Time for Windows server 2008 and NTP

The UK switched to BST (British Summer Time) on 27th March and, while the idea of altering the time depending on the position of the planet in its orbit around the sun can be questioned, the need for servers and other networked devices to show the correct time is not in doubt.  Kerberos, for one, rejects authentication from a machine whose clock is more than five minutes adrift from the domain controller, certificate validity periods are checked against the local clock, and an incident timeline built from logs is only as good as the clocks that stamped them.

NTP is the protocol used to synchronise clocks across data networks.  In a Windows domain the domain controller holding the PDC emulator role in the forest root domain is the authoritative time source: configure that one server to take its time from an external master, and every other domain controller and domain member will take its time from the domain hierarchy automatically.

Of course, if you have a standalone server or a different network device you can usually configure it to check an external source directly.  The NTP Pool project (http://www.pool.ntp.org) is a distributed collection of machines that exist to provide accurate time service to machines worldwide.  Bear in mind that plain NTP carries no authentication, so a standalone machine pointed at the pool trusts whatever arrives on UDP 123 from the internet; domain members synchronising through the domain hierarchy receive time packets signed with their machine account key, which is one more reason not to point them at the pool directly.

For the UK they offer local time servers, the full list available here http://www.pool.ntp.org/zone/uk

Settings for Windows 7 & Server 2008 to use pool.ntp.org servers

Windows 7 default time settings

The above administrative command prompt shows the default settings for a non-domain Windows 7 machine.  If you look at the section NtpServer: time.windows.com, this shows that my machine is checking the time with the default server provided by Microsoft. 

Steps to change to alternative time server

  1. Stop the W32Time service: C:\>net stop w32time
  2. Edit the configuration to point at the pool servers.  Multiple peers are separated by spaces, not commas, and the list must then be quoted: C:\>w32tm /config /syncfromflags:manual /manualpeerlist:"0.uk.pool.ntp.org 1.uk.pool.ntp.org 2.uk.pool.ntp.org"
  3. On the domain controller holding the PDC emulator role only, advertise it as a reliable time source so the rest of the domain will use it: C:\>w32tm /config /reliable:yes
  4. Start the W32Time service: C:\>net start w32time

Once set, make sure your firewall allows outbound UDP port 123 (and the replies) from the server to its peers.  Inbound UDP 123 only needs opening on a machine that serves time to others, so leave it closed on a standalone box.  If you are applying these settings on your home Windows 7 machine or any other non-domain server you can omit step 3: /reliable:yes tells other machines that this one is a trustworthy source, which means nothing outside a domain.
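What actually crosses UDP port 123 is a 48-byte packet in each direction, and the correction W32Time applies comes from four timestamps rather than from the server's reply alone.  The Python below is an added example, not code from the original post and not W32Time's own implementation: it builds the client request, validates a server reply the way a careful client should, and computes offset and round-trip delay from a reply constructed inline for a server whose clock is two seconds ahead (the 192.0.2.1 reference identifier and all the timings are made-up demo values).  The query() function sends a live request if you want to point it at 0.uk.pool.ntp.org, but nothing below touches the network unless you call it.

```python
"""Minimal NTPv3 client-side packet handling (added example, not from the original post)."""
import socket
import struct
import time

NTP_PORT = 123
NTP_UNIX_DELTA = 2208988800      # seconds from the NTP epoch (1900-01-01) to the Unix epoch (1970-01-01)
PACKET = "!BBBbIII4Q"            # LI/VN/Mode, stratum, poll, precision, root delay, root dispersion,
assert struct.calcsize(PACKET) == 48   # reference id, then reference/originate/receive/transmit timestamps


def to_ntp(unix_seconds):
    """Unix float seconds -> 64-bit NTP timestamp (32.32 fixed point)."""
    secs = int(unix_seconds)
    frac = int((unix_seconds - secs) * (1 << 32))
    return ((secs + NTP_UNIX_DELTA) << 32) | frac


def from_ntp(ts):
    return ((ts >> 32) - NTP_UNIX_DELTA) + (ts & 0xFFFFFFFF) / (1 << 32)


def build_request(t1):
    """Client request: LI=0, VN=3, Mode=3 -> first byte 0x1B; only the Transmit Timestamp is set."""
    return struct.pack(PACKET, 0x1B, 0, 0, 0, 0, 0, 0, 0, 0, 0, to_ntp(t1))


def build_server_reply(orig, recv, xmit, stratum=2, ref_id=bytes([192, 0, 2, 1])):
    """Constructed reply for the offline demo: Mode=4, stratum 2, upstream 192.0.2.1 (made-up values)."""
    return struct.pack(PACKET, 0x1C, stratum, 6, -20, 0, 0, int.from_bytes(ref_id, "big"),
                       to_ntp(recv - 64), to_ntp(orig), to_ntp(recv), to_ntp(xmit))


def parse_reply(data, t1, t4):
    """Validate a reply and return (stratum, offset, delay) in seconds.

    t1 is the local time the request was sent, t4 the local time the reply arrived.
    """
    if len(data) < 48:
        raise ValueError("short packet")
    f = struct.unpack(PACKET, data[:48])
    li, mode, stratum = f[0] >> 6, f[0] & 7, f[1]
    if mode != 4:
        raise ValueError("not a server reply (mode %d)" % mode)
    if li == 3:
        raise ValueError("server clock not synchronised")
    if stratum == 0:        # Kiss-o'-Death: the reference id carries an ASCII code such as RATE or DENY
        raise ValueError("kiss-o'-death: %s" % f[6].to_bytes(4, "big").decode("ascii", "replace"))
    if stratum > 15:
        raise ValueError("invalid stratum %d" % stratum)
    # The Originate Timestamp must echo exactly what we sent; otherwise the reply is stale or forged.
    if f[8] != to_ntp(t1):
        raise ValueError("originate timestamp mismatch")
    t2, t3 = from_ntp(f[9]), from_ntp(f[10])
    offset = ((t2 - t1) + (t3 - t4)) / 2   # how far the local clock is behind the server
    delay = (t4 - t1) - (t3 - t2)          # round trip minus the server's processing time
    return stratum, offset, delay


def reply_problem(data, t1, t4):
    """None if the reply passes every check, otherwise the reason it was refused (handy for logging)."""
    try:
        parse_reply(data, t1, t4)
        return None
    except ValueError as exc:
        return str(exc)


def query(host, timeout=2.0):
    """Live query over UDP 123 (needs outbound UDP 123 allowed); not used by the offline demo."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        t1 = time.time()
        sock.sendto(build_request(t1), (host, NTP_PORT))
        data, _ = sock.recvfrom(512)
        return parse_reply(data, t1, time.time())


def offline_demo():
    """Server clock 2.000 s ahead, 50 ms each way on the wire, 10 ms of server processing."""
    t1 = 1301184000.0                      # 2011-03-27 00:00:00 UTC on the client clock (demo value)
    reply = build_server_reply(orig=t1, recv=t1 + 0.05 + 2.0, xmit=t1 + 0.06 + 2.0)
    return parse_reply(reply, t1, t4=t1 + 0.11)


if __name__ == "__main__":
    print("stratum %d, offset %+.3f s, delay %.3f s" % offline_demo())
```

The checks matter precisely because plain NTP is unauthenticated: a reply whose Originate Timestamp does not echo the request is stale or forged, stratum 0 is a Kiss-o'-Death telling you to back off, and a leap indicator of 3 means the server itself is not synchronised.  On Windows, w32tm /stripchart /computer:0.uk.pool.ntp.org /samples:5 /dataonly prints the same offset for a live peer.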

To see what settings are currently applied, check the configuration like so (w32tm /query /status shows the source, stratum and time of the last successful sync, and w32tm /resync forces an immediate synchronisation after a change):

C:\>w32tm /query /configuration

Checking domain members time subscriptions

To check that a domain member is syncing time with the Active Directory master you can check here in the registry

HKLM\System\CurrentControlSet\Services\W32Time\Parameters\Type

If Type is set to NT5DS the member is synchronising from the domain hierarchy, that is from a domain controller (and ultimately the PDC emulator), with the time packets authenticated using its machine account key.  If Type is set to NTP it is using its own manual peer list and ignoring the domain.  The same information is available without the registry from w32tm /query /source, which names the peer currently in use.

You can see what time server the machine is checking with using the /monitor command

C:\>w32tm /monitor

Running this command on a non-domain machine results in an error, because /monitor enumerates the domain controllers of the current domain and queries each of them; on a standalone machine name the hosts to query explicitly with /computers:host1,host2 instead.

Posted in Microsoft, Networking, Windows | 3 Comments

Unidentified networks in Windows how to make them private

If you have a network connection in your Network and Sharing Centre that Windows is classifying as an “Unidentified Network” chances are you want to make it private for your firewall rules.

The problem is that, because Windows cannot classify the type of network, usually because no default gateway is set on the connection (remote-access and point-to-point LAN links are the usual culprits), it falls back to Public, the profile with the most restrictive inbound firewall rules.  On Windows Vista and Server 2008 only one firewall profile is active at a time, the most restrictive one across all connected networks, so a single unidentified link drops every interface on the server into the Public profile; Windows 7 and Server 2008 R2 apply a profile per network, so the effect is limited to that one connection.

Irritatingly Windows Server 2008 and Windows 7 do not allow you to alter the type of network if it is classified as unidentified when using the Network and Sharing Centre.

Unidentified network public

A temporary measure is to set the unidentified network to Private using PowerShell and the Network List Manager COM API; see the MSDN blog post below for the script.  Be warned, though: the setting does not survive a reboot, after which the unidentified network returns to Public.

http://blogs.msdn.com/b/dimeby8/archive/2009/06/10/change-unidentified-network-from-public-to-work-in-windows-7.aspx

A more permanent solution, at the cost of a real security trade-off, is to change the default so that any unidentified network is classified as Private rather than Public.  Every network Windows cannot identify then gets the more permissive Private inbound rules, including an untrusted link plugged in later, so scope your inbound rules to the specific remote address or subnet rather than relying on the profile alone.  To change the default we modify it through the local security policy; see the steps below.

Local security policy

  1. In Administrative tools, open “Local Security Policy”.
  2. Select “Network List Manager Policies” in the left hand pane.
  3. In the right hand pane open “Unidentified Networks” and choose “Private” in the location type.
  4. Check your firewall settings will not lock you out of the system once the rules apply.
  5. Close the dialog and reboot to apply the changes.

Unidentified network private

Posted in Microsoft, Networking, Security, Windows | Leave a comment

Dial plan for UK VoIP calls

Using a VoIP telephone system provides a great deal of flexibility over your calls.  This can be great if you are a business and have a lot of calls or are a home user and have a special VoIP provider to call relatives overseas.

This flexibility comes at the cost of having to understand the complex and initially confusing dial plan: the pattern, regular-expression-like in syntax, that tells the phone how it should route your call based on the number you have typed.

Chances are your VoIP telephone is using the default dial plan, which looks similar to this:

(*xx|[3469]11|0|00|[2-9]xxxxxx|1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx.)

Now at first sight that looks confusing, lets break it down to figure out what is going on.  First some details of the syntax.

| Separates items in the dial plan.

* Is the star key on the phone keypad.

# Is the pound or hash key.

x Defines a single digit 0-9.

x. Repeat the previous element zero or more times, so x. on its own is any number of digits and xx. is one or more.

[] Range of explicit values. E.g. [3469] 3 or 4 or 6 or 9.

[2-9] Numbers 2 through 9 allowed.

[25-7*] Numbers 2 or 5 or 6 or 7 or *

! Bars a sequence: a number matching a sequence that ends in ! is rejected rather than dialled.

, Plays a second (outside line) dial tone at that point in the sequence; it is not itself a dialled digit.

S0 Immediate dial: do not wait for the interdigit timeout once the sequence is complete.

Dissecting the default dial plan

The default dial plan on most VoIP systems is setup for callers in the USA, once you’ve figured this part out it’s easy to see how the patterns would match.

(*xx|[3469]11|0|00|[2-9]xxxxxx|1xxx[2-9]xxxxxxS0|xxxxxxxxxxxx.)

*xx Allows two-digit star codes such as *69 (call return).

[3469]11 Allows the North American three-digit service numbers 311, 411, 611 and 911, the last being the commonly known emergency number.

0 Zero on its own reaches the operator in North America; note that in the UK every national number begins with 0 instead.

00 Zero zero reaches the international operator in North America; it also happens to be the international dialling prefix when calling FROM the UK to a foreign country.

[2-9]xxxxxx A seven-digit North American local call within the same area code (the first digit of a local number is never 0 or 1).

1xxx[2-9]xxxxxxS0 A full eleven-digit North American number, 1 plus the area code plus the seven-digit local number, usually written 1-(555) 123-4567; the S0 on the end dials immediately once the eleventh digit arrives.

xxxxxxxxxxxx. Finally, a catch-all for any number of eleven or more digits: eleven fixed x's plus a twelfth that the trailing dot lets repeat zero or more times.

Dial plan for the UK

For use in the UK I find this is a better dial plan.

(<911:999>|<00:00>x.|<:441642>[2-9]xxxx.|xxxxxxxxxxxx.|1xxx|0[45689]x.|1xx|999S0)

So breaking it down as before we have.

<911:999>  911 to 999 Conversion for American visitors to our offices just in case.

<00:00>x. Allows for all international numbers from the UK. (essential for our international sites)

<:441642>[2-9]xxxx. Allows a local number of five or more digits (a first digit of 2-9 followed by at least four more) to be dialled without the area code; the empty left-hand side matches nothing, and 441642 (the international form of our 01642 area code) is prefixed to what was dialled before the number is sent.

xxxxxxxxxxxx. Allows any full telephone number of eleven or more digits not covered by the other rules, which is how ordinary 01, 02, 03 and 07 national numbers get out.

1xxx Allows for special service numbers like 1471 for ring back and 1571 for voice mail.

0[45689]x. Allows the UK non-geographic and special ranges of any length, such as 0800, 0500 and the 09 numbers.

1xx Again used for three-digit special numbers like 123 (speaking clock) and 141 (withhold number).  Note that this is written 1xx and not [1xx]: by the bracket rule above, [1xx] would be a single-digit class, which is not what is wanted.

999S0 finally, allow 999 to be dialled directly and dial immediately.

Advanced rules

The dial plan constructed for use in our office is very open in its restrictions and UK-centric.  Many home users may want to restrict the use of 0871 numbers and 09 premium rate numbers with the ! barring rule, but at work we need to be able to dial such numbers and have policies in place to deal with staff who abuse the open system.

More advanced uses of the dial plan include routing calls between different VoIP providers.  If, for example, you had relatives in Australia and friends in Japan you might have a different VoIP provider for each country.

In this case you could add the following rules

<0061:0061>x.<:@gw1> | <0081:0081>x.<:@gw2>

Each of these say if dialling Australia (country code 61) route calls via VoIP gateway 1 and if calling Japan (country code 81) route via VoIP provider 2.
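To check what a plan will really do before loading it onto the phone, here is a small dial plan simulator in Python, added here as an example (it is not from the original post and it is not the PHP simulator linked below).  It implements the syntax rules listed above and reports, for the digits dialled so far, whether the phone would dial now, dial after the interdigit timeout, keep collecting digits, bar the call or reject it.  The UK plan and the gateway rules are the ones above; the home variant that bars 09 numbers, the assumption that the first listed match wins, and the sample numbers are my own.

```python
"""Dial plan simulator (added example, not from the original post).

Compiles each '|'-separated sequence of the plan to regexes and reports what the phone would do
with the digits dialled so far.  Supports literals 0-9 * #, x, [..] classes, '.', <dialed:sent>
substitution, <:@gw> routing, Sn timer overrides, '!' barring, and ',' / P (ignored for matching).
"""
import re

DIGIT = "[0-9]"   # 'x' in the plan syntax is one digit 0-9


class Rule:
    def __init__(self, text):
        self.text, self.barred, self.immediate, self.route = text, False, False, ""
        atoms, subs, i = [], [], 0            # one regex atom per dialled digit; substitution spans
        while i < len(text):
            c = text[i]
            if c == "<":                                       # <dialed:transmitted>
                end = text.index(">", i)
                dialed, _, sent = text[i + 1:end].partition(":")
                if sent.startswith("@"):                       # <:@gw1>: route tag, nothing dialled
                    self.route = sent
                else:
                    subs.append((len(atoms), len(atoms) + len(dialed), sent))
                    atoms.extend(re.escape(d) for d in dialed)
                i = end + 1
                continue
            if c == "[":                                       # [3469], [2-9], [25-7*]
                end = text.index("]", i)
                atoms.append("[" + text[i + 1:end].replace("*", r"\*") + "]")
                i = end + 1
            elif c == "x":
                atoms.append(DIGIT)
                i += 1
            elif c in "0123456789*#":
                atoms.append(re.escape(c))
                i += 1
            elif c == "S":                                     # Sn overrides the interdigit timer
                j = i + 1
                while j < len(text) and text[j].isdigit():
                    j += 1
                self.immediate = text[i + 1:j] == "0"
                i = j
            elif c == "!":                                     # reject numbers matching this sequence
                self.barred = True
                i += 1
            else:                                              # ',', 'P', spaces: not dialled digits
                i += 1
                continue
            if i < len(text) and text[i] == ".":               # '.' repeats the previous atom 0+ times
                atoms[-1] += "*"
                i += 1
        self._atoms = atoms
        self._prefixes = [re.compile("".join(atoms[:k])) for k in range(len(atoms))]
        parts, pos = [], 0
        for n, (s, e, _) in enumerate(subs):                   # one named group per substitution span
            parts.append("".join(atoms[pos:s]) + "(?P<s%d>" % n + "".join(atoms[s:e]) + ")")
            pos = e
        self._full = re.compile("".join(parts) + "".join(atoms[pos:]))
        self._subs = subs

    def transmitted(self, dialed):
        """The number the phone would send if 'dialed' completes this sequence, else None."""
        m = self._full.fullmatch(dialed)
        if not m:
            return None
        out, pos = [], 0
        for n, (_, _, sent) in enumerate(self._subs):
            out += [dialed[pos:m.start("s%d" % n)], sent]
            pos = m.end("s%d" % n)
        return "".join(out) + dialed[pos:] + self.route

    def can_extend(self, dialed):
        """True if further digits could still complete, or lengthen, this sequence."""
        if any(p.fullmatch(dialed) for p in self._prefixes):
            return True
        return bool(self._atoms) and self._atoms[-1].endswith("*") and bool(self._full.fullmatch(dialed))


class DialPlan:
    def __init__(self, plan):
        body = plan.strip()
        if body.startswith("(") and body.endswith(")"):
            body = body[1:-1]
        self.rules = [Rule(s.strip()) for s in body.split("|") if s.strip()]

    def evaluate(self, dialed):
        """(status, number): status is dial, dial_after_timeout, partial, barred or reject."""
        hits = [(r, n) for r in self.rules for n in [r.transmitted(dialed)] if n is not None]
        if any(r.barred for r, _ in hits):
            return "barred", None
        still_open = any(r.can_extend(dialed) for r in self.rules)
        if hits:
            rule, number = hits[0]                             # first listed match wins, so order matters
            return ("dial" if rule.immediate or not still_open else "dial_after_timeout"), number
        return ("partial" if still_open else "reject"), None


# The office plan from the post, with the 1xx sequence written without the stray brackets.
UK_PLAN = "(<911:999>|<00:00>x.|<:441642>[2-9]xxxx.|xxxxxxxxxxxx.|1xxx|0[45689]x.|1xx|999S0)"
# The post's gateway rules, listed first so they are tried before <00:00>x. swallows the call.
ROUTED_PLAN = "(<0061:0061>x.<:@gw1>|<0081:0081>x.<:@gw2>|" + UK_PLAN[1:]
# A home variant (my own addition) that bars 09 premium-rate numbers with '!'.
HOME_PLAN = "(09x.!|" + UK_PLAN[1:]
```

Two things it shows about the office plan: 911 is converted to 999 but, because xxxxxxxxxxxx. could still be extended, the phone waits for the interdigit timer before sending it (append S0 to that sequence if it should go out as promptly as 999), and a national number only completes once eleven digits are in, since the catch-all is eleven x's plus one that repeats.  Where several sequences match, the simulator lets the first listed one win; check your phone's documentation for its own precedence rule, and keep gateway routes ahead of the general 00 rule as above either way.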

There are some excellent resources on Wikipedia on the state of the UK telephone system and an excellent PHP-based dial plan simulator you can use when testing your own rules.

Useful resources

http://en.wikipedia.org/wiki/Telephone_numbers_in_the_United_Kingdom

http://www.netphonedirectory.com/pap2_dialplan.htm

http://supremeit.com/voip/dialplan.php

http://www.cisco.com/en/US/products/ps10033/products_qanda_item09186a0080a35db6.shtml

Posted in Networking, VoIP | 4 Comments

FileZilla Server passive settings

FTP (File Transfer Protocol) may seem a bit old hat in the days of peer-to-peer but is still one of the most widely used transfer protocols, especially in business.

The biggest problem with FTP is that a session uses two connections, the command channel on port 21 and a separate data connection for every listing or transfer, so both parties must be able to reach each other on the ports each side chooses.  With many users sitting behind corporate firewalls, NAT and SPI (Stateful Packet Inspection) routers, that can be a tough job.

An excellent technical background on exactly what happens during the FTP process and the differences between Active and Passive FTP can be found here http://slacksite.com/other/ftp.html

Configuring FileZilla on Windows to accept Passive FTP connections

Connect to your FileZilla server interface and click on the Passive mode settings

Passive settings for FileZilla server

Here we are telling FileZilla Server to hand out data ports from the range we are going to open on our firewall.  For my server, “Default” correctly identifies the fixed public IPv4 address of the server, which is the address sent to the client in the reply to PASV.  If clients can log in but then fail at the directory listing, the server is probably advertising its LAN address instead; switch the radio button and enter your fixed public IP in the box below.

Firewall ports to open for passive FTP

Here we can see the firewall rules that I have setup for FTP and FTPS.

We have the internal IP address on the LAN of our FileZilla FTP server and the protocol and port ranges that need to be opened.  FTP uses only TCP ports so you don’t need to open any UDP ports.

Configuring Windows Server Advanced firewall rules for FTP

Using the administrative command line you can specify that you want to open the following ports on your Windows Server firewall.

netsh advfirewall firewall add rule name="FTP (non-ssl)" action=allow protocol=TCP dir=in localport=21

Rather than creating a rule opening the whole data range (TCP 41500-65535), the Windows firewall can track an FTP control session and open the high-numbered data port only for the duration of that transfer:

netsh advfirewall set global StatefulFtp enable

This enables the stateful FTP helper, which watches the port 21 conversation for the PASV reply, learns the port it announces and allows that single inbound data connection.  The helper can only do this when it can read the control channel: with FTPS (AUTH TLS on port 21) the PASV reply is encrypted, so Microsoft's guidance for FTP over SSL is to disable stateful FTP filtering and instead add an inbound TCP rule for the configured passive range alongside the port 21 rule.  You can get all the details on the Windows Server advanced firewall netsh commands from Technet.

http://technet.microsoft.com/en-us/library/cc771920(WS.10).aspx

Finally, from a client machine outside your network (to simulate real user connections) connect in passive mode using the FileZilla client for Windows.  The log below is from a plain FTP session: the client masks the password in its display, but USER and PASS cross the internet in clear text on port 21, so use FTPS (explicit TLS) for anything beyond anonymous downloads.


Status: Connecting to 213.106.150.123:21...
Status: Connection established, waiting for welcome message...
Response: 220 Welcome
Command: USER ftp_user0157
Response: 331 Password required for ftp_user0157
Command: PASS *************
Response: 230 Logged on
Status: Connected
Status: Retrieving directory listing...
Command: PWD
Response: 257 "/" is current directory.
Command: TYPE I
Response: 200 Type set to I
Command: PASV
Response: 227 Entering Passive Mode (213,106,150,123,177,45)
Command: MLSD
Response: 150 Connection accepted
Response: 226 Transfer OK
Status: Directory listing successful
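The 227 reply in that log is the only thing telling the client where the data connection goes, and it is where passive FTP usually breaks: the server advertises its LAN address, or a port the firewall does not allow.  The Python below is an added example, not from the post and not FileZilla code.  It parses the 227 reply and the RFC 2428 EPSV 229 reply, derives the port (177×256+45 = 45357 for the reply above), and refuses replies a client should not follow: an address different from the server it is talking to, a privileged port, or a port outside the passive range configured on the server (41500-65535 here, taken from the post's firewall setup and adjustable per call).  The addresses in the sample calls are the one from the log plus RFC 1918 private examples.

```python
"""Passive-mode FTP reply handling (added example, not from the original post)."""
import ipaddress
import re

PASV_RE = re.compile(r"^227 .*?\((\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3}),(\d{1,3})\)")
EPSV_RE = re.compile(r"^229 .*?\(\|\|\|(\d{1,5})\|\)")
DEFAULT_PASSIVE_RANGE = (41500, 65535)   # the range configured on the server in the post


def check_data_endpoint(host, port, control_host, passive_range):
    """Raise ValueError if a client should not open a data connection to host:port."""
    # RFC 2577 s.3: a 227 reply pointing anywhere but the server we are talking to is the
    # PASV redirection (bounce) trick; refuse it instead of connecting there.
    if ipaddress.ip_address(host) != ipaddress.ip_address(control_host):
        raise ValueError("data address %s differs from control host %s" % (host, control_host))
    if not 1024 <= port <= 65535:
        raise ValueError("data port %d is not an unprivileged port" % port)
    lo, hi = passive_range
    if not lo <= port <= hi:
        raise ValueError("data port %d is outside the passive range %d-%d the firewall allows" % (port, lo, hi))


def parse_pasv(line, control_host, passive_range=DEFAULT_PASSIVE_RANGE):
    """(host, port) from a '227 Entering Passive Mode (h1,h2,h3,h4,p1,p2)' reply."""
    m = PASV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 227 reply: %r" % line)
    h1, h2, h3, h4, p1, p2 = (int(g) for g in m.groups())
    if max(h1, h2, h3, h4, p1, p2) > 255:
        raise ValueError("227 field out of range: %r" % line)
    host, port = "%d.%d.%d.%d" % (h1, h2, h3, h4), p1 * 256 + p2
    check_data_endpoint(host, port, control_host, passive_range)
    return host, port


def parse_epsv(line, control_host, passive_range=DEFAULT_PASSIVE_RANGE):
    """(host, port) from an RFC 2428 '229 Entering Extended Passive Mode (|||port|)' reply."""
    m = EPSV_RE.match(line.strip())
    if not m:
        raise ValueError("not a 229 reply: %r" % line)
    port = int(m.group(1))          # EPSV carries no address: the control host is implied
    check_data_endpoint(control_host, port, control_host, passive_range)
    return control_host, port


def format_pasv(host, port):
    """Server side: the 227 line a server sends for its configured public address and a data port."""
    o = [int(x) for x in host.split(".")]
    return "227 Entering Passive Mode (%d,%d,%d,%d,%d,%d)" % (o[0], o[1], o[2], o[3], port // 256, port % 256)


def pasv_problem(line, control_host, passive_range=DEFAULT_PASSIVE_RANGE):
    """None if the reply is safe to follow, otherwise the reason it was refused (for logging)."""
    try:
        (parse_epsv if line.startswith("229") else parse_pasv)(line, control_host, passive_range)
        return None
    except ValueError as exc:
        return str(exc)
```

A reply of (192,168,1,10,...) from a server whose public address is 213.106.150.123 fails the first check, which is exactly the symptom the passive mode settings above fix by sending the fixed public IP instead of the interface address.  The same address check is what stops a malicious or compromised server redirecting your client's data connection at a third host.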
Posted in FTP, Microsoft, Networking, Servers, Windows | Leave a comment

Entering Exchange 2010 Product Key After installation

I had to install Exchange 2010 on a 120-day trial for a client recently.  The planned weekend for the down time had arrived but the new partner licenses had not.  No bother I thought, it will be easy to enter the Exchange 2010 license when it arrives, as the new ‘change your license key anytime’ feature in Server 2008 is great.

Not so in Exchange 2010.  What you get when running on a trial key is a pop-up box every time you open the Exchange Management Console.

Exchange 2010 unlicensed server alert

It informs you to enter your new license in the “Exchange server work centre action pane” but where on earth is that?

Exchange 2010 Enter Product Key

From the Exchange 2010 Management Console.

  1. Expand Microsoft Exchange
  2. Select ‘Server Configuration’
  3. Select the unlicensed Exchange 2010 server and right click.
  4. Finally select ‘Enter Product Key…’ to start the license wizard.

Exchange 2010 Product Key Successful

Once you’re all done you should get the success message.  Simply restart the Information Store service or restart the machine with any necessary Windows Updates.

Note:

The preferred way of doing anything now in the majority of Microsoft’s server products is with PowerShell 2.0.  Exchange 2010 is no exception.  The confirmation screen of the wizard nicely displays the PowerShell command executed; here it is repeated with a dummy product key for completeness.

Set-ExchangeServer -Identity yourserver -ProductKey ABC12-DEF34-GHI56-JKL78-MNO90
Posted in Exchange Server, Microsoft, Servers | 7 Comments