How can I add CALs to my SBS 2003, or SBS 2008

May 10, 2012

SBS 2003 CAL’s and SBS 2008  are no longer available for purchase, however there are still many of these servers in use and some in growing companies in need of additional CAL’s.  The solution is to buy SBS 2011 CAL’s and exercise downgrade rights.  Microsoft does have very good documentation available for doing so, but based on questions in the forum it seems to be very difficult to find, partially because the links have changed several times.  This article is by no means authoritative, you should refer to the current Microsoft documentation, but it is pulled, word for word, from the most recent documents I was able to find;   SBS 2011_Licensing_FAQ

The following outlines the options for purchasing, the downgrade rights available, and how to install the SBS 2003 CAL’s.  SBS 2008 of course does not require the CAL’s to be installed, you just have to maintain documentation for your CAL licensing for any potential audits.

Q. How do I obtain CALs for earlier versions of Windows Small Business Server when they are no longer offered on price lists?
A. It depends on what editions you need CAL for:

  • If you need additional SBS 2008 or SBS 2003 Standard CALs; you will need to acquire Windows Small Business Server 2011 CAL Suites and exercise your downgrade rights.
  • If you need additional SBS 2008 Premium CALs, they will remain available on the Open price lists for a period of time. This is due to the fact that the SBS 2011 Premium Add-on does not include the same components that are in 2008 Premium and therefore the SBS 2011 Premium Add-on CAL Suites do not offer downgrade rights.

Customers who acquire SBS 2011 CALs or SBS 2011 Premium Add-on CALs are eligible for the following CAL downgrades:

image

Q. How will SBS 2003 CAL activation work in that scenario since SBS 2011 [Edit: and 2008] does not require CAL activation but SBS 2003 does?
A. If you have acquired SBS 2011 CALs through the Volume Licensing (VL) channel, you can obtain SBS 2003 CAL product keys through the Volume Licensing Service Center (VLSC); these keys can then be used to downgrade to SBS 2003 (R2) CAL’s. For customers who have acquired SBS 2008 and 2011 CALs from channels other than VL, such as FPP and OEM, please use the following product keys to activate SBS 2003 Standard CALs.

A product key can only be used once to activate the designated number of CALs for that given key. Therefore a combination of keys may need to be used to activate all of your 2003 CALs. We have provided 3 keys that will activate 5 CALs each and 3 keys that will activate 20 CALs each. This is so customers can activate anywhere from 5 to the maximum number of 75 CALs supported with SBS 2003. It is recommended that you use the 20 CAL Keys first and then use the 5 CAL keys to avoid a situation where adding the 20 CAL key(s) last may put you over the 75 CAL limit when you have existing CALs.

image

Category:

SBS, SBS 2003, SBS 2008, Uncategorized

11 Comments

Tagged with:

Ping command…..needs to close

May 2, 2012

I had a client today advise they were unable to send or receive e-mail using Outlook.  Upon initial inspection this was the case and Outlook showed as disconnected (using Exchange).  There were no other obvious issues, web browsing and all network services “seemed” to be working properly.  However, there were frequent pop-ups with the message:   

TCP/IP ping command has encountered a problem and needs to close

Pinging did work fine, for the record. While doing a quick search for possible solutions I came across many others with a similar problem, so I thought I would take a moment to post my findings. 

The Event logs had additional errors the key one being:  Event ID: 4226,  Source: Tcpip,  TCP/IP has reached the security limit imposed on the number of concurrent TCP connect attempts.

Though there could be other causes, this usually indicates some sort of malware, as confirmed by EventID.net 

Kaspersky’s Anti-rootkit utility TDSSKiller located 2 viruses, and AVG a third as shown in the image below. Keep in mind other viruses could present themselves in the same way.  Clearing all temp folders and a full scan by multiple other malware detection apps did not reveal any other issues, but one must always be concerned that “once infected, always suspected”.   Outlook now worked properly with no repairs required to the application or networking.

image

Category:

Networking, Troubleshooting, Uncategorized

Leave a comment

Tagged with:

Connect to Windows VPN at Logon

April 29, 2012

The internet is littered with questions about VPN connection and authentication issues as a result of using cached credentials.

