Windows Server 2008 – Time Synchronisation

Time synchronisation on Windows servers is an issue that comes around every so often and can cause some serious problems in an infrastructure. I recently had a customer with a time problem which was preventing several services, mainly Microsoft Exchange related, from starting correctly. There is a ton of information on the internet about ways to fix time issues in Windows-based domains, most of which references third-party time applications or registry fixes. Whenever I experience a time issue across an infrastructure I always utilise the following procedure:

1. Open a command prompt window. If you have User Account Control enabled on your server, ensure you open the command prompt window as an administrator.

2. Firstly I like to find out the time difference between my domain controllers and an external trusted time source. To obtain this information, run the following command. You can change the “computer” attribute to a time server in your geographical area; I have set this to uk.pool.ntp.org to reflect Greenwich Mean Time:

w32tm /stripchart /computer:uk.pool.ntp.org /samples:5 /dataonly

3. You should now be able to see how far out of sync your domain controller is compared to an accurate external time source. To sync your domain controller with this external time source and rectify the issue, enter the following command into the same command prompt window. As with the previous command you can change the “manualpeerlist” entry to reflect an external time server in your geographical location:

w32tm /config /manualpeerlist:uk.pool.ntp.org /syncfromflags:manual /reliable:yes /update

4. That’s it: your domain controller’s time should now have synchronised correctly against the external time source specified, and other machines in your domain should also now inherit this time if they are configured to obtain time information from a domain controller.

You can find more information on external time sources at http://www.ntp.org
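
An added example, not part of the original post: a PowerShell wrapper around the step 2 command that parses the /dataonly samples and flags offsets approaching the five-minute clock tolerance that Kerberos applies by default in a domain. The function names, the 60-second warning threshold, the assumed sample-line format and the sample output are constructed for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Get-StripchartOffsets {
    # Parses "w32tm /stripchart ... /dataonly" output; returns offsets in seconds.
    param([string[]]$Lines)
    foreach ($line in $Lines) {
        # Assumed sample format: "09:14:02, +03.4127701s". Failed samples such as
        # "09:14:04, error: 0x800705B4" do not match and are skipped.
        if ($line -match ',\s*([+-]\d+\.\d+)s\s*$') {
            [double]::Parse($Matches[1], [Globalization.CultureInfo]::InvariantCulture)
        }
    }
}

function Test-ClockSkew {
    param(
        [string]$Peer = 'uk.pool.ntp.org',
        [int]$Samples = 5,
        [double]$WarnSeconds = 60,          # assumed alert threshold, tune to taste
        [double]$KerberosMaxSeconds = 300,  # default Kerberos clock tolerance (5 minutes)
        [string[]]$RawOutput                # pass captured output to run offline
    )
    if (-not $RawOutput) {
        $RawOutput = & w32tm /stripchart "/computer:$Peer" "/samples:$Samples" /dataonly 2>&1 |
            ForEach-Object { "$_" }
    }
    $offsets = @(Get-StripchartOffsets -Lines $RawOutput)
    if ($offsets.Count -eq 0) {
        throw "No usable samples from $Peer (is UDP 123 blocked, or the name unresolved?)"
    }
    # Judge the worst sample, not the average: one bad reading is worth a look.
    $worst = ($offsets | ForEach-Object { [math]::Abs($_) } | Measure-Object -Maximum).Maximum
    $state = if ($worst -ge $KerberosMaxSeconds) { 'KERBEROS-AT-RISK' }
             elseif ($worst -ge $WarnSeconds)    { 'DRIFTING' }
             else                                { 'OK' }
    New-Object PSObject -Property @{
        Peer               = $Peer
        Samples            = $offsets.Count
        WorstOffsetSeconds = [math]::Round($worst, 3)
        State              = $state
    }
}

# Constructed sample output (not captured from a real server); one sample failed.
$sample = @(
    'Tracking uk.pool.ntp.org [192.0.2.10:123].',
    'Collecting 5 samples.',
    'The current time is 14/03/2011 09:14:00.',
    '09:14:00, +412.3307101s',
    '09:14:02, +412.3311840s',
    '09:14:04, error: 0x800705B4',
    '09:14:06, +412.3298455s',
    '09:14:08, +412.3302219s'
)
Test-ClockSkew -RawOutput $sample

# On the domain controller itself, before and after step 3:
#   Test-ClockSkew -Peer uk.pool.ntp.org
#   w32tm /query /source     # shows which time source the service is using
```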

Dell Inspiron N5030 Review

I don’t usually post reviews, however I recently acquired a new Dell Inspiron N5030 laptop computer. As there doesn’t appear to be much information on this product, I thought I’d write a small review.

1. Build Quality

The build quality of the Dell Inspiron N5030 is actually very good, considering I picked up the device for £280 excluding VAT direct from the Dell website. It is comprised of a black plastic ABS enclosure with a matt black finish for both the top of the screen’s lid and the surface area around the keyboard and the screen itself. The case is also complemented by a “3D” pattern design which I found quite smart and which makes the device slightly unique compared to other laptops in the Dell range. The device feels of good enough quality to survive being dropped without breaking into pieces, unlike the much more expensive Dell XPS Studio 1340 I also own.

2. Technical Specification

As this is Dell’s entry level laptop the technical specification isn’t the world’s greatest, but I think it is very reasonable for the £280 price tag. The late 2010 model contains the following hardware specification:

Intel Celeron 900(2.20GHz,800MHz,1MB)
2048MB 1333MHz Dual Channel DDR3 SDRAM [1×2048]
250GB (5,400rpm) Serial ATA Hard Drive
Mobile Intel Graphics Media Accelerator (GMA) 4500MHD
DVD +/- RW Drive (read/write CD & DVD)
15.6″ High Definition (1366×768) WLED Display with TrueLife

When running a Windows Experience Index on a 64-bit installation of Windows 7 Enterprise the Dell Inspiron N5030 produced the following results:

[Image: Inspiron N5030 Windows Experience Index]

Overall a score of 3.4 isn’t that bad for the most basic Dell laptop, with its Intel Integrated Graphics being the lowest determining score. If you are looking for a gaming laptop however, then this device is certainly not for you, as its on-board graphics simply do not provide the performance required for latest generation games. On another note, the Intel Integrated Graphics do display Windows 7 with full Aero functionality, meaning you get all the nice glass and Aero Peek features.

It is also worth noting that upgrading the laptop’s memory from 2GB to 4GB can be achieved by purchasing an additional 2GB SO-DIMM from a supplier such as Crucial; their handy system scanner correctly identifies and suggests memory upgrades for the N5030. At the time of writing, an additional 2GB memory module is only £19.96. The laptop itself unfortunately does not contain a traditional memory door on the base of the unit. To install additional memory the keyboard must be removed to reveal the on-board DIMMs, and details on how to perform this are located within its user manual.

3. Connectivity & Input Types

Connectivity types on the N5030 are basic, as you would expect. The laptop contains three USB 2.0 ports, a VGA port and a 100MB Ethernet port. It is also worth noting that all of these connections are situated on the left hand side of the laptop. Due to the case’s design there are no connectivity ports located on the back of the laptop, so if you are looking to place this on a desk and have Ethernet, power and USB connections coming from the rear, this may not be for you.

The N5030 also contains a basic two button trackpad, which looks and feels nice. I have noticed however, that when using the trackpad to either single or double click, as opposed to using the dedicated buttons, it does need a fairly heavy tap to register an action. Also when moving the cursor around with the trackpad you need to apply a little pressure. Overall it isn’t the most touch sensitive I’ve used, but you get what you pay for!

Also hidden away in the laptop’s screen is a 0.3 (you read that correctly) megapixel camera, suffice to say it is low quality and unless used in very good light the frame rate generated by the camera is low, giving the user a “slow motion” experience.

4. Other

Other things to mention are that the 6-Cell battery life is generally very good; when using wireless connectivity I am achieving two and a half to three hours of use. Wireless connectivity is also of a good quality, with the laptop containing an Atheros 802.11n WiFi module which I haven’t experienced any issues with. The quality of the WLED with TrueLife display is also very good, and the brightness can be adjusted to quite a high ratio. The only pitfall of the screen is that it is very susceptible to light reflection.

5. Overall

Overall the Dell Inspiron N5030 is a great entry level laptop. I would recommend the laptop is geared towards casual users, looking for something to perhaps do word processing on and/or browse the Internet. The laptop however would prove a disappointment if purchased for gaming or any overly CPU intensive applications due to its basic hardware specification.

Windows Deployment Services – Injecting VMware Drivers

Windows Deployment Services (WDS) is a technology I have been using for a long time, and is by far one of my favourites. I had a recent requirement to deploy a captured WDS image into a new VMware virtual machine. On doing so I was presented with a driver error, as the VMnet drivers that VMware utilises are not included in the Windows 7 boot.wim file as you would expect. To deploy an image to a VMware virtual machine we need to customise the boot.wim file to include the relevant VMnet drivers. To achieve this, perform the following steps.

1. Obtain a copy of, or use your existing boot.wim file. You can obtain a copy of the boot.wim file from the Windows 7 operating system installation media.

2. Place the obtained boot.wim file on the root of your workstation’s C:\ drive, so for example, C:\boot.wim.

3. On your C:\ drive create a new folder named “mount”. This will be used to open the contents of the WIM so that we can inject the VMware drivers.

4. Download a copy of the VMnet VMware drivers from here. We will be injecting these drivers into our WIM image. Once the download is complete, extract the drivers folder and place it also on the root of your workstation’s C:\ drive.

5. Download and install the Windows Automated Installation Kit (WAIK) for Windows 7 onto your workstation. This can be downloaded direct from Microsoft here.

6. Once you have downloaded and installed the relevant WAIK, navigate to the WAIK Start menu entry and launch the “Deployment Tools Command Prompt”.

7. When the command prompt loads, enter the following command to mount the WIM file for modification:

dism /mount-wim /wimfile:c:\boot.wim /index:2 /Mountdir:c:\mount

8. Once the boot.wim file has mounted, we can now inject the VMware drivers. To perform this run the following command:

dism /image:c:\mount /add-driver /driver:c:\vmnet\ /recurse

9. Once both of the VMnet drivers have been successfully injected, we then need to commit the changes and unmount the image. To perform this run the following command:

dism /unmount-wim /mountdir:c:\mount\ /commit

10. Upload the unmounted image to your WDS server and then add it as a boot image via the WDS console.

You’re all done; you should now be able to use both WDS deployment and capture images in VMware virtual machines.
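
Steps 7 to 9 as one PowerShell script, added here as an example and not part of the original post. It checks the Authenticode signature of the driver catalogs before anything is injected and discards the mounted image if any step fails, since a boot image served by WDS runs on every machine that network boots from it. Paths follow the article; the function names are hypothetical.

```powershell
# Added example (not from the original post). Save as a .ps1 file and run it from
# an elevated "Deployment Tools Command Prompt" via powershell.exe.
$Wim      = 'C:\boot.wim'
$MountDir = 'C:\mount'
$Drivers  = 'C:\vmnet'
$Index    = 2

function Test-DriverCatalogs {
    # Returns a list of problems; an empty result means every folder holding an
    # .inf also holds a catalog whose signature validates. It checks the catalog's
    # signature and signer only; it does not re-hash the .sys files against it.
    param([string]$Path)
    $infs = @(Get-ChildItem -Path $Path -Recurse -Filter *.inf)
    if ($infs.Count -eq 0) { throw "No .inf files under $Path" }
    $problems = @()
    foreach ($dir in ($infs | ForEach-Object { $_.DirectoryName } | Sort-Object -Unique)) {
        $cats = @(Get-ChildItem -Path $dir -Filter *.cat)
        if ($cats.Count -eq 0) { $problems += "$dir : no catalog (.cat) next to the .inf"; continue }
        foreach ($cat in $cats) {
            $sig = Get-AuthenticodeSignature -FilePath $cat.FullName
            if ($sig.Status -ne 'Valid') {
                $problems += "$($cat.FullName) : signature status $($sig.Status)"
            } else {
                Write-Host "$($cat.Name) signed by $($sig.SignerCertificate.Subject)"
            }
        }
    }
    return $problems
}

function Invoke-Dism {
    # Runs dism.exe and stops the script on a non-zero exit code.
    param([string[]]$DismArgs)
    & dism.exe @DismArgs
    if ($LASTEXITCODE -ne 0) {
        throw "dism $($DismArgs -join ' ') failed with exit code $LASTEXITCODE"
    }
}

$problems = @(Test-DriverCatalogs -Path $Drivers)
if ($problems.Count -gt 0) {
    $problems | ForEach-Object { Write-Warning $_ }
    throw 'Driver package failed the signature check; nothing was mounted.'
}

Invoke-Dism @('/Mount-Wim', "/WimFile:$Wim", "/Index:$Index", "/MountDir:$MountDir")
$commit = $false
try {
    Invoke-Dism @("/Image:$MountDir", '/Add-Driver', "/Driver:$Drivers", '/Recurse')
    Invoke-Dism @("/Image:$MountDir", '/Get-Drivers')   # list what is now in the image
    $commit = $true
}
finally {
    # Commit only if every step succeeded; otherwise discard the changes so a
    # half-modified image is never uploaded to the WDS server.
    $mode = if ($commit) { '/Commit' } else { '/Discard' }
    & dism.exe /Unmount-Wim "/MountDir:$MountDir" $mode
}

if ($commit) {
    # Record the hash of the finished image so the copy later added in the WDS
    # console can be compared against it.
    $sha    = [System.Security.Cryptography.SHA256]::Create()
    $stream = [System.IO.File]::OpenRead($Wim)
    try     { $hash = [BitConverter]::ToString($sha.ComputeHash($stream)) -replace '-', '' }
    finally { $stream.Close() }
    Write-Host "SHA-256 of $Wim : $hash"
}
```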

Emulating A Cisco ASA 5520 In GNS3

I recently needed to emulate a Cisco ASA 5520 device, however I noted this could not be achieved through Cisco Packet Tracer. After some research I stumbled upon an excellent network simulator named GNS3. Although, some further reading revealed emulating an ASA device was slightly more tricky to set up than a standard Cisco switch or router. Below is the process I performed to successfully emulate an ASA 5520 in GNS3. The following prerequisites are required before performing the below steps:

  • An installation of Oracle Virtualbox.
  • A virtual machine created in Virtualbox running a 32-bit (x86) operating system.
  • The virtual machine must be on the same network address range as your workstation and its virtual NIC must be set to host only.
  • An installation of GNS3.
  • You have a basic knowledge of GNS3 and Cisco IOS.

1. Download the “vmlinuz” emulation file from here and download a copy of the file “asa802-K9.initrd.gz”, which you can locate externally from here.

2. Open the GNS3 application and select edit from the menu bar and then select preferences. In the preferences window select “Qemu” from the side bar and then select the ASA configuration tab. Under the “ASA Specific Settings” section click to browse for a file next to the “Initrd” field and select the asa802-K9.initrd.gz file you downloaded. Proceed and browse for a file next to the “Kernel” field and select the vmlinuz file you downloaded and click OK, as shown in the below screenshot.

[Screenshot: GNS3 preferences]

3. In the main GNS3 window drag the ASA Firewall object from the left hand side bar into the center workspace. Once the ASA icon displays in the workspace, click the green play icon located at the top of the GNS3 window.

4. Proceed and open the ASA console window. This can be performed by clicking the small command prompt looking icon located at the top of the GNS3 application, which will in turn launch an instance of PuTTY. Download the initial ASA setup from here, and paste the set of commands the file contains into the console window and press return on your keyboard.

5. Once this is complete your ASA should now be running and you will now have access to the enable mode. Enter into enable mode, and then enter into configuration terminal mode and download the starter configuration from here. Once the file has downloaded, paste the set of commands it contains into the console and press return on your keyboard.

6. In the main GNS3 application window drag the cloud object from the left hand side bar into the center workspace, and then double click the object. In the cloud properties window, select your VirtualBox host only adapter and click OK. In the main GNS3 window drag a switch into the center workspace and then proceed to link the cloud, switch and ASA devices together. Your topology should look similar to the below:

[Image: ASA topology]

7. Open your created virtual machine and then download and install a copy of tftpd32 from here. Following the installation of the tftp application download the asdm-621 installation file from here. Proceed and configure tftpd32 to point to the folder in which you have stored the asdm-621 file.

8. From within GNS3, open the console for the ASA device again and type the following commands to upload the asdm installation to your ASA device. Each line should be followed by pressing return on your keyboard.

copy tftp flash
[Enter your virtual machines IP address, where TFTPd32 is running]
asdm-621.bin
Press enter to accept the default destination
[Image copy starts & finishes]
config t
asdm image flash:/asdm-621.bin

9. In your virtual machine download and install Fiddler and the ASDM Launcher which are available from here and here. When the installation is complete set Fiddler to decode HTTPS by selecting the following:  

Fiddler –> Tools –> Fiddler Options –> HTTPS –> Check ‘Decrypt HTTPS Traffic’.

In the Fiddler menu bar, click Rules –> Customize Rules. Proceed and download the customised rules file from here, and then paste these new rules, erasing any existing information, into the customize rules dialog box.

10. Configure Java to proxy the ASDM launcher information to Fiddler. To perform this go to the virtual machine’s control panel and perform the following:

Java –> Network Settings –> Use Proxy Server –> “localhost:8888” –> Advanced –> Use Same Proxy For All Protocols.

11. With Fiddler running, load the ASDM Launcher and enter the username of “ciscoasa” with the password of “cisco” and set the connection IP address to 192.168.0.100 and click OK. Press “Yes” when alerted by Fiddler and ASDM should now load correctly.

I hope this helps getting your ASA 5520 emulated in GNS3.

Windows Server 2008 – Disabling Dynamic DNS Updates

I recently experienced an issue with Dynamic DNS updates on Windows Server 2008. Since upgrading VMware tools on a Windows Server 2008 virtual machine, all six network adapters that were assigned to the VM were now registering themselves on my internal DNS servers, despite me having unchecked the “Register the connections address in DNS” checkbox on each adapter’s properties. This resulted in me having six host A records in my internal DNS for the same server, however I only wanted one of the server’s IP addresses to be registered against its hostname.

Unfortunately enabling and then disabling the “Register the connections address in DNS” option again did not resolve the issue. I figured this occurred as when upgrading VMware tools the server’s network adapters are removed and re-added. To resolve this issue I opted to disable Dynamic DNS updates on the server altogether using a registry entry. To disable Dynamic DNS on a Windows Server 2008 or Server 2008 R2 machine, perform the following actions.

1. Login to the server with the issue.

2. Click the Start menu and select Run.

3. In the Run dialog box type the following entry and then click OK:

reg add hklm\system\currentcontrolset\services\tcpip\parameters /v DisableDynamicUpdate /t REG_DWORD /d 1 /f

4. Reboot the server to complete the process.

I would recommend keeping a watch on your internal DNS servers for 24 hours after applying this registry key, to completely ensure the issue is resolved. You can find additional information on methods of disabling Dynamic DNS on Windows Server platforms at the following Microsoft KB article: http://support.microsoft.com/kb/816592
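
One way to do that watching, as an added example that is not part of the original post: a PowerShell check that reads the DisableDynamicUpdate value set in step 3, lists each adapter's DNS registration flag, and compares the A records nslookup returns for the server with the single address you expect. The function names, host name and addresses are constructed for illustration.

```powershell
# Added example (not from the original post). Function names are hypothetical.

function Get-DynamicUpdateSetting {
    # Reads the value written by the reg add command in step 3.
    $key   = 'HKLM:\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters'
    $value = (Get-ItemProperty -Path $key).DisableDynamicUpdate
    if ($value -eq 1) { 'Dynamic updates disabled (DisableDynamicUpdate = 1)' }
    else              { 'Dynamic updates still enabled (value absent or 0)' }
}

function Get-AdapterRegistration {
    # Per-adapter view: which IP-enabled adapters are flagged to register in DNS.
    Get-WmiObject Win32_NetworkAdapterConfiguration -Filter 'IPEnabled = TRUE' |
        Select-Object Description, IPAddress, FullDNSRegistrationEnabled
}

function Get-ARecordsFromNslookup {
    # Returns the IPv4 addresses listed for the queried name. Lines before
    # "Name:" describe the DNS server itself and are ignored.
    param([string[]]$Lines)
    $inAnswer = $false
    foreach ($line in $Lines) {
        if ($line -match '^Name:') { $inAnswer = $true; continue }
        if ($inAnswer -and $line -match '(\d{1,3}(?:\.\d{1,3}){3})') { $Matches[1] }
    }
}

function Test-DnsRegistration {
    param(
        [string]$HostName,
        [string[]]$ExpectedAddresses,
        [string[]]$NslookupOutput      # pass captured output to run offline
    )
    if (-not $NslookupOutput) {
        $NslookupOutput = & nslookup $HostName 2>&1 | ForEach-Object { "$_" }
    }
    $found      = @(Get-ARecordsFromNslookup -Lines $NslookupOutput)
    $unexpected = @($found | Where-Object { $ExpectedAddresses -notcontains $_ })
    $missing    = @($ExpectedAddresses | Where-Object { $found -notcontains $_ })
    New-Object PSObject -Property @{
        HostName   = $HostName
        Registered = $found
        Unexpected = $unexpected      # records to investigate or remove
        Missing    = $missing
    }
}

# Constructed nslookup output for a server that still has three A records.
$sample = @(
    'Server:  dc01.example.test',
    'Address:  192.0.2.10',
    '',
    'Name:    srv01.example.test',
    'Addresses:  192.0.2.21',
    '          192.0.2.22',
    '          192.0.2.23'
)
Test-DnsRegistration -HostName 'srv01.example.test' -ExpectedAddresses '192.0.2.21' -NslookupOutput $sample

# On the server itself, after the reboot in step 4:
#   Get-DynamicUpdateSetting
#   Get-AdapterRegistration
```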

ForeFront TMG & GFI MailEssentials – Updating Issues

I have recently experienced an issue on several deployments of Microsoft ForeFront Threat Management Gateway in conjunction with GFI MailEssentials 2010. When installing GFI MailEssentials on a server running ForeFront TMG, a configuration error occurs in the MailEssentials config.mdb file which incorrectly points the spam definition updating entry to “C:\Program Files\” as opposed to “C:\Program Files (x86)\”. Due to this, updates for spam modules such as Phishing and SpamRazer do not download correctly and as a result you may experience the following error:

[Screenshot: GFI MailEssentials update error]

Despite the error stating the problem occurred due to a “network error”, it certainly is not and several hours of testing with ForeFront TMG’s own monitoring utilities and WireShark proved this theory correct. To resolve the issue, please perform the following actions:

1. Stop all GFI MailEssentials services and the Message Queuing service on the server running GFI MailEssentials 2010.

2. Click Start, and select Run. In the Run dialog box type the following without quotations: “iisreset /stop”, and click OK.

3. Navigate to the folder “C:\Program Files (x86)\GFI\MailEssentials” and copy the config.mdb file to a workstation that has Microsoft Access 2003 or higher installed.

4. Open the config.mdb file in Microsoft Access and open the table named “au_profiles”. In this table locate the “localpath” entry and change this to be “C:\Program Files (x86)\” as opposed to “C:\Program Files\”.

5. Save the amended config.mdb file and then copy this to the “C:\Program Files (x86)\GFI\MailEssentials” directory on your server, choosing to overwrite the existing file.

6. Click Start, and select Run. In the Run dialog box type the following without quotations: “iisreset”, and click OK.

7. Start all GFI MailEssentials services and wait for, or manually update your anti-spam module definitions.

Symantec Backup Exec 2010 – Removable Backup To Disk Folder

A nice feature of Symantec Backup Exec is its ability to backup directly to removable media, such as USB hard disk drives. This can be extremely handy if your primary backup device, such as a tape unit, develops a fault. To create a removable backup to disk folder and re-target your current backup job(s) perform the following:

1. Ensure you have connected your removable media and that it has been formatted and assigned an appropriate drive letter in your Windows operating system.

2. Open Backup Exec 2010 and click the “Devices” tab. In the devices sub window, right click your server name and then select “New Removable Backup-to-Disk Folder” from the available context menu.

[Screenshot: New Removable Backup-to-Disk Folder]

3. Follow the Backup to Disk Wizard, and when prompted for a path to your backup to disk folder click “…” to browse and select your removable media drive from the resources window.

[Screenshot: Backup-to-Disk location]

4. Complete the rest of the wizard, filling in the values as required. The maximum file size is generally set to the size of the removable storage device, the maximum backup sets per file can be left at the default of 100, and the low disk space threshold can be left at its default also.

5. Once the creation of the backup to disk folder is completed, you will now notice a new device listed under the “Devices” tab in Backup Exec. If you did not name your device during the creation wizard you will see it listed as “Removable Backup-to-Disk Folder 1”. If you expand the device you will notice a folder will be visible (FLDR000001) denoted by the USB symbol. Right click this folder and select “associate with media set”. From here you can place the folder in the media set that your backup job is targeted at.

[Screenshot: Removable media folder]

6. Now you have associated the removable backup to disk folder with your media set, it is recommended you re-target your backup job to point to the removable media device we have created. To do so click the “Monitor” tab in Backup Exec and double click your required backup job. When the backup job properties window opens, select “Device and Media” from the sub menus located on the left. Using the drop down menu available under the device section, select your removable media drive and click “Submit” to save your changes. This will now re-target your backup job to your removable media.

As a side note, if you are backing up a large volume of data expect your job completion time to exceed 12 hours. Typically you won’t receive a data rate higher than 300 megabytes a minute using a removable media device. More information on this process can be found at the following Symantec knowledge base article: http://seer.support.veritas.com/docs/253764.htm

McAfee ePO – Manual Agent Installation

From time to time, across several infrastructures, I often get people reporting that they cannot push anti-virus agents to workstations from McAfee’s ePolicy Orchestrator. This can be time consuming and frustrating, and as you’ll know ePO isn’t the most user friendly or effective application. You can however manually install the McAfee Agent and then force it to comply with your anti-virus policies or client tasks. To do this, perform the following actions:

1. On the affected machine browse to the following location: \\EPOSERVERNAME\C$\Program Files\McAfee\ePolicy Orchestrator\DB\Software\Current\EPOAGENT3000\Install\0409\

2. Double click the FramePkg.exe file and let the agent install. Please note, you will need administrative rights over the workstation to perform this.

3. Open a command prompt window and type the following: cd "C:\Program Files\McAfee\Common Framework"

4. Once in the aforementioned directory, type the following at the command prompt and press return: CmdAgent.exe /s

5. You will now be presented with the McAfee Agent console; click “Collect and Send Props”. This prompts the agent to advertise itself to the ePO server and enforce any policies or client tasks that may be set, which in my case is usually the installation of the anti-virus product itself.

I hope this eases your ePO frustrations, it certainly did mine.

BlackBerry Professional Software – Adding Users

BlackBerry Professional Software (BPS), is a relatively unknown product that is available through most mobile operators as an intermediate between BlackBerry Internet Service (BIS) and BlackBerry Enterprise Server (BES). While BPS is actually very similar to BES, I am going to cover the most frequent task of adding users and provisioning devices.

You will notice I reference BES frequently; as mentioned earlier BPS is very similar and in most cases mobile operators consider these the same mobile service. There really isn’t any distinction from an operator’s point of view between the two products.

Prerequisites

1. Ensure your BlackBerry device is provisioned for the BES service, your mobile operator will be able to perform this for you. Make sure any BIS addresses you may have associated with your BlackBerry are removed.

2. Backup your data, as a part of the process it is recommended that you perform a data wipe on your BlackBerry.

Adding Users & Configuring Devices

1. Login to your BPS server using your BESAdmin account.

2. Double click the BlackBerry Manager icon located either on your desktop or through Start -> All Programs -> BlackBerry Professional Software -> BlackBerry Manager.

3. When presented with the BPS home page, click the users tab.

4. In the users window, locate an area of free white space in the centre, right click and select Add Users.

5. From the user selection window, which queries your Exchange server’s Global Address List (GAL), pick the user or users you require and click Select and then OK.

6. Your user or users will now be visible in BlackBerry Manager. Right click the user you have added and select Set Activation Password.

7. When the Activation Password window opens, set a password of your choice. This can be anything you like and is a one time password used to simply activate your BlackBerry with BPS.

8. On your BlackBerry device perform a data wipe. The wipe function is generally located under the Options -> Settings -> “Security” or “Security Options” sub menus.

9. When the device has been wiped, hit the BlackBerry button and then navigate to Manage Connections and then check/enable the Mobile Network option. Also take this opportunity to set your date and time settings.

10. Navigate back to the BlackBerry’s options screen and select Advanced Options -> Enterprise Activation. On the activation screen the only two fields you need to complete are the e-mail address and password entries. The e-mail address is the user’s primary SMTP address, for example joe@bloggs.com, and the password is the one you set through the BlackBerry Manager console for the user (Steps 6-7).

11. The BlackBerry will then attempt to activate and its status will be updated by a percentage counter located in the right hand corner of the display. Depending on the amount of messages, contacts and calendar appointments the user has, this may take some time. Once complete, you’re all done!