VPN types

VPN settings are fairly extensive and this is mostly new tech to me, so I'm going to take a look at this within reason. I'm happy to say that I feel that test prep study is coming along nicely. Anyway, let's get back into this VPN stuff. Before posting the questions I'm going to go through the TechNet articles. Let's start with an obvious but helpful one.

VPN Tunneling Protocols

    Choosing between tunneling protocols

  • PPTP can be used with a variety of Microsoft clients including Microsoft Windows 2000, Windows XP, Windows Vista, and Windows Server 2008. Unlike L2TP/IPsec, PPTP does not require the use of a public key infrastructure (PKI). By using encryption, PPTP-based VPN connections provide data confidentiality (captured packets cannot be interpreted without the encryption key). PPTP-based VPN connections, however, do not provide data integrity (proof that the data was not modified in transit) or data origin authentication (proof that the data was sent by the authorized user).
  • L2TP can only be used with client computers running Windows 2000, Windows XP, or Windows Vista. L2TP supports either computer certificates or a preshared key as the authentication method for IPsec. Computer certificate authentication, the recommended authentication method, requires a PKI to issue computer certificates to the VPN server computer and all VPN client computers. By using IPsec, L2TP/IPsec VPN connections provide data confidentiality, data integrity, and data authentication.
  • Unlike PPTP and SSTP, L2TP/IPsec enables machine authentication at the IPsec layer and user level authentication at the PPP layer.
  • SSTP can only be used with client computers running Windows Vista Service Pack 1 (SP1) or Windows Server 2008. By using SSL, SSTP VPN connections provide data confidentiality, data integrity, and data authentication.
  • All three tunnel types carry PPP frames on top of the network protocol stack. Therefore, the common features of PPP, such as authentication schemes, Internet Protocol version 4 (IPv4) and Internet Protocol version 6 (IPv6) negotiation, and Network Access Protection (NAP), remain the same for the three tunnel types.
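The bullets above draw a line that is easy to read past: PPTP gives confidentiality only, while L2TP/IPsec and SSTP also give data integrity and data origin authentication. The following Python is an added illustration of what that difference means on the wire; it is not Microsoft's code nor any VPN product's. A toy keystream cipher stands in for the encryption, an HMAC-SHA256 tag stands in for the integrity protection IPsec or TLS provides, and the keys, nonce and message are constructed for the demo.

```python
import hashlib
import hmac
import os

TAG_LEN = 32  # HMAC-SHA256 tag size in bytes


def keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream: SHA-256 over (key, nonce, counter) blocks. Stand-in for a real cipher."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_only(key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality only: XOR with the keystream. Nothing here detects modification."""
    return bytes(p ^ k for p, k in zip(plaintext, keystream(key, nonce, len(plaintext))))


def decrypt_only(key: bytes, nonce: bytes, ciphertext: bytes) -> bytes:
    return encrypt_only(key, nonce, ciphertext)  # XOR is its own inverse


def encrypt_then_mac(enc_key: bytes, mac_key: bytes, nonce: bytes, plaintext: bytes) -> bytes:
    """Confidentiality + integrity: ciphertext followed by an HMAC over nonce and ciphertext."""
    ct = encrypt_only(enc_key, nonce, plaintext)
    return ct + hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()


def decrypt_and_verify(enc_key: bytes, mac_key: bytes, nonce: bytes, message: bytes) -> bytes:
    """Reject the message unless the tag matches; only then decrypt."""
    ct, tag = message[:-TAG_LEN], message[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed: message was altered in transit")
    return decrypt_only(enc_key, nonce, ct)


def corrupt_in_transit(data: bytes, index: int) -> bytes:
    """Simulate a one-bit change to the message somewhere between the two tunnel endpoints."""
    b = bytearray(data)
    b[index] ^= 0x01
    return bytes(b)


def mac_detects_change(enc_key, mac_key, nonce, plaintext, index=0) -> bool:
    """True if the integrity-protected tunnel rejects a message altered at `index`."""
    altered = corrupt_in_transit(encrypt_then_mac(enc_key, mac_key, nonce, plaintext), index)
    try:
        decrypt_and_verify(enc_key, mac_key, nonce, altered)
    except ValueError:
        return True
    return False


def demo():
    """Constructed run: the same change hits both tunnels; report what each receiver sees."""
    enc_key, mac_key, nonce = os.urandom(32), os.urandom(32), os.urandom(12)
    msg = b"hello over the tunnel"
    # Confidentiality-only tunnel: the altered ciphertext decrypts without complaint and the
    # receiver has no way to tell that the plaintext is no longer what was sent.
    accepted = decrypt_only(enc_key, nonce, corrupt_in_transit(encrypt_only(enc_key, nonce, msg), 0))
    # Integrity-protected tunnel: the same change is caught before anything is decrypted.
    detected = mac_detects_change(enc_key, mac_key, nonce, msg, 0)
    return accepted != msg, detected


if __name__ == "__main__":
    print(demo())  # (True, True): silently changed on the first tunnel, rejected on the second
```

The second half of the tuple is the property the quoted text calls data integrity; the first half is what "confidentiality only" leaves you with, and it is why the article steers you toward L2TP/IPsec or SSTP.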

This is really helpful information that seems really obvious. This information seems really cut and dried; however, it's from 2012, so it's quite possible we may run into complications later. The other issue is that Win 10 is mentioned nowhere in this, and let's hope that the clients in our domain support Win 10.

RAS Gateway High Availability

There are two articles that I have saved on RAS, so this one must be important. OK, for starters:

You can deploy RAS Gateway in multitenant mode as an edge gateway to route tenant customer network traffic to tenant virtual networks and resources.

I mean, internal VPN is one thing for encapsulating traffic, but this literally has 'remote' in the name. What else would you do with RAS besides throw it in front of a firewall to route traffic, securely, to internal resources? Anyway, back to the information at hand. There are lots of things going on in this article. Personally, I'm a big fan of the undefined colored clouds connected to Mixed Pool, GRE Pool and IKEv2. There is so much information here that says "A front-end RAS server connects to a gateway after authentication and then passes the traffic to the internal servers." There are some specifics but it's mostly theory that may or may not (most likely) be helpful when comprehending the questions at hand. Let's move on.

RAS Gateway for SDN

OK, so I'm interested. Basically this one is advising that this exists and it's designed for multi-tenant application environments. Assuming they mean Docker environments, but it could be anything. The most important thing to me was the definitions towards the end:

    RAS Gateway Features

  • Site-to-site VPN. This RAS Gateway feature allows you to connect two networks at different physical locations across the Internet by using a site-to-site VPN connection. For CSPs that host many tenants in their datacenter, RAS Gateway provides a multitenant gateway solution that allows your tenants to access and manage their resources over site-to-site VPN connections from remote sites, and that allows network traffic flow between virtual resources in your datacenter and their physical network.
  • Point-to-site VPN. This RAS Gateway feature allows organization employees or administrators to connect to your organization’s network from remote locations. For multitenant deployments, tenant network administrators can use point-to-site VPN connections to access virtual network resources at the CSP datacenter.
  • GRE Tunneling. Generic Routing Encapsulation (GRE) based tunnels enable connectivity between tenant virtual networks and external networks. Since the GRE protocol is lightweight and support for GRE is available on most network devices, it becomes an ideal choice for tunneling where encryption of data is not required. GRE support in Site to Site (S2S) tunnels solves the problem of forwarding between tenant virtual networks and tenant external networks using a multi-tenant gateway, as described later in this topic.
  • Dynamic routing with Border Gateway Protocol (BGP). BGP reduces the need for manual route configuration on routers because it is a dynamic routing protocol, and automatically learns routes between sites that are connected by using site-to-site VPN connections. If your organization has multiple sites that are connected by using BGP-enabled routers such as RAS Gateway, BGP allows the routers to automatically calculate and use valid routes to each other in the event of network disruption or failure. For more information, see RFC 4271.

These are actually helpful when trying to sort through answering basic questions. I suppose dealing with PowerShell cmdlets is nice too, from the high availability

GRE Tunneling in Windows Server 2016

There is a really good definition in the intro and then some information about plausible uses. It's not marketing and it's helpful information. The most important part is

    GRE tunnels are useful in many scenarios because:

  • They are lightweight and RFC 2890 compliant, making them interoperable with various vendor devices
  • You can use Border Gateway Protocol (BGP) for dynamic routing
  • You can configure GRE multitenant RAS Gateways for use with Software Defined Networking (SDN)
  • You can use System Center Virtual Machine Manager to manage GRE-based RAS Gateways
  • You can achieve up to 2.0 Gbps throughput on a 6 core virtual machine that is configured as a GRE RAS Gateway
  • A single gateway supports multiple connection modes
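The RAS Gateway feature list and this GRE list make the same point from two sides: GRE encapsulates and identifies a tunnel (the Key field, which a multi-tenant gateway can use per tenant) but does not encrypt, which is why the earlier text calls it the choice "where encryption of data is not required". As an added illustration that is not Microsoft's or any gateway vendor's code, here is a Python packer and parser for the RFC 2890 GRE header (version 0, with the optional Checksum, Key and Sequence Number fields). The payload bytes and key value are constructed; the thing to notice as a defender is that anyone who can see the packet can read both the payload and the key.

```python
import struct
from typing import Optional

GRE_FLAG_C = 0x8000  # Checksum Present
GRE_FLAG_K = 0x2000  # Key Present
GRE_FLAG_S = 0x1000  # Sequence Number Present
GRE_VERSION_MASK = 0x0007
ETHERTYPE_NAMES = {0x0800: "IPv4", 0x86DD: "IPv6", 0x6558: "Transparent Ethernet bridging"}


def ones_complement_checksum(data: bytes) -> int:
    """Internet checksum (RFC 1071) over the GRE header and payload."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def pack_gre(payload: bytes, protocol: int, key: Optional[int] = None,
             sequence: Optional[int] = None, checksum: bool = False) -> bytes:
    """Build a GRE packet: flags/version, protocol type, optional fields, then the raw payload."""
    flags = 0
    if checksum:
        flags |= GRE_FLAG_C
    if key is not None:
        flags |= GRE_FLAG_K
    if sequence is not None:
        flags |= GRE_FLAG_S
    header = struct.pack("!HH", flags, protocol)
    if checksum:
        header += struct.pack("!HH", 0, 0)  # Checksum and Reserved1; checksum filled in below
    if key is not None:
        header += struct.pack("!I", key)
    if sequence is not None:
        header += struct.pack("!I", sequence)
    packet = header + payload
    if checksum:
        packet = packet[:4] + struct.pack("!H", ones_complement_checksum(packet)) + packet[6:]
    return packet


def parse_gre(packet: bytes) -> dict:
    """Decode a GRE packet into its fields; the payload comes back exactly as it was sent."""
    flags, protocol = struct.unpack("!HH", packet[:4])
    if flags & GRE_VERSION_MASK != 0:
        raise ValueError("only GRE version 0 (RFC 2784/2890) is handled here")
    offset = 4
    info = {"protocol": ETHERTYPE_NAMES.get(protocol, "0x%04x" % protocol),
            "checksum_ok": None, "key": None, "sequence": None}
    if flags & GRE_FLAG_C:
        (stored,) = struct.unpack("!H", packet[4:6])
        zeroed = packet[:4] + b"\x00\x00" + packet[6:]
        info["checksum_ok"] = ones_complement_checksum(zeroed) == stored
        offset += 4
    if flags & GRE_FLAG_K:
        (info["key"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    if flags & GRE_FLAG_S:
        (info["sequence"],) = struct.unpack("!I", packet[offset:offset + 4])
        offset += 4
    info["payload"] = packet[offset:]  # plaintext: GRE adds framing and a checksum, no encryption
    return info


if __name__ == "__main__":
    # Constructed example: tenant key 42, sequence 7, checksum on, an IPv4 "inner packet" stub.
    pkt = pack_gre(b"tenant payload", 0x0800, key=42, sequence=7, checksum=True)
    print(pkt.hex())
    print(parse_gre(pkt))
```

The checksum catches accidental corruption only; a deliberate change can simply recompute it, which is the difference between this header and the IPsec integrity protection of the VPN section above.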

Really, that's the only useful info in this.

Network Function Virtualization

    Virtual appliance benefits

  • A virtual appliance is dynamic and easy to change because it is a pre-built, customized virtual machine. It can be one or more virtual machines packaged, updated, and maintained as a unit. Together with software defined networking (SDN), you get the agility and flexibility needed in today’s cloud-based infrastructure. For example:

This is awesome! I've been wondering what an appliance was and I haven't seen solid information on it. There is a lot of info on this topic. Highlight: when they hit the "But wait! There's more!" lick, haha. As I haven't seen much in terms of questions on appliances I think we are good here. Let's get into the MeasureUp questions.

[image: MeasureUp question 2, part 1]

[image: MeasureUp question 2, part 2]

This one is pretty much definitional and straightforward. The answers are clear and we have covered all this above.

[image: question, part 1]

[image: question, part 2]

The only thing I found here to be interesting was L3 being the preferred method for datacenter to cloud architecture. Anyway, that's all for the night. Time to go to bed, wake up, go straight to work and come home and start working on this again!

IPAM management roles and configuration

There is so much to IPAM that I need to cover for myself. In this post I'm looking at administrative roles and configurations. There are two questions that I'm looking at and I think I'll start with the easier of the two.

[image: question, part 1]

[image: question, part 2]

This question specifically looks at all the roles and features of the ASM admin; however, there are also a few more potentially assigned roles along with a way to set an access scope (as previously discussed) by setting an IP range. I'm starting to kind of understand the concept but I would like to take a closer look at this, as this granular scope definition question was not quickly answerable to me. It's quite possible I've covered this in a previous post but it's not quickly memorable to me, so I'm going to go over the entire thing again for my own sake.

IPAM roles

This is the most helpful thing I've found so far. This was not on the 2012 test, that I recall, but MeasureUp keeps going over this and so far hasn't even mentioned SYSVOL replication or that GP exists, really.

Address Space Management

Key features of ASM include the following:

  • Integrated management of dynamic and static IP address space
  • Detection and management of conflicts, overlaps, and duplicates in address space across systems
  • Highly customizable inventory view of IP address space
  • Centralized monitoring and reporting of address utilization statistics and trends
  • Support for IPv4 and stateless IPv6 address utilization monitoring
  • Automated discovery of IP address ranges from DHCP scopes
  • Export and import of IP addresses and IP address ranges with Windows PowerShell support
  • IP address usage alerts and notifications with custom thresholds
  • Detection and assignment of available IP addresses
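Three of the ASM bullets above describe checks you can reason about concretely: conflict/overlap/duplicate detection across address ranges, utilization alerts against a custom threshold, and finding the next available address. The Python below is an added illustration of those three checks and not IPAM's own code; the inventory of ranges and the assigned addresses are constructed, and the threshold of 80% is an arbitrary value I picked for the demo.

```python
import ipaddress
from typing import Dict, Iterable, List

# Constructed inventory standing in for ranges IPAM would learn from DHCP scopes and static entries.
INVENTORY = [
    {"source": "dhcp-hq",        "range": "10.10.0.0/23"},
    {"source": "dhcp-branch",    "range": "10.10.1.0/24"},    # sits inside the HQ scope: overlap
    {"source": "static-servers", "range": "10.20.0.0/24"},
    {"source": "dhcp-lab",       "range": "10.20.0.0/24"},    # same block registered twice: duplicate
    {"source": "dhcp-guest",     "range": "192.168.50.0/24"},
]


def find_conflicts(inventory) -> Dict[str, list]:
    """Report duplicate ranges and partially/fully overlapping ranges across sources."""
    nets = [(e["source"], ipaddress.ip_network(e["range"], strict=False)) for e in inventory]
    duplicates, overlaps = [], []
    for i, (src_a, a) in enumerate(nets):
        for src_b, b in nets[i + 1:]:
            if a == b:
                duplicates.append((src_a, src_b, str(a)))
            elif a.overlaps(b):
                overlaps.append((src_a, src_b, str(a), str(b)))
    return {"duplicates": duplicates, "overlaps": overlaps}


def usable_hosts(net) -> int:
    if net.version == 4 and net.prefixlen < 31:
        return net.num_addresses - 2  # network and broadcast addresses are not assignable
    return net.num_addresses


def utilization(network: str, assigned: Iterable[str]) -> float:
    """Fraction of assignable addresses in `network` that appear in `assigned`."""
    net = ipaddress.ip_network(network, strict=False)
    used = sum(1 for a in assigned if ipaddress.ip_address(a) in net)
    return used / usable_hosts(net)


def utilization_alert(network: str, assigned: Iterable[str], threshold: float = 0.80):
    """The 'custom threshold' alert from the feature list: (status, utilization)."""
    u = utilization(network, assigned)
    return ("ALERT" if u >= threshold else "OK", round(u, 3))


def next_available(network: str, assigned: Iterable[str], count: int = 1) -> List[str]:
    """First `count` host addresses in the range that are not yet assigned."""
    net = ipaddress.ip_network(network, strict=False)
    taken = {ipaddress.ip_address(a) for a in assigned}
    free = []
    for host in net.hosts():
        if host not in taken:
            free.append(str(host))
            if len(free) == count:
                break
    return free


if __name__ == "__main__":
    print(find_conflicts(INVENTORY))
    assigned = ["10.20.0.1", "10.20.0.2", "10.20.0.4"]
    print(utilization_alert("10.20.0.0/24", assigned))
    print(next_available("10.20.0.0/24", assigned, 2))
```

The overlap check is the one worth keeping in mind for the exam question about access scopes: an administrator scoped to the branch range would, in this inventory, also be inside the HQ scope, which is exactly the kind of thing the conflict report is there to surface.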
Multi-Server Management and Monitoring

Key features of MSM include the following:

  • Discovery of Microsoft DHCP and DNS servers automatically across an Active Directory forest
  • Manual addition or removal of managed servers
  • End-to-end configuration and management of DHCP servers and scopes
  • Support for advanced constructs to enable add, delete, overwrite, or find and replace operations on multiple DHCP scopes and servers
  • Simultaneous update of common settings across multiple DHCP scopes or DHCP servers
  • Availability monitoring for DHCP and DNS services and DNS zones
  • Management of Microsoft DHCP and DNS servers running Windows 2008 or later operating systems
  • Addition of custom information to servers enabling visualization using logical groups based on business logic
  • Monitoring of DHCP scope utilization
  • Automatic and on-demand retrieval of server data from managed DHCP and DNS servers
  • DNS zone status monitoring based on DNS zone events
  • Classify discovered servers and roles as managed or unmanaged

Network Audit

Key features of network audit include the following:

  • Query the event catalog for DHCP configuration changes across multiple servers from a single console
  • Track users, devices, and IP addresses for specified intervals with advanced queries using DHCP lease logs and logon events from domain controllers and network policy servers
  • Track and report changes made to the IPAM server
  • Export audit findings and create reports
  • Quickly resolve configuration problems and track service level agreements

I suppose there isn't really much else to discuss about this. It's memorization of what each can do. Let's move on to the next one, shall we. Not feeling super sassy tonight to be honest, so you may find this one less colorful than usual. I went to bed early and I guess took a nap and woke up fairly late at night and decided to spend some time with this ol' thing.

[image: IPAM requirements question, part 1]

[image: IPAM requirements question, part 2]

This one is a little trickier than the previous question. There are two Microsoft links; however, the layout isn't quickly helpful for pointing at a bulleted list concerning the specifics of this question. I'm currently trying to watch a silent film in the background with a truly insane soundtrack, so forgive me if my 'comments from the peanut gallery' are not quite up to par as usual on this one.

IP Address Management (IPAM) Overview

This one is a lot of hoopla about what it could do without telling you. It's like 'Billy Mays here! You've heard of DNS, well now there's IPAM and we do all the work for you! Look, a graph! But wait, there's more!' Honestly, not completely roasting it, as there is some useful information here, mostly under the header of 'IPAM deployment options', also with a helpful flow chart. I give the town names Hyderabad and Bangalore for very clear normal places that people would have remote offices (hoping they are using slow link detection on this amazing global escalator). This thing is like a real symphony.


OK, so the IPAM specifications might be really helpful but it's still not detailed enough to really answer this question.

Multiple Active Directory forest support in IPAM

This one is actually specific as to discussing that it's possible to use IPAM over a two-way forest trust in different forests, but it's not super clear on the specifics. I suppose having one server to manage multiple forests is helpful. The only tricky part of the question is that ever so important ',' between 'domain controllers DHCP servers, and DNS servers', as the material specifies that DHCP servers and DNS servers will be accounted for, but given the, at times, questionable language involving specifics I could see them wording DCs running DHCP as one thing, which would be discoverable by default.

This took entirely too long to write but I think I'm sort of starting to understand this. However, there is one last thing that's worth reading:

Configure IPAM VMM Integration

Seems fairly straightforward, as per the documentation; don't forget to create a user account for VMM though. However, in the real world, who knows if it works that easily. It quite possibly does but you never can tell.

DNS! This is a time sink….

I'm going to go through some DNS stuff tonight. I understand the concept, but like anything in IT it's a never-ending hellscape of ideas as to how it works, and eventually you get a feel for it and learn that there are almost never completely hard and fast rules. Funny how the real world works like that too. Anyway, I'm reading to seek some answers that have meaning rather than 'this goes here'. I want to know why. Memorization for the sake of memorization has always been and will always be boring to me.

[image: DNS question, part 1]

[image: DNS question, part 2]

Without further ado, here is a string of articles that are linked by MeasureUp. As of this point I haven't read them, but I'm assuming this will work like the last post where the MSFT links were not exactly helpful.

Use DNS Policy for Split-Brain DNS in Active Directory

Use DNS Policy for Applying Filters on DNS Queries

DNS Policies in Windows Server 2016 Tech Preview 2

Use DNS Policy for Application Load Balancing

DNS Policies Overview

There are 2 more but they are on the general networking blog, which means that they may or may not load correctly. Generally they don't. Regardless, that's a lot to read. I'm going to get back to that as, to be honest, I'm not super familiar with the basic concepts, and usually the TechNet articles assume that you are familiar with the basic concepts. So let's outline those.

Traffic Management

Wow, that was short and sweet and to the point, and they even used "round robin." So it's a weighted solution that takes geographical traffic management into account and accounts for outages to provide the lowest latency response. Very helpful.

DNS Forensics

Honestly, it's a pretty straightforward thing: it's analysis of where traffic was routed to and what caused it. Obviously it's not as simple as that, but that's a basic overview. If you're familiar with any bit of infosec at all you are aware of what the term forensics means.

Split-Brain DNS

The MSFT article linked above is the first Google result, so I went ahead and read that. It wasn't helpful toward understanding the basic concept. Here we have the basic concept lined out.

Split-Brain DNS, Split-Horizon DNS, or Split DNS are terms used to describe when two zones for the same domain are created, one to be used by the internal network, the other used by the external network (usually the Internet).

I can handle that concept fairly easily. So, if I'm understanding this right, you have internal and external servers hosting the same site or application, and the DNS server points to the correct version based on being an internal or external client. I like this concept. They drop some words in here that are not exactly the same type of technology but are making a comparison, so before you start saying "it's like a secondary zone" be aware that it is not the same thing and you should look up what a secondary zone is. Slightly confusing if you're not up to date on all your definitions. A read-only copy of the same zone will not point you to an internal server for resource access. As to all the granular specifics of how the traffic is resolved in split-brain DNS, we will leave that alone for now. You will find that no matter what vector of information technology you pursue there are always more birds to chase down after you've figured out the first one, and at some point you have to say "OK, for now all I need is this concept".

How Does DNS Filtering Work?

This seems pretty straightforward, but dear god is this link annoying. Basically it's like access control that says certain websites are blocked. The question that the answer to involves this is much more complicated than something as simple as blocking traffic to a website that your company doesn't want users to have access to. Especially given the source client information, which is an indicator that this is not a network-wide solution. This kind of has me thinking about granular policies and the implications therein. Clearly they are indicating that this has to be fairly specific, and in the experience I have with the 3rd party proxy my company uses and how the internal proxies we can set up direct traffic, I can assure you this can involve an immense amount of administrative overhead. However, the question then becomes confusing again, because what they are describing sounds very similar to split-brain DNS. I'm very close to chalking this up to arbitrary memorization based on a preferred flavor.

DNS Responses Based on Time of Day with an Azure Cloud App Server

When you google this one, this is the first thing that comes up. Honestly it seems pretty apparent. At this point they are not asking how to implement it, and with that, I'll take the explanation henceforth which says 'it changes what server you're pointing at based on the time of day.' Clearly I did not grasp that concept based on the name.

Application load balancer

This seems like instance balancing for containers, and all the documentation points at AWS stuff, which I found amusing. Obviously AWS tech isn't going to be tested and MSFT has their own balancing tech built into the networking fabric.

So I guess I should read the MSFT stuff now. OK, I have read through them and honestly the only helpful one, in this case, is the application load balancing one, and even that one has a really terrible diagram that makes 0 sense. Like, OK, the client is asking for a resource which goes to a DMZ server (I'm assuming) which is in front of them, and then the load hosting servers are not behind that server but rather behind the client asking for access to the resource. lol, perfect. The most confusing thing to me for this one is traffic management. I'm not clear on how this helps sort through geographical resolution; however, it's quite clear that DNS resolution is a giant time sink, so I'm going to leave it at that. I feel good about the terms 'forensic' and 'split-brain DNS' though.
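The four DNS policy ideas touched on above (split-brain by client subnet, query filtering, time-of-day answers, and application load balancing with round robin) all come down to one thing: the server looks at who is asking, what they ask, and when, and picks the answer from a different zone scope. The Python below is an added illustration of that decision, not the Windows Server DNS Policy implementation; the zone scopes, subnets, blocked name, off-hours window and weights are all constructed, and the order in which the rules are applied is my own choice for the demo.

```python
import ipaddress
from datetime import time
from typing import Dict, List, Tuple

# Constructed data standing in for zone scopes and policies on a DNS server.
INTERNAL_SUBNETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]

# Same name, different answer per zone scope: the split-brain idea.
ZONE_SCOPES: Dict[str, Dict[str, List[str]]] = {
    "internal":  {"www.contoso.example": ["10.0.1.10"]},
    "external":  {"www.contoso.example": ["203.0.113.10", "203.0.113.11"]},
    "off-hours": {"www.contoso.example": ["198.51.100.10"]},  # e.g. a cloud-hosted copy used at night
}
BLOCKED_NAMES = {"bad.example"}                 # query filter: do not resolve at all
OFF_HOURS_START, OFF_HOURS_END = time(20, 0), time(6, 0)


def is_internal(client_ip: str) -> bool:
    ip = ipaddress.ip_address(client_ip)
    return any(ip in net for net in INTERNAL_SUBNETS)


def is_off_hours(now: time) -> bool:
    return now >= OFF_HOURS_START or now < OFF_HOURS_END


def resolve(name: str, client_ip: str, now: time) -> Tuple[str, List[str]]:
    """Apply the policies in order: filter, then client subnet, then time of day."""
    name = name.rstrip(".").lower()
    if name in BLOCKED_NAMES:
        return ("IGNORE", [])                   # filtered queries get no response
    if is_internal(client_ip):
        scope = "internal"                      # split-brain: internal clients see internal addresses
    elif is_off_hours(now):
        scope = "off-hours"                     # time-of-day: external clients go to the night copy
    else:
        scope = "external"
    answers = ZONE_SCOPES[scope].get(name)
    return ("NXDOMAIN", []) if answers is None else ("ANSWER", list(answers))


def weighted_round_robin(weights: Dict[str, int], count: int) -> List[str]:
    """Application load balancing: hand out answers in proportion to their weights."""
    order = [addr for addr, w in weights.items() for _ in range(w)]
    return [order[i % len(order)] for i in range(count)]


class RoundRobinResolver:
    """Rotates a multi-address answer per query so clients spread across the listed servers."""

    def __init__(self):
        self.counter = 0

    def resolve(self, name: str, client_ip: str, now: time) -> Tuple[str, List[str]]:
        status, answers = resolve(name, client_ip, now)
        if status == "ANSWER" and len(answers) > 1:
            shift = self.counter % len(answers)
            answers = answers[shift:] + answers[:shift]
            self.counter += 1
        return status, answers


if __name__ == "__main__":
    print(resolve("www.contoso.example", "10.5.5.5", time(12, 0)))         # internal answer
    print(resolve("www.contoso.example", "198.51.100.200", time(12, 0)))   # external, daytime
    print(resolve("www.contoso.example", "198.51.100.200", time(22, 30)))  # external, off-hours
    print(resolve("bad.example", "10.1.1.1", time(9, 0)))                  # filtered
    print(weighted_round_robin({"203.0.113.10": 2, "203.0.113.11": 1}, 6))
```

Reading it this way also answers the question the text raises about filtering versus split-brain: both select on the client, but a filter decides whether to answer at all, while split-brain decides which zone scope the answer comes from.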

That's all for tonight. Nick Barnes signing off. Thanks for your time if you read this; hopefully it was helpful, in some manner of speaking.

Authentication types

Tonight I'm going to dig through some authentication stuff. There are so many types of authentication from front end to back, from federated Kerberos to pass-through using NTLM. There are so many options, and to be honest the TechNet articles do a better job of confusing than explaining the scenarios and possibilities. I get that when you're technical this is kind of funny but, darn it, I'm just not to that level yet. I guess I'll watch one of those study guide videos on YouTube by such and such academy that totally prep you, or order one of those books with the lighthouses on it. Anyway, let's get into the one question I'm posting and then a flurry of TechNet articles.

[image: question, part 1]

[image: question, part 2]

OK, lol, so there are 5 listed and we still have to talk about pass-through auth, and NTLM is at least worth mentioning. I'm sure there is more I could talk about, but I'll be sure and draw a diagram to insert with a real nice Spaghetti copter filled with Papa's Promise!

Publishing Applications with SharePoint, Exchange and RDG

Publishing Applications using AD FS Preauthentication

Planning to Publish Applications Using Web Application Proxy

Publish Applications using Pass-through Preauthentication

Step 5: Plan to Publish Applications using Pass-through Preauthentication

So MeasureUp has 'kindly' provided us with 3 very specific scenarios related to the question which don't really help to get a general idea of how authentication works. Thankfully I've come up with a (sarcastic) diagram:

[image: authentication diagram]

You know, to be honest it's probably best to read everything in the network subheading of TechNet. At least for me, because there is so much to know. It's kind of baffling, to be honest.

windows-server-supported-networking-scenarios

Honestly though, if you're looking for a good time, dig through there for some quality networking diagrams.

Network Policy Server (NPS)

I'm not sure if that looks like a robot, or if it's telling me that the remote requires two 9 volts in the side compartments and then 4 underneath it, and then also, due to the fact that this remote is so powerful, it might be a good idea to use rechargeable batteries? I think that's where it's going anyway. Back to the task at hand: obviously I'm not going to go through every networking scenario and need to get back to the question, but I will give the advice that it's very worthwhile to be familiar with anything having to do with RADIUS. At least it was in the past. Unclear on the deprecation factor at this point. May have to check back in on that. Anyway, let's read some stuff that isn't the suggested Microsoft stuff that deals specifically with the topics at hand. At this point you may be thinking, 'Why on earth would we need to check sources that are not Microsoft? Why wouldn't we look at these hella complicated things when we don't really know the basics?' I'm just going to leave this meme here for your perusal (then links):


HTTP Basic

That seems simple enough, but honestly, I have no idea what the fuck happens in that exchange. So I've called in my buddy, who is an expert.

OK, so it's just basic user name and password authentication, if I'm understanding it right. I didn't go to school for that sort of thing. In fact I dropped off Security+ study because it got boring. I'm sure I'm pretty close to being able to pass. I do that sometimes though. Get real close to finishing something and then on the home stretch be like 'nahh fuck it.' Only with personal things though, to be honest. I'm sure I'm going to pick it back up, but as I started getting into the groove I got real bad excited to start studying Microsoft stuff again. Anyway. That's how it goes, let's move on, now that we think we know, meaning we probably have no idea and are arrogant, what we are doing.
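Since the exchange is exactly "user name and password", it helps to see the two sides of it in code. The Python below is an added example and not from the linked article: the client side builds the Authorization header RFC 7617 describes (base64 of user:password, which is encoding and not encryption, so the header must travel over TLS), and the server side parses it and checks the password against a salted PBKDF2 hash with a constant-time compare. The user store is a constructed in-memory dictionary and the iteration count is a value I picked for the demo.

```python
import base64
import binascii
import hashlib
import hmac
import os
from typing import Dict, Tuple

PBKDF2_ITERATIONS = 200_000


def make_basic_header(user: str, password: str) -> str:
    """Client side: what goes in the Authorization header. Base64 is reversible by anyone."""
    return "Basic " + base64.b64encode(f"{user}:{password}".encode()).decode()


def parse_basic_authorization(header: str) -> Tuple[str, str]:
    """Server side: recover user and password from the header (RFC 7617 layout)."""
    scheme, _, token = header.strip().partition(" ")
    if scheme.lower() != "basic" or not token:
        raise ValueError("not a Basic credential")
    try:
        raw = base64.b64decode(token, validate=True).decode("utf-8")
    except (binascii.Error, UnicodeDecodeError) as exc:
        raise ValueError("malformed Basic token") from exc
    user, sep, password = raw.partition(":")   # the user-id may not contain ':'; the password may
    if not sep:
        raise ValueError("missing ':' separator")
    return user, password


def hash_password(password: str, salt: bytes = None, iterations: int = PBKDF2_ITERATIONS):
    """Store a salted, slow hash rather than the password itself."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, iterations, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)


USERS: Dict[str, tuple] = {}  # constructed credential store: user -> (salt, iterations, digest)
_DUMMY = hash_password("dummy", b"\x00" * 16)  # so an unknown user costs the same time as a known one


def register(user: str, password: str) -> None:
    USERS[user] = hash_password(password)


def authenticate(header: str) -> bool:
    """True only for a well-formed Basic header naming a known user with the right password."""
    try:
        user, password = parse_basic_authorization(header)
    except ValueError:
        return False
    salt, iterations, digest = USERS.get(user, _DUMMY)
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, iterations)
    return user in USERS and hmac.compare_digest(candidate, digest)


if __name__ == "__main__":
    register("alice", "s3cret")
    header = make_basic_header("alice", "s3cret")
    print(header)                             # Basic YWxpY2U6czNjcmV0
    print(parse_basic_authorization(header))  # ('alice', 's3cret'): readable to anyone who sees it
    print(authenticate(header), authenticate(make_basic_header("alice", "wrong")))
```

The printed header is the whole reason HTTP Basic is only acceptable over TLS: the server gets the password in the clear on every request, and so does anything sitting between client and server.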

MS-OFBA

To be honest, this seems like basic HTTP but with more steps, thus making it more exploitable. I could be wrong on that. I've been wrong on things before, though I don't remember them. However, it's not that hard to figure out basic HTTP; honestly it seems like the same thing but they added 'cookies' for some reason. This makes absolutely 0 sense and I have no idea what's going on. Obviously they want you to read white papers for further info. Surprise fuckers! I'm absolutely not reading that shit because I will have 0 understanding.

OAuth 2

Lol, this is surprisingly helpful. It explains how it works without giving away the amount of information needed to easily break it. Which either means it's good or these people are drunkenly posting on the internet. Which, for the record, is not what I'm doing while drinking Kyle Juice tm and cheap vodka. (Dieting, and we are coming up on two weeks without a cigarette, and for someone that was a pack a day smoker it's a big deal.) It looks like this one has a lot of back and forth stuff internally, and I'm not exactly clear on how the client is interacting with this that makes it more secure than HTTP Basic, but I feel comfortable with the idea at least. This isn't used in the question from MeasureUp, which I can tell you with 90% certainty will not be on the test due to Microsoft's propensity toward testing only on proprietary information; however, I can also tell you with some degree of certainty that Kerberos most definitely influenced this authentication model and bits of it were definitely harvested to produce this. Would have to call in an expert to confirm though.

Azure SSO marketing for Pass-through

Pass-Through basic

These two, the first one being 'look how easy this is for end users' and the second one being a basic overview, are helpful, but they don't shed any light on how Pass-Through as a basic concept is any different than OAuth. That's the thing with sign-on and security protocols: they have names but it's sort of meaningless. I can assure you, as a person that works for a company that doesn't exactly have SSO figured out, at least in my department, it's not that easy. Like, OK, so I sign in using a user name and password and then a front-end server connects with a back-end server, which is completely transparent to me as an end user? I don't understand why this is any different than basic HTTP. You have a server, you auth to it and then it internally accesses the resources it needs. On a conceptual level I understand that it isn't safe to have a front-end server in a DMZ area with easy access to a back-end server housing data full time, but it's still slightly confusing to me. I'm starting to grasp the ideas but there is so much to learn about authentication. I feel like it would be much like what I've learned so far about Windows Server though: once you get the basics everything else is kind of seasoning. However, I can say at this point, when I look at the question I'm far less confused. I really think I should get back to Security+ at some point and blog about all the confusing stuff, as it's really helpful for me to write the ideas out. CompTIA certs don't exactly seem to be taken seriously though, so it's a bit rough for me to sink the money into one as you have to continually renew it now.

Now that I feel I kind of understand the question, I guess that's all for tonight. Kind of bummed it took a day and a half to write this; I feel like it should have been done yesterday and now it's midnight, but I had a few things to take care of today. I'll get through this eventually.

Node Fairness in Hyper-V Fail-over Cluster

This might be fairly short, which is good because it's getting late and I have to work tomorrow. There is a thing called Cluster Node Fairness which is new for Server 16. Basically it works the same way, from what I'm understanding (psst, that's a hyperlink): it will migrate VMs from overloaded machines to less resource-starved machines via live migration. At least according to the following excerpt from that website:

What is Node Fairness for Hyper-V? Node Fairness is a feature of Fail over Clustering (not Hyper-V) that will automatically Live Migrate guests away from an overloaded cluster node. Even though it is a Fail over Clustering feature, it only operates on Hyper-V virtual machines.

There is a question for this, hence the reason that I decided to blog like 10 words about it, so let's get to that. I tried to find some YouTube videos but there wasn't really anything useful that I could dig up. Anyway, question as follows:

[image: Cluster Node Fairness question, part 1]

[image: Cluster Node Fairness question, part 2]

As you can tell, or at least to me, the wording in the answer dialog is not super clear. It's like 'this thing exists and so it exists, jargon jargon jargon'. So all it really does is this: if you have a failover Hyper-V cluster it will drain and live migrate an entire VM to another node. This is a super cool feature, but as you would have to have an entire farm of Hyper-V machines I highly doubt I will see this in production. Really at this point I would like to do anything on Server. Create user accounts that leave room for privilege escalation and see if they can figure out their domain rights and exploit it. Just kidding, that's a terrible idea and a very bad infrastructure policy. Ethics aside, I really think that one link is all I'm getting out of this. I could post some TechNet links but they are fairly vanilla and not able to help as much as I would like for them to. However, I will leave you with this little nugget about Server 2019:
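The excerpt above says what Node Fairness does (live migrate guests away from an overloaded node) but not how a pass decides which guest goes where, which is the part the question wording glosses over. The Python below is an added, simplified model of that idea and not Microsoft's Failover Clustering code: the cluster, capacities and 80% threshold are constructed, and the placement rule (take the hottest node, move its smallest guest that fits to the least-loaded node that stays under the threshold, repeat) is my own assumption, not the documented heuristic.

```python
import copy
from typing import Dict, List, Tuple

Node = Dict[str, object]  # {"name": str, "capacity": int, "vms": {guest_name: cpu_demand}}

# Constructed cluster: node n1 is well over an 80% load threshold, n3 is idle.
CLUSTER: List[Node] = [
    {"name": "n1", "capacity": 100, "vms": {"vm-a": 50, "vm-b": 40, "vm-c": 10}},
    {"name": "n2", "capacity": 100, "vms": {"vm-d": 20}},
    {"name": "n3", "capacity": 100, "vms": {}},
]


def node_load(node: Node) -> float:
    return sum(node["vms"].values()) / node["capacity"]


def fits(node: Node, demand: int, threshold: float) -> bool:
    """A destination only qualifies if taking the guest keeps it at or under the threshold."""
    return (sum(node["vms"].values()) + demand) / node["capacity"] <= threshold


def rebalance(nodes: List[Node], threshold: float = 0.80) -> List[Tuple[str, str, str]]:
    """Simulate one fairness pass; returns the (guest, from, to) live migrations it would issue.

    Assumed rule: pick the hottest node, move its smallest guest that fits somewhere, and repeat
    until no node is above the threshold or nothing can be placed. Guests only ever land on nodes
    that stay under the threshold, so a node never flips from cool to hot and the loop terminates.
    """
    moves = []
    while True:
        hot = [n for n in nodes if node_load(n) > threshold]
        if not hot:
            break
        src = max(hot, key=node_load)
        moved = False
        for vm, demand in sorted(src["vms"].items(), key=lambda kv: kv[1]):
            for dst in sorted(nodes, key=node_load):
                if dst is not src and fits(dst, demand, threshold):
                    dst["vms"][vm] = src["vms"].pop(vm)
                    moves.append((vm, src["name"], dst["name"]))
                    moved = True
                    break
            if moved:
                break
        if not moved:  # nothing fits anywhere: the node stays hot; a real pass would report it
            break
    return moves


def demo(threshold: float = 0.80):
    """Run a pass over a copy of the constructed cluster; returns (moves, resulting loads)."""
    nodes = copy.deepcopy(CLUSTER)
    moves = rebalance(nodes, threshold)
    loads = {n["name"]: round(node_load(n), 2) for n in nodes}
    return moves, loads


if __name__ == "__main__":
    print(demo())  # ([('vm-c', 'n1', 'n3'), ('vm-b', 'n1', 'n3')], {'n1': 0.5, 'n2': 0.2, 'n3': 0.5})
```

Two migrations bring n1 from 100% to 50% without pushing any other node over the line; the "nothing fits" branch is the case a real cluster has to surface as an alert rather than silently leave a node overloaded.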

Failover-Clustering/Windows-Server-2019-Failover-Clustering-New-Feature

The best part is the guy's hand gesture in the screen cap for every video. I have no idea what's going on there.

Cluster .. things

I'm slightly confused about some clustering things, so I'm going to go over that tonight. Primarily Cluster OS rolling upgrade and Cluster-aware updating. I'm not terribly sure why this is so confusing to me but apparently it is. Cluster OS rolling upgrade is exactly what it sounds like, but I'm a little hazy on the specifics and it's new tech, so I want to take a look at it. Here is the question followed by some relevant links.

[image: cluster question, part 1]

[image: cluster question, part 2]

Cluster operating system rolling upgrade

Cluster-aware upgrading is cool. Does what it says it should. Drains roles, removes the node, updates the node, re-installs the node and re-adds roles. It's failover clustering for upgrades. Seems effective, but I would like to see it in practice, which I probably won't because hard work isn't really the key to success; nonetheless I enjoy learning and have learned to despise the questionably motivated social habits of most. Thus embracing a fatalistic sense of existence that I find entertaining while others stress over their lack of a sense of control, focusing on their own existence by worrying about making someone else realize they are better for some arbitrary reason that's absolute absurdity. lol, personal tangent about people who only have people in their lives for the purpose of making them feel more important. Anyway. Let's move on to cluster-aware updating.

Cluster Aware Updating

This is important for a few reasons but mainly high availability and transparency for highly available/mission critical applications, as described in the following:

For many clustered roles in the cluster, the automatic update process triggers a planned failover. This can cause a transient service interruption for connected clients. However, in the case of continuously available workloads, such as Hyper-V with live migration or file server with SMB Transparent Failover, Cluster-Aware Updating can coordinate cluster updates with no impact to the service availability.

    Cluster storage spaces I’m really unclear on and I’m not sure why. It’s not a new feature but I don’t think I really hit it too hard in the last exam.

    Storage Spaces Direct

    There is a lot to unpack there and I’m familiar with this. Apparently it’s an issue with nomenclature but the SAS and SOFS should be a dead giveaway for the Cluster 2. Anyway, I suppose that’s not too complicated. The Storage Spaces Direct stuff is a lot to sort through but the article is pretty helpful and upon sorting through it quickly it would appear that not much has changed since the last time I looked at it. It’s getting late and I have to work in the morning so that’s all for now. I do have to say I’m finding that I’m picking up on this material pretty quickly. Meaning, I feel fairly comfortable with most of the MeasureUp stuff.

    Windows Containers

    We are not done with containers yet. There are also Windows containers that are Docker images running Windows as the host OS, from what I’m gathering, and to add to the confusion you can throw Hyper-V in the mix, for some reason. I thought avoiding the resource usage of spinning up complete host images in a hypervisor was the entire point of containers? Currently, I’m not really sure but I’m excited to find out why you would use Hyper-V with a container. There are several questions in the MeasureUp info that are aligned with this but I’m going to quickly point out one for the sake of brevity. Ok maybe 2.

    [screenshot: install 1]

    [screenshot: install pt 2]

    Ok, … a Hyper-V container but like aren’t we talking about Docker a whole bunch? Ok, right.

    Windows containers

    Please click the link and then check this MSFT trainer’s apparent literal installation of a ‘MSFT Kitchen’ haha. He is awesome by the way. He was also very instrumental in me learning so much foundational knowledge for Server 2012. However, I’m starting to wonder if there is any foundational knowledge on this test. Regardless, at least they haven’t asked any subnetting questions yet. Please don’t do that, in the future. Math is not for people that are really proficient at installing server roles and features.

    Ok, anyway. This seems like a good place to start. Meaning the link, before I started rambling. Noted that the video is full of what I call ‘Papa’s Promise’. For those unfamiliar with food chain advertising, it’s full of nonsense that makes people feel like it’s quality. I’m not saying it’s not a good product but like these rubik’s cube situations in the video really got me. The other thing is they try to stay away from admitting that they didn’t invent this technology; like ‘Container orchestrator’ and ‘Docker’ are clearly not the same thing. They go to great lengths to prove this….


    Ok, so I have to say, I was on twitter the entire time it was playing, but the second video in this was immensely helpful as there’s someone that actually does dev explaining this, and the more I hear about it, it’s clear that some dev (well, this is the case with literally everything in computers) was like ‘what if’ then followed up with a ‘hold my beer’ and gutted OSes to bare bones and figured out a way to strip a VM down to the bare bones for the hell of it. Honestly, who cares if companies have to buy more hardware resources than they need to. I promise you the people that decided to do this did this because they thought it was fun. Or it was someone at a start up. Anyway, I mean, I don’t know much about ‘computer man’ culture but just taking a stab in the dark here. Ok, now to finish that first sentence with the hold my beer, so yeah like let’s strip a VM down and make it run without the use of a hypervisor on a baseline application that runs faster and uses less resources because we have to get to 88 mph. Man, I’m starting to sound like the nomenclature when trying to listen to dev talk about ‘you see what we did here was strap this jownson outboard on the back of this there wheel barrow and on account of having more room in the main spot ‘dare we went ahead and put this turbo on it that Steve had done welded up the exhawst plumin for this thing on account of it being sat-er-dee and being bored. I know your thinking ‘you cant put a turbo on a damn 2 stroke’ but i tell uns what, we did’ kind of thing. Then the MSFT guy comes in and is like ‘and we here at MSFT are mad that we didn’t think of putting a johnson outboard motor in a wheel barrow so we went ahead and bought a really fancy one. the two stroke with the turbo might be a bit much but we have this ‘proven’ motor that we may be able to repackage as it’s been tested for commercial use’ kind of thing. Ok, so I like containers. This is fun.

    And no, I did not grow up around rednecks that would do that sort of thing in the outskirts of Atlanta in a somewhat rural area with a father that worked on cars for a living, thanks for asking. Anyway, besides the initial excitement of hearing someone who builds these things discuss implementing and testing hot fixes in a sandbox type environment with an even lighter weight product than a virtual machine to blow up and rebuild, I still have no idea what Hyper-V is doing in this. Using Nano Server and so forth to build a container image upon makes sense but I’m still in for more reading as to not why (we figured that one out…), but how we are using Hyper-V with…containers…which are supposed to avoid having a complete VM. So, let’s get to that.

    Hyper-V container

    Hyper-V isolation – multiple container instances can run concurrently on a host, however, each container runs inside of a special virtual machine. This provides kernel level isolation between each container as well as the container host.


    So basically what you’re saying is it’s, plausibly, more armored (it’s not) but uses more resources? Ok, I’ll go with it and memorize the answers. My favorite part is that the examples are PowerShell cmds in the article haha ok. There is also the factor that using Hyper-V makes people think these are VMs, a highly confusing thing, which they are not. Thinking in that fashion will do you no favors.

    Windows Server 2016: Windows Containers vs. Hyper-V Containers

    Now they want to get specific. Good. Let’s check out this applesauce, I hope it has cinnamon in it because that’s the best kind.

    This is now starting to make sense as it provides kernel isolation with Hyper-V to ensure that OS updates don’t break the code. However, this can be mitigated easily by sandboxing OS updates and updating code accordingly. Which is common practice. Besides, if you update and break it, it apparently takes less time to spin up a new instance of the same container. So I’m not exactly clear on specific instances of why one would actually need to use this in production. MSFT is starting, “starting” (lol), to see that Linux servers are easier to maintain as web servers and not to mention cheaper. It’s an important market share to not miss out on, however most of the people that are actually building things out like this cannot afford to buy a server data center license for their homebrew shit. I feel like there is an Apple joke about a monitor stand coming into play. Right about, now.


    It’s an important market share and I understand it. I’m honestly not convinced on the need for the tech though.

    So this is an interesting link that is on this second question that I’m finally getting around to posting. Now that I have successfully discussed everything but the actual answer to the previous question. It’s sort of what I do, sorry. Oh, it’s also somewhat related to the other question. Anyway, here is that link:

    Windows container requirements

    [screenshot: containers]

    [screenshot: containers pt 2]

    Specifically, the table in that article basically contains the answers. Now that we have figured out the why, knowing the answer without knowing why isn’t fucking annoying. The interesting part is that they very clearly state the difference in sizes of the containers. I’m realizing that, compared to a file size of well over a gig for a full VM, this isn’t that bad.

    Nano Server: 40 MB (OS only); 130 MB + 1 GB pagefile (Hyper-V install)

    Until you get to that paging file bullshit. Come on, really? There is some further information that’s interesting but I’m not that clear on actual app building and DLLs and slimmed down versions of .NET (lol) so I’m going to stick with what we’ve got. I do honestly feel like I now understand the differences and am happy to memorize answers to things where I have a grasp on the concept of the technology.

    Docker Storage Types

    Docker storage is beyond confusing. There is more jargon and nonsense technical terms than a football locker room. I’m not sure if that makes sense but let’s just go with it. I’ve been reading articles all week and I think I sort of understand this “persistent memory” thing. Most of the videos are related to actually spinning up containers for use by developers. And let’s be honest, who wants to be a developer? I mean typing shit out all day because you think it’s fun and then seeing it run in production and being like ‘I made that’ and having no one know that bit of code was you or care. Sounds fucking awful. Anyway, let’s get into some stuff.

    [screenshot: container data storage pt 1]

    [screenshot: container data storage pt 2]

    Ok, so first of all I keep hearing this thing about persistence and I have no idea what this is. So I watched a bunch of YouTube videos, none of which were helpful, so I’m going to link some articles that I found helpful in understanding that all of this documentation surrounding pulling a fucking file from an HD and writing to RAM when using containers is full of so much nonsense jargon it’s almost insufferable. Like ok, I can write shit to RAM in Linux but not Windows. Right.

    The other thing about this: a lot of what I’m finding that’s useful for conceptualizing is marketing material that requires reading through product-specific jargon.

    Persistent Storage Strategies for Containers

    This is basically marketing material as it’s for a corporate blog. As I read it I realize that I should probably spin up Docker and build a bullshit website to spin up; however, to be quite frank, obviously writing two lines of HTML and using different color backgrounds is way outside my scope. I go into Server Manager and click around until it does what I need it to lol. Ok, I could do this but I’m not sure it would be worth the time for me. I mean, this isn’t a super cool CTF so why would I learn anything about it. It took me 6 months to figure out how to exit VIM. Build several containers that host a local site and use clustering with source code stored for each? That sounds like it’s outside of my wheelhouse. I guess I should also mention that this has nothing to do with the question I posted above. No worries…we will get to not finding an answer for that and discussing the hella meta ideas presented about Docker storage that seem like they are clearly designed to put the ball in the devs’ court and confuse the ever loving hell out of management. Honestly, I’m absolutely ‘pro’ this concept. Like let’s take everything you know about computing and pretend it’s all absolutely false because we have just reinvented the wheel by figuring out a way to have services run in containers (that somehow have OS kernels but are not VMs) and use a shared source for serving up applications or use info contained in the container. I realize that contained in the container sounds absurd and to be honest, there are a lot of things that sound real dumb boiled down which plausibly led to over complicated lingo. That said, the spaghetti monster is alive and well in containers. So, here is my favorite thing from this article, this all makes sense:

      as always, the devil is in the details. In the case of containers and persistent storage:

    • The practical need for some kind of storage for use by the container. Many common software tasks use temporary storage. While it may be possible to design programs that perform those tasks without the need for persistent storage, doing so introduces unnecessary complications.
    • Prolonged use of individual containers. In practice, some containers remain in use for hours, or even longer. The longer a container remains in use, the greater the likelihood that it will need storage (as a scratchpad, to save state information, or for more complex purposes).
    • The need for containers to share data. This is a big one. Containers frequently need to work together, and working together generally means sharing data. The easiest and best way to share data is often by means of shared storage. Lack of such storage makes data sharing difficult.

    So here is the thing about this: what are each of these states of storage called? I’m not sure. At this point it seems like ‘persistent storage’ means available data. Like, wtf. Every application needs this. Why are you confusing me with this new word. I’m still not clear on what it means and I think they made it up so that ‘kind ol’ southern folks’ such as myself would be confused. I’m pretty sure that’s true because devs are going to look at it and go lol you mean applications need to have access to data to serve things up? Wow, I did not know that. So then comes in this whole bit of what the hell they are talking about at any given moment.

      Docker storage types

    Docker Data Volumes

    • For storage by individual containers, Docker offers data volumes. These allow a container to use a kind of virtualized persistent storage abstracted from the host system’s storage. This virtualized storage is integrated into the standard container file structure, which makes access easy. Data volumes are, however, limited to an individual instance of a single container. The data can’t be shared with other containers, and it can’t be accessed by later instances of the same container.

    Using the Host File System

    • There are other methods of persistent storage which make much more direct use of the host file system, setting aside some of the host system’s storage for use by the container without the layers of abstraction imposed by data volumes. This can, depending on the method used, allow data to be shared with other containers, or with later instances of the same container. If file and storage management are not fully coordinated between the container and the host system, however, data may be overwritten or corrupted.

    This information is immensely helpful. Unlike the 4-5 hours of YouTube videos I watched while trying to figure out what they were talking about. It seems really obvious and I’m not sure why this isn’t present in the articles linked from MeasureUp. This is why I pay you, MeasureUp. I could have bought these sick shoes, mostly.


    That’s neither here nor there. But those shoes are sooo sick. So you should pay me so much money so I can be your office’s Server High Roller. I’m sure this is extremely convincing as well as appealing. Jody has quality tastes. If you’re not familiar already, there isn’t much point in this exercise in absurdity and modern art. Yes, I legit think he is a walking bit of modern art and commentary on people’s responses to things they are unclear on.

    Ok, so now that I’ve informed you that the linked Docker documentation is garbage, that YouTube videos are for starter devs or execs pretending to be learning, and that (holy shit) applications require back-end data to be able to do anything, what the hell is going on in the linked question?

    Glad you asked. Let’s find out!

    tmpfs mount

    Ok, so I said this was useless but really it’s just confusing as fuck with no baseline. Like what the fuck, nowhere in this does it mention Linux and I have to be running a Linux kernel in the container to use this. That’s crazy but ok. The best part is it’s insisting that it’s writing to RAM and not a HD. Like ok, so I can write to RAM in Linux but not in Windows. You guys are fucking with me aren’t you. Yep. Ok, that’s fine, that’s how it works. There are a lot of cmds here to use with Docker around this thing but we don’t really care. I want to be able to answer the question and know the why. At this point the how is outside my scope. Wait, but it says ‘not persisted’, what the fuck, it seems like all this is persisted. Ignore that, it’s a red herring. That’s my thought at least. I could be wrong here but we shall see haha. Anyway, the next part about being removed when it’s stopped, that’s important. This is a unique identifier to tmpfs mounts as it’s written to RAM.

    Volume mount

    This is literal normal application storage on a hard disk that can be accessed by multiple Docker containers or, to put it in other words, instances of your app server. The host core functionality bit is slightly confusing but again, I think this is a red herring. The important part is it’s managed on the host. Obviously the services are going to be isolated from the host. That’s literally the entire point of containers. So the important part of this question is “in a directory on the host” and basically ignore anything else. However, this bit is the difference between the last two answers: “While bind mounts are dependent on the directory structure of the host machine, volumes are completely managed by Docker.” I know what you’re thinking, why would they be so cruel? Welcome to server tests. Honestly, I enjoy the logic torture.

    Bind mount

    Basically this somehow calls on OS local APIs to be able to serve the data into the application and a volume mount does not; otherwise it’s the same thing. Well, that’s my understanding.
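To see the three storage behaviours above side by side, here is an added example (not from the post, the linked Docker docs or MeasureUp) for a Windows Server 2016 container host: a file written into the container's own writable layer, into a Docker-managed volume, and into a bind mount, then checked after the container is removed. It assumes Docker is installed and running, that `$image` is replaced with a Nano Server image present on the host, and that `C:\hostdata` may be created; tmpfs mounts are Linux-only, so they have no case here.

```powershell
# Added example, not from the post or Docker's docs. Assumptions: Docker is running,
# $image is a placeholder for a Nano Server image already on the host, and C:\hostdata
# is ours to create. tmpfs mounts are not available to Windows containers, so the three
# cases are: writable layer only, Docker-managed volume, bind mount.
$image   = 'microsoft/nanoserver'   # placeholder; substitute the image present on the host
$volume  = 'appdata'                # constructed volume name
$hostDir = 'C:\hostdata'            # constructed host directory for the bind mount

function Invoke-Container {
    # Run a throwaway container (--rm deletes it on exit) with extra docker arguments
    # and a cmd.exe command; returns whatever the command printed.
    param([string[]]$DockerArgs, [string]$Command)
    & docker run --rm @DockerArgs $image cmd /c $Command
}

# 1. Writable layer only: the file lives in this container's layer and dies with it.
Invoke-Container -DockerArgs @() -Command 'echo layer-only>C:\state.txt'
# A fresh container from the same image does not see it.
$layerResult = Invoke-Container -DockerArgs @() `
    -Command 'if exist C:\state.txt (echo present) else (echo absent)'

# 2. Docker-managed volume: Docker picks and owns the location under its data root;
#    a later container that mounts the same volume sees the data.
& docker volume create $volume | Out-Null
$volMount = "type=volume,source=$volume,target=C:\data"
Invoke-Container -DockerArgs @('--mount', $volMount) -Command 'echo from-volume>C:\data\state.txt'
$volumeResult = Invoke-Container -DockerArgs @('--mount', $volMount) -Command 'type C:\data\state.txt'

# 3. Bind mount: the container is handed a directory we chose on the host, so the
#    data is visible to the host (and to any other container given the same path).
New-Item -ItemType Directory -Path $hostDir -Force | Out-Null
$bindMount = "type=bind,source=$hostDir,target=C:\data"
Invoke-Container -DockerArgs @('--mount', $bindMount) -Command 'echo from-bind>C:\data\state.txt'
$bindResult = Get-Content (Join-Path $hostDir 'state.txt')

# Least-privilege note: a bind mount exposes a host path to the container's processes;
# append ",readonly" to $bindMount unless the app genuinely has to write there.
[pscustomobject]@{
    LayerFileSurvivedRemoval  = ($layerResult  -eq 'present')      # expected False
    VolumeFileSurvivedRemoval = ($volumeResult -eq 'from-volume')  # expected True
    BindFileVisibleOnHost     = ($bindResult   -eq 'from-bind')    # expected True
}
```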

    So all that is clear as mud right? I don’t know what to say, it’s kind of a lot to wrap your brain around but it’s good stuff. Just read, stop obsessing over terminology you’re not familiar with and realize that maybe you understand a few things about computers. Perhaps the terms are tools more for communication than practical things.

    Software Defined Networking

    There is a lot to cover with Software Defined Networking (SDN) and I mean a lot. And after messing with VMs for a while and learning that setting up a simple pass-thru configuration or setting up an internal network on a hypervisor between two VMs using various hypervisor platforms, I can only imagine how complicated this gets in real world scenarios. Today we are just talking about MSFT stuff, thankfully. So we can dive into all kinds of theory without having to get into the practical application of this tech and seeing it fail because I don’t have a way to simulate a full SDN that would require a load balancer and multiple apps. Super excited to learn about this stuff in theory though, and to be able to answer questions about installing this tech using PowerShell. Gib me seber job plaz. I mean, I have a server job but I mean Windows Server administration. Anyway, so here is one question about this. I’m sure there are more….actually wait. First, a video….What is SDN in Server 2016…. let’s find out!

    I found this one helpful on account of the skee ball machine and spray art. I’m assuming that if you get enough tickets on the skee ball machine you can hire an authentic spray artist to come and tag the side of your garage. On account of being urban. No seriously though, this one is really helpful. I’m slightly worried that the guy on the left might be murderous. (says the guy in the black metal shirt)

    This one is also helpful although he loses me a bit when he completely circumvents the entire point of having a SLB by saying that a router in the VMs is going to do that. I mean he didn’t say a switch right? I’m not making this up right? Ok, good. Because he also talks about the outbound traffic skipping the MUX SLB by going directly back to the gateway. I mean, is there a reason why it wouldn’t go directly back to the gateway? Also, when you start watching the video you’re going to think “at any moment now I’m expecting this man to rip his shirt off and start punching a hole through that thing he’s writing on.” Unfortunately, he’s not really the punching type, and everything other than the MUX SLB stuff that I found a touch confusing in the later part of the video I found very helpful, so I’m putting that in here as well.

    So after spending like two hours or so of your day (didn’t tally up the times on those bad bois) you now sort of have an idea of what they are talking about. It seems super complicated, however when you start considering the amount of commerce that is done through web traffic it’s really completely reasonable, and I’m starting to see a picture here of a solution for web application hosting from the point of entry into your DMZ all the way through serving up data from back-end servers in a reasonably efficient manner. We consistently have this drive in the tech world to get the most out of our machines, for several reasons, but the end result is always this incredibly well orchestrated picture. Ok, enough with the romance, Barnes. Let’s get into TechNet. Wait, is now a good time to link this question? Nahhh

    Software Load Balancing (SLB)

    Software Defined Networking in Server 2016

    Ok, now maybe we have an idea of what is going on. I should consider making that last bit of two links an ordered list with cute little bullet points, for the sake of professionalism. If you have anything to do with job acquisition and you’ve read this, be sure and pat the top of your left ear twice and that way I’ll know you’re in my cool club for cool people. Lame people only get to do lame stuff and then we say ‘those lames do lames for cool’. Just trust me on the variables on this, I’ve done the math and every bit of it checks out. Wait, I might be getting ahead of myself and posting all the good stuff before I’m supposed to. Anyway, uhha yeah here is the question I was talking about:

    [screenshot: pt 1]

    [screenshot: pt 2]

    So the question is a touch confusing and it doesn’t have much to do with a lot of what we talked about; however, one important note is that you do have to have network controllers installed, which seems very fucking obvious but ok. Really, this is basically memorization. I feel there is a way to do this through Server Manager, oh look, someone’s made a YouTube video and that someone is none other than STONE COLD STEVE AUSTIN

    So it’s important to know this stuff about PowerShell, and it looks like this guy runs some stuff in PS that’s much more complicated than what’s implied in the MeasureUp material, but I think the point is learning and familiarizing yourself with the material through research. Or you can memorize answers for stuff that you don’t understand, which is terrifically boring to me. I love conceptual learning.

    That is all for tonight.

    IPAM administration

    On this episode of Diners, Drive-ins and Dives! It’s time to figure out what’s going on with IPAM administration, roles and role creation. I’ve seen several questions about this and I’m going to hit the overview. I was real mixed up as to the difference between MSM and ASM, as I had never heard of that. Then there is also this thing where you can define a scope for someone to administer, but at the start of writing this blog I’m not sure what role you assign them in IPAM and then define a subset or rule of defining a scope for them to administer rather than an entire farm or specific roles on a server. So hopefully by the time I’m done rambling I’ll figure out what I’m doing with that situation.

    So anyway, as we get faded on TechNet articles and Nipsey Hussle (RIP) videos playing in the background, maybe we can learn some stuff. Let’s get into the questions. The first one is pretty straightforward. Thankfully, so let’s get into it.

    [screenshot: IPAM permissions]

    This is fairly straightforward, the question includes a TechNet link (this is the major benefit of MeasureUp) that details everything.

    IPAM roles

      here is the important part

    • IPAM Administrators: IPAM administrators can view all IPAM data and manage all IPAM features.
    • IPAM ASM Administrators: IPAM address space management (ASM) administrators can manage IP address blocks, ranges, and addresses.
    • IPAM IP Audit Administrators: IPAM IP audit administrators can view IP address tracking data.
    • IPAM MSM Administrators: IPAM multi-server management (MSM) administrators can manage DNS and DHCP servers.
    • IPAM Users: IPAM users can view information in IPAM, but cannot manage IPAM features or view IP address tracking data.

    Seeing as how I’ve seen that on both platforms, I’m pretty sure I need to know it. MSM, ASM and Audit are the important ones according to what I’ve seen so far. Obviously, there is no need for me to re-explain this as I literally just reposted info from an article that I linked.


    So anyway, what’s this bit about assigning a subnet to a specific person to manage.

    [screenshot: manage ipam pt 1]

    [screenshot: ipam pt 2]

    So this literally makes almost sense. There aren’t enough steps here, or so it would seem. Don’t I have to assign the user some form of IPAM administration and then define a scope? How does that happen?

    I keep trying to find further information on this but I’m not finding anything. It clearly says the DHCP admin role but is that using the principle of least privilege? It would appear that this is something you would have to install Server and IPAM to deal with. I may do that at some point but it won’t be tonight.
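For the "assign a subnet to one person" question above, here is an added example (not from the post, MeasureUp or TechNet) of the scoped, least-privilege way to do it with the IpamServer module: create an access scope under \Global, move only the target subnet into it, and bind the user to a built-in role at that scope. The domain, user, subnet and scope name are constructed; the parameter names and the built-in role name are as I recall them from the module's help, so confirm them with Get-Help before use.

```powershell
# Added example, not from the post or TechNet. Assumptions: run on the IPAM server as an
# IPAM administrator; CONTOSO\jdoe, 10.20.30.0/24 and Branch-Atlanta are constructed values;
# cmdlet parameter names and the role name are as recalled, so check Get-Help first.
Import-Module IpamServer

$scopeName = 'Branch-Atlanta'            # constructed child scope name
$scopePath = "\Global\$scopeName"        # access scope paths hang off the built-in \Global
$delegate  = 'CONTOSO\jdoe'              # constructed user or group alias
$subnet    = '10.20.30.0/24'             # constructed subnet already present in IPAM
$role      = 'IPAM ASM Administrator'    # built-in role: address space management only,
                                         # no DHCP/DNS server management (assumed name)

# 1. A child access scope. Objects left under \Global stay out of the delegate's view.
Add-IpamAccessScope -Name $scopeName -ParentPath '\Global' `
    -Description 'Delegated: one branch subnet' | Out-Null

# 2. Put only the target subnet in that scope; nothing else moves.
Set-IpamSubnet -NetworkId $subnet -AccessScopePath $scopePath

# 3. Bind the user to the role AT that scope, not at \Global. This is the step the
#    screenshots skip: role + scope together are what limit the delegate to one subnet.
Add-IpamAccessPolicy -UserAlias $delegate -Role $role -AccessScopePath $scopePath

# Verify: the policy for this user should show a single role/scope pairing.
# (UserAlias as the output property name is assumed.)
Get-IpamAccessPolicy | Where-Object { $_.UserAlias -eq $delegate } | Format-List
```

Giving the same user the IPAM DHCP Administrator role at \Global instead would let them manage every DHCP server IPAM knows about, which is the least-privilege concern raised above.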