  • How can I automatically connect my Windows VPN at start up?
  • Why do I have to re-enter my user credentials when connecting my corporate VPN?
  • How do I get Group Policy to apply to VPN connected users?
  • How do I use my work domain user account when I work from home using a VPN?
  • Why won’t my logon script run when connecting by VPN?

You can connect from any PC using a VPN, but in most cases you do so after having logged onto the PC first. If this is a “domain joined” corporate PC, when you logon without the domain controller present, you are not authenticating to the domain but rather using the credentials cached on the local computer from a previous logon.  As a result Group Policy cannot be updated, logon scripts are not applied, and most often you have to re-enter your user credentials when you do choose to connect to the office via VPN.

It is possible to connect to the VPN at logon resulting in an experience similar to that of the office, except of course for the reduced file transfer speed,  However, there are few conditions that must be met to do so:

  1. This applies only to the Windows VPN client. Newer Cisco VPN clients and a few others do offer methods to connect the VPN before logon, but they use different processes.
  2. The computer must be a member of the domain, and therefore Pro, Ultimate, or Enterprise versions of the operating system.  At logon you will be providing domain credentials which are automatically passed to the local logon, thus they must be the same.  Using the same username and password is not enough as logon credentials include domain or computer names.  Domain\JDoe is not the same as LocalPCname\JDoe.  If the computer is not already a member of the domain, it is possible to join a remote domain using the VPN connection.  To do so please see:  https://blog.lan-tech.ca/2012/07/25/how-to-join-a-windows-domain-using-a-vpn/
  3. Should the PC not be domain joined and you wish to automate the VPN connection, after logon, please see: https://blog.lan-tech.ca/2013/06/08/rasdial-automate-vpn-connections/
  4. When you create the VPN connection you must check the box “allow other people to use this connection”.

image

Having met these conditions, at logon there is now an option to connect using the VPN during logon.

Windows Vista and Windows 7:

At logon select “Switch User” and a new blue icon will appear in the lower right next to the familiar red Shut Down icon.

image

Clicking the icon will allow you to use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows XP:

At logon after pressing ctrl+alt+del, if you click the “Options” button there will new be a check box “Logon using Dial-up connection” which will use the VPN connection, and simultaneously connect and authenticate to the corporate domain, and log on to your local PC

image

Windows 8:

Please see the more recent post to enable on a Win 8 PC

Slow Links:

Depending on the performance of the VPN connection, it is sometimes necessary for the network administrator to “tweak” a few Group Policies for slow network detection.  The following policies can assist with this:

Server 2008 / 2008 R2 / SBS 2008 / SBS 2011:

  • Computer Configuration | Policies | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Policies | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Policies | Administrative Templates | Network | Offline Files | Configure slow link speed

Server 2003 / SBS 2003 / SBS 2003 R2:

  • Computer Configuration | Administrative Templates | System | Logon | Always wait for the network at computer startup and login
  • Computer Configuration | Administrative Templates | System | Group Policy | Group Policy slow link detection
  • Computer Configuration | Administrative Templates | System | Scripts | Run logon scripts synchronously
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow-link mode
  • Computer Configuration | Administrative Templates | Network | Offline Files | Configure slow link speed

Client Deployment:

Network administrators may also want to considered creating a deployable VPN client for consistency, security, and with a company logo.  An earlier post outlines how to do so in detail:

https://blog.lan-tech.ca/2012/01/30/windows-vpn-client-deployment/

Category:

DNS, Networking, RRAS/VPN, SBS, Troubleshooting, Uncategorized, VPN, Windows 7

19 Comments

Tagged with:

Configuring Hyper-V Core

April 28, 2012

There are already dozens of articles relating to configuring Microsoft’s Hyper-V Server 2008 R2 (the free core version), however a colleague’s intimidation of command line server management inspired me to post my notes to ease his mind and perhaps those of a few readers as well.  Yes, it is a command line only version of server 2008 R2, with only a 15 line/option GUI to assist with the most basic configurations……..

image

Yet, after some minor configuration and enabling some basic services, you can manage the server in a very similar way you would manage others servers with; Hyper-V Manager, administrative tools, remote access, a file explorer, and even a web browser.

