This article gives helpful hints on how to successfully interoperate Windows Server with Mac clients. Areas covered are:

• Accessing Windows File Server from Macintosh
• Using Windows DHCP Server with Macintosh clients
• Using Windows DNS with Macintosh clients
• Additional tips for Macintosh (How to Ping, NSLOOKUP, etc)

Background

Many organizations such mainly media and advertising agencies have a mixed environment containing Windows and Macintosh machines. This article explains some of common tasks required when operating Macintosh clients in a Windows Server environment.

Making Windows file shares accessible to Macintosh users

Step 1. Configure the Windows file server

1. Create the folder on the file server

1. Right-click My Computer, choose Manage.

1. On the left pane, expand System Tools > Shared Folders

1. Right Click Shared Folders choose Configure File Server for Macintosh.

1. On the Configuration tab, under Security, select “Apple ClearText or Microsoft” under Authentication.
   

1. If you would like to allow Macs to save the password, put a check mark next to Allow workstations to save password.

1. You can also specify a logon message for connected Mac users if required.

1. On the left pane, expand System Tools > Shared Folders > Shares

1. Right Click on Shares and choose New > Share.

1. Click Next on the welcome screen.

   

1. Put a check mark next to Apple Macintosh users. Click Next.

1. On the next screen, choose Use custom share and folder permissions and click Customize.

   

1. Click on the security tab and add users whom you want to give access.

1. For read-only access Allow only Read & Execute, List folder contents, Read privileges. For full access, click Modify and Write also.

   

1. Click Next and then click Close.

   

16. In Computer Management, see that a new MACINTOSH share for your folder has been created. Right click the MACINTOSH share for your folder and select Properties.

17. Under SFM Volume Security, Remove the check mark next to This Volume is read-only.

1. Click OK.

Step 2. Configure the Macintosh client

1. Goto Apple > Chooser

1. Click AppleShare. Click Server IP Address.

1. Enter IP address of file server.

1. Click Connect.

1. Choose Registered user and enter domain username and password. Click Connect.

1. Select the folder that you shared on the file server and click Connect. You can also save the password to keychain before clicking connect.

1. The icon for the shared location will appear on the desktop.

Enabling Macintosh clients to use Windows DHCP (Mac OS X)

1. Go to Apple > Control Panel > TCP/IP

1. Select obtain IP addresses through DHCP

1. Close the window. Click Save when prompted.

Enabling Macintosh clients to use Windows DHCP (Mac OS 10.x/TIGER)

1. Go to Apple > Control Panel > Networks

1. Select the Network interface connected to the LAN

1. Select TCP/IP.

1. Choose DHCP.

Enabling Macintosh clients to use Windows DNS

1. Go to Apple > Control Panel > TCP/IP (for Mac OS 10.x, choose Networks > TCP/IP)

1. Under Name Servers, specify your DNS Server IP address.

1. You can also specify your domain name suffix under Search Domains.

1. On your Windows DNS Server, allow both secure & non-secure updates.

Additional Tips

• For Mac OS 10.x, you can use “ping” command (without quotes) from the Terminal. (Go > Applications > Terminal)

• For Mac OS 10.x, you can use the “dig” (without quotes) to see the name servers that are being used. In the last four lines of the output, you will see the IP address of the primary DNS server mentioned on a line starting with the word SERVER

SERVER:192.168.2.10#53

• For Mac OS 9.x, you can do a ping, NSLOOKUP, etc by using a free tool called OT Tools, available for download from http://mac.softpedia.com/get/Math-Scientific/OTTool.shtml

This article explains how you can enable Remote Desktop on a server that you do not have physical access to.

You’ve built new servers, updated them with the latest service pack, and even run Windows Update. Proud of the good job you done, you move upstairs to the comfort of your office to do the rest of the installation, away from the freezing server room. And then you suddenly realize that you did not enable Remote Desktop connections on your new server. Aw, now you need to go back all the way to your data center to enable RDP. The situation is even worse if you pre-configured the server without enabling RDP and shipped it to your branch location in Timbuktu!

