October Networking MVP Update

Networking MVP Highlights

Windows Server – Networking

Richard Wu

Home: Hong Kong SAR


MVP Award: since October 2005


MVP Public Profile


Blog: Richard Wu

·         Windows Vista / Longhorn Blog

·         Richard Wu(Microsoft Most Valuable Professional[MVP] and Community Star)


Hobbies/interests:  I can tell you that I have lot of hobbies and interests, playing with computer should be the first one. (I start to play computer when I was 10, like many guys in HK, I started with computer games :-p)


I always read computer magazine in order to learn new technology. Tom's Hardware website is my favorite site for learning new hardware.


Comic, Animation from Japan, robot model are my other interests. I have lot of them in my home, my favorites including: Dragon Ball, Saint Seiya, PATLABOR, Nero Genesis Evangelion, etc (Yes, all of them are Japan Animation).


I also like to watch movies and TV programs, X-File, 24, Lost, Prison Break, and Nip Tuck are all my favorites.


By the way, I like doggy! I like Huskey, Golden Retriever and Pomeranian. Although I do not have any one of them in my home, I always visit my friends if they feed dogs. And, I am the member of SPCA (Society for the Prevention of Cruelty to Animals) in HKSAR.


Other technologies of interest/skill: Cisco Router and Switch are my other interests! Remember! I am a networking guy!


Besides teaching Microsoft MOC course in CTEC/MCLS, I teach CCNA course, too!


I find that teaching others to connect the network and computer is fun! That's why I choose trainer as one of my careers.


I am now seeking for more knowledge on Cisco networking and hope I can get CCIE in some day later.


What does it mean to be an MVP? Becoming a Microsoft MVP, I feel my technology knowledge on Microsoft products can be authenticated and proofed.


I feel I have entered another level of knowledge on using MS products. I also feel great as I find Microsoft appreciates my contribution to the communities.


Besides these, I feel I am now getting closer with Microsoft! Before being a MVP, I always think Microsoft is just a business company and doesn't care much about the IT Professional. I feel Microsoft is far from me. But! After becoming a MVP, I have more chances to meet MS guys. All of them make me feel warm and passion!


Now, I feel Microsoft is very close to me and I know Microsoft cares very much about the IT Pro communities!


What would be the one thing you would really want the Networking Product team to know? I appreciate what they are doing! They keep on improving our networking experiences!


I find that configuring network has become much easier than before! At the moment, the only one thing I want them to know is "multicast file transfer". I wish windows will have a feature which allow me to simplify right click files/folders and then let me choose to multicast those files/folder to which group of computers.


(Sure I will need permission to do so). With this feature, I can copy files/folder to my colleagues' computer much easier and decrease the bandwidth usage.


If there was change you could make in the area of networking what would that be? Make the network configuration job much easier! Many of my non-IT friends still always phone me for the steps to setup wire/wireless network at their homes or SOHO. If there is a unified interface which allows the users in windows to configure wire/wireless router connection setting (even difference brand), it would be great!


Why do you find networking so interesting? It makes our life much easier! Remember the old days, when networking is not so common, all colleagues need to stay at office in order to do their work! But now, we can do our work at home, collaborate with colleague with Live Messenger/Live Communicator, networking makes our life easier! By the way, networking shortens the distance between each others. We can get touch with our friends even they are staying at different corner of the world!


You friends look like just living next to you! I love networking!


If there was one problem to highlight around networking what would that be? Integrating different systems! I have a dream, which is installing a little application to Linux/Unix and then I can use Windows to control all of them! It should also include a simple interface to manage and migrate their resources. In this case, linux/unix guys will know Microsoft can make anything possible! We don't need linux/unix guys any more since Windows administrator can now control and manage their system now! haha!


As an MVP what type of engagements would you like to have with the Networking Product team? I would like to visit the office of Microsoft (even local one) in order to meet with the Networking Product team!


I want to learn from them and know the latest networking technology in Microsoft! Besides, more online chat or live meeting from the Networking Product team would be great for us!

Tools to monitor DNS

Just read a good article from MCPMAG which was about DNS command line tools. So, re-post here: 

By Zubair Alexander

Domain Name System service is one of the most important services on
your Windows network. The importance of DNS is even more apparent on
an Active Directory network because the entire Active Directory
infrastructure relies heavily on it.

To troubleshoot and monitor DNS services, you can turn to numerous
tools out there. You might be familiar with Nslookup, a popular,
built-in tool used to troubleshoot DNS-related problems. We'll look
at two that aren't as well-known: DnsCmd and DnsLint, both from
Microsoft. You can find them in the support tools folder in Windows
Server 2003.

