Windows Server - Technology : Networking

Configuring When DHCP is on the Same Server

Richard — Wed, 01 Jul 2009 02:57:00 GMT

Configuring When DHCP is on the Same Server

The method of communication between the booting client and the server uses data fields (known as options) in DHCP packets. The Windows Deployment Services solution for booting over the network works well in many configurations. It works well when Windows Deployment Services is located on the same physical computer or on a different physical computer than the DHCP server. However, the default installation is that Windows Deployment Services and a DCHP server (Microsoft or non-Microsoft) are located on different physical computers. In this scenario, no additional configuration steps are required for interoperability between Windows Deployment Services and the DHCP server.

However, if you are running Windows Deployment Services and DHCP on the same computer, in addition to configuring the server to not listen on port 67, you will need to use your DHCP tools to add Option 60 to their DHCP scopes. This allows booting clients to learn about the Windows Deployment Services PXE server from the DHCP response that is generated by the DHCP server. Setting DHCP option tag 60 has one side effect: clients booting from the network are always notified that the Windows Deployment Services PXE server is available, even if the server is not operational or has stopped. For instructions on configuring these options, see the DHCP section of How to Manage Your Server.

Note

There are some scenarios (particularly those that require running a DHCP server) that do not support adding custom DHCP option 60 on the same physical computer as the Windows Deployment Services server. In these circumstances, it is possible to configure the server to bind to UDP Port 67 in non-exclusive mode by passing the SO_REUSEADDR option. For more information, see Using SO_REUSEADDR and SO_EXCLUSIVEADDRUSE (http://go.microsoft.com/fwlink/?LinkId=82387).

If DHCP is installed on a server that is located in a different subnet, then you will need to do one of the following configure your IP Helper tables (recommended) or add DHCP options 66 and 67. For more information, see Managing Network Boot Programs.

And here are some procedures:

To configure Windows Deployment Services to run on the same computer as Microsoft DHCP


Right-click the server and click Properties. On the DHCP tab, select Do not listen on port 67 and Configure DHCP Option #60 Tag to PXEClient.

This procedure does the following:

Sets HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Parameters\UseDhcpPorts to 0.
Adds the option 60 PXEClient tag to all of your DHCP scopes.

To configure Windows Deployment Services to run on the same computer as non-Microsoft DHCP


Right-click the server and click Properties. On the DHCP tab, select the Do not listen on port 67. Use your DHCP server tools to set Option #60 Tag to PXEClient.

This procedure sets HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\WDSServer\Parameters\UseDhcpPorts to 0.

Network and Sharing Center Operations Guide

Richard — Sat, 17 Nov 2007 15:57:00 GMT

Another guide reviewed by me:

Network and Sharing Center Operations Guide

http://technet2.microsoft.com/windowsserver2008/en/library/7bd38516-8d1c-4eb5-aaed-cf9369c4a0611033.mspx

Acknowledgments

Produced by: Microsoft Windows Server User Assistance team

Project Writer: Dave Bishop, L. Joan Devraun

Project Editor: Scott Somohano

Technical Reviewers: Sen Veluswami, Alvin Tan, Amit Pethe

Microsoft Most Valuable Professional (MVP) Reviewers: Richard Wu, Wai Ho

Telnet Operations Guide

Richard — Sat, 17 Nov 2007 05:19:00 GMT

Telnet Operations Guide

haha! I help Microsoft to review their Telnet Operation Guide before. Now, it was published!

http://technet2.microsoft.com/windowsserver2008/en/library/0bd3aaf1-3475-4676-b85d-7fd5531a9cbc1033.mspx?mfr=true

Look at the bottom of that page, you will see:

Acknowledgments

Produced by: Microsoft Windows Server User Assistance team

Project Writer: Dave Bishop, L. Joan Devraun

Project Editor: Scott Somohano

Technical Reviewers: Jeff Gollnick, Shamit Patel, Shanmugam Kulandaivel, Jay Munro

Microsoft Most Valuable Professional (MVP) Reviewers: Richard Wu, Wai Ho

Changing local admin password?

Richard — Fri, 31 Aug 2007 10:28:00 GMT

Changing local admin password?

I just find a good method to change the local admin password of client PC remotely from MCPMAG. By using this method, you don't need to put the new password in script in order to make it work. You may reference this:

SysInternals offers a free too called PsPasswd
http://www.sysinternals.com/Utilities/PsPasswd.html , which
allows you to remotely reset passwords on a range of computers
on your network. The tool will also report successes and
failures of changed passwords, and allows you to run a single
command against a list of computers. Since the password is just
included within the syntax of a command that you run, it will
never be stored as plain text in a batch or script file.

