Wednesday, June 29, 2005

How to: Troubleshoot reminders in Outlook

I recently started receiving an error when I opened Outlook that said, “Cannot start the reminder service. Unable to show reminders.” As busy as I am, the reminders are extremely important. I thought I’d share the solution with you in case you’ve run into the same thing.

You can start Outlook with a variety of switches, one of which is “/Cleanreminders”. Click on Start, then click on Run. In the Run dialog, enter the full path to Outlook.exe and append the switch /Cleanreminders. It will probably look something like this:
"c:\Program Files\Microsoft Office\OFFICE11\OUTLOOK.EXE" /Cleanreminders

Note the use of quotation marks around the path. If you’d like more information about this procedure and the use of Outlook switches in general, use this link:
http://support.microsoft.com/default.aspx?scid=kb;en-us;296192

For more information about working better with Windows, especially supporting Windows Server 2003, visit our Windows training section at soundtraining.net. Check it out online or call 206.988.5858 for more info.

Monday, June 6, 2005

Windows tip: Customizing PerfMon counters

In our last post, we talked about the default counters in Microsoft Windows Server 2003/XP Performance Monitor. Obviously, you’ll want to customize the Performance Monitor counters to meet your particular needs.

You can add additional counters by using the key combination of ctrl+i. In the Add Counters window that appears are four configuration options. You can choose to monitor the local computer or a remote system, you can select the performance object, you can choose the counters to monitor, and you can specify an instance or multiple instances to monitor.

Here’s a point-by-point explanation:

You can monitor systems running Microsoft Windows XP (Home or Professional), Microsoft Windows Server 2003, or systems running legacy operating systems such as Windows 2000 from the Performance Monitor. You can enter a UNC (Universal Naming Convention) name (\\computername) or an IP address for the remote system. Best practice is to monitor systems remotely instead of locally to get a more “real-world” view of the system’s performance without the overhead of Performance Monitor.

Here's an explanation of the monitoring options:

  • An object is the focus of your tracking and includes things such as processor, physical disk, memory, paging file, and many other objects.
  • A counter is a particular process being executed by the object such as %processor utilization.
  • An instance is a more detailed view of the object. For example, a system with multiple hard disks would show the total for all hard disk activity, plus an instance for each physical disk.

It’s a good idea to perform baseline monitoring on systems while they’re running well. That way, when things go wrong, you can run a similar performance monitor to identify differences between the two monitors and more easily identify the problem. Microsoft provides a web page with helpful information concerning counter values.
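Here is an added example (not from the original post) of what that baseline comparison looks like once you have the logged counter values in hand. It parses counter paths in the standard \\Computer\Object(Instance)\Counter form and flags any current reading that sits well above the mean of its baseline samples. The server name SRV1 and all the sample values are constructed for the illustration.

```python
import re
import statistics
from typing import Dict, List, Optional, Tuple

# Counter paths follow the form \\Computer\Object(Instance)\Counter.
# The \\Computer and (Instance) parts are optional, e.g. \Memory\Pages/sec.
COUNTER_PATH = re.compile(
    r"^(?:\\\\(?P<computer>[^\\]+))?"   # optional \\computer
    r"\\(?P<object>[^\\(]+)"            # \Object
    r"(?:\((?P<instance>[^)]*)\))?"     # optional (instance)
    r"\\(?P<counter>.+)$"               # \Counter
)


def parse_counter_path(path: str) -> Dict[str, Optional[str]]:
    """Split a counter path into its computer, object, instance and counter parts."""
    m = COUNTER_PATH.match(path)
    if not m:
        raise ValueError(f"not a counter path: {path!r}")
    return m.groupdict()


# Constructed baseline: eight samples of each counter, logged while SRV1 ran well.
BASELINE: Dict[str, List[float]] = {
    r"\\SRV1\Memory\Pages/sec": [5, 7, 6, 8, 5, 6, 7, 6],
    r"\\SRV1\PhysicalDisk(_Total)\Avg. Disk Queue Length": [0.4, 0.6, 0.5, 0.5, 0.7, 0.4, 0.5, 0.6],
    r"\\SRV1\Processor(_Total)\% Processor Time": [20, 25, 22, 30, 18, 24, 21, 23],
}

# Constructed current readings, taken while users report the server is slow.
CURRENT: Dict[str, float] = {
    r"\\SRV1\Memory\Pages/sec": 95.0,
    r"\\SRV1\PhysicalDisk(_Total)\Avg. Disk Queue Length": 0.6,
    r"\\SRV1\Processor(_Total)\% Processor Time": 27.0,
}


def compare_to_baseline(baseline: Dict[str, List[float]], current: Dict[str, float],
                        sigmas: float = 3.0) -> List[Tuple[str, float, float]]:
    """Return (path, current value, threshold) for counters above mean + sigmas * stdev of their baseline."""
    flagged = []
    for path, value in current.items():
        samples = baseline.get(path)
        if not samples or len(samples) < 2:
            continue  # no baseline for this counter, so nothing to compare against
        mean = statistics.mean(samples)
        threshold = mean + sigmas * statistics.pstdev(samples)
        if value > threshold:
            flagged.append((path, value, round(threshold, 2)))
    return flagged


if __name__ == "__main__":
    for path, value, threshold in compare_to_baseline(BASELINE, CURRENT):
        parts = parse_counter_path(path)
        print(f"{parts['object']}\\{parts['counter']} on {parts['computer']}: {value} (baseline ceiling {threshold})")
```

With these numbers only Pages/sec is flagged: the disk queue and processor readings are inside their normal range, which points the investigation at memory rather than at the disk or CPU.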

Want to know more about getting maximum performance out of Windows Server 2003? (Of course you do!) Our unique, two-day Windows Server 2003 seminar, covers the most important aspects of installation, configuration, optimizing, and troubleshooting. It’s available for presentation onsite at your location for groups of four or more. Call Janet at 206.988.5858 or click here for details.

Wednesday, June 1, 2005

Windows tip: Performance Monitor Basics

The Windows Performance Monitor is the tool we use to observe system resource utilization and other activity on individual systems. You can see an abbreviated view of the Performance Monitor in the Task Manager, but to really see what’s going on, open up the full Performance Monitor in Administrative Tools. (One way to get to Performance Monitor is through Control Panel, then click on Administrative Tools, and double-click on Performance).

By default (under Windows XP and Server 2003), you’ll see three counters:

  • pages per second
  • average disk queue length
  • % processor utilization

Pages per second is an indication of how busy your paging file is. An excessively high level of paging file utilization could indicate some sort of a memory problem; perhaps you need more RAM.

Average Disk Queue Length is the average number of both read and write requests that were queued for the selected disk during the sample period. An excessively high level of queued requests might indicate a problem with a disk controller or the actual disk (or it might indicate that you’re asking the system to do more than it’s capable of doing; try spreading the workload across multiple systems).

% Processor Utilization is an indication of how busy the processor is doing something other than the idle cycle. Excessive processor utilization could indicate many things including a process gone bad that’s slamming the processor or loading the system beyond its capacity; try spreading the workload across multiple systems.

You can add additional counters by using the key combination of ctrl+I or clicking the + button in the toolbar. In our next blog post, we’ll talk about adding counters and monitoring systems remotely.

You can learn much more about working with Windows’ Performance Monitor in our two-day Windows Server 2003 training seminar, available for onsite presentation at your location for groups of four or more. Click here or call Janet at 206.988.5858 for details including dates and availability.

Tuesday, May 24, 2005

Windows tip: Easy scripts for Media Player

It seems like we spend a lot of time on this blog showing you ways to be more productive or get more out of your routers or your servers. Microsoft recently posted some scripts that, while not really oriented toward productivity, certainly are useful for anyone who uses their Windows Media Player. They’ve created a variety of VBScripts that do everything from exporting song library listings to an Excel spreadsheet to simply playing a particular song. It occurred to us that this could also be a great introduction to scripting for anyone who has yet to take the plunge (and it’s fun). Click here to get to their Scripting Center.

Want to know more about working with Windows? Check out our two-day Windows Server 2003 seminar. We cover installation, configuration, optimizing, and troubleshooting. For those of you who have groups of four or more, we’ll bring it onsite to your location. Click here or call 206.988.5858 for more information.

Sunday, May 22, 2005

Linux Tip: See What Hardware is Installed on Your Linux System

Suppose you want to know the exact hardware that’s installed on your system running Linux. You can use lspci to view a listing of most hardware on your system. There may be some unusual or very old piece of hardware that won’t display, but for the most part lspci will show you what’s there. There are several switches that can be used with it to tailor the display for your particular needs. For more information, use man lspci. If it’s not in your path statement, you can usually find it in /sbin.

Want to learn lots more Linux commands? How about getting a good, solid overview of Linux? Our 2-day, hands-on Linux Clinic workshop is perfect for you when you’re looking to jumpstart your Linux experience. Got a group of four or more? We’ll bring it onsite to your location for two days of fast-paced, solution-filled Linux training. Click here or call 206.988.5858 and talk to Janet for all the details.

Wednesday, May 18, 2005

Cisco tip: Restore an IOS image on a 2600

We recently had a classroom situation that required us to copy an IOS image to a router in rom monitor mode using TFTP. I hope you never have to do this, but if you do, it’s helpful to know how. We had copied a new IOS image onto the router which turned out to be corrupted. The old IOS image had already been erased, so the router had no IOS image available for its use. The router returned a rommon > prompt. By using the following series of commands, we were able to download a good IOS image from a TFTP server located at 10.16.0.13 and we were back up and running in about 15 minutes. This procedure uses the first LAN port (in our case ethernet 0/0) and can only be used for downloading a file. It cannot be used to upload a file from the router.

A tip: After you finish configuring the IP address and various related parameters, issue the sync command to copy the settings to NVRAM. That way, if you have to repeat the procedure, at least you won’t have to reenter all the settings.

You can see what settings are already in place by using the set command in ROM monitor mode.

Here’s a step-by-step guide to what you need to do:

rommon 10 > IP_ADDRESS=10.16.0.14
rommon 11 > IP_SUBNET_MASK=255.240.0.0
rommon 12 > DEFAULT_GATEWAY=10.16.0.1
rommon 13 > TFTP_SERVER=10.16.0.13
rommon 14 > TFTP_FILE=c2600-c-mz.123-3h.bin
rommon 15 > tftpdnld
IP_ADDRESS: 10.16.0.14
IP_SUBNET_MASK: 255.240.0.0
DEFAULT_GATEWAY: 10.16.0.1
TFTP_SERVER: 10.16.0.13
TFTP_FILE: c2600-c-mz.123-3h.bin

Invoke this command for disaster recovery only.
WARNING: all existing data in all partitions on flash will be lost!
Do you wish to continue? y/n: [n]: y

Receiving c2600-c-mz.123-3h.bin from 10.16.0.13..!!!!!!!!!!!!!!!!!!!!!!!!!!!!…
File reception completed.

Copying file c2600-c-mz.123-3h.bin to flash.

Erasing flash at 0x607c0000
program flash location 0x60440000

rommon 16 > reset

Want to know more about troubleshooting a Cisco router? Register for any of our upcoming Cisco router training classes. Whether you’re new to routers or have been working with them for years, our Cisco training seminars and workshops offer lots of real world hands-on experience in installing, configuring, optimizing, and troubleshooting. You can attend a public seminar or, for groups of four or more, bring us onsite to your location at the date and time of your choosing. Click here or call 206.988.5858 for details.

Tuesday, May 17, 2005

Cisco tip: Name your access lists

The traditional way of building access lists on a Cisco router is to number them: 1-99 means a standard IP access list, 100-199 means an extended IP access list. It makes a lot more sense to give them a name instead of a number. We have way too many numbers to remember as it is, so having to remember which numbered list does what is just too much. Cisco IOS release 11.2 introduced the ability to name access lists. Now, instead of trying to remember that ACL 101 is designed to block Telnet traffic, we can name it something like “telnet_restrict” so its purpose is obvious.

Use global configuration mode to configure a named ACL. The following sequence of commands configures an IP extended list named restrict_telnet to block telnet (port 23) access from any host to hosts at 10.16.0.13 and 160.254.100.3 on router4’s serial 0/0 and ethernet 0/0 interfaces while permitting all other traffic:

router4#conf t
Enter configuration commands, one per line. End with CNTL/Z.
router4(config)#ip access-list extended restrict_telnet
router4(config-ext-nacl)#deny tcp any host 10.16.0.13 eq 23
router4(config-ext-nacl)#deny tcp any host 160.254.100.3 eq 23
router4(config-ext-nacl)#permit ip any any
router4(config-ext-nacl)#exit
router4(config)#int s0/0
router4(config-if)#ip access-group restrict_telnet in
router4(config-if)#int e0/0
router4(config-if)#ip access-group restrict_telnet in
router4(config-if)#exit
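To check what a list like this actually does before you apply it to an interface, it helps to walk a few packets through it by hand. The following is an added example (our own Python, not part of the original post or of IOS) that models first-match evaluation, the “host” keyword as a /32, the “eq 23” port qualifier, and the implicit deny that sits at the end of every access list. The source address 192.168.1.5 and the test packets are constructed.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Packet:
    proto: str              # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: Optional[int] = None


@dataclass(frozen=True)
class Entry:
    """One ACL line. proto "ip" matches every protocol; "any" matches every address."""
    action: str             # "permit" or "deny"
    proto: str
    src: str                # "any" or an address/prefix ("host x" is written x/32)
    dst: str
    dport: Optional[int] = None   # the "eq <port>" qualifier on the destination

    def matches(self, p: Packet) -> bool:
        if self.proto != "ip" and self.proto != p.proto:
            return False
        if not _addr_matches(self.src, p.src) or not _addr_matches(self.dst, p.dst):
            return False
        return self.dport is None or p.dport == self.dport


def _addr_matches(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def evaluate(acl: List[Entry], p: Packet) -> Tuple[str, Optional[int]]:
    """First match wins. Returns (action, index of the matching entry);
    index None means the packet fell through to the implicit deny at the end."""
    for i, entry in enumerate(acl):
        if entry.matches(p):
            return entry.action, i
    return "deny", None


# The post's restrict_telnet list, transcribed entry by entry.
RESTRICT_TELNET = [
    Entry("deny", "tcp", "any", "10.16.0.13/32", 23),
    Entry("deny", "tcp", "any", "160.254.100.3/32", 23),
    Entry("permit", "ip", "any", "any"),
]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "192.168.1.5", "10.16.0.13", 23),
                Packet("tcp", "192.168.1.5", "10.16.0.20", 23),
                Packet("tcp", "192.168.1.5", "10.16.0.13", 80)):
        print(pkt, "->", evaluate(RESTRICT_TELNET, pkt))
```

Two things the walk-through makes obvious: Telnet to any host other than the two named ones is still permitted by the final line, and if you forget that final permit ip any any, the implicit deny drops everything that the first two lines did not match, Telnet or not.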

Want to know more about configuring access-lists on a Cisco router? Bring our two-day Cisco Router Fundamentals workshop to your location for groups of four or more in an onsite presentation. Click here or call 206.988.5858 for details and scheduling. Also, check online for public, open-enrollment seminars.

Monday, May 16, 2005

Cisco tip: Load balancing with RIP v1

For internetworks with redundant links between routers, you can use load balancing to distribute traffic across the redundant links. RIP (Routing Information Protocol) does it automatically when there are multiple paths of equal cost to a remote network. The datagrams are allocated to the different paths on a round-robin basis. What’s more, fast switching is enabled by default, offering a more efficient form of load balancing than the alternative of per-packet process switching.

Want to know more about load balancing? Enroll in our two-day Cisco Router Advanced Configuration Procedures workshop, coming to the Pacific Northwest in August. Give us a call at 206.988.5858 or drop us an email and we’ll be sure to let you know when and where. This two-day, hands-on workshop is also available for onsite presentations. That’s where we bring the training right to your door for groups of three or more. Click here or call 206.988.5858 for details and scheduling.

Tuesday, May 10, 2005

Windows tip: Set the time on systems running Windows

As with Linux and Cisco systems, Windows systems like to know what time it is and, when they don’t, they can freak out (and that’s a scary sight). You can set the date manually on NT-based systems (such as NT 4.0, Windows 2000, Windows XP, and Server 2003) with the date command at a command prompt. Similarly, set the time with the time command.

More realistically, you’ll probably want to configure the time centrally from some sort of time source. The Windows 2003 Time Service (W32Time) is configured when you deploy your Forest Root Domain in Active Directory. W32Time uses NTP to synchronize system clocks within a domain. By default, client computers and member servers within an Active Directory domain use their authenticating domain controller as the primary time source. It probably won’t be necessary to perform further configuration on clients and member servers, but if needed you can use the w32tm command at a command prompt. (Use w32tm /? to get options and proper syntax.) On the domain controller, you can also use the w32tm command to specify which Internet time servers to use to acquire the correct time.

You can learn more about working with Windows Server 2003 and Windows XP in our Windows seminars for IT professionals. Our two-day Windows Server 2003 seminar covers the important aspects of installing, configuring, optimizing, and troubleshooting systems running Windows Server 2003 in both standalone and Active Directory environments. Details are available online or call 206.988.5858.

Sunday, May 8, 2005

Linux tip: Set the clock on systems running Linux

Having the correct operating system time is becoming more important today due to the time sensitivity of certain protocols such as LDAP and Kerberos. Even if you’re not currently using such protocols on your systems, accurate time stamping on logs can be a huge aid in troubleshooting and security.

It’s easy to set the time on Linux systems both manually and through NTP. Set the time manually with this command:

#date 0509171405

The above command sets the date and time to May 9 and 5:14 p.m. in the year 2005.

Synchronize with Internet time servers using the Network Time Protocol (NTP) using this command:

#ntpdate [time server URL]

Use multiple time servers by separating each one with a space. Find public NTP servers by using your favorite search engine to query on “NTP servers”. Your Linux/UNIX system may also be running the NTP daemon which will keep the time synchronized. Look for a file such as /etc/ntp.conf on such systems to configure the Network Time Protocol. Learn more about working with Linux in our two-day, hands-on Linux workshop, now available for onsite scheduling for groups of four or more. Bring us onsite to your location and we’ll gladly tailor the training to meet your unique needs. Click here or call 206.988.5858 for complete details.

Cisco tip: Configure the time on a router

Set the router’s time with this privileged EXEC command:

router#clock set [hh:mm:ss] [day of the month] [month] [year]

(Some routers use the calendar command instead of the clock command.)

You can also configure your timezone and daylight savings time using the global configuration mode command clock.

In order to use the timezone command, you’ll need to know your offset from Greenwich Mean Time. Visit http://www.greenwichmeantime.com/ for particulars. To configure your router to synchronize its time with an Internet time server running the Network Time Protocol (NTP), use this global configuration mode command:

router(config)#ntp server [ip address | hostname]

Obviously, if you choose to configure NTP with a hostname, you must also configure your router with some means of resolving hostnames to IP addresses such as a name server or a host file. Some low end routers don’t support the NTP command. If your router doesn’t accept it, try the same syntax, but substitute SNTP (Simple Network Time Protocol) for NTP. You can find a listing of public NTP servers by searching online for “NTP servers”.
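Whether it is w32tm on Windows, ntpdate on Linux, or ntp server on a router, the exchange underneath is the same: the client sends a 48-byte packet stamped with its own clock, the server stamps it on receipt and on transmit, and the client works out its offset from the four timestamps. The following is an added example in Python (not from any of the posts above) that builds the request, builds a constructed reply of the kind a server sends back, and computes the offset and round-trip delay. The timestamps (a local clock that reads 1115000000.0 but is 30 seconds slow, with 0.1 s of delay each way) are constructed for the illustration.

```python
import struct
from typing import NamedTuple

NTP_EPOCH_OFFSET = 2_208_988_800   # seconds from 1900-01-01 (NTP epoch) to 1970-01-01 (Unix epoch)
CLIENT_MODE_BYTE = 0x1B            # LI=0, VN=3, Mode=3 (client)
SERVER_MODE_BYTE = 0x1C            # LI=0, VN=3, Mode=4 (server)


def to_ntp(unix_seconds: float) -> int:
    """Unix time -> 64-bit NTP timestamp (32-bit seconds since 1900, 32-bit fraction)."""
    whole = int(unix_seconds)
    frac = int((unix_seconds - whole) * (1 << 32))
    return ((whole + NTP_EPOCH_OFFSET) << 32) | frac


def from_ntp(ts: int) -> float:
    return (ts >> 32) - NTP_EPOCH_OFFSET + (ts & 0xFFFFFFFF) / (1 << 32)


def build_client_request(t1: float) -> bytes:
    """48-byte client packet. Only the transmit timestamp (bytes 40-47) is filled in, with T1."""
    return struct.pack("!B39xQ", CLIENT_MODE_BYTE, to_ntp(t1))


def build_server_reply(request: bytes, t2: float, t3: float) -> bytes:
    """Constructed reply in the shape a server sends: the client's transmit time comes back as the
    originate timestamp (bytes 24-31), followed by receive T2 (32-39) and transmit T3 (40-47)."""
    (t1_ntp,) = struct.unpack("!Q", request[40:48])
    return struct.pack("!B23xQQQ", SERVER_MODE_BYTE, t1_ntp, to_ntp(t2), to_ntp(t3))


class Sync(NamedTuple):
    offset: float   # seconds to add to the local clock to match the server
    delay: float    # round-trip delay between client and server


def compute_offset(request: bytes, reply: bytes, t4: float) -> Sync:
    """Clock offset and round-trip delay from the four timestamps (the RFC 1305 / RFC 2030 formulas)."""
    if len(reply) != 48 or (reply[0] & 0x07) != 4:
        raise ValueError("not an NTP server reply")
    t1_ntp, t2_ntp, t3_ntp = struct.unpack("!QQQ", reply[24:48])
    (sent_t1,) = struct.unpack("!Q", request[40:48])
    if t1_ntp != sent_t1:
        # ntpdate and the NTP daemon make this same check: a reply whose originate
        # timestamp is not the one we sent is stale or is not a reply to our request.
        raise ValueError("originate timestamp does not match our request")
    t1, t2, t3 = from_ntp(t1_ntp), from_ntp(t2_ntp), from_ntp(t3_ntp)
    offset = ((t2 - t1) + (t3 - t4)) / 2
    delay = (t4 - t1) - (t3 - t2)
    return Sync(offset, delay)


if __name__ == "__main__":
    # Constructed scenario: local clock reads 1115000000.0 but is 30 s slow; 0.1 s delay each way.
    req = build_client_request(1_115_000_000.0)
    rep = build_server_reply(req, 1_115_000_030.1, 1_115_000_030.1)
    print(compute_offset(req, rep, 1_115_000_000.2))   # offset close to 30.0, delay close to 0.2
```

The offset formula assumes the delay is symmetric; when it is not, the error is half the asymmetry, which is one reason the daemons prefer several servers over a single ntpdate run.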

Learn more about configuring a Cisco router in our two-day Cisco router hands-on workshops. Our two-day classes offer an accelerated learning experience for today’s busy IT professional. The Cisco fundamentals two-day workshop is great for those who are new to routers and our two-day advanced classes offer more in-depth training for those who already understand the basics. Complete details are available online or call 206.988.5858 and enroll today.

Tuesday, May 3, 2005

Cisco tip: Redistribute RIPv2 into RIPv1

Suppose that you have two networks in your internetwork. Devices in one network support the advanced features of RIP version 2, but the devices in the other network don’t. You can still take advantage of the advanced features of RIPv2 in the network that supports it by redistributing the RIPv2 updates into the RIPv1 network. For the purpose of this tip, I assume you’ve already configured RIP version 2 where appropriate.

To route between RIP v1 and RIP v2, use the following procedure:

On the router connected to both networks, configure the following command on the interface connected to the RIPv1 network:

router#conf t
router(config)#interface [interface name]
router(config-if)#ip rip receive version 1

You can gain hands-on experience in techniques just like this, plus many other tips, procedures, and shortcuts when you enroll in our Cisco router training classes. Our accelerated training programs are designed to provide you with practical knowledge combined with lots of hands-on practice so you can go directly from our classroom into your workplace and apply your new knowledge and experience right away. Click here for more information about our Cisco training workshops or call Janet at 206.988.5858 to enroll today.

Wednesday, April 27, 2005

Cisco Tip: Get a New Line After a Console Message

One of the things that makes us crazy when working with Cisco routers is how console messages interrupt console input. You can make your Cisco router return a fresh line after console logging messages by adding the command logging synchronous in the line con 0 configuration:

router#conf t
router(config)#line con 0
router(config-line)#logging synchronous

Want to know more about configuring a Cisco router? For groups of four or more, bring us onsite to your location at the date and time of your choosing. More info is available online or call 206.988.5858.

Thursday, April 14, 2005

Windows Security Configuration Wizard

Last week, we talked about the new Windows Security Configuration Wizard which is included in Windows Server 2003 Service Pack 1. What is it? What does it do? Here’s the short scoop on SCW: Microsoft describes it as an “attack surface reduction tool”. It disables unneeded services, blocks unused ports, further restricts those ports that are left open, prohibits (if applicable) unnecessary IIS web extensions, reduces security threats posed by SMB, LanMan, and LDAP, and defines an audit policy that is more sensitive to security-related events. Configurable from either the GUI or the CLI, SCW is another step Microsoft is taking in enhancing the security of their products. For Microsoft shops, it’s a welcome advance. For non-Microsoft shops, it’s another tool MS is using to try to lure you into their fold. More info on SCW is here. Learn more about SCW and other security technologies in our two-day Windows Server 2003 seminar, available for onsite presentation at your location for groups of four or more. Click here or call 206.988.5858 for more information.

How to Quickly Find an Executable in Linux/UNIX

Thanks to Karen at McKesson in Denver for reminding us about this handy command during a Linux onsite workshop. When you need to quickly find the path to an executable, use “which”. Here’s an example: “which named” returns, on a RedHat 9 system, “/usr/sbin/named“. We’ll show you lots more handy commands and shortcuts when you schedule our Linux Training Seminar at your location for an onsite presentation. Cost effective for four or more, our Linux onsite training workshop offers two full days of Linux installation, configuration, optimizing, and troubleshooting. Click here or call 206.988.5858 to schedule yours today!

Friday, March 18, 2005

How to Configure a Gateway of Last Resort

We’re often asked about how to connect a LAN to the Internet through a Cisco router. You need to have a way of telling the router, “If you don’t know what else to do with a packet, send it to the default network.” In this case, the default network would be your Internet connection. It’s actually quite simple.

Configure a static route like this:
router#conf t
router(config)#ip route 0.0.0.0 0.0.0.0 [target IP address (e.g. the Internet address of the router)]

This command simply tells the router to send any packets addressed to unknown networks to the address specified at the end of the command. The specified address becomes your gateway of last resort. (Sounds pretty desperate, doesn’t it?)
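What makes 0.0.0.0 0.0.0.0 work as a last resort is longest-prefix matching: the router always prefers the most specific route that covers a destination, and a /0 prefix is the least specific one possible. The following is an added example (our own Python, not part of the post and not how IOS is implemented) that parses the ip route command into a prefix and runs lookups against a small constructed table. The LAN prefixes and the next hop 203.0.113.1 (a documentation address) are constructed.

```python
import ipaddress
from typing import List, Optional, Tuple

Route = Tuple[ipaddress.IPv4Network, str]   # (destination prefix, next hop or connected interface)


def parse_ip_route(cmd: str) -> Route:
    """Parse an IOS 'ip route <network> <mask> <next-hop>' line into a (prefix, next hop) tuple."""
    parts = cmd.split()
    if len(parts) != 5 or parts[:2] != ["ip", "route"]:
        raise ValueError(f"unsupported command: {cmd!r}")
    _, _, network, mask, next_hop = parts
    ipaddress.ip_address(next_hop)                       # rejects a malformed next hop
    return ipaddress.ip_network(f"{network}/{mask}"), next_hop


def lookup(table: List[Route], dst: str) -> Optional[str]:
    """Longest-prefix match: the most specific matching route wins, so 0.0.0.0/0
    is used only when no other entry covers the destination."""
    addr = ipaddress.ip_address(dst)
    best: Optional[Route] = None
    for net, next_hop in table:
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, next_hop)
    return best[1] if best else None


# Constructed table: two connected LANs plus the default route from the post.
# 203.0.113.1 is a documentation address standing in for the Internet-facing next hop.
TABLE: List[Route] = [
    (ipaddress.ip_network("10.16.0.0/12"), "connected, e0/0"),
    (ipaddress.ip_network("192.168.50.0/24"), "connected, e0/1"),
    parse_ip_route("ip route 0.0.0.0 0.0.0.0 203.0.113.1"),
]

if __name__ == "__main__":
    for dst in ("10.16.0.13", "192.168.50.7", "198.51.100.9", "192.168.99.1"):
        print(dst, "->", lookup(TABLE, dst))
```

Note the last lookup: 192.168.99.1 is a private address with no route of its own, so it goes out the default route toward the Internet just like any public destination. Without the default route the same lookup returns nothing and the packet is dropped.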

For more information about default routing, register for our two-day Cisco Router Fundamentals Hands-On Workshop, available for onsite scheduling at your location for groups of four or more. Call 206.988.5858 or click here for details. Open-enrollment, public seminars are often available. Check online at http://www.soundtraining.net/ for dates and locations.

Thursday, March 17, 2005

How to Use Dynamic DNS with Legacy Microsoft Clients

Windows 2000 Server (all editions) and Windows Server 2003 support Dynamic DNS. The benefit of Dynamic DNS is that it’s not necessary to manually update client resource records in DNS. A Windows 2000/2003 server running DHCP can also update legacy clients’ resource records in DNS. If your network includes clients older than Windows 2000, this feature can save you much time.

By default this should be turned on, but you can check by right-clicking on an appropriate DHCP server or its scope and choosing Properties. Under the DNS tab, ensure that the box labeled, “Enable updates for DNS clients that do not support dynamic updates” is checked. It’s similar in Windows Server 2003, except the check box is labeled, “Dynamically update DNS A and PTR records for DHCP clients that do not request for updates (for example, clients that are running Windows NT 4.0).”

Learn more about working with Windows Server 2003 in our 2-day Windows Server 2003 seminar, available for onsite scheduling at your location for groups of four or more.

Thursday, March 10, 2005

How to Use "rndc" to Control Your BIND Server

BIND is the most popular version of the DNS server. Distributed by ISC, the current version of BIND is 9.3.0. Newer versions of BIND are relatively easy to compile on systems running Linux or UNIX, but configuration and operation can be…err…challenging.

One of the tools that makes BIND administration simpler is rndc (ndc in BIND 8.x), the remote name daemon controller. rndc allows you to halt named, reload DNS database files, reload configuration files, view the status of the server, and more.

View available commands by entering rndc with no options at a command prompt or view the man page.

Learn more about rndc and see it in use with our newly updated one-day seminar BIND DNS: Installing, Configuring, Optimizing, and Troubleshooting. It’s now available for presentation at your location. Call 206.988.5858 or click here for more info.

Tuesday, February 15, 2005

How to Troubleshoot DNS Issues with "dig"

“dig” is the domain information groper. You can use dig to query DNS servers for information concerning hostnames and servers. You may be familiar with nslookup (see the previous blog entry), an older utility that does much the same thing. dig uses a clearer, easier to understand command structure and is generally more stable than nslookup, so it is the recommended tool for querying name servers. At this time, dig is not supported in Windows, but it is supported in most Linux distros and most versions of UNIX.

Using dig

#dig [@server to query] [name to be looked up] [type of query (if not specified, dig will perform a lookup for an A RR)]

Common uses of dig

  • #dig [fully qualified domain name] will provide information about the IP address of the specified host as well as information about the nameservers associated with that host.
  • #dig -x [IP address] will do a reverse lookup and provide information about the host at that IP address.

Of course, for more information about dig, check out the man or info pages. As with nslookup, you can get more information about dig and other DNS tools in our BIND DNS one-day seminar. It’s now available for onsite scheduling at your location. Call us at 206.988.5858 to schedule your seminar.

Friday, February 11, 2005

How to Troubleshoot DNS Issues with "nslookup"

Nslookup is a very handy and often underutilized tool for assisting in name resolution issues. Nslookup runs in most (if not all) systems utilizing TCP/IP. It allows you to query a name server for various types of information concerning the name resolution process. Try this command at a command prompt:

nslookup [hostname | fully qualified domain name]
This command will display the nameserver for the domain and the IP address of the host.

Or try this:
nslookup
The command by itself starts the nslookup service. The prompt is “>”.

>ls [domain name]
This command will display a listing of hosts in the domain with their IP addresses.

Although many in the Linux/UNIX community prefer to use “dig”, nslookup is the most commonly available of all the DNS troubleshooting tools and is supported on most OS platforms.
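Both dig and nslookup send the same thing on the wire: a 12-byte header, one question, and (for dig -x) a name built by reversing the octets under in-addr.arpa. The following is an added example in Python (ours, not from either post and not dig’s or nslookup’s code) that builds the query, builds a constructed A-record response of the shape a name server returns, and parses the answer section, including the name-compression pointers that real responses use. The names www.example.com and the address 192.0.2.10 are documentation values; the transaction ID 0x1234 is a constant chosen here.

```python
import ipaddress
import struct
from typing import List, Tuple

QTYPE = {"A": 1, "NS": 2, "PTR": 12}
TYPE_NAME = {v: k for k, v in QTYPE.items()}


def encode_name(name: str) -> bytes:
    """Encode a dotted name as length-prefixed labels terminated by a zero byte."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError(f"bad label: {label!r}")
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def reverse_name(ip: str) -> str:
    """The name that 'dig -x' actually queries: 10.16.0.13 -> 13.0.16.10.in-addr.arpa"""
    return ipaddress.ip_address(ip).reverse_pointer


def build_query(name: str, qtype: str = "A", txid: int = 0x1234) -> bytes:
    """12-byte header (ID, flags with RD set, QDCOUNT=1) followed by one question."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    return header + encode_name(name) + struct.pack("!HH", QTYPE[qtype], 1)


def decode_name(msg: bytes, offset: int) -> Tuple[str, int]:
    """Decode a name at offset, following compression pointers (0xC0xx).
    Returns (name, offset just past the name as it appears at the original position)."""
    labels, end, jumped, hops = [], offset, False, 0
    while True:
        length = msg[offset]
        if (length & 0xC0) == 0xC0:
            pointer = struct.unpack("!H", msg[offset:offset + 2])[0] & 0x3FFF
            if not jumped:
                end = offset + 2
            jumped, offset, hops = True, pointer, hops + 1
            if hops > 20:
                raise ValueError("compression pointer loop")   # malformed or hostile message
            continue
        offset += 1
        if length == 0:
            if not jumped:
                end = offset
            return ".".join(labels), end
        labels.append(msg[offset:offset + length].decode("ascii"))
        offset += length


def parse_answers(msg: bytes) -> List[Tuple[str, str, int, str]]:
    """Return (owner name, type, TTL, data) for each record in the answer section."""
    _, flags, qdcount, ancount, _, _ = struct.unpack("!HHHHHH", msg[:12])
    if (flags & 0x8000) == 0:
        raise ValueError("not a response")
    if flags & 0x000F:
        raise ValueError(f"server returned RCODE {flags & 0x000F}")
    off = 12
    for _ in range(qdcount):            # skip the echoed question section
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        if rtype == 1 and rdlen == 4:
            data = str(ipaddress.IPv4Address(msg[off:off + 4]))
        elif rtype in (2, 12):
            data, _ = decode_name(msg, off)   # NS and PTR data is itself a (possibly compressed) name
        else:
            data = msg[off:off + rdlen].hex()
        off += rdlen
        answers.append((name, TYPE_NAME.get(rtype, str(rtype)), ttl, data))
    return answers


def build_a_response(query: bytes, ip: str, ttl: int = 300) -> bytes:
    """Constructed reply: the query's ID and question, QR/RD/RA flags set, and one A record
    whose owner name is a pointer (0xC00C) back to the question name at offset 12."""
    header = query[:2] + struct.pack("!HHHHH", 0x8180, 1, 1, 0, 0)
    answer = b"\xC0\x0C" + struct.pack("!HHIH", 1, 1, ttl, 4) + ipaddress.IPv4Address(ip).packed
    return header + query[12:] + answer


if __name__ == "__main__":
    q = build_query("www.example.com")
    print(parse_answers(build_a_response(q, "192.0.2.10")))
    print(reverse_name("10.16.0.13"))
```

The hop limit in decode_name is the one piece of defensive code worth copying: a response whose pointers loop would otherwise spin a naive parser forever, and both tools have to cope with whatever a remote server sends back.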

Want to know more about using nslookup, dig, and other DNS troubleshooting tools? Check out our BIND DNS one-day workshop. It’s now available for onsite scheduling at your location. Call us at 206.988.5858 to schedule your workshop.

Tuesday, February 8, 2005

How to Use "runas" in Windows 2000/XP/2003

You probably know that it’s best practice for an administrator to have two logon accounts: one used for day-to-day, routine tasks that don’t require administrative rights and permissions and one for administering the computer and/or the network.

The “runas” command was introduced in Microsoft Windows 2000 and is supported in Windows XP and Server 2003. “Runas” allows an administrator to run applications under a different user context than the currently logged on user. For example, suppose you’re logged on with your regular user account, but need to perform an administrative task. You can use the “runas” command to perform the task without having to log off from your regular account and log back on with your administrator account.

To use the “runas” command within the GUI, right-click on a .exe, .mmc, or a shortcut and choose Run as… You also use “runas” within command mode. To see syntax, type “runas” at a command prompt.

Learn more about “runas” and other administration and troubleshooting tools in our Windows XP and Windows Server 2003 seminars.

Thursday, February 3, 2005

How to Use "netstat" to Troubleshoot Connectivity Issues

The “netstat” command is included with most TCP/IP-enabled operating systems. Little understood and infrequently used, netstat is a great tool for troubleshooting connectivity issues related to IP address and port configuration.

Netstat displays protocol statistics and current TCP/IP network connections. Use it with any of several switches to display all connections and listening ports, Ethernet statistics, the routing table, and per-protocol statistics. For UNIX and Linux users, there are even more options available.

Run netstat at a command prompt using the following syntax to see the various options available:
“C:\>netstat /?”

A commonly used command is “C:\>netstat -an”, which displays all connections and listening ports in numerical form. By default, the output is displayed on your screen, but you can direct the output to a file by using the following syntax: “C:\>netstat -an > netstat.txt”. That sends a list of all connections and listening ports to the file netstat.txt, which can be found in the current directory.
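Once you have that netstat.txt, the question is usually “which of these ports should not be open to the network?” Here is an added example (our own Python, not from the post) that parses the Windows netstat -an layout, keeps the TCP listeners and bound UDP ports, drops anything bound only to loopback, and compares the rest against a list of ports you expect. The output lines and the allow list are constructed for the illustration.

```python
from typing import List, NamedTuple, Set, Tuple


class Socket(NamedTuple):
    proto: str
    local_addr: str
    local_port: int
    foreign: str
    state: str        # empty for UDP, which has no connection state


# Constructed "netstat -an" output in the Windows XP/2003 layout.
SAMPLE_NETSTAT = """
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    10.16.0.20:3389        0.0.0.0:0              LISTENING
  TCP    10.16.0.20:1043        10.16.0.13:23          ESTABLISHED
  TCP    127.0.0.1:1025         0.0.0.0:0              LISTENING
  UDP    0.0.0.0:69             *:*
  UDP    10.16.0.20:137         *:*
"""


def parse_netstat_an(text: str) -> List[Socket]:
    """Turn netstat -an lines into Socket records; header and blank lines are skipped."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] not in ("TCP", "UDP"):
            continue
        addr, _, port = parts[1].rpartition(":")     # rpartition also copes with IPv6 "[::]:135"
        state = parts[3] if len(parts) > 3 else ""
        sockets.append(Socket(parts[0], addr, int(port), parts[2], state))
    return sockets


def listeners(sockets: List[Socket]) -> List[Socket]:
    """TCP sockets in LISTENING plus every bound UDP socket (a bound UDP port accepts datagrams)."""
    return [s for s in sockets if s.proto == "UDP" or s.state == "LISTENING"]


def network_reachable(sockets: List[Socket]) -> List[Socket]:
    """Listeners bound to something other than loopback: these can be reached from the network."""
    return [s for s in listeners(sockets) if not s.local_addr.startswith("127.")]


def unexpected_listeners(sockets: List[Socket], allowed: Set[Tuple[str, int]]) -> List[Socket]:
    """Network-reachable listeners that are not on the allow list of (proto, port) pairs."""
    return [s for s in network_reachable(sockets) if (s.proto, s.local_port) not in allowed]


if __name__ == "__main__":
    ALLOWED = {("TCP", 135), ("TCP", 445), ("TCP", 3389), ("UDP", 137)}
    for s in unexpected_listeners(parse_netstat_an(SAMPLE_NETSTAT), ALLOWED):
        print(f"unexpected: {s.proto} {s.local_addr}:{s.local_port}")
```

With the sample above the only surprise is UDP 69, a TFTP server bound to every address; that is exactly the kind of thing to reconcile against the firewall exceptions you have configured. The ESTABLISHED Telnet session to 10.16.0.13 is not a listener, so it is parsed but not reported here.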

Want to know more about netstat and other troubleshooting tools? Schedule our Networking Fundamentals 2-Day Hands-On Workshop for your location. Remember, onsite training makes sense for groups of four or more.

Wednesday, February 2, 2005

How to Configure the Windows XP Firewall, part 2

This entry is about the Advanced tab on the Windows XP SP2 firewall. The Advanced tab allows you to choose the connections that you want firewalled (the default is all of them), configure logging, control ICMP behavior, and reset the firewall to its default state.

As with other settings, if the setting is configured at a domain level through domain policies, you will not be able to configure it locally (the settings will be grayed). You can also specify the specific types of connections that will be allowed on a connection by connection basis by selecting a particular connection and choosing Settings. You might, for example, want to disable ICMP on an external connection but allow it on an internal connection.

Security logging allows you to log successful and failed connection attempts, specify the location of the log, and specify the maximum log size.

ICMP settings allow you to configure how the computer responds to various events on the network. According to RFC 792, ICMP (Internet Control Message Protocol) messages are sent in several situations, including when a datagram cannot reach its destination, when the gateway does not have the buffering capacity to forward a datagram, and when the gateway can direct the host to send traffic on a shorter route. ICMP is best known for its use with the PING utility. PING sends an ICMP echo to its target and the target responds with an ICMP echo reply. PING reports on the success and performance of such requests and responses. Although ICMP is a very handy troubleshooting tool in a network, it can also alert an attacker to the presence of a system. It is generally recommended, therefore, that ICMP be disabled (it is by default) on any external interface and internal interfaces on non-trusted networks. You can enable specific ICMP functionality if needed, but in general, it’s best to leave it disabled.

The Restore Defaults button does exactly what the name implies. Want to know more about supporting Windows? Check out our accelerated Windows training, available in both public and onsite seminars and workshops.

Tuesday, February 1, 2005

How to Configure the Windows XP Firewall, part 1

I suppose if I’m going to get on my soapbox about learning how to configure the Windows XP SP2 firewall, I should probably do a “how-to” guide on the subject. You know, “Put up or shut up!”, right? Here goes.

There are several ways to get to the XP firewall. If you have a preferred path, use it. Otherwise, click Start, then Control Panel, then double-click Network and Internet Connections, and click Windows Firewall. There are three tabs on the Windows Firewall Configuration window: General, Exceptions, and Advanced.

The General tab allows you to turn the firewall on or off and to allow or disallow exceptions. Think of exceptions this way: by default, the firewall blocks all unsolicited incoming connections, with Remote Assistance the only exception enabled. As you work, a program that tries to listen for incoming connections triggers a Windows Security Alert asking whether to keep blocking it or to unblock it; if you unblock it, the program is listed under the Exceptions tab. There may be times when you don’t want any of those exceptions in force, for example when you’re connected to an untrusted WiFi network at a coffee shop or in an airport. In those settings, check “Don’t allow exceptions” on the General tab: the firewall then blocks everything inbound while leaving your outbound traffic alone, and your exceptions list is kept for when you return to a trusted network.

Under the Exceptions tab, you’ll see all of the programs that are allowed to accept incoming connections. You can remove programs from the list or manually add any program that needs to accept incoming connections; a program exception is preferable to a port exception because the port is open only while that program is running. You can also allow incoming connections by TCP or UDP port number. For example, suppose that you want to allow Cisco devices to connect to a TFTP server on your computer for configuration backup and restore. On the Exceptions tab, click Add Port…, enter TFTP for the name, specify 69 for the port number, and select UDP. Before you click OK, click Change scope… and restrict the exception to “My network (subnet) only” or to a custom list of addresses; otherwise the port is open to any source on every connection. Use similar procedures for any other ports you need to enable, and remove exceptions (TFTP included) as soon as you are finished with them; TFTP has no authentication at all.

I’ll discuss the Advanced tab in my next blog entry. Want to know more about supporting Windows? Check out our accelerated Windows training, available in both public and onsite seminars and workshops.

Thursday, January 27, 2005

Let’s Stop Complaining About Microsoft Doing the Right Thing

I’m on the road this week teaching a one-day class on supporting Windows XP for a private client. The classroom conversation, as usual, drifts frequently to a discussion of the pros and cons of Service Pack 2. This blog entry is not about Service Pack 2, but it is about the Internet Connection Firewall.

As you probably know, the Internet Connection Firewall (renamed Windows Firewall in SP2, and considerably improved) is now turned on by default for every connection on Windows XP systems updated with Service Pack 2. Many students complain about this default configuration, but they’re missing the point.

First, we in the IT community have complained for years about the lack of security in Microsoft products. We compared their products to Novell and UNIX products in which only essential modules or daemons were enabled and we had to explicitly enable everything else. Microsoft, on the other hand, shipped their products with a multitude of services enabled by default. That made for great ease-of-use, but lousy security. Now, Microsoft shuts down network access to workstations unless specific ports or programs are explicitly allowed, and people start whining. Gee, isn’t that a step toward what we were asking for? Can we pause for a moment in support of the principle of least privilege?

Here’s the deal: Certain services are permitted by default such as Remote Assistance. You can use Group Policy settings to easily configure the ICF to permit whatever other traffic you wish on multiple workstations or perform simple configurations on an individual workstation to allow the desired traffic through the firewall. One example of desirable traffic that you might wish to allow through the firewall is Remote Desktop. The real question, though, is why on earth would someone in an enterprise want to allow most other types of incoming connections on the average workstation, especially an average user’s workstation? Put it (whatever it is) on a server. That shared printer? Put it on a print server. That shared file or folder that everyone needs to access? That goes on a file server. Certainly, there are times when, as an IT professional, you might need to enable certain services such as TFTP for backing up or restoring configurations on your laptop. That should, however, be the exception and definitely not the rule. The point is simple: Let’s quit complaining about Microsoft doing the right thing and learn how to configure the firewall. Better yet, use workstations as workstations and leave the serving to servers.

Sunday, January 23, 2005

How to Understand OC (Optical Carrier) Levels

SONET (Synchronous Optical Networking) is a standard for carrying digital information, including telephone and data traffic, over optical fiber. OC stands for Optical Carrier, and OC levels describe the line rates used in SONET. The base rate is OC1 at 51.84 Mbit/s, and every higher level is an exact multiple of it: OCn runs at n × 51.84 Mbit/s, so OC3 is 155.52 Mbit/s, OC12 is 622.08 Mbit/s and OC48 is 2488.32 Mbit/s.

As of this writing (early 2005), the state of the art in deployed SONET is OC192 (9953.28 Mbit/s), 192 times the OC1 base rate. Higher OC levels are already defined in the standard to allow for future equipment; OC768, for instance, is 39813.12 Mbit/s.

Learn more about data transmission and other basic concepts of networking in our Networking Fundamentals 2-Day Hands-On Workshop, now available for scheduling onsite at your location for groups of four or more. Call 206.988.5858 or click this link for details.

Friday, January 21, 2005

The Story of the PING Utility

Ping is a roughly 1,000-line utility written in December 1983 by the late Mike Muuss (pronounced “moose”). He was working at the US Army’s Ballistic Research Laboratory and was trying to track down odd network behaviour; PING was written to help. He is quoted as saying, “If I’d known it was going to be my legacy, I’d have built more functionality into it.”

Contrary to popular belief, PING is not an acronym for anything (the expansion “Packet InterNet Groper” is a backronym invented later). Muuss named it after the sound of Navy sonar, which in turn mimics the way bats and porpoises locate objects by listening for returning sound.

Ping works by sending an ICMP (Internet Control Message Protocol) echo request to a remote host and waiting for the ICMP echo reply, reporting the round-trip time and any replies that never came back. Because a reply confirms that a live host is present, many firewalls (the Windows XP SP2 firewall included) drop incoming echo requests by default, so a failed ping does not prove that a host is down.

Read more about ping at Mike Muuss’ website. Unfortunately, Mike was killed in an automobile accident on November 20, 2000. Learn more about ping and other troubleshooting tools in any of our seminars and workshops for IT professionals.

Tuesday, January 18, 2005

How to Understand Task Manager’s Performance Tab

Here’s the explanation of the different fields of the Performance Tab in Windows Task Manager:

CPU Usage shows the percentage of time the processor is executing something other than the idle thread. If your computer is running slowly and this graph stays high, switch to the Processes tab and sort by the CPU column to find the process that is monopolizing the processor.

CPU Usage History graphs how busy the processor has been over a period of time. You can set the value for the Update Speed on the View menu. Your choices are:

  • High = twice per second
  • Normal = once every two seconds
  • Low = once every four seconds
  • Paused = the display is not automatically updated

PF Usage, despite its name, does not measure how busy the paging file is. It plots the system commit charge: the total virtual memory that processes and the kernel have committed, which is backed by RAM and the paging file together (it is the same number as Commit Charge Total, below). If it runs consistently close to the Commit Charge Limit, add RAM or enlarge the paging file.

Page File Usage History graphs page file usage over a period of time. You can set the value for the Update Speed on the View menu.

Totals displays the number of handles, threads, and processes running on the computer.

Commit Charge (K) describes memory committed to the operating system and programs. Total is the amount of virtual memory currently committed by all processes and the kernel; Limit is the most that can be committed without growing the paging file (roughly RAM plus the current paging file size); Peak is the highest Total since boot. Peak may exceed the amount of physical RAM on the system because committed memory is backed by the paging file as well as RAM. Total is the value plotted in the PF Usage graphs.

Physical Memory (K) is the total amount of RAM installed on your computer.

Available is free memory that is available for use.

System Cache is the RAM currently used by the file system cache to hold pages of open files.

Kernel Memory (K) is the memory used by the operating system kernel and device drivers. Paged is the paged pool: kernel memory that can be written out to the paging file when physical memory is needed elsewhere.

Nonpaged is the nonpaged pool: kernel memory that must stay resident in RAM because it can be touched by code that is not allowed to take a page fault, such as interrupt handlers. A nonpaged pool that grows steadily and never comes back down is a classic sign of a leaking driver.

You can learn a lot more about tuning, troubleshooting, and administering a Windows Server 2003 box in our Windows Server 2003 seminar. We do an entire section on Performance Monitor, plus lots of coverage of other built-in tools.

Sunday, January 16, 2005

How to Change File Associations

It’s not complicated at all, but it’s a frequent question. How do you change the program that opens a file based on its extension? For example, I often prefer to open text files with WordPad instead of NotePad in Windows. I like the formatting better, so I associate .txt files with WordPad instead of the default of NotePad.

There are several ways to do it; here’s one:

  1. Right-click on any file with the extension in question (such as “.txt”)
  2. Choose Open With and then click on Choose Program…
  3. In the dialog box that appears, choose the program you wish to associate with the extension and check the box near the bottom of the window that says “Always use the selected program to open this kind of file”.
  4. Click the OK button and you’re done.

Tuesday, January 11, 2005

How to Use the "alias" Command

In Linux/UNIX, alias is a shell builtin that lets you define a short name the shell expands into a longer command before running it. Aliases are also handy for assigning default arguments to commands, such as ensuring that the “-i” (interactive, prompt before overwriting) option is always used with “cp” and “mv”.

The syntax is:

alias name='command with arguments'

For example, alias cps='cp -s' creates the alias “cps”, which always invokes “cp” with the -s option (create symbolic links instead of copying). The “#” or “$” shown in front of commands in examples is the shell prompt, not part of the command. You can see existing aliases by issuing the alias command with no arguments at a command prompt, and “type name” tells you whether a name is an alias, a builtin, a function or a program.

Two caveats. First, an alias lives only in the shell where you defined it; put it in your shell startup file (~/.bashrc for bash) to make it permanent, and don’t expect it to apply inside scripts, where bash does not expand aliases by default. Second, an alias is a convenience, not a control: anyone, including you, can bypass it with \cp or command cp, and an attacker who can write to a user’s startup files can alias sudo, ls or ssh to a program of their choosing, so check those files and the output of alias when examining a suspect account.

Aliases can be removed with the unalias command: unalias cps removes the “cps” alias.

Get hands-on practice using the alias command and lots of other commands in our two-day Linux hands-on seminar available in open-enrollment public seminars or you can schedule it in the location of your choosing for groups of four or more as an onsite seminar.

Sunday, January 9, 2005

How to Restore a PIX Firewall to its Factory Defaults

Warning: The following procedure will erase any existing configuration on the PIX firewall. You are strongly encouraged to make a backup of the firewall’s configuration prior to executing the following procedure.

To prepare the PIX Firewall to be decommissioned or restored to its factory default state, perform the following steps:

Connect to the console port of the PIX and bring up Hyperterminal (or your preferred terminal emulation software).

Enter Privileged EXEC mode, then Global Configuration mode, and type the following commands. The first two destroy the RSA key pair (so the SSH host key and any certificate on the unit cannot be recovered, which is the point when decommissioning) and commit that change to flash; write erase clears the startup configuration, and the reload discards the running configuration:

ca zeroize rsa [enter]
ca save all [enter]
exit [enter]
write erase [enter]
[enter] To Confirm Erase
reload [enter]
[enter] To Confirm Reload

At this point, the PIX should reload, perform the Power On Self Test and then display the following text:

Pre-configure PIX Firewall now through interactive prompts [yes]?

When you see that prompt, the PIX is at its factory defaults. Answer yes to walk through the interactive setup, or no to drop to the pixfirewall> prompt and rebuild the configuration by hand; if you are decommissioning the unit, simply power it down.

You can practice this procedure and many others when you register for our 2-day hands-on ASA / PIX firewall seminar. It’s available in public seminars in Seattle or in onsite presentations at the location of your choice for groups of four or more.

Saturday, January 8, 2005

How to Configure DHCP on a Cisco Router

Many students in our Cisco workshops need to use a router as a Dynamic Host Configuration Protocol (DHCP) server. Here’s how to do it.

Optionally, begin by configuring a DHCP database agent, such as a TFTP or FTP server, which stores the binding database so that leases survive a reload and the server can record address conflicts. In global configuration mode, enter the following command (if you skip this step, turn off conflict logging with “no ip dhcp conflict logging” so the router does not keep warning you about the missing agent):

router(config)#ip dhcp database [url]

The Cisco DHCP implementation assumes that every address in the configured subnet is available for lease. Any address you do not want handed out (the router’s own interface address, the DNS and WINS servers, printers and other statically addressed hosts) must be excluded explicitly, also in global configuration mode, before you create the pool. The server’s ping-before-offer conflict check is a safety net, not a substitute for exclusions:

router(config)#ip dhcp excluded-address low-address [high-address]

Now, configure a DHCP pool name, which also allows you to enter DHCP configuration mode. In the example, the pool name is “dhcpdemo”. You then specify the DHCP pool subnet address and mask.

router(config)#ip dhcp pool dhcpdemo

router(dhcp-config)#network 10.0.0.0 /8

In the above example, the “/8” indicates an 8-bit subnet mask (255.0.0.0), so the pool covers 10.0.0.0 through 10.255.255.255; you could equally write “network 10.0.0.0 255.0.0.0”. The address given must be the network address itself (host bits zero), which is why it is 10.0.0.0 rather than some host address in the range, and the default router and DNS server configured below (10.0.0.1 and 10.0.0.2) must fall inside it.

Now configure the DHCP options: a domain name, DNS server address(es), WINS server (NetBIOS name server) address(es) and NetBIOS node type (if you don’t know which to use, choose “h”, hybrid, which queries the name server first and falls back to broadcast), the clients’ default router (gateway), and the lease time, given as days [hours [minutes]] or the keyword infinite (the default is one day; “lease 8” below is eight days). The default router must be an address on the pool’s subnet, and note that 10.0.0.1 and 10.0.0.2 in the example are exactly the addresses that should have been excluded above.

router(dhcp-config)#domain-name soundtraining.net

router(dhcp-config)#dns-server 10.0.0.2

router(dhcp-config)#netbios-name-server 10.0.0.2

router(dhcp-config)#netbios-node-type h

router(dhcp-config)#default-router 10.0.0.1

router(dhcp-config)#lease 8
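The script below, added here and not part of the original post or of Cisco’s software, applies the same rule IOS uses (every address in the pool subnet is leasable unless excluded) to the pool configured above and tells you which “ip dhcp excluded-address” lines are still missing, along with two mistakes that are easy to type: a network statement with host bits set and a default router that is not on the pool’s subnet. The pool, gateway and DNS server are the post’s values; the exclusion ranges used in the demonstration are assumptions.

```python
"""Check a Cisco IOS DHCP pool definition before committing it to the router.
Added example for this post, not Cisco code.  It mirrors the IOS rule that
every address in the pool subnet is leasable unless listed with
'ip dhcp excluded-address', and reports the infrastructure addresses that
are still exposed.  Pool, gateway and DNS values come from the post; the
exclusion ranges used in the demo are assumptions."""
import ipaddress


def _merged_exclusions(net, excluded_ranges):
    """Convert (low, high) pairs from 'ip dhcp excluded-address low [high]'
    into sorted, merged integer intervals clipped to the pool's host range."""
    first = int(net.network_address) + 1   # hosts cannot use the network address
    last = int(net.broadcast_address) - 1  # or the broadcast address
    intervals = []
    for low, high in excluded_ranges:
        lo = int(ipaddress.ip_address(low))
        hi = int(ipaddress.ip_address(high if high else low))  # single address if no high
        if hi < lo:
            lo, hi = hi, lo
        lo, hi = max(lo, first), min(hi, last)
        if lo <= hi:
            intervals.append((lo, hi))
    merged = []
    for lo, hi in sorted(intervals):
        if merged and lo <= merged[-1][1] + 1:
            merged[-1] = (merged[-1][0], max(merged[-1][1], hi))
        else:
            merged.append((lo, hi))
    return first, last, merged


def check_pool(network, excluded_ranges, must_exclude, default_router):
    """network: 'addr/prefix' or 'addr/mask', as typed after 'network'.
    excluded_ranges: list of (low, high_or_None) tuples.
    must_exclude: addresses the router must never lease (its own interface,
    DNS/WINS servers, other static hosts).
    Returns the leasable count, the exposed addresses, the IOS lines that
    would close the gaps, and warnings about the statement itself."""
    warnings = []
    try:
        net = ipaddress.ip_network(network, strict=True)
    except ValueError:
        net = ipaddress.ip_network(network, strict=False)
        warnings.append(f"{network} has host bits set; the pool subnet is really {net}")
    first, last, merged = _merged_exclusions(net, excluded_ranges)
    excluded_count = sum(hi - lo + 1 for lo, hi in merged)

    def is_excluded(addr):
        a = int(ipaddress.ip_address(addr))
        return any(lo <= a <= hi for lo, hi in merged)

    exposed = [a for a in must_exclude
               if ipaddress.ip_address(a) in net and not is_excluded(a)]
    if ipaddress.ip_address(default_router) not in net:
        warnings.append(f"default-router {default_router} is not on {net}; clients cannot reach it")
    return {
        "network": str(net),
        "leasable": (last - first + 1) - excluded_count,
        "exposed": exposed,
        "fix_lines": [f"ip dhcp excluded-address {a}" for a in exposed],
        "warnings": warnings,
    }


if __name__ == "__main__":
    # The pool from the post, exactly as written: no exclusions at all.
    result = check_pool("10.0.0.0/8", [], ["10.0.0.1", "10.0.0.2"], "10.0.0.1")
    print(f"{result['network']}: {result['leasable']} leasable addresses")
    for line in result["fix_lines"]:
        print("missing:", line)
    for w in result["warnings"]:
        print("warning:", w)
```

Run as-is it reports that the router’s own address and the DNS server are both leasable and prints the two exclusion lines to add. Feed it your real exclusions as (low, high) pairs, or (addr, None) for a single address, and it tells you how many addresses remain in the pool after merging overlapping ranges.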

There are many more commands and options available with DHCP on a Cisco router. To learn more about them and gain hands-on experience, register for our Cisco Router Fundamentals 2-Day Workshop available in various cities or as an onsite presentation at your location for your group of four or more.

Wednesday, January 5, 2005

Alternate Configuration makes it easy to move between networks

Use the “Alternate Configuration” feature in Windows XP Professional or Windows Server 2003 when you move a computer between a network that uses static IP addressing and one that uses DHCP. It is configured in the TCP/IP properties sheet. Right-click My Network Places and select Properties. Right-click the connection you wish to configure (your wireless NIC or another local area connection) and select Properties. In the window listing the items used by the connection, double-click Internet Protocol (TCP/IP). If you are presently using a static IP address, select the radio button labeled Obtain an IP address automatically; the Alternate Configuration tab appears at the top of the Internet Protocol properties window only when that option is selected. On that tab you can either accept an APIPA address or enter a custom address, subnet mask, gateway and DNS/WINS servers, which will be used whenever no DHCP server answers. (APIPA is an acronym for “Automatic Private IP Addressing”, the mechanism that assigns an address in the 169.254.0.0/16 range, with no default gateway, when DHCP fails and no alternate configuration has been set.) Bear in mind that the fallback kicks in on any network where DHCP is unavailable, not just the one you configured it for.

Tuesday, January 4, 2005

How to Configure Logon Banners

Cisco router login banners: In global configuration mode, issue the command “banner motd #” and press the Enter key. Type your banner text, followed by another “#” (the delimiter can be any character that does not appear in the text), and press Enter again. The MOTD banner is displayed on every connection before the username or password prompt; IOS also offers “banner login”, which appears after the MOTD banner and before the login prompt, if you want a separate legal notice. Learn more about configuring Cisco router logon banners in our two-day Cisco router hands-on workshop, available in both public and onsite workshops.

On a Linux system, the console banner is in /etc/issue. Use vi or any text editor to put in it whatever text you want displayed before a user logs on. Remote sessions need their own settings: /etc/issue.net is the version shown by telnet, and OpenSSH displays a banner only if sshd_config contains a line such as “Banner /etc/issue.net”. Note that /etc/motd is displayed after a successful login, so it is not a substitute for a pre-logon warning. Learn more about configuring Linux logon banners in our two-day hands-on Linux workshops, available in both public and onsite workshops.

Windows login banners can be created through a Group Policy Object for either the domain or the local machine. (This tip applies to Windows 2000/XP/2003 machines.) To edit the local policy, open the Group Policy editor by clicking Start, then Run, and typing “gpedit.msc”; a domain GPO with these settings configured will override whatever you set locally. Next, navigate to Computer Configuration>>Windows Settings>>Security Settings>>Local Policies>>Security Options. Configure the actual message text under “Interactive logon: Message text for users attempting to log on” and the banner window title under “Interactive logon: Message title for users attempting to log on” (in Windows 2000, the settings are simply called “Message text for users attempting to log on” and “Message title for users attempting to log on”). Learn more about configuring Windows logon banners in our two-day Windows seminars, available in both public and onsite workshops.

Regardless of the system you administer, common logon banners say things like, “Restricted system. Do not attempt unauthorized logon. Unauthorized logon attempts may be prosecuted.” or words to that effect. Service providers sometimes use the banner to indicate their ownership of the device and to provide contact information for support. Whatever wording you use, have it reviewed by whoever handles legal matters for your organization, and don’t let the banner advertise the device model, software version or internal network details: a warning should not double as reconnaissance for the person it is meant to deter.