Blog

  • Adding a Static Route Windows Server 2019

     

    On a server that is connected to multiple networks, you only have one
    Default Gateway address defined. This means any subnets that need to be
    reached by flowing through one of the other NICs – the ones that do not
    contain the Default Gateway – need to be specifically defined inside
    the routing table. Otherwise,
    Windows simply does not know how to get to those subnets and it will
    attempt to push all traffic through the Default Gateway. This traffic
    will never make its way to its destination and communications will fail.

    We are setting up a new VPN server. This server has a
    NIC plugged into the internet where remote clients will come in, and
    another NIC plugged into the internal network so that the client traffic
    can make its way to the application servers that the users need to
    access. In this scenario, the Default Gateway must be populated on the external NIC. There will be no Default Gateway address defined on the internal NIC, and without some assistance, Windows will have no idea how to properly route traffic toward the servers inside the network.

    For our example, the internal NIC is plugged into the 172.16.97.x
    network. So, what if our VPN users needed to contact a web server that
    is sitting on the 172.16.120.x network? The traffic simply fails.

    We need to define a static route in the routing table of our VPN
    server so that when VPN clients request resources inside the
    172.16.120.x network, that traffic makes its way to the destination
    network successfully.

    Traffic to 172.16.120.x has to be handed to a router on the internal
    172.16.97.x network, and the IP address of that router is 172.16.97.1. If
    we were able to configure a Default Gateway on the internal NIC of our
    VPN server, it would be set to 172.16.97.1, and all traffic would work
    without any further input. However, since our VPN server is multi-homed
    and there can only be a Default Gateway configured on the external NIC,
    we need to tell the server that it must push 172.16.120.x traffic through
    172.16.97.1 by using the internal NIC.

    The PowerShell command we would run for our example route is as follows:

    New-NetRoute -DestinationPrefix '172.16.120.0/24' -InterfaceIndex 4 -NextHop 172.16.97.1

    The equivalent route command from a Command Prompt (-p makes the route persistent across reboots) would be as follows:

    route add -p 172.16.120.0 mask 255.255.255.0 172.16.97.1 if 4

    You can verify that it was added correctly with the Get-NetRoute command.
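    The same route added and verified as a script, as an added example that is not part of the original post: it looks up the interface index from the adapter name instead of hard-coding 4, checks the next hop is actually on that NIC's subnet, and skips the add if the route already exists. The adapter alias 'Internal' and the test address 172.16.120.10 are assumptions.

```powershell
# Added example, not the post's own code. Assumes the internal NIC is named 'Internal'
# (check Get-NetAdapter on your server); the route values are the post's.
$internalNic = Get-NetAdapter -Name 'Internal'          # assumed alias
$prefix      = '172.16.120.0/24'
$nextHop     = '172.16.97.1'                             # router on the internal subnet

# Sanity check: the next hop must be on-link for the chosen NIC, otherwise Windows
# accepts the route but can never reach the gateway.
$addrs = Get-NetIPAddress -InterfaceIndex $internalNic.ifIndex -AddressFamily IPv4
if (-not ($addrs.IPAddress -like '172.16.97.*')) {
    throw "Interface '$($internalNic.Name)' is not on 172.16.97.x; pick the right NIC."
}

# New-NetRoute fails on a duplicate, so only add the route when it is not there yet.
$existing = Get-NetRoute -DestinationPrefix $prefix -ErrorAction SilentlyContinue
if (-not $existing) {
    New-NetRoute -DestinationPrefix $prefix -InterfaceIndex $internalNic.ifIndex `
                 -NextHop $nextHop -RouteMetric 1
}

# Verify: the route should list the internal NIC as its interface and 172.16.97.1 as next hop.
Get-NetRoute -DestinationPrefix $prefix |
    Select-Object DestinationPrefix, NextHop, InterfaceAlias, RouteMetric, Protocol

# Confirm the stack would really use it for a host inside that subnet (assumed address):
# Find-NetRoute prints the source IP it would use and the matching route.
Find-NetRoute -RemoteIPAddress '172.16.120.10'
```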

  • Using Telnet and Test-NetConnection to test Windows Server 2019 connectivity

     

    The ping (or Test-Connection, in PowerShell) command has always been
    very useful to Network Administrators. Ping uses ICMP echo request and
    reply messages to test reachability. The problem we are here to address
    today is that more and more networks and routers are starting to block
    ICMP traffic by default.

    We have a Server 2019 web server that has a website running. It is
    also enabled for RDP access and file sharing, but ICMP is being blocked
    by the local Windows Firewall. We are going to run some tests with a
    client machine against this server to try to determine which services
    are up and running.

    Test Server IP Address: 192.168.229.133
    Test Client IP Address: 192.168.229.128

    Step 1: Test connectivity by pinging the Server IP Address

    PS C:\Users\Ali> ping 192.168.229.133
    
    Pinging 192.168.229.133 with 32 bytes of data:
    Request timed out.
    Request timed out.
    Request timed out.
    Request timed out.
    
    Ping statistics for 192.168.229.133:
        Packets: Sent = 4, Received = 0, Lost = 4 (100% loss),

    The ping test fails.

    Step 2: Install Telnet Client at Client Machine

    Go to Control Panel | Programs | Turn Windows features on or off (or
    Server Manager, if your testing machine is a server) and choose to Add
    roles or features. We want to install the feature called Telnet Client.

    Alternative command for Windows 10 (DISM, run from an elevated prompt):

    dism /online /Enable-Feature /FeatureName:TelnetClient

    Alternative PowerShell command for Windows Server:

    Install-WindowsFeature Telnet-Client

    Step 3: Test Open Port 80

    The general format of the command is telnet <server> <port>. Even though
    we cannot ping 192.168.229.133, let's try to use telnet to open a
    connection to port 80, which is the website that we have running.

    C:\Users\Ali>telnet 192.168.229.133 80

    When we press Enter, the Command Prompt window changes to a flashing
    cursor. This is your confirmation that Telnet was able to open a
    successful connection to port 80 on the 192.168.229.133 server. Press
    Control + C to exit the Telnet session.

    Step 4: Test Open Port 3389

    Now, try using the telnet 192.168.229.133 3389 command. This also
    results in a flashing cursor, indicating that we successfully connected
    to port 3389 (RDP) on our 192.168.229.133 server.

    Step 5: Test Open Port 53

    And finally, how about telnet 192.168.229.133 53? This one results in
    a timeout, and we do not see our flashing cursor. So, it appears that
    port 53 is not responding on the 192.168.229.133 server, which makes
    sense because port 53 is commonly used by DNS, and this is a web server,
    not a DNS server. If we were to query one of our Domain Controllers
    that is also running DNS, we would be able to make a successful telnet
    connection to port 53 to one of those.

    Telnet queries work with TCP traffic, which covers most services that you
    will be polling for. Telnet has no way to connect to UDP ports, so a
    UDP-only service cannot be checked this way.

    PowerShell command to test HTTP Connection

    PS C:\Users\Ali> Test-NetConnection 192.168.229.133 -CommonTCPPort HTTP
    
    
    ComputerName     : 192.168.229.133
    RemoteAddress    : 192.168.229.133
    RemotePort       : 80
    InterfaceAlias   : Ethernet0
    SourceAddress    : 192.168.229.128
    TcpTestSucceeded : True

    PowerShell command to test RDP Connection

    PS C:\Users\Ali> Test-NetConnection 192.168.229.133 -CommonTCPPort RDP
    
    
    ComputerName     : 192.168.229.133
    RemoteAddress    : 192.168.229.133
    RemotePort       : 3389
    InterfaceAlias   : Ethernet0
    SourceAddress    : 192.168.229.128
    TcpTestSucceeded : True

    PowerShell command to test port 53 for DNS

    PS C:\Users\Ali> Test-NetConnection 192.168.229.133 -Port 53
    WARNING: TCP connect to (192.168.229.133 : 53) failed
    WARNING: Ping to 192.168.229.133 failed with status: TimedOut
    
    
    ComputerName           : 192.168.229.133
    RemoteAddress          : 192.168.229.133
    RemotePort             : 53
    InterfaceAlias         : Ethernet0
    SourceAddress          : 192.168.229.128
    PingSucceeded          : False
    PingReplyDetails (RTT) : 0 ms
    TcpTestSucceeded       : False

    Telnet and its partner, Test-NetConnection, are simple but powerful
    commands that can be run to query ports and services on your servers.
    When trying to determine whether a service is available, or when trying
    to troubleshoot some form of network connectivity problem, they are far
    more reliable than a simple ping request, because they test the actual
    TCP port the service listens on rather than ICMP.

    If you have been thinking about building a script that
    programmatically reaches out and checks against servers to report
    whether they are online or offline, consider using Test-NetConnection
    rather than ping so that you can query the individual service that the
    system is providing by using its particular port number.

  • HTTP Error 500.19 Config Error Can not read configuration file due to insufficient permissions IIS 8.0

     

    HTTP Error 500.19 – Internal Server Error

    Solution

    Grant the IIS_IUSRS group Full control on the website directory.

  • Using the pathping command to trace network traffic

     

    pathping is a Windows alternative to tracert (the Windows traceroute)
    that you can run from PowerShell or the Command Prompt. tracert shows the
    first hop as the first router that you traverse and does not tell you
    which physical NIC the packets are leaving from, whereas pathping starts
    at hop 0 with the IP address of the local NIC. It also shows packet-loss
    statistics for every hop along the path.

    pathping Example

    PS C:\Users\Ali Asad> pathping google.com
    
    Tracing route to google.com [216.58.208.238]
    over a maximum of 30 hops:
      0  Ali-PC [10.1.0.2]
      1  10.1.0.1
      2  210.56.23.97
      3  tw21-static149.tw1.com [117.20.21.149]
      4  tw255-static100.tw1.com [110.93.255.100]
      5  110.93.252.198
      6  72.14.194.14
      7  108.170.240.56
      8  209.85.240.12
      9  108.170.231.187
     10  108.170.247.1
     11  72.14.238.197
     12  par10s22-in-f238.1e100.net [216.58.208.238]
    
    Computing statistics for 300 seconds...
                Source to Here   This Node/Link
    Hop  RTT    Lost/Sent = Pct  Lost/Sent = Pct  Address
      0                                           Ali-PC [10.1.0.2]
                                    0/ 100 =  0%   |
      1    0ms     0/ 100 =  0%     0/ 100 =  0%  10.1.0.1
                                    0/ 100 =  0%   |
      2    1ms     1/ 100 =  1%     1/ 100 =  1%  210.56.23.97
                                    0/ 100 =  0%   |
      3    2ms     1/ 100 =  1%     1/ 100 =  1%  tw21-static149.tw1.com [117.20.21.149]
                                    0/ 100 =  0%   |
      4   19ms     1/ 100 =  1%     1/ 100 =  1%  tw255-static100.tw1.com [110.93.255.100]
                                    0/ 100 =  0%   |
      5   20ms     1/ 100 =  1%     1/ 100 =  1%  110.93.252.198
                                    0/ 100 =  0%   |
      6   32ms     0/ 100 =  0%     0/ 100 =  0%  72.14.194.14
                                    0/ 100 =  0%   |
      7   30ms     2/ 100 =  2%     2/ 100 =  2%  108.170.240.56
                                    0/ 100 =  0%   |
      8  ---     100/ 100 =100%   100/ 100 =100%  209.85.240.12
                                    0/ 100 =  0%   |
      9  ---     100/ 100 =100%   100/ 100 =100%  108.170.231.187
                                    0/ 100 =  0%   |
     10  ---     100/ 100 =100%   100/ 100 =100%  108.170.247.1
                                    0/ 100 =  0%   |
     11  ---     100/ 100 =100%   100/ 100 =100%  72.14.238.197
                                    0/ 100 =  0%   |
     12   32ms     0/ 100 =  0%     0/ 100 =  0%  par10s22-in-f238.1e100.net [216.58.208.238]
    
    Trace complete.

  • FTP Error: 530 User cannot log in, home directory inaccessible

     

    1. Log in to the Windows Server as an Administrator user.
    2. Open IIS [Start → Administrative Tools → Internet Information Services].
    3. Expand the Sites option in the left pane.
    4. You will see a Default FTP Site in the site list; expand this website.
    5. Now double-click the FTP Authorization Rules option in the center pane.
    6. In the right pane, click Add Allow Rule.
    7. Select the All Users option and tick the Read and Write permission check boxes.
    8. Click OK to save the changes, then restart the Microsoft FTP Service for them to take effect.


    Follow the steps below to restart the Microsoft FTP Service:

    1. Open Services [Start → Run → type services.msc and Hit Enter].
    2. Select the service named Microsoft FTP Service.
    3. Click on Restart link from the left pane option.

    Now, try again to login to the FTP account. If everything goes fine,
    then you should not receive any error while connecting to your FTP
    account.

  • Setting up NIC Teaming in Windows Server 2019 for Redundancy

     

    Teaming your network cards basically means installing two NICs onto
    the same server, plugging them both into the same network, and joining
    them together in a team. This gives you NIC redundancy in case of a
    failure, and redundancy is always a great thing!

    Steps

    1. Open Server Manager and, in the left-hand pane, click Local Server.
    2. Near the middle of the screen you will see a section marked NIC Teaming. Click the word Disabled to launch the NIC Teaming screen.
    3. Down in the ADAPTERS AND INTERFACES section, drop down the TASKS menu and click Add to New Team.
    4. Define a name for your new team and choose the two NICs that you want to be part of it.
    5. That's it! NIC1 and NIC2 are now successfully joined together in a team and will work in tandem to make sure you are still connected in the event of a failure.
    6. If you make your way to the regular Network Connections screen, where you define IP address information, you will see that you now have a new item listed beneath your physical network cards. This new item is where you define the IP address information that you want the server to use.

    You can create more than one team
    on a server! When setting up a multihomed server with two network
    connections, you could easily make use of four NICs and create two
    teams, each containing two physical network cards.
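    The same two-NIC redundancy team built from PowerShell, as an added example that is not part of the original post: it checks both adapters are up, creates the team, confirms each member is active, and puts the IP configuration on the team interface as the post describes. Adapter names NIC1 and NIC2 are the post's; the team name, IP address and gateway are constructed values.

```powershell
# Added example, not the post's own code. NIC1/NIC2 are the post's adapter names;
# 'Team1', 172.16.97.10/24 and the gateway 172.16.97.1 are constructed values.
$members = 'NIC1', 'NIC2'

# An adapter that is disconnected or disabled cannot join a team, so fail early.
$down = Get-NetAdapter -Name $members | Where-Object Status -ne 'Up'
if ($down) { throw "Adapter(s) not up: $($down.Name -join ', ')" }

# Switch-independent mode needs no LACP configuration on the switch, which matches
# the post's "plug both NICs into the same network" setup.
New-NetLbfoTeam -Name 'Team1' -TeamMembers $members `
    -TeamingMode SwitchIndependent -LoadBalancingAlgorithm Dynamic -Confirm:$false

# Verify every member reports Active; a failed cable or port shows up here.
Get-NetLbfoTeamMember -Team 'Team1' |
    Select-Object Name, AdministrativeMode, OperationalStatus

# IP settings go on the team interface (alias defaults to the team name), not on NIC1/NIC2.
New-NetIPAddress -InterfaceAlias 'Team1' -IPAddress '172.16.97.10' `
    -PrefixLength 24 -DefaultGateway '172.16.97.1'
```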

  • Mount MySQL tmpdir as tmpfs for better performance

    1. Create a directory:
       mkdir -p /var/mysqltmp
    2. Change the directory ownership to the mysql user:
       chown mysql:mysql /var/mysqltmp
    3. Get the uid and gid of the mysql user:
       id mysql
    4. Edit /etc/fstab to mount the tmpfs automatically by adding a new line (replace gid and uid with the values from step 3):
       tmpfs /var/mysqltmp tmpfs rw,gid=27,uid=27,size=2G,nr_inodes=50k,mode=0700 0 0
    5. Mount the filesystems defined in /etc/fstab:
       mount -a
    6. Edit /etc/my.cnf to change tmpdir:
       [mysqld]
       tmpdir = /var/mysqltmp
    7. Restart the mysqld service:
       service mysqld restart
    8. Check that the variable is updated in the mysql console:
       SHOW VARIABLES LIKE 'tmpdir';
  • Backup Batch file for Windows

    @echo off
    setlocal

    :: Compressing the folder (7z.exe must be on the PATH, or give its full path)
    7z a "C:\Backup.7z" "C:\Application"
    :: 7-Zip exit codes: 0 = ok, 1 = warning, 2 or higher = fatal error
    if errorlevel 2 (
        echo Compression failed, aborting.
        exit /b 1
    )

    :: Mounting the remote directory (UNC path reconstructed; the backslashes were
    :: lost when the post was published). The password sits in clear text in this
    :: file, so restrict the script's NTFS permissions to the account that runs it.
    net use x: \\192.168.0.1\dBackup /user:username password
    if errorlevel 1 (
        echo Could not map the remote share, aborting.
        exit /b 1
    )

    :: Copying the backup file to the remote directory (/Z restartable, /Y no overwrite prompt)
    copy /Z /Y "C:\Backup.7z" "x:\Backup.7z"

    :: Adding a timestamp to the copied file. Token positions assume a US-style
    :: "Day MM/DD/YYYY" date and "HH:MM" (or "HH:MM AM") time from date /t and time /t.
    For /f "tokens=2-4 delims=/ " %%a in ('date /t') do (set mydate=%%c-%%a-%%b)
    For /f "tokens=1-2 delims=: " %%a in ('time /t') do (set mytime=%%a%%b)
    rename "x:\Backup.7z" "Backup-%mydate%%mytime%.7z"

    :: Unmounting the remote directory
    net use x: /delete
    endlocal
  • How to change Windows Server Remote Desktop Port

     

    It is recommended to change the default port of the RDS service so that it is not picked up by the scans used in network attacks.

    1. Start the registry editor. (Type regedit in the Search box.)
    2. Navigate to the following registry subkey:
       HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    3. Find PortNumber.
    4. Click Edit > Modify, and then click Decimal.
    5. Type the new port number, and then click OK.
    6. Close the registry editor, and restart your computer.

     

    The next time you connect to this computer by using the Remote Desktop
    connection, you must type the new port. If you’re using a firewall, make
    sure to configure your firewall to permit connections to the new port
    number.

     

    You can check the current port by running the following PowerShell command:

    Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber"

    For example:

    PortNumber   : 3389
    PSPath       : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp
    PSParentPath : Microsoft.PowerShell.Core\Registry::HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations
    PSChildName  : RDP-Tcp
    PSDrive      : HKLM
    PSProvider   : Microsoft.PowerShell.Core\Registry

    You can also change the RDP port by running the following PowerShell
    command. In this command, we’ll specify the new RDP port as 3390.

    To set the new RDP port in the registry and open it in the firewall:

    $portvalue = 3390

    Set-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server\WinStations\RDP-Tcp' -Name "PortNumber" -Value $portvalue

    New-NetFirewallRule -DisplayName 'RDPPORTLatest-TCP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol TCP -LocalPort $portvalue
    New-NetFirewallRule -DisplayName 'RDPPORTLatest-UDP-In' -Profile 'Public' -Direction Inbound -Action Allow -Protocol UDP -LocalPort $portvalue

     

    You will need to restart RDS services for the changes to take effect or reboot the system.