MikroTik wAP – Setup Guide – Multiple APs with Roaming

MikroTik wAP Quick Setup Guide

Hello there, this post will provide instructions configuring a MikroTik wireless access points from start to finish with a quick script. The goal is a wireless network where you can walk around the building and have client devices jump from WAP to WAP via access rules (Min-RSSI).

These principles will work on any Mikrotik device with wireless capability since they all run the same Routerboard software.

wAP

Setting

My company deployed 12 Ubiquiti UAP Pros to a client, we experienced intermittent connectivity with Apple devices (MacBook Air, MBP, and iPhones), Ubiquiti forums were not helpful, firmware upgrades/downgrades didn’t make a difference, and devs shifted the blame to Apple. We decided to try a different vendor, MikroTik, and purchased four RBwAP2nD units (Looks like a rounded, white rectangle).

The Mikrotiks did the job beautifully after proper setup! Not only did they not have issues with Apple devices, but the quality of signal was FAR higher than with Ubiquiti. More capacity, better signal, 1/4 the cost, with granted much harder management than the beautiful UniFi Controller, but in this setting it is acceptable — one location, set it and forget it.

Rather than set up a Wireless Mesh (WDS) or use the CAPsMAN controller, I’m keeping it simple. Set each AP in each corner of the building, use Min-RSSI to kick off clients when their signal is too weak, then they join the strongest signal near them. It’s short-and-sweet roaming, not seamless, but good enough.

The wAP can be powered by PoE or power-plug, between 12v-57v. We are using our already purchased Ubiquiti Toughswitch-8-Pro to power the units, but you could use any standard 24v or 48v PoE switch.

 Initial LoginMikrotik1

By default the WAP runs a DHCP Server, so I made sure to not plug it directly into our existing
network. You can connect directly to the WAP through wireless with a laptop. Once connected, you’ll pull a DHCP IP, usually 192.168.88.254. You can connect to the Mikrotik wAP with Winbox, their management software — very powerful!

 

Click the three dots next to “Connect” and WinBox will search for any Mikrotik devices. You can connect by IP, or direct MAC address (no matching IP/subnet needed!). Default username/password is admin/<blank>.

Mikrotik2

Initial Setup

All of these commands are menu presses. So “/system identity” means click the System button on the left, then the identity drop-down, further commands are tabs or fields. These commands can be entered DIRECTLY into the WAP applying immediately by using “New Terminal” on the left. The terminal lets you rapidly set up units after you’ve got your base commands in a text file. With these codes I’m able to crank out a matching WAP in about 4 minutes.

Name the AP

/system identity set name="NAME"

Wireless / Wired Bridge

Allow the wireless and wired connections to talk to each other. A bridge functions like a switch, it lets different interfaces talk to each other (whether that is a physical port, antenna, or VLAN, it connects them together).

/interface bridge add name="bridge1" 
/interface bridge port add interface=ether1-gateway bridge=bridge1
/interface bridge port add interface=wlan1 bridge=bridge1

LAN Dynamic IP

Force the wired connection to pull a dynamic IP address by turning on the DHCP-Client service.

/ip dhcp-client add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway

Overwrite the existing (192.168.88.1/24) IP Address applied to the wired NIC. This will be an additional  static IP to the wired NIC, the first being by DHCP Client.

Edit the IP
/ip address set address=10.10.10.53/24 interface=ether1-gateway numbers=0

Disable DHCP Server

This is just an access point, no DHCP Server needed.

/ip dhcp-server disable 0

 

Minimum-RSSI (Kickoff when the signal is too weak)

Called Min-RSSI by Ubiquiti, Mikrotik uses an access rule to allow or deny connections. It is almost like a firewall yes/no rule, if your signal is between this range (-84dB through 120dB, written as -84..120), you are allowed to authenticate and to talk to other devices (forward). If your signal is below this range (-120 through -85dB, written as -120..-85), you will be kicked. In reality, it takes about 1-2 seconds of a device having a signal lower than -84dB before the kick happens.

The way signal measurements work, a negative number is a receive number. A positive number is a transmitted or sent number.

Here are some quick dB examples. I have found the Mikrotiks to continue running well at even -85dB because the hardware has such an extremely low/quiet noise floor: -105dB, which is insanely quiet, means you get MUCH better range for the power. 1000mW is a great marketing feature, but it doesn’t mean squat without a good noise floor to compare to. For comparison, Ubiquiti gear (which is usually quite good for the money) signal becomes unusable around -72dB.

