Life of a Geek Admin

The Daily adventures of a true geek administrator


How to clear ARP Cache in Windows 2003 / 2008

There are many tools and different ways to troubleshoot TCP/IP network issues. One of those steps could involve clearing the ARP (Address Resolution Protocol) cache. One area where clearing the ARP cache can help is if you are seeing web pages not loading or are unable to ping certain IP addresses.
Clearing the ARP cache is easy to do. Open a command prompt (Start > Run, type cmd and click OK) and enter the following command.

netsh interface ip delete arpcache

It will take 2 – 20 minutes for the ARP cache to update on the server.

To display the ARP cache type

arp -a

To delete an address from the ARP cache type

arp -d <ip_address>

Add static entry to ARP table

arp -s <ip address> <mac address>

Example

arp -s 192.168.1.20 00-cc-00-61-f6-19

 

How To Fix RHEL / CentOS 6.4 LDAP MD5 Cert Error

Recently we updated to the latest RHEL 6.4, which caused LDAP to stop using our MD5-signed certificate. This was due to the nss-3.14.0 update, which now deems MD5 insecure. This change caused authentication of users via LDAP to fail. If the account had a local password (such as root), they were still able to log in.

Since creating / updating the MD5 certificate was not an immediate solution for us, we had to find a way to use what we have while we work on a permanent solution. Here are a few of the workarounds.

Option 1

The first option involves modifying each kernel line in /etc/grub.conf to add support for MD5, as well as creating a file in /etc/profile.d exporting the same variable. In our situation this option did not work, but others on the Internet reported that it worked for them.

Add the following to the end of the kernel lines in /etc/grub.conf:
systemd.setenv=NSS_HASH_ALG_SUPPORT=+MD5

Create /etc/profile.d/nss.sh containing:
export NSS_HASH_ALG_SUPPORT=+MD5

Reboot the server

Option 2

The second option adds the export option to /etc/sysconfig/init. This option worked for allowing users to connect via ssh, but it did not allow authentication when accessing via a console, like Open Console option in vSphere.

Add the following to /etc/sysconfig/init:
export NSS_HASH_ALG_SUPPORT=+MD5

Reboot the server

Option 3

The third option involves downgrading nss packages to 3.13 and adding an exclusion in /etc/yum.conf to not allow an update to nss 3.14 or higher. This was the option that worked for our situation.

You will need to downgrade nss, nss-tools, nss-sysinit and nss-util.

yum downgrade nss nss-tools nss-sysinit nss-util

Next open /etc/yum.conf and add / change:

exclude=nss*

Reboot the server

I hope one of these options helps you in your situation.
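The permanent fix is replacing the MD5-signed certificate, and the first step is finding which certificates are affected. As an added example (not from the original post), this Python reads a PEM certificate and reports its signature-algorithm OID without any third-party library; the two certificates it checks are constructed DER fixtures, not real certificates.

```python
import base64

# Signature-algorithm OIDs nss 3.14 started rejecting (MD-family RSA signatures).
WEAK_SIGNATURE_OIDS = {
    "1.2.840.113549.1.1.2": "md2WithRSAEncryption",
    "1.2.840.113549.1.1.4": "md5WithRSAEncryption",
}

def _read_tlv(buf, pos):
    """Decode one DER tag-length header at pos; return (tag, value_start, value_end)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                          # long form: next n bytes hold the length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, pos, pos + length

def _decode_oid(raw):
    """Turn OBJECT IDENTIFIER content octets into dotted form (base-128 arcs)."""
    arcs = [2, raw[0] - 80] if raw[0] >= 80 else [raw[0] // 40, raw[0] % 40]
    value = 0
    for byte in raw[1:]:
        value = (value << 7) | (byte & 0x7F)
        if not byte & 0x80:                    # high bit clear ends the arc
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)

def signature_algorithm_oid(der):
    """Certificate ::= SEQUENCE { tbsCertificate, signatureAlgorithm, signatureValue }."""
    tag, pos, _ = _read_tlv(der, 0)            # outer Certificate SEQUENCE
    if tag != 0x30:
        raise ValueError("not a DER SEQUENCE")
    _, _, tbs_end = _read_tlv(der, pos)        # skip tbsCertificate entirely
    tag, alg_pos, _ = _read_tlv(der, tbs_end)  # signatureAlgorithm AlgorithmIdentifier
    tag2, oid_start, oid_end = _read_tlv(der, alg_pos)
    if tag != 0x30 or tag2 != 0x06:
        raise ValueError("unexpected structure in signatureAlgorithm")
    return _decode_oid(der[oid_start:oid_end])

def pem_to_der(pem):
    body = "".join(l for l in pem.splitlines() if l and not l.startswith("-----"))
    return base64.b64decode(body)

def check_pem(pem):
    """Return (oid, weak_name_or_None) so a cert can be triaged before the nss update."""
    oid = signature_algorithm_oid(pem_to_der(pem))
    return oid, WEAK_SIGNATURE_OIDS.get(oid)

# --- constructed fixtures: a minimal DER skeleton, NOT real certificates ---
def _der(tag, body):
    assert len(body) < 128                     # short-form length suffices here
    return bytes([tag, len(body)]) + body

def _fake_cert_pem(sig_oid_hex):
    tbs = _der(0x30, _der(0x02, b"\x01"))                          # stand-in tbsCertificate
    alg = _der(0x30, _der(0x06, bytes.fromhex(sig_oid_hex)) + _der(0x05, b""))
    cert = _der(0x30, tbs + alg + _der(0x03, b"\x00\xab"))         # dummy signature BIT STRING
    b64 = base64.b64encode(cert).decode()
    return f"-----BEGIN CERTIFICATE-----\n{b64}\n-----END CERTIFICATE-----\n"

MD5_CERT_PEM = _fake_cert_pem("2a864886f70d010104")     # 1.2.840.113549.1.1.4
SHA256_CERT_PEM = _fake_cert_pem("2a864886f70d01010b")  # 1.2.840.113549.1.1.11
```

On a real server, run check_pem over the PEM files referenced by the LDAP client and server configuration; any certificate that comes back with a weak name is the one to reissue.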

How To setup FreeNX-Server on Fedora 18 x64

Admit it: sometimes you need a GUI when accessing your Linux system, even though most of the time SSH access is all you need. A good option is NoMachine’s NX server, with FreeNX running on your Fedora system.

Here is a way to successfully install.

Become root

$ sudo su -

Now install freenx-server

# yum install freenx-server

This will install any dependent programs it needs.

[screenshot: freenx1]

After the installation has completed we need to configure freenx-server:
# nxsetup --install --setup-nomachine-key

[screenshot: freenx2]

Now we need to make a few changes to the node.conf file:

# vi /etc/nxserver/node.conf

Un-comment ENABLE_USERMODE_AUTHENTICATION="0"
Un-comment ENABLE_SSH_AUTHENTICATION="1"
Un-comment and change DISPLAY_BASE=1000 to DISPLAY_BASE=1001
Un-comment ENABLE_CLIPBOARD="both"
Un-comment and change NX_LOG_LEVEL=0 to NX_LOG_LEVEL=4
Un-comment NX_LOGFILE=/var/log/nx/nxserver.log

Depending on your window manager you will also have to un-comment one of the following.
For KDE:
COMMAND_START_KDE=startkde
For GNOME:
COMMAND_START_GNOME=gnome-session

Un-comment and change COMMAND_MD5SUM="openssl md5" to COMMAND_MD5SUM="md5sum"

Save the changes to the file

Start freenx-server when booting up Fedora:
# systemctl enable freenx-server.service

Start freenx-server and check its status:
# systemctl start freenx-server.service
# systemctl status freenx-server.service

[screenshot: freenx3]

Copy the generated client.id_dsa.key to a location for import on your client, Windows or Linux. For this post I will be using a Windows client.

$ sudo cp /var/lib/nxserver/home/.ssh/client.id_dsa.key ~/

The next part of the process is to download and install the NoMachine NX client. Download the Windows client from http://www.nomachine.com/download-package.php?Prod_Id=3835: you need NX Client for Windows and nxfonts-75dpi-3.5.0-1.exe.

You can optionally download

  • nxfonts-100dpi-3.5.0-1.exe
  • nxfonts-misc-3.5.0-1.exe
  • nxfonts-others-3.5.0-1.exe

Double click to install the packages. Once installed you will need to start the client and configure it. Make sure to import the client.id_dsa.key from the server.

[screenshot: freenx6]

After a successful login.

[screenshot: freenx7]

On the Fedora system you can grep for nx (ps -ef | grep -i nx) and should now see the server running and a connection.

[screenshot: freenx4]

Optimal Network Adaptor Settings for VMXNET3 and Windows 2008 R2

There is an ongoing debate between many admins on what the best settings for the VMXNET3 driver on Windows 2008 R2 are, and I suppose there will be many more. In this post I will attempt to point out some of the options and recommended settings for the VMXNET3 adaptor.

Global Settings

Receive Side Scaling (RSS)

Receive-Side Scaling (RSS) resolves the single-processor bottleneck by allowing the receive side network load from a network adapter to be shared across multiple processors. RSS enables packet receive-processing to scale with the number of available processors. This allows the Windows Networking subsystem to take advantage of multi-core and many core processor architectures.

By default RSS is set to enabled. To disable RSS you must open a command prompt and type:

netsh int tcp set global rss=disabled

There is also a second RSS setting in the VMXNET3 adaptor properties under the Advanced tab, which is disabled by default. Enable it by selecting it from the dropdown.

This is a beneficial setting if you have multiple vCPUs on the server. If this is a single vCPU then you will receive no benefit.

If you have multiple vCPUs it is recommended to have RSS enabled:

netsh int tcp set global rss=enabled

References

http://technet.microsoft.com/en-us/network/dd277646.aspx

TCP Chimney Offload

TCP Chimney Offload is a networking technology that helps transfer the workload from the CPU to a network adapter during network data transfer. In Windows Server 2008, TCP Chimney Offload enables the Windows networking subsystem to offload the processing of a TCP/IP connection to a network adapter that includes special support for TCP/IP offload processing.

For VMXNET3 on ESXi 4.x, 5.0 and 5.1 TCP Chimney Offload is not supported; turning this off or on has no effect. This is discussed in several places.

References

http://www-01.ibm.com/support/docview.wss?uid=isg3T1012648

http://support.microsoft.com/kb/951037

The Microsoft KB951037 article is of interest because it includes a table that shows how TCP Chimney interacts with programs and services and gives insight to where you can gain the most from this feature. By default this setting is enabled.

The recommendation for TCP Chimney Offload is to disable it, as it is not recognized by VMXNET3. To disable it do the following.

Open a command prompt with administrative credentials.

At the command prompt, type the following command, and then press ENTER:

netsh int tcp set global chimney=disabled

To validate or view TCP Chimney

netsh int tcp show global

Recommended setting: disabled

NetDMA State

NetDMA provides operating system support for direct memory access (DMA) offload. TCP/IP uses NetDMA to relieve the CPU from copying received data into application buffers, reducing CPU load.

Requirements for NetDMA

  • NetDMA must be enabled in BIOS
  • CPU must support Intel I/O Acceleration Technology (I/OAT)

You cannot use TCP Chimney Offload and NetDMA together.

Recommended setting: disabled

TCP Receive Windows Auto-Tuning Level

This feature determines the optimal receive window size by measuring the BDP and the application retrieve rate and adapting the window size for ongoing transmission path and application conditions.

Receive Window Auto-Tuning enables TCP window scaling by default, allowing up to a 16MB maximum receive window size. As the data flows over the connection, it monitors the connection, measures its current BDP and application retrieve rate, and adjusts the receive window size to optimize throughput. This replaces the TCPWindowSize registry value.

Receive Window Auto-Tuning has a number of benefits. It automatically determines the optimal receive window size on a per-connection basis. In Windows XP, the TCPWindowSize registry value applies to all connections. Applications no longer need to specify TCP window sizes through Windows Sockets options. And IT administrators no longer need to manually configure a TCP receive window size for specific computers.

By default this setting is enabled, to disable it open a command prompt with administrative permission and type:

netsh int tcp set global autotuninglevel=disabled

Recommended setting: disabled

References

http://technet.microsoft.com/en-us/magazine/2007.01.cableguy.aspx

Add-On Congestion Control Provider

The traditional slow-start and congestion avoidance algorithms in TCP help avoid network congestion by gradually increasing the TCP window at the beginning of transfers until the TCP Receive Window boundary is reached, or packet loss occurs. For broadband internet connections that combine high TCP Window with higher latency (high BDP), these algorithms do not increase the TCP windows fast enough to fully utilize the bandwidth of the connection.

Compound TCP, CTCP increases the TCP send window more aggressively for broadband connections (with large RWIN and BDP). CTCP attempts to maximize throughput by monitoring delay variations and packet loss. It also ensures that its behavior does not impact other TCP connections negatively.

It is on by default under Server 2008. Turning this option on can significantly increase throughput and packet loss recovery.

To enable CTCP, in elevated command prompt type:

netsh int tcp set global congestionprovider=ctcp

To disable CTCP:

netsh int tcp set global congestionprovider=none

Possible options are:  ctcp, none, default (restores the system default value).

Recommended setting: ctcp

ECN Capability

ECN (Explicit Congestion Notification) is a mechanism that provides routers with an alternate method of communicating network congestion. It is aimed to decrease retransmissions. In essence, ECN assumes that the cause of any packet loss is router congestion. It allows routers experiencing congestion to mark packets and allow clients to automatically lower their transfer rate to prevent further packet loss. Traditionally, TCP/IP networks signal congestion by dropping packets. When ECN is successfully negotiated, an ECN-aware router may set a bit in the IP header (in the DiffServ field) instead of dropping a packet in order to signal congestion. The receiver echoes the congestion indication to the sender, which must react as though a packet drop were detected.

ECN is disabled by default, as it is possible that it may cause problems with some outdated routers that drop packets with the ECN bit set, rather than ignoring the bit.

To change ECN, in elevated command prompt type:

netsh int tcp set global ecncapability=default

Possible settings are: enabled, disabled, default (restores the state to the system default).

The default state is: disabled

ECN is only effective in combination with AQM (Active Queue Management) router policy. It has more noticeable effect on performance with interactive connections and HTTP requests, in the presence of router congestion/packet loss. Its effect on bulk throughput with large TCP Window is less clear.

Currently, enabling this setting is not recommended, as it has a negative impact on throughput.

Recommended setting: disabled

netsh int tcp set global ecncapability=disabled

Direct Cache Access (DCA)

Direct Cache Access (DCA) allows a capable I/O device, such as a network controller, to deliver data directly into a CPU cache. The objective of DCA is to reduce memory latency and the memory bandwidth requirement in high bandwidth (Gigabit) environments. DCA requires support from the I/O device, system chipset, and CPUs.

To enable DCA:

netsh int tcp set global dca=enabled

Available states are: enabled, disabled.

Default state: disabled

Recommended setting is disabled

To disable DCA:

netsh int tcp set global dca=disabled

These are just settings that I have used successfully in the VMware environment and work well. You can pick and choose the settings that work best for your environment.
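To check a server against the recommendations above without clicking through each setting, here is an added example (not from the original post) in Python that parses the output of `netsh int tcp show global` and lists every parameter that differs from the recommended value, together with the netsh command to set it. The sample output is constructed, with labels as Windows 2008 R2 prints them and made-up values.

```python
# Constructed sample of `netsh int tcp show global` output; the labels follow what
# Windows 2008 R2 prints, the values are made up to exercise the audit.
SAMPLE_NETSH_OUTPUT = """\
Querying active state...

TCP Global Parameters
----------------------------------------------
Receive-Side Scaling State          : enabled
Chimney Offload State               : automatic
NetDMA State                        : enabled
Direct Cache Access (DCA)           : disabled
Receive Window Auto-Tuning Level    : normal
Add-On Congestion Control Provider  : none
ECN Capability                      : disabled
RFC 1323 Timestamps                 : disabled
"""

# netsh parameter name behind each printed label (all of them appear in the post).
PARAM_NAME = {
    "Receive-Side Scaling State": "rss",
    "Chimney Offload State": "chimney",
    "NetDMA State": "netdma",
    "Direct Cache Access (DCA)": "dca",
    "Receive Window Auto-Tuning Level": "autotuninglevel",
    "Add-On Congestion Control Provider": "congestionprovider",
    "ECN Capability": "ecncapability",
}

# Recommended values from the post for a VMXNET3 guest; RSS depends on the vCPU count.
RECOMMENDED = {
    "Chimney Offload State": "disabled",
    "NetDMA State": "disabled",
    "Receive Window Auto-Tuning Level": "disabled",
    "Add-On Congestion Control Provider": "ctcp",
    "ECN Capability": "disabled",
    "Direct Cache Access (DCA)": "disabled",
}

def parse_tcp_global(text):
    """Turn the 'Label : value' lines of `netsh int tcp show global` into a dict."""
    settings = {}
    for line in text.splitlines():
        label, sep, value = line.partition(":")
        if sep:
            settings[label.strip()] = value.strip().lower()
    return settings

def audit_tcp_global(settings, multi_vcpu=True):
    """Compare parsed settings with the recommendations.

    Returns a list of (label, current, recommended, fix_command) for every mismatch,
    so the result can go into a config-drift report or be applied by hand.
    """
    expected = dict(RECOMMENDED)
    expected["Receive-Side Scaling State"] = "enabled" if multi_vcpu else "disabled"
    findings = []
    for label, want in expected.items():
        have = settings.get(label, "<missing>")
        if have != want:
            fix = f"netsh int tcp set global {PARAM_NAME[label]}={want}"
            findings.append((label, have, want, fix))
    return findings

if __name__ == "__main__":
    for label, have, want, fix in audit_tcp_global(parse_tcp_global(SAMPLE_NETSH_OUTPUT)):
        print(f"{label}: is {have}, should be {want} -> {fix}")
```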

How To Change the default MySQL data directory on RHEL 6

You’ve been using MySQL for some time now, the database has been growing, and you are at the point where it is time to move it to another location or to newly added storage in a different location.

Stopping the MySQL server

# service mysqld stop

Create a new data directory and move the content from the old one

Creating a new data directory

# mkdir /app/mysql/
# chown mysql:mysql /app/mysql

Moving the original data files

# mv /var/lib/mysql/* /app/mysql/

Correct the MySQL configuration file

Edit the /etc/my.cnf file.

# vi /etc/my.cnf

Change

datadir=/var/lib/mysql

to

datadir=/app/mysql

and

socket=/var/lib/mysql/mysql.sock

to

socket=/app/mysql/mysql.sock

and save the file.

If you are using SELinux, adjust parameters to accept the change

Should the following command output “Permissive” or “Disabled” then you may skip the details for SELinux.

# getenforce

Run the semanage command to add a context mapping for /app/mysql.

# semanage fcontext -a -t mysqld_db_t "/app/mysql(/.*)?"

Now use the restorecon command to apply this context mapping to the running system.

# restorecon -Rv /app/mysql

Starting the MySQL server

# service mysqld start

Verifying access and connectivity

$ mysql -u root -p
mysql> show databases;

If this is working, you’re up and running. It is possible you could get a message that says

Can’t connect to local MySQL server through socket ‘/var/lib/mysql/mysql.sock’

then add the following to your /etc/my.cnf

[client]
 socket = /app/mysql/mysql.sock

Optionally you can just use

$ mysql -u root -p --protocol tcp

You have successfully moved your MySQL database.
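The node.conf edits in the FreeNX post above and the my.cnf edits in this post are the same operation: uncomment or rewrite a key=value line, or append it if it is missing. As an added example (not from either post), here is a Python helper that does this idempotently, applied to both files, including the [client] socket entry that cures the socket error mentioned above; the sample files are constructed and abridged.

```python
import re

SECTION_RE = re.compile(r"^\s*\[([^\]]+)\]\s*$")

def set_config_value(text, key, value, section=None):
    """Set key=value in a shell-style file (node.conf) or an INI-style file (my.cnf).

    A matching line, live or commented out with '#', is rewritten in place (first match
    in the wanted section only); otherwise the line is appended to the end of `section`,
    creating the section if missing. Re-applying the same change leaves the text as is.
    """
    key_re = re.compile(r"^\s*#?\s*" + re.escape(key) + r"\s*=")
    new_line = f"{key}={value}"
    lines = text.splitlines()
    current, replaced, insert_at = None, False, None
    for i, line in enumerate(lines):
        m = SECTION_RE.match(line)
        if m:
            current = m.group(1)
        if current != section:
            continue
        if not replaced and key_re.match(line):
            lines[i] = new_line
            replaced = True
        if line.strip():
            insert_at = i + 1                  # just after the section's last non-blank line
    if not replaced:
        if section is not None and insert_at is None:
            lines += ["", f"[{section}]", new_line]
        else:
            lines.insert(len(lines) if insert_at is None else insert_at, new_line)
    return "\n".join(lines) + "\n"

def configure_freenx_node_conf(text):
    """The node.conf changes from the FreeNX post, as uncomment-or-set operations."""
    for key, value in [("ENABLE_USERMODE_AUTHENTICATION", '"0"'),
                       ("ENABLE_SSH_AUTHENTICATION", '"1"'),
                       ("DISPLAY_BASE", "1001"), ("ENABLE_CLIPBOARD", '"both"'),
                       ("NX_LOG_LEVEL", "4"), ("NX_LOGFILE", "/var/log/nx/nxserver.log"),
                       ("COMMAND_MD5SUM", '"md5sum"')]:
        text = set_config_value(text, key, value)
    return text

def move_mysql_datadir(text, new_dir):
    """The my.cnf changes from this post, plus the [client] socket entry that cures the
    'Can't connect to local MySQL server through socket' error."""
    sock = f"{new_dir}/mysql.sock"
    text = set_config_value(text, "datadir", new_dir, section="mysqld")
    text = set_config_value(text, "socket", sock, section="mysqld")
    return set_config_value(text, "socket", sock, section="client")

# Constructed, abridged sample files (not copied from a real system).
SAMPLE_NODE_CONF = """\
# Authentication / Security
#ENABLE_USERMODE_AUTHENTICATION="0"
#ENABLE_SSH_AUTHENTICATION="1"
#DISPLAY_BASE=1000
#COMMAND_MD5SUM="openssl md5"
"""
SAMPLE_MY_CNF = """\
[mysqld]
datadir=/var/lib/mysql
socket=/var/lib/mysql/mysql.sock
user=mysql

[mysqld_safe]
log-error=/var/log/mysqld.log
"""
```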

Online Document Conversions with CometDocs

In past posts I have covered different ways to convert docs to PDF and other formats on your Linux and Windows systems. One possible way that I have not discussed is the use of online converters. Recently I was made aware of a site called CometDocs, which is a free online document management service.

Online converters have been around for some time and have many good uses for quick and easy drag-and-drop conversions. According to the site it is 100% free, and besides the PDF conversions they also offer document sharing, transfers and storage (up to 1 GB). The site supports over 50 file types for conversion, listed here, which includes to and from PDF. For a small office or for personal use this is a nice feature. CometDocs has been providing online conversions since 2009 and only requires free registration to start using the service.

There are certain limitations imposed on free users, all of which can be removed by upgrading to a premium CometDocs account.

The limits for free users are:

3 conversions weekly per IP address
100 MB worth of daily file transfers per IP
transfer and host links are valid for 24h

Registered users have the following advantages:

15 conversions weekly per account.
100 MB worth of daily file transfers per account.
1 GB document storage limit.
Transfer and host links do not expire for stored documents.
Better control of sharing visibility.

So if your demands are low then a free account is probably all you will need. So how does the service work?

The interface is pretty easy to use. After logging in you just click on the tab and follow the instructions.

[screenshot: cometdocs1]

Click on the Convert tab, click the + to add a file or drag the file to the Clipboard, then drag the file to the Convert box and click Convert.

[screenshot: cometdocs2]

Once the conversion is done you will be able to retrieve it from the Store tab.

[screenshot: cometdocs3]

For a free service I can see this as another way for a small business to get conversions done when they are needed, and also a way to share and transfer files with other colleagues and businesses. If your needs are greater, CometDocs offers monthly pay plans with more features and more transfers and storage.

If you are looking for an online conversion or a quick and easy to use Online Document Management service then try CometDocs out and see if it is a fit for you.

 

How To Install MySQL Community Edition on RHEL 6 x86_64

Recently I had the need to install the latest Community Edition of MySQL on a RHEL 6.3 x86_64 server. For most purposes the included version of MySQL works, but if you want the latest version you will need to install the Community Edition.

First download the latest Community Edition MySQL from here. At the time of this post 5.6.10 is the current version. From the drop down select Oracle & RedHat Linux 6. Download the following four packages.

  • MySQL-server
  • MySQL-client
  • MySQL-shared
  • MySQL-shared-compat

 

[screenshot: mysqlrhel1]

Now that we have the downloads we will need to update the current mysql-libs.

$ sudo yum update mysql-libs
$ sudo yum install MySQL-server MySQL-client MySQL-shared MySQL-shared-compat

Now that we have MySQL installed we will need to create the base tables and start the service.

$ sudo /usr/bin/mysql_install_db --user=mysql
$ cd /usr
$ sudo /usr/bin/mysqld_safe &

Next step is to login and set the mysql root password and we are done.

# mysqladmin -u root -p password newpassword

That’s all we need to do.

How To Fix VMware Error IP address already assigned to another adapter

There have been times when you have deleted a NIC in VMware and to the eye it looks like it is gone, but really it is still there, and it rears its ugly head when you try to re-add it to a Windows VM. You will receive errors similar to the following.

The IP address XXX.XXX.XXX.XXX you have entered for this network adapter is already assigned to another adapter Name of adapter. Name of adapter is hidden from the network and Dial-up Connections folder because it is not physically in the computer or is a legacy adapter that is not working. If the same address is assigned to both adapters and they become active, only one of them will use this address. This may result in incorrect system configuration. Do you want to enter a different IP address for this adapter in the list of IP addresses in the advanced dialog box?

XXX.XXX.XXX.XXX is usually the IP address of the system you are working on. According to VMware support this error can occur also if

  • You have upgraded VMware virtual network adapters (for example, when you migrate a virtual machine from an older to a new version of VMware software).
  • You have added and removed network adapters multiple times.
  • You may see this if you recently performed a P2V and the resulting virtual machine still has the physical NICs and drivers for those NICs present. These ghost NICs have the old IP address and the virtual NIC cannot be assigned the same IP address.

This issue occurs if a network adapter with the same IP address is in the Windows registry but is hidden in the Device Manager (My Computer > Properties > Hardware > Device Manager). This hidden adapter is called a ghosted network adapter.

Using the Show hidden devices option in the Device Manager (View > Show hidden devices) does not always show the ghosted adapter to which that IP Address is assigned.

So how do we fix it? First make the ghosted network adapter visible in the Device Manager and uninstall the ghosted network adapter from the registry:

  1. Click Start > Run.
  2. Type cmd and press Enter.
  3. At the command prompt, run this command:
set devmgr_show_nonpresent_devices=1

Note: If this command does not work (a possibility in Windows Server 2000 and 2003), you may need to add the parameter to Windows and set its value:

a. Right-click the My Computer desktop icon and choose Properties.
b. Click the Advanced tab and select Environment Variables.
c. In the System variables section, click New.
d. Set the Variable name to devmgr_show_nonpresent_devices and set the Variable value to 1 to enable the parameter.
e. Click OK to add the variable to Windows.

4. Start the Device Manager by running this command from the same command prompt:

start devmgmt.msc

5. Click View > Show Hidden Devices.
6. Expand the Network Adapters tree (click the plus sign next to the Network adapters entry).
7. Right-click the dimmed network adapter, then click Uninstall.
8. Once all of the grayed out NICs are uninstalled, assign the IP address to the virtual NIC.

Note: To assign the IP address to the virtual NIC on the command line, run the command:

netsh interface ip set address "Local Area Connection #" static IP_Address Subnet_Mask Default_Gateway

For example:

netsh interface ip set address "Local Area Connection 2" static 192.168.1.101 255.255.255.0 192.168.1.1

9. Close the Device Manager.

That should fix the issue stopping you from adding a new NIC in your VM.

How To Enable Named Pipes and TCP/IP for Microsoft SQL Server 2008 R2 SQLExpress

During a recent installation of HP Insight Manager 7.1 on a Windows 2008 R2 server the prerequisites failed, complaining that you must enable named pipes and TCP/IP for the existing database service Microsoft SQL Server 2008. After a default install they are usually disabled. This applies to Microsoft SQL Server 2008 Express as well.

To enable named pipes and TCP/IP for Microsoft SQL Server 2008

Click Start > All Programs > Microsoft SQL Server 2008 R2 > Configuration Tools > SQL Server Configuration Manager.
Under SQL Server 2008 Network Configuration > Protocols for MSSQLSERVER:

Double-click the protocol name TCP/IP and set the property ENABLED to Yes.
Double-click the protocol name Named Pipes and set the property ENABLED to Yes.

[screenshot: sqlexpress1]

Next we will need to restart the mssqlserver service. Type the following commands in the command prompt window.

net stop mssqlserver
net start mssqlserver

And that’s all there is to do.

How To Start and Stop Services Using PowerShell Remotely

Admit it, you’re an admin that likes to do everything possible from the desk or laptop and if possible from a command line because automation is our friend.

With the addition of PowerShell this is becoming more of the norm for Windows, and starting and stopping services remotely is probably one of the most common tasks. To perform this task we will need several cmdlets:

  • get-service
  • stop-service
  • start-service
  • restart-service

So for this post we will be stopping and starting the Windows Update Service. First we need to find the name of the service, we can do this using the get-service cmdlet and findstr commands.

PS C:\> get-service -ComputerName cvgwin2008tst | findstr /c:"Windows Update"
Running  wuauserv           Windows Update

In this command we run get-service -ComputerName <computername>, then pipe the output to findstr with the /c: switch, which uses the specified text as a literal search string; the status, name and display name are shown.

So we know wuauserv is the name of the service. Next let’s create a variable called $service and populate it with this information.

PS C:\> $service = get-service -ComputerName cvgwin2008tst -Name wuauserv
PS C:\> $service
Status   Name               DisplayName
------   ----               -----------
Running  wuauserv           Windows Update

So now we want to stop the service, but there is a catch: the stop-service cmdlet doesn’t support the -ComputerName parameter, but it does support the -InputObject parameter. So let’s stop the service and have the command report what it is doing using the -Verbose parameter.

PS C:\> Stop-Service -InputObject $service -Verbose
VERBOSE: Performing operation "Stop-Service" on Target "Windows Update (wuauserv)"

Run $service and see that it has been stopped.

PS C:\> $service
Status   Name               DisplayName
------   ----               -----------
Stopped  wuauserv           Windows Update

Now using the start-service cmdlet let’s fire it back up.

PS C:\> Start-Service -InputObject $service -Verbose
VERBOSE: Performing operation "Start-Service" on Target "Windows Update (wuauserv)".
PS C:\> $service
Status   Name               DisplayName
------   ----               -----------
Running  wuauserv           Windows Update

Now that all pieces are in place you can save all the commands as a ps1 and just run a single command!

 
