ProTechs-Online

Network Administration

 
 

The more experience I get the more I realise that one person could not possibly know it all. As a network professional every day brings new challenges. It's nice to have a good foundation of technical training but that only gets your foot in the door. Once you start getting practical experience, that is when you really begin to learn how much they didn't teach you in your courses.

This page will have to contain only information of interest otherwise I would be writing a huge technical manual. Who has time for that?

 

Some Windows Networking Scenarios

Windows NT 4.0 SBS with Exchange 5.5

As a Network Administrator I have found this scenario scary. The server hardware was old and I believe about to fail. Microsoft had discontinued support, so no new service packs were going to be available. Disaster recovery analysis of this mission-critical server looked improbable.

I implemented a new Windows 2000 mixed domain on a Whitebox server running Windows 2003 Server Std R2 and Exchange Server 2003 Std. Since Windows NT 4.0 SBS cannot create trust relationships it was quite a trick to migrate the mailboxes over to the Exchange 2003 server.

The Windows NT server was running a legacy ERP software package. I knew that I could recover the ERP database and software from a backup onto another server in a disaster recovery situation. Once a newer server became available the Windows NT server along with the legacy software were converted into a virtual machine and put onto a *hypervisor.

 

* - Hypervisor - Software that is installed on a hardware platform and then acts as the hardware layer for virtual machines. Virtual machines can be installed directly on the hypervisor from disk, or created from existing computer systems converted into virtual machines. Once a computer is converted into a virtual machine it exists only as hard disk files.

 

Windows 2000 Terminal Server

The main advantage of a Windows 2000 Terminal Server is licensing. A Terminal Server CAL (client access license) is not required for Windows XP and above. This looks like a good marketing promotion by Microsoft to encourage PC upgrades to XP.

The only real disadvantages are that the Remote Desktop display is limited to 256 colors and there is no RemoteApp capability.

 

Windows 2008 Terminal Server

You will have to purchase Terminal Server user CALs for a Windows 2008 Terminal Server. It also has a new feature called RemoteApp. Remote Desktop will display more than 256 colors. In a Windows 2003 domain I recommend that you make this a member server, not a domain controller. Server 2008, from my experience, uses system resources more efficiently than Server 2000. Users like the Vista look and the Easy Print feature.

Remote Desktop Protocol 8.0 on Windows 7 has a right-click issue with Microsoft Office 2010 on a Windows 2008 Terminal Server. When this happens a user can't right-click inside any Office application and the only way to fix it is to manually log off the user's session. I found that installing this hotfix on the clients solved the problem: http://support.microsoft.com/kb/2847932.

 

Distributed File System

I had to implement a DFS between two remote sites. After some research I decided to use Windows 2003 Server R2 for the site servers. This allowed me to get away from the old, slower FRS (File Replication Service) and use RDC (Remote Differential Compression). Also, DFS on Server 2003 R2 has bandwidth throttling.

DFS used up too much bandwidth and I needed to use a nightly sync schedule. When an issue occurred, sometimes this caused the whole system to require a resync. When many gigs of files were involved it was a real problem, and one time it even required a server to be shipped to the primary location to resync across the local LAN.

I still use DFS, but only when a small number of users are involved and nightly synchronization will work for the process. An example would be two teams of engineers using high-end CAD software in two different locations. Each team works on different 3D models, but the teams still need to look at each other's models, just not in real time.

 

Windows Exchange Server 2007

Exchange 2007 must be installed on a Windows Server 2003 or 2008 64 bit system.

Outlook Web Access website has been greatly improved from 2003.

2007 is harder to configure because of its dependence on the new PowerShell scripting language.

To configure NDR reports to be similar to Exchange 2003 follow these instructions:

  1. In the Exchange Management Shell use the commands below:
  • Set-OrganizationConfig -MicrosoftExchangeRecipientReplyRecipient Administrator
  • Set-TransportServer yourserver -ExternalPostmasterAddress postmaster@yourdomain.com
  2. In the Exchange Management Console:
  • Add the SMTP email address postmaster@yourdomain.com to the Administrator's mailbox
  • Change Delivery Options for the Administrator mailbox to forward to your mailbox
  • I recommend not allowing non-delivery reports to remote domains in Organizational Config -> Hub Transport -> Remote Domains -> Default -> Properties
  • Add the DSN status codes you want to monitor in Organizational Config -> Hub Transport -> Global Settings -> Transport Settings -> Properties -> Message Delivery
  • I recommend adding DSN codes 4.4.7, 5.1.1, 5.1.3, 5.1.4, 5.2.0, 5.2.2, 5.2.3, 5.2.4, 5.3.0, 5.4.0, 5.4.4, 5.4.6, 5.4.8, 5.5.0
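The same NDR setup done entirely from the Exchange Management Shell, as an added example (not part of the original page). The server name "yourserver", the domain "yourdomain.com" and the destination mailbox "chad" are assumed placeholders; the cmdlets and parameters are standard Exchange 2007 ones.

```powershell
# Added example: Exchange 2007 NDR/postmaster configuration as a script.
# Assumed placeholders: yourserver, yourdomain.com, mailbox alias "chad".

# Step 1: replies to system-generated mail go to Administrator; external postmaster address
Set-OrganizationConfig -MicrosoftExchangeRecipientReplyRecipient Administrator
Set-TransportServer yourserver -ExternalPostmasterAddress postmaster@yourdomain.com

# Step 2a: add postmaster@ as a secondary SMTP address on the Administrator mailbox
# (read, append, write back; this form works on Exchange 2007 RTM as well as SP1+)
$admin = Get-Mailbox -Identity Administrator
$admin.EmailAddresses += "smtp:postmaster@yourdomain.com"
Set-Mailbox -Identity Administrator -EmailAddresses $admin.EmailAddresses

# Step 2b: forward Administrator's mail to your own mailbox, keeping a copy
Set-Mailbox -Identity Administrator -ForwardingAddress chad -DeliverToMailboxAndForward $true

# Step 2c: no NDRs to remote domains. Besides matching Exchange 2003 behaviour this
# limits backscatter: NDRs generated for spoofed senders would otherwise be mailed out.
Set-RemoteDomain -Identity Default -NDREnabled $false

# Step 2d: copies of DSNs with these status codes are sent to the Microsoft Exchange
# recipient, which step 1 pointed at Administrator (and thus at your mailbox)
$codes = "4.4.7","5.1.1","5.1.3","5.1.4","5.2.0","5.2.2","5.2.3","5.2.4",
         "5.3.0","5.4.0","5.4.4","5.4.6","5.4.8","5.5.0"
Set-TransportConfig -GenerateCopyOfDSNFor $codes

# Verify what was written
Get-TransportConfig | Format-List GenerateCopyOfDSNFor
Get-RemoteDomain -Identity Default | Format-List NDREnabled
Get-Mailbox -Identity Administrator | Format-List EmailAddresses,ForwardingAddress
```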
 

Windows Exchange Server 2010 Standard and Enterprise

 

Exchange 2010 has some cool features and it's the easiest version of Exchange to install so far.

Features that I liked are:

  1. More usable features in the Exchange Management Console
  2. Outlook Web App is nicer looking, more intuitive and feature rich
  3. Searching is faster especially with Windows 7 and Outlook 2010
  4. Outlook 2010 can Search by a single field or combinations of mail fields (ex: To, From, Subject, Body)
  5. DAG (Database Availability Groups)
  6. Exchange 2010 Standard and Exchange 2010 Enterprise servers can work together for Clustering.

Below is an example of a low cost two Exchange Server 2010 DAG failover cluster, Windows NLB load balancing cluster and CAS Array:

Exchange 2010 Servers needed:

  1. Two physical Exchange Standard Servers with Hyper-V
  2. Two virtual Exchange Enterprise Servers
  3. Each physical server will have one virtual server running on it as shown below

Two server cluster with two Hyper-V servers.

  1. Create your DAG with the two physical Exchange Server Standard servers
  2. When you create the database availability group a Windows Failover Cluster will be created as well
  3. Create an NLB (Network Load Balancing) cluster with the two virtual Exchange Enterprise servers
  4. Create an Exchange CAS array that points to the Windows NLB cluster

Two server DAG cluster configuration.

  1. Now all your Outlook clients will go to your CAS array
  2. The CAS array is load balanced round robin with the Exchange servers holding the Exchange HUB Transport role
  3. On your WAN router open ports 25 and 443 to your NLB CAS array cluster so all outside SMTP and SSL from the internet goes to your CAS array

Two server DAG cluster overview.

What happens when one of the physical Exchange servers fails?

  • When a physical server fails, typically so will the virtual server running in its Hyper-V
  • The DAG will make sure that the functioning mailbox server is running the active database
  • The CAS array will continue to function using any available HUB Transport servers

Two server DAG cluster failure.

 

*Note: Clients will continue to look for Public Folders on the failed server. You need to run the commands below to get the Outlook client to use a different Exchange Public Folder Database.

Set-MailboxDatabase -Identity "your mailbox database" -PublicFolderDatabase "Public Folder Database failed"
Set-MailboxDatabase -Identity "your mailbox database" -PublicFolderDatabase "Public Folder Database synchronized and active"
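The DAG and CAS array steps above, plus the public folder repoint from the note, as Exchange 2010 shell commands. This is an added example, not the page's own configuration; the server names MBX1/MBX2 (physical Standard servers), CAS1/CAS2 (virtual Enterprise servers), the witness server FSW1, the database names, the DAG IP and the CAS array FQDN are all assumed.

```powershell
# Added example: two-node Exchange 2010 DAG plus CAS array. All names/IPs are assumed.

# Steps 1-2: creating the DAG also creates the Windows Failover Cluster underneath it.
# Quorum caveat: votes are MBX1 + MBX2 + file share witness. If the witness sits on a VM
# hosted by one of the two physical servers, losing that host also loses the witness and
# the surviving node has 1 of 3 votes. FSW1 is therefore assumed to be a third machine
# (a non-Exchange member server with "Exchange Trusted Subsystem" in its local Administrators).
New-DatabaseAvailabilityGroup -Name DAG1 -WitnessServer FSW1 -WitnessDirectory C:\DAG1FSW `
    -DatabaseAvailabilityGroupIpAddresses 10.0.0.50
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer MBX1
Add-DatabaseAvailabilityGroupServer -Identity DAG1 -MailboxServer MBX2

# Give the mailbox database a passive copy on the second node (MBX1 stays preferred active)
Add-MailboxDatabaseCopy -Identity MDB1 -MailboxServer MBX2 -ActivationPreference 2

# Step 3 (Windows NLB across CAS1/CAS2) is built with the Windows NLB feature, not Exchange.
# Step 4: the CAS array name resolves in internal DNS to the NLB cluster IP; point the
# database's RPC client access endpoint at it so Outlook profiles never name a single CAS.
New-ClientAccessArray -Name "outlook.yourdomain.com" -Fqdn "outlook.yourdomain.com" `
    -Site "Default-First-Site-Name"
Set-MailboxDatabase -Identity MDB1 -RpcClientAccessServer "outlook.yourdomain.com"

# Failure note: repoint clients at the surviving public folder database (assumed name)
Set-MailboxDatabase -Identity MDB1 -PublicFolderDatabase "PFDB-MBX2"

# Checks: copy health, and which node currently acts as Primary Active Manager
Get-MailboxDatabaseCopyStatus -Identity "MDB1\*"
Get-DatabaseAvailabilityGroup -Identity DAG1 -Status |
    Format-List Name,Servers,WitnessServer,PrimaryActiveManager
```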
 

Demoting and Promoting Servers

Be sure to transfer any operations master (FSMO) roles that the server might hold before demoting it using dcpromo.exe. If you are decommissioning an Exchange server, move the mailboxes and system tables to the new server before uninstalling Exchange on the decommissioned server.

 

Windows Server Update Services 3.0

WSUS is a wonderful way to manage Windows Updates on your computer systems. It saves bandwidth on your internet connection and keeps you informed about which updates are needed.
 

Windows SharePoint Services 3.0

This service comes with Server 2003 and 2008. SharePoint Services licensing is included in your Windows Server and User licenses until you allow access from the internet. As far as I understand it, once you allow outside access to your SharePoint Services website to people outside your company's Server and User licensing, additional licensing is required.

It's best not to install WSUS and SharePoint Services on the same server. The two will fight it out and SharePoint will win control over IIS. I have tried many custom configurations to try and get the two to play nice but they don't. WSUS never seemed to work the same until SharePoint Services was removed.

SharePoint Services creates a nice base website designed for intranet file sharing, team collaboration and information sharing. Creating and deleting subsites for specific projects is super easy. Controlling access to groups and user is integrated with Active Directory. Allowing the website to send emails is also easy.

I especially like the Team Collaboration and Wiki subsites.

Two wonderful features are "Alert Me", which allows for email notifications when changes are made to discussions or files, and the built-in file versioning system.

 

Some Linux Network Scenarios

I encourage anyone who has the money to donate to these open source foundations. They really help cash-short companies and institutions. Don't get me wrong; the different flavors of Linux operating systems are high quality, dependable and the right choice for many production applications.

Debian is my preferred choice for my network and development Linux platforms. It is excellently supported and updated.

Almost everything that can be done with Windows Servers can be done on Linux servers but it's just done differently.

 

Linux Server as Domain Controller for Windows Domain

I like to use this scenario for small schools. All you do is run Samba on your Linux server. All client systems are Windows. Student users are set up with Roaming Profiles because they can't always get the same computer. The internet goes through a Squid Proxy server and a DansGuardian server to filter out any inappropriate websites. You need login scripts that modify the clients' registry to set Internet Explorer's proxy settings for the Squid Proxy server.
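One way to write that login script, as an added example that is not from the original page: it sets Internet Explorer's proxy values in the user's registry and then applies the "Disable changing proxy settings" policy value so a student cannot simply untick the proxy and walk around the DansGuardian filter. The Squid hostname and port are assumed, and PowerShell is assumed to be available on the Windows clients (the Samba logon script would launch it).

```powershell
# Added example: per-user logon script for the Squid/DansGuardian proxy. Assumed values:
# proxy host squid.school.local, port 3128 (Squid's default).
$proxy = "squid.school.local:3128"
$ie  = "HKCU:\Software\Microsoft\Windows\CurrentVersion\Internet Settings"
$pol = "HKCU:\Software\Policies\Microsoft\Internet Explorer\Control Panel"

# The three values the Internet Options > Connections > LAN Settings dialog writes
Set-ItemProperty -Path $ie -Name ProxyEnable   -Value 1       -Type DWord
Set-ItemProperty -Path $ie -Name ProxyServer   -Value $proxy  -Type String
Set-ItemProperty -Path $ie -Name ProxyOverride -Value "<local>" -Type String   # intranet hosts bypass

# Weak version stops here: the user can reopen LAN Settings and switch the proxy off.
# Hardened version: the policy value "Proxy"=1 under Control Panel greys out those controls.
if (-not (Test-Path $pol)) { New-Item -Path $pol -Force | Out-Null }
Set-ItemProperty -Path $pol -Name Proxy -Value 1 -Type DWord

# Show what was applied (useful when troubleshooting a roaming profile that keeps stale values)
Get-ItemProperty -Path $ie -Name ProxyEnable,ProxyServer,ProxyOverride
```

The registry settings are only a client preference; the filter is actually enforced by the Linux router/firewall dropping direct outbound web traffic from the student LAN so that everything must pass through Squid.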

 

Linux Squid Proxy and Dansguardian Content Filter

The Squid Proxy server can be used on slow response internet connections (satellite) to try to boost page display speeds. Portions of webpages are cached. The cached portions are reused the next time instead of downloading them from the website.

DansGuardian is an excellent content filter. It will display a custom webpage if a user tries to access a website that has banned content. Banned content can be defined by URLs, IPs, keywords and regular expressions.

 

Linux Routers

Put a wireless card and an ethernet card into a small form factor PC and presto you have a wireless router. Linux systems can be made to operate as bridges, routers and firewalls. Get a load of cheap computers. Configure one for the application and clone the rest from it. Roll them out.

 

Embedded Linux

I researched Windows CE and Embedded Linux for an R&D project. Both were great but costs were lower going with Embedded Linux. With Embedded Linux I didn't have to worry about software licensing or purchasing development software. I used GNU C++ to write the programs for device operation and OpenSSL for network communications.

Embedded boards have what is called GPIO (General Purpose IO). GPIO is used to turn on motors, sense button presses, activate actuators and, among many other things, turn on lights.

The range of uses for embedded boards and their accessories is staggering. Some examples are cell phones, PDAs, handheld gaming systems and outdoor kiosks.

 

Network Electronics

Network Card

A network card or NIC (Network Interface Card) comes in many flavors. Some common types are for wire cable, wireless (radio) and fiber optics. For the Ethernet protocol each network card has a unique MAC (Media Access Control) address. NICs will only respond to communications addressed to them. This can be misleading because the NIC actually receives every transmission on its segment and simply discards the ones not addressed to it. That is how network packet analyzers work: they put the network card into promiscuous mode so it passes up all network transmissions instead of discarding them.

 

Hub

When a hub receives a network transmission it repeats the transmission on all its ports. You can make a basic hub by putting multiple jacks on the same Cat5 cable. Hubs have high collision rates. To keep collisions down more subnets are required.

 

Switch

These look like hubs but function very differently. When a switch receives a network transmission it only repeats it on the port that has the computer the transmission was meant for. Switches are fast and have low collision rates. Higher-end units have management software.

 

Router

Routers are designed to connect networks together and control how communications between networks are processed. Most routers have WAN (Wide Area Network) and LAN (Local Area Network) ports specified. The WAN (outside) port is typically where your internet connection would be connected. LAN (inside) ports are for computers and switches.

A firewall is usually integrated into the router. Routers with firewalls are a physical separation between the internet and your computers. With a router firewall you don't need to have firewall software running on your computers.

In my experience Cisco routers are the best. I really like the Cisco IOS command line. Cisco routers have a great network statistics exporter called "NetFlow". I use this with a free NetLister utility to troubleshoot network performance issues.

 

Cisco 1811 and 1921 Router Configuration Examples

 

Below are example Cisco 1811 running configurations for a HUB and SPOKE IPSEC VPN. The VPN connects and stays connected only after one of the devices in the remote sites tries to communicate with an IP resource on the HUB side of the VPN.

  1. Cisco 1811 VPN HUB configuration
  2. Cisco 1811 VPN SPOKE configuration

Below are example Cisco 1921 running configurations for a HUB and SPOKE IPSEC VPN. I have also configured this router for two ISP internet connections. One ISP is used for general internet access and the other for core business communications and services. The WAN connections are configured to fail over NAT so server services continue to be available to the internet.

  1. Cisco 1921 VPN HUB configuration with two internet connections and NAT failover
  2. Cisco 1921 VPN SPOKE configuration with IP SLA to keep routing working to remote networks
 

Wireless Router

Wireless router models are capable of a specific range of protocols. WLAN (Wireless Local Area Network) protocols are typically backward compatible. The newer the protocol the more bandwidth it can handle. All a wireless router does is substitute radios for hardwire. Keep in mind that wireless networks are bound to be more problematic due to inherent radio issues.

For professional 68' tower wireless I like to use EnGenius ECB 3500 long range wireless bridges. The software that comes with an ECB 3500 isn't the best and is problematic. This bridge really shines once you change the firmware to DD-WRT. In DD-WRT you can export network statistics by enabling "RFLOW", which supplies some of the same information that Cisco "NetFlow" offers.

 

Satellite

Please don't confuse radio communication using radio towers with satellite communications. I know this sounds straightforward, but the reality is that some people don't really know that satellites are in space and about 26,000 miles away. Wireless internet that uses towers has much faster response times. Satellite, on the other hand, has to transmit into space 26,000 miles. That signal is bounced back to Earth another 26,000 miles to a central communications center. Then the signal bounces around some countries to the end point, after which the return transmission follows the reverse course. Needless to say this takes a lot longer than regular communications. Don't get me wrong. Satellite is sometimes the only option and download bandwidth can be very high. Upload bandwidth is quite expensive.

For satellite data communications you need a satellite dish, radio transmitter, radio receiver and some software. Satellite radio frequencies are so high that getting in front of the dish is very dangerous for your health.

 
The best way to contact Chad is by email at info@protechs-online.com.
Copyright © 2013 ProTechs-Online.com; All rights reserved.