To use PsPasswd, you'll first need a list of all computers in
your domain. To enumerate all computer objects in a domain,
you could run this script:

LogFile = "C:\computers.txt"
Const ForWriting = 2
Const ADS_SCOPE_SUBTREE = 2

Set objConnection = CreateObject("ADODB.Connection")
Set objCommand = CreateObject("ADODB.Command")
objConnection.Provider = "ADsDSOObject"
objConnection.Open "Active Directory Provider"

Set objCOmmand.ActiveConnection = objConnection
objCommand.CommandText = _
   "Select Name, Location from 'LDAP://DC=mcpmag,DC=com' " _
   & "Where objectClass='computer'"
objCommand.Properties("Page Size") = 1000
objCommand.Properties("Searchscope") = ADS_SCOPE_SUBTREE
Set objRecordSet = objCommand.Execute
objRecordSet.MoveFirst

Set objFSO =
CreateObject("Scripting.FileSystemObject")
Set objFile = objFSO.CreateTextFile(LogFile, ForWriting)

Do Until objRecordSet.EOF
   objFile.WriteLine objRecordSet.Fields("Name").Value
   objRecordSet.MoveNext
Loop

Note that the script will output to a file named "computers.txt"
on the C drive. This could be changed by editing the LogFile
variable assignment in the first line of the script. Note that
in your environment, you will also need to change the domain
referenced in line 12. In my example, I use mcpmag.com
(DC=mcpmag,DC=com).

Once you have a list of all computers, you can then run
pspasswd.exe to change the local administrator password on
all systems in the list. Here's the syntax that I used on my
test network:

pspasswd.exe @c:\computers.txt administrator P@ssword!

Following the @ symbol in the command syntax is the path to
the file containing all computer names. The next part of the
syntax is the name of the account whose password will be
changed, followed by the new password (P@ssword!).

Now here is the output that was generated from the command:

PsPasswd v1.21 - Local and remote password changer
Copyright (C) 2003-2004 Mark Russinovich
Sysinternals - www.sysinternals.com

\\PC1:
Error changing password:
The network path was not found.

\\BSODME:
Password for BSODME\administrator successfully changed.

Since the output will list both success and failures, you will
be able to note the systems in which the password was not
successfully changed. In my case, the system named PC1 was not
located. So I would have to ensure that PC1 was online and then
run the command a second time. (Note that PsPasswd can also be
run against a single computer.) Since the command relies on UNC
paths to connect to systems, you will need to ensure that the
target systems have File and Print Sharing enabled and that File
and Print Sharing is not being blocked by the system's firewall.
By default, the Windows XP Pro SP2 firewall does not allow File
and Print sharing. However, this can be quickly changed via
Group Policy.

As you can see, with a simple list of computers on your network,
remotely changing the local administrator password using PsPasswd
is a relatively painless process.

HyperTerminal for Vista

Richard — Thu, 14 Jun 2007 18:58:00 GMT

Microsoft has removed HyperTerminal from Windows Vista, if you need to connect to a Cisco router through a local COM port, you can get HyperTerminal from Hilgraeve, the company that Microsoft licensed the application through.

You could also use the old XP Hyper terminal. Just extract two files hypertrm.dll and hypertrm.exe. You can put them anywhere on the disk, no installation required. Of course, for that you need to have XP to extract files from.

Besides, puTTY and SecureCRT are great too! I would prefer puTTY as it is FREE! :-p
PuTTY can now connect to local serial ports as well as making network connections!!!

Hilgraeve HyperTerminal for Personal Use
puTTY

Install/Upgrade UltraVNC v1.02 through Remote Desktop.

Richard — Mon, 11 Jun 2007 20:50:00 GMT

If you install VNC through Remote Desktop, you will face a problem that VNC Server can't run as a service even you choose the "Run As Services" option during the installation. To work around to this problem, I search through the net and find a solution which work on my server(W2K /w SP4):

1. Logon the Server by using Remote Desktop and install VNC, run the VNC Server by clicking it's icon in the VNC program group.(It may prompt you to configure the default password if it's a new installation. However, my case is not a new installation, so it don't prompt for configuring the default password).

Configure the default setting by clicking the "Show Default Settings" inside the UltraVNC program group(I configure my VNC password at that time) and click OK.

If it does not work, try copy the HKEY_CURRENT_USER\Software\ORL\WinVNC3\Password to HKEY_LOCAL_MACHINE\SOFTWARE\ORL\WinVNC3\Default\Password

2. Then, created the registry value "AuthRequired" under HKEY_LOCAL_MACHINE\Software\ORL\WinVNC3 and set it to 0 (a DWORD value). That enabled "passwordless" VNC access(Remark: It's DANGER to do so!!!)

3. Go to the services console and start the VNC service.

Now since VNC is hooking video as if we were sitting in front of a console rather than RDP's session stuff, we can attach to the newly started vnc service. Go to start->program files->Ultra VNC->Ultra VNC Server [folder]->Show Default Settings (Assuming everything is in the default places/names at least...)

Now set your password. Do a save and get outta there. Exit VNC client locally, and reconnect - now it prompts for password. Remove the "authrequired" key.

Logging User logon event.

