Setting IP addresses on a UAG DirectAccess Server

2010-Apr-30 3 comments
NOTE:
I have written a much more comprehensive guide on UAG DirectAccess that you can find on my Concurrency Blog. This particular article has also been updated and can be found there as Part 1 of the series.

DirectAccess is pretty cool stuff, but getting started with it might send your head spinning if you haven’t done it before. One of the first things you need to do before configuring DirectAccess is to correctly set up the IP addresses of your server.

I will assume you are not using IPv6 for anything else right now. This TechNet article is a good starting point.

Your UAG server will act as an entry point into your network from the outside Internet, so you need two network interfaces. One will be connected to your network (AKA Internal NIC or Inside Interface) and the other will be connected to the Internet or perhaps to your DMZ (AKA External NIC or Outside Interface). Here are a few things to focus on when setting up your IP addresses.

Remove the gateway from the Internal NIC

The Gateway needs to be set on the External NIC so that all traffic that is not bound for something within your Windows Domain is treated as “External” and gets routed through its outside interface (its own internet connection).

Add Static Routes for any private subnets to the Internal NIC

Because the External NIC gets the gateway setting, the Internal NIC should NOT have a default gateway. But what if you have multiple subnets or VLANs in your domain? Without a gateway on the Internal NIC, your server will not be able to talk outside of its own subnet. You fix that by defining persistent static routes on the Internal NIC. Any traffic destined for an IP within the range of a defined route will traverse your Internal NIC and anything else will go through the default gateway (aka default route).

I like to get the list of Subnets as shown in the AD Sites and Services MMC and then run the command below for each one. NOTE: In slash notation a /16 is 255.255.0.0 and /24 is 255.255.255.0. All routes get “metric 1” and -p makes it persistent.

> route add [NETWORK] mask [SUBNET] [GATEWAY] metric 1 -p

So if your UAG server has an internal IPv4 address of 192.168.1.50 and uses 192.168.1.1 as its gateway, but you also have a 10.10.0.0 network, you would add it like this:

> route add 10.10.0.0 mask 255.255.0.0 192.168.1.1 metric 1 -p
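
To produce those commands for a whole list of subnets, here is an added Python example (not part of the original post). The /24 prefix on the internal NIC and the 172.16.5.0/24 subnet are assumptions made for illustration; the function skips subnets that are already on-link and refuses a 0.0.0.0/0 entry, since the default route belongs on the External NIC.

```python
import ipaddress


def plan_internal_routes(nic_cidr, gateway, ad_subnets):
    """Build persistent `route add` lines for the Internal NIC.

    nic_cidr   -- internal address with prefix length, e.g. "192.168.1.50/24"
    gateway    -- internal router used as next hop for the other subnets
    ad_subnets -- CIDR strings copied from AD Sites and Services
    """
    nic = ipaddress.IPv4Interface(nic_cidr)
    gw = ipaddress.IPv4Address(gateway)
    if gw not in nic.network:
        raise ValueError(f"gateway {gw} is not on the internal subnet {nic.network}")

    commands, seen = [], set()
    for text in ad_subnets:
        # strict=True rejects entries with host bits set, e.g. "10.10.1.0/16"
        net = ipaddress.IPv4Network(text.strip(), strict=True)
        if net.prefixlen == 0:
            raise ValueError("0.0.0.0/0 is a default route; it belongs on the External NIC")
        if net.subnet_of(nic.network) or net in seen:
            continue  # already on-link through the Internal NIC, or a duplicate
        seen.add(net)
        commands.append(
            f"route add {net.network_address} mask {net.netmask} {gw} metric 1 -p"
        )
    return commands


# Constructed input: the post's 192.168.1.50 / 192.168.1.1 / 10.10.0.0 example,
# with an assumed /24 on the internal NIC and one extra made-up subnet.
SAMPLE_SUBNETS = ["192.168.1.0/24", "10.10.0.0/16", "172.16.5.0/24", "10.10.0.0/16"]

if __name__ == "__main__":
    for line in plan_internal_routes("192.168.1.50/24", "192.168.1.1", SAMPLE_SUBNETS):
        print(line)
```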

Set the IPv6 Address to the HEX of your IPv4 address

If your network is 100% IPv4, meaning all your IP addresses are the traditional “dotted quad” a.b.c.d style, then you do not have any IPv6 addresses to worry about and it means you will be using ISATAP (see here). This seems to be the most common scenario (this TechNet article calls it “Scenario #3” actually). That scenario also states that you will not need to assign an IPv6 address.

However, you must leave IPv6 enabled, and that leaves it seeking out a DHCP server, so I still like to assign an address. The confusing bit is how do you know what IPv6 address to use? The quick way is to sort of convert your IPv4 address and you can do that using the converter at SubnetOnline. You want to know how it works? You take your IPv4 address, convert each octet into its hexadecimal value (here’s a tool for that). Then combine those values with a prefix of fe80::5efe. For example, let’s use 192.168.1.50.

So 192.168.1.50 becomes fe80:0000:0000:0000:0000:5efe:c0a8:0132. An IPv6 address is made up of eight groups of hexadecimal quartets separated by colons. This fixed format allows some tricks to be used in order to reduce the length of an IPv6 address for us humans to read. It’s called shorthand notation when you eliminate all leading 0’s and completely omit groups that are all 0’s. So fe80:0000:0000:0000:0000:5efe:c0a8:0132 becomes fe80::5efe:c0a8:132 but means exactly the same thing. You can read more about IPv6 notation at IPv6.com and about ISATAP on Wikipedia.
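
The same conversion in code, as an added Python example that is not part of the original post. It builds the address from the fe80::5efe prefix and the IPv4 bits, prints both the long and the shorthand form, and also works in reverse so you can check that the IPv6 address typed into a NIC really matches its IPv4 address; the function names are made up for this example.

```python
import ipaddress

LINK_LOCAL = 0xFE80 << 112   # fe80 in the first 16-bit group
ISATAP_ID = 0x5EFE << 32     # 0000:5efe in groups five and six


def octets_as_hex(ipv4_text):
    """Each octet as two hex digits: 192.168.1.50 -> ['c0', 'a8', '01', '32']."""
    return [f"{b:02x}" for b in ipaddress.IPv4Address(ipv4_text).packed]


def isatap_link_local(ipv4_text):
    """fe80::5efe followed by the 32 bits of the IPv4 address."""
    v4 = ipaddress.IPv4Address(ipv4_text)
    return ipaddress.IPv6Address(LINK_LOCAL | ISATAP_ID | int(v4))


def embedded_ipv4(ipv6_text):
    """Reverse direction: recover the IPv4 address, or fail if the prefix differs."""
    value = int(ipaddress.IPv6Address(ipv6_text))
    if value >> 32 != (LINK_LOCAL | ISATAP_ID) >> 32:
        raise ValueError(f"{ipv6_text} is not an fe80::5efe ISATAP address")
    return ipaddress.IPv4Address(value & 0xFFFFFFFF)


def check_assignment(ipv4_text, ipv6_text):
    """True when the IPv6 address set on the NIC matches its IPv4 address."""
    return embedded_ipv4(ipv6_text) == ipaddress.IPv4Address(ipv4_text)


if __name__ == "__main__":
    addr = isatap_link_local("192.168.1.50")
    print(octets_as_hex("192.168.1.50"))
    print(addr.exploded)     # long form, all eight groups written out
    print(addr.compressed)   # shorthand notation
    print(check_assignment("192.168.1.50", "fe80::5efe:c0a8:132"))
```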

No DNS on the External NIC

Make sure the Internal Interface is the only one configured with DNS servers and do not register the external interface with DNS. Also, uncheck File and Printer Sharing for Microsoft Networks, uncheck Client for Microsoft Networks, and from the advanced settings you should uncheck NetBIOS over TCP/IP.

Change Binding Order

I am not sure this makes much of a difference really, but while troubleshooting another issue with Microsoft, they had me change the binding order under the Advanced Settings of the Network Connections Control Panel. Just hit Alt to bring up the Advanced menu, select Advanced settings and then move the Internal NIC to the top of the list.

Once you have this done, the last thing you need to do (or perhaps first thing you should have done) is to make sure the NICs are actually attached to the correct networks. Ensure that the routing on your switches and gateways is set up correctly and if you’re using a VM that your virtual networks are configured correctly to allow access to the two network segments.

Now you can move on to actually configuring DirectAccess itself.

Note: Jason Jones, a Forefront MVP, also has a good post on this topic.

Categories: DirectAccess, UAG

BITS and SCCM Software Updates

Recently I had an SCCM client with several errors related to WSUS 6703 saying something to the effect of “License agreement not ready” or “Failed to sync some of the updates”. After making sure that the WSUS server was set to save the update files locally and the various folders had the correct permissions, I started looking into some of the other log files.

Now I should segue for a moment here and suggest, strongly, that you use the Trace32 utility which is part of the System Center Configuration Manager 2007 Toolkit. It will add years to your life. Honest.

Looking at C:\Program Files\Update Services\LogFiles\SoftwareDistribution.log I saw errors like this:
Content file download failed. Reason: The server does not support the necessary HTTP protocol. Background Intelligent Transfer Service (BITS) requires that the server support the Range protocol header.

Here’s a good KB article on that topic.

I wanted to test this outside the context of SCCM, so I dug around a bit until I discovered BITSAdmin.exe. This awesome app is baked right into Vista, Windows 7 and Windows Server 2008 so there’s nothing to install, just run it. And it’s easy too:

> BITSAdmin /TRANSFER test http://somesite.com/path/to/file.exe d:\download\file.exe

When it’s working it looks like this:

When it’s not, you might see something like this:

In the end, the fix was to modify the client’s Fortigate firewall and re-run the Update Sync (twice) and then the errors were gone.
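
To check the Range requirement named in that log message without involving SCCM or BITS, here is an added Python example (not from the original post) that sends a ranged GET and classifies the reply. The two local test servers, the payload and the path /file.exe are constructed stand-ins: one honors Range, the other behaves like a server or an in-path device that ignores it.

```python
import http.client
import re
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PAYLOAD = bytes(range(256)) * 4   # constructed 1 KiB stand-in for an update file


def assess_range_reply(status, content_range, body_len, first, last):
    """Classify the reply to a 'Range: bytes=first-last' request."""
    want = last - first + 1
    m = re.fullmatch(r"bytes (\d+)-(\d+)/(\d+|\*)", content_range or "")
    if status == 206 and m and (int(m[1]), int(m[2])) == (first, last) and body_len == want:
        return "range-honored"
    if status == 200:
        return "range-ignored"    # whole file came back: Range unsupported or dropped in transit
    if status == 206:
        return "range-malformed"  # partial reply that does not match what was asked for
    return "request-failed"


def probe(host, port, path, first=10, last=19):
    """Ask for a small byte range and report how the far end treated it."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request("GET", path, headers={"Range": f"bytes={first}-{last}"})
        resp = conn.getresponse()
        body = resp.read()
        return assess_range_reply(resp.status, resp.getheader("Content-Range"),
                                  len(body), first, last)
    finally:
        conn.close()


def make_handler(honor_range):
    """Local test server: honor_range=False mimics a path that ignores Range."""
    class Handler(BaseHTTPRequestHandler):
        def do_GET(self):
            m = re.fullmatch(r"bytes=(\d+)-(\d+)", self.headers.get("Range", ""))
            if honor_range and m and int(m[1]) <= int(m[2]) < len(PAYLOAD):
                start, end = int(m[1]), int(m[2])
                body = PAYLOAD[start:end + 1]
                self.send_response(206)
                self.send_header("Content-Range", f"bytes {start}-{end}/{len(PAYLOAD)}")
            else:
                body = PAYLOAD
                self.send_response(200)
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)

        def log_message(self, *args):
            pass  # keep the demo output quiet
    return Handler


def run_case(honor_range):
    server = HTTPServer(("127.0.0.1", 0), make_handler(honor_range))
    threading.Thread(target=server.serve_forever, daemon=True).start()
    try:
        return probe("127.0.0.1", server.server_address[1], "/file.exe")
    finally:
        server.shutdown()
        server.server_close()


if __name__ == "__main__":
    print("server honors Range  :", run_case(True))
    print("Range ignored on path:", run_case(False))
```

Pointing probe() at the real download URL from inside and outside the firewall shows on which side the Range header stops being honored.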

Video Playlist in MediaCenter

2010-Apr-05 2 comments

I have a couple of videos that would be really nice to have in a Playlist for use in Windows MediaCenter. For example, I have some cartoons that are really short and I just want to play them all back to back. Also, my wife has some exercise videos that can be played in different orders depending on the intensity of workout she wants to do. Rather than remembering which videos go in which order, she just wants to select the set for that day and get to sweatin’! There is a mechanism built into MediaCenter for building playlists for music, but how do you do this for videos? It’s simple, and you already have the tools to do it.

You start out by making a playlist in Windows Media Player (NOT Center). Just open Media Player and select “Playlists” on the left side. Now you can drag the video files into the right column where it says “Drag items here” in bold. You can drag files from within Media Player or from Windows Explorer if you like.

Once you have your playlist set the way you want, click the small “List Options” button in the upper right corner and select “Save List as…”

When saving the playlist, make sure you select “Any Playlist” as the type and change the file extension to “.ASX”. This is required since MediaCenter, for whatever reason, does not understand any other kind of playlist.

You can put this file wherever you want, but you probably want to put it someplace that MediaCenter can find it. Your Videos library is a good place to start.

In my case, I did not get a thumbnail, and it doesn’t show how long the playlist is, but it does play the videos one after the other.

Advanced tip: You can edit the .asx files in a text editor like Notepad and change some settings manually. One thing I like to do is adjust the path to my video files so they are relative to the location of my playlist as opposed to absolute paths. This lets me move my videos and playlists or read them from different computers and they still work.

If you think this process is a little too manual or “hackish”, there is a utility out there called “Windows 7 Media Playlist Creator” written by mbcrump that looks pretty straightforward to use but I haven’t tried it so I can’t really vouch for it.

Categories: MediaCenter

Change MediaCenter’s Aspect Ratio in Windowed Mode

Sometimes it’s nice to see what MediaCenter would look like in “Full-Screen” mode vs “Widescreen”. By default, MediaCenter will display the aspect ratio that is appropriate for your monitor or tv. So if you run a screen resolution of 1024×768 you’ll get a square “fullscreen” 4:3 display, if you run 1280×720 or 1920×1080 (HD resolutions) you’ll get “widescreen” 16:9. When you run MediaCenter in a window, as opposed to maximized, you can manually switch between these aspect ratios, and it’s really simple.

Just click the corner of the window as if you were going to resize it, and then hold the control key on your keyboard and drag the edge in or out. While it scales to size (aka “scaling”), it’ll eventually snap from one AR to the other.

When you maximize the window it’s still going to fill your display, so if you have a 4:3 display and drag MediaCenter to Widescreen it won’t letterbox the interface. Same goes for users with 16:9 or 16:10 displays, you won’t get sidebars.

If this helps you then please click the “Vote as Helpful” link on the left side of my post in the TechNet forums.

Categories: MediaCenter

Upgrading MSI’s with MSP’s

Some software vendors release updates in the form of MSP files. These patches cannot be deployed via Active Directory, but they can be applied to the original MSI and then re-deployed as a new package. For this example we’ll update Acrobat Reader 9.1.0 to 9.1.3. This process can be used on any application that uses MSP patch files (like the newer Acrobat Reader 9.3.1), but 9.1 makes a good example because there is a series of two patches required to get to 9.1.3.

Fetch the Installer

First, obtain the full MSI installation file for the version of the application that the MSP is meant to patch. Adobe makes it pretty straightforward for Acrobat Reader, just browse their FTP starting at ftp://ftp.adobe.com/pub/adobe/reader/win/ to navigate to the latest version. For this example, we want to pull the AdbeRdr910_en_US.msi from /9.x/9.1/enu/

Fetch the Patch(es)

Now grab the MSP patch files and save them to the same location that you put the MSI. In this case, 9.1.0 cannot go straight to 9.1.3, because you have to patch to 9.1.2 first, so grab both MSP files.
ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1.2/misc/AdbeRdrUpd912_all_incr.msp
ftp://ftp.adobe.com/pub/adobe/reader/win/9.x/9.1.3/misc/AdbeRdrUpd913_all_incr.msp

Apply the Patch(es)

Open a command prompt and apply the patches to the MSI by using MSIExec. You just need to use the /a switch to specify the application MSI file and the /p switch for the patch. If you have more than one patch, be sure to apply them in the correct order. Also keep in mind that this will alter the MSI file, so you may want to make a copy of it as a backup if you need to keep the original version around.

msiexec /a AdbeRdr910_en_US.msi /p AdbeRdrUpd912_all_incr.msp
msiexec /a AdbeRdr910_en_US.msi /p AdbeRdrUpd913_all_incr.msp

Rename the Updated MSI

The MSI file now contains the version of the application that you have applied, but the filename has not been changed to reflect that. It’s a good idea to rename the msi now so things don’t get confusing about what’s what.

move AdbeRdr910_en_US.msi AdbeRdr913_en_US.msi

Create a Transform (optional)

The last step would be to generate a Transform file (an .MST file) which is essentially a list of answers to the questions that might be asked during the install. Oftentimes you can also make more advanced changes to the installation such as registry edits and file exclusions using a transform. For Acrobat Reader, Adobe has a nice (and free) tool called the “Adobe Customization Wizard” that does a great job of helping you generate its MST file.

Install it

Now you can install the application! Just double click it, or if you have an MST you can install from command line or a script. This is how you can do a silent install.

msiexec /i AdbeRdr913_en_US.msi TRANSFORMS=AdbeRdr913_en_US.mst /qb!

Or you can get real fancy and install the new MSI package from Active Directory and deploy it via Group Policy.

Jumbo Frames on Hyper-V Server

2010-Jan-13 10 comments

Enabling Jumbo Frame support in Hyper-V Server 2008 R2 (or Windows Server Core) has proven to be a bit of an adventure.  It really just involves setting the MTU size, but it has to be done in the OS (to affect the TCP/IP stack) as well as the network cards’ driver.  Since Core versions of Windows do not have a network control, setting the MTU on the cards proves to be a bit of a trick.  This is what I had to do to enable Jumbo Frames on several iSCSI nics, and since it differs for Intel vs Broadcom adapters, there are two procedures.

I should point out that this does not address configuring the network switch that these nics are attached to.  That is a whole ‘nother can of worms, but suffice it to say that the switch must not only support Jumbo Frames but have that support enabled, along with a whole host of other settings.

Enable Jumbo Frames on the OS

The first thing you need to do is make sure that your server will allow jumbo frames.  You do this by setting the MTU on your adapters to 9000.  The easiest way to do this is by running a netsh command on each adapter you want to use Jumbo Frames.

Get a list of interface names by running “netsh int show int”:

Admin State    State          Type             Interface Name
-------------------------------------------------------------------------
Enabled        Disconnected   Dedicated        Local Area Connection 2
Enabled        Connected      Dedicated        Bcom-GB3-iSCSI-A
Enabled        Connected      Dedicated        Local Area Connection
Enabled        Connected      Dedicated        Local Area Connection 3
Enabled        Connected      Dedicated        Local Area Connection 4
Enabled        Connected      Dedicated        Bcom-GB4-iSCSI-B
Enabled        Connected      Dedicated        Intel-GB1-Guest-B
Enabled        Connected      Dedicated        Bcom-GB2-Guest-A
Enabled        Connected      Dedicated        Intel-GB2-Guest-C
Enabled        Connected      Dedicated        Bcom-GB1-Mgmnt
Enabled        Connected      Dedicated        Intel-GB3-iSCSI-C
Enabled        Connected      Dedicated        Intel-GB4-Migration

In this case I have already re-named the Interfaces that I intend to use for iSCSI.  You might just see a whole list of “Local Area Connection” interfaces.  You can use ipconfig or netsh to further identify which ones you want to use.

Now for each interface you want jumbo frames enabled, run this command:

netsh int ipv4 set subint "<Interface Name Goes Here>" mtu=9000 store=persistent

Now you have to configure Jumbo Frames in the driver for each interface.

Enable Jumbo Frames on Intel cards

The Intel driver stores its “Jumbo Frame” settings in the registry.  Thankfully, Hyper-V Server (and Windows Core) comes with Regedit, so you can just launch that from command line (regedit.exe) and browse to the following key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\services\Tcpip\Parameters\Interfaces

Here you will see all the network interfaces listed by GUID.  I have found that the easiest way to determine which GUID is which adapter is by finding the IP address and being able to correlate it to the right Interface name.

At this point you should start making a list to help keep things straight.  Copy the GUID into notepad and list the IP address next to it and do this for each card you want to configure.  So for this server, my list looks like this:

SERVERNAME {7A310D71-217C-4E4A-9DA7-43299A76CBD5} 172.16.0.9
SERVERNAME {7BC7F3B9-B245-4579-82CB-C94161BFDBC1} 172.16.0.7
SERVERNAME {8BA5076E-0FC3-4D20-9609-654F228EE6BD} 172.16.0.6
SERVERNAME {98ABBECA-B8A2-41D2-9550-8B571E50F49A} 172.16.0.8

Now we have to navigate to a new registry key to configure the driver.  Go here:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Class\{4D36E972-E325-11CE-BFC1-08002BE10318}

Here you will again see a list of all network interfaces, only this time they are under 4 digit identifiers.  From here, search for the GUID that you copied to your list and you should find it as the “NetCfgInstanceId” value of one of the adapters.  Once found, it’s not a bad idea to update your list to keep track of what’s what.  Mine looks like this now:

SERVERNAME {7A310D71-217C-4E4A-9DA7-43299A76CBD5} 172.16.0.9  0009 Intel
SERVERNAME {7BC7F3B9-B245-4579-82CB-C94161BFDBC1} 172.16.0.7  0005 Broadcom
SERVERNAME {8BA5076E-0FC3-4D20-9609-654F228EE6BD} 172.16.0.6  0004 Broadcom
SERVERNAME {98ABBECA-B8A2-41D2-9550-8B571E50F49A} 172.16.0.8  0008 Intel

Scroll up to find the “*JumboPacket” value and double click it to change the default value of 1514 to 9014.  Note that the extra 14 bytes here represent packet headers that normally are not counted in MTU size.

Repeat this for each Intel adapter you need to configure, and then reboot the server for the setting to take effect.

Enable Jumbo Frames on Broadcom cards

First make sure you have the latest Broadcom drivers.  Make sure you get the 2008 R2 x64 set.

If you haven’t already, then download and install the driver and then reboot the host.  Note: Make sure you migrate any existing guest servers off the host before you install the drivers.  The temporary outage of the card due to the update seems to make a failover cluster angry.

Now get the Broadcom Management Application suite.  Again, get the x64 set from the same page.

Install the management app.  I opted not to install the BASP component (see screenshot below) since we do not want failover or teaming in this scenario.  It’ll likely warn you that you need the dotNet Framework 2.0 and you should be able to ignore this because the installer just does not recognize the “Core” framework, but the application still runs.  To make sure you do in fact have the framework installed, run “oclist | findstr /i netfx” and look for a line stating that NetFx is installed.  For example, “Installed:NetFx2-ServerCore”.  If not, you can install it by running “start /w ocsetup NetFx2-ServerCore” or instead you can install dotNet 3.0 and 3.5 by running “start /w ocsetup NetFx3-ServerCore”.

From C:\Program Files\Broadcom\BACS run “BACSCLi” to run in interactive mode.  It will show you a list of all network adapter drivers installed.  You only care about the “NDIS” adapters so enter “list ndis” and you’ll see something like this:

C  MAC          Dev Type Name
-  ------------ -------- ----------------------------------------------------
0  001B214285B8 NDIS     [0000] Intel(R) Gigabit ET Quad Port Server Adapter
1  001B214285B9 NDIS     [0007] Intel(R) Gigabit ET Quad Port Server Adapter #2
2  001B214285BC NDIS     [0008] Intel(R) Gigabit ET Quad Port Server Adapter #3
3  001B214285BD NDIS     [0009] Intel(R) Gigabit ET Quad Port Server Adapter #4
4  0026B9429866 NDIS     [0002] Broadcom BCM5709C NetXtreme II GigE (NDIS VBDClient)
5  0026B9429868 NDIS     [0003] Broadcom BCM5709C NetXtreme II GigE (NDIS VBDClient) #2
6  0026B942986A NDIS     [0004] Broadcom BCM5709C NetXtreme II GigE (NDIS VBDClient) #3
7  0026B942986C NDIS     [0005] Broadcom BCM5709C NetXtreme II GigE (NDIS VBDClient) #4

If you did the Intel configuration you’ll notice the four digit number in square brackets of the Name field matches the Control\Class registry key.

Use some combination of “ipconfig /all” in another window or CtxAdmTools’ Visual Core Configurator 2008 or the four digit registry code to identify the adapter that you want to configure.  In this example we want Connection #6.  Select it by using “select 6” or whatever number is in the “C” column that matches your adapter.  Now validate that you have selected the correct adapter by reviewing some of its details.  Run “info” to see its MAC/IP, etc.

Vital Signs
-----------
MAC Address:              : 00-26-B9-42-98-6A
Permanent MAC Address:    : 00-26-B9-42-98-6A
IPV4 Address              : 172.16.0.6
Link Status               : UP
Duplex:                   : Full
Speed(in Mbps):           : 1000
Offload Capabilities      : TOE,LSO,CO,RSS
Mtu                       : 1500

Driver Information
-----------
Driver Status:            : Loaded
Driver Name:              : bxnd60a.sys
Driver Version:           : 5.0.13.0
Driver Date:              : 07/30/2009

Notice the MTU setting is set to 1500 by default.  Now run “cfg advanced” to list its advanced properties.

Advanced
--------
Ethernet@WireSpeed:                     Enable (Default)
Flow Control:                           Disable
IPv4 Checksum Offload:                  Tx/Rx enabled (Default)
IPv4 Large Send Offload:                Enable (Default)
IPv6 Checksum Offload:                  Tx/Rx enabled (Default)
IPv6 Large Send Offload:                Enable (Default)
Interrupt Moderation:                   Enable (Default)
Jumbo MTU:                              1500 (Default)
Locally Administered Address:           Not Present (Default)
Number Of RSS Queues:                   8 (Default)
Priority & VLAN:                        Priority & VLAN enabled (Default)
Receive Buffers:                        750 (Default)
Receive Side Scaling:                   Enable (Default)
Speed & Duplex:                         Auto (Default)
TCP Connection Offload (IPv4):          Enable (Default)
TCP Connection Offload (IPv6):          Enable (Default)
Transmit Buffers:                       1500 (Default)
VLAN ID:                                0 (Default)
Wake Up Capabilities:                   Both (Default)

Run “cfg advanced "Jumbo MTU"=9000” to set Jumbo frames to 9000 bytes.  Note that you do not have to account for the 14 bytes of header data here.  It’ll take a few seconds to apply the change but you should not need to reboot (yay!).  You can now run “cfg advanced” and “info” to list the settings and ensure that the MTU is in fact set to 9000.

You should also enable Flow Control for Transmit (Tx) and Receive (Rx).  With the correct adapter already selected, run “cfg advanced "Flow Control"="Rx & Tx enabled"”.

Once that is complete you can enter “q” to exit BACScli or start over using “list ndis” and select another interface to configure.  You can also use this utility to select non-Broadcom adapters to display some of their info like MTU size.

Testing Jumbo Frames

To test if Jumbo Frames are working you can ping another host target that also supports Jumbo Frames.  The easiest way that I have found to do this was to just change the IP of your test NIC and your test target NIC to something that no other adapter has.  This is because there is no way to tell Windows specifically what NIC to send traffic over, so setting the NICs to their own network IP space is the only way to ensure that the ping traverses a particular adapter.

For example, I changed the source test NIC to 172.16.1.4 and the target to 172.16.1.8 and no other adapters on either host were set in the 172.16.1.* range.

First try a normal “ping 172.16.1.8” and it should work fine.  Then use “ping -f -l 6000 172.16.1.8” to test jumbo frames and it should also work, only this time you’ll see it sending 6000 bytes instead of 32.

So that about covers it.  I had to do this for each of the 32 iSCSI nics spread across the 8 host servers, but it works!  You should be aware that if you do a driver update or if you share a NIC with a virtual network (as a Hyper-V Host) your settings may be lost and you’ll have to go through this again.

iPhone Mail Folders

When setting up my iPhone to work with Exchange over IMAP, I noticed that Apple and Microsoft have decided to use different names for a few standard mail folders.  Microsoft uses “Deleted Items” and “Sent Items”, but Apple uses “Deleted Messages” and “Sent Messages”.  The net result is when you send or delete a message on your iPhone, it puts them in a different folder than they would have gone into if you had instead sent or deleted it from Outlook or OWA.  It’s a pretty quick change to “fix” this.

On your iPhone, open the Settings app, go to Mail and select your IMAP account.  Scroll down and select Advanced.

 

Here you can set the location of your Sent and Deleted mail.

 

Just tap it and select Microsoft’s “Items” folders and you’re done.

Now from Outlook you can delete the “Messages” folders that your iPhone created.

Categories: iPhone