TechOnTip Weblog

Run book for Technocrats

Archive for September, 2012

16 Million Unused IPv4 Addresses

Posted by Brajesh Panda on September 18, 2012

The UK Department for Work And Pensions (DWP) is sitting on a hoard of 16 million unused IPv4 addresses, which could be worth as much as £600 million because they are in short supply, a petition says. Here is the story: http://www.techweekeurope.co.uk/news/ip-addresses-uk-government-dwp-petition-93069

Brajesh


Posted in IPv6 | Tagged: | 1 Comment »

Find All Domain Joined Hyper-V Hosts

Posted by Brajesh Panda on September 18, 2012

Hyper-V hosts publish a service connection point (SCP) object under their computer accounts. Querying for those objects gives us the list of Hyper-V hosts.

Get-QADObject -Name 'Microsoft Hyper-V' -Type serviceConnectionPoint | Get-QADComputer -Identity {$_.ParentContainerDN}

Get-VMHost from the Codeplex Hyper-V module will also list the registered Hyper-V host servers.

Here is my earlier post on finding all domain-joined Hyper-V virtual machines.

Posted in MsHyper-V | Tagged: | 1 Comment »

Find All Domain Joined Hyper-V Virtual Machines

Posted by Brajesh Panda on September 18, 2012

Courtesy: Ask the Core Team Blog

The Hyper-V integration service "Hyper-V Heartbeat Service" always creates a Service Connection Point (SCP) object under the computer account. This SCP is named "Windows Virtual Machine". You can see it in ADSI Edit or with PowerShell.

This object differentiates the computer object from physical computers and from virtual machines created on other platforms. So we can query for this SCP object, which gives us the names of all Hyper-V virtual machines in the domain.

If the object is deleted, it is automatically re-created when the VM or the "Hyper-V Heartbeat Service" is restarted. On each restart of the service or the virtual machine, the integration service checks whether the machine is domain joined and, if so, whether the SCP object exists in the domain. If the object does not exist, it attempts to re-create it.


Get-QADObject -Name 'Windows Virtual Machine' -Type serviceConnectionPoint | Get-QADComputer -Identity {$_.ParentContainerDN}

Or

Get-ADObject -LDAPFilter "(&(objectClass=serviceConnectionPoint)(CN=Windows Virtual Machine))"

Or

Get-QADObject -LDAPFilter "(&(objectClass=serviceConnectionPoint)(CN=Windows Virtual Machine))"

Or

dsquery * domainroot -filter "(&(objectClass=serviceConnectionPoint)(CN=Windows Virtual Machine))"

For workgroup computers we have to use other query methods, such as WMI and the Win32_ComputerSystem class: the Manufacturer property returns "Microsoft Corporation" and the Model property returns "Virtual Machine".
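The following is an added example, not code from the original posts, that turns the SCP queries from this post and the Hyper-V host post above into one inventory script. It assumes the Microsoft ActiveDirectory module (Get-ADObject / Get-ADComputer) instead of the Quest QAD cmdlets, that the SCP names contain no escaped commas, and an output path of .\HyperV-Inventory.csv.

```powershell
# Added example (not from the original post): build an inventory of domain-joined
# Hyper-V hosts and guests from the SCP objects described above. It assumes the
# Microsoft ActiveDirectory module (Get-ADObject / Get-ADComputer) rather than
# the Quest QAD cmdlets, and that the SCP names contain no escaped commas.
Import-Module ActiveDirectory

function Get-ParentDN {
    # The SCP lives directly under the computer object, so dropping the first
    # RDN ("CN=Windows Virtual Machine,") leaves the computer's DN.
    param([Parameter(Mandatory)][string]$DistinguishedName)
    return ($DistinguishedName -replace '^[^,]+,', '')
}

function Get-HyperVComputersBySCP {
    # $ScpName is 'Microsoft Hyper-V' for hosts or 'Windows Virtual Machine' for guests.
    param(
        [Parameter(Mandatory)][string]$ScpName,
        [Parameter(Mandatory)][string]$Role
    )
    $filter = "(&(objectClass=serviceConnectionPoint)(cn=$ScpName))"
    Get-ADObject -LDAPFilter $filter | ForEach-Object {
        $computer = Get-ADComputer -Identity (Get-ParentDN $_.DistinguishedName) -Properties OperatingSystem, LastLogonDate
        [pscustomobject]@{
            Role            = $Role
            Name            = $computer.Name
            DNSHostName     = $computer.DNSHostName
            OperatingSystem = $computer.OperatingSystem
            LastLogonDate   = $computer.LastLogonDate
        }
    }
}

function Test-IsHyperVGuest {
    # Workgroup fallback from the post: Win32_ComputerSystem reports
    # Manufacturer "Microsoft Corporation" and Model "Virtual Machine" on a Hyper-V guest.
    param([string]$ComputerName = $env:COMPUTERNAME)
    $cs = Get-WmiObject -Class Win32_ComputerSystem -ComputerName $ComputerName
    return ($cs.Manufacturer -eq 'Microsoft Corporation' -and $cs.Model -eq 'Virtual Machine')
}

# Hosts and guests in one list; compare it against your CMDB to spot unmanaged
# hypervisors. A missing SCP only means the object has not been re-created yet
# (it returns on the next heartbeat-service or VM restart), not that a machine is physical.
$inventory = @(Get-HyperVComputersBySCP -ScpName 'Microsoft Hyper-V'       -Role 'Host') +
             @(Get-HyperVComputersBySCP -ScpName 'Windows Virtual Machine' -Role 'Guest')
$inventory | Sort-Object Role, Name | Export-Csv -Path '.\HyperV-Inventory.csv' -NoTypeInformation
```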

Here is another post of mine on finding all domain-joined Hyper-V hosts.

Posted in MsHyper-V | Tagged: | 1 Comment »

Configure FTPS Server Using IIS

Posted by Brajesh Panda on September 7, 2012

FTPS, SFTP and FTP over SSH are three different things. FTPS is like HTTPS, Telnet-S, SMTP-S, IMAP-S or POP-S: the protocol itself does not encrypt the data or the authentication details; it just carries the plain-text FTP traffic inside an SSL tunnel on a different port. SFTP (SSH File Transfer Protocol), on the other hand, encrypts everything, like SCP. The only similarity is that it uses the same kind of syntax and does the same file transfers. SFTP is more secure than FTPS. The last one, FTP over SSH, sits in between FTPS and SFTP: it tunnels the FTP control channel inside an SSH session and then falls back to a normal data channel for the data transfer.

FTPS can be implemented in two modes, Explicit and Implicit:

In Explicit mode, FTPS-aware and FTPS-unaware clients can work together. It is also called FTPES. The client first has to explicitly request security from the FTPS server; the server replies accordingly and the two agree on parameters. If the client does not request it, the server can either allow the session in normal mode or refuse it.

In Implicit mode both client and server need to be aware of FTPS. No security negotiation takes place: the client has to start the communication using FTPS control messages, and if such a message is not received the server drops the connection. In this mode the server listens on 990 for control messages and 989 for the data channel, although the data channel ports can be changed.

Note: for client connectivity we have to use FileZilla or WinSCP. Neither IE nor Windows Explorer supports the FTPS protocol.

I have a test Windows 2012 server with IIS 8.0, so I am going to use that. The steps are the same for Windows 2008 R2, which comes with IIS 7.5.

  • Install the IIS role: FTP Server services
    • Using PowerShell: Add-WindowsFeature Web-FTP-Service, Web-Mgmt-Console
    • Or use Server Manager and install the FTP Service from the IIS Web Server role

  • Open IIS Manager, right-click the Sites folder and click Add FTP Site

  • If you want to bind to a specific IP address, type the details.
  • Type 990 as the FTPS control channel port
  • Virtual Host depends on whether you are going to host multiple FTP servers
  • Tick the check box "Start FTP Site Automatically"
  • If you are explicitly building this as an FTPS server, select Require SSL, select your installed SSL certificate and click Next
  • I have already installed an SSL certificate from my internal Windows Certificate Authority

  • If you are creating an anonymous site, select Anonymous; otherwise select Basic
  • Select the right authorization policy. This policy is applied at site level and the FTP virtual directories inherit it.
  • I prefer "Specified roles or user groups" with a local group and Read permission.
  • As per my FTP administration procedure I always add FTP users to that group, so all members of that group can get into this FTP site with read access.
  • So by default this config gives all of my FTP users read access to all virtual directories. If I need a custom setting for any of them, I modify Authorization at the virtual directory level. This will be discussed later.

  • Now your FTPS site is ready.
  • Let's check what has been configured so far by double-clicking the specific icons on the site's home page

  • Authentication & Authorization

  • Directory Browsing style as MS-DOS, FTP SSL Settings as we configured at the beginning

  • I am selecting "user home directory" as the user logon start point. You can also restrict users from looking into other users' folders.

  • Another key configuration point is Data Channel Ports. This is the passive port range: we define on which ports server and client transfer data.

  • You have to configure this at the IIS server level, so select the IIS server name and configure Data Channel Ports. I am configuring them to 5000-5001. You can choose your own numbers.
  • FTP sites on this IIS server inherit these numbers.
  • If you are going to publish this server to the Internet through a firewall using NAT rules, make sure you configure that public IP address in the External IP Address box.

  • Now our FTPS server is ready; let's talk to the external firewall administrator and ask him to open ports 990 and 5000-5001 on this public IP address.
  • While he is doing that, let's create a virtual directory and configure the related user access so we can test our FTPS server.
  • Create a local Windows user named "Brajesh"
  • Create a local Windows user group named "FTPUsers"
  • Add the above Brajesh user to the "FTPUsers" group and remove it from the "Users" group
  • Create a folder named "Brajesh" in the FTP root folder, i.e. inside E:\FTPRoot, because E:\FTPRoot is our FTP website root folder. Make sure to keep that folder name as Brajesh so it works as a home directory.
  • Right-click the FTP website and add a virtual directory

  • Keep the alias as Brajesh and select the Brajesh folder we created under E:\FTPRoot

  • Now you can select the Brajesh virtual directory and check its configuration

  • Under the Brajesh FTP Authorization Rules, you can see the FTPUsers group has already been added with Read permission
  • Add the "Brajesh" user as a specified user with Read and Write permission and remove FTPUsers from these authorization rules.

  • We are ready with the FTPS server and the virtual directory

Let's download FileZilla and WinSCP to test FTPS connectivity. Note that neither IE nor Windows Explorer supports the FTPS protocol.

  • In the FileZilla client, for Host type ftps://FTPServerURL or the IP address, then the user name and password.
  • You can see it connects on port 990. If your certificate is publicly trusted it will not prompt you with any trust message. In my case it is an internal certificate, so it asks me to trust it. So I will tick "Always trust certificate in future sessions" and click OK.

    If you don't trust the cert, it will connect but it will not let you upload any data, because it will not be able to authenticate the SSL channel!

  • Let's take a look at the FileZilla connection messages.

  • Do you see the message "227 Entering Passive Mode (10,10,10,105,19,136)"? It has two components: the IP address and the data channel port the server is listening on.
  • 10.10.10.105 is the server IP address and 19,136 makes up the port, i.e. (19 x 256) + 136 = 5000. Remember we configured the data channel ports as 5000 and 5001.
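As an added example that is not part of the original post, the script below decodes a 227 passive-mode reply the way the bullet above does by hand, and checks the result against the Data Channel Ports (5000-5001) and External IP Address configured earlier. The sample replies are constructed; the default port range and expected address are parameters you would set to your own configuration.

```powershell
# Added example (not from the original post): decode a "227 Entering Passive Mode"
# reply and check it against the Data Channel Ports (5000-5001) and External IP
# Address configured above. Sample replies are constructed; the expected values
# are parameters you would set to your own configuration.
function ConvertFrom-PasvReply {
    # RFC 959 format: 227 Entering Passive Mode (h1,h2,h3,h4,p1,p2), port = p1*256 + p2
    param([Parameter(Mandatory)][string]$Reply)
    $pattern = '^227 .*\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)'
    if ($Reply -notmatch $pattern) { throw "Not a 227 passive-mode reply: $Reply" }
    [pscustomobject]@{
        IPAddress = '{0}.{1}.{2}.{3}' -f $Matches[1], $Matches[2], $Matches[3], $Matches[4]
        Port      = ([int]$Matches[5] * 256) + [int]$Matches[6]   # 19,136 -> 5000
    }
}

function Test-PasvReply {
    # Flags a reply whose port falls outside the firewall-opened range or whose
    # address is not the published one. In implicit FTPS the 227 reply travels
    # inside the SSL tunnel, so the firewall cannot read it and fix it up for you.
    param(
        [Parameter(Mandatory)][string]$Reply,
        [int]$PortLow = 5000,
        [int]$PortHigh = 5001,
        [string]$ExpectedIP = '10.10.10.105'
    )
    $pasv = ConvertFrom-PasvReply $Reply
    [pscustomobject]@{
        Reply       = $Reply
        IPAddress   = $pasv.IPAddress
        Port        = $pasv.Port
        PortInRange = ($pasv.Port -ge $PortLow -and $pasv.Port -le $PortHigh)
        IPMatches   = ($pasv.IPAddress -eq $ExpectedIP)
    }
}

# Constructed samples: the reply from the FileZilla log above (port 5000, OK), a
# reply on port 50000 (outside the configured range, so transfers would hang), and
# a reply announcing an address other than the expected one (External IP not set).
@(
    '227 Entering Passive Mode (10,10,10,105,19,136)',
    '227 Entering Passive Mode (10,10,10,105,195,80)',
    '227 Entering Passive Mode (192,168,1,20,19,137)'
) | ForEach-Object { Test-PasvReply -Reply $_ } | Format-Table -AutoSize
```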

Now let's try WinSCP. In WinSCP make sure you change the protocol to FTP and the encryption to SSL/TLS Implicit.

  • Make sure you accept and select Trust in case of any SSL certificate warning

Posted in IIS | 1 Comment »

EMC VNX Performance Analysis – 1

Posted by Brajesh Panda on September 5, 2012

  • You must have the Navisphere/Unisphere Analyzer Enabler installed on the storage array
  • The Analyzer Enabler (license) helps generate readable statistics log files, called NAR files.
  • Without this license it generates encrypted logs (NAZ files) and you may need the help of EMC support to analyze them.

  • Make sure you start "Statistics Logging" from the system properties



Posted in EMC Storage, EMC VNX | 2 Comments »

Self-Sign Certificates in Windows 2008 R2

Posted by Brajesh Panda on September 5, 2012

If you want to know how to generate a SAN certificate, read this article.

  1. If you don't have the IIS Web Server role installed
    1. Download the old IIS6 Resource Kit tools and install them
    2. Then go to Programs -> IIS Resources -> SelfSSL -> click SelfSSL.exe
    3. It opens the command prompt below with an example; you may fine-tune it as per your requirement.

  1. It prompts you to overwrite the settings for site 1; type yes and press Enter
  2. It throws an error saying "Error opening metabase: 0x80040154"
  3. This error can be ignored, because IIS 6.0 is not installed on the server.
  4. If you browse the local certificate store of the computer, you will be able to see the certificate.


Posted in IIS, Tools | 1 Comment »

Back from Vacation

Posted by Brajesh Panda on September 4, 2012

Expect a couple of articles, such as "How to find out how many I/O you are getting from EMC VNX Flash Drives?"

Lately I have been researching this topic. We have a VNX SAN which has Flash Drives and the Auto Data Tiering feature, so it should keep the hot data on the flash drives and move cold data to my SATA drives. This will help me find out whether the flash drives are really up to anything.

I just concluded a POC for Backup over WAN using client-side deduplication. I have captured all my findings and just need to compose the article "My Experience on Backup over WAN – Using Client Side Deduplication".

We are also going to kick off a couple of other projects related to System Center 2012.

Thanks,

Brajesh Panda

Posted in Mix & Match | Tagged: | Leave a Comment »

 