Active Directory and relative identifiers

Last night, I wrote a post about how a little logical thinking was required in order to resolve some issues with the dcdiag.exe utility from the Windows Server 2003 Support Tools.

Since then, I’ve been examining the dcdiag test results and was a little alarmed to find that two of the domain controllers (DCs) for the domain that I intend to migrate several hundred users into were reporting a lack of available RIDs:

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 12352 to 12851
   * rIDNextRID: 12849
   * Warning :There is less than 1% available RIDs in the current pool
   ......................... domaincontrollername passed test RidManager

For anyone who doesn’t appreciate the potential significance of this, relative identifiers (RIDs) are necessary in order to create new Active Directory objects.  Because Active Directory uses a multi-master model, any DC can create an object, which is then replicated between the various DCs in the organisation.  Objects are actually identified by their SID, part of which includes the domain identifier, and part of which is the RID.  In order to maintain uniqueness, the generation and allocation of RIDs is controlled by the DC holding the RID Master role for the domain, allocating pools of 500 (by default) RIDs to DCs for use when generating the SIDs for new objects.  Still with me?  Microsoft knowledge base article 305475 has more details.

Active Directory DCs (at Windows 2000 SP4 and later revisions) request a new RID pool from the RID master once the pool is 50% depleted, so 1% of available RIDs concerned me somewhat.  Other tests had confirmed that replication was working, and switching the RID Master role to another DC didn’t appear to make any change.  I also checked to see that there were no duplicate SIDs in the domain.  As it happens, everything was working normally but the labels, and the warning, are very confusing. This is what I found:

  • rIDPreviousAllocationPool is not, as the name suggests, the last pool that was used – it’s actually the RID pool that is currently being used.   So, in the example above, 12352 to 12851 is the list of RIDs currently being allocated. When this becomes exhausted (rIDNextRID gives an indication of how soon this will occur), Windows copies rIDAllocationPool into rIDPreviousAllocationPool and starts using the new RIDs as needed. There is a global RID pool size limit that the RID Master can allocate from (the Available RID Pool).
  • rIDAllocationPool is the next batch of RIDs to be used (supplied by the RID Master).  In this case, 14352 to 14851 will be the next batch of RID numbers (500 in the pool) for this DC.  This is generated automatically via a request to the RID Master once the pool is 50% depleted.
  • rIDNextRID is the last RID allocated (not the next one to be allocated).  So the next object to get created in the example above will get RID 12850.
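To make the reading of those three attributes mechanical, here is a small parser for the RidManager block of dcdiag output. This is an added example, not part of the original post or of dcdiag: it takes the text from a RidManager test (the sample below is constructed to match the output quoted above), reports what is really left in the pool in use, and raises a flag only in the case that matters – both pool attributes still identical once the pool is less than half used, meaning the request to the RID Master has not been answered.

```python
import re

# Constructed sample, laid out like the dcdiag RidManager output quoted in this post.
SAMPLE = """\
Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 12352 to 12851
   * rIDNextRID: 12849
   * Warning :There is less than 1% available RIDs in the current pool
   ......................... domaincontrollername passed test RidManager
"""

POOL_RE = re.compile(r"\*\s*(rIDAllocationPool|rIDPreviousAllocationPool) is (\d+) to (\d+)")
NEXT_RE = re.compile(r"\*\s*rIDNextRID:\s*(\d+)")


def parse_ridmanager(text):
    """Pull the three pool attributes out of a RidManager test block.

    The keys follow the reading of the (misleading) attribute names given
    in the post: rIDPreviousAllocationPool is the pool in use,
    rIDAllocationPool is the next pool already fetched from the RID Master,
    and rIDNextRID is the last RID handed out.
    """
    pools = {name: (int(lo), int(hi)) for name, lo, hi in POOL_RE.findall(text)}
    m = NEXT_RE.search(text)
    if m is None or len(pools) != 2:
        raise ValueError("RidManager output incomplete")
    return {
        "current_pool": pools["rIDPreviousAllocationPool"],
        "next_pool": pools["rIDAllocationPool"],
        "last_rid": int(m.group(1)),
    }


def assess(info):
    """Work out what is left in the current pool and whether anyone should care."""
    lo, hi = info["current_pool"]
    size = hi - lo + 1
    remaining = hi - info["last_rid"]           # RIDs not yet handed out from this pool
    percent = 100.0 * remaining / size
    no_next_pool = info["next_pool"] == info["current_pool"]
    # When the pool is exhausted Windows switches to the fetched pool, so the
    # next object takes the first RID of that pool rather than last_rid + 1.
    if remaining == 0 and not no_next_pool:
        next_rid = info["next_pool"][0]
    else:
        next_rid = info["last_rid"] + 1
    # Below 50% a fresh pool should already have been requested, so the two
    # attributes should differ; if they are still identical the request to
    # the RID Master has not succeeded and is worth chasing.
    status = "CHECK RID MASTER" if (no_next_pool and percent < 50) else "OK"
    return {"remaining": remaining, "percent": percent,
            "next_rid": next_rid, "status": status}


if __name__ == "__main__":
    print(assess(parse_ridmanager(SAMPLE)))
```

Run against the quoted output it reports 2 RIDs left, 12850 as the next RID to be issued and a status of OK, because a next pool (14352 to 14851) is already in hand; the "less than 1%" warning on its own is not the signal.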

I tested this by creating some new users and running further tests with dcdiag.exe, observing the DC reach the end of the pool and then start using the next pool (originally called rIDAllocationPool):

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 12352 to 12851
   * rIDNextRID: 12851
   * Warning :There is less than 0% available RIDs in the current pool
   ......................... domaincontrollername passed test RidManager

Starting test: RidManager
   * Available RID Pool for the Domain is 17352 to 1073741823
   * domaincontrollername.domainname.tld is the RID Master
   * DsBind with RID Master was successful
   * rIDAllocationPool is 14352 to 14851
   * rIDPreviousAllocationPool is 14352 to 14851
   * rIDNextRID: 14352
   ......................... domaincontrollername passed test RidManager

Once I have created another 249 or so users, I should see a new rIDAllocationPool generated.

[Screenshot: the RID shown as the final component of the SID on the Additional Account Info tab]

Just to be sure that I understood this fully, I installed acctinfo.dll, after which I could clearly see the RID at the end of the SID for the test user account (when viewing the Additional Account Info tab on the user properties in Active Directory Users and Computers).
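The same split can be done in code, which is handy when the SID comes out of a script as the binary objectSid attribute rather than the text form acctinfo.dll shows. The following is an added example, not code from the post or from Microsoft: it converts between the binary layout of a SID (revision byte, sub-authority count, 48-bit big-endian identifier authority, then little-endian 32-bit sub-authorities) and the S-1-5-… string, pulls the RID off the end, and classifies it against a pool. The domain identifier in the sample SID is made up; the well-known RIDs listed are the standard ones.

```python
import struct

# Standard well-known RIDs; everything below 1000 is reserved for built-ins.
WELL_KNOWN_RIDS = {500: "Administrator", 501: "Guest",
                   512: "Domain Admins", 513: "Domain Users"}


def sid_string_to_bytes(sid):
    """Encode S-R-A-S1-...-Sn as the binary objectSid form."""
    parts = sid.split("-")
    if len(parts) < 3 or parts[0] != "S":
        raise ValueError("not a SID string: %r" % sid)
    revision, authority = int(parts[1]), int(parts[2])
    subs = [int(p) for p in parts[3:]]
    return (bytes([revision, len(subs)])
            + authority.to_bytes(6, "big")
            + struct.pack("<%dI" % len(subs), *subs))


def sid_bytes_to_string(blob):
    """Decode the binary objectSid form back to S-R-A-S1-...-Sn."""
    revision, count = blob[0], blob[1]
    if revision != 1 or len(blob) != 8 + 4 * count:
        raise ValueError("malformed SID blob")
    authority = int.from_bytes(blob[2:8], "big")
    subs = struct.unpack("<%dI" % count, blob[8:])
    return "S-%d-%d-%s" % (revision, authority, "-".join(str(s) for s in subs))


def split_sid(sid):
    """Return (domain identifier, RID): the RID is the final sub-authority."""
    head, _, rid = sid.rpartition("-")
    return head, int(rid)


def describe_rid(rid, current_pool=None):
    """Say where a RID came from, optionally checking it against a DC's pool."""
    if rid in WELL_KNOWN_RIDS:
        return "well-known: " + WELL_KNOWN_RIDS[rid]
    if rid < 1000:
        return "reserved built-in RID"
    if current_pool and current_pool[0] <= rid <= current_pool[1]:
        return "allocated from this DC's current pool"
    return "allocated from another pool or DC"


if __name__ == "__main__":
    # Constructed sample: a made-up domain identifier with the RID from the post.
    sid = "S-1-5-21-1004336348-1177238915-682003330-12850"
    blob = sid_string_to_bytes(sid)
    print(sid_bytes_to_string(blob), split_sid(sid), describe_rid(12850, (12352, 12851)))
```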

In short, if you see a message about less than a certain percentage of RIDs in the current pool, don’t worry about it (as long as rIDAllocationPool is different to rIDPreviousAllocationPool)!  The pool will gradually be used until it reaches 0% and tips over into the next allocation.  The problem is the confusing language used (rIDAllocationPool should really be rIDNextAllocationPool, rIDPreviousAllocationPool should really be rIDCurrentAllocationPool and rIDNextRID should be rIDPreviousRID).

File name limitations when accessing Windows file shares from a Mac

Earlier this afternoon, one of my friends got in touch with “a quick tech question” (it had to be quick as his method of communication was SMS text message):

“…We have a brand new, state of the art pre-press system which, for some reason, is running Windows 2000. It seems that this OS cannot handle file names longer than 27 chars…”

I was sure that this would be an integration issue rather than an operating system restriction as I’ve never come across any such limitation with a Windows NT-based Windows system (leaving aside the question as to why would a state of the art device use an old and unsupported operating system?) – besides which, I was in no mood to give an office full of professional Mac users an excuse to bash Microsoft!

After a very short time spent googling, I found a newsgroup post which explains the issue. It seems that Apple filing protocol (AFP) 2.2, used by Windows Services for Macintosh, has a 31-character limit (presumably 4 of those characters are used by the driveletter:\ portion of the filename and another one somewhere else leaving 27 visible characters). AFP 3.x has no such limitation but, as all modern Macs can use SMB to communicate natively with Windows servers, there seems little point in using Services for Macintosh these days. Looking at the Wikipedia article on AFP, there may also be restrictions on file sizes with AFP and certain client-server combinations.

Wireless security and secure remote access

Last night, I attended Steve Lamb‘s Microsoft TechNet UK briefing on wireless security and secure remote access. I won’t repeat the entire content here, because Steve has an article in the November/December issue of Microsoft TechNet magazine, entitled improve your web security with encryption and firewall technologies, which, when combined with Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article, just about covers the content of the event. Having said that, there were a few more snippets that came out during the presentation, which I’ve plagiarised (and extended) in the rest of this post…

Wireless Security

Anyone who needs to secure a Wireless network at home should check out Steve Lamb’s blogcast on securing a wireless router and Windows XP and, although I’ve already linked it above, I’ll repeat that Kathryn Tewson and Steve Riley’s security watch: a guide to wireless security article is also worth a read. Further information is also available on the Microsoft website.

Some additional notes that I took during Steve’s presentation were that:

  • Wireless network keys can be stored on a USB token.
  • Wired equivalent privacy (WEP) is often considered insecure but consider the name – the equivalency part indicates that it offers the same level of security as a wired network. Yes, it can be broken into, but so can a wired network with public access to the building. Wi-Fi Protected Access (WPA) (or preferably WPA2) is better and dynamic WEP is a half-way house, but whatever security is employed, the wireless network still needs to be easy to use.
  • There are sites on the ‘net that will show you how to break a wireless (or other) connection (if you think it’s irresponsible of me to link that site, you could also find it using a search engine, so I figure that it’s better that the methods are well known, than only being known by the bad guys).
  • Contrary to popular belief, there is no point in securing the SSID for a network as it is transmitted unencrypted (even on a network secured with WPA or WPA2). Ditto for media access control (MAC) addresses, which are easily spoofed.
  • Even WPA doesn’t do anything to prevent a denial of service (DoS) attack and WPA2 (802.11i) doesn’t stop all DoS attacks.
  • 802.1x is port-based authentication and applies equally to both wired and wireless networks. It does have weaknesses, including that it will only authenticate the initial connection. In a wireless configuration, man-in-the-middle (MitM) attacks can be guarded against by requiring the WAP to identify itself using certificates (using a group policy object).
  • WEP requires Windows XP. WPA requires Windows XP SP1, WPA2 requires Windows XP SP2 and a hotfix (see Microsoft knowledge base article 893357).
  • The Windows 2000 Internet authentication service (IAS) can be used as the RADIUS server component in a secure wireless deployment; however Windows Server 2003 supports auto-enrolment (which when used for computer and user certificates will make life much easier).
  • Windows XP will (by default) allow access to its nearest access point, even if it is not secure.

Very importantly – if (like I did), you think that your wireless network (e.g. at home) doesn’t need to be secured because there’s no data of value to be had and anyway, you have bandwidth to spare which you don’t mind your neighbours using, consider the implications of someone using your wireless network to access the Internet and perform illegal activities, which your ISP can trace back to you via your IP address. Having thought about that, I’ll be buying a new wireless access point very soon.

Secure Remote Access

Microsoft are positioning virtual private networking (VPN) technology as no longer the best solution for providing corporate remote access and I tend to agree. The idea of giving an untrusted computer an IP address from the internal network fills me with fear (unless some quarantining is in place). VPNs “blur” the network edge and anyway, do remote users need full network access? I’ve often accidentally printed a document in the office whilst working at home and then had to ask a colleague to retrieve and dispose of it for me (wasting paper, printer resources and somebody else’s time). Some solutions will use VLAN technology to limit the network access for VPN users – there are other methods too, especially when considering that 90% of VPN users only really want to read their e-mail. For example, Outlook Web Access, whilst having improved its interface capabilities dramatically with each new release, is still not really a great solution for access from outside the corporate firewall (it’s good for allowing users to access mail without setting up a MAPI profile, but is heavily reliant on ActiveX controls, which may not be allowed in an Internet cafe, and is also a risk if the remote client has a keylogger installed) – full client Outlook using RPC over HTTPS on a notebook/tablet PC is a far better option – totally transparent from an end user perspective (although still a problem if an e-mail links back to internal resources to retrieve a document).

Steve Lamb’s TechNet magazine article (and my previous post on securing the network using Microsoft ISA Server 2004) elaborate on the need for application layer firewalling rather than blindly allowing HTTP and HTTPS traffic through the firewalls. Other measures employed include pre-authentication and URL scanning.

SSL VPNs are another method of providing remote access (even though they are not really VPNs, but are actually just remote desktops in a browser). Windows Terminal Services can provide basic SSL VPN functionality, which can also be extended with products from Citrix.

Operating over the remote desktop protocol (RDP), which is based on the International Telecommunications Union (ITU) T.120 protocol family and is therefore independent of network and transport protocols, these solutions use compression and caching to reduce bandwidth requirements and support network load balancing. Windows Server 2003 brings a number of terminal services enhancements (over Windows 2000) including:

  • Connection to the console session (in remote administration mode).
  • Control of RDP options via group policy.
  • WMI provider for scripted terminal services configuration.
  • ADSI provider for access to per-user terminal services profiles.
  • Improvements to the terminal server manager MMC snap-in (reduced automatic server enumeration).
  • Ability to limit users to a single session.
  • Improved security:
    • Remote Desktop Users security group (which can be used in place of the Everyone group to fine tune access control).
    • 128-bit RC4 encryption.

Securing terminal services comes back to the well-known principle of defence in depth:

  • A physically secure terminal services server.
  • A secure operating system configuration.
  • A secure terminal services configuration.
  • Network path security.
  • Using the registry to fine-tune control over terminal server sessions (probably overkill, but using group policy to control access is a similar principle).

Using the remote desktop web connection ActiveX control, terminal services can be provided across the web (and optionally secured using HTTPS). The initial client contact is to http(s)://servername/tsweb/ and the ActiveX control is downloaded over HTTP (TCP port 80) or HTTPS (TCP port 443). Once the browser has the ActiveX control installed, the user can connect to the terminal server over TCP port 3389.

If full VPN access is still required (and hopefully the methods above will avoid the requirement for this), then VPN server placement must be carefully considered. Running an encrypted PPTP or L2TP+IPSec VPN connection through a standard packet filtering firewall effectively bypasses the firewall as the VPN port will be open on internal and external firewalls and the traffic inside the connection will not be inspected.

Most network administrators will be alarmed if you propose the installation of ISA Server as the corporate firewall even though ISA Server 2004 has now achieved common criteria evaluation assurance level 4+. ISA Server 2004 is a perfectly good firewall (assuming that the underlying Windows platform is also well-managed), but it will probably be easier to justify to network administrators by using ISA as an additional server in the DMZ, or as the inner firewall (between the DMZ and the internal network). This way, the encrypted connection can be terminated at the ISA server and the firewall can inspect the inbound traffic.

Finally, if a VPN connection must be used to extend the corporate network to remote clients, then network quarantine controls should also be put in place. Full network access protection (NAP) is expected with the next version of Windows Server (codenamed Longhorn) but even now, Windows Server 2003 SP1 routing and remote access service (RRAS) allows for the provision of network access quarantine control for remote clients. The current Microsoft implementation involves using the connection manager administration kit (CMAK) to construct a custom RRAS client which includes a number of post-connection actions. Until these are passed, then vendor-specific options remain in place which prevent the remote VPN client from accessing the network. Unfortunately it is also possible for a technically able user to spoof the message which allows the vendor-specific attributes to be removed, but in reality this is a small risk. Microsoft’s NAP and Cisco’s network access control (NAC) will make this far more effective, extending the scope of control to include wired and wireless clients (as well as VPN clients).

Using RIS to PXE boot non-Windows images

I’ve written a few posts previously for this blog about Microsoft Remote Installation Services (RIS), but today I needed to do something I knew was possible in theory but had never done before – using RIS to serve a boot image of something that’s not an unattended Windows setup.

Although slightly complicated by the need to use Active Directory for security, RIS is, at its most basic, a PXE server, capable of serving boot images via TFTP to suitable client PCs (before an operating system is loaded). In theory, any bootable floppy can be converted into a RIS boot image file but Microsoft doesn’t provide the tools – for that you will need the 3Com RIS Menu Editor (RISME). The original version of this is a free download from 3Com – later versions (e.g. emBoot RIS Menu Editor 2.0) are available for a small price (with a free trial period) but I found the 3Com version to be perfectly adequate (although it only runs locally on a Windows 2000 RIS server, whereas v2.0 of the emBoot product allows remote creation and editing of RIS menus and boot images, and supports Windows Server 2003).

After running RISME to capture an image from boot media, an additional folder structure will have been created on the RIS server, either in \\servername\RemInst\Setup\English\Images\3com\i386\ or in \\servername\RemInst\Setup\English\Tools\3com\i386\, depending on whether or not the image was created via the Automatic Setup or the Maintenance and Troubleshooting tabs.

Along with the image (.IMG) file (which can be edited directly using a utility such as WinImage), is an appropriate boot loader (.LDR) file and a RIS setup information (.SIF) file containing something similar to the following text:

[OSChooser]
Description = "description"
Help = "helptext"
LaunchFile = "Setup\English\Images\3Com\i386\tool1.ldr"
Version = "1.00"
ImageType=Flat

RIS should automatically pick up the new .SIF file and offer it as a menu choice in the OS Choices menu although it may be necessary to edit the User Configuration | Remote Installation Services | Choice Options within the Default Domain Policy group policy object in Active Directory to allow access to some of the RIS menus (e.g. Maintenance and Troubleshooting).

I now plan to use this method to deploy Ghost images (via an MS-DOS boot disk, captured as an image) and a PXE boot to a RIS server but for more information (including links to enable PXE booting of Linux), check out Google’s cached version of an article on how to use RIS to bootstrap other operating systems (unfortunately the original is no longer available online).

Setting up IP forwarding on a Windows network

My network at home has two subnets joined by a wireless link (note that the IP addresses have been changed to protect the innocent):

[Diagram: IP forwarding between the two home subnets]

You might wonder why it doesn’t all sit under my desk (after all we’re not talking about a multinational corporation here) but the simple fact is that most of my kit has been procured from an eclectic mix of sources over the years (so it is hardly what you might call standard) and the server (on which I do a lot of testing) is a noisy beast, as is the 24-port switch that it’s plugged into – hence the reason they are stored away in the basement.

The trouble with this configuration is that the dual-homed PC which acts as a bridge between the wired and wireless segments in the basement is exactly that – dual-homed – i.e. it needs the 802.3 adapter to be on one subnet and the 802.11b adapter to be on another (otherwise this could all have been on one flat subnet). That means that it also needs to be able to route traffic to and from each subnet, otherwise the server is invisible to the rest of the network (and vice versa).

That’s where IP forwarding comes in (aka IP masquerading in Linux-speak).

Disabled by default in Windows 2000, XP and Server 2003, IP forwarding basically allows a dual-homed host to act as a network bridge. Microsoft knowledge base article 323339 details the registry setting to enable this on Windows Server 2003 – there are other articles for Windows 2000 and XP but they are pretty much identical.

There are, however, a couple of important points to note:

  • Only one interface should have a default gateway. In my case, the default gateway for the bridge’s wired connection is blank.
  • I also had to put a static route to 192.168.2.0/24 on my ADSL router using the IP address of the bridge’s wireless connection as a gateway (so that outbound traffic to the Internet from the 192.168.2.x network has a return path).

For comparison purposes, the routing table on my bridge (192.168.1.50/192.168.2.50) looks like this:

IPv4 Route Table
===========================================================================
Interface List
0x1 ........................... MS TCP Loopback interface
0x10003 ...00 08 02 xx xx xx ...... Intel(R) PRO/100 VM Network Connection
0x10004 ...00 80 c8 xx xx xx ...... D-Link AirPlus DWL-520+ Wireless PCI Adapter
===========================================================================
===========================================================================
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1    192.168.1.50      25
        127.0.0.0        255.0.0.0        127.0.0.1       127.0.0.1       1
      192.168.1.0    255.255.255.0     192.168.1.50    192.168.1.50      25
     192.168.1.50  255.255.255.255        127.0.0.1       127.0.0.1      25
    192.168.1.255  255.255.255.255     192.168.1.50    192.168.1.50      25
      192.168.2.0    255.255.255.0     192.168.2.50    192.168.2.50      20
     192.168.2.50  255.255.255.255        127.0.0.1       127.0.0.1      20
    192.168.2.255  255.255.255.255     192.168.2.50    192.168.2.50      20
        224.0.0.0        240.0.0.0     192.168.1.50    192.168.1.50      25
        224.0.0.0        240.0.0.0     192.168.2.50    192.168.2.50      20
  255.255.255.255  255.255.255.255     192.168.1.50    192.168.1.50       1
  255.255.255.255  255.255.255.255     192.168.2.50    192.168.2.50       1
Default Gateway:       192.168.1.1
===========================================================================
Persistent Routes:
  None

Whilst on the ADSL router it looks like this:

Network Destination  Netmask          NextHop            IF     Type      Origin
0.0.0.0              0.0.0.0          isprouter          ppp-0  Indirect  Dynamic
127.0.0.0            255.0.0.0        127.0.0.1          lo-0   Direct    Dynamic
192.168.1.0          255.255.255.0    192.168.1.1        eth-0  Direct    Dynamic
192.168.1.1          255.255.255.255  127.0.0.1          lo-0   Direct    Dynamic
192.168.2.0          255.255.255.0    192.168.1.50       eth-0  Indirect  Local
isprouter            255.255.255.255  mypublicipaddress  ppp-0  Direct    Dynamic
mypublicipaddress    255.255.255.255  127.0.0.1          lo-0   Direct    Dynamic
btrouter1            255.255.255.255  btrouter2          ppp-0  Direct    Dynamic

For the other LAN-connected devices, the important details are that for LAN 1 the default gateway is 192.168.1.1 and for LAN 2 the default gateway is 192.168.2.50.
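To see why the two points above (a single default gateway on the bridge, and a static route on the ADSL router) are what make this work, here is a small longest-prefix-match lookup run over the two routing tables from this post. It is an added example, not anything from the post or from Windows: the tables are transcribed from the output above (the loopback, broadcast and multicast entries are left out as they do not affect the result, and "isprouter" stands in for the ISP's next hop as it does in the post), and the helper at the end checks whether the router has a return path to the second LAN via the bridge.

```python
import ipaddress

# Bridge (192.168.1.50 / 192.168.2.50), transcribed from the route print output above:
# (destination, netmask, gateway, interface, metric)
BRIDGE_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "192.168.1.1",  "192.168.1.50", 25),
    ("192.168.1.0", "255.255.255.0", "192.168.1.50", "192.168.1.50", 25),
    ("192.168.2.0", "255.255.255.0", "192.168.2.50", "192.168.2.50", 20),
]

# ADSL router, transcribed likewise. The 192.168.2.0/24 entry is the static route
# added by hand; without it replies for LAN 2 would follow the default route out to the ISP.
ROUTER_ROUTES = [
    ("0.0.0.0",     "0.0.0.0",       "isprouter",    "ppp-0", 0),
    ("192.168.1.0", "255.255.255.0", "192.168.1.1",  "eth-0", 0),
    ("192.168.2.0", "255.255.255.0", "192.168.1.50", "eth-0", 0),
]


def lookup(routes, dst):
    """Return (gateway, interface) for dst: longest prefix wins, then lowest metric."""
    dst = ipaddress.ip_address(dst)
    best = None
    for dest, mask, gw, iface, metric in routes:
        net = ipaddress.ip_network("%s/%s" % (dest, mask), strict=False)
        if dst in net:
            key = (net.prefixlen, -metric)
            if best is None or key > best[0]:
                best = (key, gw, iface)
    return None if best is None else (best[1], best[2])


def default_gateways(routes):
    """Every 0.0.0.0/0 entry; a dual-homed forwarder should have exactly one."""
    return [gw for dest, mask, gw, _, _ in routes if dest == "0.0.0.0" and mask == "0.0.0.0"]


def return_path_ok(router_routes, remote_lan, bridge_addr):
    """True if the router sends traffic for remote_lan to the bridge, not to its default route."""
    probe = next(ipaddress.ip_network(remote_lan).hosts())
    hop = lookup(router_routes, str(probe))
    return hop is not None and hop[0] == bridge_addr


if __name__ == "__main__":
    print("bridge -> Internet:", lookup(BRIDGE_ROUTES, "203.0.113.10"))
    print("bridge -> LAN 2 host:", lookup(BRIDGE_ROUTES, "192.168.2.77"))
    print("router -> LAN 2 host:", lookup(ROUTER_ROUTES, "192.168.2.77"))
    print("default gateways on bridge:", default_gateways(BRIDGE_ROUTES))
    print("return path from router:", return_path_ok(ROUTER_ROUTES, "192.168.2.0/24", "192.168.1.50"))
```

Dropping the static route from ROUTER_ROUTES makes the return-path check fail, which is exactly the symptom of LAN 2 hosts being able to send packets out but never getting replies back.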

Migrating DHCP databases between Windows servers

One side effect of rebuilding the server that runs pretty much everything on my home network was that I had to migrate the DHCP database (twice – first to a virtual machine operating as a temporary server, and then back to the original hardware after it had been rebuilt).

I knew that it was possible (I did it from NT 4.0 to Windows 2000 for a client a few years back) but hadn’t done it recently.

It turned out to be pretty straightforward – all of the details are in Microsoft knowledge base article 325473 but basically on the source (Windows 2000 Server) server, stop the DHCP service and use jetpack.exe to tidy up the database, then use the DHCP database export/import resource kit tool (dhcpexim.exe) to dump the database and finally import it on the target (Windows Server 2003) server using the network shell (netsh.exe). The second migration was even quicker – for a Windows Server 2003 source and target it just involves a couple of netsh commands. Finally, don’t forget to disable redundant DHCP services (or deauthorise the servers in Active Directory) to prevent multiple DHCP servers from servicing clients simultaneously.

This is why I’m not a fan of Java

I just wasted 2 days (one of which was on my weekend), and a lot of sleep, trying to work out why I couldn’t upgrade the Windows 2000 server which looks after my domain, DHCP, RIS, SUS and a whole load of other bits at home.

Every time I tried to run Windows Server 2003 setup it seemed to hang – and everything else was pretty slow too. I had to launch control panel applets using their .cpl filenames (e.g. appwiz.cpl for the Add or Remove Programs applet) and services would not stop cleanly.

I decided that my system was badly broken and quickly built a virtual machine on another piece of hardware, promoting that to a domain controller to provide a live backup of Active Directory. As in-place upgrades weren’t working, I resigned myself to the fact that I was going to have to migrate everything to the virtual server, then rebuild the original box but I wanted to cleanly remove the original domain controller from the directory.

Every time I ran the Active Directory installation wizard (dcpromo.exe) it failed – usually with the following error.

Active Directory Installation Failed

The operation failed because:

Failed to prepare for or remove the sysvol replication “The file replication service cannot be stopped.”

(Even though logged events with IDs 13502 and 13503 suggested that the FRS had indeed stopped).

Microsoft knowledge base article 332199 led me to try the dcpromo /forceremoval command but that failed in exactly the same way. I ran dcdiag /s:localhost on each server to look for any issues, checked that each server could ping the other one, that net view \\servername returned a list of shares, and all required DNS entries were present. I checked the DNS settings (to make sure that each server was using itself as the primary DNS server and the other domain controller as a secondary) and restarted just to be sure but all to no avail.

To cut a long story short, I found the answer purely by fluke. I couldn’t get the DHCP server service to stop cleanly (to let me migrate the database to my virtual machine) so I did a Google search for “windows services hang on stop”. This turned up a TechRepublic thread titled APC Java issues cause services to hang. I realised that I do have an APC UPS attached to the server, and that I was using a version of PowerChute Business Edition (PBE) that had been sitting there happily for a couple of years (v6.2.2) – I hadn’t upgraded to 7.x as recommended by APC knowledge base article 7202 because APC had never e-mailed me to notify me of a problem and services that aren’t broken (and that don’t have an inbuilt patching mechanism) generally get left well alone on my systems!

Lo and behold, the APC services had hung on startup and there were various events logged with ID 7022 (the APC PBE Agent service hung on starting). I disabled both the APC PBE client and server services, using the registry (as the services console was inoperable) to locate HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\servicename\ and set Start to 0x00000004 for disabled (0x00000002 is automatic and 0x00000003 is manual), restarted the server and had the fastest boot sequence in days! My Windows installation was responsive again and I was able to remove the offending applications in a few short clicks.

My problems were nothing to do with Active Directory, DNS or even Windows – they all boiled down to an expired Sun Java Runtime Environment (JRE) certificate and sloppy coding from APC which meant that if their services hung, then so did all subsequent ones. I’ve never been a fan of Java applications on Windows – generally they are slow and have a poor user interface – and this experience has done nothing to change my mind.

Once the APC PBE agent, client and server had been removed, I was able to successfully (and cleanly) demote the original domain controller (avoiding having to follow the steps in Microsoft knowledge base article 216498 to remove data left in the directory after an unsuccessful demotion) but having migrated all the services to my virtual machine, I decided to go ahead and perform a clean installation of Windows on the original hardware anyway. I’m currently mid-way through patching the rebuilt server but I’m so glad that P McGrath from Rocky Mount, VA posted his experience on TechRepublic and Google did its thing.

Remind me again – how did we ever manage to find things out before we had the web?

A quiet news day?

Today must be a “quiet news day”. We see precious little IT news in the national press, and I know it’s the middle of August, but Metro, the UK’s free newspaper for commuters in and out of our major cities, is really scraping the barrel with its IT reporting this morning. On page 21, a sixth of a page is given over to a story about a worm attacking Windows 2000 (Hackers target Windows 2000) – an officially unsupported operating system. I wouldn’t mind that such a non-event is reported if only it were accurate. According to the Metro article:

“The basic effect of the worm is not damaging but irritating – it forces the computer to repeatedly shut down and reboot, clogging networks.”

Since when did a reboot clog up a network? (A few bytes of DHCP traffic; an increased number of logons). Allegedly, “ABC News producers were forced to use electronic typewriters to prepare TV scripts”. It seems to me that the most pertinent point of the article was the quote from a security expert from McAfee who said that the time between vulnerability exposure and exploit is lessening – something we’ve known for some time now. Microsoft’s advice on what to do about this exploit, known as Zotob indicates that “only a small number of customers have been affected… [with] no indication of widespread impact to the Internet” (although Sophos lists a dozen types of malware exploiting the MS05-039 vulnerability used by Zotob).

The Metro reporter, Sarah Hills, needs to do some research – perhaps instead of alarming a generally computer-illiterate public she should point out that Windows 2000 is old and those organisations affected should tighten up their anti-virus protection! More to the point, the exploit also affects Windows XP and Windows Server 2003 – not just Windows 2000!

In the same paper, immediately below the “Hackers target Windows 2000” piece, is another one about how “Bluetooth thieves log your laptop”, scanning parked cars for Bluetooth devices locked in the boot. Isn’t Bluetooth off when my laptop is switched off?

I know it’s all about stories being newsworthy, but what I’d really like to see is the occasional IT piece in the national press which is both accurate and timely, without being alarmist.

Best practices for managing automatic IP addressing with DHCP

Dynamic host configuration protocol (DHCP) is often taken for granted – we expect it to work; however there are a few items which need to be considered and this post is intended as a general discussion of DHCP best practice.

Most administrators will be familiar with the overall DHCP concept – basically a database of IP addresses allocated to clients dynamically, allowing centralised IP address management; however, most of the organisations I see still need to use static addresses for some devices (e.g. servers). Whilst there is nothing wrong with this and I would still suggest using fixed IP addresses for networking equipment and the DHCP server itself, reservations can be useful to reserve particular addresses for certain clients, based on their media access control (MAC) address. The main drawback of this approach is that if the NIC in the computer changes, so does the MAC, although reprogramming the MAC address is possible (as is setting up a new reservation).

If there are static addresses in use which fall within an IP address range intended for DHCP, exclusions can be configured (much easier than configuring several scopes to cover the fragmented IP range). Exclusions can be configured for a single address, or for a range of IP addresses.

Lease duration is another area to consider (i.e. the amount of time before a client needs to renew its DHCP address). If this is set too long, and there are a large number of mobile clients, there is a risk of running out of available IP addresses as these mobile clients join the network, lease an address and then leave again without releasing it; conversely, if it is too short, there is a large amount of renewal traffic as each DHCP client attempts to renew its lease at the half life. For most environments, I find that an 80:20 rule can be applied – i.e. provide 20% more addresses than are expected to be in use at any one time (to cater for mobile clients) and set the lease time to 1 day; for a subnet with largely static PCs, longer leases may be appropriate.

DHCP includes a number of pre-defined options that can be set on a client:

  • Server options apply to all scopes on a server (e.g. 006 DNS servers, 015 DNS Domain Name).
  • Scope options apply to a single scope (e.g. 003 Router).
  • Class options can be applied to a specific type of device.
  • Reservation options apply to specific reservations.

Occasionally it may be necessary to configure custom options – e.g. 060 for a pre-boot execution environment (PXE) client or 252 for web proxy auto-discovery (WPAD).

If there are multiple DHCP servers on a subnet, then the client will be allocated an address by the first one to answer – this is why Windows 2000 and later DHCP servers support DHCP authorisation in Active Directory (preventing the use of rogue DHCP servers); however, this will not affect non-AD DHCP servers (such as the one in Virtual Server, or on an ADSL router). When a client issues a DHCP request, all listening servers respond with an offer and the client accepts the first answer received. Because DHCP requests are broadcast-based, they typically cannot traverse routers, so DHCP relaying must be configured where clients are remote from the DHCP server.
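As an added illustration (not code from the original post), here is a small Python decoder for the DHCP options field that pulls out the options named above (003, 006, 015 and 252), works out the half-life renewal point from the lease time, and flags an offer whose server identifier is not on an authorised-server list; the server addresses, domain name and WPAD URL are constructed sample values, not taken from any real network.

```python
import struct

# Constructed list of authorised DHCP servers (hypothetical; stands in for AD authorisation).
AUTHORISED_SERVERS = {"192.168.1.250", "192.168.1.251"}

def parse_options(blob: bytes) -> dict:
    """Decode RFC 2132 code/length/value options (0 = pad, 255 = end)."""
    opts, i = {}, 0
    while i < len(blob) and blob[i] != 255:
        if blob[i] == 0:                     # pad byte has no length field
            i += 1
            continue
        code, length = blob[i], blob[i + 1]
        opts[code] = blob[i + 2:i + 2 + length]
        i += 2 + length
    return opts

def build_options(fields: dict) -> bytes:
    """Encode a DHCPOFFER options field from {code: value} (sample data only)."""
    out = bytearray([53, 1, 2])              # option 53: message type 2 = OFFER
    for code, value in fields.items():
        out += bytes([code, len(value)]) + value
    return bytes(out + b"\xff")

def ip(raw: bytes) -> str:
    return ".".join(str(b) for b in raw)

def describe_offer(blob: bytes) -> dict:
    """Extract the settings an admin checks on an offer; flag unauthorised server IDs (option 54)."""
    o = parse_options(blob)
    lease = struct.unpack("!I", o[51])[0]    # option 51: lease time in seconds
    return {
        "server": ip(o[54]),
        "router": ip(o[3]),                  # option 003
        "dns": [ip(o[6][i:i + 4]) for i in range(0, len(o[6]), 4)],  # option 006
        "domain": o[15].decode(),            # option 015
        "wpad": o[252].decode() if 252 in o else None,  # option 252 WPAD URL
        "lease_seconds": lease,
        "renew_t1_seconds": lease // 2,      # clients renew at the half life
        "authorised": ip(o[54]) in AUTHORISED_SERVERS,
    }

# Two constructed offers: one from an authorised server, one from a rogue device.
SAMPLE_OFFER = build_options({
    54: bytes([192, 168, 1, 250]), 3: bytes([192, 168, 1, 254]),
    6: bytes([192, 168, 1, 250, 192, 168, 1, 251]), 15: b"example.internal",
    51: struct.pack("!I", 86400), 252: b"http://wpad.example.internal/wpad.dat"})
ROGUE_OFFER = build_options({
    54: bytes([192, 168, 1, 1]), 3: bytes([192, 168, 1, 1]),
    6: bytes([192, 168, 1, 1]), 15: b"home", 51: struct.pack("!I", 3600)})
```

Running `describe_offer` over captured offers on a subnet gives a quick check that the answering server, the router and DNS settings it hands out, and the lease length are the ones you expect.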

To configure DHCP for redundancy, it is generally advised to configure two DHCP servers and to split the scope using a 50:50 or 80:20 ratio (50:50 works well where both DHCP servers are on the same site; 80:20 is often more appropriate where a remote site is providing redundancy for a local server). For example, if I want to allocate addresses on the network 192.168.1.0/24, I might reserve the top 10 or so addresses for static devices and create two scopes on two DHCP servers – one for 192.168.1.1-120 and the other for 192.168.1.121-240. This provides 240 potentially available addresses and, if one server is unavailable, the other can still answer. Of course, this scenario only provides for 120 clients (96 taking into account my earlier recommendations for dealing with mobile devices). It is also possible to cluster DHCP servers for redundancy.

Superscopes can be used to group several scopes into one for management purposes, but when I tried to implement these in a live environment, we found that they did not work well and had to revert to individual scopes for each subnet.

Since Windows 2000, the Microsoft DHCP server implementation has included DNS integration. Set on the scope properties, this allows three options for updating A and PTR records in DNS as IP addresses are leased to DHCP clients:

  • Enable DNS dynamic updates, either always, or if requested (by Windows 2000 or later clients).
  • Discard DNS records when the lease is deleted (i.e. clean up afterwards).
  • Dynamically update DNS for legacy clients that do not request updates (e.g. Windows NT 4.0).

In terms of new features, Windows Server 2003 improves on Windows 2000 Server by allowing backup and restoration of the DHCP database from the DHCP console. It also provides for both user- and vendor-specified option classes. Potentially the greatest area of improvement is integration of DHCP commands within the netsh command shell.

Finally, DHCP servers use a JET database and may be busy. At a recent Microsoft TechNet UK event, John Howard recommended that every now and again, the service is stopped and jetpack.exe is used to perform database maintenance, improving performance (as described in Microsoft knowledge base article 145881).

One last patch for Windows 2000

Windows 2000 mainstream support is due to end today and a couple of days back, as expected, Microsoft released update rollup 1 for Windows 2000 service pack 4. Full details of this update (including why it is not called Windows 2000 service pack 5) are included in Microsoft knowledge base article 891861 and the problems which it resolves are listed in Microsoft knowledge base article 900345.

I’ve been working with Windows 2000 since the late 90s, when it was NT 5.0 beta 2, and I guess I’ll still be using it for a while yet (as will many of my clients) but for a view on why 48% of corporates are still using Windows 2000, see my decision time for Windows 2000 users post from a few days back.