Tiernan's Comms Closet

Geek, Programmer, Photographer, network egineer…

Domain Joining a machine over VPN and Password Resets/Changes with Azure AD

October 15, 2020
0 Comments

With the whole Work From Home thing probably becoming more and more normal in the years to come (I can count on 2 hands how many times I have physically been in my main office in the last 7 months) there are a couple of certainties in that people will come up against. One is passwords expiring and needing to be changed, one is password resets being required and finally laptops or desktops needing to be domain joined or connected to the domain before they can be fully provisioned. As the (currently only) IT guy in our office, I have had to deal with these first hand, and decide to write this post, helping both my fellow employees, and possibly other IT Admins stuck in this challenge.

So, as the IT person, there are a couple of assumptions:

  • You have on premises AD
  • You have Azure AD (P1 and above seems to be required if users are mixed AD and on prem. Free allows just Cloud users).
  • Azure AD Sync installed and enabled

If all above are set, you will need to follow the steps to Enable Azure Active Directory Self Service Password Reset. I have enabled this on our domain. Next, you need to get your users to setup their secondary authentication for backup. All our users have a 2FA requirement, so most of them had that already. New users need to go though those setups. Finally, if a user needs to change or reset their password, they can do so though https://aka.ms/sspr. If all is done well, that reduces the amount of support calls I (and you) get.

Now, the next task: domain joining over VPN. This is a bit more “fun” to play with.

First, you need a VPN connection. We use Meraki gear using Active Directory for RADIUS auth. I wont go into too much details on setting that part up, but the script we use to build the VPN connections for users is below. This will probably be different for different VPNs, but this is our starting point.

Lines you need to change are at 8, 9, 10 and 47. Line 39 can also be modified to change from Split Tunneling (only sending traffic to internal subnets) or full Tunneling (all traffic over VPN). If you have multiple internal subnets, Line 49 can be copied with more.

The most important part we need though is line 34. The -AllUserConnection allows the connection to be available to all users on the machine, but also on the start screen. This is important.

So, with all that in place, you will need to connect to the VPN

you should now be able to join the domain as if you where on your local network.

Enter Domain details and change name of machine if required
when asked enter your domain username and password
You will be welcomed to the domain
and then asked to reboot

reboot your machine as usual and when it boots, you should see a new option on the login screen

VPN login option

Click this icon and if you only have one VPN connection the screen below will show up. If you have more than one, you will be given a list of options to use.

Login to VPN at the login screen

Enter your domain credentials. Since our AD and VPN use the same credentials, it will automatically log you in aswell.

Machine is now domain joined and logged in, and in my case, finishing setup

So, there you have it. How to domain join a machine outside the network. Now, in reality, Azure Active Directory and Intune would probably be the better option, but that’s future work…

Apple event October 2020

October 13, 2020
0 Comments

[NOTE] This post was done entirely on iPhone XS Max and a iPad Pro. Photos taken on the iPhone. Some edited on iPhone, some on the iPad. I have edited some text on the iPad with the keyboard, but if i missed anything, all was written mostly live, so apologies… Will add extra links to places like Engadget, etc, below.

Homepod mini. $99 available 16 November. The feature of intercom sounds good… When they mentioned the list of extra service, Spotify was very missing… [NOTE] I missed some stuff on this cause I was in a late meeting… This does look cool though.

iPhones. 5g available. 5g ultra wide band. 4gb down and 250mbs down ideal conditions. MmWave Support. Low latency support. But that’s normal for 5g. Verizon expanding their network to 60 cities by year end for ultra wide and and all cities for normal 5g. And it’s avail be on ALL models. Not just the high end. Very handy. Rumours had suggested it would be limited to either high end, or that mmWave would be available only on pro.

IPhone 12. First one announced. 5g support. New design. Looks very iphone 4 like. Bigger camera bump with 2 cameras. 6.1inch display. Smaller border. Super Renta XDR display. 2 million to 1 contrast ratio… 460ppi. Dolby vision hdr10 and hgl support too. 1200 nits. Ceramic shield on the screen to increase toughness. Tougher than any smartphone scree.

Most 5g bands in any smartphone. Even iOS core is modified to make 5g faster. When lower speeds will do, it can drop to LTE. Has been tested and gets up to 3.5Gb/s max and best conditions. 4Gb/s down on mmWave and best conditions and 1Gb/s in normal conditions.

