If you read through the walls of web pages you will find it’s often due to the number of licenses available on the server. This was not our case at all.

The issue was somewhat more simple.
The systems we were attempting to join all had the wrong time. In our case they were off by about 15 or 20 minutes and had come from our supplier this way.
Not the greatest error description for sure!

Simple fix. Change the time on the local system to be more close with the Domain Controller(s) and then attempt to join.

One additional thing I found very handy was the ability to join the domain using a specific server. The best way I found to do this in our situation was with powershell. All systems were Windows 7.

Open powershell
Type add-computer -?

Specifically: “add-computer -DomainName gwlab.net -Credentials washburng -Server gwlab.net\DC2″

Tons of other options I recommend considering but this for sure makes pointing to a specific DC a breeze.

In GWLab we decided to use our Microsoft Domain Controllers as time servers.  The main reason for this is to ensure Active Directory logon attempts do not fail due to a time difference.

Here’s an example of how to configure a Cisco 2950 switch:

Config t
ntp server 10.1.1.203
ntp server 10.1.1.107
clock timezone EST -5
clock summer-time EDT recurring 2 Sunday March 2:00 first Sunday November 2:00

The first and second line set the ip addresses of the domain controllers to be our ntp servers.

By default time on the Cisco switch is kept in UTC format.  So the third line in this config example offsets UTC by -5 (which corresponds to EST).  Set this to the correct offset for your timezone.

We want to display time correctly during daylight savings time.  In 2007 the daylight savings time was modified.  The specifics were set that daylight savings time would begin on the 2nd Sunday in March and end the 1st Sunday in November at 2:00 am.  The fourth line in this config example displays the timezone as EDT during daylight savings time.

http://www.shop1stop.net

On the Windows 2008 Standard Core Server (2008 Core) device log in as an administrator.  At the cmd prompt enter the following command to get a list of the interface names:

“netsh interface ipv6 show interfaces”

You should get a list of interface information.  Look for the interface that is not disconnected and not name labeled with some part being loopback.  Use caution as many of the interfaces will have similar names by default.

On my system the interface name of interest was “Local Area Connection 2″ but most devices will need to be configured on “Local Area Connection”

Now that you have the interface name issue the following command:

“netsh interface ipv6 set address ‘inteface name determined above’ ‘ipv6 address’”

In my case that means: netsh interface ipv6 set address “Local Area Connection 2″ fec0:0:0:fffe::aa

Verify you now have the correct IPv6 interface settings by using the following commands:

“netsh interface ipv6 show addresses” or “netsh interface ipv6 show addresses ‘Local Area Connection 2′”

You should also be able to ping interfaces on other IPv6 enabled systems within the same network.  So for example:

ping fec0:0:0:fffe::1%1

You probably don’t need to include the %”interface number” but I’ve found it’s just a good habit to get into.

Secondary Project Goals:
Create an automated method to run a login script.
Map windows fileserver shares within a login script.

You will need an enterprise or domain admin account as well as a local mac system admin account to perform this integration.
As you are going thru the steps you will often need to unlock (the pad lock in the bottom left) many options.  Make sure to lock them back as you click apply, ok, exit, etc.

First the steps to add the Mac to active directory (as a local system admin)
1.) Open Directory Utility (Go > Utilities > Directory Utility)
2.) Click the Services tab
3.) Check the Active Directory option
4.) Click the Directory Services tab
5.) Click the (+) icon and add your domain (for me that’s gwnet.local) – you will need an enterprise or domain admin account within active directory to add the mac

Second the steps to make the login prompt more active directory friendly (as a local system admin)
1.) Open System Preferences (Apple Icon > System Preferences)
2.) Open account options (double click on accounts)
3.) Disable auto login
4.) Change “display login window as” to “name and password”
5.) Check “show input menu in login window”
6.) Uncheck “show password hint”
7.) Check “allow netowrk users to login to this computer”
8.) Uncheck “fast user switching”

Third the steps to give active directory admins administrative rights on the local pc (as a local system admin)
1.) Open Directory Utility (Go > Utilities > Directory Utility)
2.) Click the Services tab
3.) Select the active directory option (make sure you do not uncheck it – just select it)
4.) Click the little pencil icon in the bottom left
5.) Click the administrative tab
6.) Check the “Allow administration by:” and ensure “YOURDOMAIN\domain admins” is are included (for me that’s “GWNET\domain admins”) – feel free to add any other groups that need administrative access – (I also added a group named “GWNET\mac admins” where I placed the mac power users).  To add additional groups you will need your domain shortname and the name of the active directory group.  Click the (+) icon and type in groups as “YOURDOMAIN\your active directory group”.

Fourth is to create a logon script (as active directory user or local user):
I only needed to map windows shares during login but you can include pretty much whatever you need in your login script / application.
1.) Open the apple script editor (in utilities) and create a login script.  The script I use is something like this:
——–
Set strUserName to do shell script “whoami”
set strFileServer to “Fileserver”
set strMount to “smb://” & strFileServer & “/” & “sharename1″
mount volume strMount
set strMount to “smb://” & strFileServer & “/” & strUserName & “$”
mount volume strMount
——–
This script would find the currently logged on username then mount a typically named share (sharename1) in this example.  The script would then mount a specific hidden user accessible share (in this example “\\Fileserver\gw$” assuming gw was the logged on active directory user.
2.) Now save the script as an application.  Ensure you do not have leave open or run startup window enabled.  I choose to save the app in the /users directory but pretty much anywhere accessible to the users is ok.

Fifth is to set the logon script / app you made to the active directory users that will be loggin on to the mac.
1.) Log out of the local system admin account and log in as a an active directory admin.
2.) This will create a profile for the given active directory user (a desktop, documents, etc folder in the /users directory).
3.) Open System Preferences (Apple Icon > System Preferences)
4.) Double click accounts.
5.) click the user you would like to add the login script to.  Probably the user you are logged into now.
6.) click the advanced options.
7.) Click the login items tab.
8.) Click the (+) icon.
9.) Browse to the location where you saved the app / script you created (for me that’s the /users directory) and select it.
10.) Next time the user logs on they will be able to access the new shares by clicking on Go > Computer.

Project Primary Goal(s):

Allow for mapping drives without adding exceptions to an unauthenticated role.

Secondary Goal(s):

Develop method for rolling out CCA Agent using group policy or login scripts that will not impact ability to map drives.

I’m starting out with the secondary goal first in this write up.

In order to install the CCA Agent without errors on all domain machines without user intervention I had to use a msiexec command.  The reason is that if I just push the msi package thru group policy users will encounter errors when the application first installs (something about already in task bar) and then the program exits.  It may also result in the machine attempting to use log in with the machine active directory account rather than the user account (for Active Directory Single Sign-On).

‘——————————————————————-

‘CCAAgent.vbs

‘Install CCA Agent if not installed first.

‘Verify CCA Agent is running.

‘Map network drives.

Dim ADSysInfo

Dim CurrentUser

Dim strGroups

Dim wshNet

Dim fserver

Dim AllProcess

Dim Process

Dim strFoundProcess

Dim numWaits

Dim objFSO

Dim ccainstalledfile

Dim wshShell

ccainstalledfile = “c:\program files\cisco systems\clean access agent\ccaagent.exe”

strFoundProcess = False

numWaits = 0

fserver = “\\servername\homedirectory\”

Set objFSO = CreateObject(”Scripting.FileSystemObject”)

If not (objFSO.FileExists(ccainstalledfile)) then

            Set wshShell = Wscript.CreateObject (”WSCript.shell”)

            wshShell.Run “%windir%\system32\msiexec.exe /package \\domaincontroller\netlogon\ccaagent.msi /qn”

            Set wshShell = nothing

End If

Do While (strFoundProcess = False and numWaits < 20)

            Set AllProcess = getobject(”winmgmts:”)

            For Each Process In AllProcess.InstancesOf(”Win32_process”)

                        If (Instr(Ucase(Process.Name),”CCAAGENT.EXE”) = 1) Then

                                    strFoundProcess = True

                                    Exit For

                        End If

            Next

            Wscript.Sleep 30000

            numWaits = numWaits + 1

Loop

Set wshNet = CreateObject(”WScript.Network”)

Set ADSysInfo = CreateObject(”ADSystemInfo”)

Set CurrentUser = GetObject(”LDAP://” & ADSysInfo.UserName)

strGroups = LCase(Join(CurrentUser.MemberOf))

If (InStr(strGroups, “faculty”) or InStr(strGroups, “staff”)) Then

            wshNet.MapNetworkDrive “U:”, fserver & “facstaff\” & wshNet.UserName

End If

If (InStr(strGroups, “students”)) Then

            wshNet.MapNetworkDrive “U:”, fserver & “students\” & wshNet.UserName

End If

‘——————————————————————-

Project Primary Goal(s):

