Good memory

How-to Install custom certificate on RDP Server

Working on a Server 2012 R2 Standard box today that was still using the self-signed certificate Remote Desktop creates on first use. I needed to replace it so that IIS and Remote Desktop would stop warning users about an untrusted certificate. In Server 2008 you could pick the certificate used for Remote Desktop connections in the Remote Desktop Session Host Configuration console; in Server 2012 that console is gone and the setting is only reachable through WMI. It took me a little while to piece everything together for Server 2012, so here are the steps I took. Hope this helps someone else later on!

Get the thumbprint of the certificate you want Remote Desktop to use
Windows + R
Type mmc and hit Enter
Control + M (or File -> Add/Remove Snap-in)
Click "Certificates" in the "Available snap-ins:" list
Click the "Add >" button
Select "Computer account"
Click Next
Select "Local computer:"
Click the "Finish" button
Click the "OK" button
Expand "Certificates (Local Computer)", then "Personal", then the "Certificates" sub-folder.
Double-click the certificate you want Remote Desktop to use. It must live in this store with its private key (the icon shows a small key) and should be issued for Server Authentication; a certificate without a private key cannot be used by the listener.
Click the "Details" tab
Select "All" under "Show:", scroll down to the "Thumbprint" field and select it.
Copy the text of the hash.
Remove all spaces from the copied hash. The result must be exactly 40 hexadecimal characters. The MMC details pane sometimes prepends an invisible Unicode character to the copied value, so if a later command rejects the hash even though it looks right, retype the first two characters by hand.
Open PowerShell as an Administrator

Run these PowerShell commands (replace YOUR HASH HERE with the thumbprint you copied above). You can run them one line at a time.

# Fetch the configuration of the RDP-Tcp listener from the Terminal Services WMI namespace
$TSGeneralSetting = Get-WmiObject -Class "Win32_TSGeneralSetting" -Namespace root\cimv2\terminalservices -Filter "TerminalName='RDP-tcp'"
# Thumbprint of a certificate in Cert:\LocalMachine\My: 40 hex characters, no spaces
$Hash = "YOUR HASH HERE"
$TSGeneralSetting.SSLCertificateSHA1Hash = $Hash
# Write the change back; Put() returns the WMI path of the updated instance
$TSGeneralSetting.Put()

Put() returns the WMI path of the updated instance and no error, which means the change was written. Two things commonly go wrong: the certificate is not in the computer's Personal store (Cert:\LocalMachine\My), or the Remote Desktop Services service, which runs as NETWORK SERVICE, cannot read the certificate's private key. In the latter case grant NETWORK SERVICE read access on the private key (right-click the certificate -> All Tasks -> Manage Private Keys in the MMC); until then the listener keeps presenting the old certificate. Re-read the Win32_TSGeneralSetting instance to confirm SSLCertificateSHA1Hash now holds the new thumbprint, then connect to the server again with Remote Desktop or RemoteApp: it should present the new certificate.
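A check for the thumbprint step, added here as an example and not part of the original post: a small POSIX shell script that normalises a thumbprint copied from MMC the way the procedure requires (spaces removed, 40 hex characters, stray invisible characters dropped) and computes, with openssl, the same SHA-1 thumbprint Windows displays, from a PEM export of the certificate. The function names and the rdp-cert.pem path are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the original post). Windows shows a certificate's
# "Thumbprint" as the SHA-1 hash of its DER encoding, which is exactly what
# `openssl x509 -fingerprint -sha1` prints. These helpers turn a thumbprint
# copied from MMC into the 40-character form the WMI property expects and
# compare it against a PEM export of the certificate.

# normalize_thumbprint THUMBPRINT
# Upper-cases the input and strips spaces, colons and anything else that is
# not a hex digit (this also discards the invisible Unicode mark MMC sometimes
# prepends), then fails unless exactly 40 hex characters remain.
normalize_thumbprint() {
  normalized=$(printf '%s' "$1" | tr '[:lower:]' '[:upper:]' | tr -cd '0-9A-F')
  [ "${#normalized}" -eq 40 ] || return 1
  printf '%s\n' "$normalized"
}

# cert_thumbprint CERT.pem
# SHA-1 over the DER certificate, printed as 40 upper-case hex characters
# (openssl prints "SHA1 Fingerprint=AB:CD:..."; keep only the hex).
cert_thumbprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha1 | sed 's/^.*=//' | tr -d ':'
}

# thumbprint_matches THUMBPRINT CERT.pem
# Succeeds only if the normalised thumbprint is the hash of that certificate.
thumbprint_matches() {
  want=$(normalize_thumbprint "$1") || return 1
  [ "$want" = "$(cert_thumbprint "$2")" ]
}

# Example run (rdp-cert.pem is an assumed path for a Base-64 .cer export of
# the certificate; paste the MMC thumbprint, spaces and all, as the argument):
#   thumbprint_matches 'a1 b2 c3 ...' rdp-cert.pem && echo "thumbprint OK"
```

To get the PEM file, export the certificate from the MMC (All Tasks -> Export, without the private key, Base-64 encoded X.509). openssl s_client cannot be pointed at port 3389 to fetch the live certificate, because RDP only starts TLS after an X.224 connection request; use a scanner that speaks RDP for that final check.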

2020   certificate   powershell   RDP   windows

Nutanix CLI to shutdown all vms currently on

for vm_name in $(acli vm.list power_state=on | grep -v '^VM name' | awk '{print $1}'); do acli vm.shutdown "$vm_name"; done

I changed the acli command from acli vm.force_off to acli vm.shutdown: vm.force_off pulls the virtual power cord, while vm.shutdown sends an ACPI shutdown event and lets the guest OS shut down cleanly.

Guests that ignore ACPI (no acpid, or a Windows session stuck on a prompt) stay powered on, so run acli vm.list power_state=on again afterwards and only then use vm.force_off on the stragglers. Note also that awk '{print $1}' keeps only the first word of the VM name, so VMs whose names contain spaces are skipped or mis-targeted by this one-liner.

Based on the acli vm subcommands:
vm.guest_reboot : initiates a guest-level reboot of the VMs (through Nutanix Guest Tools)
vm.guest_shutdown : initiates a guest-level shutdown of the VMs (through Nutanix Guest Tools)
vm.force_off : forces the VMs into the powered-off state (like pulling the power cord)
vm.list : lists all VMs
vm.off : powers off the specified VMs
vm.on : powers on the specified VMs
vm.power_cycle : power-cycles the specified VMs
vm.reboot : initiates a reboot by issuing an ACPI event
vm.reset : resets the specified VMs
vm.shutdown : initiates a shutdown by issuing an ACPI event
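An added example, not from the original post, of the same loop driven by the UUID column of acli vm.list, so that VM names containing spaces survive, with a dry-run mode. It assumes that acli accepts a VM UUID wherever it accepts a VM name. The sample vm.list output, the function names and the DRY_RUN and ACLI variables are constructed for this example.

```shell
#!/bin/sh
# Added example (not part of the original post). Instead of awk '{print $1}',
# which truncates VM names at the first space, take the UUID column and hand
# that to acli vm.shutdown. SAMPLE_VM_LIST is constructed in the layout acli
# prints (header line, VM name first, UUID last); on a real CVM the data comes
# from `acli vm.list power_state=on`.

SAMPLE_VM_LIST='VM name                                  VM UUID
web-01                                   6f0b9d27-5f1b-4c7c-9c1c-0d3c6a9b1e11
File Server 02                           a4c4d9a6-2f4a-4e08-8c8e-7f5b2b3d4e55
db-01                                    3b5c0a1d-9d6b-4a7e-b2d8-1e2f3a4b5c66'

# running_vms: reads acli vm.list output on stdin and prints "UUID<TAB>name"
# per VM. A line counts only if its last field looks like a UUID, which
# drops the header and any blank or status lines.
running_vms() {
  awk 'length($NF) == 36 && $NF ~ /^[0-9a-f-]+$/ {
         uuid = $NF; $NF = ""; sub(/[ \t]+$/, "");
         print uuid "\t" $0
       }'
}

# shutdown_running_vms: one acli vm.shutdown (ACPI shutdown) per running VM.
# ACLI (default: acli) is the command that lists VMs, overridable for tests;
# DRY_RUN=1 prints the commands instead of running them.
shutdown_running_vms() {
  ${ACLI:-acli} vm.list power_state=on | running_vms |
  while IFS="$(printf '\t')" read -r uuid name; do
    if [ "${DRY_RUN:-0}" = 1 ]; then
      printf 'would run: acli vm.shutdown %s   # %s\n' "$uuid" "$name"
    else
      acli vm.shutdown "$uuid"
    fi
  done
}
```

Run it once with DRY_RUN=1 to see the list, then for real; afterwards repeat acli vm.list power_state=on until it is empty before reaching for vm.force_off on anything that ignored the ACPI event.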

2019   Nutanix

Nutanix: Warning health status but all services are OK

Run these commands over SSH on one CVM of the cluster:

allssh ~/cluster/bin/genesis stop cluster_health
allssh ~/cluster/bin/genesis stop hyperint
allssh ~/cluster/bin/genesis stop prism
allssh ~/cluster/bin/genesis stop arithmos
allssh rm -Rf ~/data/arithmos/arithmos_per*
cluster start

Reconnect to Prism and check the health status.
Note: these commands only restart the monitoring and UI services (cluster health, Hyperint, Prism, Arithmos) and discard the statistics Arithmos had persisted, which is the point of the fix; the storage path is not touched, so VMs keep running, but historical performance data shown in Prism is lost.

2019   Nutanix

Windows 10: how to block telemetry

Open an elevated PowerShell and run:

New-NetFirewallRule -DisplayName "BlockDiagTrack" -Name "BlockDiagTrack" -Direction Outbound -Program "%SystemRoot%\System32\utc_myhost.exe" -Action Block

2019   block   disable   telemetry   windows

Clipperz – password manager

You'll need a LAMP stack, plus git and the Python git bindings, so if required:

sudo apt-get install python-git git

1 Clone the Git repository into a working directory (e.g. your home dir)

git clone http://git.whoc.org.uk/git/password-manager.git

2 Change directory into the download and build a deployable version

cd password-manager
./scripts/build clean install debug --frontends beta delta gamma --backends php

3 Move the contents of target/php to your web directory

mv target/php /var/www/html/clipperz

4 Create the database and a dedicated MySQL user

mysql -u root -p
CREATE DATABASE clipperz;
GRANT ALL PRIVILEGES ON clipperz.* TO 'clipperz'@'localhost' IDENTIFIED BY 'clipperz';

Replace the password 'clipperz' with a strong one before running the GRANT: these credentials end up in plain text in configuration.php. On MySQL 8 the GRANT ... IDENTIFIED BY form no longer exists; create the user first with CREATE USER and then grant without the IDENTIFIED BY clause.

5 Update the config with your database details

vi /var/www/html/clipperz/configuration.php

6 Initialise the database: browse to

<your-site>/setup/index.php

and click "POG me up", then "Proceed".
The POG interface also gives very basic access to the data in the database, which is useful to confirm that the application is actually writing something (you will not be able to make much sense of the records, since they are all encrypted in the browser before being stored).
More information about building the PHP backend is in doc/install.php.txt.

7 Remove the ability to reach the database through the web. The setup interface exposes the database to whoever can reach that URL, so do this as soon as the database is initialised:

rm -fr /var/www/html/clipperz/setup

8 Browse to website and start using, eg

<your-site>/beta/index.html

gitHub link: https://github.com/clipperz/password-manager
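An added example, not part of the original post or of Clipperz: a POSIX shell check to run after step 7 that fails while the POG setup directory is still present or while configuration.php (which holds the MySQL credentials from step 4) is readable by every local user. The web root defaults to the path used in the steps above; the function name is mine.

```shell
#!/bin/sh
# Added example (not from the original post). Post-install check for the two
# things the procedure above leaves on disk that matter for security: the
# setup/ directory (web access to the database) and configuration.php (the
# database credentials in clear text).

# clipperz_postinstall_check [WEBROOT]
# Returns 0 when all checks pass, 1 otherwise, printing what failed.
clipperz_postinstall_check() {
  webroot=${1:-/var/www/html/clipperz}
  rc=0

  # Step 7: setup/ must be gone once the database is initialised.
  if [ -e "$webroot/setup" ]; then
    echo "FAIL: $webroot/setup still exists; remove it (rm -fr)"
    rc=1
  fi

  # configuration.php must exist and must not be world-readable. The web
  # server user still needs to read it, so 640 owned by root:www-data is the
  # usual shape; only the "other" digit is checked here.
  if [ ! -f "$webroot/configuration.php" ]; then
    echo "FAIL: $webroot/configuration.php is missing"
    rc=1
  else
    perms=$(stat -c '%a' "$webroot/configuration.php" 2>/dev/null \
            || stat -f '%Lp' "$webroot/configuration.php")
    case "$perms" in
      *[4567]) echo "FAIL: $webroot/configuration.php is world-readable (mode $perms)"; rc=1 ;;
    esac
  fi

  [ "$rc" -eq 0 ] && echo "OK: $webroot passes the post-install checks"
  return $rc
}
```

Run it as root after step 7 (clipperz_postinstall_check, or with another web root as the argument) and again after any redeploy of target/php, since a rebuild recreates setup/.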

Openmediavault: join a Windows 2008R2 domain

Settings

Domain: domain.local
Windows 2008 R2 domain controller hostname: srv-dc-01
OMV hostname: omv

Check IP configuration

OpenMediaVault gets its IP address from DHCP. Check its hostname and name resolution: hostname -f must return a fully qualified name inside the domain, because the join uses it for the computer account and its Kerberos service principals.

omv:/# host domain.local
domain.local has address 192.168.0.10
omv:/# hostname -f
omv.domain.local

Check time and NTP

The lab runs on ESXi: time is synced at each VM boot, which is enough for testing. In production use VMware Tools time sync against the ESXi host, or NTP against the domain controllers. Kerberos rejects requests from a client whose clock differs from the KDC by more than 5 minutes (the default clock skew), so this is not optional.

Install required packages

apt-get update
apt-get install krb5-user krb5-clients libpam-krb5 winbind libnss-winbind

(krb5-clients only provides the legacy Kerberised rsh/rlogin/telnet clients and is not needed for this setup; it may no longer exist in recent Debian releases, so drop it if apt cannot find it.)

You will be asked for the Kerberos default realm: DOMAIN.LOCAL (upper case).

Kerberos configuration

Works out of the box with the default configuration. You may nevertheless edit /etc/krb5.conf as follows (realm names are case-sensitive and must be upper case):

[libdefaults]
        default_realm = DOMAIN.LOCAL
        # 600 seconds: a very short ticket lifetime (the klist sample below shows
        # tickets expiring after 10 minutes). Active Directory issues tickets for
        # 10 hours by default; use 10h unless you have a reason not to.
        ticket_lifetime = 600
        dns_lookup_realm = yes
        dns_lookup_kdc = yes
        renew_lifetime = 7d
        # allow_weak_crypto re-enables single DES; keep it commented out.
;       allow_weak_crypto = true

# The following krb5.conf variables are only for MIT Kerberos.
;       krb4_config = /etc/krb.conf
;       krb4_realms = /etc/krb.realms
;       kdc_timesync = 1
;       ccache_type = 4
;       forwardable = true
;       proxiable = true

# The following encryption type specification will be used by MIT Kerberos
# if uncommented.  In general, the defaults in the MIT Kerberos code are
# correct and overriding these specifications only serves to disable new
# encryption types as they are added, creating interoperability problems.
#
# The only time when you might need to uncomment these lines and change
# the enctypes is if you have local software that will break on ticket
# caches containing ticket encryption types it doesn't know about (such as
# old versions of Sun Java).

      # For Windows Server 2008 R2 (seems not required). These lists include
      # RC4 and single DES; leave them commented out so that AES is negotiated.
;      default_tgs_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      default_tkt_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5
;      permitted_enctypes = aes256-cts-hmac-sha1-96 rc4-hmac des-cbc-crc des-cbc-md5

      # For Windows Server 2003 (not tested against Windows Server 2003, and that
      # release is end of life). RC4 and DES only: do not enable.
;      default_tgs_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;      default_tkt_enctypes = rc4-hmac des-cbc-crc des-cbc-md5
;      permitted_enctypes = rc4-hmac des-cbc-crc des-cbc-md5


[kdc]
        profile = /etc/krb5kdc/kdc.conf

[logging]
        kdc = FILE:/var/log/krb5kdc.log
        admin_server = FILE:/var/log/kadmin.log
        default = FILE:/var/log/krb5lib.log

Test kerberos settings

kinit -V administrator@DOMAIN.LOCAL

Enter the administrator password when prompted.

Check that you got a ticket: klist
Sample output:

Ticket cache: FILE:/tmp/krb5cc_0
Default principal: administrator@DOMAIN.LOCAL

Valid starting     Expires            Service principal
01/28/13 13:28:58  01/28/13 13:38:58  krbtgt/DOMAIN.LOCAL@DOMAIN.LOCAL

Destroy all tickets (and check with klist): kdestroy

SAMBA settings

In OMV webGUI :
enable SAMBA
set Workgroup : DOMAIN
tick “Enable user home directories”. You may also tick “Set browseable”.
add extra options :

password server = *
realm = DOMAIN.LOCAL
security = ads
allow trusted domains = no
idmap config * : range = 9400-59999
winbind use default domain = true
winbind offline logon = false
winbind enum users = yes
winbind enum groups = yes
winbind separator = /
winbind nested groups = yes
;winbind normalize names = yes
winbind refresh tickets = yes
template shell = /bin/bash
template homedir = /home/%U

#  Performance improvements
socket options = TCP_NODELAY SO_RCVBUF=8192 SO_SNDBUF=8192
client ntlmv2 auth = yes
client use spnego = yes

Test samba configuration: testparm

This step is optional

If you want AD users and groups to appear in the OMV web interface, their UIDs and GIDs must fall inside the non-system ranges defined in /etc/login.defs. Find UID_MAX and set UID_MAX and GID_MAX so that they cover the idmap range configured above (9400-59999):

UID_MAX                 60000
GID_MAX                 60000

Editing AD users or groups from the OMV web interface will still fail, because they are not stored in /etc/passwd and /etc/group.

Join the domain

The createcomputer argument places the computer account in a given organisational unit (OU path relative to the domain root) instead of the default Computers container; it is optional. After the join, net ads testjoin should report that the join is OK.

omv:/# net ads join -U administrator createcomputer=servers/linux
Enter administrator's password:
Using short domain name -- DOMAIN
Joined 'OMV' to realm 'domain.local'

Enable authentication with winbind

edit /etc/nsswitch.conf

passwd: compat winbind 
shadow: compat
group: compat winbind

Run ldconfig afterwards only if you installed the winbind NSS library by hand; the Debian package already does it, so on OMV this is harmless but not required:

ldconfig

Check users and groups enumeration

getent passwd (lists local and AD users)
getent group (lists local and AD groups)

Enable mkhomedir and umask

create the file /usr/share/pam-configs/my_mkhomedir with the following content

Name: Activate mkhomedir
Default: yes
Priority: 900
Session-Type: Additional
Session:
	required	pam_mkhomedir.so umask=0077 skel=/etc/skel

The umask argument of pam_mkhomedir did not work for me; pam_umask.so seems to be the better option. Create the file /usr/share/pam-configs/umask with the following content, then run pam-auth-update so that both profiles are merged into /etc/pam.d/common-session:

Name: Activate umask
Default: yes
Priority: 800
Session-Type: Additional
Session:
	optional	pam_umask.so umask=0077

Fix domain folder permission

If template homedir uses the %D variable (for example /home/%D/%U) to keep domain users apart from OMV's local users, the /home/DOMAIN folder is created on the first domain user connection, but with permissions that do not let domain users traverse it to reach their own home directory. Fix this by creating the folder where template homedir expects it and adjusting owner and permissions. If the group name contains a space, quote it or escape the space with a backslash.

mkdir /home/DOMAIN
chmod 0755 /home/DOMAIN
chown "root:domain users" /home/DOMAIN

SSH login for AD users

In the OMV web GUI enable SSH, disable root login (use su or sudo instead) and add this to Extra Options:

AllowGroups root ssh "domain users"

Check that "domain users" is enclosed in double quotes (sshd_config accepts double-quoted arguments that contain spaces) and that this is the group name as it exists in your Windows 2008 R2 domain: I'm French and I'm using a French Windows 2008 R2, where group and user names are localised (the group is called "Utilisateurs du domaine").

Log in via SMB or SSH

Do not prefix the user name with the domain (e.g. use administrator, not DOMAIN.LOCAL/administrator): winbind use default domain = true strips it.
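As an added example that is not part of the original post: a small POSIX shell script for verifying the join from the OMV side. It combines the live checks (net ads testjoin, wbinfo -t, getent) with a check that winbind really allocated the user's UID and GID from the idmap range configured above (9400-59999) and applied the template shell and home directory. The function names, RANGE_MIN/RANGE_MAX and the sample passwd line are mine, not from the post.

```shell
#!/bin/sh
# Added example (not from the original post): post-join checks for the
# winbind/Kerberos setup above. RANGE_MIN/RANGE_MAX mirror the Samba option
# "idmap config * : range = 9400-59999"; the template shell and home prefix
# mirror "template shell = /bin/bash" and "template homedir = /home/%U".
RANGE_MIN=9400
RANGE_MAX=59999

# uid_in_idmap_range ID: true when the id was allocated from the idmap range
# (a local account from /etc/passwd, e.g. 1000, fails this on purpose).
uid_in_idmap_range() {
  case $1 in ''|*[!0-9]*) return 1 ;; esac
  [ "$1" -ge "$RANGE_MIN" ] && [ "$1" -le "$RANGE_MAX" ]
}

# passwd_line_ok 'user:x:uid:gid:gecos:home:shell'
# Validates one getent passwd line the way you would for an AD user.
passwd_line_ok() {
  IFS=: read -r name _ uid gid _ home shell <<EOF
$1
EOF
  uid_in_idmap_range "$uid" || { echo "$name: uid $uid outside idmap range"; return 1; }
  uid_in_idmap_range "$gid" || { echo "$name: gid $gid outside idmap range"; return 1; }
  case $home in /home/*) ;; *) echo "$name: home $home not under /home"; return 1 ;; esac
  [ "$shell" = /bin/bash ] || { echo "$name: shell $shell is not the template shell"; return 1; }
  echo "$name: ok (uid $uid, gid $gid, home $home)"
}

# check_ad_user USER: live check on the joined host. Verifies the machine
# account (net ads testjoin) and the trust secret (wbinfo -t) first, then
# resolves the user through nsswitch/winbind and validates the result.
check_ad_user() {
  net ads testjoin >/dev/null || { echo "net ads testjoin failed"; return 1; }
  wbinfo -t >/dev/null || { echo "wbinfo -t: trust secret check failed"; return 1; }
  line=$(getent passwd "$1") || { echo "$1 not resolved through winbind"; return 1; }
  passwd_line_ok "$line"
}
```

Use check_ad_user administrator (or any domain account) right after the nsswitch change; a user that resolves but lands outside the range, or with the wrong shell, points at the idmap or template options rather than at the join itself.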

2016   domain   krb   linux   openmediavault   samba   windows

How to reset the admin password for ISPConfig 3

Losing/Forgetting your ISPConfig 3 administrator password is annoying, but can happen to anyone! To reset the password, you need to follow the few steps below.

You need MySQL's root login; ISPConfig keeps it in a config file that should be readable only by root:

cat /usr/local/ispconfig/server/lib/mysql_clientdb.conf

<?php
$clientdb_host = 'localhost';
$clientdb_user = 'root';
$clientdb_password = 'VerySecurePassword';

?>

You can now log into the ISPConfig database with the credentials from mysql_clientdb.conf:

mysql -h localhost -u root -p dbispconfig

Then run:

UPDATE sys_user SET passwort = md5('YourNewPassword') WHERE username = 'admin';
FLUSH PRIVILEGES;
quit;

The column really is called passwort. FLUSH PRIVILEGES is harmless but unnecessary here: it reloads MySQL's own grant tables, and this UPDATE touches an application table. If the existing value in the passwort column starts with $, your version stores crypt() hashes; an md5 value still lets you log in on ISPConfig 3.1, but change the password again from the web interface straight away so that the stronger hash is stored.

You can now log into your ISPConfig 3 web interface with the new admin password.

2016   ISPConfig   password