Richard — Mon, 28 May 2007 16:39:00 GMT

If you want to keep track the user logon and logoff event to the domain, you can try this method:

Step 1: Create the following two files using Notepad or your favorite text editor:

------logon.cmd----
echo logon %username% %computername% %date% %time% >> \\dc1\share\logon.log

-----logoff.cmd-----
echo logoff %username% %computername% %date% %time% >> \\dc1\share\logoff.log

Step 2: Update Group Policy to run the appropriate batch file. In Group Policy, go to:
User Configuration-> Windows Settings-> Scripts (Logon/Logoff)-> Logon
User Configuration-> Windows Settings-> Scripts (Logon/Logoff)-> Logoff

Step 3: As users log on and off, your log file should look something like this:

logon Richard WS01 Tue 22/02/2005 10:39:51.12
logon Peter WS02 Tue 22/02/2005 10:42:01.07

logoff Richard WS01 Tue 22/02/2005 10:41:08.45
logoff Peter WS02 Tue 22/02/2005 10:42:46.81

For paid solution and better reporting, you can use the software from:
http://manageengine.adventnet.com/products/desktop-central/

Publish IIS 6 on ISA2004/2006 Server when they are on the same server.

Richard — Mon, 21 May 2007 19:35:00 GMT

If you want to publish the HTTP service in IIS which was installed on the same machine as ISA, you are require to disable socket pooling on it. Otherise, HTTP service will bind itself to all network interfaces which prevent ISA to listen for incoming request.

1. Install the Support Tools form the W2K3 Server installation disc. It was located in the SUPPORT\TOOLS folder.
2. Run "net stop http /y"
3. Run "net stop w3proxy" if you enabled the web proxy service.
4. Go to the Support Tools folder and Run "httpcfg delete iplisten -i 0.0.0.0"
5. Run "httpcfg set iplisten -i 192.168.8.8" where "192.168.8.8" is the IP of which HTTP service should be listen to.
6. Run "net start http"
7. Run "net start w3svc"
8. Run "net start w3proxy"

You can run "httpcfg query iplisten" to check which IP does the HTTP service is currently listening to.
You can also run "netstat -na | more" to check the active listening ports.

If you want to stop socket pooling on FTP service, you can do this:

1. cd c:\Inetpub\AdminScripts
2. net stop msftpsvc
3. cscript adsutil.vbs set msftpsvc/disablesocketpooling true
4. net start msftpsvc

If you want to stop socket pooling on SMTP service, you can do this:

1. cd c:\Inetpub\AdminScripts
2. net stop smtpsvc
3. cscript adsutil.vbs set smtpsvc/disablesocketpooling true
4. net start smtpsvc

You can also disable socket pooling for POP3 and IMAP4 services by changing the command:
cscript adsutil.vbs set imap4svc/disablesocketpooling true
cscript adsutil.vbs set pop3svc/disablesocketpooling true

Setting up Cluster on Virtual Server 2005 R2.

Richard — Thu, 17 May 2007 12:41:00 GMT

I find a very good article which teach you the steps to configure cluster in Virtual Server.
It's from RoudyBob. Let's share here:

http://www.roudybob.net/downloads/Setting-Up-A-Windows-Server-2003-Cluster-in-VS2005-Part1.pdf

http://www.roudybob.net/downloads/Setting-Up-A-Windows-Server-2003-Cluster-in-VS2005-Part2.pdf

Disable Mapped Drive Reconnect Warning (Windows 95/98/Me)

Richard — Wed, 16 May 2007 13:28:00 GMT

Open your registry and find or create the key below.

Create a new DWORD value, or modify the existing value, called "RestoreDiskChecked" and set it according to the value data below.

Exit your registry; you may need to restart or log out of Windows for the change to take effect.

User Key: [HKEY_CURRENT_USER\Network]
Value Name: RestoreDiskChecked
Data Type: REG_DWORD (DWORD Value)
Value Data: (0 = disabled, 1 = enabled)

Service overview and network port requirements for the Windows Server system

Richard — Wed, 28 Mar 2007 21:04:00 GMT

Thanks Jeepeepee for the link. I re-post the link in here:

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/?kbid=832017

I think it's very useful when doing diagnostic.

A List of the Windows 2000 Domain Controller Default Ports

Richard — Wed, 28 Mar 2007 11:20:00 GMT

**This article (Q289241) is no longer available via Microsoft Tech Net.

SUMMARY

This article describes the most common ports, protocols, and services that are opened on a Windows 2000-based server that is running Active Directory. The purpose of this article is to list the different services and their respective ports, not to explain how to configure the ports for either a firewall or a proxy.

MORE INFORMATION

21/TCP (Transmission Control Protocol) -- FTP

This File Transfer Protocol (FTP) server is part of Internet Information Services (IIS) and is administered from the IIS administration tool. FTP is a common method to transfer files between two networked computers and to enable the convenient use of remote file storage capabilities.

25/TCP -- SMTP

This Simple Mail Transfer Protocol (SMTP) service is administered from the IIS administration tool. SMTP is the protocol that is used to send e-mail messages by means of the Internet.

80/TCP -- HTTP

Hypertext Transfer Protocol (HTTP) is the set of rules for exchanging files (for example, text, graphic images, sound, video, and other multimedia files) on the World Wide Web (WWW). In comparison to the Transmission Control Protocol/Internet Protocol (TCP/IP) suite of protocols (that are the basis for information exchange on the Internet), HTTP is a program protocol.

88/UDP (User Datagram Protocol) -- Kerberos

Kerberos protocol is a network authentication method that is based on the key distribution model. This protocol enables entities that are communicating over networks to prove their identity to each other and at the same time this protocol can prevent eavesdropping or replay attacks. The Kerberos Key Distribution Center (KDC) listens on this port for ticket requests. Port 88 for the Kerberos protocol can also be TCP/UDP.

119/TCP -- NNTP

Network News Transfer Protocol (NNTP) is the predominant protocol that is used by computers for managing the notes that are posted on Usenet newsgroups. NNTP servers manage the global network of collected Usenet newsgroups.

135/TCP -- RPC

Remote procedure call (RPC) is a facility that enables a program on one Windows-based computer (the client computer) to invoke the services of another program that is running on a separate Windows-based computer (the server) in a distributed network. RPC is a program-level protocol that can use the communications services of any of the Windows networking protocols, which includes TCP/IP.

137/UDP -- NetBIOS Name Server

The network basic input/output system (NetBIOS) Name Server (NBNS) protocol, which is part of the NetBIOS over TCP/IP (NetBT) family of protocols, provides a means for hostname and address mapping on a NetBIOS-aware network.

139/TCP -- NetBIOS Session Services

NetBIOS Session Services are part of the NetBIOS over TCP/IP (NetBT) family of protocols and is used for server message block (SMB), file sharing, and printing.

389/UDP -- LDAP

LDAP is the Lightweight Directory Access Protocol. LDAP is designed to be a standard way of providing access to directory services. In Windows 2000, LDAP is the primary way that the operating system accesses the Active Directory database.

443/TCP -- HTTPS

Secure Hypertext Transfer Protocol (HTTPS) is a variant of HTTP that is used for handling secure transactions. HTTPS is a unique protocol that is Secure Sockets Layer (SSL) underneath HTTP.

445/TCP -- SMB

The SMB protocol is used for file sharing in Microsoft Windows NT and Windows 2000. Windows 2000 enables you to run SMB directly over TCP/IP, without the extra layer of NetBT.

464/TCP -- Kerberos Password V5

The Kerberos change password protocol is used to deny an administrator from setting a password for a new user. This functionality is useful in some environments, and this proposal can be used to enable password setting. This protocol is used when users changes their passwords.

500/TCP -- ISAKMP

Internet Security Association and Key Management Protocol (ISAKMP) or IKE (for Windows 2000) is the key exchange mechanism for a virtual private network (VPN). ISAKMP manages the exchange of cryptographic keys and employs a two-phase process for establishing the Internet Protocol security (IPSec) connection between two gateways.

563/TCP -- SNEWS

SNEWS is secure NNTP.

593/TCP -- RPC over HTTP

RPC over HTTP is used for COM+ Internet Services and requires IIS to operate.

636/TCP -- LDAP over SSL

When SSL is enabled, LDAP data that is transmitted and received is encrypted.

1025/TCP -- Listen

The first port assigned to be used by any application..

1067/TCP -- Installation Bootstrap Service

The installation bootstrap protocol server.

1068/TCP -- Installation Bootstrap Service

The installation bootstrap protocol client.

1645/UDP -- IAS: Internet Authentication Service

This service is used for processing Remote Authentication Dial-In User Service (RADIUS) authentication messages and is supported by IAS to provide backward compatibility with earlier RADIUS servers.

1646/UDP -- IAS: Internet Authentication Service

This service is used for processing RADIUS accounting messages and is supported by IAS to provide backward compatibility with earlier RADIUS servers.

1701/UDP -- L2TP

Layer 2 Tunneling Protocol (L2TP) is a method for encapsulating standard Point-to-Point Protocol (PPP) by means of a variety of media. The protocol also enables encapsulation of PPP by using UDP packets.

1723/UDP -- PPTP

PPTP is an abbreviation for Point-to-Point Tunneling Protocol. It is an Internet protocol that is commonly used in VPN products. Windows NT supports PPTP server, and both Windows NT and Microsoft Windows 95 support PPTP client.

1812/UDP -- IAS Internet Authentication Service

This service is used for processing RADIUS authentication messages.

1813/UDP -- IAS Internet Authentication Service

This service is used for processing RADIUS authentication messages.

3268/TCP -- Microsoft Global Catalog

Active Directory global catalogs listen on this port.

3269/TCP -- Microsoft Global Catalog with LDAP/SSL

Microsoft global catalog SSL connections listen on this port.

3389/TCP -- RDP

Remote Desktop Protocol (RDP) is the protocol that enables a thin client to communicate with the Terminal server over the network. This protocol is based on the International Telecommunication Union (ITU) T.120 protocol, an international, standard multiple-channel conferencing protocol that is currently being used in the Microsoft NetMeeting conferencing software product.

October Networking MVP Update

Richard — Wed, 25 Oct 2006 09:21:00 GMT

Networking MVP Highlights

Windows Server - Networking

Richard Wu

Home: Hong Kong SAR

MVP Award: since October 2005

MVP Public Profile

Blog: Richard Wu

· Windows Vista / Longhorn Blog

· Richard Wu(Microsoft Most Valuable Professional[MVP] and Community Star)

Hobbies/interests: I can tell you that I have lot of hobbies and interests, playing with computer should be the first one. (I start to play computer when I was 10, like many guys in HK, I started with computer games :-p)

I always read computer magazine in order to learn new technology. Tom's Hardware website is my favorite site for learning new hardware.

Comic, Animation from Japan, robot model are my other interests. I have lot of them in my home, my favorites including: Dragon Ball, Saint Seiya, PATLABOR, Nero Genesis Evangelion, etc (Yes, all of them are Japan Animation).

I also like to watch movies and TV programs, X-File, 24, Lost, Prison Break, and Nip Tuck are all my favorites.

By the way, I like doggy! I like Huskey, Golden Retriever and Pomeranian. Although I do not have any one of them in my home, I always visit my friends if they feed dogs. And, I am the member of SPCA (Society for the Prevention of Cruelty to Animals) in HKSAR.

Other technologies of interest/skill: Cisco Router and Switch are my other interests! Remember! I am a networking guy!

Besides teaching Microsoft MOC course in CTEC/MCLS, I teach CCNA course, too!

I find that teaching others to connect the network and computer is fun! That's why I choose trainer as one of my careers.

I am now seeking for more knowledge on Cisco networking and hope I can get CCIE in some day later.

What does it mean to be an MVP? Becoming a Microsoft MVP, I feel my technology knowledge on Microsoft products can be authenticated and proofed.

I feel I have entered another level of knowledge on using MS products. I also feel great as I find Microsoft appreciates my contribution to the communities.

Besides these, I feel I am now getting closer with Microsoft! Before being a MVP, I always think Microsoft is just a business company and doesn't care much about the IT Professional. I feel Microsoft is far from me. But! After becoming a MVP, I have more chances to meet MS guys. All of them make me feel warm and passion!

Now, I feel Microsoft is very close to me and I know Microsoft cares very much about the IT Pro communities!

What would be the one thing you would really want the Networking Product team to know? I appreciate what they are doing! They keep on improving our networking experiences!

I find that configuring network has become much easier than before! At the moment, the only one thing I want them to know is "multicast file transfer". I wish windows will have a feature which allow me to simplify right click files/folders and then let me choose to multicast those files/folder to which group of computers.

(Sure I will need permission to do so). With this feature, I can copy files/folder to my colleagues' computer much easier and decrease the bandwidth usage.

If there was change you could make in the area of networking what would that be? Make the network configuration job much easier! Many of my non-IT friends still always phone me for the steps to setup wire/wireless network at their homes or SOHO. If there is a unified interface which allows the users in windows to configure wire/wireless router connection setting (even difference brand), it would be great!

Why do you find networking so interesting? It makes our life much easier! Remember the old days, when networking is not so common, all colleagues need to stay at office in order to do their work! But now, we can do our work at home, collaborate with colleague with Live Messenger/Live Communicator, networking makes our life easier! By the way, networking shortens the distance between each others. We can get touch with our friends even they are staying at different corner of the world!

You friends look like just living next to you! I love networking!

If there was one problem to highlight around networking what would that be? Integrating different systems! I have a dream, which is installing a little application to Linux/Unix and then I can use Windows to control all of them! It should also include a simple interface to manage and migrate their resources. In this case, linux/unix guys will know Microsoft can make anything possible! We don't need linux/unix guys any more since Windows administrator can now control and manage their system now! haha!

As an MVP what type of engagements would you like to have with the Networking Product team? I would like to visit the office of Microsoft (even local one) in order to meet with the Networking Product team!

I want to learn from them and know the latest networking technology in Microsoft! Besides, more online chat or live meeting from the Networking Product team would be great for us!

Tools to monitor DNS

Richard — Wed, 18 Oct 2006 02:54:00 GMT

Just read a good article from MCPMAG which was about DNS command line tools. So, re-post here:

By Zubair Alexander

Domain Name System service is one of the most important services on
your Windows network. The importance of DNS is even more apparent on
an Active Directory network because the entire Active Directory
infrastructure relies heavily on it.

To troubleshoot and monitor DNS services, you can turn to numerous
tools out there. You might be familiar with Nslookup, a popular,
built-in tool used to troubleshoot DNS-related problems. We'll look
at two that aren't as well-known: DnsCmd and DnsLint, both from
Microsoft. You can find them in the support tools folder in Windows
Server 2003.

DNSCMD
DnsCmd is a command-line tool that can be used to perform literally
hundreds of DNS-related tasks. For example, you can modify DNS server
settings, get configuration information, clear server cache, display
or delete records, initiate server scavenging or export a zone file.
Type DnsCmd /? at the command prompt for the syntax.

Figure 1 (see http://tinyurl.com/y67k6o ) shows some of the
commands that you can run. For more information on a specific command,
use the following syntax:

DnsCmd <CommandName> /?

For example, dnscmd /config /? will give you additional options that
can be used with the /config switch.

Let's say you want to list all the zones that are configured on a DNS
server called DNS1. Use DnsCmd with the /enumzones switch to get the
following sample output:

C:\>dnscmd dns1 /enumzones
Enumerated zone list:
Zone count = 8
Zone name Type Storage Properties
. Cache AD-Legacy
_msdcs.example.com Primary AD-Forest Secure
10.5.5.in-addr.arpa Primary AD-Legacy Rev
25.168.192.in-addr.arpa Primary AD-Legacy Rev
example1.com Primary File
example2.com Primary File
example3.com Primary File
example4.com Primary AD-Domain
Command completed successfully.

