Showing posts with label networking. Show all posts

Friday, June 06, 2008

Amazon is Down! - No redundancy while the shopping giant suffers a major outage

That's right kiddies!

Ask The Admin brought it to you first. Don't go knocking on Amazon's door today. Nobody will answer.

Could it be that the Shopping GIANT of the net doesn't even have server redundancy worked out right for itself?

Anybody out there know anything about this? Doesn't Amazon offer hosting services as well?
Hit us in the comments people. Any speculations? DOS Attack?
You tell us...

Hit the comments, aaaaaaand begin!

(Edit: they are back up at 3:05pm... Maybe all the Admins were out to lunch? Almost an hour down has to cost some serious moolah!)

(Double Edit: 3:14 back down again...)

3:32 When you can get to the site
we have a pretty little note posted...

And now rumors are flying that it is PS3 related here and here... Anyone?

C64 (the one you used to play Bruce Lee on)

Monday, June 02, 2008

How can you monitor the overall status and health of your network?

So you've just finished rolling out 500 new desktops using disk imaging, and you're keeping them updated using WSUS. How are you going to monitor the overall status and health of your network?


There is a wealth of excellent network monitoring software available, both commercial and open source. One problem with many of them is that they are really geared towards the very large network. Monitoring 1000 servers, 300 switches, 100 routers and 15 firewalls on 3 continents is very different from monitoring 10 servers, 2 switches, 1 router and 1 firewall in a single office. Commercial monitoring software is probably going to be prohibitively expensive for a small network.

JFFNMS (Just For Fun Network Management System) is an excellent open source network monitoring package you can run on any spare Windows or Linux server. Don't let the name fool you, it is a full-featured piece of software which includes autodiscovery, fully configurable alerts, performance graphing, reporting and network mapping.

Installation and configuration is pretty typical for an open source project (meaning a bit more complex than a typical Windows installer package) but I'm sure any experienced administrator can handle it. You will also need to install and configure SNMP on any machine you want to monitor. (Full disclosure and shameless plug: I wrote the new version of the Windows installation instructions.)

After installation, the rest of the configuration is done from a remote browser interface. You add your individual machines and interfaces to the monitoring system and set what parameter changes you want to be notified about. You can monitor pretty much any part of the system that can be queried by SNMP, such as free disk space, network utilization, processor usage, reachability, or if a specific application is running. You can then be alerted when a specific threshold is met or event occurs. You can create pretty graphs to better show trends and create reports of system uptime and availability.

Even in a small network a good NMS allows the administrator to keep on top of the network and be alerted to any potential problems before they result in downtime. It's much better to receive an email telling you the mail server is running out of disk space than to start getting angry calls from users complaining the mail server is down.
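The threshold alerting described above (poll a value, compare it to a limit, get told when it crosses) is the part of an NMS that is easy to get wrong: a disk that stays full should not page you on every poll, and a value hovering at the limit should not flap. The following is an added illustration of that logic, not JFFNMS code; the readings are constructed, and in practice they would come from an SNMP poll or a reachability probe.

```python
"""Threshold alerting with state and hysteresis.

Added example, not JFFNMS code. Readings below are constructed; a real monitor
would fill them from SNMP (disk and CPU counters) or ping results.
"""
from dataclasses import dataclass, field


@dataclass
class Threshold:
    metric: str
    limit: float
    alert_when_below: bool   # free disk alerts when it drops below; CPU alerts when it climbs above
    clear_margin: float = 0  # hysteresis: require this much recovery before clearing


@dataclass
class Monitor:
    thresholds: dict                                  # metric name -> Threshold
    in_alert: dict = field(default_factory=dict)      # (host, metric) -> currently alerting?

    def evaluate(self, host, metric, value):
        """Return 'ALERT' on the poll that crosses the limit, 'CLEAR' on the poll
        that recovers past the margin, and None on every other poll."""
        t = self.thresholds.get(metric)
        if t is None:
            return None
        key = (host, metric)
        active = self.in_alert.get(key, False)
        if t.alert_when_below:
            breached = value < t.limit
            recovered = value >= t.limit + t.clear_margin
        else:
            breached = value > t.limit
            recovered = value <= t.limit - t.clear_margin
        if breached and not active:
            self.in_alert[key] = True
            return "ALERT"
        if active and recovered:
            self.in_alert[key] = False
            return "CLEAR"
        return None


def run_polls(monitor, polls):
    """Feed (host, metric, value) readings through the monitor; return only the events."""
    events = []
    for host, metric, value in polls:
        result = monitor.evaluate(host, metric, value)
        if result:
            events.append((host, metric, value, result))
    return events


THRESHOLDS = {
    "disk_free_pct": Threshold("disk_free_pct", limit=15, alert_when_below=True, clear_margin=5),
    "cpu_pct": Threshold("cpu_pct", limit=90, alert_when_below=False, clear_margin=10),
}

# Constructed readings: the mail server fills up, then someone clears old logs.
SAMPLE_POLLS = [
    ("mail01", "disk_free_pct", 25),
    ("mail01", "disk_free_pct", 12),   # drops below 15 -> ALERT
    ("mail01", "disk_free_pct", 9),    # still low, but no repeat alert
    ("mail01", "disk_free_pct", 17),   # back above 15 but inside the 5-point margin: not cleared yet
    ("mail01", "disk_free_pct", 40),   # CLEAR
    ("web01", "cpu_pct", 95),          # above 90 -> ALERT
    ("web01", "cpu_pct", 85),          # must fall to 80 or below before clearing
    ("web01", "cpu_pct", 70),          # CLEAR
]

if __name__ == "__main__":
    for host, metric, value, event in run_polls(Monitor(THRESHOLDS), SAMPLE_POLLS):
        print(f"{event:5} {host} {metric}={value}")
```

The clear margin is the detail worth copying into whatever tool you end up using: without it, a disk sitting at 14.9% free produces an alert and a clear on alternating polls, and the on-call inbox becomes noise.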

Try a working demo.

Download JFFNMS.

Saturday, March 15, 2008

PC power users switching to Mac? Mac's got a toolbox that's right up your alley!

Good weekend kiddies,

Commodore64 back again to shed some light for any newly ordained Mac users that are carrying over from the M$ world. Since Mac is gaining a kind of stranglehold on the industry, I'm pretty sure there are a lot of guys like myself who have a PC for certain purposes and a Mac for others. In my case, it's a Powerbook. But not just any Powerbook, this is one of the last Powerbooks made with a PowerPC processor, right before Jobs and Co. made the switch to Intel processors. In retrospect, it was one of my better purchases in life. Worth every penny, and keeps on tickin. Unfortunately, a lot of you didn't stay on the PowerPC bandwagon, and jumped over (maybe not even by choice) to the new Intel Macs. From what I've seen and heard, they are quite the problematic little buggers. But my PowerPC Powerbook has been rock solid since day 1 (gleam.)

Shortly after buying this Powerbook over 2 years ago, I was rummaging around the hard drive for whatever pre-installed goodness I could find and came across a folder that looks like the image above. This collection of proggies is sure to make any former M$ user feel right at home.

Here is a rundown I've found courtesy of http://www.freemacblog.com/exploring-the-utilities-folder-on-your-mac/

Activity Monitor - Activity Monitor lets you know what is going on with your computer. It can let you know where your memory and CPU are being used most.
Airport Admin Utility - The application will let you configure your Apple Airport products.
Airport Setup Assistant - This app is used when you first set up your Airport product. It’s an easy wizard for setup.
Audio MIDI Setup - You can use Audio MIDI Setup to configure the audio input and output devices you use with your computer, such as microphones and audio playback equipment. If you need this app, you probably already know how to use it.
Bluetooth File Exchange - If you have a cell phone or PDA with Bluetooth, this application makes it very easy to send files back and forth. This is a great way to take your photos off of your phone, or to add ringtones to your phone.
Colorsync Utility - This app gives you access to Apple’s Colorsync specs. In this app you can set different profiles. There is also a nifty calculator that can convert between RGB and CMYK. This is another of those apps that isn’t useful to most people.
Console - Console gives you a “behind the scenes” look at your Mac. While you see all the pretty pictures and graphics of Mac OS X, there is a ton happening in the background. Console lets you watch that. It’s especially helpful to see error or status messages.
Digitalcolor Meter - If you are preparing your work for professional printing and you have an Apple monitor, you can use DigitalColor Meter to match the color on your screen against several industry standards.
Directory Access - Directory Access lists the different kinds of services that Mac OS X can access. The list includes directory services, which give Mac OS X access to user information and other administrative data stored in directory domains. The list also includes kinds of network services that Mac OS X can discover on the network. You can enable or disable access to each kind of service. If you disable a kind of service in Directory Access, Mac OS X no longer accesses services of the disabled kind. The different services can be found here.
Disk Utility - There is all kinds of power in the Disk Utility. Here you can reformat a disk, check and fix permissions, and so many other things.
Grab - Grab will let you “grab” screenshots of your Mac. Of course, you can already do this with key combinations, but Grab does have one nice feature. You can do a timed grab. Start the timer and ten seconds later the Mac will grab a screenshot.
Grapher - Grapher lets you create 2D and 3D graphs from equations. OS 9 came with a graphing calculator. OS X versions before Tiger had no graphing options. But, with Mac OS X Tiger, we now have Grapher.
Installer - You’ve probably used Installer a hundred times and didn’t know it. Whenever you download a new application that comes in a package or a metapackage, Installer makes it possible to install that application.
Keychain Access - Keychain Access gives you access to the keychain. Duh. Anytime you save a password to a site or a server or anything on the Mac, it is stored in the keychain. If you forget one of those passwords and it isn’t filling in automatically, you can access keychain with this application and find your password.
Migration Assistant - This is simply one of the most amazing applications. If you’ve ever purchased a new Mac and migrated from your old one, this is the app you used. You can also use it to get a use from a different machine.
Netinfo Manager - Netinfo is the built-in Mac OS X directory system. It stores information about users and resources and makes it available to Mac OS X processes that want to use it. This application helps you manage it.
Network Utility - Since I run a fairly large network of Macs this app is great. It makes it easy to ping machines, look up name servers and DNS, do traceroutes, port scans, etc. It also is a quick way to find info on your network interfaces (e.g., ethernet, airport, etc).
ODBC Administrator - This will give you access to database management systems using Open Database Connectivity standards.
Printer Setup Utility - When you get that new printer and hook it to your Mac, this app comes to the rescue. It will lead you along to get the printer working.
System Profiler - If you need information about your Mac, here is the place to come. It will tell you about your RAM and your drives and your processors and anything else you’d need.
Terminal - This is the gateway to the true power of Mac OS X. It is a terminal emulator that will let you use the Unix base of Mac OS X.
VoiceOver Utility - VoiceOver is a Mac OS X feature that lets you interact with your Mac via voice. It will read the text of websites, email, and documents. It also allows you to control your Mac using audible commands. VoiceOver Utility lets you determine how VoiceOver will behave.

Well, kiddies, I hope this helps you settle into your new Mac a little easier. Some of these utilities are clutch and definitely make me feel more in control of my Mac.

Til next time,
Commodore64 (The one you used to play Bruce Lee on)

Tuesday, February 19, 2008

What are some good network monitoring tools?


I would like to monitor event logs on multiple windows machines - maybe ping them every so often?

I used to use something called Emon but it seems pretty outdated. I looked at bigBrother but it seems too expensive.

Do you have a solution?

Have you heard of VMWare??

If you are game then keep on reading... It used to be restricted to Linux boxes but now you can get your virtualization on, Windows style, as well.

I have played with a few of these in the past, but if you're managing a decent sized infrastructure you might want to try them. These are VMWare virtual appliances. I will write something on them at a later date, but basically they work with VMWare's free software (they have a player and a server product, both free).

You download these packaged virtual appliances, boot them up and they just go! Of course you want to follow the directions provided...

But let's be honest, most IT people are guys, and what self respecting guy really reads directions anyway?!?

Here are a couple of the network monitoring appliances that I have tried at some point. They all have their strong points and weak points. They all take some time and effort to get your network configured in it. But the rewards are pretty nice!

Without further ado, here are some linky links:


Feel free to dig into these. Download them and the VMWare player and give them a go. Don't be shy...one of the glorious things about the VMWare appliances is that you cannot mess up your PC/Laptop by using them as it is segregated from the OS and the hardware, but again...more on that at a later date.

Do you use VMWare? Or how about Microsoft's Virtual PC 2007? Let's hear it in the comments guys! Sound off.

Wednesday, February 13, 2008

Can I Replace Telnet With Open SSH on Windows?

For those of you out there still living in the dark ages, still using Telnet on Windows because you haven't found a more viable alternative (you know who you are), we have some good news for you!

Maybe you haven't decided to switch to a more secure solution because you use Windows Servers and Windows hasn't adopted using SSH.

Maybe you think SSH is only for Unix/Linux.

Well, your excuses are no longer good here sonny boy. If you haven't heard there is an OpenSSH port for Windows. Now you can still use the terminal remote access method, but you won't be sending your login credentials and important information across the wire in plain text.

OpenSSH provides full support for SSH/SCP/SFTP. So what are you waiting for? Download OpenSSH and secure your servers.

As we always say at Asktheadmin.com: the safer the better! If we don't have to send our credentials as plain text, we are all for it. After all, we do know how to use a SNIFFER!

From Their Website:

OpenSSH for Windows

OpenSSH for Windows is a free package that installs a minimal OpenSSH server and client utilities in the Cygwin package without needing the full Cygwin installation. This is similar to the package formerly available from NetworkSimplicity.

The OpenSSH for Windows package provides full SSH/SCP/SFTP support. SSH terminal support provides a familiar Windows Command prompt, while retaining Unix/Cygwin-style paths for SCP and SFTP.

Catch the download page here. [Via SourceForge]

_TheSecureAdmiN_

Wednesday, January 09, 2008

IP Subnet Mask Quick Cheat Sheet

So I get asked on a regular basis how many addresses I can get from a /24 subnet, or what 255.255.255.0 means.

Let me break it down for you real quick like:

When you use 255.255.255.0 as your subnet mask you are limiting yourself to a network where all the IPs share the same first three numbers and only the last number changes, like 192.168.1.0 where the 0 changes. Using 255.255.0.0 would let the last two numbers change, like 192.168.0.0. Are you with me? It gets a little more complex with other subnet masks, but here is a quick breakdown for you:

Check out this IP Subnet Tool Calculator - MINT! http://www.syrex.co.za/ipcalc/
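If you would rather generate the cheat sheet yourself than trust a web calculator, the standard library already knows the subnet math. The script below is an added example for this post (not the post's own code, and not the linked calculator): it converts between a /prefix and a dotted mask, summarises the network a host sits in, and prints the /8 to /30 table, so it covers every prefix length rather than just the /24 and /16 cases discussed above.

```python
"""Subnet mask cheat sheet built on the standard-library ipaddress module.

Added example for the "IP Subnet Mask Quick Cheat Sheet" post; not code from the
post or the calculator it links to. Nothing is hard-coded, so it works for any
prefix length, and it rejects masks that are not contiguous.
"""
import ipaddress


def mask_to_prefix(mask: str) -> int:
    """255.255.255.0 -> 24. A non-contiguous mask such as 255.0.255.0 raises ValueError.
    Note that ipaddress also accepts a hostmask (0.0.0.255) and treats it as /24."""
    return ipaddress.IPv4Network(f"0.0.0.0/{mask}").prefixlen


def prefix_to_mask(prefix: int) -> str:
    """24 -> '255.255.255.0'."""
    return str(ipaddress.IPv4Network(f"0.0.0.0/{prefix}").netmask)


def describe(cidr: str) -> dict:
    """Summarise the network containing a host, given as '192.168.1.37/24' or
    '192.168.1.37/255.255.255.0'. strict=False lets a host address through;
    ipaddress zeroes the host bits to find the network."""
    net = ipaddress.IPv4Network(cidr, strict=False)
    total = net.num_addresses
    # A /31 (RFC 3021) or /32 has no separate network and broadcast address;
    # anything wider loses those two, which is the "minus 2" admins remember.
    usable = total if net.prefixlen >= 31 else total - 2
    first = net.network_address + 1 if net.prefixlen <= 30 else net.network_address
    last = net.broadcast_address - 1 if net.prefixlen <= 30 else net.broadcast_address
    return {
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "mask": str(net.netmask),
        "prefix": net.prefixlen,
        "total_addresses": total,
        "usable_hosts": usable,
        "first_host": str(first),
        "last_host": str(last),
    }


def cheat_sheet(first: int = 8, last: int = 30) -> list:
    """Rows of (prefix, mask, total addresses, usable hosts) for /first .. /last."""
    rows = []
    for prefix in range(first, last + 1):
        info = describe(f"0.0.0.0/{prefix}")
        rows.append((prefix, info["mask"], info["total_addresses"], info["usable_hosts"]))
    return rows


if __name__ == "__main__":
    print(f"{'Prefix':>6}  {'Mask':<15}  {'Addresses':>10}  {'Usable':>10}")
    for prefix, mask, total, usable in cheat_sheet():
        print(f"/{prefix:<5}  {mask:<15}  {total:>10}  {usable:>10}")
    for example in ("192.168.1.37/24", "192.168.1.37/255.255.0.0"):
        print(example, "->", describe(example))
```

Run it with no arguments to print the table; call describe() with the address and mask a user reads off their machine to see which network they are really in and where the broadcast address falls.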

Monday, December 31, 2007

I need to open a port on my router or firewall. How do i do that? What is that? Should I Be Scared??

New Years is almost upon us and the Admin needs some rest - maybe a day off? Yeah right we have even more emails today! This has been a big year for the AtA gang - stay tuned for more of our geeky flavored content in 2008.

Our reader Diego has an application on his computer that he needs to get access to while he is away. Diego is trying to get VNC going on his iPhone. This tutorial is for you no matter what router you are on, but it uses the WRT54G as an example. You should be able to use the knowledge to work with most modern routers. To begin there are a few things you need to do. First, as a prerequisite, you need to know the difference between external and internal IP addresses.

Now you see that you can't get to your internal addresses, also referred to as your NAT IP, from outside without some work. You are in a protected kingdom. (Pardon the corny references but they work well!) The inside of your network is like the inside of your virtual castle. The only way in is by opening a port, sort of like building a virtual drawbridge. To open this drawbridge to your computer over the internet you need your computer to have a static IP address.

Now we need to see if you are using a static IP or a dynamic IP. Do you know how to tell? In Windows this is done by:

  1. Right click on the My Network icon
  2. Choose Properties
  3. Right click on the icon that represents your connection
  4. Choose Properties
  5. Scroll down to Internet Protocol and click Properties
  6. If "Obtain an IP address automatically" is selected, we want to select "Use the following IP address" instead. BUT don't fill in anything or click OK yet! We will get right back to this as soon as we have the address to fill in.
  7. Now we want to go to DOS and find your current IP address. Go to Start
  8. Run
  9. Type in CMD and hit Enter
  10. Now type ipconfig /all
  11. Write down your IP address, subnet mask, default gateway and DNS servers. We will now fill this address information into the boxes we left blank a moment ago.
  12. Now you have a static IP address and are half way there! Now go to this link here:


Plug in your static IP we set above and follow the rest of the instructions and you will be remote controlling your PC from your Shiny iPhone in no time! Let us know how it works out for you!
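Steps 10 and 11 above boil down to reading four values out of ipconfig /all, and the "Dhcp Enabled" line on the same screen answers the "static or dynamic?" question from earlier. The parser below is an added example for this post (not the post's own code): the sample output is constructed in the Windows XP format with made-up addresses, and the function names and the assumption that the adapter is called "Local Area Connection" are mine. Run ipconfig /all > ipconfig.txt on the real machine and pass that file as the first argument.

```python
"""Pull the values step 11 asks for (IP, mask, gateway, DNS) out of `ipconfig /all`.

Added example for the port-forwarding post; not code from the post. The sample
output below is constructed in the Windows XP layout with documentation-range
addresses. Vista and later print "IPv4 Address" and "DHCP Enabled" instead of
"IP Address" and "Dhcp Enabled"; both spellings are handled.
"""
import re
import sys

# Section header such as "Ethernet adapter Local Area Connection:"
ADAPTER_RE = re.compile(r"^\S.*?adapter (?P<name>.+):$")
# Setting line: exactly three spaces, a label, dot leaders, a colon, the value
KEY_RE = re.compile(r"^ {3}(?P<key>[A-Za-z][^:]*?)[ .]*: ?(?P<val>.*)$")
# Extra values (a second DNS server) are printed deeply indented with no label
CONT_RE = re.compile(r"^ {4,}(?P<val>\S.*)$")

SAMPLE_IPCONFIG = """\
Windows IP Configuration

   Host Name . . . . . . . . . . . . : DIEGO-PC
   Primary Dns Suffix  . . . . . . . :
   Node Type . . . . . . . . . . . . : Hybrid
   IP Routing Enabled. . . . . . . . : No

Ethernet adapter Local Area Connection:

   Connection-specific DNS Suffix  . :
   Description . . . . . . . . . . . : Example Gigabit Network Connection
   Physical Address. . . . . . . . . : 00-00-5E-00-53-01
   Dhcp Enabled. . . . . . . . . . . : Yes
   Autoconfiguration Enabled . . . . : Yes
   IP Address. . . . . . . . . . . . : 192.168.1.104
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   Default Gateway . . . . . . . . . : 192.168.1.1
   DHCP Server . . . . . . . . . . . : 192.168.1.1
   DNS Servers . . . . . . . . . . . : 192.168.1.1
                                       198.51.100.53
   Lease Obtained. . . . . . . . . . : Monday, December 31, 2007 9:12:03 AM
   Lease Expires . . . . . . . . . . : Tuesday, January 01, 2008 9:12:03 AM
"""


def parse_ipconfig(text: str) -> dict:
    """Return {section name: {label (lower-cased): [values]}} for the whole output."""
    sections, current, last_key = {}, None, None
    for raw in text.splitlines():
        line = raw.rstrip()
        if not line:
            continue
        m = ADAPTER_RE.match(line)
        if m:
            current, last_key = m.group("name"), None
            sections[current] = {}
            continue
        if not line.startswith(" "):            # e.g. "Windows IP Configuration"
            current, last_key = line.rstrip(":"), None
            sections[current] = {}
            continue
        if current is None:
            continue
        m = KEY_RE.match(line)
        if m:
            last_key = m.group("key").strip().lower()
            val = m.group("val").strip()
            sections[current][last_key] = [val] if val else []
            continue
        m = CONT_RE.match(line)
        if m and last_key is not None:
            sections[current][last_key].append(m.group("val").strip())
    return sections


def static_settings(config: dict, adapter: str) -> dict:
    """The four things to write down in step 11, plus whether the address is
    currently handed out by DHCP (the 'obtain automatically' setting in step 6)."""
    a = config[adapter]

    def first(*labels):
        for label in labels:
            if a.get(label):
                # Vista and later print "192.168.1.104(Preferred)"; drop the suffix
                return a[label][0].split("(")[0].strip()
        return None

    return {
        "dhcp": first("dhcp enabled") == "Yes",
        "ip": first("ip address", "ipv4 address"),
        "mask": first("subnet mask"),
        "gateway": first("default gateway"),
        "dns": [v.split("(")[0].strip() for v in a.get("dns servers", [])],
    }


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_IPCONFIG
    config = parse_ipconfig(text)
    for name, settings in config.items():
        if "ip address" in settings or "ipv4 address" in settings:
            print(name, "->", static_settings(config, name))
```

Copy the printed ip, mask, gateway and dns values into the TCP/IP properties box from step 6. If dhcp comes back True, the address you are about to make static is one the router handed out, so it may hand the same one to another machine later; pick an address outside the router's DHCP range if its admin page lets you see it.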

_TheAdmiN_

Wednesday, November 07, 2007

Does Vista still share C$ by default? Nope and here is the Registry quick fix.

Davey writes to us that he needs to get access to his home Vista machine over the wireless network and it would make his life easy if he can do it - like he does it in XP or 2000.

Dave connects using a browser or command line to file://machine/drive$. As we have covered before the $ makes the share hidden. (oh!) So that's why it doesn't show up if you just type file://machinename/ at the command prompt.

So we did some digging for you Davey boy and you can definitely do it. It's a registry tweak, and just don't forget that messing with the registry is dangerous: make a full backup first, and don't blame us if you don't!!

Ever since Windows 2000, Windows has always created a few shares for administrative purposes. The most often used being \\machinename\c$, because it's an easy way to get access to an entire drive, if you have permissions to be there.

As a default, only Administrators have access to it - the fact that there's a trailing $ means that it won't show up in the Network browser. Hidden access. Sweet!

Vista has it built in as well, but for some reason my domain machines allowed access to this share -while my home /workgroup machine didn't.

I would get the log in prompt.

I'd log in.

It'd come back screaming "invalid account" and I'd look at the screen and shrug my shoulders. Some googling on the interwebs gave me a registry tweak to get around it...

Heed our warnings and... open the registry and go to: HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System

Create a new DWORD called LocalAccountTokenFilterPolicy

Set the DWORD value to 1

Some people have said to reboot. It still prompts for a user ID, and you still have to have File Sharing turned on via the Firewall and permissions set for this user for the drive, but that's a given.

Basically, if you make this registry mod and you still can't connect, create a new share and see if you can get to that - my guess is that you'll find that some global network setting was turned off so not only would this fail but all network calls would fail.

And as per usual: this is a change to the registry and that's scary stuff. Use it at your own risk and for your own system. Make backups often in the event that you accidentally twitch and delete the majority of your registry: it won't be my fault. I'll empathize and probably sympathize, but I don't know that I can help you recover.


Are you alright now Dave? - Let us know!

Friday, October 12, 2007

Internet2, the internet for mad scientists has hit 100 gbps. Speeds of 10x that are imminent. Whatcha know about that?

So it turns out there is a second Internet for the real important people behind our technological advancements. And today they have hit record breaking speeds of 100 gbps. Researchers are predicting that it will hit 10x that in the near future. We already knew Asia was light years ahead of us, bandwidth wise, but if we have the technology for it, how can I get connected at 100 gbps??

How does that make you feel? Stop drooling... It wont help you with your Bangbus or "Dental Assistants Gone Wild" torrents, it is actually reserved for people who actually do the stuff you can't comprehend. Nuclear physics, super computing permutations and searching for Santa Claus. (maybe you can comprehend, who are we to judge?)

They need to be able to shoot their data between universities, Evil Fortresses, and research facilities.
How do I apply to have my Porn um social science research projects accessing this line? Does it get to the real net? Or is it just a transport? We need to know! Anyone out there have access to this line? Know more about it? C'mon share it with us - we won't tell anyone :) We Promise. (fingers crossed) Well back to our measly little 10mb fiber optic connection :(

Don't forget to check out our 2GB Memory upgrade giveaway from Crucial! Enter today!


_TheINeeds100GbpsAdmiN_

Tuesday, September 11, 2007

Definition of the Day: NAT and Public vs. Private IP addresses

So a lot of my end users don't know what N.A.T. is. And if you haven't guessed it, it's not what is pictured on the left! Most end users have no idea what the difference is between their external and internal IP addresses, or Public vs. Private. Chances are they will never know unless they try to connect to their desktop remotely, and even then FAT CHANCE. They will come and ask you to set it up for them! Isn't that what an Admin is for? (...Mutters RTFM under breath...)


I get calls rather frequently since we started letting key users use MSTSC to connect to a RDP session. In fancy terms they open a Remote Desktop Connection and work as if they were in front of their machine. Your external IP comes in handy when you are using MSTSC, PCANYWHERE, VNC or other similar products.

I have seen it all from the user going to http://www.whatsmyip.com/ and trying that to a user trying to change their local ip to "Something They Can Remember" LOL! It was set to 1.1.1.2. Do Not Do This. I Repeat DO NOT DO THIS! It's funny as fuck but not functional @ all.

So here I go trying to break it down real simple like:

Your machine has an IP address on it that allows you to connect to your internal network. These addresses usually look something like 192.168.x.x or 10.0.0.x. These addresses cannot be reached from outside your network; they are INTERNAL addresses or PRIVATE addresses. If you want to connect to this INTERNAL address from outside you need a NAT (Network Address Translation) entry, or a 1 to 1 NAT.

You set this up in your firewall, router or default gateway. If you have a cable modem or DSL, chances are you have a single dynamic IP that changes every so often. But if you have a bigger line like a T1 or 10mb you should have been given a net block. Probably 4 public addresses.

If you are not sure contact your ISP.



Here is some more information I have gathered for a more detailed explanation (not real simple like):

IP NUMBERS, NAMES, AND DNS

Our current IP number system is referred to as "IPv4". To give the most simple explanation, IP numbers, like 209.204.13.67 can be described as phone numbers, and "fully qualified names" like ip-067.wmld.com can be described as the name of the device at that number. The DNS service or "Domain Name Server" is a software system of keeping track of what name is equivalent to what number, and vice versa. Much like the phone book.

Let's think about the telephone system. Joe Smith has a telephone number of 323-555-1234, and Mary Jones has a telephone number of 323-555-1987. If Joe needs to call Mary but doesn't know her number, he could dial 411 and ask for the number for Mary Jones. The operator may reply that there is more than one listing for a Mary Jones so he needs to be more specific, and provide an address. He then tells her he needs the number for the Mary Jones at 123 Main St., of which there is only one listing, and he gets the number. Conversely, Mary Jones might be looking at her telephone bill, and see a call to 323-555-1234 and wonder who she was talking to. Mary could look thru her rolodex until she found the number, and she would see that she had called Joe Smith.

The internet uses a very similar system, the combination of IP numbers and "fully qualified domain names", and the DNS server is the "411 service" keeping track of the matching records between the two. When a person using a computer needs to connect in some way to someone else's computer, they need to either know the IP number (like a phone number) of their computer, or they need to know the fully qualified domain name (like a person's name along with their street address) of their computer so the DNS system can look up the IP number of their computer and return it to the requestor (just like the 411 operator does). IP numbers are structured as 4 numbers, from 0 to 255, each separated by a dot. 206.205.204.203 is just as valid a number as 1.2.3.5 or 16.7.200.34.

"Fully Qualified Domain Names" are much like a name along with an address, and can vary widely in their structure, but the most common are in the form "host.domain.extension". "host" being the "name" you or your system administrator has assigned to your computer, like "receptionist", and "domain.extension" is like a virtual "area" in which your computer can be found, like bigcompany.com. A domain name like "bigcompany.com" is very similar to the "areacode-prefix" combination used by phone companies to identify which region of the city your number is in, and which switching center your number is handled out of. "323-465" tells Pacific Bell that a number is in the "North and West of Downtown LA" area (323) , and served from the Hollywood #1 switch center (465) along with many other prefixes. "bigcompany.com" tells the network world that your computer is in the "area code" handled by BigCompany Inc. and "receptionist" tells the network world which computer inside that "area" to look up when looking for (or "resolving") an IP number from a fully qualified name. Therefore, when a computer program looks to the DNS server for the IP number assigned to "receptionist.bigcompany.com", the correct IP number is returned. If the computer program in question were to simply query the DNS for a computer called "receptionist", there might be thousands and thousands out there, and no way to resolve which one is which without the "street address" of the one you're looking for, in this case "bigcompany.com".

The name structure within a company can be varied to show more breakdown or to organize computers into department specific groups, like "receptionist.marketing.bigcompany.com". The setup and system for the prefix to a company's domain name is up to the administrator at the company and/or their internet service provider to decide on and implement.

PUBLIC VS. PRIVATE IP NUMBERS

Private IP numbers are the source of much confusion for many new networking users. Many home "powerusers" with more than one computer, small offices, and just about any user of a broadband IP connection to the internet like DSL or Cable Modem has probably come face to face with this issue. The whole use of IP numbers is generally hidden from your typical Internet user who uses a modem and PPP software to connect to the internet - they are transparently and dynamically assigned an IP number while they are dialed in by their ISP, and don't really have to think about it. That is until the user starts to get curious about running a webserver on a machine in their house, or moving up to faster "always on" connections like ISDN, DSL, Cable Modem, or other methods.

Think about what happens when a small city runs out of phone numbers, but can't split up an area code. Things could get difficult and providing additional phone service as the city expands would be a nightmare. One method of preventing an area from going totally overboard on providing separate phone numbers is to have one or a handful of numbers used in a shared manner amongst many phone users, like any large office would do. A large company with 250 workers in an office building each with a phone at their desk wouldn't want to pay the phone company for 250 discrete and separate lines for each desk, nor would the phone company want to give all those numbers to them if they were trying to conserve numbers. Therefore, offices use internal equipment to "share" a smaller number of lines amongst their users, like maybe 20 or so used in rotary. By doing so, each desk can have an inter-office extension number, which is bridged to an outside phone company line when the user picks one up to dial out and one is free at that moment. In this case, any number of offices in the city might have an "extension 123" within their office, but each "extension 123" in these offices would never conflict with each other because they are "behind" the company's phone equipment which serves up the company's outside lines to those extensions when needed. The internal office extensions can communicate with each other perfectly fine, but must be connected to an outside line to connect to an extension at the company across the street. 213-555-1200 thru 1210 would be BigCompany, Inc.'s "public" phone lines, and extensions 1 thru 250 would be BigCompany, Inc.'s, "private" phone lines.

IP protocol networks use a system very similar to the above to prevent the world from running out of IP addresses. Even though 0-255.0-255.0-255.0-255 is technically 4,228,250,625 numbers, the useable amount of numbers is much lower due to certain types of numbers set aside for special signalling and identification uses and not for typical "device" identification and traffic. Also consider that just about EVERY device that will handle IP traffic must have a unique number, and there are probably just as many routing and switching and serving devices on "the net" as there are actual computers. Add all that up and one can see how the current IP number structure really doesn't go all that far, and there is a need for computers and devices in certain groups to be able to use "private extensions" that work behind a group's "public numbers", just like the large company offices example above.

The organizations that agree on the technical standards behind the IP protocol have issued a standard for "Private IP number blocks", or numbers that can be used within an enterprise as long as the enterprise has the technical capability to separate those private IP numbers from the rest of the Internet at large, and properly gateway the traffic between the internal stations at the enterprise in question and the public Internet. For Example, when a large company with 200 computers in the office needs to implement IP networking and connectivity both between the computers in the office *AND* supply inbound and outbound connectivity to the Internet from within their office network, that company would avail themselves of a block of IP numbers within the "private" numbers set aside for just that purpose. There are most certainly many other computers somewhere in the world using your IP number if your IP number is one of these private numbers, but both yours and the other private IP numbers in the world are safely operated behind other IP routing equipment which handles all the internal network's traffic out to and in from the public Internet, just like all the "extension 105" numbers in offices throughout the world are safely operated behind telephone equipment that bridges those extensions in and outbound thru a given office's public telephone system number.

The private IP addresses that you assign for a private network (inter-office LAN, Internet Service Provider customer bases, campus networks, etc) should fall within the following three blocks of the IP address space:

10.0.0.1 to 10.255.255.255, which provides a single Class A network of addresses, which would use subnet mask 255.0.0.0.(theoretically up to 16,777,215 addresses, good for VERY large enterprises like internet service providers or other global deployment)

172.16.0.1 to 172.31.255.254, which provides 16 contiguous Class B network addresses, which would use subnet mask 255.255.0.0.(theoretically up to 1,048,576 addresses, good for large enterprises like colleges and governmental organizations)

192.168.0.1 to 192.168.255.254, which provides up to 2^16 Class C network addresses, which would use subnet mask 255.255.255.0.(theoretically up to 65,536 addresses, widely used by default in consumer/retail networking equipment)
Explanation of Subnet masks, Network classes, and other technical info is readily available on the internet.

Click here (updated - .pdf file) for an example page showing how the University of Michigan uses private IP numbers in their networking strategy.

Click here to read the Internet standards document RFC 1918, "Address Allocation for Private Internets".
ADDITIONAL READING, FUTURE CHANGES (ADDED 12-08-2005)

From Wikipedia - IPv6. IPv6 is the future improvement and extension of IPv4 (our current IP number system). The change is already happening although slowly. With IP numbers under IPv4 growing ever more scarce, IPv6 is bound to creep into your computing life...

Google Search - Link-Local IP numbers. Ever wonder why your Macintosh seems to have a strange IP number starting with 169.254, and you can't connect to the internet? There really is a good reason. Quoting from Wikipedia: "A second type of private network is the link-local address range codified in RFCs 3330 and 3927. The intention behind these RFCs is to provide an IP address (and by implication, network connectivity) without a DHCP server being available and without having to configure a network address manually. The subnet 169.254/16 has been set aside for this. If a network address cannot be obtained via DHCP, an address from 169.254.1.0 to 169.254.254.0 is assigned randomly. The standard prescribes that address collisions must be handled gracefully. The subnets 169.254.0/24 and 169.254.255/24 have been set aside for future use. As with the private network addresses defined in RFC 1918, packets from this subnet must not be routed to the internet at large."
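As an added example (not part of the original post), here is a small Python checker for the three RFC 1918 blocks and the 169.254/16 link-local range described above: it names the range an address falls in, verifies that an interface's subnet mask keeps it inside its private block, and flags flows that a border gateway should never let through. The sample flows are constructed and the public addresses come from the documentation ranges.

```python
import ipaddress

# The three RFC 1918 blocks listed in the post, in CIDR form.
RFC1918_BLOCKS = {
    "10/8 (Class A)": ipaddress.ip_network("10.0.0.0/8"),
    "172.16/12 (16 Class B networks)": ipaddress.ip_network("172.16.0.0/12"),
    "192.168/16 (Class C networks)": ipaddress.ip_network("192.168.0.0/16"),
}
# The RFC 3927 link-local range, and the two /24s it keeps in reserve.
LINK_LOCAL = ipaddress.ip_network("169.254.0.0/16")
LINK_LOCAL_RESERVED = (ipaddress.ip_network("169.254.0.0/24"),
                       ipaddress.ip_network("169.254.255.0/24"))


def classify(addr):
    """Name the range, as the post describes them, that this IPv4 address falls in."""
    ip = ipaddress.ip_address(addr)
    for name, net in RFC1918_BLOCKS.items():
        if ip in net:
            return "private " + name
    if ip in LINK_LOCAL:
        if any(ip in r for r in LINK_LOCAL_RESERVED):
            return "link-local (reserved /24)"
        return "link-local (self-assigned, no DHCP answer)"
    return "public"


def fits_in_block(addr_with_mask):
    """True if an interface setting such as '172.31.0.1/255.255.0.0' stays
    inside one RFC 1918 block. A mask wider than the block (255.0.0.0 on a
    172.16.x.x address, say) makes the host treat public space as local."""
    iface = ipaddress.ip_interface(addr_with_mask)
    return any(iface.network.subnet_of(net) for net in RFC1918_BLOCKS.values())


def must_not_cross_gateway(src, dst):
    """Packets carrying a private or link-local address on either end belong
    inside the site; the border router should drop and log them."""
    return classify(src) != "public" or classify(dst) != "public"


# Constructed flows as a border router might see them on its outside interface.
SAMPLE_FLOWS = [
    ("192.168.1.10", "203.0.113.9"),    # internal host that escaped NAT
    ("198.51.100.5", "203.0.113.9"),    # ordinary public traffic
    ("169.254.37.2", "203.0.113.9"),    # host that never got a DHCP lease
    ("198.51.100.5", "10.0.0.1"),       # inbound packet aimed at private space
]


def leaked_flows(flows):
    """Return the (src, dst) pairs that should never have reached the outside."""
    return [f for f in flows if must_not_cross_gateway(*f)]


if __name__ == "__main__":
    for flow in SAMPLE_FLOWS:
        print(flow, "DROP" if must_not_cross_gateway(*flow) else "pass")
```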

Hope that cleared it up for ya? If all else fails send us your question and we will get you all fixed up - real quick like. Ya Heard?

_BackToRealityAdmiN_

Tuesday, August 28, 2007

Keeping Your Network Updated With WSUS.


So you've just finished rolling out 500 new desktops using disk imaging. How are you going to keep them updated? As you know, Microsoft releases updates on the second Tuesday of each month. You need a way to approve and install these updates on all your desktops and servers, and you need to do it quickly because the time between release of the update and an exploit being developed is shrinking.

You've got a couple of options:
  1. Allow each user to go to Windows Update and select and install their own updates. That would put an enormous strain on your network as each update is downloaded 500 times and you need to rely on the users actually doing this.

  2. Configure Automatic Updates on each machine. Still strains your network and you don't know what is really being installed.

  3. Do nothing and hope for the best.

A better option is to use the free Windows Server Update Services from Microsoft to install a Windows Update server on your internal network. This allows all your clients and servers to get their updates from the local WSUS server. There are numerous benefits to using WSUS:
  1. It saves bandwidth since each update is only downloaded once from the Internet and then stored locally.

  2. It allows you to investigate and authorize updates before they are installed.

  3. You can group your machines and install different updates to different groups.

  4. You can force the machines to only use your local WSUS server and not allow users to download updates from Windows Update.

  5. You can force updates to be installed within a specific timeframe.

  6. You can use WSUS to update Office, Exchange, SQL, ISA and other Microsoft products.

  7. The whole thing can be controlled using Group Policy.

  8. You can create detailed reports showing which updates are needed by which machines.

  9. The WSUS software is free!

All you need is a moderately powered Windows Server 2003 box to run it on (Remember, most of the month the machine won't be doing anything). Installing and configuring WSUS is not complicated and there are many, many articles available about how to do it.

Once you have your WSUS server set up, you can use Group Policy to force the clients to use it and configure how and when they install updates. All you need to do is analyze and approve the updates when they are released and assign them to the groups you created. WSUS handles notifying the clients and pushing the updates out to them.
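As an added example, not from the post or from Microsoft, here is a Python audit of the client-side registry values that those WSUS Group Policy settings produce, checking the points in the benefits list (local server only, scheduled installs, no direct Windows Update access). The server URL and the two sample policy dumps are constructed placeholders; the registry read uses winreg and only works on a Windows client.

```python
# The two registry keys the WSUS Group Policy settings populate on each client.
WU_KEY = r"SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU_KEY = WU_KEY + r"\AU"

# Placeholder for your own WSUS server; 8531 is the usual WSUS SSL port.
EXPECTED_WSUS = "https://wsus01.example.internal:8531"


def audit_wsus_policy(wu, au, expected_server=EXPECTED_WSUS):
    """Return findings for one client. wu and au are dicts of the value names
    under WU_KEY and AU_KEY (from read_policy_keys or any registry export)."""
    findings = []
    server = wu.get("WUServer")
    if not server or au.get("UseWUServer") != 1:
        findings.append("client is not pointed at the local WSUS server")
    elif server != expected_server:
        findings.append(f"WUServer is {server!r}, expected {expected_server!r}")
    if wu.get("WUStatusServer") != server:
        findings.append("WUStatusServer differs from WUServer: status reports will not arrive")
    if server and not server.lower().startswith("https://"):
        findings.append("WSUS URL is plain http: update metadata is open to tampering in transit")
    if au.get("NoAutoUpdate") == 1:
        findings.append("Automatic Updates is disabled by policy")
    if au.get("AUOptions") != 4:
        findings.append("AUOptions is not 4 (auto download and schedule the install)")
    if wu.get("DisableWindowsUpdateAccess") != 1:
        findings.append("users can still fetch updates from Windows Update directly")
    return findings


def read_policy_keys():
    """On a Windows client, pull both keys from the registry (winreg, assumed)."""
    import winreg

    def dump(path):
        values = {}
        try:
            with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, path) as key:
                index = 0
                while True:  # EnumValue raises OSError once the values run out
                    name, data, _ = winreg.EnumValue(key, index)
                    values[name] = data
                    index += 1
        except OSError:
            pass  # also reached when the key itself is missing: empty dict
        return values

    return dump(WU_KEY), dump(AU_KEY)


# Constructed sample dumps: a client still on defaults and one with the policy applied.
WEAK = ({}, {"AUOptions": 3})
HARDENED = ({"WUServer": EXPECTED_WSUS, "WUStatusServer": EXPECTED_WSUS,
             "DisableWindowsUpdateAccess": 1},
            {"UseWUServer": 1, "AUOptions": 4,
             "ScheduledInstallDay": 0, "ScheduledInstallTime": 3})

if __name__ == "__main__":
    for label, (wu, au) in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit_wsus_policy(wu, au) or ["ok"])
```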

The WSUS team maintains a blog with some good information (although it's not updated that often).

Using WSUS gives you complete control over keeping your network updated. If you run a really large network, you should check out the new System Center Configuration Manager 2007, which is the updated version of SMS. It is a full featured network management system that does update management and much, much more.

Download WSUS 3.0

We also covered 3rd party programs that will keep your small workgroup or individual computers updated via firefox here.

Wednesday, July 25, 2007

40Gbps and 100Gbps ethernet both set to become standards. How long before we have to upgrade??

We have just learned from ITWire that the powers that be will work on 40gbps and 100gbps simultaneously. This is the sentence that jumped out at us:

"It was discovered 100GbE would likely best meet the demands of the next generation Internet backbone and network aggregation points. In enterprise computing, 40GbE better matches the bandwidth demand driven by server technologies such as host bus interfaces, memory speeds, and multi-core processing."


100gbps on the backbone and 40gbps to the desktop... Sweet! We don't know yet whether it will require new hardware or new wiring, or whether it will work over the existing infrastructure. We upgraded all of our Cat-5 to Cat 6E last year when we finished upgrading all of our 10/100 nodes to pure 1000. How long before we are running through this again??

Anyone have any other information on this please post it in the comments!

Tuesday, July 24, 2007

How can i come up with passwords that are complex and easy to remember? My short term memory is shot Help!

Unique and complex passwords are great and easy to come up with but remembering them - Now that's a totally different story! Have you ever considered using password phrases instead? Full sentences are easier to remember than obscure characters and have many benefits. Keep on reading grasshopper...


Did you know that Windows allows you to use passwords with up to 127 characters?

How does that help you Young Admin with a bad memory?

It's quite simple actually. I don't use passwords anymore. I will wait for the gasps to stop.

Yes, I have phased passwords out in favor of password phrases.

Why would you want to remember a password like BeDffd123cSwsspO0s129 when you could just remember a sentence like "suck giant monkey balls","Piss Off Wanker!" or "How much does this job suck!" (Well maybe not that last one if you need to document it!)

You can use uppercase, lowercase, special characters, or even spaces… but you are using them in context, which makes it much more natural to remember.

Post-it notes on your monitor are not secure and very 1999. Sorry Buddy.

It turns out that it is very difficult for a computer to break a password string containing more than 20 characters. It certainly couldn't be done on the fly. Most Windows passwords can be cracked in no more than a few minutes and in most cases seconds.

If a skilled hacker can get physical access to your machine, they can boot to Knoppix or Ubuntu, and have your password in seconds. Even with multiple machines running brute force cracking programs, there is no possible way that someone could crack a password that long in a reasonable amount of time. Even if somebody had the super computing power to do so hopefully you change your password every few months or so.

It may be difficult to use password phrases on other operating systems, or especially on websites, because they don't properly handle spaces in the password, or have a small password length limit. One of the tricks that I usually do is use a password phrase without the spaces, if I possibly can.

Ok I'll wait while you go change your password ;)

_TheSecureAdmiN_

Tuesday, July 10, 2007

Question Of The Morning - How do you deal with cable management? Send us your pics!


Is that what your server room looks like? Or do you have some magic cable management skills you want to share with our readers? Send us shots of your server room or server closet or the half closet half server room half place where you take naps on these 100 degree days?

Dont be shy comment away... Post pics or send them to us via email info at mistercomputerhead dot com.

Karl Gechlik
_TheAdmiN_

Edit Here's one of TheAdmiN's server rooms:


Monday, June 25, 2007

Do you use SysInternals tools? Did you know they were acquired by Microsoft?

Check it out - SysInternals was acquired by Microsoft and they have been slowly integrating their tools into MS OS's.

You can find all of their tools here.

We use a lot of these on a daily basis like WHOIS and PSTools, PSMon, PageDefrag, SDelete, PSKill, Handle, and PSInfo among others. These programs make the admin's job a lot easier. Do you use any of these? Are there better alternatives?

Post your experiences and favorite networking/security/administration tools in the comments or hit us up at info @ asktheadmin dot com. (Every time I type dot com I have a google commercial going off in my head; they sure did a good job back in 2000! dot coooooooom!)

YourAdmin@TheBeach

Thursday, June 21, 2007

Thursday Morning's Question... This one's a doooosie...

We have all been there. Stuck on a job-impacting issue - the suits have got you up against a wall and you are worried that they will can you if you don't do it right. The pressure's on. This guy wouldn't even let me print his name so we shall call him Anon:

I need to join my Windows 2003 Small Business Server to my existing domain but I can't! I can make a new domain but I can't join this box to mine! There has to be a way! Help me please, we have two smaller companies merging and I want to keep my IT job!

Anon In Vegas

Step up! Help our boy keep his job!

_TheObligedAdmin_

Wednesday, June 20, 2007

What do you guys know about IP over Power Lines?

So we have a question from Angela out in New Jersey and she writes in:

"Hey there Admin,

I would like to find out if I can use these IP over Power adapters? How easy is it and are there any restrictions. Can it be dangerous? To me physically or my equipment?

I live in a 2 family house and have my circuit breaker on my floor. Will the neighbors be able to see my LAN? Are there any safeguards like WEP? How far can this go? I have some outlets on my circuit in the backyard and by the pool as well. Could I have a networked TiVo out there using this?

Needs Help In New Jersey"


Ethernet over power line
I haven't worked with this technology at all but I have some buddies that are using it - anyone out there have any experiences they would like to share with the rest of the group?

Recommendations on brands anyone? Bueller?

Bueller?

Post your replies in the comments!

+TheAdmiN+

Tuesday, June 19, 2007

Question To Let Marinate Overnight (Take Two)

Alrighty then, seeing as our reader El Di Pablo (cool name, I just got that) seems to hit it right on the head almost as quick as I pitched it out... (I suck with the sports metaphors...)

Drum Roll Please...

James Dumont from Arizona writes to us:

"Mr. Admin, my house isn't that big but my WIFI drops out all the time. I have two floors, a patio, and a back yard. I could see if it was only dropping off outside or in the basement but I have problems in the same room as the router - what gives? Sometimes it says 100% Excellent and others it drops down to nothing. It's a Belkin Pre-N that I upgraded from a Buffalo G before that and a Linksys B before that. They all give me the same problem. There is no method to my insanity. Can you help me?"
Who can help James? If you do it too quick, I will have to post another question.

Karl L. Gechlik
_TheAdmiN_

How to Migrate users from a workgroup to a domain.

Wow, that was fast... We got our first question while I was writing my second post. John from Downtown Manhattan wants to know the best way to migrate his users from a Windows 2003 Standalone Server into a fresh new domain.

Well, John, we have just completed something very similar with the assistance of Microsoft's addusers.exe command and l0phtcrack for password retrieval. Addusers.exe can be found on the Windows 2000 Resource CD or from Microsoft.com. Using addusers.exe with the /d switch we were able to extract to a text file all of our local users, groups and descriptions. But we were unable to export passwords... That's where l0phtcrack came in: we ran this against our local server and recovered all 250 user passwords in under 24 hours.

Then, after joining the machine to our freshly created domain, we used addusers.exe to import the user information from the text file we exported, using the /c script. We then went in manually and set the passwords. You could also leave the option to require the user to change their password on the next logon. Below you will find the syntax for addusers.exe.

Adds, Writes, or Erases accounts as specified by a delimited file.

ADDUSERS {/c|/d{:u}|/e} filename [/s:x] [/?] [\\computername|domainname] [/p:{lced}]

/?    Display this help screen.
/c    Create accounts specified in the file.
/d:   Write current accounts to the specified file, optionally followed by {:u}.
/u    Write current accounts to the specified file in Unicode text format.
/p:   Sets account creation options, followed by any combination of {lced}:
      l  Users do not have to change passwords at next logon.
      c  Users cannot change passwords.
      e  Passwords never expire (implies l option).
      d  Accounts disabled.
/e    Erase user accounts specified in the file.
/s:x  Sets the separator character for the input/output file. Replace the x with the character to be used for separating fields (e.g. /s:~).

Note: The separator character is a comma ',' by default.
For detailed information please refer to the Resource Kit Help file.
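Here is an added example (not part of the original post, and not a Microsoft tool) that takes the other route for the blank password column: instead of recovering the old passwords, it fills each empty field in the addusers /d export with a fresh random one-time password so that addusers /c (without /p:l) creates the accounts with "must change password at next logon" set. The [User] field order is assumed from the Resource Kit documentation, and the export text is a constructed sample.

```python
import secrets
import string

# Field order of a [User] line as written by addusers /d (assumed from the
# Resource Kit documentation; check it against your own export first):
# name,fullname,description,password,homedrive,homepath,profile,script
USER_FIELDS = 8
PASSWORD_FIELD = 3

# Constructed sample export. The password column comes out blank, which is the
# gap the post filled by cracking hashes; here it is filled with fresh secrets.
SAMPLE_EXPORT = """[User]
jsmith,John Smith,Accounting,,H:,\\\\srv\\home\\jsmith,,
mlee,Mary Lee,Sales,,H:,\\\\srv\\home\\mlee,,
[Global]
[Local]
Staff,All staff,jsmith,mlee
"""


def temp_password(length=16):
    """One-time password handed to the user out of band; addusers /c without
    /p:l leaves 'must change password at next logon' set, so it dies on first use."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def fill_passwords(export_text, gen=temp_password, sep=","):
    """Return (import_text, {user: temp_password}) ready for addusers /c.
    Only blank password fields inside the [User] section are changed; the
    group sections are copied through untouched."""
    out, issued, section = [], {}, None
    for line in export_text.splitlines():
        if line.startswith("[") and line.endswith("]"):
            section = line
        elif section == "[User]" and line.strip():
            fields = line.split(sep)
            fields += [""] * (USER_FIELDS - len(fields))  # pad short lines
            if not fields[PASSWORD_FIELD]:
                fields[PASSWORD_FIELD] = gen()
                issued[fields[0]] = fields[PASSWORD_FIELD]
            line = sep.join(fields)
        out.append(line)
    return "\n".join(out) + "\n", issued


if __name__ == "__main__":
    import_text, issued = fill_passwords(SAMPLE_EXPORT)
    print(import_text)
    for user, pw in issued.items():
        print(f"{user}: {pw}")  # deliver these out of band, then wipe this output
```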

_TheNetworkedAdmin_

Resetting a Cisco 2600 Series Router PW - Physical Access Needed

I read this article via Digg @ Bauer-Power.Net and I really liked it. So here it is for your perusal. I have had to use this technique on more than one occasion and had to pull it off of Cisco's cryptic website but here it is:

"Have you ever heard the expression, "If you have physical access to a machine on the network, you can own that machine." I have, one of my professors at school harps on that all the time. I knew what he was talking about as far as Windows machines. I mean there are tons of free utilities you can use to reset the administrator's password in Windows. There are an equal number for Linux I'm sure, but what about a router? I'm not talking about a cheap D-Link router that you use at home, I am talking about production grade Cisco routers. Resetting the privileged mode password is really a simple process. In class tonight, we had a lab where we had to do password recovery on a Cisco 2600 series router. The process was really simple.

First of all, in order to reset the password you have to be physically connected to the console port, so forget the notion of telnetting in and "Hacking the Gibson." Now that you have picked the lock to get into the server room where the routers are, or if you are a network admin and you genuinely have access to the server room, you can hook up your laptop directly to the router's console port. With something like hyperterminal, make sure you have connectivity with the router (Check with Cisco's website for the hyperterminal settings). Now that you have a good connection, power off the router, then power it back on. After you turn it back on you have 60 seconds to press ctrl+break. Keep it held down until you see rommon 1>.

At rommon 1> type confreg 0x2142 then press enter.
At rommon 2> type reset.

Now the router will reboot and will now skip the startup configuration and you will now be prompted to go through router setup. When prompted, select no. We don't want to reconfigure the router, we only want to reset the password.

Now you should be at a prompt like this:

router>, type enable and press enter.

You should now be at a prompt like this: router#.

Type enable and your new password then press enter.

You should also reset the secret password by typing enable secret and the new secret password. Now with the passwords reset, save your changes by typing copy running-config startup-config and press enter. Now type config-register 0x2102 and press enter. Type reload at the prompt and the router will now be rebooted with your new password. Congratulations! You now own the box! Please keep in mind that this is for a Cisco 2600 series router. For the full step by step instructions for this or any other Cisco product, visit Cisco.com and do a search for password recovery."
Original Post: Bauer-Power: Information is Power!