A14 bionic. 5nm process. 11.8 billion transistors. 6 cores. 4 core gpu. Neural engine goes from 8 to 1y cores and 11 trillion operations per second.

Gaming stuff. Something called league of legends. I’m not a gamer, so… Hmm…. [I took this time to try upload photos for this post…]

Camera looks very cool. Larger aperture for better low light photos. video looks cool too…

MagSafe for iPhone. Qi charging with magets. 15w charger. NFC support too… New cases and wallet. And charger has magnet. Apple has a duo charger for both iPhone and Watch. Belkin have a car dock and a multi device charger too. I like the sound of the car dock, and a duo charger for iPhone and Apple Watch could be useful…

Recycling stuff. Lots of important stuff here… But very big words for trying to type live. But they are removing chargers and headphones from the box. Smaller box, which means they can get more on a shiping pallet, which reduces CO2. And by removing the headphones and charger, they can save 2 million metric tones of CO2 or 450k cars off the road. USB C to lightning cable included in the box.

Iphone 12 mini. Same spec as the full 12, just smaller.

12 mini starts at $699. 12 non mini is $799. More details of availability later in this post.

“There is simply nothing like iPhone 12”… Think that’s about to change now…

Pro line. They… Multiple… 12 pro. Still reminds me of the 4…

Pro camera also looks very cool. 12 pro max has better camera.

Pro raw option. Raw with some processing. Available later in the year. Works on all 4 cameras. Flexibility of raw with apples computational photography. Edit photos in photos app or in other professional apps. Wonder when light room gets it.

Pro video. Hdr shooting. Dolby vision Hdr recording in camera too. And the internet just went missing… Give me a sec…

Shoots the Hdr video at 4k 60fps. And it can be edited on the phone… Nice.

Lidar scanner. Interesting for ar objects but could be interesting. It was in the iPad pro. It can see in the dark too… 6x faster auto focus.

To finish up, a quick Gallery of the photos taken.

ESXi on Arm (and Raspberry Pi!)

October 11, 2020
0 Comments

A few days back (October 6th 2020) VMWare announced a new “Fling”: ESXi Arm Edition. Not completely sure what a Fling is, but anyway, I started reading, liked the idea and managed to download a copy for testing. I have 2 Pi 4s in the house, both 4Gb Models, and I wanted to play around with the new tech.

So, after some messing with UEFI stuff, formatting Micro SD cards correctly, copying files and some limitations, I managed to get 2 new ESXi servers running on Raspberry Pi!

There is a walk though Video showing everything I did to get up and running. Its embedded below. Some of the hardware I used is also mentioned below.

Equipment list:

  • 2 x 4G Raspberry Pi 4s
  • 2 x 16Gb Micro SD Cards (you could probably get away with 1Gb cards… You only need a small 256MB partition for the UEFI stuff)
  • 2 x 64GB Kingston DataTravler USB 3 Sticks (This is where ESXi is installed, plus the rest of the storage, if configured correctly, can be used for VMs).
  • 2 X POE to USB C Splitters. I used these so I can power both Pi’s though POE and can reboot them using the switch. You could use a USB Power Adapter like the Anker PowerPort 60W which would give you 6 ports to run your Raspberry Pi’s. I would probably limit it to running 4 Pi’s though, since the Pi 4 needs a bit more power…
  • Some way of installing the ISO to the Pi. I used an iodd Mini 256Gb for the task. I also did a video review of that here.
  • About an hour of your time.

As mentioned above, the USB key is used for storing ESXi when its installed. It can also be used for storing VMs. There is a command you run when installing to partition the drive in 2: 8GB for ESXi and the rest for storage. I managed to run this correctly on one, but missed it on the second. I might reinstall that Pi and get it up and running again soon. You also have the option of installing to iSCSI. That might be useful too…

Storage wise, VMWare recommend using usb3 or fast iscsi or nfs storage for vms. I’m using nfs on my workstation which seems to work OK. but you are still limited to 1Gb/s of the Raspberry Pi. They say it is possible to use extra USB network cards. Could be interesting to try that out.

