Syed Jahanzaib Personal Blog to Share Knowledge !

November 19, 2018

Mikrotik Remote Access via Multiple WAN Links

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:47 PM


I wrote about this topic a few years back, but forgot where it is now, so I am adding it again as a note to self! This solution applies to the following particular scenario.


Scenario:

We have 2 WAN links configured with policy-based routing. As we know, Mikrotik (or any device) can have only one default route active at a time. So if we try to access the Mikrotik via the WAN2 link it will not work, because when the request arrives on the WAN2 link and the reply tries to return to its original requester, it will always be routed via the WAN-1 link due to the default route. At this point the remote client receives packets with a source IP it didn't initiate traffic with, so it rejects that response.

Fair enough !

To sort this out we need to mark these connections, and make sure every packet returns via the same route through which it came in.

# Mikrotik IP Firewall Mangle Section
/ ip firewall mangle
# Mark connections that arrive on the WAN-1 link (input chain = traffic destined to the router itself)
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_incoming_conn
# Mark connections that arrive on the WAN-2 link
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_incoming_conn

# Apply a routing mark to the router's own replies for WAN-1 marked connections, so that Mikrotik returns traffic via the same interface it came in on
add chain=output connection-mark=WAN1_incoming_conn action=mark-routing new-routing-mark=to_WAN1
# Same for WAN-2 marked connections
add chain=output connection-mark=WAN2_incoming_conn action=mark-routing new-routing-mark=to_WAN2

# Finally Add appropriate routes in ROUTE section
/ ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.2 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=2.2.2.2 routing-mark=to_WAN2 check-gateway=ping

For other scenarios, you may want to look into the prerouting chain instead!

Regards
Syed Jahanzaib

October 24, 2018

ASCII Fun with Mikrotik Terminal Banner

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:46 PM


To edit the Mikrotik terminal welcome banner, open a terminal and issue the following command:

/system note edit note

Now design your graphics or add text of your choice, or paste your already copied data into this terminal window.

When done, press CTRL+O and it will save and exit.

Now open the terminal again, and this time you will see your MOTD/banner smiling 🙂


More Info here

October 8, 2018

PAKRAD – Reseller, Dealer & Sub-Dealer based ISP Billing System

Filed under: freeradius — Syed Jahanzaib / Pinochio~:) @ 9:08 AM


PAK Radius is a customized ISP billing system built on Linux (Ubuntu 16/x64) using FreeRADIUS v2.2.8 as the backend, with a dynamic and responsive GUI panel written in PHP 7.0.28 as the frontend. It is developed to cater to local (desi) market requirements.

It is built on the concept where the ISP has a Super Admin > Admin / Reseller / Dealer & Sub-Dealer based clientele. This system is continuously under development, and new features, enhancements and improvements are being made on a regular basis.

Some screenshots …

[Image: PAKRAD screenshot]

[Image: dashboard view]

[Image: free user]

Workflow …

[Image: workflow diagram]

  • Admin cannot create users directly. Admin first creates a reseller, assigns him some services with the desired rates, and transfers some amount into the reseller's wallet/account.
  • Reseller cannot create users directly. Reseller first creates a dealer, assigns him some services with the desired rates, and transfers some amount into the dealer's wallet/account.
  • Dealer can create his users up to the limit of his wallet/account. Dealer can also create his sub-dealer, assign him the required services and set the rates for his sub-dealer.

Some major Features …


  • Dynamic, responsive & appealing web design (advanced responsive PHP design)
  • With open source code, you can modify it as per your requirements
  • Just a one-time license cost & you get a lifetime license
  • Unlimited number of users / NAS support
  • Generalized information on the front panel for each manager, a glance window
  • Specially customized and designed for local Internet cable service providers, with TO THE POINT options only, no hanky panky
  • Purely designed as a reseller based system, example – Admin > Reseller > Dealer / Sub-dealer based system
  • Profit calculation for view purposes
  • Free IDs assignment for dealers for their test purposes
  • Different service rate assignment for different resellers / dealers / sub-dealers
  • Each manager can view their dealer/sub-dealer billing easily. Good financial modules for tracking all sorts of transactions for dealers / sub-dealers
  • Cash based system for reseller/dealer/sub-dealer charging
  • `Get Back Cash` system to pull back cash sent to the managers
  • Dynamic day & night bandwidth configuration available, compatible with all versions of Mikrotik routers
  • Quota based package configuration available
  • Prevention of the user DELETE action to prevent any misuse; users can only be disabled!
  • Users' unsuccessful dialing attempts for each manager
  • Users' connecting device information recorded in the user table, e.g. TP-Link/Tenda etc.
  • Reports for package-wise consumption
  • Good reporting section for user usage reports / graph reports / user charges reports
  • Managers' last login information
  • Email/SMS alerts for various actions & multiple users' email/SMS alerts, e.g. expiry / renewal / general notification sending to active users etc. [currently this is being done via bash scripts, but soon they will be added to the GUI]
  • Strong bug-free back-end design, capable of connecting thousands of users in just a few seconds!
  • Years of experience compiled in one single package ~

Many other features have been added based on local operators' feedback to suit local market requirements!


Demo link: 



Regards
Syed Jahanzaib

October 2, 2018

September 27, 2018

DNSMASQ Short Notes to self

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 10:15 AM


Dnsmasq is a lightweight, easy to configure DNS forwarder, designed to provide DNS (and optionally DHCP and TFTP) services to a small-scale network.

Compared to `BIND`, which is a bit complex to configure for beginners, `DNSMASQ` is very easy and requires minimal configuration. This post is just a reference guide for myself.


Install DNSMASQ in Ubuntu !

sudo apt-get install dnsmasq

After this, edit the /etc/dnsmasq.conf file. I modified only 2 options, as shown below:

# Specify your interface
interface=eth1
# Cache size
cache-size=10000

 

After every change in the config, make sure to restart DNSMASQ service.


Forwarding Queries to Upstream DNS

By default, dnsmasq forwards all requests that cannot be resolved from /etc/hosts to the upstream DNS servers defined in /etc/resolv.conf, like below:

cat /etc/resolv.conf

nameserver 8.8.8.8

Add DNS Records (static DNS entries, if required, for local servers like media sharing etc.)

To add customized domain entries (DNS spoofing, I guess), add the records to the /etc/hosts file:

cat /etc/hosts

127.0.0.1 localhost

1.2.3.4 mynetwork.com

 


Restart DNSMASQ Service

After every change in the config, make sure to restart dnsmasq service.

service dnsmasq restart

Monitor DNS traffic

DNSTOP is your best friend. For full details read

http://dns.measurement-factory.com/tools/dnstop/dnstop.8.html


ACL / Secure your DNS from open resolver abuse / flooding

To allow only specific IP ranges to query your DNS server, you can use the following bash script.

We have multiple IP pools, so we have put them in a small text file, and a small bash script reads from the file and adds iptables rules accordingly.

Sample of /temp/localip.txt (the file the script reads from)

10.0.0.0/8
172.16.0.0/16
192.168.0.0/16

Now you can execute the bash script manually, or add it to the /etc/rc.local file so it runs on every reboot.

cat /etc/fw.sh

#!/bin/sh
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
# Very basic level of firewall to allow DNS only for some IP ranges
# Script by Syed Jahanzaib
# 26-SEP-2018
#set -x

# Setting various variables

# Local IP file which contains the allowed IPs/ranges, one per line
IPFILE="/temp/localip.txt"

# Destination port we want to restrict
DPORT="53"

# Destination port types (protocols) we want to restrict
DPORT_TYPE1="udp"
DPORT_TYPE2="tcp"

# Flush all previous iptables rules
# NOTE: this wipes every rule in the filter, nat and mangle tables, not only the DNS ones
iptables -F
iptables -X
iptables -t nat -F
iptables -t nat -X
iptables -t mangle -F
iptables -t mangle -X

# Allow localhost access to query the DNS service
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE1 --dport $DPORT -j ACCEPT
iptables -A INPUT -s 127.0.0.1 -p $DPORT_TYPE2 --dport $DPORT -j ACCEPT

# LOOP - read from localip.txt and apply iptables rules for each protocol
for IP in $(cat "$IPFILE"); do
    for PROTO in $DPORT_TYPE1 $DPORT_TYPE2; do
        echo "Allowing $IP for $PROTO $DPORT server queries access ..."
        iptables -A INPUT -s "$IP" -p "$PROTO" --dport $DPORT -j ACCEPT
    done
done

# DROP all other requests going to the DNS service (both UDP and TCP, otherwise TCP/53 stays open to everyone)
iptables -A INPUT -p $DPORT_TYPE1 --dport $DPORT -j DROP
iptables -A INPUT -p $DPORT_TYPE2 --dport $DPORT -j DROP

# Script ends here
# Syed Jahanzaib

Add this to /etc/rc.local so that it runs on every reboot!

Also note that if you have a large IP pool, it is better to use IPSET, which is more efficient.
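The ipset variant mentioned above, as an added example (this is not the author's fw.sh): the same allow-list is read from the text file, but loaded into one hash:net set so the iptables rule count stays at a handful however many prefixes the file holds. It also skips blank, commented and malformed lines, and keeps its rules in a dedicated chain instead of flushing every table. The file path, set name and chain name are assumptions.

```sh
#!/bin/sh
# Added example, not the author's script: DNS allow-list built with ipset.
# Assumed names: /temp/localip.txt (same file as fw.sh), set dns_clients, chain DNS_ACL.
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
IPFILE="${IPFILE:-/temp/localip.txt}"
SETNAME="dns_clients"
CHAIN="DNS_ACL"
DPORT="53"

# valid_prefix ENTRY -> 0 if ENTRY looks like an IPv4 address or an a.b.c.d/0-32 prefix
valid_prefix() {
    echo "$1" | grep -Eq '^([0-9]{1,3}\.){3}[0-9]{1,3}(/([0-9]|[12][0-9]|3[0-2]))?$'
}

# gen_rules FILE -> prints the ipset/iptables commands, one per line, without running them.
# Blank lines and '#' comments are ignored; malformed entries go to stderr and are skipped.
gen_rules() {
    echo "ipset create $SETNAME hash:net -exist"
    echo "ipset flush $SETNAME"
    while IFS= read -r line || [ -n "$line" ]; do
        line=${line%%#*}
        line=$(echo "$line" | tr -d '[:space:]')
        [ -z "$line" ] && continue
        if valid_prefix "$line"; then
            echo "ipset add $SETNAME $line -exist"
        else
            echo "skipped malformed entry: $line" >&2
        fi
    done < "$1"
    # Own chain: refilling it leaves every other rule on the box untouched
    echo "iptables -N $CHAIN 2>/dev/null || true"
    echo "iptables -F $CHAIN"
    for proto in udp tcp; do
        echo "iptables -A $CHAIN -p $proto --dport $DPORT -s 127.0.0.1 -j ACCEPT"
        echo "iptables -A $CHAIN -p $proto --dport $DPORT -m set --match-set $SETNAME src -j ACCEPT"
        echo "iptables -A $CHAIN -p $proto --dport $DPORT -j DROP"
    done
    # Hook the chain into INPUT once (the -C check avoids duplicate jumps on re-runs)
    echo "iptables -C INPUT -j $CHAIN 2>/dev/null || iptables -I INPUT -j $CHAIN"
}

# count_prefixes FILE -> number of prefixes that would be loaded into the set
count_prefixes() {
    gen_rules "$1" 2>/dev/null | grep -c '^ipset add '
}

# apply_rules FILE -> executes the generated commands (needs root, ipset and iptables)
apply_rules() {
    gen_rules "$1" | sh -e
}

# Usage: sh dns_acl.sh print   (review the commands)
#        sh dns_acl.sh apply   (load the set and rules; this is the line for /etc/rc.local)
case "${1:-}" in
    print) gen_rules "$IPFILE" ;;
    apply) apply_rules "$IPFILE" ;;
esac
```

Re-running "apply" only refreshes the set and the DNS_ACL chain, so a changed localip.txt can be reloaded without touching unrelated rules.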


Regards
Syed Jahanzaib

September 24, 2018

FREERADIUS WITH MIKROTIK – Part #20 – Enforcement of lowercase in username

Filed under: freeradius — Syed Jahanzaib / Pinochio~:) @ 9:43 AM


FREERADIUS WITH MIKROTIK – Part #1 – General Tips. Click here to read more FR tutorials …


Disclaimer! This is important!

Every network is different, so one solution cannot be applied to all. Therefore try to understand the logic and create your own solution as per your network scenario. Just don't copy-paste.

If anybody here thinks I am an expert on this stuff: I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However, I have worked with some core networks and I read, research and try stuff all of the time. So I am not speaking/posting about stuff I am formally trained in; I pretty much go with experience and what I have learned on my own. And if I don't know something, then I read and learn all about it.

So, please don't hold me/my postings to be always 100 percent correct. I make mistakes just like everybody else. However, I do my best, learn from my mistakes and always try to help others.

Regards
Syed Jahanzaib~


Scenario:

  • We have a generic FreeRADIUS Version 2.2.8 as a billing system in Ubuntu 16.04.3 LTS Server.
  • Freeradius is installed by apt-get default repository.
  • Mikrotik ver 6.43.x is being used as NAS.

Problem:

By default FreeRADIUS allows upper/lowercase in usernames, so if a user configures the username in mixed upper/lower case in his dialer/router, it will be logged the same way in the RADACCT table. This is not a problem by design, but since we are using some external bash scripts to perform various operations (like sending CoA for bandwidth change on the fly, disconnection etc.), and the scripts pick usernames from our user table, which has all lowercase, the NAS does not recognize them for users who have uppercase defined.

Task:

We would like to enforce that all usernames must be entered in lowercase at the user side; if not, the authentication is rejected to enforce our policy.

Solution:

Edit dialup.conf

nano /etc/freeradius/sql/mysql/dialup.conf

and search for the following. Comment out the lines below; these queries allow upper/lower case in user names …

# The default queries are case insensitive. (for compatibility with
# older versions of FreeRADIUS)
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = '%{SQL-User-Name}' \
ORDER BY id"

Now UN-COMMENT the following. The BINARY keyword makes MySQL compare the username byte by byte instead of through its case-insensitive default collation, so 'Bob' no longer matches 'bob' …

# Use these for case sensitive usernames.
authorize_check_query = "SELECT id, username, attribute, value, op \
FROM ${authcheck_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"
authorize_reply_query = "SELECT id, username, attribute, value, op \
FROM ${authreply_table} \
WHERE username = BINARY '%{SQL-User-Name}' \
ORDER BY id"

So after editing it would be something like …

[Image: case sensitive queries in dialup.conf]

Now restart the freeradius service once

service freeradius restart

After this, all user authentications with uppercase letters will be rejected by FreeRADIUS. Use it with caution!

This is all done by default in v3…
Alan DeKok.


 

September 7, 2018

COA with Radclient workaround for RM 4.1 with Mikrotik 6.4x

Filed under: freeradius, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:12 PM


Scenario:

  • Dmasoftlab Radius Manager 4.1 with multiple services. Some services have dynamic bandwidth scheduling for day and night. For example, some services have double-up mode for the day, some for the evening, and some for the night.
  • Mikrotik 6.42.7 server with hotspot or PPPoE authentication services for LAN users

Problem:

DMA Radius Manager 4.1's API functionality is broken for newer Mikrotik RouterOS versions. The 4.1 code relies on modifying dynamic queues, which worked on version 5.x (and on some 6.2x releases as well, e.g. v6.29). Any circumstances where that was doable were bugs that MikroTik has since fixed, and relying on bugs is generally a bad practice. This can be solved by using CoA instead of modifying dynamic queues, which is what I have used in this post.

It is highly recommended that you upgrade Radius Manager to the latest 4.2 version, which works well with new ROS.


Workaround for RM 4.1:

If for some reason you want to stick with the 4.1 version (for example because the 4.2 version has some strict licensing policies), still want to use the latest ROS series such as 6.42.7 (as of writing this post), and still want dynamic bandwidth changes on the fly for particular services, you can schedule the following script. It runs on an hourly basis and sends a bandwidth change request to Mikrotik according to the service time.



Limitations of the Script:

  • This is a lab testing version of the script. You must modify and tune it for production use. For example, the script is doing lots of SQL queries; you can minimize this by creating a single combined query to fetch all data from the tables, and then read the values in the next command from a local file, which will be much faster than querying MySQL each time.
  • The service must have a single time schedule, for example from 08:00:00 to 20:00:00. Multiple times for a single service are not supported.
  • The time window must fall within a single day; it cannot overlap into the next day.
  • The script will run as per the cron schedule, regardless of whether you have selected specific days or not.
  • In the lab I have configured it to run every hour. It will query the services and their associated users. If the start time matches (the current time is inside the service window), it sends a bandwidth change request to the NAS; if the end time has passed, it sends the user's original package values to the NAS. You can overcome the repeating issue by adding an additional column in the respective table and updating it every time the script runs, so that it can check whether the request has already been sent or not.
  • You should disable echoing of the outputs; it will save some resources.

The Scheduler!

Either use @hourly in CRONTAB or make a separate file under /etc/cron.d

Create a new file named bw in /etc/cron.d/ with the following contents

touch /etc/cron.d/bw
nano /etc/cron.d/bw

& add following line in it,

0 * * * * root /temp/bw.sh

Save & Exit …


the Script!

mkdir /temp
touch /temp/bw.sh
chmod +x /temp/bw.sh
nano /temp/bw.sh

& add following …

#!/bin/bash
# The following script is made specifically for Dmasoftlab Radius Manager 4.1.x with new Mikrotik 6.3x.x+ / 6.4x.x
# It will check the "rm_specperbw" table, and if it finds any service entry,
# it will query that service and make a list of users attached to this service,
# then it will query the next package and start/end time, and will perform actions accordingly
# Syed Jahanzaib
# Created: 6-SEP-2018
# Last Modified : 1-NOV-2018
# Tested on Ubuntu OS only
#set -x
PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin
#################
# CHANGE these
SQLID="root"
SQLPASS="MYSQL_ROOT_PASS"
NAS_COA_PORT="1700"
DB="radius"
SRV="mysql"
#################

# DATE TIME FUNCTIONS
currenttime=$(date +%H:%M:%S)
# Add script start execution entry in /var/log/syslog to see if the script got executed or not
logger "Bandwidth poller Last executed @ $currenttime by the CRON scheduler ... Powered by SYED.JAHANZAIB"
echo "- Script Start Time - $currenttime
"
# The password is passed through the environment so it does not show up in the process list
export MYSQL_PWD=$SQLPASS
CMD="mysql -u$SQLID --skip-column-names -s -e"
# Table which contains main users information
USER_TABLE="rm_users"
# Table which contains the service ids which will be scanned for users and packages
DYN_BW_TABLE="rm_specperbw"
# Table which contains the original (non-dynamic) service rates
USER_SERVICE_TABLE="rm_services"
# Temp files where services/users lists will be saved
TMP1="/tmp/bwsch_srv.txt"
TMP2="/tmp/bwsch_users.txt"
RADCLIENT="/usr/local/bin/radclient"
> "$TMP1"
> "$TMP2"

# Check if $SRV (in this case mysql) is running or not; if NOT, then exit the script
SRVSTATUS=$(pgrep -c "$SRV")
if [ "$SRVSTATUS" -lt 1 ]; then
echo "- $SRV service is down. Please check your $SRV service first.
- Exiting ..."
exit 1
else
echo "- INFO: $SRV service is accessible. Proceeding further ... OK"
fi

# Check if DB (in this case radius) is accessible or not; if NOT, then exit the script
RESULT=$($CMD "SHOW DATABASES LIKE '$DB'")
if [ "$RESULT" = "$DB" ]; then
echo "- INFO: $DB database exists. Proceeding further ... OK"
else
echo "- ERROR: $DB database does not exist! Sending EXIT signals ..."
exit 1
fi

# Look for services that have dynamic bandwidth change (sort -u removes duplicate entries caused by multiple time definitions in a single service)
$CMD "use $DB; select srvid from $DYN_BW_TABLE" | sort -u >> "$TMP1"
TOTSRV=$(wc -l < "$TMP1")
echo "- INFO: Total number of services with Dynamic bandwidth enabled = $TOTSRV / No.s ... OK"
if [ ! -s "$TMP1" ]; then
endtime=$(date +%H:%M:%S)
echo "- WARNING: No SERVICES found to check for bandwidth changing in $DYN_BW_TABLE
- Script Ends Here

- EXITING peacefully...
- Script End Time - $endtime
"
exit 1
fi

# If a required service is found then look for its users
while read -r srvid; do
SRVID=$(echo "$srvid" | awk '{print $1}')
$CMD "use $DB; select username from $USER_TABLE where srvid ='$SRVID';" >> "$TMP2"
done < "$TMP1"
TOTUSR=$(wc -l < "$TMP2")
echo "- INFO: Total number of users with Dynamic bandwidth enabled = $TOTUSR / No.s ..."

if [ ! -s "$TMP2" ]; then
endtime=$(date +%H:%M:%S)
echo "- WARNING: No User found for bandwidth upgrade in DMA RADIUS MANAGER TABLE '$DYN_BW_TABLE' , Sending EXIT signals ...

- Script Ends Here...
- EXITING peacefully...
- Script End Time - $endtime
"
exit 1
fi

# Run the loop for single or multiple usernames
echo "- INFO: Checking for Dynamic Bandwidth Policies and implementing change on the fly for online users , if any ...

"
while read -r users; do
USERNAME=$(echo "$users" | awk '{print $1}')
SRVID=$($CMD "use $DB; select srvid from $USER_TABLE where username ='$USERNAME';")
DN_ST=$($CMD "use $DB; select starttime from $DYN_BW_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
DN_ET=$($CMD "use $DB; select endtime from $DYN_BW_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
# Live session of this user (empty when the user is offline); needed by both sections below
ACCTSESID=$($CMD "use $DB; select acctsessionid from radacct where username ='$USERNAME' AND acctstoptime is NULL;")

#######################
##### UP-GRADE SECTION
#######################
# Plain string comparison is enough here because HH:MM:SS is fixed width (the window must not cross midnight)
if [[ "$currenttime" > "$DN_ST" ]] && [[ "$currenttime" < "$DN_ET" ]]; then
# Time matches: take the upgrade action if the user is online
if [ -n "$ACCTSESID" ]; then
NAS_IP=$($CMD "use $DB; select nasipaddress from radacct where username ='$USERNAME' AND acctstoptime is NULL;")
NAS_SECRET=$($CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;")
USER_IP=$($CMD "use $DB; select framedipaddress from radacct where username ='$USERNAME' AND acctstoptime is NULL;")
dlrate_c=$($CMD "use $DB; select dlrate from $DYN_BW_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
ulrate_c=$($CMD "use $DB; select ulrate from $DYN_BW_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
# Convert the stored rates to Mikrotik's "k" notation, upload/download
ulrate="$(( ulrate_c / 1024 ))k"
dlrate="$(( dlrate_c / 1024 ))k"
DN_BWPKG="$ulrate/$dlrate"
echo "- UPGRADE ***** - $USERNAME / $USER_IP / $ACCTSESID is online, and eligible for package UPGRADE to new package $DN_BWPKG @ $currenttime ..."
# for pppoe, enable following line
echo "User-Name=$USERNAME,Acct-Session-Id=$ACCTSESID,Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\"" | $RADCLIENT -q -x "$NAS_IP:$NAS_COA_PORT" coa "$NAS_SECRET"
# for hotspot, enable following line instead
#echo "Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\"" | $RADCLIENT -q -x "$NAS_IP:$NAS_COA_PORT" coa "$NAS_SECRET"
else
# User is not online: nothing to send
echo "- INFO: UPGRADE ***** - $USERNAME is eligible for package UPGRADE @ $currenttime BUT NOT ONLINE , no need to take action ..."
fi
else
#######################
##### DOWNGRADE SECTION
#######################
# Outside the window: put the user back on the original package values if online - zaib
if [ -n "$ACCTSESID" ]; then
NAS_IP=$($CMD "use $DB; select nasipaddress from radacct where username ='$USERNAME' AND acctstoptime is NULL;")
NAS_SECRET=$($CMD "use $DB; select secret from nas where nasname = '$NAS_IP' ;")
USER_IP=$($CMD "use $DB; select framedipaddress from radacct where username ='$USERNAME' AND acctstoptime is NULL;")
dlrate_c=$($CMD "use $DB; select downrate from $USER_SERVICE_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
ulrate_c=$($CMD "use $DB; select uprate from $USER_SERVICE_TABLE where srvid ='$SRVID';" | awk 'FNR == 1')
ulrate="$(( ulrate_c / 1024 ))k"
dlrate="$(( dlrate_c / 1024 ))k"
DN_BWPKG="$ulrate/$dlrate"
echo "- INFO: DOWNGRADE ***** - $USERNAME / $USER_IP / $ACCTSESID is online, and eligible for package DOWNGRADE to old package $DN_BWPKG @ $currenttime ..."
# for pppoe, enable following line
echo "User-Name=$USERNAME,Acct-Session-Id=$ACCTSESID,Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\"" | $RADCLIENT -q -x "$NAS_IP:$NAS_COA_PORT" coa "$NAS_SECRET"
# for hotspot, enable following line instead
#echo "Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$DN_BWPKG\"" | $RADCLIENT -q -x "$NAS_IP:$NAS_COA_PORT" coa "$NAS_SECRET"
else
# User is not online: nothing to send
echo "- INFO: DOWNGRADE ***** - $USERNAME is eligible for package DOWNGRADE to OLD package @ $currenttime BUT NOT ONLINE , no need to take action ..."
fi
fi
done < "$TMP2"
endtime=$(date +%H:%M:%S)
echo "
- Script Ends Here
- EXITING peacefully ...
- Script End Time - $endtime
"
# Add script end execution entry in /var/log/syslog to see if the script got ended
currenttime=$(date +%H:%M:%S)
logger "Bandwidth poller script ended @ $currenttime ... Powered by SYED.JAHANZAIB"
# Script for dma 4.1.x COA for new Mikrotik 6.3+ - Designed by Syed Jahanzaib
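Two of the limitations listed above (the window cannot cross midnight, and the same CoA is re-sent on every hourly run) can be handled with a few helpers. As an added example that is not part of the author's bw.sh, these POSIX sh functions treat an end time earlier than the start time as a window that wraps past midnight, and keep one state file per user so radclient is invoked only when the desired state changes. STATE_DIR, the function names and the argument order of process_user are assumptions.

```sh
#!/bin/sh
# Added example, not part of the original bw.sh: overnight-safe window check plus a
# per-user state file so the CoA is sent once per transition instead of every hour.
# STATE_DIR and the function names are assumptions.
STATE_DIR="${STATE_DIR:-/tmp/bwsch_state}"

# to_secs HH:MM:SS -> seconds since midnight. Two-digit fields are assumed; the leading
# zero is dropped so "08" is not treated as an (invalid) octal number by the shell.
to_secs() {
    h=${1%%:*}; rest=${1#*:}; m=${rest%%:*}; s=${rest#*:}
    h=${h#0}; m=${m#0}; s=${s#0}
    echo $(( $h * 3600 + $m * 60 + $s ))
}

# in_window START END NOW -> exit 0 if NOW lies in [START, END), else 1.
# END earlier than START means the window wraps past midnight (e.g. 22:00:00 to 06:00:00).
in_window() {
    st=$(to_secs "$1"); en=$(to_secs "$2"); now=$(to_secs "$3")
    if [ "$st" -le "$en" ]; then
        [ "$now" -ge "$st" ] && [ "$now" -lt "$en" ]
    else
        [ "$now" -ge "$st" ] || [ "$now" -lt "$en" ]
    fi
}

# desired_state START END NOW -> "up" inside the window (dynamic rate), "down" outside it (original package)
desired_state() {
    if in_window "$1" "$2" "$3"; then echo up; else echo down; fi
}

# should_send USER STATE -> 0 if STATE differs from what was last sent for USER (and records it),
# 1 if this CoA already went out. This replaces the "extra column in the table" idea.
should_send() {
    f="$STATE_DIR/$1"
    mkdir -p "$STATE_DIR"
    if [ -f "$f" ] && [ "$(cat "$f")" = "$2" ]; then
        return 1
    fi
    printf '%s\n' "$2" > "$f"
    return 0
}

# process_user USER START END NOW RATE_UP RATE_DOWN
# Expects NAS_IP, NAS_SECRET, ACCTSESID, USER_IP and NAS_COA_PORT to be set, exactly as the
# loop in the script above sets them. Sends the CoA only when the desired state has changed.
process_user() {
    want=$(desired_state "$2" "$3" "$4")
    if [ "$want" = up ]; then rate=$5; else rate=$6; fi
    if should_send "$1" "$want"; then
        echo "- $want: $1 -> $rate @ $4"
        echo "User-Name=$1,Acct-Session-Id=$ACCTSESID,Framed-IP-Address=$USER_IP,Mikrotik-Rate-Limit=\"$rate\"" \
            | radclient -q -x "$NAS_IP:$NAS_COA_PORT" coa "$NAS_SECRET"
    fi
}
```

Delete a user's file under STATE_DIR (or the whole directory) to force the next run to resend, for example after the NAS has been rebooted.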

Results:

[Image: radius bandwidth poller result]

 

Regards
Syed Jahanzaib

August 29, 2018

SystemState Backup failing under Windows Server 2016

Filed under: Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 9:55 AM

We recently migrated our domain controller to the Windows Server 2016 edition. The DC is virtualized under VMware ESXi 6.5 with VMware Tools version 10.1.x. I have scheduled a system state backup using the wbadmin command line tool. Example:

wbadmin start systemstatebackup -backuptarget:d: -quiet

After migration to 2016, I observed following error …

Error in backup of C:\windows\\systemroot\ during enumerate: Error [0x8007007b] The filename, directory name, or volume label syntax is incorrect.

After some searching, we found that this error is related to VMware Tools version 10.1.x, which sets an incorrect path for some driver location.

To find exactly which file is causing it, use the following

  • Open a command prompt [Run as Administrator], type the command below and press ENTER.
DiskShadow /L writers.txt
  • The prompt will change to DISKSHADOW>
  • Now type
list writers detailed

and press ENTER

  • After a while, this will list all of the writers and affected volumes. After completion, type EXIT.

Open the writers.txt file in Notepad or any text editor, then search for the text windows\\ ; it should find the following:

File List: Path = c:\windows\\systemroot\system32\drivers, Filespec = vsock.sys

So the culprit was VSOCK.SYS. To sort this we need to correct the path in the Windows registry.

  • Run REGEDIT , then navigate to

HKLM\SYSTEM\CurrentControlSet\Services\vsock

  • Then change the ImagePath value string data from the incorrect
\systemroot\system32\DRIVERS\vsock.sys

to

System32\DRIVERS\vsock.sys

As shown in the images below …

BEFORE …

[Image: ImagePath value before the change]

AFTER …

[Image: ImagePath value after the change]

  • No need to reboot or log off. Simply run the backup again and this time you should see a SUCCESSFUL report.

[Image: successful backup after registry modification]


 

Regards
Syed Jahanzaib

August 27, 2018

WSUS 2016 – Short Notes

Filed under: Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 10:58 AM


Recently we upgraded our infrastructure from Windows 2003/2008 to 2016 servers. We had 2 DCs on 2003/2008 and migrated them to 2016; afterwards, when we added WSUS, it had many issues and it took almost 8-10 days to sort everything out. The reason it took so much time is that I tried my best NOT to reinstall the Windows server again, because this server was activated with a valid license and we had a limited license count on the MS portal. Fixing a messed-up Windows is a far more time-consuming process, but you do learn a lot of new things while fixing the old one, even if it cannot be sorted out in the end.

I am adding a few of the most annoying issues and the methods to sort them out in this post. I will keep posting more.


1# Remove WSUS completely from 2016 Server

Sometimes when all sorts of troubleshooting fail to restore WSUS, it is better to install a fresh Windows and add WSUS again. But in my case, this server was also hosting WDS and I really didn't want to reinstall the server OS (also to avoid incrementing the license count on the Microsoft portal, as we have limited licenses).

Following are the steps to remove WSUS completely:

  1. Remove the WSUS / IIS / Windows Internal Database (WID) roles. (If you don't remove the WID role and its files before a reinstall, it will re-attach to the same database.)
  2. Reboot the server.
  3. Now remove the following folders:
    C:\WSUS (or wherever the WSUSContent folder resides)
    C:\inetpub folder
    C:\Program Files\Update Services
    C:\Windows\WID
    C:\windows\system32\inetsrv  [or rename this folder]
  4. Restart the server.
  5. Re-add the WSUS and WID roles (the IIS role will be added automatically).
  6. Let it install, and then restart the server again.
  7. Launch the WSUS console.

 


2# Post install Fatal Error: WsusPool does not exist

Check IIS > Application Pools for a WsusPool entry. If it is not there, add it manually as shown in the image below …

[Image: WsusPool missing from IIS application pools]

Then run the post-installation step again.


3# MMC console crashing

In one particular situation, when I added the WSUS role again, I was getting the following error whenever I tried to open the WSUS console …

[Image: WSUS console crashing]

Since it was not a real production server, I removed WSUS (following all the steps shown in point #1 of this guide), then executed

sfc /scannow

and rebooted afterwards, and the WSUS MMC worked well 🙂


4# Identify & approve required updates only

For a good overview, read the following

https://www.tecknowledgebase.com/43/how-to-identify-and-decline-superseded-updates-in-wsus/

August 20, 2018

Windows Server 2016 – Reference Notes

Filed under: Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 11:27 AM



1- Start Button Doesn't Work!

When you click on the Start button, it doesn't pop up.

  • Press Windows+R, and type
ms-settings:personalization-start

Uncheck the following two options,

  1. Show more tiles
  2. Use Start full screen

 

[Image: Windows 2016 Start personalization settings]

That’s it !


2- Show icons on Desktop

Right-click on the Desktop

Select Personalize

Select Themes

In the right window, click on Desktop Icon Settings

[Image: allow desktop icons on desktop]

If you receive the following error

[Image: error on desktop icon setting]

then you have to enable the following setting in the domain controller's default group policy; reboot the client for the change to take effect immediately, or run gpupdate /force

[Image: policy for rundll32 execution error]


 
