Category Archives: Windows XP


Managing DNS In Windows Server 2012

Previously, I covered installing the DNS role in Windows Server 2012. Once installed, managing the role is very similar to how it was done in Windows Server 2003 through 2008 R2, with the exception of how you access the tools. DNS is one of the most important services in Windows Server, as with most other platforms, so it’s important to configure it properly.

To get into the DNS Manager in 2012 Server, first open Server Manager (you might get sick of using this tool in Server 2012, similar to how my Mac Server brethren have gotten tired of it in Lion and Mountain Lion Servers). Then, from Server Manager, click on DNS from the Tools menu.


Once the DNS Manager MMC is open, notice that you will have Forward and Reverse Lookup Zones listed. The forward zones map names to IP addresses or other types of records, and the reverse zones contain information about what the name is for a given IP address.


By default there are no zones, so click on New Zone from the Action menu to bring up the New Zone Wizard. From here, click on Next. If this server will be authoritative for a new zone, choose Primary Zone. Otherwise, choose Secondary Zone if the server will be acting as a secondary name server for a given zone (make sure the primary allows zone transfers from the IP of the system you’re configuring), or select Stub Zone if the server will host a partial list of records. Click Next when you’ve selected the type of zone to create.


At the Zone Name screen, enter a name for the zone, for example krypted.com. Once you’ve entered the zone name, click Next.


At the Zone file screen, enter a name for the file that information about the new zone will be stored in and click on the Next button.


At the Dynamic Update screen, choose whether the zone will allow dynamic updates. Here, you can choose whether clients can update DNS records in the zone and, if so, who can do so. I usually just leave this at the default (unless I’m preparing to install AD into the zone) and click on the Next button.


At the Completing the New Zone Wizard screen, click on the Finish button (provided of course that the settings match your desired configuration for the zone).


Once you see the domain name in DNS Manager, double-click on it. You’ll see the NS and SOA records. Usually you won’t ever end up touching these. Next, create records for your domain. Using the Action menu, create a new A record, CNAME, etc. In this example, we’ll create a basic A record, selecting the checkbox to automatically create a PTR with the record. Click


Continue creating your records until they’re all built, and take this time to test them as well, as they’re being created. I usually like to run a flushdns between each creation/change:

ipconfig /flushdns

Once you’re done with all of the records, I usually like to restart DNS with net stop:

net stop dns

And of course, start it back up.

net start dns

At the DNS Manager screen, right-click (control-click if you’re using a Mac) on the name of the server and then click on Properties. From the Properties screen, you’ll initially see the Interfaces tab. Here, uncheck the box for any of the interfaces you don’t wish to have a listener for the DNS service (port 53).

Click on the Forwarders tab. Here, define the servers that your server uses to resolve names it isn’t authoritative for. DNS is kinda’ like a pyramid scheme like that. You shouldn’t need to use these too often, but there are some great options here for conditional forwarders, where your server looks to a specific server for a given DNS domain.


Click on the Advanced tab. Here, you can configure a variety of server options. A common security task would be to disable recursion. If this server is an Active Directory-integrated DNS server, doing so would not stop the other Active Directory DNS servers from communicating with one another, as they receive their DNS information from Active Directory, as can be seen in the Load zone data on startup field of this screen. The Enable BIND secondaries option allows a Mac to act as a secondary DNS server for the records stored on this server. This doesn’t work too well with Active Directory service records, in my experience, but works pretty well with anything else provided you define each zone to cache.


Click on Root Hints. If you need to edit these then you might be doing something wrong. Root hints are the root DNS servers that sit atop the DNS pyramid scheme. I’ve only ever needed to edit these once, at the instruction of Microsoft during a support call for an environment that was in a walled garden. If the server connects to the Internet then chances are it should use the Forwarders to resolve names as opposed to Root Hints.


Click on the Monitoring tab. Here, you can configure a small monitor that will run queries against the DNS server (a simple query, or a recursive query as indicated with the second option), and you can automate the test to run every so often and show the results.


Click on the Event Logging tab. By default, all events are logged. Here, you can decrease logging so that the server only logs errors, warnings or even nothing at all.


Click on the Debug Logging tab. This is like a special rockin’ tcpdump for DNS. You can log packets of various types with regards to name resolution, filter the output by IP address(es) and dump the information out to a file. This is extremely detailed logging, so you also have the option to indicate a maximum size for your log files.


You also have more granular controls for each domain. In DNS Manager, right-click on your new domain and then click on Properties. Here, you’ll see the information you provided when configuring the zone in the first place (btw, zone is pretty much the same thing as domain, except each subnet of IP addresses for PTR records is also considered a zone). At the General tab you can pause a domain’s DNS, change the zone from a primary to a secondary if needed, etc. You can also define a different name for your zone file and enable dynamic updates. If the zone is a primary zone, click on the Aging button if you’d like to configure stale record scavenging. There, you can define when records that have become stale are automatically deleted.


Click on the SOA tab. Here, you can define the serial number for the domain. This is incremented automatically, but you can override it if needed. You can define the primary server if the zone is a secondary and then provide an email address/username of the person who manages the domain. Here, you also configure the TTL for the domain, domain record expiry, retry intervals for the domain, etc.


At the Name Servers tab, you can add the servers that host this zone (its NS records).


Click on the WINS tab. If you are integrating WINS with DNS then chances are you missed flannel going out of style. But that’s ok, since provided you’re wearing your flannel with super tight jeans that require a can opener to get off, it’s just fine to wear a flannel. Anyway, if you use WINS with DNS, you’ll need to install WINS with Server Manager. When you go to add WINS it’s a feature, not a role.


Click on Zone Transfers. This is where you define which IP addresses are able to perform a zone transfer for the domain you’re configuring. By default, only the hosts listed on the Name Servers tab are allowed to. To open it up to everyone (not the best security option) click “To any server”, or to use a separate list from the Name Servers, use the “Only to the following servers” button and then the Edit button to populate the list.


Once you’ve configured the properties for your zone as granularly as you’d like, click Apply and then finish populating the zone with any other required records and testing all the settings. I also like to restart my DNS again after all that fun stuff.
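The wizard and Properties tabs above, scripted with the DnsServer PowerShell module that ships with the Server 2012 DNS role, as an added example rather than anything from the original post. The zone name is the post's; the record, secondary and forwarder addresses and the reverse zone are constructed placeholders, and the audit function at the end lists any primary zone still open to transfers from any server.

```powershell
# Added example: configure and harden a zone on a Windows Server 2012 DNS server.
# All addresses below are constructed placeholders; krypted.com is the post's zone.
Import-Module DnsServer

$Zone      = 'krypted.com'
$Secondary = '10.0.0.53'   # constructed: the one host allowed to pull the zone
$Forwarder = '10.0.0.1'    # constructed: upstream resolver for non-authoritative names

# New Zone Wizard, scripted: primary zone, explicit zone file, no dynamic updates.
if (-not (Get-DnsServerZone -Name $Zone -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -Name $Zone -ZoneFile "$Zone.dns" -DynamicUpdate None
}

# The "create associated PTR" checkbox needs a reverse zone to write into.
if (-not (Get-DnsServerZone -Name '0.0.10.in-addr.arpa' -ErrorAction SilentlyContinue)) {
    Add-DnsServerPrimaryZone -NetworkId '10.0.0.0/24' -ZoneFile '0.0.10.in-addr.arpa.dns'
}
Add-DnsServerResourceRecordA -ZoneName $Zone -Name 'www' -IPv4Address '10.0.0.10' -CreatePtr

# Forwarders tab: send everything else to the forwarder instead of the root hints.
Set-DnsServerForwarder -IPAddress $Forwarder -UseRootHint $false

# Advanced tab: an authoritative-only server does not need to recurse for clients.
Set-DnsServerRecursion -Enable $false

# Zone Transfers tab: only $Secondary may transfer, and it is notified of changes.
Set-DnsServerPrimaryZone -Name $Zone -SecureSecondaries TransferToSecureServers `
    -SecondaryServers $Secondary -Notify NotifyServers -NotifyServers $Secondary

# Debug Logging tab: packet-level query/answer logging to a file.
Set-DnsServerDiagnostics -Queries $true -Answers $true -SendPackets $true -ReceivePackets $true `
    -UdpPackets $true -TcpPackets $true -LogFilePath 'C:\Windows\System32\dns\dns.log'

# Audit: is any primary zone (other than the auto-created ones) still open to any server?
function Get-OpenTransferZones {
    Get-DnsServerZone |
        Where-Object { $_.ZoneType -eq 'Primary' -and -not $_.IsAutoCreated -and
                       $_.SecureSecondaries -eq 'TransferAnyServer' } |
        Select-Object ZoneName, SecureSecondaries
}
Get-OpenTransferZones

# The post restarts DNS after making changes; same here.
Restart-Service -Name DNS
```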


List All DNS Records For A Domain

Sometimes you want to move a domain but you don’t have a copy of the zone file to recreate the records from. The easy way to do this is to grab a zone transfer. To do so, dig is your friend (point it at one of the zone’s authoritative name servers with @server, since a recursive resolver won’t serve a transfer):

dig @ns1.mycompany.com -t AXFR mycompany.com

Sometimes though (and actually more often than not) a zone transfer is disabled. In that case you’ll need to dig the domain a bit differently. I like to use +nocmd, query for any and list the results (+answer):

dig +nocmd krypted.com any +answer

Which results in the following:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 39183
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 1262 IN A 97.74.215.39
krypted.com. 3600 IN MX 0 smtp.secureserver.net.
krypted.com. 3600 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3600 IN NS ns25.domaincontrol.com.
krypted.com. 3600 IN NS ns26.domaincontrol.com.
krypted.com. 3600 IN SOA ns25.domaincontrol.com. dns.jomax.net. 2010010400 28800 7200 604800 3600

;; Query time: 127 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:31:15 2013
;; MSG SIZE rcvd: 207

The above shows the naked domain name entry (yes, I still giggle every time I write the word naked so it’s ok if you giggled when you read it), all of the mail records (which, btw, I don’t actually use for mail, so please don’t try to send any at this time) and the name servers. Now, the serial and refresh information doesn’t appear to be included in this output. Actually, it is, but it might not make sense, so we’ll just add the +multiline option, which will make this look strangely like a zone file:

dig +nocmd krypted.com any +multiline +answer

Notice the serial, refresh, retry, expire and minimum options are now listed in a much more fashionable way:

;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 10965
;; flags: qr rd ra; QUERY: 1, ANSWER: 6, AUTHORITY: 0, ADDITIONAL: 0

;; QUESTION SECTION:
;krypted.com. IN ANY

;; ANSWER SECTION:
krypted.com. 3225 IN A 97.74.215.39
krypted.com. 3225 IN MX 0 smtp.secureserver.net.
krypted.com. 3225 IN MX 10 mailstore1.secureserver.net.
krypted.com. 3225 IN NS ns25.domaincontrol.com.
krypted.com. 3225 IN NS ns26.domaincontrol.com.
krypted.com. 3225 IN SOA ns25.domaincontrol.com. dns.jomax.net. (
2010010400 ; serial
28800 ; refresh (8 hours)
7200 ; retry (2 hours)
604800 ; expire (1 week)
3600 ; minimum (1 hour)
)

;; Query time: 22 msec
;; SERVER: 4.2.2.2#53(4.2.2.2)
;; WHEN: Tue May 7 22:32:20 2013
;; MSG SIZE rcvd: 207

And there ya’ go. You’ve basically done a zone transfer on a box, even though zone transfers are disabled. Silly DNS admins, disabling zone transfers and all that… Yes, I disable zone transfers on most of my DNS boxen as well, or at least only allow them for specific IPs… ;)


Reboot Windows 8 Pro Using A Touch Screen

How to reboot Windows 8 using a touch screen.


Powershell Goodies From Vexasoft

There are a number of features that make mass deployment of Mac OS X pretty easy. Some of these would be great to have in Windows. These range from systemconfiguration to networksetup and the ability to look at packages that have been installed and review their bills of material. Well, the good people at Vexasoft have built a number of Powershell libraries that, while they aren’t named as such, do a number of the features that these commands do, just for Windows clients via Powershell. And the best part is, a number of them are free.

Let’s look at what some of these commands do:

  • First, there are the cmdlets used to manage the network stack (so similar to various verbs in networksetup). These include Add-NetworkAdapterDNS, Add-NetworkAdapterGateway, Add-NetworkAdapterIP, Disable-NetworkAdapter, Enable-NetworkAdapter, Get-NetworkAdapter, Remove-NetworkAdapterIP, Remove-NetworkAdapterGateway, Remove-NetworkAdapterDNS, Set-(followed by the others from the above sets) and Rename-NetworkAdapter.
  • Second, you can automate binding with Set-Domain. This is similar to dsconfigad but less awesome because it’s third party, but still more awesome than the native tools because it’s easier.
  • Third, rename the system. This is similar to scutil, hostname, sets. Just use Rename-Computer to change the name of a Windows system.
  • My favorite, having written something similar, is probably Get-RemoteDesktopConfig and Set-RemoteDesktopConfig, similar to the kickstart options in OS X.
  • And a tool similar to installer in OS X, Install-MSIProduct, which installs MSIs.
  • Sixth, there’s Set-Pagefile, because if you’re gonna’ change it, do so while imaging to save a reboot later…
  • While there are others, the final one I’d like to mention is still free: Get-RegistryKey, which gives us the ability to basically run the closest thing to defaults commands I’ve found against the Windows platform.

They install as standard Powershell modules, making them easy to drop into practically any imaging environment. Much of this can be done via WMI or Powershell already, but would require a bit more legwork to script. Having them pre-built makes it easier than ever to perform, on Windows, some of the basic tasks we do en masse on other platforms.


And The Badass Award Goes to CrashPlan…

Over dinner one night, Matthew Dornquast, the CEO of CrashPlan, was running something by a few of us sitting around the table. Basically, giving access to files that are backed up in CrashPlan to other systems. I don’t think I fully understood what he was talking about (I mean, you can already restore data on any system you install CrashPlan on, right?) and didn’t pay much mind to it. Then, I heard about the CrashPlan app for iOS (iPhone, iPad, iPod Touch).

After downloading the app, I realized it wasn’t just showing me when my machines last backed up (which it does very nicely). It’s more than that. You can actually download files from your CrashPlan backup, view them and then use the clipboard to shuttle them to another program. For example, the keynote that I had been working on last night opened nicely in the Keynote app on my iPad and I was able to view it on my TV at home by mirroring my iPad to the TV.

This kind of innovation is what I’ve come to expect from these guys. Their deduplication tech far exceeds what you pay for. Unlimited backup to their cloud for the home version is just awesome. Making the home version free for backing up to other computers is just a nice thing to do. And to top it all off, the PROe stuff far exceeds what anyone else can do in terms of edge, or client, backups, and they have a nice mass deployment story, making it easy to both integrate with LDAP and deploy via packages. You can even back up an Xsan with it (to disk of course), making it amongst the least expensive packages for doing so.

Overall, I think what I’m saying is that I think their tech deserves the badass award!


Disable autotuning in Windows

Microsoft has a great feature called autotuning. Autotuning though can be problematic when it comes to network connections with Microsoft Outlook, Internet Explorer 7, RDC and even some file sharing protocols over the WAN. This is mostly because not all firewalls support TCP Window Scaling for non-HTTP-based protocols.

If you’re running into problems where these applications give you errors like “Outlook is trying to retrieve data from the Microsoft Exchange Server Exchange_Server_FQDN” then you can try disabling autotuning to see if that is your problem (usually this involves WAN connections, btw). To disable autotuning, use netsh to set the TCP autotuninglevel to disabled:

netsh interface tcp set global autotuninglevel=disabled

To turn autotuning back on, just set the autotuninglevel to normal:

netsh interface tcp set global autotuninglevel=normal


NTP, OS X, Windows, Cisco and You

At this point, most Mac admins know how to enable ntp on a Mac OS X Server and set clients to the server. Most Mac admins also know how to use managed preferences to set ntp as well. We all know that time is pretty important and most are using ntp at this point.

Network time should, almost by definition, be continuous, which lets ntpd in Mac OS X update clocks in small increments. Managing corrections with little overhead or impact to the system makes ntp an inexpensive way to manage clocks. But ntp is also built to keep things running smoothly even when there are a lot of corrections. The corrections ntp makes are tracked and can be seen using the ntpdc command. ntpdc is used to view and set the state of the ntp daemon and is interactive. To enter the interactive environment, simply type ntpdc at a terminal prompt:

ntpdc

Once you are in the ntpdc interactive environment you will need to use one of the many verbs provided by ntpdc. One such verb is loopinfo, used to “display loop filter information:”

ntpdc> loopinfo

offset: 0.017866 s
frequency: -499.996 ppm
poll adjust: 13
watchdog timer: 209 s

The above output has four items of interest:

  • Offset: How far off the client is from the server (drift is natural, so all zeros here typically means the server is offline).
  • Frequency: The frequency correction, in parts per million, currently applied to the kernel clock.
  • Poll adjust: Used to increase or decrease the polling interval. The range is -30 to 30; 13 is an increase of 13 seconds whereas -30 would represent a decrease of 30 seconds.
  • Watchdog timer: The time since the last update to the system.

Note: To make it easier to parse, you can run loopinfo with the oneline option, placing the output on a single comma-separated line.

There are other verbs as well, which allow you to add servers (addserver), show peers (showpeer), set a password to use for authenticated requests (passwd), see various statistics (sysstats, sysinfo, stats, instates, ctlstats, clockstat, iostats) and set encryption keys (keyid, trustedkey, untrustedkey, etc). There’s a pretty good bit you can do with these verbs; just run help to see a full list of supported verbs (my favorite verb other than loopinfo is fudge).

You can also check ntp information on the fly using the ntpq command. Here, ntpq -p will show you the name, IP address and other information live:

ntpq -p

Returns:

remote refid st t when poll reach delay offset jitter
==============================================================================
*time.apple.com 17.72.133.55 2 u 181m 512 376 32.169 17.084 0.315

Windows clients using Active Directory domains automatically get time from domain controllers. If a client is part of an Open Directory or SMB-based domain, you can add a NTP server by clicking on the time in the system tray (bottom right corner of the Windows screen). Click on Internet Time. Click the check box for Automatically synchronize with an Internet time server. Enter the name or IP of the ntp server. Click the Update Now button.
When finished, you’ll see a note that Your time has been successfully synchronized.

For clients other than Windows, it makes little sense to set ntp settings with a GPO, given that systems not in Active Directory won’t really use them. And most environments that don’t have a directory service are pretty small. But this isn’t to say that you won’t want to deploy these settings en masse. Much as you can use the /etc/ntp.conf file or the systemsetup -setnetworktimeserver command to configure a time server in Mac OS X, you can use the registry to do so in Windows. If you can use the registry to configure a setting, you can then use regedit or regedit32 to set the keys programmatically.

But if you choose to, the values are under HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\W32Time\Parameters (most notably the NtpServer value), or you can use w32tm with the /config option. Once configured, resync the clock to the time server to test. This can be done with w32tm:

w32tm /resync /rediscover
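The Windows side of this, as an added PowerShell example that is not from the original post: set a manual NTP peer with w32tm on a client that is not in an AD domain, read back the W32Time\Parameters values named above, and run the post's resync test. time.example.com is a constructed placeholder, and w32tm /query assumes Vista or later.

```powershell
# Added example: point a non-domain Windows client at an NTP server with w32tm,
# then check the values the post names under W32Time\Parameters.
# time.example.com is a constructed placeholder; w32tm /query needs Vista or later.
$Peer     = 'time.example.com'
$ParamKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\W32Time\Parameters'

function Get-W32TimeConfig {
    # Type is NT5DS when the AD hierarchy is used and NTP for a manual peer list.
    $p = Get-ItemProperty -Path $ParamKey
    [pscustomobject]@{ Type = $p.Type; NtpServer = $p.NtpServer }
}

function Set-NtpPeer {
    param([Parameter(Mandatory)][string]$Server)
    # 0x8 = client mode; syncfromflags:manual uses this list rather than a DC.
    w32tm /config /manualpeerlist:"$Server,0x8" /syncfromflags:manual /update | Out-Null
    Restart-Service -Name W32Time
    # The post's own test: force a resync and re-discover the source.
    w32tm /resync /rediscover
}

'Before:'; Get-W32TimeConfig
Set-NtpPeer -Server $Peer
'After:';  Get-W32TimeConfig

# Offset from the peer, stratum, and which source was actually used.
w32tm /query /status
w32tm /query /source
```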

Mac OS X and Windows can use an ntp-based server, but given that ntp is so widely used, what else? Using ntp with appliances can help with authentication protocols and also assist with triangulating issues from within log files. So, how about a Cisco IOS device. SSH into one and let’s get started. First off, run the enable command and then provide a password:

enable

Then, go into config mode:

config t

Now we’re going to use the ntp command and issue update-calendar to tell IOS to update the hardware clock from the software clock:

ntp update-calendar

Then we’ll specify our ntp server(s):

ntp server 10.0.0.88

Note: Just run the ntp server command twice if you want to specify a second ntp server.

Then exit config mode:

exit

And write your new settings into memory:

wr mem


Subversion Cheat Sheet

I’ve done a few articles in the past on different tasks in svn and git, but I have a little cheat sheet of sorts I’ve been using for a while for Subversion on Mac OS X and thought I would share it. Before you get started, check your version. I use 2.0 but I seem to remember all of these are about the same as they were previously:

svn --version

To get started, Subversion uses a repository to store projects. Each client needs a repository, and these should be on directly attached drives. The repository hosts a Berkeley database with a folder per project you check out or import. To create a repository in a folder called Repository that lives in your home folder, you can use the following command, which uses the svnadmin command (svnadmin is used for most admin tasks in Subversion and the svn command itself is used for most user operations) and then the create verb, followed by a path:

svnadmin create ~/Repository

Note: These commands are mostly the same in Windows, except you use a drive letter rather than a fully qualified path. They are identical in Linux.

Within the Repository directory, each project will have a folder. Within these, you would then create folders for branches, tags and trunk, where trunk is the directories and files you will be working with. Then, we’ll import our first project. To do so we’re going to use the svn command, along with the import verb and then, in the second position, the local directory to import (here, project). Next, we’ll define the location. The location could be http:// or file:///. In this case we’ll use an existing, mounted AFP file system at /Volumes/myserver/sharedrepo/projectname. Next, we’ll just put a message in there using the -m option, indicating “First Import”:

svn import project file:///Volumes/myserver/sharedrepo/projectname -m "First Import"

That wasn’t so bad. To see a list of the projects stored in a repository, use the svn command along with the list verb. When I do this, I like to use the --verbose option (optional, thus an option). You would also provide the path to the repository:

svn list --verbose file:///Users/cedge/Repository

To update your working copy with the latest changes from the repository:

svn update

We now have a local copy of the project we imported earlier (creatively called projectname) and can work on it. Before we start working on it though, we want to check it out. To do so, we’ll use the svn command, along with the checkout verb. We’ll then provide the path to the project and name of the project:

svn checkout file:///Users/cedge/Repository/projectname/trunk projectname

When you’re done working on things, let’s look at what’s changed using svn’s status verb (btw, a writing point, by making svn possessive there, did I give it a personality? If so, then it’s certainly cranky at times so I suppose that’s fine):

svn status

You’ll invariably want to add things to a project, which uses the oddly named add verb (bad grammar pun, sry):

svn add filename

Removing files is a similar process:

svn delete filename

Adding, deleting and changes all need to be committed once you’re done working on the project. To commit changes, use the commit verb. Here, we’re going to provide a message explaining what we did (Added a method for handling invalid file names and bad grammar puns) and then the path:

svn commit -m "Added a method for handling invalid file names and bad grammar puns" file:///Users/cedge/Repository/projectname/trunk

I didn’t include tagging, getting releases (list verb), using preshared keys (ssh-keygen, ssh-copy-id, ssh-agent, ssh-add), resolving conflicts (resolved verb), so feel free to add comments with your examples if others read this and would like to add more!


The Most Elite Hax0r Evah!

This came across the UUASC email list. It is a video by a kid who seems to have the most awesomest understanding of IP and traceroute that I have ever seen. The use of a “dot dot” to reference a colon, or as he calls it, semi-colon also shows his strong command of the proper way to reference the system as well. I stand in awe of his l33t skillz!

Next up, how to use ping to see how many people are watching his video on YouTube…


Change Listening Port for RDP

In Windows 7 (and previous versions for that matter), you can change the port that RDP listens on for new Remote Desktop connections. To do so you would fire up regedit and then browse to the following key:

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp\PortNumber

Here, you would change the PortNumber to a new decimal value that is the port you wish to listen on. Save, reboot and you’re good to go.
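The same registry change as an added PowerShell example (not from the original post), with the firewall rule the new port needs and a read-back of the value. The key path is the one above; 3390 is a constructed example port.

```powershell
# Added example: move the RDP listener off 3389, open the new port in Windows
# Firewall before rebooting, and verify the registry value. 3390 is a constructed
# example port; choose your own.
$NewPort = 3390
$RdpKey  = 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp'

function Get-RdpPort {
    # PortNumber is a REG_DWORD; regedit shows it in hex unless you pick Decimal.
    (Get-ItemProperty -Path $RdpKey -Name PortNumber).PortNumber
}

function Set-RdpPort {
    param([Parameter(Mandatory)][ValidateRange(1, 65535)][int]$Port)
    $old = Get-RdpPort
    Set-ItemProperty -Path $RdpKey -Name PortNumber -Value $Port -Type DWord
    # The built-in "Remote Desktop" firewall rule only covers 3389, so without
    # this rule the first connection to the new port fails after the reboot.
    netsh advfirewall firewall add rule name="RDP-TCP-$Port" dir=in action=allow protocol=TCP localport=$Port | Out-Null
    [pscustomobject]@{ OldPort = $old; NewPort = (Get-RdpPort) }
}

Set-RdpPort -Port $NewPort
# The listener picks the new port up only after a reboot (or restarting TermService);
# clients then connect as host:3390. A non-default port is still found by a port
# scan, so keep NLA and source IP restrictions in place.
```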