Friday, December 19, 2008

IT Security Top 10 Tips for 2009

#10 Wifi: As you travel are you will frequently see “Free Public Wifi” in your list of available wireless networks. This is almost always a VIRUS on someone’s computer trying to get you to connect so it can infect you also. Think of this as the “free public used gum” stuck under your desk. DO NOT ‘connect’ to it for any reason. Never connect to any Wi-Fi you do not fully trust; unless of course you like hackers using your identity or credit cards…

#9 Fake News Emails: Never click on any links in an email from CNN or MSNBC, or any other "news alerts" that you have never subscribed to. No matter how realistic it looks. Usually they start with a very absurd or weird story such as "Britney Spears killed in a car accident or Bigfoot found in new jersey, etc.." Even if you have subscribed to news alerts it is best to be cautious when following links.

#8 Fake “tracking number” Emails: If you get a "UPS tracking " attachment never ever open these attachments, they are virus's. They also appear to come from FedEx, USPS, etc… A valid tracking email will never have an attachment.

#7 Fake “Greeting Cards”: Never open a email postcard (Hallmark e-card is the most popular) unless it’s your birthday and it’s from someone you expect it from. This is the main delivery mechanism of most of our virus’s today. Also, an e-card will never have an attachment with a .exe extension.

#6 Lock your Desktop when not in use and have a screensaver password. Also lock your mobile devices (phone) with a password. If you don’t lock the doors then it does not make much sense to bar the windows. Don’t make it easy for hackers or others who would want to cause damage.

#5 Fake Instant Messages: Many people here use IM to communicate. It is a great tool but you need to be suspicious of hyperlinks; even if the link appears to be from your friends or coworkers. When a computer gets infected by a virus it is not uncommon for it to steal the address book and email/IM all of that persons contacts with the same virus. Best rule of thumb: Don’t follow hyperlinks

#4 Don’t put every CD you get mailed or USB key you find lying in the parking lot into your PC, they can “auto-install” a virus onto your PC or do many other nasty things. You didn’t just win a free prize, this is like the “free used gum”; besides it is a very well known technique for hackers and pen-testers alike. Again, don’t make it easy for the bad guys.

#3 Make sure you have Antivirus Installed and make sure that it has recent definitions, if you AV software is not updating, it is almost as good as not having it at all. In today’s day and age antivirus is a must…. well maybe not if you don’t have an internet connection…

#2 Keep your software up to date. Do your Microsoft Updates and software updates for all the products that you use. This includes software like Adobe, VMware and whatever else you use. We try our best to reach every machine with ECM but we can’t reach every machine due to a variety of issue and we don’t patch your home machines. Also we can’t patch your work machines unless you keep them powered on and put them in the WP domain. As the famous ex-hacker Kevin Mitnick suggests “Update your OS religiously and be vigilant in applying all security patches released by the software manufacturer.”

And the #1 thing Everyone should do in 2009 is:
#1 Backup everything you use. Make sure you have it somewhere else, on an external hard drive, a file share, somewhere. Don’t assume that anyone else (even IT) is backing that data up. If you have a question if a file share is being backed up please contact the IT Department, otherwise assume it is not. One Worm or Trojan or drive crash can wipe out 100% of your data forever, don’t let it happen to you.

Tuesday, December 9, 2008

How to change ESX SSL so its actually trusted.

Found a good article

http://www.vm-help.com/esx/esx3i/change_name_and_cert.php

ESX 3.5 Default & Suggested Partition Sizes

Partition - Default - Brian Suggested


/boot - 100mb - 200mb EXT3
Reason : Possible future boot size needs

/ (root) - 5gb - 20-25gb EXT3
Reason: 3rd Party apps goes here..

Swap - 544mb - 1600mb
Reason: Should be 2x console Ram (272 is default, 800 is max, go high)

/var/log - 2gb - 10-15gb EXT3
Reason: move mount to /var instead of /var/log, log files go here, logging is good

VMKCORE go with default
Reason: this is the crash dump area

VMFS3 whatever you have, use iSCSI or fcSAN if possible.

Tuesday, November 25, 2008

Symantec changes mind about VMotion Support

At this time running the Symantec Endpoint Manager (SEPM) is considered an alternative configuration and will be handled with "Best Effort Support".
Customers have reported problems with Symantec AntiVirus Server and Symantec Endpoint Protection Manager with VMware VMotion ESX server. These problems may or may not be related to the presence of VMware VMotion or the presence of the Symantec Endpoint Protection Manager.

