When Switches Are Too Smart

October 24th, 2009 by Paul Sterley | No Comments | Filed in Hardware

Too smart for what? Too smart for me, apparently. I know, some switches are designed for very granular control of the network, and these are high end expensive features meant for locking down and fine-tuning networks. That’s not my typical scenario though, and this one tripped me up for a few hours.

 

The situation:

·         Dell PowerEdge R710 server, shiny and brand new.

·         ESXi 3.5 U3 booting from a memory stick.

·         iDRAC configured and working.

·         ESXi tested and working fine on NIC1.

·         1st NIC on the server is plugged into an HP Procurve switch.

·         2nd NIC on the server is plugged into a Cisco Catalyst Express 500 switch.

 

When I moved my VM from the first virtual switch (also hosting iDRAC and management network) to the 2nd NIC to allow it unhindered performance, DHCP stopped working.

 

Everything else seemed fine. DHCP was authorized. Scope was activated. Scope was in the correct subnet.

 

When I moved another VM into the same virtual switch, it could talk to the DHCP server just fine. Nobody else (on other virtual switches or other physical workstations) could.

 

After much troubleshooting, which I will spare you the painful details of, I discovered the problem:

 

The Cisco Catalyst switch had all of its ports set to the “Desktop” Smartports role, which enables port security “to limit unauthorized access to the network” (and also to give IT guys headaches). Port security caps the number of MAC addresses a port will learn, and a hypervisor uplink presents one source MAC per VM (plus the vmkernel interface if management shares the vSwitch), so a port secured for a single desktop stops passing frames as soon as a second address appears behind it.

 

Once I switched the port to the “Other” role (for unspecified devices, no security), DHCP went live again and all was well in the world. Note that “Other” drops the port’s security and QoS entirely; where the switch lets you adjust the port-security limit instead, raising the maximum MAC count to cover the VMs behind the uplink keeps the protection while still letting the hypervisor through.

 

Here is a breakdown of the Smartports roles on the Catalyst Express 500, with the brief explanation of each role:

 

Desktop

·         Optimized for desktop connectivity

·         Configurable VLAN setting

·         Port security activated to limit unauthorized access to the network

 

IP Phone + Desktop

·         Optimized QoS for IP Phone + Desktop configurations

·         Voice traffic is placed on “Cisco Voice” VLAN

·         Configurable data VLAN

·         QoS level helps ensure that voice-over-IP (VoIP) traffic takes precedence

·         Port security activated to limit unauthorized access to the network

 

Router

·         Configured for optimal connection to a router or firewall for WAN connectivity

 

Switch

·         Configured as an uplink port to a backbone switch for fast convergence

·         Permits 802.1Q trunking

 

Access point

·         Configured for optimal connection to a wireless access point

·         Configurable VLAN

 

Server

·         Can be classified as trusted, critical, business, or standard server

o    Trusted—For use with Cisco Unified Communications Manager Express; same QoS setting as for voice (VoIP traffic is prioritized)

o    Critical—For crucial servers with QoS set higher than default

o    Business—Default setting; QoS higher than for desktop Internet traffic

o    Standard—For servers set to same level as regular desktop Internet traffic

·         Configurable VLAN

·         Port security activated to limit unauthorized access to the network

 

Printer

·         QoS settings for Printer are the same as for Desktop, Access Point, and Standard Server

·         Configurable VLAN

·         Port security activated to limit unauthorized access to the network

 

Guest

·         Guests are allowed access to the Internet, but not to the company network

·         All guest ports are placed on “Cisco Guest” VLAN

·         Port security activated to limit unauthorized access to the network

 

Other

·         Cisco Smartports Other role allows for flexible connectivity of nonspecified devices

·         Configurable VLAN

·         No security

·         No QoS policy

 

Diagnostic

·         Customers can connect diagnostic devices to monitor traffic on other switches (configurable using Cisco Configuration Assistant only)


Operating System Discussion: Windows 2003 vs 2008? Windows XP vs 7?

October 22nd, 2009 by Paul Sterley | No Comments | Filed in Antivirus Software, Migration, Security, Virtualization, Windows Server, Workstation OS

Server Operating Systems:

At this time, I see little reason to upgrade to Windows 2008. For what most servers do, Windows 2003 does the job just fine, and is still being supported (with hot-fixes, but not Service Packs) by Microsoft. The software you run on it likes 2003 just fine. Before long, new hardware will be built with Windows 2008 in mind, and Windows 2003 drivers for your hardware might get harder to find. However, I recommend moving to virtual servers at that time, and it will then not be necessary to have Windows drivers for your new server. The virtualization layer (hypervisor) will handle that, and the “virtual hardware” assigned to your server will work fine with Windows 2003 for many years to come.

Exchange 2007? Let’s just not talk about that right now. This is an OS discussion, and I will just say that I intend to resist that one as long as possible too, until Microsoft remembers that if we wanted to manage everything with command lines and scripts, we’d be using Linux with Sendmail or some open-source, command-line driven equivalent.

Terminal Servers, however, could benefit from a Windows 2008 upgrade. Terminal Services (now called Remote Desktop Services) functions have been greatly improved in 2008, specifically in the area of publishing applications seamlessly without giving the users access to the entire desktop – and in the area of remote printing. Remote printing has been a major thorn in your side, and Windows 2008 can help you with that. I believe the new Terminal Services is web-accessible, making it very easy to set up new workstations to use it.

Here is another, more detailed discussion of those improvements.

Is it worth the cost to upgrade? Your customer will have to decide.

Workstation Operating Systems:

I am happy to say that most of my customers have managed to skip right over Windows Vista.

I have not had much experience yet with Windows 7, but my limited experience suggests that Microsoft learned a lot from their Vista flop, and worked to smooth out the rough edges that made people despise Vista. My limited experience also suggests that Windows 7 is still too new for widespread adoption, with pitfalls lurking due to software applications and drivers not being fully compatible with Windows 7 yet.

That being said, we are entering a more sophisticated age of malware and viruses, and it may be time to leave behind the less intrusive security measures we have been enjoying with Windows XP, which is now allowing more and more PCs to become infected – just as it happened with Windows 2000. It will be a rocky time, when we try to balance having appropriate access to our own computers against making them wide open to attacks. Some software will work OK when installed with an administrative account and then used by someone else. Some will not. We’ll have to work out which software requires which installation method, and perhaps sometimes temporarily give a user administrative access to their machine to get something installed and configured, then take it away to help protect them. We can do this with Windows XP for now, and then later with Windows 7.

For the time being, I will recommend that my customers continue to purchase workstations that come with Windows 7 licenses, but have a downgrade to XP installed on them. This will continue for as long as possible, until we start seeing the rate of virus infection become too high, or other factors necessitate a change. The age-old cycle of viruses and antivirus software one-upping each other continues, and maybe we’ll see a comeback of the antivirus software.

For now, Dell is offering workstations with Windows 7 licenses, with Windows XP installed – but only in the Business section.

So, am I just being resistant to change? There is some of that, but I do not embrace change for its own sake. There has to be some benefit, other than the many hours of billable work I could get from pushing customers into unfamiliar operating systems just because Microsoft wants to keep their money machine rolling. Let me just say that I was determined to be open-minded about Vista. I gave it a solid try. When asked whether I wanted Vista or XP on my company-supplied laptop, I chose Vista. I suffered it for 6 months, before finally deciding that enough was enough. I had passed the learning curve and the pain continued. I went back to XP. So no, it is not just resistance to change. There are good reasons for me to hold back. They are related to deficiencies of the new OSes, financial reasons, and the general difficulty of being among the first to move to new technology.

Unless there are specific, compelling benefits to be gained in each scenario, then you won’t see me jumping first to new versions of the OS. Not me, not this time.


Trend Micro: Are Trained Monkeys Adding Threat Classifications?

October 20th, 2009 by Paul Sterley | 1 Comment | Filed in Antivirus Software, Trend Micro

When I go to http://icanhascheezburger.com, which is a WordPress Blog showing cute cat pictures with (sometimes) funny captions, the page loads OK, but then I get this pop-up error a few seconds later.

[screenshot: trendwarningpopup]

However, I did some research on js-kit.com, and found that it is a site that makes plug-ins for people to rate things in blog pages. There’s nothing sinister about it. I googled the heck out of it looking for anyone who was saying it was a malicious thing. I found none.

I went directly to the URL listed as being dangerous, and I got the following warning, again from Trend Micro:

[screenshot: trendwarningdetail]

So I went to www.js-kit.com, without the “ratings.js” on the end, and I learned that it is a site written by people who create plug-ins for blog sites, so people can rate how cool they thought particular items were. Again, nothing sinister.

However, I also noticed that when the page loaded, the Internet Explorer icon next to the Address Bar showed an icon that looks a little bit like the Trend Micro icon. It’s blue, it’s circular, and it has some squiggles in it – but it’s NOT the same icon, and they are not pretending to be Trend. They’re not spoofing, but I can see why a moron might think so. Here is the comparison between the two:

Trend icon:
[image: trendmicrotrayicon]

JS-Kit icon:
[image: js-kiticon]

Maybe an idiot might think those were the same icon, but I don’t.

Further information about JS-Kit:
They build plug-ins for blogs. Their site tells how to embed the plug-ins. It’s really pretty straightforward. Here are the instructions:

[screenshot: js-kit-usage]

…and here is a URL to their FAQ, telling all about what they do.
http://wiki.js-kit.com/FAQ+-+Navigator

I called Trend Micro support and asked about it. The tech did not have any idea why it was blocked, and when I showed him the JS-Kit icon, he actually made noises like he thought it was fishy, that it was a good reason for them to be blocked. I had to educate him about how the icons may be SIMILAR, but they are NOT the same.

I’ve submitted this information to Trend Micro. Hopefully they will see how dumb they are being and it will be removed from their block list.

In the meantime, I guess I’ll add it to my exclusion list.

Update: I just got this from Trend Micro Support (potentially sensitive info blocked out):

From: Trend Micro Technical Support
Sent: Wednesday, October 21, 2009 11:03 AM
To: Paul Sterley
Subject: [SR#-#-##########] [WFBS 6.0] Website Blocked

 

Hi Mr. Sterley,

 

Good Day!

 

The URL that you submitted has now been untagged on our detection list.

 

Please confirm.

 

It is beneficial for our records to be up to date, by simply REPLYING Back to this email. Please let me know if I was able to resolve your Concern(s) so I may formally close this case for you. A simple “Close this case” note would do.

 

Again, thank you for your time.

 

Sincerely yours,

Xxxxxxx Xxxxxxxx

Systems Engineer

NABU SMB Support, Trend Micro Inc.


How to Test MS SQL Connectivity

September 24th, 2009 by Paul Sterley | No Comments | Filed in Uncategorized

This is a fairly complicated subject, as SQL is a fairly complicated application.

 

Maybe you need to test connectivity to your SQL server as part of preparations for a failover.

Maybe you’re having some problems with getting a client application to connect and you want to make sure your SQL server is responding.

Maybe it seems to work locally but not remotely, and you want to gather more information on where you can connect from and where you cannot.

 

There’s no really simple methodology for testing this, because MS SQL can be configured in many different ways – using Windows authentication or SQL Server (sa) authentication, using TCP/IP or Named Pipes, on different ports, even on dynamic ports.

 

So rather than present a step-by-step approach that will only work for one specific configuration, I’ll point you to some articles that will help you determine which way SQL is configured first – and then how to test it using that information.

 

 

This one is about enabling remote connections, but in the process it tells us where to look for the actual port number being used:

http://blogs.msdn.com/sqlexpress/archive/2005/05/05/415084.aspx

 

This one helps us figure out whether the server is using TCP/IP or Named Pipes, whether or not Dynamic Ports are being used, etc:

http://support.microsoft.com/default.aspx/kb/265808

 

This one helps us use SQLCMD to connect to x instance with y port, giving a number of syntax examples:

http://msdn.microsoft.com/en-us/library/ms188247.aspx
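The links above tell you where to look; as an added example (not from the original post, and not code from those articles), here is a PowerShell script that pulls the steps together: read each instance’s static or dynamic TCP port from the registry on the SQL host, check that the port is reachable from the client, then try the connection each way with sqlcmd. The server name SQL01, instance SALES, port 1433 and login appuser are hypothetical, and the registry layout assumed is the SQL 2005/2008 one.

```powershell
# Added example, not from the original post: work out how a SQL Server
# instance is listening, then prove connectivity with sqlcmd.
# Hypothetical names: server SQL01, named instance SALES, static port 1433.
# Part 1 runs on the SQL host; parts 2 and 3 run on the client.
param(
    [string]$Server   = 'SQL01',
    [string]$Instance = 'SALES',
    [int]$Port        = 1433
)

# --- 1. On the SQL host: which TCP port is each instance bound to? ---
# SQL 2005/2008 keep this under MSSQL.n or MSSQL10.<INSTANCE>. A blank TcpPort
# with a populated TcpDynamicPorts means the instance picked a dynamic port
# at startup, so a port hard-coded in client connection strings will break.
$root = 'HKLM:\SOFTWARE\Microsoft\Microsoft SQL Server'
Get-ChildItem $root -ErrorAction SilentlyContinue | ForEach-Object {
    $ipAll = Join-Path $_.PSPath 'MSSQLServer\SuperSocketNetLib\Tcp\IPAll'
    if (Test-Path $ipAll) {
        $p = Get-ItemProperty $ipAll
        New-Object PSObject -Property @{
            InstanceKey     = $_.PSChildName
            TcpPort         = $p.TcpPort
            TcpDynamicPorts = $p.TcpDynamicPorts
        }
    }
} | Format-Table InstanceKey, TcpPort, TcpDynamicPorts -AutoSize

# --- 2. From the client: is the TCP port reachable at all? ---
# Separates "SQL refused the login" from "a firewall dropped the packet".
function Test-TcpPort {
    param([string]$ComputerName, [int]$TcpPort, [int]$TimeoutMs = 3000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $TcpPort, $null, $null)
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($async)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}
"TCP $Server`:$Port reachable: $(Test-TcpPort -ComputerName $Server -TcpPort $Port)"

# --- 3. From the client: can we actually log in? ---
# a) Windows authentication, instance name resolved via SQL Browser (UDP 1434).
sqlcmd -S "$Server\$Instance" -E -l 5 -Q "SELECT @@SERVERNAME, @@VERSION"
"instance-name connect exit code: $LASTEXITCODE"   # 0 = success

# b) Same instance by explicit port: works even when UDP 1434 is blocked,
#    and tells you whether the problem is SQL Browser rather than SQL itself.
sqlcmd -S "tcp:$Server,$Port" -E -l 5 -Q "SELECT 1"
"explicit-port connect exit code: $LASTEXITCODE"

# c) Named pipes explicitly (default pipe name for a named instance).
sqlcmd -S "np:\\$Server\pipe\MSSQL`$$Instance\sql\query" -E -l 5 -Q "SELECT 1"
"named-pipes connect exit code: $LASTEXITCODE"

# d) SQL Server authentication: give -U and omit -P so sqlcmd prompts,
#    keeping the password out of the command line and the shell history.
sqlcmd -S "tcp:$Server,$Port" -U appuser -l 5 -Q "SELECT SUSER_SNAME()"
"SQL-login connect exit code: $LASTEXITCODE"
```

Run it as a user who is allowed to log in to the instance. If (b) succeeds while (a) fails, the instance itself is fine and the SQL Browser service or UDP 1434 is what is blocked; if the TCP reachability test fails, look at the Windows Firewall on the SQL host (and at whether the instance is actually listening on the port you found in part 1) before blaming SQL.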

 

If any of these links go missing, please send me a comment so I can replace them.


Serve DHCP While Restoring Your Server

July 30th, 2009 by Paul Sterley | No Comments | Filed in Not in the Windows Box, Windows Server

How many times have you found yourself restoring a server which happens to be the DHCP server, and the leases start expiring? Suddenly, it goes from one server being down, to the entire network being down.

I find that when fixing problems with servers during business hours, the users will often be quite content to leave me be, as long as they can surf the web while I work. Sometimes they cannot do this because the server is also the DNS server.

It’s not worth the time to set up a temporary DHCP server, right?

Wrong.

There is an open source project called Dual DHCP DNS Server. It’s free, it’s powerful, and it is very quick and easy to set up. Assign a static IP address to any workstation, download and install this, adjust a few lines in the INI file, and you’re off and running. The installation takes only a few seconds. At the end, without a reboot, it (optionally) starts the service.

You just need to edit a few lines in the DualServer.ini file. The most important ones for a simple setup are:

[DHCP-RANGE]
DHCP_Range=192.168.2.100-192.168.2.199
Subnet_Mask=255.255.255.0
DNS_Server=4.2.2.2
Router=192.168.2.1
Lease_Time=1000

Override the default settings and adjust them for your network, (re)start the service, and you’re good to go. Use a range that does not overlap the production scope, and stop the temporary service as soon as the real DHCP server is back, so that two servers are not answering the same requests.

Of course there are plenty of options in there, and you can get as complex as you want with this utility - but if you’re like me, you’d rather do that with a fancy GUI DHCP server built into Windows. For a free quick-start simple DHCP server though, this is the ticket.
