Friday, April 30, 2010

How ADSL Sync Speed is Calculated

In this blog post I'm just going to give you a bit of information on how the ADSL sync speed is calculated. I'm not an expert on this subject; however, I spent the morning reading into this topic and would like to share my findings with you.

There are two main items which contribute to ADSL Sync Speed:
- Line Attenuation
- Signal to Noise ratio

Line Attenuation

Attenuation, in a communications sense, is the energy loss of signal transmission through a given medium. Simply put, if you talk normally I can hear you when you're 10m away but I can't hear you at 100m unless you shout.

With Line Attenuation the lower the value in dB, the better. The further you are away from the exchange, the higher the line attenuation.

Here are some rough values for line attenuation and sync speed by distance from the exchange:

1.0km = 13.81dB = 23Mbit
1.5km = 20.7dB = 21Mbit
2.0km = 27.6dB = 18Mbit
2.5km = 34.5dB = 13Mbit
3.0km = 41.4dB = 8Mbit
3.5km = 48.3dB = 6Mbit
4.0km = 56dB = 4Mbit
4.5km = 62.1dB = 3Mbit
5.0km = 69dB = 2Mbit

Line Attenuation can also be increased if you have unused cables attached to your phone line, extra phones or devices such as fax machines. In my house we had an unused phone cable plugged into the wall at the end of the hallway. It was not connected to anything. With the cable plugged in I was getting a downstream Attenuation of 53.5dB and an upstream of 31.5dB.



After I unplugged it from the wall my Line Attenuation went down from 53.5/31.5 to 45.5/31.5. As a result my Internet connection sync speed doubled.



Later on I will go up into the roof and disconnect all the unwanted phone cables. We used to have 3 phones in the house; now we only have 1 phone connected to a phone cable. All the other phones connect to the landline phone through wireless, which is an awesome way to increase Internet sync speed.

SNR (Signal to Noise ratio)

With Signal to Noise Ratio the higher the value in dB, the better. For those with very long phone lines, this becomes the critical factor, and it can also be degraded by the telephone wiring in the house. Homes with phone lines split to go to multiple devices can also have a much lower SNR.

When you think of SNR, think of how much cable is connected to the link, the quality of the cable, and the chance of the signal fading out.

Phone cables are CAT3 (10BaseT) and can go up to 100m, the same as CAT5/CAT6. The less cabling between the street and your modem, the better the SNR.

So what are acceptable SNR's?

< 6dB = You will not get ADSL Sync
< 10dB = You will get ADSL Sync however wiring or cable length is crap and needs repairing.
< 20dB = Will work ok however not the best.
20dB - 40dB = Very good (most people get in this area).

As mentioned above I have so much cable connected to my phone line, I need to get up in the roof and clean it up.

References

http://whirlpool.net.au/wiki/?tag=dslam_speeds
http://whirlpool.net.au/wiki/?tag=ADSL_Theory_Attenuation
http://www.pcurtis.com/network-adsl.htm
http://forums.whirlpool.net.au/forum-replies-archive.cfm/539544.html

Wednesday, April 28, 2010

Memory Limits in Windows Operating Systems

An excellent website that illustrates the memory limits of the various Windows operating systems is:

http://msdn.microsoft.com/en-us/library/aa366778.aspx

A very handy website to keep close.

Tuesday, April 27, 2010

Allow Passive FTP Ports 2008 Firewall

In Windows Server 2008 R2 the Windows advanced firewall has an option for Passive FTP ports.



However on Windows Server 2008 (not the R2 version) there is no passive option for FTP.



So how do you allow inbound traffic on all the randomly generated passive FTP ports?

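The easiest way to do this is to allow the process that handles the FTP traffic, "inetinfo.exe", rather than individual ports. A program rule like this accepts inbound connections on any port that inetinfo.exe listens on, so scope the rule to the networks that need FTP access where you can.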



Users Cannot Send or Reply to Emails OWA

In this problem users could not send or reply to emails through Outlook Web Access. This company had an Exchange 2003 server with Service Pack 2. When users reply to or send an email they receive an Internet Explorer screen with a red cross; the compose frame does not load as normal.

This is what the problem looks like:



To resolve this, Microsoft has released a hotfix that modifies the Outlook Web Access webpage on the Exchange server. This hotfix can be obtained from:

http://support.microsoft.com/kb/911829

Sunday, April 25, 2010

Windows Server 2008 R2 Application Support List

With the release of Windows Server 2008 R2 there are many questions around application support. Which applications will run on Server 2008 R2 and which will have problems?

Microsoft has published a list of all its software products that will run successfully on 2008 R2.

http://www.microsoft.com/windowsserver2008/en/us/supported-applications.aspx

Friday, April 23, 2010

Find Mailbox GUID's Exchange 2003

You may need to find the GUID's representing your Exchange 2003 mailbox databases. For example say you want to increase the database size limit to 75GB which is a registry change. This requires you to know the mailbox GUID's as shown in the image below:



An Exchange Engineer named "Bharat Suneja" wrote a really good Visual Basic script for achieving this, which can be downloaded from here:

http://www.exchangepedia.com/blog/stuff/getstoreguids.zip

This script requires the Microsoft ArrayConvert libraries to be installed to function correctly. To download the ArrayConvert libraries visit Microsoft KB250344:

http://support.microsoft.com/kb/250344/

Once downloaded, extract the ArrayConvert files, then copy and paste all extracted files to the server's System32 directory:



Register the ADs.dll file using "regsvr32.exe ADs.dll" from the command prompt.



Navigate to the folder containing Bharat Suneja's script in command prompt and run the script using the cscript utility.

Windows Server 2008 DHCP Problem "The parameter is incorrect"

I set up a brand new Windows Server 2008 Standard server, installed all the latest Windows updates, promoted the server to be a domain controller, then added the DHCP console. Upon DHCP setup, Server 2008 automatically authorized the DHCP server in Active Directory to provide DHCP.

I did not want the server to be authorized until I'm ready to kick it over from my old DHCP server.

When I went to unauthorize the server however I received the error:

The parameter is incorrect.





I checked using netsh to confirm whether the server ("DC1" is the server name) is authorized in Active Directory, which it is!



I attempted to remove it using netsh but that also failed with the following error:



Believe it or not the fix for this was:
- Stop the DHCP service
- Delete the DHCP server object from the DHCP console
- Re-add the DHCP server to the DHCP console
- Start the DHCP service
- Try again to unauthorize the DHCP server

This worked - weird problem!

Tuesday, April 20, 2010

0x800C8203 Autodiscover

I had a client running Exchange 2007 that was receiving the following error in Test E-Mail AutoConfiguration in Outlook when trying to Autodiscover:

FAILED (0x80072F0C)



To resolve this issue you need to set the Client Certificates setting to "Ignore" under the Autodiscover virtual directory in IIS manager.



After making this change Autodiscover now works correctly.

Thursday, April 15, 2010

Group Scopes

In this post I will be going over Group Scopes in Active Directory with a quick rundown of each.

Global Groups are bad hosts but great travellers. This means that they can only contain objects from their own domain but you can use them to set permissions on any domain as they can travel across trust links.

Domain Local groups are great hosts but bad travellers. They can be used to host objects from any domain, i.e. they can contain objects from other domains across trust links. However they cannot be used to set permissions in other domains, only in the domain in which they exist.

Universal Groups are great hosts and great travellers. These guys can hold objects from any domain and can be used to set permissions anywhere. This is possible because universal groups are held entirely in the global catalog. Because of this they should be avoided wherever possible, as they increase the size of the global catalog database.

There is one exception with Universal Groups: they cannot contain groups or objects from another Active Directory forest, only from domains within their forest. Domain Local Groups can contain members from any forest or any domain. I can demonstrate this: when I try to convert a Domain Local group that contains objects from another Active Directory forest (through a Forest Trust or External Trust) to a Universal group, I receive the following error:

The following Active Directory Domain Services error occurred:
Foreign security principals cannot be a member of universal groups.



By "Foreign", Microsoft means another forest or realm (could be OpenLDAP etc).

Tuesday, April 13, 2010

Working with SPN's and SQL Server

In this post I will address SPN's and the relationship they have with SQL Server.

What are SPNs?

A service principal name (SPN) is the name by which a client uniquely identifies an instance of a computer account or service that runs on the computer account. The Kerberos authentication service can use an SPN to authenticate a service. When a client wants to connect to a service, it locates an instance of the service, composes an SPN for that instance, connects to the service, and presents the SPN for the service to authenticate.

Where are SPN's stored?

SPN's are stored on the computer account itself in Active Directory. You can register or view SPN's using the setspn.exe tool from the Windows 2003 Support Tools pack, which can be downloaded from here:

http://www.microsoft.com/downloads/details.aspx?FamilyId=6EC50B78-8BE1-4E81-B3BE-4E7AC4F0912D&displaylang=en

You can use this tool to view SPN's associated with a server by typing:

setspn -l servername



Notice in the above screenshot that not all servers have SPN's. By default no server will have an SPN. Some applications automatically register an SPN record for the computer account (only if the application runs as a domain admin account). Other times you will need to create SPN's manually using the setspn.exe utility.

To allow computers to dynamically create their own SPN please read Microsoft KB 319723 (specifically Step 3). You need to grant "SELF" permissions to a few attributes in the schema:

http://support.microsoft.com/kb/319723

Also in the example above, an entry of the form "HOST/computer name" means the SPN references the entire computer object for Kerberos authentication. An entry of the form "SOMETHING ELSE/computer name" means it is registered specifically to a service.

The SPN is stored on the computer account objects themselves under an attribute called "servicePrincipalName":



Please note SPN's can also be used for user accounts!
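
The HOST-versus-service distinction above, as an added example that is not part of the original post: this Python parses the output of several "setspn -l" runs, separates HOST/ entries from service-specific ones, and reports any SPN registered on more than one account, which breaks Kerberos authentication for that service. The sample output and every account and host name in it are constructed.

```python
from collections import defaultdict

# Constructed sample: "setspn -l" output for two accounts (all names hypothetical).
SAMPLE_OUTPUT = '''\
Registered ServicePrincipalNames for CN=SQL01,OU=Servers,DC=example,DC=local:
        MSSQLSvc/sql01.example.local:1433
        HOST/SQL01
        HOST/sql01.example.local
Registered ServicePrincipalNames for CN=svc-sql,OU=Service Accounts,DC=example,DC=local:
        MSSQLSvc/sql01.example.local:1433
'''

def parse_spn(spn):
    """Split 'class/host[:port-or-instance][/servicename]' into its parts."""
    service_class, _, rest = spn.partition("/")
    hostport, _, service_name = rest.partition("/")
    host, _, port = hostport.partition(":")
    return {"class": service_class, "host": host.lower(),
            "port_or_instance": port or None, "service_name": service_name or None}

def parse_setspn_listing(text):
    """Return {account_dn: [spn, ...]} from concatenated 'setspn -l' output."""
    accounts, current = {}, None
    prefix = "Registered ServicePrincipalNames for "
    for line in text.splitlines():
        line = line.strip()
        if line.startswith(prefix):
            current = accounts.setdefault(line[len(prefix):].rstrip(":"), [])
        elif line and current is not None:
            current.append(line)
    return accounts

def summarize(text):
    """Classify each SPN as host-wide or service-specific and find duplicates."""
    owners = defaultdict(set)
    report = {"host": [], "service": [], "duplicates": {}}
    for account, spns in parse_setspn_listing(text).items():
        for spn in spns:
            kind = "host" if parse_spn(spn)["class"].upper() == "HOST" else "service"
            report[kind].append((account, spn))
            owners[spn.lower()].add(account)  # SPNs compare case-insensitively
    report["duplicates"] = {s: sorted(a) for s, a in owners.items() if len(a) > 1}
    return report
```
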

How can I use SPN's for client connections into my SQL Server?

In SQL you create "Logins" used for authentication under the security container in SQL Management Studio. When creating Logins you can use Windows authentication or SQL authentication accounts. With Windows authentication you can only use the following methods for authentication:
- User accounts
- Group accounts
- Service Principal Names

The following screenshot shows this:



Service accounts can be used as an SPN. They are specified through the connection attribute for the Kerberos authentication and take the following formats:

username@domain or domain\username for a domain user account

machine$@domain or host\FQDN for a computer domain account such as Local System or NETWORK SERVICES.

Here is an account in SQL using an SPN for a computer domain account:



The SQL Server Itself

The SQL Server itself also needs SPN's registered for all its services. For some additional reading please look at:

http://technet.microsoft.com/en-us/library/bb735885.aspx
http://msdn.microsoft.com/en-us/library/ms191153.aspx

You can configure automatic registration of SPN's for SQL service accounts. If you're interested in doing this please see this blog post I wrote:

http://clintboessen.blogspot.com/2010/02/dynamically-set-spns-for-sql-service.html

Sunday, April 11, 2010

Disabling User Must Change Password on Next Logon via VB Script

I'm in the middle of doing an AD migration for a client using ADMT. One thing I noticed, though, is that whenever I migrate user objects with ADMT it automatically enables "User must change password at next logon". I do not want this!

The following script disables the option for all user accounts per OU:

' Clears "User must change password at next logon" for every user in one OU.
Option Explicit
Dim objOU, objUser, objRootDSE
Dim strContainer, strDNSDomain, intCounter

' Build the DN of the target OU from the domain's default naming context.
Set objRootDSE = GetObject("LDAP://RootDSE")
strDNSDomain = objRootDSE.Get("DefaultNamingContext")
strContainer = "OU=ITStaff," & strDNSDomain
Set objOU = GetObject("LDAP://" & strContainer)

intCounter = 0
For Each objUser In objOU
    If objUser.Class = "user" Then
        ' Trap errors per user so one failed write does not stop the run.
        On Error Resume Next
        ' pwdLastSet = -1 stamps the password as set now, which clears the flag.
        objUser.Put "pwdLastSet", -1
        objUser.SetInfo
        If Err.Number = 0 Then
            intCounter = intCounter + 1
            WScript.Echo objUser.Name
        Else
            WScript.Echo "FAILED: " & objUser.Name & " - " & Err.Description
            Err.Clear
        End If
        On Error GoTo 0
    End If
Next
WScript.Echo intCounter & " users no longer have to change password at next logon."
WScript.Quit
' End of User Account example VBScript


Note: if you want to re-enable the tickbox for changing passwords, change the -1 in the following line to 0:

objuser.Put "pwdLastSet", -1

You can also do this for the entire domain using WinNT and not LDAP:

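' Clears the password-expired flag for every user account in the domain.
Option Explicit
Dim oDomain, oObject
Set oDomain = GetObject("WinNT://cos.local")

For Each oObject In oDomain
    If oObject.Class = "User" Then
        ' PasswordExpired = 0 means the user is not forced to change password.
        oObject.Put "PasswordExpired", 0
        oObject.SetInfo
    End If
Next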

Friday, April 2, 2010

Backup Exec 12.5 with Windows Server 2008 R2

If you are running Symantec Backup Exec 12.5 and you wish to implement 2008 R2, there is a bug you're going to come across. This is a must-read article written by one of my work colleagues:

http://blog.samkendall.net/2010/04/01/backup-exec-12-5-windows-server-2008-r2-v-79-57344-65225-a-failure-occurred-accessing-the-writer-metadata/

Connection Timed Out - Symantec Ghost Solution Suite 2.5

I have discovered what appears to be a bug with Symantec Ghost Solution Suite 2.5. When running a multicast with a very large image (over 500GB) randomly during a ghost cast (between 3 - 4 hours in at random times) it comes up with "Connection Timed Out".

I set up PXE booting for both the DOS client using the latest NDIS2 driver as well as a WinPE version running ghost32.exe. Both of these had the issue.

I was previously running Symantec Ghost Solution Suite version 1.1 at this customer, which worked fine. After performing many hours of troubleshooting I rolled back to version 1.1. Symantec Ghost Solution Suite 2.5 works fine when imaging workstations with images under 100GB.

In testing Symantec Ghost Solution Suite 2.5 and Symantec Ghost Solution Suite 1.1 both used exactly the same NDIS2 driver, same switches and same ghost cast server. I uninstalled version 1.1 before installing the 2.5 ghostcast server.

Because my environment was the same in both testing phases, it is definitely an issue with the 2.5 version of Ghost Solution Suite.

Slow MultiCast Imaging with Symantec Ghost

I'm running MultiCast Imaging with Symantec Ghost. The image I'm pushing out is 500GB. It was taking me over 24 hours to push the image out as I was only getting 200MB per minute.

My network was gigabit with a HP ProCurve Switch 2810-48G switch and gigabit NIC's in all the workstations.

Why was it going so slow?

After doing some research I found out that the HP switches have IGMP (Internet Group Management Protocol) disabled by default. IGMP is used to manage the membership of Internet Protocol multicast groups. A ghost cast session is an IGMP group; workstations need to join the IGMP session on the switch to participate in IGMP group traffic. When IGMP is disabled on the switch, the switch treats the multicast traffic as broadcast traffic, sending it out over all ports in the specified VLAN, meaning every PC on the network receives the communication. Every PC or device on the VLAN receives every packet sent from the ghost cast session; as they do not have an application listening on the specified port, they will drop the packets.

This network is one big VLAN. Some devices on the VLAN could not support high speed network connectivity even though they had a gigabit NIC. One of these devices was a PACom WebGuard Camera Video Surveillance system. This camera system was also receiving every packet from the ghost cast session; however, because it is not designed to deal with such a large amount of data it was dropping packets, meaning the ghostcast server needed to slow down to ensure every PC on the network received the data. A broadcast will only go the speed of the slowest device on the network. Bad cables will also affect the speed of the broadcast. Multicasts follow the same principle: they will only go the speed of the slowest device in the multicast group. However, you have narrowed it down to a group of devices instead of all devices in a specified VLAN.

To enable IGMP on a VLAN you just enter ip igmp into the switch's config under the relevant VLAN:

ProCurve Switch 2810-48G# show run

Running configuration:

; J9022A Configuration Editor; Created on release #N.11.15

hostname "ProCurve Switch 2810-48G"
snmp-server contact "Clint Boessen"
ip default-gateway 192.168.30.2
snmp-server community "public" Unrestricted
vlan 1
name "DEFAULT_VLAN"
untagged 1-48

ip address 192.168.30.50 255.255.255.0
ip igmp
exit
spanning-tree
password manager
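
A check for the setting described above, as an added example that is not part of the original post: this Python reads a saved "show run" dump, reports every VLAN that has no "ip igmp" line (and so floods multicast to all of its ports), and also flags the "public" SNMP community when it is Unrestricted. The sample is constructed from the configuration above; VLAN 20, its name and the port ranges are hypothetical.

```python
import re

# Constructed sample: based on the running configuration shown above, plus a
# second VLAN (VLAN 20, hypothetical) that has no "ip igmp" line.
SAMPLE_CONFIG = '''\
hostname "ProCurve Switch 2810-48G"
snmp-server community "public" Unrestricted
vlan 1
   name "DEFAULT_VLAN"
   untagged 1-24
   ip address 192.168.30.50 255.255.255.0
   ip igmp
   exit
vlan 20
   name "CAMERAS"
   untagged 25-48
   exit
spanning-tree
'''

def parse_vlans(config):
    """Return {vlan_id: {"name": str, "igmp": bool}} from a 'show run' dump."""
    vlans, current = {}, None
    for raw in config.splitlines():
        line = raw.strip()  # tolerate dumps that lost their indentation
        m = re.fullmatch(r"vlan (\d+)", line)
        if m:
            current = vlans.setdefault(int(m.group(1)), {"name": "", "igmp": False})
        elif current is None:
            continue  # global-context line, not inside a vlan block
        elif line == "exit":
            current = None
        elif line.startswith("name "):
            current["name"] = line[5:].strip('"')
        elif line == "ip igmp":
            current["igmp"] = True
    return vlans

def audit(config):
    """List VLANs that flood multicast and writable default SNMP communities."""
    findings = []
    for vid, v in sorted(parse_vlans(config).items()):
        if not v["igmp"]:
            findings.append(f'vlan {vid} ("{v["name"]}"): no "ip igmp", multicast floods all ports')
    for m in re.finditer(r'^snmp-server community "([^"]+)"\s+(\w+)', config, re.M):
        if m.group(1).lower() == "public" and m.group(2).lower() == "unrestricted":
            findings.append('snmp community "public" is Unrestricted (write access)')
    return findings
```
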


You can also enable IGMP using the HP Web Interface if you have it enabled. Notice when I made the config change in the switch's command shell it also updated it in the GUI:





If you have IGMP turned on but you are still experiencing slow ghosting speeds there may be another feature enabled called Automatic Broadcast Control (ABC). When you enable ABC, it automatically sets the broadcast limit (Bcast Limit) on all switch ports to 30% (except for any ports for which you have already set the Bcast Limit manually to a nonzero value). Please do some research into ABC if you have IGMP enabled but are still experiencing slow speeds.

Now with IGMP on we are getting awesome speeds:



The below performance monitor graph shows my Disk Speed in Megabytes per second (MBPS) on the ghost server. As you see my ghost session is getting between 20 to 30.