NetBIOS browsing across subnets not working after PDC upgrade to Windows 2008.

We recently upgraded a Windows 2003 primary domain controller to Windows 2008. Following the upgrade we noticed that NetBIOS browsing across subnets was no longer working. The only hosts that were able to be seen were located in the local subnet. This created some issues for some of the non-networking IT staff. While hosts located on the distant subnets could still be reached via hostname they weren’t appearing in the ‘network’ portion of the Windows explorer.

A brief inspection of the running services on the newly upgraded Windows 2008 primary domain controller showed that the ‘Computer Browser’ service was disabled. Apparently, this service is disabled by default in Windows 2008 Server. Setting the service to run automatically and then starting it resolved the browsing issues.

If you are having similar issues after upgrading your domain controllers, we recommend checking the ‘Computer Browser’ service. Ideally, you would probably want this service running on all of your domain controllers to ensure NetBIOS browsing is possible from any of the subnets on your network.

How to configure DHCP on a Cisco Router

I prefer running DHCP on a server within the network, but if it comes to it you do have the option of configuring DHCP on a Cisco router. I do believe some of the newer Cisco Catalyst switches have this ability too.

We are going to assume you have a Cisco router already setup and in service on your network.

First thing you will want to do is login to your router and go into config mode. Once in config mode you will want to setup a DHCP pool.

Router(config)# ip dhcp pool newpool

You can replace ‘newpool’ with whatever you choose to name your DHCP pool. Next thing we want to do is tell the router the network and subnet.

Router(dhcp-config)# network x.x.x.x y.y.y.y

Replace x.x.x.x with the network address and y.y.y.y with the subnet mask. Next we will tell the router what DNS domain name the clients will use.

Router(dhcp-config)# domain-name domain.com

Obviously, you will replace ‘domain.com’ with your domain. Now we need to tell the router the primary and secondary DNS server IP addresses to be used in the DHCP scope.

Router(dhcp-config)# dns-server 1.1.1.1 2.2.2.2

Replace 1.1.1.1 with your primary DNS server and 2.2.2.2 with your secondary DNS server. We need to specify the default gateway or router.

Router(dhcp-config)# default-router x.x.x.x

Replace x.x.x.x with your default gateway or router IP address. Next we want to specify the length of the lease of the addresses assigned by the DHCP server.

Router(dhcp-config)# lease 7

Here I have set the lease time to expire in 7 days. Alternatively, you can use the syntax ‘lease DAYS HOURS MINUTES’, replacing those variables with the obvious requirements. You can even go as far as setting it for an infinite perios of time using ‘lease infinite’.

This pretty much sums up setting up DHCP on a Cisco router with IOS. I do want to show you one more thing. Suppose you want to exclude some IP address that you want to reserve for static devices. The following command needs to be performed in the the global configuration mode, so type ‘exit’ and perform the following if you are still at the last step.

Router(config)# ip dhcp excluded-address x.x.x.x y.y.y.y

You will want to replace y.y.y.y with the start address of the range you want to exclude and replace y.y.y.y with the end address. Example: ‘ip dhcp excluded-address 192.168.100.0 192.168.100.100. This will exclude addresses all the way up to 192.168.100.100. Therefore, DHCP will start assigning IP address leases at 192.168.100.101.

Now that we have setup our DHCP scope we can enable to DHCP service.

Router(config)# service dhcp

Now you should be able to grab an IP address via DHCP. Don’t forget to save your configuration.

How to enable SSH on a Cisco Router or Switch

I know a lot of network administrators have long used telnet to remotely manage Cisco routers. My preferred method of accessing these routers remotely is SSH. It is secure and encrypted verses telnet, where all data will be transferred in clear text making it easy for ’sniffers’ to reveal important information that can be used in an attack.

Any how let’s get started.

This assumes you have already logged in to your Cisco router and are in enable mode.

First, you want to check whether SSH has already been enabled.

Router# show ip ssh
%SSH has not been enabled

If you see the result above it obviously means that SSH has not already been enabled on this device.