It is worth noting that there are definite advantages to using this version of Hyper-V.  It is free, it supports more than 32GB of RAM (server 2008 R2 standard does not, you need Enterprise or Datacenter editions), smaller footprint, and a somewhat limited attack surface.

Notes:

  • I am assuming Hyper-V core is successfully installed and you are at the point of configuring, if not the following links may help you get to this point Test Hyper-V compatibility, Step-by-Step Guide to Getting Started with Hyper-V
  • The assumption in this configuration is the Domain Controller and DNS server will be a virtual machine on the Hyper-V host. As a result it is recommended the Hyper-V host is not joined to the domain as no domain logon server will be available until after the guest VM has been started.
  • “Management PC” refers to the PC, or server, from which you wish to manage the Hyper-V host
  • All command line entries below, on both server and management PC, must be done from an elevated command prompt. On the server the default is elevated, which is confirmed by the “Administrator” on command window title bar

Server Configurations (Hyper-V host):

Run native Hyper-V GUI configuration tool:

  • The configuration tool (as in image above, should automatically start at logon but if not, from a command line, enter sconfig
  • Item #1: Leave as a workgroup
  • Item #2: Enter the computer name
  • Item #8: Configure the network: Use a static IP.  I recommend at least primary server be an internal DNS server, secondary an ISP. (Keep in mind on a domain joined server/PC you should not combine internal and public DNS servers, but this is not domain joined).  Best practices suggests 2 NIC’s should be enabled, one for management and the other for use by VM’s, though this is not necessary.
  • Item #9: Set date and time
  • Item #5: Set Windows update settings auto or manual.
  • Item #6: Download and install all updates, reboot as necessary
  • Item #3: Add any local admin accounts. I recommend adding new account with a name matching the login account of the remote management PC.  The names must match for some services to work.
  • Item #4: Configure remote management by enabling sub-options 1 to 3
  • Item #7: Enable remote desktop access (note this is still command line only)
  • Item #15 Exit to a command line

DNS:

As stated the Hyper-V machine is not a member of the domain, therefore it is recommended the following additions be made to assist with name resolution

Use the Hosts file to allow the Hyper-V host to resolve the name of the management PC.  From an elevated command prompt , open the Hosts file using Notepad by entering: notepad c:\Windows\System32\drivers\etc\hosts .  Add a record in the Hosts file for your management PC/s using

IP <tab> Pc’s DNS name <tab> # a note (optional) <enter>
eg: 192.168.123.123     PCname.MyDomain.local    # management PC

(Note: it is very important hit return, after every entry including the last line, and then save. For more information about Hosts and Lmhosts files, and their syntax see: https://blog.lan-tech.ca/2012/04/26/hosts-and-lmhosts-files/

Add the domain suffix to the domain search list within the registry to further assist with DNS name resolution.  Start the registry editor using regedit and locate the following registry key:

     HKLM\System\CurrentControlSet\Services\TCPIP\Parameters\SearchList

Then add your domain suffix such as mydomain.local (separate multiple suffixes, if needed, with commas)

Permissions:

To configure additional permissions on the Hyper-V host download Hvremote.wsf from:   http://archive.msdn.microsoft.com/HVRemote  to a USB drive or CD.  Then from a command line copy HVremote to local directory such as Temp folder.  DOS commands are as follows (assume HVremote is on a USB drive labeled D:

cd\
md Temp
copy D:\FolderName\hvremote.wsf  C:\Temp\hvremote.wsf

Run the following commands from the directory where hvremote is located to grant Hyper-V administrators the necessary permissions to do so.  This asdds the admin to the “Distributed COM User’s group”. Again from an elevated command prompt, run the following command using the user you created under Item #3 above in the initial configuration GUI.