1.)    Create a trunk port from a switch / router connected directly to a Ubuntu 8.10 Server

2.)    Enable multiple logical network interfaces on the Ubunutu system (1 each for each vlan on the trunk

3.)  Be able to network “sniff” traffic for only a given vlan while still communicating over other vlans for mail / web / etc

4.)  Be able to run VMware guests in different vlans

5.)  No routing enabled on the Ubuntu Server

6.)  Provide static config options for restoring all networks and connections after a reboot

On the Switch (This is Cisco – See below for a Netgear config):

1.)    Enter config mode on the switch “config t”

2.)    Enter config mode for the interface we want to trunk “int gig 1/0/1” for example

3.)    On some switches / routers you will need to set the encapsulation type “switchport trunk encapsulation dot1q”
Note:  If you don’t set this explicitely (even if your switch doesn’t require it) you will not be able to get vlan headers on a full network “sniff” and you may encounter communications problems on your vmware guest systems.

4.)    Set port to trunk mode “switchport mode trunk”

5.)    Allow vlan’s of interest on the trunk “switchport trunk allowed vlan 10,172,192″

6.)    Most admins agree setting a description is worth the effort for reducing confusing in future troubleshooting – ‘description “Trunk link to Ubuntu 8.10 VMware Server”’

7.)    Get out of int config mode “exit”

8.)    Get out of config mode “exit”

9.)    Save config to memory “write mem”

On the switch (This is Netgear config – See above for a Cisco config)

1.)  Enter config mode “Configure Terminal”

2.)  Enter interface config mode “Interface 0/10″

3.)  Set participation in the vlans of interest:
      ”vlan participation include 10″
      “vlan participation include 172″
      “vlan participation include 192″

4.)  Set tagging for all vlans:
      “vlan tagging 10″
      “vlan tagging 172″
      “vlan tagging 192″

5.)    Most admins agree setting a description is worth the effort for reducing confusing in future troubleshooting – ‘description “Trunk link to Ubuntu 8.10 VMware Server”’

6.)    Get out of interface config mode “exit”

7.)    Get out of config mode “exit”

8.)    Save config to memory “save” then “y” to the confirm prompt

On the Ubuntu 8.10 Server (I’ll try to get around to writing up instructions for Fedora 10 as well – basically they are the same except the static settings and the su / sudo commands).

1.)    I prefer to just up my privs to root and leave them there while on the terminal but you might want to use sudo instead – “sudo -s -H” then enter the root password for the system

2.)    Remove any settings on eth0 – Especially do not leave eth0 as DHPC enabled (I’ll provide more info about what I decided to do in the static config section below – but if you are just looking to do something temporary just take off ip information and routing information for eth0)

3.)    Now create the logical interfaces for each vlan.
“ip link add link eth0 name vlan10 type vlan id 10”
“ip link add link eth0 name vlan172 type vlan id 172”
“ip link add link eth0 name vlan192 type vlan id 192”

5.)    If you have a dhcpserver on any of the vlans you can grab a dhcp address
“dhclient vlan10”
To release the dhcp address:
“dhclient -r vlan10”

6.)    If you want to “sniff” traffic on a given vlan set the logical interface to promiscuous mode
“ifconfig vlan172 -promisc”
“tcpdump -i vlan172″
If you want to “sniff” traffic on all vlans
“tcpdump -i eth0″

Static Settings (this section is of interest if you want to set this up perminantely – For me that’s a primary project goal)

Several modifications need to be made to the /etc/network/interface file so “vi /etc/network/interfaces”

I include an example file here:

———————————————————————————————————————-

# This file describes the network interfaces available on your system

# and how to activate them. For more information, see interfaces(5).

# The loopback network interface
auto lo
iface lo inet loopback

# The primary network interface

# I set this up in promiscuous mode for any network “sniffing” I may want to do in the future
auto eth0
iface eth0 inet manual
        up ifconfig $IFACE 0.0.0.0 up
        up ip link set $IFACE promisc on
        down ip link set $IFACE promisc off
        down ifconfig $IFACE down

# The vlan 10 network interface

# This is an example of a logical vlan interface that has connectivity to a DHCP server
iface vlan10 inet dhcp
        pre-up ip link add link eth0 name vlan10 type vlan id 10
        post-down ip link del dev vlan10
auto vlan10

# The vlan192 network interface

# This is an example of a logical vlan interface that needs static / manual ip address information

iface vlan192 inet static
        pre-up ip link add link eth0 name vlan192 type vlan id 192
        post-down ip link del dev vlan192
        address 192.168.7.8
        netmask 255.255.255.0
auto vlan192

———————————————————————————————————————-

Don’t forget to save the file “:wq!”.

