Wednesday, June 18, 2025

Windows: Enable LDAP over SSL (LDAPS) using a third-party certificate authority (CA)

Let's walk through configuring LDAPS (LDAP over SSL) with a third-party certification authority for the mydomain.local domain, which has three domain controllers: DC1, DC2 and DC3.

1. Create a certificate request template as a <name>.inf file for each domain controller, where <name> is the controller's FQDN (for example, DC1.mydomain.local):

[Version]
Signature="$Windows NT$"

[NewRequest]
Subject = "CN=DC1.mydomain.local" ; FQDN of the current controller
KeySpec = 1
KeyLength = 2048
Exportable = TRUE
MachineKeySet = TRUE
SMIME = False
PrivateKeyArchive = FALSE
UserProtected = FALSE
UseExistingKeySet = FALSE
ProviderName = "Microsoft RSA SChannel Cryptographic Provider"
ProviderType = 12
RequestType = PKCS10
KeyUsage = 0xa0

[EnhancedKeyUsageExtension]
OID=1.3.6.1.5.5.7.3.1 ; Server Authentication

[Extensions]
2.5.29.17 = "{text}"
_continue_ = "dns=DC1.mydomain.local&" ; FQDN of the current controller
_continue_ = "dns=DC1&" ; short name of the current controller
_continue_ = "dns=DC2.mydomain.local&" ; FQDN of other controllers
_continue_ = "dns=DC2&"
_continue_ = "dns=DC3.mydomain.local&"
_continue_ = "dns=DC3&"
_continue_ = "dns=ldap.mydomain.local&" ; virtual name for switching
_continue_ = "dns=mydomain.local&" ; FQDN
_continue_ = "dns=MYDOMAIN" ; NetBIOS domain name

Important:
For load balancing to work, the [Extensions] section must list the FQDN of the domain and of every domain controller, together with their NetBIOS names, because a client may connect under any of these names and the name it uses must appear in the certificate. You can also add fault-tolerant DNS records such as "ldap.mydomain.local".

Save the file on each controller (for example, C:\Cert\DC1.inf).

2. Generate a CSR on each controller from its .inf file:
certreq -new C:\Cert\<name>.inf C:\Cert\<name>.csr

3. Send the CSRs to the third-party CA: hand DC1.csr, DC2.csr and DC3.csr to the administrator of the external CA and get back the signed certificates (DC1.cer, DC2.cer, DC3.cer or DC1.p7b, DC2.p7b, DC3.p7b).

4. Install the certificates on the domain controllers. To do this, run the import command on each domain controller:
certreq -accept C:\Cert\<name>.cer

To check the installed certificate, open "mmc" and add the "Certificates (Local Computer)" snap-in. Make sure that the certificate appears under Personal → Certificates and has a private key.

5. If Windows Firewall is enabled on the controllers, open TCP port 636 to complete the LDAPS configuration:
New-NetFirewallRule -DisplayName "LDAPS" -Direction Inbound -Protocol TCP -LocalPort 636 -Action Allow

6. Restart the LDAP service or reboot the servers:
Restart-Service NTDS -Force

7. Check that LDAPS works with "ldp.exe": connect to the domain controller on port 636 with the "SSL" box checked.

Disabling unencrypted LDAP (optional):

Open "Group Policy Management" and select "Default Domain Controllers Policy".
Go to: "Computer Configuration → Policies → Windows Settings → Security Settings → Domain Controller: Require digital signature for LDAP server".
Set the parameter: "Require digital signature".
Restart the domain controllers to apply the changes.

Monday, May 26, 2025

Windows: Remove recovery partition from disk

Sometimes such a partition prevents you from expanding the Windows system disk in a virtual environment. To remove it, open a console with elevated privileges and run the following:

1. First, disable the recovery environment:
reagentc /disable

2. Then run:
diskpart
list volume

Note the volume number of the recovery partition; you will need it in the next step.

3. Delete the partition:
select volume N
delete volume override
exit

where N is the number of your recovery partition.

As a result of these actions, the recovery partition will be deleted and the space it occupied will be freed up.

Friday, May 23, 2025

Windows: Disabling Azure Arc Setup on Windows Server 2022 and later

Since the end of 2024, a new component, "Azure Arc Setup", has been shipped with Windows updates; it is intended for managing Azure resources. If you do not use this functionality, it is recommended to disable it. To do so, open a PowerShell console with elevated privileges and run:

For Windows Server 2022:
Disable-WindowsOptionalFeature -Online -FeatureName AzureArcSetup
(On Windows Server 2022 you can also disable this feature by removing the component through "Server Manager".)

For Windows Server 2025:
DISM /online /Remove-Capability /CapabilityName:AzureArcSetup~~~~

After this, you will need to reboot the host.

Tuesday, May 20, 2025

ALT Linux: Different methods of setting up time synchronization via NTP protocol

Accurate time synchronization is critical for distributed systems, event logging, security, and other tasks. The following NTP (Network Time Protocol) configuration methods are available in ALT Linux: chrony, systemd-timesyncd, ntpd. Before configuring, make sure that other time synchronization services are stopped and disabled.


Configuring Chrony:

Chrony is a modern solution for synchronization with support for unstable networks. In ALT Linux it is enabled by default. To set it up, follow these steps:

1. Install the package, enable it at boot and start the service:
sudo apt-get update && sudo apt-get install chrony
sudo systemctl enable --now chronyd

2. Open the file "/etc/chrony.conf" and specify NTP servers or pools:
server ntp1.example.com iburst
server ntp2.example.com iburst

or
pool pool.ntp.org iburst

where:
iburst — speeds up the initial synchronization;
server — use individual servers;
pool — use a pool of servers.

3. Restart the service:
sudo systemctl restart chronyd

4. Check the status and view the log:
chronyc sources -v
chronyc tracking
journalctl -u chronyd
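The pre-check from the introduction (only one time daemon may steer the clock) and the status check in step 4, as an added example that is not part of the original post; the chronyc output it parses is a constructed sample, and the 1-second offset limit is an assumption.

```shell
#!/bin/sh
# 1) Stop and disable the two daemons that are not the chosen one.
# 2) Decide from "chronyc tracking" output whether the clock is really in
#    sync, which is what a monitoring probe or a post-install test needs.

# Prints the daemons that must be stopped when $1 is the chosen one.
other_ntp_services() {
    for s in chronyd systemd-timesyncd ntpd; do
        [ "$s" = "$1" ] || printf '%s\n' "$s"
    done
}

# Stops and disables the competing daemons, then enables $1 (root + systemd).
use_only_ntp_service() {
    for s in $(other_ntp_services "$1"); do
        systemctl disable --now "$s" 2>/dev/null || true
    done
    systemctl enable --now "$1"
}

# Reads "chronyc tracking" output on stdin. Succeeds only when the leap
# status is Normal, the stratum is 1..15 and the system clock is within
# $1 seconds of NTP time (default 1 s).
chrony_in_sync() {
    awk -v limit="${1:-1}" '
        /^Leap status/ { leap = $NF }
        /^Stratum/     { stratum = $NF }
        /^System time/ { off = $4 }
        END { if (leap != "Normal" || stratum < 1 || stratum > 15 || off > limit)
                  exit 1 }'
}

# Constructed sample of "chronyc tracking" output for a synchronised host.
SAMPLE_TRACKING='Reference ID    : C0A80001 (ntp1.example.com)
Stratum         : 3
Ref time (UTC)  : Tue May 20 10:00:00 2025
System time     : 0.000123456 seconds fast of NTP time
Last offset     : +0.000012345 seconds
Leap status     : Normal'

# On a live host replace the sample with: chronyc tracking | chrony_in_sync
if printf '%s\n' "$SAMPLE_TRACKING" | chrony_in_sync; then
    echo "clock is synchronised"
else
    echo "clock is NOT synchronised" >&2
fi
```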



Configuring systemd-timesyncd:

systemd-timesyncd is a lightweight client integrated into systemd. To configure, follow these steps:

1. Install the package:
sudo apt-get update && sudo apt-get install systemd-timesyncd

2. Enable the service:
sudo timedatectl set-ntp true

3. Edit "/etc/systemd/timesyncd.conf":
[Time]
NTP=ntp1.example.com ntp2.example.com


4. Apply the changes:
sudo systemctl restart systemd-timesyncd

5. Test:
timedatectl show-timesync


Configuring ntpd (legacy method):

ntpd is the classic NTP implementation. To configure this method, follow these steps:

1. Install the package:
sudo apt-get update && sudo apt-get install ntp

2. Edit the configuration file "/etc/ntp.conf":
server ntp1.example.com
server ntp2.example.com


3. Enable the service at boot and start it:
sudo systemctl enable ntpd && sudo systemctl start ntpd

4. Perform a check:
ntpq -p

Thursday, May 15, 2025

ALT Linux: Setting up SSH connection for user "root"

To configure, follow these steps:

1. Install the "openssh" package (or verify that it is already installed):
sudo apt-get install openssh

2. Edit the configuration file:
sudo nano /etc/openssh/sshd_config
Uncomment and set the "PermitRootLogin" parameter to "yes".

3. Restart the daemon:
sudo systemctl restart sshd

If the service was not running, enable and run:
sudo systemctl enable --now sshd

4. Try to establish a connection via SSH as the "root" user.
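Step 2 edited by hand and step 3 as a blind restart are where a typo locks you out; the following added example (not from the original post) sets the directive idempotently and validates the file with "sshd -t" before the restart. The config path follows ALT Linux as in the post; the function names are my own.

```shell
#!/bin/sh
# set_sshd_option FILE DIRECTIVE VALUE
# Replaces the first active or commented-out ("#Directive ...") occurrence,
# drops later duplicates (sshd honours the first match only) and appends the
# directive when it is absent. Directive names are case-insensitive, as in sshd.
set_sshd_option() {
    file=$1 key=$2 val=$3 tmp="$1.tmp.$$"
    awk -v key="$key" -v val="$val" '
        tolower($1) == tolower(key) || tolower($1) == ("#" tolower(key)) {
            if (!done) { print key, val; done = 1 }
            next
        }
        { print }
        END { if (!done) print key, val }' "$file" > "$tmp" \
        && cat "$tmp" > "$file" && rm -f "$tmp"   # keep the file's mode/owner
}

# get_sshd_option FILE DIRECTIVE: prints the value sshd would actually use.
get_sshd_option() {
    awk -v key="$2" 'tolower($1) == tolower(key) { print $2; exit }' "$1"
}

# "sshd -t" parses the config and exits non-zero on any error; call it before
# "systemctl restart sshd" so a broken file never reaches the running daemon.
sshd_config_ok() {
    sshd -t -f "$1"
}

# Typical use on the host (as root):
#   set_sshd_option /etc/openssh/sshd_config PermitRootLogin yes
#   sshd_config_ok /etc/openssh/sshd_config && systemctl restart sshd
# Use the value prohibit-password instead of yes to let root in with keys only.
```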

Friday, April 11, 2025

ALT Linux: Different ways to configure network interfaces

To view the network adapter drivers, run:
lspci -k | grep -A2 Ethernet

You can list the network interfaces with:
ls /sys/class/net

Let's say our interface is called "ens33".


Interface settings using the "ip" utility.

ip link show   #View network connections
ip -s l   #View statistics on sent/received packets
ip address show   #View TCP/IP configuration
ip link set dev ens33 up   #Enable the interface if it was disabled
ip address flush dev ens33   #Reset interface configuration
ip addr add 192.168.0.5/24 broadcast + dev ens33   #Set IP and mask
ip addr del 192.168.0.5/24 dev ens33   #Delete IP and mask (in case of error)
ip route show   #View routing table
ip route add default via 192.168.0.1 dev ens33   #Set default gateway
ip route delete default   #Delete default gateway
ip route add 192.168.10.0/24 via 192.168.0.254 dev ens33   #Add route
ip route del 192.168.10.0/24 dev ens33   #Delete route
printf 'nameserver 192.168.0.1\nnameserver 8.8.8.8\n' | sudo tee /etc/resolv.conf   #Add DNS (one "nameserver" line per server)

These settings are temporary and will work until the OS is rebooted.


Setting up the "Etcnet" network subsystem.

1. Install the package and start the service:
sudo apt-get install etcnet
sudo systemctl enable --now network


2. To set up the interface, you need to create or edit existing files in the "/etc/net/ifaces/ens33/" directory, where "ens33" is the name of the network interface.
Configure the following parameters in the "options" file:

For DHCP:

BOOTPROTO=dhcp #Use DHCP
TYPE=eth
CONFIG_WIRELESS=no
SYSTEMD_BOOTPROTO=dhcp4
CONFIG_IPV4=yes #Enables IPv4 support for the interface
DISABLED=no #Set to yes when Etcnet is not used
NM_CONTROLLED=no #Set to yes when NetworkManager is used
SYSTEMD_CONTROLLED=no #Set to yes when systemd-networkd is used
ONBOOT=yes #Activates the interface when the system boots



For static IP:

BOOTPROTO=static #Use a static IP
TYPE=eth
CONFIG_WIRELESS=no
SYSTEMD_BOOTPROTO=static
CONFIG_IPV4=yes #Enables IPv4 support for the interface
DISABLED=no #Set to yes when Etcnet is not used
NM_CONTROLLED=no #Set to yes when NetworkManager is used
SYSTEMD_CONTROLLED=no #Set to yes when systemd-networkd is used
ONBOOT=yes #Activates the interface when the system boots


In the same directory, create a file called "ipv4address" with the following content:
192.168.0.5/24 #IP and mask

Create a file called "ipv4route" with the following content:
default via 192.168.0.1 #Default gateway
192.168.10.0/24 via 192.168.0.254 #Static routes

Create a file called "resolv.conf" with the following content:
nameserver 192.168.0.1 #DNS1
nameserver 8.8.8.8 #DNS2


3. Restart the interface:
sudo ifdown ens33 && sudo ifup ens33
or the service:
sudo systemctl restart network

4. Perform configuration checks:
ip address show
ip route show
resolvconf -l



If you need to remove the "Etcnet" components, run:
sudo apt-get remove etcnet
sudo rm -rf /etc/net   #Remove Etcnet settings (a directory, so -r is required)
sudo rm -f /etc/resolv.conf   #Remove symlink


Setting up the "NetworkManager" network subsystem.

1. Install NetworkManager:
sudo apt-get install NetworkManager

2. Enable and start the service:
sudo systemctl enable --now NetworkManager

3. Configure the network interface using the terminal utility "nmtui" ("sudo apt-get install NetworkManager-tui") or in the command line with the utility "nmcli":

View:
nmcli con show   #View network connections
nmcli dev show ens33   #View active connection on "ens33"
nmcli con show 'Wired connection 1'   #View connection parameters

Settings for DHCP:
nmcli con mod 'Wired connection 1' ipv4.method auto
nmcli con mod 'Wired connection 1' ipv4.addresses "" ipv4.gateway ""
nmcli con mod 'Wired connection 1' ipv4.dns ""
nmcli con mod 'Wired connection 1' ipv4.routes ""
nmcli con up 'Wired connection 1'


Settings for static IP:
nmcli con mod 'Wired connection 1' ipv4.addresses 192.168.0.5/24
nmcli con mod 'Wired connection 1' ipv4.gateway 192.168.0.1
nmcli con mod 'Wired connection 1' ipv4.dns "192.168.0.1 8.8.8.8"
nmcli con mod 'Wired connection 1' +ipv4.routes "192.168.10.0/24 192.168.0.254"
nmcli con mod 'Wired connection 1' ipv4.method manual
nmcli con up 'Wired connection 1'


4. Perform configuration checks:
ip address show
ip route show
resolvconf -l



If you need to remove the "NetworkManager" components, run:
sudo apt-get remove NetworkManager openresolv
sudo rm -rf /etc/NetworkManager/   #Remove basic settings
sudo rm -rf /var/lib/NetworkManager/   #Remove service data
sudo rm -f /etc/resolv.conf   #Remove symlink


Setting up the network subsystem "systemd-networkd".

1. Install the "systemd-networkd" and "systemd-resolved" services and enable them at boot:
sudo apt-get install systemd-networkd
sudo systemctl enable --now systemd-networkd
sudo systemctl enable --now systemd-resolved


2. Create a configuration file (the extension ".network" is required):
sudo nano /etc/systemd/network/20-wired.network

For DHCP:

[Match]
Name=ens33
[Network]
DHCP=ipv4


For static IP:

[Match]
Name=ens33
[Network]
Address=192.168.0.5/24
Gateway=192.168.0.1
DNS=192.168.0.1 8.8.8.8
[Route]
Destination=192.168.10.0/24
Gateway=192.168.0.254
# Optional route metric (systemd allows comments only on their own line, not after a value)
Metric=10


3. Restart the service:
sudo systemctl restart systemd-networkd

4. Perform configuration checks:
ip address show
ip route show
resolvectl



If you need to remove the "systemd-networkd" components, run:
sudo systemctl stop systemd-networkd systemd-resolved
sudo apt-get remove systemd-networkd
sudo rm -rf /etc/systemd/network/*   #Remove network interface configurations
sudo rm -f /etc/resolv.conf   #Remove symlink


General recommendations:
For simple server and virtual machine setups, use "systemd-networkd"; in that case it is recommended to remove all the other modules:
sudo apt-get remove etcnet NetworkManager openresolv dhcpcd
sudo rm -rf /etc/net   #Remove Etcnet settings
sudo rm -rf /etc/NetworkManager/   #Remove basic NM settings
sudo rm -rf /var/lib/NetworkManager/   #Remove NM service data
sudo rm -f /etc/resolv.conf   #Remove symlink
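For the recommended systemd-networkd setup, the following added example (not from the original post) generates the static-IP unit from arguments and lints it before the service is restarted, catching the mistakes systemd rejects or silently misreads. ROOT is an assumed path prefix so the functions can be tried in a scratch directory; pass "" for the live system.

```shell
#!/bin/sh
# write_networkd_static ROOT IFACE ADDR/PREFIX GATEWAY "DNS1 DNS2" ["DEST via GW"...]
# Writes ROOT/etc/systemd/network/20-wired.network and prints its path.
write_networkd_static() {
    root=$1 iface=$2 addr=$3 gw=$4 dns=$5
    shift 5
    unit="$root/etc/systemd/network/20-wired.network"
    mkdir -p "${unit%/*}"
    {
        printf '[Match]\nName=%s\n\n[Network]\nAddress=%s\nGateway=%s\nDNS=%s\n' \
            "$iface" "$addr" "$gw" "$dns"
        # One [Route] section per extra "DEST via GW" argument.
        for r in "$@"; do
            printf '\n[Route]\nDestination=%s\nGateway=%s\n' "${r%% via *}" "${r##* via }"
        done
    } > "$unit"
    printf '%s\n' "$unit"
}

# lint_networkd_unit FILE: prints each problem and returns 1 if any was found.
# Checks for a comment after a value (only whole-line comments are allowed, so
# "Metric=10 #x" is parsed as the value "10 #x"), an Address= without a prefix
# length, and a [Match] section with no Name=.
lint_networkd_unit() {
    f=$1 rc=0
    grep -q '^Name=' "$f" || { echo "$f: no Name= under [Match]"; rc=1; }
    if grep -n '^[A-Za-z]*=.*#' "$f"; then
        echo "$f: comments after a value are not allowed (lines above)"; rc=1
    fi
    if grep '^Address=' "$f" | grep -vq '/[0-9]'; then
        echo "$f: Address= must include a prefix length, e.g. /24"; rc=1
    fi
    return $rc
}

# Typical use on the host (as root):
#   write_networkd_static "" ens33 192.168.0.5/24 192.168.0.1 "192.168.0.1 8.8.8.8" \
#       "192.168.10.0/24 via 192.168.0.254"
#   lint_networkd_unit /etc/systemd/network/20-wired.network && systemctl restart systemd-networkd
```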

Monday, April 7, 2025

Arch Linux: Changing locale, console russification

To Russify the console in Arch Linux so that messages are displayed in Russian and Cyrillic renders correctly, follow these steps:

1. Edit the list of system locales:
sudo nano /etc/locale.gen
Uncomment: "ru_RU.UTF-8 UTF-8"

2. Generate a new list of locales:
sudo locale-gen

3. Set the default locale:
sudo nano /etc/locale.conf
Specify:
LANG=ru_RU.UTF-8
LC_CTYPE=ru_RU.UTF-8


4. Install a font with Cyrillic support (for example, "terminus-font"):
sudo pacman -S terminus-font

5. To test the font display, switch the current console font to the new one (for example, "ter-v22b", where 22 is the size and b means bold; n would mean normal weight):
sudo setfont ter-v22b

6. Display the character table of the new font:
sudo showconsolefont

7. Add the font to startup:
sudo nano /etc/vconsole.conf
Specify:
# Terminus font (Cyrillic); keyboard layout: Russian; ISO 8859-5 console map
FONT=ter-v22b
KEYMAP=ru
FONT_MAP=8859-5


8. Update initramfs:
sudo mkinitcpio -P

9. Configure kernel parameters for boot type "systemd-boot":
sudo nano /boot/loader/loader.conf
Add parameters to the end of the file:
vconsole.font=ter-v22b
vconsole.keymap=ru