master.mdf, masterlog.ldf

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA

Model.mdf, modellog.ldf

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA

MSDBdata.mdf, MSDBlog.mdf

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA

Tempdbv.mdf, templog.ldf

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA

planetgeek.mdf, planetgeek_log.ldf

C:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA

First thing you notice the filenames are all tuned in the same schema, pls. Microsoft it cannot be so hard. Our mission is to move all log files in the path D:\mssqlserver08 and all data files to E:\mssqlserver08. The first thing we should do is give the sqlserver service account user read and write rights to this two directories. This step is not quiet necessary but the remote db creation and auto grow features will not work. Let’s start with the master db. Start the SQL Server Configuration Manager. Click “start” -> “run” and type “SQLServerManager10.msc” and right click on the properties from the SQL server Service.

In the advanced tab you have to edit the Startup Parameters

The default value is (keep in mind there are no spaces!!!):

-dC:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA\master.mdf;

-eC:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\Log\ERRORLOG;

-lC:\Program Files\Microsoft SQL Server\MSSQL10.MSSQLSERVER08\MSSQL\DATA\mastlog.ldf

-d is the path to the master.mdf

-e path of the “ERRORLOG” File.


-l is path to the ldf File

After change the path to (keep in mind there are no spaces!!!):

-dD:\mssqlserver08\master.mdf;

-eD:\errorlog\ERRORLOG;

-lE:\mssqlserver08\mastlog.ldf

stop the sql server (for cluster use you can use an UNC path and share name. This is useful on relaxed security cluster environments). Copy the master db files to the new path. And start the SQL server Service. One step done four steps are left, so let’s move on with the temporary db. Open the SQL Server Management Studio and open a new query and enter the following lines

After the alter database statement you need to stop the Sql Server move the files in explorer to their new location and start the SQL Server Service. Many of you are maybe wondering why “ … name = tempdev, …” and the “name = templog” in the SQL query. This is the internal database name. A very easy name to get this name is stored procedure sp_help

with this procedure you are able to easily modify the path of all other databases. Normally we would have finished at this point. But after then years of experience as IT guy I know that “developers” often don’t care about path in the file system (developers who write for planetgeek are not this kind of developers . So we should change the default database creation path to ensure it will work even when we are not in the office (Yes the IT Professionals have Holydays;-).

Enjoy the comfort of non direct attached storage, RIDE ON

Konrad

Nice Irony I guess

The question is not so easy as it guess. Because Mac OS X leopard has many of the things I nee built-in. Let us start with some basic tools I Use.

VMware Fusion. is a virtual machine software product developed by VMware for Macintosh computers with Intel processors. Fusion allows Intel-based Macs to run x86 and x86-64 "guest" operating systems, such as Microsoft Windows, Linux, NetWare and Solaris as virtual machines simultaneously with Mac OS X as the "host" operating system using a combination of virtualization, emulation and dynamic recompilation. While similar in most respects to VMware Workstation.

Skype is a software application that allows users to make telephone calls over the Internet. Calls to other users of the service, and in some countries to free-of-charge numbers are free, while calls to other landlines and mobile phones can be made for a fee. Additional features include instant messaging, file transfer and video conferencing.

Keypass X  is a free open source password manager, which helps you to manage your passwords in a secure way. You can put all your passwords in one database, which is locked with one master key or a key file. So you only have to remember one single master password or select the key file to unlock the whole database. The databases are encrypted using the best and most secure encryption algorithms currently known (AES and Twofish)

Microsoft Office 2008, Word PowerPoint, Excel and Entourage. More or less the same bugi thing like on Windows.

LaTeX is based on the idea that authors should be able to focus on the content of what they are writing without being distracted by its visual presentation. In preparing a LaTeX document, the author specifies the logical structure using familiar concepts such as chapter, section, table, figure, etc., and lets the LaTeX system worry about the presentation of these structures. It therefore encourages the separation of layout from content while still allowing manual typesetting adjustments where needed.