     Cscript hvremote.wsf /add:user

If this is the first time hvremote has been used to add a user a reboot may be required

Firewall:

The necessary firewall exceptions should have been enabled by Item #’s 3 & 7 above.  You may also want to be able to ping (IPv4) the server for testing. To do so from a command line enter:

netsh firewall set icmpsetting 8

Or use the new command for “Windows Firewall with advanced Security”

     netsh advfirewall firewall add rule name=”ICMP Allow incoming V4 echo request” protocol=icmpv4:8,any dir=in action=allow

(Note: if cutting and pasting the above command, you will have to substitute the quotation marks using your keyboard.  This site’s/font’s quotation marks are not standard ascii characters)

For additional firewall information relating to pings see:  http://dpotter.net/technical/2010/02/enable-ping-on-windows-server-2008-2/

Management PC Configurations:

DNS:

If the PC is a member of a domain, you can add a Host (A) record to the DNS management console for the Hyper-V host, or you can make an entry in the management PC’s Hosts file similar to the instructions for the server. This will ‘point’ this to the server such as:

IP <tab> Server’s DNS name <tab> # a note (optional) <enter>
eg: 192.168.123.123     HVServerName.MyDomain.local     # Hyper-V host

Permissions:

As on the Hyper-V host, download HVremote from http://archive.msdn.microsoft.com/HVRemote  or copy from your USB Key to a local directory as below:

     cd\
md Temp
copy D:\FolderName\hvremote.wsf C:\Temp\hvremote.wsf

Using an elevated command prompt run the following commands from the directory where HVremote is located.  Where the Hyper-v host is not part of the domain you must enable anonymous DCOM access using:

     Cscript hvremote.wsf /mode:client /anondcom:grant

This one command must be run from an non-elevated command line:

Cmdkey /add:ServerComputerName /user:ServerComputerName\UserName /pass:UserPassword

Firewall:

There are 4 Hyper-V Management Client firewall exceptions that need to be enabled.  Running the following command, from an elevated command prompt, will do so:

     Cscript hvremote.wsf /mode:client /FirewallHyperVClient:Enable

You also need allow rules for MMC exceptions (management consoles) which can be applied with:

    Cscript hvremote.wsf /mode:client /mmc:enable

If you have other 3rd party firewall software installed, you need to manually configure it with the same exceptions.

If you wish to use the Disk Management component of the Computer Management MMC for the remote host, you need to enable the inbound “Remote Volume Management – Virtual Disk Service Loader (RPC)” exception with:

     netsh advfirewall firewall set rule name=”Remote Volume Management – Virtual Disk Service Loader (RPC)” new enable=yes

You also have to set the “Virtual Disk service” on the Hyper-V server to Automatic and start it.

sc config vds start= auto
sc start vds    (not needed if rebooting – will automatically start)

Reboot:

To apply all changes a reboot of the PC is recommended.

Testing connectivity:

When complete test and review the output using the commands below.  For details and troubleshooting download the documentation for HVRemote from:  http://archive.msdn.microsoft.com/HVRemote

From the server:

     Cscript hvremote /mode:server /show /target:clientcomputername

From the client PC:

Cscript hvremote /mode:client /show /target:ServerComputerName

Remote Management Tools:

RSAT tools:

Download and install RSAT (Remote Server Administration Tools) on the management PC making sure you have the RSAT version compatible with that PC’s operating system. The link for Win7 SP1 is below.  With these tools you can now connect the Hyper-V host and manage it from a PC using  all those familiar tools like Computer Management, Disk Management, Windows Firewall with Advanced security, Task Sheduler, etc., and of course the most important; Hyper-V manager which will allow you to create and manage your VM’s the same as you would if you had the full GUI version of Server 2008 R2 as a host.

http://www.microsoft.com/download/en/details.aspx?id=7887

Remote Console (RDP):

You can access the Hyper-V console (still command line only) using a standard RDP connection. You can also install “Portable Apps” which you can then run from an RDP session.  See further down in this list of Remote management tools.

