Network Administrator Knowledgebase:

Networking

May 15 2008   1:55AM GMT

BGP



Posted by: Michael Khanin
Networking

BGP is the protocol that binds the Internet together: it exchanges reachability information between autonomous systems, and that is what lets a packet be forwarded across the globe in a fraction of a second and allows you to send email. Typically you will see Cisco routers handling this sort of heavy lifting, and it is their IOS configuration that we will review briefly.

ASN: Starting point
In order to have a BGP connection you will need an ASN (Autonomous System Number). You can get one through your Regional Internet Registry; in North America that is ARIN (American Registry for Internet Numbers). An ASN identifies an autonomous system, a network under one administrative control with a single routing policy; for inter-domain routing it plays a role somewhat like a VLAN ID does on a switched LAN, a higher-level grouping than subnets. There are private ASNs if you plan to use BGP for internal purposes only. The private (16-bit) ASN range is 64512 through 65535, and these must never be advertised to the public Internet.

IOS: Configuration info
Here is the basic configuration of two connections to two different autonomous systems from one Cisco router.

router bgp 64512
no synchronization
bgp log-neighbor-changes
bgp dampening
network 3.3.3.0 mask 255.255.255.0
neighbor 1.1.1.1 remote-as 64513
neighbor 1.1.1.1 description Provider 1 >>Provider 1 Support Line<<
neighbor 1.1.1.1 password 7 09823490822093482F
neighbor 1.1.1.1 update-source Loopback1
neighbor 1.1.1.1 version 4
neighbor 1.1.1.1 route-map Provider1 out
neighbor 2.2.2.2 remote-as 64514
neighbor 2.2.2.2 description Provider 2 >>Provider 2 Support Line<<
neighbor 2.2.2.2 password 7 09823490822093482F
neighbor 2.2.2.2 update-source Loopback2
neighbor 2.2.2.2 version 4
neighbor 2.2.2.2 weight 50
Note that `remote-as` takes a plain number (no "AS" prefix), and that a `network` statement without a mask is interpreted with the classful mask, so the mask is given explicitly. Let's walk through the configuration a bit. Here are the same commands with comments added at various places.

! This line starts the BGP process and tells the router which ASN it belongs to,
! i.e. the ASN it presents to its peers. A Cisco router runs a single BGP process,
! so it can only be a member of one ASN at a time.
router bgp 64512

! Log the changes when a neighbor goes up and down.
! This way you can see whether the BGP router you are peering with is stable.
bgp log-neighbor-changes

! This is the network that you are advertising via BGP. The mask is given
! explicitly because IOS otherwise assumes the classful mask; a matching route
! must exist in the routing table for the prefix to be advertised.
network 3.3.3.0 mask 255.255.255.0
! This is the ASN of your ISP or peered BGP network, written as a plain number.
neighbor 1.1.1.1 remote-as 64513
! While you don't technically need this line, it is important to use it
! for your own clarification.
neighbor 1.1.1.1 description Provider 1 >>Provider 1 Support Line<<
! Shared secret for TCP MD5 authentication (RFC 2385) of the BGP session.
! This authenticates the TCP segments so that a third party cannot inject
! updates or reset the session; it does NOT encrypt the routing data.
! The "7" means the password is stored in the configuration with Cisco type-7
! obfuscation, which is trivially reversible, so protect configuration backups
! as carefully as the password itself.
neighbor 1.1.1.1 password 7 09823490822093482F
! Source the session from a loopback interface so that it is not tied to one
! physical interface. The peer must have a route to the loopback address, and
! for an eBGP session to a provider this also requires "neighbor 1.1.1.1
! ebgp-multihop"; on a directly connected provider link the physical
! interface is normally used instead.
neighbor 1.1.1.1 update-source Loopback1
! The version of BGP that you are using. Version 4 is the current version and
! the only one in general use; IOS negotiates it by default.
neighbor 1.1.1.1 version 4
! Apply the outbound policy defined in route-map Provider1 (its definition is
! not shown here) to the routes sent to this neighbor.
neighbor 1.1.1.1 route-map Provider1 out
As a final note, BGP is a powerful protocol with lots of features and options. However, most ISPs don't support the full suite of options that BGP provides, so don't expect to use all of them to shape your traffic. Whatever you do use, make sure the outbound policy announces only your own prefixes: with two providers, an outbound route-map (or prefix-list) on each neighbor is what stops you from re-advertising one provider's routes to the other and accidentally becoming a transit AS.
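The comment on the `password 7` lines above says that type-7 storage is obfuscation rather than encryption. The following script is an added example (not part of the original post and not Cisco code) that shows exactly how weak it is: it implements the well-known type-7 XOR scheme in both directions and pulls the clear-text shared secrets out of a constructed IOS configuration fragment. The sample config, neighbor addresses and the type-7 blob in it are constructed for this example (the blob is the standard encoding of the string "cisco"); the page's own blob is not decoded because it is a placeholder.

```python
"""Cisco IOS type-7 password obfuscation (added example).

Demonstrates why "neighbor X password 7 ..." gives no confidentiality:
type 7 is a fixed-key XOR that anyone holding the config can reverse.
"""

# Fixed key used by IOS for type-7 storage. Well known; the first 40 bytes are
# the classic key, the tail extends it so long passwords can be handled.
_XLAT = b"dsfd;kfoA,.iyewrkldJKDHSUBsgvca69834ncxv9873254k;fg87"


def type7_decode(obfuscated: str) -> str:
    """Recover the clear text from a type-7 string.

    Format: two decimal digits (the seed, an offset into the key) followed by
    two hex digits per password byte, each XORed with successive key bytes.
    """
    if len(obfuscated) < 4 or len(obfuscated) % 2 != 0:
        raise ValueError("type-7 string must be an even number of chars, >= 4")
    seed = int(obfuscated[:2], 10)
    if not 0 <= seed < len(_XLAT):
        raise ValueError("type-7 seed out of range")
    body = bytes.fromhex(obfuscated[2:])
    clear = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(body))
    return clear.decode("ascii")


def type7_encode(clear: str, seed: int = 0) -> str:
    """Produce a type-7 string the way IOS stores it (IOS picks a seed 0..15)."""
    if not 0 <= seed <= 15:
        raise ValueError("seed must be 0..15")
    data = clear.encode("ascii")
    body = bytes(b ^ _XLAT[(seed + i) % len(_XLAT)] for i, b in enumerate(data))
    return f"{seed:02d}{body.hex().upper()}"


def neighbor_passwords(config_text: str) -> dict:
    """Extract and decode 'neighbor <ip> password 7 <blob>' lines from an IOS config.

    Returns {neighbor_ip: clear_text}. Anyone who can read a config backup can
    do this, which is why the TCP MD5 secret must be treated like a password,
    not like an encrypted field.
    """
    found = {}
    for line in config_text.splitlines():
        parts = line.split()
        if len(parts) == 5 and parts[0] == "neighbor" and parts[2:4] == ["password", "7"]:
            found[parts[1]] = type7_decode(parts[4])
    return found


# Constructed sample config for this example (not the page's own). The blob is
# the standard type-7 encoding of "cisco" with seed 08.
SAMPLE_CONFIG = """\
router bgp 64512
 neighbor 192.0.2.1 remote-as 64513
 neighbor 192.0.2.1 password 7 0822455D0A16
"""

if __name__ == "__main__":
    print(neighbor_passwords(SAMPLE_CONFIG))
```

Running the script prints the recovered secret for each neighbor. The only fixes for this are procedural: keep configuration backups and `show running-config` output under the same access control as the secrets themselves, and rotate the MD5 key with the provider if a config leaks.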

Apr 20 2008   7:31PM GMT

CoreConfigurator - Graphic Management Tool for Windows Server 2008 Core



Posted by: Michael Khanin
Microsoft Windows, Networking, Windows Security

The default management interface for Windows Server 2008 Core is the command line. Yes, the real power of Server Core becomes available with this approach, but sometimes it is not very user friendly. That is why I have been asking so many times whether anything more graphical exists :). One of the first recommendations for managing Windows Server 2008 Core is to use MMC from a remote machine, but MMC cannot do everything. Of course, before remote tools can be used at all, the relevant traffic has to be allowed through the Server Core firewall, and for many people that is harder than editing the registry. :) Therefore I would like to have a simple graphical tool for configuring the local system. Developing such an interface is complicated by the fact that Server Core has a limited set of graphics APIs, which is why the full MMC does not work on it.

So, since Microsoft has not provided such a utility, someone else did. Take a look at the CoreConfigurator utility developed by Guy Teverovsky, an MVP from Israel.

This is what it can do:

  • Product Activation
  • Configuration of display resolution
  • Clock and time zone configuration
  • Remote Desktop configuration
  • Management of local user accounts (creation, deletion, group membership, passwords)
  • Firewall configuration
  • WinRM configuration
  • IP configuration
  • Computer name and domain/workgroup membership
  • Installation of Server Core features/roles

To set up this utility, install the MSI package and then run CoreConfigurator.exe. The following interface will appear.

Incidentally, it is not necessary to install CoreConfigurator; we can simply copy its files onto the system. The result will be the same. The video settings look like this:

The "Show window content while dragging" setting can markedly improve the display of window objects if you work with the server over a terminal connection. Note that this setting affects only the current user. As you can see from the picture, to change the time zone the developer did not reinvent the wheel and simply calls the standard timedate.cpl.

Remote Desktop Options look like this:

All would be good, but in this version you still have to allow RDP connections through the firewall manually using netsh. Hopefully this will be fixed in the next version. Management of local users and groups is done through the following windows.

Installation of roles and features has become more visual:

At the moment the firewall management functionality is very limited, but at least it already includes all the rules needed for remote management.

Network interface configuration looks the way you would expect.

Entering the activation key and activating the OS is also very simple, and all of it is done via the GUI :)

In addition, let me show the WinRM interface and the interface for renaming the computer and joining it to a domain:

It goes without saying that CoreConfigurator is not officially supported by Microsoft. Many IT professionals will have doubts about whether to trust the author of the software; it is a third-party binary that runs with administrative rights on the server, so it deserves the same scrutiny as any other unsupported administrative tool. As usual, the choice of whether to put this utility on your server is yours. :)


Apr 7 2008   3:57PM GMT

Windows 2003 Loses Network Connections



Posted by: Michael Khanin
Microsoft Windows, Networking

If you have a server running Windows 2003, one day you may find it disconnected from the network :).

That is exactly what happened to me. A simple reboot, and the server lost network connectivity.
The event log was full of system errors like:

Event ID: 12291, SAM failed to start the TCP/IP or SPX/IPX listening thread

Event ID: 4292, The IPSec driver has entered Block mode. IPSec will
discard all inbound and outbound TCP/IP network traffic that is not permitted
by boot-time IPSec Policy exemptions. User Action: To restore full unsecured
TCP/IP connectivity, disable the IPSec services, and then restart the
computer. For detailed troubleshooting information, review the events in the
Security event log.

Event ID: 7023, The IPSEC Services service terminated with the following
error: The endpoint mapper database entry could not be created.

When you check the MS Knowledge Base for those errors you will find the following articles; the most popular are these:

http://support.microsoft.com/kb/930220
http://support.microsoft.com/kb/912023
http://support.microsoft.com/default.aspx?scid=kb;en-us;870910

BTW, apparently it is not caused by SP1. So, if you have implemented all the WORKAROUNDs mentioned in those articles and the server is still disconnected from the network, try a VERY simple solution :): change the RPC service to start as LocalSystem instead of Network Service. Of course, remember to reboot your server :). Keep in mind that LocalSystem is a far more privileged account than Network Service, so this widens what the RPC service can do on the box; treat it as a workaround to get the server back on the network, not as a permanent hardening choice.


Mar 24 2008   3:13PM GMT

VMware Workstation v6.0.3 Build 80004 Released



Posted by: Michael Khanin
Networking

New features in VMware Workstation include:
Windows Vista support: Users can deploy Windows Vista as a guest or host operating system, facilitating re-hosting of legacy systems, enabling upgrade and migration projects with minimal end-user disruption and simplifying Windows Vista evaluations.
Multiple monitor display: Users can configure one virtual machine to span multiple monitors or multiple virtual machines to each display on separate monitors with this industry-first capability, enhancing desktop productivity.
USB 2.0 support: Users can take advantage of high-performance peripherals such as Apple iPods and fast storage devices.
ACE authoring capabilities: As a companion to VMware Workstation 6, VMware now offers a VMware ACE Option Pack, which enables VMware Workstation 6 users to create secure, centrally manageable virtual machines. Mobility is one of the primary benefits of this Option Pack, as it allows users to securely transport virtual machines on portable media devices such as USB memory sticks.
Integrated Physical-to-Virtual (P2V) functionality: Users can create a virtual machine in minutes by “cloning” an existing physical computer.
Integrated virtual debugger: Users can deploy, run and debug programs inside a virtual machine directly from their preferred integrated development environments (IDEs), accelerating debugging with this industry-first integration with Eclipse and Microsoft Visual Studio.
Background virtual machine execution: Users can run virtual machines in the background without the VMware Workstation user interface for an uncluttered user experience.
Automation APIs: Users can write scripts and programs that automate and help quicken virtual machine testing with support for VIX API 2.0.

In addition, VMware Workstation 6 advances the state of the art in virtualization technology with groundbreaking new capabilities including:
Continuous virtual machine record and replay (experimental): Users can record the execution of a virtual machine, including all inputs, outputs and decisions made along the way. On demand, the user can go “back in time” to the start of the recording and replay execution, guaranteeing that the virtual machine will perform exactly the same operations every time and ensuring bugs can be reproduced and resolved.
Virtual Machine Interface (VMI) support (experimental): VMware Workstation 6 is the first virtualization platform to allow execution of para-virtualized guest operating systems that implement the VMI interface.
VMware Workstation 6.0.3 Release Notes.


Mar 10 2008   8:05PM GMT

Windows SharePoint Services 3.0 (WSS 3.0) and Forms-Based Authentication



Posted by: Michael Khanin
Microsoft Windows, Networking

I believe that these days it is not necessary to explain what SharePoint is. Everyone has at least heard the name. I would like to talk about how to install Windows SharePoint Services 3.0 and how to configure it to work in Forms-Based Authentication (FBA) mode. You may ask why Forms-Based Authentication? There are several reasons for choosing it. One of them was to offer a web hosting service with SharePoint enabled. With Forms-Based Authentication the webmaster can manage users directly through the web interface. In this mode all users are stored in an MS SQL database, so the webmaster does not need any permissions on the server or on the network.

So, let's start from scratch, step by step.
The first step is to install Internet Information Services (IIS). To do this I really recommend using "Manage Your Server" from Administrative Tools and adding a new role, Application server (IIS, ASP.NET). Please keep in mind NOT to do all of this on a Domain Controller; install WSS 3.0 on a member server. After IIS is successfully installed, start the installation of the Microsoft .NET Framework Version 2.0 Redistributable Package. If it was already installed, reinstall it after the IIS installation so that ASP.NET is registered with IIS. When we are finished with .NET Framework 2.0, we have to install the Microsoft .NET Framework 3.0 Redistributable Package; again, if it was already installed, reinstall it after the IIS installation. So far, so good. We are ready to start the MS SQL 200x installation process. It is a really straightforward process, so I am not going to explain how to press NEXT NEXT NEXT :).

By this point we already have IIS 6 and MS SQL Server installed on our server. Before we continue, PLEASE install the latest Windows updates, at least for IIS and MS SQL.
When all new updates are installed we are ready to start the installation of Windows SharePoint Services (WSS 3.0). On the "Choose the installation you want" screen select "Advanced".

On the next screen make selection according to the following picture:

When the setup process has completed, make sure to leave the "Run the SharePoint Products and Technologies Configuration Wizard" checkbox selected and click the "Close" button.

The "SharePoint Products and Technologies Configuration Wizard" should start immediately. On one of the next screens make your selection about the "farm" settings. In my case I selected according to the following picture.

OK, now we have to provide information about our SQL server. You can see what I set on my server:

Make sure to check the next screen:

By clicking on the "Advanced" button on the next screen you will see some information necessary for setting up "Active Directory Account Creation Mode", but we will speak about this in another article; for now just remember that it is there. So, we are not going to click on the "Advanced" button :), we just click NEXT and relax for the next few minutes until the wizard completes.

OK, now we have to create our first "Web Application". To do this we start "SharePoint 3.0 Central Administration" and go to the "Application Management" tab. On this tab we select "Create or extend Web application".

On the next screen click on "Create a new Web application". Fill out all the necessary information. Be careful in the "Application Pool" section. Take a look at my application:

Of course, you can use another user account, not Administrator, but when I do a configuration I prefer not to waste time on security issues and use the Administrator account. When I have a working system I start a hardening process and perform the security tasks. When the application is created, we need to create a new site collection. This process is straightforward, so I don't want to provide any additional information about it. After all this we can start IE and navigate to http://localhost. We should get something like this:

At this point we can start setting up Forms-Based Authentication mode. Let's allow anonymous access to our web site. We need to go back to "SharePoint 3.0 Central Administration" and to the "Application Management" tab. On that tab go to the Application Security section and click on the "Authentication providers" link. On the next screen select your Web Application, and under the "Anonymous Access" section select the "Enable anonymous access" check box, then click the SAVE button. Now that we have turned on anonymous access we have to go back to our default SharePoint web site (http://localhost) and from "Site Actions" select "Site Settings".

On the next screen click on the "Advanced permissions" link and from "Settings" select "Anonymous Access".

In the "Change Anonymous Access Settings: WSS 3.0" window select "Entire Web site" and click OK. We have enabled anonymous access and can continue to the most interesting part of this article. As the next step I recommend installing "Microsoft Visual Web Developer 2008 Express Edition" on the SharePoint server; it is absolutely free and can be downloaded from Microsoft. We will use it later on.

Now let's go to the directory "C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727" and run aspnet_regsql.exe. After a few seconds you will see the "ASP.NET SQL Server Setup Wizard" window. Click NEXT, and in the window that appears select "Configure SQL Server for application services" and, yes, click NEXT again. Now we have to provide the name of the server where our SQL server is installed and click NEXT. On the next window you will see that the wizard is going to create a database named aspnetdb; confirm this by clicking NEXT and then FINISH. Now let's open the application pool on our SharePoint server and check which user is configured on the "Application pool identity" screen. To do this open IIS Manager, expand SERVER, then Application Pools, and select the pool used in the SharePoint configuration. Right-click this pool and select Properties, then switch to the Identity tab. You should see a screen similar to this one:

Keep in mind that the user that runs the SharePoint application pool (on the IIS server) must have the db_datareader and db_datawriter roles on the newly created aspnetdb database; those two roles are all the membership provider needs, so do not grant it more.
Now let's create a new directory and name it "UserManagement". I created it at the following path:

C:\Inetpub\UserManagement

Inside UserManagement create a file named web.config. To skip a long explanation of what should be inside this file, I will just show you what I have in mine:

<?xml version="1.0"?>
<configuration>
  <appSettings/>
  <connectionStrings>
    <clear/>
    <add name="LocalSqlServer"
         connectionString="Server=WSS3-1;Database=aspnetdb;Integrated Security=SSPI;"
         providerName="System.Data.SqlClient"/>
  </connectionStrings>
  <system.web>
    <compilation debug="false">
    </compilation>
    <authentication mode="Forms" />
  </system.web>
</configuration>

Remember to put the correct name of your server in the following line (Integrated Security=SSPI means the application pool identity, not a SQL login, is what authenticates to SQL Server):

           connectionString="Server=WSS3-1;Database=aspnetdb;Integrated Security=SSPI;"

When we are done with this, we need to create a new "Virtual Directory" inside our SharePoint website. Open IIS Manager, find your SharePoint website, right-click it, select NEW and then "Virtual Directory".

In the "Virtual Directory Access Permissions" window allow the "Read" and "Run scripts (such as ASP)" permissions. Don't forget to go to the Properties of this virtual directory and make sure it uses the same application pool as the main SharePoint site.

OK, now it is time to start "Microsoft Visual Web Developer 2008 Express Edition". First, from the directory C:\WINDOWS\Microsoft.NET\Framework\v2.0.50727\CONFIG we need to open the machine.config file. Inside machine.config find the following string:

"AspNetSqlMembershipProvider"

A few lines up you will see a line containing the following string:

"add name="LocalSqlServer" connectionString="

Change this line according to the following example:

<add name="LocalSqlServer" connectionString="Server=WSS3-1;Database=aspnetdb;Integrated Security=SSPI;" providerName="System.Data.SqlClient"/>

Keep in mind that machine.config is machine-wide: this changes the default LocalSqlServer connection string for every ASP.NET 2.0 application on the server that does not override it in its own web.config.

OK, now we go to File > Open Web Site..., select Local IIS and the UserManagement virtual directory:

Now we need to start the "ASP.NET Web Site Administration Tool". From the menu go to Website and select "ASP.NET Configuration":

In the "ASP.NET Web Site Administration Tool" window click on the Security link.

On the next screen click on the "Select authentication type" link. Make sure the "From the internet" option is selected; this is what switches the site to forms authentication with the SQL membership provider.

Now we can press the DONE button. If we go to the Security tab and click on the "Create user" link we can create a new user.

All users created through this interface will be stored inside the aspnetdb database.
Now let's open the web.config of our main SharePoint site. In my case this file is located in the C:\Inetpub\wwwroot\wss\VirtualDirectories\80 directory. Right after the line </configSections> and before <SharePoint> add the following section:

<connectionStrings>
  <clear />
  <add name="LocalSqlServer" connectionString="Server=WSS3-1;Database=aspnetdb;Integrated Security=SSPI;"
       providerName="System.Data.SqlClient" />
</connectionStrings>

Finally we have to go back to SharePoint. Start "SharePoint 3.0 Central Administration" and go to "Application Management". Now we choose "Authentication providers" by clicking on the "Authentication providers" link in the "Application Security" section. Pick the current Web Application and click on its provider. Now we are able to switch the Authentication Type to Forms:

After switching to Forms we have to provide a Membership provider name. Set it to AspNetSqlMembershipProvider, as I did:

Of course, at the end click on the SAVE button.

So, now we can go back to our home site and, if we did everything correctly, we will be able to log in using Forms-Based Authentication.

Before I finish this article I'd like to show you one more thing.
By default the "ASP.NET Web Site Administration Tool" works ONLY locally. Here is what I did to allow using it remotely. Inside C:\Inetpub\ I created a directory ASP.NETWebAdminFiles and copied into it all the content of the %WINDIR%\Microsoft.NET\Framework\v2.0.50727\ASP.NETWebAdminFiles directory. Now open the file App_Code\WebAdminPage.cs and change the line:

return WebConfigurationManager.OpenMappedWebConfiguration(fileMap, path);

to the:

return WebConfigurationManager.OpenMappedWebConfiguration(fileMap, path,”Default Web Site”);

In the same file find the following block:

if (!application.Context.Request.IsLocal) {
    SecurityException securityException = new SecurityException((string)HttpContext.GetGlobalResourceObject("GlobalResources", "WebAdmin_ConfigurationIsLocalOnly"));
    WebAdminPage.SetCurrentException(application.Context, securityException);
    application.Server.Transfer("~/error.aspx");
}

and comment it out. This check is the only thing that restricts the tool to local requests; once it is gone, anyone who can reach the site that hosts the tool can manage your membership users, so that site must be protected by authentication and, where possible, by restricting which addresses can reach it.

Now create a new website that runs on port 8080 with C:\Inetpub\TEMP as its home directory (without any files inside this directory). Under this website create a new virtual directory (ASPADMIN) with the home directory C:\Inetpub\ASP.NETWebAdminFiles. Make sure it uses the same application pool as our SharePoint website. Also remember to check the ASP.NET version in the properties of both this website and the virtual directory; it should be 2.0.50727. I really recommend removing anonymous access on this website, since it now exposes the administration tool to the network.
Now, from a remote computer, we can use the "ASP.NET Web Site Administration Tool" by browsing to the following address:

http://192.168.32.10:8080/aspadmin/default.aspx?applicationPhysicalPath=C:\Inetpub\UserManagement\&applicationUrl=/UserManagement

Note: Remember to use the IP address or FQDN of your own server.

At this point, I can say “The End”.


Feb 21 2008   12:36AM GMT

Group Policy Settings Reference for Windows Server 2008



Posted by: Michael Khanin
Networking

Windows Server 2008 ships with Administrative Template (.admx/.adml) policy settings for computer and user configurations. The policy settings included in this spreadsheet cover Windows Server 2008, Windows Vista, Windows Server 2003, Windows XP Professional and Windows 2000.

To configure these policy settings we use Group Policy objects (GPOs). In addition, this spreadsheet includes the following categories of security policy settings:

  • Account Policies (Password Policy, Account Lockout Policy, and Kerberos Policy)
  • Local Policies (Audit Policy, User Rights Assignment, and Security Options)
  • Event Log
  • Restricted Groups
  • System Services
  • Registry
  • File System policy settings

Download here


Dec 24 2007   3:58AM GMT

Universal TCP/IP Network Bootdisk - Version 6.02 Released!



Posted by: Michael Khanin
Microsoft Windows, Networking

The Universal TCP/IP Network Bootdisk is a DOS boot disk that provides TCP/IP networking support. It is designed for use in Microsoft networking environments, on either peer-to-peer or domain-based LANs. Currently 94 different network card drivers are included, all on a single 1.44MB disk!

Change Log:
* Added Attansic L2 Driver
* Added Agere ET1310B driver
* Updated Broadcom B57 Driver + 2 more autodetection IDs
* Updated Broadcom NetXtreme II Driver
* Updated Intel Pro 1000 Driver + 6 more autodetection ID’s
* Updated RealTek 8168 Driver
* Updated RealTek 8169 Driver
* Updated Yukon Driver + 16 more IDs
* Added Nvidia autodetection 0268
* Disabled Ultra DMA on CD-ROM Driver - should prevent freezing issues
* Fixed Set=Drv bug in MakeDisk.bat build file

Note: Take a look at Microsoft Article ID 811497 to resolve problems logging on to a Windows 2000-based or Windows 2003-based server.
Download


Dec 16 2007   5:32AM GMT

PXE, aka Preboot Execution Environment, and Acronis - Part 2



Posted by: Michael Khanin
Microsoft Windows, Networking

Since I published the article "PXE, aka Pre-Execution Environment - Part 1" I have received a lot of emails with the same question: "Where is Part 2?". So, here it is.

I know many network administrators who work with Acronis products, and I also sometimes work with these good products. This week I did a project for one of my clients in Seattle, WA. The main idea was to deploy an Acronis image on new servers and configure those servers according to the system requirements. Once again, the servers came without a floppy drive or CD/DVD :), and as you all know, to restore an Acronis image on a new machine you have to use Bootable Rescue Media, i.e. a bootable CD with Acronis on it. Yes, I know that Acronis offers products with PXE integrated, but I don't have one :), so I used my own PXE server.

The first step was to create the Bootable Rescue Media. Then I took two files, kernel.dat and ramdisk.dat, from the Acronis directory and put them into the C:\PXEServer\TFTPRoot\Boot directory. Now it was time to make some small changes to our "default" file (located in the C:\PXEServer\TFTPRoot\Boot\pxelinux.cfg\ directory). After those changes my "default" file looks as follows:

DEFAULT menu.c32

TIMEOUT 300
ALLOWOPTIONS 0
PROMPT 0

MENU TITLE PXE Boot System

LABEL ACRONIS
MENU LABEL ^Acronis Bootable
kernel kernel.dat
append initrd=ramdisk.dat vga=791 ramdisk_size=32768 acpi=off quiet noapic

LABEL NetworkBoot
MENU LABEL ^Network Boot
kernel memdisk
append initrd=w98se-netboot.IMA

LABEL CleanBoot
MENU LABEL ^Clean Win 98 Boot
kernel memdisk
append initrd=W98.IMA

LABEL MemTest
MENU LABEL ^Memory Test
kernel memdisk
append initrd=W98_MemTest.IMA

The next steps were pretty simple ;): boot, select Acronis from the menu, select the image for recovery and...

Thanks to the time PXE saved me, I was able to spend some time in the very beautiful city of Seattle.

Related Articles
PXE, aka Pre-Execution Environment - Part 1


Dec 2 2007   11:08AM GMT

PXE and a Boot Disk Created on Windows XP



Posted by: Michael Khanin
Networking, Windows Computing

A few months ago I published the article "PXE, aka Pre-Execution Environment - Part 1". In that article I talked about the problem of using a boot disk created on Windows XP for PXE boot. I'd like to say thanks to Michael Bridge. He found a way to make the Windows XP floppy image of the netbootdisk work.

In \pxelinux.cfg\default, edit the append line for the image to

append initrd=.IMA raw

(add "raw" after the image name).
According to http://syslinux.zytor.com/memdisk.php this option makes memdisk use raw protected-mode memory access (INT 15h). Michael Bridge told me that he found the solution on this web site:
http://syslinux.zytor.com/archives/2007-July/008918.html


Nov 28 2007   9:08PM GMT

System Center Virtual Machine Manager 2007 Scripting Guide



Posted by: Michael Khanin
Networking, Virtualization

Microsoft has created, just for me :), a good white paper that I'd like to read:

System Center Virtual Machine Manager 2007 Scripting Guide

A very nice guide of useful script samples for SCVMM, which highlights common tasks:

Adding new Virtual Server hosts.
Configuring new Virtual Server hosts.
Deploying and configuring new virtual machines from the library.
Moving virtual machines between different hosts.

If you are working with Virtual Machine Manager, it is a must read!