Myles Gray's questions

We have a GoDaddy signed SAN cert for our Exchange 2010 server, internally it works fine - issuer is GoDaddy and cert chain checks out.

Externally the same SAN seems to be used (the domains are the same as the GoDaddy SAN and we have no other certificates installed other than the self-generated Microsoft one) however the issuer is our internal cert authority?

All services, SMTP, IIS, IMAP and POP are all assigned to the GoDaddy cert.

I've spent 2 days messing with this now, from deleting intermediates and cert and reinstalling both to checking every detail I can see in Exchange - checked IIS bindings as well for Default Web Site (where /owa lives) and all use the right certificate.

Any advice greatly appreciated, it's doing my head in - feel like nuking it.

Our ESXi hosts have always been slow booting when it came to iscsi_vmk loaded successfully - sitting here for almost 5 minutes.

In all a full server reboot takes almost 12 minutes.

We have 9 iSCSI targets per host (5 SANs with redundant interfaces) configured as dynamic discovery targets.

Has anyone experienced this? Can it be remedied with static discovery mode? Are there any debug steps we can work through to help diagnose this?

(All our targets are accessible at boot so i'm assuming the host isn't stuck retrying to connect to a target)

I am trying to add a mapped drive for a number of CNC machines that all run off Windows XP boxes that are joined to our domain, the computer policies apply fine but as the software for the CNC only runs on the local admin user account I can't get user GPOs to apply.

I have tried everything including Loopback mode in both Merge and Replace modes to see if either would somehow map the drive for the local admin user but no luck.

Is there any way (other than net use in a logon script - don't want to do this as is messy and hard to maintain) to map a network drive using GPO for local users?

(Or even ALL users on that computer OU would be perfect)

We have 2x Fortigate 200B firewalls that we wish to operate in Active/Active HA mode - though, obviously, they cannot do this with PPPoE/DHCP enabled on the externally facing interfaces.

To overcome this we want to use a Cisco 1841 as a PPPoE terminator on its f0/1 interface and present a static IP on its f0/0 interface (we have done similar with Cisco 857 boxes to terminate RJ11 ADSL PPPoE connections and forward present on a FE interface in RJ45 for the 200Bs). This will allow us to set both 200Bs to manual and issue them the public IP address.

The general theory is to:

Unnumber the static route address against the LAN f0/0 side with the PPPoE virtual interface Dialer1.

So, we have this config (which works) on our Cisco 857s:

!Internally facing

interface Ethernet0
 ip address [ip.add.ress.here] 255.255.255.248
 ip virtual-reassembly
 ip tcp adjust-mss 1452
 hold-queue 100 out

!Externally facing ADSL connection

interface ATM0
 no ip address
 atm vc-per-vp 64
 no atm ilmi-keepalive
 dsl operating-mode auto
 pvc 8/35 
  no oam-pvc manage
  pppoe-client dial-pool-number 1

!Virtual PPPoE interface

interface Dialer1
 ip unnumbered Ethernet0
 ip virtual-reassembly
  encapsulation ppp
 ip tcp adjust-mss 1452
 dialer pool 1
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [our username]
 ppp chap password 7 [our password]
 ppp pap sent-username [our username] password 7 [our password]
!
ip route 0.0.0.0 0.0.0.0 Dialer1

On our 1841 we have this:

! Internally Facing

interface FastEthernet0/0
 ip address [ip.add.ress.here] 255.255.255.248
 ip nat inside
 speed 100
 full-duplex

! Externally Facing

interface FastEthernet0/1
 no ip address
 speed 100
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1

! Virtual PPPoE Interface

interface Dialer1
 mtu 1492
 ip unnumbered FastEthernet0/0
 ip nat outside
 ip virtual-reassembly in
 encapsulation ppp
 dialer pool 1
 dialer idle-timeout 0
 dialer-group 1
 ppp authentication chap pap callin
 ppp chap hostname [our username]
 ppp chap password 0 [our password]
 ppp pap sent-username [our username] password 0 [our password]
 no cdp enable
!
no ip classless
ip forward-protocol nd
!
ip route 0.0.0.0 0.0.0.0 Dialer1
!
dialer-list 1 protocol ip permit

But we don't seem to have any luck with this config, can anyone advise?

I work with Fortigate gear a lot and in the CLI it's possible to navigate to a node (say config system global then type in show and it will show me the configuration from that block.

In IOS I can't figure out how to do this, I know I can exit conf term mode and use show run but the configs can be very long.

Is it possible while in say:

router>en
router#conf t
router(config)#interf f0/1

To type a command that will show me only the config section like this:

interface FastEthernet0/1
 no ip address
 speed auto
 full-duplex
 pppoe enable group global
 pppoe-client dial-pool-number 1

Thanks for any advice!

I'm trying to set up a SQL Server 2012 SP1 "AlwaysOn Failover Cluster Instance" on top of a Windows Server 2012 R2 cluster (cl01) consisting of 2x 2012 R2 nodes (sql1 and sql2). Hosted on VMWare ESXi v5.5 with 3x VMXNet3 adapters each (LAN, iSCSI and Private-Heartbeat).

The Windows servers have Failover Clustering enabled, iSCSI LUNs mapped and Quorum assigned, created a MSDTC clustered role and verified the cluster with the wizard (no warnings), all seems good.

I install the primary (sql1) SQL 2012 SP1 node with database engine, reporting services and analysis services - all set up with their own respective network accounts as per best practise.

I then go to add the second Windows server (sql2) "Add node to existing SQL cluster" - and somewhere during the install of this node to the cluster service the primary SQL node (sql1) always BSODs: IRQL_NOT_LESS_OR_EQUAL (tcpip.sys). It then continues to BSOD on every reboot and ends up in a boot-loop.

So I figured it must have been the OS on sql1 so I uninstalled all components on both servers and instead set up sql2 as primary and sql1 as secondary - this time sql2 (now primary) goes down with the exact same BSOD and displays the same behaviour as the last scenario.

• Is SQL clustering broken in 2012 SP1 or Server 2012 R2?
• Does it have anything to do with the machines using VMXNet3 adapters (I have tried E1000E with the same results) - network interruptions causing "purposeful" BSOD as cluster eviction?
• Clearly this is network related (tcpip.sys) event viewer shows nothing untoward however.

I want to use an iSCSI targeting framework that supports SCSI-3 and VAAI for use as an iSCSI SAN cluster across 2 servers.

As far as i'm aware I can use either Lio (http://linux-iscsi.org/wiki/Main_Page) or QuadStor (http://www.quadstor.com/). Quadstor isn't as mature as LIO hence my bias towards it.

I have 2 servers built on openSUSE 12.3 (of course this can be changed) for the moment and am having a hell of a problem finding out how to use LIO.

LIO was integrated into the Linux Kernel at v2.6.38 in January 2011 and is now used as the default SCSI framework in Linux. That's all fine, but how the hell do I use it?

According to their docs all I have to do is install targetcli from their repo for openSUSE: http://linux-iscsi.org/wiki/Target

Did that, nada.

What's the best OS or best way to get about using LIO that supports VAAI preferably through kernel integration?

We have 2x APC symmetra LX 16kVA units running at the moment and have read (in Eaton's documentation) that their UPSs can have a common synchronised output (based on input phase or set phase with a master/slave clock type arrangement) - http://pqlit.eaton.com/ll_download_bylitcode.asp?doc_id=10925

We would like to connect our two UPS units together as at the moment one is a "cold" manual switch standby unit.

Do APC offer a synchronised phase output for N+1 redundancy between chassis and if so are there any special units required to join the outputs or can a standard tie-cabinet be used?

APC's docs aren't so clear on connecting modular (symmetra) UPSes to a common output. http://www.apcmedia.com/salestools/LARD-8YPBGX/LARD-8YPBGX_R0_EN.pdf

We recently built a replicating SAN array from 2x Dell R720XD's, we are using LSI 9270-8i MegaRAID cards with CacheCade 2.0, BBU and Write Back cache enabled.

Our cards are showing HUGE chip temperatures (97*C+ with NO disk activity!).

Our R720's are in auto temp management mode so the max exhaust temp is 50*C.

The MegaRAID cards are passively cooled and depend on good airflow to cool them - however is 97*C normal? - I have seen reference to 60*C max ambients but nothing for chip temp.

I have set up DNS scavenging on our Windows Server 08 R2 boxes as we had records in there that were duplicated and some dating back to 2004!

I set the no-refresh and refresh-after intervals both to 3 days, zone scavenging is enabled on each zone and at a server level the Ageing settings are enabled for scavenging too.

However, when we run the scavenge nothing happens (even after a few days) so we checked the settings again and found a box that said "this zone can be scavenged after" and the date was 11/01/2014...

Is there a way to change this value so it is for example, today - waiting until 2014 for a simple DNS scavenge is a bit much...

Cheers, Myles

P.S: I followed the "holy grail" guide to Windows DNS Scavenging for all the processes: http://blogs.technet.com/b/networking/archive/2008/03/19/don-t-be-afraid-of-dns-scavenging-just-be-patient.aspx

We have 3x ESX hosts and 2x SANS that we wish to move to a redundant 10G networking infrastructure.

We have 4x Dell PowerConnect 8024F's to provide our backbone and are configured as so (only core switches relevant to this question):

So the questions are:

1) Do the interconnects between the 4x 8024F's need to be LAG'd or just STP'd

2) As the NICs on the servers are split across 2 switches, does any special configuration need to be done here or on the switches?

3) If a link or switch fails will the switches automatically find a new path to the Server/SAN?

We are constructing a new networking infrastructure to replace out 1GbE backbone and have decided upon using 4x Dell PowerConnect 8024F's as our "core" switches.

As per the diagram below we have 2x 8024's upstairs and 2x downstairs providing links over MMF fiber for redundancy. Data being transferred is a mixture (70/30) of iSCSI/LAN on separate VLANs.

