No, I haven't forgotten that I've got a blog. In fact, I've got a ton of stuff to put in here. But I've just been way too busy.
A quick note, though. Something I learned the hard way this morning. Both DHCP and WINS don't seem to like sitting on a box that has a NIC with multiple IP addresses. Most of the time, they seem to bind to whichever address is the primary, but it's not 100%.
I had a server that was soley a PDC with DNS, DHCP, and WINS. I've been wanting to get it out of the rack (mainly for the space). I've got a perfectly capable Dell server that I moved the services to.
But, since so many of my clients have static IP addresses (grumble), I needed to ensure that the IP of the old server still would resolve names. Easy enough--just add the address to the adapter on the newer server, right? That worked great for DNS, but WINS and DHCP choked. They both bound to the primary address only.
So, if you ever have need to move those services to a machine with multiple IPs on a single card, check the services after the fact to make sure that they bound to the card you were expecting.
Monday, October 20, 2003
Wednesday, September 03, 2003
Dear Lord, give me bandwidth
Why did the chicken cross the road? Because they had broadband available on the other side. I've been working on setting up our newest branch. Our current approach is DSL and a VPN router to connect to our main site. The DSL provider told me 3 weeks was normal install time--but then most of the eastern seaboard lost power. Whether it's true or not I don't know, but our install date has been bumped because of the power outage. And we needed to go live Sept. 2.
I've been working on a failover plan for our other branches involving a Snapgear router. Most Snapgears support both broadband and dialup (using an external modem). The goal was to get a Snapgear to our remote sites, and have them configured to dial up to the internet if the DSL connection went down. I'd done some testing. Then Sept. 2 rolled around, and it got thrown right into prime time. And what a spectacular failure it was.
Part of it was the fact that we took a bunch of guys who are used to the 100mb connection in their offices, and put them out remotely for a day. It's amazing how quickly you can fill up a 44kbs pipe. But even with one person connected, I still had problems. Telnet sessions (which we depend on) dropped sporatically. Most network resources were fine, but those stateful connections got to be a real pain.
The wierd part is that I remember using Telnet back in college over 9600kbs dialup on static-y dorm room phone lines. It always seemed pretty forgiving. But it wasn't yesterday. I'm still not sure if it's the additional overhead that the IPSEC tunnel adds to the mix, or if it's just plain line speed. But we were sitting around yesterday trying to figure out a way to get a long range wireless connection to work through a hill and a number of highways.
Thankfully I spoke with our DSL "engineer" this morning, and while he doesn't have any specific dates yet, he feels it should be very soon, and he's working for us to try to get the install moved up in the priority list. Until that's in, I'm laying low trying to avoid the bullets aimed in my direction...
Why did the chicken cross the road? Because they had broadband available on the other side. I've been working on setting up our newest branch. Our current approach is DSL and a VPN router to connect to our main site. The DSL provider told me 3 weeks was normal install time--but then most of the eastern seaboard lost power. Whether it's true or not I don't know, but our install date has been bumped because of the power outage. And we needed to go live Sept. 2.
I've been working on a failover plan for our other branches involving a Snapgear router. Most Snapgears support both broadband and dialup (using an external modem). The goal was to get a Snapgear to our remote sites, and have them configured to dial up to the internet if the DSL connection went down. I'd done some testing. Then Sept. 2 rolled around, and it got thrown right into prime time. And what a spectacular failure it was.
Part of it was the fact that we took a bunch of guys who are used to the 100mb connection in their offices, and put them out remotely for a day. It's amazing how quickly you can fill up a 44kbs pipe. But even with one person connected, I still had problems. Telnet sessions (which we depend on) dropped sporatically. Most network resources were fine, but those stateful connections got to be a real pain.
The wierd part is that I remember using Telnet back in college over 9600kbs dialup on static-y dorm room phone lines. It always seemed pretty forgiving. But it wasn't yesterday. I'm still not sure if it's the additional overhead that the IPSEC tunnel adds to the mix, or if it's just plain line speed. But we were sitting around yesterday trying to figure out a way to get a long range wireless connection to work through a hill and a number of highways.
Thankfully I spoke with our DSL "engineer" this morning, and while he doesn't have any specific dates yet, he feels it should be very soon, and he's working for us to try to get the install moved up in the priority list. Until that's in, I'm laying low trying to avoid the bullets aimed in my direction...
Saturday, August 16, 2003
If they want it, they can turn it on...
