Archive for 2007
OMA Service Unavailable
by Greg on Dec.17, 2007, under Internet, Networking, Windows Server
I found a ton of help on Google for this “Service Unavailable” issue on the OMA virtual directory for Exchange 2003. Unfortunately, this was not something readily available. Several sites will explain the proper config for all the virtual folders in IIS, which you should obviously follow, but they don’t mention one little thing… OMA uses ASP.net 1.1. If you go into the OMA properties in IIS, change it from ASP.net 2 to ASP.net 1.1. After that, it all worked beautifully!
Oh, and by the way, I ran into this issue while setting up some Windows Mobile devices with ActiveSync and Direct Push at a couple of clients. One was running IIS5 on Windows 2000, and the most recent was running IIS6 on Windows 2003. The solution was the same on both of them.
Fixing Grub and IPCop boot on Linux after cloning a hard drive
by Greg on Oct.22, 2007, under Linux, PC Repair, Security
When you clone or image your Linux hard drive with Ghost or Drive Image (or any other imaging software) you might not be able to load Grub. Usually just running some Grub commands off a Linux System Rescue CD will fix it. I think most any bootable Linux Live CD will work. You would run these commands:
After boot, run “grub”. (the following lines are from the “grub>” prompt.)
……………………
find /boot/grub/stage1
(hd0,0)
root (hd0,0)
setup (hd0)
quit
……………………
You would replace “root (hd0,0)” with whatever is output from the find command above. The above assumes you have /boot on the same root partition.
On IPCop, boot is on a separate partition. So you need to be a little fancier. The key is to tell it what device to use. In the example below, we will assume we know what drive the boot record is on (hd0,0). Also note that because IPCop has boot on a separate partition, running the find command would be like so:
find /grub/stage1
Ok, so using the device command, and since we know our root is on hd0 …
(all on the grub prompt)
……………………
device (hd0) /dev/hda
root (hd0,0)
setup (hd0)
quit
……………………
Now grub should load ok. This would apply to most images/clones made, I think. But, now, what if your distro uses symlinks to represent your hard drives? I ask, because this stopped me from running IPCop off an image. Took me a while to realize two things.
- IpCop uses symlinks for /dev/harddisk instead of /dev/hda. (Can someone tell me why they do that? Why change that? Every other Linux distro I have used uses /dev/hda1 for the first partition on IDE drive.)
- When I cloned the system, the grub.conf (also known as menu.lst on other systems) listed the root filesystem as /dev/hda4, and yet, there was no hda4 in dev directory. It didn’t even exist on the old drive, so I have no idea how IpCop was booting!
Solution to #2 above was again to boot to a Linux Live CD, mount the boot partition on hda1, edit grub.conf and change all the /dev/hda4 entries to /dev/hda3, where the root filesystem actually resided.
On #1 above, I don’t think fixing it actually caused the system to boot, but I did it anyway. While booted to the Live CD, I edited the /etc/fstab file on the hard drive and changed all the entries for /dev/harddisk1 through 3, to point to /dev/hda1 through 3. There is probably a reason for them doing this, but ya got me why. Changing this might bite me in the butt some day, but for now, it boots beautifully!
Oh, and one might ask, why make a drive image of IPCop when they provide a backup and restore feature using floppy? Well, here’s why: 1. I have a ton of add-on programs installed, and they don’t backup. 2. I like an image better than a floppy!
IpCop is an awesome system, and I’ve had zero problems with it over many years now. But, it doesn’t do enough by itself. I mostly like the BlockOutTraffic addon you can install, giving you detailed control over all communication. I also modify the SSH setup to work the way I like it, using certificate auth and custom ports for several users tunneling into our networks. (works way better than VPN!) On some networks, I have to use PopTOP, the PPTP addon for Ipcop VPN. (not by my choice, it’s a requirement by an application we use.) All these might not backup to a floppy, and it’s so fast to make a Ghost image of the drive. You just have to spend a few extra minutes during restore.
Note: I was using IPCop 1.4.16 during all this.
EDIT 10/22 (later that evening…)
For IPCop, YOU MUST boot to an existing drive on /dev/hda that contains a working copy of IPCop and have your newly cloned drive operational as /dev/hdc. When you run grub, and then all the device, root and setup commands, you need to do it like so.
……………………
device (hd0) /dev/hdc
root (hd0,0)
setup (hd0)
quit
……………………
Notice the /dev/hdc above? Don’t ask me why, but when you try to run this from a Live CD, it won’t work. I really would like to know though, because the fact that it doesn’t work drives me nuts. There must be a simple explanation, and I know it’s just my ignorance of the grub boot loader, but this shouldn’t be needed. (and yet it is!) I just don’t have time to figure it out, when I can simply boot an IPCop as hda and run this quickly. Sometimes it is easier to not ask why, and move on. So make a note of this, YOU MUST boot to an IPCop OS with your new drive installed, then run the grub setup. Stupid, but at least it works.
IPCop 1.4.15 with PPTPd would not run because of libpcap link
by Greg on Oct.03, 2007, under Linux, Networking, Security, Windows Vista
I fought with this one for a while, like several hours. I installed the pptp addon for IPCop, which, by the way, you must Google for. I installed version 0.2.9 (pptpd_0.2.9.tar.gz) and found that on a forum somewhere. If you go to the addons from IPCop, you will only find 0.2.6, and that won’t work with 1.4.13 or higher. (I might have that version a bit off, but I think that’s right) So Google for that file and you should find the file and ftp server IP. I don’t want to provide that, because I don’t have permission to do so.
Anyway, back to the problem. The pptp addon installed just fine on IPCop, and the admin web gui showed the correct items. I could not, however, get Windows to connect. I always got a 619 error, like that is helpful! On the IPCop /var/log/messages, I found this:
pptpd[5740]: GRE: read(fd=5,buffer=804dc00,len=8196) from PTY failed: status = -1 error = Input/output error
You can see the details on the pptpclient help page:
http://pptpclient.sourceforge.net/howto-diagnosis.phtml#read_eproto
I didn’t know how to do their troubleshooting, especially on IPCop. But then it occurred to me, find pppd, and ask it for help!
I ran this: /opt/pptp/sbin/pppd --help
Returned: /opt/pptp/sbin/pppd: error while loading shared libraries: libpcap.so.0.8.3: cannot open shared object file: No such file or directory
Ah-HA!!!
Run this on IPCop 1.4.15 while in the /usr/lib directory: ln -s libpcap.so.0.9.5 libpcap.so.0.8.3
BINGO! Windows can connect! From Vista no less!
Oh, and I know that PPTP is not the best as far as security goes, but it is the only thing I can use. I am running several Wifi Palm devices with a PPTP client on them for Hotsyncing on the Internet. I realize there is another product available that uses IPSec, but that is quite expensive per device. Plus that solution might run into a lot more hassle for the users while on the road trying to connect over hotspots, because IPSec may be blocked. PPTP is just more compatible. I’d really prefer to have an SSL based VPN on the Palm, but I don’t know of one available. So, for now, I’ll at least suffer with PPTP instead of opening my hotsync up to the world. Not perfect, but I can lock down the connection with IPcop too. (sounds like another blog… :) )
Tell Firefox to show popups normally and not in a new tab
by Greg on Sep.28, 2007, under Internet
For some reason or other, Firefox does not have the option under the Tabs option items to “force links that open in new windows to open in:”. I have Firefox 2.0.0.7 now, and I don’t have that under Tabs options. But, if you open about:config in your address bar, you can change the setting manually.
Change: browser.link.open_newwindow
Mine was set to 3, which told the popups to always open in a new tab. I like that, mostly. But some web sites, TinyMCE editor in this case, like to open a popup and return you back to the original page. I keep losing that original popup. So I wanted to turn off my popup forced to new tab option. To make this behave normally, I set it to 2. All worked just peachy!
User name variables on home directory with ADModify.net
by Greg on Sep.07, 2007, under Windows Server
Took me a while, again, to figure this out. Thankfully not as long this second time.
When you use ADModify.net to set properties on groups of objects in Active Directory, you can use variables. Home directories, in my case, is a big one. When I moved to a new server, I didn’t want to set the new home directory on each user, so I used ADModify. Now, when you set the variable, this is what got me. You can’t use the normal: %username% (for example: \\server\homes\%username%). You have to use the AD way. Set it like this: \\server\Homes\%’sAMAccountName’% Notice the syntax: %’variable’%
You can get ADmodify here: http://www.codeplex.com/admodify/Wiki/View.aspx
It’s a lifesaver!
Edit: 10/24/07
NOTE… those are supposed to be apostrophes! So you can’t copy and paste directly, you’ll need to replace those backticks with apostrophes. (wordpress seems to be replacing them on publish.)
Edit: 08/20/08
NOTE that using ADModify.net OR WiseSoft’s Bulk Modify will NOT create the home directories for new users! You must either manually create the directories, use AD Users and Computers to set the property (and therefore it will create the directory) which is the standard way of creating them, or script that somehow. What this means is, you can use ADModify to change the Home Folders property from 1 server to another, but if you are trying to create a bunch of new home folders, ADModify will not do this for you. So, works great if you want to modify existing, like if you copy all the home directories to a new server and you need to update all the user accounts to reflect the new server name.
Active Directory recovery using a secondary offsite DC
by Greg on Sep.01, 2007, under Networking, Windows Server
The basics of this require that we setup a second CPU to take offsite. This system would have AD loaded, GC set, DNS, and all that stuff needed to run AD separately from the network. Here’s the catch, though. We can’t run this and be current. In a disaster, it would work great to be up and running, but it wouldn’t stay current.
So what do we do? We use a cheap PC, do all that DC stuff on it, and make sure it’s syncing good and working on the network (with the GC, DNS, WINS and stuff). IT SHOULD NOT have any FSMO roles. It’s purely a secondary.
BEFORE running DCpromo on that system, Make an image. And make sure we can recover it quickly. Save that image of the server in “stand alone server” install mode (not a DC or even member server yet), because this is what we’ll use to run this process over and over quickly.
AFTER we run the DCpromo and setup all the DC stuff, make another image. We’ll use this to drop back onto the system for offsite recovery of AD.
Here’s the steps to setup. (in general)
- Setup a stand-alone server, not member of domain. (include all needed SP’s and patches)
- Make an image. (PRELOAD image, save this!)
- Dcpromo and setup all needed AD and make sure NTFrs and syncing work perfectly.
- Make an image. (OFFSITE-DC image, save this!)
- Demote the server to a member server again and then remove from domain. (this is to remove it from AD as a DC, make AD cleaner and no NTfrs errors)
- Add OFFSITE-DC image to system again, BUT DO NOT CONNECT TO NETWORK.
Here’s the steps to run regularly to keep up to date.
- Take that offsite pc, image over it with the PRELOAD.
- Join this to the domain and do the DC stuff.
- Make your OFFSITE-DC image again.
- Demote the server, remove from domain.
- Load OFFSITE-DC image on again, BUT DO NOT CONNECT TO NETWORK.
- Take it offsite, seize the FSMO roles. You now have a DC ready to run in an emergency.
This process might take a day with all the imaging, but if you keep the drive loaded with ONLY the DC, it should be pretty quick. And consider that you won’t sit and watch it, you really should only spend like 2 or 3 hours running the process. Also consider that if you run this every month, or even every couple weeks, you’d get real fast at it. And this is what we want in a disaster recovery situation, fast recovery!
Why do all this? Couldn’t we just do an NTBackup recovery? Well, first of all, last I saw on a Microsoft KB article, recovering to alternative hardware on a DC was not supported. So, there’s one obstacle. Though, they do provide a good “how to” KB article, they say it’s not supported. (now I need to find that article again.) Second of all, I tried doing all of the Microsoft suggestions, and I was never able to recover my DC, whether it was the PDC or a backup, to alternative hardware. Of course, I was using Windows 2000, and recovering to 5 years newer hardware, maybe that might have something to do with it. But you know what, I have a lot of clients that would be in that boat. I’ll have more to say on this later.
Restoring a Drive Image XML to a server running host based RAID
by Greg on Sep.01, 2007, under PC Repair, Windows Server, Windows XP
Some RAID controllers are not what I call *true RAID* drive controllers. They may have a hardware controller, but they run kind of a fake RAID on the host OS. It’s not really software raid, but the RAID is dependent on the OS.
This, as you might guess, causes some problems when we want to do some fun stuff on the system drive while we are not actually booted into the OS. Like when we want to restore an image of the C: drive! That’s ok though, we’ve got a work-around.
BIG NOTICE, DISCLAIMER, OR WHATEVER….
This is based on a RAID1 mirror.
My RAID controller allowed me to build the array based on one of my drives, yours may not.
Do this at your own risk.
Make sure you have a backup. (DUH!)
If you lose your data, it’s your fault.
Your mileage may vary.
Assuming you have made your image successfully already, here’s what we do. The trick is that you must turn off the RAID functions and break the array first. So that your drives look like they are single drives in the system. Delete the partitions you will be reimaging over. On my server, it was just an onboard BIOS setting.
Boot the system into a PE boot disc. You can get a free one called: Ultimate Boot CD for Windows. It’s a doctored up PE Disc, but you’ll need to “build” it. They have great instructions for that on their site. (just Google it) Anyway, you boot into this, and right when the CD starts to boot, you see the “Press F6” option, like you see when you do a new Windows install. Insert your floppy disc and load the drivers when it asks. Then it will boot to a custom version of XP.
The PE disc should load and see your C: drive. Make sure you open Drive Manager and create your C: drive again. Only DON’T FORMAT it or make a drive letter. Now open Drive Image XML and load the image you made, and recover it to that C: drive.
Reboot when complete and before Windows loads, open the BIOS or RAID controller and turn on the RAID again. On my controller, I was able to recreate the Mirror by building off the first drive. Let that process complete and reboot. Your system should boot right to that image.
The keys to making this work were:
- Make the drive appear as a single drive again, turn off RAID in the BIOS or Controller.
- Drive Image XML always crashed on me, even if I loaded the drivers at the F6 prompt. It couldn’t deal with that Host based RAID. (but it appeared fine!)
- After image is restored, turn on RAID1 again and build your array based on the newly imaged disk BEFORE you boot back to that drive in Windows.
Disable the MSTSC RDP Credentials prompt
by Greg on Jul.12, 2007, under Windows Vista, Windows XP
MSTSC V6, both in XP and Vista, now asks for credentials EVERY TIME you connect! I want the server to ask, not the client! Add this line to the Default.rdp file located in your My Documents folder.
enablecredsspsupport:i:0
Also:
authentication level:i:0
You may need to save as another name, then rename the Default.rdp and replace the file.
=========================
Below are the default.rdp contents as set above
=========================
screen mode id:i:2
desktopwidth:i:1024
desktopheight:i:768
session bpp:i:32
winposstr:s:2,3,0,0,800,600
full address:s:venus
compression:i:1
keyboardhook:i:2
audiomode:i:1
redirectprinters:i:0
redirectcomports:i:0
redirectsmartcards:i:1
redirectclipboard:i:1
redirectposdevices:i:0
displayconnectionbar:i:1
autoreconnection enabled:i:1
authentication level:i:0
prompt for credentials:i:0
negotiate security layer:i:1
remoteapplicationmode:i:0
alternate shell:s:
shell working directory:s:
disable wallpaper:i:1
disable full window drag:i:0
allow desktop composition:i:1
allow font smoothing:i:1
disable menu anims:i:0
disable themes:i:0
disable cursor setting:i:0
bitmapcachepersistenable:i:1
gatewayhostname:s:
gatewayusagemethod:i:0
gatewaycredentialssource:i:4
gatewayprofileusagemethod:i:0
drivestoredirect:s:
enablecredsspsupport:i:0
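What the two added lines change, shown as an added example that is not part of the original post: enablecredsspsupport:i:0 turns off CredSSP (Network Level Authentication) on the client, and authentication level:i:0 makes the client connect without warning when server authentication fails. The script below flags both in a copy of an .rdp file; the function names and the sample file are constructed for illustration.

```sh
#!/bin/sh
# Added example, not from the original post.

# Emit FILE as plain ASCII. mstsc commonly saves .rdp files as UTF-16LE with a
# BOM; deleting NUL, BOM and CR bytes is enough for the ASCII-only setting
# names and integer values inspected here.
rdp_text() {
    LC_ALL=C tr -d '\000\015\376\377' < "$1"
}

# audit_rdp FILE: print one line per weakened setting found.
# Exit status is 1 if anything was flagged, 0 otherwise.
audit_rdp() (
    rdp_text "$1" | awk -F: '
        # Each setting is "name:type:value" (type i = integer, s = string).
        # If a name repeats, the last occurrence is the one checked (assumption).
        NF >= 3 {
            name = tolower($1)
            value[name] = substr($0, length($1) + length($2) + 3)
        }
        END {
            flagged = 0
            if (value["enablecredsspsupport"] == "0") {
                print "enablecredsspsupport:i:0 - CredSSP (NLA) off: logon happens on the remote desktop after the session is set up"
                flagged++
            }
            if (value["authentication level"] == "0") {
                print "authentication level:i:0 - client connects without warning when server authentication fails"
                flagged++
            }
            exit (flagged > 0)
        }'
)

# Constructed sample: an excerpt of the Default.rdp contents shown in the post.
write_sample() {
    cat > "$1" <<'EOF'
screen mode id:i:2
full address:s:venus
authentication level:i:0
prompt for credentials:i:0
negotiate security layer:i:1
enablecredsspsupport:i:0
EOF
}

sample=$(mktemp "${TMPDIR:-/tmp}/rdp.XXXXXX")
write_sample "$sample"
audit_rdp "$sample" || echo "weakened settings present in $sample"
rm -f "$sample"
```

Run it from any POSIX shell against a copy of the file; an exit status of 0 means neither setting was found at value 0.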
Shorten the download interval on the Exchange Server 2003 Pop3 Connector
by Greg on Jul.09, 2007, under Networking, Registry, Windows Server
The shortest interval to download user email with the Exchange Pop3 connector is 15 minutes. Too long for most people. To shorten that to 5 minutes, you have to update/add a registry value in this key:
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\SmallBusinessServer\Network\POP3 Connector
Add Dword:
"ScheduleAccelerator"=dword:00000003
It works by dividing the default schedule interval by that value. For example, the server connector is set to 15 minutes, the lowest setting. Set the reg value to 3, so 15 divided by 3 equals 5. This makes it a 5 minute interval.
Open file security warning on mapped drive
by Greg on Jul.06, 2007, under Networking, Security, Windows Server, Windows XP
When opening files on the network over mapped drive OR UNC, you receive a “publisher” or “security” warning before running the file. Very annoying.
In IE, you add the server or domain to your “local intranet” security zone. In my case, my server was: main.domain.local
It was mapped on O: drive.
So in the zone I added:
\\main
O:\
domain.local
\\domain.local
That took care of all kinds of connections.
On a domain wide setting: In active directory, I added a group policy for the file types of moderate security.
Go to a domain policy, I did the Default Domain Policy on mine. > Open User Configuration > Administrative Templates > Windows Components > Attachment Manager.
And edit the item: Inclusion List for Moderate Risk file types
Add: .doc;.xls;.exe;.pdf
(just the most common, you might want more)
Add the type you want to exclude from the security warning. Reboot the client computer, or run gpupdate on it to get the new policy. Problem went away for me!
Self-Signed IIS SSL Certificates using OpenSSL
by Greg on Jun.18, 2007, under Linux, Networking, Security, Windows Server
Gregs Uberfast version:
Linux:
openssl genrsa -des3 -out CA.key 1024
openssl req -new -key CA.key -x509 -days 3650 -out CA.crt
chmod 400 CA.key
chmod 400 CA.crt
(the above made a new CA, you want to install the crt into IE’s trusted certs.)
Win:
Make cert request in IIS – take to Lin.
Linux:
openssl x509 -req -days 3650 -in certreq.txt -CA CA.crt -CAkey CA.key -CAcreateserial -out mail.server.crt
Win:
Take that mail.server.crt and install in IIS. People browsing your site will get a “not valid CA” type error, especially in IE7, and they’ll need to accept that. Otherwise, you need to buy a real cert. If it’s only your users on the site, then just have them install the CA.crt into IE, as then they will trust the authority/key from the web server. Every user will need to do that.
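The same CA, request and signing steps run unattended, with a verification step added, as an example that is not part of the original post. It assumes openssl is on the PATH, uses 2048-bit keys and an unencrypted CA key in place of the post's 1024-bit -des3 key so that nothing prompts, and generates the request locally to stand in for the IIS request; the function names and certificate names are constructed.

```sh
#!/bin/sh
# Added example, not from the original post.

# make_ca DIR NAME: create DIR/NAME.key and a self-signed DIR/NAME.crt.
make_ca() {
    openssl genrsa -out "$1/$2.key" 2048 2>/dev/null &&
    openssl req -new -x509 -key "$1/$2.key" -days 3650 \
        -subj "/CN=Constructed $2" -out "$1/$2.crt" &&
    chmod 400 "$1/$2.key"
}

# make_request DIR HOST: stand-in for the IIS request; writes DIR/certreq.txt.
make_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1/$2.key" \
        -subj "/CN=$2" -out "$1/certreq.txt" 2>/dev/null
}

# sign_request DIR CA HOST: sign DIR/certreq.txt with the named CA and add a
# subjectAltName for HOST (current browsers match the host name against
# subjectAltName rather than the CN).
sign_request() {
    printf 'subjectAltName=DNS:%s\n' "$3" > "$1/san.ext" &&
    openssl x509 -req -days 3650 -in "$1/certreq.txt" \
        -CA "$1/$2.crt" -CAkey "$1/$2.key" -CAcreateserial \
        -extfile "$1/san.ext" -out "$1/$3.crt" 2>/dev/null
}

# chain_ok CAFILE CERT: succeed only if CERT verifies against CAFILE.
chain_ok() {
    openssl verify -CAfile "$1" "$2" 2>/dev/null | grep -q ': OK$'
}

# Full flow in a scratch directory: the certificate verifies against the CA
# that signed it and fails against an unrelated CA, which is the situation of
# a client that has not installed CA.crt.
demo() (
    dir=$(mktemp -d "${TMPDIR:-/tmp}/ca.XXXXXX") || exit 1
    make_ca "$dir" CA && make_ca "$dir" OtherCA &&
    make_request "$dir" mail.server &&
    sign_request "$dir" CA mail.server &&
    chain_ok "$dir/CA.crt" "$dir/mail.server.crt" &&
    echo "mail.server.crt verifies against CA.crt"
    chain_ok "$dir/OtherCA.crt" "$dir/mail.server.crt" ||
    echo "mail.server.crt does not verify against OtherCA.crt"
    rm -rf "$dir"
)
demo
```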
Recovering/Restoring Exchange server to a new server
by Greg on Jun.12, 2007, under Networking, Windows Server
Greg Fischer
6/15/07
I used Exchange 2000 on Windows 2000 for this, 2003 might be a little different. Obviously, you need to make sure you have the backups in the first place, this assumes you have done this, and we will only focus on recovery. Also, this is intended for Small businesses with only 1 Exchange server and some, just a little, tolerance for downtime. You maybe can apply some of this in a large organization, but probably not.
Using NTBackup (online data):
(work in progress)
OLD Server: Felix
NEW Server: Ruphus
- Setup a new server as Ruphus. This can be in the same domain and exist with the old server, BUT you will not be able to reconnect the user mailboxes on the new server. That’s a different story and I have not tested procedures for it. We are going to assume the old server is Gone, bye-bye, toast! Also, see notes on setting up a test domain controller and network for full recovery. But at this point, you should have a new Windows server up and running, a DC or not.
- Install Exchange, install SP’s on Ruphus.
- Open System Manager, delete the Felix from the Exchange site. (will give warnings, but ok)
- At this point, we do not have all the configuration from the old server, and for the purposes of this guide, we are not going to bother and assume you can setup your SMTP and other items from memory. In a very large Exchange environment, this might not be possible though, but this guide is intended for those of us with only 1 Exchange server on a small network.
- On Ruphus rename the old mailbox and public store databases, and/or create new databases that have the same “exact” logical names as were on Felix. (in System Manager, browse to Servers, and find your public and mailbox stores. Right click and select Rename.)
- Run NTBackup, go to Restore, and find your Felix Information Store database, check the mailbox stores listed. (and log files, which will probably be an option)
- Click Start Restore.
- Select Ruphus as the server
- Select a temp directory, in my case I used the large D: drive. (d:\temp)
- Check the boxes (I think, Last set, and Mount db’s?)
- Start recovery.
- Reboot, and make sure your stores mount.
- Now, if you have setup a new server on a test network OR your old server is toast and you are trying to recover a new server, then you will need to reconnect the mailboxes to the user accounts. For this you will use a tool called “mbconn.exe”. On your Exchange CD, under SUPPORT\UTILS\I386, find mbconn.exe and run it. (a gui)
- In here, you connect to Ruphus, and select the store you want to reconnect mailboxes. It should display all the orphaned mailboxes. Then you go to Action, Preview All, and select the AD container with your user accounts, and select OK. It should put green checkmarks next to the mailboxes that it matches to. Then you go to Action, and Apply.
Re-apply this to any leftover mailboxes if they are in different OU’s. For example, you might have users in Accounting, or Marketing OU’s. Each will Preview and Apply separately until you have reconnected all of them.
NOTE: You probably won’t be able to reconnect a few items, like System Attendant mailbox, as they are created new on Ruphus. Also, you will need to do this procedure for each mailbox store separately.
- Check Recipient Update Services in Exchange and set the properties accordingly, they will be set to the old server and domain controllers. Tell the objects in RUS to rebuild.
- Dare I say, “login as a user and see if Outlook works” … ?
Using Offline Database:
Coming later…
Notes on setting up a DC
In my case, I wanted to have a test network, and also a way to do fast recovery of the network on a new server that is offsite. Instead of recovering a DC and AD, I just installed a new server on my existing domain. I made sure it had BASIC drives, not DYNAMIC! And then I setup the server as a backup DC. Make sure you select it as a Global Catalog too! Also, make sure DNS is setup and configured on it!
So, at this point, I had a new DC, GC, DNS server, acting as a backup on my domain. I went in the AD sites and services, and performed a manual replication in the NTDS settings for each server. I also made a ghost image of this server, so I can make a step back, and/or do this again for backup procedures. Keep in mind, once you move ahead though, you’ll probably need to do all this again each time you want a current snapshot of AD for recovery. So what I would do is, setup a basic Win2k load NOT joined to the domain with all the service packs and IE updates, and even Office (I find useful), and all your utilities you need. (don’t forget the Adminpak!) Then, make a ghost of this server, before doing the join and DCpromo.
Now, we’ve got our replicated server. Lets shut it down, and set it up on the new testing network. (MAKE SURE!!! You cannot communicate with the old one, make them physically separate!) And once removed and setup on the new network, you will need to manually delete this newly dcpromo’d server from your existing network. (see below)
At this point, we need to seize all the roles, and make this server the master of the domain. So, look it up online, run the ntdsutil command program and seize all the 5 FSMO’s. Then, go into DNS and remove anything regarding the old servers. (don’t forget the server properties listing the old ones as Name servers too) And also, in _msdc SRV records, remove the old servers. After all that, you might need to go in to ADSIEdit (in the adminpak) and find the old servers and delete them in the CN=Configuration container. And if necessary, go in the AD Computers and in Domain Controllers, and delete the servers. And one more… Go into AD sites, and delete the NTDS replication entries and servers. Whew! I think that’s it! You should have a single DC on a test network. This all takes only minutes once you do it a couple times, so it’s not that bad. The hardest part is remembering the ntdsutil command, which you need to lookup online. Just verify that the new server actually holds all the FSMO roles.
We should have a new server all ready to go on the testing/recovery network! All user accounts and settings intact! And now we can begin Exchange!
Gregs reasons to NOT send images in the email body
by Greg on Apr.24, 2007, under Business
Are you ready for my geeky-not-what-you-want-to-hear explanation?
- Email was never designed to have images. Email programs have “retrofitted” them.
- They increase the size of each message, sometimes 4-10x and more! When you are talking about a single signature that is 20k, that is 5-6x larger message size than what the message would be without it. And when you load your mail server with thousands and thousands of those, that can mean the difference of a slow or fast server. The difference is in mailbox size, scanning time, transfer and process time, database storage, backup time and space, and sending/receiving time. All being 5,6,10 times more than what they could be, just because you have a logo.
- More and more people have images blocked by their email client.
- More and more mail server scanners (for spam and viruses) strip out the images and HTML formatting because of security reasons. (because spam and viruses link images and HTML code to outside sources, loading things you don’t want in your system, and also verifying you exist and can receive more spam!) Which completely disallows the user’s ability to see the intended publication, which makes the message sometimes appear out of order or jumbled around, completely obscuring the message. (which is only in text in the first place)
- Email client programs can have any possible screen width for the message, making it impossible to correctly format a background and graphical body so that it looks correct for all users. This is way tougher than doing web pages, because at least on the web, you design for 800×600 screen size and larger. But email programs can be resized, and sometimes very small.
- Relating to the last item… When you design a template for sending messages in HTML (so you can have images) you are limited to the design capability of the email program. Not everyone has the same email program, and therefore the formatting will most likely be rendered incorrectly. (meaning, it’s not very portable, unlike PDF’s.)
Ok, so that’s all, as far as I know, factual, technical reasons to not use images in email. With that knowledge, it is my *technical* advice to not use them in the message body. On the other hand, they do make the message more attractive (usually). And they can help to “brand” the message. I can surely understand that.
Email is all about the *message* you want to deliver. And what you say is in the typed text. I have all my images blocked on my programs, so I can cut through the mumbo jumbo and read the actual message in my small preview pane. To me, it’s more professional to keep your message body as text, and attach any images you want to share. (including PDF invoices, with images on the invoice itself) And, it’s more respectful to the client that they receive the properly formatted, text message, than to be cute. To me it’s a matter of function-over-form, not the other way around. But, of course, now we’re talking about *my opinion*.
Set duplex on linux network card
by Greg on Mar.05, 2007, under Linux, Networking
Statically/manually define/set duplex on linux network card
Use mii-tool or ethtool
//////////////////////////////
A Note About Duplex Settings
By default, Linux NICs negotiate their speed and duplex settings
with the switch. This is done by exchanging electronic signals
called Fast Link Pulses (FLP). When the speed and duplex are forced
to a particular setting the FLPs are not sent. When a NIC is in
auto-negotiation mode and detects a healthy, viable link but receives
no FLPs, it errs on the side of caution and sets its duplex to
half-duplex and sometimes it will also set its speed to the lowest
configurable value. It is therefore possible to force a switch port to
100 Mbps full duplex, but have the auto-negotiating server NIC set
itself to 100Mbps half-duplex which will result in errors. The same is
true for the switch if the switch port is set to auto-negotiate and
server NIC is set to 100 Mbps full duplex. It is best to either force
both the switch port and server NIC to either auto-negotiate or
the same forced speed and duplex values.
//////////////////////////////
//////////////////////////////// mii-tool
/////////////////////////////////////////////////////////////
[root@bigboy tmp]# mii-tool
SIOCGMIIPHY on 'eth0' failed: Operation not supported
eth1: 100 Mbit, half duplex, link ok
[root@bigboy tmp]#
[root@bigboy tmp]# mii-tool -v
eth1: negotiated 100baseTx-FD, link ok
product info: vendor 00:10:18, model 33 rev 2
basic mode: autonegotiation enabled
basic status: autonegotiation complete, link ok
capabilities: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
advertising: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD
link partner: 100baseTx-FD 100baseTx-HD 10baseT-FD 10baseT-HD flow-control
[root@bigboy tmp]#
mii-tool -F 100baseTx-FD eth0
//////////////////////////////// Ethtool
/////////////////////////////////////////////////////////////
[root@bigboy tmp]# ethtool eth0
Settings for eth0:
Supported ports: [ TP MII ]
Supported link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Supports auto-negotiation: Yes
Advertised link modes: 10baseT/Half 10baseT/Full
100baseT/Half 100baseT/Full
Advertised auto-negotiation: No
Speed: 100Mb/s
Duplex: Full
Port: MII
PHYAD: 1
Transceiver: internal
Auto-negotiation: off
Supports Wake-on: g
Wake-on: g
Current message level: 0x00000007 (7)
Link detected: yes
[root@bigboy tmp]#
#
# File: /etc/sysconfig/network-scripts/ifcfg-eth0
#
DEVICE=eth0
IPADDR=192.168.1.100
NETMASK=255.255.255.0
BOOTPROTO=static
ONBOOT=yes
ETHTOOL_OPTS="speed 100 duplex full autoneg off"
////////////////////// or
ethtool -s eth1 speed 100 duplex full autoneg off
Things I do not like about EFS and a better solution called Truecrypt
by Greg on Feb.19, 2007, under Backup, Security, Windows Server, Windows Vista, Windows XP
I am not an expert on these things (encryption), but I have done some reading and found some issues with Encrypted File System I don’t like. I may not describe the issues correctly, so this is just my opinion more than anything.
1. In Windows 2000, don’t even bother. It can be bypassed with their recovery agent or administrator. So if you lose your laptop, the data can be accessed.
2. In XP, it is better and more secure. I think there is no data recovery agent, but I think a local administrator account on a non-domain install of XP will still have the private keys.
3. The private keys are on that hard drive!
4. You still see all the files. The file names are all viewable, and that may be a security risk for some companies. It’s better than nothing, but I don’t like that too much.
5. You can’t encrypt the whole system. Or a whole partition for that matter. You must encrypt a folder, and at that, only the files in that folder are encrypted.
6. Here’s the one I like least… with EFS, when you open a file, it is decrypted to a tmp file. This file is deleted once you finish with it, but as you know, files are not “wiped” from the drive when they delete, they just remove the pointer to it. So unless data is overwritten in that place of the drive, that data is accessible to anyone. If you had a spreadsheet with SSN’s or credit card numbers, and you just happen to lose your system to someone who knows what to do with it, you got a big problem!!
7. There’s more, I just can’t think of them.
Anyway, after doing some reading… I found that Bitlocker in Vista will be a very nice solution. But you have to buy Enterprise or Ultimate versions of Vista to get it. Bitlocker can encrypt the entire OS partition. Now that is nice! That is exactly what we wanted! And if you set it up correctly, using a key or PIN at boot, it will make an extremely secure setup. One drawback, you can only encrypt the partition the OS is on, not other partitions. You’ll need to use normal EFS for them.
That’s nice, but I have Vista Business. And I don’t want to spend more money right now. Plus, on my main system and pretty much all my clients, they have 2000 and XP. Guess what I found to get me by? TrueCrypt. www.truecrypt.org. Nice product!! And it’s open-source and free!!!!
With TrueCrypt, you can password protect an entire partition with AES 256-bit encryption. You can use multiple ciphers and even key based access using a USB drive. (Bitlocker can do the USB drive thing too!) It’s a tiny program running in the systray. And in my case, I am just running a password authentication and 256bit AES on a separate partition, so my performance is pretty good too, though not as fast without encryption. Now, with XP I will be making redirections to My Documents to that private drive, and saving all my “work-in-progress” there. That, to me, operates reasonably, and pretty darn secure. I could do more to secure it, like use a key file on my usb key drive. Then you cannot get into any of my private data without the key drive inserted! But I need to test that first.
TrueCrypt can also create a virtual drive from a file. That might be handy, but performance is just a little slower that way. It cannot encrypt your OS partition though, which is a drag, but at least I can encrypt a separate partition and you cannot see the file system structure. It has a lot of neat features. Definitely worth trying if you want to lock things down.


