
Continuing the configuration of a secure wireless network, this part deals with configuring the IAS server to recognise authentication requests from your wireless device. The first part of configuring IAS is configuring a RADIUS client. In this case, it is the wireless box. There's a simple wizard built into IAS to walk you through this.

Right-click RADIUS Clients and select New Client.

Give it a friendly name and the IP address assigned to your wireless device (note I'm disguising my actual IP address range and internal domain names in this article).

If your wireless vendor supports the RADIUS standard, choose this. Otherwise, from the drop-down list, choose the appropriate setting. Also now re-type the shared secret password you configured on your wireless box. NOW you see why I recommended the use of notepad in the previous article :)

Finally, your screen should look similar to below


Next you need to configure a wireless access policy in IAS. If you select the Remote Access Policy node in the IAS MMC, you'll see a couple of default policies. In our case, we need to configure a new access policy for wireless. Fortunately, again everything can be configured through a wizard.

Right-click on Remote Access Policies and choose "New Remote Access Policy"

After the intro page to the wizard, a typical policy is probably sufficient for most needs. Give it an appropriate name such as, logically I guess, Wireless.

On the next page, choose Wireless.

On the next page, select the appropriate groups from Active Directory you wish to allow wireless access to. You may wish to allow all users, or maybe just selected users (in my personal case I have a specific group for wireless access - the reason for this may become apparent later on when it comes to adding accounts from un-trusted domains. The screen shot just shows domain users though).

Now comes the important part. On the next screen, for the EAP type for this policy (assuming you do want this secure), use Smart Card or other certificate.

Click the configure box. At this point, you'll realise you need a certificate authority (but hopefully that will be obvious).

If you're astute, you'll notice in my case I have a certificate for Domain Controller Authentication being issued to the DC. That in itself was a little challenging, but the CA documentation is pretty readily available online :) That's pretty much the end of the wizard. Once the wizard is complete, it's worth revisiting the settings for the wireless policy and ensuring that the only encryption setting checked is the one for strongest encryption - by default, all encryption settings are allowed.


At this point, you're pretty much there for the basics. I guess it's group policy next. (It may be a few days to prepare the next blog post part - takes a while to prep the screenshots and walkthroughs).
Cheers,
John.

So there are many tricks to optimising the size of a VHD. One which I always use, but which appears not to be widely known about, is to turn off the system file checker. Of course, this has its downsides and your mileage may vary. In practice you can reduce a VHD by some 300MB or so on an instance of Windows 2003 SP1.

To turn off SFC, open a command prompt (must be elevated if run on Windows Vista or Longhorn Server) and run:

sfc /cachesize=0
sfc /purgecache

Then perform the standard compaction routine (if this is a dynamically expanding disk).
Cheers,
John.

[Corrected 8/16 as per comments, 300K isn't much of a saving. I did indeed mean 300MB;)]

So I've got a few blog posts which piece together something I've been trying to do (and finally got working) since moving to Seattle. Namely - set up a secure wireless network. Now, I did have a wireless network at home when I was in England, but it wasn't secure. Well, it was, just not quite as secure as I could achieve with the infrastructure I have running (namely AD and a host of virtual machines running all sorts of services).

Some of this may be old news, some new to you. However, if you're a novice at setting up WPA, I hope this will help. Now of course, I didn't want just WPA. I also wanted "guest" machines to be able to connect to the network - guests as in non-domain-joined machines, or more accurately machines joined to another domain (such as my corporate laptop), running Windows Vista (of course).

The first step in all of this is obviously the hardware. I bought a relatively new Linksys Wireless G box which supported WPA.

The basics are fairly obvious, such as giving it a static IP address in your subnet, putting a secure password on the administration access, an SSID, the wireless channel (best not to clash with neighbours) and (optionally, but useful) configuring a host name in your internal DNS server. Much nicer to be able to go to http://wireless than http://192.168.x.x. Some people would also advocate hiding the SSID from broadcast. Personally, if you've secured the back-end, I don't see a lot of value in this, considering it's just too easy to use off-the-shelf tools to find hidden networks.

At this stage, you're on to configuring WPA itself. The first step in this is making sure your wireless box is configured for WPA-Enterprise mode with TKIP encryption and pointing at a RADIUS server on your network. In my case, I have a couple of RADIUS servers, both on DCs. Unfortunately, the Linksys configuration doesn't allow for a backup RADIUS server (some D-Link boxes do - worth checking first if this is important to you). Important - make sure you choose a REALLY secure shared secret password. A random password generator is recommended. Also, copy it to notepad somewhere so you can paste it later. Your screen should look similar to below at this point.

The next stage (if you haven't already done so) is to install the Internet Authentication Service (IAS) to provide RADIUS services on an appropriate machine on your network. It's hidden away under Add/Remove Programs, Windows Components, Networking Services.

In the next part, I'll walk you through configuring the IAS server.

Cheers,
John.

This webcast coming up next week caught my eye as I've recently put in a (hopefully) secure wireless network at home over the past few weeks since moving over to the US. There are a few blog posts about that and some of the pain which has been involved - it isn't as easy as you'd think.

Wednesday, August 16, 2006 10AM PST (6PM UK)
Pre-Registration Available Now. Click to register

Experience a live on-line demonstration of Microsoft’s identity-based, policy-driven network authentication infrastructure built on Windows Server 2003 and Windows XP. Together with Aruba Networks Mobile Edge, learn how to deploy a secure wireless LAN end-to-end from the experts.
Microsoft and Aruba Networks professionals will be online to answer your questions in real-time.
Featured Products:
- Microsoft Windows Server 2003 R2 Internet Authentication Service (IAS), Active Directory and Group Policy
- Microsoft Windows XP SP2
- Aruba Networks Aruba 800 Mobility Controller and Aruba AP70 Access Point

Webcast Details
- This webcast will include a compelling live demo of how to configure the solution for the most common identity-based wireless access scenarios.
- Experts will enable the most common wireless LAN access scenarios through flexible access policies in both the Windows Server 2003 Internet Authentication Service (IAS) and the stateful firewall in the Aruba Networks' Mobility Controller.
- The demonstration will show how to configure secure, role-based access for trusted employees and short-term contractors using company-managed PCs and a guest using their personal PC. To validate the security of the solution, access rights for an untrusted "hacker" will be shown before configuring the solution for secure role-based access and then afterwards.

A revised version of the VM Additions which supports current public builds of Windows Vista Beta 2 (5384, June Refresh Build 5465 and July Refresh Build 5472) in Virtual Machines is available. If you aren't already registered for the Virtual Server 2005 R2 SP1 Beta program, sign up through http://connect.microsoft.com where the additions are available. The additions are version 13.709.

Be sure to uninstall any previous additions first.
Cheers,
John.


I've just noticed that Windows Small Business Server 2003 R2 will be available next month. Some of the more significant changes are the expanded Exchange mailbox limit of 75GB and the inclusion of Windows Server Update Services (WSUS). In addition, SQL Server 2005 Workgroup Edition is included in the Premium edition.

More information available here.

Cheers,
John.

Announced today at the Worldwide Partner Conference, Windows Server 2003 R2 Datacenter Edition (DCE) has undergone some revisions effective from 1st October 2006:

  • It will be available through Volume Licensing
  • License rights allow an unlimited number of virtualized Windows Server instances, whether that be Windows Server Standard, Enterprise or Datacenter Edition, or a mix of the three, without having to track the number of VMs or pay for additional Windows Server licenses. You simply license the server's processors with Windows Server Datacenter Edition.
  • More OEMs will be providing DCE pre-installed on servers with 2 to 64 processors with and without the Datacenter High Availability program.

Cheers,
John.

I installed the trial of Windows Live OneCare on my children's machine at home last week - the 90 day trial is available here. If you haven't seen it yet, OneCare can be thought of as an all-in-one tune-up and peace-of-mind package including antivirus, antispyware (Windows Defender), a 2-way firewall, a performance tune-up and a backup/restore program. I'm still investigating how it plays with WSUS for the OS updates part... on my list of things to look at.

Note that currently Windows Live OneCare is only available in the US [not that it worries me too much now ;)].

Cheers,
John.

Just seen that this is now available for download from http://www.microsoft.com/windows/ie/default.mspx

Cheers,
John.

Effective immediately, you can now download Virtual PC 2004 SP1 from www.microsoft.com/virtualpc. When we release Virtual PC 2007 early next year, this too will be free. This brings parity with the changes for Virtual Server 2005 R2 earlier this year. The main change Virtual PC 2007 will bring is the ability to support 64-bit Windows Vista hosts. Note, guests will still be 32-bit only, but Windows Vista will be supported as a guest.

There is also a licensing change for Windows Vista Enterprise customers where the license will now permit the installation of up to 4 copies of the OS into VMs - this is for a single user on a single device. The licensing change is specific in that it requires Windows Vista Enterprise to be deployed on the host machine itself. If you buy Windows Vista Enterprise but use XP for example on the host, a license for each copy of Windows Vista Enterprise installed in the VM is required - in other words, in this circumstance, the 4 VM change does not apply.

So a few important points to additionally note:

  • Virtual PC Express is effectively superseded by Virtual PC 2004 SP1 - functionally they are identical except that Virtual PC Express is limited to one VM running at a time.
  • If you want to run Windows Vista Beta 2 in a VM today, to get the performance accelerations from the VM Additions, use Virtual Server 2005 R2 SP1 Beta 1. In theory you could install the VM under Virtual PC 2004 SP1 and install the additions from Virtual Server 2005 R2 SP1 Beta 1 to achieve the same, but this is an untested situation AFAIK. There will be additions available soon which will provide acceleration for later builds of Windows Vista (post Beta 2).
  • If you want to run 64-bit VMs, support for this will come in Windows Server Virtualization - neither Virtual PC nor Virtual Server is currently planned to have 64-bit guest support.

Cheers,
John.

Mike's got all the info here.
Cheers,
John.

I've rippled through quite a few nagging problems since my server failure at home a few weeks ago. One of the more intriguing problems I only noticed a couple of days ago. One server had not been running scheduled Shadow Copies. When you schedule shadow copies in Windows Server 2003 R2, not surprisingly it sets up a normal Windows Scheduled Task named ShadowCopyVolume{volume}, as shown below.


But, as you can see, it's never run and has status "Could not start". If you double click the task, you get the error "General page initialization failed. The specific error is 0x8007000d: The data is invalid". Once you dismiss the dialog, you see the normal task details, but cannot edit the user field (greyed out and blank). You could however create manual shadow copies, so that pretty much narrowed it down to a problem with the scheduled task rather than shadow copies itself.

Some searching on Technet and the MS Knowledgebase drew a blank (or at least nothing appearing to be directly relevant). There's an article here which gives some information which is close but only allows you to setup the task again with a domain account. I didn't want to do that as the Shadow Copy scheduled task is supposed to run under the NT AUTHORITY\SYSTEM account.

However, I bow to Anil's greater knowledge from his blog entry here, specifically the update part at the end. Indeed, deleting C:\Documents and Settings\All Users\Application Data\Microsoft\Crypto\RSA\S-1-5-18\d42cc0c3858a58db2db37658219e6400_xxxx, deleting the scheduled task, disabling shadow copies and setting it back up again with a schedule creates it correctly.

Thanks Anil!
Cheers,
John.

[This post travelled in time. John is offline for a few days. It may take a while before any comments are published.]

Imagine this. Lots of machines, some virtual, some physical. Every single machine can ping every other machine, except just one pair. An administrator's nightmare? Yes. Trust me, I've been there, spending several hours diagnosing this particularly tricky problem.

Let's simplify the situation. Start with two Virtual Server hosts. For ease of reference, let's call them A & B. Now let's say A & B each have two virtual machines running on them. We'll call these C, D, E & F. C & D are running on host A, while E & F are running on host B. Still with me? Maybe the annotation below will make it a bit clearer.

 Host    A     B
 VMs     C,D   E,F

Now let's just treat physical and virtual machines the same and draw up the problem in terms of which machine can ping which.

    A   B   C   D   E   F
   -----------------------
A | Y | Y | Y | Y |*N*| Y |
   -----------------------
B | Y | Y | Y | Y | Y | Y |
   -----------------------
C | Y | Y | Y | Y | Y | Y |
   -----------------------
D | Y | Y | Y | Y | Y | Y |
   -----------------------
E |*N*| Y | Y | Y | Y | Y |
   -----------------------
F | Y | Y | Y | Y | Y | Y |
   -----------------------

In other words, A cannot ping E and E cannot ping A. Obvious thoughts? Firewall. Checked, OK. Besides, why would B,C,D & F be able to ping E? Made no sense.

The first step was to run a network trace on host A while trying to ping VM E. This yielded an ARP query of the sort "Who has <IP1>, tell <IP2>" where IP1 is the IP address of VM E and IP2 is the IP Address of Host A. There was no response to that ARP query seen. Even more curious.
 
The next step was to ensure the ARP cache on the host was correct. First I did an "arp -a" and it showed that host A indeed didn't know the ethernet address of VM E. This makes sense, otherwise there wouldn't be an ARP query going out on the network.

Working around the problem, I again used arp, with the -s parameter, to add the correct IP address and MAC address of VM E to the ARP cache on host A. Another network trace later, and all I saw was the ping request going out, but no response being received.

Just to be safe, I cleared out the arpcache using netsh interface ip delete arpcache. Another network trace showed the arp request again.

Of course, I'd already done a reboot of both host A and VM E to no avail, but another reboot never hurts. Same result though.

In the end, a light bulb went on as to what the probable cause of the problem was. In retrospect, it's obvious. In fact, so obvious when I regularly tell Virtual Server users to be aware of the problem that I could kick myself. I just wasn't expecting it to manifest itself in quite the way it was being seen above.

VMs C, D, E & F all have dynamic MAC addresses. OK, that's fine, but Virtual Server only guarantees MAC addresses to be unique between all VMs running on a _single_ host. In other words, a VM configured with a dynamic MAC address could share that MAC address with a VM on another host. I came unstuck precisely because of this. Host A did indeed have VM C set up with two network adapters. Both were set for dynamic MAC addresses, but the second NIC was set to disabled within the VM itself. It turned out that the dynamic MAC address for the second NIC for VM C was the same as the single NIC configured for VM E. I would have found this much earlier had that NIC been enabled. But there you go - half the fun of diagnosing this stuff.

I've clearly over-simplified the problem description above - in my case there were actually 11 VMs across three hosts, just to add a bit more head scratching to the equation. So the golden rule here: if you have multiple VS hosts with multiple VMs which all need to inter-communicate, either manually assign static MAC addresses to each NIC on each VM yourself, or be extra careful to check the dynamically assigned MAC addresses. Virtual Server isn't infallible.
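As an added example (not from the original post), here is a small Python check that applies the golden rule above to an inventory of guest NICs gathered from several hosts: it normalises each MAC address and reports any address that appears on more than one host, counting disabled NICs too, since that is exactly the case that bit here. The inventory format (host,vm,nic,state,mac) and the sample data are assumptions constructed for this example; how you export the inventory from your Virtual Server hosts is up to you.

```python
"""Cross-host duplicate MAC check for Virtual Server guests.

Virtual Server only guarantees dynamic MAC addresses are unique among
the VMs on a single host, so the collision worth hunting for is one
between guests on different hosts. A disabled NIC still owns its MAC,
so it is included: in the post the duplicate lived on a disabled NIC.
"""
from collections import defaultdict
import re

# Constructed sample inventory (host,vm,nic,state,mac); MACs are made up.
# The disabled second NIC of C on host A shares its address with E on host B.
SAMPLE_INVENTORY = """\
A,C,1,enabled,00-03-FF-1A-2B-3C
A,C,2,disabled,00:03:ff:4d:5e:6f
A,D,1,enabled,00-03-FF-7A-8B-9C
B,E,1,enabled,00-03-FF-4D-5E-6F
B,F,1,enabled,00-03-FF-AA-BB-CC
"""


def normalize_mac(mac):
    """Accept 00-03-FF-..., 00:03:ff:... or bare hex; return 00-03-FF-... form."""
    hexdigits = re.sub(r"[^0-9A-Fa-f]", "", mac)
    if len(hexdigits) != 12:
        raise ValueError(f"malformed MAC address: {mac!r}")
    return "-".join(hexdigits[i:i + 2] for i in range(0, 12, 2)).upper()


def parse_inventory(text):
    """Parse host,vm,nic,state,mac lines into dicts; blank and # lines are skipped."""
    records = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = [p.strip() for p in line.split(",")]
        if len(parts) != 5:
            raise ValueError(f"line {lineno}: expected 5 fields, got {len(parts)}")
        host, vm, nic, state, mac = parts
        records.append({"host": host, "vm": vm, "nic": nic,
                        "state": state.lower(), "mac": normalize_mac(mac)})
    return records


def find_cross_host_duplicates(records):
    """Return {mac: [records]} for every MAC seen on guests of more than one host."""
    by_mac = defaultdict(list)
    for rec in records:
        by_mac[rec["mac"]].append(rec)
    return {mac: recs for mac, recs in by_mac.items()
            if len({r["host"] for r in recs}) > 1}


def report(duplicates):
    """One human-readable line per duplicate MAC, naming every NIC that carries it."""
    lines = []
    for mac, recs in sorted(duplicates.items()):
        where = "; ".join(f"host {r['host']} VM {r['vm']} NIC {r['nic']} ({r['state']})"
                          for r in recs)
        lines.append(f"DUPLICATE {mac}: {where}")
    return lines


if __name__ == "__main__":
    dups = find_cross_host_duplicates(parse_inventory(SAMPLE_INVENTORY))
    for line in report(dups) or ["no cross-host duplicate MAC addresses found"]:
        print(line)
```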

Cheers,
John.

You know how sometimes you become so focussed on one thing, you can lose touch with everything else going on around you? So my apologies on this one, only just found out about a series of six webcasts this month around virtualization. The first two are available on demand, but the dates/times, details and registration links for all the others are below.

Vision for Virtualization Overview (Level 200)
In this webcast we focus on virtualization technology and we offer an introduction to Microsoft Virtual Server 2005 R2. We also outline Microsoft's vision for the technology over the next few years. This session provides a high-level overview of the different solutions that you can implement with virtualization.
View this on-demand

How to Virtualize Infrastructure Workloads (Level 200)
Join this webcast to learn about virtualization of infrastructure workloads such as Active Directory, file and print, and Web servers, and the benefits of mixed workload virtualization. We discuss details, tips, and tricks for creating an effective virtualization environment. During this session, we walk you step by step through the process of planning, deploying, and managing a virtual environment for infrastructure workloads.
View this on-demand

How to Virtualize SQL Server 2005 on Virtual Server (Level 300)
20th June 2006 11:30 AM PST (7:30 PM UK)
Join this webcast to learn about the virtualization of Microsoft SQL Server 2005 and the differences between multi-instancing and virtualization. We provide details, tips, and tricks for creating an effective virtualization environment, and walk you step by step through the process of planning, deploying, and managing a virtual environment for SQL Server 2005.
Registration link

Branch Office Server Consolidation (Level 300)
22nd June 2006 11:30 AM PST (7:30 PM UK)
If your organization is planning a branch office server consolidation, this webcast is for you. Join us to receive guidance on what you should consider before, during, and after a server consolidation, and the role virtualization can play in this scenario. Learn how to identify whether your branch office servers can be virtualized, and if there are benefits to virtualization for your scenario. During this session, we provide you with the details, tips, and tricks needed to create an effective virtualized environment. We also walk you through a step-by-step process of planning, deploying, and managing a virtual environment in a branch office.
Registration link

Virtual Server Scripting and Integrated Management (Level 300)
27th June 2006 11:30 AM PST (7:30 PM UK)
This webcast covers scripting basics with the Component Object Model (COM) API. Learn how to use scripting to automate management tasks in a Microsoft Virtual Server 2005 environment. We also provide detailed examples of how scripts can be integrated with Microsoft Operations Manager (MOM) to more easily manage your entire virtual environment.
Registration link

Transitioning to Windows Virtualization (Level 300)
29th June 2006 11:30 AM PST (7:30 PM UK)
Join this webcast to learn more about Windows virtualization, a new technology in Microsoft Windows Server code-named “Longhorn.” We introduce the key scenarios for Windows virtualization and new features and improvements in Microsoft Virtual Server, including better performance. Find out how you can start adopting Microsoft Virtual Server today and transition to Windows virtualization by leveraging the unified format.
Registration link

Cheers,
John.

All because I left, I guess ;) So (IMHO), one of the great things about the TechNet evenings on the Microsoft UK Campus in Reading was the availability of beer & pizza at the break. (Of course, before I get blasted with comments about encouraging alcohol... soft drinks were available too). There was one downside to it in that the beer was pretty fizzy - burping during the second half while amplified through a radio mic did tend to make the 8-9PM slot more interesting sometimes....   But no, I just noticed in a TechNet Flash newsletter from last month, no more pizza, just sandwiches and licensing laws are forcing this to be soft drinks only. Oh well, at least I've got a beer fridge in my office over here :)

Cheers,
John.
