Active Directory Certificate Services - OCSP responder web proxy cache entries sync between nodes - active-directory

I use Windows 2012 ADCS and I have a cluster of OCSP responders with 2 nodes.
The OCSP cluster shares a single revocation configuration.
I have read in the documentation that the revocation configuration is synchronized between members of an Array, but I cannot find in the documentation or on Google whether entries in the web proxy cache are also synchronized between members.
Is that the case?

I have performed a test and found a way to obtain a different validity status for a certificate in each web proxy cache of the two OCSP nodes (OCSP node 1 = "valid", OCSP node 2 = "revoked").
I also waited around 2 hours to check whether any sync occurs, and the result was the same after this delay.
Conclusion of my test on the Windows 2012 Active Directory Certificate Services OCSP module:
Revocation configuration is shared and synchronized.
Web proxy cache entries are not shared.
Web proxy cache entries are not synchronized.

Related

Multi-Site Active Directory Sync

I have created 4 Active Directory Domain Controllers in two different locations: one location is Delhi and the other is Mumbai.
Delhi has 2 domain controllers, Primary (DDC01) and Secondary (DDC02).
Mumbai has 2 domain controllers, Primary (MDC01) and Secondary (MDC02).
Both have different networks, and I can RDP to both Domain Controllers from different locations.
Now I want to connect all 4 Domain Controllers so they can replicate the data and policies.
I saw this can be done through Active Directory Sites and Services.
I added the subnets of both sites in the Mumbai DC, i.e. MDC01.
I created sites such as Mumbai-HO and Delhi-BO in MDC01, and they got replicated to MDC02.
I can see MDC01 and MDC02, but I cannot see either DDC01 or DDC02 showing there.
Am I missing something?
Just FYI: DDC01 and DDC02 have different gateways for some reason.
• Please check that the Active Directory site replication ports are open for communication between the Mumbai and Delhi sites by using telnet from a command prompt on each of the ports. Inbound as well as outbound communication on these ports between the two sites should be successful. Please find the list of ports below:
UDP Port 88 for Kerberos authentication
UDP and TCP Port 135 for domain controller-to-domain controller and client-to-domain controller operations.
TCP Port 139 and UDP 138 for File Replication Service between domain controllers.
UDP Port 389 for LDAP to handle normal queries from client computers to the domain controllers.
TCP and UDP Port 445 for File Replication Service
TCP and UDP Port 464 for Kerberos Password Change
TCP Port 3268 and 3269 for Global Catalog from client to domain controller.
TCP and UDP Port 53 for DNS from client to domain controller and domain controller to domain controller.
• Check the replication status of the AD sites through the repadmin utility by running one of the commands below on the replicating DCs in PowerShell:
repadmin /syncall /force
repadmin /syncall /APeD
repadmin /replsum
If the message returned in PowerShell states 'Syncall terminated with no errors', then everything is fine and you need not worry about the replication status between sites. You can also check the replication topology status in AD Sites and subnets, where all the sites are listed whether created automatically or manually, as below:
This will give out the replication status and issues relating to AD site replication. For more detailed information on the replication issues, execute the command below and check for replication issues at site level. This will give out the site-wise information in CSV format:
repadmin /showrepl * /csv > showrepl.csv
• Also, please check whether the Delhi site is automatically created by the KCC or not; if not, wait for at least 24 hours after the above steps report a successful replication status. Then check the 'Cost' parameter of the replication link in the site details workspace by clicking on it. It defines the priority level of the network connection between the two sites. Please find the snapshot below to know the actual cost of your network connection and set it accordingly:
For more information on AD site replication issues, please refer to the links below:
https://learn.microsoft.com/en-GB/troubleshoot/windows-server/identity/common-active-directory-replication-errors
https://learn.microsoft.com/en-us/troubleshoot/windows-server/identity/diagnose-replication-failures
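The checks in this answer, as an added PowerShell example that is not part of the original answer: it probes the TCP side of the ports listed above against the DCs of the other site and then summarises the output of `repadmin /showrepl * /csv`. The DC names are taken from the question, the CSV column names are the headers repadmin writes, and everything else (name resolution, running it on a DC with repadmin installed) is an assumption about your environment.

```powershell
# Added example, not from the original answer. Run it on a DC in one site
# (for instance MDC01) against the DCs of the other site, then swap sides.
# Requires Test-NetConnection (Server 2012 and later) and repadmin.

# Ports from the answer. Test-NetConnection performs a TCP connect only, so the
# UDP side of 53/88/135/138/389/445/464 is not covered by this probe.
$TcpPorts = 53, 88, 135, 139, 389, 445, 464, 3268, 3269

# DC names from the question; assumption: they resolve via DNS from this host.
$RemoteSiteDCs = 'DDC01', 'DDC02'

function Test-ReplicationPorts {
    # Returns one object per (DC, port) pair with a TcpOpen flag.
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [Parameter(Mandatory)] [int[]]    $Port
    )
    foreach ($dc in $ComputerName) {
        foreach ($p in $Port) {
            # -InformationLevel Quiet yields a bare $true/$false
            $open = Test-NetConnection -ComputerName $dc -Port $p `
                        -InformationLevel Quiet -WarningAction SilentlyContinue
            [pscustomobject]@{ ComputerName = $dc; Port = $p; TcpOpen = [bool]$open }
        }
    }
}

function Get-ReplicationFailures {
    # Parses the CSV form of 'repadmin /showrepl * /csv' (the command used in
    # the answer) and returns only the partner links with recorded failures.
    # Column names are the headers repadmin emits, e.g. 'Number of Failures'.
    param([string[]] $CsvLines = (repadmin /showrepl * /csv))
    $CsvLines | ConvertFrom-Csv |
        Where-Object { [int]$_.'Number of Failures' -gt 0 } |
        Select-Object 'Destination DSA Site', 'Destination DSA', 'Naming Context',
                      'Source DSA Site', 'Source DSA', 'Number of Failures',
                      'Last Failure Time', 'Last Failure Status'
}

# 1. TCP reachability of the replication ports on the other site's DCs
$ports = Test-ReplicationPorts -ComputerName $RemoteSiteDCs -Port $TcpPorts
$ports | Where-Object { -not $_.TcpOpen } | Format-Table -AutoSize   # blocked ports, if any

# 2. Force a sync (as in the answer) and report what still fails afterwards
repadmin /syncall /APeD | Out-Null
$failures = Get-ReplicationFailures
if (-not $failures) { 'No replication failures recorded by repadmin.' }
else { $failures | Format-Table -AutoSize }
```

A port that shows TcpOpen = $false from one side only usually points at an asymmetric firewall rule or the differing gateways mentioned in the question; a link that repadmin reports with failures but open ports is a topology or DNS problem rather than a network one.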

Google Kubernetes Engine Service Unable To Connect To Snowflake

I deployed a service to GKE on Google Cloud Platform, but unfortunately, Snowflake is blocking the IP Address. I think Snowflake only enables connections to IP Addresses that have been whitelisted, so I tried creating a cluster in the appropriate Network. But when I expose the service, I still run into the error.
I have also created an App Engine instance in the appropriate network, and it still doesn't let me connect to Snowflake.
Error Message:
DatabaseError: (snowflake.connector.errors.DatabaseError) 250001 (08001): None: Failed to connect to DB: IP [XXXXXXX] is not allowed to access Snowflake. Contact your local security administrator.\n(Background on this error at: http://sqlalche.me/e/4xp6)\nINFO:snowflake.connector.connection:closed\nINFO:snowflake.connector.connection:closed\n
Your Snowflake account only accepts requests from whitelisted IPs, which means you need to have a specific IP, or a set of specific IPs, that are calling Snowflake.
By default, GKE will not do this.
When a request from one of your pods tries to reach outside the cluster to contact Snowflake, the pod IP is SNATed to the node's IP address. Both nodes and node IPs are dynamic and stateless, so you can't make sure specific IPs are used.
Instead, consider using Cloud NAT with GKE. This ensures that all requests from your GKE cluster use the same IP address. You can then just whitelist the Cloud NAT IP in Snowflake.

Making sense of Windows sql availability groups, failover cluster, and load balancer

I am having issues with creating a failover cluster with an availability group.
I've made a Windows failover cluster and a SQL availability group. I also have an Azure load balancer with an IP address and a DNS name.
I am trying to follow this guide here.
I get to "Configure the Listener", "Add Client Access Point", and things fail from there.
Is the name here supposed to be the DNS name of the load balancer? Same for the IP? Or is it supposed to be another object in Active Directory?
Steps 5 and 6 seem to conflict. Is the dependency supposed to be a resource or an IP?
If anyone has any advice, I would be appreciative.
I have been using the above guide, trying to get things to work in the GUI before changing this over to PowerShell code.
I suspect either there is something I am missing, or this is all the same IP address and DNS name used.

SSIS Azure BLOB / DW Upload task error

When trying to load a text file using the Azure SQL DW Upload Task in SSIS, I get the following error:
Error: 0x0 at Azure SQL DW Upload Task, Azure SQL DW Upload Task:
Failed to upload to blob storage. Unable to create Azure Blob
container. Endpoint: https://[removed].blob.core.windows.net/,
Container Name: [myContainer]. The remote server returned an error: (403)
Forbidden. The remote server returned an error: (403) Forbidden
The SSIS task is failing. I also tried the BLOB upload task and that fails. Any help is appreciated.
Cause
When a client accesses a storage account using a TLS version that does not meet the minimum TLS version configured for the account (you have configured the minimum TLS version as TLS 1.2), Azure Storage returns error code 400 (Bad Request) and a message indicating that the TLS version that was used is not permitted for making requests against this storage account.
Resolution
The TLS version used by the Azure Feature Pack follows the system .NET Framework settings. To use TLS 1.2, add a REG_DWORD value named SchUseStrongCrypto with data 1 under the following two registry keys (depending on the .NET Framework version you are using in Visual Studio; you can find that in the Help menu of VS):
HKEY_LOCAL_MACHINE\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\.NETFramework\v4.0.30319
More information
To test that the minimum required TLS version for a storage account forbids calls made with an older version, you can configure a client to use an older version of TLS. For more information about configuring a client to use a specific version of TLS, see Configure Transport Layer Security (TLS) for a client application in this link.
When you enforce a minimum TLS version for your storage account (your storage account configuration sets the minimum TLS version to TLS 1.2), you risk rejecting requests from clients that are sending data with an older version of TLS.
Reference documentation
https://learn.microsoft.com/en-us/sql/integration-services/azure-feature-pack-for-integration-services-ssis?view=sql-server-ver15#use-tls-12
https://learn.microsoft.com/en-us/azure/storage/common/transport-layer-security-configure-minimum-version?tabs=portal#test-the-minimum-tls-version-from-a-client
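The registry change from the Resolution section, as an added PowerShell example that is not part of the original answer. It writes the REG_DWORD SchUseStrongCrypto = 1 under both .NET Framework keys named above and reads the values back so a failed write is visible; an elevated session is assumed, and the function and variable names are mine.

```powershell
# Added example, not from the original answer. Run from an elevated PowerShell
# session. Both keys are the ones named in the answer: the 64-bit view and the
# WOW6432Node view used by 32-bit processes (Visual Studio before 2022, SSDT).
$DotNetKeys = @(
    'HKLM:\SOFTWARE\Microsoft\.NETFramework\v4.0.30319',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\.NETFramework\v4.0.30319'
)

function Get-DotNetStrongCrypto {
    # Read-only check: reports whether each key already opts in to strong crypto.
    param([string[]] $Keys = $DotNetKeys)
    foreach ($key in $Keys) {
        $val = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
                    -ErrorAction SilentlyContinue).SchUseStrongCrypto
        [pscustomobject]@{ Key = $key; SchUseStrongCrypto = $val; Enabled = ($val -eq 1) }
    }
}

function Set-DotNetStrongCrypto {
    # Creates or overwrites SchUseStrongCrypto = 1 (REG_DWORD) under each key and
    # returns the value read back from the registry, not the value we intended.
    param([string[]] $Keys = $DotNetKeys)
    foreach ($key in $Keys) {
        if (-not (Test-Path $key)) {
            # The WOW6432Node key is absent on a host without 32-bit .NET; create it.
            New-Item -Path $key -Force | Out-Null
        }
        New-ItemProperty -Path $key -Name 'SchUseStrongCrypto' `
            -PropertyType DWord -Value 1 -Force | Out-Null
        [pscustomobject]@{
            Key                = $key
            SchUseStrongCrypto = (Get-ItemProperty -Path $key -Name 'SchUseStrongCrypto').SchUseStrongCrypto
        }
    }
}

Get-DotNetStrongCrypto | Format-Table -AutoSize    # state before the change
Set-DotNetStrongCrypto | Format-Table -AutoSize    # apply and read back

# .NET reads this setting at process start, so restart Visual Studio / the SSIS
# runtime before re-running the Azure SQL DW Upload Task.
```

Running Get-DotNetStrongCrypto first keeps a record of the previous state, which is useful when the same machine hosts other .NET applications whose TLS behaviour you are about to change.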
For anyone who doesn't want to beat their head against the wall, here was the issue / solution:
I had "PackageProtectionLevel" set to "DoNotSaveSensitive", so I used Package Parameters to configure Password / SecurityToken and then set those as the task values with an expression. SSIS should have thrown a better error, but at least it's solved.
Kindly elaborate. I tried changing "PackageProtectionLevel", but no luck.

Apache mod_proxy_balancer dynamically stop forwarding requests to time-outing member

Apache mod_proxy_balancer
I'm trying to configure Apache mod_proxy_balancer to act as an HTTP VIP in front of 2 IIS servers.
This is how the VIP is configured:
<Proxy balancer://appcluster>
BalancerMember http://IP-IIS1:80 route=iis1 max=160 timeout=60
BalancerMember http://IP-IIS2:80 route=iis2 max=160 timeout=60
ProxySet stickysession=SERVERID
Order Allow,Deny
Allow from all
Deny from XXX.XXX.XXX.XXX
Deny from XXX.XXX.XXX.XXX
</Proxy>
Sometimes I have a scheduled task that executes on one of the IIS servers. It could be either of them; since I can't bind it to one of the servers it can start on any IIS, and here comes the problem:
When the task is executed it causes one of the servers to be very slow at serving incoming requests, so it takes a very long time to serve the requests forwarded to it by Apache, more than the 60 sec timeout configured in Apache.
Is there any way to make mod_proxy_balancer recognize such a condition and stop forwarding requests to the slow server, e.g. dynamically take it out of the balancing pool?
This module requires the service of mod_status. Balancer manager enables dynamic update of balancer members. You can use balancer manager to change the balance factor of a particular member, or put it in the off line mode.
Thus, in order to get the ability of load balancer management, mod_status and mod_proxy_balancer have to be present in the server.
To enable load balancer management for browsers from the example.com domain add this code to your httpd.conf configuration file:
<Location /balancer-manager>
SetHandler balancer-manager
Order Deny,Allow
Deny from all
Allow from .example.com
</Location>
You can now access load balancer manager by using a Web browser to access the page http://your.server.name/balancer-manager
-> http://ceviri.belgeler.gen.tr/apache/htdocs/2.2/mod/mod_proxy_balancer.html
