provide combined value, need to add numbers, so Container+Object is 3.

Name	Value	Description
None	0	The ACE is not inherited by child objects.
ContainerInherit	1	The ACE is inherited by child container objects.
ObjectInherit	2	The ACE is inherited by child leaf objects.

Propagation inherit values

Name	Value	Description
None	0	Specifies that no inheritance flags are set.
NoPropagateInherit	1	Specifies that the ACE is not propagated to child objects.
InheritOnly	2	Specifies that the ACE is propagated only to child objects. This includes both container and leaf child objects.

references:

PropagationFlags Enum (System.Security.AccessControl) | Microsoft Learn
InheritanceFlags Enum (System.Security.AccessControl) | Microsoft Learn
FileSystemRights Enum (System.Security.AccessControl) | Microsoft Learn
Directory Security and Access Rules - Damir Dobric Posts - developers.de

Installing remote desktop on standalone server

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 10 Mar 2025 11:40:49 GMT

Basically install Remote Desktop Session Host role.
Note: Might require 2 reboots: 1 after role install, 1 for licensing to look OK on the server.

references:

Install RDS role service without Connection Broker - Windows Server | Microsoft Learn

How to upgrade Domain Controller

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 08 Mar 2025 08:41:01 GMT

In-place upgrade is not suggested. The approach to take is deploy a new server, dcpromo the old one out, rename, give the same IP, dcpromo the new one in.

Steps

Pre-reqs

Steps
Copy or take screenshots of the DNS server settings on old DC server
Copy or take screenshots of the TCS/IP server settings on old DC server
Check domains and trusts module to see if there are any trusts relationships. There should not be any but just validate.
Export tasks in Task Scheduler from old DC server
Import tasks into Task Scheulder in the new DC server
Run command netdom query fsmo and ensure that old DC is not running any FSMO roles - 202412051521 Moving fsmo roles
If old DC is running FSMO roles than transfer them to other existing DC server

Activity

Steps
On day of change run Dcpromo and demote old DC server
Once demotion is completed perform AD validations on old other DC server i.e. dcdiag and repadmin/replsummary
Check and verify that nslookup for kehi.okobank.net shows only old KEHIDC1 IP addresses
Check and see if old KEHIDC3 computer account is still Domain Controller OU or has moved to Computers OU
On old KEHIDC1 you use NTDS util to check and see if KEHIDC1 is still the only DC listed
Once steps 10,11,12 are successful you can shutdown the old KEHIDC3 server
Ensure the TCP/IP server settings on the new Server match that of the old server as per the screenshots taken
Reset the KEHIDC3 computer account in AD and change the name and IP address of the new server to KEHIDC3 and the old IP
Run Dcpromo on the new server and promote it to install all the Active Directory Roles.
Install the AD directories onto the D drive of the server.
Once server installs all the roles and restarts, perform AD validations on both KEHIDC servers i.e. dcdiag and repadmin/replsummary
Check and verify that nslookup for kehi.okobank.net shows both KEHIDC IP addresses
Check and see if KEHIDC3 computer account is now in Domain Controller OU
On old KEHIDC1 you use NTDS util to check and see if both KEHIDC's show are listed
Ensure the DNS server settings match that of the old server as per the screenshots taken
Once steps 18,19,20 are successful ensure all the required agents and their services are running
Drop mail to Solarwinds, Backup, AzureCCC team to ensure that their agents on this new DC are working properly.
Once all above steps are done ensure the imported tasks are running in task scheduler, than server can be handed over to Kauko

Commands

references:

Find out authentication logs in VMware vCenter

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 06 Mar 2025 12:41:09 GMT

Related to 202303211323 VMware logs

Log in to vCenter appliance.
Go to /var/log/vmware/applmgmt-audit.
Check the lgos.

cat applmgmt-audit.log | grep -i <username>

references:

Diagnosing Account Permission Issues in vCenter Server Using Log Analysis

AD Database files location

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 26 Feb 2025 10:41:26 GMT

Check in registry: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\NTDS\Parameters


Database log files path  
DSA Database file

Default: \Windows\NTDS.

references:

Windows Server 2022 permissions on the Active Directory data files must only allow System and Administrators access.

Find KDC

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 26 Feb 2025 07:41:36 GMT

nslookup -type=srv _kerberos._tcp.YOUR-DOMAIN

references:

Disable TLS 1.0

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 22 Feb 2025 09:41:15 GMT


## Get current value. It should be Enabled:0 and DisabledByDefault: 1

Get-ItemProperty 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\'


Enabled           : 0
DisabledByDefault : 1
PSPath            : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client\
PSParentPath      : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0
PSChildName       : Client
PSDrive           : HKLM
PSProvider        : Microsoft.PowerShell.Core\Registry

## To disable
New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Server' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

New-Item 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'Enabled' -value '0' -PropertyType 'DWord' -Force | Out-Null

New-ItemProperty -path 'HKLM:\SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL\Protocols\TLS 1.0\Client' -name 'DisabledByDefault' -value 1 -PropertyType 'DWord' -Force | Out-Null

Write-Host 'TLS 1.0 has been disabled.'

references:

Manage SSL/TLS protocols and cipher suites for AD FS | Microsoft Learn

About system volume information

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 18 Feb 2025 08:41:45 GMT

# Take ownership
takeown /f "C:\System Volume information"  

# Grant permission
icacls "C:\System Volume Information" /grant domain\user:F

## Revert
icacls "C:\System Volume Information" /setowner "NT Authority\System"
icacls "C:\System Volume Information" /remove domain\user

System Volume Information drives usually contain snapshot.
Windows delete shadow copies

references:

How to Clean Up System Volume Information Folder on Windows | Windows OS Hub

Windows how to check firewall logs

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 14 Feb 2025 10:41:56 GMT

Run firewall.cpl > Go to advanced settings.
Under monitoring, under logging settings, paths are present. Click and check for any drops.

references:

Update firewall on VMware

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 13 Feb 2025 11:42:15 GMT

ipaddress is a string so can not have multiple items in one go. So need to loop for allowed IP addresses as a PowerShell Arrays, if many.

In case Ip already exists in rule, it gives error: InnerText: Ip address already exist.EsxCLI.CLIFault.summary

$arguments = $EsxCli.network.firewall.ruleset.allowedip.add.CreateArgs()
$arguments.rulesetid = $Service
$arguments.ipaddress = $IP
$EsxCli.network.firewall.ruleset.allowedip.add.Invoke($arguments)

references:

The ESXi host must configure the firewall to restrict access to services running on the host.

VMware List allowed IPs in firewall

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 13 Feb 2025 11:42:07 GMT


Get-VMHost | Get-VMHostFirewallException | Where {$_.Enabled -eq $true} | Select Name,Enabled,@{N="AllIPEnabled";E={$_.ExtensionData.AllowedHosts.AllIP}}

references:

Publish my poetry collection

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 21 Dec 2024 17:41:49 GMT

Working on collecting, editing and then publishing a collection of my poems.
A part of this is reading more poems. Currently reading 100 poems that matter.

Completed on 15th Feb, 2025 - A year of mornings is published and available to purchase.

Import GPO

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 Dec 2024 09:30:00 GMT

Take backup if there are any existing GPOs
Create a new GPO as neeeded.
In the list of Group Policy Objects, right-click the new GPO and select Import Settings….

references:

Importing a GPO file to an Active Directory Domain (In Domain)

Delete everything under a folder powershell

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 Dec 2024 09:10:00 GMT

Get-ChildItem -Path C:\Temp -Include *.* -File -Recurse | foreach { $_.Delete()}

references:

windows - Delete all files from a folder and its sub folders - Super User

Manually cleaning DFSR folder

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 Dec 2024 08:41:00 GMT

Quota can be checked in DFS management > Replication > Staging Quota


# Get folder list
WMIC.EXE /namespace:\\root\microsoftdfs path dfsrreplicatedfolderconfig get replicatedfolderguid,replicatedfoldername

# Clear quota
WMIC.EXE /namespace:\\root\microsoftdfs path dfsrreplicatedfolderinfo where "replicatedfolderguid='<RF GUID>'" call cleanupconflictdirectory

if the above does not work:

Stop the DFSR service.
Delete the contents of the ConflictAndDeleted folder manually (with explorer.exe or DEL).
Delete the ConflictAndDeletedManifest.xml file.
Start the DFSR service back up.

references:

Manually Clearing the ConflictAndDeleted Folder in DFSR | Microsoft Community Hub

Export certificate from certificate store

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 26 Nov 2024 09:22:00 GMT

Export-Certificate command can be used to export certificate in .cer or .p10.
Export-PfxCertificate to export private key


$CertToExport = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$Device*" }
Export-Certificate -Cert $CertToExport -FilePath $CertPath -Type CERT


$SecurePass = '123456' | ConvertTo-SecureString -AsPlainText -Force
    $CertToExport = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$Device*" }
    Export-PfxCertificate -Password $SecurePass -FilePath $CertPrivateKeyPath -Cert $CertToExport

references:

FSMO roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 12:35:00 GMT

ADDS is built upon mult-master DB model
Any DC can change configuration and it replicates to everyone
Some activities need to be controlled, so that's where FSMO comes in
Flexible Single Master Operation roles

references:

DNS delegation

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 12:08:00 GMT

We can create a delegated zone and allow app/teams to create entries as needed
This was for example, what is requested for storage appliance

references:

Types of DNS queries

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 11:58:00 GMT

Iterative

DNS server will respond with the best answer it has without querying any additional servers

Recursive

DNS server will work with other DNS servers to find an answer if it can not process by itself

references:

Conditional Forwarders

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 11:55:00 GMT

Forward specific DNS queries (for a domain) to external DNS servers, when it can't be solved internally.
If forwarders are not responding, it will use root hints
Uses recursive queries, which make resolution faster when compared to dns forwarders which use iterative query

references:

Types of DNS Zones

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 11:48:00 GMT

Primary Zone
1. R/W container
2. Standard and AD-Integrated
3. Only zones which can be edited
Secondary Zone
1. Keeps a RO copy of a primary zone
Stub Zone
1. RO copy of master zone but contains only NS and SOA [[202410171442 Types of DNS records|dns records]]
2. Not a replacement of secondary zone
3. Different from [[202410171455 Conditional Forwarders|conditional forwarders]]
Reverse Lookup Zone
1. Contains PTR [[202410171442 Types of DNS records|dns records]]

references:

Types of DNS records

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 17 Oct 2024 11:42:00 GMT

SOA (Start of Authority)
1. Created when a zone is created
2. Has settings like TTL, Primary server, responsible person, Expires after, etc
A and AAAA (Host)
1. Map FQDN to IP address
NS records
1. List all authoritative DNS servers for the zone
MX (Mail exchanger)
1. Specify MX server (Exchange or o365)
CNAME (Canonical/Alias)
PTR (Pointer)
1. IP to FQDN
SRV
1. Specify location of service
2. Helps locate the nearest DC for example

references:

Split brain DNS

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 15 Oct 2024 13:40:00 GMT

Depending on the source IP of the DNS request, DNS server provides different response.

Used when a server has both public and private records.

references:

Split-horizon DNS - Wikipedia

DNS data

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 15 Oct 2024 13:14:00 GMT

In Windows server, DNS data is kept under C:\Windows\System32\dns.

references:

Get account last lockout time

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 14 Oct 2024 08:54:00 GMT

Get-ADUser 'accountname' -Properties * | select accountexpirationdate, accountexpires, accountlockouttime, badlogoncount, padpwdcount, lastbadpasswordattempt, lastlogondate, lockedout, passwordexpired, passwordlastset, pwdlastset | format-list

references:

sshd issues

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 11 Oct 2024 11:43:00 GMT

Run the following:

PS C:\Windows\system32> sshd.exe
__PROGRAMDATA__\\ssh/sshd_config line 72: invalid quotes
__PROGRAMDATA__\\ssh/sshd_config: terminating, 1 bad configuration options



# For troubleshoot
PS C:\Windows\system32> sshd -ddd

# Version

PS C:\Windows\system32> sshd.exe -V
OpenSSH_for_Windows_9.5p1, LibreSSL 3.8.2

references:

How to use certreq to create a cert request

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 Sep 2024 10:07:00 GMT

Sample inf file

[Version] 
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=devname.fi.tcsecp.com"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=devname.fi.tcsecp.com"

[RequestAttributes]
CertificateTemplate = WebServer

Commands to submit request


certreq -new request.inf certnew.req

**certreq -submit -config "_<ServerName\CAName>_" "_<CertificateRequest.req>_" "_<CertificateResponse.cer>_"**

certreq.exe -accept $CertPath

Commands to export private key


## Export private key
## Provide password for secure cert below before running
$SecurePass = 'TCSlogon98765' | ConvertTo-SecureString -AsPlainText -Force
$CertToExport = Get-ChildItem -Path cert:\LocalMachine\My | Where-Object { $_.Subject -like "*$Device*" }
Export-PfxCertificate -Password $SecurePass -FilePath $CertPrivateKeyPath -Cert $CertToExport

references:

How to Request a Certificate With a Custom SAN | Microsoft Learn
Add SAN to secure Lightweight Directory Access Protocol (LDAP) certificate - Windows Server | Microsoft Learn

VMware set proxy

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 18 Sep 2024 11:58:00 GMT

We can not set noproxy in VAMI UI. It needs to be set in config file located at

/etc/sysconfig/proxy


# Example: NO_PROXY="www.me.de, do.main, localhost"
NO_PROXY="localhost, 127.0.0.1, 10.47.*.*, *.tcsecp.com"

references:

How to configure Proxy Settings for vCenter Server (broadcom.com)

Troubleshoot Entra Connect Issues

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 16 Sep 2024 12:27:00 GMT


Import-Module ADSyncDiagnostics
Invoke-ADSyncDiagnostics -PasswordSync

Example

Issue when password hash synchronization was set as Disabled and Entra connect health was in error state after [[202408271224 Migrate Entra Connect DB|Migrate Entra Connect DB]]

PS C:\Program Files\Microsoft Azure Active Directory Connect> Invoke-ADSyncDiagnostics -PasswordSync
Staging mode is enabled. Password Hash Synchronization does not work when staging mode is enabled.

references:

Troubleshoot password hash synchronization with Microsoft Entra Connect Sync - Microsoft Entra ID | Microsoft Learn

Entra Connect PS Module

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 16 Sep 2024 12:05:00 GMT


# ADSYncTOols
Import-module -Name "C:\Program Files\Microsoft Azure Active Directory Connect\Tools\AdSyncTools"

# Health Agent modules

#Under the following path 
# C:\Program Files\Microsoft Azure AD Connect Health Agent\Modules\

Import-Module 'C:\Program Files\Microsoft Azure AD Connect Health Agent\Modules\AdHealthConfiguration\AdHealthConfiguration.psd1'

references:

Disable SMBv1 on Windows

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 16 Sep 2024 09:36:00 GMT

Remove SMB v1

# Detect
Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# Disable
Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol

# SMB v1
# Detect 
Get-SmbServerConfiguration | Select EnableSMB1Protocol

# Disable
Set-SmbServerConfiguration -EnableSMB1Protocol $false

references:

How to detect, enable and disable SMBv1, SMBv2, and SMBv3 in Windows | Microsoft Learn

VMware esxi unable to reach DNS

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 11 Sep 2024 16:20:00 GMT

Check that DNS configuration is correct.
In dcui view, test management network, whether dns resolution works or not
Check the firewall configuration for dns. It needs to be selected in rules, then it will be enabled.

references:

ESXi set syslog

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 05 Sep 2024 08:17:00 GMT

Syslog.global.logDir --> Location where logs will be set
Syslog.global.logHost --> remote servers where logs are sent using the syslog protocol
slog.global.logDirUnique --> bool/whether unique directory will be created in logDir or not

references:

Configuring syslog on ESXi (broadcom.com)

Powershell measure script execution time

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 04 Sep 2024 11:19:00 GMT

# Use measure=command

Measure-Command {(Get-ChildItem -Recurse).Count}

references:

Delete vCLS VMs from ESXI

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 04 Sep 2024 07:33:00 GMT

Useful when trying to remove datastore from ESXi and the vCLS VM is running on it.

Putting esxi in MM just shuts off the VM and not delete it.

Fix

Change vCLS Mode to Retreat mode instead of

references:

Azure Resource Lock

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 Sep 2024 10:26:00 GMT

Azure Locks can be applied at [[202404061212 Azure Resources|resource]], [[202404051818 Resource Groups|resource group]] or [[202401101441 Azure subscriptions|subscription]] level
1. No lock at [[202404051803 Management groups|management group]] level
inherited
1. all child resources get the same lock
Types:
1. Ready Only - can not delete or update anything / similar to reader [[202404061316 Azure Roles|role]]
2. Delete - can read/modify but can not delete a resource

references:

Lock resources

How to assign licenses in Entra

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Aug 2024 16:30:00 GMT

Related to [[202312231437 Entra ID editions|Entra ID Licenses]]

[[202401101139 Entra ID users|Entra ID user]] can be assigned licenses from multiple places
- End result is sum of all licenses
- if same license is applied from multiple places, license is consumed once
Licenses can be assigned to dynamic [[202312242245 Entra ID Groups|entra groups]]
- however if rule is changed then removed users lose the licenses
Not possible to delete a [[202312242245 Entra ID Groups|entra group]] which has [[202312231437 Entra ID editions|Entra ID Licenses]] applied to it
Can delete a user who has [[202312231437 Entra ID editions|Entra ID Licenses]] applied
Licenses only apply to following
- Security groups
- M365 groups with securityEnabled=TRUE
Licenses only apply to first level for nested groups. so only direct members in a [[202312242245 Entra ID Groups|entra group]]

Steps

Go to Entra Admin Center.
Go to Identity > Billing > Licenses.
Select License and click Assign.
Select [[202401101139 Entra ID users|Entra ID user]] or [[202312242245 Entra ID Groups|entra group]] and assign.

references:

How to assign licenses to users
Group based licensing
Limitations and issues

Add custom domain to Entra ID

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Aug 2024 16:22:00 GMT

Have a custom domain registered with a registrar
Add a custom domain in [[202404011327 Entra ID|Entra ID]]
Create a custom record with the registrar
1. Entra only supports MX or TXT records
2. Also useful for [[202407271215 Create Azure DNS zone and records|Create Azure DNS zone and records]]/[[202404141450 Azure DNS|Azure DNS]]
After the above is done, come back to [[202404011327 Entra ID|Entra ID]] and verify

references:

Add custom Domain

Entra ID tenant

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Aug 2024 16:18:00 GMT

Dedicated and Trusted instance of [[202404011327 Entra ID|Entra ID]]
Created automatically when org signs up for MSFT digital subscription

references:

Create a tenant

Azure Bastion

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Aug 2024 13:50:00 GMT

Allows RDP/SSH connectivity to your virtual machines directly over TLS from portal or from clients on our machines
Can access [[202404161835 Azure VM Basics|Azure VM]] using their [[202407281228 Azure Private IP Address|Azure Private IP Address]] so no need to assign [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]]
No need to manage [[202404141419 Network Security Groups|NSG]] each time we add a VM

SKUs

Developer
- No access to peered [[202404121703 Azure VNet|VNets]]
- Connect linux vm with SSH
- connect windows VM with RDP
Basic
- Connect linux vm with SSH
- connect windows VM with RDP
Standard
- In addition to above, connect Linux VM with RDP and Windows VM with SSH
Premium

Subnet Requirements

need to create a subnet in vnet with name ‘AzureBastionSubnet’
Subnet size must be /26 or larger (/24,/25, etc)

references:

Overview

Entra Connect Password hash synchronization skipped in last 120 minutes

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Aug 2024 08:24:00 GMT

Need to restart Microsoft Entra Sync service.

references:

Microsoft Entra Connect Health - Alert Catalog - Microsoft Entra ID | Microsoft Learn

How to create P2S VPN

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 24 Aug 2024 09:55:00 GMT

How it differs from [[202408241251 How to create S2S VPN|S2S VPN]] is around authentication.
There are three types basically:

Certificate Authentication

references:

MS Docs

How to create S2S VPN

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 24 Aug 2024 09:51:00 GMT

From [[202408241243 How to create a VPN Gateway|How to create a VPN Gateway]], till VPN Gateway and then the rest.

Create a [[202404121703 Azure VNet|VNet]].
Create a [[202407151913 Azure VPN|Azure VPN Gateway]] subnet
Create a [[202407151913 Azure VPN|Azure VPN Gateway]].
Create a local network gateway.
Configure VPN device
Create a VPN connection.
Verify the connection.
Connect to a virtual machine.

references:

Create S2S VPN

How to create a VPN Gateway

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 24 Aug 2024 09:43:00 GMT

Related to [[202407151913 Azure VPN|Azure VPN]]

Create a [[202404121703 Azure VNet|VNet]]
Create a Gateway Subnet
1. /27 or larger (/24, /25, etc.)
Create a VPN Gateway
1. Search for Virtual Network Gateway
2. Fill out details and create

references:

Create VPN Gateway

How to assign licenses to user or group in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Aug 2024 18:40:00 GMT

Licenses can be applied to security or M365 [[202312242245 Entra ID Groups|groups]]
1. M365 [[202312242245 Entra ID Groups|groups]] must be security enabled

references:

MS Docs

azcopy

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Aug 2024 14:08:00 GMT

Auth

Files - SAS only
Blob- Azure AD and SAS only

references:

Window cluster dns registration issue

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 19 Aug 2024 11:42:00 GMT

Error

Cluster network name resource ‘Cluster Name’ failed registration of one or more associated DNS name(s) for the following reason: DNS bad key.

Cluster object OK. Cluster role also OK. DNS entry not present.

Fix

Checked the NIC. No issues there.
Unchecked register DNS option.
Close the network config.
Go again and recheck it.

references:

Convert cis pdf to csv

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 16 Aug 2024 13:19:00 GMT

The script that work is this: https://github.com/serenedeluge/cis-pdf2csv/tree/main

The pdf needs to be title input.txt. Save pdf as text then rename it as input.txt and voila!

references:

Restore VM from Azure backup

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 13 Aug 2024 16:29:00 GMT

Part of [[202408131927 Azure restore from backup|Restore from backups]]

Restore Options

Create a new VM
Restore disk
1. A template is generated where we can specify VM settings.
  1. Disks are copied to the RG we specify
2. Or, attach the disk to existing VM, or create a new VM using powershell and attach the disk to it.
Replace existing disk on existing VM
1. After replace original disk is retained and can be deleted manually

references:

Restore VM

Azure restore from backup

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 13 Aug 2024 16:27:00 GMT

We can either:
[[202408131919 Restore files from Azure backup|Restore files from Azure backup]]
[[202408131929 Restore VM from Azure backup|Restore VM from Azure backup]]

![[Screenshot 2024-08-13 at 7.21.49 PM.png]]

So, for VMs deployed with the [[202404061212 Azure Resources|Azure Resource Manager]] deployment, for un-encrypted disk, we can:

Restore an entire VM to original or alternate location
Restore disks

references:

About Azure VM restore

Restore files from Azure backup

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 13 Aug 2024 16:19:00 GMT

![[Screenshot 2024-08-13 at 7.21.49 PM.png]]

Process

Specify a recovery point and download the script in [[202312231415 Azure Master|Azure]] portal.
Execute the script.

Requirements for file restore

OS

OS must be matching server or client OS for Windows.
For linux, specific version requirements

references:

Restore files
About Azure VM restore

Download inventory from Ansible Automation Platform

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 13 Aug 2024 11:48:00 GMT

We have to use this api:

/api/v2/inventories/{id}/script/

# Where id is the id of the inventory

references:

Create powershell offline repo

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 12 Aug 2024 13:10:00 GMT

Fastest way to install modules on disconnected servers is [[202210111009 Powershell install modules offline|Install powershell modules]].

A better way is to create an offline repo and use it to install the modules.

There are two types of offline repos:

nuget based
fileshare based

This will details steps for file share based offline repo.

Install powershellget

Save OfflinePowerShellGetDeploy

# Save OfflinePowerShellGetDeploy to system which has internet access

Save-Module -Name OfflinePowerShellGetDeploy -Path C:\Users\845874\Downloads\PowerShellGet
Import-Module C:\Users\845874\Downloads\PowerShellGet\OfflinePowerShellGetDeploy


Save-PowerShellGetForOffline -LocalFolder 'C:\Users\845874\Downloads\PowerShellGet\OfflinePowerShellGet'

Copy this folder to the disconnected system.
Install OfflinePowerShellGetDeploy

Import-Module .\OfflinePowerShellGetDeploy

# Register a file share on my local machine 

$registerPSRepositorySplat = @{ 
	Name = 'LocalPSRepo' 
	SourceLocation = '\\localhost\PSRepoLocal\' 
	ScriptSourceLocation = '\\localhost\PSRepoLocal\' 
	InstallationPolicy = 'Trusted' 
}

Register-PSRepository @registerPSRepositorySplat

references:

Working with local PSRepositories - PowerShell | Microsoft Learn

Increase memory allocated to VMware services

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 12 Aug 2024 10:08:00 GMT

Error

PowerShell gives error when running tag related cmdlets

Get-Tag com.vmware.vapi.std.errors.operation_not_found {'messages': [com.vmware.vapi.std.localizable_message {'id': vapi.method.input.invalid.interface, 'default_message': Cannot find service 'com.vmware.cis.data.svc.resource_model'., 'args': [com.vmware.cis.data.svc.resource_model]}], 'data':}

Fix

# Get the current memory allocation value for the vmware-infraprofile service:
cloudvm-ram-size -l | grep vmware-infraprofile
    
# Increase the memory allocated to the infraprofile service: 
cloudvm-ram-size -C _<newMemValue>_ vmware-infraprofile 
    
# Confirm the new memory allocation value:
cloudvm-ram-size -l | grep vmware-infraprofile
    
# Restart the infraprofile service:
service-control --stop vmware-infraprofile && service-control --start vmware-infraprofile

references:

get-tagassignments and get-spbmstoragepolicy powerCLI commands fail with error com.vmware.vapi.std.errors.unauthenticated (broadcom.com)

Cause

When a client (powercli) makes a call to the vapi-endpoint's introspection service (the com.vmware.vapi.std.introspection.provider vapi service), the vapi-endpoint on its turn makes calls to the introspection service of all the vapi providers behind, including the "infraprofile" vapi provider. We make that call in this release through the sidecar proxy at localhost:1080/infraprofile.

The infraprofile service though is not in a healthy state. In fact it is a zombie because it has failed with an Out Of Memory error earlier and does not respond to the requests.
Manually increasing the heap memory on vCenter Server components in vCenter 6.x / 7.x (broadcom.com)

Create activity log alerts in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 11 Aug 2024 09:55:00 GMT

Alerting can be enabled for:

specific actions (example: vm deleted, adding new rules to users)
service health events

references:

MS Learn

activity log alerts have their own attributes:

Category: Administrative, service health, autoscale, policy, or recommendation

Scope: Resource level, resource group level, or subscription level

Resource group: Where the alert rule is saved

Resource type: Namespace for the target of the alert

Operation name: Operation name

Level: Verbose, informational, warning, error, or critical

Status: Started, failed, or succeeded

Event initiated by: Email address or Microsoft Entra identifier (known as the "caller") for the user

Create a log alert in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 11 Aug 2024 09:49:00 GMT

first define a log search rule
when it evaluates as positive, an alert is triggered
these are stateless, so everytime threshold is breached it will create an alert regardless of whether alert was created already

How to trigger

Number of logs
- When a certain number of logs are generated, trigger an alert
Metric measurement (similar to [[202408111240 Create an Azure metric alert|Create an azure metric alert]])

references:

MS Learn

Log alerts behave in a slightly different way than other alert mechanisms. The first part of a log alert defines the log search rule. The rule defines how often it should run, the time period under evaluation, and the query to be run.
When a log search evaluates as positive, it creates an alert record and triggers any associated actions.

Log search components:

Log query: Query that runs every time the alert rule fires

Time period: Time range for the query

Frequency: How often the query should run

Threshold: Trigger point for an alert to be created

Create an Azure metric alert

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 11 Aug 2024 09:40:00 GMT

az monitor metrics alert create -n "Cpu80PercentAlert" --resource-group "learn-d04808ef-bd4c-4ae1-b331-0aef3cb9b52b" --scopes $VMID --condition "max percentage CPU > 80" --description "Virtual machine is running at or greater than 80% CPU utilization" --evaluation-frequency 1m --window-size 1m --severity 3

references:

MS Docs
MS Docs metric rule

Create metric rule
Add-AzMetricAlertRuleV2
To disable:
Add-AzMetricAlertRuleV2 -DisableRule

To create a log search alert rule using PowerShell, use the New-AzScheduledQueryRule cmdlet.

To create an activity log alert rule using PowerShell, use the New-AzActivityLogAlert cmdlet.

Azure Monitor Alerts

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 11 Aug 2024 09:24:00 GMT

We can use the [[202408041409 Types of monitoring data in Azure|Types of monitoring data in Azure]] collected in [[202404281601 Azure monitoring old|Azure monitoring]] to create alerts.

Three types of data can be used for alerts:

Metrics - [[202408111240 Create an Azure metric alert|Create an azure metric alert]]
Activity logs (When state changes for an [[202404061212 Azure Resources|Azure resource]])
Logs

Alerts are created based on rules.
When an alert is triggered it is in fired state.
When it is fixed, it is in resolved state.

Action groups define what happens after alert is triggered.
once an action group is created it can be added to multiple alerts.
Use alert processing rules to override common behaviours.

Rule components

Resource
Condition
Actions
Alert Details (Including severity)

Limits

Not more than 1 call/sms every five minutes
Not more than 100 emails per hour

references:

MS Learn
MS Learn - action groups

Powershell rename cluster resource

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 08 Aug 2024 12:17:00 GMT

# Get all resources
Get-ClusterResource

Name                                      State  OwnerGroup        ResourceType   
----                                      -----  ----------        ------------   
Cluster Disk 1                            Online Available Storage Physical Disk  
Cluster Disk 2                            Online Cluster Group     Physical Disk  
Cluster IP Address                        Online Cluster Group     IP Address     
Cluster Name                              Online Cluster Group     Network Name   
GxClusPlugIn (OCIWPFSRCL02) (Instance001) Online Cluster Group     Generic Service

# Get resource you want to rename
Get-ClusterResource -Name 'Cluster Disk 2'

Name           State  OwnerGroup    ResourceType 
----           -----  ----------    ------------ 
Cluster Disk 2 Online Cluster Group Physical Disk


# Rename
(Get-ClusterResource -Name 'Cluster Disk 2').Name='Quorum Disk'

references:

PowerShell for Failover Clustering: Let’s Rename a Few Things - Microsoft Community Hub

How to create scale out file server

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 08 Aug 2024 09:35:00 GMT

How to create [[202407161044 Scale out file server|Scale out file server]] on Windows core.

There are 2 ways to do it:

Through admin center, or
Through powershell

# On both nodes install file services and failover clustering
Add-WindowsFeature –name File-Services,Failover-Clustering -IncludeManagementTools
Add-WindowsFeature –name File-Services -IncludeManagementTools

# Test
Test-Cluster –Node 5ociwpfsrap02 , 7ociwpfsrap01 

# Create cluster
New-Cluster –Name JUMPUPDCLUSTER –Node 5ociwpfsrap02 , 7ociwpfsrap01 

# Add csv
Add-ClusterSharedVolume "ClusterDiskUPD"

# Add sofs ensure cluster object has create computer object permission on the ou
Add-ClusterScaleOutFileServerRole -Name JUMPUPD -Cluster JUMPUPDCLUSTER

# Create folder inside csv/shares path
New-Item -Name "JUMPUPD2019" -ItemType Directory

# Setup shares
New-SmbShare -Name "JUMPUPD2019" -Path "C:\ClusterStorage\Volume1\Shares\JUMPUPD2019" -FullAccess OP\GT-5ociwpfsrap02-ADM,OP\GT-7ociwpfsrap01-ADM,GT-JUMPUPD-Full
Set-SmbPathAcl –ShareName JUMPUPD2022

references:

Azure Network Watcher

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 08 Aug 2024 05:00:00 GMT

regional service (1 per region per subscription)
provides tools to do network related troubleshooting

Network Watcher provides three types of tools

Monitoring

Topology

for looking at entire NW config

Connection Monitor

provides end-to-end monitoring between Azure and hybrid endpoints

To start using Connection monitor for monitoring, follow these steps:

Network Diagnostic Tools

IP flow verify

detect traffic filtering issues at a virtual machine level.
tells which [[202404141419 Network Security Groups|NSG]] or rule allowed or denied traffic

NSG diagnostics

detect traffic filtering issues at a [[202404161835 Azure VM Basics|Azure VM]], [[202404181846 Azure VM scale sets|VMSS]], or [[202407271353 Azure Application Gateway|Azure Application Gateway]] level

Next hop

detect routing issues
what is the next hop (type, ip, route-table ID)

Effective security rules

shows [[202404141419 Network Security Groups|NSG]] rules applied at the [[202404121727 Azure VM NIC|VM NIC]]
shows rules applied at the subnet level
and aggregate of the two

Connection troubleshoot

test a connection between a virtual machine, a virtual machine scale set, an application gateway, or a Bastion host and a virtual machine, an FQDN, a URI, or an IPv4 address
similar to connection monitor but this is point in time whereas monitor is over a duration

Packet capture

remotely create packet capture sessions to track traffic to and from a virtual machine (VM) or a virtual machine scale set

VPN troubleshoot

troubleshoot virtual network gateways and their connections

Traffic

Flow Logs

NSG flow logs
- sent to [[202404091847 Azure Storage Overview|Azure storage]] from where it can be exported
VNET flow logs
- log traffic flowing through [[202404121703 Azure VNet|VNet]]
- sent to [[202404091847 Azure Storage Overview|Azure storage]] from where it can be exported

Traffic Analytics

provides rich visualizations of flow logs data

references:

MS Learn
MS Docs - Overview

Azure Log Analytics Workspace

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 07 Aug 2024 05:03:00 GMT

like a container for logs being collected by [[202408070754 Azure Log Analytics|Azure Log Analytics]]
can send logs from [[202404061212 Azure Resources|azure resources]] to one or multiple workspaces.
it does not matter [[202404061212 Azure Resources|resource]] belongs to which region

references:

Azure Log Analytics

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 07 Aug 2024 04:54:00 GMT

a tool in [[202408041224 Azure Monitoring|Azure Monitoring]] to run queries on collected logs
supports KQL
we can get estimation from [[202312231415 Azure Master|Azure]] regarding how long it would take to patch a server from crowd-sourced data.
Implicitly it has scopes:
- like on a vm we can go and check under Logs tag
- on a [[202404051818 Resource Groups|resource group]] we can go and check logs
Explicitly we have scope picker in [[202408070803 Azure Log Analytics Workspace|Azure Log Analytics Workspace]] or under Logs tab under a [[202404061212 Azure Resources|resource]]
We can query across [[202408070803 Azure Log Analytics Workspace|Azure Log Analytics Workspace]]
pricing is pay-as-you-go
Log data is organised in tables

references:

MS Learn
Regions that support

Clear recycle bin for all users

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 05 Aug 2024 08:32:00 GMT

Clear-RecycleBin -DriveLetter C

references:

Clear-RecycleBin (Microsoft.PowerShell.Management) - PowerShell | Microsoft Learn

Types of monitoring data in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 04 Aug 2024 11:09:00 GMT

Basically two types:

Metrics - numeric, point-in-time values
Logs - different data, events, traces, etc

references:

Azure Monitoring

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 04 Aug 2024 09:24:00 GMT

Monitoring is available for all [[202404061212 Azure Resources|azure resources]]
- usually a tab
Monitoring starts whenever a resource is created in a subscription

Components

flowchart LR
	Source --> DataStores --> AzureMonitorInsights

Source

Collection of data across the following tiers:

Application
Guest OS
[[202404061212 Azure Resources|Azure resource]]
[[202401101441 Azure subscriptions|Azure subscription]] (Activity log - stored for 90 days)
Tenant (Services like [[202312231420 Microsoft Entra|Entra]])

Data Stores

Azure Monitor Metrics
Azure Monitor Logs

Azure Monitor Insights

Insights performs different functions with the collected data:

Insights
Visualize
Analyze
Respond
Integrate

references:

MS Learn

Get insights: Access the Azure Application Insights extension to Azure Monitor to use the Application Performance Monitoring (APM) features. You can use APM tools to monitor your application performance and gather trace logging data. Application Insights are available for many Azure services, such as Azure Virtual Machines and Azure Virtual Machine Scale Sets, Azure Container Instances, Azure Cosmos DB, and Azure IoT Edge.

Visualize: Utilize the many options in Azure Monitor for viewing and interpreting your gathered metrics and logs. You can use Power BI with the Azure Workbooks feature of Azure Monitor and access configurable dashboards and views.

Analyze: Work with Azure Monitor Logs (Log Analytics) in the Azure portal to write log queries for your data. You can interactively analyze your log data by using Azure Monitor Metrics and the powerful analysis engine.

Respond: Set up log alert rules in Azure Monitor to receive notifications about your application performance. You can configure the service to take automated action when the results of your queries and alerts match certain conditions or results.

Integrate: Ingest and export log query results from the Azure CLI, Azure PowerShell cmdlets, and various APIs. Set up automated export of your log data to your Azure Storage account or Azure Event Hubs. Build workflows to retrieve your log data and copy to external locations with Azure Logic Apps.

Create VNIC in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 04 Aug 2024 08:16:00 GMT

## Create a network interface for the VM. ##
$nic = @{
    Name = "nic2"
    ResourceGroupName = $RGName
    Location = $Region
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

references:

Create public ip address in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 04 Aug 2024 08:11:00 GMT

$ip = @{
    Name = 'sajal-pip-0'
    ResourceGroupName = $RGName
    Location = $Location
    Sku = 'Standard'
    AllocationMethod = 'Static'
    IpAddressVersion = 'IPv4'
}
New-AzPublicIpAddress @ip

references:

Create backup for VMs

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 02 Aug 2024 15:23:00 GMT

Create Recovery services vault
Create backup policy
Apply the backup policy
Run the backup job

references:

MS Learn

Azure Backup Access Tiers

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 01 Aug 2024 16:14:00 GMT

Access tiers for [[202404071559 Azure Backup|Azure backup]]

Snapshot tier
1. backups stored in customer tenant and RG
2. Faster to restore
Vault-Standard tier
1. backups stored in a MSFT tenant (so more secure)
2. Slower to restore
Archive tier
1. for long term archival

references:

What resources can we backup using Azure Backup

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 01 Aug 2024 16:00:00 GMT

Broadly speaking:
[[202404161835 Azure VM Basics|Azure VM]]/[[202408021823 Create backup for VMs|How to backup azure vm]]
[[202404121254 Azure Managed Disks|Azure Managed Disks]]
[[202406291221 Azure Files|Azure Files]]
[[202404271358 Type of Databases|Azure databases]] (VMs basically not the service)
[[202404201210 Azure Kubernetes Service|AKS]]
[[202404121117 Azure Storage Services#Blob]]

references:

MS Learn

Azure VMs

Azure Managed Disks

Azure Files

SQL Server in Azure VMs

SAP HANA databases in Azure VMs

Azure Database for PostgreSQL servers

Azure Blobs

Azure Database for PostSQL - Flexible servers

Azure Database for MySQL - Flexible servers

Azure Kubernetes cluster

Manage VM Templates in VMware content libraries

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 01 Aug 2024 12:53:00 GMT

After [[202407191233 Create VMware Content Libraries|Create VMware Content Libraries]]

Add template to content library

Right click on VM > Clone > Clone as Template to library
Fill out details. It will be added to content library

Once VM template is added to content library, versioning tab becomes live.

Sync vm templates to subscribed library

Create a subscription for subscribed libraryr

references:

The VM Template as a Content Library Item (vmware.com)

f you convert the VM template in the vCenter Server inventory to a virtual machine, the corresponding VM template library item is also deleted.

If you rename the VM template in the vCenter Server, the corresponding VM template library item is also renamed.

If you rename the VM template library item the associated VM template in the vCenter Server inventory is also renamed.

If you delete the VM template in the vCenter Server inventory, the corresponding VM template library item is also deleted.

If you delete the VM template library item, the associated VM template in the vCenter Server inventory is also deleted.

Windows cluster failed with duplicate IP address detected error

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 01 Aug 2024 12:02:00 GMT

Issue

Windows cluster server name and IP down.
When trying to bring it online, it gives duplicate IP detected error.
Unable to ping or find the duplicate IP from outside
Cluster validation does not give anything error

Cause

When we check ipconfig we found that "Microsoft Failover Cluster Virtual Adapter" has the cluster IP assigned to it in addition to APIPA on both nodes.

Tunnel adapter Local Area Connection* 2:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Microsoft Failover Cluster Virtual Adapter
   Physical Address. . . . . . . . . : 02-74-57-21-0C-CB
   DHCP Enabled. . . . . . . . . . . : No
   Autoconfiguration Enabled . . . . : Yes
   Link-local IPv6 Address . . . . . : fe80::9cf7:8358:14c4:d0cd%2(Preferred)
   IPv4 Address. . . . . . . . . . . : 10.128.100.40(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.240.0
   IPv4 Address. . . . . . . . . . . : 169.254.1.32(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.0.0
   Default Gateway . . . . . . . . . :
   DHCPv6 IAID . . . . . . . . . . . : 50499581
   DHCPv6 Client DUID. . . . . . . . : 00-01-00-01-25-F3-C7-10-FA-16-3E-18-BB-3C
   NetBIOS over Tcpip. . . . . . . . : Enabled

Fix

Remove the cluster IP from the adapter on both the servers


# Get IP Address
Get-NetAdapter -IncludeHidden -Name 'Local Area Connection* 2' | Get-NetIPAddress -IPAddress '10.128.100.40'

# Remove IP address - need to confirm
Get-NetAdapter -IncludeHidden -Name 'Local Area Connection* 2' | Get-NetIPAddress -IPAddress '10.128.100.40' | Remove-NetIPAddress

After removing the IP, bring the cluster online.

references:

Create Azure Load Balancer

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 11:23:00 GMT

Public [[202407271319 Azure Load Balancer|Azure Load Balancer]]

# Vars
$RGName = ''

# create public ip address

$Location = $(Get-AzureRmResourceGroup -ResourceGroupName $RGName).Location

$publicIP = New-AzPublicIpAddress -ResourceGroupName $RGName -Location $Location -AllocationMethod "Static" -Name "myPublicIP"

# create frontend ip
$frontendIP = New-AzLoadBalancerFrontendIpConfig -Name "myFrontEnd" -PublicIpAddress $publicIP

# Create backend pool
$backendPool = New-AzLoadBalancerBackendAddressPoolConfig -Name "myBackEndPool"

# Create health probe
$probe = New-AzLoadBalancerProbeConfig -Name "myHealthProbe" -Protocol http -Port 80 -IntervalInSeconds 5 -ProbeCount 2 -RequestPath "/"


# Create LB rule
$lbrule = New-AzLoadBalancerRuleConfig -Name "myLoadBalancerRule" -FrontendIpConfiguration $frontendIP -BackendAddressPool $backendPool -Protocol Tcp -FrontendPort 80 -BackendPort 80 -Probe $probe

# Create LB
$lb = New-AzLoadBalancer -ResourceGroupName $RGName -Name 'MyLoadBalancer' -Location $Location -FrontendIpConfiguration $frontendIP -BackendAddressPool $backendPool -Probe $probe -LoadBalancingRule $lbrule

Private [[202407271319 Azure Load Balancer|Azure Load Balancer]]

references:

Network Virtual Appliance

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 11:10:00 GMT

An appliance by security vendors (cisco,etc.)
NVA can also be a windows server with required roles and routes defined in it
They [[202404141404 Control traffic flows|control traffic flow]]
Used in conjunction with [[202407281401 User defined routing|Custom routes]]
- so for example, all incoming public traffic goes to a dmz subnet where you have NVA availability set.

references:

Create custom route

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 11:08:00 GMT

Create a [[202407281401 User defined routing|Custom routes]]

# Create route table
az network route-table create --name publictable --resource-group "learn-62c51ac7-09ba-4d9e-a8f2-0b6f4660c3c0" --disable-bgp-route-propagation false

# create custom route
az network route-table route create --route-table-name publictable --resource-group "learn-62c51ac7-09ba-4d9e-a8f2-0b6f4660c3c0" --name productionsubnet --address-prefix 10.0.1.0/24 --next-hop-type VirtualAppliance --next-hop-ip-address 10.0.2.4

# associate subnet with route-table
az network vnet subnet update --name publicsubnet --vnet-name vnet --resource-group "learn-62c51ac7-09ba-4d9e-a8f2-0b6f4660c3c0" --route-table publictable

references:

User defined routing

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 11:01:00 GMT

A way of [[202404131313 Connecting virtual networks|Connecting virtual networks]]

Can be used to over-ride system defaults created in [[202312231415 Azure Master|Azure]]
Next hop can be:
- NVA
- Virtual network gateway
- [[202404121703 Azure VNet|VNet]]
- Internet
- None (To drop packet)

[[202407281408 Create custom route|Create custom route]]

references:

MS Learn

Azure Private IP Address

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 09:28:00 GMT

Ranges

10.0.0.0/8
172.16.0.0/12
192.168.0.0/16

references:

Azure Networking Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Jul 2024 09:23:00 GMT

When compared to on-prem, on [[202312231415 Azure Master|Azure]] there is no hierarchy to network design.
- There are no physical devices
Everything is virtual
- We can slice it into chunks per our needs
There can be no overlap in IP address between on-prem and [[202312231415 Azure Master|Azure]]

references:

MS Learn

In Azure, you'd typically implement a network security group and a firewall. You'd use subnets to isolate front-end services, including web servers and DNS, and back-end services like databases and storage systems. Network security groups filter internal and external traffic at the network layer. A firewall has more extensive capabilities for network-layer filtering and application-layer filtering. By deploying both network security groups and a firewall, you get improved isolation of resources for a secure network architecture.