So far i have managed to install a single VM on one of the Pis. I plan on migrating from a Physical PiHole instance to a virtual one. I also plan on getting a few 8Gb Pis and see where this rabbit hole gets me. It can also be managed with VSphere. Let’s see if I can get that working… Stay tuned!

If anyone has any questions, comments, etc., just shout. And if your interested in videos like these, subscribe and like the video!

Nexdock Touch Videos

October 11, 2020
0 Comments

A few months back, I pre ordered a Nexdock Touch. The Nexdock Touch is a laptop without the laptop components… its essentially a screen (1920×1080 touch) with a keyboard, battery, touch pad, a 3 USB C ports (one for charging, one for phones only and one for connecting other devices) a Full USB A port (for plugging in other stuff, more on that in a sec), a Micro SD Card and a full HDMI port. Interestingly, the HDMI port is not for output, like you would think it is, but for input.

This is the Nexdock’s party piece: plug in a compatible phone (I have a Samsung Galaxy A90 5G that works), Raspberry Pi (I tried with a Pi 4) or any other device that takes USB input and HDMI output (I also tried with an Intel Nuc) and that machine becomes a laptop… Well, within reason; the Phone and the Pi will both get charged or powered by the Nexdock’s built in batter, but for the Nuc, it needs to be powered externally.

I have recorded some videos and uploaded them to YouTube. There are some unboxing videos, showing you it working with Samsung Dex and the Galaxy A90 5G, a Raspberry Pi 4 and also the Intel Nuc. The full playlist is embedded below, or you can visit the playlist on Youtube here.

I am planning on releasing more Videos in the same kind of format over the next while, so, as they say “Like and Subscribe” on YouTube if your interested!

Back running WordPress

October 10, 2020
0 Comments

I have moved my blog back over to WordPress. It is running in house, on one of my workstations, using Cloudflare’s Argo tunnel to protect it on the internet. You might be asking “why?!” Well, its a couple of things.

  • Easier to blog and post from anywhere in the world.
  • I can blog on pretty much anything
  • No having to worry about upgrading my copy of Hugo breaking my site…

That last one is the reason I haven’t blogged in a while. Seems there was a major change in the versioning of Hugo, somewhere between the release I was on (0.55.6) and the latest one I tried (0.73.0 or something… 0.76.3 is out now) and my index.html pages just would not create, and I got many warnings when building… I spent a few hours trying to figure it out, but in the end, I gave up.

I ended up using Chris Salzman’s blob post explaining how he moved from Hugo to WordPress, spent a hour or so tweaking the imported files, built a Docker-Compose file (I will post this somewhere soon, if anyone wants it) and was off to the races. Few tweaks later, a copy of CloudflareD and some DNS tweaks, and everything was back online.

There are some disadvantages to WordPress:

  • Comment Spam
  • Performance
  • Maintenance
  • Security

But even so, I am willing to worry about these and be able to blog easier.

Fixing CID (Caller ID) on incoming calls with 3CX

July 4, 2019
0 Comments

In a previous post i talked about going all in on VoIP in the house. Its been nearly a year now, and other than some minor issues related to the VoIP Server being turned off accidentally, or a screw up on my end, all is going well. But, one thing i did notice was related to incoming calls and caller Id, specifically on my SIP2SIM card. Essentially, the country code was wrong: for example: Incoming calls from the Virgin Media trunk just show as local numbers (for Dublin, for example, it would so 01xxxxxxx). Using the CID reformatting feature in 3CX, I managed to change this.

All calls that come in starting with 0 are “fixed” and changed to +353 without the 0. When the call comes in though the SIP2SIM card, it does no longer show as a call from the UK, but now shows as a call in Ireland, or where it is coming from, so all the contact details show correctly! Happy days!

Network Update Info April 2019

April 18, 2019
0 Comments

So, this post has been a long time coming! A load of different things to talk about, so lets get started!

GodBox V3

So, for a long time, I have been thinking about GodBoxV3, the replacement to GodBoxV2. And when planning this, i had some ideas of what it should be:

  • Minimum of 2×16 cores (double godboxv2)
  • About the same RAM, if not more
  • FAST STORAGE!
  • Is able to run my twin 30" 4K monitors
  • Would like 10Gb/s NICs

Well, It finally happened! I got the machine, built it and, well, its impressive! How did i do with specs? Well…

All is good! Photos, more details and benchmarks coming soon… stay tuned!

