Tag! You're It!

Home Directories in Active Directory

2009-07-08T19:37:00.003-06:00

Ok, Windows Admins who don't know this, listen up.

You know the way that you add home directories to user accounts in Active Directory? Yeah, you're fucking it up!

I have to say that I cannot stand it when admins don't read AT LEAST the bare minimum of basic Windows / Active Directory management. I cannot hold it back anymore, I feel like I'm gonna lose my mind. Everytime I go to a customer site and see where some chucklehead has added the home directory in some stupid way (see below).

1. Create a new directory, either by calling the same as the username or something close.

2. Share out this directory as a normal share or a hidden share

3. Change NTFS permissions manually, or better yet, not at all.

4. Open the user account properties and put in the drive letter and UNC path to this new share.

Ok, so now if you do anything in your life the correct way, do this (bare minimum):

1. Create a single directory under whatever path you like (eg...D:\Home or D:\Users)

2. Share this new directory, usually a hidden share (home$ or users$)

3. Allow SYSTEM and Domain Admins Full Control and Domain Users Read Only

4. Open user account properties and add the drive letter and the UNC path:

(eg...\\server\share\%username%)

5. You can literally use the %username% variable if you wanna.

Step 4 is the only step you have to do once you have created the initial share. What happens when you do step 4? Good question. It will create the home directory for you in the share specified and it will apply proper NTFS permissions with the user account with Full Control and remove the inheritance flag.

If you have a template user account and you copy it, it will create the home directory and apply security properly for you as well based on the username.

From now on, do this or I will come after you with a shovel and a hayfork.

ScreenOS OID's for CPU and Sessions

2009-05-05T14:09:00.003-06:00

In case you are looking for them, here are the OID's for CPU and sessions within ScreenOS.

I'd like to get a better list of OID's. I mean, I imported the MIB's into the SMNP tool I was using, but I can't find any good resource OID's.

CPU Utilization

1.3.6.1.4.1.3224.16.1.3.0

Session Counters

1.3.6.1.4.1.3224.16.3.2.0

DSL Post - New Thought

2009-04-27T10:31:00.002-06:00

I didn't try to implement path-mtu. I'm gonna try it and see what happens.

There are two ways to do it, on the interface and flow settings.

Hm, I'll see what happens later.

ralf

One of My Favorite ScreenOS Hidden Commands

2009-04-24T13:29:00.003-06:00

mod

Yup, mod. As in modify.

This hidden command is what is used when you want to modify a policy, address, or service object.

I like it.

mod add trust “Corp Users 172.20.0.0/16” 172.20.0.0/16 172.20.0.0/16
mod policy 123 order 543

Yay geekdom.

I hate DSL, for today.

2009-04-20T00:18:00.004-06:00

So, this client I've been working with is another victim of a hosted Exchange solution.

We moved them to a new office and the goddamn phone vendor that they hired put in a DSL. Well, that's fine because it was a quick move and we had to do it quick. And now they are putting in fucking CBeyond. Whatever, I'm gonna punch that guy in the neck.

Well, we drop in a loaner 5XT we had sitting around but they could do everything except connect via RPC over HTTP to their Exchange provider. Well, even better when we did traceroutes and the peering from Qwest to XO looked to be fucked. The traces would die as it hit XO's network so we never thought to look at the firewall at first. And let's all keep in mind that the tracert's and ping's are ICMP, not TCP. Read on.

Well, I had the quy move outside the firewall and attempt to connect and it definitely worked fine. So I threw in a 5GT that I had with the exact same config and it did not work either. The pcap's I was grabbing showed shitty TCP CHECKSUM ERROR's and I thought for sure that some flow settings on the firewall were screwy. I have seen that before where we have had to turn off tcp sequence checking (set flow no-tcp-seq-check) or tcp syn check (unset flow tcp-syn-check) to fix issues in the past. But that was modified accordingly with no positive results.

So, for the fuck of it I was like, "well, I'll set the maximum segment size for the Internet bound traffic to see what happens." The tcp-mss for encrypted traffic was set to 1350, a default for the ScreenOS version we were running. The all-tcp-mss was at the default of 1500 so I kicked it down to 1400 (set flow all-tcp-mss 1400) and I'll be dipped in shit. It worked. So I moved it back to 1500 and ran a ping with 1500 byte packets (but forgot to set the no fragment flag) and it worked. So while I'm writing this tonight I decided to move it back to 1500 and run the ping with the no fragment flag (ping -l 1500 4.2.2.2 -f). This failed. I found the sweet spot at 1464 bytes. So I moved the MSS to 1464 and didn't get a login and then to 1460 and still did not. My final tested MSS is set to 1450 right now.