Oh, I forgot something (or maybe I'm just looking for excuses to stay up even later). About my "performance tuning" on those Prolineas: I'm sure you're asking "How can you make sure that, when a new user logs in, they are set to "Performance" as well?" I understand your curiosity. After all, when a new user logs into a machine, and they don't have a roaming profile (we don't use them yet), their default settings are to have all the fancy colorful stuff that XP has. I wish I could change that default...
Well, duh, I wouldn't be talking about this if you couldn't. Here's my main "user related" tasks when setting up a new machine (unless I work from an image--which I'm not doing just yet):
1. Setup the machine in a workgroup. It's just easier this way--trust me.
2. Create one extra user (in addition to Administrator). Log in as this user when the time comes.
3. In Control Panel|Users, turn off the "Welcome Screen". It'll get turned off when you add the system to the domain anyway, and it makes the following steps a lot easier.
4. Setup your current user (we'll just call it "User1") the way you want. Themes, Start menu, desktop, background image (or lack thereof), everything. If you want to use the "Send To" trick from my first post, set this up as well for "User1".
5. Log out, and log in as Administrator. Notice how everything is so Windows XP-y, and nothing like you had setup "User1".
6. Go into My Computer properites, to the "Advanced" tab, and click the settings button for "User Profiles"
7. Select your "User1" profile. Click the "Copy To" button. Enter "C:\Documents and Settings\Default User" (of course, if your documents and settings folder is somewhere else, change this path accordingly). Hit OK a couple of times. This copies the "User1" profile--which you setup exactly how you like it--to the "Default User" profile.
At this point, you could add the machine to the domain and be happy. But I like to do a couple more steps:
8. Log out, and log in as User1.
9. Go into My Computer properties, Advanced, and "Settings" in User Profiles. Select the "Administrator" profile, and click "Delete". This deletes the current Administrator profile (not the user ID).
10. Log out, and log in as Administrator. Note how it's your "default" profile now. Cool, huh?
11. Go back to that User Profile settings screen (again), and delete the "User1" profile. Also, go into Users in Control Panel and delete the User1 user. Don't want a local user with Admin rights that doesn't have a password.
12. Now add the machine to the domain.
One thing I haven't been able to try yet is to take a "Default User" profile directory from one machine, and put it on another. Seems like it should work--after all, this is all that Roaming Profiles do. If it does work, then I could have my "Gold" default profile on the network, and just copy it to a machine--effectively skipping pretty much every step above. I could also publish updates to the "default" profile, at the same time deleting all other profiles, to force updates out. But this would just tick off clients--imagine your desktop and start menu just getting wiped out and replaced every couple months.
Oh, I forgot something (or maybe I'm just looking for excuses to stay up even later). About my "performance tuning" on those Prolineas: I'm sure you're asking "How can you make sure that, when a new user logs in, they are set to "Performance" as well?" I understand your curiosity. After all, when a new user logs into a machine, and they don't have a roaming profile (we don't use them yet), their default settings are to have all the fancy colorful stuff that XP has. I wish I could change that default...
Well, duh, I wouldn't be talking about this if you couldn't. Here's my main "user related" tasks when setting up a new machine (unless I work from an image--which I'm not doing just yet):
1. Setup the machine in a workgroup. It's just easier this way--trust me.
2. Create one extra user (in addition to Administrator). Log in as this user when the time comes.
3. In Control Panel|Users, turn off the "Welcome Screen". It'll get turned off when you add the system to the domain anyway, and it makes the following steps a lot easier.
4. Setup your current user (we'll just call it "User1") the way you want. Themes, Start menu, desktop, background image (or lack thereof), everything. If you want to use the "Send To" trick from my first post, set this up as well for "User1".
5. Log out, and log in as Administrator. Notice how everything is so Windows XP-y, and nothing like you had setup "User1".
6. Go into My Computer properites, to the "Advanced" tab, and click the settings button for "User Profiles"
7. Select your "User1" profile. Click the "Copy To" button. Enter "C:\Documents and Settings\Default User" (of course, if your documents and settings folder is somewhere else, change this path accordingly). Hit OK a couple of times. This copies the "User1" profile--which you setup exactly how you like it--to the "Default User" profile.
At this point, you could add the machine to the domain and be happy. But I like to do a couple more steps:
8. Log out, and log in as User1.
9. Go into My Computer properties, Advanced, and "Settings" in User Profiles. Select the "Administrator" profile, and click "Delete". This deletes the current Administrator profile (not the user ID).