General Client Receiving Signal Examples

  • -55dB, this is a great signal quality for a client like a laptop or cell-phone
  • -75dB, we are nearing the limits of usable signal, expect some packet loss or stutters in video/VOIP.
  • -30dB, power is extremely high, you are probably standing within 3 feet of the antenna, or your transmit power is way too high.
## Each of these commands will restart the networking interfaces, so you'll probably be disconnected.

#Configure Min-RSSI Connect
/interface wireless access-list add signal-range=-84..120
#Configure Min-RSSI Kickoff
/interface wireless access-list add authentication=no forwarding=no signal-range=-120..-85

Edit the Wireless Password:WPA or WPA2

####Edit the Password in two places, once for WPA and WPA2####
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" mode=dynamic-keys supplicant-identity=MikroTik wpa-pre-shared-key=MyPassword wpa2-pre-shared-key=MyPassword

Edit the SSID, and set your transmit power in dB

Antenna/Station Transmitting Examples

  • +12dB, low power, usable 40 foot radius with 1 piece of drywall between station and client.
  • +16dB, medium power, usable 60 fo0t radius with 2 drywalls between station and client..
  • +21dB, high power, range is unpredictable, could be 400 foot radius with line of sight, or 120 foot radius with interference.

High transmit power for MikroTiks is 19-21dB, be aware that though your transmitter may be loud, clients may not be loud enough to reply back. You would see this as a client having full bars of signal, but extreme packet loss or “unable to connect”. For comparison, a Ubiquiti running on High power (Auto) is +30dB.

Don’t just turn up the dB to get farther range, it’s possible to burn out amplifiers/antennas if you don’t know what you’re doing, and may make your signal-to-noise ratio worse.

/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=auto l2mtu=1600 mode=ap-bridge name=wlan1-local rx-chains=0,1 ssid=WirelessName tx-chains=0,1 tx-power=16 tx-power-mode=all-rates-fixed wireless-protocol=802.11

Update Packages

I updated each WAP at the end, since it was easier to configure them to a usable state and avoid conflict with DHCP-Servers, so data can be pulled via the ethernet cable once they are hooked into the primary switches.

Winbox > System > Packages > Check for Updates > Download and Install

 

Hopefully this quick start guide was helpful in getting you going on MikroTik WAPs. I’m really amazed by what these units can do for so little money. Harder to configure than most WAPs for sure, but they are extremely reliable — I never have to reboot them, they just take a beating with capacity and handle it like a champ, and don’t even get me started on the reliability of home routers like Netgear, ASUS, or Linksys. Have fun! 😉

Ubuntu 16.04.1 LTS UniFi Beta Controller with Wildcard SSL

This article covers how to install UniFi Beta from a .deb file for Ubuntu Server (so command line only), and how to install a WildCard SSL into UniFi. This article does not cover installing Ubuntu and applying updates.

If you already have a controller, confirm you have a backup of your controller to restore your sites and data!

Controller > Maintenance > Backup > Download

 

 

Obtain Putty, a SSH tool to remote into your server with copy/paste functionality

http://www.chiark.greenend.org.uk/~sgtatham/putty/download.html

Installing UniFi Base Packages

Run the following code to install UniFi. Note that unifi-rapid and unifi-beta are no longer used, Ubiquiti changed to the single release and if you want a specific version you can install it yourself with the .deb file (below)

#Make your session administrative
sudo -i

#Open a text editor to allow UniFi to be downloaded from the repository
nano /etc/apt/sources.list

#Go to the bottom of the list with the arrow keys, and paste in (through putty, it's Right-Click)
deb http://www.ubnt.com/downloads/unifi/debian unifi5 ubiquiti
deb http://www.ubnt.com/downloads/unifi/distros/deb/debian debian ubiquiti
#Save (Ctrl + X, Y for Yes)

#Add the Ubiquiti GPG Signed Keys to allow you to install their software
apt-key adv --keyserver keyserver.ubuntu.com --recv C0A52C50
apt-key adv --keyserver keyserver.ubuntu.com --recv 7F0CEB10

#Refresh the repositories (download sources)
apt-get update

#Install from the repositories
apt-get install unifi

 

Upgrading to UniFi Beta with .DEB Image

Sign up for the UniFi Beta community forums. Check the blog to get the newest update packages.

http://community.ubnt.com/t5/UniFi-Beta-Blog/bg-p/Blog_UniFi_Beta

Find the release you want, most likely the newest, and copy the URL of the .deb file.

 

Putty into your server, and run the following code to install UniFi, then upgrade to the Beta.

#Make your session administrative
sudo -i
#Download your .deb file to the /tmp directory
cd /tmp
wget https://www.ubnt.com/downloads/unifi/5.2.5-6914faba/unifi_sysvinit_all.deb

#Wait for download to complete, then unpackage and install
dpkg -i unifi_sysvinit_all.deb

#Clean up the mess, delete the old .deb file
rm unifi_sysvinit_all.deb

 

Applying the SSL Certificate

The scope of this guide does not cover how to create a CSR and obtain your wildcard certificate. Once you have exported your certificate keychain (with private key) as a PKCS #12, these instruction will APPLY the key to your UniFi controller.

By default, UniFi installs inself to /var/lib/unifi

In here is the file “keystore”, that contains the self-signed “UniFi” SSL certificate.

  1. Download Keystore Explorer
  2. Create a new keystore – JKS (OpenSSL)
  3. Tools > Import Key Pair – PKCS #12 > Browse to PFX Wildcard Cert
  4. Decrypt with private key password
  5. Encrypt NEW keystore with the password “aircontrolenterprise”
  6. File > Save As > “keystore”
  7. FTP file to your UniFi box, I recommend Filezilla to connect via sftp://192.168.1.X on port 22.
  8. Transfer the file to your home directory /home/username, since /var/lib/unifi is protected
  9. Connect via Putty > sudo -i > [password] > cd /var/lib/unifi
  10. Stop the service: service unifi stop
  11. Create a backup file: mv keystore keystore.orig
  12. Move your newly encrypted keystore: cd /home/username > cp keystore /var/lib/unifi/keystore
  13. Reboot the Linux OS, when the UniFi controller starts up it will auto import the file keystore and apply it to web services, giving you that nice shiny HTTP green lock 🙂

 

Dell Open Manage Event ID Monitoring

Monitoring Event IDs with Dell Open Manage

All right, it’s time to set up some kickass event ID monitoring. You’ve installed Dell Open Manage / Server Administrator on all of your physical hosts, and want to make sure you are aware if anything breaks or is about to explode! You’ve been searching for hours trying to find the Event IDs that actually matter — you’re in the right place!

The alerting system you use is up to you, Kaseya, Labtech, Nagios, Pandora FMS, Zabbix, whatever — what matters is getting the correct Event IDs and a matching description filter. Just alerting by Event ID may give you a flood of alerts, there are only so many low ID numbers to go around. The description filter matches only events from OpenManage.

These logs are generated across BOTH Application and System Event Logs, so be sure you are capturing both categories of Event IDs.

I’ve done the hard work of looking through all 500+ of Dell’s individually paged Event ID descriptions — visible here.

Below is a massive list of the ones that matter (or at least, the ones I think matter — any warnings, errors, or critical alerts related to hardware health — anything storage (RAID disks, rebuilds, hot spares, SMART, controller battery, etc), memory (bit errors, ECC failures, failed sticks, etc), CPU (failed processors, temperature, etc), power supplies (redundancy, device failure, cord unplugged, etc). You may want more logs to look at, but I tried to pick anything that could lead to degraded performance or failure.

Open Manage 2

Take my list to get you started. All event descriptions should have wildcards (*), so the description does not require an exact match, otherwise one letter off and you don’t get an alert. Enjoy the code — let me know if it helped you out! 🙂

Dell Open Manage Event ID Cheat Sheet

Event ID	Description Filter
1004		*Thermal shutdown*	
1053		*Temperature sensor*	
1054		*Temperature sensor*	
1104		*Fan sensor*	
1153		*Voltage sensor*	
1154		*Voltage sensor*	
1203		*Current sensor*	
1204		*Current sensor*	
1305		*Redundancy*	
1306		*Redundancy*	
1353		*Power supply*	
1354		*Power supply*	
1403		*Memory*	
1404		*Memory*	
1405		*Memory*	
1501		*AC power*	
1503		*AC power*	
1504		*AC power*	
1505		*AC power*	
1552		*Log size*	
1554		*Log size*	
1555		*Log size*	
1604		*Processor*	
1703		*Battery*	
1704		*Battery*	
1705		*Battery*	
2048		*Device failed*	
2049		*disk removed*	
2051		*disk degraded*	
2056		*Virtual disk failed*	
2057		*degraded*	
2076		*Consistency failed*	
2081		*reconfiguration failed*	
2082		*rebuild failed*	
2083		*rebuild failed*	
2094		*Predictive*	
2100		*Temperature*	
2102		*Temperature exceeded*	
2106		*SMART*	
2107		*SMART*	
2108		*SMART*	
2109		*SMART*	
2110		*SMART*	
2112		*Enclosure was shut down*	
2122		*Redundancy degraded*	
2123		*Redundancy lost*	
2126		*sector reassign*	
2129		*BGI failed*	
2145		*Controller battery*	
2146		*Bad block*	
2146		*DR0*	
2147		*DR0*	
2147		*Bad block*	
2148		*Bad block*	
2149		*Bad block*	
2150		*Bad block*	
2169		*controller battery*	
2187		*ECC error*	
2201		*hot spare failed*	
2203		*hot spare failed*	
2272		*uncorrectable media*	
2273		*punctured*	
2289		*ECC error*	
2290		*ECC error*	
2310		*permanently degraded*	
2312		*power supply*	
2313		*power supply*	
2318		*battery*	
2319		*ECC error*	
2320		*ECC error*	
2321		*ECC error*	
2324		*AC power supply cable*	
2340		*uncorrectable errors*	
2342		*inconsistent parity*	
2346		*Error on PD*	
2347		*rebuild failed*	
2348		*rebuild failed*	
2349		*bad disk block*	
2350		*unrecoverable disk media*	
2367		*Rebuild is not possible*	
2367		*Rebuild is not possible*	
2384		*hot spare*	
2385		*hot spare*	
2387		*bad block medium*	
2396		*uncorrectable multiple medium*	
2397		*uncorrectable errors*	
2402		*Disk Power status*	
2405		*Command timeout*	
2416		*medium error*	
2417		*medium error*	
2434		*wear-out limit*	
2436		*read-only mode*	
2441		*critical temperature*	
2442		*degraded*	
2443		*Data loss*	
2900		*cache device*	
2901		*inaccessible*	
2911		*cached LUN*	
2930		*caching*	
1		*device*	
20		*Device*IO failed*	
4098		*returning error*	
11		*DR0*	
52		*predicted that it will fail*

 

 

 

Easy TCP Port Listener for Network Monitoring

Easy TCP Port Listener for Network Uptime Monitoring

Products like Nagios, Zabbix, or PHP Server Monitor can monitor the uptime of services by performing a TCP port query. In short, “is port TCP 25” open? — its on/offline!

Well what if the server I want to monitor doesn’t have any services to even open up to the public internet for monitoring. Using TCP 135 (Microsoft RPC), TCP 445 (NetBIOS), TCP 3389 (Remote Desktop) built into every Server OS to monitor uptime can be very dangerous. Well I want a program that can listen on a port without massively exposing my servers.

There are two ways to go about this from the scope of this article:

  1. Install an application that hosts a service listener, like a HTTP (TCP 80) server or FTP (TCP 21) server. But you probably don’t want a HTTP or FTP server on say, a Domain Controller or backup machine.
  2. Run a small portable executable that listens on a single port as a scheduled task.

Enter: Port Listener

Made by RJL Software (http://www.rjlsoftware.com/software/utility/portlistener/), it’s a single EXE that can be programmed to listen to any port. It is a simple program, just responding with a TCP-ACK and that’s it!

The Port Listener Code

::It doesn't get simpler than this.
::Change the number "9999" to whatever TCP port you want to listen on.

listener.exe 9999

Port Listener CLI

##Client Query
##Check if the port is being listened on. If there is no output, the port is not being listened on. If you get a response of code, it's open and LISTENING.

netstat -ano | find "9999"

Port TCP LISTENINGPort TCP NOT LISTENING

Task Scheduler

Start > Run > taskschd.msc

Task Scheduler Library > Right-Click > Create Basic Task >

Name:#### Uptime TCP Listener

Right-Click > Properties > Run whether user is logged on or not > enter password.

Also edit Conditions (turn off “only run when idle”) and Settings (Stop if runs longer than 3 days) so it always runs , if task fails, restart every 10 minutes, etc.

Command Line Version:

::Create a Windows Firewall Rule
netsh advfirewall firewall add rule name="9999 Uptime TCP Listener" dir=in action=allow protocol=TCP localport=9999

::Create a Scheduled Task that runs on computer boot (ONSTART)
::Note the use of double quotes (") for the full command, and single quotes (') to isolate the executable so arguments/parameters can be passed through.
schtasks /create /TN "9999 Uptime TCP Listener" /SC ONSTART /RU "NT AUTHORITY\NETWORKSERVICE" /TR "'C:\Scripts\listener.exe' 9999"

::Run scheduled task
schtasks /Run /TN "9999 Uptime TCP Listener"

Port Listener Image

Reboot, see if it’s listening, you should have a port listening indefinitely. Add a firewall rule, add a monitor to Nagios/Your System, you’re done – woohoo!

