feat: Add AD2 WinRM automation and modernize sync infrastructure

Comprehensive infrastructure improvements for AD2 (Domain Controller) remote
management and NAS sync system modernization.

## AD2 Remote Access Enhancements

**WinRM Configuration:**
- Enabled PowerShell Remoting (port 5985) with full logging
- Configured TrustedHosts for LAN/VPN access (172.16.*, 192.168.*, 10.*)
- Created read-only service account (ClaudeTools-ReadOnly) for safe automation
- Set up transcript logging for all remote sessions
- Deployed 6 automation scripts to C:\ClaudeTools\Scripts\ (AD user/computer
  reports, GPO status, replication health, log rotation)

**SSH Access:**
- Installed OpenSSH Server (v10.0p2)
- Generated ED25519 key for passwordless authentication
- Configured SSH key authentication for sysadmin account

**Benefits:**
- Efficient remote operations via persistent WinRM sessions (vs individual SSH commands)
- Secure read-only access for queries (no admin rights needed)
- Comprehensive audit trail of all remote operations

## Sync System Modernization (AD2 <-> NAS)

**Replaced PuTTY with OpenSSH:**
- Migrated from pscp.exe/plink.exe to native OpenSSH scp/ssh tools
- Added verbose logging (-v flag) for detailed error diagnostics
- Implemented auto host-key acceptance (StrictHostKeyChecking=accept-new)
- Enhanced error logging to capture actual SCP failure reasons

**Problem Solved:**
- Original sync errors (738 failures) had no root cause details
- PuTTY's batch mode silently failed without error messages
- New OpenSSH implementation logs full error output to sync-from-nas.log

**Scripts Created:**
- setup-openssh-sync.ps1: SSH key generation and NAS configuration
- check-openssh-client.ps1: Verify OpenSSH availability
- restore-and-fix-sync.ps1: Update Sync-FromNAS.ps1 to use OpenSSH
- investigate-sync-errors.ps1: Analyze sync failures with context
- test-winrm.ps1: WinRM connection testing (admin + service accounts)
- demo-ad2-automation.ps1: WinRM automation examples (AD stats, sync status)

## DOS Batch File Line Ending Fixes

**Problem:** All DOS batch files had Unix (LF) line endings instead of DOS (CRLF),
causing parsing errors on DOS 6.22 machines.

**Fixed:**
- Local: 13 batch files converted to CRLF
- Remote (AD2): 492 batch files scanned, 10 converted to CRLF
- Affected files: DEPLOY.BAT, NWTOC.BAT, CTONW.BAT, UPDATE.BAT, STAGE.BAT,
  CHECKUPD.BAT, REBOOT.BAT, and station-specific batch files

**Scripts Created:**
- check-dos-line-endings.ps1: Scan and detect LF vs CRLF
- convert-to-dos.ps1: Bulk conversion to DOS format
- fix-ad2-dos-files.ps1: Remote conversion via WinRM

## Credentials & Documentation Updates

**credentials.md additions:**
- Peaceful Spirit VPN configuration (L2TP/IPSec)
- AD2 WinRM/SSH access details (both admin and service accounts)
- SSH keys and known_hosts configuration
- Complete WinRM connection examples

**Files Modified:**
- credentials.md: +91 lines (VPN, AD2 automation access)
- CTONW.BAT, NWTOC.BAT, REBOOT.BAT, STAGE.BAT: Line ending fixes
- Infrastructure configs: vpn-connect.bat, vpn-disconnect.bat (CRLF)

## Test Results

**WinRM Automation (demo-ad2-automation.ps1):**
- Retrieved 178 AD users (156 enabled, 22 disabled, 40 active)
- Retrieved 67 AD computers (67 Windows, 6 servers, 53 active)
- Checked Dataforth sync status (2,249 files pushed, 738 errors logged)
- All operations completed in single remote session (efficient!)

**Sync System:**
- OpenSSH tools confirmed available on AD2
- Backup created: Sync-FromNAS.ps1.backup-20260119-140918
- Script updated with error logging and verbose output
- Next sync run will reveal actual error causes

## Technical Decisions

1. **WinRM over SSH:** More efficient for PowerShell operations, better error
   handling, native Windows integration
2. **Service Account:** Follows least-privilege principle, safer for automated
   queries, easier audit trail
3. **OpenSSH over PuTTY:** Modern, maintained, native Windows tool, better error
   reporting, supports key authentication without external tools
4. **Verbose Logging:** Critical for debugging 738 sync errors - now we'll see
   actual SCP failure reasons (permissions, paths, network issues)

## Next Steps

1. Monitor next sync run (every 15 minutes) for detailed error messages
2. Analyze SCP error output to identify root cause of 738 failures
3. Implement SSH key authentication for NAS (passwordless)
4. Consider SFTP batch mode for more reliable transfers

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
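The OpenSSH replacement for the silent pscp.exe batch-mode transfers described in the sync section above, as an added PowerShell example; it is not the repository's Sync-FromNAS.ps1 or restore-and-fix-sync.ps1, and the NAS host, user, key path and log path are placeholders.

```powershell
# Added example (not the repository's Sync-FromNAS.ps1): wrap the native OpenSSH
# scp.exe so that every failure reason reaches sync-from-nas.log, instead of the
# silent batch-mode failures the commit describes for pscp.exe.
# $NasHost, $NasUser, $KeyPath and $LogPath are hypothetical placeholder values.
$NasHost = "nas.example.internal"                    # placeholder, not the real NAS
$NasUser = "syncuser"                                # placeholder account
$KeyPath = "C:\ClaudeTools\keys\nas_sync_ed25519"    # placeholder key path
$LogPath = "C:\ClaudeTools\Logs\sync-from-nas.log"   # log name used by the commit

function Copy-FromNas {
    param(
        [Parameter(Mandatory)] [string] $RemotePath,
        [Parameter(Mandatory)] [string] $LocalPath
    )
    # accept-new: trust a host key the first time it is seen, but refuse to
    # connect if a previously recorded key has changed (unlike "no", which
    # would also accept a changed key and defeat man-in-the-middle detection).
    # BatchMode=yes: never fall back to an interactive password prompt, so a
    # missing or wrong key fails fast with an error instead of hanging the job.
    $scpArgs = @(
        "-v",
        "-i", $KeyPath,
        "-o", "BatchMode=yes",
        "-o", "StrictHostKeyChecking=accept-new",
        "-o", "ConnectTimeout=15",
        "${NasUser}@${NasHost}:${RemotePath}",
        $LocalPath
    )
    # Merge stderr into stdout (2>&1): scp -v writes its diagnostics to stderr,
    # which is exactly the output that pscp batch mode dropped.
    $output = & scp.exe @scpArgs 2>&1
    $exit = $LASTEXITCODE
    $stamp = Get-Date -Format "yyyy-MM-dd HH:mm:ss"
    if ($exit -ne 0) {
        # The full -v trace is long, so log the lines that explain the failure
        # (permissions, paths, network, host key) or, failing that, the tail.
        $reason = $output | Where-Object { $_ -match 'Permission denied|No such file|Connection (timed out|refused)|Host key verification failed|REMOTE HOST IDENTIFICATION HAS CHANGED' }
        if (-not $reason) { $reason = $output | Select-Object -Last 5 }
        Add-Content -Path $LogPath -Value "$stamp ERROR scp exit=$exit $RemotePath -> $LocalPath"
        $reason | ForEach-Object { Add-Content -Path $LogPath -Value "$stamp   $_" }
    } else {
        Add-Content -Path $LogPath -Value "$stamp OK $RemotePath -> $LocalPath"
    }
    return $exit
}

# Usage (placeholder paths): Copy-FromNas -RemotePath "/volume1/share/file.txt" -LocalPath "C:\Sync\file.txt"
```

A non-zero return value is the signal to retry or alert on; the logged reason lines are what the 738 previously opaque failures were missing.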
2026-01-19 14:28:24 -07:00
parent 3faf09c111
commit ba2ed379f8
29 changed files with 2864 additions and 17 deletions

VPN_QUICK_SETUP.md Normal file

@@ -0,0 +1,386 @@
# Peaceful Spirit VPN - Quick Setup Guide
## One-Liner Setup (Run as Administrator)
### Basic VPN Connection with Split Tunneling
```powershell
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType L2tp -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -AuthenticationMethod MsChapv2 -EncryptionLevel Required -AllUserConnection -RememberCredential -SplitTunneling $true
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection
```
### Complete Setup with Saved Credentials
```powershell
# Create connection with split tunneling
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "98.190.129.150" -TunnelType L2tp -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -AuthenticationMethod MsChapv2 -EncryptionLevel Required -AllUserConnection -RememberCredential -SplitTunneling $true
# Add route for CC network (192.168.0.0/24)
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection
# Configure DNS
Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2"
# Save credentials
rasdial "Peaceful Spirit VPN" "pst-admin" "24Hearts$"
rasdial "Peaceful Spirit VPN" /disconnect
# Enable pre-logon access
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord
```
---
## Full Script Method
**Setup-PeacefulSpiritVPN.ps1** - Ready-to-run with actual credentials:
```powershell
.\Setup-PeacefulSpiritVPN.ps1
```
**Create-PeacefulSpiritVPN.ps1** - Interactive with parameters:
```powershell
# Interactive (prompts for all details)
.\Create-PeacefulSpiritVPN.ps1
# With parameters
.\Create-PeacefulSpiritVPN.ps1 -VpnServer "98.190.129.150" -Username "pst-admin" -Password "24Hearts$" -L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" -RemoteNetwork "192.168.0.0/24" -DnsServer "192.168.0.2"
```
---
## Tunnel Types
| Type | Description | When to Use |
|------|-------------|-------------|
| **L2tp** | L2TP/IPSec with Pre-Shared Key | Most common, secure, requires PSK |
| **Pptp** | Point-to-Point Tunneling | Legacy, less secure, simple setup |
| **Sstp** | Secure Socket Tunneling | Windows-only, uses HTTPS |
| **IKEv2** | Internet Key Exchange v2 | Mobile devices, auto-reconnect |
| **Automatic** | Let Windows choose | Use if unsure |
---
## Split Tunneling and Routes
**Split tunneling** routes only specific traffic through the VPN, while other traffic uses your local internet connection.
### Enable Split Tunneling
```powershell
# Add -SplitTunneling $true when creating connection
Add-VpnConnection `
-Name "Peaceful Spirit VPN" `
-ServerAddress "98.190.129.150" `
-TunnelType L2tp `
-L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" `
-AuthenticationMethod MsChapv2 `
-EncryptionLevel Required `
-SplitTunneling $true `
-AllUserConnection `
-RememberCredential
```
### Add Route for Specific Network
```powershell
# Route traffic for 192.168.0.0/24 through VPN
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection
```
### Configure DNS for VPN
```powershell
# Set DNS server for VPN interface
Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2"
```
### Peaceful Spirit CC Network Configuration
**UniFi Router at Country Club:**
- Remote Network: 192.168.0.0/24
- DNS Server: 192.168.0.2
- Gateway: 192.168.0.10
**Traffic Flow with Split Tunneling:**
- Traffic to 192.168.0.0/24 → VPN tunnel
- All other traffic (internet, etc.) → Local connection
### View Routes
```powershell
# View all routes for VPN connection
Get-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -AllUserConnection
# View routing table
route print
```
### Remove Route
```powershell
# Remove specific route
Remove-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection
```
---
## Manual Commands
### Create VPN Connection
```powershell
Add-VpnConnection `
-Name "Peaceful Spirit VPN" `
-ServerAddress "98.190.129.150" `
-TunnelType L2tp `
-L2tpPsk "z5zkNBds2V9eIkdey09Zm6Khil3DAZs8" `
-AuthenticationMethod MsChapv2 `
-EncryptionLevel Required `
-AllUserConnection `
-RememberCredential `
-SplitTunneling $true
```
### Add Route and DNS
```powershell
# Add route for CC network
Add-VpnConnectionRoute -ConnectionName "Peaceful Spirit VPN" -DestinationPrefix "192.168.0.0/24" -AllUserConnection
# Configure DNS
Set-DnsClientServerAddress -InterfaceAlias "Peaceful Spirit VPN" -ServerAddresses "192.168.0.2"
```
### Save Credentials for Pre-Login
```powershell
# Method 1: Using rasdial (simple)
rasdial "Peaceful Spirit VPN" "username" "password"
rasdial "Peaceful Spirit VPN" /disconnect
# Method 2: Using Set-VpnConnectionProxy
Set-VpnConnectionProxy -Name "Peaceful Spirit VPN" -AllUserConnection
```
### Enable Pre-Login VPN (Registry)
```powershell
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord
```
### Verify Connection
```powershell
# List all VPN connections
Get-VpnConnection -AllUserConnection
# Check specific connection
Get-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection
# Test connection
rasdial "Peaceful Spirit VPN"
# Check connection status
Get-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection | Select-Object Name, ConnectionStatus
```
---
## Connection Management
### Connect to VPN
```powershell
# PowerShell
rasdial "Peaceful Spirit VPN"
# With credentials
rasdial "Peaceful Spirit VPN" "username" "password"
# Using cmdlet
(Get-VpnConnection -Name "Peaceful Spirit VPN").Connect()
```
### Disconnect from VPN
```powershell
# PowerShell
rasdial "Peaceful Spirit VPN" /disconnect
# All connections
rasdial /disconnect
```
### Check Status
```powershell
# Current status
Get-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection | Select-Object Name, ConnectionStatus, ServerAddress
# Detailed info
Get-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection | Format-List *
```
### Remove Connection
```powershell
Remove-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection -Force
```
---
## Pre-Login Access Setup
### Requirements
1. VPN must be created with `-AllUserConnection` flag
2. Credentials must be saved at system level
3. Registry setting must be enabled
4. User must be able to see network icon at login screen
### Steps
```powershell
# 1. Create connection (all-user)
Add-VpnConnection -Name "Peaceful Spirit VPN" -ServerAddress "vpn.server.com" -TunnelType L2tp -L2tpPsk "PSK" -AllUserConnection -RememberCredential
# 2. Save credentials
rasdial "Peaceful Spirit VPN" "username" "password"
rasdial "Peaceful Spirit VPN" /disconnect
# 3. Enable pre-logon
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord
# 4. Modify rasphone.pbk (if needed)
$pbk = "$env:ProgramData\Microsoft\Network\Connections\Pbk\rasphone.pbk"
(Get-Content $pbk) -replace "UseRasCredentials=0", "UseRasCredentials=1" | Set-Content $pbk
```
### Verify Pre-Login Access
1. Lock computer (Win+L)
2. Click network icon (bottom right)
3. VPN connection should be visible
4. Click "Connect" - should connect without prompting for credentials
---
## Troubleshooting
### VPN Not Appearing at Login Screen
```powershell
# Verify it's an all-user connection
Get-VpnConnection -AllUserConnection
# Check registry setting
Get-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials"
# Re-enable if needed
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" -Name "UseRasCredentials" -Value 1 -Type DWord
```
### Credentials Not Saved
```powershell
# Save credentials again
rasdial "Peaceful Spirit VPN" "username" "password"
rasdial "Peaceful Spirit VPN" /disconnect
# Check connection settings
Get-VpnConnection -Name "Peaceful Spirit VPN" -AllUserConnection | Format-List *
```
### Connection Fails
```powershell
# Check server reachability
Test-NetConnection -ComputerName "vpn.server.com" -Port 1723 # For PPTP
Test-NetConnection -ComputerName "vpn.server.com" -Port 500 # For L2TP/IPSec
Test-NetConnection -ComputerName "vpn.server.com" -Port 443 # For SSTP
# Check Windows Event Log
Get-WinEvent -LogName "Microsoft-Windows-RemoteAccess/Operational" -MaxEvents 20
```
### L2TP/IPSec Issues
```powershell
# Enable L2TP behind NAT (if VPN server is behind NAT)
Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\PolicyAgent" -Name "AssumeUDPEncapsulationContextOnSendRule" -Value 2 -Type DWord
# Restart IPsec service
Restart-Service PolicyAgent
```
---
## Security Best Practices
### Use Strong Pre-Shared Keys
```powershell
# Generate random PSK (32 characters)
-join ((48..57) + (65..90) + (97..122) | Get-Random -Count 32 | ForEach-Object {[char]$_})
```
### Use Certificate Authentication (if available)
```powershell
Add-VpnConnection `
-Name "Peaceful Spirit VPN" `
-ServerAddress "vpn.server.com" `
-TunnelType L2tp `
-AuthenticationMethod MachineCertificate `
-EncryptionLevel Required `
-AllUserConnection
```
### Disable Split Tunneling (force all traffic through VPN)
```powershell
Set-VpnConnection -Name "Peaceful Spirit VPN" -SplitTunneling $false -AllUserConnection
```
---
## Batch Deployment
### Create VPN on Multiple Machines
```powershell
# Save as Create-VPN.ps1
$computers = @("PC1", "PC2", "PC3")
$vpnConfig = @{
Name = "Peaceful Spirit VPN"
ServerAddress = "vpn.peacefulspirit.com"
TunnelType = "L2tp"
L2tpPsk = "YourPreSharedKey"
Username = "vpnuser"
Password = "VpnPassword123"
}
foreach ($computer in $computers) {
Invoke-Command -ComputerName $computer -ScriptBlock {
param($config)
# Create connection
Add-VpnConnection -Name $config.Name -ServerAddress $config.ServerAddress `
-TunnelType $config.TunnelType -L2tpPsk $config.L2tpPsk `
-AuthenticationMethod Pap -EncryptionLevel Required `
-AllUserConnection -RememberCredential
# Save credentials
rasdial $config.Name $config.Username $config.Password
rasdial $config.Name /disconnect
# Enable pre-login
Set-ItemProperty -Path "HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon" `
-Name "UseRasCredentials" -Value 1 -Type DWord
} -ArgumentList $vpnConfig
}
```
---
## Quick Reference Card
```
CREATE: Add-VpnConnection -Name "Name" -ServerAddress "server" -AllUserConnection
CONNECT: rasdial "Name"
DISCONNECT: rasdial "Name" /disconnect
STATUS: Get-VpnConnection -Name "Name" -AllUserConnection
REMOVE: Remove-VpnConnection -Name "Name" -AllUserConnection -Force
PRE-LOGIN: Set-ItemProperty -Path "HKLM:\...\Winlogon" -Name "UseRasCredentials" -Value 1
SAVE CREDS: rasdial "Name" "user" "pass" && rasdial "Name" /disconnect
```
---
## Common VPN Server Addresses
- **Peaceful Spirit Production:** vpn.peacefulspirit.com
- **By IP:** 192.168.x.x (if internal)
- **Azure VPN Gateway:** xyz.vpn.azure.com
- **AWS VPN:** ec2-xx-xx-xx-xx.compute.amazonaws.com
---
**Last Updated:** 2026-01-19
**Tested On:** Windows 10, Windows 11, Windows Server 2019/2022
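Review bot: Live credentials are committed in this file: the one-liner, "Complete Setup with Saved Credentials" and the Create-PeacefulSpiritVPN.ps1 parameter example all carry the real L2TP PSK `z5zkNBds2V9eIkdey09Zm6Khil3DAZs8`, the pst-admin password `24Hearts$` and the public server address, so anyone with read access to the repository (or its history) can join the VPN. Replace them with placeholders the way the "Pre-Login Access Setup" steps already do (`-ServerAddress "vpn.server.com"`, `-L2tpPsk "PSK"`), keep the real values in the credential store, and rotate the PSK and password since they are already in git history. The same applies to the Batch Deployment block, which embeds `Username = "vpnuser"` and `Password = "VpnPassword123"` and also switches to `-AuthenticationMethod Pap` while every other example uses MsChapv2; it should use MsChapv2 too. In "Save Credentials for Pre-Login", Method 2 is wrong: `Set-VpnConnectionProxy -Name "Peaceful Spirit VPN" -AllUserConnection` configures the connection's proxy settings and stores no credentials, so drop it or replace it with the rasdial method. In "Connection Fails", `Test-NetConnection ... -Port 500` tests TCP, but IKE for L2TP/IPsec uses UDP 500 and 4500, so that line cannot tell whether the server is reachable; the 1723 (PPTP) and 443 (SSTP) TCP checks are fine. Finally, the "Generate random PSK" snippet relies on Get-Random, which is not a cryptographically secure generator, and `Get-Random -Count 32` selects 32 distinct characters from the 62-character set, further reducing the keyspace; generate the PSK from `[System.Security.Cryptography.RandomNumberGenerator]` instead.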