Archive for March, 2014

What is MTU and how do you change it in Windows?

March 30, 2014

What is MTU?

MTU is the Maximum Transmission Unit. This is the largest physical packet size (measured in bytes) that a network can transmit. Any message larger than the MTU is divided (broken up) into smaller packets (fragmented) before being sent. In other words, the MTU value defines the maximum length of a data unit a protocol can send in one shot (without fragmenting).

Do we need to change the MTU every time the machine needs to communicate with machines in other networks? Of course not. With the help of PMTUD we don't need to change the MTU manually: it detects the smallest MTU on the path between the networks.

Path MTU Discovery (PMTUD)

PMTUD detects the smallest MTU on the path between different networks, so there is no need to change the MTU by hand every time the machine needs to communicate with machines in other networks.

For IPv4 packets, Path MTU Discovery works by setting the Don’t Fragment (DF) option bit in the IP headers of outgoing packets. Then, any device along the path whose MTU is smaller than the packet will drop it, and send back an Internet Control Message Protocol (ICMP) Fragmentation Needed (Type 3, Code 4) message containing its MTU, allowing the source host to reduce its Path MTU appropriately. The process is repeated until the MTU is small enough to traverse the entire path without fragmentation.
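To make that exchange concrete, here is an added PowerShell simulation of the loop just described; it is not code from the original post. The link MTUs are constructed values, `Send-DfPacket` stands in for the routers along the path and `Find-PathMtu` for the sending host. The `-FilterIcmp` switch shows the failure mode a practitioner should know about: when a firewall drops the ICMP Fragmentation Needed message, the oversized packet is silently lost and the source never learns why (a PMTUD black hole).

```powershell
# Added example, not from the original post: a toy model of IPv4 Path MTU Discovery.
# The link MTUs below are constructed values, not measurements from a real path.
$PathMtus = @(1500, 1492, 1400, 1500)   # MTU of each link the packet must cross

function Send-DfPacket {
    # Plays the role of the routers. A packet with DF set that is larger than a
    # link's MTU is dropped there; the router answers with ICMP Type 3 Code 4
    # carrying that link's MTU (unless ICMP error messages are being filtered).
    param(
        [int]$Size,
        [int[]]$Hops,
        [switch]$FilterIcmp
    )
    for ($i = 0; $i -lt $Hops.Count; $i++) {
        if ($Size -gt $Hops[$i]) {
            if ($FilterIcmp) { return @{ Result = 'Timeout'; Hop = $i } }
            return @{ Result = 'FragNeeded'; Hop = $i; NextHopMtu = $Hops[$i] }
        }
    }
    return @{ Result = 'Delivered' }
}

function Find-PathMtu {
    # Plays the role of the sending host: start at the local MTU and shrink the
    # packet to whatever the last ICMP message reported, until it gets through.
    param(
        [int]$StartMtu = 1500,
        [int[]]$Hops = $PathMtus,
        [switch]$FilterIcmp,
        [int]$MaxRounds = 10    # guard against a path that keeps shrinking
    )
    $pmtu = $StartMtu
    for ($round = 1; $round -le $MaxRounds; $round++) {
        $reply = Send-DfPacket -Size $pmtu -Hops $Hops -FilterIcmp:$FilterIcmp
        switch ($reply.Result) {
            'Delivered' {
                Write-Host ("Round {0}: {1}-byte packet delivered; Path MTU = {1}" -f $round, $pmtu)
                return $pmtu
            }
            'FragNeeded' {
                Write-Host ("Round {0}: hop {1} dropped the {2}-byte packet, ICMP 3/4 reports MTU {3}" -f $round, $reply.Hop, $pmtu, $reply.NextHopMtu)
                $pmtu = $reply.NextHopMtu
            }
            'Timeout' {
                Write-Host ("Round {0}: {1}-byte packet lost with no ICMP reply (PMTUD black hole)" -f $round, $pmtu)
                return $null
            }
        }
    }
    Write-Host "Gave up after $MaxRounds rounds"
    return $null
}

Find-PathMtu                # converges on 1400 after two ICMP messages
Find-PathMtu -FilterIcmp    # never converges: the drop is silent
```

With the constructed path the host first hears "MTU 1492" from the second hop, then "MTU 1400" from the third, and the third attempt is delivered, which is why PMTUD can take several round trips on a path with more than one narrow link.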

How to get MTU value?

 netsh int ip show int

For most Ethernet networks this is set to 1500 bytes.

We can see that the MTU is configured as 1500 on my Local Area Connection.

How to find the real MTU in the network?

Open the command prompt:

  1. Type the following: ping -f -l 1600 servername
  2. You should receive the message "Packet needs to be fragmented but DF set", which indicates that the packet sent (1600 bytes) was too large for the network to send without splitting it.
  3. Repeat the ping, but this time use smaller numeric values (such as 1500, 1450, 1400, 1350, etc.) for the size of the data packet.
  4. Eventually you should receive the 'standard' PING message "Reply from XX.XX.XX.XX: bytes=xxxx time=YYms TTL=ZZZ". This means that this packet size was small enough to fit inside the MTU.
  5. Slowly increase the data packet size again, until you find the maximum size that can be sent without receiving the message "Packet needs to be fragmented but DF set". This is your maximum MTU size between the client PC and the destination.

But usually we don't need to do this, since packets will be fragmented during transfer and PMTU discovery will detect the minimum MTU for us.
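The manual search above can be automated. The following PowerShell script is an added example, not code from the original post: it binary-searches the `ping -f -l` payload size between a value that works and one that does not, which takes about eleven probes instead of stepping by 50 bytes. It assumes Windows `ping.exe` with English output (the strings it matches are "Packet needs to be fragmented but DF set" and "Reply from ...: bytes=N"), and the host name in the last line is a placeholder. One caveat worth knowing: `-l` sets the ICMP payload size, and the 20-byte IPv4 header plus the 8-byte ICMP header ride on top of it, so the link MTU is the largest working payload plus 28 (1472 bytes of payload corresponds to the usual 1500-byte MTU).

```powershell
# Added example, not from the original post: automates the manual ping -f -l search.
# Assumes Windows ping.exe with English output.
function Test-DfPing {
    # One probe: a single echo request with DF set and an ICMP payload of $Size bytes.
    param([string]$Target, [int]$Size)
    $out = & ping.exe -f -l $Size -n 1 -w 1000 $Target 2>&1 | Out-String
    if ($out -match 'needs to be fragmented') { return 'TooBig' }
    if ($out -match 'Reply from .*bytes=\d+')  { return 'Ok' }
    return 'NoAnswer'   # timed out, unreachable, or output we do not recognise
}

function Find-PathMtuByPing {
    # Binary search between a payload that works ($Low) and one that does not ($High).
    param(
        [Parameter(Mandatory)][string]$Target,
        [int]$Low = 0,
        [int]$High = 1600   # the same oversized starting point as step 1 above
    )
    if ((Test-DfPing -Target $Target -Size $High) -eq 'Ok') {
        Write-Warning "$High bytes already fits; raise -High to find the real limit"
        return $null
    }
    $probes = 1
    while ($High - $Low -gt 1) {
        $mid = [int][math]::Floor(($Low + $High) / 2)
        $probes++
        switch (Test-DfPing -Target $Target -Size $mid) {
            'Ok'     { $Low  = $mid }    # fits: the answer is at least $mid
            'TooBig' { $High = $mid }    # too large: the answer is below $mid
            default  {
                Write-Warning "No usable reply for $mid bytes; host down or ICMP filtered"
                return $null
            }
        }
    }
    # ping -l is the ICMP payload; add 20 (IPv4 header) + 8 (ICMP header) for the MTU.
    [pscustomobject]@{
        Target       = $Target
        MaxPayload   = $Low
        EstimatedMtu = $Low + 28
        Probes       = $probes
    }
}

Find-PathMtuByPing -Target 'server.example.com'   # placeholder host name
```

If the script reports "No usable reply", the destination is either down or something on the path filters ICMP, in which case the manual steps above would not give a usable answer either.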

How to change the MTU value in Windows?

  1. Open the command prompt in elevated mode
  2. To see what interfaces you have connected, type netsh int ip show int
  3. netsh interface ipv4 set subinterface "Local Area Connection" mtu=1500 store=persistent

where Local Area Connection is the name of the network connection on your computer, taken from the list obtained above, and 1500 is the desired MTU value.

Reboot after the change is made.

More information

=====================

How do I find my optimum MTU setting

http://www.dslreports.com/faq/5793

EnablePMTUDiscovery

http://technet.microsoft.com/en-us/library/cc957539.aspx

What is ‘MTU’ and how do I change it in Windows 2008 R2

http://craigocon.wordpress.com/2012/10/03/whats-mtu-and-how-do-i-change-it-in-windows-2008-r2/

Categories: Windows Servers

Configuration manager console cannot connect to the configuration manager site database

March 16, 2014

Issue

Unable to open the SCCM console: "Configuration Manager console cannot connect to the Configuration Manager site database. Verify the following"

Resolution

We ran Microsoft Network Monitor and found that SQL was sending large packets to SCCM which were dropped during transmission at the network layer due to the MTU size. It was fixed by reducing the MTU size at the NIC level.

Categories: SCCM 2012

Hyper-V host Server Memory Sizing

March 10, 2014

Last week I did some quick research on how to size memory (RAM) for a Hyper-V host. There is no real documentation about what you should reserve for a Hyper-V host, because it totally depends on what you are running on it.

Here is a blog post which talks about a Windows 2008 R2 Hyper-V host, but you can use its formula as an approach:

http://blogs.technet.com/b/virtualpfe/archive/2011/08/29/hyper-v-dynamic-memory-and-host-memory-reserve-setting.aspx

In summary, Hyper-V host memory can be sized based on the following formula:

384 MB + 30 MB per 1 GB of physical memory on the host machine.

Finally, I calculate it for my lab server, which has 256 GB of RAM:

(384 MB + 30 MB * 256) = 8064 MB. So we can reserve 8 GB of memory for a host that has 256 GB.

But again, this is just one approach to sizing a Hyper-V host; you still need to monitor your servers, because the right number differs between scenarios.

Categories: HYPER V

SMB Signing: disabled or enabled?

March 8, 2014

This post describes the recommended SMB protocol signing behaviour in domain networks.

What is the SMB protocol?

SMB is the resource sharing protocol supported by many Windows operating systems. The Server Message Block (SMB) protocol is a network file sharing protocol that allows applications on a computer to read and write files and to request services from server programs in a computer network. The SMB protocol can run on top of TCP/IP or other network protocols. Using the SMB protocol, an application (or the user of an application) can access files or other resources on a remote server. This allows applications to read, create, and update files on the remote server. It can also communicate with any server program that is set up to receive SMB client requests.

What is the SMB Signing feature?

SMB Signing is a feature through which communications using SMB can be digitally signed at the packet level. Digitally signing the packets enables the recipient of the packets to confirm their point of origin and their authenticity. This security mechanism in the SMB protocol helps avoid issues like tampering with packets and "man in the middle" attacks.

Is disabled SMB signing a risk?

Yes. Attackers can potentially intercept and modify unsigned SMB packets, then forward the modified traffic so that the server performs undesirable actions. Alternatively, the attacker could pose as the server or client after legitimate authentication and gain unauthorized access to data.

Recommended SMB Signing configuration

SMB signing configuration can be changed through Group Policy. Set the GPO as follows:

Computer Configuration->Policies->Windows Settings->Security Settings->Local Policies->Security Options

Disable Microsoft Network Client: Digitally Sign Communications (Always).

Disable Microsoft Network Server: Digitally Sign Communications (Always).

Enable Microsoft Network Client: Digitally Sign Communications (If Server Agrees).

Enable Microsoft Network Server: Digitally Sign Communications (If Client Agrees).
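The four policy settings above are stored under the LanmanWorkstation (client) and LanmanServer (server) service keys as the DWORD values RequireSecuritySignature ("Always") and EnableSecuritySignature ("If ... agrees"). The following PowerShell audit script is an added example, not code from the original post: it reads those values on the local machine and reports whether each one matches the recommended state listed above. A value that is absent from the registry means the OS default applies; the Default column holds the member-server and workstation defaults, and note that domain controllers default both server-side values to 1 instead. Run it from an elevated prompt on the machine being audited.

```powershell
# Added example, not from the original post: audits the registry values behind the
# four SMB signing policy settings and compares them with the recommended state.
$WksKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanWorkstation\Parameters'
$SrvKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

# Want = recommended value from the post (0 = Disabled, 1 = Enabled).
# Default = out-of-box value on member servers/workstations when the value is absent.
$Policy = @(
    @{ Setting = 'Microsoft network client: Digitally sign communications (always)'
       Key = $WksKey; Value = 'RequireSecuritySignature'; Want = 0; Default = 0 }
    @{ Setting = 'Microsoft network server: Digitally sign communications (always)'
       Key = $SrvKey; Value = 'RequireSecuritySignature'; Want = 0; Default = 0 }
    @{ Setting = 'Microsoft network client: Digitally sign communications (if server agrees)'
       Key = $WksKey; Value = 'EnableSecuritySignature'; Want = 1; Default = 1 }
    @{ Setting = 'Microsoft network server: Digitally sign communications (if client agrees)'
       Key = $SrvKey; Value = 'EnableSecuritySignature'; Want = 1; Default = 0 }
)

function Get-SmbSigningState {
    foreach ($p in $Policy) {
        $item = Get-ItemProperty -Path $p.Key -Name $p.Value -ErrorAction SilentlyContinue
        $raw  = if ($null -ne $item) { $item.($p.Value) } else { $null }
        # Absent value: the OS default applies (domain controllers differ, see lead-in).
        $effective = if ($null -eq $raw) { $p.Default } else { [int]$raw }
        [pscustomobject]@{
            Setting   = $p.Setting
            Registry  = if ($null -eq $raw) { 'absent (default)' } else { $raw }
            Effective = $effective
            Expected  = $p.Want
            Compliant = ($effective -eq $p.Want)
        }
    }
}

Get-SmbSigningState | Format-Table Setting, Registry, Effective, Expected, Compliant -AutoSize -Wrap
```

Any row with Compliant = False is a machine where the GPO has not applied (or is overridden by a local setting), which is the usual thing to check before troubleshooting signing-related access errors.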

Additional Information

Overview of Server Message Block signing

http://support.microsoft.com/kb/887429/en-us

The Basics of SMB Signing (covering both SMB1 and SMB2)

http://blogs.technet.com/b/josebda/archive/2010/12/01/the-basics-of-smb-signing-covering-both-smb1-and-smb2.aspx

Microsoft network server: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852239.aspx

Microsoft network client: Digitally sign communications (always)

http://technet.microsoft.com/en-us/library/jj852186.aspx