     Mstsc -v:<Hyper-V host name>

Portable Apps:

You can run standard “portable apps” on the console, or during a remote desktop session such as:

Windows Explorer Equivalent A43:

http://www.alterion.us/a43/index.html

Firefox Web Browser (for security reason web browsing from the host is not recommended):

http://portableapps.com/apps/internet/firefox_portable

Others:

http://www.portablefreeware.com/all.php

Powershell:

To remotely run PowerShell you will need Powershell 2. which is available from Windows updates. To install and enable please see the following article http://geekswithblogs.net/twickers/archive/2009/11/04/136013.aspx  With it from the Host console, or remotely, you can manage many services using scripts/cmdlets from:

http://pshyperv.codeplex.com/

Others:

http://www.portablefreeware.com/all.php

PSExec:

PSExec is a tool developed by Sysinternals, now Microsoft that allows you to run DOS commands on remote machines:

http://technet.microsoft.com/en-us/sysinternals/bb897553

Hyper-V Monitor Gadget:

A great desktop gadget for monitoring the status of your Hyper-V servers, status and perfomance, as well as the ability to start and stop.  Requires permissions and services as outlined earlier.

http://hypervmonitor.codeplex.com/

Additional Resources:

Configure Hyper-V Remote Management in seconds

http://blogs.technet.com/b/jhoward/archive/2008/11/14/configure-hyper-v-remote-management-in-seconds.aspx

Full HVRemote documentation and download:

http://archive.msdn.microsoft.com/HVRemote/Release/ProjectReleases.aspx?ReleaseId=3084

Install and Configure Hyper-V Tools for Remote Administration

http://technet.microsoft.com/en-us/library/cc794756(WS.10).aspx

How to use the “netsh advfirewall firewall” context

http://support.microsoft.com/kb/947709

How to Enable Remote Administration of Server Core via MMC using NETSH

http://blogs.technet.com/b/askds/archive/2008/06/05/how-to-enable-remote-administration-of-server-core-via-mmc-using-netsh.aspx

Category:

DNS, Firewalls, Hyper-V, Networking, Troubleshooting, Windows 7

18 Comments

Tagged with:

Hosts and LMHosts files

April 26, 2012

Though rare, there still is an occational need or advantage to using Hosts and LMHosts files.  Though simple text files, the syntax used is critical.  The following is a repost from an older blog of mine.  I have done so in hopes that it may be helpful to some folk, and also it will be useful in and upcoming post regarding Hyper-V configuration and management.

There are two files in the %systemroot%\system32\drivers\etc directory that can be used for name resolution. The Hosts file, used for DNS name resolution, and the LMHosts.sam file used for NetBIOS name resolution. In an age where DNS dominates your network both locally and throughout the Internet, these two files are seldom ever used, but they can be very useful in a few situations. Both are simple text files that match names to IP addresses, and are very easy to create and implement. Most people are familiar with these files, but are often frustrated when they do not work as expected. This is usually due to the fact that they have some very simple, but specific requirements, for them to work at all.

LMHosts (NetBIOS names):

The primary use today for an LMHosts file, is for name resolution over a VPN. If DNS is configured on the host and client machines there should be no need of static text files for resolving names, but it does work well, and many folks uses them as a dependable simple solution. The catch is there are a few gotcha’s you need to be aware of:

  • The LMHosts file in it’s default form, is named lmhosts.sam The .sam represents sample. If you are planning on using this file it needs to be saved without a file extension – lmhosts. Be careful if using a text editor like NotePad as it will add a .txt file extension to the name. The safest method is to save the file using quotes, “lmhosts” to assure no extensions are added.
  • Text following a # in the LMHosts file is a comment and can be ignored or deleted.
  • A typical entry would look like:

192.168.100.101 COMPUTERNAME #PRE #my notes

  • When making a new entry you must hit enter at the end of the line, which adds a “carriage return”
  • Use the Tab key between items in each line rather than spaces (recommended but not necessary), but there must be a space.
  • Though it is not needed, adding the #PRE parameter or extension will load the entry into the local NetBIOS name cache when the computer boots. This allows for a slightly faster resolving of the name, before it has been added to the cache.
  • Most entries such as #PRE, #DOM, DOMAIN names and such are case sensitive. Always use uppercase to be safe.
  • It is a good idea to add the domain name as well. This requires two lines, and uses extremely critical formatting. A sample would be:

192.168.100.10 DCNAME #PRE #DOM:YOUR-DOMAIN
192.168.100.10 “YOUR-DOMAIN x1b” #PRE

There must be exactly 20 characters, including spaces, between the quotes in “YOUR-DOMAIN x1b”, and the spaces need to be between the domain name and the x1b. The domain name used is the NetBIOS name, not the FQDN. If your domain name exceeds 15 characters, you must truncate it at the 15th character, it will still work.

