Skip navigation

Category Archives: Microsoft

With the security on Windows devices improving natively, things are a little more difficult now to push applications out to the desktop – this is something that should be welcomed, but at the same time makes installation of products like Sophos Antivirus a little more difficult to deploy via the Enterprise Manager.

There are some pre-requisite steps that now need to be taken prior to deployment:

1) Allow traffic to the SBS Server from the LAN.

netsh firewall add portopening TCP 8192 “Sophos”
netsh firewall add portopening TCP 8193 “Sophos”
netsh firewall add portopening TCP 8194 “Sophos”
netsh firewall add portopening TCP 8081 “Sophos quarantine digest”

2) Open up Group Policy and edit the Domain Group Policy ->Computer Config->Windows Settings ->Security Settings->System Services.  Ensure that:

Remote Registry: Automatic
Computer browser: Automatic

3) Allow traffic on the workstations…. Computer Config > Administrative Templates > network > Network Connections > Windows Firewall > Domain Profile

8192:TCP:<SERVERIP>:ENABLED:Sophos8192
8193:TCP:<SERVERIP>:ENABLED:Sophos8193
8194:TCP:<SERVERIP>:ENABLED:Sophos8294

You should then be able to assign the machines to groups within the Enterprise Console

Occassionally when you provide managed services for clients and there are issues, fingers get pointed and accusations get made about the integrity of the network – particularly if the medium in question uses fibre, or another less common network medium (like wireless).

We host a clients server on our premises for backup purposes, on the end of 2Km of multimode fibre connected to media converters at both sides.  When the client was having issues with the speed and  integrity of the network (packet loss and timeouts), it was necessary to do a little research to initially test and then to prove that the issue was not resultant of the fibre link.  Of course, with the aid of an OTDR it’s easy to demonstrate that the fibre does not show losses – but an OTDR is a very expensive piece of equipment to buy or rent, and does not provide any throughput data illustrating whether the endpoints are doing as they should.  As the clients IT support were only testing from a Windows->Windows box and they were only using ping to illustrate the issue, it was necessary to do a little more digging.

I put together a short test plan:

1)A standard ping test
2) A short packet capture while running a standard ping test.
3) An isolated packet capture to ascertain whether there are any obvious network issues
(excessive ARP, retransmission, etc).
4) A flood ping test
5) A bi-directional iperf test to measure the bandwidth and throughput of the fibre link
(through one of the clients network switches)
6) A bi-directional iperf test to measure the bandwidth and throughput of the fibre link
directly from the media converter.

As the ping test yielded no unusual results and the packet capture (tcpdump -i eth0 -s0 -w pingtest.pcap) of the ping test didn’t show anything unusual, I ran the flood ping back to my box (note that it’s fairly important to only flood ping boxes that are capable of handling more traffic than you can generate (wikipedia).

#ping 10.202.4.130 -f

— 10.202.4.130 ping statistics —
11011 packets transmitted, 11010 received, 0% packet loss, time 1725ms
rtt min/avg/max/mdev = 0.129/0.133/5.692/0.055 ms, ipg/ewma 0.156/0.132 ms

Again, this illustrated that even with a massive burst of data in a short space of time that there were no errors in transmission.

Next it was necessary to run test #5.  Iperf was installed on the remote side and on my laptop, so I started the server on the remote side using:

#iperf -s

and started the client side on my laptop using:

#iperf -c 10.202.4.130 -r

The results showed a slow throughput on the client and server side:

ID] Interval  Transfer Bandwidth
[ 5] 0.0-10.0 sec 18.8 MBytes 15.8 Mbits/sec

This looked likely to be the cause of the problem, but the fibre link should have been running at 100Mbps.  The next step was to connect directly into the media converter rather than through the clients switch.  I ran the test directly through the media converter:

#iperf -c 10.202.4.130 -r
ID] Interval  Transfer Bandwidth
[ 5] 0.0-10.0 sec 112 MBytes 94.2 Mbits/sec

A much improved result!  I ran the test again to verify the findings and then plugged into an alternative switch port at the clients side to run the test again, and this time got the 94Mbps I was hoping to see, proving that the issue was with the switch and most likely to be caused by rate-limiting on the switch port.

Sometimes a simple ping is not enough to thoroughly test a network and other tools need to be used to verify findings….iperf is excellent for providing a tangible measurement of throughput, and tcpdump & wireshark are useful for looking for packet retransmissions, excessive arp and other clues to performance issues..

I’ve seen so many people attempt to restore Exchange and fail using Microsofts built in tools, or come unstuck because they want to restore a single mailbox, that I thought I’d document the free method of backing up Exchange that we use, so that it will hopefully help others.

One of the tools available from Microsoft free is Exmerge.  It allows individual mailboxes to be individually exported to PST files, which can then either be re-imported back into Exchange or simply opened in Outlook.  Exmerge is available from http://www.microsoft.com/downloads/details.aspx?familyid=429163ec-dcdf-47dc-96da-1c12d67327d5&displaylang=en

Extract and save to the Exchsrv/bin directory, and when the appropriate mailboxes have been selected, destinations set save the configuration.  This will create an exmerge.ini file.

This can then be scripted in a batch file and run as a scheduled task.  I create a folder on the local disk of the Exchange server (although this can be done to a mapped drive) for each day I want the backup to run.