Try various commands with different switches. You will be amazed at the
amount of information you can obtain from DnsCmd. Because DnsCmd works
from the command line, you can use it in a batch file and perform
configuration tasks remotely on multiple DNS servers.

DNSLINT
Another useful tool, DnsLint is used at the command prompt to generate
HTML reports. Use DnsLint /? at the command prompt for more information:

dnslint /d domain_name | /ad [LDAP_IP_address] |
   /ql input_file [/c [smtp,pop,imap]]
   [/no_open] [/r report_name] [/t]
   [/s DNS_IP_address] [/v] [/y]

The three required parameters in DnsLint are the following.

/d -- Used to diagnose DNS-related problems, such as lame delegation.

Note: Lame delegation occurs when a DNS subdomain is pointing to a DNS
server that either doesn't exist or is not authoritative for
that subdomain.

/ad -- Used to verify DNS records used for Active Directory replication.

/ql -- Used to verify DNS records on multiple servers.

There are some rules you have to follow when using DnsLint commands.

    * The /d, /ad and /ql switches cannot be used together.
    * The /c can't be paired up with /ad or /ql.
    * When using /ad, you must also specify /s.

Here are some examples of using DnsLint.

dnslint /d myserver.com
dnslint /v /y /d reskit.com
dnslint /v /y /r ms_report /d microsoft.com
dnslint /v /y /no_open /s 169.254.1.10 /d msn.com
dnslint /v /y /c /t /d reskit.com
dnslint /d reskit.com /c smtp,pop
dnslint /ad 169.254.10.22 /s 169.254.44.1 /v
dnslint /ad /s localhost /v
dnslint /ql mylist.txt /v
dnslint /ql autocreate

Let's try the following step-by-step procedure to create an HTML report
with DnsLint. You will need two pieces of information: FQDN of the
server and its IP address. I'll create a report for my domain called
seattlepro.com at IP address 192.168.1.200. You should substitute your
own domain and IP address in this exercise.

   1. Go to the command prompt and type the following:

      Dnslint /ql autocreate

      This creates a sample text file called in-dnslint.txt in the
      same directory where you typed the above command.

   2. Edit that file with Notepad:

      Notepad in-dnslint.txt

   3. Notice the seventh line from the bottom lists dns1.cp.msft.net.
      I will change that to reflect my DNS server
      (dns1.seattlepro.com). I will also replace microsoft.com in the
      last four lines with the name of my domain and the IP address
      with my IP address in two places. When done, my file looks
      like this:

      +This DNS server is called: dns1.seattlepro.com
      [dns~server] 192.168.1.200

      seattlepro.com,a,r ;A record
      192.168.1.200,ptr,r ;PTR record
      seattlepro.com,cname,r ;CNAME record
      seattlepro.com,mx,r ;MX record

   4. Save the file as dnsquery.txt in the same folder where you
      created the in-dnslint.txt file.

   5. To execute the query, type the following at the command prompt:

      dnslint /ql dnsquery.txt /v

   6. You should see an HTML report that's now displayed automatically
      in your default browser. The default name for the report is
      dnslint.htm and it's created in the same directory as the
      in-dnslint.txt and dnsquery.txt files.

For a sample of DnsLint report, see http://www.techgalaxy.net/mcpmag/ .
Notice that if there are any errors or warnings, they are all coded for
your convenience.

Explaining WPA2

Richard — Tue, 10 Oct 2006 15:29:00 GMT

I just read a good article from NetworkWorld which talk abut the new WPA2, so I attached here:

Wireless Security By Joshua Wright, Network World, 09/11/06

Can you explain the differences between WPA and WPA2 and provide some information on the different features and functionality?

In April 2003, the Wi-Fi Alliance introduced an interoperable security protocol known as WiFi Protected Access (WPA), based on draft 3 of the IEEE 802.11i amendment. WPA was designed to be a replacement for WEP networks without requiring hardware replacements, using a subset IEEE 802.11i amendment. Organizations who adopt WPA can take advantage of the following features:

* Strong cryptography support from the Temporal Key Integrity Protocol (TKIP), based on the RC4 cipher;

* WPA-Enterprise, a mechanism for network authentication using IEEE 802.1x and a supported EAP type, one of EAP/TLS, TTLS or PEAP;

* WPA-Personal, a mechanism for using TKIP without IEEE 802.1x authentication by using a shared passphrase, intended for consumer networks.

In July 2004, the IEEE approved the full IEEE 802.11i specification, which was quickly followed by a new interoperability testing certification from the WiFi Alliance known as WPA2. WPA2 is based on the Robust Security Network (RSN) mechanism, which provided support for all of the mechanisms available in WPA, as well as:

* Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks);

* Reduced overhead in key derivation during the wireless LAN authentication exchange;

* Support for opportunistic key caching to reduce the overhead in roaming between access points;

* Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming;

* Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol.

As of March 2006, the WPA2 certification became mandatory for all new equipment certified by the Wi-Fi Alliance, ensuring that any reasonably modern hardware will support both WPA and WPA2.

