So here’s a question I want you to try answering off the top of your head: which certificate is your domain controller using for Kerberos and LDAPS, and what happens when there are multiple valid certificates in its certificate store?
The answer is obvious once you know it, but it was the question I faced recently, and I ended up having to poke around a little to answer it.
The scenario: having built a new multi-tier PKI in our environment, I have reached the point of migrating services to it, including the auto-enrolled certificate templates used on domain controllers.
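The check I wanted at this point, as an added example that is not code from the original post: enumerate the certificates Schannel could choose from on the DC, then open a TLS connection to port 636 and see which one the DC actually presents. The DC name dc01.corp.example is a placeholder; run it on the DC itself with local administrator rights.

```powershell
# Added example (not from the original post). Assumes a DC named dc01.corp.example (hypothetical)
# and that it is run with local admin rights on that DC.
$Dc = 'dc01.corp.example'

# Candidates Schannel can pick from for LDAPS: machine-store certs with a private key and the
# Server Authentication EKU (1.3.6.1.5.5.7.3.1). Smart-card / PKINIT logon additionally needs the
# KDC Authentication EKU (1.3.6.1.5.2.3.5), so the EKU list is shown for each candidate.
$candidates = Get-ChildItem Cert:\LocalMachine\My | Where-Object {
    $_.HasPrivateKey -and ($_.EnhancedKeyUsageList.ObjectId -contains '1.3.6.1.5.5.7.3.1')
} | Select-Object Subject, Thumbprint, NotBefore, NotAfter,
    @{ n = 'Template'; e = {
        # v2 template info (1.3.6.1.4.1.311.21.7) or v1 template name (1.3.6.1.4.1.311.20.2)
        $ext = $_.Extensions | Where-Object { $_.Oid.Value -in '1.3.6.1.4.1.311.21.7', '1.3.6.1.4.1.311.20.2' }
        if ($ext) { ($ext | Select-Object -First 1).Format($false) }
    } },
    @{ n = 'EKUs'; e = { ($_.EnhancedKeyUsageList.FriendlyName) -join ', ' } }

$candidates | Format-Table -AutoSize

# A certificate placed in the NTDS service store (certlm.msc -> Service accounts ->
# Active Directory Domain Services -> NTDS\Personal) takes precedence over the machine store.
# It is not visible through the Cert: drive; list it with:
#   certutil -service -store NTDS\My

# What the DC actually presents on 636, as a client sees it. The validation callback returns
# $true so that a certificate from a not-yet-trusted PKI is still captured rather than rejected.
function Get-ServedCertificate {
    param([Parameter(Mandatory)][string]$ComputerName, [int]$Port = 636)
    $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
    try {
        $cb  = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        $ssl.AuthenticateAsClient($ComputerName)
        New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ssl.RemoteCertificate)
    } finally {
        $tcp.Close()
    }
}

$served = Get-ServedCertificate -ComputerName $Dc
"LDAPS on $Dc presents: $($served.Subject) / $($served.Thumbprint) (issuer $($served.Issuer), expires $($served.NotAfter))"

if ($candidates.Thumbprint -notcontains $served.Thumbprint) {
    Write-Warning 'Served certificate is not one of the machine-store candidates; check the NTDS\Personal store.'
}
```

Comparing the served thumbprint against the candidate list is the only reliable way to know which certificate won when several are valid; the Template column makes it obvious whether it came from the old or the new PKI.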
Dell EMC OpenManage Enterprise has been available as a Tech Release for a couple of months now, and I have recently had an opportunity to sit down and do some evaluation of the product at work.
The following thoughts and comments are made based on the version 1.0.0 (build 543) appliance.
OpenManage Enterprise (OMEnt) is described by Dell EMC as the next generation of their OpenManage Essentials (OMEss) platform. At face value it has some really good features going for it:
The system is now deployed from an appliance template (OVF, VHD etc). No more having to customise a host OS build for the application, and no more OS licensing considerations.
The UI is now HTML5. I can’t begin to describe how happy I am to see the end of Silverlight…
I’m sure many of you realise that for systems of high value, whether because of the information they hold or the business impact of an outage or data breach, you want to turn up the monitoring. Best practice says you should monitor pretty much all activity associated with local users and groups, but today I want to focus on interactive logins to servers.
This has mainly come about from my own recent need to notify on any interactive login to a particular server, whether over Remote Desktop or at the console.
My first thought was to create a SCOM rule that would report on Security log Event ID 4624 and, if the Logon Type was 2 (interactive console logon) or 10 (RemoteInteractive, i.e. RDP), send an email. As it turned out, this was much harder than I expected: I found that the Logon Type was not consistently passed as a parameter, and doing a text search on the entire message is not good practice.
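As an added example that is not from the original post, here is the filter I would use instead of a message-text search: an XPath query over the event's structured EventData, applied with Get-WinEvent. The same <QueryList> can be pasted into a Task Scheduler "On an event" custom trigger or an Event Viewer custom view, and it is the same field-level filter a SCOM rule should express. The mail recipient and SMTP server are placeholders.

```powershell
# Added example (not from the original post). Filters 4624 on the structured LogonType field via
# XPath, so no text match on the rendered message is needed.
# Logon types: 2 = Interactive (console, also runas), 10 = RemoteInteractive (RDP),
# 11 = CachedInteractive (console logon with cached domain credentials).
$Query = @'
<QueryList>
  <Query Id="0" Path="Security">
    <Select Path="Security">
      *[System[EventID=4624]]
      and *[EventData[Data[@Name='LogonType']='2'
                   or Data[@Name='LogonType']='10'
                   or Data[@Name='LogonType']='11']]
    </Select>
  </Query>
</QueryList>
'@

function Get-InteractiveLogon {
    param(
        [string]$ComputerName = $env:COMPUTERNAME,
        [int]$MaxEvents = 50
    )
    Get-WinEvent -ComputerName $ComputerName -FilterXml $Query -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
        ForEach-Object {
            # Read named fields from the event XML rather than parsing the rendered message.
            $x = [xml]$_.ToXml()
            $d = @{}
            foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }
            [pscustomobject]@{
                Time      = $_.TimeCreated
                Computer  = $x.Event.System.Computer
                User      = "$($d.TargetDomainName)\$($d.TargetUserName)"
                LogonType = $(switch ($d.LogonType) {
                                '2'  { 'Interactive (console)' }
                                '10' { 'RemoteInteractive (RDP)' }
                                '11' { 'CachedInteractive' }
                                default { $d.LogonType } })
                Source    = $d.IpAddress
                Process   = $d.ProcessName
            }
        }
}

# Report the most recent interactive logons on this host and mail them.
$logons = Get-InteractiveLogon -MaxEvents 20
$logons | Format-Table -AutoSize

if ($logons) {
    # Recipient and SMTP server below are placeholders for your environment.
    Send-MailMessage -To 'soc@corp.example' -From "$env:COMPUTERNAME@corp.example" `
        -SmtpServer 'smtp.corp.example' -Subject "Interactive logons on $env:COMPUTERNAME" `
        -Body ($logons | Out-String)
}
```

Two caveats: Logon Type 2 also fires for runas and for some service-account logons made through the interactive path, so expect to tune the User field; and a scheduled run like this will re-report old events unless you also record the last TimeCreated seen, which is why an event-triggered task or a SCOM rule on the same XPath is the better production shape.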
iDRAC firmware 2.40.40 was released on 17th Oct 2016. Details are in Dell’s release notes.
We have recently had the need to upgrade our iDRAC firmware to 2.40.40 on one of our servers while troubleshooting another issue with Dell and found shortly after that this particular server was no longer able to be discovered by Dell OpenManage Essentials.
We found that after updating, the iDRAC’s TLS protocol setting was TLS 1.2, which Windows versions older than Server 2012 R2 do not use by default for outbound connections (our OME server runs on Windows Server 2012). Microsoft has a patch that enables it. This is all covered in the firmware release notes.
The other alternative, which we have chosen for now because this firmware is only on one device, is to set the iDRAC to accept the older TLS versions, which can be found under the iDRAC Network Settings in the Services tab. Note that this widens what the management interface will accept, so treat it as a temporary workaround rather than a fix:
I’ll apply the Microsoft patch to the OME system, and then set the iDRAC back to TLS 1.2.
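To confirm what the iDRAC will actually negotiate before and after changing that setting (and to confirm the older versions are refused again once it is set back to 1.2), here is an added example that is not from the original post. It offers exactly one TLS version per connection and reports whether the handshake succeeds. The iDRAC hostname is a placeholder. Note that this exercises Schannel through .NET, so a passing TLS 1.2 row shows the OS can do it; an application with its own HTTP stack or WinHTTP defaults may still need the Microsoft patch.

```powershell
# Added example (not from the original post). Assumes an iDRAC reachable as idrac-r730-01
# (hypothetical). Run from the OME server so the test uses that host's own TLS stack.
function Test-TlsProtocol {
    param(
        [Parameter(Mandatory)][string]$ComputerName,
        [int]$Port = 443,
        [System.Security.Authentication.SslProtocols[]]$Protocols = @('Tls', 'Tls11', 'Tls12')
    )
    # The iDRAC default certificate is self-signed; accept it so the result reflects the protocol only.
    $cb = [System.Net.Security.RemoteCertificateValidationCallback] { $true }
    foreach ($p in $Protocols) {
        $tcp = New-Object System.Net.Sockets.TcpClient($ComputerName, $Port)
        $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $cb)
        try {
            # Offer exactly one protocol version; a handshake failure means one side refuses it.
            $ssl.AuthenticateAsClient($ComputerName, $null, $p, $false)
            [pscustomobject]@{ Host = $ComputerName; Offered = $p; Result = 'OK'
                               Negotiated = $ssl.SslProtocol; Detail = $ssl.CipherAlgorithm }
        } catch {
            [pscustomobject]@{ Host = $ComputerName; Offered = $p; Result = 'FAILED'
                               Negotiated = $null; Detail = $_.Exception.GetBaseException().Message }
        } finally {
            $ssl.Dispose()
            $tcp.Close()
        }
    }
}

Test-TlsProtocol -ComputerName 'idrac-r730-01' | Format-Table -AutoSize
```

With the workaround in place you should see TLS 1.0 and 1.1 rows succeed; after the patch and setting the iDRAC back to 1.2, only the Tls12 row should pass.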
A couple of weeks ago SAGE-AU announced that it was undergoing a name change and rebrand, to become the IT Professional Association, ITPA.
As a long-time SAGE-AU and now ITPA member, this has come as little surprise; it has been on the cards for close to four years now. It does, however, mean good things for the organisation.
What I will say, though, is that if you are an IT professional in Australia, your representation to government and industry is weak. Only 5% of people who identify as IT professionals in Australia are members of a professional body like ITPA, ACS or AISA, compared with, say, accountants, who have near 100% membership of CPA or ICAA.
One of the tasks I am working on is the configuration of our fleet of Dell servers to use Dell’s OpenManage Essentials monitoring and management platform. One of the servers, however, was unwilling to have its SNMP configuration changed using the vSphere CLI tools and was generating the following error:
Changing notification(trap) targets list to: myserver.local@162/DELLOME…
Use of uninitialized value $sub in string eq at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VIMRuntime.pm line 81.
Use of uninitialized value $package in concatenation (.) or string at C:/Program Files (x86)/VMware/VMware vSphere CLI/Perl/lib/VMware/VIMRuntime.pm l
Undefined subroutine &Can’t call method “ReconfigureSnmpAgent” on an undefined value at C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-snmp.pl line 297.
::fault_string called at C:\Program Files (x86)\VMware\VMware vSphere CLI\bin\vicfg-snmp.pl line 299.
OK, fine. Let’s try logging in to the host’s ESXi Shell and using esxcli to set the trap target:
Community string was not specified in trap target: myserver.local
Clearly something is broken with the SNMP configuration on the host itself, which is why both the remote vSphere CLI call and the local esxcli fail. Luckily the VMware forums were quick to supply a solution.
The SNMP settings for ESXi are stored in the XML file /etc/vmware/snmp.xml. You can either clear this file (cat /dev/null > /etc/vmware/snmp.xml) and reconfigure from scratch, or, if you know what the settings should be, modify it directly; back it up first, and restart the agent afterwards (/etc/init.d/snmpd restart) so it re-reads the file. In my case I needed to update the <targets></targets> XML tag so that each target carried a community string: