Using Windows 7 with Multiple Gateways (Routers) and DHCP

Early last year we implemented a second Internet connection on our network.  We wanted to make it as easy as possible to switch between the two if the primary connection went down.  We are on a Windows domain and use DHCP from one of our domain controllers so it was easy to implement the 003 Router scope option with the two gateways and it worked great!

According to RFC2131 and the DHCP Options and BOOTP Vendor Extensions:

The router option specifies a list of IP addresses for routers on the client’s subnet.  Routers SHOULD be listed in order of preference.

That last bit was the key for working in our situation.  Our Windows XP clients grabbed the multiple gateway addresses and modified the routing table like this:

Active Routes: 
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40      20
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40      20

Both entries have the metric of 20, which was dynamically assigned by Windows based on the link speed.  The first entry is the one that was used.

We recently began testing Windows 7 in our environment.  We are fairly happy with most of the new features, performance and the overall experience in the new OS.  One thing that, so far, has been a great improvement is the new network stack.  With Vista, there were several issues including problems with unexpected freezes while network requests are made and problems with notebooks when trying to close the lid.  In Windows 7 most of those issues seem to have gone away.

One minor issue that we did run across seems to be a bug, in my opinion.  When our Windows 7 clients processed the same DHCP requests as our XP clients, the routing table looked like this:

Active Routes:
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40      30
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40      30

Very similar results, just a slightly modified metric, which I can only assume is due to an updated algorithm for calculating the dynamic metric.  The only problem is that the second entry was being used as the default gateway.  We verified this on multiple Windows 7 clients.  It seems like it goes against the “order of preference” bit of the RFC.

It took quite a while and a lot of research, but I found out that Microsoft implements a vendor-specific extension, the 003 Microsoft Default Router Metric Base option.  The documentation for this value reads:

This value is a specified router metric base to be used for all default gateway routes used at Windows 2000 DHCP-enabled client computers.

This value can be assigned as an integer cost metric ranging from 1 through 9,999. It is used in calculating the fastest, most reliable, and least expensive routes. If a value is not specified, a default of either one (1) or the currently set interface-specific metric is used.

This is not very specific and for a while I did not think it would apply different metrics, but rather the same metric to all of the values in the 003 Router option.  I decided to give it a try regardless of my doubts and it worked!  Now, my XP route table looks like this:

Active Routes:
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40       1
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40       2

And my Windows 7 route table looks like this:

Active Routes:
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40      31
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40      32

It is still disappointing that the DHCP routing options seem to be broken in Windows 7 (IMHO), and I am sure there will be plenty of people having similar problems when they begin rolling out Windows 7 clients in their environments.  Hopefully this article will save someone a little time trying to configure their Windows 7 clients to use multiple gateways.
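
To confirm on a client that the metric base took effect, the following added example (not part of the original post) parses `route print` text and checks whether the default-route metrics follow the gateway order listed in the 003 Router option. The function names and the sample tables are constructed for illustration, and the check assumes a single DHCP-configured interface.

```python
import re

# Constructed samples modelled on the Windows 7 route tables shown in the post;
# the On-link subnet row is added only to show that non-default routes are skipped.
BEFORE = """Active Routes:
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40      30
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40      30
       172.16.0.0  255.255.0.0     On-link  172.16.0.40     286
"""
AFTER = """Active Routes:
Network Destination  Netmask       Gateway    Interface  Metric
          0.0.0.0    0.0.0.0    172.16.0.1  172.16.0.40      31
          0.0.0.0    0.0.0.0  172.16.0.220  172.16.0.40      32
"""

QUAD = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^\s*({QUAD})\s+({QUAD})\s+(\S+)\s+({QUAD})\s+(\d+)\s*$")

def default_routes(route_print_text):
    """Return [(gateway, interface, metric)] for 0.0.0.0/0 rows, in table order."""
    routes = []
    for line in route_print_text.splitlines():
        m = ROW.match(line)
        if m and m.group(1) == "0.0.0.0" and m.group(2) == "0.0.0.0":
            routes.append((m.group(3), m.group(4), int(m.group(5))))
    return routes

def check_preference(route_print_text, preferred_order):
    """Compare default-route metrics with the intended gateway order.

    Returns (status, detail) where status is:
      'missing'  - a listed gateway has no default route (detail: those gateways)
      'inverted' - a less-preferred gateway has a lower metric
      'tie'      - gateways share a metric, so the choice is left to the OS
      'ok'       - metrics strictly increase in the preferred order
    """
    metrics = {gw: metric for gw, _, metric in default_routes(route_print_text)}
    missing = [gw for gw in preferred_order if gw not in metrics]
    if missing:
        return ("missing", missing)
    seq = [metrics[gw] for gw in preferred_order]
    pairs = list(zip(seq, seq[1:]))
    if any(a > b for a, b in pairs):
        return ("inverted", seq)
    if any(a == b for a, b in pairs):
        return ("tie", seq)
    return ("ok", seq)

if __name__ == "__main__":
    order = ["172.16.0.1", "172.16.0.220"]  # order used in the 003 Router option
    print(check_preference(BEFORE, order), check_preference(AFTER, order))
```

A `tie` result is the state in which XP and Windows 7 picked different gateways; `ok` is the state after the metric base option was applied.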

Restarting the Microsoft Download Manager (Shouldn’t this be easier?)

Today I had the need to download something from our MSDN subscription and I decided to do it from the server I needed the file on rather than downloading it locally then transferring it to the co-located facility. The problem came up when my terminal server (RDP) session timed out and logged me off!

Oops!

Logging back in after such an event does not restart the Microsoft download manager and, unfortunately, there is no shortcut that I could find to run it.

It took some research to find the solution, or at least part of it. Where is the download manager located? It turns out to be at %windir%\Downloaded Program Files\TransferMgr.exe. I found that on this post for reference.

What the post did not mention is that the folder is one of those special Windows folders. Opening it up in Windows Explorer only revealed garbled object names. Not much use there so I opened a console (cmd.exe) window and did a quick CD C:\WINDOWS\Downloaded Program Files\ followed up with DIR. It revealed my target, TransferMgr.exe. I typed in the file and it ran just fine.

Next I decided to create my own shortcut in the event that my session could be ended before completion. Uh oh, another problem! I cannot even manually enter the path into the wizard! No biggie, I simply created a shortcut to something valid, then opened the shortcut properties and manually typed the path to the download manager. From there things worked fine. I figured I should write this down so that I do not forget it at a later date.

How to use Windows Mobile Sync Center on Vista with F-Secure Client Security

We’ve been using F-Secure as our virus/malware protection in our company for a little over a year now. I have been and continue to be impressed with the product and the company support.

Recently I purchased my new laptop with Windows Vista installed. More recently I purchased a new HTC P4300 smartphone with Windows Mobile 5. It’s been working great, and I love the phone. The only weird issue has been syncing with the USB cable. In order to make it work I had to temporarily turn off the firewall inside of F-Secure Client Security. Syncing via Bluetooth was working fine so I tended to lean on that.

Today I decided it was time to fix the issue. I gave a call to the business support line at F-Secure and explained the problem quickly to the technician. She told me right off the bat that this was an issue she had no experience with, so she asked if I minded giving her a little time to investigate. Of course I said that was fine.

Within 30 minutes I had an email from her outlining the solution. My total phone time was about 5 minutes and then another 5 to put the fix into place. Thank you!

The problem is simply that the Sync Center in Vista uses some ports over the USB connection that are new enough not to be included as a standard. After adding the ports and making sure that one of the applications was allowed, everything worked great. Since I do not believe they have a technical article yet, I thought I would outline the solution here in case anyone else needs it.

Please note that these steps only work if your security policy allows you to edit a few things. If you are running in a corporate environment you may need to give these instructions to your network administrator to include in the corporate policies for your virus protection.

Step 1

The first thing to do is to get into the Client Security configuration screen where we’ll be doing most of the work. Right click on the F-Secure icon in your system tray and choose Open F-Secure Client Security. This will bring up the main window. You will want to choose the Internet Shield menu option on the left, then click on the Change link next to Application Control.

Step 2


Next you need to add the application that does the communication to the allowed list in Application Control. wmdHost.exe is the component that performs the actual communication requests. It is possible that this application may already be there, but if it is not, simply click Add to include it in the list. If it is not in the list it should be found in C:\Windows\WindowsMobile\. If you do have to add the file, I’ve noticed that my Client Security software will default to the access level of prompt for a new application. The other bit that is odd is that it will not let me change it when I’m adding the file. I complete the addition to the list, then go back in to the details to modify it. At this point it will let me change the behavior to Allow.

Step 3

Finally you need to create a new service and add the necessary ports. There are 5 inbound and 1 outbound port necessary.

Start by switching to the Firewall configuration screen, then to the Services tab and add a new one. I simply called it Windows Mobile Sync Center. Make sure to choose the TCP protocol.

On the screen where you add, there are two areas for ports. They are termed Initiator ports and Responder ports. These map to inbound and outbound. Here are the correct settings:

Initiator (inbound) ports:

  • 990
  • 999
  • 5678
  • 5721
  • 26675

Responder (outbound) ports:

  • 5679

Once you’ve made all of those configuration changes you are ready to give it a shot.  Grab your Windows Mobile device and your USB cable and hook them up.  You should get the Connected check box and see it synchronize as expected.

I hope that helps you out!

Happy Sysadmin Day!

Yes, it is the last Friday in July and that means the 8th Annual System Administrator Appreciation Day.  If you’re able to read this post, thank your sysadmin!  Let’s face it, they go mostly unappreciated and at times cursed for the efforts they take to keep you online and safe.

The official site has some good information about how the diligent sysadmin affects your daily online life.  Let’s give it up for him/her and help promote this international day of recognition!

A Milestone!

Apparently the Windows 2000 daylight saving issue is on the mind of many network administrators.  My original post pointing to the patch that we used is getting quite a bit of traffic.  It is understandable with the new date for daylight saving time looming only a few weeks away.

But that is not the milestone.

Most of the traffic that post is receiving is coming from search engines.  I decided to check out how people were getting there by searching on Google for Windows 2k daylight saving patch and was surprised, very pleasantly I might add, to find the #1 link for that search term to be my post!

I know that the rankings on Google are fairly fluid so I thought I would capture it for posterity.  Thank you Google and thanks to all out there who may have linked back here to help get me a milestone such as this!

Daylight Saving Time patch for Win 2K

The SBS Diva has posted this fix for Windows 2000 and Windows 9x to account for the change to Daylight Saving Time. This tool is a huge help for sysadmins with several older OS’s in their environment with the pending switch next month.

Thanks to Greg Duncan for posting the link to it. Keep those Cool [Insert Clever Name] of the Day items coming Greg!

[Edit] I’ve noticed quite a few running across this particular post so I thought I’d give a brief update.  We have used this patch on all of our Windows 2000 machines now with no problem.  Of course the test will be when the date gets here; however, our preliminary testing of the patch (prior to roll-out) seemed to work just fine.

NFS Server on Windows; What a pain!

We use a nice open source package called BackupPC.   It is a nice system with a powerful web interface that has many capabilities to interact with other nix and Windows-based hosts.

We had been using smb (Samba) to do most backups from Windows hosts, however there was one problem with our Exchange Server.  The backup file was huge, roughly 16GB using ntbackup.  Samba has a limitation of 2GB files for transfer, so that was a killer.

Initially I took the “quick and dirty” route.  I created a batch file that ran the backup and used the split command to split the backup file into 500MB chunks.  It worked, but what a hack!  Recovery means restoring the files and using join to get them back together.  Not a fun prospect.

I recently ran across the Windows Services For Unix (SFU) on a different server and found that it had the ability to add NFS server functionality to a Windows 2003 server.  Hallelujah!  No more 2GB limitations!

I looked up documentation on installing and configuring things.  I found that I had to implement User Mapping in order for Windows to translate UNIX users to Windows accounts.  No problem, it all seemed very straightforward.  I set up my shares, made sure my permissions were correct and that my users were mapped.   The drive mounted on my Linux box perfectly!  Then I tried to list the contents:

Permission Denied

Dang, so close!  I must have mucked up permissions, right?  Wrong.  I went through all of the standard troubleshooting, opened the share up to everyone including root access, mapped, remapped and changed other settings.  Still nothing.  Ugh!   Time to search Google.  I found many similar issues, but nothing that was what I really needed.  Many people had permission denied problems that turned out to be issues with user mapping or root access.  Not my problems, although I tried everything I found.

Finally I went directly to Google Groups and began searching.  After a few pages of things I’d seen before, I ran across a post that pointed me to this TechNet article.  I do not know why it was so hard to find this.  Searches at the MS Knowledge base did not yield these results.

Anyway, it turned out the only problem was a single initial setting all the way at the top of the SFU snap-in.  It is under the Settings tab and it simply says Server Name.  It was blank!  I would have thought that it would put the default name of the server in there, but it did not.  No biggie, I changed it and voilà, everything worked!  I backed out of all my troubleshooting changes to give access only to Backup Operators and no root access to the share and things ran very smoothly.

Hopefully someone may find this pointer faster than I did, if so then my work here is done!  Until the next problem of course.  🙂