I guess the reason I'm ranting about this is that I'm used to setting the encrypted tcp-mss size down because of the encryption overhead and the like, but haven't run into this before.

So if you read this, try this first and see what happens.

Word? mkay.

Devaluation of Technical Certifications In Progress

2008-06-19T10:33:00.004-06:00

I received this email as a member of a Juniper group within Google, and I was a bit blown away by the fact that someone, first of all, would be willing to pay someone else to get them certified. But then I realized after some thought, while consulting with some of the knuckleheads that I have had to work with that have > 5 certifications all from different vendors, and couldn't possibly due the work they were hired for. Honestly. I've seen it and been dumbfounded by the amount of coin they were pulling in and then they would have me do the work. Awesome.

Is this the end of how certifications are valued? I of course have NEVER thought highly of certifications. My biggest reason is because so many test questions are so loaded and NEVER straight forward and are so subjective that you have to guess what {Enter Vendor Name Here} wants instead of interesting factual information. Fuck I hate tests but not enough to be a jackoff loser to pay someone to take a test for me.

So, without further delay:

********

Obtain
Microsoft,Cisco,Comptia,Oracle,Citrix,CWNP,Ciw,Solaris,Jawa,ITIL,Vmware,Ec-council,Juniper,Norten and Many more Certificaitons Without Tests...Pay after check results…
Friends we have more then 45 testing centers( vue and prometric both).
On which we will do the exams on the candidates behalf,make them passand then provide their results to them, after that candidates willeasily able to check their results online on each vender officalwebsites. after checking their results they have to send us payment.

what things we need from the candidates:-
1. candidates full name ( that they want to appear on theirscoresheets and certificaites)
2. candidates full address ( for certificaiton delivery)
3. candidate any photo id proof colour scan copy
4. candidate phone number with country code

Benifits
Obtain Certificaiton At home
No need to Sit anymore for exams by themselves
100% Passing Gaurantee
Pay after check results on Vender official website

prices :- ( all prices are in USD)
Microsoft Any exam :- 500$
ccna :- 1000$
ccnp :- 4000$
ccsp :- 5000$
ccvp :- 5000$
Comptia A+ :- 2200$
Comptia Network+ :- 1400$
comptia Security+ :- 1500$
server+ :- 1500$
ccda :- 1200$
ccdp :- 2400$
ccie Writtern :- 2000$
Check point :- 1100$( each exam)
Citrix ( each exam) = 700$
CIW ( each exam) = 700$
Cwnp :- ask price first
Ec-council :- 1200$ ( each exam)
ITIL :- 1200$
LPI :- 900$ ( each exam)
Novel :- 700$ (each exam)
Oracle :- 800$ ( each exam)

all exams takes only 5-7 working days

so, intrested feel free to contact us on email@removed.com.

Streaking at Work

2008-03-06T21:39:00.000-07:00

Yes, this happened today.

Entry Level Switch Throughput Comparison

2008-02-27T10:04:00.003-07:00

These numbers are all based on 64 byte packets.

The HP 2800-24G and the 1800-24G can do 35.7 Mpps with 48 Gbps switching fabric.

The Cisco Catalyst 2960-24TC-L can do 6.5 Mpps with 32 Gbps switching fabric.

The Juniper EX 3200-24T can do 65 Mpps with 88 Gbps switching fabric.

The Foundry EdgeIron 24G can do 35.7 Mpps with 48 Gbps switching fabric.

Buy Cisco, and you're the big loser....

A Troubled Economy

2008-02-20T22:20:00.002-07:00

You know things are bad when HP starts hiking prices on memory. Click on the image and look at the first PC2 5300 memory option. Shit!

T1 Utilization Questions...

2007-11-14T21:00:00.000-07:00

The goal was to put to bed the final question that everyone asks and no one ever has a solid answer for, can you get 1.5Mbps up and 1.5Mbps down on a data T1. We have had multiple customers ask us this question recently, so I fired up two routers today to get solid results with empirical evidence to show everyone that has asked.

Here's what I had; a Crisco 1720, a Juniper J2300, one laptop (WinXP) and one desktop (WinXP). Both machines are running WSFTP Server and I used the FTP client via CLI in Windows.

Both T1 interfaces are configured with the IP's shown in the diagram, and encapsulation set to PPP.

Using PRTG we sampled the T1 interfaces for traffic utilization via SNMP. Sampling rate was set to every 10 seconds with averaging set to 1 minute. The defaults are 60 seconds and 5 minutes respectively.

The graphs below shows traffic utilization while a FTP transfer of a 593+ MB ISO to the laptop from the desktop was underway. This is to simply show traffic being transferred in one direction only. And obviously you can see the end of the transfer complete just under an hour. During this transfer I kept Task Mangler open to watch utilization on the NIC on the laptop. The NIC was negotiated at 100-Full and during this transfer the low average that was reported was 1%.