Cyberduck is an open source FTP, SFTP, WebDAV, Mosso Cloud Files and Amazon S3 browser for the Mac. It features an easy to use interface with quickly accessible bookmarks. The outline view of the browser allows to browse large folder structures efficiently and you can quickly preview files with Quick Look. To edit files, a seamless integration with several external editors makes it easy to change content quickly. Both Amazon CloudFront and Cloud Files from Rackspace can be easily configured to distribute your content in the cloud. Many OS X core system technologies such as Spotlight, Bonjour and the Keychain are supported and a large number of translations makes you feel at home.

Freeciv is a multiplayer, turn-based strategy game for workstations and personal computers inspired by the commercial proprietary Sid Meier’s Civilization series. The game’s default settings are closest to Civilization II, both in gameplay and graphics (including the units and the isometric grid).

These are the Programs that make my 24 iMac to a Powerful blog machine. There is only one thing I am missing. On windows there is a free Software called Live Writer. Live writer make blogging very easy but I don’t find a Sirius alternative for Mac. If you know something pls don’t hesitated post a commend.

Regards Konrad

A good place to fix this whole bunch of problems is by verifying the backup strategy and ensuring that all system-states are saved on all domain controllers. The second step is verifying that DNS are fine and syncing the proper way. Now we are ready to move the FSMO roles. For everyone that is not familiar with the five FSMO Friends, here is a small overview from Wikipedia

Flexible Single Master of Operation (FSMO, F is sometimes floating ; pronounced Fiz-mo), or just single master operation or operations master, is a feature of Microsoft’s Active Directory (AD). As of 2005, the term FSMO has been deprecated in favor of operations masters.

FSMOs are specialized domain controller (DC) tasks, used where standard data transfer and update methods are inadequate. AD normally relies on multiple peer DCs, each with a copy of the AD database, being synchronized by multi-master replication. The tasks which are not suited to multi-master replication, and are viable only with a single-master database, are the FSMOs.

Domain-wide FSMO Roles:

Every domain in an Active Directory forest must contain one of each of the following FSMO roles:
The Relative ID Master allocates security RIDs to DCs to assign to new AD security principals (users, groups or computer objects). It also manages objects moving between domains.
The Infrastructure Master maintains security identifiers, GUIDs, and DNS for objects referenced across domains. Most commonly it updates user and group links. This is another domain-specific role and its purpose is to ensure that cross-domain object references are correctly handled. For example, if you add a user from one domain to a security group from a different domain, the Infrastructure Master makes sure this is done properly. As you can guess however, if your Active Directory deployment has only a single domain, then the Infrastructure Master role does no work at all, and even in a multi-domain environment it is rarely used except when complex user administration tasks are performed, so the machine holding this role doesn’t need to have much horsepower at all.
The PDC Emulator operations master role processes all password changes in the domain. Failed authentication attempts due to a bad password at other domain controllers are forwarded to the PDC Emulator before rejection. This ensures that a user can immediately login following a password change from any domain controller, without having to wait several minutes for the change to be replicated. The PDC Emulator Operations Master role must be carefully sited in a location to best handle all password reset and failed-authentication forwarding traffic for the domain.

Forest-wide FSMO Roles:

Regardless of the number of domains in an Active Directory forest, the following FSMO roles exist only once:
The Schema Master maintains all modifications to the schema of the forest. The schema determines the types of objects permitted in the forest and the attributes of those objects.
The Domain Naming Master tracks the names of all domains in the forest and is required to add new domains to the forest or delete existing domains from the forest. It is also responsible for group membership.

Normally it’s very easy to move these roles by right clicking the forest level and choose Move …  in the Active Directory Schema snap-in, Active Directory Domains and Trusts snap-in and Active Directory Users and Computers snap-in. But it will fail to 99% with an obscure error. The reason for the error is one domain controller in the replica ring is missing and marked as Tombstone. Let’s get to the bigger guns and start “ntdsutil.exe”, open a command prompt and enter “ntdsutil.exe”. If the shell is bugging you that the exe is missing, you need to install the server support tools. They are located on the Windows CD in the support folder. Other ways you can download it from Microsoft using Google ☺.

