26 March 2012

DHCP considerations for Servers

Assigning DHCP IP addresses to every single last server in your environment is probably not a great idea.  Servers like domain controllers, network load balanced servers and failover clusters should be configured with static IPs.  However, there are relatively few places where a static IP is actually mandatory.  Using DHCP can greatly reduce the number of issues associated with manual IP configuration.

Defining DHCP for clients and for servers is essentially the same, but considering the different environments you can optimize the DHCP configuration to best suit the requirement.  As an example, a DHCP scope for WiFi clients is typically very dynamic, with loads of different machines coming and going all the time.  Compare this to a DHCP scope for a particular VLAN in a data-center, where changes are rare and machines tend to stay running 24x7.

To understand why the recommendations are what they are, you need to understand how the DHCP lease process works.  If you want more detail, check out:


I will also be covering ways to avoid certain problems that could crop up.

Use the correct DHCP server configuration
Generally the biggest problem with DHCP is when it is not available.  So when deploying DHCP make sure you are using decent kit.  Unlike your desktop environment, you essentially want your servers to always be assigned the same IP, so you need to serve the DHCP requests from a single scope.  The best way to do this is to use a fail-over DHCP configuration (available in Windows Server 8).

Using a split scope will work in case a single DHCP server fails, but a client will not be able to renew its lease on the existing IP address.

When creating the scope you can use the following settings server side to ensure the clients are configured correctly.

Longer DHCP leases
The DHCP lease cycle is pretty important.  If the cycle is too long you could run out of available IPs, and changes to the scope would take too long to be applied to the clients.  Making it too short will result in unnecessary broadcast chatter, and could also cause issues should DHCP availability become compromised.

When a DHCP client starts up and receives a lease the clock starts ticking.
When 50% of the lease has expired the client will attempt to renew the lease.  If successful, the lease period is renewed and any changes made to the scope are applied.

If the lease renewal fails the clock keeps ticking until it gets to 87.5% of the lease time.  At this point the client will rebroadcast to all DHCP servers for a new lease.

If this also fails the clock will keep ticking until the lease expires.  At this point the DHCP client process starts from scratch.
If there is no DHCP server available it will grab an IP from the APIPA range (Automatic Private IP Addressing), unless an Alternative Configuration is specified.

While using the APIPA or Alternative Configuration address the client will still periodically attempt to establish a DHCP lease.

Conflict detection attempts
The DHCP server can be configured to check for potential conflicts before issuing an IP for a lease.  This is not enabled by default.  It can be a very useful safeguard, especially in environments where some machines are configured manually and others via DHCP.

The DHCP server attempts to ping the IP it wants to assign; if it gets a reply it selects and tests another IP before assigning one that does not conflict.

To enable this

  • Open the DHCP management console
  • Expand the server - IPv4
  • Right Click - Properties
  • Select the Advanced Tab
  • Assign a value bigger than 0 to "Conflict detection attempts"

Scope Exclusions
If you are deploying DHCP for a subnet where there are manually configured clients, you should consider exclusions and exclusion ranges.  Essentially this prevents the DHCP server from issuing these IPs to any clients.  Exclusions should be made for machines that will always have static configuration.

To enable this

  • Open the DHCP management console
  • Expand the server - IPv4
  • Expand the relevant scope
  • Select Address Pool and right click - New Exclusion Range
  • Enter the range of IPs you want to exclude

A reservation instructs the DHCP server to reserve an IP for a specified MAC address and never issue it to any other MAC.  Reservations should be made for servers that need to retain the same IP address.  Reservations can be made prior to or during use of a lease.

To configure a reservation ahead of time

  • Open the DHCP management console
  • Expand the server - IPv4
  • Expand the relevant scope
  • Select Reservations - Right Click - New Reservation
  • Specify the DNS name
  • Specify the IP address to reserve
  • Specify the MAC of the client machine

You can use the getmac utility to retrieve your local MAC, but you can also get the MAC from a remote machine by using the following command:

getmac /s <servername>

To configure a reservation for an existing lease
(the method you would probably use most often)

  • Open the DHCP management console
  • Expand the server - IPv4
  • Expand the relevant scope
  • Select Address Leases
  • Select the lease of the server you want to reserve
  • Right Click - Add to Reservation

DHCP client configurations

There are a few things that you can define on the client side to also mitigate a DHCP outage.  The biggest problem you would normally associate with DHCP is when there is no DHCP server available at the moment a lease needs renewal or when the DHCP client starts up.

Windows Vista and 2008 Server by default would not retain their DHCP IP if there was no DHCP server available when the client restarts.  You can fix this behavior with the following:


Alternative Configuration
If no DHCP server is available the DHCP client will revert to either an APIPA address or, if one is specified, the Alternative Configuration.   Essentially you can configure this as a fallback, should there be a serious DHCP outage.

To configure an Alternate Configuration

  • Open Network and Sharing Centre
  • Change adapter settings
  • Select the relevant NIC
  • Right Click  - Properties
  • Select TCP/IP v4 - Properties
  • Select the Alternate Configuration tab
  • Specify your desired configuration

There are many steps you can take to mitigate DHCP failure, but as you will have noticed, a few things need to go wrong at the same time.  For most server environments, simply setting a reasonable lease duration on a Windows Server 8 fail-over DHCP deployment is all that is needed.

The sequence I would recommend is as follows:

  1. Use Windows Server 8 Failover DHCP Scopes
  2. Enable Conflict detection
  3. Set reservation for running machines
  4. Specify alternative configuration on the client (optional)
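The recommended sequence above, as an added example that is not part of the original post, applied with the DhcpServer PowerShell module that ships with Windows Server 2012 (the "Windows Server 8" referred to in the post).  The scope, addresses, server names and failover secret are constructed placeholders; the script assumes it runs on the DHCP server with administrative rights.

```powershell
# Added example (not from the original post): apply the post's recommended DHCP
# baseline to one server scope. All names, addresses and the secret are placeholders.
function Set-ServerScopeBaseline {
    param(
        [Parameter(Mandatory)] [string] $ScopeId,         # subnet id of the server VLAN scope
        [Parameter(Mandatory)] [string] $PartnerServer,   # second DHCP server of the failover pair
        [Parameter(Mandatory)] [string] $FailoverSecret,  # shared secret of the failover relationship
        [string] $StaticStart,                            # first address held by statically configured hosts
        [string] $StaticEnd,                              # last address held by statically configured hosts
        [int]    $LeaseDays = 8                           # long lease: members of a server scope rarely change
    )

    # 1. Failover: both servers share the scope, so a surviving partner can renew an
    #    existing lease (a split scope cannot; it can only hand out a different address).
    if (-not (Get-DhcpServerv4Failover -ScopeId $ScopeId -ErrorAction SilentlyContinue)) {
        Add-DhcpServerv4Failover -Name "$ScopeId-failover" -PartnerServer $PartnerServer `
            -ScopeId $ScopeId -LoadBalancePercent 50 -SharedSecret $FailoverSecret
    }

    # 2. Conflict detection: ping a candidate address before offering it (default 0 = off).
    Set-DhcpServerSetting -ConflictDetectionAttempts 2

    # Longer lease for machines that run 24x7: fewer renewals and less broadcast chatter.
    Set-DhcpServerv4Scope -ScopeId $ScopeId -LeaseDuration (New-TimeSpan -Days $LeaseDays)

    # Exclusion range for machines that will always stay static (DCs, NLB, clusters).
    if ($StaticStart -and $StaticEnd) {
        Add-DhcpServerv4ExclusionRange -ScopeId $ScopeId -StartRange $StaticStart -EndRange $StaticEnd
    }

    # 3. Reservations for every machine that currently holds an active lease, so running
    #    servers keep the address they already have (the "Add to Reservation" step, in bulk).
    Get-DhcpServerv4Lease -ScopeId $ScopeId |
        Where-Object { $_.AddressState -eq 'Active' } |
        Add-DhcpServerv4Reservation

    # Show the resulting reservations so the change can be checked.
    Get-DhcpServerv4Reservation -ScopeId $ScopeId | Select-Object IPAddress, ClientId, Name
}

Set-ServerScopeBaseline -ScopeId '10.20.0.0' -PartnerServer 'dhcp02.example.com' `
    -FailoverSecret 'placeholder-secret' -StaticStart '10.20.0.1' -StaticEnd '10.20.0.31'
```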

20 March 2012

Samsung Galaxy GT-P1000 update to Gingerbread 2.3.6 step by step guide

Unlike the Apple iOS devices, Android devices almost seem to be designed with a much higher rate of obsolescence in mind.   In short, Android devices have a much shorter shelf life.  The one way to keep your device as fresh as possible is to keep your software / firmware up to date.  This is unfortunately not as simple as it should be.

I have a first generation Samsung Galaxy Tab, the 7" GT-P1000.  This unit shipped with Android version 2.2.x, known as Froyo.  Attempting to update the device with the default Samsung Kies application was a bit of a dead end.  The best part of installing it was that the required drivers for the tab are installed.

The steps below will allow you to update this model of Galaxy Tab to Android version 2.3.6, known as Gingerbread.

WARNING / NOTICE - Some people have had 100% success with this procedure, but there have also been some issues.  I cannot assist with any info beyond what is already in this post.  Check all the comments below before starting.

Before you begin:
  • Make sure the battery is fully charged
  • You have enough time to follow through and complete everything
  • You have your nerves of steel with you
  • Remember that as long as you get a connection in Odin your device is not bricked...
UPDATE: Before you start reset your device to factory defaults.  There is no reason not to do this since the device will be totally wiped in the process.

There are a few files you will need to achieve the update.

The files are in various archives. 7Zip is capable of opening / extracting all of them.

This tool is used to update and transfer ROMs to Android devices.  It is the only executable that will be used.

You will need the correct USB drivers for the connectivity to work properly.  You can either get the drivers by installing Samsung Kies, or by downloading and installing the drivers:


This is the actual OS that you will be updating.  Android is  very device specific so you have to use the correct Firmware / ROM.  The one I used is here.


The file is a .tar archive.  Using 7Zip you can open the archive and extract the PIT file.  Other than extracting the PIT file you use the file "as is" in the .tar.md5 format.

The PIT File
P1_add_hidden.pit   This file is required for the first step in the process.  The file is contained within the firmware archive, and must be extracted first.

Open the firmware archive file with 7Zip.
Find the file, then drag it to the folder where all your other files are.

Database Flash file
DBDATA.RFS.TAR.  I needed to update this file to overcome the boot loop that happened after the firmware update.


Install and test the drivers
Before making any changes you want to ensure that everything is working as it should be.  You should be able to connect your Galaxy in either USB storage or Kies mode.
To change this behaviour on the Galaxy you need to go to  Settings - Wireless and Network - USB settings.

How to put the Galaxy in download mode
There is a special mode for transferring firmware level files to the device referred to as download mode.
To get the device to this you need to:

  • Power Off the device
  • Hold down the volume down key then press power

The device will now show this screen

At this point one should note: this is a static screen, and if nothing is happening here you can turn off the tablet.  If a download is actually occurring there will be a progress bar on the screen too.

Step By Step
Up to now everything has just been preparing for the actual update process.  Good luck!

Flash the old firmware

  • Launch Odin3
  • Put the device in download mode
  • Connect to the PC
  • You should now see an active connection being indicated in the ID:COM box (in yellow)

  • Select the three options Re-Partition + Auto Reboot + F.Reset Time
  • Select the PIT file
  • Click the Start Button

Wait for the process to complete; the device will restart and then finish up by saying PASS.

At this stage your Galaxy will not boot past the initial "Samsung Galaxy Tab" screen.

Upload new Firmware

  • Launch Odin3 
  • Put the device in download mode
  • Connect to the PC
  • You should now see an active connection being indicated in the ID:COM box (in yellow)
  • Click the reset button to clear all the fields
  • Only check the  Auto Reboot option
  • Click the PDA button and specify the firmware file
  • Click Start

Wait for the process to complete saying PASS.

At this stage the new files have been placed on the Galaxy.  When you disconnect it and boot it you should see the screens indicating that the new firmware is being unpacked and installed.

If all has gone perfectly that should be it.  Reboot the device and give it a good long 10 minutes to come up for the first time; don't rush here.

The device should now boot with:

Firmware Version 2.3.6
Baseband Version P1000XXJPZ
Kernel Version
Build Number Gingerbread.XWJQ8

Fixing The Boot Loop

In my case this update completed but it went into a "Boot Loop".  Pretty much it stayed on the orbing SAMSUNG screen and never got past there.

To fix this you need to also update the DBDATA.RFS.TAR file.

  • Launch Odin3
  • Put the device in download mode
  • Connect to the PC
  • You should now see an active connection being indicated in the ID:COM box (in yellow)
  • Click the reset button to clear all the fields
  • Only check the  Auto Reboot option
  • Click the PDA button and specify the DBDATA.RFS.TAR  file
  • Click start and wait for the PASS

You should now be able to reboot.

Updating your Galaxy Tab is not difficult, just complicated.  There are a few nice touches in the update, but so far I have not seen anything that jumps out as a MUST HAVE feature.  It does however seem to be more stable, and the battery is lasting a bit longer too.

16 March 2012

MS12-20 - How to implement the work around

The MS12-20 Vulnerability is described as follows:

Pre-auth, network accessible, service running as SYSTEM

This issue is potentially reachable over the network by an attacker before authentication is required. RDP is commonly allowed through firewalls due to its utility. The service runs in kernel-mode as SYSTEM by default on nearly all platforms (except for one exception described below). During our investigation, we determined that this vulnerability is directly exploitable for code execution.

For more information check out.

Essentially, turning on Network Level Authentication for Remote Desktop (RDP NLA) prevents the issue.  This option is available from Vista / Windows Server 2008 onwards.

Implementing the work-around is actually quite simple, and it should really be the default when enabling remote access.  The advantage of making this change is that there is no need for a reboot: once the setting is applied it is active.  When applied through GP this has no effect on machines that do not have RDP enabled.

The simplest way of doing this is to log onto the machine and change the setting manually:

  • Select Computer - Properties
  • Remote Settings
  • Select "Allow connections only from computers running Remote Desktop with Network Level Authentication (more secure)"

Group Policy
Manually changing every machine is just not practical, especially since you might not know which machines need to be changed.  You can use a group policy to apply these changes for you.

Computer Configuration\Administrative Templates\Windows Components\Remote Desktop Services\Remote Desktop Session Host\Security\
"Require user authentication for remote connections by using Network Level Authentication"  needs to be enabled.

One nice thing about setting this through Group Policy is that all machines deployed in future will have it enforced.

The only reason I can think of that would require you to use the less secure configuration is to support older Remote Desktop clients, such as the default one from Windows XP.   There is an updated version, which can be found here: 

Other ways of implementing the NLA setting
Using cscript to make bulk changes to remote desktop.

Using a free custom PowerShell cmdlet called set-remotedesktop.
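The NLA requirement can also be audited and enabled remotely in bulk.  The following is an added example and is not the cscript method or the set-remotedesktop cmdlet mentioned above; it uses the Win32_TSGeneralSetting WMI class (the same setting the GUI and the group policy change) and assumes administrative access to the target hosts, whose names are placeholders.

```powershell
# Added example (not from the original post): report which hosts already require NLA
# for the RDP-Tcp listener and enable it where it is off. Host names are placeholders.
function Set-RdpNlaRequired {
    param(
        [Parameter(Mandatory)] [string[]] $ComputerName,
        [switch] $ReportOnly   # show what would change without changing anything
    )
    foreach ($computer in $ComputerName) {
        try {
            $ts = Get-WmiObject -ComputerName $computer -Namespace 'root\cimv2\TerminalServices' `
                    -Class Win32_TSGeneralSetting -Filter "TerminalName='RDP-Tcp'" -ErrorAction Stop
        } catch {
            # Unreachable host or no RDP listener: record it rather than abort the run.
            [pscustomobject]@{ Computer = $computer; NlaRequired = $null; Action = "error: $($_.Exception.Message)" }
            continue
        }

        if ($ts.UserAuthenticationRequired -eq 1) {
            [pscustomobject]@{ Computer = $computer; NlaRequired = $true; Action = 'already enabled' }
        } elseif ($ReportOnly) {
            [pscustomobject]@{ Computer = $computer; NlaRequired = $false; Action = 'would enable' }
        } else {
            # Takes effect for new connections immediately; no reboot is needed.
            $null = $ts.SetUserAuthenticationRequired(1)
            [pscustomobject]@{ Computer = $computer; NlaRequired = $true; Action = 'enabled' }
        }
    }
}

# First pass: audit only. Second pass: apply. (Placeholder host names.)
Set-RdpNlaRequired -ComputerName 'srv01', 'srv02' -ReportOnly | Format-Table -AutoSize
Set-RdpNlaRequired -ComputerName 'srv01', 'srv02' | Format-Table -AutoSize
```

Hosts where the only RDP clients are older ones without NLA support (such as the default Windows XP client) will lose access once this is applied, which matches the caveat given above.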

Getting the hotfixes
The table below shows the affected systems and has links to download the relevant hotfixes.

Operating System / Bulletins Replaced by this Update

KB2570222 in MS11-065 replaced by KB2621440
No bulletin replaced by KB2621440
No bulletin replaced by KB2667402

14 March 2012

Increase DNS capacity with DNS dedicated Active Directory Integrated servers

There are various reasons why you might want to increase the availability and performance of DNS.  The logical step would be to add additional dedicated DNS servers.  There is a toss-up though: to have a dedicated DNS server you would have to forgo the advantage of having Active Directory Integrated primary zones.  On the flip side, if you are using full AD DS your DNS server will not be dedicated to DNS but will also serve client login requests.  This is not necessarily a bad thing; having another AD server available in case of failure can be useful.

I am going to step through the ways to manipulate the domain controller selection process to reduce the authentication requests to as few as possible.  If a domain controller fails, the DNS server is then still able to serve authentication requests.

Why you want Active Directory Integrated DNS (AD DS)

  • DNS features multimaster dynamic record replication and better security based on AD DS
  • Zones are replicated to any new domain controllers
  • DNS and AD DS are replicated together, which simplifies replication planning and implementation
  • AD DS uses per-property replication and therefore transmits only the relevant changes, making it far more efficient

For more info check out http://technet.microsoft.com/en-us/library/cc726034.aspx

Installing AD DS with DNS
These steps will cover adding an additional domain controller with DNS to an existing domain.
  • From server manager
  • Add roles
  • Select Active Directory Domain Services (DNS will be added later)
  • Finish the wizard
  • Open a command prompt
  • Run DCpromo.exe
  • Check Use advanced mode installation
  • Select to add the domain controller to an existing forest and to an existing domain
  • Confirm the correct domain
  • On the Select a Site screen choose to use the site that corresponds to the IP of this computer (later on we will cover the steps if you would like to move it to another site)
  • On the Additional Domain Controller Options screen select
  • DNS server - (the reason why we are doing this)
  • Global Catalog (If like me you want this to be a standby domain controller in case of failure)
  • When prompted, select Replicate data over the network from an existing domain controller
  • Let the wizard choose an appropriate domain controller
  • Accept the default folders
  • Specify a password for Restore Mode
  • Finish the Wizard

Your installation summary should look like this

  • Choose not to reboot on completion

You now have the option to complete the steps below to reduce its authentication priority before the server adds itself to DNS.  This will prevent clients from latching on to the new server with the default settings.

Configure an additional IP (Optional)
Since DNS queries are made against IP addresses and authentication requests are made against server names, you can split the two.  Assign an additional IP address to the server and use this IP only for DNS.

If at a later stage you want to configure a load balanced DNS implementation you can use this spare IP, as opposed to having to change your domain controller DNS name.

The same goes for when you need to replace your DNS servers.  It is much cleaner to simply release the IP on the old server and assign it to the new one.

Note:  There can be issues with having multiple IP addresses on a domain controller; these relate to Netlogon registering both IPs.

How authentication selection works and how to "turn it off"
To drastically reduce the number of requests that the DNS server will have to serve we need to understand how the client determines which AD server to use:
  1. The Netlogon service on the client queries the registry for DynamicSiteName
  2. The DC Locator service uses the DynamicSiteName to query the DNS SRV records to find domain controllers in its site
  3. DNS returns a list of IP addresses sorted by priority and weight
  4. The client inspects the SRV records and attempts to choose the lowest priority value
  5. If priorities are the same it randomizes based on the weight
  6. Netlogon on the client sends a datagram to the chosen domain controller
  7. Netlogon on the server replies

There are a few more steps to this, but we are mainly interested in steps 2 to 5.  You will also notice that steps 1 through 5 are purely DNS.

The order in which to "step down" the number of authentication requests is the reverse of the selection order.  This means:

  1. Decrease weight amount
  2. Increase the priority
  3. Manipulate the site

For more info check out http://blogs.technet.com/DomainControllerLocatorInDepth

Manipulating the site selection process
In step 2 DNS is asked to return a list of servers based on the site.  We can use this to reduce the chance of our DNS server being selected.

In step 2, if the client's site name does not match that of the initial domain controller, the controller returns the site that most closely matches the client IP address.

To create a DNS isolation site do the following:

  • Open Active Directory Sites and Services
  • Expand Sites
  • Right Click - New Site
  • Specify a name and select an existing site link
  • Find your DNS server - right click - Move - select the new site
  • Expand Subnets
  • Right Click - New Subnet
  • Specify a network prefix that is significantly different from your normal IP range
  • Right Click the subnet - Properties
  • On the General tab select the new site created earlier

Manipulating server priority and weight
The SRV records returned by DNS contain the priority and the weight for the requested service.  A look at DNS will show the following:

The SRV record for _ldap contains 4 values [LdapSrvPriority][LdapSrvWeight][Port][Server FQDN]

This specifies the priority of the domain controller: the lower the value, the higher the priority.  The priority determines the order in which clients will attempt to contact the domain controllers.

The default value is 0, making all domain controllers equal.  From the image you can see a number of servers all with the default value.

If there are multiple servers with the same priority the server weight is used.


This value specifies the weighted priority.  The higher the weight, the higher the priority.  This determines the probability that a client selects the domain controller.  If there are multiple servers with the same weight a formula is used to calculate the probability.

The default value is 100, therefore a server that has a weight of 0 assigned should have a very small chance of being selected.

The formula is:   LdapSrvWeight / Sum (LdapSrvWeight for DCs of that priority)


Adjusting the values
To alter the default values the server will publish to DNS you need to make two registry changes.  Both values are DWORDs and need to be added to


You can save the following as a .reg file and import the settings.  This sets the server to the lowest priority (65535) and the lowest weight (0).

Windows Registry Editor Version 5.00


After making these changes you will have to reboot the server.
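The selection rules and the weight formula above, worked through as an added example that is not part of the original post.  The function computes each DC's chance of being chosen from constructed SRV data (DC names are placeholders), and the last lines set the two Netlogon registry values (LdapSrvPriority and LdapSrvWeight, documented in KB306602) in place of the .reg file.

```powershell
# Added example (not from the original post): apply the post's selection rules to a set
# of SRV records. Objects need Target, Priority and Weight; the sample data is constructed.
function Get-DcSelectionProbability {
    param([Parameter(Mandatory)] [object[]] $SrvRecords)

    # Clients try the lowest priority value first, so only that group is ever chosen
    # while at least one of its members answers.
    $lowest     = ($SrvRecords | Measure-Object -Property Priority -Minimum).Minimum
    $candidates = @($SrvRecords | Where-Object { $_.Priority -eq $lowest })
    $totalWeight = ($candidates | Measure-Object -Property Weight -Sum).Sum

    foreach ($rec in $SrvRecords) {
        $p = 0.0
        if ($rec.Priority -eq $lowest) {
            # Post's formula: LdapSrvWeight / Sum(LdapSrvWeight for DCs of that priority).
            # If every member has weight 0 the client still has to pick one, so share equally.
            $p = if ($totalWeight -gt 0) { $rec.Weight / $totalWeight } else { 1 / $candidates.Count }
        }
        [pscustomobject]@{
            Target = $rec.Target; Priority = $rec.Priority; Weight = $rec.Weight
            Probability = [math]::Round($p, 3)
        }
    }
}

# Constructed sample: three DCs with the defaults (0 / 100) and the dedicated DNS
# server after the change described above (65535 / 0).
$sample = @(
    [pscustomobject]@{ Target = 'dc01.example.com';  Priority = 0;     Weight = 100 },
    [pscustomobject]@{ Target = 'dc02.example.com';  Priority = 0;     Weight = 100 },
    [pscustomobject]@{ Target = 'dc03.example.com';  Priority = 0;     Weight = 100 },
    [pscustomobject]@{ Target = 'dns01.example.com'; Priority = 65535; Weight = 0   }
)
# dc01..dc03 come out at 0.333 each; dns01 at 0 while any priority-0 DC answers.
Get-DcSelectionProbability -SrvRecords $sample | Format-Table -AutoSize

# To run the same calculation on live records (Windows 8 / Server 2012 and later),
# replace $sample with the output of Resolve-DnsName mapped to the same three fields:
#   Resolve-DnsName -Type SRV '_ldap._tcp.dc._msdcs.example.com' | Where-Object Type -eq 'SRV' |
#       Select-Object @{n='Target';e={$_.NameTarget}}, Priority, Weight

# The two Netlogon values that publish the lowered priority and weight (run on the DNS
# server, then reboot as the post says). The server still registers its SRV records and
# remains a fallback for authentication; clients simply pick it last.
$netlogon = 'HKLM:\SYSTEM\CurrentControlSet\Services\Netlogon\Parameters'
Set-ItemProperty -Path $netlogon -Name 'LdapSrvPriority' -Value 65535 -Type DWord
Set-ItemProperty -Path $netlogon -Name 'LdapSrvWeight'   -Value 0     -Type DWord
```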

Check the setting from a client machine
To verify that the client machines will get the correct SRV data you can check DNS, or you can run the following nslookup on a client machine.

set type=all

This should return a result as follows

If you want to return the servers for a specific site use



Monitoring  authentication requests

NOTE:  The steps above do not disable the ability of the server to serve authentication requests; they just drastically reduce the probability of it being chosen by a client.

To verify that the DNS server is getting a reduced number of authentication requests you need to see how many it has received relative to the other domain controllers.

The easiest way to do this seems to be to check the event logs.

  • Open the event viewer
  • Select Windows Logs - Security
  • Right Click - Filter Current Log
  • Include only Event ID 4624 (Successful Logon)
  • For Logged - select Last Hour
  • When the events are returned, look at the number of events

If you compare this number to the other domain controllers it should be significantly less.

All done!
At this point you should have achieved the design goal of having a server primarily designed for serving DNS requests, making use of the advantages of being an AD DS integrated DNS server.  It will also act as a failover authentication server should the primary domain controllers fail.

Turn off authentication completely (Optional)
To totally prevent or stop authentication against the domain controller you will have to essentially hide the server by preventing Netlogon from registering the SRV records in DNS.  To do this you need to set the following group policy.  The trade-off is that the server will not be able to serve as a backup authentication server.

  • MMC - Add - group Policy Object Editor
  • Local Computer
  • Computer Configuration
  • Administrative Templates
  • System
  • Net Logon
  • DC Locator DNS Record
  • Enable "DC Locator DNS records not registered by the DCs"
  • Specify the following string for Mnemonics 

LdapIpAddress Ldap Gc GcIPAddress Kdc Dc DcByGuid Rfc1510Kdc Rfc1510Kpwd Rfc1510UdpKdc Rfc1510UdpKpwd GenericGc

  • Delete all the SRV entries in DNS for this server, then reboot

The Mnemonics string value above turns off the generic records.  There are a few more to add if needed: http://support.microsoft.com/kb/306602

DNS expansion and migration guide

DNS is an essential service for machines on your network; without it very little would actually keep working.  It is therefore important to ensure that the service is always available for all the clients.

Since some of the steps are common, I will walk through what is required to add additional servers for DNS, then how to change the zone type, and then how to remove old servers from the mix.

NOTE: This does not allow for the use of Active Directory Integrated DNS, which has a number of advantages.  For more info on how to do that check: http://fixmyitsystem.com/2012/03/increase-dns-capacity-with-dns.html

Prepare existing DNS servers for new ones
To allow the new server to sync up the DNS you need to authorize zone transfers for the new server:
  • Open the DNS Manager on the existing server
  • Right Click the relevant Forward Lookup Zone
  • Properties
  • Select the Zone Transfers tab
  • Check Allow zone transfers
  • Select "Only to servers listed on the Name Servers tab"
  • Select the Name Servers tab
  • Add the FQDN of the new DNS server (at this point it will not be validated yet)
Adding Servers
  • Install DNS server Role
  • Open DNS Manager Console
  • Create new Forward lookup zone
  • Secondary zone
  • Specify zone name - domain.com
  • Specify one or more master DNS servers (an existing server)
  • Delete IPV6 entry (if one shows up)
  • Finish the wizard
  • Select the forward zone
  • Right click - Transfer from Master

At this point you should have a DNS server that is syncing data with the master DNS server.  Because we configured it as a secondary zone, this server is not yet authoritative, so you cannot edit or delete records.

Change Zone type
  • Right click the forward lookup zone - properties
  • Select the General tab
  • Click the Change button to change the zone type
  • Select Primary zone

At this point you will have multiple servers controlling the same zone as primary servers.  To ensure that all servers can sync properly, check that your new server is also configured to allow zone transfers to the name servers.
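The same expansion (restrict transfers on the existing primary, pull the zone as a secondary, then promote it) as an added example that is not part of the original post.  It assumes the DnsServer PowerShell module of Windows Server 2012 or later on both machines; the zone, server names and the master IP address are constructed placeholders.

```powershell
# Added example (not from the original post): file-backed zone expansion with the
# DnsServer module. Names and the master IP are placeholders.
$Zone       = 'domain.com'           # zone name used in the steps above
$OldServer  = 'dns-old.domain.com'   # existing primary
$NewServer  = 'dns-new.domain.com'   # server being added
$OldServerIp = '10.0.0.5'            # placeholder: address of the existing primary

# On the existing primary: transfers only to servers listed as NS for the zone,
# then list the new server as an NS so it qualifies.
Set-DnsServerPrimaryZone -ComputerName $OldServer -Name $Zone -SecureSecondaries TransferToZoneNameServer
Add-DnsServerResourceRecord -ComputerName $OldServer -ZoneName $Zone -NS -Name '@' -NameServer $NewServer

# On the new server: create the zone as a secondary and pull a full copy from the master,
# so the data is present before the server becomes authoritative.
Add-DnsServerSecondaryZone -ComputerName $NewServer -Name $Zone -ZoneFile "$Zone.dns" -MasterServers $OldServerIp
Start-DnsServerZoneTransfer -ComputerName $NewServer -Name $Zone -FullTransfer

# Check that the copy arrived before changing the zone type.
$copied = Get-DnsServerResourceRecord -ComputerName $NewServer -ZoneName $Zone -RRType SOA
if (-not $copied) { throw "Zone $Zone has not transferred to $NewServer yet" }

# Promote to primary and apply the same transfer restriction on the new server, so
# both primaries only ever hand the zone to listed name servers.
ConvertTo-DnsServerPrimaryZone -ComputerName $NewServer -Name $Zone -ZoneFile "$Zone.dns" -Force
Set-DnsServerPrimaryZone -ComputerName $NewServer -Name $Zone -SecureSecondaries TransferToZoneNameServer
```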

05 March 2012

Unlock AD user account with a VBscript

From time to time I need this script, so I thought I would just put it somewhere handy.  Log into any domain joined machine with a user account with sufficient rights to unlock accounts.  The script will prompt for the user's logon name.  This would be the same as what the user uses to log in with.

******************* Start of Script ***********************

' Prompt for the logon name (sAMAccountName), find the user and clear the lockout.
username = InputBox("Enter user logon name:")
If username = "" Then WScript.Quit

ldapPath = FindUser(username)
If ldapPath = "Not Found" Then
    WScript.Echo "User not found!"
Else
    Set objUser = GetObject(ldapPath)
    If IsAccountLocked(objUser) Then
        ' Writing 0 to lockoutTime unlocks the account; SetInfo commits it to the DC.
        objUser.Put "lockoutTime", 0
        objUser.SetInfo
        WScript.Echo "Account Unlocked"
    Else
        WScript.Echo "This account is not locked out"
    End If
End If

' Returns the ADsPath of the user with the given sAMAccountName, or "Not Found".
Function FindUser(ByVal UserName)
    On Error Resume Next
    Set objRoot = GetObject("LDAP://RootDSE")
    domainName = objRoot.Get("defaultNamingContext")
    Set cn = CreateObject("ADODB.Connection")
    Set cmd = CreateObject("ADODB.Command")
    Set rs = CreateObject("ADODB.Recordset")
    cn.Open "Provider=ADsDSOObject;"
    Set cmd.ActiveConnection = cn
    cmd.CommandText = "SELECT ADsPath FROM 'LDAP://" & domainName & _
        "' WHERE sAMAccountName = '" & UserName & "'"
    Set rs = cmd.Execute
    If Err <> 0 Then
        WScript.Echo "Error connecting to Active Directory Database: " & Err.Description
        WScript.Quit 1
    End If
    If Not rs.BOF And Not rs.EOF Then
        FindUser = rs.Fields("ADsPath").Value
    Else
        FindUser = "Not Found"
    End If
    rs.Close
    cn.Close
End Function

' True when lockoutTime is present and non-zero. The attribute is a 64-bit value
' exposed as an IADsLargeInteger, and Get fails on accounts that were never locked.
Function IsAccountLocked(ByRef objUser)
    On Error Resume Next
    IsAccountLocked = False
    Set lockout = objUser.Get("lockoutTime")
    If Err = 0 Then
        If lockout.HighPart <> 0 Or lockout.LowPart <> 0 Then IsAccountLocked = True
    End If
    Err.Clear
End Function

******************* End of Script ***********************

04 March 2012

Windows 8 Consumer Preview ISO images

The Consumer Preview version of Windows 8 was released last week.  This supersedes the Windows 8 Developer Preview and has some changes; importantly, this promises to be a lot closer to the final release version.

ISO images - direct from Microsoft
   64-bit (x64)  Download (3.3 GB) 
   32-bit (x86)  Download (2.5 GB)

Product Key:   DNJXJ-7XBW8-2378T-X22TX-BKG7J

You can use the Windows 7 USB DVD Download Tool to create a USB install drive.
All info here is from http://windows.microsoft.com/en-US/windows-8/iso