10. Log out, and log in as Administrator. Note how it's your "default" profile now. Cool, huh?
11. Go back to that User Profile settings screen (again), and delete the "User1" profile. Also, go into Users in Control Panel and delete the User1 user. Don't want a local user with Admin rights that doesn't have a password.
12. Now add the machine to the domain.
One thing I haven't been able to try yet is to take a "Default User" profile directory from one machine, and put it on another. Seems like it should work--after all, this is all that Roaming Profiles do. If it does work, then I could have my "Gold" default profile on the network, and just copy it to a machine--effectively skipping pretty much every step above. I could also publish updates to the "default" profile, at the same time deleting all other profiles, to force updates out. But this would just tick off clients--imagine your desktop and start menu just getting wiped out and replaced every couple months.
Mmmm...frozen Mt. Dew.
Had too much of it at the theater tonight, so here I sit at 1am typing away. Not a whole lot of stuff today. Figure I'll share a couple of little tidbits:
IPSEC VPN Tunnels don't pass Multicast packets. Who cares? Well, if you've got a client on the far side of a VPN telnetting to an AIX (or maybe any Unix) box on your end, and he/she leaves the session alone for a while, it disconnects them. It seems that if the session is just sitting there (no keyboard activity to let the server know that the client is still alive), and if it doesn't respond to enough "Are you out there" queries from the server, the server will toast the connection. AIX seems to send these packets out as a multicast, which doesn't go through our VPN. No way around it, either, without setting up routers internally on each network to create a GRE tunnel between the sites. Bummer.
Installed XP on another of our Compaq Prolinea 2266s today. Put a little extra RAM in those (I bumped the XP ones up to 128MB), and XP runs really well. I was quite surprised. I usually cut down on the color depth (shared video RAM, so the lower your color depth, the more system RAM you've got), and then change the visual settings to the "Performance" option. As long as our application requirements don't change, I think that XP could give us another two years out of these systems. Well, if the hardware holds out, that is.
I've got a plan for them, though, even when I start replacing them. Most of our sites use 64kbs leased lines to connect back "home". With MSBlast out, I've been trying to figure out a good way to get patches and updates out to a site, so they are easily accessible to users at that site without "downloading" it over the slow line multiple times. My hope is to put one of these old machines (running XP with 128MB RAM and possibly a set of mirrored 4GB hard drives) at each site. It'll have a single shared folder that I can run an automated cleaning process on occasionally. I can also use it as a print server--installing printers is a huge pain right now, because I have to track down the IP address of the printer, setup a port, find the driver, etc. If I create a print queue in XP (works in 2K as well), I can embed the drivers for various versions of Windows, and have a single stop for installing printers.
As a continuation of yesterday's post (well, really Thursday's post), thought I'd pass on some more coolness with PSTools. I installed XP SP1A onto a system today. Without touching the system. I copied the update to the system to be patched, and ran it on that system using PSTools. It took over an hour, but I think that was just system speed (these are something like 266mhz Cyrix chips, after all). I kept an eye on network traffic, and after the transfer of the SP to the destination system, there was no other network traffic. I'm definately approaching Network Admin Nirvana here. I think I'm gonna have to step into 1997, though, and write this into a VBScript. I want to do a batch file--I really do. But I can't keep ignoring the future. Now if you'll excuse me, I have to go fire up my 8 track player.
Had too much of it at the theater tonight, so here I sit at 1am typing away. Not a whole lot of stuff today. Figure I'll share a couple of little tidbits:
IPSEC VPN Tunnels don't pass Multicast packets. Who cares? Well, if you've got a client on the far side of a VPN telnetting to an AIX (or maybe any Unix) box on your end, and he/she leaves the session alone for a while, it disconnects them. It seems that if the session is just sitting there (no keyboard activity to let the server know that the client is still alive), and if it doesn't respond to enough "Are you out there" queries from the server, the server will toast the connection. AIX seems to send these packets out as a multicast, which doesn't go through our VPN. No way around it, either, without setting up routers internally on each network to create a GRE tunnel between the sites. Bummer.
Installed XP on another of our Compaq Prolinea 2266s today. Put a little extra RAM in those (I bumped the XP ones up to 128MB), and XP runs really well. I was quite surprised. I usually cut down on the color depth (shared video RAM, so the lower your color depth, the more system RAM you've got), and then change the visual settings to the "Performance" option. As long as our application requirements don't change, I think that XP could give us another two years out of these systems. Well, if the hardware holds out, that is.
