How to install Hyper-V Integration Services (ICs) in Ubuntu 12.04 LTS

After you install the guest OS on the virtual machine in Hyper-V, you need to install the Hyper-V Integration Services in the guest OS. Since the Hyper-V Integration Components were contributed to Linux, they’ve been included in recent versions of the Linux kernel. With distributions based on newer builds of the Linux kernel (2.6.32 and after) you can add high performance support for Hyper-V without the need to download the Linux Integration Components (ICs) from Microsoft.

For Ubuntu 12.04 the following Hyper-V integration services are available: time synchronization, operating system shutdown, and heartbeat. Also, included are the following drivers: IDE, SCSI, networking, and mouse. Microsoft’s About Virtual Machines and Guest Operating Systems article provides a list of guest operating systems and features that are supported for Hyper-V in Windows Server 2008 R2, Hyper-V in Windows Server 2008 with Service Pack 2, and Hyper-V version 1. For a list of guest OS support in Hyper-V role in Windows Server 2012 see Hyper-V Overview in TechNet.

In this post I am using Ubuntu 12.04 LTS as the guest OS and the Hyper-V role in Windows Server 2012 as the hypervisor. As mentioned earlier, integration services are built in (since Ubuntu version 10.10) and do not require a separate download and installation — the ICs just need to be activated. To enable the integration services you will need to edit the modules file located in /etc/initramfs-tools. Below are the step-by-step instructions on how to do so in vi:

cd /etc/initramfs-tools/
sudo vi modules

In vi navigate to the last line in the file and use the I command to append a new line below this one. Enter the following four lines:

hv_vmbus
hv_storvsc
hv_blkvsc
hv_netvsc

Save the file by hitting the Esc key and issuing the :x command. Once the modules file has been updated, the following command needs to be executed:

sudo update-initramfs -u

At this point the guest OS needs to be rebooted:

sudo shutdown -r now

After the virtual machine reboots, run the following command to check if the modules are enabled:

lsmod
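As an added example that is not part of the original post, here is a small POSIX shell helper that performs the same edit idempotently (re-running it never duplicates a line) and reports which of the four modules are absent from saved lsmod output after the reboot. The file paths and the sample lsmod output are constructed; on a real guest you would point add_hv_modules at /etc/initramfs-tools/modules as root.

```shell
#!/bin/sh
# Added example, not from the original post. Adds the four Hyper-V modules to
# an initramfs-tools modules file only if they are missing, and reports which
# of them are absent from `lsmod` output after the reboot.

HV_MODULES="hv_vmbus hv_storvsc hv_blkvsc hv_netvsc"

# add_hv_modules FILE: append each module name that is not already listed.
# Lines are matched whole (-x), so "hv_vmbus" does not match "hv_vmbus_old".
add_hv_modules() {
    f="$1"
    for m in $HV_MODULES; do
        grep -qx "$m" "$f" || printf '%s\n' "$m" >> "$f"
    done
}

# missing_hv_modules LSMOD_FILE: given saved `lsmod` output (one header line,
# then "name size used-by" per module), print the HV modules that are not
# loaded, space separated; prints an empty line when all four are present.
missing_hv_modules() {
    missing=""
    for m in $HV_MODULES; do
        if ! awk -v mod="$m" 'NR > 1 && $1 == mod { found = 1 }
                               END { exit (found ? 0 : 1) }' "$1"; then
            missing="$missing $m"
        fi
    done
    printf '%s\n' "${missing# }"
}

# Stand-alone demonstration on constructed data; never touches /etc.
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp)
    printf 'hv_vmbus\n' > "$tmp"      # one module already present
    add_hv_modules "$tmp"
    add_hv_modules "$tmp"             # second run must add nothing
    echo "modules file now contains:"; cat "$tmp"
    lsm=$(mktemp)
    printf 'Module Size Used by\nhv_vmbus 1 0\nhv_netvsc 2 0\n' > "$lsm"
    echo "not loaded: $(missing_hv_modules "$lsm")"
    rm -f "$tmp" "$lsm"
fi
```

After the reboot, `lsmod > /tmp/lsmod.txt; missing_hv_modules /tmp/lsmod.txt` should print an empty line; any module name it prints is one that did not load.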

The ICs work great, but the version of the Integration Components is not the exact one that Windows Server 2012 expects (the same issue is reported with Windows Server 2008 R2). With some versions of the ICs you might see some interesting notes in your Windows event log. Don’t worry, the ICs work just fine, as the event log itself says. The comment about support can show up for any version of Linux, whether it is supported or not, due to the timing of the code release.


How to block LinkedIn from connecting to Exchange Web Services (EWS)

As mentioned in the previous post, LinkedIn introduced a feature that allows it to harvest the Global Address List (GAL) of an Exchange organization by having one of the end users simply enter their mailbox login credentials into a web-based wizard.

Most organizations might not be ready yet to lock down Exchange Web Services (EWS) completely as described in the prior post, so presented here are the steps necessary to block only LinkedIn from connecting to EWS. If the Get-OrganizationConfig cmdlet shows that -EwsApplicationAccessPolicy is not configured, it needs to be set to EnforceBlockList and the LinkedIn application added to the block list:

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceBlockList
Set-OrganizationConfig -EwsBlockList LinkedInEWS

LinkedIn is now blocked from connecting to Exchange Web Services (EWS). LinkedIn actually created a FAQ stating as much, called Disabling Contact Import Process – Corporate IT Managers Instructions. Here is the full text of that FAQ article:

How do I disable the ability for employees at my company to import contacts from their work email account?

If you’re a Corporate IT manager, you can disable an employee’s ability to import contacts from their work email accounts.

Use Set-OrganizationConfig cmdlet to:

  • Set the value of config parameter EwsApplicationAccessPolicy to EnforceBlockList.
  • Add value LinkedInEWS to config parameter EwsBlockList.

For more information on using Set-OrganizationConfig cmdlet, please refer to Microsoft’s Managing Access for EWS Managed API Applications.


How to lock down Exchange Web Services (EWS)

When LinkedIn introduced a feature that allows it to harvest the Global Address List (GAL) of an Exchange organization by having one of the end users simply enter their mailbox login credentials into a web-based wizard, it made news as an unwelcome feature on many blogs dedicated to messaging and Exchange. LinkedIn is not the first and not the last service to do so, and we fully expect Facebook to follow their lead in helping people “find friends” amongst their coworkers.

See Who You Already Know on LinkedIn

First a quick overview of what EWS is: Exchange Web Services (EWS) provides the functionality to enable client applications to communicate with the Exchange server. EWS provides access to much of the same data that is made available through Microsoft Office Outlook. EWS clients can integrate Outlook data into Line-of-Business (LOB) applications. SOAP provides the messaging framework for messages sent between the client application and the Exchange server. The SOAP messages are sent by HTTP.

Directory harvesting is nothing new and there have been plenty of Outlook plugins doing so in the past. The major difference is that now no software needs to be installed on the client. EWS is a really powerful interface allowing not only directory and object read/write access, but also full mailbox access. Services such as Office 365 are able to migrate whole mailboxes utilizing the EWS interface, so it is fairly obvious why an organization will want to remain in control of this interface. The default setting of the EWS interface is set to allow all. Here is how to check what it is set to and how to lock it down.

Use the Get-OrganizationConfig cmdlet to get configuration data for an Exchange organization.

Get-OrganizationConfig

Use the Set-OrganizationConfig cmdlet to configure various settings of an Exchange organization.

Set-OrganizationConfig -EwsApplicationAccessPolicy:EnforceAllowList

The above command will block all applications from accessing EWS except for the ones specified in the Allow List. To add applications to the Allow List use the following command:

Set-OrganizationConfig -EwsAllowList AppNameEWS

At this point the Exchange Web Services (EWS) are locked down and access is granted to specific applications only.


How to fix Windows Update endless loop in Windows 2003

On some computers, after installing a Windows Update agent later than August 2012, Windows or Microsoft Update gets stuck in an endless loop, trying to download page 3 of 3, but it never does. Then the update process restarts and returns to the download step. Rebooting the computer does not resolve the issue.

In my particular situation this issue occurred on Windows Server 2003 with Internet Explorer 8 (same issue is reported by other users with IE7). The solution that seems to work, is to exit the Windows/Microsoft Update process. Not just close the Windows Update window, which simply minimizes it to the task bar, but to actually exit or kill the update process. Then open a new Internet Explorer browser window. From the Internet Explorer Tools menu — select Windows Update. Whatever this option does, it seems to fix the Windows Update endless loop, and from this point on the update agent functions normally.


How to add servers to Windows 2012 Server Manager in a workgroup

With Windows Server 2012 you can manage multiple remote servers by using a single Server Manager console. Servers that you want to manage by using Server Manager can be running Windows Server 2012, Windows Server 2008 R2, Windows Server 2008, or Windows Server 2003. Server Manager can receive only online or offline status from servers that are running Windows Server 2003. Although you can use Server Manager to perform management tasks on servers that are running Windows Server 2008 R2 or Windows Server 2008, you cannot add roles and features to servers that are running Windows Server 2008 R2, Windows Server 2008 or Windows Server 2003.

This post describes how to add servers to the Server Manager server pool in a workgroup (non-domain) environment. If you tried just adding the server to Server Manager, you have most likely already encountered one of the following manageability status errors:

  • Kerberos target resolution error
  • Kerberos authentication error
  • Online – Access denied

If two computers are not in the same subnet, or if the workgroup computer’s network profile is not set to Private, on the workgroup computer that is running Server Manager, change the inbound Windows Remote Management (HTTP-In) setting in Windows Firewall to explicitly allow connections from remote computers by adding the computer names on the Computers tab of the setting’s Properties dialog box.

On the computer that is running Server Manager, add the workgroup server name to the TrustedHosts list. This is a requirement of NTLM authentication. To add a computer name to an existing list of trusted hosts, add the Concatenate parameter to the command. For example, to add the Server01 computer to an existing list of trusted hosts, use the following PowerShell command.

Set-Item wsman:\localhost\Client\TrustedHosts Server01 -Concatenate -Force

To override UAC restrictions on running elevated processes on workgroup computers, create a registry entry called LocalAccountTokenFilterPolicy on the workgroup server by running the following PowerShell cmdlet.

New-ItemProperty -Name LocalAccountTokenFilterPolicy -path HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System -propertyType DWord -value 1

At this point you should be able to add the servers specified in TrustedHosts to the Server Manager pool. As you add remote servers to Server Manager, some of the servers that you add might require different user account credentials to access or manage them. To specify credentials for a managed server that are different from those you use to log on to the computer on which you are running Server Manager, use the Manage As command after you add a server to Server Manager, which is accessible by right-clicking the entry for a managed server in the Servers tile of a role or group home page.

Based on tests conducted by Microsoft, Server Manager in Windows Server 2012 can be used to manage up to 100 servers that are configured with a typical workload. The number of servers that you can manage by using a single Server Manager console can vary depending on the amount of data that you request from managed servers, and hardware and network resources available to the computer running Server Manager. As the amount of data you want to display approaches that computer’s resource capacity, you can experience slow responses from Server Manager, and delays in the completion of refreshes. To help increase the number of servers that you can manage by using Server Manager, Microsoft recommends limiting the event data that Server Manager gets from your managed servers, by using settings in the Configure Event Data dialog box. Configure Event Data can be opened from the Tasks menu in the Events tile.


How to manage Network Time Protocol (NTP) in a small network

Network Time Protocol (NTP) is a networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. A less complex implementation of NTP, using the same protocol but without requiring the storage of state over extended periods of time, is known as the Simple Network Time Protocol (SNTP). It is used in some embedded devices and in applications where high accuracy timing is not required.

According to Microsoft, most [if not all] versions of Windows OS use Simple Network Time Protocol (SNTP) and not NTP. What this means is that the majority of network devices that require an NTP server as a time source will not be able to sync time from a Windows server. This list of devices includes printers, VoIP phones, routers, switches, and many other managed network devices. The primary reason for making sure that all devices have accurate time that is in sync with the rest of the devices on the network is to ensure the accuracy of transaction, audit and security logs (syslog, SNMP, etc.) and to adhere to the requirements of many local and federal regulations such as HIPAA and Sarbanes-Oxley (SOX).

In large enterprise environments these issues are usually addressed using dedicated NTP hardware appliances, such as the ones offered by Symmetricom, or NTP daemons running on high-end UNIX-based servers. For a small network or branch office environment that still requires Network Time Protocol synchronization, the enterprise solutions mentioned previously are most likely cost prohibitive. There are a couple of low cost options for providing NTP sync — one is a hardware appliance and the other is a software only solution.

Mentioned in an earlier post, the TM1000A GPS Network Time Server from Time Machines is a Stratum 1 time source appliance. Because it uses a GPS antenna to receive the current time broadcast by United States GPS satellites — it requires line of sight access to the sky, so it may not be possible to implement within most datacenter or IT facilities. In these situations the only possible solution may have to be a software one. As described in the previous post, it is very easy to deploy an NTP server (daemon) on a Linux machine. The machine does not have to be a physical box either — this can be implemented inside a VM.

After the NTP server solution is decided upon and implemented, the final steps include configuring the client devices. For most, the NTP server IP address or fully qualified domain name (FQDN) will be ‘hardcoded’ into the config, but for others the NTP server address can be broadcast via DHCP. In an IPv4 DHCP scope, option code 042 is used to specify the IP address in binary format of each server that provides NTP/SNTP (RFC 958 / RFC 1769). Do not confuse it with option 004, which specifies servers that provide TIME/ITP (as per RFC 868).

One last tip: For devices that require specifying two NTP servers and there is only one available on the network — a simple workaround is to specify the IP address of the NTP server for NTP1 setting, and the fully qualified domain name (FQDN) of the same NTP server for the NTP2 setting (or vice versa).


How to setup NTP server in Ubuntu 12.04 LTS

The initial Google search on “implementing NTP server on Ubuntu” produced a number of conflicting results. As it turned out, the process is very simple — much simpler than described in some blogs. The best source for this information is the official Ubuntu documentation. Nevertheless, in this post I will go over the few things one needs to know about Network Time Protocol (NTP) server setup on Ubuntu 12.04 LTS.

Out of the box Ubuntu has only the NTP client (ntpdate) installed. It runs once at boot time to set your time according to Ubuntu’s NTP server. It can be executed on demand from the Command Line Interface (CLI) or from a cron job like so:

ntpdate -s ntp.ubuntu.com

The NTP server on Ubuntu is called ntpd (NTP daemon). It calculates the drift of your system clock and continuously adjusts it, so there are no large corrections that could lead to inconsistent logs for instance. The cost is a little processing power and memory, but for a modern server this is negligible. Installing ntpd is simple using the apt-get package installer:

sudo apt-get install ntp

Please note that the apt-get package is called “ntp”, not “ntpd”. To view the status of the newly installed NTP server (ntpd), use the ntpq command:

sudo ntpq -p

Finally, one may wish to customize the list of stratum servers that the NTP server will sync with. By default these servers are configured:

server 0.ubuntu.pool.ntp.org
server 1.ubuntu.pool.ntp.org
server 2.ubuntu.pool.ntp.org
server 3.ubuntu.pool.ntp.org

Edit /etc/ntp.conf to add or remove servers. After changing the config file you have to reload ntpd using the following command:

sudo /etc/init.d/ntp reload

At this point the NTP server is configured and running, so you can start pointing your NTP clients to it.
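Before pointing clients at the new server it is worth confirming that ntpd has actually selected a system peer, since a freshly started daemon (or one whose configured servers are all unreachable) answers clients with an unsynchronised clock. As an added example that is not part of the original post, this POSIX shell helper interprets saved `ntpq -p` output; the sample output it writes is constructed to resemble a server synced to the Ubuntu pool.

```shell
#!/bin/sh
# Added example, not from the original post: interpret saved `ntpq -p` output.
# Columns: tally-char+remote, refid, st, t, when, poll, reach, delay,
# offset (ms), jitter. The tally character '*' marks the system peer the clock
# is synchronised to, '+' a usable candidate, and a blank a peer that is not
# used. Two header lines precede the peer table.

# ntp_sys_peer FILE: print the remote name of the '*' peer, or nothing.
ntp_sys_peer() {
    awk 'NR > 2 && substr($0, 1, 1) == "*" { print substr($1, 2); exit }' "$1"
}

# ntp_selected_count FILE: number of peers ntpd considers usable ('*' or '+').
ntp_selected_count() {
    awk 'NR > 2 { c = substr($0, 1, 1); if (c == "*" || c == "+") n++ }
         END { print n + 0 }' "$1"
}

# ntp_synced_within FILE LIMIT_MS: succeed only if there is a system peer and
# its absolute offset is at or below LIMIT_MS. No '*' line means not synced.
ntp_synced_within() {
    awk -v lim="$2" '
        NR > 2 && substr($0, 1, 1) == "*" {
            off = $9 + 0; if (off < 0) off = -off
            ok = (off <= lim)
        }
        END { exit (ok ? 0 : 1) }' "$1"
}

# ntp_write_sample FILE: constructed `ntpq -p` output (sample data, not real).
ntp_write_sample() {
    cat > "$1" <<'EOF'
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*0.ubuntu.pool.n 192.0.2.10       2 u   34   64  377   12.345   -1.234   0.567
+1.ubuntu.pool.n 192.0.2.11       2 u   30   64  377   15.001    2.300   0.900
 2.ubuntu.pool.n .INIT.          16 u    -   64    0    0.000    0.000   0.000
EOF
}

# Stand-alone demonstration on the constructed sample.
if [ "${1:-}" = "--demo" ]; then
    sample=$(mktemp)
    ntp_write_sample "$sample"
    echo "system peer: $(ntp_sys_peer "$sample")"
    echo "usable peers: $(ntp_selected_count "$sample")"
    ntp_synced_within "$sample" 100 && echo "synced" || echo "NOT synced"
    rm -f "$sample"
fi
```

On the real server, `sudo ntpq -p > /tmp/ntpq.txt; ntp_synced_within /tmp/ntpq.txt 100` gives a usable exit status for a monitoring check; a reach value of 0 on every line means the firewall or upstream servers, not ntpd, are the problem.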


What is the best Linux distribution for deploying LAMP?

A common question that comes up fairly often is which Linux distribution is best to use for deploying the LAMP software bundle. Quick reminder: the acronym LAMP refers to the first letters of Linux (operating system), Apache HTTP Server, MySQL (database software), and PHP, Perl or Python, the principal components to build a viable general purpose web server. Since the question is phrased as which “Linux distro” is best to use — let’s exclude FreeBSD and other UNIX variants.

This article will attempt to explain in general terms the pros and cons of using a specific flavor of Linux. Currently there are three commercially viable Linux vendors: Red Hat, SUSE and Canonical. Ubuntu from Canonical is distributed as free and open source software, and there are open source variants of the other two Linux distros. CentOS (Community ENTerprise Operating System) is the open source version of Red Hat Enterprise Linux (RHEL) with all Red Hat branding and utilities removed. openSUSE is the open source distro of SUSE Linux Enterprise.

Now, using the process of elimination, let’s attempt to select the best Linux distro for LAMP deployment. First we eliminate SUSE Linux/openSUSE from the competition. The main reason behind this is that SUSE is owned by Novell, which is in turn owned by Attachmate. This seems like a questionable combination from the start, so the quality and support of future releases of this distro are unknown. It’s no surprise that Novell has been shopping around for a buyer for SUSE for a few years now. It has been rumored that VMware was interested in buying SUSE, but so far they haven’t. This means only two contenders are left: Red Hat/CentOS and Ubuntu.

For the purposes of this competition we will consider free open source distributions only (see my previous post for more reasons why). After all LAMP is supposed to be a combination of free, open source software. This leaves us with CentOS and Ubuntu. Since CentOS is RedHat Enterprise Linux based it is probably one of the most widely used Linux distros out there. That does not mean that it’s perfect. It has its share of issues and occasional bugs arising from the upstream RHEL releases. Ubuntu seems to have much wider hardware support, but since the main purpose of this competition is finding the best distro to deploy LAMP, we are going to discount Ubuntu Desktop and focus on Server only. Hardware support in CentOS is basically comparable to that of Ubuntu Server, although Ubuntu is known to run better than CentOS inside the Microsoft Hyper-V hypervisor.

The two distros are not identical by any means. CentOS is RHEL based, uses Yum (PackageKit) update method, and RPM package manager. Ubuntu is Debian based, uses APT / Software Updater update method, and dpkg package manager. Working with either one will require specific knowledge, thus at this point you may have a preference for one or the other based on your past experiences. Now there are two great reasons why in the end Ubuntu comes out on top. First of all you can easily obtain commercial support for it from Canonical. This point might be important to enterprise users. CentOS is community support only. Also, Canonical’s team seems to have the release process down to a science, with its bi-annual releases along with long-term support (LTS) releases that are maintained for five years.

The second major reason why Ubuntu seems to be the winner of this competition is Ubuntu Cloud and OpenStack. Ubuntu Server is now widely available in the public cloud (Amazon Web Services, Rackspace, and Windows Azure), both as underlying infrastructure and as a guest operating system. With Ubuntu Cloud Guest, you can install Ubuntu Server instances on any of the leading public clouds. Canonical claims that Ubuntu is now the most heavily used guest OS on both Amazon Web Services (AWS) and Rackspace. That means you can easily move your systems between on/off-premise and between different public cloud providers. Based on the reasons described above, my prediction is that over the next few years we will see Ubuntu grow exponentially to become one of the dominant server platforms on the Internet. Just look at where Android was five years ago and where it is today.


Open source — IT pro’s salvation from the Cloud

In an earlier post, “Adapting IT jobs to applications moving into the cloud”, I suggested that an average IT professional’s skillset is changing primarily due to the fact that applications are moving into the cloud. Skills required to deploy and manage an on-premise installation of the Exchange Server, differ from the ones necessary to maintain an off-premise Exchange within Office 365.

The question that emerges is: What IT skills will have greatest value in the future? I would like to make the argument that skills related to open source software will retain their value. The reasons behind this are simple. As companies seek to get better returns from their IT budgets, they will shift more enterprise applications into the cloud. Software as a service model offers low-to-none implementation or buy-in cost, followed by fixed monthly service fees. Very few organizations will opt-in to spend their IT dollars on deploying general use enterprise systems in-house for three simple reasons — cost of hardware/infrastructure, software licensing, and IT staff required to keep these systems running.

This is where open source comes into play. By removing one of the three major upfront costs (software license fees) of running these systems in-house, we even out the playing field somewhat. Now if the existing IT staff already has the required skillset to deploy, manage and maintain these open source applications, this is another reason why it becomes cost effective to keep these systems on-premise. So my premise is that any IT pro today who faces the question of where to spend their training budget, should focus a good portion of their time and resources on learning open source software.


Low cost NTP server hardware appliance

Anyone looking for a low cost NTP hardware appliance for small offices and remote sites should consider the TM1000A GPS Network Time Server from Time Machines (retail price range is $299-399). As far as NTP hardware appliances go — Symmetricom seems to be the leader in this field, but most of their solutions cost thousands of dollars, thus are outside the budget range of most small organizations.

The Time Machines GPS Network Time Server is a simple to use GPS based time server that will supply accurate time for all computers and time keeping devices on the network. By placing a time server on the local network, (S)NTP time packets are provided without requiring systems to go to the Internet to get a Stratum 1 time synchronization. The system uses an active GPS antenna to maintain the current time as broadcast by United States GPS satellites.

With this device installed on your local network, there is no longer the worry that if the Internet connection goes down, time synchronization is lost across the network. The unit is small and can be placed anywhere within the network layout. The built-in high sensitivity GPS receiver is able to lock multiple satellites from within many buildings or from a window location, removing the requirement that an outdoor antenna be installed.

Setup and use of this time server is straightforward. Simply connect both the included power supply and the GPS antenna to the base unit and then connect the base unit to the local network. Go to a computer on the network and browse to the device at its default address to enter the software setup within the control box. Set parameters to match your network and the system will start to send out time packets to any device on the system that asks for an update from it.
