Monday, January 26, 2009

DNS secondary zone transfers

If you configure a zone on a Windows-based DNS server as a secondary zone, you can configure several sources (master servers) for that zone.

DNS general properties tab

It is important to remember that if the first server in the list fails but still returns a reply that is not valid, the secondary will not continue down the list. An invalid reply might be "zone transfer failed", a common problem with source zones that are configured to accept dynamic updates. Read more about the zone transfer throttling mechanism here.


Thursday, January 22, 2009

How to make a Windows share HA or clustered

The text below is an excerpt of a document I wrote for a customer regarding how to make a file share (repository) highly available.

Please ask if you have any questions.

File share

The file share is a common repository to store files.

There are two ways to configure a file share to be highly available. One solution is Distributed File System and the other solution is Microsoft Cluster Services.

Distributed File System

DFS is a service that provides a single point of reference and a logical tree structure for file system resources that may be physically located anywhere on the network. With DFS you create a share like \\domain.local\share$ that a client (in this case the Mobile Wipe servers are the clients) connects to. All files in a DFS can be replicated among several servers and the client connects to the nearest server that is available.

Microsoft Cluster Services

Microsoft implements failover clustering for file services. You set up two (or more) servers in an active/passive configuration, which means that if a failure occurs on a server that is a member of the cluster (Cluster node) the services that the failing server was hosting will automatically restart themselves on another server that is a member of the same cluster. The process of a service moving from one server to another is called failover.


Friday, January 16, 2009

DNS directed lookups - pros and cons

When you have to do directed name lookups you have lots of options. Conditional forwarders, stub zones and secondary zones. What should I choose? It is not easy to choose, as the pros and cons are hard to find. But look no further, you are now reading the definitive source.

Before I go into the discussion of pros and cons, bear in mind that not all environments are equal. For this discussion there exist only two types of (WAN) connections between sites. A network that is firewalled can in many circumstances look like a LAN-LAN VPN type of connection, as the same restrictions apply.

Connection   Configuration
LAN-LAN VPN  In this configuration a remote site is connected to the main site using a VPN over the Internet. The remote site only has access to parts of your network, as defined by the IPsec policy.
Leased line  The remote site shares the entire IP network with the main network and can access all internal resources.

Stub zones

Microsoft added support for stub zones a few years ago. With a stub zone you configure where to load the stub records from, and all queries for the zone are iterative from that point. More about stub zones here.

Why
  • Does not require zone transfers to work.
  • Easy to integrate into an existing network as it can scale and change with the network.
  • The stub zone can be placed in Active Directory and automatically loaded onto all domain controllers.

Why not
  • If the stub zone fails to load (it cannot obtain the NS and SOA records) the zone can instead be loaded with information from the Internet. If the zone is part of a split DNS, the public information is then cached instead of the private information.
  • Queries are iterative; the DNS server will attempt to query all the DNS servers by itself to get the answer. If the zone has delegated subzones, our DNS server needs to talk to all the other DNS servers as well.
  • Changes to information within DNS propagate more slowly as the server caches all answers (negative answers too).
  • You have to reconfigure the zone properties for most changes on the other DNS server.

Secondary zone

A secondary zone will at all times keep a copy of the entire zone on disk or in memory. Read more here.

Why
  • Faster updates (potentially), as your DNS server can be notified of any changes to the original zone. (If not, the zone is refreshed based on the values in the SOA record.)
  • The server does not have to query any other server to get the answer. (Except when you have delegated subzones.)
  • If the zone expires (it fails to update the zone within the configured time) the server will only send back negative answers. It will not ask other DNS servers for an answer. (No chance of cache poisoning.)

Why not
  • You need zone transfers, and those are usually blocked on DNS servers.
  • If it is a zone with many records then you consume memory, disk and network resources.
  • You have to reconfigure the zone properties for most changes on the other DNS server.
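The refresh and expiry behaviour in the list above, as an added Python model (not Windows DNS Server code and not from the original post): it parses the timer fields of an SOA record and reports what state a secondary zone is in at a given time, and what a client then gets from it. The SOA rdata, host names and timestamps are constructed for the example.

```python
"""Model of how a secondary zone ages according to the timers in its SOA record.

Added example, not Windows DNS Server code. The SOA rdata below is constructed.
"""
from dataclasses import dataclass
from enum import Enum


class ZoneState(Enum):
    CURRENT = "current"        # inside the refresh interval: authoritative answers
    REFRESHING = "refreshing"  # refresh missed: still answering, retrying the master
    EXPIRED = "expired"        # expire reached: zone data discarded, queries fail


@dataclass(frozen=True)
class Soa:
    serial: int
    refresh: int   # seconds between checks of the master's serial
    retry: int     # seconds between retries after a failed refresh
    expire: int    # seconds without a successful refresh before the copy is dropped
    minimum: int   # negative-caching TTL


def parse_soa(rdata: str) -> Soa:
    """Parse SOA rdata: MNAME RNAME SERIAL REFRESH RETRY EXPIRE MINIMUM."""
    fields = rdata.split()
    if len(fields) != 7:
        raise ValueError("SOA rdata must have exactly 7 fields")
    serial, refresh, retry, expire, minimum = (int(f) for f in fields[2:])
    if expire <= refresh:
        raise ValueError("EXPIRE must be larger than REFRESH")
    return Soa(serial, refresh, retry, expire, minimum)


def zone_state(soa: Soa, last_good_transfer: int, now: int) -> ZoneState:
    """State of the secondary at `now`, given the time of its last successful transfer."""
    age = now - last_good_transfer
    if age < 0:
        raise ValueError("last transfer cannot be in the future")
    if age >= soa.expire:
        return ZoneState.EXPIRED
    if age >= soa.refresh:
        return ZoneState.REFRESHING
    return ZoneState.CURRENT


def seconds_until_expiry(soa: Soa, last_good_transfer: int, now: int) -> int:
    """How long the secondary keeps answering if the master stays unreachable from `now`."""
    return max(0, soa.expire - (now - last_good_transfer))


def answer(soa: Soa, last_good_transfer: int, now: int, name_in_zone: bool) -> str:
    """What a client gets from the secondary; it never falls back to other servers."""
    state = zone_state(soa, last_good_transfer, now)
    if state is ZoneState.EXPIRED:
        return "SERVFAIL"  # no data left, and no recursion to other servers
    return "authoritative answer" if name_in_zone else "NXDOMAIN"


# Constructed SOA: refresh 15 min, retry 10 min, expire 1 day, negative TTL 1 h.
EXAMPLE_SOA = parse_soa(
    "ns1.example.local. hostmaster.example.local. 2009012601 900 600 86400 3600"
)

if __name__ == "__main__":
    t0 = 1_232_928_000  # constructed epoch time of the last good zone transfer
    for offset in (60, 1_800, 86_400):
        state = zone_state(EXAMPLE_SOA, t0, t0 + offset)
        left = seconds_until_expiry(EXAMPLE_SOA, t0, t0 + offset)
        print(f"+{offset:>6}s: {state.value:<10} expires in {left}s")
```

Running the file prints the state one minute, half an hour and one day after the last good transfer. The number to take from it is seconds_until_expiry: once the master has been unreachable for EXPIRE seconds the secondary stops answering for the zone altogether, and because it never falls back to other servers that is an outage for every client using it, not a degradation.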

Conditional forwarders

A conditional forwarder sends (by default) a recursive query directly and returns the answer. Read more here.

Why
  • Queries are unconditionally forwarded to the forwarder(s).
  • Answers are cached.
  • Reduces the number of queries, as they are recursive. (Good if you have a slow WAN.)

Why not
  • Has to be configured manually on all name servers.
  • You have to reconfigure the zone properties for all changes on the other DNS server.

Sources


DNS and directed lookups explained

With Microsoft DNS Server you roughly have three ways to force lookup to specific servers. They are:

  • Stub zones
  • Secondary zones
  • Conditional forwarding

In any environment with split DNS, non-public zones or where you use .local domains you need to plan how to manage DNS lookups from third parties.

In this article you can read about the differences between these types.

Santa and an elf discussing next christmas

 

Stub zones

When you configure a stub zone you only tell the DNS server where to download the glue records for the zone. The glue records contain the SOA and NS records and, if needed, the corresponding A/AAAA records for that zone. Further resolving from the DNS server is done using these records. You have to type in one or more IP addresses of DNS servers to download the glue records from.

The local DNS server will use these records and continue recursion as normal, using these NS pointers as hints. You cannot control which DNS server will be queried.

Secondary zones

A secondary zone contains a copy of the entire zone and can give authoritative answers. The entire content of the zone is downloaded from your DNS Servers (you have to specify where to download the zone from) and stored in a local file.

Conditional forwarders

This is also known as a forward delegation. When you configure a conditional forwarder you simply say that for all queries to a domain, ask this (or these) IP addresses.

All queries are recursive with a conditional forwarder.


Thursday, January 15, 2009

MaxMind - GeoIP | IP Address Location Technology

MaxMind - GeoIP | IP Address Location Technology is a software product that gives you back information about a given IP address.

Wednesday, January 14, 2009

Clipart sites

I have earlier written about how to get clipart for your web pages. I have used http://www.clipart.com for a while and am very fond of it.

Art

But after using it for a while I have to admit that I get bored with the look of the cliparts. I have looked at Stockxpert and also used some images from them. But what I really miss are computer icons and simple clipart.

Here are some of my findings in this quest. Most icons listed here probably will cost some money. Those that are free will probably have some usage constraints attached to them. You will have to be the judge if it is worth the price.

Site: Content
FreeIconsWeb: Here you can browse and download Over 15,000 high quality Free Icons for Windows, Macintosh and Linux Systems. (Desktop Icons, Windows Icons, Windows XP and Vista Icons, Mac OS X Icons, Linux, PNG Transparent Icons, Gif Icons, Pixels Icons).
IconGalore: Our Icon creation process consists of seven strenuous steps and each step is governed by high level of quality control. Design overview of each icon is brought out by scrupulous planning and discussions to make them look unique and highly expressive. Providing the perfect color depth and sharp features to all icons (irrespective of the icon size and format) is another area which we give utmost importance to. Finally all our icons go through arduous testing and quality control measures before they are presented as completed ones. They also do custom icons.
IconsPedia: Lots of cool clip arts that are free and computer related.
IconExperience: Since 2003 the IconExperience is one of the leading sources for high professional icons. We invite you to browse through our icon collections and see for yourself how much we care for outstanding icon design.
Barry's clipart server: Lots of clip arts in the same style as clipart.com.
Pure Clipart: Some clip arts. Not the greatest site but at least the site is easy to navigate through.
Free clipart fever: This site is loaded with annoying popups and ads. But they also got some nice clip arts for you to download.
clip-art.com: The Net's Original and Best Collection of Clipart Links
IconShock: We release about 5000 new and unique professional icons in 3 new icon sets each week... with different design styles: XP, Windows Vista, Mac and many others unique and original styles. We provide a lot of sizes, formats and color states for each icon, also you will find vector icons, which includes source files fully editables.
Icons-Land: Not many icons to choose from but they seem to be of great quality.


How to automatically archive or move deleted items

Many organizations have policies that automatically purge deleted items after a period of time. How can you as an Outlook user circumvent this limitation?

Many Outlook users use their deleted items folder as an archive of previous threads. Often it can be hard to know what to archive and what to delete. As a result everything is archived in the deleted items folder.

I know of two ways to work around this issue.

  1. Configure archiving of your deleted items folder to a local PST file.
  2. Run programs like Auto-Mate to automatically move items from your deleted items folder to another folder in your mail system.

The downside of both proposed solutions is that they are client-side, whereas the automatic delete is server-side. If your client is offline for longer than the retention period you will lose the valuable mails archived in deleted items.


Friday, January 09, 2009

NAD C320 and Infinity Beta 10 review

NAD C320 is now an old amplifier. I have it and I like it. At least to some extent.

There are many reviews on the net for this amplifier. You can find some on Google. I will not try to write an extensive review, just my thoughts about this amplifier.

Playing guitar and listening to music

I have used the amplifier with Infinity Beta 10 for some time now. I have never really liked the sound; the bass is too powerful and everything is "distorted" somehow. It is not easy for me to describe the sound accurately. When playing at low volume everything is OK. But when I turn up the volume I very soon start to get cracks in the sound and too much bass.

I decided to switch amplifier because of the cracks. I looked in my basement and found my old Philips FA890 there. If I am not wrong this amplifier was the first I bought in my youth.

After the switch all the cracks went away. The "new" amplifier is much better at driving the loudspeakers. I can play much louder now, the bass is more powerful, and the best part is that the "distorted" part is gone.

Many reviews write about the NAD amplifier having a warm sound. I think this, in conjunction with the loudspeakers, is the reason I did not have good sound.

Moral of the story: You need to find loudspeakers and an amplifier that match your preferences in sound. Do not base your purchase decision solely on amplifier reviews. See what loudspeakers the amplifier is tested with, and more importantly, listen for yourself.

Thursday, January 08, 2009

CEF and unequal traffic sharing

Today I stumbled across a Cisco switch where the layer 3 CEF switching resulted in an unequal sharing of the outgoing load. The incoming traffic is from a Fortigate router which handles load sharing differently.

First I looked into the routing table and verified that I have two active routes to the destination.

Switch#sho ip ro 192.168.1.1
Routing entry for 192.168.1.0/24
  Known via "ospf 1", distance 110, metric 10, type extern 2, forward metric 1
  Last update from 10.47.1.1 on Vlan3800, 2w2d ago
  Routing Descriptor Blocks:
  * 172.30.254.249, from 10.47.1.1, 2w2d ago, via Vlan3800
      Route metric is 10, traffic share count is 1
    172.30.254.241, from 10.48.1.1, 2w2d ago, via Vlan200
      Route metric is 10, traffic share count is 1

I then looked into CEF.

Switch#sho ip cef 192.168.1.1 internal
192.168.1.0/24, epoch 1, RIB, refcount 6, per-destination sharing

The destination here is 192.168.1.0/24 - and it seems like Cisco is sending everything to that destination out on only one interface. Investigating further I found this command that also confirms this. (Run it several times!)

Switch#sho ip cef exact-route 10.0.0.1 192.168.1.1
10.0.0.1 -> 192.168.1.1 => IP adj out of Vlan3800, addr 10.47.1.1

I went looking on the Internet and found a great resource on Cisco and CEF on Cisco IOS hints and tricks.

Unfortunately, I did not find a solution that helped me.
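A toy model of the per-destination sharing that the CEF output above reports, added here as an example and not Cisco's code: each (source, destination) address pair is pinned to one of the two next hops from the routing table, so traffic between one address pair can never be split across both links. The hash is a SHA-256 stand-in (real CEF uses its own hash plus a per-router universal ID) and the traffic samples are constructed.

```python
"""Toy model of per-destination load sharing; added example, not Cisco code."""
import hashlib
from collections import Counter

# The two equal-cost next hops from the routing table in the post.
PATHS = ("Vlan3800 via 172.30.254.249", "Vlan200 via 172.30.254.241")


def pick_path(src: str, dst: str, paths=PATHS, router_id: int = 0) -> str:
    """Per-destination selection: every packet of one (src, dst) pair takes the same path.

    Real CEF hashes the same inputs with its own function and a per-router universal ID;
    SHA-256 is a stand-in that keeps the property that matters here: determinism per pair.
    """
    digest = hashlib.sha256(f"{router_id}|{src}|{dst}".encode()).digest()
    return paths[int.from_bytes(digest[:4], "big") % len(paths)]


def distribute(flows, paths=PATHS) -> Counter:
    """Packets per path for a list of (src, dst, packet_count) flows."""
    load = Counter({p: 0 for p in paths})
    for src, dst, packets in flows:
        load[pick_path(src, dst, paths)] += packets
    return load


def imbalance(load: Counter) -> float:
    """Share of all packets on the busiest path (0.5 = perfect split over two paths)."""
    total = sum(load.values())
    return max(load.values()) / total if total else 0.0


# Constructed traffic: everything between the one address pair used with
# `sho ip cef exact-route` in the post ...
SINGLE_PAIR = [("10.0.0.1", "192.168.1.1", 10_000)]
# ... versus the same volume spread over 200 distinct source addresses.
MANY_PAIRS = [(f"10.0.{i // 256}.{i % 256}", "192.168.1.1", 50) for i in range(200)]

if __name__ == "__main__":
    for name, flows in (("single src/dst pair", SINGLE_PAIR), ("200 source addresses", MANY_PAIRS)):
        load = distribute(flows)
        print(f"{name}: {dict(load)} busiest path carries {imbalance(load):.0%}")
```

The first sample reproduces the exact-route observation: every packet between one address pair leaves on one VLAN, no matter how many packets there are. The second shows the same selector spreading the load as soon as there are many distinct pairs, which is why counting the distinct source/destination pairs that actually cross the switch is the first thing to check before suspecting the hash itself.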


Tuesday, January 06, 2009

IPv6 prefixes explained

IPv6 addresses are hard to read. Prefixes are also new for us. In this article I will show common prefixes and how to use them.

IPv6 addresses

There are many ways to express an IPv6 address. For example, the addresses below are all valid and equivalent:

2001:0db8:0000:0000:0000:0000:1428:57ab
2001:0db8:0000:0000:0000::1428:57ab
2001:0db8:0:0:0:0:1428:57ab
2001:0db8:0:0::1428:57ab
2001:0db8::1428:57ab
2001:db8::1428:57ab

The important lesson here is that the IPv6 addresses are complex and long. One or any number of consecutive groups of 0 value may be replaced with two colons (::).

Prefixes

You can specify a prefix on an IP address. Prefixes have the syntax /<number of bits>, like 2001:db8::/32. Prefixes are only used for routing, as networks that connect computers are expected to have a /64 prefix.

Each colon-separated group in an IPv6 address represents 16 bits (two octets), giving a total of 8 groups. A mask of /32 thus covers the first two groups.

IP      2001 : 0db8 : 0000 : 0000 : 0000 : 0000 : 1428 : 57ab
Prefix   /16    /32    /48    /64    /80    /96   /112   /128

Sources

Wikipedia's article on IPv6 is used as the main source.


Monday, January 05, 2009

HP GbE2c Ethernet Blade Switch User Guide

The user guide (documentation) for this switch, dated May 2006 can be found here.


VLAN tagging on GbE2c

The HP GbE2c Ethernet Blade Switch for HP c-Class BladeSystem can sometimes be hard to configure correctly.

This is how to configure a port in trunk (Cisco term) or tagged mode, so that it can carry several VLANs over one port.

First we change port 5 to allow it to send and receive tagged VLANs.

/cfg/port
Enter port (1-24): 5
>> Port 5# tag
Current VLAN tag support: disabled
Enter new VLAN tag support [d/e]: e
 

Remember to verify that the VLANs you need are enabled on the switch. Below you see VLAN 1 and 107 defined on this switch.

>> System# /info/l2/vlan
VLAN  Name          Status  Ports
1     Default VLAN  ena     4 5 11-13 17 18 20 21 23 24
107   VLAN 107      ena     9 21

If you need to add more VLANs you have to type in the commands listed below. Here I will create VLAN 142.

/cfg/l2/vlan
Enter VLAN number: (1-4095) 142
ena
Current status: disabled
New status: enabled

The PVID (port VLAN ID) is 1. This is the VLAN whose frames are sent untagged on the port.

You are now ready to add VLANs to the port. You have to repeat this for every VLAN that you want to carry over the port.

/cfg/l2/vlan 142
add 5

Before you finish remember to apply and save the changes. You apply them to make them active, and you save them so they are persistent between reboots of the switch.

save
apply


Can I image computers with OfficeScan?

If you try to clone, copy or ghost a computer with Trend OfficeScan installed you need to take some precautions.

A ghost

Each installation of OfficeScan places a unique identifier in the registry. This identifier looks like a GUID. I do not know how OfficeScan creates this identifier, but I know that it has to be unique for web updates to work.

There are two ways to solve this:

  1. Install OfficeScan after making the image of the computer.
  2. Run the tool imgsetup.exe (Image Setup Utility) prior to imaging the client.

Some background information

Imaging and ghosting are common names for copying the contents of one computer to another. You do this when you want to update many similar computers with a new operating system.

The term ghosting comes from a software suite called Ghost. This probably was the first software that did imaging [wild guess]. Ghost is currently sold by Symantec.

If you want to retrieve GUID's or SID's from a computer you can see how here.


How to get the computer GUID and SID

From time to time you might need to get your computer GUID and/or SID.

Read on to see how to retrieve these values from your computer.

Computer GUID

To get the GUID of your computer you can download a tool called SIW. This program does not need to be installed to run.

Click on Operating System and you will find the computer GUID there.

Computer SID

Download NewSID from Microsoft and run it. NewSID is a tool to change the computer SID and is used with cloning of computers. The SID has to be unique within a network.

You will see the current SID on the screen where you can specify what to change it to. Do not change your SID.


Sunday, January 04, 2009

Another workaround for Blogger publishing

Many have experienced problems when publishing content from Blogger. The error message is:
java.net.ConnectException: Connection timed out

A man with problems

As you might guess I also have this problem. You can read more about it here.

I did some investigation and finally have managed to make a workaround that works for me.

I guessed pretty early that the source of the problem was network related, but I could not pinpoint it. So I started by trying to publish to other IP addresses to see what happened. For all other ISPs I could see that Blogger tried to publish the content for me.

I started out by using another IP address for Blogger; they published to a different IP address than the normal one. This did not work.

My hosting company (where I work...) has two separate data centers with all infrastructure duplicated. So I then went on and configured inbound NAT in the other data center and routed the traffic back to the original server.

This worked for me and also proves that there is a problem, probably within the Blogger environment itself. I also understand that not everyone can do this by themselves.


Word verification is not easy to use

Google is not making it easy for OCR software to analyze their verification words.

Unfortunately they do not make it easy for us either...

 


Cannot publish with blogger

This post was also posted here. The reason is that at the time of writing I cannot post new posts to my own blog. Free services are great until you get into trouble and need some help.

I cannot publish my blog any more. This only happens for one of my four blogs. The others work well. The problem started around Christmas time, but I cannot give the exact date.

The error message is:
java.net.ConnectException: Connection timed out

Blogger publishing error

I have read about many others with the same problem. The problem appeared at the same time. Unfortunately I have yet to find a solution for this problem.

I started by looking into my own server to see if I could find an error there. I could not.

I switched from sftp to ftp publishing to see if that helped. No luck.

I then changed from a hostname to IP address to see if that helped. It did not.

I do not see any kind of traffic through my firewall when I try to publish anything.

I then decided to try publishing to another IP address, on another ISP. When I did so I could see traffic. The source IP was 72.14.206.132, which belongs to Google.

This made me believe we have a routing issue on the Internet. But I checked that as well and it seems to be right. I can at least do a ping back to the originating IP.

It seems like Blogger works from multiple sites. I have found in my logs that some of my blogs are published from a site in Canada, but I have this problem when publishing from Google in California.

I hope they find a solution really soon.

Some sources:


TMPGEnc Authoring Works 4 first look

This is a first look at the product TMPGEnc Authoring Works 4 from Pegasys, Inc.

I am a long time user of their product TMPGEnc Xpress 4.0, a tool that I use to convert videos into whatever format I like, mostly MPEG. Unfortunately I have not written anything about this product yet.

This article expresses my opinions about this product after using it for about one hour.

What is TAW4?

This is a tool to create DVDs, Blu-rays and DivX discs from your videos. You can use almost any video source as input and it will transcode it to whatever it takes to make the appropriate output. It is fairly easy to make menus the way you want.

In an earlier article about DVD authoring tools I have listed some alternatives for you. I think TAW4 is a good combination of DVD authoring software and editing software. But definitely not the best tool if you really want to have control of all aspects of your production.

What is good?

  • Fairly easy to use.
  • Faster when working with AVCHD content (compared to other TMPGEnc products).
  • Good control of output - both for look, menu and quality.
  • Does not re-encode more than what is necessary to the output stream. (Faster production.)
  • Comes with burning software included.

What is bad?

I have not found anything really bad about this product yet, but I lack control of transcoding parameters. I think you in the end will use Xpress 4.0 first to convert many of your AVCHD files and then use TAW to make the disc.


Selfsat H10D first look and review

I just decided to buy a satellite dish. I found a dish from Selfsat called HD-10D. The main reason I chose this dish over a traditional round dish was its size and its discreet form.

The dish is flat and does not stand out from the house. But you can read all about these arguments from their own homepage. For the rest of this article I will talk about my experience with this dish.

The box

When I received the box my first impression was a solid box with all parts properly locked in the right position. This box is made to be shipped around the world.

Selfsat H10D box contents

The box ships with all brackets you probably will need. For wall mounting, window mounting and on a vertical stand. You get all the screws and nuts you need - except for those that you need to mount to the external surface. (Your wall etc.)

You also get a compass. Nice if you don't have one - you will need it when you adjust the dish.

The assembly

The assembly is straightforward. The included instruction manual takes you step by step through how to assemble it for your specific configuration. The assembly is done within half an hour, plus the time you need to put it on your wall.

Mounting

I have not mounted it yet so no comments here for now. I am excited to learn how to mount and adjust the dish to the wall. I just need a receiver before I can continue.


Thursday, January 01, 2009

Happy new year

Happy new year

Fireworks