DnsCmd is a command-line tool that can be used to perform literally
hundreds of DNS-related tasks. For example, you can modify DNS server
settings, get configuration information, clear server cache, display
or delete records, initiate server scavenging or export a zone file.
Type DnsCmd /? at the command prompt for the syntax.

Figure 1 (see http://tinyurl.com/y67k6o ) shows some of the
commands that you can run. For more information on a specific command,
use the following syntax:

DnsCmd <CommandName> /?

For example, dnscmd /config /? will give you additional options that
can be used with the /config switch.

Let's say you want to list all the zones that are configured on a DNS
server called DNS1. Use DnsCmd with the /enumzones switch to get the
following sample output:

C:\>dnscmd dns1 /enumzones
Enumerated zone list:
Zone count = 8
Zone name Type Storage Properties
. Cache AD-Legacy
_msdcs.example.com Primary AD-Forest Secure
10.5.5.in-addr.arpa Primary AD-Legacy Rev
25.168.192.in-addr.arpa Primary AD-Legacy Rev
example1.com Primary File
example2.com Primary File
example3.com Primary File
example4.com Primary AD-Domain
Command completed successfully.

Try various commands with different switches. You will be amazed at the
amount of information you can obtain from DnsCmd. Because DnsCmd works
from the command line, you can use it in a batch file and perform
configuration tasks remotely on multiple DNS servers.

Another useful tool, DnsLint is used at the command prompt to generate
HTML reports. Use DnsLint /? at the command prompt for more information:

dnslint /d domain_name | /ad [LDAP_IP_address] |
   /ql input_file [/c [smtp,pop,imap]]
   [/no_open] [/r report_name] [/t]
   [/s DNS_IP_address] [/v] [/y]

The three required parameters in DnsLint are the following.

/d — Used to diagnose DNS-related problems, such as lame delegation.

Note: Lame delegation occurs when a DNS subdomain is pointing to a DNS
server that either doesn't exist or is not authoritative for
that subdomain.

/ad — Used to verify DNS records used for Active Directory replication.

/ql — Used to verify DNS records on multiple servers.

There are some rules you have to follow when using DnsLint commands.

    * The /d, /ad and /ql switches cannot be used together.
    * The /c can't be paired up with /ad or /ql.
    * When using /ad, you must also specify /s.

Here are some examples of using DnsLint.

dnslint /d myserver.com
dnslint /v /y /d reskit.com
dnslint /v /y /r ms_report /d microsoft.com
dnslint /v /y /no_open /s /d msn.com
dnslint /v /y /c /t /d reskit.com
dnslint /d reskit.com /c smtp,pop
dnslint /ad /s /v
dnslint /ad /s localhost /v
dnslint /ql mylist.txt /v
dnslint /ql autocreate

Let's try the following step-by-step procedure to create an HTML report
with DnsLint. You will need two pieces of information: FQDN of the
server and its IP address. I'll create a report for my domain called
seattlepro.com at IP address You should substitute your
own domain and IP address in this exercise.

   1. Go to the command prompt and type the following:

      Dnslint /ql autocreate

      This creates a sample text file called in-dnslint.txt in the
      same directory where you typed the above command.

   2. Edit that file with Notepad:

      Notepad in-dnslint.txt

   3. Notice the seventh line from the bottom lists dns1.cp.msft.net.
      I will change that to reflect my DNS server
      (dns1.seattlepro.com). I will also replace microsoft.com in the
      last four lines with the name of my domain and the IP address
      with my IP address in two places. When done, my file looks
      like this:

      +This DNS server is called: dns1.seattlepro.com

      seattlepro.com,a,r ;A record,ptr,r ;PTR record
      seattlepro.com,cname,r ;CNAME record
      seattlepro.com,mx,r ;MX record

   4. Save the file as dnsquery.txt in the same folder where you
      created the in-dnslint.txt file.

   5. To execute the query, type the following at the command prompt:

      dnslint /ql dnsquery.txt /v

   6. You should see an HTML report that's now displayed automatically
      in your default browser. The default name for the report is
      dnslint.htm and it's created in the same directory as the
      in-dnslint.txt and dnsquery.txt files.

For a sample of DnsLint report, see http://www.techgalaxy.net/mcpmag/ .
Notice that if there are any errors or warnings, they are all coded for
your convenience.

Why Microsoft recommend temporarily disabling anti-virus or anti-spyware applications before install IE7?

I got a offical answer from MS guy:

A few people have asked why we recommend temporarily disabling anti-virus or anti-spyware applications (which I??ll refer to together as anti-malware) prior to installing IE7, so here??s a little insight to the situation.