Symantec is investigating each support case and will update Symantec products where necessary.

Can't Log into 2008 Server with network account

The error is: The User Profile Service failed the logon. User profile cannot be loaded.

I had added this 2008 Server to the domain, and I can still login with a local admin, but not my domain account. The fix was to disable UAC, then it worked.

Wednesday, November 19, 2008

Symantec doesn't support SAV OR SEP on VM's..awesome

Question/Issue: Is ESX server Vmotion supported with SAV and SEP?

Symptoms: There have been many issues reported a few examples are, Client communication problems Symantec Endpoint Protection Manager (SEPM) communication issues Content update failures Policy update failures Client data does not get entered in to the database Replication failures

Solution:Symantec does not support ESX server Vmotion at this time.

http://service1.symantec.com/SUPPORT/ent-security.nsf/docid/2008101607465248?Open&seg=ent

Friday, November 14, 2008

Exchange 2007 Can't Receive Large(er) Attachments = 20mb

Ok, this was a really hard one to solve. I tried everything you can think of to get this to work. I found a great manual online, good work to the author here:
http://exchangepedia.com/blog/2007/09/exchange-server-2007-setting-message_10.html

I also found some good troubleshooting steps here as well:
http://forums.msexchange.org/m_1800436085/mpage_1/key_/tm.htm#1800436085

However, that still didn't help me, this was an upgrade from 2003 exchange, I modifed the ADSIEDIT stuff, the send/receive connectors, the transport connectors, the global settings, the mailbox settings, etc..etc... I still got the #550 5.3.4 SMTPSEND.OverAdvertisedSize; message size exceeds fixed maximum size ## error.

Now exchange 2007 out of the box has a 10mb email size limit. I could send 13mb attachments, just not 15+. This is odd for several reasons, but let me explain the eventual fix. I was trying to "double" the size to 20mb from 10mb, so I went from 10240 to 20480 in the "size" settings.

We enabled verbose logging on the Edge SMTP machine, it showed the 18mb test email I was sending was actually 25xxx in size, so my 18mb attachment, the "SMTP" size of the email was 25 megs-ish. We increased the sizes up to 30000 and blamo..20mb email attachments now work. I tried sending from gmail and another exchange server, both significantly increased the size of these emails with the 18mb attachment. I'm not sure why, but that is a problem for another day.

Wednesday, November 5, 2008

Another Acrobat 8 Vulnerability

http://www.adobe.com/support/security/bulletins/apsb08-19.html , another one of those, you view the web page with a malicous PDF document and you get a Virus or Trojan types.

In order to get ourselfs up to date, you need to push this out to alot of machines. Since 8.1.2 isn't good enough anymore, you probably need the 8.1.3.msi file. Since I can't get it to extract using the "approved Adobe methods" http://www.adobe.com/go/kb400540, I had to resort to going straight to the ftp site for adobe

ftp://ftp.adobe.com/pub/adobe/reader/win/8.x/8.1.3/enu/AdbeRdr813_en_US.msi

Now that i've got the MSI, it'll be cake to push out.

Tuesday, October 28, 2008

Sweet Tool to email text files to yourself

If your like me, you like to have alot of scripts copying backup files around, and doing other things, cleaning up directories, etc..
I found the coolest tool called "Blat"
http://www.blat.net/

You can use it to send yourself these .txt files, it also does alot more, but that's all I need.

set dow=%date:~0,3%
Blat results%dow%.txt -to bsmith9999@gmail.com -server SMTPSERVER -f Server@domain.com

Enable Virtual Center Single Sign on SSO

To enable Windows Single Sign-on follow these steps:
Log in to a workstation where the VI Client is installed.
Right-click the desktop and select New > Shortcut.
In the Create Shortcut Wizard, click Browse and navigate to the location of the VpxClient.exe program and click OK.Note: By default it is located in C:\Program Files\VMware\Infrastructure\Virtual Infrastructure Client\Launcher\
After the full path is in the Type the location of the item field append -passthroughAuth -s to the end of the line, where is the hostname or IP Address of the VirtualCenter instance you want to connect to.
Click Next.
Give a Name for the shortcut.
Click Finish.
After the shortcut has been created, double-click on the new shortcut, and you are logged into the VirtualCenter Server using the currently logged in credentials.