I've got a plan for them, though, even when I start replacing them. Most of our sites use 64kbs leased lines to connect back "home". With MSBlast out, I've been trying to figure out a good way to get patches and updates out to a site, so they are easily accessible to users at that site without "downloading" it over the slow line multiple times. My hope is to put one of these old machines (running XP with 128MB RAM and possibly a set of mirrored 4GB hard drives) at each site. It'll have a single shared folder that I can run an automated cleaning process on occasionally. I can also use it as a print server--installing printers is a huge pain right now, because I have to track down the IP address of the printer, setup a port, find the driver, etc. If I create a print queue in XP (works in 2K as well), I can embed the drivers for various versions of Windows, and have a single stop for installing printers.
As a continuation of yesterday's post (well, really Thursday's post), thought I'd pass on some more coolness with PSTools. I installed XP SP1A onto a system today. Without touching the system. I copied the update to the system to be patched, and ran it on that system using PSTools. It took over an hour, but I think that was just system speed (these are something like 266mhz Cyrix chips, after all). I kept an eye on network traffic, and after the transfer of the SP to the destination system, there was no other network traffic. I'm definately approaching Network Admin Nirvana here. I think I'm gonna have to step into 1997, though, and write this into a VBScript. I want to do a batch file--I really do. But I can't keep ignoring the future. Now if you'll excuse me, I have to go fire up my 8 track player.
Thursday, August 14, 2003
I do not speak to people directly. If you need me, please send a page to me as I sit in my ivory tower...
Well, MSBLAST got into the network today. Our salesmen all have laptops, and they regularly dial up to their ISP with them. One of them probably got the worm before we got his laptop patched, and today was the first time he'd plugged it into our network. I wasn't too worried about patching internal systems, because my hope was that if I kept the gates secure, the invaders could never harm the peasants inside (yeah, I love to compare corporate networks to feudal kingdoms. :)).
I had to scramble a little this afternoon to get everything cleaned up, but I'm glad I had the experience. Why? 'Cause I found something uber-cool, that's why. http://www.sysinternals.com/ntw2k/freeware/pstools.shtml is a bunch of freeware process management tools for Windows NT and greater. They give me, as an admin, the ability to remotely start, stop, list, etc. processes on another machine.
So how does this tie back to MSBlast? This worm is pretty simple to detect--if it infects you, you wind up with an msblast.exe file somewhere on your system. I could do a quick dir \\remotesystem\c$ /s to see if it's there. Problem is, if it's there, then it's probably running as well. You can't delete it if it's in use. So, pskill \\remotesystem msblast.exe shuts it off. Then I can delete it. Then I can use psexec \\remotesystem regedit regfile.reg to modify the registry, removing the item that MSBlast puts in there.
But it gets better. I can run the patch on the remote system as well. I can copy the patch to the remote system (I like to name it patch.exe, so it's easy to find later, and replaced if I roll out another patch), and then run psexec \\remotesystem patch.exe /u /z /q. The parms are pretty standard for Microsoft updates: /u runs it in unattended mode (this might be redudant with /q), /z prevents it from rebooting, and /q runs it without a user interface. After that returns, I can run psshutdown \\remotesystem -r to reboot the remote system.
Being the lazy guy that I am, I've put all this into a batch file that I can simply pass a system name to. My ultimate plan is to pick one evening a month that I ask everyone to leave their systems on, but logged off. I create a list of system names, pass it to the batch file, and viola, everyone is patched and rebooted come morning.
Well, MSBLAST got into the network today. Our salesmen all have laptops, and they regularly dial up to their ISP with them. One of them probably got the worm before we got his laptop patched, and today was the first time he'd plugged it into our network. I wasn't too worried about patching internal systems, because my hope was that if I kept the gates secure, the invaders could never harm the peasants inside (yeah, I love to compare corporate networks to feudal kingdoms. :)).
I had to scramble a little this afternoon to get everything cleaned up, but I'm glad I had the experience. Why? 'Cause I found something uber-cool, that's why. http://www.sysinternals.com/ntw2k/freeware/pstools.shtml is a bunch of freeware process management tools for Windows NT and greater. They give me, as an admin, the ability to remotely start, stop, list, etc. processes on another machine.
So how does this tie back to MSBlast? This worm is pretty simple to detect--if it infects you, you wind up with an msblast.exe file somewhere on your system. I could do a quick dir \\remotesystem\c$ /s to see if it's there. Problem is, if it's there, then it's probably running as well. You can't delete it if it's in use. So, pskill \\remotesystem msblast.exe shuts it off. Then I can delete it. Then I can use psexec \\remotesystem regedit regfile.reg to modify the registry, removing the item that MSBlast puts in there.