Along with copying IE7 files to your system, IE7??s setup writes a large number of registry keys. A common way anti-malware applications protect your computer is by preventing writes to certain registry keys used by IE. Any registry key write that fails during setup will cause setup to fail and rollback changes. We work around the problem in most instances by checking permissions at the beginning of setup, but many anti-malware programs monitor the key rather than change permissions. Therefore, setup thinks it has access when it starts, but then fails when it later attempts to write the key.

The majority of users likely haven??t seen any such problems even with anti-malware enabled because we work with third-party vendors to identify IE7 setup as ??safe??based on something like digital signatures or file hashes. While this could lead us to remove the recommendation to disable anti-malware apps, we??ve decided to leave it in setup because a number of factors may still cause some customers to have this problem. Specifically:

  • With all the anti-malware apps available, we don??t want to assume all of them work just because we haven??t heard of a problem yet.
  • Even anti-malware apps we??ve tested sometimes require the latest definition updates. If a user doesn??t have the latest definitions, he or she may still hit a problem even though we consider the issue resolved.
  • Failed installation is an awful user experience so we take every step to reduce the chances of setup failing.

I hope this helps answer some of your questions.

John Hrvatin
Program Manager

Explaining WPA2

Can you explain the differences between WPA and WPA2 and provide some information on the different features and functionality?

In April 2003, the Wi-Fi Alliance introduced an interoperable security protocol known as WiFi Protected Access (WPA), based on draft 3 of the IEEE 802.11i amendment. WPA was designed to be a replacement for WEP networks without requiring hardware replacements, using a subset IEEE 802.11i amendment. Organizations who adopt WPA can take advantage of the following features:

* Strong cryptography support from the Temporal Key Integrity Protocol (TKIP), based on the RC4 cipher;

* WPA-Enterprise, a mechanism for network authentication using IEEE 802.1x and a supported EAP type, one of EAP/TLS, TTLS or PEAP;

* WPA-Personal, a mechanism for using TKIP without IEEE 802.1x authentication by using a shared passphrase, intended for consumer networks.

In July 2004, the IEEE approved the full IEEE 802.11i specification, which was quickly followed by a new interoperability testing certification from the WiFi Alliance known as WPA2. WPA2 is based on the Robust Security Network (RSN) mechanism, which provided support for all of the mechanisms available in WPA, as well as:

* Strong encryption and authentication support for infrastructure and ad-hoc networks (WPA is limited to infrastructure networks);

* Reduced overhead in key derivation during the wireless LAN authentication exchange;

* Support for opportunistic key caching to reduce the overhead in roaming between access points;

* Support for pre-authentication, where a station completes the IEEE 802.1X authentication exchange before roaming;

* Support for the CCMP (Counter Mode with Cipher Block Chaining Message Authentication Code Protocol) encryption mechanism based on the Advanced Encryption Standard (AES) cipher as an alternative to the TKIP protocol.

As of March 2006, the WPA2 certification became mandatory for all new equipment certified by the Wi-Fi Alliance, ensuring that any reasonably modern hardware will support both WPA and WPA2.

By leveraging the RC4 cipher (also used in the WEP protocol), the IEEE 802.11i task group was able to improve the security of legacy networks with TKIP while the IEEE 802.11i amendment was completed. It is important to note, however, that TKIP was designed as an interim solution for wireless security, with the goal of providing sufficient security for 5 years while organizations transitioned to the full IEEE 802.11i security mechanism. While there have not been any catastrophic weaknesses reported in the TKIP protocol, organizations should take this design requirement into consideration and plan to transition WPA networks to WPA2 to take advantage of the benefits provided by the RSN architecture.

Why Internet Explorer 7 cannot(IE7) visit some web sites which IE 6 can access with no problem.

Just read a article from MS guy and got a idea why I cannot use IE7 to visit some web sites while IE 6 got no problem on them:

A quick recap:

  • On Windows XP SP2, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.1)
  • On Windows 2003 Server, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 5.2)
  • On Windows Vista, IE7 will send the following User-Agent header: Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.0)

Over the last eighteen months, most sites that had previously blocked the new version of Internet Explorer have been updated, and we're happy to report that the vast majority of Internet sites are now accessible using IE7.

There are a few remaining sites which fail to recognize IE7 because they are performing exact string matches to look for specific IE version strings. Those checks will need to be removed or updated to accommodate IE7. The Best Practice document linked from here can be help:

To enable you to workaround any remaining sites that block access to Internet Explorer 7, we developed the User Agent String Utility. The utility comes in the form of a small executable that opens an IE7 instance that sends the IE6 user agent string. It also provides a mechanism for you to report problem web sites to Microsoft so that we can follow up with the affected site owners. Please download the tool and give it a try.