If you find this last step tedious, the University Of Sait Louis has a little Java script that will create these two lines for you: http://bflinux.slu.edu/LSI/tools/lmhosts.html

Hosts (DNS names):

The Hosts file today seems to be more used for blocking unwanted web sites. This is done by simply entering the website address and substituting the IP address with the localhost IP address such as:

127.0.0.1 www.unwantedsite.com#advertising site

There are subscription services that will actually update your Hosts file, according to a schedule, with a list of known unwanted sites.

Another handy use of the Hosts file is to create abbreviations for your own use. For example quick access to a website like Google can be achieved adding an abbreviation like ‘G”, or your firewall with ‘F”, or I frequently uses it for accessing client sites with remote desktop using 3 letter acronyms such as ACL for Acme Corp Ltd. :

64.233.187.99 G #Google

192.168.100.254 F #my firewall

123.123.123.123 ACL #Acme Corp Ltd

Most of the rules that apply to the LMHosts file, apply to the Hosts file as well:

  • The Hosts file already has no file extension, so there is no need to change it like the LMHosts file. Just be careful when editing you don’t accidentally add one such as .txt when using NotePad or a similar editor.
  • Text following a # in the Hosts file is a comment, and can be ignored or deleted
  • A typical entry would look like:

123.123.123.123 ftp.acme.com#company FTP site

  • When making a new entry you must hit enter at the end of the line, which adds a “carriage return”
  • Use the Tab key between items in each line rather than spaces (recommended but not necessary), but there must be a space.

Keep in mind when editing these files you can run into conflicts, or ineffective changes if you do not reboot or purge the local name caches. To clear the NetBIOS cache ( and PREload), at a command line enter (R is case sensitive):

nbtstat -R

To clear the DNS cache, at a command line enter:

ipconfig /flushdns

For the record, the Hosts file can also be used for IPv6 addressing. Vista for example includes the IPV6 localhost entry, by default:

::1 localhost

Category:

DNS, Networking, RRAS/VPN, Uncategorized, VPN

1 Comment

Tagged with:

Rogue DHCP Servers

April 23, 2012

On occasion you may be consulted about network issues which suggested a rogue or unknown DHCP server present on the network.  This can show up is several ways including the discovery of a PC with incorrect IP addressing, most often the wrong DNS server, or in an SBS environment the SBS DHCP service has shut down due to the presence of another DHCP server.  The dilemma is how to locate it.  There are a few tools that can be helpful with the process.

You may also have a case of an unknown device in the DHCP management console under address leases.  Some of these tools can be useful in isolating those as well.

Determine the DHCP server’s IP:

The first step is to locate the DHCP server’s IP.  You may be fortunate and have discovered the incorrect addressing on a PC.  In this case the DHCP server will be listed in the IPconfig /all results.  Alternatively you can use two different tools.

The first is Microsoft’s DHCPloc.exe (DHCP locator).  It can be downloaded as an individual executable from http://www.petri.co.il/download_free_reskit_tools.htm or as part of the Server Support Tools on the server’s installation CD.

Warning:  DHCPloc should not be run on the DHCP server itself.  Doing so can cause the DHCP server to stop responding to DHCP requests.

