My Chellam.....
Difference between IPv4 and IPv6
| IPv4 | IPv6 |
| Addresses are 32 bits (4 bytes) in length. | Addresses are 128 bits (16 bytes) in length |
| Address (A) resource records in DNS to map host names to IPv4 addresses. | Address (AAAA) resource records in DNS to map host names to IPv6 addresses. |
| Pointer (PTR) resource records in the IN-ADDR.ARPA DNS domain to map IPv4 addresses to host names. | Pointer (PTR) resource records in the IP6.ARPA DNS domain to map IPv6 addresses to host names. |
| IPSec is optional and should be supported externally | IPSec support is not optional |
| Header does not identify packet flow for QoS handling by routers | Header contains Flow Label field, which Identifies packet flow for QoS handling by router. |
| Both routers and the sending host fragment packets. | Routers do not support packet fragmentation. Sending host fragments packets |
| Header includes a checksum. | Header does not include a checksum. |
| Header includes options. | Optional data is supported as extension headers. |
| ARP uses broadcast ARP request to resolve IP to MAC/Hardware address. | Multicast Neighbor Solicitation messages resolve IP addresses to MAC addresses. |
| Internet Group Management Protocol (IGMP) manages membership in local subnet groups. | Multicast Listener Discovery (MLD) messages manage membership in local subnet groups. |
| Broadcast addresses are used to send traffic to all nodes on a subnet. | IPv6 uses a link-local scope all-nodes multicast address. |
| Configured either manually or through DHCP. | Does not require manual configuration or DHCP. |
| Must support a 576-byte packet size (possibly fragmented). | Must support a 1280-byte packet size (without fragmentation). |
Activating Windows 2003 Terminal server license on end user system
Many of us face challenges while we activate the terminal servers licenses from the remote system. Recently I faced the same issue and I followed the below steps and the problem was resolved.
- The Terminal Services Licensing Server must be configured properly and it must be up and running fine on the same network environment. For example, we will consider this server Frank2k3 (192.168.150.100) as a Terminal services licensing server and this server is reachable to the End user system.
- If the Terminal Services Licensing Server is present in a different network then we have to enable the required communication ports between two environments. For example if we have the Licensing server present in the network 192.168.150.X and the End user system present in the network 10.50.10.X then we need to enable the following ports from the End user network (10.150.10.X) to the 192.168.150.X network: TCP-135, TCP-139, TCP-445, TCP 5000-5100**.
(The ports range of 5000-5100 can be modified to any other range of at least 100 ports and it should be above the port 1024. I used 5000-5100).
- We need to add below entries in the registry (use regedit.exe tool and update the registry). Create the Key in the name of Internet under KEY_LOCAL_MACHINE\Software\Microsoft\Rpc
Under the Internet key, add the below three values
”Ports” (MULTI_SZ)
”PortsInternetAvailable” (REG_SZ)
”UseInternetPorts” (REG_SZ) - After update of the above entry in the End user system the new registry key appears as follows:
- Ports: REG_MULTI_SZ: 5000-5100
PortsInternetAvailable: REG_SZ: Y
UseInternetPorts: REG_SZ: Y - Restart End user system. All applications that use RPC dynamic port allocation use ports 5000 through 5100, inclusive. In most environments, a minimum of 100 ports should be opened, because several system services rely on these RPC ports to communicate with each other.
- On the End user system, open up Terminal Services Configuration. Click on Server Settings --> License server discovery mode and fill in the IP address of the Terminal Server Licensing Server (192.168.150.100). Clicking on the Check Names button should tell you if it is working or not. Finally click on Server Settings –> Licensing and select Per Device or Per User, to match whatever types of licenses are installed on the licensing server. We used the Per Device license. Everything will work now. If any problem occurs, then check the Licensing server and it will show up in the System event log with event ID 1010.
- The end user system (10.50.10.X) will need to be rebooted after these changes.
The below screen shots show the registry changes:
Avoiding performance issues with Linked Clone VMware View Desktop through fully deployed (thick) desktop
Optimal design of a VMware View environment must take several factors into consideration. One of the most important factor is the Storage design. When proper storage design planning is not done, it invariably leads to performance issues in the environment. The most prominent example would be having linked clones in an environment in multiple SATA drives with very little cache space. There is a solution for avoiding such performance issues and that is to have fully deployed (thick disk) desktop. Having fully deployed desktops means spreading the I/O over many spindles instead of crowding all requests to one spindle.
This can be done in two methods:
- Cloning the Desktop VM
- Storage VMotion the Desktop VM
Cloning the Desktop VM
Steps:
1. From VCenter, right click on desktop VM. Select ‘Clone’
2. Keeping continuing with the wizard till the point of selecting what to do with the disk
3. Now select ‘Same Format as Source’
These steps can be done when the desktop is on or off (hot or cold). In a nutshell, the linked clone is read (the latest snapshot of vmdk file that includes all changes down to base disk) and stand-alone disks are created which are independent of the linked clone storage structure. Thus the file created from the cloning is the thick vmdk file which can now be used as base.
The advantage with this method is that one can verify that the cloning is complete before removing the linked clone VM in the View Manager. The new one can be manually added after verification.
Storage VMotion the Desktop VM
Steps:
1. From VCenter, right click on Desktop VM. Select ‘Migrate’
2. Select ‘Change Datastore’
3. Follow the next steps and select ‘Same Format as Source’ in disk section
The VMs are converted just in the same way as the first method with the only benefit that this can be done without any downtime for the desktop.
This method also has the disadvantage of having no verification mechanism and the necessity of free space to be available on another datastore.
Tips for strong password in server hardening
The need for a highly secure Strong Password is felt more these days due to increased hacking and phishing. With Microsoft integrating windows logon to many online transactions, the need is further more important.
The password policy setting is one of the most important steps in server hardening procedure. This is usually done in 99% of the environments. But if in any environment it was overlooked, there are methods how one can enforce the strong password policy there.
The steps to enable password security policy in Windows 2003 Domain server is presented in this post:
Step#1: Start—> Program –> Administrative Tools –> Domain Security Policy
Step#2: From the Domain Security Policy Window, enable the “Password must meet complexity requirements” under Password policy in Account Policies
Once these steps are done, the password policy will be enforced when the users do a password reset.
Microsoft has some suggestion on how to make your password strong. I find the following tips useful:
- The length of password is very important – make it at least 14 characters or more.
- Make your password strong with special characters (symbol) in it.
- Mix upper and lower case letters to increase complexity.
- Remember to use the entire keyboard instead of using common words.
- Increase the length by using numbers between the letters.
- More complex the better – add punctuation at the beginning.
You might also want to refer to the Microsoft Documentation for detailed examples and Password checker tool
3
comments
|
Filed Under:
Microsoft,
Server Hardening,
Strong Password,
Win2003 Domain,
Windows 2003 server
Restoring corrupted windows OS files without affecting the existing configuration files
Many a times we have the difficulty of having to restore some corrupted OS files. But this is always scary as there is a high chance of the other existing configuration files getting corrupted as well.
Well, in one of my tight situations I found that Microsoft was a life saver yet again! Microsoft provides a command line tool System File Checker “SFC” which can be used to recover the corrupted windows operating system files.
Since the discovery of this tool, I have used SFC in many production windows server environment successfully and the problem got fixed every time!
When you are not really sure that all the OS files are good and you doubt that system files have been somehow corrupted, do use SFC. This tool will validate the digital signatures of all the Windows system files and if there are any incorrect files, they are restored.
During the recovery process if possible it will use the on-disk cache files. But in some cases, this tool may request the original installation CD. This is because; the SFC tool will replace a damaged file from CD if it is not available in the on-disk cache.
So before start the system files recovery process using the SFC utility tool we should have original OS CD.
To run the System File Checker utility
- Step1: Go to Start menu and select Run
- Step2: Enter the command SFC /Scannow - Press enter button
This command will take few minutes to trigger the System Scan process. If any of the system files are replaced by the SFC, a reboot is required. This will not affect any previous configuration settings.
Check this Microsoft link for Microsoft documentation on SFC
Subscribe to:
Posts (Atom)
