Create a new Mac Administrator account using Single User Mode

If you ever need to recreate an admin account on your Mac, this is the quickest and safest way to do it without breaking your installation:

  1. Boot into Single User Mode by holding ⌘ + S immediately after powering on, before you hear the Apple chime.
  2. Mount the system volume read-write by typing /sbin/mount -uw / and pressing ↩ enter.
  3. Remove the setup marker file by typing rm -v /var/db/.AppleSetupDone and pressing ↩ enter.
  4. Reboot by typing reboot and pressing ↩ enter.
  5. Complete the Setup Assistant, creating a new admin account.

This forces macOS to run the first-boot Setup Assistant again, which creates a fresh admin account. The existing user profiles are not affected; they remain intact. If you later want to make one of them an administrator again, log in with the new admin account, open System Preferences, then Users & Groups, select the existing user and tick "Allow user to administer this computer".

The same trick is worth remembering from the defensive side: anyone with physical access can do this on a Mac that has neither FileVault nor a firmware password, and walk away with an admin account. Enabling FileVault (the volume cannot be mounted in Single User Mode without a FileVault-enabled user's password) and setting a firmware password (which refuses the ⌘ + S boot) closes that door.

I tested this on macOS 10.14 Mojave and it worked:

ark:db andy$ pwd
/var/db
ark:db andy$ ls -al .AppleSetupDone
-r--------  1 root  wheel  0 Apr  4  2017 .AppleSetupDone
ark:db andy$ uname -a
Darwin ark.local 18.0.0 Darwin Kernel Version 18.0.0: Wed Aug 22 20:13:40 PDT 2018; root:xnu-4903.201.2~1/RELEASE_X86_64 x86_64
ark:db andy$
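From the defensive side, here is an added example (not part of the original post) of the check I would schedule on a managed Mac: compare the local admin group against an allowlist, so that an account created by re-running Setup Assistant shows up. It assumes the output format of dscl . -read /Groups/admin GroupMembership (a single line, GroupMembership: followed by the member names) and uses a constructed sample line instead of a live query.

```shell
#!/bin/sh
# Compare the local admin group with an allowlist. On macOS the live input is the
# one-line output of:   dscl . -read /Groups/admin GroupMembership
# e.g.                  GroupMembership: root andy
# (format assumed from that command; the sample at the bottom is constructed).

# unexpected_admins "ALLOWED NAMES" "GroupMembership: ...": prints every admin that is
# not on the allowlist, one per line, and returns 1 if there was at least one
unexpected_admins() {
  allowed=" $1 "
  members=${2#GroupMembership:}
  found=0
  for m in $members; do
    case "$allowed" in
      *" $m "*) ;;                # expected
      *) echo "$m"; found=1 ;;    # an admin we did not put there
    esac
  done
  return $found
}

# audit_admins "ALLOWED NAMES": runs the live query (macOS only) and prints a verdict;
# the return code is what a scheduled job or MDM script would act on
audit_admins() {
  line=$(dscl . -read /Groups/admin GroupMembership) || return 2
  if extra=$(unexpected_admins "$1" "$line"); then
    echo "admin group matches allowlist"
  else
    echo "unexpected admin accounts: $extra"
    return 1
  fi
}

# Constructed sample: "setupadmin" is the account a re-run of Setup Assistant created
sample='GroupMembership: root andy setupadmin'
unexpected_admins "root andy" "$sample" || echo "audit failed with status $?"
```

On a real Mac, call audit_admins "root andy" (with your own allowlist) from a launchd job or your MDM's script runner and alert on a non-zero exit; the membership line is the same one the Users & Groups pane reads.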

If you have any questions or comments, please feel free to post down below. Cheers!

Access Ubuntu Linux using Remote Desktop Connection

In this brief tutorial I'm going to show you how to use Windows' own Remote Desktop Connection client to connect to Ubuntu Linux 16.04 / 17.10 and 18.04 / 18.10 desktops via Xrdp.

Xrdp is an open-source RDP server that presents a Linux desktop to the client over the Remote Desktop Protocol. It provides a fully functional Linux terminal server, capable of accepting connections from rdesktop, FreeRDP and Microsoft's own Terminal Server / Remote Desktop clients, including copy and paste of clipboard content and files.

Step 1: Install Xrdp Server

To get Ubuntu Desktop accepting RDP connections you must install the Xrdp package and enable its service:

sudo apt install xrdp
sudo systemctl enable xrdp

The Ubuntu package starts the service as soon as it is installed; enable makes it start again on every boot. Note that it listens on TCP port 3389 on all interfaces by default.

Step 2: Connect from Windows PC

Now that the Xrdp server is installed, open Remote Desktop Connection on the Windows PC (%windir%\system32\mstsc.exe) and connect to the server's IP address or hostname.

Type your Ubuntu username.

Click 'Connect' to initiate the remote desktop connection to the Ubuntu desktop. You will be warned that the identity of the remote computer cannot be verified. That is expected on a fresh install, because xrdp generates a self-signed certificate, but it also means the client cannot tell your server from an impostor: accept the warning only on a network you trust (or over an SSH/VPN tunnel), and don't expose TCP 3389 directly to the internet.

You can also tick 'Don't ask me again for connections to this computer' so it will not warn you again in the future; do that only once you're sure you are talking to the right server.

Type your Ubuntu password.

If your credentials are correct, you should now be logged on to your Ubuntu desktop from Windows.

This tutorial should work with other Linux variants as well, especially Debian derivatives; I actually made this tutorial on Kali Linux:

andy@kali:~# lsb_release -a
No LSB modules are available.
Distributor ID: Kali
Description: Kali GNU/Linux Rolling
Release: kali-rolling
Codename: kali-rolling
andy@kali:~#

Troubleshooting:

  • If you have followed all the steps above but still can't log on, make sure the same user is not already logged on locally at the Ubuntu desktop. The simplest fix is to restart Ubuntu and not log on at the console before connecting.
  • If you try the Xorg session and it disconnects right away, select X11rdp from the drop-down list instead; it will hang without fully logging on. Close that session and try the Xorg session again; now it should work.
  • If it keeps prompting you to authenticate, cancel the prompt windows and restart Ubuntu again if the step above doesn't work right away.
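The certificate warning and the fact that xrdp listens on every interface are the two things I would change before leaving this running. The following is an added example, not from the original tutorial or the xrdp project: a small shell script that rewrites an xrdp.ini so the server binds to loopback only and accepts only the TLS security layer with TLS 1.2/1.3, plus a check that tells you whether a given xrdp.ini is still exposed. It assumes the xrdp 0.9.x [Globals] keys port, security_layer and ssl_protocols and the tcp://ADDRESS:PORT form of port documented in the stock xrdp.ini comments; the sample configuration it writes is a constructed excerpt.

```shell
#!/bin/sh
# Lock an xrdp.ini down to loopback + TLS so the RDP port is not reachable from the
# network at all; remote users come in over an SSH tunnel instead.
# Assumed: xrdp 0.9.x keys port, security_layer and ssl_protocols in [Globals], and the
# tcp://ADDRESS:PORT syntax for "port" from the stock xrdp.ini comments.

# ini_get FILE KEY: prints the first value of KEY (the [Globals] one comes first)
ini_get() {
  sed -n "s/^$2=//p" "$1" | head -n 1
}

# ini_set FILE KEY VALUE: replaces only the first KEY=... line. A plain sed over the
# whole file would also hit the per-session "port=-1" entries and break them.
ini_set() {
  awk -v k="$2" -v v="$3" '
    !done && index($0, k "=") == 1 { print k "=" v; done = 1; next }
    { print }' "$1" > "$1.tmp" && mv "$1.tmp" "$1"
}

harden_xrdp_ini() {
  ini_set "$1" port 'tcp://127.0.0.1:3389'     # loopback only
  ini_set "$1" security_layer tls             # refuse the legacy "rdp" security layer
  ini_set "$1" ssl_protocols 'TLSv1.2, TLSv1.3'
}

# xrdp_exposed FILE: true (0) if this config would listen on a non-loopback address
xrdp_exposed() {
  case "$(ini_get "$1" port)" in
    tcp://127.0.0.1:*|tcp://localhost:*) return 1 ;;
    *) return 0 ;;
  esac
}

# write_sample_ini FILE: constructed excerpt of a stock xrdp.ini, for trying this out
write_sample_ini() {
  printf '%s\n' '[Globals]' 'port=3389' 'security_layer=negotiate' 'crypt_level=high' \
    'ssl_protocols=TLSv1, TLSv1.1, TLSv1.2' '' '[Xorg]' 'name=Xorg' 'port=-1' > "$1"
}
```

Run harden_xrdp_ini /etc/xrdp/xrdp.ini as root and restart the service (sudo systemctl restart xrdp). From the Windows PC you then need a tunnel to reach the loopback listener, for example ssh -L 3389:127.0.0.1:3389 andy@ubuntu-host with an OpenSSH server on the Ubuntu side (assumed), and you point Remote Desktop Connection at localhost:3389 instead of the server's address. If a tunnel is impractical, leave port=3389 alone and restrict access with the host firewall instead, for example a ufw rule that allows TCP 3389 only from your LAN.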

Let me know by commenting down below if you have any question or comments.

Disable Red Hat Graphical Boot on CentOS 7

Prefer to see what's actually happening in the background when CentOS boots up?

Edit /etc/default/grub with your favourite editor, such as nano or vi.

[andy@av ~]# cat /etc/default/grub
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rd.lvm.lv=centos_ba-eraappl-v/swap rhgb quiet net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
[andy@av ~]#

Basically we want to remove both rhgb and quiet from GRUB_CMDLINE_LINUX above.

If you are curious what they are:

  • rhgb is Red Hat Graphical Boot: a graphical boot screen that hides most of the information, while the user sees a spinning activity icon and brief information about what the computer is doing.
  • quiet hides the majority of the kernel's boot messages before rhgb starts. Both exist to make the common user more comfortable; people get alarmed by kernel and initialisation messages, so they are hidden.

I personally prefer a shorter bootloader wait time, hence I lowered my GRUB_TIMEOUT from 5 seconds to 1 second.

This is my /etc/default/grub after I removed both the rhgb and quiet options:

[andy@av ~]# cat /etc/default/grub
GRUB_TIMEOUT=1
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rd.lvm.lv=centos_ba-eraappl-v/swap net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
[andy@av ~]#

After removing the rhgb and quiet options we need to regenerate the grub2 boot configuration file with this command (on a UEFI install the file to write is /boot/efi/EFI/centos/grub.cfg instead of /boot/grub2/grub.cfg):

[andy@av ~]# grub2-mkconfig -o /boot/grub2/grub.cfg
Generating grub configuration file ...
Found linux image: /boot/vmlinuz-3.10.0-862.14.4.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-862.14.4.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-514.2.2.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-514.2.2.el7.x86_64.img
Found linux image: /boot/vmlinuz-3.10.0-327.36.3.el7.x86_64
Found initrd image: /boot/initramfs-3.10.0-327.36.3.el7.x86_64.img
Found linux image: /boot/vmlinuz-0-rescue-06d71e1cb34f47898c320b96609134c6
Found initrd image: /boot/initramfs-0-rescue-06d71e1cb34f47898c320b96609134c6.img
done
[andy@av ~]#

Restart your system. It now boots a little faster thanks to the shorter GRUB timeout, and you will see every boot message in detail instead of the graphical boot screen.

Clone from Larger HDD to Smaller SSD

In this post we will learn how to clone Windows from a larger disk to a smaller one. In most cases we do this for an HDD to SSD upgrade, where the hard disk drive is larger than the new solid-state drive.

  1. Make sure that the data on the C drive (used space, not disk size) will fit on the SSD.
  2. Download the Renee Becca software; it's free (no hidden charges or anything like that).
  3. The software requires a license, but a valid free license code is mailed to you after you enter your email address (a temporary mailbox works too).
  4. Install the software, open it and activate it by entering the key you received.
  5. Click on Clone and then select System Redeploy, as shown in the picture below:
  6. Choose the destination, which should be your SSD. The source is your system drive containing Windows and the boot files. Please refer to the picture below:
  7. Click the Redeploy button and select Yes, as shown in the picture above.
  8. The software will then start the process; how long the data transfer takes depends on your source disk size. The partitions are adjusted automatically to fit the destination drive.
  9. Physically swap the old drive for the new one. You can uninstall the software afterwards if you prefer not to keep it.

I hope this works for you. Let me know if you have any question by commenting down below. Cheers!

Disable Boot Splash Screen on Ubuntu Desktop Linux

Prefer to see what's actually happening in the background when Ubuntu Desktop boots up?

  • Wait for Ubuntu to boot, then login and start a Terminal application
  • Edit /etc/default/grub as root, for example: sudo nano /etc/default/grub
  • Remove splash from GRUB_CMDLINE_LINUX_DEFAULT (remove quiet as well if you also want the kernel's own messages; the file below has both removed)
  • Save the file and close the editor
  • Run sudo update-grub to regenerate the grub config files

Here's what my /etc/default/grub configuration file looks like after I disabled the splash screen:

GRUB_DEFAULT=0
GRUB_TIMEOUT_STYLE=hidden
GRUB_TIMEOUT=3
GRUB_DISTRIBUTOR=`lsb_release -i -s 2> /dev/null || echo Debian`
GRUB_CMDLINE_LINUX_DEFAULT=""
GRUB_CMDLINE_LINUX=""

I tested this on:

andy@computestick:~$ lsb_release -a
No LSB modules are available.
Distributor ID: Ubuntu
Description: Ubuntu 18.04.1 LTS
Release: 18.04
Codename: bionic
andy@computestick:~$

And this is my GRUB version:

andy@computestick:~$ grub-install --version
grub-install (GRUB) 2.02-2ubuntu8.4
andy@computestick:~$
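Editing the kernel command line by hand, as in this post and in the CentOS 7 post above, is fine once; if you do it on many machines a quick sed is tempting and usually wrong (it leaves double spaces or matches quiet inside another argument). The following is an added example of mine, not from either post: a POSIX shell function that removes whole tokens from a variable in /etc/default/grub and copies every other line through untouched, so the same call serves rhgb quiet on CentOS and splash on Ubuntu. The sample file it writes is the CentOS /etc/default/grub from this page, reproduced here as constructed test input.

```shell
#!/bin/sh
# Remove individual kernel arguments (rhgb, quiet, splash, ...) from a variable in
# /etc/default/grub without disturbing the rest of the line. The value is split on
# spaces and compared token by token, so "quiet" is never matched inside another
# argument and the surviving arguments keep their order and single spacing.

# cmdline_value FILE VAR: prints the value of VAR without its surrounding quotes
cmdline_value() {
  sed -n "s/^$2=\"\(.*\)\"\$/\1/p" "$1"
}

# strip_cmdline_tokens FILE VAR TOKEN...: rewrites FILE in place, idempotent
strip_cmdline_tokens() {
  file="$1"; var="$2"; shift 2
  drop=" $* "                  # " rhgb quiet " so each token can be matched whole
  tmp="$file.tmp"
  : > "$tmp"
  set -f                       # no pathname expansion while splitting on spaces
  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      "$var="*)
        val=${line#"$var="}
        val=${val#\"}; val=${val%\"}
        new=""
        for tok in $val; do
          case "$drop" in
            *" $tok "*) ;;                      # listed for removal: skip it
            *) new="$new${new:+ }$tok" ;;       # keep it
          esac
        done
        printf '%s="%s"\n' "$var" "$new" >> "$tmp"
        ;;
      *) printf '%s\n' "$line" >> "$tmp" ;;     # every other line is copied verbatim
    esac
  done < "$file"
  set +f
  mv "$tmp" "$file"
}

# write_sample_grub FILE: the CentOS 7 /etc/default/grub from this page, written out
# here so the function can be tried without touching the real file
write_sample_grub() {
  cat > "$1" <<'EOF'
GRUB_TIMEOUT=5
GRUB_DISTRIBUTOR="$(sed 's, release .*$,,g' /etc/system-release)"
GRUB_DEFAULT=saved
GRUB_DISABLE_SUBMENU=true
GRUB_TERMINAL_OUTPUT="console"
GRUB_CMDLINE_LINUX="crashkernel=auto rd.lvm.lv=centos_ba-eraappl-v/root rd.lvm.lv=centos_ba-eraappl-v/swap rhgb quiet net.ifnames=0 biosdevname=0"
GRUB_DISABLE_RECOVERY="true"
EOF
}
```

On CentOS: strip_cmdline_tokens /etc/default/grub GRUB_CMDLINE_LINUX rhgb quiet, then grub2-mkconfig as shown in that post; on Ubuntu: strip_cmdline_tokens /etc/default/grub GRUB_CMDLINE_LINUX_DEFAULT splash, then sudo update-grub. Editing /etc/default/grub rather than the generated grub.cfg matters: CentOS 7's grubby can remove arguments from grub.cfg directly (grubby --update-kernel=ALL --remove-args="rhgb quiet"), but the next grub2-mkconfig run would put them back from the defaults file.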

If you have any questions, let me know by commenting down below and I'd be happy to answer.

MikroTik Fasttrack with IPsec

Fasttrack is a feature introduced in RouterOS v6.29 that lets the packets of already-established connections bypass most of the Linux kernel's packet processing, which greatly improves the router's throughput and lowers CPU load.

Fasttrack applies to packets whose connection is in the Established or Related state. Once a connection has been fasttracked, its packets no longer pass through the firewall filter, mangle or queues and are forwarded directly to their target. Since a connection only reaches the established or related state after its first packets have gone through the firewall, the filter rules still decide which connections get through at all.

There is a known issue though: Fasttrack does not work with IPsec. Fasttracked packets skip the processing that IPsec policy matching depends on, so you get a rather wonky experience or a very unstable IPsec connection. If you have IPsec connections on your MikroTik but still want the advantages of Fasttrack, here's the resolution: keep the IPsec traffic out of the fasttrack rule.

First, we mark all IPsec connections, i.e. connections whose packets match an outgoing or incoming IPsec policy, in the mangle table:

/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=out,ipsec new-connection-mark=ipsec
/ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections" ipsec-policy=in,ipsec new-connection-mark=ipsec

Second, we create a new Fasttrack rule that excludes the connections marked by the two mangle rules above, followed by the normal accept for established/related traffic:

/ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec
/ip firewall filter add chain=forward action=accept connection-state=established,related

Don't forget to delete (or disable) your old Fasttrack rule, if any: left in place above these, it would keep fasttracking the IPsec connections. Both rules belong near the top of the forward chain, before any drop rules.

I’ve been using this rule in my live IPsec site-to-site tunnel and the result is just simply amazing!

Let me know if you have any question or comment by posting down below. Cheers!

MikroTik Site-to-Site IPsec Tunnel

An easy guide on how to set up a MikroTik site-to-site IPsec tunnel.

If one of the MikroTiks has a dynamic WAN IP address, set that router up as the initiator (i.e. it dials out) and the one with the static address as the responder.

If you are working over the WAN, don't forget to enable Safe Mode first, so a wrong rule can't lock you out.

Go to Winbox -> IP -> IPsec -> Proposals; this is the IPsec proposal I usually use:

It is compatible with DrayTek routers as well, see the picture below:

IPsec Policy

Go to IP -> IPsec -> Policies, click on + and on the Action tab fill in the following:

Tick Tunnel if it's not ticked.

SA Src. Address: <WAN IP address of this MikroTik> (this can be left blank if this MikroTik has a dynamic WAN IP address)
SA Dst. Address: <WAN IP address of the other MikroTik>
Proposal: select the proposal we created before (i.e. proposal-younameit)

Then click on the General tab and fill in the following:

Src. Address: <internal LAN network of this MikroTik>
Dst. Address: <internal LAN network of the other side>
Untick Template if it's ticked.

IPsec Peers

Now go to the Peers tab to set up the other phase (phase 1, the IKE negotiation with the other router):

If the initiator has a dynamic WAN IP, set Generate Policy = port strict on the responder side. Port strict generates policies using the ports from the peer's proposal, which must match the peer's policy. It is also useful when the remote peer's IP address is unknown at configuration time, since it allows the peer to establish SAs for policies that do not exist yet.

Set up the same on the other side of the tunnel (just reverse SRC/DST). If your tunnel works, you will see it under IPsec -> Installed SAs.

Last but not least, we need a NAT bypass rule so that traffic from our LAN to the other side's LAN is not masqueraded before it reaches the tunnel: a srcnat rule with Src. Address set to our LAN network and Dst. Address set to the remote LAN network.

On the Action tab, set Action: accept.

Click Apply, then OK, and move this rule above the masquerade srcnat rule. Without it, masquerade rewrites the source address to the WAN IP first, the packet no longer matches the IPsec policy and never enters the tunnel.

I hope this guide works for you, but if you have any question or comment please don't hesitate to write down below, and I'd be happy to respond.

How to upgrade or migrate Active Directory server

A quick walkthrough on how to upgrade or migrate an Active Directory Server.

In this guide, the old server is Windows Server 2008 R2 Standard, and the new server is Windows Server 2016 Essentials.

This guide should work with other Windows Server versions as well, as the concept is pretty much the same.

First, install the Active Directory Domain Services (AD DS) role on the new server.

If the AD DS role can't be installed, remove the Active Directory Certificate Services role first (if that CA has issued certificates that are still in use, back it up before removing it).

Then join the new server to the domain and promote it to a domain controller.

Then run this on the new domain controller:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2008-r2-std.saputra.local
PDC ws-2008-r2-std.saputra.local
RID pool manager ws-2008-r2-std.saputra.local
Infrastructure master ws-2008-r2-std.saputra.local
The command completed successfully.

That means all of the FSMO roles are still held by the old server.

Open Active Directory Users and Computers, right click on saputra.local and select Operations Masters. On the RID, PDC and Infrastructure tabs, change the operations master to the new server.

After transferring those three roles, the output should look like this:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2008-r2-std.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.

Open Active Directory Domains and Trusts. In the left pane, right click on Active Directory Domains and Trusts and select Operations Master, then change the Domain naming master to the new server (Raise Forest Functional Level is also found here; that is completely optional).

The roles should now look like this:

C:\Windows\system32> netdom query fsmo
Schema master ws-2008-r2-std.saputra.local
Domain naming master ws-2016-ess.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.

To transfer the last role, the Schema master, first register the schema snap-in:

C:\Windows\system32> regsvr32 schmmgmt.dll

Then:

C:\Windows\system32> mmc.exe

Add the Active Directory Schema snap-in; it connects to the current schema master, the old server, first.
Right click Active Directory Schema, choose Change Active Directory Domain Controller and select the new server.
Right click again, choose Operations Master and change the role to the new server:

C:\Windows\system32> netdom query fsmo
Schema master ws-2016-ess.saputra.local
Domain naming master ws-2016-ess.saputra.local
PDC ws-2016-ess.saputra.local
RID pool manager ws-2016-ess.saputra.local
Infrastructure master ws-2016-ess.saputra.local
The command completed successfully.

Demoting the old server

Go to the old server and run dcpromo.exe; it will complain that the server is a Global Catalog server. To clear that:
Go to Active Directory Users and Computers (this can be done from either the new server or the old server);
Expand the domain and select Domain Controllers;
Select the old server, open its properties and click on NTDS Settings;
Untick Global Catalog;

Before demoting, also make sure the new server is itself a Global Catalog and a DNS server, check replication health from the new DC (dcdiag and repadmin /replsummary), and repoint clients and DHCP scope options that still hand out the old server's address for DNS. Now we should be able to demote the old server.

If you have any questions or comments, please write down below and I'd be happy to answer 🙂

 

Setup MikroTik as L2TP/IPSec VPN Server

This is a brief guide on how to implement an L2TP/IPsec VPN server on MikroTik RouterOS and use it as the clients' gateway.

Change these to fit your setup:

  • This router’s local IP address: 172.31.1.1/20
  • WAN connection is PPPoE with the name ether1-GTW.
    If you use PPPoE, use the name of your PPPoE connection. If you use static configuration or DHCP client as WAN, use the name of that interface.
  • Pool name for VPN clients is vpn-pool and gives addresses 172.31.2.1-172.31.2.9
  • VPN profile: vpn-profile
  • VPN username: remoteuser
  • VPN password: yourpassword
  • L2TP secret: yourl2tpsecret

Remember that it is always good practice to use a strong password and a strong L2TP secret. The secret is the IPsec pre-shared key and every client shares it, so make it long and random.

Let’s create a pool of addresses that VPN clients will get once connected:

/ip pool add name=vpn-pool ranges=172.31.2.1-172.31.2.9

Then create a PPP profile that determines the router's address on the tunnel, the pool the VPN clients draw from and the DNS server they get. These can be outside the local subnet, but make sure that your firewall allows the connections:

/ppp profile add change-tcp-mss=yes local-address=172.31.1.1 name=vpn-profile remote-address=vpn-pool dns-server=172.31.1.1 use-encryption=yes

We can now create VPN users (remoteuser from the list above; service=any lets the same secret authenticate for the other PPP services too, so set service=l2tp if this router only offers L2TP):

/ppp secret add name="remoteuser" password="yourpassword" profile=vpn-profile service=any

Configure the IPsec side: the encryption algorithms, the pre-shared key (the L2TP secret from the list), who can connect (any address, for road-warrior clients) and NAT traversal:

/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal set [ find default=yes ] enc-algorithms=aes-128-cbc,3des

The 3des entries on both lines are only there for old clients that can't do AES; if all of your clients support AES, remove 3des from both the peer and the proposal, so a downgrade to 3DES cannot be negotiated.

Now that everything is in place, we can simply enable the L2TP server and choose the right profile:

/interface l2tp-server server set authentication=mschap2 default-profile=vpn-profile enabled=yes max-mru=1460 max-mtu=1460 use-ipsec=yes

If you have a firewall rule that blocks all input traffic, add these rules to let L2TP/IPsec through the WAN interface. UDP 500 and 4500 carry IKE and NAT-T, ESP carries the encrypted traffic, and UDP 1701 is L2TP itself; standard L2TP/IPsec clients negotiate ESP, so the AH rule is normally never hit:

/ip firewall filter
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500 
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
add chain=input action=accept comment="VPN L2TP 4500" in-interface=ether1-GTW protocol=udp dst-port=4500
add chain=input action=accept comment="VPN L2TP ESP" in-interface=ether1-GTW protocol=ipsec-esp
add chain=input action=accept comment="VPN L2TP AH" in-interface=ether1-GTW protocol=ipsec-ah

UDP 1701 should only ever arrive inside the IPsec tunnel, so tighten that rule by adding the IPsec policy matcher (in, ipsec) to it: the router then accepts L2TP only after it has been decapsulated from ESP, and unencrypted L2TP from the internet is dropped by your default rule instead of reaching the L2TP server.

[Optional Configurations]

To use the MikroTik VPN server as the gateway, so that VPN clients go out to the internet with the MikroTik's public IP, simply masquerade:

/ip firewall nat add chain=srcnat out-interface=ether1-GTW action=masquerade

Allow remote DNS requests, so that the VPN clients can use the router (172.31.1.1, as set in the profile) as their DNS server:

/ip dns set allow-remote-requests=yes

With this setting the router answers DNS queries from anyone whose packets reach its input chain, so make sure the input chain drops UDP and TCP port 53 arriving on ether1-GTW; otherwise you have just built an open resolver that will be abused for amplification attacks.

I tested this on Amazon Elastic Compute Cloud (EC2), using t2.micro instance and it worked perfectly fine for me.
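Covering both the Fasttrack post above and this L2TP/IPsec post, here is an added example of mine (not MikroTik's and not from the original posts): a shell linter for a RouterOS /export dump that flags the three things I would want caught in review: 3DES, DES or MD5 anywhere under /ip ipsec, a fasttrack-connection rule that does not exclude IPsec connections (via connection-mark=!ipsec or an ipsec-policy matcher), and an input rule accepting UDP 1701 without ipsec-policy=in,ipsec. It matches attribute names as RouterOS prints them in /export; the sample export it writes is constructed from the rules in these posts, with the unrestricted fasttrack rule the Fasttrack post tells you to delete.

```shell
#!/bin/sh
# Lint a RouterOS "/export" file for the three points discussed on this page:
#   1. 3DES / DES / MD5 anywhere under /ip ipsec
#   2. a fasttrack rule that does not exclude IPsec traffic
#   3. UDP 1701 (L2TP) accepted on input without the IPsec policy matcher
# Prints one finding per line; the return code is the number of findings.

has() { case "$1" in *"$2"*) return 0 ;; esac; return 1; }

lint_routeros_export() {
  file="$1"
  findings=0
  section=""
  has_ipsec=0
  grep -q '^/ip ipsec' "$file" && has_ipsec=1     # any IPsec config at all?

  while IFS= read -r line || [ -n "$line" ]; do
    case "$line" in
      /*) section="$line"; continue ;;             # "/ip firewall filter" style header
      \#*|"") continue ;;
    esac

    case "$section" in
      "/ip ipsec"*)
        case "$line" in
          *3des*|*[=,]des" "*|*[=,]des","*|*[=,]des|*md5*)
            echo "weak IPsec algorithm: $line"
            findings=$((findings + 1)) ;;
        esac ;;
      "/ip firewall filter")
        if has "$line" "action=fasttrack-connection" && [ "$has_ipsec" = 1 ]; then
          if ! has "$line" "connection-mark=!ipsec" && ! has "$line" "ipsec-policy="; then
            echo "fasttrack rule does not exclude IPsec connections: $line"
            findings=$((findings + 1))
          fi
        fi
        if has "$line" "chain=input" && has "$line" "action=accept" && has "$line" "dst-port=1701"; then
          if ! has "$line" "ipsec-policy=in,ipsec"; then
            echo "UDP 1701 accepted in the clear (add ipsec-policy=in,ipsec): $line"
            findings=$((findings + 1))
          fi
        fi ;;
    esac
  done < "$file"
  return "$findings"
}

# write_sample_export FILE: constructed excerpt of a RouterOS /export, built from the
# rules in these posts (with the original, unrestricted fasttrack rule left in)
write_sample_export() {
  cat > "$1" <<'EOF'
/ip ipsec peer
add address=0.0.0.0/0 exchange-mode=main-l2tp nat-traversal=yes generate-policy=port-override secret="yourl2tpsecret" enc-algorithm=aes-128,3des
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc,3des
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
add chain=forward action=accept connection-state=established,related
add chain=input action=accept comment="VPN L2TP UDP 500" in-interface=ether1-GTW protocol=udp dst-port=500
add chain=input action=accept comment="VPN L2TP UDP 1701" in-interface=ether1-GTW protocol=udp dst-port=1701
EOF
}
```

Save an export on the MikroTik with /export file=router, fetch router.rsc and run lint_routeros_export router.rsc; the exit status is the number of findings, so it drops straight into a pre-change check or a CI job. The cipher check is deliberately a coarse substring match, which is the right trade-off for a linter that should err on the side of flagging.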

I hope this guide works for you, feel free to post any questions or comments down below.

Download and Get the Windows 10 Fall Creators Update

Earlier Microsoft released the Windows 10 Fall Creators Update Upgrade Assistant, but it's hard to find now. Just in case you're missing it, you can download a copy from the link below. Bear in mind that this is a copy hosted on this site, and the MD5 below only lets you check that the download was not corrupted, not that the file is genuine: before running it, check that the executable still carries a valid Authenticode signature from Microsoft Corporation (right click, Properties, Digital Signatures).

https://files.saputra.org/installers/Windows10Upgrade9252.exe

andy-mac:Downloads andy$ md5 Windows10Upgrade9252.exe 
MD5 (Windows10Upgrade9252.exe) = da222f3519e7387892a7afea30b1cb65
andy-mac:Downloads andy$