At a command line, from the directory where you have saved DHCPloc enter
  DHCPloc.exe <the workstation’s IP>
You may have to hit enter twice. You will be prompted to enter d, q, or h. Enter d for discover, and again you may have to hit enter twice.  It should return the IP of the DHCP server, or servers, and an offered DHCP address.
DHCPloc syntax:
http://technet.microsoft.com/en-us/library/cc778483.aspx

You may want to temporarily disable the network’s default DHCP service while running these tests.

image

The second method is to use Wireshark, from http://www.wireshark.org, a network packet analyzer and a much a more powerful tool.  Install Wireshark on a workstation, start a scan, and run an ipconfig /release and /renew to force a DHCP request.  Once complete you can filter the log by protocol and locate the DHCP related packets.  Do this quickly as Wireshark collects a substantial amount of data very quickly.  There are tutorials available to become familiar with Wireshark.

image

 

Find the MAC Address:

With any luck you now have the IP of the DHCP server.  Next is to find the device’s MAC address.  By now it should have been recorded in the arp table, but if not try pinging the IP.  Then from a command line run  arp –a  or arp –a |find “IP address”  to recover the MAC address of the device.

image

 

Determine the Manufacturer:

The fist 6 characters of the MAC address are assigned to the manufacturer, therefore we may be able to determine the make of the device in question.  In the example above we would use 00-15-5d  in conjunction with a site such as  http://standards.ieee.org/develop/regauth/oui/public.html and determine the registered manufacturer/vendor was Microsoft Corporation.  This may or may not be helpful since in this case it simply indicates it is a Virtual machine.  Often it will provide results such as Cisco-Linksys, D-Link Corp., Apple Inc. which may give you a better indication as to the type of device, perhaps a Linksys router installed by an employee to add wireless to his or her office.

image

 

Locate the device:

Physical location is much harder to establish, especially if it has been intentionally hidden.  It is always best practice to keep a floor plan with all network drops and to disconnect any unused network drops at the patch panel, but it doesn’t do much to protect you.  If you have managed switches you can locate the port to which the IP or MAC address is connected and start tracing from there.  However, if you do not have managed switches you are best to run a continuous ping  (ping  –t 192.168.19.21) and start unplugging cables at the patch panel until you have dropped packets .  A little crude, but effective.

I will publish an article in the near future to more proactively address this issue using DHCP filtering.

Category:

Firewalls, Networking, SBS, Troubleshooting, Uncategorized

5 Comments

Tagged with:

Windows 8, Hyper-V, and SLAT

March 11, 2012

Windows 8 desktop O/S will include Hyper-V support, however there seems to be some confusion about hardware requirements.

Hyper-V server has always required:

“Processor : x64 compatible processor with Intel VT or AMD-V technology enabled.
Hardware Data Execution Prevention (DEP), specifically Intel XD bit (execute disable bit) or AMD NX bit (no execute bit), must be available and enabled.”  (from http://www.microsoft.com/download/en/details.aspx?id=3512)

This hasn’t changed with the Hyper-v server version of Windows 8, but the desktop version of Hyper-V will require the processor also be SLAT compatible.  So, how do I know if my system will support Hyper-V?  Microsoft has a simple little command line tool called CoreInfo that will check for all requirements.   http://technet.microsoft.com/en-us/sysinternals/cc835722

Simply open a command window with elevated privileges and run  coreinfo –v  to display the supported virtualization features.  An asterisk indicates supported and a dash means unsupported.

image

Intel64 Family  –  indicates 64 bit support
Hypervisor is present  –  shows if the Hypervisor role is currently enabled
Supports Intel hardware-assisted virtualization  – verifies Virtualization support
Supports Intel extended page tables (SLAT)  –  confirms SLAT compatibility

Another little utility worth mentioning is Securable by GRC.com   This has been a standard for testing for Hyper-V compatibility, but so far does not include tests for SLAT support.  It does however have a specific DEP check. http://www.grc.com/securable.htm

image

I should also point out, if you plan to enable Remote FX support on a Hyper-V server (a server O/S), whether Server 2008 R2 or Windows Server 8, you will need a SLAT compatible processor.

Category:

Hyper-V, Windows 8

1 Comment

Tagged with:

Windows Phone 7 subnet calculator

March 8, 2012

On occasion I have a need to determine if a specific IP falls within a given subnet.  If for example it were an IP such as 192.168.1.80, and the network is defined as 192.168.1.0/24  (24 = subnet mask of 255.255.255.0) it is pretty obvious.  However when using classless subnetting and less common subnet masks, such as those supplied by ISP’s, it is a little more involved.  As a second example consider the IP 12.34.56.80.  Is it part of the same subnet as 12.34.56.78/29 (29 = subnet mask of 255.255.255.248) ? 

