Thursday, December 8, 2011

New Cisco L2 Catalyst 2960S supports static routes

It's long overdue! We can finally configure static routes on our newly shipped Cisco Catalyst 2960S L2 stackable switches. By default the switch accepts no routing configuration at all besides "ip default-gateway". To enable it, you have to switch the SDM template from the default (desktop default) to lanbase-routing and reload:

Switch# configure terminal
Switch(config)# sdm prefer lanbase-routing
Switch(config)# end
Switch# reload

The new template only takes effect after the reload ("reload" is a privileged EXEC command, hence the "end" first). Once the switch is back up, turn routing on with "ip routing" in global configuration mode; only then will "ip route" statements be accepted, and only static routes between SVIs are supported (still no dynamic routing protocol). Do note that the lanbase-routing template is only available on the C2960S LAN Base image, not on the LAN Lite image. For more information, refer to this Cisco documentation.

Thursday, November 17, 2011

How to rebuild AD-integrated DNS servers

What if some joker wipes out your AD-integrated DNS zones by accident, and there is no backup? You will find out soon enough that AD operations are heavily dependent on DNS: clients locate domain controllers, and domain controllers locate their replication partners, through the SRV and CNAME records in these zones.

You then have to rebuild DNS manually by re-creating two zone files, yourdomain.dns and _msdcs.yourdomain.dns. When a zone is not AD-integrated, its file is stored in the DNS server's system folder, %SystemRoot%\System32\dns (e.g. C:\Windows\System32\dns).

  1. On all of your AD-integrated DNS servers, change both the forward primary zone and the _msdcs zone to Standard Primary zones by unchecking the "Store the zone in Active Directory" box. Back up whatever zone files now appear in the system dns folder. Then delete both zones in DNS Manager.
  2. Next, you need to know the DNS zone file syntax. There are sample files under \dns\sample. An easier way is to go to a DNS server of another, intact domain, temporarily change its primary and _msdcs zones to Secondary zones, and you will find the two files in its system dns folder for reference. Copy the files out and remember to change the zones back to AD-integrated.
  3. Re-create both zone files with Notepad (or WordPad, saved as plain text) and store them in the system dns folder. Pay special attention to the SRV records (_ldap._tcp, _kerberos._tcp, _ldap._tcp.dc._msdcs.domain, etc.), which are what "refer" clients to the domain controllers for authentication, and to the <DsaGuid>._msdcs CNAME records, which domain controllers use to find each other for replication. Keep a backup copy of both files.
  4. In DNS Manager, create a new standard primary zone (do not integrate it with AD yet!) under Forward Lookup Zones and name it after your domain. On the "Zone File" page of the wizard, choose "Use this existing file". Repeat the same steps for the _msdcs zone.
  5. Restart the DNS and Netlogon services with "net stop dns" / "net start dns" and "net stop netlogon" / "net start netlogon". Restarting Netlogon makes the domain controller re-register its own locator records.
  6. Test and check all entries (the DNS test in dcdiag is a good start). Rectify any errors found.
  7. Once you are happy with the DNS settings, integrate the zones into Active Directory by checking the same box as in step 1.
  8. If you have dynamic DNS records, execute "ipconfig /registerdns" on each dynamic DNS client. Otherwise, just wait for the clients to come back online and re-register themselves.
  9. On each subsequent DNS server, check that the zones are back. If not, create a new secondary zone and a new _msdcs zone pointing at the DNS server you rebuilt first, and make sure the entries replicate correctly. If replication fails, check the "Zone Transfers" setting on the first server: allow transfers only to the servers listed on the Name Servers tab or to specific IP addresses, never to any server.
  10. Once replication succeeds, change both secondary zones to primary zones, integrate both into AD, and reboot the DNS server.
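The SRV and CNAME records in step 3 are the part most people get wrong by hand, so here is an added PowerShell example (not code from the original post) that generates them, plus a minimal standard-primary zone file header, for a list of domain controllers. It assumes a single-domain forest (so the forest-wide _gc and gc._msdcs records use the same name as the domain), and the host names, addresses, site name and DSA GUID below are made up. The DSA GUID of each DC is the "DSA object GUID" shown by repadmin /showrepl.

```powershell
# Added example, not from the original post: build the DC locator records a
# hand-written yourdomain.dns / _msdcs.yourdomain.dns must carry. Owner names are
# fully qualified (trailing dot), so the lines are valid regardless of the file's origin.
# Assumes a single-domain forest; host names, IPs, site and GUID are constructed.
function New-DcLocatorRecords {
    param(
        [Parameter(Mandatory = $true)][string]$Domain,
        [Parameter(Mandatory = $true)][hashtable[]]$Dcs,   # keys: Name, IP, Site, IsPdc, DsaGuid
        [int]$Ttl = 600                                    # TTL AD itself uses for these records
    )
    $d     = $Domain.TrimEnd('.')
    $zone  = New-Object 'System.Collections.Generic.List[string]'   # -> yourdomain.dns
    $msdcs = New-Object 'System.Collections.Generic.List[string]'   # -> _msdcs.yourdomain.dns

    foreach ($dc in $Dcs) {
        $target = "$($dc.Name).${d}."
        $site   = $dc.Site
        $zone.Add("$target $Ttl IN A $($dc.IP)")                   # SRV targets must resolve
        $msdcs.Add("gc._msdcs.${d}. $Ttl IN A $($dc.IP)")          # global catalog alias

        # SRV fields after the type are: priority weight port target (RFC 2782).
        $domainSrv = @(
            @("_ldap._tcp.${d}.",                              389),
            @("_ldap._tcp.$($site)._sites.${d}.",              389),
            @("_kerberos._tcp.${d}.",                           88),
            @("_kerberos._udp.${d}.",                           88),
            @("_kerberos._tcp.$($site)._sites.${d}.",           88),
            @("_kpasswd._tcp.${d}.",                           464),
            @("_kpasswd._udp.${d}.",                           464),
            @("_gc._tcp.${d}.",                               3268),
            @("_gc._tcp.$($site)._sites.${d}.",               3268)
        )
        $msdcsSrv = @(
            @("_ldap._tcp.dc._msdcs.${d}.",                    389),
            @("_ldap._tcp.$($site)._sites.dc._msdcs.${d}.",    389),
            @("_kerberos._tcp.dc._msdcs.${d}.",                 88),
            @("_kerberos._tcp.$($site)._sites.dc._msdcs.${d}.", 88),
            @("_ldap._tcp.gc._msdcs.${d}.",                   3268),
            @("_ldap._tcp.$($site)._sites.gc._msdcs.${d}.",   3268)
        )
        # Only the PDC emulator owns the pdc record.
        if ($dc.IsPdc) { $msdcsSrv += ,@("_ldap._tcp.pdc._msdcs.${d}.", 389) }

        foreach ($r in $domainSrv) { $zone.Add( ("{0} {1} IN SRV 0 100 {2} {3}" -f $r[0], $Ttl, $r[1], $target)) }
        foreach ($r in $msdcsSrv)  { $msdcs.Add(("{0} {1} IN SRV 0 100 {2} {3}" -f $r[0], $Ttl, $r[1], $target)) }

        # Replication partners are looked up by DSA GUID; without this CNAME,
        # repadmin reports DNS lookup failures for the partner.
        if ($dc.DsaGuid) { $msdcs.Add("$($dc.DsaGuid)._msdcs.${d}. $Ttl IN CNAME $target") }
    }
    New-Object PSObject -Property @{ DomainZone = $zone; MsdcsZone = $msdcs }
}

# Write a standard-primary zone file: SOA and NS first, then the records above.
function Write-ZoneFile {
    param([string]$ZoneName, [string]$Path, [string]$PrimaryDc, [string[]]$Records)
    $header = @(
        "; hand-rebuilt zone file for $ZoneName (standard primary, import via 'Use this existing file')",
        "@ IN SOA $PrimaryDc hostmaster.${ZoneName}. ( 1 900 600 86400 3600 )",
        "@ IN NS $PrimaryDc"
    )
    ($header + $Records) | Set-Content -Path $Path -Encoding Ascii   # zone files are plain ASCII text
}

# Constructed sample input; replace with your own DCs.
$dcs = @(
    @{ Name = 'dc1'; IP = '10.10.10.1'; Site = 'Default-First-Site-Name'; IsPdc = $true
       DsaGuid = '2fbf9a8e-5c5e-4a5a-9d13-0f6c3c1a0001' },
    @{ Name = 'dc2'; IP = '10.10.10.2'; Site = 'Default-First-Site-Name' }
)
$recs = New-DcLocatorRecords -Domain 'yourdomain.com' -Dcs $dcs
$dnsDir = "$env:SystemRoot\System32\dns"
Write-ZoneFile -ZoneName 'yourdomain.com'        -PrimaryDc 'dc1.yourdomain.com.' -Records $recs.DomainZone -Path "$dnsDir\yourdomain.com.dns"
Write-ZoneFile -ZoneName '_msdcs.yourdomain.com' -PrimaryDc 'dc1.yourdomain.com.' -Records $recs.MsdcsZone  -Path "$dnsDir\_msdcs.yourdomain.com.dns"
```

Run it on the first DNS server before step 4, then point the "Use this existing file" wizard at the two files it wrote. Once Netlogon is restarted (step 5) the domain controllers re-register the same names themselves, so any record you got slightly wrong is overwritten rather than left to break authentication.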

Monday, September 19, 2011

Useful References for Intel NIC Teaming on Windows Server Core 2008

1) Enable remote MMC
To connect an MMC console to a standalone (non-domain) Server Core machine, create a temporary administrator account on the target that has the same account name and password as an account on the full-GUI computer you manage from (e.g. Windows 7 or a full Windows Server 2008 R2), so that pass-through authentication succeeds. Remove that account as soon as the server is domain-joined or the work is done: identical local administrator credentials on several machines are exactly what lets an attacker hop from one to the next.

Use "sconfig" on the Server Core machine to add the local admin account (option 3) and to enable remote management (option 4).

To run a command remotely:
"winrs -r:%servername% remote command" and press Enter.

Example: to list a directory on the remote file system, type:
"winrs -r:DC1 dir"

2) Intel NIC teaming on Server Core
http://www.intel.com/support/network/sb/CS-029966.htm
To extract all Intel NIC driver (.inf) files without running the installer, use PROWinx64.exe /e /f [destination path]

3) Enable remote device driver management for Server Core
http://www.petri.co.il/remotely-manage-devices-windows-server-2008-core.htm

4) Configuring system environment variables on Server Core
WMIC Environment where name='Path' SET VariableValue='%ProgramFiles%\Apps;%PATH%'

Two caveats: cmd.exe expands %PATH% before wmic ever sees it, so the value stored is the fully expanded current path (nested references such as %SystemRoot% are lost), and only processes started afterwards see the change. Also, "where name='Path'" matches every Path instance WMI enumerates, system and per-user alike; add "and username='<SYSTEM>'" to the where clause to touch only the system variable.

5) Using PowerShell to manage Windows Features and Server Roles
http://blogs.msdn.com/b/powershell/archive/2009/01/27/managing-server-features-with-powershell-cmdlets-on-windows-2008-server-r2-beta.aspx

6) Enable Jumbo Frames
http://blog.allanglesit.com/2010/03/enabling-jumbo-frames-on-hyper-v-2008-r2-virtual-switches/

7) Enable VMDq on Intel Team for VLANs in Hyper-V
http://www.intel.com/support/network/sb/CS-030993.htm

8) Disable dynamic DNS update of the Hyper-V cluster name
If you have configured a static DNS record for the cluster name, you have to disable dynamic DNS updates for it. Disabling DNS client updates through GPO won't work for the cluster name, however; you have to disable registration on the interface that does the updating. Since ncpa.cpl is not available on Server Core, use the "netsh interface" command and set register to none when configuring the DNS server. Examples:

To set the DNS server and turn off DNS registration:
netsh interface ipv4 set dnsserver name="Local Area Connection" source=static address="10.10.10.1" register=none

To add another DNS server:
netsh interface ipv4 add dnsserver name="Local Area Connection" address="10.10.10.2"
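netsh does this one interface at a time, and on a host with several teamed and VLAN adapters it is easy to miss one. As an added example (not from the original post), the PowerShell function below audits every IP-enabled adapter through WMI and switches the "register this connection's addresses in DNS" flag that ncpa.cpl would show. It assumes the PowerShell feature is enabled on the Core box, or that you run it from a full server against the Core host with -ComputerName; the host name in the usage line is made up.

```powershell
# Added example, not from the original post: audit and set dynamic DNS registration
# on every IP-enabled adapter of a host (local or remote) in one go.
# Win32_NetworkAdapterConfiguration.SetDynamicDNSRegistration takes two booleans:
# FullDNSRegistrationEnabled ("register this connection's addresses") and
# DomainDNSRegistrationEnabled ("use this connection's suffix in registration").
function Set-DnsRegistration {
    [CmdletBinding(SupportsShouldProcess = $true)]
    param(
        [string]$ComputerName = '.',     # '.' = local machine
        [bool]$Enabled = $false          # $false turns registration off (netsh register=none)
    )
    $adapters = Get-WmiObject Win32_NetworkAdapterConfiguration -ComputerName $ComputerName -Filter 'IPEnabled = TRUE'
    foreach ($nic in $adapters) {
        $was = $nic.FullDNSRegistrationEnabled
        if ($was -eq $Enabled) { continue }                      # already in the wanted state
        $what = "set FullDNSRegistrationEnabled=$Enabled"
        if ($PSCmdlet.ShouldProcess("$($nic.Description) on $ComputerName", $what)) {
            $rc = $nic.SetDynamicDNSRegistration($Enabled, $false)
            # ReturnValue 0 = success, 1 = success but a reboot is required
            New-Object PSObject -Property @{
                Adapter = $nic.Description; IP = ($nic.IPAddress -join ','); Was = $was; Now = $Enabled; ReturnValue = $rc.ReturnValue
            }
        }
    }
}

# Report what would change on the cluster node (constructed host name), then apply it.
Set-DnsRegistration -ComputerName 'HV1' -WhatIf
Set-DnsRegistration -ComputerName 'HV1' | Format-Table -AutoSize
```

Because the function reads the current flag first and skips adapters already in the wanted state, it is safe to run repeatedly from a scheduled task or after adding a NIC to the team.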

Friday, September 16, 2011

Part 5: Sysprep and Capture Server Image using MDT2010

In part 4, I mentioned using MDT2010 to perform a Windows installation over the network share. After you have installed, configured and patched this reference computer, you may like to "clone" this image for subsequent server deployments.

You may use MDT2010 to sysprep and capture this reference image. Initially, I thought of doing a PXE boot and capturing the image after creating a new task sequence for sysprep and capture. But I was only half right. Instead, after creating the new task sequence, you have to log in to your reference computer, map the MDT network share and execute the sysprep-and-capture LTI script as follows:

cscript \\mdtserver\DeploymentShare$\Scripts\LiteTouch.WSF

For step-by-step details, see "How to run a Sysprep and Capture Task Sequence from MDT2010".

Thursday, September 15, 2011

AD authentication for Dell iDRAC6

The well-known default login for iDRAC6 is "root" with the password "calvin". You should change it immediately, but a single local account shared among several administrators still leaves you with an accountability problem: nobody can tell who logged in. A better way is to enable AD authentication, which gives each administrator an individual login and enforces your domain's password and lockout policies on iDRAC access too.

Step 0: Configure the IP and DNS settings on the iDRAC. It must be able to resolve and reach your domain controllers over LDAP over SSL.

Step 1: Enable Microsoft Active Directory under "Network/Security" > "Directory Service".

Step 2: Enable certificate validation and upload the Enterprise CA certificate. The iDRAC checks the LDAPS certificate presented by the domain controller against this CA, so your domain controllers need server certificates issued by it (the Domain Controller or Kerberos Authentication template from the same AD CS does the job). Leaving validation off means the iDRAC will hand the login to any host that answers as a DC.

Step 3: Choose Standard Schema.

Step 4: Enter the FQDNs of the domain controllers, e.g. dc1.domain.com. Create the role groups in AD and map each group to the appropriate iDRAC privileges.

Step 5: Lastly, test the settings. Supply the test account name in "user@domain.com" format; the "domain\user" format won't work.

Wednesday, September 14, 2011

Enrolling SSL Cert for DELL iDRAC6

Dell's iDRAC6 is a lights-out management controller (Dell's counterpart to HP iLO) that lets administrators manage servers remotely through a Java-based virtual console, as though they were physically in front of the console. Think of it as an IP KVM. iDRAC is managed through a web console, and most likely you will be greeted by SSL warnings, because it ships with a default self-signed certificate. To do away with these prompts permanently, you need a PKI in your enterprise network, such as Active Directory Certificate Services (AD CS), whose CA your administrators' browsers trust (domain-joined clients trust an enterprise CA automatically).

In AD CS, use web enrollment to issue certificates to entities outside of AD, such as the iDRAC. Create a new template based on Web Server (subject name supplied in the request) and grant Enroll permission to the administrators who will be enrolling iDRACs. Next, generate a certificate request on the iDRAC: log in to the iDRAC settings and click Network/Security, then SSL, as shown below:

Click "Generate Certificate Signing Request (CSR)" and download the text-based file. Enter the Common Name exactly as the DNS name administrators will type into the browser, since a mismatch brings the warnings straight back. Open the file with Notepad or WordPad. Log on to the web enrollment service, e.g. https://certservername/certsrv (use HTTPS so that your domain credentials do not cross the network in clear), then click "Request a certificate", "advanced certificate request" and "Submit a certificate request by using a base-64-encoded CMC or PKCS #10 file".

Back in Notepad, copy the contents of the CSR and paste them into the certificate request box. Select the appropriate certificate template.

Click "Submit" and download the server certificate (Base 64 encoded). Upload this certificate via the same SSL page in the iDRAC settings. The iDRAC takes a few minutes to reset itself. If you still see SSL errors, take a look and troubleshoot. Most likely a typo has caused a mismatch between the certificate's Common Name and the DNS name you browse to, or the browser does not trust the issuing CA.
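The same request can be submitted from the command line, and, more usefully, the issued certificate can be checked against the DNS name before it is uploaded, so the mismatch the paragraph above describes is caught on the workstation instead of in the browser. The PowerShell below is an added example, not code from the original post or from Dell: the CA config string, template name, file paths and iDRAC host name are assumptions.

```powershell
# Added example, not from the original post. Submit-IdracCsr does what the certsrv
# "Submit a certificate request" page does, via certreq; Test-IdracCertificate reads the
# issued .cer and checks name, trust chain, server-auth usage and validity before upload.
function Submit-IdracCsr {
    param(
        [Parameter(Mandatory = $true)][string]$CsrPath,   # the text file downloaded from the iDRAC
        [Parameter(Mandatory = $true)][string]$CaConfig,  # "CAHost\CA Name" (assumed; certutil -dump lists it)
        [string]$Template = 'iDRACWebServer',             # assumed name of your Web Server based template
        [string]$CerPath
    )
    if (-not $CerPath) { $CerPath = [IO.Path]::ChangeExtension($CsrPath, '.cer') }
    & certreq.exe -submit -config $CaConfig -attrib "CertificateTemplate:$Template" $CsrPath $CerPath
    if (-not (Test-Path $CerPath)) {
        throw "No certificate written; the request may be pending CA manager approval (see the RequestId certreq printed)."
    }
    $CerPath
}

function Test-IdracCertificate {
    param(
        [Parameter(Mandatory = $true)][string]$CerPath,
        [Parameter(Mandatory = $true)][string]$IdracDnsName   # exactly what you type in the browser
    )
    $cert = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2 $CerPath

    # Names the browser will accept: the subject CN plus any DNS entries in the SAN extension (OID 2.5.29.17).
    $names = @($cert.GetNameInfo([System.Security.Cryptography.X509Certificates.X509NameType]::SimpleName, $false))
    $san = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
    if ($san) {
        $names += ($san.Format($false) -split ',\s*' | ForEach-Object { ($_ -replace '^.*?=', '').Trim() })
    }

    # Does this machine trust the issuing CA? (Revocation check off so this runs offline.)
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = [System.Security.Cryptography.X509Certificates.X509RevocationMode]::NoCheck
    $chainOk = $chain.Build($cert)

    # Enhanced Key Usage (OID 2.5.29.37) must include Server Authentication, 1.3.6.1.5.5.7.3.1.
    $eku = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.37' }
    $serverAuth = (-not $eku) -or ($eku.Format($false) -match '1\.3\.6\.1\.5\.5\.7\.3\.1')

    New-Object PSObject -Property @{
        Subject      = $cert.Subject
        Names        = ($names -join ', ')
        NameMatches  = [bool]($names -contains $IdracDnsName)   # -contains on strings is case-insensitive
        ChainTrusted = $chainOk
        ServerAuth   = $serverAuth
        NotAfter     = $cert.NotAfter
        Issuer       = $cert.Issuer
    }
}

# Constructed usage: all names and paths are placeholders.
$cer = Submit-IdracCsr -CsrPath 'C:\certs\idrac-srv1.csr' -CaConfig 'ca1.yourdomain.com\YourDomain Enterprise CA'
Test-IdracCertificate -CerPath $cer -IdracDnsName 'idrac-srv1.yourdomain.com' | Format-List
```

If NameMatches is false, regenerate the CSR on the iDRAC with the right Common Name rather than uploading and hoping; if ChainTrusted is false on a domain-joined workstation, the issuing CA's certificate has not reached the clients yet and the browser warnings will persist whatever you upload.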

Friday, September 2, 2011

Debugging JUNOS for Cisco dude

In Cisco IOS you use debug commands for troubleshooting. How do you do the same in JUNOS?

For example, to troubleshoot SNMP in Cisco IOS you would do this:
#debug snmp detail
#term mon

In JUNOS, debugging is configured as traceoptions, which write to a file under /var/log:
> edit
# edit snmp
# set traceoptions flag all
# set traceoptions file debug-snmp
[Unlike Cisco IOS, you need to commit the change before it takes effect]
# top
# commit
[Tracing starts at commit. "run" executes an operational command from configuration mode, and "monitor start" tails the trace file to your terminal]
# run monitor start debug-snmp
[Lots of debugging messages; when you're done, stop the monitor]
# run monitor stop
[Remove the traceoptions and commit again, otherwise tracing keeps writing to the file]
# delete snmp traceoptions
# commit