Note: If the currently logged in user does not have appropriate permissions to VirtualCenter log in fails.

http://kb.vmware.com/selfservice/microsites/search.do?language=en_US&cmd=displayKC&externalId=1006611

Friday, October 24, 2008

Exchange 2007 Public Folders Rights

Ok, so I inherited the exchange environment, no biggie, but I need to create a new public folder on the root, however, I dont have rights. 2007 SP1 has a new command I can use.

Add-PublicFolderAdministrativePermission -Identity "\Marketing" -User "Chris" -AccessRights AllExtendedRights -Inheritance SelfAndChildren
from:
http://technet.microsoft.com/en-us/library/aa996369(EXCHG.80).aspx

However, my only question was (and I know i'm a noob) how do I add myself to ALL public folders, I just had to change the identity to "\"

Also to list your Identity's, use this command
Get-PublicFolder –GetChildren

Vmware Server Won't Install on 2003 R2 x64

I got the error "Setup cannot continue. The Microsoft Runtime DLL installer failed to complete installation".

I read another bloggers suggestion to download the redistributable directly from Microsoft, which almost helped me, but it installed sucessfully, no help there.
http://www.microsoft.com/downloads/details.aspx?familyid=EB4EBE2D-33C0-4A47-9DD4-B9A6D7BD44DA&displaylang=en

However, it gave me an idea, I run the setup, and when the error was on my screen (and before I clicked ok) I could go to my %temp% directory and try to run the vcredist_x64.exe file manually, it gave the error that it couldn't write to D: drive, not enough space. Well, I have a CD-ROM drive in D:, so that doesn't suprise me alot.

I simply swapped my D: and E: drives and fixed my issue, now it installed like a champ, I know this is a workaround, not a fix, but if it happens again I know where to start.
Never use Xcopy, always use Robocopy, it's from the 2k3 resource kit, it rocks.

Wednesday, September 24, 2008

ESX HA Errors

When trying to setup HA, I received the error "An error occurred during configuration of the HA Agent on the host." Looking deeper under "Tasks & Events" I was able to see the error was that the "configuration of the host IP address is inconsistent on host ESX1.local.com: address resolved to 192.168.x.x and 172.168.x.x"

I looked in
/etc/hosts
/etc/FT_HOSTS (didn't exist for me)
/etc/sysconfig/network
/etc/vmware/esx.conf
checked all my DNS entries, even made sure they were case sensative (someone elses blog said that mattered)
I did a hostname -i and a hostname -s, all returned good results.

I also read that your /etc/hosts file must be

IPaddress (x.x.x.x) then Hostname, then FQDN, in that order, and contain all ESX hosts, I tried that, it didn't help.

I did a /opt/vmware/aam/bin ./ft_gethostbyname, it gave me an incorrect result, for a service console that no longer existed.

Then after hours of pulling my hair out
I then looked in the /etc/opt/vmware/aam/FT_HOSTS , it had old bad information.

I deleted that file, then disabled HA on the cluster, then re-enabled it and FINALLY HA installed properly.

Tips for Common ESX HA Errors

Check to make sure DNS is configured properly
Check to see if you can resolve DNS
Check DNS records
Make sure you are using FQDN’s
Check your /etc/hosts file
Make sure your using lower case
Check Service Consoles have the same names and networks
Disable and Re-enable HA
Select Reconfigure for HA on the ESX host

Out of these troubleshooting tips the most common problem with HA is a DNS issue, so it is best to start troubleshooting DNS first.

I got this from here,
http://www.holy-vm.com/2008/09/17/troubleshooting-tips-for-common-ha-errors/

Thanks for the info..it helped me.

Monday, September 22, 2008

Notes to make the openfiler 2.2 instructions below work (the "simple stuff" he left out)

First off, I am using openfiler 2.3, not 2.2

Lets start with some notes:

1) if you use two nics, I like to use Balance lb
2) Jumbo frames, for some reason, make my NFS a little slower..not sure why yet.
3) iostat -x is a great way to find out your I/O performance.
4) make sure to open NFS Client on your ESX firewall
5) Setup your "host access" at the bottom of the Network Access Configuration page BEFORE you setup the cluster, do it early when you setup the network, otherwise it doesn't work later (permissions)
6) if you skipped 5, just chmod the /cluster_metadata/opt/openfiler/etc directory and files in it so the openfiler GUI still works for all pages AFTER the cluster setup.
7) The guy who wrote this help file is a genius, however, he keeps using the volume group name vg0drbd and vg0_drbd interchangeable, but you need to use one or the other, his way it don't work.