You can certainly do manual calculations using binary numbers like 00001100.00100010.00111000.01100100, or with the Internet readily at hand you can use subnetting calculators.  I recently stumbled on a great little free app for Windows Phone 7 called Network_CalculatorV2.  It is a very handy tool to have in your pocket the few times you might need it rather than searching the internet for that site you found last year, but can’t seem to find now.  It will also do pings to IP’s and DNS names, but it is the network calculator that I found particularly useful and simple to use.

To download search the “Marketplace” for Network_CalculatorV2 or visit:  http://www.windowsphone.com/en-CA/apps/ad048e80-70b1-4c98-9a85-fa644150a9ff

Category:

Networking, Windows Phone 7

Leave a comment

Tagged with:

Am I logged onto a virtual or physical machine ?

March 7, 2012

I was asked; “When logging onto a remote machine, how do I know if it is a physical or virtual, server or PC” ?  Since the experience is “virtually” the same, it is not readily apparent.  There are a few ways to verify but in my opinion the simplest is to run systeminfo from a command line.  Within the output, next to “System Manufacturer” and “System Model:” it will show:

  • On a VM running on Hyper-V => “Microsoft Corporation” and “Virtual Machine”
  • On a VM running on VMware Server => “VMware, Inc.” and “VMware Virtual Platform”
  • On a physical machine => “System Manufacturer” or the actual manufacturer, and the motherboard model number such as D945GNT (Intel)

To parse the results of systeminfo and only return the information to determine if virtual or not, run:

systeminfo |find “System Model”

image

Category:

Hyper-V, Networking, Uncategorized

Leave a comment

Tagged with:

SBS 2008/2011 Renew 3rd party Certificate

March 3, 2012

It seems many Small Business Server 2008 existing third party SSL certificates are expiring and some people are confused about how to renew.  Instructions on the internet often involve lengthy solutions involving the IIS management console.  The forums show that these methods frequently result in failure to import the certificate or it is not properly bound to the default SBS Web Sites.

SBS makes this process very easy. Once again, use the wizards, use the wizards, use the wizards…

Note: This article addresses SBS 2008 and SBS 2011 Standard. If running SBS 2011 Essentials I recomend reviewing Robert Pearman’s Blog article; Renew your SSL Certificate : SBS 2011 Essentials 

I should confirm this article addresses 3rd party SSL certificates, if you are using an SBS self-signed certificate, you simply need to run the “Fix My Network Wizard” to renew.

Open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right hand  menu select “”Add a trusted certificate”

image

Choose “I want to renew my current trusted certificate with the same provider”

image

Allow the encrypted certificate request to be generated and click copy.  You could go from here directly the the vendor from whom you are going to purchase and renew the certificate, but there are often delays with process so I recommend pasting to Notepad to retain the text file for a few minutes.  Alternatively you can click the “save to file” button and accomplish the same thing.

image

If you think the provider will supply the certificate immediately you can leave this window open and wait, but most often you are best to put the process in “suspend mode” by selecting “My certificate provider needs more time to process the request”

image

….and complete the wizard.

image

Next, log onto your certificate provider’s webs site, purchase the certificate renewal, create the certificate by copying and pasting the saved contents of Notepad (the encrypted CSR text) when prompted, wait for your certificate approval (usually sent by e-mail), download the certificate, and save to a location of your choice on the server.

Now you can import the certificate.  Once again open the Windows SBS console and browse to Network | Connectivity | highlight “Certificate” | in the right hand menu select “”Add a trusted certificate”.  This time choose “I have a certificate from my certificate provider”.

image

Browse to the location where you saved the certificate.

image

….and complete the wizard.

image

You can confirm your certificate has been imported / updated by choosing “View certificate properties” from the same Windows SBS console window, and reviewing the expiry date.

image

Category:

Networking, SBS, SBS 2008, SBS 2011, Uncategorized

15 Comments

Tagged with: