Mantis is a well developed and supported web based bug tracking system. The benefit of Active Directory authentication is obvious, but there is the added benefit that it can pull in the primary email address from Active Directory, ensuring the email address is always correct for the accounts you have in Mantis.
First Mantis needs php5-ldap installed
apt-get install php5-ldap
Then we need to modify /var/www/config_inc.php to add the LDAP authentication settings.
# --- AD Auth ---
$g_login_method = LDAP;
$g_ldap_server = "ldap://domaincontroller1";
$g_ldap_port = 389;
$g_ldap_root_dn = "OU=Users,DC=Domain,DC=local";
$g_ldap_bind_dn = "CN=Mantis Service Account,OU=Service Accounts,DC=Domain,DC=local";
$g_ldap_organization = "";
$g_ldap_protocol_version = 3;
$g_ldap_uid_field = "sAMAccountName";
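Because Mantis hands every user's password (and the service account's) to the domain controller over this connection, the transport matters. The following is an added Python check, not part of the original post or of Mantis, that parses config_inc.php-style assignments and flags a plaintext ldap:// bind next to the hardened ldaps:// form. It assumes Mantis's ldaps:// server URI form and the $g_ldap_bind_passwd option, neither of which the post shows; hostnames and the password are placeholders.

```python
import re

# Constructed config fragments in the style of the post's config_inc.php (placeholder values).
# The ldaps:// form and $g_ldap_bind_passwd are Mantis options the post itself does not show.
PLAINTEXT_CONFIG = """
# --- AD Auth ---
$g_login_method = LDAP;
$g_ldap_server = "ldap://domaincontroller1";
$g_ldap_port = 389;
$g_ldap_root_dn = "OU=Users,DC=Domain,DC=local";
$g_ldap_bind_dn = "CN=Mantis Service Account,OU=Service Accounts,DC=Domain,DC=local";
$g_ldap_protocol_version = 3;
$g_ldap_uid_field = "sAMAccountName";
"""

HARDENED_CONFIG = """
$g_login_method = LDAP;
$g_ldap_server = "ldaps://domaincontroller1";
$g_ldap_port = 636;
$g_ldap_root_dn = "OU=Users,DC=Domain,DC=local";
$g_ldap_bind_dn = "CN=Mantis Service Account,OU=Service Accounts,DC=Domain,DC=local";
$g_ldap_bind_passwd = "placeholder-service-account-password";
$g_ldap_protocol_version = 3;
$g_ldap_uid_field = "sAMAccountName";
"""

# One PHP assignment per line: $name = value;  (quotes are stripped, bare constants kept as-is)
ASSIGN = re.compile(r"^\s*\$(\w+)\s*=\s*(.+?)\s*;\s*$", re.M)


def parse_php_settings(text: str) -> dict:
    """Return {setting_name: value} for the simple $g_... = ...; lines in a Mantis config."""
    settings = {}
    for name, raw in ASSIGN.findall(text):
        if len(raw) >= 2 and raw[0] == raw[-1] and raw[0] in "\"'":
            raw = raw[1:-1]
        settings[name] = raw
    return settings


def ldap_findings(settings: dict) -> list:
    """List the problems with the LDAP settings; an empty list means nothing was flagged."""
    findings = []
    if settings.get("g_login_method") != "LDAP":
        return findings
    server = settings.get("g_ldap_server", "").lower()
    port = settings.get("g_ldap_port", "389")
    if not server.startswith("ldaps://"):
        findings.append("plaintext ldap:// bind: every user's password and the service account "
                        "password cross the network unencrypted; use ldaps:// (port 636)")
    elif port != "636":
        findings.append(f"ldaps:// with port {port}: 636 is the usual LDAPS port, check the DC")
    if settings.get("g_ldap_bind_dn") and not settings.get("g_ldap_bind_passwd"):
        findings.append("g_ldap_bind_dn is set but g_ldap_bind_passwd is missing: a DN with an "
                        "empty password is an unauthenticated bind, not a service-account bind")
    if settings.get("g_ldap_protocol_version") != "3":
        findings.append("g_ldap_protocol_version should be 3 (LDAPv2 is obsolete)")
    return findings


if __name__ == "__main__":
    for label, cfg in (("plaintext", PLAINTEXT_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, ldap_findings(parse_php_settings(cfg)) or ["no findings"])
```

The parser only handles one assignment per line, which is all the post's config needs; the check is deliberately conservative and says nothing about settings it does not understand.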
The setting that pulls in the emails from Active Directory is:
Accounts are still created manually in Mantis, but it uses LDAP for authentication, so the usernames need to match up correctly. When a member of staff leaves you can simply disable or delete the Active Directory account, but their details will still be available in Mantis.
The Task Scheduler in Windows 2008 is vastly improved over previous versions of Windows Server. One feature that I really like is that you can trigger tasks from events showing up in the logs. Since account lockouts are recorded as Event ID 4740, we can create a task that emails the IT department or helpdesk as soon as that ID appears in the Security log. The IT department is therefore aware there is an issue and can pre-empt the user asking for help. It can also help notify you when a brute force attack is being made against accounts.
First we need a PowerShell script that can email the information about the lockout from the Security log to the IT department.
# Grab the most recent account lockout (Event ID 4740) from the Security log
$Event = Get-EventLog -LogName Security -InstanceID 4740 -Newest 1
$MailSubject = "User Account locked out"
# The event message names the locked account and the caller computer; <pre> keeps its line breaks in an HTML body
$MailBody = "<pre>$($Event.TimeGenerated)`n$($Event.Message)</pre>"
$SmtpClient = New-Object System.Net.Mail.SmtpClient
$SmtpClient.Host = "smtp.domain.com"
$MailMessage = New-Object System.Net.Mail.MailMessage
$MailMessage.From = "AccountLockout@domain.com"
$MailMessage.To.Add("helpdesk@domain.com")   # recipient address is a placeholder, replace with your helpdesk mailbox
$MailMessage.IsBodyHtml = $true
$MailMessage.Subject = $MailSubject
$MailMessage.Body = $MailBody
$SmtpClient.Send($MailMessage)
Save this PowerShell script in a script directory that is accessible from your server and then simply create a task within the Task Scheduler. The Trigger is "On an event", using the Security log and Event ID 4740. The Action is then to run the PowerShell script to find the information in the log and email it to the IT department. To start a PowerShell script you need to tell the Task Scheduler to "Start a program", with PowerShell as the program and the location of the saved script as the argument.
Now simply create a test user in Active Directory and try to log in to a computer with an incorrect password. When the number of failed logons set by your account lockout policy is reached, you will shortly see the email alert come in notifying you that an account has been locked out.
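The scheduled script above sends one mail per lockout. To show what the helpdesk can do with those events beyond reading them one at a time, here is an added Python example (not part of the original post, and not using the Windows event log APIs) that parses 4740-style messages and groups them by the "Caller Computer Name" field, so a single user mistyping a password looks different from one machine locking out several accounts in a few minutes. The event text is constructed to mimic the 4740 layout; the workstation names, account names and timestamps are made up.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# The two fields that matter in a 4740 message: which account was locked, and from where.
RE_LOCKED = re.compile(r"Account That Was Locked Out:.*?Account Name:\s*(\S+)", re.S)
RE_CALLER = re.compile(r"Caller Computer Name:\s*(\S+)")


def make_4740(account: str, caller: str) -> str:
    """Build a constructed message in the layout of Security event 4740 (sample data, not a real log)."""
    return (
        "A user account was locked out.\n\n"
        "Subject:\n\tSecurity ID:\t\tSYSTEM\n\tAccount Name:\t\tDC01$\n"
        "\tAccount Domain:\t\tDOMAIN\n\tLogon ID:\t\t0x3E7\n\n"
        "Account That Was Locked Out:\n\tSecurity ID:\t\tS-1-5-21-1-2-3-1104\n"
        f"\tAccount Name:\t\t{account}\n\n"
        f"Additional Information:\n\tCaller Computer Name:\t{caller}\n"
    )


# Constructed sample: one ordinary lockout, then four different accounts locked from the
# same workstation inside three minutes, the pattern a password-guessing source produces.
SAMPLE_EVENTS = [
    ("2024-01-10 09:01:12", make_4740("jsmith", "WS-042")),
    ("2024-01-10 13:30:05", make_4740("asmith", "WS-777")),
    ("2024-01-10 13:30:51", make_4740("bjones", "WS-777")),
    ("2024-01-10 13:31:40", make_4740("cwu", "WS-777")),
    ("2024-01-10 13:32:58", make_4740("dlee", "WS-777")),
]


def parse_lockout(message: str) -> dict:
    """Extract the locked account and the caller computer from a 4740-style message."""
    locked = RE_LOCKED.search(message)
    caller = RE_CALLER.search(message)
    if not locked or not caller:
        raise ValueError("message does not look like a 4740 lockout event")
    return {"account": locked.group(1), "caller": caller.group(1)}


def format_alert(timestamp: str, message: str) -> str:
    """Plain-text body for the helpdesk mail, the same information the scheduled script sends."""
    p = parse_lockout(message)
    return (
        "User Account locked out\n"
        f"Time: {timestamp}\n"
        f"Account: {p['account']}\n"
        f"Caller computer: {p['caller']}\n"
    )


def find_spray_sources(events, window=timedelta(minutes=10), min_accounts=3):
    """Return {caller: [accounts]} for callers that locked at least min_accounts distinct
    accounts within `window`. One user repeatedly mistyping their own password never trips this."""
    by_caller = defaultdict(list)
    for ts, msg in events:
        p = parse_lockout(msg)
        by_caller[p["caller"]].append((datetime.fromisoformat(ts), p["account"]))
    flagged = {}
    for caller, items in by_caller.items():
        items.sort()
        for i, (start, _) in enumerate(items):
            accounts = {acct for t, acct in items[i:] if t - start <= window}
            if len(accounts) >= min_accounts:
                flagged[caller] = sorted(accounts)
                break
    return flagged


if __name__ == "__main__":
    for ts, msg in SAMPLE_EVENTS:
        print(format_alert(ts, msg))
    print("callers locking several accounts:", find_spray_sources(SAMPLE_EVENTS))
```

In practice the caller computer is often a server (a mail or VPN gateway) rather than the attacker's own machine, so the name tells you where to look next, not who is responsible; the threshold and window are starting points to tune against your own lockout policy.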
For a remote (very remote: the other side of the world from where I was) ESXi host I recently had issues using the "Use Windows Session Credentials" option in vSphere; it would complain that 'Windows session credentials cannot be used to log into this server'. The strange thing was that this had been working correctly before I shipped the ESXi server, and it would accept the credentials if I manually entered domain/username and then the password. The first thing to check was that there was a valid PTR record in DNS, since vSphere checks the host by doing a PTR lookup. This was all correct, so I had to do a bit more digging to find the problem. Logging in via SSH with a local account, I discovered that ESXi uses Likewise Open to enable the host to join a Windows domain. Looking at the config files, and especially /etc/likewise/krb5-affinity.conf, it had a stale Domain Controller entry listed. I therefore simply edited out the stale entry and ensured the local DC was first in the list:
After editing and saving the file the Likewise service needs to be restarted with the command
After this I was able to use Windows Session Credentials again to connect to this remote ESXi host.
Racktables is a mature and robust solution for datacenter and server room asset management. It helps document hardware assets, network addresses, space in racks, network configuration and more.
To enable Active Directory authentication you need to edit secret.php and add the LDAP option along with the Base DN to search for.
/* This file has been generated automatically by RackTables installer.
 * you shouldn't normally edit it unless your database setup has changed.
 */
$pdo_dsn = 'mysql:host=localhost;dbname=racktables';
$db_username = 'DBusername';
$db_password = 'DBpassword';
// Default setting is to authenticate users locally, but it is possible to
// employ existing LDAP or Apache userbase. Uncommenting below two lines MAY
// help in switching authentication to LDAP completely.
// More info: http://sourceforge.net/apps/mediawiki/racktables/index.php?title=RackTablesAdminGuide
$user_auth_src = 'ldap';
$require_local_account = FALSE;
// This is only necessary for 'ldap' authentication source
$LDAP_options = array
(
	'server' => 'domaincontroller1.domain.com domaincontroller2.domain.com',
	'domain' => 'domain.com',
	'search_attr' => 'sAMAccountName',
	'search_dn' => 'OU=Users,OU=MyBusiness,DC=domain,DC=com',
	'displayname_attrs' => 'givenname sn',
	'options' => array (LDAP_OPT_PROTOCOL_VERSION => 3, LDAP_OPT_REFERRALS => 0),
);
The important lines to notice are $user_auth_src = 'ldap'; which tells Racktables to use LDAP as the authentication source, and $require_local_account = FALSE; which states that there does not need to be a local user in the database. Our preference was to have this as FALSE and instead let anyone who authenticates access Racktables. Permissions in Racktables then control what the person can or can't see.
You will also want to run Racktables over HTTPS if you are using LDAP authentication, since otherwise the domain passwords travel between the browser and the web server in clear text and could be sniffed.
Now that you have setup the LDAP authentication you need to go into Configuration then permissions in Racktables and set what you want to access.
If you simply want any authenticated user to have admin access you would add the line:
If you want a specific user to have admin access you would add the line:
and finally, for members of a specific group you would use:
You will want to restrict access based on a person's group membership, but having AD authentication makes it simple and quick to grant a user access: put them in the relevant group and they can log in straight away.
If you have a Domain and Forest functional level of 2008 you should be able to create DFS Namespaces that are enabled for Windows Server 2008 mode. However, when creating a DFS namespace I noticed that this option was greyed out. I checked again in Active Directory to confirm the Forest and Domain were running at the 2008 functional level, and they were. It turns out that the option to enable Windows Server 2008 mode does not appear until the DFS Namespace service and the DFS Replication service have been restarted on the namespace server and on the Domain Controller that holds the Operations Master FSMO role.
After restarting these services, try to create a new namespace and the option to Enable Windows Server 2008 Mode should be available.
I needed to export and delete a few mailboxes from an Exchange 2010 server. I normally export these mailboxes using the command:
New-MailboxExportRequest -Mailbox auser -FilePath "\\server\share\auser.pst"
However, today I was presented with the error: "There are no available servers running the Microsoft Exchange Mailbox Replication service."
Mailbox move requests are handled by the Microsoft Exchange Mailbox Replication service, which is part of the Client Access role. For a move request to be created successfully, at least one Client Access server within the Active Directory site must have a running Mailbox Replication service. At this site there was only one Exchange server, which held all the roles, so I had to confirm that the "Microsoft Exchange Mailbox Replication" service was running. In this case it was not, so I simply started it and retried the command to export the mailbox, which worked once the service had started.
Using repadmin.exe it is really easy to quickly force a replication across all Domain Controllers.
Simply use the command:
Repadmin /syncall DCName /APed
An explanation of the switches: /syncall syncs all DCs, and /APed expands to A (all partitions), P (push), e (enterprise, cross sites) and d (distinguished names).
Repadmin is a very handy tool; you can even see the queue of items waiting to be synced by running
Having completed a migration from SBS 2003 to separate Domain Controllers and Exchange 2010, I noticed that when starting the DHCP administrative tool from my workstation and selecting the authorized DHCP server, it still listed the old server alongside the new server where DHCP was now running. Whilst this did not cause any real problems, I wanted to clean it up and reduce confusion by only showing valid authorised DHCP servers.
shows the authorised servers.
netsh dhcp delete server ServerFQDN ServerIPAddress
should remove the server from the list; however, I received the error:
- “There is no such object on the server”
To get around this I had to use the very handy (but potentially dangerous) tool ADSI Edit. To remove the old DHCP server reference you need to:
1. Start Adsiedit.msc.
2. Open the Configuration container.
3. Expand Services.
4. Expand Net Services.
In here I saw a reference to the old DHCP server, which was now decommissioned and removed from the network, so I selected the old server entry and deleted it. A quick check again running
showed the correct servers. Using the DHCP administrative tool it also showed the correct authorised server. A small point but keeping Active Directory clean is an important task.
Exchange 2010 Service Pack 2 has been released today. It doesn't seem as big a jump as SP1, but it is still good to see this release.
The major changes appear to be:
- Outlook Web App (OWA) Mini: A browse-only version of OWA designed for low bandwidth and resolution devices. Based on the existing Exchange 2010 SP1 OWA infrastructure, this feature provides a simple text based interface to navigate the user’s mailbox and access to the global address list from a plurality of mobile devices.
- Cross-Site Silent Redirection for Outlook Web App: With Service Pack 2, you will have the ability to enable silent redirection when CAS must redirect an OWA request to CAS infrastructure located in another Active Directory site. Silent redirection can also provide a single sign-on experience when Forms-Based Authentication is used.
- Hybrid Configuration Wizard: Organizations can choose to deploy a hybrid scenario where some mailboxes are on-premises and some are in Exchange Online with Microsoft Office 365. Hybrid deployments may be needed for migrations taking place over weeks, months or indefinite timeframes. This wizard helps simplify the configuration of Exchange sharing features, like: calendar and free/busy sharing, secure mailflow, mailbox moves, as well as online archive.
- Address Book Policies: Allows organizations to segment their address books into smaller scoped subsets of users providing a more refined user experience than the previous manual configuration approach. We also blogged about this new feature recently in GAL Segmentation, Exchange Server 2010 and Address Book Policies.
- Customer Requested Fixes: All fixes contained within update rollups released prior to Service Pack 2 will also be contained within SP2. Details of our regular Exchange 2010 release rhythm can be found in Exchange 2010 Servicing.
Outlook Web App Mini could be interesting. Please note that installing Exchange 2010 SP2 requires updating the Active Directory schema.
I can't believe that in all my time in IT supporting Windows machines I had not heard of PSR before. PSR (Problem Steps Recorder) is a tool available in Windows 7 and 2008 that records the steps a user takes and presents each step as a screen grab, together with details of the application and UI elements being used. I can see this being a really handy tool for supporting remote users, since it can be difficult and time-consuming to find out exactly what the user is doing and what steps they are taking when they describe a problem.
The text description for the above step is:
Problem Step 2: User left click on "All Programs (menu item)" in "Start menu"
Program: Windows Explorer, 6.1.7600.16385 (win7_rtm.090713-1255), Microsoft Corporation, EXPLORER.EXE, EXPLORER.EXE
UI Elements: All Programs, All Programs, Button, Desktop More Programs Pane, Start menu, DV2ControlHost
When the recording is stopped the user is asked to save a zipped .mht file. Simply ask the user to forward this on to you and you can then easily review the recorded steps.
A sample output from PSR can be found here.