Creative Commons Attribution 4.0 International License
© Rakhesh Sasidharan

Iron Fist

I want to write opinions on stuff I watch, read, or listen to. But I am not good at writing verbosely on such stuff – describing, showering praises or finding faults – so I usually refrain. Nevertheless I do want to record my opinions and thoughts somewhere, and if not on this blog then where?

Part of the reason I don’t want to write much is that I know it’s an act of creativity, thinking up and executing and creating something. A TV show, movie, or a book or anything ‘art’. And however much I might dislike it that’s just my personal opinion and I have no right to blurt it out in public. I can say it in private to anyone as it’s one to one, but having a blog or some social media gives me no right to say bad things about something I personally don’t like. (And well, if it’s something I enjoy, then the other part of my reason wherein I suck at expressing my praise and describing why kicks in and so I can’t write well either!)

Anyhow. On that note. I saw Netflix’s Iron Fist this weekend. I had seen up to episode 7 last month on a binge weekend, got bored and left it, but continued today as my daughter (who too binge watched previously) wanted to finish it. 

The second half was better than the first. More fighting. Still a lot of talking, confusion, and personal journey. Reminding me of watching “Batman vs Superman” and thinking how I’d hate to be Superman – such a tortured hero! This was similar. Chap’s got an Iron Fist, not really sure what to do with it except destroy the Hand, filled with guilt and anger and innocence and lied to by nearly everyone around him. If it were me, I would be “no thank you, please keep the iron fist and spare me all the torture!”

I guess my point is that it felt more of a drama than a superhero show. If it were a drama genre show and I had signed up to watch it expecting that, I wouldn’t have minded. But I was looking for hero worship and some kick assing here and a plot that’s more “yeah I am the Iron Fist let’s go kick some a$$” than this confusion and lying and family drama. I shouldn’t be surprised I know. That’s how superhero movies are nowadays and especially the Marvel Netflix collaborations.

On an unrelated note I am typing this from my Android phone (I never do that usually) and God! it’s such a torture. I hate the keyboard on Android. I keep making mistakes and most of the time the auto correct suggestions are not what I wanted.

Oh and I almost forgot. Iron Fist has a good score by Trevor Morris. Strangely they don’t mention this in the opening credits but I found the album on Apple Music. Good stuff. 

Citrix breaks after removing the root zone from your DNS server?

Two years ago I had removed the root zone on our DNS servers at work. Coz who needs root zones if your DC is only answering internal queries, i.e. for zones it has. Right?

Well, that change broke our Citrix environment. :) Users could connect to our NetScaler gateway but couldn’t launch any resource after that. 

Our Citrix chaps logged a call with our vendor etc and they gave some bull about the DNS server not responding to TCP queries etc. Yours truly wasn’t looking after Citrix or NetScalers back then, so the change was quietly rolled back as no one had any clue why it broke Citrix. 

Fast forward to yesterday, I had to do the change again coz now we want our DNS servers to resolve external names too – i.e. use root hints and all that goodness! I did the change, and Citrix broke! Damn. 

But luckily now Citrix has been rolled into our team and I know way more about how Citrix works behind the scenes. Plus I keep dabbling with NetScalers, so I am not totally clueless (or so I’d like to think!). 

I went into the DNS section of the NetScaler to see what’s up. Turns out the DNS virtual server was marked as down. Odd, coz I could SSH into the NetScaler and do name lookups against that DNS virtual server (which pointed to my internal DC basically). And yes, I could do dig +notcp to force it to do UDP queries only and nothing was broken. So why was the virtual server marked as down?!

I took a look at the monitor on the DNS service and it had the following:

Ok, so what exactly does this monitor do? Click “Edit Monitor” – nothing odd there – click on “Special Parameters” and what do I find? 

Yup, it was set to query for the root zone. Doh! No wonder it broke. 

I have no idea why the DNS monitor was assigned to this service. By default DNS-UDP has the ping-default monitor assigned to it while DNS-TCP has the tcp-default monitor assigned to it. I am guessing that since our firewall blocks ICMP from the NetScalers to the DCs, someone decided to use the DNS monitor instead and left it at the default values of monitoring for the root zone. When I removed the root zone that monitor failed, the DNS virtual server was marked as down, and the NetScaler could no longer resolve DNS names for the resources users were trying to connect to. Hence the STA error above. Nice, huh!

Fix is simple. Change the query in the DNS monitor to a zone your DNS servers actually host. Preferably the zone your resources are in. Easy peasy. Made that change, and Citrix began working.
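To make the failure mode concrete, here is an added example of mine (not code from the post or from Citrix): a stand-in DNS server in Python that hosts only a constructed zone, plus a probe that does what the DNS monitor does, so you can see the default root-zone query go DOWN and a query for a hosted zone come back UP. The zone name, record and addresses are constructed, and the probe is an approximation of the monitor's logic, not NetScaler code.

```python
"""Added example: why a DNS monitor that queries the root zone fails once the
root zone is removed from the DNS server, and why pointing it at a zone the
server actually hosts fixes it. The server below is an in-memory stand-in for
the internal DC's DNS service, not a real NetScaler or Windows DNS server."""
import struct

QTYPE_A, QTYPE_NS = 1, 2
RCODE_NOERROR, RCODE_REFUSED = 0, 5

# Constructed zone data. The DC hosts corp.example only; the root zone (".")
# is deliberately absent, mirroring the change described in the post.
HOSTED = {
    "corp.example.": {
        ("corp.example.", QTYPE_NS): b"\x02ns\x04corp\x07example\x00",
        ("storefront.corp.example.", QTYPE_A): bytes([10, 10, 1, 20]),
    },
}

def encode_name(name):
    """Encode a dotted FQDN ("a.b." or ".") as an uncompressed DNS label sequence."""
    labels = [l for l in name.rstrip(".").split(".") if l]
    return b"".join(bytes([len(l)]) + l.encode() for l in labels) + b"\x00"

def decode_name(buf, off):
    """Decode an uncompressed label sequence; return (name, offset after it)."""
    labels = []
    while True:
        n = buf[off]; off += 1
        if n == 0:
            break
        labels.append(buf[off:off + n].decode()); off += n
    return ".".join(labels) + ".", off

def build_query(qname, qtype, txid=0x1234):
    """Standard query: header (RD set), one question, no other sections."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)

def serve(query, hosted=HOSTED):
    """Stand-in DNS server: answers only from zones it hosts, REFUSED otherwise."""
    txid, = struct.unpack("!H", query[:2])
    qname, off = decode_name(query, 12)
    qtype, _ = struct.unpack("!HH", query[off:off + 4])
    question = query[12:off + 4]
    for zone, records in hosted.items():
        if qname.endswith(zone) and (qname, qtype) in records:
            rdata = records[(qname, qtype)]
            answer = encode_name(qname) + struct.pack("!HHIH", qtype, 1, 300, len(rdata)) + rdata
            flags = 0x8580  # QR, AA, RD, RA set; rcode NOERROR
            return struct.pack("!HHHHHH", txid, flags, 1, 1, 0, 0) + question + answer
    flags = 0x8180 | RCODE_REFUSED  # QR, RD, RA set; rcode REFUSED
    return struct.pack("!HHHHHH", txid, flags, 1, 0, 0, 0) + question

def monitor_probe(qname, qtype, server=serve):
    """What the DNS monitor does: send its configured query and mark the service
    UP only if the reply is NOERROR and carries an answer of the queried type."""
    resp = server(build_query(qname, qtype))
    flags, qd, an = struct.unpack("!HHH", resp[2:8])
    if (flags & 0x000F) != RCODE_NOERROR or an == 0:
        return "DOWN"
    off = 12
    for _ in range(qd):                       # skip the echoed question section
        _, off = decode_name(resp, off); off += 4
    for _ in range(an):
        name, off = decode_name(resp, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", resp[off:off + 10])
        off += 10 + rdlen
        if name == qname and rtype == qtype:
            return "UP"
    return "DOWN"

if __name__ == "__main__":
    # Monitor left at its default: query the root zone. Fails once "." is gone.
    print("root zone probe  :", monitor_probe(".", QTYPE_NS))
    # Fixed monitor: query a record in the zone the resources live in.
    print("hosted zone probe:", monitor_probe("storefront.corp.example.", QTYPE_A))
```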

As might be noticeable from the tone of the post, I am quite pleased at having figured this out. Yes, I know it’s not a biggie … but just, it makes me happy at having figured it coz I went down a logical path instead of just throwing up my hands and saying I have no idea why the DNS service is down or why the monitor is red etc. So I am pleased at that! :)

 

[Aside] NetScaler newnslog files

Some links to myself on the newnslog files (these are binary log files; high precision; need a tool called nsconmsg to view them). 

A typical format of the command is like this:

The <operation> can be one of these (this is just a copy-paste from nsconmsg -?):

The newnslog files are rotated every 2 days (or after a certain number of events, if I remember correctly). The older ones can be accessed by putting a path to that file (e.g. /var/nslog/newnslog.28.tar.gz in the command above). This will extract the file and show the logs. The Citrix page says we have to extract the logs first, but I am guessing that’s old info.

That’s all for now. Will add more to this post later …

NetScaler/ Exchange RPC – TCP syn sent, reset received

At work one of my colleagues is setting up NetScalers as load balancers for our new Exchange environment. He is replicating the existing setup but found that the RPC 60001 & 60002 Service Groups on the NetScalers were being marked as down. Curious, I took a look.

After SSH-ing into the NetScaler I could see the following via show serviceGroup <serviceGroupName>:

My colleague too had seen this and pointed me to a good blog post from Citrix on what the reset codes mean. That blog post is a good one (that’s why I am linking it here, as a reference to myself) but I don’t think he was looking at a NetScaler trace, so we had no idea of the codes. (Speaking of which, here’s a good post on NetScaler and Wireshark. Here’s a KB article on how to collect traces from NetScaler. And here’s a KB article on how to collect traces from the CLI. Whilst I have briefly read them, I haven’t tried them out currently).

Back to the issue at hand. I could see that the individual servers (Exchange 2010 Client Access) were up on RPC 135 and HTTPS, but only RPC 60001 & 60002 were down. I decided to do a portQry against a server in the older environment and compare against the new. Here’s the relevant bits from an older server:

As expected, something is listening on ports 60001 and 60002. When I tried the same against the new server, however, there was nothing listening on either of these ports. I searched the output based on the UUIDs and found the port numbers were different:

So that’s why the NetScalers were getting a reset. Nothing was listening on those ports! Solution is simple. Configure these RPC ports as static.

That’s all! :)

[Aside] NetScaler SSL

Just putting in these links as bookmarks to myself for future. I kinda followed them while I was trying to change my NetScaler certs (kinda followed, coz I didn’t find these links when I Googled initially, so I just went ahead and figured it out by trying; but later I came across these and thought it would be a good idea to link them here). 

Notes on DNS servers & NetScaler

I must begin with a link to this forum post where someone explains the various DNS types on a NetScaler. A must-read. 

Now on to a bunch of screenshots and notes from me as I was just looking around with NetScalers and DNS. I have realized over time that my way of picking up stuff is by just doing it. A typical approach of reading about something and then trying it out doesn’t seem to work for me. (a) I get sleepy during reading and (b) that results in me never getting to the trying out stage. Instead, I seem to work better by just trying to begin with, succeed or break stuff in the process, and then go back and read or blog etc. about it. No hubris here that I am one of a kind :) I am sure there are more people who work this way – just that I too am like them.

A negative with this approach is that I must have a test lab where I can try things out. So there’s the additional effort required from me in terms of having a place where I can just break stuff. That’s probably the only negative thing I can think of about my approach. Oh, and it also takes up additional time when I want to pick up something – because first I have to set the environment up (e.g. when I was trying to pick up NSX last month) and then spend time just doing things and making/ breaking stuff in the process. 

Anyways – end of digression. Back to NetScalers and DNS. 

On a NetScaler, under the Traffic Management > DNS > NameServers is where you define DNS servers. 

 

You create name servers by clicking on the “Add” button. That gives a new screen like this:

I’ll start off with the “Local” checkbox because it’s a very important one. Funny how it’s just there as a checkbox but it completely changes everything else!

If you tick “Local” what it means is that the NetScaler acts as a DNS server responding to queries from clients. 

  • Thus the IP address you specify will be a Virtual IP on the NetScaler, where you can query for DNS replies. 
  • The records you can query are what will be defined on the NetScaler, under the Records section. 
  • The NetScaler can only act as a UDP based nameserver.

If you don’t tick “Local” then the NetScaler acts as a client. It won’t respond to any DNS queries. 

  • Thus the IP addresses you specify are what the NetScaler will contact for its own DNS queries. 
    • From the forum post I linked to above: NetScaler will monitor this IP address via ping from the NSIP (and not the SNIP).
  • Note: These IP addresses do not belong to the NetScaler. 
  • The IP addresses + DNS port combo cannot be defined on the NetScaler in the Load Balancing > Services section. You’ll get a “Resource already exists” error in that case. 
  • The IP addresses + DNS port combo can be defined in Service Groups. And can thus be used in load balancing etc. But as pointed out above, they cannot be defined as services. 

When creating a name server it is possible to use an existing DNS virtual server if one is already defined. The caveat with this is that only UDP is allowed. It is not possible to add a TCP or UDP/ TCP entry. In fact, the only options one gets in the drop down menu are UDP only DNS load balancer virtual services. (From the forum post: in this case the NetScaler will monitor the virtual server from its SNIP). 

It’s good to have TCP (or UDP/ TCP) servers in case of larger responses. In fact, when the NetScaler is acting as a load balancer for other DNS servers (this mode is called DNS proxy) it’s pretty much recommended to have TCP as an option too. 

If, say, the NetScaler is defined with only a UDP based DNS server (as in the screenshot below) then queries will fail if the DNS responses are large and require a TCP connection. 

This brings me to one more point. If we are creating a DNS virtual server just for the NetScaler’s internal use, we don’t need to define an IP address for it. The Name Server I have above actually does not have any virtual IP on the NetScaler.

So – to summarize: 

  • In the Name Servers section we can set the NetScaler to act as a DNS server for a zone it has.
    • This is UDP only. 
    • This is not load balancing. i.e. not a virtual server. 
  • In the Name Servers section we can also point the NetScaler to other DNS servers the NetScaler itself can use. 
    • If an IP address is specified, it can be both UDP and TCP, and the NetScaler monitors it via ping from the NSIP.
    • If a virtual server (see next point) is specified, it is UDP only, and the NetScaler monitors it via ping from the SNIP.
      • The virtual server created for such internal use can be set in non-addressable mode (i.e. no IP address).
  • In the Virtual Servers section it is possible to define a DNS service. The NetScaler will then act as a DNS server. 
    • This is load balancing. The NetScaler doesn’t host any zones. 
    • The NetScaler will cache results though and serve from those if required.
    • The NetScaler does not use this internally. But it can be set to use this internally, if thus defined in the Name Servers section.
    • This is for both UDP and TCP. 
    • This is also known as a DNS proxy. 

I think that’s about the gist of it. I have skipped GSLB for now. Once again, pointing to the useful forum post. It’s a great one! 

Toggl, Todoist, Trello, Workflowy, KanbanFlow, etc.

Just a quick shout out to Toggl. It’s a time tracking app that I used to use a while back and have started using again now. 

I am an IT person. So why would I need to track my time? It’s not that I have to bill it to anyone, unlike say if I were a lawyer.

Reason I decided to start keeping track of my time is because I felt it might improve my productivity. And even if it doesn’t, at least I’d have a better understanding of where my time is going and how. Currently I get to work and start doing my tasks and whatever keeps coming my way, but I feel I am not getting the hang of the big picture. There’s no overall feel to what I am doing during the day. $hit just keeps coming my way, I deal with it. There’s a lot of other (non task related) stuff I want to do, but I lose track of that. Then when I get home I try and spend time taking care of that non task related stuff, and by the end of the day I have no idea where my time went. No sense at all.

I use Todoist to keep track of my tasks. I have been a fan of Todoist for years now. I was previously on Wunderlist (way before Microsoft bought it and re-released it earlier this month) but I moved to Todoist as I felt it better fit my needs (I don’t remember now how Todoist was better). I am actually a paid subscriber. Never thought back when I signed up that I’d actually pay money for a reminder app, much less continue doing it! :o) The good thing about Todoist is that it has extensions for Chrome and Firefox, apps for iOS and Android, and even a desktop version for Windows. So I have access to Todoist pretty much wherever I am. Even during my team meetings or 1-2-1’s with my manager, when I am given a task I quickly note it in Todoist so it’s there. In short I am a fan! I use it to keep track of both personal and work related tasks.

For a while I experimented with Trello for my work related task management. It was good but I absolutely hate the fact that I can’t delete my boards etc. All I can do is archive, and I don’t like that. It feels very limited. That’s when I started using Todoist for my work tasks – I just made multiple projects in that for stuff in progress etc. Today I came across another tool – KanbanFlow – which is similar to Trello but doesn’t seem limited like it, so I might give it a shot. I like the idea of having my tasks as a board. I guess there’s more sense of accomplishment when you see all your tasks as “Completed” or “In Progress” as a bunch of cards, as opposed to with Todoist where completed tasks get removed of the list. Not a big deal I know, and I might just stick to Todoist for work related tasks too, but I hope to give KanbanFlow a whirl. 

I must also give a shoutout to WorkFlowy – an amazing tool for making lists and keeping track of stuff. Before there was Trello and Todoist in my life, it was WorkFlowy. :o) And yes, I was a paid subscriber to them too for a few years. The best thing about WorkFlowy is its tags system and the way you can jump across lists – it’s simply amazing! I don’t remember why I reduced using WorkFlowy. I guess the transition was that I needed something to organize my work related tasks and Trello let me do that in a more visual style; and from there I could jump to Todoist as it let me add reminders and keep both personal and work tasks together.

Back to Toggl. Found this page with a list of productivity tools that Toggl integrates with. I don’t know most of them – must check them out sometime. Also while on Toggl, here are two funny cartoons from them. :o) On IT jobs. And how to save the princess in various programming languages.

Going to hit ‘Publish’. I can see from my Toggl timer that I spent 29 mins typing this post up!

[Aside] https://127.0.0.1 Citrix Store SSL discovery error

Due to a goof up on my part in my test lab, I was encountering this error. Found this forum post which helped me fix it; after which I realized the error was happening coz of a configuration error on my part. No point going into what my mistake was (in short – I have two servers that act as both StoreFront and Delivery Controller; the base URL of the StoreFront is one of the servers but I was also trying to access the StoreFront via the other and it worked but kept erroring (it worked coz the IIS website is there; and it errored coz I am not supposed to access it via that URL) so that was me being silly). 

Thank you Internet!

Time to setup NetScalers in my test environment so I can access the StoreFront via them. Which is what I should have done in the first place to load balance between these two servers. 

More Random Thoughts…

Came across an old Bollywood song on radio today. Well not thaaaat old :) but old as in from my school/ college days. “Badi Mushkil Hai” by Abhijeet from the movie “Anjaam”. 

Whenever I think of my school/ college days I keep thinking they were much simpler and easier than now. I don’t want to sound like some old man reminiscing about his past, nor am I a technology hater who wishes for the past when there were fewer technological advances etc; but those times just “feel” a lot better. Simpler music. Simpler movies/ stories. Even when I was watching 11.22.63 and Maigret last weekend I had the same feeling – life just feels more complicated now. Like we are somehow out of touch with reality.

I guess these thoughts are because of those two TV shows plus the fact that I am listening (audiobook) to a Raymond Chandler novel and before that to “Slaughter House 5” – all stuff from an older time, and especially two of them with lot of time travel references. Puts you in that frame of mind I think. 

I guess the past feels simpler because we had fewer choices then. Either coz there were only fewer choices, or we were only given fewer choices. The number of choices you have in school or college is small. Similarly the number of choices 20 years ago in terms of career or place or even stuff you can buy was smaller – so it just feels simpler that way. Plus societal ways too were limited. Relationships were more straightforward and simpler. Now we have a choice in everything. You can choose how you want your life to be, what you want to be, what you want to do, who you want to be with (not just in terms of “a person from the opposite sex” but even which sex you want to be with). There are choices everywhere. Gives you more freedom but also gives an impression that the past was simpler. That’s what I think at least.

“Anjaam” was a good movie by the way. Shah Rukh Khan had a lot of good movies in his initial days. I was a huge fan of him and his movies. I guess I am partial to the anti-hero sort of character. And nearly all these characters he portrayed had an intensity to them. His characters still have intensity – but back then (a) they weren’t just heroes like his characters now and (b) because they were quite negative the intensity gave them an edge. And many of his characters were the obsessive types. Flawed, one could say. I felt they were more in tune with reality. Real life does not have on screen hero characters. We are all flawed. Some just a lot more than others. Even the good characters he played (like in “Yes Boss”, a favorite) were different. You could relate to them. And they were flawed in their own way.

Do the increased choices we have now reflect an increased free will? I don’t think so. I have been thinking of this too the past few days. I think ever since I read “Slaughter House 5”. I liked all that was expressed there about time. Those ideas have been constantly in my head since then. I used to think of the past and choices as something I make, something I have control over. Now I think less so. Like Kurt Vonnegut wrote, I feel it’s just a limitation of us not being able to see in the time dimension. Everything has already happened and will happen. To us it seems like it’s unfolding and we are making choices, but what if the choices have already been made (or rather, there is no choice to be made really) and we are just exactly where we have to be. Such a line of thinking does not make life any less worth living or exciting. We still don’t know what is going to happen – so that curiosity factor is still there. We just stop deluding ourselves that there’s some actual choosing we are doing. Yes, we make choices. Yes, we decide to do this or that. All that happens and all that will happen will continue as it always had – and it will appear that it’s a conscious decision from our side due to x, y, z reasons. None of that changes. What changes is the wishful thinking that we could have made different choices or that our present could be different/ better. We are exactly where we have to be. Every one of us. It has all already happened.

A cube is a cube to us because we can perceive three dimensions. If all we could perceive were two dimensions then it would be a square to us; and if all we could perceive were one dimension then it would be a line. But irrespective of what we can perceive the cube is always there. And it appears as a cube because three dimensions is all we can perceive. If we could perceive time too as a fourth dimension then the cube won’t appear like it does for us now. It would be something else altogether. And that object would be just as static as a cube is for us now. This structure will encapsulate the entirety of the choices the cube would have made in time – if it moved places for instance. That object is static. The cube’s journey is a tableau in that. From the cube’s point of view it made choices; but there really is nothing to choose. The 4D cube just exists and is there.

Yeah I am talking gibberish I know. :o) Most of it doesn’t make concrete sense to me either. But I am fascinated by the alternate point of view that it’s all fixed/ pre-determined. That there really are no choices. That whatever is happening, happened, and will happen has all already happened. I am just a passenger going with the motions and making my choices. Sometimes I choose good, sometimes I screw up. Sometimes I am good. Sometimes (most times haha!) I am a screw up. But it has all already happened.

Over and out!

Random Thoughts…

Reading about Kurt Gödel the other day. Intentionally Googled for him actually. He has fascinated me ever since I (half-)read “Gödel, Escher, Bach”. A genius. Especially his Incompleteness Theorem. I vaguely remember him being a severely depressed person (I think I had read a biography of his, or at least kind of read one). Surprised that such a genius person would be depressed. What would depress a genius?

Generally Googling on this I got the impression it’s not uncommon for geniuses to be depressed. It shouldn’t be surprising to me yet I am kind of surprised. Am curious what would make a genius depressed. I just imagined that they would be so wrapped up in their own world that they wouldn’t have worldly things to be worried about and be depressed for. But turns out I am wrong. There seems to be a lot of correlation between being a genius and being depressed. The link seems to be that such people obsess over the smallest of things and when that seeps into other areas it can have depressing effects. (Not being a genius myself, but being a person obsessed with details and prone to thinking a lot on absurd things and getting disturbed by that, I understand that).

Not all geniuses are depressed though. 

Which brings me to this post. I am listening to Raymond Chandler’s books nowadays and was thinking he’s so smart. The whole noir detective genre that he introduced. His writing, the characters, the plots. So smart and creative. I don’t know if he was depressed – I didn’t Google that. Would be surprised if he were considering the wit in his writing. (But then, comedians are depressed people. I wasn’t surprised when I read Robin Williams was depressed. I get that too. So maybe I shouldn’t be surprised if I Google and find Chandler to be depressed. Anyhow – I am digressing…)

Now I am listening to some music. Classical music and film scores etc. Currently listening to the Mission Impossible 3 score actually, as I write this. A great score by Michael Giacchino. I would call him a genius. Don’t think he’d be depressed though. Or other great composers. Hans Zimmer etc.

I think there are two sorts of geniuses. Those with a bit more intensity are the ones who get depressed. In fact, the key thing is intensity I think. (All geniuses are creative but it’s the intense + creative combo that’s deadly). Geniuses with intensity are one notch above other geniuses. And this intensity is what increases their chances of being depressed. This intensity is also how I am able to explain my own thought processes. Intensity is good. But it’s a double edged sword. It’s like one of those X-Men mutant powers – and not the good kind that you can hide or somehow meld into society with. Intensity is the sort where you will be outcast for sure and you are already set up to be depressed.

That’s all. Stopping before I ramble on. Wanted to put these thoughts somewhere and since they came out in flow thought this blog would be the best place. :)

[Aside] How to quickly get ESXi logs from a web browser (without SSH, vSphere client, etc)

This post made my work easy yesterday – https://www.vladan.fr/check-esxi-logs-from-web-browser/

tl;dr version:  go to https://IP_of_Your_ESXi/host

Bug in Server 2016 and DNS zone delegation with CNAME records

A colleague at work mentioned a Server 2016 DNS zone delegation bug he had found. I found just one post on the Internet when I searched for this. According to my colleague Microsoft has now confirmed this as a bug in the support call he raised. 

DNS being an area of interest I wanted to replicate the issue and post it – so here goes. Hopefully it makes sense. :)

Imagine a split-DNS scenario for a zone rockylabs.zero

  • This zone is hosted externally by a DNS server (doesn’t matter what OS/ software) called data01
  • This zone is hosted internally by two DNS servers: a Server 2012R2 (called DC2012-01), and a Server 2016 (called DC2016-01). 

Now say there’s a record rakhesh.rockylabs.zero that is the same both internally and externally. As in, we want both internal and external users to get the same (external) IP address for this record. 

What you would typically do is add this record to your external DNS server and create a delegation from your two internal DNS servers, for this record, to the external DNS server. Here’s some screenshots:

The zone on my external DNS server. Notice I have an A record for rakhesh.rockylabs.zero.  

Ignore the rakhesh2.rockylabs.zero record for now. That comes in later. :)

Here’s a look at the delegation from my Server 2012R2 internal DNS server to the external DNS server for the rakhesh.rockylabs.zero record. Basically I create a delegation within the rockylabs.zero zone on the internal server, for the rakhesh domain, and point it to the external DNS server. On the external DNS server rakhesh.rockylabs.zero is defined as an A record so that will be returned as an answer when this delegation chain is followed. 

In my case both the internal DNS servers are also DCs, and the rockylabs.zero zone is AD integrated, so a similar delegation is automatically created on the other DNS server too. 

As would be expected, I am able to resolve this A record correctly from both internal DNS servers.

Now for the fun part!

Notice the rakhesh2.rockylabs.zero record on my external DNS server? Unlike rakhesh.rockylabs.zero this one is a CNAME record. This too should be common for both internal and external users. Shouldn’t be a problem really as it should work similarly to the A record. Following the chain of delegation, when I resolve rakhesh2.rockylabs.zero to a CNAME record pointing to rakhesh.com, my DNS server should automatically resolve the A record for rakhesh.com and give me its address as the answer for rakhesh2.rockylabs.zero. It works with the Server 2012R2 internal DNS server as expected –

But breaks for the 2016 internal DNS server!

And that’s it! That’s the bug basically. 

Here’s the odd bit though. If I were to query rakhesh.com (the domain the CNAME record points to), and then try to resolve the delegated record, it works!

If I go ahead and clear the cache on that 2016 internal server and try the name resolution again, it’s broken as before.

So the issue is that the 2016 DNS Server is able to follow the delegation for rakhesh2.rockylabs.zero to the external DNS server and resolve it to rakhesh.com, but it doesn’t then go ahead and look up rakhesh.com to get its A record. But if the A record for rakhesh.com is already cached with it, it is sensible enough to return that address.

I dug a bit more into this by enabling debug logging on the 2016 server. Here’s what I found.

The 2016 server receives my query:

It passes this on to the external server (10.10.1.11 is data01 – external DNS server where rakhesh2.rockylabs.zero is delegated to). FYI, I am truncating the output here:

It gets a reply with the CNAME record. So far so good. 

Now it queries the external DNS server (data01 – 10.10.1.11) asking for the A record of rakhesh.com! That’s two wrong things: 1) Why ask the external DNS server (which, as far as the internal DNS server knows, is only delegated the rakhesh2.rockylabs.zero zone and has nothing to do with rakhesh.com), and 2) why ask it for the A record instead of the NS record, so it can find the name servers for rakhesh.com and ask those for the IP address of rakhesh.com?

It’s pretty much downhill from there, coz as expected the external DNS server replies saying “doh I don’t know” and gives it a list of root servers to contact. FYI, I truncated the output:

The 2016 internal DNS server now replies to the client with a fail message. As expected. 

So now we know why the 2016 server is failing. 
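To make the two resolution paths comparable side by side, here is an added example of mine (not the post's code and not Microsoft's resolver): a toy iterative resolver in Python over an in-memory set of name servers modelling the delegation chain above, with one flag switching between the correct behaviour (resolve the CNAME target from the root hints, as the 2012R2 server does) and the behaviour seen in the 2016 debug log (ask the delegated server for the target's A record). The server and zone names are the post's; the com/rakhesh.com name servers, all record data and all IP addresses are constructed placeholders.

```python
"""Added example: a toy iterative resolver that reproduces the delegation +
CNAME behaviour described in the post. Everything is in-memory; no packets."""

LOCAL = "DC2016-01"  # the internal 2016 DNS server doing the resolving

# Constructed name servers. "delegations" produce NS referrals, "records" answers.
SERVERS = {
    LOCAL: {"zone": "rockylabs.zero.",
            "delegations": {"rakhesh.rockylabs.zero.": "data01",
                            "rakhesh2.rockylabs.zero.": "data01"},
            # the post's workaround: a CNAME created directly on the internal server
            "records": {("rakhesh3.rockylabs.zero.", "CNAME"): "rakhesh.com."}},
    "data01": {"zone": "rockylabs.zero.",   # the external server (10.10.1.11 in the post)
               "records": {("rakhesh.rockylabs.zero.", "A"): "192.0.2.10",
                           ("rakhesh2.rockylabs.zero.", "CNAME"): "rakhesh.com."}},
    "root": {"zone": ".", "delegations": {"com.": "tld-com"}},
    "tld-com": {"zone": "com.", "delegations": {"rakhesh.com.": "ns-rakhesh"}},
    "ns-rakhesh": {"zone": "rakhesh.com.", "records": {("rakhesh.com.", "A"): "203.0.113.10"}},
}

def in_zone(name, zone):
    return zone == "." or name == zone or name.endswith("." + zone)

def query(server, qname, qtype):
    """One exchange with a server: answer, referral (NS hand-off) or nxdomain.
    A server asked about a name outside its zone hands out the root hints,
    which is the "doh I don't know" reply data01 gave in the post."""
    s = SERVERS[server]
    if not in_zone(qname, s["zone"]):
        return {"kind": "referral", "to": "root"}
    for sub, ns in s.get("delegations", {}).items():
        if in_zone(qname, sub):
            return {"kind": "referral", "to": ns}
    recs = s.get("records", {})
    for rtype in (qtype, "CNAME"):
        if (qname, rtype) in recs:
            return {"kind": "answer", "rtype": rtype, "rdata": recs[(qname, rtype)]}
    return {"kind": "nxdomain"}

def start_server(name):
    """Where the internal server begins: its own zone data, else the root hints."""
    return LOCAL if in_zone(name, SERVERS[LOCAL]["zone"]) else "root"

def resolve(qname, qtype, restart_cname_from_hints, cache=None):
    """Iterative resolution as performed by DC2016-01. Returns (result, trail).
    restart_cname_from_hints=True : resolve the CNAME target from scratch (correct).
    restart_cname_from_hints=False: keep asking the delegated server (the 2016 bug)."""
    cache = {} if cache is None else cache
    trail, name, server = [], qname, start_server(qname)
    for _ in range(16):                          # loop guard for long CNAME chains
        if (name, qtype) in cache:               # the "already cached" case in the post
            trail.append(("cache", name, qtype, "hit"))
            return cache[(name, qtype)], trail
        r = query(server, name, qtype)
        trail.append((server, name, qtype, r["kind"]))
        if r["kind"] == "referral":
            if r["to"] == "root":                # upward referral: that server has no clue
                return "SERVFAIL", trail
            server = r["to"]
        elif r["kind"] == "answer" and r["rtype"] == "CNAME" and qtype != "CNAME":
            name = r["rdata"]
            # A correct resolver restarts from the hints. The buggy path keeps asking
            # the delegated server; a CNAME from its own zone is still followed
            # normally, which is why the rakhesh3 workaround in the post works.
            if restart_cname_from_hints or server == LOCAL:
                server = start_server(name)
        elif r["kind"] == "answer":
            cache[(name, qtype)] = r["rdata"]
            return r["rdata"], trail
        else:
            return "NXDOMAIN", trail
    return "SERVFAIL", trail

if __name__ == "__main__":
    for label, flag in (("2012R2-style", True), ("2016-style", False)):
        result, trail = resolve("rakhesh2.rockylabs.zero.", "A", flag)
        print(label, "->", result)
        for step in trail:
            print("   ", step)
```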

Until this is fixed one workaround would be to create a CNAME record directly in the internal DNS server to whatever the external DNS server points to. That is, don’t delegate to external – just create the same record internally too. Only for CNAME records; A is fine. Here’s an example of it working with a record called rakhesh3.rockylabs.zero where I simply made a CNAME on the internal 2016 DNS server. 

That’s all for now!

Refresher to myself StoreFront and Delivery Controller authentication

In a previous post I had written about the flow of communication between Citrix Storefront and Delivery Controllers during user authentication. Here’s some more based on a Citrix blog post I am reading. 

Here’s what I had written in my previous post:

There are a couple of steps that happen when a user logs in to access a Citrix solution. First, the StoreFront authenticates the user against AD. Or, if the user is accessing remotely, the NetScaler Gateway authenticates the user and passes the details on to the StoreFront. Then the StoreFront passes this information on to the Delivery Controller so the latter can return a list of resources the user has access to. The Delivery Controllers in turn authenticate the user against AD. The Delivery Controller then sends the list of resources the user has access to back to the StoreFront, which sends it on to the user’s Citrix Receiver or browser. This is when the user sees what is available to them and can select what they want.

When the user selects what they want, this information is passed on to the StoreFront, which then passes it to the Delivery Controller – who finds an appropriate host that can fulfil the request and sends that information back to the StoreFront.

Emphasis mine. The Storefront communicates with the Delivery Controller using the XML Service. 

Here’s a list of authentication methods supported by the Storefront. 

When the StoreFront passes the user’s authentication information to the Delivery Controller, it may or may not include the password too (sent in clear text within that communication). If “User name and password” or “Pass-through from NetScaler” is selected, the password is included. If “Domain pass-through” or “Smart card” is selected, it is not. The blog post doesn’t say anything about the remaining methods, but I think “SAML Authentication” (used for ADFS) will not include the password, while “HTTP Basic” will.

The StoreFront and Delivery Controller communicate twice (the two times I emphasized above). The first time is when the user authenticates and the StoreFront sends this information to the Delivery Controller to get a list of resources. The second time is when the user makes a selection and this information is passed on to the Delivery Controller so that an appropriate host can be selected. In both instances the password could be sent from the StoreFront to the Delivery Controller – which is why the XML Service traffic between the two should be on HTTPS rather than the default plain-HTTP port, so the clear-text password is at least protected on the wire.

A nice quote from Maigret “Night at the Crossroads”

On men. I liked it. Found it to be very insightful and true. 

I liked Michonnet. 

He didn’t want to protect me or kiss me, or own me. He just saw a scheme where he could make some money. 

Men aren’t usually that honest with themselves. Women are a fantasy, or a path to redemption, or a way they can escape their life. 

Maybe all men want to trap you in the end. And I was sick of that. 

Binge watching updates…

After a long time I spent the past two days (today & yesterday) doing nothing but binge watch. Family gone over to India for a few days, I am all by myself. Didn’t do any NSX or Citrix or study – simply plonked my feet up on the couch, hogged food, and watched TV. 

Legion

First up was Legion, which I had high expectations from coz it’s by Noah Hawley (of Fargo TV series fame). It was good but I wasn’t too impressed mainly coz I had high hopes I guess. Think I expected something like Fargo, while this was different. It’s visually stunning – the way the scenes are taken, the music, the performances – but wasn’t entirely my cup of tea. I know it’s a “me” thing so please don’t take this as a review/ comment on the show itself. I can’t even imagine what sort of a creative mind someone must have to imagine and execute the stuff on that show. It’s simply mind blowing!

I didn’t realize the lead character Dan Stevens was the same whose voice I knew from audiobooks. I had listened to him in the Agatha Christie audiobook “And Then There Were None”, loved his voice in that and searched for more audiobooks, found he’s also done Mary Shelley’s “Frankenstein” (downloaded, not listened to yet) and the first James Bond book “Casino Royale” in the celebrity recordings (loved that performance!). Only when Dan Stevens began talking with the British accent did I feel that hmm this sounds familiar and realize that I had heard his voice in Audible. 

Anyways. Nice show. Very well taken. Wasn’t entirely my cup of tea. (Like for instance, Stranger Things or The OA – which are of a similar mood and which I loved and associated with a lot more). 

11.22.63

Honestly, I thought this must be some horror show considering it’s Stephen King. Didn’t realize it was about time travelling and preventing the JFK assassination. It was wonderful! I loved this show. And James Franco was awesome. 

Interesting aside on James Franco – I am nowadays listening to his performance of “Slaughterhouse-Five” by Kurt Vonnegut. He’s great in that. It’s a great book and James Franco has done an amazing job of it. Interesting how that book also has time travelling and talk of how everything just is and we are all in amber and questions of cause & effect & why are just human limitations etc. And then I see 11.22.63 which touches on similar stuff, especially with the past pushing back etc. 

Also, the 60s set and simpler culture was a pleasure to watch. At the same time sad to see some of the stuff like the treatment of women and blacks. Every age has its pluses and minuses. :-/

Anyhoo. 11.22.63. Nice show. And loved James Franco!

Maigret’s Dead Man

Came across this by mistake. Checked it out coz it’s got Rowan Atkinson in it. Enjoyed it. Didn’t realize it’s actually the second episode of a reboot show. Got to watch the other episodes now. 

This show too is set in an older time. Was fun to see that. A very well taken movie/ episode over all. 

Maigret: Night at the Crossroads

Managed to watch this later on. This is the first episode in the second season. The previous one I had seen was the second episode in the first season. I haven’t managed to get hold of the first episode of the first season; and I believe there’s one more episode in this second season. 

Anyways. It was a good watch. I thoroughly enjoyed it. It also reminded me a lot of “Foyle’s War” – which is a show I had similarly enjoyed. Both shows have similar pacing and music. Slow procedural mysteries with a main detective and his subordinates. 

Maigret sets a trap

Hurray, managed to watch this one too! I actually saw this and “Night at the Crossroads” after “Split” but thought I’d put them together with the first Maigret episode I watched. 

Am surprised “Maigret sets a trap” was the first episode of the reboot. It’s very different from the rest. Maigret is under pressure, his superiors want him off the case coz they believe he is not delivering, Maigret is moody himself due to this and clutching at straws, even his subordinates are a bit unsure if Maigret can pull this one off. The case itself is a very odd one. No clues, no connections, and we the viewers are left in suspense till the end as to whether Maigret caught the wrong man. It’s all kind of flimsy after all. But no – Maigret did catch the right man, and it’s all explained very well actually. A different but very nice episode. Fitting, in a way, for me to have ended my binge watching with this one. This is the kind of episode I’d have put across as a season finale. 

Looking forward to the next episode!

Split

Ok so this one wasn’t how I expected it to be. I was expecting some psychological thriller or more focus on the personalities themselves. Totally didn’t expect The Beast to actually appear in the end! It’s sort of like how I never expected aliens in Shyamalan’s “Signs” and boom! they make an appearance. Great performances by James McAvoy and a well taken movie over all. 

Oh. And the “Unbreakable” reference in the end? Totally didn’t expect that. Ooooh. “Unbreakable” is one of my favorite Shyamalan movies (THE favorite movie I’d say). 

I have to stop thinking of Shyamalan as a director with a twist in the end. It’s all coz of “The Sixth Sense” and “Unbreakable” and “Signs”. Got to keep in mind that one can expect monsters and aliens and all that stuff. He is more into the horror thriller genre now. 

Miss Sloane

I started watching this movie thinking it would be action thriller like the Bourne movies or something. ;-) After I realized it was about lobbying and senate hearings and bill passing etc I had a good mind to stop watching … but for the character of Miss Sloane! Boy she was something. What a character. An odd, cold, personality … it was something! A great movie. More than that, a great character. And a good insight into the kind of stuff that happens as part of lobbying (most of which made no sense to me and was of no interest). 

That’s all for now!

Update:

The Dressmaker

Saw this the next day but thought I’d add it with the rest anyways. God, what a bore of a movie. The synopsis mentioned this being a revenge story or something, so I imagined something along the lines of “The Count of Monte Cristo”. There’s some revenge alright – towards the end – but it’s a drag until then with some nice moments interspersed here and there. The movie’s nearly 2 hours long. Think I could have done something way more useful with that time! Bleh. 

Hugo Weaving’s character was quite good by the way. Very different to his other roles. The story is good; the movie is good too, am sure, for others – just wasn’t my cup of tea. This is a revenge story with a lot of drama. I want a revenge story with a lot more action and speed.