On with the configuration:

You will want to configure a hostname on your router. This will be performed in configuration mode. (note the prompt)

Router(config)# hostname Router1

The hostname has been set. Now we will configure a domain name for the device.

Router1(config)# ip domain-name Domain1

The domain name has been set. Now we want to generate a RSA key pair.

Router1(config)# crypto key generate rsa modulus 1024

Next we will set a timeout interval.

Router1(config)# ip ssh time-out 120

This will set a time limit of 120 seconds for the SSH session to negotiate.
You can also set a maximum number of retry attempts incase of a failed negotiation.

Router1(config)# ip ssh authentication-retries 3

This will set the maximum amount of retries to 3.
The next thing we will do is change the default port for SSH from 22 to 8855. This is not necessary, however I do recommend it for an added level of security.

Router1(config)# ip ssh port 8855

At this time you can log off of the Cisco device and test the connection with a terminal client. In Windows I like to use PuTTY and in Linux or OSX I use the ssh command in the terminal.

Once you’ve logged in and verified the connection is good you can disable telnet access.

Router1(config)# line vty 0 4
Router1(config)# transport input ssh

Now the only way you will be able to remotely access your Cisco device is via SSH on the port you specified earlier, if you opted to change the default port.

Now to save your configuration changes to the Cisco device, you want to save the running-config to the startup config. There are 2 ways of performing this. I will show you both ways, but you should already know this by now.

Option 1

Router1# wr mem

Option 2

Router1# copy running-config startup-config

Now your new configuration should be saved. One last thing we can do to verify SSH configuration is repeat the first command in this tutorial.

Router1# show ip ssh
SSH Enabled - version x.x
Authentication timeout: 120 secs; Authentication retries; 3

We should see the above result with the configuration that we performed.

That concludes setting up SSH access on your Cisco router or switch. I highly recommend using SSH over telnet especially if you will be managing your device remotely. Telnet will give you absolutely no protection from sniffing.

How to put a stop to backscatter

First things first, what is backscatter? Backscatter messages are non delivery notices sent to you without your request. These messages are usually directly related to spam issues. A few examples of backscatter would include “out of office” messages, bounced or rejected email notifications, messages from virus scanners, and challenge and response requests from anti spam software originating from addresses you never even sent a message to.

How does it get to your inbox? These aren’t just unexplainable mistakes. Backscatter normally happens when someone uses your email address or domain in the “From:” field of an email. Spammers are notorious for doing this for the simple fact that most mail systems do not deliver mail where email addresses or domains in the “From:” fields are non-existent. Depending on how much spam the spammer sends out you could be receiving hundreds to thousands of NDR (non-delivery receipt) messages.

From the Exchange system administrator, how do I stop backscatter from congesting my exchange server? Here is a solution that I use on my Exchange 2003 server.

1. Open the “System Manager” on the Exchange server.
2. Expand the “Global Settings” selection and click on “Internet Message Formats”.
3. Right click on the “Default” object and select “Properties”.
4. Click on the “Advanced” tab and clear the box for “Allow non-delivery reports” and click “OK”.

You can also specify an address to send NDR messages to. I would recommend setting up a postmaster email box or alias to collect these messages. The instructions for specifying the address to receive the NDR’s are outlined below.

1. In the “System Manager” expand the “Servers” selection.
2. Expand <your.server> and also expand the “Protocols” selection.
3. Expand the “SMTP” selection and right click on the “Default SMTP Virtual Server” object and click on “Properties”.
4. Once in the “Properties” window click on the “Messages” tab and add the address into the “Send copy of non-delivery report to” field.
5. Once you have completed this you will need to restart the MS Exchange Routing Engine as well as the SMTP services.

This is one way to stop backscatter. This solution will only block the NDR type messages. There may be other solutions that would stop the other types of backscatter you may receive, but I feel the NDR type responses are the most common. For those of you running other email servers like qmail, postfix, or sendmail. There are fixes available out there for you to and we will address some of those in the next post.