As we have learned from Microsoft, WNLB (Windows Network Load Balancer) interfaces are connected to a Layer 2 device by default, and in unicast mode WNLB uses Mask_Source_MAC so that the L2 switch cannot learn the original source MAC addresses of the NLB hosts. In other words, on a unicast NLB the switch is unable to associate the masked MAC with a particular port, so it forwards the data to all switch ports to ensure every NLB host sees the traffic. Thus it always "floods" the L2 switch network. Most network engineers dislike switch flooding, but it is part of the WNLB strategy: to get the best throughput for the load of client requests, packets sent to the VIP/WNLB are relayed to all cluster hosts.
By Hui-Jen Shiau, Senior Technical Consultant, Taos. Recently, I was at a client site cloning some virtual machines, when I encountered some odd behavior. When I would change the IP address of the clone, the IP address would show in the network properties, but not in the VM's summary or when I typed ipconfig from […]
From a systems administrator's perspective, change management can be challenging. You are ready to resolve an issue, patch a system, or otherwise improve the state of a server, but you must first submit a change record for approval. In many cases the change record must meet particular requirements or it is rejected. Multiple parties may need to approve the change, delaying the implementation. In the meantime you are watching your server languish, and likely receiving grief from the application and service owners. You know that with a few quick keystrokes the server could be performing better, be configured more robustly, or have its redundancy improved. You are at the mercy of others, others who may not fully understand the change (or at least not as well as you).
The Internet domain name is the heart of your organization’s Internet identity. However, domain registration has become commoditized and inexpensive, so many organizations fail to adequately protect their most important Internet asset.
CloudWatch is an Amazon Web Services (AWS) service that automatically collects a wide range of performance and health data about your AWS resources. This data is available through an API, and can also be viewed as graphs on the AWS console. However, the graphs are located on separate console pages for each type of resource (e.g. EC2, RDS, load balancers). The dispersed locations make it impossible to have a single dashboard view of multiple AWS resources.
Authority information access (AIA) locations must be included in the extensions of issued certificates
Issue: This certification authority (CA) is not configured to include authority information access locations in the extensions of issued certificates. The authority information access extension provides the network location of the issuing CA’s certificate.
Impact: Clients may not be able to locate the issuing CA’s certificate to build a certificate chain, and certificate validation may fail. Certificate validation is critical to a correctly functioning PKI. A certification path that leads to a trusted root certificate is a requirement for a valid certificate. To build a certification path, the issuing CA’s certificate is retrieved by CryptoAPI, which reads the authority information access extension of issued certificates to identify the network location of the CA’s certificate. If the extension does not include the location of the CA certificate, then certificate validation cannot be completed and applications that require the certificate might fail.
The DNS (Domain Name System) is one of the most critical protocols in use on the Internet. Virtually every end-user transaction involves a DNS query. Every email, text message, and web page viewed requires interaction with a DNS server. With such a critical service, it is no surprise that it has increasingly become a target of attack since its inception in 1983. There are multiple ways the DNS can be attacked. The current implementations of DNS are inherently insecure and prone to attack using various methods, including cache poisoning, man-in-the-middle attacks, DDoS (Distributed Denial of Service) amplification attacks, or simply hijacking the registrar account and changing the authoritative DNS servers to ones of the attacker's choosing, among others.
Over the past decade most companies have come to accept ongoing security evaluations as a cost of doing business. Companies take pride in the careful evaluation of vendor products and processes done to limit risk. However, the last two months of revelations have shown us that this straightforward approach is no longer enough.
Revelations in 2012 that Google, Microsoft, and other cloud business vendors were providing customer data to the U.S. government's PRISM program without a warrant [1] woke many up to the risks inherent in cloud storage. However, the last few months haven't been easy reading for companies who avoid cloud storage either.
Speaking of the performance of GPOs, is it better to have fewer and bigger GPOs, or many and smaller GPOs in the AD domain? There is no right answer, but you may have one after reading the interaction described below.
Why doesn't my server boot as fast as my iPad? I like my iPad mini not just because I can take it anywhere, but because I don't have to wait very long for it to boot. A simple test revealed that my iPad mini boots in about 30 seconds. If the iPad is in a sleep state, which is essentially a power-save mode, then with one press of the button it's awake and ready for use. Most servers also have a sleep mode, also known as a power-save mode, but it's usually disabled, as it has been known to cause problems in production environments. In general, a server needs to be readily available 100% of the time.