My exmon.bat file reads:

D:\exchsrvrbinexmerge.exe -F C:\scriptsexmonexmerge.ini -B

Which runs the exmerge.exe, with the options specified in scriptsexmonexmerge.ini and runs the script as a batch job using the -B switch.

To clean the folder prior to running, I have a separate batch file that runs earlier on the same day that runs

del /F /Q /S z:\Exchangeexmon*.*

Subsequently to back up the PST files to a separate server I use the excellent BackupPC running on a Debian server.  Installation instructions for Debian are here: http://www.debianhelp.co.uk/backuppc.htm

The BackupPC box is confugured to access the SMB share that the PST’s are stored in, as well as additional file shares on the server.  BackupPC supports incremental backups and backups via a variety of methods (including SSH and rsync, as well as SMB).

It’s also possible to archive off historic backups for off-site using the archive functions within BackupPC.  As a free solution for backing up mailboxes and beiong able to recover easily (with version control) this is very effective…

Following a reboot of our Exchange 2003 server, the Pop3 service stated it was started, but on trying to connect to port 110 using telnet it just popped up “connection to the host lost”.  When we attempted to restart the service it hung when starting – there were no events in the event viewer following the stopping of the service.

The solution was to kill the process in Task Manager (inetinfo.exe).  We found it immediately re-spawned and worked…

I’ve just had to migrate a batch of printers to a new AD print server. Fortunately this process was made somewhat painless by the Microsoft Print Migration tool available here:

http://www.microsoft.com/DOWNLOADS/details.aspx?FamilyID=9b9f2925-cbc9-44da-b2c9-ffdbc46b0b17&displaylang=en

Outlook web access does not allow the inclusion of images by default. However it is possible to embed the image within the signature.

First upload the image you wish to include to a web server and make a note of the full path. ie, http://www.yourdomain.com/images/companylogo.jpg.

Then create a new signature in Outlook and ensure the path of the image on the signature points to your webserver. You can find the raw signature files in “C:documents and settingsusername.domainapplication datamicrosoftsignatures” on Office 2007/XP.

You can then edit the raw signature in Notepad.This is an ideal opportunity to tidy up the messy html created by Outlook when designing the signature in the first place. Find the image src and edit to point to the full path of the hosted image

Send an email with the signature embedded to the users email address and open the email within OWA (in IE). Copy the signature then go into Options -> Email Signatures and paste in the signature.

I’ve just finished installing a pfSense firewall as a second gateway for a network that required a dedicated internet connection for some services. Some of the hosts on the network use the main office internet connection as their default gateway. As a result of this I was unable to connect to these hosts from remotely via the VPN, as the return path for the packets attempts to go via the primary internet connection, rather than via the VPN.

I had a quick glance at the pfSense/OpenVPN docs to see whether there was anything I could specify in pfSense and they stated that the machines needed to use the pfSense as the default gateway – this was unacceptable for our purposes here (one of the devices in question is the Asterisk VoIP server on the network which needs to use the other Internet connection for it’s external traffic). There is an easy solution to this however by simply adding a static route back to the IP range issued to DHCP clients via the pfSense’s internal IP.

This looks something like this:

openvpn

Effectively any internal machines that need to be visible over the VPN need to have an appropriate return path configured. The DHCP scope I have used for VPN clients is 10.0.200.0/24.
For linux machines on the network, the route can be added on a temporary basis (ie. until reboot) by entering the following command on the host:

route add -net 10.0.200.0/24 gw 10.204.6.1

or permanently by adding an entry into the /etc/sysconfig/static-routes (on Centos as per http://www.centos.org/docs/5/html/5.1/Deployment_Guide/s1-networkscripts-static-routes.html)

On Windows hosts this can be achieved by adding a persistent route:

route add -p 10.0.200.0 mask 255.255.255.0 10.204.6.1
:)

By default, Microsoft exchange uses the username when creating email addresses for users using Recipient Policy.

eg.

username@domainname.com

However, in many cases the standardised email address format is slightly different – for example:

firstname.lastname@domainname.com

This is actually really easy to edit in the Exchange System Manager using a few variables:

%g  = Given Name (First name).
%3g = means first 3 letters of Given Name
%s  = Surname (Last name).
%3s = means first 3 letters of sn.
%d  = displayname.
%m  = Exchange alias.

Once this has been edited, just right click on the Policy and click Update this Policy now.

I keep on finding and losing bookmarks of good base64 encoding and decoding sites, so thought I’d link to one here:

http://makcoder.sourceforge.net/demo/base64.php

Useful when trying to test SMTP-Auth on a mailserver and needing to encode usernames and passwords!
:)

We’re just trialling the Blackberry Professional software here, but with a change of heart as to the test user attempted to delete the user to re-add another.  Unfortunately although the Blackberry Professional Software allows you to delete users, it didn’t successfully purge the user from the database.  This meant that we couldn’t add an alternative user (the software comes with 1 user licence to trial with).

The solution is to manually remove the user from the database.  This can be done using the OSQL command line utility.

osql -E SERVERNAMEDATABASESERVERNAME
1>use BESMgmt
2>select DisplayName from UserConfig
3>go

This will show the DisplayName of the user.  For the sake of this document, we’ll call the user “testuser”.

To delete the user, then enter:

1>use BESMgmt
2>delete from UserConfig where DisplayName=“testuser”
3>go

1>exit

That should remove the user.  On checking within the Blackberry Professional software there is now no longer a user, releasing the licence.
:)