Saturday, December 30, 2006

Configure Cisco DSL Routers

I have just finished configuring my Cisco 1720 router with an ADSL WIC module installed. Here is how to do it, step by step:

connect to the router with the console cable
answer 'no' to the initial configuration dialog

configure terminal mode
# conf term

change the enable secret password (enable secret is stored hashed, unlike the plain 'enable password')
# enable secret <secret>

change the hostname
# hostname adslrouter

assign IP address to the ethernet adapter (private IP address), use NAT
# int fastethernet 0
# ip address 192.168.0.254 255.255.255.0
# ip nat inside
# no shut
# exit

configure ATM interface
# int atm0
# no ip address
# no atm ilmi-keepalive
# dsl operating-mode auto
# no shut
# exit

configure ATM sub-interface
# int atm0.1 point-to-point

! find the PVC from your ISP
# pvc 8/35
# encapsulation aal5mux ppp dialer
# dialer pool-member 1
# exit
# exit

configure dialer interface
# int dialer 1

! if your ISP assigns the address over PPP (IPCP); otherwise configure a static address
# ip address negotiated

! access list for inbound traffic
# ip access-group 110 in

# ip nat outside
# encapsulation ppp
# dialer pool 1

! ppp authentication username and password from your ISP
# ppp authentication chap callin
# ppp chap hostname <username@domain.com>
# ppp chap password <password>
# exit

! NAT for internal clients
# ip nat inside source route-map NAT interface Dialer1 overload

! Port forwarding of SSH to the internal firewall
# ip nat inside source static tcp 192.168.0.10 22 interface Dialer1 22

# ip classless

! static route to dialer interface
# ip route 0.0.0.0 0.0.0.0 Dialer1

! access list for inbound connections on Dialer 1 (entries are matched in order, first match wins)
# access-list 110 remark Inbound traffic to internal firewall
# access-list 110 remark Allow access to HTTPS from everywhere
# access-list 110 permit tcp any any eq 443
# access-list 110 remark Allow access to SSH only from X
# access-list 110 permit tcp host a.b.c.d any eq 22

! DNS is UDP, which is not connection oriented, so the 'established' entry below
! does not match the replies. Permit them only from the resolver you query
! (a.b.c.d here is the DNS server's address). 'permit ip host a.b.c.d any' would
! let that host reach every port on the router and the forwarded hosts, not just answer DNS.
# access-list 110 remark Allow DNS replies inbound
# access-list 110 permit udp host a.b.c.d eq domain any

! If you have an SMTP server
# access-list 110 permit tcp any any eq smtp

! allow replies to TCP connections opened from inside ('established' just checks
! for the ACK or RST flag; it is not a stateful firewall)
# access-list 110 permit tcp any any established
! all ICMP is allowed here; if you tighten it, keep echo-reply, unreachable
! (path MTU discovery needs type 3 code 4) and time-exceeded
# access-list 110 permit icmp any any

! deny all (IOS already denies anything unmatched; the explicit entry gives you a hit counter in 'show access-lists')
# access-list 110 deny ip any any

! access list for route-map, being used by the ip nat
# access-list 150 remark NAT Traffic from Inside
# access-list 150 permit ip 192.168.0.0 0.0.0.255 any

# dialer-list 1 protocol ip permit

# route-map NAT permit 10
# match ip address 150

save it
# wr mem
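To see what ACL 110 actually lets through, here is an added example (mine, not Cisco's and not part of the original post): a small Python evaluator for IOS extended ACL entries of the kind used above, applied to constructed inbound packets. It assumes a.b.c.d is 198.51.100.7 and the Dialer1 public address is 203.0.113.2 (documentation ranges), and that the inbound ACL is evaluated before NAT, so the destination it sees is the public address. It compares a 'permit ip host a.b.c.d any' entry with a UDP/53 entry to show how much more the former admits.

```python
"""Added example, not from the original post: evaluate constructed packets
against Cisco IOS extended ACL entries to show first-match and implicit
deny. Addresses are assumptions: a.b.c.d -> 198.51.100.7 and the Dialer1
public address -> 203.0.113.2 (documentation ranges)."""
import ipaddress
from collections import namedtuple

PORT_NAMES = {"smtp": 25, "domain": 53, "www": 80, "telnet": 23, "ftp": 21}
Packet = namedtuple("Packet", "proto src dst sport dport ack", defaults=(0, 0, False))
Rule = namedtuple("Rule", "action proto src sport dst dport established text")

def _addr(tokens):
    """Consume 'any', 'host A' or 'A WILDCARD' (contiguous wildcards only)."""
    t = tokens.pop(0)
    if t == "any":
        return ipaddress.ip_network("0.0.0.0/0")
    if t == "host":
        return ipaddress.ip_network(tokens.pop(0) + "/32")
    mask = ".".join(str(255 - int(o)) for o in tokens.pop(0).split("."))
    return ipaddress.ip_network(f"{t}/{mask}", strict=False)

def _opt_port(tokens):
    """Consume an optional 'eq <port>'; None means any port."""
    if not tokens or tokens[0] != "eq":
        return None
    tokens.pop(0)
    name = tokens.pop(0)
    return int(name) if name.isdigit() else PORT_NAMES[name]  # KeyError on unknown names

def parse_acl(config, number):
    """Entries of one numbered ACL, in order; remarks are skipped."""
    rules = []
    for raw in config.splitlines():
        toks = raw.strip().lstrip("#").split()
        if len(toks) < 5 or toks[:2] != ["access-list", str(number)] or toks[2] == "remark":
            continue
        action, proto, rest = toks[2], toks[3], toks[4:]
        src, sport = _addr(rest), _opt_port(rest)
        dst, dport = _addr(rest), _opt_port(rest)
        rules.append(Rule(action, proto, src, sport, dst, dport,
                          bool(rest) and rest[0] == "established", " ".join(toks)))
    return rules

def evaluate(rules, pkt):
    """First matching entry decides; IOS appends an implicit 'deny ip any any'."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for r in rules:
        if (r.proto in ("ip", pkt.proto) and s in r.src and d in r.dst
                and r.sport in (None, pkt.sport) and r.dport in (None, pkt.dport)
                # 'established' only matches TCP segments with ACK or RST set
                and (not r.established or (pkt.proto == "tcp" and pkt.ack))):
            return r.action, r.text
    return "deny", "implicit deny ip any any"

ORIGINAL_ACL = """
access-list 110 permit tcp any any eq 443
access-list 110 permit tcp host 198.51.100.7 any eq 22
access-list 110 permit ip host 198.51.100.7 any
access-list 110 permit tcp any any eq smtp
access-list 110 permit tcp any any established
access-list 110 permit icmp any any
access-list 110 deny ip any any
"""
# Same ACL with the 'DNS' entry narrowed to UDP replies from port 53.
NARROWED_ACL = ORIGINAL_ACL.replace("permit ip host 198.51.100.7 any",
                                    "permit udp host 198.51.100.7 eq domain any")

PUBLIC = "203.0.113.2"  # assumed Dialer1 address: the inbound ACL is applied before NAT
CASES = {  # constructed packets arriving inbound on Dialer1
    "https from anywhere": Packet("tcp", "203.0.113.9", PUBLIC, 40000, 443),
    "dns reply from ISP resolver": Packet("udp", "198.51.100.7", PUBLIC, 53, 33000),
    "dns reply from other server": Packet("udp", "203.0.113.53", PUBLIC, 53, 33000),
    "rdp from the resolver host": Packet("tcp", "198.51.100.7", PUBLIC, 40001, 3389),
    "reply to outbound tcp": Packet("tcp", "203.0.113.9", PUBLIC, 80, 50000, ack=True),
}

def verdicts(config):
    """Map each constructed packet to 'permit' or 'deny' under the given ACL text."""
    rules = parse_acl(config, 110)
    return {name: evaluate(rules, pkt)[0] for name, pkt in CASES.items()}

if __name__ == "__main__":
    for label, cfg in (("original", ORIGINAL_ACL), ("narrowed", NARROWED_ACL)):
        print(label, verdicts(cfg))
```

With the 'permit ip host' entry, an RDP connection from the resolver host is permitted; with the UDP/53 entry it is denied. Both versions drop DNS replies from any other resolver, because 'established' only applies to TCP, which is why the resolver you actually use has to be listed explicitly.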

Wednesday, December 27, 2006

Cisco BSCI Exam Passed!

Yes, today I passed the 642-801 BSCI Cisco exam with a score of 868!!
BSCI is all about:
  • Routing protocols - RIP, IGRP, OSPF, EIGRP, ISIS, BGP
  • eBGP and iBGP
  • Redistribution of various routing protocols
  • Routes filter, distribute-list, route policy
  • and of course all the CCNA topics

There were 2 simulation questions that took me quite a while to answer :)
This is the first of the four exams needed for the CCNP.

Thursday, December 21, 2006

Get the users' memberOf from Active Directory

Sometimes you need to audit your enterprise users and make sure they are members of the proper security groups and distribution lists in Active Directory.

Here is the code in VBScript, talking to AD over LDAP. Keep in mind that memberOf lists direct membership only: it omits the primary group (normally Domain Users) and does not expand nested groups, so a user who is in Helpdesk, which is in Domain Admins, shows up with Helpdesk only.

On Error Resume Next
Dim OutPutFile, FileSystem

Set FileSystem = WScript.CreateObject("Scripting.FileSystemObject")
Set OutPutFile = FileSystem.CreateTextFile("users.txt", True)

'-- Number value of the error returned by ADSI if the
'-- memberOf attribute cannot be found.
'==================================================
Const E_ADS_PROPERTY_NOT_FOUND = &h8000500D

'-- Bind to the container holding the users (the built-in
'-- container is CN=Users, not an OU; adjust the path).
'==============================
Set objOU = GetObject("LDAP://OU=Users,dc=domain,dc=com")

'-- Only return user objects from the container.
'==========================================
objOU.Filter = Array("user")

'-- Control Loop
'===============
For Each objUser in objOU
    OutPutFile.WriteLine objUser.cn & " is a member of: "

    '-- Use the GetEx method to initialise the array for group
    '-- membership. Get cannot be used as it does not handle
    '-- multivalued attributes (a user can be a member of many groups).
    '-- Clear any previous error first, otherwise a stale error
    '-- from the last user would be tested below.
    '==============================================================
    Err.Clear
    arrMemberOf = objUser.GetEx("memberOf")

    '-- If ADSI raised no error, list the groups that are entries
    '-- within the arrMemberOf array. If memberOf is missing the user
    '-- is only in its primary group; any other error is written out.
    '========================================================
    If Err.Number = 0 Then
        For Each Group in arrMemberOf
            OutPutFile.WriteLine vbTab & Group
        Next
    ElseIf Err.Number = E_ADS_PROPERTY_NOT_FOUND Then
        OutPutFile.WriteLine vbTab & "(no direct group membership)"
        Err.Clear
    Else
        OutPutFile.WriteLine vbTab & "Error &H" & Hex(Err.Number) & ": " & Err.Description
        Err.Clear
    End If
Next

'-- Clean up
OutPutFile.Close
Set FileSystem = Nothing
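The script above writes memberOf as-is, which is direct membership only. Here is an added example in Python (mine, not from the original post) that takes such a dump, adds the primary group and expands nested groups with a cycle guard, so the audit shows who really ends up in a sensitive group. The directory, user and group names are constructed for the example.

```python
"""Added example, not part of the original post: a memberOf dump lists direct
membership only, so an audit has to add the primary group and expand nested
groups. The directory below is constructed; all DNs are assumptions."""

PRIMARY_GROUP = "CN=Domain Users,CN=Users,DC=domain,DC=com"
DOMAIN_ADMINS = "CN=Domain Admins,CN=Users,DC=domain,DC=com"
HELPDESK = "CN=Helpdesk,OU=Groups,DC=domain,DC=com"
WS_ADMINS = "CN=Workstation Admins,OU=Groups,DC=domain,DC=com"

# memberOf as the script above writes it: direct membership only.
USER_MEMBER_OF = {
    "CN=alice,OU=Users,DC=domain,DC=com": [HELPDESK],
    "CN=bob,OU=Users,DC=domain,DC=com": [],
}
# memberOf of the groups themselves (nesting), including a cycle to guard against.
GROUP_MEMBER_OF = {
    HELPDESK: [WS_ADMINS],
    WS_ADMINS: [DOMAIN_ADMINS, HELPDESK],
    DOMAIN_ADMINS: [],
    PRIMARY_GROUP: [],
}

def effective_groups(user_dn):
    """Transitive closure over memberOf, plus the primary group, sorted."""
    seen, todo = set(), [PRIMARY_GROUP, *USER_MEMBER_OF.get(user_dn, [])]
    while todo:
        group = todo.pop()
        if group in seen:
            continue  # already expanded; this is also what breaks cycles
        seen.add(group)
        todo.extend(GROUP_MEMBER_OF.get(group, []))
    return sorted(seen)

def users_effectively_in(group_dn):
    """Inverse view: who ends up in a group through any chain of nesting."""
    return sorted(u for u in USER_MEMBER_OF if group_dn in effective_groups(u))

def audit_report():
    """One line per user: direct groups versus what they inherit on top."""
    lines = []
    for user, direct in USER_MEMBER_OF.items():
        inherited = sorted(set(effective_groups(user)) - set(direct))
        lines.append(f"{user}: direct={direct} inherited={inherited}")
    return lines

if __name__ == "__main__":
    print("\n".join(audit_report()))
    print("Effectively in Domain Admins:", users_effectively_in(DOMAIN_ADMINS))
```

Windows Server 2008 and later domain controllers can do this expansion server-side with the LDAP_MATCHING_RULE_IN_CHA
IN rule (1.2.840.113556.1.4.1941) on memberOf; against the 2003-era controllers the script above targets, the client has to walk the chain itself.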

Friday, December 15, 2006

Mindsharp Sharepoint 2007

I attended the Mindsharp SharePoint 2007 Administrators course last week in Sydney. It was a really good course on SharePoint 2007; there is a lot of new stuff in SharePoint 2007: great design, deployment architecture, DR strategy and flexibility.

The instructor was Milan Gross. He showed us most of SharePoint 2007.

I am doing the planning and design for SharePoint 2007 right now. I'll post the basic step-by-step installation from scratch shortly.

Saturday, November 18, 2006

Melbourne Trip

Yes, I am flying to the Melbourne office. Nice!!

I am doing a Domain Controller hardware refresh and a proxy server replacement.

Wednesday, November 15, 2006

Create SSL Certificate

If you want a free SSL certificate, you can get one from CAcert. All you need is your CSR ready. Keep in mind that the CAcert root is not shipped in the major browser trust stores, so browsers will warn unless the root is installed on the client; that is fine for a lab or an internal site, not for a public one.

As per my previous post about creating a CSR, all you need to do with openssl (Linux or Cygwin) is:

%> openssl req -new -nodes -keyout private.key -out public.csr

(-nodes leaves private.key unencrypted on disk, so keep its permissions tight.)

Submit public.csr to CAcert; it returns the signed certificate (not a "public key" as such). Save it as public.cer.

Now bundle the certificate and the private key into a PKCS#12 file. openssl asks for an export password, which IIS will prompt for when you import the file:

%> openssl pkcs12 -export -out cacert.p12 -in public.cer -inkey private.key

You will then have cacert.p12, which you can import into IIS.

Wednesday, November 08, 2006

Fix MBR with Linux boot loader

If for some reason your MBR is corrupted, you won't be able to boot your OS.
Boot from the Linux installation CD (the rescue mode below is the Red Hat/Fedora installer's) and at the boot prompt type:

%> linux rescue

It finds your Linux installation and mounts it under /mnt/sysimage. Then type:

%> chroot /mnt/sysimage

Now you are in a shell with your installed system as the root directory. Which command to run depends on your boot loader. If it is GRUB, write it to the disk itself (not to a partition):

%> grub-install /dev/sda

for a SCSI (or SATA) disk, or

%> grub-install /dev/hda

for an IDE disk.

If you have LILO, then run:

%> /sbin/lilo

Friday, November 03, 2006

Unload application disabled /greyed out in IIS

In IIS6 application unloading / recycling is handled differently. You may notice that the "Unload" button is greyed out or disabled in the Application Settings area. This is because the application is in native IIS 6 mode using application pools. Synonymous to unloading the application in IIS 5 is the concept of recycling the application pool in IIS6, see the Application Pools folder in IIS manager (inetmgr). The only time the Unload button will work is if the IIS web service is running in IIS 5.0 isolation mode and the Application Protection is set to either Medium or High.

Thursday, November 02, 2006

Microsoft Ready Summit 2006

Yes, Microsoft Ready Summit 2006 today @ Darling Harbour - Sydney.

The keynote was great: Microsoft Australia Managing Director Steve V. was talking about the EVO products.

Cool thing about EVO:

Vista Bitlocker
Vista built-in shadow copy
Vista Search Engine - able to save the search result as a dynamic content folder
Vista Deployment Service

Groove Server

Group policy for blocking device installation - get rid of USB drives
Windows Firewall group policy enhancement - 3 profiles: Domain, Private and public

Exchange 2007 Managed folders - automatic archive emails
Exchange 2007 Unified Messaging - voice mail inbox capability

Network Access Protection - quarantine network for un-healthy machine, incorporate IPSec and Health Certificate

Sharepoint 2007 Rocks!!!

www.microsoft.com.au/readysummit

Thursday, October 05, 2006

MCSE Messaging+

Today is the final day of Microsoft certification for me.
I've passed 70-285 and got my MCSE: Messaging certification.

Tuesday, September 19, 2006

Getting the .spc and .pvk files for Code Signed certificate

Getting code signed
Something that has bothered me for a while is the hassle in putting together all the pieces to sign my download files. I finally got around to looking it all up, and it isn't easy as you have to piece all the things together. I hope that this will give you an insight into how it can really work, since I managed to actually achieve what I wanted and sign my code. This article is a list of the steps I had to take, and you will probably need to review the commands yourself if you have problems.

The process
Get a certificate from http://www.ascertia.com/onlineCA/Issuer/CerIssue.aspx who will do a free code signing certificate. Obviously any alternative is good, but this will prove the concept for you, and you can go buy another from them or elsewhere later. The email address is included in the certificate, so use a sensible one you are happy for the world to see. Accept the installation of the certificate into the browser as it won't be emailed even though they say it will. Make sure you choose exportable.

Then get the Microsoft code signing stuff (codesigningx86.exe) from the MSDN web site (google will find its current location).

Use the certmgr to view your certificate and export it. Export it as a certificate (.cer file), and with the key (.pvk) file.

Use cert2spc to convert the cer file into an spc file. That's the first half of the process done. Now you need a key file compatible with the signcode application.

From http://support.globalsign.net/en/objectsign/transform.cfm:

How to transform your certificate to a pvk + spc combination.

Export your certificate to a pfx file (be sure to check "Include all certificates in the certification path if possible"; this helps ensure it is accepted by more systems).

Install openssl. You can find compiled binaries on www.openssl.org (for a Windows build see http://www.shininglightpro.com/, e.g. http://www.shininglightpro.com/download/Win32OpenSSL-v0.9.7d.exe)

Extract your private key from the pfx file (file names in angle brackets are placeholders for your own):

-> openssl pkcs12 -in <cert.pfx> -nocerts -nodes -out <key.pem>

The pfx password will be asked.

Download the pvk transform utility. This file can be found at http://support.globalsign.net/en/objectsign/PVK.zip.

-> pvk -in <key.pem> -topvk -out <key.pvk>

Extract your certificates from the pfx file.

-> openssl pkcs12 -in <cert.pfx> -nokeys -out <certs.pem>

The pfx password will be asked.

Transform your pem file to a spc file

-> openssl crl2pkcs7 -nocrl -certfile <certs.pem> -outform DER -out <cert.spc>

Tuesday, September 05, 2006

ESX Server Guest OS NIC 10MB Only

If your guest OS on ESX Server only gets a 10 Mbit/s NIC, install VMware Tools and change the network adapter to vmxnet from the ESX management console.

Monday, September 04, 2006

MCSE - Finally

I have passed my last elective exam: 70-284, with a score of 820.
This is it. I am officially a Microsoft Certified Systems Engineer!! What a relief, after 7 exams.

I might do the 70-285 to get the MCSE+messaging and Citrix or SQL2005 after that :)

(or Checkpoint or CCNP or Ethical hacker)?

Thursday, August 24, 2006

IIS Integrated Windows Authentication

Have you ever encountered a pop-up window asking for username and password when you try to access an intranet site hosted on IIS with Integrated Windows Authentication, even though you are logged in to Windows with a domain account?

IE decides whether a URL is local by checking whether the host name contains a dot. If it does, IE assumes the site is not on the intranet and will not send your domain credentials automatically. That default is deliberate: automatic NTLM authentication to an arbitrary Internet host would hand that host a challenge/response it could relay or try to crack offline.

You can avoid the prompt by adding the site (by its dotted name) to the Local Intranet zone in IE's security settings, preferably through Group Policy so the zone list is the same on every machine.

Tuesday, August 22, 2006

MCSE - 1 more to goooooo

I've done 70-297 today. The score was 870!!
The nightmare is almost over :)

Monday, August 21, 2006

Change IIS Compression with adsutil.vbs

With Exchange 2003 SP2 on your front-end Exchange server, you might need to disable dynamic and static compression in IIS to support GPRS for Windows Mobile Direct Push email.

You can either edit the Metabase.xml file directly, as described in the ActiveSync post below, or change the configuration on the fly with adsutil.vbs (w3svc/1 is the Default Web Site; adjust the site ID if yours differs).

Here are the commands:

cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/Microsoft-Server-ActiveSync/DoDynamicCompression false

cscript C:\Inetpub\AdminScripts\adsutil.vbs set w3svc/1/root/Microsoft-Server-ActiveSync/DoStaticCompression false

Tuesday, August 08, 2006

Monday, August 07, 2006

Squid Reverse Proxy Redirect HTTP to HTTPS

To redirect HTTP traffic to HTTPS when Squid is used as the reverse proxy, use the following ACL in your squid.conf (deny_info with a URL makes Squid answer the denied request with a 302 redirect; as written every client is sent to that one URL, so the original path is lost):

acl httpPort myport 80
http_access deny httpPort
deny_info https://url.domain.com httpPort

Squid Proxy using parent with SSL

Squid can use cache_peer as the parent for the connection and talk SSL to it. If the parent's certificate is self-signed you can use sslflags=DONT_VERIFY_PEER to skip verification, but then anything that can intercept the Squid-to-parent connection can impersonate the parent; the better fix is to give Squid the self-signed certificate through the sslcafile= peer option so it can be verified:

cache_peer webmail.infomedia.com.au parent 443 0 no-query default ssl sslflags=DONT_VERIFY_PEER

Tuesday, August 01, 2006

Problems with Exchange server Activesync and Windows

Workaround - Problems with Exchange Server ActiveSync and Windows Mobile 5.

Facts:

  • Windows Mobile 5.0 ActiveSync connection to Exchange 2003 via Orange or O2 GPRS network in the UK (may also be seen on other networks)
  • Error code 0x8503001A appears during sync and sync fails
  • Exchange SP2 applied
  • Sync works fine locally using Wifi or remotely via cradle/usb/internet link
  • Windows Mobile 2003 works fine in all cases
  • Forms Based Authentication has been enabled at some point, with http compression.

After many hours of troubleshooting, I have found a workaround to the 0x8503001A sync problem that many people are experiencing.

The answer is that HTTP compression is enabled for ActiveSync in the IIS Metabase when SP2 is installed, and in conjunction with a (presumed) bug in Exchange where the IIS Metabase configuration is not restored to previous settings after turning off FBA High compression, causes the above problem.

These instructions will restore ActiveSync functionality for those experiencing the issue.

First make a backup of the MetaBase:

Open IIS Manager Right click on server->AllTasks->Backup/Restore Configuration...
Click Create Backup
Give the backup a name (e.g. 'Backup before fix')
Click OK, Close

Then enable direct Metabase Edit

Open IIS Manager Right click on server and go to Properties
Check "Enable Direct Metabase Edit"
Click OK

Load notepad and open C:\WINDOWS\SYSTEM32\INETSRV\METABASE.XML

Look for

IIsWebVirtualDir Location="/LM/W3SVC/1/ROOT/Microsoft-Server-ActiveSync"
and just below it, you will see:

DoDynamicCompression="TRUE"
DoStaticCompression="TRUE"

Change both of these to FALSE (NB there are more of these throughout the METABASE.XML file, be sure only to change these two)

Save the Metabase.xml file back and restart IIS: Start->Run->IISRESET

Enjoy!

------------

Further information... In Metabase.xml, SP2 changes the above settings from FALSE to TRUE for ActiveSync. Presumably Compression is disabled overall until you enable FBA with Compression. The following line in the METABASE.XML file acts as an overall ON/OFF switch for compression and also has the effect of providing a workaround (at the expense of losing http compression elsewhere, e.g. for OWA):

Look for the line HcNoCompressionForHttp10="FALSE"
Change FALSE to TRUE (the setting before enabling FBA with compression)

If you don't want OWA/FBA with any compression, I would safely assume you want to change the above line.

In fact, I would suggest that the Compression setting under Forms Based Authentication should be independently settable (not as a sub-option to FBA!)

There is a bug in all versions of Exchange which means once that compression is enabled, disabling via the FBA screen doesn't reverse the changes completely (as an SP2 install on a system that NEVER had FBA/compression enabled will still function correctly).

The question for Microsoft is, how are compressed HTML packets getting corrupted by the mobile networks - obviously some NAT/Transparent Proxy in the way, but it's a weird one... And needs fixing (as well as the "disabling compression doesn't actually do it" bug)!

Monday, July 31, 2006

RPC Server is unavailable

If you see event ID 1219 on your Windows 2003 server:

Logon rejected for domain\user. Unable to obtain Terminal Server User Configuration. Error: The RPC server is unavailable

and you cannot connect to the server with a Remote Desktop session,

make sure the Remote Procedure Call (RPC) service and the TCP/IP NetBIOS Helper service are both running.

Friday, July 14, 2006

LDAP Query to Active Directory

To make your life easier when trying to find objects in AD. userAccountControl is a bit field, so it has to be tested with the bitwise-AND matching rule 1.2.840.113556.1.4.803, not with a plain equality:

Password never expires (bit 0x10000 = 65536):
(&(objectCategory=user)(userAccountControl:1.2.840.113556.1.4.803:=65536))

Users who have never logged on (lastLogon is not replicated between DCs, so run this against each DC, or use lastLogonTimestamp, which is replicated but can lag by up to 14 days):
(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))

Users almost locked out (badPwdCount is per-DC as well; the PDC emulator holds the authoritative count):
(&(objectCategory=user)(badPwdCount>=2))

Find a particular email address (proxyAddresses holds every address of the recipient; the primary one is prefixed with upper-case SMTP:):
(&(mail=*)(proxyAddresses=smtp:email@domain.com))
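To check these filters without a domain controller at hand, here is an added example in Python (mine, not part of the original post): a small RFC 4515 filter parser and evaluator that understands the bitwise-AND matching rule, run against a constructed set of user entries. The attribute values are assumptions; a real DC stores objectCategory as a DN and resolves the short class name in the filter itself, which the sample entries imitate by listing both 'person' and 'user'. It also shows why the 'never logged on' filter needs its '|': without it the filter does not parse.

```python
"""Added example, not from the original post: an RFC 4515 LDAP filter parser and
evaluator with the AD bitwise-AND matching rule, run against constructed user
entries so the filters above can be checked offline. Entry values are assumptions;
a real DC stores objectCategory as a DN and resolves the short class name itself."""
import re

BIT_AND = "1.2.840.113556.1.4.803"            # LDAP_MATCHING_RULE_BIT_AND
UF_ACCOUNTDISABLE, UF_DONT_EXPIRE_PASSWD = 0x2, 0x10000
ATTR_NAME = re.compile(r"^[A-Za-z][\w.;-]*$")

def parse_filter(text):
    """Recursive descent over (&..), (|..), (!..) and simple items into nested
    tuples. Escapes (\\2a etc.) are not decoded; bad syntax raises ValueError."""
    def item(i):
        end = text.index(")", i)
        body = text[i:end]
        if ":=" in body:                                  # extensible match
            lhs, value = body.split(":=", 1)
            attr, rule = lhs.split(":", 1)
            node = ("ext", attr, rule, value)
        elif ">=" in body or "<=" in body:
            op = ">=" if ">=" in body else "<="
            attr, value = body.split(op, 1)
            node = ("ge" if op == ">=" else "le", attr, value)
        elif "=" in body:
            attr, value = body.split("=", 1)
            node = ("present", attr) if value == "*" else ("eq", attr, value)
        else:
            raise ValueError(f"no operator in ({body})")
        if not ATTR_NAME.match(attr):
            raise ValueError(f"bad attribute name {attr!r}")
        return node, end + 1

    def parse(i):
        if text[i] != "(":
            raise ValueError(f"expected '(' at offset {i}")
        op = text[i + 1]
        if op in "&|":
            kids, i = [], i + 2
            while text[i] == "(":
                node, i = parse(i)
                kids.append(node)
            if text[i] != ")":
                raise ValueError("unterminated filter list")
            return ("and" if op == "&" else "or", kids), i + 1
        if op == "!":
            node, i = parse(i + 2)
            if text[i] != ")":
                raise ValueError("unterminated negation")
            return ("not", node), i + 1
        return item(i + 1)

    try:
        node, i = parse(0)
    except IndexError:
        raise ValueError("truncated filter") from None
    if i != len(text):
        raise ValueError("trailing characters after filter")
    return node

def matches(node, entry):
    """Evaluate a parsed filter against {attr_lowercase: [values]}."""
    kind = node[0]
    if kind in ("and", "or"):
        return (all if kind == "and" else any)(matches(k, entry) for k in node[1])
    if kind == "not":
        return not matches(node[1], entry)
    values = entry.get(node[1].lower(), [])
    if kind == "present":
        return bool(values)
    if kind == "eq":                          # AD string matching is case-insensitive
        return any(str(v).lower() == node[2].lower() for v in values)
    if kind in ("ge", "le"):
        n = int(node[2])
        return any((int(v) >= n) if kind == "ge" else (int(v) <= n) for v in values)
    if node[2] != BIT_AND:
        raise ValueError(f"unsupported matching rule {node[2]}")
    mask = int(node[3])
    return any((int(v) & mask) == mask for v in values)

def _norm(e):
    return {k.lower(): (v if isinstance(v, list) else [v]) for k, v in e.items()}

_CLS = {"objectCategory": ["person", "user"], "objectClass": ["top", "person", "user"]}
USERS = {  # constructed sample directory; 512 is a normal enabled account
    "jsmith": {**_CLS, "userAccountControl": 512, "lastLogon": 132600000000000000, "badPwdCount": 3},
    "svc-backup": {**_CLS, "userAccountControl": 512 | UF_DONT_EXPIRE_PASSWD, "lastLogon": 0, "badPwdCount": 0},
    "newhire": {**_CLS, "userAccountControl": 512 | UF_ACCOUNTDISABLE, "badPwdCount": 0},  # no lastLogon at all
}
NEVER_EXPIRES = f"(&(objectCategory=user)(userAccountControl:{BIT_AND}:=65536))"
NEVER_LOGGED_ON = "(&(objectCategory=person)(objectClass=user)(|(lastLogon=0)(!(lastLogon=*))))"
NEARLY_LOCKED = "(&(objectCategory=user)(badPwdCount>=2))"

def search(filter_text, users=USERS):
    """Names of the sample users matching the filter, sorted."""
    node = parse_filter(filter_text)
    return sorted(name for name, e in users.items() if matches(node, _norm(e)))

def is_valid(filter_text):
    try:
        parse_filter(filter_text)
        return True
    except ValueError:
        return False
```

search(NEVER_LOGGED_ON) returns both the account whose lastLogon is literally 0 and the one that has no lastLogon attribute at all, which is why the filter needs both alternatives under '|'.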

Thursday, July 13, 2006

BartPE + VMWare Plugin

I've been working on server consolidation with P2V implementation using various tools:

Those tools are great, but they are very expensive!!

Found this website: Ultimate P2V - details
Excellent stuff!! Build your own boot CD, install the plugin, boot the CD, voilà... NO COST!!

I've got a very old server; I tried to boot it with the VMware P2V software and it did not recognise the SCSI controller card!! However, Ultimate P2V works, because you can inject your own hardware drivers into the boot CD.

Tuesday, July 04, 2006

Proxy setting for Debian/Ubuntu apt-get

If you need apt-get to reach the Internet via a proxy, configure either /etc/apt/apt.conf or /etc/apt/apt.conf.d/proxy with the following entry. A backslash in DOMAIN\user must be URL-encoded as %5C, and since the password sits in the file in clear text, make the file readable by root only (chmod 600):

Acquire::http::Proxy "http://MYDOMAIN%5CMYNAME:MYPASS@MY.PROXY.COM:MYPORT/";

Thursday, June 29, 2006

Saturday, June 10, 2006

Automatic Outlook Profile Generator With Multiple Exchange Servers

Have you ever had to build an automatic Outlook profile for your users with a PRF file? What if you have multiple Exchange servers across different sites, and publish Outlook on your Citrix Presentation Server? It's fun...

Ok, let's get started:
  • Generating PRF file
Download the Office 2003 Resource Kit - microsoft
Install and run Custom Installation Wizard
Choose Outlook Customize Default Profile
Configure the profile based on your Exchange server information
For each of your Exchange Server - generate the profile
  • Find the user mailbox
To find which server holds a user's mailbox from the username alone, we need a VBScript to help us - UserMailbox.vbs

optional - if you want to rename the profile name of the Outlook, use this VBScript to change the profile name (PRF File) - prfMod.vbs
  • Publish on Citrix
To publish Outlook, instead of publishing Outlook.exe directly, publish a batch script that uses the VBScripts above and imports the PRF file if the user's profile does not exist yet - UserMailbox.bat

Have fun!

Wednesday, May 31, 2006

Certificate Request Generator with Cygwin

To generate a certificate signing request (CSR) for SSL, we can use Cygwin with the openssl package and send the CSR file to any trusted CA (e.g. VeriSign or Thawte). The -nodes option below leaves the private key unencrypted on disk; add -newkey rsa:2048 if your openssl defaults to a 1024-bit key, which public CAs no longer accept.

To generate it:

openssl req -new -nodes -keyout privateKeyFilename -out certRequestFilename

for example:

openssl req -new -nodes -keyout private.key -out public.csr

Then you will have two files, the private key file and the CSR file. Send only the CSR to the trusted CA; the private key never leaves your machine. Once you've got the certificate signed by the CA, you can use it as your SSL certificate along with the private key.

If you need to convert a certificate in X.509 DER format to PEM format:

openssl x509 -in certFile -inform DER -outform PEM -out convertedCertFile

Tuesday, May 30, 2006

Citrix Solutions Conference 2006

Yes,

Access Tomorrow's Technology Today

it's the motto of Citrix Solutions Conference 2006 which I attended today. It was about promoting their new product line: Citrix Access Gateway.

Citrix Access Gateway is a great solution for remote access, especially with the End-Point analysis. Integrated with Advanced Access Control, it provides granular policy to control the user access based on their conditions.

Citrix Solutions

Monday, May 01, 2006

Microsoft Windows 2003 Cluster

Setting up a cluster node is not as hard as you think, and being able to have more than two nodes in a cluster is a powerful feature. I set up the cluster nodes on Microsoft Virtual Server 2005, following TechNet.

Try the following and you will learn a new thing :)

Microsoft

Friday, April 28, 2006

MTU Size

To check the MTU size between your PC and a server, run the following at a Windows command prompt (-f sets the Don't Fragment bit, -l sets the ICMP payload size):

ping mail.internode.on.net -f -l 1500

Pinging mail.internode.on.net [203.16.214.182] with 1500 bytes of data:

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.

Ping statistics for 203.16.214.182:
Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

It means the packet is too big for the path MTU. Reduce the size of the packet until you find the largest that gets through:

ping mail.internode.on.net -f -l 1473

Packet needs to be fragmented but DF set.
Packet needs to be fragmented but DF set.
...

ping mail.internode.on.net -f -l 1472

Reply from 203.16.214.182: bytes=32 time=6ms TTL=64
Reply from 203.16.214.182: bytes=32 time=3ms TTL=64
...

As you can see, the largest payload that passes is 1472. Now set the MTU on your network adapter to 1472 + 28 (you add 28 bytes because 20 bytes are taken by the IPv4 header and 8 bytes by the ICMP echo request header).

Yes, it is a 1500-byte MTU. That is because I am using ADSL with PPPoA, which by default has an MTU of 1500 (PPPoE would leave 1492). Note that this only works while the routers on the path send back ICMP "fragmentation needed" messages; where a firewall drops them, oversized DF packets simply time out and you learn nothing.

Note: on Linux the command is (-M do sets Don't Fragment, -s is the payload size):

[root@fedora postfix]# ping -s 1480 -c 100 yahoo.com.au -M do
PING yahoo.com.au (203.84.217.26) 1480(1508) bytes of data.
ping: sendmsg: Message too long
ping: sendmsg: Message too long

--- yahoo.com.au ping statistics ---
2 packets transmitted, 0 received, 100% packet loss, time 1000ms

reduce the size of the packet to 1472:

[root@fedora postfix]# ping -s 1472 -c 100 yahoo.com.au -M do
PING yahoo.com.au (203.84.217.26) 1500(1528) bytes of data.
1508 bytes from i1.aunz.vip.aue.yahoo.com (203.84.217.26): icmp_seq=0 ttl=248 time=298 ms
1508 bytes from i1.aunz.vip.aue.yahoo.com (203.84.217.26): icmp_seq=1 ttl=248 time=390 ms
1508 bytes from i1.aunz.vip.aue.yahoo.com (203.84.217.26): icmp_seq=2 ttl=248 time=294 ms

--- yahoo.com.au ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2001ms
rtt min/avg/max/mdev = 294.271/327.895/390.728/44.468 ms, pipe 2
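Rather than walking the payload size down one byte at a time, the search above can be done by bisection. The following is an added example in Python (mine, not part of the original post): it binary-searches the largest payload that passes with DF set, applies the +28 from the post, and distinguishes a "needs to be fragmented" answer from silence, which is what you get when a firewall drops the ICMP "fragmentation needed" messages that path MTU discovery relies on. The path it probes is simulated (an assumption) so it runs offline; windows_ping_probe wraps the real ping -f -l command and assumes English ping output.

```python
"""Added example, not from the original post: find the largest payload that
passes with DF set by binary search, and turn it into an MTU with the +28
(20-byte IPv4 header + 8-byte ICMP echo header) the post describes. The path
below is simulated (an assumption) so the code runs offline; a real Windows
ping probe is included for use against a live host."""
import subprocess

IPV4_HEADER, ICMP_ECHO_HEADER = 20, 8
OVERHEAD = IPV4_HEADER + ICMP_ECHO_HEADER      # 28, as in the post

def simulated_path(path_mtu, icmp_filtered=False):
    """Return probe(payload) -> 'ok', 'frag_needed' or 'timeout'.
    icmp_filtered models a firewall dropping the 'fragmentation needed'
    message, i.e. a PMTU black hole."""
    def probe(payload):
        if payload + OVERHEAD <= path_mtu:
            return "ok"
        return "timeout" if icmp_filtered else "frag_needed"
    return probe

def windows_ping_probe(host, timeout_ms=1000):
    """Probe with the same 'ping -f -l' as the post (English output assumed)."""
    def probe(payload):
        out = subprocess.run(
            ["ping", "-n", "1", "-w", str(timeout_ms), "-f", "-l", str(payload), host],
            capture_output=True, text=True).stdout
        if "needs to be fragmented" in out:
            return "frag_needed"
        return "ok" if "TTL=" in out else "timeout"
    return probe

def discover_mtu(probe, low=0, high=1472):
    """Binary search between low (assumed to pass) and high.
    Returns (payload, mtu, blackhole); blackhole is True when a too-large
    probe got no answer at all instead of a 'fragmentation needed'."""
    result = probe(high)
    if result == "ok":                  # path is at least as wide as assumed
        return high, high + OVERHEAD, False
    blackhole = result == "timeout"
    while high - low > 1:               # invariant: low passes, high fails
        mid = (low + high) // 2
        result = probe(mid)
        if result == "ok":
            low = mid
        else:
            high = mid
            blackhole = blackhole or result == "timeout"
    return low, low + OVERHEAD, blackhole

if __name__ == "__main__":
    print("PPPoA (1500):", discover_mtu(simulated_path(1500)))
    print("PPPoE (1492):", discover_mtu(simulated_path(1492)))
    print("PPPoE, ICMP blocked:", discover_mtu(simulated_path(1492, icmp_filtered=True)))
```

A blackhole result is the case to watch for: the search still finds the size, but real TCP sessions through that path will hang on large segments because the sender never learns to shrink them. That is the reason the router ACL earlier on this page should keep permitting ICMP unreachable (type 3 code 4) even if it is otherwise tightened.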

Thursday, April 27, 2006

Exchange 12 ROCKS!!

I can't wait for this one coming out!! The new Microsoft Exchange Server -
code name Exchange 12 is massive and very flexible. Check the following
features:

Automatic Client Configuration
Today, configuring the Outlook desktop or mobile clients prior to first use
is complicated, requiring users to enter confusing technical information.
Exchange 12 includes a new automatic discovery and configuration feature
that Outlook 12 and next generation mobile devices will use to configure
themselves completely, including all appropriate corporate policies. End
users will not be required to enter Exchange server names or other technical
information. This capability will spare the IT staff from having to create
complicated deployment or configuration scripts that help users set up
Outlook to connect to Exchange. Additionally, mailbox moves will not require
manual reconfiguration of clients, and if a disaster occurs, clients will
automatically connect to moved or failed-over mailboxes on different
Exchange servers with no manual editing of Outlook or device connection
settings required

Mailboxes Etcetera
Users already rely on their mailboxes as repositories for every work
message they've ever received and even for actual deliverables. As mailbox
sizes have grown to accommodate user needs, the costs associated with
backup, restore, and migration have skyrocketed. Users need larger mailboxes
to handle this workload, but IT is hesitant to supply more space because of
the time and cost associated with managing a large mailbox. As a native
64-bit application (compatible with x64 servers), Exchange 12 lets an
organization keep all of its users' mail and calendar data on the server
where it can be reliably secured, backed up, and made available on a range
of devices. The 64-bit performance allows Exchange to address more memory,
it increases cache sizes, and it helps reduce disk I/O operations. As a
result, Exchange 12 makes more efficient use of each spindle (physical disk
drive) in existing Storage Area Network (SAN) systems while also enabling
inexpensive high-capacity disk drives to be used.
To address the high cost of backup associated with most messaging systems,
Exchange 12 introduces continuous replication features that use log file
shipping to keep a "rolling backup" of a mailbox database either on a local
disk set or on a disk set attached to a second, clustered server. In the
event of a disaster, a replica can be brought online and attached to any
Exchange 12 server in the network. These capabilities will allow many
organizations to move from expensive nightly tape backup procedures to
less-frequent tape or archival backups.

One Inbox
Users aren't just worried about e-mail, of course; they have to deal with
e-mail, faxes, voicemail, and documents-all of which have to be checked
constantly. But most users don't have the level of access they need away
from the office. Exchange 12 will provide a new unified messaging (UM)
solution that will enable end users to receive e-mail messages, faxes, and
voicemails in one Inbox (see Figure 3). Because in some cases the telephone
may be available when other clients are not, UM will support PIM access over
the phone. Users will be able to access their Inbox from any touch-tone
phone using either touch-tone commands or speech recognition. And via
text-to-speech translation, users can listen to their main Inbox items
(including e-mail, calendar, tasks, and contacts) read back to them. Users
can also interact with messages (reply, forward, and so on) and call other
users when appropriate. Corporate directory access will also be supported.

Flexible Server Roles
The next release of Exchange is being designed as a distributed system of
five server roles (see Figure 1). These roles-Mailbox, Hub Transport, Edge
Transport, Client Access, and Unified Messaging-allow Exchange 12 systems to
be installed with exactly the components organizations need, aiding
performance and reducing the surface area for attacks. Server roles are
deployed within the corporate network, with Active Directory access, and
can also be deployed on a single server if needed. The only exception to
this is Edge Transport, which is deployed in the perimeter network with no
Active Directory access.

Sunday, April 23, 2006

Internet Explorer Corrupted!!

I had a problem with IE6 on Windows XP SP2. It complained about a Visual C++ runtime error in iexplore.exe and closed the browser once you clicked OK.

I ran this command to restore IE to its original state:

rundll32.exe setupapi,InstallHinfSection DefaultInstall 132 %windir%\Inf\ie.inf

It needs the Windows XP SP2 CD as well as the Windows XP CD to get the original files.

That didn't really fix the issue, so I downloaded HijackThis:

http://www.majorgeeks.com/download3155.html

Run the scan and paste the log into:

http://www.hijackthis.de/

then remove the nasty items from the computer. Reboot and aha!! fixed!!

Wednesday, April 19, 2006

Netbios over TCP/IP

If you have issues with NetBIOS over TCP/IP (e.g. you cannot browse computers on the network), check that the "TCP/IP NetBIOS Helper" service is started.

If it will not start, make sure "Enable NetBIOS over TCP/IP" is selected in the advanced TCP/IP settings of the adapter.

If that setting is already selected but the service still will not start, go to Device Manager, show hidden devices, enable "NetBIOS over TCP/IP" there, and restart.

original link: microsoft

Friday, April 07, 2006

Windows Event Triggers email notification

Tired of watching your Windows server event log? Try this VBScript, which sends an email notification whenever Windows writes an error to the event log.

How to setup the event triggers to notify you by email
=======================================================
1. Modify the eventSystemError.vbs and eventApplicationError.vbs script to suit your need (e.g. Computer name and email address )
2. Put your scripts on any folder (e.g. c:\tools )
3. Create the eventtriggers with the following syntax:

This creates an event trigger called System Error that monitors the system log for any error and runs eventSystemError.vbs
-------------------------------------------------------------------------------
eventtriggers /create /tr "System Error" /l system /t error /tk c:\tools\eventSystemError.vbs

This creates an event trigger called Application Error that monitors the application log for any error and runs eventApplicationError.vbs
-------------------------------------------------------------------------------
eventtriggers /create /tr "Application Error" /l application /t error /tk c:\tools\eventApplicationError.vbs


4. Please refer to this website if you need more options (e.g. domain\username authentication):
microsoft

Files:

Application
System

Thursday, April 06, 2006

Dual Daemon Postfix log rotate

With two Postfix instances (dual daemons), you might want a separate log file for each.

Let's say the 1st daemon logs to /var/log/maillog and the 2nd daemon logs to /var/log/maillog2, and you want to rotate the log files. I encountered an issue when I tried to rotate the second log file, maybe because of the pid of the daemons.

Anyway, I created a second logrotate file, /etc/logrotate.d/maillog2, with the following content (the HUP makes syslogd reopen its log files after the rotation; "|| true" keeps the script from failing if syslogd.pid is missing):

/var/log/maillog2
{
    notifempty
    daily
    rotate 7
    compress
    postrotate
        /bin/kill -HUP `cat /var/run/syslogd.pid 2> /dev/null` 2> /dev/null || true
        /etc/init.d/postfix reload > /dev/null
        /etc/init.d/postfix2 reload > /dev/null
    endscript
}

Tuesday, March 28, 2006

Linux World Expo and Conference

Today I attended Linux World Expo and Conference at Sydney Darling Harbour. It was great, I met Jon "Maddog" Hall - Linux International and Andrew "Tridge" Tridgell - the author of Samba.

A lot of exhibitors were there, like Red Hat, HP, Novell, VMware and many more.

Photos: Jon 'maddog' Hall; Andrew 'Tridge' Tridgell; Linux bag; Red Hat, SuSE and Linux penguins; Darling Harbour

Tuesday, March 07, 2006

I've got CCDA today!!!

I've got CCDA Today!!!!!

It was really difficult; after a long, long time of study I managed to get it done!

Next target: CCNP or CCDP!!
Or maybe CCA or RHCA or MCSE? arrghh!!!!

Thursday, March 02, 2006

Password change reminder for VPN Users

Set up a scheduled task on one of the servers to run the VBScript.

The script queries LDAP (Active Directory) for the members of a particular group (e.g. VPN Users) and checks the age of each password. If the password is about to expire, it emails the user a reminder to change it.

The script:

[attached vbs file]
password reminder.zip
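The same check written in Python, as an added example here rather than the attached VBScript. The LDAP query is replaced by constructed sample records so the logic runs offline; against a real directory you would read pwdLastSet, userAccountControl, mail and sAMAccountName for each entry in the group's member attribute, and maxPwdAge from the domain root. The 7-day window, the sender address and the sample users are assumptions.

```python
"""Decide which members of a VPN group need a password-expiry reminder.
Added example (not the blog's VBScript). Sample data is constructed."""
from datetime import datetime, timedelta, timezone
from email.message import EmailMessage

# AD stores pwdLastSet and maxPwdAge as 100-nanosecond ticks. pwdLastSet
# counts from 1601-01-01 UTC; maxPwdAge on the domain root is a NEGATIVE
# interval, and the most negative 64-bit value means "never".
WINDOWS_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
NEVER_EXPIRES = -(2 ** 63)
DONT_EXPIRE_PASSWORD = 0x10000      # userAccountControl flag
REMIND_WITHIN_DAYS = 7              # assumed reminder window


def filetime_to_datetime(ticks):
    return WINDOWS_EPOCH + timedelta(microseconds=ticks // 10)


def datetime_to_filetime(dt):
    """Inverse helper; only used here to build the sample records."""
    return ((dt - WINDOWS_EPOCH) // timedelta(microseconds=1)) * 10


def days_until_expiry(user, max_pwd_age, now):
    """Whole days until the user's password expires.
    None -> does not expire (account flag or domain policy)
    0    -> must be changed now (pwdLastSet = 0 means 'change at next logon')
    < 0  -> already expired that many days ago"""
    if user["userAccountControl"] & DONT_EXPIRE_PASSWORD:
        return None
    if max_pwd_age in (0, NEVER_EXPIRES):
        return None
    if user["pwdLastSet"] == 0:
        return 0
    # max_pwd_age is negative, so subtracting it adds the policy interval.
    expiry = filetime_to_datetime(user["pwdLastSet"] - max_pwd_age)
    return (expiry - now).days


def users_to_remind(users, max_pwd_age, now, within_days=REMIND_WITHIN_DAYS):
    """(sAMAccountName, days_left) for everyone expiring within the window."""
    due = []
    for user in users:
        left = days_until_expiry(user, max_pwd_age, now)
        if left is not None and left <= within_days:
            due.append((user["sAMAccountName"], left))
    return due


def reminder_message(user, days_left, sender="helpdesk@example.com"):
    """Build the reminder mail; sending it (SMTP) is left to the caller."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = user["mail"]
    if days_left <= 0:
        msg["Subject"] = "Action required: change your VPN password now"
    else:
        msg["Subject"] = f"Your VPN password expires in {days_left} day(s)"
    msg.set_content(
        f"Hello {user['sAMAccountName']},\n\n"
        "Your VPN password is about to expire. Please change it before it\n"
        "does, or you will lose VPN access until it is reset.\n")
    return msg


# Constructed sample data: a 42-day domain policy and five group members.
NOW = datetime(2006, 3, 2, 9, 0, tzinfo=timezone.utc)
MAX_PWD_AGE = -42 * 24 * 3600 * 10_000_000      # -42 days in 100 ns ticks
UTC = timezone.utc


def _member(name, last_set, uac=0x200):         # 0x200 = NORMAL_ACCOUNT
    return {"sAMAccountName": name, "mail": f"{name}@example.com",
            "pwdLastSet": 0 if last_set is None else datetime_to_filetime(last_set),
            "userAccountControl": uac}


SAMPLE_MEMBERS = [
    _member("susan", datetime(2006, 1, 25, 9, 0, tzinfo=UTC)),   # 6 days left
    _member("james", datetime(2006, 2, 20, 9, 0, tzinfo=UTC)),   # 32 days left
    _member("terry", datetime(2005, 6, 1, 9, 0, tzinfo=UTC),
            uac=0x200 | DONT_EXPIRE_PASSWORD),                   # never expires
    _member("pat", None),                                        # change at next logon
    _member("old", datetime(2006, 1, 1, 9, 0, tzinfo=UTC)),      # expired 18 days ago
]

if __name__ == "__main__":
    for name, left in users_to_remind(SAMPLE_MEMBERS, MAX_PWD_AGE, NOW):
        user = next(u for u in SAMPLE_MEMBERS if u["sAMAccountName"] == name)
        print(reminder_message(user, left)["Subject"], "->", user["mail"])
```

The account running the scheduled task only needs read access to those attributes; it does not need any password-reset rights, so keep it a plain domain user rather than a Domain Admin.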

Friday, February 03, 2006

PC-DUO problem

When you install PC-DUO on your Windows XP system, you won't be able to Remote Desktop to that machine anymore. This is because PC-DUO modifies the registry so that Winlogon no longer uses msgina.dll; it uses PCIgina.dll instead. To remedy this, edit the registry:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon

find GinaDLL and change the value back to msgina.dll

Winlogon loads this DLL before anyone can log on, so a typo in the value locks you out of the machine: export the key first. Going back to the stock msgina.dll also disables whatever PC-DUO's own GINA added to the logon screen.

ref:
http://support.microsoft.com/default.aspx?scid=kb;en-us;829715&Product=winxp

Wednesday, January 04, 2006

Clone OS - ESX Server

I found this article on how to clone a virtual OS within ESX Server:

* Don't forget uuid.action = "keep", especially if this is a Win32 system.


The added step for what goes on below is that you'll need to move the VM "personality data" (.vmx, .nvram, etc...) using scp (secure copy, aka copy over SSH) to the remote target system.


I can't recall offhand if I posted this before, so... What follows is a detailed process of how one would clone (and in the process relocate) a VM.


The "uuid.bios" value is used in some cases by the Guest OS (via a DMI/SMBIOS query to the VM's BIOS) as part of determining its unique identity. You should only allow the "uuid.bios" value to change in cases where you wish to trigger a change in personality. In Microsoft Windows-ese, this would be when you intend to run things like SysPrep or NewSID on the Guest OS.



The "uuid.location" value is used to determine the uniqueness of a VM at the VMKernel level, and will change any time the VM's .vmx is renamed or relocated. The "uuid.bios" and "uuid.location" values start off identical, but may differ at some later point in time (per the above conditions).



*****

The basic steps involved in cloning a VM on a standalone ESX Server chassis are as follows:
1) Produce "master" VM image
From this point on, leave the "master" VM image in a powered off state to preserve it.



2) Copy "master" to "clone master"
Preferably, make a copy of the .dsk file, and create a new directory for copies of the .vmx and nvram files. Adjust the .dsk pointer and description data as appropriate in the .vmx file.
ADD the following line to the .vmx file:

uuid.action = "keep"

This will force the "uuid.bios" value to remain consistent, even if the VM's .vmx file has been relocated or renamed.

It is equivalent to answering the UUID question with "Keep Always".



3) Register "clone master" VM



vmware-cmd -s register /path/to/clone/file.vmx



4) Depersonalize the VM as appropriate for the Guest OS (Win32 SysPrep, etc...)



5) Copy "clone master" for deployment

Make a copy of the .dsk file, and create a new directory for copies of the .vmx and nvram files. Adjust the .dsk pointer and description data as appropriate in the .vmx file.
REMOVE the following lines from the .vmx file:

Ethernet0.generatedAddress = "....."
Ethernet0.generatedAddressOffset = "....."
uuid.location = "....."
uuid.bios = "....."
uuid.action = "keep"



6) Register new VM



vmware-cmd -s register /path/to/new/file.vmx



7) Power on new VM from the MUI directly

A fresh "uuid.location" and "uuid.bios" set will be populated into the .vmx file at this point. These values are then used as part of the hashing algorithm to generate the new ethernet MAC for the VM.

The SMBIOS inside the VM will have a "system serial number" with the new UUID as well, allowing repersonalization as a new unique entity.



**

Steps involving a "clone master" as a copy are to preserve the "master" VM in case errors are encountered during depersonalization.



*****

Note, you may want to also set and/or adjust two other bits of data:



suspend.directory = "....."

checkpoint.cptConfigName = "....."




These two values are concatenated together in order to determine a unique location to store the .vmss VM Saved State file during a "Suspend" operation. The default value (if unset) for "suspend.directory" is the VMFS2 Volume where the lowest numbered virtual disk is stored (scsi0:0 typically). The default value (if unset) for "checkpoint.cptConfigName" will be an arguably-unique hash based on the Virtual Machine's "displayName" variable and ten hexadecimal digits.



*****

If you find yourself in a situation where you cannot "Suspend" an already running VM due to disk-space constraints based on the "suspend.directory = *" mapping in the .vmx configuration file, a workaround exists:


While the VM is running, query for current suspend.directory state:



vmware-cmd /path/to/your/VM.vmx getconfig suspend.directory



Determine where you have sufficient space in a VMFS2 volume to provide for the .vmss VM Saved State file (it will be slightly larger than max mem allocated to that VM).

Things like `vdf -h` will be useful.

Set the new path based on your discovery above:



vmware-cmd /path/to/your/VM.vmx setconfig suspend.directory "/vmfs/VMFS2VolNameHere"



Suspend your VM. Wait until the suspend operation has completed successfully. Detach the VMware Remote Console session(s) for this VM at this time.

Adjust the "suspend.directory" in the .vmx configuration file to match the new value used above.



Reconnect to your VM using the VMware Remote Console and resume the VM at your leisure. Note, reversing to the original "suspend.directory" value requires another suspend/resume cycle, using the same procedure as above.


*****

*****

*****

Relocating a VM from one directory to another (be it on the same physical chassis or not) is reasonably straightforward. The big caveats are that you should be well aware of the risks (re: UUID warnings) and to reconfirm the configuration and device mappings for the VM if it is being moved between chassis.

A single example snippet of shellscript is included below. This example assumes that 'root' will own all VMs. Optimally you should use a 'role account' (or VMware VirtualCenter) rather than 'root' on the ESX Server, so you can better manage access controls / permissions across your pool of Virtual Machines.
Details on structuring 'role accounts' for running in a non-VirtualCenter environment follows below.

*****

*****



The process for splitting .VMX files off into individual directories in your environment is as follows:

* Shut down the VM you are going to move. Perform a clean, Guest-OS level shutdown, letting the VM power down completely.

* Run the bit of shellscript /as root/ on the Console OS for that particular VM (see bottom of email). You will be prompted for the root PW twice (unregister, register). A result code of "1" from the unregister and register commands means "success". The shellscript makes a permissions-matched copy of the configuration (.vmx) file, rather than moving it.
This allows you to maintain a "clean" copy of the .vmx file in case your migration process is interrupted before the unregister/register cycle is completed.

* Start up the VM from the /MUI/ using the Green Triangle "play" button. You will see the VM's status change to "Waiting for Input...".

* Click on "Waiting for Input...", and answer "Always Keep". This will fix the UUID data in the .vmx file to reflect the new location for the configuration file (uuid.location=...), but will -NOT- change the UUID/SMBIOS data for the VM on the Guest OS side (uuid.bios=...).
This is precisely the behavior that you want.

* Confirm that the VM has started up correctly. You'll notice that each VM now has 'vmware.log' and 'nvram' files in their respective directories.

* Optionally, delete the original .vmx file from the original location.

##### ##### #####



cd /root/vmware/



mkdir ./myVMsNewHome



chmod 0755 ./myVMsNewHome



cp --preserve /root/vmware/myVMsOldHome/MyVM.vmx ./myVMsNewHome



/usr/bin/vmware-cmd -U root -s unregister /root/vmware/myVMsOldHome/MyVM.vmx


/usr/bin/vmware-cmd -U root -s register /root/vmware/myVMsNewHome/MyVM.vmx



##### ##### #####

This may not be relevant for this specific chassis, but may be of use for singly deployed chassis. The basic information you're looking for can be found here in the "Authenticating Users" section:

http://www.vmware.com/support/esx25/doc/esx25admin_service-console4.html



I'll provide you a real world example so you can see how it gets put to use:

First, this example assumes you are using the regular Unix permissions model, with users and groups defined locally on the Console OS.



You have one SuperUser (root). This user should not be used to add Virtual Machines. It may be used to delete Virtual Machines, and make system-wide changes. Unix model: SuperUser.



You have (at least) one 'role' account which handles addition/modification/deletion of the _Virtual Machine_ layer. This 'role' account is rarely used.

Unix model: read-write-execute-own. You have several users who are allowed to control VMs owned by their group's role account as though it were a system on their desk. They can change power state, connect/disconnect devices, etc.... They may not however modify the hardware connected to that VM, which includes modifying what the CDROM and Floppy drives point at. Unix model: read-execute-group.



If you add the 'write' permission as well to the .vmx file, they can modify the VM. You may also have a third category of everyone else (people outside of that group) who are allowed to check system configuration/health data on the Web Management Interface, but are not allowed to make any changes (power state, devices, etc...). Unix model: read-only-other.

This follows the standard Unix model of: User Group Other (root is a special case)



Assuming your shared space is in /home/vm/...

Create a 'role' account (ex: vmadmin). The command is all one line, I've wrapped it for readability. In this example, role type accounts are in the 5xxx range for UID/GID.



useradd -c "VMware Admin Account" -d "/home/vmadmin" -u 5001 -m vmadmin



Set that role account's password:



passwd vmadmin



Add the control users (ex: susan, james, terry). You'll disable their shell access unless they need direct access to the Console OS side. In this example, regular user accounts are in the 6001+ range for UID/GID.



useradd -c "Susan P." -d "/home/susan" -u 6001 -G vmadmin -s "/bin/false" -m susan

useradd -c "James R." -d "/home/james" -u 6002 -G vmadmin -s "/bin/false" -m james

useradd -c "Terry F." -d "/home/terry" -u 6003 -G vmadmin -s "/bin/false" -m terry



Then set their passwords... Assuming you have VMs already created, you may need to perform a bit of ownership/permissions shuffling.



chown -R vmadmin.vmadmin /home/vm

chmod 0755 /home/vm

chmod 0750 /home/vm/*/.

chmod 0750 /home/vm/*/*.vmx



Then finally add the read-only rights to VMs that you want visible to anyone who can authenticate in the Web Management Interface.



chmod 0755 /home/vm/some-public-vm/.

chmod 0754 /home/vm/some-public-vm/some-public-vm.vmx




Original URL: http://www.vmware.com/community/thread.jspa?threadID=28438&tstart=0
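Steps 2 and 5 of the cloning procedure quoted above are pure .vmx bookkeeping: repoint the disk and display name, add uuid.action = "keep" for the clone master, and strip the generated MAC and UUID keys from each deployment copy so ESX assigns a fresh identity at first power-on from the MUI. The following Python script is an added example of that editing and is not code from the forum post or from VMware. The key name used for the .dsk pointer (scsi0:0.name) and the sample .vmx text are assumptions; use whatever your own .vmx files contain.

```python
"""Edit .vmx files for the 'clone master' and 'deployment copy' steps.
Added example; key names and the sample file below are assumptions."""
import re

# Step 5: keys to remove so the first power-on regenerates MAC and UUIDs.
DEPLOYMENT_KEYS_TO_DROP = (
    "ethernet0.generatedAddress",
    "ethernet0.generatedAddressOffset",
    "uuid.location",
    "uuid.bios",
    "uuid.action",
)
DISK_KEY = "scsi0:0.name"      # assumed name of the .dsk pointer key

VMX_LINE = re.compile(r'^\s*([\w.:]+)\s*=\s*"(.*)"\s*$')


def parse_vmx(text):
    """Ordered (key, value) pairs; lines that are not key = "value" are kept
    as (None, raw_line) so comments and blanks survive a round trip."""
    entries = []
    for line in text.splitlines():
        m = VMX_LINE.match(line)
        entries.append((m.group(1), m.group(2)) if m else (None, line))
    return entries


def render_vmx(entries):
    return "\n".join(raw if key is None else f'{key} = "{raw}"'
                     for key, raw in entries) + "\n"


def get_key(entries, key):
    for k, v in entries:
        if k is not None and k.lower() == key.lower():
            return v
    return None


def set_key(entries, key, value):
    """Replace an existing key (case-insensitively, as the VMX parser treats
    them) or append it at the end."""
    out, found = [], False
    for k, v in entries:
        if k is not None and k.lower() == key.lower():
            out.append((k, value))
            found = True
        else:
            out.append((k, v))
    if not found:
        out.append((key, value))
    return out


def drop_keys(entries, keys):
    unwanted = {k.lower() for k in keys}
    return [(k, v) for k, v in entries if k is None or k.lower() not in unwanted]


def prepare_clone_master(text, disk_name, display_name):
    """Step 2: repoint disk/name and pin the BIOS UUID with uuid.action = keep."""
    e = parse_vmx(text)
    e = set_key(e, DISK_KEY, disk_name)
    e = set_key(e, "displayName", display_name)
    e = set_key(e, "uuid.action", "keep")
    return render_vmx(e)


def prepare_deployment_copy(text, disk_name, display_name):
    """Step 5: repoint disk/name and remove the generated MAC and UUID keys so
    ESX hands out a new identity (and thus a new MAC) on first power-on."""
    e = parse_vmx(text)
    e = set_key(e, DISK_KEY, disk_name)
    e = set_key(e, "displayName", display_name)
    e = drop_keys(e, DEPLOYMENT_KEYS_TO_DROP)
    return render_vmx(e)


# Constructed sample .vmx; not taken from any real machine.
SAMPLE_VMX = """\
config.version = "6"
virtualHW.version = "3"
displayName = "master"
scsi0:0.present = "TRUE"
scsi0:0.name = "vmhba0:0:0:1:master.dsk"
Ethernet0.present = "TRUE"
Ethernet0.generatedAddress = "00:0c:29:aa:bb:cc"
Ethernet0.generatedAddressOffset = "0"
uuid.location = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
uuid.bios = "56 4d 00 00 00 00 00 00-00 00 00 00 00 00 00 01"
"""

if __name__ == "__main__":
    master = prepare_clone_master(SAMPLE_VMX, "vmhba0:0:0:1:clonemaster.dsk", "clone master")
    print(master)
    print(prepare_deployment_copy(master, "vmhba0:0:0:1:web01.dsk", "web01"))
```

Run it against a copy of the .vmx, never the registered original, and register the result with vmware-cmd as in steps 3 and 6; the script only rewrites text, so it does nothing about the .dsk copy itself.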

Tuesday, January 03, 2006

Windows 2003 Group Policy

Three days after installing a brand new DC, I have heaps of event errors on it:

Windows cannot access the file gpt.ini for GPO CN={31B2F340-016D-11D2-945F-00C04FB984F9},CN=Policies,CN=System,DC=X,DC=local. The file must be present at the location <\\X.local\sysvol\X.local\Policies\{31B2F340-016D-11D2-945F-00C04FB984F9}\gpt.ini>. (Configuration information could not be read from the domain controller, either because the machine is unavailable, or access has been denied. ). Group Policy processing aborted.


This is very annoying for me. However, I found this solution via Google:


This is one problem with multihomed DCs; in order to cure this you need to do a couple of things.

1. Set the binding order by going into network properties in Control Panel; in the Advanced menu select Advanced Settings. Make sure the internal NIC is at the top of the connections list and that Client for MS Networks and File Sharing are only bound on the internal interface.

2. You will need to make registry entries to stop the creation of the blank records for the external interface for both the domain name and the global catalog record. You will then have to manually create these two blank records. There is a KB describing this but I'm unable to find it; here is the reg entry, and you must use regedt32 to make it.
HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters

Registry value: DnsAvoidRegisterRecords
Data type: REG_MULTI_SZ

LdapIpAddress
GcIpAddress

3. On the Interfaces tab of the DNS server properties, set the DNS listener address to the internal IP.

4. On an XP client you need to upgrade the GPO by following this KB article:
Upgrading Windows 2000 Group Policy for Windows XP
http://support.microsoft.com/?id=307900

What happens is that DNS returns the IP of the external interface; file sharing is not enabled on that interface, and LDAP won't pass NAT.

Full Article: http://www.mcse.ms/message395201.html

My DC has dual NICs, btw: one for the internal LAN, the other one for the DMZ (virtual machines only).

Monday, January 02, 2006

VMware diskmount utility

The VMware disk mount utility is claimed by VMware to be able to mount a virtual disk into the local (host) operating system's file system. In fact, this utility corrupted one of my VMware snapshots, which in turn was unable to boot the OS.

The error was:

Unable to open disk "F:\Virtual\Windows XP Pro\Windows XP Pro-000002.vmdk": The parent virtual disk has been modified since the child was created. (18).


Luckily I have more than one snapshot, so rolling back to an earlier version brought the OS alive again.