How can we best configure these switches to allow for redundancy and throughput, 2x stacks of 2 8024's or 1x stack of 4 switches and where should LAG be employed?

Does anyone know what the Screw size is (Thread and length) that Dell use on their PowerConnect Switches, to connect the ears to the switch?

In particular the 6224 and 8224?

We are looking to implement 10Gig ethernet for our ESX hosts and SANs. There are a number of solutions we have been looking at and it has really boiled down to what will give us the best bandwidth.

One solution was to run Intel X540-T2 cards with CAT6a to a Netgear XS712T switch.

The more I read into it the more favourable SFP+ becomes however, And with good availability of second hand switches like the Dell PowerConnect 8024F at a reasonable price point (<£2K GBP) that support stacking and low price difference in 10GBASE-T and 10GBASE-DA NICs it seems to make sense.

Does anyone have any direct experience with SFP+ and CAT6a/CAT7 cabling in a VMWare ESX environment and can offer advice?

I have a Fortigate 100D with 2x BT Business Infinity Fibre connections acting as WAN1 & WAN2.

The BT lines come with 5 static public IPs each and I have my DNS hosted through CloudFlare pointing at a static IP on one of WAN connections.

(Say you do a nslookup on mylesgray.com you will see 217.45.201.1 as the public IP).

We want redundancy for our A Records (for hosted websites, VPNs, ssh etc) but obviously the 2x BT lines have 2x different sets of public IPs, so if WAN1 goes down, we are dead in the water - no failover as the address is static.

I had looked up external DNS failover but that seems messy and very wrong to me (round robin annoys me). Then anycast came up as an option, however, Anycast seems to require and entire /24 block or in some ISP's casts even /22. We are running an enterprise level router so using BGP etc is not a problem.

Can anyone shed any light on how to achieve failover for DNS A-Records short of buying a /22 block of IPs or using Round Robin DNS?

I am having trouble with aptitude update and apt-get update not downloading a certain list file (specifically http://gb.archive.ubuntu.com precise/universe Sources [5,019 kB]).

I can download it through my browser from here: http://gb.archive.ubuntu.com/ubuntu/dists/precise/universe/source/Sources.bz2

Plan was to download through my local machine, FTP it to the server where aptitude and apt-get look for it and have it just Hit the file locally rather than re-download.

So I am looking for where apt downloads the source lists to, the package cache is of course /var/cache/apt but the package lists aren't there?

I have a server set up on CentOS and I need to change the API from CGI to FCGI (Someone else set this up initially) for x-cache to work (we need this as we have a TV appearance on monday and are expecting high-load).

The server is a dedicated Dell R210 with Intel Xeon L3426 (8M Cache 1.86GHz) and 2GB RAM - but it craps out with 244 concurrent clients (through loadimpact.com).

The plan is to install nginx as a reverse proxy for apache and config apache to listen on port 81 localhost and have nginx forward requests to apache.

At the moment what is killing our processor is php rendering as we are running Joomla 1.5 and as such I want to run x-cache as an op-code cacher to RAM. But x-cache doesn't work with CGI - only FCGI and so ends my explanation as why this needs to be done.

Is this a safe change for a Joomla site?

How can this be done through CLI - we have cpanel but I hate it.

My MD had a clear out of her mailbox (anything from september 2011 back to 2005 was deleted!) she is now majorly regretting this as there was contracts etc etc in there.

Now I have looked in OWA but the deleted items are all gone, what gives me a glimmer of home is that in exchange I am still seeing 40K items under her AD account not 2.5K.

Is there any way to get these messages back through Exchange as it is still showing all messages as stored?

I have a Fortigate 80C that allows remote administration via https.

I access the URL and all fine but the one thing that really bugs me is that is brings up "untrusted connection" in chrome with the whole "click to proceed" thing.

At the moment the cert is self-signed by the Fortigate unit.

On the unit there are 5 CA signed certs for use but I cannot figure out how to assign these certs to the routers interfaces.

Does anyone know how to assign the CA signed certs to the WAN interface on port 443 so it wont ask me to confirm the cert all the time?

(I know the traffic is still encrypted but it is still nice to have)

I have a Windows Server 2008 R2 install running SQL Server 2008 R2 with all the latest updates etc applied,

I have restored a database from an old image (SQL 2005) and am trying to get web-sync working with merge subscriptions.

However when I attempt to start the SQL Snapshot Agent on the distribution I have defined I get this error:

Unable to start execution of step 2 (reason: Error authenticating proxy SERVER-NAME\Administrator, system error: Logon failure: unknown user name or bad password.). The step failed.

I am starting the agent as the computer admin and am not using a proxy server.

Any ideas on why this might show up?

See below:

The params used by the SQL Snapshot agent are:

-Publication

-Publisher

-Distributor

-PublisherDB

-ReplicationType

If you are using SQL Server Authentication (I am), you must also specify the following arguments:

-DistributorLogin

-DistributorPassword

-DistributorSecurityMode = 0

-PublisherLogin

-PublisherPassword

-PublisherSecurityMode = 0