
Slow Server 2008 R2 box... did you know?

http://support.microsoft.com/kb/2207548

In some cases you may experience degraded overall performance on a Windows Server 2008 R2 machine when running with the default (Balanced) power plan. The issue may occur irrespective of platform and may be exhibited on both native and virtual environments. The degraded performance may increase the average response time for some tasks and cause performance issues with CPU-intensive applications.

Lame!

#Meraki, what a pleasure to work with

It's not often that I use technology that is an actual pleasure to work with. #EqualLogic is at the top of that list, but now I have a new one: #Meraki.

So, they first suck you in with their very nice (free!) MDM. MDM stands for mobile device management (i.e. visibility into, and management of, your iPhones/iPads/Androids, etc.).

Then, just for watching a webinar, they will send you a free access point. So we pulled it out of the box and had that sucker configured in about 20 minutes! We did run into an interesting hiccup, though. The AP can broadcast multiple SSIDs, so you can have one for the internal network and another for a guest network that only gets to the Internet, etc. We configured the guest network and chose the setting to disallow access to the local LAN. Well, we have a very screwy IP scheme, so the default "LAN Isolation" setting didn't work for us. Meraki's documentation explains why:

When you turn on the option labeled "Prevent users from accessing your LAN?", which enables a feature sometimes referred to as "LAN Isolation", the following configuration is applied to your Meraki network:

  • Any traffic from a client to the following IP ranges is silently dropped: 10.0.0.0/8, 172.16.0.0/12, 192.168.0.0/16
  • The above applies to all traffic except DNS requests; they are passed regardless of the destination IP address

Note that the above configuration does suggest some situations in which Meraki users might be able to access your LAN. For instance, if devices in your LAN are configured with IP addresses that are outside the above ranges, the Meraki network will route traffic to those destinations.

In other words, "LAN Isolation" only knows about the three RFC 1918 private blocks; anything you have numbered outside them is reachable from the guest SSID. So to fix it, I just added an additional Deny policy on the SSID's layer 3 firewall rules, using CIDR notation to specify our internal ranges that fall outside those blocks as the destination.
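To make the gap concrete, here is an added example (not Meraki's code, and not from the original post) that models the documented behaviour: the three RFC 1918 blocks are dropped, DNS passes regardless of destination, and any extra deny destinations you supply are treated like the built-in ranges. The addresses are constructed; 100.64.1.10 stands in for a "screwy" internal range, and the assumption that your own L3 deny rules behave exactly like the built-in ones (including the DNS carve-out) is a simplification you should check against your dashboard's rule order.

```shell
#!/bin/sh
# Added example: a model of Meraki's "Prevent users from accessing your LAN"
# filter so you can test your own addressing plan against it. Not Meraki code.

ip2int() {  # dotted quad -> 32-bit integer
  set -- $(printf '%s' "$1" | tr '.' ' ')
  echo $(( ($1 << 24) | ($2 << 16) | ($3 << 8) | $4 ))
}

in_cidr() {  # in_cidr IP CIDR -> exit 0 if IP lies inside CIDR (prefix length required)
  ip=$(ip2int "$1")
  net=$(ip2int "${2%/*}")
  bits=${2#*/}
  mask=$(( (0xffffffff << (32 - bits)) & 0xffffffff ))
  [ $(( ip & mask )) -eq $(( net & mask )) ]
}

# Destinations the LAN Isolation feature drops, per the documentation quoted above.
LAN_ISOLATION_DROPS="10.0.0.0/8 172.16.0.0/12 192.168.0.0/16"

# lan_isolation_verdict DST_IP DST_PORT [EXTRA_DENY_CIDR ...]
# Prints "pass" or "drop" for a guest-SSID client packet to DST_IP:DST_PORT.
# EXTRA_DENY_CIDRs model the additional L3 deny rule the post added; the model
# assumes (simplification) they are treated exactly like the built-in ranges.
lan_isolation_verdict() {
  dst=$1; port=$2; shift 2
  # Documented carve-out: DNS is passed whatever the destination.
  if [ "$port" -eq 53 ]; then echo pass; return 0; fi
  for cidr in $LAN_ISOLATION_DROPS "$@"; do
    if in_cidr "$dst" "$cidr"; then echo drop; return 1; fi
  done
  echo pass; return 0
}

# Constructed addresses: 10.5.1.20 is an RFC 1918 file server; 100.64.1.10 stands in
# for an internal range outside RFC 1918 (the situation the post ran into).
printf '%s\n' "10.5.1.20:445     -> $(lan_isolation_verdict 10.5.1.20 445)"
printf '%s\n' "100.64.1.10:445   -> $(lan_isolation_verdict 100.64.1.10 445)   (the gap)"
printf '%s\n' "100.64.1.10:445   -> $(lan_isolation_verdict 100.64.1.10 445 100.64.0.0/10)   (with extra deny)"
printf '%s\n' "10.5.1.20:53      -> $(lan_isolation_verdict 10.5.1.20 53)   (DNS exception)"
```

Run it against every internal prefix you actually use; any "pass" for an internal destination is a range that needs its own deny rule on the guest SSID.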

The Meraki interface is very clean and mostly logical. You can feel the Google heritage (especially the nicely added two-factor authentication!).

I look forward to the iPhone app, since I am assuming it will provide much better GPS location data for the devices.

Certificate authentication, iPhone VPN On Demand, BIG-IP F5, GoDaddy

So we have this cool VPN device from F5 that gives us basically single-click entry into our QlikView. Unfortunately, a certificate expired and then everything broke. This was set up by an F5 consultant and wasn't documented. (Note to self: have your consultants document what they do.)

So the crap hit the fan; after spending all day on the phone with F5 support they were finally able to get us up and running again! Thanks, F5 guys, for working it out!

So, step one. We needed an SSL certificate (my boss didn't like the last place), and we decided to go with a simple GoDaddy 5-year SSL cert for $60 versus a VeriSign one, which I think costs something like $1000 (crazy).

Now actually getting to where you can submit your certificate request is a little cryptic. After you buy it, you go to Manage Certificates and you're like, so now what? You click Credits, then click the refresh arrow, and your credit will show up.

So now you can redeem your credit. On the BIG-IP side of things you need to create your certificate signing request (CSR).

So go to Local Traffic > SSL Certificates > Create. Give it a name, choose Certificate Authority as the issuer, fill in the Common Name (it has to match the DNS name clients will connect with, or they get a name-mismatch warning), make the key 2048 bits and fill in the rest of the fields.

GoDaddy has a page describing this as well:

http://support.godaddy.com/help/article/5597/generating-a-certificate-signing-request-csr-f5-bigip-loadbalancer?pc_split_value=1

Hit Finished, copy the PEM-encoded CSR (the block starting with -----BEGIN CERTIFICATE REQUEST-----) to your clipboard, and paste it into GoDaddy's CSR box.

OK, GoDaddy will chug on it for a while and then you need to prove that you own the domain. The easiest way was to click the "what's the hold up" link on GoDaddy's site and create the simple little HTML file that proves you control the site. After you have proved ownership, you can download the certificate and the GoDaddy intermediate bundle.

So now you need to import the certificate (the private key is already on the box, because the BIG-IP generated it along with the CSR). Back on the Local Traffic > SSL Certificates screen, press Import, give it a name (I chose one that matched the domain). There, now you have a server SSL certificate.

http://support.godaddy.com/help/article/5511/installing-an-ssl-certificate-in-f5-bigip-loadbalancer?pc_split_value=1

You have to set your Client SSL profile to use this certificate and key (and the GoDaddy bundle as the chain, or clients won't be able to build the path to GoDaddy's root).

OK, now are you ready for even more fun?

We also need to verify that our iPhone clients present a client certificate (iPhone VPN On Demand requires certificate-based authentication; we also do NT authentication on top of that).

So in order to do this you need to create a certificate authority, create and sign client certificates, configure the F5 to trust them, and then export them in an iPhone-friendly format (PKCS#12).

Here we go. So get yourself a copy of openssl.cnf (in my case F5 support had one) and use WinSCP to copy it over to /tmp/cert/openssl.cnf.

This post has pretty much the same steps but uses different directories:

http://www.gomiworld.net/securing-the-web-with-ssl-client-certificates

Now SSH into your F5 box. I suppose you could do this anywhere OpenSSL is installed.

And then run the following procedure.

Creating a CA certificate

Create a directory to contain your CA certificate:

mkdir /tmp/cert

Create a private directory in your CA directory (this is where the CA key lives; keep it out of anything world-readable):

mkdir /tmp/cert/private

Create a client certificate directory in your CA directory:

mkdir /tmp/cert/client

Create a serial number file for your CA:

echo "0001" > /tmp/cert/ca.srl

Create a CA certificate and key (you will be prompted for a passphrase for the CA key and for the CA's subject fields; note that a 365-day CA means redoing this, and re-issuing every client certificate, in a year):

openssl req -new -x509 -days 365 -keyout /tmp/cert/private/nffckey.pem -out /tmp/cert/private/nffccert.pem -config /tmp/cert/openssl.cnf

Creating and signing a client certificate

Create a client key and certificate request (use at least 2048 bits; a 512-bit RSA key can be factored in hours and gives no security at all):

openssl req -new -newkey rsa:2048 -nodes -out /tmp/cert/client/client.req -keyout /tmp/cert/client/client.key

Sign the client certificate with the CA (this prompts for the CA key passphrase):

openssl x509 -CA /tmp/cert/private/nffccert.pem -CAkey /tmp/cert/private/nffckey.pem -CAserial /tmp/cert/ca.srl -req -in /tmp/cert/client/client.req -out /tmp/cert/client/client.pem -days 365

Results

You created the CA located at:

/tmp/cert/private/nffccert.pem

/tmp/cert/private/nffckey.pem

You created a client cert located at:

/tmp/cert/client/client.pem

Export to PKCS#12 (you are prompted for an export password; the iPhone user needs it to install the bundle, and since the .p12 contains the private key, send that password separately from the file):

openssl pkcs12 -export -clcerts -in /tmp/cert/client/client.pem -inkey /tmp/cert/client/client.key -out /tmp/cert/client/client.p12
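The procedure above, as an added, scripted example (not the F5 steps from the post and not F5's or GoDaddy's code): it writes a minimal openssl.cnf inline so it does not depend on whatever config the box has, uses 2048-bit keys, marks the client certificate as a non-CA leaf for client authentication, puts a password on the .p12, and finishes with the trust check a server configured with this CA under "Trusted Certificate Authorities" performs. The CA name, user name and export password are placeholders.

```shell
#!/bin/sh
# Added example: private CA -> signed client cert -> PKCS#12 for a phone -> trust check.
# Not the post's own commands; names and the export password are made up.
set -eu

write_config() {  # write_config FILE: minimal config so the run does not depend on the system openssl.cnf
  cat > "$1" <<'EOF'
[ req ]
distinguished_name = dn
x509_extensions    = ca_ext
prompt             = no
[ dn ]
CN = Example Client CA
[ ca_ext ]
basicConstraints       = critical, CA:TRUE
keyUsage               = critical, keyCertSign, cRLSign
subjectKeyIdentifier   = hash
[ client_ext ]
basicConstraints       = CA:FALSE
keyUsage               = digitalSignature
extendedKeyUsage       = clientAuth
subjectKeyIdentifier   = hash
authorityKeyIdentifier = keyid
EOF
}

make_ca() {  # make_ca DIR NAME -> DIR/ca.key (RSA-2048, unencrypted here; protect it in real use), DIR/ca.crt (5 years)
  mkdir -p "$1"
  write_config "$1/openssl.cnf"
  openssl req -new -x509 -days 1825 -newkey rsa:2048 -nodes -subj "/CN=$2" \
    -config "$1/openssl.cnf" -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_client_p12() {  # issue_client_p12 CADIR OUTDIR USER PASS -> OUTDIR/USER.{key,csr,crt,p12}
  mkdir -p "$2"
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" -config "$1/openssl.cnf" \
    -keyout "$2/$3.key" -out "$2/$3.csr" 2>/dev/null
  # -CAcreateserial replaces the hand-made ca.srl; client_ext makes this a leaf usable only for client auth
  openssl x509 -req -days 365 -in "$2/$3.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" -CAcreateserial \
    -extfile "$1/openssl.cnf" -extensions client_ext -out "$2/$3.crt" 2>/dev/null
  # The .p12 carries the private key: always set an export password and hand it over
  # separately from the file (not in the same e-mail).
  openssl pkcs12 -export -clcerts -in "$2/$3.crt" -inkey "$2/$3.key" \
    -passout "pass:$4" -out "$2/$3.p12"
}

verify_client_cert() {  # verify_client_cert CA_CRT CLIENT_CRT -> 0 only if CLIENT_CRT chains to CA_CRT and is valid for client auth
  openssl verify -purpose sslclient -CAfile "$1" "$2" >/dev/null 2>&1
}

demo() {
  work=$(mktemp -d)
  make_ca "$work/ca" "Example Client CA"
  issue_client_p12 "$work/ca" "$work/client" alice 'export-pw-placeholder'
  make_ca "$work/rogue" "Rogue CA"
  verify_client_cert "$work/ca/ca.crt" "$work/client/alice.crt" && echo "alice.crt: trusted by Example Client CA"
  verify_client_cert "$work/rogue/ca.crt" "$work/client/alice.crt" || echo "alice.crt: rejected by Rogue CA (expected)"
  openssl pkcs12 -in "$work/client/alice.p12" -passin 'pass:export-pw-placeholder' -nokeys -noout 2>/dev/null \
    && echo "alice.p12 unlocks with the export password"
}
demo
```

The negative check with a second CA is the important one: the F5 trusts whatever is listed under Trusted Certificate Authorities, so a certificate that chains to anything else must fail, and that is also why the CA key has to stay private. OpenSSL 3 writes the bundle with AES and PBKDF2 by default; if an old device refuses it, re-export with -legacy.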

—-

So now you need to import your CA cert and key into the F5; go to the same SSL Certificates screen. I named them the same and the system combined them into a single Certificate & Key object.

So now under Local Traffic > Profiles > SSL > Client:

I clicked my VPN profile and changed Trusted Certificate Authorities to my newly created CA, and also changed Advertised Certificate Authorities to the new one.

Then I emailed out the P12 to the iPhone clients, switched the profile over to use the new certificate, and we were back in business!

joy

How to check that a specific process is running in 'The Dude'

Available: if(array_find(oid_column("1.3.6.1.2.1.25.4.2.1.2"), "db2sec.exe")>0, 1, -1)
Error: if(array_find(oid_column("1.3.6.1.2.1.25.4.2.1.2"), "db2sec.exe")>0, "", "DB2_db2sec.exe not detected by SNMP probe")
Value: 1
Unit: running
Rate: none

Replace "db2sec.exe" with the name of the process you want to monitor. The OID 1.3.6.1.2.1.25.4.2.1.2 is hrSWRunName from HOST-RESOURCES-MIB, the table of running processes, so the name to match is the executable name. One thing I also noticed is that the name is case-sensitive! Write the process name exactly as you see it in the Windows Task Manager.

Getting my 'The Dude' on, part II

So after much futzing I was able to get a service monitored in 'The Dude'. I learned about a whole bunch of things like SNMP OIDs, etc. At first I tried to create a probe like this (the OID here is svSvcName from the Windows LAN Manager MIB, the table of running services):

HOWTO check if a specific SERVICE is running or not

Create a new probe and tag it with your required target device.

Probe Name:  check_telnet_service
Type:  Function
Available:  if(array_find(oid_column("1.3.6.1.4.1.77.1.2.3.1.1"), "Telnet")>0, 1, 0)
Error:  if(array_find(oid_column("1.3.6.1.4.1.77.1.2.3.1.1"), "Telnet")>0, "", "Telnet not detected by SNMP probe")
Value:  1
Unit:

From here http://aacable.wordpress.com/category/mikrotik-related/page/2/

But that didn't work for me. Eventually I discovered that there is a copy of SNMPwalk inside The Dude's Tools menu; there you can paste 1.3.6.1.4.1.77.1.2.3.1.1 into the OID box at the top right, and then I was able to find the service in question. Then, awesomely enough, you can right-click that service and choose "create SNMP probe". Then I tested it. Part of what made this difficult is that you have to be patient with the SNMP service: it takes a minute or two before it registers that a service is down! But I verified it, and this does in fact let you monitor whether a service is running or not.
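The same check both probes above express with array_find(oid_column(...)), as an added example (not The Dude's code and not from the original posts), run over constructed snmpwalk output for the two tables, so the case-sensitivity and exact-name behaviour can be seen before you build the probe in the GUI. The process IDs, service index encoding and values are made up, and treating array_find as an exact (not substring) match is an assumption; the posts only confirm that it is case-sensitive.

```shell
#!/bin/sh
# Added example: emulate the Dude's oid_column()/array_find() probe logic over
# constructed snmpwalk output. Not The Dude's own code; sample rows are made up.

# hrSWRunName (1.3.6.1.2.1.25.4.2.1.2): one row per running process, indexed by PID
HRSWRUN_WALK='.1.3.6.1.2.1.25.4.2.1.2.4 = STRING: "System"
.1.3.6.1.2.1.25.4.2.1.2.1540 = STRING: "db2sec.exe"
.1.3.6.1.2.1.25.4.2.1.2.2212 = STRING: "svchost.exe"'

# svSvcName (1.3.6.1.4.1.77.1.2.3.1.1): one row per running Windows service,
# indexed by the name itself (length, then the bytes)
SVSVC_WALK='.1.3.6.1.4.1.77.1.2.3.1.1.6.84.101.108.110.101.116 = STRING: "Telnet"
.1.3.6.1.4.1.77.1.2.3.1.1.6.83.101.114.118.101.114 = STRING: "Server"'

# oid_column WALK -> the STRING values, one per line (what the Dude's oid_column() yields)
oid_column() {
  printf '%s\n' "$1" | sed -n 's/^[^=]*= STRING: "\(.*\)"$/\1/p'
}

# array_find WALK NAME -> 0 if some row's value equals NAME exactly
# (-x whole line, -F literal, no -i: case-sensitive, as the posts observed)
array_find() {
  oid_column "$1" | grep -qxF -- "$2"
}

# probe WALK NAME -> what the Available/Error fields would report
probe() {
  if array_find "$1" "$2"; then
    echo "available"
  else
    echo "$2 not detected by SNMP probe"
  fi
}

probe "$HRSWRUN_WALK" db2sec.exe     # available
probe "$HRSWRUN_WALK" DB2SEC.EXE     # not detected: case matters
probe "$HRSWRUN_WALK" db2sec         # not detected: whole name, as Task Manager shows it
probe "$SVSVC_WALK"   Telnet         # available (service table)
```

To turn this into a real check, replace the constructed strings with the output of snmpwalk against the host for the same OID; the probe will only ever report what the SNMP agent itself has refreshed, which is why a stopped service takes a minute or two to show up.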

Getting my 'The Dude' On

So many moons ago I started implementing 'The Dude'. Recently, I thought I would revive that project. 'The Dude' is really one neat piece of software. After messing with it some, I was trying to get the CPU stats recorded, and then I learned that it collects them through SNMP. Now SNMP is of course not enabled by default, so I needed a method of enabling it.

SolarWinds makes a tool called the SNMP Enabler for Windows. This looked like the perfect tool, but it took some jimmying to get it working. In order to install SNMP (this is for Windows XP) it needs the install media. Luckily I had just downloaded a copy of Windows XP Service Pack 3 from the Microsoft licensing site (not having to slipstream Service Pack 3, bonus!). I extracted the .iso to a network share. Now, this is important: extract the whole thing, not just the i386 folder (this hung me up). Also download yourself a copy of PsTools so that you have PsExec (you will need this for the network install).

Click the Settings 'tab', click PsExec and point it to the path of your PsExec.exe (oh, it also seems to behave more nicely if you are logged onto the box as an admin, maybe with UAC off). I checked Override Graphic Acceleration and Show Debug Window On Error. Then click the Add button to add the installation data location. I chose Windows XP Pro, SP3, and for the path \\seattle-server4\installcds\xpsp3slipstreamed (not the i386 folder, one folder up).

I'm not sure if all those settings are necessary, but it wasn't working, and then after clicking a couple of things it magically started working, so there you go. On occasion the 'push' of SNMP won't take; I just rerun it and usually the second time it works, go figure. So now my 'The Dude' shows more nifty stats! Next up, I want to learn how to make a plugin to monitor a specific service!

Adding new article to Existing Publication (Transactional Replication)

A smart guy here at work was working on being able to remove and add an article in our SQL Server 2008 R2 replication. (We used to do it all the time in 2000.)

After much googling he finally hit on this blog post that 'actually works' (compared to many that didn't):

http://ansqldba.blogspot.com/2012/02/adding-new-article-to-existing.html

Adding new article to Existing Publication (Transactional Replication)

First of all I ran EXEC sp_helppublication in my publication database and checked the following fields:
1. immediate_sync
2. allow_anonymous
Both fields were set to ON, as they showed a value of 1, which is enabled. If immediate_sync is enabled, every time you add a new article it will cause the entire snapshot to be applied and not just the one for the particular article.
Usually, the immediate_sync publication property is set to true if we allowed anonymous subscriptions while creating the publication through the Create Publication wizard. To prevent the complete snapshot, run the script below.
Step :- 1
EXEC sp_changepublication
  @publication = N'Pub_dbAmericasCitrixFarm',
  @property = N'allow_anonymous',
  @value = N'false';
GO
EXEC sp_changepublication
  @publication = N'Pub_dbAmericasCitrixFarm',
  @property = N'immediate_sync',
  @value = N'false';
GO
Step :- 2
I added the single article using the below command:
EXEC sp_addarticle
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @source_object = N'Table_2';
I got the following error for the above command,
Msg 20607, Level 16, State 1, Procedure sp_MSreinit_article, Line 99
Cannot make the change because a snapshot is already generated. Set @force_invalidate_snapshot to 1 to force the change and invalidate the existing snapshot.
The reason behind this error message was that a snapshot had already been created recently. Since I added a new article it wouldn't be able to use the existing snapshot, so I needed to use the option @force_invalidate_snapshot = 1 to invalidate the existing snapshot; it would then generate a new snapshot to be applied to the subscriber.
EXEC sp_addarticle
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @source_object = N'Table_2',
  @force_invalidate_snapshot = 1;
Step:-3
Now I added the subscription to the existing publication for the single table alone using the below command:
EXEC sp_addsubscription
  @publication = N'Pub_dbAmericasCitrixFarm',
  @subscriber = N'FTDCCWPCTRXSQL',
  @destination_db = N'dbAmericasCitrixFarm';
I got the following error message while running the above command in my publication database.
“Specify all articles when subscribing to a publication using concurrent snapshot processing”
This error occurs when the existing publication was set up with the concurrent snapshot option, and means that you can't synchronize subscriptions for such publications without a complete resynchronization. There are two workarounds: (a) specify @reserved = 'Internal' when you add the subscription for the new article, and the snapshot agent should generate the snapshot for the new article after that; or (b) change the sync_method from 'concurrent' to either 'database snapshot' (Enterprise Edition only in SQL Server 2005) or 'native' (which locks the table during snapshot generation). Changing the sync_method will force a reinitialization of all your subscriptions at this point. Alternatively you could create another publication and use that instead.
I ran this command and it worked fine:
EXEC sp_addsubscription
  @publication = N'Pub_dbAmericasCitrixFarm',
  @subscriber = N'FTDCCWPCTRXSQL',
  @destination_db = N'dbAmericasCitrixFarm',
  @reserved = N'Internal';
Now I went ahead and started the snapshot agent on the publisher, and it worked perfectly. I can now see that only the particular table I added was replicated. So from now on, to apply the snapshots of all the articles we need to reinitialize the subscriptions, since immediate_sync is set to off.
Drop new article to Existing Publication (Transactional Replication)
EXEC sp_dropsubscription
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @subscriber = N'FTDCCWPCTRXSQL';
GO
EXEC sp_droparticle
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @force_invalidate_snapshot = 1;
For Pull Subscription (Existing Publication and subscription)
First make sure that the publication properties "allow_anonymous" and "immediate_sync" are set to "False"; if these two options are set to "True" then this SP will mark all the articles for generating a snapshot instead of marking only the newly added articles. To check the publication properties, use this query:
EXEC sp_helppublication N'PublicationName'
GO
If the values of the output columns "allow_anonymous" and "immediate_sync" are 0 then they are set to "False"; if their values are 1 then they are set to "True".
Add the article using the below command:
EXEC sp_addarticle
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @source_object = N'Table_2',
  @force_invalidate_snapshot = 1;
-- Refresh subscriptions
EXEC sp_refreshsubscriptions N'Pub_dbAmericasCitrixFarm'
GO
After running the above commands, run the snapshot agent.
>> To add an article to an existing transactional replication by regenerating the entire snapshot, use the method below.
Step 1:-
Set the properties "allow_anonymous" and "immediate_sync" to true.
Step 2:-
EXEC sp_addarticle
  @publication = N'Pub_dbAmericasCitrixFarm',
  @article = N'Table_2',
  @source_object = N'Table_2';
Step 3:-
EXEC sp_addsubscription
  @publication = N'Pub_dbAmericasCitrixFarm',
  --@article = N'Table_2',
  @subscriber = N'FTDCCWPCTRXSQL',
  @destination_db = N'dbAmericasCitrixFarm',
  --@subscription_type = N'push',
  @reserved = N'Internal';
Step 4:-
Run the Snapshot agent; it will generate the entire snapshot again for all the articles.