Friday, 8 February 2008

How to Check Network load balancing

Checking NLB

After you have completely configured your servers as a cluster, you can verify that they are working properly by opening up a command prompt and typing wlbs query. You can also ping your virtual IP address to see if it is responding correctly.


For more detailed information on your cluster, type wlbs display.


Session Directory Overview

· Solves orphaned sessions problem prevalent in Windows 2000 farms

· TS Farms appear as a single server to users

· Routes users back to disconnected session

· Essentially a database of user sessions

· Session Directory is not a load balancer

  • It is Load Balancer Agnostic, works with many third-party Load Balancers – F5, Big IP as well as Windows NLB

Hold current session: can't find a free solution for it till now….

See this for the best solution found for this issue:

Configuring Windows Network Load Balancing

Configuring Windows Network Load Balancing

Requirements that all servers must meet to use Windows NLB:

  • Have at least one network interface configured for Load Balancing.
  • Use TCP/IP.
  • Be on the same subnet.
  • Share a common (virtual) IP address.

To enable NLB (Control Panel | Network Connections | Right-click on your network card | Properties | Check the box next to the “Network Load Balancing” option).


Once you enable NLB, you must configure it (Network adapter properties | Highlight “Network Load Balancing” | Click the “Properties” button).


Cluster Parameters

§ First enter the virtual IP address

§ Subnet mask

§ DNS name that your cluster will use


Host Parameters

§ The “Host Priority” is a unique number assigned to each server in the cluster.

§ Dedicated IP of the Host (its IP)

§ Subnet mask

In Unicast mode, NLB replaces the network card’s original MAC address.

In Multicast mode, NLB adds the new virtual MAC to the network card, but also keeps the card’s original MAC address.

In Multicast mode, the network card has two MAC addresses, which causes some problems: most routers reject the ARP replies sent by hosts in the cluster, since the router sees a response to the ARP request that contains a unicast IP address with a multicast MAC address. You therefore need to manually configure the ARP entries on the router.


The disadvantage of Unicast mode is that, since all hosts in the cluster have the same MAC and IP address, they cannot communicate with each other via their NLB network card. A second network card is required for communication between the servers.

Port Rules

§ First add a new rule (Port Rules tab | Add button)

§ Configure the port range

§ Select the protocol (TCP or UDP or Both)

§ The filtering mode “Multiple Host”

§ The “Affinity” determines if a specific client’s requests will continue to be routed to a specific server.

o If you’re using the Session Directory, then a specification here is not required or can be set to “none”.

o If you are not using the Session Directory, set this rule to “single affinity” so that a client will always be serviced by the same server and users can reconnect to their disconnected sessions.

§ The “Load weight” setting determines the amount of users/load this server should handle.

Network Load Balance on Windows 2003

Microsoft Windows Network Load Balancing (“NLB”) is the “free” out-of-the-box software load balancing solution available for Windows 2003-based Terminal Servers.

§ NLB is available with all editions of Windows Server 2003 (All versions of Windows Server 2003 come with Network Load Balancing installed)

§ Network Load Balancing works by assigning a single virtual IP address to those multiple servers that can respond.

§ Then assign a DNS name to the virtual IP address. RDP clients connect to this DNS name.

§ The system responds by automatically connecting the user to the least-busy server.

§ Network Load Balancing enables all of the configured nodes on a single subnet to detect incoming network traffic for the cluster's virtual IP address.

§ If one server has failed but is still responding to the network, the NLB system will continue to send users to it.

§ A server failure in an NLB cluster will be detected by the other servers (through the cluster’s heartbeat packets).

Advantage of Load Balancing with Windows NLB

  • It’s the “free” solution that’s built-in to Windows.

Disadvantages of Load Balancing with Windows NLB

  • Load calculations are only based on network load.
  • You can’t natively load-balance more than 32 servers.
  • All servers must be located on the same subnet.
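The NLB requirements and settings described above (hosts on the same subnet as the shared virtual IP, a unique host priority per server, at most 32 servers, and single affinity when Session Directory is not used) can be checked before the cluster is built. The following is an added example, not part of the original post; the function name, the tuple layout, the sample addresses and the 1-32 priority range check are assumptions made for illustration.

```python
import ipaddress

MAX_HOSTS = 32  # NLB cannot natively load-balance more than 32 servers

def check_nlb_plan(vip, mask, hosts, uses_session_directory, affinity):
    """Return a list of problems in a planned NLB cluster (empty list = none found).

    hosts: list of (name, dedicated_ip, priority) tuples (hypothetical layout).
    affinity: "none" or "single", the port rule's Affinity setting.
    """
    problems = []
    net = ipaddress.ip_network(f"{vip}/{mask}", strict=False)
    virtual = ipaddress.ip_address(vip)
    if len(hosts) > MAX_HOSTS:
        problems.append(f"{len(hosts)} hosts exceeds the limit of {MAX_HOSTS}")
    priorities = {}
    for name, dedicated_ip, priority in hosts:
        ip = ipaddress.ip_address(dedicated_ip)
        if ip not in net:
            problems.append(f"{name}: {ip} is not on the cluster subnet {net}")
        if ip == virtual:
            problems.append(f"{name}: dedicated IP duplicates the virtual IP")
        if not 1 <= priority <= MAX_HOSTS:
            problems.append(f"{name}: host priority {priority} is outside 1-{MAX_HOSTS}")
        if priority in priorities:
            problems.append(
                f"{name}: host priority {priority} already used by {priorities[priority]}")
        priorities.setdefault(priority, name)
    # Without Session Directory, only single affinity returns a client to the
    # server that holds its disconnected session.
    if not uses_session_directory and affinity != "single":
        problems.append("no Session Directory: set affinity to 'single'")
    return problems

# Constructed sample plan; names and addresses are illustrative.
SAMPLE_HOSTS = [
    ("TS01", "192.168.10.11", 1),
    ("TS02", "192.168.10.12", 2),
    ("TS03", "192.168.11.13", 2),  # wrong subnet and duplicate priority
]

if __name__ == "__main__":
    for problem in check_nlb_plan("192.168.10.50", "255.255.255.0",
                                  SAMPLE_HOSTS, False, "none"):
        print(problem)
```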

Tuesday, 5 February 2008

Configuring Application Isolation on Windows Server 2003 and Internet Information Services (IIS) 6.0

Introduction

This paper discusses the general topic of application isolation as it relates to Web applications run on Windows Server 2003 servers with IIS 6.0 running in worker process isolation mode. Isolation refers to the degree of separation between two Web applications running on a server. In this paper, the notion of a Web application is meant in a very broad sense; it includes the processes, files, and even users, serviced by the application. Applications are isolated from each other to the degree that one application is prevented from accessing resources used by another application.

Benefits of Isolation

Enterprises are increasingly interested in isolation because of the opportunity to reduce costs through server consolidation. As the capabilities of hardware increase dramatically over time, fewer servers are required to deliver the same applications. While this decreases the costs of deployment and maintenance, it can create logistical difficulties when there is a vested interest in keeping clear boundaries between applications that are consolidated to run on a single server.

In some scenarios, each Line of Business (LOB) for an organization is essentially a separate customer to the IT group responsible for application infrastructure. For example, an organization that has been acquired may compete with other parts of the acquiring organization. Consequently, there's a business requirement for creating effective barriers between applications serving each LOB and protecting sensitive data.

Another example of a clear need for high isolation is an ISP that hosts Web sites for many clients. One customer should not be able to view the files or databases in use by other Web sites on the server.

In other cases, a company may offer Web applications and other technical resources to business partners who are in competition with each other. As a result, companies need to offer a high degree of isolation for the applications in use by their individual customers, partners, or business units using the same server. It is important, for example, to have the ability to configure one partner's software that accesses a database, such that the application could not access another partner's database.

Another benefit of application isolation is that you can design the infrastructure of the applications, server, and network to improve the ability to distribute content and applications. For example, you may want to put content on a remote file store so it can be shared by more than one server. Alternately, you may want to host each application's content on different file servers, to further isolate each LOB application, but share the same Web server as a front end.

The following sections discuss several approaches to obtaining a high level of isolation.

For more details Visit

IIS 6 Pre & Post Installation Tasks

When training on IIS 6, I generate a list of tasks that you need to do or at least be aware of before and after you migrate. I haven't posted this before because I haven't had time to fill it out with full explanations. That day may never come, so I thought it might be useful to post at least the list here.

This list is of course incomplete, but should help you to avoid common problems as well as a few of those that are uncommon but difficult to troubleshoot. In particular, this is designed to troubleshoot/avoid issues of the sort "it used to work on IIS 5 but fails on IIS 6"

1. Use the Log Parser Tool to scan your IIS 5 log files and identify all executables. These must be defined in Web Service Extensions or you have to disable Web Service Extensions by allowing all executables.

2. Use the Log Parser Tool to scan your IIS 5 log files and identify all extensions that are in use. You will need to define MIME maps for those that are not defined in IIS 6 and it points the way to identifying script engines that need to be installed.

3. Reset Application Pool recycling to something other than every 29 hours, the absurd default. DO recycle, however, if you can.

4. Consider disabling automatic shutdown of Application Pools after 20 minutes of inactivity. You may not need to and it takes a while for the first request to launch when the pool doesn't exist.

5. Enable logging of Protocol Substatus in the IIS log Files (IIS W3C format).

6. Use Metabase Explorer or other means to set the LogEventOnRecycle Metabase property in the Application Pools key to 255. This will cause all recycle events to be recorded in the event logs.

7. Identify any IIS 5 filters that use Read_Raw_Data before you migrate. Here's the syntax to use MDUTIL to query the settings for the ISAPI filter sspifilt:

Mdutil get w3svc/filters/sspifilt/filterflags

If the result shows ReadRawData you have to run in IIS 5 mode or rewrite the filter.

8. If using custom identities for application pools, make SURE they are members of the IIS_WPG. Not optional.

9. For asp.net content, assign the IIS_WPG read permissions to web content unless running with unique identities for security isolation between websites. In that case, place the unique identity in the IIS_WPG but use the unique identity for ACLs, not the IIS_WPG. See http://www.microsoft.com/technet/prodtechnol/windowsserver2003/technologies/webapp/iis/appisoa.mspx for details.

10. Identify any CGI applications (.exe's typically) and permit additional rights for the process identity.

11. Identify HTTP.sys default values that may interfere with your application. There are limits on the url content, url segment length, client submission size, etc. Also HTTP.sys strictly enforces http 1.1 and 1.0 standards. If you have a monitoring system delivering sloppy requests to IIS 6, those may get rejected and there is no "AcceptSloppyHTTP" registry setting.

12. Determine if overlapping recycling causes problems for your applications. If so, disable it. See the IIS 6 Resource Kit for details.

13. Identify if your applications have any dependencies on the IIS 5 architecture such as running as the IWAM or System account.

14. Be aware that when creating new virtual directories on UNC paths, the default is to "pass through" the user's credentials. This will probably fail unless you're using Basic or Kerberos with delegation enabled.

15. If your applications use Parent Paths (dotted notation), you will need to enable that in IIS 6.

16. Determine if your applications are stable when you enable AspExecuteinMTA for multi-threaded ASP. Can get a good performance boost here as long as COM in your applications gets along in the MTA.

17. Identify any services using mapped drives on Windows 2000. You will likely need to find another way to do this on Windows 2003.

18. Consider enabling compression.

19. Install CDONTS if you require it. Tip: Don't install SMTP just to deliver email from your application. Instead use one of the many SMTP objects you can invoke in your script. This way, you don't have 24/7 server online that you have to configure, administer, hotfix, secure, etc. The SMTP object delivers mail just fine and is non-existent when the page that creates it goes out of scope.

20. Identify ASP.net process elements that need to be configured in the IIS 6 user interface.

21. Be aware that you may need to increase the number of connections permitted to an application pool on a high volume server.


by Brett Hill IIS MVP
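Steps 1 and 2 of the list above (inventory the executables and the file extensions seen in the IIS 5 logs) can be illustrated as follows. This is an added example, not the author's code, and it uses a small Python parser for W3C extended logs in place of the Log Parser Tool; the set of extensions treated as executables, the function names and the sample log lines are assumptions constructed for illustration.

```python
import posixpath
from collections import Counter

EXECUTABLE_EXTS = {".exe", ".dll", ".cgi"}  # assumption: treated as executables

def split_target(stem):
    """Return (path, extension); stop at an executable segment so PATH_INFO
    after /cgi-bin/app.exe/extra is not mistaken for the requested file."""
    parts = stem.lower().split("/")
    for i, seg in enumerate(parts):
        ext = posixpath.splitext(seg)[1]
        if ext in EXECUTABLE_EXTS:
            return "/".join(parts[: i + 1]), ext
    return "/".join(parts), posixpath.splitext(parts[-1])[1] or "(none)"

def inventory(log_lines):
    """Count extensions and executable URLs in W3C extended log lines."""
    fields, exts, executables = [], Counter(), Counter()
    for line in log_lines:
        line = line.strip()
        if line.startswith("#Fields:"):
            fields = line.split()[1:]  # column layout may change mid-file
            continue
        if not line or line.startswith("#") or "cs-uri-stem" not in fields:
            continue
        cols = line.split(" ")
        if len(cols) != len(fields):
            continue  # truncated or malformed record
        path, ext = split_target(cols[fields.index("cs-uri-stem")])
        exts[ext] += 1
        if ext in EXECUTABLE_EXTS:
            executables[path] += 1
    return exts, executables

def needs_review(exts, known_mime_exts):
    """Extensions that need either a MIME map or a script engine on IIS 6."""
    return sorted(e for e in exts if e not in known_mime_exts | EXECUTABLE_EXTS)

# Constructed sample log, not taken from a real server.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2008-02-05 10:00:01 10.0.0.5 GET /default.asp - 200
2008-02-05 10:00:02 10.0.0.5 GET /images/logo.gif - 200
2008-02-05 10:00:03 10.0.0.6 POST /cgi-bin/Report.exe/export id=7 200
2008-02-05 10:00:04 10.0.0.6 GET /scripts/filter.dll - 200
2008-02-05 10:00:05 10.0.0.7 GET /downloads/tool.iso - 200
2008-02-05 10:00:06 10.0.0.7 GET /cgi-bin/report.exe - 200
""".splitlines()

if __name__ == "__main__":
    exts, executables = inventory(SAMPLE_LOG)
    print(dict(executables))
    print(needs_review(exts, {".gif", ".htm"}))
```

The executables it reports are the candidates for Web Service Extensions entries; the extensions returned by `needs_review` are the ones to check for a missing MIME map or script engine.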

Friday, 1 February 2008

Testing Password Safety

Proactive is always better than reactive, especially when trying to secure a corporate network. Learn more about the weaknesses in password security, and how you can audit your network to improve your security level.

Introduction


Information protection gets much attention these days. Many have realized that their data is a treasure, which not only should be treated properly, but should be protected as well.


Preventing and minimizing risks is much better than suffering consequences. This plain rule is also true for informational security of any enterprise.


So a few dollars spent on defending against security threats now can reap millions in avoiding future losses due to hacking of your enterprise network. Fighting to recover from the aftermath of a severe confidential information leak can cost a great deal of money and could even ruin your business.


Average corporate network security is generally at the level of its weakest link. In many cases, it takes only one weak password to cause a breach in the security system of the whole enterprise.
This article is about the risks of using weak passwords within a corporate network and ways to minimize these risks.



Download this white paper

Reporting Services together with SQL Server 2005 Service Pack 2, the "Save As Report" dialog box stops responding, or the "Open Report" dialog box sto

Source: Knowledge Base
Product: Microsoft SQL Server 2005 Reporting Services
Notification Contents: New, All Modifications and Delete

FIX: In Reporting Services together with SQL Server 2005 Service Pack 2, the "Save As Report" dialog box stops responding, or the "Open Report" dialog box stops responding in Report Builder

------------------

Bug #: 50001837 (SQL Hotfix)
Microsoft distributes Microsoft SQL Server 2005 fixes as one downloadable file. Because the fixes are cumulative, each new release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release.

RESOLUTION

The fix for this issue was first released in Cumulative Update 4. For more information about how to obtain this cumulative update package for SQL Server 2005 Service Pack 2, click the following article number to view the article in the Microsoft Knowledge Base:
941450 Cumulative update package 4 for SQL Server 2005 Service Pack 2

Note Because the builds are cumulative, each new fix release contains all the hotfixes and all the security fixes that were included with the previous SQL Server 2005 fix release. Microsoft recommends that you consider applying the most recent fix release that contains this hotfix. For more information, click the following article number to view the article in the Microsoft Knowledge Base:
937137 The SQL Server 2005 builds that were released after SQL Server 2005 Service Pack 2 was released

Microsoft SQL Server 2005 hotfixes are created for specific SQL Server service packs. You must apply a SQL Server 2005 Service Pack 2 hotfix to an installation of SQL Server 2005 Service Pack 2. By default, any hotfix that is provided in a SQL Server service pack is included in the next SQL Server service pack.

APPLIES TO
Microsoft SQL Server 2005 Reporting Services
------------------------------------

http://support.microsoft.com/kb/942715/en-US




The DHCP support is not available when you install SQL Server 2005 on a Windows Server 2008 failover cluster

Source: Knowledge Base
Product: Microsoft SQL Server 2005 Standard Edition, SQL Server 2005 Enterprise Edition
Notification Contents: New and All Modifications

The DHCP support is not available when you install SQL Server 2005 on a Windows Server 2008 failover cluster

------------------

SUMMARY

Microsoft SQL Server 2005 failover clusters do not support Dynamic Host Configuration Protocol (DHCP).

MORE INFORMATION

Windows Server 2008 failover clusters introduce support for DHCP. When you install SQL Server 2005 on a Windows Server 2008 failover cluster, you may expect that you can enable the DHCP support in the SQL Server 2005 failover cluster. However, you cannot find an option to assign DHCP to the IP Address resource when you install SQL Server 2005.

This behavior occurs because SQL Server 2005 failover clusters do not support DHCP. Support for DHCP is scheduled to be included in Microsoft SQL Server 2008 failover clusters.

APPLIES TO
Microsoft SQL Server 2005 Standard Edition
Microsoft SQL Server 2005 Enterprise Edition


---------------------


http://support.microsoft.com/kb/945936/en-US