Thursday, December 28, 2023

Searching shutdown logs

Linux

grep -iva ': starting\|kernel: .*: Power Button\|watching system buttons\|Stopped Cleaning Up\|Started Crash recovery kernel' /var/log/messages /var/log/syslog /var/log/apcupsd* | grep -iw 'recover[a-z]*\|power[a-z]*\|shut[a-z ]*down\|rsyslogd\|ups'


Windows

Event ID   Description
41         The system has rebooted without cleanly shutting down first.
1074       The system has been shut down properly by a user or process.
1076       Follows Event ID 6008 and means that the first user with shutdown privileges who logged on to the server after an unexpected restart or shutdown specified the cause.
6005       The Event Log service was started. Indicates system startup.
6006       The Event Log service was stopped. Indicates a proper system shutdown.
6008       The previous system shutdown was unexpected.
6009       The operating system version detected at system startup.
6013       The system uptime in seconds.

PS C:\> Get-EventLog System -Newest 10000 | `
        Where-Object EventID -in 41,1074,1076,6005,6006,6008,6009,6013 | `
        Format-Table TimeGenerated,EventID,UserName,Message -AutoSize -Wrap
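The following is an added example, not code from the original post. It queries the same event IDs as the table above, but lets the Event Log service do the filtering (Get-WinEvent with a FilterHashtable) instead of pulling the newest 10000 records and filtering them in the pipeline, and it flags the two IDs (41 and 6008) that mean the box went down without a clean shutdown. It assumes PowerShell 5.1 or 7 on Windows with read access to the System log; the labels and the 30-day window are mine.

```powershell
# Added example (not from the original post): build a shutdown/startup timeline
# from the System log using the event IDs in the table above.
# Assumes PowerShell 5.1 or 7 on Windows with read access to the System log.

$ShutdownEventIds = 41, 1074, 1076, 6005, 6006, 6008, 6009, 6013

# Short labels per event ID, condensed from the table above
$Labels = @{
    41   = 'Dirty reboot (no clean shutdown)'
    1074 = 'Clean shutdown/restart requested'
    1076 = 'Unexpected shutdown reason supplied by user'
    6005 = 'Event Log service started (system startup)'
    6006 = 'Event Log service stopped (clean shutdown)'
    6008 = 'Previous shutdown was unexpected'
    6009 = 'OS version logged at startup'
    6013 = 'System uptime (seconds)'
}

function Get-ShutdownTimeline {
    param(
        [int]$Days = 30,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    # FilterHashtable filters inside the Event Log service, so only matching
    # records are read, instead of fetching the newest 10000 and filtering later.
    $filter = @{
        LogName   = 'System'
        Id        = $ShutdownEventIds
        StartTime = (Get-Date).AddDays(-$Days)
    }

    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated |
        ForEach-Object {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Id         = $_.Id
                Label      = $Labels[$_.Id]
                # 41 and 6008 indicate a crash, power loss or forced reset
                Unexpected = $_.Id -in 41, 6008
                # Event 1074 records which user/process requested the shutdown
                User       = $_.UserId
                Message    = ($_.Message -split "`r?`n")[0]   # first line only
            }
        }
}

# Usage: show the last 30 days, then count the unexpected shutdowns separately
$timeline = Get-ShutdownTimeline -Days 30
$timeline | Format-Table Time, Id, Label, Unexpected, User -AutoSize
'Unexpected shutdowns in the window: {0}' -f ($timeline | Where-Object Unexpected).Count
```

Get-WinEvent is also the portable choice: Get-EventLog exists only in Windows PowerShell 5.1 and is absent from PowerShell 7. Pass -ComputerName to run the same query against a remote server whose uptime you are checking.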

Thursday, December 21, 2023

Remove credentials from SYSTEM context via credential manager

  1. Download PsExec and copy it to %WINDIR%\system32
  2. Run: rundll32 keymgr.dll,KRShowKeyMgr
  3. Remove the items.

Related to Event ID 14:

Log Name:      System
Source:        Microsoft-Windows-Security-Kerberos
...
Event ID:      14
....
Description:
The password stored in Credential Manager is invalid. This might be caused by the user changing the password from this computer or a different computer. To resolve this error, open Credential Manager in Control Panel, and reenter the password for the credential Email removed for privacy.
...
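As an added example (not part of the original post), here is a PowerShell script that pulls the Kerberos Event ID 14 entries described above from the System log and lists the Credential Manager targets visible to whatever account runs it, so the stale entry can be matched and removed. Credential Manager vaults are per-user, so to see the SYSTEM account's entries the script has to run in a SYSTEM shell (for example one started with PsExec, as in the steps above); the cmdkey output parsing is based on the format cmdkey /list prints (Target / Type / User lines), and the 7-day window is my choice.

```powershell
# Added example (not from the original post): find Kerberos Event ID 14 entries
# and list the Credential Manager targets visible to the current account.
# Assumes PowerShell 5.1+ on Windows. To inspect the SYSTEM account's vault,
# run this in a SYSTEM shell; an ordinary shell shows only your own entries.

function Get-StaleCredentialEvents {
    param([int]$Days = 7)
    $filter = @{
        LogName      = 'System'
        ProviderName = 'Microsoft-Windows-Security-Kerberos'
        Id           = 14
        StartTime    = (Get-Date).AddDays(-$Days)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { $_.Message -replace '\s+', ' ' } }
}

function Get-StoredCredentialTargets {
    # cmdkey /list prints blocks like (constructed sample):
    #     Target: Domain:target=TERMSRV/host01
    #     Type: Domain Password
    #     User: CORP\svc-backup
    # Parse them into objects so they can be compared with the Event 14 text.
    $current = $null
    foreach ($line in (cmdkey /list)) {
        if ($line -match '^\s*Target:\s*(.+)$') {
            if ($current) { $current }
            $raw = $Matches[1].Trim()
            $current = [pscustomobject]@{
                Target = $raw
                # the part after "target=" is what cmdkey /delete:<Name> expects
                Name   = $raw -replace '^\w+:target=', ''
                Type   = $null
                User   = $null
            }
        }
        elseif ($current -and $line -match '^\s*Type:\s*(.+)$') { $current.Type = $Matches[1].Trim() }
        elseif ($current -and $line -match '^\s*User:\s*(.+)$') { $current.User = $Matches[1].Trim() }
    }
    if ($current) { $current }
}

# Usage: show which account this runs as (SYSTEM or a user), the stale-password
# events, and the vault entries in this context.
"Running as: $([System.Security.Principal.WindowsIdentity]::GetCurrent().Name)"
Get-StaleCredentialEvents -Days 7 | Format-Table -AutoSize -Wrap
Get-StoredCredentialTargets | Format-Table Name, Type, User -AutoSize
```

Once the offending target is identified, cmdkey /delete:<Name> run in the same context removes it, which is the command-line equivalent of deleting the item in the KRShowKeyMgr dialog; the event should stop recurring after the next logon or service restart.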

Monday, December 4, 2023

Rename AD Domain name

  1. rendom /list
  2. notepad Domainlist.xml
  3. (edit the file and save it)
  4. rendom /showforest (shows the changes)
  5. rendom /upload
  6. rendom /prepare
  7. rendom /execute
  8. Domain controllers restart themselves
  9. Workstations and servers must be rebooted twice to change their names
  10. Rename the domain controllers manually:
    • netdom computername DC01.dominio.com /add:DC01.newdomain.com
    • netdom computername DC01.dominio.com /makeprimary:DC01.newdomain.com
  11. Reboot the domain controllers to apply the changes
  12. gpfixup /olddns:dominio.com /newdns:newdomain.com
  13. rendom /clean
  14. rendom /end

Create a new zone for the domain name:
  • Create the zone with whatever the domain is called, newdomain.local or newdomain.com (whatever the new AD DNS domain name is).
  • Make the zone AD integrated.
  • For the replication scope select the center button (To all DNS servers running on domain controllers in this domain), and allow Secure and Unsecure updates.

Then create the _msdcs zone:

  • Create an _msdcs.newdomain.local or _msdcs.newdomain.com zone (as above, whatever the new AD DNS domain name is).
  • Make the zone AD integrated.
  • For the replication scope select the top button (To all DNS servers running on domain controllers in this forest), and allow Secure and Unsecure updates.

Then either restart the DC, or run the following (which is my usual option):

  • ipconfig /registerdns
  • net stop netlogon
  • net start netlogon
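The zone creation and the netlogon re-registration above, scripted as an added example that is not from the original post. It uses the DnsServer module cmdlets (Add-DnsServerPrimaryZone, Get-DnsServerZone) with the same scopes the text describes: Domain scope for the domain zone, Forest scope for the _msdcs zone, AD integrated in both cases, and dynamic updates set to both secure and nonsecure as the post specifies. It assumes it runs elevated on a domain controller with the DNS Server role; 'newdomain.com' is a placeholder, and the final SRV lookup is my own check that Netlogon registered the DC after the restart.

```powershell
# Added example (not from the original post): create the renamed domain's
# forward zone and its _msdcs zone with the scopes described above, then
# re-register the DC's records. Assumes the DnsServer module is present and
# the script runs elevated on a domain controller. 'newdomain.com' is a placeholder.

$NewDomain = 'newdomain.com'

function New-RenamedDomainZones {
    param(
        [Parameter(Mandatory)][string]$DomainName,
        # The post allows both secure and nonsecure updates; 'Secure' is the
        # tighter choice when every host that registers records is domain-joined.
        [ValidateSet('Secure', 'NonsecureAndSecure')]
        [string]$DynamicUpdate = 'NonsecureAndSecure'
    )

    $zones = @(
        # domain zone: replicate to all DNS servers on DCs in this domain
        @{ Name = $DomainName;          ReplicationScope = 'Domain' }
        # _msdcs zone: replicate to all DNS servers on DCs in the forest
        @{ Name = "_msdcs.$DomainName"; ReplicationScope = 'Forest' }
    )

    foreach ($z in $zones) {
        if (Get-DnsServerZone -Name $z.Name -ErrorAction SilentlyContinue) {
            "Zone $($z.Name) already exists, skipping"
            continue
        }
        # Specifying -ReplicationScope creates an AD-integrated primary zone
        Add-DnsServerPrimaryZone -Name $z.Name `
                                 -ReplicationScope $z.ReplicationScope `
                                 -DynamicUpdate $DynamicUpdate
        "Created zone $($z.Name) ($($z.ReplicationScope) scope, $DynamicUpdate updates)"
    }
}

function Register-DcRecords {
    param([Parameter(Mandatory)][string]$DomainName)
    # Equivalent of: ipconfig /registerdns; net stop netlogon; net start netlogon
    ipconfig /registerdns | Out-Null
    Restart-Service -Name Netlogon -Force
    # Netlogon writes the DC's SRV records into _msdcs.<domain> when it starts;
    # check the LDAP SRV record exists before relying on the new name.
    Resolve-DnsName -Name "_ldap._tcp.dc._msdcs.$DomainName" -Type SRV -ErrorAction SilentlyContinue
}

New-RenamedDomainZones -DomainName $NewDomain
Register-DcRecords -DomainName $NewDomain
```

If the Resolve-DnsName call returns nothing, the DC has not yet registered in the new _msdcs zone; give Netlogon a moment and re-run the lookup, or check the DNS Server event log for registration failures before moving on to gpfixup and rendom /clean.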

L2TP/IPsec Windows to Mikrotik error 789

Add this to the registry: REG ADD HKLM\SYSTEM\CurrentControlSet\Services\PolicyAgent /v AssumeUDPEncapsulationContextOnSendRule /t REG_DWORD /d...