Syed Jahanzaib Personal Blog to Share Knowledge !

December 30, 2011

Howto add SQUID Proxy Server with MIKROTIK [Short Reference Guide]


To add SQUID proxy caching server support to Mikrotik, assume the following scenario.

DSL MODEM IP = 192.168.1.1
MIKROTIK LAN IP = 10.0.0.1
SQUID LAN IP = 192.168.2.1

I assume that you already have a working Mikrotik in place and a SQUID server already configured (you can search for guides on their configuration on my blog). I will only show how to interconnect the two so that all users' port 80 browsing requests go to SQUID for caching.

We will divide this article in two sections.

1#  MIKROTIK CONFIGURATION
2#  SQUID CONFIGURATION


1#  MIKROTIK CONFIGURATION

Mikrotik Have 3 Interfaces.

ether1 = 10.0.0.1
Connected to LAN

ether2 = 192.168.2.2
Connected Directly to PROXY’s eth0 via crossover cable.

ether3 = 192.168.1.2
Connected Directly to WAN/DSL
As shown in the image below . . .

Open New Terminal and create new NAT rule to redirect port 80 traffic to SQUID proxy server. Command as follows.

/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-port=80 protocol=tcp to-addresses=192.168.2.1 to-ports=8080

[192.168.2.1 is the SQUID proxy server IP, 8080 is its transparent proxy port]

As shown in the image below . . .


That's it for the Mikrotik configuration. If internet sharing is already configured on the SQUID server, you don't need to adjust any further configuration on the squid box; all requests will be served by squid.

Now moving on to squid . . .


2#  SQUID CONFIGURATION

The SQUID PROXY SERVER has two interfaces:

eth0 = 192.168.2.1
Connected Directly with Mikrotik’s PROXY interface via crossover cable.

eth1 = 192.168.1.3
Connected Directly with WAN/DSL

Note: I will not discuss how to configure SQUID here, as it has already been well described in my other articles (linked below). I assume you have SQUID configured and running in TRANSPARENT mode (using squid.conf directives and iptables).

Add the following line in /etc/squid/squid.conf

# PORT and Transparent Option
http_port 8080 transparent

For iptables to redirect user requests to port 8080 transparently, and also to masquerade outgoing traffic, add the following lines to /etc/rc.local or issue the commands at the CLI:

# Redirect users' requests arriving on the LAN interface to squid port 8080
iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.2.1:8080

# Set this system as a router for the rest of the LAN (masquerade behind the WAN interface)
iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE

Where eth0 is the LAN interface of SQUID (192.168.2.1) and eth1 is its WAN interface (192.168.1.3); --out-interface takes an interface name, not an IP address.


Now try to browse, and on the proxy server monitor the SQUID log with the following command:

tail -f /var/log/squid/access.log

You will see the users' browsing requests arriving from the Mikrotik IP.

As shown in the image below . . .


If you want to log the user's original IP address instead of the Mikrotik address, either add a route on the Squid server for your local user subnet pointing to the Mikrotik proxy interface, or use the packet marking + routing method described in the following article.

https://aacable.wordpress.com/2011/07/21/mikrotik-howto-redirect-http-traffic-to-squid-with-original-source-client-ip/
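As an added example (not part of the original article), here is a small shell check that reads a Squid native access.log and reports how many distinct client addresses it contains. The log lines are constructed samples; the router address 192.168.2.2 is the one from the scenario above. When every request carries the router's address, the proxy log no longer identifies which user made a request, which is exactly the situation the packet-marking article above deals with.

```shell
#!/bin/sh
# Added example: summarise client addresses in a Squid native access.log.
# Squid's native log format puts the client address in field 3.

# Constructed sample log (not real traffic): three requests that all
# arrive from the Mikrotik proxy-facing address 192.168.2.2.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
1325232000.123    245 192.168.2.2 TCP_MISS/200 4521 GET http://www.example.com/index.html - DIRECT/93.184.216.34 text/html
1325232001.456     12 192.168.2.2 TCP_HIT/200 4521 GET http://www.example.com/index.html - NONE/- text/html
1325232002.789    301 192.168.2.2 TCP_MISS/200 1820 GET http://www.example.org/logo.png - DIRECT/93.184.216.34 image/png
EOF

# Print "count address" for every distinct client address, busiest first.
client_ip_summary() {
    awk '{ n[$3]++ } END { for (ip in n) print n[ip], ip }' "$1" | sort -rn
}

# Number of distinct client addresses in the log.
distinct_clients() {
    awk '{ n[$3]++ } END { c = 0; for (ip in n) c++; print c }' "$1"
}

# Exit 0 when every request is logged with one address and that address
# is the router ($2): the log has been masked by the dst-nat on the router.
nat_masked() {
    [ "$(distinct_clients "$1")" -eq 1 ] &&
    [ "$(awk 'NR==1 { print $3 }' "$1")" = "$2" ]
}

client_ip_summary "$SAMPLE_LOG"
if nat_masked "$SAMPLE_LOG" 192.168.2.2; then
    echo "all requests logged as 192.168.2.2: original client IPs are not being recorded"
fi
```

Run it against a real access.log by replacing SAMPLE_LOG with /var/log/squid/access.log; a healthy log after the packet-marking fix shows one line per user address in the summary.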

For more information, read the following:

https://aacable.wordpress.com/2011/08/08/linux-transparent-squid-proxy-server-guide/
https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/
https://aacable.wordpress.com/2012/01/19/youtube-caching-with-squid-2-7-using-storeurl-pl/


Regards
SYED JAHANZAIB

December 29, 2011

Howto to enable Mikrotik RouterOS Web Proxy in Transparent Mode


A web proxy is a service placed between a client and the internet for HTTP web surfing. It can cache certain content / HTTP pages in its local cache. Mikrotik has a basic proxy package built in, called WEB PROXY. It is suitable for basic caching in small to mid-size networks.

For advance caching capabilities, Use 3rd party external proxy server like SQUID.

MikroTik WEB.PROXY Recommendation

Always try NOT to use the same storage disk for your cache and your RouterOS, so that there is always enough space on the RouterOS disk for logs, upgrade/update packages and backups. It is therefore highly recommended that the web-proxy cache is stored on a physically separate drive (store) from the RouterOS. Placing the cache on a separate drive ensures maximum performance and reduces problems if the disk becomes full or fails, as the OS will then still be OK!

Caching internet access requires a lot of disk reads and writes, so choose a fast disk for maximum performance / concurrent user request support.

Cache performance also depends largely on RAM size: the more RAM you have in your server, the better the performance.

We will divide this article in 3 Sections.

1# Preparing Secondary Partition for Cache
2# Configuring Web Proxy
3# Transparent Proxy

Let’s BEGIN . . .

1# Preparing Secondary Drive for CACHE

First we will format the secondary hard drive (to be used for cache). IF YOU DON'T WANT TO USE A SECONDARY HARD DRIVE, SKIP THIS STEP.

Goto SYSTEM > STORES > DISKS

Select the Secondary Hard drive and click on FORMAT DRIVE

As shown in the image below.



Now go to STORES tab (by navigating to  SYSTEM > STORES)

Select the WEB-Proxy package and click on COPY

It will ask you where to copy WEB-Proxy package, Select Secondary Drive in TO box.

As shown in the image below.


2# Configuring Web Proxy

Now We have to Enable Mikrotik Web Proxy by navigating to
IP > WEB PROXY

As shown in the image below.


Now Click on “Enable”

in Port, Type 8080

Max Cache Size: select Unlimited from the drop-down menu, or if you have limited disk space, use your desired amount.
You have to specify the space in kilobytes; for example 1024 KB = 1 MB, so to set a 5 GB cache use 5242880. I am using 5 GB in this example. The usable cache size also depends on how much RAM the machine has.
As shown in the image below . . .

Click Apply and your Mikrotik's Web Proxy is ready to be used, but every client has to set its proxy address to the Mikrotik IP to be able to use the proxy service.

3# Transparent Proxy

If we want every user to be redirected to the proxy automatically, we have to create an additional rule that forcefully redirects users to the proxy service. This is called a TRANSPARENT PROXY.

Go to IP > FIREWALL > NAT and create a new rule:
In Chain, select dstnat,
In Protocol, select 6 (tcp),
In Dst. Port, type 80.

As shown in the image below . . .

Now go to the Action tab:
In Action, select redirect,
In To Ports, type 8080.
As shown in the image below . . .

Now your newly created rule will look something like the image below.

OR the CLI version of above rule would be something like below.

/ip firewall nat add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp to-ports=8080

Done. Now Mikrotik web proxy will perform as TRANSPARENT PROXY , Every user’s HTTP PORT 80 request will automatically be redirected to Mikrotik built-in Web Proxy.

You can View Proxy Status and other info via going to IP > WEB PROXY > SETTINGS > STATUS  and other tabs in the same window.

As shown in the image below . . .

=========================================
WEB-PROXY Tips ‘N’ Tricks !! by Zaib (December, 2011)
=========================================


Howto Send CACHED Contents to user at Full Speed / Ignoring QUEUE Limit for cached-hits marked packets 🙂

First Mark Cached Contents by MANGLE Rule.

/ip firewall mangle
add action=mark-packet chain=output comment="CACHE HIT/Zaib" disabled=no dscp=4 \
new-packet-mark=cache-hits passthrough=no

Now create a Queue Tree that sends cache-hits packets to users at full LAN speed, ignoring the users' static or dynamic queues:

/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="Unlimited Speed for CACHE by zaib" packet-mark=cache-hits \
parent=global-out priority=8 queue=default

Now Try to download any cacheable content , for example download following file,

http://www.rarlab.com/rar/wrar410b5a.exe

Once downloaded, try to download it again from another computer or from the same test PC. You will see the queues and rules in action, sending cache-hits packets to users at full LAN speed. Remember that the Mikrotik web proxy is a very basic and simple proxy server without many tweaks and nuts 'N' bolts to set, so it will cache what it can. For more advanced caching, use SQUID instead.

As shown in the image below . . .

Also you can view the cache contents by going to IP > WEBPROXY > CACHE CONTENTS
As shown in the image below . . .

Howto Block Web Sites by Domain Name

You can block any web site via domain name as shown below.

/ip proxy access add action=deny disabled=no dst-host=yahoo.com
/ip proxy access add action=deny disabled=no dst-host=www.yahoo.com

Howto Block Downloading via File EXTENSION Types

You can block Downloading by file types using following code,

/ip proxy access add path=*.mp3 action=deny

Howto Block OPEN PROXY

Please make sure you are not running your proxy in OPEN PROXY mode. If so, anyone can use your proxy service over the internet to perform illegal activity, and your proxy IP will be logged at the remote server. Block it immediately using the following:

/ip firewall filter
add action=drop chain=input comment="Block Open PROXY 🙂 Zaib" disabled=no dst-port=8080 in-interface=wan protocol=tcp  src-address=0.0.0.0/0

In in-interface, select your WAN interface.
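As an added example (not from the article), here is a shell audit that reads a saved RouterOS /export and reports whether the web proxy port is reachable from the WAN interface without an input drop rule like the one above. The two export fragments are constructed; the interface name wan and port 8080 match the rule above, and the check deliberately ignores a drop rule that exists but is disabled.

```shell
#!/bin/sh
# Added example: audit a RouterOS "/export" text for the open-proxy condition.
# Assumes the export was saved to a file (e.g. via "/export file=backup" and
# downloaded); section headers start with "/" and rules with "add"/"set".

# Constructed export fragments (not real router output).
WEAK_EXPORT=$(mktemp); HARD_EXPORT=$(mktemp)
cat > "$WEAK_EXPORT" <<'EOF'
/ip proxy
set enabled=yes port=8080 cache-on-disk=yes max-cache-size=5242880KiB
/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
EOF
cat > "$HARD_EXPORT" <<'EOF'
/ip proxy
set enabled=yes port=8080 cache-on-disk=yes max-cache-size=5242880KiB
/ip firewall filter
add action=drop chain=input comment="Block Open PROXY" dst-port=8080 in-interface=wan protocol=tcp
/ip firewall nat
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8080
EOF

# Port the web proxy listens on; prints nothing if the proxy is disabled.
proxy_port() {
    awk '/^\/ip proxy/ { sect = 1; next }
         /^\// { sect = 0 }
         sect && /^set / && /enabled=yes/ {
             for (i = 1; i <= NF; i++)
                 if ($i ~ /^port=/) { sub(/^port=/, "", $i); print $i }
         }' "$1"
}

# Exit 0 if an enabled input-chain drop rule for tcp/$2 on interface $3 exists.
wan_input_drop() {
    awk -v port="$2" -v ifc="$3" '
        /^\/ip firewall filter/ { sect = 1; next }
        /^\// { sect = 0 }
        sect && /^add / && /chain=input/ && /action=drop/ && /protocol=tcp/ &&
        !/disabled=yes/ &&
        $0 ~ ("dst-port=" port "( |$)") && $0 ~ ("in-interface=" ifc "( |$)") { found = 1 }
        END { exit found ? 0 : 1 }' "$1"
}

# Exit 0 when the proxy is disabled or shielded, 1 when it is an open proxy.
audit_export() {
    port=$(proxy_port "$1")
    [ -z "$port" ] && { echo "$1: web proxy disabled"; return 0; }
    if wan_input_drop "$1" "$port" "$2"; then
        echo "$1: proxy on tcp/$port, drop rule on $2 present"; return 0
    fi
    echo "$1: OPEN PROXY RISK: proxy on tcp/$port with no input drop rule on $2"; return 1
}

for f in "$WEAK_EXPORT" "$HARD_EXPORT"; do
    audit_export "$f" wan || :
done
```

The same audit can be repeated with the proxy port and the real WAN interface name of your router; an export that trips it should be fixed with the filter rule above before the router is exposed.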

Howto Add LOGO and Edit Proxy Default ERROR Pages

Goto IP > WEB PROXY
Click on RESET HTML
It will ask you “Current html pages will be lost ! Reset anyway?”; click on YES.
As shown in the image below . . .

Now goto FILES and you will see webproxy/error.html ,
As shown in the image below . . .

Just copy this error.html file to your desktop and edit it using your favourite HTML editor.
(I personally use MS FRONTPAGE 2003 due to its easy and user-friendly interface; you can also use Notepad to edit this file, as it is very small and contains basic text only. Just don't mess with the code, only change the text you want, for example the network name or support numbers. After saving, upload it back to the Mikrotik under the web-proxy section.)

Howto Block Web Site for Single User

To block any website for a single user , Use the following …

/ip proxy access
add action=deny comment="Block yahoo for single user" disabled=no dst-host=www.yahoo.com src-address=192.168.2.5
(192.168.2.5 is the user ip)

To block a single user and redirect him to a policy page on any local web server explaining why he is blocked, use the following.

/ip proxy access
add action=deny comment="Block yahoo for single user" disabled=no dst-host=www.yahoo.com redirect-to=192.168.2.3/policy/deny.htm src-address=192.168.2.5

(192.168.2.3 is the web server ip , & 192.168.2.5 is the user ip)

As shown in the image below . . .


Regards
SYED JAHANZAIB

December 23, 2011

Howto Add Second Harddisk in UBUNTU

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 1:36 PM

This guide will show you how to add a second hard drive to your Ubuntu box.
(Since I was running out of space on my squid cache server, I decided to add a new hard drive for more cache capacity; therefore I wrote this article so it may be helpful to anyone.)

After plugging the new HDD into the Ubuntu box, go into your computer's BIOS and make sure it is detected there properly.

From the Ubuntu command prompt (root access is a must), issue the following command:

fdisk -l

It will show two hard drives:
sda as your primary hard disk,
sdb as your newly added secondary hard disk.

As shown in the image below . .

If, on the other hand, there is already data on your new hard drive, you will see its existing partitions listed.

Now we need to create partitions on this newly added harddrive. Issue the following command to execute the FDISK procedure.

fdisk /dev/sdb

Type ‘u’    & press Enter

To create new partition in new hdd,
Type  ‘n‘    & press Enter

To select partition type as primary,
Type ‘p‘    & press Enter

To select partition number,
Type ‘1‘    & press Enter

To write changes to disk partition,
Finally press ‘w‘    & press Enter

As shown in the image below . .

Now that the partition is created, we need to run partprobe to update the kernel with the changes we have made, using the following command:

partprobe /dev/sdb

Next, we need to format our new hard drive. To do this, enter the following command,

mkfs -t ext4 /dev/sdb

and Press  ‘y‘ to Continue

As shown in the image below . .

Now the partition is ready to be used, but first we have to mount it on a folder.

Create a folder named 2nd-hdd in /mnt with the following command:

mkdir /mnt/2nd-hdd

Allow Permission to make this folder writable for every one.

chmod 777 /mnt/2nd-hdd

As shown in the image below . .

Now mount it by using following command

mount /dev/sdb /mnt/2nd-hdd/

To see its content , issue the following command

ls /mnt/2nd-hdd

Now we need to add an entry to /etc/fstab so that the newly added hard drive is mounted automatically on every reboot. Edit /etc/fstab with the following command:

nano /etc/fstab

Now add the following line at end.

/dev/sdb /mnt/2nd-hdd auto defaults 0 0

As shown in the image below . .


Now either reboot your ubuntu box or issue the following command to mount new harddrive in /mnt/2nd-hdd

mount -a

To test your new harddrive , try creating any file in /mnt/2nd-hdd by following command

touch "/mnt/2nd-hdd/my 2nd hdd"

As shown in the image below . .
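As an added example (not part of the original guide), the functions below generate and check an /etc/fstab entry for the new disk without touching the real system. The fstab contents and the UUID are constructed; the example assumes an ext4 filesystem, and shows the defaults-only entry from the guide beside one mounted with nodev,nosuid,noexec, which is all a cache-only disk needs.

```shell
#!/bin/sh
# Added example: build, de-duplicate and sanity-check fstab entries for a data
# disk. Works on a copy of fstab so it can be run anywhere.

# Constructed fstab copy (not the guide's real file). The second line is the
# entry the guide adds.
FSTAB=$(mktemp)
cat > "$FSTAB" <<'EOF'
UUID=1111aaaa-2222-bbbb-3333-cccc4444dddd / ext4 errors=remount-ro 0 1
/dev/sdb /mnt/2nd-hdd auto defaults 0 0
EOF

# Build one fstab entry. Referencing the filesystem by UUID (from blkid)
# instead of /dev/sdb keeps the mount stable if the kernel renumbers disks.
fstab_line() {
    # $1 = UUID=... or device, $2 = mount point, $3 = fstype, $4 = options
    printf '%s %s %s %s 0 2\n' "$1" "$2" "$3" "$4"
}

# Exit 0 if the mount point already has an (uncommented) entry.
fstab_has_mountpoint() {
    awk -v mp="$2" '!/^#/ && $2 == mp { found = 1 } END { exit found ? 0 : 1 }' "$1"
}

# Print which of nodev, nosuid, noexec the entry's option field lacks.
# A disk that only holds cache files has no reason to carry device nodes,
# setuid binaries or executables.
missing_hardening() {
    opts=$(printf '%s\n' "$1" | awk '{ print $4 }')
    for o in nodev nosuid noexec; do
        case ",$opts," in *",$o,"*) ;; *) printf '%s ' "$o" ;; esac
    done | sed 's/ $//'
}

# Append a hardened entry for the cache disk, refusing duplicates.
add_cache_disk() {
    # $1 = fstab file, $2 = UUID=..., $3 = mount point
    if fstab_has_mountpoint "$1" "$3"; then
        echo "$3 already present in $1"; return 1
    fi
    fstab_line "$2" "$3" ext4 "defaults,nodev,nosuid,noexec" >> "$1"
}

echo "guide's entry lacks: $(missing_hardening "/dev/sdb /mnt/2nd-hdd auto defaults 0 0")"
add_cache_disk "$FSTAB" "UUID=2222bbbb-3333-cccc-4444-dddd5555eeee" /mnt/squid-cache
if ! add_cache_disk "$FSTAB" "UUID=2222bbbb-3333-cccc-4444-dddd5555eeee" /mnt/2nd-hdd; then
    echo "duplicate entry refused"
fi
cat "$FSTAB"
```

After editing the real /etc/fstab, `mount -a` as in the guide applies the entry; a typo in it is caught there rather than at the next reboot.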

Regards
SYED JAHANZAIB

December 17, 2011

Howto install Windows XP from USB Drive?

Filed under: General IT Related, Microsoft Related — Syed Jahanzaib / Pinochio~:) @ 4:41 PM

If you want to install Windows XP but your desktop PC / laptop has NO CDROM / network boot option, you can still install Windows XP from a USB disk. It's simple and handy in many situations, especially for network / hardware support personnel, because a USB drive has added benefits: you can add / remove several apps on the fly from the USB.

There are several ways to do this. For example, if you have a USB disk with less than 2 GB of space, you can follow this VERY simple and easy-to-follow guide:

http://komku.blogspot.com/2008/11/install-windows-xp-using-usb-flash-disk.html

But unfortunately, for some reasons, it didn't work out for me.

So I decided to go with the USB_MULTIBOOT, In this example I am using the same.

Here We Start   . . .


1)
You will need a special tool named USB_MULTIBOOT that will copy the XP CD to USB and enable the USB to boot Windows XP setup.
You can download it from

http://www.mediafire.com/?gyjy3tlgdon

Unzip it to any folder. For example
c:\usb_multiboot_10


2)
Run USB_MultiBoot_10.cmd from the folder.
(As Shown in the image below)

Press any key to continue.


3)
Format Utility will appear, Select  ‘ H ‘ , It will then give you  several options to choose. Select the following.
FILE SYSTEM = NTFS
FORMAT OPTIONS = QUICK
(As Shown in the image below)


TIP: Using the “HP format” option works fine for any capacity, and you can use FAT32 / NTFS
without problems. This can be useful as more systems can read FAT32 than NTFS.


4)
Select Option 1   >   Select the WINDOWS XP Source path (CD or Extracted version)
(As Shown in the image below)



5)
Select Option 2  >  Select USB-Drive Target Drive 
(As Shown in the image below)


It will ask whether you want to install XP in Unattended mode, which means it will automatically enter the required info during setup, like user name / Windows XP CD key / time zone etc.
Select YES and enter the required info like user name, CD key etc. Follow the on-screen instructions.
(As Shown in the image below)


6)

Now select option # 3 [Make MultiBoot and Copy Source] to start the setup copy process.
(As Shown in the image below)


After this It will start copying XP files to USB and will perform necessary actions to make it Bootable.
After All data is copied It will inform you that

“FileCopy to USB-Drive is Ready -OK- Success”,
Click YES to continue.
(As Shown in the image below)


ALL DONE. Your USB – Drive is ready for Booting.

Plug it to your computer and in BIOS select USB in first boot device.

After booting from USB you will see boot menu of usb , Something Like below image.


Choose the text-mode installation the first time,
and the GUI INSTALLATION AFTER REBOOT, TWICE!

(Description: choose step 1 to start installing XP in text mode, partition setup etc. After the reboot choose step 2; after the install continues, choose step 2 AGAIN to log into XP.)

As soon as you arrive at the Windows XP Desktop you can safely remove the USB Drive.

IMPORTANT! DO NOT REMOVE USB STICK UNTIL YOU’LL SEE XP’s FINAL LOGIN SCREEN!


http://www.msfn.org/board/topic/112627-usb-drive-target-error/

Regards
SYED JAHANZAIB
aacable@hotmail.com

December 16, 2011

CyberCafe Pro Basic Configuration Guide


~!~ Article by SYED JAHANZAIB ~!~

I recently deployed Mikrotik base hotspot system at a customer’s internet cafe but It was missing something which was  “Control over the client system, better time management system, on the fly changing in time limit,  & anti theft system “. then Cybercafe pro name popped up in my mind. I used this tool many years back in a gaming zone at Gulshan-e-Iqbal.

Cyber Cafe Pro is a very powerful user time management application/server for internet cafe businesses. It's a server / client based system. You can create pre-paid time codes / vouchers or user accounts.

There are two major components of this application.

# Cybercafe pro Server – (Main Control Station.)
Install this module on the computer which will be used as the front desk or Main Control Station. It can be Windows 7/Vista/XP/2003.

# Cybercafe pro Client
Install this module to ALL the computers which will be used by customers. Upon installation, it will automatically detect CCP Server running on the LAN. Otherwise you can manually set it via using CCP Client application.
Note: Please install the CyberCafe Pro Server before the CyberCafe Pro Client — and install Client software on computers other than the Server

We will divide this article in two sections

1 # Server setup

2# Client setup


# C.C.P  SERVER SETUP

For some reasons, I will not discuss about the installation of CCP Server ver 5 module. Please read the following article for installation 🙂

http://syedjz.blogspot.com/2011/12/howto-crack-cybercafe-pro-ver-5.html

After CCP Server installation is done, Open the CCP Main Control Station (Short code name : MCS),
Click on Login to activate MCS.
See the below Image.

To start it every time windows start, Go to ADMIN > SYSTEM SETTINGS > and click on NT SERVICE, Select YES
See the below Image.

Now it's time to configure the CCP Server. First we will adjust “Client Settings”.

Goto ADMIN   >  SETUP  >   CLIENT SETTINGS

Now you will be presented with CLIENT SETTINGS Panel where you can adjust / configure many client side tweaks.
Here at SECURITY TAB, You can adjust many functions like Disable Hotkeys/CD/Drives/Control panel Access etc. Choose the options as shown in the image below, later you can fine tune them as per your requirements.
See the below Image.

Now go to “System Settings“. Here you can allow/restrict some options like startup folders/lock, reboot computer at end of session, etc. Here you can also restrict login types: either Timecodes or User Account. In this example we will choose TIMECODES. A time-code is a pre-paid 5-digit code (the code length can be extended) which the client can use to log in.

Choose the options as shown in the image below, later you can fine tune them as per your requirements.
See the below Image.

Now goto “Marquee” tab, Here you can add you banner text, which will be displayed at client side login screen. Its for advertisement purpose as shown in the image below.
See the below Image.

Basic configuration for client is done. It’s time to Generate prepaid Timecodes .

Go to TIMECODES & click on GENERATE. You will then be presented with a new “GENERATE TIMECODES“ panel.

Now you have to choose various options in this window. I am describing basics of all

1#  Number of Codes to Generate : How many prepaid time-codes to generate? (numbers)

2# Time Limit : Time limit defines for how long user can use this timecode, for example half hour / 1 hour / 2 hour

3#  Automatic Expiry: Here it's entirely up to you how you want to handle this option. In this example I have selected “Expire in specific number of days after this timecode is sold”, which means that when I sell the code, it will auto-expire one day after its first usage. This is necessary so the code cannot be used again and again.

4# Just select “Full access to the windows desktop”, so that when the user logs on via the CCP Client module, he is presented with the WINDOWS XP desktop after a few seconds. If you don't want to give him desktop access, you have to create sets of allowed applications in the CCP Client admin section; the user will then see a panel listing only the allowed apps.

Now click GENERATE AND SELL. (If you select only Generate, the code will not be marked ACTIVE and the user won't be able to use it; when you give such a code to a client, you have to right-click on the code and select SELL CODES to make it ACTIVE.)

See the below Image.

Basic configuration with timecodes is ready at server end. Moving to client end section.

# C.C.P  CLIENT SIDE MODULE

At the client PC, install Ccp5-Client.exe. Again, installation is very simple, just click Next, Next. See the image below.

At the end of the client setup, select the following.

After this, REBOOT the client PC. After rebooting, you will see the CyberCafe Pro Client login window.
See the image below.

NOTE: IF you are unable to click the LOGON button as shown in the above image, then go back to CCP SERVER Main Control Station and you will be seeing one GREEN ICON which indicates that one client PC have been connected with the CCP Server.
Simply right click on it and select “Account / Timecode Group“.

See the image below. (Server Side)


After this you will be able to click LOGON button on client side.

See the image below. (client side)

After Login, you will see the windows desktop screen after few seconds.

As shown in the image below.

CCP Tips ‘N’ Tricks

HOWTO EXTEND TIME

If you want to extend the time for any already connected user, then simply follow the below images.

HOWTO CREATE MAPS for YOUR CYBER/GAMING CAFE

You can create interesting Live MAP of your Cyber Cafe and place your connected pc’s in the MAP as shown in the image below. You can then easily Drag n Drop the Pc’s to appropriate location as related to physical layout.

CUSTOMIZING RECEIPT/VOUCHER

You can customize voucher/receipt of CCP. See the below image

***************************************

I hope you will find this guide useful and simple to follow. There are a lot of things that haven't been discussed in this article, as its aim was simply to guide the admin on how to install a basic CCP server with time-code generation and how to connect a client-side PC to the CCP server. I will write more when any request is received.

Regards

SYED JAHANZAIB
aacable@hotmail.com
https://aacable.wordpress.com


December 13, 2011

Monitoring Network with the DUDE (PC x86 or Mikrotik NPK Ver)


MIKROTIK DUDE BASIC INSTALLATION GUIDE, yes only basic 🙂
~ Article by Syed Jahanzaib ~

CNMS - Centralized Network Monitoring & Management System !!! - JZ

Example MAP of my Office LAN

NOTE: Be careful, the Dude on a router has a big impact on the router's CPU resources. It is best to run it on a separate Windows-based system for more customised control.

What is THE DUDE ?
Answer is below > As Mikrotik Wiki defines:

The Dude is a free Monitoring application by MikroTik, which can dramatically improve the way you manage/monitor your network environment.
It will automatically scan all devices within specified subnets, Draw and Layout a map of your networks, monitor services of your devices and execute actions based on device state changes.

Some customized probes used in this map:

  • Voice / Speak Alert on various target / devices down/up events
  • NOC Room temperature (It alerts when temperature goes above 25)
  • Vmware ESXi 4.0/5.0 Guest VM  + windows/linux servers Power ON/Shutdown from Dude using Tool Menu with customized scripts *
  • UPS Load / Voltages / UPS Internal Temperature
  • IBM Lotus Number of Mail Waiting / DB Connected Users / Availability Index
  • HP Printers Toner Remaining in %
  • No. of Connected Users on each A.P
  • Disk Free/Total Statistics, Alerts when Specified partition goes above 90%
  • Disk Read/Write Monitoring / Alert
  • High Memory Monitoring Alert
  • Windows Service Monitor on SAP Servers
  • Cisco ASA / Switches CPU Load/ Up-time / Temperature
  • Cisco Access Point Active Connected Users
  • Alerts for Lotus Domino / SAP Servers Service alert, for example if server is on but specific service is down
  • Wireless Link Usage Monitoring
  • Internet / LAN Link Monitor, If the link is in full utilization i.e 4mb, the link color changes to Orange, indicating Load on the link. very useful to monitor load.

Mikrotik's “The DUDE” live monitoring system shows a live view of all devices and servers on screen and auto-refreshes at defined intervals:

GREEN icon shows the target is active & healthy,
ORANGE shows one or more probes failed to poll a specific counter/OID,
RED means the target device is not reachable via the network or is powered off.

With some of my customised advanced monitoring probes, like UPS temperature, KESC voltages in, NOC room temperature and HDD monitor, I have also made some custom alerts. For example, if the NOC room temperature goes above 25 degrees it will show a visual alert, email or SMS; if D: drive usage on the mail server goes above 80% it alerts me; if a targeted service on a specific server stops, it alerts visually; plus voice alerts for various counters.

Very good and advance Monitoring System, It can Shutdown and POWER ON any system on MAP using tools and custom scripts, Also I have added some customize tools/scripts to run on target device using custom command , added in tool menu.

We call it CNMS, Centralized Network Monitoring System
Thanks to DUDE ;)

You can Install the DUDE on your Windows PC , OR you can also install it on your Mikrotik x86/RouterBoard.

First Download ‘The Dude’ from

http://www.mikrotik.com/thedude.php

 

For a Windows PC, get The Dude for Windows:

http://download.mikrotik.com/dude-install-3.6.exe

After downloading, simply execute the .exe file and it will install just like any other application. A newer build, Dude 4.0b3 for Windows, is also available for download.

Once installation is done, start it by going to START > Programs > The Dude.

Now run the Dude. You will be asked for credentials; just like a default Mikrotik installation, the Dude has no default password:

  • ID = admin
  • Password = No Password, Just Enter

Now you will see The Dude main screen. Just as an example, I will add a simple network using Auto DISCOVERY. You can later create your own desired network MAP once you understand how things work in the Dude.

Use your local subnet range. Also tick ‘LAYOUT MAP AFTER DISCOVERY COMPLETE’.
Remove unnecessary services from the SERVICES menu, so you will not get a red icon when those services are not found.
It's best to install SNMP on all of your servers to get the maximum information, like link usage/CPU/memory/HDD etc.

After it completes the discovery, it will create an automatic layout map, something similar to the image below.

If you are unable to see a PC, try adding a few IPs manually. If ping/ICMP is blocked on the target PC, you won't see it in the map, so it's better to use another approach / combination in “Device name preferences”. Also check your Mikrotik / target PC firewall configuration.

The above image looks Pretty much messed up, but you can trim it or adjust it according to your flavor :), like the below

 


The DUDE tip’s n tricks 🙂

Howto ADD Machines/Devices Manually (Without Auto Discovery Mode)

Sometimes you would like to add only a few targeted devices / computers on your network to be monitored via the Dude.
To do so, follow the instructions shown in the screenshots below.

On the Network MAP screen, Click on + sign, then select Device. Now enter IP address of your target device and click NEXT.

Now select DISCOVER to check what services target device is offering for monitoring.

Now add another device as shown in above images.

Now add Network ICON so that we can connect both devices for link monitoring.

Now the real part, Again Click on + sign and click LINK to create link between device and network icon.

 


Howto Change Background Image

You can change background image by going to

 


HOWTO ENABLE WEB BASE ACCESS

You can also view/control the Dude via a web browser. This is convenient if you have a fixed public IP on the Mikrotik / PC where the Dude is hosted: you can monitor your network from anywhere in the world using only a browser.
First you have to enable the Web Service in the Dude.

Make sure there is no other web server running on your PC/Mikrotik. If there is, change the port in the image above to something different, for example 1234. Now open your browser and point it to your Dude server:

http://192.168.2.6
It will ask for an ID and password; enter your credentials. (A first-time Dude installation has no password: just use admin without any password, and then you can change the password from the ADMIN section.)
Now click on MAPS > Network Map and you will be redirected to your network map. See the image below.


HOWTO Show Link Capacity with color changing on full usage

If you want to monitor link bandwidth usage and have the link change colour when it is fully used, as shown in the image below:

open the properties of the link, tick ‘Speed’ and enter the value you want to monitor, for example 1 Mb,

as shown in the image below.


HOWTO Show any OID on Device

Some of the examples are taken from the Mikrotik DUDE forum.
Special thanks to Mr. Lebowski

Right click on your device and select APPEARANCE, click on LABEL: and add this OID (For example only, change the OID as your requirement)

NOC Room Temperature : [oid("1.3.6.1.4.1.534.1.6.5.0")]

OR

if you want to divide the value to be displayed, use following formula

Temperature: [oid("1.3.6.1.4.1.13400.2.62.2.1.2.0")/100]

 MIKROTIK OIDS FOR DISPLAY

[Device.Name]
Uptime: [string_substring(oid("1.3.6.1.2.1.1.3.0"),0,8)]
[device_performance()][Device.ServicesDown] Active PPP users: [oid("1.3.6.1.4.1.9.9.150.1.1.1.0")]
Voltage: [oid("1.3.6.1.4.1.14988.1.1.3.8.0")/10] V / Temperature: [oid("1.3.6.1.4.1.14988.1.1.3.10.0")/10] C
Processor-Temp: [oid("1.3.6.1.4.1.14988.1.1.3.11.0")/10] C
Power-Consumption: [oid("1.3.6.1.4.1.14988.1.1.3.12.0")/10] W

Result:

active users


HOWTO Remote Shutdown any PC using DUDE Tools (generally for AD environment)

Open the Dude console, from the left menu go to Tools, and click on the plus sign (+) to add a new tool with the following settings:


Type: Executable

Name: Shutdown

Target: c:\windows\system32\shutdown.exe -s -f -t 30 /m \\[Device.FirstAddress]

I will add more snaps and info of some live networks where I deployed this beautiful tool.

One Link:

https://aacable.wordpress.com/2012/07/02/the-dude-show-us-your-map-series/


 HOWTO add probe for disk like C: & D:

To monitor the C: or D: drive for a space alert, first create a Function, then create a Probe that uses the function, then add the probe to the device 🙂

Function:

Name: drivec
Code: if(array_size(oid_column("1.3.6.1.2.1.25.2.3.1.6",10,5)), round((oid("1.3.6.1.2.1.25.2.3.1.6.1",10,5)/oid("1.3.6.1.2.1.25.2.3.1.5.1",10,5))*100), False)

(1.3.6.1.2.1.25.2.3.1.6 is hrStorageUsed and 1.3.6.1.2.1.25.2.3.1.5 is hrStorageSize, so the function returns the percentage used, or False if the table could not be read.)

Now create a new Probe.

Name: Low Space in C Drive
 Type: Function
 Available: drivec()<>False
 Error: if(drivec()<>False, if(drivec() < 85, "", concatenate("Warning: Drive C = ", drivec(), "%")), "Failed to read Drive C, the server might be down")
 Value: drivec()
 Unit: %

Now add this probe in target windows device in service section. That’s it. Now if the C: Drive goes above 85%, it will alert, you can tag voice/visual/email/sms alert with it. I use VOICE alert 😀
NOTE: The OID for the C: drive can be different on your system , it depends on the drives you have in your system, for example I used the 1.3.6.1.2.1.25.2.3.1.6.1 , but you may have 1.3.6.1.2.1.25.2.3.1.6.2 , so its better to check it in snmp section of device properties.

 


HOWTO show Disk Read & Write Time

You first have to install snmptools and add the disk counters to its ini file in order to retrieve the disk read/write time counters, e.g.: https://aacable.wordpress.com/2012/07/25/using-snmptools-to-monitor-disk-read-write-time-win2008-6432-bit/

Disk Read / Write Time C: & D: [string_substring(oid("1.3.6.1.4.1.15.1"),0,3)] / [string_substring(oid("1.3.6.1.4.1.15.2"),0,3)]


HOWTO check if specific program is running or not [using taskmgr list]

Create a new probe and tag it with your required target device.

Probe Name:  lotus_notes_test
 Type:  Function
 Available: if(array_find(oid_column("1.3.6.1.2.1.25.4.2.1.2"), "nserver.exe")>0, 1, -1)
 Error:  if(array_find(oid_column("1.3.6.1.2.1.25.4.2.1.2"), "nserver.exe")>0, "", "Domino Service not Running")
 Value:  1
 Unit:  running

Note: Replace nserver.exe with the file name of the process you want to monitor. The name is case-sensitive! Write the full file name exactly as you see it in the Windows Task Manager list. 1.3.6.1.2.1.25.4.2.1.2 is hrSWRunName from HOST-RESOURCES-MIB, so the same probe works on any host whose SNMP agent implements that table.

[image: probe showing the process running / not running]

[image: Dude probe definition]


HOWTO check if specific SERVICE is running or not

Create a new probe and tag it with your required target device.

Probe Name:  check_telnet_service
 Type:  Function
 Available:  if(array_find(oid_column("1.3.6.1.4.1.77.1.2.3.1.1"),"Telnet")>0, 1, 0)
 Error:  if(array_find(oid_column("1.3.6.1.4.1.77.1.2.3.1.1"),"Telnet")>0, "", "Telnet not detected by SNMP probe")
 Value:  1
 Unit:

Note: Replace Telnet with the name of the service you want to monitor. Type the full name of the service exactly as you see it in the Services console; the name may be case-sensitive. This column (1.3.6.1.4.1.77.1.2.3.1.1, svSvcName in the LanMgr MIB) only lists services that are currently running, which is why a missing entry means the service is down.


HOWTO Create Alert if specific OID result gets below/above a specific value, like NOC room temperature

If you want to monitor a specific OID and alert when its result goes above or below your pre-defined number, use the probe below (I use it to monitor my data centre room temperature via a temperature sensor; if the temperature goes above 25, it alerts via SMS/voice).

Name:  NOC Room Temperature Alert
 Type:  Function
 Available:  if(oid("1.3.6.1.4.1.534.1.6.5.0")>0, 1, -1)
 Error:  if(oid("1.3.6.1.4.1.534.1.6.5.0")<=25, "", "NOC Room Temp Over 25 / SJz")
 Value:  oid("1.3.6.1.4.1.534.1.6.5.0")
 Unit: C

If you need to divide the SNMP result by 100 first (some sensors report hundredths of a degree, see the Emerson/Liebert example further down), create a function as shown in the image below, named getTemperature, whose code is the oid(...) expression divided by 100, and then create a probe with the following data.

[image: function getTemperature]

[image: probe NOC Room Temp]

Name: NOC Room Temp
Type: Function
Agent: Default
Available: getTemperature()
Error: if(getTemperature()<25, "", "NOC Room Temperature above 25 C, please check the A/C")
Value: getTemperature()
Unit: C

 

HOWTO show ping result on device label

If you want to show the ping result on your device label, right-click the device, select Appearance, and in Label paste the following code:

[array_element(ping(device_property("FirstAddress")),0)] ms


HOWTO Check for High Delay via Ping Function/Probe

If you want to monitor the ping delay (in ms) to any device and alert when it exceeds a threshold, for example when the latency to an internet link rises above 200 ms as in the probe below (raise the number if your links normally sit higher), use the following function/probe.

First add a new function.

Function:
 Name: ping_rtt
 Description: Returns the round-trip time of a ping request to the FirstAddress of a device
 Code: round(array_element(ping(device_property("FirstAddress")), 0))

Now create a probe and use the ping_rtt function in it.

Probe Name:  Ping Delay
 Type:  Function
 Available:  and(device_property("FirstAddress") <> "", ping_rtt()>-1)
 Error:   if(and(ping_rtt()>-1, ping_rtt()<200), "", if(ping_rtt()>-1, concatenate("Latency above 200ms with ", ping_rtt(), "ms"), "down"))
 Value:  ping_rtt()
 Unit:  ms

Now tag it to the device in the Services section.


HOWTO check HP 2420n Toner Cartridge

On the device label, use the following OID (make sure SNMP is enabled on the printer and in the device's SNMP section):

TONER [oid("1.3.6.1.2.1.43.11.1.1.9.1.1")/0.6000*100] % Remaining

1.3.6.1.2.1.43.11.1.1.9.1.1 is prtMarkerSuppliesLevel from the Printer MIB and the 0.6000 divisor is specific to this printer. On another model read prtMarkerSuppliesMaxCapacity (1.3.6.1.2.1.43.11.1.1.8.1.1) and compute level/max*100 instead of reusing the constant.

 HOWTO show number of connected users on Cisco AP

Active WiFi Users: [oid("1.3.6.1.4.1.9.9.273.1.1.2.1.1.1")]

 HOWTO show number of PPP ACTIVE users on Mikrotik RouterOS

Active PPP Users: [oid("1.3.6.1.4.1.9.9.150.1.1.1.0")]

HOWTO show Disk C: & D: Free/Total statistics on Device Label

 Disk [Free/Total]  C:\=[round(((((oid("1.3.6.1.2.1.25.2.3.1.5.1")-oid("1.3.6.1.2.1.25.2.3.1.6.1"))*oid("1.3.6.1.2.1.25.2.3.1.4.1"))/1024)/1024)/1024)]/[round(((oid("1.3.6.1.2.1.25.2.3.1.5.1")*oid("1.3.6.1.2.1.25.2.3.1.4.1")/1024)/1024)/1024)] GB

(hrStorageSize and hrStorageUsed are counts of hrStorageAllocationUnits, which is why the label multiplies by .4 before dividing down to GB; the index .1 again has to match the C: row on your host.)
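As an added example (not code from the original post or from MikroTik), here is the same hrStorage arithmetic used by the C: probe and the Free/Total label above, written in Python against a constructed hrStorageTable snapshot. The one thing it does differently from the Dude probe is to find the drive's row by hrStorageDescr instead of hard-coding table index 1, which is the "the OID for the C: drive can be different on your system" caveat handled in code. The names SAMPLE_WALK, find_storage_index, used_percent, free_total_gb and probe are mine, and the snapshot values are made up.

```python
"""hrStorage disk-space probe logic, modelled on the Dude 'Low Space in C Drive' probe.

Added example for this page; not code from the original post or from MikroTik.
HOST-RESOURCES-MIB hrStorageEntry (1.3.6.1.2.1.25.2.3.1) columns used:
  .3 hrStorageDescr   .4 hrStorageAllocationUnits   .5 hrStorageSize   .6 hrStorageUsed
Size and Used are counts of AllocationUnits, which is why both the percent
and the free/total GB label multiply by column .4 before converting.
"""

HR_STORAGE_ENTRY = "1.3.6.1.2.1.25.2.3.1"
COL_DESCR, COL_ALLOC, COL_SIZE, COL_USED = 3, 4, 5, 6


def _row(index, descr, alloc_units, size, used):
    """One hrStorageTable row as {oid: value}; values are strings, as an SNMP walk returns them."""
    base = f"{HR_STORAGE_ENTRY}."
    return {
        f"{base}{COL_DESCR}.{index}": descr,
        f"{base}{COL_ALLOC}.{index}": str(alloc_units),
        f"{base}{COL_SIZE}.{index}": str(size),
        f"{base}{COL_USED}.{index}": str(used),
    }


# Constructed snapshot (not from a real host). Indexes are chosen so that C: is
# NOT index 1, which is exactly the situation the post's NOTE warns about.
SAMPLE_WALK = {}
for row in (
    _row(1, "Physical Memory", 65536, 200_000, 150_000),
    _row(2, "Virtual Memory", 65536, 400_000, 160_000),
    _row(3, "C:\\ Label:  Serial Number 1234abcd", 4096, 30_000_000, 27_000_000),
    _row(4, "D:\\ Label:Data  Serial Number 9e8f7a6b", 4096, 50_000_000, 10_000_000),
):
    SAMPLE_WALK.update(row)


def oid_column(walk, column):
    """Equivalent of Dude's oid_column(): {index: value} for one table column."""
    prefix = f"{HR_STORAGE_ENTRY}.{column}."
    return {int(oid[len(prefix):]): val for oid, val in walk.items() if oid.startswith(prefix)}


def find_storage_index(walk, descr_prefix):
    """Locate the row whose hrStorageDescr starts with e.g. 'C:\\' instead of trusting index 1."""
    for index, descr in sorted(oid_column(walk, COL_DESCR).items()):
        if descr.startswith(descr_prefix):
            return index
    return None


def used_percent(walk, index):
    """round(used/size*100) like the drivec() function; None if the row is missing or size is 0."""
    if index is None:
        return None
    size = int(walk.get(f"{HR_STORAGE_ENTRY}.{COL_SIZE}.{index}", 0))
    used = int(walk.get(f"{HR_STORAGE_ENTRY}.{COL_USED}.{index}", 0))
    if size <= 0:
        return None
    return round(used * 100 / size)


def free_total_gb(walk, index):
    """(free GB, total GB) as the 'Disk [Free/Total]' label computes them: units * alloc / 1024^3."""
    alloc = int(walk[f"{HR_STORAGE_ENTRY}.{COL_ALLOC}.{index}"])
    size = int(walk[f"{HR_STORAGE_ENTRY}.{COL_SIZE}.{index}"])
    used = int(walk[f"{HR_STORAGE_ENTRY}.{COL_USED}.{index}"])
    gib = 1024 ** 3
    return round((size - used) * alloc / gib), round(size * alloc / gib)


def probe(walk, drive="C:\\", threshold=85):
    """Mirror the Dude probe fields (Available / Error / Value / Unit) for one drive."""
    label = drive.rstrip("\\")
    pct = used_percent(walk, find_storage_index(walk, drive))
    if pct is None:
        return {"available": False, "value": None, "unit": "%",
                "error": f"Failed to read Drive {label}, the server might be down"}
    error = "" if pct < threshold else f"Warning: Drive {label} = {pct}%"
    return {"available": True, "value": pct, "unit": "%", "error": error}


if __name__ == "__main__":
    for drive in ("C:\\", "D:\\", "E:\\"):
        idx = find_storage_index(SAMPLE_WALK, drive)
        gb = "/".join(map(str, free_total_gb(SAMPLE_WALK, idx))) + " GB" if idx else "n/a"
        print(drive, probe(SAMPLE_WALK, drive), gb)
```

In production the walk dictionary would come from an SNMP walk of 1.3.6.1.2.1.25.2.3.1 (pysnmp or the snmpwalk CLI), and a missing or zero-size row maps to the probe's "Failed to read" state rather than to a division error.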

 


 

HOWTO show Cisco ASA 5510 Cpu Usage & Connections

Cisco ASA Cpu Usage:   CPU Load 1min: [oid("1.3.6.1.4.1.9.9.109.1.1.1.1.5.1")] %
Total Connections: [oid("1.3.6.1.4.1.9.9.147.1.2.2.2.1.5.40.6")]


 HOWTO show Cisco 3750 CPU USAGE

Cisco 3750 switch Cpu Usage LAST 5 SEC AVG : [oid("1.3.6.1.4.1.9.2.1.56.0")]
Cisco 3750 switch Cpu Usage LAST 1 MNT AVG : [oid("1.3.6.1.4.1.9.2.1.57.0")]
Cisco 3750 switch Cpu Usage LAST 5 MNT AVG : [oid("1.3.6.1.4.1.9.2.1.58.0")]

HOWTO show Cisco 3750 Switch Temperature

Temperature : [oid("1.3.6.1.4.1.9.9.13.1.3.1.3.1006")]

HOWTO show EATON UPS 9155 : Temperature/Volts/Load

UPS Temp: [oid("1.3.6.1.4.1.534.1.6.1.0")] C
Volts: [oid("1.3.6.1.2.1.33.1.3.3.1.3.1")] V
LOAD [oid("1.3.6.1.2.1.33.1.4.4.1.5.1")] %
Backup Time Remaining: [oid("1.3.6.1.2.1.33.1.2.3.0")] min

 EATON Powerware Environment Monitoring Probe [EMP]

NOC Room Temperature : [oid("1.3.6.1.4.1.534.1.6.5.0")]
NOC Room Humidity : [oid("1.3.6.1.4.1.534.1.6.6.0")]


EMERSON LIEBERT 10kVA UPS Monitoring

INPUT Volt: [oid("1.3.6.1.4.1.13400.2.16.2.2.1.0")/100]
LOAD [oid("1.3.6.1.4.1.13400.2.16.2.3.6.0")/100] %
Battery Volt [oid("1.3.6.1.4.1.13400.2.16.2.5.1.0")/100]
Backup Time: [oid("1.3.6.1.4.1.13400.2.16.2.5.2.0")]

# Temperature & Humidity are not builtin feature, separate sensor module should be attached with the UPS like IRM-S02TH
Temperature: [oid("1.3.6.1.4.1.13400.2.62.2.1.2.0")/100]
Humidity: [oid("1.3.6.1.4.1.13400.2.62.2.1.3.0")/100]

 HOWTO show all CPU’s Load

Load on [array_size(oid_column("iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad"))] CPU('s): [oid_column("iso.org.dod.internet.mgmt.mib-2.host.hrDevice.hrProcessorTable.hrProcessorEntry.hrProcessorLoad")]

Howto add MYSQL or any service probe

[image: MySQL service probe definition]


 IBM Lotus Domino Server

Mail Waiting: [oid("1.3.6.1.4.1.334.72.1.1.4.6.0")]
Server Availability Index: [oid("1.3.6.1.4.1.334.72.1.1.6.3.19.0")]
Lotus DB Connected Users: [oid("1.3.6.1.4.1.334.72.1.1.6.3.6.0")]

Howto Show System/Device UPTIME

Uptime: [string_substring(oid("1.3.6.1.2.1.1.3.0"),0,8)]

Howto Send SMS alerts via DUDE.

https://aacable.wordpress.com/2013/11/02/mikrotik-dude-sms-notification/


Howto Show Cisco SG300/SG500 CPU Load

CPU: [oid("1.3.6.1.4.1.9.6.1.101.1.7.0")]

Regard’s
~ Syed Jahanzaib ~

December 9, 2011

Mikrotik Howto block Winbox Discovery + Limit Winbox Access


To hide your Mikrotik from appearing in the Winbox neighbour scan list, and to limit Winbox access to a specific IP address or your admin PC only,
use the following.

To disable Winbox access by MAC address you have to disable the MAC server on the interfaces
Go to Tools -> MAC Server
Click on the WinBox Interfaces Tab
By default this is set to all
You can add specific interfaces, and disable the all entry

OR using the CLI, use the following commands

/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no

(If an entry for interface=all already exists, disable it with "set [find] disabled=yes" rather than adding a second one. On RouterOS 6.41 and later the MAC server is configured per interface list instead: set allowed-interface-list=none under /tool mac-server and under /tool mac-server mac-winbox.)

Or block MNDP discovery and MAC-Winbox in the firewall, and restrict Winbox to your management PC, with the following input-chain rules:

/ip firewall filter
add action=drop chain=input comment="Block mikrotik discovery/zaib" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6

The above rules block Mikrotik discovery (MNDP, UDP 5678) and Winbox-over-MAC (UDP 20561), and allow only 192.168.2.6 to reach Winbox on TCP 8291. Change this IP address to match your management PC, and make sure these drop rules sit above any general accept rule in the input chain, otherwise they will never match.

You can also disable Network Neighbor Discovery (MNDP/CDP/LLDP) on the interface your network users are connected to (on RouterOS 6.41 and later this moved to /ip neighbor discovery-settings, discover-interface-list):
Example:

/ip neighbor discovery set ether1 discover=no

TIP:
I recommend disabling every service you do not use (www, ftp, telnet, api, and ssh if you manage the box via Winbox only) under IP > Services, and restricting each service you keep, Winbox included, to your management addresses via its Available From field. Changing the default Winbox port there is a small extra hurdle against scanners, but the address restriction plus the input-chain rules above are what actually keep untrusted hosts out.

Regard’s
SYED JAHANZAIB

Howto Crack Mikrotik 3.30 [P.C.C SUPPORTED VER] [For Educational purpose only]


~ Article by Syed Jahanzaib ~

Crack Link for Mikrotik  3.30 have been Removed on Community Request ! 22/2/2013

I personally condemn usage of illegal/cracked versions of MIKROTIK or any licensed software. If you are using it just for learning purposes, that is OK, but if you are using it in a commercial environment, then please, please, please BUY it from the Mikrotik/author website. There are some grey-area arguments you can make when using unlicensed software as a hobbyist individual or poor college student, but if you are a commercial entity making money from said software, then you have little ground to stand on.

While I don’t have any problem when some very low sized network or individuals use unlicensed software when they can’t afford them.

I’m personally not comfortable stealing software and it was one of my reasons to eventually move on to Licensed Versions. I’d rather not use a program at all or get by with a more restricted free version than pirate it. I would consider making an exception for tools that are outrageously expensive for an individual, like most of Microsoft’s  products, but only with the understanding that if a person makes money using those tools, they should eventually pay for them instead of riding the free piracy train.

Anyhow, the 'usage of pirated software' debate is never going to end, so let us get down to business ;) This guide demonstrated how to crack Mikrotik ver 3.30 (this version supports PCC). Hmmmmmmm

Crack Link for Mikrotik 3.30 have been Removed on Mikrotik Community Request ! 22/2/2013

 

Regard’s
SYED JAHANZAIB

December 7, 2011

Mikrotik Howto give PiNG / iCMP high Priority

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:20 PM

Mikrotik queues are protocol-agnostic: every packet leaving Mikrotik destined to your IP is counted against your cap, ICMP included.

So when you are browsing or downloading, there is little or no bandwidth left for PING/ICMP packets, and pings from the client to Mikrotik or to the internet will see frequent timeouts and high latency whenever the allowed bandwidth is fully used.
As shown in the image below . . .

[image: high ping latency while the user's queue is saturated]

 

NOTE:

Many admins block or rate-limit ICMP from the client side to avoid ping floods and unwanted queries (you can exempt your admin PC or others from this restriction via a source address list). Do not drop ICMP wholesale though: it carries path-MTU and unreachable messages, so blocking all of it breaks PMTUD and makes troubleshooting harder. A rate limit or a restrictive allow list is the better choice.

If you want to keep ICMP working, simply mark the ICMP packets and create a queue that reserves bandwidth for the marked packets.


 

1- EXAMPLE OF PING/ICMP QUEUE USING SIMPLE QUEUE [overall capping]

###########################################
# PING/ICMP Priority Script for Mikrotik
# Syed Jahanzaib / aacable @ hotmail . com
# https://aacable.wordpress.com
###########################################

# CONNECTION marking for ICMP, valid for both 5.x and 6.x ROS versions
/ip firewall mangle
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=icmp-con passthrough=yes comment="" disabled=no
# PACKET marking for ICMP, valid for both 5.x and 6.x ROS versions
add chain=prerouting protocol=icmp connection-mark=icmp-con action=mark-packet new-packet-mark=icmp-pkt passthrough=no comment="" disabled=no

# QUEUE TREE For Mikrotik 5.x Version to allow 128k Bandwidth for ICMP/PING Packets
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=128k max-limit=128k name=Hi-Prio-to-icmp-aacable packet-mark=icmp-pkt parent=global-out priority=1 queue=default
# For 5.x All Done. Now check your PING results. t.c

###################################################################
# IF you are using Mikrotik 6.x the queue tree above won't work as written, because the
# global-out parent was removed in 6.x (use parent=global there). The SIMPLE queue
# approach below is valid for both 5.x and 6.x versions.
# DO make sure to move it to the TOP of the simple queue list [order 0]

/queue simple
add max-limit=128k/128k name=ICMP_Priority packet-marks=icmp-pkt target=""

Result after implementing the above code.

[image: ping results after the ICMP queue is in place]


2- SECOND EXAMPLE OF PING/ICMP QUEUE USING PCQ TREE | (FOR PER USER DISTRIBUTION)

The following script will mark icmp packets and will allow 32k per user for icmp traffic via PCQ / QUEUE TREE

/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark ICMP I / zaib" new-packet-mark=ping_pkts_i protocol=icmp
add action=mark-packet chain=postrouting comment="Mark ICMP O / zaib" new-packet-mark=ping_pkts_o protocol=icmp

/queue type
add kind=pcq name="ping_pkts_i_32K" pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name="ping_pkts_o_32K" pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64


/queue tree
add name=ping_pkts_i packet-mark=ping_pkts_i parent=global-out queue=ping_pkts_i_32K
add name=ping_pkts_o packet-mark=ping_pkts_o parent=global-out queue=ping_pkts_o_32K
# The queue= value must match the /queue type names defined above exactly.
# On RouterOS 6.x use parent=global, since global-out no longer exists there.

 

TIP: You can also use priority-based queuing to give ICMP packets priority over other protocols inside the user's own queue.

 

Regard’s
Syed Jahanzaib

“Disaster Recovery Plan” (D.R.P) as a part of “Business Continuity Plan” (B.C.P)

Filed under: General IT Related — Syed Jahanzaib / Pinochio~:) @ 12:45 PM

A few years back, when I joined a company, I saw that there was no proper documentation, no standard operating procedures (S.O.P.s) available, and the whole network was quite messed up. So I decided to document everything.

This document is a draft version I made. It outlined all the procedures / steps that should be taken when any disaster or downtime occurs on the network. [It is an incomplete version, as it was the only draft I was able to retrieve from my past email. I will try to complete it soon. I will try to add my DRP plan for the Mini ISP and Cable.Net environment, hang on.]

HERE WE GO . . . . . . . . .

NEW ALLIED ELECTRONICS INDUSTRIES (Pvt) Ltd. IT DEPT.

DISASTER RECOVERY PLAN ( D.R.P)
as a part of
BUSINESS CONTINUITY PLAN ( B.C.P )

SYED JAHANZAIB
NEW ALLIED ELECTRONICS INDUSTRIES (PVT) LTD.
syed.jahanzaib@nae.com.pk

 

The material below was not written by me; it was copied from a book. I don't exactly remember the link, but I will add it soon. I only edited it and made it shorter as per the requirement.

 

What is Disaster Recovery?

Disaster Recovery (DR) is, or should be, part of your Business Continuity plan. It is defined as the way of recovering from a disturbance to, or a destructive incident in, your daily network / operations. In the context of Information Systems and Technology, this means that if an incident completely destroys data, slows down productivity, or causes any other major interruption of your operations or your business, the process of reverting to normal operations with minimum outage from that incident is called Business Continuity. Disaster Recovery is, or should be, a part of that process. You could say that Business Continuity and Disaster Recovery go hand in hand, but they do vary depending on the area and subject. For example, if your WAN connection goes offline, your business units can no longer communicate with each other via email or the internet, although each local unit can still operate and continue to work. This scenario would definitely be outlined in your Business Continuity Plan. However, if your server room burns down in one location, rebuilding the server room and the data housed in it would be Disaster Recovery.

Why is Disaster Recovery Needed?

A lot of people may ask themselves:   “Why would we need a ‘guide’ for Disaster Recovery?”

"If a Domain Controller (DC) has a critical failure, we just install another one." This might seem to work at first, and even for a longer period in small organizations, but in the long run there would be problems, and a lot of error messages. Correct recovery is crucial to ensure a stable AD environment. The speed at which problems appear grows exponentially if there are multiple locations of various sizes across different time zones and countries.

 Design Your Active Directory

In most corporations and large organizations, there are people with job titles such as “Network Architect”, “Windows Server Configuration Owner” or “Network Designer“. These people do not have these titles just for fun. In large organizations, there is an actual need for people whose sole purpose is to design or optimize the networking topology according to how technology progresses.

There are always new ways of doing things and new designs surfacing in the IT world, and those people need to stay on top of their respective fields.


Disaster Recovery for Active Directory

We have established that DR is an important part of a Business Continuity plan. But now we can go further and say that DR for AD is only a part of a Disaster Recovery plan, and not the whole plan by itself. You are correct if you think that you should have different DR guides for different things.

It is important to take the standpoint that the person who performs the recovery has little or no knowledge of the system. If you roll out your own hardened and customized version of Windows 2003, some things might differ during the installation, and someone who has no clear guide will install a system that differs from your actual DC install guidelines. This can cause incompatibility or result in an improperly functioning system later on. This happens, say, when you have specific policies that are applied to DCs, and during an install the policies are selected in a manner different from what the DC policy dictates.

You might think that this situation will never arise, but hurricane Katrina in the U.S., and the tsunami that struck Thailand, India, and others, prove that it can. Situations may arise when a knowledgeable person is not around at the time of crisis, so the guide needs to be as clear as possible. It may also be possible that the person doing the actual recovery is an external IT consultant or a junior IT staff member, because the senior and trained staff are not available. In this case, the person handling the recovery may not be at all familiar with your environment.

AD is a great system, but it is also very complex. Performing correct DR is therefore crucial. If AD forms a part of, or is the backbone of, your network and IT infrastructure, a proper guide to bringing it back online in the event of an incident needs to be as clear and concise as possible.

The Business Continuity plan, and the DR guides, especially the AD DR guides, should be practiced and tested at regular intervals. This effectively means that once a year or so, you need to test that your guides are working and that they will actually bring your business back online. In order to test all kinds of scenarios, building a test environment—preferably virtualized because it gives you much more flexibility such as rollbacks and snapshots—is a necessity.

It may be difficult to convince the top management that your systems could actually fail, but replicating your systems, or even just a crucial portion of your server infrastructure, and testing that would definitely be acceptable to them.


Documentation

Documentation seems to be a problem in many companies and is usually the component in a project that is most often overlooked. Every time that either a new employee starts or an external contractor is hired for an AD related project, instead of getting a binder with proper documentation, he or she is assigned a buddy who explains the systems and infrastructure. Then, the first new task is to write the documentation that has been missing for the last X years. However, after the first week he or she realizes there is not enough information and when they ask for it, they get some vague pointers on where to look.

Unfortunately, the usual cycle is that documentation is left for later stages in the project, and over time gets forgotten, or information is passed on by word of mouth or as a collection of links to websites instead. Over time, the missing or incomplete documentation becomes a costly burden to the organization: knowledge is lost and, because of its non-existence, is impossible to back up. The eventual creation of this documentation, which wouldn't have taken that much time to begin with, is a lengthy and expensive process.

Documentation is not really that hard to do, but it can be hard to convince your project or program manager to allocate the extra time needed to complete it. Usually, the question will arise as to why this needs to be done now and cannot be done later. A good argument in reply is to explain to him or her that at a later time the information is no longer fresh and remembered, or that it is necessary for backtracking problems. I have found that both of these work very well, and generally managers will give you time to document properly. If, however, you don't get the time, please make sure that you obtain written confirmation of the project or program manager's acceptance that there will be no way of knowing what has been done, and no time to write proper documentation.

Getting documentation done is actually quite easy. It comprises two steps, and once you have done this a couple of times, it will flow easily and you will produce documentation that your manager will actually be proud to show around.

First open notepad or any text editor and write, in short points, what you do, every step. In some cases, I just copy and paste the command, or the output, or both, into a line and keep going. Once you have completed the task, take a standard company template and format it into four sections. The outline is shown in the following table:

Document part or section | Description
Presentation page | A plain page containing nothing but the title of the document, the department, and the name of the author. A version table at the bottom of the page is optional.
Index | A proper index table. This should be on its own page and will make it look more professional.
Purpose | This describes, in a short paragraph, what this document is about.
Content | All of the actions you took, with detailed descriptions. Screenshots are a big winner here. Also make sure you separate different subjects with headers.

If you write a document about which group policies you are currently applying, then any change needs to be reflected in that document for it to be up-to-date.

Documentation plays a big part in disaster recovery, and sitting with a freshly-recovered domain, not knowing which earlier settings now prevent things from working, can cost you dearly; it may even cost you your job!

When writing your DR, please make sure that you have a printed copy in each location and at least one offsite copy per location. In some companies, it is standard practice for the domain or Enterprise admin at least to have a printed copy at home or on a USB key with him or her at all times. It is also good practice to have a printed copy or an electronic copy in the location’s safe so that it can be retrieved very quickly.

Write your documents regarding your infrastructure as clearly as possible, and do not make any assumptions about who will be reading the documents. It could very well be a summer worker or a trainee, although very often companies rely on professional DR-specialized companies. Some of these companies not only do regular, twice a year, complete DR in an isolated environment, but also sometimes provide you with warm sites to get your infrastructure back up and running more quickly. However, you never know what the disaster situation will be and if it is bad, you will want to ensure that everything possible is provided in the instructions.

Design and Implement a Disaster Recovery Plan for Your Organization

Implementing a Disaster Recovery guide in an organization that has never had one, or has had one that is outdated, may seem like an easy task. But it is not, as there are many hurdles that need to be overcome in the Disaster Recovery process. So, an accurate and proper method of implementation is very important. This chapter is designed to help you take that approach and get the whole process of Disaster Recovery implemented as fast as possible.

A lot of people assume that a Disaster Recovery guide (DRG) only needs to explain reasonably well what has to be done to get systems back online. This is absolutely wrong. The first question this assumption raises is: why would one touch the subject only superficially when one is writing a guide already? The second is that one never knows who will do the actual recovery. This statement is something that quite a few administrators I know have smiled at. The most compelling arguments, however, are that someone technical is always around and that a non-technical person is unlikely to perform the recovery.

While both arguments have their validity, the risk of a non-technical person restoring one of the mission-critical systems and clicking the wrong button in the process, is just too high. Even if it takes a few more hours to write a proper guide, it can save days during system recovery.

The key to a successful and well-implemented DRG is motivation. If there is no motivation from the management and no motivation from the actual technical personnel, then it is not possible to develop a well-implemented and functional DRG. The all-too-common problem, though, is that the motivation usually comes in the form of an incident where a DRG would have helped but was not available.

Create a Business Continuity Plan

Business Continuity Plans are, as mentioned earlier, high-level documents and procedures. These should always accompany Disaster Recovery guides. A BCP can be created for the Active Directory as well, and the sample in Appendix can help us get started. But in order to create one, we need to have a clear view of our infrastructure and what impact any outage has on our business. The key thing that needs to be done is to define the acceptable downtime and recovery time.

The communications department should also be involved in this process so that the right communications channels and responsibilities are used and defined. Communications, within the company and with external entities, can be crucial in the event of a disaster if an organization has responsibilities to investors or is in collaboration with partners. Setting and defining the right channels and processes for company personnel helps to mitigate the outage because users will then know that there is an issue and that the IT department is working on it. They won’t bombard you with phone calls complaining that they cannot work properly.

The second important thing, though no less critical, is to define a call tree. We need to have a complete contact list and an escalation path clearly defined in our BCP. The communications department also needs to be involved in this.

 Design and Implement a Disaster Recovery Plan for Your Organization

The call tree is a diagram with different levels of escalation, with the responsible person and phone number listed. With this, it is easy for someone to follow the chain of command and understand who needs to give the go-ahead for a certain action.

The following diagram shows the call tree for LG N.A.E as an example: [image not available now]

During an outage or disaster, the communications department should take responsibility for communicating the issue to the entire workforce, and not just the technical staff. For example, the information bulletin could state that the IT department is aware of the problem and is working on solving it, and also give a rough estimate of the time within which the problem is expected to be fixed and normal operations resumed.

The BCP needs to be clearly understandable and well written, because in the event of a disaster, confusing instructions can hardly be helpful. Once the final draft is ready, it would be best to have the communications department or technical writer(s) go over it to ensure an easily-readable yet professional-looking BCP.

 Present it to the Management (Part 1 and 2)

This is a step that should be done by someone who has good presentation skills and an in-depth knowledge of the BCP that was designed. It is also a "two-part step", because the project has to get started before the final draft can be approved. In order to clear this process with the management, the importance and the consequences of the BCP have to be communicated to them in a non-threatening manner.

Often, people who were deeply involved in the design of the BCP and the DRP failed in making it official due to their lack of presentation skills and “social connectivity”. Explaining in detail what we are trying to achieve and why it is crucial for the organization is essential. Once the process has been cleared and has received the go-ahead for creation of the BCP, we must proceed to the next step, and then come back to this step later.

Ultimately, it is in the best interest of the organization to have a proper DRP. Obtaining management clearance, and therefore being able to make the BCP and DRP an official standard in the organization, can open a lot of doors for you in the acceptance department. Whenever you hear complaints regarding the implementation, or disagreements in terms of content or testing, you can point to the directive and say: “take your complaints up to the next level“. Nine times out of ten, the discussion ends at that point.

 Define Roles and Responsibilities

This step is an important one because the people who have been delegated responsibilities are also accountable for them. This might not be what some people want, so the roles and responsibilities have to be discussed with the staff to ensure that they understand the implications of them.

A clear list of contacts and their roles in the BCP and DRG should be drawn up. This is not a step to be rushed. Make sure that everyone involved, including the managers, know what they are supposed to be doing when push comes to shove.

Also important here is the on-call role. Someone from the IT department should always be contactable. Rotation of this role, as well as adequate compensation for this duty, need to be clearly defined. The on-call person needs to have a clear understanding of what steps to take when something happens, and how he or she can determine whether this needs to be escalated or not.

Once everyone is on board and clear about their responsibilities, we need to put this into a visual form, a call tree. Many people, especially a lot of technical staff, complain about presenting things visually, but a lot of professionals agree that a visual representation of a process helps immensely in understanding it. When you then read the text describing that representation, you will most likely understand and memorize the process steps more easily.

To get a clear picture of what roles and responsibilities should be included in the BCP of LG N.A.E, see the following table. This example gives an overview of who should be included.

Role/Title                             | Name | Email | Telephone
---------------------------------------|------|-------|----------------------------------
Director Information Officer           |      |       | Office phone and emergency number
IT Manager                             |      |       | Office phone and emergency number
IT Engineer / Designer(s)              |      |       | Office phone and emergency number
IT Administrator(s)                    |      |       | Office phone and emergency number
Branch Technicians or Specialist(s)    |      |       | Office phone and emergency number
Branch System Specialist(s)            |      |       | Office phone and emergency number
Internal Communications                |      |       | Office phone and emergency number
External Communications                |      |       | Office phone and emergency number


Ensure that Everyone is Aware of Locations of the DRP

This has happened twice in companies that I worked with, such as Fariya Networks. They had invested a lot of money into a DRP process and tested it once. They passed with flying colors, but the man in charge (in this example, me) subsequently left the company. The DRP was put on ice because no one took responsibility for it and, even worse, the whole plan got “lost”.

At some places, when I first asked for the BCP and DRP, I got a blank face saying: “Well, we have it somewhere”. Eventually, someone dug up a draft version from their archived inbox. After 2 weeks of searching, I found the actual plan in an obscure and forgotten place on their intranet. Not really a good thing.

Please make sure that the location of the DRP is well known. Make a section for it in the IT pages of your intranet, print it out and hand it to everyone, and always mail the latest version to the people involved. An off-site, up-to-date copy of the DRP and all its related documents, along with copies of the software that is running in your organization, is absolutely critical. Keeping the DRP off-site in printed form, and possibly also in electronic form, is likely to be an enormous time and money saver, because many copies will be around in case of an emergency.


Define the Order of Restoration for Different Systems (Internet Servers / Domain Controller / ADC / Mail Servers, then Add One Server, etc.)

The contents to be recovered and their order of recovery should be clearly defined in the DRP and the BCP. (This means: first the root DC in the hub site, then the first Domain Controller, then the second, then one at the regional sites, and so on.) Also, to ensure internet connectivity, you must have backup lines and proxy servers ready.

Go back to “Presentation to Management”

This is the final step. Once everything is implemented, documented, and tested, go back to the management and tell them that the task is complete. Show them numbers for recovery times, pie charts of possibilities, and maximum outage numbers. Once they are convinced that money was not wasted, get it all approved and standardized.


By then you should be well known as “the man” for disaster recovery, and your job, in case of an emergency, has just become much, much easier.


SUMMARY

In this presentation, we went through all the steps and processes required to get a DRP implemented successfully. Knowing the correct processes, even if they seem strange and out of place, and then applying them can save a lot of additional work, and possibly your job.

If you have a trained team and a plan that illustrates every step of the way, your downtime will be minimal, and if the downtime is caused by something that you had no control over, such as a natural disaster or someone with a screwdriver in the wrong place, then your management and your company will know what they invested the time, effort and money into.

This is by no means a complete guide to implementing a DRP, but it should definitely point you in the right direction and take you a good way there.

Regards,

SYED JAHANZAIB
NEW ALLIED ELECTRONICS INDUSTRIES (PVT) LTD.
