Thursday, October 21, 2010
Friday, October 15, 2010
Windows 2003 Clustering with EMC -Demo
Windows 2003 Clustering with EMC Celerra VM -Intro from Roggy on Vimeo.
Windows 2003 Clustering with EMC Celerra VM -Part1 from Roggy on Vimeo.
Windows 2003 Clustering with EMC Celerra VM -Part2 from Roggy on Vimeo.
Windows 2003 Clustering with EMC Celerra VM -Part3 from Roggy on Vimeo.
Courtesy of http://roggyblog.blogspot.com/2010/03/windows-2003-clustering-with-emc.html
Labels:
clustering,
san
Saturday, September 18, 2010
Installing a Web and DB servers (CentOS 5.5)
Create records on dns1 (master) for web and database servers:
rndc freeze mydomain.local
Edit /var/named/chroot/etc/named.conf
Add the following records:
web1 A 192.168.1.112
db1 A 192.168.1.113
112 PTR web1
113 PTR db1
www CNAME web1
rndc thaw mydomain.local
rndc reload
Build Web server web1 using the server package with web server only.
Install php with support for MySQL
yum install php php-mysql
Edit web1 configuration for server name and port:
vi /etc/httpd/conf/httpd.conf
Listen 192.168.1.112:80
ServerName www.mydomain.local:80
Set web service to automatic startup:
/sbin/chkconfig --level 35 httpd on
/sbin/chkconfig --list httpd
Create html and php test pages:
touch /var/www/html/index.html
touch /var/www/html/phpinfo.php
Edit html and php pages
vi /var/www/html/index.html
Add the following code:
hello world!
vi /var/www/html/phpinfo.php
Add the following code:
<?php phpinfo(); ?>
Start web service:
/etc/init.d/httpd start
Test the web server for static and dynamic pages. Open a web browser and visit the following URLs.
note: Ensure that php page displays a section for MySQL.
Configure the firewall on web1 to allow web access from clients and connections to db1:
system-config-securitylevel-tui
Enable Security Level
Set SELinux to Permissive
Set eth0 as trusted devices (customize button)
Note: SELinux must be set to Permissive or access will be denied.
Build DB server db1 using server package with MySQL only.
Configure the server to accept remote connections by adding a bind-address directive that points to the IP address of db1 (this is not needed anymore):
vi /etc/my.cnf
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql
# Default to using old password format for compatibility with mysql 3.x
# clients (those using the mysqlclient10 compatibility package).
old_passwords=1
# Disabling symbolic-links is recommended to prevent assorted security risks;
# to do so, uncomment this line:
# symbolic-links=0
# Enabling remote connections
bind-address=192.168.1.113
[mysqld_safe]
log-error=/var/log/mysqld.log
pid-file=/var/run/mysqld/mysqld.pid
Configure DB service for automatic startup:
/sbin/chkconfig --level 35 mysqld on
/sbin/chkconfig --list mysqld
Start DB service:
/etc/init.d/mysqld start
Configure firewall on db1 to accept connections from web1
system-config-securitylevel-tui
Enable Security Level
Set SELinux to Enforcing
Set eth0 as trusted devices (customize button)
Test DB server by installing an application that uses php and MySQL.
Installing Wordpress.
On web1
cd /var/www/html/
yum install wget
tar -xzvf latest.tar.gz
mv wordpress blog
On db1
Configure password for mysqld root admin account:
mysqladmin -u root password Passw0rd
Create database for Wordpress:
mysql -u root -p
CREATE DATABASE wordpress;
GRANT ALL PRIVILEGES ON wordpress.* TO 'wpuser'@'192.168.1.112' IDENTIFIED BY 'Passw0rd';
FLUSH PRIVILEGES;
EXIT
Note: 192.168.1.112 is the IP address of web1, the host from where we want to connect to db1. wpuser is the database user and wordpress is the database name.
On web1
Configure installation script for Wordpress:
cd /var/www/html/blog
cp wp-config-sample.php wp-config.php
vi wp-config.php
Edit this file as follows:
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'wordpress');
/** MySQL database username */
define('DB_USER', 'wpuser');
/** MySQL database password */
define('DB_PASSWORD', 'Passw0rd');
/** MySQL hostname */
define('DB_HOST', 'db1.mydomain.local');
/** Database Charset to use in creating database tables. */
define('DB_CHARSET', 'utf8');
/** The Database Collate type. Don't change this if in doubt. */
define('DB_COLLATE', '');
note: db1.mydomain.local points to db1 (192.168.1.113)
Open a web browser and start the Wordpress installation by entering the URL:
It should display the Wordpress installation web page, which confirms that web1 is communicating with db1 and our servers are working properly.
Wednesday, September 15, 2010
Servers Time Synchronization with ntpd (CentOS 5.5)
Install ntpd daemon:
yum install ntp
Configure ntpd for automatic startup:
/sbin/chkconfig ntpd on
Initial time synchronization:
ntpdate pool.ntp.org
Start ntpd daemon:
/etc/init.d/ntpd start
Install this service on all your servers.
Configuration file looks like this:
/etc/ntp.conf
# Permit time synchronization with our time source, but do not
# permit the source to query or modify the service on this system.
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
# Permit all access over the loopback interface. This could
# be tightened as well, but to do so would effect some of
# the administrative functions.
restrict 127.0.0.1
restrict -6 ::1
# Hosts on local network are less restricted.
#restrict 192.168.1.0 mask 255.255.255.0 nomodify notrap
# Use public servers from the pool.ntp.org project.
# Please consider joining the pool (http://www.pool.ntp.org/join.html).
server 0.centos.pool.ntp.org
server 1.centos.pool.ntp.org
server 2.centos.pool.ntp.org
#broadcast 192.168.1.255 key 42 # broadcast server
#broadcastclient # broadcast client
#broadcast 224.0.1.1 key 42 # multicast server
#multicastclient 224.0.1.1 # multicast client
#manycastserver 239.255.254.254 # manycast server
#manycastclient 239.255.254.254 key 42 # manycast client
# Undisciplined Local Clock. This is a fake driver intended for backup
# and when no outside source of synchronized time is available.
server 127.127.1.0 # local clock
fudge 127.127.1.0 stratum 10
# Drift file. Put this in a directory which the daemon can write to.
# No symbolic links allowed, either, since the daemon updates the file
# by creating a temporary in the same directory and then rename()'ing
# it to the file.
driftfile /var/lib/ntp/drift
# Key file containing the keys and key identifiers used when operating
# with symmetric key cryptography.
keys /etc/ntp/keys
# Specify the key identifiers which are trusted.
#trustedkey 4 8 42
# Specify the key identifier to use with the ntpdc utility.
#requestkey 8
# Specify the key identifier to use with the ntpq utility.
#controlkey 8
Labels:
ntp,
ntpd,
time synchronization
Tuesday, September 14, 2010
Adding an ISC DHCP server with DDNS (CentOS 5.5)
BIND (DDNS) server is already in place and running.
Built server with server package only.
Install DHCP package:
yum install dhcp
Create rndc.key:
touch /etc/rndc.key
Edit rndc.key to use the same key being used by BIND:
key "rndckey" {
algorithm hmac-md5;
secret "h7mAgf+HKPCSzBCBW4Wjiw==";
};
Edit dhcpd.conf as follows:
vi /etc/dhcpd.conf
#
# DHCP Server Configuration file.
# see /usr/share/doc/dhcp*/dhcpd.conf.sample
#
authoritative;
ddns-update-style interim;
allow client-updates;
include "/etc/rndc.key";
zone mydomain.local. {
# Set the IP address of the name server whose zone information is to be updated
# 192.168.1.103 == is your primary master bind 9 server
primary 192.168.1.103;
# and the key to use
key rndckey;
}
# update the reverse lookup zone
zone 1.168.192.in-addr.arpa. {
primary 192.168.1.103;
key rndckey;
}
subnet 192.168.1.0 netmask 255.255.255.0 {
# --- default gateway
option routers 192.168.1.1;
option subnet-mask 255.255.255.0;
# option nis-domain "domain.org";
option domain-name "mydomain.local";
option domain-name-servers 192.168.1.103, 192.168.1.104;
option time-offset -21600; # Central Standard Time
# option ntp-servers 192.168.1.1;
# option netbios-name-servers 192.168.1.1;
# --- Selects point-to-point node (default is hybrid). Don't change this unless
# -- you understand Netbios very well
# option netbios-node-type 2;
range dynamic-bootp 192.168.1.10 192.168.1.20;
default-lease-time 21600;
max-lease-time 43200;
# we want the nameserver to appear at a fixed address
# host ns {
# next-server marvin.redhat.com;
# hardware ethernet 12:34:56:78:AB:CD;
# fixed-address 207.175.42.254;
# }
}
Configure DHCP for automatic startup:
/sbin/chkconfig --level 35 dhcpd on
/sbin/chkconfig --list dhcpd
Start dhcpd daemon:
/sbin/service dhcpd start
Test:
tail -f /var/log/messages
Add dhcp A record to dns1 (don’t forget to change serial number)
rndc freeze mydomain.local
vi /var/named/chroot/var/named/slaves/mydomain.local.zone.db
rndc thaw mydomain.local
rndc reload
Labels:
Active Directory,
BIND,
DDNS,
DHCP
Monday, September 13, 2010
Adding slave BIND server + Active Directory
Adding slave BIND server
Build dns2 server
Add dns2 (ns2) NS, A and PTR records to dns1 server zones.
$ttl 86400
@ IN SOA ns.example.local. admin.example.local. (
2010091300 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
IN NS ns.example.local.
IN NS ns2.example.local.
ns IN A 192.168.1.103
ns2 IN A 192.168.1.104
dns1 IN CNAME ns.example.local.
dns2 IN CNAME ns2.example.local.
103 IN PTR ns.example.local.
104 IN PTR ns2.example.local.
Modify the dns1 server's named.conf as follows:
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow {127.0.0.1; } keys { "rndckey"; };
inet 192.168.1.103 allow { 192.168.1.0/24; } keys { "rndckey"; };
};
server 192.168.1.103 {
keys { rndckey; };
};
acl DC-mydomain.local {
192.168.1.110;
192.168.1.111;
};
options {
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.1.0/24;
};
listen-on {
127.0.0.1;
192.168.1.103;
};
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
query-source address * port 53;
version "REFUSED";
allow-query {
127.0.0.1;
192.168.1.0/24;
};
};
zone "." IN {
type hint;
file "named.root";
};
zone "example.local" IN {
type master;
file "slaves/example.local.zone.db";
allow-update { none; };
allow-transfer { 192.168.1.104; };
};
// put slave zones in the slaves/ directory so named can update them
// put dynamically updateable zones in the slaves/ directory so named can update them
zone "1.168.192.in-addr.arpa" IN {
type master;
file "slaves/mydomain.local.rev.zone.db";
allow-update {DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
};
zone "mydomain.local" IN {
type master;
file "slaves/mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "_msdcs.mydomain.local" IN {
type master;
file "slaves/_msdcs.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "_sites.mydomain.local" IN {
type master;
file "slaves/_sites.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "_tcp.mydomain.local" IN {
type master;
file "slaves/_tcp.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "_udp.mydomain.local" IN {
type master;
file "slaves/_udp.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "ForestDnsZones.mydomain.local" IN {
type master;
file "slaves/ForestDnsZones.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
zone "DomainDnsZones.mydomain.local" IN {
type master;
file "slaves/DomainDnsZones.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { 192.168.1.104; };
check-names ignore;
};
On dns2, create named.conf as follows:
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow {127.0.0.1; } keys { "rndckey"; };
inet 192.168.1.104 allow { 192.168.1.0/24; } keys { "rndckey"; };
};
server 192.168.1.103 {
keys { rndckey; };
};
acl DC-mydomain.local {
192.168.1.110;
192.168.1.111;
};
options {
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.1.0/24;
};
listen-on {
127.0.0.1;
192.168.1.104;
};
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
query-source address * port 53;
version "REFUSED";
allow-query {
127.0.0.1;
192.168.1.0/24;
};
};
zone "." IN {
type hint;
file "named.root";
};
zone "example.local" IN {
type slave;
file "slaves/example.local.zone.db";
masters { 192.168.1.103; };
};
// put slave zones in the slaves/ directory so named can update them
// put dynamically updateable zones in the slaves/ directory so named can update them
zone "1.168.192.in-addr.arpa" IN {
type slave;
file "slaves/mydomain.local.rev.zone.db";
masters { 192.168.1.103; };
};
zone "mydomain.local" IN {
type slave;
file "slaves/mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "_msdcs.mydomain.local" IN {
type slave;
file "slaves/_msdcs.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "_sites.mydomain.local" IN {
type slave;
file "slaves/_sites.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "_tcp.mydomain.local" IN {
type slave;
file "slaves/_tcp.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "_udp.mydomain.local" IN {
type slave;
file "slaves/_udp.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "ForestDnsZones.mydomain.local" IN {
type slave;
file "slaves/ForestDnsZones.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
zone "DomainDnsZones.mydomain.local" IN {
type slave;
file "slaves/DomainDnsZones.mydomain.local.zone.db";
masters { 192.168.1.103; };
check-names ignore;
};
Copy rndc.key from the dns1 server to the dns2 server (both must use the same key).
There is no need to create zone files on dns2: they are transferred from dns1 when the named daemon starts on dns2.
Make sure to put the zone files to be transferred in the slaves folder on dns1.
Restart named on dns1 and dns2. Check syslog for zone transfers.
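When the master's named.conf is cloned to the slave, it is easy to leave the controls and listen-on addresses pointed at the master's IP, in which case named on dns2 only listens on loopback and the control channel never comes up. The following is an added example, not code from the original post: a small Python lint that parses a named.conf, checks those addresses against the host's own IP, checks that slave zones pull only from dns1 and that the AD zones carry check-names ignore, and flags the query-source port pin that the file's own comment warns about. The sample config is constructed, shaped like the dns2 file above.

```python
import re

# Constructed sample shaped like the dns2 slave config above; the controls and
# listen-on addresses still point at the master (192.168.1.103), not at dns2.
SAMPLE_DNS2_CONF = """
controls {
    inet 127.0.0.1 allow {127.0.0.1; } keys { "rndckey"; };
    inet 192.168.1.103 allow { 192.168.1.0/24; } keys { "rndckey"; };
};
options {
    directory "/var/named"; // the default
    listen-on { 127.0.0.1; 192.168.1.103; };
    query-source address * port 53;
};
zone "_msdcs.mydomain.local" IN {
    type slave;
    file "slaves/_msdcs.mydomain.local.zone.db";
    masters { 192.168.1.103; };
};
"""
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp", "ForestDnsZones", "DomainDnsZones")
IPV4 = re.compile(r"\b\d{1,3}(?:\.\d{1,3}){3}\b")

def top_level_blocks(text):
    """Yield (header, body) for each top-level `header { body };` statement."""
    pos = 0
    while (start := text.find("{", pos)) >= 0:
        header, depth = text[pos:start].rsplit(";", 1)[-1].strip(), 0  # skip brace-less statements
        for end in range(start, len(text)):  # walk to the matching close brace
            depth += {"{": 1, "}": -1}.get(text[end], 0)
            if depth == 0:
                break
        yield header, text[start + 1:end]
        pos = end + 1

def lint_named_conf(text, own_ip, master_ip, domain):
    """Return findings for a named.conf meant to run on own_ip and serve domain's AD zones."""
    text = re.sub(r"//.*|#.*", "", text)  # strip comments before matching
    out = []
    for header, body in top_level_blocks(text):
        if header == "controls":
            for ip in re.findall(r"inet\s+(\d[\d.]*)", body):
                if ip not in ("127.0.0.1", own_ip):
                    out.append(f"controls: inet {ip} is not an address of this host ({own_ip})")
        elif header == "options":
            m = re.search(r"listen-on\s*\{([^}]*)\}", body)
            if own_ip not in (IPV4.findall(m.group(1)) if m else []):
                out.append(f"options: listen-on does not include this host's address {own_ip}")
            if re.search(r"query-source[^;]*\bport\s+53\b", body):
                out.append("options: query-source pins port 53, disabling source-port randomization")
        elif header.startswith("zone"):
            name = re.search(r'"([^"]+)"', header).group(1)
            ztype = (re.search(r"\btype\s+(\w+)", body) or ("", ""))[1]
            is_ad = name == domain or name.endswith("." + domain) and name[: -len(domain) - 1] in AD_SUBZONES
            if ztype == "slave":
                m = re.search(r"masters\s*\{([^}]*)\}", body)
                if not m or IPV4.findall(m.group(1)) != [master_ip]:
                    out.append(f"zone {name}: masters should be exactly {{ {master_ip}; }}")
            elif ztype == "master" and "allow-transfer" not in body:
                out.append(f"zone {name}: allow-transfer not set, so any host may pull the zone")
            if is_ad and not re.search(r"check-names\s+ignore", body):
                out.append(f"zone {name}: AD underscore labels need check-names ignore")
    return out
```

Run it as `lint_named_conf(open("/var/named/chroot/etc/named.conf").read(), "192.168.1.104", "192.168.1.103", "mydomain.local")` on dns2 before restarting named; an empty list means the file is consistent with the host it sits on.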
Labels:
Active Directory,
BIND,
DDNS
Sunday, September 12, 2010
Adding W2K8 server core (domain controller) to 2003 AD + BIND (DDNS)
CentOS 5.5
Current infrastructure:
Windows Server 2003 AD with BIND as DDNS server (No Windows DDNS)
1 W2K3 domain controller = dc1
Domain name = mydomain.local
Project Goal:
Add second domain controller running Windows Server 2008 server core to 2003 AD domain.
1 W2K8 domain controller = dc2
Preparation:
Raise forest and domain levels to Windows Server 2003 on dc1
Run adprep from W2K8 CD on dc1
adprep /forestprep
adprep /domainprep /gpprep
On BIND (DDNS), add the IP address of dc2 to the acl in /var/named/chroot/etc/named.conf
Build W2K8 domain controller (server core)
Configure tcp/ip settings using netsh
IP address
Subnet Mask
Gateway
DNS server
Add primary dns suffix and connection specific dns suffix using regedit.
HKLM\System\CurrentControlSet\Services\TcpIP\Parameters\Domain = primary DNS suffix (mydomain.local)
HKLM\System\CurrentControlSet\Services\TcpIP\Parameters\Interfaces\Domain = connection-specific DNS suffix (mydomain.local)
Enable ddns using netsh.
netsh interface ip set dns name="2" source=static addr=<IP address of dc2> register=primary
Rename server.
Netdom RenameComputer %COMPUTERNAME% /newname:dc2
Restart server.
Shutdown /r /t 0
Build answer file:
Type notepad and add the following:
[DCINSTALL]
UserName=Administrator
UserDomain=mydomain.local
Password=*
SiteName=Default-First-Site-Name
ReplicaOrNewDomain=replica
ReplicaDomainDNSName=mydomain.local
DatabasePath="%SYSTEMROOT%\NTDS"
LogPath="%SYSTEMROOT%\NTDS"
SYSVOLPath="%SYSTEMROOT%\SYSVOL"
InstallDNS=NO
ConfirmGC=yes
SafeModeAdminPassword=*
RebootOnCompletion=yes
Run DCPromo
Dcpromo /unattend:answer.txt
Test
After the reboot, log in to dc2 and check BIND (tail -f /var/log/messages) for successful DDNS updates.
Log in to dc1, open the Computer Management MMC, connect to dc2 and check the event logs.
Labels:
Active Directory,
BIND,
domain controller,
server core
Windows 2003 AD using BIND 9 as DNS server (CentOS 5.5)
This configuration uses BIND as DDNS server for AD. No need for Windows DDNS.
There are six subdomains to control the process:
_msdcs, _sites, _tcp and _udp, ForestDnsZones and DomainDnsZones.
Domain controllers insert SRV records into these subdomains.
Create six subdomains and allow dynamic updates from domain controllers
to these 6 specific zones. In your /var/named/chroot/etc/named.conf put:
include "/etc/rndc.key";
controls {
inet 127.0.0.1 allow {127.0.0.1; } keys { "rndckey"; };
inet 192.168.1.103 allow { 192.168.1.0/24; } keys { "rndckey"; };
};
server 192.168.1.103 {
keys { rndckey; };
};
acl DC-mydomain.local {
192.168.1.110;
};
options {
// Put files that named is allowed to write in the data/ directory:
directory "/var/named"; // the default
pid-file "/var/run/named/named.pid";
dump-file "data/cache_dump.db";
statistics-file "data/named_stats.txt";
memstatistics-file "data/named_mem_stats.txt";
recursion yes;
allow-recursion {
127.0.0.1;
192.168.1.0/24;
};
listen-on {
127.0.0.1;
192.168.1.103;
};
// Those options should be used carefully because they disable port
// randomization
// query-source port 53;
// query-source-v6 port 53;
query-source address * port 53;
version "REFUSED";
allow-query {
127.0.0.1;
192.168.1.0/24;
};
};
zone "." IN {
type hint;
file "named.root";
};
zone "example.local" IN {
type master;
file "data/example.local.zone.db";
allow-update { none; };
allow-transfer { none; };
};
// put slave zones in the slaves/ directory so named can update them
// put dynamically updateable zones in the slaves/ directory so named can update them
zone "1.168.192.in-addr.arpa" IN {
type master;
file "slaves/mydomain.local.rev.zone.db";
allow-update {DC-mydomain.local; key rndckey; };
allow-transfer { none; };
};
zone "mydomain.local" IN {
type master;
file "slaves/mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "_msdcs.mydomain.local" IN {
type master;
file "slaves/_msdcs.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "_sites.mydomain.local" IN {
type master;
file "slaves/_sites.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "_tcp.mydomain.local" IN {
type master;
file "slaves/_tcp.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "_udp.mydomain.local" IN {
type master;
file "slaves/_udp.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "ForestDnsZones.mydomain.local" IN {
type master;
file "slaves/ForestDnsZones.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
zone "DomainDnsZones.mydomain.local" IN {
type master;
file "slaves/DomainDnsZones.mydomain.local.zone.db";
allow-update { DC-mydomain.local; key rndckey; };
allow-transfer { none; };
check-names ignore;
};
Download root hints (named.root) to:
/var/named/chroot/var/named
Create the 6 zone files with this configuration:
$ttl 86400
@ IN SOA ns.mydomain.local. admin.mydomain.local. (
2010091200 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
IN NS ns.mydomain.local.
Create forward lookup zone:
$ttl 86400
@ IN SOA ns.mydomain.local. admin.mydomain.local. (
2010091200 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
IN NS ns.mydomain.local.
ns IN A 192.168.1.103
dc1 IN A 192.168.1.110
dns1 IN CNAME ns.mydomain.local.
Create reverse lookup zone:
$ttl 86400
@ IN SOA ns.mydomain.local. admin.mydomain.local. (
2010091200 ; Serial
10800 ; Refresh after 3 hours
3600 ; Retry after 1 hour
604800 ; Expire after 1 week
86400 ) ; Minimum TTL of 1 day
IN NS ns.mydomain.local.
103 IN PTR ns.mydomain.local.
110 IN PTR dc1.mydomain.local.
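The six skeleton files above are identical apart from their names, and the zone stanzas differ only in the zone name and file, so generating both from one description avoids the typos that hand-editing eight files invites. This is an added Python example, not code from the original post; it renders the master-side configuration shown above, with the key name rndckey, the DC-<domain> acl name and the slaves/ file layout taken from the post, and an optional list of secondary servers for allow-transfer.

```python
AD_SUBZONES = ("_msdcs", "_sites", "_tcp", "_udp", "ForestDnsZones", "DomainDnsZones")

def soa_serial(year, month, day, edit=0):
    """YYYYMMDDnn serial as in the zone files above; bump `edit` for each change on the same day."""
    return int(f"{year:04d}{month:02d}{day:02d}{edit:02d}")

def zone_file(ns_fqdn, mailbox_domain, serial, records=()):
    """Render the skeleton zone file from the post (SOA + NS), followed by any extra records."""
    head = [
        "$ttl 86400",
        f"@ IN SOA {ns_fqdn}. admin.{mailbox_domain}. (",
        f"    {serial} ; Serial",
        "    10800 ; Refresh after 3 hours",
        "    3600 ; Retry after 1 hour",
        "    604800 ; Expire after 1 week",
        "    86400 ) ; Minimum TTL of 1 day",
        f"    IN NS {ns_fqdn}.",
    ]
    return "\n".join(head + list(records)) + "\n"

def zone_stanza(name, filename, acl, slaves=(), ad=True):
    """named.conf master stanza: updates only from the DC acl or the rndc key, transfers only to slaves."""
    transfer = " ".join(f"{ip};" for ip in slaves) or "none;"
    lines = [
        f'zone "{name}" IN {{',
        "    type master;",
        f'    file "slaves/{filename}";',
        f"    allow-update {{ {acl}; key rndckey; }};",
        f"    allow-transfer {{ {transfer} }};",
    ]
    if ad:  # AD's underscore labels (_ldap._tcp...) fail BIND's default hostname checks
        lines.append("    check-names ignore;")
    return "\n".join(lines + ["};"]) + "\n"

def render_ad_dns(domain, ns_ip, dcs, serial, slaves=()):
    """Return ({filename: zone text}, named.conf fragment) for domain, its six AD subzones
    and the /24 reverse zone. dcs maps DC hostname -> IP; slaves lists secondary servers."""
    ns, acl = f"ns.{domain}", f"DC-{domain}"
    rev = ".".join(reversed(ns_ip.split(".")[:3])) + ".in-addr.arpa"
    files = {}
    conf = [f"acl {acl} {{ " + " ".join(f"{ip};" for ip in dcs.values()) + " };\n"]
    # Forward zone: A records for the name server and every DC.
    fwd = [f"ns IN A {ns_ip}"] + [f"{host} IN A {ip}" for host, ip in dcs.items()]
    files[f"{domain}.zone.db"] = zone_file(ns, domain, serial, fwd)
    conf.append(zone_stanza(domain, f"{domain}.zone.db", acl, slaves))
    # The six subzones start as bare SOA/NS skeletons; the DCs fill them with SRV records.
    for sub in AD_SUBZONES:
        name = f"{sub}.{domain}"
        files[f"{name}.zone.db"] = zone_file(ns, domain, serial)
        conf.append(zone_stanza(name, f"{name}.zone.db", acl, slaves))
    # Reverse zone: PTR for the name server and each DC (last octet, relative to the origin).
    ptrs = [f"{ip.rsplit('.', 1)[1]} IN PTR {host}." for host, ip in
            [(ns, ns_ip)] + [(f"{h}.{domain}", ip) for h, ip in dcs.items()]]
    files[f"{domain}.rev.zone.db"] = zone_file(ns, domain, serial, ptrs)
    conf.append(zone_stanza(rev, f"{domain}.rev.zone.db", acl, slaves, ad=False))
    return files, "\n".join(conf)

if __name__ == "__main__":
    files, conf = render_ad_dns("mydomain.local", "192.168.1.103", {"dc1": "192.168.1.110"},
                                soa_serial(2010, 9, 12))
    print(conf)  # zone stanzas for /var/named/chroot/etc/named.conf
    for fname in files:
        print(f"# {fname}")  # each goes under /var/named/chroot/var/named/slaves/
```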
Build DC:
Build the Windows Server 2003 AD controller and configure its TCP/IP settings to use the BIND server for DNS, test DNS and run dcpromo. Make sure to configure the DNS suffix for the server and enable DNS registration in the TCP/IP properties of the DC's NIC.
Test:
Test dns from domain controller with dcdiag.exe (dcdiag /test:DNS)
Check syslog on CentOS (tail -f /var/log/messages) for the creation of .jnl files (DDNS journal updates).
Labels:
Active Directory,
BIND,
DDNS,
dns,
domain controller