Run on any Windows Server you want monitored, easy peasy! Have fun!

PHP Server Monitor – Add Ping Functionality

Adding Ping (ICMP) to PHP Server MonitorPHP Monitor ICMP

I love PHP Server Monitor, it is an amazing tool for my business to have a simple, reliable, practical way to ensure which services or devices are online. The only complaint I have with it is that it does not support ping monitors, only services (query Port 3389 for example).

Major thanks to Michele Mariotti and insuman on the PHP Server Monitor forums (Post Link) for writing up some code that allows ICMP functionality, as long as the service is Port 1.

Log in to your server via Putty, make a backup of the StatusUpdater function definitions, and replace the old code that will allow you to use ICMP.

 

# For me, PHP Server Monitor it installed under /var/www/html, your path may be different.
cd /var/www/html/src/psm/Util/Server/Updater

cp StatusUpdater.class.php StatusUpdater.class.php.bak

sudo nano StatusUpdater.class.php

 

#Find the function
Ctrl + W (search)

function updateService

<Enter>

 Old Code in StatusUpdater.class.php

protected function updateService($max_runs, $run = 1) {
    $errno = 0;
    // save response time
    $starttime = microtime(true);

    $fp = fsockopen ($this->server['ip'], $this->server['port'], $errno, $this->error, 10);

    $status = ($fp === false) ? false : true;
    $this->rtime = (microtime(true) - $starttime);

    if(is_resource($fp)) {
      fclose($fp);
    }

    // check if server is available and rerun if asked.
    if(!$status && $run < $max_runs) {
      return $this->updateService($max_runs, $run + 1);
    }

    return $status;
  }

 

Change to New Code in StatusUpdater.class.php

This is hardcoding TCP Port 1 in PHP Monitor, to use ICMP/Ping. The default timeout is 5 seconds, adjust the number 5  in the timeout variable ($timeout) to whatever time in seconds you want.

You can use Ctrl+K in nano to delete an entire line at once, rather than holding the Backspace or Delete keys.

###NEW CODE###
protected function updateService($max_runs, $run = 1) {

        if (($this->server['port']) == 1) {
            /* timeout min: 5 sec */
            $timeout = ($this->server['timeout'] < 5 ? 5 : $this->server['timeout']);
            /* save response time */
            $starttime = microtime(true);
            /* ICMP ping packet with a pre-calculated checksum */
            $package = "\x08\x00\x7d\x4b\x00\x00\x00\x00PingHost";

            $socket = socket_create(AF_INET, SOCK_RAW, 1);
            socket_set_option($socket, SOL_SOCKET, SO_RCVTIMEO, array('sec' => $timeout, 'usec' => 0));
            socket_connect($socket, $this->server['ip'], null);
            $ts = microtime(true);
            socket_send($socket, $package, strLen($package), 0);

            if (socket_read($socket, 255)) {
                $status = true;
            } else {
                /* store error reason */
                $this->error = socket_last_error() .' '. socket_strerror(socket_last_error());
                $status = false; 
            }
            $this->rtime = (microtime(true) - $starttime);
            socket_close($socket);
        } else
        //rest of code
        { 
            $errno = 0;
            // save response time
            $starttime = microtime(true);

            $fp = fsockopen ($this->server['ip'], $this->server['port'], $errno, $this->error, 10);

            $status = ($fp === false) ? false : true;
            $this->rtime = (microtime(true) - $starttime);

            if(is_resource($fp)) {
                fclose($fp);
            }
        }

Ping Monitor Example

PHP Monitor ICMP Server Example

OwnCloud Server 9.0 – Ubuntu 12.04 Installation

OwnCloud Server 9.0 on Ubuntu 12.04 with PHP 5.6

A quick setup guide to setting up a private OwnCloud Server on Ubuntu Server.

From building a fresh machine, to setting static IP, installing dependencies, and taking everything online.

 

Ubuntu 12.04 and PHP 5.6

Current Ubuntu is 14.04, but our AppAssure software threw a fit trying to back up a 14.04 that is apt-get updated to the newest. The lovely error: “Buffer I/O error on device sdb0, logical block #”

Some patch must have broken whatever the backup is using. So I had to install on Ubuntu 12.04, except it by default only installs PHP 5.3…. OwnCloud needs 5.4+

 

OS Setup

Install the OS, check the OpenSSH feature, use Putty to connect over SSH so you can copy/paste.