By leveraging the RC4 cipher (also used in the WEP protocol), the IEEE 802.11i task group was able to improve the security of legacy networks with TKIP while the IEEE 802.11i amendment was completed. It is important to note, however, that TKIP was designed as an interim solution for wireless security, with the goal of providing sufficient security for 5 years while organizations transitioned to the full IEEE 802.11i security mechanism. While there have not been any catastrophic weaknesses reported in the TKIP protocol, organizations should take this design requirement into consideration and plan to transition WPA networks to WPA2 to take advantage of the benefits provided by the RSN architecture.

Why Internet Explorer 7 cannot(IE7) visit some web sites which IE 6 can access with no problem.

Richard — Fri, 06 Oct 2006 15:27:00 GMT

Just read a article from MS guy and got a idea why I cannot use IE7 to visit some web sites while IE 6 got no problem on them:

A quick recap:

On Windows XP SP2, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
On Windows 2003 Server, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)
On Windows Vista, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Over the last eighteen months, most sites that had previously blocked the new version of Internet Explorer have been updated, and we're happy to report that the vast majority of Internet sites are now accessible using IE7.

There are a few remaining sites which fail to recognize IE7 because they are performing exact string matches to look for specific IE version strings. Those checks will need to be removed or updated to accommodate IE7. The Best Practice document linked from here can be help:
http://msdn.microsoft.com/workshop/author/dhtml/overview/aboutuseragent.asp
http://msdn.microsoft.com/workshop/author/dhtml/overview/browserdetection.asp

To enable you to workaround any remaining sites that block access to Internet Explorer 7, we developed the User Agent String Utility. The utility comes in the form of a small executable that opens an IE7 instance that sends the IE6 user agent string. It also provides a mechanism for you to report problem web sites to Microsoft so that we can follow up with the affected site owners. Please download the tool and give it a try.

Problem when downloading large file in Vista RC1

Richard — Tue, 26 Sep 2006 18:41:00 GMT

If you download a large file(over 1GB) by IE7 in Vista RC1. The downloaded file may disappear
from the destination folder after the download finished. The file will instead, be placed in
c:\users\username\appdata\local\microsoft\windows\temporaryinternetfiles
\virtualized\c\users\username\documents\

This problem maybe related to the security feature in IE7. To prevent this problem, you will
needed to run IE by using the "run as" method and use the Administrator account to start IE7.

In this case, large downloaded file will be placed in anywhere that you specificed.

Problem on Vista connect to Linux

Richard — Mon, 25 Sep 2006 18:22:00 GMT

From brianwu :

I am using Vista RC1. I found a problem when i connect to my linux server. It prompted me to insert account and pw. After I keyed in the account/pw. It said that my account/password was incorrect.

However, when I was using WinXP connecting to the linux, it worked (using the same acc and pw). I tried to disable the Vista firewall, it also failed..

If i connect from the Vista to the linux using ftp, it worked.

Anyone know the problem?
---------------------------------------------------------------------------------------

My Answer:

Hi Brian. MS don't think 3rd party SMB server is safe....so....It encrypt all password send to 3rd party SMB server(linux samba).

You can try to change the local policy to solve the problem:

Configure the "Microsoft network client: Send unencrypted password to third-party SMB server" option to be ENABLE

Configure "Network security: LAN Manager authentication level: Send LM & NTLMv2 session security if negotiated"

can help!

Better Synchronization in Offline File of Vista

Richard — Thu, 07 Sep 2006 06:26:00 GMT

Just read a introduction on the change of Offline file in Vista from Navjot Virk, program manager for Offline Files in Windows Vista. I feel it is great and would like to share with yours:

Better Synchronization
Offline Files in Windows Vista offer much improved synchronization. The improvements to synchronization are two-fold. First, Offline Files in Windows Vista uses a new faster algorithm to determine what files or directories are different between the client and the server. Second, Offline Files in Windows Vista uses “Bitmap Differential Transfer” when synchronizing changes from the client to the server. Bitmap Differential Transfer is essentially a mechanism to keep track of what blocks of file were modified when offline. When synchronizing changes from the client to the server, Offline Files in Windows Vista sends only those blocks of the file that were modified offline. In Windows XP, Offline Files always copies the entire file even if only a small part of the file was modified.

Bitmap Differential Transfer makes the synchronization in Windows Vista more efficient and enables Offline Files to cache large files like .pst and .mdb files. Because Offline Files in Windows XP could not synchronize large files efficiently, files like .pst and .mdb were by default not cached. Offline Files in Windows Vista can cache all file types and by default no file types are excluded.

Please note that the Bitmap Differential Transfer in only used when pushing changes from the client to the server. This optimization is not used when pulling changes from the server to the client. If a file is modified on the server when offline, Offline Files in Windows Vista will still copy the whole file down to the client during synchronization. The impact of this will be more pronounced for those users who modify the same files from multiple client computers.

Also, note that Bitmap Differential Transfer only works for pre-existing files that are modified in place. Bitmap Differential Transfer will not happen for files that are created while offline. Some applications, like Microsoft Word, do not modify the file in place. These applications create a new temporary file with the changes and later rename the temporary file to the original file. Bitmap Differential Transfer will not happen for such files.

