Exchange 2007 Not Reading All DCs

When people install programs without fully realizing what they are doing, bad things tend to happen. Installing Exchange can be a tedious process; it has so many prerequisites that it can take several hours just to get to the point where Exchange actually starts to install.

As we all know, Exchange 2007 requires a 64-bit operating system. At least it's required in a production environment, since Microsoft will not support 32-bit Exchange 2007 servers. We also know that Exchange 2007 will not use a Global Catalog running on Windows 2000 Server: it requires the domain controllers and global catalogs it talks to (at least one of each in every site where Exchange is installed) to run Windows Server 2003 SP1 or later. And we all know that AD is required for Exchange to be happy. These are things we know.

Open the Exchange Management Console and navigate to Server Configuration. In the main reading pane you should see your Exchange Server(s). Right-click on your Exchange Server and select Properties. On the System Settings tab, the bottom two text boxes show the Domain Controller(s) and Global Catalog(s) Exchange is currently using. If you have more than one domain controller and Exchange is only showing one, you have a problem.

First thing to check is always the Event Viewer. Check eventvwr!!!
Second thing to check is that you can ping your DC from the Exchange Server, and that you can ping your Exchange Server from your DC. While you are at it, make sure the DC's FQDN resolves in DNS from the Exchange Server, because that is how Exchange finds it.
Third thing is to run the command "dcdiag" on the DC that is not showing up in Exchange:
Start - Run - CMD - dcdiag - press enter
If all of those pass with flying colors, you can add the DC and GC manually to Exchange using PowerShell (the Exchange Management Shell).

PowerShell Fix Steps:

On the Exchange Server, open the Exchange Management Shell.
set-exchangeserver -identity Name_Of_Server -staticDomainControllers 'dc.domain.com', 'dc2.domain.com'
set-exchangeserver -identity Name_Of_Server -staticglobalcatalogs 'dc.domain.com', 'dc2.domain.com'

IMPORTANT NOTE!!!
Name_Of_Server MUST BE the name of your Exchange server. If you named it exchange07, use that name!
'dc.domain.com' MUST BE the FQDN (Fully Qualified Domain Name) of the domain controller, not just its short name. If the DC is called dc1 in mydomain.local, the FQDN would be dc1.mydomain.local! Only servers that actually hold the Global Catalog role belong in -staticglobalcatalogs.

Then recheck in the Exchange Management Console to verify that the GC and DCs are properly imported.

If you ever need to remove the additions (it is Set-ExchangeServer again, not Get; Get only reads):
set-exchangeserver -identity Name_of_server -staticdomaincontrollers $NULL
set-exchangeserver -identity Name_of_server -staticglobalcatalogs $NULL
After roughly 15 minutes, the "real" GCs and DCs should be populating. If not, check the Event Viewer! Keep in mind that a static list turns off Exchange's own DC discovery, so if a pinned DC goes down Exchange will not fail over to another one. Treat the static entries as a bridge while you fix whatever broke discovery, not as a permanent setting.
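Here is an added example (my own script for this post, not something shipped with Exchange) that does the checks above from the Exchange Management Shell before pinning anything: it confirms each name is an FQDN, resolves in DNS, and answers on LDAP (389), and only puts the ones that also answer on the GC port (3268) into the global catalog list. The server name, the DC names and the use of try/catch (PowerShell 2.0 or later) are assumptions.

```powershell
# Added example, not from the original post. Server and DC names are
# placeholders; assumes PowerShell 2.0+ for try/catch/finally.

$exchangeServer = 'exchange07'
$candidates = 'dc.domain.com', 'dc2.domain.com'

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 3000)
    # Plain TCP connect with a timeout; no LDAP bind, just "is something listening"
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $ar = $client.BeginConnect($ComputerName, $Port, $null, $null)
        if (-not $ar.AsyncWaitHandle.WaitOne($TimeoutMs, $false)) { return $false }
        $client.EndConnect($ar)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

$dcList = @()
$gcList = @()
foreach ($name in $candidates) {
    # Static entries must be FQDNs; a short name will not be accepted reliably
    if ($name -notmatch '\.') { Write-Warning "$name is not an FQDN, skipping"; continue }
    try { [void][System.Net.Dns]::GetHostAddresses($name) }
    catch { Write-Warning "$name does not resolve in DNS, skipping"; continue }
    if (-not (Test-TcpPort $name 389)) { Write-Warning "$name does not answer on LDAP 389, skipping"; continue }
    $dcList += $name
    # Only a Global Catalog listens on 3268; a plain DC does not belong in the GC list
    if (Test-TcpPort $name 3268) { $gcList += $name } else { Write-Warning "$name is a DC but not a GC" }
}
if ($dcList.Count -eq 0) { throw 'No usable domain controllers found; leaving the static lists alone.' }

Set-ExchangeServer -Identity $exchangeServer -StaticDomainControllers $dcList
if ($gcList.Count -gt 0) { Set-ExchangeServer -Identity $exchangeServer -StaticGlobalCatalogs $gcList }

# -Status populates the Current* properties, so you can compare what Exchange
# is actually using against what you just pinned.
Get-ExchangeServer -Identity $exchangeServer -Status |
    Format-List Name, StaticDomainControllers, StaticGlobalCatalogs, CurrentDomainControllers, CurrentGlobalCatalogs
```

The point of the port checks is the failure mode the static list creates: once you pin a name, Exchange will keep trying it even if it never answers, so it is worth proving each one works before you commit it.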

Comcast Business with Third-Party Router

I’ve had a few clients that required the use of their current router/firewall combination but wanted the speed of the new Comcast Business Cable Internet connection.

The last client has 16 employees all running on a bonded T1 connection. Maxing out at 1.544 Mbit/s per T1 is no way to live in today's age. So this client ordered Comcast high-speed to replace the aging T1 (at less than half the cost too), and wanted help getting everything up and running. Why not use the Comcast/SMC router/firewall combination and call it a day? Well, that would be the easy way out. The SMC device is pretty potent for average use, but does not have a VPN server built in. The current configuration has VPN in the mix.

Unfortunately there is no way to setup the SMC into bridged mode, so that makes it a little more difficult to setup. Here’s a little fix I found out after searching for a few hours (yes, hours).

Log into the SMC Firewall (cusadmin/highspeed by default; change that password while you are in there, since anyone on the LAN side who knows the default can do exactly what you are about to do)
Click on the firewall setting
Make sure Disable Firewall for True Static IP Subnet Only is enabled (this means your own router/firewall is now the only thing between the static block and the internet, so make sure its WAN side denies everything you have not explicitly allowed)
Make sure Smart Packet Detection is disabled
Check your network settings AND WRITE THESE DOWN (we want the public IP address, which is not a 10.*.*.*, the netmask, usually 255.255.255.252, the gateway, which is usually the adjacent IP in that /30, and the DNS servers)
Save all settings

Log into your existing router/firewall
Set the IP address of the WAN to the Public IP of the SMC Firewall you wrote down
Set the Gateway, Subnetmask, and DNS entries also to what you’ve written down.
Save all settings

Plug a cable from one of the SMC Firewall's LAN switch ports to the WAN port of your existing router/firewall. Check your connection by pinging 4.2.2.2.

If you’ve set everything up correctly you should get responses by 4.2.2.2 UNLESS you have a rule specifically denying ICMP replies. In that case, just open a web browser window and start running on the internet. You may want to use www.speakeasy.net/speedtest to run a speed test.

After connecting, the speed test indicated a connection of 21395 kbps down and 8947 kbps up. That's about 2674 KB/s (2.6 MB/s) down and 1118 KB/s (1.1 MB/s) up. Not bad at all.
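As an added example (my own script, not part of the original write-up or anything from Comcast or SMC), here is a sanity check for the values you wrote down from the SMC before they go into the third-party router: it verifies the address is really public rather than something from the SMC's own 10.x LAN or a carrier-NAT range, works out the network, broadcast and usable hosts of the static block so the gateway can be checked against them, and then does the same reachability test as above with a DNS lookup alongside the ping. The 203.0.113.x addresses are placeholders.

```powershell
# Added example, not from the original post. Addresses are placeholders
# standing in for the values copied from the SMC's network page.

function ConvertTo-IPNumber([string]$Dotted) {
    # Dotted quad -> 32-bit number held in a long (no -shl needed, works on old PowerShell)
    $n = [long]0
    foreach ($b in [System.Net.IPAddress]::Parse($Dotted).GetAddressBytes()) { $n = $n * 256 + $b }
    $n
}

function ConvertFrom-IPNumber([long]$Number) {
    $parts = @()
    for ($i = 3; $i -ge 0; $i--) { $parts += [string](([math]::Floor($Number / [math]::Pow(256, $i))) % 256) }
    $parts -join '.'
}

function Test-PrivateIP([string]$Dotted) {
    # RFC 1918 plus the 100.64/10 carrier-NAT range; none of these is a "true static IP"
    $n = ConvertTo-IPNumber $Dotted
    $ranges = @(
        @('10.0.0.0',    '255.0.0.0'),
        @('172.16.0.0',  '255.240.0.0'),
        @('192.168.0.0', '255.255.0.0'),
        @('100.64.0.0',  '255.192.0.0')
    )
    foreach ($r in $ranges) {
        if (($n -band (ConvertTo-IPNumber $r[1])) -eq (ConvertTo-IPNumber $r[0])) { return $true }
    }
    $false
}

function Get-StaticWanInfo([string]$IPAddress, [string]$SubnetMask, [string]$Gateway) {
    $ip        = ConvertTo-IPNumber $IPAddress
    $mask      = ConvertTo-IPNumber $SubnetMask
    $network   = $ip -band $mask
    $broadcast = $network + (4294967295 - $mask)
    $gw        = ConvertTo-IPNumber $Gateway
    $problems  = @()
    if (Test-PrivateIP $IPAddress) { $problems += "$IPAddress is a private/CGNAT address, not the public static IP" }
    if ($ip -eq $network -or $ip -eq $broadcast) { $problems += "$IPAddress is the network or broadcast address" }
    if (($gw -band $mask) -ne $network) { $problems += "gateway $Gateway is not inside the $SubnetMask block of $IPAddress" }
    if ($gw -eq $ip) { $problems += 'gateway is the same as your own address' }
    New-Object PSObject -Property @{
        Network   = ConvertFrom-IPNumber $network
        Broadcast = ConvertFrom-IPNumber $broadcast
        FirstHost = ConvertFrom-IPNumber ($network + 1)   # for a /30 the gateway is one of these two
        LastHost  = ConvertFrom-IPNumber ($broadcast - 1)
        Problems  = $problems
    }
}

$info = Get-StaticWanInfo -IPAddress '203.0.113.6' -SubnetMask '255.255.255.252' -Gateway '203.0.113.5'
$info | Format-List
if ($info.Problems.Count -gt 0) { throw ($info.Problems -join '; ') }

# Same check as the post, ICMP to 4.2.2.2, plus a name lookup: a router rule
# that drops ICMP replies makes ping alone a false negative.
Test-Connection -ComputerName 4.2.2.2 -Count 2 -Quiet
[System.Net.Dns]::GetHostAddresses('www.speakeasy.net') | Select-Object -First 1
```

Run it from any Windows box plugged into the new router's LAN side once the WAN settings are saved; if it throws, fix the typed-in values before you start chasing the cable or the SMC.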

Folding At Home Error

I use FaH at home (PS3, File Server, Gaming Rig) and at work (Workstation, Non-Production Server). The beta SMP clients give the most points so I end up using those when I can.

I did get this error though:
MISSING_WORK_FILES

Booo.
So I changed the shortcut from:
"C:\Program Files (x86)\Folding@Home Windows SMP Client V1.01\Folding@home-Win32-x86.exe" -smp
to:
"C:\Program Files (x86)\Folding@Home Windows SMP Client V1.01\Folding@home-Win32-x86.exe" -delete 1

Then when you run the program it’ll say “deleting work unit from queue” and then self-close. You may need to run this for all 4 in the queue (or more if you’ve set it that way). Just change -delete 1 to -delete 2, -delete 3, -delete 4, and so on.

Make sure to change it back to -advmethods or -smp if you want it to run again.

ARP Address Security

ARP, or Address Resolution Protocol, is how a computer finds the hardware (MAC) address of another device on the same network. Basically, your computer has an IP address (192.168.1.100) and wants to talk with your email server (192.168.1.101). Your computer broadcasts an ARP request asking who owns 192.168.1.101. A reply comes back saying that 192.168.1.101 has a MAC address of xx-xx-xx-xx-xx-x1, your computer caches that pairing for a while, and the two can talk. Anything outside your own subnet goes through the gateway instead, so the one MAC your computer really cares about for internet traffic is the gateway's. It obviously gets more tedious when you add routers and switches to the mix, and internet devices with different masks. Oh man!

But there is a problem: ARP has no authentication, and the interesting addresses are predictable. The broadcast address is the last address in the subnet (in our example 192.168.1.255, delivered to the Ethernet broadcast MAC FF:FF:FF:FF:FF:FF), and the gateway is usually the first usable address (192.168.1.1), though nothing requires that. Nothing stops another host on the LAN from answering for the gateway's IP, or from sending unsolicited replies claiming it. Every computer that accepts the answer updates its cache and sends its internet-bound traffic to the attacker, who quietly forwards it on so nobody notices.

Computer: Hi everyone, I’m looking for the gateway
Poison: I’M THE GATEWAY!!!
Poison: I’M THE GATEWAY!!!
Computer2: Hi everyone, I’m looking…
Poison: I’M THE GATEWAY!!!
Computer2: … for the gateway
Poison: I’M THE GATEWAY!!!

You can see why ARP poisoning actually works. The poisoning programs keep repeating the claim, as unsolicited (gratuitous) replies and broadcasts, so the victims' caches never age back to the real gateway.

So, how do you protect against this? The easiest way is to push a startup script to all your machines that clears the ARP cache and adds a static ARP entry for the gateway, so spoofed replies for that IP are ignored. The problem with this approach is that if you ever change the gateway or its network card, the MAC address in the static entry is no longer valid and internet traffic stops until the script is updated. It also only covers your half of the conversation: the gateway's own ARP cache can still be poisoned with your IP, so return traffic can still be diverted. On managed switches, Dynamic ARP Inspection with DHCP snooping stops the spoofed replies at the port, which covers both directions.

Windows 2000/XP/Vista:

Start -> Run -> CMD
arp -d
arp -s 192.168.1.1 00-18-00-18-00-18

-d deletes entries (with no address, it clears the whole cache)
-s adds a static entry
Obviously put your own gateway IP address and MAC address in there. If you need to find the MAC, run arp -a on a network you trust and locate the entry for your gateway. Grab it once, from a clean network, and keep that copy; reading it off a machine that is already being poisoned just pins the attacker's MAC.

Vista requires elevated privileges to run the arp commands. Right-click Command Prompt and choose Run as administrator; that will help with many of the problems.

Vista may require the following instead:

netsh -c "interface ipv4"
set neighbors "Local Area Connection" "192.168.1.1" "00-18-00-18-00-18"

Then check to make sure with:

arp -a
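Here is an added example (my own script for this post, not something from the original) that turns the checks above into something you can push out or run by hand: it parses arp -a output, compares the gateway's MAC against the one you recorded on a clean network, flags any other host that shows up with the same MAC (the attacker's real address usually does), and builds the netsh command that pins the gateway. The interface name, gateway IP and both MAC addresses are placeholders, and the arp -a text is a constructed sample of what a poisoned cache looks like.

```powershell
# Added example, not from the original post. Interface name, gateway IP and
# MACs are placeholders; the arp -a sample is constructed.

function Get-ArpEntries {
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Row format on Windows:  192.168.1.1   00-18-00-18-00-18   dynamic
        if ($line -match '^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+([0-9a-fA-F]{2}(?:-[0-9a-fA-F]{2}){5})\s+(\w+)') {
            New-Object PSObject -Property @{
                IP = $matches[1]; MAC = $matches[2].ToLower(); Type = $matches[3]
            }
        }
    }
}

function Test-GatewayArp {
    param([object[]]$Entries, [string]$GatewayIP, [string]$ExpectedMac)
    $findings = @()
    $gw = $Entries | Where-Object { $_.IP -eq $GatewayIP }
    if (-not $gw) {
        $findings += "no ARP entry for gateway $GatewayIP"
        return $findings
    }
    if ($gw.MAC -ne $ExpectedMac.ToLower()) {
        $findings += "gateway $GatewayIP resolves to $($gw.MAC), expected $($ExpectedMac.ToLower())"
    }
    # Poisoning tools answer for the gateway with their own NIC, so the same
    # MAC usually shows up on a second IP in the same snapshot.
    foreach ($e in $Entries) {
        if ($e.IP -ne $GatewayIP -and $e.MAC -eq $gw.MAC) {
            $findings += "MAC $($e.MAC) answers for both $GatewayIP and $($e.IP)"
        }
    }
    $findings
}

function Get-StaticArpCommand {
    param([string]$Interface, [string]$GatewayIP, [string]$GatewayMac)
    # Vista and later; on XP the equivalent is "arp -s <ip> <mac>"
    "netsh interface ipv4 set neighbors `"$Interface`" $GatewayIP $GatewayMac"
}

# Constructed sample of "arp -a" during an attack. On a live box use:  $lines = arp -a
$lines = @'
Interface: 192.168.1.100 --- 0xb
  Internet Address      Physical Address      Type
  192.168.1.1           00-18-00-18-00-18     dynamic
  192.168.1.50          00-18-00-18-00-18     dynamic
  192.168.1.101         00-1a-4b-22-33-44     dynamic
  192.168.1.255         ff-ff-ff-ff-ff-ff     static
'@ -split "`r?`n"

$entries = Get-ArpEntries $lines
$knownGatewayMac = '00-0c-29-aa-bb-cc'   # recorded earlier on a clean network, kept with the script
Test-GatewayArp -Entries $entries -GatewayIP '192.168.1.1' -ExpectedMac $knownGatewayMac

# The startup-script step from the post, built from the trusted MAC rather
# than from whatever happens to be in the cache right now.
Get-StaticArpCommand -Interface 'Local Area Connection' -GatewayIP '192.168.1.1' -GatewayMac $knownGatewayMac
```

On the sample above the check reports the gateway resolving to the wrong MAC and that same MAC answering for 192.168.1.50, which is the signature you are looking for. The design choice worth keeping is that the pinned MAC comes from a value you stored ahead of time, not from arp -a at the moment the script runs.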