Server Rack Configuration

Proper server rack configuration is key for every business as it provides the technological backbone. There are many options for racks, rack components, and the way they are configured. In this blog post, I will discuss the various options and best practices.

Server rack options?  There are a few options to choose from, such as a 2 post rack, a 4 post rack and rack enclosures.  2 post server racks are ideal for light equipment (e.g. patch panels, switches and firewalls).  They may also be used for heavier equipment when optional accessories such as trays or conversion kits are added.  Keep in mind that most 2 post rack systems can only support up to 1000lbs.  2 post racks are also cheaper than 4 post rack systems.  4 post racks cost more money but can support more equipment.  The average 4 post rack system can support up to 3000lbs.  You have the option of getting a bare-bones server rack, which comes with no options and built-in cable management, or a 4 post rack enclosure, which generally comes with features such as secure access and built-in cable management.  2 post and 4 post racks also come in a variety of sizes, from 6U up to 55U.  The most common rack size used in small/medium sized businesses is 42U (6 ½ ft.) and 3.5 ft. deep (4 post).

What kind of rack should my business use? This all depends on several items: business size / amount of equipment; future expansion – you always want to plan for future growth; available real estate – server room size may not allow for certain racks; environment – do you have a secure server room? Do you need a rack enclosure with a lock because your business does not have a server room?  Remember, unauthorized access can cause damage to any business; money – yes, in the end it comes down to how much money you may have available.  So why all this need for server racks? Two simple reasons: organization and equipment security.

What is a U? A U is a rack unit: the size of rack-mounted equipment is described as a number of U. Most server racks have 1U markings along the posts to make mounting hardware easier and more efficient.

How should the server rack be installed?  You should always examine the environment where the server rack will be placed.  Find the cold/hot spots in the room and place the front of the rack facing the cold area to provide maximum cooling for your hardware. Ensure you also have enough space around the rack to conduct any service, and don’t forget about doors/access panels that swing open. All server racks should be secured in some way. 2 post rack systems should be bolted to the ground, with a top ladder support heading out to the rear wall.  4 post rack systems can also be bolted to the ground but also come with screw-out feet. Lastly, remember to ground your rack to an electrical panel or busbar.  This task should be handled by an electrician.

How should I install my rack mounted hardware?  This task can sometimes be confusing as there can be many devices to mount. The easiest solution is planning!  Inventory your equipment and determine the space needed.  I also recommend using Visio’s rack diagram, as you can get a virtual view of your rack. Before you begin mounting big devices such as servers, you’ll want to mount any cable management options and power distribution units. When the time comes to mount the main devices, I follow one rule: heaviest items on the bottom.  No one wants to pick up a 50lb UPS and mount it at the top or even the middle. Example of mounted devices from the bottom up: UPS, servers, video/input, switches, patch panels.

What management options can I get with a server rack?  Some basic options include server rails, which allow you to pull out servers without having to completely remove them. Server rack trays/shelves can also be used for devices that are not rack-mount compatible, such as server towers. A must-have in all server racks is cable management ducts. These can be installed on the side of racks or in between switches and patch panels. They provide a clean look and make management easier. 2 post server racks can also be fitted with 2 post rack adapters that allow full rack mount spec or 4 post systems to be mounted.

That’s all I have for now, hope this has helped those reading.

Troubleshooting/Debugging BSOD errors

What happens when you get a Blue Screen of Death (BSOD)?  I’m sure almost everyone just says something like “____ Microsoft!”  Unfortunately, most of the time, you would just be using Microsoft as a scapegoat.  Why?  According to Microsoft and other gurus, about 70-80% of crashes are caused by 3rd party drivers.  Yep, all those great toys you have hooked up to your computer and the software that controls them are most likely responsible.

I have probably just blown your mind, or you are probably full of skepticism.  Hopefully these debugging techniques can make you a believer….

Step 1:  Disable auto-reboot on a crash

Step 2:  Create a memory dump rather than a mini crash dump.  This will allow you to get more information from the dumps.

Step 3:  Install Windows Debugger tools

Step 4:  Set environment variable to automatically download symbols from the Microsoft symbol servers (WinDBG->Source Symbol Path->”srv*C:\symbols*http://msdl.microsoft.com/download/symbols”)

Step 5:  Open the crash dump file located in C:\Windows or C:\Windows\minidump

Step 6:  Run “!analyze -v” to get the list of drivers in the stack text.  If the driver points to one of the Windows core system files (ntoskrnl.exe, win32k.sys, etc), then you probably have to dig a little deeper.

Step7: Additional helpful debug commands to run to find the culprit

kv – Looks at stack of current thread.  This is used for misdiagnosed analysis.  Look for suspicious drivers

lm kv – Shows version information (dates, etc) of currently loaded drivers to find updates for.

!vm – Check pool usage (if close to maximum, then it’s a leaky driver)

!thread – looks at currently running threads

!process 0 0 – summary level display of processes during crash

!irp <irp from IRP List from !thread> – Associates drivers thread (it’s a hint to investigate)

!poolused (needs to be enabled on XP and earlier) – Use with Strings

!deadlock

Debugging mode (F8) – Use when no crash dump is created; the crashed system needs to be connected using USB (modify boot.ini) or serial from another system running WinDbg

Windbg – File->Kernel Debug

Debug -> Break to connect to crashed system

.dump (saves dump information)

Hung system troubleshooting (computer freeze)

– Use crash on Ctrl+Scroll Lock+Scroll Lock (registry setting)

– Check other processors on multiprocessor systems

lm kv m <driver name from stack>

A useful print server configuration tool

Have you ever wanted to make a backup of all your printers, their shares, the permissions for them, and the drivers on your print server?  Well, Microsoft has a very useful tool that does this.  Furthermore, it also does restores!  I couldn’t believe my eyes either!  It’s great for when you need to set up redundant print server configurations or when you are migrating print servers!

Here it is:

http://www.microsoft.com/WindowsServer2003/techinfo/overview/printmigrator3.1.mspx

Malware, Spyware, Scareware – How to detect and prevent infection…

What is malware and how do I get it?

Generally speaking, malware is malicious software designed to infiltrate a computer system without the owner knowingly allowing it to.  Its intent is to perform devious acts on or using your computer.  Scareware, in particular, is a program that generates misleading alerts and false detections in order to convince users to purchase illegitimate security software.

Additional Malware Info

What are the symptoms?

Pop-ups, website redirection, network configuration changes, unresponsive computer, etc…

Information regarding Antivirus2009 Malware

Information regarding Internet Security 2010

How did I get it?

The source is usually email, websites, pirated software downloads, P2P applications, fake video codecs, software exploits (e.g. Acrobat), etc… The typical scenario is a pop-up that asks you to download and install something.  Once the download and install happens, the malware will take over the computer.

How do I protect myself?

  1. We still live in a world where humans can usually make the best decisions.  This means user training is one of the best methods to prevent infections.  Below is a list of things to train users on that doesn’t require a lot of time.
    • Users should be a little paranoid and skeptical when it comes to reading the emails they receive, especially emails requesting actions to be taken. If it sounds important, take the time to read and verify it carefully!
    • Users should make sure they have an SSL connection when making transactions online or logging into banking sites.
    • Exercise caution with e-mail and files received from unknown sources, or received unexpectedly from known sources.  If the email is from someone they know, make sure it has relevant content specific to that person (ie. writing style, context of message, etc.)
    • Users should know that sometimes a pop-up can be made to look like a Windows error message. Recognizing legitimate software interfaces can help (Antivirus software, Windows Security Center, Windows Defender, Anti-malware software)
    • Don’t download random software from the Internet until you know it has a valid homepage and user base (look for software reviews for it). Once that’s verified, make sure you download directly from the vendor’s website.
    • Users should understand how a website can be spoofed to go to the wrong website using the HOSTS files.
    • Users should understand that a text link can have a different URL embedded.
    • Don’t install software unless you were intentionally trying to.
  2. Keep Windows and your browser software up-to-date by downloading and applying security updates.
  3. Use an active and updated antivirus and anti-malware application that detects harmful websites, files, and emails. There are many applications out there that are free. Some highly recommended ones are Webroot, Spybot Search and Destroy, MalwareBytes, SuperAntispyware, PC Tools Spyware Doctor.

Removal Tips:

  1. Boot into SAFE MODE. It will give you a more effective platform to work with.
  2. The key is to get the system to allow you to install anti-malware software with the latest updates to slowly remove the programs.
  3. Fixing infections and rebooting often will get you further along in the removal process.
  4. There is no perfect anti-malware software, therefore, you should run scans using multiple anti-malware software to make sure all malware is removed.
  5. Can’t run/install software due to access permissions – This is usually because of the software restriction in your local security policy, or because your registry has malicious group policies regarding software restrictions configured.
  6. Can’t browse websites or weird website redirections – Check the Internet Explorer proxy settings. 95% of the time, it shouldn’t be using a proxy. Also, make sure your HOSTS file doesn’t have malicious entries in it.
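
One way to check a HOSTS file for the malicious entries mentioned in the last tip (an added example, not part of the original post). The watch list of domains and the sample file contents are assumptions constructed for illustration; on a live system you would read C:\Windows\System32\drivers\etc\hosts instead.

```python
import ipaddress

# Assumed watch list (not from the original post): domains whose update or
# support sites malware commonly blocks or redirects. Extend for your site.
WATCHED = ("microsoft.com", "windowsupdate.com", "symantec.com", "mcafee.com")

# Constructed sample HOSTS content (documentation addresses, made-up names).
SAMPLE_HOSTS = """\
# Copyright (c) 1993-2009 Microsoft Corp.
127.0.0.1       localhost
::1             localhost
0.0.0.0         ads.tracker.example      # ad-block style entry
203.0.113.10    www.mybank.example
127.0.0.1       liveupdate.symantec.com www.mcafee.com
198.51.100.7    download.windowsupdate.com
not-an-ip       www.example.org
"""


def audit_hosts(text, watched=WATCHED):
    """Return (line_no, severity, address, hostname, reason) for suspect entries."""
    findings = []
    for line_no, raw in enumerate(text.splitlines(), start=1):
        line = raw.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        fields = line.split()
        try:
            ip = ipaddress.ip_address(fields[0])
        except ValueError:
            findings.append((line_no, "review", fields[0], "", "unparseable address"))
            continue
        local = ip.is_loopback or ip.is_unspecified
        for name in fields[1:]:
            host = name.lower().rstrip(".")
            if host == "localhost" and ip.is_loopback:
                continue                      # the stock Windows entries
            is_watched = any(host == d or host.endswith("." + d) for d in watched)
            if not local:
                # Any name pinned to a routable address overrides DNS.
                sev = "high" if is_watched else "review"
                findings.append((line_no, sev, str(ip), host,
                                 "pinned to non-local address"))
            elif is_watched:
                # Pointing a security/update site at loopback cuts off updates.
                findings.append((line_no, "high", str(ip), host,
                                 "security site blackholed"))
            # Other loopback entries are typical ad-blocking and are not reported.
    return findings


if __name__ == "__main__":
    for finding in audit_hosts(SAMPLE_HOSTS):
        print(finding)
```

Entries marked "review" are not necessarily malicious; they are names that bypass DNS and deserve a second look.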

Windows Server 2008 SSL VPN (SSTP)

Nowadays, every business is mobile, which means a VPN connection is most likely needed.  The problem is when clients travel to hotels or other countries, where firewall compatibility and configuration can cause connectivity issues.  Fortunately, there is an answer for this: SSL VPNs.  Since an SSL VPN connection is secure and allowed on almost all firewalls, remote users will have a much more reliable connection mechanism, no matter where they are.  To top it off, SSL VPN (SSTP) is a feature natively bundled with Windows Server 2008.  How cool is that?

How do SSL VPNs help?

  • A NAT device doesn’t need to support PPTP in order for it to work.
  • Specific ports aren’t required to be open on the firewall (think hotels and other countries).
  • Connectivity can be made through web proxy servers.
  • The small footprint VPN client is easily accessible.

Clients supported: Vista SP1+, Windows 7, Windows Server 2008

What are the high level steps involved in setting up Windows Server 2008 SSL VPN connections (SSTP)?

  • Obtain a certificate to be used for your connections (just as if you are installing an SSL certificate for your website)
  • Install IIS on the VPN server
  • Request a certificate for the VPN server using the IIS Certificate Request Wizard
  • Install the SSL certificate
  • Install the RRAS server role on the VPN server
  • Enable the RRAS Server and configure it to be a VPN server
  • Configure the User Account to allow dial-up connections
  • Update DNS (ie. vpn.company.com)
  • Configure the Client to use SSTP and Connect to the VPN Server using SSTP

How-To configure Windows 2008 for SSTP VPN
1.  Install IIS on VPN server with all security settings marked for installation
2.  Create a Certificate Request in IIS console
a.  Make sure common name is actual Internet Hostname clients will connect to (e.g. vpn.company.com)
3.  Cut and Paste the certificate request into your SSL provider’s website
4.  Install any Intermediary certificates and your SSL certificate per your SSL provider’s instructions (DO NOT bind the certificate to a website in IIS)
5.  Install Routing and Remote Access
6.  Load the Routing and Remote Access MMC and run the wizard to enable it (Select Custom -> VPN if you are using only 1 NIC)
8.  Enable Dial-In access for the remote user’s AD account
9.  Enable SSL connection (port 443) from the outside
10. Update DNS for the domain with the common name of the certificate
11. Test the SSL VPN connection by choosing SSTP in the vpn network connection properties

If the connection doesn’t work, make sure the proper certificate is bound by following these steps:
1.  Make sure the right certificate hash is bound (netsh http show  ssl)
a. If necessary, delete and re-add the correct certificate binding…
1. Remove binding from IPv4 (netsh http delete ssl 0.0.0.0:443)
2. Remove binding from IPv6 (netsh http delete ssl [::]:443)
3. Delete registry entry for the hash (reg delete hklm\system\currentcontrolset\services\sstpsvc\parameters /v sha256certificatehash /f)
4. Add binding from IPv4 (netsh http add sslcert ipport=0.0.0.0:443 certhash=<replace with your cert hash> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY)
5. Add binding from IPv6 (netsh http add sslcert ipport=[::]:443 certhash=<replace with your cert hash> appid={ba195980-cd49-458b-9e23-c84ee0adcd75} certstorename=MY)
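
A small checker for step 1 above, as an added example that is not part of the original post: it parses saved "netsh http show sslcert" output and reports which of the two port 443 listeners is missing or bound to the wrong certificate. The sample output and both hashes are constructed, and the field labels assume an English-language Windows install.

```python
import re

# Application ID used in the netsh commands above for the SSTP binding.
SSTP_APPID = "{ba195980-cd49-458b-9e23-c84ee0adcd75}"
LISTENERS = ("0.0.0.0:443", "[::]:443")

# Constructed sample of "netsh http show sslcert" output; hashes are made up.
SAMPLE_OUTPUT = """\
SSL Certificate bindings:
-------------------------

    IP:port                 : 0.0.0.0:443
    Certificate Hash        : 3f9a1c0b7d2e4a5568c1d0e9f8a7b6c5d4e3f201
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY

    IP:port                 : [::]:443
    Certificate Hash        : 00112233445566778899aabbccddeeff00112233
    Application ID          : {ba195980-cd49-458b-9e23-c84ee0adcd75}
    Certificate Store Name  : MY
"""


def normalize_thumbprint(value):
    """Keep hex digits only: drops the spaces and invisible characters that
    come along when a thumbprint is copied out of the certificate dialog."""
    return re.sub(r"[^0-9a-f]", "", value.lower())


def parse_bindings(text):
    """Map each 'IP:port' listener to its {field: value} dictionary."""
    bindings, current = {}, None
    for line in text.splitlines():
        m = re.match(r"\s*(.+?)\s+:\s+(.*\S)\s*$", line)
        if not m:
            continue                      # headers, rulers, blank lines
        key, value = m.group(1).lower(), m.group(2)
        if key == "ip:port":
            current = bindings.setdefault(value, {})
        elif current is not None:
            current[key] = value
    return bindings


def check_sstp_bindings(text, expected_thumbprint):
    """Return a list of (listener, problem) tuples; empty means both are fine."""
    want = normalize_thumbprint(expected_thumbprint)
    bindings = parse_bindings(text)
    problems = []
    for listener in LISTENERS:
        b = bindings.get(listener)
        if b is None:
            problems.append((listener, "no binding"))
            continue
        if normalize_thumbprint(b.get("certificate hash", "")) != want:
            problems.append((listener, "certificate hash mismatch"))
        if b.get("application id", "").lower() != SSTP_APPID:
            problems.append((listener, "unexpected application id"))
        if b.get("certificate store name", "").upper() != "MY":
            problems.append((listener, "unexpected certificate store"))
    return problems


if __name__ == "__main__":
    # Thumbprint as it would be pasted from the certificate's Details tab.
    pasted = "3F 9A 1C 0B 7D 2E 4A 55 68 C1 D0 E9 F8 A7 B6 C5 D4 E3 F2 01"
    print(check_sstp_bindings(SAMPLE_OUTPUT, pasted))
```

The hash netsh prints is the certificate's SHA-1 thumbprint, while the registry value deleted in step 3 stores a SHA-256 hash, so the two cannot be compared directly.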

Helpful links to configuring SSTP VPN:

  • A step-by-step guide to setting up your own SSTP server is to be found here.
  • Troubleshooting help can be found here, here, and here.

The case of Windows 7 not wanting to install on your hard drive partition

As an IT Consultant, I often find myself mucking with the latest and greatest things before I would even consider recommending them to clients.  The down side to this is the time spent during a Saturday afternoon trying to install Windows 7 Professional 64-bit on my home desktop.  I was so impressed with the RC1 version, that I wanted to deploy it to my single desktop (can’t be worse than Vista… heheh)

Apparently, Windows 7 is very picky about the hardware/hard drive/partition/MBR it’s installed on.  When I ran the installation, my hard drive and the system partition would be displayed, but I could not get it to actually start the installation.

I tried the following, but to no avail:

  • Installed latest drivers
  • Deleted partition
  • Reformatted newly created partition
  • Removed external hard drive and USB key so the only thing left was a single 200GB HD and an IDE cdrom.
  • Using diskpart to set the new partition as an ACTIVE partition

Looking at the setup logs (Shift-F10 -> notepad windows\panther\setupact.log), I saw a bunch of “not system disk”, “not primary partition”, “not enough space”, “not good enough” errors…

Finally, I tried to think outside of the box.  I decided to repair my MBR and boot record the old-fashioned way.  I booted off a Windows XP SP2 CD and ran the recovery console.  Once in, I ran “fixmbr” and “fixboot”.  I then rebooted into Windows 7 setup and was able to click Next to continue with the Windows 7 Professional installation.

Hopefully, this technique will work for most of you.  If it still doesn’t work for you, try making sure there are no USB keys or any other storage devices connected when you install.

Conficker (aka Downadup) – FAQ

What kind of damage can this virus do?

  • Create administrative accounts on your PC
  • Prevent you from downloading security and antivirus updates
  • Use your computer as part of a Denial of Service (D.O.S.) attack.
  • Could steal personal information
  • Populate your computer with malware pop-ups
  • Erase data on your computer

What computers are affected?

  • Unpatched Microsoft Windows operating systems (Microsoft Windows 2000, Windows XP, Vista, Windows Server 2003, and Windows Server 2008 systems)

What are some of the symptoms of being infected by the Conficker worm?

  • Windows Security Center will not work.  You can verify this by Start -> Control Panel -> Security Center
  • Account lockout policies are being tripped.
  • Automatic Updates, Background Intelligent Transfer Service (BITS), Windows Defender, and Error Reporting Services are disabled.
  • Domain controllers respond slowly to client requests.
  • The network is congested.
  • Various security-related Web sites cannot be accessed (Symantec, McAfee).
  • Commercial antivirus software is disabled
  • Microsoft’s security update service is turned off

How do I prevent infections?

  1. Patch your Windows operating system with the following patches:  MS08-067
  2. Install the latest security updates from Microsoft
  3. Make sure you are running up-to-date antivirus software and definitions from a trusted vendor (Mcafee, Symantec, Eset, Microsoft, etc…)
  4. Disable the AutoPlay feature through the registry or using Group Policies
  5. Exercise caution in what websites you visit
  6. Don’t open file attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment.

How does the software spread?

  • Exploitation of the vulnerability that is patched by security updates MS08-067, MS08-068 and MS09-001
  • The use of network shares
  • The use of the AutoPlay functionality

How do I remove the worm from an infected computer?

  1. Disconnect the infected  computer from the network and the Internet.
  2. Install the patches below.  Use an uninfected computer to download the patches if necessary:  MS08-067, MS08-068 and MS09-001
  3. Reset the passwords of your admin accounts, using more sophisticated ones.
  4. Download and run the Conficker remover
  5. Reconnect your computer to the network
  6. Update your antivirus application and definitions
  7. Install Microsoft updates

How do I protect my computer from similar threats?

  1. Enable Automatic Updates for your Windows computer
  2. Set your antivirus and definition update schedules to be more frequent (1 or 2 times a day)
  3. Exercise caution in what websites you visit
  4. Use caution when you see pop-ups on your screen (e.g. false virus notifications)
  5. Don’t open file attachments unless you have verified that you know the person who sent them and that they really meant to send the attachment.

Slipstreaming RAID and SATA controller drivers to your Windows XP, 2003 installation media

It still amazes me how many critical IT related tasks still require a floppy disk.  I came upon one of these situations when trying to install Windows 2003 Server R2 on an extra Dell Workstation I had.  Of course, it wanted the drivers on A:, which didn’t exist.  Of course, you could always install a disk drive… Below are instructions how to address this issue without using a disk drive.  The term is slipstreaming because it injects the files just as if it was part of the original installation media.

  1. Download nLite (http://www.nliteos.com/).  You could also download the Vista version called vLite (http://www.vlite.net).
  2. Install the application
  3. Select your original Windows XP, 2003 installation media location.
  4. Select a target location to copy the installation files
  5. Select the tasks you would like to perform (ie. install drivers, install service packs, remove components, etc…)
  6. Choose to create an ISO image from your previous selections or Direct Burn to create a new CD image.
  7. Install the OS using your CD, but this time, you don’t have to press F6 to try to load drivers.

Troubleshooting Backup issues

Backing up files can be troublesome. Speeds can reach disastrous new lows, and files tend to get corrupted along the way. It might just seem like more trouble than it’s worth, but in our experience, it makes the difference of hours and days. However, with the correct tools and information, it is possible to narrow down the problem, and even solve it. Below is a troubleshooting guide for common reasons why your server backup process may be causing errors.

  1. Here is a summary of what we will be examining in order to better understand a potential problem:
    • Document any noticeable problems
    • When did you notice the change or error(s)?
    • Have there been any changes to the main backup server, media servers, or backup clients?
    • What, if anything, have you done already to troubleshoot this problem?
    • Do you have any site documentation?
    • What are your expectations once the problem has been rectified?

  2. Hardware Related Slow-down
    • The speed of the disk controller and hardware errors caused by the disk drive, tape drive, disk controller, SCSI bus, or even improper cabling/termination can slow performance.
    • Tape drives are incompatible with SCSI RAID controllers.
    • Fragmented disks (where data is written to different physical locations of a disk) take much longer to back up. Fragmentation will affect not only the rate at which data is written, but also your overall system performance. The solution is simply to defragment the disk.
    • The amount of available memory greatly impacts backup speed. A lack of free hard disk space is a commonly overlooked issue. This is generally due to improper file paging settings.

  3. File Types and Compression
    • The average file can potentially compress at a 2:1 ratio if hardware compression is used. Backup speed could potentially double if average compression is used prior.
    • The total number of files on a disk, and the relative size of each file, is important in calculating backup speed. The fewer large files, the faster the backup.
    • Block size has an important role in compression, and thus affects backup speed. The bigger the block size, the more capable the drive is to achieve better throughput and increased capacity. It is not recommended to increase the block size above the default.

  4. Remote-Disk Backup
    • The backup speed for a remote disk is limited by the speed of the physical connection. The rate at which a remote server’s hard disks are able to be backed up depends on the make/model of network cards, the mode/frame type configuration for the adapter, the connectivity equipment (hubs, switches, routers, and so on), and the Windows NT 4 or Windows 2000 settings.
    • A commonly overlooked reason for slowdown on network backups can be the configuration of the network itself. Certain features such as “Full-Duplex” and “Auto-Detect” may not be fully supported in every environment. Setting the speed to 100Mb and duplex to half/full on the server side, and 100Mb on the switch port, is the common practice. Depending on the resulting speeds, half or full duplex will be the better solution.

  5. Methods to potentially improve tape backup performance
    • Make sure the tape drive is properly defined for the host system. It is common for a SCSI host to disable the adaptive cache on the drive if it is not recognized. The cache enables features like drive streaming to operate at peak performance.
    • Put the tape drive on a non-RAID controller by itself.
    • Make sure all settings in the controller’s POST BIOS Setup Utility are correct.
    • Make sure the proper driver updates have been applied for the SCSI controllers.
    • Confirm proper cabling/termination for the devices being used.
    • Update the firmware on the tape drive to the latest level. In some cases, the firmware may actually require downgrading to improve performance.
    • Check the tape drive and tape media statistics to see if errors occur when backups run.
    • Check the Windows NT or Windows 2000 Application Event Logs for warnings/errors.

Grant Full mailbox access to Domain Admins and Enterprise Admins in Exchange 2003

One would assume that administrators (Domain Admins and Enterprise Admins) would be allowed to fully control user mailboxes. Unfortunately, this presumption is shown to be incorrect when admins try to add additional mailboxes to their Outlook client. Of course, you can always manually set permissions on a per mailbox basis, but that defeats the purpose of global mailbox management. The cause is due to Microsoft deciding to globally set Deny permissions to Full Mailbox Access (Send As / Receive As) and hide the security tab in which one could edit these permission settings in Exchange System Manager. Fortunately, there is a simple registry fix for this problem.

  1. Run regedit
    1. Click Start, point to Run, and then type regedit.
  2. Add registry key ShowSecurityPage
    1. Go to HKEY_Current_User\Software\Exchange\ExAdmin
    2. Once you reach the above section of the registry, you need to create a DWORD called ShowSecurityPage.
    3. A value of 1 (numeric one) means on (show security tab), whilst 0 (zero) means off.
    4. Close the registry editor.
    5. Close the Exchange System Manager, then reopen it (no need for a reboot).
    6. Right click on YourOrganization (Exchange), then click Properties.
    7. Click the Security tab, then highlight the Domain Admins group.
    8. Scroll down the permissions list and uncheck Deny for Send As and Receive As.
    9. Repeat the above step for the Enterprise Admins group.