Added Instructions
1) before you being, you must setup your two new drives/partitions that will run the "cluster_metadata" and "vg0_drbd" volumes.
to do this, use fdisk /dev/sda(or_whatever) you will have this
1 = Boot (whatever size it says i do)
2 = OS (2GB min)
3 = Swap (twice ram min)
4 = you must setup, 300Meg+ required.
5 = Data, as much space as you can get.

Since fdisk only allows 4 partitions, the 4th partition needs to be an "extended" then create the two partitions inside the "extend"

2) You need to create your meta data for your volumes. Do this after the ha.cf stuff, before you start the drbd service
(on both nodes)
drbdadm create-md vg0_drbd
drbdadm create-md cluster_metadata

3) after you setup your cluster.xml, make sure you fix the following links.
rm /cluster_metadata/opt/openfiler/sbin/openfiler
rm /cluster_metadata/opt/openfiler/etc/httpd/modules
ln -s /usr/sbin/httpd /cluster_metadata/opt/openfiler/sbin/openfiler
ln -s /etc/httpd/modules/ /cluster_metadata/opt/openfiler/etc/httpd/modules

4) before you can start the heartbeat, you must/need to create your Volume inside your volume group, I also setup my share at this time.

A troubleshooting note, sometimes the 'openfiler' GUI (webpage) is dead after a node reboot, make sure one of your nodes mounts the data, i.e. somebody is the primary node, then the GUI should work again.

Openfiler/software linux raid misc commands and pieces of info

Openfiler/software raid:

If you have a software raid /dev/md0, even if you sub-partition it, you cant use those for openfiler, software raids can't be partitioned(and work).

Also, if you rebuild your openfiler, and for some reason your disks are now type "gpt" you may not be able to add them to a raid, use these commands

parted /dev/sdb
then type
mklabel msdos

do that for each of your drives to get them back to msdos type so you can re-raid them. Also be VERY CAREFUL with that command as it will nuke/wipe any drive you use it on, and by default if you don't specify the 'parted' drive, it defaults to your first/boot drive..and blamo, your back with a CD reinstalling the OS...not that I know...from experience....

To Zero out a partition, here is the command
dd if=/dev/zero of=/dev/hdc3

Friday, September 19, 2008

Setting up Jumbo Packets with ESX 3.5

First off, thanks to another blog

http://blog.scottlowe.org/2008/04/22/esx-server-ip-storage-and-jumbo-frames/

But there is one thing left out, i'll put it at the end.

Configuring ESX Server
There is no GUI in VirtualCenter for configuring jumbo frames; all of the configuration must be done from a command line on the ESX server itself. There are two basic steps:
Configure the MTU on the vSwitch.
Create a VMkernel interface with the correct MTU.
First, we need to set the MTU for the vSwitch. This is pretty easily accomplished using esxcfg-vswitch:
esxcfg-vswitch -m 9000 vSwitch1
A quick run of “esxcfg-vswitch -l” (that’s a lowercase L) will show the vSwitch’s MTU is now 9000; in addition, “esxcfg-nics -l” (again, a lowercase L) will show the MTU for the NICs linked to that vSwitch are now set to 9000 as well.
Second, we need to create a VMkernel interface. This step is a bit more complicated, because we need to have a port group in place already, and that port group needs to be on the vSwitch whose MTU we set previously:
esxcfg-vmknic -a -i 172.16.1.1 -n 255.255.0.0 -m 9000 IPStorage
This creates a port group called IPStorage on vSwitch1—the vSwitch whose MTU was previously set to 9000—and then creates a VMkernel port with an MTU of 9000 on that port group. Be sure to use an IP address that is appropriate for your network when creating the VMkernel interface.
To test that everything is working so far, use the vmkping command:
vmkping -s 9000 172.16.1.200
Clearly, you’ll want to substitute the IP address of your storage system in that command.
That’s it! From here you should be able to easily add an NFS datastore or connect to an iSCSI LUN using jumbo frames from the ESX server.

when doing the excfg-vmknic I got the following error:
"Error performing operation: A vmkernel nic for that portgroup already exists: PortGroupName"
I did a esxcfg-vmknic -d PortGroupName
Then you can follow the instructions as written.

