Shadow Protect Backup/Restore


Backing up and restoring a Windows system: an alternative to the ShadowProtect IT Edition USB dongle.

You can download the latest version of the ISO file from the following link (a product key is required for the download):

http://www.storagecraft.com/downloads/recovery-environments

Steps to restore a VM from a ShadowProtect backup:
(Note: burn this image file to CD/DVD/USB for desktops or for cloning and restoring physical servers.)

  1. Create a new blank Virtual Machine (VM) with a similar specification to the source VM (the VM to be restored) and a slightly larger hard disk. Restoration will not work if the destination hard disk is smaller than the source machine's. Skip step 1 if you are familiar with VM creation.
  2. Mount the .iso image so the VM boots from the ISO file (boot sequence: boot from CD/DVD). Ensure "Connect at power on" is selected under Device Status.
  3. Tick "Connect at power on" for the Network adapter (a network connection is required when the backup server is on the network).
  4. Select "Force BIOS Setup" to boot the VM into the BIOS.
  5. Move the CD-ROM Drive to the top so that the VM boots from the ShadowProtect ISO image attached in step 2.
  6. Press F10 and [Yes] to save and exit the BIOS utility.
  7. Now run the newly created VM.
  8. The VM boots into a Linux-like OS from the Cross Platform ISO file.
  9. Set your local time zone. (Select it from "Time Zone Settings" so that your existing backup files show the correct timestamp when you look them up in a later step. In the figure above the VM gets an IP from the DHCP server; you need to set the IP manually if you are in a server VLAN where no DHCP scope is configured.)
  10. Set the IP address manually if DHCP is not present (e.g. in a server VLAN where no DHCP server issues addresses).
  11. Click "Disk Map" in the left menu.
  12. Right-click the hard disk free space and click Disk Utility.
  13. When Disk Utility loads, click "Create Partition" to create an NTFS partition for the Windows system.

*Note: confusing! "Format Drive" above does not format the disk to a file type; it only removes partitions. The "Create Partition" option creates the partition and formats it with the selected file type.

(Figure: format the partition as NTFS for Windows)

  14. Click the Drives link in the left window under the Tools menu.
  15. Click the Network icon in the right window and map a network path to your ShadowProtect backup server folder. The UNC path must exactly match the ShadowProtect backup folder (path names with spaces are not allowed). Note: the next icon, with a hard disk, is for local drive mapping, e.g. a USB or fixed hard disk, when cloning physical machines (laptop, physical server). Enter the ShadowProtect backup user credentials to access the backup server (the backup destination server where the SP backup *.spi files are located).
  16. Click the Restore Volume link on the left.
  17. Select the backup file (.spi) to be restored in the right window.
  18. Select the Recovery Volume created in step 13 above as the destination hard disk (the new system).

(Figure: "Verify image before restore" makes the restore take longer.)

  19. Wait for the restoration tasks to end.

(Figure: restoration progress status)
(Figure: restoration task has been completed)

  20. Exit the ShadowProtect Cross Platform application and reboot.
  21. Click the Shut Down button to stop the VM and make the necessary changes to the boot sequence. Note: do not enable the network interface while the existing VM is still running.
  22. Ensure the CD-ROM is disconnected, or change the VM boot sequence to Hard Disk; otherwise the VM will boot from the CD again.
  23. Let the hard disk scan (CHKDSK) run; do not skip it. It fixes some issues (disk errors, consistency, etc.) and will not repeat on subsequent boots.
  24. Keep the network interface disconnected as long as the live server is still running.
  25. Do the required checks (drivers, disk partition, services) before connecting the network interface and bringing the server onto the live network.
Posted in DRP, Others | Tagged

Enable Port mirroring from Cisco switch


Port mirroring is useful when we need to capture traffic for detailed analysis. For example, one might mirror the Internet interface (the uplink to the Internet-facing firewall) to analyze Internet traffic with a sniffing tool such as Wireshark. Here the source port (2/48) is the switch port used for the Internet connection, and the destination port (2/22) is the mirror of 2/48, where the PC running Wireshark is connected.

Port mirroring:

source port 2/48
destination port 2/22

Switch#config terminal
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#monitor session 1 source interface Gi 2/48
Switch(config)#monitor session 1 destination interface Gi 2/22

Switch#show monitor session 1
Switch#show monitor

Output:

Session 1
---------
Type : Local Session
Source Ports :
Both : Gi2/48
Destination Ports : Gi2/22

Egress SPAN Replication State:
Operational mode : Centralized
Configured mode : Centralized (default)

 

VLAN mirroring:

Besides the above, we can also mirror a whole VLAN. The steps below create a mirror port for a particular VLAN, e.g. VLAN 1.

source vlan 1
destination port 2/22

Switch#configure terminal
Switch(config)#interface Gi 2/22
Switch(config-if)#port monitor vlan 1

 

Note: you can enter "show ip int brief" or "show int" to see the switch port names, e.g. Gi 0/1 or Fa 0/1.

Posted in Cisco | Tagged

Find AD Forest Functional Level


Get the forest functional level using dsquery (DC=abc,DC=local is the example domain DN; substitute your own):
dsquery * DC=abc,DC=local -scope base -attr msDS-Behavior-Version
OR
dsquery * DC=abc,DC=local -scope base -attr msDS-Behavior-Version ntMixedDomain

msDS-Behavior-Version values:
0 = Windows 2000
1 = Windows 2003 interim
2 = Windows 2003
3 = Windows 2008
4 = Windows 2008 R2
5 = Windows 2012
6 = Windows 2012 R2

(Figure: dc-version)

Posted in Windows | Tagged

Google SafeSearch and SSL


Google SafeSearch and SSL Search for Schools

As we have noticed, Google has changed its search behavior. Currently "Google Search" forwards searches to the secure site, e.g. https://www.google.com (country versions: https://www.google.com.sg, https://www.google.co.uk). Most UTM firewalls (content filters) do not filter encrypted (https://) content by default, so SafeSearch is not enforced, and inappropriate sites and Google Images searches will show undesirable images.

There are a couple of solutions to this issue:

Option 1. UTM firewall (not preferred, due to complexity and its side effects)

Enable deep inspection for SSL (DPI-SSL). This creates havoc, because every secure site will raise an invalid-certificate error.
To work around that, we need to generate a self-signed certificate on the UTM device, install it on all our endpoints, and create exceptions for sites that do not tolerate packet modification, e.g. Dropbox. In a nutshell, this is tedious to manage, and Internet traffic slows down noticeably because of the decryption/re-encryption. Of course we still need DPI-SSL where we want to block applications like Skype and other cleverly crafted applications. But if we only want to solve the Google HTTPS search issue, option 2 is preferable.

Option 2. DNS CNAME: (relatively simple solution)

2.1. Create Forward Lookup Zones for the Google domains (e.g. google.com, google.co.uk, google.com.tw, google.co.th, google.com.au, google.com.in, etc.)

2.2. Where we have two AD-DNS servers we would need to create the same record twice, unless we select "Store the zone in Active Directory" below.

2.3. Click Next>

2.4. Click Next>

2.5. Click Next>

2.6. Click Finish

2.7. Create CNAME (now right click on Google domain and select New Alias)

2.8. Leave Alias name blank and enter FQDN as nosslsearch.google.com

(Figure: what you should see after the above steps)

Steps for Windows Server 2008 and later DNS Manager:
(Please note: Windows Server 2008 does not allow creating the CNAME with a blank alias name as Windows Server 2003 does in step 2.8 above.)

Repeat steps 2.1 to 2.6 above.
Now create an A record under the Google domain (Forward Lookup Zones) in the Windows Server 2008 DNS.

[We could also perform the above by running another DNS server on Windows 2003 (it does not need to be AD-DNS) and forwarding all the Google traffic to it with the DNS forwarder or Conditional Forwarder option. But I find the technique above much simpler, as it does not require maintaining an additional DNS server.]

Note: Google has not changed the IP address of nosslsearch.google.com [216.239.32.20] for many years, but if they do, we need to change the record accordingly.

Also block the following site on the UTM firewall (proxy exception and WebBlocker). Leave it unblocked only where a VIP user needs encrypted search via the following link (optional).

http://encrypted.google.com/

Other Google sites (products) and services are not affected by the above configuration. This is a work-around technique that forces users onto non-SSL search so that the on-premise UTM firewall can enforce SafeSearch and other policies.

Posted in Others, WatchGuard | Tagged

Required open ports for OS X (Casper) update


To use Profile Manager, ensure that the following ports are open on your network:

2195, 2196 TCP: used by Profile Manager to send push notifications
5223 TCP: used to maintain a persistent connection to APNs and receive push notifications
80/443 TCP: provides access to the Profile Manager admin web interface
1640 TCP: enrollment access to the Certificate Authority

Source: http://support.apple.com/kb/HT5302

Requirements for hosting a software update server

  • DNS

The Software Update service requires that the server is registered in DNS (Domain Naming Service) and resolves correctly. The DNS name of the server is used by the clients to download updates.

  • Servers and ports

The synchronization module accesses the following public Software Update servers on destination port 80:

http://swscan.apple.com
http://swquery.apple.com
http://swdownload.apple.com
http://swcdn.apple.com

The latter (http://swcdn.apple.com) currently redirects to the Akamai content distribution network that hosts the updates. Note that the redirected IP address of http://swcdn.apple.com may vary over time or by geographic region.

With OS X Mountain Lion v10.8 or later, the synchronization module also accesses the following public Software Update server on destination port 443:

https://swdist.apple.com

  • Proxy

Authenticated proxy servers are not supported by the synchronization module, which means updates will not be mirrored by the server. While the synchronization module may work with non-authenticated and transparent proxy servers, Apple recommends that the Software Update server have direct access to the public Software Update servers listed above.

  • Dedicated network connection to the Internet

Software Update Server requires that the server have a dedicated connection to the Internet (specifically, to the URLs listed above in the “Servers and ports” section). If Software Update Server is unable to reach Apple’s content servers within the default HTTP connection timeout, it will try again during the next scheduled sync, 24 hours later.

These network ports are used by Apple TV for communications on your network.

  • TCP port 123 is used to communicate with a network time server.
  • TCP port 3689 is used to communicate with iTunes while using the iTunes Library Sharing feature.
  • UDP port 5353 is used by Apple TV for automatically finding computers with iTunes on your network using Bonjour.
  • TCP port 80 is used for communicating with podcast servers.
  • TCP port 80 and 443 are used for basic and secure communications with the iTunes Store via the Internet.
  • TCP port 53 is used for regular DNS.
Posted in Apple | Tagged

NIC loads issue from restored VM


Issue: when restoring a Linux VM (or a physical machine with a dissimilar NIC) onto another ESX host, the guest's NIC may not come up, because the network card MAC address on the destination host does not match the one recorded in the guest.

The following error message appears when you try to bring up the interface (e.g. ifup eth0):

device eth0 does not seem to be present, delaying initialization.

Possible causes are:

A newly installed or replaced NIC, a VM restored from backup, or a VM copied/moved from another host server.

The following illustration is based on CentOS and a VMware ESXi server:

Edit each network interface's settings and either remove the HWADDR line or update it with the MAC address of your new NIC, e.g. HWADDR=90:b1:1c:14:3f:be

# ls -l /etc/sysconfig/network-scripts/

# vi /etc/sysconfig/network-scripts/ifcfg-eth0

Replace HWADDR with the correct value.

Temporary fix:

# cd /sys/class/net
# ls -l

The listing shows the new NIC as eth3, not eth0.

Now rename the new interface to the old interface name (assuming the old NIC was eth0):

# ip link set dev eth3 name eth0

# ifup eth0
(bring up interface eth0)

# ifconfig -a
(check that the interface is up with the correct IP)

# ping [any ip]
(test connectivity)

The catch with this temporary fix: when you reboot the server, all the settings revert to the original.

Permanent fix:

# vi /etc/udev/rules.d/70-persistent-net.rules

The file still carries the wrong MAC address (the old value from the source host's NIC).

Remove the entry for the old NIC and give the new NIC's entry the correct name, eth0.

The NIC interface will then load automatically on subsequent reboots.
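As an added example (my own code, not from the original post), the following Python script performs the permanent fix above programmatically: it reads the new NIC's MAC address from /sys/class/net, rewrites the HWADDR= line in the ifcfg file, drops the stale 70-persistent-net.rules entry and renames the new NIC's entry to eth0. The sample file contents and the new MAC 00:0c:29:aa:bb:cc are constructed; the old MAC is the one quoted in the post; fix_files() and its arguments are names I chose.

```python
"""Rewrite the stale MAC address after restoring a CentOS VM to a new host.

Added example, not from the original post. Assumes the CentOS 6 layout the
post describes: /etc/sysconfig/network-scripts/ifcfg-eth0 with a HWADDR=
line and /etc/udev/rules.d/70-persistent-net.rules. The pure functions work
on file contents, so they can be tested offline against constructed samples.
"""
import re

MAC_RE = re.compile(r"([0-9a-f]{2}:){5}[0-9a-f]{2}", re.IGNORECASE)

# Constructed sample contents. The old MAC is the one quoted in the post;
# the new MAC (00:0c:29:aa:bb:cc) is an invented VMware-style address.
SAMPLE_IFCFG = """DEVICE=eth0
HWADDR=90:b1:1c:14:3f:be
TYPE=Ethernet
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.0.2.10
"""
SAMPLE_RULES = """# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="90:b1:1c:14:3f:be", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# PCI device 0x15ad:0x07b0 (vmxnet3)
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:0c:29:aa:bb:cc", ATTR{type}=="1", KERNEL=="eth*", NAME="eth3"
"""


def read_sysfs_mac(iface, sysfs_root="/sys/class/net"):
    """Read the live MAC of an interface (e.g. eth3, the name the kernel gave the new NIC)."""
    with open("%s/%s/address" % (sysfs_root, iface)) as fh:
        return fh.read().strip().lower()


def fix_ifcfg(text, new_mac):
    """Replace the HWADDR= line with the new MAC; every other key is left untouched."""
    out, found = [], False
    for line in text.splitlines():
        if line.strip().upper().startswith("HWADDR="):
            out.append("HWADDR=" + new_mac.lower())
            found = True
        else:
            out.append(line)
    if not found:
        raise ValueError("no HWADDR= line found; nothing to fix")
    return "\n".join(out) + "\n"


def fix_udev_rules(text, old_name, new_mac):
    """Drop the rule pinning the stale MAC to old_name and rename the new MAC's rule to old_name.
    Rules for unrelated NICs (other MACs, other names) are preserved as they are."""
    new_mac = new_mac.lower()
    out = []
    for line in text.splitlines():
        if line.startswith("SUBSYSTEM=="):
            m = MAC_RE.search(line)
            mac = m.group(0).lower() if m else None
            if mac != new_mac and 'NAME="%s"' % old_name in line:
                continue                      # stale entry from the source host: remove it
            if mac == new_mac:
                line = re.sub(r'NAME="[^"]*"', 'NAME="%s"' % old_name, line)
        out.append(line)
    return "\n".join(out) + "\n"


def fix_files(ifcfg_path, rules_path, new_iface, old_name="eth0"):
    """Apply both fixes in place, using the MAC the kernel currently reports for new_iface."""
    new_mac = read_sysfs_mac(new_iface)
    for path, fixer in ((ifcfg_path, lambda t: fix_ifcfg(t, new_mac)),
                        (rules_path, lambda t: fix_udev_rules(t, old_name, new_mac))):
        with open(path) as fh:
            fixed = fixer(fh.read())
        with open(path, "w") as fh:
            fh.write(fixed)
    return new_mac


if __name__ == "__main__":
    # Dry run on the constructed samples; on a restored VM call e.g.
    # fix_files("/etc/sysconfig/network-scripts/ifcfg-eth0",
    #           "/etc/udev/rules.d/70-persistent-net.rules", "eth3")
    print(fix_ifcfg(SAMPLE_IFCFG, "00:0c:29:aa:bb:cc"))
    print(fix_udev_rules(SAMPLE_RULES, "eth0", "00:0c:29:aa:bb:cc"))
```

Run it once as root and reboot; the udev rule then names the new NIC eth0 and the ifcfg HWADDR matches, so the temporary rename is no longer needed. Note that the temporary fix's "ip link set ... name" only works while the interface is down.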

Posted in Linux, VMWare | Tagged

Configure SMTP server for marketing emails


Configure a Windows SMTP server for bulk email sending.

The following steps may help when you are considering setting up an on-premise Windows SMTP server for sending newsletters and other email communications to external parties.

  1. Register a new domain

    Register a new domain and host the DNS with an ISP or service provider that allows you to manage the DNS settings.

  2. Use a clean public IP (check the blacklist databases)
  3. rDNS (PTR record)
    nslookup [public ip address of smtp server]
  4. Add an SPF record
  5. Send email in small batches (batch by batch; fewer than 30 emails)
  6. Include the SPF record for the primary domain (optional)
  7. DKIM (DomainKeys Identified Mail), optional
  8. Configure the SMTP server accordingly
  9. Ensure the firewall does not block outgoing and incoming port 25
  10. Advise recipients to add your domain to their Safe Sender list
  11. Avoid spam words in the email content

Detailed steps:

  1. Register a new domain

    Register a new domain and host the DNS with an ISP or service provider that allows you to manage the DNS settings.

  2. Use a clean public (external) IP

    Check the following URLs to see whether your domain or IP is blacklisted:
    http://www.mxtoolbox.com/blacklists.aspx
    http://www.dnswl.org/s

  3. Have your ISP create the rDNS (PTR) record
    Check the rDNS record from a command prompt:
    nslookup
    [public ip address of smtp server]
    Example:
    nslookup
    203.13.4.5
    mail.yourdomain.com

  4. Add an SPF record
    Simple example of an SPF record (it can take many forms):
    v=spf1 mx a a:mail.yourdomain.com ip4:203.12.22.23 ~all
    SPF record lookup:
    http://www.kitterman.com/spf/validate.html?
    http://www.microsoft.com/mscorp/safety/content/technologies/senderid/wizard/

  5. Send email in smaller batches (batch by batch); this prevents emails landing in the "Junk / Spam" folder or being blocked.

    Email interval: 20-30 emails on each attempt.

  6. Include the SPF record for the primary domain (optional)

    This is relevant when email needs to be sent with your other (primary) domain as the From: address.
    Example:
    yourprimarydomain.com "v=spf1 a mx ip4:203.12.22.23 include:yournewsmtpdomain.com ~all"

  7. DKIM (DomainKeys Identified Mail), optional
    About DKIM:
    http://www.dkim.org/
    Purchase:
    http://www.emailarchitect.net/domainkeys/
    DKIM test:
    http://www.appmaildev.com/en/dkim

  8. Configure the SMTP server accordingly

    Ensure you are relaying only for a limited set of internal IPs, not for the whole world.

    The "Limit message size" and "Limit number of connections" settings are a must, as they prevent sending excessive volumes of email at one time.

    Leave the following at the default settings:

    Ensure "Limit number of connections per domain" is below 30 as an ideal number. If you can control this from the email-sending application so that it sends no more than 30 emails a minute, you can raise it to the maximum, e.g. 300 (in case you occasionally need to send a large volume of email to internal users).

    Precaution:
    For external recipients, raising the value to 200-300 may make large deliveries easier (e.g. 300 emails to Gmail addresses at one time), but it will likely cause the email to land in the "Spam" folder.

    Increasing the maximum hop count increases the chance of delivery to the most distant remote mail servers; if a remote email server is beyond the specified hop count, an NDR is generated. Check that your fully qualified domain name (FQDN) is resolvable by clicking the Check DNS button. A smart host may improve delivery when the local SMTP server is unreachable (you could put your ISP's SMTP server address here if they allow relaying, or any other SMTP server that allows relaying).

  9. Firewall configuration
    Ensure the firewall does not block outgoing and incoming port 25.
    Allow TCP/25 in and out.
    Foreign email servers often check for a response from your email server; this check distinguishes a proper email server from a mere email-blast (out-blast) server.
    Check:
    c:\> telnet mail.yourdomain.com 25

  10. Add your domain name to the Safe Sender list
    Advise recipients to add your domain to their Safe Sender list:
    http://www.campaignmonitor.com/guides/whitelisting/
    http://help.verticalresponse.com/how-to/tutorial/add_our_address_to_your_safe_sender_list/

  11. Avoid spam words in the email content

Words and phrases that trigger some spam filters:
http://blog.hubspot.com/blog/tabid/6307/bid/30684/The-Ultimate-List-of-Email-SPAM-Trigger-Words.aspx

http://webmarketingtoday.com/articles/spamfilter_phrases/
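To make the two SPF records above (step 4 and the primary-domain include in step 6) concrete, here is an added example of my own, not code from the post: a small SPF evaluator that walks a record's mechanisms (ip4, ip6, a, mx, include, all with +/-/~/? qualifiers) and returns the result a receiving server would compute for a given sender IP. DNS answers come from a caller-supplied resolver, so it runs offline against a constructed zone that embeds the post's records; the domain names and 203.12.22.23 are the post's placeholders, the other addresses are invented documentation ranges, and check_spf/audit_sender/stub_resolver are my names. Macros, ptr and exists are not implemented.

```python
"""Minimal SPF (RFC 7208) evaluator for checking that an outbound SMTP server passes.

Added example, not part of the original post. Supports the mechanisms the
post's records use (ip4, ip6, a, mx, include, all with +/-/~/? qualifiers);
macros, ptr and exists are left out. DNS answers come from a caller-supplied
resolver so the example runs offline against the constructed zone below.
"""
import ipaddress

RESULT_BY_QUALIFIER = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed zone data mirroring the post's two example records. The domain
# names and 203.12.22.23 are the post's placeholders; the other addresses
# are RFC 5737 documentation ranges invented for this example.
ZONE = {
    ("yournewsmtpdomain.com", "TXT"): ["v=spf1 mx a a:mail.yournewsmtpdomain.com ip4:203.12.22.23 ~all"],
    ("yournewsmtpdomain.com", "A"): ["203.12.22.23"],
    ("yournewsmtpdomain.com", "MX"): ["mail.yournewsmtpdomain.com"],
    ("mail.yournewsmtpdomain.com", "A"): ["203.12.22.23"],
    ("yourprimarydomain.com", "TXT"): ["v=spf1 a mx ip4:203.12.22.23 include:yournewsmtpdomain.com ~all"],
    ("yourprimarydomain.com", "A"): ["203.0.113.10"],
    ("yourprimarydomain.com", "MX"): ["mail.yourprimarydomain.com"],
    ("mail.yourprimarydomain.com", "A"): ["203.0.113.25"],
}


def stub_resolver(name, rrtype):
    """Offline stand-in for DNS: returns the constructed answers, [] for unknown names."""
    return ZONE.get((name.lower().rstrip("."), rrtype), [])


def check_spf(domain, ip, resolve=stub_resolver, depth=0):
    """Evaluate the SPF record of `domain` for sender `ip`.
    Returns pass / fail / softfail / neutral / none / permerror."""
    if depth > 10:                        # guard against include loops
        return "permerror"
    records = [r for r in resolve(domain, "TXT") if r.lower().startswith("v=spf1 ") or r.lower() == "v=spf1"]
    if not records:
        return "none"
    if len(records) > 1:                  # RFC 7208: multiple records are a permanent error
        return "permerror"
    addr = ipaddress.ip_address(ip)
    for term in records[0].split()[1:]:
        qualifier = "+"
        if term[0] in "+-~?":
            qualifier, term = term[0], term[1:]
        mech, _, arg = term.partition(":")
        mech = mech.lower()
        if mech == "all":
            matched = True
        elif mech in ("ip4", "ip6"):
            try:
                matched = addr in ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"        # e.g. "ip4:" followed by a stray space before the address
        elif mech == "a":
            matched = str(addr) in resolve(arg or domain, "A")
        elif mech == "mx":
            matched = any(str(addr) in resolve(host, "A") for host in resolve(arg or domain, "MX"))
        elif mech == "include":
            matched = check_spf(arg, ip, resolve, depth + 1) == "pass"
        else:
            continue                      # modifiers such as redirect= / exp= are ignored here
        if matched:
            return RESULT_BY_QUALIFIER[qualifier]
    return "neutral"                      # no term matched and no "all" present


def audit_sender(domains, ip, resolve=stub_resolver):
    """Results for one outbound IP across every domain it sends as (the post's two-domain setup)."""
    return {d: check_spf(d, ip, resolve) for d in domains}


if __name__ == "__main__":
    for dom, res in audit_sender(["yournewsmtpdomain.com", "yourprimarydomain.com"], "203.12.22.23").items():
        print(dom, res)
```

Wire `resolve` to a real DNS client (e.g. dnspython) to check the live records before the first campaign; a production evaluator additionally enforces the RFC 7208 limit of ten DNS-querying terms. Note that a stray space in "ip4: 203.12.22.23" turns the mechanism into an empty address and yields permerror, which is why the records above are written without one.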

Useful links:

Gmail why messages are marked as SPAM
https://support.google.com/mail/answer/1366858?hl=en&ctx=mail&expand=5

Enhance email delivery
http://download.microsoft.com/download/e/3/3/e3397e7c-17a6-497d-9693-78f80be272fb/enhance_deliver.pdf

Blacklist/Whitelist Resources

Posted in Windows | Tagged