#Configure a Static IP

#Use nano to edit > Ctrl+X to close
nano /etc/network/interfaces


#Change iface eth0 inet dhcp to:
iface eth0 inet static
address 192.168.1.10
netmask 255.255.255.0
gateway 192.168.1.254
dns-nameservers 192.168.1.4 8.8.8.8

 

Upgrade 12.04 with the newest patches, security fixes, etc. Then add a repository that normally is not in 12.04, to allow the install of php5.6

#Update the OS
apt-get update
apt-get upgrade

#Allow PHP 5.6 to be installed on an older OS
apt-get install python-software-properties
add-apt-repository ppa:ondrej/php5-5.6
apt-get update
apt-get install apache2
apt-get install php5 php5-mysql
apt-get install php5-gd php5-json php5-curl php5-intl php5-mcrypt php5-imagick
apt-get install mysql-server

#Lock down your SQL, remove the anonymous and remote access.
mysql_secure_installation

#Go configure MySQL for OwnCloud
mysql -u root -p
#Enter the DB password prompted when installing.
#Make a table and make priveleges.
CREATE USER 'user'@'localhost' IDENTIFIED BY 'password';
CREATE DATABASE ownclouddb;
GRANT ALL ON ownclouddb.* TO 'user'@'localhost';
FLUSH PRIVILEGES;
exit

Install OwnCloud

#Download the installer, unzip/untar it
cd /var

wget https://download.owncloud.org/community/owncloud-9.0.0.tar.bz2

tar -xvf owncloud-9.0.0.tar.bz2 -C /var/www/html/

 Configure Apache2

#Point Apache to your website directory
cd /etc/apache2/sites-available
#Make a backup
cp 000-default.conf 000-default.conf.bak
nano 000-default.conf
#Change ServerName to your FQDN (files.website.com)
#Change DocumentRoot to your path (/var/www/html/owncloud)
service apache2 restart

#Edit OwnCloud to accept your website URL (FQDN)
cd /var/www/html/owncloud/config
nano config.php
#Change your array to look like:
  array (
    0 => 'files.website.com',
    1 => '192.168.1.10',
  ),
#Change the CLI URL
'overwrite.cli.url' => 'http://files.website.com',

 Configure Data Directory

mkdir /owncloud
mkdir /owncloud/data
chown -R www-data:www-data /owncloud/data/

Go login to your website, http://192.168.1.10, pop the the applicable information, and change the data path to something outside of the www subdirectory (I use /owncloud/data/)

You *may* have a permission error preventing you from changing the maximum file upload size, File Handling > “Missing permissions to edit from here.”
Just edit the hidden .htaccess file permissions

chmod 776 /var/www/html/owncloud/.htaccess
chmod 776 /owncloud/data.htaccess
#Edit Apache2.conf
nano /etc/apache2/apache2.conf
#Change "AllowOverride None" to "AllowOverRide All"
#Import for the /var/www directory.

I recommend updating your OwnCloud installation, located in the Username > Admin > Updater section. There are some bugs such as Internet Explorer 11/Edge getting the error “Could not create folder “<FOLDERNAME>”” that can be fixed with an update.

Good luck, enjoy OwnCloud, beats the heck out of Dropbox 🙂

HyperV Migration – 0x80090303 – Failed to Authenticate

HyperV Live Migration SPNs – 442 Failed to Authenticate (0x80090303)

Good golly, I just want to move, export, or replicate a VM from one HyperV Server to another. Why is it so frustrating? Commonly received is the rror 0x80090303, meaning that a HyperV host is not allowed to make a live migration connection to another HyperV host — It must become delegated.

 

The reasons for why this has to be so much work (at least, per worthless Microsoft Technet articles), are beyond the scope of this article. The fix can be quick and easy. From my personal experience, I’ve only gotten CredSSP to work once after a lot of pain and agony. Kerberos through constrained delegation can work, but only if the SPNs are set correctly. Make sure both servers are joined to the same domain, and the VM to be migrated has it’s Processor expanded Compatibility Settings configured for “Migrate to a physical computer with a different process version” checked.

 

Delegation can be done through Active Directory Users and Computers, but then you have to get the servers to pull their new SPN settings through either a reboot or “gpupdate /force”, which even then only occasionally works.

 

The quick and easy fix

Take the code below, find & replace the SERVERA, SERVERB, and domain.local fields, and punch it into each server. ServerA commands entered into an administrative command prompt on Server A, and ServerB commands for Server B. By reloading the vmms service you force pull the new settings.