========THE SHORT VERSION=========
The Setup...
esxcfg-vswitch -m 9000 vSwitch1
esxcfg-vmknic -d PORTGROUPNAME
esxcfg-vmknic -a -i 192.168.1.10 -n 255.255.255.0 -m 9000 PORTGROUPNAME (set your ESX IP on a portgroup)

To Make sure everything took......
esxcfg-vswitch -l
esxcfg-vmknic -l
vmkping -s 9000 192.168.1.20 (another host running jumbo frames)

Tuesday, September 16, 2008

Free ESX / Compliance Checker Tool

Configuresoft announced a free ESX Compliance tool that checks for the ESX hardening guidelines & the CIS Benchmarks for ESX.

You can download the tool here, the only limitation is that you can only scan 5 ESX hosts at a time, but you can print and save the results.

http://www.configuresoft.com/compliance-checker.aspx

Sunday, September 14, 2008

2008 boot.ini or lack thereof

I was trying to add PAE so I could use my 8GB of ram with my 32 bit procs and run 2008 in 32 bit mode with all my ram, but there is no boot.ini in 2008.

The Solution, use bcdedit.

1. BCDEdit /set nx AlwaysOff (kills DEP)
2. BCDEdit /set PAE forceenable (Enables PAE)
3. Reboot

Saturday, August 30, 2008

Domain Controller Problems & AD DNS not syncing.

Ok, so here is a tip for all of you, if your going to vmotion a Domain Controller, you gotta power it off first. Seems to be smart, but I prefer to learn things the hard way. Apparently this changes some internal things, long story short, this DC had to be completely blown away and rebuilt. The first thing I noticed was that for some reason AD Integrated DNS was no longer syncing. I ran a dcdiag since I didn't see much of anything in the logs. Basically all it told me was that I needed to run adprep /rodcprep. I tried since it seemed odd it would still need that (I upgraded to 2008 a while back, and thought I had done it.). Doing this gave me some new errors "Adprep could not contact a replica for partition DC=DomainDnsZones,DC=mydomain,DC=suffix.
Adprep encountered an LDAP error.
Error code: 0x0. Server extended error code: 0x0, Server error message: (null).
Adprep failed the operation on partition DC=DomainDnsZones,DC=mydomain,DC=suffix. Skipping to next partition. "

Now the fix for this is several things. The first two are easy of course.
1) Seize the rolls it held.
http://www.petri.co.il/seizing_fsmo_roles.htm
2) Blow away the old info from ntdsutil, ADSIEdit, & DNS.
http://www.petri.co.il/fix_unsuccessful_demotion.htm
3) Here is the really fun part. When seizing the roles in 2008(my first time seizing in 2k8) it left some stuff that had to be modified in ADSIEdit
Thanks to drewhill.net for the info,
http://drewh70.wordpress.com/2008/05/15/error-message-when-you-run-the-adprep-rodcprep-command-in-windows-server-2008/

Error message when you run the "Adprep /rodcprep" command in Windows Server 2008
“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Domain,DC=suffix”“Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Subdomain,DC=Domain,DC=suffix”“Adprep could not contact a replica for partition DC=ForestDnsZones,DC=Domain,DC=suffix”
Read: Error message when you run the “Adprep /rodcprep” command in Windows Server 2008: “Adprep could not contact a replica for partition DC=DomainDnsZones,DC=Contoso,DC=com”
Note: I could not get the VB script that Microsoft provided in the above KB article to work. I received the following error, “fixfsmo.vbs(1, 1) Microsoft VBscript compilation error: Expected statement”.
Here’s the way I ended up fixing the problem:

Open ADSIEdit
Connect to DC=DomainDnsZones,DC=domain,DC=suffix
Expand it and select CN=Infrastructure
Right click, click on Properties and look at the fsmoRoleOwner attribute. In my case it was referencing a deleted domain controller:
CN=NTDS SettingsADEL:0db95bd9-0a15-46d8-9665-951689a3c7f9,CN=PFCSRDC1ADEL:5bcf835e-adb2-4eba-9a3e-bccc9611fc78,CN=Servers,CN=PFCS,CN=Sites,CN=Configuration,DC=pfcs,DC=farm
This means that AD has a bad value for the infrastructure master because the infrastructure master for the referenced partition or partitions has been forcefully demoted or is offline.
You will need to copy the correct path to the infrastructure master into the fsmoRoleOwner value. To do this, first determine what server your infrastructure master is supposed to be using AD Users and Computers.
Once you have the , go back into ADSIEdit.
Connect to the Configuration partition.
Expand CN=Sites, CN=, CN= and go to properties of CN=NTDS Settings.
Edit the distinguishedName attribute, select the value and copy it into the clipboard. (cut off the first crap, only keep CN=NTDS Settings... erase all those crazy numbers and everything before it)
Now go back to the Infrastructure object underneath DomainDNSZones, and copy the value you got into the fsmoRoleOwner attribute.
This will have to be done for each partition with a bad value.
After AD has been cleaned up rerun the “Adprep /rodcprep” command.

Wednesday, July 30, 2008

After Migrating an ESX VM (local storage to local storage) I get an error "The parent virtual disk has been modified since the child was created"

Basically the .vmdk files for the C: and D: drives lost their connection with the snapshot vmdk files. I was removing some snapshots to try and make the migration work smoother, and apparently it forgot what we were doing part way through. I used this site to find out how to do basic CID repair

http://sanbarrow.com/vmdk-basic-CID-chain-repair.html

http://sanbarrow.com/vmdk/vmdk-when-its-too-late.html

Worked like a champ, now my VM's are alive again on the new ESX Server.

Monday, July 28, 2008

ISA 2006 Reverse Proxy dies with 23006 error

So in an attempt at High(er)-availability I setup a proxy server load balance on my IIS7 Web Farm. I debated between using NLB or ISA, I have always been an ISA fan since back in the 2.0 days, so I went with it. However about once a week all of the websites being served with ISA report a 500 error. I am using a fully patched ISA 2006 server on a 2003 R2 SP2 machine. I noticed in the application event logs, this: Event ID: 23006

Description:The Compression filter cannot handle a response because the allocated memory currently used for compression reached its limit. The memory allocated for compression is specified by the following registry values under the HKLM\Software\Microsoft\RAT\Stingray\Debug\W3Filter key: COMPRESS_MEMORY_ALLOC_MBYTES (by default, 256) and COMPRESS_MEMORY_POOL_BLOCKS (by default, 200).

To resolve this I went into the general tab at the bottom of ISA manager and disabled HTTP Compression, but I did find a KB article about this bug. http://support.microsoft.com/kb/947521

Tuesday, July 15, 2008

GPO VPN connections

In Group Policy i'm trying to setup a VPN connection under the "Network Options" Windows Settings Preferences. Everything almost works great, but for some reason IPv4 and IPv6 are unchecked or not enabled on the clients after they receive the policy. I can't seem to find a way of making this work. I found this article of someone having the same issue, but nobody knows how to fix it. http://www.eggheadcafe.com/software/aspnet/32624228/configuring-vpn-using-gro.aspx

Any ideas?

Thursday, July 10, 2008

Weird DHCP issue ..resolved

Ok, so a user reports vista wants them to identify a new network i've never heard of as "home,work, or public". This isn't our corporate domain (which their machine is a member of), and this is happening over wired connections. To put it mildly, this gets my attention. I look at his network adapter settings, it's all setup to DHCP, nothing hard coded. doing a ipconfig /all and looking at his registry, he is receiving a different DHCP server than I am handing him, and his "DhcpDomain" as it is referred to in the registry is not my domain, but this newfound mystery domain. The crazy thing is that the "DhcpServer" is MY server. I verified with wireshark that my dhcp server is giving him the address directly, and that on his end, he is receiving DHCP from me, so what gives? where is the incorrect data coming from? In the packet capture I noticed something very interesting, there are Dhcp Inform packets coming from a random PC on my corporate lan.

Basically the answer is, someone created a "test domain" and installed DHCP server, configured a scope, and then disabled that scope, but did not delete the scope or uninstall/disable DHCP Server. Due to a microsoft bug, http://support.microsoft.com/kb/944200, it will still respond to these DHCP inform packets, and append/overwrite the data my DHCP server is sharing.

