Nifty shortcuts for Server 08

Wednesday, 2. June 2010

I had the glorious opportunity today of making a Microsoft support call.  I’m not sure how many of you out there have made one before, but I have to say it’s getting WAY better.  I had a call back in less than an hour, and the tech was very knowledgeable.  All said and done, they had the issue fixed in 30 minutes.  Whenever I watch another tech work (this time remotely) I like watching what shortcuts they use when they are doing their work.  I picked up a couple from this support call that I thought were worth sharing.  The first one, in my opinion, is enough by itself.

Display your network adapters (Without going to the network and sharing center first!!!)
My biggest pet peeve with server 08 is that it takes more than 2 clicks to see your actual adapters. Not anymore, this shortcut loads the adapter screen in one command!
Command: ncpa.cpl
Usage: Start Menu,  Run, Type  ‘ncpa.cpl’ – Press <Enter>

Display Add/Remove Program (program and features)
Not a huge breakthrough, but it saves time all the same
Command: appwiz.cpl
Usage: Start Menu,  Run, Type  ‘appwiz.cpl’ – Press <Enter>

Show IIS (7)
Another time saver
Command: inetmgr
Usage: Start Menu,  Run, Type  ‘inetmgr’ – Press <Enter>

I’m mostly on the network side, so the first command is most useful to me.  Nonetheless it’s useful to know some shortcuts even with a GUI OS like Windows.  As a side note, you can also run all of these commands out of command prompt, but for shortcuts that don’t have the ‘.cpl’ extension you need to preface the command with the word ‘start’ (e.g. ‘start inetmgr’).

Demystifying the svchost.exe process (and finding out what process is actually running under it)

Tuesday, 25. May 2010

I ran into this the other day at work and thought I would share.  Hopefully this will save you some time.  I had a service on a windows box that locked up during a standard service restart.  Seeing as most people don’t like having their server rebooted during the day I had to come up with a way to deal with this.  My usual fix for this was to determine what exe the service was running, hunt it down in task manager, manually kill it, and start the service again.  However, when I looked at the service I saw that the listed executable was ‘svchost.exe’.  Knowing that I would encounter more than one svchost.exe process when I opened task manager I decided to spend some time and figure out exactly what the exe was. 

What is svchost.exe?
As it turns out, not all applications and services in Windows have the ‘exe’ file extension.  Some of them are actually DLL (Dynamic-Link Library) files that need a means to run.  Windows (unlike other operating systems) doesn’t have a way to run a DLL directly as a service.  Svchost acts as a platform (a separate EXE) from which to launch these DLLs as services.  So when you see a ton of svchost.exe processes running under task manager, they aren’t actually the same program.

So which one is which?
So let’s walk through an example of how to determine which svchost process is linked to a particular program.  Let’s say that the DHCP client service on my Windows server locked up and during the service restart the service hung in the dreaded ‘Attempting to stop’ state (Yes, I realize it’s highly unlikely that your DHCP client service would be a critical service on a server with a static IP, just bear with me as the concept is the same for any service).  So I open up the services MMC and check the properties of the service to find out what EXE the service is running.  The properties screen looks like this…

image

As you can see, the service runs under the svchost.exe process.  A look at my task manager on the server gives me this…
 

image

Notice that I have not one, but fifteen svchost.exe processes running.  So which one do I kill?  After some googling I found the answer.  The key to making this determination is the PID (Process ID).  If you can’t see the PID in your task manager go to View – Select Columns – and select PID (for Server 08).  You should now see the PID listed next to each process.  Now go to the command prompt and enter this magic command…

tasklist /svc

Or if you just want to see the svchost.exe processes…

tasklist /svc /fi "imagename eq svchost.exe"

The output from the second command looks like this…

image 

A quick review of the output reveals that DHCP is running over svchost.exe at PID 956.  Taking a look back at the task manager I locate PID 956 and kill the process.  Pretty slick huh?

Beware!
I view this way of starting and stopping windows services as a last resort.  Often times multiple services run under the same svchost which can cause issues if you start killing them.  Additionally, a lot of windows services that run as svchost.exe don’t like being killed.  For instance, the DHCP client I used in this example when killed just started right back up again.  If you can do a server reboot to clear the hung process that’s usually the best approach.  But if you can’t, and need a quick fix, use this with caution.
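
To see what else would go down with a given svchost.exe before killing it, the tasklist output can be checked in a script. The following is an added example, not part of the original post; it assumes the English-locale CSV form of the same command (tasklist /svc /fo csv), and the sample output is constructed apart from the article's PID 956 for DHCP.

```python
import csv
import io

# Constructed sample of:
#   tasklist /svc /fo csv /fi "imagename eq svchost.exe"
# PID 956 hosting Dhcp follows the article; the other rows are made up.
SAMPLE = '''"Image Name","PID","Services"
"svchost.exe","812","DcomLaunch,PlugPlay"
"svchost.exe","956","Dhcp,EventLog,lmhosts"
"svchost.exe","1020","Dnscache"
'''


def parse_tasklist_csv(text):
    """Return {pid: [service, ...]} from tasklist /svc CSV output."""
    hosts = {}
    for row in csv.DictReader(io.StringIO(text)):
        services = [s.strip() for s in row["Services"].split(",") if s.strip()]
        # Processes that host no services report "N/A"; skip them.
        if services and services != ["N/A"]:
            hosts[int(row["PID"])] = services
    return hosts


def kill_impact(hosts, service):
    """Find the PID hosting `service` and the other services sharing it."""
    wanted = service.lower()
    for pid, services in hosts.items():
        if wanted in (s.lower() for s in services):
            shared = [s for s in services if s.lower() != wanted]
            return pid, shared
    return None, []


if __name__ == "__main__":
    # On a live server, feed in the real command output instead of SAMPLE,
    # e.g. subprocess.check_output(["tasklist", "/svc", "/fo", "csv"], text=True)
    pid, shared = kill_impact(parse_tasklist_csv(SAMPLE), "dhcp")
    print(f"Dhcp runs in PID {pid}; killing it also stops: "
          f"{', '.join(shared) or 'nothing else'}")
```

If the second value returned is not empty, killing that PID takes those services down too.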

Using telnet to test authenticated relay in Exchange

Tuesday, 12. January 2010

Many times I find myself wanting to test the SMTP service in Exchange.  Unfortunately, without using OWA or the actual outlook client there aren’t many options.  Some time ago, a colleague of mine showed me how to test exchange by using telnet and connecting to the server on port 25.  Not only will this give you the error codes for SMTP events but it lets you test internal, external, authenticated, and unauthenticated relay.  So from a sys admin point of view it’s pretty crucial to be able to test this when you are configuring an appliance or a piece of software to send email notifications.

Notes
-Insert your relevant information between <>
-Console prompts are shown in green
-Text in blue are variable names I made up, feel free to change them

Connect to the SMTP Server
C:\>telnet <SMTP Server name or IP> 25

If the connection is successful you should receive the SMTP Server banner. It should look something like this and return the 220 code on the first line.

220 SMTPServer.testdomain.local Microsoft ESMTP MAIL Service ready at Sat, 8 Jan 21
10 6:03:15 –0600

If you receive output, try saying hello to the server with the ‘ehlo’ command.  After you press ENTER you should receive a list of available options on that particular SMTP server.  Take note of the line that reads ‘250-AUTH NTLM LOGIN’.  If you want to test authenticated SMTP, you need to have the ‘AUTH LOGIN’ command available.  AUTH LOGIN translates to basic authentication.  For instance, this server supports both NTLM and basic authentication.

ehlo
250-SMTPServer.testdomain.local Hello [192.168.127.10]
250-SIZE
250-PIPELINING
250-DSN
250-ENHANCEDSTATUSCODES
250-STARTTLS
250-X-ANONYMOUSTLS
250-AUTH NTLM LOGIN
250-X-EXPS GSSAPI NTLM
250-8BITMIME
250-BINARYMIME
250-CHUNKING
250-XEXCH50
250 XRDST

If you don’t see the option for ‘AUTH LOGIN’ check your SMTP server settings.  In Exchange 2007, you can open the Exchange management console, browse to Server Configuration, select Hub Transport, and then check the properties of the default receive connector.  In particular, check the authentication tab.  It should look something like this…
image

Note that basic authentication is selected.  Also ensure that the check box beneath basic authentication (Offer Basic authentication only after starting TLS) is unchecked.  If it’s checked you probably won’t get the ‘AUTH LOGIN’ option.

Once we have basic authentication configured we can try sending an email.

Log in to the SMTP Server
AUTH LOGIN
334 VXNlcm5hbWU6

It’s important to note here that authentication in SMTP is done using Base64 encoded phrases.  So when I enter ‘AUTH LOGIN’ and press enter the server returns ‘VXNlcm5hbWU6’ which is Base64 for Username:.  Any and all parts of the authentication discussion will be in Base64.  I use this web site…

http://www.webpan.com/Customers/Email/base64_conversion.htm

to do Base64 encodes and decodes.  You can Google for a different method if you prefer.  Let’s do the entire authentication conversation in Base64 and then I’ll show the translated input and output.

Conversation in Base64
AUTH LOGIN
334 VXNlcm5hbWU6
YWRtaW5pc3RyYXRvcg==
334 UGFzc3dvcmQ6
cGFzc3dvcmQ=
235 2.7.0 Authentication successful

Translated back to plain text
AUTH LOGIN
334 Username:
administrator
334 Password:
password
235 2.7.0 Authentication successful
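
The Base64 steps above can be done locally instead of on a web page, which keeps the test account's password off third-party sites. The following is an added example, not part of the original post; it checks the EHLO reply for AUTH LOGIN and STARTTLS, builds the lines to type, and decodes a captured exchange, which also shows that Base64 is plain encoding and anyone who sees the session without TLS can read the credentials. The function names are made up for this example.

```python
import base64
import re

# EHLO reply lines taken from the article's transcript (abbreviated).
EHLO_REPLY = """250-SMTPServer.testdomain.local Hello [192.168.127.10]
250-SIZE
250-STARTTLS
250-AUTH NTLM LOGIN
250-8BITMIME
250 XRDST"""


def parse_ehlo(reply):
    """Return {KEYWORD: [params]} from a multi-line 250 EHLO reply."""
    extensions = {}
    for line in reply.splitlines()[1:]:      # first line is the greeting
        match = re.match(r"250[- ](\S+)(.*)", line)
        if match:
            params = match.group(2).upper().split()
            extensions[match.group(1).upper()] = params
    return extensions


def b64(text):
    return base64.b64encode(text.encode("utf-8")).decode("ascii")


def unb64(token):
    return base64.b64decode(token, validate=True).decode("utf-8")


def auth_login_lines(username, password):
    """Client lines to type for AUTH LOGIN, in order."""
    return ["AUTH LOGIN", b64(username), b64(password)]


def decode_transcript(lines):
    """Decode the Base64 parts of a captured AUTH LOGIN exchange."""
    decoded = []
    for line in lines:
        if line.startswith("334 "):              # server challenge
            decoded.append("334 " + unb64(line[4:]))
        elif line.upper() == "AUTH LOGIN" or re.match(r"\d{3}[ -]", line):
            decoded.append(line)                 # command or other reply
        else:
            decoded.append(unb64(line))          # client credential
    return decoded


if __name__ == "__main__":
    ext = parse_ehlo(EHLO_REPLY)
    print("AUTH LOGIN offered:", "LOGIN" in ext.get("AUTH", []))
    print("STARTTLS offered:", "STARTTLS" in ext)
    print("\n".join(auth_login_lines("administrator", "password")))
```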

Once we receive the authentication successful response we can test sending an email as that particular user.  This is no different than sending a test email through telnet without the authentication piece.

Send the test email
mail from:administrator@testdomain.com
250 2.1.0 Sender OK
rcpt to:user@mydomain.com
250 2.1.5 Recipient OK
data
354 Start mail input; end with <CRLF>.<CRLF>
This is a test email
.
250 2.6.0 <4b5125d60-e494-47f2-9917-7bd91e455544@SMTPServer.testdomain.local> Queued mail for delivery

There is one item that I got hung up on the first time I tried testing this.  Basically you can’t make typos.  For instance if I typed..

mail frrom:

realized that I spelled ‘from’ wrong, backspaced, spelled it correctly, and then finished the command by pressing Enter, I would receive this error.

501 5.5.4 Unrecognized parameter

That’s because it takes all of your input and assumes it’s one line.  It looks like the line is correct but all of those backspaces really didn’t do anything.  If you receive the error, type the line again and ensure that you type it correctly the first time.


Backup your IAS policies

Wednesday, 23. December 2009

Now that you have configured all of your IAS remote access policies, what happens if you want to move them to a new IAS server?  Easy!  You can use the Windows netsh command to export and import your IAS policy settings.

Export your IAS policies to a text file
C:\>netsh aaa show config > c:\<file name>.txt

Import your IAS policies
C:\>netsh exec c:\<file name>.txt

That’s it!  These are some great commands to move the policies or back them up.  It never hurts to have a backup copy.