Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

[Aside] Easily switch between multiple audio outputs using SoundSwitch

Via the always helpful How-To Geek – if you have multiple audio output devices on Windows 10 (e.g. HDMI, regular headphones via the headphone jack, a couple of Bluetooth headphones) like I do, and always right-click the volume icon to change the default device and wish there was an easier & faster way to do this, look no further! Check out SoundSwitch. :) Open source and actively developed too.

The music of “Aravindante Athidhikal”

Once in a while you come across an album where pretty much every song is amazing. “Aravindante Athidhikal” is one such. The first time I heard it I wasn’t impressed. But the next day I found myself humming some of the tunes and went back and listened to the songs again … and I’ve been listening to them again and again since then! :) It’s like falling in love with A.R. Rahman songs in the past. I’d never like them on the first listen, but would find myself humming the tune later and go back and listen and love it. (Doesn’t happen that way with A.R. Rahman songs nowadays.)

The music is by Shaan Rahman. He is a dependable music director. Always delivers. Most of his soundtracks have at least one or two tracks that are amazing.

Special mention: “Kanne Thaai Malare” by Vineeth Sreenivasan. It’s just him accompanied by Shaan Rahman on keyboard. You won’t forget this song/ tune once you hear it! :)

The Crazy Old Bishop

That’s what my daughter called my bishop today in a game of chess with her and the bishop single-handedly killed pretty much all her pieces and checkmated her king in the end with my king. Funny! She’s 9 years old and I won the game, but it was fun coz of the father daughter bonding and also I think I am playing chess after some 15-20 years (or at least completing a game – I haven’t had the patience to do that since I left school!).

Hadn’t realized my bishop was on a killing spree until I lost my queen to teach her something and she mentioned my crazy old bishop was still around killing people! That’s when I noticed that she was right, this bishop was on a roll and killing most of the opponents even with me losing many of my “more important” pieces. Here’s the crazy old bishop – never underestimate it! :)

“Blackmail” (Hindi movie) – dark comedy, but …

“Blackmail”, starring Irrfan Khan and directed by Abhinay Deo, tries to be a dark comedy. Something like “Fargo” or most Coen brothers movies. But while those movies are coherent in terms of tone or branding, I found “Blackmail” confusing.

At times it does the dark comedy well. But it also feels like it’s trying to be cool and shocking and many other things as well. It’s difficult to put into words what I am trying to say here except that I found the message confusing. The movie started off going for a shock/ comedy factor by showing our hero taking photos of his colleagues’ wives from their office desks to the bathroom so he can masturbate to them. Then it moved on to his unhappy marriage, and him trying to be nice to her one day out of the blue by coming home early and discovering she is having an affair. At this point it tries to be something else, with the loud background music etc. Then it becomes dark, with him trying to blackmail his wife’s lover and the subsequent events that happen as a result of that. But while a movie or TV show like “Fargo” sticks to that theme and shows how things can go wrong or the things people can do, that message doesn’t come across clearly in “Blackmail”. I think the writers and director wanted to put across that message but it got muddled with a few other things.

The music and background score were great – Amit Trivedi is unique and amazing as usual! – and yes, while they matched the scenes and highlighted the feelings and emotions, I felt they too played a part in detracting from the main theme of “Blackmail”. Not the composer’s fault – I imagine that is what he was asked to provide (the mood I mean) and so he delivered.

Overall, a good movie, worth a watch – I’d give it a 3.5 or 4 /5, but it could easily have been a 5/5 if the mood or message part was sorted. I wish it had been a 5/5 – I had great hopes for it when I realized that after finding his wife having an affair our hero was going to blackmail the lover. So much potential, so many things that can go wrong (and they did) … amazing!

Using PowerShell to change a scope option across multiple scopes & multiple servers

I had to change option 150 (the TFTP server list that Cisco IP phones use to find Call Manager) for multiple scopes across multiple servers, as we are moving our Call Manager to a new location this weekend, and couldn’t be bothered doing it manually post move.

All my voice scopes have the word Voice or VoIP in them so I match on them. A lot of the code is verbose coz I like to be a bit verbose, but you could probably crunch it all down to a single line or two. :)
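Here is an added example of that kind of script, written for this page rather than taken from the post. It uses the DhcpServer module, matches scope names on “Voice” or “VoIP” as described, supports -WhatIf so you can dry-run it before the move, makes sure option 150 is actually defined on each server (it is a vendor option, not a built-in one), and finishes with a verification pass. The server names and the Call Manager addresses are assumptions.

```powershell
# Added example, not the post's own script. Run from a box with the DhcpServer RSAT module
# as an account that is a DHCP Administrator on each server. Names/IPs below are assumptions.
[CmdletBinding(SupportsShouldProcess = $true)]
param(
    [string[]]$DhcpServers      = @('dhcp01.corp.example.com', 'dhcp02.corp.example.com'),
    [string[]]$CallManagerIPs   = @('10.10.50.10', '10.10.50.11'),   # new option 150 value, in order
    [string]  $ScopeNamePattern = 'Voice|VoIP'                      # regex, case-insensitive by default
)

Import-Module DhcpServer -ErrorAction Stop
$wanted = $CallManagerIPs -join ','

foreach ($server in $DhcpServers) {
    # Option 150 is not a standard definition; Set-DhcpServerv4OptionValue fails if the server lacks it.
    if (-not (Get-DhcpServerv4OptionDefinition -ComputerName $server -OptionId 150 -ErrorAction SilentlyContinue)) {
        Write-Warning "$server has no definition for option 150; creating one (IPv4 address, multi-valued)"
        Add-DhcpServerv4OptionDefinition -ComputerName $server -OptionId 150 -Name 'Cisco TFTP Servers' `
            -Type IPv4Address -MultiValued -Description 'Cisco IP phone TFTP / Call Manager list'
    }

    $voiceScopes = Get-DhcpServerv4Scope -ComputerName $server | Where-Object { $_.Name -match $ScopeNamePattern }
    if (-not $voiceScopes) { Write-Warning "$server: no scopes match '$ScopeNamePattern'"; continue }

    foreach ($scope in $voiceScopes) {
        $current = (Get-DhcpServerv4OptionValue -ComputerName $server -ScopeId $scope.ScopeId -OptionId 150 -ErrorAction SilentlyContinue).Value
        $target  = "$server scope $($scope.ScopeId) ($($scope.Name))"
        if ($PSCmdlet.ShouldProcess($target, "set option 150 to $wanted (was: $($current -join ','))")) {
            Set-DhcpServerv4OptionValue -ComputerName $server -ScopeId $scope.ScopeId -OptionId 150 -Value $CallManagerIPs
        }
    }
}

# Verification pass: one row per voice scope, flagging any scope that still differs from what we wanted.
foreach ($server in $DhcpServers) {
    Get-DhcpServerv4Scope -ComputerName $server | Where-Object { $_.Name -match $ScopeNamePattern } | ForEach-Object {
        $value = (Get-DhcpServerv4OptionValue -ComputerName $server -ScopeId $_.ScopeId -OptionId 150 -ErrorAction SilentlyContinue).Value
        [pscustomobject]@{
            Server    = $server
            ScopeId   = $_.ScopeId
            Name      = $_.Name
            Option150 = ($value -join ',')
            Matches   = (($value -join ',') -eq $wanted)   # order matters to the phones, so compare as set
        }
    }
}
```

Run it first with `-WhatIf` to see exactly which scopes would be touched; scope-level values override server-level ones, so if some voice scopes inherit option 150 from the server scope, the verification table will show those with an empty Option150 and Matches = False, which is your cue to set it at the server level too.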

Receiver Self-Service: Cannot Contact Store

Was trying to set up Receiver self-service in one of our newer sites and it kept erroring. (This affects Receiver for iOS and Android too by the way, which is how I first came to know of this problem.) Had a lot of little configuration errors that needed fixing, but the last one (which is the title of this post) had me stumped for a while.

So without further ado:

  • Ensure that there’s a separate session policy for receiver self-service. More importantly:
    • Ensure that the expression for the policy includes the case for iOS devices too if you are interested in that (i.e. REQ.HTTP.HEADER User-Agent CONTAINS CitrixReceiver || REQ.HTTP.HEADER User-Agent CONTAINS 'CitrixReceiver-iPad' || REQ.HTTP.HEADER User-Agent CONTAINS CFNetwork || REQ.HTTP.HEADER User-Agent CONTAINS Darwin)
    • Not critical, but as a good practice – ensure that your receiver for web policy and receiver self-service policies have equal priority so there’s one less thing to look at when considering these policies.
  • Ensure that the single-sign on domain in the receiver self-service matches the trusted domains you define in the Citrix Storefront.
  • Remember that web authentication uses LDAP as primary & RADIUS as secondary; while self-service authentication uses RADIUS as primary & LDAP as secondary, so double check these are setup accordingly with the correct expression to match web or self-service.
  • Ensure that the receiver self-service policy has the SECONDARY credentials ticked for single-sign on.

If the authentication stuff is incorrect you will keep getting prompts that the login is incorrect. Also, the StoreFront logs might contain errors that the user domain isn’t a trusted one etc.

In my case even after doing all this I was getting an error. I was able to successfully login but then would get a message that receiver cannot connect to the store. This had me stumped for a long while until I re-read this Carl Stalhood article (his blog posts are amazing!) and came across this bit:

If you have multiple Gateways, select one of them as the Default appliance. Note: when you point Receiver to a NetScaler Gateway URL for Discovery, after Discovery is complete, the Default appliance selected here is the Gateway that Receiver uses. In other words, Receiver ignores the Gateway you entered during discovery.

That last sentence was what was messing up my configuration. As part of testing the deployment we had a separate internal gateway, and that was the current default. So when using Receiver self-service that internal gateway was being selected and things broke.

A bit more info on the same from this Citrix blog post:

For web browser-based access, the “default appliance” setting has no impact.

For native Receiver access, this setting is downloaded to Receiver on connection to the Store as part of the Store configuration and that Gateway is used thereafter by default.

If all defined Gateways share the same URL via GSLB, then again, this has no impact (Receiver just uses that Gateway definition to see which URL to query). If the Gateways have different FQDNs and you enable them all for a Store, then whichever one is defined as the default will be used by all Receiver clients on first connect. This is problematic if you have two distinct user communities using different FQDNs that you want to aggregate into the same Store (for management simplicity) and they are using Receiver clients. For example, if you have https://myapps.company.com and https://myvdi.company.com and the Gateway selected as the default for the Store is “myapps.” Any user that enters “myvdi” into Receiver during first time setup will be re-routed to “myapps” as soon as they hit StoreFront and be prompted to authenticate again. The cleanest way therefore to deal with multiple Gateway FQDNs and native Receiver clients is via distinct Stores or via distinct StoreFront server groups. Again, fairly specific scenario, but this is another setting that we find is not very well understood by the field.

TIL: The Exchange PAM can move to another node when the FSW reboots

Didn’t know this. The Exchange PAM (Primary Active Manager) can move to another node when the FSW (File Share Witness) reboots or is offline. There’s no impact, but it’s worth being aware of if you are wondering what could be affected when the FSW server is rebooted.

From this blog post (via this forum post where I found it):

When the File Share Witness host server becomes unavailable, the File Share Witness resource will still fail in cluster and cause the Cluster Core Resources to move between nodes. In this case assuming the File Share Witness host server is still not available, the resource remains in a failed state. If it becomes necessary to utilize the File Share Witness to maintain Quorum, and the witness resource is in a failed state, cluster will attempt to online the witness resource. If the online is successful the witness share is alive and accessible – quorum is maintained. If the online is not successful, the witness share is not alive and accessible – a lost quorum condition is encountered.

Brief background on PAM (via this blog post):

At any given time, in every database availability group (DAG), there is one member that is responsible for the coordination of database actions across the DAG. This member is known as the Primary Active Manager (PAM). The current PAM can be determined by using Get-DatabaseAvailabilityGroup -Status. The cluster group may contain several cluster resources. The PAM does not depend on the state of any of the resources in this group, and the PAM role will always be assigned to the node that owns the Cluster Group. The Cluster Group can be moved between members using the cluster management tools.

Each DAG member that does not own the Cluster Group is a Standby Active Manager (SAM). When the Cluster Group is moved between nodes, a notification process detects that the Cluster Group owner has changed. This triggers detection logic to determine the new PAM. 

Automatic arbitration may occur for a number of reasons including: 

  • The failure of a member
  • The failure of a resource contained within the Cluster Group

In most cases, Exchange administrators should not be concerned with the owner of the Cluster Group or the node designated as the PAM. This is true even for DAGs that span multiple sites where the PAM may be a node in a distant datacenter.

Some more details regarding PAM  (via this blog post):

Active Manager is a role that runs on a mailbox server. A single Active Manager role, “Standalone Active Manager”, runs on a mailbox server that has no high availability configured. Two Active Manager roles are in use when the mailbox server is a member of a DAG: Primary Active Manager (PAM) and Standby Active Manager (SAM).

PAM is the Active Manager in a DAG that decides which database copies will be active and passive. PAM is responsible for getting topology change notifications and reacting to server failures. 

SAM provides information on which server hosts the active copy of a mailbox database to other components of Exchange that are running an Active Manager client component (for example, RPC Client Access service or Hub Transport server). The SAM detects failures of local databases and the local Information Store. It reacts to failures by asking the PAM to initiate a failover. A SAM does not determine the target of failover, nor does it update a database’s location state in the PAM. SAM runs on all mailbox servers in a DAG except on the one where PAM is running.
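As an added check (not something from the post or the quoted articles), here is how I would confirm the behaviour described above before and after rebooting an FSW: snapshot who owns the Cluster Group (and therefore holds PAM), what Exchange reports as the PAM, and the witness resource state, then compare. Run it in the Exchange Management Shell on a DAG member; the DAG and FSW host names are assumptions.

```powershell
# Added example, not from the post. Needs the Exchange Management Shell (for Get-DatabaseAvailabilityGroup)
# and the FailoverClusters module. DAG name and FSW host below are assumptions.
Import-Module FailoverClusters -ErrorAction Stop

function Get-DagPamSnapshot {
    param([Parameter(Mandatory)][string]$DagName)
    $dag = Get-DatabaseAvailabilityGroup -Identity $DagName -Status
    # The cluster name normally equals the DAG name. For a DAG with no administrative access point,
    # pass one of $dag.Servers to -Cluster instead of the DAG name.
    $coreGroup = Get-ClusterGroup -Cluster $DagName -Name 'Cluster Group'
    $witness   = Get-ClusterResource -Cluster $DagName | Where-Object { $_.ResourceType -eq 'File Share Witness' }
    [pscustomobject]@{
        Time                 = Get-Date
        PrimaryActiveManager = $dag.PrimaryActiveManager          # what Exchange says
        ClusterGroupOwner    = $coreGroup.OwnerNode.Name          # what the cluster says; should agree
        WitnessServer        = $dag.WitnessServer
        WitnessShareInUse    = $dag.WitnessShareInUse             # Primary / Alternate / None
        WitnessResource      = if ($witness) { "$($witness.Name): $($witness.State)" } else { 'no FSW resource' }
    }
}

$dagName = 'DAG01'
$fswHost = 'fsw01.corp.example.com'

$before = Get-DagPamSnapshot -DagName $dagName
Restart-Computer -ComputerName $fswHost -Wait -For PowerShell -Timeout 900   # wait for the FSW host to come back
Start-Sleep -Seconds 60                                                      # give the cluster time to re-online the witness
$after  = Get-DagPamSnapshot -DagName $dagName

$before, $after | Format-Table -AutoSize

if ($before.PrimaryActiveManager -ne $after.PrimaryActiveManager) {
    Write-Warning "PAM moved from $($before.PrimaryActiveManager) to $($after.PrimaryActiveManager) during the FSW reboot (expected; no user impact)"
}
if ($after.ClusterGroupOwner -ne $after.PrimaryActiveManager) {
    Write-Warning "Exchange and the cluster disagree on who holds PAM; check the Replication service on $($after.ClusterGroupOwner)"
}
if ($after.WitnessResource -notmatch 'Online') {
    Write-Warning "Witness resource is not Online after the reboot: $($after.WitnessResource). Quorum is fine while all members are up, but fix it before the next failure."
}
```

The last check is the one that matters operationally: as the quoted text says, a failed witness resource costs nothing until the cluster actually needs the witness vote, so a reboot that leaves it failed is a problem you want to know about now rather than during the next node outage.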

Ops Manager – PowerShell script failed

I was getting PowerShell script failed errors for one of our servers being monitored via SCOM. The error was along these lines:

Not having much of an idea as to what the matter was (but having a hunch that it must be to do with performance monitors) I took a look at the event logs on the server and found entries like these:

There were many more like this (I found them all in the Administrative Events). To fix this I rebuilt the performance counters.

One caveat: the instructions in the link above ask us to go to “c:\windows\system32” and run the command “lodctr /R”. This gave me an error: “Error: Unable to rebuild performance counter setting from system backup store, error code is 2”.

From a forum post I learnt that going to “c:\windows\syswow64” instead does the trick. So keep that in mind. :)
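Here is the whole fix as an added, scripted version (mine, not the post’s): it pulls the recent Perflib errors so you have the “before” picture, runs lodctr /R from both System32 and SysWOW64 (recording the exit code of each, so the error code 2 case above is captured rather than hidden), resyncs WMI’s counter classes, restarts the agent and reads one counter back. The Perflib provider filter for the event query is my assumption about where these errors land; adjust it if your errors come from a different source.

```powershell
# Added example, not from the post. Run elevated on the monitored server.
function Invoke-PerfCounterRebuild {
    [CmdletBinding()]
    param()
    foreach ($dir in 'System32', 'SysWOW64') {
        $exe = Join-Path $env:windir "$dir\lodctr.exe"
        if (-not (Test-Path $exe)) { continue }             # 32-bit Windows has no SysWOW64
        $output = & $exe /R 2>&1 | Out-String             # /R rebuilds the counter registry from the backup store
        [pscustomobject]@{
            Directory = $dir
            ExitCode  = $LASTEXITCODE                       # 0 = rebuilt; non-zero = the error text is in Output
            Output    = $output.Trim()
        }
    }
}

# "Before": the Perflib errors SCOM's scripts trip over (provider name is an assumption; widen the filter if needed)
Get-WinEvent -FilterHashtable @{ LogName = 'Application'; ProviderName = 'Microsoft-Windows-Perflib'; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, Message | Format-List

$results = Invoke-PerfCounterRebuild
$results | Format-Table Directory, ExitCode, Output -AutoSize -Wrap

if ($results | Where-Object { $_.ExitCode -eq 0 }) {
    & "$env:windir\System32\winmgmt.exe" /resyncperf      # re-register WMI's Win32_PerfFormattedData classes against the rebuilt counters
    Restart-Service -Name HealthService                   # the Microsoft Monitoring Agent re-reads counters on start
    # Smoke test: if this returns a sample, the counter subsystem is usable again
    Get-Counter '\Processor(_Total)\% Processor Time' -MaxSamples 1 | Select-Object -ExpandProperty CounterSamples
} else {
    Write-Warning "lodctr /R failed from every location; see the Output column above"
}
```

Note that lodctr only rebuilds from the backup store it has; if a third-party counter DLL was removed without its counters being unloaded, you still get Perflib errors afterwards and need `unlodctr` for that specific provider, which this script deliberately does not guess at.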

Weekend movie updates

Stuff I saw this weekend. :)

Safe

Created by author Harlan Coben (whose books I haven’t read) and starring Michael C. Hall of Dexter fame (ooh loved that!). Not a murder mystery, rather a “girl runs away from home, now why did she do that” mystery meets “father searching for his presumed missing daughter and won’t stop at anything until he finds her” thriller. It was fine. Not amazing or anything but not bad either. The finale was a bit rushed and didn’t explain some of the plot points (esp. who ransacked the Chahal family house) and the explanation of the sequence of events that led to the girl running away was a bit stretched – but well, worth a watch. Beware of all the red herrings though! Too many of them, and it’s irritating.

Ready Player One

Based on the book (which I didn’t enjoy). Good movie. Again, nothing too great (coz I am not into gaming I guess) but a fun watch and one of the better movies I have seen recently. Keeps you hooked, and all the special effects and stuff are amazing.

Ordeal by Innocence

Based on the Agatha Christie book (which I haven’t read, but will do now) and starring Bill Nighy, Matthew Goode etc. – a nice old fashioned murder mystery, set in an England of old. I am curious how the book is coz this seems to be a very complicated story and it’s commendable that it got adapted for the screen, so I wonder how the original material was. This was the last show I saw this weekend and it was a pleasure.

Service SIDs etc.

Just so I don’t forget. 

The SCOM Agent on a server is called “Microsoft Monitoring Agent”. The short service name is “HealthService” and is set to run as Local System (NT Authority\System). Although not used by default, this service also has a virtual account created automatically by Windows called “NT SERVICE\HealthService” (this was a change introduced in Server 2008). 

As a refresher to myself and any others – this is a virtual account, i.e. a local account managed by Windows and one which we don’t have much control over (like changing the password etc.). Every service, even though it may be set to run under Local System, has an automatically created virtual account “NT Service\<ServiceName>”; when the service SID type is enabled (see below) Windows adds that account’s SID to the service’s token as an extra group SID, so the service can be granted (or denied) access on its own rather than as the whole of Local System. As with Local System, when a service running under such an account accesses a remote system it does so using the credentials of the machine it is running on – i.e. “<DomainName>\<ComputerName>$”.

Since these virtual accounts correspond to a service, and each virtual account has a unique SID, such virtual accounts are also called service SIDs.

Although all services have a virtual account, it is not used by default. To see whether a virtual account is used or not one can use the sc qsidtype command. This queries the type of the SID of the virtual account. 

A type of NONE as in the above case means this virtual account is not used by the service. If we want a service to use its virtual account we must change this type to “Unrestricted” (or one could set it to “Restricted” too which creates a “write restricted” token – see this and this post to understand what that means). 

The sc sidtype command can be used to change this. 

A service SID is of the form S-1-5-80-{five sub-authorities}, where the sub-authorities are the SHA-1 hash of the upper-cased short service name (encoded as UTF-16LE) read as five 32-bit values. Because it is derived from the name alone, a given service has the same service SID on every machine, which is why you can grant “NT SERVICE\HealthService” rights without looking anything up. You can find it via the sc showsid command too:

Note the status “Active”? That’s because I ran the above command after changing the SID type to “Unrestricted”. Before that, when the service SID wasn’t being used, the status was “Inactive”. 

So why am I reading about service SIDs now? :) It’s because I am playing with SCOM and as part of adding one of our SQL servers to it for monitoring I started getting alerts like these:

I figured this would be because the account under which the Monitoring Agent runs has no permissions to the SQL databases, so I looked at RunAs accounts for SQL and came across this blog post. Apparently the in thing nowadays is to change the Monitoring Agent to use a service SID and give that service SID access to the databases. Neat, eh! :)

I did the first step above – changing the SID type to “Unrestricted” so the Monitoring Agent uses that service SID. So next step is to give it access to the databases. This can be done by executing the following in SQL Management Studio after connecting to the SQL server in question:

The comments explain what it does. And yes, it gives the “NT Service\HealthService” service SID admin rights to the server. I got this code snippet from this KB article but the original blog post I was reading has a version which gives minimal rights (it has some other cool goodies too, like a task to create this automatically). I was ok giving this service SID admin rights. 
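Here is an added example (mine, not the KB’s or the blog’s snippet) that pulls the whole thing together: it computes the service SID the way Windows derives it, cross-checks that against `sc showsid`, switches the Monitoring Agent to use its SID, creates the SQL login the post describes, and then verifies that SQL Server stored the same S-1-5-80 SID. The SQL instance name is an assumption, and Invoke-Sqlcmd needs the SqlServer module (or SSMS’s SQLPS) wherever you run it.

```powershell
# Added example, not the post's own snippet. Run elevated on the SQL server that hosts the agent.
function Get-ServiceSid {
    param([Parameter(Mandatory)][string]$ServiceName)
    # S-1-5-80 followed by the SHA-1 digest of the UPPER-CASED service name encoded as UTF-16LE,
    # with the 20-byte digest read as five little-endian 32-bit sub-authorities.
    $sha1 = [System.Security.Cryptography.SHA1]::Create()
    $hash = $sha1.ComputeHash([System.Text.Encoding]::Unicode.GetBytes($ServiceName.ToUpperInvariant()))
    $subAuthorities = 0..4 | ForEach-Object { [BitConverter]::ToUInt32($hash, $_ * 4) }
    'S-1-5-80-' + ($subAuthorities -join '-')
}

$serviceName = 'HealthService'
$computed    = Get-ServiceSid -ServiceName $serviceName

# Cross-check against Windows' own answer: sc showsid prints a "SERVICE SID: S-1-5-80-..." line
$scLine = (sc.exe showsid $serviceName | Select-String 'SERVICE SID:').Line
$fromSc = ($scLine -split ':\s*')[1].Trim()
if ($computed -ne $fromSc) { throw "SID mismatch: computed $computed but sc reports $fromSc" }
# A well-known value to sanity-check the function on any SQL host: NT SERVICE\MSSQLSERVER is
# S-1-5-80-3880718306-3832830129-1677859214-2598158968-1052248003
Get-ServiceSid -ServiceName 'MSSQLSERVER'

# Make the agent's token actually carry the SID; this only takes effect on the next service start
sc.exe sidtype $serviceName unrestricted | Out-Null
sc.exe qsidtype $serviceName               # expect SERVICE_SID_TYPE: UNRESTRICTED
Restart-Service -Name $serviceName

# Create the login for the virtual account and grant it what the post granted (sysadmin).
# The least-privilege variant from the linked blog is preferable if the SQL MP's documented rights suffice.
$sqlInstance = 'sql01.corp.example.com'
$login = "NT SERVICE\$serviceName"
$grant = @"
IF NOT EXISTS (SELECT 1 FROM sys.server_principals WHERE name = N'$login')
    CREATE LOGIN [$login] FROM WINDOWS WITH DEFAULT_DATABASE = [master];
ALTER SERVER ROLE [sysadmin] ADD MEMBER [$login];   -- SQL Server 2012+ syntax
"@
Invoke-Sqlcmd -ServerInstance $sqlInstance -Query $grant

# Verify SQL resolved the name to the same S-1-5-80 SID. Virtual accounts are machine-local, so this
# only works when the agent and the SQL instance are on the same host, as in the post.
$row    = Invoke-Sqlcmd -ServerInstance $sqlInstance -Query "SELECT sid FROM sys.server_principals WHERE name = N'$login'"
$stored = (New-Object System.Security.Principal.SecurityIdentifier($row.sid, 0)).Value
if ($stored -ne $computed) { Write-Warning "SQL stored $stored, expected $computed" } else { "Login $login OK: $stored" }
```

The last check is worth keeping: if you ever create the login on the wrong instance, or on a remote one, SQL will happily create a login for a name it cannot resolve into the expected SID, and the agent’s connections will still fail with the same alerts.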

Reading Updates

Altered Carbon

Loved it! Not exactly like the TV show, but similar, and good in its own way. The book was able to convey more internal dialogue and Takeshi’s musings by way of the medium it is. I read this from cover to cover, but cheated towards the end by listening to the audio book (coz I don’t get much time to read and it’s easier to listen to a book while commuting). As I mentioned earlier the audio book quality is poor, but since it was only a few chapters here and there I didn’t mind.

Apart from the musings and such I think I also enjoyed the book because the sci-fi stuff wasn’t presented in an “oh wow this is awesome” kind of way. Richard Morgan (the author) just brings up things as if they naturally are so. Everything has an air of “this is how things are / have always been” so the book didn’t feel too sci-fi to me. Plus the fact that it tended towards noir / mystery also helped. I definitely love noir / mystery books.

To quote a paragraph that I loved a lot from the book:

Suppose you know someone, a long time ago. You share things, drink deeply of each other. Then you drift apart, life takes you in different directions, the bonds are not strong enough. Or maybe you get torn apart by external circumstance. Years later, you meet that person again, in the same sleeve, and you go through it all over again. What’s the attraction? Is this the same person? They probably have the same name, the same approximate physical appearance, but does that make them the same? And if not, does that make the things that have changed unimportant or peripheral? People change, but how much? As a child I’d believed there was an essential person, a sort of core personality around which the surface factors could evolve and change without damaging the integrity of who you were. Later, I started to see that this was an error of perception caused by the metaphors we were used to framing ourselves in. What we thought of as personality was no more than the passing shape of one of the waves in front of me. Or, slowing it down to more human speed, the shape of a sand dune. Form in response to stimulus. Wind, gravity, upbringing. Gene blueprinting. All subject to erosion and change. The only way to beat that was to go on stack forever.

Just as a primitive sextant functions on the illusion that the sun and stars rotate around the planet we are standing on, our senses give us the illusion of stability in the universe, and we accept it, because without that acceptance, nothing can be done. But the fact that a sextant will let you navigate accurately across an ocean does not mean that the sun and stars do rotate around us. For all that we have done, as a civilization, as individuals, the universe is not stable, and nor is any single thing within it. Stars consume themselves, the universe itself rushes apart, and we ourselves are composed of matter in constant flux. Colonies of cells in temporary alliance, replicating and decaying and housed within, an incandescent cloud of electrical impulse and precariously stacked carbon code memory. This is reality, this is self knowledge, and the perception of it will, of course, make you dizzy. […] All and anything you achieve as Envoys must be based on the understanding that there is nothing but flux. Anything you wish to even perceive as an Envoy, let alone create or achieve, must be carved out of that flux.

Broken Angels

The sequel. I didn’t love it as much as Altered Carbon and in fact I left it about 1/3rd of the way in (chapter 14 to be precise). I tried listening to the audio book in hopes that it would engross me more, but it didn’t (in spite of being of better quality). I just couldn’t connect with the story or the characters. While Altered Carbon was more personal, Broken Angels was about war and politics and all that abstract sort of stuff which I have no interest in. And I dunno why, I kept getting irritated by how often it kept saying “Envoys are this” and “Envoys are that” – too much self praise.

Reading this book made me doubt (again) whether I like sci-fi or not. When reading Altered Carbon I had gotten over that doubt coz I enjoyed it a lot, but Broken Angels for all its military sci-fi and Martians and all that bored me.

Woken Furies

I had thought of skipping this one – the third book in the trilogy – but am going to give it a chance in case it’s different. Mustn’t judge a trilogy by an unpleasant second book. :) Apparently it’s got a younger Takeshi hunting down an older (present day) Takeshi – can’t say no to that sort of a story!

A good thing about these books is that each one is independent. No relation to the events of the previous books.

Update [24th June]: Nope, skipped it after 4 chapters. The prologue was amazing and had me hooked but subsequent chapters sounded more like “Broken Angels”. I am not a fan of adventure sci-fi I guess. Although “adventure” is not the right word to use. I guess it’s more like a gaming sci-fi or military sci-fi or action sci-fi. Dunno. Anyways, left the book. I might have tried harder but I read this Goodreads blog post recently containing tips from readers who read 100+ books in a year, and most of them said it’s not worth it to stick with a book if you don’t like it/ it’s genre. At the end of the day we read books for fun or coz it hooks us – not to just suffer through it. “Woken Furies” wasn’t worth it for me.

Full Dark No Stars

Since I loved “1922” the movie, I decided I had to read/ listen to the book. I tried listening to the audio book early this year but didn’t like the narration. So I returned the audio book and when I saw the physical book recently I purchased it. Read “1922” – loved it! – and also “Big Driver”. Good stuff! Got two more short stories to go.

Update [24th June]:”Fair Extension” was short but evil! Hah. Loved it. I was waiting for some twist like stories of its sort tend to have, but there was none. Fun! One of those stories where you get away with the robbery – you can have your cake and eat it too. Good stuff. Now onto “A Good Marriage”.

Update [28th June]: Finished “A Good Marriage” and the Afterword and the bonus short story too. Loved them all! “Full Dark No Stars” has been a great read. As I was reading the last story I realized I enjoy reading these stories and my mind is much more at ease slipping into the imaginary worlds of these stories. Unlike, say, “Broken Angels” or “Woken Furies” where I have to concentrate coz it’s so dense with information and new worlds.

[Aside] Quote

Listening to “The End of the Affair” narrated by the amazing Colin Firth (a pleasure so far to listen to! wow). This sentence caught my attention:

How twisted we humans are, and yet they say a God made us; but I find it hard to conceive of any God who is not as simple as a perfect equation, as clear as air.

[Aside] Random Stuff

Changing the colors in Vim so it looks better in PuTTY. I usually lived with this (as I don’t spend much time in Linux nowadays) until I Googled today and found an easy fix. Thanks to this post: “:color desert” (where desert is an example color scheme).

Testing SSL in SMTP (thanks to):

That link is a good reference on Postfix SSL too.
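Since the SMTP test command itself didn’t survive above, here is an added PowerShell version of the same check (mine, not from the linked post). It speaks enough SMTP to get to STARTTLS, upgrades the connection, and reports what was negotiated and whether the certificate actually validates, which is the part a one-line test tends to skip. The target host is an assumption.

```powershell
# Added example, not from the post. Probes STARTTLS on an SMTP server from any Windows box that can reach it.
function Read-SmtpReply([System.IO.Stream]$Stream) {
    # Read bytes directly instead of via a StreamReader: a reader may buffer past the STARTTLS
    # boundary, and the same NetworkStream is handed to SslStream afterwards.
    $lines = New-Object System.Collections.Generic.List[string]
    do {
        $sb = New-Object System.Text.StringBuilder
        while ((($b = $Stream.ReadByte()) -ne -1) -and ($b -ne 10)) {
            if ($b -ne 13) { [void]$sb.Append([char]$b) }
        }
        $line = $sb.ToString()
        $lines.Add($line)
    } while ($line.Length -ge 4 -and $line[3] -eq '-')   # "250-..." continues a reply, "250 ..." ends it
    , $lines.ToArray()
}

function Send-SmtpCommand([System.IO.Stream]$Stream, [string]$Command) {
    $bytes = [System.Text.Encoding]::ASCII.GetBytes($Command + "`r`n")
    $Stream.Write($bytes, 0, $bytes.Length)
    $Stream.Flush()
    Read-SmtpReply $Stream
}

function Test-SmtpStartTls {
    param([Parameter(Mandatory)][string]$Server, [int]$Port = 25, [string]$EhloName = 'probe.example.com')
    $client = New-Object System.Net.Sockets.TcpClient($Server, $Port)
    try {
        $net = $client.GetStream()
        [void](Read-SmtpReply $net)                                              # 220 banner
        $ehlo = Send-SmtpCommand $net "EHLO $EhloName"
        if (-not ($ehlo -match '^250[- ]STARTTLS')) { throw "$Server does not advertise STARTTLS: $($ehlo -join ' | ')" }
        $reply = Send-SmtpCommand $net 'STARTTLS'
        if ($reply[0] -notmatch '^220') { throw "STARTTLS refused: $($reply -join ' | ')" }

        # Record validation errors instead of aborting so the report says *why* a certificate is untrusted.
        # Never do this in real client code; here it is a diagnostic and the errors are surfaced below.
        $script:tlsErrors = 'not checked'
        $callback = [System.Net.Security.RemoteCertificateValidationCallback]{ param($s, $cert, $chain, $errors) $script:tlsErrors = $errors; $true }
        $ssl = New-Object System.Net.Security.SslStream($net, $false, $callback)
        $ssl.AuthenticateAsClient($Server)

        $ehloTls = Send-SmtpCommand $ssl "EHLO $EhloName"                         # RFC 3207: EHLO again after the handshake
        [void](Send-SmtpCommand $ssl 'QUIT')
        $cert = [System.Security.Cryptography.X509Certificates.X509Certificate2]$ssl.RemoteCertificate
        [pscustomobject]@{
            Server           = "${Server}:$Port"
            Protocol         = $ssl.SslProtocol
            Cipher           = "$($ssl.CipherAlgorithm) $($ssl.CipherStrength)-bit"
            Subject          = $cert.Subject
            Issuer           = $cert.Issuer
            NotAfter         = $cert.NotAfter
            ValidationErrors = $script:tlsErrors                                  # 'None' = chain and host name checked out
            AuthOverTls      = (($ehloTls -match '^250[- ]AUTH') -join ';')        # AUTH should only ever appear here, not before STARTTLS
        }
    } finally {
        if ($ssl) { $ssl.Dispose() }
        $client.Close()
    }
}

Test-SmtpStartTls -Server 'mail.example.com' | Format-List
```

Two things to look at in the output: ValidationErrors (a Postfix box with a self-signed or mismatched certificate will show RemoteCertificateChainErrors or RemoteCertificateNameMismatch, and other MTAs will treat it the same way) and Protocol, which tells you whether the server still negotiates something older than TLS 1.2.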

NSX Edge application rules to use a different pool

Coming from a NetScaler background I was used to the concept of a failover server. As in a virtual server would have a pool of servers it would load balance amongst and if all of them are down I can define a failover server that could be used. You would define the failover server as a virtual server with no IP, and tell the primary virtual server to failover to this virtual server in case of issues.

Looking around for a similar option with NSX I discovered it’s possible using application rules. Instead of defining two virtual servers though, here you define two pools. One pool for the primary servers you want to load balance, the other pool for the failover server(s).

Then you create an application rule like this:

Once again, the syntax is that of HAProxy. You define an ACL (adfs_pri_down is what I am calling mine, as this is for load balancing some ADFS servers) and the criterion is nbsrv(pool-adfs-https-443) eq 0. The nbsrv criterion checks the pool you pass to it (pool-adfs-https-443 in my case) and returns the number of servers that are up. So the ACL is basically a boolean that is true if the number of usable servers is 0.

Next, the use_backend rule switches to using the backup pool I have defined (pool-bkpadfs-https-443 in this case) if the ACL is true.

That’s all. Pretty straightforward!
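As an added example (mine, not the post’s), here is the rule generated from the two pool names described above, plus a way to create it on the Edge through the NSX Manager REST API and attach it to the virtual server, so it can be kept in version control rather than typed into the UI. The NSX Manager host, Edge ID, virtual server ID and pool names are assumptions, and the API paths are the NSX-v 6.x ones as I understand them from the NSX API guide, so check them against your version.

```powershell
# Added example, not from the post. Names, IDs and API paths below are assumptions.
function New-LbFailoverRuleScript {
    param(
        [Parameter(Mandatory)][string]$PrimaryPool,
        [Parameter(Mandatory)][string]$BackupPool,
        [string]$AclName = 'primary_pool_down'
    )
    # nbsrv(<pool>) is the number of usable servers in that pool; the ACL is true only when none are up,
    # and use_backend then sends the request to the backup pool instead of the virtual server's default pool.
    @(
        "acl $AclName nbsrv($PrimaryPool) eq 0",
        "use_backend $BackupPool if $AclName"
    ) -join "`n"
}

$ruleScript = New-LbFailoverRuleScript -PrimaryPool 'pool-adfs-https-443' -BackupPool 'pool-bkpadfs-https-443' -AclName 'adfs_pri_down'
$ruleScript        # exactly what you would paste into the application rule's Script box

# Create it through the API. NSX Manager uses basic auth over HTTPS; prompt rather than embed the password.
$nsxManager = 'nsxmgr.corp.example.com'
$edgeId     = 'edge-1'
$cred       = Get-Credential -Message "NSX Manager account for $nsxManager"
$escaped    = [System.Security.SecurityElement]::Escape($ruleScript)      # the script goes inside an XML element
$body       = "<applicationRule><name>adfs-failover-to-backup</name><script>$escaped</script></applicationRule>"
$resp = Invoke-WebRequest -Method Post -Uri "https://$nsxManager/api/4.0/edges/$edgeId/loadbalancer/config/applicationrules" `
    -Credential $cred -ContentType 'application/xml' -Body $body -UseBasicParsing
$ruleId = ($resp.Headers['Location'] -split '/')[-1]      # the new applicationRule-N id comes back in the Location header
"Created $ruleId on $edgeId"

# A rule does nothing until it is attached to a virtual server: fetch the VS, add the id, PUT it back.
$vsUri = "https://$nsxManager/api/4.0/edges/$edgeId/loadbalancer/config/virtualservers/virtualServer-1"
[xml]$vs = (Invoke-WebRequest -Uri $vsUri -Credential $cred -UseBasicParsing).Content
$node = $vs.CreateElement('applicationRuleId')
$node.InnerText = $ruleId
[void]$vs.virtualServer.AppendChild($node)
Invoke-WebRequest -Method Put -Uri $vsUri -Credential $cred -ContentType 'application/xml' -Body $vs.OuterXml -UseBasicParsing | Out-Null
```

Note that the failover decision is purely on the health monitor of the primary pool, so make sure the monitor on pool-adfs-https-443 actually checks something ADFS-specific (e.g. the federation metadata URL) rather than a TCP connect, otherwise a half-dead ADFS node keeps the pool “up” and the backup never gets used.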

[Aside] Various ADFS links

No biggie, just as a reference to myself:

Update 16 July 2018: Needed to make a claim rule yesterday that converted the email address from an incoming claim to Name ID of an outgoing claim. The default GUI provided rule didn’t work, so I made a custom one:

I think I’ll add more such snippets here later.

Btw note to self: custom claim rules are useful if you want to combine multiple incoming claims – i.e. for an AND operation. If you don’t want to combine – i.e. you want to OR multiple claims – just add them as separate rules.
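To make the two notes above concrete, here is an added example (mine, not the post’s actual rule) with the email-to-Name ID transform written as a custom claim rule, an AND rule (two claim conditions joined in one rule), and an OR expressed as two separate rules issuing the same claim, all applied to a relying party with the ADFS module. The relying party name and group SIDs are assumptions.

```powershell
# Added example, not from the post. Run on an ADFS server (the ADFS module loads automatically there).
$emailType  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/emailaddress'
$nameIdType = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claims/nameidentifier'
$roleType   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/role'
$groupSid   = 'http://schemas.microsoft.com/ws/2008/06/identity/claims/groupsid'
$nameIdFmt  = 'http://schemas.xmlsoap.org/ws/2005/05/identity/claimproperties/format'

# Claim rules run in order; each rule sees the claims issued by the ones before it.
$rules = @"
@RuleName = "Look up mail from AD"
c:[Type == "http://schemas.microsoft.com/ws/2008/06/identity/claims/windowsaccountname", Issuer == "AD AUTHORITY"]
 => issue(store = "Active Directory", types = ("$emailType"), query = ";mail;{0}", param = c.Value);

@RuleName = "Email -> Name ID, email format"
c:[Type == "$emailType"]
 => issue(Type = "$nameIdType", Issuer = c.Issuer, OriginalIssuer = c.OriginalIssuer,
          Value = c.Value, ValueType = c.ValueType,
          Properties["$nameIdFmt"] = "urn:oasis:names:tc:SAML:1.1:nameid-format:emailAddress");

@RuleName = "AND: admin role only for members of the admins group who also have a mail attribute"
c1:[Type == "$groupSid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1105"]
 && c2:[Type == "$emailType"]
 => issue(Type = "$roleType", Value = "app-admin");

@RuleName = "OR (1 of 2): user role from group A"
c:[Type == "$groupSid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1106"]
 => issue(Type = "$roleType", Value = "app-user");

@RuleName = "OR (2 of 2): user role from group B"
c:[Type == "$groupSid", Value == "S-1-5-21-1111111111-2222222222-3333333333-1107"]
 => issue(Type = "$roleType", Value = "app-user");
"@

$rp = 'Example SAML App'
Set-AdfsRelyingPartyTrust -TargetName $rp -IssuanceTransformRules $rules
(Get-AdfsRelyingPartyTrust -Name $rp).IssuanceTransformRules    # read back to confirm what ADFS stored
```

Matching on the group SID rather than the group name is deliberate: names can be changed, but a renamed group keeps its SID, so the rule keeps meaning what you wrote. The Name ID rule copies Issuer and OriginalIssuer from the incoming claim, which is what the GUI-generated transform rule does too; the difference is the explicit format property, which is what most SAML relying parties that insist on an email-format Name ID are actually checking.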