But it gets better. I can run the patch on the remote system as well. I can copy the patch to the remote system (I like to name it patch.exe, so it's easy to find later, and replaced if I roll out another patch), and then run psexec \\remotesystem patch.exe /u /z /q. The parms are pretty standard for Microsoft updates: /u runs it in unattended mode (this might be redudant with /q), /z prevents it from rebooting, and /q runs it without a user interface. After that returns, I can run psshutdown \\remotesystem -r to reboot the remote system.
Being the lazy guy that I am, I've put all this into a batch file that I can simply pass a system name to. My ultimate plan is to pick one evening a month that I ask everyone to leave their systems on, but logged off. I create a list of system names, pass it to the batch file, and viola, everyone is patched and rebooted come morning.
Wednesday, August 13, 2003
XP on a four year old computer. I must be nuts. Anyway, this is my first post, so at some point I'm gonna have to backtrack and get some other tips typed up. But for today, just a simple one that everyone else in the world probably already knows.
Quite often I have a client ask me "How do I get this to start up when I log in?" I usually shudder--every admin's worst nightmare is that machine that you come to that has every app in the sun starting on logon. The one where the client often says "Yeah, I log in and then go get my morning coffee--it's usually done by the time I get back." But most clients don't really understand why we hate this, so they stay pretty insistent.
The shell update in Windows 98 made this a little easier--being able to right click on stuff in the Start Menu meant that we could copy a shortcut to the clipboard, and then open the startup folder and paste it. But wouldn't be easier to just tell someone "Just right click on the icon, and hit "Startup"?" Well, at least for XP (and if you aren't using XP, then upgrade!), I've found a way to do this, using the "Send To" feature.
Your "Sent To" folder is in (by default) C:\Documents and Settings\. The folder contains shortcuts to applications or folders that you want to send files to. It's a piece of cake to add to your "Send To" menu--just put a new shortcut into this folder. So, if you want to be able to send stuff to your "Startup" group, just find your Startup group under C:\Documents and Settings\\Start Menu, and do a Right Click Drag to the Send To folder--choosing "Create Shortcut Here" when asked. Now you can right click on any icon in your Start Menu, select Send To, and send it right into the Startup Group.
"Wow, man I LOVE this. I want to do it on every machine. I want it for every user. But I'm lazy and don't want to manually add it each time!" Don't worry--I'm lazy too. So I've got a solution. Create a shortcut which points to "%userprofile%\Start Menu\Startup". %userprofile% is the environment variable that points to the folder that your user profile is in. In a login script, copy this .lnk file to "%userprofile%\Send To".
"Man that worked great. But I don't want to leave it in the login script--how do I make sure it's available when someone new logs into a machine?" The Default User profile is your friend--copy your .lnk file you created above into the C:\Documents and Settings\Default User\Sent To folder. Now any time a new profile gets created on that box, the shortcut is put into it's Sent To folder.
Quite often I have a client ask me "How do I get this to start up when I log in?" I usually shudder--every admin's worst nightmare is that machine that you come to that has every app in the sun starting on logon. The one where the client often says "Yeah, I log in and then go get my morning coffee--it's usually done by the time I get back." But most clients don't really understand why we hate this, so they stay pretty insistent.
The shell update in Windows 98 made this a little easier--being able to right click on stuff in the Start Menu meant that we could copy a shortcut to the clipboard, and then open the startup folder and paste it. But wouldn't be easier to just tell someone "Just right click on the icon, and hit "Startup"?" Well, at least for XP (and if you aren't using XP, then upgrade!), I've found a way to do this, using the "Send To" feature.
Your "Sent To" folder is in (by default) C:\Documents and Settings\
"Wow, man I LOVE this. I want to do it on every machine. I want it for every user. But I'm lazy and don't want to manually add it each time!" Don't worry--I'm lazy too. So I've got a solution. Create a shortcut which points to "%userprofile%\Start Menu\Startup". %userprofile% is the environment variable that points to the folder that your user profile is in. In a login script, copy this .lnk file to "%userprofile%\Send To".
"Man that worked great. But I don't want to leave it in the login script--how do I make sure it's available when someone new logs into a machine?" The Default User profile is your friend--copy your .lnk file you created above into the C:\Documents and Settings\Default User\Sent To folder. Now any time a new profile gets created on that box, the shortcut is put into it's Sent To folder.
Subscribe to:
Posts (Atom)