Azure Application Gateway

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Jul 2024 10:53:00 GMT

When compared to [[202407271319 Azure Load Balancer|Azure Load Balancer]] this uses app layer routing as mentioned in [[202404131219 External Access]]
can add firewall etc

Routing

path based routing : based on url send to different backend servers
Multi-site routing: different web apps on the same [[202407271353 Azure Application Gateway|Azure Application Gateway]]
- example: contoso.com and sajal.net
can redirect traffic
- redirect http traffic to https for example
can rewrite http headers
create custom error messages

Components

front-end ip
- receives the request
- only 1 public and 1 private ip
web application firewall (optional)
- checks for threats based on owasp
listener
- accepts traffics and routes to backend pools based on routing rules
back-end pools
health probes
- response between 200 and 399 considered healthy
- default probe waits for 30 sec

references:

MS Learn

Azure Load Balancer

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Jul 2024 10:19:00 GMT

provides high availability
uses 5-tuple hash by default to forward traffic (source ip/port, destination ip/port, protocol)
frontend connects to LB. LB connects to backend based on rules and health checks.
can be used for inbound or outbound scenarios
[[202407281423 Create Azure Load Balancer|Create Azure Load Balancer]] / needs:
- frontend ip
- backend pool
- health probe
- LB rules

Types

public
internal

Distribution methods

5 tuple hash
source ip affinity
- 2-tuple hash (source ip, destination ip)
- 3-tuple hash (source ip, destination ip, protocol)

SKUs

basic
- open by default
- inbound only
- http/tcp probes
- upto 300 backend pools
- vms in a single availability set or [[202404181846 Azure VM scale sets|VMSS]]
- supports basic [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]]
standard
- closed by default
- inbound/outbound
- http/https/tcp probes
- upto 1000 backend pools
- vms in a [[202404121703 Azure VNet|VNet]]
gateway
- high performance
- with NVAs

Backend pools

Health probes

http probe
- pings every 15 seconds
- http 200 response means healthy within timeout period (default 31 sec)
tcp probe
- creates a tcp session.

LB rules

Stickiness

By default traffic can go to any VM
With persistence we can set which requests go to the same vm:
- none
- client ip
- Client IP and protocol

references:

MS Learn

To implement a load balancer, you configure four components:

Front-end IP configuration

Back-end pools

Health probes

Load-balancing rules

To configure a probe, you specify values for the following settings:

Port: Back-end port

URI: URI for requesting the health status from the backend

Interval: Amount of time between probe attempts (default is 15 seconds)

Unhealthy threshold: Number of failures that must occur for the instance to be considered unhealthy

MS Learn

Create Azure DNS zone and records

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Jul 2024 09:15:00 GMT

[[202404141450 Azure DNS|Azure DNS]]

# Create a public zone
New-AzDNSZone



# Create a private zone
$RGName = 'user-hnbymdftfrzr'
$Zone = New-AzPrivateDnsZone -Name "sajalkc.net" -ResourceGroupName $RGName

references:

Command ref
MS Docs - Public Zone
MS Docs- Private Zone

Public IP address allows inbound access based on tier in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Jul 2024 08:43:00 GMT

Public IP address in Azure have 2 SKUs:

Standard
Basic (will be retired in 2025)

Standard SKU is secure by default, does not allow any inbound traffic.
Basic allows traffic by default. [[202404141419 Network Security Groups|NSGs]] can be used to control access.

If we do not specify SKU, Public IP takes Basic SKU.

Faced this issue when doing the exercise for network routing.

Bicep

Name	Description	Value
name	Name of a public IP address SKU.	'Basic' 'Standard'
tier	Tier of a public IP address SKU.	'Global' 'Regional'

sku: { name: 'string' tier: 'string' }

[[202408041111 Create public ip address in Azure|Create public ip address in Azure]]

references:

MS Docs
Bicep docs

Cluster validation causes alerts

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 24 Jul 2024 10:57:00 GMT

Windows creates account clitest2 during cluster validation.
SoC might get alerts about this.

references:

Cluster validation account causes events or messages - Windows Server | Microsoft Learn

Bicep dependencies

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Jul 2024 12:12:00 GMT

implicit
Explicit

Explicit definition

Using dependsOn

dependsOn: [ dnsZone ]

references:

MS Docs

Bicep functions

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Jul 2024 11:33:00 GMT

Get ID of resources

ResourceID to get ID of Resources.
To get subnetid:

resourceId('Microsoft.Network/virtualNetworks/subnets/', virtualNetworkName, subnetName)

references:

MS Docs

Bicep loops

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:39:00 GMT

for keyword to create a loop
can loop based on:
- array [[202407191859 Bicep parameters|Bicep parameters]]
- based on number

for i in range(1,4)

Access the iteration index

name: 'sqlserver-${i+1}'

Filter items with loops
- using : and if

for sqlServer in sqlServerDetails: if (sqlServer.environmentName == 'Production')

Use nested loop, for example for creating subnets in a vnet
We can create [[202407191900 Bicep variables|Bicep variables]] loops
can also create output loops

Example

param storageAccountNames array = [
  'saauditus'
  'saauditeurope'
  'saauditapac'
]

resource storageAccountResources 'Microsoft.Storage/storageAccounts@2021-09-01' = [for storageAccountName in storageAccountNames: {
  name: storageAccountName
  location: resourceGroup().location
  kind: 'StorageV2'
  sku: {
    name: 'Standard_LRS'
  }
}]

references:

MS Learn
MS Docs

Bicep conditionals

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:32:00 GMT

if keyword
- define a bool param and if needed, then only deploy the resource
check using operators
- ==
- better to create a [[202407191900 Bicep variables|Bicep variables]] for the evaluation

Example

[[202404061212 Azure Resources|ARM]] evaluates the property expressions before the conditionals on the resources.

resource auditingSettings 'Microsoft.Sql/servers/auditingSettings@2021-11-01-preview' = if (auditingEnabled) {
  parent: server
  name: 'default'
  properties: {
    state: 'Enabled'
    storageEndpoint: environmentName == 'Production' ? auditStorageAccount.properties.primaryEndpoints.blob : ''
    storageAccountAccessKey: environmentName == 'Production' ? listKeys(auditStorageAccount.id, auditStorageAccount.apiVersion).keys[0].value : ''
  }
}

references:

MS Learn

Use Azure Key Vault with bicep

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:25:00 GMT

In [[202407191915 Bicep parameter files|parameter file]]

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "sqlServerAdministratorLogin": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/f0750bbe-ea75-4ae5-b24d-a92ca601da2c/resourceGroups/PlatformResources/providers/Microsoft.KeyVault/vaults/toysecrets"
        },
        "secretName": "sqlAdminLogin"
      }
    },
    "sqlServerAdministratorPassword": {
      "reference": {
        "keyVault": {
          "id": "/subscriptions/f0750bbe-ea75-4ae5-b24d-a92ca601da2c/resourceGroups/PlatformResources/providers/Microsoft.KeyVault/vaults/toysecrets"
        },
        "secretName": "sqlAdminLoginPassword"
      }
    }
  }
}

For module

resource keyVault 'Microsoft.KeyVault/vaults@2022-07-01' existing = {
  name: keyVaultName
}

module applicationModule 'application.bicep' = {
  name: 'application-module'
  params: {
    apiKey: keyVault.getSecret('ApiKey')
  }
}
# existing keyword tells it not to deploy as it exists already

references:

MS LEarn

Azure Key Vault

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:23:00 GMT

references:

Bicep parameter files

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:15:00 GMT

created in json
specify all [[202407191859 Bicep parameters|Bicep parameters]] values in one go
good idea to include the name of the environment in the name of the [[202407191915 Bicep parameter files|parameter file]]

How to use

New-AzResourceGroupDeployment -TemplateFile main.bicep -TemplateParameterFile main.parameters.json

Example

{
  "$schema": "https://schema.management.azure.com/schemas/2019-04-01/deploymentParameters.json#",
  "contentVersion": "1.0.0.0",
  "parameters": {
    "appServicePlanInstanceCount": {
      "value": 3
    },
    "appServicePlanSku": {
      "value": {
        "name": "P1v3",
        "tier": "PremiumV3"
      }
    },
    "cosmosDBAccountLocations": {
      "value": [
        {
          "locationName": "australiaeast"
        },
        {
          "locationName": "southcentralus"
        },
        {
          "locationName": "westeurope"
        }
      ]
    }
  }
}

references:

MS Learn

Bicep variables

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 16:00:00 GMT

var Identifier =

# Examples
var appServicePlanName = 'toy-product-launch-plan'

variable loops which can then be used later in the template

var items = [for i in range(1, 5): 'item${i}']

references:

Bicep parameters

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 15:59:00 GMT

auto-complete for resources in vs code
Parameters can be added with param block
- Decorators can be added with @ (Things like min/max length)
  - @allowed
  - description can also be added
  - @secure - for passwords/secure strings, etc
    - Don't use [[202407191915 Bicep parameter files|Parameter files]] for secrets
    - use [[202407191923 Azure Key Vault|Azure key vault]]
Implicit dependency between resources by using the id of a resource created earlier, example id of [[202404201400 Azure App service#App service plan]] when defining [[202404201400 Azure App service|app service]]
output keyword to send output
param types : string, int, bool, object and array
3 ways to define parameters (in order of priority least->most)
- default
- [[202407191915 Bicep parameter files|parameter file]]
- command-line

param Identifier Type = DefaultValue

# Examples
param appServiceAppName string
param appServiceAppName string = 'toy-product-launch-1'

@allowed([
  'nonprod'
  'prod'
])
param environmentType string

## Based on the above, create a var which will set sku based on environment
# ? is if else , true then first things, false then after : thing
var storageAccountSkuName = (environmentType == 'prod') ? 'Standard_GRS' : 'Standard_LRS'
var appServicePlanSkuName = (environmentType == 'prod') ? 'P2V3' : 'F1'

Expressions

When writing templates we don't want to hard-code anything. So use expressions.

# Example
param location string = resourceGroup().location

# Another Example
param storageAccountName string = uniqueString(resourceGroup().id)

Unique string will give unique string but it will not be so readable. So string extrapolation.


param storageAccountName string = 'toylaunch${uniqueString(resourceGroup().id)}'

Objects

create an object type param to specify structured data together

param appServicePlanSku object = {
  name: 'F1'
  tier: 'Free'
  capacity: 1
}

can be used in dot notations

resource appServicePlan 'Microsoft.Web/serverfarms@2022-03-01' = {
  name: appServicePlanName
  location: location
  sku: {
    name: appServicePlanSku.name
    tier: appServicePlanSku.tier
    capacity: appServicePlanSku.capacity
  }
}

Useful for specifying tags

Array

list of things. strings, or objects

# List of objects
param cosmosDBAccountLocations array = [
  {
    locationName: 'australiaeast'
  }
  {
    locationName: 'southcentralus'
  }
  {
    locationName: 'westeurope'
  }
]

references:

Bicep Modules

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Jul 2024 15:32:00 GMT

Use the module keyword to reference a module file

module Identifier Path = {
	name:
}

Specify parameters with param keyword
purpose should be clear
can include different types of resources
should not output secrets
use visualizer in VSC to see how it can be broken down into modules

references:

Storage Spaces

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 17 Jul 2024 11:35:00 GMT

Limitations

not as boot or system volumes
all drives in pool must use same [[202407161309 Sector and allocation units|Sector size]]
FC and iscsi not supported
Failover clusters limited to SAS

references:

List the functionalities, benefits, and use cases of Storage Spaces - Training | Microsoft Learn

Storage layers that abstract the physical disks aren't compatible with Storage Spaces, including:

Pass-through disks in a virtual machine (VM).

Storage subsystems deployed in a separate RAID layer.

Fault tolerance and storage efficiency on Azure Stack HCI and Windows Server clusters - Azure Stack HCI | Microsoft Learn

Deep Dive: The Storage Pool in Storage Spaces Direct - Microsoft Community Hub

Storage Spaces Direct automatically creates one storage pool, which grows as your deployment grows. You do not need to modify its settings, add or remove drives from the pool, nor create new pools.

Storage Spaces does not keep whole copies of volumes – rather, it divides them into tiny 'slabs' which are distributed evenly across all drives in all servers. This has some practical consequences. For example, using two-way mirroring with three servers does not leave one server empty. Likewise, when drives fail, all volumes are affected for the very short time it takes to repair them.

Leaving some unallocated 'reserve' capacity in the pool allows this fast, non-invasive, parallel repair to happen even before you replace the drive.

The storage pool is 're-balanced' whenever new drives are added, such as on scale-out or after replacement, to equilibrate how much data every drive is storing. This ensures all drives and all servers are always equally "full".

Storage Spaces Direct Calculator (s2dcalc.blob.core.windows.net)

Types of operations in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 16 Jul 2024 18:20:00 GMT

These are used elsewhere like in [[202404051739 Governance Overview|azure governance]]
- So in [[202404061249 Azure RBAC|RBAC]] what [[202404061316 Azure Roles|azure roles]] apply to which plane - control or data
- Someone might not have access to manage a VM, but they might have access to login to the OS

Control Plane

To manage resource in [[202312231415 Azure Master|Azure]]
In [[202406151100 How to interact with Azure|How to interact with Azure]], everything goes through [[202404061212 Azure Resources|ARM]]
- All requests go to a resource manager url
- ARM knows what exists and what does not exist and does not create duplicate resources

Data Plane

To access features exposed by the [[202404061212 Azure Resources|resource]]
Requests go to specific endpoint for the Azure [[202404061212 Azure Resources|resource]]

references:

Learn - ARM

Sector and allocation units

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 16 Jul 2024 10:09:00 GMT

Sector

Minimum amount of data that can be read or written to HD
Traditionally 512Bytes, now different options are there
Optimal sector size should be used
- example if database that writes 8,192-byte records, then sector size should be configured as 8KB, so that complete entries are written in one allocation unit
- If size is 4 KB then record gets split

references:

Windows file systems

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 16 Jul 2024 09:59:00 GMT

FAT

FAT not larger than 4GB
FAT32 not larger than 64GB
exFAT for removable drives

NTFS

supports ACL, encryption, etc.
Formatting:
- MBR (upto 2TB)
- GPT

ReFS

Introduced with Server 2012
Has enhanced resiliency to data corruption
Not feature-parity with NTFS
Not suitable for boot volumes and removable media

references:

Powershell get ad group details

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 16 Jul 2024 08:52:00 GMT

Get-ADGroup -Filter * -SearchBase 'OU=Finland,DC=fi,DC=tcsecp,DC=com' -Properties * | select Name, Description, @{Name='MemberCount';Expression={$_.Members.Count}} | Export-Csv -Path 'C:\Users\845874.adm.FI\Desktop\test.csv' -NoClobber -NoTypeInformation -Force

references:

Create VNet Peering in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 15 Jul 2024 16:43:00 GMT

After [[202407141408 Create VNet in Azure|Create VNet in Azure]]

We can create [[202407151908 VNet Peering|VNet Peering]] between the two using [[202207181612 Powershell|Powershell]] : Add-AzVirtualNetworkPeering

# Variables
$VNet1 = 'sajalvnet-0'
$VNet2 = 'sajalvnet-1'
$VNet3 = 'sajalvnet-2'
$RG = 'user-kmgvzllojmll'

# Get VNets
$AZVNet1 = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VNET1
$AZVNet2 = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VNET2
$AZVNet3 = Get-AzVirtualNetwork -ResourceGroupName $RG -Name $VNET3

# Add peering
Add-AzVirtualNetworkPeering -Name 'LocalPeering' -VirtualNetwork $AZVNet1 -RemoteVirtualNetworkId $AZVNet2.id
Add-AzVirtualNetworkPeering -Name 'LocalPeering' -VirtualNetwork $AZVNet2 -RemoteVirtualNetworkId $AZVNet1.id


# Add regional
Add-AzVirtualNetworkPeering -Name 'VNet1ToVNet3' -VirtualNetwork $AZVNet1 -RemoteVirtualNetworkId $AZVNet3.id
Add-AzVirtualNetworkPeering -Name 'VNet3ToVnet1' -VirtualNetwork $AZVNet3 -RemoteVirtualNetworkId $AZVNet1.id

references:

Azure VPN

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 15 Jul 2024 16:13:00 GMT

IP Sec tunnel
Encrypted
Not preferred as traffic goes through the internet
[[202408241243 How to create a VPN Gateway|How to create a VPN Gateway]]
- [[202408241255 How to create P2S VPN|P2S VPN]]
- [[202408241251 How to create S2S VPN|S2S VPN]]
If any [[202404121703 Azure VNet|VNet]] changes, for example new [[202407151908 VNet Peering|VNet Peering]] etc, need to reinstall VPN client with new config downloaded from [[202312231415 Azure Master|Azure]]

Types

P2S VPN - Connects a specific device to a virtual network
S2S VPN - Connects a network to a virtual network
S2S VPN gateways enable multiple VPN connections to different networks if route not policy based

High availability scenarios

Active/Standby
1. Default
2. Automatic failover in case of issues or planned maintenance
Active/Active
1. Get 2 [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]]
2. Uses BGP routing
[[202404141339 Azure ExpressRoute|Express Route]] failover
1. Gateway as secure failover for [[202404141339 Azure ExpressRoute|Express Route]]
Zone-redundant gateways
1. [[202407151913 Azure VPN|Azure VPN]] and [[202404141339 Azure ExpressRoute|Express Route]] as zone-redundant deployments, where supported

references:

MS Learn
MS Docs
P2S VPN
S2S VPN
High availability scenarios for VPN

VNet Peering

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 15 Jul 2024 16:08:00 GMT

One of the options for [[202404131313 Connecting virtual networks|Connecting virtual networks]] / the best option
Peered traffic goes on Azure Backbone network and is private
When Networks are peered, we can use [[202407151913 Azure VPN|Azure VPN Gateway]] in the peered network for [[202404131337 Connecting to Onprem|Connecting to Onprem]]
- Gateway transit makes it so, that I don't have to setup a [[202407151913 Azure VPN|Azure VPN Gateway]] in the peer [[202404121703 Azure VNet|VNet]]
[[202407151943 Create VNet Peering in Azure|Create VNet Peering in Azure]]
- When creating [[202407151908 VNet Peering|VNet Peering]] with az cli or [[202207181612 Powershell|Powershell]] only one side of peering gets created. We need to create both sides.
Typical topology is hub and spoke
- VNET2 below is hub
- Typically you will put the [[202407151913 Azure VPN|Azure VPN Gateway]] in this hub network and let other networks use it. Same for other things like NVAs
Not transitive i.e. VNET1 can not talk to VNET3 / Need to create peering relationship between them
- Without peering, I could add Azure Firewall or Network virtual appliance in Hub network (VNET2) and tell:
  - VNET3 if you want to talk to VNET1, next hop is IP of that forwarder
  - VNET1 if you want to talke to VNET3, next hop is IP of that forwarder
- This above thing is UDR (User defined routing)
If we add a new ip address space to one vnet, we just need to sync peering not re-create peering or anything

flowchart LR
VNET1 --> |Peer| VNET2 --> |Peer| VNET3
VNET1 --- |NotTransitive|VNET3

Types

global ([[202404121703 Azure VNet|VNet]] in different regions)
regional ([[202404121703 Azure VNet|VNet]] in same region)

references:

MS Learn

To enable gateway transit, configure the Allow gateway transit option in the hub virtual network where you deployed the gateway connection to your on-premises network. Also configure the Use remote gateways option in any spoke virtual networks.

Add rules to NSG in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 11:33:00 GMT

In continuation to [[202407141419 Create NSG in Azure|Create NSG in Azure]] about adding rules to [[202404141419 Network Security Groups|NSG]]


# Variables
$RGName = "user-fiahxmxusscf"
$Region = "eastus"
$port=3389 
$rulename="Allow-RDP" 
$nsgname="sf-vnet-security"
$NICName = "nic2"

# Get the NSG resource 
$nsg = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGname 

# Add the inbound security rule. 
$nsg | Add-AzNetworkSecurityRuleConfig -Name $rulename -Description "Allow RDP" -Access Allow ` -Protocol * -Direction Inbound -Priority 3891 -SourceAddressPrefix "*" -SourcePortRange * ` -DestinationAddressPrefix * -DestinationPortRange $port

# Update the NSG. 
$nsg | Set-AzNetworkSecurityGroup

references:

Create NSG in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 11:19:00 GMT


# Variables
$RGName = "user-fiahxmxusscf"
$Region = "eastus"
$port=8081 
$rulename="allowAppPort$port" 
$nsgname="sf-vnet-security"
$NICName = "nic2"


# Create NSG
New-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGName  -Location $Region

# Attach NSG to VM NIC
## Get NIC
$VMNIC = Get-AzNetworkInterface -Name $NICName -ResourceGroupName $RGName

## Get NSG
$NSG = Get-AzNetworkSecurityGroup -Name $nsgname -ResourceGroupName $RGName

##Attach NSG
$VMNIC.NetworkSecurityGroup = $NSG

## Set NIC
$VMNIC | Set-AzNetworkInterface

references:

Create VM in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 11:12:00 GMT

Resources

A [[202404051818 Resource Groups|resource group]]
A [[202404121703 Azure VNet|VNet]] in the [[202404051818 Resource Groups|resource group]]
A [[202404121727 Azure VM NIC|VM NIC]] in the [[202404121703 Azure VNet|VNet]]
Public IP (Needs to be added in nic resource in bicep)

VM Config

VM Size
VM Image
Admin credential

az vm create --resource-group "learn-c165c4fd-2e56-45a2-ace8-195a1095e650" --no-wait --name ResearchVM --location westeurope --vnet-name ResearchVNet --subnet Data --image Ubuntu2204 --admin-username azureuser --admin-password <password>

# Variabels
$RGName = "user-fiahxmxusscf"
$Region = "eastus"
$VMName = "vm1"

# Set the administrator and password for the VM. ##
$cred = Get-Credential

## Place the virtual network into a variable. ##
$vnet = Get-AzVirtualNetwork -Name 'vnet1' -ResourceGroupName $RGName

## Create a network interface for the VM. ##
$nic = @{
    Name = "nic2"
    ResourceGroupName = $RGName
    Location = $Region
    Subnet = $vnet.Subnets[0]
}
$nicVM = New-AzNetworkInterface @nic

## Create a virtual machine configuration. ##
$vmsz = @{
    VMName = $VMName
    VMSize = 'Standard_DS1_v2'  
}
$vmos = @{
    ComputerName = $VMName
    Credential = $cred
}
$vmimage = @{
    PublisherName = 'MicrosoftWindowsServer'
    Offer = 'windowsserver'
    Skus = '2022-datacenter-azure-edition'
    Version = 'latest'    
}
$vmConfig = New-AzVMConfig @vmsz | Set-AzVMOperatingSystem @vmos -Windows | Set-AzVMSourceImage @vmimage | Add-AzVMNetworkInterface -Id $nicVM.Id

## Create the VM. ##
$vm = @{
    ResourceGroupName = $RGName
    Location = $Region
    VM = $vmConfig
}
New-AzVM @vm

references:

Create VNet in Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 11:08:00 GMT

Create [[202404121703 Azure VNet|VNet]] in [[202312231415 Azure Master|Azure]]

# Variables
$VNetName = 'vnet1'
$VNetRange = '10.0.0.0/24'
$RGName = 'user-fiahxmxusscf'
$Location = 'eastus'
$SubnetName = 'default'
$SubnetRange = '10.1.0.0/22'


# Create vnet
$vnet = @{
    Name = $VNetName
    ResourceGroupName = $RGName
    Location = $Location
    AddressPrefix = $VNetRange
}
$virtualNetwork = New-AzVirtualNetwork @vnet

# Add subnet
$subnet = @{
    Name = $SubNetName
    VirtualNetwork = $virtualNetwork
    AddressPrefix = $SubnetRange
}
$subnetConfig = Add-AzVirtualNetworkSubnetConfig @subnet

# Set vnet
$virtualNetwork | Set-AzVirtualNetwork

references:

Application Security Groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 11:03:00 GMT

ASGs allow VMs to be grouped together based on application role
This allows to architect network around app architecture
[[202407141403 Application Security Groups|ASG]] can be added as source or destination in [[202404141419 Network Security Groups|NSG]]
- [[202407141403 Application Security Groups|ASG]] on its own is nothing, just a grouping it needs to be added via [[202404141419 Network Security Groups|NSG]]

references:

Get Azure VM Images

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Jul 2024 10:33:00 GMT


# Get Offers
Get-AzVMImageOffer -Location "East Us" -PublisherName "MicrosoftWindowsServer"

# Get SKus
Get-AzVMImageSku -Location "East Us" -PublisherName "MicrosoftWindowsServer" -Offer "windowsserver"

# Get VM Image
Get-AzVMImage -Location "East Us" -PublisherName "MicrosoftWindowsServer" -Offer "windowsserver" -Skus "2022-datacenter-azure-edition"

references:

Azure custom script extension

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Jul 2024 14:45:00 GMT

downloads and runs a script on an [[202404161835 Azure VM Basics|Azure VM]]

references:

VMware disable warning for esxi ssh service

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Jul 2024 11:03:00 GMT

UserVars > UserVars.SuppressShellWarning.
Set value from 0 to 1.

references:

Cluster warning for ESXi Shell and SSH appear on an ESXi 5.x and 6.x host (broadcom.com)

VMware set SSH service

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Jul 2024 10:40:00 GMT

# Start service
get-vmhost hostname | get-vmhostservice | where-object {$_.key -eq "TSM-SSH"} | start-vmhostservice -confirm:$false

# Stop service
get-vmhost hostname | get-vmhostservice | where-object {$_.key -eq "TSM-SSH"} | start-vmhostservice -confirm:$false

# Set startup policy
# Automatic = Start automatically if any ports are open, and stop when all ports are closed
# On = Start and stop with host
# Off = Start and stop manually
get-vmhost hostname | get-vmhostservice | where-object {$_.key -eq "TSM-SSH"} | set-vmhostservice -policy "On"

references:

Manage ESXi SSH Using PowerCLI - Cloudy Future

Update

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Jul 2024 11:42:00 GMT

Registry:

Get-Item 'HKLM:\Software\Microsoft\Windows Nt\CurrentVersion\Winlogon'

cachedlogonscount            : 4

Set the following GPO

references:

Interactive logon Number of previous logons to cache (in case domain controller is not available) - Windows 10 | Microsoft Learn

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options

Powershell get certs on system

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Jul 2024 13:31:00 GMT

PS C:\Users\845874.adm> Get-ChildItem Cert:\ -Recurse | Where-Object { $_.PSIsContainer -eq $false} | Where-Object { $_.Subject -like "*solar*"}

references:

PowerTip: Get all your local certificates by using PowerShell - Scripting Blog [archived] (microsoft.com)

Disable autoplay for all devices

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Jul 2024 11:58:00 GMT

Registry

Registry Hive: HKEY_LOCAL_MACHINE
Registry Path: \SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\

Value Name: NoDriveTypeAutoRun

Value Type: REG_DWORD
Value: 0x000000ff (255)

GPO

Computer Configuration >> Administrative Templates >> Windows Components >> AutoPlay Policies >> "Turn off AutoPlay" to "Enabled:All Drives".

references:

Autoplay must be disabled for all drives. (stigviewer.com)

Run powershell command as scheduled task

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Jul 2024 09:01:00 GMT

Define action as:

# Action as:
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

# Arguments as : -Command &{} 
-command &{get-process >> c:\fso\ServiceProcessBios.txt; get-service | where{$_.Status -eq ‘Running’} >> c:\fso\ServiceProcessBios.txt; Get-WmiObject Win32_bios >> c:\fso\ServiceProcessBios.txt}

references:

Use Scheduled Tasks to Run PowerShell Commands on Windows - Scripting Blog [archived] (microsoft.com)

Remove child items skipping one

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Jul 2024 08:59:00 GMT


Get-ChildItem -Path "C:\Windows\System32\winevt\Logs\*" -File -Include Archive-Sec* | Sort-Object LastWriteTime -Descending | Select-Object -Skip 1 | Remove-Item -Force

references:

Set advanced setting vmware

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 05 Jul 2024 12:34:00 GMT

.Set-AdvancedSetting can be used to set it.

Get-AdvancedSetting -Entity (Get-Cluster -Name Cluster) -Name SettingName | Set-AdvancedSetting -Value NewValue

Set-VmHostAdvancedConfiguration

Obsolete:

references:

Set-AdvancedSetting Command | Vmware PowerCLI Reference (broadcom.com)

Enable or disable lockdown mode on vcenter

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 05 Jul 2024 07:22:00 GMT

#To enable Lockdown mode using PowerCLI, run this command:  
 
(get-vmhost <hostname> | get-view).EnterLockdownMode() | get-vmhost | select Name,@{N="LockDown";E={$_.Extensiondata.Config.adminDisabled}} | ft -auto

  
#To disable Lockdown mode, run this command:  
  
(get-vmhost _<hostname>_ | get-view).ExitLockdownMode()  
  
#To batch modify Lockdown mode using PowerCLI, save this text in a *.PS1 file and run with PowerCLI:

$vCenter = '_vCenterServer_Name_or_IP_address_'

Connect-VIServer $vCenter

$Scope = Get-VMHost #This will change the Lockdown Mode on all hosts managed by vCenter

foreach ($ESXhost in $Scope) {

(get-vmhost $ESXhost | get-view).ExitLockdownMode() # To DISABLE Lockdown Mode

#(get-vmhost $ESXhost | get-view).EnterLockdownMode() # To ENABLE Lockdown Mode

}

Disconnect-VIServer -Server $vCenter -Confirm:$false

references:

Enabling or disabling Lockdown mode on an ESXi host (broadcom.com)

Replace CNO for cluster

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 03 Jul 2024 13:20:00 GMT

Issue

CNO which was created was deleted on AD side, and new computer object was created.
Cluster validation fails with "Unable to find computer object"

Fix

Create a new computer node. Ignore if CNO already exists.
Get objectGUID attribute in hexadecimal. Remove spaces and convert in lower case.
On the cluster nodes, use Regedit and view HKLM\Cluster and identify the value of ClusterNameResource. It will be a long ugly number and is the Cluster Name Resource GUID.
Go to HKLM\Cluster\Resources\ClusterNameResourceGUID\Parameters
Edit the ObjectGUID key and replace the value with the value you copied in step 3. This tells the cluster to use the new CNO.
Edit on all nodes.
Try cluster repair.

references:

Field Notes of a Computer Geek: Replace Missing Cluster Name Object for DAG (byronwright.blogspot.com)

Azure Import Export

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 29 Jun 2024 11:58:00 GMT

To import/export large amount of data to and from Azure using physically shipping drives etc
- Recommendation to use Azure Data Box to import to Azure
WAImportExport tool prepares drive to write data to
- formats, checks for errors, encrypts disk
- creates journal file
- V1 - for blob
- V2 - for [[202406291221 Azure Files|Azure Files]]

references:

MS Learn
https://learn.microsoft.com/en-us/azure/import-export/storage-import-export-service
Import data to Azure Files

Modify the dataset.csv file in the root folder where the tool is. Depending on whether you want to import a file or folder or both, add entries in the dataset.csv file
Modify the driveset.csv file in the root folder where the tool is. Add entries in the driveset.csv file similar to the following examples. The driveset file has the list of disks and corresponding drive letters so that the tool can correctly pick the list of disks to be prepared.

Migrating between redundancy types in Azure Storage

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 29 Jun 2024 11:41:00 GMT

Related to [[202404091908 Azure Storage Redundancy]]

Switching From	...to LRS	...to GRS/RA-GRS	...to ZRS	...to GZRS/RA-GZRS
LRS	N/A	Use Azure portal, PowerShell, or CLI to change the replication setting	Perform a manual migration OR Request a live migration	Perform a manual migration OR Switch to GRS/RA-GRS first and then request a live migration
GRS/RA-GRS	Use Azure portal, PowerShell, or CLI to change the replication setting	N/A	Perform a manual migration OR Switch to LRS first and then request a live migration	Perform a manual migration OR Request a live migration
ZRS	Perform a manual migration	Perform a manual migration	N/A	Use Azure portal, Power Shell, or CLI to change the replication setting
GZRS/RA-GZRS	Perform a manual migration	Perform a manual migration	Use Azure portal, Power Shell, or CLI to change the replication setting	N/A

references:

Azure Files

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 29 Jun 2024 09:21:00 GMT

Type of [[202404121117 Azure Storage Services|Azure storage service]].

Using NFS/SMB
Simultaneously mount to cloud or on-prem
Can be used for storing:
- Config files
- Logs/metrics
- Tools/utilities
Files are true directory objects
[[202404121239 Azure File Sync|Azure File Sync]] in case we have on-prem Fileservers and want to cache content on-prem for faster access

Types

Premium (SMB/REST/NFS)
Standard (SMB/REST)
Can't go from premium to standard

Access Tiers

Can switch between the tiers

Standard
1. Transaction Optimized
2. Hot
3. Cool
Premium
1. Premium

Snapshots

On File Share level
Incremental
Need only the latest copy for restore
If you delete a file share, all snapshots are gone as well

Soft delete

Not for NFS
retention between 1 and 365 days after deletion
At [[202404091859 Azure Storage Account|Azure storage account]] level

references:

VMware not possible to forward only auth logs to splunk

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 27 Jun 2024 10:02:00 GMT

We can either forward all logs to splunk. Or no logs.

references:

Configuring syslog on ESXi (broadcom.com)

Convert etl to pcap packet capture

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 24 Jun 2024 10:08:00 GMT

Use the ETL2PCAPNG tool.

Github repo

Etl2pcapng.exe file.etl newfile.pcapng

references:

Converting ETL Files to PCAP Files - Microsoft Community Hub

Create windows firewall with gpo

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 20 Jun 2024 13:11:00 GMT

Configure firewall service

Computer Configuration > Policies > Windows Settings > Security Settings > System Services. Find Windows Firewall in the list of services and change the startup type to Automatic (Define this policy setting -> Service startup mode Automatic).
Computer Configuration > Policies > Administrative Templates > Network > Network Connections > Windows Defender > Firewall > Domain Profile and enable the policy Windows Defender Firewall: Protect all network connections.
Computer Configuration > Windows Settings > Security Settings section. Right-click Windows Firewall with Advanced Security and open the properties. Make sure to enable the Firewall State to On(Recommended) on each of the profiles you will be using (enabling on all is best practice).

Configure firewall rules

Computer Configuration > Policies > Windows Settings > Security Settings > Windows Firewall with Advanced Security.

You can use custom to specify port and remote address and app as well.

We need the following information:

Remote Address,App,Protocol,Port,Purpose

App can be any (basically .exe path needs to be provided)

references:

How To Manage Windows Firewall with GPOs | Blumira

Difference between Entra ID and ADDS

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 15 Jun 2024 14:43:00 GMT

Property	ADDS	Entra
Structure	hierarchical: OUs, GPOs.	flat
Computer objects	Has	Does not have
Query/Manage	LDAP	REST over HTTP/HTTPS
Protocol	Kerberos	HTTP and HTTPS protocols such as SAML, WS-Federation, and OpenID Connect for authentication, and uses OAuth for authorization
Federation	Trusts for delegation	Can be Federated with 3rd parties

references:

MS Learn

ARM Bicep

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 15 Jun 2024 09:19:00 GMT

[[202405011242 ARM template|ARM JSON]] is complex
Bicep abstracts away this JSON so that it is simpler to define what we want.
Bicep is domain specific language, so can only be used to create [[202405011242 ARM template|ARM template]]
There is no state management, [[202404061212 Azure Resources|ARM]] knows what resources are present
Might not be useful in multi-cloud setups or if we have a different tool already, like [[202407162143 Terraform|Terraform]]
By default [[202404061212 Azure Resources|resources]] are deployed in parallel
- we can control this by using @batchSize

# Convert to json
bicep compile

# Convert from json
bicep decompile

How to install

# Add the tap for bicep 
brew tap azure/bicep 

# Install the tool 
brew install bicep

Also add to VSCode from extensions

How to deploy

# deploy resource

az deployment group create --template-file main.bicep --resource-group storage-resource-group

New-AzResourceGroupDeployment -TemplateFile main.bicep -ResourceGroupName zyz

Use VS Code extension to simplify development

[[202407191859 Bicep parameters|Bicep parameters]]
[[202407191925 Use Azure Key Vault with bicep|Use Azure Key Vault with bicep]]
[[202407191900 Bicep variables|Bicep variables]]
[[202407191832 Bicep Modules|Bicep Modules]]
[[202407191939 Bicep loops|Bicep loops]]
[[202407191932 Bicep conditionals|Bicep conditionals]]

references:

MS Learn for Bicep
Learn module
MS Learn syntax

Azure Resource Graph

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 15 Jun 2024 08:33:00 GMT

Querying [[202404061212 Azure Resources|ARM]] can be slow and expensive. There is a quota. So we use [[202406151133 Azure Resource Graph|Azure Resource Graph]]
- 12000 per hour
Provides a Read only database
- periodically does a full scan and overwrites as needed
- also gets notified in case of changes. allows for change tracking.
- is up-to-date
Use KQL to find info from [[202406151133 Azure Resource Graph|Azure Resource Graph]]
Also has quota but it resets very fast
- 15, resets every 5 seconds

references:

VMware find out when vmotion happened

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 13 Jun 2024 11:58:00 GMT

Go to VM logs. This is where VM folder is created. You can check on vmware console and then find the datastore where vmware.log file is present. Usually there will be older archives also.
Login to esxi.
Go to appropriate datastore.

cd /vmfs/volumes/

# Then go to specific datastore, and vm
# Example

/vmfs/volumes/619f4a5d-3c47f70a-e703-0025b502024e/ctmhecp

cat to find instances. Note there might be duplicates so check logs accordingly.

cat vmware*.log | grep -i MigrateSetInfo

references:

Troubleshooting vMotion - VMware vSphere Blog

Virtual Machine log file entries
The virtual machine log file resides in the virtual machine home folder that also includes the vmx file and the vmdk files. Using root access on your ESXi host, you can go to appropriate folder. My test VM resides on vSAN, so I would look for the virtual machine home directory using symlink /vmfs/volumes/vsanDatastore. Using the following command shows even more information about the live-migration like the source and destination IP addresses:

Well Architected Framework

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 08 Jun 2024 09:05:00 GMT

[[202312231415 Azure Master|Azure]] Well Architected Framework provides a set of guidelines around how to design a workload. This framework concerns itself with architecture and not implementation.

It consists of:

Pillars | [[202406011159 Five pillars of Azure well architected framework|Five pillars of Azure well architected framework]]
- Each pillar has set of design principles
- Next there are checklists.
- Next Tradeoffs
- Next Recommendations (which are just patterns)
Workloads
Service Guides (Azure specific)

references:

Windows clear all events

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 06 Jun 2024 10:02:00 GMT

Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

references:

Five pillars of Azure well architected framework

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 01 Jun 2024 08:59:00 GMT

Cost effectiveness

traditionally, costs associates were upfront, considered capex
moving to cloud, it is considered opex
so can be cost effective just showing this.
pay less for services
related to [[202404061425 Azure Cost Management|cost]]

how?

plan and estimate: design and then use cost-estimation to figure out how much you will pay
- get discounts where possible by using reserved instances for example. also for licenses, etc.
optimization: design with cost optimization at the center.
- PaaS is better than IaaS. choose service levels, etc based on usage requirements.
- optimize consumption based pricing: compare prices for dedicated vs consumption based pricing for apps.
- optimize HA: active-active or active only is better than active-passive
- clean unused apps/services
monitoring: related to above. monitor and figure out. and then resize/optimize.
efficiency: related to above. ensure everything is utilized effectively. reduce waste.
- examples: VM utilization (should not be free). storage utilization (data not required to be read often, not kept in archive) etc.

Operational excellence

full visibility into how your applications is working

how?

devops practices to ensure agility. ci/cd containers. or legacy. does not matter.
effective monitoring - identify cost wastes and troubleshooting, etc.
automation - reduce human errors. easier management.
testing - reduce issues with releases.

Performance Efficiency

matching available resources with the demands being put on the app

how?

scaling up and out
- up/vertical - make something larger
- out/horizontal - add similar resources
- ideally, use autoscaling
optimize network
- add message layer, so that requests keep flowing
optimize storage
- partitioning to access/manage data differently
- caching
  - placing static content closer to users, i.e. CDNs
identify poorly performing code or bottlenecks
- performance monitoring

Reliability

how to handle failures
- hardware failures
- data loss
including ha in our design

how?

build ha systems dependent of the sla we are committing
recoverability/ once the below are defined, we can design accordingly
- related to [[202404071556 Disaster Recovery|Disaster Recovery]]
- [[202404081931 Recovery Point Objective|RPO]]
- [[202404081933 Recovery Time Objective|RTO]]

Security

protecting data
[[202404051739 Governance Overview|azure governance]] i.e. shared responsibility model depending on what you're using

how?

increase security in layers/ so that attacker has to do more work
- data - exposing encryption key or using weak encryption can cause issues
- apps - code injection and execution - eg sql injection and cross site scripting
- vm/compute - malwares
- networking - unnecessarily open ports are a problem
- perimeter - ddos attacks
- policies and access - exposure of creds. limit access. monitoring to see where logins are coming from.
- physical - security badge stealing. door drafting, etc.

references:

MS Learn - Well architected Framework
MS Learn Docs - WAF

Delete IPs from existing subnet in Solarwinds IPAM

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 30 May 2024 07:22:00 GMT

Go to Manage Subnets and IP Address
Select the subnet
In the view to the right, there is Select IP range option. Give the starting IP Address and Ending IP Address.
Then Select + Delete

references:

Remove monitored IP addresses from a subnet (solarwinds.com)

Ansible VMware module does sysprep by default

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 28 May 2024 12:30:00 GMT

When using community.vmware.vmware_guest module – Manages virtual machines in vCenter — Ansible Community Documentation

It uses syprep by default when it recognises it is a windows image

This is an issue because after running [[202209261330 Windows sysprep reference|Sysprep]] we need to relogin to set things like time zone, etc.

references:

community.vmware.vmware_guest module – Manages virtual machines in vCenter — Ansible Community Documentation

Uses SysPrep for Windows VM (depends on ‘guest_id’ parameter match ‘win’) with PyVmomi.

PowerShell Training Overview

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 22 May 2024 10:15:00 GMT

Introduction
1. PowerShell - Shell + Scripting and how to run it
2. extensible
3. Check version
4. Running with VS code
Help System
1. -online tag
2. about topics
Running commands - Day1
1. execution policy
2. Cmdlets / form / convention
3. using parameter names
  1. positional
  2. required
4. shortcuts
Providers (How to use files and folders)
1. PSProviders - maps things to powershell for use
2. Using wildcards
3. Registry things
Pipeline
1. Connecting
2. Export
3. Killing processes
4. How powershell passes data down the pipeline | pipeline parameter binding --> Day2
  1. First ByValue
  2. Then ByPropertyName
5. Select with Name and Expression
Extensions
1. Modules
Objects
1. What and why?
2. Get-member
3. How to use
Formatting - Day 3
1. ft (with Name and expression)
2. fl
3. out
4. out-gridview
Filtering and comparison
1. Filter left (as close to the first cmdlet as possible)
2. Comparison Operators
3. Where-Object
Remote control - Day 4
1. WinRMGet
2. -ComputerName
3. Enter-PSSession/ Exit-PSSession
4. Invoke-Command/Invoke-Scriptblock
5. Diff between remote and local commands
  1. lack methods (readonly copy)
6. New-PSsession / Remove-PSSession
Variables - Day 5
1. Types
2. Quotes
3. Arrays
  1. how to access object
  2. how to access one property for multiple objects
4. $() - subexpression
5. specify type using []
6. Best practices
  1. No space
  2. Name properly with description
  3. define type
Input/Output
1. Read-Host
2. Write-Host
3. Write-Output
4. Otherways
5. -verbose
Scripting - Day 6
1. Parameterization (help about_functions_advanced_parameters)
  1. [CmdletBinding()]
  2. Mandatory
  3. aliases
  4. validate
  5. Setting default parameter values
2. Comments and stuff
3. Scopes
4. Functions
  1. begin
  2. process
  3. end
Logic and loops - Day 7
1. foreach
2. foreach-object - pipeline
  1. alias %
  2. -parallel
3. While
4. do while
Error handling - Day 8
1. Error variables
2. Error action
3. Error action preference (when -erroraction is not available)
4. try catch finally blocks
Debugging
Random
1. different versions of powershell
2. Operators : -in, -contains, -join and -split, -replace, -as and -is
3. Handling text
4. Handling date
  1. WMI dates - ConvertDateTime and ConvertToDateTime
5. Script blocks
  1. & operator - to run commands
6. WMI and cim
7. $null/empty strings/zero
  1. how to compare

references:

Linux schedule a task to run at specific time

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 22 May 2024 07:30:00 GMT

Use the at command

at 02:30
> sosreport --batch

## Ctrl+D to get out of it

references:

Windows cluster packet loss causing failover

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 03 May 2024 08:58:00 GMT

Windows Failover Diagnostic logs might have error 2051.

[RES] SQL Server <SQL Server (OPSQL19C1VS1)>: [sqsrvres] Failure detected, diagnostics heartbeat is lost

To check use perfmon to add counter for "Network Interface\Packets Received Discarded"
If it has non-zero value, then we have an issue.

To fix, we can increase:

Click Small Rx Buffers and increase the value (The maximum value is 8192).
Click Rx Ring #1 Size and increase the value (The maximum value is 4096)

The settings ensure that packets which are not getting used, can get stored in buffer and processed when they can be. There can be a small performance impact.

These settings do not require reboot but may have small drop. So should be done during maintenance hours.

references:

Nodes being removed from Failover Cluster membership on VMWare ESX? | Microsoft Learn
Large packet loss in the guest OS using VMXNET3 in ESXi (2039495) (vmware.com)
windows - VMXNET3 receive buffer sizing and memory usage - Server Fault

Azure Alerting

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 02 May 2024 15:49:00 GMT

From all the logs captured in [[202404281601 Azure monitoring old]] we could create a dashboard

references:

Entra Self Service Password Reset

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 02 May 2024 15:35:00 GMT

If user is logged in, they can reset their passwords
If user is not logged in, or they forgot their password, with [[202405021835 Entra Self Service Password Reset|SSPR]] they can reset their passwords.

How it works

Portal checks users location and renders [[202405021835 Entra Self Service Password Reset|SSPR]] in appropriate language
User enters username and captcha --> to ensure its not a bot
User answers security questions | Authentication step
Password reset
Notification

Authentication options

Mobile app auth
Mobile app code
Email a code
Mobile phone --> SMS or call
Office phone
Security questions

In free and trial Microsoft Entra organizations, phone call options aren't supported.

We can specify how many auth methods: 1 or 2
- Recommended 2: Mobile app primary, also email or office phone
Mobile phone not recommended as SMS can be spoofed
Security questions least recommended
For admins:
- Always 2 methods
- security questions disabled

License

P1/P2 or Microsoft 365 Apps for business or Microsoft 365.
For hybrid deployments, password write-back option to be enabled P1/P2 license or Microsoft 365 Apps for business.

references:

ARM template

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 01 May 2024 09:42:00 GMT

Related to [[202404061212 Azure Resources|azure resources]]

ARM template is a JSON file that specifies what resources to deploy. Kind of like an IaC. This allows one to redeploy similar things with consistency and speed.
Resources are deployed in parallel
Preview with whatif options in [[202207181612 Powershell|Powershell]] or CLI
Testing/validation with [[202406151219 ARM Bicep|Bicep]] linter
Breakup into smaller files and link later
Extension: run powershell/bash from inside the template
deployment mode
- incremental
  - default
  - does not destroy
- complete - exactly match whatever is there in template
  - so it can destroy existing resources if they are not in the template

references:

Arm templates docs

The template has the following sections:

Parameters - Provide values during deployment that allow the same template to be used with different environments.

Variables - Define values that are reused in your templates. They can be constructed from parameter values.

User-defined functions - Create customized functions that simplify your template.

Resources - Specify the resources to deploy.

Outputs - Return values from the deployed resources.

MS Learn

Azure monitoring old

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 28 Apr 2024 13:01:00 GMT

[[202312231415 Azure Master|Azure]] is shared responsibility model
As we go from IaaS to PaaS to SaaS, we are responsible for less stuff
I might not be responsible ([[202404281600 RACI matrix|RACI]]) for something, but I might be accountable for it. Might be a regulatory requirement.
- [[202404281601 Azure monitoring old|Azure monitoring]] allows for us to do that.
Monitoring is available for all resources, usually a tab under the resource

Monitoring [[202404011327 Entra ID|"Entra ID"]] - 7/30 days retention

Sign-in logs
Audit logs
Provisioning logs
30 days for premium license

Monitoring subscription - 90 days retention

Activity log (Control plane logs for everything under the subscription)
Service health

Monitoring [[202404061212 Azure Resources|resources]] (ARM) - 93 days

Metrics (Numerical value with Time)
- Like CPU utilization
Logs (Need to be configured)
- Different for different resources

Host logs - OS, IIS, etc

Azure Monitor agent - needs to be deployed to capture these logs
You configure Data Collection Rules
- what needs to be captured

k8s logs

AMA --> Log Analytics Workspace
Prometheus metrics --> Azure Monitor Workspace

Applications

Metrics and Logs
App Insight

Rest API

Diagnostic Settings

Where do the logs go to? And what log is captured?

Where?	Why?	Pay For
Storage	Cheap, long-term storage
Event Hub	External SIEM
Log Analytics Workspace (Logs)	Storage + Analyze	ingestion + retention
Azure Monitor Workspace	Storage + Analyze / for k8s

Log Analytics Workspace (Logs)

has 2 years max retention
configurable retention

Types of Logs

i could search and restore to analytics logs to perform richer searches, etc. from [[#Basic Logs]] or [[#Archive Logs]]
Export table to storage or event hub periodically
- for custom filters need to create app/serverless

Analytics Logs

searchable, etc.
costliest

Basic Logs

8 days retention (fixed)
limited queries

Archive Logs

upto 7 years

references:

MS Learn - monitoring

Types of analysis

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Apr 2024 12:18:00 GMT

Descriptive

What happened?

Diagnostics

Why?

Predictive

Will something happen?

Prescriptive

WHAT TO DO?

COGNITIVE

Conclusions

references:

Extract Transform Load

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Apr 2024 12:03:00 GMT

Related to [[202404261946 Data flow|How data flows]] in the context of enterprise apps.

references:

Types of data related roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Apr 2024 11:07:00 GMT

Database Admin

Design, implement and manage DB

Tools they use - #todo

Data Engineer

Understand data flow/lifecycle
Designs data pipeline

Tools they use - #TODO

Data Analyst

Explore data, find relationships
Create models that are then used by business

Tools they use - #TODO

references:

ACID

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Apr 2024 11:00:00 GMT

Atomic

references:

Type of Databases

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 27 Apr 2024 10:58:00 GMT

OLTP

Transactional processing
Need to update what is happening
High volume of small transactions
Fast access
Normalised DB
- De-duplication
- Other things, basically things need to fit in a table
[[202404271400 ACID|ACID]]

OLAP

Analytical Processing
Large data volume
Historical data
Mainly read only
[[202404261931 Azure Data warehouse and analytics]]

references:

Data flow

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 Apr 2024 16:46:00 GMT

Data flows in [[202404271503 Extract Transform Load|ETL]] or [[202404271503 Extract Transform Load|ELT]] form.
Azure Data factory is a solution to give this control

flowchart LR
Source --> Extract --> Transform --> Load

flowchart LR
Source --> Extract --> Load --> Transform --> Load2

Data source

Data source is either in:

Batch
1. Data is gathered somewhere and then processed in one go.
2. Interval processing
3. Large volume of data
4. Some latency will be there
Serial
1. Data keeps coming. We process it as it arrives
2. We will usually have some hub which collects it and then passes it along. like IoT hub, etc.
3. Low latency

ETL

Extract Transform Load
ETL used to be in earlier days when storage was costlier
So we would transform the data and then go to load stage
Transform is either
- Mapping
- Wrangling
- Complex (HD insights, etc)
Load is stored in DB, or [[202404261931 Azure Data warehouse and analytics]]
And then finally analyze phase

ELT

Storage is cheap now.
So we store it in something like [[202404121149 Azure Data Lake]]
The benefit is that in future we may want to transform it in some new way
- But if we transform like in ETL then that data is lost and we can't do anything
- Now we have loaded it in [[202404121149 Azure Data Lake]] so we can use it later as needed

references:

Azure Data warehouse and analytics

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 Apr 2024 16:31:00 GMT

large amount of data.
mostly at the end of some pipeline/historical data // storage + analytics
read access.
mostly an analytics thing where you want to draw patterns out of this massive corpus of data

references:

Azure Cosmos DB

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 Apr 2024 16:04:00 GMT

This was built for the cloud / designed for global distribution / multi-write [[#Variable consistencies]]
All types of NoSQL data can be stored in it

Variable consistencies

Because distance is large, there will always be drawbacks
A tension between performance and consistency

STRONG | BOUNDED STALENESS | SESSION | CONSISTENT PREFIX | EVENTUAL

Strong means everyone will see the same read.
Session means everyone in the same session will see the same thing. (Most common)
Eventual means eventually everyone will see the same thing.

What we choose depends on the type of app we are building.

references:

Search ADAccount Timespan for AccountInactive

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 25 Apr 2024 13:12:00 GMT

Search-ADAccount uses LastlogonTimeStamp for -TimeSpan when used with -AccountInactive

references:

Search-ADAccount (ActiveDirectory) | Microsoft Learn

When doing chassis replacement decommission chassis first

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 24 Apr 2024 16:08:00 GMT

When doing chassis replacement decommission chassis first
Otherwise old chassis remains.

New chassis comes as chassis +1

references:

Azure Open source DB

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 24 Apr 2024 14:15:00 GMT

Supports many different options
fully managed
Based on community editions

DB for

postgres (great for oracle)

all [[#Modes]]

mysql

mode : single and flexible

mariadb

mode: single only

Modes

single (legacy)
flexible (the one which is better going forward)
hyperscale
- basic (1 node) / can upgrade at any time
- standard (1 controller + 2 workers)

references:

Azure SQL

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 23 Apr 2024 16:33:00 GMT

SQL VM

IaaS option - SQL server running on a VM in the cloud.
You manage patching, etc.
Agent extension to move it closer to Paas/Can be upgraded to full later on
- Lightweight mode (Inventory/Change SKUs)
- Full mode
  - Auto patch
  - storage
  - azure backup
  - key vault for secret management
  - HA

SQL Managed Instance

PaaS offering
In your [[202404121703 Azure VNet|VNet]]
Multiple DBs per instance

SQL DB

Full PaaS - serverless
Deployment Modes
- Single DB
- Elastic Pool
  - collection of single DBs with shared resources like CPU, etc.
Purchasing models
- vCore based
  - Tiers:
    - General purpose
    - Enterprise
    - Hyperscale
- DTU based (older style)
  - Tiers:
    - Basic
    - Standard
    - Premium

Service tiers

For both managed and azure sql db
For both we can specify zone-
Lives under a logical DB server
- We can specify network, auditing, etc. in there

Standard

primary (data is stored separately)
if primary goes down, secondary is brought online connects to the data source and starts working
expected to be a bit of downtime

Premium/Business critical

primary (data and logs are stored with it)
primary replicates to a set of secondaries

references:

Azure SQL overview
SQL VM and Agent extension
Feature comparison

Download host metrics report from Ansible Automation Platform

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 23 Apr 2024 08:54:00 GMT

# To get output in csv
awx-manage host_metric --csv

# To download a tarball
awx-manage host_metric --tarball

API

https://taapservice.op-palvelut.fi/api/v2/host_metrics/?format=api&page_size=200

references:

Automation Controller User Guide Red Hat Ansible Automation Platform 2.4 | Red Hat Customer Portal

How to decommission an ESXi

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 22 Apr 2024 10:46:00 GMT

General steps are these:

1.       Put the ESXi host in maintenance mode - Compute
2.       Remove host from vDS switch - Compute
3.       Unmount and detach data LUNs / DO NOT DELETE DATA LUNS - Compute
4.       Remove host from the cluster (Remove from inventory) - Compute
5.       Delete boot LUN for the host, and remove host from the cluster – Storage
6.       Delete the service profile from UCS end - Compute
7.       Remove host from monitoring – SolarWinds
8.       Cleanup IPAM reservation, AD object and DNS reservation – Compute Windows
9.       Mark ESXi as decommissioned in CMDB – SNOW team

There might be some changes based on whether full cluster needs to be decommissioned.
In this case, the data luns can be deleted.

references:

How to properly decommission a VMware ESXi Host - The Tech Journal (stephenwagner.com)

Process in Short:
Enter Maintenance Mode
Remove Host from vDS Switches
Unmount and Detach iSCSI LUNs
Move host from cluster to datacenter as standalone host
Remove Host from Inventory

Azure Static Web App

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 11:40:00 GMT

globally distributed content for static websites/pre-rendered content
Types: Free or standard
can integrate with managed [[202404201427 Azure Functions|Azure Functions]]
- for some server side stuff if needed
can integrate with gitops

references:

Azure Logic Apps

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 11:38:00 GMT

Runs on top of [[202404201427 Azure Functions|Azure Functions]]
no code or low code
- gives gui to design things

references:

Azure Functions

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 11:27:00 GMT

serverless (can run with [[202404201400 Azure App service#App service plan]])
- I just write the code
many languages supported
Event driven such as HTTP, schedule, event grid, blob creation
Binds to additional inputs and outputs

Serverless

flowchart LR
Event -.-> |Trigger| Work
Work <--> |BindingOrConnection| Services

Point of serverless is there is some work you want to do
Which is triggered by some event (schedule, message, api, etc)
- Can be many event sources (blob,app,etc)
- Which can be difficult to poll, etc.
- So what we get is Event grid
  - which talks to all these sources and pushes the event to the event handler
  - Event handlers for example [[202404201427 Azure Functions|Azure Functions]], webhooks, etc.
That work is integrated with services

references:

Azure App service

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 11:00:00 GMT

original paas
hosts web applications (http/gRPC)
can scale up or out
provides different [[202404121703 Azure VNet|VNet]] integration options
- private endpoint for inbound requests
- delegated subnet in our [[202404121703 Azure VNet|VNet]] for outbound requests to other Azure resources
- compared to [[202404201400 Azure App service#App service environments]] which are integrated to [[202404121703 Azure VNet|VNet]] and don't require these things
Can use App service for authentication and authorization
Can backup
- requires a [[202404091847 Azure Storage Overview|Azure storage]] container in the same sub
- requires premium/standard
Can monitor using Azure insights

Which OS supports what

az webapp list-runtimes --os linux
dotnetcore
node
python
php
java
jbosseap
tomcat

az webapp list-runtimes --os windows
dotnet
aspnet
node
java
tomcat

App service plan

You pick an App service plan. Based on the plan you get access to certain resources (certain number of nodes).
On app service plan your apps run. So 2 apps in same service plan for example.
You can move apps from one app service plan to other, but it has to be in same webspace (region+os+RG)

Deployment slots

For new deployment, it can be put in staging
When ready, with a VIP swap, staging can be made production
If any issues, with VIP swap we can put it back.
Avoid cold start during deployment slots
You can clone settings to new slot but not content
Swap with preview breaks the process in two halves:
- slot specific settings are copied in phase 1
  - we can check if for example db connection string breaks
- in phase 2, it would remove temporary changes and proceed with swap

App service environments

v3 used with v2 Isolated plans
provides isolation
- this is deployed in your [[202404121703 Azure VNet|VNet]] when compared to App service which is shared
- control plane is separate Azure subnet
- Data plane is in our vnet
apps are deployed in app service plans

Scaling

Scale out has two options
- Azure app service autoscaling (based on rules we define)
- Metric (on all the nodes a certain threshold should be reached)
- Scheduled
- Azure App Service automatic scaling
- avoid cold start issues

Best practices

Enough margin between scale out and scale in values
Use proper metric
Different thresholds for scale out and in

How does it work

Suppose:

scale up when cpu >=80
scale down by 1 when cpu <=60

you have 2 nodes. utilization in both goes above 80. so it scales up to 3 nodes.
now assume utilization comes down to 60. it calculates after scale what will happen.
current 60x3 = 180.
after scale : 180/2 = 90. so it will not scale as 90 > 80
later, utilization comes down to 50.
current 50x3=150.
after scale: 150/2 = 75. which is less than 80.
so now it will scale down.

references:

App service overview
Settings which get copied during app clone

Swapped settings	Slot-specific settings
General settings, such as framework version, 32/64-bit, web sockets App settings *** Connection strings * Handler mappings Public certificates WebJobs content Hybrid connections ** Service endpoints ** Azure Content Delivery Network **** Path mapping	Custom domain names Nonpublic certificates and TLS/SSL settings Scale settings Always On IP restrictions WebJobs schedulers Diagnostic settings Cross-origin resource sharing (CORS) Virtual network integration Managed identities Settings that end with the suffix _EXTENSION_VERSION
App service plans
App service pricing

Feature	Free	Shared	Basic	Standard	Premium	Isolated
Usage	Development, Testing	Development, Testing	Dedicated development, Testing	Production workloads	Enhanced scale, performance	High performance, security, isolation
Web, mobile, or API applications	10	100	Unlimited	Unlimited	Unlimited	Unlimited
Disk space	1 GB	1 GB	10 GB	50 GB	250 GB	1 TB
Auto scale	n/a	n/a	n/a	Supported	Supported	Supported
Deployment slots	n/a	n/a	n/a	5	20	20
Max instances	n/a	n/a	Up to 3	Up to 10	Up to 30	Up to 100
Azure app scaling

Azure Spring Apps

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 10:57:00 GMT

Runs on top of [[202404201210 Azure Kubernetes Service|AKS]], for java applications
Deploys a spring cloud
- Open source
- VMware Tanzu (separate VMware license)
Three tiers

references:

Azure Container Apps

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 10:48:00 GMT

Built on top of [[202404201210 Azure Kubernetes Service|AKS]], abstracts away the AKS layer. We focus on the application
Brings envoy, dapr, keda
- Dapr - Distributed Application Runtime
  - Event drivent runtime
  - Runs a sidecar container
  - basically an api that can be used by our app to call any dapper component
- KEDA - Kubernetes Event Driven Autoscale
Built-in AuthN and AuthZ
- Restrict Access setting to control
Versioning using revisions
- which is immutable snapshot of container app version
You can set environment variables and secrets
- Secrets once defined at app level are available in containers as environment variables

Container Apps Environment

individual apps deployed to app environment which acts as security boundary
Apps deployed in the same environment are deployed to same [[202404121703 Azure VNet|VNet]] and write logs to the same log analytics workspace.

references:

Dapr overview
https://learn.microsoft.com/en-us/azure/container-apps/ingress-overview?tabs=bash
https://learn.microsoft.com/en-us/azure/container-apps/overview
MS Learn

Azure Kubernetes Service

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 09:10:00 GMT

[[202404201203 Azure Container Instance|Azure Container Instace]] is OK. But mostly we need more than one container.
[[202404211433 Kubernetes|Kuberenetes]] is the orchestrator of choice.
Two types: free and standard
- Standard has SLA / that is what we would use for production
We pay for the VMs (or nodes) which can auto-scale

Features

Can use [[202404201203 Azure Container Instance|ACI]] for cheap via virtual kubelet // need to specify in our manifest file
Stop/start aks cluster
Automatic healing
Automatic upgrade
- Not to be used in prod as it might break things
Gitops
- Make changes to your repo, that gets deployed to AKS
Managed ID use
- Create a user [[202312231441 Entra ID Managed Identities|MI]]
- Tag that to a service account created in AKS
- Then stuff happens and we can use IDs
User node pools can use spot instances

Structure

When we run commands (kubectl) it talks to API server. Other [[Kubernetes Components]] like etcd (DB), scheduler, etc talk to API server. All this is control plane.
Then we have node pools, where basically the worker nodes run.
- There is type system which basically has things that [[Kubernetes]] needs to run.
- In node pools we have nodes.
  - On each node we have [[Kubernetes Components]] like kubelet (which talks to api server for management), kubeproxy (for network stuff) and container runtime.
  - Additionally, then we have our pods. Which are you know our services.
Namespaces allow for isolation.

Autoscaling

For pod scaling

Horizontal pod auto-scaling
1. If it sees it needs more pods it will autoscale.
Kubernetes Event driven autoscaling (KEDA)
1. It will look at advanced metrics (queue, etc) to see if it needs more pods and then autoscale
  But, if after seeing that it needs more pods, and it is not able to scale then it goes for

Cluster scaling

Basically, if pod is in waiting state, it will autoscale to add a node.

Networking

Max pods can be set as high as 250 at deployment time, otherwise you get defaults per below.

kubenet (default) (basic) Not for production

Nodes get IP from subnet
internal IP space for pods (NAT so that they can reach external resources/vice-versa)
Max 110 pods per node (default)

Azure CNI (advanced)

pods get ips from the same subnet
needs to be planned in advance
30 (default)/ 110 from portal (default)

Dynamic CNI

Pod IPs from a different subnet

CNI overlay

Like kubenet, gets IPs from a different private subnet (which can be reused in a different cluster)

Storage

Containers can be created/re-created whenever.
But there is a need for persistent storage.
So pod makes a persistent volume claim (pvc) which goes to a persisten volume (pv) which can be on blob, disk, files, netapp, etc.

flowchart LR
pod --> pvc --> pv --> azureFiles & Blob & Disk & Netapp

references:

Core concepts
Network concepts

Azure Container Instance

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 20 Apr 2024 09:03:00 GMT

Basic container as service
Can be windows or linux
- But some features are linux specific
Can be useful for one-off things/burst
Multi-container groups on same host
- only for linux based containers
Can be deployed in vNet
can mount additional storage
- azure file share

Container group

top level resource
deployed on one VM
containers in a group share same resources
similar to pod in kubernetes
Environment variables can be set with --environment-variables
- passwords etc with secureValue
when deploying multi-container groups
- yaml for only containers
- arm templates in case volumes need to be attached as well

az container create


New-AzContainerGroup

references:

MS Learn

UCS The password encryption key has not been set

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 19 Apr 2024 10:13:00 GMT

In the Navigation pane, click Admin.
Expand All > User Management > User Services > Locally Authenticated Users
Fill out the Password Encryption Key field.
After filling it and saving, Password Encryption Key Set will become Yes.

references:

Cisco UCS Manager Administration Management Guide 4.2 - Password Management [Cisco UCS Manager] - Cisco

Azure VM scale sets

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Apr 2024 15:46:00 GMT

VMSS allows you to scale VMs in and out based on certain rules (utilization or queue) / helps with [[202404071304 Resiliency Overview|resiliency]]
- For example: if cpu utilization goes above 70% add 2 more VMs
- max: 1000
These are just [[202404161835 Azure VM Basics|Azure VM]]s so nothing special in that way. You can interact with them whichever way you want.
- These are not special. Or should not be special. So if one has any issue, it should be able to get deleted and recreated.
this scale set is kept behind a LB.
There are two modes: flex and uniform. But use flex. Uniform is legacy.
- Uniform means all vms of same size
  - for large scale stateless
- Flex can include different sizes
You can get termination notification
You can look at the logs to see what has happened in the past
When creating an [[202404161835 Azure VM Basics|Azure VM]] you can specify if you want to add it to an existing scale set.
use [[202404171828 Azure Spot can help reduce prices for Azure VMs|Azure Spot can help reduce prices for Azure VMs]]
- but vm can be removed at any time, so architect accordingly
- policies:
  - deallocate - remove compute, but disks are saved
  - delete - delete everything
upgrade policy
- automatic
- rolling - so any changes to image or profile is not done for the whole scale set in one go.
- manual

Types of scaling

scheduled
automatic - based on metrics

some faqs

# create
az vmss create --resource-group myResourceGroup --name webServerScaleSet --image Ubuntu2204 --upgrade-policy-mode automatic --custom-data cloud-init.yaml --admin-username azureuser --generate-ssh-keys

# Scale
az vmss scale --name webServerScaleSet --resource-group MyResourceGroup --new-capacity 6

references:

VMSS Overview

Use Azure VMware solution if an org wants to move to cloud quickly

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Apr 2024 15:44:00 GMT

If an organization needs to leave their DC quickly, i.e. don't have time to retool they can use the Azure VMware offering.
Use existing skills

references:

Azure Compute Gallery

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Apr 2024 15:29:00 GMT

Azure Compute Gallery allows to store images and VM apps.

It allows for

Replication (to other regions, subscriptions, etc.)
Versioning (specify a source,)
1. Some services in Azure see that a new version is available and they auto-update.

Images and VM apps both have

a definition which tells it what source to use.
a version which is what is used when running install/creating a vm
In case of images source can be a shutoff VM, an image from marketplace, etc.
In case of VM app, it is packages kept on a blob somewhere + commands to install and uninstall, update, etc.

references:

John's VM course
Compute Gallery Overview

Curl gives a handshake failure when trying to use ntlm to talk to Windows server

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Apr 2024 13:41:00 GMT

This can happen if NTLM v1 is disabled on the target Windows environment.

Issue

Using curl to access a resource on Windows IIS (sharepoint, for example) gives "NTLM handshake rejected" error
NTLM v1 can be disabled either via GPO or directly in the registry (details below)
The default install of curl on RHEL does not support NTLMv2

GPO

Network security > LAN manager authentication settings (among other settings)

Registry:

Under 
HKEY_LOCAL_MACHINE\System\CurrentControlSet\control\LSA\MSV1_0

Value Name: NtlmMinClientSec  
Data Type: REG_WORD  
Value: one of the values below:

- 0x00000010- Message integrity
- 0x00000020- Message confidentiality
- 0x00080000- NTLM 2 session security
- 0x20000000- 128-bit encryption
- 0x80000000- 56-bit encryption

Resolution

Upgrade curl on RHEL to enable the httpd24-curl.

# yum install httpd24-curl

# scl enable httpd24 bash

Curl versions will be different before and after.

Before:
# curl -V
curl 7.29.0 (x86_64-redhat-linux-gnu) libcurl/7.29.0 NSS/3.36 zlib/1.2.7 libidn/1.28 libssh2/1.4.3
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smtp smtps telnet tftp 
Features: AsynchDNS GSS-Negotiate IDN IPv6 Largefile NTLM NTLM_WB SSL libz unix-sockets

After:
# curl -V
curl 7.47.1 (x86_64-redhat-linux-gnu) libcurl/7.47.1 NSS/3.28.4 zlib/1.2.7 libidn/1.28 libssh2/1.4.3 nghttp2/1.7.1
Protocols: dict file ftp ftps gopher http https imap imaps ldap ldaps pop3 pop3s rtsp scp sftp smb smbs smtp smtps telnet tftp 
Features: AsynchDNS IDN IPv6 Largefile GSS-API Kerberos SPNEGO NTLM NTLM_WB SSL libz HTTP2 UnixSockets

references:

Enable NTLM 2 authentication - Windows Client | Microsoft Learn

Windows gives Continue dialog box even if we have existing permissions

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Apr 2024 13:35:00 GMT

This is a known issue.

Issue description

You have permission to the share/folder as admin
However when you go and try to access the folder in explorer, it gives a dialog to click continue to permanently get access
This modifies NTFS permissions and adds your individual ID to the permissions.
This can overwrite NTFS permissions so not a good thing.

Workaround:

Using PowerShell for example it is possible to get acl or delete any files or directories without adding your ID.

references:

Continue dialog box for folder access in Windows Explorer when user only has access with elevated token - Windows Server | Microsoft Learn

Instance Metadata service

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 17 Apr 2024 16:36:00 GMT

Special IP: 169.254.169.254

From inside the [[202404161835 Azure VM Basics|Azure VM]], one can reach out to this and get info from ARM.

references:

Create entries in reverse lookup zone through PowerShell

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 17 Apr 2024 13:50:00 GMT

Add-DNSServerResourceRecordPTR -ZoneName $ZoneName -Name $ipAddress -PTRDomainName $hostname -ComputerName $dnsServer

This is the command. Name Needs to be in reverse order. so for example, for 10.45.32.23. Name will be 23.32 for zone "45.10.in-addr.arpa".

This can be done in excel. Split by "." and then concat.
Or it can be done in PowerShell as well. Maybe a TODO for future.

references:

Azure VM Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 16 Apr 2024 15:35:00 GMT

IaaS service
1. Everything inside the VM is our responsibility and under our control
  1. Things like patching, AV, etc.
Building block of lots of azure services
Different SKUs (based on ratio of CPU vs Memory)
1. In a SKU different sizes (how much cpu and memory)
As physical hardware improves, different versions of virtual machines might come forward
1. Different versions so that we have consistency, we can choose what we want to do.
VM needs to be Stopped (deallocated) for no charge. Shutting from guest does not de-provision it.

[[202404161906 How do we think about VM sizes or types on Azure|How do we think about VM sizes on Azure]]

Commands

[[202407141333 Get Azure VM Images|Get Azure VM Images]]
[[202407141412 Create VM in Azure|Create VM in Azure]]

references:

John's YT

Azure DNS

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:50:00 GMT

[[202404121703 Azure VNet|VNet]] can use Azure DNS or custom/private DNS
Azure DNS - 168.63.129.16
From a [[202404121703 Azure VNet|VNet]] auto-register to one private DNS zone (check-box in [[202404141442 Azure Private Link|Private Link]])
- Can resolve to upto a 1000 DNS zones
Each private DNS zone can link to a 1000 [[202404121703 Azure VNet|VNet]]s
Types:
- Private
  - Create a [[202404141442 Azure Private Link|Private Link]] to [[202404121703 Azure VNet|VNet]] which needs DNS resolution
- Public
NS record for delegating a sub-domain
[[202407271215 Create Azure DNS zone and records|Create Azure DNS zone and records]]
For [[202404011327 Entra ID|"Entra ID"]] only TXT or MX records
For [[202404201400 Azure App service|app service]] to register dns TXT or CNAME record

Private DNS Resolver service

Inbound (just an IP) and Outbound endpoint
My on prem DNS can forward to inbound endpoint (which is just an IP)
Forwarding rule sets can be created to resolve in [[202312231415 Azure Master|Azure]] my onprem DNS
- Can be linked to different [[202404121703 Azure VNet|VNet]]s

Dangling DNS

Create an alias to a resource
After time resource is deleted
But alias still points to it
Bad actor can create a service with the same record name
So now my alias points to bad actor's service

split horizon scenario

[[202404161835 Azure VM Basics|Azure VM]] has [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]] and [[202407281228 Azure Private IP Address|Azure Private IP Address]]
We create 2 zones - public and private
Configure the associated [[202404121703 Azure VNet|VNet]] to register to dns automatically
Then private dns zone will have A record with private ip
Public dns zone will have public ip

references:

MS Learn

A is the host record, and is the most common type of DNS record. It maps the domain or host name to the IP address.

CNAME is a Canonical Name record that's used to create an alias from one domain name to another domain name. If you had different domain names that all accessed the same website, you'd use CNAME.

MX is the mail exchange record. It maps mail requests to your mail server, whether hosted on-premises or in the cloud.

TXT is the text record. It's used to associate text strings with a domain name. Azure and Microsoft 365 use TXT records to verify domain ownership.

Additionally, there are the following record types:

Wildcards

CAA (certificate authority)

NS (name server)

SOA (start of authority)

SPF (sender policy framework)

SRV (server locations)

Enable Auto-registration

Azure Private Link

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:42:00 GMT

When an externally facing [[202312231415 Azure Master|Azure]] PaaS service is accessed from a resource in a [[202404121703 Azure VNet|VNet]] the traffic stays on the Azure network
The PaaS service still has an external facing endpoint that some companies do not want even with firewall/authentication lockdown
[[202404141442 Azure Private Link|Private Link]] enables PaaS services to have a private endpoint for a service instance created in a virtual network that is an avatar for that specific service instance
Can also project custom services that are behind a standard load balancer using a Private Link Service
Resources in the [[202404121703 Azure VNet|VNet]] can interact via the private endpoint directly to the service using the most efficient path
Because it is instance specific helps stop data exfiltration
Removes the need to peer [[VNET]]s which can be important where [[202404121703 Azure VNet|VNet]]s may have overlapping IP ranges
Mostly used in place of [[202404141435 Azure Service Endpoints and Service Endpoint Policies|Service Endpoints]]

references:

MS Learn

Azure Service Endpoints and Service Endpoint Policies

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:35:00 GMT

[[202404141419 Network Security Groups|NSGs]] are focused on traffic into and out of the virtual network
Many Azure PaaS offerings have their own firewall capabilities to lock down access
It is often required to restrict a service to only specific subnets of specific virtual networks
[[202404141435 Azure Service Endpoints and Service Endpoint Policies|Service Endpoints]] make a specific subnet known to a specific Azure service and add optimal path to service
The virtual firewall on the service can then be configured to allow only that specific subnet
Service Endpoint Policies allow specific instances of services to be allowed from a virtual network which is not possible with NSG service tags

Benefits

Improved security (point 3 above/restrict Internet access and allow access only from specific subnet)
Optimal routing for services
- NVA force every internet going thing through the same route
- With [[202404141435 Azure Service Endpoints and Service Endpoint Policies|Service Endpoint]], Azure traffic goes through different route
Direct traffic to MSFT
- Use Azure backbone network
Low maintenance/easy config

references:

MS Learn

Azure Virtual WAN

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:31:00 GMT

Provides a managed hub
hub and spoke architecture
- Each region within the WAN instance gets a hub
Two SKUs - Basic and Standard
- Basic - S2S VPN only
- Standard - S25 VPN, P2S VPN, ExpressRoute, inter-hub, VNet transitive and more

references:

Virtual WAN Overview

Network Security Groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:19:00 GMT

Can be used to [[202404141404 Control traffic flows|control traffic flow]]
[[202404141419 Network Security Groups|NSGs]] can be applied at the subnet or NIC level but are always enforced at the NIC
- so apply at subnet level, easier to manage
- each subnet can have max 1 [[202404141419 Network Security Groups|NSG]] assigned to it
- each NIC can have 0 or max 1 [[202404141419 Network Security Groups|NSG]] associated with it

Security Rules consist of:

Source
Destination
Protocol
Port
Action
Priority
1. Lower priority number has higher priority

Source and destination

can be CIDR
can be service tags
[[202407141403 Application Security Groups|ASG]] (Application Security Group) (Tags basically)

Default rules

VNet, Internet, etc are service tags.

Inbound

AllowVNetInBound
AllowAzureLoadBalancerInBound
DenyAllInbound

Outbound

AllowVnetOutBound
AllowInternetOutBound
DenyAllOutBound

How it works if both vnet and subnet have nsg

In terms of precedence. Whichever is the first thing traffic encounters. So,

Incoming

Subnet wins

Outgoing

VM NIC NSG wins

[[202407141419 Create NSG in Azure|Create NSG in Azure]]

references:

NSG
MS Docs processing of NSG

Azure Firewall

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:13:00 GMT

Can be used to [[202404141404 Control traffic flows|control traffic flow]]

Can do a bunch of things.
It has

Rules
1. Application L7
2. Network L4
Intrusion detection

Tiers

Standard
Premium
Basic

references:

Azure Firewall Overview

Control traffic flows

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 11:04:00 GMT

By default traffic can freely flow within a virtual network and to any connected network
To segment and control traffic within a [[202404121703 Azure VNet|VNet]], between networks and/or external a number of approaches can be utilised
- [[202404141413 Azure Firewall|Azure Firewall]] or [[202407281410 Network Virtual Appliance|NVA]]
- [[202404141419 Network Security Groups|Network Security Groups]], [[202407141403 Application Security Groups|Application Security Groups]] and Service Tags
[[202404141419 Network Security Groups|NSGs]] can be applied at the subnet or NIC level but are always enforced at the NIC
- so apply at subnet level, easier to manage
- each subnet can have max 1 [[202404141419 Network Security Groups|NSG]] assigned to it
- each NIC can have 0 or max 1 [[202404141419 Network Security Groups|NSG]] associated with it
[[202404141419 Network Security Groups|NSGs]] are made up of rules based on IP ranges/tags, ports and actions
[[202407141403 Application Security Groups|ASGs]] are tags applied to NICs which can be used instead of IP ranges in rules which may be easier to utilize.

references:

Azure ExpressRoute

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 14 Apr 2024 10:39:00 GMT

ExpressRoute lets you extend your on-premises networks into the Microsoft cloud over a private connection with the help of a connectivity provider.

flowchart LR
CustomerNetwork --> PartnerNetwork --> ExpressRouteCircuit --> MSFTEdge

Private but not encrypted
Has redundant connections i.e. [[202404071304 Resiliency Overview|resiliency]]

ExpressRoute Peering Locations or MeetMe

ExpressRoute fast path

A key component for private peering at the gateways that run in the net which have numerous functions
- BGP
- Part of the data path from the MSEE at the peering location to the target resource
Fastpath removes the gateways as part of the data path enabling higher throughput

references:

ExpressRoute overview
Peering Locations

Connecting to Onprem

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 13 Apr 2024 10:37:00 GMT

Many Azure services have external, Internet facing endpoints however often private connectivity is required
There are a number of options to connect to virtual networks
- P2S VPN - Connects a specific device to a virtual network
- S2S VPN - Connects a network to a virtual network
- S2S VPN gateways enable multiple VPN connections to different networks if route not policy based
- ExpressRoute Private Peering - Connects a network to a virtual network via peering location and ExpressRoute Gateway (or at least mostly)
- ExpressRoute circuits enable multiple virtual networks to be connected to a single circuit but net to vnet better via peering where practical
Most enterprises will leverage ExpressRoute which has the benefit of not going over the Internet, consistent latency and can also provides optional Microsoft peering via route filter

[[202407151913 Azure VPN|Azure VPN]]

[[202404141339 Azure ExpressRoute|Express Route]]

Private but not encrypted
MSFT don't provide connection from meet me to your dc/location

references:

ExpressRoute Locations
ExpressRoute overview

Connecting virtual networks

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 13 Apr 2024 10:13:00 GMT

If you wish to have multiple subscriptions and/or use multiple regions you will have multiple virtual networks
In the past we could connect virtual networks using S25 VPN or by connecting to the same ExpressRoute circuit but both approaches have problems
[[202407151908 VNet Peering|VNet Peering]] enables [[202404121703 Azure VNet|VNets]] to be connected via the Microsoft backbone in the same or different regions (global peering)
There is a small ingress and egress charge for traffic via network peering
IP address spaces CANNOT overlap

[[202407151908 VNet Peering|VNet Peering]]

Best option
Can span subscriptions and tenants
Not transitive i.e. VNET1 can not talk to VNET3 / Need to create peering relationship between them
- Without peering, I could add Azure Firewall or Network virtual appliance in Hub network (VNET2) and tell:
  - VNET3 if you want to talk to VNET1, next hop is IP of that forwarder
  - VNET1 if you want to talke to VNET3, next hop is IP of that forwarder
- This above thing is [[202407281401 User defined routing|UDR]]
- There is also border gateway protocol

flowchart LR
VNET1 --> |Peer| VNET2 --> |Peer| VNET3
VNET1 --- |NotTransitive|VNET3

[[202404131337 Connecting to Onprem|Express Route]]

Bad idea because of latency
Traffic goes from VNET1 to express route MeetME and then from there to VNET2

flowchart LR
	VNET1 --> ExpressRoute --> VNET2	
	ExpressRoute --> MeetME --> ExpressRoute

[[202408241251 How to create S2S VPN|S2S VPN]]

VPN is basically encrypting traffic
Bad idea because of bad throughput and bandwidth

flowchart LR
VNET1 <--> |S2SVPN| VNET2

Priority

More specific subnet chosen
- Between, 10.0.0.0/16 and 10.0.0.0/24, /24 route will be chosen

Between different route types for the same prefix:

User-defined routes
BGP routes
System routes

references:

ExpressRoute Locations
MS Learn

External Access

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 13 Apr 2024 09:19:00 GMT

There is no special "DMZ" subnet where resources get a public IP
By default Azure provides outbound SNAT/PAT enabling resources to access the Internet and receive responses
To provide services to the Internet either
- Give the IP configuration an instance level public IP (not a good idea)
- Place the instances behind an [[202407271319 Azure Load Balancer|Azure Load Balancer]], [[202407271353 Azure Application Gateway|Azure Application Gateway]] or [[202407281410 Network Virtual Appliance|NVA]] which has a [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]] in the front-end configuration
- Use a network virtual appliance with a public IP
Care should be taken to only expose the ports required, e.g. 443
DO NOT enable SSH/RDP to internet

SNAT // Outbound

Source Network Address Translation
Internal IPs can not be used to talk to Internet
So, we basically have a public IP for resources and a range of ports (max 1024 ports)
SNAT can say for this port using the public IP resource 1 talk to internet
For this other port using the same public IP resource 2 talk to internet and so on

flowchart BT
	resources --> |PublicIP| Internet
	subgraph VNET
		resources
	end

Connectivity Methods

Implicit

When a VM is created it gets a public IP for default internet access
IP not fixed
Not recommended/not so secure

Explicit

#	Method	Type of port allocation	Production-grade?	Rating
1	Use the frontend IP address(es) of a load balancer for outbound via outbound rules	Static, explicit	Yes, but not at scale	OK
2	Associate a NAT gateway to the subnet	Dynamic, explicit	Yes	Best
3	Assign a public IP to the virtual machine (Don't want to use this)	Static, explicit	Yes	OK

NAT // Inbound

used to forward traffic from a load balancer frontend to one or more instances in the backend pool.
Don't use direct public IP to instance

Regional

L4 - [[202407271319 Azure Load Balancer|Azure Load Balancer]] (TCP/UDP)
L7 - [[202407271353 Azure Application Gateway|Azure Application Gateway]] (HTTP/HTTPS/HTTPS2)

Global

L7 - Front Door
L4 - Global LB, Traffic Manager - DNS based

references:

https://learn.microsoft.com/en-us/azure/load-balancer/load-balancer-outbound-connections
Default Outbound access in azure
Inbound NAT rules

Azure VM NIC

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 14:27:00 GMT

IP always comes via fabric (OS using DHCP)
IP can be reserved in ARM
VMs can be configured with multiple NICs
Each NIC can be in same or different virtual subnet but always in same [[202404121703 Azure VNet|VNet]]
Many VM types support accelerated networking
- Reduce latency, jitters, etc.
Multiple IP configurations per NIC
- more than one IP on 1 NIC

IPv6

Dual stack : IPv4 and IPv6
can not only be IPv6
Can enable IPv6 for existing [[202404061212 Azure Resources|resources]]

references:

Azure VNet

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 14:03:00 GMT

A virtual network exists
- Within a specific subscription
- Within a specific region
  - spans multiple [[202404081830 Azure Availability Zones|AZs]] in that region
- It cannot span subscriptions nor regions
A virtual network consists of one or more IP ranges
- IP address type:
  - [[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]]
  - [[202407281228 Azure Private IP Address|Azure Private IP Address]]
- Allocation can be static or dynamic
- Typically from RFC 1918 but not exclusively
- The address space is broken up into subnets with the smallest subnet possible being a /29 which will give 3 usable IP addresses
- From every subnet we lose 5 IPs
  - .0 - NW
  - .1 - GW
  - .2-.3 - DNS
  - .255 - broadcast
- Can be ipv6 as well/ but not only ipv6
Subnets are regional and span Availability Zones
- All subnets within a [[202404121703 Azure VNet|VNet]] can talk to each other by default
- we can use [[202404141419 Network Security Groups|NSG]] to deny traffic as needed
Ingress is free, Egress costs money

Supported types of traffic

Standard IP-based protocols supported including:
- TCP
- UDP
- ICMP (Ping)
Multicast, broadcast, IP-in-IP encapsulated packets and Generic Routing Encapsulation (GRE) blocked
- Can not deploy DHCP server
You cannot ping the Azure gateway or use tools such as tracert
Traditional Layer 2 VLANs are not supported

Commands

[[202407141408 Create VNet in Azure]]

az network vnet create --name vnet-1 --resource-group test-rg --address-prefix 10.0.0.0/16 --subnet-name subnet-1 --subnet-prefixes 10.0.0.0/24

references:

Azure Managed Disks

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 09:54:00 GMT

As the name suggests provides a managed disk experience by abstracting the storage account
Disks are created with no visibility of storage account removing worries around IOPS per storage account
Disks and snapshots become ARM resources
Price based on provisioned capacity
Can be dynamically expanded for data disks (not Ultra/Premium v2)
- never shrink
No [[202404091908 Azure Storage Redundancy#Geo-redundant storage (GRS)]] option
- ZRS for Std/Premium SSDv1
SSD and Ultra disk have maxShares property
Can have CMK (Customer Managed Key)
- configure disk encryption set

Types

Standard HDD
Standard SSD
Premium SSD (v1 and v2)
Ultra

Premium SSD v2 and Ultra we can pick IOPS and Throughput separately. And pay accordingly.

references:

Azure Netapp Files

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 09:46:00 GMT

First-party offering using NetApp hardware in
Azure datacenters
Provides different performance tiers
SMB and NFS support (also dual for single volume)
Uses delegated subnet of VNet
Cross-region replication

references:

Azure File Sync

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 09:39:00 GMT

You might have [[202406291221 Azure Files|Azure Files]]
But the on-prem file server might still be there.

It enables:

Single cloud endpoint per sync group
- A change detection job is initiated for a cloud endpoint only once every 24 hours
- On windows server sync is automatic when file is changed
can not have more than one server endpoint from the same server in the same sync group
Up to 100 servers per sync group
Replicates between via the cloud endpoint
Enables cloud tiering of data off local storage to cloud endpoint to optimize local capacity

You create a sync group in [[202312231415 Azure Master|Azure]] which. allows sync between on-prem and [[202406291221 Azure Files|Azure Files]]

flowchart TB
AzureFileShare <--> OnPremFS1 & OnPremFS2

Does not overwrite any files
Appends conflict number and keeps both files.
- The latest file keeps the original name
Upto 100 conflicts per file

Deploy

Prepare Windows server
1. Disable internet enhanced security protection
Deploy Storage sync service
Deploy Azure File Sync Agent to on-prem server
Register on-prem server with storage sync service
Create a sync group and a cloud endpoint
Create a server endpoint

references:

MS Learn
MS Docs
Planning for an Azure File Sync deployment
File sync FAQ

To immediately sync files that are changed in the Azure file share, the Invoke-AzStorageSyncChangeDetection PowerShell cmdlet

Azure Data Lake

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 08:49:00 GMT

ADLSGen2 builds on [[202404121117 Azure Storage Services#Blob]]
Provides a data lake which is common as raw store for pipelines
Regular blob is flat with any structure being virtual
ADLSGen2 has true directory structure
POSIX and AAD data plane RBAC
If goal is analytics, use data lake

references:

Azure Storage Services

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Apr 2024 08:17:00 GMT

Extension of [[202404091847 Azure Storage Overview]]
Related to [[202404091859 Azure Storage Account]]

Blob
FileShares
Queues
Table
Disks

Blob

We have:

Blob Indexes for [[202404051739 Governance Overview|azure governance]]
Blob inventory
- Go over what all you have

flowchart RL
block & page & append --> container --> blob

Uses 3 things to store stuff:

Storage account
Containers in storage account\
Blobs

flowchart LR
account --> container --> blob
XYZ --> pictures & movies 
pictures --> abc.png & abc2.ping & abc3.png
movies --> xyz.png

Types

Block (ADLSGen2 (hierarchical namespace)(NFS/SFTP))
- By default these are flat (might show folders etc, but are not actually folders)/ but we can enable hierarchical namespace
Page (Random - For OS/VM data disks,etc.)
Append (for logs)

Table

flowchart RL
Entities-Key:Value --> Table

Queue

flowchart RL
Messages --> Queue

Used for some event driven things.
Like: App writes to blob. It also puts a message in queue. A function reads the message in queue, then reads from the blob and does whatever

flowchart LR
App ---> |Image| Blob 
App ---> |Message|Queue --> |Event| Function 
Blob -.-> |ReadBlob|Function

Not guaranteed fifo

Files

flowchart RL
FoldersAndFiles --> Share-SMBorNFS --> Files

references:

Remote Desktop Master

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Apr 2024 11:29:00 GMT

Logs

Logs are under Applications and Services Logs -> Windows

Port requirements

RDSH to Licensing server

TCP 135 - RPC  for License Server communication and RDSH
TCP 49152 - 65535 (randomly allocated) -  This is the range in Windows Server 2012,  Windows Server 2008 R2, Windows Server 2008

TCP on port number 135. This is the main port where communication occurs.
TCP on 49152–65535 i.e. RPC dynamic address range. A dynamic port is assigned from this range for validation-related communication.

references:

RDS 2012: Which ports are used during deployment? | Microsoft Learn
Connectivity Requirements for RDP Licensing Server Connectivity and Firewall Rules :: Harvesting Clouds

Azure Storage Redundancy

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Apr 2024 16:08:00 GMT

Related to [[202404091859 Azure Storage Account]] and [[202404071304 Resiliency Overview|resiliency]]

Talks about redundancy for [[202404091859 Azure Storage Account|Azure storage account]]

Primary Region

Locally redundant storage (LRS)

3 copies in the same stamp/[[202404081830 Azure Availability Zones|AZ]]

Zone-redundant storage (ZRS)

3 copies in different [[202404081830 Azure Availability Zones|AZs]]

Secondary Region

Geo-redundant storage (GRS)

3 copies in a single location/[[202404081830 Azure Availability Zones|AZ]]
and then 1 async copy in a different location in secondary region
In secondary region, using LRS 3 copies.
Also Read Access (RA-GRS)

Geo-zone-redundant storage (GZRS)

3 copies in 3 [[202404081830 Azure Availability Zones|AZs]] and 1 async copy to different location in secondary region/In secondary region, using LRS 3 copies.
Also RA-GZRS

Block blob only object level replication

You can specify a different region to replicate to. Not just the secondary region.

references:

https://learn.microsoft.com/en-in/azure/storage/common/storage-redundancy

Azure Storage Account

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Apr 2024 15:59:00 GMT

Account name has to be globally unique
Exists in a region
Can have different types of [[202404071304 Resiliency Overview|resiliency]].
1. Can impact intractability (SLA for storage accounts)
2. Can impact durability ( [[202404091908 Azure Storage Redundancy]])
  1. LRS 11 9s
  2. ZRS 12 9s
  3. GRS 16 9s
  4. GZRS 16 9s
Has API access
Have 2 all powerful access keys (Protect them or disable them)
1. Can be rotated if key is compromised
Performance varies based on tier

Types of storage Accounts

Type of storage account	Supported storage services	Redundancy options	Usage
Standard general-purpose v2	Blob Storage (including Data Lake Storage1), Queue Storage, Table Storage, and Azure Files	LRS, GRS, RA-GRS GRS,GZRS,RA-GZRS	Standard storage account type for blobs, file shares, queues, and tables. Recommended for most scenarios using Azure Storage. If you want support for network file system (NFS) in Azure Files, use the premium file shares account type.
Premium block blobs	Blob Storage (including Data Lake Storage1)	LRS ZRS	Premium storage account type for block blobs and append blobs. Recommended for scenarios with high transaction rates or that use smaller objects or require consistently low storage latency. Learn more about example workloads.
Premium file shares	Azure Files	LRS ZRS	Premium storage account type for file shares only. Recommended for enterprise or high-performance scale applications. Use this account type if you want a storage account that supports both Server Message Block (SMB) and NFS file shares.
Premium page blobs	Page blobs only	LRS ZRS	Premium storage account type for page blobs only. Learn more about page blobs and sample use cases.

Types based on performance tier

Standard - good for most scenarios
Premium - required for low latency
1. Block blobs
2. File shares
3. Page blobs

Types based on access tier

Premium is just premium.
For General purpose v2 :
For blobs:

Hot (Pay more to store/Pay less to retrieve)
Cool (Pay less to store/Pay more to retrieve)
Archive (Offline)
For files:
Transaction optimized
Hot
Cool

[[202404121117 Azure Storage Services]]

Money

For standard cost is consumption-based
For premium cost is provision-based
[[202404121254 Azure Managed Disks|Managed Disks]] are always provision-based
Operations and data transfer cost money too
1. GRS etc will cost money too

Access

Use [[202404011327 Entra ID|AAD]] (Preferred approach)
1. Dataplane [[202404061249 Azure RBAC|RBAC]]
Access keys (Do not use)
Shared Access Signatures
1. Types: Account and Service
2. Can create adhoc
3. Policy can be created by service
4. Signed by Access Keys
  1. If access key disabled, then this does not work
5. Can do time limit, ip limit, operations restrictions.

Encryption

Encrypted at rest
You can use your own key
Cross-tenant CMK supported (if you are a SaaS service and customer wants to own the key)
Encryption scopes enable container/blob level

Lifecycle management

Based on [[202404091859 Azure Storage Account#Types based on performance tier]]
1. you can decide to remove stuff after 90days for example
Create rules and let it automatically remove stuff as needed based on when it was last modified, etc.
1. Maybe regulatory requirement

Native Protection

Snapshot
Versioning for block blobs
Change feed
Soft delete
Point-in-time-restore {Replacement for snapshots}
1. Above 3 combine to form this

references:

Storage redundancy
Create an account SAS
Types of Azure Storage Accounts

Azure Storage Overview

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Apr 2024 15:47:00 GMT

DNS is used for namespace/URIs are used:

Of the form: - http(s)://<account>.<service>.core.windows.net/<partition>/<object>

Structure

3 tier structure

Tiers
Front-end layer
Partition layer	Looks at structures like blobs etc
Stream layer

Data replication

Intra-stamp replication (stream layer) - Synchronous and keeps data durable within the stamps
Inter-stamp replication (partition layer) - Asynchronous replication of data across stamps

references:

Types of data

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Apr 2024 15:45:00 GMT

Relational/Structured (Data has schema/fixed type of data)
1. Relational DB is stored as row (i.e. one identity)
2. Columnar is stored as columns
Unstructured (media/blob)
Non-relational/Semi-Structured (json, yaml, xml, etc.)
Graph
1. Has nodes
2. Relationships between different types of nodes (entities)

references:

Set alias for cluster resource record

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 09 Apr 2024 11:51:00 GMT

# This resource needs to be Network Name
Get-ClusterResource "MyClusterName" | Get-ClusterParameter Aliases

Get-ClusterResource "MyClusterName" | Set-ClusterParameter Aliases AliasName

After setting it, need to stop and start the role.

Note:

For SQL server with added FS role. Fileserver resource does not have any alias property. It needs to be set for the SQLserver role.

references:

How to Configure an Alias for a Clustered SMB Share with Windows Server 2012 - Microsoft Community Hub

Recreate Resources

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Apr 2024 16:37:00 GMT

Related to [[202404071556 Disaster Recovery|Disaster Recovery]] and [[202404071304 Resiliency Overview]]

Most probably we are using deployment pipelines. We can rerun the pipeline to create new resources in the secondary area.
Which means what we have to ensure is whatever gets pulled into the pipeline is available in secondary locations.

Code repository (Geo-distributed)
Container registry (If using containers)

Creating things takes time so it depends on [[202404081933 Recovery Time Objective|RTO]]. If [[202404081933 Recovery Time Objective|RTO]] is less then we have to have something running in the secondary region. But it will cost more. If RTO is more we can [[202404081937 Recreate Resources|recreate]].

references:

Recovery Time Objective

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Apr 2024 16:33:00 GMT

How long (maximum amount of time) before I can be operational in case of any disaster?

references:

Recovery Point Objective

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Apr 2024 16:31:00 GMT

Related to [[202404071556 Disaster Recovery|Disaster Recovery]]

This basically talks about how much data (maximum) can I lose in case of any unplanned scenarios.

references:

Azure Availability Zones

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Apr 2024 15:30:00 GMT

Related to [[202404071304 Resiliency Overview]]
Related to [[202404071420 Azure resiliency concepts]]

Things within a 2ms boundary
Isolation based on (Power, Cooling, Networking) from other [[202404081830 Azure Availability Zones|AZs]]
Minimum of 3 zones in every region. Even if there are more, in your subscription you will see 3.
There is no guaranteed distance between AZs/Not a [[202404071556 Disaster Recovery|DR]] mechanism

references:

Winrm troubleshooting

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Apr 2024 13:05:00 GMT

Related to [[202309181318 Powershell second hop problem]]

# Check credssp setting
## Working example:
Get-WSManCredSSP

The machine is configured to allow delegating fresh credentials to the following target(s): wsman/*

This computer is configured to receive credentials from a remote client computer.


## Not working

Get-WSManCredSSP

The machine is not configured to allow delegating fresh credentials.

This computer is configured to receive credentials from a remote client computer.

## Check winrm status
winrm get winrm/config

references:

Multi-Hop Support in WinRM - Win32 apps | Microsoft Learn
Installation and configuration for Windows Remote Management - Win32 apps | Microsoft Learn

Azure Backup

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 12:59:00 GMT

Part of [[202404071304 Resiliency Overview]]

We backup because we want to restore. Service backups are different like SQL.

Backup Center provides single pane of glass focused on the protected workload
At the simplest level Azure also provides backup services via recovery vaults & backup
These can be used by backup applications and many Azure components (including VMs via extension) in addition to hybrid
Data can then be recovered when needed / [[202408131927 Azure restore from backup|Restore from backups]]
Delta-based storage with many recovery points
Retention settings enable day, week, month and year retention goals
- Default: snapshots kept for 2 days
- Default: VM for 30 days
Integration layer
- storage - snapshots for vms or files etc
- stream - for databases
Availability and security
- [[202404061249 Azure RBAC|Azure RBAC]] and encryption
- Vaults can have local, zone-redundant or geo-redundant configuration
- soft-delete feature (deleted data stored for 14 days)
can be used for-
- onprem (agent based)
- azure (built-in)
Microsoft Azure Recovery Services (MARS) agent for backing up files or specific disks etc
[[202408011914 Azure Backup Access Tiers|Azure Backup Access Tiers]]
Recovery services vault must be in the same region as the resources you want to backup
Scheduled backups still run even if vm is shutdown
Upto 100 VMs can be attached to a single backup policy

Protecting backups

Use [[202401121503 Entra Privileged Identity Management|pim]] maybe for JIT access for Backup admins. But assume they will have access.
Create a resource guard
1. in different subscription, maybe different aad
For any critical operation they have to use [[202401121503 Entra Privileged Identity Management|pim]] to go up to resource guard level. So someone has to approve.
Also have immutable vaults/can't be deleted before expiry time

references:

Backup intro

Disaster Recovery

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 12:56:00 GMT

Disaster Recovery is moving things from one location to another when the active one is not available for any reason.
DR should be part of change activity. That is if we are making any change how does that work with our DR plan.

Options for protection

[[202404081937 Recreate Resources|recreate]]
Backup Restore
[[202404071441 Replication|replication]]

Metrics

[[202404081931 Recovery Point Objective|Recovery Point Objective]]
[[202404081933 Recovery Time Objective|Recovery Time Objective]]

Replication Options

[[202404071545 Preference for replications]]

Types

Planned
1. should be no data loss
Unplanned
1. no clean failover - bigger outage
2. data loss will be there
Testing

references:

Preference for replications

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 12:45:00 GMT

Related to [[202404071441 Replication|replication]] and [[202404071556 Disaster Recovery|Disaster Recovery]]

Think in this order/ best will be first/ but cost will be more as well. Think in terms of what is required. For example for app level replication app needs to be available in both places. That means vm needs to be running both places. Ideally things with state should be replicated (Remember from [[202404071304 Resiliency Overview#Understand services and dependent services]]). Others just create on-demand. Git repo/artifacts should be available wherever we are creating using IaC.

Native application/service multi-master
Native app to standby
Hyper V replica at VM level
In-OS replication
Storage replication that is used by Failover cluster
Restoring a backup VM

references:

VM replications

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 12:43:00 GMT

Related to [[202404071441 Replication|Replication]]

On-prem to azure via Azure Site Recovery
Azure to Azure via ASR
Crash and app consistent recovery points
1. App consistent recovery points will have a little performance impact as everything needs to be dumped to disk / so that there is no data in transit/ then snapshot

references:

Multi-region deployments

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 12:18:00 GMT

Mostly active-passive setups but can be active-active too
1. because: latency
2. because: data consistency
Deploy to at least 2 regions
Ensure all core elements are present in both regions
Some resources can not move between regions (example: public IPs)
Need to balance between regions
1. Azure traffic manager is a solution for this/DNS based
2. Azure front door
  1. creates any cast IP in edge locations
  2. when client makes request initial sessions it can do in edge
  3. when request is made it goes to closest region
3. Cross region global LB

references:

How do Azure resources use resiliency

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 11:51:00 GMT

Some resources are global and resilient against regional failure
1. Azure AD, Front Door, Traffic Manager, DNS zones
Most are deployed to specific region where services might differ
1. Regional - don't know where anything is
2. Zone-Redundant --> [[202312231415 Azure Master|Azure]] takes care of resiliency across different AZs
3. Zonal --> exists in a specific zone/benefit is I know where it is

references:

Replication

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 11:41:00 GMT

Two types:

Asynchronous
Synchronous

Asynchronous

Transactions committed on primary as created and then transferred as soon as possible
1. no real impact to primary performance
2. risk of data loss in case of unplanned failure

Synchronous

Transactions are not committed on primary until acknowledged on secondary
1. Can impact primary performance
2. No risk of data loss

Because of distance between regions, its usually asynchronous.

references:

Azure resiliency concepts

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 11:20:00 GMT

1. Fault domains

common set of hardware that has a SPoF like a rack

2. Update Domains

group of nodes that are upgraded together

2. Availability sets (99.95%)

Protection against rack level failures.

Logical grouping of nodes so that they are deployed over different racks.
So that if 1 goes down, other is available
Don't mix functionalities. Example 1 for DCs. 1 for sql for example.

3. [[202404081830 Azure Availability Zones|Availability Zones]] (99.99%)

Racks live in a DC set (separate power, cooling, network)
This provides protection again DC level failures.
Minimum of 3 zones in every region. Even if there are more, in your subscription you will see 3.

4. Regions and Pairs

Set of DC sets becomes a region. 2ms latency roundtrip window between DC sets/ Availability Zones.
Paired regions - main thing is azure does not update both regions at the same time

references:

https://learn.microsoft.com/en-us/training/modules/configure-virtual-machine-availability/5-review-availability-zones

Resiliency Overview

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Apr 2024 10:04:00 GMT

What are we protecting against

Software failure(App/OS,etc) - Replication
Hardware failures - Replication
Corruption - Backup/Snapshot
Attack/DoS - Isolated backups
Regulatory requirements - Backup
Humans - Processes

Protection from Infrastructure Failures

[[202404071441 Replication|Replication]]
1. Stateless systems can run from different places, So things like web frontends, etc.
2. For stateful systems,
  1. async copy to a different region
[[202404071559 Azure Backup|Backup]]
1. Point-in-time copies
2. For stateful systems, it does not protect against hardware failure as it runs on the same disk. But if there is some logical issue or something, we can revert with this.
[[202408041224 Azure Monitoring|Monitoring]]
1. How are things being used
2. so that we know when things are not working as they should

Protection from human errors

Little contact with production systems
Orchestration tools should be human proof
Automated deployments from version control systems. Automated testing.

Understand services and dependent services

Basically understand architecture.

What are critical services for my business - must protect - where is state? (critical)
1. stateless things can be recreated
2. In example below: state is at DB level. so that is critical. Rest can be recreated.

flowchart LR
	subgraph stateless
	LB1 --> WEB1 & WEB2 & WEB3 --> LB2 --> APP1 & APP2
	end
	subgraph state
	APP1 & APP2 --> DB -.-> replicaDB
	end

what are the services these critical services depend on - must protect
nice to have things

Understand requirements for availability and architect accordingly

Need to architect to meet or exceed agreed SLA
Depending on criticality of service you will have certain availability requirement
Balancing between price of improving SLA vs cost of downtime
For overall SLA is there a AND relationship or an OR relationship

Testing

Application testing (testing with different types of input data for example)
Load testing (testing with number of users)
Deployment process testing (How you deploy)
Failover testing
Restore testing

references:

John's course

Azure Tagging

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 11:55:00 GMT

Part of [[202404051739 Governance Overview|azure governance]]
Adjacent to [[202404061451 Azure Naming|azure naming]]

name:value pair
identify attribute/metadata for resource
Have standards for tags used and values
Can enforce through [[202404061356 Azure Policy|azure policy]]
1. deny is scary
2. better to tell if tag is not there, copy from resource group for example
Can be used for search, filter, and billing
not inherited but could be copied via [[202404061356 Azure Policy|policy]]
1. should be applied at [[202404061212 Azure Resources|resources]] level for better visibility
2. [[202404061212 Azure Resources|resources]] don't inherit [[202404061455 Azure Tagging|tags]] from [[202404051818 Resource Groups|resource group]]
can be applied at [[202404061212 Azure Resources|resource]], [[202404051818 Resource Groups|resource group]] or [[202401101441 Azure subscriptions|subscription]] level
1. not all [[202404061212 Azure Resources|resources]] support tagging
[[202404061425 Azure Cost Management]] enables inheritance use only for billing usage records

references:

Naming and tagging
Guidance and Limits
Tag support for resources

Azure Naming

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 11:51:00 GMT

very important
Applies to all resources and OS
Apply common naming to onprem and cloud

references:

Azure Naming
Naming Convention

Azure Cost Management

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 11:25:00 GMT

Part of [[202404051739 Governance Overview|azure governance]]

Provides insight and control of Azure (and AWS) spend
1. cost analysis
2. cost anomaly alerts
3. budgets
Estimate costs with Azure Pricing Calculator
Always optimize costs
Costs can be based on tag, [[202401101441 Azure subscriptions|subscription]], [[202404051818 Resource Groups|resource groups]]

License

Cost Allocation with Enterprise Agreement or Customer Agreement

How to split cost for shared services

Use cost allocation.
Split can be :

even
custom
proportional (based on overall usage, compute usage, network usage, etc.)
So a team will see accumulated costs (whatever they use) + cost allocation (cost for shared resource)

How to optimize costs

Plan better /correct SKUs etc
- autoscale, serverless, shutdown, etc.
Reserved instances (1 or 3 year plan) offer discounts, etc (super-specific which sku which region)
Azure savings plan (not super-specific) / lower discount than reserved.
Azure Hybrid Initiative allows one to use existing licenses in Azure

references:

CRUD

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 10:58:00 GMT

Create
Read
Update
Delete

references:

Azure Policy

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 10:56:00 GMT

Part of [[202404051739 Governance Overview|azure governance]]

Sits at top of ARM and any [[202404061358 CRUD|CRUD]] operations have to go through it
Can be used for enforcement and audit
Start with audit (to figure out how things are being used)
1. then later you can move to enforcement
Uses json format to form the logic
Can create a compliance report
Historically focused around resource
1. Recently focusing on actions (DenyActions, e.g. Delete) that one can take on resources
Does not apply to existing [[202404061212 Azure Resources|resources]] (need to update resource)

How

flowchart LR
	policy --> initiative --> scope

Policy is business rules defined in json
Set of policies can be grouped into an initiative
which is then assigned to a scope ([[202401101441 Azure subscriptions|subscription]],[[202404051818 Resource Groups|resource groups]],[[202404051803 Management groups|management group]] or [[202404061212 Azure Resources|resources]])

Example Policy Definition

{
  "properties": {
    "displayName": "Allowed locations",
    "description": "This policy enables you to restrict the locations your organization can specify when deploying resources.",
    "mode": "Indexed",
    "metadata": {
      "version": "1.0.0",
      "category": "Locations"
    },
    "parameters": {
      "allowedLocations": {
        "type": "array",
        "metadata": {
          "description": "The list of locations that can be specified when deploying resources",
          "strongType": "location",
          "displayName": "Allowed locations"
        },
        "defaultValue": [
          "westus2"
        ]
      }
    },
    "policyRule": {
      "if": {
        "not": {
          "field": "location",
          "in": "[parameters('allowedLocations')]"
        }
      },
      "then": {
        "effect": "deny"
      }
    }
  }
}

references:

Azure Policy
Azure Policy JSON reference

Azure ABAC

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 10:23:00 GMT

Part of [[202404051739 Governance Overview|azure governance]]
Attribute based access control

Why?

[[202404061249 Azure RBAC|RBAC]] may not be granular enough or we start to hit [[202404061249 Azure RBAC#Limits]]
Adds conditions to roles assignments based on attributes of resources and principal accessing

Where

Currently restricted to roles that have blob storage or queue storage data actions.

How to assign conditions

On user level, we could create and add custom attributes for users in [[202404011327 Entra ID|"Entra ID"]]
In the role (in-built or custom) you can add a condition

references:

ABAC overview

Azure Roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 10:16:00 GMT

Different from [[202401072001 Entra ID Roles|entra roles]]

Roles consist of actions that are assigned to security principal at a certain scope
Scope can be at [[202401101441 Azure subscriptions|subscription]] or [[202404051818 Resource Groups|resource groups]]
Ideally apply it to a group / can be applied to individual user also but that is cumbersome
Leverage [[202401121503 Entra Privileged Identity Management|pim]] for just in time

Types of Roles

Built-in
1. Owner - full access to manage resources and assign roles
2. contributor - access to manage resources
3. reader - can see, not make any changes
4. etc.
[[202401072038 Azure RBAC custom roles|custom roles]]

references:

Azure roles, Microsoft Entra roles, and classic subscription administrator roles
Azure Built in roles reference

Azure RBAC

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 09:49:00 GMT

Part of [[202404051739 Governance Overview|azure governance]]

Role based access control / giving something permissions at a certain scope when needed

Applies to all items in control plane ([[202404051803 Management groups|management groups]],[[202404051818 Resource Groups|resource groups]], [[202404061212 Azure Resources|resources]])
can apply to some storage roles in data plane
Inherited

License

free to use

Limits

4000 per [[202401101441 Azure subscriptions|subscription]]
500 per [[202404051803 Management groups|management group]]
5000 per tenant for [[202401072038 Azure RBAC custom roles|custom roles]]

[[202404061316 Azure Roles]]
[[202401072038 Azure RBAC custom roles]]

references:

RBAC overview
RBAC Limits

Create diagrams in obsidian

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 09:23:00 GMT

Using mermaid code-block, we can create diagrams.

Example:

flowchart TD
    Start --> Stop

Use subgraph to create box.

references:

https://help.obsidian.md/Editing+and+formatting/Advanced+formatting+syntax#Diagram
Mermaid flowchart reference

Azure Resources

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Apr 2024 09:12:00 GMT

Resource structure

flowchart LR
	ResourceProviders --> Resources --> Properties & Actions

Azure Resource Manager (ARM) replaced Azure Service Manager
ARM Resource providers have n number of resources under them
Resources have properties and actions
Querying ARM can be slow and expensive. There is a quota. So we use [[202406151133 Azure Resource Graph|Azure Resource Graph]]
1 [[202404061212 Azure Resources|resource]] can be a member of only 1 [[202404051818 Resource Groups|RG]]
1 [[202404061212 Azure Resources|resource]] and [[202404051818 Resource Groups|resource groups]] is tagged to a single [[202401101441 Azure subscriptions|subscription]]

references:

Resource Groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 05 Apr 2024 15:18:00 GMT

Another construct for grouping together [[202404061212 Azure Resources|resources]]. Things that run together, might get decommissioned together, policies, etc.

I can create n number of [[202404061212 Azure Resources|resources]] under a [[202401101441 Azure subscriptions|subscription]]
Can not nest resource groups i.e. can't put one RG in another RG.
It is not a boundary for access
1 [[202404061212 Azure Resources|resource]] can be a member of only 1 [[202404051818 Resource Groups|RG]]
created in an Azure region

references:

Management groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 05 Apr 2024 15:03:00 GMT

a hierarchy that can be created for better management of subscriptions
1. All [[202401101441 Azure subscriptions|subscriptions]] under a management group inherit the conditions applied to the [[202404051803 Management groups|management group]]
A management group can have 6 levels of depth. It does not include the root MG. root MG has the same ID as tenant AAD ID.
by default all subscriptions get added to root MG.
1 MG can have only 1 parent, but multiple children

references:

Governance Overview

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 05 Apr 2024 14:39:00 GMT

Governance is about a set of rules that need to be followed.
In cloud, the way of doing things is different.
Governance in cloud consists of:
[[202404061356 Azure Policy|policy]] - What can you do?
[[202404061249 Azure RBAC|RBAC]] - Who?
[[202404061425 Azure Cost Management|budget]] - How much?

[[202312231415 Azure Master|"Azure"]] is shared compliance model.

How to use constructs for governance

flowchart LR
	ManagementGroup --> Subscription --> ResourceGroup --> Resource

The closer you get to the resource, the stricter the policies can be.
At root [[202404051803 Management groups|management group]] level for example, you want broad policies that need to apply. Least restrictive. And so on.

references:

https://www.youtube.com/watch?v=eLSjnF6Crlw&list=PLlVtbbG169nGlGPWs9xaLKT1KfwqREHbs&index=12
Azure Governance

Azure

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 17:41:49 GMT

This will be my main focus for this year.

Working to get my second cert AZ-104.

Completed on 3rd Sep, 2024

Conditional Access

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 12:57:00 GMT

How

Once authentication is done, Entra ID creates Refresh Token and Access Token.
It sends RT and AT to user
User sends AT to App
ATs are time-bombed
After time is done, new RT and AT generated
If a new app requires authentication, user can use the same AT
Every ask for token goes through [[202404011557 Conditional Access|conditional access]]

Overview

Allows you to set conditions for access
1. device
2. location
3. apps
Access controls (make multiple selections)
1. use MFA, FIDO2, etc.
2. password policy etc
Session controls
1. continuous access evaluation
2. cap

references:

Entra MFA

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 12:32:00 GMT

Passwords on their own are bad
MFA is from [[202404011414 Authentication and Authorization]] 2 or more items
1. I know
2. I have
3. I am
Example:
1. Password + SMS/Phone
2. Password + Auth app
You want to prompt sparingly otherwise it becomes muscle memory and they don't read the message/ they will keep saying yes
Requires P1 license or use Security defaults (Ideally want to use conditional access if you don't have P1) or global admin

Authentication context and number matching

In auth app, shows location and asks to enter the number
not phishing attack proof

Phishing resistant

Provided by machine so considered phishing resistant

Hello for business
FIDO2
CBA (Certificate based authentication)

Passwordless

Above 3 + MFA app.

Temporary access pass

For new users/to bootstrap onboarding

references:

Authentication and Authorization

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 11:14:00 GMT

Authentication (AuthN) is who you are
- I know
- I have (device)
- I am
- [[202404011532 Entra MFA|Entra MFA]]
Authorization (AuthZ) is what you can do

AuthZ is always against [[202404011327 Entra ID|"Entra ID"]].

Ways for authentication

There are different ways for authentication, as listed below. After authentication is done then in all cases [[202404011327 Entra ID|"Entra ID"]] creates a token.

Password hash synchronization (cloud)

Best option/always recommended even if using others as primary (see pt. 4)
AD has password hash.
Hash of this password hash is synced to [[202404011327 Entra ID|"Entra ID"]] which is then used for AuthN
can compare if any creds are leaked on dark web
can't do things like locked accounts/logon hours/expired password

Pass through AuthN (hybrid)

If you want to use your onprem DCs for authentication
Sending cred to [[202404011327 Entra ID|"Entra ID"]], but it checks with onprem

Federation (hybrid)

Not recommended
Could be ADFS or third-party thing
Different flow:
1. Cred to federation service
2. Federation service will check with DC
3. Create token and share with user
4. User will use that token to get token from [[202404011327 Entra ID|"Entra ID"]]

references:

Entra ID objects

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 10:43:00 GMT

[[202401101139 Entra ID users]]
[[202312242245 Entra ID Groups]] (Static/Dynamic)
Applications/Resources [[202312231440 Azure Entra ID App Identity]] (Service Principals)
[[202312231441 Entra ID Managed Identities]] (Service Principals)
Devices
- registered (Known) / Auth as MSFT account
- join / auth as Azure AD
- hybrid (joined to onprem AD and register with Azure AD)

references:

Entra ID

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 10:27:00 GMT

Entra ID is the identity provider for MSFT clouds
1. [[202312231415 Azure Master|"Azure"]]
2. M365
3. Dynamics 365
Entra ID is not AD in the cloud.
1. Has flat structure/ No OUs
2. Has administrative units
We can create additional tenants
By default it will <>.onmicrosoft.com
1. Can create/add custom domains
When assigning license to groups only license applied to first level works not to members of nested groups

[[202208041136 Entra Connect sync|"Entra connect"]] to sync between on-prem AD and [[202404011327 Entra ID|"Entra ID"]]
Active directory is always the source of truth.
Even if HR system is connected to Azure. Entra ID talks to on-prem to create object, which then replicates to Entra ID.

references:

Decentralised identities

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 09:58:00 GMT

gaining momentum
User is in centre instead of ID provider
user or other identity owns the identity
rooted in some trust system as IdProvider was the trusted system earlier
issuer can issue credentials to subject which subject can share with verifier

references:

Why is identity needed

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Apr 2024 09:45:00 GMT

For any service, its critical to apply principle of least privilege
1. With shared accounts we don't know who did what
2. we can't give granular permissions because for shared id it needs to have sum of all required permissions
this requires granted security principals certain actions (roles) in a certain scope
a central store is required where identities are saved

references:

Multiple addresses to same gmail

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 30 Mar 2024 12:11:00 GMT

Gmail + address

Create account like sajal.choudhary+aws@gmail.com. This will go to sajal.choudhary@gmail.com

Gmail dot blindness

saja.l.choudhary@gmail.com and sajal.choudhary@gmail.com are same to google. But other services might see it differently.

references:

https://www.labnol.org/internet/email/gmail-email-alias-two-separate-gmail-address/2388/

NPS related

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 28 Mar 2024 11:33:00 GMT

Logs

Logs are present in event viewer (Custom views > Server roles > Network Policy and Access Services)

references:

Guidance for troubleshooting Network Policy Server - Windows Server | Microsoft Learn

Type of machine learning

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Mar 2024 20:00:00 GMT

Supervised

Training data includes both features and known labels. Follows the process of train, validate and evaluate.
In training phase dataset is split randomly. Choose an algorithm to create a model using half the data. Then it is validated on the remaining half, i.e. how accurate it is. Compare the known actual labels against the predicted values.
Usually data engineer will go through multiple iterations of this. And chose the one which gives the best results (evaluation metric).

[[202403252313 Regression models|regression]]

The label is a numerical value. Like number of ice cream sold on a day.

Classification

Label represents a categorisation or class.

Binary classification

Label is Yes/No. True/False. Sort of a thing. Does the patient have diabetes given the features (age/background,etc.)

Multi-class classification

Label is mutually exclusive different things. Types of dogs for example.
Also can be multilabel classification models where one observation can have more than one labels.

Unsupervised

No lables. Algorithm figures out relations between features of observations.

Clustering

identifies similarities between observations based on their features, and groups them into discrete clusters.

references:
https://learn.microsoft.com/en-in/training/modules/fundamentals-machine-learning/3-types-of-machine-learning

Machine Learning

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Mar 2024 19:44:00 GMT

What is ML?

Basic idea is to use data from the past to predict unknown outcomes.

Steps involved

Training

Training data has past observations.
This includes: features and label.
Feature is basically what you are observing (x).
And label is the thing you want to train for (y).

Algorithm

An algorithm is applied to the training data to determine relation between features and label.

Result

Result is a model. The so called f in y=f(x).

Inferencing

After training is completed, it can be used to get output given x.

references:
https://learn.microsoft.com/en-in/training/modules/fundamentals-machine-learning/2-what-is-machine-learning

Delegate permission to restore deleted ad objects

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Mar 2024 09:47:00 GMT

You need to delegate Reanimate tombstones permission on the Domain level and make it applied to This object and all descendant objects. You can the Security tab in your Domain properties to do that:

Using ADUC, grant user/group rights to reanimate tombstone:

Right-click domain root and select Properties
On the Security tab, click Advanced
Click Add and select user/group account
Allow the Reanimate Tombstones permission and click OK

references:

How to Delegate the Restoration of Objects from Active Directory Recycle Bin | Microsoft Learn

Use managed service account for scheduled task

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Mar 2024 08:52:00 GMT

Pre-requisites

Add managed service account to groups/provide access on server as needed
Add service account to Logon as batch job

Add service account to Logon as batch job

Go to gpedit
Computer Configuration > Windows Settings > Security Settings > Local Policies > User Rights Assignment
Add account to Logon as a batch job

Steps

Add service account to server

Install-AdServiceAccount <gMSA>

Test-AdServiceAccount <gMSA>

Add service account to scheduled task

This needs to run as powershell. It is not possible to set it in UI.

> $principal = New-ScheduledTaskPrincipal -UserID domain\account$ -LogonType Password  
  
> Set-ScheduledTask -TaskName "DNS monitoring" -Principal $principal  
  
TaskPath TaskName State  
-------- -------- -----  
\ DNS monitoring Ready

references:

SMB share does not work for cluster

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 13 Mar 2024 10:11:00 GMT


## Workaround
Get-ClusterResource"resource name"| Set-ClusterParameter EnableNetBIOS 1
Stop-ClusterResource"resource name"
Start-ClusterResource"resource name"

references:

NetBIOS and WINS don't bind to cluster IP address resources - Windows Server | Microsoft Learn

vMotion does not work

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 11 Mar 2024 11:27:00 GMT

Error:

The vMotion failed because the destination host did not receive data from the source host on the vMotion network. Please check your vMotion network settings and physical network configuration and ensure they are correct.

Check ping

vmkping -I vmkX x.x.x.x  
  
#where x.x.x.x is the hostname or IP address of the server that you want to ping and vmkX is the vmkernel interface to ping out of.

references:

Troubleshooting vMotion fails with network errors (1030264) (vmware.com)
Testing VMkernel network connectivity with the vmkping command (1003728) (vmware.com)
Troubleshooting vMotion network connectivity issues (65184) (vmware.com)

Windows logoff user after period of inactivity

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 08 Mar 2024 10:08:00 GMT

Can be done through GPO

ComputerPoplicy > Computer Configuration > Administrative Templates > Windows Components > Remote Desktop Services > Remote Desktop Session Host > Session Time Limits > set values as follows:  
Set time limit for disconnected sessions: Enabled  5 minutes  
Set time limit for active but idle Remote Desktop Services sessions: Enabled  5minutes

references:

Logoff Idle Users | Microsoft Learn
How can I log users off after a period of inactivity, rather than merely locking the workstation? Is there a "logoff" screen saver? - The Old New Thing (microsoft.com)

Raise Savya

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 18 Feb 2024 17:41:49 GMT

2026-03-05

Savya is at the age now, where he wants to speak so many things, but just doesn’t have the vocabulary to do so. Whenever he passes the photo fall, he starts pointing and naming his grandpa, bua, mom, dad and so on. He calls me papa first, and then if I don’t respond after 3-4 times, he will say - saja, saja, and so on.

Savya is my child. He is going to päiväkoti now. Raising him continues to be the best thing in my life.

Windows cluster Tuning Network Thresholds

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 14 Feb 2024 12:38:00 GMT

> get-cluster | fl *subnet*
CrossSubnetDelay          : 1000
CrossSubnetThreshold      : 20
PlumbAllCrossSubnetRoutes : 0
SameSubnetDelay           : 1000
SameSubnetThreshold       : 20

Heartbeat timeout is SameSubnetThreshold.

SameSubnetDelay is in millisecond.
So along with SameSubnetThreshold what this means is it will ping every 1 second 20 times till it gives an error. So for 20 seconds if there is no response, then it will give heartbeat timeout.

Update

(get-cluster).SameSubnetThreshold = 30

references:

Tuning Failover Cluster Network Thresholds - Microsoft Community Hub

PowerShell registry key related

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 06 Feb 2024 11:38:00 GMT

Get single key

Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion -Name DevicePath -Name DevicePath

## or
(Get-ItemProperty -Path HKLM:\Software\Microsoft\Windows\CurrentVersion).DevicePath

Delete key

Remove-ItemProperty -Path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion -Name PSHome
Remove-ItemProperty -Path HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion -Name PowerShellPath


> $Path = 'HKLM:\SYSTEM\ControlSet001\Control\Session Manager\Environment'
> Remove-ItemProperty -Path $Path -Name Cloud_Setting_repositories

references:

Working with registry entries - PowerShell | Microsoft Learn

Event viewer logs location

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 30 Jan 2024 10:12:00 GMT

%SystemRoot%\System32\winevt\Logs

references:

Windows event viewer logs location

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 30 Jan 2024 10:12:00 GMT

%SystemRoot%\System32\winevt\Logs

references:

VMware VM serial number

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 29 Jan 2024 10:30:00 GMT

$VM = Get-VM 7ocilpipaap01
$VM.ExtensionData.Config.UUid

This has the serial number.

references:

WSUS troubleshooting

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 25 Jan 2024 08:45:00 GMT

Get-WindowsUpdateLog

Troubleshooting steps - client

Check hard drive space

Check connectivity

Test-NetConnection -ComputerName <WSUS_Server> -Port 8530

WSUS settings

Get-ItemProperty HKLM:\Software\Policies\Microsoft\Windows\WindowsUpdate

Check event log

Application Event log as well as App and Service Logs > Microsoft > Windows > WindowsUpdateClient

Reregister client with wsus

gpupdate /force
wuauclt /detectnow

## Sometimes
wuauclt.exe /resetauthorization /detectnow

Troubleshooting problems - server

IIS Logs location

c:\inetpub\logfiles

references:

WSUS Troubleshooting Steps | Arnaud Loos
Common Windows Update errors - Windows Client | Microsoft Learn
WSUS Messages and Troubleshooting Tips | Microsoft Learn
Troubleshoot software update scan failures - Configuration Manager | Microsoft Learn

VMware ESXi upgrade using baselines

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 22 Jan 2024 08:53:00 GMT

Build numbers and versions of VMware ESXi/ESX (broadcom.com)
VMware ESXi 7.0 Update 3q Release Notes

Download a zip file for patches

For Full ISO

Log in to the Broadcom Support portal.
On the left hand side menu, click My Downloads.
In the search bar in the upper right side of the page enter "VMware vSphere"
Choose VMware vSphere
Under Products tab, select VMware VSphere Enterprise and appropriate version.
Click View Group on the right side of the VMware vSphere Hypervisor (ESXi) item.
Use the drop-down in the upper-right to choose the desired version.

For patches

Direct Link

Log in to the Broadcom Support portal.
On the left hand side menu, click My Downloads.
In the search bar in the upper right side of the page enter "VMware vSphere"
Choose VMware vSphere
Under Solutions tab, select VMware VSphere Enterprise and appropriate version.
From the list download the appropriate version.

For HW drivers

How to find

Log in to the Broadcom Support portal.
On the left hand side menu, click My Downloads.
In the search bar in the upper right side of the page enter "VMware vSphere"
Choose VMware vSphere
Under the Products Tab, choose the user entitlement for VMware vSphere (e.g. click on VMware vSphere - Enterprise).
Select the major version of vSphere required.
Select the Custom ISOs or OEM Addons tab.
Click on the desired Custom ISO or Addon by OEM name and ESXi version.

Upload updates to Lifecycle Manager

Go to vcenter > Lifecycle Manager
Select the vcenter.
Go to Actions > Import Updates.
Browse and provide the zip. Let it import.

Create baseline

In Lifecycle Manager, go to baselines tab.
Click new > Baseline
Select Patch
In select patches automatically screen, uncheck the option.
In select patches manually, select the appropriate release.
1. Filter id . Esxi7.
2. Select bugfix (it has bugfix+security)

references:

Create a Fixed Patch Baseline (vmware.com)

Broadcom Link

Entra Access Reviews

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Jan 2024 12:18:00 GMT

Kinds

Review active and eligible assignments for:

Teams and Groups (Identity Governance)
Applications (Identity Governance)
Azure RBAC (PIM)
Entra ID Roles (PIM)

Overview

Access Review
- Use the portal (ID Gov/PIM) to create an access review
- Example: App admin (Role)
Timing
- Duration, frequency and end date for review
Reviewers
- Specify who will review

references:

Entra Privileged Identity Management

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 12 Jan 2024 12:03:00 GMT

Features

Just-in-Time access
Time-Bound Access
Activation Approval
Activation with MFA
Audit Trail
Access Reviews

Overview

Identity
- user/group/app
Assignment
- Permanent or time-bound
Activation
- privileges must be activated (requires approval/mfa)

references:

Entra ID Entitlement Management

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Jan 2024 17:57:00 GMT

Part of [[202401101559 Entra ID Governance]]

helps enterprises perform access management at scale
licenses are required for those who request, approve or are assigned a package.
Access packages are created in portal
User access is managed through myaccess.microsoft.com
Permissions required: Full (Identity Governance Admin)

Overview

Identities
- user (internal or external)
Access Package
- created for a particular role (like HR management)
Resource : Role
- provide access to resources: share, security group, etc.
- add roles required for their work
Collection
- used to organize access package and resources (like a logical container)

references

Entra ID Governance

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Jan 2024 12:59:00 GMT

A suite of tools that helps with access management etc. for organizations at scale.

Features available

[[202401102057 Entra ID Entitlement Management]]

helps enterprises perform access management at scale

[[202401121503 Entra Privileged Identity Management]]

just in time access

[[202401121518 Entra Access Reviews]]

checks/ what access was provided is still needed or not

Lifecycle workflows

processes around people joining, moving or leaving.

Terms of use

usage policies
Consent

Licenses

P1 , P2, Identity Governance Package

references

Azure subscriptions

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Jan 2024 11:41:00 GMT

each service belongs to a subscription
Each subscription can have different billing details
Multiple subscriptions can be linked to same account
More than one azure account can be linked to the same subscription
Billing is on per sub basis
programmatic operations require subscription ID

Common Types

free
Pay-as-you-go
Enterprise Agreement
Student

references

Entra ID users

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Jan 2024 08:39:00 GMT

Types

cloud identity

defined in entra id

Directory-synchronised identity

defined in on-Prem and synced to entra

Guest user

defined outside azure
Source is invited user

references

Entra External IDs

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Jan 2024 17:57:00 GMT

AuthN happens in guest [[202408281918 Entra ID tenant|tenant]]
But AuthZ happens in my [[202408281918 Entra ID tenant|tenant]]
User type will be guest
Cross tenant access settings control on collaboration and inbound mfa trust
User flow can be designed/ask for things at the time of signup
Licensing is based on MAU (Monthly Active Users) - first 50,000 free
To bulk add CSV requires email address and redirection url

B2B Collaboration

Actually creating a guest account in your tenant
User can use their own credentials and use it to access resources in our tenant
Invite External User option

B2B Direct connect

Content can only be shared as Teams shared channels.
Between 3 entra IDs on Azure

B2C

create separate AAD of type B2C
They are my customers
maybe they have their own id and we don't want to use new
or they can create their ID in this AAD/local account

references

https://learn.microsoft.com/en-gb/entra/external-id/external-identities-pricing

Entra Domain Services

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Jan 2024 17:52:00 GMT

Previously known as Azure AD DS.

To provide features that might be required for legacy on-prem applications, etc.

Entra ID is modern solution.

Features

AD Domain join
AD Group policy
Legacy protocols (LDAP,kerberos/NTLM, etc)

Key Components

Managed domain (Managed by MSFT)
Sync (one way sync from Entra ID)
Virtual Network (Resources can only interact with managed domain through virtual network (same network or network which has access to this network where managed domain is deployed))

references

Entra Connect

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 Jan 2024 17:40:00 GMT

Use it if we have on-prem AD.

Hybrid Identities.

Entra connect for syn between on-prem and Azure Entra ID.

references

Entra ID custom roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Jan 2024 18:11:00 GMT

Similar to [[202401072038 Azure RBAC custom roles]]

Permissions start with microsoft.directory/

requires P1 license
use powershell or microsoft graph api for more control over permissions not in azure portal
need global admin or privileged role admin

references:

Azure RBAC custom roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Jan 2024 17:38:00 GMT

created using role definition

Consists of

Metadata

name, description

Permissions

for management/data operations
Actions
- allowed control plane actions
- no deny needed as only allowed permissions are given, nothing else
NotActions
- Deny specific things under something allowed above (example: give permission to everything under virtual machines under actions, then deny delete vms actions here)
DataActions
- allowed data plane actions
NotDataActions
- not allowed data plane actions

Scopes

Defines where roles can be used
AssignableScopes
Examples:
- Root - /*
- Management Groups
- Subscriptions
- Resource Groups

To create a custom role, following things are required:

{
  "Name": "",
  "Description": "",
  "Actions": [],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": []
}

Sample:

{
  "Name": "Reader",
  "Id": "acdd72a7-3385-48ef-bd42-f606fba81ae7",
  "IsCustom": false,
  "Description": "Lets you view everything, but not make any changes.",
  "Actions": [
    "*/read"
  ],
  "NotActions": [],
  "DataActions": [],
  "NotDataActions": [],
  "AssignableScopes": [
    "/"
  ]
}

references

https://learn.microsoft.com/en-us/azure/role-based-access-control/custom-roles

Entra ID Roles

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Jan 2024 17:01:00 GMT

Different from [[202404061316 Azure Roles|azure roles]] (they apply to [[202312231415 Azure Master|Azure]] [[202404061212 Azure Resources|resources]])

Overview

Permissions applied for [[202404011327 Entra ID|Entra ID]]
Always think least privilege

Security Principal

Who or what is being assigned access?
[[202401101139 Entra ID users|Entra user]]
[[202312242245 Entra ID Groups|entra group]] (requires p1) /
- needs to be setup as such at creation time (Entra ID roles can be assigned to the group)
- isAssignableToRole property
- immutable so only at setup
app

Role Definition

What are the permissions being given?
types: built-in or custom - [[202401072111 Entra ID custom roles|Entra custom roles]]

Built-in Entra roles

Global Administrator
User Administrator
Billing Administrator

Scope

Where will the permissions apply?
Hierarchy
Traditionally used to be global
Can be:
1. [[202408281918 Entra ID tenant|tenant]]
2. [[202401061515 Entra ID Administrative Units|Entra Administrative Units]]
3. Entra resource
  1. Microsoft Entra groups
  2. Enterprise applications
  3. Application registrations
If role is assigned on container level role is applied to items contained in it
If role is applied at resource level it applies to the resource
1. In particular does not extend to members of the [[202312242245 Entra ID Groups|groups]]

references

Entra RBAC
Use groups to manage Entra roles
Builtin Roles

Entra ID Administrative Units

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 06 Jan 2024 12:15:00 GMT

Help manage permissions for managing Entra ID
Can include a mix of users, devices and groups
- roles added to AU will not apply to members of the group
- users need to be added directly to AU
Membership can be assigned or dynamic
Objects can exist in multiple AUs - one user in 2 AUs
Nesting is not possible - one AU under a different AU - No structure
Not for B2C

Restricted admin units will not have inherited permissions from directory level for example. Only users who are explicitly given permissions to managed the AU will have access to do so.

references

UCS keyring fix

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Jan 2024 13:00:00 GMT

Issue:
default Keyring's certificate is invalid, reason: expired.

Fix:

scope security
scope keyring default
set regenerate yes
set modulus mod2048
commit-buffer

references:

Cisco UCS clear any errors which are not actually there

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 03 Jan 2024 21:42:00 GMT

Go to Service Profile > General > Recover Server > Reset CIMC (Server Controller)

This does not affect the server and just verifies everything.
This is useful when NIC might show down but actually no issues observed for the server.
flogi-table might have missing entries.
Happened after an infrastructure firmware upgrade.

references:

Windows server unable to patch

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Jan 2024 09:41:00 GMT

Install servicing stack patch.

For 2016: KB5023788

references:

KB5023788: Servicing stack update for Windows Server 2016: March 14, 2023 - Microsoft Support

Entra ID Groups

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 24 Dec 2023 19:45:00 GMT

[[202401072024 Entra ID roles]] can be assigned

Types

security
Microsoft 365 groups

When adding members

assigned (manual)
Dynamic users
Dynamic devices (only security groups)

Dynamic groups

user or device
Dynamic groups require at least P1 license.
Members are added based on rules.
Members can't be changed.
Group can be changed to normal after creation.

references:

Entra ID Managed Identities

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 23 Dec 2023 11:41:00 GMT

Provides identity for a resource which is hosted on [[202312231415 Azure Master|"Azure"]], when compared against [[202312231440 Azure Entra ID App Identity]] which can be used for both on-prem and azure.
Authentication is managed by [[202312231415 Azure Master|"Azure"]].

Two types:

System-Assigned: for a single resource, as long as it is in use. If resource is deleted, identity is gone.
user-assigned: can be shared between different resources. created by you. Deleting the resource does not delete the identity. one UAMI can be added to multiple resources. Also one resource can have many UAMI.
- Example - farm of web servers can have on UAMI. Give permission to this UAMI once and it will have permission for all resources.

Benefits

Here are some of the benefits of using managed identities:

You don't need to manage credentials. Credentials aren’t even accessible to you.
You can use [[202312231441 Entra ID Managed Identities|Managed Identity]] to authenticate to any resource that supports Microsoft Entra authentication, including your own applications.
Managed identities can be used at no extra cost.

Why?

Resource hosted in [[202312231415 Azure Master|"Azure"]] needs to talk to other stuff in [[202312231415 Azure Master|"Azure"]]. Application needs identity to have roles applied to itself so that it can access other resources.

Traditionally

When we do app registration, it creates a service principal for it in the same tenant. Once SP is there it can use secret, cert-based, etc to authenticate. Challenge is how to store it, etc.

Managed Identity

We can add a [[202312231441 Entra ID Managed Identities|Managed Identity]] for an app. There is no secret, nothing that I have to worry about storing. [[202312231441 Entra ID Managed Identities|MI]] can only exist in the tenant it is created.

How is [[202312231441 Entra ID Managed Identities|MI]] managed

Managed Identity Resource Provider manages [[202312231441 Entra ID Managed Identities|MI]]. MIRP issues the cert and rolls the cert.

If a resource has System assigned [[202312231441 Entra ID Managed Identities|MI]] it will always use it to authenticate
If a resource has no SA-MI but only 1 UA-MI it will use that UA-MI to authenticate
If a resource has no SA-MI but multiple UA-MI, we need to specify which one it will use to authenticate

How resource gets token

For a VM,

VM talks to Instance Meta Data Service, I need a token.
IMDS talks to MIRP
MIRP gives SP + Cert for the [[202312231441 Entra ID Managed Identities|MI]]
IMDS goes to AAD, and asks for token.
[[202404011327 Entra ID|AAD]] creates access token and sends it back to IMDS, which gives it to resource

Other services have similar methods.

references

https://www.youtube.com/watch?v=rC1TV0_sIrM&list=PLlVtbbG169nGlGPWs9xaLKT1KfwqREHbs&index=10
MI overview
Services that use MI
How MI works
How to use MI token

Azure Entra ID App Identity

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 23 Dec 2023 11:40:00 GMT

references

Entra ID editions

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 23 Dec 2023 11:37:00 GMT

Four editions:

Free (upto 500,000 directory objects, rest all are unlimited)
Microsoft 365 apps
Premium P1
Premium P2

P1 and P2 are enterprise focused. P2 has things like PIM and JIT access.
License is set on per user basis. Directly assigned or assigned via groups.

references

Microsoft Entra

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 23 Dec 2023 11:20:00 GMT

Entra is the overall umbrella for identity and access solution in [[202312231415 Azure Master|"azure"]].

Overview

[[202404011327 Entra ID]]
[[202408281918 Entra ID tenant]]

[[202408281922 Add custom domain to Entra ID|How to add a custom domain to Entra ID tenant]]
[[202406151743 Difference between Entra ID and ADDS]]
[[202312231437 Entra ID editions]]

Concepts

[[202404011414 Authentication and Authorization]]

[[202404011532 Entra MFA]]
[[202404011343 Entra ID objects]]
[[202408281930 How to assign licenses in Entra|How to assign licenses in Entra]]
[[202401082057 Entra External IDs]]
[[202401061515 Entra ID Administrative Units]]

Roles

[[202401072001 Entra ID Roles]]

[[202401072111 Entra ID custom roles]]

Sync

[[202208041136 Entra Connect sync]]

Misc

Governance

[[202401101559 Entra ID Governance]]

[[202401102057 Entra ID Entitlement Management]]
[[202401121503 Entra Privileged Identity Management]]
[[202401121518 Entra Access Reviews]]

[[202404011557 Conditional Access]]
[[202405021835 Entra Self Service Password Reset]]

references:

John Savill course

Azure Master

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 23 Dec 2023 11:15:00 GMT

Fundamentals

[[202207262308 Cloud Computing Fundamentals]]
[[202406151100 How to interact with Azure]]

[[202408141906 How to do a deployment in azure]]
[[202404061212 Azure Resources]]
[[202405011242 ARM template|ARM JSON]]
[[202406151219 ARM Bicep|Bicep]]
[[202407162120 Types of operations in Azure|Types of operations in Azure]]

Identity

[[202404011245 Why is identity needed]]
[[202404011258 Decentralised identities]]
[[202312231420 Microsoft Entra]]

Governance

[[202404051739 Governance Overview]]

[[202404061356 Azure Policy]]
[[202404061249 Azure RBAC]]
- [[202404061316 Azure Roles]]
- [[202401072038 Azure RBAC custom roles]]
[[202404061425 Azure Cost Management]]

Constructs/Hierarchy

[[202404051803 Management groups]]
[[202401101441 Azure subscriptions]]
[[202404051818 Resource Groups]]
[[202404061212 Azure Resources|Azure resource]]

Other things

[[202404061323 Azure ABAC]]
[[202404061451 Azure Naming]]
[[202404061455 Azure Tagging]]
[[202409021326 Azure Resource Lock]]

Resiliency

[[202404071304 Resiliency Overview]]

[[202404071441 Replication]]
[[202408041224 Azure Monitoring|Azure Monitoring]]
[[202404071559 Azure Backup|Azure backup]]
[[202404071420 Azure resiliency concepts]]
[[202404071451 How do Azure resources use resiliency]]
[[202404081830 Azure Availability Zones]]
[[202404071518 Multi-region deployments]]
[[202404071545 Preference for replications]]
[[202404071543 VM replications]]
[[202404071556 Disaster Recovery]]
MSFT AZ services
Move Azure resources

Storage

[[202404091847 Azure Storage Overview]]
[[202404091859 Azure Storage Account]]
[[202404091908 Azure Storage Redundancy]]
[[202404121117 Azure Storage Services]]

[[202406291221 Azure Files|Azure Files]]
- [[202404121239 Azure File Sync|Azure File Sync]]
[[202404121149 Azure Data Lake]]
[[202404121246 Azure Netapp Files]]
[[202404121254 Azure Managed Disks]]

Networking

[[202407281223 Azure Networking Basics]]
[[202404121703 Azure VNet]]

[[202407141408 Create VNet in Azure|Create VNet in Azure]]
[[202407271143 Public IP address allows inbound access based on tier in Azure|Public IP Address]]
[[202407281228 Azure Private IP Address|Azure Private IP Address]]
[[202404121727 Azure VM NIC]]
[[202404141450 Azure DNS]]
[[202404131219 External Access]]
[[202407271319 Azure Load Balancer]]
[[202407271353 Azure Application Gateway]]
[[202404131313 Connecting virtual networks]]
[[202407151908 VNet Peering|VNet Peering]]
[[202407281401 User defined routing|User defined routing]]
[[202404131337 Connecting to Onprem]]
[[202404141339 Azure ExpressRoute|Express Route]]
[[202407151913 Azure VPN|Azure VPN]]
- [[202408241251 How to create S2S VPN|S2S VPN]]
- [[202408241255 How to create P2S VPN|P2S VPN]]

Network Security

[[202404141404 Control traffic flows]] via [[202404141413 Azure Firewall|Azure Firewall]] or [[202404141419 Network Security Groups|NSG]]/[[202407141403 Application Security Groups|ASG]]
[[202404141431 Azure Virtual WAN]]
[[202404141435 Azure Service Endpoints and Service Endpoint Policies]]
[[202404141442 Azure Private Link]]

VMs and VMSS

[[202404161835 Azure VM Basics]]

[[202404161906 How do we think about VM sizes or types on Azure]]
[[202404171828 Azure Spot can help reduce prices for Azure VMs|Azure Spot can help reduce prices for Azure VMs]]
[[202407121745 Azure custom script extension]]
[[202404181846 Azure VM scale sets]]
[[202404181829 Azure Compute Gallery]]
[[202404181844 Use Azure VMware solution if an org wants to move to cloud quickly]]
[[202408281650 Azure Bastion|Azure Bastion]]

App services

[[202404191840 Containers]]

[[202404201203 Azure Container Instance|Azure Container Instance]]
[[202404201210 Azure Kubernetes Service]]
[[202404201348 Azure Container Apps|Azure Container Apps]]
[[202404201400 Azure App service]]
[[202404201427 Azure Functions]]
[[202404201438 Azure Logic Apps]]
[[202404201440 Azure Static Web App]]

Database and AI

[[202404091845 Types of data]]
[[202404271358 Type of Databases]]
[[202404271407 Types of data related roles]]
[[202404261946 Data flow]]

OLTP (Online Transactional Processing)

[[202404231933 Azure SQL]]
[[202404241715 Azure Open source DB]]
[[202404261904 Azure Cosmos DB]]

Analytical Processing

[[202404261931 Azure Data warehouse and analytics]]

Backups

[[202404071559 Azure Backup]]

[[202408021823 Create backup for VMs|How to backup azure vm]]
[[202408011914 Azure Backup Access Tiers|Azure Backup Access Tiers]]
[[202408011900 What resources can we backup using Azure Backup|What can we backup using Azure Backup]]
[[202408131927 Azure restore from backup|Restore from backups]]
[[202408131929 Restore VM from Azure backup|Restore VM from Azure backup]]
[[202408131919 Restore files from Azure backup|Restore files from Azure backup]]

Monitoring and Security

[[202404281601 Azure monitoring old]]
[[202408041224 Azure Monitoring|Azure Monitoring]]

[[202408041409 Types of monitoring data in Azure|Types of monitoring data in Azure]]
[[202408070754 Azure Log Analytics]]
[[202408080800 Azure Network Watcher]]
[[202408111224 Azure Monitor Alerts]]
[[202408111240 Create an Azure metric alert|Azure metric alert]]
[[202408111249 Create a log alert in Azure|Log alerts]]

IaC and Devops

[[202406151100 How to interact with Azure]]
[[202405011242 ARM template]]
[[202406151219 ARM Bicep]]
[[202407191832 Bicep Modules]]

Architecture

[[202406081205 Well Architected Framework|Azure Well Architected Framework]]
[[202406011159 Five pillars of Azure well architected framework|Five pillars of Azure well architected framework]]

Key Documents

Azure Architecture Centre
Azure Landing Zone
Azure Governance
Cloud Adoption Framework
Well-architected Framework
Applied Skills
Azure Resource Limits

Learn

John's Az 104 learning path

To do

Azcopy
Storage explorer
Recovery services vault

references

John's AZ-104

UCS Port Licensing related

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 14 Dec 2023 11:39:00 GMT

Check how many ports are licensed

For FI each model comes with certain number of ports activated by default, others need to be purchased separately.

Default for 6332-16UP is
10G - 8
40G - 4

Go to Admin > License Management >

Select FI > General Tab

Select the License,
scroll down
it should show Total Quantity, Used Quantity

To check how many license are there

Go to Cisco Software Central > https://software.cisco.com/software/swift/lrp/#/pak
Traditional licenses > Access LRP
PAKs or Token > Show Filter
Under Order Number put Cisco SO. It will show available license

references:

Remove for recursive objects in AD fails

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 07 Dec 2023 12:15:00 GMT

Issue is because of additional child-objects for an object : user or computer

For user it can be devices etc.
Object class: msExchActiveSyncDevices, for example

## Remove fails with - The directory service can perform the requested operation only on a leaf object

## Below to get the list of all objects
Get-ADObject -SearchBase $DN -Filter *

## Remove-ADObject with -recusrsive to delete
Get-ADObject -SearchBase $DN -Filter * | Remove-ADObject -Recursive -ErrorAction Stop

references:

openssl read csr

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 05 Dec 2023 08:26:00 GMT

openssl req -text -noout -verify -in CSR.csr

references:

UCSM firmware upgrade

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 15 Nov 2023 12:34:00 GMT

Firmware Image Management

Cisco delivers firmware updates to UCS in bundles.

Infrastructure bundle (A)
B-series bundle
C-series bundle

Infrastructure bundle

This includes:

UCSM software
Kernel and system firmware for FI
I/O module firmware

B-series bundle

This includes

CIMC firmware
BIOS firmware
Adapter firmware
Board controller firmware
Third-party firmware images required by the new server

4 things need to be checked:

Hardware and OS compatibility
Cross-version firmware support
Upgrade path
Any open caveats in the release

Hardware and OS compatibility

You can search on Cisco UCS Hardware Compatibility List using either option: servers / os /products.
You can go to products and search by the vic card we have for example.

Cross-Version Firmware Support

Table 11 on Release Notes for Cisco UCS Manager, Release 4.2 - Cisco page for the particular version has details. which infra bundle (A) supports which host version (B or C). Look for your F5 device in the cross-section. If it is listed there then support is there.

Upgrade path

Table 5 on the release page has those details.

Open caveats

Any issues identified in the target release version.

references:

Cisco UCS Manager Firmware Management Guide, Release 4.2 - Manage Firmware through Cisco UCS Manager [Cisco UCS Manager] - Cisco
Software Download - Cisco Systems
https://software.cisco.com/download/home/283612660/type/283655658/release/4.2(3g)
https://ucshcltool.cloudapps.cisco.com/public/https://software.cisco.com/download/home/283853163/type/283655681/release/4.2(3e)

Cisco UCS Manager Upgrade/Downgrade Support Matrix
Cisco UCS Manager Upgrade and Downgrade Support Tool

How to check ldaps is working or not - ldp.exe

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 06 Nov 2023 09:52:00 GMT

Run ldp.exe
Connect >
1. give dc fqdn
2. port = 636
3. select ssl
Bind >
1. Give user details
If connect is OK, then things are OK.

references:

Which Certificate is my Domain Controller using for LDAPS? - Mostly Technical (torivar.com)

Windows delete shadow copies

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 03 Nov 2023 09:19:00 GMT


##  List
vssadmin list shadows

### List with powershell
Get-WmiObject Win32_Shadowcopy

## Delete with powershell
Get-WmiObject Win32_Shadowcopy |  ForEach-Object {$_.Delete();}

references:

An Underrated Technique to Delete Volume Shadow Copies - DeviceIoControl (picussecurity.com)

On Vmware tools

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 03 Nov 2023 07:25:00 GMT

VMware tools check happens with respect to the Host. Each ESXi host has a storage location for VM Tools installers, which is a configurable option and visibly referenced by the /productLocker symlink. The target can be either local to each host or point to a centralized repository of VM Tools on a shared datastore.
One possible solution is to add a shared storage as the location for the VMware tools version for all the hosts.

Type of VMware tools

Tools ISO for supported OS
For linux: Operating System Specific Packages, or OSPs (Not managed by vSphere)
For Linux: Open VM Tools (OVTs) (Not managed by vSphere)

Upgrading VMware tools

Automatic update on VM boot
Through vSphere UI
VMware update manager
In guest update - control to server owners
Mass updates through powerCLI
Native Linux package management processes
API

List of VMware tools

Build numbers and versions of VMware Tools (86165)

Deploying through SCCM

references:

VMware Tools Lifecycle: Why Tools Can Drive You Crazy (and How to Avoid it!) - VMware vSphere Blog
Understanding the Three Types of VM Tools - VMware vSphere Blog
Installing and upgrading VMware Tools in vSphere (2004754)
Six Methods for Keeping VM Tools Up to Date – VMware vSphere Blog

Security guidelines

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 30 Oct 2023 07:52:00 GMT

references:

Security baseline (FINAL) for Windows 10 v1903 and Windows Server v1903 | Microsoft Learn

VMware MOB reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 27 Oct 2023 08:45:00 GMT

Access the url

https://hostname.yourcompany.com/mob

Enable MOB on ESXi

Select the host in the vSphere Client and go to Advanced System Settings.
Find Config.HostAgent.plugins.solo.enableMob and enable the MOB

How to access stuff

Click on the content property.
Under the Name column, locate rootFolder and click its corresponding value, this being a Data Center Folder object.
Under root > datacenter
Under datacenter > hostfolder
Under hostfolder > childEntity (Select appropriate cluster)\
Under that find host (select appropriate host)
Under that storage

For storage

content --> rootFolder --> childEntity --> hostFolder --> childEntity --> host --> config --> HostStorageDeviceInfo --> Select appropriate lun

Host -> config -> storageDevice -> scsiLun [selected interested lun from list] -> standardInquiry

references:

Using the MOB to Explore the Object Model (vmware.com)
Exploring the vSphere API with Managed Object Browser (altaro.com)

VMware powercli reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 Oct 2023 13:46:00 GMT

Get-VM filters

## To get only non linux vms
$Cluster | Get-VM | Where-Object { $_.Guest.OSFullName -notlike "*Linux*" }

references:

Update and refresh a manifest

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 Oct 2023 08:19:00 GMT

Go to Red Hat Customer Portal
Click on Subscriptions
Go to Subcription Allocations
Edit as needed.

references:

How to create and use a Red Hat Satellite manifest
How to create and upload or update and refresh a manifest to the Red Hat Satellite 6 server? - Red Hat Customer Portal

svchost troubleshooting

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 19 Oct 2023 15:18:00 GMT

references:

Getting Started with SVCHOST.EXE Troubleshooting - Microsoft Community Hub

Windows host file

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 18 Sep 2023 11:32:00 GMT

c:\Windows\System32\Drivers\etc\hosts

references:

Powershell second hop problem

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 18 Sep 2023 10:18:00 GMT

To fix issue

Add fi server entry in etc/hosts so that resolution works
Two policies need to be enabled Local Computer Policy -> Computer Configuration -> Administrative Templates -> System -> Credentials Delegation. This cannot be with IP address:
1. Enable Allow delegating fresh credentials and set value
2. Enable Allow delegating fresh credentials with NTLM-only server authentication and set value

references:

Making the second hop in PowerShell Remoting - PowerShell | Microsoft Learn

Windows cluster troubleshooting

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 13 Sep 2023 09:26:00 GMT

Get-ClusterLog

## with timespan for last 5 mins
Get-ClusterLog -Timespan 530

## Use local server time
Get-ClusterLog -Destination C:\Users\A714359\Desktop\ -TimeSpan 30 -UseLocalTime

Log location

C:\Windows\Cluster\Reports

Cluster hive

Located under HKLM > Cluster or 0.Cluster (loaded on node which has quorum disk)

Computer object guid

references:

Get-ClusterLog (FailoverClusters) | Microsoft Learn

The Cluster and 0.Cluster Registry Hives - Working Hard In ITWorking Hard In IT

PowerShell check empty string

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Sep 2023 16:57:00 GMT


# Use the IsNullOrEmpty/IsNullOrWhiteSpace string method
[string]::IsNullOrEmpty(...)
[string]::IsNullOrWhiteSpace(...)

## Example to check string
if ([string]::IsNullOrWhiteSpace($User))

Remove leading and trailing space


# Use the .Trim() method

references:

.net - How can I check if a string is null or empty in PowerShell? - Stack Overflow
PowerTip: Remove Leading and Trailing Spaces with PowerShell - Scripting Blog (microsoft.com)

Azure AD Connect Get current Configuration

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 30 Aug 2023 17:38:00 GMT

Option 1

Export configuration settings json.

Option 2

Open Azure AD connect
Click Configure
Click Customize Synchronization Options.
Provide credentials.
Take screenshots

![[Pasted image 20230830204132.png]]

references:

How to check Azure AD Connect settings for Attributes filtering - Microsoft Q&A

VMware ESXi upgrade using ESXCLI

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 29 Aug 2023 14:11:00 GMT


## Run this to get the name
esxcli software sources profile list -d /vmfs/volumes/datastore1/ESXi7-bundle/VMware-ESXi-7.0U2d-18538813-depot.zip

## Update name after -p
esxcli software profile update -p ESXi-7.0U2d-18538813-standard -d /vmfs/volumes/datastore1/ESXi7-bundle/VMware-ESXi-7.0U2d-18538813-depot.zip


Example:
esxcli software sources profile list -d /vmfs/volumes/5da0
ab35-50b8c2e8-de81-08f1eaf4b402/VMware-ESXi-7.0.3-21424296-HPE-703.0.0.11.3.0.5-Apr2023-depot\ \(1\).zip
Name                               Vendor                      Acceptance Level  Creation Time        Modification Time
---------------------------------  --------------------------  ----------------  -------------------  -----------------
HPE-Custom-AddOn_703.0.0.11.3.0-5  Hewlett Packard Enterprise  PartnerSupported  2023-03-24T05:15:11  2023-03-24T05:15:11

esxcli software profile update -p HPE-Custom-AddOn_703.0.0.11.3.0-5 -d /vmfs/volumes/5da0
ab35-50b8c2e8-de81-08f1eaf4b402/VMware-ESXi-7.0.3-21424296-HPE-703.0.0.11.3.0.5-Apr2023-depot\ \(1\).zip

references:

Upgrade or Update a Host with Image Profiles (vmware.com)

Ansible Automation Platform Upgrade

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 29 Aug 2023 11:32:00 GMT

Upgrade assistant here:

Ansible Automation Platform Upgrade Assistant | Red Hat Customer Portal Labs

Steps:

The step to step guide is provided here please Follow this for upgrade from 2.3 to 2.4. https://access.redhat.com/labs/aapua/

is it fine will use same inventory file which was used at the time of installation
should we add the automation hub parameter in same inventory file as we installed separately
--> You can add the data to the new Inventory file referring to the old and you can add the automation hub details as well if the database of Controller and the automation hub is same.
any validation script/playbook is there to validate AAP platform before/after of upgrade
incase upgrade failed in that case how we can recover it back using AAP script/playbook.
--> There is no validation scripts everything is taken care by the setup.sh script itself. if in case the upgrade fails you can always uninstall the AAP

Step 1) How to uninstall Red Hat Ansible Controller(Ansible Automation Platform 2.x)?
https://access.redhat.com/solutions/6733721

Step 2 ) Re install the older version of AAP

Step 3) Restore the database taken before starting the upgrade mentioned: https://access.redhat.com/labs/aapua/

while upgrading AAP platform will be available/what will impact for end user.
--> While doing the upgrade the services get's stopped so take a proper downtime before proceeding with the upgrade and also do the upgrade in the test environment first.

references:

Azure portal url list

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 29 Aug 2023 11:15:00 GMT

Refer to the link below.

references:

Allow the Azure portal URLs on your firewall or proxy server - Azure portal | Microsoft Learn

VMware connecting through winscp gives ftp error

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 09 Aug 2023 07:40:00 GMT

![[Pasted image 20230809104044.png]]

Go to Advanced > SFTP

Paste this:

shell /usr/libexec/sftp-server

references:

vCenter VCSA Received too large sftp packet max supported packet size is with WinSCP - DailySysAdmin | For all things IT!

Vmware get list of rebooted servers by HA

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 02 Aug 2023 07:20:00 GMT

# Update the following

$VIServer = "fieslpvcs01.fi.tcsecp.com"  
$ClusterName = "FIES-SQL-PROD-Trusted"

Import-Module -Name VMware.PowerCLI  
Set-PowerCLIConfiguration -InvalidCertificateAction Ignore -Confirm:$false  
Connect-VIServer -Server $VIServer  
$Cluster = Get-Cluster $ClusterName

$Events = $Cluster | Get-VM | Get-VIEvent | where {$_.FullFormattedMessage -match "vSphere HA restarted virtual machine"}

$Events | select ObjectName, CreatedTime

Disconnect-VIServer -Server $VIServer -Force -Confirm:$false

references:

Powershell pass variables to Invoke-Command

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 13 Jul 2023 13:54:00 GMT

Refer to local variable with $using

Use the '$using:' scope

$Using:variablename

references:

about Scopes - PowerShell | Microsoft Learn
PowerShell: Passing variables to remote commands (powershellexplained.com)

UCS FI modes

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 10 Jul 2023 12:23:00 GMT

Default : End host mode

Everything in ucs domain as a single thing.

MAC learning on specific ports only
- Uplink ports (No MAC learning)
- Unconfigured - NO
- Server ports - Yes
No spanning tree
Server traffic is pinned

references:

UCS IOM pinning

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 10 Jul 2023 09:54:00 GMT

Can be done in 1,2,4,8

Direct pinning to FI

If any link goes down, config shifts to lowest common denominator.

Pinning to port channel

If we lose one link, it will still be one connection to Port channel.

![[Pasted image 20230710125701.png]]

references:

Windows how to tell if user group modification event is triggered due to group policy

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 06 Jul 2023 11:51:00 GMT

references:

windows - How can I tell if a user group modification event is triggered due to group policy instead of manual action? - Server Fault

UCS manager

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 30 Jun 2023 10:14:00 GMT

UCS manager runs on FI.
For clustered FI, cluster IP is the UCS manager IP.

Manages upto 20 chassis or 160 servers.

Access

UI
SSH
- R/O nxos
- Local mgmt
XML/API

references:

UCS IOM or Fabric Extenders

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 30 Jun 2023 09:48:00 GMT

Fit on the left side of the chassis.
IOM A and IOM B.

IOM A goes to FIA.
IOM B goes to FIB.

This is how we communicate from chassis to FI.

We have UCS 2304. (2nd number is the generation/ last 2 numbers are the no of ports)
40gig interconnects

references:

UCS chassis

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 30 Jun 2023 08:58:00 GMT

B-series:

Chassis is where the servers go.
Usually 8 servers. (half width)
Or 4 large ones. (full width)

Below the servers is the powersupply.

Servers don't have ports. They connect to backchannel ports on the [[202306301248 UCS IOM or Fabric Extenders]] module.

references:

UCS FI

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 30 Jun 2023 08:52:00 GMT

Fabric Interconnects are like the brains.
FIs should be in cluster.
Cluster links between them.

Now we have Unified Ports.

We have Gen3. 40Gig
UCS 6332 16UP. UP is unified ports.

16 unified ports
24 40-Gigabit Ethernet and Fibre Channel over Ethernet (FCoE)
16 1- and 10-Gbps and FCoE or 4-,8-, and 16-Gbps Fibre Channel unified ports

Ports assigned in even.

references:

Windows what are current control sets

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 29 Jun 2023 11:48:00 GMT

CurrentControlSet is an alternating symbolic link to either ControlSet001 or ControlSet002. The other key is kept as a backup for the Load Last Known Good Configuration boot option.

current ControlSet number is set by Current under HKLM\System\Select.

references:

windows - How does CurrentControlSet differ from ControlSet001 and ControlSet002? - Stack Overflow

Windows get last boot time

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Jun 2023 11:25:00 GMT

Get-CimInstance -ClassName win32_operatingsystem | select csname, lastbootuptime

references:

PowerTip: Get the Last Boot Time with PowerShell - Scripting Blog (microsoft.com)

Install offline plugin notepad ++

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 28 Jun 2023 07:19:00 GMT

x64 plugin list

Dowload the plugin and extract the plugin dll file.
Place the plugin.dll file under plugin folder of notepad++ installation. For me it was : C:\Program Files\Notepad++\plugins
Start Notepad++ as an elevated administrator and then go to: Settings -> Import -> Import plugin(s)... (import the plugin).
Notepad++ will show the restart message. / Sometimes it may not show it.
Restart the notepad++.
Should see new plugin under the Plugins menu. ALL DONE!!

references:

How to install a Notepad++ plugin offline? - Stack Overflow

Azure AD sync SSO disable RC4

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 27 Jun 2023 12:12:00 GMT

Enforcing AES256 for the Azure AD SSO Account in Active Directory

Go to computer OU.
Right click on the Azure sync account AZUREADSSOACC. Go to attribute editor.
Update msDS-SupportedEncryptionTypes to 16 (AES 256) and confirm OK

Roll-Over of the Kerberos Decryption Key (to enable SSO again)

on the Azure AD Connect server:

Run powershell as Admin. And run the following commands:
cd to $env:programfiles"\Microsoft Azure Active Directory Connect"
Import-Module .\AzureADSSO.psd1
New-AzureADSSOAuthenticationContext
In popup enter credentials.
Get-AzureADSSOStatus | ConvertFrom-Json
This command provides you the list of AD forests (look at the "Domains" list) on which this feature has been enabled.
$creds = Get-Credential
Enter credentials in jty\AID format. Domain Admin credentials.
Update-AzureADSSOForest -OnPremCredentials $creds
This command updates the Kerberos decryption key for the AZUREADSSO computer account in this specific AD forest and updates it in Azure AD.

references:

Secure Active Directory + Azure AD SSO and disable RC4 HMAC - azuregeek.io
Roll over Kerberos decryption key for Seamless SSO computer account - Azure Cloud & AI Domain Blog (azurecloudai.blog)
Azure AD Connect - Microsoft Entra | Microsoft Learn
Decrypting the Selection of Supported Kerberos Encryption Types - Microsoft Community Hub

Openssh on Windows failing with 0x80072ee2

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Jun 2023 14:51:00 GMT

Download from https://github.com/PowerShell/Win32-OpenSSH/releases/

Error:

PS C:\Windows\system32> Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
Add-WindowsCapability : Add-WindowsCapability failed. Error code = 0x80072ee2
At line:1 char:1
+ Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
    + CategoryInfo          : NotSpecified: (:) [Add-WindowsCapability], COMException
    + FullyQualifiedErrorId : Microsoft.Dism.Commands.AddWindowsCapabilityCommand

Cause: Required files are not present.

Fix/Steps to install

Attach ISO.
Run powershell per below

Get-WindowsCapability -Online | Where-Object Name -like 'OpenSSH*'

Add-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0 -LimitAccess -Source Z:\LanguagesAndOptionalFeatures

# Start the sshd service
Start-Service sshd

# OPTIONAL but recommended:
Set-Service -Name sshd -StartupType 'Automatic'

Uninstall

# Uninstall the OpenSSH Client
Remove-WindowsCapability -Online -Name OpenSSH.Client~~~~0.0.1.0

# Uninstall the OpenSSH Server
Remove-WindowsCapability -Online -Name OpenSSH.Server~~~~0.0.1.0

Configuration

Configuration file is created here

%programdata%\ssh\sshd_config

Port and IP binding

1. Open the file and uncomment Port and provide the custom port required.
2. Uncomment ListenAddress and provide clustered role IP. This binds the SSH to that IP.

Default directory

1. Set ChrootDirectory to whatever default location is needed.

Authorized groups

1. Use AllowGroups to allow whatever group needs access. By default add Administrators.

Additional configuration is not in scope of this document. Refer to man page for the list of configuration and how to setup authentication.

references:

Get started with OpenSSH for Windows | Microsoft Learn

Openstack disintegration

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 20 Jun 2023 09:38:00 GMT

Restart of VMs to update managed by openstack to managed by VMware
shared Disk allocated by Openstack / Same DC
replicated disks moved
svmotion for the shared disk
backup/restore option not pursued
Rebuilding VMs from vmx file

--> Cluster/shared disk can be remapped without downtime by storage team

references:

Windows set proxy

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 15 Jun 2023 12:41:00 GMT

set proxy myproxy
set proxy myproxy:80 "<local>bar"
netsh winhttp set proxy proxy-server="http=myproxy;https=sproxy:88" bypass-list="*.contoso.com"

# Remove proxy
netsh winhttp reset proxy

references:

Netsh Commands for Windows Hypertext Transfer Protocol (WINHTTP) | Microsoft Learn

UCS General

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 13 Jun 2023 12:01:00 GMT

UCS helps with stateless computing
Done through service profiles.
Abstract identifying information (wwpn,mac,etc) from physical host to service profile. Policies, boot policy, etc.

What this allows us to do, is in case of hardware failure, we can attach this service profile to a new physical host.

Also simplifies cabling.

references:

Learning Cisco Unified Computing System - UCS (udemy.com)

Managed service account does not work

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 09 Jun 2023 09:33:00 GMT

Error:
Install-ADServiceAccount : Cannot Install service account. Error Message:  ‘The provided context did not match the target’

The Test-ADServiceAccount cmdlet gives us a little more to go on:

WARNING: Test failed for Managed Service Account SQLServerGMSA. If standalone Managed Service Account, the account is linked to another computer object in the Active Directory. If group Managed Service Account, either this computer does not have permission to use the group MSA or this computer does not support all the Kerberos encryption types required for the gMSA. See the MSA operational log for more information.

Cause

Windows server is configured not to use RC4. AES should be configured explicitly for service accounts.

Set-ADServiceAccount -Identity <account name> -KerberosEncryptionType AES128,AES256

references:

Cannot install service account. The provided context did not match the target (rssing.com)
Group Managed Service Accounts Overview | Microsoft Learn

Yoga

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 01 Jun 2023 17:41:49 GMT

I can touch the ground in the forward bend while doing surya-namaskar, fairly easily now. It does not happen in one smooth motion still. There is still a long way to go. I wrote about the goal with yoga . I continue to work toward that goal.

Ports to be opened for Ansible Automation Platform

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 26 May 2023 06:11:00 GMT

Job executions for managed nodes from hybrid/execution nodes
- external cloud service to retrieve inventory information : 443/tcp (REST API in HTTPS)
  - Amazon EC2
  - Google Compute Engine
  - Microsoft Azure Resource Manager
  - VMware vCenter
  - Red Hat Satellite
  - Red Hat OpenStack
  - Red Hat Insights
  - etc.
- RHEL : 22/tcp (SSH)
- Windows Server : 5986/tcp (HTTPS), 5985/tcp (HTTP), 88/tcp,udp (Kerberos)
- Network : 22/tcp (SSH), 443/tcp (HTTPS), etc.

references:

What Ports Need To Be Opened In The Firewall For Ansible Automation Platform 2 Services? - Red Hat Customer Portal

Check which ansible collections are installed in image

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 May 2023 11:27:00 GMT

# From one of the controller system:
podman run -it --rm registry.redhat.io/ansible-automation-platform-21/ee-supported-rhel8 ansible-galaxy collection list

references:

What all certified collections are included in the Execution Environments(EE's) provided by Ansible Automation Platform 2.x? - Red Hat Customer Portal

Windows Cluster disk reserved error 170

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 May 2023 09:52:00 GMT

Error:

Node is not able to join after reboot, goes in quarantine

In cluster logs:
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [CORE] Node 7ogbwtsqldb08 attempted to bring online the witness resource at time 2023/05/08-08:49:35.935 with result (5038) Failed to bring quorum resource 97b68097-a457-4539-b315-c3cd433a5e01 online, status 5038
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [QUORUM] An attempt to form cluster failed due to insufficient quorum votes. Try starting additional cluster node(s) with current vote or as a last resort use Force Quorum option to start the cluster. Look below for quorum information,
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [QUORUM] To achieve quorum cluster needs at least 2 of quorum votes. There is only 2 quorum votes running
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [QUORUM] List of running node(s) attempting to form cluster: 7ogbwtsqldb08, 5ogbwtsqldb09,
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [QUORUM] List of running node(s) with current vote: 7ogbwtsqldb08, 5ogbwtsqldb09,
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  [QUORUM] Attempt to start some or all of the following down node(s) that have current vote: Quorum Disk,
[Verbose] 00000f44.00000a58::2023/05/08-11:55:37.173 WARN  FatalError: join/form timeout (status = 258)

Further:


[Verbose] 00002344.000016a4::2023/05/08-11:56:49.325 WARN  [RES] Physical Disk <Quorum Disk>: HardDiskpPRArbitrate: Failed to preempt reservation, new key bce033420001734d, old key 4dda28d90002734d, status 170
[Verbose] 00002344.000016a4::2023/05/08-11:56:49.602 ERR   [RES] Physical Disk <Quorum Disk>: ResHardDiskArbitrateInternal: PR Arbitration for disk Error: 170

5038 is

5038 (0x13AE)

A cluster resource failed.

170 is

ERROR_BUSY

170 (0xAA)

The requested resource is in use.

Resolution:
Shared RDMs must be perennially reserved. Issue fixed after that.

references:

VC appliance connect through winscp

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 May 2023 09:46:00 GMT

Error:

Received too large (1433299822 B) SFTP packet. Max supported packet size is 1024000 B

This command changes the default shell from /bin/appliancesh to /bin/bash

chsh -s /bin/bash root

Users can connect with WINSCP without getting the too large packet error.

To return to the Appliance Shell, run this command:

chsh -s /bin/appliancesh root

references:

Connecting to vCenter Server Virtual Appliance 6.0 using WinSCP fails with the error: Received too large SFTP packet (2115983) (vmware.com)

Vmware check rdm details

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 May 2023 12:33:00 GMT

To check if disk is perennialy reserved

esxcli storage core device list -d naa.id

references:

ESXi host takes a long time to start during rescan of RDM LUNs (1016106) (vmware.com)

Windows cluster on vmware

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 08 May 2023 12:12:00 GMT

The WSFC cluster heartbeat time-out must be modified at least to the values listed below:
(get-cluster -name ).SameSubnetThreshold = 10
(get-cluster -name ).CrossSubnetThreshold = 20
(get-cluster -name ).RouteHistoryLength = 40
The virtual hardware version for the WSFC virtual machine must be version 11 and later

You can also adjust other properties to control the workload tolerance for failover. Adjusting delay controls how often heartbeats are sent between the clustered node. The default setting is 1 second and the maximum setting is 2 seconds. Set the SameSubnetDelay value to 1. Threshold controls how many consecutive heartbeats can be missed before the node considers its partner to be unavailable and triggers the failover process. The default threshold is 5 heartbeats and the maximum is 120 heartbeats. It is the combination of delay and threshold that determines the total elapsed time during which clustered Windows nodes can lose communication before triggering a failover. When the clustered nodes are in different subnets, they are called CrossSubnetDelay and CrossSubnetThreshold. Set the CrossSubnetDelay value to 2 and the CrossSubnetThreshold value to 20.

references:

Winsocket reset

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 28 Mar 2023 13:14:00 GMT

Error:
The TransportManager failed to listen on the supplied URI using the NetTcpPortSharing service: the service failed to listen.

references:

VMware logs

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 21 Mar 2023 10:23:00 GMT

ESXi Log File Locations (vmware.com)

System: /var/log/syslog.log
Auth : /var/log/auth.log

vCenter server agent log: /var/log/vpxa.log

references:

VMware upgrade license

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 31 Jan 2023 09:50:00 GMT

Go to Manage Licenses. (Products and Accounts >Account > Manage Licenses)
select license, actions will show upgrade option

references:

How to Upgrade or Downgrade License Keys in Customer Connect with troubleshooting steps (81665) (vmware.com)

infoblox ip reservation csv import

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 30 Jan 2023 13:39:00 GMT

These fields required:

header-fixedaddress,ip_address*,mac_address*,name,comment  
FixedAddress,10.45.48.1,00:00:00:00:00:00,,Gateway

If no existing data, then if you chose modify as the import mode, it fails. As existing record is not there.

So, if data does not exist, it needs to be Add when doing import.

references:

IPv4 Fixed Address/Reservation - NIOS CSV Import Reference - Infoblox Documentation Portal

Infoblox ip status

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 30 Jan 2023 09:08:00 GMT

Unused: An IP address that has not been detected and is not associated with any network device or active host on the network.
Conflict: An IP address that has either a MAC address conflict or a DHCP lease conflict detected through a network discovery.
Used: An IP address that is associated with an active host on the network. It can be a resource record, fixed address, reservation, DHCP lease, or host record.
Pending: An IP address that is associated with a scheduled task or approval workflow, and the associated operation has not been executed yet. This IP address is not considered when using the next available IP address function.
Selected IP Address: The IP address that you selected.
DHCP Range: The IP addresses within a DHCP range in the network. The appliance highlights the cells using a green background.
Reserved Range: A range of IP addresses that are reserved for statically configured hosts. They are not served as dynamic addresses. You can allocate the next available IP from the reserved range when you create a static host.

references:

OSI Model

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 Jan 2023 18:03:00 GMT

Physical

physical shared medium.
protocols on how to transfer and receive from common shared medium.
no access control, device ids, or device --> device comms.

Data Link

Network
Transport
Session
Presentation
Application

references

Wiki

AAP about credentials

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 20 Jan 2023 10:57:00 GMT

Types:

Private credential (any user can create it/owner and sys admins can use it/sys auditors can see it)
Organization credential (sys admin and admins can create it/can be assigned to users and teams)

The automation controller Admin user can assign an organization to an existing private credential, converting a private credential into an organization credential.

Once credential is created/saved, no way to get the password in plain text. It is encrypted and then saved in DB.

Credentials can be configured to prompt for password.

references:

AAP about hosts licensing

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 20 Jan 2023 10:45:00 GMT

If you have multiple hosts in your inventory that have the same name, such as webserver1, they count for licensing purposes as a single node. Note that this differs from the Hosts count on the Dashboard, which counts hosts in separate inventories separately. Note that this behavior is case-sensitive; webserver1 and WebServer1 are treated as different nodes.

In the automation controller web UI, click Settings in the left pane and select Subscription settings from the Settings page to verify how many hosts your license supports and how many are remaining.

references:

AAP install

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 20 Jan 2023 09:23:00 GMT

Download bundled installer from Bundled installer
Move the installer bundle to controller node.
Untar the setup.

tar zxvf ansible-automation-platform-setup-2.1.0-1.tar.gz

Change directory into untared folder.
Backup existing inventory file

cp inventory inventory.bkup

Install ansible core.

sudo dnf install ansible-core --assumeyes

Modify inventory file

references:

AAP controller rbac

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 20 Jan 2023 08:47:00 GMT

Users

Three types of users:

System Administrator (superuser/provides read/write permission on all objects in all organizations on the automation controller)
System Auditor (has read-only access to the entire automation controller installation)
Normal User (starts with no access/granted access based on org/team)

Users are system wide.
A team belongs to exactly one organization.
An admin user can assign the team roles on resources that belong to other organizations

Teams

Roles in a team:

Admin (full control on team/can manage membership/can manage roles on resources if team has admin role on the resource)
Member (gets roles assigned to team/can see other team users and their roles)
Read (can see other team users and their roles)

In practice, most organizations do not use team roles other than Member. Instead, team membership is managed through an external authentication source, or the Organization Administrator and System Administrator roles are used for administrative purposes and System Auditor for auditing requirements instead of Read on individual teams.

Organizations

Roles in an org:

Execute (execute job templates/workflow job templates)
Admin (full access on everything in an org)
Project Admin (full access incl. create on all projects)
Inventory Admin (full access on inventories, inc. create)
Credential Admin (manage all credentials)
Workflow Admin (manage all workflows)
Notification Admin (manage all notifications)
Job Template Admin (can make changes to non-sensitive fields)
Execution Environment Admin (manage all execution environments)
Auditor (RO access to the org)
Read (read permission to org only/see users and their roles/does not inherit roles on objects)
Approve (approve/deny workflow approval)

Project + Inventory Admin --> Create job templates
Project + Inventory + Job Template Admin --> Full control over job templates

references:

8. Users — Automation Controller User Guide v4.3 (ansible.com)
7. Organizations — Automation Controller User Guide v4.3 (ansible.com)

Ansible Import

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 18 Jan 2023 14:17:00 GMT

Previous versions used include directive. Which had issues (confusing and error-prone).
So, it was deprecated.

There are two things we can do:

include (dynamic)
import (static)

Play related

import_playbook

the import_playbook feature can only be used at the top level of a playbook and cannot be used inside a play. If you import multiple playbooks, then they will be imported and run in order.

Task related

include_tasks, import_tasks

Plays/tasks can be variablized for reuse.
For example, instead of

---
  - name: Install the httpd package
    yum:
      name: httpd
      state: latest
  - name: Start the httpd service
    service:
      name: httpd
      enabled: true
      state: started

It can be variablized as

---
  - name: Install the {{ package }} package
    yum:
      name: "{{ package }}"
      state: latest
  - name: Start the {{ service }} service
    service:
      name: "{{ service }}"
      enabled: true
      state: started

And variables set like so:

tasks:
    - name: Import task file and set variables
      import_tasks: task.yml
      vars:
        package: httpd
        service: httpd

references:

Windows DNS issue

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 04 Jan 2023 08:46:00 GMT

Error

Resolution has multiple canonical names. Resolves couple of hops, but fails on 3rd/4th step.

** server can't find example.example.example.com : NXDOMAIN

Example:
Non-authoritative answer:
insights.viva.office.com        canonical name = vi-prod-afd-gca7e3d5gcbzf0c7.z01.azurefd.net.
vi-prod-afd-gca7e3d5gcbzf0c7.z01.azurefd.net    canonical name = region-azurefd-prod-ts1.trafficmanager.net.
region-azurefd-prod-ts1.trafficmanager.net      canonical name = dual.part-0017.t-0009.t-s1-msedge.net.
dual.part-0017.t-0009.t-s1-msedge.net   canonical name = part-0017.t-0009.t-s1-msedge.net.
Name:   part-0017.t-0009.t-s1-msedge.net
Address: 13.107.229.28
Name:   part-0017.t-0009.t-s1-msedge.net
Address: 13.107.228.28
Name:   part-0017.t-0009.t-s1-msedge.net
Address: 2620:1ec:4b::28
Name:   part-0017.t-0009.t-s1-msedge.net
Address: 2620:1ec:4a::28

Resolution

Forwarder does not exist for this 3rd/4th domain. So create conditional forwarder for this domain to the external/dmz dns server.

references:

VMware convert eager zeroed disk to lazy zeroed

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 Jan 2023 12:15:00 GMT

Conversion to lazy zeroed might not work, so better to convert disk to thin. and then do vmotion to lazy zeroed.

vmkfstools -i /vmfs/volumes/datastoreName/VMName/VMName.vmdk /vmfs/volumes/datastoreName/VMName/temp/VMName.vmdk -d zeroedthick


vmkfstools -i /vmfs/volumes/myVMFS/templates/gold-primary.vmdk /vmfs/volumes/myVMFS/myOS.vmdk -d thin

references:
Solved: clone virtual disk eager zero to lazy zeroed - VMware Technology Network VMTN
Cloning or Converting a Virtual Disk or RDM (vmware.com)

Ansible configuration

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Dec 2022 11:14:00 GMT

Default config file locations in order of precedence

ANSIBLE_CONFIG environment variable
./ansible.cfg
~/.ansible.cfg
/etc/ansible/ansible.cfg (Only used if no other config file found)

references:

Ansible inventory

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Dec 2022 10:08:00 GMT

Host groups

Two host groups always exist:

The all host group contains every host explicitly listed in the inventory
The ungrouped host group contains every host explicitly listed in the inventory that is not a member of any other group.

Nested groups

Specified by using :children suffix.
Example:

[usa]
washington1.example.com
washington2.example.com

[canada]
ontario01.example.com
ontario02.example.com

[north-america:children]
canada
usa

Default location

/etc/ansible/hosts

To override use the -i switch.

Commands

# To list ungrouped hosts
ansible ungrouped --list-hosts

references:

Ansible way

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Dec 2022 08:48:00 GMT

simple
readable
declarative (i.e. not like scripting language, but rather states you want)

Full text

Complexity Kills Productivity

Simpler is better. Ansible is designed so that its tools are simple to use and automation is simple to write and read. You should take advantage of this to strive for simplification in how you create your automation.

Optimize For Readability

The Ansible automation language is built around simple, declarative, text-based files that are easy for humans to read. Written properly, Ansible Playbooks can clearly document your workflow automation.

Think Declaratively

Ansible is a desired-state engine. It approaches the problem of how to automate IT deployments by expressing them in terms of the state that you want your systems to be in. Ansible's goal is to put your systems into the desired state, only making changes that are necessary. Trying to treat Ansible like a scripting language is not the right approach.

references:

Ansible execution behaviour

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Dec 2022 08:42:00 GMT

module defines the state in which something should be.
when used in a task, following things happen

if system is not in the required state, task should put it in that state
if system is in the required state, it does nothing
if task fails, default behaviour is to abort the rest of the playbook for the hosts that had a failure

references:

Windows disable ipv6

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Dec 2022 12:01:00 GMT

Powershell

Get-NetAdapterBinding | Where-Object ComponentID -EQ 'ms_tcpip6'

Disable-NetAdapterBinding -Name 'Ethernet' -ComponentID 'ms_tcpip6'

Registry

Location: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\
Name: DisabledComponents
Type: REG_DWORD
Min Value: 0x00 (default value)
Max Value: 0xFF (IPv6 disabled) Decimal 255

New-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip6\Parameters\" -Name DisabledComponents -Value 255 -PropertyType DWORD -Force

references:
How to Disable IPv6 on Windows (adamtheautomator.com)
Configure IPv6 for advanced users - Windows Server | Microsoft Learn

diskpart

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 20 Dec 2022 09:36:00 GMT

Online/Offline disk

list disk
select disk 1
offline disk

or 

online disk

references:

Disable firewall with powershell

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 20 Dec 2022 08:27:00 GMT

Get status

Get-NetFirewallProfile | Format-Table Name, Enabled

Disable

Get-NetFirewallProfile | Set-NetFirewallProfile -Enabled False

references:

Install VMware tools on Windows server core

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 20 Dec 2022 08:18:00 GMT

Click Install VMware tools on vCenter/Mount the iso.
gwmi win32_logicaldisk to find the vmware disk.
cd to vmware directory.
Run setup64.exe. Window will come up, Next, Next.

references:

Import csv data into infoblox

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 14 Dec 2022 06:38:00 GMT

references:
Importing and Exporting Data using CSV Import - Infoblox NIOS 8.4 - Infoblox Documentation Portal

Powershell exe location

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 09 Dec 2022 15:06:00 GMT

C:\Windows\System32

# For scheduled task

C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe

references:

ESXi hosts showing out of sync with distributed switch

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 05 Dec 2022 12:21:00 GMT

Fix:

Move all attached virtual machines to another host or to a standard switch.
1. A new standard switch can be built using one of the physical adapters that passes the correct VLANs from the vDS. See the note below on Load Balancing information.
Move all vmkernels from the vDS to a standard switch.
1. Again, a new standard switch can be built using one of the physical adapters that passes the correct VLANs from the vDS. See the note below on Load Balancing information.
Remove any remaining physical adapters from the vDS.
Remove the host from the vDS. Click Home > Networking. Right click the vDS, click Add and Manage Hosts > Remove Hosts, and follow the wizard.
Add the host back to the vDS along with its vmkernels, physical adapters, and VMs.

references:
ESXi hosts showing out of sync with distributed switch (76959) (vmware.com)

Windows extend volume blocked by partition

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 05 Dec 2022 09:20:00 GMT

Run diskpart

list disk

select disk *

list partition

select partition *

delete partition override

references:
Fixed: Cannot Extend Volume Blocked by a Recovery Partition on Windows 10 (diskpart.com)

Curl

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 25 Nov 2022 11:56:00 GMT

curl -H "Content-Type: application/json" --data @body.json http://localhost:8080/ui/webapp/conf

From postman, this can be exported as well. the curl command.

references:
rest - How do I POST JSON data with cURL? - Stack Overflow

Run powershell as admin

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 24 Nov 2022 10:20:00 GMT

Start-Process powershell -Verb RuAs

references:

Windows corrupt profile issue

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 24 Nov 2022 08:47:00 GMT

Event: Windows has backed up this user profile. Windows will automatically try to use the backup profile the next time this user logs on.

Fix

Requires reboot

Get your SID from whoami /user command.
Go to the following path: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\ProfileList.
If sid exists with sid and sid.bak. Delete both the folders, one after the other. Logout and login.
1. Delete sid folder.
2. Rename sid.bak to sid.
3. Double-click ProfileImagePath to modify its value name, enter the correct path of the user profile folder and select OK.
4. Verify that the State DWORD value of the SID key is 0 and then close the Registry Editor.

references:
How to Fix a Corrupt User Profile in Windows 10 (helpdeskgeek.com)

Ansible Automation Platform

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 23 Nov 2022 11:12:00 GMT

Automation controller

types: control, hybrid, execution, and hop

Automation mesh

Control plane

Instances in the control plane run persistent automation controller services such as the the web server and task dispatcher, in addition to project updates, and management jobs.

Hybrid nodes

default. responsible for automation controller runtime functions and ansible-runner task operations.

Control nodes

execution capabilities disabled.

Execution plane

The execution plane consists of execution nodes that execute automation on behalf of the control plane and have no control functions

Execution nodes

default. Execution nodes run jobs under ansible-runner with podman isolation.

Hop nodes

redirect traffic to execution nodes/

references:
Chapter 1. Planning your Red Hat Ansible Automation Platform installation Red Hat Ansible Automation Platform 2.2 | Red Hat Customer Portal
Chapter 1. Planning for automation mesh in your Red Hat Ansible Automation Platform environment Red Hat Ansible Automation Platform 2.2 | Red Hat Customer Portal
Deploying Ansible Automation Platform 2.1 Reference Architectures 2021 | Red Hat Customer Portal
7. Clustering — Automation Controller Administration Guide v4.3.0 (ansible.com)
7. Installing Ansible Automation Platform — Ansible Tower Installation and Reference Guide v3.8.6

Vmware interop matrix

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 11 Nov 2022 13:43:00 GMT

Product Interoperability Matrix (vmware.com)

Can be used to compare interop between:

vCenter and esxi

Product Interoperability Matrix (vmware.com)

Upgrade Path

Product Interoperability Matrix (vmware.com)

references:
Product Interoperability Matrix (vmware.com)

Eventcomb tool Account lockout

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 09 Nov 2022 10:03:00 GMT

Steps

On the Searches menu, point to Built In Searches, and then click Account Lockouts.

All domain controllers for the domain appear in the Select To Search/Right Click To Add box. Also, in the Event IDs box, you see that event IDs 529, 644, 675, 676, and 681 are added.
In the Event IDs box, type a space, and then type 12294 after the last event number

4740 event ID on DC for account lock.

references:
How to use the EventCombMT utility to search event logs for account lockouts - Windows Server | Microsoft Learn

vCenter upgrade

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 07 Nov 2022 08:47:00 GMT

Overview

Verify plugin compatibility
Backup
Upgrade vCenter
Upgrade ESXi
Upgrade VMs

references:
vCenter Server Upgrade Options (vmware.com)
Overview of the vCenter Server Upgrade Process (vmware.com)

Windows enable quota

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 03 Nov 2022 09:14:00 GMT

Open the disk properties window, on which you want to enable quotas, go to the Quota tab. Then click Show Quota Settings:
To enable the quotas for this volume, check Enable quota management.
Deny disk space to users exceeding quota limit – prevent users who have exceeded the quota limit from writing to disk;
Limit disk space to — set a limit on the total size of files for one user;
Click on the Quota Entries button. You will see a resulting table showing quotas and the current size of the space used by each user (whose files are found on file system)
You must disable quotas for the system accounts NT Service\TrustedInstaller and NT AUTHORITY\SYSTEM, otherwise Windows may not work correctly.

references:
How to Enable and Configure User Disk Quotas in Windows? | Windows OS Hub (woshub.com)

Run remote command cmd

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 03 Nov 2022 09:09:00 GMT

Open cmd, admin.

WMIC /node:<computername> process call create “cmd.exe /c GPUpdate.exe /force”

references:
Run a command on a remote computer - Windows Forum - Spiceworks

keytab

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 01 Nov 2022 07:50:00 GMT

Keytab is a file that contains user account and an encrypted hash of that user account's password.

When you want to integrate Unix systems to AD, you can

type the password (in clear text) into a configuration file somewhere and maybe encrypt that
store an encrypted hash of the password in a keytab file

Option 2, is more secure.

How to create a keypass (using ktpass.exe)

The ktpass command must be run on either a member server or a domain controller of the Active Directory domain. Must be run as admin.
Note: if you re-create a keytab using the same SPN, you will need to (1) first ensure the application server config is pointed to the new keytab file name (if you've changed it) and (2) you will also need to restart the application service engine.

references:
Active Directory: Using Kerberos Keytabs to integrate non-Windows systems - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

SamAccount Name limit

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 01 Nov 2022 06:56:00 GMT

The sAMAccountName attribute is a logon name used to support clients and servers from previous version of Windows, such as Windows NT 4.0, Windows 95, Windows 98, and LAN Manager. The logon name must be 20 or fewer characters and be unique among all security principal objects within the domain.

references:
User Naming Attributes - Win32 apps | Microsoft Learn

Clean reboot a windows cluster

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 26 Oct 2022 11:37:00 GMT

Shutdown one node.
Reboot the other node.
Bring the first node up.

references:

Send a message to all logged in users

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 11 Oct 2022 12:00:00 GMT

msg * "Hallo, this is a test!"`

references:

Powershell install modules offline

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 11 Oct 2022 07:09:00 GMT

Download module and put it in below path on a VM that does not have internet access.

Save-Module -Name <modulename> -Path <localpath>

C:\Program Files\WindowsPowerShell\Modules

references:
Save-Module (PowerShellGet) - PowerShell | Microsoft Learn

Powershell install packages offline

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 11 Oct 2022 07:09:00 GMT

Download module and put it in below path on a VM that does not have internet access.

Save-Module -Name <modulename> -Path <localpath>

C:\Program Files\WindowsPowerShell\Modules

references:
Save-Module (PowerShellGet) - PowerShell | Microsoft Learn

Powershell search ad for a user

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 07 Oct 2022 16:01:00 GMT

$ADFilter = "*345" #anything which has 345 at end
Get-ADUser -Server $Domain -Filter { SamAccountName -like $ADFilter } -Properties *

references:

Grep Reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 29 Sep 2022 09:33:00 GMT

# n lines after searchterm
grep -An

# n lines before searchterm
grep -Bn

references:

PowerShell create custom object

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 29 Sep 2022 07:29:00 GMT


#Example create hash, create ps custom object and export
# Useful for ceating outputs
$DSProperties = @{
	ClusterName = $DSClusterName
	DataStore = $DSName
	StorageTag = $DSTag
	CapacityGB = $TotalSpaceGB
	FreeSpaceGB = $FreeSpaceGB
	ProvisionedSpaceGB = $ProvisionedSpaceGB
	NumberOfVMs = $NumberOfVMs
}

$DSUtilReport = New-Object -TypeName PSCustomObject -Property $DSProperties
$DSUtilReport | 
	Select-Object ClusterName, DataStore, StorageTag, CapacityGB, FreeSpaceGB, ProvisionedSpaceGB, NumberOfVMs |
	Export-Csv -Path $DSReportPath -NoTypeInformation -NoClobber -Append -Encoding ASCII -Force

references:
PowerShell: Creating Custom Objects - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

Windows sysprep reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:30:00 GMT

Located: %WINDIR%\system32\sysprep\sysprep.exe

%WINDIR%\system32\sysprep\sysprep.exe /generalize /shutdown /oobe

Sysprep will remove language location settings, etc.
So let the server boot up, select region. Then shutdown and convert it to template.\

After bootup:

Select region
Remove IP
Remove any groups from local groups
Also cleanup all logs

Get-EventLog -LogName * | ForEach { Clear-EventLog $_.Log }

references:
Sysprep (Generalize) a Windows installation | Microsoft Learn
Boot Windows to Audit Mode or OOBE | Microsoft Learn

Windows local time change

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:27:00 GMT

w32tm /query /source
w32tm /config /syncfromflags:domhier /update
net stop w32time && net start w32time

references:

Windows activation

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:26:00 GMT

slmgr.vbs /skms <serverfqdn>
slmgr.vbs /ato

references:

Cscript.exe is not recognised

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:24:00 GMT

references:
http://triplescomputers.com/blog/casestudies/solution-cant-find-script-engine-vbscript-for-script/

Windows rpc server is unavailable

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:23:00 GMT

Issue: The RPC server is unavailable while trying to take Remote Desktop of 2003

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Create a new key selecting Dword and name it as IgnoreRegUserConfigErrors
now double click it and give a value as 1

references:

AD join fails with The Revision Level is Unknown

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:17:00 GMT

When trying to join to workgroup, or join domain, we get the message:
"The Revision Level is Unknown"

To workaround this behavior:

Log on locally with Administrator privileges.
Use the registry Editor to grant the your account Full Control of the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets$MACHIN E.ACC registry key.
Delete the HKEY_LOCAL_MACHINE\SECURITY\Policy\Secrets$MACHIN E.ACC registry key.
Shutdown and restart your computer.
Log on locally with Administrator privileges.
Join a WORKGROUP and restart your computer.
Log on locally with Administrator privileges.
Join your domain.
Shutdown and restart your computer.
Logon to your domain.

Note:

The registry HKEY_LOCAL_MACHINE\SECURITY might not have anything visible with the local account you use to login. In order to workaround that:

Download PSTools (https://download.sysinternals.com/files/PSTools.zip)
Extract.
Run:

psexec -i -s c:\windows\regedit.exe

Then do the above workaround.

references:

VSS writers in failed state

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:15:00 GMT

Restart services based on below:

VSS Writer        Service Name        Service Display Name
ASR Writer        VSS        Volume Shadow Copy
BITS Writer        BITS        Background Intelligent Transfer Service
COM+ REGDB Writer        VSS        Volume Shadow Copy
DFS Replication service writer        DFSR        DFS Replication
DHCP Jet Writer        DHCPServer        DHCP Server
FRS Writer        NtFrs        File Replication
FSRM writer        srmsvc        File Server Resource Manager
IIS Config Writer        AppHostSvc        Application Host Helper Service
IIS Metabase Writer        IISADMIN        IIS Admin Service
Microsoft Exchange Writer        MSExchangeIS        Microsoft Exchange Information Store
Microsoft Hyper-V VSS Writer        vmms        Hyper-V Virtual Machine Management
NTDS        NTDS        Active Directory Domain Services
OSearch VSS Writer        OSearch        Office SharePoint Server Search
OSearch14 VSS Writer        OSearch14        SharePoint Server Search 14
Registry Writer        VSS        Volume Shadow Copy
Shadow Copy Optimization Writer        VSS        Volume Shadow Copy
SPSearch VSS Writer        SPSearch        Windows SharePoint Services Search
SPSearch4 VSS Writer        SPSearch4        SharePoint Foundation Search V4
SqlServerWriter        SQLWriter        SQL Server VSS Writer
System Writer        CryptSvc        Cryptographic Services
TermServLicensing        TermServLicensing        Remote Desktop Licensing
WINS Jet Writer        WINS        Windows Internet Name Service (WINS)
WMI Writer        Winmgmt        Windows Management Instrumentation

references:
https://support.arcserve.com/s/article/209606286?language=en_US

Windows make disk active

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:14:00 GMT

After migration if VM does not boot:

diskpart
list disk
select disk #
list partition
select partition #
active

references:

Windows Alternate Keys

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:13:00 GMT

How to right click

Shift + F10

Alt-Tab inside RDP

Alt+Shift+Tab

references:

Compare two directories

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:10:00 GMT

dir /s /b > flatfile.txt

Compare pre and post files with fc (file-compare) or powershell using

$File1 = Get-Content file1.txt
$File2 = Get-Content file2.txt
Compare-Object $File1 $File2

Powershell script

Use powershell script for comparisons.

$Dir = "C:\Users\smigmgmt\Desktop\checks"
$Drive = ""
$PrePath = $Dir + "\$Drive" + "pre.txt"
$PostPath = $Dir + "\$Drive" + "post.txt"
$OutPutPath = $Dir + "\$Drive" + "diff.txt"
$Pre = Get-Content -Path $PrePath
$Post = Get-Content -Path $PostPath
Compare-Object -ReferenceObject $Pre -DifferenceObject $Post |
    Select-Object InputObject, SideIndicator |
    Out-File -FilePath $OutPutPath -Width 1000

references:

Windows make link

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:09:00 GMT

mklink /d \MyFolder <Share Path>

references:
mklink

Platespin iperf to check connectivity

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:04:00 GMT

Download iperf from:

To start any port using iperf:

iperf -s -p <port>

On target vm

![[lperf_platespin.png]]

references:

Platespin FIPS Error

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 10:00:00 GMT

Error:
Exception has been thrown by the target of an invocation.
This implementation is not part of the Windows Platform FIPS validated cryptographic algorithms.

You can enable PlateSpin Migrate to suppress errors for non-compliant FIPS algorithms.

In a text editor, open the ofxcontrollerexecution.exe.config file found in this folder:

<install folder>\PlateSpin Migrate Server\Controller\Packages\0\C863075B-8130-4d29-893B-70FF2AD9308C\1

Add the following element to the runtime section of the file:

<configuration>
    <runtime>
         ...
        <enforceFIPSPolicy enabled="false"/>
    </runtime>
</configuration>

Save your changes.

references:
https://www.microfocus.com/documentation/platespin/platespin-migrate-2019-11/migrate-user/bug1125663.html?view=print

Platespin scheduling target machine for provisioning fails

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:59:00 GMT

Scheduling target machine for provisioning fails with
NPART Error: code=28 msg=Device sdb does not have enough free space. (No space left on device)

On the target VM, press:
Alt F2
or
CTRL ALT F2.
At the prompt press 0 to go to a shell. Once you are at the shell run the following commands:

dd if=/dev/zero of=/dev/sda  bs=512M count=1 conv=sync
dd if=/dev/zero of=/dev/sdb  bs=512M count=1 conv=sync
dd if=/dev/zero of=/dev/sdc  bs=512M count=1 conv=sync

Once that is complete please reboot the target, run the discovery again and let me know if you still are running into a problem partitioning the target volumes.

references:

Platespin SQL queries

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:57:00 GMT

USE protection;
SELECT Id, SourceMachineDisplayName, discoverySourceAddress
FROM Workloads;

DELETE
FROM Workloads
WHERE Id = '';

references:

Platespin install

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:55:00 GMT

Automated

If proxy is enabled. Then run the powershell script.

Manual

Installing Visual C++ 2013. To install VC++ 2013 on the planned Migrate server:
1. Extract the PlateSpinMigrateSetup-2019.5.0.x.exe to a location on the planned server host for PlateSpin Migrate.
2. In a file browser, navigate to the ..\Migrate-2019_5\PlateSpinImage\VCruntime-x64 folder.
3. Run vcredist_x64.exe as Administrator.
Installing SQL Server Native Client
1. Download: https://www.microsoft.com/en-us/download/details.aspx?id=50402
2. And install.
Install dot net core
1. Download: https://download.visualstudio.microsoft.com/download/pr/a46ea5ce-a13f-47ff-8728-46cb92eb7ae3/1834ef35031f8ab84312bcc0eceb12af/dotnet-hosting-2.2.3-win.exe
2. And install.
Now run the script for pre-requisite to install everything.

references:
https://www.microfocus.com/documentation/platespin/platespin-migrate-2019-5/migrate-install/install-prereq-sw.html#silent-install-vcplusplus](https://www.microfocus.com/documentation/platespin/platespin-migrate-2019-5/migrate-install/install-prereq-sw.html#silent-install-vcplusplus)

Velero install

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:54:00 GMT

Fresh install

Extract the tarball.


tar -xvf velero-v1.6.0-linux-amd64.tar.gz

Move the velero* file from velero directory to /usr/local/bin/


mv velero /usr/local/bin/

Configure velero

Refer compatibility matrix to figure out which version of plugin goes with which version of velero.


velero install --provider aws --bucket velero --secret-file ./credentials-velero  --use-volume-snapshots=false --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://10.47.19.232:9000  --use-restic --plugins velero/velero-plugin-for-aws:v1.0.0 –wait

velero install --provider aws --bucket velero --secret-file ./credentials-velero  --use-volume-snapshots=false --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://10.47.20.119:9000  --use-restic --plugins velero/velero-plugin-for-aws:v1.0.0 –wait

Check install Status


kubectl logs deployment/velero -n velero

Annotate pods.


python pod_vol_restic_scan.py -n cisco

Create backup.


velero backup create backup-20220621 --include-namespaces=cisco --wait --ttl 48h0m0s

List backups.


velero backup get

velero backup create backup-20220308 --include-namespaces=cisco --wait

velero restore create --from-backup

04 Op Ccs Velero

Create backup schedule

14 days = 336 hrs

10 days = 240 hrs

07 days = 168 hrs


velero schedule create ccs-prod --schedule="@every 24h" --include-namespaces=cisco --ttl 192h0m0s

Velero backup list


velero backup get

Velero take backup


velero backup create backup-20210819 --include-namespaces=cisco --wait --ttl 48h0m0s

Delete backup


velero backup delete [backup_name]

kubectl delete namespace/velero clusterrolebinding/velero

cp velero-v1.3.2-linux-amd64.tar.gz /home/restore/

tar -xvf velero-v1.3.2-linux-amd64.tar.gz

cd velero-v1.3.2-linux-amd64

mv velero /usr/local/bin/

velero install --provider aws --bucket velero --secret-file ./credentials-velero --use-volume-snapshots=false --backup-location-config region=minio,s3ForcePathStyle="true",s3Url=http://10.47.20.119:9000 --use-restic --plugins velero/velero-plugin-for-aws:v1.0.0 –wait

references:

CloudRemote docker related

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:53:00 GMT

## Docker get exited containers count

docker ps -a -q -f status=exited | wc -l

## Docker remove exited containers

docker rm -v $(docker ps -a -q -f status=exited)

docker logs -v $(docker ps -a)

references:

Install cliqr agent for vmware cloud

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:51:00 GMT

.\cliqr_installer.exe /CLOUDTYPE=vmware /CLOUDREGION=defau1t

Download from agents file the cliqr_installer.exe

references:

Upgrade cloud remote

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:50:00 GMT

To upgrade Cloud Remote (script available in the Cloud Remote artifact file mentioned in the section above) in your Workload Manager or Cost Optimizer
system, follow this procedure for each instance of Cloud Remote.
Locate the Cloud Remote upgrade script at software.cisco.com and copy it to a directory in your Cloud Remote instance.
Establish a terminal session to the Cloud Remote instance and navigate to the directory containing the upgrade script.
Run the following commands from the Cloud Remote command prompt.

chmod +x UPGRADE_FILE
sudo ./ UPGRADE_FILE

Confirm the successful execution of the script.

references:

Extend volume

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:49:00 GMT

lvextend -L +2G <FS> -r

references:

Remove vmware tools

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:47:00 GMT

Remove from all three locations:

HKLM \Software\Microsoft\Windows\CurrentVersion\uninstall
HKLM\Software\Classes\Installer\Products
HKEY_CLASSES_ROOT\Installer\Products

references:
https://www.vladan.fr/how-to-remove-vmware-tools-manually-if-uninstall-or-upgrade-finish-with-error/

VMware increase max NFS on an ESXi

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:41:00 GMT

Default number is 8.
ESXi 6.0/6.7/7.0 : Set NFS.MaxVolumes to 256

references:
KB2239

VMware SNMP troubleshooting

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:36:00 GMT

Tcpdump command to capture outgoing packets

tcpdump-uw -v -i vmk# -n -T snmp udp and port 161
# typically port 162; if custom ports are configured use those

references:
VMware KB

Velero does not delete expired backups automatically

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:35:00 GMT

When scheduled backup reach their TTL, the deletion process is started but gets stuck in status Deleting. The contents are properly deleted, while volume snapshots stay (causing space issue).
To manually delete backups that are stuck in Deleting state:


kubectl delete backups.velero.io -n velero <backup_name>

references:

UCS CLI reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:34:00 GMT

Ucs Cheatsheet

show interface trunk
show service-profile circuit server 3/3

UCS nxos/network/troubleshooting

connect nxos

# show npv flogi-table

# show mac address-table

UCS NIC related

## For overview
# show interface brief


## For particular interface status

# show interface fc1/2

## To check utilization

Shows if anything is on the interface which has issue
# show npv flogi-table
--------------------------------------------------------------------------------
SERVER                                                                  EXTERNAL
INTERFACE VSAN FCID             PORT NAME               NODE NAME       INTERFACE
--------------------------------------------------------------------------------
vfc711    1    0x15070e 20:00:00:25:b5:01:b0:8f 20:00:00:25:b5:01:00:ff fc1/4
vfc747    1    0x150601 20:00:00:25:b5:01:b0:0f 20:00:00:25:b5:01:00:6f fc1/3
vfc753    1    0x150402 20:00:00:25:b5:01:b0:2f 20:00:00:25:b5:01:00:8f fc1/1
vfc759    1    0x15043b 20:00:00:25:b5:01:b0:1f 20:00:00:25:b5:01:00:7f fc1/1
vfc815    1    0x15043d 20:00:00:25:b5:01:b0:6f 20:00:00:25:b5:01:00:ef fc1/1
vfc821    1    0x150710 20:00:00:25:b5:01:b0:7f 20:00:00:25:b5:01:00:bf fc1/4
vfc827    1    0x150705 20:00:00:25:b5:01:b0:ff 20:00:00:25:b5:01:00:4f fc1/4
vfc839    1    0x150704 20:00:00:25:b5:01:b0:ef 20:00:00:25:b5:01:00:2f fc1/4

references:

UCS Commands

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:34:00 GMT

Ucs Cheatsheet

show interface trunk
show service-profile circuit server 3/3

references:

Install terraform on ubuntu

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:33:00 GMT

Install terraform on Ubuntu server

Add the HashiCorp GPG key.


curl -fsSL https://apt.releases.hashicorp.com/gpg | sudo apt-key add -

Add the official HashiCorp Linux repository.


sudo apt-add-repository "deb [arch=amd64] https://apt.releases.hashicorp.com $(lsb_release -cs) main"

Add the official HashiCorp Linux repository.


sudo apt-get update && sudo apt-get install terraform

export HTTP_PROXY=http://172.21.21.5:3128

export HTTPS_PROXY=https://172.21.21.5:3128

Terraform Azure Examples

VM Config

Extend LVs

Check physical volumes.

pvs

Extend partition to fill available space. Use growpart.


growpart /dev/sda 3

Resize physical volume. Use pvresize


pvresize /dev/sda3

List logical volumes.

lvs

Extend logical volumes.


lvextend ubuntu-vg/homelv -L 3GB -r

references:

Solarwinds IPAM reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:32:00 GMT

Python

Powershell

Concurrent calls return the same IP

Thwack Reference

When making concurrent calls, i.e. concurrent find first IP and reserve it, it will always have a chance of returning the same result, as these call are without transactional support.

Hence, we use StartIpReservation/FinishIpReservation/CancelIpReservation trio of verb calls on IPAM.SubnetManagement to make sure that this does not happen.

Alternate approach is to use a random sleep in the command such that concurrent calls don't go in. But it doesn't make sense to put in longer than 10 sec sleep. And the more the number of VMs in the deployment (10 for example) the higher the chances of two random sleeps being the same, and hence the same issue.

So, we decided to go with the 1st method. The official method.

CRUD updates references

https://github.com/Wyko/DeployACI/blob/85e1988232ca66fbecfcebad5eb97758b06c1cf6/deployaci/swipam.py#L132

IPAM reference

Example:


Set-SwisObject $swis -Uri 'swis://localhost/Orion/IPAM.Subnet/SubnetId=100,ParentId=2' -Properties @{VLAN='test'}

references:
SWIS REST API Port Deprecation, did you know? - Orion SDK - The Orion Platform - THWACK (solarwinds.com)

Robocopy reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:31:00 GMT

robocopy-command

net use "" /user:<domainid>
robocopy "" "" /E /COPYALL /R:0 /W:0 /FP /ZB /LOG+:C:\Robologs\F.txt /TEE /MT:128

# Create folder structure only.  
robocopy "source" "target" /e /xf *

# Copy 
Get-ChildItem -Path $Path -Recurse -File | Copy-Item -Destination "\\opflttru16-52.op.okobank.com\RMK\Burana\Ad-hoc_History_Load\LOAD" -Exclude 'buranaout_*'

references:
Robocopy and a Few Examples - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)
itprolink
online link

Linux disable ipv6

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:30:00 GMT

RHEL-disable-ipv6

vi /etc/sysctl.d/ipv6.conf
net.ipv6.conf.all.disable_ipv6 = 1
sysctl -p /etc/sysctl.d/ipv6.conf
dracut -f

references:

Remove cloud-init

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:29:00 GMT

Remove-cloud-init

Stop services

systemctl stop cloud-init.service
systemctl disable cloud-init.service
systemctl stop cloud-init-local.service
systemctl disable cloud-init-local.service
systemctl stop cloud-config.
systemctl stop cloud-config.service
systemctl disable cloud-config.service
systemctl stop cloud-final.service
systemctl disable cloud-final.service

Remove cloud-init

### Find cloud-init pakage
rpm -qa | grep cloud-init

### Remove the package found in step above
rpm -e <cloud-init*>

references:

Powershell Issues with Returned Values from Remote Sessions

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:27:00 GMT

Issue Description

In case of using Get-Child/Get-ChildItem to return registry values, the returned output is formatted according to the local system even if you ran the command remotely. [^1]

This behaviour is because of the fact that PowerShell returns a calculated Property value alongside the Get-Item/Get-ChildItem values. This is useful when running the command locally, but when running the command remotely, the returned output is compared against the local copy of the registry. This causes issues, as referenced in [1] and also when developing the script to get proxy details.

Cause

The root cause is a bug in the formatting instructions for registry keys (as of Windows PowerShell 5.1.18362.125 and PowerShell Core 7.0.0-preview.2) leading to the unexpected mix of remote and local information - see this GitHub issue.

From the bottom of $PSHOME\Registry.format.ps1xml for type Microsoft.Win32.RegistryKey:


<ScriptBlock>

  $result = (Get-ItemProperty -LiteralPath $_.PSPath |

      Select * -Exclude PSPath,PSParentPath,PSChildName,PSDrive,PsProvider |

      Format-List | Out-String | Sort).Trim()

  $result = $result.Substring(0, [Math]::Min($result.Length, 5000) )

  if($result.Length -eq 5000) { $result += "..." }

  $result

</ScriptBlock>

Fix/Work-around

When returning output, you can either return only the values you require as a custom PS custom object.
Use | fl*
In my case, run all the queries as part of script block. Create a PS Custom object with values I require, and then return it after everything is done.

references:
[1]: (StackOverflow Post)https://stackoverflow.com/questions/57400948/invoke-command-on-remote-session-returns-local-values

PowerShell DNS reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:07:00 GMT

Powershell General Commands

Find DNS record

Get-DnsServerResourceRecord -ZoneName "kehi.okobank.net" | Where-Object {$_.HostName -eq 'devopstester'}

# DNS record based on type

Create DNS record

references:
PowerShell-DNS-Reference
Add-DnsServerResourceRecord (DnsServer) | Microsoft Learn

Powershell Centos Reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 26 Sep 2022 09:05:00 GMT

Linux Directories

$PSHOME is /opt/microsoft/powershell/7/
User profiles are read from ~/.config/powershell/profile.ps1
Default profiles are read from $PSHOME/profile.ps1
User modules are read from ~/.local/share/powershell/Modules
Shared modules are read from /usr/local/share/powershell/Modules
Default modules are read from $PSHOME/Modules
PSReadLine history is recorded to ~/.local/share/powershell/PSReadLine/ConsoleHost_history.txt

references:

Platespin Windows PreReqs

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Sep 2022 07:05:00 GMT

PlateSpinPrechecks

• Disable UAC
• .Net 3.5
• 1 GB free on OS drive
• Admin$ IPC$, C$ Share enabled and shoudl be accessible from Platespin server
• Verify WMI is enabled - Start -> Run -> wbemtest
• Verify DCOM installed and running on all servers in Migrate - Start -> Run -> dcomcnfg
• VSS Service (Snapshot) to be enabled
• Make sure there is 10% free space (In all the partitions / Volumes / LVMs) and VSS Snapshot enabled
• Dependency (Firewall, IP Filters) " Refer to KB Article to https://www.netiq.com/support/kb/doc.php?id=7920341
• Ensure hostname is responding back on Prod IP

Cluster Specific pre checks

Discover the active node as a Windows Cluster
All the instances to be on single node and secondary node to be paused in failover cluster so that during the platespin copy instances should not failover to other node
Minimum 10% free space should be available
On the source server, we would require volume details with drive letters
Screenshot of failover cluster, instances and quorum details required.
On the target server once server is up, team to validate the volume and drive letters and rectify the change in case there is a change
To open the failover cluster, we require domain rights and reconfigure the cluster with proper volume and drive letters.

• On PlateSpin Server DiscoverActiveNodeAsWindowsCluster=False (default is True)
• Domain Account to access the Failover cluster Manager to check source settings like Disk Order, other dependency
• Ensure resources are running on one node

references:

Openstack cheat sheet

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Sep 2022 07:02:00 GMT

Openstack Cheat Sheet

Volume

openstack volume create --size 25 --description 7OCIWPPOCAP01_DATA_DISK1 --type OP-ES-OPPT-T2 7OCIWPPOCAP01_DATA_DISK1

nova volume-attach 7OCIWPPOCAP01 58fdd51a-e3bc-4d80-983d-e8d9f2828094

Compute

nova interface-list {hostname}
nova interface-detach {hostname} {port-id}

Network

gbp group-list
openstack port list
openstack port delete {port-id}
openstack port show {port-id}

Remove interface

nova interface-list 7OGBWPCENAP01
nova interface-detach 7OCIWPSWAPE16 8e4237df-9dec-4f59-9316-89a56ce97ddc
neutron port-delete 52a02dbb-36d8-4ac6-8042-28a48dd9a98a
nova interface-attach --port-id 93610a8b-4003-473f-a9b0-64e403f123e7 7OGBWPSAPAP02

Reserve IPs

epg-Trusted-Devops-Test


gbp policy-target-create --policy-target-group epg-Trusted-Devops-Test --fixed-ip subnet_id=8996ed17-fff7-4742-84cb-b4466102cc4e,ip_address=10.45.59.252 SWIPAM_rsrvd_ip

epg-Trusted-Devops-Prod


gbp policy-target-create --policy-target-group epg-Trusted-Devops-Prod --fixed-ip subnet_id=f4861689-8893-4934-8662-9b1835581cd2,ip_address=10.45.59.252 SWIPAM_rsrvd_ip

  
  

gbp policy-target-create --policy-target-group epg-Trusted-Devops-Prod 7OGBWPMCIAP01_rsrvd_ip

nova interface-attach --port-id 03294e0d-3eb0-40da-a55b-d072459dd7e1 7OGBWPMCIAP01

nova interface-detach 7OGBWPMCIAP01 39beb2a3-93ec-441d-bfcd-84abfde63c44

neutron port-delete 39beb2a3-93ec-441d-bfcd-84abfde63c44

epg-Heartbit-L2-Vlan-267


gbp policy-target-create --policy-target-group epg-Heartbit-L2-Vlan-267 --fixed-ip subnet_id=e2377dc9-9f69-462e-9e8f-0f60f7464cf1,ip_address=10.45.181.119 5OCIWTEXGAP02_rsrvd_ip

nova interface-attach --port-id fa474fa4-5955-41ec-9224-af544e337e3f 5OCIWTEXGAP02

gbp policy-target-create --policy-target-group epg-Heartbit-L2-Vlan-267 --fixed-ip subnet_id=e2377dc9-9f69-462e-9e8f-0f60f7464cf1,ip_address=10.45.181.120 7OCIWTEXGAP01_rsrvd_ip

nova interface-attach --port-id f1b00083-c2b3-4fc9-8b21-fa696c87393e 7OCIWTEXGAP01

epg-Audit-Zone


gbp policy-target-create --policy-target-group epg-Audit-Zone --fixed-ip subnet_id=76eedfa2-6362-4bae-9a0d-e334e196e4f2,ip_address=10.45.128.47 5OCILPBCTAP01_rsrvd_ip

gbp policy-target-create --policy-target-group epg-Audit-Zone --fixed-ip subnet_id=76eedfa2-6362-4bae-9a0d-e334e196e4f2,ip_address=10.45.128.48 5OCILPBCTAP02_rsrvd_ip

epg-OP-Trusted-Devops-Prod-VLAN3262


gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=10.129.102.210

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

gbp policy-target-create --policy-target-group epg-OP-Trusted-Devops-Prod-VLAN3262 --fixed-ip subnet_id=c5c6c497-707f-4ca5-b18d-b47155c96c66,ip_address=

epg-OP-Trusted-Test2-VLAN3083


gbp policy-target-create --policy-target-group epg-OP-Trusted-Test2-VLAN3083 --fixed-ip subnet_id=5b943a39-0f06-4524-8253-eeee1a9dfcb2,ip_address=10.128.100.144 OGBWTAVACL01_rsrvd_ip

nova interface-attach --port-id cc615e5c-2558-4e0a-8225-58893988aa6b 7ogbwtdocap01

nova interface-detach 7ogbwtdocap01 58c53acd-135e-4dd8-a894-3112701b1630

neutron port-delete 58c53acd-135e-4dd8-a894-3112701b1630

epg-OP-Control-Zone


gbp policy-target-create --policy-target-group epg-OP-Control-Zone --fixed-ip subnet_id=2f04a7cb-c676-412b-9183-02122c8a4be8,ip_address=10.45.99.233 7oczlpecsap01_rsrvd_ip

epg-Trusted-FLT


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-Trusted-FLT --fixed-ip subnet_id=fb88cf28-91eb-400c-a10a-f04616e67346,ip_address=10.45.39.198 PRDISAM01_rsrvd_ip

epg-DMZ-FLT


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-DMZ-FLT --fixed-ip subnet_id=f2cecd7e-1bef-4610-82f9-307ec9a372ff,ip_address=10.45.4.150 7OGBLPIAMAP01_rsrvd_ip

epg-DMZ-Dev


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-DMZ-Dev --fixed-ip subnet_id=3686f7a3-7755-4d4f-80ce-2a5011ad735b,ip_address=10.45.23.201 5OGBLDIAMAP01_rsrvd_ip

epg-DMZ-Test 10.45.16.0/22


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-DMZ-Test --fixed-ip subnet_id=d1413a33-7a81-4563-a63f-fa0e0c9d4f02,ip_address=10.45.19.151 5OGBLTIAMAP01_rsrvd_ip

epg-trusted-test 10.45.48.0/22


gbp policy-target-create --policy-target-group epg-trusted-test --fixed-ip subnet_id=34c45edd-4e9b-4620-8efe-faef869aab9f,ip_address=10.45.51.235 OCIWTFTIFS01_rsrvd_ip

epg-trusted-test


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-trusted-test --fixed-ip subnet_id=0b3bf2dc-6d58-409e-8ece-ff36f4ade038,ip_address=10.45.244.234 MIFID2NTP03_rsrvd_ip

epg-Trusted-Dev


gbp policy-target-create --policy-target-group epg-Trusted-Dev --fixed-ip subnet_id=af8fcf51-42d4-455d-b3bb-061829db3652,ip_address=10.45.55.210 rhel79_rsrvd_ip

epg-OP-Trusted-FLT2-VLAN3100


gbp policy-target-create --policy-target-group epg-OP-Trusted-FLT2-VLAN3100 --fixed-ip subnet_id=8fea6f7f-b724-40ae-8fbd-f95f192c7fd1,ip_address=10.140.16.145 7ocilpmqaap01_rsrvd_ip

  

nova interface-attach --port-id cb8f7b39-fba8-4277-9d3d-10d6cded2a7d 7ogbwpft3ap01

nova interface-detach 7ogbwpft3ap01 97ddb931-3d4f-42fe-a34b-65094d21af8b

neutron port-delete 97ddb931-3d4f-42fe-a34b-65094d21af8b

epg-OP-FLT-Restricted-VLAN3225


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-OP-FLT-Restricted-VLAN3225 --fixed-ip subnet_id=667a81b0-67cb-40e6-b5ff-12cdf901d8a3,ip_address=10.128.175.156 7ocilpmdbdb01_gbpui

nova interface-attach --port-id 9381a2ce-09c9-4d90-a8a3-f07cbe772430 7ocilpmdbdb01

nova interface-detach 7ocilpmdbdb01 25dcba60-f09d-4bf9-92b9-2129fc51e4ca

neutron port-delete 25dcba60-f09d-4bf9-92b9-2129fc51e4ca

epg-OP-FLT-Trusted-VLAN3306


gbp policy-target-create --policy-target-group epg-OP-FLT-Trusted-VLAN3306 --fixed-ip subnet_id=c3f5b87d-c251-440b-9e9d-ab061686f398,ip_address=10.243.111.15 7OCILPHCPAP01_gbpui

epg-OP-Trusted-Tuki-VLAN3128


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-OP-Trusted-Tuki-VLAN3128 --fixed-ip subnet_id=97cd8e88-fd2f-4b26-81f3-cbcd2c49f0e1,ip_address=10.140.49.67 7OGBWPSAPAP02_gbpui

epg-OP-Trusted-Dev-VLAN3292


gbp policy-target-create --tenant-id 0ecd949fad4f4c6781515574ea37ba18 --policy-target-group epg-OP-Trusted-Dev-VLAN3292 --fixed-ip subnet_id=23ee9d7e-d711-4cbe-adce-e6c017853f12,ip_address=10.132.182.120 7ogbwddocap01_gbpui

nova interface-attach --port-id 7f603f40-79d4-491e-8846-62e251a6ed72 7ogbwddocap01

nova interface-detach 7ogbwddocap01 5e39b4a2-cb98-4273-b328-19c0a00bcc81

neutron port-delete 5e39b4a2-cb98-4273-b328-19c0a00bcc81

epg-Backup-Client


gbp policy-target-create --policy-target-group epg-Backup-Client 5OCIWPDLPAP01_gbpui

Create Volume


openstack volume create --size 50 --description 5OCILISSAP02_DATA_DISK1 --type OP-HE-LOPTT-T2 5OCILISSAP02_DATA_DISK1

openstack server add volume 7OGBWPCENAP01 6a34d3fb-bb38-4092-8682-867c39319c8c

openstack volume show 6a34d3fb-bb38-4092-8682-867c39319c8c

references:

VMware offline snapshots

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Sep 2022 06:36:00 GMT

Why?

When using multiple vCenters in the same Single Sign on Domain (Enhanced Linked Mode), there is high potential of corruption of the domain if no offline snapshots are taken of all nodes before the changes.

Revert

If a change must be reverted, all nodes of the Enhanced Linked Mode domain have to be restored back to this offline/consistent snapshot. All nodes must be reverted to the snapshots first, before powering any on.

Examples when this must be done

vCenter Server Updates (Full Version, Update Release, or Patch Release).
Using the lsdoctor tool to make any changes.
Adding a new vCenter Server to an existing SSO domain.
Retiring a vCenter Server from an existing SSO domain.
Certificate Replacement (Machine, CA, STS, etc).

Caution

Disable VCHA before taking snapshot backups.

references:
VMware vCenter in Enhanced Linked Mode pre-changes snapshot (online or offline) best practice (85662)

VMware using lsdoctor tool

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 22 Sep 2022 06:30:00 GMT

Options

Trustfix

This option corrects SSL trust mismatch issues in the lookup service. The lookup service registrations may have an SSL trust value that doesn’t match the MACHINE_SSL_CERT on port 443 of the node. This can be caused by a failure during certificate replacement, among other failures.

Steps

Before running this tool, need to take offline snapshots.
Unzip.

unzip lsdoctor.zip

Launching the tool.

# Trustfix option
python lsdoctor.py -t

Restart all services

service-control --status

## Stop all
service-control --stop --all

## Start
service-control --start --all

references:
Using the 'lsdoctor' Tool (80469) (vmware.com)

Kubernetes Pods Certificate Related

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:51:00 GMT

Rabbitmq Cert health status - should be ok for both

kubectl -n cisco exec -t cloudcenter-shared-rabbitmq-0 -- bash -c "openssl verify -verbose -CAfile /secrets/c2ssl/ca/ca_certificate.pem /secrets/c2ssl/cert/certificate.pem"

To check duration for certificates


kubectl get certs --all-namespaces  -o=custom-columns=NAME:.metadata.name,SECRET:.spec.duration

To check expiry date for certificates, sorted earliest expiry to latest

kubectl get cert -A -o jsonpath='{range .items[*]}{.status.notAfter}{"\t"}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"} {end}' | sort -n

kubectl -n cisco get secret -o wide | grep 'kubernetes.io/tls' | awk '{print $1}' | xargs -i sh -c "printf '%-50s; %-5s' {}; kubectl -n cisco get secret {} -o jsonpath='{.data.tls\.crt}' | base64 -d | openssl x509 -noout -enddate"

To check for expiry date for certificates


for s in `kubectl get secrets -n cisco | grep  "kubernetes.io/tls" | awk '{ print $1 }'`; do dend=`kubectl get secret $s -n cisco -o json | jq -r '.data."tls.crt"' | base64 -d | openssl x509 -enddate -noout`; echo $s\t$dend; done;

Instructions to perform activity for setting cert duration

There are actually 2 more things we will need to do, note that it will require a downtime.

Recreate the “duration” variable which was deleted from the certificate by the old (now removed) cert-manager.
Regenerate the certificate. Regarding this second point (steps 3 and 4 below), it should normally be done automatically, but the engineering team couldn’t give the guarantee that it will happen so they suggested to regenerate manually the certificates, which requires a downtime to restart the pods.

Here are script format of the different activities this will require.

Collect a backup of all the certificates and secrets in case something goes wrong (create a script and execute it):


#!/bin/bash

namespace="cisco"

mkdir -p $namespace

for n in $(kubectl -n $namespace get secrets -o custom-columns=:metadata.name | grep -v 'service-account')

do

    echo "Saving $namespace/secret_$n..."

    kubectl -n $namespace get secret $n -o yaml > $namespace/secret_$n.yaml

done

for n in $(kubectl -n $namespace get cert -o custom-columns=:metadata.name)

do

    echo "Saving $namespace/cert_$n..."

    kubectl -n $namespace get cert $n -o yaml > $namespace/cert_$n.yaml

done

Update the duration field in all the certificates (create a script and execute it):


#! /bin/bash

for s in $(kubectl -n cisco get certs -o=custom-columns=NAME:.metadata.name,SECRET:.spec.secretName | tail -n +2 | awk '{print $1}')

do

    kubectl patch cert $s --patch '{"spec": {"duration": "19680h"}}' --type=merge -n cisco

done

Delete the secrets storing the old certificates (run the command), ignore the error “error: resource(s) were provided, but no name, label selector, or --all flag specified”:


kubectl -n cisco get cert -o jsonpath='{range .items[*]}{.spec.secretName}{"\n"}' | awk '{cmd="kubectl -n cisco delete secret "$1; system(cmd)}'

Restart all the pods to regenerate the certificates (this generates a downtime of several minutes).


kubectl delete --all pods -n=cisco

Step 2 is required and can be performed whenever you want (I suggest to do it as soon as possible).

Regarding steps 3 and 4, either plan at your earliest convenience or first monitor the certificates to see if they get automatically renewed using the command below. This second option has the advantage to probably require no downtime, but require some monitoring.


kubectl get cert -A -o jsonpath='{range .items[*]}{.status.notAfter}{"\t"}{.metadata.namespace}{"\t"}{.metadata.name}{"\n"} {end}' | sort -n

The backup taken in step 1 can be restored using this script:


#!/bin/bash

namespace=cisco

echo "Restoring Opaque Secrets via YAML.."

for n in $namespace/*.yaml; do

        [ -f "$n" ] || break

        if [[ $n =~ "secret_" ]]; then

                echo "Restoring Secret via yaml file $n..."

                kubectl apply -f "$n"

        fi

done

echo "Restoring Certs via YAML"

for n in $namespace/*.yaml; do

        [ -f "$n" ] || break

        if [[ $n =~ "cert" ]]; then

                echo "Restoring Cert via yaml file $n..."

                kubectl apply -f "$n"

        fi

done

  

echo "Restarting all CCS Pods..."

kubectl delete --all pods --namespace=$namespace

references:

Kubernets certificate expiry fix

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:49:00 GMT

Cisco documentation

Kubernetes documentation

Kubernetes Alpha Kubeadm Documentation

Log in to a master node, and sudo su - to become root.
Backup your old certificates and keys. This is not required but recommended. Make a backup directory and copy these files to it.

$ sudo cp -a /etc/kubernetes/ .

Use kubeadm alpha certs to renew the certificates:


admin@ccs-52-rcdn-74601e81-d5f0-4178-mg-1-1201e401a1:/etc/kubernetes$ sudo kubeadm alpha certs renew all --v=5

Regenerate the kubernetes .conf files by kubeadm alpha kubeconfig:


kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf

kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf

kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf

kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf

If there is a file /etc/kubernetes/node.conf in the system, replace it with a copy of the new admin.conf file and edit it to replace the VIP with the local IP of the node:


cp /etc/kubernetes/admin.conf /etc/kubernetes/node.conf

vi node.conf

Export your new admin.conf file to your host.


cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

chown $(id -u):$(id -g) $HOME/.kube/config

chmod 777 $HOME/.kube/config

export KUBECONFIG=.kube/config

Reboot the master node via shutdown -r now.
Perform above steps for all master nodes.
Verify kubernetes status using kubectl get nodes.
Only do steps 19-25 on each worker IF they show as NotReady and having issues. On later clusters you might not have to do this. On one master, generate a new join token via kubeadm token create --print-join-command. Copy that command for later use.


[root@cx-ccs-prod-master-d7f34f25-f524-4f90-9037-7286202ed13a1 k8s-mgmt]# kubeadm token create --print-join-command

kubeadm join 192.168.1.14:6443 --token m1ynvj.f4n3et3poki88ry4

 --discovery-token-ca-cert-hash

sha256:4d0c569985c1d460ef74dc01c85740285e4af2c2369ff833eed1ba86e1167575

references:

Install stuff on alpine linux using apk

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:48:00 GMT

Command to install using local .apk file

apk add --no-cache --no-network --repositories-file=/dev/null --allow-untrusted /tmp/ca-certificates-20190108-r0.apk

references:

VMware remove datastores

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:47:00 GMT

Power down all VMs on the datastore you wish to remove.
Unregister all powered down VMs from inventory.
Unmount the datastore from all hosts.
Detach the device from all hosts.
Rescan for storage devices.

references:

Handling Reboots in Workload Manager

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:45:00 GMT

Reboots in CCS Workload manager are of two types:

Internal reboot, which happens during initialization
External reboot, which can be triggered by user.

There are separate workflows for both.

For reboots, during node initialization, the agent performs reboot after coming across the .cliqrRebootResumeInit file in OSMOSIX_HOME directory. We do not directly write to this file present in OSMOSIX_HOME directory, instead we write to the files present in tmp directory, present at root.

In the approach we are using, we create two files in the tmp directory, .cliqrRebootResumeInit (which the agent copies over to the OSMOSIX_HOME directory) and the .step file which keeps track of the number of reboots.

The .cliqrRebootResumeInit file contails the #!CliQrReboot: header flag which basically tells the agent which lifecycle flow to go to next.


Some options:

#!CliQrReboot:Current --> to resume the current lifecycle action

#!CliQrReboot:Next to resume to next step in the lifecycle actions

#!CliQrReboot:Deploy to resume from deploy service lifecycle actions

To use the .#!CliQrReboot: header, you must use ASCII encoding

references:

Remove IP from cluster NIC

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:43:00 GMT

To remove IP from the microsoft cluster nic

netsh interface ip set address “Local Area Connection” dhcp

references:

Assigning Multiple IPs to Single NIC

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:29:00 GMT

Issue:

When adding multiple IPs to a single NIC, DNS entry keep getting updated with the IPs which are not primary.

Fix:

To list IPs

Get-NetIPAddress -AddressFamily IPv4 | ft IPAddress, InterfaceAlias, SkipAsSource

Add new IP

New-NetIPAddress –IPAddress "10.45.38.22" –PrefixLength 22 –InterfaceAlias “Prod” –SkipAsSource $True

Set skip as source property

Get-NetIPAddress 192.168.1.92 | Set-NetIPAddress -SkipAsSource $False

references:
Online reference

Ucs Changing Mtu Value Results in Esxi Not Booting and Other Issues

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:26:00 GMT

Related to the following bug:
Cisco Link

Conditions

Issue is specific to UCS-FI-6332-16UP.

Only impacted on firmware >= 4.0. Earlier versions (3.2(3) and below) are NOT impacted.

Other Fabric Interconnect models are not affected

Issue occurs after change of System QOS from default values when FC ports were up/enabled from most recent boot.
Issue does not occur if System QOS has been changed from default values and Fabric Interconnect has been rebooted previously

Note: Default System QOS has only FC and Best Effort Ethernet enabled, with 50% weight each, with Normal MTU for Best Effort Ethernet.

Any System QOS configuration which differs from this is not a default configuration.

Most common trigger is to change Best Effort MTU to 9216 to allow Jumbo frames, however any System QOS change can trigger issue.

Immediately reverting the change does not recover the environment.

Workaround

If the domain has no FC workload (e.g. UCS domain is having initial setup done), then:

Disable all FC ports

Make System QOS changes

Enable all FC ports

If System QOS changes need to be made after FC ports are configured and being used, then to have minimal impact:

Reduce FC IOPS as much as possible

Make System QOS changes

Disable FC ports

Enable FC Ports

If immediate recovery is needed, disable/enable of all configured FC ports will recover the issue.

Avoid changing back to Default System QOS setting in the future until on a fixed release

QoS system class requires FI reboots as per this document: Cisco UCS Manager Network Management Guide, Release 4.0 - Quality of Service [Cisco UCS Manager] - Cisco

references:

Terraform azure reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:24:00 GMT

Details

DB Name - sbwehcmsqldb_poc
Server Name - sbwehcmsqldbserver_poc
Region - West Europe
Compute - Basic, 2 GB storage

Terraform VM

Azure

SP login


az login --service-principal -u 562ee4ba-6359-4e5d-a4d6-83de64a445f2 -p \_hvmAThuf7R\_41J2hF05HLr.34v-CpFFOg --tenant 0fadfa8b-6e6e-44b1-a381-6203bfe1a199

List all az groups


 az group list --subscription "bf1dbcea-044c-4e6d-ad6c-d54cecf69616"

Get resource group: Sandbox RG: WE-HCM-RG-POC


$ az group show --name WE-HCM-RG-POC --subscription "bf1dbcea-044c-4e6d-ad6c-d54cecf69616"                                         {

  "id": "/subscriptions/bf1dbcea-044c-4e6d-ad6c-d54cecf69616/resourceGroups/WE-HCM-RG-POC",

  "location": "westeurope",

  "managedBy": null,

  "name": "WE-HCM-RG-POC",

  "properties": {

    "provisioningState": "Succeeded"

  },

  "tags": {

    "ApplicationName": "HCM PoC",

    "BusinessUnit_CostCenter": "74170",

    "Environment": "Development",

    "HPNumber": "HPNumber",

    "TCSCloudOps_Scope": "YES"

  },

  "type": "Microsoft.Resources/resourceGroups"

}

export ARM_CLIENT_ID="562ee4ba-6359-4e5d-a4d6-83de64a445f2"

export ARM_CLIENT_SECRET="_hvmAThuf7R_41J2hF05HLr.34v-CpFFOg"

export ARM_SUBSCRIPTION_ID="bf1dbcea-044c-4e6d-ad6c-d54cecf69616"

export ARM_TENANT_ID="0fadfa8b-6e6e-44b1-a381-6203bfe1a199"

export TF_LOG="DEBUG"

subscription_id = "0fadfa8b-6e6e-44b1-a381-6203bfe1a199"

client_id = "562ee4ba-6359-4e5d-a4d6-83de64a445f2"

client_secret = "_hvmAThuf7R_41J2hF05HLr.34v-CpFFOg"

tenant_id = "0fadfa8b-6e6e-44b1-a381-6203bfe1a199"

terraform import azurerm_resource_group.WE-HCM-RG-POC /subscriptions/bf1dbcea-044c-4e6d-ad6c-d54cecf69616/resourceGroups/WE-HCM-RG-POC

DB Name - sbwehcmsqldb_poc

Server Name - sbwehcmsqldbserver_poc

Region - West Europe

Compute - Basic, 2 GB storage

Please update the Firewall of SQL Database with below IP address (TCS ECP Datacenter IP)

91.232.248.247

^Dq&eyECA#hnXZT

terraform destroy -target=azurerm_sql_database.sbwehcmsqldbpoc

terraform destroy -target=azurerm_sql_server.sbwehcmsqldbserverpoc

terraform destroy -target=azurerm_sql_firewall_rule.sbwehcmsqldbfw

references:

Velero command reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 21 Sep 2022 09:07:00 GMT

Create backup schedule

14 days = 336 hrs
10 days = 240 hrs
07 days = 168 hrs

velero schedule create ccs-prod --schedule="@every 24h" --include-namespaces=cisco --ttl 192h0m0s

Velero backup list

velero backup get

Velero take backup

velero backup create backup-20210819 --include-namespaces=cisco --wait --ttl 48h0m0s

Delete backup


velero backup delete [backup_name]

references:

AWS Storage Gateway

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 18 Aug 2022 06:49:00 GMT

Pre-stage computer object before attempting AD join.
Or,
Grant permission to the service account to create computer object.

references:
https://aws.amazon.com/premiumsupport/knowledge-center/storage-gateway-domain-join-error/

Powershell AD recover deleted objects

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Aug 2022 11:05:00 GMT


# Get deleted object
Get-ADObject <userid> -IncludeDeletedObjects

## Restore
Get-ADObject <userid> -IncludeDeletedObjects | Restore-ADObject

references:

Docker logs for all containers

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 10 Aug 2022 09:48:00 GMT

For getting all IPs given on cloud remote

docker ps -aq -f status=exited | xargs -L 1 docker logs | grep -i nicIP_0

references:

AWS IAM

sajal@sajalchoudhary.net (Sajal Choudhary) — Sun, 07 Aug 2022 10:27:00 GMT

![[202208012318 AWS IAM Basics]]

IAM Users

IAM users are an identity used for long term access to any resource, i.e. people, applications or service accounts.

5000 users per account. User can be member of 10 groups.
IAM Roles and Identity Federation fix this for large orgs or internet orgs.

Principal --> Authentication --> Authenticated identity
Authentication done using:

Username and passwor
Access keys

ARN (Amazon Resource Name)

Uniquely identify resources within AWS

IAM Groups

IAM groups are containers for IAM users.
Groups are not a true identity. They can't be referred as a prinicipal in a policy.

IAM Roles

references:

VMware security certificates

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 18:57:00 GMT

Create template

Create template using Creating a Microsoft Certificate Authority Template for SSL certificate creation in vSphere 6.x/7.x (2112009) (vmware.com)

VMware does not recommend replacing either solution user certificates or STS certificates, nor using a subordinate CA in place of the VMCA. If you choose either of these options, you might encounter significant complexity and the potential for a negative impact to your security, and an unnecessary increase in your operational risk.

With the “hybrid” approach, custom certificates are used for the Machine SSL certificates of the Platform Services Controller and vCenter Server VMs and then the VMCA is left to manage the Solution Users and ESXi host certificates.

NOTE:
HA is disabled during activity, so disable HA manually. And take snapshot.
Certificates must be base64 encoded.

Overview

Generate a Certificate Signing Request for the externally-facing vSphere Web Client login page (The Machine SSL certificate)
Submitted the CSR to the Microsoft Certificate Authority and downloaded the newly generated certificate and root CA certificate
Using the Certificate Manager utility we replaced the Machine SSL certificate with the certificate generated by the Microsoft CA
Verify that the vSphere Web Client login page is now using the Microsoft CA-issued certificate

Steps

Create a folder on appliance which you will be able to download: /tmp/sslcerts
Generate CSR
1. Utility is present at: /usr/lib/vmware-vmca/bin/certificate-manager
2. Run the utility and select Option 1
3. Select Option 1 again, to generate the CSR and provide the output directory path (created above) to write out the files created
4. Download the created csr file and key
Submit csr to CA

certreq -attrib "CertificateTemplate:WebServer" <nameofcert.cer>

If you don’t have an export of the root certificate start a elevated command prompt on the CA server and run this command.

certutil -ca.cert root_certificate.cer

Copy the .cer, key and root.cer to the VCSA.
Open up the Certificate Manager Utility and select Option 1, Replace Machine SSL certificate with Custom Certificate. Provide the password to your administrator@vsphere.local account and select Option 2, “Import Custom Certificate(s) and key(s) to replace existing Machine SSL certificate”
Select “Y” to continue the operation. This may take a few minutes, depending on how your systems are configured.

references:
Replacing a vSphere 6.x /7.x Machine SSL certificate with a Custom Certificate Authority Signed Certificate (2112277) (vmware.com)

Replacing vCenter 6.0’s SSL Certificate (vmware.com)
VMware vCenter Replace Machine Certificate With Custom CA - Virtualblog.nl
VMware vCenter Certificate Replacement - Dasher
vSphere Security Certificates (vmware.com)
New Product Walkthrough - Hybrid vSphere SSL Certificate Replacement - VMware vSphere Blog

Export configuration of existing Azure AD Connect server

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 12:57:00 GMT

Open the Azure AD Connect tool, and select the additional task named View or Export Current Configuration.
By default, the settings are exported to %ProgramData%\AADConnect.
Settings are exported by using the JSON file format and should not be hand-created or edited to ensure logical consistency.

references:
How to import and export Azure AD Connect configuration settings - Microsoft Entra | Microsoft Docs

Azure AD Connect Upgrade from old version to new version

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 11:39:00 GMT

Methods

Automatic Upgrade
In-place upgrade
Swing migration (Complex deployment/upgrade windows OS)

Swing Migration

Needs at least 2 servers: one active, one staging.

Active server responsible for production load.
Staging server prepared with new release. When ready this is made active.
Previous active server becomes staging and is upgraded.

Steps

Export configuration of existing server
Install the new Azure AD Connect server with the imported settings (Staging Mode)
Verify Staging Sync
Set the Old Azure AD Connect server to staging mode (Optional)
Uninstall Old Azure AD Connect server

references:

Azure AD Connect Pre-Reqs

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 08:37:00 GMT

Azure AD V2 pre-reqs

An Azure AD tenant
An on-premises or cloud-hosted (on an Infrastructure as a Service virtual machine) Windows Server running as an AD domain controller (older versions of Windows Server work but some features like password writeback will require 2016 or later)
Your domain controller must be writable, read-only domain controllers (RODC) are not supported
Ideally, Azure AD Connect should be installed on a dedicated domain-joined server, but you can also install it on your domain controller (Windows Server 2016 or later with Desktop Experience is required for Azure AD Connect V2)
AD and AAD accounts for your Azure AD Connect server. Microsoft differentiates accounts used for operating Azure AD Connect and those used for its installation and configuration.

Install pre-reqs

domain-joined Windows Server 2016 or later
.Net Framework version required is 4.6.2, or newer
Windows Server standard or better
Azure AD Connect server must have a full GUI installed

references:
Azure AD Connect: Prerequisites and hardware - Microsoft Entra | Microsoft Docs

Azure AD Connect

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 08:36:00 GMT

[[202208041137 Azure AD Connect Pre-Reqs]]
[[202208041557 Export configuration of existing Azure AD Connect server]]
[[202208041439 Azure AD Connect Upgrade from old version to new version]]

references:
Azure AD Connect: Version release history - Microsoft Entra | Microsoft Docs

Entra Connect sync

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 04 Aug 2022 08:36:00 GMT

AD is source of truth
Entra ID instance can sync from only one Entra connect sync
One AD can sync to multiple Entra IDs

Types

Entra connect sync (deployed in Windows VM)
Entra connect cloud sync (Agents are deployed where needed/runs in cloud)

License requirements

Architecture

[[202208041137 Azure AD Connect Pre-Reqs]]
[[202208041557 Export configuration of existing Azure AD Connect server]]
[[202208041439 Azure AD Connect Upgrade from old version to new version]]

references:

Azure AD Connect: Version release history - Microsoft Entra | Microsoft Docs
Technical Concepts
Topologies for Entra Connect

Route 53 Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 20:31:00 GMT

Global service, single database. Globally resilient.

Two functions:

Register domain
Host zones, manage Nameservers

Hosted Zones

Can be public or private (linked to VPCs).

references:

High Availability vs Fault Tolerance vs Disaster Recovery

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 19:55:00 GMT

HA is about minimizing failure.
FT is about minimizing failure + operating through failures

High Availability (HA)

Aims to ensure an agreed level of operational performance, usually uptime, for a higher than normal period
Instead of diagnosing the issue, if you have a process ready to replace it, it can be fixed quickly and probably in an automated way.
Spare infrastructure ready to switch customers over to in the event of a disaster to minimize downtime
User disruption is not ideal, but is allowed
- The user might have a small disruption or might need to log back in.
Maximizing a system's uptime
- 99.9% (Three 9's) = 8.7 hours downtime per year.
- 99.999 (Five 9's) = 5.26 minutes downtime per year.

Fault-Tolerance (FT)

System can continue operating properly in the event of the failure of some (one or more faults within) of itscomponents
Fault tolerance is much more complicated than high availability and more expensive. Outages must be minimized and the system needs levels of redundancy.
An airplane is an example of system that needs Fault Tolerance. It has more engines than it needs so it can operate through failure.

Example: A patient is waiting for a life saving surgery and is under anesthetic. While being monitored, the life support system is dosing medicine. This type of system cannot only be highly available, even a movement of interruption is deadly.

Disaster Recovery (DR)

Set of policies, tools and procedures to enable the recovery or continuation of vital technology infrastructure and systems following a natural or human-induced disaster.
DR can largely be automated to eliminate the time for recovery and errors.

references:

Shared Responsibility Model

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 19:45:00 GMT

AWS: Responsible for security OF the cloud
Customer: Responsible for security IN the cloud

references:

Linux Stress Utility

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 19:42:00 GMT

Can be used to artificially stress a system

Steps on Amazon Linux

sudo amazon-linux-extras install epel -y 
sudo yum install stress -y

references:

AWS CloudWatch Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 19:22:00 GMT

Collects and manages operational data
Three things:

Metrics: data relating to AWS products, apps, on-prem solutions
Logs
Events : AWS services and schedules

Namespace

Container for monitoring data. Naming can be anything so long as it's not AWS/service such as AWS/EC2. This is used for all metric data of that service

Metric

Time ordered set of data points such as:

CPU Usage
Network IN/OUT
Disk IO

This is not for a specific server. This could get things from different servers.

Anytime CPU Utilization is reported, the datapoint will report:

Timestamp = 2019-12-03
Value = 98.3

Dimensions could be used to get metrics for a specific instance or type of instance, among others. They separate data points for different things or perspectives within the same metric.

Alarms

Has two states ok or alarm. A notification could be sent to an SNS topic or an action could be performed based on an alarm state. Third state can be insufficient data state. Not a problem, just wait.

references:

CloudFormation Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 02 Aug 2022 18:52:00 GMT

IAC product.
Can be written in yaml or json.

references:
https://docs.aws.amazon.com/AWSCloudFormation/latest/UserGuide/aws-template-resource-type-ref.html

AWS S3 Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 20:42:00 GMT

Global service, accessible from anywhere.
Public service, unlimited data, multi-user.

S3 objects

Like file.
Key: koala.jpg (like file name)
value: content being stored (0-5TB)

S3 buckets

Created in separate region. Needs to be globally unique. 3-63 chars, all lower case, no underscore. starts with number or lower case. can't be like ip address (1.1.1.1)
Buckets (100 per account/1000 hard limit)
Unlimited objects in bucket.
Bucket created in region never leaves that region. Data sovereignty. Rules/Laws of that particular region apply.
Flat structure (Everything stored at root level)
Folder structure can be named like and S3 shows it like so:
/old/koala.jpg
koala1.jpg

references:

AWS IAM Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 20:18:00 GMT

Global service/No cost
IAM lets us create three type of identities:

User
Group
Roles

references:

AWS VPC Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 20:16:00 GMT

Regional service. VPC = virtual network inside AWS.
Private and isolated by default.

Default VPC

max 1 per region. can be deleted and recreated. 1 per region created automatically.
gets 1 default cidr (172.31.0.0/16)
cidr split into subnets for different azs. (/20 subnets) Subnets assign public IPv4 address.
InternetGW , SG and NACL. Security features SG and NACL.

Custom VPCs

created manually. more flexible. can have multiple cidrs.

references:

EC2 Basics

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 20:14:00 GMT

AZ resiliant. Instance fails if AZ fails. IAAS.
Private by default. Instance launched in a VPC.
Pay as you go.
Based on state, billing happens. Pricing based on CPU,Memory,Storage,Networking.

Running

Charged for all 4.

Stopped

Only charged for storage.

Terminated

No charge.

AMI

Like server image. Can be used to deploy instances.
Contain the following:

Permissions
1. Public - Everyone can use it
2. Owner - Implicit
3. Explicit - Specific AWS accounts can use it
Root Volume
Block Device Mapping (Links volume to device id/ So which is boot, which is data vol)

Connecting to EC2

RDP: 3389, SSH: 22
Authenticate using SSH key-pair. Private key can be seen only once. AWS has the public key.
For Windows, use key to get admin password, and with that admin password, you can login.

references:
EC2 basics

Kubernetes certificate expiry fix

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 12:18:00 GMT

Check cert status

$ sudo kubeadm alpha certs check-expiration
CERTIFICATE                EXPIRES                  RESIDUAL TIME   EXTERNALLY MANAGED
admin.conf                 Aug 01, 2023 11:47 UTC   364d            no
apiserver                  Aug 01, 2023 11:47 UTC   364d            no
apiserver-etcd-client      Aug 01, 2023 11:47 UTC   364d            no
apiserver-kubelet-client   Aug 01, 2023 11:47 UTC   364d            no
controller-manager.conf    Aug 01, 2023 11:47 UTC   364d            no
etcd-healthcheck-client    Aug 01, 2023 11:47 UTC   364d            no
etcd-peer                  Aug 01, 2023 11:47 UTC   364d            no
etcd-server                Aug 01, 2023 11:47 UTC   364d            no
front-proxy-client         Aug 01, 2023 11:47 UTC   364d            no
scheduler.conf             Aug 01, 2023 11:47 UTC   364d            no

New Method

Download ccp-utils-aa166c3.tar to master nodes.
Untar.
On all the master nodes, run the following:

python3 renew_certs.py -s

Reboot the master nodes one at a time

shutdown -r now

run the following script: ./renew_kubeconfig_secret.sh. It creates a script in /tmp location (/tmp/update_kubeconf_secret.sh) which needs to be updated with correct secret name.
Get the secret name using:

$ kubectl get secret -n ccp | grep kubeconfig
fit-ba52bfdd-4bc5-4307-b788-b4f0620ec7f8-kubeconfig     Opaque                                10     2y19d

Update the /tmp script with -n ccp and the name of the cert, like so

kubectl -n ccp get secret "fit-ba52bfdd-4bc5-4307-b788-b4f0620ec7f8-kubeconfig" -o yaml >  "fit-ba52bfdd-4bc5-4307-b788-b4f0620ec7f8-kubeconfig".bak
kubectl -n ccp patch secret "fit-ba52bfdd-4bc5-4307-b788-b4f0620ec7f8-kubeconfig" --type="json"

After updating it, run the script.
Verify node status using get nodes, get pods, etc.

Old Method

Cisco documentation

Kubernetes documentation

Kubernetes Alpha Kubeadm Documentation

Log in to a master node, and sudo su - to become root.
Backup your old certificates and keys. This is not required but recommended. Make a backup directory and copy these files to it.


$ sudo cp -a /etc/kubernetes/ .

Use kubeadm alpha certs to renew the certificates:


admin@ccs-52-rcdn-74601e81-d5f0-4178-mg-1-1201e401a1:/etc/kubernetes$ sudo kubeadm alpha certs renew all --v=5

Regenerate the kubernetes .conf files by kubeadm alpha kubeconfig:


kubeadm alpha kubeconfig user --org system:masters --client-name kubernetes-admin > /etc/kubernetes/admin.conf

kubeadm alpha kubeconfig user --client-name system:kube-controller-manager > /etc/kubernetes/controller-manager.conf

kubeadm alpha kubeconfig user --client-name system:kube-scheduler > /etc/kubernetes/scheduler.conf

kubeadm alpha kubeconfig user --org system:nodes --client-name system:node:$(hostname) > /etc/kubernetes/kubelet.conf

If there is a file /etc/kubernetes/node.conf in the system, replace it with a copy of the new admin.conf file and edit it to replace the VIP with the local IP of the node:


cp /etc/kubernetes/admin.conf /etc/kubernetes/node.conf

vi node.conf

Export your new admin.conf file to your host.


cp -i /etc/kubernetes/admin.conf $HOME/.kube/config

chown $(id -u):$(id -g) $HOME/.kube/config

chmod 777 $HOME/.kube/config

export KUBECONFIG=.kube/config

Reboot the master node via shutdown -r now.
Perform above steps for all master nodes.
Verify kubernetes status using kubectl get nodes.
Only do steps 19-25 on each worker IF they show as NotReady and having issues. On later clusters you might not have to do this. On one master, generate a new join token via kubeadm token create --print-join-command. Copy that command for later use.


[root@cx-ccs-prod-master-d7f34f25-f524-4f90-9037-7286202ed13a1 k8s-mgmt]# kubeadm token create --print-join-command

kubeadm join 192.168.1.14:6443 --token m1ynvj.f4n3et3poki88ry4

 --discovery-token-ca-cert-hash

sha256:4d0c569985c1d460ef74dc01c85740285e4af2c2369ff833eed1ba86e1167575

references:

Installing cliqr agent for vmware cloud

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 10:07:00 GMT

Linux

./worker_installer.bin vmware worker_basic

## fORMAT
./worker_installer.bin <ostype> <cloudtype> worker_basic

Windows

Download the artifacts.zip file from software.cisco.com and unzip it to obtain the installer package (cliqr_installer.exe) Or get it from cloud repo.

cliqr_installer.exe /CLOUDTYPE=vmware /CLOUDREGION=default

references:
CCS-WM-5-4 (cisco.com)

Installing cloudcenter agent

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 01 Aug 2022 10:07:00 GMT

Linux

./worker_installer.bin vmware worker_basic

## fORMAT
./worker_installer.bin <ostype> <cloudtype> worker_basic

Windows

Download the artifacts.zip file from software.cisco.com and unzip it to obtain the installer package (cliqr_installer.exe) Or get it from cloud repo.

cliqr_installer.exe /CLOUDTYPE=vmware /CLOUDREGION=default

references:
CCS-WM-5-4 (cisco.com)

AWS Fundamentals

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 26 Jul 2022 20:54:00 GMT

AWS Public vs Private services

Refers to networking only
Three internet zones:
Public Internet Zone (Open internet)
AWS Public Zone (Things like S3 for AWS public services. Requires access.)
AWS Private zone (VPCs: isolated unless configured otherwise. Stuff can be placed inside VPCs like EC2. Access can be enabled by using things like VPN/Direct Connect for on prem, for public access things like internet gateway)

AWS Global Infrastructure

Regions

An area AWS says has full deployment of AWS services (Ohio,Mumbai, etc.)

Edge locations

Edge computing, CDNs, type of things. Allows for fast, efficient data transfer.
Some services are global (IAM/DNS)
Some are regional (EC2, etc)

Region benefits

Geographical separation (isolated fault domain)
Geopolitcal separation (Different governance)
Location control (Performance)

Regions and AZs

Each region has between 2 and 6 AZs. Isolated infra inside a region. AZ is not one DC. It can have more than one DC.

Service Resilience

Globally Resilient (If a region fails, no issues. Examples: IAM, Route 53)
Regionally Resilient (Regionally, data is same. Region fails, service will fail)
AZ Resilient (very prone to failure)

AWS CLI

Create profile

aws configure --profile iamadmin-general

![[202208012318 AWS IAM Basics]]

![[202208012316 AWS VPC Basics]]

![[202208012314 EC2 Basics]]

references:

Cloud Computing Fundamentals

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 26 Jul 2022 20:08:00 GMT

Cloud Computing provides:

1. On-Demand Self-Service

Create resources without requiring human interaction

2. Broad Network Access

Capabilities available over network and standard mechanisms (http/https,ssh,etc.)

3. Resource Pooling

Location independence.. no control or knowledge over exact location of resources
resources are pooled to serve multiple customers using multi-tenant model

4. Rapid Elasticity

Capabilities can be elastically provisioned and released to scale rapidly
To the consumer, it looks like unlimited capacity is there

5. Measured Service

Resources can be monitored, controlled, reported and billed

Public vs Private vs Hybrid vs Multi Cloud

Multi cloud strategy uses multiple vendors (more than one public clouds)
Private Cloud is basically on-prem. But it still needs to meet the five characteristics we mentioned above. But, dedicated to a single customer.
Private + Public = Hybrid Cloud (Only if both act as a single cloud, i.e. same tools, processes, etc.)
Hybrid Environment/Network (private and public exist separately)

Cloud Service Models

Infra stack contains of following components:
Application
Data
Runtime
Container
O/S
Virtualization
Servers
Infrastructure
Facilties

Different models

In Infra stack, some things are managed by you, some by vendor, which leads to different models:
On-Prem controls the entire stack and staff costs.
DC-Hosted vendor controls facilites and staff for the HW.
IAAS you control O/S onward.
PAAS you control Runtime onward.
SAAS you consume application

When to use public cloud

shift responsibility - focus on what matters most to business
operate dc cheaper/more efficiently on cloud
resiliency/proximity requirements
charged based on usage
- predictable bursting (scale up and down based on time)
- growing fast (new company/app - don't know how much i need)
- unpredictable bursting
- on and off - stop start as needed

Key scenarios

test and dev in cloud
disaster recovery
dmz scenarios (public facing things in cloud)
special projects (initial cost (might be large) vs operating cost in cloud is less)
many orgs are all in (maybe cheaper/but also provides lots of services/don't want to be in dc business)

references:

Cantrill, Adrian - SAAC02_03

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 26 Jul 2022 20:05:00 GMT

Adrian's Course
This note will just act as a placeholder for all the stuff I learn as part of Adrian's SAA course.

Basics

[[202207262308 Cloud Computing Fundamentals]]
[[202207262354 AWS Fundamentals]]
[[202208012318 AWS IAM Basics]]
[[202208012316 AWS VPC Basics]]
[[202208012314 EC2 Basics]]
[[202208022152 CloudFormation Basics]]
[[202208022222 AWS CloudWatch Basics]]
[[202208022245 Shared Responsibility Model]]
[[202208022331 Route 53 Basics]]

references:
https://learn.cantrill.io/courses/730712/lectures/14040936

Powershell convert Int64 TimeStamp to DateTime

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 20 Jul 2022 09:09:00 GMT

we can use the .Net function FromFileTime and convert the output to DateTime format.

$timestamp = "131099683087123361"
[DateTime]::FromFileTimeutc($timestamp)

Example with aduser report

Get-ADUser -Server $Domain -Properties * | Select DisplayName,DistinguishedName,Description,PasswordNeverExpires,@{n="PwdLastSet";e={[datetime]::FromFileTime($_."PwdLastSet")}}

references:

VMware restart ui services

sajal@sajalchoudhary.net (Sajal Choudhary) — Sat, 16 Jul 2022 17:44:00 GMT

Done in seconds.

# Stop ui
service-control --stop vsphere-ui

# start ui
service-control --start vsphere-ui

# check status
service-control --status --all

references:
https://kb.vmware.com/s/article/81792?lang=en_US

Terraform use custom providers

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 13 Jul 2022 07:49:00 GMT

In .terraformrc file provide the location of the local mirror from where provider should be installed

provider_installation {
  filesystem_mirror {
    path    = "/home/c3admin/ipamTest/.terraform.d/plugins/"
    include = ["hashicorp.com/*/*"]
  }
}

references:
https://www.terraform.io/cli/config/config-file#provider-installation

VAMI interface on VMWare

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 08 Jul 2022 06:12:00 GMT

How to access

postfix :5480 to the IP address or URL of your VCSA

references:
Accessing VAMI Web UI (vmware.com)

CCS API get

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 23 Jun 2022 07:19:00 GMT

Get instance types

HE5_ECP_VM_OPCloud

https://10.47.19.169/cloudcenter-cloud-setup/api/v1/tenants/2/clouds/8/regions/21/instanceTypes?size=0

HE7_ECP_VM_OPCloud

https://10.47.19.169/cloudcenter-cloud-setup/api/v1/tenants/2/clouds/7/regions/20/instanceTypes?size=0

references:

Take postgres dump

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 22 Jun 2022 14:37:00 GMT

Take a postgres db dump -
Find cloudcenter-shared-postgres pod -
kubectl get pods -n cisco | grep postgres
Get into the pod's shell -
kubectl exec -it -n cisco cloudcenter-shared-postgres-0 -- bash
#pg_dump -U cliqr cliqrdb | gzip > /tmp/.gz
Exit the pod -
#exit
Copy the dump to the host -
kubectl cp cloudcenter-shared-postgres-0:/tmp/.gz ~/.gz

references:

Add SAN to cert request inf file method

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 21 Jun 2022 10:33:00 GMT

Template:

[NewRequest]
Subject = "CN=devname.fi.tcsecp.com"
Exportable = TRUE
KeyLength = 2048
KeySpec = 1
KeyUsage = 0xf0
RequestType = PKCS10

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=devname.fi.tcsecp.com"

[RequestAttributes]
CertificateTemplate = WebServer

For SAN, tried using the following which did not work. So, use the [Extensions] format mentioned above.

[RequestAttributes] ; If your client operating system is Windows Server 2003, Windows Server 2003 R2, or Windows XP ; and you are using a standalone CA, SANs can be included in the RequestAttributes ; section by using the following text format. SAN="dns=www01.fabrikam.com&dns=www.fabrikam.com&ipaddress=172.31.10.130"

references:
How to Request a Certificate With a Custom SAN | Microsoft Docs

HCP install

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Jun 2022 15:32:00 GMT

Notes

Do not provide vlan id when doing os config

references:

Ansible directory structure

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 16 Jun 2022 06:35:00 GMT

production                # inventory file for production servers
staging                   # inventory file for staging environment

group_vars/
   group1                 # here we assign variables to particular groups
   group2                 # ""
host_vars/
   hostname1              # if systems need specific variables, put them here
   hostname2              # ""

library/                  # if any custom modules, put them here (optional)
module_utils/             # if any custom module_utils to support modules, put them here (optional)
filter_plugins/           # if any custom filter plugins, put them here (optional)

site.yml                  # master playbook
webservers.yml            # playbook for webserver tier
dbservers.yml             # playbook for dbserver tier

roles/
    common/               # this hierarchy represents a "role"
        tasks/            #
            main.yml      #  <-- tasks file can include smaller files if warranted
        handlers/         #
            main.yml      #  <-- handlers file
        templates/        #  <-- files for use with the template resource
            ntp.conf.j2   #  <------- templates end in .j2
        files/            #
            bar.txt       #  <-- files for use with the copy resource
            foo.sh        #  <-- script files for use with the script resource
        vars/             #
            main.yml      #  <-- variables associated with this role
        defaults/         #
            main.yml      #  <-- default lower priority variables for this role
        meta/             #
            main.yml      #  <-- role dependencies
        library/          # roles can also include custom modules
        module_utils/     # roles can also include custom module_utils
        lookup_plugins/   # or other types of plugins, like lookup in this case

    webtier/              # same kind of structure as "common" was above, done for the webtier role
    monitoring/           # ""
    fooapp/               # ""

references:
Best Practices — Ansible Documentation

PowerShell AD group management

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 10 Jun 2022 07:46:00 GMT

Add custom property

$Group = Get-ADGroup <group-name> -Properties * -Server <domain>
$Group | Set-ADGroup -Add @{ gidNumber = '3000999999' }

Update existing entry

$Group = Get-ADGroup <group-name> -Properties * -Server <domain>
$Group | Set-ADGroup -Replace @{ gidNumber = '300099999' }

Find groups based on a property

Get-ADGroup -Filter "gidNumber -eq 300099999" -Server <domain> -Properties *

Add member to group

Add-ADGroupMember -Server <domain> -Identity <groupname> -Members <userid>

references:

PowerShell numbers

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 10 Jun 2022 07:44:00 GMT

Int32

Int is the default numeric data type in Windows PowerShell. It is a 32-bit signed integer. The .NET Framework class is System.Int32. Because it is the default numeric data type, I can use [int32] or [int].
To get max and min values:

[int]::MaxValue
2147483647
[int]::MinValue
-2147483648

references:
Understanding Numbers in PowerShell - Scripting Blog (microsoft.com)

Windows Time service

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 09 Jun 2022 08:40:00 GMT

Sync from domain

w32tm /config /syncfromflags:domhier /update 
net stop w32time 
net start w32time

Sync from local

w32tm /config /syncfromflags:manual /update 
net stop w32time 
net start w32time

references:
Windows Time service tools and settings | Microsoft Docs

Powershell run commands on remote servers

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 08 Jun 2022 08:11:00 GMT

Use Invoke-Command to run one off commands, if no output is needed.

$Servers | Invoke-Command -ScriptBlock { Get-Service }

Invoke-command can be used with New-PSSession. This can be useful when running multiple commands and you want to use the same session. Like so:

$s = New-PSSession -ComputerName Server02 
Invoke-Command -Session $s -ScriptBlock {$p = Get-Process PowerShell}
Invoke-Command -Session $s -ScriptBlock {$p.VirtualMemorySize}

references:
Invoke-Command (Microsoft.PowerShell.Core) - PowerShell | Microsoft Docs

PowerShell set custom properties for AD Users

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 08 Jun 2022 07:56:00 GMT

Set-ADUser can be used to modify AD users.
We can edit values of other user attributes (including extensionAttribute and custom attributes) in AD using these Set-ADUser options:

Add – adds an attribute value
Replace – replaces an attribute value
Clear – clears an attribute value
Remove — removes one of the attribute values

Add a custom attribute

Set-ADUser C.Bob -Add @{extensionAttribute5 = "Test1"}

# Replace
Set-ADUser

Update AD SamAccountName

$NewSAMAccountName = $User.SamAccountName.ToUpper()  
$User | Set-ADUser -Server $Domain -Replace @{samaccountname=$NewSAMAccountName}

Update msds-AllowedToDelegateTo


## Add something
$User | Set-ADUser -Add @{'msDS-AllowedToDelegateTo'='MSSQLSvc/JTYSQL19C1VS2.jty.okobank.net:1433'}


## Remove something
*## THis removes that particular value only.
$User | Set-ADUser -Remove @{'msDS-AllowedToDelegateTo'='MSSQLSvc/jtysql10vs4.jty.okobank.net:1663'}*

Service principalnames

Set-ADComputer -ServicePrincipalNames @{Add='WSMAN/Mycomputer','WSMAN/Mycomputer.MyDomain.Com'}

Add multiple properties in one go


$Properties = @{
	extensionAttribute2 = $UserData.extensionAttribute2
	extensionAttribute5 = 'S;'
	extensionAttribute7 = $UserData.extensionAttribute7
	extensionAttribute11 = '592106'
}
$ADUser | Set-ADUser -Add $Properties -ErrorAction Stop

references:
Set-ADUser Modify Active Directory Users with PowerShell (bobcares.com)

Snmpwalk

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 07 Jun 2022 13:53:00 GMT

Download

From solarwinds: http://downloads.solarwinds.com/solarwinds/Release/PreRelease/SolarWindsSnmpWalk.zip

references:
snmpwalk Examples & Commands (Windows & Linux) Step-by-Step Guide (comparitech.com)
https://support.solarwinds.com/SuccessCenter/s/article/Run-SolarWinds-SNMPWALK?language=en_US

Ansible parallelism

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 07 Jun 2022 11:55:00 GMT

By default, Ansible runs each task on all hosts affected by a play before starting the next task on any host, using 5 forks.

Batch size( forks )

Batch size can be configured using serial.

serial: 3

references:
Controlling playbook execution: strategies and more — Ansible Documentation

UCS snmp settings

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 07 Jun 2022 08:50:00 GMT

Admin > Expand All > Communication Management > Communication Services

SNMP area has the appropriate settings.

references:
Cisco UCS Manager System Monitoring Guide, Release 3.1 - SNMP Configuration [Cisco UCS Manager] - Cisco

Ansible Error handling

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 06 Jun 2022 14:08:00 GMT

Ignore failed commands

ignore_errors can be used to continue even in case of failures.

Defining failure

failed_when can be used to specify what causes failure.

- name: Fail task when the command error output prints FAILED
  ansible.builtin.command: /usr/bin/example-command -x -y -z
  register: command_result
  failed_when: "'FAILED' in command_result.stderr"

Aborting a play on all hosts

On first error, any_errors_fatal: true will stop play execution.
max_fail_percentage can be used to abort after a percentage has failed

any_errors_fatal: true

Recovering from errors

rescue section can be used for error handling.

references:
Error handling in playbooks — Ansible Documentation

Windows RDP issue

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 03 Jun 2022 06:47:00 GMT

Error: No Remote Desktop License Servers available


1. Navigate to "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\RCM\GracePeriod" as shown in below window and select the GracePeriod Key. If the ‘GracePeriod’ key exists you will need to delete it.
2. Reboot the server or Restart Remote desktop services,

references:
Solution: No Remote Desktop License Servers Available To Provide License (devitpl.com)

VMware remove host from inventory

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 31 May 2022 14:38:00 GMT

Put host in maintenance mode.
Remove the host from distributed switch
Right-click the appropriate host in the inventory pane, and select Remove from Inventory from the pop-up menu

Step 2 might cause issues.
Unable to Remove a Host from a vSphere Distributed Switch (vmware.com)
The resource 'Port-ID' is in use error when removing a host from VDS (2015435) (vmware.com)
Better to just Right click the ESXi host from the Inventory and select Connection > Disconnect
And after host is disconnected remove from inventory will remove it.

references:
Remove a Host from vCenter Server (vmware.com)

VMware packet capture using pktcap

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 31 May 2022 12:38:00 GMT

Confirm port details using command below, grep the port details for the vm we need to run it for.

$ net-stats -l

Get list of datastores, and select one which has space to store the network capture.

esxcli storage vmfs extent list
ls /vmfs/volumes

Double ssh to the esxi which has the server and run commands for incoming and outgoing over 2 sessions (see example below)

pktcap-uw --switchport <portnumber> --dir {0|1|2} --tcpport <TCP_port> -o <capture_location>

dir {0|1|2} 0 stands for incoming traffic, 1 for outgoing traffic, and 2 for bidirectional traffic.

Use following command to kill the process on all servers once spike is observed

kill $(lsof |grep pktcap-uw |awk '{print $1}'| sort -u)

To list:

lsof |grep pktcap-uw |awk '{print $1}'| sort -u

Example

VM1: 25903-web-ryd

Host: fiesopprdesx03.fi.tcsecp.com

net-stats -l | grep 25903-web-ryd
50331688 5 9 DvsPortset-0 fa:16:3e:74:9b:20 25903-web-ryd (68c5b741-1ce4-4637-8186-41d3c7352403).eth1
50331689 5 9 DvsPortset-0 fa:16:3e:f9:2a:94 25903-web-ryd (68c5b741-1ce4-4637-8186-41d3c7352403).eth0 (Prod)

/vmfs/volumes/5f6388f0-300d4730-0a0c-0025b501014f/pktcap

pktcap-uw --switchport 50331689 --dir 0 --tcpport 2036 -o /vmfs/volumes/5f6388f0-300d4730-0a0c-0025b501014f/pktcap/capin14.pcap
pktcap-uw --switchport 50331689 --dir 1 --tcpport 2036 -o /vmfs/volumes/5f6388f0-300d4730-0a0c-0025b501014f/pktcap/capout14.pcap

VM2: 25903-lptl-epm

Host: fiespalaprtesx08.fi.tcsecp.com

net-stats -l | grep 25903-lptl-epm
50331694 5 9 DvsPortset-0 fa:16:3e:01:ec:7f 25903-lptl-epm (66fbb177-2dd2-4d06-91fb-df119945cb81).eth1
50331695 5 9 DvsPortset-0 fa:16:3e:b8:75:65 25903-lptl-epm (66fbb177-2dd2-4d06-91fb-df119945cb81).eth0 (Prod)

esxcli storage vmfs extent list

/vmfs/volumes/620a7fad-ea2a095e-bc75-0025b50502cf

pktcap-uw --switchport 50331695 --dir 0 --tcpport 2036 -o /vmfs/volumes/620a7fad-ea2a095e-bc75-0025b50502cf/pktcap/capin14.pcap
pktcap-uw --switchport 50331695 --dir 1 --tcpport 2036 -o /vmfs/volumes/620a7fad-ea2a095e-bc75-0025b50502cf/pktcap/capout14.pcap

references:

VMware unable to unmount datastore

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 31 May 2022 11:53:00 GMT

Error

The resource '0200fe0000624a9370f25b6296a38b4191000d2851466c61736841' is in use.

logdir is present

Go to Manage -> Settings -> Advanced System Settings. Find ScratchConfig.CurrentScratchLocation and Syslog.global.logDir
If these mention datastores, change that.

vCLS VMs are present

Go to the cluster
Under Configure > vSphere Cluster Services, select General
click on EDIT VCLS MODE
1. In the Edit vCLS Mode pop up window, click on the second radio option Retreat Mode.

Through CLI

Find the UUID for datastore to be removed.

esxcli storage filesystem list

Unmount

esxcli storage filesystem unmount [-u _UUID_ | -l _label_ | -p _path_ ]

Note: If the VMFS filesystem you are attempting to unmount has active I/O or has not fulfilled the prerequisites to unmount the VMFS datastore, you see an error in the VMkernel logs similar to:

WARNING: VC: 637: unmounting opened volume ('4e414917-a8d75514-6bae-0019b9f1ecf4' 'LUN01') is not allowed.
VC: 802: Unmount VMFS volume f530 28 2 4e414917a8d7551419006bae f4ecf19b 4 1 0 0 0 0 0 : Busy

verify that the datastore is unmounted, run this command:

esxcli storage filesystem list

references:

Convert a dynamic dns record to static

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 May 2022 11:14:00 GMT

dnsmgmt.msc
Enable advanced view.
Find the record. Right click > Properties. Disable Delete this record when it becomes stale check box and then click on OK

references:
How to Convert a Dynamic Resource Record to a Static One Without Re-Creating it in DNS - TechNet Articles - United States (English) - TechNet Wiki (microsoft.com)

Install go

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 May 2022 10:06:00 GMT

Download tar file from https://go.dev/doc/install
Create /usr/local/go if fresh install.
Remove any previous Go installation by deleting the /usr/local/go folder (if it exists), then extract the archive you just downloaded into /usr/local, creating a fresh Go tree in /usr/local/go:

## Existing install
$ sudo rm -rf /usr/local/go && tar -C /usr/local -xzf go1.18.2.linux-amd64.tar.gz

## New install
$ sudo tar -C /usr/local -xzf go1.18.2.linux-amd64.tar.gz

Add /usr/local/go/bin to the PATH environment variable.Both /etc/profile and /etc/bashrc

export PATH=$PATH:/usr/local/go/bin

Verify that you've installed Go by opening a command prompt and typing the following command:

$ go version
go version go1.18.2 linux/amd64

references:

go install

Linux Add path to $path

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 25 May 2022 08:25:00 GMT

Gotcha

The /etc/profile is executed only for interactive shells and the /etc/bashrc is executed for both interactive and non-interactive shells. In fact in Ubuntu the /etc/profile calls the /etc/bashrc directly.

Temporarily

export PATH=/home/dave/work:$PATH

For your self only

Add the export command above to .bashrc or .profile

Permanent for all users

Add export to /etc/profile file and /etc/bashrc

export PATH=$PATH:/usr/local/bin

references:

Understanding a little more about /etc/profile and /etc/bashrc - Benjamin Cane (bencane.com)

Windows Force logoff users

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 24 May 2022 07:48:00 GMT

query session

logoff <id>

references:
How to force logoff local users with status disconnected (microsoft.com)

Terraform bundle

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 23 May 2022 09:58:00 GMT

Terraform bundle tool install

Pre-requisites

git
go / [[202205251306 Install go]]

Install

# Clone v0.15 branch
$ git clone --single-branch --branch=v0.15 --depth=1 https://github.com/hashicorp/terraform.git

$ cd terraform

$ go build -o ../terraform-bundle ./tools/terraform-bundle

Terrform bundle creation

references:

Raise a certificate request on Windows

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 20 May 2022 06:55:00 GMT

Script

Ensure that you have the configuration name correct. Just run certutil and copy the CA Config name from the output.
Multi cert script developed.

Manual

Open mmc. File > Add/Remove Snapin. Add Certificates. Select Computer Account.
Go to Certificates > Personal.
Right Click > All Tasks > Advanced Operations > Create Custom Request.
Next. Next.
On Custom Request page, Select Web Server as template. Next.
On Certificate Information page, expand by clicking icon next to Details. Click on Properties.
In Subject tab. Subject Name: select type as Common Name. In value field, put the required DNS value (fitcs.fi.tcsecp.com). Click Add.
In Alternative Name, select DNS and as value put the same thing as above (fitcs.fi.tcsecp.com). Click Add.
In General tab, put Friendly name, and description.
In Private key tab, expand Key options, select "Make Private key exportable" option. Click apply. Click OK.
Click Next. Select a location for the generated file. Name the file. Click Save. Click Finish. File will be generated at the location you selected.
If you need private key as well, go to Certificate Enrollment Requests > Certificates. You will find the cert here.
Right click on the cert. All Tasks > Export. Next.
Select Yes, Export the private key. Next.
Click on the Password option, provide the password. Click Next.
Select the location for the private key and press next.
Verify the details on the page and click finish. Key will be generate at the mentioned location.

references:
How to generate Certificate Signing Request using Microsoft Management Console (MMC) on Windows 2012 (entrust.com)

Terraform custom worker image

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 17 May 2022 12:19:00 GMT

Commands

# To build image from dockerfile
docker build -t tcs/customworker:1.0.1 . 

# To build from existing image
# Run an ephemeral container and bash into it
docker run --rm -it hashicorp/build-worker:now /bin/bash

Dockerfile

Idea is to use the existing terraform worker image and then copy the required files to it and then that's it.
Terraform default worker image is based on ubuntu.


FROM hashicorp/build-worker:now

# Include all necessary CA certificates.
ADD chain.crt /usr/local/share/ca-certificates/

# Create provider directory
RUN mkdir /usr/share/terraform
RUN mkdir /usr/share/terraform/providers
RUN mkdir /usr/share/terraform/providers/registry.terraform.io

# Add providers to the image
ADD providers/* /usr/share/terraform/providers/registry.terraform.io

# Add init script
ADD init_custom_worker.sh /usr/local/bin/init_custom_worker.sh

# Update the CA certificates bundle to include newly added CA certificates.
RUN update-ca-certificates

Initialization script

Script must be kept at /usr/local/bin/init_custom_worker.sh
This basically adds the custom provider location.
To do testing add a sleep command to the end of init script and run docker exec to use bash.

#!/bin/bash

cat >> /tmp/cli.tfrc <<EOF
provider_installation {
 filesystem_mirror {
   path    = "/usr/share/terraform/providers"
   include = ["*/*"]
 }
}
EOF

Configure TFE to use custom worker

Make sure that Terraform Enterprise is configured to use the custom worker image by opening the installer dashboard at port 8800 of the installation and choosing Settings > Terraform Build Worker Image > Provide the location of a custom image.

references:

CloudRemote add user

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 16 May 2022 14:21:00 GMT

First we needed to access the remote MQ by browsing the IP and to port 15672 on the CloudRemote VM

Example: http://10.45.99.206:15672/#/users

Next login using "cliqr" user and find the password in the content of /etc/rabbitmq/password in the rabbitmq container found in the docker running in the same MQ server
Next proceeded to add the cliqr_worker with password cliqr_worker in the users
Next we added full permissions on the vhost root for the cliqr_worker user (for both / and ).

VMW cloud remotes

![[Pasted image 20220517092204.png]]

![[Pasted image 20220517092234.png]]

![[Pasted image 20220517092240.png]]

![[Pasted image 20220517092250.png]]

references:

Cloud Remote bootstrap procedure

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 16 May 2022 14:11:00 GMT

Go to path: /opt/cisco/pilot/builds/pilot_release-5.5.2/bin
Run bootstrap.sh
Update the user settings according to:

![[202205161721 CloudRemote add user]]

references:

Terraform scaling VMs

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 04 May 2022 17:02:00 GMT

Define a var file with a list of objects, e.g. VMname, cpu, etc.
Define resource block for VM.
Upon apply, VMs are deployed in an order like : web[0], web[1], web[2]
![[Pasted image 20220504200506.png]]
You can scale up/down from the end, i.e. specify web[3], web[4]. But removal will be LIFO, so web[4], web[3] and so on.

references:

Certificate reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 May 2022 08:47:00 GMT

![[202205021140 openssl convert pkcs to pem]]
![[202204281255 Compare private key and ssl]]
![[202204291221 Openssl generate csr]]
![[202204291133 Certificate output in plaintext]]
![[202204281257 Certificate remove password from private key]]
![[202204281255 Compare private key and ssl]]
![[202204271226 How to create stacked certificates]]

references:

openssl convert pkcs to pem

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 02 May 2022 08:40:00 GMT

openssl pkcs7 -print_certs -in certificate.p7b -out certificate.cer

references:

How to convert PKCS #7 (.p7b) to PEM certificate format using OpenSSL (digicert.com)

Openssl generate csr

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 29 Apr 2022 09:21:00 GMT

Command

openssl req -out fitcsecp.csr -new -newkey rsa:2048 -nodes -keyout fitcsecp_private_key.key -addext "subjectAltName = DNS:domain-name.com"

Fill out details

Country Name (2 letter code) [XX]:
State or Province Name (full name) []:
Locality Name (eg, city) [Default City]:
Organization Name (eg, company) [Default Company Ltd]:
Organizational Unit Name (eg, section) []:
Common Name (eg, your name or your server's hostname) []:
Email Address []:

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

references:

How to create Certificate Signing Request with OpenSSL (ibm.com)

Certificate output in plaintext

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 29 Apr 2022 08:33:00 GMT

Issue

“x509: certificate relies on legacy Common Name field” error

Fix

cert needs to be reissued to include the subjectAltName property, and should be added directly when creating an SSL self-signed certificate using openssl command, by specifying an -addext flag.

-addext "subjectAltName = DNS:domain-name.com"

openssl x509 -in server.crt -noout -text

references:

GENERAL: What should I do if I get an "x509: certificate relies on legacy Common Name field" error? (jfrog.com)

Three-tier CA setup

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 28 Apr 2022 11:21:00 GMT

Architecture

PowerShell Commands

Install

Install-WindowsFeature ADCS-Cert-Authority

Install-AdcsCertificationAuthority -CAType "EnterpriseSubordinateCA" -CACommonName "vKernelRO Issuing Certification Authority 01" -CADistinguishedNameSuffix "DC=vKernelRO,DC=RO" -KeyLength 4096 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"  -DatabaseDirectory "D:\CAdb"  -LogDirectory "D:\CALogs"Implementing a three-tier CA Hierarchy

Uninstall

Uninstall-WindowsFeature ADCS-Cert-Authority

Uninstall-AdcsCertificationAuthority

Create CAPolicy.inf in C:\Windows

[Version]
Signature=$Windows NT$"

[certsrv_server]
Renewalkeylength=2048
RenewalvalidityPeriodUnits=20
RenewalvalidityPeriod=years

CRLPeriod=Years
CRLPeriodUnits=2
CRLOverlapPeriod=Years
CRLOverlapUnits=1
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

DiscreteSignatureAlgorithm=1

Install AD Certificate services role.

![[Pasted image 20220428143118.png]]

![[Pasted image 20220428143029.png]]

Root CA

Create CAPolicy.inf under C:\Windows

[Version]
Signature=$Windows NT$"

[certsrv_server]
Renewalkeylength=2048
RenewalvalidityPeriodUnits=20
RenewalvalidityPeriod=years

CRLPeriod=Years
CRLPeriodUnits=2
CRLOverlapPeriod=Years
CRLOverlapUnits=1
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days

DiscreteSignatureAlgorithm=1

Install AD CS role.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Configure ADCS .

Install-AdcsCertificationAuthority -CAType "StandaloneRootCA" -CACommonName "Finland TCSECP RootCA" -CADistinguishedNameSuffix "DC=fi,DC=tcsecp,DC=com" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"  -DatabaseDirectory "D:\CA\CertDB"  -LogDirectory "D:\CA\CertLogs"  -ValidityPeriod Years  -ValidityPeriodUnits 20

Configure publication points and certificates validity period for the Root CA.
1. Open the Certification Authority console, right-click the CA name and choose Properties.
2. Once the Properties window opens, go to the Extensions tab and remove all the locations from the list except the first one, by selecting them one by one and clicking the Remove button.
3. Then add the url (http://pki.fi.tcsecp.com/crl/RootCA.crl) for the web server as publication point. Never use the HTTPS protocol for CRT/CRL file retrieval because is not going to work. CryptoAPI will permanently fail to fetch HTTPS URLs. check the box Include in the CDP extension of issued certificates.
4. Move to the AIA extension by clicking the Select extension drop-down box. As before, remove all the locations in the list except the first one, then hit the Add button to add the new location (http://pki.fi.tcsecp.com/crl/RootCA.crt) for the root CA certificate. Once added, don’t forget to check the box Include in the AIA extension of issued certificates. Click OK then Yes to restart the Certificate Services service.
Make our root CA issue certificates valid for 10 years

certutil -setreg ca\ValidityPeriodUnits 10
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc
net start certsvc

Copy certs from %Windir%\System32\Certsrv\Certenroll to the Webserver path mentioned in the step above. Rename as needed to Root.crl and Root.crt.

Policy CA

Create CAPolicy.inf under C:\Windows

[Version]
Signature=$Windows NT$"
 
[certsrv_server]
Renewalkeylength=2048
RenewalvalidityPeriodUnits=10
RenewalvalidityPeriod=years
 
CRLPeriod=Years
CRLPeriodUnits=2
CRLOverlapPeriod=Years
CRLOverlapUnits=1
CRLDeltaPeriodUnits=0
CRLDeltaPeriod=days
 
DiscreteSignatureAlgorithm=1

copy the root CA certificate in the policy CA server certificates store. This needs to be imported in the Trusted Root Certification Authorities folder. Verify the same via mmc>certificates.
Install AD CS role.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

Configure ADCS .

Install-AdcsCertificationAuthority -CAType "StandaloneSubordinateCA" -CACommonName "Finland TCSECP PolicyCA" -CADistinguishedNameSuffix "DC=fi,DC=tcsecp,DC=com" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"  -DatabaseDirectory "D:\CA\CertDB"  -LogDirectory "D:\CA\CertLogs"  -ValidityPeriod Years

Copy the .req file created in step a to the root ca.
open the Certification Authority console, right-click the CA name and choose All Tasks > Submit New Request. Select the .req file.
Inside the Pending Request folder we should have a certificate request in a pending state. Right-click it and choose All Tasks > Issue.
Now click the Issued Certificates folder and open the certificate we just issued. Go to the Details tab and click the Copy to File button. Export the certificate by following the wizard.
Back on the policy CA server, open the Certification Authority console, right -click the CA name and choose All Tasks > Install CA Certificate.
Search for the certificate we just exported from the root CA, select it and click Open. The certificate installation will take a few seconds to complete and once it’s done click the green arrow button from the Tools menu to start the Certificate Services service; which should start successfully.
Configure publication points and certificates validity period for the Root CA.
1. Open the Certification Authority console, right-click the CA name and choose Properties.
2. Once the Properties window opens, go to the Extensions tab and remove all the locations from the list except the first one, by selecting them one by one and clicking the Remove button.
3. Then add the url (http://pki.fi.tcsecp.com/crl/InterCA.crl) for the web server as publication point. Never use the HTTPS protocol for CRT/CRL file retrieval because is not going to work. CryptoAPI will permanently fail to fetch HTTPS URLs. check the box Include in the CDP extension of issued certificates.
4. Move to the AIA extension by clicking the Select extension drop-down box. As before, remove all the locations in the list except the first one, then hit the Add button to add the new location (http://pki.fi.tcsecp.com/crl/InterCA.crt) for the root CA certificate. Once added, don’t forget to check the box Include in the AIA extension of issued certificates. Click OK then Yes to restart the Certificate Services service.
Set cert duration to 5 years.

certutil -setreg ca\ValidityPeriodUnits 5
certutil -setreg ca\ValidityPeriod "Years"
net stop certsvc
net start certsvc

Copy certs from %Windir%\System32\Certsrv\Certenroll to the Webserver path mentioned in the step above. Rename as needed to InterCA.crl and InterCA.crt.

Issuer CA

Add gpo to enable root and inter ca certs for all machines.
Go to issuer vms and run gpupdate /force. Verify in mmc>certs.
Create CAPolicy.inf under C:\Windows

[Version]
Signature=$Windows NT$"
 
[certsrv_server]
Renewalkeylength=2048
RenewalvalidityPeriodUnits=5
RenewalvalidityPeriod=years
 
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=24
CRLOverlapUnits=2
CRLOverlapPeriod=Days
CRLDeltaOverlapUnits=Hours
DeltaOverlapPeriod=6
 
DiscreteSignatureAlgorithm=1
LoadDefaultTemplates=0

Install AD CS role.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

User should be enterprise admin. Configure ADCS .

Install-AdcsCertificationAuthority -CAType "StandaloneSubordinateCA" -CACommonName "Finland TCSECP PolicyCA" -CADistinguishedNameSuffix "DC=fi,DC=tcsecp,DC=com" -KeyLength 2048 -HashAlgorithmName SHA256 -CryptoProviderName "RSA#Microsoft Software Key Storage Provider"  -DatabaseDirectory "D:\CA\CertDB"  -LogDirectory "D:\CA\CertLogs"  -ValidityPeriod Years

Copy the .req file to intermediary ca.
open the Certification Authority console, right-click the CA name and choose All Tasks > Submit New Request. Select the .req file.
Inside the Pending Request folder we should have a certificate request in a pending state. Right-click it and choose All Tasks > Issue.
Now click the Issued Certificates folder and open the certificate we just issued. Go to the Details tab and click the Copy to File button. Export the certificate by following the wizard.
Copy the file to the issuer node. open the Certification Authority console, right -click the CA name and choose All Tasks > Install CA Certificate. Start after install is completed.
Backup the CA
1. 1. On the Action menu, click All Tasks, and then click Backup CA.
2. On the Welcome page of the CA backup wizard, click Next.
3. Select Private key and CA certificate and provide a directory name where you want to temporarily store the CA certificate and optionally the key. Click Next.
4. Provide a password to protect the CA key and click Next.
5. Click Finish.
Shutdown the CA to release disk.
1. While the CA is selected in the left pane, on the Action menu, click All Tasks, and then click Stop Service.
Copy the backup created to the second node.
Open mmc --> certificates. expand the Certificates (Local Computer) node and select the Personal store.
Create CAPolicy.inf under C:\Windows

[Version]
Signature=$Windows NT$"
 
[certsrv_server]
Renewalkeylength=2048
RenewalvalidityPeriodUnits=5
RenewalvalidityPeriod=years
 
CRLPeriod=Days
CRLPeriodUnits=7
CRLDeltaPeriod=Hours
CRLDeltaPeriodUnits=24
CRLOverlapUnits=2
CRLOverlapPeriod=Days
CRLDeltaOverlapUnits=Hours
DeltaOverlapPeriod=6
 
DiscreteSignatureAlgorithm=1
LoadDefaultTemplates=0

Install AD CS role.

Install-WindowsFeature ADCS-Cert-Authority -IncludeManagementTools

User should be enterprise admin. Configure ADCS .
1. Select Use existing private key, choose Select a certificate and use its associated private key, then click Next.
2. Select the CA certificate that was generated on the first node and click Next.
3. Change the default paths for the database. In the dialog box stating that an existing database was found, select Yes to overwrite it.
4. Logoff from the node.
Setting up the failover cluster.
1. Create cluster
2. Configure cluster as generic service, and click Next.
3. In the list of services and applications, select Generic Service and click Next.
4. In the list of services, select Active Directory Certificate Services and click Next.
5. Mark the disk storage that is still mounted to the node and click Next.
6. To configure a shared registry hive, click Add, type SYSTEM\CurrentControlSet\Services\CertSvc and then click OK.
7. Click Next twice.
8. Click Finish to complete the failover configuration for certificate services.

Configuring publication points and certificates validity period for the Root CA

http://pki.fi.tcsecp.com/RootCA.crl

Root server

http://pki.fi.tcsecp.com/crl/RootCA.crl
http://pki.fi.tcsecp.com/crl/RootCA.crt

Install clustered issuing CAs

User should be enterprise admin
root and inter certs applied as gpo
gpupdate /force
install ca role and configure.
1. Install-WindowsFeature ADCS-Cert-Authority
Configuration:
1. FITCSECP-IssuerCA

DN to use
CN = FITCSECP-RootCA
CN = FITCSECP-InterCA
CN=FITCSECP-IssuerCA
DC=fi
DC=tcsecp
DC=com

references:

Certificate remove password from private key

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 28 Apr 2022 09:57:00 GMT

Remove Private key

openssl rsa -in [file1.key] -out [file2.key]

references:
Remove private key password using openSSL – Tricks and Picks (wordpress.com)

Compare private key and ssl

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 28 Apr 2022 09:55:00 GMT

openssl x509 -noout -modulus -in cert.crt | openssl md5  
openssl rsa -noout -modulus -in privkey.txt | openssl md5

where:
cert.crt is your certificate
privkey.txt is your private key.

references:

How to verify if a Private Key Matches a Certificate? (ibm.com)

Ansible Jinja2 reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 28 Apr 2022 07:49:00 GMT

Filters - file

basename

win_basename

win_splitdrive

references:

Jinja2 Reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 27 Apr 2022 13:56:00 GMT

Jinja2 is used for templating.

String manipulation

Substitution

The name is {{ name }}

Upper case

The name is {{ name|upper }}

Title Case

{{ book_name|title }}

Replace

{{ dialogue | replace("Bourne","Bond") }}

Array

Highest number in an array

{{ numbers | max }}

Last number in an array

{{ numbers | last }}

Join

{{ words | join(' ') }}

Number of words

{{ words | wordcount }}

Loops

{% for name_server in name_servers -%}
nameserver {{ name_server }}
{% endfor %}

Input:

{
  "hosts": [
    {
      "name": "web1",
      "ip_address": "192.168.5.4"
    },
    {
      "name": "web2",
      "ip_address": "192.168.5.5"
    },
    {
      "name": "web3",
      "ip_address": "192.168.5.8"
    },
    {
      "name": "db1",
      "ip_address": "192.168.5.9"
    }
  ]
}

{% for host in hosts -%}
{{ host.name }} {{ host.ip_address }}
{% endfor %}

IF

{% for host in hosts -%}
  {% if "web" in host.name %}
{{ host.name }} {{ host.ip_address }}
  {% endif %}
{% endfor %}

references:
Jinja | The Pallets Projects
Jinja — Jinja Documentation (3.1.x) (palletsprojects.com)

Windows unable to take RDP

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 27 Apr 2022 09:32:00 GMT

Server 2003 The RPC server is unavailable while trying to take RDP

Go to HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server
Create a new key selecting Dword and name it as IgnoreRegUserConfigErrors
now double click it and give a value as 1

references:

vmdk based migration

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 27 Apr 2022 09:29:00 GMT

If NFS only RO

Upload vmdk/vmx files to datastore, based on free space. Create the folder with VMNAME.
Register the vmx file. Specify all the disks.
We can look at the vmx file to view all the paths. No need to edit anything.

If NFS has RW access

Map the NFS to VMware.
Register the VM using the .vmx file.
After registration, update the vmdetails (network should exist on target)
Perform storage migration.

references:

How to create stacked certificates

sajal@sajalchoudhary.net (Sajal Choudhary) — Wed, 27 Apr 2022 09:26:00 GMT

Stacked cert should be in this order:

Server --> intermediary --> root

references:

Windows Event ID reference

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 26 Apr 2022 13:12:00 GMT

Member removed from local group

Event ID: 4733

references:

4733(S) A member was removed from a security-enabled local group. (Windows 10) - Windows security | Microsoft Docs

Ansible Variable Precedence

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Apr 2022 14:17:00 GMT

In the order:

Extra vars
Play vars
Host vars
Group vars

references:

Setup password less ssh

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Apr 2022 12:55:00 GMT

Create SSH pair

ssh-keygen -f /home/thor/.ssh/maria

Copy public key to remote server

ssh-copy-id -i ~/.ssh/tatu-key-ecdsa user@host

references:

VM deployment to VMware

sajal@sajalchoudhary.net (Sajal Choudhary) — Mon, 25 Apr 2022 11:31:00 GMT

Disk

One of datastore_id or datastore_cluster_id must be specified.
Use of datastore_cluster_id requires vSphere Storage DRS to be enabled on the specified datastore cluster.
The datastore_cluster_id setting applies to the entire virtual machine resource. You cannot assign individual individual disks to datastore clusters. In addition, you cannot use the attach setting to attach external disks on virtual machines that are assigned to datastore clusters.

references:

vsphere_virtual_machine | Resources | hashicorp/vsphere | Terraform Registry

kubectl cheat sheet

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 22 Apr 2022 08:32:00 GMT

Get nodes and IP details

kubectl get nodes -o wide --no-headers | awk '{ print $1 ,$7}'

references:

Terraform variables

sajal@sajalchoudhary.net (Sajal Choudhary) — Fri, 22 Apr 2022 08:19:00 GMT

Precedence

Terraform loads variables in the following order, with later sources taking precedence over earlier ones:

Environment variables
The terraform.tfvars file, if present.
The terraform.tfvars.json file, if present.
Any *.auto.tfvars or *.auto.tfvars.json files, processed in lexical order of their filenames.
Any -var and -var-file options on the command line, in the order they are provided. (This includes variables set by a Terraform Cloud workspace.)

references:

Input Variables - Configuration Language | Terraform by HashiCorp

Linux ping multiple ips

sajal@sajalchoudhary.net (Sajal Choudhary) — Thu, 21 Apr 2022 11:58:00 GMT

for i in `cat ips.txt`; do if [ "`ping -c 1 $i`" ]; then echo $i,pinging; else echo $i,failed; fi; done >> output.txt

#!/bin/bash  
for ips in $(cat ip-list.txt); do  
if ping -c 1 $ips &> /dev/null  
then  
echo $ips",pinging"  
else  
echo $ips",notpinging"  
fi  
done

references:

PowerShell Arrays

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Apr 2022 12:31:00 GMT

How to create arrays

An empty array can be created by using @()

Example array:

$ExampleArray = @(
	"C:\test",
	"C:\test2"
)

references:

Everything you wanted to know about arrays - PowerShell | Microsoft Docs

VB script run

sajal@sajalchoudhary.net (Sajal Choudhary) — Tue, 12 Apr 2022 06:53:00 GMT

Issues

Cscript.exe is not recognised

Open regedit.
Go to HKCR\CLSID{B54F3741-5B07-11cf-A4B0-00AA004A55E8}\InprocServer32
Within it, there is a registry value called (Default) which should carry a Data value of:

C:\Windows\system32\vbscript.dll

If it's anything else, we need to change it to the above.

references:

cscript.exe not recognised