Last thing is to reconfigure the VMserver environment:

1. At the root prompt type “/usr/bin/vmware-config.pl”  or at the user prompt “sudo /usr/bin/vmware-config.pl”
2. When it asks to set up various network information the ones of highest interest is the Bridged.  Ensure you choose to set a bridged network for each vlan – I chose to name mine “Bridged10″, “Bridged172″, and “Bridged192″ after the logical vlan interfaces they would operate on.
3. Go into the VMware Server web gui “https://serverip:8333” (you can do this from a remote system since you probably don’t have a graphical front end or web browser for the VMware Server) and for each guest that has been created ensure that the correct bridged network is selected.  For me that meant selecting each Linux guest and changing it’s network to “Bridged192″ and selecting each Microsoft guest and changing it’s network to “Bridged10″.

Note: I did this for VMware applications but it’s not a terrible way to configure a Linux firewall that has only 1 interface.  Just set the default route to the ip address given on each logical vlan interface.  Then enable ip forwarding on the linux system.

I tried installing VMWare ESX but apparently they have no support for the processor I have in this system

New server name was something my wife came up with. 

She thought I should call it “Casino” because it had so many slots

I liked it and it stuck.

I welcome Casino to the Lab.

These directions assume you have a running Ubuntu 8.10 64bit system.  However, I will try to include specific notes where 32bit systems would use different commands.

Duplicating the steps I took:

1.) sudo apt-get install linux-headers-`uname -r`

2.) sudo apt-get install build-essentials

3.) sudo apt-get install xinetd

4.) scp, ftp, copy from cd or whatever method works best for you to copy the vmware server installation files to your ubuntu system.  In my case I have Ubuntu 8.10 64bit Server so I scp’d “VMware-server-2.0.0-122956.x86_64.tar.gz” and “VMware-vix-1.6.0-122956.x86_64.tar.gz” to ~/vmware directory for convenience.  32bit Ubuntu systems will have a different set of vix and server install files.

5.) Set your working directory to the place you copied the vmware installation files “cd ~/vmware”

6.) Extract the installation files “tar xvfz VMware-s*.tar.gz”

7.) Set your working directory to the directory created during the extraction process in step 6 “cd v*”

8.) Run the install script “sudo ./vmware-install.pl”

9.) Accepting all the defaults works for some ppl but not for me.  You will want to pay particular attention to where you install / store your virtual machine, the ports you run the management web interface and ESPECIALLY pay attention to the vmware administrator account.  I recommend you add your username as the administrator during the install.

10.)  Enter the 20 character key you recieved from VMware download.  If you don’t have your key handy you can also go to the VMware site and view your license by going thru the download process for VMware Server.

Note:  To access the VMware manager from any network connected machine that has a route to the VMware Host you would browse to https://”yourhostname”:8333 (i.e. https://10.1.1.107:8333 or for local access https://127.0.0.1:8333)

Note2: I recommend firewalling the server and disabling non-ssl communication with the the VMware Host.

You can imagine I was not terribly please.

But the fix wasn’t bad.  It turns out one of the updates or something done as part of lab testing made my home folder not readable. 

The fix:

sudo chmod 700 /home/yourusername/

If you want other users to be able to read your home folder the fix:

sudo chmod 755 /home/yourusername/

Clonezilla had one really cool thing going for it.  It supports SSH / SCP of images.

PING was ok but I kept getting hangs when trying to connect to remote windows shares.  There were work arounds but, to me it seemed, less friendly.   It also didn’t have support for writing images via ftp (only reading) and did not seem to support SSH / SCP at all.

I tested Clonezilla Live image backups of both linux systems and windows systems with absolutely no problems.

I also added to my future projects list “set up a DRBL (Diskless Remote Boot in Linux) server.”  This will facilitate the advanced features in Clonezilla for supporting multicasting.

To get Clonezilla standalone up and running is as simple as downloading an ISO and burning a CD / USB. 

Download Clonezilla @ http://www.clonezilla.org/download/sourceforge/stable/iso-zip-files.php

Burn the ISO, boot the system you wish to image from the CD or USB you made, and follow the on screen instructions for countless easy to follow options.

Also you can boot to a root prompt (with either product) to reset passwords / accounts or fix broken files or file permissions.   Both products support partition and disk imaging.