If you cannot find the Active Directory Attribute Editor button for “Trust this computer”, don’t worry about it, the SPNs are really what matter.

Punch in the commands, close and re-open HyperV manager on both, and give your move/export/replication another whirl.

=-=-=-=-=-=-= Hyper-V Live Migrations =-=-=-=-=-=-=
Active Directory > Right-Click Machine > Properties > Delegation > Trust this computer for delegation to any service (Kerberos Only)

For SERVERA
setspn -S "Hyper-V Replica Service/SERVERA" SERVERA
setspn -S "Hyper-V Replica Service/SERVERA.domain.local" SERVERA
setspn -S "Microsoft Virtual Console Service/SERVERA" SERVERA
setspn -S "Microsoft Virtual Console Service/SERVERA.domain.local" SERVERA
setspn -S "Microsoft Virtual System Migration Service/SERVERA" SERVERA
setspn -S "Microsoft Virtual System Migration Service/SERVERA.domain.local" SERVERA
net stop vmms && net start vmms
----
For SERVER B
setspn -S "Hyper-V Replica Service/SERVERB" SERVERB
setspn -S "Hyper-V Replica Service/SERVERB.domain.local" SERVERB
Setspn -S "Microsoft Virtual Console Service/SERVERB" SERVERB
setspn -S "Microsoft Virtual Console Service/SERVERB.domain.local" SERVERB
setspn -S "Microsoft Virtual System Migration Service/SERVERB" SERVERB
setspn -S "Microsoft Virtual System Migration Service/SERVERB.domain.local" SERVERB

net stop vmms && net start vmms

 

 

SystemRescueCD Dual Boot with Windows

SystemRescueCD Dual Boot

SystemRescueCD is an incredibly usefulful tool for data recovery.

I run a Windows laptop and continually use Easy2Boot for my ISO booting USB stick. It works well with most ISOs, including SystemRescueCD. However my laptop only has two USB plugs.

USB Port Limits

USB 1 – Mounted external HDD

USB 2 – USB Boot Stick

USB … – Target USBHDD to copy data to. No third plug.

 

Old, Ineffective Solutions

Well drat! This means I need to boot SystemRescueCD off hard-disk, rather than a USB port. After much scrounging on the SystemRescueCD forums, I found some very old, outdated, complicated articles to get dual-boot working.

Old Link 1 – https://www.system-rescue-cd.org/Sysresccd-manual-en_Easy_install_SystemRescueCd_on_harddisk

Old Link 2 – https://www.system-rescue-cd.org/Sysresccd-manual-en_How_to_install_SystemRescueCd_on_harddisk

Old Link 3 – http://www.system-rescue-cd.org/forums/viewtopic.php?t=1700

They involve making a directory, extracting files from the ISO, and editing the BCD bootloader to ham out a rickity boot process. In short —  a nightmare!

 

IT Dual-Boot Bag of Tricks

I got pretty lucky in figuring out a MUCH easier solution.

Configure EasyBCD to boot the ISO, and extract “sysrcd.dat”, the actual chunk of the ISO that matters, to C:\.

 

Step 1 – Install EasyBCD, just snag the free version if it is for personal use.

Step 2 – Download the SystemRescueCD ISO. If the download is going to take a long time (1 hour), try another mirror (1-3 minutes).

Step 3 – Copy your ISO to root C:\

Step 4 – Add a boot entry in EasyBCD for portable media, and point it to the ISO, C:\systemrescuecd-x86.iso

**Note** If you were to boot at this point, you would successfully boot to the SystemRescueCD menus, but wouldn’t be able to fully load the Live OS. It would continually search \dev\sda, \dev\sdb, \dev\sdc, etc for the sysrcd.dat, which it is looking for in a mounted CD drive.

Step 5 – Extra the file “sysrcd.dat” from the root of the ISO into root C:\

 

Upon rebooting you should have another option and be good to go! Woohoo!

Sonicwall SSLVPN Setup Guide

Sonicwall SSLVPN Quick-Start Guide

Alright, exciting! You most likely have a user who travels, but needs to access documents or resources inside the office. This is a quick start guide to get SSLVPN setup on the Sonicwall and users connected in.

 

Enabling VPN

Login to your Sonicwall > SSL VPN module (left) > Server Settings > Confirm WAN light is green. If not, click WAN to flip it on. Confirm your SSLVPN port, by default it is TCP 4433.

