KB: Cheat sheet for adding persistent iSCSI volume in Windows Server 2008 Server Core
- Set iSCSI service to autostart
sc config msiscsi start= auto
- Add persistent iSCSI target
iscsicli.exe
QAddTargetPortal <Portal IP Address>
ListTargets
QloginTarget <target_iqn>
PersistentLoginTarget <target_iqn> T * * * * * * * * * * * * * * * 0
ListPersistentTargets
ReportTargetMappings
- Create disk partition and volume
diskpart.exe
list disk
select disk <disk number>
online disk
attributes disk clear readonly
create partition primary
format fs=ntfs quick
assign letter=<drive letter>
list volume
Remarks: The step that clears the read-only flag in DiskPart is important on Windows Server 2008; otherwise creating the partition fails with a "Media is write protected" error. See http://support.microsoft.com/kb/971436/EN-US for details.
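The same cheat sheet as a non-interactive script for Server Core, added here as an example (not from the original post). The portal address, target IQN, disk number and drive letter are constructed placeholders; iscsicli accepts its commands as arguments and DiskPart reads them from a script file, so nothing has to be typed at a prompt.

```batch
@echo off
rem Added example: scripted version of the persistent iSCSI volume steps.
rem Constructed values - replace with your own portal, target IQN, disk
rem number and drive letter. Run from an elevated cmd prompt.
set PORTAL=192.0.2.10
set TARGET=iqn.2009-01.com.example:storage.lun0
set DISKNUM=1
set LETTER=E

rem Start the iSCSI initiator service now and on every boot
sc config msiscsi start= auto
net start msiscsi

rem Discover the portal, log in once, then register a persistent login so
rem the session is re-established automatically after a reboot
iscsicli QAddTargetPortal %PORTAL%
iscsicli ListTargets
iscsicli QLoginTarget %TARGET%
iscsicli PersistentLoginTarget %TARGET% T * * * * * * * * * * * * * * * 0
iscsicli ListPersistentTargets
iscsicli SessionList

rem Bring the disk online, clear the read-only attribute (KB971436) and
rem create a quick-formatted NTFS volume via a DiskPart script file
(
  echo select disk %DISKNUM%
  echo online disk
  echo attributes disk clear readonly
  echo create partition primary
  echo format fs=ntfs quick
  echo assign letter=%LETTER%
  echo list volume
) > %TEMP%\iscsi-disk.txt
diskpart /s %TEMP%\iscsi-disk.txt
del %TEMP%\iscsi-disk.txt
```

After a reboot, `iscsicli SessionList` should show the target logged in again without any manual step; if it does not, check `ListPersistentTargets` first.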
KB: Microsoft iSCSI Software Target 3.2 MSI package hack to remove SKU limitation
The Microsoft iSCSI Software Target 3.2 is designed for Windows Storage Server 2008 and is only distributed to storage OEM partners and MSDN subscribers. The iSCSI target MSI package checks the Windows SKU and shows the error message "Installation is not supported on this operating system." if it is not being installed on Windows Storage Server.
To install the iSCSI target on another Windows Server SKU for testing purposes, the MSI database can be modified to remove the Launch Condition.
IMPORTANT: This is not a supported configuration in any form; do it at your own risk.
- Install the "Orca" tool from the Windows SDK. See http://support.microsoft.com/kb/255905
- Open iscsitarget.msi with Orca and look for the IsSupportedSKU condition in the LaunchCondition table.
- Remove the IsSupportedSKU condition
- In Tools->Options->Database, make sure "Copy embedded streams during 'Save As'" is checked.
- Click File->Save As to export the modified MSI package.
KB: Windows Storage Server 2008 default password
Password: wSS2008!
Reference: http://resume.jimmarch.com/2009/05/windows-storage-server-2008-rc-default-password/
Good & Bad News: Synology Disk Station Manager 2.2 BETA added iSCSI target support, but it lacks "persistent reservation" support, making it unusable as Windows Server 2008 cluster storage
I've been waiting for the Synology NAS firmware upgrade with iSCSI support so I can try out Windows Server 2008 failover clustering on my Hyper-V box. The good news is that DSM 2.2 BETA is out with iSCSI, but it is IET based, which lacks the SCSI-3 persistent reservation support required by Windows Server 2008 clusters. The same problem applies to some other software iSCSI targets, e.g. OpenFiler.
Reference:
http://blog.baeke.info/blog/_archives/2007/10/24/3311645.html
KB: Lotus Domino 7 and before do not support 4096-bit key root certificate
4096-bit keys are only supported in Domino 8 and above.
Reference:
http://www-01.ibm.com/support/docview.wss?rs=688&uid=swg21149988
http://www-01.ibm.com/support/docview.wss?uid=swg21213645
http://www-10.lotus.com/ldd/dominowiki.nsf/dx/supported-key-sizes-in-notesdomino
KB: Enable Windows XP Remote Desktop Connection to Windows Vista / Windows Server 2008 requiring Network Level Authentication
Problem: The following error is shown in Windows XP Remote Desktop Connection when connecting to Windows Vista / Windows Server 2008 that requires Network Level Authentication.
Solution: Enable CredSSP (Credential Security Support Provider) in Windows XP SP3, where it is disabled by default.
- Install Windows XP SP3
- Follow the instructions in KB951608 to turn on CredSSP http://support.microsoft.com/kb/951608/
More Information:
My Certificate Authority Lab Setup (Part 1) – Offline Root CA
To start with something simple I'm building a 2-tier CA hierarchy consisting of an offline root CA and an issuing Windows Server 2003 Enterprise CA.
Some notes on my Root CA setup:
- Install Windows Server 2003, Standard Edition is good enough for an offline CA.
- Workgroup only, DO NOT join Domain.
- Think twice about the computer name before starting the CA installation; the computer cannot be renamed afterwards.
- IMPORTANT! Create CAPolicy.inf in C:\WINDOWS (or %SYSTEMROOT%) to specify an empty CRL distribution point and AIA.
Example:
[Version]
Signature="$Windows NT$"
[Certsrv_Server]
RenewalKeyLength=4096
RenewalValidityPeriod=Years
RenewalValidityPeriodUnits=5
CRLPeriod=days
CRLPeriodUnits=180
[CRLDistributionPoint]
Empty=TRUE
[AuthorityInformationAccess]
Empty=TRUE
[PolicyStatementExtension]
Policies=AllIssuancePolicy
Critical=FALSE
[AllIssuancePolicy]
OID=2.5.29.32.0
URL=http://www.contoso.com/cert/cps.htm
- Install Certificate Services only; do not install IIS or other services, to minimize the attack surface. You don't need web enrollment for this offline CA.
- Use custom settings to specify a key length of 4096 bits and 5 years validity. (Watch out for Domino root certificate key length support: use 2048-bit if any SubCA is going to issue S/MIME certificates for Domino 6 & 7. More on MyKB.)
- After installation, use "certutil -setreg ca\[name]" to set the issuing validity timespan and the default container distinguished name referenced by the CDP and AIA LDAP URLs.
Registry Value          Data
ValidityPeriod          Years
ValidityPeriodUnits     2
DSConfigDN              CN=Configuration,DC=contoso,DC=com
- Configure the CA's CDP and AIA locations. The objective is to use the external FQDN instead of the computer name for the HTTP URL and to make it come before the LDAP URL.
- Remove the default URLs except the local disk location and add back the following URLs:
CDP URL                                                                Options
http://www.contoso.com/cert/%3%8%9.crl                                 CSURL_ADDTOCERTCDP - 2
ldap:///CN=%7%8,CN=%2,CN=CDP,CN=Public Key Services,CN=Services,%6%10  CSURL_ADDTOCERTCDP - 2
                                                                       CSURL_ADDTOFRESHESTCRL - 4
                                                                       CSURL_ADDTOCRLCDP - 8
AIA URL                                                                Options
http://www.contoso.com/cert/%1_%3%4.crt                                CSURL_ADDTOCERTCDP - 2
ldap:///CN=%7,CN=AIA,CN=Public Key Services,CN=Services,%6%11          CSURL_ADDTOCERTCDP - 2
- Configure the CRL publication interval and make sure Delta CRL is disabled. (An interval of 180 days is already specified in the CAPolicy.inf file.)
- Publish the CRL and examine the CDP location. Make sure the DSConfigDN registry value is set up correctly and you are not seeing "DC=UnavailableConfigDN" in the LDAP URL.
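The post-install certutil steps above, collected into one script as an added example (not from the original post). It assumes the contoso.com forest and the http://www.contoso.com/cert/ publication path used in the notes, and the default CertEnroll folder for the local-disk location; the numeric flags are the CSURL values listed above (1 = server publish, 2 = add to cert CDP/AIA, 4 = add to freshest CRL, 8 = add to CRL CDP).

```batch
@echo off
rem Added example: post-install configuration of the offline root CA.
rem Assumes forest contoso.com and HTTP path http://www.contoso.com/cert/.
rem Run from an elevated cmd prompt on the root CA; "%%" yields a literal
rem "%" so certutil receives the %3, %8, ... replacement tokens unchanged.

rem Issuing validity: certificates issued by this root (the SubCA) get 2 years
certutil -setreg ca\ValidityPeriod "Years"
certutil -setreg ca\ValidityPeriodUnits 2

rem Configuration container used for %%6 in the LDAP URLs. A workgroup CA
rem cannot look it up itself and would emit DC=UnavailableConfigDN instead.
certutil -setreg ca\DSConfigDN "CN=Configuration,DC=contoso,DC=com"

rem CRL every 180 days, no delta CRL
certutil -setreg ca\CRLPeriod "Days"
certutil -setreg ca\CRLPeriodUnits 180
certutil -setreg ca\CRLDeltaPeriodUnits 0

rem CDP list: local file (1), HTTP first (2), then LDAP (2+4+8 = 14).
rem certutil treats "\n" as the separator between list entries.
certutil -setreg ca\CRLPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%3%%8%%9.crl\n2:http://www.contoso.com/cert/%%3%%8%%9.crl\n14:ldap:///CN=%%7%%8,CN=%%2,CN=CDP,CN=Public Key Services,CN=Services,%%6%%10"

rem AIA list: local file (1), HTTP first (2), then LDAP (2)
certutil -setreg ca\CACertPublicationURLs "1:%%WINDIR%%\system32\CertSrv\CertEnroll\%%1_%%3%%4.crt\n2:http://www.contoso.com/cert/%%1_%%3%%4.crt\n2:ldap:///CN=%%7,CN=AIA,CN=Public Key Services,CN=Services,%%6%%11"

rem Restart the service so the registry changes take effect, publish a
rem CRL, then read the settings back to check the order and the config DN
net stop certsvc
net start certsvc
certutil -crl
certutil -getreg ca\CRLPublicationURLs
certutil -getreg ca\CACertPublicationURLs
certutil -getreg ca\DSConfigDN
```

The `-getreg` output should list the HTTP URL before the LDAP URL and show the LDAP path ending in CN=Configuration,DC=contoso,DC=com rather than DC=UnavailableConfigDN.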
OK, the root CA is now ready. Next up is the issuing enterprise CA.
References:
KB: User will be enrolled with a new certificate when logging on to new client machine with certificate autoenrollment enabled
Problem: When a user logs on to multiple machines with autoenrollment enabled, each machine generates a new key pair for the user, since the user's existing certificates are not present in the local certificate store.
Solution: Configure Credential Roaming, which is supported through the Windows Server 2003 SP1 Administrative Template.
http://technet.microsoft.com/en-us/library/cc783542(WS.10).aspx
NetScreen 5GT Home-Work Port Mode has a catch
I had never noticed that the NetScreen 5GT Home-Work port mode has a catch... It has a default policy that blocks everything from the Home zone to the Work zone, so a DMZ-like configuration cannot be built with it.
If you want a DMZ you have to buy the 5GT Extended. It is really just a license key upgrade, purely a sales strategy...