Which is the Default IP in Windows 2008 R2 Multi-IP Config?

I ran into an interesting problem this weekend.  I noticed that a lot of email was being returned as non-deliverable from my Exchange 2010 server.  Many domains, specifically AOL and some of the major ISPs, require that the domains they communicate with have mail servers with reverse zone lookups, meaning that their name, “mail.domain.com” for example, resolves to a specific IP.  Well, my MX record does reverse resolve to the correct IP; however, that IP wasn’t the IP address that my server was communicating from.

My infrastructure goes through a firewall.  It used to be Microsoft ISA Server, but recently I have been trying the new Forefront Threat Management Gateway.  One of the nice things is that TMG is supported on Windows 2008 and R2, and can be virtualized as well.  I built mine on Windows 2008 R2, which appears to be part of my identity problem, at least as far as other domains are concerned.

Normally on a network card that has multiple IP addresses assigned to it, the first IP listed will be the one that is used for communication.  In the case of Windows 2008 (and R2), it actually changes to use the lowest IP address (number-wise).  So if my IP ends with 12, and another one ends with 14, even though 14 might be listed first, it will always use 12.  From what I understand and without getting into too much detail, there is something called strong and weak host models.  It’s hardcore networking, so if you want, you can read more here and here.

Microsoft recognized this as an issue and released a hotfix for Windows 2008 SP2 and Vista SP2, but the hotfix doesn’t cover R2.  Basically this hotfix adds a parameter called SkipAsSource which can be set per address via NETSH.  After you install this hotfix, you can create IP version 4 (IPv4) addresses or IP version 6 (IPv6) addresses by using the netsh command together with the new “skipassource” flag. By using this flag, the added new addresses are not used for outgoing packets unless explicitly set for use by outgoing packets. Therefore, these IP addresses will not be registered on the DNS servers.  This also restores the behavior as you knew it in Windows 2003.

Now, since I am running R2, this really didn’t help me, but a slight change in configuration in TMG did.  In the Networking configuration inside TMG, I have a rule for anything accessing the Internet.  I can control from here what IP is used to talk to the Internet; this would be the IP address that my mail server would be seen as through Network Address Translation (NAT) on its way to the interwebs.


You can configure the NAT rule to use any or all of your externally routable IP addresses.  Problem resolved!
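The netsh side of this, as an added example that is not part of the original post: it adds the extra address with the skipassource flag that the hotfix introduces, then parses the verbose address listing to confirm which addresses Windows will skip when choosing a source address. It assumes the hotfix is installed; the interface name and the 192.0.2.x addresses are constructed placeholders standing in for the “.12” and “.14” addresses in the post.

```powershell
# Added example (not from the original post). Assumes the SkipAsSource hotfix
# is installed on the Windows 2008 R2 box. Interface name and addresses are
# constructed placeholders.
$Interface = 'Local Area Connection'   # assumed interface name
$PrimaryIp = '192.0.2.12'              # the address the MX host's PTR points at (constructed)
$ExtraIp   = '192.0.2.14'              # additional address that must not become the source (constructed)
$Mask      = '255.255.255.0'

function Get-SkipAsSourceTable {
    # Parses 'netsh interface ipv4 show ipaddresses level=verbose' into a
    # hashtable: address -> $true when Skip as Source is set, $false otherwise.
    $table = @{}
    $current = $null
    foreach ($line in (netsh interface ipv4 show ipaddresses level=verbose)) {
        if ($line -match '^Address\s+(\S+)\s+Parameters') {
            $current = $matches[1]
            $table[$current] = $false
        }
        elseif ($current -and $line -match '^Skip as Source\s*:\s*(\w+)') {
            $table[$current] = ($matches[1] -eq 'true')
        }
    }
    return $table
}

# Without skipassource, Windows 2008/R2 uses the numerically lowest address as
# the source for outgoing traffic, regardless of the order the addresses were
# added. With skipassource=true the address still answers inbound traffic but
# is skipped for source selection and for DNS registration.
# If $ExtraIp was already added the plain way, remove it and re-add it with the
# flag (connections to that address drop briefly while it is absent).
$before = Get-SkipAsSourceTable
if ($before.ContainsKey($ExtraIp) -and -not $before[$ExtraIp]) {
    netsh interface ipv4 delete address "$Interface" $ExtraIp
}
netsh interface ipv4 add address "$Interface" $ExtraIp $Mask skipassource=true

# Verify: the primary stays eligible as a source, the extra one does not.
$after = Get-SkipAsSourceTable
if ($after[$PrimaryIp] -eq $false -and $after[$ExtraIp] -eq $true) {
    Write-Host "OK: outgoing traffic will leave from $PrimaryIp"
} else {
    Write-Warning "Unexpected state: $($after | Out-String)"
}
```

Run it from an elevated prompt. The parsing function is the part worth keeping around: after any address change, a quick `Get-SkipAsSourceTable` tells you which address the server will present to the outside world, which is what the reverse lookup on the receiving side is going to be compared against.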

UPDATE (11/13/2010):

Thanks to Nick for the update.  A hotfix is now available for Windows 2008 R2.  You can find more information here.

NTP Changes with Windows 2008 Domain Controllers

I noticed tonight that my domain controller’s clock had crept ahead by about 15 minutes.  Inconsistent time, especially time that differs between servers, clients, and a domain controller, can throw applications like Exchange, which depend upon Active Directory for information, for a loop.

In Windows 2008 R2 (and Windows 7), the /setsntp and /querysntp switches of NET TIME are deprecated.  W32TM.exe provides similar functionality that NET TIME provided when it came to configuring domain controllers as a primary time source.

W32TM is not terribly intuitive, but I did get enough information to get my Windows 2008 R2 domain controller updated and again updating the time of the resources in my domain.

If you are wondering how to set this up – here are a few steps to help you out.

1. Use W32TM to configure the peer list and then update the configuration.  In this case, I am using a “set” of public servers to get my time information.  From a command prompt, type (on a single line):

w32tm /config /manualpeerlist:"0.north-america.pool.ntp.org,0x8" /syncfromflags:MANUAL /reliable:yes /update

2. I’m not entirely sure that this is required, but we’ll restart the Windows Time Service for good measure.  From a command prompt, type:

net stop w32time

then restart the service:

net start w32time

3. Then we’ll initiate the time resynchronization and rediscovery of the peer list time sources that we specified in Step #1.  From a command prompt, type:

w32tm /resync /rediscover

There.  You should be all set.  If you want to update the time on a client (or a server) ahead of the regular interval at which it checks with a domain controller for the correct time, you can go to a command prompt and type:

net time /domain:<domain name> /set /yes

This will force an update of the time on the current system from your local domain.
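The three steps above as one script, with the verification the post leaves out. This is an added example, not part of the original post: it applies the peer list, restarts the service, forces the resync, and then measures the remaining offset against the pool server, treating anything over the default Kerberos clock-skew tolerance of five minutes as a failure (a domain controller fifteen minutes off, as in the post, would fail every Kerberos exchange that depends on it). The pool server is the one the post uses; the 0x8 flag is w32tm's client-mode flag.

```powershell
# Added example (not from the original post). Run elevated on the 2008 R2
# domain controller that should be the authoritative time source.
$Peer        = '0.north-america.pool.ntp.org'
$PeerList    = "$Peer,0x8"      # 0x8 = client mode: poll the peer, never act as a symmetric peer
$MaxSkewSecs = 300              # Kerberos default tolerance; anything beyond this breaks authentication

# Step 1: peer list, manual sync source, advertise as reliable, apply.
w32tm /config /manualpeerlist:"$PeerList" /syncfromflags:MANUAL /reliable:yes /update

# Step 2: restart the Windows Time service (same as net stop/start w32time).
Restart-Service -Name w32time

# Step 3: resync and rediscover the peers just configured.
w32tm /resync /rediscover

function Get-ClockOffsetSeconds([string]$Server, [int]$Samples = 3) {
    # Uses 'w32tm /stripchart ... /dataonly', whose data lines look like
    # "12:34:56, +00.0123456s", and returns the largest absolute offset seen.
    $worst = 0.0
    foreach ($line in (w32tm /stripchart /computer:$Server /samples:$Samples /dataonly)) {
        if ($line -match ',\s*([+-]\d+\.\d+)s') {
            $offset = [math]::Abs([double]$matches[1])
            if ($offset -gt $worst) { $worst = $offset }
        }
    }
    return $worst
}

# Verification: the source must be the peer, not the local CMOS clock, and
# the offset must be well inside the Kerberos window.
$source = (w32tm /query /source | Out-String).Trim()
$offset = Get-ClockOffsetSeconds -Server $Peer
if ($source -like "*$Peer*" -and $offset -lt $MaxSkewSecs) {
    Write-Host ("OK: syncing from {0}, offset {1:N3}s" -f $source, $offset)
} else {
    Write-Warning ("Time source is '{0}', offset {1:N3}s; check firewall for UDP 123 and w32tm /query /status" -f $source, $offset)
}
```

For domain members, `w32tm /resync` forces the same out-of-cycle update that the `net time ... /set /yes` command in the post does, and `w32tm /query /status` on any machine shows which server it last synced from and when.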

Creating an SSL VPN with Windows Server 2008 R2

This week I was in Las Vegas for the Exchange Connections Conference.  Traveling usually isn’t too much of a hindrance anymore because of the availability of a wireless Internet connection just about everywhere you go.  The only downfall is that most public places, particularly hotels, tend to provide Internet access but block non-HTTP traffic in a lot of cases.  For VPN users, this can be a problem and prevent you from accessing the resources that would normally require you to be connected directly to your corporate network.

With Windows 2008, the Routing and Remote Access service can now be used as a means for providing access via an SSL VPN to corporate resources.  Since SSL is just as common as its HTTP counterpart, it is usually accessible.

I spent a couple of hours tonight working on creating a SSL VPN solution for my network.  I did get it up and running and wanted to provide some of the resources that helped make this process a lot easier. 

The IT Consulting Blog had a good amount of information that got me through some of the pitfalls.

This IT Technology Blog helped a lot when it came to troubleshooting.

I was able to get connected and everything is working great – but – one thing I did have problems with was when the SSTP Client in Windows 7 connects to the VPN Server, it has to make contact with the Certificate Revocation List to check and make sure that the certificate used for the VPN communication hasn’t been revoked.  I am using ISA which may or may not add a layer of complexity, but I did have to disable the CRL check.  At first, I thought the registry edit that disabled that was made on the VPN server, but in fact, it is actually made on the client machine.  You probably don’t want to disable CRL in a production environment – so just keep that in mind.

Microsoft has a section in this article that talks about the registry key required to disable or enable the CRL check.

Finally, Tom Shinder, one of the great ISA experts out there wrote a series on implementing a Windows 2008 VPN behind ISA infrastructure.  This walks you through the entire process from start to finish.  You can find that three part series here.
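The CRL problem above is the security-relevant part of this post, so here is an added example (not from the original post or the linked articles) for the client side: it reports whether the SSTP client's revocation check has been disabled, can remove that override, and checks whether the VPN server's certificate chain actually validates with online revocation checking, which is what tells you whether the real fix (making the CRL distribution point reachable through the firewall) is in place. The registry location is the one Microsoft documents for the SSTP service (`SstpSvc\Parameters`, value `NoCertRevocationCheck`); the certificate file path is a placeholder.

```powershell
# Added example (not from the original post). Runs on the Windows 7 SSTP client.
# Registry location as documented by Microsoft for the SSTP service; the
# certificate path below is a placeholder for an export of the VPN server's
# certificate.
$KeyPath   = 'HKLM:\SYSTEM\CurrentControlSet\Services\SstpSvc\Parameters'
$ValueName = 'NoCertRevocationCheck'
$ServerCer = 'C:\temp\vpn-server.cer'   # PLACEHOLDER: exported server certificate

function Get-SstpCrlCheckState {
    # 'Disabled' when the override value is present and set to 1, else 'Enabled'.
    $item = Get-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($item -and $item.$ValueName -eq 1) { return 'Disabled' }
    return 'Enabled'
}

function Restore-SstpCrlCheck {
    # Removes the override so the default (revocation checking on) applies to
    # new SSTP connections.
    if (Test-Path $KeyPath) {
        Remove-ItemProperty -Path $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    }
}

function Test-ServerCertificateChain([string]$CerFile) {
    # Builds the chain with online revocation checking for every certificate in
    # it. A failure with RevocationStatusUnknown/OfflineRevocation means the
    # client cannot fetch the CRL, which is the real cause behind 'disable CRL'.
    $x509  = [System.Security.Cryptography.X509Certificates.X509Certificate2]
    $cert  = New-Object $x509 $CerFile
    $chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
    $chain.ChainPolicy.RevocationMode = 'Online'
    $chain.ChainPolicy.RevocationFlag = 'EntireChain'
    $ok = $chain.Build($cert)
    if (-not $ok) {
        foreach ($s in $chain.ChainStatus) {
            Write-Warning ("{0}: {1}" -f $s.Status, $s.StatusInformation.Trim())
        }
    }
    return $ok
}

Write-Host ("SSTP revocation checking: {0}" -f (Get-SstpCrlCheckState))
if (Test-Path $ServerCer) {
    if (Test-ServerCertificateChain $ServerCer) {
        Write-Host 'Chain and CRL check succeed from this client; the override is not needed.'
        Restore-SstpCrlCheck
    } else {
        Write-Host 'Fix CRL reachability (CDP URL through ISA/TMG) before re-enabling the check.'
    }
}
```

The same chain test can be run with `certutil -verify -urlfetch vpn-server.cer`, which prints each CRL and AIA URL it tries; either way, the goal is to get the chain to validate from the hotel network so the override can be removed rather than left in place.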

Quick Hit: Installing Pre-Reqs for Exchange 2010

This can be a bit tricky … and you can either get enough exposure by doing it so many times that you just know what needs to be installed before you start, or you can get through a bunch of steps in the setup before it stops to tell you that the right things aren’t installed and can’t continue.

Exchange 2010 requires Windows Server 2008 or Windows Server 2008 R2.  You can use Server Manager to install the Web Server (IIS) role, however, there are many, many pieces to IIS that are broken out into individual components in 2008.  Which ones are required to get you the prerequisites you need to get through the Exchange 2010 installation?

Instead, consider using ServerManagerCmd.exe, which is built into Windows 2008, to automate the role installation for you.  This command is very useful in installing new components and making sure that you have the pieces you need.  From a command line, run:

ServerManagerCmd -i RSAT-ADDS Web-Server Web-Metabase Web-Lgcy-Mgmt-Console Web-ISAPI-Ext NET-HTTP-Activation Web-Basic-Auth Web-Digest-Auth Web-Windows-Auth Web-Dyn-Compression RPC-over-HTTP-proxy Web-Net-Ext -Restart

This will install the necessary components, including RSAT-ADDS, which is needed for remote administration of Active Directory and for installing the Exchange 2010 schema extensions.  Once the command completes, the server will restart.  After that, you’re ready for your Exchange 2010 installation.

You can find more information on ServerManagerCmd.exe on Technet.
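An added example, not from the original post, that does the same job idempotently: it compares the feature list from the post against what is actually installed and only installs what is missing, so it is safe to run on a server that is already partly prepared. It assumes Windows Server 2008 R2, which ships the ServerManager PowerShell module (`Get-WindowsFeature` / `Add-WindowsFeature`) alongside the deprecated but still working ServerManagerCmd.exe.

```powershell
# Added example (not from the original post). Assumes Windows Server 2008 R2
# and an elevated PowerShell session.
Import-Module ServerManager

# Exactly the component IDs from the ServerManagerCmd line in the post.
$Required = @(
    'RSAT-ADDS', 'Web-Server', 'Web-Metabase', 'Web-Lgcy-Mgmt-Console',
    'Web-ISAPI-Ext', 'NET-HTTP-Activation', 'Web-Basic-Auth', 'Web-Digest-Auth',
    'Web-Windows-Auth', 'Web-Dyn-Compression', 'RPC-over-HTTP-proxy', 'Web-Net-Ext'
)

function Get-MissingFeature([string[]]$Names) {
    # Returns the subset of $Names that Server Manager does not report as installed.
    $installed = Get-WindowsFeature | Where-Object { $_.Installed } | ForEach-Object { $_.Name }
    return @($Names | Where-Object { $installed -notcontains $_ })
}

$missing = Get-MissingFeature $Required
if ($missing.Count -eq 0) {
    Write-Host 'All Exchange 2010 prerequisites are already installed.'
} else {
    Write-Host ("Installing: {0}" -f ($missing -join ', '))
    # -Restart mirrors the post's ServerManagerCmd -Restart: reboot only if a
    # component asks for it, with no prompt.
    $result = Add-WindowsFeature $missing -Restart
    if (-not $result.Success) {
        throw ("Feature installation failed, exit code {0}" -f $result.ExitCode)
    }
    # If nothing required a restart the script continues here.
    $still = Get-MissingFeature $Required
    if ($still.Count -gt 0) { throw ("Still missing after install: {0}" -f ($still -join ', ')) }
    Write-Host 'Prerequisites installed; run Exchange 2010 setup next.'
}
```

Running the check again after the reboot should print the "already installed" line, which is a cheap way to confirm the server is ready before starting the Exchange setup wizard.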

Remote Server Administration Tools (RSAT) for Windows 7

Now that all my desktops and laptops are running Windows 7, I wanted to get the newest tools for administering my Windows environment, including Hyper-V.

It took a little bit of searching, and a lot of the search results pointed to the beta tools or the RSAT for Windows Vista, neither of which will work with the released version of Windows 7.

So, if you’re looking for the link, here it is:


From there, you’ll find the direct download links to both the x86 and x64 versions of the tools.  Happy administering!

MPIO Configuration with ServerManagerCmd and MPClaim

My last post touched on automating the installation and creation of a failover cluster on Windows Server 2008.  In this post, I want to touch on adding additional redundancy by installing Multipath I/O.  With MPIO, you can have multiple paths to your disk that are masked together to provide high availability and redundancy in your cluster configuration.

In Windows 2008, you can use ServerManagerCmd to automate the installation of the MPIO feature from the command line:

C:\> SERVERMANAGERCMD.EXE -install Multipath-IO

Once the feature is installed, a reboot will be required, but if you have additional configuration that you want to do with MPIO before that reboot, you can do that first.

Interestingly enough, I was looking for a way to add the hardware vendor ID for MPIO disk devices.  You can pre-configure MPIO to look for particular disk devices based on their hardware ID to automatically use MPIO on those devices.  You will have to use this procedure for storage devices that are not SPC-3 compliant.

For example, if I wanted to configure MPIO to automatically multipath any disk device on a Compellent Storage Center, I can use MPCLAIM.EXE, which is part of Windows Server 2008.  Specifying a hardware ID will also require a reboot upon completion.  MPCLAIM.EXE can initiate that reboot for you when it’s done.

C:\> MPCLAIM.EXE -r -i -d COMPELNTCompellent

You can couple this with the cluster creation by running this script first.  Once MPIO is installed, configured and the servers have rebooted, you can use the script to create the cluster and you’re ready to go MPIO and all!


UPDATED 07/28/2009

The Hardware ID specified for a Compellent volume was incorrect.  This article has been corrected to show the correct hardware ID for a Compellent Storage Center disk when used with MPCLAIM.

Cluster Quickness

It seems that the days of entering everything via DOS commands have come full circle as larger enterprise environments take advantage of high availability technologies like Windows Failover Clustering.

I was setting up a test environment today which consisted of eight nodes in a Windows 2008 Server Environment.  The days of using the GUI and your mouse to click around get pretty annoying when you have to repetitively follow these processes across a number of servers. 

Here are a couple of quick commands that can be used in setting up your clusters on Windows Server 2008.

Install the Failover Clustering role using the Server Manager Command Line:

C:\> servermanagercmd -install Failover-Clustering

Once you have installed the Failover Clustering role on all of your nodes, you can also automate the creation of the cluster itself from the command line.  Specify a few parameters and you are set to go!

C:\> cluster.exe /cluster:newcluster /create /nodes:"ws08node1 ws08node2 ws08node3" /ipaddress:

Remember that after the cluster is created, you still have to set up your disks.  This can also be done via command line, but in the case of this cluster, I prefer to do it in the Failover Clustering MMC.  If you are adding a large number of disks and want to automate that process, the cluster.exe command offers the functionality you need to accomplish that.

Once I had my disk provisioned, the process of installing the role and creating the new cluster (for eight nodes even) only takes a few minutes.
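The MPIO post and this one describe two halves of a single build, so here is one added example (not from either post) that runs them in order: a per-node phase that installs both features, registers the Compellent hardware ID with MPIO without rebooting yet, confirms the ID is registered, and then reboots once; and a create phase, run once from any node, that creates the cluster and checks that every node reports Up. ServerManagerCmd returns exit code 3010 when a restart is pending, which the script treats as success. Node names are the ones from the post; the cluster IP is a placeholder because the post elides it.

```powershell
# Added example (not from the original posts). Run elevated.
#   .\build-cluster.ps1 -Phase Node     on every node, then
#   .\build-cluster.ps1 -Phase Cluster  once, after all nodes are back up.
param([ValidateSet('Node', 'Cluster')][string]$Phase = 'Node')

$Nodes       = 'ws08node1', 'ws08node2', 'ws08node3'
$ClusterName = 'newcluster'
$ClusterIp   = '192.0.2.50/255.255.255.0'   # PLACEHOLDER: the post does not give the real value
$HardwareId  = 'COMPELNTCompellent'         # vendor (8 chars) + product string, as in the MPIO post

function Install-FeatureChecked([string]$Feature) {
    # ServerManagerCmd exits 0 on success and 3010 (ERROR_SUCCESS_REBOOT_REQUIRED)
    # when the install succeeded but needs a reboot; anything else is a failure.
    & servermanagercmd.exe -install $Feature
    if ($LASTEXITCODE -ne 0 -and $LASTEXITCODE -ne 3010) {
        throw ("servermanagercmd -install {0} failed with exit code {1}" -f $Feature, $LASTEXITCODE)
    }
    return ($LASTEXITCODE -eq 3010)   # $true when a reboot is pending
}

function Test-MpioHardwareId([string]$Id) {
    # 'mpclaim -h' lists the hardware IDs MPIO is configured to claim.
    $listing = (& mpclaim.exe -h) -join "`n"
    return ($listing -match [regex]::Escape($Id))
}

switch ($Phase) {
    'Node' {
        $rebootNeeded = Install-FeatureChecked 'Multipath-IO'
        $rebootNeeded = (Install-FeatureChecked 'Failover-Clustering') -or $rebootNeeded
        # -n instead of -r: register the ID now, defer the reboot so one restart covers everything.
        & mpclaim.exe -n -i -d $HardwareId
        if (-not (Test-MpioHardwareId $HardwareId)) {
            throw "MPIO does not list hardware ID '$HardwareId'; check the vendor/product string"
        }
        Write-Host 'Node prepared; rebooting to activate MPIO.'
        Restart-Computer
    }
    'Cluster' {
        & cluster.exe "/cluster:$ClusterName" /create "/nodes:$($Nodes -join ' ')" "/ipaddress:$ClusterIp"
        if ($LASTEXITCODE -ne 0) { throw "cluster.exe /create failed with exit code $LASTEXITCODE" }
        # Verification: every node should be listed as Up, and this node should
        # see its Compellent volumes under MPIO.
        $nodeList = (& cluster.exe "/cluster:$ClusterName" node) -join "`n"
        foreach ($n in $Nodes) {
            if ($nodeList -notmatch "(?im)^\s*$n\s+\d+\s+Up") { Write-Warning "$n is not Up yet" }
        }
        & mpclaim.exe -s -d
    }
}
```

The disk step still follows in the Failover Clustering MMC as the post describes; `mpclaim -s -d` at the end is just there to confirm that the volumes arrive through MPIO rather than as duplicate single-path disks, which is the usual sign that the hardware ID was mistyped.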

My Trip to MMS 2008

I spent the last week in Las Vegas at Microsoft Management Summit 2008.  MMS is a conference that focuses on the technologies that Microsoft offers to manage infrastructure like desktops, servers and beyond.

I hadn’t realized how much the technologies had changed in the last several years.  When I was still working for Microsoft I spent a lot of time with my customers working on solutions around Systems Management Server (SMS), Microsoft Operations Manager (MOM), and even had some early adopters of Data Protection Manager (DPM).  SMS is now known as Configuration Manager and DPM is stronger than ever with its new version which protects advanced application data (SQL and Exchange) as well as your existing files and folders.  Those technologies have all changed and evolved all underneath one umbrella.  Enter Microsoft System Center.

System Center ties all of these components together.  From deployment of desktops and servers, to asset management, service center (help desk) management, and protecting your data.

My focus for this week was to try to understand how the evolution and advancement of all of these products fits together.  I was particularly interested in learning more about System Center Virtual Machine Manager (SCVMM), Hyper-V, and DPM.

System Center Virtual Machine Manager

SCVMM has a 2007 version which allows you to manage instances of Microsoft Virtual Server from a single MMC.  Those familiar with Virtual Server know that it was administrable only through the web interface.  The change to the MMC seems to be mainstream and provides a lot more functionality.

Microsoft announced the beta availability of SCVMM 2008 during MMS.  SCVMM 2008 brings a number of new features including the ability to manage Hyper-V hosts as well as Virtual Server.  The feature that received the most attention is its ability to manage VMware ESX hosts.  Not only can you manage ESX host machines and their guests, but you can also initiate VMotion right from within the SCVMM console.  What a powerful feature.   They hit the mark by tying these technologies together and are considering how they can tie other technologies into the mix such as Virtual Iron and Xen.  A Live Migration feature similar to VMotion is also in the works.  Its release timing at this point is unknown.

The SCVMM 2008 beta is available for download on the Microsoft Connect website.

Hyper-V

Hyper-V beta is available on x64 builds of Windows Server 2008 and easily installable by adding the Hyper-V role to your selected server roles in the Server Console.  Hyper-V is not available on the 32-bit platform.

Updates including the release candidate and final code will be downloadable through standard channels like Windows Update.  No special changes will be required to upgrade to the final code.

Once installed, the Hyper-V Manager appears under Administrative Tools.  The Hyper-V Manager is similar to SCVMM with less functionality and doesn’t include the ability to take advantage of a SCVMM library.  It is also limited in the number of hosts that you can manage.  Obviously, Microsoft wants to encourage you to upgrade to System Center Essentials, which allows you to manage up to five Virtual Server or Hyper-V hosts, or, for unlimited capabilities, the full-blown System Center suite.

Data Protection Manager

DPM is also part of the System Center umbrella.  DPM’s core function is to manage and protect your data by creating regular recovery points and also providing disk to disk backups in addition to disk to tape backups, with the entire process automated.

DPM protection is configurable through a wizard and agent installation.  DPM provides agents to protect your normal files and folders, but also includes advanced protection for transactional data such as SQL or Exchange.  In addition, you can also protect your SharePoint systems and DPM 2007 SP1 will include support for Hyper-V hosts and guests.

In coordination with Microsoft Volume Shadow Copy Services (VSS), a consistent snapshot of data can be taken without having to take applications or services offline.  This allows you to back up applications like SQL or Exchange, which in most environments must stay live with no service interruptions, without skipping a beat.

The core storage for DPM is fixed disks that are converted to dynamic disks to allow for on-the-fly expandability.  However, DPM can also take advantage of SAN solutions that offer VSS hardware providers in addition to other integration components.

Microsoft plans to ship Service Pack 1 for DPM in Q4 of 2008.

Access-Based Enumeration

ABE filters the shared folders visible to a user based on that individual user’s access rights, preventing the display of folders or other shared resources that the user does not have rights to access. ABE can be accessed via a graphical user interface (GUI), a command-line executable tool, and a robust application programming interface (API).

This functionality is similar to what you see in a Novell environment.

You can control the settings of ABE via Group Policy as well.

You can download the ABE GUI interface here.