Good luck if this happens to you. I am going to go drink a Guinness.

Tuesday, July 1, 2008

More IIS FTP7

Ugh, so after a couple hours of frustrating results trying to FTP into my web cluster, a friend brought the obvious to my attention, windows 2008 firewall is blocking FTP by default, and that's why I can only reach it locally. Do the following to turn it off for anonymous(non SSL) FTP.

netsh advfirewall firewall add rule name="FTP (no SSL)" action=allow protocol=TCP dir=in localport=21
netsh advfirewall set global StatefulFtp enable

Thanks to the following blog
http://blogs.iis.net/jaroslad/archive/2007/09/29/windows-firewall-setup-for-microsoft-ftp-publishing-service-for-iis-7-0.aspx

132GB of ram in a workstation

16 Ram banks. I didn't think this was possible..

I just hope this thing will run ESX 3.5

http://h10010.www1.hp.com/wwpc/us/en/sm/WF25a/12454-12454-296719-307907-296721-3432827.html

Maximum memory
128 GB 667 MHz DDR2, 16 DIMM slots


What time does FedEx arrive today?

Word 2007 Prints garbage on envelopes

Well if your printing to an envelope and it looks like your printing in windings, in my scenario it turns out you may have a corrupt default font type (+Headings), try another font, replace the bad font if you still want to use that one.

asp (not dot net) troubleshooting is awful in 2008/IIS7

Well I found that when upgrading older applications written in the original asp to 2008/IIS7 can be very difficult as it appears no matter what you do, all errors return "500 Server error". I did read if you change the ASP options to show "Send Errors to Browser" and disable "HTTP Friendly error messages", and do this locally on the server, no matter what..you still only get "500 Server error". So the really cool error reporting and repair suggestions work great for asp.net, but don't bother with them for good old asp pages. The ASP CDO emailer page I was modifying had perfect code, but the SMTP server was rejecting my connection, and blamo, 500 server error.

Installing IIS FTP7 in a shared config

Since microsoft didn't ship FTP 7 on the windows 2008 disks, you have to uninstall the FTP 6 you installed during setup. Then you need to download the x86 or x64 version from here

http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1619 (x86)
or
http://www.iis.net/downloads/default.aspx?tabid=34&g=6&i=1620 (x64)

Easy enough to install, unless your using a shared config IIS web farm. Now if you have no data in your shared config, no big deal, unless you're me and have completed the migration of a number of sites over to this shared config already and your doing FTP as a "last step" setup. So when you install FTP7, it says you can't be in a shared config, so you take the machine out of shared mode, install FTP7, add it back in, and you do this for all the machines in your shared config. However when your done, you don't have the option to "create FTP site" under your "Sites" tab. I also noticed in my System log the following error: Source: FTPSVC EventID: 30 "the FTP Service encountered an error trying to read configuration data from the file "\\?\UNC\servername\sharename\applicationHost.config, line number 0. The error message is: The configuration section 'system.ftpServer/providerDefinitions' cannot be read because it is missing section declaration. blah blah blah

So what this all means is that because I pulled my nodes out of the shared config one by one, then installed FTP7 on them, FTP7 modified the local config, then was never published those changes back to the shared config files, therefore the FTP Service doesn't work and I can't create FTP sites because the shared config doesn't know we have FTP7 installed. So a step by step on how to fix this follows.

1) Uninstall FTP6(on windows 2008 cd if you installed it) & FTP 7 if you've installed it already

2) Pull all your nodes out of the shared config 1 by 1, make sure you choose the option to copy the shared profile locally. This will keep your 'same config' and your sites wont experience an interruption during the modification process (assuming you have NLB or ISA-NLB or another load balancing option setup correctly).

3) Pick a node you like that has the shared config now copied locally. Install IIS FTP7 to that node. Make sure to restart IIS and your IIS Manager app, verify when you right click sites you have the option to "Add FTP Site...".

4) Move your shared config files somewhere else, leave the directory empty.

5) go into the "shared config" page again, choose "export configuration" and follow the normal steps and now make a new shared config. (just a hint, to make a encryption key that works, you need upper, lower, number and symbol). restart IIS and IIS Manager just for fun.

6) on all your other nodes, install FTP7, and add them back into the shared config.

That's about it, it should work for you.