Finally 10Gb/s Networking!

Since GodBoxV3 had a few 10Gb nics, i needed to upgrade the network to support it. I ended up with a Ubiquiti Networks EdgeSwitch-XG. 16 ports (12 SFP+ and 4 RJ45). The SubperMicro board has 2xRJ45 ports. Due to lack of RJ45 ports, GodBoxV3 is connected to 1, GodBoxV2 is getting a 10Gb card soon, which will be connected to 1 port, and a new Sun Microsystems server (details below) will be getting the last 2… Of the SFP+ ports, 2 are connected to the EdgeSwitch Lite, 2 to the Synology (it got a 10Gig NIC reciently too!) and 2 to the new NAS (again, more details below!)

Good bye Mikrotik, Hello EdgeRouter 4

Since i was going all Ubiquiti gear (Wifi is Unifi gear) i got rid of the old Microtik and replaced it with a Ubiquiti ER4. Happy days! Got some plans for this, more details coming soon…

Updates to BGP Stuff, including IPv6

I lost one VPS in London, but replaced it with a new one from HostUS. I still use Vultr, Packet and VServer.Site as providers too. I am also adding more and more IPv6 stuff too… There is a post on AS204994 explaining a lot of this.

New NAS and more storage!

New NAS got purchased: QNAP TS-932X. I have 5X8TB spinny disks (shucked from 5 WD My Book 8TBs) + 4 X 500GB WD Blue SSDs.

New Servers and cooling updates

Moved lots of stuff around the room… Servers run cooler, and less noisy! happy days! I also got my hands on a very nice looking Sun Server X3-2. Its a Dual Xeon E5 (currently got quad cores, going to upgrade it to 8 cores) and i think its got 16GB ram and 4x300GB SAS Disks. It also has 4X10Gb nics! ESXi will probably go on here!

VMWare in the house

Up till recently, I ran Hyper-V all round. Its still on GodBox V2 and V3 (v1 has a HDD issue, so its off…), but the main VM hosts (the C6100’s) are being migrated to VMWare ESXi… Why? Its a learning exercise… We see how it goes…

So, long update… Any questions, comments, etc… shout!

Adding a Netgear LB2120 to the homelab

September 6, 2018
0 Comments

A few months back, Three Ireland came out with an LTE broadband offer: Unlimited* LTE broadband for EUR30 per month. It did come with a 18 month contract, but I pulled the trigger and got it as a backup link. I picked this up in the local Three store, and they had a couple of options for modems: a couple of Huawei mobile Wifi hotspots (E5573 or E5577) or a Huawei B525 Modem, which is designed for home use. Alternatively, there was a Sim only option, but given the modem was free with the contact, i went with the B525.

The B525 is not a bad router, don’t get me wrong, but its a Router… i already have a few of them, including my Mikrotik RouterBoard CCR1016-12G, an EdgeRouter POE, a Ubiquiti USG 3 and some virtual ones too… yea, don’t ask… What i wanted was a modem; no WiFi, no routing, and give me a full, non NATted IP to the internet. There was some mention of some of the Huawei modems being able to be put into bridge mode, but i could not find out how to do it… That’s where the Netgear LB2120 comes in.

The LB2120 (there are a few different models, but mine is the Europe edition) has a Micro SIM Slot,a WAN and a LAN port (both GigE), Power in, Power button and 2 inputs for Aerials.

The home page is fairly basic, and gives you all you need: how much data you’ve used, how much you have left, when the data plan resets, etc.

There is also an alerts option, so you can get it to send you an SMS when something happens:

But the relay handy stuff is under Advanced setting/LAN:

You have the option of using it as a router, or using it in a Bridge. Needless to say, i bridged it and got a fully public IP. Currently, mine is hooked up to the second WAN port of the USG, and is currently serving about 30-40% of the traffic on that network (mostly media devices, IOT stuff, etc). Speed wise, its not bad.

Not as good as a hardwired connection, but its only getting 4 bars, and its about 1km to the nearest cell tower. I do want to get some external aerials for it, to see if i can boost the download/upload speed, but we will see. Also, i plan on changing out the Mikrotik for something else… lets see what i end up with!

