Unable To Update Default Global Address List After Killing Last Exchange 2003

September 8, 2009 in MS Exchange Server

As described in my earlier article, the public folder database is fully mounted, but I found a new problem: the Default Offline Address Book is not updated with any new changes or new mailboxes.

While diagnosing this issue, I found that manually updating the “Default Global Address List”, which is the source of the OAB content, produced the following warnings:

WARNING: The recipient “/Microsoft Exchange System Objects/Offline Address Book – \/o=First Organization\/cn=addrlists\/cn=oab” is invalid and could not be updated.

WARNING: The recipient “/Microsoft Exchange System Objects/Offline Address Book – First Administrative Group” is invalid and could not be updated.

WARNING: The recipient “/Microsoft Exchange System Objects/Schedule+ Free Busy Information – First Administrative Group” is invalid and could not be updated.

WARNING: The recipient “/Microsoft Exchange System Objects/OAB Version 2” is invalid and could not be updated.

WARNING: The recipient “/Microsoft Exchange System Objects/OAB Version 3a” is invalid and could not be updated.

These are system public folders from the Exchange 2003 server. They are mail-enabled in Exchange 2003, while in Exchange 2007 the system public folders are not mail-enabled. The warnings appear because these folders have aliases in a format that is incompatible with Exchange 2007. Once their aliases are changed to a format compatible with Exchange 2007 (simply by removing the spaces), or the folders are mail-disabled, the warnings disappear and the “Default Global Address List” is fully generated.
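The following script is an added example, not part of the original post: it finds every mail-enabled public folder whose alias contains whitespace (the incompatibility described above) and previews both fixes the post mentions. It assumes the Exchange 2007 Management Shell; -WhatIf is used so nothing changes until the output has been reviewed.

```powershell
# Added example (not from the post): locate mail-enabled public folders whose alias
# contains whitespace, which Exchange 2007 rejects, and preview the two fixes.
# Assumes the Exchange 2007 Management Shell. Remove -WhatIf to apply.
function Get-PublicFoldersWithBadAlias {
    Get-MailPublicFolder -ResultSize Unlimited |
        Where-Object { $_.Alias -match '\s' } |      # spaces are what the post hit
        ForEach-Object {
            New-Object PSObject -Property @{
                Identity = $_.Identity
                Alias    = $_.Alias
                NewAlias = ($_.Alias -replace '\s', '')   # same alias with the spaces removed
            }
        }
}

$broken = Get-PublicFoldersWithBadAlias
$broken | Format-Table Identity, Alias, NewAlias -AutoSize

foreach ($pf in $broken) {
    # Option A from the post: give the folder an Exchange 2007-compatible alias.
    Set-MailPublicFolder -Identity $pf.Identity -Alias $pf.NewAlias -WhatIf
    # Option B from the post: mail-disable the folder instead (uncomment to preview).
    # Disable-MailPublicFolder -Identity $pf.Identity -Confirm:$false -WhatIf
}

# After applying one of the options, regenerate the GAL and the OAB and confirm the
# warnings are gone (cmdlet names are mine; the post does not name the commands it ran):
#   Update-GlobalAddressList -Identity 'Default Global Address List'
#   Update-OfflineAddressBook -Identity 'Default Offline Address Book'
```

The -replace only strips whitespace, matching the post's observation that removing the spaces was enough; if the new alias collides with an existing one, Set-MailPublicFolder reports it and the folder can be mail-disabled instead.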


The New Exchange 2010 Client Accessibility

September 2, 2009 in MS Exchange Server

In Exchange 2010 all Outlook clients use the Client Access Server; even Entourage clients need to connect to the CAS in order to access a mailbox.

In Exchange 2010, MAPI access and directory access have been moved to the Client Access server. This provides all data access through a single, common path.

I like that… Outlook MAPI clients talk to MAPI on a middle-tier layer (the CAS), which then talks to the Mailbox server. The same applies to directory information: Outlook talks to the NSPI endpoint located on the middle tier (CAS), NSPI talks to the Active Directory driver, which in turn talks to the Active Directory service.

This is unlike Exchange 2007, where Outlook MAPI clients talk to the RPC proxy installed on the CAS, which then talks directly to the MAPI RPC component on the Mailbox server and to the NSPI endpoint in Active Directory.

Oh… Exchange 2010 requires RPC encryption, which means that Outlook 2003 clients will not be able to access their mailboxes by default. To configure Outlook 2003 to use RPC encryption:

  1. Click Tools > E-Mail Accounts > View or Change an Existing Account.
  2. Select the account and click More Settings.
  3. Select the Security Tab.
  4. Select Encrypt data between Microsoft Office Outlook and Microsoft Exchange Server.
  5. Click OK.

OR… disable the RPC encryption requirement on the Exchange 2010 Client Access Server:

Set-RpcClientAccess -Server <CAS server> -EncryptionRequired $false

But the recommended solution is to configure Outlook 2003 to use RPC encryption.


First Look at MS Exchange 2010 Features

April 15, 2009 in MS Exchange Server

Microsoft has just released the beta version of the new Exchange Server 2010, code-named “E14”.

Exchange 2010 comes with new features and improvements:

1. Improved storage reliability: E14 brings a 70% I/O reduction, and with the new architecture failover is designed around the mailbox database level instead of the server level (known as “DB mobility”), which enables organizations to run a highly available Exchange environment without dealing with clustering, RAID disks or enterprise storage solutions (SAN).

2. MailTips: no more messages accidentally sent to an over-quota mailbox.

3. Conversation View.

4. Support for more Internet browsers in OWA.

All of these, and the list will continue…


Important Consideration When Migrating To Exchange 2007 From an Earlier Version

April 2, 2009 in MS Exchange Server

I don’t know why I did not find this anywhere as part of the pre-migration process, because if you have it, your installation of the Mailbox role will keep failing.

Microsoft keeps saying that LDAP filters are supported in Exchange 2007, but you cannot edit them from the Exchange 2007 console. If you try installing the Exchange 2007 Mailbox role while you have a Recipient Policy or Address List configured with an LDAP filter, you may experience:

Error:

The Exchange server address list service failed to respond. This could be because of an address list or email address policy configuration error.

The service can’t work properly because Email Address Policy ‘CN=NAME,CN=Recipient Policies,CN=First Organization,CN=Microsoft Exchange, CN=Services, CN=Configuration, DC=DOMAIN,DC=COM’ has an invalid filter rule (PurportedSearch). The error is ‘ANR is not supported.’. Use the Exchange Management Console to correct this problem. New users, contacts, and groups won’t be fully provisioned until this is fixed.

That is because not all LDAP filters are supported in Exchange 2007. In Exchange 2007 new OPATH filters replace the old LDAP ones, so before migrating the Mailbox role it is very important to make sure that the LDAP filters used in the Recipient Policies and Address Lists can be expressed as OPATH filters.
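The following pre-migration check is an added example, not part of the original post: it reads the purportedSearch attribute (the LDAP filter named in the error above) of every Recipient Policy and Address List in the Exchange configuration container and flags the ones that use ANR. It is read-only and assumes only a domain-joined Windows host with PowerShell; the object classes and attribute names are standard Exchange schema, the function name is mine.

```powershell
# Added pre-migration check, not from the post: list Recipient Policies and Address
# Lists whose LDAP filter (purportedSearch) uses ANR, which Exchange 2007 rejects
# with "ANR is not supported". Read-only; runs on any domain-joined Windows host.
function Get-LegacyRecipientFilters {
    $rootDse  = [ADSI]'LDAP://RootDSE'
    $configNC = $rootDse.Properties['configurationNamingContext'][0]

    $searcher = New-Object System.DirectoryServices.DirectorySearcher
    $searcher.SearchRoot = [ADSI]"LDAP://CN=Microsoft Exchange,CN=Services,$configNC"
    $searcher.PageSize   = 500
    # Recipient policies and address lists are the objects that carry LDAP recipient filters
    $searcher.Filter = '(&(purportedSearch=*)(|(objectClass=msExchRecipientPolicy)(objectClass=addressBookContainer)))'
    [void]$searcher.PropertiesToLoad.Add('distinguishedName')
    [void]$searcher.PropertiesToLoad.Add('purportedSearch')

    $searcher.FindAll() | ForEach-Object {
        $filter = [string]$_.Properties['purportedsearch'][0]
        New-Object PSObject -Property @{
            Object  = [string]$_.Properties['distinguishedname'][0]
            Filter  = $filter
            # "(anr=" is the construct behind the error quoted in the post
            UsesAnr = [bool]($filter -match '\(anr=')
        }
    }
}

$filters = Get-LegacyRecipientFilters
$filters | Format-List Object, Filter, UsesAnr

# Anything flagged here has to be rebuilt as an OPATH filter before the Mailbox
# role is installed; the remaining filters still deserve a manual look.
'{0} LDAP filter(s) found, {1} of them use ANR' -f @($filters).Count, @($filters | Where-Object { $_.UsesAnr }).Count
```

ANR is the only unsupported construct the post names, so only that is flagged automatically; the full filter text is printed for every object so the rest can be reviewed by hand before the Mailbox role is installed.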


Install Exchange 2007 CAS With The Same Name As The Dead One

February 27, 2009 in MS Exchange Server

Two days ago my staff experienced a dead CAS server because of poor hardware. The recovery process was to bring a new box, install the OS with the same name as the dead one, then install the Exchange 2007 CAS role. But when trying to install Exchange 2007 CAS on the new machine it kept raising:

The Exchange Server is in an inconsistent state. Only disaster recovery mode is available.

With some research I found that Active Directory still contains information about the dead server, so this information must be removed: using Active Directory Service Interfaces (ADSI) Edit (Adsiedit.msc), navigate to and delete the object of the old CAS:

CN=Configuration, DC= Domain Name, DC=com, CN=Services, CN=Microsoft Exchange, CN=Organization Name, CN=Administrative Groups, CN= Exchange Administrative Group, CN=Servers, CN=%Server Name%

Then I ran the Exchange 2007 CAS installation and it completed smoothly.

It is very important, when we plan to deploy any sensitive service such as Exchange 2007 roles, to take hardware quality and performance into consideration to avoid such a disaster.


Migrating Enterprise Root Certificate Authority to a New Domain Controller With Different Server Name

February 26, 2009 in MS Active Directory

My client asked me if it is possible to upgrade his Windows 2000 DC, which hosts the Enterprise Root CA, in order to upgrade all DCs in his network to Windows 2003…

So I started the task by deploying a new Windows 2003 DC and installing a new CA on it, while on the old DC I backed up the CA database and its logs along with the private key, and exported the CA registry key:

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration

So now we have a complete backup of the old CA service on the new machine, and the new CA is installed; now we have to proceed to the second step of the migration.

Now suspend the CA service on the old box and restore the CA service on the new box by importing the registry keys (don’t forget to change the CAServerName value to the new server name under):

HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\%CA-NAME%

Now the new server is ready to import the CA database; once this process is finished you can remove the old CA service from the old server.
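The script below is an added example, not part of the original post: it carries out the two halves of the procedure above with certutil and reg, including the CAServerName change the post warns about. Paths, the key password and the server and CA names are placeholders. The step 1 commands are plain certutil/reg calls that also run from cmd.exe on the old Windows 2000 box, where PowerShell is not available; step 2 assumes PowerShell on the new Windows 2003 box with Certificate Services already installed under the same CA name.

```powershell
# Added example (not from the post): Enterprise CA move in two steps.
#  1) old CA: back up database + logs and the private key, export the CertSvc config key.
#  2) new CA: restore the database/key, import the registry, fix CAServerName, start.
# All names and paths below are placeholders.
$backupDir = 'D:\CABackup'               # placeholder: shared or copied between the boxes
$newServer = 'NEWDC01'                   # placeholder: host name of the new CA
$caName    = 'Contoso Root CA'           # placeholder: the %CA-NAME% from the post
$pfxPass   = 'Pa55w.rd-placeholder'      # protects the exported private key (PKCS#12)

# --- Step 1: run on the OLD CA as a CA administrator ---
function Backup-OldCa {
    New-Item -ItemType Directory -Path $backupDir -Force | Out-Null
    # Database, logs and CA key in one backup set, key protected by $pfxPass
    & certutil.exe -p $pfxPass -backup $backupDir
    # The configuration key the post exports
    & reg.exe export 'HKLM\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration' "$backupDir\CertSvc-Configuration.reg"
    # Suspend the old CA so nothing is issued after the backup was taken
    Stop-Service CertSvc
}

# --- Step 2: run on the NEW CA after copying $backupDir over ---
function Restore-NewCa {
    Stop-Service CertSvc
    # -f overwrites the database created by the fresh installation
    & certutil.exe -f -p $pfxPass -restore $backupDir
    & reg.exe import "$backupDir\CertSvc-Configuration.reg"
    # The step the post stresses: the imported key still names the old host
    $cfg = "HKLM:\SYSTEM\CurrentControlSet\Services\CertSvc\Configuration\$caName"
    Set-ItemProperty -Path $cfg -Name CAServerName -Value $newServer
    Start-Service CertSvc
    # Confirm the CA answers on the new host before decommissioning the old one
    & certutil.exe -ping
}
```

Run Backup-OldCa on the old DC and Restore-NewCa on the new one; certutil -ping at the end is the check that the restored CA actually services requests before the old service is killed.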


Active Directory Domain members located in DMZ

May 22, 2008 in Infrastructure, MS Active Directory

It is good practice to have DMZs in our network to isolate or separate some services, because services fall into two categories, “Anonymous Access” and “Authenticated Access”. Sometimes, however, these services are provided by a domain member, so the firewall must be configured to permit AD traffic:

The firewall must allow the following from the domain member server in the DMZ to the Domain Controller:

1. Microsoft CIFS (TCP & UDP).

2. DNS traffic.

3. Kerberos-adm (UDP).

4. Kerberos-sec (TCP).

5. Kerberos-sec (UDP).

6. LDAP.

7. LDAP Global Catalog.

8. RPC.

9. NTP (UDP).
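The script below is an added example, not part of the original post: run from the DMZ domain member, it attempts a TCP connect to the domain controller for each TCP service in the list above, so a rule that was missed shows up as BLOCKED before the box is joined. The mapping of the post's service names to port numbers is mine (the standard Windows domain controller ports); UDP services (DNS, Kerberos, NTP) cannot be proven open with a plain connect and are only listed. The DC name is a placeholder.

```powershell
# Added check (not from the post): from the DMZ member, verify the firewall passes the
# TCP services a domain member needs to reach its domain controller.
# Port mapping is mine (standard Windows DC ports); $dc is a placeholder.
$dc = 'dc01.corp.example'

$tcpServices = @{
    'CIFS/SMB'            = 445
    'DNS'                 = 53
    'Kerberos'            = 88
    'Kerberos kpasswd'    = 464    # password change (the "Kerberos-adm" item)
    'LDAP'                = 389
    'LDAP Global Catalog' = 3268
    'RPC endpoint mapper' = 135    # RPC also needs the DC's dynamic port range
}
$udpOnly = 'DNS/53, Kerberos/88, kpasswd/464, NTP/123'

function Test-TcpPort {
    param([string]$ComputerName, [int]$Port, [int]$TimeoutMs = 2000)
    $client = New-Object System.Net.Sockets.TcpClient
    try {
        $async = $client.BeginConnect($ComputerName, $Port, $null, $null)
        # No answer within the timeout is treated the same as a drop rule
        if (-not $async.AsyncWaitHandle.WaitOne($TimeoutMs)) { return $false }
        $client.EndConnect($async)      # throws on RST (reject rule / nothing listening)
        return $true
    } catch {
        return $false
    } finally {
        $client.Close()
    }
}

foreach ($name in ($tcpServices.Keys | Sort-Object)) {
    $port = $tcpServices[$name]
    $state = if (Test-TcpPort -ComputerName $dc -Port $port) { 'open' } else { 'BLOCKED' }
    '{0,-22} TCP/{1,-5} {2}' -f $name, $port, $state
}
"UDP services not tested by this script: $udpOnly"
```

A timeout and a reset both print BLOCKED; the distinction (drop versus reject, or the service not listening on the DC) is visible in the firewall log, which is where a failed row should be checked next.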


Deleted SRV records in the DNS

May 17, 2008 in Infrastructure, MS Active Directory

One of our IT staff had deleted the SRV records for the Active Directory services by mistake; after a while he called me saying that the network was down and no one could log in.

After understanding the whole problem and how it happened, the resolution is to run “netdiag /fix”, restart the Domain Controller, or wait until the Netlogon service automatically recreates the records.

This problem shows how much we understand the functionality of the Active Directory infrastructure, and how we use small commands to resolve the issues we face daily. It is known that a Domain Controller could be assigned dynamic IP settings, which means its IP address may change from time to time, leaving the DNS with invalid SRV records for Active Directory; it is the Netlogon service that recreates and fixes these SRV records on the configured DNS.
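The script below is an added example, not part of the original post: it queries DNS for the SRV records a domain controller registers, so the damage can be confirmed before the fix and the re-registration verified afterwards. It uses nslookup so it works on Windows 2003-era hosts; the domain, DNS server and function name are mine, and the record names are the standard locator records Netlogon registers.

```powershell
# Added check (not from the post): confirm the AD locator SRV records exist in DNS,
# before running netdiag /fix and again after Netlogon has re-registered them.
# Domain and DNS server names are placeholders.
function Test-AdSrvRecords {
    param(
        [string]$Domain    = 'corp.example',       # placeholder: AD DNS domain
        [string]$DnsServer = 'dc01.corp.example'   # placeholder: DNS server the DC registers with
    )
    # Locator records clients need to find a DC, Kerberos KDC and global catalog
    $srvNames = @(
        "_ldap._tcp.dc._msdcs.$Domain",
        "_kerberos._tcp.dc._msdcs.$Domain",
        "_ldap._tcp.$Domain",
        "_kerberos._tcp.$Domain",
        "_kpasswd._tcp.$Domain",
        "_gc._tcp.$Domain"
    )
    foreach ($name in $srvNames) {
        $answer = (& nslookup.exe -type=SRV $name $DnsServer 2>&1) | Out-String
        # nslookup prints one "svr hostname = <dc>" line per SRV record it finds
        $targets = [regex]::Matches($answer, 'svr hostname\s*=\s*(\S+)') |
            ForEach-Object { $_.Groups[1].Value }
        New-Object PSObject -Property @{
            Record  = $name
            Present = [bool]$targets
            Targets = ($targets -join ', ')
        }
    }
}

$status = Test-AdSrvRecords
$status | Format-Table Record, Present, Targets -AutoSize

if ($status | Where-Object { -not $_.Present }) {
    # Repair as in the post: netdiag /fix on the DC, reboot it, or wait for Netlogon.
    # Restarting the Netlogon service on the DC (my shortcut, not from the post) forces
    # the re-registration immediately:   Restart-Service Netlogon
    Write-Warning 'AD SRV records are missing; re-register them and run this check again.'
}
```

Running the check from a member server rather than the DC itself also proves the records are visible through the DNS server the clients actually use, which is the view that matters when "no one can log in".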