Juniper J2300

Crisco 1720

The second set of graphs show our next test. We opened a FTP session to each machine from each machine, set the hash on to watch the transfer and prepared to hit the enter key at the same time to begin both transfers simultaneously. (I also found it interesting how on the Juniper router I received the blip on the proverbial radar every 5 minutes. At first I thought this was a framing issue with relation to clocking as I had left clocking on both routers to internal. So after the 4th blip I flipped the Juniper's T1 clock over to external. There was no drop in traffic but also didn't 'fix' the issue. Interesting at least to see that compared to the Crisco.)

Juniper J2300

Crisco 1720

And the test went as expected, which is to see 100% utilization bidirectionally. Note (on the close up images) the difference between the first transfer and the second transfer. You can clearly see the input and the output lines not match during the first transfer and then match on the second.

Juniper J2300

Crisco 1720

Watching Task Mangler on the laptop and the desktop showed an increase from a loose report of 1% to 3%, and can be safely assumed that since Task Mangler obviously rounds the percentage up / down that the first transfer was at least 1.49% utilization. At 100 Mbps this would effectively equal 1.49 Mbps, which is about the available bandwidth across a T1. (24 channels x 64 kb per channel) + 8 bits signaling = 1544 kbps; aka T1.
PRTG reported an average of 2.976 kbps.

The result is an obvious yes, you do get 1.5 up and 1.5 down. But this DOES NOT mean a T1 is 3 Mbps connection, it means you are utilizing 24 channels up on one pair of wires, and 24 channels down on the second pair of wires. (no comments from the "Well sort of" crowd). Don't get crazy and start thinking you are Stephen Hawking and adding 1.5 + 1.5, don't do it or I'm coming after ya. I'm honestly sick of this question and the assumed 3Mbps of bandwidth. Geez people.

I have also read all over the net and seen some really stupid comments about how this isn't possible and then others who have the right answers with no solid data. There is also something I read on the net about how this was 'theoretically possible'. Well, sleep tight everyone because the theorem has been proven.

Cisco Catalyst 5509 Coffee Table

2007-11-09T21:57:00.000-07:00

This is our end result. An out of service (though still operational) 120 lb Cisco Catalyst 5509 chassis. This replaces a 4 legged open metal base as the original base of the table. The felt pads that are seen on the corners are supporting and protecting the glass on top of the chassis. In the middle of the table, under the glass, a glass chess board.

The blades are seperated and the slot covers removed to provide space between each blade which become sliding shelves.

Ultimately, this table cost us a whole $3.50. I didn't buy the glass, chess set, or the switch. Not a bad deal I'd say.

Juniper / NetScreen Dual Untrust

2007-09-24T15:06:00.000-06:00

Something I did recently using a SSG 20 with commercial T1 and Comcast and both default virtual routers. (You don't have to use two virtual routers, but here's why I did this at first). Initially, my client reported that Comcast was assigning DHCP to the firewall's interface. When DHCP is used, the default route created from DHCP cannot be modifed and will show up as a directly connected route, so it will have a higher metric (unless you modify your preference / metric settings, but I have not tried that) So, if Comcast is supposed to be the backup route, placing it in the untrust-vr and controlling traffic in the trust-vr worked great. This works fine with a static IP as well.

Here we go:

Here are the default zones in the default trust-vr.

set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"

I created a new custom zone and placed it in the untrust-vr

set zone id 101 "Comcast"
set zone "Comcast" vrouter "untrust-vr"

I set int Ethernet0/1 in the Comcast zone. You will have to do this or track-ip will not fail the interface back. You have to setup a manage IP on the Ethernet0/0 (untrust) interface. See the the track-ip section below.

set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Comcast"
set interface "ethernet0/2" zone "Trust"
set interface ethernet0/0 ip 1.1.1.1/24
set interface ethernet0/1 ip 2.2.2.1/24
set interface ethernet0/2 ip 192.168.1.1/24

I then setup the track-ip option. Track-ip will use the manage ip to ping. Why? Because if track-ip can't ping the remote IP (usually a device a couple of hops from you) it brings down the interface (in software only) and thus can't monitor the remote IP if the interface is down. Track-ip uses the manage ip for those tests. If the interface link goes down, whether you unplug the cable or the upstream device goes offline, then track-ip does not play a role, but since the link is down so is the first default route and thus the second default route comes up.

set interface ethernet0/0 monitor track-ip ip

The default weight is 255, which means that -this- test has to fail 255 times before the track-ip test causes the interface to go down. If you have multiple tests, the sum of all tests must equal the weight before it drops the interface and thus the route. This only happens in software, you probably will not see the link drop or the status of the interface go down.

