
Thursday, October 9, 2014

Source IP Address Preference with Multiple IPs on a NIC

Deploying SCOM agents on servers in the DMZ isn't that difficult. What is so hard about it? All that is needed is to raise a change request for the firewall team to open TCP 5723 between the SCOM management server and the server to be monitored. Well, you are right, until the server has a single NIC with several IP addresses assigned to it. That is where the challenge comes in.

A behavior that changed with the introduction of Server 2008 is that, on a NIC with multiple addresses, the source IP address used for outbound traffic will always be the lowest numerical IP. The old assumption that the primary IP, the first one you put on the NIC, is the one the server will communicate from is no longer valid.

For example, let’s say we build a new web server and configure the NIC with IP 10.0.0.100. This IP is registered in DNS and the server uses this IP as the source when communicating with other servers. Our fantastic network administrator has also created a NAT rule on the firewall to map this IP to a particular public IP for outbound SMTP so that our PTR lookups match up.

But now we want to add another IP for a new website, and the network admin hands you a free IP which happens to be 10.0.0.50. You add this as an additional IP on the NIC and voila – you have a couple of issues:

1) You just registered two names for the same server in DNS if dynamic registration is enabled.
2) Your server is now sending all outbound traffic from 10.0.0.50! (because 50 is lower than 100)

One of these is easily solved – just turn off dynamic registration and manually create the DNS records for the server. The other one is a little trickier because Server 2008 and 2008 R2 will still be sending traffic as the 10.0.0.50 IP.

Fortunately, there is a way to tell Windows not to use the lower numbered IP as a source address by adding the IP via the netsh.exe command. For Server 2008 SP2 and 2008 R2 RTM we need to apply a hotfix first. 2008 R2 SP1 included this fix by default so it is no longer required. Without the hotfix or SP1 you’ll find netsh.exe does not display or recognize the special flag.

Hotfix Downloads:
2008 SP2: http://support.microsoft.com/kb/975808
2008 R2 RTM: http://support.microsoft.com/kb/2386184/

The key to this is the IP address must be added via netsh.exe with a particular flag. So if you’ve already added the IP address via the GUI you’ll need to remove it first. After that, use this command to add the secondary IP:

netsh int ipv4 add address "Local Area Connection" 1.2.3.4/24 SkipAsSource=true

The SkipAsSource flag does two things – first, it instructs Windows not to use this IP as a source IP for outgoing traffic. And secondly, it prevents the registration of this IP in DNS if dynamic registration is enabled. Two birds with one stone!

You can always view the status of the IPs and their SkipAsSource status with the following command:

netsh int ipv4 show ipaddresses level=verbose
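The following PowerShell script is an added example, not code from the original post. It parses the output of the verbose netsh command above and applies the rule described in this post: among the addresses on the NIC that do not carry Skip as Source, the lowest numeric IP becomes the outbound source. It assumes the "Address X Parameters" / "Skip as Source : ..." block layout that netsh prints, and the sample lines at the bottom are constructed.

```powershell
# Added example: report which IP Server 2008 will use as the outbound source and
# warn when it is not the intended primary. Assumes netsh prints one
# "Address <ip> Parameters" block per address with a "Skip as Source : <bool>" line.

function ConvertTo-IPv4Number {
    param([string]$Address)
    $bytes = [System.Net.IPAddress]::Parse($Address).GetAddressBytes()
    [Array]::Reverse($bytes)   # network order -> little-endian for ToUInt32
    return [BitConverter]::ToUInt32($bytes, 0)
}

function Get-NetshAddresses {
    param([string[]]$NetshLines = (& netsh.exe int ipv4 show ipaddresses level=verbose))
    $entries = @()
    $current = $null
    foreach ($line in $NetshLines) {
        if ($line -match '^\s*Address\s+(\d+\.\d+\.\d+\.\d+)\s+Parameters') {
            $current = New-Object PSObject -Property @{ Address = $matches[1]; SkipAsSource = $false }
            $entries += $current
        } elseif ($current -and $line -match '^\s*Skip as Source\s*:\s*(true|false)') {
            $current.SkipAsSource = ($matches[1] -eq 'true')
        }
    }
    return $entries
}

function Get-EffectiveSourceAddress {
    param([string[]]$NetshLines, [string]$IntendedPrimary)
    # Loopback never competes for the source slot; flagged addresses are skipped
    $eligible = Get-NetshAddresses $NetshLines |
        Where-Object { -not $_.SkipAsSource -and $_.Address -notlike '127.*' } |
        Sort-Object { ConvertTo-IPv4Number $_.Address }
    if (-not $eligible) { return $null }
    $chosen = @($eligible)[0].Address
    if ($chosen -ne $IntendedPrimary) {
        Write-Warning "Outbound traffic will use $chosen, not $IntendedPrimary. Remove the lower address and re-add it with SkipAsSource=true."
    }
    return $chosen
}

# Constructed sample output: 10.0.0.50 was added from the GUI, so it lacks the flag
$sample = @(
    'Address 10.0.0.100 Parameters', 'Skip as Source     : false',
    'Address 10.0.0.50 Parameters',  'Skip as Source     : false'
)
Get-EffectiveSourceAddress -NetshLines $sample -IntendedPrimary '10.0.0.100'
```

Run Get-EffectiveSourceAddress without the -NetshLines argument on the server itself to check the live configuration after applying the fix.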

Once you have done the above, you can now put in the correct IP address to be allowed for communications through the firewall in your change request.
:)

Tuesday, August 5, 2014

How to enable the Disk Cleanup tool on Windows Server 2008 R2

For some odd reason Microsoft decided to leave this feature disabled by default, and place it within an optional feature set called "Desktop Experience".

If your hard drive is getting full and you wish to do a disk cleanup, there are two ways to enable the Disk Cleanup tool. We recommend using option #2 below for several reasons:

- Installing the Desktop Experience feature will not only install Disk Cleanup, but a lot of other utilities you likely don't need on a server (sound recorder, desktop themes, etc).

- Installing the Desktop Experience feature will require a server reboot.


How to enable the Disk Cleanup tool:

1) Go to Programs & Features, and in the Features section, enable/install "Desktop Experience". The downside to this is that you will need to reboot your server after installing this and it installs other components you do not need on a server.


2) [RECOMMENDED] - All you really need to do is copy some files that are already located on your server into specific system folders, as described at http://technet.microsoft.com/en-us/library/ff630161(WS.10).aspx


The location of the files you need to copy depends on your version of Windows:


Once you have located the files move them to the following locations:

Copy Cleanmgr.exe to %systemroot%\System32
Copy Cleanmgr.exe.mui to %systemroot%\System32\en-US.

You can now launch the Disk cleanup tool by running Cleanmgr.exe from the command prompt.

Monday, July 16, 2012

Windows Server 2008 stops responding and hangs at the "Applying User Settings" stage of the logon process

An issue was flagged to me last week that a Hyper-V guest running Windows 2008 SP2 was starting up extremely slowly (Applying Computer Settings, Applying Security Policies, etc.) and it could take hours for the server to reach the logon screen.

Even though I could log on to the server, it was found that multiple services, including the ones below, were not started. Weird!!

Print Spooler
Terminal Services
Server service
Remote Registry
Windows Management Instrumentation (WMI)
Distributed Transaction Coordinator
Any services that are related to applications

After several rounds of troubleshooting, which included

- Booting to Safe Mode (booting to Safe Mode flies)
- Re-installing the Hyper-V Integration Disk
- Tweaking physical NIC settings

I finally came across a Microsoft article (http://support.microsoft.com/kb/2004121) that more or less describes what I was facing.

This issue occurs because of a deadlock in the Service Control Manager database.

The Service Control Manager tries to start the HTTP.sys service and then puts a lock in place in the Service Control Manager database. Then, HTTP.sys makes a call that requires Cryptographic Services during startup. Then, a request is sent to start Cryptographic Services. However, a lock is already in place in the Service Control Manager database. Therefore, a deadlock occurs.

To verify that this is the case, run "sc querylock" from a command prompt.
Output like the following indicates that the Service Control Manager (SCM) database is locked:

QueryServiceLockstatus - Success
IsLocked : True
LockOwner : .\NT Service Control Manager
LockDuration : 1090 (seconds since acquired)


To Resolve the issue

You can modify the behavior of HTTP.SYS to depend on another service being started first. To do this, perform the following steps:

1) Open Registry Editor.
2) Navigate to HKLM\SYSTEM\CurrentControlSet\Services\HTTP and create a new Multi-String Value named DependOnService.
3) Double-click the new DependOnService entry.
4) Type CRYPTSVC in the Value data field and click OK.
5) Reboot the server.
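The following PowerShell script is an added example, not code from the original post or the KB article. It automates the check and the fix above: Test-ScmLocked parses "sc querylock" output for the IsLocked line, and Add-HttpServiceDependency writes CRYPTSVC into the HTTP service's DependOnService value. It goes slightly beyond the steps above by preserving any dependencies already listed in that value instead of overwriting them. The sample "sc querylock" lines are constructed from the output shown in the post.

```powershell
# Added example: detect the SCM lock and add the CRYPTSVC dependency to HTTP.sys.
# Run as administrator; the change takes effect after a reboot.

function Test-ScmLocked {
    param([string[]]$QueryLockOutput = (& sc.exe querylock))
    foreach ($line in $QueryLockOutput) {
        if ($line -match '^\s*IsLocked\s*:\s*(\w+)') {
            return ($matches[1] -eq 'True')
        }
    }
    return $false
}

function Add-HttpServiceDependency {
    param(
        [string]$Dependency = 'CRYPTSVC',
        [string]$ServiceKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\HTTP'
    )
    # Keep whatever is already in DependOnService; the value may not exist yet
    $existing = @()
    $prop = Get-ItemProperty -Path $ServiceKey -Name DependOnService -ErrorAction SilentlyContinue
    if ($prop) { $existing = @($prop.DependOnService) }
    if ($existing -contains $Dependency) {
        Write-Host "$Dependency is already listed in DependOnService; nothing to do."
        return $existing
    }
    $updated = $existing + $Dependency
    # REG_MULTI_SZ so the Service Control Manager reads it as a list of service names
    Set-ItemProperty -Path $ServiceKey -Name DependOnService -Value $updated -Type MultiString
    Write-Host "DependOnService is now: $($updated -join ', '). Reboot for it to take effect."
    return $updated
}

# Constructed sample of "sc querylock" output, matching what the post shows
$sample = @(
    'QueryServiceLockstatus - Success',
    'IsLocked : True',
    'LockOwner : .\NT Service Control Manager',
    'LockDuration : 1090 (seconds since acquired)'
)
if (Test-ScmLocked $sample) { Write-Host 'SCM database reported as locked' }

# On the affected server, run the live check and apply the fix:
# if (Test-ScmLocked) { Add-HttpServiceDependency }
```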