TechOnTip Weblog

Run book for Technocrats

Archive for April, 2013

Cannot Access EMC CIFS Share from Windows 8 & Windows 2012

Posted by Brajesh Panda on April 23, 2013

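If you can’t access an EMC VNX (SAN) CIFS share from your Windows 8 or Windows 2012 server, you need to run the two commands below. The first makes the SMB client require signing; the second sets RequireSecureNegotiate to 0, which disables the SMB client's secure dialect negotiation check.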

Set-SmbClientConfiguration -RequireSecuritySignature $true

Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters" RequireSecureNegotiate -Value 0 -Force

Posted in EMC VNX | Tagged: | 1 Comment »

Start IE10 without Add-ons

Posted by Brajesh Panda on April 19, 2013

To run 32-bit Internet Explorer with no add-ons, try the following command in the Run box.

"C:\Program Files (x86)\Internet Explorer\iexplore.exe" -extoff

Posted in Mix & Match | 1 Comment »

1024 bit SSL (Encryption) Certs going away from December 2013

Posted by Brajesh Panda on April 18, 2013

Here is a blog article from Thawte. https://community.thawte.com/forums/important-all-1024-bit-certificates-must-migrate-2048-bit-encryption-dec-31-2013

You will also find the other necessary Certification Authority/Browser (CA/B) Forum Baseline documents there.

Public CA companies are also going to start revoking 1024-bit certs near the end of this year, so check with your provider before you get locked out.

So right now you can still get a 1024-bit certificate installed, but it will expire by December 2013.

We just did that for a legacy Lotus 6 application. I am not a Lotus admin, so don’t ask me about that. But if you are still looking for how to generate a key ring file, CSR and cert and install the cert, check this space later for some instructions.

Lotus 6 only supports key ring files up to 1024 bits. As we are not going to upgrade our Lotus environment, I am not sure what we will do after December 2013. Probably in-house certificates from an AD-integrated CA.

Hope this info will help you!

Here is the Lotus key size requirement matrix.
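
To find out which certificates the December 2013 deadline affects before checking with the provider, the following added example (not part of the original post) lists certificates in the Windows local machine stores whose RSA key is shorter than 2048 bits. It assumes an elevated PowerShell session; the function name is hypothetical, and it does not read Lotus key ring files.

```powershell
# Added example, not from the original post.
# Lists certificates with RSA keys below 2048 bits and flags those whose
# validity runs past the 31 Dec 2013 migration deadline named in the post.
$cutoff = [datetime]'2013-12-31'

function Get-WeakKeyCertificate {
    param(
        # Stores to scan; WebHosting only exists on newer server versions.
        [string[]]$StorePath = @('Cert:\LocalMachine\My', 'Cert:\LocalMachine\WebHosting'),
        [int]$MinimumBits = 2048
    )
    foreach ($path in $StorePath) {
        if (-not (Test-Path $path)) { continue }
        Get-ChildItem -Path $path | ForEach-Object {
            $cert = $_
            # The 1024/2048-bit rule is about RSA; other key types are skipped.
            if ($cert.PublicKey.Oid.FriendlyName -ne 'RSA') { return }
            $bits = $cert.PublicKey.Key.KeySize
            if ($bits -lt $MinimumBits) {
                [pscustomobject]@{
                    Store       = $path
                    Subject     = $cert.Subject
                    Issuer      = $cert.Issuer
                    KeyBits     = $bits
                    NotAfter    = $cert.NotAfter
                    # True when the cert is still within its validity after the deadline
                    ValidPastCutoff = $cert.NotAfter -gt $cutoff
                    Thumbprint  = $cert.Thumbprint
                }
            }
        }
    }
}

Get-WeakKeyCertificate | Sort-Object NotAfter | Format-Table -AutoSize
```

Certificates reported with ValidPastCutoff set to True are the ones to raise with the issuing CA first, since they are the candidates for early revocation.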


 

Posted in Mix & Match | Leave a Comment »

Lync 2010, IE 10 Desktop Sharing Goes Blank in Windows 8

Posted by Brajesh Panda on April 3, 2013

Platform: Windows 8 with Lync 2010

Issue: IE 10 sharing goes blank. No content from the web page is visible, only the top tabs and the mouse pointer.

Fix: http://www.microsoft.com/en-us/download/details.aspx?id=25055

 

Posted in Mix & Match | 3 Comments »

Windows 2012 Direct Access – ISATAP Router

Posted by Brajesh Panda on April 2, 2013


Out of the box, the Windows 2012 Direct Access configuration wizard enables an ISATAP router on the Direct Access server. This ISATAP router can distribute IPv6 addresses and routes to Windows ISATAP clients. Manage-out clients benefit from this to make IPv6-enabled manage-out connections. In this article I am not covering how to configure an ISATAP router on a standalone server; maybe later in another article. For information about other IPv6 transition technologies, check out this article by me.

About ISATAP Interface

These days most IPv6-enabled operating systems ship with the ISATAP IPv6 transition technology. You may have noticed an ISATAP network interface in the IPConfig output. We expect one ISATAP interface per physical NIC. If you see more than that, try to uninstall the extra ones from Device Manager after enabling "show hidden devices".

By default these ISATAP interface names look like isatap.{GUID}, as in the picture below. ISATAP interfaces can be seen using IPConfig or the NETSH command, i.e. netsh interface ipv6 show interface


Each GUID represents the physical interface to which the ISATAP interface is bound. The GUID of a physical adapter can be seen using “wmic nicconfig get description, SettingID” from a cmd prompt.

Comparing the above two pictures, we can say ISATAP interface 14 is mapped to Hyper-V Network Adapter #2 and ISATAP interface 27 is mapped to Hyper-V Network Adapter.

There is also another easy way to find this out: just add a DNS suffix to one physical interface. This creates another ISATAP interface with the same DNS suffix. In the picture below it created another ISATAP adapter for Corpnet. If you open Device Manager you will see a new ISATAP interface.

So it is better to uninstall all ISATAP adapters, add a DNS suffix to the physical interface and reboot the server. It will create new ones and name them clearly for identification.

ISATAP Router Discovery

To discover an ISATAP router, these clients query ISATAP.DomainName.Com, where DomainName is the domain discovered by the NIC. So this DNS A record should point to the ISATAP router’s IPv4 address. This behaviour is hardcoded in the operating system and is part of the IPv6 ISATAP transition technology.

If a client is able to resolve the ISATAP router’s DNS record, it will be able to obtain the IPv6 prefix and the published routes. Without proper deployment this may create routing issues if it is deployed to all computers in the network, because as soon as a client configures itself with an IPv6 address, IPv6-aware applications will start communicating over IPv6 with other ISATAP hosts, or through the ISATAP router with a different subnet. For better understanding I grabbed the picture below from https://espix.net/~wildcat/ipv6/i17_isatap_v1a.pdf

For this reason we may not want to create a global DNS record named ISATAP. The other option is to use a custom DNS entry for this record and apply a GPO with that name to the specific clients where we want to enable ISATAP functionality. There is a nice, popular article by Jason Jones on how to configure this.

  • Create a DNS A record as “DirectAccess-ISTAPRouter.Contoso.Local” & point it to the Direct Access server's internal IP address
  • Create an empty GPO
  • In the GPO open “Computer Configuration | Policies | Administrative Templates | Network | TCPIP Settings | IPv6 Transition Technologies”
  • Configure below parameters;
    • ISATAP Router Name: Enabled
    • Enter a Router or relay Name: “DirectAccess-ISTAPRouter.Contoso.Local”
  • Apply the above GPO to the respective clients; in the Direct Access case, the manage-out clients

You may need to reboot the client machine to get the ISATAP IPv6 addresses assigned. Otherwise you may try “sc control iphlpsvc paramchange” to refresh the adapter.

Troubleshoot a few things

  • How to verify if ISATAP is enabled?
    • Use the NETSH status command “netsh interface isatap show state”
    • By default state is default
    • But if router is enabled state will be “enabled”
    • If it is enabled through group policy, as on the clients, it will show “enabled (group policy)”
  • How to disable ISATAP functionality from OS?
  • Which ISATAP router is used by client?
    • Use “netsh int isatap show router”

  • Which routes are published thru router?
    • On the router, use the NETSH command below to check, i.e. netsh int ipv6 show route. Make sure publish is set to yes. You can add extra routes to publish too.

  • How to verify if the client is receiving IPv6 routes & the default gateway is pointing to the ISATAP router?
    • Use the same netsh int ipv6 show route command and make sure the client is receiving routes and the gateway is pointing to the ISATAP address of the router
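
The client-side checks from the list above can be collected into one report. This is an added example, not part of the original article: it uses the Windows 8 / Server 2012 networking cmdlets in place of the netsh commands shown above, and the function name is hypothetical.

```powershell
# Added example, not from the original article.
# Assumes Windows 8 / Server 2012 or later (NetworkTransition, NetTCPIP and
# DnsClient modules available).
function Get-IsatapClientReport {
    # Cmdlet counterpart of "netsh interface isatap show state" / "show router"
    $cfg = Get-NetIsatapConfiguration
    $routerName = $cfg.Router
    if (-not $routerName) { $routerName = 'isatap' }   # default name the OS looks up

    # Does the router name resolve to an IPv4 address (the DNS A record)?
    $aRecords = Resolve-DnsName -Name $routerName -Type A -ErrorAction SilentlyContinue |
                Where-Object { $_.IP4Address }

    # Addresses on ISATAP interfaces that came from the router's advertised
    # prefix (link-local addresses are excluded by the PrefixOrigin filter).
    $addrs = Get-NetIPAddress -AddressFamily IPv6 -ErrorAction SilentlyContinue |
             Where-Object { $_.InterfaceAlias -like 'isatap*' -and
                            $_.PrefixOrigin -eq 'RouterAdvertisement' }

    # Cmdlet counterpart of "netsh int ipv6 show route", limited to ISATAP interfaces
    $routes = Get-NetRoute -AddressFamily IPv6 -ErrorAction SilentlyContinue |
              Where-Object { $_.InterfaceAlias -like 'isatap*' }
    $default = $routes | Where-Object { $_.DestinationPrefix -eq '::/0' }

    [pscustomobject]@{
        State            = $cfg.State
        RouterName       = $routerName
        RouterIPv4       = @($aRecords | ForEach-Object { $_.IP4Address })
        IsatapAddresses  = @($addrs | ForEach-Object { $_.IPAddress })
        IsatapRoutes     = @($routes | ForEach-Object {
                               "$($_.DestinationPrefix) via $($_.NextHop) publish=$($_.Publish)" })
        DefaultViaIsatap = [bool]$default
    }
}

Get-IsatapClientReport | Format-List
```

An empty RouterIPv4 on a machine outside the manage-out group is the expected result when the custom DNS name is used, and a resolved address there means the ISATAP record or GPO reaches more clients than intended.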

Posted in Direct Access | Tagged: | 5 Comments »

 