set interface ethernet0/0 monitor track-ip weight 1

The following interval is in seconds.

set interface ethernet0/0 monitor track-ip ip 4.2.2.2 interval 5

The threshold is the number of tests that must fail before track-ip drops the interface. So, in this scenario, track-ip will monitor the remote ip every 5 seconds (interval), if it fails twice (threshold) then the weight equals 1, and brings the interface down.

set interface ethernet0/0 monitor track-ip ip 4.2.2.2 threshold 2

Set a new default route in the untrust-vr and then set route's back to the network in the trust-vr. The default route in the untrust-vr will be active but traffic won't hit this VR until the track-ip option disables the interface located in the trust-vr. When that happens, the default route in the trust-vr becomes inactive and the second route comes up, sending traffic to the untrust-vr. Note the preference on the two default routes in the trust-vr.

set vrouter "untrust-vr"
set route 0.0.0.0/0 interface ethernet0/1 gateway 2.2.2.2
set route 192.168.1.0/24 vrouter "trust-vr" preference 20
exit
set vrouter "trust-vr"
unset add-default-route
set route 0.0.0.0/0 interface ethernet0/0 gateway 1.1.1.2 preference 10
set route 0.0.0.0/0 vrouter "untrust-vr" preference 20 metric 1
exit

Um, EHLO?!

2007-09-23T22:42:00.000-06:00

So, I have to say what a drag it is to have 20+ .pst files from an Exchange 2000 server and having no way to import said .pst files at the server level into Exchange 2007.

Oh yes, I'm well aware of the SP1 option for the goddamn Import-Mailbox Powershell command syntax, but, I'm also aware that SP1 is not yet out of beta. And even if it was today, it wouldn't have helped me 10 days ago.

Here's the situation. I'm in the middle of trying to migrate a small organization over from Windows 2000 DC's and Exchange 2000 to Windows Server 2003 + Exchange 2007, I run into what I am still dwelling on, no .pst import option.

Well, the two biggest problems / pain in the fekkin' ass on this project was the fact that 1) Active Directory has inconsistencies 2) Exchange 2000 is installed on a Domain Controller.

Now, what's the problem with that?

I can't ADPREP Active Directory with inconsistencies that are not easily resolved. But, for fun let's say I did. Ok, cool, so now I have a Windows 2000 domain that I can put a Windows Server 2003 server as a DC (but remember I can't). And let's say I get 2003 running AD, I can't install Exchange 2007 until I remove the Windows 2000 DC's (Exchange 2007 has to have 2003 DC's -only- due to schema updates). I can't successfully DCPROMO a server that is also running Exchange 2000 without it breaking Exchange upon reboot. Basically, security will be modified on the server running Exchange 2000 to a point that the services won't start thus the information store won't mount. So, sure, I can get the Windows 2000 DC's off so that I can install Exchange 2007 (even if I were to get the AD inconsistencies fixed), but if I can't get Exchange 2000 database to mount, then I can't move mailboxes over, so WTF is the point?

Yeah, so this was my dilemma a couple of weeks ago. What to do. Well, the amount of work trying to fix things and to try and get Exchange 2000 running were rediculous to the point that I might as well just do a full blown migration. There were other stupid problems on this network anyway, so this was the shortest path of least resistance.

A simple Exmerge from Exchange 2000 provided me the .pst's and then I went to do the research on how to get them back into the new server. And to my sarcastic delight, left with no way to do so except for sitting at each machine. Blech.

And while I'm severely disappointed in how Exchange 2007 works so far, I'm stuck with it. And not a usual basher of Microsoft, in fact, I like the shit. But the additional work created during the migration because of the lack of ability to import mailboxes into the new information store was a true pain in my ass.

Framing the Argument

2007-08-09T11:53:00.000-06:00

In the book "Don't Think of an Elephant: Know Your Values and Frame the Debate--The Essential Guide for Progressives" by George Lakoff, the idea that what you say or how you say it becomes essential on selling an idea.

Ideas like "The Death Tax" vs. "The Estate Tax" are spoken of. One with a negative tonality and one with a neutral or positive tonality.

The same holds true when discussing business plans for corporations.

Ideas like "Disaster Recovery" vs. "Business Continuity". Same thing, different tonality.

To sell a product or idea, it really is in the best interest to frame the selling point in a positive tone vs. the end of the world.

They call it a Start button for a reason...

2007-08-07T08:37:00.000-06:00

A recent service order that came in:

Brief Description: PC Desktop Shortcuts
Work Requested: Night Utilities Shortcut not found on PC desktop.

Priceless. Some end users are truly dumb.