Creating VPN Users

Sonicwall > Users module > Local Groups > Users

Add User > Name/Password field.

Needs to be a member of the groups:

  • Everyone
  • Trusted Users
  • SSLVPN Services

VPN Access

  • Pick your subnet. If it’s a simple network, you can do “Firewalled Subnet”. If you have isolated zones/subnets, actually pick the subnet(s) the user needs. Generally your X0 (LAN) will be called “LAN Primary Subnet”

Connecting to the VPN with NetExtender

Enter the DNS (or worst case, direct IP) of your Sonicwall, and browse to https://domain.name.com:4433

If you’re pulling a SSL Version Mismatch (Chrome), you need to upgrade your Sonicwall firmware, or use Internet Explorer, which has no concept of security 😉

 

Previously you had to use GlobalVPN, which is very oldschool and lacked a lot of features built into SSLVPN. Login, download the Windows NetExtender Client.

The quick and dirty installer is NXSetupU.exe. It’s not uncommon for these to be super outdated and have a million bugs, in which case to snag a new version, you need to login to https://mysonicwall.com

I highly, highly, recommend getting the newest version of the SSL NetExtender. Sonicwall actually does a decent job of bug fixes with this program.

The Sonicwall Download Center is kind of vague, I wish it would just say “NetExtender Windows”, but it’s the download just labeled “NetExtender”. Anyways, download and run the .MSI,

Sonicwall SSLVPN NetExtender Client

Sonicwall SSLVPN NetExtender Download

When logging in, note that capitalization does matter for a Sonicwall user. It’s effectively because Sonicwalls run a *nix OS, where everything is case-sensitive.

You’ll need to include the port in your Server path, no https://, an example: vpn.domain.com:4433

Domain is by default, LocalDomain.

Sonicwall SSLVPN NetExtender Client

 

Hopefully that is a decent quickstart, post a comment if you have questions!

Office 2016 – Remote Desktop Shared Licensing

Deploying Office 2016 with Shared or Open-Volume Licensing

Doing this the first time was an absolutely confusing mess back when Office 2013 came out. It’s still just as confusing, except now there is more documentation — like this blog aims to help you.

The process is actually identical for 2013 and 2016, you need to download/build your own installer that is different from a normal Office installer — one with Shared Licensing so it can run on a Remote Desktop Server / Terminal Server.

 

Building the Office 2016 Remote Desktop Server Installer

Office 365 ProPlus / Volume Licensing 2013 – http://go.microsoft.com/fwlink/p/?linkid=282642

Office 365 ProPlus / Volume Licensing 2016 – http://go.microsoft.com/fwlink/p/?linkid=626065

Run the officedeploymenttool_XXXX-XXXX.exe, extract it to a folder like C:\Installers\Office365\2016

Edit the configuration.xml file to match something like the following:

<Configuration>
     <Add SourcePath="C:\Installers\Office365" OfficeClientEdition="32" >
          <Product ID="O365ProPlusRetail">
               <Language ID="en-us" />
          </Product>
     </Add>
     <Updates Enabled="TRUE" />
     <Display Level="Full" AcceptEULA="TRUE" />
     <Logging Path="%temp%" />
     <Property Name="SharedComputerLicensing" Value="1" />
</Configuration>

The big one is that “SharedComputerLicensing” field, which makes licensing act under PER USER PROFILE / PER MICROSOFT ACCOUNT, rather than a single key for the whole server.

Open a command prompt in the directory containing the setup.exe and your configuration.xml file.

 

The command to build your installer really is this simple:

C:\Installers\Office365\2016>setup.exe /download configuration.xml

I recommend going over to the Resource Monitor, where you can track the download speed of your files. You’ll end up with a folder like C:\Installers\Office365\Office, which contains all the .CAB files. A directory above where you ran the installer. You could specify a path, local or UNC share, but in my experience it never works consistently.

 

Installation and Activation

But dagnabit, there is no installer… Gotta run it through command prompt:

Once there is no more network/disk activity coming from setup.exe — it has finished downloading all 1.1GB of files:

#Command Prompt (As Administrator)
#Pop the RDS Server into terminal-install mode:
change user /install

#Once download is done:
C:\Installers\Office365\2016>setup.exe /configure configuration.xml

#Once complete
#Pop the RDS Server into user-run mode:
change user /execute

I highly recommend rebooting, for some reason the program icons in the start menu like to not pin/unpin or maintain their old name (Word 2013, Excel 2013, etc) until a reboot.

office 2016 progress

Office 2016 successfully installed — heck yeah!

office 2016 start menu