Monday, March 19, 2012

Windows DNS zone transfers not working (non-AD)

My scenario is this: NS1 (primary zones) is in Colo #1 in Portland, NS2 (secondary zones) is in Colo #2 in Colorado.  I host a variety of zone files, some big, some small, for different groups, all internet facing; none of them are AD-integrated zones.  I had to re-IP NS2 due to an ISP acquisition.  After changing the IPs and updating the records, 2/3 of the domains worked great, but 1/3 were logging Windows Server 2003 Event ID 6523: "Zone failed zone refresh check.  Unable to connect to master DNS server at x.x.x.x to receive zone transfer.  Check that the zone contains correct IP address for the master server or if network failure has occurred."

For the most part the zone files that were working were small and the ones that were not were larger, though that wasn't always true.  From NS2's console, an nslookup against NS1 followed by an ls of the zone (which requests a full zone transfer) also wasn't working as expected.

I noticed in the logs for traffic outbound from NS2 that UDP DNS requests were getting through but TCP DNS requests were failing.  That fits the symptom: the periodic refresh check is a plain SOA query over UDP port 53, but the zone transfer itself (AXFR/IXFR, and nslookup's ls) runs over TCP port 53, so a rule that only permits UDP lets the secondary ask whether the zone changed yet never fetch it.  I had the firewall in front of NS1 opened to both TCP and UDP port 53, and now everything is syncing just fine.  Allowing TCP 53 to an internet-facing authoritative server is normal (large responses fall back to TCP anyway), but keep each zone's Zone Transfers tab set to allow transfers only to the listed name servers or to NS2's new address, so the full zone contents are not available to anyone else who can reach the port.
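As an added example (not from the original post, and not Windows DNS's own code), here is a small Python 3 probe that repeats the three things a secondary does against its master: a SOA query over UDP 53, the same query over TCP 53, and an AXFR over TCP 53.  It uses only the standard library.  The server address and zone you pass to probe_master are assumed placeholders, and constructed_response fabricates sample replies (not real captures) so the framing and parsing can be exercised offline.  Run from NS2 against NS1 with only UDP 53 permitted, it would show the udp_soa step answering and both TCP steps failing to connect.

```python
# Added example, not code from the original post: probe a DNS master the way a
# Windows secondary does. Stdlib only; server and zone names are placeholders.
import io
import socket
import struct

SOA, AXFR = 6, 252   # QTYPEs: the refresh check asks for SOA, the transfer for AXFR

def build_query(zone, qtype, qid=0x1234):
    """12-byte header (RD set, QDCOUNT=1) + QNAME + QTYPE + QCLASS IN."""
    header = struct.pack(">HHHHHH", qid, 0x0100, 1, 0, 0, 0)
    labels = [lab.encode("ascii") for lab in zone.rstrip(".").split(".") if lab]
    qname = b"".join(bytes([len(lab)]) + lab for lab in labels) + b"\x00"
    return header + qname + struct.pack(">HH", qtype, 1)

def tcp_frame(msg):
    """TCP/53 prefixes each message with its 2-byte length (RFC 1035 4.2.2)."""
    return struct.pack(">H", len(msg)) + msg

def skip_name(msg, off):
    """Return the offset just past a domain name, honouring compression pointers."""
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:   # a 2-byte pointer ends the name
            return off + 2
        if length == 0:
            return off + 1
        off += 1 + length

def parse_response(msg):
    """Header fields plus the RR types in the answer section (RDATA is skipped)."""
    qid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4          # skip QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _cls, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"id": qid, "qr": bool(flags & 0x8000), "tc": bool(flags & 0x0200),
            "rcode": flags & 0xF, "ancount": an, "answer_types": types}

def read_messages(stream, qtype):
    """Read framed messages from a TCP/53 stream (socket file object or bytes).
    A plain query yields one; an AXFR may span several and is complete once the
    zone's SOA has been seen twice, since it opens and closes the transfer."""
    if isinstance(stream, (bytes, bytearray)):
        stream = io.BytesIO(stream)
    messages, soa_seen = [], 0
    while True:
        hdr = stream.read(2)
        if len(hdr) < 2:
            break
        (length,) = struct.unpack(">H", hdr)
        body = stream.read(length)
        if len(body) != length:             # peer closed mid-message
            break
        resp = parse_response(body)
        messages.append(resp)
        soa_seen += resp["answer_types"].count(SOA)
        if qtype != AXFR or resp["rcode"] != 0 or soa_seen >= 2:
            break
    return messages

def udp_query(server, zone, qtype, timeout=3.0):
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_query(zone, qtype), (server, 53))
        data, _ = s.recvfrom(4096)
    return parse_response(data)

def tcp_query(server, zone, qtype, timeout=3.0):
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(tcp_frame(build_query(zone, qtype)))
        return read_messages(s.makefile("rb"), qtype)

def probe_master(server, zone):
    """Try the three steps a secondary needs; UDP ok with both TCP steps failing
    is the firewall symptom described in the post."""
    steps = {"udp_soa": lambda: [udp_query(server, zone, SOA)],
             "tcp_soa": lambda: tcp_query(server, zone, SOA),
             "tcp_axfr": lambda: tcp_query(server, zone, AXFR)}
    results = {}
    for name, step in steps.items():
        try:
            msgs = step()
            rcode = msgs[-1]["rcode"] if msgs else "none"
            results[name] = "rcode=%s, %d RRs" % (rcode, sum(m["ancount"] for m in msgs))
        except OSError as exc:              # timeout, refused, unreachable
            results[name] = "FAIL: %s" % exc
    return results

def constructed_response(qtype, answer_types, qid=0x1234):
    """Constructed sample reply (not a real capture) for offline testing: each
    answer RR points back at the question name and carries 4 placeholder bytes."""
    header = struct.pack(">HHHHHH", qid, 0x8180, 1, len(answer_types), 0, 0)
    rrs = b"".join(struct.pack(">HHHIH", 0xC00C, t, 1, 3600, 4) + b"\xc0\x00\x02\x01"
                   for t in answer_types)
    return header + build_query("example.com", qtype, qid)[12:] + rrs
```

probe_master("NS1-address", "example.com") returns a dict keyed udp_soa, tcp_soa and tcp_axfr.  A FAIL on both TCP keys with udp_soa answering is the blocked-TCP case from this post.  rcode=5 (REFUSED) on tcp_axfr with rcode=0 on tcp_soa means TCP 53 is open but the master's zone-transfer list does not include the probing host, which is exactly the state you want from every address except your own secondaries.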

HINT: I also learned that a test record in a DNS zone with the IP of makes Windows DNS treat the zone file as invalid, so don't use that as a lazy address for testing.

How to make vCloud keytool self-signed certificates that last more than the default 120 days

For my testing lab I get tired of replacing the self-signed SSL certificate every 4 months; the commands below make it last 9999 days, about 27 years.  They assume you installed Java JRE 1.6.0_29, so adjust the path to fit your environment.  Caveats: using a self-signed cert is bad for security, using the same cert for both http and consoleproxy as I'm doing below is also bad for security, and using a password of "password" isn't something I do even in my lab.  Two more things to know: keytool in this Java release defaults to 1024-bit RSA keys, so pass -keysize 2048, and -genkey prompts interactively for the certificate's distinguished name and a key password.

Step 1: Create New Certs

/usr/java/jre1.6.0_29/bin/keytool -keystore /opt/vmware/certificates.ks -storetype JCEKS -storepass password -validity 9999 -keysize 2048 -genkey -keyalg RSA -alias http

/usr/java/jre1.6.0_29/bin/keytool -keystore /opt/vmware/certificates.ks -storetype JCEKS -storepass password -validity 9999 -keysize 2048 -genkey -keyalg RSA -alias consoleproxy

Step 2: Stop vCloud Service

service vmware-vcd stop

Step 3: Go through the configure wizard to replace the certificates


Step 4: The service restarts at the end of the configure command, so there really is no step 4 other than to bring up your vCloud web page and examine the certificate to confirm the new, longer validity period.

Friday, March 16, 2012

Setting up MRTG for bits instead of bytes

I always have to look this up, so I'm blogging the cfgmaker command I like to use on Windows.

perl cfgmaker community@ --global "WorkDir: c:\MRTG\MRTGDATA" --global "options[_]: growright,bits" --output FW1.cfg

Initially only the daily graph (the last 24 hours) will show bits, but as data accumulates the other graphs convert from bytes to bits.

If you use a Scheduled Task:

Run:    C:\Perl64\bin\perl.exe mrtg FW1.cfg

Start in:   C:\MRTG\mrtg-2.xx.x\bin

Advanced settings: repeat the task every 5 minutes for a duration of 23 hours and 55 minutes.

If you already have MRTG set up and working and you want to move from bytes to bits, you can always just modify your .cfg file and remove the comment mark from the second line.

#  to get bits instead of bytes and graphs growing to the right
# Options[_]: growright, bits

So it should look like

#  to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits

Thursday, March 8, 2012

Quick and Dirty Junos for dummies I learned today while configuring my SRX240

1) If your device doesn't have the commands you expect, upgrade Junos.

2) If you log in as root over the serial port, you land in the underlying FreeBSD shell; type "cli" to get into the Junos CLI.

3) To reboot, type "request system reboot".

4) Transparent mode on Junos is painful.  You need to configure a management IP on an irb interface and a "bridge-domains" stanza to make it all work.

5) When in configure mode, prefix operational commands with "run" (for example "run ping") to execute them without leaving configuration mode.

6) Type "show | display set" if you want the configuration displayed as set commands you can paste back into the CLI.

7) When in configure mode, type "show" to show the config, or "show interfaces" to display only that section.