!! Remember at this point you can do very large harm to the directory so please be sure that you have properly working backups!!

After “ntdsutil.exe” has successful started, type “roles” and press enter. Type “connections” and press enter. Now Type “connect to server xyz.planetgeek.ch”, where xyz.planetgeek.ch is the name of the server where you want to transfer the roles to. A message will appear:

“Binding to xyz.planetgeek.ch …
Connected to servername using credentials of locally logged on user.”

Tipe “quit” to leave the selection menu. Now appears: “fsmo maintenance:” now enter:

“Seize schema master” if you want move the schema master.
“Seize domain naming master” if you want move the naming master.
“Seize PDC” if you want move the PDC.
“Seize RID master” if you want move the Relative ID master.
“Seize infrastructure master” if you want move the infrastructure master.

Next thing to do is kicking the metadata out of the directory. To do this I know two possible ways. The first is use a VB script written by Clay Perrine from Microsoft. The second way is to use ntdsutil.exe. I prefer the VB script. It works on the most common Windows Operating systems (2k, XP, 03, Vista and 08). The script is below ore you can obtain it directly from Microsoft (http://go.microsoft.com/fwlink/?LinkID=123599).

REM    ==========================================================
REM                GUI Metadata Cleanup Utility
REM             Written By Clay Perrine
REM                          Version 2.5
REM    ==========================================================
REM     This tool is furnished "AS IS". NO warranty is expressed or Implied.

on error resume next
dim objRoot,oDC,sPath,outval,oDCSelect,objConfiguration,objContainer,errval,ODCPath,ckdcPath,myObj,comparename

rem =======This gets the name of the computer that the script is run on ======

Set sh = CreateObject("WScript.Shell")
key= "HKEY_LOCAL_MACHINE"
computerName = sh.RegRead(key & "\SYSTEM\CurrentControlSet\Control\ComputerName\ComputerName\ComputerName")

rem === Get the default naming context of the domain====

set objRoot=GetObject("LDAP://RootDSE")
sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")

rem === Get the list of domain controllers====

Set objConfiguration = GetObject(sPath)
For Each objContainer in objConfiguration
    outval = outval & vbtab &  objContainer.Name & VBCRLF
Next
outval = Replace(outval, "CN=", "")

rem ==Retrieve the name of the broken DC from the user and verify it’s not this DC.===

oDCSelect= InputBox (outval," Enter the computer name to be removed","")
comparename = UCase(oDCSelect)

if comparename = computerName then
    msgbox "The Domain Controller you entered is the machine that is running this script." & vbcrlf & _
        "You cannot clean up the metadata for the machine that is running the script!",,"Metadata Cleanup Utility Error."
    wscript.quit
End If

sPath = "LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sPath)

For Each objContainer in objConfiguration
    Err.Clear
    ckdcPath = "LDAP://" & "CN=" & oDCSelect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    set myObj=GetObject(ckdcPath)
    If err.number <>0 Then
        errval= 1
    End If
Next

If errval = 1 then
    msgbox "The Domain Controller you entered was not found in the Active Directory",,"Metadata Cleanup Utility Error."
    wscript.quit
End If

abort = msgbox ("You are about to remove all metadata for the server " & oDCSelect & "! Are you sure?",4404,"WARNING!!")
if abort <> 6 then
    msgbox "Metadata Cleanup Aborted.",,"Metadata Cleanup Utility Error."
    wscript.quit
end if

oDCSelect = "CN=" & oDCSelect
ODCPath ="LDAP://" & oDCselect & ",OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
sSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sSitelist)
For Each objContainer in objConfiguration
    Err.Clear
    sitePath = "LDAP://" & oDCSelect & ",CN=Servers," &  objContainer.Name & ",CN=Sites,CN=Configuration," & _
        objRoot.Get("defaultNamingContext")
    set myObj=GetObject(sitePath)
    If err.number = 0 Then
        siteval = sitePath
    End If   
Next

sFRSSysvolList = "LDAP://CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & _
    objRoot.Get("defaultNamingContext")
Set objConfiguration = GetObject(sFRSSysvolList)

For Each objContainer in objConfiguration
    Err.Clear
    SYSVOLPath = "LDAP://" & oDCSelect & ",CN=Domain System Volume (SYSVOL share),CN=File Replication Service,CN=System," & _
        objRoot.Get("defaultNamingContext")
    set myObj=GetObject(SYSVOLPath)
    If err.number = 0 Then
        SYSVOLval = SYSVOLPath
    End If
Next

SiteList = Replace(sSitelist, "LDAP://", "")
VarSitelist = "LDAP://CN=Sites,CN=Configuration," & objRoot.Get("defaultNamingContext")
Set SiteConfiguration = GetObject(VarSitelist)

For Each SiteContainer in SiteConfiguration
    Sitevar = SiteContainer.Name
    VarPath ="LDAP://OU=Domain Controllers," & objRoot.Get("defaultNamingContext")
    Set DCConfiguration = GetObject(VarPath)
    For Each DomContainer in DCConfiguration
        DCVar = DomContainer.Name
        strFromServer = ""
        NTDSPATH =  DCVar & ",CN=Servers," & SiteVar & "," & SiteList
        GuidPath = "LDAP://CN=NTDS Settings,"& NTDSPATH
        Set objCheck = GetObject(NTDSPATH)
        For Each CheckContainer in objCheck
rem ====check for valid site paths =======================
            ldapntdspath = "LDAP://" & NTDSPATH
            Err.Clear
            set exists=GetObject(ldapntdspath)
            If err.number = 0 Then
                Set oGuidGet = GetObject(GuidPath)
                For Each objContainer in oGuidGet
                    oGuid = objContainer.Name
                    oGuidPath = "LDAP://" & oGuid & ",CN=NTDS Settings," & NTDSPATH 
                    Set objSitelink = GetObject(oGuidPath)
                    objSiteLink.GetInfo
                    strFromServer = objSiteLink.Get("fromServer")
                    ispresent = Instr(1,strFromServer,oDCSelect,1)

                    if ispresent <> 0 then
                        Set objReplLinkVal = GetObject(oGuidPath)
                        objReplLinkVal.DeleteObject(0)
                    end if
                next

                sitedelval = "CN=" & comparename & ",CN=Servers," & SiteVar & "," & SiteList
                if sitedelval = ntdspath then
                    Set objguidpath = GetObject(guidpath)
                    objguidpath.DeleteObject(0)
                    Set objntdspath = GetObject(ldapntdspath)
                    objntdspath.DeleteObject(0)
                end if
            End If
        next
    next
next
Set AccountObject = GetObject(ckdcPath)
temp=Accountobject.Get ("userAccountControl")
AccountObject.Put "userAccountControl", "4096"
AccountObject.SetInfo
Set objFRSSysvol = GetObject(SYSVOLval)
objFRSSysvol.DeleteObject(0)
Set objComputer = GetObject(ckdcPath)
objComputer.DeleteObject(0)
Set objConfig = GetObject(siteval)
objConfig.DeleteObject(0)
oDCSelect = Replace(oDCSelect, "CN=", "")
msgval = "Metadata Cleanup Completed for " & oDCSelect
msgbox  msgval,,"Notice."
wscript.quit

An easy to use description of the ntdsutil.exe way you find under http://technet.microsoft.com/en-us/library/cc736378.aspx

Next thing that will drive you crazy are the millions of ntfrs errors in the Eventlog. Ntfrs is the “New Technology File replication Service” from Windows. It is used for the replication of the sysvol/ netlogon. Remember Since Windows 2003 R2 nftrs is replaced trough DFS. First of all we are saving the eventlog to a file then clean it and boot every Domain Controller in the domain and wait a few minutes. On my experience this will fix half of the problems, like swiss admins tend to say “ein boot tut immer gut” ; -).

The other prerequirement you need is a Linux OS. I don’t want install some bloody Linux on my iMac, so I use VMware Fusion and the problem is solved. I use in this tutorial the Ubuntu 8.04 LTS Server. You might be considering now why I choose Ubuntu, the simple answer is I don’t known. Normally I use Open SUSE from Novell, but in this case I really don’t know. Strange things happen some times. Another side note I will guide you trough the installation so don’t panic if you are not an unix geek. But actually as non console junkie you should consider not to buy an EMC / IBM / … NAS ☺

Create a VMware with the normal settings 1 CPU, 10 GB HD,  Nat NIC and 512MB Ram. Attach the OS iso and boot the whole batch job. Using the default settings is a nice strategy for not so experienced user. I only changed the keyboard layout to “swiss german (mac)” and check in the screen “install additional software” “ssh server” file transfer will be easy. Create an user called “geek” Then after next, next, …., next, next. The server has finished the miraculous installation. As a windows administrator the first thing I have done is enter in the console

Sudo reboot

After the restart I want to log in as root user, but the install wizard doesn’t accept the root password. After some time I decided to log in as user “geek”. Because it is only a testing environment I decided to enable root login in the console

sudo passwd root

After setting the password i started a console session on my mac shell and connected with ssh. You don’t need to do this but with an ssh session you are able to use Copy and Past with the host OS. For the poor windows user putty is a nice ssh tool. The Mac and Linux user just need to enter the following commands in the console

ssh <ip of the VM> -i root

the next thing you need to do is copying the download from the net app side “7.3.1-tarfile-v22.tar” to the VM server. I use “Cyberduck”. For windows users a nice program is winscp. The Linux guys should use the mighty shell console. By the way I createt a folder named “/netapp”. So let us open the tar file

tar xvf /netapp/7.3.1-tarfile-v22.tgz

In the readme form net app gives us a hint that the simulator uses perl. To install perl on your machine use “apt-get install perl”, actually pearl was installed so you don’t need to do it. Okay now we are ready to start installing the simulator. The strangest thing on this point was I didn’t have to deal with any problems, all worked just fine. This is a bad sign.

cd /netapp/simulator
./setup.sh

and the installation starts. Some logs from the console behind

Script version 22 (18/Sep/2007)
Where to install to? [/sim]:
Would you like to install as a cluster? [no]:
Would you like full HTML/PDF FilerView documentation to be installed [yes]:
Continue with installation? [no]: yes
Creating /sim
Unpacking sim.tgz to /sim
Configured the simulators mac address to be [00:50:56:0:6c:5]
Please ensure the simulator is not running.
Your simulator has 3 disk(s). How many more would you like to add? [0]: 10

The following disk types are available in MB:
        Real (Usable)
  a -   43   ( 14)
  b -   62   ( 30)
  c -   78   ( 45)
  d -  129   ( 90)
  e -  535   (450)
  f – 1024   (900)

If you are unsure choose the default option a
What disk size would you like to use? [a]:
Disk adapter to put disks on? [0]:
Use DHCP on first boot? [yes]:
Ask for floppy boot? [no]:
Checking the default route…
You have a single network interface called eth0 (default route) . You will not be able to access the simulator from this Linux host. If this interface is marked DOWN in ifconfig then your simulator will crash.
Which network interface should the simulator use? [default]:
Your system has 455MB of free memory. The smallest simulator memory you should choose is 110MB. The maximum simulator memory is 415MB.
The recommended memory is 512MB.
Your original default appears to be too high. Seriously consider adjusting to below the maximum amount of 415MB.
How much memory would you like the simulator to use? [512]:
Create a new log for each session? [no]:
Overwrite the single log each time? [yes]:
Adding 10 additional disk(s).
Complete. Run /sim/runsim.sh to start the simulator.

Wow this was very easy. Nice Job Net App. In the last row there is the hint how to start the simulator so lets go.

