Monthly Archives: February 2011

Linux VMs running Hyper-V lose network connectivity when Live Migrated or Restarted

I ran into a problem not too long ago where a Linux VM running in Hyper-V lost network connectivity when it was restarted, or when it was Live Migrated between hosts in a Hyper-V cluster.

At first I verified all of the normal things: I made sure it was connected to the right Virtual Network, I made sure the Microsoft Virtual Network Switch Protocol was the only protocol enabled on the physical NIC bound to that Virtual Network on both hosts in the cluster, and I made sure the VM was using a Legacy Network Adapter instead of a (synthetic) Network Adapter.

I logged into the VM itself via the console and ran ifconfig; the only adapter that showed up was lo (the loopback adapter). I thought this was odd, as I had configured eth0 not long before. I verified that /etc/network/interfaces had the proper network settings configured for eth0, which it did.

At this point I had to do some research, and I found that newer Linux distributions (through udev's persistent network device rules) bind each ethN name to the MAC address of the NIC rather than to the device's hardware ID, so a NIC that shows up with a new MAC gets a new ethN name. I checked the VM's settings and sure enough the Legacy Network Adapter on the VM was set to a dynamic MAC address instead of a static one. I changed the setting to Static and kept the currently assigned MAC address as its static MAC address.

Inside the VM I ran ifconfig -a and saw that interface eth1 was available but not configured. I edited /etc/network/interfaces to say eth1 instead of eth0 and then restarted the networking service with: sudo /etc/init.d/networking restart. Sure enough I was able to access the network again.

I did a restart and a Live Migration and was able to continue accessing the network.
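An alternative to renaming eth0 to eth1 in /etc/network/interfaces is to fix the name binding itself. The following is an added example, not from the post: a constructed /etc/udev/rules.d/70-persistent-net.rules as Debian and Ubuntu of that era generated it. The MAC addresses are made up (00:15:5D is the prefix Hyper-V assigns), and the interface names are the ones the post describes.

```text
# /etc/udev/rules.d/70-persistent-net.rules (constructed example)
# Each rule pins an ethN name to one MAC address. After Hyper-V handed the VM a
# fresh dynamic MAC, no existing rule matched, so udev wrote a new rule for the
# new MAC and the NIC came up as eth1 while eth0 (and its config) went unused.

# Stale rule left over from the original dynamic MAC:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:15:5d:01:02:03", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"

# Rule udev generated for the MAC the adapter has now:
SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:15:5d:01:02:04", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth1"

# Fix: delete the stale rule and give the current MAC the eth0 name, so
# /etc/network/interfaces does not have to change:
# SUBSYSTEM=="net", ACTION=="add", DRIVERS=="?*", ATTR{address}=="00:15:5d:01:02:04", ATTR{dev_id}=="0x0", ATTR{type}=="1", KERNEL=="eth*", NAME="eth0"
```

Compare the MAC in the rule against the one shown by `ifconfig -a` (or `cat /sys/class/net/eth1/address`), edit the file, then reboot or run `udevadm trigger`. Whichever side you fix, pinning a static MAC on the Hyper-V adapter is what stops the problem from coming back, because a dynamic MAC can be regenerated when the VM is restarted or moved to another host.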

Configuring Dell 54xx Series and 62xx Series Switches – Cheat Sheet

In preparation for a few write-ups that I'll be posting here soon, I wanted to go through some of the more common things you'd probably want to do with the Dell 54xx and 62xx series of switches. Why Dell switches? The foremost answer is cost: for around $1000.00 you can get yourself a nice 48 port managed gigabit switch with a great selection of functionality. Is it better than the equivalent Cisco? Not necessarily, but it's also about half the cost.

One of the reasons I like these so much is the fact that if you're putting together a large order with Dell, you can get them to toss these in for hundreds off the list price, and it's a single point of support if you need to call Dell for any SAN or networking support.

So, what are some things you'd like to do with these? The more common things that I find myself configuring are:

  • VLANs
  • LAG Groups (Cisco calls these EtherChannels)
  • Configuring Spanning Tree and Rapid Spanning Tree Protocols
  • Configuring PortFast

Assuming that you've already run through the startup wizard and given the switch a username, password, IP address, mask, and gateway…

Configuring VLANs

  1. SSH (or telnet, though it sends your password in the clear) into the switch, or use the console
  2. Type "config" to enter config mode
  3. The first order of business when configuring VLANs is to define which VLANs should be active on this switch. Type "vlan database" to enter the VLAN configuration mode.
  4. Type "vlan ##" where ## is any number between 2 and 4094. Repeat this step for each VLAN that you'd like to define on this switch.

Once you’ve created the VLANs you can assign ports to each VLAN in one of two modes, Access or Trunk.

Access ports strip the 802.1Q VLAN tag from Ethernet frames and send them out the port untagged. Untagged frames coming into the port are assigned to the VLAN the port belongs to (the switch tags them internally with that VLAN ID). Access ports are used to connect client computers, printers, "dumb" switches that don't understand VLANs, or anything else that would not know what to do with a VLAN tag. An access port can only be assigned to one VLAN at a time.

Trunk ports, on the other hand, can carry multiple VLANs at once, which lets you pass traffic for every VLAN over a single link to another switch. Trunk ports don't strip the VLAN tag from frames but forward them intact, so the receiving switch can tell which VLAN each frame belongs to. The one exception is the native VLAN (VLAN 1 by default): its frames are sent untagged, and any untagged frames received on a trunk are placed onto it.

To configure an Access Port:

  1. From the config# prompt type: "interface ethernet g#" where # is the port number on the switch (to configure a range of ports at once type "interface range ethernet g#-@" where # is the first port in the range and @ is the last port in the range)
  2. From the config-if# prompt type: "switchport mode access" (this is the default, but also the way you switch back from being a trunk port)
  3. From the config-if# prompt type: "switchport access vlan #" where # is the VLAN you want to assign to this port. To change back to the default setting type: "switchport access vlan 1"

To configure a Trunk Port:

  1. From the config# prompt type: "interface ethernet g#" where # is the port number on the switch (to configure a range of ports at once type "interface range ethernet g#-@" where # is the first port in the range and @ is the last port in the range)
  2. From the config-if# prompt type: "switchport mode trunk"
  3. From the config-if# prompt type: "switchport trunk allowed vlan add #" where # is the VLAN number you want to add to the trunk. Repeat this step for each VLAN you want to add to the trunk. To remove a VLAN from a trunk type: "switchport trunk allowed vlan remove #"
  4. Make sure you configure both sides of a trunk link with the same VLANs, or traffic for the missing VLANs won't be passed between the switches.

To configure VLANs on LAG groups (EtherChannels) substitute "interface port-channel #" for "interface ethernet g#" in the above commands.

It may become necessary to change which VLAN is the untagged (native) VLAN for a trunk link. If you need to do this, use: "switchport trunk native vlan XX" where XX is the VLAN whose traffic should be passed WITHOUT VLAN tags (VLAN 1 by default). You'll have to perform this step on both ports that make up the trunk link, and both sides must agree, or untagged frames will land in a different VLAN on each side. Because a host's untagged frames ride the native VLAN, a common hardening step is to set the native VLAN on every trunk to an otherwise unused VLAN, so that a double-tagged frame sent from an access port can't hop into another VLAN across the trunk.

Configuring LAG Groups

LAG groups bundle several links between switches, or between a switch and a server NIC team, into one logical connection, so two gigabit Ethernet cables make a 2 Gbit/s logical link and four cables a 4 Gbit/s link. Note that traffic is distributed across the member links per conversation (by a hash of addresses), so any single flow is still limited to one cable's speed; the gain is aggregate bandwidth and redundancy. This is a great way to build a switching backbone, or to create multiple links between switches that are used for load balancing instead of just redundancy.

  1. Telnet into the switch (or use the console)
  2. Type "config" to enter config mode
  3. Type "interface ethernet g#" or "interface range ethernet g#-#" to select one or a range of interfaces to add to the LAG group.
  4. Type "channel-group # mode auto" where # is the number of the LAG group you are adding the switch ports to, normally 1-8. "mode auto" negotiates the bundle with LACP; use "mode on" for a static LAG when the device at the other end can't speak LACP.

Verifying a LAG Group

  1. First make sure that the switch on the other end of the LAG group is also configured.
  2. To verify that the LAG is active and working properly, type "exit" until you're back at the config# prompt, then type "show interfaces port-channel"
  3. The output will tell you which ports are members of the LAG, and which ones are active.

Configuring Spanning Tree Protocol

Spanning Tree prevents loops in the switching fabric. Which is to say it keeps you from screwing things up (well, not you, you never make mistakes, but it keeps co-workers from breaking things, yeah, we'll go with that). If you were to plug a switch port back into the same switch, or connect two switches together with more than one cable (without creating a LAG group), you'd quickly find that your switching fabric has become completely saturated with broadcasts (a broadcast storm), as your switches pass each broadcast back and forth between each other indefinitely.

Spanning Tree is a global feature that’s turned on at the switch level and not the port level. You turn on Spanning Tree by performing the following:

  1. Telnet into the switch (or use the console)
  2. Type "config" to enter config mode
  3. Type "spanning-tree"
  4. That's it. That's all there is to it, but classic Spanning Tree takes quite a while to converge, so on more modern switches you can configure Rapid Spanning Tree Protocol instead by typing "spanning-tree mode rstp"
  5. If you have an environment that contains switches or devices that don't understand Rapid Spanning Tree but do understand classic Spanning Tree, you can still run RSTP: a port falls back to classic STP when its neighbour only speaks STP. "spanning-tree mode mstp" (Multiple Spanning Tree) does the same per-port fallback and additionally lets you run separate spanning-tree instances for groups of VLANs.

Configuring PortFast

PortFast is a way of speeding up Spanning Tree on ports that are KNOWN to be connected to nothing other than an end device, such as a printer, server or workstation. Spanning Tree takes some time to figure out where all of the loops are in the switching fabric. This isn't a problem if the switching network has been up and running for a while, or if a single switch is rebooted, but let's say your entire switching network lost power at once and was rebooted: Spanning Tree could take up to two minutes or more to fully converge, and during this time no one would be able to send traffic over the switches. PortFast is a way to tell the switch that we KNOW nothing on this port will cause a loop, so it's okay to pass traffic without Spanning Tree being fully converged. Only enable it on ports facing end devices, never on ports that lead to another switch, and where the switch supports it pair it with BPDU guard, so that a PortFast port that unexpectedly receives a BPDU (someone plugged in a switch) is shut down instead of forming a loop.

To enable PortFast on an interface:

  1. Telnet into the switch (or use the console)
  2. Type "config" to enter config mode
  3. Type "interface ethernet g#" to enter the config-if# prompt
  4. Type "spanning-tree portfast". To disable PortFast type "no spanning-tree portfast"
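Putting the four procedures above (VLANs, LAG groups, Spanning Tree, PortFast) together, here is what one switch would end up with. This is an added example, not a configuration from the post: port numbers, VLAN IDs, the LAG number and the uplink ports are made up, it follows the post's g# interface naming (62xx switches name ports 1/g1), the "!" lines are annotations rather than commands, and the BPDU guard remark is a recommendation whose exact syntax varies by model.

```text
! Constructed PowerConnect 54xx-style configuration (added example, not from the post)
! VLAN 10 = workstations, VLAN 20 = servers, VLAN 99 = unused VLAN reserved as trunk native VLAN
config
vlan database
vlan 10
vlan 20
vlan 99
exit

! Access ports for end devices: one VLAN each, PortFast on, never on uplinks
interface range ethernet g1-24
switchport mode access
switchport access vlan 10
spanning-tree portfast
exit
interface range ethernet g25-40
switchport mode access
switchport access vlan 20
spanning-tree portfast
exit

! Two-cable LAG to the neighbouring switch, negotiated with LACP
interface range ethernet g47-48
channel-group 1 mode auto
exit

! VLAN settings go on the port-channel, not on the member ports.
! Only the VLANs that need to cross the link are allowed, and the native VLAN
! is an unused one so untagged/double-tagged frames cannot hop into VLAN 10 or 20.
! Mirror these three lines on the far end of the LAG or traffic will not pass.
interface port-channel 1
switchport mode trunk
switchport trunk allowed vlan add 10
switchport trunk allowed vlan add 20
switchport trunk native vlan 99
exit

! Rapid Spanning Tree switch-wide; classic-STP neighbours are handled per port.
! If the model supports BPDU guard, enable it on the PortFast ports as well.
spanning-tree
spanning-tree mode rstp
exit
copy running-config startup-config
```

After applying this, "show interfaces port-channel" should list g47 and g48 as active members of channel 1, and the same VLAN 10/20 allowed list plus native VLAN 99 must exist on the switch at the other end.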

Requesting and Installing a GoDaddy.com UCC Certificate in Exchange 2007

Exchange 2007 needs a certificate that covers every name its services are reached by, which in practice means a UCC (Unified Communications, i.e. multi-name) certificate. Exchange wants to see a valid certificate for each of its services, internal and external, so to cover all bases I typically create a certificate with the following Subject Alternative Names (SANs) (assuming that the server's name is "mailserver", the external domain is "company.com" and the internal Active Directory domain is "company.local"):

  • Public FQDN of the Server (mail.company.com)
  • Private FQDN of the server (mailserver.company.local)
  • Netbios name of the server (mailserver)
  • autodiscover.company.com
  • for the last SAN feel free to use www, or anything else, so that you can use this expensive certificate on your IIS servers as well (bear in mind that every server you copy it to also holds the private key, so keep that list short)

Godaddy.com allows you to create a UCC certificate with a Domain name, and up to 4 additional SANs, for a total of 5 FQDNs per certificate.

The first thing you'll need to do is log into your godaddy.com account, purchase a UCC certificate and start the wizard to configure it. When it asks you for your CSR, follow these instructions on your Exchange server to create one:

  1. Open the Exchange Management Shell.
  2. The first thing I do is run the following command to get a handle on what certificates are currently installed: Dir cert:\LocalMachine\MY | fl
  3. To generate a new CSR enter the following command: "New-ExchangeCertificate -generaterequest -keysize 2048 -subjectname "c=COUNTRY, l=CITYNAME, s=STATENAME, o=COMPANY NAME, cn=FIRST FQDN" -domainname SAN1, SAN2, SAN3, SAN4 -PrivateKeyExportable $true -path c:\certrequest.txt". Fill in the capitalized placeholders with your own information and the SANs listed above. The private key is generated and kept on the server where you run this, so run it on the server that will actually use the certificate.
  4. Once you've run the command, copy the contents of C:\certrequest.txt into the GoDaddy.com CSR request field and continue the wizard.
  5. The wizard will complete, and eventually you'll get an email from Go Daddy that your request is completed and you can download the certificate. Download the zip file to your Exchange server and extract it to a folder. The zip file will contain two certificates: an intermediates.p7b file and your FQDN.crt file.
  6. You'll have to follow these instructions from Go Daddy to install their intermediate certificate and disable their older Class 2 Root Certificate. I've included these instructions verbatim here, but you'll probably want to follow the most recent set of instructions from them when you download the certificate.
  7. Once the intermediate is installed and the Class 2 Root Certificate is disabled, you can install the new certificate on the Exchange server by moving the .crt file to c:\ and typing the following in the Exchange Shell: "Import-ExchangeCertificate -path c:\FQDN.crt". Change the name of the .crt file to match the one you were sent.
  8. Type "Dir cert:\LocalMachine\MY | fl" again and copy the thumbprint of the newly installed certificate.
  9. To enable the certificate type: "Enable-ExchangeCertificate -Thumbprint XXXXXXXXXXXXXXXXXXXXX -services "iis,IMAP,POP"", replacing the X's with the thumbprint you copied in step 8. IMAP and POP are optional, and I don't typically configure SMTP with SSL either.

That's it! Your new SSL certificate is now installed.
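The steps above can be scripted from the Exchange Management Shell, and doing so lets you check the issued certificate before anything is bound to it. This is an added example, not from the post: the names, the subject fields, the file paths and the SAN list are assumptions, the cmdlets are the same Exchange 2007 cmdlets the post uses, and the chain check assumes GoDaddy's intermediate has already been installed as described in the next post.

```powershell
# Added example: request, verify and enable an Exchange 2007 certificate.
# Names, paths and subject fields below are assumptions, not values from the post.
$cn   = 'mail.company.com'
$sans = 'mail.company.com', 'mailserver.company.local', 'mailserver',
        'autodiscover.company.com', 'www.company.com'

# 1. Generate the CSR on the server that will use the certificate (private key stays here)
New-ExchangeCertificate -GenerateRequest -KeySize 2048 `
    -SubjectName "c=US, l=Anytown, s=Somestate, o=Company, cn=$cn" `
    -DomainName $sans -PrivateKeyExportable $true -Path 'C:\certrequest.txt'

# ... submit C:\certrequest.txt to GoDaddy, download the bundle, install the
# intermediate certificate, then continue with the issued .crt file:

# 2. Import the issued certificate; the cmdlet returns it, so no thumbprint copy-paste
$imported = Import-ExchangeCertificate -Path 'C:\mail.company.com.crt'
$thumb    = $imported.Thumbprint
$cert     = Get-Item "cert:\LocalMachine\My\$thumb"

# 3a. The import must have been matched up with the private key from step 1
if (-not $cert.HasPrivateKey) {
    throw "Certificate $thumb has no private key. Was the CSR generated on this server?"
}

# 3b. Every intended name must be present in the Subject Alternative Name extension.
#     Format() output is locale dependent; 'DNS Name=' is the English form.
$sanExt   = $cert.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.17' }
$dnsNames = @()
if ($sanExt) {
    $dnsNames = $sanExt.Format($false) -split ',\s*' |
                ForEach-Object { ($_ -replace '^DNS Name=', '').Trim() }
}
$missing = $sans | Where-Object { $dnsNames -notcontains $_ }
if ($missing) { throw "Certificate is missing SANs: $($missing -join ', ')" }

# 3c. Refuse a key weaker than the one requested
$bits = $cert.PublicKey.Key.KeySize
if ($bits -lt 2048) { throw "Key is only $bits bits" }

# 3d. The chain must build on this machine: a failure here usually means the
#     intermediate is not installed, or revocation could not be checked (default is online).
$chain = New-Object System.Security.Cryptography.X509Certificates.X509Chain
if (-not $chain.Build($cert)) {
    $status = ($chain.ChainStatus | ForEach-Object { $_.Status }) -join ', '
    throw "Certificate chain does not build: $status"
}
$chain.ChainElements | ForEach-Object { Write-Host "Chain: $($_.Certificate.Subject)" }

# 4. Only now bind the certificate to the services
Enable-ExchangeCertificate -Thumbprint $thumb -Services 'IIS,POP,IMAP'
```

If step 3d fails with an untrusted-root or partial-chain status, install the intermediate and rerun from step 2's `Get-Item` line; binding a certificate whose chain clients cannot build produces exactly the Outlook and OWA warnings the UCC certificate was bought to avoid.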

Installing GoDaddy.com Intermediate Certificates

Note: These instructions are a verbatim copy of what is published on godaddy.com. They are published here because I reference them from another blog post; you'll probably want to follow the instructions included with your certificate when you download it from GoDaddy.com to make sure you are following the most recent set.

To Install Intermediate Certificate Bundles

  1. Type mmc in the Start search box after pressing the Start menu to start the Microsoft Management Console (MMC).
  2. In the Management Console, select File then Add/Remove Snap In.
  3. In the Add or Remove Snap-ins dialog, click the Add button and then select Certificates.
  4. Choose Computer Account then click Next.
  5. Choose Local Computer, then click Finish.
  6. Close the Add or Remove Snap-ins dialog and click OK to return to the main MMC window.
  7. If necessary, click the + icon to expand the Certificates folder so that the Intermediate Certification Authorities folder is visible.
  8. Right-click on Intermediate Certification Authorities and choose All Tasks, then click Import.
  9. Follow the wizard prompts to complete the installation procedure.
  10. Click Browse to locate the certificate file. Change the file extension filter in the bottom right corner to be able to select the file. Click Open after selecting the appropriate file.
  11. Click Next in the Certificate Import Wizard.
  12. Choose Place all certificates in the following store; then use the Browse function to locate Intermediate Certification Authorities. Click Next. Click Finish. NOTE: If the Go Daddy Class 2 Certification Authority root certificate is currently installed on your machine you will need to disable it from the Trusted Root Certification Authorities folder.
  13. Expand the Trusted Root Certification Authorities folder
  14. Double-click the Certificates folder to show a list of all certificates.
  15. Find the Go Daddy Class 2 Certification Authority certificate.
  16. Right-click on the certificate and select Properties.
  17. Select the radio button next to Disable all purposes for this certificate.
  18. Click OK.
  19. Repeat steps 13 to 18, using Starfield Class 2 Certificate Authority as the certificate name to disable.

NOTE: Do not disable the Go Daddy Secure Certification Authority certificate located in the Intermediate Certification Authorities folder. Doing so will break the server, causing it to stop sending the correct certificate chain to the browser.
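The MMC steps 1 to 12 above can be done from an elevated PowerShell prompt, which is handy when the same bundle has to go onto several servers. This is an added example, not part of GoDaddy's instructions: the bundle path is an assumption, and the two sanity checks (only CA certificates, no self-signed roots) are mine, added because putting an end-entity or root certificate into the Intermediate store is a common mistake that silently breaks chain building.

```powershell
# Added example: install the intermediate CA certificates from a PKCS#7 bundle
# into LocalMachine\Intermediate Certification Authorities ("CA" store).
# The path is an assumption; the post only says the file is called intermediates.p7b.
$bundle = 'C:\certs\intermediates.p7b'

$col = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2Collection
$col.Import($bundle)   # a .p7b may contain several certificates

$store = New-Object System.Security.Cryptography.X509Certificates.X509Store('CA', 'LocalMachine')
$store.Open('ReadWrite')
foreach ($c in $col) {
    # Only CA certificates belong in this store: check BasicConstraints, not the file name
    $bc = $c.Extensions | Where-Object { $_.Oid.Value -eq '2.5.29.19' }
    if (-not $bc -or -not $bc.CertificateAuthority) {
        Write-Warning "Skipping non-CA certificate: $($c.Subject)"
        continue
    }
    # A self-signed certificate is a root; it belongs in Trusted Root, not here
    if ($c.Subject -eq $c.Issuer) {
        Write-Warning "Skipping self-signed (root) certificate: $($c.Subject)"
        continue
    }
    if ($store.Certificates.Contains($c)) {
        Write-Host "Already installed: $($c.Subject)"
        continue
    }
    $store.Add($c)
    Write-Host "Installed intermediate: $($c.Subject) ($($c.Thumbprint))"
}
$store.Close()
```

The GoDaddy bundle of that time included a cross-signed Class 2 CA certificate (issued by ValiCert), which is not self-signed and so is installed by this script; the separate instruction above to disable the self-signed Class 2 root is what makes Windows build the chain through that cross certificate, and this script does not change root certificates at all.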

Windows 7 Not Remembering Remote Desktop Credentials for Server 2008 / Server 2008 R2

If you're like me you use RDP all of the time. You've probably got tons of RDP icons with the passwords saved in each one so that you can quickly bounce into all of the servers you are managing. If you've upgraded to Windows 7 as your workstation OS, you've probably also noticed that those RDP connections no longer remember your passwords for connections to Windows Server 2008 or Server 2008 R2.

The cause is CredSSP: the Windows 7 RDP client will not hand saved or default credentials to a server it can only authenticate with NTLM (a workgroup server, or one you connect to by IP address rather than by its Kerberos name) unless policy explicitly allows it. Here is how to resolve this problem:

  1. Click on Start, and then in the search bar type: gpedit.msc
  2. Expand Computer Configuration, Expand Administrative Templates, Expand System, Expand Credentials Delegation
  3. Double Click on “Allow Delegating Default Credentials with NTLM-only Server Authentication“. Click the “Show…” button, Enter the following: TERMSRV/*
  4. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  5. Double Click on “Allow Delegating Saved Credentials with NTLM-only Server Authentication“. Click the “Show…” button, Enter the following: TERMSRV/*
  6. Click OK, to close the Show Contents Window, Click OK again to close the next window.
  7. Click on Start, and then in the search bar type: GPUPDATE /FORCE

You'll now be able to save credentials into RDP connections for Server 2008 / 2008 R2 connections. Note that TERMSRV/* allows your saved credentials to be delegated to any host you RDP to, including one impersonating a server; if all your servers live in one domain, a narrower entry such as TERMSRV/*.company.local (or one entry per server) gets you the same convenience with less exposure.
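The same two policies can be set from an elevated PowerShell prompt, which also makes it easy to use a scoped server list instead of TERMSRV/*. This is an added example, not from the post: the domain name is an assumption, and the registry locations are the ones these Credentials Delegation policies are stored under (they are defined in CredSsp.admx), written directly rather than through gpedit.msc.

```powershell
# Added example: enable "Allow delegating default/saved credentials with NTLM-only
# server authentication" for a scoped set of servers. Run elevated.
# Assumed domain: company.local. TERMSRV/* would allow delegation to any host.
$base    = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CredentialsDelegation'
$targets = @('TERMSRV/*.company.local')

# policy value name -> matching "Concatenate OS defaults with input above" value name
$policies = @{
    'AllowDefaultCredentialsWhenNTLMOnly' = 'ConcatenateDefaults_AllowDefNTLMOnly'
    'AllowSavedCredentialsWhenNTLMOnly'   = 'ConcatenateDefaults_AllowSavedNTLMOnly'
}

New-Item -Path $base -Force | Out-Null
foreach ($name in $policies.Keys) {
    Set-ItemProperty -Path $base -Name $name             -Value 1 -Type DWord
    Set-ItemProperty -Path $base -Name $policies[$name]  -Value 1 -Type DWord

    # The server list lives in a subkey named after the policy, as REG_SZ values "1", "2", ...
    # Recreate it so stale entries (e.g. an old TERMSRV/*) do not linger.
    Remove-Item -Path "$base\$name" -Recurse -ErrorAction SilentlyContinue
    New-Item -Path "$base\$name" -Force | Out-Null
    $i = 1
    foreach ($spn in $targets) {
        Set-ItemProperty -Path "$base\$name" -Name ([string]$i) -Value $spn -Type String
        $i++
    }
}

gpupdate /force

# Show what is now in effect for saved credentials
Get-ItemProperty -Path "$base\AllowSavedCredentialsWhenNTLMOnly" |
    Select-Object -Property * -ExcludeProperty PS*
```

Because this writes the policy registry values directly, the change does not appear in gpedit.msc's local policy view, and a domain GPO that configures Credentials Delegation will overwrite it at the next refresh; on a domain-joined workstation, put the same scoped entries in the GPO instead.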