Friday, March 27, 2015

Microsoft 70-410 - Configuring Servers

These are study notes for Microsoft 70-410 dealing with Servers and Hyper-V. This is again from the google spreadsheet here.


Port mirroringmonitors traffic at a VM level
Network Adapter Meteringshow how much bandwidth is used by a specific VM, done by ACLs
PVLAN in promiscuous modecommunicates with all ports in the same VLAN
PVLAN in community modecommunicates with all ports in the same VLAN and the same community
PVLAN in isolated modecommunicates with promisicuous ports on the same VLAN
vRSSvirtual Recieve side scaling - offloads network traffic to processors, so to increase bandwidth, increase cores
SR-IOVSingle Root I/O Virtualization - allows network traffic to bypass Hyper-V switch to improve performance. Can't be used with NIC Teaming. Offloads traffic from CPU's to physical adapter
NIC Teamingdistributes traffic over multiple adapters. implemented in Host OS, not Guest but can't be used with SR-IOV, IF using you need to create a vswitch that uses the team, To enable for the VM, you need to change an advanced feature or it doesn't use.
Switch independent Teaming modeused if no teaming is supported on a switch
Static Teaming Nic teaming modeplugged into the same switch
LACPplugged into same switch and uses the LACP protocol to automatically configure teaming
generation 2 VMrequires 2012 R2, supports PXE boot, virtual SCSI device and Secure boot
Windows Filtering Platform (WFP)filters and modifies TCP/IP packets in realtime enabled by default on new virtual switches
virutal Fibre Channela virtual adapter at the VM level that always access to a SAN LUN
emulated SCSI controllercan be used to attach VHDs to a VM
Host Bus Adapter (HBA)added to the host and is the mechanism that allows support of the virtual fibre channel
Offloaded Data Transferfeature in 2012 to enable more efficient processing of large stat transfers, requires a vhd on supported hardware and mounted as either virtual scsi or pass through
VirtualSubnetIDfunctions as a broadcast domain similar to a VLAN. 0 = cleared, valid ID's are in the range of 4096 and 16777215
NUMA TopologyNon-Uniform Memory Access, Is a hyper-v feature that is not compatabile with dynaminc Memory. It allows a vm to optimize assignment of virtual RAM and VCPUs but also requires NUMA aware services like SQL.It ties the vCPU and memory to the physical nodes where it is effective.
Enhanced Session ModeEnabled on the host to do things like allow redirection of local devices and resources from computer running the virtual machine connection
Virtual SwitchHost level virtual switch management, includes External, Internal, and Private
Access Based Enumeration (ABE)will only display the available files and folders to a user based on their rights
VMChimneyA Hyper-V feature that can be used to offload external virtual network adapters to a physical network adapter
Sync ClockHandles Hyper-V guest time syncronization to fight drift with the time synchronization intergration service
Web Service ScannersSupports network connected image scanners and printers. Uses WSD(Web Services for Devices) Scan driver and the Windows Image Acquistion (WIA)
Powershell Web Access GatewayA feature that gives you acess to power via a web browser portal. It is a role that can be added and and also requires a web server role installed. After installed, you need to add an authorization rule. 

Microsoft 70-410 Installing and Configuring Windows Server 2012 Powershell Commands Study Guide

Here are the list of Powershell commands I came across while studying for the Microsoft 70-410 test.

I have made a google docs spreadsheet of these, and that link is accessible here for a more convenient format. This is not an exhaustive list, but should help with test crunch

CommandDescription
Enable-NetFirewallRuleenables a disabled firewall rule
Get-NetFirewallProfileretrieve information that is presented on the Windows Firewall with Advanced Security Properties MMC Console, with the tabs for Domain, Private and Public profiles.
Get-NetFirewallSettingretrieve global firewall settings. Does not matter what profile is in use.
Set-NetFirewallInterfaceFiltermodifies interfaces attached to firewall rules
Get-NetFirewallRulegets firewall rules from a computer. -policystore and grab all rules applied
Disable-NetFirewallRuleDisables an existing firewall rule, you can use -displayname to specifiy the rule
Get-NetFirewallAddressFiltergets the filtered ip addresses assigned to firewall rules
Remove-NetFirewallRuledeletes one or more firewall rules from policy store
Set-NetFirewallAddressFilterchanges the local or remote ip address filters assigned to a rule
Copy-NetFirewallRulecopy a firewall rule as well as any associated filters to a policy store. This will make copy of all firewall to the new policy store.
New-NetFirewallRulecreates a firewall rule that can be inbound or outbond
Set-NetFirewallRulechanges the existing firewall rule
Set-NetFirewallSettingchanges properties that apply to firewall and is not dependent on profile, it is a global setting
Show-NetFirewallRuledisplays firewall rules in a policy store
Rename-NetFirewallRuleRenames a firewall rule
Set-NetFirewallProfilechange profile level settings like enabling/disabling profile or changing logging for profiles including domain, public, private, and global
New-VHDCreates a New VHD in Hyper-V environments
Set-VMHostwith resourcemetering save interval parameter can specify how often data that tracks resources will be saved
create vdisk diskpartCreates a new virtual disk to be added to a system, it still must be initialized, partioned, formatted and assigned
New-VirtualDiskUsed for managing virtual disk properties in the Storage Spaces Disk Pool
Rename-VMUsed to change a VM name in Hyper-V manager
Set-VMchanges virtual machine settings, for example memory, cpu, autostart and autostop details
Set-VHDmanages VHD properties like physical sector size or parent VHD files
Measure-VMDesigned for reporting resource utilization data for one or more VMs, but it must first be enable at the host level
Rename-ItemCan be used to rename VHD's and other files
Enable-VMResourceMeteringdesigned to enable resource metering for a specific VM
Get-Countergets the memory from performance counters which can only get memory usage by OS or maximum amount configured, not what Hyper-V has allocated
Get-VMMemoryshows the VM's configured memory not actaul usage
Add disk diskpartCreates a mirror of a simple volume
Set-ItemCan be used to do things like add servers to a managed servers trusted host list
Set-ItemPropertycan be used to do things like change or add registry entries to overide UAC to permit access
Add-DNSserverResourceRecordcreates resource records inside a zone
Add-DNSServerPrimaryZoneCreates a new primary zone, For example "GlobalNames" which can replace WINS
Add-DNSserverForwarderadds forwarders to forward dns queries to other zones
Add-DNSserverResourceRecordDScreates DNSSEC resource records inside a zone
Disable-ADAccountdisables an ad account
Enable-ADAccountenables an ad account
Set-ADAccountExpirationsets an account expiration date
Set-ADuserconfigure properties of the account
remove-AdUserremoves Ad user accounts
Clear-ADAccountExprationcan set a user account to have no expiration date
Set-AddAccountPasswordconfigures the password of an ad account
Unlock-AdAccountunlock and ad user whose account has been locked out
Get-AdComputerUse to get information about the computer, for example -lastlogontimestamp parameter could be used to find the last time the computer logged on to the network or did something like reboot *****This was a test question for me based on this and dsquery -o
Get-ADGroupMembergets ad members in a specific group
Add-ADgroupMemberadd ad members to a group
Get-ADGroupuse to check for groups that match certain input criteria
Set-AdComputerchanges properties of a computer object like sAMAccountName, DNSHostname and Description
Set-ADObjectmodifies Active Directory Object properties and can do things like enable the global catalog
Set-ADDomainchanges properties of the domain such as DNS suffix, managed by or last logon replication interval
Set-ADOrganizationalUnitmodifies the attribute properties of an OU
new-netroutedefine interface to advertise ipv6 address out of and add to routing table
set-netipinterfaceAllow the interface to advertise the IPv6 address out of the interface
Set-NetIsatapConfigurationDefine the router and enable isatap on that router because it is disabled by default, also enables isatap on a client
Get-NetIPAddressget interfaces that is being used by ISATAP
Restart-ServiceCan be used to restart services like dns
Set-AppLockerPolicychange the properties of an existing applocker policy and can merge two policy with the -merge parameter
Set-AppLockerFileInformationgets applocker info from file or event logs
Get-AppLockerPolicygets an existing applocker policy
Import-GPOimports GPOs that have been backed up into GPO
New-GPOCreate a new GPO policy tath could include an applocker policy
Test-AppLockerPolicyTest whether specific files are allowed on local computer for specific user
DSCConfigurationNameCreatedAsAFunctioncall this configuraiton name with the -machinename parameter specified to to create the folder and MOF file that will be used in the DSCConfiguration
Start-DscConfigurationcalls the MOF file that will apply the DSC configuration
Test-DscConfigurationwill compare current standard to dsc drift
Set-GPPermissionchange the permissions of group policy objects in Active Directory
Get-GPPermissionretrieve permissions on existing group policies
Set-GPLinkused to link or unlink group policy objects
Set-GPInheritancesets an inheritance link for group policy objects
uninstall-WindowsFeatureuninstalls a windows feature, use the remove option to delete the feature from the harddisk
Install-WindowsFeature (Server-Gui-Mgmt-Infra)Installs the minimal server interface including Server Manager, MMC, Powershell and command line
Install-WindowsFeature (Server-Gui-Shell)depends on minimal interface and includes Desktop, Start Screen, Explorer, and Internet Explorer
Install-ADDSDomainused to install a new AD domain
Add-ADDSReadOnlyDomainControllerAccountIt is used to create a read-only domain controller
Install-ADDSDomainControllerinstalls a domain controller in a new or existing domain
Install-ADDSForestinstall a new AD forest
Add-VMNetworkAdapterACLapplies and ACL to traffic through a virtual machine network adapter
Add-PSWAAuthorizationRuleadds an authorization rule for the powershell web access gateway, inlcuding computers, users and credentials
Remove-PSWaAuthorizationRuleRemoves a specified rule from powershell web access gateway
Get-PswaAuthorizationRuleGets the poweshell web access gateway rules
test-PswaAuthorizationRuletest a rule to determine if a specific user or computer has access

Thursday, March 19, 2015

Cisco EIGRP to Extreme OSPF Route Migration and Redistribution

This post will describe some of the configuration necessary to use a Cisco switch running EIGRP and redistribute routes between EIGRP and OSPF for a device that is not Cisco, in this case Extreme Networks. The steps in this post should work for any router that can run open standards like OSPF.

The network design is as follows:


In this configuration the network 172.31.1.0/30 is a point to point link with using VLAN tag 302. The extreme configuration for this with the port/interface on the Extreme side being 1:1 (first port in the first slot) would be

create vlan p2pToCisco
configure vlan p2pToCisco tag 302
configure vlan p2pToCisco add ports 1:1 tagged
configure vlan p2pToCisco ipaddress 172.31.1.2 255.255.255.252

The following commands configure ospf on the Extreme switch assigning it to area 0.0.0.0. You would also add any other networks such as the 10.10.x.0/24 networks to this ospf area. The ospf link-type of point-to-point is used for point to point connections. The passive type is for networks that will not connect to any other ospf areas. The default for Cisco is a type called broadcast.

configure ospf routerid 1.1.1.1
configure ospf add vlan p2pToCisco area 0.0.0.0 link-type point-to-point
configure ospf vlan p2pToCisco priority 0
configure ospf vlan (OtherVlans) area 0.0.0.0 passive
enable ospf

To verify configuration you can run the commands 
show iproute, show ospf, and show ospf lsdb detail


On the Cisco side which will be doing the route redistribution the configuration is as follows.

On the VLAN interface you must set the ospf network type to point to point by default when you create the ospf router this will have an ospf type of broadcast. With that you will see the Cisco and the Extreme create an OSPF Full peer status and using when looking at the link state database you may see the networks but they will not enter the routing table.

interface Vlan302
 description Interface for point to point to Extreme
 ip address 172.31.1.1 255.255.255.252
 ip ospf network point-to-point

!

On the EIGRP router you need to redistribute the routes into OSPF like the following example.

router eigrp 101
 network 169.254.10.32 0.0.0.31
 redistribute ospf 1 metric 1500 10 255 1 1500
 eigrp stub connected summary redistributed
!

On the OSPF router you also need to redistribute the EIGRP routes but you need to create a route-map filter to keep the summary addresses that OSPF feeds into EIGRP from being redistributed back into OSPF creating a routing loop.

To create a route-map match list preventing 10.0.0.0/8 summaries from being reinjected into the route table use the following.

ip prefix-list eigrp-to-ospf seq 5 deny 10.0.0.0/8
ip prefix-list eigrp-to-ospf seq 10 permit 0.0.0.0/0 le 32
route-map eigrp-to-ospf permit 10
 match ip address prefix-list eigrp-to-ospf

The following is what the OSPF router configuration would look like

router ospf 1
 log-adjacency-changes
 redistribute eigrp 101 metric-type 1 subnets route-map eigrp-to-ospf
 network 172.31.1.0 0.0.0.3 area 0.0.0.0
!

Finally the following configuration will set the cisco interface to be a trunk to match the Extreme tagged VLAN. 

interface GigabitEthernet1/0/1
 description Uplink to Extreme 1:1
 switchport trunk encapsulation dot1q
 switchport trunk native vlan 999
 switchport mode trunk
!

Friday, February 27, 2015

The stapler that lets paper lay flat.

So I ran across this stapler thanks to a podcast, and had to post it on here because it does something so different from a regular stapler. It doesn't round the bottom of the stapler when it staples but lets it lay flat. This means that if you have a stack of papers with staples in the corner they won't pile up, but will lay flat.



Max Flat-Clinch Black Standard Stapler with 30 Sheet Capacity (HD-50DFBK)


Friday, February 20, 2015

How do I tell if I am at a Healthy Church?

This blog post is a companion of the sermon series currently at Theophilus Bible Church and essentially is trying to dig deeper to determine if I am at a healthy church and more importantly what makes up a healthy church. You need to determine the definition and components of that before you can make a quality statement regarding whether your church is healthy.

In asking if the church is healthy, I ask what would a Healthy church look like? This questions leads to the next question of what is the role or purpose of the church because a church should probably be considered healthy of it is fulfilling its role or purpose. To answer this question, we need to look at the bible and the words of the One who created the church God.

Role/Purpose of the Church
1. To be the Bride of Christ - Ephesians 5:25-27 and Revelation 19:7-9
     What does it mean to be a bride?

  • Pure and Spotless
  • An example that all want to look upon and see
  • Faithful
  • Waiting for the groom
2. To be the Light of the World - Matthew 5:14

  • Once again and example to all the world
  • To show the world the path through the darkness
  • To reveal the dark things that have been hidden
3 To be the Salt of the Earth - Matthew 5:14

  • to function as a preservative that sustains life
  • improves the flavor (makes life better)
  • Can be used for healing via antiseptic properties
  • not having Salt in the body will cause issues


Given these variety of things a simplified summarization is that the church is made up of individual Christians and "Christians make a difference in the world by being different from the world."

To put it another way and quote Beau Hughes from the Village Church who also preached on this topic. (If you want to hear some good messages on this topic I highly recommend this)
The dominant theme in Titus, therefore, is good works, that is, exemplary Christian behavior and that for the sake of outsiders.

In order to do this Paul gives Titus the duty to choose from among the people elders. Based on the requirements set forth in Titus (Titus 1:5-9) which are as followers.

  1. Above reproach - Means unable to be held with disapproval or disappointment. To understand this look at what is currently going on with Brian Williams. His job definition was to ensure he was above reproach. You can also see the fallout of what occurs when someone who is expected to be above reproach isn't.
  2. Husband of One Wife - There is debate about if this means every or currently particular concerning the issue of divorce. I don't know the position of Theophilus Bible Church but my personal opinion is if a divorce occurred before a man became a believer, it does not disqualify him because he received is new life when he accepted Christ. If he divorced after being a professing believer it should disqualify him.
  3. Having children who believe and are not accused of dissipation or rebellion - Provides evidence that he can properly lead his family and also removes another thing that those outside the church could point to as evidence Christians are the same as everyone else.
  4. Not self-willed
  5. not quick-tempered
  6. not addicted to wine
  7. not pugnacious - definition of pugnacious is "eager or quick to argue, quarrel or fight
  8. not fond of sordid gain - success or gain through morally ignoble or vile means
  9. be hospitable
  10. loving what is good
  11. loving what is sensible
  12. loving what is just
  13. loving what is devout
  14. loving what is self-controlled
  15. holding fast the faithful word which is in accordance with the teaching
  16. be able to exhort in sound doctrine - exhort means to give advise, caution earnestly or admonish urgently - thereby requiring knowledge of scripture to provide answers to those seeking
  17. refute those who contradict - also requires knowing scripture to be able to push against in correct doctrine or interpretation of the Word
This list of things is something that we really all should be trying to reach and attain for. What is pointed out is those who are leading us should be a model even in their human imperfection that we can look to as an example or a standard bearer.

Ask yourself, which of these areas are you weakest in? What are you doing to make progress in those areas so your life is a better example to those around you?

I also want to say when you look at this you might see it as perfect that you can't attain that is true for all of us and will only be resolved when we are with Christ having shed this body that has the sinful nature in it. What is more important is the trajectory. What trajectory are you on and what trajectory is the church on. Where is it going and how fast. Maybe you look at yourself in the mirror and find you are lower than you would like and there are a lot of places you could improve, that is great because to means you can go through the growth faster. Maybe you look at yourself though and see a person who has labored and prayed for years to be everything that God has called you to be so you are higher in your process than someone who is just starting out, but the path and rate of change isn't as steep because of that.

In either case, remember not to be discouraged but instead pray, pursue and model Christ for he will bring you a greater joy and through that both you and the church will grow healthier.


Wednesday, February 11, 2015

How to Bridge from Wifi Hotspot (Mifi) to Wired Connection

Sometimes you will find yourself in a location or area that doesn't have good access to a wired internet connection and what you are doing requires it. I searched the internet for a while to find something that works and was finally  about a product that can do that inexpensively serving as a wireless client. It is the product below and was available from Amazon under $20.


TP-LINK TL-WR702N Wireless N150 Travel Router, Nano Size, Router/AP/Client/Bridge/Repeater Modes, 150Mpbs, USB Powered

Here is an image of the device with the power cord it comes with and a patch cable to demonstrate the size.
When the device boots up it will be initially broadcasting as a wireless router. You can change this to the client network mode and attach it to a mobile hotspot or other wireless network.

Friday, February 6, 2015

Cloud Based Wireless Vendor Comparison Matrix

As an System Engineer for a Value Added Reseller doing a lot of time responding to the latest changes in the FCC's erate proposal. In order to give a better solution to the customer, I created a spreadsheet looking at the various features of the following competitive solutions.

Extreme Networks (which we sell and I install)
Aruba
Meraki
Aerohive

Some notes and disclaimers. This matrix was created by using the test or evaluations available for and for some examples like Aruba clearpass youtube videos and datasheets. Due to the way technology works, this is a point in time snapshot of features around the time of first of the year 2015. I am sure there are features that each vendor will argue about and disagree and see their solution is better, but this was as agnostic of an approach as I could take because its purpose was to help our sales people know when to and when not to chase business based on customer pain points.

For a brief synopsis of the various solutions.

Meraki - Excellent at small, multiple location deployments and staff with very little experience. Larger lifetime costs because of license model. ( Well and also probably because it carries the Cisco name and people pay more just for that.)

Aerohive - Basic AP settings, will work for multiple location deployment but limited feature set

Extreme Networks - Excels in high dense, highly complex environments with a great deal of flexibility. Initial install is more complicated than Meraki, but easy to use thereafter.

Aruba - similar to extreme networks particularly when including clearpass.

So now for the Wireless Vendor comparison matrix.

Extreme Cloud Hosted - With Identity and Access Extreme On Premise Hosted - With Identity Extreme Cloud Based - No Nac (priced as partner) Extreme Networks - On Prem no NAC (Purchased as normal) Meraki Aerohive Arbua Instant
Management Features
Accessible from anywhere via Web Yes No Yes No Yes Yes yes
Browser based management yes yes yes yes yes yes yes
Annaul AP License required Yes Yes Yes No YEs Yes yes
Usable if license expires if migrated local yes if migrated local yes no no yes
Fully Redudant Design Yes Yes Yes Yes Yes Yes yes
Zero touch AP Provisioning yes yes yes yes yes yes yes
Automatic firmware updates yes if managed but can be scheduled yes if managed, but can be scheduled yes if managed but can be scheduled no yes yes yes
802.11ac only requires PoE not POE+ yes yes yes yes no runs in low performance mode yes
Layer 3 roaming yes yes yes yes yes with limitations no yes
Guest/ Captive Portal Features
Guest Portal Support Yes Yes Yes Yes Yes Yes yes
Guest portal registration Yes Yes No No some yes no
Guest verification by SMS yes yes no no yes no no
Captive Portal registration Yes Yes No No no yes yes
Guest Portal Sponsorship yes yes no no no no not sure
Guest portal billable no no no no yes no no
Application and Integration Features
Layer 7 Application firewall no no no no yes no yes
URL filter no no no no yes no no
Integrates with Palo Alto yes yes no no no no yes
Integrates with Iboss yes yes no no no no no
Integrates with lightspeed yes yes no no no no no
Radio/Band Features
AP support 100+ Simulentanous clients Yes YES Yes Yes no no no
Per SSID bandwidth Limit per AP No No No NO Yes no yes
2.4Ghz and 5Ghz band steering yes yes yes yes yes yes yes
Load Balance clients in high density areas yes yes yes yes no no yes
Automatic RF Optimization yes yes yes yes yes yes yes
User/ Device Features
AD/LDAP user login Yes Yes Yes with external radius yes with external radius yes yes yes
AD user to group policy decisions yes yes no no no no yes
Mobile Device registration Yes Yes No No allow and deny only no without airwatch yes with clearpass
Allow or Deny access by Device type Yes Yes No No Yes no yes with clear pass
Dynamically change policy by device type Yes Yes no no no no yes with policy enforcement firewall
User based reporting and lookup Yes Yes No No some no yes with clear pass
Per User bandwidth Limit Yes Yes Yes Yes Yes no yes
multiple VLANs, device typein  1 SSID yes yes yes yes no no yes


Finally when looking at costs of these various solutions, I worked up a couple of models to best approximate some costs based on realistic numbers not list price. These are NOT set it stone as vendors can adjust margins/discounts but it should give you an approximation.

So the following is for 100 3x3:3 access points from each vendor. The Extreme Networks price includes installation the other vendors do not.