blog.scottlowe.org

The weblog of an IT pro specializing in virtualization, storage, and servers

Archive for June, 2006

Bulk Adding Entries in DNS

June 30th, 2006 by slowe

While we are on the topic of bulk changes—I’ve discussed bulk changes in Active Directory and bulk adds to a WINS server—I thought I might discuss bulk adds of resource records to a DNS zone.

There are two pieces to the formula for bulk adding records to a DNS zone.  First, we’ll reuse the “for /f” command used in automating the addition of entries into WINS.  This time we’ll couple it with the Dnscmd.exe tool from the Windows Server 2003 Support Tools (this link is for the 32-bit SP1 tools).

The format of the Dnscmd.exe tool to add a record in DNS is:

dnscmd <server> /RecordAdd <zone> <node> <RR type> <RR data>

To create a host (A) record, the actual command would look like this:

dnscmd . /RecordAdd example.net host1 A 10.20.30.40

The “.” syntax here refers to the local server; this can be easily substituted with an IP address or hostname of a remote DNS server.

Using some of the same techniques as before, combining Dnscmd.exe with the “for” batch command allows us to do something like this (the command is broken across two lines here for readability; enter it as a single line at the command prompt, and if you put it in a batch file instead, write %%1 and %%2 rather than %1 and %2):

for /f "tokens=1,2" %1 in (newhosts.txt) do
@dnscmd dns.example.net /RecordAdd example.net %1 A %2

This assumes that the “newhosts.txt” file contains something like this:

host1 10.20.30.40
host2 11.22.33.44
host3 12.24.36.48

Here’s a small twist, though:  What if your list isn’t space delimited, but comma delimited?  No problem, just adjust your command accordingly:

for /f "tokens=1,2 delims=," %1 in (newhosts.txt) do
@dnscmd dns.example.net /RecordAdd example.net %1 A %2

The “delims=,” parameter tells the “for” command to use a comma as the delimiter, allowing us to use comma-separated input.  Note that “delims=” replaces the default delimiters (space and tab) rather than adding to them, so a file that mixes both styles needs “delims=, ” with both a comma and a space inside the quotes.

With this command, we now can pretty easily add large numbers of hosts to a DNS zone.  Each line becomes a separate call to the DNS server made under your own credentials, so run it from an account that is allowed to modify the zone (a member of DnsAdmins or of the local Administrators group on the DNS server), and look over the input file first: whatever is in it goes straight onto the command line.

Category: Microsoft | Comments Off

Mounting ISO Images in Linux

June 30th, 2006 by slowe

Here’s another incredibly simple task that one often needs to perform when using Linux:  mounting an ISO image.  The problem is, I so very rarely do this that I forget the exact switches to use.  So, to avoid that problem in the future, I’m posting the information here for future reference.  Even if no one else finds it useful, at least I’ll know where to look next time I need to do this.

To mount an ISO file (as root, and with the mount point directory already created), use the following command:

mount -t iso9660 -o loop /path/to/image.iso /mount/path

I know, a very simple command and one that Linux veterans around the world have probably used a million times over.  Like I said, when it’s not something that you do every day, it’s easy to forget it.  (Especially when your brain is busy trying to process other new information…)

Category: Linux | Comments Off

Strange ESX Server Error

June 29th, 2006 by slowe

I spent the day today working with ESX Server 3.0 and VirtualCenter 2.0, the next-generation products from VMware.  After shutting down one of the older ESX 2.5.3 servers in the test lab and then booting it back up again, I ran into an error trying to start some of the VMs.

At first, I tried starting the VM (which, again, was hosted on an ESX Server running version 2.5.3 Upgrade Patch 1) from VirtualCenter 2.0.  The error was something along the lines of “General System Error, VirtualCenter is Unable to Set the Power State of the Server” (or similar).  Thinking perhaps that it was an incompatibility between the new version of VirtualCenter and the older version of ESX Server, I opened an SSH session to the Service Console and tried using vmware-cmd.

From the Service Console, I used this command:

vmware-cmd /home/vmware/vsbgw01/vsbgw01.vmx start

I received an error there, too; this error was something along the lines of:

There was an error connecting to the specified virtual machine:
Unexpected response from vmware-authd:
The process exited with an error:
Cannot change mode of /var/run/vmware to 01777:
Operation not permitted
Failed to initialize the VMX VMDB instance

A quick search on the Internet turned up this VMTN community forum thread, where I learned the problem was permissions on the /var/run/vmware directory.  The thread has all the pertinent information to fix it, and after running the command mentioned in the thread all the VMs started up just fine—both from the Service Console command line as well as from VirtualCenter.

I’m not sure how the permissions got changed, but in the event you run into that error yourself, here’s the fix.

UPDATE:  I ran into this problem again, and to make finding the solution easier, I’m including the full details here instead of making readers follow the link.  Basically, the error is the result of losing the “sticky bit” on the /var/run/vmware directory: vmware-authd expects that directory to be mode 01777 (world-writable, with the sticky bit set so that users can only remove the files they own), and as the error above shows, a VM will not start if it cannot make it so.  Running the command “chmod 01777 /var/run/vmware” as root will fix the problem.  The correct permissions for the directory should be “drwxrwxrwt” in the directory listing; the trailing “t” is the sticky bit.

Category: Virtualization | Comments Off

Automating Static Entries in WINS

June 28th, 2006 by slowe

There may be times when large numbers of static (or dynamic, for that matter) entries need to be added to your WINS server.  This may be the result of migrating from one WINS server to a new WINS server.  In any case, here are the commands needed to do just that.

First, create a simple text file that contains the names and IP addresses of the computers that should be added to the WINS server.  These should be separated by a space.  Something like this will work well:

SERVER1 172.16.100.1
SERVER2 172.16.100.2
SERVER3 172.16.100.3

Let’s assume this file is called “static.txt”.  From the same directory where “static.txt” is currently saved, execute this command at a command line prompt (the line is broken here for readability, please enter as a single line; if you put it in a batch file instead, write %%1 and %%2 rather than %1 and %2):

for /f "tokens=1,2" %1 in (static.txt) do
@netsh wins server add name name=%1 ip={%2}

Assuming that the user account under which this command is run has read/write access to the currently-configured WINS server, the output of this command should be something like this:

***You have Read and Write access to the server srv01.example.net***
 
Command completed successfully.

This will be repeated for each line in the text file static.txt.  After this command completes, WINS Manager will show the new static entries in the WINS database.

Please note that it should be possible to modify this command line to accept input piped in from another program, but I have not tested this.  Enjoy!

UPDATE:  To direct the requests to a specific WINS server rather than just the default WINS server, add the IP address of the WINS server in the command line like this:

for /f "tokens=1,2" %1 in (static.txt) do
@netsh wins server 10.10.10.100 add name name=%1 ip={%2}

This will direct the name registrations to the specified WINS server.
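Both the DNS post above (“Bulk Adding Entries in DNS”) and this WINS post drive a one-line “for /f” loop with no validation and no error checking: a malformed line, a typo in an IP address, or an add that the server rejects simply scrolls past.  The PowerShell script below is an added example, not code from either post; it reads the same space- or comma-delimited “name ip” files, rejects anything that is not a valid host name and IPv4 address, and then runs the same dnscmd or netsh command for each record, returning the records that failed.  It assumes dnscmd.exe and netsh.exe are on the PATH, that the caller is allowed to modify the target server, and that both tools set a nonzero exit code when an add fails; the function names and parameters are my own.

```powershell
# Added example (not from the original posts): validate a "name ip" list and
# bulk-add the entries to DNS (dnscmd /RecordAdd) or WINS (netsh wins ... add name).
# Assumptions: dnscmd.exe / netsh.exe are on the PATH, the caller may modify the
# target server, and both tools set a nonzero exit code when an add fails.

function Import-HostList {
    param([Parameter(Mandatory)][string]$Path)

    $lineNo = 0
    foreach ($raw in Get-Content -Path $Path) {
        $lineNo++
        $line = $raw.Trim()
        # Skip blank lines and '#' comments so the list can carry notes.
        if ($line -eq '' -or $line.StartsWith('#')) { continue }

        # Accept the space-delimited and the comma-delimited layouts from the
        # posts (tabs too), the equivalent of for /f "delims=, ".
        $fields = @($line -split '[\s,]+' | Where-Object { $_ -ne '' })
        if ($fields.Count -ne 2) {
            Write-Warning "line ${lineNo}: expected 'name ip', got '$line'"
            continue
        }
        $name, $ip = $fields

        # A single DNS/NetBIOS label: letters, digits, hyphens, no dots
        # (dnscmd appends the zone name itself).
        if ($name -notmatch '^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?$') {
            Write-Warning "line ${lineNo}: invalid host name '$name'"
            continue
        }

        # Dotted-quad IPv4 only. TryParse alone would also accept IPv6 and
        # shorthand forms, and comparing its canonical output with the input
        # rejects octal-looking octets such as "010" that parse differently.
        $parsed = $null
        if ($ip -notmatch '^(\d{1,3}\.){3}\d{1,3}$' -or
            -not [ipaddress]::TryParse($ip, [ref]$parsed) -or
            $parsed.IPAddressToString -ne $ip) {
            Write-Warning "line ${lineNo}: '$ip' is not a valid IPv4 address"
            continue
        }

        [pscustomobject]@{ Name = $name; IP = $ip }
    }
}

function Add-HostRecords {
    [CmdletBinding(SupportsShouldProcess)]
    param(
        [Parameter(Mandatory)][ValidateSet('DNS', 'WINS')][string]$Target,
        [Parameter(Mandatory)][string]$Server,          # "." = local DNS server
        [string]$Zone,                                   # DNS only
        [Parameter(Mandatory, ValueFromPipeline)][pscustomobject]$Record
    )
    begin {
        if ($Target -eq 'DNS' -and -not $Zone) { throw '-Zone is required for DNS' }
        $failed = @()
    }
    process {
        if ($Target -eq 'DNS') {
            $exe  = 'dnscmd'
            $argv = @($Server, '/RecordAdd', $Zone, $Record.Name, 'A', $Record.IP)
        } else {
            $exe  = 'netsh'
            # Same syntax as the post; the braces around the IP are literal.
            $argv = @('wins', 'server', $Server, 'add', 'name',
                      "name=$($Record.Name)", "ip={$($Record.IP)}")
        }
        $what = "$exe $($argv -join ' ')"
        # With -WhatIf, ShouldProcess prints $what instead of running it,
        # which gives a dry run over the whole list.
        if ($PSCmdlet.ShouldProcess("$($Record.Name) -> $($Record.IP)", $what)) {
            $output = & $exe @argv 2>&1
            if ($LASTEXITCODE -ne 0) {
                Write-Warning "$what failed (exit $LASTEXITCODE): $output"
                $failed += $Record
            }
        }
    }
    end { $failed }   # the records that still need attention
}

# Usage (dry run first, then for real):
# Import-HostList .\newhosts.txt | Add-HostRecords -Target DNS -Server dns.example.net -Zone example.net -WhatIf
# Import-HostList .\newhosts.txt | Add-HostRecords -Target DNS -Server dns.example.net -Zone example.net
# Import-HostList .\static.txt   | Add-HostRecords -Target WINS -Server 10.10.10.100
```

Run it with -WhatIf first to see the exact command lines that will be executed; the records that come back from the real run are the ones the server rejected, so they can be fixed in the input file and fed through again without touching the entries that succeeded.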

Category: Microsoft | Comments Off

Available Exploit Code for RRAS Vulnerability

June 28th, 2006 by slowe

Exploit code that takes advantage of the security flaws patched by Microsoft’s recent MS06-025 security update has been made available (see also this article).  The exploit code was made available as part of the Metasploit framework, an open source tool for penetration testing and vulnerability assessment.

Microsoft knocked the security researchers for releasing the exploit code, but H.D. Moore knocked back on his weblog, pointing out that the “accepted industry practice” is to withhold exploit details until the vendor has had time to address them, and that MS06-025 had already done exactly that.

Also worth noting is a comment on that article, from the Metasploit weblog, stating that Windows 2000 is not vulnerable to unauthenticated exploitation via the RRAS flaws, contrary to Microsoft’s security bulletin.

Fortunately, this exploit reaches the vulnerable RRAS RPC interface over SMB, which means TCP ports 139 and 445, both of which are commonly blocked by perimeter firewalls.  While this won’t protect organizations from attacks launched inside the network (including worms or other malware already on an internal host), it will lessen the possibility of an Internet-borne attack.  The real fix, of course, is to apply MS06-025.

The actual Metasploit framework module is available here.

Category: Security | Comments Off

WinFS Axed

June 27th, 2006 by slowe

The news is all over the ‘Net:  Microsoft has killed WinFS as an independent product and will instead roll the technology into the next version of SQL Server, code-named “Katmai.”

I hate to say this, but I’m not really surprised.  Microsoft has been talking about this abstract storage strategy since the pre-NT4 days, when “Cairo” was going to introduce the Object File System.  The idea keeps getting pushed farther, and farther, and farther back…

In the meantime, technologies and products such as Spotlight (for Mac OS X), Beagle (for Linux), and Google Desktop (for Windows) continue to improve and continue to make this kind of sweeping technological change irrelevant.  Is that why Microsoft killed WinFS?  Do they feel the need for WinFS has been eliminated due to pervasive search technologies being embedded in the OS?  Perhaps, but I would disagree with that belief.  Tacking search technologies onto a file system instead of fixing the file system is just covering up the problem.

Instead, why not focus on more fully utilizing the functionality of the file system you’ve got?  Why is Windows still relying on file name extensions to determine file types when that information could be stored in an alternate data stream directly in NTFS?  Why aren’t applications being written to be able to take advantage of things like alternate data streams, or extensible properties?

Category: Microsoft | Comments Off

NetApp ONTAP Simulator and ESX Server

June 27th, 2006 by slowe

In preparation for some NetApp training that I’ll be attending next month, I downloaded the NetApp ONTAP Simulator.  The ONTAP Simulator runs on top of Linux (a few different distributions are supported) and allows you to simulate a NetApp Filer.  This is pretty cool for a couple of reasons, not the least of which is that it allows you to perform testing of NAS and iSCSI operations without having an actual Filer.  Unfortunately, I had some problems getting the ONTAP Simulator working in a virtual machine on VMware ESX Server.

To set up the ONTAP Simulator, I created a Linux virtual machine on ESX Server 2.5.3 and installed Red Hat Linux 9.0.  Red Hat 9.0 is a supported distribution for the ONTAP Simulator as well as a fully supported guest OS on ESX Server, and so I didn’t expect any issues.  However, after installing and configuring the simulator, I couldn’t get any network connectivity whatsoever.  I had full connectivity to the guest OS, but not to the simulator.

Finally, after digging around in the documentation for the simulator, I came across a statement indicating that the network interface that was being used by the simulator had to be in promiscuous mode.  That rang a bell:  ESX Server, by default, doesn’t allow NICs in guest operating systems to be in promiscuous mode.

The fix is this:

echo PromiscuousAllowed yes > /proc/vmware/net/vmnic0/config

Replace “vmnic0” in this command with whatever virtual switch or NIC team the virtual machine in question is using.  Once I did this (from the Service Console on the ESX Server) and rebooted the virtual machine running the ONTAP Simulator, it worked like a champ.  Two caveats: the setting applies to the whole virtual switch, so every VM attached to it can now put its NIC into promiscuous mode and see the other VMs’ traffic on that switch (put the simulator on its own virtual switch if that matters to you), and, like anything written under /proc, it does not survive a reboot of the ESX host, so add the command to a startup script if the simulator needs to come back on its own.

(Note:  You must be a current NetApp customer or partner in order to use the ONTAP Simulator.)

Category: Virtualization, Storage | 23 Comments »

New Apple Store

June 25th, 2006 by slowe

The new Apple Store in Raleigh opened yesterday at Crabtree Valley Mall.  I had started to mention this on my weblog yesterday, but initially dismissed the idea.  Then I saw this article, and decided, “Hey, I’m not the only one that was excited about the new Apple store!”

Unlike James, I didn’t bother trying to get there early enough to be one of the first 1,000 customers and get a free T-shirt.  Instead, my son and I had a leisurely morning and got over there around 11:30 AM.  Man, was it packed!  The store is a bit smaller than the only other Apple store in the area (at Streets of Southpoint in Durham), and with the crowd that was there for the grand opening it was standing room only.  I wanted to hang around and play with a MacBook Pro (I’m trying to talk myself into buying one), but my son was definitely not interested in hanging out with all those people.  We left to enjoy some coin rides instead (it’s about the important things in life, you know).

Category: Macintosh | Comments Off

Very High Quality vs. Just Good Enough

June 25th, 2006 by slowe

In a recent article discussing Novell’s leadership change, one analyst was quoted as saying the change was positive for Novell because Novell could stop building very high quality products and instead build products that are just good enough.  I don’t know about you, but this spirit of mediocrity is exactly the wrong kind of thinking for IT vendors.

Specifically, the quote stated this:

“Ron Hovsepian appears to be an astute business person, one who will be able to quickly take stock of the environment and Novell’s position within that environment. This, I hope, will help Novell move from its current position of very slowly building extremely high quality products to quickly building and marketing products that are good enough to satisfy the market,” concluded Kusnetzky.

So what is he (Dan Kusnetzky) proposing then?  It sounds to me that Dan thinks IT software vendors should make their products just good enough to pass muster, instead of making them the best that they can be.

In my opinion, this spirit of mediocrity—this willingness to accept products that are knowingly released with imperfections and flaws because they are “good enough”—is exactly what brought the industry to where it is today.  This mediocrity is what brought SQL Slammer, Blaster, and Melissa.  This is the view that accepts that rebooting your computer a few times a day is just a part of life, and that our operating systems and applications shouldn’t be expected to be stable and reliable.  Just good enough?  When was the last time you recommended a product, service, or vendor because they were “just good enough”?  No, just good enough isn’t good enough.

Every major IT vendor out there—from HP, IBM, and Sun, to Apple, Microsoft, and Red Hat—should be held accountable for the quality of the products they release.  Hey, I understand that companies may make mistakes, and miss errors.  That’s understandable.  But any company that knowingly releases a product that’s “just good enough” when it could have been better is not a company we should be praising.  We should be supporting those companies that emphasize quality over “just good enough”.

Perhaps I’m overreacting.  Perhaps the analyst’s comments were merely directed at the speed with which Novell releases their products, and he was instead trying to say that Novell needed to release competing products more quickly.  Even so, any vendor that values speed over quality is bound to get bitten sooner or later.  Microsoft got bitten, and changed their priorities (somewhat).  Apple will get bitten, too, if they start letting the quality of Mac OS X releases slide in favor of shorter development cycles.  The same goes for all the other vendors.

What about you?  I’d love to hear your comments on the matter.

Category: General | Comments Off

Apache as an OWA Front-End

June 24th, 2006 by slowe

A while ago, I discussed the use of Apache to protect OWA from web-based attacks.  This configuration placed an Apache HTTP server in front of a server running Microsoft Exchange Server 2003 to protect it against web-based attacks, offload SSL encryption, and enable name-based virtual hosts (for the conservation of public DNS hostnames, especially important for smaller organizations).  While this is a useful configuration, it is not without its drawbacks.

First, let’s review some of the advantages of this type of configuration:

  • You can use the open source mod_security module to filter a large class of URL- and request-based attacks before they ever reach OWA.  Mod_security is a rules-based filter, so it only stops what its rules describe, but it is an extremely powerful and useful module that can greatly increase the protection against web-based attacks.  See the mod_security web site for more information.
  • Even without mod_security, deploying Apache in front of OWA can protect the OWA server against many IIS-specific attacks.
  • This configuration can be used in addition to IIS-specific protection such as URLScan.
  • You can terminate the SSL connection at the Apache server instead of on the OWA server, freeing up CPU resources on the OWA server for other tasks (this is especially useful in smaller Exchange deployments where the OWA server may also be a mailbox server).  Keep in mind that the hop from Apache to OWA then carries users’ credentials and mail in the clear unless you re-encrypt it or keep it on a network segment nobody else can sniff.

Now, for some of the disadvantages of this type of configuration:

  • Apache lacks the intelligence of an Exchange server configured as a true front-end, and therefore cannot direct requests to multiple back-end mailbox servers.  In this type of configuration, the Apache reverse proxy always directs requests to the same OWA server and cannot determine which mailbox server the user is homed on.
  • Organizations with expertise in Microsoft products won’t necessarily see any real benefit from this due to the added overhead and learning curve of supporting Linux and Apache.  (Don’t snicker, this is a real concern for organizations.)

I’m sure there are other disadvantages as well.  Anyone care to comment and share their experiences?

Category: Interoperability | Comments Off