RSS Subscription 168 Posts and 2,769 Comments

Archive for November, 2007

Forefront Security SP1 for Exchange 2007 SP1

SP1 is available for download at:
http://www.microsoft.com/downloads/details.aspx?FamilyID=2ceb14d4-404b-4d8f-8a21-ebfc71b2e82

View a list of new features at:
http://blogs.technet.com/fss/archive/2007/08/13/forefront-security-for-sharepoint-with-service-pack

Share

Exchange 2007 SP1 Officially Released

SP1 is available by download at:
http://go.microsoft.com/fwlink/?LinkId=104387

View a list of new features at:
http://go.microsoft.com/?linkid=7844544

Share

DHCP Scope vs Superscope

I wanted to provide a short description of when you would use a superscope vs scope(s) in a real-world scenario. One of my coworkers had an issue described below:

The real-world scenario that I’m running into is that a client configured a single Superscope for all 175+ address ranges they have (scattered all over the country) and there are only two DHCP servers. They are using the 50/50 scenario and configuring half of the addresses on one server and half on the other. Laptops are not able to obtain a new IP Address when going from one building to another. It keeps trying to grab an address from its original location. I’m assuming that the reason is because they have a Superscope configured and not multiple scopes, but I have yet to come across Superscopes in the field.

My explanation of superscopes vs scope(s):

In an environment where you have multiple segments segmented by a Layer 3 device, each of those segments will have a different IP Range of course. That Layer 3 device will be configured with a DHCP IP (DHCP Helper IP) that is located in a different segment. Because of this, you only need to use regular scopes, as the DHCP server will see that it was requested from a different segment.

When you have different IP ranges on the same segment, the DHCP server will return a NACK because that DHCP server’s NIC is not on that segment. One way to get around this, is by adding another NIC that contains that same IP range. So if you have 3 different IP ranges on the same physical segment, you’ll need 3 different NICs. There is a way to get around this, and that is by using a superscope.

Using a superscope, you can have multiple logical IP ranges within the same physical segment and be able to hand out IP addresses even if the DHCP’s NIC does not belong to that same IP address range. Because of this, a superscope will help transition to a new scope using a different IP range for the same single physical segment.

So for the scenario stated above, all they would need to do is have 2 physical segments (one for each building), 2 different IP ranges (1 per segment), 2 scopes on the DHCP server, and have the layer 3 device configured with a DHCP Helper IP Address. So when a client moves, boots up and requests a new DHCP IP, it will broadcast, hit the Layer 3 device, the layer 3 device would see that the DHCP is on the different segment and the DHCP would see the request is from a different IP Segment and would provide them with a new IP from the appropriate scope.

Share

Exchange 2007 Clusters and Kerberos Authentication

I encountered an issue when bringing up a cluster and enabling Kerberos Authentication. Apparently, there’s a bug where the cluster nodes won’t properly register SPNs which results in Kerberos Authentication to fail. The fix is easy thanks to KB935676:

Let’s say you have 2 nodes; node1 and node2. Run the following commands (make sure you change the Common Name of the CMS):

add-ADPermission -Identity “cn=exchange-cms,cn=computers,dc=mydomain,dc=com” -User “node1$” -AccessRights WriteProperty -Properties “Validated-SPN”

add-ADPermission -Identity “cn=exchange-cms,cn=computers,dc=mydomain,dc=com” -User “node2$” -AccessRights WriteProperty -Properties “Validated-SPN”

Share