Well, here’s the good news. You can actually enable remote desktop remotely. All you need to do is open up the registry of that server remotely, and make some changes and then initiate a remote restart of the server. Well, that’s the only downside – you normally don’t need a restart if you enable it physically.
1. On your Windows workstation, open Registry Editor (Start –> Run –> Regedit.exe –> OK)
2. On the File menu, choose Connect Network Registry.

3. Select the name of the computer that you want to enable RDP on. Make sure the logged in user has administrator rights on the remote server.

4. On the remote computer, Navigate to the key HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server. Find a value named fDenyTSConnection and change it to 0 (zero).

5. Restart the remote computer by typing the following command in the Command prompt of your workstation.

shutdown -m \\myserver -r

where ‘myserver’ is the name of your server.

6. Wait for the server to restart and connect to it using Remote Desktop Connection (MSTSC) from your Windows PC.

Recently, I noticed that many of the computers running Windows Server 2003 SP2 had the Server service in the stopped state. When I tried to manually start the service I got an Access Denied error. A restart of the server didn’t help.

The Server service is critical because file sharing depends on it. If the service is stopped, shared folders and administrative shares on the server cannot be accessed. This is especially critical on file servers, and on domain controllers for replication/access to SYSVOL folder for group policies.

The problem got resolved when I installed all the latest updates from Microsoft Update and restarted the machine. This is a security vulnerability listed in the security bulletin MS08-067 released by Microsoft this Sunday.

Sometimes you cannot delete or rename a file that is currently in use. You might receive an access violation error, or simply a message telling you that your action could not be completed because the file is open in another program.

You may have already come across the Unlocker freeware tool that lets you "unlock" files that are in use by some application.

Here is another way (let’s call it the ‘techie’ way) to unlock files that are in use. It makes use of the Process Explorer tool from Windows SysInternals.

• Download the Process Explorer tool. Execute procexp.exe
• Choose Find > Find Handle or DLL option

• Type the name of the file you want to unlock and hit Search.

• The process EXE locking the file and the path to the file are listed. Double click on the result.

• The file handle will be highlighted. Right-click on it and choose Close Handle.

Your file is now unlocked and can now be deleted, moved or renamed.

A little disclaimer here, closing handles might cause data inconsistency, loss and/or other undesirable effects. Make sure you understand what you’re doing before you do it.

Your enterprise root CA is an important piece of your enterprise network. Especially if you issue a lot of certificates for a wide variety of purposes to your users.

It’s been some time since I’ve written new articles on shijaz.com

I have added two new articles on Remote Desktop:

• How to enable Remote Desktop “remotely”
  Discusses how to enable Remote Desktop on a machine that you do not have physical access to. Needs administrator privileges (of course!)
• How to enable Remote Desktop on Windows Server 2008 Server Core
  Discusses how to enable Remote Desktop on Windows Server 2008 Server Core, the installation mode in which there is no GUI!

If you have already have ISA Server 2006 Enterprise Edition installed and you are trying to installing ISA Server on another server and configuring it as a replica of the Configuration store, you may get the following error on Windows Server 2003 R2:

Setup then exits and you are unable to complete the installation. This usually happens if there was a previous failed installation from the machine that you’re trying to join to the array. You will need to cleanup the values related to the server you’re installing from the ADAM installed on your first configuration store, which stores config information for the array.

A simple solution to this is to ensure that both nodes are running Windows Server 2003 R2 and then edit the ADAM to remove the orphaned server on which installation is failing:

1. Open \Windows\ADAM\ADAM-ADSIEDIT.msc on the existing ISA Config Storage server.
2. Navigate to CN=Configuration, CN=Sites, CN=Default-First-Site-Name,CN=Servers.
3. Delete the server on which you have the installation problem.

Re-run the installation, it should succeed now.

I installed Windows Server 2003 Service Pack 2 on a client’s Exchange Server 2003 cluster on Thursday night (Yeah, I hear you – what a way to spend a weekend!). Everything went well, installation completed, rebooted and everything was happy and kicking.

…until on Friday morning when the Exchange HTTP Virtual Server Instance failed. Since this resource was configured to ‘affect the group’, the failure forced a failover of the whole Exchange cluster group to the passive node.

Within no time, Exchange HTTP Virtual Server Instance failed again, this time on the passive node! Someone press the Panic button!! The initial understanding of the situation was clear – Installation of Windows Server 2003 Service Pack 2 brought the mighty Exchange cluster to its knees.

I rebooted both nodes and normal operation ensued. But after a couple of hours it happened again. In the event logs, I could see things like:

Event Type: Warning
Event Source: MSExchangeIS Mailbox Store
Event Category: General
Event ID: 1115
Description:
Error 0xfffffbbe returned from closing database table, called from function JTAB_BASE::EcCloseTable on table DeletedFolders. For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: MSExchangeCluster
Event Category: Services
Event ID: 1005
Description: Exchange HTTP Virtual Server Instance 100 (servername): The IsAlive check for this resource failed. For more information, click http://www.microsoft.com/contentredirect.asp.

Event Type: Error
Event Source: Srv
Event Category: None
Event ID: 2019
Description: The server was unable to allocate from the system nonpaged pool because the pool was empty. For more information, see Help and Support Center at http://go.microsoft.com/fwlink/events.asp.

I couldn’t find much on these errors on the Internet, and this is the reason for this post. Here’s what the problem is.

My client is running Windows Server 2003 on a 32 bit server. 32-bit versions of Windows, as we all know, support a maximum of 4 GB RAM. By default, Windows slices the total memory right down the middle: 2 GB is reserved for the OS and 2 GB for the applications. Out of the 2 GB reserved for the OS, 256 MB is reserved for non-paged pool memory.

My client is using the /3GB switch, which forces Windows to limit itself to 1 GB RAM and let the applications use 3 GB. But this causes the non-paged pool memory reservation to be reduced to 128MB instead of 256MB.

Now, 128 MB is a tight little space. IIS uses non paged pool memory for processing requests. On Windows Server 2003 and Windows Vista, IIS stops processing requests once the available non-paged pool memory goes below 20 MB. Event 2019 is evidence for that.

Of course you know, Exchange relies heavily on IIS. So that explains why the Exchange HTTP Virtual Server resource went down! But wait – what’s hogging up the non-paged pool memory? And how do we fix this?

That’s when Microsoft sent in their Poolmon utility, that grabs information on whats in there. The culprit? – Broadcom’s NetXtreme II network card driver! It was incompatible with scalable networking features bundled with Windows Server 2003 SP2 (and the Windows Scalable Networking Pack) and caused a memory leak! I disabled the TCP Chimney with the following command:

Netsh int ip set chimney DISABLED

I also disabled the registry key HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\Tcpip\Parameters\EnableTCPA registry value setting by it to zero on both nodes and other steps mentioned in KB936594. That was all it took to solve the problem!

See my earlier related post: Delayed Logins: Change Password feature in ISA 2006

Q. What is Network Load Balancing?
NLB is a distributed algorithm used to load balance network traffic across a number of hosts.

Q. What is a Cluster?
A cluster is a group of independent computers that work together to run a common set of applications and provide the image of a single system to the client and application.

Q. What are the differences between NLB Clusters and Server Clusters?
Server Cluster is a collection of servers that together provide a single, highly available platform for hosting applications.

NLB Clusters dynamically distribute the flow of incoming TCP and UDP traffic among the cluster nodes according to a set of traffic-handling rules. NLB usually functions at the network level and have little to do with the actual application. There is no shared disk requirement.

Q. Can I Use NLB and Server Clusters on the same set of servers?
No. NLB and Server Clusters CANNOT be used on the same set of servers.

Q. How large can my NLB cluster be?
A single NLB cluster supports up to 32 hosts.

Q. Are there any performance concerns as my cluster grows?
Yes. NLB performance begins to decrease from the linear as the cluster grows beyond 20-25 nodes.

Q. How can I get around the 32-node limit on NLB?
NLB can be used to scale beyond 32 machines by using Round Robin DNS between multiple NLB Clusters.

For example, if virtual IP 1 (VIP1) has 32-nodes behind it, and VIP2 has another 32 nodes behind it, you can load balance between VIP1 and VIP2 using Round Robin DNS, hence having 64 nodes in NLB. The same analogy can be scaled to very large number of nodes. (Although I don’t see a reason why you would need so many nodes operating in tandem).

Q. How Does NLB Detect a Server Failure?
NLB Cluster host emits “heartbeats” to the other hosts in the cluster. If a host fails and stops emitting heartbeats, then after a default time period of 5 seconds, the remaining hosts in the cluster undergo a process called convergence to remove the failed host from the cluster and have new client connection requests mapped to remaining hosts in the cluster.

Q. How long does it take for a failed Server to be removed from the cluster?
5 seconds are required to detect a failed host it is default time.
2 to 3 seconds to remove the failed host and redistribute its load to the alive hosts.

Q. Do the heartbeat packets consume a lot of bandwidth?
No. Heartbeat packets are emitted every second by each host and consume less than 1,500 bytes

Q. Is NLB a kernel component?
Yes. NLB has a Windows kernel component called WLBS.SYS. (WLBS = Windows Load Balancing Services)

Q. What are the benefits of NLB over simple Round Robin Domain Name Service (RRDNS)?
In Windows NLB, automatic recovery occurs within 5 seconds
The load balancing is more even in the case of Windows NLB, when compared to Round Robin DNS.

Q. How Does NLB Cluster Convergence Work?
Convergence involves computing a new cluster membership list and recalculating the statistical mapping of client requests to the cluster hosts. There are two instances in which cluster traffic has to be remapped due to a change in cluster membership:
1. when a host Leaves the Cluster, and
2. when a host Joins the Cluster.

Q. Can NLB Balance Load Based on CPU/Memory Usage?
No. NLB does not respond to changes in the server load such as CPU usage or MEMORY utilization or the HEALTH of an APPLICATION. NLB has nothing to do with the application itself. It merely balances evenly the network traffic among a number of nodes based on some port rules. If your NLB nodes are of different hardware configurations, you may face problems when requests are sent to the slower node, because NLB has no way of finding out which node is slow, it just evenly distributes traffic. period.

Q. Will I get more even Load Balancing if most clients connect to the NLB Cluster through a proxy?
If the cluster is configured in No Affinity mode, NLB will use both the Source IP Address and the Source Port to achieve the load balancing, and so load will be distributed amongst all of the hosts.

Q. What is the basic difference between Multicast and Unicast Modes of operation?
Unicast:
There is no inter-host communication possible between the hosts configured in Unicast mode with 1 NIC.
Multicast:
Allows inter-host communication between the hosts configured in Multicast mode with 1 NIC.

Q. How do I Reduce Switch Flooding Caused by Network Load Balancing?
Hosts can be homed to their own LAN or Virtual LAN. It will work for both Unicast or Multicast modes.

Q. Does NLB require two Network Cards per host?
No.

Q. How do I configure layer 2 switches to work with Windows NLB?
Make sure that the switch does not associate the cluster MAC address with a particular switch port!

Q. How Do I Configure Layer 3 Switches to work with Windows NLB?
Layer 3 switches need to be specially configured to work with NLB. A VLAN must be established for the hosts in the cluster, and this VLAN must be configured to operate in Layer 2 mode.

Q. How Do I Remove the Switch as a Single Point-of-Failure?
Create a subnet that spans two switches and connect half of the NLB cluster nodes to each switch. In this case, if one switch fails, you only lose half of your nodes from participating in the NLB. Alternatively, you can have other failover arrangements on your core switch.

Q. I Have two Network Adapters on each server in my NLB Cluster. How do I ensure that all outbound traffic goes through non-load-balanced network adapters?
Simply set the metric on the cluster NIC to a higher value than the non-cluster NIC.

Q. Can I Have Part of the Cluster Operate in Multicast Mode and the Other in Unicast Mode?
No. The entire cluster MUST be in one operational mode.

Q. Does NLB Support Multiple Virtual IP Addresses?
Yes. NLB supports multiple, virtual IP addresses.

Q. Is it possible to specify different port rules for different virtual IP addresses (VIPs) on the same set of hosts?
Windows Server 2003 supports specifying different port rules for different virtual IPs. However, this is not supported on Windows 2000 NLB.

Q. Is it possible to mix Windows NT 4.0 WLBS, Windows 2000 WLBS and Windows Server 2003 in the same cluster?
Yes. Mixing is supported.

Q. Is it possible to Bind NLB to multiple interfaces?
Yes. This is supported in Windows Server 2003 only.

Q. Can I have two NLB clusters on the same subnet?
Yes. In a switched environment.

Q. We Need to span a cluster, where nodes are distributed across buildings. Can we use NLB to load-balance them?
Yes. As long as the hosts are part of the same subnet.

Q. How can I keep a record of NLB Manager activities?
Configure Network Load Balancing Manager to log each event.

Q. Can I manage an NLB Cluster remotely using WLBS.EXE?
Yes, but this is generally not recommended.

Q. How do I deal with Denial of Service (DOS) attacks on my NLB Cluster?
NLB utilizes the TCP/IP Denial of Service attack protection.

Q. How Do I secure my NLB Cluster?
NLB assumes that the
LAN to which it is homed is trusted. There are no security features to configure on the NLB itself. Administrators should secure the network itself using firewalls, intrusion prevention systems, etc.

Q. How do I configure my cluster to handle load non-uniformly?
To configure a host to handle more or less than an equal share of the load, edit the port rule to clear the “Equal” load weight check box and enter a load weight number between 1 and 100.

Q. How Does Single Affinity Mode Differ From No Affinity Mode? Which One Should I Use to Load Balance My Application?
Single Affinity mode:
NLB load balances traffic based only on the Source IP Address of the incoming connection. Single Affinity mode ensures that all TCP connections originating from the same client (IP Address) are sent to the same host in the cluster.

No Affinity mode:
NLB load balances traffic is based on Source IP Address and Source Port of the incoming connection request. In No Affinity mode, multiple connections from the same client may be handled by different hosts in the cluster as long as these connections have different source ports.

Q. If my clients use SSL to connect to my web servers, can I still use NLB to load balance these web servers?
Yes, for efficiency reasons configure the port rule in Single Affinity mode.

Q. I have multiple web servers on my NLB. How do I make sure that the website content is exactly the same on all nodes so that all users get the same version of the page?
NLB has nothing to do with your application/web site. It merely distributes requests evenly between the nodes. The synchronization/replication of content/data evenly between the two nodes has to be done manually or by using another solution.

Q. Can I use NLB to load balance my database server?
No, for database servers like Microsoft SQL Server, use Server Clusters/Microsoft Cluster Service instead. You can, however, use NLB on your front end application web servers and have them connect to the Server Cluster on your database servers. See image below.

Q. Can NLB be used for Load Balancing Terminal Server Clusters?
Yes.

Q. While Load Balancing Terminal Server Clusters, how can I ensure that a disconnected user always re-connects to the same terminal server node?
WLBS/NLB relies on the client’s IP address to determine which Terminal Server services a client. If you configure WLBS/NLB to use Affinity, the IP address used by the client is serviced by the same Terminal Server as long as you do not change the Terminal Server cluster.

If you need disconnected clients to connect to the same Terminal Server to recover from a ‘disconnected’ session, the client computers need to use static IP addresses and WLBS/NLB must be configured to use Single Affinity. Note that IP addresses obtained from DHCP servers on the LAN or through your ISP may change, as well as roaming users’ IP addresses. See KB243523.

Q. Does NLB Support WINS Resolution?
No. WINS names should not be automatically registered for the IP addresses configured on the NLB interface. The IP can be mapped statically in WINS.

Q. Can I Use L2TP/IPSec on a NLB Cluster?
Yes, in Windows Server 2003 NLB supports both PPTP and L2TP VPN sessions.

Q. Can I Use Kerberos with Applications Load-Balanced by NLB?
Yes.

Q. Can I Use NLB with Host Header Names?
Yes.

Q. Can I Load-Balance NetBIOS Traffic?
Yes, it is possible, though not recommended for File and Print Services.

See also: How to use Windows NLB to load balance web servers