All improvements to synchronization including Bitmap Differential Transfer will be available against any SMB server, for example, Windows 2000, Windows 2003, Windows R2, NetAPP server, etc.

Offline Files in Windows Vista also provides per-user synchronization. All synchronization operations only synchronize files that the currently logged on user has access to. Offline Files in Windows XP would always try to synchronize all files in the cache including files that where cached by other users. The logged on user would see synchronization failures for the files that he did not have access to. In Windows Vista, the user will only synchronize his files (files that he has access to) therefore he will never see errors for files that belong to some other users (files that he does not have access to).

Also, synchronization of Offline Files in Windows Vista can be scripted using WMI.

Windows Update Troubleshooting Tips

Richard — Thu, 07 Sep 2006 04:07:00 GMT

When you point your WinXP/W2K3 computer at the Microsoft Windows Update Web site
(same thing happens with a Windows Software Update Services, or WSUS, server).
You try to download and install updates, and get an error:

0x800704DD and 0x80240020.

MS Knowledge Base article 910341 http://support.microsoft.com/kb/910341
have lot of information can help, and it's a doozy involving the usual warnings about editing the
registry. Start by logging onto the computer as a local admin. Use
Runas.exe to run Internet Explorer as a local admin. Try Windows Update
again. If it works, then you need to fix the registry for non-admin users.
Open Regedit and find HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\
CurrentVersion\Winlogon\Notify\SensLogn. You need to verify several keys
and values:

Key                Type                  Value
Asynchronous       DWORD                 00000001
Disconnect         String                SensDisconnectEvent
DLLName            String                WlNotify.dll
Impersonate        DWORD                 00000001
Lock               String                SensLockEvent
Logoff             String                SensLogoffEvent
Logon              StringSensLogonEvent
MaxWait            DWORD                 00000258
PostShell          String                SensPostShellEvent
Reconnect          String                SensReconnectEvent
Safe               DWORD                 00000001
Shutdown           String                SensShutdownEvent
StartScreenSaver   String                SensStartScreenSaverEvent
StartShell         String                SensStartShellEvent
Startup            String                SensStartupEvent
StopScreenSaver    String                SensStopScreenSaverEvent
Unlock             String                SensUnlockEvent

This is the sort of that makes you totally lose faith in the registry
as a place to store configuration information -- how did this get
messed up on my machine? The workaround, by the way (should the above
not fix the problem) is to not use the Web site. Seriously. You're
supposed to just let Automatic Updates do the work, which is fine,
except that it won't download optional updates you may want. So,
let's hope the above registry changes fixes things for you.

Windows Server - Technology : Networking

Configuring When DHCP is on the Same Server

Configuring When DHCP is on the Same Server

To configure Windows Deployment Services to run on the same computer as Microsoft DHCP

To configure Windows Deployment Services to run on the same computer as non-Microsoft DHCP

Network and Sharing Center Operations Guide

Telnet Operations Guide

Telnet Operations Guide

Acknowledgments

Changing local admin password?

Changing local admin password?

HyperTerminal for Vista

Install/Upgrade UltraVNC v1.02 through Remote Desktop.

Logging User logon event.

Publish IIS 6 on ISA2004/2006 Server when they are on the same server.

Setting up Cluster on Virtual Server 2005 R2.

Disable Mapped Drive Reconnect Warning (Windows 95/98/Me)

Service overview and network port requirements for the Windows Server system

Service overview and network port requirements for the Windows Server systemhttp://support.microsoft.com/?kbid=832017

A List of the Windows 2000 Domain Controller Default Ports

SUMMARY

MORE INFORMATION

21/TCP (Transmission Control Protocol) -- FTP

25/TCP -- SMTP

80/TCP -- HTTP

88/UDP (User Datagram Protocol) -- Kerberos

119/TCP -- NNTP

135/TCP -- RPC

137/UDP -- NetBIOS Name Server

139/TCP -- NetBIOS Session Services

389/UDP -- LDAP

443/TCP -- HTTPS

445/TCP -- SMB

464/TCP -- Kerberos Password V5

500/TCP -- ISAKMP

563/TCP -- SNEWS

593/TCP -- RPC over HTTP

636/TCP -- LDAP over SSL

1025/TCP -- Listen

1067/TCP -- Installation Bootstrap Service

1068/TCP -- Installation Bootstrap Service

1645/UDP -- IAS: Internet Authentication Service

1646/UDP -- IAS: Internet Authentication Service

1701/UDP -- L2TP

1723/UDP -- PPTP

1812/UDP -- IAS Internet Authentication Service

1813/UDP -- IAS Internet Authentication Service

3268/TCP -- Microsoft Global Catalog

3269/TCP -- Microsoft Global Catalog with LDAP/SSL

3389/TCP -- RDP

October Networking MVP Update

Networking MVP Highlights

Windows Server - Networking

Tools to monitor DNS

Explaining WPA2

Why Internet Explorer 7 cannot(IE7) visit some web sites which IE 6 can access with no problem.

Problem when downloading large file in Vista RC1

Problem on Vista connect to Linux

Better Synchronization in Offline File of Vista

Windows Update Troubleshooting Tips

Service overview and network port requirements for the Windows Server system
http://support.microsoft.com/?kbid=832017