RSAT MMC CA “Install CA Certificate” Bug

I plan on releasing a three-part blog series on configuring a new CA infrastructure inside an existing one where an Enterprise root CA has already been configured. In my series I decided to use Core servers; these add an extra layer of issues, as managing them is a little more difficult and usually requires more cmd-based knowledge, or better yet PowerShell whenever such options are available. Turns out in this case even more so than ever.

I won’t go into too much detail here, as I’ll save that for the series. Basically, one step requires me to import the signed certificate into the subordinate Enterprise CA, and it being Core, I have to use the RSAT MMC CA snap-in (funny enough, even if you have Desktop Experience it’s the same tool and snap-in).

What I discovered is that when I used the RSAT tool on a remote client system, with the snap-in connected to my actual CA server, it would never actually load the import wizard.

I’d right click my CA, select the option to install a CA certificate:

Then it simply acts as if it’s reloading the snap-in…

Then nothing… So I asked about it on Technet. Lucky for me Mark Cooper the Master PKI guy came to my rescue.

The solution: On the Sub CA

certutil -installcert <your certificate file name here>
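The same certutil step wrapped in a PowerShell function, with the checks I would want before and after it. This is an added example, not code from the original post or from Mark Cooper; the certificate path is an assumption and the chain check relies on the root CA certificate already being in the sub CA’s trusted root store.

```powershell
# Added example (not from the original post): install a signed subordinate CA
# certificate with certutil -installcert and confirm the CA comes back up.
function Install-SubCaCertificate {
    param(
        # Assumed path; use the .cer/.crt file the parent CA issued to this sub CA.
        [Parameter(Mandatory)] [string] $CertPath
    )
    if (-not (Test-Path -LiteralPath $CertPath)) {
        throw "Certificate file not found: $CertPath"
    }

    # Inspect the file before touching the CA: the subject should be this sub CA's
    # name and the issuer the enterprise root. A wrong file is cheapest to catch here.
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 -ArgumentList $CertPath
    Write-Host "Subject : $($cert.Subject)"
    Write-Host "Issuer  : $($cert.Issuer)"
    Write-Host "Expires : $($cert.NotAfter)"

    # -installcert needs to build a chain to a trusted root; verify that first so the
    # failure message points at the missing root rather than at the CA service.
    & certutil.exe -verify $CertPath | Out-Null
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -verify failed (exit $LASTEXITCODE); is the root CA certificate in the trusted root store?"
    }

    # The step from the post, run on the sub CA itself.
    & certutil.exe -installcert $CertPath
    if ($LASTEXITCODE -ne 0) {
        throw "certutil -installcert failed with exit code $LASTEXITCODE"
    }

    # A new sub CA's service stays stopped until its certificate is in place.
    Start-Service -Name CertSvc

    # -ping checks that the CA service is answering RPC requests.
    & certutil.exe -ping | Out-Null
    if ($LASTEXITCODE -ne 0) {
        Write-Warning "CA service is not answering yet; check the Application event log."
    }
    return ($LASTEXITCODE -eq 0)
}

# Usage (elevated, on the sub CA):
# Install-SubCaCertificate -CertPath 'C:\CAConfig\SubCA.cer'
```

The subject/issuer print-out is the part I would not skip: on a Core box there is no certificate dialog to glance at, so echoing what is about to be installed is the only sanity check you get.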

Get your Free ESXi here!

Get ’em while they’re hot. Fresh from the bunnums of the internet!

Now I love my ESXi, and I recently converted my old gaming rig into a hypervisor with none other than my favorite beast, ESXi! I first played with 6.5, and don’t get me wrong, the fact that you get a direct login to the host right from a fresh install is such a thing of beauty, with a plugin available for a smoother console experience than the web-driven one. While the HTML5-based web interface is very slick, the console isn’t exactly 100% real time. With the plugins it’s a nice way around that; however, the host management tasks are all locked down to the host’s HTML5 web interface. So there goes any chance of using the old phat (.NET-based) client. I have to say that’s sad, ’cause I LOVE the phat client; it is by far the smoothest of all management interfaces, in my experience.

Anyway, logging into my personal host… I see this

This of course doesn’t surprise me. However, believe it or not, you can continue to run ESXi completely free. It’s generally enough for most people’s needs; there are, however, some limitations:

  • No support
  • Free ESXi cannot be added to a vCenter Server
  • 2 physical CPUs
  • Unlimited cores per CPU
  • Unlimited physical Memory
  • max. 8 vCPU per VM

I won’t go over the details too much, but the basic steps are as follows:

  1. Sign up to VMware.com
  2. Go to the vSphere Download Center, 6.5 or 5.5.
  3. Register, Download your ISO and grab your Key.

Free ESXi 6.5 – How to Download and get License Keys

USB 3.0 Support on Windows 7 Guest VM

In short, it’s not supported. If you’re running Workstation 9 or above, there’s this trick.

Now this guy goes into the real nitty gritty, and I love that! I, however, was working with ESXi 5.5 U3b. VMware did the same thing with the ESXi hypervisor and introduced USB 3.0 support via the xHCI controller. However, the exact same limitations apply:

1) Drivers of USB 3.0 Host Controller are not provided by VMware Tools.

2) VMware USB 3.0 Host Controller will work only if your Virtual Machine OS has Native USB 3.0 Support. Examples of such OS are – Windows 8, Windows Server 2012 and Linux Kernel 2.6.31 and above.

He goes on to say he’s screwed, but I’ve found the older EHCI+UHCI controller works for USB 1.1 and 2.0 devices; I haven’t fully tested all scenarios, however. For a Windows Server 2016 VM on an HP Gen9 server with ESXi 5.5, my findings were as follows:

  1. Installed xHCI usb controller, via VM settings.
  2. Guest OS picked up hardware change and installed driver without issue.
  3. Plugged in USB 2.0 device, showed up in Host, as USB device became available to add to VM via VM settings, so added device.
  4. Guest OS didn’t see the USB device connected.
  5. Removed device via VM settings, then disconnected from host.
  6. Connected USB 3.0 Stick into host, added to VM via VM settings.
  7. Device was seen on Guest VM, and performance was equal to that of the sticks specs. (18~20 MB/s write, 100+MB/s Read)

I wasn’t sure why the USB 2.0 device didn’t show up, so I simply removed the xHCI USB controller and instead installed the EHCI+UHCI one. I reconnected the USB 2.0 device and added it to the VM, and this time the device did show up. I can’t remember the exact performance counters; I’ll update this post when I do some better analysis. My plan is to script some I/O tests using diskspd and PowerShell. Stay tuned. 😀

I’m also going to see if I can connect the same USB device via hardware pass-through instead of using the USB controller and device options in the VM settings. I’ve mainly done this with RDMs and storage controllers on storage-type VMs (FreeNAS mostly).

As for the main point of this post… I figured that from the main link I posted, and this one here as well from the VMware forums, I’d be able to find a way to make the xHCI controller work on the Windows 7 guest VM. The answer is basically: grab the Intel xHCI drivers for Windows 7/2008 R2 from Intel and install them manually, not via the setup.exe.

To my dismay I couldn’t get it to work: the wizard simply couldn’t locate the device (since the hardware IDs didn’t match), and when I installed the driver anyway, the device wouldn’t start.

I even tried using Double Driver (a driver extraction tool) against a newer guest OS. This also failed. I simply couldn’t get it to work.

Lame man’s V2V

Quick V2V’s

There are multiple ways to do a V2V depending on your migration/conversion.

See here, here and here for some source examples and more in-depth reviews of alternative tools/products, or even V2P, as unlikely as that may be 😛

VMDK to VHDX

This one will be short n sweet.
V2V a VMDK to a VHDX

Get this.

DO this:

Import-Module 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1'

# (Drive): is a placeholder for the drive letter holding the disk image
ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath '(Drive):\VM-disk1.vmdk' -VhdType DynamicHardDisk -VhdFormat vhdx -destination '(Drive):\vm-disk1'

This was nice, but after a good amount of time, I realized I don’t like using Hyper-V much…. so how do you convert back from VHDX to a VMDK?

VHDX to VMDK

I used a Linux open-source tool:

Using qemu-img in Linux

Ubuntu Linux is used in this example for running qemu-img.

First, install qemu-img from the online software repositories:

sudo apt-get install qemu-utils

*Note: if using an Ubuntu live image you will need to enable the community (Universe) repository (outside the scope of this post).

Go to the directory where virtual disk images are stored (in this example VHD and VHDX virtual disk files are stored in /media/user1/data/):

cd /media/user1/data/

Check the VHDX file

Get the root privileges (with the sudo su command) and view the VHD image information:

qemu-img info test-disk.vhd

How to convert VHD to VMDK with qemu-img – checking the VHD info

Similarly, you can check the information about the VHDX virtual disk:

qemu-img info /media/user1/data/WinServer2016.vhdx

Check the VHDX info before you convert VHDX to VMDK with qemu-img

Convert VHD to VMDK in Linux

In order to convert VHD to VMDK with qemu-img in Linux, run the command as root:

qemu-img convert /media/user1/data/WinServer2016.vhdx -O vmdk /media/user1/data/WinServer2016qemu.vmdk -p

Where:

-O – define the output file format

-p – show the progress bar

Wait until the conversion process is finished.

Using qemu-img in Windows

Download qemu-img from the official web site (32-bit and 64-bit installers are available to download). In the current example, qemu-img-win-x64-2_3_0 is used. Extract files from the downloaded archive, for example, to C:\Programs\qemu-img\. Then launch the Windows command line (CMD) – press Windows+R to open the “Run” box, type “cmd” into the box and press Ctrl+Shift+Enter to run the command as an administrator.

Go to the qemu-img directory:

cd C:\Programs\qemu-img

Commands of qemu-img in Linux and Windows are identical.

Convert VHD to VMDK in Windows

Run CMD as administrator and go to the directory where qemu-img is installed.

View the virtual disk information:

qemu-img.exe info c:\Virtual\Hyper-V\test-disk.vhd

Convert the VHD disk image to the VMDK format:

qemu-img.exe convert -p c:\Virtual\Hyper-V\test-disk.vhd -O vmdk c:\Virtual\Hyper-V\test-disk.vmdk

Where:

-p – show progress

-O – the output file

Wait until the conversion process is finished.

How to convert VHD to VMDK – using qemu-img as VHD to VMDK converter

Now the main thing to note is that this conversion produces a VMDK “type” that will only work with VMware Workstation… so if you need to attach this VMDK to an ESXi VM, you’ll need to “import it”, i.e. convert it to the proper type… I’m usually a fan of VMware, but this one is kind of lame.
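Both conversions from this post (MVMC for VMDK to VHDX, qemu-img for VHDX to VMDK) wrapped in PowerShell, with the one check worth doing after any V2V: the output disk must report the same virtual size as the input. This is an added example, not the post’s own code or anything shipped by Microsoft or the qemu project. It assumes qemu-img.exe is in C:\Programs\qemu-img as in the post, MVMC is installed in its default location, and the `-DestinationLiteralPath` parameter is the full name of the `-destination` abbreviation used above. The `subformat` option is real qemu-img syntax; the ESXi-side `vmkfstools -i` clone is the “import” step the post refers to and still has to be run on the host.

```powershell
# Added example, not from the original post.
$QemuImg    = 'C:\Programs\qemu-img\qemu-img.exe'   # assumed install path
$MvmcModule = 'C:\Program Files\Microsoft Virtual Machine Converter\MvmcCmdlet.psd1'

function Get-DiskInfo {
    # qemu-img reads vmdk, vhd and vhdx alike, so one helper verifies both directions.
    param([Parameter(Mandatory)][string] $Path)
    $json = & $QemuImg info --output=json $Path | Out-String
    if ($LASTEXITCODE -ne 0) { throw "qemu-img info failed for $Path (exit $LASTEXITCODE)" }
    return ($json | ConvertFrom-Json)   # properties: format, virtual-size, actual-size, ...
}

function Convert-VmdkToVhdx {
    # Direction 1 from the post: MVMC cmdlet, VMDK -> dynamically expanding VHDX.
    param([Parameter(Mandatory)][string] $Source, [Parameter(Mandatory)][string] $Destination)
    Import-Module $MvmcModule
    ConvertTo-MvmcVirtualHardDisk -SourceLiteralPath $Source -DestinationLiteralPath $Destination `
        -VhdType DynamicHardDisk -VhdFormat vhdx
}

function Convert-VhdxToVmdk {
    # Direction 2 from the post: qemu-img, VHDX -> VMDK.
    param(
        [Parameter(Mandatory)][string] $Source,
        [Parameter(Mandatory)][string] $Destination,
        # qemu-img's default vmdk subformat is monolithicSparse, the hosted (Workstation)
        # layout. streamOptimized is the layout used for OVF/OVA packages. Either way an
        # ESXi host still needs `vmkfstools -i in.vmdk out.vmdk -d thin` to clone the
        # disk into VMFS format before a VM can use it.
        [ValidateSet('monolithicSparse', 'monolithicFlat', 'streamOptimized')]
        [string] $SubFormat = 'streamOptimized'
    )
    & $QemuImg convert -p $Source -O vmdk -o "subformat=$SubFormat" $Destination
    if ($LASTEXITCODE -ne 0) { throw "qemu-img convert failed (exit $LASTEXITCODE)" }
}

function Test-ConversionMatches {
    # Returns $true when source and destination report the same virtual disk size.
    # A silently truncated output is the failure mode this catches.
    param([Parameter(Mandatory)][string] $Source, [Parameter(Mandatory)][string] $Destination)
    $src = Get-DiskInfo -Path $Source
    $dst = Get-DiskInfo -Path $Destination
    Write-Host ("{0}: {1}, {2} bytes virtual" -f $Source,      $src.format, $src.'virtual-size')
    Write-Host ("{0}: {1}, {2} bytes virtual" -f $Destination, $dst.format, $dst.'virtual-size')
    return ($src.'virtual-size' -eq $dst.'virtual-size')
}

# Usage (paths are placeholders):
# Convert-VhdxToVmdk -Source 'D:\WinServer2016.vhdx' -Destination 'D:\WinServer2016.vmdk'
# Test-ConversionMatches -Source 'D:\WinServer2016.vhdx' -Destination 'D:\WinServer2016.vmdk'
```

`actual-size` in the same JSON tells you how much of the output is allocated, which is the number to compare against free space on the datastore before uploading.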

Don’t Squat on my Name

I found this interesting. I was checking out my DNS server to create some new static host records for my newly networked test environment/sandbox. To my surprise I found these weird new DHCID (Dynamic Host Configuration Identifier) records. I wasn’t sure what was up with them, but I did notice they were paired with an A host record (same name, different value). A quick Google search revealed this nice old MS gem.

It states: “Name squatting occurs when a non-Windows-based computer registers in Domain Name System (DNS) with a name that is already registered to a Windows-based computer.” Susie Long pretty much states the same thing in this TechNet post.

What I found in my case was that the records existed for only a couple of users, and they came from their iPhones: I had replaced them with new iPhones and set the new phones up by using iTunes to back up and restore the old phones’ contents. I’m assuming it’s because the same name already existed in DNS from the old phone’s DHCP request, and the new phone had the same device name after the restore. In my case I knew they weren’t important records, since no one would ever need to reach their phones by DNS name, lol. So I simply deleted them. We’ll see if they come back.

I already knew all about DHCP and DNS scavenging but this was a new one for me. 😀
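Before deleting pairs like these, it helps to list every DHCID record in the zone next to the A record that shares its name, so you can see which hosts are involved and when each record was last touched. This is an added example, not from the post; it assumes the DnsServer RSAT module and uses `lab.local` as a placeholder zone name.

```powershell
# Added example (not from the original post): report DHCID/A record pairs in a zone.
function Get-DhcidPairs {
    param(
        [Parameter(Mandatory)][string] $ZoneName,
        # DNS server to query; defaults to the local machine (run on a DC or with RSAT).
        [string] $ComputerName = $env:COMPUTERNAME
    )
    $dhcidRecords = Get-DnsServerResourceRecord -ZoneName $ZoneName -RRType DhcId `
        -ComputerName $ComputerName -ErrorAction SilentlyContinue

    foreach ($rec in $dhcidRecords) {
        # The A record with the same owner name is the one a DHCP client registered.
        $a = Get-DnsServerResourceRecord -ZoneName $ZoneName -Name $rec.HostName -RRType A `
            -ComputerName $ComputerName -ErrorAction SilentlyContinue

        [pscustomobject]@{
            HostName      = $rec.HostName
            IPAddress     = ($a.RecordData.IPv4Address -join ',')
            # Timestamp is $null for static records and set for dynamic (aging) ones,
            # which tells you whether scavenging will ever remove the pair.
            ARecordStamp  = $a.Timestamp
            DhcidStamp    = $rec.Timestamp
            ARecordTtl    = $a.TimeToLive
        }
    }
}

# Usage: Get-DhcidPairs -ZoneName 'lab.local' | Sort-Object HostName | Format-Table -AutoSize
```

A DHCID whose sibling A record has no Timestamp is the odd case: a static name that a DHCP client is also claiming, which is exactly the name-squatting scenario the Microsoft article describes.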

SharePoint User Full Control – Site has not been shared with you

I’ll keep this one short. After my recent SharePoint migration (ahem, 1 web app out of 6 I have yet to complete), I noticed my standard user account was not able to add pages to my new 2016 site. A little different than this blog post about being unable to edit; however, the fix was exactly the same.

  1. First ensure you have site collection admin rights on the site collection in question.
  2. Load the site with this account (I noticed there’s only logout, and no longer sign in with another user under the user hamburger menu, so open a browser as the user with site collection admin rights).
  3. Go to Site Settings -> Master pages and page layouts
  4. In his case, as well as mine, the library had unique permissions (not sure why; I have yet to log into my old SharePoint site and check whether it was like this before the migration). Simply make it inherit permissions from the root site.

I was able to find this info on TechNet. I’m on there quite frequently; feel free to check out some of my posts. 😀 Maybe there’s a way I can add my TechNet profile to the WordPress social links. 😀 Stay tuned.

Spectre Meltdown

If you’re reading this then chances are more than likely you’re looking up information on the two biggest vulnerabilities to be announced since Heartbleed.

Now there are just a ton of people talking about these vulnerabilities, so I’m going to try and avoid all the real technical mumbo jumbo.

First things first… are you affected?!

*Shakes 8 ball* Most Likely.

Now you might be wondering, “How can that be?!” Well, first let’s talk about Meltdown. Meltdown apparently affects Intel chips only. In short, it’s a weakness in how the CPU handles memory. Do you have an Intel chip running your computer? Chances are more than likely. Running Windows? Well, you’re in luck: Microsoft is making sure your OS is safe, but at what cost? Maybe a slower system than ever… No, AMD then? Well, OK, you may be safe from Meltdown, but you’re still vulnerable to Spectre, and guess what? Microsoft isn’t able to help you get patched either, at least apparently if you happen to be running an old AMD chipset.

Not sure how well Intel will do following this, but the odd share sales by the CEO definitely don’t look like a good sign…

Alright, now back to Spectre.

Well, to start off, to say it simply… never assume, it makes an ass out of you and me. Now you’ve probably heard this saying before, and you might be wondering why I’m even saying it. Well, this vulnerability revolves around the CPU’s speculative execution: assuming a result based on the repeated outcomes of previous runs of the same operation.

Crazy how these are totally physical vulnerabilities (at the CPU chip) which affect them all going back super far… how far back? Well, I had to dig a little deeper into the interwebs via Google (so they know what I’m all about, lol) and discovered that the Pentium Pro was the first. Now I’m simply going on the author’s word here, but finding sources from so long ago can be rather difficult even today, so I’ll simply take his word for it. The blog is actually a great read and covers the vulnerability very well. However, he goes on to say it’s all about Meltdown, when it might be about Spectre?

Either way… it’s a Spectre Meltdown.

If anyone’s running an HP Spectre laptop with an Intel chipset and it starts melting down, that’d be quite the coincidence. 😛

Happy hacking! Start writing some JavaScript-based code to exploit these assuming chips 😉

Adding a static host record to PiHole

Adding a record:

pihole -a hostrecord home.consto.com 192.168.1.10

Removing a record:

pihole -a hostrecord

*UPDATE* This only adds one record, and running the command a second time replaces the old record. For hosting multiple records on a Pi-hole, here are the main deets as provided by llauren:

With a little configuration, you can use your pi-hole as the DNS server for your LAN, if, for example, your router isn’t doing a very good job serving local names. Here’s how:

Create a second dnsmasq configuration file:

% echo "addn-hosts=/etc/pihole/lan.list" | sudo tee /etc/dnsmasq.d/02-lan.conf

(that % is for whatever your system prompt is; don’t type it out :wink: )

After this, create a “hosts file” for your network /etc/pihole/lan.list with the format ipaddress fqdn hostname, eg

192.168.1.40     marvin.your.lan  marvin
192.168.1.41     eddie.your.lan   eddie
192.168.1.42     hactar.your.lan  hactar

…substituting “your.lan” for whatever you want your domain name to be.

On your DHCP server (most likely your router, though pi-hole indeed can be configured into one), you’ll also need to set your search domain to whatever “your.lan” corresponds to.

Finally, restart your name server:

% sudo pihole restartdns

Additional thoughts

  • If all this domain name stuff confuses you, you can leave it out and live a domain-less life on your LAN.
  • While you certainly can serve any name, also of hosts outside of your LAN, you probably can’t outsmart Netflix to play shows from outside your geographical area :slight_smile: . Drop that thought. It’s probably against their TOS and you might end up losing your Netflix account.
  • The dnsmasq manual page 765 suggests the configuration option hostsdir, but this didn’t work on my raspi. Possibly I was just incompetent.”

Clearing the DNS cache

This one will be nice and short. I was working on a DNS zone migration from one domain to another. Since the zone wasn’t the parent zone of the AD domain it was in, I had two options.
One: make the new domain authoritative for the zone; once a trust is established they would take over the zone.
Or, in this case, since there were only a few records and the new AD domain had already been created with the same domain name as the zone I was migrating, I figured I’d simply recreate the records manually.
Basically, set up conditional forwarders to the new domain’s DCs, which will be authoritative for the new zone. Generally allow UDP (and TCP as well if you want to be extra safe) on port 53 through the firewall, and records should resolve just fine.
In this case you’ll clearly notice that resolving a record in the transferred zone from the original domain now returns a non-authoritative answer.
This is to be expected, as the DCs of the domain you are associated with (and generally pointed to as DNS servers via DHCP, of course) no longer control the zone (adding/removing/editing records).
Again, as expected, these are now managed by the new domain the zone was transferred to.

So, lo and behold, I messed up one of the records’ IP addresses. Sure, it’s super fast to adjust and force replication, but replication is domain/forest wide, and even though I did it on both domains, I found my old DCs would still return the non-authoritative answer with the old IP.
I triple-checked that all systems in the new domain got the proper reply from its DC/DNS servers. So what gives? Why were the old DCs’ DNS servers replying with the old IP address, when the conditional forwarders were set up to query the proper DNS servers and those were 100% holding the correct IP address?
The answer? Cache. Yup, the lovely blessing and nightmare that is cache. So what does any regular workstation admin try… yeah, you guessed it: “ipconfig /flushdns” (c’mon, we’re talking AD here, which is Microsoft specific AFAIK). Do a query from your old domain DCs and yet the record is still the old IP address?!?!
What gives? Well… in this case ipconfig /flushdns only clears the client resolver cache. You may be wondering, isn’t the old DC a client in this case? Yes and no. It’s still a DNS server, and it still needs to answer the queries it receives; the command above would only help with the DC’s own lookups as a client, not with the cached answers it serves to others.
To stop beating around the bush: as a DNS server it needs to clear its own cache, the records it retains to serve to requesting clients. This is a different command; in this case it’s dnscmd /clearcache.
That’s it. Do another lookup and your old DC DNS servers will show a non-authoritative answer with the new IP address. Of course you could have also simply waited for the cache to expire and replication to occur naturally… but ain’t nobody got time for that!

 1) To clear the DNS cache on a client system (Windows): ipconfig /flushdns
 2) To clear a (non-authoritative) DNS server’s cache: dnscmd /clearcache
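The same diagnosis and fix as a PowerShell routine: ask the old-domain DC and the authoritative new-domain DNS server for the record, flag a mismatch as a stale cache, and clear the server-side cache on the old DC (the PowerShell equivalent of `dnscmd <server> /clearcache`) before re-checking. This is an added example, not from the post; it assumes the DnsClient and DnsServer modules (RSAT) and uses placeholder host names.

```powershell
# Added example (not from the original post): detect and clear a stale cached answer.
function Test-StaleDnsAnswer {
    param(
        [Parameter(Mandatory)][string] $Name,    # record to check, e.g. app1.newdomain.local (placeholder)
        [Parameter(Mandatory)][string] $OldDc,   # DC/DNS server in the original domain (uses the conditional forwarder)
        [Parameter(Mandatory)][string] $NewDns   # DNS server authoritative for the transferred zone
    )
    # -DnsOnly skips LLMNR/NetBIOS and -NoHostsFile skips the local hosts file, so
    # each answer really comes from the server named in -Server.
    $old = Resolve-DnsName -Name $Name -Type A -Server $OldDc  -DnsOnly -NoHostsFile -ErrorAction Stop
    $new = Resolve-DnsName -Name $Name -Type A -Server $NewDns -DnsOnly -NoHostsFile -ErrorAction Stop

    # Join so multi-address answers compare as one string rather than element-wise.
    $oldIp = (($old | Where-Object QueryType -eq 'A').IPAddress | Sort-Object) -join ','
    $newIp = (($new | Where-Object QueryType -eq 'A').IPAddress | Sort-Object) -join ','

    [pscustomobject]@{
        Name                = $Name
        OldDcAnswer         = $oldIp
        AuthoritativeAnswer = $newIp
        Stale               = ($oldIp -ne $newIp)
    }
}

function Repair-StaleDnsAnswer {
    param(
        [Parameter(Mandatory)][string] $Name,
        [Parameter(Mandatory)][string] $OldDc,
        [Parameter(Mandatory)][string] $NewDns
    )
    $before = Test-StaleDnsAnswer -Name $Name -OldDc $OldDc -NewDns $NewDns
    if (-not $before.Stale) {
        Write-Host "$Name already agrees on $($before.AuthoritativeAnswer); nothing to do."
        return $before
    }

    Write-Host "$OldDc answers $($before.OldDcAnswer), authoritative is $($before.AuthoritativeAnswer); clearing server cache."
    # Server-side cache on the old DC: same effect as `dnscmd $OldDc /clearcache`.
    Clear-DnsServerCache -ComputerName $OldDc -Force
    # Client-side resolver cache on the machine running this: same as `ipconfig /flushdns`.
    Clear-DnsClientCache

    # Re-query; Stale should now be $false.
    return (Test-StaleDnsAnswer -Name $Name -OldDc $OldDc -NewDns $NewDns)
}

# Usage (placeholders):
# Repair-StaleDnsAnswer -Name 'app1.newdomain.local' -OldDc 'dc1.olddomain.local' -NewDns 'dc1.newdomain.local'
```

Clearing a DNS server’s cache drops every cached answer, not just the one you care about, so the first few lookups from clients behind that DC will be slower while it refills; run it outside peak hours on a busy DC.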

Exit, Break, and Return

The Break, the Return and the Exit are all well-known break dance moves that even the newest of newcomers knows about.
Hahaha, nah, I’m just making that shit up. They are, however, great tools for PowerShell scripting.
However, do you know what the difference between all of them is, and when best to use each?

For a longer answer and some explanations, visit this site. 😀
If not, whatever; here’s the quick low-down so you can save going to that day of class. 😛

1) Break terminates execution of a loop or switch statement and hands over control to next statement after it.
2) Return terminates execution of the current function and passes control to the statement immediately after the function call.
3) Exit terminates the current execution session altogether. It also closes the console window and may or may not close ISE depending on what direction the wind is facing.
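One small function for each of the three keywords, arranged so you can run the whole file without it killing your console: `exit` is demonstrated in a child powershell.exe process and its code is read back through `$LASTEXITCODE`. This is an added example, not from the post or the linked site; the file path and service name are placeholders.

```powershell
# Added example (not from the original post): break vs return vs exit.

function Find-FirstLargeFile {
    # break: leaves the foreach as soon as the first match is found.
    # Code after the loop still runs, which is the difference from return.
    param([string] $Path = $PWD, [long] $MinBytes = 1MB)
    $found = $null
    foreach ($file in Get-ChildItem -Path $Path -File -Recurse -ErrorAction SilentlyContinue) {
        if ($file.Length -ge $MinBytes) {
            $found = $file
            break            # stop scanning; no point reading the rest of the tree
        }
    }
    Write-Host "Scan finished; first large file: $($found.FullName)"   # runs either way
    return $found
}

function Get-ServiceState {
    # return: leaves the function immediately and hands the value to the caller.
    # For a missing service the later Status checks never execute.
    param([Parameter(Mandatory)][string] $Name)
    $svc = Get-Service -Name $Name -ErrorAction SilentlyContinue
    if (-not $svc)                   { return 'missing' }
    if ($svc.Status -ne 'Running')   { return 'stopped' }
    return 'running'
}

function Invoke-ChildExit {
    # exit: ends the entire session it runs in, so it is run in a child powershell.exe.
    # Only the child dies; the parent reads the code from $LASTEXITCODE.
    param([int] $Code = 3)
    & powershell.exe -NoProfile -Command "Write-Host 'child: about to exit'; exit $Code; Write-Host 'child: never printed'"
    return $LASTEXITCODE    # 3 with the default; an `exit` in a .ps1 behaves the same for Task Scheduler or CI runners
}

# Usage:
# Find-FirstLargeFile -Path 'C:\Windows\Logs' -MinBytes 10MB
# Get-ServiceState -Name 'Dnscache'
# Invoke-ChildExit -Code 3      # prints the child's first line, returns 3
```

Two things the one-liners above don’t say: `return` does not suppress output the function already wrote to the pipeline before it ran, and `exit` inside a script invoked with `& .\script.ps1` from an interactive console ends only that script, not the console, while `exit` typed at the prompt closes the window, which is the ISE/console difference the post jokes about.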