switchport Security<br />
Cisco, Security, Windows Server, Linux, coding, and whatever...<br />
Jaeson Velasco (http://www.blogger.com/profile/08939600173423514597)<br /><br />

<strong>What to do on a weekend?</strong> (2008-05-18)<br />
Think about next week's activities and prepare?<br /><br />Yeah, right.<br /><br />But honestly, that's what I'm doing right now. I'm here in the office setting up virtualized SQL and Exchange servers for a client. Aside from that, I have already finished some infrastructure VM images since Friday.<br /><br />For the weeks to come, it'll be like all-out war.<br /><br />It's time.<br /><br />This is the power of the network. NOW.<br /><br />

<strong>Being a Network Engineer: Joining Verizon</strong> (2008-05-17)<br />
I got asked questions coming from all angles - HSRP, VRRP, GLBP, MLPPP, at what layer IPSec is, OSPF, BGP, IOS configuration, IOS basics, cabling, MPLS, etc.<br /><br />One of them told me that they wouldn't ask me questions regarding BGP and MPLS because it would be unfair. Well, they're nice, but it seems the people I'd be working with won't be so forgiving.<br /><br />Most of the questions were focused on router basics, and was I in for an inconvenience - my last hands-on work on a router was in 2003!<br /><br />I've been putting time into Microsoft because it's funding me with respect to my Cisco dream. I feel like I'm sleeping with the devil. ^_^<br /><br />I got to the place around 10PM and I left the vicinity at around 1AM. There were 4 panelists, and each one was asking questions or adding questions to the other panelists' questions. Most likely, all of them were CCNPs.<br /><br />The funniest part of the interview process must have been when they asked me what I do in my spare time. One of the panelists commented, "Don't tell me you read books."<br /><br />haha!<br /><br />Plus, since I bought my own routers, it kind of rocked during the interview.<br /><br />During the last minutes I heard the scariest statements made during the entire interview process - "How soon can you start?" and "HR will contact you."<br /><br />Whew!<br /><br />Up to now, I don't know why I'm having butterflies. It seems I'd be dealing with the same type of clients I had when I was at Trend Micro. Maybe that's one of them. Maybe because I'm starting to chicken out. Or maybe it's because I'm already setting expectations for myself that I might not be able to achieve.<br /><br />

<strong>Just passed 70-648!!!</strong> (2008-01-27)<br />
Um, the exam was easy.<br /><br />yay!!!<br /><br />

<strong>Late!</strong> (2008-01-14)<br />
I woke up late because of studying till 4 AM... I just missed the beta exam opportunity!<br /><br />:(<br /><br />

<strong>71-647 MCITP: Enterprise Administrator</strong> (2008-01-14)<br />
I'm sitting the beta exam in a few hours. And I'm still stuck with IPv6 studies as of now.<br /><br />I guess I'm overdoing my studies with <span style="color:#3366ff;">Cisco Press</span> materials. Well, I have a bad feeling about the 71-646 exam. I should have read Cisco Press and I would have had better chances of passing the exam.<br /><br />I've just downloaded vids on Vista and one of Russinovich talking about my pet peeve, Hyper-V.<br /><br />hahahah! I won't tell you why.<br /><br />Anyway, let me go crazy as of the moment...<br /><br />-Jaeson<br /><br />

<strong>IPv6 Subnet Prefixes: What to use?</strong> (2008-01-13)<br />
Exactly the point. Given that it can vary, what should you use so that you won't get confused?<br /><br />Easy.<br /><br />Use a /64 prefix as the maximum for your network, especially for site-local addresses [fec0::/10 and fed0::/10], which work like RFC 1918 private addresses.<br /><br />But that isn't a hard and fast rule. It's just a guideline you can follow. The bottom line is that you can use any prefix as long as the number of hosts you need to assign IPv6 addresses to, and their subnet membership, are properly accommodated by the prefix you use. Heck, you can even use a /128 prefix if all you want is just one host.<br /><br />

<strong>Addendum regarding IPv6 Subnetting Sample 4</strong> (2008-01-13)<br />
One thing I forgot (because I was too busy converting from binary and decimal to hex) is that IPv6 does not have restrictions with respect to network and broadcast addresses.<br /><br />So, we can generalize subnetting into the following:<br /><br />SN calculation: 2^sn &gt;= req<br />H calculation: 2^h &gt;= req<br /><br />Applying the generalizations above, the answers for Sample 4 are as follows:<br /><br />Net - # Alloc - IP<br />LAN 3 - 33 - 2310:1234:0003::/122<br />LAN 4 - 21 - 2310:1234:0003::40/123<br />LAN 1 - 14 - 2310:1234:0003::60/124<br />LAN 2 - 04 - 2310:1234:0003::70/125<br />SL 01 - 02 - 2310:1234:0003::78/127<br />SL 02 - 02 - 2310:1234:0003::7a/127<br />SL 03 - 02 - 2310:1234:0003::7c/127<br /><br />IPv6 subnetting resembles the process by which IPv4 VLSM is performed.<br /><br />Expounding, we have:<br /><br /><strong>LAN 3 - 33 - 2310:1234:0003::/122</strong><br />IP range for 2310:1234:0003::/122<br />Starting IP: 2310:1234:0003::/122<br />Ending IP: 2310:1234:0003::3F/122<br /><br /><strong>LAN 4 - 21 - 2310:1234:0003::40/123</strong><br />IP range for 2310:1234:0003::40/123<br />Starting IP: 2310:1234:0003::40/123<br />Ending IP: 2310:1234:0003::5F/123<br /><br /><strong>LAN 1 - 14 - 2310:1234:0003::60/124</strong><br />IP range for 2310:1234:0003::60/124<br />Starting IP: 2310:1234:0003::60/124<br />Ending IP: 2310:1234:0003::6F/124<br /><br /><strong>LAN 2 - 04 - 2310:1234:0003::70/125</strong><br />IP range for 2310:1234:0003::70/125<br />Starting IP: 2310:1234:0003::70/125<br />Ending IP: 2310:1234:0003::77/125<br /><br /><strong>SL 01 - 02 - 2310:1234:0003::78/127</strong><br />IP range for 2310:1234:0003::78/127<br />Starting IP: 2310:1234:0003::78/127<br />Ending IP: 2310:1234:0003::79/127<br /><br /><strong>SL 02 - 02 - 2310:1234:0003::7a/127</strong><br />IP range for 2310:1234:0003::7a/127<br />Starting IP: 2310:1234:0003::7a/127<br />Ending IP: 2310:1234:0003::7b/127<br /><br /><strong>SL 03 - 02 - 2310:1234:0003::7c/127</strong><br />IP range for 2310:1234:0003::7c/127<br />Starting IP: 2310:1234:0003::7c/127<br />Ending IP: 2310:1234:0003::7d/127<br /><br />Note: It is very possible to do this, but you have to understand that we won't normally do it this way, as we are bound to roughly three ways of assigning IP addresses: 1. EUI-64 via stateless autoconfiguration, 2. stateful configuration through DHCPv6, and 3. address randomization, as in Windows Vista and Server 2008. In each of these the last 64 bits are generated by the system, unlike what I presented above.<br /><br />I got to read Wendell Odom's book on Cisco certification, and he said we can use any prefix as long as we have bits to represent the hosts in that segment, which is what I've done in my example.<br /><br />Clear?<br /><br />I did it just for fun. ^__^<br /><br />

<strong>IPv5: From Cisco Press</strong> (2008-01-12)<br />
The Internet community uses IPv4 and has used IPv6 for a couple of years. IANA is the organization that has the worldwide responsibility of assigning numbers to everything related to the Internet, which includes versions of the IP protocol. IANA assigned version 6 to the IPng protocol in 1995 following a request by the IPng working group.<br /><br />What about "IP version 5"? IPv5 is an experimental resource reservation protocol intended to provide quality of service (QoS), defined as the Internet Stream Protocol (ST). It can provide real-time transport of multimedia such as voice, video, and real-time data traffic across the Internet. This protocol is based on previous work of Jim Forgie in 1979, as documented in IETF Internet Experiment Note 199. It consists of two protocols—ST for the data transport and Stream Control Message Protocol (SCMP). IPv5, also called ST2, is documented in RFC 1819 and RFC 1190.<br /><br />Internet Streaming Protocol version 2 (ST2) is not a replacement for IPv4. It is designed to run and coexist with IPv4. The number 5 was assigned by IANA because this protocol works at the same link-layer framing as IPv4. A typical distributed multimedia application can use both protocols: IP for the transfer of traditional data and control information such as TCP/UDP packets, and ST2 for real-time data carriers. ST2 uses the same addressing schemes as IPv4 to identify hosts. Resource reservation over IP is now done using other protocols such as Resource Reservation Protocol (RSVP).<br /><br />

<strong>IPv6 Address Assignment and Subnetting!!! (Part 2)</strong> (2008-01-06)<br />
I have two more examples to dish out. See below:<br /><br /><strong>Sample 3</strong><br />This example shows the 48-bit network ID being extended through the subnet ID by borrowing 64 more bits.<br /><br />Net - # Alloc - IP<br />LAN 3 - 33 - 2310:1234:0003::/112<br />LAN 4 - 21 - 2310:1234:0003::1:0000/112<br />LAN 1 - 14 - 2310:1234:0003::2:0000/112<br />LAN 2 - 04 - 2310:1234:0003::3:0000/112<br />SL 01 - 02 - 2310:1234:0003::4:0000/112<br />SL 02 - 02 - 2310:1234:0003::5:0000/112<br />SL 03 - 02 - 2310:1234:0003::6:0000/112<br /><br /><strong>Sample 4</strong><br />This example is conservative with the address allocation and very much resembles the process by which IPv4 VLSM is performed.<br /><br />Net - # Alloc - IP<br />LAN 3 - 33 - 2310:1234:0003::/122<br />LAN 4 - 21 - 2310:1234:0003::40/123<br />LAN 1 - 14 - 2310:1234:0003::60/124<br />LAN 2 - 04 - 2310:1234:0003::70/125<br />SL 01 - 02 - 2310:1234:0003::78/126<br />SL 02 - 02 - 2310:1234:0003::7c/126<br />SL 03 - 02 - 2310:1234:0003::80/126<br /><br />

<strong>IPv6 Address Assignment and Subnetting!!! (Part 1)</strong> (2007-12-27)<br />
In IPv4, we have had classful and classless subnetting. The reason for subnetting was that IP addresses were dwindling, having originally been allocated by class.<br />
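As an added worked example (my code, not the blog's), here is the allocation procedure behind Samples 3 and 4 above, the Addendum's "2^h &gt;= req" rule, and Part 1's samples that follow, done with Python's standard ipaddress module. The parent block 2310:1234:0003::/48 and the host counts are the posts' own; the IPv4 parent 192.0.2.0/24 is a constructed value. With the IPv4 rule (2^h - 2 &gt;= req, network and broadcast reserved) the function reproduces Part 2's Sample 4 table exactly; with the Addendum's IPv6 rule it reproduces the Addendum except for LAN 2, where 2^2 = 4 already satisfies 2^h &gt;= 4, so the strict rule yields /126 rather than the /125 in the table.

```python
"""Added example (not from the blog): VLSM-style allocation of the sub-blocks
shown in the subnetting samples, using only the standard library.
Assumptions: the parent block 2310:1234:0003::/48 and the host counts are
taken from the posts; 192.0.2.0/24 is a constructed IPv4 parent."""
import ipaddress

# Requirement list from the posts: (network name, hosts to address).
REQUIREMENTS = [("LAN 3", 33), ("LAN 4", 21), ("LAN 1", 14), ("LAN 2", 4),
                ("SL 01", 2), ("SL 02", 2), ("SL 03", 2)]


def host_bits_needed(hosts, reserve_net_bcast):
    """Smallest h such that a block of 2**h addresses can hold `hosts`.

    IPv4 rule (the green VLSM picture): 2**h - 2 >= hosts, because the
    network and broadcast addresses are not usable for hosts.
    IPv6 rule (the Addendum's 'H calculation'): 2**h >= hosts.
    """
    h = 0
    while 2 ** h - (2 if reserve_net_bcast else 0) < hosts:
        h += 1
    return h


def allocate(parent, requirements, reserve_net_bcast=None):
    """Carve `requirements` out of `parent`, largest network first.

    Returns a list of (name, hosts, ipaddress network) in allocation order.
    Largest-first ordering keeps every block aligned to its own size, since
    the running offset is always a multiple of the previous (larger) block.
    """
    parent = ipaddress.ip_network(parent)
    if reserve_net_bcast is None:
        reserve_net_bcast = parent.version == 4   # IPv4 default: reserve both
    ordered = sorted(requirements, key=lambda r: r[1], reverse=True)
    offset = int(parent.network_address)
    limit = int(parent.broadcast_address) + 1    # one past the last address
    allocations = []
    for name, hosts in ordered:
        h = host_bits_needed(hosts, reserve_net_bcast)
        size = 2 ** h
        if offset + size > limit:
            raise ValueError(f"{name} ({hosts} hosts) does not fit in {parent}")
        # Build a child network of the same family as the parent; the strict
        # constructor rejects a misaligned (offset, prefix) pair.
        child = type(parent)((offset, parent.max_prefixlen - h))
        allocations.append((name, hosts, child))
        offset += size
    return allocations


def ranges(allocations):
    """The 'Starting IP / Ending IP' view the Addendum prints for each block."""
    return [(name, str(net), str(net.network_address), str(net.broadcast_address))
            for name, _, net in allocations]


if __name__ == "__main__":
    for rule, flag in (("IPv6 rule (2^h >= req)", False),
                       ("IPv4-style rule (2^h - 2 >= req)", True)):
        print(rule)
        for row in ranges(allocate("2310:1234:0003::/48", REQUIREMENTS, flag)):
            print("  %-5s %-24s %s .. %s" % row)
    print("IPv4 VLSM on a constructed 192.0.2.0/24:")
    for row in ranges(allocate("192.0.2.0/24", REQUIREMENTS)):
        print("  %-5s %-18s %s .. %s" % row)
```

Sorting largest-first is what keeps each block aligned to its own size without any explicit alignment arithmetic; if the sort were removed and a /127 allocated first, the strict IPv6Network constructor would reject the following misaligned /122, which is a useful built-in sanity check.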
<br />How do we perform IPng subnetting?<br /><br />What's in here?<br />-IPv6 Address Assignment<br />-IPv4 VLSM Sample<br />-IPv6 Subnetting Sample<br /><br /><b>IPv6 Address Assignment</b><br />The example below shows (including the part where IANA handed off the IP address assignment task to ICANN) how IPv6 addresses are assigned. It starts with ICANN assigning an IPv6 block, 2310::/12, to a Regional Internet Registry, ARIN in this case. With ARIN now holding an IP block, it can assign IP addresses to ISPs.<br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5149311392135025010" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgKk-Erj3gvIk7ahIgwLmYBQ0pcHAe1cy7Ig_ZSAdzvbjOCVvwLUlFwTxan2mer9JncAvK_znG_8uNxnV2h4zlS6RkfNqJd5gGhFWmcZmOvfwvYCx6e9of5nfAfVM1OPo4Z2aLXtdPNBvw/s400/Address.Assignment.JPG" style="display: block; margin: 0px auto 10px; text-align: center;" /><br /><b>IPv4 VLSM Sample</b><br />VLSM is actually one of my favorite topics. Everything I want to say is in the picture. You can perform faster IPv4 subnetting with the technique displayed there. I learned it the hard way, dealing with 1s and 0s, before doing it with decimal numbers, which is the way to go.<br /><img alt="" border="0" id="BLOGGER_PHOTO_ID_5149330672243216770" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg7pjpywaGCLksGhdsZ8o6G7xaPlG-mJxmYYkiM7ABYVB_2jolV7Y6t5bG0Nk1bBAKMR0k29sZwFJWa-bz6fQet41cq7uBiLFGyBqWBiPaUYFRwZHHKcsbcc5npWEcDXxHedtbiMJ5EwnY/s400/VLSM.Subnetting.JPG" style="display: block; margin: 0px auto 10px; text-align: center;" /><b><span style="color: #cc0000;">Note: </span></b>The graphic has a green background because I love the blackboard-and-chalk combination of the older days. VLSM is a classless subnetting technique, whereas when IP subnetting was first devised it was classful-based. What I mean is that everything was built around following the default prefixes of /8, /16, and /24, and depending on how many subnets were required, subnetting was then performed.<br /><br /><b>IPv6 Subnetting Sample</b><br />How are we to perform subnetting for IPv6? We do it the way we perform classless IPv4 subnetting. Let's make use of the same figure as in the VLSM sample I gave, only this time with v6 addresses. Also, let's assume that the network will be using the IPv6 block 2310:1234:0003::/48.<br /><br />One other thing to consider is that we needn't concern ourselves much with network and broadcast addresses. And note which prefix length gets assigned to the network with the lowest IP allocation.<br /><br /><b>Sample 1</b><br />Referring to the VLSM sample I gave (the green picture), and using IPv6 instead of IPv4, subnetting the example gives us the following:<br /><br />Net - # Alloc - IP<br />LAN 3 - 33 - 2310:1234:0003::/58<br />LAN 4 - 21 - 2310:1234:0003:40::/59<br />LAN 1 - 14 - 2310:1234:0003:60::/60<br />LAN 2 - 04 - 2310:1234:0003:70::/61<br />SL 01 - 02 - 2310:1234:0003:74::/62<br />SL 02 - 02 - 2310:1234:0003:7c::/62<br />SL 03 - 02 - 2310:1234:0003:80::/62<br /><br /><b>Sample 2</b><br />Well, look at these:<br /><br />Net - # Alloc - IP<br />LAN 3 - 33 - 2310:1234:0003::/64<br />LAN 4 - 21 - 2310:1234:0003:1::/64<br />LAN 1 - 14 - 2310:1234:0003:2::/64<br />LAN 2 - 04 - 2310:1234:0003:3::/64<br />SL 01 - 02 - 2310:1234:0003:4::/64<br />SL 02 - 02 - 2310:1234:0003:5::/64<br />SL 03 - 02 - 2310:1234:0003:6::/64<br /><br /><span style="color: #cc0000;">So, what's the difference?</span> That's easy to spot. In Sample 1, the subnet IDs increment by the size of each subnet allocation.<br /><br />In Sample 2, the subnet IDs increment by 1, starting from 0.<br /><br />Why?<br /><br />Because when hosts are stateless, they pick up the prefix advertised by the routers and append their interface IDs as the last 64 bits of the v6 address.<br /><br />

<strong>Address Randomization and Non-unique addresses for IPv6</strong> (2007-12-26)<br />
<div>If IPv6 addresses are to be always static, this will certainly raise concerns. What's one of the benefits of IP masquerading?</div><br /><div>That's anonymity!!!</div><br /><div>There should be a mechanism that allows the creation of random IPv6 addresses. That's what my last blog post informed you about.</div><br /><div><span style="font-size:85%;">Defined in RFC 3041, Privacy Extensions for Stateless Address Autoconfiguration in IPv6, this feature is offered by the Windows family of operating systems from Windows CE onward, which prefers this address type for outgoing communication because the address has a short lifetime and is regenerated periodically. 
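</span></div>
As an added example (mine, not the blog's or Microsoft's), the code below implements the two interface-identifier procedures spelled out in the EUI-64 post further down this page: the MAC to modified EUI-64 conversion with the U/L bit complemented, and the RFC 3041 history/MD5 regeneration that produces the short-lived random addresses this post refers to. The MAC 00-AA-00-3F-2A-1C and its expected result FE80::2AA:FF:FE3F:2A1C come from that post; the 8-byte history seed and the prefix 2001:db8:1:2::/64 are constructed values, and feeding the modified (U/L-flipped) EUI-64 into the hash is my choice, since the post only says "based on the EUI-64 address".

```python
"""Added example (not from the blog or Microsoft): modified EUI-64 interface
IDs and RFC 3041 temporary interface IDs, following the steps the EUI-64
post on this page lists. The MAC 00-AA-00-3F-2A-1C is the post's own; the
history seed and the 2001:db8:1:2::/64 prefix are constructed values."""
import hashlib
import ipaddress

UL_BIT = 0x02   # the seventh bit of the first byte, counted from the left
SEED_HISTORY = bytes.fromhex("0011223344556677")   # constructed seed, not from the post


def mac_to_modified_eui64(mac):
    """48-bit MAC -> 8-byte modified EUI-64: insert FF-FE, complement the U/L bit."""
    octets = bytes(int(x, 16) for x in mac.replace(":", "-").split("-"))
    if len(octets) != 6:
        raise ValueError(f"not a 48-bit MAC: {mac}")
    eui = bytearray(octets[:3] + b"\xff\xfe" + octets[3:])
    # XOR covers both of the post's cases at once: universally administered
    # (add 0x2) and locally administered (subtract 0x2).
    eui[0] ^= UL_BIT
    return bytes(eui)


def iid_to_colon_hex(iid):
    """8 bytes -> the colon-hex form the post shows, e.g. 2AA:FF:FE3F:2A1C."""
    return ":".join(f"{int.from_bytes(iid[i:i + 2], 'big'):X}" for i in range(0, 8, 2))


def with_prefix(prefix, iid):
    """Combine a /64 prefix with an 8-byte interface identifier."""
    net = ipaddress.IPv6Network(prefix)
    if net.prefixlen != 64:
        raise ValueError("interface IDs are appended to a /64 prefix")
    return ipaddress.IPv6Address(net.network_address.packed[:8] + iid)


def link_local_from_mac(mac):
    """fe80::/64 plus the modified EUI-64, as in the post's conversion example."""
    return with_prefix("fe80::/64", mac_to_modified_eui64(mac))


def rfc3041_next_iid(history, eui64_iid):
    """One iteration of the RFC 3041 procedure as the post lists it.

    1. history || EUI-64-based interface ID
    2. MD5 over that quantity
    3. last 64 bits of the digest become the next history value
    4. first 64 bits with the U/L bit cleared become the temporary IID
    Returns (temporary_iid, next_history).
    """
    digest = hashlib.md5(history + eui64_iid).digest()
    next_history = digest[8:]
    iid = bytearray(digest[:8])
    iid[0] &= 0xFF ^ UL_BIT   # U/L bit 0 -> locally administered
    return bytes(iid), next_history


def temporary_addresses(prefix, mac, history, count):
    """`count` successive temporary addresses for one prefix. Each regeneration
    (the post: after the valid lifetime expires) feeds the saved history back in."""
    eui = mac_to_modified_eui64(mac)
    out = []
    for _ in range(count):
        iid, history = rfc3041_next_iid(history, eui)
        out.append(with_prefix(prefix, iid))
    return out, history


if __name__ == "__main__":
    mac = "00-AA-00-3F-2A-1C"
    print("interface ID :", iid_to_colon_hex(mac_to_modified_eui64(mac)))
    print("link-local   :", link_local_from_mac(mac))
    addrs, _ = temporary_addresses("2001:db8:1:2::/64", mac, SEED_HISTORY, 3)
    for a in addrs:
        print("temporary    :", a)
```

The link-local address is fully determined by the MAC, which is exactly the tracking problem the post describes; the temporary addresses change with every regeneration even for the same adapter, yet each still carries a locally-administered interface ID because the U/L bit is cleared in step 4.
<div><span style="font-size:85%;">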
</span></div><br /><div><span style="font-size:85%;"></span></div><br /><div><strong><span style="font-size:85%;">Non-Unique IPv6 address</span><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqEPpN6omQyL3Rtyn8YyHyZD0VV3tE7km71YiCVanrMwVYo3EulH3tIFNV5lcLZtWf_QX20ExnHV1fGQ9550vSl7ETTRBVPIuFl8prQB33VPIAgV4MTIR6ZR8H-mdMhs0b3QwnhX2oe0g/s1600-h/solicited-node.multicast.bmp"><span style="font-size:85%;"><img id="BLOGGER_PHOTO_ID_5148219577088643330" style="FLOAT: right; MARGIN: 0px 0px 10px 10px; CURSOR: hand" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqEPpN6omQyL3Rtyn8YyHyZD0VV3tE7km71YiCVanrMwVYo3EulH3tIFNV5lcLZtWf_QX20ExnHV1fGQ9550vSl7ETTRBVPIuFl8prQB33VPIAgV4MTIR6ZR8H-mdMhs0b3QwnhX2oe0g/s400/solicited-node.multicast.bmp" border="0" /></span></a></strong></div><div><span style="font-size:85%;">Not all IPv6 addresses would be unique. Consider the diagram on the right side.</span></div><div><span style="font-size:85%;"></span> </div><div><span style="font-size:85%;">The right-most 24-vits for Routers B and C are very much the same. </span></div><div><span style="font-size:85%;"></span> </div><div><span style="font-size:85%;">Let's say all nodes have the /64 prefix. This would mean that the network for both routers B and C will be 2001:100:200:300::/64. </span></div><div><span style="font-size:85%;"></span> </div><div><span style="font-size:85%;">A solicited-node multicast address is used in v6 for resolving v6 addresses to a MAC address on a LAN segment.</span></div><div><span style="font-size:85%;"></span> </div><div><span style="font-size:85%;">The two routers will then be listening to the same solicited-node multicast address. 
If a packet is sent there, each would have a copy but the main point here is that only the host whose full destination address matched the address of the multicast packet will process the data and then respond with a neighbor advertisement.</span></div>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-508805023556795342007-12-26T16:01:00.000+08:002008-12-09T14:21:06.814+08:00The Extended Universal Identifier<div><span style="font-size:85%;">Given a network address and prefix, how would you know the network address of a host in IPv6? </span></div><br /><br /><div><br /></div><div><span style="font-size:85%;">What's in here?</span></div><div><span style="font-size:85%;">-EUI-64</span></div><div><span style="font-size:85%;">-IEEE 802 address conversion example</span></div><div><span style="font-size:85%;">-Randomly generated Interface IDs</span><br /><br /></div><div><span style="font-size:85%;"><strong>EUI-64</strong></span></div><div><span style="font-size:85%;">Interface Identifiers in global unicast and other types of v6 addresses must be 64-bits long and follow a certain format as defined by EUI-64.</span></div><div><br /></div><div><span style="font-size:85%;">This format is dereived from the 48-bit link-layer address of interface cards - the MAC address - and is inserted with the hex value of FFFE between the upper 3-bytes of the OUI and the lower 3-bytes of the link-layer address.</span><br /></div><div><span style="font-size:85%;"><img id="BLOGGER_PHOTO_ID_5148194069277872338" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhCWmH-e9GtusirTFdMJUNFHtcjqO1Y5I4W4hBle3Ob80Oi7WwHgkrxeZtSDEYHXEXuaXBi4DZ2a4v9JkMCxWWZa6BUfYiyYF1KOkzYNyriMXzOF6xe2NRlb2JhKpPkD3aJ_jkbvJZCzfw/s320/EUI-64.U.L.bmp" border="0" /></span></div><div><span style="font-size:85%;">But it doesn't stop here. 
The other issue is to make the IPv6 address you've just conjured up, or your machine for that matter, to be universally unique. This is done by flagging the seventh (7th) bit of the higher order, most significant byte to be either 0, as in locally, or 1, as global. This then ensures uniqueness of the address. </span></div><div><span style="font-size:85%;">The 7th bit is known as the U/L-bit. The 8th bit in the higher order, most significant byte is known as the G-bit. </span></div><div><br /><span style="font-size:85%;">The G-bit is used to manage groups - signifying groups or single hosts. In English, this indicates whether the address is either unicast , set to 0, or multicast, set to 1.</span></div><div><br /><br /></div><div><span style="font-size:85%;"></span></div><div><span style="font-size:85%;"><strong>IEEE 802 address conversion example (From http://www.microsoft.com)</strong></span></div><div><span style="font-size:85%;">In this example, Host A has an IEEE 802 address (Ethernet MAC) of 00-AA-00-3F-2A-1C. The following steps occur when converting this address to IPv6:<br /></span></div><div><br /></div><div><span style="font-size:85%;">To convert the MAC address to EUI-64 format, FF-FE is inserted between the third and fourth bytes. This yields 00-AA-00-FF-FE-3F-2A-1C.<br /></span></div><div><br /></div><div><span style="font-size:85%;">The U/L bit, which is the seventh bit in the first byte, is complemented. The first byte in binary form is 00000000. 
When the seventh bit is complemented, it becomes 00000010 (0x02).</span></div><div><br /></div><p><span style="font-size:85%;"><strong><span style="color:#cc0000;">Note: </span></strong>When complementing the U/L bit, perform the following steps: </span><span style="font-size:85%;"><br /></p></span><span style="font-size:85%;"><ul><li>If the EUI-64 address is universally administered, add 0x2 to the first byte.</span><span style="font-size:85%;"></li><li>If the EUI-64 address is locally administered, subtract 0x2 from the first byte.</span></li></ul><p><span style="font-size:85%;">The result, 02-AA-00-FF-FE-3F-2A-1C, is converted to colon-hexadecimal notation, yielding the interface identifier 2AA:FF:FE3F:2A1C. </span></p><p><span style="font-size:85%;">Thus, in this example, the link-local address that corresponds to the network adapter with the MAC address of 00-AA-00-3F-2A-1C is FE80::2AA:FF:FE3F:2A1C.</span></p><div><span style="font-size:85%;"><strong></strong></span> </div><div><span style="font-size:85%;"><strong>Randomly generated Interface IDs</strong></span><br /><span style="font-size:85%;">Because IPv6 address identifiers remain static, for security reasons, a method is required to provide temporary addresses. The IPv6 protocol for Windows CE .NET 4.1 and later creates temporary addresses for global address prefixes by default.</span></div><span style="font-size:85%;"><div><br />In the IPv4-based Internet it is difficult to track a user's traffic on the basis of IP address. A typical user connects to an Internet service provider (ISP) and then obtains an IPv4 address by using the Point-to-Point Protocol (PPP) and the Internet Protocol Control Protocol (IPCP). 
Each time the user connects to the Internet, a different IPv4 address might be obtained, making it difficult to track their usage.<br /></div><div><br /></div><div>For IPv6-based dial-up connections, after the connection is made through router discovery and stateless address autoconfiguration, the user is assigned a 64-bit prefix. If the interface identifier is based on a EUI-64 address derived from the static IEEE 802 address, the traffic of a specific node can be identified regardless of the prefix. This makes it easy to track a specific user and their use of the Internet. To address this concern and provide a level of anonymity, an alternative IPv6 interface identifier can be randomly generated and changed over time. This method is described in RFC 3041. </div><p>The following list shows how the initial interface identifier is generated by using random numbers:</p><ul><li>For IPv6 systems that cannot store historical information for generating future interface identifier values, a new random interface identifier is generated each time the IPv6 protocol is initialized. </li><br /><li>For IPv6 systems that have storage capabilities, a history value is stored. When the IPv6 protocol is initialized, a new interface identifier is created through the following process:</li></ul><ol><li>Retrieve the history value from storage and append the interface identifier based on the EUI-64 address of the adapter.</li><li>Compute the Message Digest-5 (MD5) one-way encryption hash over the quantity in step 1.</li><li>Save the last 64 bits of the MD5 hash computed in step 2 as the history value for the next interface identifier computation.</li><li>Take the first 64 bits of the MD5 hash computed in Step 2 and set the seventh bit to zero. The seventh bit corresponds to the U/L bit which, when set to 0, indicates a locally administered interface identifier. 
The result is the interface identifier.</li></ol><div>The IPv6 address based on this random interface identifier is known as a temporary address. Temporary addresses are generated for public address prefixes that use stateless address autoconfiguration - routers give the addresses.<br /></div><div>Temporary addresses are used for the lower of the valid and preferred lifetimes values shown in the following table.<br /></div><img id="BLOGGER_PHOTO_ID_5148207035784138994" style="DISPLAY: block; MARGIN: 0px auto 10px; CURSOR: hand; TEXT-ALIGN: center" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZeHtGKoYJr6JhY_CM66wvVXyQyjf8VQN-uwpu5XjblanNqIzbLtFuosaoEc3eU378wPgQwc4zgFT2Fw5rqWX2n2GLfwrlONa0pZZ2hcxHe2-ZnMJWMsXwybELdEdMhWxcbD5LCEJ4u_Y/s400/Random.Generation.Stateless.Autoconfig.bmp" border="0" />After the valid lifetime of temporary address expires, a new interface identifier and temporary address are generated.</span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;"></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-70931129851415898672007-12-25T16:13:00.000+08:002008-12-09T14:21:07.068+08:00IP Next Generation (ng): IPv6<span style="font-size:85%;">For starters, we don't have IPv5 that works the way we think it should work. It's somewhat a streaming protocol defined in RFCs 1190 and 1819 and works the same way as MPLS does, in some respect.<br /><br />Ever wondered what an IPv6 number is? Do you understand what ipconfig /all and ifconfig spits out in the CLI about your IPv6 address? 
And do you know that you have more than one IPv6 address?<br /><br />If you don't, read on!<br /><br />What's in here?<br />-What is IPv6?<br />-The IPv6 Header</span><br /><span style="font-size:85%;">-Addressing Notation<br />-Zone Indices and Multi-homed servers<br />-Address and Communication Types<br />-WKA<br /><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGBGyGHVmoOp5aHDzio1B8fIXpn5Wx-WaAJm7S-n-V8IPe-qOg-QXVbkU84pxoWg4R7mdCCwtubGUiPS2TgtaG5jltROyYgmfmaEaznzirQpZe8QqaAu6q38_ztDChBCSfCgQr4E1I4Eo/s1600-h/5-68.jpg"><img id="BLOGGER_PHOTO_ID_5147823787262382226" style="FLOAT: left; MARGIN: 0pt 10px 10px 0pt; CURSOR: pointer" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiGBGyGHVmoOp5aHDzio1B8fIXpn5Wx-WaAJm7S-n-V8IPe-qOg-QXVbkU84pxoWg4R7mdCCwtubGUiPS2TgtaG5jltROyYgmfmaEaznzirQpZe8QqaAu6q38_ztDChBCSfCgQr4E1I4Eo/s320/5-68.jpg" border="0" /></a><iframe allowfullscreen='allowfullscreen' webkitallowfullscreen='webkitallowfullscreen' mozallowfullscreen='mozallowfullscreen' width='320' height='266' src='https://www.blogger.com/video.g?token=AD6v5dyhR5WImSab2u-JCMJ5HuYSc5BAL0HB7hMA_en8kPJ8UESSoZNIXJVV_Q67FkFBFI-d8TBTk8i2IyJ82Ru4ZA' class='b-hbp-video b-uploaded' frameborder='0'></iframe></span><br /><span style="font-size:85%;"><span style="FONT-WEIGHT: bold">What's IPV6?</span><br /><br /></span><span class="content" style="font-size:85%;">IPv6 is a new IP protocol designed to replace IPv4, the Internet protocol that is predominantly deployed and extensively used throughout the world. IPv6 quadruples the number of network address bits from 32 bits (in IPv4) to 128 bits or approximately 3.4 x 10<sup>38</sup> addressable nodes, which provides more than enough globally unique IP addresses for every network device on the planet. 
(From http://www.cisco.com)</span><span style="font-size:85%;"><br /></span><span style="font-size:85%;"><br />How different is this from IPv4?</span><br /><ul><li><span style="font-size:85%;">larger address space</span></li></ul><p>Uses a 128-bit addressing format capable of 2^128 IPv6 addresses</p><ul><li><span style="font-size:85%;">Option for Stateless autoconfiguration and </span><span style="font-size:85%;">Stateful configuration for hosts through DHCPv6</span></li><li><span style="font-size:85%;">Multicast</span></li><li><span style="font-size:85%;">Link-local addresses</span></li><li><span style="font-size:85%;">Support for payload of arounbd 65535 octets</span></li><li><span style="font-size:85%;">Network layer security native support</span></li></ul><p><span style="font-size:85%;">IPSec is natively supported and built into IPv6.</span></p><ul><li><span style="font-size:85%;">MIPv6</span></li></ul><p><span style="font-size:85%;">MobileIP is available for both v4 and v6 that enables mobile devices to move seemlessly throughout a network. This is native in IPng.</span></p><ul><li><span style="font-size:85%;">faster processing due to no checksums</span></li></ul><span style="font-size:85%;"><span style="FONT-WEIGHT: bold">The IPv6 Header</span></span><br /><span style="font-size:85%;">The v6 header is noticeably more streamlined than its predecessor. This gives it the notion that v6 communication is a lot faster and more effiecient. Let's take a closer look at it.</span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Version</span><br /><span style="font-size:85%;">From the figure above, the first part of the header is the version field that has a value of 6, meaning IPv6. 
</span><br /><strong><span style="font-size:85%;"></span></strong><br /><span style="font-size:85%;">Traffic Class</span><br /><span style="font-size:85%;">An 8-bit field that distinguishes packets with different real-time delivery requirements, used in differentiated services (Diffserv).</span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Flow Label</span><br /><span style="font-size:85%;">Tags a flow of packets; used for multilayer switching techniques and faster packet-switching performance.<br /></span><span style="font-size:85%;"></span><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Payload length</span><br /><span style="font-size:85%;">As the name says: the length of what follows the header.<br /></span><br /><span style="font-size:85%;">Next Header</span><br /><span style="font-size:85%;">This is like the Transport field in IPv4: it tells you what follows this header - TCP, UDP, or an extension header.<br /></span><br /><span style="font-size:85%;">Hop limit</span><br /><span style="font-size:85%;">A better name for TTL; the value is decremented by every router the packet traverses. The advantage in v6 is that there is no header checksum to recompute at each hop, which in v4 costs extra processing time.<br /></span><br /><span style="font-size:85%;">Source Address<br /></span><br /><span style="font-size:85%;">Destination Address<br /></span><br /><span style="font-size:85%;">Extension headers</span><br /><span style="font-size:85%;">There might be a need for the fields that IPv4 had and the fixed v6 header lacks, and this is where extension headers come in handy. 
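An added example, not from the original post, that parses the fixed-header fields just described and then follows Next Header through the extension headers listed next; the per-header length rules are taken from RFC 8200 (Fragment is a fixed 8 bytes, AH counts 32-bit words) and the packet is constructed inline. A filter that only reads the first 40 bytes would miss what sits behind the chain, so the walk is bounds-checked against Payload Length at every step.

```python
"""Parse a constructed IPv6 packet: the fixed 40-byte header, then follow Next Header
through the extension-header chain to the upper-layer protocol.
Added example, not from the original post."""
import struct
from ipaddress import IPv6Address

FIXED_LEN = 40
# Next Header values that are extension headers (RFC 8200 / IANA protocol numbers).
EXT = {0: "Hop-by-Hop Options", 43: "Routing", 44: "Fragment",
       50: "ESP", 51: "AH", 60: "Destination Options"}
UPPER = {6: "TCP", 17: "UDP", 58: "ICMPv6", 59: "No Next Header"}


def parse_fixed_header(pkt):
    """Fields of the fixed header; raises on a short packet or a non-6 version nibble."""
    if len(pkt) < FIXED_LEN:
        raise ValueError("packet shorter than the 40-byte IPv6 header")
    word, payload_len, next_hdr, hop_limit = struct.unpack("!IHBB", pkt[:8])
    if word >> 28 != 6:
        raise ValueError("version nibble is %d, not 6" % (word >> 28))
    return {"version": 6,
            "traffic_class": (word >> 20) & 0xFF,   # 8 bits: DiffServ / ECN
            "flow_label": word & 0xFFFFF,           # 20 bits
            "payload_length": payload_len,          # octets after the fixed header
            "next_header": next_hdr,
            "hop_limit": hop_limit,                 # decremented per router, no checksum
            "src": str(IPv6Address(pkt[8:24])),
            "dst": str(IPv6Address(pkt[24:40]))}


def walk_extension_headers(pkt, max_headers=8):
    """Follow the Next Header chain. Returns (names, upper-layer protocol number, offset
    of the upper-layer header). Every step is checked against Payload Length so a header
    that claims more bytes than the packet carries is rejected, not trusted."""
    hdr = parse_fixed_header(pkt)
    end = FIXED_LEN + hdr["payload_length"]
    if end > len(pkt):
        raise ValueError("Payload Length exceeds captured bytes")
    nh, off, chain = hdr["next_header"], FIXED_LEN, []
    while nh in EXT:
        if len(chain) >= max_headers:
            raise ValueError("extension header chain longer than %d" % max_headers)
        if off + 2 > end:
            raise ValueError("truncated extension header")
        if nh == 44:                  # Fragment: fixed 8 bytes, no length field
            length = 8
        elif nh == 51:                # AH: Payload Len is in 32-bit words, minus 2
            length = (pkt[off + 1] + 2) * 4
        elif nh == 50:                # ESP: everything after it is encrypted
            chain.append(EXT[nh])
            return chain, None, off
        else:                         # Hop-by-Hop, Routing, Dest Opts: (Hdr Ext Len + 1) * 8
            length = (pkt[off + 1] + 1) * 8
        if off + length > end:
            raise ValueError("%s header runs past Payload Length" % EXT[nh])
        chain.append(EXT[nh])
        nh, off = pkt[off], off + length
    return chain, nh, off


def build_sample_packet():
    """Constructed sample: IPv6 / Hop-by-Hop / Destination Options / UDP to ff02::1."""
    hop_by_hop = bytes([60, 0, 1, 4, 0, 0, 0, 0])    # Next=60, Hdr Ext Len=0, PadN(4)
    dest_opts = bytes([17, 0, 1, 4, 0, 0, 0, 0])     # Next=17 (UDP), PadN(4)
    udp = struct.pack("!HHHH", 5353, 5353, 10, 0) + b"hi"
    payload = hop_by_hop + dest_opts + udp
    word = (6 << 28) | (0 << 20) | 0xABCDE                   # version 6, TC 0, flow label
    fixed = struct.pack("!IHBB", word, len(payload), 0, 64)  # Next Header 0 = Hop-by-Hop
    fixed += IPv6Address("fe80::200:cff:fe19:abcd").packed
    fixed += IPv6Address("ff02::1").packed
    return fixed + payload


def describe(pkt):
    """One-line summary of the chain, e.g. for a log entry."""
    hdr = parse_fixed_header(pkt)
    chain, upper, off = walk_extension_headers(pkt)
    name = UPPER.get(upper, str(upper)) if upper is not None else "encrypted"
    return "%s -> %s hop=%d flow=0x%x [%s] %s @%d" % (
        hdr["src"], hdr["dst"], hdr["hop_limit"], hdr["flow_label"],
        " / ".join(chain) or "none", name, off)


if __name__ == "__main__":
    print(describe(build_sample_packet()))
```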
Currently, 6 types are defined as follows:</span><br /><ul><li><span style="font-size:85%;">Hop-by-hop options - used for router alerts, like those for RSVP (resource reservation protocol) and MLD (multicast listener discovery v1), and for jumbograms</span></li><li><span style="font-size:85%;">Destination options - carries optional info that needs to be processed by destination nodes</span></li><li><span style="font-size:85%;">Routing - used for source routing and MIPv6</span></li><li><span style="font-size:85%;">Fragmentation - well, we still have this one, but it's used only when we have to fragment</span></li><li><span style="font-size:85%;">Authentication and Encapsulating Security Payload headers - IPSec protocol stuff</span></li><li><span style="font-size:85%;">Upper-layer header - kind of like what the Next Header field does</span></li></ul><span style="font-size:85%;">Though we still can perform fragmentation in IPv6, what normally happens is that the host sends path MTU discovery packets to determine the optimum maximum transmission unit for a given session. It queries the path until it gets an appropriate response for what MTU to use when sending data on the line. This is done per link and cached to track the responses. But this can also be performed using the flow labels.</span><br /><span style="font-size:85%;"></span><br /><span style="font-size:85%;">Source routing has the source dictate how data should traverse the network.</span><br /><span style="font-size:85%;"><span style="FONT-WEIGHT: bold"></span></span><br /><span style="font-size:85%;"><span style="FONT-WEIGHT: bold">Addressing Notation</span><br />It's very easy to distinguish what an IPv6 address looks like. 
The hard thing is writing it down and memorizing the address - that's why DNS becomes VERY important as well.<br /><br />Given the ip 2002:03c9:0000:0000:0000:0000:1526:69ab, what are other alternatives to representing the address?<br /><br />2002:03c9:0000:0000:0000:0000:1526:69ab can also be written as</span><br /><ul><li><span style="font-size:85%;">2002:03c9:0000:0000:0000::1526:69ab</span></li><li><span style="font-size:85%;">2002:03c9:0:0:0:0:1526:69ab</span></li><li><span style="font-size:85%;">2002:03c9:0:0::1526:69ab</span></li><li><span style="font-size:85%;">2002:03c9::1526:69ab</span></li></ul><div style="TEXT-ALIGN: center"><span style="font-size:85%;"><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">Note: </span>You can only cut down on leading zeroes.</span><br /></div><span style="font-size:85%;"><br /><span style="font-size:85%;">Representing the IPv4 address 192.168.168.170<br /><br /></span><span style="font-size:85%;"></span></span><ul><li><span style="font-size:85%;"><span style="font-size:85%;">::ffff:192.168.169.170</span></span></li><li><span style="font-size:85%;"><span style="font-size:85%;">::ffff:c0a8:a9aa</span></span></li></ul><span style="font-size:78%;">or<br /><br /></span><span style="font-size:78%;"></span><ul><li><span style="font-size:85%;"><span style="font-size:85%;">0:0:0:0:0:ffff:c0a8:a9aa</span></span></li></ul><span style="font-size:85%;"><span style="font-size:85%;"><br /><br /></span></span><div style="TEXT-ALIGN: center"><span style="font-size:85%;"><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">Note: </span>c0a8:a9aa, if my conversion was correct (top of my head, sorry)</span><br /></div><span style="font-size:85%;"><br /></span><span style="font-size:85%;">Special Addresses in IPv6<br /><br /></span></span><span style="font-size:85%;"></span><ul><li><span style="font-size:85%;">Link-local Address</span></li><li><span style="font-size:85%;">Site-local Address</span></li><li><span 
style="font-size:85%;">Multicast address</span></li></ul><span style="font-size:85%;"><br /><br />Link-local<br />:: /128 the unspecified address (software use only)<br />::1/128 the loopback address for IPv6, not like IPv4 with 127.0.0.0/8!!!<br />fe80:: /10 the IPv4 APIPA equivalent<br /><br />Site-local<br />fc00:: /7 unique site-local address that is centrally administered<br /></span><span style="font-size:85%;">fd00:: /7 unique site-local address that is locally administered<br /><br /><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">Note: </span>Does this remind you of RFC 1918-type addresses?<br /><br />IPv4 special Addresses<br />::ffff:0:0 /96 - obsolete though<br />2002:: /16<br /><br /><br />Multicast<br />ff00:: /8 multicast addressing usage<br /><br />Examples<br /><br /></span></span><span style="font-size:85%;"></span><ul><li><span style="font-size:85%;">ff02::1 - all hosts on segment<br /></span></li><li><span style="font-size:85%;">ff02::2 -<br /></span></li><li><span style="font-size:85%;">ff02::5 - must be for OSPF routers</span></li><li><span style="font-size:85%;">ff02::6 - </span><span style="font-size:85%;">must be for OSPF DRs and BDRs</span></li><li><span style="font-size:85%;">ff02::9 - all RIP routers, most certainly</span></li><li><span style="font-size:85%;">ff02::1:ffxx:xxxx - the IPv6 equivalent of an ARP request (solicited-node multicast)</span></li><li><span style="font-size:85%;">ff05::101 - all NTP servers</span></li></ul><span style="font-size:85%;"><br /><br /></span><div style="TEXT-ALIGN: center"><span style="font-size:85%;"><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">Note: </span></span><span style="font-size:85%;">ff02::6, hmm? </span><span style="font-size:85%;">Remember the IPv4 OSPF DR and BDR multicast address? 
That's 224.0.0.6!</span><br /></div><span style="font-size:85%;"><br /></span><span style="font-size:85%;"><span style="FONT-WEIGHT: bold">Zone Indices and Multi-homed servers</span><br />Every IPv6 NIC has a link-local address, and all of them share the same prefix, so they look as if they were on one network boundary or subnet. On a multi-homed server or router this causes a problem: the address alone does not say which interface it belongs to.<br /><br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbnHyiaHUaH8iZS9PV9b92MS8i3FYjiOgrFR2bgkw9d5NF6WanasR_KzKMX1JcourQCrEpEVKTbcgT_dYQe31klxIg4ykIv8vCPsPvWwUwp5X5R3_As64ImIKrOeqcGqztdma8WGRgFpA/s1600-h/CuteEngineer.JPG"><img id="BLOGGER_PHOTO_ID_5147855574315339938" style="FLOAT: left; MARGIN: 0pt 10px 10px 0pt; CURSOR: pointer" alt="" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjbnHyiaHUaH8iZS9PV9b92MS8i3FYjiOgrFR2bgkw9d5NF6WanasR_KzKMX1JcourQCrEpEVKTbcgT_dYQe31klxIg4ykIv8vCPsPvWwUwp5X5R3_As64ImIKrOeqcGqztdma8WGRgFpA/s320/CuteEngineer.JPG" border="0" /></a><span style="font-size:85%;">But how do we get around this problem?<br /><br /><span style="font-size:85%;">Simple.<br /><br />Through RFC 4007, adding a zone index for the interface solves the problem.<br /><br />Example:<br /><br /></span></span></span><span style="font-size:85%;"><span style="font-size:85%;"></span></span><ul><li><span style="font-size:85%;"><span style="font-size:85%;">Microsoft - fe80::3%1</span></span></li><li><span style="font-size:85%;"><span style="font-size:85%;">BSD - fe80::5%pcn0</span></span></li><li><span style="font-size:85%;"><span style="font-size:85%;">Linux - fe80::5%eth0</span></span></li></ul><span style="font-size:85%;"><span style="font-size:85%;"><br /><br /><br /><br /></span></span><span style="font-size:85%;"><span style="FONT-WEIGHT: bold">Address and Communication Types</span><br /></span><span style="font-size:85%;"><span class="content">A multicast group is an arbitrary group of 
receivers that expresses an interest in receiving a particular data stream. This group has no physical or geographical boundaries—the receivers can be located anywhere on the Internet or in a private network. Receivers that are interested in receiving data flowing to a particular group must join the group by signaling their local router. This signaling is achieved with MLD protocol, which is the IPv6 equivalent of the IGMP protocol on IPv4. The network then delivers data to potentially unlimited receivers, using only one copy of the multicast data per subnet. (From http://www.cisco.com)<br /><br /></span></span><span style="font-size:85%;">Unicast - host-to-host<br />Multicast - host-to-group<br /></span><span style="font-size:85%;">Anycast - host-to-closest host<br /><br /></span><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0); font-size:85%;">[Side_Note]</span><br /><span style="font-size:85%;">What is MLD?<br /></span><span style="font-size:85%;">Multicast Listener Discovery (MLD) v1 performs the functions of, and is derived from, IGMPv2, while MLDv2 is equivalent to IGMPv3 and is needed to work with PIM-SSM. Unlike IGMP on IPv4, MLD uses ICMPv6 to carry its messages. All MLD messages are local to the link, with a hop limit of 1 and the Router Alert option enabled.<br /><br /></span><span style="font-size:85%;">There are three types of MLD messages:<br />1. Query<br />2. Report<br />3. Done<br /><br />1. Query (Type = decimal 130)<br />General and Group Specific<br />In a General Query, the Multicast Address field is set to zero; the query learns which multicast addresses have listeners on an attached link.<br /><br />In a Group-Specific (Multicast-Address-Specific) Query, the address field is set to a specific IPv6 multicast address. This query learns whether that particular multicast address has any listeners on an attached link.<br /><br />2. 
Report (Type = decimal 131)<br />In a Report message, the Multicast Address field is that of the specific IPv6 multicast address to which the sender is listening.<br /><br />3. Done (Type = decimal 132)<br />In a Done message, the Multicast Address field is that of the specific IPv6 multicast address to which the sender is ceasing to listen.<br /></span><span style="font-size:85%;"><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">[/Side_Note]</span><br /><br /><br /><span style="FONT-WEIGHT: bold">Link-local Addresses</span><br /><br /></span></span></span><span style="font-size:85%;"></span><ul><li><span style="font-size:85%;">assigned automatically as the host comes online</span></li><li><span style="font-size:85%;">kind of like APIPA</span></li><li><span style="font-size:85%;">always begins with fe80; the first 10 bits are 1111 1110 10</span></li><li><span style="font-size:85%;">the last 64 bits are the 48-bit physical address of the NIC with FFFE inserted in the middle</span></li></ul><span style="font-size:85%;">Say your MAC address is 00-00-0C-19-ab-cd. 
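Carrying that derivation through, along with the notation rules and special ranges from the sections above, as an added example that is not from the original post: it expands and compresses addresses, builds both IPv4-mapped forms, derives the link-local address from the MAC (including the universal/local bit inversion RFC 4291 requires, which the worked example that follows leaves out), strips a zone index, and classifies an address into the special ranges listed earlier. Standard library only; the sample values are the post's own.

```python
"""IPv6 notation helpers: expand/compress text forms, IPv4-mapped forms, link-local from a
MAC (modified EUI-64), zone indices and special-range classification.
Added example, not from the original post; standard library only."""
from ipaddress import IPv4Address, IPv6Address, IPv6Network


def _groups(packed):
    """16 bytes -> eight 4-digit hex groups."""
    return ":".join("%04x" % int.from_bytes(packed[i:i + 2], "big") for i in range(0, 16, 2))


def expand(addr):
    """Full form with leading zeroes restored, e.g. 2002:03c9:0000:0000:0000:0000:1526:69ab."""
    return _groups(IPv6Address(addr).packed)


def compress(addr):
    """Canonical short form (RFC 5952): drop leading zeroes in each group and replace the
    longest run of two or more all-zero groups with one '::'. Only leading zeroes go."""
    groups = [g.lstrip("0") or "0" for g in expand(addr).split(":")]
    best_start, best_len, i = -1, 0, 0
    while i < 8:
        if groups[i] != "0":
            i += 1
            continue
        j = i
        while j < 8 and groups[j] == "0":
            j += 1
        if j - i > best_len:
            best_start, best_len = i, j - i
        i = j
    if best_len < 2:
        return ":".join(groups)
    return ":".join(groups[:best_start]) + "::" + ":".join(groups[best_start + best_len:])


def same_address(*forms):
    """True when every textual form denotes the same 128-bit value."""
    return len({IPv6Address(f).packed for f in forms}) == 1


def ipv4_mapped(v4):
    """(hex form, dotted form) of ::ffff:a.b.c.d, as in the post's 192.168.169.170 example."""
    packed = b"\x00" * 10 + b"\xff\xff" + IPv4Address(v4).packed
    return compress(_groups(packed)), "::ffff:" + v4


def link_local_from_mac(mac):
    """Modified EUI-64 (RFC 4291): split the MAC, insert ff:fe, and invert the universal/local
    bit (0x02) of the first octet. The post's worked example leaves that bit as it is."""
    octets = bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    iid = bytes([octets[0] ^ 0x02]) + octets[1:3] + b"\xff\xfe" + octets[3:]
    return compress(_groups(b"\xfe\x80" + b"\x00" * 6 + iid))


def solicited_node(addr):
    """ff02::1:ffxx:xxxx, built from the low 24 bits of a unicast address (Neighbor Discovery)."""
    low24 = IPv6Address(addr).packed[-3:]
    return compress(_groups(b"\xff\x02" + b"\x00" * 9 + b"\x01\xff" + low24))


def split_zone(addr):
    """'fe80::5%eth0' -> ('fe80::5', 'eth0'); the RFC 4007 zone index is None when absent."""
    if "%" in addr:
        text, zone = addr.split("%", 1)
        return compress(text), zone
    return compress(addr), None


# Ranges in the order the post lists them, most specific first.
SPECIAL = [
    (IPv6Network("::/128"), "unspecified"),
    (IPv6Network("::1/128"), "loopback"),
    (IPv6Network("::ffff:0:0/96"), "IPv4-mapped"),
    (IPv6Network("2002::/16"), "6to4"),
    (IPv6Network("fe80::/10"), "link-local"),
    (IPv6Network("fc00::/7"), "unique-local"),
    (IPv6Network("ff00::/8"), "multicast"),
]
MCAST_SCOPE = {1: "interface-local", 2: "link-local", 4: "admin-local",
               5: "site-local", 8: "organization-local", 0xE: "global"}


def classify(addr):
    """Name the special range an address falls in; multicast adds the flags and scope nibbles."""
    text, _zone = split_zone(addr)
    a = IPv6Address(text)
    for net, label in SPECIAL:
        if a in net:
            if label == "multicast":
                flags, scope = a.packed[1] >> 4, a.packed[1] & 0xF
                return "multicast flags=0x%x scope=%s" % (flags, MCAST_SCOPE.get(scope, hex(scope)))
            if label == "unique-local" and a.packed[0] == 0xFD:
                return "unique-local, locally assigned (fd00::/8)"
            return label
    return "global unicast" if a.packed[0] >> 5 == 0b001 else "reserved/other"
```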
</span><span style="font-size:85%;">Your link-local address is fe80::0000:0Cff:fe19:abcd<br /><br /><span style="FONT-WEIGHT: bold">Unique-local (RFC 4193)/Site-local Addresses (RFC 3513)</span><br /><br /></span><span style="font-size:85%;"></span><ul><li><span style="font-size:85%;">used within enterprise networks to identify the boundary of their networks</span></li><li><span style="font-size:85%;">kind of like private IP addressing for IPv6</span></li></ul><span style="font-size:85%;">8-bits 40-bits 16-bits 48-bits<br />111 110[10] GlobalID SubnetID InterfaceID<br /><br />fc00:: /8, which becomes fd00:: /8 if locally administered or assigned<br /><br /><br /><span style="FONT-WEIGHT: bold">Global Addresses</span><br />the global routing prefix is 48 bits or less<br />the subnetID is comprised of whatever bits are left after the global routing prefix demarc<br />the high-level 3 bits are set to 001<br /><br />global routing prefix - n bits<br /><br />n-bits 64-n-bits interfaceID<br />[001..][..............][.................]<br /><br /><span style="FONT-WEIGHT: bold">Multicast Addressing</span><br /><br /></span><span style="font-size:85%;"></span><ul><li><span style="font-size:85%;">first 8 bits are always FF</span></li><li><span style="font-size:85%;">flags: currently 4 bits defined ---> 0RPT; 0 - unassigned, R - rendezvous point address embedded, P - based on a unicast prefix, T - 0 if permanently assigned (well-known), 1 if transient</span></li><li><span style="font-size:85%;">scope defines how far the multicast reaches, 4 bits in length<br /></span></li></ul><span style="font-size:85%;">Scope bits:<br /><br />1 - interface-local<br />2</span><span style="font-size:85%;"> - link-local</span><br /><span style="font-size:85%;">3</span><span style="font-size:85%;"> - subnet-local</span><br /><span style="font-size:85%;">4</span><span style="font-size:85%;"> - admin-local</span><br /><span style="font-size:85%;">5</span><span style="font-size:85%;"> - site-local</span><br /><span style="font-size:85%;">8</span><span 
style="font-size:85%;"> - organization</span><br /><span style="font-size:85%;">e</span><span style="font-size:85%;"> - global</span><br /><span style="font-size:85%;"><br /><br />Format<br /><br />[1111 1111][Flag][Scope][Address]<br /><br /><span style="FONT-WEIGHT: bold; COLOR: rgb(204,0,0)">Note:</span> I'll add more to this section. A bit tired now.<br /><br />We don't have broadcasting in IPv6; multicasting takes over that function in v6.<br /><br />-Jaeson<br /><br /></span><span style="font-size:85%;"></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-90446528871247471372007-12-25T15:31:00.000+08:002007-12-25T16:13:34.622+08:00Sweet! MCITP: Server and Enterprise Administrator<span style="font-size:85%;"><span style="font-family:courier new;">You are invited to take the following beta exams.</span><br /><br /><span style="font-family:courier new;"> * 71-646: PRO: Windows® Server 2008, Server Administrator counts as credit towards Microsoft Certified IT Professional (MCITP): Server Administrator</span><br /><span style="font-family:courier new;"> * 71-647: PRO: Windows® Server 2008, Enterprise Administrator counts as credit towards MCITP: Enterprise Administrator</span><br /><br /><span style="font-family:courier new;">If you pass the beta exam, the exam credit will be added to your transcript and you will not need to take the exam in its released form. By participating in beta exams, you have the opportunity to provide the Microsoft Certification program with feedback about exam content, which is integral to development of exams in their released version. We depend on the contributions of experienced IT professionals and developers as we continually improve exam content and maintain the value of Microsoft certifications. 
Please remember that participation in the beta process is completely voluntary and Microsoft makes no promises or guarantees regarding the beta exam process. You can expect to receive your score on the beta exam within 12 weeks of taking the exam, although in some instances, beta exams may take longer to score and your results may be delayed.</span><br /><br /><span style="font-family:courier new;">Availability</span><br /><span style="font-family:courier new;"></span><br /><span style="font-family:courier new;"> Registration begins: December 21, 2007</span><br /><span style="font-family:courier new;"> </span><span style="font-family:courier new;">Beta exam period runs: December 21, 2007–January 18, 2008</span><br /><span style="font-family:courier new;"> </span><span style="font-family:courier new;">Receiving this invitation does not guarantee you a seat in the beta; we recommend that you register immediately. Beta exams have limited availability and are operated under a first-come-first-served basis. Once all beta slots are filled, no additional seats will be offered.</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Testing is held at Prometric testing centers worldwide, although this exam may not be available in all countries (see Regional Restrictions). 
All testing centers will have the capability to offer this exam in its live version.</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Regional Restrictions: India, Pakistan, China</span><br /><br /><span style="font-family:courier new;">Registration Information</span><br /><span style="font-family:courier new;"></span><span style="font-family:courier new;">You must register at least 24 hours prior to taking the exam.</span><br /><span style="font-family:courier new;"> </span><span style="font-family:courier new;">Please use the following promotional codes when you register for your exam.</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> 71-647: use Promo code 647Q at registration</span><br /><span style="font-family:courier new;"> </span><span style="font-family:courier new;">71-646: use Promo code Q646 at registration</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Look for the prefix "71" at registration</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Receiving this invitation does not guarantee you a seat in the beta; we recommend that you register immediately.</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> To register in North America, please call: Prometric: (800) 755-EXAM (800-755-3926)</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Outside the U.S./Canada, please contact: http://www.register.prometric.com/ClientInformation.asp</span><br /><br /><span style="font-family:courier new;">Test Information and Support</span><br /><span style="font-family:courier new;"></span><span style="font-family:courier new;">You are invited to take this beta exam at no charge</span><br /><span style="font-family:courier new;"> </span><span 
style="font-family:courier new;">You will be given four hours to complete the beta exam. Please plan accordingly.</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> Find exam preparation information:</span><br /><span style="font-family:courier new;"> </span><br /><span style="font-family:courier new;"> http://www.microsoft.com/learning/exams/70-646.mspx</span><span style="font-family:courier new;"></span><br /><span style="font-family:courier new;"> http://www.microsoft.com/learning/exams/70-647.mspx</span><br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-30344063282129582782007-12-25T04:37:00.000+08:002008-12-09T14:21:07.257+08:00Pretty Gal in Microsoft site<span style="font-family: courier new;font-size:85%;" ><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtzDp4uww64gmMjsfq_bmuWu_bKHjg6pjbKseXcP3MW-WwVje-bnxmU6BKtVVi5Fg9IRbB4198BuGi5m90I_zUtSApm2qkfqEhXX3hjlSa4lrqwAM0nnuMVl5V6kcoNp8-EiHi31ki2ak/s1600-h/CuteGal.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjtzDp4uww64gmMjsfq_bmuWu_bKHjg6pjbKseXcP3MW-WwVje-bnxmU6BKtVVi5Fg9IRbB4198BuGi5m90I_zUtSApm2qkfqEhXX3hjlSa4lrqwAM0nnuMVl5V6kcoNp8-EiHi31ki2ak/s320/CuteGal.JPG" alt="" id="BLOGGER_PHOTO_ID_5147641586159751298" border="0" /></a><br />None much for me to say here.<br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-12800061056661688092007-12-25T00:25:00.002+08:002008-12-09T14:21:07.369+08:00Server Manager CMD<span style=";font-family:courier new;font-size:85%;" ><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" 
href="http://4.bp.blogspot.com/_b9k9u6C_ekU/R2_dus4UkGI/AAAAAAAAAAM/__HeMmCQMxs/s1600-h/ServerManagerCMD.JPG"><img style="margin: 0pt 0pt 10px 10px; float: right; cursor: pointer;" src="http://4.bp.blogspot.com/_b9k9u6C_ekU/R2_dus4UkGI/AAAAAAAAAAM/__HeMmCQMxs/s320/ServerManagerCMD.JPG" alt="" id="BLOGGER_PHOTO_ID_5147576693498876002" border="0" /></a></span><span style=";font-family:courier new;font-size:85%;" >It's Christmas in my timezone right now so I'll greet everyone a very, merry Christmas first!<br /><br /></span><span style=";font-family:courier new;font-size:85%;" >Hmm, need to script what you see in Server Manager? Well, don't fear. We have just the tool for that and it's called ServerManagerCMD.<br /></span><br /><span style=";font-family:courier new;font-size:85%;" >Microsoft distinguishes Roles from Features in Windows Server 2008. This is obvious in the GUI and in the CLI as well.<br /><br />What's in here?<br />-What's ServermanagerCMD?<br />-Using ServerManagerCMD<br /><br /><br /></span><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold;font-size:130%;" >What's ServerManagerCMD?</span></span><span style=";font-family:courier new;font-size:85%;" ><br />Servermanagercmd.exe is a CLI tool designed to perform the following tasks listed below:<br /></span><ul><li><span style=";font-family:courier new;font-size:85%;" >Show roles and features installed on the server</span></li><li><span style=";font-family:courier new;font-size:85%;" >Show role services and features that would be installed if you made it perform results modeling</span></li><li><span style=";font-family:courier new;font-size:85%;" >Add/remove roles and features, settings are default</span></li></ul><span style=";font-family:courier new;font-size:85%;" ><br /></span><span style=";font-family:courier new;font-size:85%;" >What it can't do are the following:</span><ul><li><span style=";font-family:courier new;font-size:85%;" >Change 
settings</span></li><li><span style=";font-family:courier new;font-size:85%;" >Remoting (but you can use Winrs or was that Winrm?)</span></li><li><span style=";font-family:courier new;font-size:85%;" >Do stuff on ServerCore (but I'm including this though I'm still concentrated on ServerCore)</span></li><li><span style=";font-family:courier new;font-size:85%;" >Manage non-base server roles and features, notably ISA, Exchange, or SQL server</span></li></ul><span style=";font-family:courier new;font-size:85%;" ><br /><span style="font-weight: bold;font-size:130%;" >Using ServerManagerCMD</span></span><span style=";font-family:courier new;font-size:85%;" ><br />It's quite easy to use servermanagercmd. But first change your CLI properties.<br /><br />I've changed mine to the following:<br /></span><ul style="font-family:courier new;"><li><span style="font-size:85%;">width: 150<br /></span></li><li style="font-family:courier new;"><span style="font-size:85%;">height: 3000</span></li></ul><span style=";font-family:courier new;font-size:85%;" >Also, create an alias for servermanagercmd.</span><br /><span style=";font-family:courier new;font-size:85%;" ><br /><span style="font-family:courier new;">Why?</span> <span style="font-family:courier new;">It's soo long to type.</span> <span style="font-weight: bold; color: rgb(204, 0, 0);font-family:courier new;" ><br /><br />[Side_Note]</span> <span style="font-size:100%;"><span style="font-weight: bold;font-family:courier new;" ><br />Creating an Alias</span></span> </span><span style="font-size:85%;"><span class="article" style="font-family:courier new;"><br />Create a file named smc.bat<br />Type in the following as its contents: </span></span><span style="font-size:85%;"><span class="article" style="font-family:courier new;">%SystemRoot%\system32\servermanagercmd.exe %1 </span></span><br /><span style="font-size:85%;"><span class="article" style="font-family:courier new;">Solves your problem of typing a very long CLI command 
and works seemingly anywhere but I'm too lazy to think about how to resolve issues like multiple entries for servermanagercmd. ^__^<br /><br />Hint! Hint!<br /><br />s1 -1 input<br /></span></span><br /><span style="font-size:85%;"><span class="article" style="font-family:courier new;">s2 -2 inputs<br /><br />s3 -3 inputs<br /><br />wahahahaha!<br /></span></span><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold; color: rgb(204, 0, 0);">[/Side_Note]</span><br /><br /></span><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold;">Querying installed Roles and Features: </span><br /></span><ul><li><span style=";font-family:courier new;font-size:85%;" >servermanagercmd -query Output.xml</span></li></ul><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold;">Installing the Roles and Features listed in an input file:</span><br /></span><ul><li><span style=";font-family:courier new;font-size:85%;" >servermanagercmd -inputpath FILE.xml</span></li></ul><br /><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold; color: rgb(204, 0, 0);">Note:</span><br />Feeding the query output straight back in won't work because of internal differences in the XML file<br /></span><ul><li><span style=";font-family:courier new;font-size:85%;" >servermanagercmd -inputpath Output.xml</span></li></ul><span style=";font-family:courier new;font-size:85%;" >What works?<br /><br />Download this:<br />Command Line Transformation Utility (msxsl.exe)<br />Brief Description</span><br /><span style=";font-family:courier new;font-size:85%;" >The msxsl.exe command line utility enables you to perform command line Extensible Stylesheet Language (XSL) transformations using the Microsoft® XSL processor.<br /><br />These too:<br />http://rapidshare.com/files/78807142/view.xsl<br />http://rapidshare.com/files/78807141/remove.xsl<br />http://rapidshare.com/files/78807140/install.xsl<br /><br 
/>All you need to do is convert.<br /><br />How is that?</span><ul><li><span style=";font-family:courier new;font-size:85%;" >Query Servermanagercmd and save the output as a reference file</span></li><li><span style=";font-family:courier new;font-size:85%;" >Use the xsl files to convert it into the individual xml files</span></li></ul><span style=";font-family:courier new;font-size:85%;" >Example:<br /><br /><br /></span><a onblur="try {parent.deselectBloggerImageGracefully();} catch(e) {}" href="http://3.bp.blogspot.com/_b9k9u6C_ekU/R2_30c4UkHI/AAAAAAAAAAU/j4OP_XAXDDE/s1600-h/ServerManagerCMD-rolesfeatures.JPG"><img style="margin: 0px auto 10px; display: block; text-align: center; cursor: pointer;" src="http://3.bp.blogspot.com/_b9k9u6C_ekU/R2_30c4UkHI/AAAAAAAAAAU/j4OP_XAXDDE/s320/ServerManagerCMD-rolesfeatures.JPG" alt="" id="BLOGGER_PHOTO_ID_5147605379585446002" border="0" /></a><br /><span style=";font-family:courier new;font-size:85%;" >PATH:\servermanagercmd -query Base.xml<br /><br />For Installing Roles<br />PATH:\msxsl Base.xml install.xsl -o install.xml<br /><br />For Removing Roles<br /></span><span style=";font-family:courier new;font-size:85%;" >PATH:\msxsl Base.xml remove.xsl -o remove.xml</span> <span style=";font-family:courier new;font-size:85%;" ><br />For Viewing Roles and Features installed or not present<br /></span><span style=";font-family:courier new;font-size:85%;" >PATH:\msxsl Base.xml view.xsl -o View.html</span><span style=";font-family:courier new;font-size:85%;" ><br /><br />Using -resultPath to record what happened during installation and removal<br /></span><span style=";font-family:courier new;font-size:85%;" >PATH:\servermanagercmd -inputPath xmlName </span><span style=";font-family:courier new;font-size:85%;" >-resultPath rpName.xml</span><span style=";font-family:courier new;font-size:85%;" > [-restart | -whatIf] [-logPath <log.txt>]<br /><br />Actually, you can also use -install and -remove. Crazy, huh? 
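The same transformation the msxsl step performs can be scripted; this added example (not the post's own, nor Microsoft's tooling) reads a constructed -query result, diffs the installed roles, role services and features against an allowlist, and builds -inputPath answer files for the extras to remove and the baseline items to install. The element and attribute names (ServerManagerConfigurationQuery, ServerManagerConfiguration with Action="Install" or "Remove", Role/RoleService/Feature with Id and Installed) and the namespace are assumed from memory of the Server 2008 format, so verify them against your own Base.xml before feeding the result to servermanagercmd.

```python
"""Script the query-to-answer-file step instead of hand-editing XML. Added example, not
from the original post; element and attribute names are assumed from the Windows Server
2008 ServerManagerCmd format as I remember it, so check them against your own Base.xml."""
import xml.etree.ElementTree as ET

# Namespace and element names: assumed, see the note above.
NS = "http://schemas.microsoft.com/sdm/Windows/ServerManager/Configuration/2007/1"
KINDS = ("Role", "RoleService", "Feature")

# Constructed stand-in for 'servermanagercmd -query Base.xml' output; the Ids are illustrative.
SAMPLE_QUERY = """<ServerManagerConfigurationQuery xmlns="%s">
  <Role DisplayName="Web Server (IIS)" Installed="true" Id="Web-Server">
    <RoleService DisplayName="Static Content" Installed="true" Id="Web-Static-Content"/>
    <RoleService DisplayName="FTP Publishing Service" Installed="true" Id="Web-Ftp-Server"/>
  </Role>
  <Role DisplayName="DNS Server" Installed="false" Id="DNS"/>
  <Feature DisplayName="Telnet Server" Installed="true" Id="Telnet-Server"/>
  <Feature DisplayName="Windows Server Backup" Installed="false" Id="Backup"/>
</ServerManagerConfigurationQuery>
""" % NS

# What this server is supposed to run; anything else installed is extra attack surface.
BASELINE = {("Role", "Web-Server"), ("RoleService", "Web-Static-Content"), ("Feature", "Backup")}


def installed_components(query_xml):
    """{(kind, Id)} for every Role, RoleService and Feature marked Installed="true"."""
    found = set()
    for elem in ET.fromstring(query_xml).iter():
        kind = elem.tag.rsplit("}", 1)[-1]          # strip the namespace prefix
        if kind in KINDS and elem.get("Installed") == "true":
            found.add((kind, elem.get("Id")))
    return found


def answer_file(action, components):
    """A ServerManagerConfiguration document for -inputPath; Action is Install or Remove."""
    if action not in ("Install", "Remove"):
        raise ValueError("action must be Install or Remove")
    root = ET.Element("ServerManagerConfiguration", {"Action": action, "xmlns": NS})
    for kind, cid in sorted(components):
        ET.SubElement(root, kind, {"Id": cid})
    return ET.tostring(root, encoding="unicode")


def plan_against_baseline(query_xml, baseline):
    """Diff what is installed against the baseline and build the two answer files."""
    installed = installed_components(query_xml)
    extras, missing = installed - baseline, baseline - installed
    return {"extras": extras, "missing": missing,
            "remove": answer_file("Remove", extras) if extras else None,
            "install": answer_file("Install", missing) if missing else None}


if __name__ == "__main__":
    plan = plan_against_baseline(SAMPLE_QUERY, BASELINE)
    print("remove.xml :", plan["remove"])
    print("install.xml:", plan["install"])
```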
</log.txt></span><span style=";font-family:courier new;font-size:85%;" >There! Now you can make the most out of ServermanagerCMD!<br /><br /></span><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold; color: rgb(204, 0, 0);">Note: </span>Updating the Install, Remove, and View xml files created via msxsl seems fine with me but what do you think?</span> <span style=";font-family:courier new;font-size:85%;" >I'm still experimenting.<br /><br /><br /></span><span style=";font-family:courier new;font-size:85%;" ><span style="font-weight: bold; color: rgb(204, 0, 0);">Note: </span></span><span style=";font-family:courier new;font-size:85%;" >http://technet2.microsoft.com/windowsserver2008/en/library/e7edce1d-442c-4ec3-b324-c748e4f937551033.mspx?mfr=true<br /><br /><br /><br />Hope you fellas enjoyed!<br /><br /><br /><br /><br />-Jaeson<br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-14390651616157765612007-12-24T22:49:00.000+08:002007-12-24T23:47:50.893+08:00Server Management in Windows.Server.2008 ServerCore - Part 4<span style="font-size:85%;"><span style="font-family: courier new;">Hmm, ever knew a tool you can use to play around with the permissions on files and folders in ServerCore?</span><br /><br /><span style="font-family: courier new;">What's in here?</span><br /><span style="font-family: courier new;">-Discretionary Access Control: using iCacls</span><br /><span style="font-weight: bold;font-size:130%;" ><br /><span style="font-family: courier new;">Discretionary Access Control: Using iCacls</span></span><br /><br /><br /><span style="font-family: courier new;">Microsoft Windows [Version 6.0.6001]</span><br /><span style="font-family: courier new;">Copyright (c) 2006 Microsoft Corporation. 
All rights reserved.</span><br /><br /><span style="font-family: courier new;">C:\>icacls</span><br /><br /><span style="font-family: courier new;">ICACLS name /save aclfile [/T] [/C] [/L] [/Q]</span><br /><span style="font-family: courier new;">store the the acls for the all matching names into aclfile for</span><br /><span style="font-family: courier new;">later use with /restore.</span><br /><span style="font-family: courier new;">.</span><br /><span style="font-family: courier new;">.</span><br /><span style="font-family: courier new;">.</span><br /><span style="font-family: courier new;">/setintegritylevel [(CI)(OI)]Level explicitly adds an integrity</span><br /><span style="font-family: courier new;">ACE to all matching files. The level is to be specified as one</span><br /><span style="font-family: courier new;">of:</span><br /><span style="font-family: courier new;">L[ow]</span><br /><span style="font-family: courier new;">M[edium]</span><br /><span style="font-family: courier new;">H[igh]</span><br /><span style="font-family: courier new;">Inheritance options for the integrity ACE may precede the level</span><br /><span style="font-family: courier new;">and are applied only to directories.</span><br /><br /><span style="font-family: courier new;">/inheritance:e|d|r</span><br /><span style="font-family: courier new;">e - enables inheritance</span><br /><span style="font-family: courier new;">d - disables inheritance and copy the ACEs</span><br /><span style="font-family: courier new;">r - remove all inherited ACEs</span><br /><br /><span style="font-family: courier new;"><span style="font-weight: bold; color: rgb(204, 0, 0);">Note: </span>Mark Minasi created a tool that can change the integrity level of files. 
Pretty cool, huh?</span><br /><br /><span style="font-family: courier new; font-weight: bold; color: rgb(204, 0, 0);">[Side_Note]</span><br /><span style="font-family: courier new; font-weight: bold;">What's this Low Integrity Level?</span><br /><span style="font-family: courier new;">Low integrity level exists only on Windows Vista and Server 2008. You'll quickly notice this if you look at IE7's Security tab for the Internet zone - you'll see a checkbox for enabling Protected Mode.</span><br /><br /><span style="font-family: courier new;">So what?</span><br /><br /><span style="font-family: courier new;">Any process or program that runs in the Internet zone runs at Low integrity level.</span><br /><br /><span style="font-family: courier new;">Ever heard of systems implemented with Bell-LaPadula? Microsoft took a different route for Vista and Server 2008.</span><br /><br /><span style="font-family: courier new;">All lower-level entities in the newer Windows OS have read-up and write-down permissions, including on their own items. This means they can't write to or "take control" of items owned by entities at a higher level.</span><br /><span style="font-family: courier new; font-weight: bold; color: rgb(204, 0, 0);">[/Side_Note]</span><br /><br /><span style="font-family: courier new;"><span style="font-weight: bold;">Example: </span>Save the permission entries of the folder Users and all its files and subdirectories to a file in the root of the drive named myAcl.txt</span><br /><br /><span style="font-family: courier new;">Microsoft Windows [Version 6.0.6001]</span><br /><span style="font-family: courier new;">Copyright (c) 2006 Microsoft Corporation. 
All rights reserved.</span><br /><br /><span style="font-family: courier new;">C:\>icacls c:\Users\* /save C:\myAcl.txt /T</span><br /><br /><span style="font-family: courier new;">Note: The output file ain't that friendly to read.</span><br /><br /><span style="font-family: courier new;"><span style="font-weight: bold;">Example: </span>Grant the Administrator Full Control over the folder</span><br /><span style="font-family: courier new;">con found in the root drive.</span><br /><br /><span style="font-family: courier new;">Microsoft Windows [Version 6.0.6001]</span><br /><span style="font-family: courier new;">Copyright (c) 2006 Microsoft Corporation. All rights reserved.</span><br /><br /><span style="font-family: courier new;">C:\>icacls .\con\ /grant Administrator:(F)</span><br /><span style="font-family: courier new;">processed file: .\con\</span><br /><span style="font-family: courier new;">Successfully processed 1 files; Failed processing 0 files</span><br /><br /><span style="font-family: courier new;">Pretty neat, won't you say?</span><br /><br /><span style="font-family: courier new;">I'll write more on this one next time. 
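Added example, not code from the original post: the /save file is unfriendly because every entry is a raw SDDL string, so here is a Python script that decodes such a file offline (copy it off the box and read it anywhere) and also translates the S-1-16 label SIDs that whoami /all prints in the Part 3 post further down this page. The sample file content is constructed by hand; what is assumed from icacls is only the name-line/SDDL-line pairing that /save writes and the ML ACE that /setintegritylevel puts into the SACL.

```python
"""Decode icacls /save output and S-1-16 integrity-label SIDs offline.
Added example for this post, not code from the page: SAMPLE_SAVE is a hand-
constructed file in the name-line/SDDL-line layout that icacls /save writes."""
import re

# Integrity-level RIDs under the S-1-16 (Mandatory Label) authority.
INTEGRITY_LEVELS = {0x0000: "Untrusted", 0x1000: "Low", 0x2000: "Medium",
                    0x3000: "High", 0x4000: "System"}
# Two-letter SID aliases used inside SDDL (a subset of the documented ones).
SID_ALIASES = {"BA": "BUILTIN\\Administrators", "BU": "BUILTIN\\Users",
               "SY": "NT AUTHORITY\\SYSTEM", "WD": "Everyone",
               "LW": "Low Mandatory Level", "ME": "Medium Mandatory Level",
               "HI": "High Mandatory Level", "SI": "System Mandatory Level"}
RIGHTS_ALIASES = {"FA": "FULL", "FR": "READ", "FW": "WRITE", "FX": "EXECUTE",
                  # label policy bits: what a lower-integrity subject may NOT do
                  "NW": "NO_WRITE_UP", "NR": "NO_READ_UP", "NX": "NO_EXECUTE_UP"}
ACE_TYPES = {"A": "Allow", "D": "Deny", "AU": "Audit", "ML": "Label"}
SECTION_RE = re.compile(r"([OGDS]):(.*?)(?=[OGDS]:|$)")  # O: G: D: S: sections
ACE_RE = re.compile(r"\(([^)]*)\)")

def integrity_level(sid):
    """Map an S-1-16-<rid> label SID to (name, rid); None for any other SID."""
    parts = sid.split("-")
    if len(parts) != 4 or parts[:3] != ["S", "1", "16"]:
        return None
    rid = int(parts[3])
    return INTEGRITY_LEVELS.get(rid, "Unknown(0x%x)" % rid), rid

def parse_rights(rights):
    """Rights are either a raw hex access mask or a run of two-letter codes."""
    if rights.startswith("0x"):
        return [rights]
    return [RIGHTS_ALIASES.get(rights[i:i + 2], rights[i:i + 2])
            for i in range(0, len(rights), 2)]

def parse_ace(ace):
    """ACE fields: type;flags;rights;object_guid;inherit_guid;sid."""
    fields = ace.split(";")
    if len(fields) != 6:
        raise ValueError("malformed ACE: %r" % ace)
    ace_type, flags, rights, _, _, sid = fields
    flag_codes = [flags[i:i + 2] for i in range(0, len(flags), 2)]
    return {"type": ACE_TYPES.get(ace_type, ace_type),
            "inherited": "ID" in flag_codes,   # ID = inherited from the parent
            "rights": parse_rights(rights),
            "trustee": SID_ALIASES.get(sid, sid)}

def parse_sddl(sddl):
    """Split an SDDL string into owner, group, DACL flags/ACEs and SACL ACEs."""
    out = {"owner": None, "group": None, "dacl_flags": "", "dacl": [], "sacl": []}
    for key, body in SECTION_RE.findall(sddl):
        if key in ("O", "G"):
            out["owner" if key == "O" else "group"] = SID_ALIASES.get(body, body)
            continue
        aces = [parse_ace(a) for a in ACE_RE.findall(body)]
        if key == "D":   # text before the first ACE: AI (auto-inherit), P (protected)
            out["dacl_flags"], out["dacl"] = body.partition("(")[0], aces
        else:
            out["sacl"] = aces
    return out

def integrity_label(parsed):
    """(level name, policy) from the SACL's ML ACE; None if no explicit label."""
    for ace in parsed["sacl"]:
        if ace["type"] == "Label":
            return ace["trustee"], ace["rights"]
    return None

def mandatory_policy_allows(subject_rid, object_rid, policy, access):
    """Integrity check alone (the DACL is evaluated afterwards): a subject at or
    above the object's level is never blocked; a lower one is blocked only for
    the accesses named in the label's policy (NW, no-write-up, is the default)."""
    blocked_by = {"read": "NO_READ_UP", "write": "NO_WRITE_UP",
                  "execute": "NO_EXECUTE_UP"}[access]
    return subject_rid >= object_rid or blocked_by not in policy

def parse_icacls_save(text):
    """Name/SDDL line pairs as icacls /save writes them (decode the file as UTF-16 first)."""
    lines = [ln for ln in text.splitlines() if ln.strip()]
    if len(lines) % 2:
        raise ValueError("expected name/SDDL line pairs")
    return {lines[i]: parse_sddl(lines[i + 1]) for i in range(0, len(lines), 2)}

# Constructed sample: a folder with inherited ACEs, then a file with a protected
# DACL and an explicit Low label (what "icacls file /setintegritylevel L" writes).
SAMPLE_SAVE = """\
Public
D:AI(A;OICIID;FA;;;BA)(A;OICIID;FA;;;SY)(A;OICIID;0x1200a9;;;BU)
Public\\secret.txt
D:PAI(A;;FA;;;BA)(D;;FW;;;BU)S:(ML;;NW;;;LW)
"""

if __name__ == "__main__":
    for name, acl in parse_icacls_save(SAMPLE_SAVE).items():
        print(name, acl["dacl_flags"], integrity_label(acl))
        for ace in acl["dacl"]:
            print("   ", ace["type"], ace["trustee"], "+".join(ace["rights"]))
    print(integrity_level("S-1-16-12288"))   # the label whoami /all shows in Part 3
```

The real file is written as UTF-16, so read it with open(path, encoding="utf-16") before handing the text to parse_icacls_save. The mandatory_policy_allows helper spells out the rule from the Side_Note above: a Low subject can read a Medium object but, with the default NW policy, cannot write to it, while a higher-level subject writes down freely and the DACL then has the final say.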
Woohoo!</span><br /><br /><br /><span style="font-family: courier new;">-Jaeson</span><br /><br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-69809070979643222342007-12-24T19:50:00.000+08:002007-12-24T22:49:07.401+08:00Server Management in Windows.Server.2008 ServerCore - Part 3<span style="font-size:85%;"><span style="font-family:courier new;">Well, you've just finished installing ServerCore (I did 3 days ago with RC1, x86...huhuh) and what's the next thing to do?<br /><br />We customize.<br /><br />What's in here?<br />-Creating Local Users on Server Core<br />-</span></span><span style="font-size:85%;"><span style="font-family:courier new;">Creating Local Groups on Server Core</span></span><br /><span style="font-size:85%;"><span style="font-family:courier new;">-</span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span>Permissions management in ServerCore<br /><br /></span></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><br /><span style="font-size:130%;"><span style="font-weight: bold;">Creating Local Users on Server Core</span></span><br />As of now, I have no idea why you'd want to create a plain user account on ServerCore, aside from using that account for day-to-day work on the server and <span style="font-weight: bold; color: rgb(51, 102, 255);">"runas"</span> when you need to administer something on the server.<br /><br /><br />C:\>net user /?<br />The syntax of this command is:<br /><br />NET USER<br />[username [password | *] [options]] [/DOMAIN]<br /> username {password | *} /ADD [options] [/DOMAIN]<br /> username [/DELETE] [/DOMAIN]<br /> username [/TIMES:{times | ALL}]<br /><br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">Example:</span></span> Creating an account named Polly Ester, whose logon id is polly, is enabled, and is 
required to change her password when she logs on to the machine, and who is the administrator's wife.<br /><br />net user Polly * /add /active:yes /comment:"Added account for messing up my life" /expires:08/08/2008 /fullname:"Polly Ester" /passwordchg:yes /logonpasswordchg:yes</span></span><span style="font-size:85%;"><span style="font-family:courier new;"><br /><span style="font-size:130%;"><br /></span></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="font-size:130%;"><span style="font-weight: bold;">Creating Groups on Server Core</span></span><br />We talked about users. Now, let's look at groups. Groups are a very handy way to ease access management to resources. Instead of adding each user to a resource, group them together, add the group to the resource, and apply permissions on the group.<br /><br />C:\>net localgroup /?<br />The syntax of this command is:<br /><br />NET LOCALGROUP<br />[groupname [/COMMENT:"text"]] [/DOMAIN]<br /> groupname {/ADD [/COMMENT:"text"] | /DELETE} [/DOMAIN]<br /> groupname name [...] 
{/ADD | /DELETE} [/DOMAIN]<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">Example: </span></span>Add Buster from the MISNET domain and local user Polly to the local group Unfair in the server's local database.<br /><br />net localgroup Unfair misnet\Buster Polly /add<br /><br /><br /><br /><span style="font-size:130%;"><span style="font-weight: bold;">Permissions management in ServerCore</span></span><br />Now that we know how to add users and groups, how can we add users or groups to resources to control their access permissions?<br /><br />There are many access control methods, but I'll describe three - Role-based, Mandatory, and Discretionary access control.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">Role-based Access Control</span></span><br />This one is easy to recognise and to use for assigning permissions to users or groups: permissions are attached to a group whose name describes its role.<br /><br />For example, if we have a Contributors role, they can most certainly upload content to either a file server or a collaboration server. If the name is Viewer, it seems they only have read-only permissions.<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">Mandatory Access Control</span></span><br />Windows Vista and Windows Server 2008 are Class B-ready operating systems based on the Rainbow series specification. 
It's an old defunct standard but I guess they'll be advertising it for CC standards.<br /><br /><span style="font-weight: bold; color: rgb(204, 0, 0);">Note:</span> Fun read ---> http://www4.osnews.com/comments/17788<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="font-weight: bold; color: rgb(204, 0, 0);">Note:</span> Fun read but nothing about MAC ---> </span></span><span style="font-size:85%;"><span style="font-family:courier new;">http://cgi.galion.lib.oh.us/instruction/windows/versions.htm<br /><br /><br />C:\Users\administrator>whoami /all<br /><br /><span style="font-size:78%;">USER INFORMATION<br />----------------<br /><br />User Name SID<br />============================= =============================================<br />misnet-rodc-2k8\administrator S-1-5-21-2944278768-2424685623-3432543248-500<br /><br /><br />GROUP INFORMATION<br />-----------------<br /><br />Group Name Type SID Attributes<br />===================================== ================ ============ ===============================================================<br />Everyone Well-known group S-1-1-0 Mandatory group, Enabled by default, Enabled group<br />BUILTIN\Administrators Alias S-1-5-32-544 Mandatory group, Enabled by default, Enabled group, Group owner<br />BUILTIN\Users Alias S-1-5-32-545 Mandatory group, Enabled by default, Enabled group<br />NT AUTHORITY\REMOTE INTERACTIVE LOGON Well-known group S-1-5-14 Mandatory group, Enabled by default, Enabled group<br />NT AUTHORITY\INTERACTIVE Well-known group S-1-5-4 Mandatory group, Enabled by default, Enabled group<br />NT AUTHORITY\Authenticated Users Well-known group S-1-5-11 Mandatory group, Enabled by default, Enabled group<br />NT AUTHORITY\This Organization Well-known group S-1-5-15 Mandatory group, Enabled by default, Enabled group<br />LOCAL Well-known group S-1-2-0 Mandatory group, Enabled by default, Enabled group<br />NT AUTHORITY\NTLM Authentication Well-known group 
S-1-5-64-10 Mandatory group, Enabled by default, Enabled group</span><br />Mandatory Label\<span style="font-weight: bold; color: rgb(255, 204, 51);">High Mandatory Level</span> Unknown SID type <span style="font-weight: bold; color: rgb(255, 204, 51);">S-1-16-12288</span> Mandatory group, Enabled by default, Enabled group<span style="font-size:78%;"><br /><br /><br />PRIVILEGES INFORMATION<br />----------------------<br /><br />Privilege Name Description State<br />=============================== ========================================= ========<br />SeIncreaseQuotaPrivilege Adjust memory quotas for a process Disabled<br />SeSecurityPrivilege Manage auditing and security log Disabled<br />SeTakeOwnershipPrivilege Take ownership of files or other objects Disabled<br />SeLoadDriverPrivilege Load and unload device drivers Disabled<br />SeSystemProfilePrivilege Profile system performance Disabled<br />SeSystemtimePrivilege Change the system time Disabled<br />SeProfileSingleProcessPrivilege Profile single process Disabled<br />SeIncreaseBasePriorityPrivilege Increase scheduling priority Disabled<br />SeCreatePagefilePrivilege Create a pagefile Disabled<br />SeBackupPrivilege Back up files and directories Disabled<br />SeRestorePrivilege Restore files and directories Disabled<br />SeShutdownPrivilege Shut down the system Disabled<br />SeDebugPrivilege Debug programs Disabled<br />SeSystemEnvironmentPrivilege Modify firmware environment values Disabled<br />SeChangeNotifyPrivilege Bypass traverse checking Enabled<br />SeRemoteShutdownPrivilege Force shutdown from a remote system Disabled<br />SeUndockPrivilege Remove computer from docking station Disabled<br />SeManageVolumePrivilege Perform volume maintenance tasks Disabled<br />SeImpersonatePrivilege Impersonate a client after authentication Enabled<br />SeCreateGlobalPrivilege Create global objects Enabled<br />SeIncreaseWorkingSetPrivilege Increase a process working set Disabled<br />SeTimeZonePrivilege Change the 
time zone Disabled<br />SeCreateSymbolicLinkPrivilege Create symbolic links Disabled</span><br /><br /><br />Notice the ones in yellow? Correct, that's only on Vista and Server 2008, and it tells you the mandatory integrity level of the user. For administrators, MAC works by having them run as plain users; they still get an elevation confirmation through Consent.exe - that's UAC.<br /><br />I haven't encountered a version of UAC for the CLI by the way. Well, runas works fine with me. It seems that when you install an application as an administrator, you can install it right away. But I'm using a workgroup-joined machine. So, what happens when you join it to the domain?<br /><br />Hmm? :)<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="font-weight: bold; color: rgb(204, 0, 0);">Note:</span> </span></span><span style="font-size:85%;"><span style="font-family:courier new;">S-1-16-12288 is the mandatory integrity label for the Administrator, or administrator-level accounts. Convert 12288 to hex and you get 0x3000. The 0x4000 value corresponds to System (processes). System files carry no explicit MIL, and as such they default to the user integrity label, 0x2000.<br /><br /><br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="font-weight: bold; color: rgb(204, 0, 0);">[Side_Note]</span></span></span><br /><span style="font-size:85%;"><span style="font-family:courier new;">My friend who works for GeekSquad told me about folder names you can't actually use in the system.<br /><br />I was very puzzled.<br /><br />This turns out to be part of the code of Windows. 
The items com1, con, lpt1, nul, prn, and others are reserved by the operating system as the names it uses to refer to devices.<br /><br />Try this trick.<br /><br />[Open up the cmd prompt]<br /><br />Microsoft Windows [Version 6.0.6001]<br />Copyright (c) 2006 Microsoft Corporation. All rights reserved.<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;">C:\Users\Administrator>md con</span></span><br /><span style="font-size:85%;"><span style="font-family:courier new;">The directory name is invalid. <span style="color: rgb(204, 0, 0);"><-- This is the error you get.</span><br /><br />C:\Users\Administrator>md .\con\</span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="color: rgb(204, 0, 0);"><-- Sweet!</span></span></span><br /><span style="font-size:85%;"><span style="font-family:courier new;"><br /><br />[Try browsing it.]<br /><br />C:\>cd con<br />The system cannot find the path specified.<br /><br />C:\>cd C:\con<br />The system cannot find the path specified.<br /><br />C:\>cd C:\con<br />The system cannot find the path specified.<br /><br />C:\>cd .\con\<br />The directory name is invalid.<br /><br />Now, browse the folder using Windows Explorer. ^___^<br /><br />Solves your problem.<br /><br />And it's a safe way to protect your files even from people who connect to your computer through administrative shares but just not through remoting.<br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><span style="font-weight: bold; color: rgb(204, 0, 0);">[/Side_Note]</span></span></span><br /><span style="font-size:85%;"><span style="font-family:courier new;"><br /><span style="font-weight: bold;"> Discretionary Access Control</span><br />Woohoo!!!<br /><br />I really wasn't able to wait to get to this one. 
I felt like it was eternity.<br /><br />It's referred to as Discretionary because you - the one controlling everything - get to give what permissions users or groups need. Ain't that fun?<br /><br />And how exactly are we gonna go about this matter?<br /><br />Simple. Use iCacls.<br /><br /></span></span><span style="font-size:85%;"><span style="font-family:courier new;"><br /><br />-Jaeson<br /></span></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-55645955206586089642007-12-24T17:38:00.001+08:002007-12-24T22:36:44.798+08:00Server Management in Windows.Server.2008 ServerCore - Part 2<span style="font-family: courier new;font-family:courier new;font-size:85%;" ><span style="font-size:130%;"><span style="font-weight: bold;">Disk Management for ServerCore Installation</span></span><br /><br />If you're interested in the security of your server, whether it be a plain server role or a RODC, installing BitLocker helps out a lot.<br /><br />Yes, we do have syskey but having the whole drive encrypted brings it to a whole new level.<br /><br />What's in here?<br />-Summary on BitLocker Requirements<br />-Diskpart Basics<br /><br /><br />-Jaeson<br /><br /><span style="font-weight: bold; color: rgb(153, 0, 0);">Note:</span> Syskey is on by default protecting your authentication database in the file system and no lame story of someone putting a server offline and stealing the database files should make you gullible.<br /><br /><br /><span style="font-size:100%;">BitLocker requirements</span><br /></span><ol style="font-family: courier new;font-family:courier new;" ><li><span style="font-size:85%;">Properly formatted drive (see my previous side note post)</span></li><li style="font-family:courier new;"><span style="font-size:85%;">Add BitLocker as a feature<br /></span></li></ol><span style="font-family: courier new;font-family:courier new;font-size:85%;" ><br />As it turns out, my 
assumptions about how BitLocker should be installed on a Windows 2008 system are the same as for Vista. Too bad I didn't partition my full install of Windows 2008 properly for BitLocker.<br /><br />Adding the BitLocker feature: <span style="font-weight: bold;">start /w ocsetup BitLocker</span><br /></span><br /><span style="font-family: courier new;font-family:courier new;font-size:85%;" ><span style="font-weight: bold; color: rgb(153, 0, 0);">Note:</span> My machine doesn't have a TPM chip, but that isn't much of a problem as you can always work around that obstacle. Doing it in ServerCore, though, seems to be quite a problem, one we'll try to solve.</span><span style="font-family: courier new;font-family:courier new;font-size:85%;" ><br /><br /><br /><span style=";font-size:85%;" ><span style="font-size:100%;"><span style="font-weight: bold;">DiskPart Basics</span></span><br /></span></span><span style="font-family: courier new;font-family:courier new;font-size:85%;" ><br />How exactly do you use Diskpart?<br /><br />Easy!<br /><br />Type diskpart at the command line, assuming you have admin privileges<br /><br />Exhibit 1<br />C:\>diskpart<br /><br />Microsoft DiskPart version 6.0.6001<br />Copyright (C) 1999-2007 Microsoft Corporation.<br />On computer: MISNET-DC-W2K8<br /><br />DISKPART><br /><br /><br />How to get help? Easier.<br /><br />Exhibit 2<br /><br /></span><span style="font-family: courier new;font-family:courier new;font-size:85%;" >Microsoft DiskPart version 6.0.6001<br />Copyright (C) 1999-2007 Microsoft Corporation.<br />On computer: MISNET-DC-W2K8<br /><br />DISKPART> help | ?<br /><br />That means type "<span style="font-weight: bold;">help</span>" or the <span style="font-weight: bold;">"?</span>" symbol.<br /><br />Note: Don't get any ideas that this tool will help you after you install ServerCore. 
Diskpart-ing must be done before installing the OS, by choosing the "Repair Now" option.<br /><br /><span style="font-weight: bold; color: rgb(51, 51, 255);">Tip:</span> Want to add disk space to your system drive?<br /><br /></span><span style="font-family: courier new;font-family:courier new;font-size:85%;" >DISKPART> extend size=[whatever value your system allows you to reclaim]</span><br /><span style="font-family: courier new;font-family:courier new;font-size:85%;" ><br />Well, on Windows Vista and Server 2008, extending your volume is possible - this assumes that you didn't set up all of the disk space for your primary partition and reserved some for another partition that you eventually want to remove from your system, or you just want to reclaim space.<br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-92161731905739242322007-12-24T16:51:00.000+08:002007-12-24T16:57:14.822+08:00Side Notes 4:57PM 24 Dec 2007<span style="font-family: courier new;font-size:85%;" ><b>Q: </b>What is the story with memory: can it install with less than 512 MB, and will it be supported to run with less than 512 MB?<br /><b>A: </b>Server Core cannot be installed with less than 512 MB. It will not be supported to run with less than 512 MB.<br /><br /><br /><br />Um, the above is from Microsoft. So, what did I do in the past that made me raise an eyebrow at the chat above?<br /><br /><span style="font-size:100%;"><span style="font-weight: bold;">ServerCore and Memory Issues</span></span><br />ServerCore installs on a 512MB machine. 
I just installed it in a virtualized environment and then changed the memory allocation to only 256MB.<br /><br />Does that mean VirtualPC 2007 is messing up?<br /><br />Nope.<br /><br />My best guess is that it will run on a machine with less than 512MB of memory, but if you plan to do something with ServerCore other than see how it works, you'd definitely be putting some more memory in there.<br /></span>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0tag:blogger.com,1999:blog-4463005673038408590.post-55052341228593988132007-12-24T14:35:00.000+08:002007-12-24T22:43:27.297+08:00Server Management in Windows.Server.2008 ServerCore<span style="font-family: courier new;font-family:arial;font-size:85%;" >I study for certification exams because it's part of my job, and I've always come across interesting facts in the course of my studies and eventually forgotten them. Now I have a place to go back to and review them all.<br /><br />What to expect in this blog?<br />-What is Server Core<br />-Server Management and Maintenance (for the GUI)<br />-ServerCore Management - What I did<br /></span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >-Jaeson</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" ></span><br /><strong style="font-family: courier new;font-family:courier new;" ><span style="font-size:85%;"></span></strong><br /><span style="font-family: courier new;font-size:130%;" ><strong face="courier new">What is <em>ServerCore</em>?</strong></span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >ServerCore (maybe somewhat MinWin in essence) is a minimalistic version of Windows Server 2008 - less the UI, less the annoying and absurd UI at times, and less "that's so easy to do 'coz I saw you do it" thing.</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Wouldn't you agree this would 
be fun?</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >I'm fancying ServerCore because it's as close as I can get to configuring a router - I'm from the Cisco world and got ported to the Windows galaxy. I'm enjoying it so far. </span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >I went to one of Microsoft's exhibits and played around with this new Toshiba laptop that was part of the event - free use of Windows Vista. Instead of clicking with the mouse all day I remembered Vista's new feature - Windows Firewall with Advanced Security, or was that Protection? I'm a frequent listener of TechNet Webcasts.</span><br /><em style="font-family: courier new;"></em><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >I spent around 30 minutes and finished playing around with Consec. And was I happy! ^___^</span><br /><br /><em style="font-family: courier new;"></em><span style="font-family: courier new;font-size:130%;" ><br /><strong face="courier new">Server Management and Maintenance </strong></span><span style="font-family: courier new;font-family:arial;font-size:130%;" >(for the GUI)</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >If we were to manage a GUI-type server, we automatically perform tasks on the server that include optimizing the server, prepping it up, and making it custom-built for our very own production network. 
Tasks include:</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Installing Server Core</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Changing the admin password</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Configuring networking settings</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Setting appropriate Regional settings</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Changing video resolution</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Adding or removing secure screensavers</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Installing programs or adding services</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >Tinkering with the firewall</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >...and a lot of other things to do</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >The above are very common tasks. So, how exactly do we accomplish these in ServerCore?</span><br /><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" ><strong><em></em></strong></span><span style="font-family: courier new;font-size:130%;" ><br /><strong face="courier new"><em>ServerCore </em>Management - What I did</strong></span><br /><strong style="font-family: courier new;"><span style="font-size:85%;"></span></strong><br /><span style="font-family: courier new;font-family:arial;font-size:100%;" ><strong>[Installing ServerCore]</strong></span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >ServerCore installation is pretty straightforward. 
But if you don't have extra machines, Microsoft's Virtual PC 2007 or Virtual Server 2005 R2 and VMware's Workstation 6.0 or VMware Server will help you out a lot. I'm a fan of VMware but I'm currently using VPC2007.</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" ></span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >But whatever app or method you use will do. (I guess I need to play with WDS later)</span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" ></span><br /><span style="font-family: courier new;font-family:arial;font-size:85%;" >But before we go on and talk about the installation part, which I'll split into two sections - normal and unattended - let me first walk you through the BitLocker prep thing for ServerCore.</span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" ></span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" ></span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" ></span><br /><span style="color: rgb(204, 0, 0); font-family: courier new;font-family:Arial;font-size:85%;" ><strong>[Side_Notes]</strong></span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" ><em>BitLocker - Installation Part</em></span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" ></span><br /><span style="font-family: courier new;font-family:Arial;font-size:85%;" >In a nutshell, I did the following to one of my ServerCore installations:</span><br /><ul style="font-family: courier new;font-family:courier new;" ><li><span style="font-size:85%;">Choosing "Repair Now"</span></li><li><span style="font-size:85%;">Diskpart-ing</span></li><li><span style="font-size:85%;">create primary partition size=1500</span></li><li><span style="font-size:85%;">assign letter=S</span></li><li><span 
style="font-size:85%;">active</span></li><li><span style="font-size:85%;">cre pri par</span></li><li><span style="font-size:85%;">assign letter=C</span></li><li><span style="font-size:85%;">exit</span></li><li><span style="font-size:85%;">format both using QUICK </span></li></ul><p style="font-family: courier new;font-family:courier new;" ><span style="font-size:85%;">But I really wanted to know if that was how I should do it. </span></p><p style="color: rgb(204, 0, 0); font-family: courier new;font-family:courier new;"><span style="font-size:85%;"><strong>[/Side_Notes]</strong></span></p><p style="font-family: courier new;font-family:courier new;" ><span style="font-size:85%;"><br /><br />What you'll notice different about the ServerCore install, and that of the full installation is that you can change the password for the default Administrator account. Nice change from Beta3 and RC0. </span></p><p style="font-family: courier new;font-family:courier new;" ><span style="font-size:85%;">That's actually it. Pretty easy. But what comes next is something rather perplexing, which I'll cover next after a short break.</span></p>Jaeson Velascohttp://www.blogger.com/profile/08939600173423514597noreply@blogger.com0