11/09/2009

Website Redirection

I seem to be looking this up every time. Say I have a website with an app in a subfolder. I want to redirect to website/appfolder/default.htm so I don't make the user type https://website/appfolder.
Take this and save it as default.htm:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<html>
<head>
<title>TITLE</title>
<meta http-equiv="refresh" content="0;url=https://website/appfolder">
</head>
<body>
Please wait while you are being redirected.
Click <a href="https://website/appfolder">here</a> to go there immediately.
</body>
</html>

If you want to redirect from an unsecure (http) URL to a secure (https) URL, it is necessary to customize the 403.4 error message text to be the HTML code above.
Do this for IIS by replacing C:\WINDOWS\help\iisHelp\common\403-4.htm with the above.
You can revert to the default anytime:
  • Right-click the website and choose Properties
  • Click the Custom Errors tab
  • Click on the 403;4 entry and hit "Set to Default"

    11/06/2009

    NewSID retired

    I have always religiously run SysInternals' NEWSID when I cloned or imaged machines. I recently learned that it doesn't work well on Vista/Windows 2008 and doesn't work at all for Windows 2008 R2 or Windows 7.

    I am shocked now to learn that this has not been necessary all along. I'm still digesting it all, but Mr. SysInternals himself says this isn't even necessary and NEWSID is being retired.

    In this eye-opening article he walks through every use of the machine SID and proves that a duplicate machine SID in a workgroup or domain will not cause any problems.

    Mark's Blog

    10/30/2009

    Disable Strict Name Checking

    Allow proper network access to a server using a DNS alias:

    See Microsoft KB 281308, "Connecting to SMB share on a Windows 2000-based computer or a Windows Server 2003-based computer may not work with an alias name".

    Or copy the lines below into a .REG file and import it.


    Windows Registry Editor Version 5.00

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\lanmanserver\parameters]
    "DisableStrictNameChecking"=dword:00000001



    You may also need to disable loopback checking (KB 926642):

    Set the DisableLoopbackCheck registry entry in the HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa registry subkey to 1. To set the DisableLoopbackCheck registry entry to 1, follow these steps on the client computer:
    - Click Start, click Run, type regedit, and then click OK.
    - Locate and then click the following registry subkey:
    HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Lsa

    - Right-click Lsa, point to New, and then click DWORD Value.
    - Type DisableLoopbackCheck, and then press ENTER.
    - Right-click DisableLoopbackCheck, and then click Modify.
    - In the Value data box, type 1, and then click OK.
    - Exit Registry Editor.
    - Restart the computer.

    Windows 2008
    It still works for Windows 2008.

    Windows Server Black Logon Screen

    VERY strange problem
    Hit Ctrl-Alt-Del at the logon console or RDP to the server. You just get a black screen with difficult-to-see underscores where the logon fields should be. We were able to tab around on the screen, enter the logon name and password, and get logged on (or input logon credentials into RDP before connecting). Once logged on, everything was normal.

    We had two servers, both of which happened to be print servers, and both experienced this same issue at the same time. Windows 2003 R2 SP2 running as an ESX 3.5 virtual machine.


    Cause
    As strange as the problem is, its root cause is strangely simple:
    the display colors for the default user have all been changed to black.
    After a tedious internet search we learned about someone else's experience with this exact problem: http://www.flyhpr.com/blog/2005/02/windows-2003-black-login-screen.htm.
    They said they called Microsoft and this is a known problem, but supposedly they didn't get enough calls about it to make it a KB article. (That is also a very strange answer, by the way.) The article goes on to say Microsoft told them this issue was caused by the system drive running out of space.


    Solution

    Change the colors back to normal: copy the lines between the dashed rules below,
    save them as a .REG file, and run it on the server with the problem.
    -------------------------------------------------------
    Windows Registry Editor Version 5.00

    [HKEY_USERS\.DEFAULT\Control Panel\Colors]
    "ActiveBorder"="212 208 200"
    "ActiveTitle"="10 36 106"
    "AppWorkSpace"="128 128 128"
    "Background"="102 111 116"
    "ButtonAlternateFace"="181 181 181"
    "ButtonDkShadow"="64 64 64"
    "ButtonFace"="212 208 200"
    "ButtonHilight"="255 255 255"
    "ButtonLight"="212 208 200"
    "ButtonShadow"="128 128 128"
    "ButtonText"="0 0 0"
    "GradientActiveTitle"="166 202 240"
    "GradientInactiveTitle"="192 192 192"
    "GrayText"="128 128 128"
    "Hilight"="10 36 106"
    "HilightText"="255 255 255"
    "HotTrackingColor"="0 0 128"
    "InactiveBorder"="212 208 200"
    "InactiveTitle"="128 128 128"
    "InactiveTitleText"="212 208 200"
    "InfoText"="0 0 0"
    "InfoWindow"="255 255 225"
    "Menu"="212 208 200"
    "MenuText"="0 0 0"
    "Scrollbar"="212 208 200"
    "TitleText"="255 255 255"
    "Window"="255 255 255"
    "WindowFrame"="0 0 0"
    "WindowText"="0 0 0"
    -------------------------------------------------------

    10/22/2009

    Good article: Storms RIP the Net

    This is an informative recounting by Laura Chappell of the investigation and repair of a network traffic issue crippling a network. Nothing could stay connected even long enough to do a "normal" packet capture.
    She had them set up a quick packet capture outside the GUI so they could get on and grab the capture before being bumped off:

    tshark -c 100 -w gen1.pcap


    The -c parameter indicates the number of packets to capture. The -w parameter is used to define the name of the trace file to create.

    Looking at the 100 packets, the fact that the IP Identification field matched for every packet indicated that this was a looping condition rather than some kind of denial of service from a single host.

    A switch loop is easy to create and often hard to troubleshoot, unless you are looking for this exact condition. And often the opportunity to create a loop is made available to the masses with the proliferation of workgroup switches bought to avoid spending a couple hundred bucks on having another jack installed. ("Gee, here's the end of a cable coming out of a big tangle under my desk. It must need to be plugged in...")

    Separating broadcast domains into several VLANs, like one per floor or some other logical separation, can limit the scope of a problem due to a switch loop. At least only one VLAN will be down and you have a narrower search area for the loop -- check the log on one or two switches instead of 20-30.
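As an added example (not from the original article), the loop signature described above checked programmatically: a pure-Python reader for classic pcap files that tallies the IPv4 Identification field per source/destination pair and calls the capture a loop when one datagram dominates it. The capture it runs on is constructed in memory; a file written by the tshark command above can be passed to analyze() the same way.

```python
import struct
from collections import Counter

PCAP_MAGIC_BE = 0xA1B2C3D4
PCAP_MAGIC_LE = 0xD4C3B2A1
LINKTYPE_ETHERNET = 1


def build_frame(ip_id, src, dst, ttl=64):
    """Constructed frame: 14-byte Ethernet header, 20-byte IPv4 header (protocol 17,
    checksum left zero since the detector never validates it) and 8 bytes of payload."""
    eth = bytes.fromhex("001122334455" "66778899aabb" "0800")
    payload = b"\x00" * 8
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, 20 + len(payload), ip_id, 0, ttl, 17, 0,
                     bytes(int(o) for o in src.split(".")),
                     bytes(int(o) for o in dst.split(".")))
    return eth + ip + payload


def build_pcap(frames):
    """Wrap frames in a classic pcap file (big-endian magic, Ethernet link type)."""
    hdr = struct.pack("!IHHiIII", PCAP_MAGIC_BE, 2, 4, 0, 0, 65535, LINKTYPE_ETHERNET)
    recs = [struct.pack("!IIII", 1000 + i, 0, len(f), len(f)) + f
            for i, f in enumerate(frames)]
    return hdr + b"".join(recs)


def iter_frames(pcap_bytes):
    """Yield each captured frame from a classic pcap, honouring the file's byte order."""
    magic, = struct.unpack("!I", pcap_bytes[:4])
    if magic == PCAP_MAGIC_BE:
        endian = "!"
    elif magic == PCAP_MAGIC_LE:
        endian = "<"
    else:
        raise ValueError("not a classic pcap file (pcapng is not handled here)")
    linktype, = struct.unpack(endian + "I", pcap_bytes[20:24])
    if linktype != LINKTYPE_ETHERNET:
        raise ValueError("only Ethernet captures are handled")
    off = 24
    while off + 16 <= len(pcap_bytes):
        incl_len = struct.unpack(endian + "IIII", pcap_bytes[off:off + 16])[2]
        off += 16
        yield pcap_bytes[off:off + incl_len]
        off += incl_len


def ipv4_fields(frame):
    """Return (src, dst, ip_id, ttl) for an IPv4 frame, or None for anything else."""
    if len(frame) < 34 or frame[12:14] != b"\x08\x00" or frame[14] >> 4 != 4:
        return None
    ip_id = struct.unpack("!H", frame[18:20])[0]
    src = ".".join(str(b) for b in frame[26:30])
    dst = ".".join(str(b) for b in frame[30:34])
    return src, dst, ip_id, frame[22]


def analyze(pcap_bytes, min_repeats=10):
    """Classify a capture. One (src, dst, IP ID) tuple making up most of it means the
    same datagram keeps coming back, i.e. a loop. A layer-2 switch loop also leaves the
    TTL untouched, whereas a routing loop shows a descending TTL for the same ID.
    Many distinct IDs from one host look like a flood, not a loop."""
    seen, ttls, total = Counter(), {}, 0
    for frame in iter_frames(pcap_bytes):
        fields = ipv4_fields(frame)
        if fields is None:
            continue
        src, dst, ip_id, ttl = fields
        total += 1
        seen[(src, dst, ip_id)] += 1
        ttls.setdefault((src, dst, ip_id), set()).add(ttl)
    if total == 0:
        return {"verdict": "no-ipv4", "packets": 0}
    (top, count), = seen.most_common(1)
    is_loop = count >= min_repeats and count / total >= 0.5
    return {"verdict": "loop" if is_loop else "normal-or-flood", "packets": total,
            "top": top, "top_count": count, "ttls": sorted(ttls[top])}


def sample_loop_capture(n=100):
    """Constructed: one broadcast from 10.0.0.5 seen n times, as a switch loop replays it."""
    return build_pcap([build_frame(0x1234, "10.0.0.5", "10.0.0.255")] * n)


def sample_normal_capture(n=100):
    """Constructed: n datagrams with fresh IP IDs to a spread of destinations."""
    return build_pcap([build_frame(1000 + i, "10.0.0.5", "10.0.0.%d" % (10 + i % 20))
                       for i in range(n)])


if __name__ == "__main__":
    print(analyze(sample_loop_capture()))
    print(analyze(sample_normal_capture()))
```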

    10/16/2009

    Computer Browser Won't Start

    [HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Browser\Parameters]

    "MaintainServerList"="Yes"


    If MaintainServerList is set to No, the service will start and immediately stop with a message on the screen something like "some services only start when they are needed..."

    10/12/2009

    IE7 Restricted Sites

    Our enterprise administrators have pushed out the Restricted Sites list in IE somehow. After upgrading from IE6.x to IE7 this list's behavior appears to have changed. I am being restricted from a site, but when I go through the hundred or so items on the restricted sites list, I don't find this one to remove it. It has to be in there, but I can't see it.
    I came across this helpful .INF that took care of my problems.
    ; DelDomains.inf © 11-28-04 | Revised 01-15-06
    ; Created by: Mike Burgess  Microsoft MVP
    ; http://mvps.org/winhelp2002/
    ;
    ; Warning: Deletes all entries in the Restricted & Trusted Zone list
    ; http://mvps.org/winhelp2002/restricted.htm
    ;
    ; Revised to include the EscDomains key
    ;
    ; To execute this file: in Explorer - right-click (this file)
    ; Select Install from the Menu.
    ; Note: you will not see any onscreen action.
    [version]
    signature="$CHICAGO$"
    [DefaultInstall]
    DelReg=DelTemps
    AddReg=AddTemps
    [DelTemps]
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"
    ; Recreate the keys to avoid a restart
    [AddTemps]
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Domains"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKLM,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\Ranges"
    HKCU,"Software\Microsoft\Windows\CurrentVersion\Internet Settings\ZoneMap\EscDomains"

    9/28/2009

    Month of Chaos

    Keeping head barely above water is all the progress made in the month of September.
    - budget prep crunch for my bosses so I was hopping fulfilling requests for information
    - swine flu - one employee and other possibly related absences for care of sick child, pick up from child-care with fever, etc. 2 staff with vacations, 1 staff with training absence, and a regional flood which resulted in multiple staff absences in a 2 day period, and I had a 2 day family emergency as well.
    - I still have outstanding the "critical" "urgent" projects from over 3 weeks ago: extranet infrastructure, Windows 2008 Domain upgrade, Database cluster hardware replacement, Shanghai vpn concentrator setup, transition to new Exchange server in Hong Kong, migrate mailboxes out of NYC offices asap to get off rickety hardware platform as well as make progress toward centralization. Progress has been made in fits and bursts, but most of my time and that of my staff has been in dealing with crises almost on a daily basis.
    - The Highly Visible Crises: in LIFO order: NYC circuit flap resulting in no failover, Centralized exchange server mysteriously bogged down for 2 minutes, multiple mysterious losses of connectivity of Gig/E link connecting our stretched vlan to secondary data center, various weekend power outages from flooding/storms, security door cardscanner controllers down, new remote contractor with vpn phone problem dragging on for over 1 week must be fixed now, 18 hour total loss of connectivity to branch office awaiting local operations visit to restart router, urgent planning and discussions for replacing database cluster server hardware asafp, two SAN issues in a single day, revelations about free disk requirements for our Compellent SAN, HP virtual connect interface disconnect from HP Onboard Administrator and hurried deployment of new servers to migrate VM's to in order to fix virtual connect, HP iLO bug remotely mapping A: does not work -- the only stinking way to deploy a server is via HP RDP -- pita.
    Lessons Learned
    - HP iLO firmware bug prevents remotely mapping to A: disk. So there is just about no way to do a manual install and hit F6 during install to load the boot from SAN disk drivers when you are using a blade server. Perhaps this will be fixed with an upgrade to firmware, however that's a house of cards I'd rather not disturb right now. I thought I had made some progress with nLite build of windows installation, but it keeps telling me that I don't have the right disk driver for 64 bit windows 2003. Before we do a remote blade enclosure around the world we *have* to get a windows install working without having to first implement an RDP infrastructure (chicken and egg thing...)
    - Duh to Local Operations: just because somebody can connect to the internet but their phone can't connect to the VPN doesn't mean there is a problem with the phone itself requiring re-requesting the phone and building in a 3 day delay before this problem gets abdicated on account of lack of gumption to figure it out.
    - IPSec vpn - phone or not - *really* doesn't work well when a user buys a router and sticks it into his 8 year old dsl modem. This was another really phun day of telling a 60+ guy how to unplug his PC from his router into his dsl modem and guess at how to logon to it and browse for possible options for turning off NAT. At one point he got his ISP tech support on his other phone, put it on speaker and put me on speaker and had me try to talk to her. English was her second language (or third) and that didn't work out so he held the phone up to the speaker then to his ear and I would translate her question to him and coach him through our answer back and then explain her instructions to him on what to open, etc.
    - Although it may be technically possible to add a tray to a Data Domain Restorer appliance it didn't really work that way for us. A graceful shutdown is much more advisable first.
    - Compellent SAN would work best with 15-20% *unallocated* free space to allow for faster rebuilds of the RAIDsets of failed disks, etc. We are pushing 15% of "free" but allocated space. And we had a failing SATA drive around the time when a software bug in 4.3.2 code resulted in it "losing" the preferred paths to the SATA disks. This resulted in the "unlucky" i/o requests coming down the wrong path to pass over the backplane instead and that resulted in 4500ms (yes, 4.5 s) disk latency for the pool overall. This resulted in over 12 hours of troubleshooting and cussing and a conference call and some more stuff before this bug was isolated and resolved. That was an extraordinarily bad day in a totally crappy month.

    8/17/2009

    Good Monday

    - standard Monday morning stuff: timesheet corrections, review of schedules,
    - short staffed: one guy broke his foot over the weekend, another going to the doctor for strained back. another left early because his wife was sick and his child got sick at school and had to come home.
    - Help calls and emergencies were not excessive -- it's a good thing, I only have two hands and three keyboards.
    - First day of school today and I spent my final moments on my way out the door this morning "encouraging" my children to stop whining and fighting. This will be a fun year of homeschooling if this morning lasts all week.....
    - meeting with vendors
    - on licensing.microsoft.com downloading enterprise and standard versions of Windows 2008 R2 -- nearly 5GB!! Had to delete some old stuff off my IT server to fit these ISOs in.
    - signed up for Laura Chappell's free Wireshark class this week.
    - trying to cleanup notes and other work knowledge that is scattered around several places. Deleting old stuff.
    - familiarizing myself with lightweight access points/wireless lan controller wireless solution.

    8/14/2009

    Finicky QOS

    Laura's Blog
    The link to Laura Chappell's blog is really a teaser she posted to make us interested in her "top 10 reasons why the network is slow" online training session.
    If "training" was not a bad word around here, I'd recommend a couple of us attend that session and all the rest of them too. They are just $99 and they are awesome. I was able to watch one of them some time ago and it was extraordinary.
    Anyway, her blog has a link to a sample capture file. I wish I had gathered some captures a while back on our network because we had this very issue at one of our WAN sites.
    That office moved and got a new phone setup: all IP phones pointed to an enterprise phone system back in the HQ datacenter. That was all fine and good except the voice contractor doesn't listen to anything we say and we spent several days coming to some kind of half understanding of what the setup was and how we needed to make adjustments to QoS.
    Basically, we just need to dedicate half our circuit to the EF queue and then stick everything in it. :) Having worked now with both Avaya and Cisco VOIP people I find there is a really big gap in Avaya contractors giving a care about communicating with network people.

    Finally Friday

    This has been a long week. My boss was away and gladly it was fairly quiet. My network guy was out at the beginning of the week and broke his foot last night so was out today too.
    - fighting with moving backups off one of the backup to disk appliances so we can get rid of that physical unit. It has been a long road but we are finally where we need to be on backup storage, at least for now. Along the way it took a lot of acrobatics and some loaner equipment from the vendor. Once we get all the data off it we can return it. Most of the data "aged off" as designed, but some backup data we wanted to keep long term needed AUXCOPY'd off. This took all week and we had to reschedule moving the equipment until next week because it wasn't done.
    - just finished paperwork for performance appraisal for our best guy. Once I review it with him next week I will be done with administrative BS for a while.
    - speaking of administrative BS, our HR dept just forced all the managers to read a lame book and attend discussion sessions. It was what you might expect.
    - Planning more for upcoming extranet work and it's starting to shape up to the point I actually think we can get it done and it will work. Got a design drawing done and listed off what we need to buy. Still need to do a formal project plan.
    - Scheduled weekly meetings with all my staff. I had tried to save time and frustration by just having a big group meeting with everyone there. This meeting is very helpful to everyone and we get actual work done in them. However, it didn't really accomplish the same thing as personally reviewing status with each one individually.
    - spent some time talking with some guys from another firm like ours who aren't quite as far along as we are with Exchange 2007. I saw them on a listserv asking how well failover and failback worked with SCR replication. We had worked for a while under the delusion that we could fail back from an SCR failover. It was gratifying to help somebody out by sharing that wouldn't work, but I also got to compare notes about how they were doing VMware and other stuff. I need to focus on "networking" in the social sense much more like this.
    - got a bit done this week in the way of catching up and cleaning up. And left on time more days than usual.
    - will need to begin planning for either adding tier2 storage or finding a way to age more stuff into tier 3. We aren't nearly in as bad a shape as we were at the beginning of the year. That was a true crisis; we came close to a disastrous situation. I've been summarizing and reporting free space weekly and have a much better handle on what we have in use. It is just going to be hard to push for adding 2 more trays of storage after already adding disk this year.

    8/05/2009

    Exchange 2007 Client Access Server: Proxy


    This is an unbelievable pain.
    Exchange 2007 CAS works fine with Exchange 2003 mailbox servers in other AD sites. Why can't it connect with an Exchange 2007 server in another AD site without requiring proxying, which means we have to use integrated authentication?
    That really sucks because all our users are lulled into not having to put their domain in front of the userid when they logon -- all thanks to forms based authentication.

    Day in my I.T. life


    Today I changed the name of this blog to reflect my endeavor to post more than just little snippets of notes and references for problem solving. I will continue to post those as always, but in addition I am going to attempt to chronicle my life as an IT Manager at a professional services firm.

    I wear many hats even though I work as part of a management team in a fairly large IT organization. I get to be "specialized" to the point of being focused on enterprise-wide infrastructure operations and projects. Although I tend to hate my job, I love the technical work that I do and am privileged to work with a diverse team of fun people. Aside from that, like most organizations, I think my greatest challenge is the organization of this business, even down to the organization of the IT department. Part of being in this sub-department includes being a catch-all place for unknowable questions and the final destination of superstitious help requests that nobody else can figure out and deem "network issues." My documented responsibilities are enterprise wide design and support of server side systems including physical servers and storage, messaging, server workloads (VMware guests), and infrastructure such as DNS, DHCP, etc. The enterprise team is unfortunately without a network manager and hiring is frozen indefinitely. That means I get to split network responsibilities with my boss. This adds some aspects to my job that I enjoy, but it makes for busy days.

    Today's activities:
    - arrive at work, urgently needing the restroom after a long commute.
    - before visiting the facilities I got pulled into troubleshooting an odd problem with a system supporting our cardkey system. Long story on background, but a recovery operation conducted on a large number of VM's to fix a storage issue somehow resulted in the software being "unregistered" since it didn't see the server as the same hardware. Delegated someone to work with this totally useless vendor to re-register or reinstall or whatever.
    - discussed with my guys some alerts we received overnight and a helpcall regarding access to our intranet from a specific office. Suspected an issue with Riverbed (much more on this thing in the future...). However this problem had gone away by the time we got to troubleshoot it.
    - restroom break - finally.
    - respond to stupid e-mails from stupider people about a project that has been a goat rodeo since its botched initiation phase. As the non-stupid person on the project team it is my task to do all useful work and answer every single idiotic question they come up with now that the vendor seems to be checking out since the poorly defined requirements are 50-85% complete. (I find I cope better when I have low expectations and don't try to be the superhero of every project, especially the more stupid ones.)
    - received update that completely uncooperative local tech in one of our asia offices failed to follow instructions for connecting a new physical server to the network switch and we will not be able to move forward with installing it until another day is wasted on asking for her to correct the situation.
    - one on one meeting with my most experienced guy. Discussed many little items that had cropped up while he was out of the office on leave. And walked through the security architecture of a get-it-done-yesterday extranet project that has long been whined for but at numerous times when we get into details and ask questions about requirements the effort has fizzled out.
    - Got update on cardlock server which is dragging on half the day to do what the retard vendor said would take 5 minutes
    - Get coffee and run into extranet developer, successfully dodge questions and avoid standing there all day getting grilled about stuff that isn't approved.
    - research into Scrutinizer netflow aggregation software. Briefly compare with Orion plus SolarWinds with a colleague who had used them in the past.
    - use Scrutinizer to further investigate an issue with QoS for an office that was recently expanded and reconfigured. [Yesterday spent watching the service policy report dropped packets from priority queue (over 2000 in 24 hours). Tried using IP Accounting to sort out if something strange was going on or if there is just too much traffic.] Scrutinizer is a great utility and I am going to recommend purchasing it. The free version is useful on its own -- I gained several insights today -- but actually buying the real product will give us tons more features/options and the ability to store the data longer than 24 hours and get trend reports/etc.
    ---
    An aside here -- even though the telephone system is under the responsibility of our department it is very tightly siloed and many systems details are hidden deep in documents that nobody knows are there or are on screens in systems that we don't have a logon to access. Paranoia and limited networking skills on the part of our one primary resource are a big headache as we integrate more with voice systems. It's been 18-24 months that we have been in the same department and yet we are still dragging details out about how IP trunks have been configured and what systems a voice call passes over.
    ---
    - Get more coffee. It's already after 2 and our cut-to-the-bone staff is light today due to vacations and sickness and I'd probably get called back if I tried to go to lunch so I'll just eat this coffee cake that somebody dumped here in the kitchen after nobody ate it at some meeting or something.
    - After finding some interesting things in the netflow data I have some questions to ask of the voice person/vendor. I also see some odd things hitting the priority queue that shouldn't. I check the router configuration and see an obvious error and correct it.
    - after seeing over 2000 drops again today we shall see what tomorrow brings. However I am still seeing packets getting dropped.
    - Talk to yet another useless network service provider about a chronic problem with a circuit on a backup WAN link to one of our domestic offices. This circuit went down shortly after activation and went unnoticed for a week or so since it was a redundant T1 on a backup WAN router. When it was reported it spent a week getting passed from the service provider to the LEC and back only for them all to report it was fine, even though nobody ever called us about it and it was still down. Ticket was reopened and then mysteriously got closed without any action. After over a month we are escalated to a service manager and this guy was so scatterbrained. He put me on hold about 5 times while he talked to people about my issue and got paged by his boss about something else, etc. Every time he gets back he apologizes again that this ticket got closed for no reason last time. He made lame small talk while his slow system came up and expressed a sentiment that I share but I would never tell one of my customers: "I love routers, I'd rather work with routers than people..." ROTFL ... So anyway while I'm on the phone trying to get him to call and yell at the LEC again to get them to finally come onsite to check this out apparently the LEC is doing testing on this circuit for the 3rd time. And by the time I get off the phone with this crazy guy the circuit is actually working. Then I get to call this guy back and go through a long process of convincing him that it's now working after he reads the number wrong, pulls up the wrong interface and swears to God and me that it's still down. Finally he is convinced and will call the LEC and tell them not to go onsite and charge us a fortune.
    - Get a negative response to a backchannel request to get the RTM of Windows 2008 R2 now, instead of 2-3 weeks from now, so that we can proceed with upgrading our domain prior to another big project that is likely to affect AD. Realize I've never gotten a response to my official request from our TAM that seems to spend his life e-mailing everybody patch notices and e-mails full of links to stuff on the MS website.

    7/29/2009

    HTML: Scrolling Slideshow

    Interesting HTML options for a scrolling slideshow

    Force STP Root

    Hard-code the spanning-tree root by giving the switch that should be root a low bridge priority:

    spanning-tree mode rapid-pvst
    spanning-tree vlan 1-1000 priority 8192


    TCP Parameters

    http://support.microsoft.com/kb/224829

    DSCP & TOS Values

    Excellent reference:

    web conferencing appliance

    Very interesting web conferencing product:

    7/16/2009

    Fw: html color palette

    Excellent site to compare color combinations and find the HTML color codes.

    7/14/2009

    LOOKING GLASS
    Example script to check several telnet route servers and create an HTML file of the AS-PATH to a prefix


#!/usr/bin/perl
# Looking glass: query public route servers for the AS-PATH to a prefix and
# write the results as dated HTML reports plus an index page.
use strict;
use warnings;
use Net::Telnet ();

my $outdir = "\\inetpub\\wwwroot\\look\\data";
my $idxdir = "\\inetpub\\wwwroot\\look";
my $url    = "data";
my $prefix = "4.4.4.0/24";   # prefix to look up on each route server
my $my_as  = "32166";        # AS number the AS-PATH lines are filtered on
mkdir($idxdir);
mkdir($outdir);

# list of public route servers accepting telnet with no logon
my @list2 = (
    "route-views.optus.net.au",
    "route-server.videotron.net",
    "route-server.ipilink.net",
    "route-server.host.net",
    "public-route-server.is.co.za",
    "route-server-east.gt.ca",
    "route-server-west.gt.ca",
    "route-server.gt.ca",
    "route-views.on.bb.telus.com",
    "route-views.ab.bb.telus.com",
    "routeserver.sunrise.ch",
    "route-server.belwue.de",
    "route-server.ip.tiscali.net",
    "route-server.eu.gblx.net",
    "route-server.cerf.net",
    "route-server.gblx.net",
    "route-server.he.net",
    "route-server.twtelecom.net",
    "route-server.central.allstream.com",
    "route-server.east.allstream.com",
    "route-server.west.allstream.com",
    "route-server.vtl.net",
    "route-server.eastlink.ca",
);

# date
my ($sec, $min, $hour, $mday, $mon, $year) = localtime time;
$year += 1900;
$mon  = sprintf("%02d", $mon + 1);
$mday = sprintf("%02d", $mday);
$hour = sprintf("%02d", $hour);
$min  = sprintf("%02d", $min);
my $date = "$mon-$mday-$year $hour:$min";

# Escape router output before it goes into the HTML report so that nothing a
# remote system returns can be rendered as markup or script in the browser.
sub html_escape {
    my ($s) = @_;
    $s =~ s/&/&amp;/g;
    $s =~ s/</&lt;/g;
    $s =~ s/>/&gt;/g;
    return $s;
}

# Build report
my $file = "$outdir\\$year-$mon-$mday-$hour$min.html";
open(my $fil, '>', $file) or die "Cannot create $file: $!\n";

print $fil <<ENDHEADER;
<HTML>
<HEAD>
<TITLE>Looking Glass Results</TITLE>
<META HTTP-EQUIV="Refresh" CONTENT="300">
<META HTTP-EQUIV="Cache-Control" content="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="Mon, 16 May 2005 13:59:00 GMT">
<style type="text/css">
H1 {font-family:serif; border-width: 0; border-bottom: solid; text-align: left}
H3 {font-family:serif; padding-top:0px;color:#000000;padding-bottom:0px;margin-bottom:0px;}
body {font-family:monospace;font-size:.75em;margin:3%;padding:0px;background:#aabbcc;color:#000000;}
</style>
</HEAD>

<BODY bgcolor="#ffffff" text="#000000" link="#000000" vlink="#000000" alink="#000000">

<H1>AS-PATH to $prefix</H1>
<H4>$date</H4>
<HR>
ENDHEADER

# telnet to each router and query for info
foreach my $router (@list2) {
    print ".";
    print $fil "<H2>$router</H2>\n";
    my $t = Net::Telnet->new(Timeout => 20, Errmode => "return");
    unless ($t->open($router)) {
        # unreachable route server: record it and move on instead of hanging
        print $fil "<p>connect failed: " . html_escape($t->errmsg) . "</p>\n<HR>\n";
        print "X";
        next;
    }

    ## Wait for prompt and enter command.
    $t->waitfor('/>/') or print "X";
    $t->print("show ip bgp $prefix");
    my ($result) = $t->waitfor('/>/');
    $result = "" unless defined $result;
    $result =~ s/\r//g;
    $t->close;

    # Filter results for lines containing (AS) 32166, dropping repeated lines
    my @output;
    my $prev = "prior line\n";
    print ".";
    foreach my $line (split(/\n/, $result)) {
        next if $line eq $prev;
        if ($line =~ /\b$my_as\b/) {
            push(@output, html_escape($line) . "<br>\n");
            $prev = $line;
        }
        print ".";
    }

    print $fil "<p>@output</p>\n";
    print $fil "<HR>\n";
    print ".";
}

print "\n";
print $fil <<ENDTAIL;
</BODY>
</HTML>
ENDTAIL

close $fil;

# Build index of reports
open(my $idx, '>', "$idxdir\\look.html") or die "Cannot create index: $!\n";

print $idx <<IDXHEADER;
<HTML>
<HEAD>
<TITLE>Looking Glass Results</TITLE>
<META HTTP-EQUIV="Refresh" CONTENT="300">
<META HTTP-EQUIV="Cache-Control" content="no-cache">
<META HTTP-EQUIV="Expires" CONTENT="Mon, 16 May 2005 13:59:00 GMT">
<style type="text/css">
H1 {font-family:serif; border-width: 0; border-bottom: solid; text-align: left}
H3 {font-family:serif; padding-top:0px;color:#000000;padding-bottom:0px;margin-bottom:0px;}
body {font-family:monospace;font-size:.75em;margin:3%;padding:0px;background:#aabbcc;color:#000000;}
</style>
</HEAD>

<BODY bgcolor="#ffffff" text="#000000" link="#000000" vlink="#000000" alink="#000000">

<H1>INDEX</H1>
<H3>AS-PATH to $prefix</H3><BR>
IDXHEADER

# list the report files oldest first, by modification time
opendir(my $source, $outdir) or die "Cannot open the source folder for reading: $!\n";
my @sorted_files =
    map  { $_->[1] }
    sort { $a->[0] <=> $b->[0] }
    map  { -f "$outdir/$_" ? [ (stat _)[9], $_ ] : () }
    readdir $source;
closedir($source);

for (@sorted_files) {
    my $file_full_path = "$url/$_";
    print $idx qq(<a href="$file_full_path" target="_blank">$_</a>     \n);
}

print $idx <<IDXTAIL;
</BODY>
</HTML>
IDXTAIL

close $idx;

    NAT ORDER OF OPERATIONS


    MRTG

    CONFIG MAKER USING INTERFACE DESCRIPTIONS
    perl cfgmaker --ifref=name --ifdesc=descr community@router > output.fil

    SNMPv2 TO SUPPORT LARGE BANDWIDTH LINKS
    For interfaces of 1Gb or greater, append "::::2" to the end of the Target line in the CFG. This tells MRTG to poll that target with SNMP v2, which supports 64-bit interface counters (a greater number of bits than v1 offers for the traffic counts on such links). The cfgmaker Target line already ends in a colon, so the result ends in ":::::2", e.g.:
    Target[10.1.1.4_Te1_4_1]: #Te1/4/1:community@10.1.1.4:::::2

    PNGTITLE
    Add a title inside the graphic using PNGTitle.

    Use this regex to add that line after each SetEnv line (\( \) are capture groups and & in the replacement inserts the whole match):

    Find:    SetEnv\[\(.*\)\]:.*MRTG_INT_IP="\(.*\)".*MRTG_INT_DESCR="\(.*\)".*\n
    Replace: &PNGTitle[\1]: \2 - \3\n
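Both CFG edits above, applied to a constructed snippet of cfgmaker output as an added example (not code from the original post); the interface names, IP and community string are made up, and MaxBytes is used to decide which targets are 1Gb or faster.

```python
import re

# Added example (not from the original page): apply the two CFG edits above to a
# constructed snippet of cfgmaker output (the interface, IP and community are made up).
SAMPLE_CFG = """\
Target[10.1.1.4_Te1_4_1]: #Te1/4/1:community@10.1.1.4:
SetEnv[10.1.1.4_Te1_4_1]: MRTG_INT_IP="10.1.1.4" MRTG_INT_DESCR="Te1/4/1"
MaxBytes[10.1.1.4_Te1_4_1]: 1250000000
Target[10.1.1.4_Fa0_1]: #Fa0/1:community@10.1.1.4:
SetEnv[10.1.1.4_Fa0_1]: MRTG_INT_IP="10.1.1.4" MRTG_INT_DESCR="Fa0/1"
MaxBytes[10.1.1.4_Fa0_1]: 12500000
"""

# Same three capture groups as the page's find pattern: target name, MRTG_INT_IP, MRTG_INT_DESCR
SETENV_RE = re.compile(
    r'^SetEnv\[(.*)\]:.*MRTG_INT_IP="([^"]*)".*MRTG_INT_DESCR="([^"]*)".*$', re.M)

def add_png_titles(cfg: str) -> str:
    """Insert 'PNGTitle[name]: ip - descr' after every SetEnv line (the page's replace step)."""
    return SETENV_RE.sub(
        lambda m: f"{m.group(0)}\nPNGTitle[{m.group(1)}]: {m.group(2)} - {m.group(3)}", cfg)

GIGABIT = 125_000_000  # 1 Gbit/s in bytes per second, the unit cfgmaker writes into MaxBytes

def use_snmpv2_for_fast_links(cfg: str, threshold: int = GIGABIT) -> str:
    """Append the SNMP version field ('::::2') to Target lines of interfaces >= threshold."""
    maxbytes = {m.group(1): int(m.group(2))
                for m in re.finditer(r'^MaxBytes\[(.*)\]:[ \t]*(\d+)', cfg, re.M)}

    def fix(m):
        name, rest = m.group(1), m.group(2).rstrip()
        if maxbytes.get(name, 0) >= threshold and not rest.endswith(":::::2"):
            return f"Target[{name}]: {rest}::::2"   # cfgmaker's line already ends in ':'
        return m.group(0)

    return re.sub(r'^Target\[(.*)\]:[ \t]*(.*)$', fix, cfg, flags=re.M)

def prepare_cfg(cfg: str) -> str:
    """Apply both edits, as one would after running cfgmaker; safe to run twice."""
    return use_snmpv2_for_fast_links(add_png_titles(cfg))

if __name__ == "__main__":
    print(prepare_cfg(SAMPLE_CFG))
```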

    6/17/2009

    Cisco::VRF::Routing


    Segregating WAN traffic to provide public internet access from a central location

    We provide wireless internet in public areas in every office. For this purpose we provide cable internet, DSL, or dedicated T1 circuits. To save money and better control this traffic, we want to direct it back through our headquarters' internet circuits. To do this we need a way to segregate this traffic on our WAN links, both for security and to keep it from over-utilizing the WAN.
    VRF and tunnels seem to be the answer.

    Cisco Design Guide
    Good Overview

    Extranet::Sharepoint::Design


    This will be an interesting project: putting an ISA server in a DMZ and pointing it to a front-end SharePoint server.
    Some good design links on technet:
    IAG

    DMZ Architecture

    scaling

    high availability

    VMWare::Internals


    Some of our VMs still have the little ".flat" file that points to the real .vmdk file. It is bad when that file goes away.


    Free utility to rebuild the descriptor file:

    http://www.phdvirtual.com/wrapgen

    5/27/2009

    HTML


    Spent some quality time today working on my project journal site. I tried getting fancy with CSS to try to figure it out. I'm left with kind of a hybrid mess until I have more time to spend on it. I now have a table formatted page, but with an external style sheet taking the place of the STYLE section of my header.
    Some good links:
    http://www.wpdfd.com/issues/70/css_from_the_ground_up/

    http://www.cryer.co.uk/resources/javascript/html5_fun_with_bullets.htm#MenuStyleBulletList

    4/20/2009

    Outlook PermissionsAdmin

    Other features include the ability to export and import permissions, propagate or remove delegate permissions to all or some of the mailbox folders, view individual messages ( and deleted ones as well) and more.
    3/26/2009

    Exchange

    TCPIP patch and network guidance

    IOS

    sho int counters errors

    MRTG

    Use the interface name and description instead of the interface number when running cfgmaker, to get more useful graph descriptions:
    perl cfgmaker --ifref=name --ifdesc=descr  [community]@[routerip]

    3/23/2009

    USB Device Install Fix

    A USB storage device won't automatically set up its device driver, even though XP or Vista is supposed to ship with the latest driver.

    Under C:\WINDOWS\INF there should be several usb*.inf files such as usb.inf, usbprint.inf and usbstor.inf.

    If one is missing, for example usbstor.inf, extract a new one from the compressed copy in i386:

         expand c:\i386\usbstor.in_ c:\windows\inf\usbstor.inf

    2/27/2009

    Windows::NET


    You learn something new every day.
    I often use the NET USE command. Today I heard from a colleague that if you don't want to pick a drive letter, you can just do something like:

    NET USE * \\server\folder\


    and it will pick a drive letter for you, starting at Z: and working back through the alphabet until it finds one that is free.

    2/25/2009

    Windows::Time::Links


    http://support.microsoft.com/kb/816042
    http://technet.microsoft.com/en-us/library/cc773013.aspx

    Windows::NTFS::Links



    http://www.ntfs.com/

    Fix Time Sync Problems on Windows Domain

    • Confirm the outside time source is working.
    • Identify the PDCe in the root AD domain: log on to a root DC and run
      NETDOM QUERY PDC
    • Log on to the PDCe and confirm no errors are returned when syncing:
      W32TM /RESYNC
    • Create a file with the names of all DCs in the root domain (except the PDCe) using the following command:
      NETDOM QUERY DC > ROOTLIST.TXT
    • Clean up the file and run the following commands to reset the DCs to take time from the domain hierarchy and then sync time:
      PSEXEC @ROOTLIST.TXT W32TM /CONFIG /SYNCFROMFLAGS:DOMHIER /UPDATE
      PSEXEC @ROOTLIST.TXT W32TM /RESYNC /REDISCOVER
    • Confirm time synced:
      W32TM /MONITOR
    • Create a file with the names of all the DCs in the subdomain and repeat the above for the subdomain.
    • Repeat for workstations.

  • Time Sync

    Time Sync in Windows Domain

    MS Exchange CCR Cluster: Maint

    How to Move a Storage Group and Its Database in a CCR Environment
    Pasted from http://technet.microsoft.com/en-us/library/aa997196(EXCHG.80).aspx

    How to Move a Database in a CCR Environment
    Pasted from http://technet.microsoft.com/en-us/library/aa997646(EXCHG.80).aspx

    MS Exchange Failover to SCR Node


    It was a really fun weekend. Scheduled building power-down overnight -- shut down Exchange servers gracefully. Next morning both CCR nodes failed to boot up. After hours on the phone with the server vendor, SAN vendor, and Microsoft, we decided to fail over to the SCR copy. It didn't seem to go according to the documents I've read.

    Below are notes of how documents said it should work:

    To get a formatted list of SG settings:
    Get-StorageGroup -Server priexs01ccr | fl


    The following commands were used to move PRIEXS01CCR to SCR target SECEXS01-1. The generic form from the article is:
    Restore-StorageGroupCopy -Identity <storage group> -StandbyMachine NH-W2K3-SRV01 -Force

    (Pasted from http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/clustered-continuous-replication-failover-standby-continuous-replication-part2.html)


    Get-StorageGroup -Server priexs01ccr | Restore-StorageGroupCopy -StandbyMachine Secexs01-1 -Force


    Get-Storagegroup -server priexs01ccr | Disable-StorageGroupCopy -StandbyMachine Secexs01-1 -Confirm:$false


    (Will most likely return errors)

    Get-storagegroupcopystatus -server priexs01ccr -StandbyMachine Secexs01-1

    (This is to verify that the StgCopy returns not configured)

    DNS: change IP to new CMS IP

    Verify that the ID used for the cluster service has the change-computer permission in AD.
    DO NOT RUN /NEWCMS unless you have MS on the phone and they tell you to.

    Run the following with the correct info:
    setup.com /RecoverCMS /CMSName:CCREX01 /CMSIPAddress:172.16.6.153

    (Pasted from http://www.msexchange.org/articles_tutorials/exchange-server-2007/high-availability-recovery/clustered-continuous-replication-failover-standby-continuous-replication-part2.html)

    This is what we actually did with MS support:

    Setup.com /RecoverCMS /CMSName:priexs01ccr /CMSIPAddress:10.100.1.43

    Get-MailboxDatabase -Server priexs01ccr | Set-MailboxDatabase -AllowFileRestore:$True

    Get-MailboxDatabase -Server priexs01ccr | Mount-Database


    Get-MailboxDatabase -Server priexs01ccr -Status |ft *name*,*mount*

    (Creates a formatted list with status)

    Verify that Allow File Restore is no longer checked on the SGs. This should occur automatically after the DBs mount, but check just in case.

    1/16/2009

    Change priority of DNS SRV records

    1/05/2009

    Application             Layer 3 Classification      Layer 2 CoS
                            IPP    PHB     DSCP
    IP Routing              6      CS6     48          6
    Voice                   5      EF      46          5
    Interactive Video       4      AF41    34          4
    Streaming Video         4      CS4     32          4
    Critical Application    3      AF31    26          3
    Call-Signaling          3      CS3     24          3
    Network-Management      2      AF21    18          2
    Bulk Data               1      AF11    10          1
    Scavenger               1      CS1     8           1
    Best Effort             0      0       0           0
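The arithmetic behind that table, as an added example (not from the original page): the PHB names determine the DSCP value, IP Precedence is the top three DSCP bits, and the table sets Layer 2 CoS equal to it. The rows are rebuilt from the PHB names alone, and a small helper renders the class-map lines the config below uses.

```python
import re

# Added example (not from the original page): the arithmetic behind the table above.
# PHB names encode the DSCP: CSx = 8x, AFxy = 8x + 2y, EF = 46, best effort = 0;
# IP Precedence is the top three DSCP bits, and the table sets Layer 2 CoS equal to it.

def dscp_value(phb: str) -> int:
    """Return the numeric DSCP for a PHB name such as 'EF', 'CS6', 'AF41' or '0'."""
    phb = phb.upper()
    if phb == "EF":
        return 46                           # 101110
    if phb in ("0", "BE", "DEFAULT"):
        return 0
    m = re.fullmatch(r"CS([0-7])", phb)
    if m:
        return int(m.group(1)) << 3         # class selector: precedence bits only
    m = re.fullmatch(r"AF([1-4])([1-3])", phb)
    if m:
        klass, drop = int(m.group(1)), int(m.group(2))
        return (klass << 3) | (drop << 1)   # AFxy = 8x + 2y
    raise ValueError(f"unknown PHB name: {phb}")

def ip_precedence(dscp: int) -> int:
    """IP Precedence (and the Layer 2 CoS used in the table) is DSCP >> 3."""
    return dscp >> 3

# Application -> PHB, as listed in the table above
CLASSES = [
    ("IP Routing", "CS6"), ("Voice", "EF"), ("Interactive Video", "AF41"),
    ("Streaming Video", "CS4"), ("Critical Application", "AF31"),
    ("Call-Signaling", "CS3"), ("Network-Management", "AF21"),
    ("Bulk Data", "AF11"), ("Scavenger", "CS1"), ("Best Effort", "0"),
]

def build_table() -> list:
    """Rebuild the (application, IPP, PHB, DSCP, CoS) rows from the PHB names alone."""
    rows = []
    for app, phb in CLASSES:
        d = dscp_value(phb)
        rows.append((app, ip_precedence(d), phb, d, ip_precedence(d)))
    return rows

def class_map(name: str, *phbs: str) -> str:
    """Render an IOS class-map matching the given PHBs, in the form the config below uses."""
    return "\n".join([f"class-map match-any {name}"] + [f" match ip dscp {p.lower()}" for p in phbs])

if __name__ == "__main__":
    for app, ipp, phb, dscp, cos in build_table():
        print(f"{app:22} IPP {ipp}  {phb:5} DSCP {dscp:2}  CoS {cos}")
```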

    Below is an example of a quick start quality of service configuration. We will walk through this configuration over the phone.

    Apply the below under global configuration mode:

    config t

    class-map match-any Voice
     match ip dscp ef
    class-map match-any Routing
     match ip dscp cs6
    class-map match-any Call-Signaling
     match ip dscp cs3

    policy-map QOS
     class Voice
      priority percent 5
     class Routing
      bandwidth percent 5
     class Call-Signaling
      bandwidth percent 5
     class class-default
      bandwidth percent 60
      queue-limit 256

    Then apply the QoS policy, in the outbound direction, to the interface:

    interface "interface-name"
     service-policy output QOS

    We set DSCP CS3 for call-signaling. Some older devices use AF31 instead. If this is the case then add AF31 to your call-signaling class-map:

    class-map match-any Call-Signaling
     match ip dscp cs3
     match ip dscp af31

    Also please reference the Cisco Solutions Reference Network Design (SRND) Guide for specific questions about best-practice deployments within the enterprise. Please click on the link below to access our SRND for QoS.

    http://www.cisco.com/univercd/cc/td/doc/solution/esm/qossrnd.pdf