*Unlimited is mobile network speak for 750GB per month… which does not sound very unlimited to me… but, anyway…

Finally going all in on VoIP

July 24, 2018
0 Comments

After many years, I am finally trying to move to a proper VoIP system for the house. This post will explain what I am using, how I am setting it up, and some other details you might (or might not) find useful.

First, backstory. I have been interested in VoIP for many years. The first post I wrote about Ito this site was here back in 2012, but I had posted about it on my other site back in 2008. It got my attention years ago as a way of saving money on calls, but in recent times, that has changed a little, mainly because most providers gives you calls for free (my mobile and land lines both come with unlimited calls and with my mobile, I can make them anywhere in Europe). The new reason I am interesting in VoIP is consolidation: I currently have 3 mobile phone numbers, at least 1 landline dedicated to me in the house, plus a work landline. I want to be able to pick up any phone and make a call, and it show as coming from my main number. Or a call comes in and i can pick it up from any of my phones… And that is what i am trying to do here… I (will) have some of it working, but some parts are still missing…

The parts I have (or will have) working are as follows:

  • my land line number in the house is being ported to Virgin Media’s VoIP service. So, thats not stuck in an analog world any more!
  • The house phone now has a VoIP adapter allowing the standard analog phone make VoIP Calls

  • There is a company in the Netherlands called ZeroPlex who have a VoIP over GSM service. Essentially, the SIM they give is connected to your own SIP trunk. You can set it up to allow all calls to go though your SIP trunk, only incoming or only out going. I found their contact though Reddit but they may be able to help if you drop them an email.
  • All VoIP traffic in the house is routed though 3CX.

  • I have a couple of SIP trunks hooked up to 3CX: Virgin Media, Zeroplex (they redirect the NL number is sent over this, and i can make calls though this trunk too), Twilio, which i use for transient numbers, and Sip Discount which offers really cheap calls.
  • Phone wise, i use a Ubiquiti UVP-Executive desk phone, the SIM card, and the 3CX client on mobile (Either iPhone or Android).

So, all in, Im about 50% of the way there… As of the time of this post, the SIM is still in the mail and the phone numbers are not ported to Virgin Media… yet… Tomorrow they should be, and over the next few days there will be some tweaking to get it working correctly… I will probably have some updates over the coming week…

Auto deploying to multiple servers with GitHub and Webhooks

July 5, 2018
0 Comments

In yesterdays post, i mentioned that i wanted to try get an auto deploy working for this site. It already builds auto-magically using Forestry and puts the static HTML into a Github repo, but i needed to manually update the servers hosting the site… Well, not any more!

using the magic of Github’s Web hooks, the Webhook project and a small piece of bash shell script, i have managed to get this auto deploying…

First, Download the Webhook project (its a Go application, so it works pretty much anywhere). Copy it somewhere on your machine. Next, you need a config. I used the Github sample config from the project site and made tweaks to what script to run and what i was passing in.

next, the script to pull from Github was simple enough:

The repo should already be cloned into the folder, /var/www/localfolder and your web server should be pointing at that also. Then, its just a matter of running the command:

./webhook --hooks github.json --verbose

The --verbose tag gives you lots of info, so its handy for testing. and then your app is running and listening on the default port, 9000.

next, head over to your project on Github and go to settings:

select webhooks and add new web hook

Fill in the required details on the page, and click save.

Github will go out and have a chat with the webhook and verify it can send and receive stuff from the hook. You can see this in the deliveries section:

Clicking on these will show you the headers that were sent, along with the payload, and you can also see the response from your server. Finally, you have the option of re sending the payload, just in case anything goes wrong.

So, there you have it. A complete automated deploy across multiple servers! Any questions, leave a comment below!

[UPDATE] yesterday i mentioned i had to modify the sample that was included on the webhook site. Well, i noticed something this morning. The reason i needed it modified was the trigger rule was checking the header and the reference for the branch, but any time i ran it, it would not trigger… The reason was simple: the webhook app is expecting application/json but i had it set to application/x-www-form-urlencoded which is the default… the webhook app then couldn’t parse it correctly… changing that fixes the problem! happy days!

  • My Mastodon Instance

    Buy Me A Coffee

  • Recent Posts

  • Archives

    • DevDmBootstrap4 Created by Danny Machal (DevDm.com)