Updates from March, 2013

  • duncanbowring 17:56 on March 27, 2013
    Tags: ip4 to ip6, ipv4 to ipv6, port forward, port redirection, portproxy, proxy ports windows, server 2008 r2, windows port redirection, xinetd

    Port forward/proxy/redirect – Windows – Just like Xinetd. 

    So, if you need to forward a port to a different host with Windows, you're in luck. Whilst you don't have xinetd, you don't need a third-party tool or service either: netsh has a built-in port proxy.

    SYSTEM A – 10.0.0.10

    SYSTEM B – 192.168.0.10

    SYSTEM C – 172.16.0.10

    If SYSTEM A cannot route directly to SYSTEM C but needs to reach a service running on 25/tcp on SYSTEM C, and both of them can reach SYSTEM B, you can use portproxy on SYSTEM B to relay the connection: SYSTEM A connects to SYSTEM B on port 25, and SYSTEM B opens a second TCP connection to SYSTEM C on its behalf, so SYSTEM A uses the same service by hitting SYSTEM B.

    At an elevated command prompt on SYSTEM B, type:

    netsh interface portproxy add v4tov4 listenport=25 connectaddress=172.16.0.10 connectport=25 protocol=tcp

    (or enter netsh, then interface portproxy, then the add command, if you prefer the interactive shell). Without listenaddress= the listener binds to every IPv4 address on SYSTEM B; add listenaddress=192.168.0.10 if it should only answer on that interface. Only TCP is proxied, so protocol=tcp is the only valid value. Confirm the rule with netsh interface portproxy show all. Two things netsh does not do for you: Windows Firewall still has to allow inbound 25/tcp on SYSTEM B, and the IP Helper service (iphlpsvc) must be running, because it is what actually implements the proxy.

    This means that when you now hit 192.168.0.10 on port 25, you are talking to SYSTEM C's socket. Simple port proxying or forwarding. Because it is a TCP relay rather than NAT, SYSTEM C sees the connection coming from SYSTEM B's address, which is worth remembering when you read its logs.

    You can also do this from IPv4 to IPv6 (v4tov6), IPv6 to IPv4 (v6tov4) or IPv6 to IPv6 (v6tov6).
    Best of all, connectaddress accepts DNS names.. !!

    Rules are stored under HKLM\SYSTEM\CurrentControlSet\Services\PortProxy and survive a reboot, so a startup script via a Group Policy object is simply a convenient way to push the rule to the right machines; do that and you've got your own cross-network router for specific ports. The same key, or netsh interface portproxy show all, is also the place to look on any box you are auditing: attackers use portproxy as a pivot and persistence mechanism for exactly the reason it is handy for you.

    Port Proxy documentation at Microsoft:

    http://technet.microsoft.com/en-us/library/cc776297%28WS.10%29.aspx
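    The SYSTEM B setup as a script, added here as an example that is not part of the original post. It wraps the netsh command in a function that also handles the two things netsh leaves to you (the IP Helper service and the firewall rule), and reads the configured relays back from the registry key netsh writes to, which is the same key to inspect when auditing a host. Addresses are the post's; the firewall rule name is an assumption.

```powershell
# Added example, not from the original post. Adds a v4tov4 TCP portproxy rule on the local
# machine, makes sure the IP Helper service is running, opens the listen port in the firewall,
# and lists the rules netsh has stored in the registry.

function Add-PortProxyRule {
    param(
        [Parameter(Mandatory = $true)][int]$ListenPort,
        [Parameter(Mandatory = $true)][string]$ConnectAddress,   # IP address or DNS name
        [int]$ConnectPort = $ListenPort,
        [string]$ListenAddress = '*'                               # '*' = every IPv4 address on the box
    )
    # portproxy is implemented inside the IP Helper service: a rule does nothing while it is stopped.
    $svc = Get-WmiObject Win32_Service -Filter "Name='iphlpsvc'"
    if ($svc.StartMode -ne 'Auto') { Set-Service -Name iphlpsvc -StartupType Automatic }
    if ($svc.State -ne 'Running') { Start-Service -Name iphlpsvc }

    $netshArgs = @('interface', 'portproxy', 'add', 'v4tov4', "listenport=$ListenPort")
    if ($ListenAddress -ne '*') { $netshArgs += "listenaddress=$ListenAddress" }
    $netshArgs += "connectaddress=$ConnectAddress", "connectport=$ConnectPort", 'protocol=tcp'
    & netsh $netshArgs | Out-Null
    if ($LASTEXITCODE -ne 0) { throw "netsh portproxy add failed with exit code $LASTEXITCODE" }

    # The listener is an ordinary socket, so the host firewall must let it in; scope the rule to the port.
    & netsh advfirewall firewall add rule "name=portproxy $ListenPort/tcp" dir=in action=allow `
        protocol=TCP "localport=$ListenPort" | Out-Null
}

function Get-PortProxyRule {
    # netsh stores each v4tov4 TCP rule as a value named "<listenaddr>/<listenport>" whose data
    # is "<connectaddr>/<connectport>". Entries here that nobody can explain are a classic pivot sign.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\PortProxy\v4tov4\tcp'
    if (-not (Test-Path $key)) { return @() }
    $item = Get-Item -Path $key
    foreach ($name in $item.GetValueNames()) {
        $listen  = $name.Split('/')
        $connect = ([string]$item.GetValue($name)).Split('/')
        New-Object PSObject -Property @{
            ListenAddress  = $listen[0]
            ListenPort     = [int]$listen[1]
            ConnectAddress = $connect[0]
            ConnectPort    = [int]$connect[1]
        }
    }
}

# SYSTEM B from the post: accept 25/tcp on its own address and hand the connection to SYSTEM C.
Add-PortProxyRule -ListenPort 25 -ListenAddress '192.168.0.10' -ConnectAddress '172.16.0.10'
Get-PortProxyRule | Format-Table -AutoSize
# Undo later with: netsh interface portproxy delete v4tov4 listenport=25 listenaddress=192.168.0.10
```

    Run it in an elevated PowerShell on SYSTEM B. Get-PortProxyRule is the part worth keeping on its own: dropped onto any server, it shows every relay configured on the box, whether you put it there or not.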

  • duncanbowring 17:39 on January 17, 2013
    Tags: 82579V, Asus Rampage, Intel 82579V 2008 R2, Rampage IV Extreme, Windows server on X79

    How To: Intel 82579V Gigabit Network Connection – Windows Server 2008 R2 

    Clearly Intel doesn’t want us to install server OS onto desktop motherboards nowadays.

    Look at your driver CD. Navigate to the PRO1000 folder; depending on whether you have 32bit or 64bit OS, you will then want either Win32 or Winx64 (not Win64 which is for Itanium).
    The choice for the next folder will depend on your OS; NDIS5x is Server2003 or XP, NDIS61 is Server2008 or Vista, NDIS62 is Server2008R2 or 7, I presume NDIS63 is for Windows 8, Server 2012.

    Copy the correct folder to your desktop.

    In either case once you have chosen the correct folder you need to find the .inf starting e1c ; so for Server 2008 R2 64bit it will be called e1c62x64.inf. Ensure you are doing this on the copy that now exists on your desktop.

    Open the file in notepad;

    ;******************************************************************************
    ; e1c62x64.INF (Intel 64-bit extension Platform Only,
    ; Windows 7 64-bit extension and Windows Server 2008 R2 64-bit extension)
    ;
    ; Intel(R) Gigabit Network connections
    ;******************************************************************************
    ;
    [Version]
    Signature = "$Windows NT$"
    Class = Net
    ClassGUID = {4d36e972-e325-11ce-bfc1-08002be10318}
    Provider = %Intel%
    CatalogFile = e1c62x64.cat
    DriverVer = 06/21/2012,11.16.96.0
    [Manufacturer]
    %Intel% = Intel, NTamd64.6.1, NTamd64.6.1.1, NTamd64.6.2
    [ControlFlags]
    ExcludeFromSelect = \ 
     PCI\VEN_8086&DEV_1502,\ 
     PCI\VEN_8086&DEV_1503
    [Intel]
    [Intel.NTamd64.6.1.1]
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502.6.1.1, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025
    [Intel.NTamd64.6.1]
    ; DisplayName Section DeviceID
    ; ----------- ------- --------
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00011179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_00021179
    %E1502NC.DeviceDesc% = E1502, PCI\VEN_8086&DEV_1502&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00011179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_00021179
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_80001025
    %E1503NC.DeviceDesc% = E1503.6.1.1, PCI\VEN_8086&DEV_1503&SUBSYS_04911025


    If you look in [ControlFlags], you see that there are two device IDs listed: DEV_1502 and DEV_1503.
    Go back to the new computer you built (with no NIC driver installed :) ). In Device Manager you should see the Ethernet adapter listed as an unknown device. Go into its Properties, then Details, then Hardware Ids; you should see that the device is DEV_1503. Great.

    Back in the notepad file, look at the second section within [Intel]: as shipped, there is nothing listed for DEV_1503 under [Intel.NTamd64.6.1], even though every other section provides for the chip. That is not an accident. The third number in [Intel.NTamd64.6.1.1] is the product type (1 = workstation), so that section only ever matches Windows 7, while Server 2008 R2 falls through to the plain [Intel.NTamd64.6.1] section, which is exactly the one missing DEV_1503. Sneaky Intel, sneaky.

    Anyway, copy and paste the DEV_1503 lines from the [Intel.NTamd64.6.1.1] section into the [Intel.NTamd64.6.1] section, so it ends up like the listing above (which already shows the lines added). Save the file. Because the edited INF no longer matches the e1c62x64.cat catalog, Windows will warn that it cannot verify the publisher of the driver; you have only changed which hardware IDs the INF claims, not the signed driver binaries, so accept that prompt only for a copy you edited yourself.

    Go back to the other computer that still has Device Manager open (it might be the same computer..), click Driver -> Update Driver, then manually select the desktop location of the NDIS62 directory you copied and edited.

    The driver should install successfully. Hit me up if your mileage varies.
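    The same two steps scripted, as an added example that is not part of the original post: list the hardware IDs of devices that have no driver (what the post has you read out of Device Manager), then perform the INF edit on the desktop copy by appending every [Intel.NTamd64.6.1.1] line that binds DEV_1503 to the [Intel.NTamd64.6.1] section. The INF path is an assumption; the section names and device ID come from the post.

```powershell
# Added example, not from the original post. Intel's INF is plain ASCII, so Get-Content and
# Set-Content round-trip it with their default encoding.

function Get-DriverlessHardwareIds {
    # ConfigManagerErrorCode 28 = "The drivers for this device are not installed".
    Get-WmiObject Win32_PnPEntity -Filter 'ConfigManagerErrorCode = 28' |
        Select-Object Name, @{ n = 'HardwareIDs'; e = { $_.HardwareID -join ' ' } }
}

function Get-InfSectionRange {
    # Start/End line indexes of [$Name] in $Lines (header line included), or $null if absent.
    param([string[]]$Lines, [string]$Name)
    $start = -1
    for ($i = 0; $i -lt $Lines.Count; $i++) {
        $t = $Lines[$i].Trim()
        if ($start -lt 0) {
            if ($t -ieq "[$Name]") { $start = $i }
        } elseif ($t -match '^\[.+\]$') {
            return @{ Start = $start; End = $i - 1 }
        }
    }
    if ($start -ge 0) { return @{ Start = $start; End = $Lines.Count - 1 } }
    return $null
}

function Add-InfDeviceToSection {
    param(
        [Parameter(Mandatory = $true)][string]$InfPath,
        [string]$DeviceId    = 'DEV_1503',
        [string]$FromSection = 'Intel.NTamd64.6.1.1',
        [string]$ToSection   = 'Intel.NTamd64.6.1'
    )
    $lines = @(Get-Content -Path $InfPath)
    $from = Get-InfSectionRange -Lines $lines -Name $FromSection
    $to   = Get-InfSectionRange -Lines $lines -Name $ToSection
    if (-not $from -or -not $to) { throw "Expected sections not found in $InfPath" }

    # Only the Models lines that name this device; [ControlFlags] is outside both ranges.
    $pattern    = 'PCI\\VEN_8086&' + [regex]::Escape($DeviceId) + '(&|\s*$)'
    $candidates = $lines[($from.Start)..($from.End)] | Where-Object { $_ -match $pattern }
    $existing   = $lines[($to.Start)..($to.End)]
    $new = @($candidates | Where-Object { $existing -notcontains $_ })
    if ($new.Count -eq 0) { return @() }

    # Insert after the last non-blank line of the target section and write the copy back.
    $at = $to.End
    while ($at -gt $to.Start -and $lines[$at].Trim() -eq '') { $at-- }
    $out = $lines[0..$at] + $new
    if ($at -lt $lines.Count - 1) { $out += $lines[($at + 1)..($lines.Count - 1)] }
    Set-Content -Path $InfPath -Value $out
    return $new
}

Get-DriverlessHardwareIds | Format-Table -AutoSize
Add-InfDeviceToSection -InfPath "$env:USERPROFILE\Desktop\NDIS62\e1c62x64.inf"
```

    Add-InfDeviceToSection returns the lines it added, so you can see at a glance what changed before pointing Update Driver at the folder. It never touches the original on the driver CD, only the copy whose path you pass in.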

     
  • duncanbowring 14:27 on August 8, 2012
    Tags: 2008 R2, Microsoft DNS, MSDNS, Windows Server

    DNS and Subnet Prioritization & DNS Round Robin

    If you have any subnets other than a Class C (/24) in the environment, subnet prioritization may not work as expected, because the DNS server assumes a /24 when it decides which addresses are "local" to the querying client. There is a separate section below explaining this in detail, and how to set a DNS server to take the real mask into account, which of course must be done on all DNS servers in the environment.

    DNS and Subnet Prioritization & DNS Round Robin – Which One Supersedes?

    This is a question that comes up from time to time. The following explains how the two features interact, so you know what is at play.

    Preface on Subnet Prioritization and Round Robin:

    Subnet prioritization (netmask ordering) is on by default; no other action is required. If you have multiple identical A records, round robin is also on by default and rotates them.

    If round robin is not needed, disable it to get the full effect of subnet prioritization; otherwise the rotation still applies.

    In scenarios involving ISA Enterprise, because ISA Enterprise is AD-enabled, you can publish the ISA records in AD, and if AD Sites are configured the client's site is used first by the AD client-side extension, disregarding round robin and subnet prioritization, unless there are multiple records in each AD Site.

    Some have asked whether an ISA Array will work. You can configure an ISA Array with multiple ISA Enterprise servers that share their web cache, but this does not help subnet prioritization or round robin, since the Array is treated as a single logical entity and published as such.

    Nslookup is a good tool to test round robin and gives a response based purely on DNS, so its results are as expected in a non-AD-Site scenario; it cannot test AD Site-aware responses.

    You can also create an IE GPO for each Site that states the proxy address clients in that Site should use.

    Subnet Prioritization and Round Robin Logic:

    Keep in mind that subnet prioritization and round robin work hand in hand, though not necessarily so if an AD Site-aware service is querying (such as the client-side GetDcList function). If there is more than one record in the same subnet as the client, round robin, which the DNS server performs, rotates among them.

    If there is more than one record, DNS re-orders the response so that an IP in the client's subnet comes first.

    However, if both round robin and subnet prioritization are enabled, the records are still rotated. On Windows Server 2003 and later the server applies netmask ordering first and round-robins only among records of equal priority (the KB 842197 article linked further down describes this), so "round robin wins" in the sense that you never get a fixed order back.

    If you do not want this default behaviour, that is you want pure subnet prioritization and AD Sites are not involved, you need to disable round robin; otherwise, with both enabled, the server keeps rotating among the A records. Test what happens with round robin disabled if you have several separate subnets and want a client to be answered with the address closest to its own subnet.

    The following passage on the specific logic was quoted from:
    Configuring Subnet Prioritization
    http://technet.microsoft.com/en-us/library/cc961422.aspx

    [Begin Quote]
    ============

    • If Enable round robin is selected (the default) and the value of LocalNetPriority is 1:
    • The server rotates among the A resource records that it returns in the order of their similarity to the IP address of the querying client.
    • If Enable round robin is deselected and the value of LocalNetPriority is 1:
    • The server returns the records in local net priority order. It does not rotate among available addresses.
    • If Enable round robin is selected and the value of LocalNetPriority is 0 (the default):
    • The server rotates among the available records in the order in which the records were added to the database.
    • If Enable round robin is deselected and the value of LocalNetPriority is 0 (the default):
    • The server returns the records in the order in which they were added to the database. The server does not attempt to sort them or rotate the records it returns.

    ============
    [/End Quote]

    Subnet Priortization and Round Robin Example:

    The following example was quoted from:
    Configuring IP Addressing and Name Resolution
    http://technet.microsoft.com/en-us/library/bb457118.aspx

    [Begin Quote]
    ===
    For example, suppose there are three Web servers that all host the Web page for www.reskit.com and they are all located on different subnets. The DNS name server for the network contains the following resource records:

    www.reskit.com.    IN    A    172.16.64.11
    www.reskit.com.    IN    A    172.17.64.22
    www.reskit.com.    IN    A    172.18.64.33

    When a Windows XP Professional-based computer's DNS resolver (client) receives a response to the query for the A record of www.reskit.com, it returns A records in order, starting with the IP addresses from subnets to which the computer is directly connected.

    For example, if a computer with the IP address 172.17.64.93 is queried for www.reskit.com, the resolver returns the resource records in the following order:

    www.reskit.com.    IN    A    172.17.64.22
    www.reskit.com.    IN    A    172.16.64.11
    www.reskit.com.    IN    A    172.18.64.33

    Subnet prioritization prevents the resolver from choosing the first IP address returned in the DNS query and using the DNS server's round robin feature (defined in RFC 1794.) With round robin enabled, the server rotates the order of resource records returned when multiple A resource records exist for a queried DNS domain name.

    Thus, in the example described earlier, if a user queried for www.reskit.com, the name server replies to the first client request by ordering the addresses as follows:

    172.16.64.11
    172.17.64.22
    172.18.64.33

    It replies to the second client request by ordering the addresses as follows:

    172.17.64.22
    172.18.64.33
    172.16.64.11

    It replies to the third client request by ordering the addresses as follows:

    172.18.64.33
    172.16.64.11
    172.17.64.22

    With round robin enabled, if clients are configured to use the first IP address in the list that they receive, different clients will use different IP addresses, thus balancing the load among multiple network resources with the same name. However, if the resolvers are configured for subnet prioritization, the resolvers reorder the list to favor IP addresses from networks to which they are directly connected, reducing the effectiveness of the round robin feature.

    Although subnet prioritization does reduce network traffic across subnets, in some cases you might prefer to have the round robin feature work as described in RFC 1794. If so, you can disable the subnet prioritization feature on your clients by adding the registry entry PrioritizeRecordData with a value of 0 (REG_DWORD data type) in the following registry subkey:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\DnsCache\Parameters

    […]
    ===========
    [/End Quote]

    Windows 2003 and Newer Operating Systems: the Subnet Prioritization Feature Defaults to a Class C Subnet

    Yep, that's correct. Windows Server 2003 and newer DNS servers assume a Class C (/24) subnet by default when deciding which records are "local" to the querying client. If the environment uses anything other than /24 subnets, every DNS server must be configured with the mask actually in use.

    The process involves a little binary math. The value you configure describes the host part of the mask (a wildcard mask: host bits set to 1, network bits set to 0); if it does not match the subnetting in the environment, DNS will not reorder answers correctly and tests of the feature will give unexpected results.

    This is done with the DNSCMD command.

    For example, the default for a 255.255.255.0 subnet is set with:
    Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF

    For anything other than a Class C, alter the /LocalNetPriorityNetMask value to match the environment's subnet.

    The value is hex. The last two digits of the Class C value ("0x000000FF") are "FF", which is 1111 1111 in binary: eight 1 bits, one for each host bit of a /24. In other words the value is the bitwise inverse of the subnet mask, the opposite of what some expect when they look at a mask in binary.

    With that in mind, here is a simple table for the classful subnets:

    Netmask          LocalNetPriorityNetMask
    255.255.255.0    0x000000FF
    255.255.0.0      0x0000FFFF
    255.0.0.0        0x00FFFFFF

    To set it for something other than the classful sizes, for example a /22 (255.255.252.0 or 11111111.11111111.11111100.00000000), there are 10 host bits. Set those ten bits to 1 and the 22 network bits to 0 and you get 1111111111, which is 3FF in hex. The command is therefore:
    Dnscmd /Config /LocalNetPriorityNetMask 0x000003FF

    Another example: for a /27 (255.255.255.224 or 11111111.11111111.11111111.11100000), the five host bits become 11111, which is 1F in hex, so the command is:
    Dnscmd /Config /LocalNetPriorityNetMask 0x0000001F

    Keep in mind that whatever the setting is, it MUST be set on ALL DNS servers in the environment; dnscmd takes a server name as its first argument (Dnscmd ServerName /Config ...) so you can do that remotely.

    Table: NetMasks broken down by CIDR to the necessary LocalPriorityNet Value
    Note: Of course, some of the values can’t be used in the table, but I created the table to show all possible binary values.

    NetMask            Binary                                 CIDR   Comments                     LocalNetPriorityNetMask

    255.255.255.255    11111111.11111111.11111111.11111111    /32    Host (single address)        0x00000000
    255.255.255.254    11111111.11111111.11111111.11111110    /31    Unusable (no host bits)      0x00000001
    255.255.255.252    11111111.11111111.11111111.11111100    /30    2 usable                     0x00000003
    255.255.255.248    11111111.11111111.11111111.11111000    /29    6 usable                     0x00000007
    255.255.255.240    11111111.11111111.11111111.11110000    /28    14 usable                    0x0000000F
    255.255.255.224    11111111.11111111.11111111.11100000    /27    30 usable                    0x0000001F
    255.255.255.192    11111111.11111111.11111111.11000000    /26    62 usable                    0x0000003F
    255.255.255.128    11111111.11111111.11111111.10000000    /25    126 usable                   0x0000007F
    255.255.255.0      11111111.11111111.11111111.00000000    /24    "Class C", 254 usable        0x000000FF

    255.255.254.0      11111111.11111111.11111110.00000000    /23    2 Class Cs                   0x000001FF
    255.255.252.0      11111111.11111111.11111100.00000000    /22    4 Class Cs                   0x000003FF
    255.255.248.0      11111111.11111111.11111000.00000000    /21    8 Class Cs                   0x000007FF
    255.255.240.0      11111111.11111111.11110000.00000000    /20    16 Class Cs                  0x00000FFF
    255.255.224.0      11111111.11111111.11100000.00000000    /19    32 Class Cs                  0x00001FFF
    255.255.192.0      11111111.11111111.11000000.00000000    /18    64 Class Cs                  0x00003FFF
    255.255.128.0      11111111.11111111.10000000.00000000    /17    128 Class Cs                 0x00007FFF
    255.255.0.0        11111111.11111111.00000000.00000000    /16    "Class B"                    0x0000FFFF

    255.254.0.0        11111111.11111110.00000000.00000000    /15    2 Class Bs                   0x0001FFFF
    255.252.0.0        11111111.11111100.00000000.00000000    /14    4 Class Bs                   0x0003FFFF
    255.248.0.0        11111111.11111000.00000000.00000000    /13    8 Class Bs                   0x0007FFFF
    255.240.0.0        11111111.11110000.00000000.00000000    /12    16 Class Bs                  0x000FFFFF
    255.224.0.0        11111111.11100000.00000000.00000000    /11    32 Class Bs                  0x001FFFFF
    255.192.0.0        11111111.11000000.00000000.00000000    /10    64 Class Bs                  0x003FFFFF
    255.128.0.0        11111111.10000000.00000000.00000000    /9     128 Class Bs                 0x007FFFFF
    255.0.0.0          11111111.00000000.00000000.00000000    /8     "Class A"                    0x00FFFFFF

    254.0.0.0          11111110.00000000.00000000.00000000    /7                                  0x01FFFFFF
    252.0.0.0          11111100.00000000.00000000.00000000    /6                                  0x03FFFFFF
    248.0.0.0          11111000.00000000.00000000.00000000    /5                                  0x07FFFFFF
    240.0.0.0          11110000.00000000.00000000.00000000    /4                                  0x0FFFFFFF
    224.0.0.0          11100000.00000000.00000000.00000000    /3                                  0x1FFFFFFF
    192.0.0.0          11000000.00000000.00000000.00000000    /2                                  0x3FFFFFFF
    128.0.0.0          10000000.00000000.00000000.00000000    /1                                  0x7FFFFFFF
    0.0.0.0            00000000.00000000.00000000.00000000    /0     Every address                0xFFFFFFFF

    To restore the Windows Server 2003 default (/24), run Dnscmd /Config /LocalNetPriorityNetMask 0x000000FF again.
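    The arithmetic above, and the "set it on every DNS server" rule, as a script. This is an added example and not part of the original post: ConvertTo-LocalNetPriorityNetMask derives the value from a prefix length or a dotted mask (it reproduces the /22 and /27 values worked out by hand above, and rejects non-contiguous masks), Set-LocalNetPriorityNetMask pushes it to a list of servers with dnscmd, and Get-LocalNetPriorityConfig reads the resulting registry values back from each server so you can confirm they all agree. The server names and the /22 in the usage lines are assumptions.

```powershell
# Added example, not from the original post. The value is the bitwise inverse of the subnet
# mask (host bits set to 1); dnscmd accepts a server name as its first argument, and the values
# land under HKLM\SYSTEM\CurrentControlSet\Services\DNS\Parameters on that server.

function ConvertTo-LocalNetPriorityNetMask {
    param([Parameter(Mandatory = $true)][string]$Mask)   # '22', '/22' or '255.255.252.0'
    if ($Mask -match '^/?(\d{1,2})$') {
        $prefix = [int]$Matches[1]
    } elseif ($Mask -match '^\d{1,3}(\.\d{1,3}){3}$') {
        # Dotted mask: render it as 32 bits and insist on contiguous 1s followed by 0s.
        $bits = [int64]0
        foreach ($octet in $Mask.Split('.')) {
            if ([int]$octet -gt 255) { throw "Bad octet in mask: $Mask" }
            $bits = ($bits * 256) + [int64]$octet
        }
        $binary = [Convert]::ToString($bits, 2).PadLeft(32, '0')
        if ($binary -notmatch '^1*0*$') { throw "Non-contiguous mask: $Mask" }
        $prefix = ($binary -replace '0', '').Length
    } else {
        throw "Unrecognised mask: $Mask"
    }
    if ($prefix -gt 32) { throw "Prefix out of range: /$prefix" }
    # 32 - prefix host bits, all set to 1: 2^(32 - prefix) - 1.
    $value = [int64][math]::Pow(2, 32 - $prefix) - 1
    return ('0x{0:X8}' -f $value)
}

function Set-LocalNetPriorityNetMask {
    # Prints the dnscmd lines for every server; with -Apply it runs them too.
    param(
        [Parameter(Mandatory = $true)][string[]]$DnsServers,
        [Parameter(Mandatory = $true)][string]$Mask,
        [switch]$Apply
    )
    $value = ConvertTo-LocalNetPriorityNetMask -Mask $Mask
    foreach ($server in $DnsServers) {
        Write-Host "dnscmd $server /Config /LocalNetPriority 1"
        Write-Host "dnscmd $server /Config /LocalNetPriorityNetMask $value"
        if ($Apply) {
            & dnscmd $server /Config /LocalNetPriority 1 | Out-Null
            & dnscmd $server /Config /LocalNetPriorityNetMask $value | Out-Null
        }
    }
}

function Get-LocalNetPriorityConfig {
    # Reads both values from each server's registry (Remote Registry service required).
    # An absent value means the built-in default: ordering on, /24.
    param([Parameter(Mandatory = $true)][string[]]$DnsServers)
    foreach ($server in $DnsServers) {
        $hive = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $server)
        $key = $hive.OpenSubKey('SYSTEM\CurrentControlSet\Services\DNS\Parameters')
        if ($key) {
            New-Object PSObject -Property @{
                Server                  = $server
                LocalNetPriority        = $key.GetValue('LocalNetPriority', 1)
                LocalNetPriorityNetMask = ('0x{0:X8}' -f [int64]$key.GetValue('LocalNetPriorityNetMask', 0xFF))
            }
            $key.Close()
        } else {
            Write-Warning "$server has no DNS\Parameters key (DNS role not installed?)"
        }
        $hive.Close()
    }
}

# The two worked values from the post, then a constructed two-server push for a /22.
ConvertTo-LocalNetPriorityNetMask -Mask '/22'
ConvertTo-LocalNetPriorityNetMask -Mask '255.255.255.224'
Set-LocalNetPriorityNetMask -DnsServers 'dc1', 'dc2' -Mask '/22'
Get-LocalNetPriorityConfig -DnsServers 'dc1', 'dc2' | Format-Table -AutoSize
```

    Set-LocalNetPriorityNetMask only prints until you pass -Apply, so the normal flow is: print, eyeball the value against the table above, apply, then run Get-LocalNetPriorityConfig across every DNS server to catch the one that was missed.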

    More info on this value and setting:

    Description of the netmask ordering feature and the round robin feature in Windows Server 2003 DNS
    http://support.microsoft.com/kb/842197

    Windows Vista, Windows 7 and Windows 2008 Behave Differently Compared to Older Operating Systems

    Windows Vista, Windows 7, Windows Server 2008 and Windows Server 2008 R2 handle subnet prioritization on the client side a bit differently from XP and 2000. Here is more info; note that the KB does not mention Windows 7 or Windows Server 2008 R2 directly, unless Microsoft updates it, but it applies to them and to later operating systems:

    Windows Vista and Windows Server 2008 DNS clients do not honor DNS round robin by default
    http://support.microsoft.com/kb/968920

    Check the following registry entry. With a value of 1 it disables netmask ordering on the client. Is it enabled?
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DWORD: OverrideDefaultAddressSelection
    Value data: 1

    DNS Round Robin and Destination IP address selection (talks about differences with Vista and 2008 non-R2)
    http://blogs.technet.com/b/networking/archive/2009/04/17/dns-round-robin-and-destination-ip-address-selection.aspx

    However, AD Sites should prevail in an AD environment. An AD client's GetDcList function uses Sites to determine which DC or GC to communicate with.

    Therefore, basically:

    Set the registry entry to 0 and the newer operating systems behave like the older ones. If the entry is absent, which is the default, the effect is the same as a value of 1: no subnet mask preference on the client.

    To see subnet mask ordering work on a Windows 7 client, you need to set up the following entry:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters
    DWORD: OverrideDefaultAddressSelection
    Value data: 0

    Summary:

    If Active Directory Sites Are Involved with AD Aware Services:

    AD Sites provide two basic things: logon and authentication control, limiting the auth request to a GC/DC in the client's own site, and replication traffic control between Sites. Replication is compressed in site-to-site communication, which is good for the WAN link. AD-enabled apps also use AD Sites.

    You would first create a new Site with a unique Site name, then create an IP Subnet object that represents the subnet or subnets of the location (you can create multiple IP Subnet objects if needed), then associate the IP Subnet with the Site.

    In the Site link you will notice the default replication period is 3 hours. You can chop that down to as low as 15 minutes. You can't go lower, because that is the maximum time allotted for all DCs within a site to replicate changes between each other. If DCs are added, the KCC jumps in and re-evaluates the intra-site connection objects between DCs to optimise and stay within the 15-minute allotment.

    A standalone server would rely simply on DNS's ability to provide responses either as subnet prioritized or round robin.

    With AD Sites, however, AD-enabled services and entities (such as Exchange, client machines, etc.) add an extra twist that can be used to your advantage. That was why I was asking if you are using ISA: ISA can be published into AD and set by GPO, so a client in SiteA will always use the ISA in SiteA.

    However, if standalone servers are in use, you can disable Round Robin.

    Thank you!!! Source: http://msmvps.com/blogs/acefekay/archive/2010/05/29/dns-and-subnet-priortization-amp-dns-round-robin.aspx

    Update:

    You need to enable this individually on each domain controller; the setting is not replicated. I pushed it via GPO using the corresponding registry entries:

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\LocalNetPriority

    ^ DWORD; Value: 0x00000001 (decimal 1)

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\DNS\Parameters\LocalNetPriorityNetMask

    ^ DWORD; Value: 0x0000ffff (decimal 65535) for a /16 subnet; use 0x00ffffff for /8 or 0x000000ff for /24, etc.

     

     
  • duncanbowring 17:58 on January 17, 2012
    Tags: Licensing, Microsoft, SCCM, SCOM, Software Assurance, System Center

    System Center – SCOM, SCCM – All change! 

    • Summary of Changes
      • Individual point products will no longer be available (SCCM, SCOM, etc.). All System Center Products will only be available as one cohesive suite.
      • Only Client Management Licenses and Server Management licenses will be available, the management servers themselves will no longer require licensing.
      • Software Assurance will be required across all System Center products.
      • There will be price increases across the board, with the largest financial impact being to organizations that had planned to implement this technology a la carte.
      • These changes are going into effect on February 1st, after which you will no longer be able to buy under the old licensing model.
     
  • duncanbowring 01:42 on July 22, 2009
    Tags: Exchange 2010, Windows Server 2008 R2

    Windows Server 2008 R2 RC and Exchange 2010 Beta 

    Well. This is just a short update.
    I tried to install Exchange 2010 Beta onto Windows Server 2008 R2 RC today. It gave me some garbage: MICROSOFT EXCHANGE SERVER 2010 BETA IS NOT SUPPORTED ON THIS VERSION OF WINDOWS. INSTALL SERVER 2008 R2 BETA 7000.
    Of course, RC is build 7100.

    Workaround: edit the registry and, under HKEY_LOCAL_MACHINE\Software\Microsoft\Windows NT\CurrentVersion\, alter the values

    BuildLab, BuildLabEx, CurrentBuild, CurrentBuildNumber

    .. to reflect 7000 instead of 7100, then run setup. Put the original values back afterwards, as other installers and Windows Update read the same keys.

    Summary: 10 item(s). 10 succeeded, 0 failed.

    OK. It seems there are various errors when using the management tools on the server.
    The actual Exchange services themselves seem to be running OK.
    Unfortunately, I don't have an x64 desktop OS, so I can't install the management tools at this time. I will verify when I can.

    An example of one of these errors:

     
    • Ian 06:30 on July 24, 2009

      I just finished trying to install it then. I have the same problem with the console. Haven't found a work around yet! If you manage to find one will appreciate it if you posted it on your blog :D

  • duncanbowring 01:40 on July 22, 2009
    Tags: Multiple domains, OCS, Office Communications Server

    Office Communications Server 2007 R2 (OCS) – Multiple domain forest 

    Hello!
    Well, I’ve been wanting to install Exchange 2007 and OCS 2007 R2 into a multi domain environment for a wee while now. When I say multiple domains, I mean parent and children.

    Exchange 2007 was a doddle. No problems there at all. Each user can be assigned to their own logon domain and everything seamlessly works. Presuming your DNS configuration is sane.

    I’ve finally got this working 100% seamlessly. Sadly, under the hood it’s a little bit messy – but no different to the way it had to be done to get Exchange 2003 working in a similar environment.

    Unfortunately, at this moment in time, Office Communications Server (all versions) doesn't really support multiple domains well at all. If OCS lives in the parent domain, such as parent.com, and your users live in child1.parent.com and child2.parent.com, then the user logging into OCS technically has to be a parent.com user.

    The one thing that OCS does provide is an AD attribute that lets you link the SID (security identifier) of the user in child.parent.com to a user in the parent domain. That parent user doesn't even have to be enabled.

    Whilst this is a welcome workaround that at least lets you 'seamlessly' authenticate, it poses a few other problems around managing your users and any Active Directory data you may use, such as job title, manager, phone number.. you get the drift.

    To get around these and calm the nightmare down a little, I wrote a script that basically keeps things in sync for the admins. Unfortunately, I cannot post the script here as my employer technically owns it.
    What I can do is tell you which attributes are involved:

    1. msRTCSIP-PrimaryUserAddress: basically the SIP address. It can be populated from the sAMAccountName plus the parent domain suffix. Remember the sip: prefix.
    2. msRTCSIP-OriginatorSid: has to match the actual SID of the user in the child domain. This is the link that lets the child-domain logon authenticate as the parent-domain OCS user, so keep it accurate.
    3. msRTCSIP-PrimaryHomeServer: the distinguished name of your OCS server. Kinda.
       Example: CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com
    4. msRTCSIP-UserEnabled: this generally should be set to TRUE. :)
    5. msRTCSIP-OptionFlags: for some strange reason I kept getting errors about the server being temporarily unavailable until I set this to 256.

    Those are just the required attributes specific to OCS. You can also add things such as mail, title, telephoneNumber, sn, givenName and so on.. you know the script.

    It’s probably a good idea to scan all the domains and delete any ghost/dead users that no longer exist on the children as well as creating new ones that do.
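    The shape of such a sync, as an added example that is my own and not the author's unpublished script. Sync-OcsShadowUser mirrors one child-domain user into a disabled shadow account in the parent domain and sets the five msRTCSIP attributes listed above, carrying the child's SID into msRTCSIP-OriginatorSid; Get-OrphanedOcsShadow finds shadows whose child account no longer resolves, which is the cleanup the last paragraph recommends. The shadow OU, the pool DN (the post's example value) and the domain names are assumptions; run it with rights to create users in that OU.

```powershell
# Added example, not the author's script. Uses ADSI only, so it runs on a plain Windows Server
# 2008 box without the ActiveDirectory module.

function Sync-OcsShadowUser {
    param(
        [Parameter(Mandatory = $true)][string]$ChildUserDn,   # CN=jdoe,OU=Staff,DC=child1,DC=parent,DC=com
        [Parameter(Mandatory = $true)][string]$ParentOuDn,    # OU=OCS Shadows,DC=parent,DC=com
        [string]$SipDomain = 'parent.com',
        [string]$HomeServerDn = 'CN=LC Services,CN=Microsoft,CN=ServerName,CN=Pools,CN=RTC Service,CN=Services,CN=Configuration,DC=parent,DC=com'
    )
    $child = [ADSI]"LDAP://$ChildUserDn"
    $sam = [string]$child.sAMAccountName
    $sid = $child.Properties['objectSid'].Value           # byte[]; the RTC attribute is an octet string

    $ou = [ADSI]"LDAP://$ParentOuDn"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($ou, "(&(objectClass=user)(sAMAccountName=$sam))")
    $found = $searcher.FindOne()
    if ($found) {
        $shadow = $found.GetDirectoryEntry()
    } else {
        # Create it disabled: nobody should ever log on with the shadow itself.
        $shadow = $ou.Create('user', "CN=$sam")
        $shadow.Put('sAMAccountName', $sam)
        $shadow.Put('userAccountControl', 514)             # NORMAL_ACCOUNT + ACCOUNTDISABLE
        $shadow.SetInfo()
    }

    $shadow.Put('msRTCSIP-PrimaryUserAddress', "sip:$sam@$SipDomain")
    $shadow.Put('msRTCSIP-OriginatorSid', $sid)
    $shadow.Put('msRTCSIP-PrimaryHomeServer', $HomeServerDn)
    $shadow.Put('msRTCSIP-UserEnabled', $true)
    $shadow.Put('msRTCSIP-OptionFlags', 256)
    # Directory data Communicator shows; only copy what the child actually has set.
    foreach ($attr in 'givenName', 'sn', 'displayName', 'mail', 'title', 'telephoneNumber') {
        $value = $child.Properties[$attr].Value
        if ($value) { $shadow.Put($attr, $value) }
    }
    $shadow.SetInfo()
    return [string]$shadow.distinguishedName
}

function Get-OrphanedOcsShadow {
    # A shadow whose OriginatorSid no longer resolves through the trust is a ghost: delete it.
    param([Parameter(Mandatory = $true)][string]$ParentOuDn)
    $searcher = New-Object System.DirectoryServices.DirectorySearcher([ADSI]"LDAP://$ParentOuDn", '(msRTCSIP-OriginatorSid=*)')
    foreach ($r in $searcher.FindAll()) {
        $bytes = [byte[]]$r.Properties['msrtcsip-originatorsid'][0]
        $sid = New-Object System.Security.Principal.SecurityIdentifier($bytes, 0)
        try { $null = $sid.Translate([System.Security.Principal.NTAccount]) }
        catch { $r.Properties['distinguishedname'][0] }
    }
}

Sync-OcsShadowUser -ChildUserDn 'CN=jdoe,OU=Staff,DC=child1,DC=parent,DC=com' -ParentOuDn 'OU=OCS Shadows,DC=parent,DC=com'
Get-OrphanedOcsShadow -ParentOuDn 'OU=OCS Shadows,DC=parent,DC=com'
```

    The shadow stays disabled on purpose: the whole point of msRTCSIP-OriginatorSid is that the child-domain credentials do the authenticating, so an enabled shadow with a password of its own would be a second way into the same SIP identity. Loop Sync-OcsShadowUser over the users of each child domain and run Get-OrphanedOcsShadow afterwards to pick up the leavers.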

     
    • guruleenyc 20:23 on April 9, 2010

      I am implementing OCS 2007 R2 and I have one AD 2003 native domain and a secondary non-AD domain which is being used as for our primary email addresses.

      for example:
      AD Domain: newyorkcity.org
      Secondary Domain: nyc.org

      Is there a way to allow for auto-sign in for Communicator over the second domain?

  • duncanbowring 01:37 on July 22, 2009
    Tags: ADMT, Domain migration

    ADMT computer migration to new domain. 

    When using ADMT 3.1 (Active Directory Migration Tool) to migrate a computer from one domain to a new domain, you may get the error "The security database on the server does not have a computer account for this workstation trust relationship."

    My environment is a 2003 forest -> 2008 forest with a 2008 child domain at 2003 native functional level. I think this is irrelevant in this instance though.

    However, if you ARE migrating between domains it's important to update the DHCP server (or set it manually on the computer's NIC) so that DNS points at the new domain's DNS server. If trusts and DNS are configured properly this shouldn't matter too much, but it is certainly best practice.

    Also, probably more importantly: if you have any group policy configuration that sets the primary DNS suffix to OLDDOMAIN, it will stay in effect after the migration and probably cause the breakage discussed here.

    Anyway, onto the fix.

    If you fire up ADSIEdit.msc in the target domain after migration, open the properties of the migrated computer object and look at the attribute servicePrincipalName.

    You need to make sure it contains the values:
    HOST/THECOMPUTERNAME
    HOST/THECOMPUTERNAME.NEWDOMAIN
    TERMSRV/THECOMPUTERNAME
    TERMSRV/THECOMPUTERNAME.NEWDOMAIN

    .. chances are only the TERMSRV records will exist. The HOST SPNs are registered at domain join and are what Kerberos clients use when they request a ticket to the machine; the migrated object simply lacks them. Before adding them, check that no other object in the forest still holds the same SPNs (a leftover account for the same machine in the old domain, for instance), because duplicate SPNs break Kerberos authentication for both.

    This solved the trust issues here.
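    The ADSIEdit check as a script, added here as an example that is not part of the original post. It lists the SPNs on the migrated computer object, reports which of the four expected HOST and TERMSRV entries are missing, refuses to add any that another object in the domain already holds, and only writes when you pass -Apply. The computer and domain names are assumptions; run it as an account with write access to servicePrincipalName.

```powershell
# Added example, not from the original post. ADSI only, so it works from any domain member.

function Get-ComputerEntry {
    param([string]$ComputerName, [string]$Domain)
    $root = [ADSI]"LDAP://$Domain"
    $filter = "(&(objectClass=computer)(sAMAccountName=$ComputerName`$))"   # computer accounts end in $
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, $filter)
    $result = $searcher.FindOne()
    if (-not $result) { throw "No computer object named $ComputerName in $Domain" }
    return $result.GetDirectoryEntry()
}

function Test-SpnInUse {
    # True if any object in $Domain other than $OwnerDn already carries $Spn.
    param([string]$Spn, [string]$Domain, [string]$OwnerDn)
    $root = [ADSI]"LDAP://$Domain"
    $searcher = New-Object System.DirectoryServices.DirectorySearcher($root, "(servicePrincipalName=$Spn)")
    foreach ($r in $searcher.FindAll()) {
        if ($r.Properties['distinguishedname'][0] -ne $OwnerDn) { return $true }
    }
    return $false
}

function Repair-MigratedComputerSpn {
    param(
        [Parameter(Mandatory = $true)][string]$ComputerName,   # NetBIOS name, e.g. WS01
        [Parameter(Mandatory = $true)][string]$NewDomain,      # DNS name of the target domain
        [switch]$Apply                                         # without it, only report
    )
    $computer = Get-ComputerEntry -ComputerName $ComputerName -Domain $NewDomain
    $dn = [string]$computer.distinguishedName
    $upper = $ComputerName.ToUpper()
    $fqdn = "$upper.$NewDomain"
    $wanted = "HOST/$upper", "HOST/$fqdn", "TERMSRV/$upper", "TERMSRV/$fqdn"

    $have = @()
    foreach ($s in $computer.Properties['servicePrincipalName']) { $have += [string]$s }
    $missing = @($wanted | Where-Object { $have -notcontains $_ })   # -notcontains is case-insensitive
    Write-Host "$dn has $($have.Count) SPN(s); missing: $($missing -join ', ')"

    foreach ($spn in $missing) {
        if (Test-SpnInUse -Spn $spn -Domain $NewDomain -OwnerDn $dn) {
            Write-Warning "$spn is already registered on another object; fix that first (setspn -X lists forest-wide duplicates)"
            continue
        }
        if ($Apply) { $null = $computer.Properties['servicePrincipalName'].Add($spn) }
    }
    if ($Apply) { $computer.CommitChanges() }
    return $missing
}

# Report first; add -Apply once the output looks right. Names are constructed for the example.
Repair-MigratedComputerSpn -ComputerName 'WS01' -NewDomain 'newdomain.local'
```

    The duplicate check only covers the target domain; setspn -X (Windows Server 2008 and later) reports duplicates across the forest, which matters here because the stale account is most likely in the old domain.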

     
  • duncanbowring 01:30 on July 22, 2009
    Tags: VPN, Windows XP

    DNS issue over VPN – Windows XP 

    There's a problem when connected to a VPN using Windows XP.
    If a hostname whatever.domain.com resolves internally to an IP that differs from what the same hostname resolves to externally, you're going to hit this issue.

    The first thing you would generally do is make sure the Remote Access connection is at the top of the binding order in advanced network settings.

    However, this doesn't work!!! This is a known bug to Microsoft and has NEVER been fixed!
    You basically need to make the same change, but do it via the registry.

    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Linkage

    Edit the multi-string value 'Bind' and make sure "\Device\NdisWanIp" is the first entry in the list.

    Reference: http://support.microsoft.com/default.aspx?scid=kb;en-us;311218

     
  • duncanbowring 11:25 on July 21, 2009
    Tags: Calendar, Exchange 2003

    Give read permissions for all calendars Exchange 2003 

    Hi!
    It may be that your users are fed up with sharing their calendars manually when they start working for you, or whenever they need to.

    There's a tool called PFDavAdmin that lets you do this centrally. There's also a tool called SetPerm, which I *think* is command-line driven and which I'll document at some stage in order to automate this process.

    Anyway, if you use PFDavAdmin:

    1. Open PFDavAdmin.
    2. Click File -> Connect.
    3. Enter the Exchange server name and the Global Catalog server you wish to use.
    4. Select All Mailboxes, click OK.
    5. If you want to verify a single user's calendar permissions first, expand any mailbox -> Top of Information Store -> Calendar, right-click and select Folder Permissions.
    6. To set all users: at the top of the tree view, click Mailboxes.
    7. Click Tools menu -> Set Calendar Permissions.
    8. Click OK at "In the following folder permissions dialog, please configure the permissions you would like to set on the Calendar folders".
    9. A new permissions window opens; click Add.
    10. A "Choose a user" window opens; click Browse.
    11. Select your domain, then scroll to the bottom and select Everyone. Click OK.
    12. Select Permissions -> [dropdown list] Reviewer, click OK.
    13. A dialog appears about removing permissions; just click OK.
    14. A progress bar appears and the permissions are set.

    Please note: this only works with English-language mailboxes, as the Calendar folder needs to be called 'Calendar'. Also be clear about what you are granting: Reviewer lets every user read the full details of every appointment that is not marked private, in every mailbox, not just free/busy time, so confirm that is what the business wants before applying it across the board.

    I will update this with a command line solution at some point.

     