Archive for the ‘Networking’ Category

15 Minute Beeps

I was asked to look into a beeping in a server room which no one could find. 

It was understandably difficult as there were three server racks with modems, routers, switches, servers, PCs, UPSs, CCTV, and audio equipment.  To add to that they were single beeps, spread widely apart, and within a noisy, concrete room.  I determined after a little while they were single beeps and exactly 15 minutes apart.  Typically first suspicions are the UPS units, but 15 minutes is not typical of APC UPS devices.  To make a long story short, it turns out in a far corner where 2 fiber internet connections entered there were small UPS units supplied by the service provider.  One of the UPS units showed a failed battery.  Being behind the open steel door, no one had seen the light.

This seems like a trivial post and an obvious solution but I am posting as there are many forums on the Internet with people not being able to locate a device creating a beep every 15 minutes.  This is common with FIOS, Verizon, and Bell equipment.  One story goes as far as to explain a fellow turning everything off in the server room, one device at a time, every 15 minutes, till everything was shut down and unplugged, but could still hear the beeps.


Access a resource using the same internal and external FQDN

For simplicity there are many reasons you may want a single URL or FQDN to access a resource internal or external to your corporate domain.  If the internal and external domain names are the same it can sometimes cause DNS issues resolving the public domain name from the corporate network.  I am often asked about this in reference to web sites; “why is our website accessible from anywhere but our business network?”   For example you want to access from a network that uses the internal domain net-works.local.  The internal DNS server manages DNS for net-works so it doesn’t pass on the request to the forwarder, but it also doesn’t have a DNS record for the www Host.  The simple solution is to create an internal zone for the host name you are trying to access. SBS 2008/2011 did this automatically for “remote” so that the same URL could be used internally and externally.  This technique can be used for accessing websites, DVR systems, or anything you like that uses a FQDN.

To do so open the DNS management console, expand the folders under your server name, right click on the “Forward Lookup Zones” folder, and select New Zone.  A wizard starts; click Next and you can select the zone type.  Accept the defaults, Primary Zone, and click Next.


Select “To all DNS servers running on domain controllers in this domain”.


In this case I am going to set up a universal URL for access to a DVR system, so I will enter  This could be www, remote, or whatever meets your needs.  Keep in mind for external access you must set up the DVR, or matching, Host record with whichever service manages DNS for your public domain.


Again accept defaults, and click next, and finish.


Now right click on the new zone folder and choose “New Host (A or AAAA)” record. Finally, again accept defaults except insert the IP address.  In this case it is an internal IP.  There should be no need for a PTR record creation.


When complete it should look similar to this:
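The wizard steps above can also be scripted. The following is an added example, not part of the original post, and assumes the DnsServer PowerShell module (Windows Server 2012 and later) run on the DNS server itself; dvr.example.com, www.example.com and 192.168.1.50 are placeholders.

```powershell
#Requires -Modules DnsServer
# Added example: create a single-host ("pinpoint") zone so that one FQDN
# resolves to an internal IP on the LAN, while every other name in the
# public domain is still resolved through the forwarders.
# All names and addresses used here are placeholders.

function New-PinpointZone {
    param(
        [Parameter(Mandatory)] [string]    $Fqdn,        # the one host name, not the whole domain
        [Parameter(Mandatory)] [ipaddress] $InternalIp   # LAN address of the resource
    )

    # Same choices as the wizard: AD-integrated primary zone, replicated
    # "To all DNS servers running on domain controllers in this domain".
    if (-not (Get-DnsServerZone -Name $Fqdn -ErrorAction SilentlyContinue)) {
        Add-DnsServerPrimaryZone -Name $Fqdn -ReplicationScope Domain
    }

    # '@' is the zone apex, so the A record answers for the FQDN itself.
    $apex = Get-DnsServerResourceRecord -ZoneName $Fqdn -Name '@' -RRType A `
                -ErrorAction SilentlyContinue
    if (-not $apex) {
        Add-DnsServerResourceRecordA -ZoneName $Fqdn -Name '@' -IPv4Address $InternalIp
    }
}

function Test-PinpointZone {
    param(
        [Parameter(Mandatory)] [string]    $Fqdn,
        [Parameter(Mandatory)] [ipaddress] $InternalIp,
        [Parameter(Mandatory)] [string]    $SiblingName  # another public name in the same domain
    )

    # Ask the local DNS service directly, bypassing the hosts file and client cache.
    $local = Resolve-DnsName -Name $Fqdn -Type A -Server 127.0.0.1 -DnsOnly `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }
    $sibling = Resolve-DnsName -Name $SiblingName -Type A -Server 127.0.0.1 -DnsOnly `
                 -ErrorAction SilentlyContinue | Where-Object { $_.Type -eq 'A' }

    [pscustomobject]@{
        Fqdn            = $Fqdn
        # True when the FQDN now answers with the internal address
        ResolvesInside  = [bool]($local | Where-Object { $_.IPAddress -eq $InternalIp.ToString() })
        SiblingName     = $SiblingName
        # True when other public names are still forwarded and resolved
        SiblingResolves = [bool]$sibling
    }
}

New-PinpointZone  -Fqdn 'dvr.example.com' -InternalIp '192.168.1.50'
Test-PinpointZone -Fqdn 'dvr.example.com' -InternalIp '192.168.1.50' -SiblingName 'www.example.com'
```

If SiblingResolves comes back False, the zone was most likely created for the whole domain rather than the single host name, which reproduces the original problem.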


Cisco/Linksys Bad Gateway

Recently after installing a new Linksys (Cisco) EA6300 router we received a “502 – Bad Gateway” error message when trying to access the web management page.


(Note: the IP in the image is correct for this site, but the default of course is

Installation of the router and configuring went as expected, and internet access by client machines was fine, but after completion and reboot the Bad Gateway message appeared when trying to log back into the router. This seems to be a common issue with numerous models not just the EA6300, but also the EA6500, EA4500, EA2700, E4200, E1200, and more.  There are numerous posts about this issue on many blogs and message boards, all of which suggest starting to resolve by pressing the reset button.  If you have a detailed configuration with custom IP configurations, port forwards, DDNS and more, that would be quite a nuisance and time consuming.

We discovered simply disconnecting the WAN / Internet connection to the router and refreshing the web management page allowed access and log in.  Once logged on the WAN connection could be reconnected.  Logging out and back in reproduced the problem.  The solution was to gain access as described and then using the built-in utility update the router’s firmware.  Once updated there were no further problems.

Windows Phone 8 App for my Blog

I am pleased to announce my Windows Phone 8 Blog app has been published.  As of yet it is not compatible with Windows Phone 8.1 but should be by the time of “official” release.  The app, which is free, can be downloaded from:

Multiple RDP Sessions on a PC –legal or not

There are many web sites outlining how to reconfigure Windows XP, Vista, and Windows 7 to allow multiple concurrent Remote Desktop Sessions, basically making a desktop PC a terminal server. On many occasions I have pointed out doing so is a licensing violation, however I confess I have never seen this specifically stated in any EULA.  I have been privy to discussions with Microsoft where this has been discussed, and Microsoft employees and support site personnel have often posted it is not permitted on various sites.

Having been asked to verify this I reviewed various EULAs (End User Licensing Agreements) and it seems Microsoft more often explains in detail what is allowed than what is not.  Much like your insurance company doesn’t state in your home owners policy you are not permitted to have bonfires in your basement.  Some EULAs, such as the one for Windows 7, mention; “The single primary user of the licensed computer may access a session from any other device using Remote Desktop”, but do not state you can have multiple sessions.  It does however state you can have multiple users sharing a single session using NetMeeting or Remote Assistance, which means both users are sharing the same desktop and application, not separate sessions.  The intent with this is to assist an end user.

The modification is promoted as a patch, but a patch would be provided by Microsoft. This ‘patch’ was created by someone named DeepXW who on their own web page refers to it as “Crack termsrv.dll, remove the Concurrent Remote Desktop sessions limit”.

Most of the reputable sites explaining the hack also include a disclaimer explaining it is a violation.  I have posted some examples at the end of my ramblings. Sites such as Experts-Exchange have even banned posting the hack as they have confirmed it is a licensing violation.

We also need to consider that if this hack were legal, you would also be required to buy RDP/RDS CALs (Client Access Licenses), and if Office were installed you would only be legit if you purchased volume licensing with one license for each user. The latter two are requirements on any multi-session Microsoft O/S.  The Office 2013 EULA does clearly state that you cannot have multiple sessions: “Remote access. The user that primarily uses the licensed computer is the “primary user.” The primary user may access and use the software installed on the licensed device remotely from any other device, as long as the software installed on the licensed device is not being used non-remotely by another user simultaneously.”  This same issue applies to third party software which in many cases has the same limitations.

Granted the hack does work, with some occasional Winsock issues, and though the chances of being caught are minimal, if discovered in a Microsoft audit, which does happen, the penalties are stiff.  I strongly encourage folk to approach this in a more secure, manageable, and legitimate way by using a Microsoft Remote Desktop Services Server (formerly called Terminal server).

Sample comments from various sites outlining the hack:

However, be warned. Before you begin, I need to warn you that patching the file and allowing more than one concurrent Remote Desktop session will violate a few lines in the Windows XP EULA. Proceed with caution and at your own risk. I shall not be liable for any damage caused to you, your computer, your data or your dog/cat because of this.  From <>

Desktop, which basically only allows the single primary user of the licensed computer to access a session of the computer. And that essentially tells us that the trick we revealed to enable multiple concurrent user in remote desktop in Windows 7 isn’t a legally licensed, despite that it’s really a good useful hack.  From <

I think you find it is a license violation, as win 7 is single user at time OS.
As with all version of windows you need a license for all current users.
If you “hack it” you have violated the TOS and have voided the windows license.  From <>

A quick note: enabling multiple concurrent RDP users may be against the Windows 7 End User Licensing Agreement (EULA). Please be sure to check the EULA beforehand and know that we do not recommend making these changes in cases where they may violate the EULA.  From <>

Regardless of what solution you come up with, concurrent desktop access (if you are not sharing a single session) is in violation of the desktop Windows EULA.   From <

RASdial (automate VPN connections)

In the past I wrote a couple of articles explaining how to connect to a business network using a Windows VPN prior to logon, so that domain authentication takes place and group policies and logon scripts are applied.  See:  Win 7 and earlier and Win 8

As pointed out in the articles, this only works for domain joined computers.  It has been brought to my attention that some folks would like to automate the VPN connection process on non domain joined machines.

Automate VPN connection – AFTER logon:

Basically you need a one line batch file and add it to the startup folder, but in detail:

  • Open a text editor such as Notepad and enter the lines below, substituting the name of your VPN connection for Acme, and inserting your user name and password

rem   Batch file to establish a VPN connection
rasdial  acme  username  password

    • Substituting  *  (an asterisk)  for the password will prompt for the password during the connection.  This is more secure, as otherwise the password is stored in clear text in the batch file.
    • Save the file to a location such as the desktop, but when doing so save using a .bat extension and enclose the name in quotes such as;  “VPN_Connect.bat”.  Notepad will add a txt extension if you do not use the quotes.
    • Saving to the desktop allows the user to double click on the file to establish the VPN connection.
    • If you want to automate the connection add the batch file to the startup folder and it will run after logon to the PC has completed.  The startup folder can be found in the following locations:

XP: Documents and Settings\All Users\Start Menu\ Programs\Startup
Win7:  C:\ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp

Remote Site Monitoring Alert

On occasion there may be a need to be notified if a remote server is off-line due to an Internet outage, router issue, power outage, or server down.  There are many excellent services that will monitor and alert you, but most are intended for multi-site and/or multi-server configurations and require a monthly fee.  You might just want to monitor a single site and be notified if it fails.

I had this situation and therefore decided to write a simple script to accomplish the task.  I am not a programmer so I am sure this could be improved upon, but it works.  Feel free to add suggestions or alternatives in the comments section, I am sure we would all be interested.

Basically there is a batch file that makes use of a free little utility called http-ping by which runs every ‘X’ minutes using a scheduled task and verifies if the site is accessible.  If not, a simple VBS script sends an e-mail alert.

Http-ping does need to be able to access an http or https server, which could be a web server, Exchange (OWA), a router management page, or one of many other possibilities.

To configure simply create a folder such as C:\SiteMonitor and place in it; the batch and VBS script below, and http-ping .  You will have to download http-ping from

Batch file:

@echo off
:: Enter the directory location (e.g. C:\SiteMonitor)
Set Directory=C:\SiteMonitor
:: Enter the address of the site to ping (e.g. or
:: (The first example should be used if you need to know if the public IP has changed)
Set Site=
If Exist %Directory%\PingResult.txt Del %Directory%\PingResult.txt
%Directory%\http-ping.exe %Site% >> %Directory%\PingResult.txt
:: findstr sets errorlevel 1 when no "Reply" line is found, i.e. the site is off-line
findstr /M "Reply" %Directory%\PingResult.txt
If %errorlevel%==1 GoTo EMAIL
:: The site replied, so exit without sending an alert
GoTo :EOF
:EMAIL
cscript %Directory%\SendAlert.vbs

VBS script:

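' VBS script to send an alert via e-mail
Dim SMTPserver, Sender, Recipient, Subject, Message, objMessage
' Set client specific variables
SMTPserver = ""
Sender = ""
Recipient = ""
Subject = "Alert off-line"
Message = "An automated script has determined the server at is currently off-line."
' Send E-mail
Set objMessage = CreateObject("CDO.Message")
objMessage.Subject = Subject
objMessage.Sender = Sender
objMessage.To = Recipient
objMessage.TextBody = Message
' CDO configuration fields: the SMTP server name, and sendusing = 2 (send over the network)
objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/smtpserver") = SMTPserver
objMessage.Configuration.Fields("http://schemas.microsoft.com/cdo/configuration/sendusing") = 2
' Commit the configuration and send the message
objMessage.Configuration.Fields.Update
objMessage.Send
Set objMessage = Nothing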

Customize scripts:

When complete save the batch file as something similar to SiteMonitor.bat.  In the batch file you need to set two variables; the “Directory” where you saved the files, and the “Site” http-ping is to test.  The site can be a FQDN or an IP, and needs to point to a server or router.  In some cases you need to add the port number. Some examples include:  (router)   (Exchange port 80)

In my case the site I wanted to monitor had a dynamic IP.  I needed to be alerted if the public IP changed due to a service used by the site that would not work with a DDNS service.  Therefore I used the last example above.

The VBS script needs to be saved as SendAlert.vbs or change the name used within the batch file to match.  In the VBS script you need to set the following 5 variables as per the examples in the script; SMTPserver, Sender, Recipient, Subject, Message.


Finally, you need to schedule a task to run the batch file every half hour (or your time frame).   The following is an example as to how to do so with Vista/Server 2008 and newer.  Similar can be done under Control Panel, Scheduled Task in XP/Server 2003 and earlier.

Open the Task Scheduler under Control Panel / Administrative Tools, click on Task Scheduler Library, and on the right select Create a Basic Task.  Assign the task a name and you can enter a description if you like.  Make sure you also select “Run whether the user is logged on or not”.


Configure the “Trigger” options as per the following image:


In the “Actions” pane choose to start a program, and point to your batch file:


You can then complete the wizard accepting defaults.  Your monitoring service should now be complete.  If you want to test, change the “Site” variable in the batch file to a non-existent IP or FQDN, and you should get an alert the next time it runs.  Note if troubleshooting, the results of the last http-ping are recorded in the directory you created, in a text file named PingResult.txt

Convert SBS 2003 to a virtual server

I recently needed to virtualize an SBS 2003, that is to say convert it from a physical machine to a virtual machine on a Hyper-V host.  I have done SBS conversions to VMware hosts in the past with little or no problem, but converting to Hyper-V, my preference, was a little more involved.  I first Googled the task and found many suggestions; based on the various articles and instinct, using Microsoft’s disk2vhd seemed the simplest solution.  I was wrong.  The first run on a test machine using a single disk worked well but did require several ‘tweaks’, and then when I added the data drives, which may have been unrelated, I ran into many problems, especially when I tried installing the Integration Services components.  Though disk2vhd has worked well for me with other operating systems in the past, for some reason the HAL in this case caused problems.

I am not suggesting the following is the best method, or even a good method, but perhaps it will be of some help to those attempting the same task.   I have posted the steps that worked flawlessly for me on a test server, trial run, and final move.  All of the following was done remotely.

Note: The process will require re-activation of the SBS license.  If SBS is an OEM version; it is a licensing violation to install on different hardware or virtualize, the activation will probably fail, and if it does Microsoft will not assist.

  • If working remotely you will need to maintain access at least to the Hyper-V host throughout entire process.  You can use RDP, VPN, LogMeIn, or any of a dozen other alternatives, but make sure it is in place and working, your existing RWW is about to stop functioning until complete.
  • Clean up the initial machine:  Remove the second/WAN NIC if present (not the LAN NIC) and run the CEICW (Configure E-mail and Internet Connection Wizard). Note that making network changes remotely can be risky, you can lose access.
  • Run the SBS 2003 Best Practices Analyzer and resolve any problems. 
  • Presumably you do not want e-mail delivered to the server, or remote users accessing the server,  during the move, so log onto the router and disable port forwarding on the necessary SBS ports 25, 443, 444, 1723 and 4125, for now.
  • Download and run the free VMware converter tool.   When running the tool make sure you right click on the program icon and choose “run as administrator”, if not you will receive an error; “A general system error occurred: Crypto Exception: error:02001005:system library:fopen:Input/ output error:unable to load C:\ProgramData\VMware\VMware vCenter Converter Standalone\ssl\rui.crt”. 


  • Clicking Next will deploy the conversion agent


  • In the “Destination System” window choose destination type as “VMware Workstation or other VMware virtual machine” and “VMware Server 2.x”.  The destination file location path must be to a network share, even if on the local machine.  I also found if running VMware Converter on the Hyper-V server, due to limited name resolution services running and not being a domain member, using the IP in conjunction with the user name worked best, such as\UserName, even if it is the local machine.  This was a simple workaround for the common credential error received by many; “The operation could not be completed for username due to incorrect user credentials”


  • Review the specifications for the resulting VM as to how much RAM is to be assigned (SBS 2003 is limited to 4GB), number of processors, and if you want to change/increase disk sizes.



  • In my experience the tool took less than 3 hours to convert about 100GB of files on 2 drives using a 10/100 mbps network, a relatively small site.
  • Next download and run Starwind’s free V2V conversion tool. This will allow you to convert the vmdk file, or files, created by the VMware converter to vhd files which will be compatible with Hyper-V.  If you have more than one vmdk, you will need to convert one at a time. You only need the vmdk files; the other config file/s created by the VMware converter are not necessary.


  • When running the tool, point to the vmdk file and choose to convert to “MS Virtual PC” format.  You can also choose whether the resulting vhd (Hyper-V disk) is to be a “pre-allocated” or “growable” image.  These are Starwind’s terms for a “fixed size” or “dynamically expanding” disk.  The former, “fixed”, is recommended on domain controllers, but not a requirement on recent Hyper-V servers.


  • I found the V2V conversion took about 60-70% as long as the previous P2V step. Once completed, if you need the drive space you can delete the .vmdk and other files created by the VMware Converter tool.
  • Using the Hyper-V management console you can now create a new VM using the wizard.  When doing so  presumably you want the maximum RAM, so set to 4000 MB, leave the network adapter as “not connected”, under “Connect Virtual Hard Disk” choose “Use an existing virtual hard disk” and select your system disk (disk containing the C: partition) created by the P2V/V2V steps above, under “Installation Options” select “Install an operating system later”, and click finish.
  • Next, open the settings console for the newly created VM.  It will have added a network adapter, remove it and add a legacy network adapter but again if the existing SBS is still powered up on the same network segment choose “not connected”, if you have multiple physical or virtual processors (cores) adjust the number of processors, if you have multiple disks add the others, and review the remaining settings.


  • You are ready to start up the new VM.  Boot the Virtual SBS and log in.  Ignore any offers to discover and add new hardware.  You will see a notice that you have 3 days to activate.  I recommend waiting until complete before doing so.  As mentioned do not install any hardware, but you may be prompted at different stages to reboot which you should do.  Note that you will have no mouse for this or the next 4 steps.
  • Manually configure the server’s NIC with the LAN IP, Gateway, and DNS pointing to its LAN NIC IP.  You can keep the same IP as the previous server if using the steps I have outlined.
  • Run the “Change Server IP Wizard” located under Server Management / Internet and E-mail, and keep the same IP as you just set.  The wizard will likely tell you it failed and you should run again due to inaccessibility to the LAN.  You can ignore.
  • Run the CEICW (Configure E-mail and Internet Connection Wizard) again, located under Server Management / Internet and E-mail, and make no changes, just accept the existing configurations.
  • Install the Hyper-V Integration Services by clicking “Insert Integration services Start Up Disk” under “Action” on the menu bar.  Allow this to complete and reboot as requested.  This can take a little while to run sometimes.
  • After reboot you may want to do some tweaking such as changing display size settings. 
  • You may also receive a message after rebooting; “At least one service or driver failed during system startup”.  Though this could be any one of a dozen services, reviewing the event logs may show a parallel port service error.  To resolve this, on the VM from a command line run;  sc config parport start= disabled
  • If not automatically removed, uninstall the VMware vCenter Converter Standalone Agent, using add/remove programs in the control panel.
  • Flush the DNS, NetBIOS, and arp cache to be safe using  “ipconfig /flushdns”, “nbtstat -R”, and “arp -d *”
  • At this point you should be able to shut down the old server.  You may want to verify WakeOnLan is enabled and record the MAC address if you think you might have to remotely restart.  If so, you can download Solarwind’s Wake-On-LAN tool.
  • You can now enable the Virtual NIC on the SBS by choosing the physical NIC (Virtual Switch) to which you want to associate the Virtual NIC, in the settings configuration of the VM.
  • Perform any internal testing such as access to other LAN resources, Internet access, printer availability, services by clients are working such as redirected My Documents, and anything else with which you might be concerned.
  • Assuming all is well you can now forward the ports on the router to the new Virtual SBS to allow incoming e-mail and remote access by users.
  • Test e-mail reception, and finally activate the server through the Windows Activation process.

Deploy Windows VPN using GP Preferences

With the addition of Group Policy Preferences, released with Server 2008 and newer, it is possible to easily and automatically deploy a Windows VPN client to domain joined computers.  You might want to do so for a specific group of computers such as mobile users with notebooks.

  • First, within the Active Directory Users and Computers console, create an OU in which you will place the computers to which you wish to deploy the VPN client. This would normally be a sub-OU of your Computers OU.  For our Example I’ll call it Mobile Computers
  • Next open the Group Policy Management console, locate the OU, right click on it and choose “Create a GPO in this Domain and Link it here”


  • Name the new GPO


  • Then right click on the new GPO and choose edit


  • Browse to Computer configuration | Preferences | Control Panel Settings | right click on Network Options | choose New, VPN Connection


  • Group Policy Preferences will allow you to create a PPTP or L2TP/IPSec connection, but not SSTP.  For simplicity this will outline PPTP.  Under the “New VPN properties” you will want to configure as follows:
  • Action: I recommend “Replace”.  If no connection exists on the client it will “Create”  a new one and if you modify your policy, it will automatically replace the existing one.
  • All Users connection.  This is important if the user wants to connect the VPN before logon so that authentication can take place and policies and logon script be applied.  For details see: Connect to a Windows VPN at Logon
  • Connection Name: Can be anything you like and will be displayed under connections on the user’s PC
  • Address: You can enter the IP or check the box “Use DNS name” and enter the public FQDN of your site
  • Icon:  I would also check the box “Show icon in notification area when connected” to allow the user to view the status of the VPN connection


  • Next  under Options there are no requirements to configure any features but you may wish to set redial attempts, idle time settings, or other options.
  • Under Security choose Advanced, Use these other protocols, MS-Chap v2, the default protocol used with Server 2008 and newer


  • Networking: Automatic is fine, but in a few cases folk have reported they needed to set this to PPTP
  • Nothing needs to be configured under Common
  • Click OK and your new Policy will be complete and appear in the list of Network Options


  • The only remaining step is to run GPupdate /force on the client, while connected to the domain, or at some point reboot.

There is one other parameter you may wish to configure.  When you manually create a VPN connection it automatically enables the “Use Remote Default Gateway” option.  This is a security feature that blocks local network access while connected to the corporate network by VPN.  For more information about the default gateway option please see Access local and VPN network Simultaneously.  You cannot configure this within the policy we created above but you can using a different GP Preference and an .ini file.  Peter Frederiksen has explained this nicely in the following TechNet forum:

There are other ways to automatically create a VPN client:
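One further way, on Windows 8 / Server 2012 and later, is the built-in VpnClient PowerShell cmdlets, which create the same all-user PPTP connection as the preference item above and can also set the default gateway option directly. This is an added example, not from the original post; the connection name and server address are placeholders.

```powershell
# Added example: script equivalent of the GP Preferences VPN item.
# Assumes the VpnClient module (Windows 8 / Server 2012 and later) and an
# elevated prompt, which all-user connections require.
# 'Acme VPN' and 'vpn.example.com' are placeholders.

function Install-AllUserVpn {
    param(
        [Parameter(Mandatory)] [string] $Name,
        [Parameter(Mandatory)] [string] $Server,
        # $false keeps "Use default gateway on remote network" enabled,
        # so local network access is blocked while the VPN is connected.
        [bool] $SplitTunneling = $false
    )

    # Mirror the "Replace" action: remove any existing profile, then recreate it.
    if (Get-VpnConnection -Name $Name -AllUserConnection -ErrorAction SilentlyContinue) {
        Remove-VpnConnection -Name $Name -AllUserConnection -Force
    }

    # Same settings as the preference item: PPTP tunnel, MS-CHAP v2,
    # available to all users so it can be used before logon.
    Add-VpnConnection -Name $Name -ServerAddress $Server -AllUserConnection `
        -TunnelType Pptp -AuthenticationMethod MSChapv2 -EncryptionLevel Required -Force

    # The option the preference item cannot set: make the gateway behaviour explicit.
    Set-VpnConnection -Name $Name -AllUserConnection -SplitTunneling $SplitTunneling
}

function Get-VpnProfileAudit {
    # Report every all-user profile with the settings that matter for review.
    Get-VpnConnection -AllUserConnection | ForEach-Object {
        [pscustomobject]@{
            Name                 = $_.Name
            ServerAddress        = $_.ServerAddress
            TunnelType           = $_.TunnelType
            AuthenticationMethod = ($_.AuthenticationMethod -join ',')
            # True means the remote default gateway is in use (no split tunnel)
            UsesRemoteGateway    = -not $_.SplitTunneling
        }
    }
}

Install-AllUserVpn -Name 'Acme VPN' -Server 'vpn.example.com'
Get-VpnProfileAudit | Format-Table -AutoSize
```

Running Get-VpnProfileAudit on its own gives a quick check of which machines have profiles where UsesRemoteGateway is False.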

Windows 8 connect to VPN before logon

Last year I did an article entitled “Connect to a Windows VPN at logon”.  Rather than duplicate, please refer to that article for details, but it has been pointed out the method outlined is not available in Windows 8.  Actually it is, but Win 8 by default alters the standard domain logon that was present since Win NT of pressing “Ctrl+Alt+Del”.  Restore that and you will again have the option to connect to a VPN prior to logon so you authenticate to the domain, and have group policy and logon scripts applied.

To re-enable “Ctrl+Alt+Del” either open the Local Security Policy under Control Panel, Administrative Tools, or open the local Group Policy editor by entering in the “Run” box gpedit.msc.  The location of the policy is in pretty much the same location in both, and setting in one will update the other.

  • In the Local Security Policy editor (control panel) it is located under; Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL
  • In the local Group Policy editor (gpedit.msc) it is located under; Computer Configuration | Windows Settings | Security Settings | Local Policies | Security Options | Interactive logon: Do not require CTRL+ALT+DEL

The default state of the policy in Win 8 is “Not Defined” which on a domain joined computer effectively results in enabled.  You need to set the policy to disabled which will force the use of “Ctrl+Alt+Del”.   After doing so, I recommend running from an elevated command prompt  gpupdate /force, though it should not be necessary when editing the local policy.  On that note; you can enforce the use of “Ctrl+Alt+Del” domain wide by creating a GPO on your Domain Controller and editing the same policy.


Once you do so, and log off, you will see the familiar “Press Ctrl+Alt+Delete to sign in” message in the top left corner of the logon screen.


After pressing “Ctrl+Alt+Del” there will be a small network icon in the lower left corner


Click on the network icon and you will be presented with any VPN connection created on that computer.  Note these VPN connections must have been created using the “Allow other people to use this connection” option.  This discussion also applies only to domain joined computers.



Enter your domain credentials, the VPN will connect, authentication to the domain will be processed, and group policies and logon scripts, including your mapped drives, will be pushed to the client.


UPDATE:  Should the PC not be domain joined and you wish to automate the VPN connection, please see:
