Rob Golding

The next incarnation of the Ubuntu linux distribution came out at the end of this week, and whilst typing this post, I am upgrading my laptop’s operating system. Unfortunately, I was unable to upgrade in the way that is described on the website here, instead my update manager seemed to think that the system was completely up-to-date, even after multiple refreshes. Therefore, I’m just upgrading the old-school way, by running the following commands:

sudo apt-get update

sudo do-release-upgrade

So, hopefully the improvements to gnome, and the new Dust theme will go down a treat when the upgrade’s finished. Personally I’m looking forward to the new BBC iPlayer integration with Totem, Ubuntu’s media player - and hoping for some improvements to Microsoft Exchange connectivity within Evolution, the mail client.

I shall keep the world up-to-date, as this journey continues!

As time goes on I seem to be accumulating more and more machines - whether they be physical or virtual - which causes somewhat of a problem with my bookmarks. I use my bookmarks as a sort of knowledgebase, with solutions to problems I have encountered in the past for example.

The solution to this dillema: Foxmarks. I’ve had this addon for a long time now - since it was just a simple little bookmarks backup application - so I’m really impressed with how it’s turned out. Basically, Foxmarks syncronises your bookmarks with their server, so that you can access your bookmarks from any machine with firefox installed. It also functions as a backup if your profile goes bad.

Recently I’ve started at university, so I’m using my laptop as my primary machine nowadays, along with a firefox profile on the Computer Science machines. I’ve also got a few virtual machines on my laptop with firefox, so the amount of profiles is getting larger by the day. This is where foxmarks really comes into its own, keeping my bookmarks current between all my installations.

It’s arrived! The final release of VMware Server 2.0 was announced last week. Will you be upgrading?

I’m not going to make the leap just yet. I’ve just upgraded my system (see previous post), and so far it’s been up with not a single hickup since installation. I don’t expect to be ripping up all my hard work for a while yet.

One thing that is interesting my at the moment - what are people’s opinions on the new console? Personally, I think the new console is “sort of OK”. They have the right idea - being able to manage the machine from a remote location without installing client software first - afterall it is called VMware Server. This makes sense in theory, but the console is so sluggish and, in my experience so far, buggy - that it just doesn’t work yet. Starting and stopping virtual machines is slow, and the remote VM console takes a good number of seconds to launch. The interface is vastly improved from the beta that I covered in a post a long time ago, but still not perfect in my opinion.

Also, the console has its own Tomcat web server running on the host machine, which eats up a large amount of RAM. This is annoying at best, and disastrous at worst - when you need all the RAM you have for the Virtual Machines this software is supposed to be managing!

Anyway, I may install this on a test bed somewhere, but certainly not on my production system for some time. I’d love to know if I’m in the majority or the minority on this one.

I have recently upgraded my home server, shelling out on a new Core 2 Duo CPU and 4GB of RAM for the machine. Having this much RAM means that in order to use it, I had to install a 64-bit O/S. I chose Ubuntu Server 8.04 - and VMware Server to host my virtual machines. I have put together a Word Document with some notes on the issues and tips I came accros on the way, which could prove invaluable to anyone taking the same approach as me. One of the main sources for my research and tinkering ideas was a post on the VMware Community forums - http://communities.vmware.com/thread/146002 - linked to inside the Word Document.

This post made extremely interesting and informative reading – if one can understand the material in that post, then a lot of load issues can be easily resolved– especially IOWait issues (my particular concern). My issue turned out to be a mixture of the settings above, and Postfix misbehaving.

See the word document here.

Update: Advice followed, PDF available here.

If you work with Microsoft’s Terminal Services on a regular basis, you’ve probably come accross a printing issue at some point. The point of this post is to provide a potential solution to the problem whereby locally attached network printers cannot be used from a remote terminal services session. By locally attached, I mean directly connected via. IP address, and not by way of a print server. This is often the case with consumer grade network printers, or wireless equivalents.

The concept is simple - attach the network printer as normal, then share it. Then, connect to the share on the local machine - thus using the printer as it is connect via a print server - with the server being the local machine. Here are the steps required to achieve this:

• First attach the printer as normal. For the type of connection I am describing this is via. a TCP/IP port. So choose New Printer in Printers and Faxes, and then Local printer attached to this computer.
• When asked the type of port, choose TCP/IP, and enter the IP address of the network printer.
• Once the printer is connected, share it. This can be done from the wizard, or by using the Sharing and Security panel afterwards.
• Then, choose New Printer again, this time selecting a network printer. Then enter \\<machine_name>\<share_name> as the path to the printer. Obviously machine name is the name of your computer, and share name is the name with which you shared the printer in the previous step.
• Note: This step will not introduce a new printer item to your list of printers, so don’t be alarmed when nothing new appears. Just connect to the terminal server as in the last step.
• Once this is done, connect to your terminal services session and wait for a minute or two for the printer to appear. Note that version 6 of the Microsoft Terminal Services Client may be required for this to work.

Although it seems hacky, and untidy, this solution seems to work well, so I hope this will help at least one person out there. Happy printing.

While improving the network at my house (an indeed, the network which supports this very web server), I started to explore the world of network monitoring and reporting. I had heard quite a bit about Cacti before, but never considered installing it. That was mostly due to the stories I had heard about how unholy difficult the damn thing is to get working properly. “Don’t even go there” was my mindset. Until now, that is.

Cacti is a complete network graphing solution designed to harness the power of RRDTool’s data storage and graphing functionality.

Brilliant. Network graphing is good, I want to see pretty charts and graphs about how my network is doing. So I gave it a go. Here’s some of my ups-and-downs, and the end result.

First, I needed a linux machine to try this on. Cacti itself obviously wasn’t enough of a challenge for me, I wanted to get it to work on an operating system with which I had very little experience. I chose Ubuntu Server 7.10 - I’ve worked with Ubuntu before, and I like the Aptitude package manager which would make this project somewhat easier for me.

So first of all, I installed the O/S. I’m using a Virtual Machine on my main VM host, which had some RAM to spare. I only have the machine 128MB, as I’m not going to be asking too much of it (hopefully). I didn’t specify a LAMP install, even though that is exactly what would be required. I wanted to do all the fiddly stuff later on.

Once the O/S was on, I needed to install the required packages, and then Cacti itself. Cacti requires a web server, with PHP and GD (the image library), and a MySQL server. I followed this guide to get them all installed on this new machine, and then extracted and set up Cacti.

Worth noting here, is that when importing the cacti.sql file into the MySQL database, I first created the database called “cacti”, then modified the cacti.sql file, adding “use cacti” to the beginning of the file - otherwise an error stating “no database selected” would appear.

Once the database was setup, and Cacti was extracted - I pointed Firefox to http://cacti/cacti (I had a creative moment and called the Cacti server cacti). The setup process was web-based from here-on, and Cacti was installed in a matter of seconds.

So, now I added my hosts (after enabling the SNMP service on my Windows Servers, and configuring the community), and created some graphs. Just network traffic graphs at first. After a few polls, I was amazed to see the graphs populating perfectly. After following these instructions I made them look so much better (maybe not sexy, though!), and the result was something like this:

Wonderful. Pretty graphs showing me how much the internet connection is being used. 100k eh? Somehow I think paying for 20Mb isn’t worth it!

OK, so now I have lots of nice graphs, I wanted to get a Network Weathermap working - which is like a virtual network diagram, showing the traffic between each node on the map - as it reads the data from the same source as Cacti.

This was much easier than I thought - after adding the nodes and links into the config file, the values took on the colours of my scale as they should - and I had a lovely diagram of my network with automatically updating traffic information! Here’s the end result.

And there we have it! Not at all as bad as I was expecting. I do hope this will be of help to anyone wanting to do something similar.

Okay, so if you’re anything like me - and like things to be done properly first time (and also to look neat), then you’ll know what I mean when I talk about the separate _msdcs zone in DNS on a Windows AD DNS Server. Of course, you have to be a nerd, like me, to know what I’m talking about here also - but that’s assumed seeing as you’re reading this blog. I digress…

If you have ever reconfigured said DNS server, and recreated the DNS zones from scratch, you’ll know that the neat zone that keeps all the SRV records separate from the oh-so-important A records, disappears - and gets put in a folder under the usual domain root.

Well, I have a solution to the ever so pressing issue. Obviously the only way anyone is going to risk breaking their whole Active Directory network will be if, like me, they are so _totally_ OCD about this kind of thing.

So, if you’re interested, I’ve written a short article on how to restore this behaviour, and published it as always on maxms.net. If you think it might help you out, then here’s the link:

http://maxms.net/article/Restoring-the-Separate-_msdcs-Zone-in-DNS

But remember, follow that article at your own risk!

As an update to the previous post regarding the installation of a new IPCop as my network firewall, I have finally completed the configuration of its VPN service for use as a Roadwarrior. I can now connect to the IPCop machine from my laptop, using the OpenVPN client from anywhere in the world.

I was surprised with the ease of configuration once an addon called “Zerina” was installed. This made the process extremely simple to complete, even offering to package up an OpenVPN configuration file and certificate combination - so all that is needed to connect is one click!

With regards to the IPCop machine itself, it is one of the most stable servers I have ever put into operation. I literally installed the O/S (about 50mb) a couple of weeks ago - and since then there has been not one issue. Not even a restart - it’s just been chugging away on that old 400MHz Pentium II. I am in awe of the little thing - which is actually proving to be a damn sight faster than the overpowered and clunky ISA Server that I used to use.

Also, with the terrible OpenVPN logo, and the lack of suitable IPCop art, I hope the visio diagram to the left bears a resemblance to this post that could be appreciated by the reader. I definitely think it makes the post something special, would you not agree?

My latest project, to replace the bulky overpowered ISA firewall on my home network with a lean mean IPCop machine, was declared a great success a few days ago.

I am familiar with IPCop, as I used to use it a long time ago. Since then it has matured somewhat, but the feature set is pretty much the same as I remember. The new machine is a 400MHz PII, with 192mb RAM. It is sitting in the place of a Sempron 3000+ with 1GB RAM. Amazing, it’s doing the same job with a fraction of the power. And also, it uses a third of the electricity - 30W in total. Good news given the rise in energy prices!

The main challenge so far, which I still haven’t overcome, is how to get RoadWarrior VPN working, using the windows built-in VPN client, with L2TP/IPSec. This used to be trivial with ISA Server, but this isn’t quite the case with a linux firewall. I have been looking at other distributions such as monowall and pfSense, niether of which seem to spell out their ability to achieve this clearly. I am playing with a few of these on Virtual Machines, so hopefully I will come accross a way to do this before long - I’m starting to miss my RoadWarrior VPN server. How sad, eh?

As a matter of curiosity more than anything, I often wonder whether other people’s methods and practices for setting up AD are similar to my own. I will explain as best I can my own procedure, in an attempt to see how it compares to the rest of the IT community.

Firstly, I install DNS on the Domain Controller to-be. I don’t do any configuration on the service, just install it. Then, running DCPromo, I allow the wizard to configure the DNS Service for me. This makes sure that the two separate zones will be present - _msdcs.domain.name, and domain.name. This seems much neater to me, and I like to see this result - so I allow the wizard to take care of it.

When the domain is installed, the first thing I usually do is open up the default domain policy and remove all the password complexity options. These are usually just an annoyance - and unless the network has any particular security needs, I disable them all. Maybe leaving the length value at 6 if it’s inappropriate to turn it off completely. I like managing GPO’s from the Group Policy Management Console (GPMC), so that usually gets installed straight away.

In regard to the structure of the domain, I make an OU with the domain’s Netbios name in the root, and under that I create some OU’s as follows:

• Computers
• Distribution Groups (If Exchange will be installed)
• Security Groups
• Servers
  • Exchange Servers (for a special shutdown script)
• System Users
• Users

As for an explanation for that Exchange Servers OU, I make a shutdown script to stop all the exchange servers when it shuts down, to make the process a hundred times faster. I am so impressed by this technique, it works flawlessly every time. This OU allows me to assign the shutdown script via GPO to all Exchange Servers in the domain. Note that the DC stays in its own Domain Controllers OU that is created by the system automatically.

I guess at this point I’m feeling like I should do a backup of the DC. DHCP servers need authorizing, and Remote Desktop needs configuring. When that’s done, we’re basically there. Get the clients joined to the domain and we’re off!

I have no idea whether my procedure is similar to anyone elses, or in any way superior (or indeed inferior) to others. Give me some opinions anyway, it will be interesting to hear from the rest of the community.