/sim/runsim.sh

Peng, Klaap, kabumm, doing and an error appears on the console “Error ./maytag.L: No such file or directory”. F.. after some time, maybe 4 hours reading logs, traying these and that, and drinking some coffee I figured out that I need to install some libraries for AMD 64. This sounds funny but it solved my problem. This was the penalty for the easy setup.

apt-get install ia32-libs

and again try to startup. I deleted some info rows from the console log. But all questions should be present in the log below.

root@netapp:/netapp/simulator# /sim/runsim.sh
runsim.sh script version Script version 22 (18/Sep/2007)
This session is logged in /sim/sessionlogs/log

NetApp Release 7.3.1: Thu Jan  8 00:10:49 PST 2009
Copyright (c) 1992-2008 NetApp.
….
….
….
Do you want to enable IPv6? [n]: n
Do you want to configure virtual network interfaces? [n]:
Please enter the IP address for Network Interface ns0 [172.16.111.136]:
Please enter the netmask for Network Interface ns0 [255.255.255.0]:
Please enter media type for ns0 {100tx-fd, auto} [auto]:
Please enter the IP address for Network Interface ns1 []:
Would you like to continue setup through the web interface? [n]:
Please enter the name or IP address of the IPv4 default gateway [172.16.111.2]:
    The administration host is given root access to the filer’s
    /etc files for system administration.  To allow /etc root access
    to all NFS clients enter RETURN below.
Please enter the name or IP address of the administration host:
Please enter timezone [GMT]:
Where is the filer located? []:
What language will be used for multi-protocol files (Type ? for list)?:
language not set
Do you want to run DNS resolver? [n]:
Do you want to run NIS client? [n]: Setting the administrative (root) password for mynetapp …

New password:
Retype new password:
Mon May  4 20:31:11 GMT [passwd.changed:info]: passwd for user ‘root’ changed.
….
….
….
This process will enable CIFS access to the filer from a Windows(R) system.
Use "?" for help at any prompt and Ctrl-C to exit without committing changes.

        Your filer is currently visible to all systems using WINS. The WINS
        name server currently configured is: [ 172.16.111.2 ].

(1) Keep the current WINS configuration
(2) Change the current WINS name server address(es)
(3) Disable WINS

Selection (1-3)? [1]:
        A filer can be configured for multiprotocol access, or as an NTFS-only
        filer. Since multiple protocols are currently licensed on this filer,
        we recommend that you configure this filer as a multiprotocol filer

(1) Multiprotocol filer
(2) NTFS-only filer

Selection (1-2)? [1]:
        CIFS requires local /etc/passwd and /etc/group files and default files
        will be created.  The default passwd file contains entries for ‘root’,
        ‘pcuser’, and ‘nobody’.
Enter the password for the root user []:
Retype the password:
        The default name for this CIFS server is ‘MYNETAPP’.
Would you like to change this name? [n]:
        Data ONTAP CIFS services support four styles of user authentication.
        Choose the one from the list below that best suits your situation.

(1) Active Directory domain authentication (Active Directory domains only)
(2) Windows NT 4 domain authentication (Windows NT or Active Directory domains)
(3) Windows Workgroup authentication using the filer’s local user accounts
(4) /etc/passwd and/or NIS/LDAP authentication

Selection (1-4)? [1]: 4
What is the name of the Workgroup? [WORKGROUP]:
CIFS – Starting SMB protocol…
Welcome to the WORKGROUP Windows(R) workgroup

CIFS local server is running.

Password:
mynetapp> Mon May  4 20:32:25 GMT [console_login_mgr:info]: root logged in from console
Mon May  4 20:32:31 GMT [nbt.nbns.registrationComplete:info]: NBT: All CIFS name registrations have completed for the local server.

mynetapp>

SO this was not so hard. Now enjoy the world class filer in your VMware

Normally I’m not a big promoter of software. But this tool is amazing. Every, and I mean every IT Professional are having the same problem. Everybody in the world looks at you and sees the free helpdesk. Ok I must admit most of the time this is not a problem because helping is caring friendship. Helping over the phone is good because you don’t have to travel. But this is not easy for each occasion. There are a lot of good remote software programs for companies. But the use in private environments is not so as easy as it should be because you need port forwarding, special firewall rules etc. Looking around in the Internet I found a very exciting tool for remote support. It’s called TeamViewer.

http://www.teamviewer.com

The benefits of TeamViewer are:

•    It’s free for personal use.
•    No installation needed.
•    No firewall changes are required because remote clients create an outgoing connection to the team server.
•    It works on PC and Mac, even cross-platform, connect from Mac to windows is no problem.
•    It’s Fast and
•    It’s free for noncommercial use.

