Monthly Archives: November 2007

listing cards in a cisco catalyst 6500 / 6509

this took far too long to find, longer than a walk to the data center. I’ve removed the serial numbers to protect the innocent. I just wanted to list card models without reading them off the card.

sw01#show inventory
NAME: "WS-C6509", DESCR: "Cisco Systems Catalyst 6500 9-slot Chassis System"
PID: WS-C6509 , VID: , SN: xxxxxxxxxxx
NAME: "5", DESCR: "WS-X6148-GE-TX 48 port 10/100/1000mb EtherModule Rev. 6.1"

I removed a bunch of lines there. I was trying to figure out why “switchport trunk encapsulation dot1q” wasn’t an option (there was no encapsulation option) on this card.

Finally found on Page 11 of this that these cards don’t support ISL, so they default to 802.1q:

WS-X6502-10GE
WS-X6548-GE-TX, WS-X6548V-GE-TX, WS-X6548-GE-45AF
WS-X6148-GE-TX, WS-X6148V-GE-TX, WS-X6148-GE-45AF

Which was important because I was seeing traffic on the host that didn’t appear tagged, and 802.1q doesn’t tag the native vlan (vlan 1) by default. Of course I have no idea what ISL traffic would look like in a tcpdump, probably thrown away as garbage, but who knows, better to see and know than to guess.

testing exchange ssl/tls smtp auth with openssl

I like seeing things happening. If you’ve never tested SMTP by sending a test message by hand with HELO/MAIL/RCPT/DATA, you really should give it a shot. You can use mailsend or such to do this testing somewhat by hand, but when things fail I find it easier to see it directly.

‘EHLO domain’ via smtp should list what AUTH options are available when testing SMTP AUTH (which lets you use authentication to allow relaying). Sometimes this list is different when you’re over SSL (‘250-AUTH GSSAPI NTLM LOGIN’) than when you’re not (‘250-AUTH GSSAPI NTLM’), for good reason: some of the AUTH mechanisms send the credentials unencrypted, or merely obfuscated (read: base64), so the server only offers them once the session is encrypted.

openssl s_client has built in functionality for testing smtp:

openssl s_client -starttls smtp -crlf -connect 1.2.3.4:25

But when connecting to an exchange server, it just hangs at CONNECTED. Trying again with the ‘-debug’ flag shows why:

write to 080B01E8 [BFFFED30] (10 bytes => 10 (0xA))
0000 - 53 54 41 52 54 54 4c 53-0d 0a STARTTLS..
read from 080B01E8 [080AA400] (8192 bytes => 28 (0x1C))
0000 - 35 30 33 20 35 2e 35 2e-32 20 53 65 6e 64 20 68 503 5.5.2 Send h
0010 - 65 6c 6c 6f 20 66 69 72-73 74 0d 0a ello first..

There’s chatter and bugs (1,2) about this out there.

My openssl versions are ancient (such as OpenSSL 0.9.7a Feb 19 2003 (‘openssl version’)), so nobody else will likely have this problem anymore because they added code in ‘openssl-0.9.8e/apps/s_client.c’ to send an ‘EHLO openssl.client.net’ before starttls. On second thought, ubuntu feisty is still on 0.9.8c, so mebbe you will.

Once connected, you can try authing. If you’re using AUTH PLAIN, which I have no idea if exchange supports but others do, you’ll want to encode your username and password with base64 something like this (thanks crash), I think:

printf "\0username\0password" | openssl enc -a

Then send this in the smtp session with ‘AUTH PLAIN base64’ where base64 is whatever you get out of openssl. It’s worth noting that you’ll get different results if you use “echo -n” instead of printf. crash says to use ‘echo -ne’ to get escape characters working right. YMMV.

Testing ‘AUTH LOGIN’ is similar. Send ‘AUTH LOGIN’ and you’ll get back ‘334 VXNlcm5hbWU6’ which says ‘334 Username:’ when you decode the crap with base64 with ‘printf VXNlcm5hbWU6 | openssl enc -a -d’. Encode your username with ‘printf “username” | openssl enc -a’ and paste this back to the server. You’ll get a ‘334 UGFzc3dvcmQ6’ response which again is ‘334 Password:’. Send your password back in the same manner, base64 encoded (not encrypted, heh. that’s what the ssl is for).

If all works you’ll get something such as ‘235 2.7.0 Authentication successful’ in response. Remember that sometimes throwing -debug on the end of openssl gives you more information. Now try your MAIL/RCPT/DATA shit and make sure you can still relay.
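As an added example (not from the original post), the whole exchange above in code: the base64 tokens for AUTH PLAIN and AUTH LOGIN, the ‘334’ challenge decoder, and a constructed scripted server that answers the way the post describes Exchange answering (503 if STARTTLS comes before EHLO, LOGIN only advertised after STARTTLS). The credential ‘username’/‘password’ and the server class are assumptions for the demo.

```python
import base64

def auth_plain_token(username, password, authzid=""):
    # SASL PLAIN initial response: authzid NUL authcid NUL password, base64'd,
    # i.e. what printf "\0username\0password" | openssl enc -a produces.
    raw = b"\0".join(s.encode("utf-8") for s in (authzid, username, password))
    return base64.b64encode(raw).decode("ascii")

def auth_login_responses(username, password):
    # AUTH LOGIN sends username and password as two separate base64 lines.
    return [base64.b64encode(s.encode("utf-8")).decode("ascii") for s in (username, password)]

def decode_challenge(line):
    # Turn a '334 <base64>' challenge into the server's cleartext prompt.
    code, _, payload = line.strip().partition(" ")
    if code != "334":
        raise ValueError("not a SASL challenge: %r" % line)
    return base64.b64decode(payload).decode("utf-8")

class ScriptedServer:
    """Constructed stand-in that replies the way the post describes Exchange replying."""
    USER, PASS = "username", "password"   # the only (constructed) credential it accepts

    def __init__(self):
        self.greeted = self.tls = False
        self.pending = None        # "user" or "pass" while an AUTH LOGIN is in progress
        self.login_user = None

    def reply(self, line):
        line = line.strip()
        if self.pending == "user":             # client answered the Username: prompt
            self.login_user = base64.b64decode(line).decode("utf-8")
            self.pending = "pass"
            return "334 UGFzc3dvcmQ6"           # "Password:"
        if self.pending == "pass":             # client answered the Password: prompt
            self.pending = None
            ok = self.login_user == self.USER and base64.b64decode(line).decode("utf-8") == self.PASS
            return self._verdict(ok)
        verb, _, arg = line.partition(" ")
        verb = verb.upper()
        if verb == "EHLO":
            self.greeted = True                # LOGIN is only offered once the session is encrypted
            return "250-AUTH GSSAPI NTLM LOGIN" if self.tls else "250-AUTH GSSAPI NTLM"
        if verb == "STARTTLS":
            if not self.greeted:               # the failure the old s_client hit
                return "503 5.5.2 Send hello first"
            self.tls = True
            return "220 2.0.0 SMTP server ready"
        if verb == "AUTH" and self.tls:        # AUTH before STARTTLS falls through to 500
            mech, _, initial = arg.partition(" ")
            if mech.upper() == "LOGIN":
                self.pending = "user"
                return "334 VXNlcm5hbWU6"       # "Username:"
            if mech.upper() == "PLAIN":
                parts = base64.b64decode(initial).split(b"\0")
                return self._verdict(parts[-2:] == [self.USER.encode(), self.PASS.encode()])
        return "500 5.5.1 Command unrecognized"

    def _verdict(self, ok):
        return "235 2.7.0 Authentication successful" if ok else "535 5.7.3 Authentication unsuccessful"
```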

I’d love to provide a way to test NTLM, but it appears, no surprise, to not be that popular. Exchange 2007 will support LOGIN. Open EMC. Server Configuration -> Hub Transport (Or Edge Transport on an edge server). Under Receive Connectors right click and go to properties for the connector. On the Authentication tab make sure “Basic Authentication” is checked, and also check the box under it that only offers Basic Authentication after STARTTLS, so the base64-encoded credentials only ever cross the wire inside TLS.

message tracking in exchange 2007: access is denied

References start here.

You can enable or disable message tracking by using the Exchange Management Console only in Exchange 2007 SP1

Like public folders, Microsoft chose to just leave message tracking out of the GUI.

By default, message tracking is enabled on all Exchange 2007 computers that have the Hub Transport, Mailbox, or Edge Transport server roles installed.

While using the Exchange Troubleshooting Assistant, which I found through the EMC to try to do Message Tracking (damn wizards) I keep getting “The error message is:Access is denied”.

I didn’t set up this Exchange 2007 install, so it’s been fun poking around it. As it turns out, the default permissions groups were redesigned since 2003. Check out this, part 1 and part 2. “Exchange Organization Administrators” is Exchange Root now, or ‘Exchange Full Administrator’ if you prefer actual terms. Through some twist of fate (group stacking a few deep) I was in ‘Exchange View-Only Administrators’. You’d think searching the message tracking logs would fall under ‘view-only’. I guess not.

I went and added ‘Domain Admins’ to ‘Exchange Organization Administrators’. Some day when we have a full time exchange dude… hehe, I’ll change this I guess. Logged out and logged back in and the message tracking works now for me.

It’s interesting to note that it seems like the back end is much better. You don’t have to select a server or anything and there are many more new search options, so kudos to the search options.

I also spent a while searching trying to remember how to do the equivalent of ‘gpresult’ to see what groups I was in. Lots of info out there with old NT commands to distract but I guessed at ‘whoami’ and found that ‘whoami /groups’ will tell you what groups you’re in. This was useful, no doubt.

toying with java/jvm memory/heap usage

Somehow, wherever I end up working in Seattle there are internal java projects fscking around with memory. At Haydrian I had a problem where a developer said that his code ran particularly slow on our company hardware compared to his, and therefore our hardware sucked and we were stupid. Basically anyways. The sarcasm helps the frustration.

It was java code, and I spent a bunch of time learning about how java “magically” handles memory for you. It’s great that developers don’t have to worry about memory anymore, I guess. Unfortunately the trade off is that they sometimes tend to use TONS of it, and then there are two solutions: 1) throw memory at their boxes (doesn’t scale) or 2) learn what’s going on and call them on it.

Being of the type that doesn’t like not knowing what’s going on, I started learning about Garbage Collection. I’m still waking up this morning for some reason, so I’m writing this from memory rather than making a real stab at it because I should be doing other work, but I’m waiting for my concentration to improve. Besides, documentation should always be written when you’re not concentrating, that way you leave in little mistakes to totally confuse the reader.

That link goes to the big overview on the whole shebang. Basically java takes a bunch of memory, splits it up into different areas and moves data between these areas based on age, throwing it away if it’s not being used anymore. This is called Garbage Collection. Exactly what methodology is used by default has changed over releases (too often). However, when GC runs aren’t getting enough memory back a “Full GC” is run, which most importantly stops code from running while it shifts the code’s data around. If this doesn’t get enough memory, things blow up and java pukes altogether complaining about being out of heap.

Find your jvm installation ( /usr/local/java ?) and in the bin folder there are a bunch of useful tools. I like ‘jps -l’ to list the jvms, which gives you their PID which is how you tell them apart. Then ‘jmap -heap PID’ will show you how the heap is split up. This is worth doing once just to see it, I think it makes more sense than a lot of the documentation out there and it’s definitely solidified what I’ve read over the last couple of years. There’s also, I think, ‘jstat -gccause’ which shows a vmstat like output of what’s going on in the different areas (the man page should explain the columns) including what caused the last GC run, which keeping in mind can be hard coded in by the developer.

In testing, you can do things like adding “-verbose:GC” and “-XX:+PrintGCDetails” which makes java let you know (to stdout or stderr or whatnot) whenever a GC or Full GC is run and how long it took (this is important) and the latter adds more information such as what GC method was used, the memory in the different areas before and after the GC (so you can tell what area caused the GC run), etc.

When trying to fix problems, always start by paying attention to what -Xms and -Xmx are set to. These control the heap size by default and a lot of java programmers seem to have learned that setting -Xmx as high as possible makes them not have to deal with this shit. -Xmx is the max heap size and -Xms is the starting heap size. Java controls the heap size as needed, but if you spend a lot of time tuning and know your code you can set these to the same thing.

It’s important to note that the Perm Gen or “Permanent Generation” is controlled separately. Normally you shouldn’t have to mess with this, as only classes and crap are stored here, but I’ve seen this be a problem recently. “-XX:PermSize=256m -XX:MaxPermSize=256m” would fix the PermGen at 256m. You can see the permgen in the aforementioned ‘jmap -heap PID’.
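As an added example (not from the original post), a small parser for the lines -verbose:gc and -XX:+PrintGCDetails write, pulling out the numbers the post says matter: whether each run was a Full GC, how long the world stopped, and how much of the heap is still live after a Full GC (i.e. how close you are to -Xmx). The sample log is constructed in the HotSpot 5/6 parallel-collector shape, not captured from a real JVM.

```python
import re

# Constructed sample in the shape of -verbose:gc / -XX:+PrintGCDetails output
# (HotSpot 5/6, parallel collector); not captured from a real JVM.
SAMPLE_GC_LOG = """\
[GC [PSYoungGen: 8192K->1024K(9216K)] 8192K->1500K(30720K), 0.0098 secs]
[GC [PSYoungGen: 9216K->1020K(9216K)] 9692K->5200K(30720K), 0.0123 secs]
[Full GC [PSYoungGen: 1020K->0K(9216K)] [PSOldGen: 4180K->3900K(21504K)] 5200K->3900K(30720K) [PSPermGen: 2048K->2048K(16384K)], 0.2310 secs]
[GC 12092K->4800K(30720K), 0.0076 secs]
"""

GEN_GROUP = re.compile(r"\[\w+: [^\]]*\]")   # e.g. "[PSYoungGen: 8192K->1024K(9216K)]"
GC_EVENT = re.compile(
    r"^\[(?P<kind>Full GC|GC)\s+(?P<before>\d+)K->(?P<after>\d+)K\((?P<total>\d+)K\)"
    r"\s*,\s*(?P<secs>[\d.]+) secs\]")

def parse_gc_log(text):
    """One dict per GC line: full-or-not, whole-heap KB before/after/total, pause seconds."""
    events = []
    for line in text.splitlines():
        # Drop the per-generation detail so the same regex handles both output shapes;
        # the whole-heap numbers that remain are what tell you how much was reclaimed.
        m = GC_EVENT.match(GEN_GROUP.sub("", line))
        if not m:
            continue
        events.append({
            "full": m.group("kind") == "Full GC",
            "before_kb": int(m.group("before")),
            "after_kb": int(m.group("after")),
            "heap_kb": int(m.group("total")),
            "secs": float(m.group("secs")),
        })
    return events

def summarize(events):
    """How often the world stopped, for how long, and how full the heap still is
    after a Full GC (the closer to 1.0, the closer you are to an out-of-heap blowup)."""
    full = [e for e in events if e["full"]]
    live_after_full = max((e["after_kb"] / e["heap_kb"] for e in full), default=None)
    return {
        "gc_count": len(events),
        "full_gc_count": len(full),
        "stop_secs": round(sum(e["secs"] for e in events), 4),
        "full_gc_secs": round(sum(e["secs"] for e in full), 4),
        "worst_live_fraction_after_full_gc": None if live_after_full is None else round(live_after_full, 3),
    }
```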

I guess that is about it. I haven’t really figured out debugging java beyond the GC, so I’ll leave that to you developers.

allowing hosts access on vista and uac

So UAC is basically a big “Do you want to allow this?” annoyance that I imagine gets ignored a lot. I just spent 30 minutes on a vista machine and I’m sure I clicked ‘GO GO GO’ over 30 times at least.

An app that we used modifies the hosts file based on what environment you want to live in, and vista doesn’t think that should happen. Nor does it let you change permissions by default. Whatever.

1) go to \windows\system32\drivers and right click, properties on ‘etc’
2) uhm, I think it was advanced, but go to advanced or something.
3) go to the owner tab and change ownership. You’ll want MACHINE\ADMINISTRATORS
4) ok out of everything and come back into properties.
5) edit permissions (there are extra clicks everywhere compared to XP)
6) give everyone modify access
7) ok out of everything and come back into properties.
8) make sure read only is unchecked and apply / ok.

Note that readonly unchecking wasn’t working for me originally until I gave EVERYONE modify instead of just administrators. I think this was because trustedinstall or system or something was trying to do the permission change and was silently failing.

public folders in exchange 2007

Nice. So I’m running Exchange 2007. Find out exactly what service pack by going into the new EMC (Exchange Management Console) which replaces ESM (Exchange System Manager) I guess. Go to Help, About Exchange Server and grab the version number then check here.

The final RTM build of Exchange 2007 is build 685.25, but in some places it is listed as 685.24.
The RTM version of Exchange 2007 SP1 is build 8.1.0240

Somehow I have 8.0.685.018. Apparently shit is all messed up:

Also, when you click Help, and then click About Exchange Server 2007, you will see a different version number altogether: 685.018

This bit from here is awesome, so so, so awesome.

One of the big disappointments in the Exchange Server 2007 RTM version was the lack of Public Folder management from within the Exchange Management Console (EMC) UI. In Exchange Server 2007 RTM, all Public Folder management has to be done from either the Exchange Management Shell (EMS), which is quite cumbersome to say the least, or from an Exchange 2003/2000 System Manager console on a legacy Exchange server still part of the Exchange organization.

All I wanted to do was hide the email address on a public folder from the address list. But I have no GUI interface to address lists. Thus, I still stand behind: Do not ever use an MS product before SP1. Sooooo…. Open up the spiffy new Exchange Command Line thingery (the help totally helps)

get-mailpublicfolder publicFolderName | format-list

Format-list actually provides information, while if you don’t use it you just get a list. I know this doesn’t make sense how I describe it and how it reads, but that’s what happens.

Unfortunately it says it’s already hidden from address lists. Annoying, since it’s coming up for me when typing addresses into the address bar in outlook 2007.

It’s worth noting that I checked the setting against another object type (a mailbox) using this:

get-mailbox userNameActuallyMailboxName | format-list

A couple of people asked me about this, so I’m adding what I found here:

Public Folders are included and supported in Exchange Server 2007. Microsoft has communicated that future releases of Exchange Server may not include public folders. If you use Public Folders, read the Exchange Team Blog on the topic of public folders for more guidance.

And it looks like they’re moving to sharepoint eventually:

For all new collaborative application development, we recommend WSS v3 and the new E12 web services as your platform

Hiding from jobs?

Wow. Contrary to what some past coworkers feel, I like recruiters in general. Except those Corp to Corp ones that consistently want to hire me for random Microsoft jobs that often have nothing to do with my skill set at $28.something an hour.

That you all want me for different jobs for the same rate makes me feel like this is a huge scam and you’re the ones making bank off it. Weren’t pyramid schemes illegal? Even small ones?

After I started at Widemile I was still getting calls/emails daily from random bulk recruiters from all over the country(!) for jobs all over the place. The vast majority of this is noise as it’s crappy jobs with recruiters taking a huge cut via this corp to corp bullshit that totally doesn’t give me peace of mind that a company appreciates me as an employee.

So I updated my resume on monster to show that I was now employed. Then someone I had emailed telling them I was all set emailed me back and was all “I saw you updated your resume! want a job?!”. No, did you read it? I’m in a job! Stop reading between non-existent lines. I figured this stuff would cool down after a while.

But today my recruiter from my current job calls, worried, saying that they saw my resume on monster. Jeez guys. So I’ve set my monster profile to private. I’m now officially in hiding to reduce the stress.

I’m sure if someone wants to offer me a yacht, a bank, and 10 months vacation to do SA work for them, they aren’t going to be looking for me on monster anyways.

bios reset on dell poweredge blades

I had never heard of this trick so I thought I’d pass it along as I just got it from Dell. This may be OEM, so it may apply to other hardware.

Enter BIOS
Turn on num, caps and scroll lock
Press ALT-E to erase the nvram
Press ALT-F to load factory defaults
Press ALT-B to reboot.

I did this through a KVMoIP so I wasn’t sure it was working until the ALT-B when the box did reset.

ntpd and windows server 2003 sp1 w32time

Today is the day of lots of uneducated information on the internet while researching.

I’m trying to get ntpd to sync off a Windows Server 2003 SP1 box that has the PDC role. There’s a lot of information out there about how w32time between 2000 and 2003 are different, as well as possibly 2003 SP1. There are complaints from the open source people about how w32time is a crappy SNTP server instead of an NTP server; however, a lot of it sounds like their education on the matter is out of date.

This bit here looks close. What follows is what I did, with an attempt made to make it clean looking.

rem pretend we're reliable
w32tm /config /reliable:yes
rem someone said this being too high was a problem
w32tm /config /localclockdispersion:5
rem changes to ntp from nt5ds or whatever
w32tm /config /syncfromflags:manual
rem use an external server ( NEEDED! )
w32tm /config /manualpeerlist:pool.ntp.org
rem tells w32time to reread its config
w32tm /config /update
rem just for kicks
net stop w32time && net start w32time

It’s worth noting that this didn’t work until I synced ntp with something. Apparently w32time doesn’t fake its stratum in such a way that ntp believes. It’s working though. Tomorrow I’ll play more.

update: things seem good now. Wanted to throw in this link which had good information about some of the registry keys associated with w32time. This tech article at Microsoft was [surprisingly] the best article I found regarding integrating ntpd + w32time. This blog post has much of the same information as mine and makes more sense in the aftermath. And this article is microsoft’s registry key reference.

del.icio.us and firefox. a better way to bookmark

I used to bookmark daily sites in a firefox folder, then just right click, open in tabs to get all my daily sites. I’ve mentioned previously that one needs to take an additional step (setting ‘browser.tabs.loadFolderAndReplace’ to false as it oddly is set to true) to prevent firefox from mangling your existing tabs, essential for tab heavy people like me. On that note I’d also recommend using the Tab Mix Plus plugin. I turn on “Multirow” which much better supports over ten tabs or so than firefox, and use its session restore feature over firefox’s, turning on “ask on startup” so whenever I restart instead of crash, I can still get my old sessions back (tabs!).

Having started a new job, among other things, I’ve had to create these same folders too many times. I’ve just started using del.icio.us today and I’ve installed the full bookmarks plugin which is importantly different than the buttons plugin as it gives you sidebar and top bar access to your del.icio.us (online!) plugins in realtime. Alas, I installed that first, and the bookmarks plugin detected the buttons plugin and disabled it, as it has some of the same buttons and operates in the way I wanted.

I’ve only got this set up on my current work desktop, but when I get home I’ll migrate my bookmarks over and I think I’ll be quite happy. I’m certainly down with the UI so far. Of course, del.icio.us is designed to be pretty “public” and others can see your bookmarks. I guess you can mark certain bookmarks as private, such as your pron or whatnot, but I’m a public kind of guy so I’m not worried about it.

It took me far too long to realize that right clicking on the toolbars gave me the option to uncheck the built in bookmark toolbar and make it go away. I probably wouldn’t use this at home as I use RSS bookmarks to track certain wikis and planets, but at work I currently have a crappy monitor and needed the real estate. Looks like I can put rss feeds in del.icio.us and they work as expected though.

New SA job at WideMile

Starting today at a new job at WideMile, a Seattle startup (someone not from Seattle might not realize that 5-10 years is still often “startup”) that makes web software and systems to make other companies’ web sites not suck. Which is noble AND cool.

Of course, it’s more complex, and I don’t REALLY know what it does, but that’s okay. Today I’m building myself a chair and a desktop. So yeah. Startup. The data center is here, big time, high bandwidth, but has grown naturally. So I’ve been there, let’s call Haydrian a dry run for this. Should prove to be more entertaining.

Anyways, goodtimes. Glad to be back to work and be producing something, even if it is just a chair. I’m in downtown now too, so we’ll see how that works out, but any lunch suggestions would be grand.