At least it’s the Holy Grail of remote software

Regards Konrad

The lab hardware is composed of two personal workstations and two 3500 Cisco switches. The Cisco’s are connected together with two Gigabit Ethernet links. Each of the switches has  a PC attached to it.

So let’s start with the basic configuration.

I prefer putty for serial telnet and ssh connection to my network devices. But hyper term will also do a good job.
After the login the switch welcomes us with the shell prompt

Switch>

First thing we are entering is the enable mode, which gives us the opportunity to make basic configurations.

Switch>enable

the shell prompt now enters into the enable mode and the “Switch>” changes to “Switch#” first we are going to change the time of the switch.

Switch# clock set 20:09:01 3 Apr 2006

To test the settings “show clock” will show us the actual time. In the next step we are going to the configure terminal. This allows us to change network and settings on the device.

Switch#configure Terminal

The notice “enter configuration commands, one per Line. End with CNTL/Z and the shell prompt shows “Switch(config)#” to change the DNS Hostname of the switch the command is simple hostname. Just enter it.

Switch(config)#hostname MySwitch1

now the shell prompt changes to “MySwitch1(config)#” and we are able to continue with the setting of a password for the enable mode by entering

MySwitch1(config)#enable secret TopSecretPassword

After setting the password for the enable mode it would be wise to set an password for the Virtual Terminal (Telnet & SSH Access). We need 2 lines to do this, the first line is for setting the password and the second for the rights of the remote console. Some Admin’s think “vty 0 15” is to much rights for a remote console. I think “vty 0 15” is ok if the switch is on a remote location.

MySwitch1 (config)# password MySecretTerminalPassword
MySwitch1 (config)# line vty 0 15

The last thing we need to do is setting up a managed port. This port is only for the management. The port should not be used for clients. In most companies the port is set in the management vlan but we don’t do this in this post. This will be done by entering an Interface, disabling the switching on this port, setting the port state up, setting the IP and subnet mask and leaving the interface config.

MySwitch1(config)#interface fastethernet 1/1
MySwitch1(config-if)#no switchport
MySwitch1(config-if)#no shutdown
MySwitch1(config-if)#ip address 192.168.1.3 255.255.255.0
MySwitch1(config-if)#exit

One nice thing left do at the end of the basic configuration is setting a login banner. The banner is written to the console after the login. If the company has hundreds of devices it helps to keep the overview. And I like asci art.

MySwitch1(config)#banner motd ^
#########################################
#  if you cant make it good, at least make it look good!!!    #
#                                                             #
#            Name:              MySwitch1                     #
#            Location:          HQ, Lucerne                   #
#            Model:             Cisco 3500                    #
#                                                             #
# WARNING, unauthorized access to this network is prohibited. #
#                                                             #
# Unauthorized access will lead to prosecution according to   #
# the law                                                     #
#########################################
^ 

Now the basic configuration of the running configuration is done. The last thing we do is copy the running configuration to the startup configuration by entering

MySwitch1#write

In a second Post we will create the uplink using port channel and vlans. If you are now hot to hack a little bit around. I found an free trial of a simulator on
http://www.certexams.com/buy.htm. It is very limited but it a good starting point.

Cheers Konrad

In ADSI edit Connect to the “Default naming context” and browse to the CN= Password Settings Container,CN=System,DC=YourDomain,DC=YourDomain. With the right click you are able to create a new PSO with a wizard (I am not 100 % sure but it is a wise idea to do this with the newest version of adsiedit.msc on the server).

The wizard shows up and your are able to set the PSO settings:
•    Password settings precedence
•    Password reversible encryption status for user accounts
•    Password history length for user accounts
•    Password complexity status for user accounts
•    Minimum password length for user accounts
•    Minimum password age for user accounts
•    Maximum password age for user accounts
•    Lockout threshold for lockout of user accounts
•    Observation window for lockout of user accounts
•    Lockout duration for locked out user accounts
•    Links to objects that this password settings object applies to (forward link).

The last setting is very nice. The policy are now bound to an active directory global, universal or domain local group. The PSO does not outweigh the older GPO based managed policy. If a user has a policy both through PSO and GPO the GPO policy is enforced.

To use the PSO a PDC Emulator FSMO Role must be configured on the Windows 2008 Server. The domain and forest function level must be at least Windows Server 2008. The PSO works on Windows XP, Vista, 2003 and 2008 Servers.

Enjoy the simplified but even though smarter password policy
Cheers Konrad

A good tool to find security issues is the “Microsoft Baseline Security Analyzer” aka. MBSA. Which is released in version 2.1. The MBSA can be obtained for free from the Microsoft homepage. My recommendation is to install the tool on one centrally accessible client or server. Because it need’s full RPC access to all machines that are to be tested. Some heretic may say that a client that needs RPC ports through the whole network is a security problem in high secure environment, and maybe he is right, but this is another topic. After a short installation of the MBSA it’s ready to use. The tool is the solution for scanning whole networks and domain. Please keep in mind that the tool needs some performance on the scanned server or workstation

Let us start with a report for one server. A notice to my chef: “This is not a corporate server, it’s an special virtual machine for this blog, so relax when you see the report at the end J”. One of the nice features is the possibility to set the patch repository to a local WSUS. So if there is a problem with a windows patch you decide to not install it doesn’t show up as an error. I recommend in most cases to use the Microsoft update as repository. Maybe you’ll find out some dark secrets of the WSUS administrator

After a scan that runs approximately for 40 seconds a nice report is created by the tool.

Special remarkable is that Microsoft gives a short description how to correct the problem.

A small summary is that the tool can’t make wonders, but it’s an nice way to ensures that the big risk’s are closed even when you don’t have detail knowledge of the software like SQL Server. The tool is not perfect so checkup the recommended solution. “Some potentially unnecessary services are installed“ means in my test lab the “save service” which is a virus scanner. After all it’s a good tool. Read you soon !!

Cheers Konrad

Lets take a closer look at the server. there are 16 Bays for servers some enterprise servers need two slots, some "low power" dual quad core etch with 32 GB memory need for tow serves an half slot. In my case i am using 16 HP ProLiant BL460c Server Blade. Nice to know is that this slots can be used for Tape (DLT 5), storage (DAS) and PCI-Express Blades. but you lose an slot.

The network slots of the blade can be equipped wit Cisco, hp, Mc Data and Virtual connect bays. cowsing the best for your environment is an very hard and complex dissensions. The Virtual connect is an brand new technology from hp witch is "weder fisch noch Vogel". the best description it is an Virtual Patch panel. it can swishing, some layer 3 thinks like vLan tagging. The most important thin is it is able to du an dynamic LACP port Cannel, with is on HP English an Auto Port .

so stop the geek fan boy stuff and lets talk about benefits / disappointment of Blade. in the most guid’s you find that the c7000 is internal complete redundant. this is simply an lie. The base board is one Part if its fail the hole c7000 goes DOWN !!!. HP say it hase an normal time to fial from 140 years. why i know to blade centers with the second baseboard i am  not so old It has 10 fans slots, but to operate in redundant mode you need only 8. if one fails nothing happened. my guess is you only need in future wit 16 GHZ 12 qore CPU an 200 gb ram the 10 fans. so safe the money while ordering. not every mezziane card that are able to work in the slot make sense.

thake a look to this schematics from hp product bulletin. With an half high blade (16 Blades per enclouser) you only able to use 2 slots. So if you buy an quad port NIC you only able to use 2. HP don’t tell you in the order process.  in Some cases blade are cheeper than normal serves but it depend on the configuration. in most case if you need fiber cannel HBA’s it’s an good chance to be on the cheeper side. Blade are an complex an modern technology witch requires intensive study for the IT professional’s.

at the least some nice videos from HP wit happy people from japan